Saturday, August 3, 2019

Wifi not connecting on specific devices

Hey guys, I have a Technicolor modem DW0100. The wifi is connecting on all devices except two Galaxy Note 4s: the wifi gets saved but does not connect. Any fixes?



STP or VPLS over L3 for different sized site to site links?

We are building a branch location with a few hundred users. The HQ location is connected to the branch location with a 10Gbps wavelength point-to-point circuit from $ISP1 and a 1Gbps VPLS point-to-point circuit from $ISP2.

The branch is physically less than a mile away from the HQ location and latency on either path is < 1 ms.

We have Aruba 2930F access switches, 5406R campus core switches, and 3810M datacenter top of rack switches. Topology will be:

    [2x palo alto VM100's as gateway routers for all vlans]
                              |
    [Stack of 2x 3810M switches in datacenter top-of-rack]
              |                          |
       [10G-Wavelength]              [1G-VPLS]
              |                          |
    [VSF Stack of 2x 5406R ZL2 switches as Campus Cores]
          |                 |                    |
    [Access Stack 1]  [Access Stack 2]  ....  [Access Stack N]

The Palo Alto VM100's are the gateway for all access vlans.

So my question is, should we stretch our vlans across the 10G Wave and the VPLS, and use STP to block the 1G VPLS?

Or, should we route across the wave and the VPLS and run VXLAN across the routed underlay?

Another approach?

How would you handle this where you have a branch location with 2 different sized links back to HQ, and the campus location has NO routing, DNS servers, DHCP servers, or anything other than L2 switching?



Wifi network using TP link RE450 extender keeps dropping connection

My girlfriend and I have our PCs set up in the same room, both using a USB wifi adapter. Sometimes while playing games one of our connections will just suddenly drop for 10 seconds and come back. What could be causing this? It can happen to either of us at any given moment, but it's usually only one PC that is affected. It seems to be directly related to the TP-Link extender.



Risk of running WAN and LAN traffic on same switch (different VLANs)

I'm in the midst of designing an HA setup for my SMB network and I've realized that in order to run CARP for the public WAN IPs I need to have our two internet connections (primary 100/100 fiber and 10/10 secondary cable) come in through a managed switch.

Given my current infrastructure, I have a managed switch (Aruba 2930F) which also runs several internal VLANs with some free ports and I'm thinking that the simplest solution would be to use those with a couple of dedicated VLANs for the two internet connections.

I'm trying to think up possible risks if I go with this solution. DoS seems unlikely to hurt anything given that we only have 100 Mbit/s of bandwidth (plus our ISP would stamp it out pretty quickly). With the switch not doing any routing and basically being passive for the WAN traffic (aside from tagging traffic going to the routers/firewalls), is there really much of a security risk here?

Ideally, I'm sure the best alternative to this solution would be a dedicated switch, but all I have on-hand are some basic 8-port Netgear managed desktop switches... I'm sure they'd be reliable enough given what they'd be doing, but would that be better than using the enterprise-level switch?

Anyone have any advice or suggestions?



How do we rename BGP Communities (serious)

Seriously, is there any way to discuss in an IETF meeting the renaming of BGP communities to something more meaningful (e.g. BGP tags)? Is submitting an RFC for such a topic meaningful? It's not the biggest problem on the Internet, but why be stuck with a bad name forever? Router vendors could just keep the existing community commands and add an alias with the same name to keep backward compatibility.



Cisco Multicast/IGMP Proxy without pim?

I had a Cisco C897VA connected to a VDSL2 circuit and have upgraded it to a Cisco C1100 connected to an Ethernet circuit. The data side works fine, but there was a multicast service (IPTV) also provided by this circuit and it no longer works. I'm wondering if what I want is possible in Cisco or if I'll have to find an alternative somehow.

In order for the IPTV to work, the device in VLAN 20 sends an IGMPv3 Join message which must be forwarded to the provider outside of PPPoE encapsulation (so on Ethernet 0/0/0 rather than the dialer interface). On the 897VA I could use a bridge interface to bridge VLAN 20 and the Ethernet0 interface so the join requests worked. On the C1100 these are WAN ports and so the bridging command is not available.

The provider utilizes PPPoE for the connection. So on both routers I have a dialer interface for the PPPoE and the actual interface for the physical connection (Ethernet0 for the C897 and Gi0/0/0 for the C1100). The default route is learned via PPP via the dialer interface.

Does Cisco support any way in which I can forward any IGMP join requests sent on VLAN 20 directly out interface Ethernet 0/0/0? Is there some IGMP setup I've missed or is this just not possible?



Monitoring multi-vendor network

What's your take on monitoring multi-vendor networks? Consolidate everything to single software, pipe everything from vendor's different tools to single software or just have them all running and send emails?

We have a few different vendors; for example we have Cisco and Aruba in the wireless. I guess we can't really get rid of Prime or Aruba's Airwave/MM stuff as they're used to manage the networks also and not just monitor. Also they of course have lots of pre-built stuff to analyze their own devices, so leveraging that would be great. Meaning that Prime/Airwave can probably do a lot better analysis of the wireless network than, for example, SolarWinds could do if we sent logs there.

However running multiple different monitoring systems is complex and you're never really sure if everything is monitored similarly on the Cisco side as it's on Aruba side. Or how the other vendors are monitored...

Airwave, Prime or IMC aren't that good for constantly polling the interface usage or monitoring syslogs, so we'd need an AKiPS/LibreNMS installation and maybe some sort of SIEM or Graylog too, so more software in the mix. And let's throw in a Zabbix to consolidate all the alarms (but not the logs) :)

I'm wondering if it would make sense to have the vendor stuff for their gear, and figure out if Prime or Airwave is better for those other vendors (to get the basic ping etc. monitoring going too). Then configure LibreNMS to just poll interface usage and error info, nothing else. And then glue everything together with FortiSIEM (which can also take configuration backups from the devices). FortiSIEM could also do PING/SNMP monitoring, but I'm not really sure if it's the right tool to use as an NMS. Maybe we could even save some money on the SIEM licensing, as it would be something like 160 EUR per device perpetual with 5y support if we just send logs from Airwave and Prime to the SIEM.

Any ideas or thoughts? Thanks!



How does one go about learning physical network setup and maintenance?

I have an IT background in programming. I have come to realize I prefer blue-collar physical work to sitting down and programming. I don't want to throw away my IT background because I make good money.

I was thinking of trying to get into physical network setup both LANs and WANs. Maintaining servers physically and perhaps as a sysadmin too, but for lots of servers. If something goes wrong physically fix it and stuff.

I know in the past Cisco was big. Not sure if this is still the case? Maybe it is some Chinese company now.

How can I go about learning this in my 30s?



Contractor to Fed?

Would you guys consider taking anywhere from a 15 - 30% pay decrease to move from a network engineer contractor position to a fed equivalent? I'm single with no kids. Coming up on 40 years old. D.C. Area. Have any of you made the switch (or vice versa?)



Port mapping

I have a huge project coming up and need to gather information from 90 to 130 IDFs, all Cisco. What software can I use to see if the model is EOL and pull ports that are not being used and have never had any traffic on them? Also pull show inventory, show version, sh cdp, sh lldp, and pull the running-configuration.

thank you



New Wireless Router, Hostnames no longer working

Hello, I bricked my old wireless router trying to update it.

I bought a new router, it's a TP-LINK TL-WR940N.

Anyways, even with DHCP enabled I cannot ping anything by hostname.

The hostnames are registered with DHCP.

Any ideas? I know it is something in my router. I looked at all the settings in my router and I don't see anything I can change to make the hostnames work.

Any suggestions or ideas on why it does not work anymore?

I think it is my router, as I was able to use hostnames with my old router.



Popular VPN/mtu settings seem backwards to me - Where do I have this wrong?

I must be misunderstanding how to use MTU with VPNs. At this point, I am focused on a UDP VPN with UDP traffic inside of it. I recognize the man page says:

--link-mtu n Sets an upper bound on the size of UDP packets which are sent between OpenVPN peers. It's best not to set this parameter unless you know what you're doing.

I'm not hoping for answers of "do what everyone else does, use fragment and mssfix". I'm instead hoping for "know what you're doing" knowledge.

There's:

  • link-mtu : The maximum packet size ignoring the tunnel, including VPN overhead ("double" IP/UDP headers, encryption/etc.)
  • tun-mtu : The maximum packet size for the tun adapter, inside the tunnel, and ignoring VPN overhead.

Several popular VPNs and many examples online set the tun-mtu to 1500, for inside the tunnel. This seems completely backwards to me. When I look at what's being sent out to the internet in Wireshark, during large transmissions, I see fragmented packets alternating between 1500 and 85 bytes. This looks to me like unnecessary fragmentation, with increased overhead and twice the chance for transmission error.

The maximum non-jumbo Ethernet frame size is 1518, with 18 being Ethernet headers. So, the maximum mtu that could ever be used when transmitting across the internet is 1500. If a higher mtu is used, the packet either needs to get fragmented by the device (probably customer's router, but potentially at the ISP) handing it off to another with 1500, or it will just get dropped. Everyone's maximum mtu across the internet isn't 1500, it can be less.

FWIW, my physical connection supports a 1500 MTU. (I can ping outside with don't-fragment set using 1472 bytes, plus the 20-byte IP and 8-byte ICMP headers, and 1473 bytes fails as expected.)

Shouldn't the goal for a VPN be to make the actual across-the-internet packets a maximum of 1500, to maximize packet size while preventing what could be a single packet from being fragmented? (Or, maybe a bit less if they wanted to do so since some customers will have less, at the cost of those who do have 1500.)

I have this feeling my reasoning must be flawed, because the man page suggests not using link-mtu, and several popular VPNs (who should "know what they're doing") make their config files include:

tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 

When I connect, it shows adjusting link-mtu to 1657, and sets the new tun device mtu to 1500.

Shouldn't a VPN set link-mtu to a maximum of 1500 or a bit less, allowing OpenVPN to calculate a tun-mtu of a bit less, and setting up the tun adapter with the appropriate MTU, also a bit less? (I'd think these would be the same, but as I'll mention in the next paragraph, they aren't.)

My reasoning seems to make sense, because if I edit the config file to have link-mtu 1500, OpenVPN says tun-mtu is 1375 (including being 3 less because of peer-id) and the tun device is 1447. (Not sure why tun-mtu and tun device mtu are different by 72.)

If I then perform an outgoing UDP benchmark with UDP packet size 1419 (28 less than the tun mtu of 1447, due to 20 IP bytes and 8 UDP bytes) and look at wireshark, I see only 1500 byte packets being transmitted out to the internet, at least during the large transmission. Seems clean.

If I use their configuration and allow a UDP packet size 1472 (28 less than tun mtu of 1500) and look at wireshark, I see fragmented outgoing packets, alternating between 1500 and 85 bytes.

Using my configuration, my outgoing UDP benchmark increases by 48%, and becomes much more consistent.

Unfortunately, even using my configuration, their server has its own configured mtu value, so I have no way to increase my incoming bandwidth, unless I convince them to change their server configuration.

Which doesn't seem likely to happen, since it looks like everyone's doing it the way that seems backwards to me.



Can my CenturyLink C3000z router limit users' download speed? So they don't take up too much network.

As suggested by someone, I looked into QoS and that led me nowhere. QoS does not seem to have options to limit download speed per specific user.

I was hoping you guys can tell me if my router supports per client bandwidth throttle and how I can set it up.



Friday, August 2, 2019

Cisco ASA S2S VPN, no encaps only decaps

I'm trying to ping across a S2S VPN but it's failing, phase 1 is MM_Active, phase 2 has 0 encaps and some decaps.

access-list OUTSIDE_cryptomap_3 extended permit ip 10.10.12.0 255.255.255.0 10.134.151.0 255.255.255.0

  local ident (addr/mask/prot/port): (10.10.12.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.134.151.0/255.255.255.0/0/0)
  current_peer:
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 9382, #pkts decrypt: 9382, #pkts verify: 9382

I'm sourcing a ping from Site A (3rd-party FW) to Site B (this Cisco ASA and stats). When I run a capture on Site B's server I don't see the ping come in. When I capture on the ASA's inside interface I don't see it come in. It seems to be getting dropped between the tunnel and the inside interface.

Any help is appreciated.



Is 802.1p pointless?

Is it pointless setting up 802.1p considering when it reaches WAN it doesn't matter?



Question regarding making ethernet cables

When you're testing a CAT 5e cable after crimping it, if the tester says some of the pins are Short or Open, does it mean it's a bad crimp?



ISP Data Cap Overhead / Usage Calculations

This month I hit my data cap (again) and after looking up how accurate ISP data usage meters really are, it got me thinking about something.

With ISP data caps measuring traffic in/out of the modem WAN, if you were to start sending broadcast packets out to the network broadcast IP (or maybe ARP requests to a group of IP addresses within your subnet), would this eat away at every modem's data cap that is also on the same subnet as your IP? Or are ICMP / broadcast packets not counted towards the data cap?

Anybody have details (or theory) on how data usage is actually calculated?



Stupid question i know.

I put in 20 keystones into a building, wiring them with the type A configuration; obviously it's supposed to be type B (which I didn't remember at the time), but at this point the job's too far along. For my patch panel, if I use type A on that, will it still work, or is it pointless and I'll have to switch back?



Serial ports on managed network switch important?

A little new to networking and looking to get a switch. Found one at a decent price but the serial switches are not functional.

How important are they?

ADD: I was thinking I could configure SoE?-



3650 trunk port err-disabled after upgrade to 16.3.8

After upgrading a standalone Catalyst 3650-48PD-E IP Base switch that has a single fiber cable trunk connected to the main 3650 access switch stack for its path outbound to the Internet, we had the switchport for the trunk go err-disabled on the standalone switch after it came up from the reboot after the upgrade process. We upgraded from 3.6.6E to 16.3.8. I had performed the same upgrade without issues on other offices that are configured in this way.

We don't prune vlans on this trunk, pvst is running on both, BPDUguard is not on this port, and both switches have the same vlan configuration and are running VTP.

I didn't see a message about the port being err-disabled in the syslog, just a message about it being blocked by spanning tree and some link flaps. I looked it up, and the STP syslog message below suggests native vlan was set to different vlans on either side of the trunk, but both switches don't specify a native vlan so it should default to vlan 1, and currently both are trunking native vlan 1.

I was able to recover from this problem by doing a shut / no shut on the impacted interface gi1/1/1, and we didn't get spanning tree messages after that, the port came up without issue. I'd like to better understand what happened so I can control for it when I upgrade other offices with similar setups. Does it look like the err-disable status is from link flap, and is the STP syslog message unrelated to the err-disable status? STP should only block, not errdisable, as there is not BPDUguard on this port. Errdisable flap-value for link flap is the default of 5 flaps in 10 seconds, but we saw 3 flaps in 10 seconds. Would errdisable recovery cause link-flap help in this case? Is this a known bug?

Syslog from the standalone switch after rebooting from the upgrade below. This shows what happened before the port went errdisabled, but there wasn't an entry in syslog for the port going errdisabled.

000259: *Jul 30 20:44:24: %LINK-3-UPDOWN: Interface GigabitEthernet1/1/1, changed state to down
000266: *Jul 30 20:51:16: %LINK-3-UPDOWN: Interface GigabitEthernet1/1/1, changed state to up
000271: *Jul 30 20:51:18: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 3 on GigabitEthernet1/1/1 VLAN1.
000272: *Jul 30 20:51:18: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/1/1 on VLAN0001. Inconsistent local vlan.
000273: *Jul 30 20:51:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
000276: *Jul 30 20:51:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
000277: *Jul 30 20:51:26: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
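As an added triage example (not from the post), this script parses the syslog lines quoted above, counts line-protocol transitions per interface inside a sliding 10-second window against the default of 5 flaps the post mentions, and extracts the peer/local VLAN pair from the SPANTREE PVID messages. It assumes one line-protocol state change counts as one flap, which is an approximation of how the platform counts them.

```python
import re
from datetime import datetime

# Syslog lines copied from the post above (the switch's own output, not constructed).
SYSLOG = """\
000259: *Jul 30 20:44:24: %LINK-3-UPDOWN: Interface GigabitEthernet1/1/1, changed state to down
000266: *Jul 30 20:51:16: %LINK-3-UPDOWN: Interface GigabitEthernet1/1/1, changed state to up
000271: *Jul 30 20:51:18: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 3 on GigabitEthernet1/1/1 VLAN1.
000272: *Jul 30 20:51:18: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/1/1 on VLAN0001. Inconsistent local vlan.
000273: *Jul 30 20:51:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
000276: *Jul 30 20:51:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
000277: *Jul 30 20:51:26: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
"""

# IOS syslog shape: "<seq>: *<Mon> <day> <hh:mm:ss>: %<FACILITY>-<sev>-<MNEMONIC>: <message>"
LINE_RE = re.compile(
    r"^\d+: \*(?P<mon>[A-Za-z]{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d): "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)
UPDOWN_RE = re.compile(r"Interface (?P<iface>\S+), changed state to (?P<state>up|down)")
PVID_RE = re.compile(r"peer vlan id (?P<peer>\d+) on (?P<iface>\S+) (?P<local>VLAN\d+)\.")

def parse(text, year=2019):
    """Return (timestamp, mnemonic, message) tuples; IOS timestamps carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {int(m['day'])} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["mnemonic"], m["msg"]))
    return events

def link_flaps(events, iface, window_s=10, threshold=5):
    """Largest number of LINEPROTO-5-UPDOWN transitions for iface that fall inside any
    window_s-second window, compared with the errdisable link-flap threshold."""
    times = []
    for ts, mnemonic, msg in events:
        if mnemonic != "LINEPROTO-5-UPDOWN":
            continue
        m = UPDOWN_RE.search(msg)
        if m and m["iface"] == iface:
            times.append(ts)
    times.sort()
    best = 0
    for i, start in enumerate(times):
        in_window = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_s)
        best = max(best, in_window)
    return {"max_transitions_in_window": best, "exceeds_threshold": best >= threshold}

def pvid_inconsistencies(events):
    """(interface, peer vlan id, local VLAN) for every SPANTREE-2-RECV_PVID_ERR message."""
    found = []
    for _, mnemonic, msg in events:
        if mnemonic != "SPANTREE-2-RECV_PVID_ERR":
            continue
        m = PVID_RE.search(msg)
        if m:
            found.append((m["iface"], int(m["peer"]), m["local"]))
    return found

if __name__ == "__main__":
    ev = parse(SYSLOG)
    print(link_flaps(ev, "GigabitEthernet1/1/1"))
    print(pvid_inconsistencies(ev))
```

For the quoted log this reports 3 transitions inside 10 seconds (below the default of 5) and a peer VLAN 3 against local VLAN1 on Gi1/1/1, which separates the two questions the post raises.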


Reasons for why channel 14 of the 2.4Ghz band is not approved by the FCC for use

Thread title, is it because channel 14 starts at the end of channel 11? I believe I read that this band is allowed to be used in places like Japan. I'm just wondering if there's a reasoning why it isn't allowed in the US. This is purely a question for my own sanity.



PBR ECMP using Recursive Next Hop on Catalyst 3650

Hi,

I was trying to do PBR ECMP on Cat3650 using recursive next hop and running into issues that the RouteMap has unsupported options. Software Version was 3.7.5E.

I created a small topology of 2 L3 Ports (20.1.1.1/30 20.1.1.5/30) having one L3 next hop (20.1.1.2, 20.1.1.6) each on them (directly connected).

I created a recursive next hop 30.1.1.1 which is reachable via 20.1.1.2 and 20.1.1.6 (equal cost). The route-map has set ip next hop recursive as 30.1.1.1 and I expect traffic to be load balanced between the 2 next hops.

This is the switch:

Switch Ports Model          SW Version  SW Image               Mode
------ ----- -----          ----------  ----------             ----
*    1 28    WS-C3650-24PD  03.07.05E   cat3k_caa-universalk9  INSTALL

This is the syslog seen:

*Aug 2 05:58:16.207: %PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map pbrmap2 has unsupported options for Policy-Based Routing. It has been removed from interface, if applied.

Here is the output from switch:

cisco1#sh route-map pbrmap2
route-map pbrmap2, permit, sequence 10
  Match clauses:
    ip address (access-lists): pbr1
  Set clauses:
    ip next-hop recursive 30.1.1.1
    Nexthop tracking current: 30.1.1.1
    30.1.1.1, fib_nh:3CD08684,oce:38175DF4,status:1
  Policy routing matches: 0 packets, 0 bytes
cisco1#sh ip route 30.1.1.1 255.255.255.255
Routing entry for 30.1.1.1/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 20.1.1.6
      Route metric is 0, traffic share count is 1
    20.1.1.2
      Route metric is 0, traffic share count is 1
cisco1#
cisco1#sh run
cisco1#sh running-config in
cisco1#sh running-config interface vl
cisco1#sh running-config interface vlan 10
Building configuration...

Current configuration : 60 bytes
!
interface Vlan10
 ip address 10.10.1.1 255.255.255.0
end

cisco1#sh logging
*Aug 2 17:11:20.433: PBR Nexthop Callback invoked: 3A5FA628, (30.1.1.1) tableid 0, status: 2,type: SET NEXTHOP RECURSIVE
*Aug 2 17:11:20.433: map: pbrmap2, sequence: 10
PBR Control Plane Notification: 30.1.1.1 PBR_CP_SET_NEXTHOP_RECURSIVE
*Aug 2 17:11:20.433: PBR CP Notification sent: Type:SET NEXTHOP RECURSIVE, 30.1.1.1SW_OBJ_TYPE: 1D, SW_HANDLE: 3D2D41B0
*Aug 2 17:11:26.899: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to up
*Aug 2 17:11:27.897: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to up
*Aug 2 17:11:27.902: PBR Nexthop Callback invoked: 3A5FA628, (30.1.1.1) tableid 0, status: 2,type: SET NEXTHOP RECURSIVE
*Aug 2 17:11:27.902: map: pbrmap2, sequence: 10
PBR Control Plane Notification: 30.1.1.1 PBR_CP_SET_NEXTHOP_RECURSIVE
*Aug 2 17:11:27.903: PBR CP Notification sent: Type:SET NEXTHOP RECURSIVE, 30.1.1.1SW_OBJ_TYPE: 15, SW_HANDLE: 38175DF4
*Aug 2 17:14:17.542: %PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map pbrmap2 has unsupported options for Policy-Based Routing. It has been removed from interface, if applied.

My question is whether it's not supported by this platform, or not in this software release on this platform.

Or am I doing something fundamentally wrong here :) Any pointers will help.



Network/Cable testing

Hi,

I've been asked to look at an issue whereby users in a certain area of the office are experiencing frequent issues with their computers for a long time and we have a feeling it might be to do with network performance.

We recently had cable testers come in and they reported that everything is ok as far as they can see. Is there software I can run to do such a test to see how it performs over time. Maybe there is only EM interference at a certain time of day?

What is odd is that we have other users who are plugged into the same switch but a different area of the floor who don't have issues which is why I thought it might be a localised cable issue.

I've been using simple "net statistics" commands which aren't showing much so far but is there something which is more detailed.

Thanks,



Question for the big brained hive mind. How to find the MAC address of the passive member of an active/passive teamed NIC.

We are in the process of a data center migration to application-centric ACI. We currently have all layer three in the DC routing via ACI network-centric mode with most devices traversing L2Out for their respective VLANs. Right now we just have a couple of 10Gb connections between ACI and our old core, so our current step is to directly connect the ToR switches to ACI leaf switches.

The documentation has not been kept up to date (as per the usual, I find), so I've written a series of scripts to identify what device is on every legacy port in the DC. It grabs the MAC address table from each ToR switch, then does a lookup against a list of MACs provided by our sysadmins; failing that search, it grabs the endpoints table from ACI and looks up the IP, then does a reverse DNS lookup to determine server/device name; failing that, it looks in the old core's ARP table. Once it has that info it dumps it into an Excel spreadsheet to assist with planning the move (it also grabs port config and a few other things, mainly because more data is better).

The problem that I'm running into is servers that have teamed NICs in active/passive mode. The passive NICs don't talk much, so the entries age out of the cam tables, which means I can't find them. Which leads to my question.

Does anyone know how to make these passive NICs talk (without disconnecting the active) so that I can find them? The servers are mostly HP of all ages and lineages, with a few Dells thrown in for good measure. Does anyone know of an HP tool that would do that, or any other tool for that matter? Pretty sure that I'm pissing in the wind and we'll just have to do it the hard way, but it's worth a shot asking the big dawgs out there in Reddit land.



Cox Business DNS - conflicting issue/server info received

Hi all,

For one of our clients with an East Coast office near Boston, MA, I'm receiving conflicting info on which DNS servers, granted by their ISP, to use with the LAN.

Their Cox cable modem receives the following 3 DNS servers via DHCP from Cox upon boot: 68.105.28.11 68.105.29.11 68.105.28.12

Calling their support and the Cox business support site both say to use the following DNS servers: 68.105.28.16 68.105.29.16 (https://www.cox.com/business/support/domain-name-services-mail-exchange-hosting-and-dns-server-information.html)

Performing a traceroute shows 5 hops from their modem to all IP's, with similar response times on each hop through to the final destination IP:

traceroute to 68.105.28.11 (68.105.28.11), 64 hops max, 72 byte packets
 1  192.168.0.1 (192.168.0.1)  1.376 ms  0.982 ms  0.922 ms
 2  10.1.216.1 (10.1.216.1)  7.675 ms  7.791 ms  7.631 ms
 3  100.120.244.72 (100.120.244.72)  9.566 ms  8.348 ms  10.322 ms
 4  100.120.244.54 (100.120.244.54)  11.626 ms  14.604 ms  24.376 ms
 5  cdns1.cox.net (68.105.28.11)  9.997 ms  8.628 ms  9.455 ms

traceroute to 68.105.29.11 (68.105.29.11), 64 hops max, 72 byte packets
 1  192.168.0.1 (192.168.0.1)  2.290 ms  0.925 ms  0.960 ms
 2  10.1.216.1 (10.1.216.1)  7.071 ms  7.057 ms  7.726 ms
 3  100.120.244.72 (100.120.244.72)  9.186 ms  8.754 ms  9.394 ms
 4  100.120.244.54 (100.120.244.54)  8.157 ms  8.271 ms  7.615 ms
 5  cdns6.cox.net (68.105.29.11)  8.550 ms  8.155 ms  9.322 ms

traceroute to 68.105.28.12 (68.105.28.12), 64 hops max, 72 byte packets
 1  192.168.0.1 (192.168.0.1)  2.276 ms  0.966 ms  0.928 ms
 2  10.1.216.1 (10.1.216.1)  7.548 ms  17.955 ms  7.928 ms
 3  100.120.244.72 (100.120.244.72)  9.668 ms  10.047 ms  8.575 ms
 4  100.120.244.54 (100.120.244.54)  8.645 ms  8.465 ms  8.713 ms
 5  cdns2.cox.net (68.105.28.12)  8.235 ms  8.738 ms  7.190 ms

traceroute to 68.105.28.16 (68.105.28.16), 64 hops max, 72 byte packets
 1  192.168.0.1 (192.168.0.1)  2.993 ms  0.948 ms  1.636 ms
 2  10.1.216.1 (10.1.216.1)  8.869 ms  12.140 ms  8.877 ms
 3  100.120.244.72 (100.120.244.72)  8.243 ms  11.333 ms  8.133 ms
 4  100.120.244.54 (100.120.244.54)  7.721 ms  8.360 ms  9.066 ms
 5  68.105.28.16 (68.105.28.16)  9.121 ms  9.061 ms  7.796 ms

traceroute to 68.105.29.16 (68.105.29.16), 64 hops max, 72 byte packets
 1  192.168.0.1 (192.168.0.1)  2.270 ms  0.968 ms  1.072 ms
 2  10.1.216.1 (10.1.216.1)  35.242 ms  8.462 ms  7.867 ms
 3  100.120.244.72 (100.120.244.72)  9.031 ms  7.414 ms  9.172 ms
 4  100.120.244.54 (100.120.244.54)  8.185 ms  7.169 ms  8.253 ms
 5  68.105.29.16 (68.105.29.16)  8.437 ms  10.793 ms  19.922 ms

Can anyone here with hopefully similar Cox service advise what DNS servers should be used here?

I find it odd that the modem receives different DNS servers than those recommended by Cox support and the Cox support page I posted above.

Thanks all.



PC can reach server but Android tablet can not?

I have a guest WiFi setup and when connected, Android tablets can not reach the server but PCs can. Tablets can't even ping the server.

Does Android handle something differently?

Any Android tools I could use to diagnose the issue further?



MC-LAG and revert time out issue with Ciena<->Cisco configuration

I am currently configuring MC-LAG between two Ciena 3916 and one Cisco 3560CX. On top of that, I have BGP configured on an SVI that is added as a trunk on the Po interface in the Cisco router.

Ciena (Main) 3916_CE01 Port 1---> Cisco 3560_CPE Gi0/2

Ciena (Bak) 3916_CE02 Port 1---> Cisco 3560_CPE Gi0/4

Everything seems to work fine including the switch over from main->backup when simulating power failure on the main CE and/or uplink fibre break.

The only issue I have (and quite game-breaking) is when the main CE01 revert timer (default 5mins) finishes and takes over from the backup CE02 I can see my SVI going down, which then brings BGP down and I get a 40-45 secs outage. The reason why the SVI goes down is that the interface that was UP/UP and working fine at the time of the revert (Gi0/4), goes down BEFORE the main interface goes up (Gi0/2) for 1ms or less.

I have tried this with multiple OS and different Cisco boxes - I wanted some feedback regarding if this is the intended behavior on MC-LAG/LACP or if the issue is more Layer 8, before going back to Ciena and asking them why their CE drops the up/up interface before bringing up the backup one.



Cabling New Network with 280 odd devices (need help/advice on how to make it easy with open-source or any other tool)

Hi All,

This is Jess, hope you all are doing good.

I am not sure if this is the right place to ask a question or should I ask it in a different forum.

Our company has planned to set up 10 new offices and each office is going to deploy about 28 devices in spine and leaf topology.

My dilemma is how can I easily create a spreadsheet to send it to the cabling guys to patch the cables.

Each office will have 4 core switches, 8 aggregation switches and 16 access layer switches.

I would like to make a spreadsheet where I can say as an example:

Core SW 1 port 1-3 goes to AGG SW 1 port 1-3

Core SW 1 port 3-6 goes to AGG SW 2 port 1-3

Like this, it would keep going down and once completed I would have to do the same from AGG SW to Access layer SW.

Is there a way I can predefine in Excel what connections I would like to have, and have the rest populate on its own?

Is there any tool or spreadsheet that is available that could help me to get this to cabling team to patch the devices to the appropriate ports?

X

Jess



What could cause a DNS to resolve to 127.8.0.x?

I have a problem I can't work out.

Client is using the Fortinet client and FortiGate firewalls for VPN services. I can't go into specifics of config, but here's the problem I'm seeing. Basically, a user connects to the VPN with an IP range of say, 192.168.154.x, and the DNS they're given (which is routable) is 192.168.0.20.

Now, DNS works fine, internet connectivity works fine, everything is going great, until about 15 minutes in, when Outlook and Skype stop working until the VPN tunnel is torn down and restarted. BUT, while the tunnel is still up, a traceroute and nslookup to outlook.office365.com swaps from its expected CNAME IP address to 127.8.0.77 or 127.8.0.127.

What could potentially be the cause of this? I swear it's something the remote DNS is doing, but the client claims the DNS is OK. I have a head-scratcher here I can't get past.

I had originally thought maybe the DNS server was also hosting some tunneling service or was doing some weird O365/Azure ExpressRoute tunnelling (you know, loopback on a different port for some outbound service handling), but the client says they're not doing any of that, and anything on their network that's not in the VPN tunnel sees the true O365 DNS, so it kinda rules out something funky in the client's group policies. Only VPN users are affected, but the VPN uses the same path as the unaffected corporate fixed traffic, hence why I tend to dismiss the VPN itself as the issue.



New Router/Modem Recommendations

So at my workplace currently we have a really old Cisco 800 Series router and we are looking to get a new one.

However we have been given a budget of only £200 and the new one needs to support:

- VDSL

- IPsec VPN

- Gigabit Connection

Any suggestions, if possible at all with that budget?



This took me WAY too long to figure out. Sometimes the patch cable *isn't* the problem...

Just finished wiring up a new wall drop and did a routine TDR test on the switch to confirm everything was good. TDR showed an open on pair D right on the switch rack (https://imgur.com/qEWhabN). Looked at the patch cable, one of the brown wires looked a bit marginal so I re-crimped it. Still no go.

I spent a while looking around the rack jiggling things, inspected the punch-down connection on the patch panel, and everything looked good.

Then I had the bright idea to look at the switch port... https://imgur.com/4ImqSac. Welp.

On the plus side, this is going to a lab bench that had lots of very expensive 10/100 gear on it so I can just mark the wall drop "100M only" and not have it be too much of a problem. Still annoying though.



Thursday, August 1, 2019

Learn to cable from scratch

I want to learn how to cable a network. I might be going into a job (learning everything on the job, but I want to learn some things beforehand so I don't look like a muppet). I'm talking about taking switches and computers, and learning the intricacies of connecting them together from scratch. Is there any place you guys would recommend to learn this stuff?



MX80 queuing license

Hi Team

Quick question for someone who has access to an MX80/MX104. I want to confirm if the S-MX80-Q per vlan queuing license on an MX80 is enforced? We've been offered a few of these boxes for a small POP deployment and they're not worth using if we have to purchase licensing for them.

Cheers!



Can I connect Router to Mesh network?

Hello Network experts! I've a curious problem. My current networking set up is a modem to which I have connected a Mesh Primary node (TP-Link MW5). The primary node has an Ethernet wire connected to a switch to which I hardwire my Smart TVs, Z wave hubs, etc. I have two secondary nodes.

Recently, with a desire to be able to access my garage door, I bought a WiFi controller which is the same brand as my garage opener. Unfortunately, my garage controller does not want to connect to my WiFi. It does mysteriously connect to a phone hotspot. With this in mind, I was wondering if I could connect a router to one of the Ethernet ports on the switch or on the secondary node and then potentially connect the garage controller to that. What do you think? Any other solution for a not-so-savvy network guy?



fluke networks linkrunner at 2000

Bought the linkrunner at 2000 (fluke networks version). Cheap at eBay. Does the job well but I am on version 1.1.2

Wondering if there is a newer version available. Can't find it on their webpage as every link seems to be broken, and there is a NetScout version that needs extended services.



Fortigate log; action=timeout?

Is it possible to identify whether the response was missing from the source or destination, apart from capturing the traffic at the client or server? This happens randomly, and I'm having a hard time telling who is not responding that causes the session to be timed out.



Tools?

Any tools that are must-haves? I’ve got a good toner, punch down, crimp tool, lineman’s scissors and jacket cutter. Looking at something like the Netscout Linksprinter to troubleshoot cable and PoE issues. Is something else recommended?



Taking an HTTP server's IP resulted in WiFi connection failures

The situation:

I have a server that only serves HTTP with an assigned IP. My firewall forwards all HTTP requests to an external address to this server's IP.

I foolishly changed the MAC assigned to this IP address to my own machine as we were clearing out stale assignments and it wasn't responding to ping.

This morning, our guest WiFi could not reach any outside addresses. Our other two wireless networks would take several minutes to get an IP, could barely communicate with any internal addresses and could not reach any outside addresses.

  • A wired connection did not have this problem.
  • The wireless is not on a separate VLAN.
  • When I checked the server from its other IP, it did not have an IP assigned to the NIC whose IP I stole.

It was mentioned in a comment when I posted this in sysadmin that it was due to ARP cache, but, again, it only affected wireless clients.

Changing the MAC back fixed the issue. I'd like to understand the how/why only wireless clients were behaving this way.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Took a tour of a large SCADA room at a client’s office, and was shunned for calling it a NOC.

I took a tour of a large SCADA center which aggregates, monitors, and controls equipment and sensors over a national network of remote equipment. Am I wrong that a SCADA is just a subset/type of NOC? They looked at me like I had three heads.

...Whoops?



Racking my brain (VPN Queries, Juniper)

Hey Guys,

I've been racking my brain and can't think of the best way to do the below.

Requirement:

Our customer requires a VPN to be established via a 4G/LTE modem plugged into a DrayTek, and the IP address will be dynamic. These VPNs will be connecting to one of our core Juniper SRX devices.

For the life of me, I cannot think of the best way to implement this. I was looking at the Juniper Dynamic VPN config, however I read that you require a VPN client for this to work.

Note: there will be 50+ sites having to connect back

Is this even possible?



How to connect remote office to data center through main office?

Hi all,

First off, I am no networking expert by any means... but here is what I am trying to accomplish.

My MainOffice has a firewall and a direct VPN connection to our hosted Data center.

The RemoteOffice has a firewall and a direct VPN connection to the MainOffice.

Only the MainOffice has needed access to the data center until today. Now the RemoteOffice is requesting access to the data center as well. I know I could do another direct VPN connection to the data center from the RemoteOffice, but shouldn't they (the RemoteOffice) be able to connect to the data center THROUGH the existing connection they have to the MainOffice? As it is currently configured, they cannot. I'm not sure where to start looking, so any direction you can point in would be great. MainOffice has a Sonicwall firewall. RemoteOffice has a Cyberoam firewall. I'm guessing that the data center would need to allow return traffic to RemoteOffice subnet, but wouldn't their source be the MainOffice anyway (which they are already allowing)?

Thanks!



Unable to transfer boot image using SolarWinds TFTP

I have a new Cisco ASA 5508-X I am configuring. I have SolarWinds TFTP server set up and running. I have created a local ADDRESS=10.0.0.2 NETMASK=255.0.0.0 GATEWAY=10.0.0.5 SERVER=10.0.0.1 IMAGE=asasfr-550x-boot-5.3.1-152. TFTP server just keeps timing out. I get the message: Interface link did not come up. Timed Out TFTP: Operation terminated. Any ideas on what I am doing wrong?? Thanks.



Limiting Bandwidth being helpful?

I work in a production type setting. We have means to capture data out on the line and feed them back to the office as well as machines on the floor that connect to the network. Would limiting the bandwidth to these ports do anything beneficial?

Just got the thought since the demand from those machines is not that high; the file size of the data is tiny. But with something like 30 of them out there, would limiting them all benefit the bandwidth as a whole?



Apple Thunderbolt Monitor kills network.

Been chasing these random network crashes for a bit now and finally got a good packet capture which led me to this article. https://discussions.apple.com/thread/6443650

This is exactly what was happening and matches the source MAC address too. We only have 4 of these expensive monitors and we've had them for years so I'm not really sure why suddenly one or more was flooding.

Just a random find in case anyone else has run into something similar.



Cisco ISE FTE Support Estimates

Hi all. We have been doing some analysis between NAC solutions and have landed on ISE as our preferred solution. We are in the budgeting process for next year and in addition to the ISE licensing we are wanting to bake in some headcount costs to support the system. Wondering what everyone’s real-world experience is with the appropriate number of staff to support an install.

Here are some considerations to help compare scale:

1) ~22,000 LAN endpoints spread across 60 offices
2) ~1500 VPN endpoints
3) Would be enabling posture checking on VPN connections
4) Would be licensing Plus to allow for device profiling on LAN (i.e., expectation is we won’t need to look at every device connecting but instead only review/approve outliers that don’t fit defined profiles)
5) Quickly growing environment, fairly standard corporate hardware, but probably 100+ new devices at minimum added a month

Let me know how you are comparably staffed to manage ISE in your world!



Brocade two port trunk, one side has one port blocked

I understand on a Brocade TurboIron 24x there are two ways to create a trunk:

Method 1: trunk ethe 1 to 2

Method 2: int e 1 to 2
link-aggregate configure key <key id>
link-aggregate active

I have both ways done on two TurboIron 24x. Method 1 above for two 10gbe cables between switches, and Method 2 for two 10gbe fiber between a switch and a Tegile storage array serving NFS shares.

Issue I have is on switch 2, the method 1 (static trunk) between switches shows the second port, port 19 blocked, and true the LED on that port on the switch is not illuminated. However on switch 1, this same port 19 shows in a "Forward" state and sure enough the LED is lit solid on that physical switch port. How can the link be forward on one switch and blocked on the other, if they are configured the same? Thinking it was a bad Twinax cable, I replaced port 19 between switches with an 850nm SFP+ and a short fiber optic cable. I had the same result where switch 1 showed the port forwarding but switch 2 showed the port blocked.

Here's an output of show trunk on switch 1

Configured trunks:

Trunk ID: 18
Hw Trunk ID: 1
Ports_Configured: 2
Primary Port Monitored: Jointly
Ports  PortName  Port_Status  Monitor  Rx_Mirr  Tx_Mirr  Monitor_Dir
18     10gbe1*   enable       off      N/A      N/A      N/A
19     none      enable       off      N/A      N/A      N/A

Trunk ID: 21
Hw Trunk ID: 2
Ports_Configured: 2
Primary Port Monitored: Jointly
Ports  PortName  Port_Status  Monitor  Rx_Mirr  Tx_Mirr  Monitor_Dir
21     Tegile*   enable       off      N/A      N/A      N/A
22     Tegile*   enable       off      N/A      N/A      N/A

Operational trunks:

Trunk ID: 18
Hw Trunk ID: 1
Duplex: Full
Speed: 10G
Tag: No
Priority: level0
Active Ports: 2
Ports  Link_Status  port_state
18     active       Forward
19     active       Forward

Trunk ID: 21
Hw Trunk ID: 2
Duplex: Full
Speed: 10G
Tag: No
Priority: level0
Active Ports: 2
Ports  Link_Status  port_state  LACP_Status
21     active       Forward     ready
22     active       Forward     ready

Here's an output of show trunk on switch 2

Configured trunks:

Trunk ID: 18
Hw Trunk ID: 1
Ports_Configured: 2
Primary Port Monitored: Jointly
Ports  PortName  Port_Status  Monitor  Rx_Mirr  Tx_Mirr  Monitor_Dir
18     10gbe1*   enable       off      N/A      N/A      N/A
19     none      enable       off      N/A      N/A      N/A

Trunk ID: 21
Hw Trunk ID: 2
Ports_Configured: 2
Primary Port Monitored: Jointly
Ports  PortName  Port_Status  Monitor  Rx_Mirr  Tx_Mirr  Monitor_Dir
21     Tegile*   enable       off      N/A      N/A      N/A
22     Tegile*   enable       off      N/A      N/A      N/A

Operational trunks:

Trunk ID: 18
Hw Trunk ID: 1
Duplex: Full
Speed: 10G
Tag: No
Priority: level0
Active Ports: 1
Ports  Link_Status  port_state
18     active       Forward
19     down         Blocked

Trunk ID: 21
Hw Trunk ID: 2
Duplex: Full
Speed: 10G
Tag: No
Priority: level0
Active Ports: 2
Ports  Link_Status  port_state  LACP_Status
21     active       Forward     ready
22     active       Forward     ready

Here is how that trunk is configured on both switches... at the very top of the config on both it shows:

trunk ethe 18 to 19
 port-name "10gbe1 to 10gbe2 A" ethernet 18

Here's how the trunk to the operational Tegile storage array looks on switch 1

interface ethernet 21
 port-name Tegile Controller A Port 1
 no spanning-tree
 link-aggregate configure timeout short
 link-aggregate configure key 21001
 link-aggregate active
!
interface ethernet 22
 port-name Tegile Controller A Port 2
 no spanning-tree
 link-aggregate configure key 21001
 link-aggregate configure timeout short
 link-aggregate active

And how the trunk to the other Tegile storage array controller looks on switch 2

interface ethernet 21
 port-name Tegile Controller B Port 1
 no spanning-tree
 link-aggregate configure timeout short
 link-aggregate configure key 21002
 link-aggregate active
!
interface ethernet 22
 port-name Tegile Controller B Port 2
 no spanning-tree
 link-aggregate configure key 21002
 link-aggregate configure timeout short
 link-aggregate active

The issue is that yesterday I failed over the Tegile storage array from controller A to controller B. This means the NFS storage traffic to 8 ESXi servers would now originate off of switch 2, so that traffic would have to traverse the switch 2 to switch 1 trunk (ports 18 and 19) back to the "active" vmware adapters. Those vmware storage adapters remain active unless there is a link failure; then and only then would vmware try to talk off of switch 2. I can't use beacon probing instead of link state for failover because I read that for stability you need 3 adapters for this and I do not have a third adapter. So the issue I had was the two IPs on the Tegile storage array claimed to be moved over to controller B, but vmware could only ping ONE of those IPs... all storage mapped via the second IP went (inaccessible) and SSH to an ESXi server revealed I could only ping one of the Tegile IPs. So I'm trying to rule out a networking issue because so far Tegile took our config and put it on one of their lab systems and both IPs we have programmed moved properly to their second controller. However the difference is they just spun their test system up for us, whereas we have 400+ days of uptime on our controller, so they do suggest I reboot controller B and try again... but rather than cause another outage I want to investigate why this inter-switch trunk has one port showing blocked only on one switch.

We have money in the budget to replace the brocades with Arista, however I only have enough money to do 1 Arista switch and then we would be running just 1 switch, or 2 switches but two different vendors (1 arista primary, 1 brocade backup). Next year I can request more money and if approved get a second Arista switch.

Thanks for your info. I'm used to Cisco and Extreme Networks. The Brocade/Foundry stuff seems a little foreign to me and limited.



Dell s4148s / OS10 not saving VLAN config

Has anyone had any issues with the new version of OS10 (I think it's 10.4.3.3) not saving VLAN info on port channels?

I have a VLT between two switches and have switchport access vlan 40 assigned on the port channel. I write the memory, reload the switch and it isn't there in the config; I run the command again and connectivity resumes. Bit of a PITA as I will need to reconfigure every time I have to power cycle the switches.



Multiple default gateways

Hello,

I am staging a cutover and would like some suggestions. I have a core switch (Dell), that has several VLANs. These VLANs are very large and we are working to trim them down. We are also implementing a firewall. The firewall is working as expected so no issues with that. However, the new VLANs need to go out the new default gateway, while still maintaining connectivity to the rest of the VLANs on the Dell core.

When I use a route-map with an acl that says

permit ip 10.10.10.0 0.0.0.255 any

For the route-map, traffic goes out of the new next-hop, but I lose connectivity to the rest of the VLANs. I've tried this for the ACL for the route-map as well, thinking if it's deny, it just won't hit the route-map.

ip access-list testacl
1000 deny ip any 172.16.0.0 0.15.255.255
1010 deny ip any 192.168.1.0 0.0.0.255
1020 deny ip any 10.0.0.0 0.255.255.255
1030 permit every

I know there has got to be a way to do this and I am being boneheaded.

Thanks
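To make the ACL matching concrete, here is an added example (not from the post or from Dell) that implements wildcard-mask matching and evaluates both ACLs from the post against sample flows, using the standard policy-based-routing rule that only a permit hit selects the route-map clause while a deny hit or no match falls through to normal routing. The "permit every" shorthand is treated as any source to any destination, as the post uses it.

```python
"""Evaluate a Cisco/Dell-style wildcard-mask ACL as a policy-based-routing match list."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str   # "permit" or "deny"
    src: str      # "any" or "<base> <wildcard>"
    dst: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 0 bit in the mask must match the base, a 1 bit is ignored
    (so 0.15.255.255 covers 172.16.0.0/12 and 0.255.255.255 covers 10.0.0.0/8)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _field_match(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    base, wildcard = spec.split()
    return wildcard_match(addr, base, wildcard)


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text: str) -> List[AclEntry]:
    entries: List[AclEntry] = []
    for n, line in enumerate(text.strip().splitlines(), start=1):
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "!"):   # "ip access-list <name>" header or comment
            continue
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else n * 10
        action = tokens.pop(0)
        if tokens[0] == "every":   # Dell shorthand from the post: any protocol, any source, any destination
            entries.append(AclEntry(seq, action, "any", "any"))
            continue
        tokens.pop(0)              # protocol keyword; only "ip" is modelled here
        src, tokens = _take_addr(tokens)
        dst, _ = _take_addr(tokens)
        entries.append(AclEntry(seq, action, src, dst))
    return sorted(entries, key=lambda e: e.seq)


def first_match(entries: List[AclEntry], src: str, dst: str) -> Optional[AclEntry]:
    """ACLs are evaluated top-down, first match wins; no match is an implicit deny."""
    for e in entries:
        if _field_match(src, e.src) and _field_match(dst, e.dst):
            return e
    return None


def policy_routed(entries: List[AclEntry], src: str, dst: str) -> bool:
    """A route-map clause using 'match ip address <acl>' is selected only on a permit hit;
    a deny hit or no match leaves the packet to normal destination-based routing."""
    e = first_match(entries, src, dst)
    return e is not None and e.action == "permit"


# Constructed from the post: the simple ACL that sent everything from the VLAN to the new gateway ...
SIMPLE_ACL = "permit ip 10.10.10.0 0.0.0.255 any"

# ... and the poster's attempt to exempt internal ranges before policy-routing the rest.
TEST_ACL = """\
ip access-list testacl
1000 deny ip any 172.16.0.0 0.15.255.255
1010 deny ip any 192.168.1.0 0.0.0.255
1020 deny ip any 10.0.0.0 0.255.255.255
1030 permit every
"""

if __name__ == "__main__":
    for name, acl in (("simple", parse_acl(SIMPLE_ACL)), ("testacl", parse_acl(TEST_ACL))):
        for dst in ("172.16.5.1", "10.20.0.1", "8.8.8.8"):
            print(f"{name:8} 10.10.10.5 -> {dst:12} policy-routed={policy_routed(acl, '10.10.10.5', dst)}")
```

With the simple ACL, every destination from 10.10.10.0/24 is policy-routed, including the other internal VLANs; with testacl the RFC 1918 destinations hit a deny and stay on the core's normal routing.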



How to confirm that voice VLAN is working - Juniper EX3400

I've got IP phones with piggyback computers on them, and decided to try out the auto voice VLAN option on my Junipers. I have configured two phones with the settings but I'm not sure if they're actually using the voice VLAN. I can see that the port is configured and it shows that my data VLAN is untagged and voice vlan is forwarding and tagged, but is there a good way to confirm 100% that my voice traffic is actually going over the voice VLAN? I guess I could disable the voice VLAN on my phone system and see if the phones stop working, but that seems a little archaic.



Cisco C3750G-48TS Temps

I have a spare 3750G running in a closet without A/C offsite. Maintenance sounds like they don't want to put A/C in so I am left with how it is. The temps on the device are fairly stable at 46C. I know through the info sheet on the switch that its max workload temp is at 45C.

My question is, should I be worried about the temps long term over the threshold by just a bit? Thanks!



NAT between VRFs on nxos

I need to NAT traffic between an IP range in one VRF and a single overload address in a different VRF on a Nexus switch.

The config I'm using is roughly like this:

int e1/1
 ip address 1.1.1.1 255.255.255.252
 vrf member AAA
 ip nat outside
int vlan 123
 ip address 2.2.2.2 255.255.255.0
 vrf member BBB
 ip nat inside
ip nat inside source list LIST-BBB pool AAA overload
ip nat pool AAA 10.10.10.10 10.10.10.10 prefix-length 32
vrf context AAA
 ip route 10.10.10.10/32 null 0

>>>>>>>>>>>>>>>>

The switch advertises only the 10.10.10.10/32 address via BGP to neighbour 1.1.1.2 on the other side of the e1/1 interface. The 1.1.1.2 neighbour advertises a range of addresses to the switch and these are leaked into the BBB VRF using route targets. The single null route is just used to get the 10.10.10.10 address into the routing table so it can be advertised by BGP.

The aim is to get all traffic from LIST-BBB going out the e1/1 address to be NAT-ed as 10.10.10.10/32

I can't seem to get this config to work. I initiate connections from the inside but can't see any translations happening.

Any ideas where I might be going wrong?

When I enter "ip nat inside source list LIST-BBB pool AAA overload" there is no option to specify a VRF.



QUIC protocol

Hi guys, I don't know if this is the correct section; if not, point me to the correct one :)

In order to complete a university test, I have to compare the QUIC protocol with the TCP protocol.

I used Wireshark to test both connections and I got some results (opening connection time for HTTPS sites).

Now my goal is to estimate the overall connection duration (not just the opening handshake). With TCP I have no problem understanding when a connection closes, but with QUIC I can't. Can anyone help me please? Thank you



HP ProCurve switch VLAN - passing through a VLAN

SysAdmin here trying to configure a simple VLAN on HP ProCurve and getting confused with trunk/tagged/untagged VLAN terminology between different brands. Want to make sure I got this down correctly.

Here is how the hardware is connected:

Ubiquiti UAP -- [port 11] --> HP ProCurve 2530 -- [port 1] --> [port 1] HP ProCurve 1810G -- [port 2] --> Fortigate

Purpose: Have the AP segregate Guest from internal network via VLANs (i.e. the UAP slaps on a VLAN tag on the guest SSID connected clients, which then only goes to the Fortigate).

I have setup the AP - tagging the guest network with VLAN 253. The Fortigate has a virtual network with VLAN 253 handing out DHCP and NATing to the Internet. Now I just have the HP switches to configure as seemingly they do not just pass-through VLAN tags by default.

So to make sure I understand: to pass through VLAN 253 I need to set it to "tagged" on all ports it will pass, leaving the default VLAN 1 in an untagged state to allow normal traffic without a VLAN (i.e. endpoints don't know about any VLAN) to pass through.

Some people have a test network, others have an extra production one ;).

Now I just need to find out what the IP of the 1810G switch is... maybe some LLDP will help.

Thanks to all in advance.



UDP Malformed Packet Wireshark Trace

Hello guys,

I captured a network trace to the host 185.166.232.52 and it's only UDP.
Every few seconds I see an RTCP malformed packet. Should I be worried about something?

I checked with the filter _ws.malformed and it occurs really very often.
I have attached a wireshark capture file here:
https://send.firefox.com/download/d91424ea4c54de89/#unuzqc0VjLbbqxQyLYVCwQ



Wednesday, July 31, 2019

MPLS Alternatives

We have 18 locations connected via managed MPLS. Network was fine until we agreed to the provider's EvolveIP VoIP solution. We’re fed up and ready to make a change.

Starting to look for alternatives to large carrier point-to-point / MPLS and considering a mix of broadband and DIA with SD-WAN.

ERP and voice services will be hosted, as well as O365. We do have a codec based video conference system that I expect will move to Skype / Teams soon. Other resources are local. Firewall is in a shared data center.

Any suggestions for WAN solutions or things to stay away from?

Any gotchas with SD-WAN?

Looking for a starting point as we begin to plan the WAN upgrade / replacement.



AWS Routing from EC2

Hi Guys

Just noticed that as of today, all of our EC2 instances are showing some very odd addresses when performing a trace-route to any of our data-center's servers.

traceroute to aphrodite.launtel.net.au (45.248.48.18), 30 hops max, 60 byte packets
 1  ec2-54-252-0-50.ap-southeast-2.compute.amazonaws.com (54.252.0.50)  14.373 ms ec2-54-252-0-56.ap-southeast-2.compute.amazonaws.com (54.252.0.56)  13.936 ms ec2-54-252-0-54.ap-southeast-2.compute.amazonaws.com (54.252.0.54)  12.975 ms
 2  100.66.8.4 (100.66.8.4)  14.674 ms 100.66.8.28 (100.66.8.28)  21.099 ms 100.66.8.60 (100.66.8.60)  12.615 ms
 3  100.66.11.108 (100.66.11.108)  16.102 ms 100.66.10.200 (100.66.10.200)  12.966 ms 100.66.10.70 (100.66.10.70)  14.562 ms
 4  100.66.7.229 (100.66.7.229)  18.039 ms 100.66.6.107 (100.66.6.107)  21.333 ms 100.66.6.35 (100.66.6.35)  13.753 ms
 5  100.66.4.227 (100.66.4.227)  18.660 ms 100.66.4.187 (100.66.4.187)  12.907 ms 100.66.4.29 (100.66.4.29)  22.398 ms
 6  100.65.11.161 (100.65.11.161)  0.861 ms 100.65.8.1 (100.65.8.1)  0.368 ms 100.65.9.33 (100.65.9.33)  1.241 ms
 7  52.95.38.225 (52.95.38.225)  14.028 ms 52.95.38.213 (52.95.38.213)  1.549 ms 52.95.38.211 (52.95.38.211)  3.794 ms
 8  52.95.36.56 (52.95.36.56)  2.683 ms 52.95.36.136 (52.95.36.136)  1.744 ms 52.95.36.40 (52.95.36.40)  1.640 ms
 9  52.95.37.51 (52.95.37.51)  1.244 ms 52.95.36.99 (52.95.36.99)  1.318 ms 52.95.37.51 (52.95.37.51)  1.275 ms
10  as134697.sydney.megaport.com (103.26.69.27)  1.555 ms 134697.syd.equinix.com (45.127.173.35)  1.518 ms as134697.sydney.megaport.com (103.26.69.27)  1.686 ms
11  bacchus.launtel.net.au (45.248.51.207)  27.234 ms  27.162 ms  27.007 ms
12  45-248-48-18.dyn.launtel.net.au (45.248.48.18)  26.829 ms  26.981 ms  26.837 ms

As you can see, the CGNAT addresses at the top (100.xx.x.x) are what I have observed as new.

Is this something Amazon does now or is this a cause for a ticket? Routing through a bunch of CGNAT seems very odd.



Disable 96-bit HMAC Algorithm on Cisco network devices?

Hi, I would like to ask if we can possibly disable the 96-bit HMAC algorithm. Devices are currently on SSH v2 and we recently received a vulnerability issue regarding this.

show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):

Can I just disable using this command?

(config)# ip ssh server algorithm mac hmac-sha1
(config)# ip ssh version 2

Or is an IOS upgrade needed to get the latest version and strong cipher suites? Any idea? Thanks
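As an added example (not from the post or from Cisco), the check below parses the `show ip ssh` output quoted above and flags the offerings a scanner would report: the truncated hmac-sha1-96 MAC, the CBC/3DES ciphers, and the 1024-bit DH minimum. It then derives hardening lines from the device's own algorithm lists; `ip ssh server algorithm mac` is the command from the post, while the `ip ssh server algorithm encryption` and `ip ssh dh min size` forms are assumed to be available on the running IOS release, which is exactly the upgrade question raised.

```python
"""Audit a Cisco IOS `show ip ssh` dump for weak SSH algorithm offerings."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the `show ip ssh` output quoted in the post, one field per line.
SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
"""

# MACs whose tag is truncated to 96 bits: the finding scanners report as "96-bit HMAC".
TRUNCATED_MACS = {"hmac-sha1-96", "hmac-md5-96"}
MIN_DH_BITS = 2048  # 1024-bit DH groups are below current guidance


def is_weak_cipher(name: str) -> bool:
    """CBC-mode ciphers and 3DES are what scanners typically flag alongside the MAC."""
    return name.endswith("-cbc") or name.startswith("3des")


@dataclass
class SshAudit:
    version: str
    ciphers: List[str]
    macs: List[str]
    dh_min_bits: int

    def weak_macs(self) -> List[str]:
        return [m for m in self.macs if m in TRUNCATED_MACS]

    def weak_ciphers(self) -> List[str]:
        return [c for c in self.ciphers if is_weak_cipher(c)]

    def findings(self) -> List[str]:
        out = []
        if not self.version.startswith("2"):
            out.append(f"SSH protocol version {self.version} offered; only v2 should be enabled")
        if self.weak_macs():
            out.append("truncated 96-bit MAC offered: " + ", ".join(self.weak_macs()))
        if self.weak_ciphers():
            out.append("CBC/3DES cipher offered: " + ", ".join(self.weak_ciphers()))
        if self.dh_min_bits < MIN_DH_BITS:
            out.append(f"minimum DH key size {self.dh_min_bits} bits is below {MIN_DH_BITS}")
        return out

    def hardening_commands(self) -> List[str]:
        """Keep only the strong entries of each list, in the device's own order.
        The mac form is the command quoted in the post; the encryption and dh forms are
        assumed to exist on this IOS release (they are present on 15.x trains)."""
        cmds = []
        strong_macs = [m for m in self.macs if m not in TRUNCATED_MACS]
        if self.weak_macs() and strong_macs:
            cmds.append("ip ssh server algorithm mac " + " ".join(strong_macs))
        strong_ciphers = [c for c in self.ciphers if not is_weak_cipher(c)]
        if self.weak_ciphers() and strong_ciphers:
            cmds.append("ip ssh server algorithm encryption " + " ".join(strong_ciphers))
        if self.dh_min_bits < MIN_DH_BITS:
            cmds.append(f"ip ssh dh min size {MIN_DH_BITS}")
        return cmds


def _csv_field(text: str, label: str) -> List[str]:
    """Return the comma-separated values after '<label>:' on the same line."""
    m = re.search(re.escape(label) + r"\s*:\s*([^\n]+)", text)
    return [x.strip() for x in m.group(1).split(",") if x.strip()] if m else []


def parse_show_ip_ssh(text: str) -> SshAudit:
    ver = re.search(r"version\s+([\d.]+)", text)
    dh = re.search(r"Diffie Hellman key size\s*:\s*(\d+)", text)
    return SshAudit(
        version=ver.group(1) if ver else "unknown",
        ciphers=_csv_field(text, "Encryption Algorithms"),
        macs=_csv_field(text, "MAC Algorithms"),
        dh_min_bits=int(dh.group(1)) if dh else 0,
    )


if __name__ == "__main__":
    audit = parse_show_ip_ssh(SHOW_IP_SSH)
    for f in audit.findings():
        print("FINDING:", f)
    for c in audit.hardening_commands():
        print("FIX:", c)
```

Re-run the parser on the output after the change; if the release lacks the encryption or dh commands, the remaining findings tell you what only an upgrade will remove.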



Software or services for captive portal

I have a lot of customers who are looking to collect social media, email, or some other info in exchange for their 'free wifi' in restaurants mostly (some deli or small shops too). I am fine with setting up captive portals on the technical / hardware / controller side of the house but these are small business owners who also are asking me about doing the captive portal side for them.

I found Facebook stopped accepting vendors / partners on their wifi services and it seemed limited to only Facebook and let's face it, not everyone has FB. So I've gotten some pricing from companies such as socialwifi.com for example and I'm shocked at the pricing... for basically collecting info into a database and giving it to each site's owner for marketing, they are charging at least $49/mo/site. If I have to spin up an AWS cloud server for this purpose, that's fine with me... I too would charge but build it into my hardware support costs and be more reasonable, but really I don't know if I want to manage yet another cloud service.

Does anyone know any open source options for this or companies who could allow me to resell the services (i.e. sign up for a 10 site account and split it with 10 of my single site customers)?

I know this is outside the super technical stuff I come here to keep an eye on regularly but it's related to networking so I'm hoping this is allowed. Thanks in advance!

PS: Hardware is currently in OpenMesh but I'm moving these customers to beta.altiwi.com which runs openWRT with cloud controller or I may go to another open source controller... I am sure I can make the hardware work for captive portal needs with whatever vendors or opensource software can collect the data and keep it organized to run reports.



Anyone delivering TV and data on same WAN port with Calix?

Our ISP is getting ready to offer TV service, switch GPON vendors, and the way we deliver service, all at the same time.

We currently have 1000+ customers using Zhone 2726 routers and we are switching to a Calix solution. We will be running fiber into a 803G and delivering service to a customer's own router, or a 844E. This has been working great during initial testing with data.

We have a data VLAN that goes to a local distribution router, and a TV VLAN that goes back to the central mini headend. The issue that we are running into is that we cannot deliver the TV VLAN and data VLAN to the same WAN port on the 844E. When setting this up on the 844G, you can just provision the TV VLAN on a different physical interface. Most of the Calix documentation is for using an MVR setup with a unicast and multicast VLAN for TV service, but this will not work for us as unicast and multicast are being delivered from a single interface on the MHE.

My next step will be to work with double tagging actions to see if I can put my 2 service VLANs into a single VLAN, send it to the 844E, and untag it on separate physical interfaces. Does anyone have any experience setting up multiple service types to the same WAN port? I am not super committed to the way we are wanting to deliver the VLANs, but we will definitely be using the 803G to 844E setup.



Juniper Route Preference Best Practices

I come from the land of Cisco. I'm venturing into the land of Juniper. I've got two Juniper MX20 routers doing OSPF with the other devices in my network. These two routers are in an active/backup type setup. I've then got links to customers hanging off these two routers (eBGP). Basically, connecting my network to customers (extranet type setup). I've noticed that one router will redistribute all its BGP routes into OSPF and the other device will then favor these because in Juniper land OSPF is treated better than eBGP on the route preference/Admin Distance scale, as opposed to Cisco, which favors eBGP over OSPF.

There are 1000 ways to skin this cat. I don't know which way is the least headaches and best results. Also what most people are doing in other places (so if someone new comes in, they understand).

Is it, change the route preference on the routers so that eBGP is favored over OSPF? Or is it to create a policy so that any routes in my from-customers IP list, don't get accepted back into the routing table?



Setting up router with info from ISP, help

Stuck setting up a router like this for the first time.

ISP gave me the following:

IP address

Gateway

Network mask

Dns

DNS secondary

Am I missing something?

If I'm understanding correctly, my WAN/outside interface would be the Gateway address. I can get the usable range from the IP and mask. Now I get mixed up: inside interface is the first IP in that range... and a default route of 0.0.0.0 0.0.0.0 to the Gateway address?

Apologies for the newbie question, thanks in advance for any help..



Patch your SonicWalls NOW!

https://ift.tt/334S8mI



Firewall as gateway

Hello everyone,

When is it ideal to use a firewall as a default gateway for a VLAN (users)? I'm starting a project where the current setup is that there is an ACL on a switch that is controlling access into/out of a VLAN. I will be replacing this access control with an ASA.

Should I have the users use the firewall as the gateway or should I keep it as the SVI/VRRP address on the switch?

Thanks



Ubiquiti AirFiber 24 as a redundant ring

I am still fairly new to the networking world, so be gentle :)

I manage the network (WAN/LAN/WLAN) for a large school district (75+ sites, 68k students, 7500k staff). My director wants to implement a redundant network using Ubiquiti Airfiber 24 wireless bridges in the case of fiber cuts. We are a growing city and this is happening more and more often.

We are a Cisco shop, hub and spoke network (Core switch --> Campus 4500X --> 2960X stack in each IDF). I'm looking at route policies that leverage the production fiber connection, then flip to the AirFiber connection if the pair is cut and becomes unreachable, but I'm not 100% confident in my thought process. Something like this:

interface Vlan100
 ip address X.X.X.X 255.255.255.254
 no ip redirects
 no ip unreachables
!
interface Vlan101
 ip address Y.Y.Y.Y 255.255.255.254
 no ip redirects
 no ip unreachables
!
interface GigabitEthernet1/1
 description Fiber
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/2
 description AirFiber
 switchport access vlan 101
 switchport mode access
 spanning-tree portfast
!
ip local policy route-map AirFiber
ip route 0.0.0.0 0.0.0.0 X.X.X.X track 123
ip route 0.0.0.0 0.0.0.0 Y.Y.Y.Y 254
!
route-map AirFiber permit 10
 match ip address 101
 set ip next-hop X.X.X.X

Anyone have any experience with Airfiber deployment and configuration? What is best practice for configuring this with minimal downtime? Do you use L3 with alternate VLANs and IPs for Airfiber? Any help and suggestions are greatly appreciated.



VoIP/sip providers in the UK?

Our business is based on telephony, we dial out using various VoIP providers, making money off the difference in rates charged and the rate we charge.

We currently use Verizon, daisy, Tata, and colt.

Verizon give us the best rates but their setup is convoluted and a pain in the arse, as we need IPsec tunnels for signalling, can't fail over between sites as SBC up has to be from a designated subnet assigned by Verizon etc.

Any hidden gems out there we could take a look at? I'm not aware of the rates or commercials, but really want to move away from Verizon due to setup issues



Becoming the "Mac" guy

Hey all!

I am starting a new position as a network engineer very soon, and during the interview, the person interviewing me noted they have ran into problems with clients with macs and not being able to support them as no one they had were experts with Mac's. I already own a mac, which I purchased to become more familiar with the system as I think its important for my job to have a general knowledge of all systems.

An example of a problem they ran into is getting SharePoint to work on Macs correctly, I don't have too many details as I wasn't personally there at the time, but something to do with Temp files in SharePoint causing file path issues.

I want to know if anyone knows any sources to learn more about Macs in a hybrid environment: using Macs with popular SaaS like Office 365, digging deep into OSX, and how to solve issues that may arise with Macs on primarily Windows-based networks.

Hopefully this doesn't count as early career advice and doesn't get too much hate; whether we like it or not, some clients use Macs and we have to know how to service them.

Thanks!



Cisco Switch PoE Problem

Recently, a user started complaining about his phone/PC intermittently dropping connections. The phone refused to power up with PoE, so it was attached to a power supply. A TDR test showed the last two pairs listed as short/crosstalk. The cables in the switch room and at the user end were replaced, and the user's jack was repunched. The outcome didn't change.

I decided to test the phone and PC separately. A TDR test showed that when connected to the computer, all pairs listed as normal. When connected to the phone without the power supply, all pairs were open. When connected to the phone with the power supply, the last two pairs were short/crosstalk. It didn’t matter which type of Cisco phone or PC was tested, the results were the same.

Has anybody come across this before, and can give a tip on where to go from here?



Best policy for traffic across leased fiber?

We are setting up our first branch office. There is going to be some consulting help on this, but I do not want to leave everything in the hands of them.

- We are using a local Meraki switch to a remote Meraki switch over leased fiber. There will not be a firewall in the process. What is the best way to keep only the traffic that matters from crossing?

- Should I block all workstations on the local VLAN from the remote VLAN?

- Should I only block broadcast traffic?

- I need some Active Directory traffic between servers, but I want the branch to use its local resources, not the main office.



Software for branch management

Hello,

I'm looking for some software to manage all information about branches and HQ for my company. Currently all info is stored in xls files but it's super ineffective.

I've started thinking about CRM solutions (SuiteCRM or similar) but maybe someone has a better solution.

Information I want to manage:

  • location (address),
  • IP addressing,
  • installed devices (router and #, switches and #, AP and #...),
  • internet circuits ID and bandwidth,
  • some specific info like number of branch or local director,
  • maybe integration with monitoring solution (SolarWinds) like link to device


Get ip from ip helper on cisco interface?

Is it possible to somehow get an IP address on an interface from a DHCP server that is the ip-helper target on the same router?

Eg:
interface Lo100
ip address dhcp

interface fa0
ip address 10.10.10.1
ip helper-address 20.20.20.1

Could I somehow get interface lo100 to send its DHCP requests to 20.20.20.1?



N93180YC-EX BIOS update

I've got a pair of Nexus 93180YC-EX switches which I was trying to update to nxos.7.0.3.I7.6, but I've held off because one of them is saying it isn't going to install the BIOS update as a part of the patch like the other is, even though they're currently on the same version.

Can anyone explain this?

Switch 1:

Module  Image  Running-Version(pri:alt)               New-Version          Upg-Required
     1  nxos   7.0(3)I5(1)                            7.0(3)I7(6)          yes
     1  bios   v07.59(08/26/2016):v07.56(06/08/2016)  v07.65(09/04/2018)   yes
   101  fexth  7.0(3)I5(1)                            7.0(3)I7(6)          yes

Switch 2:

Module  Image  Running-Version(pri:alt)               New-Version          Upg-Required
     1  nxos   7.0(3)I5(2)                            7.0(3)I7(6)          yes
     1  bios   v07.59(08/26/2016):v07.56(06/08/2016)  v07.59(08/26/2016)   no
   101  fexth  7.0(3)I5(2)                            7.0(3)I7(6)          yes


Issues with VXLAN + live migration in Linux

Long post. Thanks in advance for reading!

I have an all layer 3, ECMP underlay network with routing on the hosts. The hosts are Linux machines running Proxmox (qemu/kvm) and have vxlan interfaces defined, without any control plane - the bridge fdb table is statically populated with the other VTEP addresses. Each VXLAN interface is attached to a bridge (regular Linux bridges, not OVS), and VMs get attached to the bridges.

When I live migrate a VM, it (mostly) loses its network connection. Here's what I've observed so far:

  • Pinging VMs attached to the same VXLAN, but living on different hosts, works intermittently. I get a reply for maybe 1/3-1/4 of the requests sent.

  • tcpdump on both hosts shows replies exiting the ping target just fine, but the migrated VM's host never seems to receive some of them.

  • The VM cannot ping the gateway at all. It never receives the ARP reply sent by the gateway. The gateway is also a member of the VXLAN, but what's different about it, is it's got 4x ECMP routes into the underlay rather than 2 like everything else, and it's a Fortigate.

  • On all hosts and the gateway, I've checked the bridge fdb table after the migration, and can confirm that the new host sent the gratuitous ARP, and all hosts know that MAC now lives on a new host.

  • For good measure, I've run captures on the old host as well, to make sure no traffic for the VM is still arriving there. There is none.

  • To keep a long story short, I discovered that forcing an OSPF change/route reconvergence on the network fixes it. Then, to dig into that a bit further, I did another migration, started a ping from the migrated VM to a VM on another host (B), and on host B, flushed the route cache (ip route flush cache). This cleared up the problem for all VMs on host B, but no other hosts - including the gateway.

  • We use keepalived to float VIPs between servers on different hosts with VRRP, and that works perfectly, never had an issue with it.

Now, after digging a little, it seems like route caching was removed from the Linux kernel, I think in 3.6, so I'm not sure why flushing the route cache solves the problem. In any case, I'm extremely confused. Anyone here have ideas as to what's going on?



802.1X handle Wi-Fi connection / EAP-TLS - Problem

I'm running EAP-TLS (RADIUS and certificate authentication) to handle Wi-Fi connections.
Got it working on some offices over IPsec, but some do not.

From a tcpdump I found that the NPS server is responding with a challenge.
Once the client is sending a new request, it sends a duplicate request, which I believe may be the cause of my problem.

Access-Request id=253
Access-Challenge id=253
Access-Request id=254
Access-Request id=254, Duplicate Request

Packet info
Framed MTU: 1400

I believe the packet with the certificate is getting chopped but have not been able to verify that it has been. I mean, that packet is the same size on both ends of the VPN.
I'm not getting any ICMPs telling the firewall to lower the MTU.

Firewall config on both ends
Fiberconnection with static IP
PMTU and DF is set to Clear.

On the NPS server, I can't find any event in the Event Viewer about this.
But if I check the NPS log text file, I find the entry and its correlating packets.

Anyone got a good idea to why this happens?
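Two things worth checking from the capture above are whether the repeated id=254 really is a client retransmission (same source, same Identifier, same Request Authenticator, which is how RFC 2865 defines a duplicate) and whether the Access-Challenge carrying the certificate fragment is too large to cross the tunnel without fragmentation once ESP overhead is added. The following is an added example, not something posted in the thread: it parses RADIUS datagrams, reports retransmits, sums the EAP-Message payload per datagram, and lists datagrams that would exceed a given path MTU. The packets, the NAS/NPS addresses, the 1390-byte certificate stand-in and the 74-byte tunnel overhead are all constructed values.

```python
"""Triage helper for an EAP-TLS over RADIUS exchange that stalls behind a VPN.

Added illustration, not from the thread. Every packet, address and the
tunnel-overhead figure used below is constructed for the demonstration.
"""
import struct
from collections import Counter
from dataclasses import dataclass

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_FRAMED_MTU = 12
ATTR_EAP_MESSAGE = 79
RADIUS_HEADER_LEN = 20      # code, identifier, length, 16-byte authenticator
IPV4_UDP_HEADERS = 20 + 8


@dataclass(frozen=True)
class RadiusPacket:
    src: str
    code: int
    ident: int
    authenticator: bytes
    attrs: tuple            # (type, value) pairs in wire order
    wire_len: int           # value of the RADIUS length field


def parse_radius(src: str, data: bytes) -> RadiusPacket:
    """Decode header and attributes, rejecting anything whose lengths do not add up."""
    if len(data) < RADIUS_HEADER_LEN:
        raise ValueError("datagram shorter than a RADIUS header")
    code, ident, length = struct.unpack_from("!BBH", data, 0)
    if not RADIUS_HEADER_LEN <= length <= len(data):
        raise ValueError(f"length field {length} inconsistent with {len(data)} bytes received")
    attrs, off = [], RADIUS_HEADER_LEN
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError(f"attribute {atype} has impossible length {alen}")
        attrs.append((atype, bytes(data[off + 2:off + alen])))
        off += alen
    return RadiusPacket(src, code, ident, bytes(data[4:20]), tuple(attrs), length)


def find_retransmits(packets):
    """Access-Requests a client sent more than once: the answer to the first copy never arrived."""
    seen = Counter((p.src, p.ident, p.authenticator) for p in packets if p.code == 1)
    return [(src, ident, n) for (src, ident, _auth), n in seen.items() if n > 1]


def eap_payload_len(p: RadiusPacket) -> int:
    """EAP bytes in this datagram (EAP-Message is split into attributes of at most 253 bytes)."""
    return sum(len(v) for t, v in p.attrs if t == ATTR_EAP_MESSAGE)


def framed_mtu(p: RadiusPacket):
    return next((int.from_bytes(v, "big") for t, v in p.attrs if t == ATTR_FRAMED_MTU), None)


def oversized_for_path(packets, path_mtu: int, tunnel_overhead: int):
    """Datagrams whose IPv4+UDP+RADIUS size plus tunnel overhead does not fit the path MTU."""
    budget = path_mtu - tunnel_overhead
    return [(RADIUS_CODES.get(p.code, p.code), p.ident, IPV4_UDP_HEADERS + p.wire_len)
            for p in packets if IPV4_UDP_HEADERS + p.wire_len > budget]


def build_packet(code, ident, authenticator, attrs):
    """Serialise (type, value) pairs behind a RADIUS header; used only to build samples."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(body)) + authenticator + body


def sample_exchange():
    """Constructed replay of the sequence in the post: id 253 answered, id 254 retransmitted."""
    nas, nps = "10.1.1.20", "10.9.9.5"                       # constructed addresses
    auth_a, auth_b, auth_c = bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48))
    mtu = (1400).to_bytes(4, "big")
    identity = b"\x02\x01\x00\x0e\x01jdoe@corp"               # EAP Response/Identity
    tls_ack = b"\x02\x02\x00\x06\x0d\x00"                     # EAP-TLS fragment acknowledgement
    cert_blob = bytes(1390)                                   # stand-in for a certificate fragment
    chunks = [cert_blob[i:i + 253] for i in range(0, len(cert_blob), 253)]
    wire = [
        (nas, build_packet(1, 253, auth_a, [(ATTR_FRAMED_MTU, mtu), (ATTR_EAP_MESSAGE, identity)])),
        (nps, build_packet(11, 253, auth_b, [(ATTR_EAP_MESSAGE, c) for c in chunks])),
        (nas, build_packet(1, 254, auth_c, [(ATTR_FRAMED_MTU, mtu), (ATTR_EAP_MESSAGE, tls_ack)])),
        (nas, build_packet(1, 254, auth_c, [(ATTR_FRAMED_MTU, mtu), (ATTR_EAP_MESSAGE, tls_ack)])),
    ]
    return [parse_radius(src, data) for src, data in wire]


if __name__ == "__main__":
    pk = sample_exchange()
    print("retransmits:", find_retransmits(pk))
    # 74 bytes is an assumed ESP tunnel-mode overhead; measure the real figure from a capture.
    print("too big for a 1500-byte path behind the tunnel:", oversized_for_path(pk, 1500, 74))
```

Run against the constructed exchange, `find_retransmits` returns the id=254 pair and `oversized_for_path(pk, 1500, 74)` flags only the 1450-byte Access-Challenge, which is the kind of datagram that silently disappears when the tunnel path cannot fragment and no ICMP "fragmentation needed" comes back. Feeding it real packets means reading them from a pcap and calling `parse_radius` per UDP payload.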



NSX over EVPN VXLAN

Has anyone seen or have any experience running an NSX deployment over the top of an existing BGP EVPN VXLAN fabric? I am working on a project where the network team already runs VXLAN on Nexus 9k and the compute team wants to deploy NSX. I don’t think they are necessarily wanting the overlays but they want micro-segmentation.

I’d love to hear any comments!



Two offices with EdgeRouters connected via VLAN and not working Gigaset

Hello guys,

I'll preface this by saying that I'm completely new in this field and not really sure what this all means, so please bear with me here. I've been given a task to resolve this issue at my work, but since I have no network experience (working in web dev) it's been a struggle and I'm kinda out of my field; would love some help.

We have 2 small offices that are in different physical locations and are connected via a VLAN which was configured by their ISP. Both of the locations use EdgeRouters (8 port and Lite). Everything other than the Gigaset phone works perfectly fine (RDP, NAS etc.), but when it comes to the phone it's got the signal but we cannot actually hear anything on either side. From the main location we can ping the Gigaset but cannot access the web GUI. From the guy who actually made the VLAN I heard that it's a NAT-related problem, but it didn't really help me solve it as I'm clearly out of my field.

I assume this is not enough information to be specific in answers, but just general advice would be a tremendous help. I will also try to answer all the questions. Thank you guys.



setting up remote view on dahuwa

Hi everyone, I want to set up remote viewing for dahuwa's DVR. I have just one little question: if I choose P2P, scan the QR code and check the DHCP option, will I be able to run the remote viewing on a phone working with 4G that isn't connected to the same network as the DVR? If not, what is the extra information that I have to input? (I'm so sorry for my dumb question, still new to this.)



Azure Express Route considerations

Hi peers,

We currently have an office in Amsterdam that has a fiber connection to a datacenter (ELAN 1GB link). The datacenter runs ESX clusters with VMs.

We also have a couple of regional offices (ASIA, US, Europe).

The regional offices all have a DMVPN router; there is also a DMVPN router in our Dutch office and one in the DC running the VMs. So we have an Internet & I-WAN site-to-site type of network with regional link speeds of 100Mbps for the most part. It works well for us.

All client VLANS are replicated with EIGRP so all client vlans can access each other and can access also the servers running in the dutch DC.

Since the Dutch ESX cluster is shrinking in size and getting old, we want to migrate the VMs (around 40 VMs) to Azure, terminate our DC agreement and close the ELAN connection.

I have contacted a network provider that can offer us a fiber 1Gb port and quoted us for Express Route at different bandwidths (100Mb, 200, 500, 1GB, ...). They don't offer BGP or NAT as a managed service, so we'll need help from network advisors with that. I am not a network engineer, so I am just busy now trying to compare the price involved with keeping stuff on-premises or running in Azure. This is really preliminary work and I understand that I need to work with network professionals, but for this reason I want to do some homework beforehand so I ask the correct questions.

  • Since Express Route offers site-to-site topologies, I was wondering if there would be any gotchas setting up an Express Route link directly from our Amsterdam office to Azure and having regional offices reach Azure via the DMVPN network through our Dutch office, then via Express Route. It's very low traffic anyway: we have an accounting application that 1 or 2 colleagues access with a VPN client, connect to a VM in Amsterdam via RDP, then run the accounting client on that VM. We are a small shop (15 people in Amsterdam, regional offices from 5 to 30 people in our biggest office in Asia). Occasionally some people in Asia or the US require access to a file server VM, but that's about it.

  • I saw an option for Express Route Premium but I cannot wrap my head around the design implementation for improving regional access (in Asia, for instance). Moving forward, if we want to build VMs in Asia for our Asian colleagues we may want to get Express Route links in Asia too; how does it play out with Premium? Do we get Premium on our Europe link so we can extend our regional presence, or do we need ER links for each region we want to work with in Azure?

EDIT: they don't offer BGP as a managed service.



Tuesday, July 30, 2019

Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



ACI L3 out & EIGRP

Is anyone able to give me an easy to understand and super concrete answer to whether or not there are limitations to the number of EIGRP L3 outs you can configure per Leaf node? I have an existing MPLS WAN and would like to route into individual VRFs using EIGRP if possible. I keep hearing that only one eigrp l3 out per node is allowed, or there's some maximum of about 5 or 6. I can't seem to find a definitive answer.



nxlogs - netflow to syslogs

Hi All,

Just looking for some help to convert NetFlow logs from an edge (SD-WAN device) to syslog and send them to the SIEM.

I am currently using nxlog enterprise trial but happy to explore other options.

Any help to achieve this

<Extension netflow>
    Module xm_netflow
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Input udpin>
    Module im_udp
    Host hostip
    Port 2055
    InputType netflow
</Input>

<Output out>
    Module om_file
    File "c:\\temp\\netflow.log"
    Exec to_json();
</Output>

<Route nf>
    Path udpin => out
</Route>
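To see what the `xm_netflow` and `xm_json` modules in the configuration above produce for a SIEM, here is an added example (not nxlog's code and not from the thread) that decodes a NetFlow v5 export datagram by hand and wraps each flow record in an RFC 5424 syslog line carrying JSON. The field names, the exporter hostname, the syslog facility (local0) and the sample datagram are all constructed; real NetFlow v9/IPFIX exports are template-based and need a different decoder.

```python
"""Decode NetFlow v5 export datagrams and emit them as JSON-in-syslog lines.

Added, self-contained illustration (not nxlog's code): it does by hand what the
xm_netflow + xm_json pair does, so the fields a SIEM will receive are visible.
"""
import json
import socket
import struct
from datetime import datetime, timezone

HEADER_FMT = "!HHIIIIBBH"                 # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # one 48-byte v5 flow record
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
SYSLOG_PRI = 134  # facility local0 (16) * 8 + severity informational (6); an assumption


def decode_netflow_v5(datagram: bytes) -> list:
    """Return one dict per flow record; reject malformed datagrams instead of mis-parsing them."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, _uptime, unix_secs, _nsecs, seq,
     _engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("header announces more records than the datagram carries")
    exported = datetime.fromtimestamp(unix_secs, tz=timezone.utc).isoformat()
    records = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        records.append({
            "exported_at": exported,
            "engine_id": engine_id,
            "export_sequence": seq,
            "sampling_interval": sampling & 0x3FFF,   # low 14 bits; the top 2 bits are the sampling mode
            "src_ip": socket.inet_ntoa(src),
            "dst_ip": socket.inet_ntoa(dst),
            "next_hop": socket.inet_ntoa(nexthop),
            "in_if": in_if, "out_if": out_if,
            "protocol": PROTO_NAMES.get(proto, str(proto)),
            "src_port": sport, "dst_port": dport,
            "tcp_flags": tcp_flags, "tos": tos,
            "packets": pkts, "bytes": octets,
            "src_as": src_as, "dst_as": dst_as,
            "src_prefix_len": src_mask, "dst_prefix_len": dst_mask,
        })
    return records


def to_syslog(record: dict, hostname: str, app: str = "netflow") -> str:
    """Wrap one flow record in an RFC 5424 header so a syslog collector can forward it."""
    return f"<{SYSLOG_PRI}>1 {record['exported_at']} {hostname} {app} - - - {json.dumps(record, sort_keys=True)}"


def build_sample_datagram() -> bytes:
    """Constructed sample: one v5 export carrying two flows (not a real capture)."""
    header = struct.pack(HEADER_FMT, 5, 2, 90_000, 1_564_531_200, 0, 1000, 0, 7, 0)
    flows = [
        # src, dst, nexthop, in, out, pkts, bytes, first, last, sport, dport, flags, proto
        ("10.0.0.5", "203.0.113.9", "192.0.2.1", 1, 2, 12, 4_200, 80_000, 85_000, 51514, 443, 0x18, 6),
        ("10.0.0.7", "198.51.100.53", "192.0.2.1", 1, 2, 1, 76, 88_000, 88_000, 40001, 53, 0x00, 17),
    ]
    body = b"".join(
        struct.pack(RECORD_FMT, socket.inet_aton(s), socket.inet_aton(d), socket.inet_aton(n),
                    i, o, p, b, f, l, sp, dp, 0, fl, pr, 0, 64500, 64501, 24, 24, 0)
        for s, d, n, i, o, p, b, f, l, sp, dp, fl, pr in flows
    )
    return header + body


if __name__ == "__main__":
    for rec in decode_netflow_v5(build_sample_datagram()):
        print(to_syslog(rec, "sdwan-edge-1"))
```

The length checks matter in a collector that listens on an open UDP port: a short or mis-counted datagram should be dropped, not turned into garbage flow records in the SIEM. To use it live, bind a UDP socket on port 2055 and pass each received payload to `decode_netflow_v5`.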


sdn - sd network, lan/wan/wlan. meraki? aruba tunneled-node? versa? You mean it all still works the same.. does the same stuff.. in many cases, simpler, but I can do without the narcissism and ego of engineers making excuses for inconsistencies, delays, and misconfigurations?

sign me up.

that is what the c levels are thinking. they are not wrong.

as a consultant, 80% of my time is spent looking at very stupid mistakes. legacy configurations, huge mistakes. incorrectly configured interfaces, no stp priorities defined, no vlan allowed pruning, wrong ospf timers or manual costing.. not to mention qos stupidity, prefix-list mistakes, acl's with allow all's. absolutely no ability to consistently audit large network fields. legacy brownfield networks are consistently shit.

sdn is the future, you can refuse to embrace it like you embrace a local binary of Microsoft word.. meanwhile the rest of the world has moved to o365 and teams.

call it my Wednesday rant.



Apartment Building Wireless

I work for a small ISP. We've been asked to provide internet to an apartment building with 200 apartments. Only the ceilings of the common areas are easily accessible, not the apartments themselves. My plan is: a 1Gbps connection in. Then put wireless 802.11ac APs in common areas, broadcasting a hidden SSID with WPA2-Enterprise. Each apartment would then get a router with wireless as its WAN (connected to the hidden SSID) that then broadcasts an SSID internally for each apartment to use. APs would be Ubiquiti UAP Pros, 10 apartments per AP. What issues am I likely to face?



Radius - Local Fallback After Bad Attempts

I can't ever remember how to do this.

I want to set up my Cisco gear to fall back to local authentication in case my domain password isn't working. I think I used to set it to something like 3 bad attempts, then request local credentials. Is that possible? Seems like a security issue the more I think about it. But that's what I want it to do. =)



suggestions for CCNP bootcamp?

hello, trying to gauge the quality of training from bootcamps. would like to see if there are any suggested companies/providers and reasons you chose them.

op: CCNA, AWS CCP, ITILv3 3+ years enterprise experience 2k+ nodes



What is the best way to bootstrap CSR1000v? (ZTP or Day0)

Hi guys

I am struggling with ZTP with CSR1000v; this is not in a public cloud, it is a KVM/qemu deployment. Configuring the router via DHCP option 6X or 150 is not consistent and I am looking for alternatives.

One thing I am considering is injecting the startup config (a generic one that enables DHCP and SSH and adds a user name) into the qcow2 image. Is there any other way to do it? (Not sure if this will work as the image might be compressed somehow.)



ASA 5510 Migrating to ASA 5508-X

I have an ASA 5510 that I am currently changing over to an ASA 5508-X. I am trying to figure out how to get the ASDM console working on this 5508-X. I currently have FiOS setup as the outside and Comcast setup as the inside. I have management enabled but can't seem to get to 192.168.1.1 to download the interface. My inside is 10.1.1.1. Just a little confused as to what to do to get the ASDM image downloaded so I can configure the 5508 through the ASDM.



What vendors for rack enclosures and tech furniture?

Looking for solid vendors that can help with rack enclosures and custom tech furniture solutions. Thanks



Experience with Optical Fiber Identifiers & duplex paths

Currently looking into buying an Optical Fiber Identifier, possibly through AFL, but was wondering if they could be used to measure duplex SM jumpers instead of just simplex. Has anyone had any experience with this? Is it even possible? We have several dead paths that are not being used anymore and they are pretty evenly split between simplex and duplex.



Need help setting up multi-homed BGP 1 ISP 2 routers.

Hello r/networking, I was hoping to get some advice on our current setup as all the research I've done is for a different type of topology and I'm presently trying my best to come up with a viable solution here and would like some help if possible. Everything on my end AS1111 and back is Cisco.

Ultimately I'm trying to achieve load-sharing on our environment and then have equal routes advertised back to S1/S2.

I've found two ways now to do this, so my confusion keeps growing as I read more into it. Some people are saying to run iBGP between R1/R2 and set AS prepends to have one be primary; another is saying to set a higher local preference.

Can anyone explain to me the differences? Pros/Cons?

Any guidance would be appreciated, thank you!

Here's my current netmap to our provider.
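The two suggestions in the post act on different decisions: local preference is set and compared inside AS1111 only, so it steers outbound traffic between R1 and R2, while AS-path prepending is what the ISP's S1/S2 see, so it steers inbound traffic toward one of your routers. The following is an added example, not from the thread, that models the first tie-breakers of the usual BGP best-path order (weight, local preference, AS-path length, origin, eBGP before iBGP, lowest router ID; MED and later steps are left out) and runs both knobs through it. The ISP ASN 64496, the prefixes and the router IDs are constructed.

```python
"""BGP best-path toy model: where local preference and AS-path prepending each take effect.

Added illustration (not from the thread). R1/R2 are our routers (AS 1111); S1/S2 are the
ISP's peers (AS 64496, an assumed documentation ASN). Prefixes and router IDs are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address

OUR_AS = 1111
ISP_AS = 64496  # assumption: documentation ASN standing in for the upstream


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str                # the router we would forward to
    as_path: tuple               # leftmost AS is the neighbour that sent us the route
    local_pref: int = 100
    learned_via: str = "ebgp"    # "ebgp" or "ibgp"
    origin: int = 0              # 0 = IGP, 1 = EGP, 2 = incomplete
    router_id: str = "0.0.0.0"   # router ID of the advertising neighbour
    weight: int = 0


def best_path(paths):
    """Pick the winner: key elements are compared in order, lowest wins (negated where higher is better)."""
    return min(paths, key=lambda p: (
        -p.weight,                               # highest weight
        -p.local_pref,                           # highest local preference
        len(p.as_path),                          # shortest AS path
        p.origin,                                # IGP < EGP < incomplete
        0 if p.learned_via == "ebgp" else 1,     # eBGP before iBGP
        int(ip_address(p.router_id)),            # lowest router ID
    ))


def egress_choices(r1_local_pref, r2_local_pref):
    """Exit R1 and R2 pick for Internet traffic when each has its own eBGP default and learns the
    other's over iBGP. Returns (R1's next hop, R2's next hop)."""
    r1_own = Path("0.0.0.0/0", "S1", (ISP_AS,), r1_local_pref, "ebgp", router_id="192.0.2.11")
    r2_own = Path("0.0.0.0/0", "S2", (ISP_AS,), r2_local_pref, "ebgp", router_id="192.0.2.12")
    # iBGP carries local preference (it is meaningful inside the AS) but the path is no longer eBGP.
    r1_sees = [r1_own, replace(r2_own, learned_via="ibgp", router_id="10.255.0.2")]
    r2_sees = [r2_own, replace(r1_own, learned_via="ibgp", router_id="10.255.0.1")]
    return best_path(r1_sees).next_hop, best_path(r2_sees).next_hop


def isp_ingress_choice(prepends_on_r2):
    """Which of our routers the ISP sends traffic to for our prefix. Local preference set inside
    AS 1111 never crosses to the ISP, so both paths arrive with the ISP's default (100) and only
    AS-path length (then router ID) separates them."""
    via_r1 = Path("203.0.113.0/24", "R1", (OUR_AS,), router_id="192.0.2.11")
    via_r2 = Path("203.0.113.0/24", "R2", (OUR_AS,) * (1 + prepends_on_r2), router_id="192.0.2.2")
    return best_path([via_r1, via_r2]).next_hop


if __name__ == "__main__":
    print("egress, equal local-pref:   ", egress_choices(100, 100))  # each router uses its own exit
    print("egress, R1 preferred (200): ", egress_choices(200, 100))  # both routers exit via S1
    print("ingress, no prepend:        ", isp_ingress_choice(0))     # tie, lowest router ID wins
    print("ingress, R2 prepends x2:    ", isp_ingress_choice(2))     # shorter path via R1 wins
```

The outputs show the pair: with equal local preference each router uses its own eBGP exit (load-sharing outbound by source), raising it on R1 pulls all outbound traffic through S1, and only prepending on R2 changes what the ISP does with inbound traffic. Whether S1/S2 honour that depends on the ISP's own policy, which is why many providers also accept BGP communities for the same purpose.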



When you can't afford a traffic generator (lab rant)

I have been trying to find a way to measure the performance of the Juniper SRX345 that I've got in my lab. As it only has 1Gig interfaces but is capable of 5Gb/s throughput, I decided to build two LACP LAGs with 4 GigE interfaces in each to an EX3300. That showed to be much more trouble than I thought (despite it working kinda ok), but I got issues with return traffic and couldn't tell if that was a problem on the SRX side not being able to handle the traffic, or issues with the hash (I'm doing L4).

Instead I decided to get dedicated L3 interfaces on the SRX, one for each Gig interface, in total 8 (the SRX has an additional 8 SFP but I don't have any copper SFPs in the lab) and stretch that into my EX3300 as L2 and up to my ESXi hosts that have 10G NICs. So I spun up 8 (!) Linux VMs with iperf3 and ran 4 concurrent flows, all at 1Gb/s each.

https://i.imgur.com/GGmy9AZ.png

Does anyone have a better idea how I could test this?



Small Office Buildout

I'm looking to redo a very small office (only has 2 people most of the time, maybe 4 at most), and am unsure what hardware route to go in terms of networking. They have spectrum business class internet, and are moving to Jive for VoIP. So a total of 4 VoIP desk phones, 2 hardwired computers, and a handful of wireless devices (laptops, phones).



Backup circuit options

Hey all!! I have questions about my options for a back up circuit for a site I manage.

We have two buildings in a downtown location. We will call them building1 and building2. Building1 houses our core network. Building2 is full of office space and the like. When we initially set up building2, we physically connected it to our core switch network. So building2 is layer 2 to the core. Now the company wants to have a backup "circuit" via cable modem for building2 in case the link to the core goes down. I am at a loss as to how I could make a layer 2 network use a cable modem to get back to our core. Does anyone have any ideas that may help me find a solution? I am open to anything.



DoD/Fed Network Engineers - Are you struggling to move up in your career/knowledge?

I work in the government/fed sector where you typically need a clearance from an agency or department to perform any IT work. The pay is really good and jobs are far from scarce; I get about 4 hit-ups for a new job every single week. What I am struggling with is staying up to date with technologies and getting meaningful experience under my belt. I've worked as a "Network Engineer" for a couple of contracting companies, but this mostly entailed doing VLAN changes or copy 'n' pasting configurations. Literally getting paid 115k+ to sit on my butt and do about an hour's worth of work a week. To some of you this might sound awesome, but to me it's not. I'd like to start getting my hands on with SD-WAN, EVPN/ACI/NSX, AWS, etc. Outside of work I do a lot of studying. I currently have my CCNP and am currently working on AWS SA plus studying Python automation, but home labbing and theory isn't enough if all you're doing is mundane tasks at work.

TLDR: I work as a fed contractor and get paid a lot to do easy tasks. I'd like to start getting my hands on with more advanced technologies and projects. Any other fed contractors experiencing this issue?



Hey r/networking, I need some advice...

I hope it's okay to post this here... I need some career advice and not sure who/where else to ask.

Fairly young guy here with extensive experience (10+ years) in Network Operations Center (NOC) environments, and I'm trying to figure out how to best leverage my experience and what to do next.

I've worked with almost every large wireless telecom company you can think of (all of the top 4), including some global telecom companies you may not have heard of.

I've worked in multiple NOCs, managed NOCs, built around 15 NOCs from scratch, performed a lot of consulting, process design and engineering, training, offshoring, automation, you name it - I've done it. My efforts have saved these companies millions and millions of dollars.

I've also led successful offshoring initiatives in two global NOCs on different continents. Each required setup, recruitment, training, management, continuous improvement, etc. I'm also ITIL and Lean Six Sigma certified.

I'm ready to leave the corporate world. So, the question...

  • How do you think I can best leverage my experience to start a consulting business?
  • What gaps exist in the marketplace that my unique experience can help fill?

Thank you!



VIRL problem with services

Hi,

Maybe someone will be able to help me with VIRL. Not sure why but I cannot run any simulation. System Operation Check is showing below services are not up. I've tried to start them manually and also to restart them via cli. Tried also the virl_setup utility to restart services.

Agent "neutron-metadata-agent" (host "virl-1") is not up

Agent "neutron-dhcp-agent" (host "virl-1") is not up

Agent "neutron-linuxbridge-agent" (host "virl-1") is not up

Agent "neutron-l3-agent" (host "virl-1") is not up

Any ideas what to do with this?

Second question, VIRL looks to be a very complicated system under the hood - is there any good documentation for tshooting?



How many users ONU can support theoretically?

I work in a third world country and the ISP I work for has connected resellers through an ONU for quite some time, since it is cheaper than using a manageable switch. One of the resellers is facing issues since he has above 200 users running through that ONU. Our boss hired a network engineer and he said that an ONU can support only 150 users at maximum.

Can you help me confirm this fact? I manage the marketing, sales & customer support, so I don't have much clue behind the technicalities and Boss Man has asked me to confirm this fact made by Network Engineer.

Please help me out, Redditors.



Small Manufacturing Business Network Equipment/Setup Upgrade

I'm in the process of looking for new network equipment to upgrade our small office network. I currently have a single consumer-grade Netgear wireless router to unmanaged switch and then another netgear router configured as a WAP in back of the building. We have comcast business 75/25 for internet service without static ip. We don't have a physical server, everything is handled through G Suite. We do have 5 voip phones (1 to 2 calls at most at once) and a Synology NAS for any local data transfer needs and local g suite backup. There are 5 office users with laptops. Three printers. There are 4 wired ip cameras controlled by a separate Synology + a network door access controller. Lastly, everyone has personal/business phones connected to a guest network including additional 10 manufacturing employees with their own devices. Our current router controls "everything" on the network which is not much: QoS for voip phones, reserved IP addresses for printers etc.

I'm leaning towards the Synology router + 1 WAP because I like the interface of my NAS, that it comes with free VPN capability, and it appears to have a secure guest network. I am really the only VPN user, nobody is remote, I just need it to check on equipment, cameras, door access etc. I don't want anything that charges licensing for additional features but I do want VPN so that I don't have to expose internal network equipment to the internet for external access. I currently have a VPN setup through L2TP/IPSec on the Synology NAS so could continue that approach.

Budget is pretty flexible but I'd say trying to stay under $1,000 for 2 (maybe 3) pieces of equipment - router + 1 to 2 WAPs.

I have an unused managed switch that I haven't connected and I could go into the VLAN approach if that's appropriate? I've never set one up but it appears common for phone systems and maybe another network for iPhones/guests? I'm not an IT professional other than part time job responsibility here. When I switched us to the VOIP phones I came to the conclusion via google that we didn't need VLAN for our size office phone system and so far so good.

Hopefully that's enough of a use case scenario for people to provide alternative products for me to explore. My main concerns are ensuring quality of service to the phones, security in general, and I'd really like to lock out the iPhones/guest network devices that aren't owned by the company if somehow those devices became security threats. I'm sure this is somewhat similar to past posts but things change quickly and I'm hoping with my use case explanation that I can get some responses of similar configurations by people who may do this for a living. Thanks in advance for any/all suggestions.



Network Mapping Software

What network mapping software exists that can dynamically draw a network map using LLDP / CDP information / interface information? Ideally we would have a google maps background to put the devices on a map as well as an overlay.

I like how the ubiquiti unifi system does this, but that is only for Unifi devices. I am looking for something more universal.



Redundant ring (?) network topology with EdgeSwitch 16-Port XG

Good afternoon,

This is a crosspost from ITdept; I got recommended to post this here instead. And as it seems images are not allowed, I'll be using links to images describing the situation. I am quite new to networking on this scale, so don't be harsh and explain it using simple dummy words :-) thanks! Also, this will be a forklift upgrade (new word I learned at the other post on ITdept), so any other devices are possible. However the company demands we kind of stay true to our original plan using Ubiquiti.

My second post on Reddit, after I have been reading and following topics for quite some time. I work at a small IT company and we recently acquired a nice (larger) customer. The customer has three locations on the same industrial site. There is fiber optic between each location, as can be seen on the attached drawing.

https://i.redd.it/sq1em2prq1d31.png

We have already bought some EdgeSwitch 16-Port XG to try it out. Although it is possible to make a single ring and to use port blocking, a double ring is quite a challenge. In addition, there is 50 ms downtime when a new route (as in, fiber route) must be chosen and I would prefer to see this without downtime.

My intention is to use the switches as a L2 network. The switches know the VLAN's, the routers do not.

For example:

192.168.1.1 = Guest network, VLAN 5, connected to firewall and guest access points

172.16.2.1 = LAN network VLAN 2, attached to firewall and endpoint switches

172.16.3.1 = MGMT network VLAN 3, attached to mgmt devices, firewall, etc.

https://i.redd.it/ilmt52utq1d31.png

Our idea was to install 2 "core" switches of the EdgeSwitch 16-Port XG type at each location. Connect these two switches together, connect servers to both switches (double uplink) and thus create a reliable solution.

Only now it gets pretty complicated and I am a bit lost.

Do you have suggestions as to how this can best be built up?

Thanks for reading and taking your time.



Location of Client/Mobile access switches in Spine/Leaf

I'm coming from the traditional Core\Agg layer design world and now have to re-design an existing network at a new company. I'm looking into Spine\Leaf as a possibility, but cannot find documentation out there related to where the Client access switches connect. Are they just another Leaf switch or are they connected another way?

Curious on this at another level as well. If the client access layer is just another leaf, and the environment is large enough to justify 6 spine switches, would that mean that each client access switch would need 6 uplinks back to all the spines? That seems excessive.

Most of the searches out there that I come up with regarding client access layer in Spine\leaf only return articles referring to the leaf switches as 'access' switches for server nodes.