Saturday, February 23, 2019

Tri-band Router Question!

Really not sure if this is the right place but I will ask anyway. I had a customer at work today who claimed to be a network engineer ask me about one of the tri-band routers we have, but the question stumped me. He mentioned that they are falsely advertising the router because it is not possible for it to have a 2.4 GHz band and two 5 GHz bands. I tried to tell him that multiple manufacturers make them like this and he claimed the manufacturers were all lying. He said that because he was a network engineer and understood how all this works, it's not possible to have two 5 GHz bands at all. Is there any truth to this thinking? I haven't used one of these routers myself so I just go by what the box and our website say.



I'm a networking professional and have a really dumb question that at this point I'm too afraid to ask. Can a large company use the same public IPs in different locations?

It just occurred to me today that I don't think there would be anything wrong with using duplicate IPs across the internet for mirrored sites. And I'm wondering if that's even standard practice now that I think of it. I see a problem if you don't have out-of-band management, but if you do...

Let's say you have a site in L.A., and a site in N.Y. They're redundant sites, and the servers are exactly the same. Can you put 1.1.1.1 on the server in LA, and 1.1.1.1 on the server in NY and just let BGP calculate the best route? And is this ever done in practice? Aside from management reasons, I don't see any reason that wouldn't work (unless maybe, just maybe, a user is smack in the middle and getting their packets "load balanced" between the two sites). Purely from a user's perspective, this would work, right?

Sorry for the dumb question. I've never once considered how duplicate public IPs would work out until today. And it's kind of blowing my mind.



How do you find a broadcast address?

I'm stuck finding the broadcast address for this IP address in this homework question. The IP is 123.205.44.155/20, and the question asks me to find the network address and subnet mask, which I know how to get, but for the broadcast address I keep getting it wrong. I already looked up YouTube videos but they don't really help. Can somebody help me with how to solve for it?
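An added worked example (not part of the post): the network address, mask and broadcast address for a CIDR prefix computed with plain bit arithmetic, then cross-checked against Python's standard library. 123.205.44.155/20 is the address from the question; the other inputs are made up to exercise the edge cases.

```python
"""Added example (not from the post): compute the network address, mask and
broadcast address for a CIDR prefix with plain bit arithmetic, then cross-check
against the standard library.  123.205.44.155/20 is the address from the
question; the other inputs are made up to exercise the edge cases."""
import ipaddress
from typing import Dict, Optional


def to_int(addr: str) -> int:
    """Pack a dotted-quad string into a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_str(n: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_info(cidr: str) -> Dict[str, Optional[object]]:
    """Network, mask, broadcast and usable host range for 'a.b.c.d/len'."""
    addr_txt, prefix_txt = cidr.split("/")
    prefix = int(prefix_txt)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    addr = to_int(addr_txt)
    # Mask: `prefix` one-bits followed by (32 - prefix) zero-bits.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = addr & mask                        # keep the network bits, clear host bits
    broadcast = network | (~mask & 0xFFFFFFFF)   # network bits, with every host bit set
    has_hosts = prefix <= 30                     # /31 and /32 have no classic host range
    return {
        "network": to_str(network),
        "mask": to_str(mask),
        "broadcast": to_str(broadcast),
        "first_host": to_str(network + 1) if has_hosts else None,
        "last_host": to_str(broadcast - 1) if has_hosts else None,
        "hosts": (2 ** (32 - prefix)) - 2 if has_hosts else 0,
    }


def stdlib_check(cidr: str) -> Dict[str, str]:
    """Same three answers from the ipaddress module, for comparison."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
    }


if __name__ == "__main__":
    for prefix in ("123.205.44.155/20", "10.0.0.7/30", "192.0.2.9/32"):
        print(prefix, subnet_info(prefix), stdlib_check(prefix))
```

The step people usually miss is the last one: the broadcast address is the network address with every host bit set, which is `network | ~mask`. For /20 the mask's third octet is 240 (1111 0000), so 44 becomes 32 for the network and 47 for the broadcast.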



Cisco transport gateway over https

Has anyone used HTTPS between a router and a Transport Gateway VM for smart licensing? HTTP works, and HTTPS works for connecting to the website for management (no CA). I'm wondering if it's a certificate error; maybe I'm pulling the certificate from the wrong place (the default that was there already). I also tried to generate a certificate manually with keytool, also with no success in the end.



Need help to configure switch for a user

I hope this is the correct forum for my question.

Background: The CEO wants to have an IP phone (NEC brand) and a Polycom with the same phone number. He is fine with either both ringing at the same time, which I am not sure how to get support for, or having a toggle to switch between the devices.

I researched and there is an A/B box for a physical switch. This probably will do it, but I am also interested in how to do it at the software level.

https://www.amazon.com/CableWholesales-Way-Switch-RJ45-Female/dp/B004Y34VQS

Here is my question: what do I need to install on his laptop, and what language should I use to program a managed switch? I know how to do it with telnet and old-fashioned VBS with "send key", but I prefer not to use this route.

The GUI is a simple toggle: it reads which port is enabled, and he just needs to press one button to switch to the other port, hence switching between the Polycom and the IP phone.

Thanks in advance.
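An added example, not from the post: the decision logic behind a one-button port toggle in Python. It reads the output of `show interfaces status` from a Cisco IOS switch, works out which of the two phone ports is enabled, and emits the commands that swap them. Pushing those commands to the switch over SSH would be done with a library such as Netmiko; that transport is assumed and left out so the block runs offline. The port names and the sample output are made up.

```python
"""Added example, not from the post: the decision logic behind a one-button
port toggle.  It reads the output of `show interfaces status` from a Cisco IOS
switch, works out which of the two phone ports is enabled, and emits the
commands that swap them.  Pushing those commands to the switch over SSH would
be done with a library such as Netmiko; that transport is assumed and left
out so the block runs offline.  Port names and the sample output are made up."""
from typing import Dict, List, Optional

# Assumed: the two ports wired to the CEO's phones.
PHONE_PORTS = {"Gi1/0/1": "NEC IP phone", "Gi1/0/2": "Polycom"}

# Constructed sample of `show interfaces status`, not captured from a real switch.
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   CEO NEC phone      connected    20         a-full  a-100 10/100/1000BaseTX
Gi1/0/2   CEO Polycom        disabled     20           auto   auto 10/100/1000BaseTX
Gi1/0/3                      notconnect   1            auto   auto 10/100/1000BaseTX
"""

STATUS_TOKENS = {"connected", "notconnect", "disabled", "err-disabled"}


def port_status(show_output: str) -> Dict[str, str]:
    """Map port name -> status token.  The Name column may be blank or contain
    spaces, so the status is found by token rather than by column position."""
    result: Dict[str, str] = {}
    for line in show_output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Port":   # skip blank lines and the header
            continue
        status = next((f for f in fields[1:] if f in STATUS_TOKENS), None)
        if status is not None:
            result[fields[0]] = status
    return result


def active_port(statuses: Dict[str, str]) -> Optional[str]:
    """Return the single phone port that is administratively up, or None when the
    state is ambiguous (both up, both shut, or a port missing from the output)."""
    states = {p: statuses.get(p) for p in PHONE_PORTS}
    if any(s is None for s in states.values()):
        return None
    enabled = [p for p, s in states.items() if s != "disabled"]
    return enabled[0] if len(enabled) == 1 else None


def toggle_commands(statuses: Dict[str, str]) -> List[str]:
    """IOS configuration lines that shut the active port and bring up the other."""
    current = active_port(statuses)
    if current is None:
        raise RuntimeError("port state is ambiguous; inspect the switch before toggling")
    (other,) = [p for p in PHONE_PORTS if p != current]
    return [f"interface {current}", " shutdown",
            f"interface {other}", " no shutdown"]


if __name__ == "__main__":
    current = port_status(SAMPLE_STATUS)
    print("active:", active_port(current))
    print("\n".join(toggle_commands(current)))
```

Whatever transport carries these commands, the credential stored on the CEO's laptop should be able to do exactly this and nothing else: on IOS that means a role-based CLI view or TACACS+ command authorization that permits `interface` on those two ports and `shutdown`/`no shutdown`, not a privilege-15 login baked into a GUI. Refusing to act when both ports look enabled, as `active_port` does, avoids the failure mode where a retry shuts both phones.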



What does a professional network topology look like?

Maybe I'm just searching for it wrong, but I'm trying to see how a professional would outline and draft an extended star network topology. I was curious to see how someone properly/professionally set up their equipment room and telecom closets. I was curious to see someone's choices and, most importantly, HOW they actually planned out the network in every detail for a building. I am also curious as to how someone may professionally format their paper when writing such things, as I feel my current way is of very poor quality compared to someone who is experienced in such things.

If you have any ideas as to where I can find some PDF's, images, or any other sources to see such things, I'd greatly appreciate it.



Please Explain Diffie Hellman Group 24

I know groups 19, 20, and 21 are elliptic curve. Can someone ELI5 Group 24 and its next-gen encryption?

Diffie-Hellman group 14 - 2048-bit modulus – MINIMUM ACCEPTABLE

Diffie-Hellman group 19 - 256-bit elliptic curve – ACCEPTABLE

Diffie-Hellman group 20 - 384-bit elliptic curve – Next Generation Encryption

Diffie-Hellman group 21 - 521-bit elliptic curve – Next Generation Encryption

Diffie-Hellman group 24 - modular exponentiation group with a 2048-bit modulus and 256-bit prime order subgroup – Next Generation Encryption
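An added example, not from the post or from Cisco's table: a toy model of what "a 2048-bit modulus with a 256-bit prime-order subgroup" means, using numbers small enough to follow by hand. p = 139 and q = 23 are toy values; the real group 24 constants from RFC 5114 are not reproduced here. The structure is the same at full size: the generator lives in a subgroup of prime order q, and the cofactor (p - 1)/q, roughly 1792 bits for group 24, contains every other subgroup order. That is why these groups need a public-value check that safe-prime groups like group 14 can skip.

```python
"""Added example, not from the post or from Cisco's table: a toy model of what
'a 2048-bit modulus with a 256-bit prime-order subgroup' means, using numbers
small enough to follow.  p = 139 and q = 23 are toy values; the real group 24
constants from RFC 5114 are not reproduced here.  The same structure holds at
full size: the generator lives in a subgroup of prime order q, and the cofactor
(p - 1) / q, about 1792 bits for group 24, holds every other subgroup order."""
from typing import Set

P = 139                    # toy prime modulus; p - 1 = 138 = 2 * 3 * 23
Q = 23                     # toy prime order of the subgroup we work in
COFACTOR = (P - 1) // Q    # 6; its factors 2 and 3 are the orders of the small subgroups


def subgroup_generator(p: int, q: int, h: int = 2) -> int:
    """Land in the order-q subgroup by raising any element h to the cofactor.
    By Fermat, (h^((p-1)/q))^q = h^(p-1) = 1 (mod p), so the result has order q,
    unless h already sat in a smaller subgroup and collapsed to 1."""
    if (p - 1) % q:
        raise ValueError("q must divide p - 1")
    g = pow(h, (p - 1) // q, p)
    if g == 1:
        raise ValueError("h collapsed to the identity; choose another h")
    return g


def peer_value_is_valid(y: int, p: int, q: int) -> bool:
    """Public-value check for a group with a known subgroup order q:
    1 < y < p - 1 and y^q = 1 (mod p).  For a safe-prime group such as group 14,
    where (p-1)/2 is itself prime, the only small-order elements are 1 and p - 1,
    so the range check alone catches them; that is why those groups are usually
    deployed without the exponentiation."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def distinct_shared_secrets(y: int, p: int, q: int) -> int:
    """Count the different values y^a (mod p) takes as the private exponent a
    runs over 1..q.  For an honest y in the subgroup this is q; for an element
    of small order r it is r, so the 'shared secret' reveals a mod r to the peer
    who sent it.  That is the subgroup-confinement attack the check above stops."""
    secrets: Set[int] = set()
    for a in range(1, q + 1):
        secrets.add(pow(y, a, p))
    return len(secrets)


G = subgroup_generator(P, Q)                    # honest generator of order 23
ORDER_3_ELEMENT = pow(2, (P - 1) // 3, P)       # a forged public value of order 3

if __name__ == "__main__":
    print(f"g = {G}, g^q mod p = {pow(G, Q, P)}")
    print("honest peer value accepted:", peer_value_is_valid(pow(G, 7, P), P, Q))
    print("order-3 value accepted:", peer_value_is_valid(ORDER_3_ELEMENT, P, Q))
    print("secrets reachable from order-3 value:", distinct_shared_secrets(ORDER_3_ELEMENT, P, Q))
```

The practical reading of Cisco's table: group 24 gives you a 2048-bit modulus but exponents the size of group 19's (256-bit), so it is faster than group 14 at the same modulus size; the price is that an implementation must verify the peer's public value lies in the order-q subgroup, or a malicious peer can send a small-order element and learn bits of your private exponent across sessions.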



What's a good WAP to use for a lab?

I just got the big CWNA book and I'm going to start learning about 802.11. I already have a bunch of switches for CCNP Switch, so I'm just needing a WAP now to implement what I read. Can anyone recommend a cheap one that has everything I would need for labbing, preferably Aruba as that is what my work uses.



Palo Alto vs. Fortinet + Cisco vs. Aruba

My company has sprung a "surprise, we're adding a new (smaller) corporate office!" scenario on me and I've got limited time to build out the network I'll be installing in the new office. I've spent the last 15+ years as a Cisco die-hard. Historically I'd just go out and buy another pair of ASAs and throw FTD on them, but I think I'm pretty over FTD. It's a total dumpster fire of a buggy mess I want nothing to do with anymore (or at least not until it's fixed). SO...

I've been courting Palo Alto and Fortinet on the edge. Curious about other people's assessments between the two platforms. Still working on defining the specific criteria I'll be buying on. I like "word on the street" about Palo Alto, but Fortinet (at least on paper) seems like a strong contender.

As for the access layer, I've historically rolled your usual Catalyst stacks, but even there I'm contemplating what it'd look like to move to something like Aruba. (From the discussions I've had about them) I like the idea of Arista at the core, but it may be overkill for a smaller office like this.

Thoughts? Input? Warnings? heh



Connection between 1G SFP and 10G SFP+ work?

Hello Experts,

I have a peculiar question. Would a connection between a 1G SFP port of one switch and a 10G SFP+ port of another switch work? Both switches are different brands: a Meraki switch (new) and an Extreme Networks switch (old).

Is there anyone who has actually used these two brands on the same network with this kind of fiber optic connection?



Putting "somewhat" irrelevant work experience on resume?

Hi everyone,

I'll soon graduate and am hoping to email about a dozen job applications within the next week. My college years were honestly not "all-study" and I have been involved in several student startups (unregistered businesses; typically worked 6 months to 1 year, made money though). I've mainly worked on creating software powered by concepts like natural language processing, machine learning, etc., which currently have little to do with network engineering and sound more related to software engineering.

I was wondering if it'd make sense to include the work experiences I mentioned earlier, or that it'd sound too unrealistic / distracting / fraudulent for a college student, and also somewhat irrelevant to the job I'm looking for (graduate positions like Network Supporting Engineer, etc.). I also have my CCNA now which I'll surely include, and so I'm concerned about the look of my resume bloated with different work areas and skillsets.

As people with experience, what'd be your take on this?



What are the basic deployment readiness configurations items for network appliances (specifically Clearpass)?

I am going to be responsible for deploying new Clearpass clusters to replace Cisco ACS at a large enterprise. The project to migrate to this solution preceded me, so much of the development and lab environment has already been built and initially configured, so I do not have much experience deploying from the ground up.

Since I am building these systems from the ground up, I was trying to think of some basic configuration items on the appliances necessary for a secure deployment. I'm worried I might be missing some system basics that would apply to other network devices as well.

Some of the items I am thinking of are:

-configuring only necessary network services (disable or enable certain services like SSH)

-restricting default admin permissions and changing default passwords

-setting up SNMP monitoring (ex: Microfocus)

-setting up syslog monitoring (ex: Splunk, SIEM solutions)

-binding to AD and adding other authentication and authorization sources

-installing certificates (HTTPS, RADIUS)

-importing CRLs (for wireless profiles, etc)

-configuring cluster publisher and subscribers as well as failovers

-configuring services and service elements (profiles, role mappings, dictionaries)

Am I missing any basic configuration considerations? Are there any initial setup tips that relate to other network appliances that would be applicable here?

Thank you in advance for any help!



your Meraki experiences

I have a client looking at the MX67 and similar series devices to support locations with low bandwidth requirements (less than 100 Mbps) but a high client count (in excess of 250 end users).

My understanding is that the lower-end machines, while powerful, are unlikely to support so many flows, given that the L7 features (which can't be turned off?) introduce state, and 250+ users create a lot of state.

I also know Cisco is keen not to cannibalize their ISR market with powerful lower cost Meraki devices. So my question is, does anyone have experience with the Meraki MX67 or similar lower end devices supporting multiples of the recommended 50 users?

Much appreciated (for all of your recent Meraki experience; I last touched their gear two years ago and was not impressed, but the trajectory was promising).



Do you install air-conditioner in switch closets?

Hi, I would like to know how common it is to install air conditioning in switch closets. At my new workplace the closets get to over 120°F during summer heat. There are 20 closets with 7-10 access switches in each. So, should we invest in air conditioners to protect those switches? What would you advise?



Need help in network design change and in choosing switch model

Dear Experts,

We are planning to do a full upgrade because the existing network devices, from core to edge-level switches, are currently 7 years old. Because we are a non-Cisco shop and would like to migrate over to Cisco/Meraki, we need help.

Would you please recommend Cisco switch models that would be best suitable for us? Thanks a lot!

Environment: College campus
User count - 1,500
Printers - 50
Wifi access points - 450
Servers - Physical 8-10 (virtual many)

Current network info:

2 backbone HA switches
15 distribution switches (DL) - 10G fiber optic uplink to the core switch
Around 60 edge switches (4 to 8 access switches connected to each DL switch) - 1G fiber optic uplink to DL switches
All switches are Allied Telesis.

Question 1: Which Cisco switch models would you recommend for the core, DL and edge level switches?

Question 2: - Is it better to get rid of DL switches and replace them with stacked edge switches or keep the existing structure (15 DL switches and stacked edge switches)?

Thank you so much for your help!



FTTC vs ADSL fastpath, same ping to AWS?

My friend (FTTC) and I (ADSL) are 2 km from each other, and we tried to ping AWS servers.
The results were both around 25 ms.
How is that possible? Does the FTTC fibre have no ping improvement over ADSL fastpath?

I wanted to do the test because the game we play is hosted on AWS and my game feels slow and crappy.



Friday, February 22, 2019

Calculating physical and logical failure risks within Cisco Nexus Leaf/Spine

Trying to quantify the network-side probability (five nines, ten nines) of a catastrophic event disrupting the entire domain. For HW I'm thinking zero/infinite (no single failure results in any loss of service; the worst is a reduction in available BW), but for SW I can think of several theoretical protocol/table events that could occur. Looking to capture the potential of hitting a bug or an erroneous config, and the RPO to restore. The opposing side of the question is the risk reduction with a second or N leaf/spines isolated across a backbone or disparate DCs. Even getting to "unknown if it happens, but when an event disrupts it takes 40 minutes to restore over four spines and eight leafs (or whatever the math scales to)" would be helpful.

Know this is a near impossible hard data question, but hoping someone has done enough math to quantify portions.

Thanks.



How much latency in optical fibre

I heard about IEX's 38 miles/61 km of fibre, which acts as a 350ms "speed bump", but that didn't sound right to me because that distance isn't even that far; how can it add that much delay?

I then found this online calculator: http://www.timbercon.com/time-delay-of-light-in-fiber-calculator which tells me that 61,000 m would add 300 ms. That doesn't quite match IEX's claim, but still it seems that just 61 km can add this much latency.

I am in Melbourne, Australia and I ping a server in Sydney, Australia, which is about 714 km between them.

The server in Sydney pings at 26 ms.

According to the calculator, that would be 3500 ms.

What do I seem to be missing? Is there a mix up between milliseconds and microseconds somewhere?
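An added example, not from the post: the propagation delay of light in optical fibre with the units kept explicit. It recomputes the two distances quoted above (61 km for the IEX coil, about 714 km Melbourne to Sydney) and shows how much of a measured 26 ms round trip is left once pure propagation is removed. The refractive index is a typical value for single-mode fibre and is an assumption.

```python
"""Added example, not from the post: propagation delay of light in optical
fibre, with the units kept explicit.  It recomputes the two distances quoted
above (61 km for the IEX coil, about 714 km Melbourne to Sydney) and shows how
much of a measured 26 ms round trip is left once pure propagation is removed.
The refractive index is a typical value for single-mode fibre and is assumed."""

C_KM_PER_S = 299_792.458      # speed of light in vacuum, km/s
N_FIBRE = 1.4682              # assumed group index of silica SMF near 1550 nm


def one_way_delay_s(distance_km: float, index: float = N_FIBRE) -> float:
    """Light in glass travels at c / n, so delay = distance / (c / n) = d * n / c."""
    if distance_km < 0:
        raise ValueError("distance must be non-negative")
    return distance_km * index / C_KM_PER_S


def one_way_delay_us(distance_km: float) -> float:
    """Same, in microseconds: roughly 4.9 us per kilometre of fibre."""
    return one_way_delay_s(distance_km) * 1e6


def round_trip_ms(distance_km: float) -> float:
    """Ping measures there and back, so double the one-way figure; in ms."""
    return 2 * one_way_delay_s(distance_km) * 1e3


def unexplained_ms(measured_rtt_ms: float, distance_km: float) -> float:
    """Portion of a measured RTT that propagation over the straight-line
    distance does not account for: longer actual fibre route, serialisation,
    queueing and per-hop processing.  Negative means the distance is wrong."""
    return measured_rtt_ms - round_trip_ms(distance_km)


if __name__ == "__main__":
    print(f"61 km one way:        {one_way_delay_us(61):.0f} us")
    print(f"714 km round trip:    {round_trip_ms(714):.2f} ms")
    print(f"unexplained of 26 ms: {unexplained_ms(26, 714):.1f} ms")
```

Run, this gives about 300 microseconds for 61 km and about 7 ms round trip for 714 km, so the 26 ms Melbourne to Sydney ping is entirely plausible: roughly 7 ms is glass and the remaining 19 ms is route detour, serialisation and queueing. The two figures quoted in the post are off by exactly a factor of 1000, which is a ms/µs mix-up rather than a property of fibre.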



MAC Address being learned in transparent Bridge

My organisation has DSL/VDSL access services where we use a modem in transparent bridge and a Mikrotik as the router, with PPPoE on the Mikrotik.

What we find, is that whenever these services drop for any reason, a number of them will either not re-authenticate, or take a long time to re-authenticate.

What I've found from speaking with our upstream carrier is that their BRAS has a MAC learning limit of 1. They are seeing that they are learning the MAC address from the modem in transparent bridge, when they shouldn't be. This is causing the MAC address table on the BRAS not to learn the Mikrotik MAC, so the PPPoE tunnel cannot be established to pass credentials. It's not possible for the carrier to increase the MAC learning limit.

The modem we are using is the Netcomm NF10WV. I'm trying to find a setting/reason for why this is happening, but I'm unable to. I'm also wondering if this is expected behavior, that the modem in transparent bridge doesn't share its MAC address upstream. Firmware is up to date on the modems also.

Any ideas/thoughts?
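An added example, not from the post: a decoder for the Ethernet and PPPoE discovery headers of a frame, and a replay of two constructed frames through a model of a BRAS access port that learns at most one source MAC. It shows how a frame sent from the bridged modem's own MAC, arriving before the router's PADI, consumes the single learning slot and leaves the PADI dropped. The frames, MAC addresses and the `BrasPort` model are constructed for illustration; they are not captured traffic or vendor code.

```python
"""Added example, not from the post: decode the Ethernet and PPPoE discovery
headers of a frame, then replay two constructed frames through a model of a
BRAS access port that learns at most one source MAC.  It shows how a frame
sent from the bridged modem's own MAC, before the router's PADI, consumes the
single learning slot and leaves the PADI dropped.  Frames, MAC addresses and
the BrasPort model are constructed for illustration, not captured or vendor code."""
import struct
from typing import Dict, List, Tuple

ETHERTYPE_PPPOE_DISCOVERY = 0x8863
ETHERTYPE_ARP = 0x0806
PADI = 0x09                 # PPPoE Active Discovery Initiation (RFC 2516)
TAG_SERVICE_NAME = 0x0101
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Ethernet header, plus PPPoE code/session/tags when the EtherType is 0x8863."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info: Dict[str, object] = {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype}
    if ethertype == ETHERTYPE_PPPOE_DISCOVERY:
        ver_type, code, session, length = struct.unpack("!BBHH", frame[14:20])
        if ver_type != 0x11:                     # version 1, type 1
            raise ValueError("unsupported PPPoE version/type")
        payload = frame[20:20 + length]
        tags: Dict[int, bytes] = {}
        off = 0
        while off + 4 <= len(payload):           # TLV walk: type(2) length(2) value
            tag_type, tag_len = struct.unpack("!HH", payload[off:off + 4])
            tags[tag_type] = payload[off + 4:off + 4 + tag_len]
            off += 4 + tag_len
        info.update(code=code, session=session, tags=tags)
    return info


def build_padi(src: bytes, service_name: bytes = b"") -> bytes:
    """Broadcast PADI with a Service-Name tag, as a PPPoE client would send."""
    tag = struct.pack("!HH", TAG_SERVICE_NAME, len(service_name)) + service_name
    return (BROADCAST + src + struct.pack("!H", ETHERTYPE_PPPOE_DISCOVERY)
            + struct.pack("!BBHH", 0x11, PADI, 0, len(tag)) + tag)


class BrasPort:
    """Access port with a source-MAC learning limit: once the limit is reached,
    frames from any further MAC are dropped instead of learned."""

    def __init__(self, limit: int = 1) -> None:
        self.limit = limit
        self.learned: List[str] = []

    def receive(self, frame: bytes) -> str:
        src = str(parse_frame(frame)["src"])
        if src in self.learned:
            return "forwarded (known MAC)"
        if len(self.learned) >= self.limit:
            return f"dropped: MAC limit {self.limit} reached"
        self.learned.append(src)
        return "learned and forwarded"


MODEM_MAC = bytes.fromhex("02aa00000001")    # constructed, locally administered
ROUTER_MAC = bytes.fromhex("02bb00000002")   # constructed


def scenario() -> Tuple[str, str]:
    """Modem leaks a frame of its own (here a minimal ARP-sized frame) before the
    router sends PADI; return the BRAS verdict for each frame in order."""
    port = BrasPort(limit=1)
    stray = BROADCAST + MODEM_MAC + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28
    return port.receive(stray), port.receive(build_padi(ROUTER_MAC))


if __name__ == "__main__":
    print(parse_frame(build_padi(ROUTER_MAC, b"isp")))
    print(scenario())
```

The useful diagnostic this suggests is a capture on the WAN side of the modem (or a mirror on the carrier's access port) filtered on `ether src` equal to the modem's MAC: any frame there, whether ARP, DHCP, LLDP or the modem's own management traffic, is a candidate for taking the one learning slot ahead of the Mikrotik's PADI after a drop.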



ICND1 Labs

I'm looking to sit my ICND1. I have read the ICND1 book and also watched all the CBT Nuggets videos.

I'm looking for some labs to do. What's the best method of doing labs? Boson? GNS3? Packet Tracer? And does anyone have some free labs for 100-105 they could upload/send to me please?



Options for router in a residential building

I'm a computer engineering student, and I have some networking experience with OpenWRT at home and with Cisco equipment in networking courses. An acquaintance is asking me to help them set up a shared business connection between units in their apartment building (10-15 apartments from what I understand). Our (my) plan is to run Cat cable to each apartment, provide each apartment with a SOHO router, and connect everything to an Ethernet switch in the basement and to the edge router.

My problem is that I'm not really familiar with business-grade routers, do you have any leads as far as the type/model of router that I should get? My other option is to buy a high-end SOHO router and use that as an edge router, but I'm concerned about throughput and durability (we plan to use a gigabit fiber connection).



Trying to limit upload on an old router

Has anyone got an answer to this? https://superuser.com/questions/946520/how-to-set-qos-on-tenda-router-to-reduce-ping

At the moment I can't upgrade my hardware, nor can I upgrade the firmware, because the current version my router's on is actually the latest for that model.



Netflow for Retransmissions Detection

Hello,

I'm using Elastiflow to get insight into my network, but I'm also trying to build some dashboards that may help with troubleshooting during incidents.

I wonder if it's possible to check for tcp.analysis.spurious_retransmission or fast.retransmission using NetFlow data so I can filter out most conversations with those flags. If possible, any experience on where to look in the NetFlow data?



One user unable to log into Cisco Anyconnect

Checked: I can log in. Other users can log in from this machine. The user in question, can not.

A direct comparison in active directory shows that this user has everything needed to connect (supposedly), just as I and others do.

The machine is connecting through an ASA, which is talking to ISE, which is talking to AD.

On the firewall I get an AAA user authentication rejected = AAA failure

I can log in fine....

I cloned the user in AD for testing but I'm not seeing anything.

Things that are not on the table are: adjustments to the ASA itself, or ISE. They work for everyone else but this user.

Logs on ASA from attempted login:

Built inbound TCP connection ### for outside:IP/PORT to identity: IP/PORT

Starting SSL handshake with client outside:IP/PORT to IP/PORT for TLS session

SSL client outside:IP/PORT to IP/PORT request to resume previous session

Device completed SSL handshake with client outside:IP/PORT to IP/PORT for TLSv1 session

AAA user authentication Rejected : reason = AAA failure : server = SERVERIP: user = ***** : user IP = USERIP

SSL session with client outside:IP/PORT to IP/PORT terminated

Teardown TCP connection 15620376 for outside:IP/PORT to identity:IP/PORT duration 0:00:00 bytes 1216 TCP FINs

My only thought is that there is something wrong in Active Directory. It has to be...but I'm posting this in case someone else has run into something else that could cause this?


Edit:

RADIUS logs from ISE:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Network Access.Device IP Address
15048 Queried PIP - Network Access.Protocol
15048 Queried PIP - Radius.Service-Type
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - Normalised Radius.RadiusFlowType
15041 Evaluating Identity Policy
15013 Selected Identity Source - DERP
24430 Authenticating user against Active Directory - DERP
24325 Resolving identity - copieduser
24313 Search for matching accounts at join point - derp.net
24319 Single matching account found in forest - derp.net
24367 Skipping unusable domain - ONE,Domain trust is one-way
24367 Skipping unusable domain - TWO,Domain trust is one-way
24367 Skipping unusable domain - THREE,Domain trust is one-way
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded - copieduser@derp.net
24402 User authentication against Active Directory succeeded - DERP
22037 Authentication Passed
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
15048 Queried PIP - Network Access.Protocol
24432 Looking up user in Active Directory - DERP
24355 LDAP fetch succeeded - derp.net
24416 User's Groups retrieval from Active Directory succeeded - DERP
15048 Queried PIP - DERP.ExternalGroups (12 times)
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject
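An added example, not from the post: a small parser that splits the flattened ISE step log above into ordered (code, message) pairs and names the stage that actually failed. The ASA syslog only reports "AAA failure"; the ISE steps show authentication against AD succeeding (22037) and the reject coming from the authorization policy selecting the DenyAccess profile (15016, 15039). `SAMPLE_STEPS` is an abridged copy of the posted log with the post's DERP/derp.net/copieduser placeholders kept; the step codes the classifier relies on (11002, 11003, 15016, 15039, 22037, 24367, 24715) are standard ISE codes.

```python
"""Added example, not from the post: split the flattened ISE step log into
ordered (code, message) pairs and point at the stage that actually failed.
The ASA syslog only reports 'AAA failure'; the ISE steps show authentication
against AD succeeding and the reject coming from the authorization policy,
which selected the DenyAccess profile.  SAMPLE_STEPS is an abridged copy of
the posted log, with the post's DERP/derp.net/copieduser placeholders kept.
The step codes it relies on (22037, 15016, 15039, 11002, 11003, 24715, 24367)
are standard ISE codes; everything else is structural."""
import re
from typing import Dict, List, Tuple

SAMPLE_STEPS = (
    "11001 Received RADIUS Access-Request 11017 RADIUS created a new session "
    "15049 Evaluating Policy Group 15041 Evaluating Identity Policy "
    "15013 Selected Identity Source - DERP "
    "24430 Authenticating user against Active Directory - DERP "
    "24325 Resolving identity - copieduser "
    "24367 Skipping unusable domain - ONE,Domain trust is one-way "
    "24343 RPC Logon request succeeded - copieduser@derp.net "
    "24402 User authentication against Active Directory succeeded - DERP "
    "22037 Authentication Passed "
    "24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory "
    "15036 Evaluating Authorization Policy "
    "15048 Queried PIP - DERP.ExternalGroups (12 times) "
    "15016 Selected Authorization Profile - DenyAccess "
    "15039 Rejected per authorization profile "
    "11003 Returned RADIUS Access-Reject"
)

# A step code is five digits preceded by whitespace (or start of string) and followed by a space.
STEP_RE = re.compile(r"(?<!\S)(\d{5}) ")


def parse_steps(flat: str) -> List[Tuple[str, str]]:
    """'CODE msg CODE msg ...' -> [(CODE, msg), ...] preserving order."""
    hits = list(STEP_RE.finditer(flat))
    steps: List[Tuple[str, str]] = []
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(flat)
        steps.append((hit.group(1), flat[hit.end():end].strip()))
    return steps


def diagnose(steps: List[Tuple[str, str]]) -> Dict[str, str]:
    """Name the RADIUS outcome, whether authentication passed, which authorization
    profile was chosen, and (on a reject) which stage produced it."""
    first: Dict[str, str] = {}
    for code, msg in steps:
        first.setdefault(code, msg)             # keep the first occurrence of each code
    result: Dict[str, str] = {}
    if "11003" in first:
        result["outcome"] = "reject"
    elif "11002" in first:
        result["outcome"] = "accept"
    else:
        result["outcome"] = "unknown"
    result["authentication"] = "passed" if "22037" in first else "not passed"
    if "15016" in first:
        result["authorization_profile"] = first["15016"].split(" - ", 1)[-1]
    if result["outcome"] == "reject":
        if "15039" in first:
            result["failed_stage"] = "authorization"   # a rule matched and its profile said deny
        elif result["authentication"] != "passed":
            result["failed_stage"] = "authentication"
        else:
            result["failed_stage"] = "unknown"
    # Conditions worth a look when an authorization rule unexpectedly falls through.
    hints = [msg for code, msg in steps if code in ("24715", "24367")]
    result["hints"] = "; ".join(hints)
    return result


if __name__ == "__main__":
    for code, msg in parse_steps(SAMPLE_STEPS):
        print(code, msg)
    print(diagnose(parse_steps(SAMPLE_STEPS)))
```

Read this way, the log says the user's password was fine and the problem is in authorization: the rule that lets everyone else in did not match this user, so evaluation fell to a rule (or the default) whose profile is DenyAccess. The two hints the parser surfaces are the places to look next: step 24715 means ISE has no record of a prior machine authentication for this session, which matters if the permitting rule requires Was-Machine-Authenticated, and the 24367 steps mean group memberships held only in the one-way-trust domains are invisible to ISE, which matters if the rule keys on an AD group.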


The Curious Case of the Flapping Link...

Got a flapping link between 2 of my multilayer switches (both are Cisco 6800-XL).

int Te7/3 on MLS_1 to int Te7/1 on MLS_2

the fiber connector on MLS_1 is SC, while the fiber connector on MLS_2 is LC

I have changed the fiber cable (Single-mode LC-to-SC) and I have also changed the transceiver/module (10G-BASE-LR on MLS_1 and SFP-10G-SR) but it is still flapping.

Interestingly, only int Te7/3 shows flapping in its logs, while int Te7/1 on MLS_2 shows OSPF breaking/re-establishing (due obviously to the flapping link on the other end).

On MLS_1, I assumed int Te7/3 was probably faulty, so I moved the connection from int Te7/3 to int Te7/2, but after moving it, the flapping still occurs.

# MLS_1 logs showing flapping

>Feb 22 10:40:42.832 pst: %LINK-3-UPDOWN: Interface TenGigabitEthernet7/3, changed state to up

>Feb 22 10:40:42.932 pst: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet7/3, changed state to up

>Feb 22 10:55:14.942 pst: %LINK-3-UPDOWN: Interface TenGigabitEthernet7/3, changed state to down

>Feb 22 10:55:15.022 pst: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet7/3, changed state to down

>Feb 22 10:56:19.446 pst: %LINK-3-UPDOWN: Interface TenGigabitEthernet7/2, changed state to down

>Feb 22 10:56:20.530 pst: %LINK-3-UPDOWN: Interface TenGigabitEthernet7/2, changed state to up

>Feb 22 10:56:20.630 pst: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet7/2, changed state to up

>Feb 22 11:07:46.111 pst: %LINK-3-UPDOWN: Interface TenGigabitEthernet7/2, changed state to down

# MLS_2 logs showing OSPF breaking due to flapping

>Feb 22 10:40:44.945 pst: %OSPFv3-5-ADJCHG: Process 10343, Nbr 192.168.1.1 on TenGigabitEthernet7/1 from LOADING to FULL, Loading Done

>Feb 22 10:40:47.705 pst: %OSPF-5-ADJCHG: Process 10343, Nbr 192.168.1.1 on TenGigabitEthernet7/1 from LOADING to FULL, Loading Done

>Feb 22 10:55:15.590 pst: %OSPFv3-5-ADJCHG: Process 10343, Nbr 192.168.1.1 on TenGigabitEthernet7/1 from FULL to DOWN, Neighbor Down: Interface down or detached

>Feb 22 10:55:15.590 pst: %OSPF-5-ADJCHG: Process 10343, Nbr 192.168.1.1 on TenGigabitEthernet7/1 from FULL to DOWN, Neighbor Down: Interface down or detached

>Feb 22 10:57:01.538 pst: %OSPF-5-ADJCHG: Process 10343, Nbr 192.168.1.1 on TenGigabitEthernet7/1 from LOADING to FULL, Loading Done

>Feb 22 11:07:51.962 pst: %OSPF-5-ADJCHG: Process 10343, Nbr 192.168.1.1 on TenGigabitEthernet7/1 from LOADING to FULL, Loading Done

The flapping lasts less than a second but it is enough to bring down OSPF, and in turn it is disconnecting users who have sessions going over that link.

Anyone seen anything like this? I am stumped, I have tried everything.

Should I change from a Single mode to a multimode fiber cable?

really appreciate any suggestions, thanks



Python for Network Engineers free course starts Tuesday Feb 26

Periodically, I run a free course on Python for Network Engineers. The next course starts this Tuesday.

This course is aimed at network engineers that want to learn Python. It covers Python fundamentals, but using exercises and examples that are more relevant to network engineers. That being said, the course is definitely oriented towards beginners (from a Python programming perspective). The week-by-week schedule for the course is as follows:

  • Week 1 - Why Python, the Python Interpreter Shell, and Strings
  • Week 2 - Numbers, Files, Lists, and Linter
  • Week 3 - Conditionals and Loops
  • Week 4 - Dictionaries, Exceptions, and Regular Expressions
  • Week 5 - Functions and the Python Debugger
  • Week 6 - Modules and Packages
  • Week 7 - Classes and Objects
  • Week 8 - Libraries, Package Installation, and Virtual Environments

The course is taught using Python3.

The course format is a lesson a week for eight weeks. The lessons are all delivered via email and consist of videos, exercises, and additional content. The course is self-paced i.e. you can work on it on your schedule. In general, I estimate about 3 to 10 hours of work per lesson with the main variable being how much time you spend working on the exercises (and your preexisting skills/knowledge). There are usually about 45 minutes to an hour of videos per lesson.

A bit about myself: I am a long-time network engineer (CCIE #6243 emeritus). For several years, I have been working extensively in network automation. I am the creator/maintainer of the Netmiko Python library. I am also a core maintainer on the NAPALM Python library. I also work quite a bit on both Nornir and Ansible [check out Nornir if you haven't already... :-) ]

Sign-up is available here:

https://pynet.twb-tech.com/email-signup.html



Options for router w ~40 connections

Hope y’all geniuses can be of some assistance. I’m opening a hostel and will need a wireless router that can handle something around 40 simultaneous connections or so. I’ve never done much router shopping outside of basic home stuff so looking for best options or configurations. Any ideas?



Selling ipv4

We have a few IPv4 blocks to sell. Anyone know any reputable companies to sell to? We want to avoid brokers as much as possible.

We have about five /21s and eight /22s.

Edit: We are looking at $23 to $25 per ip. Thanks



I have a question concerning configuring LTE mobile internet services and devices to integrate with a LAN to circumvent the absence of broadband in a rural area.

I have a laptop that runs as a headless server. It is configured to have a static IP address and to run as a DNS server, a media center and a DHCP server using dnsmasq, while the modem/router hybrid given to me by my ISP currently runs only as a gateway for internet service to flow through this LAN and serves as a b/g/n hotspot for wireless devices to connect to. The laptop and all other wired devices (Samsung Smart TV, Ethernet bridge, etc.) are connected via Ethernet cables to the router so that they receive internet service for security/software updates, etc. Now a new problem arises: I will have to move into the countryside, where the broadband service that my ISP provides through the modem/router hybrid (it's an Arris 5 GHz router) will not be available and only mobile internet data is available. I considered trying to use a MiFi device, but it does not have Ethernet ports and does not function as a router would, only as a hotspot for wireless devices, which would leave out hardware that is configured to accept only wired network connectivity. What strategy or combination of hardware/software would you use to solve this problem so that internet service will be available to both wired and wireless devices in the LAN using mobile internet data provided by your mobile carrier through a USB dongle or a MiFi device?



Anyone with CIPSO or Netlabel experience? Firewall dropping packets.

So, I have a customer network coming into a data center. They are using the CIPSO protocol to add a tag to their IP header for a security label. This is communicating with a server beyond my edge firewall. We were working fine until we upgraded the firewall to a new model with an updated OS (Fortigate 620B to Fortigate 500E).

The packet sniff shows a parameter problem response indicating, from what we can tell, that it thinks the packet is malformed. This would make sense if it sees the header with a security label added and doesn't recognize what it's for.

Working with Fortinet and others we haven't found any way to get it to either bypass this or ignore it. There are a few options to lower the header inspection security but none to disable it. Any checks we can seem to find and disable don't seem to help. It's possible it's just a version problem, but I would need to get approvals and take a lot of things down again to go and start trying new versions.

Has anyone ever had experience with this, or maybe something similar that adds to the IP header?



[CISCO] Cisco 7600 RSP 720-3CXL

Hello networking community.

I am facing a task to perform a technical analysis of performance problems with traffic routed via a bunch of good old C7604s.

I have come up with the idea that overloading the v4 table size might cause the problem.

Two of those routers sitting at the edge of the network are serving as peering/upstream routers.

On one of them, there are several BGP sessions (3x full BGP feed = over 2M routes).

Datasheet of RSP used in this router tells that it can store 1M (IPv4); 512K (IPv6) .

My question is, can this situation negatively affect routing performance?



Cisco and Solarwinds

I am looking for some help and google has a few ideas so I am checking here next.

I need to find a way to pull a report that shows any latency between two of our hops talking together. I did a SW report but that looks to just be latency between SW and the device.

One answer on google says SW VoIP monitoring could do this. Anyone have information or something else I can use to check these links?



Using existing 6 wires cable as Ethernet connection?

Hello. My house is connected to a telephone line using a 6-wire cable which gives me internet. Only two wires, blue and white-blue, are connected to a socket; a router from the ISP is connected to that socket using some kind of flat RJ11 (UK BT socket?), and the next thing in the network is my OpenWRT router, which is the central point of my network. I would like to remove the router from the ISP, which would require me to rewire that socket.

The problem is that 6-wire cable. Is it possible to convert it from 6 wires to 8-wire Ethernet Cat5? I don't want to rewire everything in the house; I just want to replace the ISP's router with my own and configure OpenWRT to connect using PPPoE.

Picture of the cable coming in to my house: https://i.imgur.com/zHhKHSk.jpg

Do I just need to connect blue to blue, white-blue to white-blue, etc., and ignore brown and white-brown? There are connectors like this on the market [1], so it must be possible, but so far every attempt of mine has failed.

[1] https://www.amazon.co.uk/CDL-Micro-Male-Cat5e-Cable/dp/B003534VGS



Loop Detection - revisited

I didn't have too much luck in the past with simply using TCNs or other means of loop detection through our syslogs. I have since been testing with BPDU Guard and setting up SNMP traps to be received on our PRTG server. The next step I need to figure out is how to filter on the correct SpecTrap, as PRTG calls it. The strange part is that I am seeing 2 messages each time and am not sure which to trust, as they have different SpecTrap numbers. Anyone have good reading material on trap receivers, specifically PRTG? My Google terms have not been getting the best results. Thanks all.



Multicast on Cisco DNA

Hi all,

Sorry if this is a dumb question or if it's not for this subreddit. I am trying to set up a system using multicast on a Cisco DNA setup. Multicast is working fine within a single switch stack but will not/cannot traverse between stacks. I'm assuming multicast can be used on a DNA system. Other traffic works just fine to and from switches.

Thanks for any clues in advance.

S



Network Traffic Replay for Lab

Hello,

We are in the beginning stages of setting up a lab environment. We would like to replay some of our network traffic through this lab. Can anyone point me in the right direction as far as products that could get this done?

Any insight is appreciated.



Cisco C9300-48UXM DHCP snooping bug

Hey folks!

Just wanted to spread the word on bug CSCvn15912. It looks like Cisco's document isn't published just yet but our team got caught by it and wasted many hours troubleshooting.

There were some reports that the code release 16.6.4 would resolve a bug where a C9300 becomes near unresponsive when enabling the DHCP snooping feature on the switch. We are running code 16.6.4 and the issue persists. TAC has reached out to us to let us know that a fix will be released in 16.6.6/16.9.3

ETA for 16.6.x is mid-April, ETA for 16.9.3 is end of March.



Shim6 use case

Hi, I'm trying to understand the Shim6 use case. Is it used only for a "BGP peering"-like connection, or is the change of ULID used only in a data flow between hosts?

Thanks



Commscope vs Clearfield for FTTx

I'm planning a FTTx deployment and am trying to minimize outside plant splicing. I've narrowed down my options between Commscope's fiber indexing terminal and Clearfield's YOURx. Does anyone have any other recommendations or experience with these product lines?



SSL Cert Install on ASA

So I had a customer send me a .crt that needs to be installed on the ASA for AnyConnect. I did not generate a CSR from the firewall for this, and I believe the same keypair was used this time, as I generated a CSR for them last year for this. Would I just install this certificate over the current one so it uses the same keypair on the ASA?



MACSec Use case?

Hey all,

I work for a company which handles a lot of patient data. We have multiple sites (site A = head office, B = diagnostic imaging office).

Right now we have two SonicWall TZ205s, one sitting at each site. We have dark fiber connecting the sites through a local small emerging ISP. Due to the nature of our data, and the visibility the ISP would have into the line if needed, we need to secure the traffic before it leaves each site. Because of this, we have been using a site-to-site VPN. While this works, the TZ205 is not handling this well and strangles our internet due to throughput limitations.

The provider gives us an EPL:

that the EPL would be considered a “private Line data service”. We align with the Metro Ethernet Forum’s (MEF) ”CE 2.0” standard.

Every Frame that comes into your EPL port (AKA UNI port) is mapped into a virtual tunnel across our network to the UNI port on the other end of the EPL. This includes all untagged, tagged VID 1-4096, and the majority of L2 control frames.

We provide no encryption and, if need be, network engineers have the ability to mirror traffic from your circuit into a packet capture device, which would only be done if they were troubleshooting an issue.

So we actually have the hardware portion of the EPL in place on both sites, just not wired into anything yet.

Our switches are all SG200 series hardware (we are not a huge enterprise), and we are in the process of upgrading our firewalls; I would like to leverage the EPL for our site-to-site traffic.

Is this a proper use case for MACsec? Is there a better way to do this?

Thanks for the help!



What would cause a Windows 2012 R2 server to send to wrong MAC address?

I have Windows servers replicating across a non-routed network. All servers on this network are layer 2 adjacent. Traffic that leaves the production interface is fine, but all traffic that leaves the replication interface has a destination MAC address of the core switch instead of the adjacent servers. This causes ICMP redirects from the core switch and packet loss. I've tried adding static ARP entries and the server just ignores them and still sends to the MAC of the core switch. I'm at a loss. My next step is to just blow away the interfaces and recreate them, but I'd like any other suggestions first so I don't have to wait until the next Change Control window.

Edit: All Servers are configured on the 172.19.220.0/24 network. All masks are correct. There is no gateway address configured on the interface. ARP table is being populated with correct MAC entries but they are being *ignored*.



Wired/Wireless Network Infrastructure for a Nightclub - connecting Tills and PDQs to the Internet

Hi,

I work in the nightlife industry and have been given the task of completely redoing the network which connects tills, PDQs, CCTV and other devices to the Internet. At the moment, we have constant problems with parts of the network 'going down' and general unreliability. This obviously isn't great as card sales make up the vast majority of sales in the business, so when the card machines are unable to connect to the Internet, the business loses out.

Currently, the network is a complex mess of switches and routers placed all around the venue. My thought is that the current system has just gotten too complex as routers and switches have just been added on top of each other as the years have gone by, which has led to instability.

My thoughts are to scrap the current infrastructure and start with a brand new mesh network. Is this the best solution? Is there another type of network I should consider? What equipment would be best for this job? We need a solution that will keep our tills, PDQs (card machines), CCTV and other devices (laptops and phones) connected to the Internet reliably. This is not public WiFi for customers.

Any help would be greatly appreciated! Thanks :)



Having trouble understanding NAT from the client side.

This question comes from my homelab (I think this question relates to networking at large but if this fits better in another sub please let me know.).

After some searching, the information I find is either too simplified or tangential to the situation I'm trying to understand. I have just taken NAT for granted: forward a port for incoming traffic and all is good. That is, until now; I'm working on a project that, at least for testing, needs a web server on both ends (over WAN) to catch HTTP POSTs.

My question is, if I need to open ports any time there is traffic inflow, how are services able to send to and receive from client devices? Is it that the client only receives over 80/443 and those are allowed by default?

As an example, I am thinking about chat platforms like Discord. Is it only a matter of the client making the first request to the server to set up a TCP/UDP connection, or is there something I'm missing?

I studied networking but am just starting to learn programming and it is raising a lot of questions about things that were taken for granted in school.

Links for further reading would be greatly appreciated, thanks.
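As an added example (not code from the post or from any product), the Python below models the connection-tracking table that sits behind "port forwarding": an outbound packet from a LAN host creates a translation entry, packets coming back from that same peer match it and are rewritten to the inside host, and anything else arriving at the public address is dropped unless a static forward exists. That is why a chat client needs no forwarded port (it opens the connection, so the state already exists when the server answers), while a web server waiting for someone else's HTTP POST does. Addresses are documentation ranges chosen for the demo; the endpoint-dependent matching rule is an assumption, since real NATs range from full-cone to symmetric.

```python
"""A stateful NAT gateway in miniature (added example, not from the post)."""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    def __init__(self, public_ip, forwards=None, first_port=40000):
        self.public_ip = public_ip
        # static port-forwards: (proto, public_port) -> (inside_ip, inside_port)
        self.forwards = dict(forwards or {})
        # dynamic state: (proto, public_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.sessions = {}
        # inside 5-tuple -> public_port, so a flow keeps its mapping
        self.by_inside = {}
        self._ports = itertools.count(first_port)

    def outbound(self, pkt):
        """LAN -> Internet: allocate (or reuse) a public port and remember the peer."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_inside.get(key)
        if port is None:
            port = next(self._ports)
            self.by_inside[key] = port
            self.sessions[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Internet -> LAN: translate when state or a forward matches, else None (dropped)."""
        if pkt.dst_ip != self.public_ip:
            return None
        state = self.sessions.get((pkt.proto, pkt.dst_port))
        if state is not None:
            in_ip, in_port, remote_ip, remote_port = state
            # Endpoint-dependent filtering (assumed): only the peer we talked to gets in.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.proto)
            return None
        fwd = self.forwards.get((pkt.proto, pkt.dst_port))
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        return None  # unsolicited: no state, no forward


if __name__ == "__main__":
    # Constructed demo: 10.0.0.5:80 is the lab web server that must catch POSTs.
    gw = NatGateway("203.0.113.10", forwards={("tcp", 8080): ("10.0.0.5", 80)})
    out = gw.outbound(Packet("10.0.0.7", 51000, "198.51.100.20", 443))
    print("chat client leaves as", out)
    print("server reply becomes", gw.inbound(Packet("198.51.100.20", 443, "203.0.113.10", out.src_port)))
    print("stranger on that port ->", gw.inbound(Packet("198.51.100.99", 443, "203.0.113.10", out.src_port)))
    print("POST to forwarded 8080 ->", gw.inbound(Packet("192.0.2.1", 4444, "203.0.113.10", 8080)))
    print("POST to un-forwarded 80 ->", gw.inbound(Packet("192.0.2.1", 4444, "203.0.113.10", 80)))
```

The forwarded port is the only way the outside web server can reach the inside one without prior state, which is exactly the gap the poster hit when both ends needed to accept POSTs.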



Route-based VPN Cisco to Juniper - is it possible?

Looking to replace Cisco routers at multiple remote sites with Juniper SRXs, but it seems impossible to create a route-based S2S VPN between a Juniper SRX and a Cisco ASA.

The ASA log will show the following:

Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

It looks as though the Juniper is expecting an any/any crypto map on the ASA, but the ASA doesn't use crypto maps for route-based VPNs.

Two questions:

  1. Is it even possible to form a route-based VPN between the two manufacturers?
  2. It's my understanding that route-based VPNs do not use crypto maps because the routing protocols take care of that. So, am I mistaken, or do Juniper devices implement a janky form of route-based VPN that still uses crypto maps?

Appreciate your insight!



[Linux] Why can't I receive packets from a source not in my routing table?

So, these are the two experiments I did:

  • Used the default gateway provided by my router.
  • Ran tracepath -n 8.8.8.8.
  • Got the expected result of the hops answering.

And then I decided to do the following:

  • Removed the default gateway.
  • Added a static route to 8.8.8.8 through the gateway.
  • Ping to 8.8.8.8 works.
  • tracepath shows only the first hop and nothing else.
  • Wireshark shows that I receive ICMP packets with TTL expired messages, but apparently they are ignored somewhere along the chain.

So my question is, what is dropping these packets and why is the behaviour like that? My (very possibly flawed) common sense dictates that the application should receive the packets even though it cannot send to those destinations.

Thanks :)



VRF leaking without route-target?

On an N7K, I defined a VRF; let's call it:

vrf context WTF
  rd 500:1
  address-family ipv4 unicast

There's another VRF; let's call it:

vrf context NotHere
  rd 700:1
  address-family ipv4 unicast
    route-target import 700:1
    route-target export 700:1

I built a BGP session that advertised a default route into VRF WTF, and somehow that route appeared in VRF NotHere...

That's not supposed to happen, right? Once I defined a junk route-target export within WTF's context, it stopped happening.



Aruba controller trunk port changing to access causing outage

Hi,

We have Aruba wireless with controllers split across two core routers in data centres, with an L2 connection between both data centres. Our IP addressing is handled on the core routers rather than the controllers, and we use VRRP between the two DCs. We recently needed to create a new VLAN for wireless clients and a new subnet on the core network for these users. We created the new VLAN on our core network and the IP interfaces and VRRP setup, then tagged the controller uplinks with the new VLAN. Basically followed the current design we have, not trying to do anything different.

All was well; then we created the VLAN on the controllers, and once we added the new VLAN to the list of allowed trunk VLANs on the uplink port channel on one of our controllers, everything died for clients connected via APs terminating on that controller (SSIDs were still broadcasting, etc.). We tried to troubleshoot as best we could to find the cause but ultimately ended up reverting by deleting the VLAN off the controllers and disabling the VLAN on the core routers, and then it came back.

We noticed two main things when the outage occurred. One of our VRRP instances failed over when we made the change, but we are not sure why. The other is that when the outage was occurring we could still connect to WiFi and get access over a particular VLAN. The strange thing is, when we look at our config on the controllers in the CLI, this VLAN is listed as the access port default VLAN for the uplink port channel (1005 in the example below).

interface port-channel 0
  add gigabitethernet 0/0/2
  add gigabitethernet 0/0/3
  add gigabitethernet 0/0/4
  add gigabitethernet 0/0/5
  trusted
  trusted vlan 1-4094
  switchport mode trunk
  switchport access vlan 1005
  switchport trunk allowed vlan xxx, xxx-xxx, xxx

The switchport mode is trunk, but it is as if when we make the change it flips to being access while still showing as trunk in the GUI and CLI. The VLAN in question is one that I added a while back in a similar change in which we also had a very brief outage, but by the time it was reported it had resolved itself without any intervention, so I was not able to diagnose anything. Checking our other controllers, it appears as if the last VLAN created on each is populating this line in the config, but no one would have intentionally configured it that way.

There were a load of logs and errors at the time on the controllers and core but so far our support partner has been basically useless and wants to close our ticket because the outage is over rather than find the root cause. As this has occurred twice now we are very reluctant to make any changes to the controllers before we know what is up.

Any help appreciated. Thanks.



proxy vs dns

What's better when having to redirect some URLs to a specific IP/DNS? Using dst-nat to redirect the DNS requests to my own DNS server (with some filter rules added) could give the same result as redirecting the same DNS requests to a local proxy and creating access rules there. Also, is there any benefit to using one instead of the other?



Ever made a huge mistake you wish aired as a Southwest Commercial?

I wiped our config from our main FortiGate FW, being an idiot (the short version of this story). I am new on the job and am slowly trying to feel out the network. Noticed the last config backed up on the FW was 1.5 years ago, and for some reason the previous admin never backed it up with Orion after that point. Needless to say, the old config was better than no config, but we lost a shitload of policies and now I have to reconfigure our S2S tunnels (there's only 5 and the sites are low on the pecking order of being operational). Needless to say, I am trying to figure out, based on the old config that had to be restored, what needs to be changed or added back in. My boss was weirdly calm about it and I am wondering if it will hit them tomorrow that there is a lot of shit that won't work right after this fiasco. Any pointers on how I can properly triage this problem are appreciated.



Maximum Tunnel Limit with SecurityK9 license in Cisco Router query

Can someone quickly check and let me know the limit of tunnels with the SecurityK9 license? I have encountered an issue with our core router where the maximum tunnel limit has been reached. It looks like the limit is 225, but I just want to confirm it.

I also would like to understand whether I can enable the hseck9 license evaluation temporarily to bring up the remaining tunnels. We have 500 tunnels to be activated today. I can raise the request to Procurement to purchase the tunnels and get it done in one week.

Feature name        Enforcement  Evaluation  Subscription  Enabled  RightToUse
appxk9              yes          yes         no            no       yes
uck9                yes          yes         no            no       yes
securityk9          yes          yes         no            yes      yes
ipbasek9            no           no          no            yes      no
FoundationSuiteK9   yes          yes         no            no       yes
AdvUCSuiteK9        yes          yes         no            no       yes
cme-srst            yes          yes         no            no       yes
hseck9              yes          no          no            no       no
throughput          yes          yes         no            no       yes
internal_service    yes          no          no            no       no

It would also be great if someone could tell me the command to check the number of tunnels on a Cisco router. The command doesn't seem to be working on the router.

#sh platform cerm-information
^
% Invalid input detected at '^' marker.

The model is a Cisco ISR4451-X/K9.

Feb 22 10:48:53.170: %CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license.



Thursday, February 21, 2019

Alcatel - How are the questions asked?

Hi, a friend of mine is stressing out before his Alcatel exam because he has no clue how the questions will be asked.

Is it multiple choice? Longer format? Practical implementation?

Any other tips would be appreciated.



Linecard port density subscription ratio

I have a C4507 switch at my company with line card WS-X4712-SFP+E. Reading through the Cisco datasheet I came across the points below, which I have a hard time understanding, or rather calculating:

  • 48 gigabits per-slot capacity

  • Bandwidth is allocated across four 3-port groups, providing 12 Gbps per port group (2.5:1)

I am scratching my head over the last point and how to decode the 2.5:1 ratio if I need to use both 10G and 1G in this line card. Can someone help me in layman's terms, please?

Thanks in advance.



Help with some STP issues (please)

I have this issue on a network where I keep getting these messages, and topology changes are happening rapidly.

_4th_3560X_1#debug spanning-tree bpdu
_4th_3560X_1#term mon
4th_3560X_1#
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/23 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03
26w6d: STP: Data 00000080
26w6d: STP: VLAN0001 Gi0/23:0000 00 80
26w6d: STP: VLAN0001 Gi0/15 tx BPDU: tcn: 0000 00 80
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 81 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0200 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/15 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/23 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03
26w6d: STP: Data 00000080
26w6d: STP: VLAN0001 Gi0/23:0000 00 80
26w6d: STP: VLAN0001 Gi0/15 tx BPDU: tcn: 0000 00 80
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 81 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0200 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/15 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/23 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03
26w6d: STP: Data 00000080
26w6d: STP: VLAN0001 Gi0/23:0000 00 80
26w6d: STP: VLAN0001 Gi0/15 tx BPDU: tcn: 0000 00 80
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 81 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0200 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/15 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/23 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03
26w6d: STP: Data 00000080
26w6d: STP: VLAN0001 Gi0/23:0000 00 80
26w6d: STP: VLAN0001 Gi0/15 tx BPDU: tcn: 0000 00 80
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 81 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0200 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/15 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/23 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03
26w6d: STP: Data 00000080
26w6d: STP: VLAN0001 Gi0/23:0000 00 80
26w6d: STP: VLAN0001 Gi0/15 tx BPDU: tcn: 0000 00 80
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 81 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0200 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/15 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/23 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03
26w6d: STP: Data 00000080
26w6d: STP: VLAN0001 Gi0/23:0000 00 80
26w6d: STP: VLAN0001 Gi0/15 tx BPDU: tcn: 0000 00 80
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 81 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0200 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/15 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03
no
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/23 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03
26w6d: STP: Data 00000080
26w6d: STP: VLAN0001 Gi0/23:0000 00 80
26w6d: STP: VLAN0001 Gi0/15 tx BPDU: tcn: 0000 00 80
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 81 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0200 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/15 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03
s
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/23 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03
26w6d: STP: Data 00000080
26w6d: STP: VLAN0001 Gi0/23:0000 00 80
26w6d: STP: VLAN0001 Gi0/15 tx BPDU: tcn: 0000 00 80
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 81 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0200 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/15 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03
no d
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200 0F00ebug all
All possible debugging has been turned off
_4th_3560X_1#
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/23 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03
26w6d: STP: Data 00000080
26w6d: STP: VLAN0001 Gi0/23:0000 00 80
26w6d: STP: VLAN0001 Gi0/15 tx BPDU: tcn: 0000 00 80
26w6d: STP: VLAN0001 Gi0/23 tx BPDU: config protocol=ieee Data : 0000 00 00 81 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0200 1400 0200 0F00
26w6d: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/15 , linktype IEEE_SPANNING , enctype 2, encsize 17
26w6d: STP: enc 01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03
26w6d: STP: Data 00000000818000000A04E2CDC0000000008000000A04E2CDC0800C0000140002000F00
26w6d: STP: VLAN0001 Gi0/15:0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00
26w6d: STP(1) port Gi0/15 supersedes 0

Any help with the troubleshooting would be great. I just need some new ideas.
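As an added example (not code from the post), the decoder below pulls apart the two frame formats in that debug output: the 17-byte 802.3/LLC header on the "enc" lines and the BPDU payload on the "Data" lines. Decoded, the config BPDU arriving on Gi0/15 comes from root bridge 000a.04e2.cdc0 with both the TC and TCA flags set (flags byte 0x81), the frame arriving on Gi0/23 from f4ac.c107.d798 is a TCN (type 0x80), and this switch (0019.55de.a180, extended system ID 1 for VLAN 1) relays a TCN out Gi0/15 and sends its own config BPDU out Gi0/23 with TC set. So the device at f4ac.c107.d798 behind Gi0/23 is what keeps generating topology changes; finding what that MAC is (show mac address-table, CDP/LLDP) is the next step. The sample frames are copied from the debug output above.

```python
"""Decode Ethernet/LLC encapsulation and BPDU payloads from `debug spanning-tree bpdu`.
Added example, not from the post; the frames below are copied from its output."""

RX_GI0_15_ENC  = "01 80 C2 00 00 00 00 0A 04 E2 CD CC 00 26 42 42 03"
RX_GI0_15_BPDU = "0000 00 00 81 8000000A04E2CDC0 00000000 8000000A04E2CDC0 800C 0000 1400 0200 0F00"
RX_GI0_23_ENC  = "01 80 C2 00 00 00 F4 AC C1 07 D7 98 00 07 42 42 03"
RX_GI0_23_BPDU = "0000 00 80"
TX_GI0_23_BPDU = "0000 00 00 01 8000000A04E2CDC0 00000013 8001001955DEA180 8017 0100 1400 0200 0F00"


def _mac(b):
    """Cisco-style xxxx.xxxx.xxxx from six bytes."""
    return ".".join(b[i:i + 2].hex() for i in (0, 2, 4))


def _bridge_id(b):
    """802.1t bridge ID: 4-bit priority (multiples of 4096), 12-bit system ID extension, MAC."""
    field = int.from_bytes(b[:2], "big")
    return {"priority": field & 0xF000, "sys_id_ext": field & 0x0FFF, "mac": _mac(b[2:8])}


def decode_enc(hexstr):
    """dst MAC, src MAC, 802.3 length and the 3-byte LLC header (DSAP/SSAP 0x42 = STP)."""
    b = bytes.fromhex(hexstr.replace(" ", ""))
    if len(b) != 17:
        raise ValueError("expected 17 bytes of 802.3 + LLC header")
    return {"dst": _mac(b[0:6]), "src": _mac(b[6:12]),
            "length": int.from_bytes(b[12:14], "big"),
            "llc": {"dsap": b[14], "ssap": b[15], "control": b[16]}}


def decode_bpdu(hexstr):
    """802.1D BPDU: 4-byte TCN or 35-byte configuration BPDU; timers are in 1/256 s."""
    b = bytes.fromhex(hexstr.replace(" ", ""))
    out = {"protocol_id": int.from_bytes(b[0:2], "big"), "version": b[2], "type": b[3]}
    if b[3] == 0x80:
        out["name"] = "TCN"
        return out
    if b[3] != 0x00 or len(b) < 35:
        raise ValueError(f"unsupported BPDU type 0x{b[3]:02x} or short payload")
    flags = b[4]
    out.update({
        "name": "Configuration",
        "flags": {"TC": bool(flags & 0x01), "TCA": bool(flags & 0x80)},
        "root": _bridge_id(b[5:13]),
        "root_path_cost": int.from_bytes(b[13:17], "big"),
        "bridge": _bridge_id(b[17:25]),
        "port_id": {"priority": b[25] & 0xF0,
                    "number": int.from_bytes(b[25:27], "big") & 0x0FFF},
        "message_age_s": int.from_bytes(b[27:29], "big") / 256,
        "max_age_s": int.from_bytes(b[29:31], "big") / 256,
        "hello_time_s": int.from_bytes(b[31:33], "big") / 256,
        "forward_delay_s": int.from_bytes(b[33:35], "big") / 256,
    })
    return out


def describe(enc_hex, bpdu_hex):
    """One-line summary: who sent what, with the topology-change flags that matter here."""
    enc, bpdu = decode_enc(enc_hex), decode_bpdu(bpdu_hex)
    if bpdu["name"] == "TCN":
        return f"{enc['src']} sent a TCN"
    f = bpdu["flags"]
    return (f"{enc['src']} sent a config BPDU: root {bpdu['root']['mac']} "
            f"cost {bpdu['root_path_cost']} TC={f['TC']} TCA={f['TCA']}")


if __name__ == "__main__":
    print("rx Gi0/15:", describe(RX_GI0_15_ENC, RX_GI0_15_BPDU))
    print("rx Gi0/23:", describe(RX_GI0_23_ENC, RX_GI0_23_BPDU))
    print("tx Gi0/23:", decode_bpdu(TX_GI0_23_BPDU))
```

The port ID in a received BPDU is the sender's port (0x800C is port 12 on the root, 0x8017 is this switch's port 23, matching Gi0/23), and the 0x0007 length on the Gi0/23 frame is the LLC header plus a 4-byte TCN, so the decoder's view agrees with the "tcn" lines the switch prints.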



SMB Firewall and VLANS

Hi!

I’m hoping for some advice on a network plan.

A little background:

I’m working for a smaller business where we have about 20 employee computers, 15 IP phones, a couple networked printers, and about 20 servers (mostly testing servers, a couple production servers), all of which run on a flat network.

We’ve determined we need a new firewall to support VPN connectivity and we’d like to take the opportunity to spec the new firewall such that we can segment the flat network that exists today.

We’re thinking the following VLAN setup should meet our needs:

  • Public Server DMZ
  • Remote Access
  • Guest Internet

  • Employee Computers/Printers

  • Servers

  • Voice

Today we have a simple firewall at the Internet edge and a Dell PowerConnect N3048 L3 switch which just functions as an access switch.

A majority of the traffic today already either goes out to the Internet or to a site-to-site VPN that terminates at the firewall. Additionally, we have an AWS environment that we would want to eventually hook into with an always-on VPN, using this firewall.

Option 1:

I believe the simplest option is to use the firewall as the core to do all the routing with a trunk from the firewall to the switch. This is nice because of the central management aspect, ability to have all VLAN traffic controlled, and the existing switch supports trunking, but from research, the firewall could become bottlenecked if also having to route and inspect the internal VLAN traffic.

However, I don't know if this is even really a concern at our scale if the firewall is spec'd large enough.

We are looking at FortiGate firewalls. Which metric(s) of a new firewall should we be looking at when trying to evaluate if this will be an issue?

Any suggestions on FortiGate firewall models based on my info?

Option 2:

Since we already own an L3 switch, I also considered routing between the Employee, Server and Voice VLANs using that switch and having the other VLANs off the firewall. I would potentially use ACLs to control inter-VLAN access on the switch.

Do ACLs allow the granularity where we could have all employee IPs able to connect to servers over HTTPS and only limited IPs (IT staff) able to connect to servers over RDP/SSH?

I was also hoping to use the firewall's MAC filtering to prevent clients from changing their IPs, and I believe we will lose this ability using the switch to route? If so, is there any way to replicate this behavior at the switch without going with an all-out NAC solution?

Still learning, so always open to any other/better designs or suggestions!

Thanks for the help!



Need help tracing a suspicious stream of packets through a Palo Alto firewall. How did these things get onto my network, where did they come from and what are they doing?

tl;dr - Packets from a private address range that doesn't exist in our org are continually trying to get to our DCs on TCP 389. How do I get a better idea of where they're coming from and why?

My org uses a 10.0.0.0/8 internal addressing scheme, with the second octet indicating location, third indicating department, etc. Pretty common.

I was looking at logs from our internal Server segment firewall earlier today, and I noticed a stream of packets from the 192.168.0.0/16 range trying to get to our Domain Controllers on TCP 389 (I assume LDAP). My server firewall is dropping them because I don't have a rule configured for that address range, but I was confused as to how those packets got onto our network and why they're aiming for our DCs.

I traced the packets back to our edge Palo Alto firewalls, and specifically to one of the tunnel interfaces. This specific tunnel interface is used for our GlobalProtect gateway, but all of the DHCP addresses for our GlobalProtect clients are given out in the 10.x.<department VLAN>.x range. Yet all these packets have source IPs in the 192.168.0.0/16 range. There's no other information in the firewall logs about which user it might be coming from. See the show session id example below.

What's my next step in troubleshooting this? These packets are being dropped by our internal firewall and no one is complaining about anything not working, but I can't help but be confused as to where they came from and what they're trying to do.

Here's an example of one of the many sessions that I've seen like this, taken from my edge firewall which let it through.

Session          235688
        c2s flow:
                source:      192.168.1.103 [Zone_L3_Global Protect]
                dst:         10.-.-.- (one of our DCs)
                proto:       6
                sport:       55158           dport:      389
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
        s2c flow:
                source:      10.-.-.- (one of our DCs) [Inside_Routed]
                dst:         192.168.1.103
                proto:       6
                sport:       389             dport:      55158
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
        pbf rule: ISP Failover rule 11
        start time                    : Thu Feb 21 16:48:42 2019
        timeout                       : 5 sec
        total byte count(c2s)         : 62
        total byte count(s2c)         : 0
        layer7 packet count(c2s)      : 1
        layer7 packet count(s2c)      : 0
        vsys                          : vsys1
        application                   : incomplete
        rule                          : Global Protect to any
        session to be logged at end   : True
        session in session ager       : False
        session updated by HA peer    : False
        layer7 processing             : enabled
        URL filtering enabled         : True
        URL category                  : any
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : True
        captive portal session        : False
        ingress interface             : tunnel.1
        egress interface              : ae1
        session QoS rule              : N/A (class 4)
        tracker stage firewall        : Aged out
        end-reason                    : aged-out
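As an added example (not from the post or from Palo Alto's tooling), the script below turns a show session dump into fields and applies the check the poster is effectively doing by eye: is the client-side source inside the pool the GlobalProtect gateway hands out, did the session enter via a tunnel interface, and is it aimed at a directory-service port. The session text is a constructed copy of the one above with 10.20.30.40 standing in for the redacted DC address; the pool prefixes and the list of sensitive ports are placeholders to adjust.

```python
"""Parse PAN-OS `show session id` output and flag client sources outside the
expected address pool.  Added example, not from the post; the session text,
DC address and pool prefixes are constructed placeholders."""
import ipaddress
import re

# Constructed sample modelled on the session in the post.
SAMPLE_SESSION = """\
Session          235688
        c2s flow:
                source:      192.168.1.103 [Zone_L3_Global Protect]
                dst:         10.20.30.40
                proto:       6
                sport:       55158           dport:      389
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
        s2c flow:
                source:      10.20.30.40 [Inside_Routed]
                dst:         192.168.1.103
                proto:       6
                sport:       389             dport:      55158
                state:       INIT            type:       FLOW
        start time                    : Thu Feb 21 16:48:42 2019
        application                   : incomplete
        rule                          : Global Protect to any
        session traverses tunnel      : True
        ingress interface             : tunnel.1
        egress interface              : ae1
        end-reason                    : aged-out
"""


def _grab(pattern, text, group=1, flags=0):
    m = re.search(pattern, text, flags)
    return m.group(group) if m else None


def parse_session(text):
    """Return the fields a triage script cares about, taken from the c2s (client) flow."""
    c2s = _grab(r"c2s flow:(.*?)s2c flow:", text, flags=re.S)
    if c2s is None:
        raise ValueError("no c2s/s2c flow sections found")
    return {
        "id": int(_grab(r"Session\s+(\d+)", text)),
        "src": _grab(r"source:\s*(\S+)", c2s),
        "src_zone": _grab(r"source:\s*\S+\s*\[([^\]]+)\]", c2s),
        "dst": _grab(r"\bdst:\s*(\S+)", c2s),
        "proto": int(_grab(r"\bproto:\s*(\d+)", c2s)),
        "sport": int(_grab(r"\bsport:\s*(\d+)", c2s)),
        "dport": int(_grab(r"\bdport:\s*(\d+)", c2s)),
        # anchored at line start so "pbf rule:" and "session QoS rule" do not match
        "rule": _grab(r"^\s*rule\s*:\s*(.+?)\s*$", text, flags=re.M),
        "application": _grab(r"application\s*:\s*(\S+)", text),
        "ingress": _grab(r"ingress interface\s*:\s*(\S+)", text),
        "egress": _grab(r"egress interface\s*:\s*(\S+)", text),
        "via_tunnel": _grab(r"session traverses tunnel\s*:\s*(\S+)", text) == "True",
    }


def outside_expected_pool(session, pools):
    """True when the client source is in none of the prefixes the VPN gateway assigns."""
    src = ipaddress.ip_address(session["src"])
    return not any(src in ipaddress.ip_network(p, strict=False) for p in pools)


def triage(session, pools, sensitive_ports=(88, 389, 445, 636)):
    """Human-readable findings; an empty list means nothing stood out."""
    findings = []
    if outside_expected_pool(session, pools):
        findings.append(f"source {session['src']} is outside the expected pool {list(pools)}")
    if session["via_tunnel"]:
        findings.append(f"entered via {session['ingress']} (tunnel), matched rule '{session['rule']}'")
    if session["proto"] == 6 and session["dport"] in sensitive_ports:
        findings.append(f"destination port {session['dport']}/tcp is a directory-service port")
    return findings


if __name__ == "__main__":
    sess = parse_session(SAMPLE_SESSION)
    for line in triage(sess, ["10.0.0.0/8"]):   # placeholder: the real GP pool prefixes
        print("-", line)
```

Run over a batch of dumps, the same functions give a count of sessions per unexpected source prefix and per ingress tunnel, which narrows the question to the users connected to that tunnel at the logged start time.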


What version of Aruba OS are you using on your switches?

We currently have a few of the 2930F and 2530 that seem to be running fine on 16.07.0003. This spring we are moving to Aruba 2930M and 3810M switches for the distribution and access layers; not sure yet what version I am going to put them on, probably the newest 16.07.



What's the best way to approach Amazon Prime Video about a public block?

Amazon's Prime Video service has blocks and blocks of addresses blocked to address the content licensing complications that VPNs can bring (speculation).

I have a block for residential internet that I need to somehow tell them about. It's been done with Netflix before but I can't seem to be able to reach anyone that can help me over there.



WiFi quality agent

Does anyone know of an agent that can run on company devices and BYOD that reports back to a server how good the connection is on Ruckus WiFi? At our company we have several hundred acres of agricultural production across several sites and we are VERY dependent on WiFi. I know there are things like spectrum analyzers that show where radio is good and signal strength from APs, but how about the quality returning to the AP? Anyway, I would like to know if there's an agent like that. Thanks!



I need a lesson in Layer 3 routing

The Details:

I have 4 x Dell N3048EP-ON switches stacked, 2 x N4032F switches stacked, and a FortiGate 500E.

To simplify the ordeal, let's just focus on a single switch and the FortiGate. Let's take 3 VLANs - 10, 20, and 30.

VLAN 10 - 192.168.10.1/24
VLAN 20 - 192.168.20.1/24
VLAN 30 - 192.168.30.1/24

Firewall:

The FortiGate has a LAN interface with the IP of 192.168.30.3/24. A simple static route (0.0.0.0/0 -> Public IP). A policy allowing all traffic sourced from VLAN30 going to the FG's WAN interface to allow all the things.

Routing:

Inter-VLAN routing works just fine. 10 can get to 20 and 30, 20 can get to 10 and 30, etc. I'll set up ACLs later. My problem is routing to the Internet. The default gateway is the FortiGate's interface IP (192.168.30.3). The switch can ping/traceroute/whatever out to the Internet - take a traceroute to 1.1.1.1. Works A-OK.

What Works:

- If I put a host on 30NET, I can get out just fine.
- Like I stated before, the switches can ping the FG interface and 1.1.1.1.

What Doesn't Work:

- If I put a host on 10NET or 20NET, they can't get out.
- Said hosts can't even ping the FG LAN interface.
- A traceroute/tracepath stops at their VLAN gateway (192.168.10.1 or 192.168.20.1) and won't hop to 192.168.30.1 in order to hop to 192.168.30.1.

------------------------------------------------------------------------------------------------------------------

Weird Things I've Tried:

- I've added a VLAN interface to the FG's physical interface for each VLAN.
- I've then manually added static routes (0.0.0.0/0 -> 192.168.10.3 & 0.0.0.0/0 -> 192.168.20.3).
- Changed the switchport from an access port (VLAN 30) to a trunk allowing VLAN 10, 20, 30.
- This lets every host in each VLAN be able to ping the FG LAN interface associated with their VLAN, but it causes some other weird behavior.
- I'm pretty sure the switches are only supposed to have a single static route and not multiple default gateways for each VLAN.

I'm fairly certain the problem lies in the layer 3 routing at the switch level. As I mentioned, they will route between VLANs perfectly fine, but it won't route any traffic out to the default gateway that isn't part of that host's VLAN.
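For the two routing posts above (the Linux tracepath experiment and the VLAN 10/20 hosts that cannot reach the FortiGate), the added example below, which is not code from either post, puts a longest-prefix-match table in Python and runs both situations through it. The first half models the Linux reverse-path filter (net.ipv4.conf.<if>.rp_filter), which drops an incoming packet whose source address has no route back through the receiving interface; with only a host route to 8.8.8.8, the ICMP time-exceeded replies from intermediate hops have no return route at all and are discarded before any socket sees them, while the first hop (on the connected subnet) still gets through. The second half looks up the firewall's reply path for a host in 192.168.10.0/24 when its only routes are the connected LAN and a default route: the reply leaves via the WAN side unless 192.168.10.0/24 and 192.168.20.0/24 are routed back to 192.168.30.1 on the LAN interface. The LAN prefixes, interface names and hop addresses used for the Linux side, and the ISP next hop for the firewall, are assumptions.

```python
"""Longest-prefix-match lookups, a model of the Linux reverse-path filter, and the
return-path problem on a firewall that only has a default route.
Added example, not from either post; addresses and interface names are assumed."""
import ipaddress


class RoutingTable:
    """Minimal FIB: entries are (prefix, next_hop_or_None, outgoing_interface)."""

    def __init__(self, name):
        self.name = name
        self.routes = []

    def add(self, prefix, iface, via=None):
        self.routes.append((ipaddress.ip_network(prefix), via, iface))
        return self

    def lookup(self, address):
        """Longest-prefix match; returns (next_hop, iface) or None when unroutable."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, via, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via, iface)
        return None if best is None else (best[1], best[2])

    def rpf_accepts(self, src, in_iface, rp_filter):
        """Model of rp_filter (assumed semantics): 0 = off, 1 = strict, 2 = loose."""
        if rp_filter == 0:
            return True
        route = self.lookup(src)
        if route is None:
            return False              # no route back at all: dropped in both modes
        if rp_filter == 2:
            return True               # loose: any route to the source will do
        return route[1] == in_iface   # strict: the route must point back out the ingress


# --- the tracepath experiments (assumed LAN 192.0.2.0/24, gateway .1, second hop 198.51.100.1)
def host_with_default_route():
    return (RoutingTable("experiment 1")
            .add("192.0.2.0/24", "eth0")
            .add("0.0.0.0/0", "eth0", via="192.0.2.1"))


def host_with_host_route_only():
    return (RoutingTable("experiment 2")
            .add("192.0.2.0/24", "eth0")
            .add("8.8.8.8/32", "eth0", via="192.0.2.1"))


# --- the FortiGate: LAN 192.168.30.3/24 on 'lan', default via an assumed ISP hop on 'wan'
def fortigate(with_return_routes):
    fw = (RoutingTable("FortiGate")
          .add("192.168.30.0/24", "lan")
          .add("0.0.0.0/0", "wan", via="203.0.113.1"))
    if with_return_routes:
        fw.add("192.168.10.0/24", "lan", via="192.168.30.1")
        fw.add("192.168.20.0/24", "lan", via="192.168.30.1")
    return fw


def reply_interface(fw, client_ip):
    """Interface the firewall would answer a LAN host on; only 'lan' completes the round trip."""
    route = fw.lookup(client_ip)
    return None if route is None else route[1]


if __name__ == "__main__":
    for table in (host_with_default_route(), host_with_host_route_only()):
        for hop in ("192.0.2.1", "198.51.100.1"):
            print(f"{table.name}: ICMP from {hop} on eth0, strict rp_filter ->",
                  "accepted" if table.rpf_accepts(hop, "eth0", 1) else "dropped")
    for routes in (False, True):
        print(f"FortiGate return routes={routes}: reply to 192.168.10.50 leaves via",
              reply_interface(fortigate(routes), "192.168.10.50"))
```

On the Linux side the matching sysctl to inspect is net.ipv4.conf.all.rp_filter (and the per-interface value); on the firewall, two static routes for the VLAN 10 and 20 prefixes pointing at 192.168.30.1 make the second half print "lan" for both cases.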



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Résumé advice?

To keep it brief, I started out on the NOC at my current position two years ago. Across the two years I learned really fast and moved up twice to their Level 2 Routing/Switching team. At this point I get paid about 15k less than the lowest guy on the team. They say they're willing to give me 5k increases every year to bring me up to par, but I think it's time to move on (or use an offer to get a big raise).
 

I don't have doubts they will offer me more money if I say I'm leaving. I've fixed some really nasty issues that had everyone stumped, brought a lot of improvements to the SNMP monitoring, and I'm the only guy on the team who can code well. I know automation is popular right now, which is good because I've been doing a lot of work with Python (netmiko) to address some gaps. This is a large enterprise company.

 

Problems: No certs(colleagues say my knowledge is CCNP at least), no post-secondary.

Anyone been in a similar situation and have advice on getting to an interview? I'm pretty confident I can impress in an interview if the interviewers are technical, it's just getting there that I'm worried about. I know it might be smart to get certs first, but that's a lot of time/cost when I'm eager to move.



Cisco Nexus config-sync - Yes or No?

Situation is we have pairs of N5Ks with dual-connected N2Ks - i.e. each FEX connects to both switches.

At the moment we are not using the config-sync feature which means that if an interface is configured, we need to make sure we apply the exact same configuration on both switches. Sometimes this hasn't been done and boy that can be confusing for a while.. and this happens as different engineers might be doing this work who are not familiar with the dual-homed Nexus or have forgotten the requirement.

So I'm looking for opinions from people using the config-sync feature as to whether you think it's worth it or not. I see some posts from a few years back where it sounded buggy. We are running 6.0.x FWIW.



Switch seeming to randomly lock up

We have an issue at our main building. 4 floors, and each of them has a UBNT switch handling all workstations for the floor. All share a single subnet. We have an issue where one wants to lock up for seemingly no reason. Yesterday the UBNT switch handling workstations on floor 2 locked up. We rebooted it and everything came back up. Today we replaced it with a spare. We then did a firmware update on the switch on floor 1. When we did, floor 2 (with the new switch) locked up again. We were able to reset it this time by just disabling and re-enabling the port from our main L3 to it. These switches on floor 1 and 2 aren't connected together. All UBNT floor-wide closet switches (each with 20ish workstations attached) have runs to our main server room's L3 switch. No wireless in the building. I'm thinking it almost has to be some kind of loop causing a broadcast storm. We set up monitoring on all ports on all switches to see if it happens again. In the meantime, does anyone have any thoughts as to what else might be causing it? And why would the floor 1 switch firmware upgrade cause the floor 2 switch to lock up until we disabled and re-enabled its link to the rest of the network? My limited networking experience has me thinking we have a loop somewhere. Any thoughts or insight welcome.



OSPF Summarization Lab Question

So, I'm having trouble with this lab. I don't have access to enough equipment to do all sections as shown but I plan on doing a small portion just to make sure it works later on. Anyways, I've never gotten any proper explanation of how summarization works so been trying to figure it out on my own. Going to post an image of the assignment with what I've done so far.

https://i.imgur.com/TT7vbCJ.png

That's Area 10, there are 4 more Areas, 20-50 for a total of Areas 10, 20, 30, 40, 50. They're all roughly the same as above. Now, if I did something wrong I'd love a polite explanation of what it was.



Is there a ground loop in this diagram?

I'd like to know if there's a ground loop in this diagram.

Notes:

This is a swing gate rack so for weight purposes I've got a 2U vertical flush mount rack to hang the UPS on. The UPS has a NEMA 5-15P plug on it which includes a ground.

The busbar can be grounded to the building or to a ground rod outside.

How would you guys prefer to ground?



Using Interface PPPOE and IP?

Hi Team,

I have a question about a config that I am playing with.

I have a Cisco router's G8 interface connected to a modem. The router has a dialer interface that establishes a PPPoE connection through the modem. The dialer gets the IP 172.16.1.10/30. This works perfectly.

The modem also has a web page interface. The problem is that this page is hosted on 172.16.0.250. If I add a static IP address of 172.16.0.200/24 to the G8 interface, I can reach the web page from computers behind the router.

With this config, I am now using the G8 interface for both the traffic going through the dialer and traffic accessing the modems web page.

Is this the best way to solve this problem? Are there any dangers with this config?

Thanks for your help guys.



Server issues

I'm no expert, and will probably need many of the terms in your responses to be dumbed down. I have a server with four Opteron cores in it, each at 1.15 GHz, 46 GB of RAM, and no operating system. When we just let it boot, it flashes a BIOS screen for a split second, and shows a screen saying it's booting through an Intel boot agent. It also has an option to press Ctrl+S. This will bring you into a menu that looks like this.

I have tried to boot the server with a hard drive running Windows 7, and using Parrot on a USB drive. The server still boots through the quick BIOS, shows the setup screen option thing, then turns off the monitor and screams (the on-board buzzer turns on and won't turn off until the power is pulled).

Edit:I also have pictures of some of the numbers on the chips on the mother board if needed for identification.



No Split Horizon with DMVPN?

Say I have 3 routers using DMVPN. Why does SH need to be turned off to propagate all routes? Can't R1 get unique routes directly from R2 and R3 advertisements and so on through a full DMVPN mesh?



WAN Load balancing - what am i looking for ?

Looking to do load balancing between WANs for a company's main office. What type of hardware am I looking for?

some "specs":

  • "Head Quarters" has
    • 5 WAN's (same ISP) at 35 Mbit/s down / 5 Mbit/s up (speed-test) (V-DSL)
      • expected to grow to 100/200/400/1000 Mbit (soon^TM)
      • each WAN supplies IP telephony (including a SIP trunk)
    • 20 work stations (back office)
      • expected to grow to 40 within the year
    • 10-ish Wireless-clients
      • expected to grow to 100+ users with 2-3 devices each as 'the company moves away from "pen & paper" and embraces the 21st century' (quote) and allows BYOD.
    • 1x IPsec tunnel for a branch office (currently 5 Mbit/s)
      • 5 work stations
      • a plethora of Wireless clients
      • massive increase in bandwidth planned (due to remote backups (HQ <-> Branch office) being considered)
      • additional branch office to be integrated at some point (new tunnel - same size as above) - contingent on their connectivity increasing.

Backstory:

  • HQ and Branch Office have different 'contractors' responsible for their respective connectivity/network.
  • Second (planned) branch office has "in-house IT" and runs a paper-less office (for years) - looking forward to do remote-backups into "HQ"

The Problem:

I am being "quoted" Vendors (Watchguard, Sophos) and prices (ballpark 8.5k usd) , but no one is getting specific on what type of hardware this is going to be.

Addendum:

  1. (for the lack of proper terminology) I am looking for the type of "load balance" that mode "balance-tcp" on LACP with Open vSwitch does on my Proxmox servers - yes, I am a sysadmin/'server admin' in charge of herding cats (here we are again ...)
  2. 35 Mbit/s is the max a single connection can provide (the line is supposed to do 50 Mbit/s)
  3. the tunnel between HQ and branch-office is at current fast enough. It is the WWW-usage at Main office that is crawling (1 connection utilized)


Can someone help me make sense of this wizardry..

Hi, everyone. I'm somewhat new to the networking and security side of things and I'm trying to wrap my head around some concepts. I've worked in telecommunications for a number of years (field technician) and have had some exposure but I've decided to take the leap and self-study my way into the realm of security. I'm close to taking my A+ cert currently to start climbing that ladder but if someone would be so kind to help me understand a few concepts better it would be much appreciated.

  1. When incoming data is sent to a gateway/router, attempting to reach a client that has had no previous request sent for such data, how does the gateway handle that incoming traffic? Is it the job of a firewall to prevent those frames from entering the network, or is the data forwarded to the client regardless? If so, how does a client handle unsolicited incoming traffic? Is it dependent on whether the client is listening on that port?

  2. How is unsolicited incoming data "dropped" by a network or device? Are those electrical pulses dumped onto a grounding wire?

(Attempt at an example if it helps..)

SERVER_A is sending a HTTP response to HOST_A over the internet, though HOST_A never made a request for it. What happens?

Sorry if these questions seem "elementary". Thank you for taking the time to read and respond!
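Added worked example (editor's, not from the post above) for the SERVER_A / HOST_A scenario: a stateful firewall keeps a table of flows that inside hosts opened, and an inbound packet is forwarded only if it matches one of those flows or a service you deliberately published. "Dropping" is purely a software decision: the frame was already received and decoded by the NIC, the buffer holding it is freed and nothing is sent back. The addresses and the published web server are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Edge firewall: inside hosts may open flows outward; outside traffic gets in
    only if it matches a live flow or a deliberately published (dst, port)."""

    def __init__(self, inside_net, published=()):
        self.inside = ipaddress.ip_network(inside_net)
        self.published = set(published)   # (inside_ip, port) reachable unsolicited
        self.flows = set()                # 5-tuples, stored in both directions
        self.dropped = []                 # dropped packets: freed, never answered

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _add_flow(self, p):
        self.flows.add(self._key(p))
        self.flows.add(self._reverse(p))

    def handle(self, p):
        """Return 'forward' or 'drop' for one packet."""
        if ipaddress.ip_address(p.src) in self.inside:
            self._add_flow(p)             # inside-initiated: remember it so the reply can return
            return "forward"
        if self._key(p) in self.flows:
            return "forward"              # reply to something an inside host asked for
        if (p.dst, p.dport) in self.published:
            self._add_flow(p)             # a service you chose to expose
            return "forward"
        self.dropped.append(p)            # unsolicited: discarded silently, no state created
        return "drop"


def host_receive(listening_ports, p):
    """Endpoint behaviour for a forwarded TCP segment it has no connection for
    (plain TCP stack assumed): a SYN to a listening port is accepted, anything
    else is answered with RST and discarded."""
    return "accept" if p.dport in listening_ports else "rst"


def run_scenario():
    """Constructed exchange (assumed addresses): HOST_A 192.168.1.10 inside,
    SERVER_A 203.0.113.5 outside."""
    fw = StatefulFirewall("192.168.1.0/24")
    unsolicited = Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 51000)   # response nobody asked for
    request = Packet("tcp", "192.168.1.10", 51000, "203.0.113.5", 80)       # HOST_A asks
    response = Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 51000)      # genuine reply
    other_port = Packet("tcp", "203.0.113.5", 443, "192.168.1.10", 51000)   # same server, wrong flow
    return [fw.handle(p) for p in (unsolicited, request, response, other_port)]


def published_scenario():
    """Assumed: 192.168.1.20:443 is deliberately exposed; its port 22 is not."""
    fw = StatefulFirewall("192.168.1.0/24", published={("192.168.1.20", 443)})
    web = Packet("tcp", "198.51.100.9", 40000, "192.168.1.20", 443)
    ssh = Packet("tcp", "198.51.100.9", 40001, "192.168.1.20", 22)
    web_reply = Packet("tcp", "192.168.1.20", 443, "198.51.100.9", 40000)
    return [fw.handle(p) for p in (web, ssh, web_reply)]


if __name__ == "__main__":
    print("unsolicited, request, response, other_port:", run_scenario())
    print("published web, ssh, web reply:", published_scenario())
    print("host with sshd only receiving a forwarded 443 SYN:",
          host_receive({22}, Packet("tcp", "198.51.100.9", 40000, "192.168.1.20", 443)))
```

Both questions in the post map onto the two functions: `StatefulFirewall.handle` is the gateway's decision (the unsolicited response is dropped before it ever reaches HOST_A), and `host_receive` is what an endpoint does with unsolicited traffic that a permissive or stateless device did forward.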



Struggling to get 1000BASE-LX to work with SFP+ slots? (Netgate XG-7100)

I'm trying to get a Netgate XG-7100 working with an incoming 1000BASE-LX fiber line.

The media converter I tried from FS.com didn't work, so going to try directly with optics

I have confirmed the line has network connectivity, using a Juniper 740-011614 SFP optic in a Optiview XG tablet.

(I did try with an Intel FTLX1471D3BCVI31 (aka E10GSFPLR - Intel spec sheet) - however, even though it's meant to be dual-rate, it didn't pick up a signal on either the Optiview XG or the Netgate XG-7100. Is there something special you need to do to get this to work?)

Question 1 - The XG-7100 only has an SFP+ port (Intel X553) - are there any SFP+ modules that support only 1000BASE-LX?

Question 2 - I did buy the PCI riser for the Netgate XG-7100, which I was hoping to try with an Intel X520-DA2, which I believe supports both SFP and SFP+. However, it seems to be keyed differently to the slot:

https://i.imgur.com/6U8bq3d.jpg

Any ideas what's going on, or what SFP/SFP+ cards could work here?



Studying for network+ cert.

Hey all, I'm currently studying for the network+ Comptia exam. I was wondering if y'all have any recommendations on how to get more hands on for the lab sims. I've seen people mention virtual labs, I have downloaded VMware and not sure where to go next.



switch for 96 to 756 endpoints

Hi all,

EDIT:

starting with 96 but have to support 756 endpoints and need 10G uplinks between the switches. All copper except for the uplink ports.

1g ports-2G full duplex



Advanced Cisco, network security, or server admin?

I was recently looking at college choices and majors that I will end up taking next year. I have my mind set on network management and security. The college that I choose has three options for the fourth and final year, Advanced Cisco networking specialist, Network Security specialist, and Server Admin specialist. Does anyone have an opinion on which path is best to take, or experience in one of these sections that will help me better understand the difference between the three? Thank you!



Stacked switches are slower to take commands

I noticed that my stacked 2960X switches take range commands really slow.

I typed in:

Config t

int range gi1/0/1-48

<Pasted Commands 5 commands>

and like 20 to 30 seconds later it finally finished applying the commands to the access ports. Does anyone know why it would be so slow? Commands to one interface are fairly fast, but when I use range, it's slow.



Data Center security

Interesting topic came up and I wanted to see how others accomplish this. Standard hub and spoke topology with DC at the hub IPSec VPN spokes to branches. Branches have LAN and WIFI routed back to user network in DC at 192.168.1.x. Our Management VLAN in DC is 192.168.99.x, an admin at a branch office wants access to the .99 network. What we have them do is RDP to a .1 server then use it as a jump host since everything in .1 is open to .99.

What do others do? I know another standard I've used for this is to have an SSL VPN for admins. A more secure approach to what we do is to have ACLs denying all .1 traffic to .99 except for a specific server that's used as a jump host.
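Added worked example (editor's, not from the post above) of the ACL variant the post describes: a first-match policy that denies every path from the user network into the management VLAN except the jump host, plus an audit function that lists exactly who can still reach a management address after the change. The jump-host address, ports and the branch subnet are assumptions; the post only gives the two /24s.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action src dst dport")   # dport None means any port
ANY = "0.0.0.0/0"

# Constructed policies (assumed addresses: jump host 192.168.1.20, branch LAN 10.20.0.0/16).
OPEN_POLICY = [
    # the current state in the post: "everything in .1 is open to .99"
    Rule("permit", "192.168.1.0/24", "192.168.99.0/24", None),
]
RESTRICTED_POLICY = [
    Rule("permit", "10.20.0.0/16",   "192.168.1.20/32",  3389),  # branch admins RDP to the jump host only
    Rule("permit", "192.168.1.20/32", "192.168.99.0/24", 22),    # jump host -> management, SSH
    Rule("permit", "192.168.1.20/32", "192.168.99.0/24", 443),   # jump host -> management, HTTPS UIs
    Rule("deny",   ANY,               "192.168.99.0/24", None),  # nobody else reaches management
]


def evaluate(policy, src, dst, dport):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if (s in ipaddress.ip_network(rule.src)
                and d in ipaddress.ip_network(rule.dst)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action
    return "deny"


def audit(policy, sources, target, ports=(22, 443, 3389)):
    """Sorted (source, port) pairs that can reach target: run before and after a change
    so the diff shows exactly which exposure the new ACL removed or added."""
    return sorted((src, port) for src in sources for port in ports
                  if evaluate(policy, src, target, port) == "permit")


if __name__ == "__main__":
    sources = ["192.168.1.20", "192.168.1.77", "10.20.0.5"]   # jump host, a user PC, a branch admin
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, "-> 192.168.99.10:", audit(policy, sources, "192.168.99.10"))
        print(name, "-> 192.168.1.20 :", audit(policy, sources, "192.168.1.20"))
```

The audit is the useful part: with the open policy any compromised user workstation in 192.168.1.0/24 reaches the management VLAN on every port, while the restricted policy leaves a single host and two ports, which is what the jump host was supposed to give you in the first place.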



Prototype of SSH over 900MHz XBee

Hey all,

Thought you might be interested in a little project I've been coding lately. The use case is embedded Linux applications that need long-range, low-data-rate networking. They apparently used to make these 900MHz products called WaveLAN, but the only one on the market today (AvaLAN) costs nearly one grand a pair. So, I wrote a little program in Python to run IP networking over Digi's XBee 900HP modules (it would work with other XBees, but if 2.4 GHz is acceptable you may as well use WiFi), which are only $40 apiece. They have UART and SPI interfaces and of course you can throw in an FTDI chip for USB serial.

The modules have a 200Kbps RF data rate, and actual optimum throughput is only 30Kbps, so this is definitely a use case for M2M, embedded devices (unless you just like dialup speeds). They come with a proprietary DigiMesh protocol which is similar to Ethernet. You program each module's flash with a frequency-hopping pattern, preamble, and network ID, all of which must match; there is no join/deauth pattern like with WiFi. Regular MACs are used for addressing. The firmware has built-in AES encryption, which would be a good choice as TLS will reduce bandwidth even further.

Rather than broadcasting ARP packets to resolve the IPs, I made use of a "node ID" feature that comes in the DigiMesh protocol. The code sets the Node ID to a string representation of the IP address, and then uses the built-in "node discover" feature to . The downside is that this incurs a fixed time penalty because it will always take the timeout to respond back over serial (the responding radio uses this time to avoid interrupting "real" traffic). There is a way to do broadcasts, but they are repeated numerous times to ensure transmission across the mesh and so they would have a greater performance impact.

GitHub Link: https://github.com/aidanh010/StrangeNet

Demo Video: https://send.firefox.com/download/19fa2e0025/#vk_kjb8igC2Gn7xewCrhrg

I actually wrote this for my high school robotics team to use for transmitting scouting data at events, because WiFi networks are banned (they are used for the actual robots and they've had interference issues before) and we didn't want to violate the spirit of the rule with a different 2.4 GHz network (they are fine with Bluetooth due to its low power, but its range is not at all suitable). We are using CouchDB so a way to send regular TCP packets was a must.



Router without server

I'm at a loss because I'm searching for the wrong search terms.

In our new building, we will be subleasing to three or four other small businesses (almost in an executive suites setup). I think what I want is a router that lets me provide them internet access without letting them see other computers from another business.

My business has no need of an onsite file server--we are 100% cloud.

  1. Is it a thing to have a router that can set up VLANs without needing a dedicated server? If so, when I look at routers, what is that feature I'm looking for called or where can I read more?
  2. As a bonus question (for me!) (that may be in the explanations I should be reading but can't find): I was going to put IP phones on one VLAN, the shared printer on another, and each of the businesses' respective computers on their own VLANs. If I want to be that complicated, where everyone can "see" the printer but can't "see" other businesses' computers, is that exactly what a dedicated server is for? Am I blinding myself in thinking of servers primarily as file servers?

(rambling at this point: given that my firm has 6 users, and the tenants will be 1-4 users each, is the answer to just get cheap residential-grade routers for each tenant that separately connects to the modem and then if they want to print to the shared copier they either put it on a flash drive or I try to set up email to print?) (Taking that a step further, I could just give them access to guest wifi and make it their problem if they want to secure themselves from other people on the guest wifi.)

(my business is a law firm in a type of law where data privacy is a bigger concern than other law firms apparently think of it)



SSH clients

I have used many different SSH clients over the years, free and paid. Was wondering what people's preferences / favorites are, or perhaps you have given up on a dedicated client and use UNIX. Are there any tricks you use (e.g. I used to add creds to the .ssh file for my local UNIX box to speed things up)? I am currently using SolarPuTTY, which is far from perfect, but given that it's free and has features I like (tabs / hotkeys / credential retention - I know this is bad) I am sticking with it for the time being. I am sure this discussion has been had before, but hoping it was not recently; if so, apologies in advance.



Opinions on connecting labs (GNS3 etc) to a wider campus network

Hi guys,

Long time reader first time post.

We have had a request to set up a network simulator that will run in virtual machines in a classroom of approx 30 physical PCs that are currently connected to our LAN covering the rest of our campus (HE environment). Not sure yet if the labs will involve bridging the virtual network to our LAN to reach the internet or other things, but I suspect it will, and regardless there is nothing to stop a student setting this up anyway.

What are people's opinions when connecting a lab with these sorts of tools/software to a wider network? Should I be worried about any potential impact to the wider network? Am I being overly cautious? There is nothing stopping people using this sort of thing already on our network, but I am just wondering what needs to be considered before we decide to OK this, as students always seem to find ways of breaking things even if they aren't trying to be malicious.

We have layer 3 at the edge of our network and these machines are currently on their own VLAN but this is shared by machines that would be in other classrooms. Can put them onto their own VLAN. Anything else to consider besides DHCP snooping etc? Or would you just say no and tell them keep these lab machines off the main network to avoid any hassle?

Thanks



Sent packet errors on Cisco switches

Hey all,

Wondering if you can provide some insight on this. I'm trying to understand this for my own education here as I'm the security guy and I'm seeing this behavior logged into my SIEM product. Our network guys seem to think it's not a big deal (though I don't think I agree). I'm seeing logged sent packet error rates of sometimes as high as 90%+. Obviously, you can see why I might be alarmed by this. What would typically cause errors of this nature? At first it seemed like mostly the ports our APs were plugged into but I'm also seeing it on some of the switches in our data center. Any clue what would cause such a high error rate? Also, any clue why it would not seem to cause any issues? I'd have to think we'd see noticeable impact if it was erroring so badly. Should it matter, it's only sent packets not received.

Thanks in advance!



Switches for Medium Business

Hello /r/networking,

I have been given full responsibility over the Networking at my place of employment. The current project is to replace old switches with new ones and to get our backbone to 10g.

We had some sales guys give us a quote for 2960x switches. I was informed now that we can get newer switches rather than catalyst ones.

I take a lot of pride in my work, and I like to be as accurate as possible. Which leads to self-doubt in my decision making since I want to be as optimal as possible (I'm working on that). My question is... I noticed there were new 9000 series Cisco switches. I narrowed it down to the 9200 due to the swappable modules and better specs than the 2960X. Am I missing something here? I have a weird feeling that I'm going the wrong direction with the 9200 series due to the sales guy not pushing them.

What are your thoughts on 2960x vs 9000 series CISCO Switches?

Edit: Why down vote?



SD-WAN FEC and packet duplication

SD-WAN without FEC and packet duplication features can dynamically move traffic to the best VPN tunnel to ensure the best performance from the links available.

From my understanding packet duplication and FEC come into play and improve that end user experience further in the following 2 scenarios.

Scenario 1:

There are 2 WAN links available and voice traffic is passing over both links when packet duplication is enabled, and only over WAN 1 when packet duplication is disabled. We then experience intermittent performance degradation/brownout or a complete failure of WAN 1.

WITH FEC/PACKET DUPLICATION

FEC and packet duplication can offer a seamless transition over to WAN 2 resulting in no noticeable impact to the end user.

WITHOUT FEC/PACKET DUPLICATION

Without this technology the end user will experience a disruption to the service and will last the duration of time it takes for the vendor equipment to detect the loss and failover to the second WAN link. This time varies based on vendor but in my experience it’s typically sub second.

Scenario 2

There are 2 WAN links and both are experiencing intermittent performance degradation/brownout.

WITH FEC/PACKET DUPLICATION

Because traffic is being duplicated over both WAN links the packet has a better chance of arriving at the destination.

WITHOUT FEC/PACKET DUPLICATION

Because only 1 WAN link is being used the SD-WAN will pick the best of the bad links. Meaning the end users experience will suffer from all the loss, latency and jitter on that WAN link.

In my mind there is no question that FEC/packet duplication is an innovation that improves the end user experience. This feature, from my experience, really resonates with customers and facilitates them buying into the SD-WAN technology.

Now, to the points I would like us to debate

With regards to scenario 1, a sub second disruption while the failover takes place is tolerable for the majority of businesses.

With regards to scenario 2, how frequently does this scenario come about? If the ISPs that you are using take a similar path over the internet then there is a very good chance the end user experience will be poor regardless. Secondly, if the customer is using ISPs that are using diverse paths over the internet then the likelihood of this scenario happening is drastically reduced.

I predominantly work with SME customers based in Europe and the USA where they are looking at dual broadband links with their SD-WAN solution.

Is the benefit of packet duplication and FEC often overvalued? I work for a partner that offers two SD-WAN solutions, one that supports FEC and packet duplication, and one that doesn't, with the price difference being approximately 3 times. In addition you are also increasing your bandwidth consumption, a resource which is typically a bottleneck for organizations.

If we put aside for the moment all other technical differences that the two vendors have, also the sales aspect which typically involves trying to take as much money as possible from the customer.

When would you pay 3 times the price to allow you to go with a vendor that offers FEC and packet duplication if that was the only relevant differentiator between the two vendors?

My belief is that it's most likely going to be large global enterprises, who often have branches in areas with poor connectivity options, possibly with a high dependence on real-time traffic, who probably know the cost to the business of any disruption to these services and are happy to absorb the higher cost to get this feature.

For a lot of my customers I feel that this technology is potentially overkill especially as they are operating in areas of the globe where connectivity options are generally good. I don’t feel the price difference is great value for money.

Apologies for the long winded rambling nature of this post. I suppose it’s more of a series of statements I would like you to approve/challenge and really just give your insight on as I’m still pretty fresh to this technology. It would be great to hear from people who have extensively tested both and understand why they chose one over the other based on this FEC/packet duplication
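Added worked example (editor's, not from the post above) that puts numbers on the two scenarios. The functions compute the residual loss a voice stream sees under "steer to the best link", "duplicate on both links" and "single link plus simple XOR parity FEC", together with the bandwidth each costs and the packets lost during a failover window. The correlation knob `rho` is an assumption for this example, not a vendor metric; it captures the post's point that two ISPs sharing an upstream path fail together, which is exactly when duplication stops helping.

```python
def single_link_loss(p_best):
    """Without duplication the SD-WAN steers voice onto the better link and eats its loss."""
    return p_best


def duplicated_loss(p1, p2, rho=0.0):
    """Loss when every packet is sent on both links (simple mixture model, an assumption).

    rho = 0.0: the links fail independently (diverse paths), loss = p1 * p2.
    rho = 1.0: the same outage hits both (shared upstream), loss = min(p1, p2),
               i.e. no better than picking the best link.
    """
    return rho * min(p1, p2) + (1.0 - rho) * p1 * p2


def xor_fec_loss(p, k):
    """One XOR parity packet per k data packets on a single link.

    A data packet is unrecoverable only if it is lost AND at least one of the
    other k packets in its block (k-1 data + 1 parity) is lost as well.
    """
    return p * (1.0 - (1.0 - p) ** k)


def overhead(k):
    """Extra bandwidth as a fraction of the voice stream."""
    return {"duplication": 1.0, "xor_fec": 1.0 / k}


def failover_gap_packets(detect_seconds, pps=50):
    """Scenario 1 without duplication: voice packets lost while failover is detected.
    50 pps assumes a 20 ms packetisation interval (the usual G.711/G.729 default)."""
    return int(round(detect_seconds * pps))


def compare(p1, p2, rho=0.0, k=4):
    """Residual loss per strategy for links with loss rates p1, p2 (scenario 2)."""
    best = min(p1, p2)
    return {
        "steer_to_best": single_link_loss(best),
        "duplicate": duplicated_loss(p1, p2, rho),
        "xor_fec_on_best": xor_fec_loss(best, k),
    }


if __name__ == "__main__":
    # Constructed brownout: 2 % loss on WAN 1, 3 % on WAN 2.
    for rho in (0.0, 0.5, 1.0):
        print(f"rho={rho}:", {name: f"{v:.4%}" for name, v in compare(0.02, 0.03, rho).items()})
    print("bandwidth overhead:", overhead(4))
    print("packets lost during a 0.8 s failover:", failover_gap_packets(0.8))
```

Two things fall out of the numbers. With diverse paths, duplication turns a 2 % brownout into 0.06 %, but at twice the bandwidth; XOR FEC with k=4 gets to about 0.16 % for a quarter of the bandwidth. With a shared upstream (rho near 1) duplication buys nothing over steering, which is the case the post describes for ISPs that take the same path. For scenario 1, a 0.8 s detection window at 50 pps is 40 lost voice packets, roughly a syllable, which is the "tolerable for most businesses" trade-off the post is weighing against the 3x price.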



From Fed to Private...making the switch

I'd love to hear people's experiences moving from the federal government to the private sector. I'm a GS-14 step 4 with 16 years of federal service (4 via military buy back). My current career path is either to move into a managerial position as a 14 or compete and promote to a GS-15 where a minimum 50% travel is the expectation. I have 2 young kids at home and a stay at home wife. I've been interviewing for a senior leadership position at a very prestigious government contractor, pay is significantly more than I would ever make as a Fed and the position requires next to no travel. It's a regular M-F 8-5 gig. They also contribute 10% to 401k.

I'm 90% certain that I will make the jump to private if provided with an offer like we have discussed but wanted to hear from others who have been in this situation.

I'm a service connected disabled vet so if I wanted to get back into the federal government I think I'd be able to. I kind of look at it like this opportunity will only be here now, the federal government will always be there.

Thoughts? Advice?



Monitoring bandwidth for Ethernet/IP networks

Hi,

I am looking for a tool to monitor the bandwidth of an industrial network. I am already aware of Cisco's Industrial Network Director, FactoryTalk Network Manager and Hirschmann Industrial HiVision. Are there any more tools available for monitoring traffic?



wlc 2504 traffic shaping / user ratelimit

The 2504 isn't really my speciality, so I'm a bit unsure if this is possible as on the bigger platforms.

Can't seem to find any ways to rate-limit per user for an SSID. The only thing that comes up when using some google-fu is for the bigger platforms.

Are there any quick fixes? I guess I could just move the traffic to a dedicated port and drop it out at 10Mbit, but that's a bit of a meh solution imo.

We are considering migrating to a 5520 or 9800 platform (most likely the first due to the limited age of the 9800), but we have a few issues with wifi users going nuts bandwidth-wise that I would like to resolve now, since the selection process is taking forever (go management!).



S2S VPN with HSRP

Hello together. I have a problem with my HSRP VPN.

The network looks like this: https://imgur.com/a/WGYFx1j

My problem is that PC0 can ping PC1 but PC1 can't ping PC0.

I think it's a problem with an access-list but I wasn't able to figure it out.

Router0 and Router1 are configured the same way (except their own ip address).

Router 0 config:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CISCO address 20.0.0.1
!
crypto ipsec transform-set VPN_TRANS esp-3des esp-md5-hmac
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 20.0.0.1
 set transform-set VPN_TRANS
 match address VPN_ACL
!
interface Loopback0
 ip address 8.0.0.6 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.0.0.3 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 10.0.0.1
 standby 1 preempt
 standby 1 name HSRP_1
 crypto map VPN_MAP redundancy HSRP_1
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.1.3 255.255.255.0
 duplex auto
 speed auto
 standby 2 ip 192.168.1.1
 standby 2 preempt
 standby 2 name HSRP_2
!
interface Serial0/1
 no ip address
 shutdown
!
interface Serial0/2
 no ip address
 shutdown
!
interface Serial0/3
 no ip address
 shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.0.7
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
!
ip access-list extended VPN_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Router 2 config:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CISCO address 10.0.0.1
!
crypto ipsec transform-set VPN_TRANS esp-3des esp-md5-hmac
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set VPN_TRANS
 match address VPN_ACL
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
 no fair-queue
!
interface FastEthernet0/1
 ip address 20.0.0.1 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN_MAP
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 20.0.0.7
!
!
ip nat inside source list 101 interface FastEthernet0/1 overload
!
!
ip access-list extended VPN_ACL
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any

Hope you can help me :)
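Added worked example (editor's, not from the post above): the first things to check on one-way traffic across a crypto-map tunnel are that the two crypto ACLs are exact mirrors of each other, that the NAT ACL denies the tunnel traffic before any permit (IOS translates inside-to-outside traffic before it hits the crypto map, so without that deny the packets no longer match the crypto ACL), and that each router's `set peer` matches the address on its ISAKMP key. The script below parses those lines out of the configs. The config strings are constructed excerpts of the two configs in the post, limited to the lines the checks need.

```python
import ipaddress
import re

# Constructed excerpts of the Router 0 and Router 2 configs in the post.
ROUTER0 = """
crypto isakmp key CISCO address 20.0.0.1
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 20.0.0.1
 match address VPN_ACL
ip nat inside source list 101 interface FastEthernet0/0 overload
ip access-list extended VPN_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""
ROUTER2 = """
crypto isakmp key CISCO address 10.0.0.1
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 10.0.0.1
 match address VPN_ACL
ip nat inside source list 101 interface FastEthernet0/1 overload
ip access-list extended VPN_ACL
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
"""


def acl_network(tokens):
    """Consume one IOS address spec ('any' | 'host A' | 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host" or tokens[1] == "0.0.0.0":
        addr = tokens[1] if tokens[0] == "host" else tokens[0]
        return ipaddress.ip_network(addr + "/32"), tokens[2:]
    # ipaddress accepts a wildcard (host mask) after the slash, e.g. 192.168.1.0/0.0.0.255.
    # An all-zero mask would be read as /0, which is why host wildcards are handled above.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acls(config):
    """{acl_name: [(action, src_net, dst_net), ...]} for numbered and named extended
    ACLs; only 'ip' protocol entries are parsed, which is all the post's ACLs use."""
    acls, current = {}, None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            acls.setdefault(current, [])
            continue
        if tokens[0] == "access-list":
            name, tokens = tokens[1], tokens[2:]
            current = None                   # a top-level command ends the named block
        elif tokens[0] in ("permit", "deny") and current:
            name = current
        else:
            current = None
            continue
        if tokens[1] != "ip":
            continue
        src, rest = acl_network(tokens[2:])
        dst, _ = acl_network(rest)
        acls.setdefault(name, []).append((tokens[0], src, dst))
    return acls


def peer_and_key(config):
    """Set of 'set peer' addresses and set of ISAKMP key addresses in a config."""
    peers = set(re.findall(r"^\s*set peer (\S+)", config, re.M))
    keys = set(re.findall(r"^\s*crypto isakmp key \S+ address (\S+)", config, re.M))
    return peers, keys


def crypto_acls_mirror(local_acl, remote_acl):
    """Each side's crypto ACL must be the exact mirror (src/dst swapped) of the other."""
    local = {(s, d) for a, s, d in local_acl if a == "permit"}
    remote = {(d, s) for a, s, d in remote_acl if a == "permit"}
    return local == remote


def nat_exempts_tunnel(crypto_acl, nat_acl):
    """Every crypto-interesting pair must hit a deny in the NAT ACL before any permit."""
    for action, src, dst in crypto_acl:
        if action != "permit":
            continue
        verdict = None
        for nat_action, nat_src, nat_dst in nat_acl:
            if src.subnet_of(nat_src) and dst.subnet_of(nat_dst):
                verdict = nat_action
                break
        if verdict != "deny":
            return False
    return True


def check_pair(cfg_a, cfg_b, crypto="VPN_ACL", nat="101"):
    """Run the three consistency checks over a pair of configs."""
    a, b = parse_acls(cfg_a), parse_acls(cfg_b)
    pa, ka = peer_and_key(cfg_a)
    pb, kb = peer_and_key(cfg_b)
    return {
        "crypto_acls_mirror": crypto_acls_mirror(a[crypto], b[crypto]),
        "nat_exempt_a": nat_exempts_tunnel(a[crypto], a[nat]),
        "nat_exempt_b": nat_exempts_tunnel(b[crypto], b[nat]),
        "peer_matches_key_a": pa == ka,
        "peer_matches_key_b": pb == kb,
    }


if __name__ == "__main__":
    for name, ok in check_pair(ROUTER0, ROUTER2).items():
        print(f"{name:20s} {'ok' if ok else 'MISMATCH'}")
```

For the configs in the post all five checks pass, so the mirror-ACL and NAT-exemption suspects are cleared by inspection and the remaining places to look are the ones the script cannot see from these lines: where `ip nat inside` / `ip nat outside` sit on the Router 0 interfaces, which HSRP member currently holds 10.0.0.1 (the peer Router 2 is keyed to), and whether return traffic from 192.168.2.0/24 is actually arriving at the active router rather than the standby one.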