Saturday, September 14, 2019

Can I connect a SIP trunk over a site to site VPN?

Moving offices, wasn't able to get the SIP trunk ported in time.

Now I'm trying to get the SIP trunk to route over a Sonicwall to Sophos site-to-site VPN, but I've not had any luck.

Anyone done something similar? I could use some help.

Thanks!



Script to reboot Meraki APs?

I've been finding the Meraki APs very unreliable lately, but they're not going anywhere. Rebooting has helped but it is tedious from the web gui.

We use 2960x switches and I have an inventory of what ports they are in. I would like to be able to load those in from a CSV and have a computer ssh into each 2960x (there are quite a few) and shut/no shut those ports.

Any thoughts? Does anyone have a script like this?
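An added example (not the poster's code or any project's) of the script described above: load a CSV of switch/port pairs, then shut and re-enable each port over SSH so the AP loses PoE and reboots. It assumes a CSV with "switch" and "port" columns and the netmiko library for the SSH session; both are assumptions, not something the post specifies.

```python
"""Bounce the 2960X ports that Meraki APs hang off, driven by a CSV inventory.

Added example, not the poster's code. Assumed inventory format: a CSV with
columns "switch" and "port" (one row per AP), and the netmiko library
(pip install netmiko) for the SSH session; both are assumptions.
"""
import csv
import getpass
import io
import sys
import time
from collections import defaultdict
from typing import Dict, List

# Constructed sample inventory standing in for the poster's real CSV file.
SAMPLE_CSV = """switch,port
sw-floor1,GigabitEthernet1/0/12
sw-floor1,GigabitEthernet1/0/13
sw-floor2,GigabitEthernet2/0/5

"""


def load_inventory(csv_text: str) -> Dict[str, List[str]]:
    """Group AP-facing ports by switch so each switch gets a single SSH session."""
    ports_by_switch: Dict[str, List[str]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        switch = (row.get("switch") or "").strip()
        port = (row.get("port") or "").strip()
        if not switch or not port:
            continue  # tolerate blank or partial rows in the spreadsheet export
        ports_by_switch[switch].append(port)
    return dict(ports_by_switch)


def bounce_commands(ports: List[str], shutdown: bool) -> List[str]:
    """IOS config lines for one pass (shut or no shut) over the given ports."""
    verb = "shutdown" if shutdown else "no shutdown"
    commands: List[str] = []
    for port in ports:
        commands.extend([f"interface {port}", f" {verb}"])
    return commands


def bounce_ports(host: str, username: str, password: str, ports: List[str],
                 hold_seconds: int = 5) -> str:
    """SSH into one switch, shut the ports, wait for PoE to drop, re-enable them.

    Nothing is written to startup-config on purpose: if the run dies between
    the two passes, a reload brings the ports back up rather than leaving
    them saved as shut. Returns the post-bounce interface status for review.
    """
    from netmiko import ConnectHandler  # assumption: netmiko is installed

    device = {"device_type": "cisco_ios", "host": host,
              "username": username, "password": password}
    with ConnectHandler(**device) as conn:
        conn.send_config_set(bounce_commands(ports, shutdown=True))
        time.sleep(hold_seconds)  # long enough for the AP to lose PoE power
        conn.send_config_set(bounce_commands(ports, shutdown=False))
        return conn.send_command("show interfaces status")


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} inventory.csv username", file=sys.stderr)
        return 2
    with open(argv[1], newline="") as fh:
        inventory = load_inventory(fh.read())
    password = getpass.getpass("Switch password: ")  # never keep this in the CSV
    for switch, ports in inventory.items():
        print(f"{switch}: bouncing {', '.join(ports)}")
        print(bounce_ports(switch, argv[2], password, ports))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```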



Question about Firewall Feature of SecureCRT

Hi Folks,

hope anyone has an idea about the following situation.
I posted the same in /r/SecureCRT but I fear it is not that active.

Here is the situation:

I have a remote Linux machine which I can access from my client directly.
This Linux machine is one of a very few hosts that is allowed to access a certain part of the network.
Therefore I use this Linux machine as a Jumphost.

To make my life a lot easier, there is the "Firewall" Feature in SecureCRT.
In my opinion it should be called proxy or jumphost feature - because that is exactly what it is doing.
I can save direct connections to hosts in the certain network and SecureCRT is "jumping" automatically over the Linux Jumphost.

But here is the catch:
When you access a Linux machine, you see every login and everything in the lastlog, right?
When I "jump" over my Linux machine using the firewall feature of SecureCRT...
... I never ever see anything at all about it in the lastlog... and also nowhere else.

I have root rights on this Linux Jumphost, and I am unable to find any trace at all about any login when my SecureCRT is clearly using it as Firewall for sessions to hosts logically "behind" it.

Has anyone maybe an idea why that might be this way?

Would appreciate any input very very much.

Thanks a lot in advance and best regards!
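As an added example (not part of the original post), a small Python check for the situation above: lastlog/wtmp only record logins that were given a pty, so a connection used purely to forward sessions through the jump host does not appear there, while sshd's own log still records the authentication. It assumes OpenSSH log formats and, for the "Starting session" lines, LogLevel VERBOSE in sshd_config; the log lines are constructed.

```python
"""Flag SSH connections to a jump host that never became an interactive login.

Added example, not part of the original post. lastlog and wtmp record only
logins that got a pty, so a connection used purely for port forwarding (which
is what a SecureCRT "Firewall"/jump configuration does) leaves nothing there,
while sshd's authentication log still records it. The sample lines below are
constructed in OpenSSH's log format; the "Starting session" lines exist only
when sshd_config has LogLevel VERBOSE (or DEBUG), which is an assumption
about the jump host's configuration.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample auth.log excerpt: alice opens two shells, bob authenticates
# but requests no session (forwarding only), so bob appears in no lastlog.
SAMPLE_AUTH_LOG = """\
Sep 13 09:01:12 jump sshd[2104]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Sep 13 09:01:12 jump sshd[2104]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Sep 13 09:01:13 jump sshd[2104]: Starting session: shell on pts/0 for alice from 10.0.0.5 port 51234 id 0
Sep 13 09:07:40 jump sshd[2201]: Accepted password for bob from 10.0.0.9 port 40022 ssh2
Sep 13 09:07:40 jump sshd[2201]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Sep 13 09:09:03 jump sshd[2201]: pam_unix(sshd:session): session closed for user bob
Sep 13 09:15:55 jump sshd[2310]: Accepted publickey for alice from 10.0.0.5 port 51300 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Sep 13 09:15:56 jump sshd[2310]: Starting session: shell on pts/1 for alice from 10.0.0.5 port 51300 id 0
"""

ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)")
SESSION_RE = re.compile(
    r"sshd\[\d+\]: Starting session: (?P<kind>\S+) on (?P<tty>\S+) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

# (user, source ip, source port) is carried by both lines, so correlate on
# that rather than on the sshd pid.
ConnKey = Tuple[str, str, int]


@dataclass
class SshAuth:
    timestamp: str
    method: str
    user: str
    ip: str
    port: int
    got_pty: bool = False  # True once a "Starting session ... on pts/N" matched


def parse_auth_log(text: str) -> List[SshAuth]:
    """Return one record per accepted authentication, in log order."""
    auths: Dict[ConnKey, SshAuth] = {}
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            key = (m["user"], m["ip"], int(m["port"]))
            auths[key] = SshAuth(line[:15], m["method"], *key)
            continue
        m = SESSION_RE.search(line)
        if m:
            key = (m["user"], m["ip"], int(m["port"]))
            if key in auths and m["tty"].startswith("pts/"):
                auths[key].got_pty = True
        # pam_unix "session opened/closed" lines are ignored: they do not say
        # whether a pty (and hence a lastlog entry) was ever allocated.
    return list(auths.values())


def without_login_record(auths: List[SshAuth]) -> List[SshAuth]:
    """Authentications that lastlog/wtmp will not show (no pty session)."""
    return [a for a in auths if not a.got_pty]


def report(text: str) -> List[str]:
    """Human-readable lines for the hidden connections, for the audit ticket."""
    return [f"{a.timestamp} {a.user} from {a.ip}:{a.port} ({a.method}) authenticated "
            f"but opened no pty session: check the sshd log, not lastlog"
            for a in without_login_record(parse_auth_log(text))]


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    print("\n".join(report(source)) or "no forwarding-only connections found")
```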



First Timer: Installed Unifi 48-port POE Switch

Hi everyone. This is my first Reddit post. I have no formal training in networking but have picked some things up in my last 6 months as the Network Admin for a large nonprofit. I inherited a solid system but as our program grew my predecessor added these 8-port Toughswitches and...well, wires everywhere and finally just had no place to add any more POE devices.

So today I installed a 48-port POE Unifi switch and tried my best to clean it up a little bit. The left picture is before, the right picture is after.

From the top:

1/2: Sigmamax patch switch (phones, copiers, etc.)

3: Intellinet patch switch (phones, copiers, etc.)

4: Unifi 48-port POE switch

5: Unifi 24-port Edgeswitch

6: Unifi 24-port Edgeswitch

7: Peplink router/VPN

8: Grandstream phone switch

9: A controller and, behind it, some devices on a shelf

I wanted to post this for two reasons: (1) show my first install & share how proud I am of myself and (2) ask for feedback.

It took me 4 hours to do this job. Now it's 10 times easier to maneuver cables but I'm sure there's lots of room for improvement. Such as those cables I hid between rows 7 & 8 - these cables came from other places that I couldn't connect to a patch panel. Without spending any money on cosmetic accessories, was there a better way to arrange those cords? Any other advice for a newbie?

Network switch install picture



How to ban PUBG over wifi?

Is there any IP range method or anything to accomplish this?



Split LACP Between Two L2 Switches???

In efforts to maintain HA, how can I split a 2 or 4 port LAG between two switches??? Example, if not using stack cables and using two Unifi switches for instance.

Server A has 4 nics, or 2 whatever. 1 to switch A 1 to switch B, or 2 to A and 2 to B.

Pretty sure I can only have it per switch in UniFi. Not Span across both...

So , what is common practice? I want to split between two switches to maintain availability if one switch fails.

Cheers



Help me Please

Hi all,

I don't really have that much knowledge in this field so am hoping you can help me.

My question is, I have a UniFi outdoor Access Point, but can I use a UniFi NanoStation AC loco in an area further on to repeat any kind of internet connection (wired from it or wireless)?

Hope you can help.

Thanks - Jake



Is there a way to stream a HDCVI camera through ethernet (UDP)?

Is there any way to stream this camera, which is coaxial, over Ethernet and record the stream using my computer?

https://www.dropbox.com/s/zz4sm70u9qnc7lj/C240%20Data%20Sheet.pdf?dl=1



Ruckus Zonedirector and cisco switch. Issue with Vlans

Currently the ZoneDirector and APs are accessed through VLAN 1. I need to change it. Kindly guide me to configure that.



SD WAN Lab

Hi Everyone

I would like to build my own SD-WAN lab in ESXi. I've had a go of Cisco's Viptela which is great but I think it's a bit too fiddly. I've had a go of Silver Peak which I really like, and I wanted to lab this up in my own lab environment; however, I can't because I don't have license keys etc. Does anyone know other SD-WAN providers whereby I can download the images and trial it all working in my own lab? I just don't want to waste loads of time building labs after downloading the images to find I can't advance because I don't have a licence key. Thanks



ROAS with switch stack or collapsed core for small office

I have a new office opening in the next couple of months. Currently debating the design with myself.

In either design the gateway will be a ha pair of firewalls as they have already been bought.

2 options I'm thinking of:

  1. Stack of 5 Cisco 9200's with a roas setup. Will need to purchase the switches as we don't have any currently spare. This is what we have in another office so would standardise deployments.

  2. Make use of existing stock. Core/distribution of 3650's X 2. 5 random switches at the access layer - will probably be a mix of 2960x's and ex3400's. This would give me more budget to spend on access points.

Option 1 works, and we have another office set up exactly like that now.

Option 2, am I being fancy just for the sake of it?



Friday, September 13, 2019

Multiple MLAG ports on Extreme EXOS switches.

Just posting here in case someone knows of a solution..

I have successfully connected two x460g2 (SW1 and SW2) switches with an MLAG to a pair of SLX switches (SW3 and SW4). That works great.

However, when I try to set up an additional MLAG to another single device, I lose all connection to SW2.

I turned up LACP on the single device (R1) and “enable sharing port 49 grouping 49 algorithm addressed-based L2 lacp” on SW1, which works fine. (I don’t have the SW2 port 49 connected yet to R1.)

As soon as I enable “enable mlag port 49 peer SW2 id 301” on SW1, I lose all connectivity to SW2...

If I “disable MLAG port 49”, connectivity to SW2 restores.

Anyone familiar with extreme willing to help?



Network Backup

Mainly Cisco gear. What are my options to have config backup done across a set of 50 devices using free resources? I have set up RANCID but it's a pain and I can't get the notifications to work for configs. Any suggestions?



Real World Best Practice/ Design for "Firewall on a stick"

Hello,

Apologies for the weird title. I am wondering if I could pick the collective brains for a hand with a "Firewall on a stick" slightly fictional solution I am trying to come up with.

Essentially, I have 3 VRFs on a core switch, each representing a different "function" of the business. For simplicity, let's say Accounting, Brian's_Department, Craft_Department (VRF A, B, & C respectively). I want to map each of those VRFs to a zone on a firewall. If traffic from an Accounting Department PC wants to talk to an Accounting Dept server, that traffic happens within the same VRF (processing happens on the switch).

If an Accounting PC wants to look at a Craft_Department server, then I want that traffic to go up to the firewall, be processed by rules there, then come back down (processed on the FW).

I want to do it this way as each department has a desire to implement each of their areas with 100 cameras, which must (of course) record in 4K. I don't want the firewall to have to process/handle camera traffic from one VLAN to another when it doesn't necessarily have to.

How do I go about interconnecting the switch to the firewall? I have heard of using sub-interfaces with a "transit" VLAN for each VRF to the firewall, where the VLAN has an SVI on both the VRF and the firewall, which is then placed in a zone on the FW. Much like this: https://packetpushers.net/using-vrfs-to-maintain-security-zones-in-an-layer-3-datacenter-network/

However, I'm worried about this scaling; how would this work if I later wanted to do it as a port channel? Again, how would that work if the core was 2 Nexus switches doing vPC?

Really looking for advice on how this is handled in the real world and what the best way to do this is. If it helps, I'm using a Palo Alto firewall.

Here's a diagram of what I'm trying to achieve: https://i.imgur.com/mcnOyFN.png Thanks for the read; really appreciate the help



EVPN and Hyper-V

So, I've been reading about EVPN and I'm inclined to give it a go with Cumulus Linux.

It makes sense so far, but the one thing I can't figure out is how I'm supposed to integrate it with Hyper-V (2019 in my case). It seems like I am supposed to terminate the VTEP within the hypervisor, but copious searching along the lines of "EVPN Hyper-V" comes up pretty dry.

Can anyone shed some light on how these technologies are supposed to integrate, or has MS not yet gotten on board this train and I am expected to only use their Network Controller?

Thanks!



Can someone please explain to me what I'm doing wrong?

I have an assignment that I'm tripping up hard on. Basically, we were to create a windows server VM with a domain and then create a client windows 7 VM and attach it to the domain.

While the client has been attached to the domain already, and the client can ping the server, the server can't actually ping the client (Destination host unreachable).

I gave the following to each machine:

Windows 7 Client: Adapter 1 - Internal Network, IP 192.168.100.10/24, DNS 192.168.100.1; Adapter 2 - NAT Network, DHCP

Windows Server 2016: Adapter 1 - Internal Network, IP 192.168.100.1/24, DNS 127.0.0.1; Adapter 2 - NAT Network, DHCP

I made sure to turn the firewall off on both machines. I also changed the server DNS to 192.168.100.1 thinking that was the right thing to do?

If someone more experienced than me could please please help I'd really appreciate it.

If more information is needed I can supply it

Thanks



Demarc Fiber Optic Extension Gone Wrong: I Need Help!

Long story short: the NOC gets a 0.01 success rate when pinging the Adva 114 device. The ISP hands off copper, which is then converted to multimode fiber and then to copper again:

• 114 Adva connected to;

• Cat 8 connected to;

• Media converter, copper to multimode fiber, connected to;

• Multimode patch cable connected to;

• A coupler connected to;

• Armored multimode fiber cable all the way to the telecom room on the 13th floor from the basement, about 500 ft.

Then I crossed the cable over to the same brand of media converter and copper cable. So the extension is copper to multimode fiber to copper.

I am not sure what the issue is. I am getting -17 dBm and 18 uW from one converter, and I am not sure about the other though. Any thoughts about this? Thanks,



How to use a Orange Pi R1 (dual ethernet) to invisibly sit between a printer and a router and sniff/alter data that is sent?

Hello,

I've been working on this project for quite some time and keep getting stumped. I want to create a device that lets you capture and possibly alter the data getting passed through the device to a printer.

Device: Orange Pi R1

OS: Armbian Bionic

Network/Router <--eth0--> Orange Pi R1 <--eth1--> Printer

I have found many tutorials on creating sniffers, but after following many of them I can't seem to get it to work. All the tuts are a bit old and they don't bring up network manager at all so I'm not even sure if I'm disabling that correctly so I can use interfaces. I'm not even sure if I am going down the right path here. I'm assuming that I create a bridge between eth0 and eth1 and then have wireshark or tcpdump look at that bridge for sniffing. I then thought I could use IPtables to route print jobs (port 9100) for processing and then send them to the printer.

I want the printer to be able to choose its IP or use DHCP (whatever the printer settings are) and the router/network will see it as the printer. The device should be invisible to the network. I really could use some help; happy to gild for a point in the right direction.

Thanks guys



How can I redirect a web to another?

Hi, I need to redirect www.google.com to www.youtube.com so when I type the first one the second one comes up. I'm on Windows 10. How can I do this?



4G proxy server questions

I'm designing a new proxy server for my Instagram network. I need one to run 8 different accounts; I schedule them all with Jarvee. The setup would just be an Android phone running the 'Servers Ultimate' Android app. There's a deal in my country (UK) for a network called 'Voxi' which offers 'endless social media'. What I'm wondering is if that would still apply when being run through the software, and probably not for its intended purpose; would it still register everything as Instagram usage and not eat up all my data? Thanks in advance for any answers :)



High Speed in Australia

Does anyone know if in Australia, using nbn, there is a way to get speeds faster than 250 Mbps download? I don’t know that much about networking so I’m sorry if this is a stupid question.



Juniper SRX-300 as an MPLS PE device?

We run our own MPLS/L3VPN between a couple of datacentres in the UK, and a couple in the USA. For P/PE devices we are using Juniper MX80 routers.

We have a couple of racks in Sydney and HK which we also want to link up to our core network (currently using s2s VPN's). We have a vpls circuit in sydney and HK, on top of which we can build our own mpls/l3vpn.

Question is, would an SRX300 be suitable for the job? The VPLS circuits are capped at 100 Mb anyway, so I can't see throughput being an issue.

Total amount of routes will be around 300. Any caveats in using an SRX full meshed into our mpls core?



Open Source Asset management software

What are you all using for asset management of network equipment?

I'm looking for something in which I can record the usual:

hostname, manufacturer, model, EOL, software version, supplier, support contract, etc.

And finally move away from an Excel spreadsheet :)

Ideally something that could be expanded in future to cover IT assets such as servers, laptops, monitors etc.



Rate limiting a port

Hi Reddit,

As an MSP, we have a customer to whom we've sold a 100 Mbps pipe at our colo. They are connected to an interface on our switch that currently has a policing policy applied that doesn't appear to be working. The policy is configured as such:

ip access-list extended ANY_IP
 permit ip any any
class-map match-all ANY
 match access-group name ANY_IP
!
policy-map Policer_100M
 description 100Megs Bandwidth
 class ANY
  police 100000000 8000 exceed-action drop
interface GigabitEthernet1/0/5
 description Customer
 switchport access vlan 9
 ip access-group ANY_IP in
 spanning-tree portfast
 service-policy input Policer_100M

When I look at the policy stats I have nothing:

Service-policy input: Policer_100M

  Class-map: ANY (match-all)
    0 packets, 0 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: access-group name ANY_IP

  Class-map: class-default (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: any
      0 packets, 0 bytes
      5 minute rate 0 bps

From research I've done I think it would be better to accomplish this using the srr-queue bandwidth limit command. Thoughts?

Edit: Network device in question is a Cisco 3750G running IP Services 15.2



Mask/Strip X-FORWARDED-FOR to the internet with ASA/Firepower

Going through an issue now where an outside vendor is filtering permission by IP, however, their application is reading the XFF field and seeing our private IP instead of the Public IP.

After doing some research I see that ASA/Firepower does not have the ability to strip the XFF; just wondering if anyone else has run into this and found a solution on the source side.

So far I have told them they need to find a way to not read the field via the application



Disabling SIP ALG on Cisco Router (C891F) running Cisco IOS

Hello everyone!

Sadly I am having some problems disabling SIP ALG & ensuring UDP port 5060 is open, and hoping someone here would be kind enough to outline how I am a dunce and what to do about it. :)

The steps I took to disable SIP ALG were... (source)

  1. I logged into the router via serial console
  2. enable
  3. configure terminal
  4. no ip nat service sip udp port 5060 (it didn't return anything)
  5. no ip nat service sip tcp port 5060 (this command registered).

However, when our VOIP provider ran their diagnostics/tests the 2 issues persisted...

  1. An active SIP ALG was detected on our network
  2. UDP port 5060 is blocked

It may be worth mentioning that I did not set up this router and my experience with Cisco CLI / IOS is limited.



Anyone have make/model numbers of working CWDM or DWDM transceivers that work in Aruba 2930F or 3810M?

I've got 4 strands of OS2 from site1 to site 2.

Currently, there are 2x 10GBase-LR connections from a stack of 2930F switches to a stack of 3810M switches, using all 4 strands.

I'm looking to remove the 10GBase-LR transceivers, install some CWDM or DWDM mux/demux units, and then install 10GBase-WDM transceivers.

Only problem is Aruba doesn't have any listed skus for supported CWDM or DWDM transceivers.

Anyone have working 10GBase-CWDM or 10GBase-DWDM or 1GBase-CWDM or 1GBase-DWDM transceivers that are working in Aruba 2930F or 3810M switches with firmware version 16.x.x?

I'm not afraid of using service-unsupported-transceiver, but I don't want to go buy a bunch of DWDM/CDWM mux/demux units, transceivers, patch cables, etc... and then find out they won't work anyway.



Toys for NOC - What should I buy?

I've been asked to come up with a shopping list of toys and distractions to put in our NOC.

Context: We're building out a small war room primarily for cloud network developers and network engineers at a separate campus from where front-end customer support happens. The on-call team go on rotation for 12 hours every couple of months. I would like the engineers to be able to blow off steam between fire-fights and feel like the space is more like a geek den rather than a drab conference room. Culturally our team is from all over the world, US, India, China, Europe, others and of course range in age from millennial to delayed retirement.

Links, photos, concepts, and of course suggestions from your experiences appreciated.



SVI vs SubInterface Pro's/Con's

I am in my late 20's and have always used SVI's to do routing for my vlan's. But it is my understanding (feel free to correct me) that sub interfaces are the legacy version of SVI's due to the classic example of router on a stick vs SVI routing for end hosts.

My new organization has a lot of routing configurations sourced from sub interfaces and I was wondering if there is another capability/feature of sub interfaces that SVi's can't accomplish or if it is literally a 1:1 comparison.

On a side note, the whole syntax of SVI's is confusing to me (why a . extension to the interface?), having not dealt with them a lot.



Facepalm moment - i forgot to ask the stupid question

We set up a branch office in London. Fairly small floorplan, and while 2 APs should have had us covered (I love the predictive heatmap tool with my chosen hardware), we installed 3 due to density.

My local (to me; flew overseas) helpdesk guy was onsite for 2 weeks. We had a local IT guy onsite who was let go, then had a contractor for a few months, and hired a new FTE for that location. We also paid low voltage guys to install APs and run cabling.

So by my count we had FIVE GUYS with hands on APs with at minimum rudimentary computer skills.

For SIX months (tbh, shouldn't have taken this long, but time diff and lack of communications slowed it down considerably) the office has complained about wifi coverage. I've replaced APs (RMA), I've tweaked signal strengths thinking bands were overlapping, tried to coordinate testing with onsite users....

After 6 months of this nonsense and getting raked over the coals, I offhandedly said “and the AP is mounted and hanging down from the ceiling, right?” Because it made 0 sense when I finally got the IT guy to sit 5 ft away from the AP and he was getting 2 bars....

He says “oh, the ceiling is metal so they are inside the ceiling”

I'm sorry.... wat? The APs are in a metal/concrete box?!?!?

I should know better. But damn, 6 months and 5 IT guys and not one of them thought to mention this?!?!

headdesk



Attempting to connect a wireless device(shop tool) to our ShopTools SSID, constantly fails connection but will connect to other SSIDs. Any input is appreciated!

Pretty sure our ShopWifi SSID is a VLAN, has no internet access other than a specified website that I assume allows tools on that SSID to link to the rest of the network. I have confirmed correct password for the SSID and can connect other devices to it, and can connect this tool specifically to other networks.

Is there a way that I can resolve this predicament without contacting our IT department? I am starting to think that maybe ShopTools requires devices to be authenticated on an admin level, potentially?

This is a replacement tool, the previous one (same hw/SW) had no issues.

Thanks for the help!



Network Access Control in a mixed environment

Looking for some insight as to how other people have done network access control in a mixed environment?

So we have windows, mac and a mix of linux distros. I have trialed cisco ISE before but found it to be pretty useless when it came to identifying linux distros specifically. These make up almost half of our estate.

Has anyone else been in a similar situation with these sort of requirements and how was it solved?



Has anyone else found that many broadband Internet connections only work reliably when physically terminated directly on a layer 3 device?

As a general practice I always try to physically terminate Internet connections directly into a switch so that potentially multiple layer 3 devices such as router or firewall can have a public IP on the directly connected subnet to the Internet service. This has made my life way easier on many occasions due to the flexibility and potential redundancy it provides, particularly when conducting connectivity work remotely.

The vast majority of the time this works without issue. However, I have found that for many broadband/cable modem connections the connection will not perform reliably with this physical configuration. The only way I can get the connection to perform reliably is to physically terminate the cable modem into a router or firewall directly. This isn't the end of the world, but it is less than ideal.

When I say that the connection performs unreliably I mean that oftentimes the directly connected devices will be able to pass traffic for a few minutes or in some extreme cases even a few months before no longer being able to pass traffic. Sometimes power cycling the cable modem resolves the situation and sometimes not.

Has anyone else encountered this problem and (hopefully) found a solution?



SD-WAN and layer 3

Hi all,

Been told by a customer that their head office is looking at implementing SD-WAN, and that "they may require us to ensure we have layer 3 switches".

Now, as I've got no experience with SD-WAN, I've had to go with YouTube videos and explanations of it, and it doesn't sound from the outset that it requires layer 3 switches everywhere. Can anyone confirm? Currently the site we look after has a bunch of ZyXel GS1920 switches with a pfSense instance providing VLAN routing.



ISP reads circuit good (950/950) - I can't read higher than 140. They blame us

Hey guys. I'm going to give a high level overview/rant in hopes for more experienced engineers to help guide this conversation.

We have a branch (~60) using a 1GB fiber circuit. Services have sucked. Many tickets have been opened. It all comes back to "problem is on your side * ticket closed". Issues are slow speeds, intermittent drops, etc.

On the stack (Juniper SRX/EX - very simple) we see maybe 100 Mbps to various speed tests. I use a gamut of tests in a matrix to get a better feel. We can disconnect the entire stack, hard plug directly into the handoff: 140 Mbps down.

They plug "their device" in (I'm not the guy on site) and get 950/950. Pack their shit up and leave. They quote "speed tests are inaccurate, you're incorrect." So not a SINGLE device regardless of OS (Linux, Mac, Windows, Juniper, Cisco) can get higher than ~100 Mbps except their device.

Also their device output showed 4ms on their test. Clearly it's not going to the internet. Meanwhile I have another branch in the city, same network stack, same fiber plan and I can blast the entire gig through.

Besides literally taking my hardware from the other known-good site, installing it into the known-bad, what the f*ck can I do to get these guys to do something? There's only one other carrier in the building that we've already started talks with. Idk what else to do. We pay for a gig we get shit. We are -not- under contract anymore.

From the ISP perspective - tell me what you'd like to see from me!



MP-BGP route propagation

Hi All net valuable colleagues! I'd like your opinion about how you would deal with the following scenario:

https://imgur.com/a/r4f7f4Q

All those routers represent different VRFs inside a single physical router. The aim is to propagate customer routes in the forward direction through all the VRF chain, and the default route in the opposite direction. Each VRF should have its next hop in the adjacent VRF loopback on its right in the forward direction, and the one on its left in the return direction.

As per standard configuration:

router bgp 65000
 bgp router-id 1.1.1.0
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf dlg-hau
  redistribute connected
  redistribute ospf 10
 exit-address-family
 !
 address-family ipv4 vrf firewall
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf internet
  bgp router-id 1.1.1.0
  redistribute connected
  neighbor 1.1.1.1 remote-as 65535
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf shaper
  redistribute connected
 exit-address-family

the default route would stop at the "firewall" VRF, I assume because of the BGP advertisement limitations between iBGP peers. The VRF chain should be flexible enough to easily remove (bypass a stage) or add a new node on the path (i.e. a new stage of processing of the packets). An identical chain will be in place for redundancy purposes. BGP route reflectors may solve the propagation issue and would add flexibility in case of new nodes, but I would keep the design as simple as possible.

Moving OSPF redistribution to the right end of the chain and leaving BGP to only the "internet" VRF would bypass the problem, but I'd rather use MP-BGP on the various stages because of future MPLS expansion of the network.

How would you deal with that?

Sincerely



Thursday, September 12, 2019

Best NAC product for an ICS network?

I have an industrial network (PLCs, RTUs, HMIs).

I'm looking for a way to have some control over what is connected to the network (is this xx brand HMI? Allowed. Is this an authorized laptop? Allowed. Is this a Raspberry Pi? Not allowed)

I'm looking at NAC solutions. Mostly ISE vs Clearpass.

Most of these devices won't have dot1x and would be authorized via MAB. I'm looking for a NAC solution that would be very good at profiling these ICS devices via some device probing/fingerprinting type work. Any suggestions?



Protocol Negotiation in Intergalactic Computer Network?

A while back, I remember reading how back when they were working on the Intergalactic Network under Licklider, etc., one of the problems they tackled was how to have two computers negotiate a common protocol to communicate with each other. The problem, if I remember correctly, was framed as a first contact scenario of two alien civilizations.

I have now forgotten where I read this and can't find any resource on whether they made any progress in this field. Does anyone have any idea what I am talking about here? Are there any publicly available records of how much progress they made, which parts of the problem they were able to solve, and what those solutions were?



Dell S4112T switch acoustic noise?

Datasheet for Dell S4112T switch does not include any acoustic noise data. Does anyone have measurements or subjective comments?



Force homepage on wireless network

Is there any way to set a default page for a browser when connected to my network?

Or be redirected to this page if you try to access some other website.

(On a local network using router and apache server)



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts

Feel free to submit your blog post and as well a nice description to this thread.



VxLAN with FW as Gateway

I'm curious how many of you guys are using a FW as the gateway for your VXLAN EVPN environments. We are doing multi-tenancy and use virtual firewalls as the gateway for each VRF/tenant, and it performs the routing between different VNIs. We do static routes to leak routes into other VRFs. No anycast gateway. First time I see this design in production. I feel like this may bring scalability issues later on as our company grows.



Using RHEL 7 VM with Apache URL Redirect

I've been doing some testing with taking a few internal addresses (e1.example.com, e1dv.example.com, e2dq.example.com) and creating DNS records for each pointing to the IP address of a RHEL 7 VM running Apache with virtual hosts set up for each, and then attempting to configure URL redirection through the Redirect directive. I think I am missing a step though, or maybe this isn't the best use for URL redirection, as when I go to configure the redirection I'm stuck at how putting the path for the virtual host is going to route traffic to the external address. If I want a user to enter e1.example.com in a browser while connected to our private network and end up at 'thisotheraddress.com:8000/test/example.maf', is this the wrong solution? I was trying to configure this functionality without an F5, though I understand an F5 could provide this functionality. Is there a more obvious / simple way to send an internal address to an external address?



Ethernet repeater

I'm with the IT division of a small city government. We recently had a vendor come out to one of our sites (an auditorium) to run two particularly long Cat5e cables to the ticket booth for the credit card reader. However, it seems that the run is apparently too long. (They estimated 90m, but it ended up being pretty much right at 99.5m) The workstation that now utilizes one of these two lines operates fine. Same with the printer. The card reader, however, apparently doesn't put enough juice into its transmissions to make the whole run back to the switch.

We confirmed, after pointless and extensive testing, that the issue is with the physical length of the run. No logical networking issues exist (routing, etc.) The placement of a simple unmanaged switch at the end of the run, between the card reader and wall jack, solves the issue.

I'm looking for the cheapest possible solution to get this card reader on the network, other than the unmanaged switch.

Thanks~

EDIT: Solved! Compatible solutions were offered:

https://www.reddit.com/r/networking/comments/d3b1s9/ethernet_repeater/f012njm/

https://www.reddit.com/r/networking/comments/d3b1s9/ethernet_repeater/f0177iw/

https://www.reddit.com/r/networking/comments/d3b1s9/ethernet_repeater/f01302n/

https://www.reddit.com/r/networking/comments/d3b1s9/ethernet_repeater/f0173ze/

We ended up going with the speed reduction while clearly labeling the wall jack as "for pinpad only". We didn't want to get a technician confused and attempt to "correct" the cabling upon noticing that the standard of "computer daisy-chained off of phone" wasn't being followed.



Whitebox Switch Recommendations

Hi all,

Due to the price point I'm considering purchasing some baremetal fiberstore 100G N-series switches and buying Cumulus Linux licenses for them separately.

Are there any red flags there that would make you favor a more established player like Dell or HP whitebox? The cost is so much lower that I'd be OK with having a few spares even if turnaround time is in weeks on hardware repairs. I understand that the fs switches are just rebranded Edgecore?

Thanks in advance.



Layer 2 in VCenter btwn Cisco 9000V and end-machine VMs?

I've got a virtual network in VCenter. I've connected windows/linux VMs to a cisco 9000v using portgroups on a distributed switch (one port group for each vlan/subnet).

The issue is, nothing communicates when I try to use L2 connections on the switch (SVI for VLANs, 'switchport mode access' and 'switchport access vlan X' for ports to a device). Currently I'm having to make an L3 port for the portgroup, and connect all of the VMs in a VLAN (or I guess subnet, since the whole VLAN thing isn't working...) to a single switch interface.

Wondering if anyone's done this before and gotten it to work with switchports and not all L3 interfaces.



SNMP polling of switch failing since power outage

One of our branches had a power outage. When power was restored, the config was gone from one of our Aruba 2530 switches. I restored the config from backup, but now SNMP polling isn't working. I verified the SNMP configuration is the same as another Aruba 2530 at the branch. I tried upgrading the firmware of the switch but this hasn't made any difference. We use SolarWinds Network Performance Monitor for SNMP polling.

I'm not getting anywhere with Aruba support. Does anyone have any ideas?



Would appreciate some insight

Hey guys, I have an upcoming interview for a network engineer position and I have no idea what to expect. I have not previously worked as one; I've been in IT Support for 1.5 years now, but I've mainly dealt with Windows stuff, identity management and Active Directory. I do have some knowledge and I plan on reading a few things before my interview, but I'm not sure what exactly to focus on more. I'd appreciate some insight on what to focus on as a start. I have taken a networking course and I'm kind of aware how things work (TCP/IP, UDP, DNS, DHCP, RIP, OSPF etc.) but not sure what would be the main focus of the interview. It is a junior position (I'm a pre-last year student in university) btw.

I hope this does not violate anything in terms of rules.

Thanks in advance!

EDIT: It is a support role, working via tickets, not a NOC.



Meraki Portal down in NA

In case anybody had issues last night, September 11th at around 8PM Pacific, with false positives, here is their non-official forum response. No status page, shame on them.

https://community.meraki.com/t5/Dashboard-Administration/Meraki-Cloud-Unreachable-Across-ALL-Networks/m-p/60494



Ansible upgrade code - "msg": "bad character range"

Hey,

Maybe I should put this in the Ansible subreddit, but since it's directly related to networking, I figured I'd ask here. So, I'm using Ansible to push upgrades to IOS devices that have older code. Currently I have a script I am attaching; every time I run it, Ansible returns this: fatal: [test-wan]: FAILED! => {"changed": false, "msg": "bad character range"}

I'm struggling to find this on Google or any docs. Anyone have any ideas why my YAML is failing? Or what this error really means?

The script (I've removed the majority of the playbook, it's failing at the second task "UPGRADE IOS IMAGE IF NOT COMPLIANT"):

---
- name: UPGRADE IOS
  hosts: test-wan
  connection: network_cli
  gather_facts: no

  vars:
    ansible_connection: network_cli
    ansible_network_os: ios
    ansible_user:
    ansible_ssh_pass:

  vars_prompt:
    - name: "compliant_ios_version"
      prompt: "What is the compliant IOS version?"
      private: no
    - name: "should_reboot"
      prompt: "Reboot IOS node? (YES or NO)"
      private: no

  tasks:
    - name: GATHER SWITCH FACTS
      ios_facts:

    - name: UPGRADE IOS IMAGE IF NOT COMPLIANT
      block:
        - name: COPY OVER IOS IMAGE
          ios_command:
            commands:
              - command: "copy ftp://172.16.0.35/c1900-universalk9-mz.SPA.157-3.M3.bin flash0:"
                prompt: "Destination filename [c1900-universalk9-mz.SPA.157-3.M3.bin]? "
                answer: "\r"

Thanks!
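Added check, not part of the poster's playbook: Ansible's network_cli connection compiles each ios_command `prompt` as a regular expression, so the square brackets in the prompt above become a character class and "157-3" inside it is a descending range. The Python `re` module reports the same "bad character range" text, and `re.escape()` gives the literal form that still matches the router's prompt. The router output line below is constructed, not a real capture.

```python
import re

# The prompt exactly as written in the playbook above.
PLAYBOOK_PROMPT = "Destination filename [c1900-universalk9-mz.SPA.157-3.M3.bin]? "

# Constructed sample of what the router prints back (not a real capture).
SAMPLE_ROUTER_OUTPUT = (
    "copy ftp://172.16.0.35/c1900-universalk9-mz.SPA.157-3.M3.bin flash0:\r\n"
    "Destination filename [c1900-universalk9-mz.SPA.157-3.M3.bin]? "
)


def compile_prompt(prompt: str):
    """Compile a prompt as a regex, the way a regex-based prompt matcher does.

    Returns (compiled_pattern, None) on success or (None, error_text) on failure.
    """
    try:
        return re.compile(prompt), None
    except re.error as exc:
        return None, str(exc)


def literal_prompt(prompt: str) -> str:
    """Return a regex that matches `prompt` character for character.

    re.escape() backslash-escapes '[', ']', '?', '.' and '-', so the filename
    brackets stop being a character class and '157-3' stops being a range.
    """
    return re.escape(prompt)


def check_prompt(prompt: str, output: str) -> dict:
    """Report whether the raw and the escaped prompt compile and match `output`."""
    raw_pat, raw_err = compile_prompt(prompt)
    esc_pat, esc_err = compile_prompt(literal_prompt(prompt))
    return {
        "raw_error": raw_err,              # e.g. "bad character range 7-3 ..."
        "raw_matches": bool(raw_pat and raw_pat.search(output)),
        "escaped_error": esc_err,          # None: the escaped prompt compiles
        "escaped_matches": bool(esc_pat and esc_pat.search(output)),
        "escaped_prompt": literal_prompt(prompt),  # string to use in the playbook
    }


if __name__ == "__main__":
    for key, value in check_prompt(PLAYBOOK_PROMPT, SAMPLE_ROUTER_OUTPUT).items():
        print(f"{key}: {value}")
```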



Multiple VLANS within the same Subnet

Hi guys, I tested one interesting situation today:

We have 2 hosts in the same subnet, 10.0.0.1 and 10.0.0.2 for example, but in different VLANs; all ports are in access mode, everything on the same switch.

port 1 - host A, vlan 10, 10.0.0.1

port 2 - vlan 10, cable connected to port 3

port 3 - vlan 20, cable connected to port 2

port 4 - host B, vlan 20, 10.0.0.2

I tried this in a lab and ping works between the hosts; only CDP doesn't work because the VLANs are different.

How does this work and what are the problems with this?



Console Switch/Server Symbol?

Hello all,

I am making a bunch of diagrams for some networks I'm turning over to another company and for the life of me I cannot think of what symbol to use for remote console access devices. The diagrams are supposed to be topology diagrams rather than technologies, so they will use generic switch and router icons, etc., but I need to portray a console server for out-of-band access like a Raritan or WTI device. If anyone has any ideas, it would really help me out.

Thanks so much!



9300 Switch - DHCP Snooping Issue

We're having a really hard time wrapping our heads around our DHCP Snooping issues with our 9300 switches. Long story short, our IP phones are unable to receive a DHCP IP address when snooping is turned on. Once we disable DHCP snooping, the phone immediately gets an IP address and works properly. All of our 3850 switches are configured with DHCP snooping and we have never had any issues.

Here's our DHCP Snooping config on our lab switch:

ip dhcp snooping vlan 26-27,249
ip dhcp snooping

interface GigabitEthernet1/0/48
 switchport mode trunk
 ip dhcp snooping trust

We have our lab switch config as bare bones as you can get. ISE is not configured on it at all.

I have tried all of the following versions of code with no luck:

-Everest 16.6.3
-Everest 16.6.5
-Everest 16.6.6

-Fuji 16.9.3
-Fuji 16.9.4

TAC seems to still be scratching their heads. We're surprised that this doesn't seem to be a wider issue with other customers. I've found many Cisco forum posts about users experiencing this issue but without any clear direction to a solution.

We've taken a packet capture with DHCP snooping on and it shows during the DHCP 'handshake' that only Discover and Offer are transmitted. The Request and ACK portion of the 'handshake' never come through. Once I turn DHCP snooping off, we can then see the full four step Discover, Offer, Request, ACK.

Has anyone found a solution?



HP ProCurve RSTP

Hi,

I have two HP ProCurve 2824 switches; these two should provide failover. I can't set up a full stack with this model, so stacking is only for configuration.

Anyway, I configured RSTP on both switches:

SW2# show span

 Rapid Spanning Tree (RSTP) Information

  STP Enabled            : Yes
  Force Version          : RSTP-operation
  Switch Priority        : 4096         Hello Time    : 2
  Max Age                : 20           Forward Delay : 15
  Topology Change Count  : 252
  Time Since Last Change : 4 mins
  Root MAC Address       : 000f20-8c5d00
  Root Path Cost         : 10000
  Root Port              : 24
  Root Priority          : 0
  Root Guard Ports       :
  TCN Guard Ports        :
  BPDU Protected Ports   :
  BPDU Filtered Ports    :

  Port  Type       Cost   Priority  State       | Designated Bridge
  ----- ---------  -----  --------  ----------  + -----------------
  1     100/1000T  20000  16        Disabled    |
  2     100/1000T  20000  16        Forwarding  | 000f20-e02ec0
  3     100/1000T  20000  16        Disabled    |
  4     100/1000T  20000  16        Disabled    |
  5     100/1000T  20000  16        Disabled    |
  6     100/1000T  20000  16        Disabled    |
  7     100/1000T  20000  16        Disabled    |
  8     100/1000T  20000  16        Disabled    |
  9     100/1000T  20000  16        Forwarding  | 000f20-e02ec0
  10    100/1000T  20000  16        Disabled    |
  11    100/1000T  20000  16        Disabled    |
  12    100/1000T  20000  16        Disabled    |
  13    100/1000T  20000  16        Disabled    |
  14    100/1000T  20000  16        Disabled    |
  15    100/1000T  20000  16        Disabled    |
  16    100/1000T  20000  16        Disabled    |
  17    100/1000T  20000  16        Disabled    |
  18    100/1000T  20000  16        Disabled    |
  19    100/1000T  20000  16        Disabled    |
  20    100/1000T  20000  16        Disabled    |
  21    1000SX     20000  16        Disabled    |
  22    1000SX     20000  16        Disabled    |
  23    1000SX     20000  16        Disabled    |
  24    1000SX     10000  16        Forwarding  | 000f20-8c5d00

SW1# show span

 Rapid Spanning Tree (RSTP) Information

  STP Enabled            : Yes
  Force Version          : RSTP-operation
  Switch Priority        : 0            Hello Time    : 2
  Max Age                : 20           Forward Delay : 15
  Topology Change Count  : 64
  Time Since Last Change : 6 mins
  Root MAC Address       : 000f20-8c5d00
  Root Path Cost         : 0
  Root Port              : This switch is root
  Root Priority          : 0
  Root Guard Ports       :
  TCN Guard Ports        :
  BPDU Protected Ports   :
  BPDU Filtered Ports    :

  Port  Type       Cost   Priority  State       | Designated Bridge
  ----- ---------  -----  --------  ----------  + -----------------
  1     100/1000T  4      0         Disabled    |
  2     100/1000T  4      0         Forwarding  | 000f20-8c5d00
  3     100/1000T  4      0         Disabled    |
  4     100/1000T  4      0         Disabled    |
  5     100/1000T  4      0         Disabled    |
  6     100/1000T  4      0         Disabled    |
  7     100/1000T  4      0         Disabled    |
  8     100/1000T  4      0         Disabled    |
  9     100/1000T  4      0         Forwarding  | 000f20-8c5d00
  10    100/1000T  4      0         Forwarding  | 000f20-8c5d00
  11    100/1000T  4      0         Disabled    |
  12    100/1000T  4      0         Disabled    |
  13    100/1000T  4      0         Disabled    |
  14    100/1000T  4      0         Disabled    |
  15    100/1000T  4      0         Disabled    |
  16    100/1000T  4      0         Disabled    |
  17    100/1000T  4      0         Disabled    |
  18    100/1000T  4      0         Disabled    |
  19    100/1000T  4      0         Disabled    |
  20    100/1000T  4      0         Forwarding  | 000f20-8c5d00
  21    1000SX     4      0         Disabled    |
  22    1000SX     4      0         Disabled    |
  23    1000SX     4      0         Disabled    |
  24    1000SX     4      0         Forwarding  | 000f20-8c5d00

So is that configuration ok?

Should the Designated Bridge on SW2 on ports 1-2 and 9 be the 000f20-8c5d00 or the 000f20-e02ec0 MAC?

Thanks for advice!



48 port poe switch suggestions

I'm looking for suggestions for access switches in a small office location. We are looking at around 200 wall ports, so I'm looking for 5 switches with PoE, ideally stackable for ease of management.

Last build we went for Cisco 9200s, but I'm open to other suggestions, as ideally I would pay a bit less on switching equipment and spend a bit more on wifi.



Networking Career End Game Goal:

It might be difficult for some to picture early in your career, but what do you think the last 10-15 years will look like in this field? I'm mid-career and it honestly keeps me up some nights thinking about it. Every IT person over the age of 45 has been terrible. I know it's anecdotal, but they fall into the following categories: don't care, don't want to learn, or can't do anything. In the US in particular, there are no protections for employees being replaced. How does a 60 year old manage to keep their IT skills in shape?



Is the MSP space really that brutal towards engineers?

Was recently speaking with a fellow networking grunt in the MSP space, and he mentioned how it is turnover city for tier 2-3 folks. As in, that was the norm. No one stays for more than a year or two at most. I found that interesting coming from an enterprise networking and then consulting stance. Spoke with an old friend recently who had taken the MSP road a decade or so back and was now in an MSP C-level role. The context of the discussion was job related and he said, you don't want to work here, you would hate it.

Is it true? Why?



Wednesday, September 11, 2019

Firewall Search Default Deny!

Are there any firewalls out there that base hostname rules on IPs?

For example, allowing Facebook.com allows the IPs for FB rather than the Layer 7 address? No doubt there is a better way to explain this.

My goal would be to make a small allow list such as Facebook.com, YouTube.com, Reddit.com. Then no matter where the DNS resolves to, only those sites will load. Default deny, no blacklists, no blocking bad IPs. (Yes, I'm aware this is a management nightmare for your corporate firewalls.)



Fiber ring resiliency

What is better? Layer 3, REP, or HSR?



Looking for an IP Camera that uses RTP protocol, with RTCP properly implementing the timestamp in the Sender report (SR) packet type. Do you know any?

All the ones I've tried do not implement the timestamps, or the RTCP SR packet at all...



Ethernet-based cellular repeater?

This might not be the correct sub to ask but... What would such a device be called technically? I think I'm pretty damn good at the Google-Fu but I literally cannot find something like this. I live in an area with an average of 1 bar of signal with ANY provider. But I have 100mb Spectrum to the house.

It's 2019.. surely to hell there's a way to bridge cellular to Ethernet to allow me to send/receive texts from my living room which I cannot do on cellular alone. Not to mention the ability to make a call too.

thx



Will expired evaluation licenses on Cisco Catalyst C9500-12Q-A Switches lead to network degradation?

As per title, does anyone know if expired eval licenses on C9500s lead to forced network degradation? Or just a warning of some kind? I've heard throttling/degradation can be forced on some Cisco products for this reason but wondering specifically about this model. Thank you kindly!



Question about subnet mask 128.42.0.0/21: where does it come from?

I was studying subnetting questions for my CCENT and I got a question to break down 128.42.0.0/21 into 4 equally large subnets that can hold at least 100 hosts each.

But my question is where did the /21 come from on 128.42.0.0? It's Class B, so shouldn't it be a /16?
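Added worked example, not from the post or a CCENT answer key: it computes the classful default prefix for the address (decided by the first octet alone) and carries the exercise through with the standard library, splitting the /21 into 4 equal subnets and checking the host count against the 100-host requirement; it also refuses a split that would leave too few hosts. The function names are my own.

```python
import ipaddress
import math

# Values from the question above.
QUESTION_NETWORK = "128.42.0.0/21"
QUESTION_SUBNETS = 4
QUESTION_MIN_HOSTS = 100


def classful_prefix(address: str) -> int:
    """Return the classful default prefix length: Class A /8, B /16, C /24.

    The class is decided by the first octet alone; the prefix written in a
    CIDR address (here /21) is independent of it and is what actually applies.
    """
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{address} is Class D/E and has no classful host prefix")


def plan_subnets(network: str, count: int, min_hosts: int):
    """Split `network` into `count` equal subnets, each with >= `min_hosts` usable hosts.

    Returns a list of (subnet, usable_hosts). Raises ValueError when the
    request cannot be satisfied.
    """
    net = ipaddress.ip_network(network, strict=True)
    extra_bits = math.ceil(math.log2(count))        # 4 subnets -> 2 extra bits
    new_prefix = net.prefixlen + extra_bits
    if new_prefix > 30:
        raise ValueError(f"/{new_prefix} leaves no usable host addresses")
    usable = 2 ** (32 - new_prefix) - 2             # minus network and broadcast
    if usable < min_hosts:
        raise ValueError(
            f"{count} subnets of {network} are /{new_prefix} with {usable} hosts, "
            f"fewer than the required {min_hosts}"
        )
    return [(str(sub), usable) for sub in net.subnets(prefixlen_diff=extra_bits)]


if __name__ == "__main__":
    print(f"classful default for 128.42.0.0 is /{classful_prefix('128.42.0.0')}")
    for subnet, hosts in plan_subnets(QUESTION_NETWORK, QUESTION_SUBNETS, QUESTION_MIN_HOSTS):
        print(f"{subnet}: {hosts} usable hosts")
```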



Can a Netgear GS748Tv5 act as a DHCP server?

I'm trying to figure out if I can make the switch fill this role or not, but have had no luck finding the answer online, and can't find the option anywhere in the menus.

Thanks!



Few questions about Sonicwall

So my new job has a mix of Cisco ASA and Sonicwall depending on the site. I've never used Sonicwall, but it seems pretty straightforward for the most part. I just have a few questions I hope someone can answer.

First of all, most of these are NSA 3650's. Also, I looked online before posting here but not a lot came up really.

  1. Where are the historical traffic logs? Like if I want to know if 10.10.10.5 went to 172.30.30.5 yesterday at 6PM for example. All I see are real time logs with active sessions (it seems that's what it is anyway).
  2. Is there a way to see what rule was matched by the traffic that was allowed?
  3. Is there a way to simulate traffic like you can with PA and Cisco? Like say ip address x is going to y on port 80 and see what it would do?
  4. Are rules evaluated in order of "priority"? Is that just a weird way to say "this is the order of the rules"?

I'm sorry if this is clearly documented somewhere but I didn't see much.

Thanks!



Better way to connect computers?

I have a PC laptop, my wife has a Mac, and I am trying to create a network that will do two things. First, allow us to upload files and documents we need to share with each other, and second, allow me to back up my computer without constantly having a hard drive attached to it. I have looked at plugging a hard drive into the router, but it wasn't reading it. Now trying to see if there is a more efficient way to achieve my goals?



any good resource (book or video tutorial) for learning all about TCP tuning

hi guys,

Can you guys recommend a book or even a video series on TCP tuning?

One with a lot of examples and labs that someone can perform to fully understand it.

thanks



Cisco FirePOWER going 6.4.0.4 for gold star release. Anyone use 6.4 yet?

Going over the release notes it appears to be a much better release that fixes the biggest problems (upgrades/deploys/better analysis/faster overall) and I wonder if anyone has given it a shot yet? Looks to be a one-step upgrade from all the way back to 6.1.x for the FMC and 6.2.x for the FTDs/ASA modules, with a few gotchas. Biggest one is if you have ever run 6.2.3.12 you're boned and need to fresh start it if you don't want to call TAC.

Also seems that they figured out a way to do deploys where snort doesn't drop all packets during the engine restarts and just fails open during that time. That's nice cause now I can deploy and not cause traffic stoppage.

Also the upgrade time seems to be waaaaaaaay better. I'll see how that pans out when I upgrade my virtual boxes. I have a hard time believing 6 minute upgrade for 4100s from 6.2.x. See how that pans out on a bare box.

Has anyone worked on 6.4 yet?



Switching to a management position?

Hello, I currently have around 4 years working in an ISP on both transport (DWDM, microwave) and core (MPLS, data centers) networks, and currently I got a chance for an interview at a smaller ISP in a management position for their transport network department. What are your thoughts on making the change from an engineering position to a management position?



Urgent ASA help needed - get traffic flowing between two inside interfaces

As the title suggests, I'm trying to do something that should be simple, but I understand the ASA is the anti-router and by default hates everything I want it to do...

I have inside1 with 192.168.0.0/24 and inside2 with 192.168.100.0/24

currently:

  • inside1 is security level 100

  • inside2 (new) is security level 99

  • both 1 and 2 can access internet (outside int)

  • I created NAT Exempt rule for inside1 interface with source of 1 and dest of 2, this allowed me to ping from 1 to 2! (GREAT SUCCESS lol)

  • I created two ACLs for both inside1 and inside2 interfaces (because I don't know what I'm doing, like AT ALL with this ASA), the 2 rules for each are any/the-other-inside-int and the-other-inside-int/any , so I made 4 ACLs.

I cannot get 2 to ping 1, no matter what I do... The goal is to put VoIP phones on inside2 and have them be able to access the main LAN for the email server and other things. I can further restrict that later; for now I'd like it all to just talk.

btw this ASA has the old pre 8.2 config, in case it matters?



Office LAN Network only transferring at 100 Mbps

Forgive me for my ignorance, I'm not a networking professional.

I've discovered that the network at my office seems to be capped at 100 Mbps. However, it appears that the hardware in the server room supports gigabit speeds and the cables running into the ceiling that are distributed to the different offices are Cat 5e cables. What's weird is that the switch that I have my NAS plugged into in one of the offices has an LED indicator that shows that it's running at gigabit speed, but when I monitor the transfer speeds from my PC it's only running at 100 Mbps. How do switches determine how to light up the LEDs? How accurate is it? I.e., if all the cabling were only Cat 5 but the cable running from the switch to the NAS were Cat 5e, would the switch's LED be smart enough to know that it's limited to 100 Mbps?

I've tried transferring files from our file server to my computer, from my computer to my NAS, and from another employee's computer to the file server, and all cap at 100 Mbps.

I'm sure there are a million things it could be but it seems that the least feasible to fix would be bad wiring in the ceiling so I'm trying to rule that out. Any advice is appreciated.



ARP Limit in Corporate Environment

Hi All,

Do you limit ARP PPS? If so, to what? At my work, our network team limited it to 15 PPS (Cisco Default). We can't even turn on BranchCache because it'll go over 15 ARP PPS and they'll get upset. We have about 600 Windows 10 Clients.



Will users adding their own switches cause my network to slow down?

I'm wondering if there's any downside to users plugging in their own switches to wall jacks to hook up their gear? This is an example of what I'm dealing with: https://i.imgur.com/NiR7ITG.png

Sometimes the users have more devices (mostly QA teams) than there are network jacks so they put little 5-port switches in jacks. Is this going to affect my network badly in any way?
Edit: Besides the possible loop and more devices on the network causing more traffic.



Question regarding Recursive DNS

I'm doing some work that involves adding a few customer IP addresses to my RDNS server for AD/LDAP purposes.

My understanding of DNS is that it should advertise the entries, even if the IPs listed are unreachable, is that correct? Or does DNS/BIND act like a routing protocol and only advertise what it can reach?

I'm trying to troubleshoot an RDNS entry that's provisioned but missing. My first thought was that a firewall needs to be opened between the host IP and the DNS server, but I thought DNS operated slightly differently (advertise if defined, and let the requestor determine if a connection is unreachable).



Ansible-playbook (in comments) failing when run against too many Cisco hosts.

Playbook that does the following tasks:

  • enter enable mode (this is written as a task because we have a non-standard 'enable' prompt and the 'become' commands do not work)

  • Make a backup of running config

  • Copy a change script to flash

  • Copy a backout script to flash

I dialed in this playbook using a couple of lab hosts. It works great, does exactly what I need. Last night I ran it against 50 hosts and it failed miserably on about 45 of them. I re-ran it a couple of times and it kept giving me anywhere from 40-45 hosts that would fail. I re-ran it against only 10 hosts and again it worked as expected. Based on some googling I adjusted some settings in the ansible.cfg file, because I believe what is happening is the Ansible connection is timing out with the default settings.

[persistent_connection]
connect_timeout = 100
command_timeout = 60

After adjusting the above settings I re-ran the playbook against all 50 hosts and it worked fine... I've gotta ramp this playbook up to run against 4000 hosts over the next couple of days. Will I just need to play with the above settings to keep things from timing out? Should I expect to have to increase the timeout-values linearly in accordance with how many hosts I'm running this against?

Admittedly I'm a beginner when it comes to Ansible/python. I can figure things out through trial/error but would love it if someone else has already figured this out and can point me in the right direction.



Public Certificate + NPS for Corporate WiFi?

Hi All,

I've been scratching my head on this one, and I was wondering if I can get some clear information/steps.

We currently do not have corporate/business WiFi (just basic guest WiFi). We are getting some Merakis for our new office and we would like to use RADIUS via Microsoft NPS. After reading about this setup, it requires a trusted certificate, either from an internal CA/PKI setup or a public certificate.

I'd like to opt for a wildcard public cert (possibly from Comodo), as I do not want to build an internal CA... I've read some horror stories.

Can anyone give me points on:

  • What type of cert to get (our internal domain matches our public domain FQDN)?
  • Steps on how to install this certificate ready for clients to use the RADIUS server for WiFi

Please let me know if I'm doing anything completely wrong!

Cheers!



OneAccess documentation?

Hey! I'm starting a new job, and I'm gonna work on OneAccess routers. I'm looking for a PDF with every command and syntax that I could print to help me in my work. If you have a document like that, I would be more than happy if you posted it for me here. Thank you, and have a nice day.



How to effectively handle multiple gigabit circuits?

Ok so I realize the title's a bit vague, but let me explain:

Possible new job soon, part of new job is to configure multiple (3 at first, more later) incoming gigabit circuits. We will be utilizing this bandwidth to upload GIS data to AWS as well as mirror data repos between the main and a satellite site. (I do not know bandwidth at sat office yet)

So anyway I'm looking for ideas on how to manage this much bandwidth effectively and of course as budget friendly as I can get... which might not be too friendly given the throughput needed.

Right now I'm thinking a load-balanced setup to make the most out of those uplinks.

(I assume an upper end Cisco device but definitely open to other suggestions just not Juniper)



Palo firewalls and link aggregation

We have two Palo firewalls connected in active/active with HA links between. The HA links consist of multiple ports in a static link agg going across our network. One port in one of the link aggs we regularly see alerting for high utilisation. Having checked usage on the other 3 ports in the same linkagg they are hardly used at all. Having looked on our network side the hashing is set to 'source destination IP' but I am unsure how or where this is configured on the Palo side. Also not sure why this is configured as a static linkagg rather than LACP? We use LACP pretty much everywhere else on our network where supported so can only presume the person who installed years ago didn't bother with it. Has anyone got any experience with this or ideas why only one link would be getting used? Cheers



Cisco WLC: Local mode vs. FlexConnect (local switching)

Hi

I'll be inheriting a wireless network with a mix of soon-to-be 90 1600 and 1800 series APs that need to migrate from a WLC 2504 to a 3504, due to the older one being out of capacity. Unfortunately the old setup lacks most documentation and has seen little maintenance overall (runs WLC/AP firmware from late 2017), so some reverse engineering and documentation will be part of my job. (There are other things that will be more fun to work/play with as part of that job.)

I come with the perspective of Ubiquiti UniFi wireless; they are great in some places, but both have their respective places and use cases. But it's obvious that Cisco's WLC provides far more features and tunables than UniFi, even at Cisco's lower end.

The old setup uses the APs in local mode, indicating that both management and data traffic gets routed through the WLC currently connected with a single 1G interface via CAPWAP. Technically all APs are on the same site / network, but in different buildings. There is no weak WAN between APs and the WLC where FlexConnect seems to be a recommended scenario.

Coming with my Ubiquiti perspective, FlexConnect with local switching looks quite appealing to me since I don't expect them to buy another WLC 3504 + licensing/maintenance to run in HA mode. Also there is the bottleneck of 1x or 4x 1G in case of the WLC3504 if running in local mode.

FlexConnect could allow this setup to be more fault-tolerant and less depending on the availability of this single WLC? In the UniFi world the controller can die without any significant impact on end users (except when you use their captive portal) which has been quite appealing in previous setup's I've worked on.

I see some disadvantages being mentioned, like more complex switch port config (trunk mode) and mDNS limitations etc. with FlexConnect (local switching), but I haven't found any decisive argument in favor of local mode vs. FlexConnect. Maybe I'm overlooking some things that are actually better in local mode vs. FlexConnect / local switching?

I've done some documentation reading but haven't reached a definitive decision yet.
Inputs or links would be greatly appreciated :)



Ideas for final year project

Hello, final year student here. I currently started working and doing an internship at the same time as second-line helpdesk, working with network problems, and I'm looking for ideas for a final year project. I'm really bad with ideas, so maybe I could get on the right track here. My main subjects on my study program were computer networks, peripherals, computer network and systems administration. I also had lectures with Bash, C++, Perl, HTML+CSS, but all of that was just basics. Any ideas? Cause I'm a little bit lost now... I have asked for ideas in my workplace but currently there are no projects going on, or there are projects which are totally unrelated to my study program.



Best way to do lan file sharing, while using wifi

Hi guys,

So we are a small company with 6 PCs in a co-working space which only has wifi and no LAN.
We constantly have to share files, i.e. one guy does a texture, then passes it to the other guy to put in a catalogue.
So far we have done that using USB sticks which, I know, sounds a bit ridiculous.
Each of the PCs is currently connected over wifi to the same router, but the router is slow and far away, so file sharing is super slow.
We can get a router or a switch and connect the PCs through LAN so we would still be able to all use wifi internet.
I'm not sure that's the right decision; I'm not even sure if I need a switch or a router.

Please help. Thanks !



Tuesday, September 10, 2019

Wake On LAN: Windows 10, Router is in Korean

Is there anybody who could help me out? I'd like to be able to use Wake on LAN to send my computer a magic packet while I'm at work, to then use Chrome Remote Desktop to access it.

I've looked around, including here https://www.reddit.com/r/techsupport/comments/1fw9j3/how_to_wake_on_lan_over_internet/

but just can't get things to work yet. I can speak Korean well enough, and know one or two things about IT but it might take a master touch to fix this one.



How are you handling battery backup on redundant PSU switches?

Are you doing one PSU on house power and one on UPS?

Both on UPS?

Also, your preferred brand of UPS. We have been using APC but find its centralized management offerings to be lacking. Eaton seems to have their stuff together in this regard... Add a network card to the UPS and add it to the dashboard. Anyone using Eaton? The APC network cards out of the box just offer a web server for the units and SNMP traps for alerts....



foreign modems

I genuinely don't know anything about this stuff, so does anyone know if I can use a Korean modem in America?



Enterprise wireless screen sharing

Looking for an enterprise-suitable wireless screen sharing solution, mainly a solution that does not require mDNS discovery to function.

Has anyone used one that they would recommend?



Question about S/FTP grounding.

Hello,

I am currently practicing for my CCNA in College. In the test lab environment we have full size modular server racks that are mounted to the ground. The racks consist of Cisco 2960 routers and 3560 L3 switches and firewalls that I'm aware of.

Due to the fact that some of the clips are starting to wear and get stuck in physical ports, I was looking at upgrading my cable kit. So I jumped the gun and ordered LINKUP S/FTP shielded CAT7 cables (I'm fully aware of CAT7 not being an official standard). My question is in regards to the shielding. Considering the environment in which these cables will be used, should I be concerned about grounding and crosstalk? The cables I purchased are only 3FT and 7FT long.

After purchasing the cables I did some more research and found that if S/FTP cables are not grounded properly then it's possible for the shielding to act as an antenna, which can cause packet loss.

I'm wondering if the fact that the server racks are bolted to the floor is considered grounding? These S/FTP cables are still a lot cheaper than the cable kits available via the Book Store for $90, which only include 6 cables + a console cable.

UPDATE: Can anyone provide an example of a situation where your network would be considered not grounded? I'm just really confused about the grounding part.

Thanks.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Questions: Does IP Routing Change the Ethernet Header

So I am trying to detect ARP poisoning, and really need some help. Let's say that my computer is the victim of ARP poisoning. So, when the router sends some information destined for my computer, it will first go to the malicious host. I assume he has IP routing enabled so that he does not deny me connection. I then use a packet sniffer to unpack the packet sent. Whose MAC address will be the source MAC address of the packet, the router's or the malicious host's?

Basically, does IP routing change the L2 header or not?

Thanks in advance guys.
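A passive checker for the situation the post describes, added here as an illustration and not code from the thread. It uses constructed frames (the gateway IP and MACs are made up) and rests on a fact a defender can rely on: a host forwarding at layer 3 rewrites the Ethernet header, so relayed frames carry its own MAC as the source while the IP header still names the original sender.

```python
"""Passive ARP-spoofing detector (added illustration; not from the thread).

Two signals are used:
  * an ARP reply that rebinds an already-known IP (the gateway, say)
    to a different MAC, or whose payload sender MAC differs from the
    Ethernet source MAC;
  * an IPv4 frame whose IP source is an on-link address but whose
    Ethernet source MAC is not the MAC that IP is bound to (a relayed
    frame: the forwarder's MAC at L2, the router's IP at L3).
The second check is only applied to on-link IPs: off-link sources
legitimately arrive behind the gateway's MAC.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Frame:
    """Minimal view of a captured frame (constructed, not real capture data)."""
    src_mac: str
    ethertype: str                         # "ARP" or "IPv4"
    src_ip: str                            # ARP sender IP, or IPv4 source
    arp_sender_mac: Optional[str] = None   # ARP payload sender MAC; None for IPv4


class ArpMonitor:
    def __init__(self, trusted: Dict[str, str]) -> None:
        # IP -> MAC bindings pinned by the operator (e.g. the default gateway).
        self.trusted = {ip: mac.lower() for ip, mac in trusted.items()}
        self.learned: Dict[str, str] = {}   # IP -> MAC learned from first ARP seen
        self.alerts: List[str] = []

    def expected_mac(self, ip: str) -> Optional[str]:
        return self.trusted.get(ip) or self.learned.get(ip)

    def observe(self, frame: Frame) -> None:
        mac = frame.src_mac.lower()
        if frame.ethertype == "ARP":
            self._observe_arp(frame.src_ip, mac, frame.arp_sender_mac)
        elif frame.ethertype == "IPv4":
            self._observe_ipv4(frame.src_ip, mac)

    def _observe_arp(self, ip: str, eth_src: str, sha: Optional[str]) -> None:
        sha = (sha or eth_src).lower()
        if sha != eth_src:
            self.alerts.append(
                f"ARP: sender MAC {sha} for {ip} differs from Ethernet source {eth_src}")
        expected = self.expected_mac(ip)
        if expected is None:
            self.learned[ip] = sha          # first sighting: learn it
        elif expected != sha:
            self.alerts.append(f"ARP: {ip} rebound from {expected} to {sha}")

    def _observe_ipv4(self, ip: str, eth_src: str) -> None:
        expected = self.expected_mac(ip)
        # Unknown (off-link) sources are skipped: they are expected behind the gateway MAC.
        if expected is not None and expected != eth_src:
            self.alerts.append(
                f"IPv4: packet from {ip} carried L2 source {eth_src}, bound MAC is {expected}")


# Constructed scenario values; not from any real network.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
OTHER_MAC = "00:11:22:33:44:99"


def run_demo() -> List[str]:
    """Replay a constructed sequence: genuine gateway traffic, then a rebind and a relayed packet."""
    mon = ArpMonitor(trusted={GATEWAY_IP: GATEWAY_MAC})
    frames = [
        Frame(GATEWAY_MAC, "ARP", GATEWAY_IP, GATEWAY_MAC),   # genuine gateway reply: no alert
        Frame(GATEWAY_MAC, "IPv4", "10.0.0.5"),               # off-link source via gateway: no alert
        Frame(OTHER_MAC, "ARP", GATEWAY_IP, OTHER_MAC),       # gateway IP claimed by another MAC
        Frame(OTHER_MAC, "IPv4", GATEWAY_IP),                 # relayed frame: router IP, other MAC
    ]
    for f in frames:
        mon.observe(f)
    return mon.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```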



Determine Type of Fiber Already in Place

Hello,

I apologize for the silly question, but I can't find a solid answer to my question. I'm hoping someone here can help me out. I know very little about fiber.

How do I determine the speed and type (OSx/OMx) of fiber that's already in place?

The cables in question do not conform to established color codes (dark green and dark blue) and OSx/OMx is not seemingly labeled anywhere on the jacket.

How do I determine what fiber I'm dealing with?

Appreciate your help!



Can FIPS be enforced by the network?

I'm a software engineer with very little networking knowledge. I'm working on an embedded Linux device and was tasked with trying to automate the enabling of FIPS settings depending on the wifi network the user is connecting to.

I've tried Google but I'm not finding a good answer. Could a wifi network require that the device have FIPS enabled (be FIPS compliant) before allowing a connection? Particularly on WPA2 Personal networks. The legacy code seems to automatically turn our FIPS setting on when connecting to a "TLS"-enabled network, and off when connecting to a "PEAP MSCHAPv2" network.

I hope this makes sense.

Thank you in advance for your time.



BGP peering/edge opinions

My question is, would I be better off peering each of my data center routers with one provider and the other two data center routers, instead of each data center router peering with all three providers over a shared Layer-2 VLAN? Below are the details of connectivity.

I am about to deploy new equipment for our internet edge(s). We have acquired a couple companies in the past 2 years and some of the equipment is inadequate at best.

We have three different data centers, each with one different provider directly connected. We have dark fiber between the data centers and have a number of spanned VLANs, including 1 for each provider. Today, each location peers with all three providers, the local provider and the other two on a shared VLAN. Each provider interface is on a /29. I am considering peering Router A in datacenter A with provider A and with routers B and C, then Router B, peers with provider B and with routers A and C, likewise for Router C.

A secondary question that was brought to mind by reading through the comments on other BGP posts is whether I am better off running iBGP between the routers and using one ASN for everything, or keeping the three separate ASNs and peering between them. Today, each DC is the remnant of a former independent org and advertises its own prefixes on its own AS, prepending that AS on any non-local peer to lower the preference for that route.

I know how to do each of these, I'm just looking for some insight from experience on which is better and why.

Thank you for your opinions.



Maybe a dumb question about VLANs??

Hi, I'm not a network engineer, but I'm currently working on a project for work. The customer would like VLANs to be configured to segregate traffic on their network. I'm not sure if I should use a L2 or L3 switch. The network is currently a single network (192.168.1.0 255.255.255.0, for example). I'd like to know if it's practical to implement multiple VLANs in a single network like this? Or should I subnet their network and use a VLAN to correspond with each subnet?



Monitor BGP and change routes automatically

Hello, I work at an internet provider and we have two links from two different carriers. Sometimes one of the links goes down and we have to change routes in Juniper. We use Zabbix and Elastiflow to monitor.

Our edge router is a Juniper.

We are looking for a way to monitor BGP peers and also change routes automatically. We have a lot of MikroTik equipment on the network, and we are already thinking of using Netwatch to monitor and run the route change script, but we have already had a problem with one of the carriers that is limiting our speed in half and slowing down the customer network.

I am focused on learning, so I would welcome suggestions on how I can do this, or books on the subject that I can read.

Sorry for the basic English.

Thank you.



Why do HP and Cisco make it such a pain to download their various pieces of management software and utilities.

Like what the fuck am I going to do with the USB drivers for a Cisco USB serial cable that I need a login and license to obtain? Why isn't it just a free download that appears at the top of a Google search?

Yeah I have these logons and I am allowed to download them. The issue isn't just limiting access. It is near impossible to find the software even with access.

OK, I get it, lots of this stuff is not needed unless you own a license to the hardware. BUT 99/100 when I need to download this software it would be EXTREMELY nice if I could just download it and move on with my life.

2 hours finding the exact right download, 5 minutes to fix the issue I needed it for.

Oh. And A special "Fuck You" To Cisco and EVERYTHING related to their VPN software.

/EndRant



Handling Esports traffic at a college

So the college I work at recently added an Esports division. We've been having major problems with packet loss, and recently we got a new phone system that uses SIP, and Overwatch voice chat is being seen as SIP and not going through. We have to disable ALG on the Palo Alto to make it work, which then breaks the phone system. We've reached out to Palo Alto and they said that setting is either on or off and can't be applied to specific VLANs or subnets.

Curious if anyone here has dealt with handling an Esports team at their college before and what kind of steps they took for handling it. The coach is already discussing getting a second internet for them which would solve their problems, but not exactly the route I want to take just yet.

Thanks!



NTP de-syncs going through Firepowers

Hello all,

Stumped on this issue. We updated our Firepower FTDs (yes I know, Firepowers, blech) and after that, all NTP services passing through it cannot remain synchronized. We have done internal->ftd->dmz, dmz->ftd->outside, internal->ftd->outside, and no matter what it fails. We use ntpd on a Linux server for testing, but we have 6 different servers that fail to stay synced. Sometimes it can stay synced for a few minutes to hours, then it just constantly syncs/unsyncs. I opened a TAC case; the TAC had me fastpath ALL NTP traffic in->out and it didn't help, had him go over the packet captures twice and no luck. Packets don't seem to be blocked and aren't going out of order, so I am stumped at this point.

We are on 6.4.0.3

Any suggestions?



Does this statement make sense?

So, we are responding to a big gig and the procurement documents don't make sense and we have no clue what this means. Maybe someone can translate, cause even the guys who offered the job don't seem to know what they meant. Lol. Edit, there are actually two statements.

Wall mounted 20 pair floor distributor complete with 20 pair disconnection modules as Siemon

UTP CAT 6 Voice Patch Panel - 50 Pair as Siemon



NAT on ASA tunnels

Can someone explain this to me? I am failing to understand why there would be NAT applied and exactly what this policy is doing. There are no overlapping subnets at the two locations and they are both owned by the same parent. I have never tried or seen a need to NAT outside of overlapping subnets...I would rather have the actual IP hit all of my monitoring tools.

sh nat

Manual NAT Policies (Section 1)

1 (inside) to (outside) source static site_medical_net site_medical_net destination static admin_server_net admin_server_net no-proxy-arp route-lookup

translate_hits = 590706, untranslate_hits = 722681

2 (inside) to (outside) source static site_medical_wifi_net site_medical_wifi_net destination static admin_server_net admin_server_net no-proxy-arp route-lookup

translate_hits = 1362403, untranslate_hits = 1378776

3 (inside) to (outside) source static site_medical_inet_net site_medical_inet_net destination static admin_server_net admin_server_net no-proxy-arp route-lookup

translate_hits = 2602, untranslate_hits = 2629



ASA Ipsec tunnel degrades on a schedule and it's driving me mad.

Hello,

We have an issue that has lingered on for about 2 weeks, where a site connected via an ASA IPSEC tunnel will stop passing about 50% of traffic after hours. The circuit is nowhere near full capacity when the issue starts. It's a 500Mbps DIA circuit, and after hours traffic might crack 5Mbps. The ASA won't process that much traffic anyway. The ISP on each side is verified as solid, no issues there. And like clockwork at 7:40am each morning, the issue with dropping traffic through the tunnel just goes away. Only to return about 12 hours later. Additionally it does not get fixed on weekends or holidays: when it goes bad on Friday, it stays that way until Monday (unless it's Labor Day, it seems.) This same configuration has worked without issue for about 4 months. So this is a newfound problem.

I thought it was an environmental issue (building HVAC shutting off after hours) but have verified temps on the equipment are well within the normal range. Cisco TAC spent 3 hours working on the issue and blames the ISP. The ISP finds no issues (and I'm on their side, as I can verify that tunnel traffic is the only thing they ever seem to drop.)

I'm out of ideas. Anyone seen anything like this before? Is there rogue packet inspection in our path that only breaks things after hours?



Win2012R2 DHCP exclusion partially working: confused

Hi. First post here.

We've DHCP setup in a Win2012R2 server.

DHCP range: 192.168.100.50 to 192.168.101.254

Exclusions:

192.168.100.61 to 192.168.100.70 - works fine. these IP addresses are not handed out

192.168.101.61 to 192.168.101.70 - does not work fine. DHCP hands these out like candy

Is there something here that I'm overlooking?



New IDF Closet, Cooling

Hey all,

Looking to see how others are handling small IDF closets these days. We’re building a new area of our office out and looking to drop an IDF where all CATV Coax and low voltage/CAT6 will terminate.

We estimate 2-3 network switches needed max.

Is this really enough to dictate dedicated cooling? Is there a nifty exhaust system we could use that would be ample?

Open to thoughts and suggestions of what others are doing.

Thanks!



Correct way to monitor network speed (upload/download)?

Hello, folks! For a few months I've been using speedtest-cli to monitor my client's internet speed (upload and download) and everything was going just fine, no issues, until last week another client got in touch with me informing me that the data being shown for them was not correct, since they used another online tool to monitor their network speed and it gave higher values than the ones we were getting from the script on the server. I ran several tests on several different servers and they were all giving me speeds in the range of 3~4 MB, whereas online they would get 20MB up and 40MB down.

Due to that I took down the service for that client and started trying to find another alternative for such monitoring. Do you guys also monitor your network speed? Talking about the speed your ISP gives, not just incoming/outgoing traffic.

Checking speedtest's GitHub there's this message at the end of the page:

Inconsistency

It is not a goal of this application to be a reliable latency reporting tool.

Latency reported by this tool should not be relied on as a value indicative of ICMP style latency. It is a relative value used for determining the lowest latency server for performing the actual speed test against.

There is the potential for this tool to report results inconsistent with Speedtest.net. There are several concepts to be aware of that factor into the potential inconsistency:

Speedtest.net has migrated to using pure socket tests instead of HTTP based tests

This application is written in Python

Different versions of Python will execute certain parts of the code faster than others

CPU and Memory capacity and speed will play a large part in inconsistency between Speedtest.net and even other machines on the same network

Issues relating to inconsistencies will be closed as wontfix and without additional reason or context.

Edit: we currently use the server which has the best results for such link, we run around 10 to 15 tests for each link (which are generally two or three WAN links) by changing the default route on the firewall (SonicWALL) since just getting the one with the best latency may, or may not, be the best option.

Edit 2: checking whether the problem is related to their network interface card being limited to a specific bandwidth. Someone at work suggested that to me and maybe that could be the issue.



Limit LDAP User Session / Guest Session to X amount of time per Day/24hours

Okay, I've been trying to research this for days now.
And for some reason, I just can't find a solution, or I'm just googling wrong. Honestly.

Just a basic requirement, I think: a user, whether part of AD, or a guest user, local user, or any kind of user, just has a connection/session limit PER DAY (or per 24 hours). The session limit will start after the first login of a day.

Just like in coffee shops where a customer can only use the internet for maybe an hour or two, and then the account is no longer valid.
But for us, we are restricting our employees to just 1 hour of wifi access per day. They will be using their AD accounts (LDAP) for login.

After 1 hour, disconnected, then they won't be able to login again after 24 hours from first login.

The Guest Management feature should be great in Fortigate. But it's only for guests.
We want the users to be from our AD. (LDAP)
Can't use the Fortigate Schedule feature because that's for a fixed schedule. 
The one time scheduling is not ideal since we have a lot of employees.

The WLC has "Enable Session Timeout", but users can just re-login after being disconnected.

Can I do that with my current network setup? Is it possible?
Fortigate 500D Firewall
v5.6.3 build1547 (GA)

WLC : AIR-CT2504-K9
Software : 8.2.100.0

Windows Microsoft Active Directory



Blocking all traffic from outside US

Hi Reddit,

I was asked by a customer to block all traffic from outside of the US and all ports that aren't currently in use. I don't believe taking this request word for word is the solution; the user's company recently got infected with ransomware so they are making knee-jerk requests. What I think would be possible is to set up an ACL on the outside with a handful of subnets from the known bad countries. They only have an ASA 5505, no Firepower, so that's the best solution to their request I can come up with. Other steps are being taken by our System guys with AV, but are there any other recommendations I should look at on the firewall?



Whole apartment block network

Hi, hope I'm posting in the right subreddit. If not, please let me know and I'll remove it. This is for a 150 office & apartment block over 6 floors. I am looking to put IoT sensors, lights, locks, etc. here. As part of that, I need to wifi enable the whole area. I was looking at Google Mesh wifi. Was wondering whether the experts at reddit could suggest options?



ARP, Static NAT, single VLAN, 3000 devices

I have 150 nodes that have IPTables running a static NAT to 20 devices behind each. There are 25 of these nodes (along with the 20 devices behind each) in each of 6 /23 networks. Each of the 150 nodes is also connected via a wireless bridge and all of these devices are on a single VLAN. All equipment is Cisco & Industrial Ethernet rated and the wireless controller runs in the centralized traffic configuration and not FlexNet.

What does the ARP behavior look like in this environment?

Isn't the protocol limited to the subnet, regardless of how large the VLAN is?

Does the ARP of the devices behind the static NAT traverse the NAT since it's 1:1, or would an ARP even happen since it's on a different subnet (192.168.1.0 -> 10.100.100.0)?

The only devices that would actually ARP on the 10.100.100.0 network would be nodes running the IPTables NAT, correct?

The main reason I'm asking is this is the current proposed schema, so I cannot physically test this network yet, but it makes sense to me that this should be a solid configuration using some basic best practices (i.e. keep your IP count below a /22, etc.).

Are there any major concerns with this configuration?

EDIT: Thanks for sorting by New!



Monday, September 9, 2019

Suggestions of a zone-based firewall platform that can meet the following hard requirements

  1. Solid IPSec implementation, support route based IPSec (i.e. Cisco VTI style IPSec ) up to 1000 peers;
  2. Solid routing protocol implementation, mainly BGP;
  3. Solid VRF lite implementation (route leaking, static NAT cross VRFs)
  4. Can do 10Gbps+ IPSec, 30 million packet per second firewall throughput for small packets (whatever that translates to bps value)
  5. Solid netconf implementation
  6. Support clustering (we need a single control plane)
  7. Support gprs inspection (sctp application and gtpc/u)

Edit:

We basically need something like AWS's VGW functionality plus NAT and firewalling, but we don't have the manpower to develop that in-house. Juniper SRX-HE can do it but its IPSec implementation is disappointing, so we are looking for an alternative.



Connecting router to modem that has wifi already built in

I am planning to use a router which is connected to the modem that already has an router built in.

The reason for that is I am living with my friends. They all have their own PCs, laptops and everything connected to the modem with built-in wifi. We have 2.5 and 5 GHz as well as guest wifis from the same modem-router thing. Only one box.

I am into online business and I do not want my accounts and websites to have problems(blocking, suspension, fines)just because they have their own amazon seller account or they are doing some bad shit.

Will connecting a router to a modem with built-in wifi work, or do I need something else? Do they share the same IP? Can websites like Amazon understand we are using the same ISP and have multiple accounts at home?



Enterasys multiple untagged VLANs in the same port

We are planning to replace Enterasys G3 series switches with Cisco switches and I am making a port table to show the VLANs per port.

However some of the switches have multiple untagged VLANs for the same port so I am not sure how I should configure this on the future Cisco switches.

Output of show vlan portinfo:

testing(su)->show vlan portinfo
 Port      VLAN   Ingress   Egress
                  Filter    Vlan
 -----------------------------------------------------------------
 ge.1.1    2      N         untagged: 1,2
 ge.1.2    2      N         untagged: 1,2
 ge.1.3    2      N         untagged: 1,2
 ge.1.4    2      N         untagged: 1,2
 ge.1.5    2      N         untagged: 1,2
 ge.1.6    2      N         untagged: 1,2
 ge.1.7    2      N         untagged: 1,2
 ge.1.8    2      N         untagged: 1,2
 ge.1.9    2      N         untagged: 1,2
 ge.1.10   2      N         untagged: 1,2
 ge.1.11   2      N         untagged: 1,2
 ge.1.12   2      N         untagged: 1,2
 ge.1.13   2      N         untagged: 1,2
 ge.1.14   2      N         untagged: 1,2
 ge.1.15   2      N         untagged: 1,2
 ge.1.16   2      N         untagged: 1,2
 ge.1.17   2      N         untagged: 1,2
 ge.1.18   2      N         untagged: 1,2
 ge.1.19   2      N         untagged: 1,2
 ge.1.20   2      N         untagged: 1,2
 ge.1.21   3      N         untagged: 1,3


bgp/ospf - considering NCS 5501-se

Getting a Cisco NCS quoted; never used one. We do have experience with the ASR 9001. Looks pretty good, but may be a tad expensive. Outside of BGP/OSPF, we don't use any of the ASR 9001 features.

Any other recommendations?

Also, if you have used the NCS 5501-se, do you like it? Trouble free?



Combining 2 Ethernets

Is it possible to combine 2 ethernets on my centos 6 server to increase speeds? I am meaning like combine 2 networks into one for increased download and upload speeds.



Zoom blocked in China



Redistribute OSPF Routes to BGP - Cisco IOS XE

Hello all,

I have a question about BGP configuration on Cisco IOS XE.

Here is an example configuration:

router bgp 1111
 network 1.1.1.0 mask 255.255.252.0
 neighbor 2.2.2.2 remote-as 2222

The command I plan to add in order to redistribute OSPF routes into BGP is:

router bgp 1111
 redistribute ospf 1

So, let's say OSPF process 1 has routes for the following subnets (from OSPF neighbor):

1.1.2.0/24

1.1.3.0/28

1.1.3.16/28

10.10.10.0/24

Will BGP only add the OSPF routes contained in the "network 1.1.1.0 mask 255.255.252.0" config line, or will the RFC 1918 route 10.10.10.0/24 get added to the BGP table as well? Would I have to apply a prefix-filter to keep BGP from attempting to distribute the private address prefix?



Adding Riverbed radius dictionary to Clearpass

So I can find a FreeRADIUS dictionary example for Riverbed, but ClearPass wants XML files and this is not the format provided in any example I can find in the Riverbed user guides (11.4) or online. Has anyone been able to upload a Riverbed dictionary in XML format to ClearPass?

My goal here is to add Riverbed ARXs to my device list for RADIUS auth in ClearPass, but there is no Riverbed vendor name listed, so I am creating a new dictionary.

So far I reviewed the following doc but I am not sure how to update this to XML format. https://fossies.org/linux/misc/freeradius-server-3.0.19.tar.bz2/freeradius-server-3.0.19/share/dictionary.riverbed?m=t



What to do about peak times for LTE masts

Just wondering outside of positioning an antenna better if there's anything that can be done to improve download and upload bandwidth over a 4g connection when lots of people are using it?

Are there any router settings that could help bandwidth in general?

Also, what do engineers do on the mast end of things to alleviate the issues, and what can be done, outside of what the consumer can do, to improve bandwidth?

Many thanks!



Difference between N9K-SUP-A and N9K-SUP-B?

I can't find any information on the practical differences between the two base supervisor models (epic comparison chart Cisco). Does anyone have any idea how it affects routing or switching having the extra processing / RAM?

Datasheet: https://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/datasheet-c78-729404.html

Search Keywords: Nexus, NXOS, NX-OS, ACI, 9000, 9K, N9K, 9500, 9504, Supervisor



Where should I start? Should I post somewhere else?

I literally know nothing really about networking but am so sick of my job I would love to start learning and get my certifications I need in this great field. I am close to a 2 year degree in Computer Science and am a freelance web designer to give you part of my background, although my job title is a warranty administrator and service servant. What should I be buying to read and looking into? Any help is much appreciated and if I should be posting elsewhere I do apologize!



Project Tracking/Managing Software

I know this is not only related to Network, but what do you guys use at your jobs to track big projects? If you tell me Google Sheets I am going to @!#^*. lol jk. Hit me up guys, let me know. I wonder if there is one out there with a ticketing system integrated also.

Thanks in advance!



Any way to force NAT-T?

I am having issues with a site to site VPN between two sonicwall devices. Does anyone know of any creative ways to force NAT-T? I believe we are having an issue with either our ISP throttling the VPN or our modem is not able to handle the ESP packets appropriately. When I switch over to our secondary ISP, the issue no longer exists. Does anyone have any creative ways to force NAT-T or otherwise force encapsulation in a UDP 4500 packet?



Redundant Switching

I am looking to reorganize my networking and servers for added redundancy, and need a quick check to verify that this will work as I think it will.

The plan is to have 2x 24-port switches (NetGear GS724T, sadly, but it's what we have) as the "core" of the network. Each of these switches will connect to a different physical interface on our perimeter router/firewall, with the rest going to the servers (VMware hosts w/ 2 physical NICs each on the same vSwitch). This part I am 99% certain I understand and can make work easily enough.

Then, I want each of our 3 workstation switches to also each be cabled to both core switches. This will create a loop (Core1->WorkstationSwitch1->Core2->Core1) and I know that loops are bad unless otherwise configured.

Is this the best physical design, or is there a better way? If this is the way to do it, what is the best way to handle that loop? Is it just STP (which we don't have set up but probably should), or is there a more explicit way to set these up?



Need some high level info on salary/hiring in India

Good morning! Our company is growing faster than I can keep up. Our company is about 1000 people now with projected 25% growth, and we currently have 2 physical data-centers and 7 offices globally. Being the only network engineer is becoming bonkers due to time zone splits between the offices and the company's desire to open and expand offices globally, and they want to add some regional data-centers in India/APAC.

I inquired to our IT director about hiring another network engineer and the response I got was that it would need to be someone situated in our India office (Bangalore) and it would need to be a junior/lower-mid level engineer. He then tasked me with coming up with a "rough cost" of a new hire. I am looking to see if anyone would happen to know some ballpark numbers for a CCNA/CCNP level network engineer doing basic support and implementation? Googling got me a range of like 350k to 1000k rupees (5k to 14k USD) yearly salary; is that correct? Anyone have any pitfalls to look out for here or tips/tricks?

Thanks!



Spanning tree best practices question

Just wondering how you guys handle ST in the traditional core, dist, acc model. Do you give different priorities at the dist and access switches? Like, say, 1 for core, 4 for dist, 8 for access, etc.?



Podcasts for commutes?

I have recently moved and my commute to my networking job has grown considerably. But I now have time to listen to podcasts and audio books on the drive.

What podcasts and audio books would you recommend relating to networking?



Cisco Air (5500 WC) stopping Meraki?

I have an issue, as you may have guessed :-)

I'm setting up a new Meraki roll out. All the settings seem to be correct, as per Meraki's instructions, but connecting to the new SSIDs is... intermittent. Sometimes you can connect to the SSID fine. Other times you can connect but have no internet. And sometimes you can't connect at all. Meraki Cloud reports no response from DHCP in the instances where I can't connect or connect with no internet. But as I previously mentioned, sometimes it works fine.

I'm wondering if our current WiFi system, an old Cisco Air deployment, could be causing this issue? I plan to test this by unplugging the old wireless controllers (out of hours ofc) but wanted your opinions!

Thanks for your help.