Saturday, March 23, 2019

I need an AWS answer!

I saw that AWS has an “AWS Certified Advanced Networking” cert, but their prerequisites for the cert aren’t clear, to me at least. Can I take this cert immediately, or are there others I need before I take this? I’m currently studying for my CCNP, but I hear so much about AWS and think this might be worth it. I’m thinking about pausing my studies and going for the AWS-CAN. Any advice would help!



prerouting/forward upload

https://ift.tt/2JAXVe4

Aruba Wi-Fi Mobility Master license pooling and Virtual Controllers?

I’m trying to wrap my head around how Aruba Wi-Fi licensing works with Aruba's virtual Mobility Controllers. If I understand Aruba's documentation correctly, a site needs one LIC-AP license (JW472AAE) for every access point, plus a license for the virtual Mobility Controller itself. Virtual controller licenses are priced by max APs supported with 10, 50, 250, 1000 options. For example, a MC-VA-250 (JY903AAE) is a license for a single virtual controller that supports up to 250 APs.

Now where I’m confused is Aruba also offers Mobility Master software for managing multiple sites. MM costs extra and doesn't replace the AP and MC licenses, but it does add license pooling between sites. According to the Aruba licensing guide this includes the ability to pool MC-VA licenses. But I don't know if pooling in this context includes splitting a larger MC license into more than one site.

Say I have 10 sites with 90 APs each. I could buy (900) LIC-AP licenses plus (10) MC-VA-250 licenses and be covered. But if Mobility Master allows me to split up licenses from a central pool, I could save a ton of money by replacing the (10) MC-VA-250 licenses with a single 1000 AP controller license (MC-VA-1k) plus the 1000 AP Mobility Master license (MM-VA-1k). But I can’t tell from Aruba’s documentation if this is allowed.

Any insights are appreciated!



IPv4 for sale or transfer.

We have a few IPv4 blocks for sale/transfer. Anyone interested in buying, PM me.

P.S. Not interested in brokers.



Spanning-Tree between Cisco and Brocade

We're currently doing a migration from Cisco to Brocade and there seems to be a spanning tree issue whenever the two are linked together.

We still have some servers running on the old Cisco equipment and they need to be up until they are migrated over. The old 6509 cores are only passing a single VLAN over to the new cores, but whenever we plug the two together the entire network goes down. It seems like they are fighting to become the root bridge and it's sending so many packets there's just not enough hardware to handle it. The logs only show the port going up and down and then the spanning tree states.

If anyone has any tips for troubleshooting, it would be greatly appreciated.

Mar 23 12:19:54:I:STP: VLAN 700 Port 2/1/47 STP State -> DISABLED (PortDown)
Mar 23 12:19:54:I:STP: VLAN 700 Port 2/1/47 STP State -> BLOCKING (DOT1wTransition)
Mar 23 12:19:54:I:STP: VLAN 700 Port 2/1/47 STP State -> FORWARDING (PortDown)
Mar 23 11:53:21:I:STP: VLAN 700 Port 2/1/47 Bridge TC Event (DOT1wTransition)
Mar 23 11:53:21:I:STP: VLAN 700 Port 2/1/47 STP State -> FORWARDING (DOT1wTransition)
Mar 23 11:53:21:I:STP: VLAN 700 Port 2/1/47 STP State -> LEARNING (DOT1wTransition)
Mar 23 11:53:18:I:STP: VLAN 700 Port 2/1/47 STP State -> BLOCKING (DOT1wTransition)
Mar 23 11:53:18:I:STP: VLAN 700 Port 2/1/47 STP State -> DISABLED (PortDown)
Mar 23 11:53:18:I:STP: VLAN 700 Port 2/1/47 STP State -> BLOCKING (DOT1wTransition)
Mar 23 11:53:18:I:STP: VLAN 700 Port 2/1/47 STP State -> FORWARDING (PortDown)
Mar 23 11:53:13:I:STP: VLAN 700 Port 2/1/47 Bridge TC Event (DOT1wTransition)
Mar 23 11:53:13:I:STP: VLAN 700 Port 2/1/47 STP State -> FORWARDING (DOT1wTransition)
Mar 23 11:53:13:I:STP: VLAN 700 Port 2/1/47 STP State -> LEARNING (DOT1wTransition)
Mar 23 11:53:10:I:STP: VLAN 700 Port 2/1/47 STP State -> BLOCKING (DOT1wTransition)
Mar 23 03:00:13:I:STP: VLAN 700 Port 2/1/47 STP State -> DISABLED (PortDown)
Mar 23 03:00:13:I:STP: VLAN 700 Port 2/1/47 STP State -> BLOCKING (DOT1wTransition)
Mar 23 03:00:13:I:STP: VLAN 700 Port 2/1/47 STP State -> FORWARDING (PortDown)
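As an added example (this is not code from the post), the following Python script runs a simple flap check over the STP log lines quoted above. It parses each line, puts the entries back into chronological order (the post pastes them newest-first, which the script assumes), counts real transitions to FORWARDING, transitions to DISABLED and topology-change events per VLAN/port, and records the shortest time a port stayed forwarding before going down again. Port 2/1/47 here stays up for only five seconds between one convergence and the next PortDown, which is the kind of figure that separates a link-level problem from a genuine root-bridge fight.

```python
import re
from collections import defaultdict
from datetime import datetime

# The 17 STP lines quoted in the post above, pasted newest-first as shown there.
SAMPLE_LOG = """\
Mar 23 12:19:54:I:STP: VLAN 700 Port 2/1/47 STP State -> DISABLED (PortDown)
Mar 23 12:19:54:I:STP: VLAN 700 Port 2/1/47 STP State -> BLOCKING (DOT1wTransition)
Mar 23 12:19:54:I:STP: VLAN 700 Port 2/1/47 STP State -> FORWARDING (PortDown)
Mar 23 11:53:21:I:STP: VLAN 700 Port 2/1/47 Bridge TC Event (DOT1wTransition)
Mar 23 11:53:21:I:STP: VLAN 700 Port 2/1/47 STP State -> FORWARDING (DOT1wTransition)
Mar 23 11:53:21:I:STP: VLAN 700 Port 2/1/47 STP State -> LEARNING (DOT1wTransition)
Mar 23 11:53:18:I:STP: VLAN 700 Port 2/1/47 STP State -> BLOCKING (DOT1wTransition)
Mar 23 11:53:18:I:STP: VLAN 700 Port 2/1/47 STP State -> DISABLED (PortDown)
Mar 23 11:53:18:I:STP: VLAN 700 Port 2/1/47 STP State -> BLOCKING (DOT1wTransition)
Mar 23 11:53:18:I:STP: VLAN 700 Port 2/1/47 STP State -> FORWARDING (PortDown)
Mar 23 11:53:13:I:STP: VLAN 700 Port 2/1/47 Bridge TC Event (DOT1wTransition)
Mar 23 11:53:13:I:STP: VLAN 700 Port 2/1/47 STP State -> FORWARDING (DOT1wTransition)
Mar 23 11:53:13:I:STP: VLAN 700 Port 2/1/47 STP State -> LEARNING (DOT1wTransition)
Mar 23 11:53:10:I:STP: VLAN 700 Port 2/1/47 STP State -> BLOCKING (DOT1wTransition)
Mar 23 03:00:13:I:STP: VLAN 700 Port 2/1/47 STP State -> DISABLED (PortDown)
Mar 23 03:00:13:I:STP: VLAN 700 Port 2/1/47 STP State -> BLOCKING (DOT1wTransition)
Mar 23 03:00:13:I:STP: VLAN 700 Port 2/1/47 STP State -> FORWARDING (PortDown)
""".splitlines()

# Matches the Brocade-style STP syslog format used in the post.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}):I:STP: VLAN (?P<vlan>\d+) Port (?P<port>\S+) "
    r"(?:STP State -> (?P<state>[A-Z]+)|Bridge (?P<tc>TC) Event) \((?P<reason>\w+)\)$"
)


def parse_line(line):
    """Return a dict for one STP log line, or None if the line is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        # The log carries no year; the 1900 default is fine, only differences are used.
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "key": f"vlan{m['vlan']}/{m['port']}",
        "state": m["state"],            # None on a TC event line
        "tc": m["tc"] is not None,
        "reason": m["reason"],
    }


def summarize(lines, newest_first=True):
    """Per VLAN/port: FORWARDING and DISABLED counts, TC events, and the shortest
    time the port stayed FORWARDING before being DISABLED again (seconds)."""
    events = [e for e in map(parse_line, lines) if e]
    if newest_first:                    # assumption: pasted newest-first, as in the post
        events.reverse()                # keeps the pasted order for equal timestamps
    stats = defaultdict(lambda: {"forwarding": 0, "disabled": 0,
                                 "tc_events": 0, "min_uptime_s": None})
    last_up = {}
    for e in events:
        s = stats[e["key"]]
        if e["tc"]:
            s["tc_events"] += 1
        elif e["state"] == "FORWARDING" and e["reason"] != "PortDown":
            s["forwarding"] += 1        # a real convergence, not the PortDown echo
            last_up[e["key"]] = e["ts"]
        elif e["state"] == "DISABLED":
            s["disabled"] += 1
            up = last_up.pop(e["key"], None)
            if up is not None:
                dt = (e["ts"] - up).total_seconds()
                if s["min_uptime_s"] is None or dt < s["min_uptime_s"]:
                    s["min_uptime_s"] = dt
    return dict(stats)


def flapping_ports(stats, max_uptime_s=60):
    """Ports that went FORWARDING -> DISABLED in less than max_uptime_s."""
    return sorted(k for k, s in stats.items()
                  if s["min_uptime_s"] is not None and s["min_uptime_s"] < max_uptime_s)


if __name__ == "__main__":
    for key, s in summarize(SAMPLE_LOG).items():
        print(key, s)
    print("flapping:", flapping_ports(summarize(SAMPLE_LOG)))
```

The `newest_first` flag exists because a log pulled straight from the switch is oldest-first; pass `newest_first=False` for that, and the same uptime calculation applies.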



Is it possible to make two Wi-Fi hotspots using one adapter?

Something like Baidu WiFi Hotspot, but using one single Wi-Fi adapter!

With different names (SSIDs).



Sending commands to device through Ethernet port

Hey all

So, at work we have received a carousel which responds to input consoles via an Ethernet cable. I am trying to emulate the output of the console on my PC so that I can control the carousel with a Python-based selection program I've written.

I have an instruction manual on the input consoles which has provided me with a wealth of information, everything from encoding type (RS-485) and baud rate to how to format the STX/ETX, and I feel really good about being able to start playing around with automating carousel movement. The one thing that this manual doesn't help me with is how in the hell I am supposed to actually send these commands through the Ethernet cable.

The console has settings to echo or transmit data for testing purposes. Using these settings, I have been looking for any way my computer will recognize the output from the console. I have tried finding the device through netstat, python socket listening, Wireshark, but I am completely stumped.

How can I listen to and communicate with these consoles over Ethernet cables?



mTLS setup on a Pulse Secure 3000

I wanted to see if anyone has any experience with setting up mTLS on a Pulse Secure. I have been trying to get this setup for a few weeks now and am having little luck. Pulse TAC has not been very helpful other than causing the Pulse client to no longer connect due to one of their changes.

Some background:

I would like to have the Pulse challenge the client machine for its machine cert with a particular OID in the EKU field. If the client machine does not provide the cert during the TLS handshake, I would like for the Pulse to RST the connection or something similar. I do not want it to proceed to any screen that may provide information to a potentially malicious user.

I currently have 2 realms and roles in place as requested by the Pulse engineer. One for the machine tunnel using PKI and one for the user which will use AD and SecureAuth for authentication.

Currently in my pcaps, I see the TLS handshake begin and, once they go to change the cipher spec, the Pulse sends an RST because the client is not providing a cert. I can see this in the pcap as the cert length field is set to 0. I feel like I have tried every option on the device that might seem related to mTLS but am getting nowhere, and now after Pulse tried playing around in there, I am getting a general network error on the client (error 1115) which tells me nothing, and I can no longer reach the server from the web portal.

I am at a loss, and this project is coming to its deadline with this being my last hurdle. Any advice or experience would be appreciated. Thanks!



4431 RJ45 connected to a media converter, tons of input errors

After a recent power outage, my Cisco 4431 connected to a VPLS network reports input errors on the interface connected to an RJ45-to-fiber media converter. I have rebooted the media converter and replaced the copper cable between the 4431 and the converter. I have set speed and duplex and also set autoneg; both return tons of CRC errors and runts, only on the input side. The carrier reports no errors on their side connected to the fiber port of the MC.

Could this just be a bad MC?



Random Question on VLANs and Tagged Traffic

I have a question about VLANs if anyone has a moment.

SITUATION:

- I have a network called Network1 on VLAN 20

- I have an AP on VLAN 5 broadcasting Network1

- The port on the switch that the AP is connected to is tagged with VLAN 20 and VLAN 5 and set to dual-mode.

- Then let's say we connect a device, DeviceA, to Network1 on that switch. The device is now on VLAN 20.

THEN

- I have a different switch that has all of its ports on VLAN 70. All ports are also set to dual-mode. We connect a device, DeviceB, via RJ45 into one of the ports on this switch. 

QUESTION:

If DeviceA is on VLAN 20 and DeviceB is on VLAN 70, how does DeviceA talk to DeviceB? Or rather, how does the switch handle this? Does the port for DeviceB need to be tagged for VLAN 20 as well, or does dual-mode handle this? Or does DHCP handle this exchange as a middleman, taking the message from DeviceA and sending it to DeviceB as untagged, thereby sending network traffic through the default VLAN, which is therefore allowed to pass through to DeviceB because the port is set to dual-mode?



Aruba AP-515 vs AP-535

If most of my clients are on a 5GHz network, is there any advantage to the AP-535 (4x4:4 on both radios) over the AP-515 (4x4:4 on 5GHz, 2x2:2 on 2.4)?

Should I just put the AP-535 in high density areas? I guess this would be a similar issue to those running the AP-315 and AP-335.



Research survey on cloud tech!

Hi folks,

It's me again, I'm doing research into what people find most concerning with cloud technology.

https://forms.office.com/Pages/ResponsePage.aspx?id=4OQOG2ZRykO0ZwI86bscxDUC1trecNlEhjBqRRDku_xUNlRJU0xOMlRGSFlEWlRTMU5LVDMwTVFWTC4u

Above is a Microsoft forms survey, it asks that you order the items from what YOU consider to be the most important down to the least important.

Now obviously you would try to prioritize these issues the same in the real world, but I wanted to see what people choose if they had to.

https://forms.office.com/Pages/ResponsePage.aspx?id=4OQOG2ZRykO0ZwI86bscxDUC1trecNlEhjBqRRDku_xUODVKUksySjEyRU9XTUxCR1FDUEQyN1QwMS4u

This is another survey asking whether you would actively search for cloud providers that were more green in their energy consumption.

Now obviously you can't get 100% green because of how expensive green technology can be but if a company made the effort etc.

Thank you for your time! :)



Network Adapter is not showing on network and internet settings.

Hi All,

I have connected my desktop using the Ethernet cable for my internet connection. Suddenly my internet connection disconnected and I am unable to see the Ethernet adapter in Network and Internet settings.

I have checked Device Manager and can see a yellow triangle with an exclamation mark on the Ethernet adapter under Network adapters.

I uninstalled it, rebooted the machine and tried to connect the cable to my machine. The internet is still not connected. I also noticed the same yellow triangle with an exclamation mark.

Additionally, I am also using VirtualBox on my desktop. Has the above issue occurred due to this?



Is it time to consider enterprise-grade core switches?

One of the networks I manage is based on Cisco SG200/500 switches. The two 500s are used as the core (they are also stacked), the other 8 200s are access floor/room switches. We started some months ago a complete recabling of the switch interconnections with SM fiber because the cables are aging and I got some suspicious error rates on some of them.

Putting it short, the core part is running out of SFP ports, and I don’t want to deal with fiber media converters… I also have the possibility to repurpose the SG500s in other environments, and the server will be upgraded next year with 10Gbit connectivity (maybe even more). I’m starting to look towards a full-SFP core switch, and evaluating if it's time to go with a truly enterprise switch like a Dell S4128F-ON for the core part. It would be nice to move most of the routing features from the firewalls (Ubiquiti ER-8) to the switch layer… what do you think about it? I know the S4000 series may sound overkill, but I haven’t found a cheaper alternative (with as many SFP+ ports) that makes me happy. I don’t have stringent requirements on routing features, but I really like the future-proofness of the ON series.



Trying to obtain an IPv6 address

So I recently switched my main internet connection to a cellular hotspot, but it seems like AT&T does not allow IPv6 connections on hotspots. My question is, since I still have my old DSL connection, is there any way to use that for an IPv6 address and have the speeds from the cellular? Sorry if this is a dumb question, but I'm constantly having NAT issues in games and VoIP servers.



Juniper - show monitor command output

Hello,

So I have come across this command today, show monitor interface, which shows the real time traffic passing through an interface. Here is an example:

Interface: ge-0/0/0, Enabled, Link is Up
Encapsulation: Ethernet, Speed: 100mbps
Traffic statistics:                                    Current delta
  Input bytes:    6793955454531 (1808 bps)             [12163]
  Output bytes:   5474030012928 (22672 bps)            [108889]
  Input packets:  11094661890 (4 pps)                  [261]
  Output packets: 11358524543 (5 pps)                  [453]

My question is, if the above link is 100Mbps, then how much traffic is currently consumed according to this? I'm guessing it's the 'output bytes', but not sure what "5474030012928" is: bytes, kilobytes, bits?

Thanks
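To make the units concrete, here is an added Python snippet (not from the post) that parses the show monitor interface output quoted above. It treats the large number as the cumulative byte counter since the last clear and the parenthesised figure as the current rate, which Junos already reports in bits per second, and divides that rate by the parsed link speed to get the utilisation for each direction.

```python
import re

# The 'show monitor interface' output quoted in the post, used here as sample input.
SAMPLE = """\
Interface: ge-0/0/0, Enabled, Link is Up
Encapsulation: Ethernet, Speed: 100mbps
Traffic statistics: Current delta
Input bytes: 6793955454531 (1808 bps) [12163]
Output bytes: 5474030012928 (22672 bps) [108889]
Input packets: 11094661890 (4 pps) [261]
Output packets: 11358524543 (5 pps) [453]
"""

UNIT_BITS = {"bps": 1, "kbps": 10**3, "mbps": 10**6, "gbps": 10**9}


def parse_speed(text):
    """'Speed: 100mbps' -> 100000000 (bits per second)."""
    m = re.search(r"Speed:\s*(\d+)\s*([kmg]?bps)", text, re.IGNORECASE)
    if not m:
        raise ValueError("no Speed: field in output")
    return int(m[1]) * UNIT_BITS[m[2].lower()]


def parse_counters(text):
    """Map 'Input bytes' / 'Output bytes' to (cumulative_bytes, current_bps).
    The big number is a running byte counter; the value in parentheses is the
    rate right now and is already in bits per second."""
    return {name: (int(total), int(rate))
            for name, total, rate in re.findall(
                r"(Input bytes|Output bytes):\s*(\d+)\s*\((\d+)\s*bps\)", text)}


def utilization_pct(text):
    """Percent of link speed in use, per direction, from the current bps rates."""
    speed = parse_speed(text)
    return {name: round(rate / speed * 100, 6)
            for name, (_, rate) in parse_counters(text).items()}


def human_bytes(n):
    """Render a cumulative byte counter in decimal units (1 TB = 10**12 bytes)."""
    for unit in ("B", "KB", "MB", "GB", "TB", "PB"):
        if n < 1000:
            return f"{n:.2f} {unit}"
        n /= 1000
    return f"{n:.2f} EB"


if __name__ == "__main__":
    for name, (total, rate) in parse_counters(SAMPLE).items():
        print(f"{name}: {human_bytes(total)} total, {rate} bps now")
    print("utilisation %:", utilization_pct(SAMPLE))
```

On the sample the output direction is running at 22672 bps, about 0.02% of a 100 Mbps link, and the counter 5474030012928 is roughly 5.47 TB transferred since it was last cleared.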



KG-175D random MAC addresses problem

Hello, on my enterprise network I have a KG-175D that has just been replaced and is spitting out random MAC addresses and tripping port security. I replaced it and this second device is also doing the same thing. Sometimes it's 50 MACs an hour, sometimes it's 50 MACs a day. Either way I do not know what the problem is and could really use some assistance.



I have a problem if I change from one ISP to the other. Why?

Hello guys, I have a problem with my internet connection which drives me crazy. I would appreciate any help.

I have a fiber connection from an ISP (let's call it ISP1). ISP1 supplied me a Huawei EchoLife HG8010H V2 GPON and a ZTE router. However, as ISP1 doesn't give me PPPoE credentials and there is no bridging in their router, I had to put the router in DMZ mode and direct all traffic to my pfSense (VM). This works. But I am not quite happy with double NAT.

So, I got a second fiber line from another ISP, ISP2, with the intention of dropping ISP1 altogether. ISP2 supplied me a NOKIA G-240G-C GPON and a ZTE router. As ISP2 gives PPPoE credentials, I put their router in bridge mode and entered the PPPoE credentials in pfSense. This also works.

Both connections (ISPs) are available at the moment.

Now, on to the problem. I am running Nextcloud + Collabora with Let's Encrypt certs (all as Docker containers on Unraid). While I am connected to ISP1, all works fine. While I am connected to ISP2, Collabora doesn't open in Nextcloud. The errors that come up are related to SSL certificates. However, both Nextcloud and Collabora work independently.

I am getting Letsencrypt certs as wildcard using Cloudflare plugin. Of course, when I change from ISP1 to ISP2, or vice versa, I change the static IP on Cloudflare DNS settings, accordingly.

More info:

  1. I don't know how to get into the Nokia GPON as I don't know the login/password. So I am not sure what the configuration of the GPON is.
  2. I turned off all security-related settings on the ZTE router.

Does anybody have any idea why this happens?



Friday, March 22, 2019

RPC EndPoint Mapper Traffic Cause

https://ift.tt/2U3tjpp

[Advice Needed]: Okta or Jumpcloud

Hi All,

I have just built a small development team who are all over the world and want to build some standard controls, they mainly use:

- Office 365
- Confluence & JIRA
- Google Cloud & AWS services

I’m wondering if anyone has compared Okta & Jumpcloud and what your thoughts were.

I basically need good MFA, policy management and user lifecycle control.

Appreciate your feedback.



[Q] Moving from MVPM/ MPLS network to public ethernet - SDWAN or IPSEC?

I've got 6 offices.

One of them contains two racks of equipment at one location. This would be our "data center" (big word for such a small closet, granted the server room is like 200sq ft, so I guess that's more than most small businesses).

Summary of what we have:

In our datacenter we have a L3 switch and two L2 switches for our core.

We have an Untangle UTM for end default routes. All the edge networks for the other sites point to our L3 switch currently.

Each site has a L2 switch, no routing capabilities. Internet is piped out from one location: traditional hub and spoke setup.

We utilize Citrix XenApp for most of our applications.

Reason for change:

Managed services are extremely expensive for what they are providing. We can improve our bandwidth by 10x and reduce recurring costs by over 50%. Uptime matters, bandwidth matters. We could potentially improve our uptime and reduce cost by having a failover route for when the primary network goes down. We are with CenturyLink (TW Telecom customer originally) and we seem to experience an outage that costs us half a day of production in one or all offices about three times a year.

We want to move from MPLS/ MVPN to each office having a fiber connection and a gateway. I am wondering if it will be cost effective to utilize SD-WAN, or if I should just skip it and look into Cisco ASAs and a UTM or just keep using Untangle at each branch site.

I would like to be able to have some sort of dynamic failover with 4G LTE or a cable connection for when backhoe bob strikes, but I am not sure how to plan for a failover using IPsec tunnels in regards to hardware. You can't have both tunnels active; you would have to turn them on after the primary tunnel breaks, and 4G LTE would give us a dynamic IP address which complicates the issue, especially if our core site goes offline for whatever reason.

Any suggestions here? I'm skeptical about using Untangle boxes at each site, but it would be a cheaper solution that also provides a UTM. If the one in the core site went down, I could roll another box up in 30 minutes or so with a spare server we have. If a branch goes down it's a 5-hour drive. I have had great success with whitebox Untangle builds over the last three years at other unrelated offices.



IOS-XE: Redundant VPN tunnels to cloud provider with BGP on top, best practices?

https://imgur.com/X8KMA62 <- Crude diagram of setup

Hi,

I'm hoping to use the power of the hive mind to tell me whether I'm crazy or not.

Sorry for the crude diagram, but I hope it illustrates what I'm on about, will try to be as concise as I can.

Requirements:
Establish BGP sessions over redundant VPN tunnels to Google cloud to provide automatic failover/failback in the event of a fiber cut
Tunnel 0 needs to establish over interface Gig0, Tunnel 1 needs to establish over interface Gig1.

On site office router is an ASR1001-x.
Gig0 is a public interface, static IP, default route pointing to the gateway of our fiber provider.
Gig1 is a public interface, DHCP IP, connected to a docsis modem.
Gig4 just represents the office network and any that reside behind it.

Office uses a very simple BGP setup to route internal networks over VPNs between several sites.
Said sites also use this main office to reach internal dev networks that reside in Google cloud.

Originally I set up a VTI0 tunnel to Google, set up BGP, the office router learns routes for Google cloud networks and advertises routes for networks at the other offices to Google, works well.

I've now been told we require a redundant path, hence the new docsis connection.

My thought process was basically this:
1. OK so I need to fire up another VTI, second BGP adjacency to Google, path prepend the docsis connection so it prefers the fiber and that should work.
2. But wait, The office router has a default route going out Gig0 so how will VTI1 come up over Gig1?
3. Ah yes! VRFs! Throw Gig1 in to its own VRF, configure BGP and then... oh... Now that's up but it's two separate routing tables, so no failover obviously
4. Route redistribution between VRFs? OK so make Gig0 VRF "fiber", make Gig1 VRF "cable", make Gig4 VRF "mixed"... redistribute routes from fiber and cable VRFs in to mixed VRF... and add all internal interfaces to mixed VRF?

At that point I began to doubt myself. I have a decent amount of networking experience, but it's not my main job role. I've done some research but feel like I'm going in circles a bit.
I understand a bit about how BGP works and the basics of how to make sure certain paths are preferred over others, but this is well outside of what I've done in the past.

I know the best answer is probably "hire a consultant that knows what they're doing" but regrettably that's not an option here right now.
I have more networking experience than others on my dev team, ergo I'm "the network guy", so it's on me to make something work, whether that takes me 4 hours or 4 days.

I've mucked about in GNS3 to get a proof of concept going, and I more or less have it working. But I feel like my multi VRF with redistribution setup might not be the best way to go about solving this problem, and I'm likely missing something much simpler.

Not looking for anyone to do my job for me, am just looking for general guidance here IE; "Yea, that's about the best way to do it" or "No you idiot, go read up on X and use that"

TIA for any suggestions



Cheapest way to create VPN tunnel without using Windows built-in features?

Hi,

So I have an office with 2 machines at one location and another machine at another. I'd like the one computer to be able to connect to the network at the other location. I really want to avoid using the built-in VPN feature of Windows. All three machines are Windows, so after doing some homework I've come up with possibly the following:

Spin up a Virtual Machine and install OpenVPN Access (comes with two free device connections for testing, but not sure how much that would screw things up making a Linux VPN Server in a VM on a Windows machine. Seems like the networking part would get a little tricky here with Virtual NIC etc).

There really isn't much more support unless you want to buy expensive networking gear that's basically overkill for our business. Just need to connect one machine to a network on two other machines in a Windows Environment.

Does anyone have any unique ideas I failed to look over / see on Google?

Thanks in advance!

TL;DR: Have two Windows boxes at one location and 1 Windows box at another location. Need to connect the one machine to the network at the office with the two Windows boxes.



Arista Layer 3 Leaf & Spine Design question?

Does anyone have the Arista L3 Leaf & Spine Design and Deployment Guide pdf? I am not able to find it anywhere.

Thanks in advance.
Your friendly neighborhood poop pusher.



I have an ASA 5585-X. Whats the closest thing I can replace it with so I can throw this into a dumpster fire?

Doesn't have to be Cisco.

Please help me throw this into a dumpster fire. I just need something to POC out.



Web interface for device configuration / management

Hello,

I'm looking for a application a user in this subreddit wrote, it was a basic web interface for managing configuration on Cisco devices, it simply listed them and allowed simple things such as changing vlans, hostnames, interfaces, etc. I remember them posting it in a thread in this subreddit in the last 2 years. I've been searching for the better half of 2 hours and can't find it. I remember it was hosted on github.



Career Fair Update!

Original post here: https://www.reddit.com/r/networking/comments/b31x3x/career_fair_for_5th_graders/

I thought I'd share my experience here in case anyone has a similar need in the future. Overall, the career fair went pretty well! I ended up just having the Meraki dashboard up showing my home network. I talked about the 2.4GHz spectrum, showed the kids the spectrum analyzer and location heatmaps and talked about things in your house that might degrade your wireless signal. We also connected to my phone's hotspot and looked at the signal graphs in NetSpot, then wrapped the phone in aluminum foil and watched the signal drop off. Just about every kid raised their hand when I asked about online gaming and we had a bunch of Fortnite, Minecraft, Roblox and Rocket League players. Everyone knew that low ping = good but didn't know what ping was, so we passed a ball student to student through the room and back and timed it with a stop watch. I had one kid drop the ball so we had to "retransmit" our packet. They kept wanting to repeat that and see if they could get a lower "ping"! Thanks again for all of your input!



Router lost all settings - how the hell does that happen?

So I was minding my own business when I got a call from my siblings that my server services were offline. I thought that was odd, as I was on it locally and there were no internet issues in my house. I started troubleshooting the most popular service that my family uses all the time, which has a history of weird connectivity issues with every update they push. Everything I tried resulted in failure, and I was resigned to a weekend of unfucking this...... and then I thought "I'll take a look at the router". I don't know why though. I'm the only one with physical access and the only one with the rather long password (kept in a key-bound KeePass database, a hilariously over-the-top encryption level for the task) ........ but it didn't work..... until I tried the factory login: admin;admin...... and it fucking worked. Uptime matched my last known reset, but all settings were gone.

How the hell does something like that happen?



Change VLAN-ID for just specific ports

I'm trying to remotely resolve someone misconfiguring a bunch of devices with the incorrect management vlan.

Our management subnet 10.111.222.0/24 is supposed to be vlan-id 15, so all devices with an IP in this subnet have to be configured for vlan-id 15 but someone changed a few devices and I'm seeing some of the switches MACs only on vlan 25.

Is there a way to rewrite vlan-id 15 on certain ports to be vlan-id 25 and not affect other ports/devices?

I'm working with a L2 HP 2530 and I don't have anyone on-site for remote hands otherwise I'd ask someone to connect two switches and I'd just untag vlan-id 15 on one side to another untagged with vlan-id 25, temporarily.

I can't change vlan-id 15 without taking down the wireless network, otherwise I would just do that.



Necessary open ports for business

Dear helpful people of reddit,

I’m currently trying to kick unnecessary open ports out of my workplace’s firewall. The workplace itself is a small shop with a lone macOS Sierra computer in the office. The office Mac is the only computer in the network (just used for accounting, emails, etc.).

I suspect that the Wi-Fi router came with prepared settings trying to make it as easy as possible for families, therefore making it a bit insecure for businesses. For example, ports for Kazaa and IRC were already open.

Long story short, I already compared the list of ports to the necessary ones for my router and for Apple.

What I’m struggling with are ports where I’m unsure whether they’re needed for a normal business workplace or not.

I compiled them in the following table:

Portname         Port                      Description
clients_1        UDP/TCP (1024 - 4999)     Ephemeral Ports
clients_2        UDP/TCP (32768 - 65535)   Ephemeral Ports
chargen          TCP (19)                  Character Generation
exec             TCP (512)                 Remote Process Execution
ftp              TCP (21)                  File Transfer Protocol
gopher           UDP/TCP (70)              Gopher
msp              TCP (18)                  Message Send Protocol
netware-ip       TCP (396)                 Novell Netware
nntp (SSL)       TCP (563)                 Usenet
npp              TCP (92)                  Network Printing Protocol
rap              TCP (38)                  Route Access Protocol
rlogin           TCP (513)                 Remote Login
rpc              TCP (135)                 Remote Procedure Call
rtelnet          TCP (107)                 Remote Telnet
server           UDP/TCP (5000 - 32767)    ?
sftp             TCP (115)                 Simple File Transfer Protocol
sqlserv          TCP (118)                 SQL server
talk             UDP/TCP (517 - 518)       Talk, NTalk
terminal server  TCP (3389)                Microsoft Terminal Server
tftp             UDP (69)                  Trivial File Transfer Protocol
unpriv           UDP/TCP (1024 - 65535)    unprivileged ports
uucp-path        TCP (117)                 UUCP Path Service
x400             TCP (102)                 Microsoft Exchange Service

I would really appreciate if you could give me your advice or point me to the right website!
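As an added example (not part of the post), the Python below parses that table and checks it the way a rule review would: which entries are entirely contained in another entry, how many distinct protocol/port pairs the list exposes in total, and which entries touch the well-known range below port 1024. The table text is embedded as the sample input; the overlap check is generic, so it works on any list in the same Portname / Port / Description layout. On this list the single "unpriv" entry already spans everything "clients_1", "clients_2", "server" and "terminal server" open, which is worth knowing before deciding what to close.

```python
import re

# The rule list from the post, used here as the sample input.
RULE_TABLE = """\
Portname Port Description
clients_1 UDP/TCP (1024 - 4999) Ephemeral Ports
clients_2 UDP/TCP (32768 - 65535) Ephemeral Ports
chargen TCP (19) Character Generation
exec TCP (512) Remote Process Execution
ftp TCP (21) File Transfer Protocol
gopher UDP/TCP (70) Gopher
msp TCP (18) Message Send Protocol
netware-ip TCP (396) Novell Netware
nntp (SSL) TCP (563) Usenet
npp TCP (92) Network Printing Protocol
rap TCP (38) Route Access Protocol
rlogin TCP (513) Remote Login
rpc TCP (135) Remote Procedure Call
rtelnet TCP (107) Remote Telnet
server UDP/TCP (5000 - 32767) ?
sftp TCP 115 Simple File Transfer Protocol
sqlserv TCP 118 SQL server
talk UDP/TCP (517 - 518) Talk, NTalk
terminal server TCP (3389) Microsoft Terminal Server
tftp UDP (69) Trivial File Transfer Protocol
unpriv UDP/TCP (1024 - 65535) unprivileged ports
uucp-path TCP (117) UUCP Path Service
x400 TCP (102) Microsoft Exchange Service
"""

# name, protocol(s), single port or "lo - hi" range (parentheses optional), description
ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<proto>UDP/TCP|UDP|TCP)\s+"
    r"\(?(?P<lo>\d+)(?:\s*-\s*(?P<hi>\d+))?\)?\s+(?P<desc>.*)$"
)


def parse_rules(text):
    """One dict per table row; the header and anything unparseable is skipped."""
    rules = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        lo = int(m["lo"])
        rules.append({
            "name": m["name"].strip(),
            "protos": frozenset(m["proto"].split("/")),
            "lo": lo,
            "hi": int(m["hi"]) if m["hi"] else lo,
            "desc": m["desc"].strip(),
        })
    return rules


def covered_by(rule, other):
    """True if every protocol/port that `rule` opens is also opened by `other`."""
    return (other is not rule
            and rule["protos"] <= other["protos"]
            and other["lo"] <= rule["lo"] and rule["hi"] <= other["hi"])


def redundant_rules(rules):
    """Rules that add nothing because another rule already spans them."""
    return {r["name"]: [o["name"] for o in rules if covered_by(r, o)]
            for r in rules if any(covered_by(r, o) for o in rules)}


def distinct_open_ports(rules):
    """Number of distinct (protocol, port) pairs the whole rule set exposes."""
    opened = set()
    for r in rules:
        for proto in r["protos"]:
            opened.update((proto, p) for p in range(r["lo"], r["hi"] + 1))
    return len(opened)


def rules_below(rules, port=1024):
    """Names of rules that open anything in the well-known range (< port)."""
    return [r["name"] for r in rules if r["lo"] < port]


if __name__ == "__main__":
    rules = parse_rules(RULE_TABLE)
    print("redundant:", redundant_rules(rules))
    print("distinct protocol/port pairs open:", distinct_open_ports(rules))
    print("rules touching ports < 1024:", rules_below(rules))
```

The count of distinct pairs is dominated by the two ephemeral ranges: everything from 1024 to 65535 on both UDP and TCP is open, which is 129,024 pairs, and the named services below 1024 add only 22 more.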



[Question] If A records for a domain take time to propagate, then why are subdomains available instantly after setting them?

For example, if I point my domain, let's say example.com, to address 1.2.3.4, then it can take a while for the change to take effect, up to 24 hours, yet when I make a subdomain, like sub.example.com, it's available instantly. Shouldn't it also take some time to propagate to other DNS servers?
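An added example, not from the post, that simulates the caching behaviour behind this: a recursive resolver keeps an answer until its TTL expires, so a changed record looks stale from that resolver until then, while a never-seen name has nothing cached and is fetched from the authoritative server at once. It also shows the one case where a new name is not instant, negative caching of an NXDOMAIN (RFC 2308), which applies when the subdomain was queried before it was created. The addresses are RFC 5737 documentation addresses and the clock is a logical one in seconds; both are constructed for the example.

```python
class Authority:
    """The zone's authoritative server: the only place the records actually change."""

    def __init__(self):
        self.records = {}

    def set_a(self, name, ip, ttl):
        self.records[name] = (ip, ttl)

    def lookup(self, name):
        return self.records.get(name)      # None means NXDOMAIN


class CachingResolver:
    """A recursive resolver (your ISP's, a public one, ...) that honours TTLs.
    `now` is a logical clock in seconds so the example runs instantly."""

    def __init__(self, authority, negative_ttl=3600):
        self.auth = authority
        self.cache = {}                    # name -> (ip or None, expires_at)
        self.negative_ttl = negative_ttl   # how long an NXDOMAIN is remembered

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0], "cache"         # served without asking the authority
        rec = self.auth.lookup(name)
        if rec is None:
            self.cache[name] = (None, now + self.negative_ttl)
            return None, "authority"
        ip, ttl = rec
        self.cache[name] = (ip, now + ttl)
        return ip, "authority"


def demo():
    """Walk through the scenario in the question with constructed addresses."""
    auth = Authority()
    resolver = CachingResolver(auth)
    out = {}
    auth.set_a("example.com", "192.0.2.1", ttl=86400)
    out["first"] = resolver.resolve("example.com", now=0)
    # The operator repoints the apex; the resolver still holds the old answer.
    auth.set_a("example.com", "192.0.2.2", ttl=86400)
    out["after_change"] = resolver.resolve("example.com", now=100)
    # A brand-new name has no cache entry anywhere, so it is fetched immediately.
    auth.set_a("sub.example.com", "192.0.2.3", ttl=86400)
    out["new_subdomain"] = resolver.resolve("sub.example.com", now=100)
    # Only once the old TTL has run out does the change become visible here.
    out["after_ttl"] = resolver.resolve("example.com", now=86401)
    # The exception: a name queried *before* it existed is negatively cached.
    out["nx_before_create"] = resolver.resolve("new.example.com", now=200)
    auth.set_a("new.example.com", "192.0.2.4", ttl=86400)
    out["nx_cached_after_create"] = resolver.resolve("new.example.com", now=300)
    out["after_negative_ttl"] = resolver.resolve("new.example.com", now=3801)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:24s} -> {result}")
```

The "up to 24 hours" figure in the question is simply a common TTL of 86400 seconds; lowering the TTL ahead of a planned change shortens the window in which resolvers keep serving the old address.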



Cisco announces the new 802.11ax access points



Help pricing a network switch I received.

I've received 2 working Allied Telesis AT-9424Ts/XP units from a business doing upgrades, and I'm wondering how much they are worth. The non-XPF models seem to go for 100-300 around eBay and the net. The /XP versions I have, which also have the XPF modules in them, I only found refurbished or out of stock everywhere, and generally 2000-4000 dollars. Is this right? And what is the reasoning? I'd like to sell them at a price they will sell at, and have a little more information on why before I list them.



Noob question: Why can't I access reddit on school wifi without first going to a different reddit client?

To get on reddit on my personal computer at school, I have to first open MSOutlookit, a non-official reddit client, and then I can open the official Reddit page. When I don't go to MSOutlookit first, I'm unable to get to Reddit.

P.S. I'm on Reddit during my free period, don't worry mom.



[Question] Failover internet setup, share connect with neighboring business.

I had this thought last week while our ISP was having trouble with a fiber line.

We have a different ISP than the business next to us. We use a local ISP while the neighboring business uses the cable company.

I had the thought of connecting our internet connections so we both have a backup: set up a failover device that would only use the other's Internet if the primary connection went down.

Given there is pavement between the two of us, I was thinking of something wireless. Both buildings are metal, so I would need something that can be mounted on the outside of the building, and PoE would be nice.

But I'm not sure how to go about this. My knowledge of networking is OK, but not great. No formal training, just tinkering on my own.

I tried to do some searching for a setup like this but just keep finding articles on why you shouldn't share your Wi-Fi with the neighbors.

Any suggestions from more knowledgeable folks?



Chinese VPN

Hello everyone!

Just looking for some advice, we have some sales guys that frequently travel to China. They are now asking to have VPN access to our sites in Europe.

We don't have a permanent site over in China (yet) so having a direct line from point to point isn't really an option. I know we could use services like express VPN etc but it needs to be kept above board.

What have people been using for situations like this? Really struggling to find much information on it at all.

Thanks!



Can you help me understand why/how DHCP is working on my network? Multiple VLANs, multiple DHCP scopes, and switch "ip helper-address" questions.

Alright, /r/networking. Help me out here. I'm usually pretty adept at networking, but I'm a bit stumped on this one. I was hired last year as IT Manager/System and Network Admin. The previous guy in my position had some really weird stuff set up that I'm working through, and a lot of it isn't up to standards. This might be one of them.

TL;DR: I'm trying to figure out what's telling my DHCP server which scope to hand out an address from.

Now, everything is working as far as DHCP goes, but I'm honestly not sure how. Here's the setup:

Windows Server 2012 R2 DHCP server, almost exclusively HP/Aruba switches. My Server 2012 box is running about 10 DHCP scopes. I'll focus on just a few of them:

Scope 1

- 10.1.0.1/16

- Pool 10.1.101.1-10.1.102.254

- Router 10.1.0.1

- DNS 10.1.2.1, 10.1.2.2

Scope 2

- 10.2.202.0/23

- Pool 10.2.202.2-10.2.203.240

- Router 10.2.202.1

- DNS 8.8.8.8, 8.8.4.4

Scope 3

- 10.2.204.0/23

- Pool 10.2.204.2-10.2.205.240

- Router 10.2.204.1

- DNS 8.8.8.8, 8.8.4.4

All three of those router addresses belong to the same two switches, which share them as VRRP addresses on different VLANs. For example:

vlan 204

name "204-WLAN_OSH_AUTHENTICATED"

ip address 10.2.205.253 255.255.254.0

ip helper-address 10.1.2.1

ip rip 10.2.205.253

vrrp vrid 204

virtual-ip-address 10.2.204.1

priority 254

enable

exit

exit

The "ip helper-address" there, 10.1.2.1, is my Server 2012 box running DHCP. That's the only IP address assigned to it. Other servers are also in the 10.1.2.0 range. The management interfaces of my network equipment are on 10.1.254.0. For example, the two switches sharing the VRRP addresses are HP 5606zl models on 10.1.254.110 and .115. My actual router/firewall is 10.1.254.245, which those switches have set as their gateway.

**The Question:**

What exactly is telling my DHCP server which scope to hand out an IP address from? Is it based on the virtual IP address of the VLAN interface on the switch?

So far I've just kind of left everything as-is, but I hate the way the network is currently laid out physically, and I'm going to be changing it up. Probably 3/4 fiber runs to other network closets in the building run to the 5406zl in my datacenter (10.1.254.110). The others run to the 5406zl in my largest network closet (10.1.254.115). Again, these two switches share all the VRRP addresses, including the primary gateway for most devices on the network, 10.1.0.1. There are two 1Gb fiber runs between the two switches running in LACP.

What I'd like to do is move away from the shared IP addresses between the two, and move all my fiber runs to a new pair of stacked Aruba 3810 16 SFP+ switches. I'm going to upgrade the link between the DC and network closet to 10Gb using LRM modules and that'll free up a fiber pair. I've already tested it and it's just waiting for me to switch to it. I'm going to move all my fiber links from the 5406zl in the DC to the 3810 stack. I'll take the fiber runs from the 5406zl in the network closet and patch them through the 12-strand fiber to the DC, again to the 3810 stack. I'll then replace the 5406zl in the DC with several stacked 48-port switches and link that to the 3810 stack with DAC cables. I'll then assign all those shared IP addresses to the 3810 stack appropriately.

I just want to make sure I understand how everything is working right now and that I don't screw anything up. Thoughts?
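What selects the scope is the BOOTP giaddr field: the switch acting as relay ("ip helper-address") stamps the request with an address of its own on the VLAN the DISCOVER arrived on, and the server picks the scope whose network contains that address. The following is an added example, not part of the post or of Windows Server: a minimal model of that selection using the three scopes above; the client MAC, transaction id and the VLAN 204 relay addresses used in the demo are constructed.

```python
"""Added example (not from the post): how a DHCP server chooses a scope for a
relayed request.  The switch configured with "ip helper-address" acts as a
relay: it copies one of its own addresses on the VLAN the DISCOVER arrived on
into the BOOTP giaddr field (RFC 2131) and unicasts the packet to the server.
The server then picks the scope whose network contains giaddr.  Scope data is
from the post; the client MAC and transaction id are constructed."""
import ipaddress
import struct
from dataclasses import dataclass, field

DHCP_MAGIC = b"\x63\x82\x53\x63"
GIADDR_OFFSET = 24   # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr come first
CLIENT_MAC = bytes.fromhex("001122334455")   # constructed
IPv4 = ipaddress.IPv4Address


@dataclass
class Scope:
    name: str
    network: ipaddress.IPv4Network
    pool_start: IPv4
    pool_end: IPv4
    router: IPv4
    dns: list
    leased: set = field(default_factory=set)

    def next_free(self):
        """Lowest pool address not yet leased, or None when the pool is exhausted."""
        addr = self.pool_start
        while addr <= self.pool_end:
            if addr not in self.leased:
                return addr
            addr += 1
        return None


def scope(name, net, start, end, router, dns):
    return Scope(name, ipaddress.ip_network(net), IPv4(start), IPv4(end), IPv4(router), dns)


SCOPES = [
    scope("Scope 1", "10.1.0.0/16", "10.1.101.1", "10.1.102.254", "10.1.0.1", ["10.1.2.1", "10.1.2.2"]),
    scope("Scope 2", "10.2.202.0/23", "10.2.202.2", "10.2.203.240", "10.2.202.1", ["8.8.8.8", "8.8.4.4"]),
    scope("Scope 3", "10.2.204.0/23", "10.2.204.2", "10.2.205.240", "10.2.204.1", ["8.8.8.8", "8.8.4.4"]),
]


def build_discover(mac: bytes, giaddr: str = "0.0.0.0", xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER; a relay increments hops and fills in giaddr."""
    relayed = giaddr != "0.0.0.0"
    header = struct.pack("!BBBBIHH4s4s4s4s",
                         1, 1, 6, 1 if relayed else 0, xid, 0, 0x8000,
                         bytes(4), bytes(4), bytes(4), IPv4(giaddr).packed)
    chaddr = mac.ljust(16, b"\0")
    options = bytes([53, 1, 1, 255])          # option 53 = message type 1 (DISCOVER), then end
    return header + chaddr + bytes(64) + bytes(128) + DHCP_MAGIC + options


def parse_giaddr(packet: bytes) -> IPv4:
    return IPv4(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])


def select_scope(packet: bytes, server_ip: str, scopes=SCOPES):
    """giaddr selects the scope.  0.0.0.0 means the client is on the server's own
    segment, so the address of the receiving server interface is used instead."""
    giaddr = parse_giaddr(packet)
    key = IPv4(server_ip) if giaddr == IPv4("0.0.0.0") else giaddr
    for s in scopes:
        if key in s.network:
            return s
    return None


def offer(packet: bytes, server_ip: str, scopes=SCOPES):
    """Lease the next free address from the selected scope and return the OFFER parameters."""
    s = select_scope(packet, server_ip, scopes)
    if s is None:
        return None         # no matching scope: a real server logs and drops the request
    yiaddr = s.next_free()
    if yiaddr is None:
        return None
    s.leased.add(yiaddr)
    return {"scope": s.name, "yiaddr": str(yiaddr), "netmask": str(s.network.netmask),
            "router": str(s.router), "dns": s.dns}


if __name__ == "__main__":
    # VLAN 204 relays with either its real interface address or the VRRP address;
    # both lie in 10.2.204.0/23, so the same scope answers.
    for giaddr in ("10.2.205.253", "10.2.204.1", "0.0.0.0"):
        print(giaddr, offer(build_discover(CLIENT_MAC, giaddr), "10.1.2.1"))
```

Because both the physical VLAN address and the VRRP virtual address fall inside 10.2.204.0/23, the scope match is the same whichever one a given relay implementation places in giaddr; the management network 10.1.254.0 matters only for which interface the server replies from.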



Unable to add printer to print server over VPN

Hello,

I have a VPN to a branch office that has some printers. It contains two printers: one was in the main office before moving over and works fine, but can't connect to our file share for scans; the other can be connected to via HTTPS, and you can ping it, but you can't add it to the print server. The VPN works fine for everything else, the ACLs are ip any, everything is no-NATed. Any ideas?



DIA broker

Can you guys and gals please recommend a broker that you've had good results with? Looking for DIA and transport. Small scale stuff.



HSRP

Hello,

We are looking at Cisco ASA for an internal firewall solution. I would like to hear how people feel about hsrp with two firewalls. We will be passing a lot of traffic on a few of these gateways such as SQL replication.

We would likely want to load balance and provide redundancy using HSRP... thoughts?



using nmap to return hostname, IP, and MAC addresses on a subnet?

I've been manually compiling that data, but one of our Linux guys told me to check out nmap. I've been playing with it all morning but I'm not well versed in Linux. I haven't been able to come up with a single command that will return each of those three things. Has anybody else managed to do this?



Cisco 2900 Series Routers Unable to Consistently Resolve NHRP Addresses

I have implemented two different Cisco routers at a site that have both run into the same issue. For a handful of spokes in the DMVPN "cloud" they cannot seem to automatically resolve the public IP address mapping for the private address automatically. I am having to manually go in to the tunnel interface and statically define the mapping. What is strange is that it is successfully mapping the addresses for around 80% of the locations and it isn't 100% consistent with which locations it is struggling. When this problem is occurring for a given location I will generally see an entry under sho dmvpn of:

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

4 UNKNOWN 192.168.1.10 IKE never IX

0 UNKNOWN 192.168.1.50 IKE never IX

0 UNKNOWN 192.168.2.10 IKE never IX

0 UNKNOWN 192.168.3.10 IKE never IX

Additionally, it has these entries for individual hosts on the subnet behind the DMVPN router that provides connectivity to the site. The workaround I have been doing to statically resolve for a site is under the tunnel interface:

tunnel 1

ip nhrp map 192.168.251.1 xx.xx.xx.xx (xx's represent the public IP address)

After completing this manual mapping, connectivity to the site works without issue. The primary symptom that brought this to our attention was users getting one-way audio between sites, because interestingly enough, the other side of the spoke does not have this issue (other than the user at the problem site complaining about one-way audio).

Any help or advice on this issue would be greatly appreciated.



Purdue has blocked all streaming services from their Academic buildings.

It's been making the news cycle in the academic arena. Apparently Purdue has decided to block all streaming services from their academic buildings. Some reasons listed for the decision:

  • Bandwidth is expensive (wut?)
  • 1 person streaming will consume the entire network bandwidth (Again...WUT?)
  • Professors want the students paying attention(News flash, students have ignored professors for centuries!)
  • 20% of the wireless users are still 2.4Ghz only(don't buy it) so they will not be migrating to 5Ghz

Reading more on the story from various sources makes me question the competence of their networking team.

Articles about the block:

Found this thread in here from a few years ago. This might shed some light on the issue as well.

All I can say is....wow.



[QUESTION] Is there any auto-backup switch?

I have two internet providers, let's call them X and Y.

I want "X" to be my main internet provider.
And "Y" to be my backup internet provider, just in case "X" fails or gets disconnected.

Is there any switch that can change my main provider to the backup provider automatically when it presents any failure?



Internal network Speed test tools.

Anyone have any pointers to good tools that I can install to give end-users a good way to test the performance of their VPN connection, or to remote offices that complain "things are slow" ?

I'm not interested in any external websites. I'm looking for some pre-rolled packages that I can drop on a server in my own data center, and give an easy interface for users to tell how their connection to the corporate network is doing. An open-source package that I could drop onto an existing apache server would be great. IIS would be possible too.

Any suggestions?



How to ? or What should i do?

Hello, I've currently been tasked with setting up a small business network of approximately 126 devices that include printers, laptops, and BYODs. We don't have a web server nor a large NAS, but I need to monitor all devices on the network and their traffic once in a while if needed. What tools could be useful for this task? And also, is there a tool where I could monitor the disk space of every computer in the building?



Ansible YAML vs Python

Hi guys,

I've recently started playing around with basic network automation. From what I've read we use Ansible as a script runner (veeeryyy simplified) and the Ansible itself uses the YAML as the command execution language.

I've also read about Netmiko which can use Python directly. So how about using Python with Ansible or using YAML to refer to Python scripts? Let's say I wanted to build a script that changes the access lists based on the VLAN interfaces that are on the device - I would try to use 'if then' conditions. Does YAML support such conditions or do I need to call a Python script within YAML?



How does DNA Center licensing work?

I have been getting quotes for Cisco 9200, 9300, and 9500 switches and they all come with (forced to buy) DNA center licensing. Would this licensing ~$500 per switch be all I need for DNA center? Or do I still have to buy DNA center separately with these switch licenses being like “adder” licenses?



Thursday, March 21, 2019

Ruckus Cloud Wi-Fi opinions

We’re in the process of upgrading and we’ve made the jump to Ruckus from a previous M brand.

So far, most things are similar, M had more controls but nothing that made me want to stay with them.

The one thing I found is via the Ruckus cloud mobile app, I can disconnect a specific client, but via the main web interface, that doesn’t seem to be an option.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



BGP filtering on Watchguard, using prefix-list

Hello guys.

So today I ran into an issue. I am creating a tunnel with Azure using a Watchguard firewall, and BGP is required.

The issue is with the BGP configuration on the Watchguard.

router bgp 64528

network 192.168.136.0/23

network 10.61.57.16/28

ip prefix-list AZURE_IN permit 172.16.224.0/20

ip prefix-list AZURE_OUT permit 192.168.136.0/23

ip prefix-list AZURE_OUT permit 10.61.57.16/28

neighbor 172.16.227.254 remote-as 64525

neighbor 172.16.227.254 activate

neighbor 172.16.227.254 prefix-list AZURE_IN in

neighbor 172.16.227.254 prefix-list AZURE_OUT out

172.16.227.254 is the Azure peer. The adjacency is established without issues.

However, this is actually filtering everything from the Azure side. The moment I filter the Azure peer "in" I don't get any routes at all, and neither does Azure.

If I leave only the "out" statement Azure receives my routes, but I receive everything from them and that is not intended.

I have tried a million ways. A prefix list denying specific networks didn't work either, tried with a route-map; pretty much anything I specify "in", I get no routes after.

This adjacency needs to be filtered for several reasons, to list a couple: I don't want some random Chinese app devs even receiving routes for systems that I use, and I don't like the possibility of asymmetric routing.

Thoughts?



Help with Modifying "Via" and "Contact" Headers in SIP Messages on Cisco Voice Gateway

One of our SIP trunks started giving us a one-way audio issue earlier today after previously working without issue. When I contacted the telco they said the reason is because a private IP address is showing in these two fields and it needs to be the public IP address. They say they do not know how it was working up to this point :) .

The SIP gateway is behind a firewall that is NATing its private IP address to a public one, but apparently this does not apply to the SIP messages themselves. I have taken my best guess at using regular expressions to change them but I can't get it right.

I need these two fields:

Via: SIP/2.0/UDP 192.168.19.6:5060;branch=z9hG4bKE157253B

Contact: <sip:##########@192.168.19.6:5060>

changed to reference public IP addresses instead of private IP addresses.

Any suggestion on specifically what I need to apply in the sip-profile? I have already modified some of the other needed fields but that was more/less handled by instructions provided by the telco.

This is a Cisco 2900 series gateway.
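As an added illustration (not the poster's gateway configuration and not Cisco sip-profile syntax), the rewrite the telco asked for can be modelled in a few lines: only the Via and Contact header values are touched, the branch parameter, user part and port are preserved, and a check reports which headers still carry the private address. The INVITE below is constructed; 192.168.19.6 is the private address from the post and 203.0.113.10 is a placeholder public address.

```python
"""Added example (not from the post or from Cisco): rewrite the host part of
the Via and Contact headers of a SIP message from the gateway's private
address to its public (NAT) address, leaving every other header, the Via
branch parameter, the Contact user part and the message body untouched.
The sample INVITE is constructed; 192.168.19.6 is the private address from
the post, 203.0.113.10 is a placeholder public address."""
import re

PRIVATE_IP = "192.168.19.6"
PUBLIC_IP = "203.0.113.10"              # placeholder from the documentation range
REWRITE_HEADERS = ("via", "contact")    # only the two headers the telco asked about


def _host_pattern(ip: str) -> re.Pattern:
    """Match the literal address only when it is not part of a longer dotted quad
    (so 192.168.19.6 does not match inside 192.168.19.60)."""
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def rewrite_headers(message: str, private_ip: str = PRIVATE_IP, public_ip: str = PUBLIC_IP) -> str:
    """Split the message at the blank line, fix up selected headers, keep the body as-is."""
    head, sep, body = message.partition("\r\n\r\n")
    pattern = _host_pattern(private_ip)
    fixed = []
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() in REWRITE_HEADERS:
            line = name + colon + pattern.sub(public_ip, value)
        fixed.append(line)
    return "\r\n".join(fixed) + sep + body


def remaining_private(message: str, private_ip: str = PRIVATE_IP) -> list:
    """Names of headers (request line excluded) that still carry the private address."""
    head = message.partition("\r\n\r\n")[0]
    pattern = _host_pattern(private_ip)
    return [line.partition(":")[0].strip()
            for line in head.split("\r\n")[1:] if pattern.search(line)]


# Constructed INVITE in the shape of the post's two headers; the user part is invented.
SAMPLE_INVITE = (
    "INVITE sip:15551234567@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.19.6:5060;branch=z9hG4bKE157253B\r\n"
    "From: <sip:15559876543@192.168.19.6>;tag=1234\r\n"
    "To: <sip:15551234567@sip.example.net>\r\n"
    "Call-ID: constructed-call-id@192.168.19.6\r\n"
    "Contact: <sip:15559876543@192.168.19.6:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(rewrite_headers(SAMPLE_INVITE))
    print("still private:", remaining_private(rewrite_headers(SAMPLE_INVITE)))
```

The check after the rewrite still lists From and Call-ID, which is deliberate: the example changes exactly the two headers the telco named, so anything else that carries the private address is visible rather than silently rewritten.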



Sustainability Case Study.

Hello everyone, I'm currently doing a case study on how IT systems improve the sustainability of a business that is built around IT services. This case study requires me to find someone in the IT business and ask them a few questions. If anyone is willing to help, here are my three questions.

- What does your business do, and what functions does your business contain?

- What ethical principles do you have in place?

- Are there any future challenges and opportunities?

Thanks in advance.



Setting up a new AP

I was going to set up a new AP but I can't decide between Unifi lite, pro, or LR. I just need enough to cover 40 feet ish. Main router is nighthawk r7000p



Sophos XG Firewall and Ubiquiti Switches / AP’s

Does anyone have experience deploying the Sophos XG UTM firewall as a layer three switch to manage Ubiquiti UniFi switches? I know UniFi switches only offer layer two, but from the reading I've done I can use the firewall as a layer three switch. We're a small business with ~15 on-site users, a few printers and a PoE-powered surveillance system.

My setup would be WAN -> Firewall -> Core Layer 2 10GB/s Ubiquiti US-16-XG Switch -> 2x US-48-500W access switches.

My connection between the access switches and core switch would be SFP+ 10GB/s using multi-mode LC fibre cable. I would have a LAG connection using two SFP 1GB/s over multi-mode LC fibre cable going from my core switch into the Sophos firewall. We have 1GB copper-coated coax coming into our building currently supplying internet from our ISP; this would link to the Sophos firewall through a single 1GB CAT6a connection.

I realize that my switches having a 10GB/s link and my core to firewall having a 2GB/s LAG link will cause a bottleneck but my boss is putting restraints on costs for this project so we will be purchasing an SFP+ snap-in module for the Sophos firewall in the future which should clear up that bottleneck.

I guess my main question is if Sophos plays well with Ubiquiti and how much of a headache will setting all this up be? Would I be better going with different switches or a different setup all together? Trying to cut costs without impacting performance too much.

Thanks for any input.



Dell switch redundancy

I have 2 Dell switches that I want to setup redundancy for and have some basic questions.

1) Will a simple LAG between the 2 switches provide redundancy if I turn on LACP?

2) Instead of a simple LAG, would an MLAG be preferable?

Only one switch at a time, per application behind them, will see traffic. But if the switch seeing the traffic fails, the traffic will automatically fail over per the application.

Downstream of the 2 switches will be an HA active/passive setup for firewall redundancy.

What would you recommend for this setup? Now that I'm typing this, I'm thinking my HA router pair, with port monitoring, will actually take care of it regardless. Lmk your thoughts. Thanks!



Route Filtering Question

I thought up a theoretical route filtering scenario today at work that I wanted to run by other folks. Any thoughts would be greatly appreciated because I haven't been able to find anything analogous online.

Suppose I have two eBGP neighbor routers, one in AS 65520 that I manage for company ABC and one in AS 65530 managed by company XZY. My router is redistributing the BGP into EIGRP and vice versa. I am filtering the routes I receive and send out with route-maps. So I currently have the following:

route-map EIGRP-BGP permit 10
 match ip address prefix-list ABC
route-map ABC-out permit 10
 match ip address prefix-list ABC
route-map BGP-EIGRP permit 10
 match ip address prefix-list XYZ
 set metric 10000000 100 255 1 9000
route-map XYZ-in permit 10
 match ip address prefix-list XYZ
ip prefix-list XYZ seq 10.0.0.0/16
ip prefix-list XYZ seq 10.1.0.0/16
ip prefix-list ABC seq 10.254.0.0/16
ip prefix-list ABC seq 10.255.0.0/16
router eigrp 100
 router-id 192.168.1.1
 redistribute bgp 65520 route-map BGP-EIGRP
router bgp 65520
 address-family ipv4 unicast
  redistribute eigrp 100 route-map EIGRP-BGP
 neighbor 172.16.1.2 remote-as 65530
  address-family ipv4 unicast
   route-map XYZ-in in
   route-map ABC-out out
   soft-reconfiguration inbound always

So this way XYZ sees 10.254.0.0/16 and 10.255.0.0/16 from me, and ABC (me) sees 10.0.0.0/16 and 10.1.0.0/16 in our IGP from the other organization.

What if I want to send XYZ 10.253.0.0/16 minus just 10.253.122.0/24 ? What if I want to accept 10.2.0.0/16 minus just the host 10.2.0.100 (so the same question inbound)? Is the only way to essentially accept a range of everything minus the one host (like 10.2.0.1 - 10.2.0.99, 10.2.0.101 - 10.2.255.254) or can you filter the one host in a more elegant way with a route-map or another mechanism I'm not familiar with?

Thank you in advance!
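Both this post and the Watchguard/Azure BGP post above come down to prefix-list matching semantics, so one added example (not code from either poster, and not vendor code) covers both: a small evaluator for Cisco-style "ip prefix-list" lines. It shows that "permit 172.16.224.0/20" with no "le" matches only a route of exactly /20, so more-specific routes from the peer are dropped by the implicit deny, and that a "deny" sequence placed before "permit 10.253.0.0/16 le 32" excludes a single /24 (or a single /32 route) from the /16. The prefix-list lines and received routes below are constructed; only the Azure and 10.x prefixes come from the posts. A prefix-list filters routes, so the /32 deny only has an effect if a /32 route for that host is actually advertised.

```python
"""Added example (not from either post): an evaluator for Cisco-style
"ip prefix-list" statements.  It demonstrates why an exact-length entry
admits only a route with that prefix length, and how a leading "deny"
sequence excludes one more-specific route from a wider "permit ... le 32".
Prefix-list text and received routes are constructed for the example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny) "
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$")


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str
    prefix: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        """The route must lie inside the entry prefix and its length must be in range:
        exactly the entry length when neither ge nor le is given, ge..32 with only ge,
        entry length..le with only le."""
        if route.prefixlen < self.prefix.prefixlen:
            return False
        if route.supernet(new_prefix=self.prefix.prefixlen) != self.prefix:
            return False
        low = self.prefix.prefixlen if self.ge is None else self.ge
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = 32
        else:
            high = self.prefix.prefixlen
        return low <= route.prefixlen <= high


def parse_prefix_lists(config: str) -> Dict[str, List[Entry]]:
    """Parse prefix-list lines; unnumbered entries get IOS-style sequence numbers (5, 10, ...)."""
    lists: Dict[str, List[Entry]] = {}
    last_seq: Dict[str, int] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable prefix-list line: {line}")
        name = m["name"]
        seq = int(m["seq"]) if m["seq"] else last_seq.get(name, 0) + 5
        last_seq[name] = max(last_seq.get(name, 0), seq)
        lists.setdefault(name, []).append(Entry(
            seq, m["action"], ipaddress.ip_network(m["prefix"]),
            int(m["ge"]) if m["ge"] else None, int(m["le"]) if m["le"] else None))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists


def evaluate(entries: List[Entry], route: str) -> Tuple[str, Optional[int]]:
    """First matching sequence decides; a list that matches nothing denies implicitly."""
    net = ipaddress.ip_network(route)
    for e in entries:
        if e.matches(net):
            return e.action, e.seq
    return "deny", None


def filter_routes(entries: List[Entry], routes: List[str]) -> List[str]:
    """Routes the list would accept, in the order received."""
    return [r for r in routes if evaluate(entries, r)[0] == "permit"]


# Exact-length entry as in the Watchguard post, and the same entry with "le 32".
AZURE_IN_EXACT = "ip prefix-list AZURE_IN permit 172.16.224.0/20"
AZURE_IN_LE32 = "ip prefix-list AZURE_IN permit 172.16.224.0/20 le 32"

# The route-filtering post's two cases.  The deny entries are exact-length, so a
# more-specific of 10.253.122.0/24 (e.g. a /25) would still be permitted by seq 10;
# add "le 32" to the deny as well if that is not wanted.
EXCLUSIONS = """
ip prefix-list ABC-out seq 5 deny 10.253.122.0/24
ip prefix-list ABC-out seq 10 permit 10.253.0.0/16 le 32
ip prefix-list XYZ-in seq 5 deny 10.2.0.100/32
ip prefix-list XYZ-in seq 10 permit 10.2.0.0/16 le 32
"""

# Constructed routes a cloud peer might advertise out of 172.16.224.0/20 (and one outside it).
AZURE_ROUTES = ["172.16.224.0/24", "172.16.230.0/23", "172.16.240.0/24"]

if __name__ == "__main__":
    print("exact:", filter_routes(parse_prefix_lists(AZURE_IN_EXACT)["AZURE_IN"], AZURE_ROUTES))
    print("le 32:", filter_routes(parse_prefix_lists(AZURE_IN_LE32)["AZURE_IN"], AZURE_ROUTES))
```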



IP Assignment with Aerohive APs (Using wrong VLAN)

We have 8 locations all using Aerohive APs with the same configurations across the board, but one of our locations is assigning IP addresses based on the native trunk vlan assigned to the port the APs are connected to (AFAIK). The switch ports for the APs are setup as trunk ports with the VLANs being used in our SSIDs as trunk allowed VLANs. None of our SSIDs are configured to use the VLAN that the clients at this location are being assigned. How do I troubleshoot this? I have checked all the locations to make sure the switch ports were also the same configuration.



network configuration

How do I set up my /etc/network/interfaces so that I get a route to the internet?

I have eth0.cfg under /etc/network/interfaces.d as well.



Most Common WPA2 EAP Methods - What's your preference?

I'm curious as to which EAP methods you guys prefer for wireless security; which are you currently using and why?



Would a failing backup battery cause TTL expiration?

We have a failing backup battery in one of our branches and users are unable to connect to one of our servers. Running tracert to that server shows that traffic is bouncing between two IPs, eventually causing TTL to expire.

Would a failing battery be likely to cause this or do you think it's a separate issue?



Rant!! Downed internet good ol centurylink!

Sitting here at work, got my ticket update

The greater Cleveland, Ohio area is suffering a massive outage; a construction crew that was digging up a manhole damaged a fiber bundle.

Fyi that's what I have heard from metro support. For those in the Cleveland area that are wondering. Unknown if this affects residential service as well.



Question about Cisco ISE (Authentication logs in Windows AD)

Hey /r/Networking

I'm hoping there are some Cisco ISE gurus in here that might be able to help me with an interesting problem I'm experiencing not with ISE itself but the authentication back end.

The scenario is pretty simple: there is a guest wifi that authenticates through ISE and drops the user onto the appropriate VLAN based on AD group membership. Simultaneously I'm collecting Active Directory logon events with a Fortinet FSSO collection agent which gathers logs from all AD servers in the environment. The user identity is used for logging/reporting.

The issue seems to be that although ISE authenticates these users to the domain, there are no logon events being generated in Active Directory. I believe ISE is tied into AD through RADIUS, but that should still produce a logon event when checking a password/user name against the directory (unless I'm wrong here?).

The other solution to this problem would be to use Radius accounting and have ISE blast accounting messages at the FSSO agent and learn user identity/IP pairings that way, but according to several articles that can't be done and I would have to have the physical WLCs send said radius accounting messages, which is nuts!

If someone could point me in the right direction or slap me if I'm on the wrong track it would be much appreciated!

Thanks in advance!

* There is a feature request on ISE:

Enhancement request for Cisco ISE to send RADIUS accounting messages (CSCvd83297) to Fortigate



Remember Terry Childs, the CCIE who hijacked the entire network of San Francisco?



DMZ question

Hey all,

Doing a little DMZ design work. Web server will be placed in DMZ. External users, DMVPN users, and LAN users will all need to be able to hit it. I was going to do this in a way where DMVPN users came into the firewall on the inside interface like LAN users and external folks obviously came through the outside interface. However, boss man wants to stop this split DNS thing we got going on and wants internal DNS to match public DNS. Due to split tunnel policy, DMVPN users can definitely come in hitting the public IP just like external users, but I feel weird about my LAN users trying to access the web server via the public IP. In fact, there are null routes on our core to prevent you from routing to our public blocks. I did not put that there but I know it would need to be taken out to make this work. Is there a reason why I shouldn't do it how the boss is looking to do it? We have two data centers (connected through fiber) and use AS path prepend via BGP to dictate the flow of traffic from the outside if it matters. Never really barked down this alley before so hoping someone wiser than myself can give me some advice. Thanks!



Cisco 2960x line. What's the IOS version you've had the most luck with regarding dot1x/MAB support?

I've been having issues where ports that are configured to use MAB and/or dot1x are failing to switch between them. I've set order to MAB>Dot1x, and priority Dot1x>MAB. However, devices aren't getting IPs when switching, and other connectivity problems are arising.

I suspected it could be an IOS thing, as this has been going on for a long time (but I just left out MAB unless it was needed per port), but we do need it to support some other functionalities of ISE authentication.

So, does anyone use dot1x/MAB with ISE (or Clearpass, I'm not picky) on 2960x Cisco switches and not have issues? If so, what version are you running, and what does your average dot1x enabled port config look like?



Confused with SNMPv3 and required configuration

I've been tasked with clearing SNMPv1/SNMPv2 and configuring all of our devices with SNMPv3. I'm slightly perplexed with how to go about this since I've seen numerous potential configurations online. I don't want to give too much power to our SNMP server (which is a SolarWinds server) since the only thing it really does outside of normal monitoring is perform configuration backups every night.

Is it safe to say that the following configuration is accurate?

ip access-list standard <ACL-NAME>

permit <SOLARWINDS-SERVER-IP-ADDRESS>

snmp-server group <GROUP-NAME> v3 priv access <ACL-NAME>

snmp-server user hasadmin has v3 auth sha <INSERT-PW-HERE> priv aes 128 <INSERT-PW-HERE> access <ACL-NAME>

I apologize as well as these questions might come off as stupid, but I simply would like to have a better grasp as to what I'm actually configuring here:

  1. Why do I need to specify an ACL for both the group and the user?
  2. What's the difference between using access or read when specifying the snmp-server group?
  3. Why do I need to specify the password twice when performing the snmp-server user command? Is this the same password?

I saw some other articles online referencing something like an engineID and so I'm just not sure where to get started.



Wireless site survey best practices

A few of us on our team have been tasked with learning how to perform wireless site surveys. We've been given, I'm told, one of the best tools for the task, Ekahau site survey. My question is what are the best strategies for walking a survey?



Palo Alto FW - easily get visibility on NCAA March Madness streaming

It's that time of year again! Use your PA firewalls to see how much and who is streaming all day! Just add in the custom applications found here: https://live.paloaltonetworks.com/t5/Community-Blog/Custom-App-ID-for-NCAA-March-Madness-2019/ba-p/254141

You could even use this tool to block the streams, but why would you?



Open-Source IPAMs VS Paid IPAM

I have seen that there are a few open-source IPAMs out there. What do you think would be the main differences between these and the ones available in the market? (InfoBlox, BlueCat, EfficientIP) Any highlights you give me for this research will be highly appreciated.

I am looking to get an IPAM for a large enterprise. What gives them value over free software?



Traffic/Packet Shaper alternatives

Hi,

we have a data center with multiple customers that use our shared internet breakout for their firewalls. We have an inline Packet Shaper (BlueCoat), that sits between the ISP-Router and the individual firewalls and controls the assigned bandwidth to each customer by IP-Groups.

E.g. customer A has 3 public IPs assigned, pays for 30Mbps and has a burst rate of 50 Mbps if the line is free. CusB has one server (IP) and 5/10 Mbps, etc. - pretty simple setup.

Our current solution needs to be refreshed, and for such a trivial function the estimated cost would be around 100k$.

What are you guys using? Are there any simpler/cheaper solutions?

Cause I think for our simple scenario with 300 Mbps Internet connection, maybe even an open source solution (server with 2 IFs) would be enough - if there is any.

I just googled a bit and stumbled upon "Open Traffic Shaper", but their documentation is a bit poor. I couldn't even figure out if it would be possible to use it in such a way (Layer2 transparent).



Downsides of home network on 44.0.0.0/8

I have a continuing problem where I've had to readdress my home network three times because my employer keeps crashing my address space.

I was addressed in 10.10.10.0/24, they stood up a 10.10.0.0/16. I moved to 10.35.9.0/24, they stood up 10.35.0.0/16.

The issue is that when I'm working from home and on the VPN back to work, their routes clobber mine and my home network goes unreachable.

So the last time they did this, I had the network guy reserve 10.21.0.0/16 as "Testbed" for my department and moved my home stuff under there. It's worked great since.

As of this morning, yep, no love, whole home network goes dark when I get on the VPN. Verified that the network manager stood up something that clashes.

There's 10.x, 192.168 and 172.16 type stuff on the work network as well due to a bunch of mergers and acquisitions, so anywhere on a private network is potentially going to get clobbered again.

While I had a friend tell me "I just use 2.0.0.0/8 at home because I don't care about France." I'm not comfortable just grabbing a public net range.

But there's this: https://en.wikipedia.org/wiki/AMPRNet

My HAM license expired, I have zero desire to do packet radio, and I run nothing at home that someone on AMPRNet would need to get to.

What is the downside of putting my home internal nets somewhere in 44.0.0.0/8?



BGP Multipath across eBGP and iBGP peers

Diagram: https://i.imgur.com/DRcmX84.jpg

I'm working with a pair of Cisco ASR1002hx routers that peer with an external IAAS ("Cloud") Provider. HSRP is used as the FHRP from the firewalls for now. The firewalls are not configured for any sort of dynamic routing, and it's another group that manages them, so that is somewhat out of my control.

We have a single 10G link connected from each router to the external provider, peering via BGP. If possible, I would like both of the links/routers to be sending traffic active/active at all times. I understand that return traffic load sharing is a different story and not concerned about that right now.

I tried turning on "maximum-paths eibgp 2" on both of the routers. Judging by the CPU jumping from 1% to 50% on both of them instantly, I realized I must have caused some sort of routing loop, so I removed it. It did show both (ebgp + ibgp) destinations in the RIB when I did this, however.

Is there any simple way to do multipath from r01 to both r03 (ebgp) as well as r02 (ibgp) without causing a loop?



Guest Network - ASA on a Stick

Trying to spin up a Guest Network at a remote office. We have an ASA5525X down to 2960Xs. Pretty basic.

Below is the ASA config I have in place

interface GigabitEthernet0/0

description INSIDE

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/0.1

vlan 100

nameif inside

security-level 100

ip address 192.168.100.1 255.255.255.0

!

interface GigabitEthernet0/0.2

vlan 200

nameif Guest_WIFI

security-level 100

ip address 192.168.200.1 255.255.255.0

!

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

!

dhcprelay server 192.168.100.12 inside

dhcprelay enable Guest_WIFI

!

access-list acl_guest extended permit udp any4 object Domain_Controller eq bootps

access-list acl_guest extended permit udp any4 object Domain_Controller eq bootpc

access-list acl_guest extended permit IP any4 Domain_Controller (tried this as well just as a test)

!

access-list acl_inside extended permit ip object Domain_Controller object Guest_WIFI

!

The switches are set up like:

Vlan 100

ip address 192.168.100.5 255.255.255.0

!

Vlan 200

no ip address

!

Trunk port to the ASA

The domain controller is set up with the scope. Wondering if I am missing anything here. Thanks in advance.



Limit Aruba 2540 PoE Output

Hi

We have quite a number of IP cameras connected to Aruba 2540 PoE+ switches that we're experiencing difficulties with. We've lost connection to quite a number of them and one had to be sent back to the manufacturer for repair.

When looking at the PoE status on one of the switches I'm finding that working cameras are drawing 1.9W per port and all the ones that I can't connect to are drawing 3.5W each when the port is configured with the default PoE allocation of "Usage". From the cameras' data sheet, they're "Power over Ethernet IEEE 802.3af/802.3at Type 1 Class 2 max 3.2 W".

When I change the power allocation to the ports connected to these cameras to "Class", the port status shows 0W being used and flipping between "Searching" and "Fault" for the detection status.

I'm suspecting that we experience power surges which are damaging the cameras and preventing them from telling the switch what device class they are, and so the switch doesn't know how much power to provide them.

My question is: if the PoE allocation is set to "Value", or manually configured to a range of 1-3W, would the switch not provide any more power than that, or are those settings simply telling the switch how much power to allocate to those ports for power distribution purposes?



Thinking about contracting on the side of my normal Network Admin job.

Anyone here doing that and how did you get started? Any pointers? What would you have liked to know getting started?



RDP Dropping over IPSec Tunnel, Cisco ASA over LTE Modem

Having an issue getting a new site turned up. We don't have a physical circuit yet (and won't for a few months) but we have a Verizon LTE modem we can use for our WAN for the time being. The issue is RDP traffic drops after a few minutes and takes upwards of 30 seconds to re-establish the connection, works for a few minutes, then repeats this cycle. Everything else (internet, file shares, ping, etc.) works fine. We have a request into TAC for assistance, but they haven't been much help up to this point.

Also worth adding that if we connect a laptop up to the LTE modem and connect to our Juniper VPN, RDP works fine. We are on the latest ASA software. We dropped MTU on the ASA to 1400 per recommendation of an associate of ours since the LTE adds some overhead to the frames, so I don't know if that could impact this.

Any help is appreciated. Thanks.



Streaming Telemetry - What are you monitoring?

I'm in the midst of getting streaming telemetry going in our network and beyond the usual stuff of interface counters, system level processes and BGP RIB route counts I'm beginning to wonder what else people are looking at with ST.

I'd love to hear some ideas on things to monitor!

Background/Setup:

We've been hearing about streaming telemetry from our Cisco SE for some time now but just getting around to looking at it as an augment to our SNMP polling/traps. Sub-5min res and the sexiness of influx/grafana combo is a draw for us. The biggest hurdle was getting the backend systems going and then figuring out the Cisco Pipeline configuration. Our setup is:

  • Docker swarm
  • 3 zookeeper containers
  • 4 kafka containers
  • 1 pipeline container
  • 1 influxdb container
  • 1 grafana container

Cisco XR devices configured to send to Pipeline. Pipeline is configured to send metrics to Kafka and directly to Influx (for now); we'll eventually have influx subscribe to Kafka topics for metrics. If anyone is struggling with the Pipeline setup, I'd be happy to lend some guidance on how I figure out how to translate from the GPB line format to Influx metric format.



Cisco DHCP snooping

Hi reddit,

I need to configure DHCP snooping on my existing network.

I'm wondering, if I enable it globally, would it affect my network in any sense?

Or if I enable it on a VLAN, would it cause any outage? Because the moment it is enabled on a VLAN, I assume all interfaces will be untrusted? So the requests being made at the exact time I enable it won't be responded to.

What would be the order to configure it?



Cisco ISE operational backups are massive

Our operational backups are increasing at a rate of 2 GB per month. Coming from ACS, our backups were increasing at a rate of 100 MB per month. Is there a way to find out the cause? Like to find out if the increase is only due to TACACS, and perhaps a way to remove a TACACS user account from the logs or backup?



PIM routing multicast

Hi guys,

We are testing out multicast routing for an upcoming project and have managed to set up DVMRP on some test switches but also wanted to try PIM. DVMRP was easy to set up but I can't seem to get PIM working.

We have three switches set up, linked via layer 3 point-to-point VLANs and OSPF. One is acting as the core and two are hanging off this as edge switches. We then have a separate VLAN on each edge switch to connect the multicast endpoints to. I have tried enabling various commands for PIM but can't seem to get the multicast routed. DVMRP works fine on this setup. I am using Alcatel switches so it is really hard to find any documentation for these beyond official config guides. Following the config guide I enabled everything I thought would be needed and still no joy.

I have enabled on each edge switch:

  • enable multicast globally
  • enable PIM sparse mode
  • enabled the point-to-point and end device IP interfaces as PIM interfaces

On the core switch:

  • enable multicast globally
  • enable PIM sparse mode
  • enabled the point-to-point and loopback IP interfaces as PIM interfaces
  • added the loopback IP as CBSR
  • added the loopback IP as candidate RP

When testing I can see the multicast sources on each edge switch but don't see anything on the core or receive anything from the other edge switch. I can see each switch as a multicast neighbour. I am new to multicast and have gone through a lot of guides, but most online stuff is for Cisco and the CLI style is totally different, so not of much help. I know Alcatel isn't very common.

Any help appreciated. Cheers.



Recommendation in an alternative to the old Codian MCUs

Hello everyone,

First of all, please let me know if this is not the correct subreddit for my question and/or point me to a more appropriate direction.

So long story short, I work for a big company that has been using the good old Codian MCUs (we have around 20 of them: MSE 8510, MCU 5420...) and they were (kinda still are) working flawlessly.

I am in the middle of a corporate war between clients that want a white glove service, network teams, tight budget, new technologies... that is driving me crazy as I am the one that has to act as the middle point between all these people.

We used to run those MCUs in the video-conference bridge where we managed (locally with on-site technicians and remotely with an operator on the bridge) all the meetings around the globe. We could dial from those beasts to anywhere and set up the meetings for our clients.

As they are now end-of-life, we migrated to these CMS for a more "self service" form to lower the cost, which is fine for most of the users but not for the VIP members (CEOs.. directors..).

So, my questions are:

- Is there any modern product that could replace those Codian MCUs with all its old features?

- As far as I know, Cisco only provides the APIs... is there any company that develops management software for those CMS to use them as a bridge service? For example: dialing to internal or external endpoints, so the client can just walk into the room and start the meeting.

I hope I could explain myself; apologies for the formatting and for my English, as I am writing this from my phone and English is not my first language.

Rastrojero.



Cisco Network Academy

Hey guys,

Can someone please explain to me the point of the Cisco Network Academy? I went through it at University (College for you American folk) and did like 4-5 papers. But I've since graduated and got a job in IT and now I'm doing ICND1 and ICND2 to get my CCNA and it basically feels like I'm just redoing everything I did in NetAcad? Does the Network Academy qualify me to sit a CCNA exam?



StaticIP SIMs for Mobile Devices.

As we all know, sometimes static IPs can be very useful for various applications. I'm looking for a new tool for the tool belt.

Mobile devices have brought technology and connectivity to a whole new level, but to my surprise, StaticIP is rarely available.

In my personal case, I am looking for such tech to act as a second Sim so I could use that static IP to connect to secured resources.

I have seen some, but I'm not sure what the best option would be.

I think this tech should be more prominent; it seems to have deeper reach than VPNs could, as this would be on the mobile network.



Security Protocols for a small business network

First off greetings to all of you, I'm hoping you guys and girls can provide some insight for my problem. As a project for my computer networking class in college, I've been tasked with creating a secure network separated into three different branches. The network must be able to securely communicate between branches and the internet while also being monitored by an administrator. As it stands I know most of the basic protocols that occur within a network but have no grasp of how to ensure security on the internet outside of things like SSL, HTTPS and the like. I've done some research of my own on things like packet labeling but most of it seems to revolve around transfer protocols. If it helps I could include my diagram of the network as it stands. Anything helps, feel free to ask questions as I tried to be as cut and dry as I could. Thank you for your time for those who read or respond to this.



Wednesday, March 20, 2019

Need some help clarifying something for me

I'll be honest, I've never done Router-on-a-stick or dealt with SVIs much. My enterprise exposure has been largely 65xx series and Nexus 7k series doing all the routing/switching integrated. Access switches like 3750s and 2960s were just trunked back to our cores and all routing done there. So I just want to get something right in my head while I'm working on CCNP troubleshoot at the moment.

In regards to running an IGP on DSWs and CSWs inside a network that have the various Layer 3 SVIs, if I trunk a pair of DSWs together and share VLANs across, the IGP instances will work across those trunks too, same as if I just had a pair of routers or 6500s talking to each other, correct? (Obviously assuming the IGP is configured right, either per interface or per instance.)

Is there any extra configuration, like setting up the IGP instance inside the VLAN data itself, that I should be aware of, or should I just treat the SVIs on the DSWs/CSWs as if they were routers linking to each other normally and be done with it?

I mean, the way I see it is, if you give the VLANs an IP address, put those on trunks between each DSW/CSW and their interfaces are running an IGP, it should work the same as if any routers were just linked together (assuming IP routing was running on the DSWs/CSWs).



[Palo Alto Networks/GlobalProtect VPN] CLI command to initiate/disconnect GlobalProtect Agent connection on GP for Windows?

I have several use-cases where I want to initiate a VPN connection using the GP agent and then disconnect at the end of specific tooling, such as RoyalTS connections, so I'd like some cli commands to call.

I've been idly scouring the internet here and there for a year looking casually but haven't found anything passively. Do any of you wizards have any magic words?



Routing Base on Active VPN Tunnel

I have a site that currently has 2 ISPs: ISP1, which is their main line (due to higher bandwidth), and ISP2. They both have static IPs. Currently when ISP1 goes down, the router flips over to ISP2, and when ISP1 is back active it flips back. They have a site-to-site VPN set up to a place that periodically sends files to them via the IPsec tunnel. However, it is only active on the Comcast connection.

ISP1 is sometimes flaky in terms of uptime, especially late at night when the other company is sending these files. I was wondering, if both ISP1 and ISP2 had IPsec tunnels established on their respective interfaces, would there be a way to set up routing on the other company's side to route to ISP2 if ISP1 is not active? They could do this manually, but the other company's current process is completely automated. Without looking into BGP, which is out of the question, is there a way to route based on link activity and say, after x amount of packet loss, route to ISP2? This other company is very hesitant to change that automated process, but their networking team is a little more flexible and able to make changes on their side to figure this out.

Any Ideas will help! Thank you!



My experience with Meraki

So a client of mine recently moved from Cisco/Palo Alto/Ubiquiti to all Meraki. They installed the gear and I configured it for them. In all it was about 30 switches, 60 APs and 20 "Security Appliances". Until this point I had only played with Meraki a little bit and didn't really have an opinion of it.

After this migration I can honestly say that I cannot believe anyone with even a slightly complex environment would use them. They seem fine for very simple installs but totally fall apart with anything even remotely complex. Some things they are supposed to support don't work (like changing the IP of outbound traffic from the default interface IP). It seems like every other thing I wanted to do wasn't supported. Need a PBF rule? Nope. Need a SNAT rule? Nope. Need a specific server to have a different IP than everything else for outbound traffic (like Exchange)? Nope (I plan to call support on this one though). The list goes on and on.

Another issue is some things would be SO MUCH FASTER if it had a CLI.

I also had lots of issues where the AP or switch would take FOREVER to actually take the changes I made. Sometimes it was fine but other times it would take several minutes. This adds up. It was also common for me to change an IP address of a device, then wait up to 10 or 15 minutes with no change, then change it to something different and change it back again and it would take it right away. Lots of little quirks like this.

If Meraki was less expensive I would probably be happy with them for what they are, honestly, but for the price I expected more. For the price of Meraki you can get lots of other truly enterprise brands, some of which even have GUIs that are easy to use.

Anyway, just wanted to share my experience for anyone wondering about how Meraki would do with something other than a 10 person branch office.



NMS/PRTG to Trigger Switchport Actions

Hi All,

We use PRTG heavily to monitor our network switches and have traffic thresholds set where needed to notify us when things aren't in a good state.

I have a use case where I need to disable one port and enable another if bandwidth on one of my devices dips below a certain threshold.

Have any of you set up a system similar to this? Where an alarm trigger in PRTG or your NMS will take action to either enable or disable another port? Basically having the alarm take corrective action for an issue.

What's the best way to approach this? Should I be using SNMP to trigger these corrective actions (enable/disable ports) on the Cisco switch? Can PowerShell or .bat scripts send SNMP triggers to a Cisco switch? I don't see much online about this at all.

Thanks!



IGT- Computer Operator Interview

I know it isn't the best place to post but it's the only place I'm sure to get an answer.

So I have an interview tomorrow with IGT for the role of a Computer Operator, which seems like a NOC role as I'll be working 12 hour days.

Anyone have experience working in this company or position? I just need some tips or things I should know.



Network Reconfiguration Scripting Challenge

My organization will be refreshing wifi with a different vendor, and the switchport configs will be slightly different. My challenge is to automate the reconfiguration of all wifi switchports across about 100 Cisco switch stacks. There is no consistency whatsoever as to what port ranges are used for wifi, so a simple 'int ran gi1/0/1-12' isn't going to get the job done. However, the wifi switchports all have exactly the same description ("Xirrus" — the rip and replace makes sense now, right?) and our existing WAPs use LLDP, so I have two easy ways to identify which ports I need to reconfigure.

I use simple Ansible playbooks and I have some very, VERY rudimentary skills in Python. What's the best way to create a process that identifies the appropriate switchports and applies a given config to each?

I'm currently thinking that this is a Python problem, and that I need to write a script which does the following:

  1. Run "show int desc | inc Xirrus" or "show lldp neigh | inc B,W,R"
  2. Somehow pull all the Gi#/#/# strings from the command output and put them into a list
  3. Execute a for-loop to apply the given config to each item in the list

And then obviously put that all inside a big for-loop to execute on each switch. The middle step there is the stumbling block right now.

Or is there some magical, easier solution?
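One way to build the "middle step" the post describes: parse the unfiltered "show interfaces description" and "show lldp neighbors" output, pull the Gi#/#/# names into a list, cross-check the two sources so a stale "Xirrus" description on a port that LLDP shows as a switch uplink is held back for review, and only then expand the per-port stanza. This is an added Python example, not the poster's code; all the "show" output is constructed and the replacement port config is a placeholder.

```python
"""
Find the wireless-AP switchports in Cisco IOS 'show' output and build the
per-port reconfiguration.  Added example, not the poster's code; the 'show'
output is constructed and the replacement port config is a placeholder.
"""
import re

# Short or long Cisco interface names with at least one slash, e.g. Gi1/0/12.
IFACE_RE = re.compile(
    r"\b((?:Gi|Te|Fa|GigabitEthernet|TenGigabitEthernet|FastEthernet)"
    r"\d+(?:/\d+)+)\b"
)

# Constructed 'show interfaces description'.  Gi1/0/3 carries a stale
# "Xirrus" description; LLDP below shows a switch behind it, not an AP.
SHOW_INT_DESC = """\
Interface  Status       Protocol Description
Gi1/0/1    up           up       Xirrus
Gi1/0/2    up           up       Xirrus
Gi1/0/3    up           up       Xirrus
Gi1/0/24   up           up       Uplink to core
"""

# Constructed 'show lldp neighbors' (W = WLAN access point capability).
SHOW_LLDP_NEIGH = """\
Capability codes:
    (R) Router, (B) Bridge, (W) WLAN Access Point, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
Xirrus-AP-01        Gi1/0/1        120        B,W,R           eth0
Xirrus-AP-02        Gi1/0/2        120        B,W,R           eth0
old-access-sw       Gi1/0/3        120        B,R             Gi0/1
core-sw-01          Gi1/0/24       120        B,R             Gi1/0/48
"""
LLDP_ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")

def iface_sort_key(name):
    """Sort Gi1/0/10 after Gi1/0/9 (numeric, not lexical), type first."""
    kind, nums = re.match(r"([A-Za-z]+)(\d+(?:/\d+)+)", name).groups()
    return kind, tuple(int(n) for n in nums.split("/"))

def find_ports_by_description(output, keyword):
    """Ports whose description holds keyword as a whole word (like '| inc')."""
    word = re.compile(r"\b" + re.escape(keyword) + r"\b", re.IGNORECASE)
    desc_col, ports = None, []
    for line in output.splitlines():
        if line.startswith("Interface") and "Description" in line:
            desc_col = line.index("Description")  # fixed-width column start
            continue
        m = IFACE_RE.match(line)
        if desc_col is not None and m and word.search(line[desc_col:]):
            ports.append(m.group(1))
    return ports

def lldp_neighbors(output):
    """Map local interface -> LLDP capability codes of its neighbour."""
    nbrs = {}
    for line in output.splitlines():
        m = LLDP_ROW_RE.match(line)
        if m and IFACE_RE.fullmatch(m.group(2)):
            nbrs[m.group(2)] = m.group(4).split(",")
    return nbrs

def select_wifi_ports(desc_out, lldp_out, keyword="Xirrus"):
    """targets: found by description or by an AP neighbour; review: the
    description says AP but LLDP shows something else, so hold it back."""
    by_desc = set(find_ports_by_description(desc_out, keyword))
    nbrs = lldp_neighbors(lldp_out)
    by_lldp = {p for p, caps in nbrs.items() if "W" in caps}
    not_ap = {p for p, caps in nbrs.items() if "W" not in caps}
    targets = sorted((by_desc | by_lldp) - not_ap, key=iface_sort_key)
    review = sorted(by_desc & not_ap, key=iface_sort_key)
    return targets, review

def build_config(ports, port_config):
    """Expand the per-port stanza for every target port (placeholder cmds)."""
    lines = []
    for port in ports:
        lines.append(f"interface {port}")
        lines.extend(f" {cmd}" for cmd in port_config)
    return lines

if __name__ == "__main__":
    targets, review = select_wifi_ports(SHOW_INT_DESC, SHOW_LLDP_NEIGH)
    print("reconfigure:", targets, "| needs review:", review)
    print("\n".join(build_config(targets, ["description NEW-VENDOR-AP"])))
```

The outer loop over switches and the actual command execution are left to the Ansible or Netmiko layer already in use; feed each switch's two "show" outputs to select_wifi_ports and push build_config's lines only for the targets.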



What do you use for a WAN Switch in a HA setup?

I have a requirement for a WAN switch to bridge two firewalls to one ISP handoff.

We don't want the ISP handoff physically touching anything internal so using a VLAN on an existing switch is out.

So basically I need a low port count (3) switch that I can trust to pass packets and not die.

Requirements

1) 3+ ports

2) L2 only

3) Gigabit Ethernet RJ45 ports

4) Trustworthy

5) Under $200 USD

I'm at a loss for the trustworthiness part. Unless I can find something that small and cheap with an OOB port to monitor it, we will basically be trusting it to not choke and die and just do its thing, but I feel like most dumb small port-count switches don't seem very reliable. I'm currently looking at the Cisco SG250 8-port

https://www.cisco.com/c/en/us/support/switches/sg250-08-8-port-gigabit-smart-switch/model.html#~tab-downloads

or maybe

https://dl.ubnt.com/guides/edgemax/EdgeSwitch_ES-8-150W_QSG.pdf

It feels like such a simple requirement but I guess I'm just having a hard time trusting anything that's cheap.

Can anyone spare an opinion?

Simple Draw IO Diagram

https://imgur.com/a/UOyoB37



Cisco IPSEC SA increasing "send error"?

Hi Guys,

I'm running DMVPN with an IPsec profile but currently having issues with connectivity from different sites. What would be the issue if IPsec is not encapsulating/decapsulating packets? I also noticed that "#send errors 17939" is increasing, with no change in the other parameters/stats.

Phase 1 is established.

sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr xxxx

   protected vrf: (none)
   local ident (addr/mask/prot/port): (xxxx/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (xxxx/255.255.255.255/47/0)
   current_peer xxxx port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 11102, #recv errors 0

     local crypto endpt.: xxxx, remote crypto endpt.: xxxxx
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Both local and remote addresses seem OK, same with the other side. Has anyone encountered this issue?

Kindly comment if you need more information.

Thanks



Can't communicate between VLANs (or even to any VLAN interface) from host machine using L3 switch.

Hi everyone, I'm a beginner in networking using GNS3 to simulate communication over VLANs. I've been stuck on this problem for a couple of days...

I have two PCs, one with IP address 192.168.1.1/24 and default gateway 192.168.1.100.

The other is 192.168.2.3/24 with default gateway 192.168.2.100.

They are both connected to an L3 switch (Cisco 3640) that has two VLANs configured:

VLAN 1: IP address 192.168.1.100/24
VLAN 2: IP address 192.168.2.100/24

Fast Ethernet port 0/0 is assigned to VLAN 1 and is connected to PC1. Fast Ethernet port 0/1 is assigned to VLAN 2 and is connected to PC2.

However, I can't ping PC2 from PC1 and vice versa. Even worse, I can't even ping either gateway from either PC (for ex. I can't ping 192.168.1.100 from PC1).

Any help is appreciated, thank you!

Images of topology, config, and ping attempt: https://imgur.com/a/yI0ohNl



Cat5 to Fiber and Back

This is probably a nooby question, but here goes.

I currently have two RAD ETX-203AX boxes that are set up to convert data traffic between Ethernet and fiber optic, using flows in the RAD boxes.

What I need to do is add another Ethernet port that will travel through the same fiber optic line and not share data with the original Ethernet data.

If this is the wrong subreddit, would someone please direct me to the correct one?



Visio template issue driving me crazy. Does anyone know how to make this stop?

I have a Visio template I have been re-using for a while. I'm not sure how, but when I create a text box to label something, there are these blue triangle "arrow heads" that always appear and, if clicked on, insert a rack into the drawing. There's an imgur link to the behavior that I'm talking about. Does anyone know what property of that object is inserting the rack and how to disable that? Every time I accidentally click in the wrong area, I get racks all over the page.

https://imgur.com/a/l7JjRW2



Switches on the roof, in a box, it gets oh so hot! Need recommendations

Might anyone share their go-to switch that's unmanaged or basic CLI and PoE+?

I need about 16 ports and 200 W per switch.

Right now I am deploying Netgear GS116PP in a box with a few fans (not AC) and temps can hit up to 110 outside.



Network Cabinet Extension

I'm doing a big network cutover for a customer and they have 19" deep wall-mounted cabinets. The new switches going in need 24" with the power supplies and fiber connections to be safe. I don't want to have to replace all the cabinets since they are 45 ft in the air. I've seen one manufacturer that sells 6" extension kits to basically replace the front door of the cabinet and allow the extra space. Has anyone else seen these kits before? I can only find a 12U cabinet size extension but these cabinets are 12U, 15U, and 18U.



Interview question about ACLs that I've never heard of before...

Let's say you have an IP range, for instance 192.168.0-192.168.100.

Is it possible to create an ACL statement that will permit only the even numbers in the third octet of this block? That is, 192.168.2, 192.168.4, 192.168.6 ... 192.168.100.

I have never heard a question like this before. And I was wondering if this was something that was possible using just the Cisco command-line syntax? Or is this something done with a script?

This was an interview question asked of a candidate. The interviewer (my senior network engineer) is more of a programmer, to be honest, and knows more scripting/coding than networking.
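The arithmetic behind the question, as an added example (not from the post): a wildcard-mask bit of 0 means "must match" and 1 means "don't care", so a single entry can only express an aligned block of values and "even third octet" is exactly the block with bit 0 of that octet pinned to 0. The code also generalises this into a greedy decomposition of any set of octet values into exact wildcard entries, which is what the 2..100 restriction needs; the extended-ACL line format at the end is an assumption.

```python
"""
Wildcard-mask arithmetic behind the 'even third octet' ACL question.  A Cisco
wildcard bit of 0 means 'must match' and 1 means 'don't care', so one entry can
only describe an aligned block of values; decompose() is the generic version.
Added example, not from the original post; the ACL text format is assumed.
"""
from ipaddress import IPv4Address

def matches(addr, ace_addr, wildcard):
    """True if addr is covered by an ACL entry '<ace_addr> <wildcard>'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, ace_addr, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

def third_octets_matched(ace_addr, wildcard):
    """Third-octet values x for which 192.168.x.0 matches the entry."""
    return {x for x in range(256)
            if matches(f"192.168.{x}.0", ace_addr, wildcard)}

def _subsets(mask):
    """Every value whose set bits are a subset of mask's (0 and mask included)."""
    s = mask
    while True:
        yield s
        if s == 0:
            return
        s = (s - 1) & mask

def _aligned_blocks():
    """All canonical (base, wildcard) pairs for one octet, with the values each
    one matches: base has 0 in every don't-care bit, values = base | subset."""
    out = []
    for wild in range(256):
        for base in range(256):
            if base & wild:
                continue
            out.append((base, wild, frozenset(base | s for s in _subsets(wild))))
    return out

BLOCKS = _aligned_blocks()

def decompose(wanted):
    """
    Greedy cover of a set of octet values by (octet, wildcard_octet) pairs,
    each matching only values inside 'wanted'.  Not guaranteed minimal, but
    every returned pair is exact, which is what an ACL needs.
    """
    wanted, remaining, entries = set(wanted), set(wanted), []
    while remaining:
        base, wild, block = max(
            (b for b in BLOCKS if b[2] <= wanted),
            key=lambda b: len(b[2] & remaining),
        )
        entries.append((base, wild))
        remaining -= block
    return entries

def acl_lines(entries, seq_start=10):
    """Render entries as extended-ACL source matches (line format assumed)."""
    return [
        f"{seq_start + 10 * i} permit ip 192.168.{base}.0 0.0.{wild}.255 any"
        for i, (base, wild) in enumerate(entries)
    ]

if __name__ == "__main__":
    # One entry covers every even value 0..254: bit 0 of the octet must be 0.
    print(sorted(third_octets_matched("192.168.0.0", "0.0.254.255"))[:5], "...")
    # Restricting to 2..100, as listed in the question, needs several blocks.
    print("\n".join(acl_lines(decompose(range(2, 101, 2)))))
```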



Routers

Hi, first post here. I don't know much about routers or networks in general. I've been having trouble connecting to my 2.4GHz network and the only other choice is the 5GHz which doesn't work as well because range obviously. None of the devices can detect 2.4GHz and I don't know what to do. I've tried looking up solutions and trying to disable guest networks and whatnot but 2.4GHz simply does not appear in my wifi list. Using 5GHz is a pain because of speed and furthermore it disconnects and reconnects every 5 minutes. We have tried resetting the router multiple times and even factory reset today but it was all in vain. Can anyone help me out? Thanks.



Non Profit ISP and Backhauls

Hello! I work at a rural non-profit camp and retreat center in Nebraska that sits right along I-80. We have an ever growing guest count and our DSL line just can't handle the bandwidth, and our staff average age is getting younger so the connected device count is going up. Currently there is only one hardline ISP in our area, with a cap at 20/10 for our needs. In the next largest town (about 15 mi away), they have an ISP that runs fiber with good speeds and all that; however, they basically blow off our calls.

So I'm looking at some new options. The first I came up with was to make an 'ISP' that would basically only service the camp and its onsite staff housing. I've done some research and given our size, fundraising for equipment is not entirely out of the question depending on how far the fiber needs to be run. However, I am worried about the potential legal issues and such as a non-profit.
Note: oddly enough we already have fiber running on the camp. I don't know exactly where, how, or who owns it, but it's there. We are not using it at all though.

So my questions are:
1. Is this idea even a good one?
2. What are some issues I should be aware of?
3. Are there other options that I'm not thinking of that would work better?
4. What are some good backbone providers to look at? I've been looking at Hurricane Electric.



Wifi site survey gear question

I've been doing some site surveys for the multiple buildings my company owns with Acrylic Wi-Fi Heatmaps and my onboard laptop wifi adapter. I'm looking to up my game as we run into more wifi interference issues in these buildings. Is there a step in between where I'm at now and purchasing an Ekahau Sidekick or an Aircheck G2?

I'm pretty sure I can get my company to spring for a few wifi adapters and a usb hub as well as a software license, but not that pricier hardware.



Is this correct usage of Secondary IP [ALU]

Trying to figure out if I'm using Alcatel's Secondary IP on rvpls correctly.

Telecom device is connected to ALU L3 switch via trunk and VL728.

SVI/rvpls is created and assigned 10.48.196.109/30. Switches are running OSPF, telecom device has static routing (default GW to 10.48.196.109).

The device has IP 10.48.196.110 and everything works as expected.

*****

There is a new requirement to add Virtual IP to the device to separate OM. Virtual IP is created within the device as 10.48.105.18.

Now am I correct using Secondary IP on the switch SVI side to allow communication?

I can see OSPF advertises the secondary subnet correctly and its GW .17 can be pinged, but not the device's 10.48.105.18.

Do I need anything else to make this click?

Thank you.

----------------------------------------------
interface "svi728" create
address 10.48.196.109/30
secondary 10.48.105.17/30
vpls "vl728"
exit
exit
no shutdown
----------------------------------------------

----------------------------------------------
allow-ip-int-binding
service-name "vl728"
sap 1/1/40:728 create
exit
no shutdown
----------------------------------------------

Route Table (Router: Base)
Dest Prefix[Flags]                            Type    Proto    Age        Pref
      Next Hop[Interface Name]                                   Metric
-------------------------------------------------------------------------------
10.48.105.16/30                               Local   Local    19h43m45s  1
      svi728                                                      0
-------------------------------------------------------------------------------

Route Table (Router: Base)
Dest Prefix[Flags]                            Type    Proto    Age        Pref
      Next Hop[Interface Name]                                   Metric
-------------------------------------------------------------------------------
10.48.196.108/30                              Local   Local    32d22h45m  1
      svi728                                                      0
-------------------------------------------------------------------------------



Update your PuTTY to 0.71 (Security Update)

In January an EU-funded bug bounty was put out to find bugs and security flaws in PuTTY. Based on the findings (i.e. they found major security flaws), they provided an update to PuTTY.

Download: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Changes detailed: https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

These features are new in 0.71 (released 2019-03-16):

  • Security fixes found by an EU-funded bug bounty programme:
    • a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification
    • potential recycling of random numbers used in cryptography
    • on Windows, hijacking by a malicious help file in the same directory as the executable
    • on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding
    • multiple denial-of-service attacks that can be triggered by writing to the terminal
  • Other security enhancements: major rewrite of the crypto code to remove cache and timing side channels.
  • User interface changes to protect against fake authentication prompts from a malicious server.
  • We now provide pre-built binaries for Windows on Arm.
  • Hardware-accelerated versions of the most common cryptographic primitives: AES, SHA-256, SHA-1.
  • GTK PuTTY now supports non-X11 displays (e.g. Wayland) and high-DPI configurations.
  • Type-ahead now works as soon as a PuTTY window is opened: keystrokes typed before authentication has finished will be buffered instead of being dropped.
  • Support for GSSAPI key exchange: an alternative to the older GSSAPI authentication system which can keep your forwarded Kerberos credentials updated during a long session.
  • More choices of user interface for clipboard handling.
  • New terminal features: support the REP escape sequence (fixing an ncurses screen redraw failure), true colour, and SGR 2 dim text.
  • Pressing Ctrl+Shift+PgUp or Ctrl+Shift+PgDn now takes you straight to the top or bottom of the terminal scrollback.


I'd highly recommend you update your version today.