Saturday, April 6, 2019

Architects of /r/networking, how did you fare during the last recession?

I've recently made the step up to an architecture position and I'm a little bit concerned about what might happen when the next recession comes. Are architects typically the first to go when cuts are demanded? If this happened to you, were you able to land on your feet?



GreenTunnel, Deep Packet Inspection blocker that defeats censorship and DPI against large nation-state regimes!

GreenTunnel bypasses DPI (Deep Packet Inspection) systems found in many ISPs (Internet Service Providers) which block access to certain websites.

You can install GreenTunnel using npm:

npm i -g green-tunnel

or use the GUI version (beta):

https://github.com/SadeghHayeri/GreenTunnel/releases

For more info and to see how it works:

https://github.com/SadeghHayeri/GreenTunnel



Does anyone know how to get AT&T Fiber to my area?

I am just sick of Comcast charging way too much for 60mbps in my neighborhood when literally 1 mile away there is AT&T that offers 300mbps for the same price I'm paying Comcast right now. So does anyone know how I could get AT&T service to my area?



Looking for career advice!

I'm having trouble choosing between a job that I can put on my resume (almost as a notch on the belt). It won't give me a lot of experience, but it's an IT job. Or a SATCOM position with more pay and little experience, but SATCOM is moving more toward IP based.



Rough quote question.

How much would it be to pull 1000 feet of 24 strands of single mode fiber from a school MDF closet to an IDF closet that already has fiber ran so the run in there. And how much to terminate 12 SC, 12 ST, 24 LC connectors?



Why did IS-IS lose to OSPF?

I'm curious about this. It seems like IS-IS is pretty close in implementation to OSPF and is more scalable to larger networks, so why did OSPF end up winning out?



UPDATE: Network+ compared to CCNA

original post here

So I took the Network+ and passed, not with a super high score, but I studied maybe 4 hours total for it. I mainly just looked at parts that weren't covered on the CCNA (cloud). Overall I think the Network+ is easier than the CCNA. The questions were compatible but the big difference was in the simulations.



Why are all clients only connecting to one AP in my salon?

Hello all - new here.

Last night I set up a UniFi network at my salon. I've got the USG, the POE switch and 3 Pro AC APs. Two of them are in my main, larger building (Pedicure AP, Manicure AP), with one next door in my smaller building (Wax AP). The Mani/Pedi APs are about 80 feet apart but are in two separate rooms with a firewall (literal fire, not networking) between them. Ever since setup, I literally cannot get a device to connect to Manicure AP. I'm new to UniFi so it may be a silly question, but I could really use some help. I tried dialing back the power of both APs from "High" to "Medium" based on a blog post I found, but to no avail.

Screenshot for reference: https://imgur.com/a/l0Fo9ss

Any help is certainly appreciated!



Minecraft Bedrock server port forwarding works on host network but not other networks

I’m running a Pocketmine bedrock server off my PC. I port forwarded my system’s static IP with the default port. I can connect to my external IP on my house internet but if I switch to my guest internet I can’t connect to the server with the external IP. I know the port is open because I can connect on the home network and I used this website that detects if ports are open to other networks. Anybody know why it’s doing this and what a fix would be?



BGP for VIP advertisement (Load Balancer)

Hi all,

In our datacenter, we've implemented a subnet-per-rack architecture (default gateway resides on ToR switch), mainly in order to avoid large broadcast domains and spanning tree issues. We use EVPN for some special cases which require a stretched L2, but would rather avoid this at all costs as it is not only complicated but doesn't really eliminate all L2 issues.

The issue is load balancers (and high availability, or VIP advertising in general) - since there's no shared broadcast domain or subnet, normal VIP advertising via VRRP etc. does not work. This has brought me to the thought of using BGP to advertise VIP addresses - servers peering with ToR switch and advertising a VIP that is in a different subnet, with the next hop being the server itself (I believe Google's Maglev and Facebook's Katran use this, Calico sort of does the same for Kubernetes).

First question, networking redditors - are you aware of such solution that implements such architecture?

This architecture poses some challenges and issues. From the top of my head:

  1. BGP sessions design. You obviously don't want your ToRs to peer with all servers (because it's a real mess to manage and automate, and because it creates issues with VM migrations). This implies a sort of centralized control plane (i.e. a single point of BGP peering between the fabric and a server which represents all load balancers. This is somehow similar to OpenStack Neutron's BGP speaker topology).
  2. Security. What prevents one server from advertising the VIP of other servers? Does the automation of this solution configure route-maps (or any other sort of routing policy) on the switches?
  3. How to create the actual interface holding the VIP (I was thinking about a loopback or Linux bridge with routing enabled on the server itself, but this seems a bit unconventional)
  4. Given the single point of peering from point 1, the obvious following challenges: which component probes for all load balancers/VIP holders in order to make sure they are up? pros and cons of centralized architecture vs a distributed one? how to make the centralized component highly available etc.

I'll be glad to hear your thoughts, ideas, implementation tips etc.

Cheers.
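As an added example (not from the post or any vendor), here is a model of the inbound policy a ToR would need for server-originated VIP announcements, covering point 2 (what stops a server announcing another server's VIP) and point 3 (the VIP is a /32 with the server itself as next hop). The VIP pool, peer addresses and assignments are constructed sample data; a real switch would express the same checks as prefix-lists, a route-map and a maximum-prefix limit.

```python
"""Added example (not from the post): a model of the routing policy a ToR
would need when servers announce VIPs over BGP. The VIP pool, peers and
assignments below are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Announcement:
    peer: str       # BGP neighbour address, i.e. the server's rack-subnet address
    prefix: str     # NLRI being announced
    next_hop: str   # NEXT_HOP attribute carried in the UPDATE


@dataclass
class VipPolicy:
    vip_pool: ipaddress.IPv4Network
    # peer address -> set of VIPs that server is allowed to announce
    assignments: dict = field(default_factory=dict)
    max_prefixes: int = 8   # per-peer ceiling, like a BGP maximum-prefix limit

    def evaluate(self, ann: Announcement) -> tuple:
        """Return (accepted, reason); the checks run in route-map order."""
        allowed = self.assignments.get(ann.peer)
        if allowed is None:
            return False, "peer is not a configured VIP speaker"
        try:
            prefix = ipaddress.ip_network(ann.prefix, strict=True)
        except ValueError:
            return False, "malformed prefix"
        if prefix.prefixlen != 32:
            return False, "only /32 host routes are accepted for VIPs"
        if not prefix.subnet_of(self.vip_pool):
            return False, "prefix is outside the VIP pool"
        if str(prefix.network_address) not in allowed:
            return False, "VIP is not assigned to this peer"
        if ann.next_hop != ann.peer:
            return False, "next hop must be the announcing server itself"
        return True, "accepted"

    def apply(self, updates: list) -> list:
        """Filter a batch of UPDATEs in order; returns (announcement, ok, reason).
        A real maximum-prefix breach would tear the session down; here it is
        modelled as a rejection so the batch can be inspected."""
        per_peer = {}
        results = []
        for ann in updates:
            ok, reason = self.evaluate(ann)
            if ok and per_peer.get(ann.peer, 0) >= self.max_prefixes:
                ok, reason = False, "maximum-prefix exceeded for peer"
            if ok:
                per_peer[ann.peer] = per_peer.get(ann.peer, 0) + 1
            results.append((ann, ok, reason))
        return results


def sample_policy() -> VipPolicy:
    """Constructed rack: VIP pool 10.255.0.0/24, two LB servers in 10.1.1.0/24."""
    return VipPolicy(
        vip_pool=ipaddress.ip_network("10.255.0.0/24"),
        assignments={
            "10.1.1.10": {"10.255.0.1", "10.255.0.2"},
            "10.1.1.11": {"10.255.0.3"},
        },
        max_prefixes=2,
    )


def run_sample() -> list:
    """Constructed UPDATE batch; returns the policy's reason for each, in order."""
    updates = [
        Announcement("10.1.1.10", "10.255.0.1/32", "10.1.1.10"),   # legitimate
        Announcement("10.1.1.11", "10.255.0.3/32", "10.1.1.11"),   # legitimate
        Announcement("10.1.1.11", "10.255.0.1/32", "10.1.1.11"),   # another server's VIP
        Announcement("10.1.1.10", "10.255.0.0/24", "10.1.1.10"),   # whole pool, not a /32
        Announcement("10.1.1.10", "10.255.0.2/32", "10.1.1.99"),   # third-party next hop
        Announcement("10.1.1.50", "10.255.0.4/32", "10.1.1.50"),   # peer not configured
        Announcement("10.1.1.10", "10.1.1.10/32", "10.1.1.10"),    # rack address, not a VIP
        Announcement("10.1.1.10", "10.255.0.2/32", "10.1.1.10"),   # legitimate, 2nd prefix
        Announcement("10.1.1.10", "10.255.0.1/32", "10.1.1.10"),   # over the per-peer limit
    ]
    return [reason for _, _, reason in sample_policy().apply(updates)]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```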



Why is ping the sum of send and receive time in gaming?

Suppose Machine1 sends a packet to Server1 in 30ms and receives data from other computers in 25ms, through the server. We will say that the latency of the Machine1 to the server is 55ms. But, if the computer can send and receive simultaneously (which I am not sure about), then ping should be the maximum latency, viz. 30ms, as while the data is being sent in 30ms, in that time period only the data is received. Please clarify and explain if a client can send and receive packets simultaneously or not.



Insanely high amount of input discards on Nexus 3K uplink ports

We have a Nexus 3048 with 1 Gbps uplinks that have ~300-500 Mbps of traffic. I noticed that there is a massive amount of input discards on the uplink interfaces:

Ethernet1/52 is up
 Dedicated Interface
  Belongs to Po1
  Hardware: 1000/10000 Ethernet, address: 003a.7d50.f53b (bia 003a.7d50.f53b)
  Description: rcnS00;G2/4/17;MH;DC;x;x
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec
  Load-Interval #2: 5 minute (300 seconds)
    input rate 172.22 Mbps, 24.44 Kpps; output rate 14.26 Mbps, 2.88 Kpps
  RX
    662943483379 unicast packets  2662619555 multicast packets  1059169069 broad
    0 input with dribble  633520490014 input discard

  +-----------------------------------------+-----------------+----------------+-------------------------------------+
  | Counter Description                     | Count           | Last Increment | Last Increment Time                 |
  +-----------------------------------------+-----------------+----------------+-------------------------------------+
    IPv4 Discards                             0                 0
    STP Discards                              17                13               01-07-2019 12:16:22.321309
    Policy Discards                           0                 0
    ACL Drops                                 0                 0
    Receive Drops                             142307726820      3407             04-06-2019 18:09:37.646092
    Vlan Discards                             142303991446      3987             04-06-2019 18:09:37.646092
  +-----------------------------------------+-----------------+----------------+-------------------------------------+

There are literally tens of thousands of discards per second. I have no idea why this should be happening. Especially the VLAN discards make no sense, since almost all VLANs are allowed on the ports. NX-OS 6.0(2)U3(7).

Anyone seen anything like this?
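As an added example (not from the post), here is a small parser for the NX-OS `show interface` counters quoted above, which extracts the RX totals and the per-reason discard table and flags an interface whose input discards are a large share of what arrives. The SAMPLE text is constructed to mirror the post's counters; the ratio definition and the 1% alert threshold are this example's own choices.

```python
"""Added example (not from the post): parse NX-OS 'show interface' RX
counters and the per-reason discard table, then report discard findings.
SAMPLE is constructed to mirror the counters quoted in the post."""
import re

SAMPLE = """\
Ethernet1/52 is up
 Dedicated Interface
  Belongs to Po1
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec
  RX
    662943483379 unicast packets  2662619555 multicast packets  1059169069 broadcast packets
    0 input with dribble  633520490014 input discard
  +-----------------------------------------+-----------------+----------------+----------------------------+
  | Counter Description                     | Count           | Last Increment | Last Increment Time        |
  +-----------------------------------------+-----------------+----------------+----------------------------+
    IPv4 Discards                             0                 0
    STP Discards                              17                13               01-07-2019 12:16:22.321309
    Policy Discards                           0                 0
    ACL Drops                                 0                 0
    Receive Drops                             142307726820      3407             04-06-2019 18:09:37.646092
    Vlan Discards                             142303991446      3987             04-06-2019 18:09:37.646092
  +-----------------------------------------+-----------------+----------------+----------------------------+
"""

RX_RE = re.compile(r"(\d+) (unicast|multicast|broadcast) packets")
INPUT_DISCARD_RE = re.compile(r"(\d+) input discard")
# reason rows: name, count, last increment; the timestamp column is optional
REASON_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?)\s{2,}(\d+)\s+(\d+)", re.M)


def parse_interface(text: str) -> dict:
    """Extract RX totals, the input-discard counter and the per-reason rows."""
    rx = {kind: int(n) for n, kind in RX_RE.findall(text)}
    discard = INPUT_DISCARD_RE.search(text)
    if len(rx) != 3 or discard is None:
        raise ValueError("unrecognised show interface output")
    reasons = {name.strip(): {"count": int(count), "last": int(last)}
               for name, count, last in REASON_RE.findall(text)}
    received = sum(rx.values())
    discards = int(discard.group(1))
    arrived = received + discards
    return {
        "received": received,
        "input_discards": discards,
        # assumption: ratio of discarded frames to all frames that arrived
        "discard_ratio": discards / arrived if arrived else 0.0,
        "reasons": reasons,
    }


def discard_findings(stats: dict, ratio_threshold: float = 0.01) -> list:
    """Findings: ratio over threshold first, then reasons still incrementing,
    largest counter first."""
    findings = []
    if stats["discard_ratio"] > ratio_threshold:
        findings.append(
            f"input discards are {stats['discard_ratio']:.1%} of arriving frames")
    active = sorted(
        ((r["count"], name) for name, r in stats["reasons"].items() if r["last"] > 0),
        reverse=True)
    for count, name in active:
        findings.append(f"{name}: {count} (still incrementing)")
    return findings


if __name__ == "__main__":
    for line in discard_findings(parse_interface(SAMPLE)):
        print(line)
```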



Adding a second switch kills multicast traffic

Hi all,

I'm encountering a mysterious issue with a pair of switches I'm working with. I openly profess my ignorance and hope someone will be kind enough to point me in the right direction so that I can learn about what's happening.

I have a Dell N3048 as a primary switch, and I just came into possession of an HP Aruba 3810M. I currently have a few Macs, a FreeNAS, and a Bonjour printer connected to the N3048, all of which are visible to each other over mDNS/Bonjour. However, a few minutes after I connect an uplink to the 3810M I noticed that mDNS and Bonjour pretty much die on the entire network. As soon as I disconnect the 3810M, almost instantly mDNS and Bonjour are happy again.

This is all within a single VLAN. I'm not trying to traverse VLANs or anything. The only thing plugged into the 3810M is a single known-good machine, and an uplink to the N3048 where everything else is plugged into.

The 3810M has multiple user manuals, one of which is dedicated to multicast routing alone, and it's over 400 pages. I'm finding it very difficult to narrow down what I'm dealing with here. Could someone give me a pointer? Thank you!

Aruba 3810M config:

; JL076A Configuration Editor; Created on release #KB.16.08.0002
; [REDACTED]
hostname "Aru3810"
module 1 type jl076x
module 2 type jl076y
module 3 type jl076z
flexible-module A type JL083A
mdns enable
dhcp-snooping
dhcp-snooping vlan 1-2
igmp filter-unknown-mcast
igmp lookup-mode ip
timesync ntp
ntp server-name "0.pool.ntp.org"
ntp server-name "1.pool.ntp.org"
ntp server-name "2.pool.ntp.org"
ntp server-name "3.pool.ntp.org"
ntp enable
ip default-gateway 10.1.1.1
ip dns server-address priority 1 1.1.1.1
interface 1
   dhcp-snooping trust
   dhcpv6-snooping trust
   exit
interface A1
   dhcp-snooping trust
   dhcpv6-snooping trust
   exit
snmp-server community "public" unrestricted
oobm
   ip address dhcp-bootp
   exit
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-48,A1-A4
   ip address 10.1.1.249 255.255.255.0
   ip igmp
   ip igmp version 3
   jumbo
   exit
vlan 2
   name "VLAN2"
   tagged 1-48,A1-A4
   ip address 10.2.1.249 255.255.255.0
   ip igmp
   ip igmp version 3
   jumbo
   exit
spanning-tree
spanning-tree 1 loop-guard
spanning-tree A1 loop-guard
no tftp server
loop-protect disable-timer 300
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator

Dell N3048 Config:

!Current Configuration:
!Software Capability "Stack Limit = 8, VLAN Limit = 1024"
!Image File "N3000AdvLitev6.5.3.4"
!System Description "Dell EMC Networking N3048, 6.5.3.4, Linux 3.6.5-e3cd5a07, Not Available"
!System Software Version 6.5.3.4
!
configure
vlan 2
name "vlan2"
exit
slot 1/0 3    ! Dell EMC Networking N3048
slot 1/1 6    ! Dell EMC N3000 SFP+ Card
stack
member 1 4    ! N3048
exit
interface out-of-band
ip address 10.1.1.241 255.255.0.0 10.1.1.1
exit
system jumbo mtu 9216
interface vlan 1
ip address 10.1.1.241 255.255.255.0
exit
username "admin" password [REDACTED] privilege 15 encrypted
application install SupportAssist auto-restart start-on-boot
application install hiveagent start-on-boot
ip dhcp snooping
!
interface Gi1/0/1
ip dhcp snooping trust
switchport mode trunk
exit
!
interface Gi1/0/2
ip dhcp snooping trust
switchport mode trunk
exit
!
interface Gi1/0/3
ip dhcp snooping trust
switchport mode trunk
exit
!
interface Gi1/0/4
ip dhcp snooping trust
switchport mode trunk
exit
!
interface Gi1/0/5
ip dhcp snooping trust
switchport mode trunk
exit
!
interface Gi1/0/6
ip dhcp snooping trust
switchport mode trunk
exit
!
interface Gi1/0/7
ip dhcp snooping trust
switchport mode trunk
exit
!
interface Gi1/0/8
ip dhcp snooping trust
switchport mode trunk
exit
!
interface Gi1/0/9
ip dhcp snooping trust
switchport mode trunk
exit
!
interface Gi1/0/10
ip dhcp snooping trust
switchport mode trunk
exit
!
interface Te1/0/1
ip dhcp snooping trust
switchport mode trunk
exit



Router that can limit wifi speed to clients

What do you think is the most price-efficient router available for a 4-person home?



Alternatives to one-armed-router setups for performance (help)

Hello. I'm looking to buy and set up a better network at home for performance and security reasons.

Current setup is just a Router 6300v2.

From reading, a one-armed-router setup doesn't seem to be the best possible setup for that, as the traffic between switch and router will be congested quickly.

Say I want to send a big file (1Gbps) from A to B that is connected to the switch, and at the same time C wants to download a file from the internet (1Gbps). This would make the Router handle the routing and not the switch, right? Seeing as it's the Router that handles VLANs.

My question here would be: What is the best setup for this problem? I want to keep WAN line clear from LAN traffic, and still have the Router features working (NAT etc).

My thought was L3 switch handling VLAN but that would remove NAT from Router?

So in conclusion: Is Router-on-a-stick the best setup possible to keep Router features and at the same time have VLAN?

Any help is welcome. Even suggestions on setup. What I want is low latency to WAN (gaming), even when LAN traffic is happening (i.e. NAS traffic, file sends).

Gear I want to buy: ER-4, nanoHDs, L3 (necessary?) switch with PoE, later on PoE cameras.

If you don't mind, what is your setup and why?



What Mesh Wifi Systems Offer Guest Throttling?

Good afternoon, I'm trying to determine if there are any mesh solutions out there that offer guest throttling for a business. The business currently has a Spectrum-supplied modem. I'm looking to turn this into more of a managed solution from my phone/home for the business. I was thinking about getting rid of their modem, installing a mesh system with a switch (for ATM, jukebox, POS systems). My problem is, with 25b speed and 8 IP HD cameras I'm afraid if I just throw up a guest network at this bar, quality of the wireless cameras will go down, and I can really set a priority for the important bar things.

Any suggestions or help would be incredible. I mean it.



Bottleneck bandwidth estimator tool

Hi, I am looking for a tool for estimating the bottleneck bandwidth along a path. What could I use?



Friday, April 5, 2019

weird problem surfacing with Internet [HELP!]

I'm staying at an Extended Stay America and have been for 1 month now. I bought their upgraded internet and for the first month I had no problems whatsoever; the speeds weren't great but I could video game and have a reasonable ping and not have any lag.

As of yesterday I started getting problems: my ping is between 150-500 ms at all times and sometimes the internet totally times out. I've called tech support 9 different times and all they have me do is run a speed test and connect me to the closest access point, which fixes nothing. My DL is 5-10 Mbps and upload is around .5-2 Mbps. I know the download isn't even true either, because I tried downloading a driver and it's actually about .5 Mbps.

Since the tech support seems inadequate to help me, I've gone crazy the last few hours trying to find a fix. I've updated all my drivers, turned the firewall on and off, messed with services trying to find ones I can disable to free up internet, ran virus scans, forgot the network and reconnected, and a lot more stuff.

Nothing has worked. I took cyber security classes back in high school so I have a basic understanding of computers, plus I spend all my free time on it. I cannot access the router page, obviously, because it's an extended stay hotel. Also I almost never download files off the internet; I strictly game on my PC so I don't think it could be an issue with a file/virus.

If someone could help me fix this it would mean the world to me, seriously.



Back To Back vPC with VXLAN in Between?

Hey Guys,

So I have been thinking about this topology, wondering if it is possible. I have four Nexus 9300 switches and I want to put each vPC pair into two different racks in the same DC, but I want to keep the IP subnet the same between each rack. Would using routed interfaces between vPC 1 and vPC 2 with VXLAN between work? I would use HSRP on the "frontend" on all four 9K switches and configure the same IP subnet on each switch. On paper this sounds promising, but I'm wondering if this will work, any gotchas, or am I just crazy ;)

The main goal is to keep the networks the same between each rack. I don't have a core switch; these would be the only switches in the DC besides maybe some copper switches for management traffic, which would connect to either vPC 1 or vPC 2, not both.

The topology would look something like this:

[ASCII topology diagram, not recoverable from the page: vPC Domain 2 (9K-3 and 9K-4) on top, vPC Domain 1 (9K-1 and 9K-2) below, with the cross-connected links between the two domains labelled VXLAN]

Thank You



Slow Network, Crashed HP Enterprise Printers

Hello... quick background. I'm a 23+ year experienced IT professional. In the last 8 years, I've held an IT Generalist/Jack of all Trades IT Director position. I am also the SOLO IT guy. Networking is my weakest area.

Today around 12:20PM central, a group said their printer was down. HP LaserJet Enterprise M605. It has a message of 33.05.13, Security Alert. I checked the other M605 and it had the same thing. I decided to go check a wall of HP Enterprise M72525 printers and to my shock, all 3 (which have bigger touch screens) had the same error. I started to panic. Our lone Enterprise Color LaserJet had the same error. All 10 of our Enterprise level printers had this message. Regular class LaserJets/Deskjets had no problem. PCs and servers were fine and we had no problem with day to day work except for printing.

Later in the day, our two Toshiba Copiers started acting very slowly.

Our primary server is a Dell VRTX system with two PowerEdge M630 blades, of which we only use one blade currently for production. I can get to the CMC fine, but when I try to go into the blade's IP address to launch the virtual console, it acts like a DoS attack and never fully connects. I connected a laptop directly to the CMC and everything comes up at normal speed.

As mentioned, the biggest hit is the HP Enterprise Printers being totally down and the Toshiba copiers slow. Workstations, File Server, SQL, Applications all are fine...for now.

We have unmanaged switches and I was 5-6 weeks out from getting a budget to upgrade network equipment. But I digress.

My problem is I have no idea what is causing this and not a lot of tools or experience to help locate the problem. I have WireShark but don't know how to use or read the data.

What should I be looking for first? What can I do next? Should I power off all workstations in case one is infected with something causing a broadcast storm or DoS attack? Why can't I get into my two blades? I am considering all options, even powering off all workstations and then turning them on one by one to see if one of those is causing it.

I have until Monday morning to get this resolved. I do worry that it might be a growing problem, but wonder if it is safe to leave tonight and start fresh tomorrow...



Can anyone share their experience with Cisco Instant Access Switches?

I've been tasked with putting together a BOM for a small call center. While looking through Cisco's website I came across the 6800IA line which I hadn't heard of. These switches look really interesting but it seems they have gone EOL already. I like the features they have to manage all of the access switches from one large switch. I'm interested in hearing stories from admins who have used these, were they any good? Also interested to learn if there is a replacement for these that can do the same sort of manage everything from one switch with FEX like links connecting all of the access switches.



IPv4 question

For the IP address 172.16.117.77/20 my current understanding leads me to assume that the network ID for this address would be 172.16.113.0, but an IP calculator is showing the third octet is 112. Shouldn't 117 be lowered by only 4 bits and not 5?
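As an added example (not from the post), here is a subnet calculator that applies the prefix mask octet by octet and shows the binary, so the /20 cut in the third octet is visible; it also cross-checks the hand computation against Python's standard `ipaddress` module. It works for any IPv4 prefix length, not only the /20 in the question.

```python
"""Added example (not from the post): compute the network ID for a CIDR
address by masking each octet, and show the binary for each octet so the
position of the prefix cut is visible."""
import ipaddress  # standard library, used only to cross-check the hand computation


def prefix_to_mask(prefix_len: int) -> int:
    """Return the 32-bit netmask for a prefix length, e.g. /20 -> 0xFFFFF000."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer, validating each octet."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def binary_breakdown(ip: int, mask: int) -> list:
    """Per-octet (address, mask, address AND mask) in binary."""
    rows = []
    for shift in (24, 16, 8, 0):
        a = (ip >> shift) & 0xFF
        m = (mask >> shift) & 0xFF
        rows.append((f"{a:08b}", f"{m:08b}", f"{a & m:08b}"))
    return rows


def subnet_info(cidr: str) -> dict:
    """Network, broadcast, mask and host count for an address in CIDR form."""
    addr, prefix = cidr.split("/")
    prefix_len = int(prefix)
    mask = prefix_to_mask(prefix_len)
    ip = ip_to_int(addr)
    network = ip & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "netmask": int_to_ip(mask),
        "host_bits": 32 - prefix_len,
        # /31 and /32 have no network/broadcast pair to subtract
        "usable_hosts": max(0, 2 ** (32 - prefix_len) - 2),
        "octet_binary": binary_breakdown(ip, mask),
    }


def cross_check(cidr: str) -> bool:
    """True when the hand computation agrees with ipaddress.ip_network."""
    net = ipaddress.ip_network(cidr, strict=False)
    info = subnet_info(cidr)
    return (info["network"] == str(net.network_address)
            and info["broadcast"] == str(net.broadcast_address))


if __name__ == "__main__":
    info = subnet_info("172.16.117.77/20")
    for octet_no, (a, m, r) in enumerate(info["octet_binary"], 1):
        print(f"octet {octet_no}: {a} AND {m} = {r}")
    print(info["network"], info["broadcast"], info["netmask"], info["usable_hosts"])
```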



TCP/IP can actually drop packets in extreme circumstances, right?

I am getting anomalies on my basic client<>server networking architecture. I only get these anomalies on terribad cell phone data networks where latency can be 40,000ms+. I am thinking somewhere along the lines or in the air, TCP/IP is giving up transfer after 40 seconds of failure may be happening...

I read webpages that say TCP/IP is not perfect over terribly bad networks, but just want to hear it from a real person if a packet or two may be dropped over a terrible network such as spotty cell phone coverage.



Cisco 829 LTE takes several minutes to turn up the cellular interface. Is this normal?

I'm getting ready to deploy a small fleet of these damn things and I'm finding something odd. About half of them are going into vehicles that aren't on 24/7 and bootup time is a concern.

The router boots in 3 min, sits there calmly with all interfaces up/up hearing MACs from downstream and waits an additional 4 minutes to bring the damn Cell 0 up. I can't find any tuning for this in documentation. Anyone have insight into this?



AutoQos on a port-channel for VOIP on a Cisco 4500 and 6800

We are currently in the process of upgrading our phone system to Cisco VoIP. In the documentation they recommend you run the auto qos voip cisco-phone command under the interface where the phones will hang off from. I will need to do this on uplinks and the voice server interface.

How do we go about configuring the uplink ports for auto QoS from the access switch (4500) to the core (6880)? These are port-channeled to each other.

I did configure four phone ports with auto QoS VoIP cisco-phone command, which then creates a laundry list of auto-generated qos configurations.

Example:

4500(config)#interface tenGigabitEthernet 5/1

4500(config-if)#auto ?

security-port Configure AutoSecurity

4500(config)#interface port-channel 47

4500(config-if)#auto ?

security-port Configure AutoSecurity

6800 running on 15.2(1)SY6

4510 running on 03.08.07.E



How can I prepare for a NOC tech interview?

I'm nervous. I want to get into IT. I did a survey and the boss liked my answers. He said he wants to discuss this opportunity further in a 15-30 minute call. I've never done NOC work before; should I turn this down?



Juniper 5200-48Y 25gig config

Does anyone know how to disable the config warnings you see on a 5200 when you enable an ASIC for 25 gig?

Example:

set chassis fpc 0 pic 0 port 0 speed 25g

gets this:

root@5200-leaf# show | compare
warning: 25g config will be applied to ports 0 to 3
warning: 25g config will be applied to ports 4 to 7
warning: 25g config will be applied to ports 8 to 11
warning: 25g config will be applied to ports 12 to 15
warning: 25g config will be applied to ports 16 to 19
warning: 25g config will be applied to ports 20 to 23
warning: 25g config will be applied to ports 24 to 27
warning: 25g config will be applied to ports 28 to 31
warning: 25g config will be applied to ports 32 to 35
warning: 25g config will be applied to ports 36 to 39
warning: 25g config will be applied to ports 40 to 43
warning: 25g config will be applied to ports 44 to 47

Note: this comes up every time I commit. I've had the 25g config applied for months and have had numerous commits since and every time I commit the warnings come up.



CenturyLink CBRAS: What it is and how it works

http://bit.ly/2I14IMo

ACI migrations - How long do you plan for?

For those out there doing ACI implementations, or for those who have done their own, how much time do you budget from planning to project sign-off for a 2 DC multipod installation with 50 bare-metal hosts and 400 VMware virtual machines?



Troubleshoot Help | Brocade ICX 6610 | I have a Brocade ICX that, when it reboots, goes back into switch mode and I have to manually put it back into router mode.

I have to do this every time:

configure terminal
boot system flash secondary
write memory
reload

My goal is to not have to buy a router, but use Router on a Stick, and have this device go back into router mode when it reboots. After 2 power outages, that was a pain for me. Manually consoling into the box can be difficult.

Any advice will help.



Is there any good book or guide teaching the basic concepts of networking?


Outdoor Cat6 cable?

We are going to be installing 10 outdoor access points at various buildings over the summer. The cables will be run inside as far as they can, but eventually will exit a wall or conduit and be exposed for probably less than 10ft. Should I go with an outdoor rated Cat6 cable, or from searching around some people use direct burial cable for this purpose?

I had used some outdoor Cat6 cable before, and it had vaseline or something inside the cable and made it difficult to terminate, is this the case for most outdoor cable?



But first, you must ART for your gateway

I recently found out that tshark can capture and print files in color, so I decided to make an art.

https://dl.dropboxusercontent.com/s/pt45pphiekt4srh/packets_the_universal_interface.png

This image consists of tshark --color capturing on all 4 OSes that I care to put in a VM + are supported by Wireshark. Easter egg is to figure out which one is the host based on the traffic.

Shout out to Dave Goodell for making this feature and to Guy Harris for Windows improvements.

Edit: Looks like I can't add an inline image, so I'm leaving it as a link to an image.



Cisco LTE EHWIC config

I have configured a 2921 with a Verizon EHWIC and it is all working fine, but it picked up this speed limit somewhere and I'm not sure where or how to get rid of it.

line 0/0/0
 script dialer lte
 modem InOut
 no exec
 rxspeed 100000000
 txspeed 50000000

Is it picking that rxspeed and txspeed up automatically from Verizon?



Multiple VLANs But Can't Use Trunk

Hey All,

Have a quick question. If I have the need to pass traffic for multiple VLANs from a switch to a router but am not able to have a trunk link between the two, am I then able to connect multiple cables between the two as access ports on either side?

From what I understand the access ports on the switch that are closest to the computers will tag that traffic entering ingress on those ports with the VLAN number. The access ports on the switch closest to the router will strip the tag when traffic leaves egress on those ports and will traverse the link untagged, and then will get tagged again when they access my router's access ports, correct?

So an example traffic flow:

VLAN10 Computer sends a DHCPDiscover > Enters Access VLAN10 on Switch > Leaves Access VLAN10 on Switch closest to router and gets untagged > Enters Access VLAN10 on Router > Router responds back on the reverse path with DHCPOffer

Here is a diagram that may explain better than I can:

https://i.imgur.com/KrlNgG6.png

Don't ask why I can't use a trunk instead of 4 cables, it's a long story....



Cisco SDWAN, Viptela?

Anyone else run into MTU issues when working with 17.x and 802.1q interfaces?

Long story short, when converted to a trunk, the vEdge only supports a max wire-size frame of 1514, resulting in a max MTU of 1496, causing all sorts of fun.

Quick fix is to ensure the core switch transit VLAN that connects to the vEdge is set to 1496, and MSS adjust is set.

Not usually an issue with TCP flows due to the MSS adjust, but when it comes to full-frame UDP traffic... well, yeah.



Best practice to set root switches?

In a typical small office environment with a hub and spoke topology where 1 ISP goes to 1 firewall that is connected to 1 "core" distribution switch with several access switches connected to it, is it best practice (or even needed?) to set the "core"/distribution switch as root for all VLANs?

My thinking is with only default routes on the access switches and no redundant paths, traffic should never be taking the long way around regardless where the root gets elected. Although for future needs my preference would be to always set the distribution switch to root in case we start adding redundant links.



Should you change the router password for when you put in the router IP and are asked to enter a password or it doesn't matter security wise?

I know you should use a strong password for wifi but I don't use wifi and keep connected by wire and shut off wifi.

But there are two passwords for my router, the wifi one, and the admin password for the router.

Is it advised to change the router password or does it not matter in terms of hackers? I.e. would it only be accessible locally or via the internet as well?

If the former, I would say it was not pertinent to change it since no one accesses my flat etc.; that is not a security issue. But if the latter, I guess it should be changed.

So which is it? Is it accessible from the internet or only locally? I am talking about when you put in the router IP address and are taken to the admin settings page for the router.



Cannot get routers to communicate with ISP router in the following topology

Hey everyone. I was tasked with creating this topology in class, creating subnets and implementing the RIPv2 protocol for the orange zone:

https://i.imgur.com/jRBQtQx.png

To keep it short, every router can ping any router in the orange zone. The problem is that only the HQ router (directly connected to the ISP router) can ping the ISP router; needless to say that every router needs to be able to ping the ISP.

The network address of the ISP-HQ link is 201.165.205.224. The IPs of the interfaces that connect the ISP to HQ are 201.165.205.226 and 201.165.205.227, respectively.

This is the routing table of the HQ router: https://i.imgur.com/0CtkLD5.png

I've done the following:

HQ#(conf) router rip

HQ#(conf-router) network 201.165.205.224

This is how the routing table of Leste (a router directly connected to HQ) looks: https://i.imgur.com/Hn3DIFw.png

Here's my Packet Tracer file: https://ufile.io/ishon | I configured network 201.165.205.224 in this file.



Good IPS for Home and small business?

Hey guys I am hosting some basic servers along with a Synology at home, as well as at work.

I am trying to do everything I can to keep things as secure as reasonably possible. I am currently running pfsense, with pfblockerNG and Suricata.

Suricata has been...a pain, to say the least. So far I’ve only been running it at home so I can familiarize myself with it before setting it up at work too. But I have been removing false positives for over a month now, and I still managed to have my own iPhone blocked yesterday.

My question is this, what is a more “turn key” solution - yes I know nothing will be 100% turn key - that is actually affordable for a small business or even a home user?

I am going to be talking to the people over at UntangleNG today, but I’m getting the feeling their Snort based system won’t be any easier than what I’m already running. And at least what I’m already running is free.



Connect Through Home Internet Connection from Anywhere?

Hi, I'm wondering if there is a way to access the internet through my home network when I'm away. For instance, if I'm out of the country but want to connect to a site using my home IP address that I normally use, is there a way to do this (besides using Remote Desktop)? Essentially I would like to be able to set up my home network as a proxy server for when I'm not at home.



Let's play "What did I fuck up?"

Recent Firepower upgrade (not by me) caused tons of issues and outages (Fuck you for that Cisco). After that issue was "fixed" some devices needed to be moved to a new VLAN due to identity issues caused by the "upgrade". So I get a call. "This PC is no longer working". Get instructions from the boss to move device to a new VLAN to get it to work. So, go to the access switch, make VLAN change on the access port, and of course the uplink trunk doesn't have the VLAN, so add VLAN to the trunk. Go to the upstream distribution switch and add the VLAN to the downlink to the access switch. Go to the uplink trunk interface from the distribution switch to the core 6500 switch (G1/0/43) and add the VLAN to the trunk. I lose connectivity to the distribution switch. I cause an outage impacting some of our biggest customers. What did I fuck up? Some info is left out of course because mentioning it would give away what I fucked up. Can you solve this riddle?

Edit#1: I used the "add" keyword in all instances. Edit#2: Outage was 20-30 minutes. Edit#3: Issue not layer 3 related. Edit#4: I know the answer. As soon as I consoled in to the distribution switch I saw what happened and fixed it. Edit#5: Not a root switch issue. Edit#6: Issue partially answered by user raulnd. Can you place the last puzzle piece?



No S7 communication in L2 MRP Ring

http://bit.ly/2uRWnBX

Thursday, April 4, 2019

Pulling my fugging hair out over S2S OpenVPN with USG Pro

So a project got dumped on me which involves setting up a site-to-site VPN between two Ubiquiti USG PRO-4. The topology is currently

USG1WAN -> SW1 -> ONT1 -> INTERNET <- ONT2 <- FW <- SW2 <- USG2WAN 

I saw that OpenVPN must be used with the USG if you are behind NAT so I'm trying that with the following configuration

Site 1:
Remote Host: Site 2 Public IP
Remote Address/Port: Site 2 Public IP/501
Local Address/Port: USG1WAN IP/501

Site 2:
Remote Host: Site 1 Public IP
Remote Address/Port: Site 1 Public IP/501
Local Address/Port: USG2WAN IP/501

Even after reading this guide and the Controller User Guide, I still don't really understand what the fields mean and my googling is just finding a lot of client VPN setups and not S2S. Another hangup I realise with Ubiquiti is that I can't even see the status of the tunnel in the controller! Wtf! What IP addresses do I put where?

Send help please.



Need advice on build-out for ISP redundancy...

I've been asked to create redundancy in our ISP setup and need some help in designing this... execution will be a difficult task given that I have never done this before myself, but I figure I've got to get this part right first, eh..?

Basically I'm trying to nail down what is needed, what's not needed, what's simply overkill... I'll end up relying on vendors and contractors for execution but want to make sure they do not go nuts on the design and make this too complex for future support by a small staff w/o a lot of experience.

To that end I'm soliciting opinions on this drawing - https://imgur.com/xGrduev

Goals

  1. Add ISP redundancy - Primary connection, Failover connection
  2. Prevent other single-point of failure if possible
  3. Keep the setup as simple as possible

** goal #3 should be given strong consideration at each layer

** this solution is based in a colo... the support team live within 30 minutes, and can be on-site within an hour for a hardware replacement if needed.

In networks that I have previously supported, I have never had the challenge of multiple routers at the edge so dealing with BGP is new to me here. Have also never had a chance to deal with creating LAG's or Port-Channels between routers to switches, or from firewalls to switches... everything I have supported in the past was typically single-homed with a PRI/SEC firewall setup the only redundancy in the whole setup.

Big questions I have are:

  • Edge Routers
    • Is there a benefit to using multiple routers, or should we just aggregate both ISP's into one router..?
    • If two routers are used, am I correct in assuming you would need an HSRP connection between them to deal with BGP..?
    • Can you build a LAG or Port-Channel between the routers and the switching at the next layer..?
  • External Switch Stack
    • Same as above, is there benefit to putting a stack in and creating some kind of LAG or Port-Channel between the router/s to the switching at this layer, or just using one switch..?
  • Firewalls
    • Can you build a LAG or Port-Channel between the firewalls and the Core switching at the next layer..?


ACI so where should I start?

I just sat in on a half day partner training session on ACI.

It looks goddam magical, I'm not sure where vxlan has been all my life.

I guess I hit up dcloud, and watch videos and then hope I get put on a cool multi-million dollar project...

Any other suggestions?

Also according to Cisco, VMware NSX is shitty. Lol



Roku Devices Destroying our WiFi Network

Hey all,

We have Meraki MR52’s and Roku devices absolutely destroy my access points. If someone fires up a Roku stick the device will latch on to the same WiFi channel as the nearest WAP and then transmit at full power on the same channel (madness). This spiked my WAP channel utilization to 100% and users immediately lose connectivity or speeds drop significantly. I’ve read a bunch about others experiencing this too...

Others online have stated that Roku used to have a secret developer menu where you could do a few button presses and get access to nitty gritty WiFi parameters and transmit power menu. On my newest Roku this menu is removed!

Wondering if others in corporate networks have had these issues and how you combat this.

Note: even if you hardwire the Roku device it still, no matter what, will transmit its own WiFi network. Apparently the remote uses WiFi to communicate. We’ve also tried using an IR remote instead of the WiFi remote but the Roku continues to transmit the network.

Any advice is greatly appreciated!



Mobile Carrier Site Info

I recently decided to take on sales engineering at my small ISP, as we've been getting lots of low MRC orders, and I want to turn that around. I was doing some research on my company's fiber ring, which primarily serves rural communities. I figured cell sites would be a good candidate for wholesale backhaul, and thanks to this site http://www.cellreception.com/towers/ I found a bunch right off our ring. The thing is, the only listing info I can find is the tower owner. They don't typically lease fiber; the mobile carriers are responsible for that. I talked to one tower owner and they wouldn't provide me with contact info, which is understandable as those are their customers.

My company has a big pipeline in communities with not much competition, anyone have ideas on how to get a hold of a carrier's tower management?



Can't Load Some Websites (HTTP and HTTPS) After Public IP Migration

Has anybody had issues accessing websites after a public ip migration?

We have two HQ offices with separate public IP spaces. We only changed our public block on one of those two locations.
The location we didn't change has no issues. We noticed that a few trivial sites (trivial so far) don't load and just hang before timing out since changing our public IP block. Looking through logs I see no blocks. Even when I capture on the firewall at the edge, I see SYNs leave from my attempts but no SYN/ACKs come back from these sites. We've checked with some of these sites so far to see if they've blacklisted our new public range and the answer has been no.

In the past, I've had issues after installing new edge routers or getting new ISPs where you have to clear your ARP tables because your gear may be hanging on to stale L2/L3 info. I'm wondering if there's a layer 4-7 version of what I'm experiencing? Any ideas? These sites all load fine externally and/or from the site we didn't change the public space on.



Need Help with Multicast and VPN

Hey I need assistance. Maybe I am not thinking right about this issue or maybe there is something I haven't thought of yet.

I have an issue where I want to send multicast over a network, however I want to encrypt the multicast traffic. I also want to keep the multicast destination the same from the trust side to the untrust side, so this way I can allow the traffic to still flow to multiple sites simultaneously. I have access to both Juniper and Cisco routers to solve this issue, so any thoughts will help.

My vision of how this would work is to encapsulate the original header information and add new header information while keeping the multicast destination the same.

Here is a visual representation of what I am after. https://imgur.com/a/4cPb5UL

The reason why is because we have security cameras around the campus. They output to an individual multicast address; I don't control what the security section purchases, so I have no influence there.

These cameras allow for the security team to see what is going on around the buildings at different locations.

I have more than one security section that is interested in the video, even though my image only depicts one.

So I have to allow for the traffic to flow to both sections simultaneously, it works today no issues, however if someone were to insert themselves somewhere and sniff the MCast traffic they would see the cameras. I would like to prevent this.

Any help?



ISP SM optical handoff using SC simplex patch cord

AT&T installed a new link for us recently. The optical hand-off is two (2) single mode SC simplex connectors (one for transmit, one for receive). We have an ASR it will terminate to, via a standard LC SFP. My question is what would be the cleanest way to connect to this optical hand-off? Should I buy an adapter or buy a couple of LC to SC simplex patch cords? It seems a bit weird to run simplex LC cord into a duplex SFP.



IPv6 security questions

Hello folks. I'm still studying. I watched this video that talked about the "security implications" of IPv6. I know that video is from 2012, but how many of those "implications" still apply? I also just read this article, and one of my misunderstandings is with NAT. As far as I know NAT was born to help IPv4, and it's also useful to hide the real addressing of your network. I am really confused.
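
Added example, not from the post above or from the linked video/article. One IPv6 implication that has not gone away since 2012: a host that autoconfigures its address with a modified EUI-64 interface identifier (RFC 4291) embeds its MAC address in every IPv6 address it uses, so the same host can be recognised across prefixes and networks and its NIC vendor read off the address. RFC 4941 temporary ("privacy") addresses exist to break that link. The code derives the SLAAC address from a MAC, and recovers the MAC from an address when the identifier is EUI-64 shaped. The MAC and prefix used are made up for the example.

```python
import ipaddress


def mac_to_eui64_iid(mac):
    """Modified EUI-64 interface identifier (RFC 4291 App. A) from a 48-bit MAC."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must be six octets")
    # Insert FF:FE in the middle and flip the universal/local bit (0x02 of octet 0).
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def slaac_address(prefix, mac):
    """Address a host autoconfigures in `prefix` (a /64) without privacy extensions."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr):
    """Recover the MAC if the interface identifier is modified EUI-64, else None.

    A temporary address (RFC 4941) or a manually chosen one has a random or
    arbitrary identifier without the FF:FE marker and yields None.
    """
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02          # undo the universal/local flip
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:1b:63:84:45:e6"   # constructed example MAC
    for prefix in ("2001:db8::/64", "2001:db8:1::/64"):
        a = slaac_address(prefix, mac)
        print(prefix, "->", a, "-> MAC", mac_from_address(a))
    print(mac_from_address("2001:db8::a1b2:c3d4:e5f6:708"))   # None: not EUI-64
```

The second loop iteration is the tracking problem in one line: a different prefix at a different site still yields the same MAC. Whether inbound connections reach the host is a separate question, and on IPv6 it is answered by a stateful firewall rule set, not by address translation.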



How google tracks internet location?

Let's say my real location is A. My approximate IP address location is B (confirmed by visiting ipcorner.io). When I visited google.com in a private browsing tab, it showed a location at the bottom with the note "From your Internet Address", which is C. Location B is over 400 km from A, but C is only around 50 km from A, which is pretty accurate. How is Google finding this? Are they getting this from my router? I am connected to the internet via a router with a dynamic IP. I tried this same setup with a cellular network; in that instance google.com showed pretty much the same approximate IP location as ipcorner.io, which is acceptable. Is getting router location possible?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



I need to get a quick list of User groups and users in those groups on Active Directory.

Is there a quick PowerShell command / command line command that will allow me to view all user groups and their members on Active Directory? It's for a class and I didn't have a hand in organizing AD, so I'm not super sure of how to get this information aside from drilling down all of the groups and clicking "Members". It's Windows Server 2016.



Best Practice - Firewalls Should Not Route??

So basically we've done a global deployment of firewalls and towards the MPLS WAN some of the firewalls do BGP. These are grunty enterprise firewalls so no issue with performance and/or features IMO. So when requesting a new ASN from the (large global) Service Provider one of their employees questioned our setup, saying it's not best practice for Firewalls to do routing. He reckons we should use a router to do the routing "for layers of security". Turns out he's like a director of CyberSecurity or something.

I challenged him respectfully saying I can't see any reason as to why we'd want to add an extra hop/extra device to manage/extra device that can fail/spend extra money. He didn't give a proper reason just some generic statement about security best practices are important blah blah.

So purely from a technical security perspective can someone please shed some light on why? It appears "firewalls should not route" is best practice from a decade ago, but I'm open to be corrected and enlightened. I guess dynamic routing opens up another attack vector but I'd rather have the firewall take the attacks as there would be better logging, visibility and protection...



IPS/IDS vs IPS/IDS Sensors

I have a course assignment, in which it tells to indicate where IDS and IPS's are supposed to be. 1st network for example.

But then he says to add IDS/IPS sensors also, and I am confused about what the difference is. They seem to work the same way as if they're the same thing, only the sensors seem to be cheaper. Are the sensors supposed to be an extension of the IDS/IPS's?

It's an online course, with no book, and all my attempts of trying to google the difference have failed. I've emailed him about it, but I'm going to post here for good measure.



network ACL versus content filtering

Here is the weird question I'm supposed to answer for my studying. Any help much appreciated.

A company's current security policy mandates PII is not stored in a SaaS solution. Which of the following configurations should be used to block sensitive info from being stored in the SaaS?

a.implement file level encryption

b.implement network ACL

c.implement IPS

d.implement content filtering

I can't decide between b and d.

thnx



Asymmetric routing issue: How to use PBR to make sure traffic that arrives on ISP-A leaves on ISP-A, not ISP-B

We have 2 ISPs (ISP-A and ISP-B).

On our edge router, ISP-B is configured as the default gateway while ISP-A advertises 16,700 routes to us.

As a result, we occasionally experience traffic coming in on ISP-A and leaving via ISP-B, and vice versa (coming in on ISP-B and leaving on ISP-A). We have a script that sends an email any time asymmetric routing occurs and from the looks of it, it happens ~4 times a week.

I have basic knowledge of PBR. I know how to direct traffic based on the source IP using an ACL, but I was wondering if PBR can also be used to fix this asymmetric issue.

My question is how do I use PBR to make sure that traffic coming in on ISP-A leaves on the same ISP-A.

thanks



DHCP server on VM with Windows Server 2016 + Svive/Cisco switch

Hi,

I've set up a virtual machine with Windows Server 2016. I'm thinking of setting up a DHCP server, to try to learn more about networking. I'm just a bit scared of ruining the whole network for the students around the area.
My computer is cabled with an RJ-45 right now to port 8 on the Svive 8 port switch, and then from switch port 1 to my network point on the wall.

Do you guys think it will be OK to install the DHCP server on the VM? If I remove the switch and just directly connect to the network point on the wall, will it interrupt the other people's network? :)

Thanks in advance. Tried googling it but couldn't find anything.

Btw, I've a Cisco catalyst 2960 switch also which I've not setup yet. Should I maybe change from the Svive 8 port to the 48 port 2960 switch, and then set everything up?



Trunking a LAG

Hi /r/networking

I'm trying to set up a test environment for a traffic inspection device to replace an existing product.

The way the existing environment is set up is ISP -> Core Router -> inspection -> Core Router -> TOR Switches. We utilize a PBR to force traffic coming from the ISP onto the inspection device, at which point the return traffic flows back to the Core Router and rest of the network normally. The inspection device is connected via a 4x10G LAG. The Core Router is a Brocade MLX-8.

I have the new product sitting behind a TOR on a 2x1G LAG. The Core Router does not have any additional ports available, or else I would have connected them directly. Admittedly I'm not a network engineer, so this is out of my realm. Is it possible to trunk the physical connection to the TOR directly to the Core Router and set up the LAG on the CR, is it possible to trunk the virtual interface created by the LAG directly to the CR? Either way, I would like to set up the PBR on the Core Router to do this traffic forwarding.

Or if I'm going about this completely the wrong way, please let me know! Thanks in advance guys



End-user question about high-tier ISP packet loss

I am a typical end-user with a question best answered by this sub. Per sidebar it should be allowed as an educational topic.

 

Question: Who is responsible (legally and practically) for packet loss that occurs midway between my home network and a target server half way around the planet?

 

Example: I am located in Europe and connecting to a server in the USA. Specifically it's a gaming server located in a Chicago DC. I've been having connection issues and have concluded (after ruling out my home network first) that this is due to packet loss along the way, specifically at a Telia router (or is it a switch) in NY, where it's between a crazy 40-50% (other hops have PL at <1%). I suspect this is in NYC because of the hostname - nyk-bb4-link.telia.net. Whois is showing Telia's Swedish HQ address for all their hops (ffm, prs, nyk), so I am basing location info on the prefix. Also, I tried a couple other Chicago connections and PL is limited to Telia. msichicago.org was also giving me ~50% PL in nyk and 4% at ldn while chicago.gov and fieldmuseum.org had no PL as they were through seabone.net and att.net.

 

Of course I would like to get this connectivity issue fixed but more importantly, and that is why I am posting here, I would like to understand what is going on at these higher levels of networking. I get that my ISP is a member of a national IX and unless there's local peering going on (which in this case there probably isn't), then it's a question of ip transit, but which party is paying for that and who is responsible for the quality of traffic between my ISP and the target server? Is it my ISP or the gaming company that owns/rents the server in the Chicago DC? Do these IP transit clients usually have contracts with just one company? For example, if Telia transit fails, does the client have a fallback carrier and when/how does that kick in?

Basically, as you can tell, my understanding of this is very limited and I acknowledge the complexity of networking beyond that of my home, so if it's not feasible to provide an ELIx answer, is there at least a recommendation on some good reading material or even youtube channels that would help me find answers to these sort of questions? I came across "Tubes: A Journey to the Center of the Internet". It has a lot of reviews on goodreads, but an ok rating, so not sure if I should skip it for something better. For recommendation context, my current networking knowledge is an incoherent mess of wikipedia-level info (IXs, transit/peering, different tier ISPs, Colos, MMRs, Cross-connects, ASNs), so a book that would bring all that together and build on it would be mostly appreciated.
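
Added example, not part of the post above: a small Python parser for `mtr --report` style output that tells the two kinds of "loss" in a traceroute apart. Loss on the actual forwarding path is inherited by every hop after it and shows up at the destination; a single hop reporting heavy loss while every later hop is clean is that router rate-limiting or deprioritising the ICMP TTL-exceeded replies it sends back to you (control-plane policing), which says nothing about the traffic it forwards. Both sample reports below, including the example.net hostnames, are constructed for the example; the column layout is mtr's.

```python
import re

# Constructed mtr --report output: hop 4 answers slowly to probes aimed at it,
# but nothing behind it loses packets, so the forwarding path is clean.
SAMPLE_REPORT = """\
HOST: home-pc                     Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1                0.0%   100    0.4   0.5   0.3   1.2   0.1
  2.|-- 10.0.0.1                   0.0%   100    8.1   8.4   7.9  12.0   0.6
  3.|-- ffm-bb1.example.net        0.0%   100   12.2  12.5  11.9  19.1   0.9
  4.|-- nyk-bb4.example.net       45.0%   100   98.3  99.1  97.8 104.2   1.1
  5.|-- chi-b2.example.net         1.0%   100  110.0 110.8 109.5 118.7   1.3
  6.|-- 203.0.113.50               0.0%   100  112.1 112.6 111.4 120.0   1.4
"""

# Constructed report of real path loss: everything behind hop 4 inherits it.
SAMPLE_REPORT_PATH_LOSS = """\
HOST: home-pc                     Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1                0.0%   100    0.4   0.5   0.3   1.2   0.1
  2.|-- 10.0.0.1                   0.0%   100    8.1   8.4   7.9  12.0   0.6
  3.|-- ffm-bb1.example.net        0.0%   100   12.2  12.5  11.9  19.1   0.9
  4.|-- nyk-bb4.example.net       40.0%   100   98.3  99.1  97.8 104.2   1.1
  5.|-- chi-b2.example.net        38.0%   100  110.0 110.8 109.5 118.7   1.3
  6.|-- 203.0.113.50              39.0%   100  112.1 112.6 111.4 120.0   1.4
"""

MTR_LINE = re.compile(r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%\s+(\d+)")


def parse_mtr_report(text):
    """Hop number, host, loss percentage and probes sent for each hop line."""
    hops = []
    for line in text.splitlines():
        m = MTR_LINE.match(line)
        if m:
            hops.append({"hop": int(m.group(1)), "host": m.group(2),
                         "loss": float(m.group(3)), "sent": int(m.group(4))})
    return hops


def classify_loss(hops, noise=2.0):
    """Label each hop's loss as none / control-plane / path / end-to-end.

    A hop whose loss exceeds the best loss seen anywhere behind it by more than
    `noise` percent is only failing to answer probes addressed to itself.
    Loss that carries through to the last hop is what the application feels.
    """
    verdicts = {}
    for i, h in enumerate(hops):
        if h["loss"] <= noise:
            verdicts[h["hop"]] = "none"
            continue
        downstream = hops[i + 1:]
        if not downstream:
            verdicts[h["hop"]] = "end-to-end"
        elif min(d["loss"] for d in downstream) + noise < h["loss"]:
            verdicts[h["hop"]] = "control-plane"
        else:
            verdicts[h["hop"]] = "path"
    return verdicts


def end_to_end_loss(hops):
    """The only loss figure worth raising with a provider: loss at the destination."""
    return hops[-1]["loss"] if hops else None


if __name__ == "__main__":
    for report in (SAMPLE_REPORT, SAMPLE_REPORT_PATH_LOSS):
        hops = parse_mtr_report(report)
        print(classify_loss(hops), "end-to-end:", end_to_end_loss(hops))
```

A caveat the parser cannot remove: mtr probes with ICMP by default, and a game server's UDP flow can be treated differently by the same routers, so a clean ICMP path is evidence, not proof. Running `mtr --udp` or `--tcp` toward the service port narrows that gap.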



Network Automated Test Frameworks

Hi folks! I'm starting down the path of leveling up our post-deployment test mechanisms to move them from manual checklists to automated tests with generated reports.

I've started looking at Robot Framework and pyATS + Genie, and I'm wondering if others have had success using that or other frameworks. What are the benefits and disadvantages you've run into?

Eventually I'd love to evolve this into a continuous test rather than a one-off job that gets kicked off so that it's easier to track state regressions after a change.

Thanks in advance!



What the FTP?

A little background. We have a Barracuda link balancer that connects us to the internet through two ISPs (one cable, one DSL) for failover. We are going to have to move our entire server/networking closet because of some remodeling to our office. We had a rep from the DSL company come out today and while he was looking at the modem he jiggled some wire and maybe pulled the power on the modem. Whatever the case, we lost connection on the DSL. Not a big deal; we mainly use the cable, the DSL is just for emergencies.

Here is where the strangeness starts. One of our designers told me they weren't able to connect to FTP to update the websites. While investigating we found that all FTP traffic on the entire network was being redirected to one of our two FTP servers. It didn't matter what address you put in, all traffic for port 21 was going to the one server. This is true for any traffic originating inside and outside the network. As soon as any port 21 traffic hit our network it was being sent to the one server. Rebooting the DSL modem fixed the issue but how on earth could one malfunctioning modem that isn't even used by the majority of our traffic be able to redirect all the FTP traffic on the network?



Weird behaviour when redirecting traffic internally from Default Gateway

In an office we have 2 internet links, one goes to a router which contains all our vpns and routes to our vpn destinations and one which goes to a fw which is for internet traffic only.

The default gateway is the router, out via Comcast; this then has a default route pointing to the firewall which is used for internet. Traffic flow for VPN destinations is user > router > VPN tunnel via Comcast. Traffic for internet traffic is user > router > firewall > internet.

Router and FW have a LAN leg in the same subnet.

I'm in the middle of splitting 2 departments into 2 subnets so we can make use of each internet link; the default gateway will be the router for one (removing the redirect default), and the other department will use the firewall as the gateway.

When I set my gateway to be the firewall I am unable to SSH to VPN destinations. I have a route on the firewall pointing to the router for VPN destinations. Ping works fine, so user > FW > redirected to router > VPN tunnel > end device.

Ping is fine, but when I try to SSH to a device destined via VPN I cannot connect. A Wireshark capture shows that traffic is going both ways but I'm seeing "tcp acked unknown segment".

Traffic outbound is user > FW (10.1.10.1) > router (10.1.10.10) > VPN. Traffic inbound would be VPN > router (10.1.10.10) > user. Inbound traffic does not go via the firewall as FW, router, and user have a leg in the same LAN.

What's going on here? Is it because inbound is not hitting the firewall, rather it's coming direct to the user? The redirect default works when the router is the gateway, but not when the firewall is the gateway.



Old Server to new system, no access to old server

Funny situation.

There's an old server at one of our locations that nobody has access to root on, so nobody can get in to change IP addresses.

We're migrating remaining devices off of the old network and moving them to new...but this one. This one is a problem. Its still a mission critical device locally until the new replacement is installed, which could be months down the road.

I'm wondering if it is at all possible to cheat our way out of this without having an IP conflict, as the network (old system) that it is on also exists on the new system--elsewhere.

So for argument sake I'll say that this machine has an ip of 10.10.10.156/24

10.10.10.0/24 is a network that is tied in to OSPF elsewhere, and though there is no potential IP conflict (at that particular IP), this still poses a problem.

I am resigned to leaving this and the ridiculous switch setup in place for the time being for the sake of leaving this thing online until the service itself is replaced by a new one.

I'd much rather have access to an old password book, but looking for other options.



OSPF Unnumbered between IOS-XR and Junos

I'm trying to determine if it is possible to establish an OSPF adjacency between IOS-XR and Junos using unnumbered (ethernet) interfaces.

The RFC indicates that the netmask should be ignored on point to point interfaces. However Juniper's take on that is ethernet is not a p2p medium, and so the netmask is considered. On the IOS-XR side, a netmask of 255.255.255.255 is sent, which is different than the 0.0.0.0 that Junos uses. 0.0.0.0 is the RFC compliant mask. And thus no adjacency because the Junos side considers the netmask that IOS-XR sends.

Is there any way to tell one or the other OS to ignore its own little idiosyncrasy?



Need help finding an IKEv2/PSK compatible VPN client for Windows (more info inside)

I need to test a client IKEv2 VPN connection to my Fortigate with a VPN client other than FortiClient. I am hoping someone might be able to suggest a compatible VPN client. I need to be able to configure the IKEv2 parameters (enc/hash algos, DH groups, etc.) and it must be PSK-compatible.

Here are a few I've already tried:

-ShrewSoft

-AnyConnect 4.7

-EtherSoft

-Native Windows VPN client

None of them seem to have the right combination of features I need. Does anyone know of a versatile-enough VPN client that supports IKEv2 with PSKs for private VPN servers?



Lost with some really basic things

Hello. I took my CCNA courses in university a few years ago but I seem to have forgotten things. I started a new job in networking. I'm comfortable configuring interfaces, VLANs, BGP and stuff like that, but some basic troubleshooting and verification knowledge seems to be lost on me. Like checking if other (edge) routers are receiving default routes, whether the networks are being advertised, etc.

Does anyone have a source for good materials on these kinda topics?



200m network extension.

I'm looking at ways to get signal from our modem to the other side of a building which is about 200 meters away. Cable options are out so I'm looking at a directional antenna.

Is there a way to patch the phone line into the antenna and move the modem or would it be easier to send a wifi signal across?

Antenna/setup recommendations for either would be helpful!

1,000 apologies if this is the wrong sub.



Physically lockable network patch ports

Hi All,

I have a bit of a strange solution I'm looking for. As background, our offices are almost exclusively WiFi based for network access and the only real need for physical ports is in IT, where hard-wired connections are required for developers, etc. For the majority of these ports we have them locked down with port security as well as monitoring tools checking for invalid access in the event of MAC spoofing. Now our trouble is with our service desk staff, who require the ability to plug any computer into the ports at their desks for troubleshooting/imaging, and as such port security simply won't work.

Essentially what I am looking for is a product that would introduce a level of physical security to these patch ports which would require a key to open the patch panel in order to connect a cable to the RJ-45. Ideally I'd like it so that a single cable could statically leave the lockbox so they can remain locked at all times, and if the connection needs to change, then they would unlock the port and connect a new cable.

Is anyone aware of anything like this being available on the market? I've done some looking and all I can find is cheap plastic port plugs that block the port until you go at them with a set of side cutters, and that's not exactly secure in my opinion.

Thanks in advance for any insight all you fine people can provide.



Need help with Dell 6224 or recommendation for different approach

I have inherited a bunch of servers (30+) that all live on the same network. I connected them all to a fresh Dell 6224 and pointed the Dell at my gateway. Everything works. The Dell is basically unconfigured and just acting as a dumb switch. I just recently discovered that some of my VMs are using one of the hypervisor ports to get to a completely different network, which I don't have set up. This new network and my existing network need to route to each other.

My solution was to use the 6224 to set up a new VLAN for the new network, and let it handle the routing. I believe the 6224 can act in this capacity. Unfortunately my knowledge of getting this switch to do what I want is limited. First question, is it in my best interest to get a dedicated router for this? Or should the 6224 handle this easily.

Second question, I'm currently about 400 miles from the hardware, and I'm worried about losing access to the dell and rest of the network while working remotely. Is there a safe way to implement the VLANs and associated routing without risk of losing connectivity?

I have done some research, and I have two links that contain information that relates to what I want to do, but I'm not super comfortable with how the 6224 will behave as I try to implement this:

Old post from this sub

Post with steps from VirtualDave

In the Dave post, he talks about enabling routing globally: console(config)# ip routing

I'm worried that once I do that, I may lose access to the web management interface, and/or lose access to my whole network, since VLAN1-Default doesn't route. Any risk of this, or am I misunderstanding?

Once I do this, it seems like I should group my initial primary set of devices into a new VLAN and my new network into a second vlan, and set up the routes. I can most likely fumble my way through this.

Anyway, I'm open to recommendations or a sanity check from someone with familiarity of the 6224's temperament.

My apologies if this post is below the skill level required to ask a question. Thanks.



Connecting branch office, IPsec or flat Layer 2?

We have a branch site connected with Palo Alto Site-Site VPN.

We are getting a L2 circuit between our main office and that branch.

We want to connect the branch with this new circuit but what option would be better?

A) Connect Core-Core Layer 2, no encryption

B) Use this L2 link for creating a bigger pipe for IPsec site-site

If we extend L2 across a service provider, how secure is it? What options are there to secure that L2 communication?



iso20000 certification

https://ift.tt/2CUYCsU

PBR Not working with BGP with 1 IX and 2 ILL Link .

Hi,

2 ILL links and 1 IX link are configured in BGP. From the IX I am receiving 50k routes and from the 2 ILL upstreams I am receiving a default route only.

I want to manage the outbound traffic through PBR. When I configure the PBR it works, but in that case the outbound traffic is not going through the IX link to directly connected prefixes. To avoid this problem I am using IP routing rules, but in that case the traffic is going through the IX link but not through the ILL link which I have configured in PBR; instead it's going over the other ILL link which is not configured in PBR.



(Newb)Question: Routing between locations over Lan-to-Lan.

Hi /r/networking

I'm a sysadmin who has been tasked with configuring our new core switch. We don't have real dedicated network engineers as we're just a small company with an oversized ego :-)

Right now we have a LAN-to-LAN VPN between our main office and the hosting facility where we're renting two rack spaces, and a breakout to the internet where we have a Sophos firewall in place. Now we need to close the breakout locally and have everything go through hosting. Thus I need to do all our routing on our Aruba 2930F, instead of on the firewall and MikroTik routerboard we have in place now.

My question is, to get to hosting is it enough to have a 0.0.0.0 0.0.0.0 "insert gateway of hosting firewall" route and then configure where to send traffic on the firewall? Is it even possible? I'm a bit out of my depth, but I haven't lost hope that I can figure this out eventually; hopefully you guys can be of assistance!

Inserting my current config draft below:

Running configuration:

; JL258A Configuration Editor; Created on release #WC.16.08.0001
; Ver #14:07.6f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:24

hostname "KEH10-CORESW"
module 1 type jl258a
time timezone 60
ip access-list extended "UNTRUSTED"
   10 permit tcp 10.10.120.0 0.0.0.255 0.0.0.0 255.255.255.255 established
   20 permit tcp 10.10.130.0 0.0.0.255 0.0.0.0 255.255.255.255 established
   30 permit icmp 10.10.130.0 0.0.0.255 0.0.0.0 255.255.255.255 0
   40 permit icmp 10.10.120.0 0.0.0.255 0.0.0.0 255.255.255.255 0
   50 deny ip 10.10.120.0 0.0.0.255 10.10.10.0 0.0.0.255
   60 deny ip 10.10.120.0 0.0.0.255 10.10.100.0 0.0.0.255
   70 deny ip 10.10.120.0 0.0.0.255 10.230.70.0 0.0.1.255
   80 deny ip 10.10.130.0 0.0.0.255 10.230.70.0 0.0.1.255
   90 deny ip 10.10.130.0 0.0.0.255 10.10.100.0 0.0.0.255
   100 deny ip 10.10.130.0 0.0.0.255 10.10.10.0 0.0.0.255
   110 permit ip 10.10.120.0 0.0.0.255 0.0.0.0 255.255.255.255
   120 permit ip 10.10.130.0 0.0.0.255 0.0.0.0 255.255.255.255
   exit
ip route 0.0.0.0 0.0.0.0 10.230.80.1
ip routing
snmp-server community "public" unrestricted
snmp-server contact
vlan 1
   name "Management"
   no untagged 5-8
   untagged 1-4,9-10
   ip address 172.16.0.1 255.255.254.0
   ipv6 enable
   ipv6 address dhcp full
   exit
vlan 10
   name "Servers"
   untagged 5-8
   tagged 9-10
   ip address 10.230.70.1 255.255.254.0
   ip helper-address 10.230.70.52
   exit
vlan 100
   name "Clients"
   tagged 9-10
   ip address 10.10.100.1 255.255.255.0
   ip helper-address 10.230.70.52
   exit
vlan 110
   name "WiFi"
   tagged 9-10
   ip address 10.10.110.1 255.255.255.0
   ip helper-address 10.230.70.52
   exit
vlan 120
   name "BYOD"
   tagged 9-10
   ip access-group "UNTRUSTED" in
   ip address 10.10.120.1 255.255.255.0
   ip helper-address 10.230.70.52
   exit
vlan 130
   name "Guest"
   tagged 9-10
   ip access-group "UNTRUSTED" in
   ip address 10.10.130.1 255.255.255.0
   ip helper-address 10.230.70.52
   exit
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
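The "UNTRUSTED" ACL in the draft above is the only thing separating the BYOD and Guest VLANs from the rest of the network, so it is worth checking what it actually permits before the breakout moves. The following is an added example, not code from the poster: a first-match evaluator that models the wildcard-mask semantics of an extended ACL and runs the posted entries against constructed flows. The hosts in the test flows are taken from the VLAN addresses in the posted config; the `established` and ICMP-type handling is the standard meaning of those keywords. With the entries as posted, new connections from BYOD/Guest to the Servers, Clients and 10.10.10.0/24 ranges are denied, while destinations with no deny entry (the WiFi and Management subnets) fall through to the final permit, which the evaluator makes visible.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the post): a first-match evaluator for the
# "UNTRUSTED" extended ACL above, using wildcard-mask semantics.


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr is inside network/wildcard (0 bits must match, 1 bits are ignored)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol; otherwise "tcp"/"icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    established: bool = False        # tcp: only segments with ACK/RST set (return traffic)
    icmp_type: Optional[int] = None  # icmp: restrict to one message type (0 = echo reply)


ANY = ("0.0.0.0", "255.255.255.255")
BYOD = ("10.10.120.0", "0.0.0.255")
GUEST = ("10.10.130.0", "0.0.0.255")

# The ACL exactly as posted, entry by entry (seq, action, proto, src, src_wc, dst, dst_wc).
UNTRUSTED: List[Ace] = [
    Ace(10, "permit", "tcp", *BYOD, *ANY, established=True),
    Ace(20, "permit", "tcp", *GUEST, *ANY, established=True),
    Ace(30, "permit", "icmp", *GUEST, *ANY, icmp_type=0),
    Ace(40, "permit", "icmp", *BYOD, *ANY, icmp_type=0),
    Ace(50, "deny", "ip", *BYOD, "10.10.10.0", "0.0.0.255"),
    Ace(60, "deny", "ip", *BYOD, "10.10.100.0", "0.0.0.255"),
    Ace(70, "deny", "ip", *BYOD, "10.230.70.0", "0.0.1.255"),
    Ace(80, "deny", "ip", *GUEST, "10.230.70.0", "0.0.1.255"),
    Ace(90, "deny", "ip", *GUEST, "10.10.100.0", "0.0.0.255"),
    Ace(100, "deny", "ip", *GUEST, "10.10.10.0", "0.0.0.255"),
    Ace(110, "permit", "ip", *BYOD, *ANY),
    Ace(120, "permit", "ip", *GUEST, *ANY),
]


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    established: bool = False
    icmp_type: Optional[int] = None


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, matching sequence); ("deny", None) is the implicit deny at the end."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if not wildcard_match(flow.src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(flow.dst, ace.dst, ace.dst_wc):
            continue
        if ace.established and not flow.established:
            continue
        if ace.icmp_type is not None and ace.icmp_type != flow.icmp_type:
            continue
        return ace.action, ace.seq
    return "deny", None


def blocked_destinations(src: str, candidates: List[str]) -> List[str]:
    """Candidate hosts that a new TCP connection from src is denied to reach."""
    return [d for d in candidates if evaluate(UNTRUSTED, Flow(src, d, "tcp"))[0] == "deny"]


if __name__ == "__main__":
    # Constructed flows: one address per VLAN from the posted config, plus a public host.
    targets = ["10.230.70.52", "10.10.100.1", "10.10.110.1", "172.16.0.1", "10.10.10.1", "8.8.8.8"]
    for src in ("10.10.120.5", "10.10.130.5"):
        print(src, "denied to", blocked_destinations(src, targets))
```

Because the ACL is applied inbound on VLANs 120 and 130 only, a flow from any other source never reaches it; the evaluator reports such a flow as the implicit deny, which is the correct result for the list itself but says nothing about traffic on the other VLANs.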



ASA HA Stateful VS Failover interface

Hello,

Can anyone explain the difference and need for a failover interface when we already have a stateful failover interface?

2140 firepower running ASA code.



nexus PBR (anything but RFC 1918) to new DMZ edge

Guys,

We are in the middle of a FW edge migration and want to send specific subnets to the new internet edge for anything but RFC 1918 address space; we want the RFC 1918 address space to follow normal routing behaviours. Our switching infrastructure is Cisco Nexus 9k (7.0(3)I7(5a)).

I was first thinking of doing this using PBR: creating an ACL with 3 deny statements at the top to deny RFC 1918 from being policy routed to the new internet edge and then a permit on 0.0.0.0/0. I would reference this in a route map and then set the next hop to the new internet edge.

I went to do this and NX-OS didn't like it, and told me that I can't have deny statements in an ACL referenced in PBR (I'm sure I have done this on IOS).

So my second train of thought would be to create 2 ACLs named 'routed_to_new_edge' and 'normal_routing' (names will probably change). 'routed_to_new_edge' would contain the following logic: permit SOURCE to 0.0.0.0/0. 'normal_routing' would contain the following logic: permit SOURCE to RFC1918.

I would then create a route map with 2 sequences. The first sequence would match the 'normal_routing' ACL and have no set statement (this would not have any effect on the flow and would follow the normal routing logic); my second sequence would match the 'routed_to_new_edge' ACL and the next hop would be set to the new internet edge firewall.

Can anyone foresee any issues with this? Should this logic work? Has anyone done anything similar? Obviously all PBR will be removed when the FW migration is complete.

Thanks
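The two-ACL route map described in the post above depends on one property: a sequence that matches but carries no set clause ends the policy lookup and hands the packet to the normal routing table, so the RFC 1918 sequence shields internal traffic from the catch-all that follows it. The following is an added example, not the poster's configuration: a small model of that route map in Python, with a constructed source subnet (10.50.0.0/16) and a constructed next hop from the TEST-NET-3 range standing in for the new edge firewall. It also runs a table of intended outcomes through the policy so the ordering can be checked before anything is applied, and shows that swapping the two sequences silently steers RFC 1918 traffic to the new edge.

```python
import ipaddress
from typing import Callable, List, Optional, Tuple

# Added example (not from the post): a model of the two-ACL route map described above.
# All addresses are constructed placeholders, not the poster's.

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SOURCE = ipaddress.ip_network("10.50.0.0/16")   # constructed: the subnet being steered
NEW_EDGE = "203.0.113.1"                        # constructed: new internet edge firewall

IPv4 = ipaddress.IPv4Address


def acl_normal_routing(src: IPv4, dst: IPv4) -> bool:
    """'permit SOURCE to RFC1918': traffic that must follow the normal routing table."""
    return src in SOURCE and any(dst in net for net in RFC1918)


def acl_routed_to_new_edge(src: IPv4, dst: IPv4) -> bool:
    """'permit SOURCE to 0.0.0.0/0': everything else sourced from SOURCE."""
    return src in SOURCE


# Each entry is (sequence, match ACL, "set ip next-hop" value or None). A None next hop
# is a matching sequence with no set clause: the packet is routed normally and later
# sequences are not consulted, which is what lets sequence 10 protect RFC 1918.
RouteMap = List[Tuple[int, Callable[[IPv4, IPv4], bool], Optional[str]]]

ROUTE_MAP: RouteMap = [
    (10, acl_normal_routing, None),
    (20, acl_routed_to_new_edge, NEW_EDGE),
]


def policy_next_hop(route_map: RouteMap, src_ip: str, dst_ip: str) -> Tuple[Optional[int], Optional[str]]:
    """First matching sequence wins. Returns (sequence, next hop); a None hop means normal routing."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, match, next_hop in route_map:
        if match(src, dst):
            return seq, next_hop
    return None, None  # nothing matched: normal routing as well


def check_policy(route_map: RouteMap, cases) -> List[str]:
    """Run intended outcomes through the model; returns a description of every mismatch."""
    failures = []
    for src, dst, expected_hop in cases:
        _, hop = policy_next_hop(route_map, src, dst)
        if hop != expected_hop:
            failures.append(f"{src}->{dst}: expected {expected_hop}, got {hop}")
    return failures


# Constructed test table for the pre-change check.
EXPECTED = [
    ("10.50.1.10", "10.0.5.5", None),          # RFC 1918 destination: normal routing
    ("10.50.1.10", "192.168.9.1", None),
    ("10.50.1.10", "198.51.100.7", NEW_EDGE),  # public destination: steered to the new edge
    ("10.60.1.10", "198.51.100.7", None),      # not in SOURCE: policy does not apply
]

if __name__ == "__main__":
    print("ordered as posted:", check_policy(ROUTE_MAP, EXPECTED) or "ok")
    print("sequences swapped:", check_policy(list(reversed(ROUTE_MAP)), EXPECTED))
```

The model deliberately ignores what happens when the set next hop is unreachable; on the real platform that case falls back to the routing table, so a verification table should also cover a failed new edge.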



Here is the list of OSPF, RIP, and EIGRP passive interface labs and theories.



BGP Dual-home Prepending

We are set up between two ISPs for redundancy, receiving full routes from each, one primary 1Gb/s with a 300Mb/s backup. We are using prepending to add a few hops to the backup circuit so that most of the traffic comes through the primary circuit.

However, if maintenance is done causing an even brief outage to the primary circuit, it seems like the route-map no longer works, even after the primary circuit comes back up. The majority of the traffic comes through the backup circuit. In order to resolve the issue, I can remove the route-map, wait for the tables to adjust, and then reapply the route-map. After doing so, the traffic flips back to the primary circuit.

Anyone know what is going on? Is there a better way to do things?

Thank you.



Ansible - Extracting variables from Output

Hey guys,

Hoping you can all help. I've nearly finished my project to implement device configuration standards using Ansible but I can't get this last bit to work! I've copied my post from /r/ansible below:


I'm working on a task that will run a command (see below) on a Cisco device and return an output. What I then want to do is check that output, compare it to "inventory_hostname" (the IP address), and then register a variable from that line.

My code may clear it up:

- name: getInterface
  ios_command:
    commands:
      - show ip int bri | inc [0-9]+[ ]+YES
    timeout: 20
  register: interface

- name: debuggings
  debug:
    msg: ""

This returns:

"msg": "Vlan13 1.1.1.1 YES NVRAM up up" 

Essentially I want to scan through the output and pick out "1.1.1.1" if it matches inventory_hostname and then register "Vlan13".


Has anyone done anything similar in your own setup? I've tried a few methods but still can't get this to work!

Thanks in advance



Advice for a secure RDP connection

Hi all

This is in between home networking and enterprise, so I hope you don't mind the post.
I have an RDP connection for my home PC.
I often use it while I'm at work to connect in to home to test things externally (I'm a jr sys admin).
However I know that having RDP open is a bad idea.
I have it set to a different port, but even then I know it's not secure.

I've been meaning to set up a VPN to remove most of the port forwarding I have on my router, but I'm looking for a way to best set up the VPN for my RDP.

I can't make a VPN at work, as I still need to be able to connect to work servers etc.,
and sometimes I'm using a different PC than my usual one (on the road with no laptop, so using someone else's PC).

Ideally I'm looking for some sort of RDP client that uses a VPN.
My backup plan was a portable VirtualBox with a pre-configured OS with VPN, but I know that's doubling up resources and I'd like to try to avoid having to run a whole OS just for RDP.

Any ideas or input would be great
Thanks



Wednesday, April 3, 2019

Do most of you people here recognize most of the tools and acronyms mentioned here? I'm still pretty green to the field, but there are sooo many different acronyms and tools out there that I have a hard time believing most people have any clue what other people are talking about on this sub.

Am I the only one? Like I said, I'm new to this. But how long have you been in the field and what percentage of these posts/questions do you understand without consulting Google? I try to pick a new acronym or tool a day to look up and research, but come up with 10 new ones in the first 4 posts' titles. Do most of you guys understand most of what's being asked/discussed here?

And if so, why do you think you can so easily keep up with all of the topics/tools/technologies that are brought up here? How can I do the same? Experience? Study? Tech news?....?? There are so many fucking acronyms!!!



What is the typical eBGP convergence number for DC Clos

Hello data center network experts, what is the typical eBGP convergence number for a large-scale Clos network? I am trying to understand if an eBGP-based design is ideal for large-scale spine/leaf architecture. If not, what other preferred protocols can be used to design a similar large-scale design? Think of 100 to 1000 or more switches.



SVI/HSRP Configuration confusion

Why is it that everyone (every network engineer I have met) configures HSRP on the VLAN interfaces on a distribution switch as opposed to other virtual interfaces such as loopbacks etc.? All that is listed as supported is routed ports, SVIs, and EtherChannel port channels in Layer 3 mode.

I guess I have just never seen a use case and was wondering if one could be provided.

I was looking over the cisco documentation and the examples they give have it listed on an actual physical interface, which confused the hell out of me.

Example: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swhsrp.html#10033



Does anyone have experience using Cybersponse's SOAR platform?

I'm currently researching SOAR platforms, and they all seem to have their pros and cons.

So on our team's list, Demisto and Cybersponse are the top two candidates.

It seems that Demisto is the popular choice, but I want to know what features Cybersponse has and does not have before taking things further.

So if anyone has any actual experience using Cybersponse, please give me a hint :)



Network CVE Script

Hey guys, figured I'd share and see if this helps anyone. We have to document CVEs that may affect our devices and I got tired one afternoon of doing it manually so I threw this script together.

It's far from perfect, but it works pretty well for us and saves us hours doing it manually until we can get the software that will do this for us. Right now it is only set up for F5 LTM, Palo Alto, NX-OS and ASA vulnerabilities. Hope it helps!

https://github.com/mr2man07/CVE-Parser

Here is an example output file and the terminal:

https://ibb.co/SyQzjH5

https://ibb.co/1L52yv2



[question]Double Sided VPC routing issues

Network diagrams: https://imgur.com/a/ZmZP2jN Switches 11, 12, 14, 16 are Nexus 3000. Switch 3 is a stack of 3750s (to be decommissioned). We are adding a new DC2 for redundancy. I have a dark fiber between the two DCs using CWDM to get a few 10GB channels (synchronous SAN replication). I have a connection at each site to our ISP's MPLS network that connects to all our remote sites. If I disable the primary link in DC1 to the ISP MPLS I get about 50% packet loss. If I disable the port-channel on switch12 highlighted in red, while the primary link is shut, everything works fine. I have checked all Ethernet ports, links, port-channels and routing tables a couple of times. There are no issues routing between the DCs or from servers connected to the N3Ks. No errors or anything meaningful in the logs. I have done isolation tests on the vPC between the DCs and don't seem to get any errors.

My guess is that switch12 is not forwarding (routing) traffic to switch11. I can't figure out why. I have looked at https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/118997-technote-nexus-00.html and as far as I can tell it is a supported topology.

Any ideas?

Switch configs (redacted, and sorry about the poor formatting):

[switch3]# config
15.0(2)SE10
interface GigabitEthernet2/0/47
 description [ISP MPLS]
 no switchport
 ip address [ISP MPLS] 255.255.255.248
interface vlan [VPC routing vlan to switch 14/16]
 ip address [VPC routing vlan to switch 14/16]/24
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface TenGigabitEthernet1/0/1
 description [switch14]
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode active
interface TenGigabitEthernet2/0/1
 description [switch16]
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode active
router bgp 65010
 redistribute connected
 redistribute static
 neighbor [ISP MPLS] remote-as [ISP AS]
 neighbor [ISP MPLS] transport path-mtu-discovery
 neighbor [ISP MPLS] version 4
 neighbor [ISP MPLS] soft-reconfiguration inbound
 neighbor [router] remote-as [Our_Public_AS]
 neighbor [router] transport path-mtu-discovery
 neighbor [router] version 4
 neighbor [router] soft-reconfiguration inbound
 neighbor [switch14] remote-as 65010
 neighbor [switch14] transport path-mtu-discovery
 neighbor [switch14] version 4
 neighbor [switch14] next-hop-self
 neighbor [switch14] soft-reconfiguration inbound
 neighbor [switch16] remote-as 65010
 neighbor [switch16] transport path-mtu-discovery
 neighbor [switch16] version 4
 neighbor [switch16] next-hop-self
 neighbor [switch16] soft-reconfiguration inbound

[switch14]# config
version 7.0(3)I7(1)
interface vlan [dc - to dc routing vlan]
 ip address [dc - to dc routing vlan]/24
interface vlan [Peer-link routing vlan]
 ip address [Peer-link routing vlan]/24
feature vpc
vpc domain 1
 peer-keepalive destination [switch16] source [switch14]
 peer-gateway
 layer3 peer-router
interface port-channel1
 vpc peer-link
interface port-channel26
 vpc 26
interface Ethernet1/45 - 48
 description [DC1 to DC 2 link]
 switchport mode trunk
 switchport trunk allowed vlan [group of vlans including bgp routing vlan]
 channel-group 26 mode active
interface Ethernet1/49/1 - 4
 description [peer-link]
 switchport mode trunk
 channel-group 1 mode active
interface Ethernet1/51/1 - 4
 description [peer-link]
 switchport mode trunk
 channel-group 1 mode active
router bgp 65010
 address-family ipv4 unicast
  redistribute direct route-map REDIST-ALL
 neighbor [switch12] remote-as 65043
  address-family ipv4 unicast
   soft-reconfiguration inbound always
 neighbor [switch11] remote-as 65043
  address-family ipv4 unicast
   soft-reconfiguration inbound always
 neighbor [switch3] remote-as 65010
  address-family ipv4 unicast
   next-hop-self
   soft-reconfiguration inbound always
 neighbor [switch16] remote-as 65010
  address-family ipv4 unicast
   next-hop-self
   soft-reconfiguration inbound always

[switch16]# config
version 7.0(3)I7(1)
interface vlan [dc - to dc routing vlan]
 ip address [dc - to dc routing vlan]/24
interface vlan [Peer-link routing vlan]
 ip address [Peer-link routing vlan]/24
feature vpc
vpc domain 1
 role priority 1
 peer-keepalive destination [switch14] source [switch16]
 peer-gateway
 layer3 peer-router
interface port-channel1
 vpc peer-link
interface port-channel26
 vpc 26
interface Ethernet1/45 - 48
 description [DC1 to DC 2 link]
 switchport mode trunk
 switchport trunk allowed vlan [group of vlans including bgp routing vlan]
 channel-group 26 mode active
interface Ethernet1/49/1 - 4
 description [peer-link]
 switchport mode trunk
 channel-group 1 mode active
interface Ethernet1/51/1 - 4
 description [peer-link]
 switchport mode trunk
 channel-group 1 mode active
router bgp 65010
 neighbor [switch11] remote-as 65043
  address-family ipv4 unicast
   soft-reconfiguration inbound always
 neighbor [switch12] remote-as 65043
  address-family ipv4 unicast
   soft-reconfiguration inbound always
 neighbor [switch3] remote-as 65010
  address-family ipv4 unicast
   next-hop-self
   soft-reconfiguration inbound always
 neighbor [switch14] remote-as 65010
  address-family ipv4 unicast
   next-hop-self
   soft-reconfiguration inbound always

[switch11]# config
version 7.0(3)I7(3)
interface Ethernet1/4
 description [ISP MPLS]
 no switchport
 ip address [ISP MPLS]/30
interface vlan [dc - to dc routing vlan]
 ip address [dc - to dc routing vlan]/24
interface vlan [Peer-link routing vlan]
 ip address [Peer-link routing vlan]/24
feature vpc
vpc domain 2
 role priority 40
 peer-keepalive destination [switch12] source [switch11]
 peer-gateway
 layer3 peer-router
interface port-channel1
 vpc peer-link
interface port-channel26
 vpc 26
interface Ethernet1/45 - 48
 description [DC1 to DC 2 link]
 switchport mode trunk
 switchport trunk allowed vlan [group of vlans including bgp routing vlan]
 channel-group 26 mode active
interface Ethernet1/49/1 - 4
 description [peer-link]
 switchport mode trunk
 channel-group 1 mode active
interface Ethernet1/51/1 - 4
 description [peer-link]
 switchport mode trunk
 channel-group 1 mode active
router bgp 65043
 neighbor [switch12] remote-as 65043
  address-family ipv4 unicast
   next-hop-self
   soft-reconfiguration inbound always
 neighbor [switch14] remote-as 65010
  address-family ipv4 unicast
   soft-reconfiguration inbound always
 neighbor [switch16] remote-as 65010
  address-family ipv4 unicast
   soft-reconfiguration inbound always
 neighbor [ISP MPLS] remote-as [ISP AS]
  address-family ipv4 unicast
   soft-reconfiguration inbound always

[switch12]# config
version 7.0(3)I7(3)
interface vlan [dc - to dc routing vlan]
 ip address [dc - to dc routing vlan]/24
interface vlan [Peer-link routing vlan]
 ip address [Peer-link routing vlan]/24
feature vpc
vpc domain 2
 peer-keepalive destination [switch11] source [switch12]
 peer-gateway
 layer3 peer-router
interface port-channel1
 vpc peer-link
interface port-channel26
 vpc 26
interface Ethernet1/45 - 48
 description [DC1 to DC 2 link]
 switchport mode trunk
 switchport trunk allowed vlan [group of vlans including bgp routing vlan]
 channel-group 26 mode active
interface Ethernet1/49/1 - 4
 description [peer-link]
 switchport mode trunk
 channel-group 1 mode active
interface Ethernet1/51/1 - 4
 description [peer-link]
 switchport mode trunk
 channel-group 1 mode active
router bgp 65043
 address-family ipv4 unicast
 neighbor [switch11] remote-as 65043
  address-family ipv4 unicast
   next-hop-self
   soft-reconfiguration inbound always
 neighbor [switch14] remote-as 65010
  address-family ipv4 unicast
   soft-reconfiguration inbound always
 neighbor [switch16] remote-as 65010
  address-family ipv4 unicast
   soft-reconfiguration inbound always


IP Infusion offers industry proven NOS (Network Operating System) on whitebox

IP Infusion, the leader in disaggregated networking solutions, delivers the best network OS for white box and network virtualization. IPI's enterprise and carrier-grade software solutions allow network operators to reduce network costs, increase flexibility, and deploy new features and services quickly.

IP Infusion offers network operating systems for both physical and virtual networks to carriers, service providers and enterprises to achieve the disaggregated networking model, with the OcNOS™ and VirNOS™ network operating systems, both powered by ZebOS®, an industry-proven control plane. More than 300 OEM customers trust IP Infusion's ZebOS® and have deployed it in thousands of use cases. This industry-proven control plane makes IP Infusion's OcNOS so unique. OcNOS is a modular, multi-tasking network operating system, with tight integration capabilities on commodity hardware. This design allows for scaled and performance-critical deployments. The close coupling with merchant silicon utilizes key hardware capabilities for better performance and feature set.

With OcNOS–IP Infusion’s network operating system for white box switches–networking solutions can be built using traditional networking components to allow for transition to new disruptive technologies. OcNOS supports disaggregation of network hardware and software to reduce overall Total Cost of Ownership (CapEx, OpEx) by 60% and increase flexibility.



Multisite EVPN with Cisco BGWs

Hello,

I'm working on an EVPN Multisite solution based on Cisco Nexus 9k switches. Currently I have prepared one site with eBGP as underlay and overlay routing: 2x spine in one AS and 2x vPC pair leaf switches in a separate AS.

This solution works fine for L2 EVPN and is fully compliant with the RFC; it works with a pair of Cumulus switches in CLAG as extra leaves.

In the next step I want to prepare a mirrored site and connect them together by 2x BGWs and 1x SuperSpine layer per site.

I found some documentation: https://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/white-paper-c11-739942.html

But in the most important part they send me to the "For more information" chapter without giving any answer :(

Questions:

  • Should BGWs be in a different AS than the SuperSpine and Spine switches?

  • Should BGWs have the full VNI base, i.e. the sum of all VNIs in the same site / in both sites?

  • Is an iBGP session between BGWs necessary?

  • Have you seen any whitepapers or working deployments?

Sorry for my English, it is not my native language. And of course thanks for answers.



Observium PHP loading issue

I have followed this doc to the letter: https://docs.observium.org/install_rhel7/. I have Observium running and during a polling or discovery you can see that it did add devices and does see them. But when you try to go to the web page it loads the index.php file as text. Any idea what I have missed?



Monitor vMotion VM migrations from Nexus 9K

Hi,

to keep it simple, I have 2 ESXi hosts which are linked via a Cisco Nexus 9K. What I'm looking to do is to trigger a script when virtual machines migrate from one ESXi to another (vMotion). I need to do it from the Nexus by tracking MAC addresses. I can't use syslog/logging; I need to send a notification to a web server when a MAC movement is detected (virtual machine migration). Can I achieve that with event handlers? Thank you.



EAP-TLS with iOS and Android

Ready to pull my hair out cus this topic just doesn't sink in with me, but here goes:

I'm looking into testing EAP-TLS on a wireless network with iPhones and Android devices as clients. As it stands, Android will ignore certs presented to it, presumably because they are not trusted. iPhone will at least ask if you want to trust the cert. My first point of confusion is whether or not iPhone and Android need the full chain (root/intermediate/server) or just the root cert in order to trust.

My next point of confusion is finding out how I can push profiles to iPhones and Androids that have the cert bundles they need and get them to trust them. I believe MDMs can do this, but can't force iPhone and Android devices to trust. Has anyone ever successfully done this?

Has anyone gotten EAP-TLS to work with Android/iPhone? What CA did you have to use? The server is going to be a ClearPass Policy Manager. Thanks!



Anyone have any design experience with Packetfence?

I've been keeping my eyes open for a NAC replacement... would potentially go with ISE but we don't have the licenses or money for it right now. We may pursue it in the future but I'm spending some time finding alternatives to what we have now that will allow us to continue moving forward with features. PacketFence has caught my eye... I've been really impressed with the feature set and the update schedule.

We're using a RADIUS based NAC for both wired and wireless access in our Residence Halls (as well as our academic wireless and guest networks) currently but not doing full 802.1x. Mostly it is MAB with devices auto-classifying based on a combination of fingerprinting factors. Devices that don't get classified currently require a call to our support center at which point we manually register it. Wireless is all Cisco and wired is mostly Cisco with a few Dell 6248 switches.

I'd like to move forward with 802.1X, MAB fallback with a portal sign-in page for devices that can't do 802.1X, and perhaps a self-registration portal so students can register devices that aren't capable of 802.1X and don't have a web browser. The goal would be for all devices to have a user ID associated with them and the ability for the students to self-manage their devices. I'd like to avoid requiring an install of a policy key on the end-user devices if possible. Also, I'm thinking a Layer 3 deployment would fit our needs better, so the PacketFence server would probably be on a DC network somewhere using our existing DNS and DHCP services. IPv6 support would be great at some point as well.

I'm wondering if anyone with Packetfence has experience with such a deployment? If so, is this a reasonable deployment plan or am I looking at it incorrectly or outside the feature set?

Thanks in advance!



What do you all use for enterprise level scripting?

So at my job we have an in-house application that is our only option for scripting of network tasks. It supports python but has limited input parameters and is not very user friendly for non-scripters.

I was wondering what other enterprise-grade solutions you all use at your jobs, for things like automating tasks and config changes on multiple devices that meet certain conditions, etc. I don't really know what else is out there, open source or commercial (especially for very large networks). What are the favorite things about your scripting tool/s and what are the biggest drawbacks or things that you wish you could do?



Best place for learning network service provisioning?

I would like to study the concept of network service provisioning, mostly business-related things such as peering, AS, transit networks, QoE, VPN, etc. Things that an ISP should know. Any recommendations? Could even be a YouTube channel if such exists.



Netalyzr is gone - anyone have ideas for a replacement?

I've been using ICSI Netalyzr for years to quickly check network quality. It seems that they've stopped development and took the app offline. I'm wondering if a similar tool exists?



Need a cheap, basic layer 3 device for a DMZ switch

I'm looking to pick up two layer 3 switches as DMZ switches. We don't plug everything into our firewall, and our existing DMZ switch runs at 100Mb and we need to get a bigger pipe.

One of our ISPs requires us to do some simple static routing on our end, so layer 3 is required.

Someone here posted the FS S3900 switches awhile ago and for $280 they fit the bill on paper, but no one seems to have experience with them. Can anyone comment on that or suggest another slightly smarter than dumb switch? I'm not opposed to picking up a refurbed one either. Anything is probably better than the existing HP4000m we're rocking right now



VPN management system

Hi, spending some money on headache pills, managing SSL VPN connections on FG.
Clients that get stuck, unstable connections, poor debugging etc. Every once in a while the situation gets stable, but then a Windows update or solar storms make all your certainties so ephemeral.
So I wanted to know from you wise friends, what are your VPN choices for employees/consultants/customers, and what's your ideal tool for managing them?
Is IPsec the cure? Are there any tools that prevent a man going nuts managing all that stuff? (Not that much, speaking of about 30-50 concurrent VPN connections.)

Many thanks, have a wonderful day!



Is a demarcation box required to be outside or can the cable run straight from node to inside of building?

Hello there! Our office building is a commercial property. We currently have a demarcation box on top of our roof. I'd like new CATV cables to be run inside so they don't sit outside exposed to weather elements.

My question is, is there anything wrong with moving the demarcation box inside to the MDF? This way if a coax cable needs to be run inside, it doesn't have to go outside to the demarcation box (an additional hole that's drilled). The ISP node is just a few feet away from the MDF, so could a cable be run underground from the node to inside the building? I'd imagine this is the setup for most commercial properties.

I couldn’t find any information related to my question online, any help would be appreciated.

Thanks.



Hiding SSID Aruba WiFi

We have an old SSID we want to get rid of but unfortunately we still have thousands of users connecting to it. We are looking at ways to get users off this SSID and on to the new one and things we can do other than just emailing users (most will ignore) or just simply turning it off and letting users deal with it (management will never agree to that so please don't suggest this). The problem we have is we have hundreds if not thousands of new users every year and even with guidance a lot will still connect to our legacy SSID so the problem won't just go away over time.

One thing we thought of doing was to look at hiding the old SSID so that existing users can still connect but no new users could see it and attempt to connect. I am aware it can easily be seen and connected to by anyone with a bit of knowledge, but most new users on our sites will just connect to our new SSID and be done with it. I have tested hiding the legacy SSID whilst connected and find that while my devices stay connected once the SSID is hidden, if I turn my WiFi off and on again it won't reconnect. If I forget the network, then reconnect and auth to it while hidden, then cycle my WiFi, it is able to reconnect after. I presume there is a setting on the OS that specifies whether an SSID is hidden and whether to actively try and connect even if it isn't visible? I'm testing on OS X and iOS, so I think these settings are not visible to the user and are only set when you set up your wireless connection while the SSID is hidden.

Is there any way to lessen the pain of moving users off this legacy SSID or have we just got to suck it up and cause some pain?



Juniper VSTP Questions

Hey all - hopefully a quick question and it's just a matter of me missing something. My Google-Fu is turning up nothing on this.

I have a virtual chassis of 9 x Juniper EX3400 48-port switches on 18.1R3.3 limited, running L2 to our aggregation layer. This stack has 12 VLANs on it, and because reasons (not greenfield), we are running VSTP. Not sure if it matters, but we are using dot1x MAC authentication against RADIUS. When I try to configure VSTP on more than 11 VLANs, I get the following error when attempting to commit:

user@stack# commit confirmed 5
[edit protocols]
  'vstp'
    xSTP:Trying to configure too many interfaces for given protocol vports:[5173]
error: configuration check-out failed

The Juniper docs that I've read indicate that VSTP can be applied to a limited number of ports, but I can't find what that limit is. The docs also specify a limit of 510 VLANs, which we are not even near. (https://www.juniper.net/documentation/en_US/junos/topics/concept/spanning-trees-ex-series-vstp-understanding.html)

I've tried to discern what the [5173] in the error message might refer to. My current thinking is that 9 switches x 48 ports x 12 vlans, minus 1 port statically configured on a single VLAN puts us right at 5173. It seems to line up too well to be a coincidence. Maybe VSTP is limited to 4096 vports?

I'm guessing that my only real option is to migrate to MSTP or RSTP. Can anyone confirm any of this or provide advice on the best way to proceed? Going full L3 is unfortunately not an option in the near future. MSTP may or may not be a near-term solution; I'll have to do more research on it to see if our aggregation/core layer will play nicely.

Thanks in advance!



tl wr104nd v3 (TP-Link) board documentation

Hi! I'm looking for board documentation of this router, or just the location of the chip with the software on it. I'm going to unbrick this guy and TTL doesn't work very well for me, so I would like to try a Libreboot-style trick with changing the software on the chip. If you have any ideas how to fix TTL (it's the easier way and less effort, so it's preferable to use it IMO; I have a problem with receiving the signal from the board on my RPi (in minicom I get some weird letters)) it will also be appreciated.