Saturday, June 15, 2019

What sort of format do you use for your firewall policy names?

I recently went through and cleaned up my firewall rules on one of my gateways, and was wondering what a better naming convention might be. I've been using Source Interface > Destination Interface but it gets a bit lengthy and redundant since I see those interfaces in the row anyways. Any commonly used naming conventions that are more concise and nicer to read?



Friends can no longer connect to my game servers

Sorry, I'm kind of a dumbass when it comes to networking. As of recently (not sure what changed) in both Minecraft and Arma 3, it seems like nobody can access my IP address. I have all of the ports forwarded correctly and I tried turning off my firewall. What else could be blocking the connection?



T-Rex traffic generator/Tester... and others?

Hi all,

I have a multi-site WAN (MPLS) performance test planned for later in June. We are looking for good tools to run end-to-end.

Iperf is an old standby, but what else is out there?

I also came across T-Rex and it looks interesting: https://github.com/cisco-system-traffic-generator/trex-stateless-gui



Netgear switch not playing well with vlan

I've had this problem with my work's vlan for a few weeks now and I'm really stumped about what is happening.

IT set up a vlan for our department to use. During certain events they will run us a line and assign it to our vlan. There are some places in the facility where we have audio-video equipment and there is a permanent connection to our vlan.

IT ran us a line to a temp trailer for an event and we connected a brand new Netgear Prosafe 16 port gigabit switch (JGS516). Plug it in and no connection. The link light will sometimes turn green then turn off. Sometimes it won't even turn on. I've tried different ports, different cables. I've disconnected a whole group of devices in one of our AV rooms and it had no effect. A friend said it might be STP on the managed switch feeding us, but our IT department says they don't use STP on the network. This test

IT gave me a Netgear 8 port switch to try...works instantly. Connects to vlan, DHCP dishes out IPs etc. If I connect the vlan to the 8 port first then use a patch cable to connect to the 16 port gigabit switch this also works.

I also have an older Netgear 10/100 that used to work when I plugged in the vlan connection but now it doesn't even though I get solid green link lights on it.

Not really sure what else to try, or should I RMA the Netgear 16 port?



Recommendations for serial / console port usb adaptors?

My previous laptop died and with it the onboard serial port. I’ve got a temporary laptop but no serial port. I’m trying to find a new laptop with a serial port but they are thin on the ground, and I was wondering what the state of play is these days with usb > serial / console adapters.

Last time I played with them was maybe 10 years ago and I always had a lot of trouble with them. Are they any better these days and reliable enough not to need to worry about a built in serial port? If so what recommendations are there?

Ideally would like something that will work with most kit out there. Perhaps even with kit that requires a custom cable. If there is anything that can handle that at the software level even better to save carrying around a load of cables.

Thanks for any suggestions 👍



Real head scratcher. Can access internal network, can't access external.

One of our customers went offline today. Unable to remote into any device but I was able to access the firewall (Sonicwall). From the firewall I was able to ping every server and workstation.

I was able to get into the hyperv server via iDRAC. I could ping every device internally but I was unable to hit Google or anything outside the network. A reboot of the firewall seemed to fix the issue and I called it a day.

I received a complaint a little later in the day that a single computer couldn't access the internet. Went onsite and it had similar symptoms as before - the computer was receiving an ip from the dhcp server, I could ping everything inside the network, couldn't ping outside the network, and to make the issue stranger, I couldn't ping this computer from any other device on the network. Once again, a reboot of the firewall resolved the issue.

I was hoping reddit would have some suggestions on where to look. Verified no duplicate IPs, sonicwall is not doing dhcp, made sure signature 5 (EKE) was disabled. Nothing seems to be going on with DNS (all ping tests were via IP). There are no funny lan to wan rules.

I will likely end up opening a case with sonicwall on Monday if I don't see anything in the meantime.



Basics for Noob or Beginners just an Intro



enterprise WIFI for high density rooms

Hello,

I'm getting frustrated with my current wifi. Currently we have some hundreds of MikroTik hAP, wAP, cAP AC access points running with several CCRs in a controller-forwarding-based setup. The solution works ok when there are only a few clients connected to the access points, i.e. ~10 clients for each band. I say connected, i.e. there's actually not that much traffic, <<50Mbit/s on the access point. The problems start when more and more clients connect. Sometimes the traffic completely stops, and some clients do not get an IP address from the DHCP server which is running on the WiFi controller. It's not an STP issue either. On Mikrotik's forum you can find many topics about wireless problems, too. Mikrotik's support is non-existent in our case. I was told that they are working on a new wireless driver package; no timeframe was mentioned. Yes, Mikrotik writes its own drivers; they don't take ready-to-use kernel modules from the chipset vendors. The hardware itself is current, e.g. the cAP AC has an IPQ4018 ASIC (802.11ac Wave 2), and PoE in and PoE out is great, but I have to admit their wireless driver has low quality and offers only basic features. They don't even promote their access points as supporting "up to XXX clients", but why did they release e.g. a Wave 2 access point which could do more but lacks software support?

Ok, so here I am. I need access points for huge class rooms with 50 to 300 clients. Currently in those rooms I have 2 to 12 hAP/wAP access points (clear spectrum, 20 or 40 MHz channels on 5 GHz, non-overlapping with all neighbouring rooms). I don't want controller-based access points again. I will set up VRF instances and want Radius-based dynamic VLANs with locally tagged traffic for the clients on one single SSID. NAT would be done by an external firewall cluster, no more all-inclusive box.

What is my budget, you will ask: Currently nothing, I'm planning.

So I was looking around, e.g. HPE/Aruba:

  • Aruba 802.11ax AP-555: 600€
  • Mounting, 60W PoE injector: 50€
  • Aruba Airwave license: 30€
  • Aruba Airwave Support contract + failover for 5 years, starting at 800€ (for 1 device license)

plus taxes. We get huge educational discount from HPE, but counting everything together I'm at ~500000€, that's without new PoE switches.

So, for one room with 50 clients, I'd take the best single access point and hope for the best. Still I don't know how it will actually work.

Of course, there are way less expensive solutions (Grandstream 4x4 802.11ac Wave 2, 100€, Engenius 4x4 802.11ax, 300€) with no licensing cost at all which would also work with my existing 802.3at switches, but I think none of them have ever been tested with a huge amount of clients connected and therefore will fail like the Mikrotik devices.



Help please. How to configure AnyConnect VPN for employees in this scenario?

Hi everybody;

We want to configure Cisco's AnyConnect service to allow around 50 employees to connect to our offices via VPN. The problem with what you can see in the topology is that employees must point to one of our public IPs to link to our datacenter. The question is, if the ASA is below in the topology that I show you, how do I configure it properly so that users can connect correctly via VPN?

https://kxiwq67737.i.lithium.com/t5/image/serverpage/image-id/38349iC61231413FC1818D/image-size/large?v=1.0&px=999



P2P over proxy?

User U1 uses a peer-to-peer chat client that lets him connect to user U2 and initiate a chat session. The client creates an endpoint by binding U1's public IP address to some port and then generates a string which U1 can share with U2 via some other means (WhatsApp or whatever). The string basically encodes U1's IP address and port, which U2 can pass to the same chat client so that it can decode IP and port details out of that string and make a connection request to U1. Upon U1's confirmation, a session is successfully created.

My question:

a) Is the idea anywhere close to how peer-to-peer clients and libraries (like jitsi) work?

b) What if all the traffic to and from U1's client is (SOCKS) proxied and U2 gets the IP address of the proxy server instead? The connection request from U2 fails, right? How do real-world clients/libraries deal with (or avoid) such issues?



Cisco ASA and asymmetric routing

Ok, by default it is prohibited, however I have a need for it, if nothing else for ECMP balancing over AWS transit GW VPN, where ECMP balances over 2 VPNs which are set up as VTIs, so the ASA blocks asymmetric connections. As always, VTI seems like a quick add-on to the ASA that does not support all functions like interface zones. Any advice on how to implement this?



Friday, June 14, 2019

Does attempted WIFI connection, but no password sent, expose your info to that network?

Say you accidentally click on the wrong WIFI network among those broadcasting SSIDs from your phone. Then you immediately cancel without even attempting a password try. Is your login attempt and other information like your MAC address and device name already exposed to the network and the wireless access point router?

Basically, the moment you attempt to connect, the wireless access point already knows about it and it is already too late to back out even if you don't go through with the whole process to send a password? And that this action can in theory trigger a log?

Granted most home wireless routers are not sophisticated enough to log this stuff for their users, but just discussing this in an academic sense.

As a noob, from what I've read about the four-way handshake of the IEEE 802.11 standard, to even attempt a login the access point has already set up an AN-nonce for you and is awaiting your SN-nonce reply. Is that correct? So the router should already know you're there and at the bare minimum clicked login?

Or does this depend on the connecting client side too? Maybe the device doesn't go through with the handshake until after the password field is filled, and then it attempts the first connection to obtain an AN-nonce from the router only after the password is entered in software?



3Com (HP) switches and NTP

I have a 3COM 5500 switch which takes its time from a server. The server is showing a time of 14:45, for example, which is the correct time but the switch is showing 13:45 after a successful sync. I can apply the summer-time change to the switch but my question is, if the server is showing the correct time, why does the switch sync an hour behind? Is the switch picking up the time from the server as it is before the server makes its own daylight saving change perhaps?

It's not a massive problem as the summer-time command is fine but I was just wondering why it doesn't reflect the time on its reference server exactly.

I am in the UK so I'm using default UTC but that confuses me a little as 'timezone GMT' and 'BST' don't work in the cli.



New network engineer, need a bit of direction.

What tool do you use to document a network other than a monitoring tool? I'm tasked to learn the network but we don't have a network mapping tool and I am not sure if I am allowed to use one.

I guess I just need a bit of direction and see what some of you guys use.

Edit: For the past week I have been crawling the network using cdp (we are a Cisco partner) but it has felt inefficient. I however need to do it. I have some diagrams made for a few of the campuses



Decent QinQ endpoints?

So we've got a ton of Dot1Q VLANs that should have been QinQ stretched all over the place, and we're looking to clean it up.

Unfortunately the switches we have in place (dell Force10) don't have any provision for any complex topologies. They call QinQ "vlan-stack", with "vlan-stack access" being a port that takes Dot1Q tagged frames (C-Tags), wraps them in an S-Tag and forwards them along. The problem is that there can only be ONE S-VLAN on a given vlan-stack access port and there's no way to natively support topologies where some C-Tags get a certain S-Tag, while some other C-Tags get a different S-Tag.

So one option is to keep the customer facing port straight Dot1Q and use another pair of ports to loop some of them onto a given S-VLAN (burning 1 pair of ports on the switch per S-VLAN), and requiring every customer VLAN to be explicitly configured on the switch, etc. It works, but it's a nasty kludge.

A coworker suggested using Accedian NIDs for this purpose. The way he tells it we can just slap these things in-line and configure arbitrary tagging/untagging behavior. Pretty much what we're looking for. Issue is he's never used them for that purpose, no one else on our team is remotely familiar, and we also don't have any to quickly test.

Can anyone share some perspective on using them (or some other equivalent) devices for this purpose? Gotchas, etc?

He's got the task of "find someone we can buy this crap from", but if you've got recommendations for suppliers (we're thinking MetroNIDs for 1G, MetroNODEs for 10G), or a guess at how hard they're going to be to source, we'd happily take that as well.



Spine/Leaf - Overlay necessary?

Greetings,

Been a long time lurker here, and recently took (was voluntold to take) a more active role in network administration at my job. There may have been an RSTP issue a few weeks back that caused a production outage, and I am the only one who has some room in my schedule to address this. So I am somewhat new and trying to take a slow and structured approach to this.

I'm tasked with figuring out how to move up from an older Juniper design we have been limping along. We have 8 racks with virtual chassis EX ToRs, each has redundant aggregate uplinks to a 2 member virtual chassis 10g EX distribution switch, and finally a firewall cluster north of that. We only have 4 production VLANs plus I think 2 test VLANs, those gateways are on the firewalls.

Most diagrams I've seen seem to have two spines minimum, so I'm wondering if it would be worth it to split the distribution VC into separate spine switches. Assuming I do that, and go with eBGP on each link and private ASN per switch to put the L3 gateways on the leafs, my question is whether it's necessary for an overlay like VXLAN or if just eBGP is enough since we aren't a large or complex DC.

We have some home grown IPAM system and needless to say, huge chunks of the 10.x.x.x and 192.168.x.x networks available for IP ranges. Initially I was thinking of carving out eight /24's to represent the first prod VLAN, one /24 per leaf with the gateway assigned to an irb interface, and repeat for each additional VLAN. That also seems like a LOT of IPs to reserve so then I started considering using /25's to slim things down but I was concerned if that would over complicate this situation.

Or just scrap BGP altogether and try OSPF. I like the idea of AS prepending to bleed off traffic for maintenance though.



Palo Alto FW: filter help

Trying to write a filter on alerts

(( zone.src neq outside ) and ( name-of-threatid neq 'ZeroAccess.Gen Command and Control Traffic' ))

Instead of this being a classic AND, this is taking both individually. How do I fix this? Effectively I'm trying to filter this alert if it's sourced from the outside. I still care about it if it's from the inside.
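To see what the posted expression actually keeps, here is an added example (not from the post, and not Palo Alto's own filter engine) that parses that filter syntax and evaluates it over a few constructed alerts; the operator semantics (eq/neq, and/or, parentheses, left-to-right evaluation) are assumptions based on the text of the filter. It also evaluates the same predicate with "or", which is the De Morgan complement of "from outside AND this threat".

```python
import re

# Constructed sample alerts (not from the original post). "zone.src" and
# "name-of-threatid" are the two field names used in the posted filter.
ZA = "ZeroAccess.Gen Command and Control Traffic"
ALERTS = [
    {"id": 1, "zone.src": "outside", "name-of-threatid": ZA},
    {"id": 2, "zone.src": "inside",  "name-of-threatid": ZA},
    {"id": 3, "zone.src": "outside", "name-of-threatid": "Other Signature"},
    {"id": 4, "zone.src": "inside",  "name-of-threatid": "Other Signature"},
]

# Tokens: parentheses, single-quoted strings (which may contain spaces and the
# words "and"/"or"), or bare words such as field names, operators and values.
TOKEN_RE = re.compile(r"\s*(\(|\)|'[^']*'|[^\s()']+)")


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize near {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser for: expr := term (('and'|'or') term)*,
    term := '(' expr ')' | field ('eq'|'neq') value. Boolean operators are
    applied left to right (assumption; no precedence between and/or)."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse_expr(self):
        node = self.parse_term()
        while self.peek() in ("and", "or"):
            op = self.take()
            node = (op, node, self.parse_term())
        return node

    def parse_term(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        op, value = self.take(), self.take()
        if op not in ("eq", "neq") or value is None:
            raise ValueError(f"bad comparison starting at {tok!r}")
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]          # strip the quotes of a quoted value
        return (op, tok, value)


def parse_filter(text):
    parser = Parser(tokenize(text))
    node = parser.parse_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return node


def evaluate(node, alert):
    op, left, right = node
    if op == "and":
        return evaluate(left, alert) and evaluate(right, alert)
    if op == "or":
        return evaluate(left, alert) or evaluate(right, alert)
    actual = alert.get(left)
    return actual == right if op == "eq" else actual != right


def matching_ids(filter_text, alerts=ALERTS):
    """IDs of the alerts the filter keeps, i.e. the ones that stay visible."""
    node = parse_filter(filter_text)
    return [a["id"] for a in alerts if evaluate(node, a)]


# The filter as posted, and the same predicate joined with "or".
POSTED_FILTER = f"(( zone.src neq outside ) and ( name-of-threatid neq '{ZA}' ))"
INTENDED_FILTER = f"(( zone.src neq outside ) or ( name-of-threatid neq '{ZA}' ))"

if __name__ == "__main__":
    print("posted :", matching_ids(POSTED_FILTER))    # [4]: every outside alert and every ZA alert is hidden
    print("with or:", matching_ids(INTENDED_FILTER))  # [2, 3, 4]: only outside+ZA (alert 1) is hidden
```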



What is your recommended website/ store for purchasing networking supplies?

For reference, I’m in Long Island, NY. My small IT company is considering new sources for buying networking gear. Does anyone have any recommendations? Much appreciated.



Favorite text based resources for network design?

Hi!

I'm the sole IT staff of a private school that will be expanding from one campus to two campuses, and while I'm mostly able to handle the needs of my users, this is throwing me into totally new territory.

Over the coming months I'll be responsible for getting the new campus up and running. I'll need to set up a new AD server, as well as switches, router(s), WiFi, firewall and anything else we may need. I'd like to connect the two campuses, but will have to convince the powers that be of the value of this.

I'm in the early planning stages now, and I was wondering if there are any text resources (books preferably) for the design of a new network that you have particularly liked. If you have favorite websites or videos, I'm not averse to looking through those as well; however, in the initial phases, I find myself less likely to get lost in tangents when there are no links to click. Ideally, once I feel comfortable about what decisions to make regarding IP addressing schemes, the need for VLANs, and room for growth, I'll dive into the more technical details on each front.

I'd like to do my best to get this set up right from the get-go and save myself headaches later. Thanks for any recommendations!



Tools to test/benchmark the speed of DNS/TLS/SSL of a website

I need to do some tests/monitoring of website performance in terms of DNS/SSL resolving. I'm looking for a tool that you can automate/script and it should have the ability of not caching things.

CLI/GUI preferred over online options.



I’m contemplating a system that uses DNS logs to understand application dependencies. Network managers: would you allow such a (trusted) system to consume your DNS logs? Do you see any issues with this?

Juniper EX4550 trunk to 3750

I know this has been discussed before but here goes...

I am trying to trunk from a 4550 to a 3750 but traffic is not going through.

3750:

!
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20,1060-1069
 switchport mode trunk

Juniper:

# run show configuration interfaces ge-0/0/24
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members [ VLAN20 VLAN1060 VLAN1061 VLAN1062 VLAN1063 VLAN1064 VLAN1065 VLAN1066 VLAN1067 VLAN1068 VLAN1069 ];
        }
    }
}

After doing some research it seems that Junos does not play nice with IOS if you don't have a match on the native-vlan-id. Hence I am thinking of creating vlan1 on the Juniper and setting it as the native-vlan-id on the trunk port. Can anyone confirm if this is something that will be causing issues?



MPLS VPN - MP-BGP

Hello

I need to explain to my network operators how MPLS VPN works,
but I'm in no way a good teacher; also I have learnt this stuff with books and labs.

So my first try was really bad... (I tried to explain how a VPNv4 prefix is formed with the 32-bit IPv4 address and the 64 bits of the RD, but I forgot first of all to explain to them what an RD is....)

How would you explain this in an easy way without confusing them with BGP MP capabilities,

vpnv4 prefixes and so on?

Like, explain this question to someone with no deep know-how of BGP:

- how does a route in a VRF go over the network to the other site's VRF (with RR in mind)?

As for now they got how LDP works and how traffic is label forwarded.

Please help me... give me some hints.



Amazon Network Development Engineer interview queries

Hi r/networking, not sure if we entertain networking interview queries but I am taking my chances.

Has any of you interviewed for the Amazon Network Development Engineer role? If yes, what was the experience like? How is it different from the standard interviews that we take? I hear a lot about Amazon leadership principles and also that they will ask a lot of scenario-based queries rather than book questions on networking.

I was curious to know how they translate their leadership principle round for networking engineers. Also, in general, how difficult is their process? Any other inputs will be valued.



Juniper vMX for Labs

Hi,

I was wondering if there is any way to get vMX for lab purposes. I have seen that there is a trial that can be downloaded, but as I'm not a customer (I'm still quite new to Juniper), my account doesn't have the permissions.

Are there any tricks to getting access to this?

Thanks!

PS, I'm aware of vLabs, but I was wanting to see if I can create labs where I connect Cisco routers to Juniper.



IT management power struggles?

Is it me or is there a lot of pettiness between different departments' upper level management in IT within a single company? I see it a lot. Is this specifically more intense or harsh in the IT world, where you have management who used to be in high level technical jobs? Are people who are able to troubleshoot complex technical issues super critical and competitive in management positions against those who threaten their standing and power? Or have I been at my company too long and am now just jaded? Have any of you been wowed by surprisingly cooperative departments in a single company?



Thursday, June 13, 2019

How much does a CCIE help you when working under DoD?

Just curious. According to the 8570, it doesn't say anything about the CCIE. Working on CCNP right now and just wondering what my options should be going down the road. Does having a CCIE make you more qualified for certain jobs? Are there other IT jobs outside the GS-2210 series that require CCNP or CCIE? Or is a CCIE only really beneficial outside of the DoD?



Interview Question: If you had to build a WiFi network in Central Park, how would you go about doing it?

I was on a job interview today and was asked this question. It kind of threw me back because I had never thought about something of that scale before.

Without going into a long drawn out several paragraph explanation...how would you have answered this question with just a few broad stroke sentences?

Edit: Minus the smartass comments plz :P (I know it's hard...that's what she said) 2nd Edit: Maybe forget the fact that it's Central Park, replace that with a very large area the size of Central Park.



Cisco OEM Optics vs 3rd Party for new DC & Campus Core

Having a real hard time making a decision here; wanted to talk to get some opinions, insight, and experience from fellow infrastructure warriors. Thanks in advance for any stories and advice.

I'm currently working on a DC block and Campus LAN refresh with new cores and some access layer refresh. This includes a new C9606 chassis, N9K-9336c-fx, and C9410R for access density.

We are moving from 10G backbone MMF OM3 to 40G backbone with SMF. We have decided to go SMF for the future and not run any OM5 MMF.

The SMF optics for QSFP-40G-LR4-S 40GBASE-LR4 are $4500 an optic (after discounts) and we need upwards of 400k of them. Also some QSA module optics to help with the 10G to 40G migration. Currently we use vendor optics with full support and I don't have to worry about them, period, end of story. We normally buy all Cisco optics for our current MMF but the cost wasn't that high to second guess it.

Now I'm flirting with the idea of using 3rd-party optics but I've never used them in any environment. I could spend 50K for the same amount of optics and even have full backups saving 350K to spend elsewhere on upgrading the network.

For example, the same optic on fs.com is $279.00; it's insane the price difference.



Layer 3 Routed Network Upstream Gateway Issue

Hi folks. I’m at the end of my rope with my lack of advanced knowledge surrounding routing, and I need some help. I have struggled lately grasping routing concepts that should probably be general knowledge to me by now; so needless to say, I’m feeling a bit defeated and frustrated. I’m a visual learner by default, and networking is often hard for me because “concepts” are explained well with diagrams and visuals, but the actual programming of switches/routers, etc. are often not explained with any helpful visuals. Anyways…

I’m trying to get a brand new Layer 3 (L3) network up and running. We are using a core stack of some Netgear M4300s. I have successfully configured the internal network for VLAN/subnet routing. I have not gone through and implemented any ACLs yet, so at present, all VLANs can successfully ping one another with no issues. Internal subnet routing is working just fine.

My problem is the uplink to our gateway. We have a bit of a unique situation (well maybe not), and I fear I am overthinking something, or missing something minor. (I literally spent 12 hours on this yesterday trying to figure out what I was doing wrong—so long that my arm physically hurts from being on the mouse and googling things all day.) We have an intermediate link that will be used to carry traffic over a buried fiber (private) line to our actual ISP equipment; we are using two identical L2/L3 Extreme Networks switches to carry the connection over the fiber (this will sound silly, but yes, that is literally all they are doing is creating an L2 “conduit” between our buildings; they are dedicated because they were funded by E-Rate and can be used for nothing else other than our internet connection transport). Our link looks a little like this:

[Internal Network] <---> [Netgear Layer 3 Switch] <---> [Extreme L2/L3 Switch] <---> [private fiber] <---> [Extreme L2/L3 Switch] <---> [ISP Equipment w/ Cloud Fortinet FW] <--->|<---> (public internet)

I have this set up in a test environment right now because our actual building this is being installed in (we are a rural educational cooperative) is not ready yet. I’m trying to be proactive so that this stuff is ready to go and can just be racked up when the network closets are done.

I do not have access to the Extreme switches, as those are being installed on-site by the vendor we purchased from (and the building isn’t ready for that yet), so in my test environment, I’m currently going from the Netgear L3 Switch to my physical pfSense box (firewall/gateway).

I am unable to successfully ping out from any internal subnets to the pfSense gateway or back into the internal subnets from the pfSense gateway. The ONLY thing I can ping is between the two ports on the respective devices (I can ping from the assigned uplink port on the L3 Netgear switch to the receiving port on the L2 Extreme switch—and vice versa).

I wish to “terminate” the VLANs in the Layer 3 Netgear switch; I have no desire to forward those VLANs to the Extreme switches for any VLAN routing there because the VLANs won’t be used on those switches at all (again, they are just connecting our fiber at both ends).

Here is what I have done so far:

  1. Enabled routing on the Netgear, globally (i.e. turned Layer 3 on; it is off by default).
  2. Created all needed VLANs--with VIPs (virtual IP addresses) that assign each VLAN to their own appropriate subnet, then enabled routing for each VLAN, and assigned my ip helper addresses for DHCP addressing (which is working fine, btw). VLAN10 (which is where the networking mgmt plane now resides) has an IP of 172.30.0.10/21 (this is the IP address for the switch). I will list the rest of the VLANs below.
  3. Moved switches (mgmt IPs) off of native VLAN1 and onto VLAN10 for security reasons.
  4. Assigned an IP address to the physical port (on the Netgear switch) that is being used as the uplink port: 10.0.0.2/30. This port is 1/0/12. I have enabled routing for this port. It is set as a “general” port (not trunk since I don’t want to pass the VLANs to the upstream gateway). This port is in VLAN1, as the pfSense box cannot do a native VLAN change on its ports (it can see VLAN tags, but it can’t have its own port moved off of VLAN1). Since this port, along with all other VIPs are routing-enabled, I assume that this being in VLAN1 is no issue. (This would make sense since I can ping from an internal subnet—i.e. 172.30.XX.XX/2—to the physical uplink port of 10.0.0.2/30 with no issue.)
  5. Assigned an IP address to a free NIC interface/port on my pfSense box: 10.0.0.1/30. (I also created one firewall rule for this interface that allows ANY traffic from the Source Network (10.0.0.1/30) to ALL destinations (this is exactly how I have my homelab setup, as well, and I’ll explain that in a sidenote down below).
  6. Created a new default IP Route on the Netgear switch as follows: 0.0.0.0 (net address) 0.0.0.0 (netmask) 10.0.0.1 (next hop address). After this Route is created, this then shows up in the IP routes list with the additional column of “next hop interface” = 1/0/12.
  7. When creating the IP address on the physical port (IP 10.0.0.2/30 on interface 1/0/12) it automatically created the following IP route in the table: 10.0.0.0 (net address), 255.255.255.252 (netmask), 10.0.0.2 (next hop address), 1/0/12 (next hop interface)
  8. RIP is on by default; OSPF is off by default. I know very little about either of these or if I even need them for this setup, but it looked like I should have at least one protocol on, so I chose to leave the default RIP enabled. I’ve tried it with it disabled but saw no change that I could tell.

Based on everything I have tried to read up on the internet and in the Netgear M4300 guide, this should be all that is needed to make the upstream gateway active.

Now, I’m fully aware that there could be something odd with my pfSense box that may not be the case when this setup is moved to production with the Extreme switches, but the fact that I can’t ping out to the gateway from the routed internal network OR ping back in to the routed internal network from the gateway is troubling. I have to be missing something simple, right?

(Sidenote: on this pfSense box, I have another interface that I have in an exact same setup—different port IP address & subnet of course—to act as the upstream gateway for my homelab equip (homelab uses different subnets then what I’m using here, so no conflicts there) and it works just fine. I’m using a Layer 2 HP switch with one of its ports going to the upstream pfSense gateway, with the rest of my home lab network running on that HP switch; nothing in this setup above is using the HP switch, btw. Anyways, the point in me explaining all of this is that pfSense works fine as the upstream gateway for my homelab. I know that the pfSense box can be the upstream gateway and provide the internet connection to the downstream equipment. The only difference is that my homelab is not a routed VLAN network.)

Can anyone, just by reading this, pinpoint something stupid/minor that I forgot that is breaking this setup? Is there some kind of NAT that I need to setup on the pfSense? (And if so, can you explain it to me like I’m 5—ELI5—and also explain if (and how?) I’ll need to set that up on the production Extreme switches?

Here are the rest of my routed VLANs:

· VLAN10: 172.30.0.0/21 with VIP of 172.30.0.10 (networking management plane VLAN; yes, I’m aware this doesn’t match the “pattern” of my other subnets, but is valid nonetheless)

· VLAN20: 172.30.8.0/21 with VIP of 172.30.15.254 (“servers” VLAN; DHCP resides here that hands out addresses for all subnets)

· VLAN30: 172.30.16.0/21 with VIP of 172.30.23.254

· VLAN 40,50,60,70,100,200,300, and 500 follow the same exact pattern as above for VLAN20 and 30.

I have been doing most of the setup in CLI for this (easier for bulk changes) and then using the web GUI to verify my settings along the way. Here are some shots of the Web GUI for the items I laid out above.

[Screenshots, not reproduced here: General, VLANs, Port Config, Port PVID, IP Routes, Interface Config, VIPs, pfSense interface config, pfSense firewall rule]

I feel like I’m in a black hole right now trying to figure this out. I appreciate anyone who takes the time to read through all this crap to help me out. One of the reasons I have been so detailed here is the complete lack of information I could find online for this exact scenario. Maybe I was not searching for the correct things, but I’m hoping this post will get picked up by the ol’ search bots for someone in the future who finds themselves in this same situation.

Thanks again, all.

(P.S. – I leave for vacation on Sunday; I likely won’t be able to reply until I return, but I will come back to reply to any questions posed AND to update the fix for this when I do get it figured out so that this thread has a SOLUTION for future reference.)

X-Post with /r/NETGEAR



[HELP] Help regarding SNMP

Hello everyone, I have exams soon and have some questions regarding SNMP. I have some understanding issues and would appreciate any help.

Questions:

  1. Do I need a MIB table to translate an OID to "human readable" output? Or is there another way without a MIB?

  2. Let's say the manufacturer of a device does not release a MIB (or you're not able to find it), and you MUST monitor a specific network device. Which steps would you take to still monitor the device even without a MIB table/without any translation to "human readable" information?

  3. How difficult is it to create your own MIB table for a specific device? Are the OIDs on every device the same? For example (an example I thought about): Device A - OID Sys.Info = 123; Device B - OID Sys.Info = 123 or 234? Can Device B have the same OID 123, or can't it because it's already registered for device A?

I appreciate any help. Have a nice evening everyone!!!

Thanks in advance
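
As an added illustration (not from the post above) of what a MIB provides for question 1 and why question 3 splits into "standard" and "vendor" OIDs: a minimal OID-to-name resolver built from a hand-written prefix table. The table is a small subset of the standard SNMPv2-MIB/IF-MIB nodes plus the enterprises node; the "Sys.Info" OIDs in the post are the poster's made-up example, so they are not used here.

```python
"""Minimal OID name resolver built from a hand-written prefix table.

Added example, not from the post: it shows what a MIB actually provides
(a tree of names keyed by OID prefix) and why, without one, values come
back numeric. The table below is a small subset of the standard
SNMPv2-MIB/IF-MIB nodes; 9 under enterprises is Cisco's IANA PEN.
"""
from typing import Optional, Tuple

OID_NAMES = {
    "1.3.6.1": "internet",
    "1.3.6.1.2.1": "mib-2",
    "1.3.6.1.2.1.1": "system",
    "1.3.6.1.2.1.1.1": "sysDescr",
    "1.3.6.1.2.1.1.3": "sysUpTime",
    "1.3.6.1.2.1.1.5": "sysName",
    "1.3.6.1.2.1.2": "interfaces",
    "1.3.6.1.2.1.2.2.1.2": "ifDescr",   # interfaces.ifTable.ifEntry.ifDescr
    "1.3.6.1.4.1": "enterprises",
    "1.3.6.1.4.1.9": "cisco",           # IANA Private Enterprise Number 9
}


def resolve(oid: str) -> str:
    """Translate a dotted OID to 'name.rest' using the longest registered prefix.

    Sub-identifiers below the deepest known node stay numeric, which is
    exactly what a MIB-less tool shows for vendor-specific objects.
    """
    parts = oid.strip(".").split(".")
    for n in range(len(parts), 0, -1):
        prefix = ".".join(parts[:n])
        if prefix in OID_NAMES:
            return ".".join([OID_NAMES[prefix]] + parts[n:])
    return oid                      # nothing known at all: fully numeric


def classify(oid: str) -> Tuple[str, Optional[int]]:
    """Answer to 'are OIDs the same on every device?'.

    - objects under mib-2 (1.3.6.1.2.1) have the same OID and meaning on
      every SNMP agent that implements them;
    - objects under enterprises (1.3.6.1.4.1.<PEN>) are private to the
      vendor owning that PEN, so two vendors never share a subtree.
    Returns ('standard', None), ('enterprise', PEN) or ('other', None).
    """
    parts = [int(p) for p in oid.strip(".").split(".")]
    if parts[:6] == [1, 3, 6, 1, 2, 1]:
        return "standard", None
    if parts[:6] == [1, 3, 6, 1, 4, 1] and len(parts) > 6:
        return "enterprise", parts[6]
    return "other", None


if __name__ == "__main__":
    # Constructed sample of varbind OIDs as a MIB-less walk would print them;
    # 99999 is a hypothetical PEN, not a real vendor.
    for oid in ("1.3.6.1.2.1.1.3.0", "1.3.6.1.2.1.2.2.1.2.3",
                "1.3.6.1.4.1.9.9.13.1.3.1.3.1", "1.3.6.1.4.1.99999.1.2"):
        print(f"{oid:32} -> {resolve(oid):28} {classify(oid)}")
```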



DNS/SSL performance domain vs domain

https://i.imgur.com/ilClL0u.png

I have two domain names registered with 2 different registrars, both pointing to the same website. Making a first request (when loading one and the same webpage) via one of the domains takes twice as long as via the other (see screenshot for details). There is a single SSL certificate in use listing both domains (issued by AWS). One of the domains is an IDN containing non-Latin characters, if that matters.

One of them is a third-level domain [xxx.yyy.tf] pointed to the website via CNAME and the other one is a second-level domain [zzz.top] pointed to the website via ALIAS.

Why is there such a difference in performance, and what can be done to make things better? What do I investigate/test next?



Abnormal Traceroute behaviour

Got a quick question based on an odd thing I saw today.

If I do a traceroute to an IP address and say after 12 or so hops I get to the destination address... and traceroute keeps going until the 30 hop limit and times out, all the while showing the same destination IP I got after hop 12. Is that indicative of a routing loop stuck behind a NAT? I am pretty sure it is, but I just wanted to check.



Connecting Two Networks

Hello! I am hoping someone can help brainstorm with me.

I have two physical networks. We can call them network A and network B.

Network A consists of production machinery. Network B consists of end user devices and has access out to the Internet.

Recently, we added a server on network A that needs to send reporting out over the Internet, as well as allow remote connections to it via TeamViewer.

My question is, can I just plug a switch port on network A into a switch port on network B so the traffic that needs to go over the Internet can? Normally, I would put a router between the two networks, but I’m not sure I have the time/resources to do that.

Any thoughts or opinions are greatly appreciated!

Thanks 🙏



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Poll: How many of you have structured cabling in your data centers, and how many just run end-to-end patch cables across the length of the room?

Personally, I think that there should be a special place in hell reserved for long ass patch cables from a central location to endpoint devices in a data center.



What sort of monitoring software would you use for over 7000 devices?

I am curious what ISP level networks use for monitoring their equipment. Would something like Solarwinds or Zabbix be fit for the job?



Who do I hire to configure a camera system for my budding small business?

I just need a company to help me make sure my wireless cameras are configured correctly, they're storing data the right way, and they're sitting on their network correctly so they don't interfere with my POS system. I don't have a ton of money, and when I google for IT contracting services in my area I get a lot of huge companies that do project planning and such. I think I'm just googling for the wrong things. What should I be looking for?

Thanks!



DHCP snooping with wireless roaming - enable or not?

Hi

Protecting against both rogue IPv6 and IPv4 DHCP servers with DHCP snooping usually looks like a good thing to do; however, while thinking about how it works and experimenting with it, I came to realize that in theory and also in reality it does impact roaming for wireless clients on APs that are connected to a switch that has DHCP snooping enabled on the given VLANs. (Considering the APs are not using any tunneling protocols like CAPWAP, more how UniFi APs work.)

The DHCP binding is registered to the switch on the port the wireless client has connected to first and thus gets denied after roaming to another AP on the same switch.

I've come across a Cisco forum where they discuss a possible workaround with 'authentication mac-move permit'; however, my switches are not from Cisco and I've tried to think out of the box about how others might have searched on that.

TL;DR: Is there a way to protect from rogue DHCP servers in wireless environments or is DHCP snooping (by default) asking for trouble in such situations?



Need help understanding how this could be done.

The issue at hand is that my area does not have fiber optic laid out; only copper is laid out, which is really slow anyway. So the only current subpar solution is a 4G modem.

I have two solutions in mind but I don't know how viable they are and how exactly they would need to be done.

The first solution would be asking around ISPs about a satellite dish receiver or something of that sort, but I am not sure what to even ask them for with this method.

The second would be a wifi extender or something of that sort, because one of my relatives lives only 1.2 miles (1.9km) away and they have fiber which can go up to 1GB/s.

P.S. The ISPs have been promising to lay out fiber optic for years now and it does not seem that this will ever happen.



Qwest/CL outage in Chicago area today

Anyone face an issue this morning starting around 9am GMT? We had an outage for around 3 hours and CL has stated the outage was due to a failure of routine maintenance.



Anyone else use strategies like this to make their ACLs easier to read?



No Documents....

Hey peeps,

So looking for a little advice. I started a network engineer position Tuesday, and I'm a little nervous. On my first day it's become a habit to look for documentation on the network, especially on new things I have yet to really touch, and while looking, SURPRISE! Barely any documentation to be found. The last engineer worked here for 9 years, kept almost everything in his head, and told everyone before I got here that "documentation wasn't his thing, and any engineer who can't put it together isn't worth his salt". So here I am, on a wild goose chase trying to find switch, router, VPN, and VLAN IPs, ranges and information, phone numbers, and everything else, all while trying to figure out the new monitoring tools, firewalls, and VPNs I will be working with. I'm confident I can pull everything together with a lot of Google, and so far days of investigating and looking into every switch and router I've come across, but I'd be lying if I said I wasn't nervous and a bit overwhelmed, because this isn't a small company. I think this turned into more of a rant, but any advice on ways to make this smoother would be greatly appreciated.



How to get started with network automation

Hello.

The evolution of networking asks us to learn network programming.

In my case I did the Python for networking course from David Bombal and I'm currently following his course on Ansible for networks.

Now I have some basics in Python for doing basic tasks on GNS3 labs.

But how do I really get started with network programming?

I mean network programming is not only using Python modules and Ansible.... There is the SDN stuff, controllers, APIs... How do I get started with those? I heard manufacturers each go with their own stuff.



How do I get a Palo Alto Customer ID?

I need to test out a PA solution before I pitch it to a client. After trying for two weeks to get CDW to give me a price on a lab unit, I gave up and bought a used one on eBay. The guy is ready to transfer ownership to me, but it turns out I can't create a Customer Service Account without a Customer ID - which I don't have. I've reached out to PA sales but got no response.

If I need to purchase a support contract I can do that, it's not like I have no budget here. Maybe there's some trick like "buy one SFP so you can get a customer ID".



RD and RT allocation and tracking

Hi All,

Currently I operate a small SP type network with only a handful of PE routers and a relatively small number (<150) L3VPN / VPLS services.

At the moment we manage all of our circuits and RD/RT assignments via a spreadsheet. While this has been working well for the small number of services we provide atm, I can see this getting out of hand. Also as we are looking to move to automate the provisioning of our VPN services, this got me thinking of a better way to manage this information.

My first thought was to simply create a database which contained all of the relevant information that I could query with my provisioning scripts, but I would still need to seed the relevant information into the database prior to creating the service.

Does anybody have any recommendations on pre-built tools which they utilise for similar functions? Ideally we would utilise this system as the source of truth for all provisioned services, so it would need to contain all the relevant information to provision the service - PE router, interface, RD, RT, circuit size etc. Ideally something with an API that I could query directly would be handy.

I have had a google and there seem to be a few options around for circuit management but most of this seems to be geared to physical circuits. As always budget is tight so the closer to $0 the better.

Cheers.



Cisco Nexus 5000 Series & Dell PowerConnect S4148U-ON - Fiber Channel Link

Firstly, my knowledge of FC is dangerous, so be gentle if I get some terms wrong - here goes:

We have a scenario where we have two sites that are linked via fiber; one site has a Cisco Nexus 5000 series switch and the other has a Dell PowerConnect as stated in the title. There is a need for hosts at both sites to be able to communicate with SANs at both sites via FC. My question is: how do I configure the FC ports on both the Nexus and Dell switches to get this connection up and running? I assume it has to be done by using FC over IP, but not at all sure.

Has anyone done this before?



Lancom to Palo Alto VPN

Hello :)

I currently have some trouble setting up a site-to-site VPN between a Lancom 1783va-4g and a Palo Alto PA-220 to connect the two local networks (192.168.100.0/24 on the Lancom and 192.168.4.0/24 on the PA). The PA is behind another firewall (192.168.0.0/24) which has the public IP address and routes ports 500 and 4500 to the PA; the NAT and routing are not a problem tho. Both sides have a static IP address. I am pretty new to Palo Alto so sorry if I forget something.

The outgoing connection on the PA to the other firewall is on ethernet 1/1 (192.168.0.1) and my local net which I want to connect with the VPN is on ethernet 1/3 (192.168.4.254). I have set up the IKE Gateway for 1/1, configured the IKE Crypto and IPSec Crypto, configured the IPsec Tunnel with a Proxy ID (since Lancom is policy-based VPN) and configured a tunnel for the VPN security zone.

The Lancom connects with the PA and IKE phase-1 works fine as far as I can tell from the logs.

With IKE phase-2 there seems to be a problem with the SA payload from the lancom:

IKE phase-1 negotiation is started as responder, aggressive mode. Initiated SA: 192.168.0.1[4500]-x.x.x.x[4500] cookie: ******************************.

IKE phase-1 negotiation is succeeded as responder, aggressive mode. Established SA: 192.168.0.1[4500]-x.x.x.x[4500] cookie: ****************************** lifetime 2800 Sec.

IKE phase-2 negotiation is started as responder, quick mode. Initiated SA: 192.168.0.1[4500]-x.x.x.x[4500] message id: *********.

IKE phase-2 negotiation failed when processing SA payload. no suitable proposal found in peer's SA payload.

IKE protocol notification message sent: NO-PROPOSAL-CHOSEN (14).

The Lancom doesn't offer much help:

VPN: Error for peer PPA-220: IPSEC-I-No-proposal-matched

Disconnected from peer PA-220: VPN-no-channel

The problem seems to be with my PA config, maybe someone has an idea how to fix that. It's probably something kinda obvious but my mind is kinda stuck atm.

The PA config:

https://imgur.com/a/Nqx2UHw

Any help appreciated.
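
As an added triage example (not part of the post), a small script that parses the PA-220 log lines quoted above and reports which phase failed, at which stage, and with which notification. SAMPLE_LOG is the post's own lines; the diagnosis strings are this example's, based on the standard meaning of NO-PROPOSAL-CHOSEN in quick mode (the responder found no acceptable IPsec proposal).

```python
"""Triage of PA-220 IKE negotiation log lines (added example, not the post's code)."""
import re
from typing import Any, Dict, List

# The log lines quoted in the post, unchanged.
SAMPLE_LOG: List[str] = [
    "IKE phase-1 negotiation is started as responder, aggressive mode. "
    "Initiated SA: 192.168.0.1[4500]-x.x.x.x[4500] cookie: ******************************.",
    "IKE phase-1 negotiation is succeeded as responder, aggressive mode. "
    "Established SA: 192.168.0.1[4500]-x.x.x.x[4500] cookie: ****************************** lifetime 2800 Sec.",
    "IKE phase-2 negotiation is started as responder, quick mode. "
    "Initiated SA: 192.168.0.1[4500]-x.x.x.x[4500] message id: *********.",
    "IKE phase-2 negotiation failed when processing SA payload. "
    "no suitable proposal found in peer's SA payload.",
    "IKE protocol notification message sent: NO-PROPOSAL-CHOSEN (14).",
]

# Phase events: "is started"/"is succeeded" carry role and exchange mode;
# "failed" carries the stage ("SA payload") and a free-text reason.
PHASE_RE = re.compile(
    r"IKE phase-(?P<phase>[12]) negotiation (?P<event>is started|is succeeded|failed)"
    r"(?: as (?P<role>initiator|responder), (?P<mode>\w+) mode)?"
    r"(?: when processing (?P<stage>[^.]+)\.\s*(?P<reason>[^.]+))?"
)
NOTIFY_RE = re.compile(
    r"IKE protocol notification message (?P<direction>sent|received): "
    r"(?P<name>[A-Z-]+) \((?P<code>\d+)\)"
)


def parse_ike_log(lines: List[str]) -> Dict[str, Any]:
    """Fold the log into one state record: outcome per phase plus failure details."""
    state: Dict[str, Any] = {
        "phase1": "not seen", "phase2": "not seen",
        "role": None, "mode": {}, "failure": None, "notification": None,
    }
    for line in lines:
        m = PHASE_RE.search(line)
        if m:
            key = f"phase{m['phase']}"
            if m["event"] == "is started":
                state[key] = "started"
                state["role"] = m["role"] or state["role"]
                if m["mode"]:
                    state["mode"][key] = m["mode"]
            elif m["event"] == "is succeeded":
                state[key] = "succeeded"
            else:
                state[key] = "failed"
                state["failure"] = {"phase": key, "stage": m["stage"], "reason": m["reason"]}
            continue
        n = NOTIFY_RE.search(line)
        if n:
            state["notification"] = {"direction": n["direction"],
                                     "name": n["name"], "code": int(n["code"])}
    return state


def diagnose(state: Dict[str, Any]) -> str:
    """Map the parsed state to the configuration area to compare with the peer."""
    notif = state["notification"] or {}
    if state["phase1"] != "succeeded":
        return ("phase-1 (IKE SA) did not complete: compare IKE Crypto profile, "
                "exchange mode, pre-shared key and peer identities")
    if state["phase2"] == "failed" and notif.get("name") == "NO-PROPOSAL-CHOSEN":
        return ("phase-2 (IPsec SA) proposal mismatch: compare the IPSec Crypto "
                "profile (ESP encryption/authentication, PFS DH group) and the "
                "proxy IDs with the peer's policy")
    if state["phase2"] == "failed":
        f = state["failure"]
        return f"phase-2 failed while processing {f['stage']}: {f['reason']}"
    return "both phases succeeded"


if __name__ == "__main__":
    parsed = parse_ike_log(SAMPLE_LOG)
    for k, v in parsed.items():
        print(f"{k:13}: {v}")
    print("diagnosis   :", diagnose(parsed))
```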



All IPs starting with 127.x.x.x resolve to localhost.

For some reason all IPs starting with 127.x.x.x resolve to localhost, which is annoying since there are quite a few ISPs using the 127.0.0.0/8 block in my country.

Any ideas what this might be?


EDIT: I assumed the loopback was 127.0.0.1/32 since I was getting invalid IPs.
To add a bit of context, I'm getting all servers from https://servers.fivem.net/ and parsing them.
From all 96 servers with the "brasil" tag, 16 of them start with 127. Dump: https://i.imgur.com/jpC9fvP.png



Cisco IP Access List has no effect

I'm probably having a brain fart but for whatever reason this access-list isn't working. I'm trying to lock down SSH access to a host and allowing all other traffic.

IOS-XE ASR903 "bootflash:asr900rsp3-universalk9_npe.16.09.01a.SPA.bin"

ip access-list extended RESTRICT_SSH_LOGIN
 permit tcp host 10.0.0.20 host 172.16.0.100 eq 22
 deny tcp any host 172.16.0.100 eq 22
 permit ip any any

interface BDI100
 ip address 172.16.0.1 255.255.255.0
 ip access-group RESTRICT_SSH_LOGIN in

This is the only ACL on this interface and it seems the ACL isn't having any effect. Other hosts in 10.0.0.0/24 are still able to SSH to 172.16.0.100.

sh ip access-lists isn't showing any matches.

Any ideas?
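
As an added check (not from the post), the ACL above evaluated offline with first-match semantics and the implicit deny. If the verdicts come out as intended, the rule text is sound and the remaining question is which interface and direction the SSH traffic actually crosses, since an ACL only counts matches for packets that traverse the interface it is bound to, in the bound direction. The parser covers only the syntax the post uses (host/any, eq PORT); the sample flows are constructed.

```python
"""Offline evaluation of the RESTRICT_SSH_LOGIN ACL against sample flows.

Added example, not the post's code: a parser for the subset of IOS extended
ACE syntax used in the post (permit/deny, ip/tcp, 'host A.B.C.D' or 'any',
and 'eq PORT'), with first-match semantics and the implicit deny at the end.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACL_TEXT = """
ip access-list extended RESTRICT_SSH_LOGIN
 permit tcp host 10.0.0.20 host 172.16.0.100 eq 22
 deny tcp any host 172.16.0.100 eq 22
 permit ip any any
"""


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any protocol) or "tcp"
    src: str               # IPv4 host address or "any"
    dst: str
    dport: Optional[int]   # destination port from "eq PORT", None if absent


def _addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Parse 'any' or 'host A.B.C.D' at tokens[i]; return (address, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {' '.join(tokens[i:])}")


def parse_acl(text: str) -> List[Ace]:
    aces: List[Ace] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                         # header line or blank
        action, proto = tokens[0], tokens[1]
        src, i = _addr(tokens, 2)
        dst, i = _addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; returns (verdict, ACE index), or ('deny', None)
    when nothing matched and the implicit deny applies."""
    for idx, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.src != "any" and ace.src != src:
            continue
        if ace.dst != "any" and ace.dst != dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed sample flows: the permitted admin host, another host in
    # 10.0.0.0/24 trying SSH, and the same host using a non-SSH service.
    for flow in (("tcp", "10.0.0.20", "172.16.0.100", 22),
                 ("tcp", "10.0.0.30", "172.16.0.100", 22),
                 ("tcp", "10.0.0.30", "172.16.0.100", 443)):
        print(flow, "->", evaluate(ACL, *flow))
```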



Cable Standards & Testing Processes with Dan Barrera

https://www.youtube.com/watch?v=kNa_IdfivKs

Very interesting, esp. WRT how PoE can impact cable performance.



Wednesday, June 12, 2019

Netflow Logs to Nprobe

Hi All,

We are migrating to SD-WAN and we would like the flows to be sent to our SIEM.

I have got nprobe but not sure how to collect and export on windows

Are there any other options/software we can use to export the logs?

Our SIEM only takes syslog, hence we require this export/conversion.



Speed Test

Have a question maybe someone can help with. Upgraded my WiFi speed from 500 to 1 Gig. On my hardwired connection to my iMac I’m getting 1.2 Gig. When I do my speed test on my iPhone I’m getting lower speeds than I was getting when I had the 500. My current router is a Linksys EA9500, which I’m pretty sure can handle the 1 Gig speed according to the specs. So can anyone tell me what gives?? Now I know I’m not gonna get 1 Gig speeds wirelessly, but I was getting anywhere from 350-500 on my speed test wirelessly when I had the 500. So I would naturally think I should at least be getting 700-900 on the 1 Gig now. Help?? Please!!



Noob in the mountains: Recommendations for cellular site survey process to know if a Cradlepoint CBA850 w/ external antennas would be able to offer reliable failover?

I'm helping put together a network plan for a new property in a developing nation for our non-profit. We have a very remote site up on a mountain. No power or internet available for at least 2 more years. I'm planning on a wireless bridge to bring in internet from the city since we have great line of sight at just 5km. But I'd really like to have some sort of on-site redundancy/failover. I've had several recommendations for a Cradlepoint unit, but having never used one before I'm having a hard time knowing if this solution would be the best approach. There's no satellite internet available currently in this area, and in general I'd prefer to avoid it.

But what's the best process for assessing cellular signal and whether a Cradlepoint with external antennas would even be beneficial? Are there any tools that could help with this? There is one corner of the property where some staff can get a faint cellular signal, but I'd much prefer to have some sort of data to help support the decision to go this route.

Happy to provide more info! Thanks for all the help. And if there's a better place to field this question let me know!



Network Automation

Hey everyone,

I just felt like making this post as I have been pretty indifferent to automation and its impact on the networking profession. I currently work as a Network Engineer with focus in R&S, Security, and Data Center. Before the new Cisco certifications came out I was really wondering how much longer we have before we no longer will ever login to any routers/switches/firewalls and how we will no longer be needed. I realized that this is the complete opposite and I have started to embrace automation and I plan on automating most of the stuff in our network as, to be honest, there are so many tasks I feel are a waste of my time (adding/removing/trunking VLANs, configuration templates, etc). I have so many ideas to actually create a framework for the company I work with so that we do not deviate from standards (unfortunately like we do now). That being said, I am particularly only interested in developing network and security automation tools to give us a more efficient way of deploying networks, etc. In fact, I am doing a POC for our DNA Center and me and one other guy are the only ones out of a team of about 12ish that know how to automate. Also, working on automating some ISE stuff using the API and REST :) We are a long way away from full automation anywhere and I actually still login to the CLI every day for routing and the like, so I think this will still be a thing in the future, but not as much as now. I noticed that learning Python is going to further my career once I transfer into a more Cyber Security role :)

Do you think we will get to a point where everything is automated and we no longer will be around? I also wondered if our job was basically going to turn into pure software development. I had to think hard about this and I have come to the conclusion that if anything it is going to create more jobs and specializations. I feared that I would no longer be needed, but when automation goes wrong, we are the ones that are going to be troubleshooting. Sorry for the ramble, I had to get this off my chest somewhere haha. Time to finish up my NP and start getting some more security focused certifications :) I really want to know what you guys think our profession entails for the future.



Rerouting All Traffic from One IP to Another?

Hello community!

I have a very weird and specific situation to address. Don't ask why I want to do this, but here it is anyway.

Let's say I have a server that goes by the public IP: 111.11.111.11, and clients can connect to it.

Now, I just need a different IP address (any other IP address I could find, rent, or use from any source), preferably a server of some sort. Let's name this IP: 222.22.222.22

I need to route all that's coming from the client (user, for example) to 222.22.222.22, then route it to 111.11.111.11 instead of directly routing all traffic from the client to 111.11.111.11.

Is there any way to do this? Also, I'm looking for something relatively cheap too (if it requires money), because I wouldn't need to do this frequently and I really only need one other IP (besides my server).

Thanks a lot, please let me know if you have ideas (AWS, or whatever you have in mind!)



Equipment recommendation: mobile phone hotspot to wifi ethernet bridge for remote office internet access.

Is there a recommended list of wifi network extenders that are known to be good performers and reliable in this application? This office has spotty DSL service and bad weather outages are common. They are all on the Verizon network with recent Samsung and iPhone devices, and so the idea is to swap in a wifi extender in bridge mode in place of the modem when the DSL goes down.



DHCP through a NAT

I have the following network layout:

http://prntscr.com/o143rz

There is a house DHCP server, and we have several production lines with 192.168.X.X private networks. We have a cable from the house access point that drops to a NAT on each line that is connected to each line's private network. Most things have static IPs and in the NAT we simply hardcode the translation 192.168.1.24 = 10.216.232.14 or whatever in the NAT table.

We have a lot of devices that don't even need to communicate with anything internally though; they don't have a static IP and are set up for DHCP by default. IT is able to set 10.216.232.200-254 as DHCP addresses. Is it possible to have a device (monitor C) send a DHCP request through the NAT to the house's DHCP server and get a house IP address that will communicate through the NAT?

The NAT we are using is an mGuard rs2000. I am reading through the manual and I can set up its DHCP server to be a relay. Would that work like I want it to?



Automation (scripted) in a restricted access environment

I'm curious if anyone has come across this before and if they've found any workable solutions when trying to integrate Python/Robot into a network management org. We are looking at off-the-shelf solutions, but that is a ways off, so users are trying to perform a variety of different automation tasks in the interim. It's fairly limited to information gathering/audit/small config changes/etc. but we seem to be blocked at every point from a policy/security aspect.

  • Laptops don't have rights generally to install software. Even if something like installing python is authorized, installing modules with pip is blocked by a download policy.
  • Standalone jump boxes don't have direct internet access and internal repositories don't provide anything close to useful.
  • External resources or sandbox environments where we could run some of the tooling, don't have access to resources to take anything beyond concept.

If it were a matter of getting one or a handful of pieces of software approved, that might be doable, but that kills most of the flexibility that something like python could bring. I'm trying hard not to go down a shadow IT path but I'm starting to run out of ideas that are even worth presenting.



2.4 GHz network vanishing and re-appearing every 5 minutes. RF Bursts?

Yeah, I'm going crazy with this. I noticed that my devices periodically were not available for a few minutes at a time. After using a wifi analyzer, I noticed that the signal just VANISHES periodically but very regularly.

I was using a Netgear Nighthawk R8500, and thought it might be faulty, so replaced it with a TP ArcherC5400X... but the problem continues in the exact same way! The 5Ghz network and hardwired devices are rock solid. I updated the firmware then factory reset both routers.

I noticed that it's ALL the 2.4GHz signals around, across all different internet providers. The signal drops also cycle through the channels, i.e. the channel 1s go down and come back, then channel 6 and then 11.

There is a new construction site not too far away, but I wouldn't know what to ask them to look into.

Here is a sample of the signal:

https://photos.google.com/share/AF1QipPtquIcnaBaXcLi3Qi2wvmqEVS1_IuNq4636nFA3-keh5gBsPUCPWyolHDBh2m8jA?key=YUtjcnlZSjVpeVFnUUppZjF0NmNyMmJJY1NEVHNn

Any help would be greatly appreciated figuring out what kind of device would cause such interference.



The Impossible situation

I was recently told by a friend of mine that they had a problem setting up 2 computers to make a simple network, because machine1 could ping machine2 but machine2 could not ping machine1, and then, to make matters more confusing, machine2 had no problems pinging Google servers and machine1 could access the files hosted on machine2 but machine2 couldn't access files hosted on machine1. It was explained to me that they tested everything from rebuilding the OS to triple checking the configurations, disabling firewalls entirely on each device, and even changing all the hardware/cables except the actual desktops themselves, yet machine2 still could not interact with machine1 but machine1 had no problems interacting with machine2. They even went to the length of switching over to an unmanaged switch, but to no avail. After hearing all this I told him that despite his claims that the configs were perfect there must be an error somewhere. So I was wondering if anyone had seen this before or has a solution. Please keep in mind that the 2 people making this small network have about 2 decades of experience with networks much larger between them, so I do believe they have tried everything that I suggested to them already.



Arista Layer3 switches - support for nat?

I read something here this week that caught my eye. Arista offers competitive layer 3 switches with a CLI very close to Cisco's. They also apparently all run the same binary image and software set. That is quite appealing to me.

But how complete is the image on different hardware? Routers are not switches, switches are not firewalls. Would a switch be able to nat? Is there a rudimentary protection from hostile networks (internet) that can be used? Something like CBAC or ZBFW approach?

Are we finally at the place where we can reduce the stack down to a single switch for small branch offices?



Dev/Accept/Prod environment: any network isolation required?

I was wondering, in a large enterprise network do you do any segmentation to isolate Dev/Accept/Prod servers? If you do, how far do you push it?

We currently have a physical LAB (mini DC) and we also have Dev/Accept/Prod environments on the production network, not isolated, on shared subnets. (Main DC)

We are making the move towards the public cloud and I'm trying to assess if any changes are required at this level.



Career Move - From NOC to Engineer, but full time to contract. Worth?

My current employer is a sinking ship, I feel, and I feel my career has reached a dead end. I'm currently acting as Tier 2 Data in a NOC environment ( I reconfigure broken devices, make small changes to fix things, sometimes large changes as rerouting traffic to different cards in enterprise equipment, have lots of obtuse hardware knowledge, current CCNA, CCNA SEC, and JNCIA ). I currently make 62k + benefits.

I was offered a Networking Engineer spot at one of the "big 3" ISPs as contract for 90k. My goal is eventually Engineer, Sr. Engineer, Architect. I feel like I was unable to attain this role at my current position, as they've been under hiring freeze for several years now.

I am a little nervous about the jump from full time to contract as I live alone, and this would mean removal of my benefits, but I have been trying to secure an engineering spot for almost a year at this point, at almost any company, unsuccessfully.

Is it worth the jump? The new employer says they convert contract to full time usually within 3-6 months if you're good, and I have several "moles" who have moved to this company from my current company who can confirm that this is true.



Is anyone else considering starting over with the new Cisco Certs?

I saw some blogs around the web, and read the new CCIE requirements - hooooly hell.

TBH I am thinking of starting over at the CCNA level and working back up to CCIE level. I have 0 experience with DNAC and that is going to be VITAL to all the exams moving forward. They have removed all the pre-requisites from the CCNA so I figure I might just start back at that base level, and move from there.

The new CCIE track is only (1) CCNA Exam, (2) CCNP Exams, (1) CCIE Lab. This is a massive shift from where it used to be. I have been deploying Cisco Wireless for about a decade now and the only reason I have been as successful as I have been thus far in my CCIE studies, is all my past experience. Being that most of that is now thrown out the window, I feel like (1) The learning Curve and (2) Training materials availability are a large driver for me just to start over from scratch.

I imagine the CCNA trainers will get into shape rather quickly followed by the CCNP tracks. The great news is there are FAR FEWER tracks for them to develop content around, so I would expect the training community to have a far greater success in developing content.

I am a current NetworkDojo Customer and it is going to take Jeff some time to get all the new material squared away and available. I figure I could at least tackle the CCNA and CCNP levels to fill in my knowledge gaps (especially around DNAC) as I prep back up to the CCIE level.

Thoughts?



Looks like Aruba is going after the Ubiquiti market.

arubainstanton.com

Just saw that they announced Aruba Instant On access points yesterday.



Options for branch connectivity into MPLS

We manage and maintain our own mpls network. Branches are set up with a router on a stick setup, but with a firewall. Think along the lines of a 5512x pair with a L2 switch stack.

Internet breakout is centrally managed - LAN/MPLS to a DC then off out to the internet via a pair of Palo Altos.

I want to put some different options to my boss in regards to future connectivity for new offices. I can't see why we should spend £5-10k for office firewalls when all they are doing is a bit of L3 routing.

We could just go with a L3 switch stack?

Any downsides to moving away from deploying firewalls in all our offices?



Divide traffic from one ethernet cable

Each office desk has one ethernet port. Some desks have Polycom 311 phones, so the wall port goes to the phone. The phone has another ethernet jack for another device, aka a laptop or desktop. I'm trying to segregate the laptop from the phones for security reasons.

However, I'm unsure how I could do that with only one ethernet wall port.

I have a Zyxel usg310 firewall.

Any ideas how I could make sure there is separation between the phone and other hard wired device? Is there a small device that I could get which would solve the problem or could it be solved via the firewall?



Aruba 2530 24G VLAN as Un-managed Switch

I am trying to eliminate an unmanaged 8 port switch that splits an ISP handoff in four directions by using some ports on an Aruba 2530 nearby and honestly cannot figure out how to do it.

I assumed I would just be able to create an untagged VLAN with no network info but it won't let me. I do not want this on our primary VLAN or any other VLAN in our network. I don't want to assign it an IP or gateway. I just want four ports to mock a simple switch isolated from the rest of the VLANs.

Thanks in advance for any help.



Help needed please...

Hello,

I am a Linux Administrator and not a network administrator. Our Network Admin was termed for stealing. I was asked to assist with things until they get a new one. I was asked to document and email the Change Board and I am stuck on an IP issue. I need a small number of IPs for a small building. I need 30 (/27) for one SSID and I need 14 (/28) for another. Now the issue I have is that I want it to be at the end of 2 different ranges, and I am trying to write it out correctly, so is the following correct? I want it to be 223 through 255

XXX.XXX.XXX.223/27

XXX.XXX.XXX.239/28



New NOC/microdatacenter where animal cages used to be?

Yeah, I can't believe the title either. I work at a college and one of our science buildings has been replaced with a newer/better one. That leaves, you guessed it, the basement vacant. This is where they kept animal cages for scientific experiments. Rats, mice, fish, etc. There are floor drains, lots of overhead plumbing and wash stations. There is a separate HVAC for the area because the fresh air cannot be shared with the classrooms above. There is no redundant fiber path to the building, which needs to be built anyway as well as added fiber.

And yet, it has been proposed that we could put a NOC for our secondary internet connection, border gateway, possibly our backup firewall, and possibly a micro-datacenter with some server backup appliances here. It is adjacent to a major road so it would be easy to get our secondary internet connection moved to that building. There is an elevator, but no loading dock, so hauling a rack full of gear will never happen.

So what kinds of defense should I use here? I think this is a really bad idea, but my CIO is more big picture and is very hard to talk down once they think they have a good idea. Are there health concerns, safety hazards, anything I could reference in best practice small datacenter builds? I think we would only be talking about one rack worth of stuff max... I think.... who knows what other schemes are in place.

Appreciate the help, wonderful comrades.



IP Renumber Shenanigans

Our company was recently sold and we are losing all our IPs, so every client in the data center (not a huge operation) needs to have their IPs renumbered. The two guys in charge of provisioning these IPs don't understand the fundamentals of subnetting.

The current plan is to have a /30 followed directly by a /29 and a /28. All next to each other with no wasted address space. Because in fantasy land you can arbitrarily place subnets wherever you want in an address range. Because a 0.0.0.4/29 broadcasts on 0.0.0.11, right?
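The two questions above (putting a /27 and a /28 at the top of a range, and laying a /30, /29 and /28 back to back) both come down to prefix alignment. The following is an added example, not code from either post: it checks alignment with Python's ipaddress module and packs a list of prefix lengths from a starting address, using the documentation range 192.0.2.0/24 as a constructed stand-in for the posts' XXX.XXX.XXX.

```python
"""Subnet alignment checks and gap-free packing (added example, not from the posts).

Addresses are constructed from the documentation range 192.0.2.0/24 and stand
in for any real /24.
"""
import ipaddress
from ipaddress import IPv4Network
from typing import List


def is_aligned(cidr: str) -> bool:
    """True if the address part of cidr is a valid network address for its prefix
    length, i.e. all host bits are zero (strict parsing succeeds)."""
    try:
        IPv4Network(cidr, strict=True)
        return True
    except ValueError:
        return False


def normalise(cidr: str) -> IPv4Network:
    """The network that actually contains the given address at that prefix length
    (host bits cleared); 192.0.2.223/27 becomes 192.0.2.192/27."""
    return IPv4Network(cidr, strict=False)


def last_block(parent: str, prefixlen: int) -> IPv4Network:
    """The highest-numbered /prefixlen inside parent, e.g. the last /27 of a /24."""
    return list(IPv4Network(parent).subnets(new_prefix=prefixlen))[-1]


def pack(start: str, prefixlens: List[int]) -> List[IPv4Network]:
    """Allocate one subnet per requested prefix length, in the given order, from
    `start`. Each block is moved up to the next boundary its size requires, so the
    result is gap-free only if no smaller block precedes a larger one."""
    cursor = int(ipaddress.IPv4Address(start))
    out = []
    for plen in prefixlens:
        size = 1 << (32 - plen)
        cursor = (cursor + size - 1) // size * size  # round up to the alignment
        out.append(IPv4Network((cursor, plen)))
        cursor += size
    return out


def wasted(start: str, prefixlens: List[int]) -> int:
    """Addresses left unused between `start` and the end of the last packed block."""
    blocks = pack(start, prefixlens)
    span = int(blocks[-1].broadcast_address) - int(ipaddress.IPv4Address(start)) + 1
    return span - sum(b.num_addresses for b in blocks)


if __name__ == "__main__":
    for c in ("192.0.2.223/27", "192.0.2.239/28", "192.0.2.4/29"):
        print(c, "aligned" if is_aligned(c) else f"not aligned -> {normalise(c)}")
    print("last /27 of the /24:", last_block("192.0.2.0/24", 27))
    print("last /28 of the /24:", last_block("192.0.2.0/24", 28))
    # /30, /29, /28 in that order leaves gaps; largest first packs without waste
    print(pack("192.0.2.0", [30, 29, 28]), "wasted:", wasted("192.0.2.0", [30, 29, 28]))
    print(pack("192.0.2.0", [28, 29, 30]), "wasted:", wasted("192.0.2.0", [28, 29, 30]))
```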



Cisco ISR4331 Throughput Licensing

I've searched, but I can't seem to find an answer to this question. For an ISR4331 with the base 100Mbps license, is this 100Mbps per interface (50/50, 70/30, etc), or is this the total amount of traffic that the box will forward? For example, I've got a site with a 20/20 Circuit and a L3 switch hanging off of the 4331. Is that a total of 40Mbps in regards to the license, or is it a total of 80Mbps since the interface facing the switch could potentially be running at 40Mbps also? Put another way, if I have sites that have a 50/50 ISP Circuit, should I be looking at the 300Mbps license, or would the 100Mbps license work for me?



ASA w/ Firepower and Umbrella

So evaluating whether I need both ASA with Firepower services (AMP, URL, IPS) and Umbrella or if ASA with Firepower can do it all?

Firepower uses Talos and Umbrella too

Firepower can do URL filtering and AMP, Umbrella too

Only reason I can see for needing the ASA is for if you want to segregate local traffic on an internal network and create rules for that. Am I wrong and have I missed something?

I know Firepower is a heap of shit.. yes but Umbrella is actually a kick ass product.

Thanks in advance folks.



Tuesday, June 11, 2019

So I just upgraded an ASA5516X to FTD 6.4.0 from 6.3.03 and now it won’t come back up.

After I upgraded it took about 45 minutes to become reachable again. Once I logged in, I saw that the code was updated. Great. Except now it's stating there are pending changes to deploy. I was pretty sure they were just Firepower updates or whatever because there was nothing waiting to be deployed beforehand. It's now been like 1.5 hours and it hasn't come back up.

Am I screwed here? Is it normal to have pending changes to be deployed after upgrading?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Viptela on ISR/ASR

I have a vendor telling me that it's not a good idea to put a vEdge enabled ISR/ASR right on the internet without putting a firewall or FTD in front of it.

Security concerns.....

Is this accurate?



Python/NAPALM SSH Login Question

So, logging into my GNS3 devices through my linux terminal requires me to use the command "ssh [username]@[IP address] -c aes256-cbc -o Kexalgorithms=+diffie-hellman-group1-sha1". What I'm wondering is how do I tell NAPALM to log into my devices in this way/format?

What I'm actually trying to do: I'm trying to make a script that logs into my switches and uses the get_facts() command to pull information.



What is the typical cost of a good cat6 connector?

I just started a job where my boss says he's paying $1.50 an end connector. I told him he was out of his mind, but he swears ends that cost that much are the only ends that have worked well enough. Am I out of my mind? I know there are cheap ends that are crap, but $1.50 an end? Is that not really expensive?



Migrating from existing MPLS on Nexus to another provider on Meraki. Presently Auto VPN works on VPN but need to add MPLS static routes at all hub sites and spoke sites so they are preferred over Auto VPN. Question is, will I have to create static routes on all hub and spoke sites towards MPLS?

Migrating from existing MPLS on Nexus to another provider on Meraki. Presently Auto VPN works on VPN but need to add MPLS static routes at all hub sites and spoke sites so they are preferred over Auto VPN. Question is, will I have to create static routes on all hub and spoke sites towards MPLS (duplicate routes) or is there any easier way? Creating static routes on all hub and spoke sites is cumbersome.



Is there a way to make Cisco Firepower Management Center web app performance less pathetic?

I gave the VM plenty of resources and I access it over a LAN but it's tortuous navigating through stuff. Firefox is slightly faster than other browsers but still pretty sad. Is there something I can tweak? Why is it so frigging slow? I don't know much about the inner workings of web apps. Please spare me the Palo Alto jokes, it's not an option. Well, if you need kudos go for it, they are usually good for a few points.



Have to ping an ESXi host first before I can vSphere to it.

So I have workstations on one subnet that have to talk to ESXi Hosts in another subnet in another part of the country.

And when I try and vsphere (TCP 902) from one of my workstations I see "incomplete" in the firewall entries. Even on the firewall protecting the other (esxi hosts) subnet I still see an inbound firewall request that also has the status incomplete.

If I ping the host once first then I can vSphere/console to the host and all the virtual machines on the host. I'm thinking that it is something to do with the host not finding a route back to my workstations, and that the ping is setting up that connection to allow that route back. The hosts have a default route to a pair of Cisco routers and they have their gateway pointing to a Palo Alto 3020 which then has a bunch of routes going via a WAN connection (pretty standard stuff).

Unsure how to fix this as there is no firewall blocking the traffic - just this odd behavior requiring the ping first.



Does anyone have experience migrating to AT&T ASE(Metro-E) circuits?

Hello again everyone. I am getting ready to start migrating from ATT Opt-E-MAN to ASE (MPLS) circuits, and was wondering if anyone has any experience with ATT ASE circuits. I don't know if I need to change anything on my routers when I cut over (I'm all on static routes).

Thanks again!



[Edu] CMTS Virtualization

Hi,

I'm looking into CMTS for a while now and it was always at a theoretical level. (Modulation, provisioning, ...)

So I wanna really dive deep into this topic by getting more practical and learn a lot more about it even though I don't own any hardware.

First I thought about GNS3 and I googled about this and found this thread:

According to this the RF features don't seem to be virtualizable which is semi-ok for my purposes.

After a while I found this thread on docsis.org.

In 2013 it seemed to be the way to go to set up hardware labs for advanced purposes which indeed makes sense.

I just may ask if the technology has improved over the time and something that fits my purpose (even if not completely) is now available for a reasonable price or student licencing.



Rack rentals

What rack rentals do you use for testing, re-creating your Cisco infrastructure? Looking for cloud/web based solution, fully licensed devices, Nexus availability etc...



Change in iOS causing issues with BYOD 802.1x enrollment

Anyone else having problems with something that recently changed in iOS in regard to how configuration profiles are installed? We use Ruckus CloudPath for device enrollment. On iOS once the users logged in to the portal, they would get a link to install the wireless network. Once they clicked the link they would be taken to the settings app with a popup to install the configuration profile for the wireless network. Now when they click the link they get a message that a profile has been downloaded and they have to go find "Downloaded Profiles" on the device and install it from there.



Simple ping problem - low packet loss

Hello Networking,

I have a problem that's giving me a huge headache. I am running a highly sensitive test on some Macbook clients that pings a couple of IP addresses on the public internet over a 24-hour period and fails if over 2% packet loss occurs. Now, the network path for these tests is as follows:

Macbook --> Aruba MAS Switch --> Aruba controller --> ISP Modem(Internet_destination)

Here's the thing, when the test runs (and I have confirmed it is simply sending ICMP pings size 1024 over an interval of 1 second) the final result shows an average of 2-8% packet loss over the entire course of the test. To make matters worse, if I try to prove out the network by running the following ping tests I show <1% packet loss every time over extended ping tests (I have monitored 4-8 hours pings and shown 0% packet loss)

Ping SRC: Aruba Controller

Ping DST: Macbook

Path: Controller --> MAS Switch --> Macbook

and

Ping SRC: Aruba Controller

Ping DST: Internet_Destination

Path: Controller --> ISP Modem(Internet_Destination)

and finally, I have learned that if I hook the Macbook directly to the Aruba controller so that path is now

Macbook --> Controller --> ISP Modem(Internet_Destination)

I experience 0% packet loss on the test.

Any idea what I could be missing, or why I would be experiencing low packet loss when the pings source from the Macbook instead of the Controller? I have captured Wireshark logs on the Macbook and validated that the pings are being sent out the interface. I do not currently have a way to validate that the pings are actually hitting the switch (the MAS switch doesn't have SPAN capability with our VLAN design).



4 OSPF IPsec tunnels and asymmetric routes

We have two data center sites on opposite ends of the US. Our ops office is centrally located between the two. We recently just replaced our Cisco gear in the office with a Fortigate 201E and setup 4 IKEv2 IPsec tunnels. Up until yesterday it had been working fine for 145 days. We lost our backup ISP and then our primary ISP last night and things have been quirky since. This morning we had an asymmetric route where private datacenter traffic would go out tunnel 1 and come in on tunnel 4 and it would cause disconnection for user applications.

Here's how my tunnels are configured:

Tunnel1 - DC1 ovr ISP1

Tunnel2 - DC1 ovr ISP2

Tunnel3 - DC2 ovr ISP1

Tunnel4 - DC2 ovr ISP2

How does OSPF know which tunnel to use? I know it takes into account latency, etc.?

What would be some things to check to fix the issue? We have some static routes but those are separate from these tunnel subnets.



Start studying or hold out?

Hey everyone..I know these posts are coming in like the plague but I haven't really found the info I need to make a proper decision. My CCNA expires October 2019 and I was a few days away from purchasing CCNP study material. I read on a blog there are no longer prerequisites to any of the exams so would it be in my best interest to just wait until the new exam material is out? I'm thinking yes as long as I don't have to take the CCNA again before I can take the CCNP.



ICMP issue with a KM-TEST loopback and GNS3

I have a router that's connected to the 'cloud' which is a loopback interface on my computer. Both interfaces are on the same subnet and show up/up on the router. I can't ping from the router (10.1.1.10/24) to the loopback (10.1.1.2/24). Tried running a packet capture on that line but I don't see packets leaving the router. I'm trying to get this set up for a Udemy course I'm taking for Python and Network Engineering.



9300 L3 and stacking

License question for you all,

I have a remote office connected via MPLS and we are replacing the switches (and router) with a stack of 4 9300's. I want the stack to act as a router and run OSPF over our MPLS circuit (instead of buying a router to replace the old one). Do I need the L3 license for all switches in the stack or just one?



Need Some Help On Adding New Link and Switch

I am going to try my best to describe what I need to do and hope for some advice.

We currently have a pair of 7k switches as our Core and Building 1. We purchased a metro connection to building 2. With this connection there are 2 connections. One is active, one is passive. T

I am planning to send 1 connection to one 7k the other to the second 7k.

For building 2 my thought process is that I will put 1 connection in to 1 9k switch and another into the other 9k switch. Then from there we have 4k switches that our users will connect to. I was planning to do 1 connection to each 9k from each 4k.

Here is a rough diagram of what I am trying to achieve. The photo shows 1 4k but we have multiple.

https://imgur.com/JHZLUrD

Does this seem like the best way to do it? If so, would I be doing L3 from the 9k to the 7k and L3 from the 4k to the 9k? I am hoping to do a vPC from the 4k to the 9ks.



Issue with one switch on oxidized

Hi,

I need help because one of my switches stopped backing up after a reboot. All other devices do their backups as they should.

I searched on the web but did not find a lot. I'm totally new to this and have no documentation.

If anyone is able to tell me where to begin, it would be really appreciated.

Thank you.



Unable to Console Into Switch (Help)

Good Morning everyone. I'm running into a bit of an issue with a new business. I have taken over their IT and reworking the mess that the previous company created. I'm efficient and knowledgeable with a lot of things but CLI console/ switch commands are something I've never really had a chance to dabble in. Here is my issue:

There is an older Cisco switch on the network that has a DB9 console connector on the back. This is the only console connector I see on it. I have a Dtech DB9 (female) to USB cable so that I may console in and figure out what in the world they did with the VLAN setup. I am using PuTTY and have set up the cable to register as a COM connection. I have followed the instructions on how to get a console window set up and connected to the switch using serial connections. I get to the part where the console shows up, but nothing can be typed and nothing shows up. Hitting Enter does not populate anything, nor does Ctrl+C. The switch is on and active.

I've searched online but not much comes up on the subject other than a bad cable. However, I've swapped cables and nothing has changed. Same results.

Any ideas?



How much should I charge for a site-to-site VPN?

Hi all,

I hope I've popped this in the right place and it isn't classed as "early career advice", or a dumb question.

I've been offered a spot of freelance work on the side.

The job is to set up a site-to-site VPN between two sites, I've been given the requirements, one end of the tunnel is done and the other side is using a Meraki Security Appliance.

It sounds a small job at a small site tbh, but I'd budget a few hours just to account for any change control, rollback, documentation, unforeseen complications etc.

You all know how these "small jobs" work out...

I'd like to go contracting - but I'm not actually sure what I'm worth. I don't want to undersell myself, but I don't want to take the piss.

In terms of my skill set right now, I've got a CCNP R&S, CCNA Security and a lot of experience on other vendors' kit (such as Meraki...)

Any idea what I should be charging for this? Per hour? Based in the UK.

Research seems to suggest £300 per day for a reasonably skilled engineer.

Thanks for any advice :)



TTL/hop distance use-cases for network optimisation or monitoring

I've written a post about using TTL to watch for network health.

But I think there are more use-cases that I can mention in it.

For example, I'm pretty sure that real-time applications are sensitive to hop distance, but don't know how exactly they are affected, time synchronization issues between src and dst?
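One concrete monitoring use of TTL, as an added example that is not code from the post or the linked article: infer the hop distance of a peer from the TTL its packets arrive with, then flag any source whose inferred hop count changes between observations, which is what a rerouted path looks like from the receiving end. It assumes the common initial TTLs (32, 64, 128, 255), and the observations are constructed.

```python
"""Inferring hop distance from observed IP TTL and flagging path changes.

Added example; assumes the common initial TTLs and uses constructed samples.
"""
from typing import Dict, List, Optional, Tuple

# Defaults most stacks start from; the guess below picks the smallest one that
# is not below the observed TTL, which is right as long as the peer is fewer
# hops away than the gap to the next lower default (e.g. under 32 hops for 64).
INITIAL_TTLS = (32, 64, 128, 255)


def hop_distance(observed_ttl: int) -> Optional[int]:
    """Hops traversed = assumed initial TTL - observed TTL.
    Returns None for a TTL outside 1..255."""
    if not 1 <= observed_ttl <= 255:
        return None
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    return None


def path_changes(samples: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, int]]:
    """samples: (timestamp, source_ip, observed_ttl) in arrival order.
    Returns (timestamp, source_ip, old_hops, new_hops) each time the inferred
    hop count for a source differs from the value last seen for it. A jump is a
    routing change worth correlating with latency or loss; a sudden drop toward
    0 can mean the traffic no longer originates where it used to."""
    last: Dict[str, int] = {}
    changes: List[Tuple[str, str, int, int]] = []
    for ts, src, ttl in samples:
        hops = hop_distance(ttl)
        if hops is None:
            continue  # malformed observation; do not reset the baseline
        if src in last and last[src] != hops:
            changes.append((ts, src, last[src], hops))
        last[src] = hops
    return changes


# Constructed observations: a host starting at TTL 64, first 3 hops away and
# later 5 hops away, and a host starting at 128 that stays 12 hops away.
SAMPLES = [
    ("10:00:00", "198.51.100.7", 61),
    ("10:00:01", "203.0.113.9", 116),
    ("10:05:00", "198.51.100.7", 61),
    ("10:10:00", "198.51.100.7", 59),
    ("10:10:01", "203.0.113.9", 116),
    ("10:15:00", "198.51.100.7", 59),
]

if __name__ == "__main__":
    for change in path_changes(SAMPLES):
        print("hop count changed:", change)
```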



Monday, June 10, 2019

How to detect counterfeit Cat2960S and Cat2960X switches?

Does anyone know how to detect counterfeit Cisco switches?

I have a large pool of cat2960s and 2960x switches of questionable origins at remote sites that need to be patched. Most are still on 12.2.

I've been burned a couple of times during upgrades, where the new code (15.2) disables the counterfeit switch.



I need help with client isolation!

Currently, I have Cisco switches and a pfSense router-on-a-stick. I was looking to start selling Ubuntu instances to friends but wanted to separate them from one another (not using firewalls on the ubuntu VMs themselves). I am aware that it is possible to create separate subnets for each instance using VLANs (/32 subnets), but is there a more efficient way to accomplish this besides creating a VLAN for each ubuntu instance? I am running all the Ubuntu instances on ProxMox VMs. A friend told me there is a way to have one gateway, but then have the subnets on their own. I didn't quite understand, and that's all I got from talking to him. I'm pretty good at networking and have a lot of experience in Linux. If anyone could help me, that would be great!



Where can I find the self-paced walk-in labs from Cisco Live online?

A while ago I believe I found the walk-in labs available online. Does anyone have the link handy?



How to set a cellular wifi dongle to prefer specific mobile network using AT commands?

I've been trying to solve this issue for a while and I've made several failed attempts.

TL/DR: I have a mobile wifi dongle that will be plugged into a router serving an unmanned kiosk. I need the dongle (with a Telus SIM card) to prioritize connecting to the Rogers roaming network. And this has to be a saved setting so that it remembers to prefer Rogers over its native mobile network even after the device reboots due to a power outage.

Longer Explanation:

First, I had a Huawei E3372H-510 WiFi dongle with a Telus sim card. The location where the device would be used had a poor Telus network signal, but a strong Rogers signal and the sim card comes with unlimited global roaming. When you plug the device into a computer, it opens a web UI where you can manually select a mobile network, but it changes back to automatically selecting the default Telus network after a reboot. I was planning to use AT commands to change the default mobile network from the sim provider to whichever network happened to be strongest at each plant location.

For these Huawei dongles, you apparently have to flash the firmware to get it to respond to more than just the basic AT commands. I tried with one and got it to respond, but it was having connection issues as I only have access to region specific firmware that is not appropriate for North America. Tried to flash it back to web UI mode and I bricked it.

Now I have a Huawei E8372H-517, which is slightly better, but in web UI mode it still doesn't remember the preferred mobile network or recognize the AT commands I need to change the default mobile network. The only way I can think of to ensure it always goes to the right network is to use AT commands, but then I need a very specific firmware which is unavailable and every attempt risks bricking another device.

Acceptable Solutions:

- Any repeatable method to set a preferred mobile network on a wifi dongle

- If there's another device I can use instead, I'm happy to switch

- Whether it uses AT commands or not is irrelevant, I just need something that works consistently

I'm out of my league on this one and there's no one else on this project that can assist, so any help you can provide is much needed and appreciated.



Adding new context in a multicontext Cisco ASA.

Have an existing active/standby pair of ASA5555. It already has 4 contexts. The sh version shows it can support up to 10.

I want to add a new context. Is there any impact while creating a new one, or is it transparent? Is there anything else I should be aware of?



Cisco Certification Revisions

Hi all. This is my first time posting to r/networking, so here's my question...

Due to the new Cisco cert revisions, how does this play out for Networking careers? I'm currently in school for Information Technology w/ a concentration in Network Management. The Cisco announcement pretty much just made my entire college course plans obsolete. I was originally going for Route/Switch & Design, but now it looks like those standalone options are no longer a thing. And the way the new CCNA exam topics look, they seem to now be more on par with CompTIA Net+ and the CCNP looks awfully similar to the current CCNA. Does this mean the value of the certs will decrease? And which track is going to now be the "preferred" route to take??

(Sorry if my post seems all over the place. I'm freaking out a little bit right now).



Resume check for network admin/engineer position

Hi all, was hoping to find some honest feedback from other people in the industry. I've been putting my resume out there for a bit now but haven't had too many replies back. I'll be the first to admit I'm not great at writing them so I'm flying blind as to how it's coming off to recruiters and IT managers.

Thank you for any feedback, and good luck to all other admins and engineers out there looking for work, it's not easy!

I am located on the east coast in case it helps.

PDF here https://drive.google.com/file/d/1bDq50Ntiq2UhOj7wou2SvKW0elCR9REz/view?usp=sharing

Photo here https://imgur.com/a/hHbYmot



Cisco next gen firewall w threat defense vs just endpoint protection

Hi everyone,
I am looking at moving a small NGO forward with better security to get them on track towards HIPAA compliance.
It's a really small getup-- 4 workstations, a couple of tablets, a few cell phones, an all-in-one printer. No servers or VoIP at the moment, eventually some commercial grade scanners and a document server (but these two are a big maybe).

I'm wondering how worth it getting a cisco 5506-x with threat defense would be. We are going to go with BitDefender Business security for endpoint.

What would be the major pros of buying/implementing a cisco next gen firewall, in your opinion? cons?
The price is relatively low for the unit--- 5506-X device and 3yr threat defense license about $400 through TechSoup.



Suggestions for wireless USB/PCIe adapter that supports WPA2-Enterprise?

I have a user with a Dell OptiPlex 9020 who will need a wireless connection to our network, which uses WPA2-Enterprise authentication, for the next four months. What are my options for wireless adapters under $50? Do all WPA2-compatible adapters work with WPA2-Enterprise networks or do I need to specifically find ones that specify WPA2-Enterprise support?



Answering interview questions like: What is routing

So firstly, I just had my first legit networking phone interview. I passed the interview and have another interview. I've been applying for network jobs for months now I am extremely anxious and trying not to fuck this up.

The only question she asked that really had me stuttering was "What is routing". I never realized how much this would throw me off. It's like asking a mechanic, how does a car work? I was like...where do I even start? Should I break down the entire routing process from what happens at layer 2 etc etc, it was so broad of a question I totally froze up and ended up stumbling through my answer. Luckily it didn't totally wreck my interview but I want to be more prepared for this in the next interview. Advice?



Help with VLANing

I am going to be setting up a network for a phone system and need some help with getting the VLANs set up properly. The network consists of a router (192.168.0.1) performing a site-to-site connection for the phones (192.168.1.X) back to the main office, and then the PCs (192.168.0.X) that go to the internet. So my question is, if I only have one wire that is going to go from the switch to the phone and then from the phone to the PC, what do I have to do to make it so the phones get the IP they need and the PCs get the IP they need? Does the router need to be aware of the VLAN? Can I just assign MACs to VLANs to ensure proper IP addressing? Is there a better way to do this? I will gladly provide any information that might be missing.

EDIT: Switch is an HP Aruba 48 Port POE Switch and the Phones are something that are going to be Provided and was told they just needed a VLAN.



Cable Management Solutions for 2 Adjacent Cabinet Racks

Just found out one of our new buildings is getting a last minute IDF added to it. We're looking into adding 2 45u APC rack cabinets next to each other and removing the panels in the middle. One rack would have around 3 switches and the second all the cat6a patch panels, enough for 150 drops. So what we want to do is route the cables properly and one possibility is having them go through the roof of the cabinet. Another idea is to have the cables run inside the rack cabinets through the removed panels, But I don't know if anything like that exists.

We need cabinets since this last minute IDF is also a storage room so other non IT admins will have keys to enter the room. Any ideas or tips? Doesn't have to be APC specific also.



Know-How - how deep you go?

Hello my fellow Networkers.

How deep do you usually go when learning something new?

As for me, I can't go on without going all out, full details - which is cool but so time consuming. And many other engineers I got to know don't have such a deep know-how as I have. Like MPLS.. many know what it is, how it works, but ever went deep like how LDP establishes sessions? Neighborships? What explicit null and implicit null labels are? And the other predefined label numbers?

I'm thinking sometimes I do just too much.



Anybody here work for Booz Allen for an extended time?

Hi guys, in my particular area Booz Allen is a really big company and I saw there are opportunities for network engineers. I was wondering if anybody here has worked for them and how they are as an employer?



Huge new changes to the Cisco Certification programs

Changes have just gone live on the Cisco cert website.

- 3 new DevNet certs
- Route/Switch terminology is no longer - it is now Enterprise Network Core
- Now have concentration areas in the CCNP track

Lots of others that I haven't dug through yet. I'm looking forward to the Devnet stuff personally!

https://www.cisco.com/c/en/us/training-events/training-certifications/next-level-certifications.html



Nexus 6k ISSU & Upgrading Best Practise L3

Hello,

I've been researching into upgrading 2 Nexus 6k switches which are used as a layer 3 core and have 2000 series FEXs attached.

I’m hoping to confirm behaviour of upgrading Nexus switches after reading Cisco documentation on it.

  1. First, they are being used for L3 features/routing etc. It appears ISSU is not supported for L3 at all and will therefore be disruptive. My understanding is that without removing all L3 features and the L3 license it will be impacting. So we could do this with one switch at a time, but it doesn't seem particularly feasible and we may just have to take the hit with the upgrade impact anyway, as removing L3 features could have its own impact if not done correctly with routing convergence etc.

  2. If we wanted to do a basic upgrade like on a typical Catalyst switch, I believe we would get the images on, check the image compatibility and do an 'install all' on both the primary and secondary switch in the vPC topology (following the good documentation Cisco generally have on upgrade procedure checks: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus6000/sw/upgrade/731_N1_1/n6000_upgrade_downgrade_731_n1_1.html#64244)

Any tips or suggestions would be welcomed on the L3 part as not getting my head round what is best practise and it should be clear to some that this is not something I have done before.

Thanks



What are some Automation best practices

I have been using python more and more in the network. What are some of the best practices for automation that people have found. I am looking at both from a business standpoint (ex: what are good things to automate, how to automate them, etc) but also from a CLI point (ex: no spaces in description names, standardize device names, etc).



Networking N00b!

Total n00b here.... studying for my Network+, lots of resources online and I am doing well on my quizzes until I got to the "Sub-netting" stuff. I got the binary to decimal and back down pretty well, but when trying to figure out the first usable and last usable for a network range it's still pretty confusing. Are there some simple tricks not found in the books you used to figure this out?
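The trick most people use by hand is the "block size" in the octet where the mask stops being 255: block = 256 - mask octet, the network is the address octet rounded down to a multiple of the block, the broadcast is network + block - 1, and the usable range sits one inside each end. As an added example, not part of the post, the following does exactly that arithmetic on dotted octets (no library shortcuts) and then cross-checks the result against Python's ipaddress module; the addresses used are constructed.

```python
"""First and last usable address by the octet 'block size' trick (added example).

Works the way you would on paper: find the interesting octet, compute the
block size, round down for the network and up for the broadcast.
"""
import ipaddress
from typing import Dict, List


def mask_octets(prefixlen: int) -> List[int]:
    """Dotted-decimal mask for a prefix length, e.g. /27 -> [255, 255, 255, 224]."""
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    return [(mask >> shift) & 0xFF for shift in (24, 16, 8, 0)]


def subnet_by_hand(ip: str, prefixlen: int) -> Dict[str, object]:
    """Network, broadcast, first and last usable for ip/prefixlen via the block trick.
    For /31 and /32 there are no 'inside' addresses, so first/last equal the ends."""
    octets = [int(o) for o in ip.split(".")]
    mask = mask_octets(prefixlen)
    # The interesting octet is the first one whose mask value is not 255;
    # for a /24 or /32 that is the last octet.
    idx = next((i for i, m in enumerate(mask) if m != 255), 3)
    block = 256 - mask[idx]
    net = octets[:]
    net[idx] = (octets[idx] // block) * block  # round down to a multiple of block
    for i in range(idx + 1, 4):
        net[i] = 0  # everything to the right of the interesting octet is 0
    bcast = net[:]
    bcast[idx] = net[idx] + block - 1
    for i in range(idx + 1, 4):
        bcast[i] = 255  # ... and 255 in the broadcast
    first, last = net[:], bcast[:]
    if prefixlen <= 30:
        first[3] += 1  # first usable is network + 1
        last[3] -= 1  # last usable is broadcast - 1

    def dotted(o: List[int]) -> str:
        return ".".join(str(x) for x in o)

    return {
        "block": block,
        "network": dotted(net),
        "broadcast": dotted(bcast),
        "first": dotted(first),
        "last": dotted(last),
    }


def matches_library(ip: str, prefixlen: int) -> bool:
    """Cross-check the hand method against ipaddress (strict=False clears host bits)."""
    byhand = subnet_by_hand(ip, prefixlen)
    n = ipaddress.IPv4Network(f"{ip}/{prefixlen}", strict=False)
    return (
        byhand["network"] == str(n.network_address)
        and byhand["broadcast"] == str(n.broadcast_address)
    )


if __name__ == "__main__":
    for ip, plen in (("192.168.1.77", 26), ("172.16.37.200", 20), ("10.0.0.5", 30)):
        print(ip, f"/{plen}", subnet_by_hand(ip, plen), "ok" if matches_library(ip, plen) else "MISMATCH")
```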



Interconnecting layer 3 switches

Hi everyone, I need to make a network for a networking exercise. The network consists of two ISPs, 2 routers (each one of them connected to one ISP, say, router A with ISP A, and router B with ISP B). Those routers are connected to a layer 3 switch (the main switch) which is going to be connected to another 5 layer 3 switches, each of them with 16 computers per switch connected, for a total of 80 PCs. The thing is, our tutor wants us to interconnect the 5 switches between them and to the main switch using a topology; I'm using hybrid star ring (the ring is connecting the 5 switches between them and to the main one, and the star is for the 16 computers per switch). I am not sure if this is the correct way to do it, as I've read that if I were to connect the 5 switches to the main one using, say, extended star, those 5 routers would be interconnected and able to communicate between them. Any help would be appreciated.