Saturday, May 18, 2019

how to connect a GS728tpp and gs724t

I have the switches above and I want to connect them as one if possible. If they can't be connected as one (one IP address), then how do I do it with each having its own IP address? I'd like them to have static addresses. Currently I have a Comcast router bringing the internet into the house, followed by a Nighthawk router, and then I want to connect the two switches in question. Please share your guidance on this. Thanks in advance.



Information Sheet to help people get Fiber to the Home

I'm trying to put together a few guides to help rural areas get Fiber to the Home. This one has to do with running conduit along private / shared driveways. Could someone who knows more about the process than me help look over my sheet?

Is there a better FAQ out there? This seems really important, yet I could only find a few comments on the issue, nothing formal.



SSID rate limiting

Hey,

We're currently looking at rate limiting our guest SSIDs to allow our corporate traffic to maintain priority during peak times.

Would this not have a similar effect to leaving older rates enabled? I.e. setting a 5 Mbps limit for guest would actually decrease efficiency because they require more airtime to complete downloads/uploads.

Can someone help clarify this?



Help identifying and explaining QoS script

A friend copied large parts of a script online with some changes a long time ago to make an ISP that had to fall back on a 100 Mbit connection work so that the users could still browse/email etc. Seems to be a kind of cascading bucket design but with some other stuff.

Any QoS gurus in here able to help me find the original script, and help explain some of the sections? Any help appreciated. Thanks!

Script: https://pastebin.com/5jyMKV4x



Meraki MS350 to Brocade ICX6610

Hi guys,

I am having a weird issue. I have a Meraki switch that I am putting in a separate building to replace an older switch. It uses fiber to connect back to our Brocade Core Switch (ICX 6610). When I connect the fiber up to the SFP port I get a green light on the Meraki and same goes for the Brocade. However, we get no network connections. We are using the Cisco SFP modules and I have it on the native VLAN for both.

Any ideas or advice would be greatly appreciated! Thanks!



Needing some help with home network

I've been out of the network administration scene for about 5 years and need some help.

I recently got divorced and have moved into a family member's basement (renting) for the next year or less while I pick up the pieces and put myself back together. What I'm looking to do is connect my web server, Plex server, and NAS through a Cisco Catalyst to the second port on the X1 modem or to the port on the Linksys router that is being used for all the other equipment.

That sounds a bit odd. Let me try that again. The first point on the network is the Xfinity X1 modem; they have all of the Xfinity equipment connected to this. Connected to this is a Linksys router that is used for all the personal devices.

I have 3 thoughts. Would it be OK to put the Cisco into the DMZ on the modem? If I do this, can I just remote into the boxes normally if I'm connected to the Linksys wireless?

Should I port forward to the Cisco from the modem?

It seems like more work than needed, but would it be better to connect through the Linksys?



Angry rant about failed cert

Sorry, but I have to get this out.

I recently had the opportunity to take a 3-day Layer8 CCSA class, all funded by my employer. The class seemed fine, the instructor gave us all of his notes and was essentially teaching us the test. The fans were informative.... All seemed well and like the exam would be easy to pass.

I'll get this out now: I have no previous Checkpoint experience. I've spent years administering other vendors' firewalls and hold the associated certifications.

Anyway, I had a test scheduled yesterday. I did my normal study routine, purchased practice tests, etc. I showed up to take the test and I failed miserably.

The problem with the test was that half of it was never covered in the Layer8 class. Checkpoint only allows certified organizations to teach their curriculum, so why was the material not covered? The class included VPN config, clustering, licensing, user MGMT, logging, and the Checkpoint policy stuff. I passed all of the questions asked about this stuff; the other half was just garbage.

I'm disappointed in this whole process. I'll take the exam again on my own dime, but the whole experience feels dirty. It feels like Pearson, Checkpoint, or Layer8 just want to take my money.

Has anyone else had this experience?



Meraki MS350-24 Firmware Upgrade - Slow!!

Updated the firmware of a MS350 24 PoE yesterday and it took for friggin ever. Once the upgrade was kicked off, the status light flashed for at least 30 minutes before it actually rebooted. Wicked fast Internet so speed isn't the issue. The security appliance and APs took only 5 minutes. Documentation says no more than 11 minutes. Anyone else seeing this?



need help integrating door security and voip

This is the closest sub I could think of to ask for help; if there's a different sub please direct me.

I have a 3-office suite and am looking to integrate a door security system (with or without video) so that my VoIP desk phones will ring when someone buzzes at the door. I already explored the Aiphone IX system, but that is not compatible with my phones, which are Polycom VVX400. Can anyone recommend a product which I could further explore? Any help is appreciated.



eBGP/iBGP question

I'm trying to work through a design and thought I would come out here and ask.

The current data center is using eBGP with the ISP, but only has one ISP right now. The backup DC that was running the other eBGP session is now gone. Between them, they were using VLAN tagging over the Spectrum L2 (ELAN) and using EIGRP to connect the sites. Not sure why they used EIGRP for this, as I've always used iBGP for it, but I digress.

So, on to present day. The backup DC is now gone and we're building a new second data center across the country. QinQ is being used between all of the sites over the ELAN, including the new DC, and is being used to be able to do QoS between all of the sites, effectively creating hub-and-spoke sites with metrics to control the preferred site. The DCs will be running active/active with the apps closest to the end users.

New equipment to be installed at each site:

eBGP routers: ISR 4431

L3 Cores: Nexus 93108's at the new site, Cisco 3850's w/ ipadvanced at the current DC

Spectrum ELAN routers: ASR1001x

The thing I am trying to figure out is how to get iBGP between the DCs. My first thought is to just drop it on the corporate network and let it travel the QinQ to the other side. It would have its own L3 QinQ and IGP AS. But I'm worried about exposing it like that.

My other option is going from the 4431s using an extra Gi interface to the ASR1001x and using something like a pseudowire to connect to the other side over the ELAN to carry the iBGP. Effectively doing the same thing as just using the corporate network, but masking it in a pseudowire.

I'm not sure I feel comfortable sending the iBGP over the corporate network and ELAN without masking it. Maybe I'm overthinking this?

The other part I need to figure out is what the configuration will look like on the NGFW 2110s for this. I'm assuming both sides will pretty much look the same. But that will be another day. Also, how to use the /28s from the ISPs with the eBGP running. Or do I just not use them and just use my /24?

Thanks!



Bridging the network between two small offices - SoftEther vs. Ubiquiti Networks

Been using SoftEther VPN Server and VPN Bridge on two older Mac Minis (one macOS High Sierra and the other Ubuntu Server 19.04) to create a layer 2 bridge between two offices.

There is a single /24 subnet - half the addresses allocated for office A and half for office B. The gateway for office A is .1 and .254 for office B. DHCP for each office only hands out addresses for its range and SoftEther prevents DHCP from going across the bridge.

Has anyone compared SoftEther's performance to an EoGRE layer 2 tunnel using Ubiquiti Networks equipment? Saw this tech note from Ubiquiti Networks using EdgeRouters to create an EoGRE layer 2 tunnel and it seems to fit our scenario, but wondered if performance would suffer compared to SoftEther.

Also interested to hear about similar approaches. Have read that SoftEther is faster than OpenVPN but I'm not sure if this is hype or has been verified.



Simultaneously deploy multiple machines that compellingly need to have the same IP address but have to connect to the same network share on a Windows machine

So without going too much into detail about what the company is selling, I am dealing with the problem that the company asked me to get this scenario running.

The problem I am facing is, as the headline says, that they want to install their software on multiple servers at the same time, all connecting to the same network share on a deployment server.

The real problem is that the IP cannot be changed afterwards once the software has been installed on the machines, because there are some weird database dependencies. And of course, the company does not want to buy new hardware for that situation because of financial reasons.

So I can't just go and plant multiple routers with NICs in other subnets to build some kind of transfer net.

I am struggling with how to set up the networking in this situation because I am pretty fresh out of studying, and any help or pointer on where to put the lever would be appreciated.



How to create cloud-computing server at home?

Like the title says, I would like to make a centralized computing server at home, where people could be on some basic 2-in-1 laptop, do their daily whatevers, but if they go to do something that can benefit from a much better system, it then utilizes the server's hardware to finish the task faster.

I'm not entirely sure if a system like this is entirely possible, but something makes me feel like it could be done. It could essentially be an RDP session, but without the hassle of initiating it, like opening Remote Desktop and connecting to the server, or opening vSphere and logging into a VM. Basically run VMware on the server and make a VM for everyone on the network that runs hand-in-hand with whoever it's assigned to, only over the network.

Hell even if there's a way to make you log directly into a remote desktop session when you turn on your PC then that could work. Just think of the users as computer illiterate and would never be able to remember to connect to the remote session before starting whatever they wanted to do.

Another question I have is how to sync user's files and programs between computers on the LAN. My college does this well, where you can save your documents and installed programs on computer A, then wheel over to computer B and it would have everything you just did on the previous machine.

The first time you log into a machine that you haven't logged into before, it goes through a setup process which can take a few minutes, but after that it has all the things associated with your domain profile on computer B.

Any help is appreciated, thank you in advance!



Friday, May 17, 2019

Request for a comprehensive course that covers networking - TCP, IP, routing, switching etc.

Context:

I have a general idea about networking basics (OSI model, TCP protocol, how packets flow through the OSI model), etc.

What I am looking for:

  1. I don't have a deeper understanding of things like TCP packet structure, various algorithms like BGP, OSPF, how a router functions, how a switch functions, routing tables, how routing paths are decided, Nagle's algorithm, TCP_CORK, how to do in-depth network troubleshooting on Linux, etc.
  2. I haven't found a single course or a set of learning paths that cover all these topics.
  3. Reason for learning all this: trying to prep for interviews.

Websites I have access to:

I have LinkedIn Learning, Pluralsight, and Linux Academy subscriptions.

Request:

Is there a single course out there that covers networking in-depth?



Rewiring without opening up the walls?

I want to wire a house that I'm about to purchase, as it has CAT5 and is quite old. I'm not going to be doing a lot of wall work, so I don't want to be ripping out and opening up walls if I can help it. However, the floors on all levels will be ripped up completely (and lowered on the first floor), so I will have a lot of professionals around and no issues with having them do work. Can I have them run the cables under the floors (they will be putting in hardwood), or will that damage the cables? I'll be using CAT 8.2 and don't need runs absolutely everywhere, depending on difficulty. So if anyone has any ideas on the best way to run cables without having to open up all the walls, I would appreciate it greatly.



Change Controls Gone Awry; Or how to make a 5 minute fix take 12 days.

My employer has recently started requiring change controls for any configuration change. Typing config t and hitting enter without a change control could result in termination. Each change requires an implementation plan, a validation plan, and a rollback plan. 40 character minimum each. The board only meets on Wednesdays to approve changes, and the changes have to be in 48 hours before the start of the board meeting. Implementation, actually making the config changes is only allowed on the weekends.

Want to change a port description? Change control with 3 tasks with a 40-character minimum describing the change, a validation plan, a rollback plan, and a detailed description of the potential impact of the change. Want to shut/no shut an err-disabled port? Same deal... You get it. All inactive ports are disabled. To enable any of these ports you will need a change control.

To put this in perspective if I want to disable a port and change a port description to "Rogue DHCP Device! - Do Not Enable!" I need to know 1 week in advance and submit 3 documents, with a total of 120 characters describing the change. If I don't meet these requirements it doesn't even make it to the board for review and if I ignore the process I could be terminated.

On the fly troubleshooting steps like altering duplex settings or port speeds and the like for malfunctioning endpoint devices is impossible. We probably have over 200 network cells on our campus alone. We also have off campus stacks.

Have a port die? User setup is a pc > ip phone > drop > pp > switchport? Old fix: Move them to a new switchport, enable it, get them back online, confirm, and then go back to the cell to troubleshoot the problem port. Not anymore!

Sorry Mr. CFO, all the unused ports are disabled.. You say the problem started yesterday before you went home? OK, What day is it? Tuesday the 14th? Sorry, earliest you will have access to your desk phone and a functional PC is Monday the 27th, 12 days from now. You didn't really need any of that to do your job right?

This feels insane. Am I missing something? Anyone seen anything similar, or have good advice on how to approach a situation like this? Let it burn?



Antenna suggestions

Looking for recommendations on long range antenna options. I have a couple of customers in the landscape industry that are wanting to connect multiple smart irrigation controllers from a single POS. Any and all suggestions would be helpful. I am handy with most things but definitely a noob when it comes to networking so details would help too. Thanks in advance!



interface 'classification'

hey all!

I'm designing a network traffic analysis product and I'd like to try and get something right before we ship it. So I've got a question for folks:

If you run a corporate WAN/LAN network, do you group your interfaces into various things for accounting purposes?

Thinking like: "External WAN, External Internet, External Transit, External Peer"

or

"Internal Access Port, Internal Trunk Port, Internal Servers" etc.

I'm just trying to make sure I'm not leaving anything obvious on the table.

Thanks!



I BGP'ed All the Things...

and couldn't be happier. Life is just so much better without running OSPF or EIGRP internally.

That is all.

*edit*

watch this: https://youtu.be/yJbqnOdD3cg

read this: https://www.oreilly.com/library/view/bgp-in-the/9781491983416/

My design is built on eBGP, 32 bit ASNs, modifying timers, specifically the keepalive = 1, hold = 3, advertisement interval = 0, and BFD.

It's possible, thanks to BFD, to get sub-second failover.

*edit 2*

I run eBGP from my internet edge, throughout my DC, across my WAN, and all the way down to my access switches at branch sites and corporate campuses. I have a single pocket of OSPF across a P2P link to a vendor device that does not support BGP.



Inbound traffic hosted load balancer

I have a requirement to implement inbound traffic load balancing across 2 different ISP circuits terminating into a single perimeter device. The business has 2 /29s so we cannot advertise outbound.

The idea is to have a hosted load balancer that listens to external DNS requests, then is health-checking the 2 outside interfaces of the perimeter device and balancing routing and failover accordingly. The issue right now is that the top services I have reviewed (CloudFlare, AWS Route 53, Azure Traffic Manager) all use either HTTP/S GETs or TCP establishment. In order for that to work with the equipment we're dealing with, those requests would need to pass through the perimeter to a device behind the router. This isn't ideal since then the health checks would hinge on that one endpoint listening device being up or down. Technically speaking I could whitelist ranges via ACLs to have the management pages respond to the above checks, but I'm really not in love with that idea at all (albeit that may be misplaced reservation, I'm open to having my mind changed).

I'm a bit stumped as to my options, and maybe I'm going about this the wrong way. I think we'd want to use something just pinging our outside interfaces periodically and that would be sufficient, but please correct me if I'm wrong. I'm not really able to find anything that does that.



Crown Castle Outage - Fiber Cut near 401 N Broad, Philly

Currently sans phone service... The issue started around 11 AM Eastern.

I have reports from two of the involved parties that there's a fiber cut at/near 401 N Broad St. in Philadelphia on Crown Castle's network.

... has discovered a fiber cut at our 401 North Broad location in Philadelphia, which may be impacting your service. Engineers have engaged the vendor and they are currently working to resolve the issue. Further details will be provided once they are available.

... and:

We received an update from <datacenter> that they found a FIBER cut in the upstream carrier, Crown Castle's network.

How is everyone else's Friday going?



CISSP: Technical value

To those who are operating in a security/network engineering position: What is the technical value of the CISSP certification in relation to other professional development you have endeavored upon? Would you recommend this certification for its technical value or rather for the salary gain from obtaining it?

I have little respect for certs since working with so many paper engineers, so my evaluation may be a little skewed. Looking to hear from those that had a large technical background and endeavored for the CISSP: what's your take?



A Question of Practicality with VRF's

I haven't had time to lab this out, so unfortunately I can't verify, but could the classic error message of "% 192.168.1.0 overlaps with GigabitEthernet0/1" be bypassed by using a duplicate network on two different routed interfaces as long as they were in different VRFs, so that the routing table wouldn't have any route/interface selection discrepancies? Alternatively, I am not sure how this would affect eBGP instances; I bet negatively.

Any thoughts or experience in this regard?



OM3 vs. 4/5

Currently upgrading to a 10G network throughout. I am curious and trying to understand if there are any benefits to going straight to OM5 fibre as opposed to using OM3 or OM4 (besides future proofing). Cost isn't an issue/concern. Is there any reason why I shouldn't be doing this?

Are there any tangible technological benefits (such as better quality fibre, less loss, etc.) that OM5 has over OM3 and OM4? (Ignoring the 40/100 speeds they offer.)

Thoughts and advice please.



In VTP, why is there a need for 'Transparent mode'?


Needing to gain better throughput for our non-profit cat rescue's cameras. Using the Meraki system that is already in place.

Greetings. Hopefully this is in the correct sub. I am not a certified networking professional, but I am semi-familiar with the basics of mesh networks and the like. We have a non-profit cat rescue that is located on donated land. The majority of the land is an RV park with a Meraki system for Wi-Fi access for the guests of the park. There is no IT or networking person in charge of anything regarding their coverage until now. ME. ha.

Anyway, the "cathouses" at the far end of the property need to have a camera system accessible over the net. Obviously, the bandwidth is affected by distance, AP routing, clients connected and such. The owner of the RV park who donated the land is open to a new Wi-Fi system that could support PoE cameras (at least 5) or a central DVR with PoE devices. Before that can happen I feel that the basic network needs to be better set up, tweaked, or even a new system supporting the capabilities needed (access control, monitoring, alerting, etc.) purchased and installed. With this in mind I was hoping to gain some insight into what options to explore; given this sub's expertise in networking I posted here. I am hoping that in tweaking or moving/modifying the equipment already on site (different antennas, repositioning) I can get the cathouse online properly. I have many fun screen-caps to illustrate what I currently have to work with. https://imgur.com/a/QnNudL2

Any help would be appreciated.



Quick help with tcpdump

I know how to see all incoming traffic, filter it, or see MAC addresses, but I was wondering if there is a way to add geolocation to it.

Such that I would be able to see something like Canada, QC or USA, CA. I find this helps me figure out a problem faster if I already have in mind who and where the packets are coming from. For example, getting the IP in reverse by knowing the location. I just need a real-time view along with other info. Or perhaps a recommendation for another program I can run side-by-side.

I prefer to do everything from the CLI.

Thanks!
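One way to get the location next to each packet on the CLI, as an added example that is not from the post: pipe `tcpdump -nl` through a small Python filter that parses the source and destination of each summary line and appends a lookup result. The lookup table and the sample lines are constructed stand-ins (a real setup would consult a local GeoIP database such as MaxMind GeoLite2), and `geo_annotate.py` is a hypothetical file name.

```python
import ipaddress
import re
import sys

# Constructed lookup table standing in for a real GeoIP database (a locally
# installed MaxMind GeoLite2 file is the usual choice). The prefixes are IANA
# documentation ranges, so the locations attached to them are fictitious.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "Canada, QC"),
    (ipaddress.ip_network("198.51.100.0/24"), "USA, CA"),
    (ipaddress.ip_network("2001:db8::/32"), "USA, NY"),
]

# Address space that never needs a lookup: RFC 1918, loopback, link-local, ULA.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Matches the start of a `tcpdump -n` line: optional timestamp, "IP" or "IP6",
# then "src.port > dst.port:" followed by the rest of the summary.
TCPDUMP_RE = re.compile(
    r"^(?:(?P<ts>\d[\d:.]*)\s+)?IP6?\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+?):\s+(?P<rest>.*)$"
)


def split_endpoint(endpoint):
    """Split tcpdump's 'host.port' form; the last dot separates the port, which
    also works for IPv6 hosts such as '2001:db8::1.443'."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def lookup(ip_str):
    """Return a location label for an address, or 'local' / 'unknown'.
    (ip in net) is False across IP versions, so mixed tables are safe."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in LOCAL_NETS):
        return "local"
    for net, location in GEO_TABLE:
        if ip in net:
            return location
    return "unknown"


def annotate(line):
    """Append '[src -> loc; dst -> loc]' to a tcpdump line; pass other lines through."""
    match = TCPDUMP_RE.match(line.rstrip("\n"))
    if not match:
        return line.rstrip("\n")
    src_ip, _ = split_endpoint(match.group("src"))
    dst_ip, _ = split_endpoint(match.group("dst"))
    return f"{line.rstrip()}  [{src_ip} -> {lookup(src_ip)}; {dst_ip} -> {lookup(dst_ip)}]"


def annotate_stream(lines):
    return [annotate(line) for line in lines]


# Constructed sample output, shaped like what `tcpdump -nl` prints.
SAMPLE_LINES = [
    "12:00:01.000001 IP 203.0.113.5.443 > 192.168.1.10.51234: Flags [S.], seq 0, ack 1, win 65535, length 0",
    "12:00:01.000002 IP 192.168.1.10.51234 > 198.51.100.7.53: 1234+ A? example.net. (29)",
    "12:00:01.000003 IP6 2001:db8::1.443 > fe80::1.40000: Flags [P.], seq 1:100, ack 1, win 512, length 99",
    "12:00:01.000004 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28",
]

if __name__ == "__main__":
    # Real-time use: sudo tcpdump -nl -i eth0 | python3 geo_annotate.py
    for raw in sys.stdin:
        print(annotate(raw), flush=True)
```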



Live Software Patching

I just attended a presentation from Arista outlining their platform. One thing that really caught my eye was the ability to do live software patching, where the data plane will continue to pass traffic during a software update. Has anyone had any experience with how well this works? Do any of the Cat 9000 series switches have this capability?



Good way to learn basic networking principles for web development

Hi everyone,

I'm a front-end developer with 1-2 years of experience trying to get into the backend field. I've been learning Golang for the last month and now I've started building some very basic web apps using it.

The issue is that I'm not really confident with my networking concepts, so although I've been building HTTP web servers using Golang, a lot of the stuff like TCP/IP, HTTP, ports, protocols is like a foreign language to me.

What would be the right way to learn the basics of networking? Any useful resources like blogs or lectures are also welcome.

Thanks for the help in advance.



Mobile internet: are TCP ACKs being sent by network provider?

I'm new to this sub so first of all I'd like to apologise in advance if this is not the correct place for this type of question or if it has been asked before (I couldn't see any questions like this however).

I have an interesting issue. I noticed while working on a Python script that I could establish a connection to the MongoDB TCP port 27017 on servers that do not have MongoDB running, but no data was sent from the server over the connection once established. I then noticed that I could connect to any port on any server! For example, www.google.com:12345 connects just fine using nc. Furthermore, nmap -p12340-12350 www.google.com. shows every port in the range as open. I know this is not the case; trying to connect from another server to any of these servers fails as expected.

I currently have to use a mobile phone for my Internet connection, so I am wondering if this is something that mobile service providers are known to do?

I ran Wireshark while connecting to www.google.com:12345 and the expected TCP SYN/ACK handshake was observed from my client to Google's server at 172.217.20.4, so from that perspective it looks as though this server was indeed responding to my TCP SYN for port 12345. Is it possible that the mobile service provider is pre-emptively sending the rest of the handshake, perhaps to give the illusion of faster connections? The SYN/ACK response was extremely quick, a single millisecond, which makes me think that it didn't come from Google's own server.

For reference I am in Croatia using Bonbon as the service provider and I am running Ubuntu Linux 19.04 (tethered).
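A way to test the suspicion in the post from the client side, as an added example not from the poster: time handshakes to a handful of high ports on a host you control and compare them against the plain round-trip time to that host; a SYN/ACK from every port, each arriving far faster than a packet could reach the real host, points at a transparent TCP proxy in the provider's path rather than at the server. The host names, ports and timings below are constructed, and the baseline is assumed to come from an ICMP echo to the same host.

```python
import socket
import time
from dataclasses import dataclass


@dataclass
class Probe:
    host: str
    port: int
    accepted: bool   # True if the TCP handshake completed (a SYN/ACK came back)
    rtt_ms: float    # SYN -> SYN/ACK time as seen by the client


def measure_handshake(host, port, timeout=3.0):
    """Time one TCP handshake to a host you control and return a Probe."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            accepted = True
    except OSError:          # refused, unreachable or timed out
        accepted = False
    return Probe(host, port, accepted, (time.monotonic() - start) * 1000.0)


def assess(probes, baseline_rtt_ms, rtt_ratio=0.25, min_ports=3):
    """Classify each probed host.

    baseline_rtt_ms is the round-trip time you expect to the real host (for
    example from an ICMP echo). Two independent signals are combined:
      1. every probed port accepted the handshake (random high ports on a
         real host should mostly be closed), and
      2. every SYN/ACK arrived far faster than the baseline (a proxy inside
         the provider's network answers before a packet could reach the host).
    """
    by_host = {}
    for probe in probes:
        by_host.setdefault(probe.host, []).append(probe)

    verdicts = {}
    for host, host_probes in by_host.items():
        accepted = [p for p in host_probes if p.accepted]
        reasons = []
        if len(host_probes) >= min_ports and len(accepted) == len(host_probes):
            reasons.append(f"all {len(host_probes)} probed ports accepted the handshake")
        if accepted and all(p.rtt_ms < baseline_rtt_ms * rtt_ratio for p in accepted):
            fastest = min(p.rtt_ms for p in accepted)
            reasons.append(f"SYN/ACK in {fastest:.1f} ms against a {baseline_rtt_ms:.1f} ms baseline")
        if len(reasons) == 2:
            verdict = "transparent proxy likely"
        elif reasons:
            verdict = "inconclusive"
        else:
            verdict = "consistent with end-to-end TCP"
        verdicts[host] = (verdict, reasons)
    return verdicts


# Constructed observations (not real measurements): a tethered mobile path where
# every port answers in about 1 ms, a direct path where the ports are closed,
# and a host whose ports really are all open but answer at the normal RTT.
SAMPLE_PROBES = (
    [Probe("www.example.net", p, True, 1.0 + 0.1 * i) for i, p in enumerate(range(12340, 12345))]
    + [Probe("lab.example.net", p, False, 38.0) for p in range(12340, 12345)]
    + [Probe("honeypot.example.net", p, True, 39.0) for p in range(12340, 12345)]
)

if __name__ == "__main__":
    for host, (verdict, reasons) in assess(SAMPLE_PROBES, baseline_rtt_ms=40.0).items():
        print(f"{host}: {verdict}" + (" (" + "; ".join(reasons) + ")" if reasons else ""))
```

On such a path a port scan says nothing about the real server, while TLS still authenticates the endpoint it finally reaches, so certificate checks remain the meaningful test.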



Why would my work's IT guy think he can't run data and voice over the WiFi?

I don't do IT here, so I don't know what their setup is like. They don't have a lot of the kinds of tech they should (Excel spreadsheet to manage orders/customers instead of a DB).

I was watching the do everything guy string some cat5 and asked why he was bothering if they have WiFi coverage. He said they can’t do data and voice over the WiFi.

I just wanted to know if there’s any good reason for this. They don’t need lots of bandwidth or anything. Just emails and web surfing mainly.

Edit: we have 6 people in the building with desks.



Policy Based Routing

Hi All,

I have a Ubiquiti Edgemax Pro.

I have 3 IPsec/GRE tunnels set up with OSPF running. Works great.

However, I have set up PBR routing to go over one of the GRE links as a next hop, and it works a treat!

However, if I disable that tunnel, OSPF kicks in and flips all the routes over to the next best route (works fine), but the clients with PBR applied start using the main routing table, which goes out directly to the internet. This is most likely by design, understood.

If I re-enable the tunnel, OSPF again kicks in and changes the routes back! Great! However, the PBR doesn't change and the devices carry on using table main and the local ISP internet.

What are the commands I need to run in order to reset the routing? I have tried flushing conntrack to no avail.

In order to get the PBR routes back I have to restart the router. Annoying.

I have put this on the UBNT forums, but I wanted to get it out there on Reddit as well, as I know there are some good guys on the networking forums on Reddit.

Cheers all!

Craig



Edge Router

I'm looking for a reasonably priced edge router that will do full tables, say 4 feeds.

It doesn't have to do much in terms of throughput. I'm only looking for 2-4x 1Gb lines.

Can anyone point me in the right direction?
I see the Ciscos are still priced ridiculously high, so I'll avoid them like the plague.



BGP between multiple peers

Hello,

My current situation with BGP and multiple peers: Me is A

Internet -> C -> B -> A

This is the current situation; that is how the traffic/route gets to me. But indeed I also have a direct peer:

Internet -> C -> A. So it can actually go Internet -> C -> A, but based on the current situation and without a special community or local preference, it goes this way: Internet -> C -> B -> A

But I want to have Internet -> C -> A without affecting B -> A (which would become B -> C -> A, which I don't want to happen unless the connection is down). Should I look at BGP community, or local preference? Currently I want to get the right direction for solving this problem.

Thanks for your help.

EDIT: Seems my question is not clear enough, so I explain more here: B is actually transit, C is actually an IX. So A (me) and B both have peers to this IX (C). The real problem is that I don't want the traffic from C that goes through B and then to me. May try prepending.
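To see why local preference and communities answer different questions here, an added model of the BGP decision process (not from the poster or any vendor): C chooses between the path it learns from A directly and the one it learns via B, and A's own LOCAL_PREF never enters that choice. ASNs, prefix and router IDs are constructed, MED comparison is simplified to always-compare-med, and C is treated as an AS that makes its own decision rather than a transparent route server.

```python
from dataclasses import dataclass

# Constructed private ASNs for the post's three parties: A = me, B = transit, C = IX peer.
AS_A, AS_B, AS_C = 65001, 65002, 65003
PREFIX = "192.0.2.0/24"   # documentation prefix standing in for A's announced space

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    neighbor: str          # label of the neighbour that advertised the path
    as_path: tuple         # AS_PATH as seen by the receiving router
    local_pref: int = 100  # assigned by the *receiving* AS's inbound policy
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    router_id: str = "0.0.0.0"


def best_path(paths):
    """Pick the winner with the standard decision order: highest LOCAL_PREF,
    shortest AS_PATH, lowest ORIGIN, lowest MED, eBGP over iBGP, lowest router ID.
    Simplification: MED is compared across all neighbours (always-compare-med)."""
    def rank(p):
        return (-p.local_pref, len(p.as_path), ORIGIN_RANK[p.origin], p.med,
                0 if p.ebgp else 1, tuple(int(o) for o in p.router_id.split(".")))
    return min(paths, key=rank)


def paths_seen_by_c(prepend_to_c=0, prepend_to_b=0, c_prefers_b=False):
    """What C learns for PREFIX: directly from A over the IX, and via B, which
    re-advertises what A sent it. Prepends are applied by A on the respective
    session; c_prefers_b models C giving its customer B's routes a higher LOCAL_PREF."""
    direct = Path("A", (AS_A,) * (1 + prepend_to_c), router_id="10.0.0.1")
    via_b = Path("B", (AS_B,) + (AS_A,) * (1 + prepend_to_b),
                 local_pref=200 if c_prefers_b else 100, router_id="10.0.0.2")
    return [direct, via_b]


def paths_seen_by_a(prefer_ix=False):
    """A's outbound choice for a default route learned from transit B and IX C.
    A LOCAL_PREF set by A steers only this direction."""
    from_b = Path("B", (AS_B,), router_id="10.0.0.2")
    from_c = Path("C", (AS_C,), local_pref=200 if prefer_ix else 100, router_id="10.0.0.3")
    return [from_b, from_c]


if __name__ == "__main__":
    print("C, no policy:                ", best_path(paths_seen_by_c()).neighbor)
    print("C, A prepends x3 toward B:   ", best_path(paths_seen_by_c(prepend_to_b=3)).neighbor)
    print("C prefers B, A prepends x3:  ", best_path(paths_seen_by_c(prepend_to_b=3, c_prefers_b=True)).neighbor)
    print("A outbound, IX gets pref 200:", best_path(paths_seen_by_a(prefer_ix=True)).neighbor)
```

Prepending toward B only helps while C ranks both paths at the same LOCAL_PREF; once C prefers the route from B, the AS_PATH length is never consulted, and only a policy on C's side (or a community B honours) changes the inbound path.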



Leaf-and-Spine Fabrics versus Fabric Extenders

Hi all!

We are using N7k with FEX architecture and sooner or later we're going to move on to N9k. Our architect team was choosing between the classic scheme with FEX and leaf-and-spine. They chose FEX over leaf-and-spine. That's it: put 1-2 FEX on top of every rack and connect them to the Nexus. Done! Pretty simple. But are they right about their decision?

P.S. our datacenter is split into two locations on the same floor and basically consists of several enclosures and rack servers (about 10-12 racks of equipment).



Using EEM Scripts on the Nexus 9k

Hi All

I just wanted to get some feedback on using EEM scripts on the 9Ks to take corrective actions automatically. Some people look at EEM scripts as a crutch because NX-OS doesn't have inbuilt capabilities.

For example, ACI natively has port-tracking capabilities, but under the hood it's just a bunch of scripts to monitor the spine links and shut down host ports in the event of both uplinks failing. I've implemented the same functionality using EEM scripts on NX-OS.

Is there any better way to perform the same function without EEM scripts for port tracking? Not sure if there's a trick I'm missing.



Testing a VPN out

I'm currently trying out Surfshark since it seems to have good reviews and offers a free trial period. I've run some tests on dnsleaktest.com and ipleak.net, and they seem to come back with the correct IP, and DNS server matching the location of the server. To the VPN experts out there: is there anything else I should be testing?



OpenVPN client failed to connect to server, may it be because of the Chinese Great Firewall?

Hi,

Right now I don't have an issue with using a personal VPN; however, my internship assignment is to establish a secure tunnel between a client and a server using OpenVPN, from a Windows server to an OpenWrt router.
Trying to establish the connection, I faced the following error:

```
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
```

I am unsure if this is due to some mistakes I made in the configuration or if it's because of the firewall. According to this post, it's because of the firewall:

https://serverfault.com/questions/479892/openvpn-tls-key-negotiation-failed

But the mentioned error is very and could have dozens of other reasons and the answer is a bit dated and doesn't have many upvotes.

So is it my bad or because of the Firewall?

I doubt it helps much (since it's either because of the firewall or not, and I am not asking you to solve my issue if I indeed made a mistake in the configuration), but here is my configuration/log anyway.

Thank you for your time!

Logs from the Server

```
Fri May 17 15:47:57 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Fri May 17 15:47:57 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Fri May 17 15:47:57 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Fri May 17 15:47:57 2019 Diffie-Hellman initialized with 2048 bit key
Fri May 17 15:47:57 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 17 15:47:57 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 17 15:47:57 2019 interactive service msg_channel=0
Fri May 17 15:47:57 2019 ROUTE_GATEWAY 192.168.2.1/255.255.255.0 I=17 HWADDR=54:ab:3a:9b:db:b4
Fri May 17 15:47:57 2019 open_tun
Fri May 17 15:47:57 2019 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{955EC4CC-EDF2-4989-B9D9-444B469FCA00}.tap
Fri May 17 15:47:57 2019 TAP-Windows Driver Version 9.21
Fri May 17 15:47:57 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.1/255.255.255.252 on interface {955EC4CC-EDF2-4989-B9D9-444B469FCA00} [DHCP-serv: 10.8.0.2, lease-time: 31536000]
Fri May 17 15:47:57 2019 Sleeping for 10 seconds...
Fri May 17 15:48:07 2019 Successful ARP Flush on interface [16] {955EC4CC-EDF2-4989-B9D9-444B469FCA00}
Fri May 17 15:48:08 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri May 17 15:48:08 2019 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.2
Fri May 17 15:48:08 2019 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=6 and dwForwardType=4
Fri May 17 15:48:08 2019 Route addition via IPAPI succeeded [adaptive]
Fri May 17 15:48:08 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri May 17 15:48:08 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Fri May 17 15:48:08 2019 UDPv4 link remote: [AF_UNSPEC]
Fri May 17 15:48:08 2019 MULTI: multi_init called, r=256 v=256
Fri May 17 15:48:08 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Fri May 17 15:48:08 2019 IFCONFIG POOL LIST
Fri May 17 15:48:08 2019 Initialization Sequence Completed
Fri May 17 15:04:45 2019 Initialization Sequence Completed
```

Logs (with a verbose of 5) from the Client

```
root@OpenWrt:/etc/openvpn# openvpn vpnclient.conf
Fri May 17 15:00:17 2019 us=79513 OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri May 17 15:00:17 2019 us=79724 library versions: OpenSSL 1.1.1b 26 Feb 2019, LZO 2.10
Fri May 17 15:00:17 2019 us=80041 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri May 17 15:00:17 2019 us=86033 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 17 15:00:17 2019 us=86246 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 17 15:00:17 2019 us=86793 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Fri May 17 15:00:17 2019 us=87043 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Fri May 17 15:00:17 2019 us=87316 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Fri May 17 15:00:17 2019 us=87434 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Fri May 17 15:00:17 2019 us=87652 TCP/UDP: Preserving recently used remote address: [AF_INET]36.17.55.143:1194
Fri May 17 15:00:17 2019 us=87807 Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri May 17 15:00:17 2019 us=87918 UDP link local: (not bound)
Fri May 17 15:00:17 2019 us=88034 UDP link remote: [AF_INET]36.17.55.143:1194
WWWWWFri May 17 15:01:17 2019 us=391256 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri May 17 15:01:17 2019 us=391462 TLS Error: TLS handshake failed
Fri May 17 15:01:17 2019 us=391970 TCP/UDP: Closing socket
Fri May 17 15:01:17 2019 us=392172 SIGUSR1[soft,tls-error] received, process restarting
Fri May 17 15:01:17 2019 us=392316 Restart pause, 5 second(s)
```

Server config

```
#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh2048.pem 2048
dh dh2048.pem

# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
;topology subnet

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses.  You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC

# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push "compress lz4-v2"

# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1
```

Client config

root@OpenWrt:/etc/openvpn# vim vpnclient.conf

```
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 36.17.XXX.XXX 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key

# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
#   digitalSignature, keyEncipherment
# and the extendedKeyUsage to
#   serverAuth
# EasyRSA can do this for you.
;remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 5

# Silence repeating messages
;mute 20
```
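A small triage script, added here and not part of the original post, that runs the two checks a defender would do first on the logs and configs above: whether the server config can produce what the client's "Expected Remote Options String" demands, and whether the server log shows any trace of the client's first packet. The log and config fragments are constructed from the post's values, with the server address replaced by the placeholder 203.0.113.10.

```python
"""Triage an OpenVPN 'TLS key negotiation failed' timeout (added example).

Check 1: does the server config satisfy the client's Expected Remote Options String?
Check 2: does the server log show the client's packet arriving at all?
Inputs below are constructed from the post; 203.0.113.10 is a placeholder address.
"""
import re

# Constructed: the decisive client log lines (verb 5).
CLIENT_LOG = """\
Fri May 17 15:00:17 2019 us=80041 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri May 17 15:00:17 2019 us=87434 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Fri May 17 15:00:17 2019 us=88034 UDP link remote: [AF_INET]203.0.113.10:1194
WWWWWFri May 17 15:01:17 2019 us=391256 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri May 17 15:01:17 2019 us=391462 TLS Error: TLS handshake failed
"""

# Constructed: the active directives of the post's server config.
SERVER_CONF = """\
port 1194
;proto tcp
proto udp
dev tun
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
;comp-lzo
verb 3
"""

# Constructed: the server log after startup, with no incoming-packet lines at all.
SERVER_LOG = """\
Fri May 17 15:48:08 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Fri May 17 15:48:08 2019 Initialization Sequence Completed
"""

def parse_server_conf(text):
    """Map directive -> args for active lines; ';' and '#' introduce comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        conf[name] = args
    return conf

def parse_options_string(log_text):
    """Client's Expected Remote Options String as {key: value}; bare flags map to ''."""
    m = re.search(r"Expected Remote Options String \(VER=V4\): '([^']*)'", log_text)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(",")[1:]:  # drop the leading 'V4'
        key, _, value = item.partition(" ")
        opts[key] = value
    return opts

def check_server_against_client(conf, opts):
    """Names of options where the server config cannot give the client what it expects."""
    bad = []
    want_proto = "udp" if opts.get("proto", "").startswith("UDP") else "tcp"
    if conf.get("proto", ["udp"])[0].split("-")[0].rstrip("46") != want_proto:
        bad.append("proto")
    if conf.get("dev", [""])[0].rstrip("0123456789") != opts.get("dev-type"):
        bad.append("dev")
    if conf.get("cipher", ["BF-CBC"])[0] != opts.get("cipher"):  # BF-CBC: OpenVPN default
        bad.append("cipher")
    if conf.get("auth", ["SHA1"])[0] != opts.get("auth"):  # SHA1: default auth digest
        bad.append("auth")
    if ("tls-auth" in opts) != ("tls-auth" in conf):
        bad.append("tls-auth")
    elif "tls-auth" in conf and conf["tls-auth"][-1] != opts.get("keydir"):
        bad.append("keydir")  # server must use direction 0, the opposite of the client's 1
    if ("comp-lzo" in opts) != ("comp-lzo" in conf):
        bad.append("comp-lzo")
    return bad

def triage(client_log, server_conf, server_log):
    """Return (verdict, findings); the verdict names the layer to inspect next."""
    opts = parse_options_string(client_log)
    mismatches = check_server_against_client(parse_server_conf(server_conf), opts) if opts else []
    findings = [f"server/client option mismatch: {m}" for m in mismatches]
    if "No server certificate verification method" in client_log:
        findings.append("client has no 'remote-cert-tls server'; add it (hardening, not the timeout's cause)")
    timed_out = "TLS key negotiation failed to occur within" in client_log
    # At verb 3 the server logs each client hello it receives ("TLS: Initial packet
    # from ..."); a wrong ta.key shows up as "cannot locate HMAC in incoming packet".
    if re.search(r"cannot locate HMAC|packet authentication failed", server_log):
        verdict = "tls-auth key"  # packet arrived, HMAC key or direction is wrong
    elif "Initial packet from" in server_log:
        verdict = "handshake"     # packet arrived; look at certificates and the reply path
    elif "proto" in mismatches:
        verdict = "config"        # UDP client against a TCP server, or vice versa
    elif timed_out:
        verdict = "path"          # nothing reached the daemon: firewall, NAT or port forward on UDP 1194
    else:
        verdict = "unknown"
    return verdict, findings
```

With the post's values the verdict is "path": the options all line up, the server never logs an incoming packet, so the firewall or NAT in front of UDP 1194 is the first thing to check.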


IXIA Explorer Networks Training Material

Hey Guys,

Let me ask about IXIA Explorer testing. Currently, I'm working as a field support network engineer. I always need to test network protocols and the network efficiency of routers & switches (especially DC) by using IXIA. I can learn different types of network protocols and other things, but I have no idea how to learn IXIA step by step. Can you share your experience on IXIA & training materials?



Patch panel naming. Does this seem correct

I’m the PM on a large data centre build out. The cabling vendor has named the EOR patch panels as follows

C#-R#-U#-P#

Fine it has all info we need EXCEPT the panel is named after its DESTINATION

So the cab 1, row 1 patch panel is named C3-R6-U5-P1 because that's where it terminates, and conversely C1-R1-U5-P5 is the panel in cab 3, row 6, etc.

Confused. Yep me too

So. Is this one of the many standards and options? I'm not bothered about the actual naming convention, it's more the fact that the panel is named after the opposite end, not where it physically is.

Also. I am a great advocate of labelling each end of the patch lead. Makes life easier. All they are doing is labelling each end in pairs rather than the true end.

So - number 1 to 3000. (Yes we have 3000 connections). I know. I have 1. Now to find its matching pair.

Comments please 😩



Thursday, May 16, 2019

10Gbe bench mark tools

Hey fellow networkers. What’s a good internal network benchmark to stress test/test multigigabit switching?



I have an interesting question

Anybody know how to get client probe information out of a WLC (8540)? Not associated clients but any device in the area.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.



Ansible on Windows 10 via WSL working without issue

http://bit.ly/30oLTc3

Flow-based synchronous routing

A client has two last-mile links to a CE router for redundancy. These links are currently running in active-passive configuration via BGP by simply:

  • Advertising a default route from the PE router towards the CE over both links.
  • The CE then applies an AS Prepend on inbound and outbound directions for the backup (passive) link to become least-preferred.

What concepts can I apply to achieve synchronous traffic routing between the client and the hosted application in our environment over the currently passive link, while all other services remain routed over the default link?

To technically achieve this, my initial thought was to statically route the application server's range over the backup link from the CE's perspective. This allows traffic sourced from the LAN destined for the application to be sent over the backup link. However, I am not finding a solution to ensure that the return path (source being the application and destination being the LAN) stays synchronous. This will follow the route advertised by the CE for the LAN range over the primary link. To combat this I thought of a policy-based route matching the source of the application and setting the next hop to the secondary link's P2P IP. However, it is not possible to adjust the next-hop of a packet in the outbound direction. I cannot apply this policy-based route on the incoming interface of the application as it is on a different PE router and therefore can't reach the theoretical next-hop.

A diagram depicting the above.

Otherwise my question is:

Is it possible to effectively route a "flow" of traffic (matching IPs/ports only) over one link?



Quick Question about Mellanox FW bin creation

Hi everyone, recently I've been having issues with my Mellanox ConnectX-2 card where it just spams my switch with a lot of spanning tree queries and gets the port blocked. After a lot of research, I found that the firmware on it could be the issue and I need to update to a newer one.

My problem is I have the files to generate the BIN file, but following the instructions at this link https://forums.servethehome.com/index.php?threads/mellanox-connectx-2-firmware.14350/#post-137727 I get the following error. I have looked up what the mic binary image creation tool is, and only something for Linux shows up. But pretty much every thread I've seen has people creating the bin file under Win10. So what is it I need to install for this to work?

```
PS C:\Program Files\Mellanox\WinMFT> .\mlxburn.exe -fw .\FW\fw-ConnectX2-debug.mlx -conf .\FW\MNPA19_A1-A2.ini -wrimage firmware-image.bin
-I- Generating image ...
-E- Image generation failed: -E- mic is not installed on this machine
child process exited abnormally
```

Thanks!



Dual-Homing an L2 switch to EVPN VTEPs

Afternoon, Everyone -

Looking for some guidance on a detail of an MP-BGP EVPN project that I'm working on.

I have some Layer 2 access switches that will be connecting to the EVPN fabric, and I'm trying to see if there are any considerations that I need to take into account.

Here is a simplified version of a section of the topology -- Red are L3 links, Blue are L2

With the 2960 sending broadcast traffic to three different VTEPs (two at a time - one 9200 and one 9300), how will the EVPN fabric respond?

If it's relevant, I'm planning to use ingress-replication rather than Multicast, if possible.



Cisco ISE 802.1x VOIP not clearing sessions

I am running into an issue where I have some Mitel and Cisco VoIP phones on the network authenticating with certificates, and the devices behind them also authenticate. When a device is unplugged from the phone, the access session and MAC address are still present on the switch. We are using Cisco switches, but per regulations we are not allowed to run CDP. I am doing some testing with subscriber aging timers. I was hoping to see if someone else was having the same issue and what resolution they came up with. Thanks



L2VPN EVPN over Segment Routing MPLS

My google fu is failing me; I can't find any documentation on whether this is supported on the Cisco Nexus 93180YC-EX. I've only found documentation on configuring EVPN Type 5, but nothing on Type 2. Does it take a more expensive device to support this feature?



Fiberstore fiber inspection scope?

I need a new fiber inspection scope. I found Fiberstore has some at what looks like reasonable prices. Does anybody know if they are any good?

I'm looking to get a scope with a video screen, either the 250x with an LCD screen or the 400x with USB to laptop.

Or should I look somewhere else? Suggestions?



Interrogating and troubleshooting IPSec VPNs

I have a love/hate relationship with IPSec VPNs. Setting up new ones isn't usually a problem -- just match the configurations and I'm done! But when configurations match but a new tunnel fails to come up, or I have to troubleshoot an existing tunnel, or I just need to interrogate an existing tunnel to figure out which phase 1 or phase 2 configuration it's using, then suddenly VPNs become my least favorite technology. I find myself asking: "Is the VPN tunnel using ISAKMP policy 100, 101, or 102?" "Is it using the transform set with AES 128 and SHA, or the one with AES 256 and SHA256?" These questions are harder to answer when the VPN device has many policies and transform sets, custom lifetimes, and so on. It's even more daunting on Cisco ASAs and ISRs where the configuration is sprawled all over the running-config and nested together.

I'm trying to figure out...

  • What encryption algorithm an existing tunnel is using
  • What ISAKMP policy is it using
  • What hashing/integrity algorithm an existing tunnel is using
  • What DH group an existing tunnel is using
  • What lifetime does an existing tunnel have configured, and whether the lifetime is based on time or bytes transmitted
  • Whether the VPN is using PFS
  • Whether the VPN is using IKEv1 or IKEv2
  • Whether one VPN peer is rekeying out of sync with the other

I already know how to...

  • Isolate the IP address of the VPN peer that I'm troubleshooting
  • Get the crypto map associated with that peer, which then helps me get the ACL associated with the peer
  • Partially read the output of "show crypto isakmp," "show crypto ipsec sa," "show vpn-sessiondb," "debug crypto ..."

I know how to get this information from the running-config, but not the operational state of the tunnel (e.g. using "show" commands). I figured the answer to my question is hidden within the output of those "show crypto ..." commands...maybe I haven't hit "?" enough or I haven't read enough!

Thanks!



Firepower FTD/FMC 2140 Out of date config on 1 device

Has anyone seen a section or command where you can compare un-deployed configuration changes for the Access Control --> Access Control Policy against the running config? I am the only admin for our firewall, but I see that yesterday my firewall had a config change modified by "Firepower System" but it doesn't tell me what was changed. How do I know what I am deploying? Running 6.2.3 on the FMC and 6.2.2 on the FTD.



WAN learning resources

I recently earned my CCNA, but I still feel very uncomfortable with WAN technologies. I'm pretty comfortable with LAN stuff like IGPs, switching, etc. but I feel like MPLS, IPsec, GRE tunnels, EoMPLS, and the like are my major weak points right now, and it's definitely worrying me a bit. I feel like a lot of explanations I've seen cut out a lot of details with a big drawing of a cloud in between LANs, so that kind of obscures things, but maybe I'm looking into it too deeply. Any recommendations for resources to learn about WAN technologies in detail would be greatly appreciated!



Cisco 5K virtualization

Does anybody know if it's possible to virtualize a Cisco 5K switch in a VM?

I am aware that Cisco offers emulation software, but I'm not sure how to virtualize a Cisco switch in a VM.

Any related links would be appreciated. Thanks



PRTG on Juniper aggregate interfaces

Sorry if I shouldn't post this here but PRTG Reddit isn't very active. Anyway, when I monitor an aggregate interface (traffic sensor) in PRTG on a Juniper EX switch (ae0 for example) the bandwidth isn't correct at all. It's showing .01 Mb/s even though I know it should be much higher than that. Does anyone use PRTG and monitor ae interfaces on Juniper gear?

Thanks!



Looking for advice on active monitoring solutions for an ISP network

I work for an ISP in Europe, your typical 4P provider (cable company).

In the last couple of years we've had some outages/problems that weren't visible with passive monitoring tools.

I'm looking into active monitoring solutions in addition to our more traditional SNMP polling.

In short, I would like:

  • Connect probe devices to our P, PE routers and DC gateways (around 150 devices)
  • Configure partial or full mesh continuous measurements (mapping on our topology)
  • Basic metrics would be: latency, packetloss
  • Bonus metrics: video quality, voice quality (MOS), page load speeds (DNS resolving, HTTP performance)
  • Alerting via API or SNMP traps
  • Provisioning via API
  • Easy deployable probes, preferably vendor supported hardware
  • We are looking to spend money on this, we need a proper solution with vendor support.
  • What I'm not looking for is application monitoring or analytics on our user traffic.

I've come across these solutions/vendors:

ThousandEyes

Ixia HawkEye

Accedian SkyLIGHT

Netrounds

AppNeta

NetBeez

Uila

Does anyone have some real-life experience with one of the above solutions? What is your experience so far?

Or if anyone has other solutions/vendors/insights, I'm eager to learn more...



Performing a technical interview

I'm being asked to sit in for some technical interviews with some job candidates tomorrow. I'm our current most senior network engineer, but I've never sat on the other side of the interview for this level of position. I started in my company in a jr position and have been moved up to where I am internally, so I don't have a great idea of what to ask or how to run such an interview that's beyond just the JR level.

What kind of questions should I be asking to make sure the candidate is a good fit for our environment? I don't want to be the guy who asks a bunch of "gotcha" questions, or comes across as asking questions that are about showing off my knowledge of a particular area. I want to be able to figure out if the candidates will be able to perform the duties, have a decent understanding of the technologies we are using, and have the competency to learn about the areas they are weak in that are part of our environment, as well as their design and troubleshooting skills.



Dealing with ISPs/leased-line provider support

Hi r/networking,

Hopefully this doesn't fall under 'early career advice' and is a reasonable question.

To make a long story short, part of my job role is liaising with our clients' ISPs and leased-line providers during circuit outages, and more often than not I feel like I am getting the run around because I don't know how to put the pressure on these big companies to give us the support we need.

Example (the situation I am currently dealing with):

Leased-line down for 5 days and counting; the location has a DIA circuit that WAN connectivity can rely on when MPLS is down, so no user impact (yet). Opened a ticket with the provider (won't say who, one of the biggest providers in NA) requesting they troubleshoot and resolve. Was routed to a team of 'escalation engineers/managers' who seem to simply be running out the clock until their shift is over, and handing off to whomever is next in their follow-the-sun model. Worked with the customer to escalate the issue with their account managers at the provider; they were brushed off/re-assured that the issue is being worked on, just as I was when I escalated to them.

My question is, how would you handle this differently? What would you do to escalate this/light a fire under them so they are providing adequate support during an outage?

Thanks!



What is UBNT Hotspot 2.0 and can I use it for everything?

I'm trying to set up a solution for resident wireless, and what I'd like to do is have each room's devices talk to each other, but no one else. Obvious solution #1 is an SSID/VLAN/subnet per room, but Hotspot 2.0 on UBNT has an option for "Personal device network" that sounds like it might be exactly what I want. Problem? There's absolutely no documentation on what it is, how to set it up or what it does anywhere that I can find. I know it only recently stopped being a beta feature, but I feel like I should be able to find something on it somewhere. Anyone set it up or experienced with it? The only info I can find is some marketing-speak spiel about cellphones and billable services; I want it to just let me give a resident a login, have them use it for all their devices and let their stuff talk to each other but no one else.



TACACS with multiple AD domains?

We are using tacacsgui for AAA, authenticating against our corp AD. We have some users who will need to be able to authenticate but are not part of our AD (we merged with the company last year, but IT is still a mess).

tacacsgui uses this for its backend: http://www.pro-bono-publico.de/projects/tac_plus.html#AEN2318

Is it possible to configure it to use two different ADs? Otherwise we will configure them as local TACACS users, but it's not ideal.



Port 531

Is port 531 (like the port that AIM, mIRC, etc. used; I never was able to use AIM when I was a kid) even used for instant messaging in this day and age? Kind of a stupid question, but I thought I might just ask it anyway.



Anyone have a TEM they're happy with?

Considering offloading our WAN and Internet circuit ordering/auditing to a third party. I know there are companies that claim to do this at no (direct) cost to the client; is anybody using a service like this, and what has your experience been?



Different bandwidth consumption observed on different ISPs

While running a few tests on an online application, I have noticed that the bandwidth consumed by the application is very high (value X) on a certain ISP and quite normal (value Y) on another.

I checked with another team in a different location and they got value Y on their side. So, value X is definitely a wrong one, but I'm curious to understand why would it be so.

Things I know:
- Did a packet capture analysis on traffic from both ISPs, and the rate of retransmitted packets was quite large in the value X case. But it doesn't look large enough to cause a big difference in the bandwidth usage (X = ~2*Y).
- Checked the firewall and found no rules that could cause this.
- ISP 1's NOC team has also conveyed that the amount of traffic observed on their end matches the amount of traffic on ours. But they could not say why. I could not escalate this to the SOC without adding any more details.
- One of the network engineers told me that different ISPs have different routing paths set up, which can cause this.

I'd really appreciate it if anyone can help me understand why there would be such a difference running the same application on the same infrastructure on different networks.

Thanks



Cambium Networks APs, Worth a Try?

Has anyone here used Cambium APs in a large scale deployment like a warehouse environment? Are they worth trying out?

I'm interested in deploying to a warehouse with about 50 total Android RF Guns. I can literally buy four Cambium APs for every one Cisco 3802 when you factor in licensing. They are also willing to do a large POC with part of our warehouse to ensure it is the right fit.



Update: Since Friday have experienced multiple power/network failures. 95% back, can't get *some* Macbooks onto Wireless

Friends - we have slayed the beast that was this issue!

So some updates before the final fix: in addition to MacBooks not being able to connect to the wireless, we discovered over time some Windows/Android/iOS devices that wouldn't connect to wireless, and finally this week we discovered several clients not connecting to wired.

Yes...this issue took over a week to resolve.

Was it a bad DHCP helper statement as /u/TastyNuggiez, /u/0xBEEFBEEFBEEF, /u/Jedi_Lucky, /u/pacodude78 predicted?

Was it VLANs as /u/BigPapaGotti thought?

Spanning tree /u/Cableguy87 ?

Sadly...we'll never know. We rebooted the entire goddamn switch stack and everything resolved itself. I have to say, I've been doing desktop support for almost 10 years now and I've never seen an issue like this before.

The only thing I can think of is what /u/BaconEatingChamp, /u/cr0ft and /u/k-med were alluding to and that was the switch change in the stack that ended up causing...something. I can't tell you what that something was but fully rebooting the entire stack fixed all our issues.

My guess is, between the two unintended power outages and the failure of the switch and installing the new switch something got corrupted in a config or port somewhere. But the fact that **some** clients worked just fine the whole time and others didn't? Strange shit.

Thank you to all for your input and suggestions, I wish I had a true root cause for you to digest but for now, we get to be satisfied with the fact that no matter what level of technology we're dealing with, sometimes we just need to turn it off, then back on again.



Cisco Nexus 93180YC-FX to Meraki MX400: PVST+/RSTP?

Hoping this is the right place for this, if not, apologies. This might be a long one, but as a first post here, I'm trying to follow the rules and provide as much detail as is relevant/possible.

I'm not an incredibly experienced network admin, but was recently tasked with replacing our infrastructure's core switch (a single WS-C3750X-24) with two 93180YC-FXs in a vPC configuration.

I was only assigned to this after the hardware had already been decided on and purchased and have since been communicating with the team that sold us the equipment in an attempt to make this work.

The intention was to have a redundant connection between this vPC domain and two Meraki MX400s (in HA using VRRP/warm standby/active-passive/whatnot) acting as a gateway to our ISP; however, I found that the MX400s do not support LACP, which killed that idea shortly after. (LACP being a requirement to participate in connecting to a vPC as a member port, to my understanding.)

In an attempt to salvage the redundancy, it was suggested by our partner that we rely on spanning tree to properly block a portion of the connections between all four devices, with each uplink being an orphan port in the vPC.

It was discovered shortly after this that the MX400s do not actively participate in spanning tree. Not having a lot of experience in this level of networking, it appears to me that they pass BPDUs but do not participate in the election process? (I'm sure this is incorrect to some level, but I'm having trouble determining details.)

At this point, we decided to move forward with the replacement, but to only provide a single Nexus 9k with an uplink to the two MX400s at this time. This was an attempt to see if spanning tree from the switch could properly deal with the potential loop between MX A, MX B and 9k A.

This is where things got a bit odd.

I could see PVST+/RST frames coming across the LAN 2 port on the MX400-A and B, but both ports on the Nexus 9k were still listed as BKN* under a "show spanning-tree".

So we trimmed everything back to just a single link between the MX400-A and the Nexus 9300-A.

At this point, connectivity was still not up, the same spanning tree frames were showing up in a packet capture off the MX400's LAN port, and the Nexus 9k port was still shown as broken.

During all of this, the VPC keep-alive and peer links were up and functioning, but not applied. (Just noting in case it's relevant)

"spanning-tree vlan [vlan-ids] root primary" was used to try and ensure that the switch was set as the root bridge.

Since this was my first attempt working with an NX-OS device, I'm sure it's something in the STP options on the 9300 that I'm missing, but I'm having trouble narrowing down what to do with these switches to make this uplink possible.

Copying some portions of the config below:

interface Ethernet1/47
  description **Datacenter MX A**
  switchport mode trunk
  spanning-tree port type normal
  no shutdown

interface Ethernet1/48
  description **Datacenter MX B**
  switchport mode trunk
  spanning-tree port type normal
  no shutdown

Core_9300_A# show spanning-tree summary
Switch is in rapid-pvst mode
L2 Gateway STP is disabled
Port Type Default is network
Edge Port [PortFast] BPDU Guard Default is disabled
Edge Port [PortFast] BPDU Filter Default is disabled
Bridge Assurance is enabled
Loopguard Default is disabled
Pathcost method used is short
STP-Lite is disabled

At the moment everything has been rolled back to the 3750, so I'm unable to gather live information for troubleshooting any further.

Are there any other portions of the NX-OS config that might help with troubleshooting before attempting another migration?

If anyone can offer any assistance or insight into this on either the Meraki MX or Nexus side it would be greatly appreciated.

Thanks



Cisco Learning Credits on SmartNet Renewals

Morning, all -

Getting ready for this year's SmartNet renewal, and was curious if any of you guys normally get learning credits on SmartNet renewals? Or only with hardware purchases?

If you've gotten them, can you share your number of learning credits per X dollars for SmartNet renewals?



Energy consumption for wired vs wireless

I'm looking for information on power consumption (overall) of wired networks vs wireless networks. I'm wondering if a move toward an All (or More) Wireless Office would bring significant savings. I can't seem to find anything online about this, but then I can't imagine being the first to ask the question either.

Has anyone seen any numbers on this?



Who's using Cumulus on an Onie or whitebox switch for edge routing?

I'd like to hear people's experiences using Cumulus Linux for bgp peering at their edge. How many peers do you have? Redistributing to IBGP? How many routes learned (after any inbound filtering)? What kind of hardware? Experience any snafus that couldn't be worked around? How well do communities, prefix/path filtering, and MEDs work for you? Any incompatibilities with Cisco or Juniper peers?

I'm about to configure a fully-redundant peering mesh between two PAN FWs speaking IBGP to two L3 switches (Dell S4048-ON, capable of ~128K routes each), each speaking with two independent upstream ISPs. I plan to take a full BGP view from all upstreams, but discard routes that originate outside of North America (99% of our traffic involves customers and partners in North America), or more than 2 AS hops away, or have a prefix longer than /20, giving us approximately 16,000-20,000 prefixes per peer. We'll use weighted default routes for everything else.
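
The inbound policy described in the last paragraph, modelled as an added example (not the poster's config and not Cumulus/FRR code): prefix-length, AS-hop and origin-region checks applied to constructed route data. The ASNs, prefixes and the origin-to-region table are assumptions standing in for the RIR/geo data you would actually load.

```python
import ipaddress

# Assumed origin-AS -> region table; in production this comes from RIR data.
ORIGIN_REGION = {64496: "NA", 64497: "NA", 64498: "EU", 64499: "APAC"}

MAX_PREFIX_LEN = 20   # discard anything longer than /20
MAX_AS_HOPS = 2       # discard anything more than two AS hops away


def as_hops(as_path):
    """Count distinct adjacent ASes on the path. AS prepending repeats the
    same ASN, which inflates len(as_path) but adds no real hop, so collapse
    consecutive repeats before counting."""
    hops, prev = 0, None
    for asn in as_path:
        if asn != prev:
            hops += 1
        prev = asn
    return hops


def accept(prefix, as_path):
    """Decide one received route; returns (accepted, reason)."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen == 0:
        # A default learned from an upstream would fail the origin check
        # below, so it needs an explicit permit if you want it via BGP.
        return True, "default route"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, "prefix longer than /%d" % MAX_PREFIX_LEN
    if not as_path:
        return False, "empty AS_PATH"
    if as_hops(as_path) > MAX_AS_HOPS:
        return False, "more than %d AS hops" % MAX_AS_HOPS
    origin = as_path[-1]
    if ORIGIN_REGION.get(origin) != "NA":
        return False, "origin AS %d outside North America" % origin
    return True, "ok"


def apply_policy(routes):
    """Filter (prefix, as_path) tuples; returns accepted prefixes in order
    and a count of rejections per reason."""
    kept, rejected = [], {}
    for prefix, path in routes:
        ok, why = accept(prefix, path)
        if ok:
            kept.append(prefix)
        else:
            rejected[why] = rejected.get(why, 0) + 1
    return kept, rejected


# Constructed sample, as a single upstream (AS 64500) might announce it.
SAMPLE_ROUTES = [
    ("198.51.96.0/20", [64500, 64496]),                  # accepted
    ("198.51.100.0/24", [64500, 64496]),                 # too long
    ("203.0.112.0/20", [64500, 64500, 64500, 64497]),    # prepends, still 2 hops
    ("100.64.0.0/20", [64500, 64496, 64498]),            # three real hops
    ("203.0.96.0/20", [64500, 64499]),                   # origin outside NA
]

if __name__ == "__main__":
    kept, rejected = apply_policy(SAMPLE_ROUTES)
    print("accepted:", kept)
    print("rejected:", rejected)
```

Two details worth carrying over to the real route-map: count hops on the collapsed path, otherwise any upstream that prepends to steer traffic loses all of its routes to the hop limit; and decide up front whether the default comes from the upstreams or is static, because a BGP-learned default has the upstream's own AS as origin and is rejected by the region test unless it is permitted first.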



Load Balancing on Port-Channel

Hello r/networking

Our Datacenter has recently been running into problems with some extraordinary traffic. And I was hoping to find others who are experiencing these problems or something similar.

We've had a massive SAS job run, which has generated some heavy traffic.

While doing real-time polling with SolarWinds, we found that a single link in a port-channel has been responsible for 99.5% of all discards, as well as having full link utilization, while the 3 other links have about 33% utilization.

These discards are usually during microbursts of data, but they result in huge issues as the retransmissions create latency on our storage, causing several VMs to drop their drives and malfunction.

So the question is: do you have any recommendation on how to deal with these microbursts? My colleagues have divided themselves into two camps, either saying "That's just how L2 port-channels will treat the traffic, sending flows, not load balancing the packets; we need I/O control", while others say that we should route it at L3, and that would allow us to utilize better load balancing on these links.

Mods: I'm sorry in advance if this breaks any rules. And while I'm certified, it's only in CCNA Routing & Switching, so I'm fairly new to this data center position. I will do my best to provide any needed information.
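
An added example (not from the post, and not any vendor's ASIC hash) of why one big flow pins one member link: port-channel and ECMP load sharing hash the flow's header fields to pick a link, so every packet of a flow lands on the same member no matter how many links the bundle has. The hash function and the traffic mix below are constructed.

```python
import hashlib
import random

MEMBER_LINKS = 4


def member_for(src_ip, dst_ip, src_port, dst_port, proto=6):
    """Pick a member link for a 5-tuple. Real switches use a vendor hash over
    whichever fields 'port-channel load-balance' selects; what matters is that
    the choice is deterministic per flow, not per packet."""
    key = "%s|%s|%d|%d|%d" % (src_ip, dst_ip, src_port, dst_port, proto)
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % MEMBER_LINKS


def distribute(flows):
    """flows: list of ((src_ip, dst_ip, sport, dport), bytes).
    Returns bytes carried per member link."""
    load = [0] * MEMBER_LINKS
    for tup, nbytes in flows:
        load[member_for(*tup)] += nbytes
    return load


def busiest_share(load):
    """Fraction of all bytes carried by the most loaded member."""
    total = sum(load)
    return max(load) / total if total else 0.0


def split_flow(tup, nbytes, streams):
    """The usual remedy: send the same data as several parallel streams
    (distinct source ports) so the hash has something to spread."""
    src_ip, dst_ip, sport, dport = tup
    return [((src_ip, dst_ip, sport + i, dport), nbytes // streams)
            for i in range(streams)]


# Constructed traffic: 200 small flows ('mice') plus one large SAS stream.
rng = random.Random(1)
MICE = [(("10.0.1.%d" % rng.randint(1, 200), "10.0.2.%d" % rng.randint(1, 200),
          rng.randint(1024, 65535), 445), 1_000_000) for _ in range(200)]
ELEPHANT = [(("10.0.1.10", "10.0.2.20", 50000, 445), 200_000_000)]

if __name__ == "__main__":
    print("mice only        :", distribute(MICE))
    print("mice + elephant  :", distribute(MICE + ELEPHANT))
    print("elephant split 8 :", distribute(MICE + split_flow(ELEPHANT[0][0], 200_000_000, 8)))
```

Routing the same traffic at L3 does not change the outcome: ECMP across equal-cost paths is also hashed per flow by default, so a single elephant flow still lands on one path. What spreads it is more flows (parallel streams, SMB multichannel or iSCSI MPIO on the storage side), a faster single member, or enough buffer and queueing on the receiving side to absorb the microbursts instead of discarding them.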



Best Vendor for IoT Visibility

Forescout seems to make claims that they are the only company that can provide continuous visibility for IoT devices without SPAN port access due to their other techniques. Is this true? Are there other vendors that can match Forescout's agentless visibility offerings?



Issue with Checkpoint VPN

Hello everybody.

I have a client with users that use softphones. They work fine, but whenever the users are working from home through the VPN, the softphones don't work anymore.

The traffic is being blocked, and the description states the following: "Encryption Failure: according to the policy the packet should not have been decrypted"

So basically the firewall decrypted the packets, but it shouldn't have.

The remote user address pool is 172.16.150.0/24; I think this might be some form of overlap or an issue with the IP address range they have on their home network that we also have on that client's network.

Thoughts?



Problem with DHCP and 2 firewalls

Hi.

I am currently working on a firewall migration where I need both the new pfSense and the current Cisco ASA to keep running in the meantime. This means that our DHCP server is behind the ASA, but the clients behind the new pfSense need to get IPs from said DHCP server.

I have currently set up DHCP relay on the pfSense and also tried enabling it on the Cisco ASA, without any success. We built a transport network between the two firewalls, and we can ping between new clients and the old DHCP server, but can't seem to get an IP address. When doing ipconfig /renew we just don't get any response from the DHCP server.

I hope you can help.

Best regards

EDIT: I should mention that for testing purposes everything is opened on the firewall, and I also tried with specific rules to open UDP ports 67-68.
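
An added example (not the poster's setup, and not pfSense or ASA code) of the one thing a relay must do and the one thing the server needs: the relayed DISCOVER's giaddr has to carry the relay's interface address in the client subnet, and the server must have a scope covering that address or it silently ignores the request, which is exactly what an unanswered ipconfig /renew looks like. Addresses and scopes are assumed.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie, RFC 2131
RELAY_IP = "192.0.2.1"                     # assumed: pfSense interface facing the clients
SERVER_IP = "198.51.100.10"                # assumed: DHCP server behind the ASA
SCOPES = {                                 # assumed scopes defined on that server
    ipaddress.ip_network("198.51.100.0/24"): "old-LAN",
    ipaddress.ip_network("192.0.2.0/24"): "new-LAN",
}
HDR = "!BBBBIHH4s4s4s4s16s64s128s4s"       # fixed BOOTP header + cookie, 240 bytes
GIADDR_OFF = 24


def build_discover(mac, xid=0x1234ABCD):
    """Client side: broadcast DISCOVER with giaddr = 0.0.0.0 and hops = 0."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    zero4 = b"\x00" * 4
    options = b"\x35\x01\x01" + b"\xff"     # option 53 = DHCPDISCOVER, then END
    return struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0x8000,
                       zero4, zero4, zero4, zero4, chaddr,
                       b"\x00" * 64, b"\x00" * 128, MAGIC) + options


def parse(pkt):
    f = struct.unpack(HDR, pkt[:struct.calcsize(HDR)])
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:6].hex()}


def relay(pkt, relay_ip):
    """Relay agent (RFC 2131 s4.1): bump hops, set giaddr if still zero, then
    unicast the packet to the server on UDP 67 from the relay's own port 67."""
    hops = pkt[3] + 1
    gi = pkt[GIADDR_OFF:GIADDR_OFF + 4]
    if gi == b"\x00" * 4:
        gi = ipaddress.IPv4Address(relay_ip).packed
    fwd = pkt[:3] + bytes([hops]) + pkt[4:GIADDR_OFF] + gi + pkt[GIADDR_OFF + 4:]
    return fwd, (SERVER_IP, 67)


def server_select_scope(pkt):
    """Server side: pick the scope from giaddr and reply unicast to giaddr:67.
    No matching scope -> no OFFER at all; the client just times out."""
    gi = ipaddress.IPv4Address(parse(pkt)["giaddr"])
    if gi == ipaddress.IPv4Address("0.0.0.0"):
        return "scope of receiving interface", None
    for net, name in SCOPES.items():
        if gi in net:
            return name, (str(gi), 67)
    return None, None


if __name__ == "__main__":
    disc = build_discover("00:11:22:33:44:55")
    fwd, dst = relay(disc, RELAY_IP)
    print("relayed to", dst, "giaddr", parse(fwd)["giaddr"], "hops", parse(fwd)["hops"])
    print("server scope :", server_select_scope(fwd))
    print("wrong giaddr :", server_select_scope(relay(disc, "203.0.113.9")[0]))
```

Three things to check against that model: the server has a scope for the subnet of the interface pfSense relays from (the giaddr), not just for the transport network; the OFFER comes back as unicast from the server's port 67 to the relay's port 67, so a rule that only permits client-style 68-to-67 traffic is not enough; and there must be no NAT between relay and server, because the server answers to the giaddr inside the payload, not to the source address it saw.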



Wednesday, May 15, 2019

Standardize fixed TCP/UDP port selection for NFS firewalling?

NFSv4 and later have a fixed TCP/UDP port for communication; NFSv3 and earlier use dynamic ports discovered through the ONC RPC portmapper on udp/111.

Windows Server supports serving NFS 4.1, but as a client still only supports NFSv3, so I need to support the traditional ONC RPC ports. As we all remember, these are normally dynamic and play havoc with firewalls, which don't have ALGs for ONC RPC, and with NAT, for those situations where it must be used. Luckily, the ports can be fixed to well-known ports in modern implementations.

Most Linux distro documentation uses some ports in the 32000 range, but NetApp's default fixed ports are notably different as are Isilon's.

service          NetApp Clustered Data ONTAP   NetApp Data ONTAP 7-Mode   Isilon
portmapper       111                           111                        111
nfs              2049                          2049                       2049
mountd (NFSv3)   635                           4046                       300
statd (NFSv3)    4046                          4047                       302
lockd            4045                          4045                       304

I'm interested to know if you standardize these in your environment, what standards you use, and if there might be anything any more authoritative on what the standard should be.



policing / shaping recommendations

So I've got a 200 meg IP-VPN connection from CLINK. I've applied a shaper policy to the interface that states 'shape average percent 100', and on the interface I've set bandwidth 200000.

I've got a serious problem with traffic leaving the site. Some hosts can send >60 Mb/sec just fine (Windows Server 2008 R2); others (Windows Server 2012 and Windows Server 2008 R2) can't send over 2 megabit/sec. Traffic bursts at 8 Mb/sec, then 2.1, then 0, and the connection drops. Wireshark shows 'fast retransmissions' and 'duplicate ACK', leading me to believe that packets are delivered out of order. Testing with iperf3 over TCP. 4 VMs talk fine, 2 are crap. 1 happens to be my Veeam server, which really sucks, because it can't even push the runtime to my storage nodes to run jobs.

Now, traffic in the other direction (into the site / VMs) runs at full speed, no problem. Even on those two 'problem' VMs that can't talk out of the site without all the packet loss and disconnects.

The problem machines can also talk to other servers on site at full speed, no problems. Only when traffic hits the WAN and leaves the site is there a problem. It doesn't matter if it's heading to any of the other three sites, same issue. Which leads me to believe that the problem is this one site and its connection.

The router is a Cisco ISR C1111P running 16.9.3. CLINK says they are getting >200 megabit/second and are hard dropping packets over that rate. Even if that's so, why are some hosts sending data fine, and others a complete failure?

I see no errors on any interfaces. All speeds and duplexes are good.

Also, if I fall back to my existing 60 meg circuit, everything is fine.

It's got me stumped.

iperf3 -- VM -- B200m3 -- 2208FEX -- FI -10G- C2960s -1G- 4507r -2x1g- isr1111 -1g- clink NID -//- clink NID -1g- c1111 -2x1g- 6509VSS -2x10g- C220M3 -- iperf3
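
An added example (not the poster's router config, and not Cisco's policer implementation) of the mechanism CLINK described: a policer hard-drops whatever exceeds the rate plus a burst allowance, so a host that blasts a TCP window at 1 Gbps into a 200 Mbps circuit loses packets even though its average throughput is well under the rate, while the same packets shaped slightly below the policed rate pass untouched. Rate, burst size and window size are assumptions.

```python
def police(packets, cir_bps, bc_bytes):
    """Single-rate policer: a token bucket of bc_bytes refilled at cir_bps.
    packets: [(arrival_time_s, size_bytes)] in time order.
    Returns (conformed, dropped) packet counts."""
    tokens = float(bc_bytes)
    last = packets[0][0] if packets else 0.0
    conform = drop = 0
    for t, size in packets:
        tokens = min(float(bc_bytes), tokens + (t - last) * cir_bps / 8.0)
        last = t
        if size <= tokens:
            tokens -= size
            conform += 1
        else:
            drop += 1            # exceed action: drop, nothing is queued
    return conform, drop


def burst(start_s, nbytes, line_rate_bps, mtu=1500):
    """Packets a NIC emits back-to-back at line rate for one TCP window."""
    pkts, t, sent = [], start_s, 0
    while sent < nbytes:
        size = min(mtu, nbytes - sent)
        pkts.append((t, size))
        t += size * 8.0 / line_rate_bps
        sent += size
    return pkts


def shape(packets, rate_bps):
    """Shaper: same packets, delayed so they leave no faster than rate_bps.
    Nothing is dropped (an unbounded queue, for the model)."""
    out, free_at = [], 0.0
    for t, size in packets:
        start = max(t, free_at)
        free_at = start + size * 8.0 / rate_bps
        out.append((start, size))
    return out


def scenario(window_bytes=65536, interval_s=0.010, windows=20,
             line_rate_bps=1e9, cir_bps=200e6, bc_bytes=25000):
    """A sender that transmits one window per interval at NIC speed.
    Returns (average_bps, total_packets, policed_as_is, policed_after_shaping)."""
    pkts = []
    for i in range(windows):
        pkts += burst(i * interval_s, window_bytes, line_rate_bps)
    avg_bps = window_bytes * 8 / interval_s
    unshaped = police(pkts, cir_bps, bc_bytes)
    # Shape a little under the policed rate: shaping exactly at CIR leaves no
    # margin, and the two boxes' clocks and burst sizes never quite agree.
    shaped = police(shape(pkts, cir_bps * 0.95), cir_bps, bc_bytes)
    return avg_bps, len(pkts), unshaped, shaped


if __name__ == "__main__":
    avg, n, unshaped, shaped = scenario()
    print("average offered rate: %.1f Mbit/s over %d packets" % (avg / 1e6, n))
    print("policed as sent     : conform=%d drop=%d" % unshaped)
    print("shaped then policed : conform=%d drop=%d" % shaped)
```

What the model shows is that "we see more than 200 Mbit/s and drop the excess" is consistent with a host whose average is around 50 Mbit/s, because the policer sees 1 Gbit/s microbursts, not averages. A shaper on the ISR only helps if it is the bottleneck the hosts actually hit: it has to sit where the 1G-to-200M step occurs and be set a little below the policed rate, and whether the policer's burst allowance matches the shaper's Bc is the number to ask the carrier for.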



Where can I get a generic/universal "ball-joint" mount like this? Ubiquiti stopped including these with their newer antennas. All I can find are crappy little GoPro knockoff mounts, too small and not made for 24/7 outdoor use.

Ubiquiti used to include these little ball-joint mounts that gave you 360 degrees of movement on your antennas.

Now they don't include anything like this and instead just let you strap directly to a pole. But if you have an existing pole that you can't move or angle, you're shit outta luck.

I can't seem to find anything like this. Am I using the wrong search terms?



Building Ansible Hosts file - 10,000 devices

We're starting out on our Ansible journey, and the one giant mystery we're trying to figure out is how to configure our inventory host file. Do we group by geographic location and then device type? Should we have multiple groups, with routers/switches that fall into multiple categories, or is this a bad idea?

For anyone who has deployed on an Enterprise level with a large number of devices like this, I’m wanting to hear your input. Any recommendations? Any insight is greatly appreciated!
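
An added example (not the poster's inventory and not part of Ansible itself) of a minimal dynamic inventory script: each device is placed in several orthogonal groups at once (site, role, platform), sites roll up into regions, and per-host connection variables ride in `_meta` so Ansible does not call the script once per host. The device list, addresses and region mapping are constructed.

```python
#!/usr/bin/env python3
import json
import sys

# Constructed source of truth; at 10,000 devices this would be read from an
# IPAM/CMDB rather than kept in the script.
DEVICES = [
    {"name": "nyc-core-01", "ip": "192.0.2.1",    "site": "nyc", "role": "core",   "platform": "nxos"},
    {"name": "nyc-edge-01", "ip": "192.0.2.2",    "site": "nyc", "role": "edge",   "platform": "ios"},
    {"name": "lon-core-01", "ip": "198.51.100.1", "site": "lon", "role": "core",   "platform": "nxos"},
    {"name": "lon-acc-01",  "ip": "198.51.100.2", "site": "lon", "role": "access", "platform": "ios"},
]
REGIONS = {"amer": ["nyc"], "emea": ["lon"]}       # assumed geography


def build_inventory(devices):
    """Return the JSON structure Ansible expects from `script --list`:
    groups with hosts/children, plus per-host vars under _meta.hostvars."""
    inv = {"_meta": {"hostvars": {}}}

    def group(name):
        return inv.setdefault(name, {"hosts": [], "children": []})

    for d in devices:
        inv["_meta"]["hostvars"][d["name"]] = {
            "ansible_host": d["ip"],
            "ansible_network_os": d["platform"],
            "ansible_connection": "network_cli",
        }
        # One host, several orthogonal groups: location, role and platform.
        for g in ("site_" + d["site"], "role_" + d["role"], "platform_" + d["platform"]):
            group(g)["hosts"].append(d["name"])

    # Geography as a hierarchy: region -> site. A play can then target
    # 'region_emea:&role_core' without the script knowing about it.
    for region, sites in REGIONS.items():
        group("region_" + region)["children"] = ["site_" + s for s in sites]
    return inv


def host_vars(devices, name):
    """What `script --host <name>` would return."""
    return build_inventory(devices)["_meta"]["hostvars"].get(name, {})


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--list":
        print(json.dumps(build_inventory(DEVICES), indent=2))
    elif len(sys.argv) > 2 and sys.argv[1] == "--host":
        print(json.dumps(host_vars(DEVICES, sys.argv[2])))
    else:
        sys.exit("usage: %s --list | --host <name>" % sys.argv[0])
```

So the answer to "can a device be in several groups" is yes, and that is the point: `ansible-inventory -i inventory.py --graph` shows the result, plays select with group intersections like `site_nyc:&role_edge`, and group_vars per platform carry connection settings while credentials stay in Vault-encrypted files rather than in the inventory itself.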



Aruba ACCA/ACCP

Anyone have any experience with good study plans for Aruba ClearPass? I usually do certifications as a method to learn a product, but am having trouble finding good resources outside of their paid training.



How can I confirm if my ISP is leaking private IP addresses outbound?

Doing some tinkering around the local network, I found a device with IP 192.168.49.1, which happens to be a Canon printer (still figuring out how this happened, but that's another story).

Ran a ping tool, and the traceroute takes it 6 hops beyond my network, two ASes away.

Is this normal?

pastebin here: https://0x0.st/zAlM.txt
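
An added example (not the poster's pastebin, which is not reproduced here) of how to read that traceroute: parse the hops, classify each as RFC 1918, carrier-grade NAT space (100.64.0.0/10, RFC 6598) or public, and decide whether a packet addressed to a private destination was forwarded past your own edge. The traceroute text is constructed; the local network is an assumption.

```python
import ipaddress
import re

SAMPLE = """\
traceroute to 192.168.49.1 (192.168.49.1), 30 hops max, 60 byte packets
 1  192.168.1.1  0.412 ms
 2  10.20.30.1  8.901 ms
 3  100.64.5.9  9.115 ms
 4  203.0.113.17  12.002 ms
 5  * * *
 6  198.51.100.3  15.770 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr):
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def parse_hops(text):
    """[(hop_number, address_or_None)] from Linux-style traceroute output."""
    hops = []
    for line in text.splitlines()[1:]:
        m = HOP_RE.match(line)
        if m:
            addr = m.group(2)
            hops.append((int(m.group(1)), None if addr == "*" else addr))
    return hops


def analyse(text, local_nets):
    """local_nets: the networks you own. A hop answering from outside them
    means the packet was forwarded off your network; for an RFC 1918
    destination that should never happen (your edge should null-route it,
    and the ISP should drop it)."""
    dest = re.search(r"^traceroute to (\S+)", text, re.M).group(1)
    local = [ipaddress.ip_network(n) for n in local_nets]
    rows, first_outside = [], None
    for n, addr in parse_hops(text):
        if addr is None:
            rows.append((n, None, "no-reply"))
            continue
        ip = ipaddress.ip_address(addr)
        inside = any(ip in net for net in local)
        rows.append((n, addr, classify(addr) + ("" if inside else "/outside")))
        if not inside and first_outside is None:
            first_outside = n
    leaked = classify(dest) == "rfc1918" and first_outside is not None
    return {"dest": dest, "hops": rows, "leaked": leaked,
            "first_outside_hop": first_outside}


if __name__ == "__main__":
    r = analyse(SAMPLE, ["192.168.1.0/24"])
    for row in r["hops"]:
        print(row)
    print("leaked:", r["leaked"], "first hop outside:", r["first_outside_hop"])
```

Seeing 10/8 or 100.64/10 addresses on the ISP's own hops is normal; those are their infrastructure and CGNAT ranges. The finding is the other direction: your gateway had no route for 192.168.49.0/24, forwarded the packet to its default, and nothing upstream dropped a packet with a private destination. The fix on your side is a null route for the RFC 1918 aggregates on the edge router, so nothing private ever leaves regardless of what the ISP filters.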



Circuit went down, no MAC address from ISP's Ciena box after restoration

We had a circuit go down due to a fiber cut out in the street, and it is still down after repair.

Show arp on the router shows an incomplete MAC address for the Ciena port. The ISP says it must be us because they're all good, so I tried two other routers and replaced cables, but no change. They dispatched a tech, who also said they are good to the smart jack. Anyone have any bright ideas what else I can try? It's a tagged circuit and my config is good. All I can get hold of are friendly but clueless denizens of Mumbai or some such place.

Edit: Not sure why title is kind of doubled. Maybe a mod can fix it?



Any way to recover from express setup?

Is there any way to recover configs from a Cisco 3850 after express setup has been done on it?



I feel like I run into a new use for loopbacks every couple of months, but I'm not sure I fully understand them. Any advice?

I understand how I would, say, use a loopback plug to test an interface, and how you would use a virtual loopback interface to associate an IP with a physical T1.

I don't want to be too specific because I'd halfway rather not get doxxed with this username, but today I came across a loopback with a public IP, and then a private-IP-addressed interface referenced it. I don't know why the physical interface just wasn't assigned the public IP. And I don't fully understand how a loopback works here. Again, I don't want to be too specific, but essentially traffic is sent to the public-IP loopback, and then the public-IP loopback relays the traffic to the privately addressed physical interface.

Does anyone have any idea what the benefit of that is? Is this a "transitional" configuration? It doesn't make sense to me when the public IP could have just as (more) easily been configured on the physical interface.

And that's got me wondering more about what I don't know about loopbacks instead of the specific questions I have about my last paragraph. Any suggestions, tips, advice would be awesome. I want to understand loopbacks better.



Heat Shrinking without Disconnecting Cable

Hello!

I'm looking for a solution where I can label a cable in a way that doesn't require me to disconnect it. Unfortunately, I haven't been able to find a solution just through Googling. Has anyone been successful in cutting a heat shrink label and reheating it to seal the cut again, or something similar?

For example, if I have to label a cable every so many feet but unable to unplug the cable to split heat shrink labeling onto it, are there other solutions? Unfortunately I'm unable to use cable flags (no zip ties, etc.).

Thank you!



SSL Certification Help

I am working on getting my company PCI compliant. The first thing we are working on is passing our external vulnerability scan. We are using Trustwave and are scanning 10 locations and 1 website. We have given the IP address of the perimeter firewall of each location to Trustwave to scan. Before any changes were made, we were failing with "SSL certificate is self-signed" and "SSL certificate is not trusted". So I went out to find an SSL certificate for our firewalls, but have had a hard time getting an SSL certificate for anything that is not a domain.

We already have a wildcard certificate for our website, *.domain.com. I set up each firewall IP as a subdomain, firewall.domain.com, added the wildcard certificate to the firewall, and it worked! The problem is that Trustwave says I need to use the IP address in their scan, which still fails.

I'm pretty sure I'm just missing something and once I figure that out it will all click. Any help you guys can offer would be greatly appreciated, if you need any additional information just ask.
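
An added example (not Trustwave's scanner and not code from the post) of the name-matching rule the scan applies, following RFC 6125 and RFC 5280: a wildcard dNSName matches one left-most label of a hostname and never an IP literal, and an IP target matches only an iPAddress entry in the subjectAltName. The SAN lists and the address are assumed.

```python
import ipaddress


def is_ip_literal(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def wildcard_matches(pattern, host):
    """dNSName matching: case-insensitive; '*' may only stand for the whole
    left-most label, and it matches exactly one label (RFC 6125 s6.4.3)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    suffix = pattern[1:]                       # ".domain.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_matches(san, target, cn=None):
    """san: [(type, value)] from subjectAltName, type 'DNS' or 'IP'.
    An IP target is compared only against iPAddress entries, as an address,
    never against a dNSName. The CN is consulted only when the certificate
    has no dNSName entries at all, as RFC 6125 validators do; browsers are
    stricter still and ignore the CN entirely."""
    if is_ip_literal(target):
        ip = ipaddress.ip_address(target)
        return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in san)
    if any(t == "DNS" for t, _ in san):
        return any(t == "DNS" and wildcard_matches(v, target) for t, v in san)
    return cn is not None and wildcard_matches(cn, target)


# Assumed certificates: the wildcard the post describes, and one reissued
# with the firewall's public address as an iPAddress SAN.
WILDCARD_SAN = [("DNS", "*.domain.com"), ("DNS", "domain.com")]
WITH_IP_SAN = [("DNS", "firewall.domain.com"), ("IP", "203.0.113.5")]

if __name__ == "__main__":
    for san, target in ((WILDCARD_SAN, "firewall.domain.com"),
                        (WILDCARD_SAN, "203.0.113.5"),
                        (WITH_IP_SAN, "203.0.113.5")):
        print(target, "->", "match" if cert_matches(san, target) else "no match")
```

Two consequences for the scan: a certificate presented on a bare public IP has to carry that exact IP as an iPAddress SAN, which a wildcard can never satisfy and which public CAs issue only for publicly routable addresses they can validate; and the cleaner PCI answer is usually not a certificate at all but closing the firewall's management interface to the internet, so that the ASV finds no TLS service on that address to grade.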



Tunnelling/VPN question

So, I am helping troubleshoot a piece of a network, and I have run into something that seems odd.

There are 2 tunnels in the setup. Devices at the end of the tunnel cannot communicate across the Layer 3 Cisco switch to stuff on the other side. They appear to be getting a good connection to the switch, though.

The tunnels go out FA0/1, using the IP address assigned to the port as the source. The IP address of the port is in the same subnet as the WAN link.

interface Tunnel0
 ip address 10.44.2.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 tunnel source 50.208.230.57
 tunnel destination 66.174.16.250
 tunnel vrf xxx

So, Fa0/1 is 50.208.230.57/29 and G0/1 is 50.208.230.58/29.

There is a route in the routing table for 50.208.230.56/29 going out the G0/1 port.

I have 2 questions:
1. I have tried using Packet Tracer to recreate the situation, but I can't find a switch or router in there that will let me use an IP address as the source of a tunnel. Is there one?
2. Would this setup cause an issue with traffic going across the tunnels?



Aruba 2540-sfp+ to esxi host - 10G DAC - seeing RX errors on switch

Im seeing errors on a newly set link between a host and an aruba 2540-24G-sfp+-poe+ switch.

Totals (Since boot or last clear):
 Bytes Rx        : 2,914,334,292     Bytes Tx        : 2,437,851,313
 Unicast Rx      : 175,849,866       Unicast Tx      : 1,174,044,778
 Bcast/Mcast Rx  : 304,887           Bcast/Mcast Tx  : 474,980
Errors (Since boot or last clear):
 FCS Rx          : 277,220           Drops Tx        : 0
 Alignment Rx    : 0                 Collisions Tx   : 0
 Runts Rx        : 0                 Late Colln Tx   : 0
 Giants Rx       : 2919              Excessive Colln : 0
 Total Rx Errors : 280,139           Deferred Tx     : 0

In the back of my head there's something telling me that the switch port defaults to HD instead of FD when the other end is set to fixed and it's set to auto-neg.

But I can't seem to find any way to set it to 10G full on the switch? What am I missing?



Netbox vs. Infoblox

I'm looking to implement Netbox as our IPAM + DCIM tool. Hoping to solve the problem of people not updating Visio diagrams by just generating site-specific diagrams from Netbox, containing the devices/connections/circuits at a certain site. And when you document the "truth" there, you'll add the IPs/VLANs etc. too, so it would work well as an IPAM from what I can see. Our current IPAM solution doesn't really seem to work that well when you have multiple customers with many VRFs and overlapping IP addresses.

However, these commercial products have fancy integrations with DNS and DHCP, automatically updating the pools and zones. Netbox doesn't have those, at least out of the box, but then again Infoblox etc. don't really help with the issue of documenting the connections between devices. So it's not really a 1:1 comparison, but they have so many overlapping parts that I wouldn't want to implement, for example, both Netbox and Infoblox.

Our DNS records are quite static (besides the subdomain that has all the AD-connected PCs), so I probably could just add a custom field in Netbox for IP addresses called hostname, and then run some scripts to update the DNS zones based on that.

Not sure about the DHCP though. Commercial products also have nicely clustered solutions, at least according to the PowerPoints; how about ISC DHCP (or Kea)?

Any thoughts? Thanks!
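
An added example (not the poster's script and not NetBox code) of the zone-generation step the post proposes: records shaped like NetBox's /api/ipam/ip-addresses/ output, with the assumed custom field `hostname`, are turned into forward and reverse zone-file lines, one view per VRF so that overlapping customer space does not collide. The records are constructed; the hostnames and addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed records shaped like NetBox's /api/ipam/ip-addresses/ results,
# with the assumed custom field 'hostname' the post proposes.
SAMPLE = [
    {"address": "10.0.0.5/24", "vrf": {"name": "cust-a"},
     "custom_fields": {"hostname": "db1.cust-a.example"}},
    {"address": "10.0.0.5/24", "vrf": {"name": "cust-b"},
     "custom_fields": {"hostname": "web1.cust-b.example"}},
    {"address": "192.0.2.10/28", "vrf": None,
     "custom_fields": {"hostname": "edge1.example"}},
    {"address": "192.0.2.11/28", "vrf": None,
     "custom_fields": {"hostname": None}},
    {"address": "2001:db8::10/64", "vrf": None,
     "custom_fields": {"hostname": "edge1.example"}},
]


def _view(rec):
    """Overlapping space lives in different VRFs, so each VRF becomes its own
    DNS view; addresses with no VRF go to a 'global' view."""
    return rec["vrf"]["name"] if rec.get("vrf") else "global"


def _name(rec, field):
    name = (rec.get("custom_fields") or {}).get(field)
    return name.rstrip(".").lower() if name else None


def zone_records(ips, field="hostname"):
    """{view: {"forward": [...], "reverse": [...]}} as zone-file lines."""
    out = defaultdict(lambda: {"forward": [], "reverse": []})
    for rec in ips:
        name = _name(rec, field)
        if not name:
            continue                      # undocumented address: nothing to publish
        ip = ipaddress.ip_interface(rec["address"]).ip
        rtype = "AAAA" if ip.version == 6 else "A"
        view = out[_view(rec)]
        view["forward"].append("%s. IN %s %s" % (name, rtype, ip))
        view["reverse"].append("%s. IN PTR %s." % (ip.reverse_pointer, name))
    return {k: {"forward": sorted(v["forward"]), "reverse": sorted(v["reverse"])}
            for k, v in out.items()}


def duplicate_names(ips, field="hostname"):
    """Hostnames attached to more than one address of the same family within
    one view; these would silently become round-robin records, which is
    usually a documentation mistake rather than intent."""
    seen, dups = set(), set()
    for rec in ips:
        name = _name(rec, field)
        if not name:
            continue
        fam = ipaddress.ip_interface(rec["address"]).version
        key = (_view(rec), name, fam)
        if key in seen:
            dups.add(key)
        seen.add(key)
    return sorted(dups)


if __name__ == "__main__":
    for view, recs in zone_records(SAMPLE).items():
        print("; view", view)
        for line in recs["forward"] + recs["reverse"]:
            print(line)
    print("; duplicates:", duplicate_names(SAMPLE))
```

Running `duplicate_names` before writing anything is the check that makes the script safe to automate: a free-text hostname field will eventually be pasted onto two addresses, and a generated zone should refuse rather than publish the surprise. The per-VRF split is also what a BIND `view` or a separate internal zone per customer needs as input.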



Regional network refresh - what to consider

If a provider plans to upgrade existing network infrastructure, what things would an engineer consider?

Need some comprehensive bullet points or the right kind of mentality. Thanks!



Sending alerts to Office 365 using Cisco FTD

Hi Guys,

Can you please help me with what static IP I need to set up to send alerts to Office 365? Thanks in advance.



GSOC Supplementary Resources

Hi all,

I have just landed myself an amazing job opportunity as a GSOC analyst for a reputable company, with zero networking knowledge. Training is on the job and the learning curve is steep. I want to supplement my working knowledge with a bit of knowledge of how hardware and configurations work within my scope. We test and verify E1 circuits and 64k lines, as well as data circuits (normally 10 Mb a go) that we lease and let to clients. My job is to triage issues, grab logs and monitor tickets. Any hints or tips? I've watched the first 30 episodes of CBT Nuggets; I would love more insight.



ASA Failover Pair?

Hi. ASA idiot again here.

I have two 5512s, which are supposed to be "clones" of each other for total failover.

I went lurking through this document here and have some questions.

1) Does anyone have a "this is the core of the HA/failover link" configuration?

2) The failover itself: is it a closed system (doesn't matter what the IP addresses are) or not?

3) The failover link itself, is it passing traffic, or simply alerting the other ASA to pick up the slack?

4) The links on Primary ASA (such as inside/outside), are they supposed to be the same?



Math for Bandwidth Calculation

I'm trying to figure out the formula behind a "Size" x "Speed" = "Time" calculation.

Similar to this: https://www.omnicalculator.com/other/bandwidth

It seems so simple, yet I can't figure it out on my own.



Truly outdoor WAP suggestions

We are in the middle of upgrading our wireless network and are looking to replace an old outdoor WAP.

We'd like to get something that is truly outdoor and weatherproof. For inside our greenhouse (high humidity, maybe some water splashing on it, nothing like rain) we use the Ubiquiti UniFi UAP-AC-PRO. It does say it is outdoor, but upon later inspection it is only "weather resistant", not weatherproof. I know this is usually a way to cover their asses, but do any of you have any experience with this WAP unprotected in the elements?

Any experience with this KuWfi? The reviews talking about the distance rating sound right up my alley, but I've never heard of the brand, so maybe someone could speak on that or offer something different?

We are in New Hampshire, so think all sorts of weather (rain, freezing rain, snow, heat/humidity, lightning, etc).

We don't have a huge budget so something around $200-300.

Thanks!



Asr1002 license question

OK, so I have an ASR1002-X with the 10G upgrade license in place. I need to upgrade again to 20G, which would be the FLSA1-2X-10-20G. Now my question: I can get the 5-20G license at a great price, as it was never applied and is currently sitting unused. Can I use that one? I don't see why I can't remove the 10G license, which drops it back to 5G, then add the 5-20G on it. Thoughts?



Firepower - Finding internal or external hosts that might be saturating an interface or resources on a specific host.

Trying to rule out why a certain host is being bombarded with requests, and there's talk of "the network is slow".

Been reading up on the network analysis policy and the use cases for enabling certain IDS signatures to generate, and to generate and drop, for port scanning, and either rate limiting or dynamic state rules. Any feedback on the best way to find offending network traffic, or to prove it's not the firewall, would be appreciated.



SD-WAN Subscription Costs

What is everyone doing for justification of the extra cost of SD-WAN? There are some savings to be had depending on carrier changes etc., but what else have you been using to justify the cost or prove the savings? So far the only real thing I can quantify easily is circuit savings. I'm looking for ideas I may have missed.