I read this great teaser post a few weeks ago...
https://packetpushers.net/exploring-robot-framework-for-automated-testing/
...and it got me scratching my chin about the possibilities of having automated network tests. The article references the robot framework...just wondering if anyone does this currently and any examples or references I could build on.
Recently Cisco and Meraki have announced draft 802.11ax (WiFi 6) APs, the MR 45, MR55 and (Catalyst?!) 9115, 9117 APs.
My questions to everyone is, what's your experience deploying "pre-standard" APs? Is it worth it? Is it better sticking with tried and tested 802.11ac APs until the full 802.11ax standard is ratified or is there genuine benefit in jumping in feet first with this new gear?
For example, someone's deploying a brand new greenfield site next week, what's the best decision? No specific requirements, just want to know people's opinions.
I have about 30 workstations out of a 1000 that will not get a network connection. The remote networking people tell me the ports keep going into "err-disabled" mode after they're bounced. They say it's happening because a bad cable. I have replaced all cables, except the runs themselves. I have also replaced the desk/wall port. The only thing left is the cable run from the patch panel to the desk/wall port. These cables are bundled and some probably up to 250 - 300 feet. What is the best way to replace an individual cable in a bundle of them? Some go into the tiled ceiling, some go into the floor. Thanks for any and all help.
I've been working at a support desk for quite sometime and want to learn about the SonicWall firewalls since my company uses them for our various clients. Recently I was able to get handed a TZ 205w. While it's old itll probably be the best thing I can get my hands on. Where is a good place for me to learn the SonicWall GUI and stuff on firewalls in general?
Hello! I’m fairly fresh to the I.T. networking realm (senior in high school) and wanted to ask on my current idea of creating a secure and functional network that would be put into place for a bank (educational project). I appreciate any advice given and fully expect to be wrong in some areas! The main branch has 6 departments with a total of 203 IoT devices in 100 machines, 100 phones, and 3 printers and the auxiliaries have 4 with a total of 42 IoT devices in 20 machines, 20 phones, and 2 printers. In doing this I’m also trying to allocate space for expandability but not at the price of security.
My current plan is to have it sub-netted by department with the main branch being a class B and the Auxiliaries class C. The class B is more difficult for me to determine as of now but for the class C I have it set as
192.168.1.0/26 (0-63) = tellers 192.168.1.64/26 (64-127) = New Account Reps And etc on to the next branch which becomes 192.168.2.0/26 (0-63)
Would a class B of 172.16.1.0/18 be acceptable for the main branch? The main thing I’m trying to keep intact here as well is the expandability of the network with good security as well.
ACL’s are my main plan to segregate the network and obviously shut down unused ports where needed.
Lastly I can’t figure out what would be a solid switch and router to use. L3 Switches perplex me because some say that they can be used as a router as well removing the need for one completely? Is this a legitimate enterprise practice? Sorry if the questions are very newbish and this maybe being a longer post but I sincerely appreciate any advice!
Hey guys,
I would like some advice,
Our current ISP is having issues which to me looks like route flapping if i do a traceroute from our router i get the following:
Hop 1: 1 host
Hop 2: 2 Hosts
Hop 3: 3 Hosts
Hop 4: 5 hosts
Hop 5: 3 hosts
Hop 6: 6 hosts
Hop 7: 4 Hosts including Final Destination in one of the hosts
Hop 8: 3 hosts no final Destination
Hop 9: 2 hosts including Final Destination
My thought around the current situation is that for some reason their core swtiching like possible BGP routing is fucked? i could be wrong
As when you do an MTR on the route surely there should only be 1 host for each hop as the route should be learnt?
I work for a small WISP and we already have Observium monitoring our network ( I did not implement it). Currently our alerts only ID the devices using hostname, my boss wants the alerts to include the IPv4 address as well. So far I haven't been able to find anything in the Observium control panel, and google has not turned up any solutions either. Does anyone know if this is even possible?
Hello /r/networking!
I come to you today with a simple question that has been racking my brain:
Is it possible to route a public /24 network over a series of smaller /29 private networks?
Theoretically this setup would be done for a WISP via a handful of static routes, but I can't seem to answer my own question.
Say I have two physically separate networks that share a common subnet and I wish for a management PC to be able to talk to both networks on layer 2 but not for the two networks to combine. There would be no duplicate IPs and the networks would still function if connected.
What I'm thinking is some form of ACL that permits traffic to and from physical ports 1 and 2, and 2 and 3, but not 1 and 3.
Any ideas? Am I missing something obvious?
This isn't about whether one will ever need it. This is a general question, the answer of which I've been looking for as a curious CS grad.
Here's what I've learned from my research I have been doing for few days, after which I have by questions lined up.
PART 1 is about general load balancing with increasing number of connections
PART 2 is specific to persistent connections as websockets and Server-sent events
My concerns are in-particular to PART 2, so you can directly jump to that if you find it long.
PART 1 - general load balancing
Nginx is one of the many load-balancers available and is widely used. It can help in following ways:
- Small traffic, replicated servers for fault tolerance can be load balanced with servers referred by their IP address.
- Large traffic, multi-node/multi-server deployment where nginx handles the network requests and individual servers handle the CPU/DB operations.
However, there is a limitation on the number of connections which can be managed by the machine running the load balancer.
- RAM - this answer states that about 16GB RAM is required per million connections.
- Number of ports available - which can be handled by introducing virtual interfaces as the number of ports limit is 65535 per interface.
Still, this cannot handle large number of connections.
Another strategy is to have DNS based load-balancing which can region-wise distribute the traffic with the requirement of servers to be in sync and downtime as DNS cache update takes time.
Solutions like this one handle about a million clients on a single node, but I'm more concerned about a distributed system with enormous traffic.
What is the strategy services spanning multiple data-centers use to be available.?
PART 2 - for persistent connections
Persistent connections as SSE and websockets have redundant network operation on the load-balancer side as well as on the individual server. So I can think of two strategies
How would you recommend to solve this problem?
The association I work for passed a traffic contract with an ISP that has the usual burst limits, do you guys have a bandwith limitation in place for ingress traffic in your infrastructure ?
I've set up an HPE 1920-24G-PoE switch (JG926A) to authenticate against a Windows NPS server. Authentication is working fine, but authenticated users do not have manager permissions. I've set up a vendor-specific attribute as follows:
Vendor Code: 25506
Vendor-assigned attribute number: 29
Attribute format: Decimal
Attribute value: 3
Essentially the same NPS policy (aside from this vendor-specific attribute) works perfectly on my Procurve 26XX switches with aaa authentication login privilege-mode set.
Any ideas what's going on?
I apologise in advance if this isn’t the right sub for this. I’m completely new to networking bar replacing my ISP router with a separate modem and Ubiquiti Amplifi mesh setup so please excuse any misinformation or discrepancies in my post.
I’d planned an upgrade to the Ubiquiti SSG, gateway, switch, cloud controller and 2 nano AP’s however after trying to research my question online I don’t think these give me the functionality I’m looking for or whether it’s even possible.
I’ve done a little reading on VPN guest networks and can see in routers support DD-WRT that you can indeed have an ISP connection then a separate VPN connection.
Building in this, is this possible on the Ubiquiti platform?
Is there any home setup I could get that would allow numerous VPN guest networks? Ideally I’d like to have my ISP connection, a VPN connection based in the UK an another in the US and another based in Asia. However I’d be happy giving up the ISP / Asia connection and just having the 2 VPN connections if that’s possible?
Any help / purchasing advice is welcome. Based in the UK if that makes a difference.
I’m aware I could dedicate a VPN connection to a specific device but it would be easier if I wanted to change location to just connect to another network instead of going into each device to change the location, something very annoying on TV’s.
Hello everyone, I'm trying to implement SMTP protocol in java, a simple implementation. I've looked up some repos on github but all I've found were very large projects.
I wonder if you can guide me on what should I do? like a book suggestion or an online course? I want to be able to demonstrate my understanding of the protocol by writing a simple client and server that run on a local machine and send emails to each other.
thanks.
Dear All!
How can i do this?
Radius with eap-tls so i create certificates for devices. But i would like that the switch automatically configure the proper predefined untagged vlan on the port for the device: for example: VOiP phones should be in vlan22 Printers in 23 Clients in 24
I can administer the macs i would connect to the network. For example create a group of mac address (or part of the mac) and i say this should be in the vlan 23 then i upload the precreated certificate onto the device and i connect to a switchport.
Can i do it with MS NPS? Or please suggest a solution to me.
Thanks
I am on the Sprint network in a rural area and recently received a magic box gen 3. On the Pixel 2XL I am getting speeds of 70+ down. However on the R850 I am pulling 30 tops. I would like to move away from the R850 hotspot and dedicate the same sim card to a high powered modem/router. I am having trouble finding one that isn't priced above $200.
Are there any modems/routers that anyone has used to upgrade the reception of band 41?
So, I just bought a new home and I wanted to start a server room. The first items I purchased were UniFi gateway, 24 port switch and a surge protector.
It took me a while to get the internet working but I did it by copying what I read on Google which was OTS > WAN on gateway > WAN2/LAN2 to FIOS model/router and Gateway LAN1 to port 1 of the 24 UniFi network switch.
Internet works great when connected and I was even able to setup my Google Mesh network. However, I’m noticing hiccups when trying to setup certain things, the voice commands no longer works on my FIOS cable (it says not available) and apps like Amazon video opens perfectly but Netflix hangs (can’t sure if maybe that’s TV suddenly but voice commands on cable don’t work either)
Also while internet is fine, the globe is red on the FIOS modem/router.
Did I connect something wrong? The gateway wouldn’t connect to the intent unless I configured it this way. Oh and yeah I did download the software, update the divided, adopted them and all that stuff via the UniFi software.
I was thinking of building a navigation system for a building. Obviously GPS cannot be a solution for such small distances. I was thinking maybe if I could place some stand alone access points which could be detected by my app to determine the present location of the person and help them get to a specific place maybe downstairs or on the right or left wing of the building. Is there a solution to this? Maybe a set of Bluetooth or other wireless APs which could be detected?
I couldn't manage to find a standalone AP. All links directed me to be using Raspberries but it would be costly to set up dozens of them. A few links on further information or direct links to products is what I'm basically looking for. We are not a huge organization and so cost really does matter. If an AP has a range of 50 meters, I'd need around 40 of them. So please consider the cost it would take.
So today I got rejected for an offer in a mid-size company as a network consultant. I am currently working in a large ISP as a network analyst/consultant and I feel like the progress is super slow, all the nice projects are given to the same people, mostly CCIE level people or just manager's ass-lickers. I'm not sure what should I do. Look for a smaller company and keep learning on my own, or stay there at the ISP because of the good benefits and salary.
So we all know about "stingray" type devices that are essentially man in the middle cell phone towers that attempt to get clients to connect so they can spy on them while relaying traffic through to a real tower. I read that these have to be registered with the carrier who owns the end tower in the US now in order to be legal.
I'm curious though, are there any legal issues with running a cell phone site that doesn't connect to any carriers?
Assuming that is legal, is it technically possible to run your own cell phone site that also routes traffic through an internal network including out to the internet?
There are two goals I have. One would be to get cell phones to connect to this site and then prevent them from routing out to the internet. Essentially a "jammer" that isn't actually interfering with anything and is following RF laws and protocols. The signal would be so low that only local cell phones would get a strong signal and therefore attempt connecting, in theory. I don't know how most clients deal with this, is an "on network" cell tower with low signal still favored over a much higher signal that is "off network" and potentially even unknown in terms of the operator?
The second goal is to take this idea further and still allow some internet or other network access while not allowing many other services like texting, certain sites like Facebook, etc.
How legal are these concepts and how technically challenging would it be to achieve for LTE as an example?
Is the main obstacle going to be legal transmission on these frequencies? I assume cell repeaters like you can buy from carriers are just amplifiers but these still transmit on the same frequency right? How is this legal, is there some amplification loophole?
Hi, Would like to ask if why I cannot reach the site B SVI from A though I can learn its mac address completely?
Simple topology:
Site A(TAG 10) --------PE1(match10)------XCONNECT------PE2-----SW(ASR920)-------SITEB(SVI TAG 10)
https://imgur.com/4jfGtiZ -> diagram
From Site A, i can reach the Pe1 BVI and SW BDI (bidirectional) but Site B ip cant be reach from all test IP though mac address can be learn.
PE1 (Routed pweudowire to test the circuit): interface BVI99 vrf test ipv4 address 10.9.9.1 255.255.255.248 bridge group BGI10 bridge-domain BDI10 interface GigE0/2 neighbor 2.2.2.2 pw-id 1111 routed interface BVI10
PE2 interface GigabitEthernet0/0.10 encapsulation dot1Q 941 xconnect 1.1.1.1 1111 encapsulation mpls mtu 1500
SW port facing PE2 int g0/2 service instance trunk 100 ethernet encapsulation dot1q 2,941 rewrite ingress tag pop 1 symmetric bridge-domain from-encapsulation SW port facing Site B interface GigabitEthernet0/1 service instance 941 ethernet encapsulation default
Only issue pinging site B 10.9.9.4
Thank you
What is a good Practice Exam for the CCNA cert? I have the Pearson Test Prep app, but I don't think it is particularly that good...
Im getting some major packet loss in just fortnite, everything else is good Wifi. I use ethernet but this happened without ethernet too. this all started at the beginning of season 8. I`m pretty sure the issue is Fortnite itself, and I`m not the only person with this exact 30 packet loss at least twice a minute. very annoying. Its unplayable and as a competitive player it does effect me largely. I have a video of it if you want to see I can dm.
I have tried everything ive found online, except get a new router. reply asking for more details if needed. thanks.
already posted in tech support 6 times got barely any responses. I`m tired of this internet issue and I need this shit fixed for future tournaments.
Hi all,
I have a /24 that I am announcing with Vultr. I am using BIRD on a Vultr instance to route the entire /24 to my instance.
I can easily add IP's from that prefix to my Vultr instance and ping them remotely.
Now, if I wanted to begin subnetting my /24 into smaller slices, what is the recommend method to do so on Ubuntu 16.04? For instance, if I wanted a /29 from that /24 I would need a network IP, gateway and broadcast IP in that /29. What is the proper methodology to do assign this on Ubuntu or even pfSense?
Thanks!
Hi everyone,
I'm wondering if anyone has any resources for learning more about IOS. Not the networking aspect, but the OS and facilities aspect, like backing up your config, loading a config from a TFT server, etc. We barely touched these topics in my three years of college and I would like to have a better idea of what there is in IOS outside of the network configuration stuff.
We're running into more need for a consistent national (US) and sometimes international remote hands partner for SD-WAN endpoint placement, managed wifi/switch installs, MPLS and DIA CPE, demarc extensions, etc.
Back in the day I used to contract for https://www.fs24-7ltd.com/ but I don't know what this landscape looks like nowadays. I've reached out to the top handful of "remote hands" google searches as well, but I'm wondering if anyone here would be willing to share their experiences.
Our company uses android tablets to track driver activity. Recently customers have been calling about navigation accuracy issues through 3rd party Maps app we use in our software. When this happens, the blue dot is miles from where the driver currently is and it keeps saying "searching for gps". Uninstalling latest updates to Maps sometimes corrects this but not always.
can anyone tell me if this direct connection is supported.
server has 10Gbps CNA network card and the tape drive supports up to 8Gbps fiber channel.
Can i make a direct connection from server to tape drive using SFP+ transceivers in the server and OM1 or OM2 optical patch cable?
Hi all,
I have minimal experience with Cisco outside or reflashing APs and configuring them. Recently I landed a client and until we get them into a better firewall I have to administer their current one a Cisco asa-5506-x. It doesn’t have adsm enable and I can’t seem to find the image to enable it.
Anyways, I’ve scoured the net trying to find out to do a port forward that source locks to our office. I’ll list the players and someone can hopefully help I’m regards to how to make it work and I’ll list what I’ve done.
Our wan ip (not actual) 777.777.7.7 Their external IP 555.555.5.5 Internal server ip to RDP to 192.168.1.1 Desired external facing port 33891 Redirected port 3389
I’ve tried the following command with no luck
Access-list inbound extended permit tcp host 777.777.7.7 host 555.555.5.5 eq 33891
Then I tried the following command in config mode and exec mode and got incorrect parameters with the highlight carrot
Static (inside,outside) static (inside,outside) tcp interface 33891 192.168.1.1 3389 netmask 255.255.255
I entered that as a separate command and got the error.
Is there anyone out there who can help?
Thanks a million
Say you have three separate layer 2 domains (Availability Zone 1, 2, and 3) with VLANs 0, 10, 20, and 30 in use on them. You have linux nodes in each domain tagging all packets, i.g. eth0 = VLAN 0, bond0 (eth1, eth2), and bond0.10, bond0.20, and bond0.30. The nodes in the three domains share the same IP address subnets, i.g. VLAN 0 = 10.0.0.0/24, VLAN 10 = 10.0.1.0/24, VLAN 20 = 10.0.2.0/24, and VLAN 30 = 10.0.3.0/24.
1) How do you send packets to one of the nodes in the other domain? Since they all share common subnets, how will Linux know to route packets through a gateway interface to the other domains? Furthermore, the ARP table for one domain won't have MAC addresses for IPs in the other domain... they won't share broadcast domains. So they can't talk to each other right?
2) If you are able to send packets to the nodes in the other domains, do the VLAN headers get stripped when they cross the gateway?
If I understand things correctly, we need VPLS to connect the three separate layer 2 domains into a single broadcast domain. Yes? Are there other ways, i.g. GRE or MPLS tunnels?, to join these into a single broadcast domain?
Looking for help from someone who has successfully got a site-to-site working with a PA firewall to AWS. I have been trying to get this to work for the better part of the week and just cannot get it working.
I can get the tunnel up but the traffic is not passing. I cannot ping the AWS server from corp network and from AWS cannot ping the corp network.
Cisco Nexus switches have a checkpoint feature that does not exist in CatOS and IOS to my knowledge... what's the difference between saving a checkpoint and exporting the running-config? When would I do one versus the other?
Probably it's best both save a checkpoint, and export the running config before making any changes you would think?
We have ~10 branches behind cookie-cutter Cisco ISRs on IPsec to our hub PA appliance.
These are small offices of no more than 15 users with minimal traffic loads. Mostly HTTPS and SMB.
I don't need to turn 4 commodity links into an MPLS-quality connection at each site. I don't need sub-second failover or WAN optimization (strictly speaking--I could probably benefit from it, but it's not a hard requirement).
My main goal is to simplify deployment and management.
Also interested in adding link failover/diversity (e.g., LTE) where it would be cost-effective. Anything else is nice-to-have but not required.
I hear good things about Silverpeak and Cradlepoint, but I'm not sure if those represent deployments that need more features and horsepower than our use-case.
Should I consider some vendors over others, given our requirements?
I have a standard VS profile that is an LB for a pool of workers inside a Kubernetes ingress point.
SSL terminations happen in K8S so this VS literally just listens on 443 and round robins to a pool of 5 workers.
Test connections to a minio server inside K8S work fine from one source test Mikrotik but not the other. Both MTKs sit in the same test datacenter and follow the exact path across the WAN to the VS. The only difference between the two is that the failing (connection timing out) test modem sits behind a device that artificially adds latency to the connection to simulate satellite connectivity.
TCP dumps on workers and F5 show the F5 is issuing TCP resets to this source host.
I'm not familiar enough with F5s to know exactly what needs to be tweaked to make this VS more tolerant to high latency connections. No http profile applied to this VS.
Any help would be appreciated.
Can someone tell me how this conversion works? I was reviewing alarm thresholds set by our network admin in PRTG and I saw his calculation for Gigabit per second to Kilobit per second was strange. It began to make me question my understanding of data rate and network speed.
He pointed me to this website http://endmemo.com/convert/data%20transfer.php and proved his point through this calculator. Of course, I still was not convinced since the conversion did not explain why/how it was calculated.
The website's result for a ethernet (10Gb) are as follows:
ethernet (gigabit): 10
gigabit/second (Gbps): 9.313226
kilobit/second (Kbps): 9,765,625
Please tell me im not crazy to think that a 10Gb circuit that our ISP is providing = 10Gbps = 10,000,000Kbps
I'm hitting the tail end of rolling out a bunch of new Cisco SG250s and integrating some 2960s at 15 or so sites. We've also rolled out wired 802.1x. I'm in the process of re-thinking my monitoring, which has pretty much consisted of a few SNMP traps and ping alarms. I was wondering if I could get opinions on what you folks are using.
Basically I'm just looking to monitor changes on ports, unexpected MACs etc. We've had trouble with folks trying to plug in random junk in the past.
I'm currently evaluating ManageEngine OpUtils and have also evaluated PRTG. I'm not a huge fan of PRTG's per-sensor licensing model and visual aspect. Oputils seems to be more what I'm looking for. However I'm just playing pretend network admin since my company doesn't have one yet. I'd be grateful for any more seasoned opinions.
Hi,
See this diagram: https://imgur.com/0xaL42N
I am not very good regarding IPSEC and routing between IPSEC.
The goal here is to eliminate the two IPSEC tunnels going to 10.0.51.0 and the 10.0.0.0 networks directly from the .168 network. We want to go through the .101 network and be routed from there to 10.0.0.0. The tunnels are all up already, except the .168 talk directly to 10.0.51.0 and 10.0.0.0.
I have not had any good experience with trying to route traffic over IPSEC that is coming from another IPSEC tunnel.
You guys have any good ideas how?
I have another idea to implement a IPVPN connection from .168 to .101 site instead. That way there will be no IPSEC to route over, just normal routing.
Thoughs, opinions?
Yesterday I was having trouble turning up an IPSec connection between R1 and R4 in this topology.
The issue was the certificate sent by R1 produced a ~2200 byte datagram fragmented into two packets of 1500 bytes and 700 bytes.
R3 had a bogus MTU[1] configured on its upstream Ethernet interface, was dropping "oversize" frames on ingress.
Eventually I managed to get R3's interface reconfigured, but before that was possible I decided to test by setting ip mtu 1400 on the relevant interfaces of R1 (IOS-XE 16.6.2) and R4 (IOS 15.6M). I expected this configuration to cause both of those routers to fragment their traffic differently (1400 bytes and 800 bytes), and the certificate exchange to survive the trip through R3.
That is not the behavior I observed. A sniffer near R2 still showed 1500 byte packets originated by both R1 and R4 after the change to their interface MTU.
Am I missing something obvious about the ip mtu interface directive and control plane traffic?
[1] Please don't bicker with me about MTU vs. MRU at R3. The device in question only has one lever and it's labeled MTU. Curiously, R3 had no problem transmitting R4's large packets, even with the small MTU configured. The MTU setting seemed to only make a difference in the receive direction. <shrug>
This happened on Wednesday night and while everything is now back up and running, I’m going to have to explain why it took so long to restore and I genuinely don’t have the answers. The network guy is on vacation, so I had to step in and help. I used to call myself a network person, but I left that role about 10 years ago. Anyway, here’s what I know.
We had a power surge which caused the firewall to go down, when power came back up none of the IPSec tunnels would reestablish. The debug gave me a “no proposal chosen” error. I examined the crypto statements and all the proposals were named correctly with AES256, 3DES, etc however they were all showing DES. I tried to change the proposal statements but it would not take. I got an error that said something along the lines of needing certificates. The IOS was asa921.ke version 9.2(1). This made me think that version of IOS didn’t have 3DES available, but it was working just fine several hours before this.
Replaced the firewall with another 5505, running asa843.ke and got the crypto maps configured correctly, but the routing -while configured- wouldn’t show in the route tables. We couldn’t ping and errors indicated no established route.
Instead of copy and pasting sections of the configurations we tried tftp using the ASDM. That worked; routes were there, crypto was there, the network came back up.
I have no idea why the VPNs were up and running before the outage if the IOS couldn’t support AES256 or needed certificates.
What’s different between copy/pasting text files v. tftp? Why would this method of moving the configuration work but copy/paste wouldn’t?
Any insight would be greatly appreciated!
If I chose to use PAN products for my campus zero-trus or micro-seg, would it still be the perimeter-edge based filtering? What I mean is that I would implement a big PAN firewall and route every packet from user to the PAN for inspection and routing?
What I want to accomplish I believe should be simple.
I have 3 switches. 2 switches both currently trunk to an aggregate fiber switch. This fiber switch is currently the only way the other 2 switches can communicate between each other. I want to run 10G fiber between the switches, and only allow a couple VLANs to pass traffic through that 10G trunk instead of hauling all the way to the fiber aggregate switch and back down.
RSTP will simply nuke the other connection as soon as I link that fiber betwen the two switches....functioning as it should obviously. How do I configure it to play nice?
I have to setup/design networking for new building we are moving. The server room is on main floor and I have switching room and second floor. Our IT manager suggested we use fiber links between floors. I am thinking do we really need them? I mean what is the advantage? Emi for one but not much else right? The thing is that I have x amount for the whole project and why would I spend more money of fiber links, installation/termination services, finer modules etc when I can just do cat 7 with rj45 and use any switch I want. Everything is ethernet in the company, iscsi over ethernet for storage etc...
I am missing something, I do not want to confront/suggest this to my manager if there is any other obvious advantage to fiber them not having emi interference... I am thinking straight?
I am not core networking guy , more sys admin and being accidental networking guy
I feel like I'm stepping into a time machine to the 90's here, but would really appreciate some advice from the collective.
I've inherited a real mess of a topology and addressing. It's a call center operation with 12 sites connected through a mix of mpls and vpns. They are on managed services with the mpls vendor and everything has been configured with a random variety of rfc1918's using static routes. Yes, it's a real sh*tshow.
I've mapped out a new ip scheme and plan to migrate them over, and obviously, they need to get on dynamic routing at the same time.
Question for you folks - is bgp overkill for this? Should I just go with ospf? Any advice for how to best migrate over would be most appreciated. I know I can simply verify the routes are showing up under bgp before removing the static entries, but feel like that's way too simple. Surely I'm overlooking something here - or just need more coffee?
Many thanks in advance.
I am the sys admin for a company and we are in the process of building a large (200k sq/ft) warehouse. I am not a network admin but have been able to spec out and set up smaller sites in the past. This site is going to require 4 data rooms to cover the whole building. In addition it is remote to our main office so any on site visits would require airtravel. I am trying to plan this site to be as stable as possible and provide as much redundancy as possible. What are some best practices to use when building out such a large site? We are planning for HA pair firewalls but beyond that we don't have anything else set in stone.
Hi All,
We currently have x2 Cisco Nexus switches serving as iSCSi switches for ESXi hosts & NetApp storage. I need to build x2 more in a new datacenter and they are identical in every way. Can I just copy/paste the config from the show startup-config to the new switches? I've noticed the 'username user password 5 <hash>'. Will the user accounts/passwords copied over work or do they need to be unhashed first?
I recently saw a short presentation about the recently rebranded Cortex software. It was a sort of live sandbox on every station (via Traps client) with SOC. We've had a POC with Traps year ago, basically we had tons of false alerts in mobile devices and workstations. Is this tool any better these days? How do you see this aporoach of security?
Hello,
I am trying to create a new ASA cluster using cisco 2140 running ASA code. I can't seem to get the failover interface to come up. No blinky lights. I've tried placing a switch between them, nothing works. I have setup the asa config multiple ways as well. Any help is very much appreciated!!
The ip addressing are placeholders and the config is somewhat scrubbed:
##########################################
PRIMARY Unit:
##########################################
Prod-Primary# show run
: Saved
:
: Serial Number: JAD230709MC
: Hardware: FPR-2140, 14852 MB RAM, CPU MIPS 1800 MHz, 1 CPU (16 cores)
:
ASA Version 9.8(2)
!
hostname Prod-Primary
domain-name omitted
enable password
!
license smart
feature tier standard
names
!
interface Ethernet1/1
nameif outside
security-level 0
ip address 10.63.147.21 255.255.255.0 standby 10.63.147.22
!
interface Ethernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/9
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/10
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/11
description STATE Failover Interface
!
interface Ethernet1/12
no nameif
no security-level
no ip address
!
interface Ethernet1/13
no nameif
no security-level
no ip address
!
interface Ethernet1/14
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/15
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/16
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
nameif management
security-level 100
ip address 10.249.211.252 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
name-server 208.67.220.220
name-server 208.67.222.222
domain-name omitted
object network obj_any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
failover
failover lan unit primary
failover link State-link Ethernet1/11
failover interface ip State-link 192.168.252.1 255.255.255.0 standby 192.168.252.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
!
object network obj_any
nat (any,outside) dynamic interface
route management 0.0.0.0 0.0.0.0 10.249.211.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 10.249.211.0 255.255.255.0 management
ip-client outside
no snmp-server location
no snmp-server contact
crypto ca trustpool policy
auto-import
telnet timeout 5
ssh stricthostkeycheck
ssh 10.249.211.0 255.255.255.0 management
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
##########################################
SECONDARY Unit
##########################################
Prod-Secondary# show run
: Saved
:
: Serial Number: JAD230709LH
: Hardware: FPR-2140, 14852 MB RAM, CPU MIPS 1800 MHz, 1 CPU (16 cores)
:
ASA Version 9.8(2)
!
hostname Prod-Secondary
domain-name omitted
enable password
names
!
interface Ethernet1/1
nameif outside
security-level 0
ip address 10.63.147.21 255.255.255.0 standby 10.63.147.22
!
interface Ethernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/9
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/10
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/11
description STATE Failover Interface
!
interface Ethernet1/12
no nameif
no security-level
no ip address
!
interface Ethernet1/13
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/14
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/15
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/16
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 10.249.211.251 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
name-server 208.67.220.220
name-server 208.67.222.222
domain-name omitted
object network obj_any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
failover
failover lan unit secondary
failover link State-link Ethernet1/11
failover interface ip State-link 192.168.252.1 255.255.255.0 standby 192.168.252.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
!
object network obj_any
nat (any,outside) dynamic interface
route management 0.0.0.0 0.0.0.0 10.249.211.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.45.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 management
ip-client outside
no snmp-server location
no snmp-server contact
crypto ca trustpool policy
auto-import
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
##########################################
SHOW FAILOVER Output
##########################################
Prod-Primary# show failover
Failover On
Failover unit Primary
Failover LAN Interface: not Configured
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 1043 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(2), Mate Unknown
Serial Number: Ours JAD230709MC, Mate Unknown
Last Failover at: 12:40:03 UTC Mar 29 2019
This host: Primary - Disabled
Active time: 141 (sec)
slot 0: FPR-2140 hw/sw rev (49.46/9.8(2)) status (Up Sys)
Interface outside (10.63.147.21): Unknown (Waiting)
Interface inside (192.168.1.1): No Link (Waiting)
Interface management (10.249.211.252): Unknown (Waiting)
Other host: Secondary - Not Detected
Active time: 0 (sec)
Interface outside (10.63.147.22): Unknown (Waiting)
Interface inside (0.0.0.0): Unknown (Waiting)
Interface management (0.0.0.0): Unknown (Waiting)
Stateful Failover Logical Update Statistics
Link : State-link Ethernet1/11 (down)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
SIP Tx 0 0 0 0
SIP Pinhole 0 0 0 0
Route Session 0 0 0 0
Router ID 0 0 0 0
User-Identity 0 0 0 0
CTS SGTNAME 0 0 0 0
CTS PAC 0 0 0 0
TrustSec-SXP 0 0 0 0
IPv6 Route 0 0 0 0
STS Table 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Thank you!
For months we've been having issues with Palo alto global protect chasing slow download speeds on end users laptops. I myself experienced the same - 400mb download off VPN at home, 200mb download on VPN at home.
I had a new laptop yesterday - i7 8th Feb. Did a speedteest this morning and surprisingly my download speed off and on VPN was the same - 400mbps.
As a test I limited my cpu state to 50% and I was able to recreate what I saw on my old laptop - 200mb on VPN and 400mb off VPN. Downclocking further saw even more exaggerated results.
Is this a thing? Slow CPU causing slow client VPN performance? Kind of makes sense but I've never seen this behaviour before
Hi all. I have minimal network experience however I was recently hired to a new medium sized business and the first order of business is to re document the network. I understand the basics behind doing it, however I've never actually used a toner before.
The main question I have is, using a Fluke Toner, if a cable is terminated, will the line still tone at the other end? So like if I stick the probe in a users jack, will I be able to tone the line out WITHOUT unplugging it from the patch panel? Or will I need to go behind the panel to the punch down block with my wand, and try to get tone off of that? There is 0 documentation of this network and it's a straight up mess so I'm trying to avoid unplugging anything at all costs, until I have it re documented. (after that, I'll be redoing the majority of it.)
Any advice is much appreciated. This is my first week as a sysadmin after 5 years in IT, and while I acknowledge making mistakes is the best way to learn.... I'm not trying to drop the ball on simple documentation one week into the position lol
Hi guys,
In our environment we need to connect two Nexus5k with our dark fiber link. We have these two DWDM SFPs ONS-SC+-10G fixed wavelengh (which means that each SFP already have it's wavelength assigned by default).
My question is: For make this work, need i to put some special DWDM configuration on my Nexus interfaces or i just need to connect the fiber without any additional configuration?
Thanks so much in advance!
Hi all,
We recently held a live event where we experienced a lot of buffering on youtube and we're trying to understand where the issue came from. The situation was as follows: We were pushing 5 different streams (different languages) to Wowza cloud which was distributing to various destinations including Youtube. One point to note is our wowza settings were going to Akamai first so we could use Primary/Backup ingest setup (we came to later know that this "route" ads an extra step in the delivery that can cause latency/buffering). On one system (Imac 2017), the destination was our main Youtube channel, for a few hours things were generally OK, however at one point during the event we reached appx 60K concurrent viewers. This is the time when we started seeing from our side and viewers side lots of buffering. Unfortunately, at the exact same time, Youtube was giving us an internal 500 server error, which prohibited us from viewing our dashboard and stream health, but we did notice our Wowza stream health had lots of incoming/outgoing datarate fluctuations. The buffering issue wasnt the case on the other channels that we were streaming to. Because the buffering was so bad, we were constantly switching on/off our wirecast feed to resume the stream, where it would switch between Akamai's Primary and Backup. Strangely, once the archive video was processed, we didnt see much issue except for this switching between Primary & Backup. Once the concurrent views dropped back to appx. 5K, things again settled back down and we didnt have any more issues.
So, we're wanting to understand a few things:
• What could have been the root cause(s) for this issue?
• Is this an issue from Encoder to Youtube or Youtube to User issue? Or both? (We had plenty of local bandwidth, but got buffering and "steam not available" message on our player)
• Should we assume that everyone had buffering? We didnt specifically ask in comments if anyone was seeing the feed well, so we arent sure.
• How do you avoid (and test) for something like this from happening in the future?
My broadband supplier is Virgin Media in the UK. One of the services they provide is public wifi in which an 802.1x network is used. This is authenticated using your ISP email username/password and a certificate is provided for iOS devices. For Mac and Windows there is no certificate as this comes together with an app.
If I use the network without validation am I at risk of having my email username and password exposed?
My understanding is the certificate stops the authentication process if it can't verify it as genuine. Should I avoid doing this?
I recently joined as a QA in a company that builds network devices. We need to build an automation test suite for a load balancer. I have experience with building automated tests for web pages, using Page Object Model and selenium, but in this context, that approach seems to be making the whole framework over-engineered as writing whole classes for just config commands seems a bit contrived.
On the flip side, if i just create a connection handler class(wrapper on top of paramiko..similar to netmiko) and individually send commands in the tests, it might later cause a maintenance nightmare as there are thousands of tests.So, I am a little confused on how to approach this, though a bit biased towards the over engineered, but safe approach.
I am quite sure that many have faced this situation before me. I just want to know if there is standard approach to design an automation test framework to test network devices(like Page Object Model for web based testing). Or if there are some best practices that i should know in this regard.Thanks, in advance, for the help.
I am looking for a way to measure the quality of my twinax cables connection, I know that for normal SFPs we can run command such as "show interfaces etx transceiver" (different command for different vendor), this would usually give us signal quality, however for DAC type, twinax cable this is not available at all.
Below is an output on a twinax connection.
device1# show interfaces et13 transceiver
Port Name Temp (C) Volt (V) Tx Bias Tx Pwr Rx Pwr
---- -------------------- -------- -------- -------- -------- --------
et13 N/A N/A N/A N/A N/A
Does anyone have a copy of the java device manager.exe for Nortel 5500 series switches?
The Avaya FTP links are dead now: https://support.avaya.com/products/P0910/java-device-manager/6.2.x
Thanks!
been going back and forth with their support (home network, not business) for 3 weeks now. The 'escalated' call today the technician told me that my 10% packet loss was within acceptable levels. This is after 2 on-site visits :(
This seems like the place to post this question, but I found a velocloud edge 520, what is it, what does it do, and can i use it for any personal use or does the box only connect to velocloud?
Thanks again
I need to split the connection from a single ethernet handoff from a service access switch to two separate routers. I've tried a couple lower end gb unmanaged switches (under $40) and had a 25% loss on the connection. Anyone have any recommendations for a good switch for this task? I have a block of 5 IPs and the two routers each need their own external IP.
Hi, Would like to ask if announcing routes using network command from BGP affect the output of the mpls label? Because tried using the redistribute from IGP into BGP and the label works, not sure if this is just in GNS3 bug or something... though seen that there are method that they are using the Network command in BGP.
ASBR P2P only: PE01---PE02
######### PE 01 #########
interface GigabitEthernet3
ip address 192.168.1.1 255.255.255.252
negotiation auto
mpls bgp forwarding
no mop enabled
no mop sysid
end
PE01#sh run | sec router bgp
router bgp 20
bgp log-neighbor-changes
neighbor 192.168.1.2 remote-as 10
!
address-family ipv4
network 8.8.8.8 mask 255.255.255.255
neighbor 192.168.1.2 activate
neighbor 192.168.1.2 send-community both
neighbor 192.168.1.2 route-map RM:IB out
neighbor 192.168.1.2 send-label
exit-address-family
PE01#sh ip route 8.8.8.8
Routing entry for 8.8.8.8/32
Known via "isis", distance 115, metric 50, type level-2
PE01#sh ip route 172.1.1.11
Routing entry for 172.1.1.11/32
Known via "bgp 20", distance 20, metric 40
PE01#sh mpls forwarding-table 172.1.1.11 (FROM PEER)
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
24 No Label 172.1.1.11/3223496 Gi3 192.168.1.2
######### PE 02 #########
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.252
duplex full
mpls bgp forwarding
PE02#sh run | sec router bgp
router bgp 10
bgp log-neighbor-changes
neighbor 192.168.1.1 remote-as 20
!
address-family ipv4
no synchronization
network 172.1.1.11 mask 255.255.255.255
neighbor 192.168.1.1 activate
neighbor 192.168.1.1 send-community extended
neighbor 192.168.1.1 route-map RM:IB out
neighbor 192.168.1.1 send-label
no auto-summary
exit-address-family
Thanks
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts
Feel free to submit your blog post and as well a nice description to this thread.
Hey reddit,
I have a Watchguard Firebox X700 running pfSense 2.3.5 and I'm having some problems.
Basically what happens is the system boots and there's a WAN connection, however it's only about 5mbps where as normally it's 50-60mbps. After a few minutes the WAN appears to be competely gone all together and all the pings timeout.
Every time I reboot it's the same thing over and over. The CPU usage is sitting at about 30% and the memory at about 42% I'm new and am not sure if I've set something up incorrectly. When all this happens pfSense is still showing a WAN connection however, the network speed drops signifigantly till being no existant.
I'm still new to networking so appreciate the patience.
Does anyone have experience with WAN SDN Controllers? I've seen demos of NorthStar, but would like to see if there are others out there that have similar or better features. I'm trying to do some research into ODL, but can't find a lot of resources specific to SP networks and MPLS. Googling for WAN, SDN, and MPLS yields "SD-WAN vs MPLS" articles.
If anyone has first-hand experience with NorthStar, ODL, or other WAN SDN Controllers, what do you like/hate about them?
There's also a specific feature that I'm looking for. Let's say I have two diverse LSPs. I'd like to have packets with certain QOS markings take the LSP with the least amount of latency. As latency changes where the other LSP is now better by a certain value, then I'd like those packets to move to that LSP dynamically. Is this currently a possibility with open or vendor-specific solutions?
I have been working on a networking tool to help automate my workflow and management of my networks. However i was thinking about open sourcing it and allowing others to benefit or add to it. I wanted to add some features from the community that really helped people out.
What feature would really make your job a lot easier?
Hi all,
I am currently working on a Perl module for the Palo Alto API. As it now has a reasonable amount of functionality and has been tested I think it's ready for public consumption. You can find it on [metacpan](https://metacpan.org/pod/Device::Firewall::PaloAlto) or on [github](https://github.com/gregfoletta/Device-Firewall-PaloAlto).
I am fully aware that most people in the networking space are using Python rather than Perl, and frankly I am not interested in zealotry. What I have done however is write this module not only to be used in Perl scripts or modules, but to be used straight from the command line.
The API replies can be in some unfriendly formats. I clean these up, place put them in modules, then allow the output of JSON representations of these straight to STDOUT. You can then use the `jq` command line utility to quickly search or transform these structured replies.
Here's an example of using the module from a bash shell to quickly check which interfaces are up. The username, password and URI of the firewall are read from environment variables if not specified:
perl -MDevice::Firewall::PaloAlto -E 'Device::Firewall::PaloAlto->new(verify_hostname => 0)->auth->op->interfaces->to_json' | \
jq '.[] | select(.state == "up") | .name'
"tunnel"
"loopback.1"
"vlan.32"
"tunnel.2"
"loopback.2"
"ethernet1/2"
"loopback"
"vlan"
"loopback.4"
"loopback.3"
"ethernet1/1"
"tunnel.1"
Feel free to reach out with any suggestions or queries.
Hoping someone here can take a look at this config and maybe point me in the right direction.
I have a client that used to have an internal IT person. I use that term loosely cause this is a non-profit and this person was not IT, but handled all their IT
I have inherited this mess of a network. Cisco 891 is router/firewall front end. There are numerous internal networks, none of which are VLAN'd, all use layer 3 switches with various interfaces programmed with specific IP's in various subnets... just about every switch is throwing VLAN tagging mismatch errors, but hey it works they say! Not sure why it was setup in this fashion, but here I am with it.
I know ideally with the state of this network we need to burn it to the ground and start over, but again, client is a non-profit and has very little in the way of funds to put toward a network overhaul.
Config here - https://justpaste.it/4osoc
Config has been sanitized with various names/IP related info removed, but should be usable for the most part. Looks like half of this config was done with the CCP software while the other half is a hodge-podge of scattered changes.
Client wants PPTP VPN. Insists on using it, has internal AD server, wants to use AD auth, etc. etc.. Completely against having to install any software whatsoever.
I have PPTP forwarded without issue, seems my problem is actually getting GRE to passthrough. When attempting to connect, it hits, verifies credentials, then just hangs, and subsequently dies. Tried various things, using the built-in SDM_GRE on the 891 and getting an ACL applied that is "permit gre any any", but that ended with the same result and didn't work.
Ordinarily I could work my way through this one, but the mess of a config is making me cross-eyed and I seem to keep running into dead ends with nothing working as it should.
Thanks in advance for anyone able to offer any input, it is appreciated.
We are currently using a Pulse Secure MAG-4610 which is unfortunately EOL. We are struggling with replacement because the device allowed users to navigate to a web-page and upload\download to network shares or home folders. Does anyone know of any other devices or software that has this same functionality? Thank you!
I've got an A/V system just put in from Crestron -- the NVX system. It uses multicast to send out all of its streams. The other NVX boxes are configured as receivers to connect to these streams.
I'm fairly certain I don't have IGMP configured correctly on my switch. The multicast traffic goes out, sure, and receivers can pick it up, but if I switch between sources enough, I get huge packet loss. I'm talking 10k packets a second. If I leave a good connection be, I get 0 packet loss.
I've setup the querier for the VLAN it is on to be the management IP for that VLAN, as I'm not using an mrouter. I have immediate-leave enabled on that VLAN. I have Flow Control disabled on every port on that VLAN.
I've got IGMP v3 enabled on the switch stack and the NVX devices.
Weirdly enough, when I run a show ip igmp command, it tells me IGMP admin mode is disabled. It also says the IGMP Interface-Mode Status for every VLAN is "Disabled" and the Operational-Status is "Non-Operational"
What gives?
While replacing a broken switch for a costumer I started searching for better ways of mapping network cables to ports and came across this:
https://patchbox.com/patchbox-plus
https://www.youtube.com/watch?v=PxGQBOPCJ-4
If you are using that or something similar let me know what your experience is because curiosity is killing me.
So from my reading of the documentation and the noises jtac has been making, it is not possible to configure this; the only logs the switch will send to your server are what gets logged on the master. Is my assumption here correct?
I can think of some klugey methods to get this data, but they're not elegant...
Hello,
We have AT&T business fiber and paid for additional IP addresses. Usually we get all IPs in the same subnet but with AT&T, our primary static address is completely different than our 5 static IPs. I haven't seen this before and wasn't sure how they are supposed to be used.
My guess is we would set up those static IPs on other interfaces on the router/firewall and then config our router/firewall to route traffic from those 5 ips all through the primary static IP we were issued using Rules etc.
Is this correct? Why not just give us the IPs all in the same subnet?
Edit: I tried searching "AT&T fiber static subnet" before posting
I've resisted making a post about this, but I think it's time to ask the giant brains of /r/networking for help because Google has failed me and, support-wise, everyone is pointing at everyone. I apologize for the length; I'm trying to preempt questions where possible.
tl;dr Our Shoretel phone system - or our switches - has randomly starting dropping VLAN tags from the phones. It's either a config issue on the phones, or a bug in the switch.
Question: Has anyone seen this behavior before?
Switches: Netgear M4300 Prosafe switches (12.0.7.10)
Phones: various Shoretel models (mostly 230g and 480g)
I use a standard config to separate our phone/LAN VLANs.
#show running-config interface 1/0/1 !Current Configuration: ! interface 1/0/1 voice vlan 10 switchport mode access switchport access vlan 20
Assume:
VLAN 10 = Voice = 10.10.10.0/24
VLAN 20 = LAN = 192.168.20.0/24
The config works well and does what you'd expect:
Everything works fine...
#show lldp remote-device 1/0/1 LLDP Remote Device Summary Local Interface RemID Chassis ID Port ID System Name --------- ------- -------------------- ------------------ ------------------ 1/0/1 282 10.10.10.10 <-- Good! 00:10:49:xx:xx:xx Serial Number: ... #show lldp med remote-device detail 1/0/1 Local Interface: 1/0/1 Remote Identifier: 282 Capabilities MED Capabilities Supported: capabilities, networkpolicy, location, extended-pd MED Capabilities Enabled: capabilities, networkpolicy, extended-pd Device Class: Endpoint Class III Network Policies Media Policy Application Type: Voice VLAN ID: 10 <---- Good! Priority: 5 DSCP: 46 Unknown: False Tagged: TRUE <---- Good!
...until it doesn't. At random occasions, the phone just drops the VLAN tag entirely. I cannot find a root cause for this behavior.
During boot up, the LLDP-MED output remains the same as above, and then it just....drops the VLAN tag altogether.
#show lldp remote-device 1/0/1 LLDP Remote Device Summary Local Interface RemID Chassis ID Port ID System Name --------- ------- -------------------- ------------------ ------------------ 1/0/1 282 192.168.20.20 <-Bad! 00:10:49:xx:xx:xx Serial Number: ... #show lldp med remote-device detail 1/0/1 Local Interface: 1/0/1 Remote Identifier: 282 Capabilities MED Capabilities Supported: capabilities, networkpolicy, location, extended-pd MED Capabilities Enabled: capabilities, networkpolicy, extended-pd Device Class: Endpoint Class III Network Policies Media Policy Application Type: Voice VLAN ID: 0 <-------- Bad! Priority: 5 DSCP: 46 Unknown: False Tagged: False <------ Bad!
I've tried the following Very Basic troubleshooting steps:
However, if the switch is rebooted, the issue resolves itself. Everything comes back up fine. This is obviously not a preferable fix, made worse by the fact that we have some server clusters that crash if the switch they're connected to reboots, which involves MORE work to power off VMs and then re-enable them. And I can only stay up past midnight rebooting random switches to fix a single stray phone for a certain period of time before I have a mental breakdown.
The chatbot I spoke to said updating to 12.0.7.12 "may" fix the issue, but they have no idea. I've updated a couple of affected switches as a testing bed. So far, no issues, but it's only been a couple of days - this doesn't seem to occur until at least few days after a reboot.
I'm leaning towards it being a bug in the switch but my debugging options are limited on the switch side with relation to LLDP. I'm going to see about enabling syslog on the affected phone(s) so I can see what happens on that side with the VLAN tag, assuming a pertinent log entry even exists.
I am aware of other implementation methods if this issue cannot be resolved, so I don't need alternative methods to implement this (thank you, though!). I prefer this method as it's the cleanest config-wise (when it works, which 98% of the time it does), and I will migrate if I have to - this isn't a call center or anything, so at worst it's a minor annoyance. Most importantly, the phone system is still functional and these incidents are incredibly isolated - maybe three or four every couple of weeks.
What I would like to know is why is this happening? Has anyone run into this kind of issue?
You folks are great and I enjoy reading and being part of this community. I hope someone has an idea because I am out of them at the moment.
Hi,
I'm quite new to networking and I have set up two HPE 5940 switches in IRF.
Everything is working fine except that I am not able to access my management port... I have connected both management ports via cable to regular access ports in another VLAN in the same switch.
If I connect directly to the management port I can easily ping it and ssh into it but when I connect it to the access port I can not reach it it all, not even from the same VLAN. Other nodes connected the same way in the same VLAN are fine.
What is stopping me from connecting the management ports to access ports on itself?
interface M-GigabitEthernet0/0/0
ip binding vpn-instance MGMT
ip address 192.168.1.84 255.255.255.240
ip route-static vpn-instance MGMT 0.0.0.0 0 192.168.1.81 permanent
Hi,
We have VC which is remote address is from ASBR(option c), Why I'm getting this "No FEC mapping" result when ping the pseudowire circuit while the VC itself is up?
I'm not able to ping the remote IP using ping MPLS feature.
ping mpls ipv4 xxxx/y source xxxx
.....
Success rate is 0 percent (0/5)
ping mpls pseudowire xxxxx 100 source xxxx
Type escape sequence to abort.
FFFFF
Success rate is 0 percent (0/5)
Trace MPLS from Source to remote VC
TRACE 1:
0 x.x.x.x MRU 9202 [Labels: 27626 Exp: 0]
L 1 x.x.x.x MRU 9180 [Labels: 24006 Exp: 0] 5 ms
L 2 x.x.x.x MRU 9202 [Labels: 57 Exp: 0] 9 ms
L 3 x.x.x.x MRU 9216 [Labels: 576580 Exp: 0] 9 ms
L 4 x.x.x.x MRU 4484 [Labels: 625970 Exp: 7] 49 ms
D 5 x.x.x.x MRU 0 [No Label] 29 ms <<<------- DS Map mismatch
TRACE 2:
0 x.x.x.x MRU 9202 [Labels: 27626 Exp: 0]
L 1 x.x.x.x MRU 9180 [Labels: 24006 Exp: 0] 2 ms
L 2 x.x.x.x MRU 9202 [Labels: 57 Exp: 0] 9 ms
L 3 x.x.x.x MRU 9216 [Labels: 576580 Exp: 0] 9 ms
L 4 x.x.x.x MRU 4484 [Labels: 625970 Exp: 7] 51 ms
L 5 x.x.x.x MRU 4484 [Labels: implicit-null Exp: 0] 54 ms
but when pinging using normal IPv4 I can reach the destination IP?
ping ipv4 xxxx source xxxx
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/37 ms
Any idea? is this because theres a break on LSP path?
Last year I added port security restrict maximum 10 on our access ports on our 48 port layer 2 switches. I wanted to prevent a MAC flood attack.
How many MAC addresses does it take to flood a CAM table / MAC table? Will setting port security restrict maximum 10 prevent a MAC flood attack?
I was trying to be conservative in order to prevent any accidental business interruptions. Unfortunately there are not enough patch panels and we haven't been able to get new patch panels installed yet, so there are some crappy switches out on the floor in a couple places to provide wired Ethernet to VOIP phones, users and printers. Also we have all our computers getting Ethernet through a port on the VOIP phones So I can easily see there are more than five MAC addresses on a port.
Is the Network Plus certification worth it or should I skip to the CCNA?
A critical vulnerability in MikroTik’s RouterOS handling of IPv6 packets allows for “remote, unauthenticated denial of service,” according to security researcher Marek Isalski. According to a post on MikroTik’s user forum, the new vulnerability is “a memory exhaustion issue. You send a v6 packet formed in a certain way to a Mikrotik router and the kernel leaks a bit of memory. When memory runs out the router crashes, I assume until the watchdog reboots it. There is no way to firewall as whatever this characteristic is that causes the problem can be set with any v6 packet.”
Hi There,
I'm having an issue with slow transfer speeds when writing files from user computers to our storage server. I am the IT Administrator for our company and a goal of mine is to improve the transfer speed by 5-10x within a few weeks. Basically our setup is a high performance Dell workstation with 3.6ghz xeon processors, 32GB of ram, dedicated graphics cards, and gig/full duplex network adapters. They all use an application called Tekla Structures which is a modeling application. The issue is this application creates a folder for the model with thousands of files ranging from 2KB to 5MB, with 90% being in the KB range. If I transfer files over 1MB to our storage server as a test I get speeds of 500Mbps, which is expected. When I transfer files 500KB and under I get around 20-40Mbps up and 150 down, which is about 12x slower. How can I increase these speeds? Since this is a 3rd party program I cannot compress the information in some way to increase file size and lower the IOPS, so I am limited to thinking a NIC on the users Desktop might be the best bet.
I appreciate any feedback you can provide!
Thanks
Is it possible for a cisco switch stack to make any kind of configuration change after it powers on, by itself? I.E. I turn the switch stack on and 5 minutes later I run "show run" and it says the last configuration change was made 3 minutes ago.
EDIT "show history all" shows the switch stacking booting up and electing the master WHILE commands were being entered at the same time. How is that possible?
Hi,
I am hoping this qualifies as a career growth question and is not removed.
I am currently a 4 year experienced guy in networking with the entirety of my career in Cisco as a System Integration tester. This role has made me learnt a lot about how we work on a product and engineering level and shape it to be ready for the robust production environments.I have had good exposure of L2/L3 and other SP protocols (TE, multicast etc). Though I see a shift towards cloud/SDN and want to be ready on that as well. I am working towards my CCIE RS Lab and am keen to try out AWS certifications as well.
Side by side i have always been involved in numerous customer escalations and that has been always of my interest - to design a network and work on various real-time challenges.
I have recently trying to get a new job and have been offered multiple roles in both engineering and consultant roles.
For the same i seek advice on what path to take now so that I can end up in a Network design/Architect/TME roles.
Seeking inputs of growth in terms of salary, learning and being future ready.
What will be the possible pros/cons of engineering vs consultant roles?
P.S : pardon my ignorance on the wide range of my question, quite frankly i am very confused in the vast networking domain and want to take a solid step towards a fixed goal.
As my first project as a newly minted netops employee, I've been tasked with researching and upgrading the firmware on some switches. Sweet, first project ever! Thinking through things, I realized that I couldn't just upgrade the firmware, reboot the switch, and declare it done. Anyone have a reference or framework for being able to say I tested more than just pinging a couple of hosts and confirming I had access to the internet?
Edit: Forgot to mention that I do know this is going to be an after hours/change window kind of thing with reboots of the devices. I'm just unclear on what kind of baseline I'd be looking for post update.
Short version:
Did someone know an issue where the card needs a User input?
Long version:
I have a Mellanox ConnectX-3 MCX311A 10G Network card in an AsRock X299E-ITX Motherboard installed. The card works fine in my main PC but the AsRok board is not able to boot with this card installed.
The board has only one 16x pcie connector and no additional onboard graphics card.
With another 4x card for testing, the system works fine.
I ask the AsRok support for Help and they provide me a special Bios version and ask me try some settings without success.
Now they are thinking, maybe the card is waiting for a user input on boot and this is maybe the reason the system will not start.
Did someone know an issue where the card needs a User input?
Hello,
I'm a tech at a school and the kids connect to WiFi on their phones and then use a VPN client to get around our content filtering.
Most ports are closed on the firewall but I assume they are just using port 80.
There might be a clever way to stop these kinds of connections? Even if we can block the ports we must be able to block protocols?
The problem is our firewall is managed by another company. It would have to be something on Fortinet or HP switches.
Is this possible
Hello, I'm a sysadmin with minimal networking knowledge. Our network engineer quit and I've been tasked to clean up his mess. He was very knowledgeable but tended to do things quickly rather than correctly and once it works, stop and move on to another project without cleaning anything up. For instance this is one of our IDFs and sadly that isn't the worst one we have, just the only one I have a picture of.
Questions I have since I'll basically be replacing all networking switches is:
What is the proper method/ best practice for setting up trunks between all the switches? For instance can I have 4 switches all on Trk1 or do I need to have unique trunks for each switch? (all switches will have all VLANs trunked to them)
I've heard that for short runs (~1-2m) copper is technically faster for trunking than fiber (edge switches have only SFP so only 1gig either way), is that true?
Thanks for your help.
Thinking about upgrading our cisco ASA from version 9.6 to version 9.8 so that we can configure route based VPNs. This shouldn't have any impact on our current policy based VPNS already configured. I wouldn't think so and haven't seen anything in the release notes saying such. But I can be a little paranoid sometimes..... and it is Cisco...lol.
having issues when running eve-ng on esxi. i gave the machine enough resources but the problem is that when i run some nodes i get these errors :
hda error
dma timeout error
kernel segfault
if i deploy the vm on my local machine it works fine via wmworkstation.
I'm dealing with an issue that has left me perplexed.
A little background, we recently configured two separate stacks of 3 ex4800s as redundant access layers for our office. Each user has two ports at their desk, one going to either stack. These two stacks are trunking via LACP links to two ex4600s which sit in a virtual chassis. These sit in front of our office router, and a separate Cisco 2921 that does our VoIP network.
The configurations on the two access stacks are uniform and essentially identical. The same VoIP VLAN is configured on every port, and phones work without issue. That is, until we activate both stacks... If both access stacks are trunking to the aggregation VC there will be what appears to be a loop specifically confined to our VoIP VLAN. Phones will periodically lose connection for a time, until all the phones in the office are eventually down. During maintenance windows everything will appear fine, but as users roll in during the day the outage will come rolling in. Eventually the stack will become overwhelmed and require a reboot, but the phones are always the first victims.
The two stacks both see the aggregation as their root bridge, have RSTP enabled and bpdu-block-on-edge enabled. When we span the traffic during the outages we see TONS of DHCP traffic, but I'm not sure if it's a red herring. I've moved DHCP off of the Cisco Router and onto the AD instance that we use for all of our other subnets due to a lack of familiarity with DHCP on Cisco routers, but that hasn't brought any resolution.
There's no blatantly obvious loops in the network as far as I can tell.
As for now, we currently run off of one stack without issue, but I'd like to use two since the company has paid for both.
Is there something obvious I'm missing?
Hi,
We have VC which is remote address is from ASBR(option c), Why I'm getting this "No FEC mapping" result when ping the pseudowire circuit while the VC itself is up?
I'm not able to ping the remote IP using ping MPLS feature.
ping mpls ipv4 xxxx/y source xxxx
.....
Success rate is 0 percent (0/5)
ping mpls pseudowire xxxxx 100 source xxxx
Type escape sequence to abort.
FFFFF
Success rate is 0 percent (0/5)
Trace MPLS from Source to remote VC
TRACE 1:
0 x.x.x.x MRU 9202 [Labels: 27626 Exp: 0]
L 1 x.x.x.x MRU 9180 [Labels: 24006 Exp: 0] 5 ms
L 2 x.x.x.x MRU 9202 [Labels: 57 Exp: 0] 9 ms
L 3 x.x.x.x MRU 9216 [Labels: 576580 Exp: 0] 9 ms
L 4 x.x.x.x MRU 4484 [Labels: 625970 Exp: 7] 49 ms
D 5 x.x.x.x MRU 0 [No Label] 29 ms <<<------- DS Map mismatch
TRACE 2:
0 x.x.x.x MRU 9202 [Labels: 27626 Exp: 0]
L 1 x.x.x.x MRU 9180 [Labels: 24006 Exp: 0] 2 ms
L 2 x.x.x.x MRU 9202 [Labels: 57 Exp: 0] 9 ms
L 3 x.x.x.x MRU 9216 [Labels: 576580 Exp: 0] 9 ms
L 4 x.x.x.x MRU 4484 [Labels: 625970 Exp: 7] 51 ms
L 5 x.x.x.x MRU 4484 [Labels: implicit-null Exp: 0] 54 ms
but when pinging using normal IPv4 I can reach the destination IP?
ping ipv4 xxxx source xxxx
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/37 ms
Any idea? is this because theres a break on LSP path?
Thanks
I've been running a capture on a host for a week that continuously writes 500MB pcaps and have been manually combining those and then removing duplicate entries to get a list of source/destination traffic to/from the VM. Is there any low resource agent/program that can be installed that continuously captures this type of info? There's a lot of room for error in the way I'm doing it now and its super tedious!
What other methods are popular to capture this type of information?
I'm having an intermittent issue with some inter-vlan traffic and I'm not sure what could be causing this. I'm a 1.25-man IT shop for a small school district and not an expert by any means with networking.
I have a wired vlan, and 3 wifi VLANs for staff, students, and guest. The staff and student VLANs are setup in the exact same way. Both /22 networks. No firewall rules between vlans. Students are on locked down Chromebooks and guest network has rules through unifi wifi controller that limit internal access.
I have some internal web servers on the wired vlan that have just started recently becoming inaccessible to the student wifi network. It'll work for a bit and then stop working. I'm not sure where to look at this point. One odd thing is that if I set a laptop to a static IP on the wifi (same that it had with DHCP), I will sometimes lose the ability to ping the wired vlan. When I switch back to DHCP, it gets a new IP rather than the one it was just using. I don't know if that's related in any way but I've never seen it act like that before. DHCP server is a Win2008 server on the wired network vlan.
When this issue is occurring, trace route to the servers fail after the subnet's gateway.
Not sure what other details would be relevant. I haven't made any changes that I can think would cause this. It seemed to start happening after a power outage we had on Tuesday but all my equipment stayed up via UPS and generator power. I just had one switch that doesn't do any routing restart because UPS failed.
Hi everyone,
I'm having trouble configuring a site-to-site tunnel with OpenVPN to connect two small offices into a "single" LAN, using a routed IP tunnel. I have two CentOS machines, a server and a client. For the sake of simplicity, lets say server is on subnet 192.168.10.0/24 while the client is on 192.168.20.0/24.
In the server config file I have added the option to push "route 192.168.20.0 255.255.255.0" and I can ping any device from the server without an issue. However, I am unable to ping any of the 192.168.20.x devices from any 192.168.10.x device that isn't the server itself.
I have also created a ccd/client file and added
iroute 192.168.10.0 255.255.255.0 ifconfig-push 10.10.0.10 255.255.255.0
Are there any additional routes I need to configure? Does it need to be added on every single machine on both subnets? I don't mind doing the leg work at all but I am not sure what would be the next step. I'd prefer to avoid tinkering with the routers as they're heavily locked down by ISPs here.
Thanks in advance
Hello!
My company uses rubrik for backup and replication between data centers. The previous engineer decided to route that data through the firewall over a vpn to azure, needless to say the systems guys have to throttle that data to not overwhelm the firewall. We have an unused circuit on our isr4400 that I'd like to send all this backup data over. Our core switch is a catalyst 4500, which is what the rubrik, firewall, and router are plugged into. My initial thought was to move the rubrik into a new plan that is tagged back up to the unused circuit interface, and then make the rubrik default gateway the svi on the core. Is there a better way to accomplish this?
Thanks in advance for any ideas or suggestions!
So I just want to understand the concept for a vpn tunnel (ssh tunnel) connection for servers from another company coming into our company network. Is this vpn tunnel persistent or does the connection disconnect when not in use? I am comparing it to my own experience with vpn-ing into my company to access resources, and I disconnect when i'm done. Is this the same for servers that need to constantly poll systems in another corporate network, in that it just stays on all the time until you disconnect, or is this a different type of vpn where it stays on all the time?
I've tried reading up on PoE+ where I came across LLDP-MED being used to negociate PoE between a Switch (PSE) and a powered device (PD). - As far as I've learned some PD devices need to get the appropriate message from a PSE in order to get more juice and actually boot up. However beyond the full LLDP-MED spec (a rather large read), I've truggled to find a documentation explaining these things.
Netgear (managed switches) and Ubiquiti (EdgeSwitch line) are both based on Broadcom FASTPATH and can enable 'ex-pse' and 'ex-pd' described as " LDP extended PSE TLV" or "LLDP extended PD TLV" respectively. The closest I've come to get more details about what these TLVs do is Rukkus mentioning something as extended Power-via-MDI - is it the same is one of them needed / recommended to be enabled?
TL;DR: Can anyone point me into the right direction where I can read up on this topic?