Saturday, April 13, 2019

TG1662G Arris router not letting me sign in to Wi-Fi control panel.

So for the past few weeks or so I have been trying to get into my router's panel to switch my channel. I had been able to log in before, but now my default username and password do not work anymore and now I don't know what to do. I have tried resetting it by holding the reset button for 15 seconds; still nothing. I may just call my ISP and see what the problem is if I don't get an answer.



Virtual Switching Sanity Check - BGP

Hello all, I have a home Kubernetes cluster that runs in 4 VMs on top of Proxmox. Proxmox is tagged to VLAN 20, the Kubernetes VMs are tagged to VLAN 40.

The Kubernetes VMs are BGP neighbors of my router so that I can tag pods to then run on one of two other VLANs that are designated as DMZ spaces, 50 and 60. In short, the network looks like this:

  • VLAN1: Networking Hardware
  • VLAN20: Physical Machines
  • VLAN40: Kubernetes VMs
  • VLAN50: Internal Kubernetes Deployments
  • VLAN60: External Kubernetes Deployments

This works great; everything is able to communicate with one another and the internet just fine, with one exception: performance.

My Proxmox server also acts as my storage server by advertising a ZFS pool as an NFS server. This works great, and is capable of some pretty fast reads and writes for a home storage server. Upwards of 6Gb/s reads, for example.

When I used to run Docker containers directly on my Proxmox server, virtual switching allowed the containers to interact with the NFS server hosted by Proxmox by hostname at nearly that speed.

Furthermore, before I set up VLANs, the Kubernetes VMs used to run on the same VLAN (1) as Proxmox itself. And any pods that were deployed on Kubernetes were also able to interact with the NFS server hosted by Proxmox by hostname at nearly that speed.

However, now that I have configured VLANs and use BGP to provision my Kubernetes pods on separate VLANs from the hosts, networking has been capped at 1Gb/s, if not worse than that.

My Ubiquiti Edgerouter Lite and Unifi Switch 8 are both 1Gb devices, so it makes sense. However, this is starting to feel very painful in my lab. For example, cover art in Plex Media Server takes upwards of 10 seconds to load when I scroll in my library because Kubernetes volume mounts the database on the NFS server. Similarly, Deluge is acting incredibly poorly. The web interface crashes frequently and any sort of action such as opening the Preferences panel or trying to see the Details section of a new torrent can take several minutes! Deluge's cache settings are set to use 4GB of memory, but I'm unsure if these performance issues are because of my network or because Deluge just doesn't scale well to 1100 torrents. Lastly, sometimes my Kubernetes deployments that interact heavily with a database (Plex, Jira, etc) end up with a corrupted database after a few weeks of running. This is presumably because of network latency, but I'm not sure.

I'm looking for a few questions to be answered with this post:

  1. I know my network is complex, especially for a homelab. However, my homelab is used pretty much entirely for learning for my job. And the hobby is fun for me, especially when I cater to obscene levels of complexity. However, I'm just curious if everything seems like it is configured correctly to you, given the fact that I am okay with the complexity.

  2. Would purchasing a 10Gb switch resolve this issue or would it also be necessary to purchase a 10Gb router since the Edgerouter is a BGP neighbor of the Kubernetes nodes?

  3. If it would be necessary to purchase both a Switch and a Router, would it instead be possible to purchase a 10Gb switch with BGP capabilities?

  4. What hardware would you recommend I purchase to resolve this issue? Ideally I would like to keep the total cost under $500-1,000 but it doesn't look like that would be possible given the incredibly high cost of 10Gb routers.

  5. Would it be possible to use a different Kubernetes Storage Class for storing the data directly on the nodes? What would this look like?

  6. Would you recommend a different solution to my problem?



Small Business network

Hi, I am tasked with setting up a small network with 5 sites. There will be 4 branch offices connecting to one main office with an AD server. I was wondering what the most cost-efficient switches and routers are that I need for every office.



iMac 10GBe (Thunderbolt Adapter) direct to Mac Pro 10GBe (PCI Adapter). Inconsistent connection speed. Questions…

I have an Akitio T3 10GBe Thunderbolt adapter connected to my iMac 5K, and an Aquantia AQtion 10GBe PCI card in my 2010 Mac Pro. I've connected the 10GBe Thunderbolt adapter to the 10GBe PCI adapter with a 10 ft Cat 7 cable. I use my Mac Pro as a file server for the iMac.

While no drivers are needed, it's not immediately obvious how to get the best speed out of this set up. I figured I would need to set the preferred service order in System Preferences > Network so that the 10GBe adapters are top of the list. The list is as follows…

  1. 10GBe Adapter
  2. Ethernet
  3. WiFi (*iMac only. Only on so that certain Apple features work such as AirDrop, Continuity, etc)

When I mount a drive from the Mac Pro on the iMac (a 2x 8TB IronWolf RAID 0) I get inconsistent speeds with Blackmagic Disk Speed Test over the 10GBe connection. Reads are consistently around ~500MB/sec, which is awesome, whereas writes vary from 180MB/sec down to a paltry 15MB/sec.

The only way I can get a consistent 180MB/sec+ for the write speed is to shut off all network connections on my iMac *except* the 10GBe. My theory is that some data is being sent over regular Ethernet (and maybe, horror, WiFi?)

Obviously by shutting these networks off, my Internet doesn't work anymore. As a work around I've set the Mac Pro Internet Sharing settings to share its internet from Ethernet to PCI 10GBe. This works, and on my iMac I now have consistent speeds and internet!

I'm just curious if this is the best approach or if there's a way to keep my regular iMac network ports active for internet but force all SMB shares to/from the MacPro over 10GBe only?



SD-WAN router/edge device placement?

Need your opinion here regarding SD-WAN topology or edge placement. To narrow the discussion, let's only consider using the VeloCloud or Viptela SD-WAN solutions.

The customer has branch offices and a central colo DC. Both the branches and the DC are deployed with an NGFW/UTM at the network edge. The small branch has dual Internet links and the big branch has metro Ethernet besides a single Internet link.

During the SD-WAN design for this customer, I am struggling a bit with the placement of the SD-WAN edge in relation to the existing NGFW... The customer is in the financial industry and their security team is fairly picky on traffic flow and inspection...

My current design for the small office is to put the SD-WAN device in front of the NGFW facing Internet. This way, the dual internet load balancing and failover are covered. Then traffic going to and from branch LAN could also be inspected by the NGFW.

For both the big branch and the DC, I am thinking of putting the SD-WAN device behind the NGFW facing the Internet. The metro Ethernet will connect directly to the SD-WAN devices, which route traffic to the NGFW for further inspection before reaching the LAN. NAT exemption will be configured on the NGFW for this traffic. The traffic to and from the Internet will naturally be inspected by the NGFW as well.

Does this make sense? Any suggestions?

Wish there were an SD-WAN device that came with NGFW/UTM features...



Old WG602v4 Access Point. Need help!

Hey all! So..... I have a few WG602v4 Access Points I am looking to set up just to stretch my WiFi at home (I know they are old but it's all I have without buying something else).

I am looking to set them up as repeaters; however, I cannot figure out for the life of me how to do it... I can't even get one working as an access point currently. I have reset to factory settings and have got access to the settings page; however, anything I try doesn't seem to work.

With other access points I have, I am just able to select the network and start repeating, but with these, on selecting repeater mode, it asks for a MAC address, which I can only assume is that of my main router. When I type this in and press Apply, I see it appear at the bottom, but it doesn't pick up an SSID or signal strength. I am not really sure how to get this working at all.

Here are some links to the manuals which I have been trying to follow.

http://www.downloads.netgear.com/files/WG602v4_IG_04June07.pdf

https://www.downloads.netgear.com/files/WG602v4/Documentation/RM/WG602v4_RM_07June07.pdf

I feel there is something simple I am probably missing but really do not have a clue when it comes to this access point.

My steps were: reset to factory, configure my laptop to allow the connection to configure the AP, then set up the AP to allow me to connect to it with a wireless connection. After that I am looking to change it to repeater mode (which I assume I can do by plugging a cable from my router to the AP), but this is as far as I get....



Captive portal with Radius Auth via Clearpass and Cisco WLC

Our current staff wireless network uses RADIUS via ClearPass to authenticate Active Directory credentials. The problem is that every time a user is forced to change their password, their mobile device causes their account to be locked out, which is becoming a headache for the lower-tier support groups.

I have seen in other organizations that instead of using constant authorization to connect to Wi-Fi, they had a captive portal that used your AD username and password to authenticate a device, and that device's MAC address, the first time you connected to their wireless network. The user would no longer have to present AD credentials, and that device was allowed to connect until account termination.

Is there a way I can do this with ClearPass and a Cisco WLC? Is it compatible with a hidden network?
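What the post above describes is usually called MAC caching (ClearPass Guest uses that term; on a Cisco WLC the matching knob is MAC filtering with web authentication on MAC-filter failure). The decision logic behind it, as an added example that is not ClearPass, WLC or Cisco code: a constructed in-memory directory stands in for Active Directory, the user "jdoe" and the MAC addresses are made up, and the RADIUS exchange is reduced to an accept / redirect-to-portal decision. The account's password is never stored on or replayed by the device, which is why the forced-change lockout problem disappears.

```python
"""MAC caching behind a captive portal: one AD login at the portal binds the
device's MAC to the user; later connections are admitted by MAC alone until the
account is disabled. Added example with constructed data; not ClearPass or WLC code."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, List


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    enabled: bool = True


class Directory:
    """Stand-in for Active Directory (constructed, in memory)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def add(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def set_password(self, user: str, password: str) -> None:
        self.add(user, password)          # new salt and hash; the old password is dead

    def disable(self, user: str) -> None:
        self.accounts[user].enabled = False

    def verify(self, user: str, password: str) -> bool:
        a = self.accounts.get(user)
        return (a is not None and a.enabled
                and hmac.compare_digest(a.pw_hash, _hash(password, a.salt)))


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:AA:BB:CC, 0011.22aa.bbcc or 00-11-22-aa-bb-cc; store one form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacCache:
    def __init__(self, directory: Directory) -> None:
        self.directory = directory
        self.bindings: Dict[str, str] = {}   # mac -> username

    def authorize(self, mac: str) -> str:
        """Decision for a MAC-auth request: 'accept' or 'portal' (redirect to login)."""
        mac = normalize_mac(mac)
        user = self.bindings.get(mac)
        if user is None:
            return "portal"
        if not self.directory.accounts[user].enabled:
            del self.bindings[mac]             # termination revokes the cached device
            return "portal"
        return "accept"                        # no password involved, so no lockouts

    def portal_login(self, mac: str, user: str, password: str) -> bool:
        """One-time AD check at the portal; on success bind the MAC to the user."""
        if not self.directory.verify(user, password):
            return False
        self.bindings[normalize_mac(mac)] = user
        return True


def lifecycle() -> List[str]:
    """Walk one phone through the flow described in the post (constructed data)."""
    ad = Directory()
    ad.add("jdoe", "Spring2019!")
    cache = MacCache(ad)
    phone = "0011.22aa.bbcc"                        # Cisco-style notation on purpose
    steps = [cache.authorize(phone)]                # first connection: "portal"
    cache.portal_login(phone, "jdoe", "wrong")      # bad password: no binding made
    steps.append(cache.authorize(phone))            # still "portal"
    cache.portal_login(phone, "jdoe", "Spring2019!")
    steps.append(cache.authorize("00:11:22:AA:BB:CC"))   # "accept", any notation
    ad.set_password("jdoe", "Summer2019!")          # forced password change
    steps.append(cache.authorize(phone))            # still "accept"
    ad.disable("jdoe")                              # account termination
    steps.append(cache.authorize(phone))            # back to "portal"
    return steps
```

Running lifecycle() returns ["portal", "portal", "accept", "accept", "portal"]. Two caveats a security team will raise: a MAC address is trivially spoofable, so a cached binding should carry an expiry and be treated as lower assurance than 802.1X with device certificates, and "until account termination" only works if the directory disable is actually checked on every MAC-auth request, as authorize() does here, rather than only at portal login.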



What's your test network look like?

First off, I'm aware of the adage "Everyone has a test network. Some people are lucky enough to have a production network." For the purposes of this post, assume that when I say "test network", I do NOT mean your production network.

So, do you have a test network? If so, what does it look like?

  • Do you have a couple of spare random switches and routers laying around you can use to test new features, while connected to your production network?
  • Do you have one of each type of device, so you can test new OS versions?
  • Do you have an exact mirror of your network topology?


Inter data-centre routing

I caused an outage a few days ago: connected 2 data centres via VPN, added static routes via the VPN, but didn't realise that Palo Alto installs routes which point down a tunnel interface even when the VPN attached to the tunnel is down.

I've been thinking of what else can be done apart from static routes. What are you all using? In the next 9 months we'll be connecting all the data centres up with physical connections, at which point we'll simply extend our mpls, but in the meantime what routing protocol would you recommend to use over VPN between data centres?



Looking for good Cisco security VAR (CNJ/NY metro)

Hi folks,

We have a current Cisco VAR who helped us transition from VPN3000 to ASA many years ago (we use the ASA just for VPN and use Checkpoint for the border firewall). Loved working with the engineer there, who did a great job with the project, but who has since moved up the ladder to Sr. SE. On our last refresh, they pitched Firepower units (FPR2110s replacing ASA5520s) running ASA code (currently 9.9.2). The engineer they assigned to that upgrade was one of the worst I've experienced (to be fair, not too long after my project he was let go), and he introduced many errors in the converted config that I had to catch and have him correct.

Now even though things basically work, we have been experiencing some VPN problems that may be a result of missed config etc. I’m not sure who our VAR has now that I’d trust. (In my role, I’m forced to be a “jack of all trades” and so I have to rely on VARs for the deep-dive stuff in many areas, such as ASA config.) So my question is, can folks here recommend an awesome Cisco security engineer who can review our config, and recommend improvements? We are in the central NJ area (“metro NY” market) if proximity should come into play. Not sure if Cisco themselves has a consulting service we could take advantage of...

Thanks for your recommendations...



Toning a cable while patched into switch

Hey guys, I am trying to troubleshoot an Ethernet port at our site. No link light when I put my Network tester on it. So either it is not patched in or the port on the switch is shutdown. I cannot track this cable down anywhere in our IDFs. I tried toning it out and cannot find it. If it is patched into a switch, will the tone not be audible? Any help would be appreciated, thanks.



Express VPN

Hi, I was wondering if anyone could tell me if ExpressVPN hides activity from router logs?



What do you think about GNS3 certification?



Options for network power monitoring for small remote sites?

Greetings all,

I’m helping a non-profit roll out new networking equipment. Pretty simple setup with a FortiGate 60E and UniFi equipment behind it. However, the country is having insane power issues right now, and I just had a PoE board pop on a switch. I ran new outlets with grounding to each enclosure, and run the switches from a UPS, but it still took a hit.

I’ve got an electrician coming to see about a voltage conditioner / regulator for the whole property... but I’d love to have something that can monitor and log the power spikes. Is there anything like this out there with SNMP?



Friday, April 12, 2019

ACL Help Packet Tracer

Any time I configure an ACL on the router with a deny for a specific subnet, all traffic gets blocked. If I use permit any afterwards, all traffic is permitted and it ignores my deny...



Internet Exchange participants: how much do you pay?

I'm exploring starting a small IX in Montana for our local providers and large entities.

Currently, the only IX I personally participate in is the SIX in Seattle. There's no monthly recurring fee, only a one-time fee depending on the port speed.

I don't have a lot of datapoints, but IXs like Equinix have fairly high monthly fees to participate. Is this common? Or is the SIX method more typical?

I'd like this IX to be as cheap as practically possible because that encourages continued participation. At the same time, I can't imagine more than a dozen participants compared to the 300+ that SIX has, and that might be hard to sustain financially in a tiny market.



For the love of anything mighty someone please tell me how to put cat6a wire in a plug...

Good lord I am about to blow up my God damn house... I have gone through 13 cat6a plugs, with cat6a wiring. Every time I get the wires lined up, pushed in, crimp... it fails. Short circuit. I am losing my god damn mind over here.

I spent about $200 on tools, crimp, tester, special cat6a plugs, etc. This is ridiculous. Bad enough my damn hands keep cramping up all to hell trying to work with these microscopic damn wires and plugs.

Is there some fancy ass tool that you can feed the 8 stupid wires into and it lines them up and puts them in perfect... because this stupid little prong that I have to slide the wires into, then push into the plug, is a massive failure of a design. The female end looks cool: you've got 8 slots, you push them in, then push down with a tool and close it up, all done. But these male ends are ridiculous. How the hell does someone make 50 to 100 of these in a day? I have spent over 3 hours on one plug.. 13 retries.. a hole in the wall out of anger.. this cannot possibly be the way it's done.

First off, how the hell do you freaking straighten all the wires out? Every twisted pair is so twisted (23 AWG) that I use my pliers on each wire and press down in multiple areas to try to flatten/straighten it out. Even when I do that to all 8, I still can't get the ends to all line up nicely right next to each other. One is curved, another loops around easily. This can't possibly be how everyone does this. Patience my ass.. if I go any longer I won't have a network center in the wall.. I will kick the stupid thing in and see it slide down into the wall.

Any help on how you deal with Cat 6/6a/7 wiring... plugs... short of buying those $13-each plugs that are very nice but WAY too expensive for me to use on a long run of cable... would be appreciated.



All devices showing on same port

Hello,

I was trying to track down a switch port from a MAC address on HPE networking gear for the first time; I'm used to Cisco.

However, every MAC address was on the same port, the CST root port. I'm not good with spanning tree. Does this mean all data is going through one port?

How do I find out the real port of the device with that MAC address?



Monoprice bulk ordering patch cables unbagged?

Replacing a bunch of wiring, gonna be ordering hundreds of 6" and 1' jumpers, and assorted others. Monoprice is by far the best pricing, and have proven reliable. Unfortunately, everything is individually packaged. Is it possible to get them unbagged in bulk? Or is it just bound to be an afternoon of cutting and separating bags and cables?



Challenge - Hacking/Breaking into a PA-500 to change the password

I was given a Palo Alto PA-500 to study on at work. Which is great :)

Only caveat: no one (and I mean no one) knows the password. Or anything about this particular one, really.

So the challenge given to me is, without factory resetting the device, to change the password on the PA. Does anyone have any recommendations on how to accomplish this?



Does your company buy based off fear? EVPN VXLAN vs ACI or NSX, containers vs. VMs, vendor-run OpenStack vs. in-house-built self-service and automation.

I'm starting to realize a lot of companies make purchasing decisions purely out of fear and politics.

Curious how many feel large organizations buy based off a perceived insurance policy thought to come from the big vendors.

After spending 3+ yrs working with many companies who chose more of a roll-your-own model, I'm now working with a lot of companies who are following what the big vendors tell them, and it's perplexing to me. We're talking some of the largest companies in the world still trying to roll out ACI, NSX, using VMs to host containers, and paying vendors to build and run their OpenStack.

As I talk to executives about their purchasing decisions, I’m finding more and more it all comes down to fear and politics.

How prevalent is this really? Have you tried to help your organization modernize and got pushed down by management? Does your company consider using open source products, or innovative products from less well known startups even when they have a proven track record?

I know there is another breed out there, most of that breed is probably the ones here on Reddit. I can spot your slack sticker a mile away, but I think that only makes up a small percent of the population.

Would love to hear what everyone thinks.



SMS based onboarding solutions for wifi

Anyone have recommendations for this? I know ClearPass can do this as well as Ruckus, but I'm looking for some feedback on those two. ClearPass supports custom SMS HTTP APIs while Ruckus only lets you select from a few like Twilio etc. If anyone has other recommendations/ideas too, please comment.



Can't Set Up LAN without Connecting the Router to the Internet

I am trying to set up a LAN with my brand new Linksys E2500. I don't have a functional CD drive, so I downloaded the .bin file from the website. Didn't work; it shows up as a blank CD.

So I decided to try it on my other laptop, which does have a functional CD drive. Put it in, run the program; the FIRST thing it does is try to set up the internet. In order for it to progress the router HAS TO BE CONNECTED TO THE INTERNET. If not, there is NO WAY to get the software to install to set up my router for LAN.

So I try to do it manually - go to the IP shown in the manual. AND IT SENDS ME TO A PAGE THAT TELLS ME TO DOWNLOAD THE SOFTWARE FROM THE WEBSITE, THE SAME SOFTWARE THAT WON'T LET ME GET IT SET UP.

This is completely retarded, in trying to idiot-proof it they have apparently made it impossible for someone without an internet connection to even use their router.

Is there any way I can force this goddamn router to act like it's supposed to, i.e. let me manually access the setup configuration on the router without their stupid software?

I have no internet connection except a proxy on my phone, and do not intend to ever get any other form of internet. If it is not possible to actually use this router without a fixed internet connection I am seriously considering a campaign of genocide against the idiots at Linksys who thought this was a good idea.

I note that someone else has had the exact same problem with the exact same router, and there were no responses. Linksys apparently doesn't give a shit about people without internet.



Any opinion on Catalyst 9200 vs 3650?

We're looking at making a large purchase of new switches. Previously our standard was the 3650, but it looks like the 9200 (non-L) might be a bit cheaper. We'd be looking at 48-port PoE with the 4x10G uplink module, as well as non-PoE 48-porters without an uplink module to create a stack with. We're only going to be using these in Layer 2 mode, with all the VLANs on the distribution layer (Cat6.8K).

Anyone have any thoughts on the 9200s, and if they would purchase them in place of the 3650? We are not really looking at SDA right now and would just do a 3 yr license that we'd likely never use. The 9300s are likely out of our budget.



Unmanaged switch not connecting to LAN

I am not too network savvy, so I'll try to be as clear as possible. Sorry if I get some of the jargon incorrect.

Update: I think another important piece of information is that I'm getting assigned 169.254.x.x IP addresses. Seems that might be relevant?

I am tasked with setting up 36 laptops for classes throughout North America; sometimes the laptops come back to our office and I have to update the course content. As you can imagine, it takes forever doing it manually with a couple of thumb drives when the overall content is about 120 GB.

I try to automate as much as possible; we have Deep Freeze set up on all the computers, so the IP addresses are easily managed... Deep Freeze does a lot of other unrelated stuff for us. Anyway, we have 2 unmanaged network switches, one 16-port and one 24-port (they already had the 16-port switch, so I bought the 24-port to get enough connections). It worked great yesterday: I was able to move almost a terabyte of data overnight, and set up WOL, which will make things even easier. This morning they were all still connected, so I restarted the systems with WOL just to make sure, and all was still good.

Then, about 4 hours ago, I noticed they were all disconnected. After some troubleshooting, I realized the new 24-port switch is the cause. This is what ipconfig /all is showing on the laptops connected to the switch (Here). The other switch is working fine, as I can connect to them just fine.

Is there a way to reset the switch? I tried power cycling to no avail... It was my impression unmanaged switches don't assign IP addresses, so I wouldn't think this is an issue. I also tried changing some of the ports around, which did not help.

Networking is hard.



Router-On-A-Stick, Loopbacks, and Management

Quick question. I'm using router-on-a-stick to a switch (Router --> Switch --> Hosts), which has 3 VLANs for hosts, plus a management VLAN makes 4. I'm using g0/1.1, g0/1.2, g0/1.3 for hosts and g0/1.99 for the management VLAN, so the hosts below the router and connected to the switch will have a gateway to the management subnet. I also have a loopback address for management purposes (this is the address, for example, that I would SSH into). The rest of my network is also using loopbacks for management and I'm looking to keep things consistent.

Addressing is as follows:

G0/1.1: 172.16.0.1/24
G0/1.2: 172.16.1.1/24
G0/1.3: 172.16.2.1/24
Lo0: 172.16.255.235/32
Management subnet: 172.16.255.0/24

My issue is with adding an IP to G0/1.99. I already have the /32 loopback configured, so when I try to add 172.16.255.1/24 to G0/1.99, it tells me it overlaps with Lo0. If I understand correctly, this is because I'm adding the same subnet onto a router twice, so it denies the change. But I want the Lo0 interface to be in management, and the G0/1.99 to be the gateway for management, so both have to exist on the same router. How can I work around this?



Cisco VXLAN EVPN & Microsoft 2016 DHCP RFC3527 issue

Hey all,

Have any of you run into an issue when using a VXLAN EVPN network with option 82 on the DHCP server? We have this running live in our environment now. Clients are able to get addresses through option 82, but when a device goes to another site with a different subnet it does not get a new IP address, but rather sticks to the old one.

Config has been verified with Cisco, and I am going to have to contact Microsoft on Monday. But in the meantime have any of you experienced this, and what was your workaround?



CCDA training courses in the UK?

My company is offering to pay for a week course and I've an interest in going for CCDA (already hold CCNP).

Does anyone know of UK-based course providers apart from Firebrand?



VPN Apps (Palo Alto, Cisco, Pulse Secure and f5) - Session Cookie Vulnerability

Read this article earlier today. Out of the four vendors, only Palo Alto has issued a patch. Until the apps are patched, the best defense appears to be two-factor authentication.



Networking gear that supports automation

I'm building a lab in a box, that has a switch, couple APs, and a router / firewall, along with a server, and the configs can be modified via a script.

From the networking side of things, I need to be able to handle VLANs, static routes, RADIUS, 802.1X for the wireless, and be able to firewall off ports and VLANs from cross-talking. I also want this to be fully managed without internet, but I could make internet access a requirement.

Configuration of all this has to be scripted so someone with limited networking knowledge can do things like specify how many teams, usernames and passwords for the different RADIUS users, etc. This would drive the number of subnets/VLANs that get created, set up firewall rules, etc. Clients would join the wireless or wired networks on the switch. If internet access is a requirement, the WAN port would be connected to the local network on site and everything would be NATed. Not ideal in the real world of course, but nothing will be reaching into the lab from the WAN, only getting out as needed. Clients would not be allowed to get to the internet other than to fetch a font library or something.

Today I do all this with a Ubiquiti USG, Cloud Key, UniFi APs and switch; however, they have no officially supported APIs, and from what I've seen of the community SDKs/APIs, I'm not filled with warm fuzzies. While this fits the price point, I'm worried about being able to automate their gear. This solution works for the one lab I run, but if this is going to scale to multiple labs that are shipped around, I might need something else.

This is for a non-profit and used for mostly high schools and colleges. so cheap is another requirement. This is not for production usage, so no HA requirements, and don't need support other than firmware updates as needed. Don't need hardware support if the equipment is cheap enough.

I've mostly worked with Cisco Nexus and Palo Alto in my career and that level of gear is way over my budget for what I need. Are there any other brands or something open source that would work for this? Meraki might work, but they are expensive and requiring internet to manage it, is a bit of a detractor.



Just got some Extreme switches.

I think that this sub would appreciate a pic of them stacked.



Found a version of packet tracer (7.2.1) for macOS, is it legit? And if so, why is it such a memory hog?

https://www.netacad.com/group/offerings/packet-tracer

It seems to not be allocating memory on my computer correctly. I have a 2018 MacBook Pro with 16GB of memory, and while it says it only uses about 400-500 MB of memory, it says it's using 130-150% of my CPU. How is this possible? Has anybody ever experienced something like this?



Question on fiber type and size

Hello, I'm planning to buy these transceivers for distances of less than 15 feet. I do need the 10Gb capability as well.

https://buy.hpe.com/b2c/us/en/options/transceivers/transceivers/networking-sfp%2B-form-factor/aruba-sfp%2B-sr-transceivers/p/1009432151

What is the correct size and type of fiber to buy for these?



Minimum cable length for a 1u patch panel to an adjacent 48-port switch?

I would like to have the cleanest and shortest patch cables between a patch panel and an adjacent 48-port switch. Each port is just connecting to the port in the row closest to it in the patch panel, straight up-and-down. The equipment is behind a glass-door rack and I would like it to be as clean as possible. Thank you.



What networking equipment or setup ?

I need some advice to upgrade my office network as we are expanding and moving to a new location.

So I have three options (by vendor):

Option 1: Catalyst 9200 x2 + ISR 1100
Option 2: Catalyst 2960L + ISR 1100
Option 3 (Juniper): EX2200 x2 + SRX300

I shall reiterate my requirements:
  • Gigabit LAN across the office, or 10-gig LAN if possible without breaking the bank (no, I'm not in the US).
  • Segregate users according to groups.
  • Access to the Internet for only select groups or specific employees.
  • NAS for backup (RAID 6 or 10), automatic backup.
  • Wireless APs split into guest and secured executive channels.
  • There will be almost 55-65 employees + one port for cameras + 5 ports for biometrics + 2-4 wireless APs + 5-7 peripherals (printers/plotters) + NAS for storage.

Total office area is 3100 sq ft on a single floor.
Internet will be 100 Mbps up/down.



ACL VLAN question

Sorry if this is the wrong place to post this.

I have a layer3 switch with 2 VLANs (VLAN 10 and VLAN 20)

I want to only allow PC1 (vlan 10) to connect to PC2 (vlan 20) on port 8000.

This is the only communication I want between VLAN 10 and VLAN 20. So I plan to apply an ACL on VLAN 10 to permit this.

My question is: if I apply another ACL on VLAN 20 to block all traffic into VLAN 10, will PC1 still be able to connect to PC2 on port 8000?

Thanks
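Both ACL questions on this page (the Packet Tracer post about a deny followed by permit any, and this VLAN 10 / VLAN 20 question) come down to two properties of an IOS ACL: it is evaluated top-down with the first matching entry deciding and an implicit deny at the end, and it keeps no connection state, so the reply packets of a connection permitted on one SVI must be permitted separately on the other. The Python below is an added example, not code from either post: it evaluates IOS-style standard and extended ACL entries against constructed packets. PC1 = 10.10.0.10 and PC2 = 10.20.0.10 are assumed addresses, the ACLs are assumed to be applied inbound on the two SVIs, and the "established" entry models the classic way of letting TCP replies back through a stateless ACL.

```python
"""IOS-style ACL evaluation: top-down, first match wins, implicit deny at the end,
no connection state. Added example; addresses and SVI placement are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"      # "ip" | "tcp" | "udp" | "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False      # TCP ACK bit: what an "established" entry checks

@dataclass(frozen=True)
class AddrMatch:
    addr: int
    wildcard: int          # Cisco wildcard mask: 1-bits are "don't care"

    def matches(self, ip: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return ip_int(ip) & care == self.addr & care

ANY = AddrMatch(0, 0xFFFFFFFF)

@dataclass(frozen=True)
class Entry:
    action: str            # "permit" | "deny"
    proto: str
    src: AddrMatch
    dst: AddrMatch
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src.matches(p.src) and self.dst.matches(p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport)
                and (p.ack or not self.established))

def _addr(tokens: List[str]) -> AddrMatch:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return AddrMatch(ip_int(tokens.pop(0)), 0)
    return AddrMatch(ip_int(t), ip_int(tokens.pop(0)))

def _port(tokens: List[str]) -> Optional[int]:
    if tokens[:1] != ["eq"]:       # only the 'eq N' form is modelled
        return None
    del tokens[0]
    return int(tokens.pop(0))

def parse(line: str) -> Entry:
    """Standard ('deny 10.0.0.0 0.0.0.255') or extended ('permit tcp host A eq 8000 host B established')."""
    tokens = line.split()
    action = tokens.pop(0)
    if tokens[0] not in ("ip", "tcp", "udp", "icmp"):
        return Entry(action, "ip", _addr(tokens), ANY)   # standard ACL: source only
    proto = tokens.pop(0)
    src, sport = _addr(tokens), _port(tokens)
    dst, dport = _addr(tokens), _port(tokens)
    return Entry(action, proto, src, dst, sport, dport, "established" in tokens)

def evaluate(acl: List[Entry], p: Packet) -> str:
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"          # the implicit deny every ACL ends with

# Packet Tracer question: deny one subnet, with and without a trailing permit.
DENY_ONLY = [parse("deny 10.0.0.0 0.0.0.255")]
DENY_THEN_PERMIT = [parse("deny 10.0.0.0 0.0.0.255"), parse("permit any")]
PERMIT_THEN_DENY = [parse("permit any"), parse("deny 10.0.0.0 0.0.0.255")]
BAD_WILDCARD = [parse("deny 10.0.0.0 255.255.255.0"), parse("permit any")]  # subnet mask typed as wildcard

def standard_acl_results() -> dict:
    """(verdict for 10.0.0.5, verdict for 10.1.0.5) under each ACL above."""
    inside, outside = Packet("10.0.0.5", "192.0.2.1"), Packet("10.1.0.5", "192.0.2.1")
    acls = {"deny_only": DENY_ONLY, "deny_then_permit": DENY_THEN_PERMIT,
            "permit_then_deny": PERMIT_THEN_DENY, "bad_wildcard": BAD_WILDCARD}
    return {name: (evaluate(acl, inside), evaluate(acl, outside)) for name, acl in acls.items()}

# VLAN question: ACLs applied inbound on the VLAN 10 and VLAN 20 SVIs (assumed).
PC1, PC2 = "10.10.0.10", "10.20.0.10"
VLAN10_IN = [parse(f"permit tcp host {PC1} host {PC2} eq 8000"), parse("deny ip any any")]
VLAN20_IN_NAIVE = [parse("deny ip any 10.10.0.0 0.0.0.255"), parse("permit ip any any")]
VLAN20_IN_FIXED = [parse(f"permit tcp host {PC2} eq 8000 host {PC1} established"),
                   parse("deny ip any 10.10.0.0 0.0.0.255"), parse("permit ip any any")]

def tcp_connect_succeeds(vlan10_in: List[Entry], vlan20_in: List[Entry]) -> bool:
    """PC1's SYN must pass the VLAN 10 ACL and PC2's SYN/ACK the VLAN 20 ACL."""
    syn = Packet(PC1, PC2, "tcp", sport=51000, dport=8000)
    syn_ack = Packet(PC2, PC1, "tcp", sport=8000, dport=51000, ack=True)
    return evaluate(vlan10_in, syn) == "permit" and evaluate(vlan20_in, syn_ack) == "permit"
```

standard_acl_results() gives deny_only = (deny, deny): with nothing but a deny, the implicit deny drops everything else. deny_then_permit = (deny, permit) is the intended behaviour; permit_then_deny = (permit, permit) because the deny is never reached; and bad_wildcard = (permit, permit), since a subnet mask typed where a wildcard belongs makes the entry match only addresses whose last octet is 0, which is a common reason a deny appears to be ignored. For the VLAN question, tcp_connect_succeeds(VLAN10_IN, VLAN20_IN_NAIVE) is False: the SYN passes the VLAN 10 ACL but the SYN/ACK from PC2 is dropped by the blanket deny on VLAN 20. With the established entry placed before that deny it is True. A reflexive ACL, or a stateful firewall between the VLANs, is the cleaner way to get the same effect without hand-writing return-traffic entries.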



Cisco IOS & Route Map Problem

Folks,

I've been struggling with this for days, and I've completely changed topology multiple times, and this: https://imgur.com/a/OiLAfWA is what I've decided on.

I will focus on the Cisco 891F in the top left of the diagram for now. It has an internet connection with a /30 and a /28 IP address assigned to VLAN1 (with the /28 as a secondary). It also has an "internal" interface of 172.31.255.1/30 assigned to Fa0.

The Meraki MX84 is connected in routed mode with a real world IP on port "Internet 1" (second usable /28 IP). It also has another interface directly connected to the Cisco with an IP address 172.31.255.2/30.

I have the below configuration on the Cisco side:


!
interface Loopback0
 ip address 10.30.10.1 255.255.255.0
 ip policy route-map ROUTEMAP
!
interface FastEthernet0
 ip address 172.31.255.1 255.255.255.252
 duplex auto
 speed auto
!
route-map ROUTEMAP permit 10
 match ip address 10
 set ip next-hop 172.31.255.2
!
access-list 10 permit 10.30.10.0 0.0.0.255
access-list 10 permit 10.40.10.0 0.0.0.255
!


I can ping 172.31.255.2 from the Cisco, but I cannot do a "ping 8.8.8.8 source lo0" -- this fails. A packet capture on the Meraki shows nothing, so I know it's a Cisco issue... but not sure where to go from here. I mean... this should be very basic...

Thank-you!



Looking for a configuration analysis/standardization tool

I'm looking for a tool I can use that will compare a configuration file against a baseline set of rules to look for standards being followed. The goal being to look for things like vlan tags, vlan names, SVI descriptions, etc. all being standard across a large set of devices. I've got to think that there's something out there that exists in the software development world that could easily be adapted for looking at a text config file from a router or switch, but I haven't been able to find anything.

Edit: Thinking about how I asked my question, I know there are comparison tools that can take two files and do a diff on them. I'm looking for something where I can feed it a configuration file and it compares that file against a set of pre-defined rules that I configure.
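As an added example (not part of the original post, and not a product mentioned on it), here is the shape of such a tool in Python: parse the configuration into blocks once, then run every block through pattern/check pairs that encode the standard. The sample configuration and the three rules (VLANs must be named, VLAN names upper-case, SVIs must carry a description) are constructed for the example; a real standard would replace them.

```python
"""Added example, not part of the original post: a small rule-driven checker
that parses an IOS-style configuration into blocks and runs each block through
a set of standards rules. The rules and SAMPLE_CONFIG are constructed for the
example; the point is the shape of the tool (parse once, then apply
pattern/check pairs), which a real standard would extend."""
import re
from typing import Callable, List, Optional, Tuple

Block = Tuple[str, List[str]]          # (header line, indented child lines)
Check = Callable[[str, List[str]], Optional[str]]

SAMPLE_CONFIG = """\
hostname sw-bldg1-acc01
!
vlan 10
 name USERS
vlan 20
 name printers
vlan 30
!
interface Vlan10
 description Users SVI
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description uplink to core
 switchport mode trunk
!
"""


def parse_blocks(text: str) -> List[Block]:
    """Group an IOS config into top-level commands with their indented children."""
    blocks: List[Block] = []
    current: Optional[Block] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None                     # '!' or a blank line ends a block
            continue
        if line.startswith(" "):
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line.strip(), [])
            blocks.append(current)
    return blocks


def vlan_has_name(header: str, children: List[str]) -> Optional[str]:
    if not any(c.startswith("name ") for c in children):
        return "VLAN has no name"
    return None


def vlan_name_is_upper(header: str, children: List[str]) -> Optional[str]:
    for c in children:
        if c.startswith("name ") and c[5:] != c[5:].upper():
            return f"VLAN name '{c[5:]}' is not upper-case"
    return None


def svi_has_description(header: str, children: List[str]) -> Optional[str]:
    if not any(c.startswith("description ") for c in children):
        return "SVI has no description"
    return None


# (regex on the block header, check to run when the header matches)
RULES: List[Tuple[re.Pattern, Check]] = [
    (re.compile(r"^vlan \d+$"), vlan_has_name),
    (re.compile(r"^vlan \d+$"), vlan_name_is_upper),
    (re.compile(r"^interface Vlan\d+$"), svi_has_description),
]


def lint(text: str, rules=RULES) -> List[Tuple[str, str]]:
    """Return (block header, finding) pairs for every rule violation."""
    findings = []
    for header, children in parse_blocks(text):
        for pattern, check in rules:
            if pattern.match(header):
                msg = check(header, children)
                if msg:
                    findings.append((header, msg))
    return findings


if __name__ == "__main__":
    for header, msg in lint(SAMPLE_CONFIG):
        print(f"{header:28s} {msg}")
```

Run over a directory of saved running-configs, the output of `lint()` per file is the report the post asks for; the checks are plain functions, so a rule that needs to look across blocks (duplicate VLAN names, for instance) can take the whole block list instead of one block.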



Onboarding into Infiniband (needed)

Hey, I'm digging into InfiniBand 10/20 and 40 Gbit/s, or SDR/DDR and QDR. Currently I have two problems to solve to get everything working.

Problem 1: Speed negotiation issues with windows

Details:

  • A good old HP ML150 M5 with Mellanox ConnectX-2 MHQH29-XTC and Server 2008 R2 running.
  • It shows physical link, but diagnostics say there are issues with speed negotiation (speed test failed, link test passed).
  • Port LED on switch flashes green.
  • I tried to do a firmware update but I can't find any matching IDs for an update.
  • Device Manager lists the controller as MT26428.
  • The drivers used for installation are VPI_WinOF version 5.35.

Problem 2: Connect IB-Switch with GBE-Switch

Details:

  • To be more precise, we want to connect a Mellanox IS5022 with an HP ProCurve 2810-48G directly or with an adapter/converter
  • Protocol used is IP over IB.
  • As far as I know we need to convert from QSFP+ QDR (or SDR/DDR) to usual 1 Gb Ethernet.
  • We already tried to connect these switches ourselves with no success:
  • IS5022 -> HP QSFP-SFP Adapter 655874-B21 -> GBIC HP SX-LC J4858C -> SX multimode 850nm LC cable -> HP GBIC HP SX-LC J4858C -> ProCurve 2810.
  • GBICs and fibre cable are functional; I tried them with another GbE switch and they are fine.
  • The distributor said that our QSFP to SFP adapter will work because they sell/use them quite often together with an IS5022.
  • The current error I would describe as: physical link LED is off.

Additional Details

  • InfiniBand is already working between some hosts: 2x HP DL360 Gen9 with ESXi 6.5 and Mellanox ConnectX-2 NICs connected to a Mellanox IS-5022 switch.
  • I want to use IB for usual IP/network communication between hosts and clients.
  • IS-5022 is an unmanaged switch for 40 Gbit/s / QDR IB
  • Tried several drivers on the Windows machine - no success
  • Controller port configuration changed to auto / IB or ETH - no success
  • Tried everything with both ports on the NIC and different ports on the switch - no difference

Any ideas or advice?



Key features to achieve 2Gbit/s single communication stream with LACP

Hey there,

I have heard a rumor (it has already been proven to work) that it is possible to achieve a higher throughput for a single data stream just with LACP configuration. For example, with 2x 1 GBit/s ports, transfer one file with more than 120 MB/s.

There were 3 admins who proved to me it is working, but failed to get it working on my setup. The main problem is they cannot tell me where I have to look for or at. I have dug into this topic for a really long time, for years now, and now I am trying to get some help here. So far some basics that might cover my issue:

  • smb3 introduced multipath / multichannel data transfer when using multiple nics with multiple ip addresses. But this is not what i want
  • LACP has different revisions and implementations. There are at least two different functionalities known as TRUNK MODE and ADAPTER TEAMING. Only the last option seems to be suitable for my needs.
  • there are several load balancing algorithms for LACP. Depending on the device you need to choose a specific one to get it working. Some call it Layer2 and Layer3 or MAC and IP with Source and Destination address calculation?!.

So far I wasn't able to achieve 2 GBit/s with a single stream in my setup / network / lab.

More Details

  • Bandwidth is tested with iperf
  • OS used is windows server 2012 R2
  • Hardware used are Fujitsu RX200 S8, Intel MFSYS25, QNAP TS-563 Pro, some other Servers/workstations with Intel DUAL Server port Adapters
  • Switches I tried are HP OfficeConnect 1920s and Netgear ProSafe GS724T
  • German short overview about this topic and screenshots of other admins' transfer speeds: https://docdro.id/5VUAeXS

Windows config

  • Teaming = LACP
  • Load Balancing = Dynamic
  • Standby - none

Switch Config

  • LACP Dynamic for NAS and windows servers
  • LACP Static for ESXi hosts

ESXi config

  • switch type = vSphere distributed Switch
  • nic type = vmxnet3
  • Load Balancing = IP Hash
  • Failover = status only
  • notify switches = yes
  • fallback = no

NAS config

  • teaming = 802.3ad
  • Load Balancing = Dynamic
  • Standby = no
  • QNAP claims that their device cannot achieve more than 1 GBit/s on a single stream. Other examples that are working were always with Synology DiskStations (2 cases so far)

My goal is to achieve more throughput for backups between multiple ESXi hosts and our backup server and to increase bandwidth between multiple hosts. I have a second project running with InfiniBand, but that's not functional for now :-/. And I really want to know why they can do what I cannot.
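An added example, not from the original post: a simulation of the per-frame member-link selection that LACP bundles use. 802.1AX distributes conversations across member links with a deterministic hash of packet headers and never splits one conversation, so a single TCP stream (one iperf connection) is pinned to one link under every policy; parallel streams between the same two hosts only spread when the hash includes the L4 ports. The hash, addresses and ports below are constructed for the example.

```python
"""Added example, not part of the original post: a simulation of how a LACP
bundle picks a member link per frame. The hash is a simplification (XOR of
the low byte of each selected header field, modulo the member count); real
switches and NICs use their own hash functions, but every one of them is a
deterministic function of the same packet headers, which is the property shown
here. Addresses and ports are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, replace
from typing import Dict, Iterable


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _mac_low_byte(mac: str) -> int:
    return int(mac.replace(":", ""), 16) & 0xFF


def _ip_low_byte(ip: str) -> int:
    return int(ipaddress.ip_address(ip)) & 0xFF


def hash_inputs(flow: Flow, policy: str) -> tuple:
    """Header fields that a given load-balancing policy feeds into the hash."""
    if policy == "src-dst-mac":
        return (_mac_low_byte(flow.src_mac), _mac_low_byte(flow.dst_mac))
    if policy == "src-dst-ip":
        return (_ip_low_byte(flow.src_ip), _ip_low_byte(flow.dst_ip))
    if policy == "src-dst-port":     # L4-aware: IPs plus TCP/UDP ports
        return (_ip_low_byte(flow.src_ip), _ip_low_byte(flow.dst_ip),
                flow.src_port & 0xFF, flow.dst_port & 0xFF)
    raise ValueError(f"unknown policy {policy}")


def select_member(flow: Flow, policy: str, members: int) -> int:
    """Index of the member link this flow is pinned to (0 .. members-1)."""
    h = 0
    for value in hash_inputs(flow, policy):
        h ^= value
    return h % members


def link_usage(flows: Iterable[Flow], policy: str, members: int = 2) -> Dict[int, int]:
    """How many of the given flows land on each member link."""
    return dict(Counter(select_member(f, policy, members) for f in flows))


# One iperf stream between two hosts, and the same transfer split into eight
# parallel streams (iperf -P 8): same MACs and IPs, different source ports.
SINGLE = Flow("00:11:22:33:44:55", "66:77:88:99:aa:bb",
              "192.168.1.10", "192.168.1.20", 50000, 5201)
PARALLEL = [replace(SINGLE, src_port=50000 + i) for i in range(8)]

if __name__ == "__main__":
    for policy in ("src-dst-mac", "src-dst-ip", "src-dst-port"):
        print(f"{policy:13s} single stream -> links {link_usage([SINGLE], policy)}"
              f"   8 parallel streams -> links {link_usage(PARALLEL, policy)}")
```

Whatever the policy, `link_usage([SINGLE], ...)` has one key: every frame of the stream carries the same headers, so it always hashes to the same member. With `src-dst-ip` (the ESXi "IP Hash" in the post) even eight parallel streams between the same pair of hosts stay on one link; only an L4-aware policy spreads them, and then it is the number of flows, not the size of one flow, that fills the second link.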



Patch Panels

We use Leviton 48 port patch panels. Simple question: how long can I reasonably expect one of these to last before it needs to be replaced?

Is it just a matter of punching them down again every so often and they last forever? Should these have a regular replacement schedule?



Multicast-questions

Hi guys,

I am currently troubleshooting a strange problem, which I can't really grasp right now. While troubleshooting, I've got some questions concerning multicast traffic and IGMP snooping on switches.

For the sake of clarity our internal network in this post is 172.16.0.0/16. This might be relevant later.

Our Check Point firewall cluster spams our intranet with its multicast packets. IGMP snooping is active at the Cisco core switch, where the firewalls are connected.

In order to troubleshoot that issue, I've looked at the switch, and both firewall ports got recognized and grouped with a multicast address.

CORESWITCH#sh ip igmp snooping groups
Vlan   Group        Type   Version   Port List
1      224.1.1.10   igmp   v2        Gi3/0/36, Gi4/0/36

Next, I've mirrored one of the interfaces and looked at the multicast traffic itself. After searching around on the internet and looking at mDNS broadcasts etc. with Wireshark, my understanding is that a 'proper' multicast packet looks like this (internal IP addresses and MACs are changed/randomized):

Source IP Destination IP Source MAC Destination MAC
172.16.3.4 224.0.0.251 0f:1d:ef:73:d4:ab 01:00:5e:00:00:fb

So for me the proper multicast packet has a normal source IP and MAC and a multicast destination IP and MAC.

Now looking at the Check Point High Availability multicasts which are my problem, i see the following:

Source IP Destination IP Source MAC Destination MAC
0.0.0.0 172.16.0.0 00:00:00:00:fe:01 01:00:5e:01:01:0a

so for me the Check Point CPHA multicast looks strange, and the problem is, it gets forwarded via our whole campus.

My next step would be to talk to our Check Point consultant, and to look into the 'weird' multicast packets sent by the Check Points.

My Question is:

  • Is my discovery right that the Check Point multicasts are not real multicasts but rather broadcasts, and that they are being forwarded because of this?
  • What could I do to troubleshoot this further?

Thank you guys in advance for any help, it is much appreciated.
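An added example, not part of the original post: the IPv4 group-to-MAC mapping behind the two captures quoted above, and a classifier that says whether a frame's destination IP and destination MAC agree with each other. The frames are constructed to mirror the captures; the code only labels frames and does not model how any particular switch forwards them.

```python
"""Added example, not part of the original post: the IPv4 group-to-MAC mapping
that the captures above rely on, and a classifier that says whether a frame's
destination IP and destination MAC agree. The sample frames are constructed to
mirror the two captures quoted above; the classifier only labels frames, it
does not model how any particular switch forwards them."""
import ipaddress
from typing import List


def mcast_mac_for(group: str) -> str:
    """RFC 1112 mapping: 01:00:5e + the low 23 bits of the group address."""
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    low23 = int(g) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (
        (low23 >> 16) & 0x7F, (low23 >> 8) & 0xFF, low23 & 0xFF)


def groups_for_mac(mac: str) -> List[str]:
    """The 32 IPv4 groups that share one multicast MAC (5 bits of the group are
    not carried in the MAC: the low 4 bits of the first octet and bit 23)."""
    octets = [int(x, 16) for x in mac.lower().split(":")]
    if octets[:3] != [0x01, 0x00, 0x5E] or octets[3] > 0x7F:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC")
    low23 = (octets[3] << 16) | (octets[4] << 8) | octets[5]
    return [str(ipaddress.IPv4Address((first << 24) | (bit23 << 23) | low23))
            for first in range(224, 240) for bit23 in (0, 1)]


def classify_frame(dst_ip: str, dst_mac: str) -> str:
    """Label a frame by the relationship between its L2 and L3 destinations."""
    dst = ipaddress.IPv4Address(dst_ip)
    mac_octets = [int(x, 16) for x in dst_mac.lower().split(":")]
    if mac_octets == [0xFF] * 6:
        return "broadcast"
    if not (mac_octets[0] & 0x01):               # I/G bit clear: unicast MAC
        return "unicast"
    if dst.is_multicast and mcast_mac_for(dst_ip) == dst_mac.lower():
        return "ip-multicast"
    if dst.is_multicast:
        return "ip-multicast-with-mismatched-mac"
    return "multicast-mac-but-non-multicast-ip"


# Constructed frames that mirror the two captures quoted in the post:
# (source IP, destination IP, destination MAC).
MDNS_FRAME = ("172.16.3.4", "224.0.0.251", "01:00:5e:00:00:fb")
CPHA_FRAME = ("0.0.0.0", "172.16.0.0", "01:00:5e:01:01:0a")

if __name__ == "__main__":
    for src, dst, mac in (MDNS_FRAME, CPHA_FRAME):
        print(f"{src:>12} -> {dst:<12} {mac}: {classify_frame(dst, mac)}")
    print("224.1.1.10 maps to", mcast_mac_for("224.1.1.10"))
    print("groups sharing 01:00:5e:01:01:0a:",
          ", ".join(groups_for_mac("01:00:5e:01:01:0a")[:4]), "...")
```

The MAC in the second capture, 01:00:5e:01:01:0a, is exactly what 224.1.1.10 (the group in the snooping table above) maps to, but the IP header of that frame is addressed to 172.16.0.0, so its L2 and L3 destinations do not agree; the classifier makes that distinction explicit. The `groups_for_mac` output is the reason a switch has to key group membership on the IP address rather than on the MAC: 32 different groups share one multicast MAC.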



VRRP - virtual-ip-ping - Aruba/Procurve

Hello Networkers,

I am preparing to replace a core switch with ISC (2x5406R v2). It will be a 1:1 exchange (to 2x5406R v3).

Existing firmware: 15.16.0005

New Firmware: 16.08.0002

Unfortunately a VSF is not possible, because we still have to use V2 modules....

My question:

Under the old firmware my global VRRP config looked like this:

 router vrrp
  virtual-ip-ping ipv4 enable
  exit

The command virtual-ip-ping does not exist anymore. Has this command become unnecessary because virtual-ip-ping is now default or is there a new command?



Actual advantages or disadvantages of enabling EEE / 802.3az?

Hi

I've been reading up a bit on the advantages and disadvantages of Energy-Efficient Ethernet (EEE) / 802.3az. Most switches that support it so far seem not to enable it by default. I've enabled it for testing on one switch that mostly feeds Ubiquiti access points to see what happens during idle times. From that small sample it looks like there is some reduction in total power usage during nights and school holidays, so I wouldn't be opposed to it if it doesn't come with issues like affecting stability.

I've tried to find the disadvantages and / or issues enabling EEE might give us. So far the added latency is something that is definitely not wanted in low-latency networks such as audio (DANTE) or high-frequency trading. But that's not my use case. Other than that, I haven't found many disadvantages or reports where it would affect stability or even when the connected device wouldn't support 802.3az but the switch does.

I've found a paper published through IEEE in 2013 that shows that the process of switching from LPI mode to operational mode on a port causes some spikes that might "eat up" the power saving of LPI mode to a certain degree. (Bolla, Bruschi, Lago: The Hidden Cost of Network Low Power Idle)

Are there any other sources or experiences that you could share or point me at?



Thursday, April 11, 2019

MPLS/VPLS Service

I am looking at an MPLS/VPLS proposal tomorrow to inter-connect some branch circuits. I don't know a whole lot about MPLS or VPLS; I have yet to encounter a use case as a systems architect where I had to work with these technologies. One of the questions I have yet to seek clarity on is the CE router. Do SPs typically provide this with their solution and maintain this device? What is the hand-off to the customer, typically?



Sonicwall to Azure VPN connected no traffic

Hi all,

Fairly new to the scene and am in the process of setting up an azure to sonicwall VPN. Sonicwall is a SOHO running SonicOS Enhanced 5.9.1.7-2o

I can see the VPN as connected in AZ and on the sonicwall however no traffic is coming through.

I set up the address object for the VPN it points to the subnet of the AZ gateway 192.167.1.0

The VPN is set as site-to-site - IKE pre shared secret with the primary gateway as the public IP of the AZ gateway

Proposals are: Phase 1 - IKEv2 - Group 2 - AES-256 - SHA1 - 3600

Phase 2 - ESP - AES-256 - SHA1 - 3600

Keep alive is checked

The networking tab of the VPN policy is set to any address and then the destination is the azure address object

I have routes in place from azure to any local and from any local to Azure

The logs:

Time             ID    Category  Priority  Message
09:23:54 Apr 12  712   Network   Debug     TCP connection reject received; TCP connection dropped  ACK RST
09:23:53 Apr 12  1327  VPN       Inform    IKEv2 Send Dead Peer Detection Response  Evo-AZV...
09:23:53 Apr 12  171   VPN       Debug     SENDING>>>> ISAKMP OAK IKEV2_INFORMATIONAL (InitCookie:0x43a4286b88e45b06 RespCookie:0xef8518ea0109f6f0, MsgID: 0x185)
09:23:53 Apr 12  1324  VPN       Inform    IKEv2 Received Dead Peer Detection Request
09:23:53 Apr 12  171   VPN       Debug     RECEIVED<<< ISAKMP OAK IKEV2_INFORMATIONAL (InitCookie:0x43a4286b88e45b06

These repeat with the exception of the TCP connection error

The firewall rules all auto built with creation of the VPN.

Azure has the local network gateway as the public IP of the Sonicwall.

The virtual network gateway is the public IP assigned in AZ.

Address space: 192.167.0.0/16

I have 396b of traffic in and none out. I cannot ping anything in AZ, public or otherwise. I have not updated any of the NSG rules for the one VM that is up yet as I am not sure what to allow, I thought a VPN negated the need for those rules as they applied to the public IP.

Please let me know if anything else is needed.

Cheers

Edit - added more info



TIL you can permit/deny IP ranges and groups

By ranges I mean like 10.10.10.10 through 10.10.10.20, not something based on a subnet mask.

And say a group consisting 10.10.10.10, 192.168.1.5, 172.30.10.251, or whatever.

Duh. I wish I knew that long ago. I'd provide examples but I'm guessing I don't have much company in that regard. Note to self: quit sniffing glue.

I'm referring to the ASA here, not sure about others.



Is the output(!) of a passthrough(!) powerline adapter filtered from the signal it gets in its power input?

I know this might not apply to every design, but I was wondering if it's a kind of standard amongst PLC designs in general, or not at all, or if some companies do it on some models and others don't, and if yes or no, why.



Google....Reddit...Cisco TAC progression

Working through a problem (self-induced) that while the solution is normally pretty straightforward (google answer), it involves a VSS config. Specifically, a pair of Cisco 6816X-LE's running IOS 15.5.1.

Login works to Router>. When I attempt to elevate to Enable, I get the error "% Error in Authentication". The procedure is clear: restart to ROMMON, confreg 0x2142, fix the AAA local config that I fouled up, config-register 0x2102, reboot, ta-da.

Doesn't seem to work with the VSS as the reset button (to initiate ROMMON) only seems to restart one of the two switches. The other one takes over as primary. Before I head off to open a TAC Case, is there a solution here in the sub?

Thanks -



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



I was thinking about what would happen if I was ssh'ed into a router, ran an infinite ping, and then closed the session....

...then realized what would happen if I was remoted into a Windows box and ran ping -t. Obviously I would need to reboot or start a new session and kill the process. And then that got me thinking that some routers you can't just reboot. And then that got me thinking that killing individual processes on routers is more common than I once thought. But how do you guys know what processes are causing problems? I know Juniper is built on FreeBSD and see how you could do some OS troubleshooting...but what about Cisco?

I don't really know what to ask...I guess I'm just looking to explore this topic and get people talking about it because I've never really considered just killing individual processes.



Computer History Museum - Oral History of Bob Metcalfe

Thought this might be interesting for those that like knowing a bit about history. I for sure have enjoyed listening. It's pretty much 5+ hours, discussing the origins of Ethernet, 3Com, work at Xerox PARC, and all you can imagine from the period where inventions helped shape what we know today.

Oral History of Robert "Bob" Metcalfe, Part 1

Oral History of Robert "Bob" Metcalfe, Part 2



Why do Ethernet speeds come only in the flavors of 1, 10, 40, 100 Gig?

Is there anything physically limiting from doing 6 gig, 55 gig speeds?

I know LACP is there, but I am talking about a single link.



Cisco's new licensing model

We have a couple of 5508 WLCs with a 100 or so APs. Got a quote for an additional AP from our Cisco reseller and Cisco added a little tidbit to the price. AIR-DNA-A-5Y. I think it's a mistake since we're still using legacy equipment so I'm going to have him remove it since it adds $400+ to the quote for one AP.

But I've been doing some cursory reading and I guess it's their new licensing platform? for the controllers like the 9800 series. Seems a little expensive to add an extra $400 per AP for licensing that's only good for 5 years. Went back through an old quote to add 50 licenses to our current controller and it was $192 per license that never expired. Maybe I'm cynical but seems this is a bit of a money grab. I wonder if the license expires and it bricks your APs like Meraki?

I'm curious if anyone has been using the new Cisco DNA licensing platform and what would the benefits be exactly?

https://www.cisco.com/c/dam/en/us/products/collateral/software/nb-06-dna-acces-wl-sw-faq-ctp-en.pdf



Routed access LAN design in progress, what about WiFi?

I'm setting up an office LAN (~20 48p switches) using a lot of refurb Catalyst 3750X, and I want to design it as a fully routed access network, down to the clients (with VRF). We already have many Ubiquiti APs; does anyone know how to fit them into this scenario? Of course there is the problem of client mobility between APs. I was thinking about tunneling them to the core (which I suppose will be made of a bunch of N3Ks), but I don't really like this double-standard solution...

Any hint will be appreciated :).



Dell R4148T running Dell OS10 Enterprise issues with VLT Lags

Anyone else have inconsistent behavior with a VLT pair on switches running Dell OS10 Enterprise? I have a pair of switches running the latest firmware that seem to improperly turn up a LAG to a server before fully applying some sort of background configuration. All looks well. Port channels are up. MAC learning on the PC looks correct, yet if I sniff the port on the host I only see locally generated ARP requests etc. on the port. No broadcasts or anything from the rest of the VLAN. It just so happens I do see the LACP packets from the switch though. This only seems to be on newer firmware.



C9500-16X third party SFP compatibility

Anyone have any luck with third-party SFPs on the 9k series? Just got off chat with the fs.com rep and they say the 9k isn't supported. Does anyone know of any vendors that make a compatible SFP?

also, before anyone asks, yes these two commands are in my config.

no errdisable detect cause gbic-invalid

service unsupported-transceiver 

thanks



Have to use IP when UNC while on VPN

I set up a VPN from my home to my small business office and all works fine EXCEPT:

When I UNC to a PC on the work network I have to use IP instead of name. What am I missing? Not a huge deal at all but I wouldn't mind fixing it.

EXAMPLE:

I want to \\mypc\d$

But I have to \\192.168.13.144\d$



Question about altering the local preference in a MP-BGP configuration.

I'm currently studying CCNP and am lost on what to do in this situation, would appreciate advice.

If I have a network setup with MP-BGP configured, which is using IPv4 BGP Transport, how would I go about setting the local preference with a route map. More specifically, where would I place the map?

If I was configuring standard IPv4 BGP, I would go about it like this.

R1(config)# route-map PRIMARY_T1_IN permit 10
R1(config-route-map)# set local-preference 150
R1(config-route-map)# exit
R1(config)# router bgp 64512
R1(config-router)# neighbor 192.168.1.5 route-map PRIMARY_T1_IN in

In MP-BGP, would I create two different maps, and place one in each IPv4/IPv6 address family, or rather just place one map in the general BGP config? I can't find reference to this anywhere.

Thank you!



I need IBM X3650 M4 use ideas.

I have a dual socket X3650 M4 at work that is mine to play with and learn on. Since it's still plenty powerful and work is picking up the electric bill, what are some things you'd do with a 24 thread server and 256GB of RAM? I have about 10TB of space to work with on it.



Protection for OnPrem from hybrid cloud

We are currently running an AWS hybrid deployment with a 10G direct link to AWS. Due to some configuration errors, AWS servers bombarded our internal proxy systems with way too many requests and data and basically caused a major incident. How do you guys protect your on-prem systems from a hybrid cloud DoS attack? Policing on our routers probably causes more problems than it helps; we do not need a 10G link if we want to do that. Maybe some kind of DDoS appliance? Any other ideas? Thanks!



What type of Major did you have?

(not career advice, just curious)

I'm A+ and Net+ Certified out of HS, about to attend college in the fall. I've been slated for a CIT program, which I am content with. I'm just wondering what type of majors other people in networking have gotten. Again, not looking for advice, just curious!



What is a router’s favorite drink?

http://bit.ly/2UeWa65

show spannning-tree vlan XXX output

I am troubleshooting high CPU on a few (5 out of 75) Cisco 3650 (3.07.04E) switches in a flat L2 network. I found that the STP process is floating around 60% on one of the switches.

Is it normal to have all the client interfaces reported in the output of 'show spanning-tree vlan xxx'?

switch#show spanning-tree vlan 200

VLAN0200
  Spanning tree enabled protocol rstp
  Root ID    Priority    4327
             Address     xxxx.xxxx.xxxx
             Cost        4
             Port        52 (TenGigabitEthernet1/1/4)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32999  (priority 32768 )
             Address     xxxx.xxxx.xxxx
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/6             Desg FWD 4         128.6    P2p Edge
Gi1/0/12            Desg FWD 4         128.12   P2p Edge
Gi1/0/14            Desg FWD 19        128.14   P2p Edge
Gi1/0/24            Desg FWD 100       128.24   P2p Edge
Gi1/0/26            Desg FWD 4         128.26   P2p Edge
Gi1/0/29            Desg FWD 4         128.29   P2p Edge
Gi1/0/30            Desg FWD 4         128.30   P2p Edge
Gi1/0/40            Desg FWD 4         128.40   P2p Edge
Gi1/0/41            Desg FWD 4         128.41   P2p Edge
Gi1/0/42            Desg FWD 4         128.42   P2p Edge
Gi1/0/47            Desg FWD 4         128.47   P2p Edge
Te1/1/4             Root FWD 2         128.52   P2p



Trying to enter a classless IP address for RIPv2. Keeps trying to convert to classful.

Am I missing something here? I have IP 16.10.1.1 as the address I want to enter, and the subnet mask is 255.255.255.252, but it keeps going back to 255.255.0.0 as the mask to attempt to make it classful. I thought the "no auto-summary" command might work, but it doesn't. Any idea why this is happening?



New RDP Compliance options

Hello.

I am an administrator at a small business who was just given some new requirements by a big customer for our server network/RDP environment. Their new rules are:

Can't use standard RDP port

Must only allow access from trusted subnet

Can't access from outside.

I was never foolish enough to have an internet-facing RDP port listening. Since getting this, I have created a group policy that changes the port that all machines in the "server" OU use for RDP connections from the standard to some number we made up. Let's use 90210 for an example.

However, I am wondering about the subnet portion. Everything I read online says you should use the Windows Firewall to do this but that seems clunky to me. I'm wondering if I can just put an ACL on the server Vlan interface on our core switch that could do the job quickly and easily?

Would something like this work?

10 permit tcp (the.trusted.subnet) (the.server.subnet) eq 90201

20 deny tcp any (the.server.subnet) eq 90210

30 permit ip any any

Does this seem like a good thing to do or am I totally on the wrong track here? Any ideas of the best way to implement this would be appreciated!! Thanks!
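An added example that is not from this post nor from the earlier "ACL VLAN question" post, written to serve both: a stateless, first-match, implicit-deny ACL evaluator in Python. It shows why a "deny everything into VLAN 10" ACL on the VLAN 20 side also drops PC2's replies to PC1 unless the reply direction is permitted explicitly (what the `established` keyword does for TCP on a stateless ACL), and how ordered, port-keyed entries like the three lines above behave. All hosts, subnets and the stand-in port are constructed.

```python
"""Added example, not from either post: a small stateless ACL evaluator that
mimics the first-match / implicit-deny behaviour of a router ACL. It is used
to show two things: (1) a 'deny everything into VLAN 10' ACL on the VLAN 20
side also drops PC2's replies to PC1 unless return traffic is permitted
explicitly (the 'established' keyword idea), and (2) how ordered entries
keyed on a destination port behave. Hosts, subnets and the port are
constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

PC1, PC2 = "10.0.10.11", "10.0.20.22"        # constructed: PC1 in VLAN 10, PC2 in VLAN 20
VLAN10_NET, VLAN20_NET = "10.0.10.0/24", "10.0.20.0/24"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                            # "tcp" / "udp" / "icmp"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol
    src: str                       # CIDR; "0.0.0.0/0" is 'any'
    dst: str
    sport: Optional[int] = None    # 'eq' on the source port
    dport: Optional[int] = None    # 'eq' on the destination port
    established: bool = False      # only TCP segments with ACK or RST set


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in ipaddress.ip_network(e.src):
        return False
    if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(e.dst):
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    if e.established and not (p.proto == "tcp" and p.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; no match is the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"


def handshake_outcome(vlan10_in: List[Entry], vlan20_in: List[Entry]) -> Tuple[str, str]:
    """Decision for PC1's SYN (enters the router from VLAN 10) and for PC2's
    SYN-ACK (enters from VLAN 20): the two directions of one connection."""
    syn = Packet(PC1, PC2, "tcp", 51000, 8000, frozenset({"SYN"}))
    syn_ack = Packet(PC2, PC1, "tcp", 8000, 51000, frozenset({"SYN", "ACK"}))
    return evaluate(vlan10_in, syn), evaluate(vlan20_in, syn_ack)


# Inbound on the VLAN 10 side: only PC1 -> PC2:8000 may cross into VLAN 20.
VLAN10_IN = [
    Entry("permit", "tcp", PC1 + "/32", PC2 + "/32", dport=8000),
    Entry("deny", "ip", VLAN10_NET, VLAN20_NET),
    Entry("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]
# The plan in the VLAN question: block everything from VLAN 20 into VLAN 10.
VLAN20_IN_BLOCK_ALL = [
    Entry("deny", "ip", VLAN20_NET, VLAN10_NET),
    Entry("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]
# Same, with the reply direction of the allowed connection permitted first.
VLAN20_IN_WITH_RETURN = [
    Entry("permit", "tcp", PC2 + "/32", PC1 + "/32", sport=8000, established=True),
] + VLAN20_IN_BLOCK_ALL

# Ordered, port-keyed entries in the style of the RDP question. 3390 is a
# stand-in non-standard port for the example.
TRUSTED_NET, SERVER_NET, RDP_PORT = "10.0.50.0/24", "10.0.60.0/24", 3390
SERVER_ACL = [
    Entry("permit", "tcp", TRUSTED_NET, SERVER_NET, dport=RDP_PORT),
    Entry("deny", "tcp", "0.0.0.0/0", SERVER_NET, dport=RDP_PORT),
    Entry("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("block-all on VLAN 20:", handshake_outcome(VLAN10_IN, VLAN20_IN_BLOCK_ALL))
    print("with return entry:   ", handshake_outcome(VLAN10_IN, VLAN20_IN_WITH_RETURN))
    for src in ("10.0.50.5", "192.0.2.9"):
        p = Packet(src, "10.0.60.10", "tcp", 40000, RDP_PORT, frozenset({"SYN"}))
        print(f"{src} -> server:{RDP_PORT} {evaluate(SERVER_ACL, p)}")
```

With the block-all list the SYN is permitted but the SYN-ACK is denied, so the connection never completes; the extra entry that matches PC2's source port 8000 with ACK or RST set lets only replies through while still refusing anything PC2 initiates. In the port-keyed list the order matters: the trusted-subnet permit has to sit above the deny, and the trailing `permit ip any any` decides every packet that is not aimed at that port.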



OSPF instead of static routes

Hey everyone, first post here so bear with me. I just started overseeing a network of about 28 sites all inside city limits. They're all connected to AT&T OEM/ASE clouds (two clouds, currently migrating all to ASE), and all sites are connected with static routes (and very large ACLs).

So I am planning on doing OSPF and get rid of all static routes (along with new L3 and L2 equipment, the current gear is about 10 years old), and create Lo0 addresses for management.

I will be using RFC1918 addresses and want to use 10.x.x.x for the management VLAN and 172.x.x.x. for the Lo0. Company is growing so I need to account for that. So my questions for you experts would be

1) Any issues with using Lo0 addresses starting 172.16.1.254/32, 172.16.2.254/32 and so forth?

2) The existing routers are currently addressed starting at 10.1.1.1, 10.2.1.1 and ending in 10.28.1.1. Any issues with addressing the new one starting at 10.30.1.254/24, 10.31.1.254/24, etc?

3) I want to start the OSPF zones at 0.0.0.0 (DataCenter) and go up from there using odd numbers (0.0.0.3 for the DR site, 0.0.0.5, etc). This will leave the even numbers for future growth.

I am well aware that everything needs to be re-IP'd and management is OK with that.

Suggestions are appreciated.

Thanks!



Those who have switched out from Cisco to Arista in the enterprise, what is your opinion on Arista in your environment?


Issues with Aerohive WiFi? Seeing lots of users disconnect.

I have been having issues with our Aerohive system here for the last two months, and have been working a ticket with Aerohive support without much success the entire time. I am using an on premise hivemanager using hivemanager classic.

Has anyone else experienced any frustration with this wireless solution? Our issues seemed to start right after we were troubleshooting a localized issue with support. They recommended upgrading to the latest firmware (6.5r12) as well as enabling background scanning and channel auto selection. After this everything seemed to go south; we have users disconnecting all over the building. We have since reverted every single setting we could back, but are still having users here and there with spotty wifi.

We are at the point of trying to get Aerohive out on site because it seems as if their techs are just unable to get to the bottom of our issues. I have dug through logs on devices on our physical network but don't see anything out of the norm.

There is so much troubleshooting we have done to try and attack this from every angle that it would be hard to list it all out here. What I do have is some logs from the most recent disconnect event on the AP. I have deleted the hostnames and usernames from this log.

Any ideas on this? Similar experience?

2019-04-10 14:58:50 info ah_auth: [Auth]: receive driver notification[0x8c04, IWEVEXPIRED] for Sta[4851:b704:b0f0] at Hapd[4018:b1b3:b829, wifi1.2]
2019-04-10 14:58:50 info ah_auth: sta 4851:b704:b0f0 is disassociated from 4018:b1b3:b829(wifi1.2) in driver
2019-04-10 14:58:50 info ah_auth: [Auth]: receive driver notification[0x8c04, IWEVEXPIRED] for Sta[4851:b704:b0f0] at Hapd[4018:b1b3:b829, wifi1.2]
2019-04-10 14:58:50 info ah_auth: sta 4851:b704:b0f0 is disassociated from 4018:b1b3:b829(wifi1.2) in driver
2019-04-10 14:58:50 info ah_auth: [Auth]: receive driver notification[0x8c04, IWEVEXPIRED] for Sta[4851:b704:b0f0] at Hapd[4018:b1b3:b829, wifi1.2]
2019-04-10 14:58:50 info ah_auth: sta 4851:b704:b0f0 is disassociated from 4018:b1b3:b829(wifi1.2) in driver
2019-04-10 14:58:50 info ah_auth: [Auth]: receive driver notification[0x8c04, IWEVEXPIRED] for Sta[4851:b704:b0f0] at Hapd[4018:b1b3:b829, wifi1.2]
2019-04-10 14:58:43 info kernel: [mesh]: set proxy : b4ae:2b3c:8379 4018:b1b3:b800 wifi0.1 flag 0x1c03
2019-04-10 14:58:43 info amrp2: set proxy route: b4ae:2b3c:8379 -> 4018:b1b3:b800 ifp wifi0.1 upid 300 flag 0x1c03 monitor(0/0) pkt/sec ok
2019-04-10 14:58:43 info amrp2: receive event <STA join>: b4ae:2b3c:8379 (ip 10.0.124.14) associate wifi0.1 upid 300 vlan 1 flag 0x00000000
2019-04-10 14:58:43 info ah_auth: [Auth]STA(b4ae:2b3c:8379) login to SSID(wifi0.1) by user_name=host/
2019-04-10 14:58:43 info kernel: [mesh]: set proxy : b4ae:2b3c:8379 4018:b1b3:b800 wifi0.1 flag 0x1c03
2019-04-10 14:58:43 info amrp2: set proxy route: b4ae:2b3c:8379 -> 4018:b1b3:b800 ifp wifi0.1 upid 300 flag 0x1c03 monitor(0/0) pkt/sec ok
2019-04-10 14:58:43 info amrp2: receive event <STA join>: b4ae:2b3c:8379 (ip 10.0.124.14) associate wifi0.1 upid 300 vlan 1 flag 0x00000001
2019-04-10 14:58:43 info ah_auth: add new RT sta: MAC=b4ae:2b3c:8379, IP=10.0.124.14, hostname=ee, username=host/ on wifi0.1
2019-04-10 14:58:43 info ah_auth: [Auth]STA(b4ae:2b3c:8379) login to SSID(wifi0.1) by user_name=host/
2019-04-10 14:58:42 info ah_auth: sta 4851:b704:b0f0 is disassociated from 4018:b1b3:b815(wifi0.2) in driver
2019-04-10 14:58:42 info ah_auth: [Auth]: receive driver notification[0x8c04, IWEVEXPIRED] for Sta[4851:b704:b0f0] at Hapd[4018:b1b3:b815, wifi0.2]
2019-04-10 14:58:42 info ah_auth: [Auth]: receive driver notification[0x8c03, IWEVREGISTERED] for Sta[b4ae:2b3c:8379] at Hapd[4018:b1b3:b814, wifi0.1]
2019-04-10 14:58:42 info kernel: [wifi]: ah_idp_timeout: wifi1 idp mitigate disable
2019-04-10 14:58:41 info kernel: [wifi]: wifi0.2: suppress request from 48:51:b7:04:b0:f0, reason band-steering-prefer-5g
2019-04-10 14:58:38 info ah_auth: sta b4ae:2b3c:8379 is disassociated from 4018:b1b3:b814(wifi0.1) in driver
2019-04-10 14:58:38 info ah_auth: [Auth]: receive driver notification[0x8c04, IWEVEXPIRED] for Sta[b4ae:2b3c:8379] at Hapd[4018:b1b3:b814, wifi0.1]
2019-04-10 14:58:32 info kernel: [wifi]: ah_idp_timeout: wifi1 idp mitigate disable
2019-04-10 14:58:24 info ah_auth: sta 4851:b704:b0f0 is disassociated from 4018:b1b3:b829(wifi1.2) in driver
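An added example, not part of the original post: a parser for log lines in the format quoted above, with a check that flags clients disassociated repeatedly within a short window, which is the pattern to look for across a whole building's worth of AP logs rather than reading one AP at a time. SAMPLE_LOG is a short set of lines in that format (the MACs are the ones from the quoted log); the 60-second window and the threshold of three disassociations are assumptions to tune.

```python
"""Added example, not part of the original post: parse AP log lines in the
format quoted above and flag clients that are disassociated repeatedly within
a short window. SAMPLE_LOG is built from a handful of lines in that format
(the same MACs as the quoted log); the window and threshold are assumptions
to tune, not vendor values."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

SAMPLE_LOG = """\
2019-04-10 14:58:24 info ah_auth: sta 4851:b704:b0f0 is disassociated from 4018:b1b3:b829(wifi1.2) in driver
2019-04-10 14:58:38 info ah_auth: sta b4ae:2b3c:8379 is disassociated from 4018:b1b3:b814(wifi0.1) in driver
2019-04-10 14:58:41 info kernel: [wifi]: wifi0.2: suppress request from 48:51:b7:04:b0:f0, reason band-steering-prefer-5g
2019-04-10 14:58:42 info ah_auth: sta 4851:b704:b0f0 is disassociated from 4018:b1b3:b815(wifi0.2) in driver
2019-04-10 14:58:43 info amrp2: receive event <STA join>: b4ae:2b3c:8379 (ip 10.0.124.14) associate wifi0.1 upid 300 vlan 1 flag 0x00000001
2019-04-10 14:58:50 info ah_auth: sta 4851:b704:b0f0 is disassociated from 4018:b1b3:b829(wifi1.2) in driver
"""


class Event(NamedTuple):
    ts: datetime
    mac: str         # normalised to 12 lower-case hex digits
    kind: str        # "disassoc", "join" or "suppress"
    detail: str      # radio/SSID interface, or the suppress reason


LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ \S+ (.*)$")
DISASSOC_RE = re.compile(r"sta ([0-9a-f:]+) is disassociated from [0-9a-f:]+\((\S+)\) in driver")
JOIN_RE = re.compile(r"<STA join>: ([0-9a-f:]+) \(ip [\d.]+\) associate (\S+)")
SUPPRESS_RE = re.compile(r"suppress request from ([0-9a-f:]+), reason (\S+)")


def norm_mac(mac: str) -> str:
    """The AP writes 4851:b704:b0f0 in some lines and 48:51:b7:04:b0:f0 in others."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        for kind, rx in (("disassoc", DISASSOC_RE), ("join", JOIN_RE), ("suppress", SUPPRESS_RE)):
            hit = rx.search(msg)
            if hit:
                events.append(Event(ts, norm_mac(hit.group(1)), kind, hit.group(2)))
                break
    return events


def flapping_clients(events: List[Event], window_s: int = 60, min_disassoc: int = 3) -> Dict[str, int]:
    """MACs with at least min_disassoc disassociations inside any window_s span,
    mapped to their total disassociation count."""
    per_mac: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.kind == "disassoc":
            per_mac[e.mac].append(e.ts)
    flapping = {}
    for mac, times in per_mac.items():
        times.sort()
        for i in range(len(times) - min_disassoc + 1):
            if (times[i + min_disassoc - 1] - times[i]).total_seconds() <= window_s:
                flapping[mac] = len(times)
                break
    return flapping


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for mac, n in flapping_clients(evs).items():
        reasons = {e.detail for e in evs if e.mac == mac and e.kind == "suppress"}
        print(f"{mac}: {n} disassociations in the sample; suppress reasons seen: {reasons or '-'}")
```

Feeding every AP's log into `parse_events` and keying on the normalised MAC gives one timeline per client across radios and APs, which is what distinguishes a client being pushed around (a suppress event followed by disassociations on another radio) from a client that simply left.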



Firepower no longer works with ASA 5506-X version 9.10(1)

How is this acceptable? Straight from the release notes:

"No support in 9.10(1) for the ASA FirePOWER module on the ASA 5506-X series and the ASA 5512-X—The ASA 5506-X series and 5512-X no longer support the ASA FirePOWER module in 9.10(1) and later due to memory constraints. You must remain on 9.9(x) or lower to continue using this module. Other module types are still supported. If you upgrade to 9.10(1), the ASA configuration to send traffic to the FirePOWER module will be erased; make sure to back up your configuration before you upgrade."

The module goes into an unresponsive state on the 5506 and as stated in the notes, is literally unusable. Are we supposed to stay on 9.9 forever now and not patch?

Anyone else run into this issue?



Best SMB router/gateway solution?

Hey guys,

I'm just going to say right off the bat I'm not looking to use UniFi. We are looking for something that has advanced security features and VPN capability. We are looking to stay in the 300 - 500 dollar range. Does anyone have any ideas on what a cheap, decent solution would be? I understand a lot of companies rely on the subscription model, which we are fine with as long as it's not 1000 dollars every year. These are for high-security clients with an office of only about 15 end users and computers. It doesn't need to be rack mountable. The security features matter the most considering we need something for companies that hold people's personal info like socials and things like that.

Thanks,



Cisco Meraki Issues

Hi all,

I work for a company that provides an RFID service to help car washes manage an unlimited wash program. We have computers all across the country that are all connected to our central server. Our local systems communicate every minute via heartbeats. We monitor the systems to ensure they maintain heartbeats so they can communicate with our website, and the central server. Every 2 hours the local machines are synced up with our system so we can store the local data on the server, and so that any new changes that have been done on the website are communicated to the local system. Our local computers must maintain an internet connection at all times to be able to communicate with our server. If for any reason it loses connection, we are alerted on our system status report with a time stamp when the last heartbeat was.

One of our largest customers with 79 locations just converted over to a new name, and in the process re-configured their networks. They now have our computer hooked up to a Cisco Meraki device for our system to get an internet connection. This device does not have a wired connection, but is running off of the cellular network. This is where I'm running into an issue. Our systems have been randomly losing internet connection, and there is no rhyme or reason as to why it is happening on our end. Our local computers do restart a service we created for RFID every 12 hours. The issue seems to be resolved every time by simply power cycling of the Cisco Meraki device, but like I said they are randomly going offline all the time. I've called the stores as the issues come about, and have them power cycle the device, but I think there is a larger problem here.

Has anyone had any similar experience with these devices? We are going to continue power cycling in the meantime, but it is definitely tedious to call the stores frequently to have them do this. I am looking for help in diagnosing the underlying issue here. We do have other customers that utilize a wired connection for their Meraki devices instead of cellular, and those don't have the same issues. This particular customer, though, wants us on the cellular network.

Thanks in advance for anyone who offers up suggestions!



Netgate TNSR: Nx10G software router using DPDK/VPP/FRR?

This newish software router from Netgate popped up in another thread yesterday about 10G on a shoestring: https://old.reddit.com/r/networking/comments/bbsgpl/10g_on_a_shoestringbudget_software_or_hardware/

Has anybody any experience with TNSR that they'd like to share? BGP and forwarding performance in particular are of interest.

Direct product link: https://www.tnsr.com/product



Running RJ45 cable underneath emergency corridor at festival: how to protect?

Dear community,

A search didn't yield any relevant posts on a problem I'll be facing (unless I failed to find the correct one, in which case I'd be glad if you could point me to it!).

I'm responsible for networking at a small festival in my hometown, and we have the problem that the internet access point is in a building that will be completely cut off from the rest of the festival (where the network needs to go) by means of an emergency access corridor for firefighters and ambulances. Due to regulations we're not allowed to traverse the corridor at any height (obviously), so the only two options for us are a) run a WiFi across the corridor and b) run the cable underneath the corridor.

I had to resort to option a) last year, where I did the job for the first time on short notice, and this didn't work as somebody placed a huge steel container for trash directly in the line of sight of the wifi emitter. You can imagine how good the signal strength is after ten meters crossing through two walls of solid centimeter-thick steel.

So this year I would like to give option b) a chance. However, even if there's no emergency, vehicles up to 12 tons (maybe more) will be using the emergency corridor to access the main stage, which means any cable I run underneath the corridor needs extra care.

What I can make use of already: There'll be a protection layer to shield the grass underneath the corridor from too much damage. Additionally, there will be many protective mats that I thought could help disperse the weight of the vehicles further.

Do you have any further advice on how to adequately protect such fragile cables from too much stress and achieve such a crossing without having to worry too much about the cable tearing apart, including advice on suitable cables (e.g. potentially flat RJ45)? Or is a suitable cable bridge which will completely shield the cable really the only viable alternative?

Thanks in advance for any help you might have!



HP CLI / Web Interface Help

Good Morning People (UK here),

I recently took on support of a site with HP Procurve switches everywhere, about 30 of them. I have a strange problem that I can't figure out on my own and I believe it may be a quick easy fix.

When I first took over the network, the previous company was kind enough to give me a list of IP addresses and passwords. They all seem to work. When I first browsed to the web interface of the switches I could view settings right away without any login, but not change them. I changed the passwords to new ones to remove any unauthorised access using the telnet command 'password all'. This prompted me to change the Operator and Manager password to new ones and confirm. I have changed them both to the same password for now.

Now when I browse to the Web Interface of the switches, I immediately see a login / password box and it does not seem to accept any combinations of my operator / manager and password. It does not tell me it's incorrect, it just loads the login page again, the same behaviour if I deliberately enter something incorrect.

A lot of the switches vary in Model number but for reference one of them is a 5406zl (J8697a).

Anyone able to offer any advice at all? I am more accustomed to Meraki and web interface management of older devices; my CLI is very rusty!



VLAN hopping on non Cisco switch

Hi guys,

I'm doing a project for school which requires me to set up a network. Within this network there are two VLANs. The reason for me to set it up like this is to test a VLAN hopping technique, specifically the switch spoofing one.

If I understand correctly, the switch spoofing technique relies on the dynamic trunk protocol. The protocol negotiates if the port should go into trunking mode or access mode. If it's in trunking mode you can pass all 802.1q tags (and they will get forwarded), because that's the purpose of trunking mode. Therefore, if you can get the port into trunking mode, the switch spoof is successful.

However, I do not possess a Cisco switch, but an HP one. I have not found a similar protocol to DTP which is, to my understanding, a requirement for switch spoofing. The closest I could find was the GVRP protocol, but that one is closer to VTP, which does not allow switch spoofing.

So the basic question is: Is VLAN hopping only possible on switches which use DTP? Or are there similar protocols (for other vendors) which allow switch spoofing to happen?

If anyone would like more information, please ask (:

Thank you for reading!

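Switch spoofing needs a trunk-negotiation protocol to exploit, but the other classic VLAN hopping variant, double tagging, depends only on how an 802.1Q bridge treats the trunk's native VLAN, which is vendor-neutral. The example below is added here and is not code from the post or from any vendor; it builds a double-tagged frame with the standard library, then models the ingress/egress rules of a single switch (access port plus 802.1Q trunk) to show which VLAN the downstream switch ends up assigning the frame to. The bridge behaviour encoded in `access_port_to_trunk` (tagged frames for the port's own VLAN are accepted, others dropped; native VLAN leaves the trunk untagged) is an assumption that matches common defaults, not a statement about any particular HP or Cisco model.

```python
import struct

TPID_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_IPV4 = 0x0800


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vids, ethertype=ETH_IPV4, payload=b"", pcp=0):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first.
    Each tag is TPID (0x8100) followed by TCI = PCP(3) | DEI(1) | VID(12)."""
    frame = mac(dst) + mac(src)
    for vid in vids:
        tci = (pcp << 13) | (vid & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return the stacked VIDs (outermost first) and the offset of the real EtherType."""
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids, off


def pop_tag(frame):
    """Strip the outermost 802.1Q tag (4 bytes right after the two MAC addresses)."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Add an 802.1Q tag in front of whatever tags are already there."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def access_port_to_trunk(frame, access_vid, trunk_native_vid):
    """Model one switch: the frame enters on an access port in `access_vid` and
    leaves on an 802.1Q trunk whose native VLAN is `trunk_native_vid`.
    Assumed bridge behaviour: the access port drops frames tagged for any VLAN
    other than its own and strips a tag for its own VLAN; the trunk sends the
    native VLAN untagged and everything else tagged.
    Returns the frame as seen on the trunk wire, or None if it was dropped."""
    vids, _ = parse_tags(frame)
    if vids:
        if vids[0] != access_vid:
            return None
        frame = pop_tag(frame)
    if access_vid == trunk_native_vid:
        return frame                      # native VLAN leaves untagged: an inner tag is now exposed
    return push_tag(frame, access_vid)    # non-native VLAN: the switch adds its own tag on top


def trunk_ingress_vlan(frame, trunk_native_vid):
    """The VLAN the next switch assigns to a frame arriving on its trunk."""
    vids, _ = parse_tags(frame)
    return vids[0] if vids else trunk_native_vid


def double_tag_hop(attacker_vid, target_vid, trunk_native_vid):
    """An attacker on an access port in `attacker_vid` sends a frame tagged
    [attacker_vid, target_vid]. Returns the VLAN the downstream switch puts it in."""
    payload = b"\x45\x00\x00\x14" + b"\x00" * 16   # constructed dummy IPv4 header
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",
                        [attacker_vid, target_vid], payload=payload)
    on_wire = access_port_to_trunk(frame, attacker_vid, trunk_native_vid)
    if on_wire is None:
        return None
    return trunk_ingress_vlan(on_wire, trunk_native_vid)


if __name__ == "__main__":
    print("native 1, attacker in VLAN 1, target 20:", double_tag_hop(1, 20, 1))
    print("native 999 (unused), same attacker:    ", double_tag_hop(1, 20, 999))
    print("native 1, attacker in VLAN 10:         ", double_tag_hop(10, 20, 1))
```

The hop only succeeds when the attacker's access VLAN equals the trunk's native VLAN; moving the native VLAN to an unused ID (or tagging the native VLAN on the trunk) keeps the frame in the attacker's VLAN. It is also one-way: the victim's replies are classified into the target VLAN and never come back, so double tagging is useful for blind injection, not for a session.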


DOT graphs

Hey,

I am struggling to find any tool for network scheme drawing. I know about draw io, visio and others. Issue might be with my feature requests.

I was wondering if there is a tool which allows you to draw a network scheme and would export it to a DOT format graph. I know about tools which do the reverse kind of thing (graphviz). This is necessary for me because I would like to use it for the Cumulus Linux topology generator, which could run tests using my topology. Maybe somebody knows about such a tool? Maybe it doesn't exist yet?

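If no drawing tool exports DOT directly, the missing piece is small enough to write: a converter from whatever structured export the drawing tool does produce (a node list and a cable list) into a DOT graph. The block below is an added example, not part of the post and not the Cumulus tool itself. The topology dict is constructed for illustration, and the node attribute names (`function`, `os`) and the `"node":"port" -- "node":"port"` edge form follow my understanding of the topology_converter input; treat them as assumptions to check against that project's documentation.

```python
# Constructed topology, standing in for a drawing tool's structured export.
TOPOLOGY = {
    "nodes": {
        "spine01":  {"function": "spine", "os": "CumulusCommunity/cumulus-vx"},
        "leaf01":   {"function": "leaf",  "os": "CumulusCommunity/cumulus-vx"},
        "leaf02":   {"function": "leaf",  "os": "CumulusCommunity/cumulus-vx"},
        "server01": {"function": "host",  "os": "generic/ubuntu1804"},
    },
    # (node, port, node, port): one physical cable per entry
    "links": [
        ("leaf01", "swp51", "spine01", "swp1"),
        ("leaf02", "swp51", "spine01", "swp2"),
        ("server01", "eth1", "leaf01", "swp1"),
    ],
}


def quote(text):
    """DOT double-quoted ID with embedded quotes escaped."""
    return '"' + str(text).replace('"', '\\"') + '"'


def validate(topology):
    """Errors a hand-drawn diagram commonly exports: dangling links and
    ports patched twice. Returns a list of messages, empty when clean."""
    errors, used = [], set()
    for a, a_port, b, b_port in topology["links"]:
        for node, port in ((a, a_port), (b, b_port)):
            if node not in topology["nodes"]:
                errors.append(f"link references unknown node {node!r}")
            if (node, port) in used:
                errors.append(f"port {node}:{port} appears in more than one link")
            used.add((node, port))
    return errors


def to_dot(topology, graph_name="network"):
    """Render an undirected DOT graph. Edges use DOT's node:port syntax so the
    interface names survive the round trip into the topology generator."""
    errors = validate(topology)
    if errors:
        raise ValueError("; ".join(errors))
    lines = [f"graph {quote(graph_name)} {{"]
    for name, attrs in sorted(topology["nodes"].items()):
        attr_text = " ".join(f"{k}={quote(v)}" for k, v in sorted(attrs.items()))
        lines.append(f"    {quote(name)} [{attr_text}]")
    for a, a_port, b, b_port in topology["links"]:
        lines.append(f"    {quote(a)}:{quote(a_port)} -- {quote(b)}:{quote(b_port)}")
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_dot(TOPOLOGY, "lab"), end="")
```

The validation step is the part worth keeping even if the output format changes: a diagram that looks fine can still carry a cable to a node that was renamed, or the same `swp1` used on two links, and the generator will fail far less clearly than this does.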


Nexus Switch Multicast Issues

Hey all,

I'm having issues with multicast which I've been pulling my hair out over for the past few weeks.

I've got a Cisco 92160YC-X switch running PIM-SM on Vlan 200, with all multicast subscribers/publishers also in Vlan 200.

Multicast traffic functions for a while, and then stops. During the period when it stops, I can see IGMP query messages sent from the SVI IP address on Vlan 200, and IGMP reports from each host. I see this on TCPdumps on the hosts, as well as igmp debugging on the switch.

Upon issuing a 'clear ip mroute *' multicast traffic begins to flow again.

I'm testing with a python multicast script from Red Hat - https://access.redhat.com/articles/22304, as well as a multicast test application using multicast group 239.255.0.1.

This only appears to occur with multicast group 239.255.0.1, but I'm not 100% on this yet. The test application uses 239.255.0.1, and the python script uses a definable address. The python script continues to work on another group - 229.255.0.1 when 239.255.0.1 stops working.

Here's the relevant sanitised configuration.

Switch configuration:

    Switch(config)# show run int vl200
    interface Vlan200
      no shutdown
      no ip redirects
      ip address 10.1.1.2/24
      ip pim sparse-mode
      ip pim dr-priority 100

    Switch(config)# show run | i rp-address
    ip pim rp-address 10.1.1.2 group-list 224.0.0.0/4 override

Hosts used for testing: Vlan 200 IP hosts: 10.1.1.12, 10.1.1.13 & 10.1.1.14

Interfaces for the hosts, useful for IGMP snooping output below

    Switch# show interface status | i Host
    Eth1/1    Host1    connected    200    full    10G     SFP-H10GB-CU2M
    Eth1/2    Host2    connected    200    full    1000    1000base-T
    Eth1/3    Host3    connected    200    full    10G     SFP-H10GB-CU2M
    Eth1/4    Host4    connected    200    full    10G     SFP-H10GB-CU2M
    Eth1/5    Host5    connected    200    full    10G     SFP-H10GB-CU2M
    Eth1/6    Host6    connected    200    full    10G     SFP-H10GB-CU2M
    Eth1/7    Host7    connected    200    full    10G     SFP-H10GB-CU2M

Host packet capture:

    sudo tcpdump -v -n -i eno3 igmp
    03:48:27.163568 IP (tos 0xc0, ttl 1, id 59596, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
        10.1.1.2 > 224.0.0.1: igmp query v2
    03:48:35.401867 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
        10.1.1.13 > 239.255.0.1: igmp v2 report 239.255.0.1
    03:48:27.164166 IP (tos 0xc0, ttl 1, id 59596, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
        10.1.1.2 > 224.0.0.1: igmp query v2
    03:48:27.271682 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
        10.1.1.12 > 224.0.0.251: igmp v2 report 224.0.0.251
    03:48:36.630537 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
        10.1.1.12 > 239.255.0.1: igmp v2 report 239.255.0.1
    03:48:27.164166 IP (tos 0xc0, ttl 1, id 59596, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
        10.1.1.2 > 224.0.0.1: igmp query v2
    03:48:27.271682 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
        10.1.1.12 > 224.0.0.251: igmp v2 report 224.0.0.251
    03:48:36.630537 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
        10.1.1.12 > 239.255.0.1: igmp v2 report 239.255.0.1
    03:48:27.164169 IP (tos 0xc0, ttl 1, id 59596, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
        10.1.1.2 > 224.0.0.1: igmp query v2
    03:48:29.913727 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
        10.1.1.14 > 239.255.0.1: igmp v2 report 239.255.0.1

NXOS Bash tcpdump showing IGMP reports from the hosts coming back into VLAN 200

    bash-4.2# tcpdump -v -n -i Vlan200
    tcpdump: listening on Vlan200, link-type EN10MB (Ethernet), capture size 65535 bytes
    06:36:41.706046 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
        10.1.1.11 > 224.0.0.251: igmp v2 report 224.0.0.251
    06:36:42.787077 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
        10.1.1.16 > 239.255.0.1: igmp v2 report 239.255.0.1
    06:36:44.415473 IP (tos 0xc0, ttl 1, id 4888, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
        10.1.1.23 > 239.255.255.250: igmp v2 report 239.255.255.250
    06:36:45.672004 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
        10.1.1.14 > 239.255.0.1: igmp v2 report 239.255.0.1
    06:36:45.696663 IP (tos 0xc0, ttl 1, id 44482, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
        10.1.1.22 > 239.255.255.250: igmp v2 report 239.255.255.250

IGMP snooping groups:

    Switch(config)# show ip igmp snooping groups
    Type: S - Static, D - Dynamic, R - Router port, F - Fabricpath core port
    Vlan  Group Address     Ver  Type  Port list
    1     */*               -    R     Eth1/47
    200   */*               -    R     Vlan200
    200   239.255.0.1       v2   D     Eth1/7 Eth1/3 Eth1/4 Eth1/5 Eth1/6
    200   239.255.255.250   v2   D     Eth1/34 Eth1/35 Eth1/36 Eth1/37 Eth1/38

RPF checks are passing as expected. There is only one path to each host.

    Switch(config)# show ip mroute summary rpf-failed
    IP Multicast Routing Table for VRF "default"

    Route Statistics unavailable - only liveness detected
    Total number of routes: 12
    Total number of (*,G) routes: 2
    Total number of (S,G) routes: 9
    Total number of (*,G-prefix) routes: 1
    Group count: 2, rough average sources per group: 4.5

    Group: 232.0.0.0/8, Source count: 0
    Source          packets  bytes   aps  pps  bit-rate    oifs
    (*,G)           0        0       0    0    0.000 bps   0
      RPF Failed (pkts/bytes): 0/0

    Group: 239.255.0.1/32, Source count: 4
    Source          packets  bytes   aps  pps  bit-rate    oifs
    (*,G)           0        0       0    0    0.000 bps   1
      RPF Failed (pkts/bytes): 0/0
    10.1.1.12       4261     218096  51   0    27.200 bps  1
      RPF Failed (pkts/bytes): 0/0
    10.1.1.13       5171     264506  51   0    27.200 bps  1
      RPF Failed (pkts/bytes): 0/0
    10.1.1.14       64       5343    83   0    27.200 bps  1
      RPF Failed (pkts/bytes): 0/0
    10.1.1.15       42       4221    100  0    20.400 bps  1
      RPF Failed (pkts/bytes): 0/0

The multicast routing table when hosts aren't receiving multicast traffic.

    Switch# show ip mroute
    IP Multicast Routing Table for VRF "default"

    (*, 232.0.0.0/8), uptime: 05:02:35, pim ip
      Incoming interface: Null, RPF nbr: 0.0.0.0
      Outgoing interface list: (count: 0)

    (*, 239.255.0.1/32), uptime: 05:02:29, igmp ip pim
      Incoming interface: Vlan200, RPF nbr: 10.1.1.2
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 05:02:29, igmp, (RPF)

    (10.1.1.12/32, 239.255.0.1/32), uptime: 05:02:32, ip pim mrib
      Incoming interface: Vlan200, RPF nbr: 10.1.1.12, internal
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 05:02:29, mrib, (RPF)

    (10.1.1.13/32, 239.255.0.1/32), uptime: 05:02:35, ip pim mrib
      Incoming interface: Vlan200, RPF nbr: 10.1.1.13, internal
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 05:02:29, mrib, (RPF)

    (10.1.1.14/32, 239.255.0.1/32), uptime: 05:02:13, ip mrib pim
      Incoming interface: Vlan200, RPF nbr: 10.1.1.14, internal
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 05:02:13, mrib, (RPF)

    (10.1.1.16/32, 239.255.0.1/32), uptime: 05:02:35, ip pim mrib
      Incoming interface: Vlan200, RPF nbr: 10.1.1.16, internal
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 05:02:29, mrib, (RPF)

    (*, 239.255.255.250/32), uptime: 05:02:34, igmp ip pim
      Incoming interface: Vlan200, RPF nbr: 10.1.1.2
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 05:02:34, igmp, (RPF)

    (10.1.1.22/32, 239.255.255.250/32), uptime: 04:54:28, ip mrib pim
      Incoming interface: Vlan200, RPF nbr: 10.1.1.22, internal
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 04:54:28, mrib, (RPF)

    (10.1.1.23/32, 239.255.255.250/32), uptime: 04:58:22, ip mrib pim
      Incoming interface: Vlan200, RPF nbr: 10.1.1.23, internal
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 04:58:22, mrib, (RPF)

    (10.1.1.24/32, 239.255.255.250/32), uptime: 04:55:47, ip mrib pim
      Incoming interface: Vlan200, RPF nbr: 10.1.1.24, internal
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 04:55:47, mrib, (RPF)

    (10.1.1.25/32, 239.255.255.250/32), uptime: 04:59:10, ip mrib pim
      Incoming interface: Vlan200, RPF nbr: 10.1.1.25, internal
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 04:59:10, mrib, (RPF)

    (10.1.1.26/32, 239.255.255.250/32), uptime: 04:57:27, ip mrib pim
      Incoming interface: Vlan200, RPF nbr: 10.1.1.26, internal
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 04:57:27, mrib, (RPF)

    Switch# show ip igmp snooping groups
    Type: S - Static, D - Dynamic, R - Router port, F - Fabricpath core port
    Vlan  Group Address     Ver  Type  Port list
    1     */*               -    R     Eth1/47
    200   */*               -    R     Vlan200
    200   239.255.0.1       v2   D     Eth1/7 Eth1/4 Eth1/3 Eth1/5
    200   239.255.255.250   v2   D     Eth1/37 Eth1/36 Eth1/35 Eth1/34 Eth1/38
    Switch#
    Switch# clear ip mroute *
    Switch# show ip mroute
    IP Multicast Routing Table for VRF "default"

    (*, 232.0.0.0/8), uptime: 00:00:14, pim ip
      Incoming interface: Null, RPF nbr: 0.0.0.0
      Outgoing interface list: (count: 0)

    (*, 239.255.0.1/32), uptime: 00:00:12, igmp ip pim
      Incoming interface: Vlan200, RPF nbr: 10.1.1.2
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 00:00:12, igmp, (RPF)

    (10.1.1.12/32, 239.255.0.1/32), uptime: 00:00:07, ip mrib pim
      Incoming interface: Vlan200, RPF nbr: 10.1.1.12, internal
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 00:00:07, mrib, (RPF)

    (10.1.1.13/32, 239.255.0.1/32), uptime: 00:00:14, ip pim mrib
      Incoming interface: Vlan200, RPF nbr: 10.1.1.13, internal
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 00:00:12, mrib, (RPF)

    (10.1.1.14/32, 239.255.0.1/32), uptime: 00:00:08, ip mrib pim
      Incoming interface: Vlan200, RPF nbr: 10.1.1.14, internal
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 00:00:08, mrib, (RPF)

    (10.1.1.16/32, 239.255.0.1/32), uptime: 00:00:14, ip pim mrib
      Incoming interface: Vlan200, RPF nbr: 10.1.1.16, internal
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 00:00:12, mrib, (RPF)

    (*, 239.255.255.250/32), uptime: 00:00:14, igmp ip pim
      Incoming interface: Vlan200, RPF nbr: 10.1.1.2
      Outgoing interface list: (count: 1)
        Vlan200, uptime: 00:00:14, igmp, (RPF)

    Switch# show ip igmp snooping groups
    Type: S - Static, D - Dynamic, R - Router port, F - Fabricpath core port
    Vlan  Group Address     Ver  Type  Port list
    1     */*               -    R     Eth1/47
    200   */*               -    R     Vlan200
    200   239.255.0.1       v2   D     Eth1/4 Eth1/5 Eth1/7 Eth1/3
    200   239.255.255.250   v2   D     Eth1/35 Eth1/36 Eth1/37 Eth1/34 Eth1/38

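One way to check whether the IGMP side of this is healthy is to replay the capture against the timers a querier or snooping switch is supposed to keep. The block below is an added example, not part of the post: it parses the two-line `tcpdump -v -n igmp` format shown above into events and computes which hosts are still members of each group at a given instant, using the RFC 2236 defaults (query interval 125 s, query response interval 10 s, robustness 2, so a member is aged out 260 s after its last report). The sample lines are constructed in the same shape as the capture, with a v2 leave added to exercise that path; per-host tracking and immediate removal on leave are modelling assumptions (the fast-leave behaviour of a snooping switch), not a claim about NX-OS internals.

```python
import re
from datetime import datetime, timedelta

# RFC 2236 defaults: Query Interval 125 s, Query Response Interval 10 s,
# Robustness Variable 2. Group Membership Interval = 2 * 125 + 10 = 260 s;
# a reporter that stays silent longer than that is aged out of the group.
GROUP_MEMBERSHIP_INTERVAL = timedelta(seconds=260)

# Constructed sample in the two-line shape of "tcpdump -v -n igmp" output;
# the leave at 03:50:01 is added to exercise that path.
SAMPLE = """\
03:48:27.163568 IP (tos 0xc0, ttl 1, id 59596, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
    10.1.1.2 > 224.0.0.1: igmp query v2
03:48:27.271682 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
    10.1.1.12 > 224.0.0.251: igmp v2 report 224.0.0.251
03:48:29.913727 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
    10.1.1.14 > 239.255.0.1: igmp v2 report 239.255.0.1
03:48:35.401867 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
    10.1.1.13 > 239.255.0.1: igmp v2 report 239.255.0.1
03:48:36.630537 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
    10.1.1.12 > 239.255.0.1: igmp v2 report 239.255.0.1
03:50:01.000000 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
    10.1.1.13 > 224.0.0.2: igmp leave 239.255.0.1
"""

HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{6}) IP ")
IGMP_RE = re.compile(r"^\s+(\S+) > (\S+): igmp (.*)$")


def hms(text):
    """HH:MM:SS or HH:MM:SS.ffffff -> datetime (the date part is a dummy)."""
    return datetime.strptime(text, "%H:%M:%S.%f" if "." in text else "%H:%M:%S")


def parse_igmp(text):
    """(time, source, kind, group) for each query, v2 report or leave in the capture."""
    lines = text.splitlines()
    events = []
    for i in range(len(lines) - 1):
        head, body = HEADER_RE.match(lines[i]), IGMP_RE.match(lines[i + 1])
        if not (head and body):
            continue
        when, src, words = hms(head.group(1)), body.group(1), body.group(3).split()
        if words[0] == "query":
            events.append((when, src, "query", None))
        elif words[:2] == ["v2", "report"]:
            events.append((when, src, "report", words[2]))
        elif words[0] == "leave":
            events.append((when, src, "leave", words[1]))
    return events


def membership_at(events, at):
    """Replay reports and leaves up to `at` and return {group: {hosts}} that are
    still inside the Group Membership Interval. Assumed: per-host tracking and
    immediate removal on leave (fast-leave); without fast-leave a switch would
    first send a group-specific query and wait for the response interval."""
    last_report = {}
    for when, src, kind, group in events:
        if when > at:
            continue
        if kind == "report":
            last_report.setdefault(group, {})[src] = when
        elif kind == "leave":
            last_report.get(group, {}).pop(src, None)
    alive = {}
    for group, hosts in last_report.items():
        live = {h for h, t in hosts.items() if at - t < GROUP_MEMBERSHIP_INTERVAL}
        if live:
            alive[group] = live
    return alive


if __name__ == "__main__":
    ev = parse_igmp(SAMPLE)
    for t in ("03:48:40", "03:52:50", "03:53:00"):
        print(t, membership_at(ev, hms(t)))
```

Run against the post's own capture, the reports arrive well inside the 260 s window, so IGMP membership for 239.255.0.1 should never lapse; that is consistent with `show ip igmp snooping groups` still listing the member ports while traffic is stopped, and with `clear ip mroute *` (which rebuilds forwarding state, not IGMP state) being what restores traffic. It is the mroute/forwarding side that is worth comparing before and after the stall, not the membership side.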

How to call a script with arg, Nexus 9K

Hi. Sorry for formatting, I'm on mobile.

So my problem is pretty straightforward :

When I go in guestshell, I can call my script :

python script.py "argument"

This script sends a request to a website, with this argument as parameter.

And it works. But when I'm not in guestshell :

run guestshell python script.py "argument"

This doesn't work. I still reach the website but I get an HTTP 500 error, as if the argument given was wrong. My "argument" is a log, so it is a pretty long string.



Is there ANYTHING I can do about my shit ISP?

Where I live you have two options for an ISP. You can go with CenturyLink, the ISP that is slow as hell at under 20 Mb download speed at all times, which is reasonably stable but when it's out it's really out, or you can go with Charter, which has their standard package in the 100 Mb area but goes down nearly every other night and manages to somehow take my entire network with it, causing me to need to restart my modem and both of my routers constantly, which is a real pain in the ass when I'm trying to run media servers and large downloads to archive websites potentially on the scale of terabytes. Whenever my internet service goes down my downloader keeps trying to download pages but gets errors and assumes the pages are dead. Is there anything at all I can do other than call up Charter and tell them how fucking garbage they are every time my internet goes down? Also, when I call up Charter they tell me that the service issues are because they are "upgrading their network to improve it to something bigger and better"; how much of that is true and how much of that do you think is just bullshit they tell people to make them feel better? Also, do you think that it's reasonable for a major ISP to cause downtime over gear upgrades? Shouldn't they have redundancies built in so that even if some of their gear is pulled for replacement it doesn't take down entire multi-city areas?

sorry this is kind of more of a rant than a question/discussion but on behalf of everyone in the world can I go ahead and say fuck the ISPs



Wednesday, April 10, 2019

I just got a job as an installer. Any tools on the internet to help me learn the job faster?

Sorry if this is the wrong sub. I was a journeyman laborer and left to become an installer with hopes of joining the electricians apprenticeship. It was my first day today and I’m feeling overwhelmed with all of the new information. Any tips on where I can find some study guides to impress my foreman? Thanks in advance.



Mikrotik CCR 1072 Poor bridging and routing performance

While turning up a new 10Gbps internet circuit, I noticed speeds tested max out at around 200mbps download but 1gbps upload. Plugging straight into the provider, I immediately get 1gbps down and up (limited by my MBP interface). After playing around with tons of Mikrotik settings and trying tons of different servers, we finally factory reset it. Using a simple bridge with the provider port in SFP+1 and my laptop in SFP+2 (copper module), speed test still sucked. Finally, the configuration was completely rebuilt, combed through and minimalized for BGP and it currently maxes out at around 400-600mbps on a single speed test. This was good enough for now, but hopefully, someone has some insight on these. The bridging capacity is very high on these routers even though that isn't necessarily what they should be used for.

The provider's router is a Juniper MX80 and all the 1072 CPUs were steady at a low percentage.

Things experimented with:

  • Different laptop
  • Different speedtest websites
  • Different cables
  • Different SFP modules (tried copper and 10g SFP)
  • Different interface queues and sizes
  • Enable/Disable hardware offloading
  • Enable/Disable fastforward, fasttrack, fastpath

One thing specifically odd about this router is that the interconnection subnet provided by the provider does not fall on the subnet boundaries as expected. For instance, the provider is using a subnet mask of /30, where their router is a valid host IP and ours is technically a broadcast IP. I will be requesting a new subnet tomorrow.



Options for bridging wireless network into wired network?

I have a couple Cisco 1562 outdoor APs. They broadcast (via CAPWAP) 3 SSIDs.

Let's say SSID3 is a WPA2 PSK network. Can I have the Ethernet port on the Mesh AP provide access into that network? It seems like the "Ethernet Bridging" feature just passes the wired network that the Root AP is connected to over to the Ethernet connection on the Mesh AP, but I'm looking for the Ethernet connection to provide access into one of the wireless networks via CAPWAP. Possible?

If not, what is a good industrial option to do this? I could get a Cisco IR829 and join the WLAN radio to the SSID that is being broadcast by the Mesh AP, but they are pretty expensive.



Suggestion for easy to use enterprise router

Good Evening,

Where I work, we currently have a Mikrotik CCR1036-12G-4S-EM Cloud Router that we use to manage our network. We have around 200-250 computers, have 2 separate 1GB/sec internet connections (one for staff and one for public). We have 4 or 5 VLANs and have a couple of web servers we host. We also use Layer 7 to block torrent traffic and a few rules to allow servers to talk on multiple VLANs. Pretty straight forward setup.

This router is currently serviced by a local company that unfortunately is experiencing growing pains, and their service on non-critical issues has become almost nonexistent. My team and I run all other IT functions in the building except for managing the router. Since we don't change router settings very often, it doesn't make sense for us to hire someone for this role alone, nor do we have the budget. I have experience setting up networks and routers, just not with hardware that is mainly command-line based or has tons of complicated menus.

Currently, I've been looking online to see if there is a router that my team and I could manage and that has a fairly easy to understand interface. I saw a Grandstream GWN7000 router that fits the bill pretty well in the easy to understand GUI dept. Setting up VLANs, routes, network groups, is all easy to do in a simple interface. Now, the Grandstream router can handle 1 million packets a second, but our current solution does around 24 million, so obviously it would not be a replacement.

Are there any other enterprise level routers out there that anyone could recommend? I know Sophos has a pretty good GUI firewall, but I am not sure if it handles everything a Mikrotik router would in terms of functionality. Anything that is straight forward and easy to set up and manage would be great. I'd love to see an easy to view dashboard to see how the network is running too.

Any recommendations would be appreciated!

Thanks in advance

-Luke



How can I create a build script for CORE Network Emulator using Docker or some other method?

I have a little bit of experience with Docker and CORE and would like to set up a build.



Whatsup Gold vs Juniper Space Monitoring

Hey guys,

Basically we got Juniper Network Security Director, but I'm telling my boss that we can't use that to monitor Azure, and I'm not confident in that platform to monitor Cisco devices.

I`m curious to hear you guys thoughts on this



Multi-vendor networks Interoperability test report

Various networking products were put to the test for interoperability; you may find this report interesting:

http://www.eantc.de/fileadmin/eantc/downloads/events/2017-2020/MPLS2018/EANTC-MPLSSDNNFV2018-WhitePaper-final.pdf



Using a Tier 1 ISP for a Small Business?

I'm wondering how much configuration is necessary to peer up with a Tier 1 ISP instead of using Comcast. The symmetrical nature of the fiber would be quite nice for the VOIP deployment.

I'm working with a small non-profit to help them move towards VOIP, and they literally sit a few blocks away from an Equinix peering center where literally almost every Tier 1 ISP peers with (NTT, Telia, HE, Zayo, Cogent, etc.).

So that begs the question (I expect it to be more than a grand or so to build out the fiber): would this be a good choice for a small business?



BGP Conditional route advertisement (Cisco IOS)

Hey all,

I have a Cisco IOS router with two upstream BGP peers (P1 & P2). P1 is our ISP, and P2 is a routed DDoS service.

I want to advertise some prefixes to P2 and then fail-over those prefix advertisements to P1 in the event that BGP peering with P2 is lost. The idea is that our incoming traffic will be able to bypass the DDoS service in the event of an outage.

This is easy to do with a conditional advertisement (specifically using a non-exist-map), however we do not currently receive any routes from P2. In my test lab I have been using a dummy route received from P2 (E.g. 169.254.0.1/32) as the basis for an advertise-map.

I'm yet to ask our DDoS provider if they can accommodate this arrangement, but wanted to ask your opinions to see if there is a better way I should be doing this? Perhaps with some sort of object tracking or BGP peer status tracking?

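The non-exist-map arrangement described above, written out as a Cisco IOS configuration. This is an added example, not the poster's configuration: the neighbour addresses, AS numbers and the advertised prefix 203.0.113.0/24 are placeholders, and 169.254.0.1/32 is the dummy canary route the post already uses in its lab.

```text
! Our prefix and the canary route that P2 is expected to send us.
ip prefix-list OUR-PREFIXES seq 5 permit 203.0.113.0/24
ip prefix-list P2-CANARY seq 5 permit 169.254.0.1/32
!
! non-exist-map: the condition. It matches only while the canary is in the
! BGP table; when the P2 session drops the canary is withdrawn, the
! condition fails, and the advertise-map routes are announced to P1.
route-map P2-CANARY-PRESENT permit 10
 match ip address prefix-list P2-CANARY
!
! advertise-map: what P1 gets while the condition is false (and is
! withheld from P1 while the canary exists).
route-map TO-P1-WHEN-P2-DOWN permit 10
 match ip address prefix-list OUR-PREFIXES
!
! Steady state: the prefix always goes to P2.
route-map TO-P2 permit 10
 match ip address prefix-list OUR-PREFIXES
!
router bgp 64500
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 description P1 - ISP
 neighbor 192.0.2.1 advertise-map TO-P1-WHEN-P2-DOWN non-exist-map P2-CANARY-PRESENT
 neighbor 198.51.100.1 remote-as 64502
 neighbor 198.51.100.1 description P2 - DDoS scrubbing
 neighbor 198.51.100.1 route-map TO-P2 out
!
! Check which state the condition is in:
!   show ip bgp neighbors 192.0.2.1 | include Condition-map
! reports the advertise-map/non-exist-map pair with status Advertise or Withdraw.
```

Three caveats worth knowing before relying on it. The condition is re-evaluated by the BGP scanner (60 seconds by default), so failover to P1 is that plus convergence, not instant. The canary must be a route only P2 originates; if the same prefix can reach you by any other path the condition stays true and the failover never fires. And it only detects loss of the P2 session: if the scrubbing service breaks while still keeping the session up and the canary advertised, nothing moves, which is also the case that object tracking of the peer would miss, so asking P2 for a canary that they withdraw when their scrubbing path is unhealthy is the more useful request.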


People who use SNMP: is it common for devices to not respond to a walk with all OIDs? To only reply with some OIDs when specifically asked for those?

I'm not that experienced with SNMP so I'm willing to acknowledge I could be wrong, but I thought the whole purpose of doing an SNMP walk was to have the device reply with every last possible OID string it had in its tables. I'm currently dealing with certain devices that will not do this. There are certain OIDs the device will not give you in an SNMP walk. You have to specifically ask for that subtree and then it'll give you the data. Is this common??



66 block in the house we are about to move into

We are in the process of purchasing a home with a lot going on behind the walls. My main question: in my (future) office there is a 66 block that connects to a phone system but also appears to use ethernet cables that feed into all of the bedrooms and the other larger rooms like the den and the kitchen (they all have keystone jacks). There is an in-house speaker system that also goes through the entire house; it doesn't appear to be connected to that block. I was wondering, if I take down the 66 block and put RJ45s on the ends of the lines taken off the block and connect them to a switch which connects to my router, would that in theory give me the hardwired internet I'm looking for? I don't know enough about these 66 block things to know if it's the same type of cable (ethernet - Cat5) or a completely different kind of cable altogether. Any help would be super helpful.



Quality of Cat6 cable from different manufacturers. How do I spot the differences?

Hi there, I’ve been browsing Anixter, CableSupply and other cable distributors to purchase new cable for the office. I know the typical things I should watch out for (CCA conductors, gauge, CMR, CMP, etc).

However, most of the cables I found are the same. The only difference is the price and brand. For example, I found this spool of Cat6 from Tripp Lite listed for $129. On Anixter, I found this spool of Panduit Cat6 for $319.

There’s an obvious price difference but what factors into the cable price being different? Is it the brand of the cable, specs of the cable that I may be missing? Is there anything on the spec sheets that I need to understand when deciding which cable I should buy?



IP address assignment to router by ISP

Hey, guys!

I am new here and to the networking concepts, so bear with me if my questions feel stupid.

  1. How does DHCP know which client asked it for an IP address in a home network? (Does it make use of the MAC address?)

  2. How does the ISP assign IP addresses to routers/access points? I mean, again, how does the ISP know which router asked it for an IP address?



Let's not forget that the first composed imagery of a black hole was only made possible due to the raw bandwidth of sneakernet.



Existing fiber between server room and IDFs - cannot get link established with new switches. How do I troubleshoot this?

I have 6-strand fiber from the server room to each IDF with only 2 strands already in use. I have installed a new core switch and new access switches in the IDFs; however, I cannot get the switches to show an active link over the other fiber strands. We have done the exact same switch refresh at multiple locations, so I truly believe that this isn't a configuration issue. I am using vendor-approved optics, and if I take my access switch back to the server room and use an OM3 fiber patch cable directly to the core I get link no problem. As soon as I take it back to the IDF and connect, I get nothing. These are 10GbE switches, so I have tried both 10GbE and 1GbE optics with no difference. If I connect the fiber to the core switch and go to the IDF and look at the cable I see red light; it's a bit dimmer than I would expect, but it is there. The odd thing is that our 8-year-old HP and Force10 switches don't have an issue using the same exact fiber strands. Our Extreme Networks gear just doesn't like it.

What do I do next? Should I have the fiber tested for continuity? Is there another factor that I am not considering?