Saturday, May 25, 2019

Load Time - User Expectations

Just curious to know what the expected website load time tolerance/thresholds are from employees at your company, i.e., what they expect of you.

  1. What is average?
  2. When you receive a ticket, how far off average is it?

Where I am at, anything over 2.8 is a complaint. Just wanted to know if this sensitivity is normal, or if users are overly sensitive due to the fact that we are the beta store for a few applications, and they are better attuned than most to any issue, perceived or real.

Thanks!



WAN Routing issue

If you have OSPF internally and eBGP at the WAN edge, how can you originate the same route at two different locations?

Usually when there's one origin of a prefix it works fine. The packet flows via OSPF until it reaches the WAN edge, where eBGP admin distance beats OSPF. The packet routes out to the spoke router, and everything's good.

However, if two sites are advertising the same prefix, then you'll learn it via eBGP from the WAN edge (from the remote site), and also via OSPF (local back-end connection).

Then no spoke router can successfully reach the destination, because the packet routes to one of the two hubs, then tries to route back out to the WAN due to admin distance.

Swap the distance between OSPF and BGP at the WAN edge router, and you break all the actual WAN spoke routes.

Either way it seems like a routing loop. Any ideas?



Can a VPN server's outgoing activity be monitored by a third party?

I have set up an OpenVPN server on an AWS instance. Can someone monitor what is going out of the AWS instance, since the request would have been decrypted by the server by then?

So I was wondering: if someone monitors the outgoing traffic at the server, there's no point in a VPN.

Is my understanding correct?



Help with Junos vSRX in VirtualBox or VmWare

Hey Networking Reddit!

I've been studying Junos for a week now and I wanted to start playing with the CLI in a VM. Needless to say I've been having trouble.

I downloaded the vSRX ide file from the Juniper website and have attempted to load it into VirtualBox and VMware with different settings. I've tried a variety of options that I have seen in old videos or posts, but I can never get it to start and just work. It either loads Wind River Linux, repeats a line that says it's mounting something, or says "Routing Info Failed!!!!!!!!!!!!!!!!!!!!!" and stops.

I have no experience with VMs and would greatly appreciate some instruction or insight on how to get this up and running.



cisco.com not showing gold star software?

Is the site broken right now? I was browsing cisco.com to grab the latest gold star IOS for a 2960X, and when I went to the IOS download page, the default view was the latest release, with no option for finding the gold star release.

I tried Firefox and Chrome with similar results.

Am I dumb, or is this broken for anyone else?

Thanks.



What's the networking equivalent of dev ops engineer?

I see all these super high-paying DevOps/SRE jobs in my area that all rely on a solid sysadmin background with coding, AWS, Ansible, Infrastructure as Code, etc.

Is there a networking version of this stuff for people who come from a traditional Cisco background? I'm seeing traditional Cisco CLI skills becoming rarer and rarer in jobs in the NY area. Just trying to give myself a leg up when I make my next move...



Public Servers Behind IPsec VPN

I have been searching all over on how to do this, but to give a perspective on the issue: I have a VPS that is hosting a set of services that are accessible by the public. I have an IPsec VPN on that VPS that my home server is connected to. I am using this home server to test different sites and services before they get installed on the main server hosting the VPN. How would I be able to get the home server to listen on the VPS's IP through the IPsec VPN?

Edit: The VPS is running Debian 9 and the home server is running Windows Server 2016.



CCIE-SP V4.1 EVE-NG simple lab without configuration.

CCIE-SP V4.1 EVE-NG lab setup - simple lab without configuration. All interfaces are connected.

We need these images on EVE-NG: CSR, vIOS, XRv.

10 Cisco CSR 1000v

8 Cisco XRv

11 Cisco vIOS

Download link below.

http://www.mediafire.com/file/afmgm6jpwiql14k/CCIE-SP+2019+Eve-NG+lab++without+configration.zip



I found this subreddit in hopes of finding some answers

I recently got a new network adapter to replace my old one, as it couldn't handle installations without the wireless connection dipping in and out, but now that I can install perfectly fine I can't stay connected to online servers without the connection being interrupted. It also affects other programs like Discord. This wasn't an issue until after replacing the old adapter, which never had this specific problem, while also solving the issue with installations the old one had. I have no idea how to troubleshoot this problem. I even tried a network reset and reinstalling the network adapter. Anything I do only seems temporary and/or a fluke.



[Advice] Best VPN Appliance for Small Business with AD Login & 2FA Support

Hi all,

I do IT work for a small business in London, UK and we have a really terrible 8-ish-year-old DrayTek router. I made another post in another sub a while back about trying to get 2FA working via TOTP with it, and honestly the amount of faff I have been through to get a Duo solution that works for a few days at a time and then just cuts out (on the router's part) means that it is time for it to go.

I have been looking at the SSL VPNs on the market. We want something that has good bang for the buck and shouldn't need too much looking after (aside from regular security patching, etc.) since I only work with the company ad hoc and I'm not there full time to look after it 24/7.

Our types of users are very mixed:

  • BYOD workers (e.g. myself as an admin, and a couple of other employees that have their own laptops). They should have VPN access on demand, ideally via Duo since it works well for us and they are not very technical so Duo provides the easiest bang-for-buck security I've found for VPNs.
  • MSP: we have an MSP that can't use Duo due to their company policies. I currently generate them time-limited one time access codes via the Duo control panel as and when access to the network is needed. TOTP with a HW token would be ideal for them though for long-term access when needed.
  • Company provisioned machines: we have a number of machines on AD (a couple of desktops in the office permanently connected to the corp network, and a couple of laptops so far that should be usable from home) that are fully under Group Policy. The laptops at the moment connect to the dodgy VPN we have via a rasphone profile that allows logging in from the login screen. It's a nasty setup, and I'd much rather provision those machines with access certificates (they are encrypted) to get as far as the corp network from the Windows login screen, and then use standard PIN/Password/Windows Hello as if the workers were in the office. This should allow any password resets to be reflected across the Internet immediately, so long as the laptops have Internet access. The VPN should be disabled, however, if the users are in the office, as the corporate network will be available via Wi-Fi and Ethernet.

All users who are out of the office use split tunnelling.

It looks like Cisco ASA, Fortinet and Palo Alto Networks all have good support for most of these options, but I'm not sure about the following:

  • Pricing: do we need to pay annually for licensing all the various components, or are licences just for updates? Who tends to have the lowest annual fees?
  • Multiple profiles: is it possible to have one VPN appliance and endpoint but with certificate-based and 2FA credential-based logins? Bonus points if we can assign policies to users based on AD groups, and if the certs can be managed by our pre-existing AD CA.
  • Compatibility with Windows 10 Always-on VPN: it looks like VPN providers with UWP apps are compatible with this, but we don't want to have to provision an MDM to generate these profiles. Ideally I'd like to just be able to deploy cert-based VPN to laptops based on an AD group.
  • Ease of configuration: I should be able to quickly administer the appliance remotely. I work for the company on a freelance basis often on evenings/weekends so I don't want to need to keep calling up vendors to get custom patches and custom licences to make things work. Once procured, I want to be able to monitor and look after it with as few office visits as possible.

We have no real affiliation with any particular vendor. We use Windows Server 2016 on-prem, and currently have a Dell sales rep available but I've not heard great things about SonicWalls so we're ignoring those for now...

It's a pretty small company with a relatively flat network comprising around ten machines including a server. We also have a site-to-site setup in place to connect two offices together, but the amount of traffic going over that site-to-site setup is very low. I want to future-proof this with support for at least 10 parallel VPN connections open at once with reasonable throughput.

Thanks so much in advance for any tips or pointers anyone can provide!

Chris



RDP 0x609 Errors

Just an FYI: if you are seeing any RDP 0x609 errors this morning and are using Cisco firewalls, you will need to disable inspection for your RDP connections. Assuming this was caused by an update pushed down from Cisco.



Need help with subnetting please.

I posted this question here earlier. People took it the wrong way, since I was not very clear about what I wanted to ask.

Please note that I do need help with this assignment, but I don't want you to do the work for me.

The assignment goes like this:

You are appointed as a Senior Technical Support at one of the leading offices, which looks after monitoring of different servers. You are given a task to assign IP addresses to different parts of the office. The office contains one server room, one admin room, one visitor lounge and one account room. There is a separate network required for the Manager room. How would you design the topology? Make a list of required devices (printers, routers, PCs, etc.) and all the subnets should be done properly. Calculate the total cost to implement this topology.

Here the question says the office contains one server room, one admin room, one visitor lounge and one account room. Then it also says there is a separate network required for the Manager room.

This is my question:

Do I create 5 different networks, one each for the server room, admin room, visitor lounge, account room and manager room?

Or do I create 2 networks: 1 network for the server room, admin room, visitor lounge and account room, and 1 separate network for the manager room?

Or do I ask my professor to make it clear?

Thanks in advance.



Good value range for FTTC attenuation and noise?

I am looking at an FTTC connection that prequals to 80/20, but the attainables are 30/11.

I suspect this is to do with the attenuation values, and I am curious as to what is normally considered a good range of values for attenuation and noise, and what values would normally qualify for an engineer visit to the exchange or customer premises?

Values for this particular connection are - downstream attenuation: 7.5, upstream attenuation: 25.3, downstream noise margin 9.7, upstream noise margin 9.2. The profile has been dropped to 30/8 to bring the downstream under the attainable, but in doing so the attainable dropped again, below 30.



Should 5GHz and 2.4GHz use same SSID?

Hello all,

Hope I'm in the right place to find the help I need.

I have a 5GHz router from my ISP, but it does not cover my whole house, so I have used my old D-Link DIR-655 and set it in bridge mode so it works as an AP. Unfortunately this router does not have 5GHz mode, so it is being used in 2.4GHz mode.

Now few things:

  1. I have issues with setting the right channel for the D-Link as I have many neighbors and that affects speed a lot, but most of the time it is fine for my use. But I have noticed that modern devices don't switch to 5GHz even if I am next to the main router. I have to disconnect and reconnect to Wi-Fi, and then 5GHz is chosen; otherwise devices stay on the 2.4GHz connection.
  2. Knowing the above, should both routers use the same SSID/password? That is my setup atm. I have no idea if setting up 2 different SSIDs/passwords makes things any different. Will phones/laptops that can use 5GHz prioritize that connection when in range of both routers?


Need help with this project, please.

You are appointed as a Senior Technical Support at one of the leading offices, which looks after monitoring of different servers. You are given a task to assign IP addresses to different parts of the office. The office contains one server room, one admin room, one visitor lounge and one account room. There is a separate network required for the Manager room. How would you design the topology? Make a list of required devices (printers, routers, PCs, etc.) and all the subnets should be done properly. Calculate the total cost to implement this topology.

For this project you need to make a report (800 words) and a diagram of the implementation.



BEST DISCORD FOR NETWORKING PERIOD JOIN ASAP



Arista Switches - LACP Load Balancing

Greetings,

Has anyone run into an issue where Arista switches do not load balance beyond 50% of the bonded capacity? I have 2x10G active LACP, which should give me a 20Gbit ceiling; instead I'm capped at 10Gbit (~4.5Gbit on each link).

This is happening on a DCS-7148SX and DCS-7050S-52, which are connected to Cisco 6500s and a few Juniper QFXs.

Thanks in advance for any possible information.



Friday, May 24, 2019

Starting Junos

Hi!

I've never used Juniper, and I'm looking to learn the basics.

I'm investigating the options to run it on VirtualBox. I've seen a few guides where people are suggesting to use Junos 12, but it looks quite old.

Is there a particular reason why v12 is recommended? Are these just old articles, or is this version freely downloadable due to its age?

Is Junos 12 on VirtualBox a reasonable place to start learning the CLI basics?



Bandwidth requirement calculator

My company has some servers on the West Coast and wants to set up continuous file transfer to a data center on the East Coast. I'm trying to estimate the bandwidth needed.

The vendor application that transfers the files shows huge traffic variations from time to time, and I have the past traffic data. There are 5 servers on the West Coast where the data originates. The data is transferred in periodic bursts from each of the 5 servers. It's possible that all five servers transmit data at once, and also that there is no traffic at some times.

How do I calculate the higher end of the average bandwidth, so that average-size files keep moving and the largest files can take a slightly longer time to transmit?

Any calculator will be helpful.
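One way to size such a link, as an added example that is not the poster's tool or data: aggregate the per-interval byte counts of all servers (they may burst together), report mean, 95th percentile and peak, and run a simple fluid-queue model to see how much backlog a candidate link speed accumulates. The byte counts, the 5-minute interval and the candidate speeds are constructed assumptions.

```python
"""Size a WAN link for bursty periodic transfers from several servers.

Added example for the bandwidth question above; not the poster's tool or
data. The per-interval byte counts are constructed, the interval length and
candidate link speeds are assumptions."""
from math import ceil
from statistics import fmean
from typing import Dict, List, Sequence, Tuple

INTERVAL_S = 300  # assumption: traffic data is bytes moved per 5-minute interval

# Constructed sample: bytes sent per interval by each West Coast server.
# 37_500_000 bytes per 300 s is exactly 1 Mbit/s, so the sums stay readable.
PER_SERVER_BYTES: Dict[str, List[int]] = {
    "west-01": [37_500_000, 0, 75_000_000, 0, 37_500_000, 0],
    "west-02": [0, 37_500_000, 0, 75_000_000, 0, 37_500_000],
    "west-03": [375_000_000, 0, 0, 0, 0, 0],
    "west-04": [0, 0, 0, 0, 0, 375_000_000],
    "west-05": [75_000_000] * 6,
}


def aggregate_bits(per_server: Dict[str, Sequence[int]]) -> List[int]:
    """Sum all servers per interval (they may burst at the same time) and
    convert bytes to bits, the unit link speeds are quoted in."""
    lengths = {len(v) for v in per_server.values()}
    if len(lengths) != 1:
        raise ValueError("every server needs the same number of intervals")
    return [8 * sum(col) for col in zip(*per_server.values())]


def to_mbps(bits_per_interval: int) -> float:
    return bits_per_interval / INTERVAL_S / 1_000_000


def percentile_nearest_rank(values: Sequence[float], pct: float) -> float:
    """Nearest-rank percentile, the convention used for 95th-percentile
    transit billing; with few samples it is conservative (rounds up)."""
    ordered = sorted(values)
    rank = max(1, ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(per_server: Dict[str, Sequence[int]]) -> Dict[str, float]:
    rates = [to_mbps(b) for b in aggregate_bits(per_server)]
    return {
        "mean_mbps": fmean(rates),  # link must exceed this or the backlog grows forever
        "p95_mbps": percentile_nearest_rank(rates, 95),
        "peak_mbps": max(rates),    # link at which no file ever waits
    }


def simulate_backlog(per_server: Dict[str, Sequence[int]], link_mbps: int) -> Tuple[int, int]:
    """Fluid-queue model: bits that do not fit into an interval's link
    capacity wait for the next one. Returns (max backlog in bits, longest run
    of consecutive intervals with a non-empty backlog)."""
    capacity = link_mbps * 1_000_000 * INTERVAL_S
    backlog = max_backlog = run = longest_run = 0
    for bits in aggregate_bits(per_server):
        backlog = max(0, backlog + bits - capacity)
        max_backlog = max(max_backlog, backlog)
        run = run + 1 if backlog else 0
        longest_run = max(longest_run, run)
    return max_backlog, longest_run


def transfer_seconds(file_bytes: int, link_mbps: int) -> float:
    """Best case for one file if it gets the whole link."""
    return file_bytes * 8 / (link_mbps * 1_000_000)


if __name__ == "__main__":
    print(summarize(PER_SERVER_BYTES))
    for link in (6, 8, 13):  # below the mean, between mean and peak, at the peak
        print(link, "Mbit/s ->", simulate_backlog(PER_SERVER_BYTES, link))
    print("largest file at 8 Mbit/s:", transfer_seconds(375_000_000, 8), "s")
```

A link below the mean (6 Mbit/s here) never fully drains; one between the mean and the peak (8 Mbit/s) clears each burst within one interval, which is the "average files keep moving, big files wait a little" trade-off the question asks about.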



Trying to fix a large company rat's nest network

Recently I got my first job that let me really stick my nose into the IT world and OHHHH boy I've been enjoying the hell out of it, but I've run into a problem that I'm really too new to understand how to fix it and I'm less intimidated and more enthusiastic to fix it. Even if I don't end up fixing it, learning how to do it in theory would really be enjoyable for me.

So, my company has run since basically the dawn of time. They're very slow at adding new technology and they don't always allow the budget or time to do things right. Because of this, we don't hire contractors for our wiring and we've just had facilities wire our extremely large building over time. This has caused a tremendous amount of problems and the largest network rat's nest I've ever read about in my entire life.

I was responsible for setting up a new department for the company, so I did everything from installing PCs, carrying them in, setting them up, setting IPs, and the other stuff, when one guy just starts ripping out all the cables from the switch! In my head I'm freaking the hell out, but he was my superior, so I assumed he knew best. Next thing you know, 1/2 the network goes out for the building and I'm up the rest of the night fixing what my supervisor messed up.

But here's the cool part. I got to play with the switch and hang around the engineers who had to come in and fix it! I learned a massive amount, but I was also surprisingly trusted (for some god-forsaken reason) to set up the switch and run the cables, set up the network, and was even introduced to how to play with the switch through PuTTY. I began to make a layout of the department and started tracing every port and wire. I began to learn that facilities didn't even trace wires to the closest switch and the rat's nest was worse than I thought. Over the entire week, I've begun just tracing every port I run across and running my wand across the switches to learn where they lead, and I've begun to make a network topology of the entire building. It's a very slow process and I was wondering if you guys had any ideas that could help me speed up the process.

I've slowly begun to clean up the network too and organize, label, and document everything. One of the engineers has been helping me find ports I can't trace too, because he's been incredibly encouraging and he also wishes to fix the rat's nest. Is running my wand across every switch port by port really my only option? I'm horribly eager to learn, but getting the layout for this building could take me 2+ more months of work alone, and I'm also tasked with other jobs, so I can't be doing this all day. I'm just really trying to fix this, but I'm kinda stumped as to how to speed it up.



Need help conceptualizing a DMZ reverse proxy setup where target servers are separated by another firewall and are not on the DMZ network.

Thanks in advance for your time and any insight you may have.


I might be creating a default gateway paradox by trying to do this, but there's a reason. I think. Feel free to tell me I'm dumb.

Let's say you have two SonicWalls, one at the edge for normal traffic, and you have a DMZ network on X4. On that network you have a reverse proxy. You need to proxy HTTPS to some backend servers that MUST be on the LAN. So you put one of their NICs in the DMZ network and give it the X4 IP for its default gateway.

Everything works, but let's say you wanted to separate the DMZ from the LAN with another SonicWall, and have the reverse proxy connect to an interface there, and another interface could serve the connection to the backend servers and be restricted by access rules in that second firewall. Let's say you want to do this so that if the reverse proxy is compromised, there's nowhere for it to go except the second firewall.

This probably means that the DMZ and the "DMZ 2" NICs behind the second firewall are on a different network and will have different default gateways.

How would you give the second firewall the ability to return traffic back to the DMZ from whence it came without also allowing the reverse proxy to talk directly to the servers outside of enforcement by nature of them being in the same subnet?

My thoughts are (to me) coherent with the following alternate setup until the default gateway:

DMZ Interface --> Switch --> Reverse Proxy | proxy cons -> | Second Firewall upstream interface [Same network as DMZ?]
[ Second Firewall ] DMZ Server IP NAT to --> Internal zone Server IP --> Internal Zone interface --> NICs on servers configured in different network than that of the DMZ.
[ Access rules ] Allow DMZ --> Internal zone HTTPS (DMZ Server IP Group)
[ Server NICs ] IP in Internal Zone network | Default Gateway = ???

If I use the Internal Zone interface IP for the DG, how will the traffic return to the DMZ? If I configure the NICs with a default gateway of the DMZ interface and add a route in the second firewall, will the traffic ever hit the Internal Zone interface to begin with, being in different subnets? Can't be. Should I make the Internal Zone the DG and NAT it to something that can touch the DMZ network going upstream? Is that even a thing?

???

My brain is mush from a very long day. I'm also not a network guy, so I am very sorry for doing this on you.
Thanks again.



Arista's Campus switching intentions?

What exactly is the intended use for Arista's campus line of switches? From what I've been able to find, the 7300X3 and 7050X3 have been designated as the campus-dedicated models. My question is whether these switches are designed to be used at the access layer, connecting workstations, printers, etc. directly to these switches? Or rather, are they intended to serve as top-of-rack switches, handling layer 3 routing, security, etc.?

My question stems from us shopping for new access layer switches for our campus network. Currently we're using a pair of Cisco 3750X as our core layer 3 switches, which handle all the routing and such. We plan to replace these sometime next year. Beneath those in the topology, we're using 8 HP ProCurve layer 2 switches for the access layer. These are all trunked off of the Cisco pair we have and handle all of our workstation and printer connections. In the data center we installed a pair of Arista 7050s back in the fall for our server infrastructure and they've been rock solid.

As I'm shopping for a replacement solution for our ProCurves, I've been weighing Aruba 2930s or Juniper 3400s. My boss, however, was under the impression we would be converting fully to Arista. He thought we would use them even at the access layer in the campus. He read an article about how they were making their way into campus switching and thought we should go with them to make our deployment uniform. I told him it sounds like overkill but that I would research an Arista solution for the campus.

From what I've been able to determine, Arista is not intending to provide the access layer. I can't fathom spending $200,000 for 9 access switches. Is anyone able to break down and explain Arista's campus switching intentions for me?



IPv6 and WatchGuard Firewalls

Hey guys,

So, I'm planning to start implementing IPv6 on my networks and I'm looking for a few pointers.

I have two coax connections from Comcast: one gigabit connection with no statics, DHCP, and one 100 Megabit connection with a 5 IP block of IPv4 statics and a /56 IPv6 block.

My networks are schools and I have IPv4 set up right now only, with IPv6 turned off. Staff networks are routed out the 100 Megabit connection and students are routed out the gigabit connection. The reason for this is that when using Comcast's RIP'ed static block with a large number of student devices, we found that the modem would just die routing all of that, so we put in a second modem that is simply bridged and does a single DHCP'ed IPv4 address to the firewall. Apparently, with the way that Comcast does IPv4 static assignments, the modem itself does quite a bit of routing, and all of the TCP connections that were happening would REALLY bog it down to where it would be unresponsive with 300-500 devices online at once.

Now, I have an IPv6 /64 delegation from Comcast, but I'm not entirely sure how I use it. I'm very new to IPv6, so if this seems like a stupid question, it's because I still find IPv6 a bit confusing, as I'm used to the IPv4 and NAT world of yore.

  1. How do I hand off the IPv6 /64 block to my students' devices and have their gateway be my WatchGuard firewall for web filtering?

  2. What ICMP protocols do I need to allow for IPv6 to work? I know there are a few that are required in IPv6.

  3. Any other pointers on setting something like this up?



Connecting your partners/customers to your VXLAN fabric or to a separate router?

We're building a basic VXLAN EVPN fabric in our two DCs, and wondering how you would connect your external partners to the network. These would be our customers and other entities we would like to have integrations with from our DC.

Our fabric would look something like this, the usual setup:

https://snag.gy/XWfceB.jpg (with more leaf switches, but just one DC edge router and two spines). MPLS core is our campus LAN and managed by us.

My two options would be either to connect the customers to a pair of border switches, or buy new routers to connect to edge routers. Myself I would prefer connecting them just to our border leaves, as we already have the gear. If we'd need to get extra routers that would cost extra money.

Partners advertise only a few routes to us, so BGP processing capability isn't an issue.

If I connected the customers to border leaves, our DC edge routers would be the BGP peer for the customer.

Any thoughts?

Thanks!

Edit: updated the picture



Question: What do you guys use in your networks to discover issues (misconfigurations or intrusions) before they become major outages?

To preface this, I am not a networking professional. I am a System Administrator for K12.

I have a history of networking and am a hobbyist of sorts - but I am NOT a network admin or engineer by trade.

We are currently dealing with a major service interruption in our network and the network team seems to be at a loss in how to get to the bottom of it.

They cannot seem to isolate if this is an attack or a misconfiguration. This especially concerns me.

I feel as though we should employ some other solutions in our network to ease administration as well as make it easier to track issues like this.

I currently think we should look at Infoblox for a DDI solution.

So, to my original question: What solutions do you guys find useful to run in your networks to help identify possible misconfigurations or attacks before they become major interruptions?



Find specific ports

What would be the quickest way to find what ports on remote Cisco switches are associated with a specific MAC? I'm trying to isolate ports associated with a specific VLAN. I know I can run show mac-address-table and find them on the near switch, but I'm stuck on where to go after that.



Best networking practice for services

Hi,

I am designing our network in the cloud. Our network security guy is convinced the best way to do it is to have one VM running all our services with a subnet assigning an IP to each different service. He says we should reduce the number of machines we run down to the minimum. The cloud service in question is IBM cloud. I am hesitant about this because

1) I have not assigned an IP to a specific service on a single machine before, and

2) I don't have experience with cloud networking.

I would prefer to have one VM per service and assigning different IPs per VM, or failing that, running a group of related services on one VM. What is /r/networking's opinion on this?



VRF-Lite learning resources

Hi Folks,

I am looking to do a VRF-Lite implementation in an effort to restrict east-west traffic on an L3 switch. Does anyone have any suggestions on resources to both learn VRF-Lite and possibly do a virtual lab to practice? I am looking to use free and/or subscription-based resources.

As an aside, I wonder which definition of the word "lite" is applicable here? English is kind of silly sometimes...



Managing a WISP network

Hey all. So I'm still really new to networking in general, but my question is what gear to use for managing the network. I'm told that although low-end, Ubiquiti is decent. If it matters, I'll be using MikroTik for routing and Netonix for powering the APs. Any insight would be greatly appreciated!



As I understand it, telnet is insecure and outdated.

So why is that option still included with some routers? I mean, I appreciate it; I used telnet to disable automatic updates on my Netgear Orbi after it decided to attempt to go down to update at 8:00 AM (I'll be coming into work on Saturdays when I need to deal with updates).

I'm just confused. If it's antiquated and insecure, why is it still an option?

Also, why did I have to use telnet to disable automatic updates? Did I miss an option in the router's GUI and just do things the hard way?



SSH Python script and Cisco network devices?

Would like to ask if anyone has used Python to connect to a device via SSH without installing any new library?

Due to some restrictions on the server itself, I have limited access for installing any libraries for Python.

Anyone tried using subprocess to SSH and send commands? Currently checking on this, but if you could share a sample, especially sending commands, or another way/method, that would be better.

Thanks
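A standard-library-only approach for the question above, as an added example that is not the poster's script: drive the system OpenSSH client with subprocess, feed the commands on stdin, and split the transcript per command by prompt line. It assumes key-based authentication is configured on the device (IOS pubkey-chain), so BatchMode never has to hang on a password prompt; the host, user, key path and the sample transcript are constructed.

```python
"""Run show commands on a Cisco IOS device with only the standard library,
by driving the system OpenSSH client through subprocess.

Added example for the question above, not the poster's script. Assumes
key-based authentication on the device; host, user and paths are placeholders."""
import re
import subprocess
from typing import Dict, List, Optional, Sequence

# Constructed transcript of what the ssh client prints for three commands,
# used to demonstrate the parser offline.
SAMPLE_TRANSCRIPT = """\
switch01#terminal length 0
switch01#show clock
*10:12:31.004 UTC Sat May 25 2019
switch01#show mac address-table vlan 39
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  39    0011.2233.4455    DYNAMIC     Gi1/0/12
Total Mac Addresses for this criterion: 1
switch01#exit
"""
SAMPLE_COMMANDS = ["terminal length 0", "show clock", "show mac address-table vlan 39"]


def build_ssh_argv(host: str, user: str, *, port: int = 22, connect_timeout: int = 15,
                   identity: Optional[str] = None,
                   known_hosts: Optional[str] = None) -> List[str]:
    """argv for the OpenSSH client: a list, never a shell string, so command
    text cannot be injected into a shell."""
    argv = [
        "ssh",
        "-o", "BatchMode=yes",              # fail fast instead of hanging on a password prompt
        "-o", "StrictHostKeyChecking=yes",  # refuse unknown or changed host keys
        "-o", f"ConnectTimeout={connect_timeout}",
        "-p", str(port),
        "-l", user,
    ]
    if identity:
        argv += ["-i", identity]
    if known_hosts:
        argv += ["-o", f"UserKnownHostsFile={known_hosts}"]
    argv.append(host)
    return argv


def detect_prompt_host(transcript: str) -> str:
    """Hostname taken from the first IOS prompt ('name>' or 'name#')."""
    m = re.search(r"^([\w.-]+)(?:\([\w-]+\))?[#>]", transcript, re.M)
    if not m:
        raise ValueError("no IOS prompt found in output")
    return m.group(1)


def split_by_prompt(transcript: str, commands: Sequence[str]) -> Dict[str, str]:
    """Map each sent command to the text between its prompt line and the next.
    Ordering, not command echo, drives the mapping, so it also works when the
    device does not echo what it read from a non-interactive session."""
    host = re.escape(detect_prompt_host(transcript))
    prompts = list(re.finditer(rf"^{host}(?:\([\w-]+\))?[#>].*$", transcript, re.M))
    out: Dict[str, str] = {}
    for i, cmd in enumerate(commands):
        if i >= len(prompts):
            break  # session ended early, e.g. a rejected command
        start = prompts[i].end()
        end = prompts[i + 1].start() if i + 1 < len(prompts) else len(transcript)
        out[cmd] = transcript[start:end].strip("\n")
    return out


def run_commands(host: str, user: str, commands: Sequence[str], **ssh_opts) -> Dict[str, str]:
    """Send the commands on stdin (paging off first) and parse the transcript."""
    sent = ["terminal length 0", *commands]
    proc = subprocess.run(
        build_ssh_argv(host, user, **ssh_opts),
        input="\n".join([*sent, "exit"]) + "\n",
        capture_output=True, text=True, timeout=60, check=False,
    )
    if proc.returncode != 0 and not proc.stdout:
        raise RuntimeError(f"ssh failed: {proc.stderr.strip()}")
    return split_by_prompt(proc.stdout, sent)


if __name__ == "__main__":
    # Placeholder target; replace with a device that trusts your key.
    for cmd, text in run_commands("192.0.2.10", "netops", ["show clock"]).items():
        print(f"--- {cmd}\n{text}")
```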



Python for Network Engineers course starts on Tuesday, May 28 (free course)

We periodically run a free course on Python for Network Engineers (about once a quarter) and we will be running this course again starting on Tuesday, May 28th.

The course is fundamentally about Python, but told with a network engineer's bent (i.e. the examples and exercises are more relevant to network engineers). Later in the course we also get into some more networking specific topics (Netmiko and Jinja2...well Jinja2 isn't really networking specific).

The course format is a lesson a week for eight weeks. The lessons are all delivered via email and consist of videos, exercises, and additional content. The course is self-paced.

The weekly lesson breakdown is as follows:

  • Week 1 - Why Python, the Python Interpreter Shell, and Strings
  • Week 2 - Numbers, Files, Lists, and Linters
  • Week 3 - Conditionals and Loops
  • Week 4 - Dictionaries, Exceptions, and Regular Expressions
  • Week 5 - Functions and the Python Debugger
  • Week 6 - Netmiko Basics
  • Week 7 - Jinja2 Basics, Introduction to YAML and JSON, Complex Data Structures
  • Week 8 - Libraries, Package Installation, and Virtual Environments

The course is Python 3 (there are references to Python 2/Python 3 compatible code, but pretty much everything is done in Python 3).

A bit about me--I am a long-time network engineer (CCIE emeritus, routing and switching). I have been pretty into Python and network automation for quite a while. I am the maintainer/creator of the Netmiko library; I also am one of the core maintainers of the NAPALM library.

Sign-up is available here: https://pynet.twb-tech.com/email-signup.html



Cisco ACI vs Arista Open Cloud

Need some suggestions for making a career-related decision: which one, according to you, holds more promise, Cisco ACI or Arista Open Cloud (BGP EVPN / VXLAN), in the DC and campus segments? Which one do you feel has a better potential to be successful? Any suggestions would be highly appreciated. Thanks in advance.



Question about a dynamic IP address with an open TCP connection

This is probably a dumb question, but I am having trouble finding a good answer. If you have an open TCP connection and the IP address you are behind changes, what happens to the connection? Do you send a special packet that says that your source address has been changed? Or will the connection just timeout and then have to be reestablished?



Juniper system syslog file match help

I'm trying to create a syslog rule on a Juniper EX switch that will log anything that starts with SNMP_TRAP to a file called traps. For some reason it's just not working. I've tried several variations, but here is the latest:

file traps {
    match "^SNMP_TRAP.+";
}

Can someone tell me why this wouldn't work? I've looked at the docs and also tested this expression on a site to verify it does match the string.

Thanks for the help!



Help with finding a QoS management tool and general Nexus 9k advice

I'll be setting up my first Nexus network soon and I'm in a bit of a weird spot.

In my past roles I had senior engineers to turn to that knew everything I could ever need if I got stuck but now I'm on my own. It's going to be fun.

The plan is 9300s, spine and leaf design using NX-OS (no ACI), BGP internally with ECMP and BFD for redundancy/bandwidth. Palo Alto FWs in Active/Active for edge security.

I'm not asking for help with the design, I'm pretty sure I've got it all covered and I'm ready to learn what I don't know.

Saying that, if you can think of any kinks I could hit with what I've said above please let me know.

To my question, I am going to have to configure and manage QoS on this beast and I'm a bit concerned about how to do so. I've looked for tools to manage QoS config but haven't had any luck finding a good one.

Can you suggest one?



RSMA lightning arresters for 2.4GHz and 5GHz external WiFi antenna

Hi,
I am building a WiFi network with external antennas and I would like to use lightning arresters between the antennas and the AP; not only do I have trouble finding any lightning arresters for WiFi on the local market, but when I look internationally, all I can find are N-connector lightning arresters...

Do you guys know of anyone who makes lightning arresters with RSMA connectors?



SNMP OID for arp entry age

Looking to find the Age (min), which in this example is 32, via SNMP.

cisco_2960xr#sh ip arp
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  10.1.39.151         32  1860.24a5.5e67  ARPA  Vlan39

Can use ipNetToMediaPhysAddress 1.3.6.1.2.1.4.22.1.2 to get the rest of the information. It's marked as deprecated but works.

ipNetToPhysicalPhysAddress 1.3.6.1.2.1.4.35.1.4 is current but not working for me.



How much TCP retransmission / interface discards are OK?

We're trying to troubleshoot the server guys' storage latency issues (VMs on NFS), and I'm seeing some discards on our DCI link. It's 6x10Gbps, and the servers are also connected with 10Gbps NICs. How many discards would you consider OK? I'm thinking it's OK to have some, as two flows might get hashed to the same DCI link and max out that 10Gbps, causing some drops (microbursts).

Server guys are also telling me that they're seeing TCP retransmissions on their servers, probably because of the discards. What would you consider a normal amount? They're of course telling me that even one is a bad thing :)

We have some VM datastores that are replicated between DCs, and the write isn't acknowledged by the local server before the remote server also ACKs it. So if we had lots of latency in the DCI, it would cause latency for the local VM too. DCs are separated by 5 miles or so.

This too is a case to prove it's not the network. But thank you in advance for any ideas :)



Help me migrate to OSPF!

Topology

I'm less than a month in to this job and have been tasked with migrating from static routes to dynamic routing. I'm gonna go with OSPF and so far I've been trying to understand the network topology to determine if a single or multi-area design would be best.

Each site has a core switch with a routed port connected to ISP2 Metro-E. The routers have a connection to ISP1 Metro-E. Each branch switch has a trunk to its default gateway, the branch router. The head office switch forwards to a firewall and then to the router for data.

I've read this article from PacketLife on routing protocol migration so in my scenario I believe I can safely turn on OSPF to start learning routes since its AD is obviously higher than static routes. I've also seen that I can simply redistribute static/connected routes but what happens when you remove a static route that you redistributed?

  1. From the topology should I use single area or multi area? I'm really not sure how to go about making that decision.
  2. What are general steps to take to safely migrate from static routes to OSPF? How much do I need to know about the current static routing config? What answers should I have before going forward?
  3. What are the differences between redistributing connected and manually advertising interface subnets?


Template Version Control

Hello all.

I'm curious as to what you guys are using for network template version control? I just switched to a new company and am trying to get some standards defined around here. I'm used to using Excel with highlighted rows where things need modified. This doesn't have a great version control feature. Looking for more "the right" way to do it. Have been considering GIT but don't know enough about it.



VLAN Interface Question

Good morning,

I have a small network with two Cisco Catalyst 3650 switches connected together via fiber.

On switch1, I have configured three VLAN interfaces and VLANs as below:

interface vlan 20: 10.101.20.1/24

interface vlan 110: 10.101.110.1/24

interface vlan 200: 200.0.0.1/24

vlan 20 (Clients)

vlan 110 (Network Devices)

vlan 200 (Production Machines)

On switch 2, I have configured one VLAN interface and the three VLANs mentioned above.

interface vlan 110: 10.101.110.2/24

So I am at the testing phase, and am running into some issues. First, when I statically set a laptop up on the 20 VLAN (10.101.20.110/24) and plug into switch1, I can talk to devices on different vlans connected to the same switch. However from that laptop, I cannot ping 10.101.110.2 (I can ping it from switch1). Also, from switch2, I am unable to ping any of the default gateways (VLAN Interfaces) from switch1.

Any ideas or suggestions would be greatly appreciated. This is my first solo network config so I'm sure it's just a stupid rookie mistake! I am here trying to better myself as a network admin, so please provide any constructive criticism you can :)!!!



windows network PC issues seeing other devices

Hey all,

Question for you, below are my setups for my home network

PC > Router via Wireless (can see all computers on the network)

PC > Router via Ethernet (can see all computers on the network)

PC > Switch > Router via ethernet (cannot see any computers on the network)

So I am guessing there is an issue with connecting to the switch; however, they all receive internet.

Any help would be great, thanks.



multiple VRFs with the same vrf-target

We have a small MPLS network carrying multiple L3VPNs, 2 of which are used by ourselves. One is corporate, and the other was created to segregate a production voice system - SIP carrier terminations, audio infrastructure etc.

It's becoming apparent that splitting these networks up was probably not the wisest choice. There are more and more resources in the production voice VRF that are actually corporate resources etc.

I could explicitly leak routes between the two with policy-statements, but the more I think about it, the more sense it makes to bring them both together. Could I do this by putting the same vrf-target on both routing-instances? It would save me having to move the interfaces, BGP settings etc. from one VRF into another.



LLDP Packet capture

Hi Guys,

Can someone please help me with LLDP packet capture on Aruba 3810M switch.

Thanks



Netbox on Raspberry

Hi folks, has any one of you installed NetBox on a Raspberry Pi as a server? We don't really have any spare hardware that fits the case and all our server stuff is cloud-based (not renting more for that purpose, unfortunately). We're re-doing our internal network next week and I want to get it all well documented.



Networking is saturated?

I am getting my associates in Cybersecurity from a community college and will transfer to UMUC for a Bachelors in Networking and Cybersecurity. Yesterday I heard one of my professors say in the software design class that “there are tons of jobs for programmers, it's not saturated like networking”. I was like “what?”. Was he correct? I have high hopes for the networking and cybersecurity field.



Palo Alto GlobalProtect Split Tunnel by domain name?

Anyone implemented this feature and actually have it working? I've found a few posts, but no one has had success with it, it seems.

I'm trying to include *.salesforce.com in the split tunnel, but no routing entries are being made in the client route table, and a trace goes straight out the local adaptor.



Thursday, May 23, 2019

Documentation be damned!

Why is it that companies think it's OK to offload the process of creating documentation to their customers?

We've recently deployed some new hardware and whilst there is decent documentation for the Setup and provisioning of it a lot of the documentation for the Ops side is touted as "oh, we have a user community"... in other words they're too lazy to write it themselves.



Usable hosts in CIDR Network address

In a CIDR Network address of 172.16.31.32 /29, how many usable host addresses are there?



Enterprise - IPS for East/West Traffic

Difficult one to search for since "IPS" tends to get hits on IPs, as in IP addresses!

How many of you in the enterprise space are doing IPS or IDS for east/west traffic? How are you dealing with high levels of traffic? I realize the last question is a relative one, but at the many gigabits per second levels, you really need your IPS to perform well to avoid operational impacts.

Finally, are you combining your IPS with your Firewall? Success?

If it's not obvious, we are running into performance issues with IPS enabled on internal firewalls supporting east/west traffic. The devices either need to be bigger or scaled horizontally ($$ in either case), the functionality split out to dedicated devices or pulled closer to hosts via SDN technologies. Or maybe IPS internally is a lost cause and we should be focused on more passive approaches like analysis via network taps and DNS "Firewalls".

TIA!



Small Business Network Setup.

Looking for some input on how to securely do my network, thank you in advance for any help!

I run a small restaurant, no more than 100 people in the building at our busiest, likely an average of 20-30 people per hour. The layout of my building is back prep room and office, then the kitchen, then the dining room, and then the front kitchen/register area. My connection is 100 down 4 up. My office is towards the back of the building; this is where my modem and router are. At the moment the only thing plugged in is my credit card machine at the front of the building. We have no POS or anything that has to be wired. I have a private network set up here, and am currently using a Netgear ac1750 with a Mesh Range Extender to help reach the front of the building, though it doesn't work great on the other side of my brick wall.

What I'd like to do is have my private network for myself and employees reach the whole building while also having a guest network for customers. What do you folks think might be the best way to go about this? I've been looking into Ubiquiti access points, thinking that I can run 2 across my building from my router: one to the dining room and another perhaps on the ceiling of the front kitchen area.

I have no experience with guest networks, but I was hoping I could make this available to my customers with some advice/help from here.

Thanks again!



How to save ASR9k config?

Just inherited a decade+ (4+ year uptime) old asr9k and trying to get used to it. My standard wr mem or copy run start doesn't seem to work properly. Is it like mikrotik where you commit the changes and that's it; you don't have to save to a file?

The filesystem seemed to be empty the first time I logged in. When I did "copy run start" it created a new file called start, and when I ran it again it asked me to replace. Same with copy running-config startup-config. dir /all shows only those two files I just created.

What's the deal with the config on the asr9k?

edit: It's so old it does not support ISSU. Also only 1 RSP. And the uplink/downlink are plugged into the RSP. totally defeats the purpose of having an ASR.

edit2: after dir'ing through all the filesystems, there is one "config" file stored in disk0 where all the software images are located. Is this the config that's loaded on boot?



"Thrangrycat" - Cisco's latest vulnerability

https://thrangrycat.com/

I'm not super familiar with this one yet but sounds pretty interesting.

Summary:

Thrangrycat is caused by a series of hardware design flaws within Cisco’s Trust Anchor module. First commercially introduced in 2013, Cisco Trust Anchor module (TAm) is a proprietary hardware security module used in a wide range of Cisco products, including enterprise routers, switches and firewalls. TAm is the root of trust that underpins all other Cisco security and trustworthy computing mechanisms in these devices. Thrangrycat allows an attacker to make persistent modification to the Trust Anchor module via FPGA bitstream modification, thereby defeating the secure boot process and invalidating Cisco’s chain of trust at its root. While the flaws are based in hardware, Thrangrycat can be exploited remotely without any need for physical access. Since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security vulnerability.



ASR9000v in GNS3 -did anybody get the management interface working?

Hi guys

Did anybody get the management interface of ASR9000v working in GNS3?

thanks

mM



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Telnet question...ports

When using Telnet to test if a port is open, will it succeed even if there's nothing listening on the remote machine?

Bonus Question... Does PowerShell's test-netconnection -port work the same?



Filtering IBGP Routes or advertise defaults?

Hi All,

I'm working on setting up a BGP config on two MX80 routers. I have two Cisco 4500X switches in a VSS pair as the core.

I'm planning on taking full tables to the MXs, but what I'm concerned about is the 4500s. They only have 4 gigs of RAM, so I don't believe they'll be able to handle the BGP routes. So two options come to mind for me in this scenario.

Option one is to filter the IBGP routes to the core (perhaps not accept routes smaller than a /20 or larger?). I think this may give me stronger and more controlled routing options. But I'll leave you to judge.

Option two is to have the core not participate in BGP and just have the border routers advertise a default route via OSPF with different metrics. Let the border routers speak BGP (IBGP and EBGP).

Overall just looking for thoughts.

Thanks!



Alcatel switch automatic maintenance?

Does anyone know of any sort of Alcatel automatic maintenance that could be used in order to automatically disable any and all ports that are not in use at a given time?

I'm unsure if it doesn't exist or if I'm just not searching for the right thing. In the end we have over 100 switches in various locations, and we are trying to verify in-use ports and disable any enabled ports that are not in use.



simplest path for connecting a single remote branch office to main branch over WAN?

I have a main branch and one very small branch office down the road. The main branch uses a SonicWall NSA with fiber internet. Currently, the branch office connects to the main branch via point-to-point L2 over fiber and connects directly into our main branch LAN. This is costing us an arm and a leg.

I looked at it and figured that we could get the basic fiber package at the branch office and then connect the branch to main via SSLVPN and use SonicWall WXA.

What I am trying to figure out here is:

  1. What exact connection method should I be looking at? VPN, SSLVPN, etc?
  2. I don't think I need anything fancy with the branch SonicWall appliance since it's ONLY going to be talking to the main branch's static IP - so I would not care much about a bunch of bells & whistles, etc, I just want a single site-to-site VPN tunnel
  3. Any other way of doing this that makes the most sense


Did I brick my switch?

I decided to upgrade the firmware on my TP Link TL-SG105E. I was troubleshooting another issue, so the upgrade was unnecessary. Of course, the upgrade failed. Now the Easy Setup Config Util won't see the switch, even after a reset, but it still works. I just can't manage it. What else can I do, or should I just get another one? Thank you.



PXE/TFTP troubleshooting

Hey guys, I need a hand. I've run up a Server 2019 VM on my Win10 workstation to act as an MDT/WDS server.

The problem is, I can't get physical machines to boot off it. They get their DHCP lease, it hangs for a while, then times out.

The WDS logs tell me the machines are connecting to the server, but they fail when they try and transfer boot files over TFTP - the error I'm seeing in the log is 1460.

If I network boot a second VM on my machine, connected to the same switch as the MDT VM, it works.

It's a flat network with DHCP running on a separate Windows SBS 2011 box. Other machines on the network can see the MDT server and access the deployment share.

I've tried restarting the server, setting DHCP options 66/67, installing WDS on a different server, setting TFTP maximum block size to 1024 and 512, enabling/disabling variable window extension, and I'm running out of ideas. PXE response is set to respond to everything, I've even disabled the firewall on the server.

The main router is a Cyberoam (aka Sophos), and I'm starting to wonder if something in there could be impacting things.

If I try and run a tftp get from the host PC as a test, wireshark tells me the server receives the request and starts responding, but then receives retry requests for the file, as if the responses aren't getting through to the host.

Can someone please help?



Help! Configuring VoIP VLAN in a medium-sized environment

Hey all,

I'm a new Systems Admin for an MSP (I'm basically doing everything from systems to network engineering for our customers) and I'm looking for some advice on configuring a VoIP VLAN for a (somewhat large to me) environment of ~100 VoIP phones.

An overview of their setup:

Main building - A SonicWall NSA at the edge doing DHCP for their Workstations on a 192.168.10.0/23 subnet on the X0 interface of the SW. The SW is also doing DHCP for their VoIP phones in the main building on a 10.10.10.0/24 subnet on the X3 interface of the SW (no VLANs configured, just two separate subnets). They're using a Linksys managed PoE switch for the phones in this building which is assigned a static IP in the 10.10.10.0 subnet. The workstations are using different switches in the 192.168.10.0 subnet. The workstations and phones have dedicated ethernet drops (no daisy-chaining).

They recently added a second building to their environment and are using a ubiquiti AirFiber (bridged) to get network access over to the second building. They have another Linksys managed PoE switch in the second building currently with a static IP on the 192.168.10.0 subnet. Both workstations and the VoIP phones are connected to this switch and then back to the AirFibers, which are getting DHCP IPs on the X0 interface of the SonicWall.

I apologize if this seems simple, but I'm not quite sure where to start. I don't want to cause any unnecessary problems for them, so I'm just looking for some general advice on how to go about this. I need to do the setup remotely (although they have an IT person on-site that can assist me if needed). I've configured auto voice VLANs in small environments, but this one is making me nervous. Also, I'm not sure if going the auto voice VLAN route is even appropriate for this situation.

I'd really appreciate any and all advice! Thanks!! :)



Cisco DC or AWS?

I'm about to finish up my CCNP (with any luck on TShoot) and am planning for my next cert. I was talking to one of my former colleagues and mentioned I was going to go the AWS route to expand my horizons a bit, but still keep within the networking realm (somewhat). He suggested I go the Cisco Data Center route, because, to paraphrase him, there's always a data center at the end of the cloud.

I laughed him off at first, but it's definitely something that has stuck with me the last couple of weeks.

I know the choice is ultimately subjective and depends a lot on what I want to do in the future, but I'm wondering if anyone can weigh in on this some.

AWS or Cisco DC? Any benefits to either or has anyone done them and found them ultimately not very useful?



Weird issue with wireguard performance in one direction

So the last couple of days I have been testing out WireGuard to replace OpenVPN for the site-to-site connection between my home and my Azure cloud development infrastructure. At my home, I have 1Gbit symmetrical FTTH and the Azure DC in my city is like 3 blocks from my condo, so the latency is about 2-3ms.

The weird issue I am seeing when testing throughput with iperf3 is:

Home ------------->DC ~550Mbit/s

DC----------------> Home ~50-65Mbit/s

Both systems have more than enough CPU power to push 1Gbit. I am using the official WireGuard client for Windows as the client in my home and the server is Ubuntu 18.04 LTS.

Any ideas?



Load balancing between two areas in OSPF

Guys, is it possible to load balance among different paths in different areas?

As in this example https://imgur.com/8ZxEfMn, let's say that both routers are ABRs and share Area 1 and the Backbone. Also, there are three minimum cost paths between them: two in Area 1 and the other in the Backbone. If the traffic is sent between these routers, would they load balance using the three paths?



STIG Checklist script?

Anyone working a job that requires them to STIG switches (Cisco or otherwise)?

I'm working on (just started a few minutes ago...) a PowerShell script to check a txt file (switch running config) against STIG requirements. Wondering if anyone may have already done this. I'm horrible at PowerShell and dreading this already.
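As an added illustration of the approach described in this post (not the poster's script, and written in Python rather than PowerShell so it runs anywhere): a small checker that parses a running-config saved as text into blocks and evaluates it against a rule list, reporting per-block findings for VTY lines. The rule IDs (EX-nnn), the rules themselves and the sample config are constructed placeholders, not real STIG identifiers or checks.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str        # placeholder id (EX-nnn), not a real STIG V-number
    description: str
    pattern: str        # regex tried against each line in scope
    must_exist: bool    # True: finding if nothing matches; False: finding if anything matches
    scope: str = "global"  # "global" = whole file, else a block header prefix such as "line vty"


@dataclass(frozen=True)
class Finding:
    rule_id: str
    location: str       # "global" or the header of the block that failed
    detail: str


# Constructed rules. The exec-timeout rule treats "exec-timeout 0 0" (never time out)
# as non-compliant, which is what the negative lookahead in its regex enforces.
RULES: List[Rule] = [
    Rule("EX-001", "service password-encryption enabled",
         r"^service password-encryption$", True),
    Rule("EX-002", "HTTP server disabled", r"^ip http server$", False),
    Rule("EX-003", "enable secret used instead of enable password",
         r"^enable password ", False),
    Rule("EX-004", "VTY lines accept SSH only", r"^ transport input ssh$", True, "line vty"),
    Rule("EX-005", "VTY lines have a non-zero exec-timeout",
         r"^ exec-timeout (?!0 0$)\d+ \d+$", True, "line vty"),
]

# Constructed sample of a "show running-config" saved to a text file.
SAMPLE_CONFIG = """\
hostname sw1
enable password cisco123
!
service password-encryption
ip http server
!
line con 0
 logging synchronous
line vty 0 4
 access-class VTY_IN in
 exec-timeout 0 0
 transport input telnet ssh
line vty 5 15
 exec-timeout 10 0
 transport input ssh
"""


def parse_blocks(config_text: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS-style config into (header, indented_children) blocks.
    A non-indented line starts a new block; '!' separators and blanks are skipped."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            if blocks:                  # indented line belongs to the block above it
                blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks


def _evaluate(rule: Rule, lines: List[str], location: str) -> Optional[Finding]:
    """Apply one rule to a set of lines and return a Finding if the rule fails."""
    regex = re.compile(rule.pattern)
    hits = [ln.strip() for ln in lines if regex.search(ln)]
    if rule.must_exist and not hits:
        return Finding(rule.rule_id, location, "missing: " + rule.description)
    if not rule.must_exist and hits:
        return Finding(rule.rule_id, location, "present: " + "; ".join(hits))
    return None


def check_config(config_text: str, rules: List[Rule]) -> List[Finding]:
    """Return every rule failure in the config; an empty list means compliant."""
    blocks = parse_blocks(config_text)
    findings: List[Finding] = []
    for rule in rules:
        if rule.scope == "global":
            every_line = [h for h, _ in blocks] + [c for _, kids in blocks for c in kids]
            finding = _evaluate(rule, every_line, "global")
            if finding is not None:
                findings.append(finding)
        else:                           # per-block rule: each matching block is judged on its own
            for header, children in blocks:
                if header.startswith(rule.scope):
                    finding = _evaluate(rule, children, header)
                    if finding is not None:
                        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG, RULES):
        print(f"{f.rule_id}  [{f.location}]  {f.detail}")
```

On the constructed sample this reports the HTTP server and the enable password globally, and the telnet-capable transport and the disabled exec-timeout on "line vty 0 4" only, while "line vty 5 15" passes.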



Networking focused GitHub repositories?

I glanced over some FANG repositories the other day and found some interesting tools, but most of it was focused on systems or application development tools. Does /r/networking know of any GitHub repositories or projects that are worth checking out?



How was this router setup for remote access?

Hello, I have a router (ASR1001-x) that was configured for both remote access as well as a tunnel to Amazon VPC where we had Direct Connect. The crypto stuff is a little beyond me and I'm just wondering how one is able to remotely connect.

For starters in the config the vty is as follows:

line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class VTY_IN in
 exec-timeout 0 0
 logging synchronous
 login local
line vty 5 97
 access-class VTY_IN in
 exec-timeout 0 0
 logging synchronous
 login local

VTY_IN is the access list.

and the crypto is setup as follows:

crypto keyring <keyring name> local-address <amazon DXCON default gateway>
  pre-shared-key address 52.4.x.x key <key goes here>
!
crypto isakmp keepalive 10
crypto isakmp profile <profile name here>
   keyring <keyring name>
   match identity address 52.4.x.x 255.255.255.255
   local-address <amazon DXCON default gateway>
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set <ipsec name> esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile <ipsec name>
 set transform-set <ipsec name>
 set pfs group2

This stuff to me seems all related to the amazon dxcon tunnel. I'm unsure how anyone was able to remote in.



Can’t ping PoE cameras on switch

I’ve got an NVR+PoE switch setup to replace a broken NVR with a built in switch. My problem is I can see my NVR and ping it, but I can’t ping any of my PoE cameras that are plugged into the separate PoE switch.

I can see all my devices however, and nothing has changed from my previous setup (I.e. router and internet provider are the same).

I’m not sure where to start with troubleshooting this. I’m sure my switch is the correct one with 802.3t.



Expected response times in a healthy network

Hi

Does anyone have or could share expected response times for ARP, Neighbor Discovery, DHCP and DNS?

Monitoring software advices are welcome too.

Thanks.

PS:
LibreNMS and AirWave seem pretty good.



What kind of video content are you looking for when you are buying specific software? Trying to convince my boss to buy us a real IPAM :c

I'm not good at convincing people, so I thought it would be good to gather videos to do it for me. 2 months ago I made this thread asking about the value over free software:

( https://www.reddit.com/r/networking/comments/b3shrb/opensource_ipams_vs_paid_ipam/ )

The ones that stood out the most to our IT staff from the ones y'all recommended were Efficient IP and BlueCat.

We are mainly looking for a solution that performs an in-depth analysis of the DNS traffic and makes sure we have protection against all types of attacks, but personally, I think they might turn down our initiatives since we had issues with forced refreshes when we were using Infoblox.

"Formal training. If you have more than a few people who will be getting in on using the product, having a vendor managed, a thorough training course can help a lot. "

Do you think it would be good to show him a video like this one? https://www.youtube.com/watch?v=G-P7WUPMy1s



Config templating with GUI

I am sure it exists; there is an open-source project available already for anything I can imagine :)

I want to build a web interface where I can enter some information in a form; it will run a template and generate me a piece of config. Something like Ansible but more specific to templating, with an easy-to-use web interface, so as not to scare regular network guys with YAML :)

It's easy to do, but I am not a big fan of implementing UI. If something is available that I can tune, please let me know.

Thx



Layer 2 over ISP PPP not sending traffic

Hello, thank you for taking the time to read this.

I am having an issue with a Spectrum ISP Point to Point link from one office to our HQ.

It looks like this

{Remote Site} [Catalyst 9300 Access Switch] --Trunk--> [ISP PPP Modem] --PPP--> {HQ Site}[ISP PPP Modem] --Trunk-->[Cat9300 ACI Fabric Core]

The link comes up on both ends but is not passing traffic, the configuration on the Remote site Cat9300 is just a "switchport mode trunk" command, here is the connection on the fabric end: https://i.imgur.com/xZvaOEs.png

I am not sure what I am missing for passing traffic? A Protocol, etc?

No routes but it should be layer 2 per my understanding?

Thank you for any help!



Iperf3 Question

I'm trying to get a better understanding of throughput testing using iperf. Let's say I have a 100mb WAN link and I currently have traffic going over this link. If I did a throughput test on the link from a computer on one end to a server on the other end, both capable of 100mb, should the throughput show close to 100mb? Or does it take into consideration other traffic on the link? If other traffic on the link was using about 20mb, should the test show close to 80mb? I hope this makes sense.



E2000 Fiber Connector

Hi all!

I am right now studying fiber networking and I found myself amid some rumours about connectors.

There is a connector called E2000 that's becoming well known and used in the market.

I heard, though, that this connector is proprietary to some brand which I can't find out.

I would like to study it to eventually produce it, but since there are so many rumours going on around this I would like to know if any of you know anything about it.

Thank you!



Differing DNS Resolutions between contexts on the same Cisco ASA Firewall

Hi everyone,

I should start by saying I'm not a networking guy so I am hoping to get some assistance for some odd DNS behaviour we are seeing on our internal firewall ASA 5525 9.8.

Basically, when you Ping / Packet Trace / Show DNS host to push.webexconnect.com, depending on what context you are on, you receive different IP addresses back. This issue is manifesting internally by stopping us receiving Notifications for Cisco Jabber on our iPhones when the app is not open on the device (this was working until a few weeks ago). The push.webexconnect.com URL is used by Cisco to send traffic to Apple and for Apple to then relay that traffic via APNS which wakes up Jabber on the phone and displays the call Notification essentially.

The route the traffic takes is CUCM Publisher > FW Context 1 > FW Context 2 > Internet

Traffic is resolving as expected on the Context 1, and the IP addresses resolved are consistent with those we’ve tested externally (Google, Cloudflare, etc). Context 2 is listing different IPs which are part of Webex Cloud but I have not seen responses anywhere other than here.

Context 1:

Ping

Result of the command: "ping push.webexconnect.com"

Sending 5, 100-byte ICMP Echos to 62.109.230.142, timeout is 2 seconds:

Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

Show DNS

Result of the command: "show dns host push.webexconnect.com"

Name: push.webexconnect.com

Address: 62.109.206.142    TTL 00:01:05

Address: 62.109.230.142    TTL 00:00:55

Context 2:

Ping

Result of the command: "ping push.webexconnect.com"

Sending 5, 100-byte ICMP Echos to 66.163.36.125, timeout is 2 seconds:

Success rate is 0 percent (0/5)

Show DNS

Result of the command: "show dns host push.webexconnect.com"

Name: push.webexconnect.com

Address: 66.163.36.125    TTL 00:00:15

Address: 173.243.12.125    TTL 00:00:42

I checked the DNS configuration for both contexts. There were some minor differences in the ordering but otherwise both were the same. I corrected the ordering on Context 2 to match that of Context 1 and issued "clear dns host push.webexconnect.com", but this has not made any difference to the issue as it is still pulling in the 66. and 173. addresses.

First Context DNS Config:

dns domain-lookup "External Internet Context"

dns domain-lookup "Context 1"

dns server-group DefaultDNS

name-server 208.67.222.222

name-server 208.67.220.220

name-server 8.8.8.8

name-server (Internal DNS)

name-server (Internal DNS)

domain-name Company

Int-3rd DNS config:

dns domain-lookup Context 1

dns domain-lookup voice

dns server-group DefaultDNS

name-server 208.67.222.222

name-server 208.67.220.220

name-server 8.8.8.8

name-server (Internal DNS)

name-server (Internal DNS)

domain-name Company

To further muddy the waters, running a packet trace from our CUCM publisher to the URL, 4 times out of 5 it will not resolve the host name, which I guess could be related. This mismatch between contexts is the root of the issue, I believe.

Any guidance would be really appreciated on this as I am unsure where to go next.



ASA Upgrade/Downgrade questions

First time I've done this process before and was hoping for some advice. After googling many times and looking at documentation I'm still slightly confused.

I'm looking at upgrading code on an ASA cluster we have from 9.10(1) to a new patch 9.10(22) to fix a bug. This is the process I would follow; any tips would be appreciated, specifically on downgrading. Also, we've recently upgraded the Sourcefire code to 6.2.2, but from the documentation I note this will not be impacted by this work.

Before start take a copy of the configuration.

1.) Download the Software to both units and specify the new image to load with the 'boot system' command.

2.) Reload the standby unit by executing a 'failover reload-standby'

3.) When standby has reloaded and is in a Standby Ready State (show failover) we force a failover 'no failover active'.

4.) Verify failover to Standby and perform a reload of the former active unit 'reload'.

5.) When the former active (now standby) has reloaded successfully we force a failback 'failover active'.

In a scenario where I need to downgrade in case we see major issues with the FW during the upgrade - I've looked at the 'downgrade' feature in the documentation but I don't see its use case here and it's confusing me. As it's not a major release I presume I can set the boot system variable to the old code and perform the same process as above for the upgrade, but to downgrade. And the downgrade option is used in other circumstances, such as major releases where the config may change.

Thanks in advanced for any help.



Duplicate hops in traceroute

I have an odd issue on my hands. A user is complaining about slowness to an SAP server at certain times of the day [afternoon]. I asked them to do a traceroute and they replied. When things are fine the traceroute looks as one would expect. When things are slow, the traceroute shows a duplicate entry [with different ms responses] for every single hop including the first. So this explains why in the initial ticket they showed a ping result where the first ping goes through but after that they are all TTL expired.

Any thoughts?



Wi Fi Test Equipment

Hi all,

I'm on the hunt for some Wi Fi test Equipment, namely to be able to test the signal range and find the areas without coverage. So far the best thing I've found is this https://uk.rs-online.com/web/p/wi-fi-test-equipment/1354293/ but it's a bit expensive compared to similar devices used for mobile networks, does anyone know where I might find something a little less expensive?



Access Point Client (Bridge for ethernet device to wireless network) with Cisco Access Points

Hi,

We're currently replacing a Juniper wireless network infrastructure with Cisco Access Points. One of the problems we have is with Access Point Client bridges for ethernet-only devices. We use ATOP AW5500C in Client Mode to connect ethernet-only devices to our wireless network. With Juniper the AW5500C can connect to the wireless network and will have two IP addresses: one for the AW5500C itself and one for the device connected to its ethernet port. With the new Cisco Access Points this isn't possible anymore. Our Cisco wireless experts told me "It's not allowed to have two IP addresses with one wireless client".

Question 1) How can the AW5500C connect as a client to the Cisco Access Point?

Question 2) If the answer to question 1 is "never possible", then which other Access Point client bridge for ethernet-only devices can I use with Cisco Access Points?

Thanks for your help,

Patrick



PRO 1000 PT Vs i219v

Hi Folks.

I'm currently looking at dual port and quad port variants of the PRO 1000 PT on my desk and I'm curious to know whether there is a large performance difference vs an i219-v onboard ethernet adapter.

My goal is rock solid link stability and consistent latency. The onboard i219-v seems to be garbage when it comes to stability and responsiveness under Windows 10 and Linux (Arch, btw ;)). No matter how I tweak flow control and offloading etc.

Basically, what I'm seeing is random drop outs that occur for tiny fractions of time at random intervals. It's not a regular interval (like maybe every 15-20 minutes or so) and the link seems to go super laggy for a split second then comes back. Windows is much worse at recovering from this "micro drop" than Linux is.

In Windows if I'm doing a large file copy, the drop is long enough to break the file transfer, but short enough that there are no obvious signs a drop has occurred...barely detectable, like a fart in the wind. The only way I could spot it was to leave a ping rolling where I noticed when the drop occurs there's a smallish spike in latency for one packet.

CPU usage can be incredibly low and nothing else can be happening except the ping and it still occurs...less pronounced on Linux, but still there.

Usually, I'd just whack a PCIe card in and be done, but all I have to hand is a couple of relatively ancient server cards.

I can't see any significant differences between the newer chipset and the older cards but maybe you guys can point them out.

I should point out that I've tested the cables, switch, patching and swapped everything out and the same thing happens.

My guess is the i219v is just shit.



ASA - Azure :: Active-Active VPN

I need to migrate an active-active VPN to Azure from an ASR to an ASA ha pair.

This is a route based setup with vti's. On the current router we have 2 static routes to the azure subnets, one out of each relevant vti interface. The azure side is active-active.

Does this setup carry across to an ASA? My only concern is the "statefulness" of a FW. If we have two static routes, with the same metric, to the same Azure subnets, but via different VTI interfaces, will that mess anything up?

We have no ACLs on the tunnel interfaces so I don't think that will be an issue. But I'm curious if anyone else has done the same and if they saw any unexpected behaviour.

What I want to happen is that ASA sends out of any vti, and received from either vti, and doesn't care!



Wednesday, May 22, 2019

Multicast on Avaya 4550T & 36xx Switches

Need a sanity check here to see if I'm on the right path. I'm trying to lab some multicast paging devices before installing them at a customer's site. It will consist of some server units at one location and some receivers at a few other locations on an L3 MPLS network (going to need to tunnel over this). Recipient speakers will vary depending on which paging function is used. To mock this up I've set up an old Avaya 4550 switch with some SVIs on it in our lab and placed each device in a different VLAN based on what location it will live at once installed. I may hunt around for other switches later, but I also have an Avaya 3526 to use, though I don't think it will matter since the multicast docs on it are identical.

Where I'm stuck right now is my discovery/programming tool usually only finds the paging devices on the same VLAN as my laptop is plugged into. Every device is already configured with the correct IPs. I'd like to say the occasional discovery of other devices is a quirk or some misconfiguration on my part in the device/tool. I'm going to Wireshark and play with it more tomorrow to see what it's doing so I'm mostly concerned with the multicast parts. I've enabled IGMP snooping and IGMP proxy on each SVI and it looks like the switch sees all the joins and is happy with it.

To my knowledge, the network consists of a mix of my own Avaya 36xx series switches and my customer's Meraki stuff (firewalls/switches) but I'm going to try and get more details on the topology tomorrow just in case I'm responsible for some routing instead of just their Meraki stuff. I'm also unsure if I'll be able to make this work without PIM in the event that my switches are doing routing on the network since the docs for these switches don't mention PIM anywhere and I haven't been able to ? my way to PIM anything on the switches.

I THINK I need PIM at this point (PIM sparse mode in particular, from what I understand) to get across the VLANs on this switch and later my customer's network. I also found some stuff about mrouter ports but I'm not solid on what they're used for. From the documentation I've read, they're used for when you have more than one querier on a VLAN that the switch can see and you want to receive traffic from more than one. Is that correct or close?

Is it possible to reliably get multicast to route across a multisite network without PIM?



Cisco ZBF vs. Cisco ASA

Anyone here actually implemented/designed firewall segmentation with a Cisco router?

If so, what were the biggest differences between that and going for the ASA? ASA code seems to be a dying ship, but I like the familiarity of Cisco products and MPF.



Juniper SRX300 bandwidth limit using web GUI

We have a spare SRX300 and my team is insisting I use it for the new branch office. I prefer to use pfSense since it's easy to use (web GUI). Is there any way we can configure a bandwidth limit using its web GUI? Their web interface is kind of lacking in functionality. I try to avoid the CLI since it will be hard for my team mates to do troubleshooting.

My goal is, like in the pfSense setup:

Traffic coming from VLAN 11 will share 15 Mbps up/down, VLAN 12 5 Mbps up/down, and so on.

This is our possible setup (still considering replacing the SRX300 with pfSense):

internet -- srx300 -- cisco core switch -- L2 switches -- PCs 


Question about Multicast RPs

I have scoured the Internet, manufacturers' technical sites, books, and the search function on Reddit, but I cannot find the concrete answer I am looking for when configuring Rendezvous Points in multicast.

Should the RP be an actual L3 interface on the router, or is an interface-less IP sufficient for the RP? If it is an interface, what is the best practice interface? One exclusive to the RP?

I am assuming the RP IP not associated with an interface isn’t sufficient however I am uncertain. I am also betting that an IP exclusive to the RP is the best way to go.

Thank you everyone for checking this out, and I am working on a Juniper Platform.



Is there a way to know if a public IP that isn't in the RFC1918 ranges is used privately?


PAGP etherchannel caused stack-mgr to freak out.

Maybe there is an obvious gotcha, but so far I haven't found it.

The story so far...

I was creating a LAGG between a 9300 two member stack and a 3650 two member stack. I ran out of 10G interfaces on the 3650 end, so I thought I'd toss a 1G interface into the LAGG group as sort of a standby (I know you can't mix 10G and 1G interfaces since they run at different speeds).

If I configure the member interfaces with `channel-group 1 mode active` they come up as LACP, as expected, no problem. The problem is that sometimes the 1G would be `(P) - bundled in port-channel` while the 10G would be `(s) - suspended`, or vice versa.

Then I got the bright idea of giving 10G a higher priority... somehow.

PAgP's "port-priority" sounds promising. So I set the 10G interface to `pagp port-priority 1` and the 1G interface to `pagp port-priority 255`. Thinking everything looks ok, I `no shut` the 1G interface, and was about to `no shut` the 10G, when the 3850 seems to go offline (console dead, can't ping it). I eventually get on the serial console, and before doing anything else, I `shut` the 1G interface, since that was the last change. Right after doing that, I see a bunch of stack-mgr messages scrolling by... WTF?

Both stacks are using stacking cables, not virtual stacking. So I'm at a loss.

Is there a footnote on PAGP port-priority on stacked switches I'm missing?



Theoretical Network Security Question

I have a firewall gateway with all ports closed from external access. I have an internal host who reaches out to a web server on port 80, and generates an arbitrary port of 6000 for the return. If I set a port scanner on the firewall, when the traffic is returning, will I see port 6000 open on my firewall for external access?
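A small stateful-filter simulation of the scenario in the question (an added example, not from the post; addresses and ports are constructed, and NAT is left out to keep the state table readable):

```python
"""Simulate stateful return-traffic handling for the 80 -> 6000 question.

Added example, not from the original post.  All addresses and ports below
are constructed for illustration; NAT is omitted so the state table is simply
the outbound 4-tuple as the inside host sent it.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # constructed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """No inbound ports are open; only replies to tracked outbound flows pass."""

    def __init__(self):
        # Connection table keyed by the outbound (src, sport, dst, dport).
        self.state = set()

    def handle(self, pkt: Packet) -> str:
        if pkt.src.startswith(INSIDE_PREFIX):
            # Inside host reaching out: record the flow so its replies can return.
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Inbound packet: permitted only if it is the exact reverse of a tracked flow.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ALLOW" if reverse in self.state else "DROP"


def demo():
    """Walk through the question's packets and return the verdict for each."""
    fw = StatefulFirewall()
    client, web, scanner = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    results = {}
    # Client opens the connection from ephemeral port 6000 to the web server's port 80.
    results["client_to_web"] = fw.handle(Packet(client, 6000, web, 80))
    # The server's reply 80 -> 6000 matches the tracked flow and is let back in.
    results["web_reply"] = fw.handle(Packet(web, 80, client, 6000))
    # A scanner probing port 6000 from another address has no matching entry:
    # the port is not "open", it is only reachable by the one tracked peer.
    results["scan_probe"] = fw.handle(Packet(scanner, 40000, client, 6000))
    # Even the real web server cannot start a NEW connection to 6000 from a
    # different source port, because that 4-tuple was never seen outbound.
    results["web_new_conn"] = fw.handle(Packet(web, 443, client, 6000))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```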



Transparent VS explicit proxies

I have a question regarding configuration of these. Prefacing that I know that they work above the Layer 3 layer, so I'm more trying to determine how they interact with L3.

An explicit proxy is pretty easy, your browser has the settings configured to use the proxy to communicate and it points the web traffic to that address. All your underlying Layer 4 architecture works as it should, gateways are your routers out of the network or firewalls, etc...

How do transparent proxies work exactly? Does the router/firewall point to the proxy as a next hop? Does the proxy intercept ARP requests and provide its own MAC if it detects outbound traffic? Is it physically in-line behind a router and intercepts all protocol-appropriate traffic?

I've only ever worked with explicit proxies and a smidge not sure how transparent ones work in deployment.



What's your scripting success story?

I scripted the creation of IPSec VPN configs for ASAs based on user input. It checks existing configurations (policies, crypto maps, ACLs, etc.) to determine whether the new configurations are necessary, and omits them from the file if so. I'm proud of it, but I feel like there's a lot more that could be accomplished with SDN (if my example even counts), so I'm curious to hear your success stories to get some inspiration and whatnot.



Zeroconf networking and Avahi - how to?

I am currently exploring zero configuration networking with a set of devices on a network. I've spent a few days doing all research possible regarding zeroconf, and while I found loads of threads about how to fix problems, I didn't exactly find an article or anything that explained how to use something like Avahi. I have scoured the web and found that Bonjour and Avahi are two major implementations, and the purpose of zeroconf is that it minimizes the burden of going through each device on a network and setting up network services. I felt this subreddit was my best bet at getting some information on the subject. Since Avahi comes with Linux, I'm looking for help with learning how to use this rather than Bonjour right now. I guess at the moment, I have two main questions regarding zeroconf and Avahi (daemon):

  1. I thought a device would have to have an IP address in the first place to be able to be on the network. How does zeroconf set up network services for a device that has just been added to the network? As in, how can the device be discovered and set up if it doesn't even have an IP address?
  2. How does one go about using Avahi (specifically, the daemon)? I have checked so many sites and I keep finding people who have had issues with it, but I really am just looking for a how-to on using it, regarding commands and such. I may just not be searching with the right key terms (just been searching "mDNS", "zeroconf", "how to use Avahi"), so if anyone could point me in the right direction, that would be awesome.

Any and all help with understanding this is much appreciated!!

*EDIT: spacing



VOIP down. Data up. Initial look doesn't reveal anything obvious. No redundancy. Reload equipment or keep data up while isolating the problem? Why or why not?

I'm thinking more on the side of branch offices where we don't have high availability equipment. Our job is all about uptime. But sometimes power cycling a couple of suspect devices is faster than finding the exact problem. Would you take down another service in hopes to fix another one more quickly?

edit: what if it were data down and VOIP up?



Having issues connecting Fortigate 60E to Comcast Metro Fiber.

We have a super simple set-up, but I just cannot get this to work. Our network only has outbound traffic, nothing coming in for RDP, web hosting, or email since everything is hosted off site for security reasons. Because of this we don't have any WAN block IPs from Comcast except the one used for our Fortigate 60e, or whatever device is attached to the Ciena switch for the fiber.

The configuration Comcast gave me is as follows:
Link IP Address: 50.XXX.XXX.208/30
Gateway: 50.XXX.XXX.209
Layer 3 IP: 50.XXX.XXX.210
Layer 3 Subnet Mask: 255.255.255.252

I've configured the WAN port on the FG to be set to the Layer 3 IP, configured the IPv4 policy, and get nothing. If I swap from the fiber installation to the cable modem that is still active, and reconfigure the IP for that, the network has internet. I can ping the Ciena switch and the 50.XXX.XXX.210 ip for the WAN port from our server or any of our terminals, but still no internet.
So I plugged a laptop directly into the Ciena switch, set its IP to what the WAN port was configured to, and everything works.
Out of desperation I've even tried configuring static route for the Link IP address and gateway, but still don't get anything.
I feel like I'm missing something obvious that I need to enable, but I can't for the life of me remember what it is.
Any advice?



Tunnel From Cisco ASAv to Palo Alto

Hi guys, I've got an ASAv sitting in Azure. Let's say it has an "outside" interface with ip address of 192.168.1.1 for the Azure network.

In Azure, a static Public IP Address is assigned to that interface. We'll call it 10.10.10.2 (yes this is a private range, just an example).

When IKEv1 tries to negotiate Phase 1, it fails: IKE phase-1 negotiation is failed. Peer's ID payload 192.168.1.1 (type ipaddr) does not match a configured IKE gateway.

Now obviously, my IKE gateway is specifying the public Azure IP address of the ASAv... but when it gets the packet from the ASAv, the payload says 192.168.1.1 because that's what the ASA thinks its own IP address is.

I've got many tunnels to physical ASAs that don't seem to have this problem. I've been researching for a couple hours, but don't understand how I can resolve this, or why it doesn't happen on the other ASAs.

I'm a Server guy by trade, so maybe I'm missing something obvious here?



Interoperable QOS Woes

Just when I think I've gotten a handle on QOS something knocks me down.

I'm currently in an MPLS Environment where we need to work within a 4 queue structure with our carrier. We do get to choose various algorithms from them and queuing structures.

We were running zero qos before but predictably when we got congestion tons of user reports about critical traffic being dropped and the support desks response was to hunt down everyone browsing youtube on their breaks and shut them down... This wasn't sustainable.

So I put in a decent amount of time trying to finally learn a command other than auto-qos and we put in a hierarchical policy that I thought looked pretty good:

Example Parent Policy

    policy-map 200MB_SHAPE_CC_EDGE_WAN
     class class-default
      shape average 200000000
      service-policy CC_EDGE_TO_MPLS

Example Child Policy

    policy-map CC_EDGE_TO_MPLS
     class VOIP
      priority percent 30
     class NCONTROL
      priority percent 5
     class CRITICAL
      bandwidth remaining percent 60
      random-detect dscp-based
      random-detect ecn
     class class-default
      random-detect dscp-based
      random-detect ecn
      fair-queue

We chose this method because it allows us to have parent policies for all our different bandwidth metrics. Our largest site is 700mb and our smallest is 50mb.

After we implemented this all was right with the world for the last six months. We no longer get user reports when we max out our bandwidth.

Until this week. This week one of our larger sites at 200mb finally started hitting their max and our telecom team came running over showing that the RTP streams are experiencing loss.

Weird I thought... check the VOIP buffer and no drops. I reach out to our carrier and surprisingly they are very helpful they point that the issue may be with some of the QOS settings that aren't viable for a 200 MB link.

Specifically they stated the following three items:

rate correctly set at 200M but the bc and be are over scaled at 800000 bits each equaling a 100KB burst... the tolerance is 64kb... recommend adjusting the BC and BE values manually to define at 512000 each if the CPE will allow

Raise the queue limit of 833 to at least 1000 as it is too small for the 200M service.

As for the nested QOS, it is not an exact match to the ordered network of 30-06-42-22. The output shows the CPE is set 30-05- bandwidth remaining 60%. This entails that your AF tagging is not allocating 42% of your CIR; rather your AF and BE combined are claiming the remaining 60% of the bandwidth, which could account for further drops.

So I have a few concerns/questions I have been trying to google and understand, but it seems like every recommendation points me in a different direction. Hopefully someone here who has much more experience can weigh in and give me a hand.

Platform is ASR1001

On the ASR when going to set the BC and BE values the context sensitive help literally recommends against setting the BC and BE manually saying an algo will find the best value. Is this safe to ignore? Is there another Cisco feature that I should be using in order to more safely scale this correctly to match the carrier?

Queue Limits - I don't seem to have any control over the values that are set for the priority queues or the parent shaper. Is there something else I can do here?

The nested QOS is a fair issue. Cisco allows two priority queues and everything I found suggested VOIP and network control traffic should go in those priority queues. Our carrier only has one priority queue for EF traffic only. CS7/6 traffic would go into their P2 queue.

Is it better to just adjust our network control out of priority so it's easier to match the carrier? How do you all handle differing carrier policies and queues?
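The carrier's two numerical findings above (the 100 KB burst and the 30-05-remaining-60 mismatch) can be reproduced from the policy. This is an added example, not the poster's or Cisco's code; it assumes Bc = CIR x Tc with a 4 ms shaping interval when bc is left at the platform default, and reads the carrier's "30-06-42-22" as EF/P2/AF/BE percentages of the CIR.

```python
"""Reproduce the carrier's QoS numbers from the policy in the post.

Added example, not from the original post and not Cisco code.  Assumptions:
  * shape average derives Bc = CIR * Tc, with Tc = 4 ms when bc is not set;
  * the carrier's "30-06-42-22" means EF 30%, P2 6%, AF 42%, BE 22% of CIR.
"""

LINK_BPS = 200_000_000        # the 200M site from the post
DEFAULT_TC_SECONDS = 0.004    # assumed shaper interval (Tc) when bc is omitted


def shaper_burst_bits(rate_bps, tc_seconds=DEFAULT_TC_SECONDS):
    """Bc in bits for 'shape average <rate>' (Be defaults to the same value)."""
    return int(round(rate_bps * tc_seconds))


def bits_to_kilobytes(bits):
    """Burst size as the carrier quotes it (kilobytes, 1000 B per kB)."""
    return bits / 8 / 1000


def tc_for_burst_ms(rate_bps, bc_bits):
    """Shaping interval in ms implied by a manually chosen Bc at a given CIR."""
    return bc_bits / rate_bps * 1000


def effective_shares(priority_pcts, remaining_pcts, default_name="BE"):
    """Translate 'priority percent' plus 'bandwidth remaining percent' into
    shares of the whole link.  remaining_pcts is the percent of what is left
    after the priority queues; whatever is unassigned falls to default_name."""
    leftover = 100 - sum(priority_pcts.values())
    shares = dict(priority_pcts)
    assigned = 0
    for cls, pct in remaining_pcts.items():
        shares[cls] = leftover * pct / 100
        assigned += pct
    shares[default_name] = leftover * (100 - assigned) / 100
    return shares


def compare_to_carrier(cpe_shares, carrier_shares):
    """Return {class: (cpe_share, carrier_share)} for every class that differs."""
    return {
        cls: (cpe_shares[cls], carrier_shares[cls])
        for cls in carrier_shares
        if abs(cpe_shares[cls] - carrier_shares[cls]) > 1e-9
    }


if __name__ == "__main__":
    bc = shaper_burst_bits(LINK_BPS)
    print(f"default Bc at 200M: {bc} bits = {bits_to_kilobytes(bc):.0f} KB")
    print(f"carrier's 512000 bits = {bits_to_kilobytes(512000):.0f} KB, "
          f"Tc = {tc_for_burst_ms(LINK_BPS, 512000):.2f} ms")
    # The child policy: VOIP 30% + NCONTROL 5% priority, CRITICAL 60% of the rest.
    cpe = effective_shares({"EF": 30, "P2": 5}, {"AF": 60})
    carrier = {"EF": 30, "P2": 6, "AF": 42, "BE": 22}
    print("CPE shares of link:", cpe)
    print("differs from carrier:", compare_to_carrier(cpe, carrier))
```

Running it shows why the carrier objects: CRITICAL ends up with 39% of the link and class-default with 26%, not the 42/22 split the carrier queues.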



Why would you NOT want to let higher QoS/CoS tunnels expand?

I'm looking at an implementation where lower QoS/CoS tunnels are allowed to expand if there's unallocated bandwidth, but higher QoS/CoS tunnels are not allowed to. I'm having a hard time thinking of a practical reason for this that you would see in the wild.

The only thing I can come up with is that someone could spoof high priority traffic and cause a DoS attack, but in many cases you shouldn't be accepting the tagging of the incoming traffic, you should be deciding for yourself how you'll tag it.

Are there any other commonly seen reasons someone would want it this way?



Shared firewall with multiple customers

Hi everyone,

We run a small datacenter and mostly everything is just L2, with each customer having their own firewall. We do run a shared firewall on a Sophos SG210 running UTM, with each customer having their own VLAN, and we assign them a public IPv4 address which we just NAT to their specific VLAN, and we're not that happy with that solution. So now we're looking for a firewall that is meant to be used for multiple customers. What kind of firewall would you guys suggest as a multitenant firewall?

Thanks!



LPT: A shitty laptop and dumpcap for intermittent issues on a budget.

It happens to all of us, some weird random problem that happens after-hours or some especially whiny end user. It'd be a hell of a lot easier if you had a historical capture of the data within that timeframe right? Well, if you have a shitty desktop or laptop with a non-flash based HDD (more room typically) you can make that happen.

  1. SPAN, RSPAN or ERSPAN (or a hub, but that's a bad idea long term) the port or traffic to your laptop using the Googles (you want a port in the path of the affected user or their port)

https://ccie-or-null.net/2011/04/04/configure-span-session/

  2. Set up dumpcap

https://www.youtube.com/watch?v=WJM9wSR8PVM

  3. Review those sweet, sweet PCAPs around the timeframe and begin to correlate what's happening in your infrastructure around that timeframe.

  4. ???

  5. Profit

Edit: Add a second NIC to be able to manage the box, or you won't be able to get to it as a SPAN destination.



ISP Gateway providing ARP replies for our IPspace with differing VRRP Mac addresses?

Greetings Everyone!

Apologies for the length of the post, as I'm trying to provide as much context and documentation as I can. Trying to wrap my head around an issue we're having here. We have dual firewalls in an HA failover config. Each firewall has a physical IP and several virtual IPs configured for high availability VRRP when the firewalls are failed over. The VRRP virtual MAC addresses all start with 00:00:5e:00:01:0-VHID. Depending on the response, there are stretches of time where we lose connectivity - sometimes after a couple of hours, sometimes after a few days; I'm convinced as a result of some sort of ARP cache issue. The MAC addresses can be traced to our systems, so it's not a matter of duplicate IPs in their extended network since we share a subnet with their other customers. I found no rogue or unidentifiable MAC addresses; it's just that sometimes THE ISP gateway responds with the physical interface MAC and sometimes with the VRRP virtual MAC. We maintain 2 other HA firewall configs with differing IP space and ISPs that have the same type of configs, and both of those have been trouble free. This ISP is the only one that has been causing an issue, and it seems more frequent as time goes on.

I welcome any insight at this point. I feel like I'm going insane.

My Question:

  • Their gateway literally responds like a know-it-all grammar school kid to EVERY single arp request, answering on behalf of both of our physical IPs and virtual IPs. Sometimes the MAC addresses are the same, sometimes they differ. Sometimes it advertises the Physical MAC address and sometimes it advertises the VRRP Virtual MAC address (in the case of the Virtual IPs). For each ARP request, I receive 2 ARP replies, 1 from our system that's the target of the arping, and 1 from their gateway. Is this normal behavior that should be expected? Literally it answers for EVERYTHING associated with our IPspace.

As an example, here's the ARP table on our standby firewall with the primary firewall as active. I sent the below output (as well as traceroutes etc) to their tech team, and I got the verbal equivalent of eyes glazing over. Their level 3 support defaulted to "reboot the modem" which is something we've done at least once a week each time anyway. Rebooting the modem brought a couple of the Virtual IPs back, others remain an issue as noted below.

    (ISP_GATEWAY) at (ISP_GW_MAC) on bge4 expires in 1173 seconds [ethernet]
    (VIRTUAL_IP1) at (FW1_PHYS_MAC) on bge4 expires in 388 seconds [ethernet]
    (PHYSICAL_FW2) at (FW2_PHYS_MAC) on bge4 permanent [ethernet]
    (VIRTUAL_IP2) at (VIP2_VIRT_MAC) on bge4 expires in 1193 seconds [ethernet]
    (VIRTUAL_IP3) at (VIP3_VIRTUAL_MAC) on bge4 expires in 1183 seconds [ethernet]
    (VIRTUAL_IP4) at (FW1_PHYS_MAC) on bge4 expires in 1170 seconds [ethernet]

  • arping output and associated tcpdump. In the below case, it's responding with the physical MAC address of our primary firewall, while the primary firewall is responding with the Virtual VRRP MAC.

    ARPING VIRT_IP_3
    60 bytes from FW1_PHYS_MAC (VIRT_IP_3): index=0 time=165.729 usec
    60 bytes from ISP_GW_MAC (VIRT_IP_3): index=1 time=10.383 msec
    60 bytes from FW1_PHYS_MAC (VIRT_IP_3): index=2 time=183.767 usec
    60 bytes from ISP_GW_MAC (VIRT_IP_3): index=3 time=12.337 msec
    60 bytes from FW1_PHYS_MAC (VIRT_IP_3): index=4 time=181.841 usec
    60 bytes from ISP_GW_MAC (VIRT_IP_3): index=5 time=104.296 msec

    10:35:53.667220 ARP, Request who-has VIRT_IP_3 tell FW2_PHYS_IP, length 44
    10:35:53.667385 ARP, Reply VIRT_IP_3 is-at VIP3_VIRT_MAC (oui IANA), length 46
    10:35:53.677589 ARP, Reply VIRT_IP_3 is-at FW1_PHYS_MAC (oui Unknown), length 46
    10:35:54.667351 ARP, Request who-has VIRT_IP_3 tell FW2_PHYS_IP, length 44
    10:35:54.667516 ARP, Reply VIRT_IP_3 is-at VIP3_VIRT_MAC (oui IANA), length 46
    10:35:54.679669 ARP, Reply VIRT_IP_3 is-at FW1_PHYS_MAC (oui Unknown), length 46
    10:35:55.669868 ARP, Request who-has VIRT_IP_3 tell FW2_PHYS_IP, length 44
    10:35:55.670034 ARP, Reply VIRT_IP_3 is-at VIP3_VIRT_MAC (oui IANA), length 46
    10:35:55.774143 ARP, Reply VIRT_IP_3 is-at FW1_PHYS_MAC (oui Unknown), length 46

  • Here's another arping output for a different virtual IP. This time, the ISP Gateway MAC is responding with the Virtual MAC used for VRRP, which is identical to the local system (primary firewall) response. This particular IP address is pingable from the outside, but can't traceroute beyond the gateway. It hits their gateway and then times out beyond that.

    ARPING VIRT_IP_2
    60 bytes from FW1_PHYS_MAC (VIRT_IP_2): index=0 time=218.118 usec
    60 bytes from ISP_GW_MAC (VIRT_IP_2): index=1 time=9.392 msec
    60 bytes from FW1_PHYS_MAC (VIRT_IP_2): index=2 time=185.204 usec
    60 bytes from ISP_GW_MAC (VIRT_IP_2): index=3 time=11.139 msec
    60 bytes from FW1_PHYS_MAC (VIRT_IP_2): index=4 time=136.903 usec
    60 bytes from ISP_GW_MAC (VIRT_IP_2): index=5 time=124.488 msec

    10:48:02.686125 ARP, Request who-has VIRT_IP_2 tell FW2_PHYS_IP, length 44
    10:48:02.686345 ARP, Reply VIRT_IP_2 is-at VIP2_VIRT_MAC (oui IANA), length 46
    10:48:02.695503 ARP, Reply VIRT_IP_2 is-at VIP2_VIRT_MAC (oui IANA), length 46
    10:48:03.687297 ARP, Request who-has VIRT_IP_2 tell FW2_PHYS_IP, length 44
    10:48:03.687462 ARP, Reply VIRT_IP_2 is-at VIP2_VIRT_MAC (oui IANA), length 46
    10:48:03.698416 ARP, Reply VIRT_IP_2 is-at VIP2_VIRT_MAC (oui IANA), length 46
    10:48:04.688300 ARP, Request who-has VIRT_IP_2 tell FW2_PHYS_IP, length 44
    10:48:04.688423 ARP, Reply VIRT_IP_2 is-at VIP2_VIRT_MAC (oui IANA), length 46
    10:48:04.812769 ARP, Reply VIRT_IP_2 is-at VIP2_VIRT_MAC (oui IANA), length 46
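The two tcpdump captures above are exactly the evidence a detector for conflicting ARP replies should flag: more than one reply per request, and more than one MAC claimed for the same IP. The script below is an added example (not from the post); it parses `tcpdump -n` ARP lines and the sample it runs on is constructed from the post's own placeholder names.

```python
"""Flag conflicting ARP replies in tcpdump output, as in the post above.

Added example, not from the original post.  SAMPLE is constructed from the
post's line format and placeholder names (VIRT_IP_3, FW1_PHYS_MAC, ...); run
parse on real 'tcpdump -n -i <if> arp' output the same way.
"""
import re
from collections import defaultdict

# e.g. 10:35:53.667220 ARP, Request who-has VIRT_IP_3 tell FW2_PHYS_IP, length 44
REQUEST_RE = re.compile(r"^(?P<ts>\S+) ARP, Request who-has (?P<ip>\S+) tell ")
# e.g. 10:35:53.667385 ARP, Reply VIRT_IP_3 is-at VIP3_VIRT_MAC (oui IANA), length 46
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\S+) is-at (?P<mac>\S+) \(oui (?P<oui>[^)]+)\)"
)

SAMPLE = """\
10:35:53.667220 ARP, Request who-has VIRT_IP_3 tell FW2_PHYS_IP, length 44
10:35:53.667385 ARP, Reply VIRT_IP_3 is-at VIP3_VIRT_MAC (oui IANA), length 46
10:35:53.677589 ARP, Reply VIRT_IP_3 is-at FW1_PHYS_MAC (oui Unknown), length 46
10:48:02.686125 ARP, Request who-has VIRT_IP_2 tell FW2_PHYS_IP, length 44
10:48:02.686345 ARP, Reply VIRT_IP_2 is-at VIP2_VIRT_MAC (oui IANA), length 46
10:48:02.695503 ARP, Reply VIRT_IP_2 is-at VIP2_VIRT_MAC (oui IANA), length 46
"""


def parse_replies(text):
    """Yield (timestamp, ip, mac) for every ARP reply line in the capture."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac")


def find_conflicts(text):
    """IPs for which more than one MAC was claimed -> sorted list of those MACs.

    One IP answered with two different MACs is the VIRT_IP_3 case in the post
    (virtual VRRP MAC from the firewall, physical MAC from the ISP gateway)."""
    claims = defaultdict(set)
    for _, ip, mac in parse_replies(text):
        claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def replies_per_request(text):
    """For each requested IP, the number of replies seen after each request.

    Anything above 1 means a second station is answering on the IP's behalf,
    even when it advertises the same MAC (the VIRT_IP_2 case in the post)."""
    counts = defaultdict(list)
    for line in text.splitlines():
        rq = REQUEST_RE.match(line)
        if rq:
            counts[rq.group("ip")].append(0)   # open a new reply counter
            continue
        rp = REPLY_RE.match(line)
        if rp and counts.get(rp.group("ip")):
            counts[rp.group("ip")][-1] += 1
    return dict(counts)


if __name__ == "__main__":
    print("conflicting MACs:", find_conflicts(SAMPLE))
    print("replies per request:", replies_per_request(SAMPLE))
```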



CAT 6A patch cables?

Is anyone using cat 6a patch cables campus wide? We've got 6a runs across 75% of our campus but all of our patch cables are cat 6. Is this something I should start to be concerned about or is it still overkill?



Advice needed for POE+ distribution switches

Hey guys & gals,

Need your suggestions for a distribution switch replacement project. About 200-300 employees on site with more and more PoE gizmos to power (APs, SIP phones, cameras, blah blah...).

I am particularly interested in the models offering the higher power budgets with robust power supplies. Ideally 48 ports, all of them PoE+-capable.

Cisco is okay... but if there are other obvious choices out there that you can vouch for, then good!