Thursday, February 21, 2019

Alcatel - How are the questions asked?

Hi, a friend of mine is stressing out before his Alcatel exam because he has no clue how the questions will be asked.

Is it multiple choice? Longer format? Practical implementation?

Any other tips would be appreciated.



Linecard port density subscription ratio

I have a C4507 switch at my company with line card WS-X4712-SFP+E. Reading through the Cisco datasheet I came across the points below, which I have a hard time understanding, or rather calculating:

  • 48 Gigabits per-slot capacity

  • Bandwidth is allocated across four 3-port groups, providing 12 Gbps per port group (2.5:1)

I am scratching my head over the last point and how to decode the 2.5:1 ratio if I need to use both 10G and 1G on this line card. Can someone help me in layman's terms please?

Thanks in advance.
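As an added illustration (not part of the post above), here is the port-group arithmetic behind that 2.5:1 figure, generalized to a mix of 10G and 1G ports. The datasheet numbers (48 Gbps per slot, four 3-port groups, 12 Gbps per group) come from the post; the assumption that ports 1-3 form the first group, 4-6 the second and so on is mine, so check the card's documentation for the real grouping before relying on it.

```python
# Added example, not from the original post: per-port-group oversubscription
# for a line card whose slot bandwidth is split into fixed port groups.
# Figures from the post: 48 Gbps per slot, four 3-port groups, 12 Gbps each.
# ASSUMPTION: ports 1-3 form group 0, 4-6 group 1, and so on.
from typing import Dict, List

PORTS_PER_GROUP = 3
NUM_GROUPS = 4
GROUP_BUDGET_GBPS = 12.0          # 48 Gbps slot / 4 groups


def port_group(port: int) -> int:
    """Map a 1-based front-panel port number to its 0-based port group."""
    last = PORTS_PER_GROUP * NUM_GROUPS
    if not 1 <= port <= last:
        raise ValueError(f"port {port} outside 1..{last}")
    return (port - 1) // PORTS_PER_GROUP


def group_ratios(port_speeds: Dict[int, float]) -> List[float]:
    """Oversubscription ratio (offered Gbps : budget Gbps) for each group.

    port_speeds maps port number -> configured speed in Gbps (10 or 1);
    unlisted ports are empty. 1.0 or below means every port in the group
    can run at line rate at the same time; 2.5 is the datasheet's 2.5:1.
    """
    offered = [0.0] * NUM_GROUPS
    for port, speed in port_speeds.items():
        offered[port_group(port)] += speed
    return [round(gbps / GROUP_BUDGET_GBPS, 2) for gbps in offered]


def oversubscribed_groups(port_speeds: Dict[int, float]) -> List[int]:
    """Groups whose ports could offer more than the group's budget."""
    return [g for g, ratio in enumerate(group_ratios(port_speeds)) if ratio > 1.0]


if __name__ == "__main__":
    all_10g = {p: 10.0 for p in range(1, 13)}
    print("twelve 10G ports:", group_ratios(all_10g))
    mixed = {1: 10.0, 2: 1.0, 3: 1.0,          # one 10G + two 1G: 12 of 12 Gbps
             4: 10.0, 5: 10.0,                 # two 10G: 20 of 12 Gbps
             7: 1.0, 8: 1.0, 9: 1.0}           # three 1G: 3 of 12 Gbps
    print("mixed:", group_ratios(mixed), "oversubscribed:", oversubscribed_groups(mixed))
```

The takeaway the function makes visible: 2.5:1 is what you get only when all three ports of a group run at 10G (30 Gbps offered against 12 Gbps); put one 10G and two 1G ports in a group and it is 1:1, so where you plug the 10G optics matters as much as how many you have.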



Help with some STP issues (please)

I have this issue on a network where I keep getting these messages, and topology changes are happening rapidly.

_4th_3560X_1#debug spanning-tree bpdu
_4th_3560X_1#term mon
4th_3560X_1#
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/23 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03
26w6d: STP: Data 00000080
26w6d: STP: VLAN0001 Gi0/23:0000 00 80
26w6d: STP: VLAN0001 Gi0/15 tx BPDU: tcn: 0000 00 80
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 81 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0200 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/15 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/23 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03
26w6d: STP: Data 00000080
26w6d: STP: VLAN0001 Gi0/23:0000 00 80
26w6d: STP: VLAN0001 Gi0/15 tx BPDU: tcn: 0000 00 80
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 81 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0200 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/15 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/23 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03
26w6d: STP: Data 00000080
26w6d: STP: VLAN0001 Gi0/23:0000 00 80
26w6d: STP: VLAN0001 Gi0/15 tx BPDU: tcn: 0000 00 80
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 81 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0200 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/15 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/23 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03
26w6d: STP: Data 00000080
26w6d: STP: VLAN0001 Gi0/23:0000 00 80
26w6d: STP: VLAN0001 Gi0/15 tx BPDU: tcn: 0000 00 80
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 81 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0200 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/15 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03
no
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/23 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03
26w6d: STP: Data 00000080
26w6d: STP: VLAN0001 Gi0/23:0000 00 80
26w6d: STP: VLAN0001 Gi0/15 tx BPDU: tcn: 0000 00 80
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 81 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0200 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/15 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03
s
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/23 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03
26w6d: STP: Data 00000080
26w6d: STP: VLAN0001 Gi0/23:0000 00 80
26w6d: STP: VLAN0001 Gi0/15 tx BPDU: tcn: 0000 00 80
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 81 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0200 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/15 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03
no d
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200 0F00
ebug all
All possible debugging has been turned off
_4th_3560X_1#
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/23 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03
26w6d: STP: Data 00000080
26w6d: STP: VLAN0001 Gi0/23:0000 00 80
26w6d: STP: VLAN0001 Gi0/15 tx BPDU: tcn: 0000 00 80
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 81 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0200 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/15 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0

Any help with the troubleshooting would be great. I just need some new ideas.
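An added example, not part of the post: a decoder for the raw IEEE 802.1D BPDU bytes that `debug spanning-tree bpdu` prints, run on the hex strings copied from the output above. Reading the fields rather than the hex is usually the fastest way to see who claims to be root, which port the TCNs enter on, and what the flag bits are doing.

```python
# Added example, not part of the original post: decode the raw IEEE 802.1D
# BPDU bytes that "debug spanning-tree bpdu" prints, so the root ID, sender
# bridge ID, port ID, flags and timers can be read without doing the hex by
# hand. The sample hex strings are copied from the debug output above.
import struct
from dataclasses import dataclass


@dataclass
class Bpdu:
    bpdu_type: str                     # "config" or "tcn"
    flags: int = 0
    topology_change: bool = False      # flag bit 0 (TC)
    topology_change_ack: bool = False  # flag bit 7 (TCA)
    root_id: str = ""                  # pppp.mmmm.mmmm.mmmm
    root_priority: int = 0             # raw 16-bit priority field
    root_sysid_ext: int = 0            # 802.1t extended system ID (VLAN on Cisco)
    root_path_cost: int = 0
    bridge_id: str = ""
    bridge_priority: int = 0
    bridge_sysid_ext: int = 0
    port_priority: int = 0
    port_number: int = 0
    message_age: float = 0.0           # seconds
    max_age: float = 0.0
    hello_time: float = 0.0
    forward_delay: float = 0.0


def _bridge_id(raw: bytes):
    """Split an 8-byte bridge ID into (priority field, sysid ext, text)."""
    (field,) = struct.unpack(">H", raw[:2])
    mac = raw[2:8].hex()
    text = f"{field:04x}.{mac[0:4]}.{mac[4:8]}.{mac[8:12]}"
    # 802.1t: top 4 bits are the priority (multiples of 4096), low 12 bits
    # the system ID extension, which Cisco PVST+ sets to the VLAN number.
    return field, field & 0x0FFF, text


def decode_bpdu(hex_text: str) -> Bpdu:
    """Parse a configuration or TCN BPDU from a hex dump (whitespace ignored)."""
    data = bytes.fromhex("".join(hex_text.split()))
    if len(data) < 4:
        raise ValueError("too short for a BPDU")
    proto, _version, btype = struct.unpack(">HBB", data[:4])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto:#06x}")
    if btype == 0x80:
        return Bpdu(bpdu_type="tcn")          # TCN carries no further fields
    if btype != 0x00:
        raise ValueError(f"unsupported BPDU type {btype:#04x}")
    if len(data) < 35:
        raise ValueError("truncated configuration BPDU")
    flags = data[4]
    root_field, root_ext, root_text = _bridge_id(data[5:13])
    (cost,) = struct.unpack(">I", data[13:17])
    br_field, br_ext, br_text = _bridge_id(data[17:25])
    port_id, msg_age, max_age, hello, fwd = struct.unpack(">HHHHH", data[25:35])
    return Bpdu(
        bpdu_type="config",
        flags=flags,
        topology_change=bool(flags & 0x01),
        topology_change_ack=bool(flags & 0x80),
        root_id=root_text, root_priority=root_field, root_sysid_ext=root_ext,
        root_path_cost=cost,
        bridge_id=br_text, bridge_priority=br_field, bridge_sysid_ext=br_ext,
        port_priority=port_id >> 8, port_number=port_id & 0xFF,  # Cisco 8/8 split
        # timers are carried in units of 1/256 s
        message_age=msg_age / 256, max_age=max_age / 256,
        hello_time=hello / 256, forward_delay=fwd / 256,
    )


def sender_mac(enc_hex: str) -> str:
    """Source MAC from the 'STP: enc' line (dst MAC, src MAC, length, LLC)."""
    data = bytes.fromhex("".join(enc_hex.split()))
    return ":".join(f"{b:02x}" for b in data[6:12])


if __name__ == "__main__":
    samples = {
        "rx on Gi0/15": "0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00",
        "tx on Gi0/23": "0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200 0F00",
        "rx on Gi0/23": "0000 00 80",
    }
    for name, hx in samples.items():
        print(name, decode_bpdu(hx))
    print("Gi0/23 neighbour:", sender_mac("01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03"))
```

Decoded, the BPDU arriving on Gi0/15 is from the root itself (root ID 8000.000a.04e2.cdc0, path cost 0, frame source 00:0a:04:e2:cd:cc) with both TC and TCA set; the `0000 00 80` received on Gi0/23 from f4:ac:c1:07:d7:98 is a TCN, which this switch relays up its root port Gi0/15 and acknowledges back on Gi0/23 with flags 0x81. So the repeating topology changes in this capture are entering on Gi0/23; identifying that MAC, and checking whether that port should be receiving BPDUs at all (if it is an access port, BPDU guard or root guard belongs there), is the next step.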



SMB Firewall and VLANS

Hi!

I’m hoping for some advice on a network plan.

A little background:

I’m working for a smaller business where we have about 20 employee computers, 15 IP phones, a couple networked printers, and about 20 servers (mostly testing servers, a couple production servers), all of which run on a flat network.

We’ve determined we need a new firewall to support VPN connectivity and we’d like to take the opportunity to spec the new firewall such that we can segment the flat network that exists today.

We’re thinking the following VLAN setup should meet our needs:

  • Public Server DMZ
  • Remote Access
  • Guest Internet
  • Employee Computers/Printers
  • Servers
  • Voice

Today we have a simple firewall at the Internet edge and a Dell PowerConnect N3048 L3 switch which just functions as an access switch.

A majority of the traffic today already either goes out to the Internet or to a site-to-site VPN that terminates at the firewall. Additionally, we have an AWS environment that we would want to eventually hook into with an always-on VPN, using this firewall.

Option 1:

I believe the simplest option is to use the firewall as the core to do all the routing with a trunk from the firewall to the switch. This is nice because of the central management aspect, ability to have all VLAN traffic controlled, and the existing switch supports trunking, but from research, the firewall could become bottlenecked if also having to route and inspect the internal VLAN traffic.

However, I don’t know if this is even really a concern at our scale if the firewall is spec’d large enough?

We are looking at FortiGate firewalls. Which metric(s) of a new firewall should we be looking at when trying to evaluate if this will be an issue?

Any suggestions on FortiGate firewall models based on my info?

Option 2:

Since we already own an L3 switch, I also considered routing between the Employee, Server and Voice VLANs using that switch and having the other VLANs off the firewall. I would potentially use ACLs to control inter-VLAN access on the switch.

Do ACLs allow the granularity where we could have all employee IPs able to connect to servers over HTTPS and only limited IPs (IT staff) able to connect to servers over RDP/SSH?

I was also hoping to use the firewall’s MAC filtering to prevent clients from changing their IPs, and I believe we will lose this ability using the switch to route? If so, is there any way to replicate this behavior at the switch without going with an all-out NAC solution?

Still learning, so always open to any other/better designs or suggestions!

Thanks for the help!



Need help tracing a suspicious stream of packets through a Palo Alto firewall. How did these things get onto my network, where did they come from and what are they doing?

tl;dr - Packets from a private address range that doesn't exist in our org are continually trying to get to our DCs on TCP 389. How do I get a better idea of where they're coming from and why?

My org uses a 10.0.0.0/8 internal addressing scheme, with the second octet indicating location, third indicating department, etc. Pretty common.

I was looking at logs from our internal Server segment firewall earlier today, and I noticed a stream of packets from the 192.168.0.0/16 range trying to get to our Domain Controllers on TCP 389 (I assume LDAP). My server firewall is dropping them because I don't have a rule configured for that address range, but I was confused as to how those packets got onto our network and why they're aiming for our DCs.

I traced the packets back to our edge Palo Alto firewalls, and specifically to one of the tunnel interfaces. This specific tunnel interface is used for our GlobalProtect gateway, but all of the DHCP addresses for our GlobalProtect clients are given out in the 10.x.<department VLAN>.x range. Yet all these packets have source IPs in the 192.168.0.0/16 range. There's no other information in the firewall logs about which user it might be coming from. See the show session id example below.

What's my next step in troubleshooting this? These packets are being dropped by our internal firewall and no one is complaining about anything not working, but I can't help but be confused as to where they came from and what they're trying to do.

Here's an example of one of the many sessions that I've seen like this, taken from my edge firewall which let it through.

Session 235688
  c2s flow:
    source: 192.168.1.103 [Zone_L3_Global Protect]
    dst: 10.-.-.- (one of our DCs)
    proto: 6
    sport: 55158 dport: 389
    state: INIT type: FLOW
    src user: unknown
    dst user: unknown
  s2c flow:
    source: 10.-.-.- (one of our DCs) [Inside_Routed]
    dst: 192.168.1.103
    proto: 6
    sport: 389 dport: 55158
    state: INIT type: FLOW
    src user: unknown
    dst user: unknown
  pbf rule: ISP Failover rule 11
  start time : Thu Feb 21 16:48:42 2019
  timeout : 5 sec
  total byte count(c2s) : 62
  total byte count(s2c) : 0
  layer7 packet count(c2s) : 1
  layer7 packet count(s2c) : 0
  vsys : vsys1
  application : incomplete
  rule : Global Protect to any
  session to be logged at end : True
  session in session ager : False
  session updated by HA peer : False
  layer7 processing : enabled
  URL filtering enabled : True
  URL category : any
  session via syn-cookies : False
  session terminated on host : False
  session traverses tunnel : True
  captive portal session : False
  ingress interface : tunnel.1
  egress interface : ae1
  session QoS rule : N/A (class 4)
  tracker stage firewall : Aged out
  end-reason : aged-out
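An added example, not part of the post: a small parser for the PAN-OS `show session id` layout above, with a check that flags what is odd about this particular session. The session text is the one quoted in the post (destination redacted there too); the expected client pool of 10.0.0.0/8 and the tunnel interface name `tunnel.1` are taken from the post. Nothing else here is from the firewall.

```python
# Added example, not from the original post: parse a PAN-OS "show session id"
# dump and flag sessions that entered via the GlobalProtect tunnel interface
# with a source outside the pool the gateway hands out. SESSION_TEXT is the
# dump quoted in the post; expected_pool (10.0.0.0/8) and tunnel.1 are the
# org's own figures from the post. Everything else is constructed.
import ipaddress
import re

SESSION_TEXT = """\
Session 235688
  c2s flow:
    source: 192.168.1.103 [Zone_L3_Global Protect]
    dst: 10.-.-.- (one of our DCs)
    proto: 6
    sport: 55158 dport: 389
    state: INIT type: FLOW
    src user: unknown
    dst user: unknown
  s2c flow:
    source: 10.-.-.- (one of our DCs) [Inside_Routed]
    dst: 192.168.1.103
    proto: 6
    sport: 389 dport: 55158
    state: INIT type: FLOW
    src user: unknown
    dst user: unknown
  pbf rule: ISP Failover rule 11
  start time : Thu Feb 21 16:48:42 2019
  timeout : 5 sec
  total byte count(c2s) : 62
  total byte count(s2c) : 0
  layer7 packet count(c2s) : 1
  layer7 packet count(s2c) : 0
  vsys : vsys1
  application : incomplete
  rule : Global Protect to any
  session traverses tunnel : True
  ingress interface : tunnel.1
  egress interface : ae1
  end-reason : aged-out
"""

FLOW_FIELD_RE = re.compile(
    r"(source|dst|proto|sport|dport|state|type|src user|dst user):\s*(\S+)")


def parse_session(text):
    """Split a 'show session id' dump into its c2s/s2c flows and top-level fields."""
    session = {"id": None, "c2s": {}, "s2c": {}, "fields": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Session "):
            session["id"] = int(line.split()[1])
        elif line in ("c2s flow:", "s2c flow:"):
            current = line[:3]
        elif current and FLOW_FIELD_RE.match(line):
            for key, value in FLOW_FIELD_RE.findall(line):
                session[current][key] = value
            zone = re.search(r"\[(.+?)\]", line)
            if zone and line.startswith("source:"):
                session[current]["zone"] = zone.group(1)
        else:                                  # "key : value" (first colon splits)
            key, _, value = line.partition(":")
            session["fields"][key.strip()] = value.strip()
            current = None
    return session


def session_anomalies(session, tunnel_iface="tunnel.1",
                      expected_pool=ipaddress.ip_network("10.0.0.0/8")):
    """Reasons a session that arrived through the VPN tunnel looks wrong."""
    fields = session["fields"]
    reasons = []
    if fields.get("ingress interface") != tunnel_iface:
        return reasons                         # only tunnel sessions are judged here
    src = ipaddress.ip_address(session["c2s"]["source"])
    if src not in expected_pool:
        kind = "RFC 1918 private" if src.is_private else "public"
        reasons.append(f"source {src} is {kind} and outside the client pool {expected_pool}")
    if session["c2s"].get("src user") == "unknown":
        reasons.append("no User-ID mapping for the tunnel source")
    c2s = int(fields.get("total byte count(c2s)", 0))
    s2c = int(fields.get("total byte count(s2c)", 0))
    if c2s and not s2c:
        reasons.append(f"one-way flow ({c2s} bytes c2s, 0 s2c), application "
                       f"{fields.get('application')}, ended {fields.get('end-reason')}")
    return reasons


if __name__ == "__main__":
    parsed = parse_session(SESSION_TEXT)
    print("session", parsed["id"], parsed["c2s"]["source"], "->",
          parsed["c2s"]["dst"], "port", parsed["c2s"]["dport"])
    for reason in session_anomalies(parsed):
        print(" -", reason)
```

Three things the check pulls out of this one record: the client-to-server source is RFC 1918 space that is not the pool the gateway assigns, there is no User-ID mapping for it (a pool address handed out by GlobalProtect would normally carry one), and the flow is a single 62-byte packet with nothing coming back (a SYN that got no reply, consistent with the inner firewall dropping it). Run over a batch of such sessions, the same parser lets you group by source address and start time, which is what you need before correlating against the gateway's connected-client list or a packet capture on tunnel.1 filtered on that source.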


What version of Aruba OS are you using on your switches?

We currently have a few of the 2930F and 2530 that seem to be running fine on 16.07.0003. This spring we are moving to Aruba 2930M and 3810M switches for the distribution and access layers; not sure yet what version I am going to put them on, probably the newest 16.07.



What's the best way to approach Amazon Prime Video about a public block?

Amazon's Prime Video service has blocks and blocks of addresses blocked to address the content licensing complications that VPNs can bring. (Speculation.)

I have a block for residential internet that I need to somehow tell them about. It's been done with Netflix before but I can't seem to be able to reach anyone that can help me over there.



WiFi quality agent

Does anyone know of an agent that can run on company devices and BYOD and reports back to a server how good the connection is on Ruckus WiFi? At our company we have several hundred acres of agricultural production across several sites and we are VERY dependent on WiFi. I know there are things like spectrum analyzers that show where radio is good and the signal strength from APs, but how about the quality returning to the AP? Anyway, I would like to know if there's an agent like that. Thanks!



I need a lesson in Layer 3 routing

The Details:

I have 4 x Dell N3048EP-ON switches stacked, 2 x N4032F switches stacked, and a FortiGate 500E.

To simplify the ordeal, let's just focus on a single switch and the FortiGate. Let's take 3 VLANs - 10, 20, and 30.

VLAN 10 - 192.168.10.1/24
VLAN 20 - 192.168.20.1/24
VLAN 30 - 192.168.30.1/24

Firewall:

The FortiGate has a LAN interface with the IP of 192.168.30.3/24. A simple static route (0.0.0.0/0 -> Public IP). A policy allowing all traffic sourced from VLAN30 going to the FG's WAN interface to allow all the things.

Routing:

InterVLAN routing works just fine. 10 can get to 20 and 30, 20 can get to 10 and 30 , etc. I'll setup ACLs later. My problem is routing to the Internet. The Default Gateway is the FortiGate's interface IP (192.168.30.3). The switch can ping/traceroute/whatever out to the Internet - take a traceroute to 1.1.1.1. Works A-OK.

What Works:

- If I put a host on 30NET, I can get out just fine.
- Like I stated before, the switches can ping the FG interface and 1.1.1.1.

What Doesn't Work:

- If I put a host on 10NET or 20NET, they can't get out.
- Said hosts can't even ping the FG LAN interface.
- A traceroute/tracepath stops at their VLAN gateway (192.168.10.1 or 192.168.20.1) and won't hop to 192.168.30.1 in order to hop to 192.168.30.1.

------------------------------------------------------------------------------------------------------------------

Weird Things I've Tried:

- I've added a VLAN interface to the FG's physical interface for each VLAN.
- I've then manually added static routes (0.0.0.0/0 -> 192.168.10.3 & 0.0.0.0/0 -> 192.168.20.3).
- Changed the switchport from an access port (VLAN 30) to a trunk allowing VLAN 10, 20, 30.
- This lets every host in each VLAN ping the FG LAN interface associated with their VLAN, but it causes some other weird behavior.
- I'm pretty sure the switches are only supposed to have a single static route and not multiple default gateways for each VLAN.

I'm fairly certain the problem lies in the layer 3 routing at the switch level. As I mentioned, they will route between VLANs perfectly fine, but it won't route any traffic out to the default gateway that isn't part of that host's VLAN.
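An added example, not part of the post: a longest-prefix-match walk through the two routing tables the post describes (the switch with its three SVIs and a default route to 192.168.30.3, the FortiGate with one LAN interface in VLAN 30 and a default route), plus a simplified strict reverse-path check of the kind a firewall applies on ingress. Interface names (`vlan10`, `lan`, `wan`), the host addresses and the `isp-next-hop` label are constructed; the FortiGate's real default check is the looser "any route to the source via this interface" form, which gives the same answer for these tables.

```python
# Added example, not part of the original post: longest-prefix-match over the
# two routing tables described in the post, plus a simplified strict
# reverse-path check. Interface names, host addresses and the ISP next-hop
# label are assumptions for illustration.
import ipaddress

# (prefix, next hop or None when directly connected, egress interface)
SWITCH_TABLE = [
    ("192.168.10.0/24", None, "vlan10"),
    ("192.168.20.0/24", None, "vlan20"),
    ("192.168.30.0/24", None, "vlan30"),
    ("0.0.0.0/0", "192.168.30.3", "vlan30"),    # default gateway = FortiGate LAN IP
]

# The FortiGate as described: LAN interface in VLAN 30, one default route.
FIREWALL_TABLE = [
    ("192.168.30.0/24", None, "lan"),
    ("0.0.0.0/0", "isp-next-hop", "wan"),       # placeholder for the public next hop
]

# The same firewall with return routes for the switch's other VLANs added.
FIREWALL_TABLE_WITH_RETURN_ROUTES = FIREWALL_TABLE + [
    ("192.168.10.0/24", "192.168.30.1", "lan"),
    ("192.168.20.0/24", "192.168.30.1", "lan"),
]


def lpm(table, address):
    """Longest-prefix match: (network, next_hop, iface) of the best route, or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def rpf_ok(table, source, ingress_iface):
    """Simplified strict reverse-path check: the best route back to the
    packet's source must point out of the interface it arrived on."""
    route = lpm(table, source)
    return route is not None and route[2] == ingress_iface


def round_trip(firewall_table, host, destination="1.1.1.1"):
    """Trace host -> switch -> firewall -> destination and the reply's direction."""
    hops = []
    sw = lpm(SWITCH_TABLE, destination)
    hops.append(f"switch forwards {host}->{destination} to {sw[1]} on {sw[2]}")
    if not rpf_ok(firewall_table, host, "lan"):
        hops.append(f"firewall drops packet from {host}: reverse path check fails on lan")
        return hops
    out = lpm(firewall_table, destination)
    hops.append(f"firewall forwards to {destination} via {out[1]} on {out[2]}")
    back = lpm(firewall_table, host)
    hops.append(f"reply to {host} goes via {back[1]} on {back[2]}")
    return hops


if __name__ == "__main__":
    for table_name, table in (("as described", FIREWALL_TABLE),
                              ("with return routes", FIREWALL_TABLE_WITH_RETURN_ROUTES)):
        for host in ("192.168.30.50", "192.168.10.50"):
            print(table_name, host, "->", " | ".join(round_trip(table, host)))
```

What the walk shows: with only the connected 192.168.30.0/24 and a default route, the firewall's best route back to a 10NET or 20NET host is the WAN, so such packets fail the reverse-path check on the LAN interface (and even without that check, the replies would leave via the WAN), which is exactly the "can't even ping the FG LAN interface" symptom. Adding 192.168.10.0/24 and 192.168.20.0/24 via the switch's 192.168.30.1 gives the firewall a return path on the same interface. Note also that a firewall policy whose source is only the VLAN 30 subnet still would not match those hosts; the policy source needs to cover every VLAN the switch routes toward it.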



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Résumé advice?

To keep it brief, I started out on the NOC at my current position two years ago. Across the two years I learned really fast and moved up twice to their Level 2 Routing/Switching team. At this point I get paid about 15k less than the lowest guy on the team. They say they're willing to give me 5k increases every year to bring me up to par, but I think it's time to move on (or use an offer to get a big raise).
 

I don't have doubts they will offer me more money if I say I'm leaving; I've fixed some really nasty issues that had everyone stumped, brought a lot of improvements to the SNMP monitoring and I'm the only guy on the team who can code well. I know automation is popular right now, which is good because I've been doing a lot of work with Python (Netmiko) to address some gaps. This is a large enterprise company.

 

Problems: No certs(colleagues say my knowledge is CCNP at least), no post-secondary.

Anyone been in a similar situation and have advice on getting to an interview? I'm pretty confident I can impress in an interview if the interviewers are technical, it's just getting there that I'm worried about. I know it might be smart to get certs first, but that's a lot of time/cost when I'm eager to move.



Cisco Nexus config-sync - Yes or No?

Situation is we have pairs of N5Ks with dual-connected N2Ks - i.e. each FEX connects to both switches.

At the moment we are not using the config-sync feature which means that if an interface is configured, we need to make sure we apply the exact same configuration on both switches. Sometimes this hasn't been done and boy that can be confusing for a while.. and this happens as different engineers might be doing this work who are not familiar with the dual-homed Nexus or have forgotten the requirement.

So I'm looking for opinions from people using the config-sync feature as to whether you think it's worth it or not. I see some posts from a few years back where it sounded buggy. We are running 6.0.x FWIW.



Switch seeming to randomly lock up

We have an issue at our main building. 4 floors, and each of them has a UBNT switch handling all workstations for the floor. All share a single subnet. We have an issue where one wants to lock up for seemingly no reason. Yesterday the UBNT switch handling workstations on floor 2 locked up. We rebooted it and everything came back up. Today we replaced it with a spare. We then did a firmware update on the switch on floor 1. When we did, floor 2 (with the new switch) locked up again. We were able to reset it this time by just disabling and re-enabling the port from our main L3 to it. These switches on floor 1 and 2 aren't connected together. All UBNT floor-wide closet switches (each with 20-ish workstations attached) have runs to our main server room's L3 switch. No w ireless in the building. I'm thinking it almost has to be some kind of loop causing a broadcast storm. We set up monitoring on all ports on all switches to see if it happens again. In the meantime does anyone have any thoughts as to what else might be causing it? And why would the floor 1 switch firmware upgrade cause the floor 2 switch to lock up until we disabled and re-enabled its link to the rest of the network? My limited networking experience has me thinking we have a loop somewhere. Any thoughts or insight welcome.



OSPF Summarization Lab Question

So, I'm having trouble with this lab. I don't have access to enough equipment to do all sections as shown but I plan on doing a small portion just to make sure it works later on. Anyways, I've never gotten any proper explanation of how summarization works so been trying to figure it out on my own. Going to post an image of the assignment with what I've done so far.

https://i.imgur.com/TT7vbCJ.png

That's Area 10, there are 4 more Areas, 20-50 for a total of Areas 10, 20, 30, 40, 50. They're all roughly the same as above. Now, if I did something wrong I'd love a polite explanation of what it was.



Is there a ground loop in this diagram?

I'd like to know if there's a ground loop in this diagram.

Notes:

This is a swing gate rack so for weight purposes I've got a 2U vertical flush mount rack to hang the UPS on. The UPS has a NEMA 5-15P plug on it which includes a ground.

The busbar can be grounded to the building or to a ground rod outside.

How would you guys prefer to ground?



Using Interface PPPoE and IP?

Hi Team,

I have a question about a config that I am playing with.

I have a Cisco router's G8 interface connected to a modem. The router has a dialer interface that establishes a PPPoE connection through the modem. The dialer gets the IP 172.16.1.10/30. This works perfectly.

The modem also has a web page interface. The problem is that this page is hosted on 172.16.0.250. If I add a static IP address of 172.16.0.200/24 to the G8 interface, I can reach the web page from computers behind the router.

With this config, I am now using the G8 interface for both the traffic going through the dialer and the traffic accessing the modem's web page.

Is this the best way to solve this problem? Are there any dangers with this config?

Thanks for your help guys.



Server issues

I’m no expert, and will probably need many of the terms in your responses to be dumbed down. I have a server with four Opteron cores in it, each at 1.15 GHz, 46 GB of RAM, and no operating system. When we just let it boot, it flashes a BIOS screen for a split second, and shows a screen saying it’s booting through an Intel boot agent. It also has an option to press Ctrl+S. This will bring you into a menu that looks like this.

I have tried to boot the server with a hard drive running Windows 7, and using Parrot on a USB drive. The server still boots through the quick BIOS, shows the setup screen option thing, then turns off the monitor and screams (the on-board buzzer turns on and won’t turn off until the power is pulled).

Edit: I also have pictures of some of the numbers on the chips on the motherboard if needed for identification.



No Split Horizon with DMVPN?

Say I have 3 routers using DMVPN. Why does SH need to be turned off to propagate all routes? Can't R1 get unique routes directly from R2 and R3 advertisements and so on through a full DMVPN mesh?



WAN Load balancing - what am i looking for ?

Looking to load-balance between WANs for a company's main office. What type of hardware am I looking for?

some "specs":

  • "Head Quarters" has
    • 5 WANs (same ISP) at 35 Mbit/s down / 5 Mbit/s up (speed-test) (VDSL)
      • expected to grow to 100/200/400/1000 Mbit (soon^TM)
      • each WAN supplies IP telephony (including a SIP trunk)
    • 20 work stations (back office)
      • expected to grow to 40 within the year
    • 10-ish Wireless-clients
      • expected to grow to 100+ users with 2-3 devices each as 'the company moves away from "pen & paper" and embraces the 21st century' (quote) and allows BYOD.
    • 1x IPsec tunnel for a branch office (currently 5 Mbit/s)
      • 5 work stations
      • a plethora of Wireless clients
      • massive increase in bandwidth planned (due to remote backups (HQ <-> Branch office) being considered)
      • additional branch office to be integrated at some point (new tunnel - same size as above) - contingent on their connectivity increasing.

Backstory:

  • HQ and Branch Office have different 'contractors' responsible for their respective connectivity/network.
  • Second (planned) branch office has "in-house IT" and runs a paper-less office (for years) - looking forward to do remote-backups into "HQ"

The Problem:

I am being "quoted" Vendors (Watchguard, Sophos) and prices (ballpark 8.5k usd) , but no one is getting specific on what type of hardware this is going to be.

Addendum:

  1. (for the lack of proper terminology) I am looking for the type of "load balance" that mode "balance-tcp" on LACP with Open vSwitch does on my Proxmox servers) - yes, I am a sysadmin/'server admin' in charge of herding cats (here we are again ...)
  2. 35 Mbit/s is the max a single connection can provide (the line is supposed to do 50 Mbit/s)
  3. the tunnel between HQ and branch-office is at current fast enough. It is the WWW-usage at Main office that is crawling (1 connection utilized)


Can someone help me make sense of this wizardry..

Hi, everyone. I'm somewhat new to the networking and security side of things and I'm trying to wrap my head around some concepts. I've worked in telecommunications for a number of years (field technician) and have had some exposure but I've decided to take the leap and self-study my way into the realm of security. I'm close to taking my A+ cert currently to start climbing that ladder but if someone would be so kind to help me understand a few concepts better it would be much appreciated.

  1. When incoming data is sent to a gateway/router, attempting to reach a client that has sent no previous request for such data, how does the gateway handle that incoming traffic? Is it the job of a firewall to prevent those frames from entering the network, or is the data forwarded to the client regardless? If so, how does a client handle unsolicited incoming traffic? Is it dependent on whether the client is listening on that port?

  2. How is unsolicited incoming data "dropped" by a network or device? Are those electrical pulses dumped onto a grounding wire?

(Attempt at an example if it helps..)

SERVER_A is sending a HTTP response to HOST_A over the internet, though HOST_A never made a request for it. What happens?

Sorry if these questions seem "elementary". Thank you for taking the time to read and respond!
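An added example, not part of the post: a minimal stateful packet filter and end host, small enough to read in one sitting, that plays out the SERVER_A / HOST_A scenario asked about above. All addresses, ports and the "published" port-forward are constructed. "Dropping" in this model, as on a real device, is just the packet object not being handed to the next hop; the electrical signal was already consumed by the receiving interface before any decision was made.

```python
# Added example, not part of the original post: a minimal stateful packet
# filter (the gateway) and a minimal end host, to show what happens to
# unsolicited inbound traffic. All addresses and ports are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag summary: "S" (SYN), "SA" (SYN/ACK), "A", "R"


class StatefulFilter:
    """Gateway filter: forward inside-initiated traffic and the replies to it,
    plus inbound traffic to explicitly published (inside_ip, port) pairs.
    Anything else is dropped: the packet simply is not forwarded."""

    def __init__(self, inside_net, published=()):
        self.inside = ipaddress.ip_network(inside_net)
        self.published = set(published)
        self.table = {}     # (src, sport, dst, dport) -> state

    def _inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def handle(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if self._inside(p.src) and not self._inside(p.dst):
            if p.flags == "S":
                self.table[key] = "SYN_SENT"     # remember the outbound request
            return "FORWARD"
        if reverse in self.table:                # reply to something we asked for
            if p.flags == "SA" and self.table[reverse] == "SYN_SENT":
                self.table[reverse] = "ESTABLISHED"
            return "FORWARD"
        if (p.dst, p.dport) in self.published:   # deliberately exposed service
            return "FORWARD"
        return "DROP"


class Host:
    """End host: accepts segments for sockets it has, resets the rest."""

    def __init__(self, ip, listening=()):
        self.ip = ip
        self.listening = set(listening)
        self.pending = set()    # (peer_ip, peer_port, local_port) of requests sent

    def connect(self, dst, dport, sport):
        self.pending.add((dst, dport, sport))
        return Packet(self.ip, sport, dst, dport, "S")

    def receive(self, p):
        if p.flags == "S":
            return "SYN/ACK" if p.dport in self.listening else "RST"
        if (p.src, p.sport, p.dport) in self.pending:
            return "ACCEPT"
        return "RST"        # no socket is expecting this segment


def scenario():
    """HOST_A behind the gateway, SERVER_A on the Internet (constructed addresses)."""
    host_a_ip, server_a = "192.0.2.10", "203.0.113.5"
    fw = StatefulFilter("192.0.2.0/24")
    host_a = Host(host_a_ip)
    out = {}
    # 1. SERVER_A sends an "HTTP response" HOST_A never asked for: no state -> dropped.
    out["unsolicited"] = fw.handle(Packet(server_a, 80, host_a_ip, 40000, "SA"))
    # 2. HOST_A makes a request; the gateway records it and forwards the reply.
    out["request"] = fw.handle(host_a.connect(server_a, 80, 40001))
    reply = Packet(server_a, 80, host_a_ip, 40001, "SA")
    out["reply"] = fw.handle(reply)
    out["host_reply"] = host_a.receive(reply)
    # 3. Had the unsolicited segment reached the host, no socket expects it: reset.
    out["host_unsolicited"] = host_a.receive(Packet(server_a, 80, host_a_ip, 40000, "SA"))
    # 4. A published service (port-forward) is reachable without prior state.
    fw_pub = StatefulFilter("192.0.2.0/24", published={(host_a_ip, 22)})
    out["published"] = fw_pub.handle(Packet(server_a, 51000, host_a_ip, 22, "S"))
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:16s} -> {result}")
```

The two answers the model gives: a stateful gateway forwards inbound packets only when they match a connection the inside started (or a service deliberately published), and drops the rest by not forwarding them, with no electrical anything involved; and a host that does receive an unsolicited TCP segment answers with a reset (or, for a SYN to a closed port, a RST too), so "listening on that port" is what decides the host's side of it. Real filters also time entries out and track more state than SYN_SENT/ESTABLISHED, which this toy omits.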



Struggling to get 1000BASE-LX to work with SFP+ slots? (Netgate XG-7100)

I'm trying to get a Netgate XG-7100 working with an incoming 1GBASE-LX fiber line.

The media converter I tried from FS.com didn't work, so I'm going to try directly with optics.

I have confirmed the line has network connectivity, using a Juniper 740-011614 SFP optic in a Optiview XG tablet.

(I did try with an Intel FTLX1471D3BCVI31 (aka E10GSFPLR - Intel spec sheet); however, even though it's meant to be dual-rate, it didn't pick up a signal on either the Optiview XG or the Netgate XG-7100. Is there something you need to do special to get this to work?)

Question 1 - The XG-7100 only has an SFP+ port (Intel X553) - are there any SFP+ modules that support only 1GBASE-LX?

Question 2 - I did buy the PCI riser for the Netgate XG-7100, which I was hoping to try with an Intel X520-DA2, which I believe supports both SFP and SFP+. However, it seems to be keyed differently to the slot:

https://i.imgur.com/6U8bq3d.jpg

Any ideas what's going on, or what SFP/SFP+ cards could work here?



Studying for network+ cert.

Hey all, I'm currently studying for the CompTIA Network+ exam. I was wondering if y'all have any recommendations on how to get more hands-on for the lab sims. I've seen people mention virtual labs; I have downloaded VMware and am not sure where to go next.



switch for 96 to 756 endpoints

Hi all,

EDIT:

starting with 96 but have to support 756 endpoints and need 10G uplinks between the switches. All copper except for the uplink ports.

1g ports-2G full duplex



Advanced Cisco, network security, or server admin?

I was recently looking at college choices and majors that I will end up taking next year. I have my mind set on network management and security. The college that I choose has three options for the fourth and final year, Advanced Cisco networking specialist, Network Security specialist, and Server Admin specialist. Does anyone have an opinion on which path is best to take, or experience in one of these sections that will help me better understand the difference between the three? Thank you!



Stacked switches are slower to take commands

I noticed that my stacked 2960X switches take range commands really slow.

I typed in:

Config t

int range gi1/0/1-48

<Pasted Commands 5 commands>

and like 20 to 30 seconds later it finally finished applying the commands to the access ports. Does anyone know why it would be so slow? Commands to one interface are fairly fast, but when I use range, it's slow.



Data Center security

An interesting topic came up and I wanted to see how others accomplish this. Standard hub and spoke topology with the DC at the hub and IPsec VPN spokes to branches. Branches have LAN and WiFi routed back to the user network in the DC at 192.168.1.x. Our management VLAN in the DC is 192.168.99.x, and an admin at a branch office wants access to the .99 network. What we have them do is RDP to a .1 server, then use it as a jump host since everything in .1 is open to .99.

What do others do? I know another standard I've used for this is to have an SSL VPN for admins. A more secure approach than what we do is to have ACLs denying all .1 traffic to .99 except from specific servers that are used as jump hosts.
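An added example, not part of this post or the "SMB Firewall and VLANS" post earlier on the page, which asks the same kind of question (all employees to servers over HTTPS, only IT staff over RDP/SSH): a first-match ACL evaluator for testing an intended inter-VLAN policy before it is typed into a switch. The employee, IT-admin and server subnets are constructed; the 192.168.1.0/24 user and 192.168.99.0/24 management VLANs are from this post, and the jump host address is assumed.

```python
# Added example, not part of either post: a first-match ACL evaluator for
# testing an intended inter-VLAN policy before it goes on a switch.
# Employee/IT/server subnets are constructed; the 192.168.1.0/24 user and
# 192.168.99.0/24 management VLANs come from the Data Center security post
# and the jump host address is assumed.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                           # "permit" or "deny"
    proto: str                            # "tcp", "udp" or "ip" (any protocol)
    src: str                              # CIDR
    dst: str                              # CIDR
    dports: FrozenSet[int] = frozenset()  # empty = any destination port

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "ip" or self.proto == proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and (not self.dports or dport in self.dports))


def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; no match is the implicit deny at the end."""
    for rule in acl:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"


# A test case: (proto, src, dst, dport, intended action)
Case = Tuple[str, str, str, int, str]


def audit(acl, cases: List[Case]):
    """Cases whose actual result differs from the intended one."""
    return [(c, evaluate(acl, *c[:4])) for c in cases if evaluate(acl, *c[:4]) != c[4]]


EMPLOYEES, IT_ADMINS, SERVERS = "10.0.20.0/24", "10.0.20.8/29", "10.0.30.0/24"
# Applied inbound on the employee VLAN interface. IT admins sit inside the
# employee subnet, so their more specific entry has to come first.
EMPLOYEE_IN = [
    Rule("permit", "tcp", IT_ADMINS, SERVERS, frozenset({22, 3389})),
    Rule("permit", "tcp", EMPLOYEES, SERVERS, frozenset({443})),
    Rule("deny", "ip", EMPLOYEES, SERVERS),
    Rule("permit", "ip", EMPLOYEES, "0.0.0.0/0"),   # everything else (Internet etc.)
]
# Common mistake: the broad permit placed first shadows every entry below it.
EMPLOYEE_IN_MISORDERED = [EMPLOYEE_IN[3]] + EMPLOYEE_IN[:3]

EMPLOYEE_CASES: List[Case] = [
    ("tcp", "10.0.20.77", "10.0.30.5", 443, "permit"),     # any employee, HTTPS
    ("tcp", "10.0.20.77", "10.0.30.5", 3389, "deny"),      # non-IT, RDP
    ("tcp", "10.0.20.77", "10.0.30.5", 22, "deny"),        # non-IT, SSH
    ("tcp", "10.0.20.10", "10.0.30.5", 3389, "permit"),    # IT admin, RDP
    ("tcp", "10.0.20.10", "10.0.30.5", 22, "permit"),      # IT admin, SSH
    ("tcp", "10.0.20.77", "198.51.100.9", 443, "permit"),  # Internet still works
]

USERS, MGMT, JUMP_HOST = "192.168.1.0/24", "192.168.99.0/24", "192.168.1.50/32"
USERS_IN = [
    Rule("permit", "ip", JUMP_HOST, MGMT),      # only the jump host reaches mgmt
    Rule("deny", "ip", USERS, MGMT),
    Rule("permit", "ip", USERS, "0.0.0.0/0"),
]
USERS_CASES: List[Case] = [
    ("tcp", "192.168.1.20", "192.168.99.5", 22, "deny"),
    ("tcp", "192.168.1.50", "192.168.99.5", 22, "permit"),
    ("tcp", "192.168.1.20", "172.16.4.9", 443, "permit"),  # other traffic unaffected
]

if __name__ == "__main__":
    print("employee ACL mismatches:", audit(EMPLOYEE_IN, EMPLOYEE_CASES))
    print("misordered ACL mismatches:", audit(EMPLOYEE_IN_MISORDERED, EMPLOYEE_CASES))
    print("users ACL mismatches:", audit(USERS_IN, USERS_CASES))
```

Two caveats the evaluator makes explicit. Order matters: the misordered copy lets every employee RDP to the servers because the catch-all permit is hit first, and `audit` reports exactly those cases. And a switch ACL is stateless: it judges each direction on its own, so the server VLAN's inbound ACL needs matching permits for the return traffic (source port 443 back to the employee subnet, or an "established"-style entry where the platform has one), otherwise the HTTPS that this ACL allows never completes. For the "clients changing their IP" question in the SMB post, the switch-side equivalent of the firewall's MAC filtering is DHCP snooping with IP source guard (and dynamic ARP inspection), which bind a port to the address the client was leased; both Cisco IOS and the Dell N-series support these, under their own command syntax.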



Prototype of SSH over 900MHz XBee

Hey all,

Thought you might be interested in a little project I've been coding lately. The use case is for embedded Linux applications that need long-range, low-data-rate networking. They apparently used to make these 900 MHz products called WaveLAN, but the only one on the market today (AvaLAN) costs nearly one grand a pair. So, I wrote a little program in Python to run IP networking over Digi's XBee 900HP modules (it would work with other XBees, but if 2.4 GHz is acceptable you may as well use WiFi), which are only $40 a piece. They have UART and SPI interfaces and of course you can throw in an FTDI chip for USB serial.

The modules have a 200 Kbps RF data rate, and the actual optimum throughput is only 30 Kbps, so this is definitely a use case for M2M and embedded devices (unless you just like dialup speeds). They come with a proprietary DigiMesh protocol which is similar to Ethernet. You program each module's flash with a frequency hopping pattern, preamble, and network ID, all of which must match; there is no join/deauth pattern like with WiFi. Regular MACs are used for addressing. The firmware has built-in AES encryption, which would be a good choice as TLS will reduce bandwidth even further.

Rather than broadcasting ARP packets to resolve the IPs, I made use of a "node ID" feature that comes in the DigiMesh protocol. The code sets the Node ID to a string representation of the IP address, and then uses the built-in "node discover" feature to . The downside is that this incurs a fixed time penalty because it will always take the timeout to respond back over serial (the responding radio uses this time to avoid interrupting "real" traffic). There is a way to do broadcasts but they are repeated numerous times to ensure transmission across the mesh and so they would have a greater performance impact.

GitHub Link: https://github.com/aidanh010/StrangeNet

Demo Video: https://send.firefox.com/download/19fa2e0025/#vk_kjb8igC2Gn7xewCrhrg

I actually wrote this for my high school robotics team to use for transmitting scouting data at events, because WiFi networks are banned (they are used for the actual robots and they've had interference issues before) and we didn't want to violate the spirit of the rule with a different 2.4 GHz network (they are fine with Bluetooth due to its low power, but its range is not at all suitable). We are using CouchDB so a way to send regular TCP packets was a must.



Router without server

I'm at a loss because I'm searching for the wrong search terms.

In our new building, we will be subleasing to three or four other small businesses (almost in an executive suites setup). I think what I want is a router that lets me provide them internet access without letting them see other computers from another business.

My business has no need of an onsite file server--we are 100% cloud.

  1. Is it a thing to have a router that can set up VLANs without needing a dedicated server? If so, when I look at routers, what is that feature I'm looking for called or where can I read more?
  2. As a bonus question (for me!) (that may be in the explanations I should be reading but can't find) I was going to put IP phones on one VLAN, the shared printer on another, and each of the businesses' respective computers on their own VLANs. If I want to be that complicated, where everyone can "see" the printer but can't "see" other businesses' computers, is that exactly what a dedicated server is for? Am I blinding myself in thinking of servers primarily as file servers?

(rambling at this point: given that my firm has 6 users, and the tenants will be 1-4 users each, is the answer to just get cheap residential-grade routers for each tenant that separately connects to the modem and then if they want to print to the shared copier they either put it on a flash drive or I try to set up email to print?) (Taking that a step further, I could just give them access to guest wifi and make it their problem if they want to secure themselves from other people on the guest wifi.)

(my business is a law firm in a type of law where data privacy is a bigger concern than other law firms apparently think of it)



SSH clients

I have used many different SSH clients over the years, free and paid. Was wondering what people's preferences \ favorites are, or perhaps you have given up on a dedicated client and use UNIX. Are there any tricks you use (e.g. I used to add creds to the .ssh file for my local unix box to speed things up)? I am currently using solarputty, which is far from perfect but given that it's free and has features I like (tabs \ hotkeys \ credential retention - I know this is bad) I am sticking with it for the time being. I am sure this discussion has been had before but hoping it was not recently; if so, apologies in advance.



Opinions on connecting labs (GNS3 etc) to a wider campus network

Hi guys,

Long time reader first time post.

We have had a request to set up a network simulator that will run in virtual machines in a classroom of approx 30 physical PCs that are currently connected to our LAN covering the rest of our campus (HE environment). Not sure yet if the labs will involve bridging the virtual network to our LAN to reach the internet or other things, but I suspect it will, and regardless there is nothing to stop a student setting this up anyway.

What are people's opinions when connecting a lab with this sort of tools/software to a wider network? Should I be worried about any potential impact to the wider network? Am I being overly cautious? There is nothing stopping people using this sort of thing already on our network, but I am just wondering what needs to be considered before we decide to ok this, as students always seem to find ways of breaking things even if they aren't trying to be malicious.

We have layer 3 at the edge of our network and these machines are currently on their own VLAN but this is shared by machines that would be in other classrooms. Can put them onto their own VLAN. Anything else to consider besides DHCP snooping etc? Or would you just say no and tell them keep these lab machines off the main network to avoid any hassle?

Thanks



Sent packet errors on Cisco switches

Hey all,

Wondering if you can provide some insight on this. I'm trying to understand this for my own education here as I'm the security guy and I'm seeing this behavior logged into my SIEM product. Our network guys seem to think it's not a big deal (though I don't think I agree). I'm seeing logged sent packet error rates of sometimes as high as 90%+. Obviously, you can see why I might be alarmed by this. What would typically cause errors of this nature? At first it seemed like mostly the ports our APs were plugged into but I'm also seeing it on some of the switches in our data center. Any clue what would cause such a high error rate? Also, any clue why it would not seem to cause any issues? I'd have to think we'd see noticeable impact if it was erroring so badly. Should it matter, it's only sent packets not received.

Thanks in advance!



Switches for Medium Business

Hello /r/networking,

I have been given full responsibility over the Networking at my place of employment. The current project is to replace old switches with new ones and to get our backbone to 10g.

We had some sales guys give us a quote for 2960x switches. I was informed now that we can get newer switches rather than catalyst ones.

I take a lot of pride in my work, and I like to be as accurate as possible. Which leads to self doubt in my decision making since I want to be as optimal as possible (I'm working on that). My question is... I noticed there were new 9000 series Cisco Switches, I narrowed it down to the 9200 due to the swappable modules and better specs than the 2960x. Am I missing something here? I have a weird feeling that I'm going the wrong direction with the 9200 series due to the sales guy not pushing them.

What are your thoughts on 2960x vs 9000 series CISCO Switches?

Edit: Why down vote?



SD-WAN FEC and packet duplication

SD-WAN without FEC and packet duplication features can dynamically move traffic to the best VPN tunnel to ensure the best performance from the links available.

From my understanding packet duplication and FEC come into play and improve that end user experience further in the following 2 scenarios.

Scenario 1:

There are 2 WAN links available, and voice traffic is passing over both links when packet duplication is enabled, and over WAN 1 only when packet duplication is disabled. We then experience intermittent performance degradation/brownout or a complete failure of WAN 1.

WITH FEC/PACKET DUPLICATION

FEC and packet duplication can offer a seamless transition over to WAN 2 resulting in no noticeable impact to the end user.

WITHOUT FEC/PACKET DUPLICATION

Without this technology the end user will experience a disruption to the service and will last the duration of time it takes for the vendor equipment to detect the loss and failover to the second WAN link. This time varies based on vendor but in my experience it’s typically sub second.

Scenario 2:

There are 2 WAN links and both are experiencing intermittent performance degradation/brownout.

WITH FEC/PACKET DUPLICATION

Because traffic is being duplicated over both WAN links the packet has a better chance of arriving at the destination.

WITHOUT FEC/PACKET DUPLICATION

Because only 1 WAN link is being used the SD-WAN will pick the best of the bad links. Meaning the end users experience will suffer from all the loss, latency and jitter on that WAN link.

In my mind there is no question that FEC/packet duplication is an innovation that improves the end user experience. This feature from my experience really resonates with customers and facilitates them buying into the SD-WAN technology.

Now, to the points I would like us to debate

With regards to scenario 1, a sub second disruption while the failover takes place is tolerable for the majority of businesses.

With regards to scenario 2, how frequently does this scenario come about? If the ISPs that you are using take a similar path over the internet then there is a very good chance the end user experience will be poor regardless. Secondly, if the customer is using ISPs that are using diverse paths over the internet then the likelihood of this scenario happening is drastically reduced.

I predominantly work with SME customers based in Europe and the USA where they are looking at dual broadband links with their SD-WAN solution.

Is the benefit of packet duplication and FEC often overvalued? I work for a partner that offers two SD-WAN solutions, one that supports FEC and packet duplication, and one that doesn't, with the price difference being approximately 3 times. In addition you are also increasing your bandwidth consumption, a resource which is typically a bottleneck for organizations.

If we put aside for the moment all other technical differences that the two vendors have, also the sales aspect which typically involves trying to take as much money as possible from the customer.

When would you pay 3 times the price to allow you to go with a vendor that offers FEC and packet duplication if that was the only relevant differentiator between the two vendors?

My belief is that it's going to most likely be large global enterprises who often have branches in areas with poor connectivity options, possibly with a high dependence on real time traffic, who probably know the cost to the business of any disruption to these services and are happy to absorb the higher cost to get this feature.

For a lot of my customers I feel that this technology is potentially overkill especially as they are operating in areas of the globe where connectivity options are generally good. I don’t feel the price difference is great value for money.

Apologies for the long-winded rambling nature of this post. I suppose it's more of a series of statements I would like you to approve/challenge and really just give your insight on, as I'm still pretty fresh to this technology. It would be great to hear from people who have extensively tested both and understand why they chose one over the other based on this FEC/packet duplication.
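A small model of the two scenarios in the post, added here as an illustration and not part of the original post or any vendor's material. The loss rates, the 0.8 s failover detection window and the 50 packets/s voice stream are constructed assumptions (50 pps is what a G.711 call with 20 ms packetization sends; the sub-second detection time follows the post's own figure). It shows the closed-form loss for scenario 2, a Monte Carlo check of it, the packets lost during a scenario 1 failover, and the bandwidth price of duplication.

```python
import random


def packet_loss(p1, p2, duplicate):
    """Scenario 2 in closed form: independent per-packet loss p1 and p2 on the
    two links. A single-path SD-WAN steers onto the better link, so loss is
    min(p1, p2); with duplication a packet is lost only if both copies are."""
    return p1 * p2 if duplicate else min(p1, p2)


def simulate_loss(p1, p2, duplicate, packets=50_000, seed=7):
    """Monte Carlo check of packet_loss(); returns the measured loss fraction."""
    rng = random.Random(seed)
    lost = 0
    for _ in range(packets):
        dropped1, dropped2 = rng.random() < p1, rng.random() < p2
        if duplicate:
            lost += dropped1 and dropped2
        else:
            lost += dropped1 if p1 <= p2 else dropped2
    return lost / packets


def failover_loss(outage_s, detect_s, pps, duplicate):
    """Scenario 1: WAN 1 goes dark for outage_s seconds. Without duplication the
    packets sent until probe-based failover fires (detect_s) are lost; with
    duplication the WAN 2 copy of each packet still arrives."""
    if duplicate:
        return 0
    return round(min(outage_s, detect_s) * pps)


def bandwidth_cost(kbps, duplicate):
    """Duplication sends every packet on both links, so paid-for WAN usage doubles."""
    return kbps * (2 if duplicate else 1)


if __name__ == "__main__":
    for p1, p2 in ((0.02, 0.05), (0.10, 0.10)):
        for dup in (False, True):
            print(f"loss {p1:.0%}/{p2:.0%} dup={dup}: "
                  f"analytic={packet_loss(p1, p2, dup):.4f} "
                  f"simulated={simulate_loss(p1, p2, dup):.4f}")
    # constructed: 30 s outage, 0.8 s detection window, 50 pps voice stream
    print("failover loss, no dup:", failover_loss(30, 0.8, 50, False), "packets")
    print("failover loss, dup   :", failover_loss(30, 0.8, 50, True), "packets")
    print("WAN usage for a 100 kbps flow with dup:", bandwidth_cost(100, True), "kbps")
```

The model says nothing about price; it only quantifies the two things the post weighs against each other: how much loss duplication removes on correlated-versus-independent paths, and that it does so by spending twice the bandwidth.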



From Fed to Private...making the switch

I'd love to hear people's experiences moving from the federal government to the private sector. I'm a GS-14 step 4 with 16 years of federal service (4 via military buy back). My current career path is either to move into a managerial position as a 14 or compete and promote to a GS-15 where a minimum 50% travel is the expectation. I have 2 young kids at home and a stay at home wife. I've been interviewing for a senior leadership position at a very prestigious government contractor, pay is significantly more than I would ever make as a Fed and the position requires next to no travel. It's a regular M-F 8-5 gig. They also contribute 10% to 401k.

I'm 90% certain that I will make the jump to private if provided with an offer like we have discussed but wanted to hear from others who have been in this situation.

I'm a service connected disabled vet so if I wanted to get back into the federal government I think I'd be able to. I kind of look at it like this opportunity will only be here now, the federal government will always be there.

Thoughts? Advice?



Monitoring bandwidth for Ethernet/IP networks

Hi,

I am looking for a tool to monitor the bandwidth of an industrial network. I am already aware of Cisco's Industrial Network Director, FactoryTalk Network Manager and Hirschmann Industrial HiVision. Are there any more tools available for monitoring traffic?



wlc 2504 traffic shaping / user ratelimit

the 2504 isn't really my speciality so a bit unsure if this is possible as on the bigger platforms..

Can't seem to find any ways to ratelimit per user for an ssid.. only thing that comes up when using some gfu is for the bigger platforms.

Are there any quickfixes? - I guess I could just move the traffic to a dedicated port and drop it out at 10Mbit but that's a bit of a meh solution imo..

We are considering migrating to a 5520 or 9800 platform (most likely the first due to the limited age of the 9800) but we have a few issues with wifi users going nuts bandwidth wise that I would like to resolve now since the selection process is taking forever (go management!)



S2S VPN with HSRP

Hello together. I have a problem with my HSRP VPN.

The network looks like this: https://imgur.com/a/WGYFx1j

My problem is that PC0 can ping PC1 but PC1 can't ping PC0.

I think it's a problem with an access-list but I wasn't able to figure it out.

Router0 and Router1 are configured the same way (except their own ip address).

Router 0 config:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CISCO address 20.0.0.1
!
crypto ipsec transform-set VPN_TRANS esp-3des esp-md5-hmac
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 20.0.0.1
 set transform-set VPN_TRANS
 match address VPN_ACL
!
interface Loopback0
 ip address 8.0.0.6 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.0.0.3 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 10.0.0.1
 standby 1 preempt
 standby 1 name HSRP_1
 crypto map VPN_MAP redundancy HSRP_1
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.1.3 255.255.255.0
 duplex auto
 speed auto
 standby 2 ip 192.168.1.1
 standby 2 preempt
 standby 2 name HSRP_2
!
interface Serial0/1
 no ip address
 shutdown
!
interface Serial0/2
 no ip address
 shutdown
!
interface Serial0/3
 no ip address
 shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.0.7
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
!
ip access-list extended VPN_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Router 2 config:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CISCO address 10.0.0.1
!
crypto ipsec transform-set VPN_TRANS esp-3des esp-md5-hmac
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set VPN_TRANS
 match address VPN_ACL
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
 no fair-queue
!
interface FastEthernet0/1
 ip address 20.0.0.1 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN_MAP
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 20.0.0.7
!
!
ip nat inside source list 101 interface FastEthernet0/1 overload
!
!
ip access-list extended VPN_ACL
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any

Hope you can help me :)
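A consistency check over the two configs in the post, added here as an example; it is not the poster's tooling and not anything from Cisco. It parses abbreviated copies of the Router 0 and Router 2 configs above and cross-checks the things a site-to-site tunnel needs to agree on: each side's `set peer` must be the address the far end actually terminates on (the HSRP virtual IP when `crypto map ... redundancy` is used), the ISAKMP key must be bound to that peer, the transform sets must match, the crypto ACLs must mirror each other, and the NAT list must deny tunnel traffic before its overload permit. It also flags the 3DES/MD5/DH group 2 choices, which are deprecated. The regexes cover only the IOS lines that appear in the post; it does not explain the one-way ping by itself, it just rules out the mismatches that usually cause it.

```python
import re

# Legacy algorithms to flag (current guidance: AES, SHA-2, DH group 14 or higher).
WEAK = {r"\b3des\b": "3DES", r"\bmd5\b": "MD5", r"\bgroup 2\b": "DH group 2"}

# Abbreviated copies of the two posted configs (only the lines the checks read).
ROUTER0 = """\
 encr 3des
 hash md5
 group 2
crypto isakmp key CISCO address 20.0.0.1
crypto ipsec transform-set VPN_TRANS esp-3des esp-md5-hmac
 set peer 20.0.0.1
interface FastEthernet0/0
 ip address 10.0.0.3 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 name HSRP_1
 crypto map VPN_MAP redundancy HSRP_1
ip nat inside source list 101 interface FastEthernet0/0 overload
ip access-list extended VPN_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""
ROUTER2 = """\
 encr 3des
 hash md5
 group 2
crypto isakmp key CISCO address 10.0.0.1
crypto ipsec transform-set VPN_TRANS esp-3des esp-md5-hmac
 set peer 10.0.0.1
interface FastEthernet0/1
 ip address 20.0.0.1 255.255.255.0
 crypto map VPN_MAP
ip nat inside source list 101 interface FastEthernet0/1 overload
ip access-list extended VPN_ACL
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
"""


def parse(cfg):
    """Pull out the fields a site-to-site review compares across the two ends."""
    info = {"peer": None, "key_addr": None, "transform": None, "vpn_addr": None,
            "crypto_acl": [], "nat_list": None, "nat_entries": [], "weak": set()}
    if_ip, hsrp_ip, hsrp_name, named_acl = None, {}, {}, False
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            if_ip, hsrp_ip, hsrp_name = None, {}, {}
        elif m := re.match(r"ip address (\S+)", s):
            if_ip = m.group(1)
        elif m := re.match(r"standby (\d+) ip (\S+)", s):
            hsrp_ip[m.group(1)] = m.group(2)
        elif m := re.match(r"standby (\d+) name (\S+)", s):
            hsrp_name[m.group(2)] = m.group(1)
        elif m := re.match(r"crypto map \S+ redundancy (\S+)", s):
            info["vpn_addr"] = hsrp_ip.get(hsrp_name.get(m.group(1)))  # HSRP VIP
        elif re.fullmatch(r"crypto map \S+", s):
            info["vpn_addr"] = if_ip
        elif m := re.match(r"set peer (\S+)", s):
            info["peer"] = m.group(1)
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", s):
            info["key_addr"] = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", s):
            info["transform"] = m.group(1)
        elif m := re.match(r"ip nat inside source list (\S+)", s):
            info["nat_list"] = m.group(1)
        elif s.startswith("ip access-list extended "):
            named_acl = True
        elif named_acl and (m := re.match(r"permit ip (\S+) \S+ (\S+) \S+", s)):
            info["crypto_acl"].append((m.group(1), m.group(2)))
        elif m := re.match(r"access-list (\S+) (permit|deny) ip (\S+) \S+ (\S+)", s):
            info["nat_entries"].append(m.groups())
        info["weak"].update(lbl for pat, lbl in WEAK.items() if re.search(pat, s))
    return info


def review_pair(a, b):
    """Cross-check both ends: errors break the tunnel, warnings are crypto hygiene."""
    errors, warnings = [], []
    for me, other, tag in ((a, b, "Router 0"), (b, a, "Router 2")):
        if me["peer"] != other["vpn_addr"]:
            errors.append(f"{tag}: peer {me['peer']} != far-end tunnel address {other['vpn_addr']}")
        if me["key_addr"] != me["peer"]:
            errors.append(f"{tag}: isakmp key bound to {me['key_addr']}, not peer {me['peer']}")
        if me["transform"] != other["transform"]:
            errors.append(f"{tag}: transform-set does not match far end")
        if me["crypto_acl"] != [(d, s) for s, d in other["crypto_acl"]]:
            errors.append(f"{tag}: crypto ACL is not the mirror of the far end's")
        for src, dst in me["crypto_acl"]:
            # The NAT list must deny tunnel traffic before its overload permit; otherwise
            # inside addresses are translated first and never match the crypto ACL.
            exempt = False
            for num, action, s, d in me["nat_entries"]:
                if num == me["nat_list"] and s == src and d in (dst, "any"):
                    exempt = action == "deny"
                    break
            if not exempt:
                errors.append(f"{tag}: NAT list {me['nat_list']} translates {src}->{dst}")
        warnings += [f"{tag}: {w} is deprecated" for w in sorted(me["weak"])]
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for kind, items in review_pair(parse(ROUTER0), parse(ROUTER2)).items():
        print(kind, items)
```

Against the posted configs the structural checks pass and only the deprecated-algorithm warnings remain, so the next things to compare are what the snippet cannot see: which router is HSRP active for group 1 versus group 2 on the Router 0/Router 1 pair, and whether `ip nat inside`/`outside` is actually applied to the interfaces.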



Thinking of RJ45 instead of SFP+ 10Gb due to cost for small business. Any ideas? (Switch, networking cards and cables)

Hello everyone! I think it is my first time posting here.

I am doing some research for a friend who owns a small video editing company.

He currently has an appalling set-up and I stepped in to help and move his data on a FreeNAS box. We are looking to spend about 2-3k EUR for the whole setup with mainly used enterprise equipment and I understand that this may not be something this subreddit is used to. Please don't cringe too much!

I am looking at Dell 12 Gen servers, mainly R620 or R720. He is going to need an external hdd shelf anyway due to the large amount of data and drives. We will use Samba.

The caveat is that he is using old Mac Pros and Hackintosh machines for editing because his editors are used to working with Final Cut. They will be editing on the NAS. I want to move his workstations to 10Gb. Unfortunately, Mac OS does not support the usual (r/homelab) cheap Mellanox cards, so I am looking at Intel X520s, X540s or Aquantia AQtion based cards, all of which cost around 100 EUR, be it SFP+ or RJ45.

Moreover, the 12 Gen Dell servers have Mezzanine card options with Intel X520's or X540's that are similarly priced and the X540's (10Gbase-T) are more available in Europe. I am looking to conserve PCI-e slots for future use.

SFP+ cabling would be considerably more expensive. There are currently 5 workstations that need 15m+ of cable each. The cost of 10 MM SFP+ transceivers alone is about double what 5 x Cat6A patch cables of the required length cost.

Switch options are the Unifi 16-XG (SFP+) or Netgear XS708E (10Gbase-T). The Netgear is ~50 EUR cheaper but considered unreliable. The Unifi is said to have problems with the RJ45 ports, at least in 10Gb mode. The usual (r/homelab) used suspects like the Quanta LB6M are nowhere to be found in Europe, are expensive or draw too much power. At 0.2 EUR/kWh a more expensive 50W switch is going to pay for itself against a 150W+ cheaper one pretty quickly.

TL;DR

Need switch with at least 6 x 10Gb ports, new or used. SFP+ only if considerably cheaper than 500 EUR with <150W power consumption.

Switches that need lots of hackery (like complicated firmware flashing, difficult cli configuration etc) are not welcome.

Network will be flat, no need for advanced routing capabilities.

Unreliable equipment not welcome.

Has to be available in Europe. Cannot buy from US or Asia due to crazy import taxes.

LACP would be nice for the NAS to have a 20Gb uplink to the workstations. Not sure if it will be helpful or easy to implement.

Subnote: I know all of the above might not be recommended for a production grade setup. Unfortunately, the financial situation is forcing us to go down this route.



Wednesday, February 20, 2019

How to increase firewall/VPN skills?

Hello All,

As the title suggests, what's the best route to accomplish this? I currently have my CCNA and am working as a sys admin but don't get to touch the networking gear. My career goal is to become a network engineer. I am going to pursue my CCNP:RS, but wanted to get an idea of how firewalls and VPNs work as I believe this is a great skill to have since VPNs are everywhere.

CCNA did touch on these but I still don't feel knowledgeable about them. Since I have my CCNA, should I maybe branch off before diving into CCNP with, let's say, a Palo Alto cert or something like that? I def want to learn this technology but also want to have something for the resume.

Look forward to hearing your suggestions!

Thank you!!



Cogent can’t support more than a 7Gbps flow from AWS on a 10G interface.

Cogent is something else today. They called one of my NOC guys to say “Uh, hey, we need you to send less traffic over your port. We can’t handle 7Gbps on that 10G port you have. It is causing issues with peering for us.”

My response ...

Seriously? Your capacity management or lack thereof is not my problem. But thank you for letting me know that our port is artificially capped at less than the speed we are paying for so I can submit for a service credit.



DHCP client tool

I want to allocate myself four IP addresses from a DHCP pool. I am looking for a tool or script that runs on Linux, makes DHCP requests that look as if they came from four different devices, and reports what IP addresses were allocated. After this, I run the tool every <n> hours to renew the lease.

I realize that the correct way to do this is to talk to the admin, ask them to give me four addresses and then remove these addresses from the DHCP pool. This is going to be hard if not impossible.

Also I don't have real devices that can make DHCP requests. These four addresses will be assigned to any of several VMs on a need basis ("floating IPs" in OpenStack parlance).

Any tool recommendations?



Might have been better to post here so x-posting! - Managing devices behind roaming Cell/LTE connections.

https://ift.tt/2TZ7Tql



Please advise - Cisco AIR-1815W vs Ruckus 901-H320

Hello guys!

I'm having a specific situation, there is a need to order around 900 devices, for 900 rooms.

We decided because of many factors to go with an access point in each room. I have a professional IT company recommending me the Cisco AIR-1815W, and I have an architecture company offering me the Ruckus 901-H320.

Difference between these two products is around 45.000,00$ (Cisco more expensive)

Is Ruckus really comparable with Cisco?

Personally I would go with Cisco because I've been working with it a lot. But I always like to hear what others think.

Thanks!



How do I redirect traffic from urlA to urlB?

I have a proxy setup and I can redirect HTTP traffic as desired but I can't seem to do it with HTTPS requests. Any ideas? Suggestions?



Weird question... looking for large count fiber for a project

Hey guys and gals,

Former telco lady here. I'm feeling crafty, and wanted a piece of large count fiber to make something with. It turns out, that's not exactly easy to procure. I did find an unverified piece of trans-atlantic cable that Tiffany's sold in the 1900's, but I don't want to fuck up a piece of history like that. Does anyone know or have a slice of a large fiber bundle OR cable (like undersea)? I enjoy repurposing tech trash into pretty things! Not trying to sell this shit after I make it, either, so please don't think I'm trying to make money off this.

Thanks, and make sure you have a glass of bourbon at the end of your day!



DNS query for a period

Has anyone ever seen a DNS query for just a period?

I'm trying to figure out if the way my logs are being collected is causing this to show a DNS query as just a period, or if there are hosts querying for a period.

I found one article on like SANS indicating that it may be DoS activity that is related to a porn site but nothing else.

Any help would be great.

P.S. the log only shows a period, not a FQDN then a period at the end. I personally think the log is possibly showing me the period at the end that's being stripped into a new log.
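A way to test that hypothesis against the log itself, added here as an example and not from the poster. The sample lines are constructed in a BIND-style query-log format (the real collector's format is not given in the post); one record has been wrapped by the collector so that the FQDN's trailing dot, the class and the type land on a line of their own. The snippet shows what a collector that treats every line as a record counts as "." queries, then reassembles continuation lines and classifies what is left: a query for "." with type NS is the root priming query a recursive resolver sends at startup and periodically afterwards (RFC 8109) and is expected, while a "." query of any other type is worth looking at the client for.

```python
import re

# Constructed sample, BIND-style query log. The 192.168.1.22 record is wrapped
# across two lines by the collector, which is how a bare "." can show up.
SAMPLE_LOG = """\
20-Feb-2019 10:01:02.123 client 192.168.1.20#51234 (.): query: . IN NS +
20-Feb-2019 10:01:03.456 client 192.168.1.21#51235 (www.example.com): query: www.example.com IN A +
20-Feb-2019 10:01:04.789 client 192.168.1.22#51236 (mail.example.com): query: mail.example.com
. IN A +
20-Feb-2019 10:01:05.001 client 192.168.1.23#51237 (.): query: . IN A +
"""

TS = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")
QUERY = re.compile(r"client (?P<src>\S+) \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def naive_root_count(text):
    """What a collector that treats every line as one record sees: it takes the
    token before 'IN' as the name, so the wrapped fragment counts as a '.' query."""
    n = 0
    for line in text.splitlines():
        toks = line.split()
        if "IN" in toks and toks[toks.index("IN") - 1] == ".":
            n += 1
    return n


def reassemble(text):
    """Join continuation lines (no leading timestamp) back onto the record they
    were split from and return the list of whole records."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line  # "...mail.example.com" + ". IN A +"
    return records


def classify(record):
    """Return the parsed query plus a verdict, or None for unparseable records."""
    m = QUERY.search(record)
    if not m:
        return None
    src, qname, qtype = m.group("src"), m.group("qname"), m.group("qtype")
    if qname != ".":
        qname = qname.rstrip(".")  # normalise the FQDN's trailing dot
    if qname == ".":
        # Resolvers ask the root for "." NS (root priming, RFC 8109); expected.
        verdict = "root-priming" if qtype == "NS" else "root-other"
    else:
        verdict = "normal"
    return {"src": src, "qname": qname, "qtype": qtype, "verdict": verdict}


def analyse(text):
    return [c for c in map(classify, reassemble(text)) if c]


if __name__ == "__main__":
    print("per-line '.' hits:", naive_root_count(SAMPLE_LOG))
    for rec in analyse(SAMPLE_LOG):
        print(f"{rec['src']:<22} {rec['qname']:<18} {rec['qtype']:<4} {rec['verdict']}")
```

If the per-line count is higher than the reassembled count, the collector is splitting records; if the two agree and the "." queries are NS from your own resolvers, they are priming queries; anything else that remains is the list of clients to look at.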



Port forwarding without static IP?

2 pieces of hardware

- PC

- 4G LTE Modem

I have several PCs across the country and I'm connected to them through a 4G LTE modem, and the PCs are getting a private IP from that modem. As of now, I can access each PC remotely through port forwarding on the static address of the modem. These PCs, ever since I started working for my company, have always run off of DHCP and never had static IPs. We are in a transition phase where we are switching modem providers and they can't seem to grasp how our existing modems were set up to do port forwarding to our PCs since they are on DHCP and the IP may change at any point. I spoke with our existing provider and they advised that they have it set up so that when I SSH to 123.123.123.213 (modem's public IP) on port 122, the modem searches for 192.168.1.2 listening on port 22 and if no device has that, tries 192.168.1.3 listening on port 22, and if that doesn't work tries 192.168.1.4 listening on port 22, etc. They were beating around the bush to explain how they configured their modems to run like that. Does anyone know what type of port forwarding setup I need to tell our new provider in order for me to be able to access my machines? I'm seriously trying to avoid having to set private static IPs on hundreds of PCs if I can help it.



Not sure where to post this

I recently acquired a Dell Axium 30, and was wondering if it was possible to set it up for modern WiFi.

BTW it is the mid range model so I think it has built-in WiFi



Network issue with one remote site while transferring files to another.

Diagram: https://imgur.com/rdK21wO

While transferring large files to Site C from Site A connection to Site B appears to reach saturation, causing lost connections and transmission errors. This only occurs when transferring to or from Site C. Transferring files inside Site A has no effect on the connection to or from site B. Site A is the default route for both B & C.

Both sites are connected to Site A through the Core Switch.

  • Site B via 10Mb Metro-E, Using EIGRP with a trunked vlan interface(non-standard Management network).

  • Site C via Dark Fiber trunked on the same network management Vlan, as all other switches on Site A.

Site C shares no networks or vlans with Site B, and Site C is not shared with site B via EIGRP.



Router Recommendations Needed for 1-gig IPSec Throughput

It's shocking how cheap ISPs are offering 1-gig Internet circuits for these days. Especially CenturyLink Fiber+ 1-gig fiber for $550/month.

We want to utilize these cheap circuits to make direct IPSec connections into our Azure data center for backup/recovery.

Can anyone provide more economical options for a router that is capable of 1-gig IPSec sustained throughput?

It looks like pfSense has some purpose built hardware by Netgate in the $2500 range... was looking for something more economical.



Why does Freeradius have so many config files?

This is the part I don't get, why does Freeradius have so many config files scattered all over the place? I don't understand what is so difficult about having one file with different sections in it. I don't even remember where things are and need a manual just to remember what I did where and why.



Layer 3 Campus Design Problem

Hey, guys. I've been having an issue trying to implement FHRP with a Layer 3 interconnect between the Distribution switches and have no idea what's going wrong. VLANs do not span, so I have tried to limit L2 so that each access switch uplink is forwarding and there are no L2 loops. However, once I do that, hosts in one VLAN can still ping their default gateway, but when they try to ping another host in another VLAN all I'm getting is a timeout.

Basically my thinking was, when VLANs span you can sync HSRP active routers with STP root bridges. However, if the VLANs are restricted to a single access switch, you can make the link between the Distribution switches layer 3 and break the potential L2 loop, with the access switch essentially becoming like a hub and spoke topology with 2 forwarding upstream links to the Distribution layer, and you could then run GLBP instead of HSRP for load balancing. But it's not working and I don't know if I'm just being incredibly stupid and missing something obvious haha.

For what it's worth, I can't even establish an OSPF neighbor relationship between the 2 Distribution switches when they are both configured for a 10.0.0.0/30 point to point link.

Any help would be really appreciated!

Image of the Topology: https://imgur.com/a/i2sN5xd

And graphic from Cisco which I'm trying to implement: https://imgur.com/a/I9RpgHo

Thanks!



HELP Trunking on Dell S4820T force10 switches

Hi guys, I've been working with Cisco switches for the majority of my life, but recently we got these Dell S4820T switches. Has anyone had experience with setting them up in a vCenter environment and configuring them for trunking to the ESXi hosts? I've read that there are 2 types of trunks it can do, private-vlan trunk and vlan-stack trunk, but I've done what I've always done to configure trunking for Cisco switches and it doesn't seem to be the case with these. Any help would be greatly appreciated!!



Getting notified about FortiOS updates via PRTG

Anyone done something like that before? thanks.



Replacement ASA 5506 and ASDM

Excuse my lack of knowledge in advance, I've mostly been working with SonicWall and Fortigate in the firewall department.

So we've taken over a customer who has an ASA 5506 with OS 9.6(1) and ASDM version 7.6(1). We got the replacement unit which is running OS version 9.8. When I booted the new unit, the ASDM installed on site isn't supported with the newer OS on the ASA.

The issue is the customer doesn't have a valid service contract, so I'm unable to access any downloads on Cisco's website. How would you go about doing this upgrade - any tricks or just get a contract?

The replacement unit doesn't come with an extra power supply, so I have to schedule downtime for the customer in order to swap the unit and can't do any testing in my office. I was able to get most of the services running using the old running-config and CLI, except for the VPN tunnels. We also want the ASDM for long-term management.

EDIT: The old unit was affected by the clock signal bug which means it could die any time. This is why they received a replacement unit.



VAR Sales Engineer tired of Sales life.

I want to go back inside (IT Ops) but I’m afraid of the brain dump impact sales has left me. I left my Network Architect job 18mo ago for a VAR sales engineer gig.

Additionally I can probably expect a 40% pay loss and going back to 8-5 M-F rigid hours, whereas now I work my own hours and do about 50% travel.

Anyone else feel confined to the overly charming sales life with high pay, soul-sucking customer relationship management, and zero technical challenge?

On the other side I’m trying to count my blessings: aggressively saving money and working on my MBA.

I’m just afraid I will get left in the dust if I stay in sales too long - I’m missing hands on experience with the cloud/SDN evolution. Or maybe I should suck it up and finish school and then try to go back inside for a higher job (IT Director, etc).

Anyone have any advice?



trying to configure pap chap

R1

! not in the original post: the local entry R1 checks R3's PAP credentials against,
! and the shared secret R1 uses when R3 challenges it with CHAP
username R3 password 0 cisco
interface Serial0/1/0
 ip address 10.3.3.1 255.255.255.252
 encapsulation ppp
 ppp authentication pap chap
 ppp pap sent-username R1 password 0 cisco
 clock rate 2000000

R3

! not in the original post: the matching entry on R3
username R1 password 0 cisco
interface Serial0/1/0
 ip address 10.3.3.2 255.255.255.252
 encapsulation ppp
 ppp authentication pap chap
 ppp pap sent-username R3 password 0 cisco
 clock rate 2000000

I am trying to search online and all of the tutorials are pap only and chap only. I've read that you can configure pap chap or chap pap together but the powerpoint doesn't include a sample configuration. I tried the configurations above and it doesn't work.
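The exchange that `ppp authentication pap chap` drives, as an added Python simulation; it is not IOS code and not from the poster. Each `Router` carries what the config lines map to: `sent` mirrors `ppp pap sent-username NAME password PW`, and `users` mirrors the local `username NAME password PW` entries that the router needs both to verify the peer's PAP request and to find the shared secret for a CHAP challenge. The authenticator tries PAP first and falls back to CHAP, each direction separately. It also makes the wire difference visible: the PAP request carries the password in clear, the CHAP response only an MD5 hash over a fresh challenge (RFC 1994). Class and function names are this example's own.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Router:
    """One PPP endpoint. 'sent' is the (username, password) it offers via PAP;
    'users' is its local username database, {peer_name: password}."""

    def __init__(self, hostname, sent, users):
        self.hostname = hostname
        self.sent = sent
        self.users = users
        self._pending = None  # (id, challenge) of the CHAP challenge we issued

    # PAP (RFC 1334): the Authenticate-Request carries the password in clear text.
    def pap_request(self):
        return {"peer_id": self.sent[0], "password": self.sent[1]}

    def pap_verify(self, req):
        expected = self.users.get(req["peer_id"])
        return expected is not None and hmac.compare_digest(expected, req["password"])

    # CHAP: the secret never crosses the link, only a hash over a fresh challenge.
    def chap_challenge(self):
        self._pending = (os.urandom(1)[0], os.urandom(16))
        return {"id": self._pending[0], "value": self._pending[1], "name": self.hostname}

    def chap_answer(self, ch):
        secret = self.users.get(ch["name"])  # IOS looks the challenger up by name
        if secret is None:
            return None
        return {"id": ch["id"], "name": self.hostname,
                "response": chap_response(ch["id"], secret.encode(), ch["value"])}

    def chap_verify(self, resp):
        secret = self.users.get(resp["name"]) if resp else None
        if secret is None or resp["id"] != self._pending[0]:
            return False
        good = chap_response(self._pending[0], secret.encode(), self._pending[1])
        return hmac.compare_digest(good, resp["response"])


def authenticate(authenticator, peer, methods=("pap", "chap")):
    """Mirror 'ppp authentication pap chap': try PAP, then CHAP. Returns the
    method that succeeded, or None when the peer could not be authenticated."""
    for method in methods:
        if method == "pap" and authenticator.pap_verify(peer.pap_request()):
            return "pap"
        if method == "chap":
            answer = peer.chap_answer(authenticator.chap_challenge())
            if authenticator.chap_verify(answer):
                return "chap"
    return None


def mutual(r_a, r_b):
    """Both sides configure 'ppp authentication', so each authenticates the other."""
    return {f"{r_a.hostname} checks {r_b.hostname}": authenticate(r_a, r_b),
            f"{r_b.hostname} checks {r_a.hostname}": authenticate(r_b, r_a)}


def lab():
    # The posted R1/R3 config plus the 'username' entries it needs (constructed).
    r1 = Router("R1", ("R1", "cisco"), {"R3": "cisco"})
    r3 = Router("R3", ("R3", "cisco"), {"R1": "cisco"})
    return r1, r3


if __name__ == "__main__":
    r1, r3 = lab()
    print("with username entries:", mutual(r1, r3))
    print("CHAP only            :", authenticate(r1, r3, methods=("chap",)))
    print("R3 without 'username R1 ...':", authenticate(Router("R3", ("R3", "cisco"), {}), r1))
    print("on the wire, PAP :", r1.pap_request())
    print("on the wire, CHAP:", r1.chap_answer(r3.chap_challenge()))
```

Remove the `users` entry on either side and that direction fails for both methods, which is the behaviour of a pair of routers configured with `ppp authentication` but no `username` lines.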



Network/Firewall design for streaming services

Hello,

I'm brainstorming about a setup we will have to figure out soon. We have a streaming network currently that sits on N5K's.

The incoming internet line is 4* 40Gbps, terminated on N5Ks. The hosts (streaming servers) are also connected into that network and are secured with iptables. There is no FW cluster nor services active in this network.

The idea is to modernize this setup. The challenges we face are quite simple:

Incoming speed is 40Gbps; if we want to talk seriously about security we'll need traffic filtering of some sort. But the flow of the traffic will not be 40Gbps inbound, but rather outbound. The endpoint on the internet will ask to set up a session and our network will have to respond with the bandwidth.

I know there is a setup that exists (I've seen it in the past before) with triangle routing, you filter the incoming request (which is not at 40Gbps), you respond (allow/block) and then route the traffic to the endpoint. But the routing is not done via the firewall due to the massive requirement of 40Gbps.

I haven't been that active in the Firewall world to know if anything in the product line of Palo Alto/F5/... can offer this solution. A potential problem I see is: What if the incoming stream request needs to be encrypted?

Potentially I could setup an ACI fabric (single small pod) and deal with the bandwidth requirement (40Gbps) but it will only be able to offer basic FW (ACL), I'll have to look into PBR but I think the encryption of the stream will still pose a massive issue.

Anyone been in touch with these kinds of designs?



SolarWinds as a NOC monitoring tool?

The higher-ups in my company are pushing us to use SolarWinds as our primary monitoring tool, but from what I've seen, and from contact with the sales reps, it doesn't seem to be the best tool for this job.

We currently use WhatsUp Gold; it has an easy-to-see map layout. It's quick to see nodes and links that are down etc. and it automatically raises alerts via SNMP.

From looking at SolarWinds, it seems to be a tool to use if you want to dive deep into stats, rather than something which provides instantaneous alerting of live incidents.

Can SolarWinds be used as the only network monitoring tool, or do you supplement it with something else?



Phone call alerting

So this isn't networking per se but I think of it as "layer 0".

Can anyone recommend a service that can call more than one cell phone if a particular email message is received?

My nightmare scenario is for power to go out at our main site in the middle of the night, the generator doesn't start for whatever reason, and our data center goes on UPS and then runs out of juice. Yes, PowerChute can shut most things down, but not everything. And I want to avoid a shutdown if possible. Regular email alerts won't suffice - I and my team will sleep right through them. If we get alerted, we can remote onto the generator and try to command it to turn on, and then we'd shut down all our systems if the generator won't start. Ideally I'd love to exclude the weekly generator run tests from these phone alert blasts. Also helpful would be if the alert calls would come from the same number all the time so I can make sure any calls from that number blast my phone's ringer at full volume.

Thanks again in advance.



Administrating WiFi networks in convention halls

https://ift.tt/2Nex6u8

IPsec VPN issues - Cisco ASA to Dell SonicWall

I work as an integrator for a customer that is wanting to set up a site-to-site IPsec IKEv1 tunnel between their ASA 5515-X and another company's Dell SonicWall. As I have no experience with SonicWall, another integrator hired by the other company is handling that side of the config.

We attempted the cutover last night, and of course it did not go well. We were able to get phase 1 up, and then we kept getting a phase 2 mismatch. Strange thing was after a while, it would go back to giving an error in phase 1 that was saying the PSK was incorrect, and so we would both re-input the key, and it would work again and fail on phase 2. Then, out of the blue we lose both phase 1 and 2, and no matter what we did it would not come back up. Guy on the other side swears he didn't change anything, and I know I didn't. Now, I say this but I am very untrusting of anything the other integrator says, due to the fact that he came completely unprepared, and it took him an hour and a half to LOGIN to the firewall and find the location of where he even begins to configure the site-to-site connection.

All that being said, I am sharing a scrubbed copy of the basics of my configuration script, hoping someone can put eyes on it and let me know if anything looks off. I have used the basics of this script for multiple setups (though none to a Sonicwall), and it has always worked. I am admittedly not very experienced in these setups though, so it is very possible that I am missing something. /endnovel

The agreed upon parameters are:


PHASE 1


Encryption - AES256

Hash - SHA1

Peer Auth Method - Pre-Shared Key

Diffie-Hellman Group 2

IKE SA Lifetime - 86400 Seconds


PHASE 2


Auth protocol - ESP

Encryption Algorithm - AES-256

Hash - SHA1

DH - Group2

IPsec SA lifetime - 28800


SCRUBBED CONFIG


crypto ikev1 policy 5
 encryption aes-256
 hash sha
 authentication pre-share
 group 2
 lifetime seconds 86400

tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key presharedkey

object network x-Peer
 host x.x.x.x

access-list x-Tunnel-Interesting remark INTERESTING TRAFFIC FOR a-x TUNNEL
access-list x-Tunnel-Interesting extended permit icmp object OBJ-y object x-Peer
access-list x-Tunnel-Interesting extended permit tcp object OBJ-y object x-Peer
access-list x-Tunnel-Interesting extended permit icmp object OBJ-z object x-Peer
access-list x-Tunnel-Interesting extended permit tcp object OBJ-z object x-Peer

access-list x-Tunnel-Private remark PRIVATE TRAFFIC FOR a-x TUNNEL
access-list x-Tunnel-Private extended permit icmp object x-Peer object OBJ-y
access-list x-Tunnel-Private extended permit tcp object x-Peer object OBJ-y
access-list x-Tunnel-Private extended permit icmp object x-Peer object OBJ-z
access-list x-Tunnel-Private extended permit tcp object x-Peer object OBJ-z

crypto ipsec ikev1 transform-set x-set esp-aes-256 esp-sha-hmac

crypto map x-map 5 match address x-Tunnel-Interesting
crypto map x-map 5 set peer x.x.x.x
crypto map x-map 5 set ikev1 transform-set x-set
crypto map x-map 5 set security-association lifetime seconds 28800

nat (inside,outside) source static OBJ-z OBJ-z destination static x-Peer x-Peer no-proxy-arp route-lookup
nat (inside,outside) source static OBJ-y OBJ-y destination static x-Peer x-Peer no-proxy-arp route-lookup

Any help is greatly appreciated!
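Added worked example (not from the post, and not a claim about what the SonicWall is configured with): when phase 1 completes and phase 2 fails, the first thing to compare is the traffic selectors (proxy IDs) each side proposes. The ASA derives them from the crypto ACL, including the protocol, so the `permit icmp`/`permit tcp` ACEs above yield four protocol-specific selectors per peer rather than one `ip` selector per subnet pair, and a peer configured as "local subnet to remote subnet, any protocol" will not find a match. The script below parses the ACEs, builds the selector set, mirrors it against a constructed peer-side set, and reports the differences. `OBJECTS` (the object-to-network map, scrubbed in the post) and `PEER_IDS` are assumptions.

```python
import ipaddress
import re

# Object-to-network map. The post scrubs these, so the values are assumptions.
OBJECTS = {
    "OBJ-y": "10.10.10.0/24",
    "OBJ-z": "10.10.20.0/24",
    "x-Peer": "192.0.2.50/32",
}
PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}

ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+(\w+)\s+object\s+(\S+)\s+object\s+(\S+)"
)

# The crypto ACL from the post, one ACE per line.
ASA_AS_POSTED = """
access-list x-Tunnel-Interesting extended permit icmp object OBJ-y object x-Peer
access-list x-Tunnel-Interesting extended permit tcp object OBJ-y object x-Peer
access-list x-Tunnel-Interesting extended permit icmp object OBJ-z object x-Peer
access-list x-Tunnel-Interesting extended permit tcp object OBJ-z object x-Peer
"""

# The same tunnel with protocol-agnostic selectors (assumed alternative to compare against).
ASA_IP_ANY = """
access-list x-Tunnel-Interesting extended permit ip object OBJ-y object x-Peer
access-list x-Tunnel-Interesting extended permit ip object OBJ-z object x-Peer
"""

# What a peer configured as "local subnet <-> remote subnet, any protocol" proposes
# (constructed; the SonicWall side is not shown in the post). Tuples are
# (protocol, local network, remote network) as seen from the peer.
PEER_IDS = {
    (0, ipaddress.ip_network("192.0.2.50/32"), ipaddress.ip_network("10.10.10.0/24")),
    (0, ipaddress.ip_network("192.0.2.50/32"), ipaddress.ip_network("10.10.20.0/24")),
}


def crypto_acl_proxy_ids(config_text, acl_name, objects=OBJECTS):
    """Selectors (proto, local, remote) the ASA derives from the named crypto ACL."""
    ids = set()
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        proto, src, dst = m.group(2), m.group(3), m.group(4)
        ids.add((PROTO_NUM[proto],
                 ipaddress.ip_network(objects[src]),
                 ipaddress.ip_network(objects[dst])))
    return ids


def mirror(ids):
    """The peer's selectors as the local side would have to state them."""
    return {(proto, remote, local) for (proto, local, remote) in ids}


def phase2_diff(local_ids, peer_ids):
    """Return (local-only, peer-only) selectors; both empty means the proxy IDs agree."""
    expected = mirror(peer_ids)
    return local_ids - expected, expected - local_ids


if __name__ == "__main__":
    for label, cfg in (("as posted", ASA_AS_POSTED), ("permit ip", ASA_IP_ANY)):
        local_only, peer_only = phase2_diff(
            crypto_acl_proxy_ids(cfg, "x-Tunnel-Interesting"), PEER_IDS)
        print(f"{label}: {len(local_only)} selectors only on ASA, {len(peer_only)} only on peer")
```

On the ASA itself the equivalent check is `debug crypto ipsec` and `show crypto ipsec sa`, which print the local/remote identities and protocol for each negotiation; the peer's actual selectors should be read from its own configuration rather than assumed as above.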



CISCO VPN tunnel up with no traffic flowing - Rebooting Cable/DSL Modem fixes the issue

Seen this issue twice now. The first time was with one of our remote sites. The tunnel just stopped working one day. We confirmed the config on remote side matched the backup config and had not been changed in over a year. Config on local side matched backup and the only recent changes had been to some servers to an access list. After two days of troubleshooting, we were able to get someone into the comm closet to power cycle the modem. After that, the tunnel magically worked again.

Last night around midnight this issue hit our main data center and took down our tunnel to AWS. Once the sleep fog cleared I realized this was the exact same issue we had a month back with our remote site. No config changes on either side. Restarting the tunnel and rebooting the FW did not fix the issue. After a remote power cycle of the modem the tunnel started working again.

Anyone else seen this? My best guess the tunnel management port is passing traffic but something is stopping the traffic port from passing traffic.



Allow CRL File traffic in Palo Alto custom application

I am an intern at a company. One of my tasks is to revise the Palo Alto firewall rules. All CRL traffic falls into a blocked category. I can add all CRLs to the allow list, but this is not a good solution because there are a whole bunch and it is not that practical. I have copied a custom application from the forums but it still doesn't work. Any ideas?

Custom app: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUBCA0



HP L3 Switch ACL blocking DHCP for mobile but not laptops, why?

Network is 10.77.50.0/23

Gateway/Router/DHCP Server is 10.77.50.1

The ACL is an extended ACL applied as "vlan-in"

This ACL allows laptops to get DHCP but iPhones and Androids will not:

ip access-list extended "PublicWifi"
 10 remark "THIS ACE ALLOWS DHCP REQUESTS"
 10 permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
 20 remark "THIS ACE DENIES ICMP INCLUDING AND TRACEROUTE"
 20 deny icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
 50 remark "THIS ACE BLOCKS TO ANY 192.168.0.0/16 OTHER THAN ABOVE"
 50 deny ip 10.77.50.0 0.0.1.255 192.168.0.0 0.0.255.255
 60 remark "THIS ACE BLOCKS TO ANY 10.77.0.0/16 OTHER THAN ABOVE"
 60 deny ip 10.77.50.0 0.0.1.255 10.77.0.0 0.0.255.255
 70 remark "THIS ACE ALLOWS IP TRAFFIC TO ANYWHERE ELSE"
 70 permit ip 10.77.50.0 0.0.1.255 0.0.0.0 255.255.255.255
 exit

Once I allow all traffic local to the subnet/vlan, which I didn't think was necessary as it's not coming in to the vlan from outside...

This ACL allows the mobile devices as well:

ip access-list extended "PublicWifi"
 10 remark "THIS ACE ALLOWS DHCP REQUESTS"
 10 permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
 20 remark "THIS ACE DENIES ICMP"
 20 deny icmp any any
 30 remark "THIS ACE ALLOWS LOCAL IP TRAFFIC"
 30 permit ip 10.77.50.0 0.0.1.255 10.77.50.0 0.0.1.255
 40 remark "THIS ACE BLOCKS TO ANY 192.168.0.0/16"
 40 deny ip 10.77.50.0 0.0.1.255 192.168.0.0 0.0.255.255
 50 remark "THIS ACE BLOCKS TO ANY 10.77.0.0/16 OTHER THAN ABOVE"
 50 deny ip 10.77.50.0 0.0.1.255 10.77.0.0 0.0.255.255
 60 remark "THIS ACE ALLOWS IP TRAFFIC TO ANYWHERE ELSE"
 60 permit ip 10.77.50.0 0.0.1.255 0.0.0.0 255.255.255.255
 exit
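Added worked example (not from the post): the two ACLs differ only for DHCP traffic that is not sourced from 0.0.0.0. A client that already holds a lease renews it with a unicast DHCPREQUEST from its own address to the server's address (RENEWING state, RFC 2131 section 4.4.5); ACE 10 only matches 0.0.0.0 to broadcast, so in the first ACL that packet falls through to ACE 60 and is denied, while ACE 30 in the second ACL permits it. The evaluator below implements HP-style wildcard matching, first-match semantics and the implicit deny, and walks three DHCP client packet shapes through both ACLs. Which shape a given phone or laptop sends, and when, is an assumption for the demonstration, as are the client address and the ACL transcriptions (remarks omitted).

```python
import ipaddress

# Constructed ACL texts, transcribed from the post (remarks omitted).
ACL_ORIGINAL = """
10 permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
20 deny icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
50 deny ip 10.77.50.0 0.0.1.255 192.168.0.0 0.0.255.255
60 deny ip 10.77.50.0 0.0.1.255 10.77.0.0 0.0.255.255
70 permit ip 10.77.50.0 0.0.1.255 0.0.0.0 255.255.255.255
"""

ACL_WITH_LOCAL_PERMIT = """
10 permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
20 deny icmp any any
30 permit ip 10.77.50.0 0.0.1.255 10.77.50.0 0.0.1.255
40 deny ip 10.77.50.0 0.0.1.255 192.168.0.0 0.0.255.255
50 deny ip 10.77.50.0 0.0.1.255 10.77.0.0 0.0.255.255
60 permit ip 10.77.50.0 0.0.1.255 0.0.0.0 255.255.255.255
"""

# DHCP client packets as (name, proto, src, sport, dst, dport). Which of these a given
# phone or laptop sends, and when, is an assumption for the demonstration.
PACKETS = [
    ("DISCOVER / initial REQUEST (no address yet)", "udp", "0.0.0.0", 68, "255.255.255.255", 67),
    ("REQUEST while REBINDING (broadcast)", "udp", "10.77.50.20", 68, "255.255.255.255", 67),
    ("REQUEST while RENEWING (unicast to the server)", "udp", "10.77.50.20", 68, "10.77.50.1", 67),
]


def _ip_int(s):
    return int(ipaddress.IPv4Address(s))


def _addr_spec(tokens, i):
    """Consume 'any' or '<addr> <wildcard>' plus an optional 'eq <port>'."""
    if tokens[i] == "any":
        net, wild, i = 0, 0xFFFFFFFF, i + 1
    else:
        net, wild, i = _ip_int(tokens[i]), _ip_int(tokens[i + 1]), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return net, wild, port, i


def parse_acl(text):
    """Parse '<seq> <permit|deny> <proto> <src> [eq p] <dst> [eq p]' lines; remarks are skipped."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 3 or not t[0].isdigit() or t[1] == "remark":
            continue
        s_net, s_wild, sport, i = _addr_spec(t, 3)
        d_net, d_wild, dport, _ = _addr_spec(t, i)
        aces.append((int(t[0]), t[1], t[2], s_net, s_wild, sport, d_net, d_wild, dport))
    return aces


def _matches(addr, net, wild):
    # Wildcard semantics: a 1 bit in the mask means "don't care".
    return ((addr & ~wild) & 0xFFFFFFFF) == ((net & ~wild) & 0xFFFFFFFF)


def evaluate(aces, proto, src, sport, dst, dport):
    """First-match evaluation; returns (sequence, action), or (None, 'deny') for the implicit deny."""
    s, d = _ip_int(src), _ip_int(dst)
    for seq, action, aproto, s_net, s_wild, a_sport, d_net, d_wild, a_dport in aces:
        if aproto not in ("ip", proto):
            continue
        if not (_matches(s, s_net, s_wild) and _matches(d, d_net, d_wild)):
            continue
        if a_sport not in (None, sport) or a_dport not in (None, dport):
            continue
        return seq, action
    return None, "deny"


def report(acl_text):
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, *rest) for name, *rest in PACKETS}


if __name__ == "__main__":
    for label, text in (("original", ACL_ORIGINAL), ("with local permit", ACL_WITH_LOCAL_PERMIT)):
        print(label)
        for name, (seq, action) in report(text).items():
            print(f"  {name}: ACE {seq} -> {action}")
```

The same evaluator shows why the broadcast REBINDING request still gets through the original ACL (it is permitted by ACE 70, not ACE 10): only the unicast renewal to 10.77.50.1 hits ACE 60.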



NATing

Is destination NATing related only to packets entering a router, or can it also be configured to change packets leaving the router itself (maybe in order to change their route, rather than using the PREROUTING option, for example)? I'm so confused seeing different rules and explanations about that.



UniFi Switch packet loss with MikroTik SFP

Hello reddit,

We have a network with several UniFi US-48-500W switches linked at 10Gbps in a star topology with multimode fiber to a core switch, model US-16-XG.

We are having random packet loss in almost every switch (sometimes low, sometimes really high).

Also we are using 10Gb SFPs from MikroTik in the UniFis; could this be causing packet loss in the UniFis?

Thank you.



Wifi site survey adapter

Hi, I am going to do a wifi survey for the first time and I am using Tamograph for it. Do I need an adapter that supports all a/b/g/n/ac to get the best result? Or ac is enough - I think ac is compatible with the older ones. Thanks.



Can I just host dhcp in any public network?

I'm not sure where else to ask this. :p

I'm learning in school about this kind of stuff, and my teacher told me basically that in a network, if you have a Windows server (installed on a VM on a laptop, for example) you can host DHCP on it and nothing would prevent you from doing it. So if I am connected to a public network, for example in a station or airport, can I just host DHCP and deny devices connected access to the internet? Not that I want to do this, I just wonder.
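Added example (not from the post): nothing in DHCP itself stops a second server, because clients accept the first OFFER that arrives, which is exactly the rogue-DHCP attack the question describes. The usual control is DHCP snooping on the switch, which drops server messages (OFFER/ACK) arriving on untrusted ports. The parser below does the equivalent check on the wire: it decodes a BOOTP/DHCP reply, reads the message type (option 53) and the server identifier (option 54), and flags replies from any server not in an allowlist. `TRUSTED`, the packet builder and the addresses are constructed for the demonstration; a real deployment would feed it from a capture on the VLAN.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREPLY = 2
OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END, OPT_PAD = 53, 54, 255, 0
DHCPOFFER, DHCPACK = 2, 5


def parse_dhcp(payload: bytes):
    """Return (op, {option_code: value}) for a BOOTP/DHCP UDP payload (RFC 2131 layout),
    or None if the payload is too short or lacks the magic cookie."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                    # truncated option header
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return payload[0], opts


def rogue_server(payload: bytes, trusted_servers):
    """Server-identifier IP of an OFFER/ACK that did not come from a trusted server, else None."""
    parsed = parse_dhcp(payload)
    if parsed is None:
        return None
    op, opts = parsed
    if op != BOOTREPLY:
        return None
    mtype = opts.get(OPT_MESSAGE_TYPE, b"\x00")
    if mtype[:1] not in (bytes([DHCPOFFER]), bytes([DHCPACK])):
        return None
    sid = opts.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return None
    server = socket.inet_ntoa(sid)
    return None if server in trusted_servers else server


def build_reply(server_ip: str, msg_type: int, yiaddr: str, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCP reply (not a capture) carrying only the options needed here."""
    fixed = struct.pack("!4BIHH4s4s4s4s",
                        BOOTREPLY, 1, 6, 0,           # op, htype=Ethernet, hlen, hops
                        xid, 0, 0x8000,               # xid, secs, flags (broadcast bit)
                        bytes(4),                     # ciaddr
                        socket.inet_aton(yiaddr),     # yiaddr: the offered address
                        socket.inet_aton(server_ip),  # siaddr
                        bytes(4))                     # giaddr
    chaddr_sname_file = bytes(16 + 64 + 128)
    options = (bytes([OPT_MESSAGE_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_ip)
               + bytes([OPT_END]))
    return fixed + chaddr_sname_file + DHCP_MAGIC + options


TRUSTED = {"10.77.50.1"}   # assumed: the only legitimate DHCP server on this VLAN

if __name__ == "__main__":
    for srv in ("10.77.50.1", "10.77.51.200"):
        print(srv, "->", rogue_server(build_reply(srv, DHCPOFFER, "10.77.50.23"), TRUSTED))
```

Note that a server-identifier allowlist only detects a rogue that announces its own address; it does not stop one, and a rogue that spoofs option 54 would pass. Port-based DHCP snooping does not have that gap, which is why the switch-side control is preferred.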



How to plot and benchmark UDP response time?

Our application uses UDP protocol in the transport layer.

I'm currently filtering the packet trace with the port and then manually checking the RTT by selecting the packet stream and by using " Set time reference".

As shown in the picture, I'm currently evaluating the performance manually.

  1. 3.47 rtt and 2. 3.7 rtt

I also tried to use the "Time delta from previous captured frame" in Wireshark. However, sometimes the application uses multiple sessions to send the complete payload.

What is the best and efficient way to benchmark and plot the UDP response time in an IO graph format?

https://imgur.com/a/ZgIZIJb



Tuesday, February 19, 2019

Proxy Transparent Forwarding packets?

So I’ve got a question. I’m working on a TCP proxy right now. What is expected is that:

  • General: A host will send tcp packets to said proxy and the proxy then forwards it to its intended destination.

  • Point: when the proxy gets traffic from a host, an action needs to be triggered (this I have done already, but with hard coded IPs)

I’m using sockets in Python, so socket AF_INET, SOCK_STREAM. What I don’t understand is how the proxy gets the packets IF the packets are destined for their real destination address. If an unknowing host sends packets out to their destination, say 1.3, how would the proxy pick up / get those packets and then forward them to 1.3 on behalf of the host? If the packet’s destination was 1.3, how would a proxy whose source is 1.1 get those packets??

Right now I have a basic tcp client/server and the proxy server.

What I want to do is from the client, send tcp packets to the server without the client having knowledge of the proxy. If I want to go to a web server hosted on the client on a port, I just type in the ip:port of the server. The proxy gets that traffic and forwards it to the server.

What I have right now is send the data to the proxy and then have the proxy hardcoded to send to the server. In my example above I have the client connecting to a port on the proxy, and the proxy sends the data to the web server. All destination IPs are hard coded.

So in that example, what if there’s 2 web servers (A & B)? If I have a host trying to connect to Server A and I send that data to the proxy’s addresses, how does the proxy know if the data is destined for Webserver A or B? (Since the dst address coming from the client is that of the webserver?) the goal is to have the client just type in the address of webserver A (packets dst of webserver A), that data being sent to the proxy, and the proxy sending it to webserver A.

(note: this is for ALL tcp traffic, not just web traffic)

TLDR; How does a proxy receive packets that are not initially destined for it and then forward them to their real destination?

Also: if anyone knows how to do this in python or an easy enough process I’d love to hear it!

Thanks for the help!
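Added example (not from the post): a socket bound on the proxy host never sees packets addressed to 1.3 unless something delivers them there. Two things have to be true: the proxy host must be on the path (the client's default gateway, or the client itself), and the kernel must steer the TCP connections into the listening socket. On Linux that is netfilter's REDIRECT target, and the proxy then recovers where the client was really going with the `SO_ORIGINAL_DST` socket option, which is what tells it to forward to webserver A rather than B. The listener address and the `on_new_flow` hook are assumptions; the `iptables` lines in the docstring are the real commands for the two placements.

```python
import socket
import struct
import threading

# Linux netfilter constant from <linux/netfilter_ipv4.h>; the socket module does not export it.
SO_ORIGINAL_DST = 80
LISTEN = ("0.0.0.0", 8080)   # assumed listener; must match the REDIRECT --to-ports below


def pack_sockaddr_in(ip: str, port: int) -> bytes:
    """Build the 16-byte sockaddr_in the kernel returns (used for the constructed sample)."""
    return (struct.pack("=H", int(socket.AF_INET))  # sin_family, host byte order
            + struct.pack("!H", port)               # sin_port, network byte order
            + socket.inet_aton(ip)                  # sin_addr
            + bytes(8))                             # sin_zero


def parse_original_dst(raw: bytes):
    """Decode sockaddr_in -> (ip, port); raises ValueError if it is not AF_INET."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    family = struct.unpack("=H", raw[:2])[0]
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    port = struct.unpack("!H", raw[2:4])[0]
    return socket.inet_ntoa(raw[4:8]), port


def original_dst(conn: socket.socket):
    """Where the client actually wanted to go, before REDIRECT rewrote the destination."""
    return parse_original_dst(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


def on_new_flow(client_addr, server_addr):
    """Hook for the per-flow action the post mentions; placeholder that just logs."""
    print(f"flow {client_addr[0]}:{client_addr[1]} -> {server_addr[0]}:{server_addr[1]}")


def pump(src: socket.socket, dst: socket.socket):
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client: socket.socket):
    with client:
        host, port = original_dst(client)
        on_new_flow(client.getpeername(), (host, port))
        with socket.create_connection((host, port)) as upstream:
            threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
            pump(upstream, client)


def serve(bind=LISTEN):
    """Run on the client's gateway with, for example:
         iptables -t nat -A PREROUTING -i eth0 -p tcp -j REDIRECT --to-ports 8080
    For traffic originating on this same host use the OUTPUT chain instead, and exclude
    the proxy's own user with '-m owner ! --uid-owner <proxy uid>' so its upstream
    connections are not redirected back into it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen(128)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Without the REDIRECT rule the accept() never fires for traffic to 1.3, and without `SO_ORIGINAL_DST` every accepted connection looks like it was addressed to the proxy's own port, which is the situation the hard-coded version above is in.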



VLAN Translation

Not a network guy so forgive me. I have a situation where a customer has VLANs on a server that do not match the VLAN IDs of the switches. No idea why it was set up this way, but it's worked for 5+ years. Now, we are doing a hardware refresh, and the method of migrating servers needs the VLAN numbers to stay the same on the source and target system. Here's the catch. Source servers have more network ports available than target servers, and switch ports are set to access mode (no VLAN tagging). Since the new target servers don't have enough physical ports to accommodate the same setup, we need to use VLAN tagging. The network guys didn't know how to accommodate this since VLAN numbers are mismatched on servers and switches. One of them just found out about the VLAN translation capability of Cisco switches, but they are reluctant to implement it because they claim it is "not widely used in the industry". Can anyone verify or negate that claim? Thanks!



SD-WAN bandwidth issues behind modem

We have several SD-WAN devices that are simply neutering bandwidth behind Spectrum cable modems. Through debugging on a MikroTik from a fixed wireless provider we found PCQ had to be turned off for us to get the correct speeds. Has anyone had any issues like this, or do you have any good advice on what might be done to improve this on Spectrum circuits?



Is the CCNP R&S worth the effort?

Our organization has been growing at a good pace for the past few years and our networking team is growing with it. The workload has been shifting from break/fix and application-driven projects to proactive network management / future planning and I'm being asked to perform more of a senior role. I have a fair amount of experience in most areas of the Cisco networking market. I'm strongest in voice, meh in routing, and weakest in UCS. Our network topology is not terribly complex, so there are quite a few scenarios I've never faced. On the face of it, the CCNP R&S sounds like a good direction to improve my skill set in the right areas. However, I'm concerned that the curriculum may be bloated with sales pitches and useless theory. I want to study to become a better network engineer, not just to take a test. A CCNP is a nice mile marker and looks good on a resume, but is it worth the time and effort for me and my company? If so, what is the best study material / curriculum for both practical knowledge and passing the exams? If not, what would be a good alternative course of study?

Edit: I have several CCNAs, but I felt exploited by Cisco after taking (and still passing) the Collab.



Trying to activate REST APIs on CSR1000v - getting % Virtual service crsr_mgmt install has not completed

Hi guys

It was one of those days when you decide to do something and you end up troubleshooting an endless chain of oddities that take you farther and farther from what you wanted to do.

In my case I wanted to enable the REST APIs for a CSR1000v installed in GNS3.
I have not played with this in a while, so I wasted some time figuring out how to configure the management interface, and then I started enabling the REST APIs but... no luck. I am getting the above message + "Please activate the VM after install is completed".
Do I need to install a demo license for this? I can't find anything related to the above. I suspect it is either that or some access to guestshell and enable some service there ?

Any help will be greatly appreciated. I am using CSR1000v 16.9.1



Resident Engineer - day to day

I have been an Enterprise network guy pretty much my entire time in IT. I have met many Resident Engineers mainly from Juniper and some Cisco. For the folks who are Resident Engineers, would you prefer to be a Resident Engineer or an Enterprise Network Engineer?

Do you travel a lot?



Is the Cisco 9300-24 good enough for a small K12 network server room rack?

We have virtualized most of our servers, but still have about 7 physical standalone servers. I'd like to consolidate them all into the same rack. I'm thinking of using a stack of 2 Cisco 9300 24-port switches with the 8-port SFP+ module. 1 SFP+ port on each switch for the uplink and 1 for each of the other servers. The 24 gigabit ports would be used for iDRAC and other management ports and redundant ports. Most of the time a server isn't putting out more than 1 gigabit unless it is during nightly backups.

VM rack uses a Nexus switch, but is a Catalyst fine for what I am describing?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Does SolarWinds NetFlow Analyzer do PER HOP/NODE QoS feedback?

Hey folks, trying to cram in some research on QoS monitoring toolkits in a hurry. Does anyone who has worked with SolarWinds NetFlow Analyzer know if it does PER NODE/HOP QoS analysis? The use case is that we want to run a test on a client's network to test VoIP prioritization through every switch and router between the testing point and the outside world, and have it generate a visual report that xxx router is not properly configured for VoIP prioritization so they know what to focus on. I believe that AppNeta does this, but they're a bit overkill for what we're looking for as part of a temporary toolkit at different locations. We're also looking at LiveAction NX and working with their support on a cloud server installation as another alternative.

Thank you most kindly :)



Security between private VPC to on premise networks

So this might be some what outside the scope of the sub but for those deploying hybrid clouds what security boundaries do you maintain between them and on-premise networks?

For example, if you are deploying non-web-facing servers that may need to access on-premises resources such as AD, do you just rely on (AWS) CloudTrail, CloudWatch and VPC-side firewalls? Do you also limit them at on-premises firewalls? Do you separate them into separate forests? Do the same teams that manage the cloud elements also maintain the on-premises elements? If someone has a better sub for this to go to, throw some names out. Thanks!



NW Architect feeling low about resigning

Spent 5y here. Star. Many achievements and promotions. Many more pending...

No one is convinced that my teammates can handle my work... I've been spending time for their training past 4 months.

Dunno hope everyone profits.



What are you doing for authoritative DNS these days?

I asked in /r/sysadmin, didn't get much feedback.

For non-AD zones, how do you serve authoritative DNS? Locally-hosted (LAMP/BIND), cloud (route53/cloudflare), or something else?



UEWA Course

Currently doing the official Unifi Enterprise Wireless Admin course.

So much to cram into two days in a course.

Anyone else done this?



Dynamic Routing - Route Map vs distribute-list

I am in the process of redesigning our dynamic routing on some of the core switches using EIGRP (yes I know I should move to something else but am stuck with it for now). These switches peer with a MPLS router on a separate EIGRP process/AS from everything else, which I need to advertise 2 static routes.

Normally I would just use a distribute-list to control which routes are advertised; however, I am trying to work out if I am better off using a route map, which is something I have never had to use before. I understand route maps can do additional things such as set metrics, tags etc., however when I have attempted these before they have not worked as I expected (setting tags worked, but the metrics did not seem to work as intended).

Could I ask what people would recommend? Stay with distribute-lists or use a route map.

Thanks



Anyone have a Nexus 9K base config for a new VXRail install?

I'm going through their switch guide, but want to make sure I am not missing anything critical (like system MTU, etc.). If anyone has a base/sanitized config, I'd appreciate it. I haven't been involved in a VXR deployment before, and need to turn around the switch install and config in a day, basically (a few days from now). I'm trying to go in with everything but the site-specific info already laid out, so I can just blow it in and concentrate on the physical stuff.

Thanks for any assistance anyone can lend.



VRRP question: Traffic over interconnected routers

There are two routers that form a VRRP cluster with the virtual IP 192.168.0.254. Those routers are interconnected via direct ethernet link and communicate over the network 10.0.0.0/8 for link state advertisements.

To each router, a separate switch gets connected. The switches are not interconnected (no MRP or spanning tree).

Can a client connected to Switch A, talk to a client connected to switch B over the interconnection of the VRRP routers?

This is a mainly hypothetical question for better understanding what VRRP does and doesn't. Thanks!



Wireless BYOD - How would you meet these requirements?

I inherited a bunch of new Ruckus wireless equipment from a previous admin that just bought a bunch of stuff without really planning how it was all going to work, and now it's my problem. He purchased a bunch of R720 APs, two SmartZone 100 controllers, and a cloud-hosted instance of CloudPath. Now I have to make it all work to our requirements. This is for a college that sees around 2500 devices on the wifi at any given time.

For the devices that we own and manage we are using 802.1x authentication. The cert install is handled through MDM or Group Policy. That all works fine. For guests I have a guest portal setup with walled garden. Users connect, enter an e-mail or phone number and then enter the code they receive. A traffic access policy only allows them to access things outside of our internal network. That also works fine.

For BYOD (staff and employee) the college wants the process to be as easy for users as possible, but they want to have some accountability as far as who is on the network. I tested with a small group using 802.1x, but issues with redirecting from the CNA browser and having to install the CloudPath app on Android made the process very difficult for users and we got a lot of calls. Then I decided to try using Ruckus DPSK. After they connected to the onboarding SSID they had to authenticate and we generated a DPSK for them with instructions to connect to the BYOD network and enter in the key. That seemed to work well, but after setting it up I found that the controller only supports 10000 DPSKs, which is not enough for us. My last try was using the same type of setup as I use for guests. They connect to the BYOD network, enter in their AD credentials and the walled garden is removed and they are on the network. No encryption this way, but administration is more concerned about ease of use and accountability than encrypting the BYOD network. This seemed ok and I configured CloudPath to create a MAC registration valid for 1 year during this process. After a day devices start prompting to log in to the network again. I found the setting in the login portal for session timeout and it has a max of just a few days, so they are going to have to keep logging in over and over. Ideally they wouldn't have to authenticate again for at least 6 months.

What would you guys do in my situation?



Data Cabling Vendor in the UK?

I'm looking for a data cabling vendor that operates in the UK. Typical duties would involve data circuit extensions and testing / terminating CAT5e data cabling.

I'm dealing with CDW.co.uk now, but was curious if there were alternatives. In the US, I've had good luck with Commworks and Tailwind - is there a UK parallel?

Bonus points if they have experience working in retail / malls.



ISP recommendation for Chicago area?

I'm looking for "plain" Internet access for a mid-sized office in the Chicago area, 1Gbps should do nicely. We already have an Internet link, which is paired with our phone service but I'd like to replace them eventually. As an aside... is it normal for bandwidth providers in the US to provide fiber circuits in the MPOE or Demarc room of the building without battery backup? I find this utterly ridiculous... but that's a whole other story.

Back to the recommendations... any suggestions for the above? I don't want anything fancy (no need for MPLS, or VOIP, or... anything really. Just an RJ45 handoff with 1Gbps, and no headaches, thanks.



Problems with ACLs

Greetings all! We have created an ACL rule on an EXOS layer 2 switch to block connections from any source. Our switch is a BD 12802 running EXOS version 12.5.2.6. Does anyone know if something has to be enabled for them to work? All we did was create the ACL, check it is in the correct format and enable it on an egress port. Any help is appreciated. We had the same type of problems with Juniper.

Edit1: the computer we are using to send data is behind an L3 switch and has an IP address. Switching is done with VLAN to QinQ to MinM and the same reversed on the other side. Wireshark in the QinQ tunnel does receive all the data it shouldn't, and the packets do have an IP source, so it should get blocked with deny all source addresses (0.0.0.0/0).



Cisco UCS Blade Correctable Memory Errors

http://bit.ly/2DOnzFO

Contention Resolution Strategies

I'm studying for a networks exam at the moment and one of the questions on a past paper is

List and describe the three contention resolution strategies that are used in networks and what the advantages and disadvantages of them are.

When I Google search I only get research papers on contention resolution strategies for things like fibre optics etc., which I'm not 100% confident would be relevant to what I'm looking for.

I'm sure I will be able to find the advantages and disadvantages once I can get a name for each of them. I would really appreciate if someone could name all three strategies. Thanks in advance.