Saturday, May 4, 2019

Firepower - File policy inspection for malware, do you enable on every access rule?

We have tons of ACLs, and on the majority of them we have a file policy enabled to scan for potential malware from source to destination. I've read it's best not to do this because of resources, and to only enable it on rules with untrusted destinations, not on anything internal to other internal destinations. This seems odd, because other internal servers could get infected just as much as untrusted internet file servers. Any thoughts?



I suck at terminating. Now I just want to know how bad I suck. How long does it take you to terminate solid core, utp, cat6 to a patch panel? To an rj45 connector? (I don't normally terminate solid core to rj45 connectors, but had to today to test some runs).


LACP / LAG between 2 switches

Hi, r/networking.

Trying to set up LACP between 2 switches. The switches work fine as expected when Port 2 of both switches is connected. But when I try to connect Port 3 on both switches, the LED lights start flashing rapidly (all ports) and the network is unusable.

SW-01 & SW-02 : TP-Link TL-SG108E

Link Aggregation : LAG 1 (Port 2-3)

Loop Prevention : Enabled

VLAN Settings (SW-01 & SW-02) :

VLAN ID     SW-01 (LAG 1)   SW-02 (LAG 1)
1 (MGMT)    U               U
10          T               T
20          T               T
30          T               T

Regards,

Kelvin G.



Details and experience from S5800/S5850/S5900 switches?

So, somewhat long post, but there are a few questions at the bottom (if you survive that long? ;-)

I'm currently looking for a replacement for the HPE FlexFabric 5820X 24XG SFP+ Switch (JC102B): something that can do IPv4/IPv6, MLAG, a few ACLs, if needed dynamic routing (but not a full internet table) such as BGP, and has at least 12x SFP+ (10G, preferably 1G/10G slots). Would also be nice if there is a capable built-in DHCP and DHCPv6 server too (like being able to lease based on option 82).

HPE suggests the HPE FlexFabric 5940 48SFP+ 6QSFP+ Switch (JH395A) as a replacement, but that has a ridiculous price tag, about $18875/each around here + VAT.

So I took a quick glance at what FS.com has to offer and found these models:

  • S5800-8TF12S 12-Port 10Gb SFP+ L2/L3 Switch with 8 Gigabit RJ45/SFP Combo Ports for Hyper-Converged Infrastructure #69404, $1900/each + VAT

https://www.fs.com/products/69404.html

  • S5850-32S2Q 32-Port 10Gb SFP+ L2/L3 Data Centre Leaf Switch with 2 40G QSFP+ Uplinks #29122, $3000/each + VAT

https://www.fs.com/products/29122.html

  • S5900-24S4T2Q 24-Port 10Gb SFP+ L2/L3 Data Centre TOR Switch with 4 Gigabit RJ45 and 2 40Gb QSFP+ Uplinks #73467, $2500/each + VAT

https://www.fs.com/products/73467.html

So a few questions:

1)

Anyone in here with some info regarding the main differences between the S5800, S5850 and S5900 series of switches which FS.com provides (other than what the datasheet for each model provides)?

Do they, for example, have an equal feature set when it comes to IPv6 and so on, and what about ACL (well, ACE) capabilities etc.?

2)

Is it sane to assume that S5900 is the newest out of these?

Like that they were released S5800 -> S5850 -> S5900 and not something like S5800 -> S5900 -> S5850?

Looking through the datasheets, the one for the S5900 has a different design than the other two.

Looking at when the latest firmware was released (doesn't necessarily mean anything), the S5800 was last updated in May 2018, the S5850 dates from August 2018 and the S5900 was last updated in March 2019.

3)

Also, looking through the product pages, it's name-dropped that the S5900 uses the Broadcom BCM56846 (Trident+), but not a word about which CPU is used for the management plane.

While for the other two it's name-dropped that the Freescale PowerPC P1010 is used as the management-plane CPU, but not a word about what's used as the switch chip.

Anyone who can fill in the blanks?

4)

Looking through particularly the S5900 manual, I get strong Comware (aka HPE A-series) vibes from it.

Comware comes from H3C, which was a joint venture of Huawei and 3COM; then HPE bought 3COM and H3C came along.

Later on HPE sold H3C along with the Comware stuff to some Chinese university or such: https://www.reuters.com/article/us-hp-m-a-tsinghuaunigroup/hp-sells-2-3-billion-china-unit-stake-to-forge-partnership-with-tsinghua-unigroup-idUSKBN0O703V20150522 - this was in spring 2015; now, 4 years later, it seems like HPE has ditched Comware altogether from documentation and so on (unless someone in here has some other info to provide?) and is phasing out the Comware product line in favour of ArubaOS (previously known as ProVision, aka HP E-series, which then merged with, well, Aruba and became ArubaOS).

Anyone who might know more of this backstory? Has FS.com somehow teamed up with the leftovers of H3C, or are they in a joint venture with Huawei (due to the very similar commands in their firmware)?

5)

And finally, what is your (first-hand) experience with these models, how has FS.com handled it when you needed to file a bug, how fast was it resolved, etc.?



Mikrotik to Sonicwall edge conversion - need an assist

Trying to figure out how they had this set up; this config dump is really the only info I have. There are 2 key subnets, 192.168.193.0/24 & 192.168.1.0/24. They both have a mix of dynamically and statically addressed hosts, with the MikroTik acting as the DHCP server for both (I think). Everything was fed on one LAN port of the MikroTik. I'm trying to mirror it, but I'm not understanding how this was set up; I figured a RoaS setup, but I don't see any sort of VLAN or .1q info in the config. Time crunch, this just got dumped in my lap. Halp.

RouterOS 6.7

#
/interface bridge
add admin-mac=D4:CA:6D:xx:xx:x5 auto-mac=no disabled=yes name=bridge-local \
    protocol-mode=rstp
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether3 ] auto-negotiation=no master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
    ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
    ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
    ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=\
    ether10-slave-local
set [ find default-name=sfp1 ] name=sfp1-gateway speed=100Mbps
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.1.20-192.168.1.90
add name=dhcp_pool2 ranges=192.168.193.20-192.168.193.90
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-local name=default
add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1
add address-pool=dhcp_pool2 interface=ether3 name=dhcp2
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=yes \
    interface=bridge-local network=192.168.88.0
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=192.168.193.1/24 interface=ether2 network=192.168.193.0
add address=9.x.x.x/29 interface=ether1-gateway network=9.x.x.x
/ip dhcp-server lease
add address=192.168.1.53 mac-address=00:24:E8:11:11:11
add address=192.168.1.62 client-id=1:0:18:a:11:11:11 mac-address=\
    00:18:0A:11:11:77 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.193.0/24 gateway=192.168.193.1
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
add address=10.47.72.0/22 list=Company
add address=10.57.0.0/22 list=Company
add address=208.0.0.0 list=Person
add address=192.168.193.0/24 list="Local Subnet"
add address=192.168.1.0/24 list="Local Subnet"
/ip firewall filter
add action=drop chain=input comment="Block External DNS Requests" dst-port=53 \
    in-interface=ether1-gateway protocol=tcp
add action=drop chain=input comment="Block External DNS Requests" dst-port=53 \
    in-interface=ether1-gateway protocol=udp
add chain=input protocol=gre
add chain=input dst-port=500 protocol=tcp
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Forward to AP 1" dst-port=8292 \
    protocol=tcp to-addresses=192.168.193.10 to-ports=8291
add action=dst-nat chain=dstnat comment="Port Forward to AP2" dst-port=8293 \
    protocol=tcp to-addresses=192.168.193.11 to-ports=8291
add action=dst-nat chain=dstnat dst-port=33976 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.193.235
add action=src-nat chain=srcnat dst-address=136.0.0.0/16 src-address=\
    192.168.193.0/24 to-addresses=192.168.1.1
add action=masquerade chain=srcnat disabled=yes dst-address-list=Company \
    src-address=192.168.193.0/24
add chain=srcnat dst-address-list=Company src-address=192.168.193.0/24
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-gateway \
    protocol=tcp src-address-list=!Company to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment=RDP disabled=yes dst-port=3389 \
    protocol=tcp src-address=10.47.72.0/22 to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment=RDP disabled=yes dst-port=3389 \
    protocol=tcp src-address=10.57.0.0/16 to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment=RDP2 dst-port=3390 in-interface=\
    ether1-gateway protocol=tcp src-address-list=!Company to-addresses=\
    192.168.1.50
add action=dst-nat chain=dstnat comment=Vertical dst-port=5103 in-interface=\
    ether1-gateway protocol=tcp src-address-list=!Company to-addresses=\
    192.168.1.245
add action=dst-nat chain=dstnat comment=DVR1 dst-port=80 in-interface=\
    ether1-gateway protocol=tcp src-address-list=!Company to-addresses=\
    192.168.1.140
add action=dst-nat chain=dstnat comment=DVR3 dst-port=18004 in-interface=\
    ether1-gateway protocol=tcp src-address-list=!Company to-addresses=\
    192.168.1.140
add action=dst-nat chain=dstnat comment=DVR2 dst-port=9000 in-interface=\
    ether1-gateway protocol=tcp src-address-list=!Company to-addresses=\
    192.168.1.140
add action=dst-nat chain=dstnat comment=Vertical3 dst-port=9777 in-interface=\
    ether1-gateway protocol=tcp src-address-list=!Company to-addresses=\
    192.168.1.245
add action=dst-nat chain=dstnat comment=Vertical1 dst-port=5002 in-interface=\
    ether1-gateway protocol=tcp src-address-list=!Company to-addresses=\
    192.168.1.245
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
/ip route
add distance=1 gateway=1.0.0.0
add distance=1 dst-address=10.0.0.0/8 gateway=192.168.1.62
add distance=1 dst-address=19.0.0.0/8 gateway=192.168.1.254
add distance=1 dst-address=136.0.0.0/16 gateway=192.168.1.254
add distance=1 dst-address=192.28.0.0/16 gateway=192.168.1.254
add distance=1 dst-address=192.168.55.0/24 gateway=192.168.1.62
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local
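As an added example (not the poster's code), a small Python parser for the RouterOS export format shown above: it joins the backslash-wrapped lines, groups the enabled /ip address entries per interface, lists the DHCP servers, and flags each enabled dst-nat rule by what bounds its reach, i.e. whether it is pinned to an ingress interface and whether its only source check is a negated address list. The embedded export is a constructed excerpt in the same syntax, not the full dump.

```python
import re

# Constructed excerpt in the syntax of the export in the post; not the full dump.
SAMPLE_EXPORT = r"""
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=yes \
    interface=bridge-local network=192.168.88.0
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=192.168.193.1/24 interface=ether2 network=192.168.193.0
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1
add address-pool=dhcp_pool2 interface=ether3 name=dhcp2
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Forward to AP 1" dst-port=8292 \
    protocol=tcp to-addresses=192.168.193.10 to-ports=8291
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-gateway \
    protocol=tcp src-address-list=!Company to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment=RDP disabled=yes dst-port=3389 \
    protocol=tcp src-address=10.47.72.0/22 to-addresses=192.168.1.2
"""

_KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value, value may be quoted


def join_continuations(text):
    """Merge backslash-wrapped lines; the char before '\\' is kept, so 'name=\\'
    joins its next line with no gap and 'dst-port=8292 \\' keeps its space."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            lines.append(buf + line)
            buf = ""
    return lines


def parse_export(text):
    """Return (section, verb, params) tuples with quotes stripped from values."""
    entries, section = [], None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        params = {k: v.strip('"') for k, v in _KV.findall(rest)}
        entries.append((section, verb, params))
    return entries


def addresses_by_interface(entries):
    """Enabled /ip address entries grouped by interface."""
    result = {}
    for section, _, p in entries:
        if section == "/ip address" and p.get("disabled") != "yes":
            result.setdefault(p["interface"], []).append(p["address"])
    return result


def dhcp_servers(entries):
    """DHCP server name -> interface it serves."""
    return {p["name"]: p["interface"] for s, _, p in entries if s == "/ip dhcp-server"}


def exposed_forwards(entries):
    """Enabled dst-nat rules, each an inside host reachable through the router.
    in_interface None = matches every interface; src_guard = only source check."""
    rules = []
    for section, _, p in entries:
        if section != "/ip firewall nat" or p.get("action") != "dst-nat" \
                or p.get("disabled") == "yes":
            continue
        target = p.get("to-addresses", "?")
        if "to-ports" in p:
            target += ":" + p["to-ports"]
        rules.append({"comment": p.get("comment", ""), "proto": p.get("protocol", "any"),
                      "dst_port": p.get("dst-port"), "target": target,
                      "in_interface": p.get("in-interface"),
                      "src_guard": p.get("src-address-list") or p.get("src-address")})
    return rules


def risk_notes(rule):
    """What, if anything, bounds who can reach the forwarded host."""
    notes = []
    if rule["in_interface"] is None:
        notes.append("no in-interface: matches on every interface, LAN side included")
    guard = rule["src_guard"]
    if guard is None:
        notes.append("no source restriction: reachable from any address")
    elif guard.startswith("!"):
        notes.append("negated list %s: every address NOT in it is allowed" % guard[1:])
    return notes


if __name__ == "__main__":
    for rule in exposed_forwards(parse_export(SAMPLE_EXPORT)):
        print(rule["proto"], rule["dst_port"], "->", rule["target"], risk_notes(rule))
```

Run against the full export above, the same check lists every forward whose only source restriction is src-address-list=!Company, i.e. reachable from every address that is not in that list.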



Setting up a TFTP server for firmware updates

I need to set up a TFTP server to perform firmware updates on several Cisco 7942 IP phones. I am using a laptop with a TFTP app as my server and a Cisco switch to perform all the updates at once.

How do I configure the switch to update all the phones at once?



3850 tengig interface - not connected

Good morning folks,

Just adding up new fiber connections between 3850 stacks.

Quite strange that the new ports are not connected, even though the fiber is patched with SFPs.

The SFPs are the same as on the other TenGig ports. The SFPs are fine; I have tested with plug/unplug.

sh, no sh on the ports - still not connected.

Any idea what it could be?



Enterprise vs MSP?

Hi,

I currently work for an enterprise, and I worked for an MSP before who were quite...awful, and sexist to boot. I won't name them here.

I did see this:
https://www.reddit.com/r/networking/comments/2ay4id/career_advice_working_for_an_mspvar_vs_enterprise/

however I thought "That was four years ago", and USA-specific. I live in the UK. Long term, I'm not sure if it is worth going back to another MSP or not. I'm quite the self-starter, in the sense that I'm actively willing to start learning stuff that, yeah, an MSP would give you experience for, but without any SLAs, and learning in your own time as such, i.e. buying cheap stuff to play with...

What would people recommend, and more so in the UK? Ideally, long term, I want to move more into security.. anyway



Anyone ever had issues with upgrading a Zabbix Proxy?

Been trying to figure out what is going on with a recent attempt to upgrade a Zabbix proxy.
Basically I have a virtual machine (CentOS 7) where I had configured a Zabbix proxy (and agent) using version 3.4.

Since the latest version of Zabbix is 4.2, I thought to myself "why not update it?", so I went on this new adventure. The problem is: I was able to update my agent (which is now on version 4.0.7), but my proxy is still on version 3.4.

These were the commands I used:

systemctl stop zabbix-proxy
systemctl stop zabbix-agent
rpm -Uvh https://repo.zabbix.com/zabbix/4.0/rhel/7/x86_64/zabbix-release-4.0-1.el7.noarch.rpm
yum clean all
yum makecache
yum -y update zabbix-proxy-sqlite3.x86_64 zabbix-agent
systemctl start zabbix-proxy
systemctl start zabbix-agent

Right now I'm not sure anymore what I can possibly do. My server is currently on version 4.0.7, so it won't "speak" to proxies below 4.x.

Is there anything I could possibly do or would it be the case to create another machine?



VPN connection for two sites

You are a network administrator responsible for all network platforms and services. The CIO has asked that two site networks be connected through a secure VPN connection. He indicates that cost is not an issue to support and manage this change. Which security option(s) for Internet transmission would you provide and state risks, if any, in your recommendation. Justify your answer.

My idea is setting up a VPN tunnel kind of thing, where wired computers will be connected to a VPN router which connects to the internet, which in turn connects to the other site, which has the same things. Would this work? But that doesn't really answer the question... As for security options on internet transmission, I'm pretty sure connection-oriented protocol, uses TCP, and I don't know about the rest. Could anyone help me with this?



Hairpin route on ASA after upgrade blocks ICMP

We have a pair of ASAs that host a few web servers that are accessible via NAT addresses from the internet. A very strange issue occurred after performing a zero-downtime upgrade on the pair of ASA 5540s in active/standby. We were running 8.4(1) code and failed over to the standby unit that was running 9.0(4).

For internal monitoring we have a hairpin (aka u-turn) route on the inside interface of the ASA that points to an MPLS router to get back to our internal network (for OOB management/monitoring). The weird issue is that upon failing over, all TCP and UDP connections coming from our internal network work (across the hairpin route). The only thing that does not work from the internal network is ICMP.

Our monitoring tools triggered saying ping was down, but SNMP, ssh, https were up. What gives?

I started to troubleshoot this to see if the ICMP packets were reaching the ASA. Per the logs, ICMP sessions were created and torn down. I also did a packet capture on the ASA, and saw packets being received and coming back. The one caveat I saw in the packet capture is that for every 2 requests I saw only 1 reply.

I finished upgrading the ASA to 9.1(7) hoping it was a bug with the interim upgrade. The problem still persisted. ICMP requests and replies don't complete.

ICMP is not inspected in default policy. The same-security intra command is applied (TCP and UDP sessions are working correctly). Am I possibly missing something with how ASAs handle hairpin routes/NATs between the upgrades? This issue is a head-scratcher.



simplewall firewall keeps crashing any idea where to find old version?

talking about this

please do share about other open firewall which has similar functionality



10G MLAG capable switches

Which 48-port SFP+, 4+ 40G/100G port switches do you think are the best on the market right now? We're a relatively small business looking for new core/server switches (hypervisor hosts would be directly connected to these switches as well).

Would use the faster ports for MLAG connection.

We are currently on Extreme, but the hardware of X460-G2 seems kinda outdated and they don't really have a better option for our needs afaik. I'm mainly concerned about latency for HCI (probably going for Nutanix in the near future).



I have an assignment that I don't get any of, can someone lead me in the right direction?

You are a network administrator responsible for all network platforms and services. The recent popularity in mobile computing has prompted a request from the CIO to allow wireless LAN access to its employees. There is one building with 100 employees. What network requirements will need to be addressed in response to this request? Explain each in detail.

You are a network administrator responsible for all network platforms and services. The Teta Company currently has only one building which houses its sole data center. The CIO indicates the company recently purchased the building next to existing building that will house 150 employees. Unfortunately, only a wireless solution will work for providing access to the data network. What network requirements and recommendations would you make to the CIO that will allow the employees in the new building to access the company LAN?

You are a network administrator responsible for all network platforms and services. The CIO has asked that two site networks be connected through a secure VPN connection. He indicates that cost is not an issue to support and manage this change. Which security option(s) for Internet transmission would you provide and state risks, if any, in your recommendation. Justify your answer.

The XYZ Company, which sells widgets, is looking to provide redundant data center capabilities from its home location of New York City to a co-location facility in San Francisco. Since most of the widgets sold by the company are from Internet sales and staff members rely heavily on administrative systems to receive and fulfill orders, any major disruptions lasting longer than 24 hours in computing services would have a significant negative impact on revenue. Therefore, the XYZ Company wishes to have the capabilities of quickly responding to such disruptions in their data center via a remote facility. Should a disruption occur, the remote facility should be able to resume normal computing services within 12 hours. Each data center has a centralized storage device that can provide this level of replication via the network. The main storage device holds 7TB and the update interval to the remote data center is twice per day transferring 20GB of information. Design a basic but cost effective network solution that will provide the necessary communication channel(s) between the two data storage units for the data transfer twice daily. This should include but not be limited to the type of network media or services used; required networking equipment; topology; protocols and connection types used; and how it will be managed by a single network administrator.



New opportunity for me, and switch advice

Hello, I work at an MSP and it's looking like I may be transitioning into a design role, enforcing standards so we do things as close to right as we can the first time, with me being the network person. There will additionally be a telephony guy and an infrastructure guy.

At the moment I'm thinking up minimum feature sets for switches. But I have to admit, I've not had the opportunity to look at who makes the best products out there. At the moment, before getting into it, HP/Aruba is our go-to brand. Zyxel is being used at the bottom end.

What are people's opinions on the manufacturers available right now? Anyone to avoid? Do people believe in these cloud-based managed products now?

Thanks



Centralized DHCP or on-site?

I need some opinions on how to arrange a network.

There are 15 locations (hotels).

All of them are connected via optical link to my central location and separated into two VLANs:

VLANguests, VLANprivate.

DHCP is located in the central location for both networks.

Would it be a good move to put DHCP servers at the on-site locations, or to keep it centralized?

I know there are good reasons to keep it like this, and also good reasons to put it on-site.

Bright me up! :)



IP subnetting question for the pros

This should be an easy one for you guys. I'm studying for my CCENT, and I'm having trouble retaining a quick method for subnetting. I understand the concept pretty well, but when a question calls for me to employ my subnetting skills, I can't seem to do it very quickly. Advice, YouTube links, anything would be appreciated.

Side note, I think I struggle most with any questions involving network multiples, where they give you one that isn't the 0 network.



Networking Newb trying to get started

So I'm trying to get my homelab set up and I have my modem/router combo running the default 192.168.0.0/24 subnet.

My PC has a static of 192.168.0.25 and I bought a Cisco SG350-10P to try to use as my homelab switch.

I connected through serial, deleted the default IP of 192.168.1.254/24, added an IP of 192.168.0.225/24 and set the switch gateway to be my modem/router, but the management interface won't come up. I can set a static on my PC and connect to the address just fine, but I can't if I plug it in through my modem/router. The router doesn't even see the static in the address table it has.

Any help would be greatly appreciated!



ASA policy-map sip inspection

I've hit issues with ASA's and SIP ALG time and time again in the 4 years I've been in networking and I've reached a point where I'm determined to get this figured out. I'm not great with policy-maps and I'm trying to get a solid grasp on that as well. It really boils down to this. When configuring an ASA in front of a PBX where remote phones will be registered to that PBX through that ASA...

If I don't have SIP inspection enabled on a policy map, the RTP ports won't get pinholed during call setup so I have to manually create NAT rules for those RTP ports and/or permit them through the firewall depending if the PBX has a static assigned or if we're doing PAT.

If I do have SIP inspection enabled on a policy map, the RTP ports DO get pinholed during call setup and I don't have to manually create the NAT and/or access-list rules; however, the ASA always takes the source IP of the phone's RTP stream and changes it to be the inside global IP of the phone, not the outside global as it should be.

Is there a trick to this? Anyone else hit this issue and discovered what's wrong or what specifically resolves the way ASAs handle this? Thanks for any help!



VPN server for LAN gaming

Hi All!

I would like to use a VPN for LAN gaming. Could you suggest to me a simple, installable and manageable VPN server solution with internal DHCP for this? It could be a virtual appliance or docker container or something out of the box. For free or very very cheap....

Thank you!!



Application based IP packet filtering with Ubuntu and Mikrotik

I have been looking for this for many years, but still have not found any solution, so I would like to ask you if anyone knows how to solve this.

There is a computer network; every node has a different subnet and VLAN to prevent them listening to each other (nodes are wired to the router and cross-VLAN communications are explicitly blocked in the router; each node runs on a different subnet). The MikroTik router runs a firewall that filters communication based on a whitelist ruleset.

I realized that port and content based filtering is not enough, and I need to implement an application based network filter on the router itself.

So I am looking for a solution that can mark/tag IP packets with some application specific data. Then I would like to analyze and filter the marked/tagged packets on the router to decide which is allowed or not.

For example, there is a node which runs Firefox, Chrome, VLC and other software, and I would like to only allow Firefox to communicate with any servers outside of the local network, over ports 80 (HTTP) and 443 (HTTPS). Meanwhile I would like to restrict Chrome to accessing only several servers outside of the local network, over the same ports and protocols.

So what I need is software which can somehow mark/tag the outgoing packets with a predefined ID of the application which is sending the packets. So there could be a list of key-value pairs (pathOfExecutable:customID), like:

/usr/lib/firefox/firefox:20
/opt/google/chrome/chrome:21

Every application which is not specified in this list should be marked with a default value, 0 for example.

Then after the packet leaves the computer, I need to be able to detect these marks/tags with RouterOS on the Mikrotik router to implement filtering.

Do you know how to do this? I would really appreciate any solution or help.

Thank you!



Looking for Appliance to Balance Bandwidth Between Two Separate Networks

Hi all. My company is interested in trying to share a 2G WAN link between two different networks. What I am thinking about doing is receiving a single connection from our ISP that has two separate IP ranges, one for each network, then connecting into an appliance that would allow the bandwidth to be dynamically shared between the networks. Coming out of that appliance, the networks would split and connect into each router. The main goal is to allow each network to use more than 1G if the traffic needs it. One network is used mainly at night and the other mainly in the day, so keeping them separate leaves a lot of bandwidth not being utilized.

Can someone point me into the right direction as far as an appliance that would do this?



Hp/Brocade Audit Script

Hi guys, I'm looking for some feedback as I'm thinking about making an audit script of the config for HP and Brocade switches.

Has anyone already made a similar script? And if so, what is your high-level routine/workflow? I'm not sure how to perform some of the checks, e.g. some VLANs present on the switch (only some, not all), then DHCP-snooping trust to be checked, and ensure that those specific VLANs are present.

I've been reading a bit about Jinja as a template engine, but I'm currently unsure, hence why I wanted to have a discussion with you guys.

thanks,



Friday, May 3, 2019

I need help fixing my Xbox ping

Hey, I need your guys' help. I have always been getting 35-45 ping in online games, but all of a sudden, without my changing any settings or anything, it has jumped to 70 ping. On my router I have tried different DNS servers, port forwarding, and the DHCP reservation. I'm not very good with networking, but I have been trying to fix this for the past couple of hours. I have a Cgmn 2250 modem. I have restarted my Xbox and factory reset my modem countless times.



please point me to which f5 networks product i should be looking at.

I am working on a large-scale Bosch Video Management System and hitting a roadblock with their support, even with level 3 support on the network design. At the hub I have the MGMT and pieces up and running; at the spoke I have the cameras and storage.

Per the docs I have to port forward 500xx to the camera over the VPN (we are using Meraki) to 443. I knew this part was going to be a problem, but sales and support up front said our product would work just fine.

Well, it didn't, and I stood up an NGINX machine as a proxy for TCP and UDP.

server {
    listen 50008 udp;
    listen 50008;
    proxy_pass camXX.LOCATION.servicesdomain.skynet:443;
}

This solution works; however, I want to get the machine off my VMware cluster and onto a hardware, semi-easy platform for anyone to add entries in. Each camera starts to stream up to 1.5mb, and we're going live with 900 cams as this project ramps up.

So please point me to an F5 1U appliance, new models or older models I can check out.

thanks!



Any Advice? Infected Network

So, we have a pfSense router running our main LAN and a MikroTik running the guest LAN, and I've been struggling with a network infection for a few months now. Got WebRoot and Malwarebytes installed on all the PCs, and my PC also runs Symantec. The first thing we're noticing is a blocked Trojan when web browsing. The site doesn't seem to matter; it's the same blocked Trojan every time: xmr omine org and IP 59 127 213 219, the port changes every time. The second thing we've noticed is porn popups from the site bongacams when web browsing. Third is reported by Symantec when I navigate to our MikroTik's IP address: "Web Attack: JSCoinminer Download 61." To troubleshoot, I've run regular scans with Malwarebytes, WebRoot and SuperAntiSpyware on every computer. Then I've reinstalled Windows 10 on the computers reporting the popups. Finally, I installed Snort on our pfSense router, configured it to use the security IPS profile and enabled blocking after removing some false positives. Nothing has stopped the infection, and I'm not entirely sure what to do next. Any suggestions?



Best Cat6 Outdoor/Indoor rated cable (Suggestions)?

Looking for recommendations on outdoor-rated Cat6 or Cat5e cable.

Looking online there are more than a few selections, and I know to look out for and avoid aluminum copper.

Suggestions are welcome.

Thanks!



Finally figured out traceroute mac on Cisco L3 switches

Just want to put this out there for whoever needs it.

For those who don't know, the "traceroute mac" command will perform a L2 traceroute to tell you the switch and port that the MAC is found on. Syntax is like this:

traceroute mac [source_mac_address] [destination_mac_address] 

Pretty handy, but it wasn't working for me consistently.

If you're using traceroute mac and it keeps failing, it's probably for one of two reasons:

  1. The MAC you're trying to find is on the L3 switch itself.
  2. There is a VoIP phone or some kind of switch-like thing in between the device and the access switch. Traceroute mac needs to have the same network between switches for it to work. If you change networks (like, say, the voice VLAN) it will fail.

I've been racking my brain trying to figure out why it failed on some MACs but not others, and there's not a lot of documentation about it.

Hope this helps someone in the future!



VMware is looking for a Solutions Engineer (Bay Area, CA)

Hi, I'm a fan favorite of this subreddit for years now. I didn't see anything against the rules about posting positions so I hope I'm not violating any. I do however see a lot of talent in /r/networking.

My team located in the Bay Area, CA is looking for a Senior Solutions Engineer. The listing is here - https://careers.vmware.com/job/palo-alto/solutions-engineer/1567/11265733 . I'm happy to be available to answer any questions regarding day to day work, culture, team dynamics, ect.



What gateway are devices using - Cisco Router

My company's standard is to use x.x.x.1 as the default gateway for a subnet. We bought a company that uses x.x.x.254.

A coworker replaced the router a while ago at one of their warehouses and did this...

    interface GigabitEthernet0/0.5
     description Data_vlan
     encapsulation dot1Q 5
     ip address 192.168.5.254 255.255.255.0 secondary
     ip address 192.168.5.1 255.255.255.0

He also changed dhcp to hand out .1 as the default gateway.

Here is my problem, there is still a random mix of static devices out there that use .254 as the default gateway and I want to remove .254 from the config.

I know I can log into each static device manually and look at the network config or remove the gateway and see what breaks but this situation got me thinking. I have no idea how I would be able to tell what gateway is used by what device from the router or another tool. Even a packet capture will only show the destination MAC address but the same MAC is used by both gateway IP addresses...

    cvg0rtr01#sh ip arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  192.168.5.1             -   f8c2.889d.b00b  ARPA   GigabitEthernet0/0.5
    Internet  192.168.5.254           -   f8c2.889d.b00b  ARPA   GigabitEthernet0/0.5

Anyone have any ideas on how to track what the default gateway is set to on a device without logging into it? I'm mostly just curious.
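One passive way to answer this, added here as an example that is not from the post: a host resolves its configured gateway with an ARP request for that address, so a capture of ARP requests on the segment (for example from a SPAN/mirror port) shows which hosts ask for .1 and which for .254, even though both addresses answer with the same MAC. The parser below decodes raw Ethernet/ARP frames and groups senders by the gateway they asked for; the sample frames are constructed inline, `read_pcap` reads a classic libpcap file, and the capture command in its docstring is an assumption about how such a file would be produced.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP, ETHERTYPE_VLAN = 0x0806, 0x8100
ARP_REQUEST = 1

# The two gateway addresses on the interface in the post.
GATEWAYS = {"192.168.5.1", "192.168.5.254"}


def parse_arp_request(frame):
    """Return (sender_ip, target_ip) for an ARP request, or None for anything else.
    A single 802.1Q tag is stepped over; other encapsulations are ignored."""
    if len(frame) < ETH_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    offset = ETH_HDR.size
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < offset + 4:
            return None
        ethertype = struct.unpack_from("!H", frame, offset + 2)[0]
        offset += 4
    if ethertype != ETHERTYPE_ARP or len(frame) < offset + ARP_PKT.size:
        return None
    htype, ptype, hlen, plen, oper, _sha, spa, _tha, tpa = ARP_PKT.unpack_from(frame, offset)
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    return str(IPv4Address(spa)), str(IPv4Address(tpa))


def gateway_users(frames, gateways=GATEWAYS):
    """Map each gateway address to the sorted hosts that sent ARP requests for it.
    Gratuitous ARP (sender == target) and lookups for non-gateway hosts are skipped."""
    users = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed is None:
            continue
        sender, target = parsed
        if sender != target and target in gateways:
            users[target].add(sender)
    return {gw: sorted(hosts) for gw, hosts in users.items()}


def read_pcap(path):
    """Yield Ethernet frames from a classic libpcap file (what `tcpdump -w` writes
    by default); pcapng is not handled. Assumed usage: capture with
    `tcpdump -i <mirror-if> -w arp.pcap arp` on a port mirroring the VLAN."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        magic = struct.unpack("<I", hdr[:4])[0]
        if magic in (0xA1B2C3D4, 0xA1B23C4D):
            endian = "<"
        elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
            endian = ">"
        else:
            raise ValueError("not a classic pcap file")
        if struct.unpack(endian + "I", hdr[20:24])[0] != 1:   # link type 1 = Ethernet
            raise ValueError("pcap link type is not Ethernet")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
            yield f.read(incl_len)


def build_arp_request(sender_mac, sender_ip, target_ip, vlan=None):
    """Constructed test frame (not captured traffic)."""
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REQUEST, sender_mac,
                       IPv4Address(sender_ip).packed, b"\x00" * 6, IPv4Address(target_ip).packed)
    if vlan is None:
        return ETH_HDR.pack(b"\xff" * 6, sender_mac, ETHERTYPE_ARP) + arp
    return (ETH_HDR.pack(b"\xff" * 6, sender_mac, ETHERTYPE_VLAN)
            + struct.pack("!HH", vlan, ETHERTYPE_ARP) + arp)


# Constructed sample: three hosts resolving their gateways, one gratuitous ARP,
# one host-to-host lookup and one non-ARP frame.
SAMPLE_FRAMES = [
    build_arp_request(b"\x00\x11\x22\x33\x44\x10", "192.168.5.10", "192.168.5.254"),
    build_arp_request(b"\x00\x11\x22\x33\x44\x11", "192.168.5.11", "192.168.5.1"),
    build_arp_request(b"\x00\x11\x22\x33\x44\x12", "192.168.5.12", "192.168.5.254", vlan=5),
    build_arp_request(b"\x00\x11\x22\x33\x44\x12", "192.168.5.12", "192.168.5.12"),
    build_arp_request(b"\x00\x11\x22\x33\x44\x13", "192.168.5.13", "192.168.5.20"),
    b"\x00" * 64,
]

if __name__ == "__main__":
    for gw, hosts in sorted(gateway_users(SAMPLE_FRAMES).items()):
        print(gw, "->", ", ".join(hosts))
```

Two caveats: a host only ARPs for its gateway when its cache entry has expired or it boots, so the capture has to run long enough to see every static device, and a host that never sends traffic off its subnet will not show up at all. Those quiet hosts are the ones to visit by hand before removing the secondary address.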



SSH AND Telnet Libraries to use in same Python Script?

I'm fairly new to scripting so please bear with me.

I built a script that uses Netmiko to go out and check firmware on our devices. I wanted to incorporate telnet into this as well. We have a shop of mixed vendors as well as a mix of SSH/Telnet (don't ask) and I'm having trouble trying to do this.

I don't think there's a way to load a json file to use with Telnet like there is with Netmiko, correct? If that's the case, what's the best way to load a list of devices, where I could only call one file, rather than make two separate files.

Sorry if this is vague. If you need more info, please let me know.

Thanks.
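One way to keep a single inventory file for both transports, as an added example that is not the poster's script: Netmiko drives telnet through the same `ConnectHandler` call as SSH, selected by the platform name, and `cisco_ios_telnet` is one such telnet platform name; whether a `_telnet` variant exists for every other vendor in the shop has to be checked against the platform list of the installed Netmiko version, which is an assumption this example does not verify. The inventory below is constructed, the `protocol` and `port` keys are this example's own convention, and the network call is kept in a separate function so the file-loading logic can be tested without a device.

```python
import json
import os

# Constructed inventory; a real one would be json.load()ed from the single file the
# post asks about. "protocol" selects ssh or telnet, "device_type" is the Netmiko
# platform name, and "port" is optional.
INVENTORY_JSON = """
[
  {"host": "sw-core-1.example.net", "device_type": "cisco_ios", "protocol": "ssh"},
  {"host": "sw-old-7.example.net",  "device_type": "cisco_ios", "protocol": "telnet"},
  {"host": "rtr-edge-2.example.net", "device_type": "cisco_ios", "protocol": "ssh", "port": 2222}
]
"""


def load_inventory(text):
    """Parse the inventory and refuse entries that lack the two mandatory keys."""
    entries = json.loads(text)
    for entry in entries:
        for key in ("host", "device_type"):
            if key not in entry:
                raise ValueError(f"inventory entry missing '{key}': {entry}")
    return entries


def connect_params(entry, username, password):
    """Translate one inventory entry into ConnectHandler keyword arguments.
    For telnet the platform name gets a '_telnet' suffix (cisco_ios -> cisco_ios_telnet)
    and the default port becomes 23; SSH keeps the bare name and port 22."""
    proto = entry.get("protocol", "ssh").lower()
    device_type = entry["device_type"]
    if proto == "telnet":
        if not device_type.endswith("_telnet"):
            device_type += "_telnet"
        default_port = 23
    elif proto == "ssh":
        default_port = 22
    else:
        raise ValueError(f"unknown protocol {proto!r} for {entry['host']}")
    return {
        "device_type": device_type,
        "host": entry["host"],
        "port": int(entry.get("port", default_port)),
        "username": username,
        "password": password,
    }


def collect_versions(entries, username, password, command="show version"):
    """Run one show command on every device. netmiko is imported lazily so the
    inventory logic above works (and is testable) without it installed."""
    from netmiko import ConnectHandler  # pip install netmiko
    output = {}
    for entry in entries:
        conn = ConnectHandler(**connect_params(entry, username, password))
        try:
            output[entry["host"]] = conn.send_command(command)
        finally:
            conn.disconnect()
    return output


if __name__ == "__main__":
    # Keep credentials out of the inventory file; read them from the environment.
    user = os.environ.get("NET_USER", "")
    pw = os.environ.get("NET_PASS", "")
    for e in load_inventory(INVENTORY_JSON):
        print(connect_params(e, user, pw))
```

Keeping the password out of the JSON matters more than usual here: an inventory that lists which boxes still speak telnet is already a map of the weakest management paths, so it should not also carry the credentials for them.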



How are you using the "location" and "contact" fields in SNMP?

I'm at a point where I'm deciding what the standard should be to standardize all of our SNMP field devices across 8 sites (mostly colocations, but also two offices). I'm trying to think of how I want to use these two fields.

# Location:

I see a few options:

  1. Datacenter name (e.g. "New York City", "Salt Lake City Headquarters")
    1. This is a bit redundant since the hostnames already contain that data (e.g sw-slc-tor-3)
  2. Datacenter name and rack or closet - "New York City - Rack 2", "Salt Lake City Headquarters - Closet 280"
  3. Longitude and latitude (e.g. "39.474365,-100.403449")

# Contact:

A few options

  1. They're all set to the group mailbox of the singular team that manages it all (kinda lame, useless) - "[operations@example.com](mailto:operations@example.com)"
  2. Set to the email or phone number of the colocation (where applicable)
  3. Re-used for something creative

I'm thinking in the context of network monitoring tools, as well as inventory and provisioning systems. All of these are underdeveloped in our environment so I have a hard time coming up with a solid case for which of those options fill our current needs. One of our monitoring tools does automatically group devices based on SNMP location, and then you can put other data in the NMS about that location (like GPS coordinates).

What are you doing? Have you seen any clever re-use of any of these fields?



Thoughts about UBNT

Hello, I am looking to use UniFi point to point to set up some cameras roughly 600 feet away for a business. I have heard a few bad things from my product reps that say "Ubiquiti is cheap for a reason and after a year or so vendors are having to rip it out and replace it with real products." Is this true? Does anyone have experience running UniFi P2P? I have heard a few other brands being mentioned, Ruckus, Fluidmesh and so on. But the cost is almost 3 times UBNT pricing.



Port Forwarding to seed torrents. Help needed!

For once, there is someone that is trying to use torrent clients LEGALLY, and my post gets deleted on r/Torrents. I really hope I can find someone here able to help, because I need to give these files to my classmates as soon as possible. I'm really not very savvy in this regard, never played around much with modems and routers and their settings.

I'm trying to send some files to my classmates but the torrent does not seed. I called my ISP and they finally gave me permission to access my modem's settings (they've refused multiple other times). It's a DSL modem with Ethernet and Wireless outputs, so I guess it's a modem-router device. Before opening the port, a few of my friends had already connected even if upload/download was not starting. (I could see them in the peers list)

I have a dynamic IP and considering I don't have a router, I don't see a reason to make it static. The modem has its own IP address, no matter what IP it assigns to my PC, right? Anyway, while having DHCP activated, I can't change the IP address for the port I want to forward. The first digits of the IP are already set and I can only change the last digits. Screenshot Here

I haven't tried making it static, but I'm concerned about the security issues it might cause. I tried opening a port, but it still shows as "stealth" on GRC. After allegedly opening this port, my friends disappeared from the peers list on qBittorrent.

My dynamic IP address is completely different from the modem's static address and all the subsequent addresses that are assigned to smartphones and other wireless devices (which are the same as the modem's except for the last 3 digits). If I open this port on my modem, doesn't it also remain open for my PC, no matter what IP is assigned to it?

My qBittorrent settings should be okay, and UPnP is enabled. Why isn't it working? Should I reset the router? Should I change the IP to static? What are the consequences of using the same IP address across 2-3 computers and over 5 smartphones?

The modem's settings have lots of options and I don't really know most of them. Static Assigned DHCP Clients,Ethernet based bridging, Network Configuration -> LAN, WAN; Port Triggering, Dynamic DNS, Port Filtering, DMZ and lots of other stuff. Is any of these settings responsible? I'm on IPv4 btw and qBittorrent is allowed on the Windows Firewall rules...

EDIT: I just checked and my PC (ethernet) has a static IP according to the 192.168.0.1 page. The wireless devices have a dynamic one.



vPC question

I'm setting up a vPC (having never done so before) between our N7Ks down to our N5ks. I'm sure curious as to whether the vPC network in This Link will work with a single VPC domain, or if I would need to make a domain per 5k? Looking at Cisco's best-practice for VPCs, all of their images I saw only had a single downstream per domain for single layer VPC.

Thanks in advance.

EDIT: Let me know if more information is needed. I thought this would be enough for the question. Also this is a not a layer 3 VPC.



Crazy problem not sure what is going on

First off, I am intermediate in terms of networking. Not a n00b but not an expert.

Now to the problem.

I am a teacher and 3 days ago I came into school with my personal laptop and phone like I always do. Except on this day, I was unable to connect to the school's networks. The school has a guest network as well. No one else is reporting issues. Windows 10 tells me "Can't connect to the network" and my android says authentication error.

One strange thing is that it apparently never gets to the authentication phase. I put the wrong password in on both networks and got the same message. Also, the IT guy said he did the equivalent of resetting the router. For what that's worth.

Any help would be greatly appreciated.



iPerf3 Testing Assistance Needed - Troubleshooting throughput with ISP

Hello,

I am wondering if anybody would be so grateful to do an iPerf3 test to a public server that we setup and post the results? Here is what I am hoping you can provide.

  1. Your Location
  2. Your ISP and speeds you are paying for (up/down)
  3. Average Upload iPerf Results
  4. Average Download IPerf Results

You can download iPerf here

https://iperf.fr/iperf-download.php

Upload Command

- PowerShell - "./iperf3.exe -c 209.59.236.70"

- cmd - "iperf3 -c 209.59.236.70"

Download Command

- PowerShell - "./iperf3.exe -c 209.59.236.70 -R"

- cmd - "iperf3 -c 209.59.236.70 -R"

The reason I am requesting this is to compare the results and share with the ISP.

It's a long story but basically we are battling a throughput issue with an ISP at one of our branch locations. We are using a Cisco Meraki MX64 as our router which uses Auto-Provisioning IPsec VPN tunnels to connect to our head end Meraki unit in our Data Center. Upon first installation we noticed that throughput through our Meraki VPN to our Data Center was painfully slow. We were (and still are) seeing a max speed of 3Mbps (both up/down) for any type of traffic going through our Meraki tunnel. At first we thought the slowness was a Meraki issue since onsite speed tests to the ISP test server did indeed show near the promised 100Mbps up/down. We then opened a ticket with Meraki which eventually led to them sending us a brand new MX64 appliance. After replacement there was no improvement and we were still seeing the exact same slow throughput. The combination of that and knowing that we have other branch sites that use the exact same Meraki equipment and same exact VPN configuration back to the same Data Center/internet egress made us start to investigate the ISP connection as the issue. Our other branch sites are using other various ISPs with different speed offerings and iPerf results are showing the advertised speed through those tunnels (to our same public iPerf server).

Any assistance is greatly appreciated!



Is it a monopoly game from Cisco or what!

I googled CDP: Cisco Discovery Protocol and from Wikipedia, I found there is a replacement protocol from IEEE called LLDP: Link Layer Discovery Protocol, and HP removed support for CDP in February 2006, replacing it with LLDP!!

Also, if you look at CDP, for any devices connected to Cisco devices, CDP will share the operating system and IP address of those devices, which means "stealing somehow" the data from other vendors, and that's why HP realized that. Am I right or not, and does Cisco use LLDP and CDP together, or is it part of the monopoly game!



What does the label SB on a ethernet cable mean?

So I don't have a toner with me, though I'm about to go buy one... I'm trying to find 3 Ethernet cables in the field. At the patch panel they're labeled D01 D02 D03.

Every cable is accounted for except these three. I have found three cables coming out of the wall. Crimped 'em and tested by plugging into my laptop but no luck.

On the cables themselves the labels are SB01 SB02 SB03. What are these? What's the abbreviation?

Thanks



OSPF question

Would a change in route cause a network/internet outage? Basically I took out a static route from one device so it could be redistributed via OSPF from another. Apparently this coincided with an outage throughout the campus (clients unable to go to the internet). The route in question wasn't our default route (also via OSPF) but I'm guessing maybe since OSPF was changed the time it needed to reset caused all of this. TIA



Risk of not removing a provisioned switch that is no longer there?

At my work we have a switch that used to be a part of a stack. However the master died and we pulled it out. Now it's just the 2nd switch running as a single switch, not stacked with anything else. However, if you show stack on it, it still thinks it is part of a 2-stack and switch 1 is missing.

It's an easy fix: remove provision, renumber stack, change priority, but the company I work for is super anal about changes. I have to write up a report on the risk of not doing the change.

Anyone have any reasons they could think of that would be a risk of not doing this? Everything runs fine the way it is, but it's not the standard so I want to change it.



BGP Optimization Solutions?

Hey everyone, I was looking at a couple of solutions for BGP optimization for the enterprise edge routers, I came across solutions provided by Noction and by Expereo. I was wondering if anyone here had tested these or any other ones. Are they any good? Do they work as advertised? Any bad experiences?

Please do share.



ipsec over Dmvpn Spoke to spoke not working ?

Hi, I'm having a connectivity issue with spoke to spoke communication. Both spokes can reach the hub. Here are the details and configuration.


Configuration:

Hub:

    interface Tunnel1
     ip vrf forwarding test
     ip address 1.1.1.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp map multicast dynamic
     ip nhrp map group test service-policy output test-out
     ip nhrp network-id 1111
     tunnel source Loopback0
     tunnel mode gre multipoint
     tunnel key 1111
     tunnel protection ipsec profile prof1 shared
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key  address 0.0.0.0        no-xauth
    crypto isakmp keepalive 10
    crypto ipsec profile prof1
     set transform-set tras1
    crypto ipsec transform-set tras1 esp-3des esp-md5-hmac
     mode transport

Spoke1:

    interface Tunnel1
     ip address 1.1.1.2 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication 1111
     ip nhrp map 1.1.1.1 111.1.1.1
     ip nhrp map multicast 111.1.1.1
     ip nhrp network-id 1111
     ip nhrp nhs 1.1.1.1
     ip nhrp server-only
     tunnel source 192.168.1.1
     tunnel mode gre multipoint
     tunnel key 1111
     tunnel protection ipsec profile prof1
    end
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key  address 0.0.0.0 0.0.0.0 no-xauth
    crypto isakmp keepalive 20 3
    !
    crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
     mode transport
    crypto ipsec profile prof1
     set transform-set trans1

Spoke2:

    interface Tunnel1
     ip address 1.1.1.3 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication 1111
     ip nhrp group test
     ip nhrp map 1.1.1.1 111.1.1.1
     ip nhrp map multicast 111.1.1.1
     ip nhrp network-id 1111
     ip nhrp nhs 1.1.1.1
     ip nhrp server-only
     tunnel source 172.16.1.1
     tunnel mode gre multipoint
     tunnel key 1111
     tunnel protection ipsec profile prof1
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key ippccwsec address 0.0.0.0        no-xauth
    crypto isakmp keepalive 20 3
    !
    crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
     mode transport
    crypto ipsec profile prof1
     set transform-set trans1

Verification:

Hub:

    #sh crypto isakmp sa | i
    111.1.1.1    80.1.1.1  QM_IDLE          54023 ACTIVE
    111.1.1.1    122.2.2.2  QM_IDLE          54022 ACTIVE

    #sh dmvpn  | beg Tunnel1
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
    ----- --------------- --------------- ----- -------- -----
        1 80.1.1.1        1.1.1.2  IKE    1d00h    DN
        1 122.2.2.2      1.1.1.3    UP 00:25:03    DN

    #show ip nhrp tunnel 1
    1.1.1.2/32 (test) via 1.1.1.2
      Tunnel1 created 1d01h, expire 01:54:25
      Type: dynamic, Flags: unique registered used nhop
      NBMA address: 80.1.1.1
      Group: GRPMAP-TMS-MGMT-1M
        (Claimed NBMA address: 192.168.1.1)
    1.1.1.3/32 (test) via 1.1.1.3
      Tunnel1 created 01:44:44, expire 00:08:21
      Type: dynamic, Flags: registered used nhop
      NBMA address: 122.2.2.2
        (Claimed NBMA address: 172.16.1.1)

Spoke 1:

    #sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst            src            state          conn-id status
    111.1.1.1    192.168.1.1  QM_IDLE          1002 ACTIVE

    #ping 1.1.1.1 (HUB)
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 900/907/919 ms

    #ping 10.10.10.3 source 10.10.10.2 (spoke2)
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.3, timeout is 2 seconds:
    Packet sent with a source address of 1.1.1.2
    .....
    Success rate is 0 percent (0/5)

Spoke 2:

    #ping 1.1.1.1 (HUB)
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 590/603/622 ms

    #ping 10.10.10.2 source 1.1.1.3 (Spoke1)
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
    Packet sent with a source address of 1.1.1.3
    .....
    Success rate is 0 percent (0/5)

Please let me know if you need more details and output.. trying to get as many troubleshooting tips as possible, as I'm still new to advanced troubleshooting.

Thanks
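An added parser over the hub output in the post above (this is not the poster's code): it reads the `show dmvpn` table and the `show ip nhrp` entries and flags the two things to look at first when spoke-to-spoke fails: a peer whose session state is anything other than UP, and a spoke whose registered NBMA address differs from the address it claims. In the output above both spokes claim their configured tunnel sources (192.168.1.1 and 172.16.1.1) while the hub sees 80.1.1.1 and 122.2.2.2, which is what that line shows when address translation sits between spoke and hub. The sample text is copied from the post; the regular expressions assume the same column layout for other rows.

```python
import re

# Hub output copied from the post above (not constructed).
SHOW_DMVPN = """\
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
    1 80.1.1.1        1.1.1.2  IKE    1d00h    DN
    1 122.2.2.2      1.1.1.3    UP 00:25:03    DN
"""

SHOW_IP_NHRP = """\
1.1.1.2/32 (test) via 1.1.1.2
  Tunnel1 created 1d01h, expire 01:54:25
  Type: dynamic, Flags: unique registered used nhop
  NBMA address: 80.1.1.1
  Group: GRPMAP-TMS-MGMT-1M
    (Claimed NBMA address: 192.168.1.1)
1.1.1.3/32 (test) via 1.1.1.3
  Tunnel1 created 01:44:44, expire 00:08:21
  Type: dynamic, Flags: registered used nhop
  NBMA address: 122.2.2.2
    (Claimed NBMA address: 172.16.1.1)
"""

# One table row: Ent, NBMA addr, tunnel addr, State, UpDn time, Attrb.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d[\d.]*)\s+(\d[\d.]*)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
ENTRY_RE = re.compile(r"^(\S+)/\d+\s+(?:\(\S+\)\s+)?via\s+(\S+)")
FLAGS_RE = re.compile(r"Flags:\s*(.*)$")
NBMA_RE = re.compile(r"^\s*NBMA address:\s*(\S+)")
CLAIMED_RE = re.compile(r"^\s*\(Claimed NBMA address:\s*(\S+)\)")


def parse_show_dmvpn(text):
    """Tunnel address -> {nbma, state, updn, attrb} from the `show dmvpn` table."""
    peers = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            _ent, nbma, tunnel, state, updn, attrb = m.groups()
            peers[tunnel] = {"nbma": nbma, "state": state, "updn": updn, "attrb": attrb}
    return peers


def parse_show_ip_nhrp(text):
    """Tunnel address -> {nbma, claimed, flags} from `show ip nhrp` entries."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = entries.setdefault(m.group(1), {"nbma": None, "claimed": None, "flags": []})
            continue
        if current is None:
            continue
        m = FLAGS_RE.search(line)
        if m:
            current["flags"] = m.group(1).split()
            continue
        m = NBMA_RE.match(line)
        if m:
            current["nbma"] = m.group(1)
            continue
        m = CLAIMED_RE.match(line)
        if m:
            current["claimed"] = m.group(1)
    return entries


def dmvpn_findings(show_dmvpn_text, show_ip_nhrp_text):
    """Plain-language findings: peers whose session is not UP, and spokes whose
    registered NBMA address differs from the one they claim (the hub sees a
    translated source address rather than the spoke's own tunnel source)."""
    findings = []
    for tunnel, p in sorted(parse_show_dmvpn(show_dmvpn_text).items()):
        if p["state"] != "UP":
            findings.append(f"{tunnel}: session state {p['state']}, not UP ({p['updn']})")
    for tunnel, e in sorted(parse_show_ip_nhrp(show_ip_nhrp_text).items()):
        if e["nbma"] and e["claimed"] and e["nbma"] != e["claimed"]:
            findings.append(f"{tunnel}: registered from {e['nbma']} but claims "
                            f"{e['claimed']}: address translation between spoke and hub")
    return findings


if __name__ == "__main__":
    for finding in dmvpn_findings(SHOW_DMVPN, SHOW_IP_NHRP):
        print(finding)
```

The same two checks, run on each spoke's own `show dmvpn`, tell you whether the spokes have ever learned each other's NBMA addresses at all; a spoke-to-spoke tunnel can only come up if the NBMA address each side learns for the other is one it can actually reach and encrypt to.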



Cisco switches - changing from 1G RJ45 to 10G SFP

Hello

We're upgrading from 1G copper RJ45 switches to 10G switches and plan to use SFPs on the switch side. Is there a specific type of copper SFP model we need in order to support our endpoints? We'd like to re-use the existing copper cabling so that we can just move the switch side connections when we come to move the servers from old switch to new switch.

Thanks

AK



Is a device connected directly to a LAN port on the ISP's router completely isolated from the subnet created by a Sonicwall router connected behind the ISP's router?

We have a small office. We have a Sonicwall connected to a Verizon router. Verizon's LAN IP is 192.168.1.1 and its DHCP issues the IP range 192.168.1.*. The Sonicwall IP is 192.168.2.1 and its DHCP range of course is 192.168.2.*. We have a credit card machine that we've been told must be connected via VLAN on our network to be PCI Compliant. We figured if we just connected the card machine directly to the Verizon router rather than the Sonicwall that would isolate it from the internal network since they are different subnets, but were told that this sort of configuration is not as isolating as a VLAN and thus not PCI Compliant. Is this the case?



HTTP Squid Proxy Server - DNS Leaks

Hi all,

I am running a Squid Proxy server using HTTP on an AWS EC2 Instance that I connect to remotely from my home network. In the Squid conf I have specified a non-ISP/privacy-oriented DNS server also with the use hosts file option enabled. On neither server-side or client-side is my ISP configured as the target DNS server.

When doing Extended tests on https://dnsleaktest.com, the correct DNS server is being used, however when using https://dnsleak.com, my ISP is being shown.

I am struggling to work out why this DNS leak is happening when nowhere is my ISP configured as the DNS server in use, and why one website shows different results to the other.

Any information would be great, TIA!



VoIP latency conversion figures

Is there a resource online where I can get latency conversion figures from Analog to E1, or Analog to IP, or E1 to IP for say Cisco kit or similar?

I have a bench setup which has a round trip delay of circa 250 ms, and the tech support guys are trying to convince me that my analog to IP conversion will be nearly 50 ms worth of latency.

Obviously that means 4 conversions in a round trip test, which is circa 200 ms, but that can't be right... how do international circuits work if these are the figures I get on a simple bench LAN setup?



Minimum distance for Single Mode fiber -LR SFP?

Hi all,

I am in the process of purchasing what is necessary to move our infrastructure over to SMF.

I'm particularly interested in the minimum distance needed for -LR SFPs.

It is 2m according to https://www.cisco.com/c/en/us/products/collateral/interfaces-modules/transceiver-modules/data_sheet_c78-455693.html

However, is that overall length or does patch cabling affect this? I'd like to use 1m cables from switch stack to patch.

Does the amount of patch cables affect this as well? Ex, stack, to LIU, to LIU (middle LIU), to LIU, to Core.

Appreciate any help!



I need to setup a linksys wrt54g running dd-wrt v24-sp2 as a repeater bridge, wireless bridge or wireless switch

This is for a network in Venezuela so I don't have many other resources besides the main router (Netgear, not running DD-WRT), the secondary router where a few computers will be connected and a few cables. Both routers are close but on different floors so running a cable is not viable. Also, should I upgrade the firmware for this situation? Since this is a very old router, which is the latest version this router can run? Also, if I'm asking in the wrong sub let me know



Server mapped out and printed.

Does anyone do anything like this?

I might be calling it the wrong thing but basically I plan to map out the server in a physical form.

A simple excel sheet with the ports, color coded to the config we have and what they connect to. Along with other important info SNs,Macs,and where to find the base config for the switch itself.

Just trying to stay ahead if something were to fail and there is little to no access to any local PCs that would house the info I plan to put on these sheets. Good idea? Shit idea? Better way to do it?



Issues With Bonjour Services on Enterprise Network

So I am currently struggling with an issue with AirPrint on a business (enterprise is probably a stretch) network. I have a Cisco WLC AIR-CT5508-K9 (Ver 7.0) with 8 APs configured. The WLC is connected via trunked portchannel to SW1, all needed vlans are allowed. The APs are connected to SW1 ports configured as access for the vlan 100 (this is the vlan used for management of APs and WLC).

I have set up a VLAN for the iPads and the printers (which are AirPrint compatible, according to the vendor who sent both), which is VLAN 30. I have created a WLAN for VLAN 30 and assigned the appropriate IP to the interface. The printers are hardwired into SW1 ports configured for vlan 30. So, iPads and printers are on the same vlan and the same subnet. However, the iPads cannot see the printers. I did some research, and found the mDNS feature of the WLC that can let it act as a Bonjour gateway. But from what I read, this will allow Bonjour to work across multiple vlans. It seems like this feature wouldn't be needed if I am just trying to connect two devices in the same subnet.

Anyway, the software version 7.0 doesn't seem to support mDNS, and I am currently searching if the upgrades to 7.5 are free.

Shouldn't Bonjour services work fine if the devices are on the same subnet? Has anyone ever dealt with this? Any advice would be appreciated! If you need more info, let me know.



SNMP Traffic Monitoring on Subinterfaces

Quick question....

We recently purchased some Nexus 3064PQ switches, and I have set up some subinterfaces for one of our customers to separate their public/private/voice/etc networks. I have them set up as the gateway for all those networks, however I have prtg and I am trying to monitor each subinterface individually. PRTG recognizes the subinterfaces and lets me add the sensors, however, there is no traffic being reported and when I run sho int et1/1.x on the switch, there are no packets in the counters for inbound or outbound.

Is there a feature I need to enable, or is the nexus not able to report snmp traffic on subinterfaces?

Thanks.



Which switch would you choose and why?

http://bit.ly/2vDyn5W

Multi-mode SFPs with SMF, link-light. Multi-mode SFPs with MMF, no link-light.

New remote site, we thought there was MMF in place from the DMARC to MDF, but turns out it was SMF. We ordered MM SFPs for the DMARC side (Ciena) and MM SFPs for the MDF side (Meraki SW). Tech onsite connected the fiber (1 long 220ft LC-LC fiber jumper), we got link light, but our throughput was only 10mbps. Turns out it was SMF connecting DMARC to MDF. Ordered a new LC-LC 220ft fiber jumper but made sure it was MMF. Ran the fiber, connected both ends, no link-light. Tried swapping the cable ends (think Ciena was just passthrough), no luck. Tried swapping SFPs, no luck.

Here are the notes I have; two simple diagrams I made.

--DMARC--

Ciena 3903x

(To MDF) SFP Port2: Ciena SFP (XCVR-B00G85)

(From Street) SFP Port3: Ciena SFP (XCVR-A10Y31)

--MDF--

Meraki MS120-24p

SFP Port25: Meraki SFP (MA-SFP-1GB-SX)

Link-light - https://i.imgur.com/IBr6wDV.png
No Link-light - https://i.imgur.com/N5wIl6P.png



New WPA/WPA2 (PSK) SSID connects, but with "No Internet"

Hi everyone,

I have just finished setting up a new NPS server and two new SSIDs on our new domain to migrate off of our old domain / old NPS server / old SSIDs. That is all set! But, we currently have a Guest SSID that is set up differently than the others, as in it is utilizing WPA/WPA2 (PSK). So, I created a new SSID that is essentially a copy of the current (old) Guest network, but when I connect I am getting a No Internet message. When I check the Network Properties, sure enough I am not being handed out an IP from the DHCP server that I have set in the properties of the new SSID. But I find it strange since the current (old) Guest network has the same properties and is connecting just fine and handing out DHCP addresses? Thanks!



Microsoft NPS MAB wildcards

I'm working on setting up MAB on Microsoft NPS for devices such as printers that can't authenticate using wired 802.1x. I want to use the OUI portion of the MAC for the time being for authentication.

I've created a network connection policy condition using the OUI and wild card in form aa-bb-cc* for the CallingStation-ID and this works fine. Also, I can authenticate the exact MAC address as well.

The problem I'm having is I would like one policy for each type of device with multiple OUIs in the CallingStation-ID. This would be better than a separate policy for every different OUI.

For instance, a policy for multiple printer manufacturers using something like aa-bb-cc*|dd-ee-ff*|11-22-33*

Unfortunately, this doesn't seem to work. I've looked at the Microsoft NPS regex guide but I haven't found the solution. I'm sure it's something simple I'm missing.

Has anybody else successfully implemented something like this?
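An added example, not from the post, of what the multi-OUI condition has to express once the Calling-Station-ID is treated as a regular expression (the post refers to the Microsoft NPS regex guide): in a regular expression `*` repeats the preceding character rather than meaning "anything", so `aa-bb-cc*` is "aa-bb-c followed by zero or more c" and, unanchored, also accepts a MAC beginning `aa-bb-c0`. The Python below builds one anchored alternation for a list of OUIs, normalises the spellings a NAS may send (hyphens, colons, dotted), and keeps a `naive_matches` helper that reproduces the over-match. It is assumed, not verified here, that NPS accepts the same anchored alternation; the spelling of Calling-Station-ID that the switch actually sends is the one the NPS pattern must match, and the `ALLOWED_OUIS` values are the post's own placeholders.

```python
import re

# The example OUIs from the post.
ALLOWED_OUIS = ["aa-bb-cc", "dd-ee-ff", "11-22-33"]


def _canonical(raw, ndigits):
    """Strip '-', ':', '.' and whitespace, lower-case, require exactly ndigits hex
    digits, and return them hyphen-separated in pairs (aa-bb-cc...)."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(rf"[0-9a-f]{{{ndigits}}}", digits):
        raise ValueError(f"expected {ndigits} hex digits: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, ndigits, 2))


def normalize_mac(raw):
    """aa-bb-cc-dd-ee-ff, AA:BB:CC:DD:EE:FF, aabb.ccdd.eeff, aabbccddeeff -> aa-bb-cc-dd-ee-ff."""
    return _canonical(raw, 12)


def normalize_oui(raw):
    """First three octets only, same canonical form."""
    return _canonical(raw, 6)


def build_oui_pattern(ouis):
    """One anchored alternation for many OUIs. '*' in a regular expression repeats
    the preceding character, so 'aa-bb-cc*' means 'aa-bb-c then zero or more c';
    the tail here spells out the three remaining octets instead."""
    alternatives = "|".join(normalize_oui(o) for o in ouis)
    return rf"^(?:{alternatives})(?:-[0-9a-f]{{2}}){{3}}$"


def mac_allowed(calling_station_id, ouis=ALLOWED_OUIS):
    """True when the NAS-supplied Calling-Station-Id, in any common spelling,
    carries one of the allowed OUIs. Anything that is not a MAC is rejected."""
    try:
        mac = normalize_mac(calling_station_id)
    except ValueError:
        return False
    return re.fullmatch(build_oui_pattern(ouis), mac) is not None


def naive_matches(pattern, calling_station_id):
    """The post's style of pattern evaluated as a plain unanchored regex search,
    kept here to show how 'aa-bb-cc*' also accepts unrelated MACs."""
    return re.search(pattern, calling_station_id.lower()) is not None


if __name__ == "__main__":
    print(build_oui_pattern(ALLOWED_OUIS))
    for mac in ("AA-BB-CC-01-02-03", "dd:ee:ff:aa:bb:cc", "1122.3344.5566", "aa-bb-c0-01-02-03"):
        print(mac, mac_allowed(mac), naive_matches("aa-bb-cc*|dd-ee-ff*|11-22-33*", mac))
```

Whichever pattern ends up in the policy, the set it admits is the thing to review: an OUI allow-list admits every device that claims a manufacturer prefix, so the printer VLAN it lands in should carry no more access than a printer needs.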



BGP prefix-list question

Hey networking,

Had a quick question in regards to BGP outbound filtering using prefix-list.

My configuration below:

    router bgp 65000
     template peer-session NEIGHBOR-SESSION
      remote-as 65001
      timers 10 40
      password RedditBruh
     template peer-policy NEIGHBOR-POLICY
      route-map NEIGHBOR-OUTBOUND out
      soft-reconfiguration inbound
     !
     network 172.16.0.0 mask 255.255.224.0
     neighbor 192.168.1.1 inherit peer-session NEIGHBOR-SESSION
     !
     address-family ipv4
      neighbor 192.168.1.1 inherit peer-policy NEIGHBOR-POLICY
    !
    route-map NEIGHBOR-OUTBOUND
     match ip address prefix-list OUTBOUND
    !
    ip prefix-list OUTBOUND seq 5 permit 172.16.0.0/19
    ip prefix-list OUTBOUND seq 10 deny 0.0.0.0/0 le 32
    !

If I run a "show ip bgp neighbor 192.168.1.1 advertised-routes", I shows that I am correctly advertising the /19.

However, if someone on the other side needs to reach 172.16.5.0/24, which is part of the /19, it fails; there's no reachability at all.

In order to make it work, I have to create a new statement in the prefix-list allowing the specific 172.16.5.0/24, and then it works.

    ip prefix-list OUTBOUND seq 5 permit 172.16.0.0/19
    ip prefix-list OUTBOUND seq 6 permit 172.16.5.0/24
    ip prefix-list OUTBOUND seq 10 deny 0.0.0.0/0 le 32

I thought that the /19 outbound would cover anything that falls under the /19, including the 5.0/24 network. So people on the other side trying to reach the 5.0/24 should have no problem, correct?

Can someone shed some light into why this is?

EDIT: I understand that not allowing the /24 through will mean that the other side won't see it, since it doesn't have any ge/le statements, it will only allow the /19 through. However, this is more of a case as to why my BGP peer isn't using the /19 to reach the /24, when clearly the /24 falls under the /19. The /19 should serve as a catch all for all 172.16/19 networks trying to reach me; I shouldn't have to allow all my specific prefixes through for this to work.
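An added worked example (not the poster's configuration) that separates the two mechanisms the post mixes: prefix-list matching decides which prefixes are advertised, and longest-prefix lookup in the peer's forwarding table decides which route a destination inside those prefixes actually uses. The code reproduces the post's `OUTBOUND` list with Cisco prefix-list semantics (no `ge`/`le` means an exact length match; `le` raises the longest accepted length), then runs a forwarding lookup over a constructed peer RIB to show that a bare /19 does cover 172.16.5.10, and that only a more specific route present in that RIB changes the answer. The RIB contents and next hops are constructed for the example.

```python
from ipaddress import ip_address, ip_network


def prefix_list_entry_matches(entry, prefix):
    """Cisco-style prefix-list semantics for one entry = (action, network, ge, le).
    No ge/le: the prefix must equal the entry exactly. 'le' sets the longest length
    accepted, 'ge' the shortest; with 'ge' alone the upper bound is the host length."""
    _action, base, ge, le = entry
    base, prefix = ip_network(base), ip_network(prefix)
    if prefix.version != base.version or not prefix.subnet_of(base):
        return False
    lo = base.prefixlen if ge is None else ge
    if ge is None and le is None:
        hi = base.prefixlen
    elif le is None:
        hi = base.max_prefixlen
    else:
        hi = le
    return lo <= prefix.prefixlen <= hi


def evaluate_prefix_list(entries, prefix):
    """First matching entry wins; a prefix that matches nothing is implicitly denied."""
    for entry in entries:
        if prefix_list_entry_matches(entry, prefix):
            return entry[0]
    return "deny"


# The post's list, as (action, prefix, ge, le) tuples.
OUTBOUND = [("permit", "172.16.0.0/19", None, None),
            ("deny", "0.0.0.0/0", None, 32)]
# A variant that also lets the more-specific /20 to /24 prefixes through.
OUTBOUND_LE24 = [("permit", "172.16.0.0/19", None, 24),
                 ("deny", "0.0.0.0/0", None, 32)]


def longest_match(rib, dst):
    """Forwarding lookup: of all routes containing dst, the longest prefix wins.
    rib maps prefix strings to next hops; returns (prefix, next_hop) or None."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in rib.items():
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


if __name__ == "__main__":
    for p in ("172.16.0.0/19", "172.16.5.0/24", "10.0.0.0/8"):
        print(f"{p:16} OUTBOUND={evaluate_prefix_list(OUTBOUND, p):6} "
              f"OUTBOUND_LE24={evaluate_prefix_list(OUTBOUND_LE24, p)}")
    # Constructed peer RIB: default to an upstream, the /19 learned from this router.
    rib = {"0.0.0.0/0": "upstream", "172.16.0.0/19": "192.168.1.2"}
    print("172.16.5.10 via", longest_match(rib, "172.16.5.10"))
    # A more specific route from anywhere else (another peer, a static, a null
    # route) is the only thing that takes 172.16.5.10 away from the /19.
    rib["172.16.5.0/24"] = "elsewhere"
    print("172.16.5.10 via", longest_match(rib, "172.16.5.10"))
```

So the poster's reading of the advertisement side is right: the /19 alone is enough for a peer to forward to any address inside it. When traffic still fails, the place to look is the peer's own table (`show ip route 172.16.5.10` on the far side), since a more specific /24 there, or the /19 missing from the table despite being advertised, explains the symptom; adding seq 6 made things work by out-competing whatever that entry was.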



What is the big deal with Ubiquiti?

Am I missing something? Why is Ubiquiti hardware so highly regarded right now? My FOMO meter is off the charts..



VoIP Latency issue, looking for opinions / advice

First of all, I'm by no means a network admin, please keep that in mind.

We're experiencing issues with our VoIP calls, it always has a delay in communication when making external calls.

Our setup:

  • Ubiquiti Edgerouter (Previously Fortigate 60D, same issue though), We have a 200/20Mb Coax Internet connection (Provider is Ziggo, Dutch ISP), Edgerouter connected to their Modem
  • (Set up QoS on the Edgerouter for DSCP 24 & 46; also checked with Wireshark that these values are in fact being sent out)
  • All Switches are Ubiquiti Edge switches 1 Gbps
  • Separate VLAN for VoIP, Office, etc.
  • 3CX Server, 2 UniFi VoIP Phones
  • My ping time to google DNS is roughly ~12 ms

When I do an local call, from 1 VoIP phone to another I have no issues at all. No latency. When I make an outbound call it's really noticeable. Probably half a second of delay. I've done all I could think of, so that's why I'm reaching out for help..

Things I've tried as well:

  • Lowest bandwidth codecs
  • Registered VoIP phone directly to our VoIP provider (voys.nl), same issue
  • Unplugged all my equipment, only had the VoIP phones and 3CX server on the network, same issue

Is it a reasonable possibility that our ISP itself is the issue? I've got no idea what other steps I can take to test things.

Advice would be greatly appreciated!



Thursday, May 2, 2019

Visio Stencils - Minimalist Flat Design

Hi There

I'm wanting to redo all my logical network diagrams and have traditionally used the Cisco stencils in the past. I'm wanting to go with a very minimalist sleek flat diagramming style now and was wondering whether there are any recommended stencils out there for network diagrams that are flat and minimalist, and look really good?

Thanks



WAN Serial PPP Link (AT&T Fiber, business)

AT&T gave us what appears to be a PPP-encapsulated serial WAN link handoff. I have a Unifi router. I want to avoid a Cisco router or device. I'm looking for something that can plug into the serial handoff, do the de-encapsulation, and give me IP/Ethernet.

I'd imagine there is a family of devices that does this and this alone. What might these be referred to?

Google is failing me. Cisco pays for a lot of placement!



installing a cert on the F5 or the server or both?

Hello all, kinda new to certs but trying to find out if installing the cert on the F5 must also be installed on the iis servers. So if I have 2 iis webservers both hosting the same website(example.com), currently both being load-balanced and monitored by the F5. I generated a CSR on the F5 for example.com and sent to CA. I got back the cert from CA and I threw the key, the cert and the intermediate cert on the SSL client profile, then I put the cert and key on the SSL server profile. I followed these steps based on F5 articles

  1. If I install the cert chain on the SSL client profile and SSL server profile like I mentioned above, does this mean that the F5 is now doing full SSL offloading? Where the traffic is not encrypted between the F5 and the server?
  2. Do I also need to install the certs on the webserver if my intention is to do SSL offloading? Based on what I'm reading online, it seems I do not need to do so, but I can't be sure. I'm attempting to take as much work away from the servers as I can.
  3. Let's say I have changed our internal DNS to point example.com to my VIP and my servers were not ready to accept connections just yet, but I have installed the SSL client/server profiles. Can I somehow see the certificate from a browser if I try to hit the VIP in the browser? I understand that the servers can't deliver any content because they are not ready yet, but could I view the cert in a browser since it is at least installed on the F5?


DNS records for single G Suite user

I have both a registered domain and a web hosting plan at my local web hosting company. I was provided a cPanel account to manage my web pages and to manage my DNS settings as well. Before the web hosting plan I only had my domain name, that I pointed to freedns.afraid.org and I created a G Suite account, to have my personal email hosted on Google's servers, but now cPanel manages DNS.

My web hosting plan also has a mail server option and I made a few more mail accounts for my team members, but I wanted to keep my own on G Suite. However, even though I put in the same DNS records as the G Suite setup guide suggests (+ I had the same setup before), I can no longer receive or send emails from my G Suite account, but other accounts on my domain can, therefore I think it has something to do with DNS, but this sadly exceeds my knowledge.

Another thing to point out: I've read blog and forum posts on split mail delivery, which is rather not the same thing. I need to route my domain to Google, only to host a single user. Others will be hosted from my cPanel mail server at the hosting company's servers.

Kind regards,

Jure



Anyone working with Huawei VRP gear? output screen width help needed

Hello redditors,

I've got some Huawei S5700s around that are used for a smallish project; these use VRP as their NetOS (not CloudEngine). I have a problem with the following command:

display lldp neighbors brief 

It returns cropped data, for instance:

Local Intf    Neighbor Dev                          Neighbor Intf    Exptime(s)
XGE0/0/1      ar-dc01-asw05.netinfr...              Gi1/1/2          102

The whole name of the device is ar-dc01-asw05.netinfr.mycompany.com so it should return something like:

Local Intf    Neighbor Dev                          Neighbor Intf    Exptime(s)
XGE0/0/1      ar-dc01-asw05.netinfr.mycompany.com   Gi1/1/2          102

Anyone know if there's a way to fix this? I've tried the "screen width" command to no avail. The reason I need it in full is because I'm building a micro app that queries this data and then parses it, so I need the full name, and the other command I have available:

display lldp neighbors 

Produces a wall of text... per interface with a neighbor, which I am having a hard time parsing.

Any ideas?

Thank you in advance.



BGP routes on Cisco 3750G-12S

Hello all. Long time lurker here. Just have a quick question for those familiar with these switches.

I run 2x Cisco 3750G-12S switches in a DC. I run iBGP between the two switches and have route-reflector clients downstream of them. Upstream I have connectivity from each switch to two transit providers and an intermediary with LINX.

My question is this. I accept a bunch of routes over the ‘intermediary’ peer in order to steer as much traffic towards LINX as possible. These switches only handle around 8K IPv4 and 8K IPv6 prefixes (if I remember correctly!) Currently, I’m taking in just short of 2K IPv4 prefixes on each switch and these are then being exchanged over iBGP as well thereby forming multiple paths to these destinations. Does this in effect use 4K out of the 8K prefix capability or does it only count as 2K prefixes but use slightly extra ram to store the additional paths?

I apologise in advance if this seems like a silly question but I can’t seem to get a clear answer on Google.

Thanks for reading.



What's the point of a static IP on common devices?

I see most of my devices give me the option to assign a static IP to them. For instance my PC, my MacBook, or my Xbox One. I mean, what's the point? Why should I care if my Xbox gets assigned a different IP every time? I heard, and I can easily understand, that a static IP is useful for servers, but what's the point on consumer devices like an Xbox or a MacBook?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



DCNM for Managing NX-OS VXLAN Deployment

All,

I am curious if anyone is using DCNM to manage a full-blown VXLAN MP-BGP EVPN solution? I am in the process of a data center re-design and a few of the requirements that I have are:

  • No spanning tree
  • Spine leaf architecture (CLOS fabric)
  • Must be Cisco

That being said, I have drunk the ACI Kool-Aid and know that Cisco says that it can borderline cure cancer, but I have not yet found anyone that is using DCNM to manage a VXLAN.

Any thoughts? Opinions? War stories on DCNM?

Thanks!



Opinions on HPE Aruba 2930F Series

I'm trying to build a "pro-consumer" network for the home office. I'm collecting people's experiences and knowledge with regard to the subject switches. From this thread, the reviews seem to be mixed, albeit the thread was from a couple of years ago. I'm in the market for switches that have 16 or 24 ports, PoE+ (for cameras), at least SFP and SFP+ (price dependent), and (crossing fingers) a centralized management system.

Are these just rebrands of old, almost EOL hardware? Are they still being deployed in the infrastructures? Are there continuous software/firmware updates? Other comparable switches I should consider?



link aggregation between HP switches?

Is link aggregation between HP switches possible?

Not between server and switch, but between 2 switches?

They are in racks more than 3 meters apart, so the stacking cable is too short.



Any Netgear experts in here?

I'm sort of confused as to how to do some basic QoS, VLAN tagging and making a LAG with the web GUI.

What's the difference between a PVLAN ID and a membership?

This is oddly confusing, I wonder if the CLI would make more sense.



Equinix pricing guide?

Hey guys,

I was wondering if anyone knows of, or if there's, an Equinix pricing guide for their colocation services - specifically in London (LD1-LD10) for 1/2 a cabinet.

Thanks!



How difficult is it to learn python for network automation?

Just curious how fast others have picked it up? I have absolutely no experience with any kind of programming language, nor do I have any real desire to have any. But network automation always seems pretty interesting to me. Is it possible to learn the basics of network automation in like a week or 2, or is Python a little more complex than that?



ASA - Palo VPN keeps dropping after 8 hours

New S2S route-based VPN between ASA and Palo Alto FW keeps dropping after 8 hours. Clearing the ipsec peer on the ASA does no good; I have to disable the IKE gateway on the Palo to get things working again.

ASA debug shows this:

"IKEv2 Negotiation aborted due to ERROR: Detected an error notify payload"

Palo debug shows the below:

"2019-05-02 19:48:16.991 +0100 [DEBG]: { 13: }: received notify type INVALID_KE_PAYLOAD

2019-05-02 19:48:16.991 +0100 [DEBG]: { 13: }: ikev2_process_child_notify(0x103ff660, 0xfff085e5b0), notify type INVALID_KE_PAYLOAD

2019-05-02 19:48:16.991 +0100 [PWRN]: { 13: }: 17 is not a child notify type

Obviously something is not right, but I'm not sure where to start! Anyone able to advise? This is the first route-based VPN off this particular ASA, but the same VPN config on another ASA to my Palo Alto has been stable for days.

EDIT: Full Cisco config I applied is below

----------
proposal
----------
crypto ipsec ikev2 ipsec-proposal DEFAULT-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-384 sha-256 sha-1

----------
profile
----------
crypto ipsec profile DEFAULT-PROFILE
 set ikev2 ipsec-proposal DEFAULT-PROPOSAL
exit

------------
tunnel int
------------
interface Tunnel1
 no shutdown
 nameif TUNNEL
 ip address 169.254.44.1 255.255.255.248 standby 169.254.44.6
 tunnel destination x.x.x.x
 tunnel source interface outside
 tunnel protection ipsec profile DEFAULT-PROFILE
 tunnel mode ipsec ipv4

--------------
group policy
--------------
group-policy IKEV2-GROUP-POLICY internal
group-policy IKEV2-GROUP-POLICY attributes
 vpn-tunnel-protocol ikev2

--------------
tunnel group
--------------
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy IKEV2-GROUP-POLICY
tunnel-group x.x.x.x ipsec-attributes
 peer-id-validate nocheck
 ikev2 local-authentication pre-shared-key x.x.x.x
 ikev2 remote-authentication pre-shared-key x.x.x.x
 isakmp keepalive threshold 10 retry 2

--------------
ikev2 policy
--------------
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 28800
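Added example, not from the post or from Cisco: a small lint pass over the IKEv2/IPsec stanzas of the ASA config above. The string below copies those lines from the post; the checks and the weak-algorithm thresholds (DH groups below 2048-bit MODP, SHA-1/MD5 hashes) are this example's own choice.

```python
"""Lint the posted ASA IKEv2/IPsec settings (added example, not Cisco's)."""
import re

# Copied from the posted config: only the lines the checks look at.
ASA_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal DEFAULT-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-384 sha-256 sha-1
tunnel-group x.x.x.x ipsec-attributes
 peer-id-validate nocheck
 isakmp keepalive threshold 10 retry 2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 28800
"""

# MODP groups smaller than 2048 bits (group 14) are treated as weak here.
WEAK_DH_GROUPS = {1, 2, 5}
# ASA spells SHA-1 as "sha" (prf/integrity) or "sha-1" (esp integrity).
WEAK_HASHES = {"sha", "sha1", "sha-1", "md5"}


def lint_ikev2(config: str) -> list:
    """Return (check, detail) pairs for the settings a reviewer looks at first."""
    findings = []
    for raw in config.splitlines():
        cmd = raw.strip()
        if m := re.fullmatch(r"group ((?:\d+\s*)+)", cmd):
            weak = sorted({int(g) for g in m.group(1).split()} & WEAK_DH_GROUPS)
            if weak:
                findings.append(("dh-group", f"DH group(s) {weak} below 2048-bit; use 14+"))
        elif m := re.fullmatch(r"prf (.+)", cmd):
            weak = [h for h in m.group(1).split() if h in WEAK_HASHES]
            if weak:
                findings.append(("prf", f"PRF {weak} is SHA-1/MD5 based"))
        elif m := re.fullmatch(r"protocol esp integrity (.+)", cmd):
            weak = [h for h in m.group(1).split() if h in WEAK_HASHES]
            if weak:
                findings.append(("esp-integrity", f"ESP integrity offers {weak}; peer may select it"))
        elif m := re.fullmatch(r"lifetime seconds (\d+)", cmd):
            hours = int(m.group(1)) / 3600
            findings.append(("lifetime", f"IKE SA lifetime {m.group(1)} s = {hours:g} h, the rekey interval"))
        elif cmd == "peer-id-validate nocheck":
            findings.append(("peer-id", "peer identity is not validated against the tunnel-group"))
    return findings


if __name__ == "__main__":
    for check, detail in lint_ikev2(ASA_CONFIG):
        print(f"{check}: {detail}")
```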



ISP Quote

Currently in college to get my bachelor's in IT, and one of the classes assigned a project to design/install a network for a theoretical hospital company, with 5 hospitals, 11 clinics, and a research facility (RF). All of this would be east coast USA, primarily VA/MD/DC.

My group and I are thinking 10Gb fiber lines connected to each hospital as well as the RF, but I can't find quotes for 10Gb anywhere. Does anyone have an idea of potential costs per site? Or if 10Gb is overkill, quotes for 1Gb would be greatly appreciated. Even just direction would help, as several ISPs have all declined to give me a quote, instead directing me to dead ends. Each of the 5 hospitals would average 2k users.

Any and all help would be appreciated, thank you.



Best Network Tester Under $1k

What's everyone's opinion on the best network cable (RJ45/Cat6) tester/tracer for under $1k. I'm a one-man shop and I'm getting ready to terminate about 300 cables in our new facility. Need something to test the cables and help trace them all out.



Which usb flash drive do you use?

Hi guys,

I recently purchased Samsung 3.1 USB flash drive so I can download some Cisco IOS images and plug it into the switch/router to upgrade the code.

Well, I just tested it out today but none of them reads this USB drive, and I am considering returning it and finding another USB drive.

Do you have any recommendations?

Thanks!



IP Whitelisting using dynamic DNS records

I have been tasked with setting up the following:

1 - Set up and maintain a dynamic list of IP addresses, using the results of lookups performed via a trusted DNS resolver

2 - Also maintain a static whitelist (for business apps that require so)

3 - Blackhole traffic for all IP addresses that do not match the whitelist.

Essentially, IP traffic for which a corresponding successful DNS request, and reply, does not exist is denied.

There are a lot of details (aging, intercepting and redirecting DNS requests sent elsewhere, etc.) but, disregarding them altogether at this point in time, my questions are:

A - Is it possible?

B - Is there a tool that exists that does that?

C - Is managing some static whitelist for legit traffic going to be a nightmare?

D - more importantly, is it a good idea to start with? Is there any real security benefit / gain in doing this?

PS: I looked wide and far here, on different subs and also Google, but all I could find was around the concept of using predefined FQDNs in some way (different ways). This is not what I am after; any FQDN is OK (some other system may blacklist domains, but this is another topic).

PPS: Obviously, the trusted DNS resolver MUST be really good and trustworthy, but this is also for another topic.
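The three requirements above (a DNS-learned dynamic list with aging, a static list for business apps, and a default blackhole), modelled as an added example that is not part of the original post. All addresses, TTLs and the clamping limits are constructed sample values, and the lookup timeline is simulated with explicit timestamps.

```python
"""DNS-learned dynamic allowlist with aging, plus a static list (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DnsAllowlist:
    # Static entries (business apps): networks that are always allowed.
    static_nets: list = field(default_factory=list)
    # Dynamic entries learned from the trusted resolver: address -> expiry.
    dynamic: dict = field(default_factory=dict)
    # Clamp learned lifetimes: a tiny TTL would flap, a huge one would keep
    # a stale address allowed for days. Constructed values.
    min_age: int = 60
    max_age: int = 3600

    def add_static(self, cidr: str) -> None:
        self.static_nets.append(ipaddress.ip_network(cidr, strict=False))

    def observe_answer(self, ip: str, ttl: int, now: float) -> None:
        """Record an A/AAAA answer the trusted resolver returned to a client."""
        age = min(max(ttl, self.min_age), self.max_age)
        addr = ipaddress.ip_address(ip)
        # A repeated answer extends the entry; never shorten an existing one.
        self.dynamic[addr] = max(self.dynamic.get(addr, 0), now + age)

    def expire(self, now: float) -> int:
        """Purge aged-out dynamic entries; returns how many were removed."""
        stale = [a for a, exp in self.dynamic.items() if exp <= now]
        for a in stale:
            del self.dynamic[a]
        return len(stale)

    def verdict(self, dst_ip: str, now: float) -> str:
        """'allow-static', 'allow-dns', or 'deny' (blackhole) for a destination."""
        addr = ipaddress.ip_address(dst_ip)
        if any(addr in net for net in self.static_nets):
            return "allow-static"
        exp = self.dynamic.get(addr)
        if exp is not None and exp > now:
            return "allow-dns"
        return "deny"


def run_scenario() -> dict:
    """Constructed timeline using documentation ranges (RFC 5737) as samples."""
    acl = DnsAllowlist()
    acl.add_static("203.0.113.0/24")                        # business app range
    acl.observe_answer("198.51.100.10", ttl=300, now=1000)  # answer for some FQDN
    acl.observe_answer("198.51.100.11", ttl=5, now=1000)    # TTL clamped up to 60 s
    results = {
        "static": acl.verdict("203.0.113.7", now=1001),
        "learned": acl.verdict("198.51.100.10", now=1001),
        "clamped": acl.verdict("198.51.100.11", now=1050),  # still inside the 60 s floor
        "unknown": acl.verdict("192.0.2.9", now=1001),      # no DNS answer, no static entry
        "aged": acl.verdict("198.51.100.10", now=1400),     # 300 s TTL has elapsed
    }
    results["purged"] = acl.expire(now=1400)                # both learned entries gone
    return results
```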



Yet another backdoor in Cisco gear - what vendor to trust?

https://www.theregister.co.uk/2019/05/02/cisco_vulnerabilities/

I think there's like 20 cases where Cisco has had a hard-coded password or some other vulnerabilities within a year. Juniper had some too and no one trusts Huawei even though they haven't had backdoors, but they're Chinese.

We’re doing a network upgrade, so is Nokia the only vendor you can trust security-wise?



VM VPN private from host

If I set up a virtual machine to use NAT networking (instead of shared/bridged) and I also use a VPN (i.e. ExpressVPN), can the host OS view the network traffic going out my home network?

I want to be sure not even the DNS lookups are visible to the host.

Basically, I'm installing a VM on my work laptop and I want to make sure nothing I visit using a browser or torrenting is visible to the Host OS. In particular I want to be sure the anti-virus Sophos can't log my network activity in the VM.

Thanks in advance! 



Ekahau Site Survey

Any resources (i.e. videos) to learn how to use Ekahau Wireless Survey Tool?



Seattle Low Voltage Contractor

Hope this is not out of line here, but I wasn't quite sure where else to post this (Didn't quite seem to fit in r/cableporn ....).

I'm pretty familiar with the players in my existing markets, but my company is opening a new office in Seattle. I've never worked in the market, and none of my contacts have anyone they'd suggest up there either.

Anyone here have a contractor you use and like who does low voltage (Cat 6, fiber...) in Seattle proper? Two or three options would be great. The building ownership has provided me with one company, "Diamond Communications" - but I'm hesitant to just pick the first vendor and run. I like to have a few options and bid stuff out. I turned to trusty Google, but I always love the opinions of other network engineers. Thanks for the help!



VPN tunnel keeps going down. I'm at a loss.

tl;dr: My site-to-site goes down periodically. If I manually reset it, it lasts 7.5 hours. If it eventually resets itself, the time it lasts varies.


Hi everyone. I have a problem with my site to site tunnel and I can't figure it out.

I have my main network and I have a satellite office.
I've set up a tunnel between the two and it periodically goes down for hours at a time.
The external interface on the satellite side never goes down. I can always ping it.

On my main side, I am using a Palo Alto (PA-3050 x2 (HA)) managed by Panorama.
On the satellite side, I am using a Juniper SRX 100.

[Palto Alto] <> [tunnel] <> [Juniper]

I've tried the following:
* Lowering the MTU to 1350 on the Juniper.
* Swapping one Juniper for another, both factory reset.
* Disabled all ALG inspection on the Juniper.
* Deleted settings on the Palo Alto side and recreated them.

I'm sure there's more that I'm forgetting.

The only thing that seemed to make a difference was the last one.
I didn't create the Palo Alto side of the tunnel and noticed some discrepancies, such as the lifetime seconds being different on both sides.
I set it to 8 hours.

Changing the lifetime actually did make a difference.
Now instead of going down every hour or so, it lasts about 7 hours and 30 minutes.

Also, I notice the tunnel takes around 10 minutes to start passing traffic once the firewalls show that it's up.
In other words, I'll reset the tunnel and it shows both IKE and IPsec are connected, but I can't ping through it until about 10 minutes later.

It seems like the tunnel is dying before its 8 hour lifetime and then if it re-establishes itself eventually, the two sides get out of sync or something sooner or later.

Or who knows? Maybe the time has nothing to do with it.

So here are some logs and configurations.
100.50.10.33 is our home network (Palo Alto).
200.1.1.74 is our remote network (Juniper).
10.20.20.1 is the internal interface to which I'm performing a continuous ping.

I replaced the real IPs with fake ones for this post.

Palo Alto config: https://imgur.com/a/awPM9Ut
Juniper config: https://pastebin.com/9fiz47aP
Palo Alto logs: http://devante.org/pa_logs.html
Pings (warning, 11 MB text file): https://drive.google.com/open?id=1SimthgtZaV2eekD6iYWDKndw8dr-eI5s

Breakdown of pings:

04/27 23:34:30 Up 7 hours, 26 minutes and 1 second
04/28 07:00:31 Down

04/28 07:10:27 Up 7 hours, 26 minutes and 29 seconds
04/28 14:36:56 Down

04/28 22:23:21 Up 7 hours, 26 minutes and 20 seconds
04/29 5:49:41 Down

04/29 8:08:26 Up 7 hours, 28 minutes and 26 seconds
04/29 15:36:52 Down

04/29 16:15:53 Up 7 hours, 27 minutes and 26 seconds
04/29 23:43:19 Down

04/29 23:53:19 Up 7 hours, 26 minutes and 22 seconds
04/30 7:19:41 Down

04/30 8:09:42 Up 7 hours, 34 minutes and 3 seconds
04/30 15:43:45 Down



Locked out of routers?

We were trying to set up SSH access for our routers and after inputting these commands in the config terminal:

ip domain-name x
crypto key generate rsa
1024
line vty 0 4
 transport input ssh
 login local
 password x
 exit
line console 0
 logging synchronous
 login local

we got locked out of the router and cannot get back in with the username and password we set. We tried using local, HQ-Router and admin for the username and none worked with our password to log back in. Can anyone give insight on what would the right combination to get back in? Thank you!



What to do with a Disconnected ONT on a FTTH network?

Looking for advice on how others handle disconnected services in a FTTH market. Currently the ISP I work at leaves the ONTs on premise and connected when a customer cancels their services. As a result our NOCC will receive occasional bogus alarms for the ONT when power outages occur or other events. The NOCC is asking for the ONT to be removed from the premise so that it cannot alarm, but the install group likes having them left in place to provide rapid reconnect. There has been discussion about suppressing alarms from the ONTs, but that leaves us with no visibility to a $100 piece of essentially remote equipment.



Cisco ACI getting all the interface configuration

Hello,

I'm looking to be able to query the ACI controller via API to determine which traffic will actually flow through this port, so it includes pulling interface access policy profiles and policy groups. I can pull all of that info and then figure it out locally, but that requires pulling a bunch of data off the controller and I am not sure that's the most efficient way (I may end up doing some automation with these queries, so I may end up doing quite a lot of those calls).

Did anybody have to do this by any chance? If yes, could you share your code or the API calls? Just trying to avoid doing the work if somebody has already done it :)

Thanks!



Native vlan on allowed statement Cisco switch

So, I'm testing out one of these nifty new cloud-based WAPs. The brief config guide I have says the port needs to be a trunk, the VLAN for the WAP needs to be native, and the VLANs for clients need to be in an allowed statement on the port. I'm just curious if the native VLAN needs to be in the allowed statement and what the differences are if it is/isn't. My Google search has turned up conflicting information, so I figured I would ask you helpful folks.

Right now I have the following config on the port: (vlans changed to protect the innocent)

switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 200,222,500,543



Cradlepoint LTE

I have a Cradlepoint IBR600 that is set up for AT&T but I need to use it with Verizon. I have searched but cannot find where to download the firmware without signing up for the NetCloud thing that I don't really want. Has anyone updated their firmware manually?



What’s the proper method to mount network racks to a commercial steel stud wall?

I’ve been getting mixed answers, some say to use snap toggles into the studs and others say sheet metal screws will work just fine. We will be mounting two 10U hinged IDF racks with plywood backing (fire-rated).

What method has worked well for you? I’d appreciate any feedback/suggestions. Here’s an example of a hinged 12U IDF mounted to a wall with plywood backing. Can anyone tell what the installer did here?

Ideally, I’d like the two racks to hold a UPS, switch, and a patch panel.

Thank you.



CCNP Security Stupid Questions

- One of the questions in the exam:

Which two web browsers are supported for ISE GUI?

options:

  1. Netscape
  2. IE version 8
  3. Chrome

(Many more like this, e.g. where to click on ASDM).

Can anyone explain to me how knowing these makes you a better engineer?

:(



Pfsense OpenVPN 3 site setup - Help

So I have the following setup.

Multi Site to Site VPN

Site A: Server, 192.168.10.0/24
Site B: Client, 192.168.8.0/24
Site C: Client, 192.168.20.0/24

Site A can talk to Site B and C.

I also want the B and C LANs to be able to talk to each other.

How can I go about setting this up?

Do I need to push routes or change NAT?

Can A act as the gateway for B and C to talk to each other?



IS-IS scale

I’ve inherited a network for a large enterprise. The company has roughly 50 sites and that could grow to ~200 within a few years. They are small sites with just a few network devices in each location.

For WAN connectivity they have a layer2 service from two telcos. Basically a VPLS style setup where we use a VLAN on our external port and we get connectivity into all other sites.

ISIS is used as the IGP. Right now we enable ISIS on the multiaccess provider interface so everything on that VLAN forms adjacencies with everything else. Right now that means about 50 devices are all in the same VLAN all running ISIS in a single level 2 area.

There are also some point-to-point wavelengths between the bigger sites that also do ISIS in the same area. BGP is used as well; we peer with loopbacks at each site, and have route reflectors doing the bulk of the work. ISIS is used only for advertising the loopbacks of each device.

So my question is, how many devices do you think can exist in the multiaccess network before ISIS starts to have issues?

All the devices that participate in ISIS are modern: QFX10K, QFX5K, NCS5500.



What’s your SOP, when installing MPO/MTP trunks (like 24fiber MPO) do you test the trunk fiber? Or do you wait until it’s connected through the cassettes and then test?


ACL killing DHCP

I am trying to enable a template ACL we have been using across our access switches on a new model of switch, and it seems to be producing some strange results. The syntax is the same as on the old switches, yet adding the same commands seems to kill DHCP even though our ACL explicitly includes the IP addresses of our DHCP servers.

Our two rules are:
Allow - source vlan 1050 destination network group <IP ranges and the addresses of our DHCP/DNS servers>
Deny - source vlan 1050 destination ip Any

Without the deny enabled I plug in a test PC to VLAN 1050 and get an IP address as expected. Once I enable the deny rule and release and renew my address the PC fails to get an IP. If I set the IP statically on the PC I get connectivity as expected and can access only the address range specified in our ACL including our DHCP and DNS server.

A Wireshark packet capture shows only the DHCP requests going out and no other traffic. Our DHCP server is on another layer 3 and we are using IP helper to forward the request. The exact same config works fine on the older model of switch.

Any ideas?

Cheers
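Added example, not part of the post: the two posted rules evaluated against the addresses a DHCP DISCOVER actually carries (0.0.0.0 to 255.255.255.255, UDP 68 to 67), next to a DNS query from a statically addressed client. The network-group addresses are constructed, and the model assumes the VLAN ACL is applied before the ip-helper relay rewrites the destination, which is platform-specific.

```python
"""ACL evaluation model for the DHCP case in the post (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "udp", "tcp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One entry of the VLAN 1050 ACL; the source (the VLAN) is implicit."""
    action: str         # "permit" or "deny"
    dst_nets: tuple     # CIDR strings; () means any destination
    proto: str = "any"
    dport: int = 0      # 0 means any port

    def matches(self, pkt: Packet) -> bool:
        dst = ipaddress.ip_address(pkt.dst)
        dst_ok = not self.dst_nets or any(
            dst in ipaddress.ip_network(n) for n in self.dst_nets)
        proto_ok = self.proto in ("any", pkt.proto)
        port_ok = self.dport in (0, pkt.dport)
        return dst_ok and proto_ok and port_ok


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching rule wins; nothing matching means deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed stand-in for the post's network group: allowed ranges plus
# the unicast addresses of the DHCP and DNS servers.
NETWORK_GROUP = ("10.10.0.0/16", "10.20.5.10/32", "10.20.5.11/32")

POSTED_ACL = [
    Rule("permit", NETWORK_GROUP),   # Allow - source vlan 1050 -> network group
    Rule("deny", ()),                # Deny  - source vlan 1050 -> any
]

# A DISCOVER from a client with no lease yet: no unicast server address
# appears in the packet at all, so the group permit can never match it.
DHCP_DISCOVER = Packet(src="0.0.0.0", dst="255.255.255.255", proto="udp", dport=67)
# Client with a static address talking to the DNS server from the group.
DNS_QUERY = Packet(src="10.50.0.23", dst="10.20.5.10", proto="udp", dport=53)

# Modelled fix: permit client-to-server DHCP broadcast ahead of the deny.
FIXED_ACL = [Rule("permit", ("255.255.255.255/32",), proto="udp", dport=67)] + POSTED_ACL


def compare() -> dict:
    """Verdicts for both ACLs; the keys name the ACL and the packet."""
    return {
        "posted/discover": evaluate(POSTED_ACL, DHCP_DISCOVER),
        "posted/dns": evaluate(POSTED_ACL, DNS_QUERY),
        "fixed/discover": evaluate(FIXED_ACL, DHCP_DISCOVER),
    }
```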



planning for CCIE R&S Written Exam

http://bit.ly/2Y1YmjW

Most efficient transfer protocol to Nexus Switch?

Hi all,

New here, apologies if I break any rules...

I'm just wondering what people use to transfer files to remote Nexus switches? I'm currently using TFTP from a jumpbox but I'm getting speeds of ~200kbps, and with the 300MB+ images on the Nexus this is taking hours to transfer. Wondering if anyone knew of any better ways of remotely loading images to the switches? I've tried SCP in the past but I remember that being a similar speed.

Thanks!

Steve