Saturday, October 12, 2019

Wiping running config from catalyst switch without reload?

Can it be done? Trying to repurpose a switch remotely with a serial connection and the reload is blowing out my buffer. Any ideas?



How much upload speed do I need for public WiFi

Going to be offering public WiFi for certain areas in a town. I’ll be limiting video streaming and file sharing apps. Essentially just for browsing internet and social media. I’m going to assume about 35-70 users per internet feed. I’m thinking something like 50Mbit upload should suffice, but just a guess.



Remote work

Hi,

Are there any sites that are particularly useful when searching for remote network engineer jobs, I’ve tried all the usual suspects but opportunities are sparse at best, I usually draw a complete blank.

I’ve also looked into upwork and it’s kin but they appear to be a bit of a shit show; am I missing a trick with them?

Thanks in advance



IKev2/IPsec problem

Sorry if this post doesn't belong here. Trying to fix something with my connection.

I've set up an IPsec vpn connection via NordVPN, but it only lets me connect to the google DNS(google, youtube, etc) when enabled. Anyone know what's wrong and how to fix it?

Thank you



tcp adjust mss

When deploying GRE or maybe IPsec GRE to connect sites, as part of the standard configurations do you find yourselves configuring "ip tcp adjust-mss xxxx" on the tunnel interfaces?

I'm thinking about making this standard practice throughout our environment where we have IPsec GRE.



Network monitor tool

Hey all.

I got a Debian DHCP server and want to use a large monitor to show visual network data on it of all four nics. Preferably one that doesn't use X, terminal only.

I've been looking on Google at Monitorix, iftop, nload, etc. But does anyone have some advice? Perhaps a hidden gem.

Thanks in advance



How can I use a Cisco Phone SPA509G as a webphone, with an app with google hangouts?

I have a Cisco Phone SPA509G and would like to use it with my PC as a webphone. I currently have google hangouts on my PC, but would like to have a physical phone to answer calls on. What options do I have if it's not possible with a Cisco phone?



Connect from Windows host to QEMU inside Docker

I am trying to establish a connection between Windows 10 running Docker container (Linux), which runs QEMU to host a QNX OS. This picture should make it more clear: Structure

I would like to highlight what I was able to reach so far:

  1. From the host, I can ping the IP inside the docker container: 10.0.75.2
  2. From the docker container, I have established a tap interface and a VDE switch, and I can ping the QNX: 192.168.56.51

Commands used for initiating the environment:

```
# add new network interface
ip tuntap add mode tap dev tap0
ip addr add 192.168.56.1/24 dev tap0
ip link set dev tap0 up

# start vde switch connected to tap0
vde_switch -F -d -sock /tmp/myswitch -tap tap0

# start QEMU
qemu-system-x86_64 \
  -m 1024 \
  -cpu qemu64 \
  -smp 2 \
  -netdev vde,id=t0,sock=/tmp/myswitch \
  -device e1000,netdev=t0,mac=52:54:00:12:34:50 \
  -drive file=/qnx/qnx_vm_x86_64-qemu.img \
  -D /var/log/qemu_err.log \
  -serial file:/var/log/qemu_out.log \
  -display none -daemonize
```

Command to run the docker container: docker run -it --rm --network=host --cap-add=NET_ADMIN --privileged qemu_qnx

What is missing is to be able to connect between the host and the QNX. Is it possible for example to forward the connection from Hvint0 to Tap0?

Aside note: On Linux host, I can run the Docker container with network=host, and I can access it from the host easily, but unfortunately that wouldn't work on Windows host.

What I have tried so far unfortunately with no luck:

  1. Do port forwarding for the QNX guest:

```
# flush iptables rules
iptables -F
iptables -t nat -F

# Add rule
iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 192.168.56.51:22

# Save the iptables rule:
sudo iptables-save | sudo tee /etc/iptables.up.rules
```

  2. Start QEMU with the hostfwd option. I can see the port is opened but I cannot ssh into it (doubting it can also be related to QNX network settings):

```
-device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::2222-:22
```

Please let me know if there might be any more information I can provide.



Friday, October 11, 2019

With only a CCENT under my belt, what kind of entry level wage seems appropriate?

I am still in school, finishing up my final term now (it's just an A.S. degree in "network engineering"), and am looking to get my foot in the door in the networking field. The way the degree program I am completing is set up is that we have 4 core networking classes (all Cisco based). The first two classes prepare you for the CCENT, and the third and fourth class prepare you for the CCNA cert.

I've completed all of these core networking classes, but currently only have passed my CCENT certification. I do plan to obtain my CCNA, but I admittedly need more time to study certain concepts before I'd feel comfortable attempting it. I recently found a job offer that was hiring people who preferably have a CCNA, but I applied regardless and was contacted and took part in a brief screening process via the phone (in other words, I was asked 10 random networking based questions, all of them very simple, to see if I had what it took to fit the job). I have yet to land the job officially, but at least I passed the beginning phase, so to speak.

Over the phone I was told I would be working 40 hours a week making $17 an hour (with some benefits such as health insurance and whatnot). This isn't much by any stretch, but for an entry level networking position, considering I only have my CCENT, is this common? I guess it depends on location and whatnot; I hear my area can be over-saturated when it comes to networking professionals, therefore the pay is often less than average. But it makes me wonder if I had my CCNA, would they pay me any more for the same exact position?

From what I have gathered over a few phone calls, I'll be working for a pretty major banking corporation dealing with "level 1 and 2" networking (seems rather simple if that's all it is) issues using SD WAN solutions. I have zero experience, in school or out of school, with SD WAN, but I've been looking into it and the learning curve should be pretty simple. I'm excited to get my foot in the door, and to obtain some industry related experience if anything, but I'm also curious as to what others have experienced.



Network automation with Netmiko

Netmiko is a python module which is built on top of Paramiko, with added functionality and easier to use. Netmiko supports a wide range of router vendors.

This is the post to demonstrate a few how-tos:

  1. The minimum requirement to make netmiko work.
  2. How to get password and encrypt it to a file, then decrypt it when need to be used by netmiko.
  3. How to attach each router to a process, this is necessary to send the commands over to cisco routers in parallel.
  4. How to parse information from output of show ip int brief.

https://cyruslab.net/2019/10/12/pythonmultiprocessing-with-netmiko/
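The fourth how-to above, parsing `show ip interface brief`, as an added example that is not the linked post's code: in a Netmiko script the text would come back from `send_command("show ip int brief")`; here it is a constructed IOS-style sample embedded in the block, with made-up interface names and RFC 5737 addresses. The column layout is fixed-width, but the Status column can contain a space ("administratively down"), so the regex anchors on the last token instead of splitting on whitespace.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the IOS "show ip interface brief" layout (not captured from a real device).
SAMPLE_SHOW_IP_INT_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.0.2.1       YES NVRAM  up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         198.51.100.9    YES manual up                    down
Loopback0                  203.0.113.1     YES NVRAM  up                    up
Tunnel0                    10.255.0.1      YES manual up                    up
"""


@dataclass(frozen=True)
class InterfaceState:
    name: str
    ip: Optional[str]   # None when IOS prints "unassigned"
    method: str
    status: str         # "up", "down" or "administratively down"
    protocol: str


# Status may contain a space, so take the protocol as the final token and let
# status (non-greedy) absorb whatever sits between the Method column and it.
_LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>.+?)\s+(?P<protocol>\S+)\s*$"
)


def parse_show_ip_int_brief(text: str) -> List[InterfaceState]:
    """Turn the table into InterfaceState records, skipping the header and blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Interface"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            # Fail loudly: silently dropping a line hides a changed CLI format.
            raise ValueError(f"unparsed line: {line!r}")
        ip = None if m["ip"] == "unassigned" else m["ip"]
        rows.append(InterfaceState(m["name"], ip, m["method"], m["status"], m["protocol"]))
    return rows


def interfaces_up_up(rows: List[InterfaceState]) -> List[str]:
    """Names of interfaces that are up/up."""
    return [r.name for r in rows if r.status == "up" and r.protocol == "up"]


def addressed_but_down(rows: List[InterfaceState]) -> List[str]:
    """Interfaces that carry an address but are not up/up: the ones worth chasing."""
    return [r.name for r in rows if r.ip and not (r.status == "up" and r.protocol == "up")]


if __name__ == "__main__":
    parsed = parse_show_ip_int_brief(SAMPLE_SHOW_IP_INT_BRIEF)
    for row in parsed:
        print(row)
    print("up/up:", interfaces_up_up(parsed))
    print("addressed but not up/up:", addressed_but_down(parsed))
```

In a multiprocessing setup each worker would return the parsed list (or the derived names) rather than the raw text, so the parent process only has to merge small structures.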



Automating ospf configuration to two routers with python



"Free" WiFi in my Hotel room.



10gb Question - Same subnet hosts through GW or no?

Think my logic is correct but want to clarify...

My GW default router is Fortigate 100e, handling all l3 routing... no 10gb capability.

My switch stack, 3750X-48 acting as L2 devices only minus a l3 int for management vlan that’s same as FG.

If I put a 10gb switch in the mix and trunk that to the 3750 stack, if two hosts are on the 10g switch, and are on the same subnet... since that is just l2 they won’t even hit the gateway to route traffic between the two and 10gb speeds would be achievable pending the obvious disk factors etc, right?

I don’t know why but part of me feels like I’m wrong , but it’s been a long week.

For instance 10.10.10.1 is 10gb connected to 10gb switch and so is 10.10.10.2 , but the GW is on a stick at 1gb, shouldn’t matter unless trying to go to a different vlan?

Cheers



Can OSPF / BGP be used for the same subnet?

I am pretty fluent in networking, but advanced routing like BGP / OSPF I don't have a lot of experience with. I'd like to try learning at home in my home lab, so I'm wondering if I can do something like the following:

Network diagram:

https://imgur.com/a/C8ClB1u

I'm currently using keepalived along with haproxy to float some Virtual IPs between two kubernetes nodes in my lab (192.168.1.25 - 192.168.1.27). Also on these 2 nodes sits 10.32.0.0/12, the kubernetes pod subnet. Keepalived is an Active/Passive tool; I'd like to try and implement OSPF/BGP if this is possible between the 2 nodes and my router/firewall (Palo Alto Networks PA-3020). I know the basic concept of BGP is to advertise different routes; I'm wondering if it can be done with the same subnet, basically issuing static routes (for 192.168.1.25-27, go to either 192.168.1.20 or 192.168.1.21) as well as routing the K8s subnet (for 10.32.0.0/12, go to 192.168.1.20 or 192.168.1.21).

Is this possible? I understand some BASIC principles of OSPF, not so much BGP, and not looking for a "here are the configuration settings you need to do it" so much as "yes you can do it, you need to set this for the Area on the Router and then this on the proxies"...I can fill in the blanks. I'm assuming that I can assign the VIPs to the loopback interfaces on both proxies.

Thanks!



Arista 7124 or Nexus 5010

Adding a 10gb switch in my mix for iscsi storage to a m1000e. It's in a dc so I don't care about noise, but power is on a budget... I'm familiar with Cisco IOS, never used the nexus line, only catalyst.

Both can be had for ~$250 on eBay... any input on what’d be better for me?



Two NIC's on same Debian Machine

Hello everyone!

I am kind of a n00b in networking, but I successfully installed a Debian machine which runs my 3CX server. The main idea is that my SIP Trunk provider requires me to connect to the SIP Server through a dedicated VPN MPLS connection that is made by the ONT installed on location. Good, 3CX also requires an internet connection in order to be accessible from the internet (Mobile 3CX App, and stuff like this). So, my configuration looks in the following way:

  • Debian Server with 2 NIC's -> NIC 1 - in my router (IP class: 10.11.12.0/24) where I have internet connection / NIC 2 - in my ONT - for MPLS VPN, in order to be able to connect to the SIP Trunk (on this NIC I don't have internet connection).

Also, I need to specify to the network card that I use an IP, NM and GW. Also, in order to access the SIP Server I have to pass 2 different DNS servers, hosted by my ISP (SIP Trunk).

My concern is that now I successfully managed to install 3CX on Debian server, but now I don't have internet connection to the server, even that I added routes to manage this.

Can I receive some advice in how to setup it in order to be both NIC's accessible by the server, first NIC for internet connection and the second NIC to connect to the SIP Provider?

Here is my /etc/network/interfaces config:

(enp2s0 - LAN CARD 1 - Internet Connection / enp5s0 - LAN CARD 2 - Connected to the SIP Server)

```
source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug enp2s0
iface enp2s0 inet static
    address 10.11.12.150
    netmask 255.255.255.0
    dns-nameservers 1.1.1.1
    dns-search 3cx
    # network prefix, not the gateway address: the kernel rejects 10.11.12.1/24
    # ("Invalid prefix for given prefix length"), which makes the post-up fail
    post-up ip route add 10.11.12.0/24 dev enp2s0 src 10.11.12.150 table rt2
    post-up ip route add default via 10.11.12.1 dev enp2s0 table rt2
    post-up ip rule add from 10.11.12.150/32 table rt2
    post-up ip rule add to 10.11.12.150/32 table rt2

allow-hotplug enp5s0
iface enp5s0 inet static
    address 192.168.30.94
    netmask 255.255.255.252
    gateway 192.168.30.93
```

My /etc/resolv.conf:

```
search 3cx
nameserver 82.xx.xx.xx
nameserver 82.xx.xx.xx
nameserver 1.1.1.1
```

Thank you in advance!
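The general pattern for a box with one internet-facing NIC and one provider-only NIC, as an added example that is not the poster's config: only the internet side carries the main-table default route, the provider side gets its own routing table selected by source address, and the few provider-only destinations get explicit host routes. It reuses the addresses and interface names from the post; `<SIP_DNS_1>`, `<SIP_DNS_2>` and `<SIP_SERVER_NET>` are placeholders, and it assumes `/etc/iproute2/rt_tables` contains a line such as `2 rt2`.

```text
# /etc/network/interfaces (added example; assumes "2 rt2" is defined in /etc/iproute2/rt_tables)
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

# Internet side: the only interface with a "gateway" line, so the main-table
# default route points here and general internet traffic leaves via the router.
allow-hotplug enp2s0
iface enp2s0 inet static
    address 10.11.12.150
    netmask 255.255.255.0
    gateway 10.11.12.1
    dns-nameservers 1.1.1.1

# Provider (MPLS) side: no "gateway" line, so it cannot take over the default route.
allow-hotplug enp5s0
iface enp5s0 inet static
    address 192.168.30.94
    netmask 255.255.255.252
    # Replies sourced from this address (SIP signalling and media) go back out via the ONT.
    post-up ip route add default via 192.168.30.93 dev enp5s0 table rt2
    post-up ip rule add from 192.168.30.94/32 table rt2
    post-down ip rule del from 192.168.30.94/32 table rt2
    # Provider-only destinations get explicit main-table routes. Placeholders, not real addresses.
    post-up ip route add <SIP_DNS_1>/32 via 192.168.30.93 dev enp5s0
    post-up ip route add <SIP_DNS_2>/32 via 192.168.30.93 dev enp5s0
    post-up ip route add <SIP_SERVER_NET> via 192.168.30.93 dev enp5s0
```

ifupdown treats a failing `post-up` command as a failed `ifup`, so after editing check `ip route show`, `ip route show table rt2` and `ip rule show` to confirm every line was accepted.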



How to share IPv4 routes over IPv6 peers/neighbors with BGP?

https://ift.tt/2M8UXNd

Network patching data model for CMDB

I need to start tracking every physical and logical patch, to enable programmatic config generation. Does anyone know of a good example of a patching data model that already exists, to save reinventing the wheel (I already have too many funny shaped wheels, and none of them are round). The more I think about it, the more complicated I realise it is, when you are trying to track all possibilities. I need to effectively be able to track, log and search every end to end patch in the DC, and report on paths.

Physical Patching

Off the top of my head here are a few examples of physical L1 Patches:

  • Host-Cat6-Switch
  • Switch-Twinax-Switch
  • Host-(LC)OM3(SC)-PatchPanel-OM3infrastructure-PatchPanel-(ST)OM3(LC)-Switch
  • Host-(LC)OM3(SC)-RapidNetPanel-(MTR12)OM3Fanout(LC)-Switch
  • Host-Cat6-FloorPlate-PatchPanel-Cat6-Switch
  • Switch-(LC)MMF(LC)-ThirdPartySP-(LC)MMF(LC)-Switch
  • Switch-(LC)MMF(LC)-CWDM_Frequency_converter-(LC)SMF(LC)-splitter-(LC)SMF(SC)-PatchPanel-PatchPanel-(LC)SMF(SC)-splitter-(LC)SMF(LC)-CWDM_Frequency_converter-(LC)MMF(LC)-Switch

Arguably Host and Switch are the same thing, they are both devices with numbered interfaces (numbering is inconsistent, but unique).

Floor plates and panels could also be the same type.

Switch QSFP ports can break out to 4 SFP connections

Patch Panels may be connected to other panels in an arbitrary number of hops; specific paths in the middle may not be known. Panels do not always have the same number of ports at either end (e.g. two 12 port panels may connect to a single 24 port panel).

Patch panels and switch ports can potentially carry more than one link. A single MTR cable can have multiple cables in it. It could be a single plug at one end and 12 at the other.

I also need to track the media type (SMF, MMF, OM3, Copper, Twinax, etc.)

Track the Termination Type (RJ45, LC, SC, ST, MTR12, SFP, QSFP, etc.) Plug or socket.

Allow for CWDM/DWDM link aggregation channels on dark fibre. The optical splitter is effectively a patch panel of sorts; it has 8 interfaces which correlate to the splitter ports at the other end, not sure if this is always the case.

Logical Patching

On top of the physical connections, I need to track things like:

  • Port Channel aggregations (LACP, MLAG etc.)
  • Trunks and VLANs
  • Tunnels (GRE, IPSEC, SSL)

Some of these can obviously be nested for added annoyance and complexity. VLANs can even be in other vlans using QinQ trunks.

Can anyone else think of any other use cases to add to the list that would be typical in an enterprise network/DC.

My thoughts so far

  • I think a link is comprised of two pieces of hardware at each end with a number of cables in between.
  • Each piece of hardware has one or more interfaces of a defined type
  • Each cable has a media type and a connector type at each end.
  • A Patch Panel has a number of ports and each port can join two cables
  • Multi core cables have a channel suffix and can connect a range of ports.
  • WDM links are treated like multi core cables.
  • Connecting it all together
    • Each host interface has an UID or, the host has a UID and interface index
    • Each Patch Panel has an port UID or, the panel has a UID and port index
    • Each Cable has a UID and an A and Z end Foreign Key for the hosts or Panel UID and/or index
    • Multi core cables are a collection of individual cables, possibly grouped at the connector

Representing the data in the DB is the first hurdle. I also need to find a way to enter it that is easy for everyone, to encourage them to maintain the data. I also need a good way to represent an end to end path in a clear easy to understand way.

I need to implement this in our CMDB, which is primarily Python/Django based, but want to get my head around the data model first. I would greatly appreciate any insights or recommendations from anyone who has already had experience with this type of problem, and any ideas of how to better represent any of the components.
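The "my thoughts so far" list above, as an added example that is not the poster's CMDB schema: a hypothetical in-memory model with devices, (owner UID, port index) interfaces, cables with A and Z ends and connector types, and panel ports that join two cables, plus the end-to-end trace the post asks for. Class names, the `PatchDB` helper and the sample patch (a Host-(LC)OM3(SC)-PatchPanel-OM3infrastructure-PatchPanel-(ST)OM3(LC)-Switch path) are this example's own constructions; the same walk would run over Django querysets once the tables exist.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Port:
    """A numbered interface on a device, or a port on a panel. Multi-core cables can
    use a channel suffix in the index, e.g. "rear7.3" for core 3 of MTP port 7."""
    owner: str   # device or panel UID (assumed not to contain ":")
    index: str   # interface/port index, unique within the owner

    def __str__(self) -> str:
        return f"{self.owner}:{self.index}"


@dataclass(frozen=True)
class Cable:
    uid: str
    media: str          # "Cat6", "OM3", "SMF", "Twinax", ...
    a_end: Port
    z_end: Port
    a_connector: str    # "RJ45", "LC", "SC", "ST", "MTR12", ...
    z_connector: str


class PatchDB:
    """Hypothetical stand-in for the CMDB tables: devices, cables, and which port joins which."""

    def __init__(self) -> None:
        self.kind: Dict[str, str] = {}          # device UID -> "host" | "switch" | "panel"
        self.cables: Dict[str, Cable] = {}
        self.by_port: Dict[Port, Cable] = {}    # a port carries at most one cable end
        self.panel_link: Dict[Port, Port] = {}  # front<->rear pairing inside a panel

    def add_device(self, uid: str, kind: str) -> None:
        self.kind[uid] = kind

    def add_cable(self, cable: Cable) -> None:
        # Integrity checks the database layer should enforce too: known owner, port not double-patched.
        for end in (cable.a_end, cable.z_end):
            if end.owner not in self.kind:
                raise KeyError(f"unknown device {end.owner}")
            if end in self.by_port:
                raise ValueError(f"{end} already has cable {self.by_port[end].uid}")
        self.by_port[cable.a_end] = cable
        self.by_port[cable.z_end] = cable
        self.cables[cable.uid] = cable

    def join_panel_ports(self, front: Port, rear: Port) -> None:
        """A panel port joins two cables: whatever enters the front leaves the rear."""
        if self.kind.get(front.owner) != "panel" or front.owner != rear.owner:
            raise ValueError("both ports must belong to the same panel")
        self.panel_link[front] = rear
        self.panel_link[rear] = front

    def trace(self, start: Port) -> List[str]:
        """Follow cable -> panel port -> cable ... from a device interface until the far-end
        device interface, an unpatched port, or an unjoined panel port."""
        path = [str(start)]
        seen = {start}
        port = start
        while True:
            cable = self.by_port.get(port)
            if cable is None:
                path.append("UNPATCHED")
                return path
            far = cable.z_end if port == cable.a_end else cable.a_end
            path += [f"{cable.media}({cable.uid})", str(far)]
            if far in seen:
                raise ValueError(f"patching loop at {far}")
            seen.add(far)
            if self.kind[far.owner] != "panel":
                return path                       # reached a host/switch interface
            nxt = self.panel_link.get(far)
            if nxt is None:
                path.append("PANEL-PORT-NOT-JOINED")
                return path
            path.append(str(nxt))
            seen.add(nxt)
            port = nxt

    def far_end(self, start: Port) -> Optional[Port]:
        """The device interface at the other end of the complete path, or None if incomplete."""
        last = self.trace(start)[-1]
        if last in ("UNPATCHED", "PANEL-PORT-NOT-JOINED"):
            return None
        owner, index = last.split(":", 1)
        return Port(owner, index)


def build_sample() -> PatchDB:
    """Constructed sample: Host-(LC)OM3(SC)-PatchPanel-OM3infrastructure-PatchPanel-(ST)OM3(LC)-Switch."""
    db = PatchDB()
    for uid, kind in (("host1", "host"), ("ppA", "panel"), ("ppB", "panel"), ("sw1", "switch")):
        db.add_device(uid, kind)
    db.join_panel_ports(Port("ppA", "front7"), Port("ppA", "rear7"))
    db.join_panel_ports(Port("ppB", "front3"), Port("ppB", "rear3"))
    db.add_cable(Cable("c1", "OM3", Port("host1", "eth0"), Port("ppA", "front7"), "LC", "SC"))
    db.add_cable(Cable("c2", "OM3", Port("ppA", "rear7"), Port("ppB", "rear3"), "SC", "SC"))
    db.add_cable(Cable("c3", "OM3", Port("ppB", "front3"), Port("sw1", "Eth1/3"), "ST", "LC"))
    return db


if __name__ == "__main__":
    db = build_sample()
    print(" - ".join(db.trace(Port("host1", "eth0"))))
    print(" - ".join(db.trace(Port("sw1", "Eth1/4"))))
```

The trace output is the same hop list the post writes by hand, so the same function can back a search ("which switch port does host1:eth0 land on?") and a report of incomplete paths (anything ending in `UNPATCHED` or `PANEL-PORT-NOT-JOINED`).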



Congested peering between ATT and Level 3

We use a cloud based phone system and after the recent power events here in Northern California my users are reporting issues with the phone system. After some investigation I narrowed the culprit down to the peering point inside of the ATT network before entering the level 3 network. We have a failover terrestrial microwave WAN circuit and our failover ISP has no congested peers along the way to the level 3 network. I know that manually cutting over to the failover line would resolve the issue. Should I try working with ATT to get the peering issue resolved (or just wait for that to happen on its own)? Or should I just force our router to use our failover line? Or both? Thanks.



Ansible Python API - playbook execution hangs with defunct process

I am using the programmable python Ansible APIs to execute a playbook on Cisco Switches. I see that the playbook is hanging while executing some commands on Cisco. The commands succeed as expected, but Ansible hangs and never comes out. I see the child forked by Ansible as "defunct". It appears to be an Ansible bug based on my googling. Has anyone run into this issue, and what is the way out? It's pretty consistent and it hits this issue exactly at the same point in the playbook.



Forgetting that we have an IPAM, today I wrote a Python 3.7 script for parsing available Subnets

As the title says, I totally forgot that we have an IPAM, and was tasked to add a new IP-scope for Customer Premises Equipment. We have a /16 allocated internally for CPE usage, but to say that there were no structure followed when issuing scopes earlier is an understatement.

I ended up using this script for solving the problem, but was quickly reminded by colleagues that we had an IPAM for that. Some of you might not have that, so this might come in handy for you.

Here is the (not pretty) script:

```python
import argparse
import ipaddress
import re

# Setting up the arguments.
parser = argparse.ArgumentParser(
    description="Given an IP-Scope, and subnets, gives back the unused subnets.",
    formatter_class=argparse.RawTextHelpFormatter,
)
parser.add_argument("scope", action="store",
                    help="The main IP-scope that you want to parse. DEFAULT-NETMASK=/24")
parser.add_argument("-s", "--subnet", action="append", default=[],
                    help="The subnets that you want to compare against the main-scope.")


def main():
    args = parser.parse_args()
    mainscope = createScope(args.scope)
    args.subnet = [createScope(x) for x in args.subnet]
    remainingScopes = []
    # A loop which goes through all of the scopes, and splits them up, to get all the "unused" scopes.
    for scope in args.subnet:
        if scope is None:
            continue  # createScope could not parse it; skip rather than crash
        if not remainingScopes:
            # Initiates the list containing the remaining scopes.
            # !!FYI .subnet_of is new in Python 3.7!! Compares each scope against the remaining "super-nets".
            if scope.subnet_of(mainscope):
                for x in mainscope.address_exclude(scope):
                    remainingScopes.append(x)
        # If the list has been initiated, then continue with further filtering.
        else:
            # Iterate over a copy, because the list is modified inside the loop.
            for x in list(remainingScopes):
                # !!FYI .subnet_of is new in Python 3.7!! Compares each scope against the remaining "super-nets".
                if scope.subnet_of(x):
                    for y in x.address_exclude(scope):
                        remainingScopes.append(y)
                    # Removes the "super-net" from the list to avoid it being subnetted further.
                    remainingScopes.remove(x)
    print(f"Original scope: {mainscope}")
    print("Available scope(s):")
    for i in sorted(remainingScopes):
        print(i)
    if not remainingScopes:
        print(mainscope)


def createScope(scope):
    """Searches for an IP-scope, and "corrects" it before creating an IPv4Network."""
    scope = scope.strip()
    # Find the format of the ip-scope. fullmatch (rather than search) keeps a bare
    # address such as 10.0.0.100 from being mistaken for "address + shorthand".
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3} */ *\d{1,2}", scope):
        # IP-address + / + shorthand
        scope = ipaddress.IPv4Network(scope.replace(" ", ""), strict=False)
    elif re.fullmatch(r"(\d{1,3}\.){3}\d{1,3} */ *(\d{1,3}\.){3}\d{1,3}", scope):
        # IP-address + / + netmask
        scope = ipaddress.IPv4Network(scope.replace(" ", ""), strict=False)
    elif re.fullmatch(r"(\d{1,3}\.){3}\d{1,3} +(\d{1,3}\.){3}\d{1,3}", scope):
        # IP-address + " " + netmask
        scope = ipaddress.IPv4Network("/".join(scope.split()), strict=False)
    elif re.fullmatch(r"(\d{1,3}\.){3}\d{1,3} +\d{1,2}", scope):
        # IP-address + " " + shorthand
        scope = ipaddress.IPv4Network("/".join(scope.split()), strict=False)
    elif re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", scope):
        # IP-address without netmask/shorthand: default to /24.
        scope = ipaddress.IPv4Network(scope + "/24", strict=False)
    else:
        return None
    return scope


if __name__ == "__main__":
    main()
```

Example of operation:

```
python.exe .\ipAvailableSubnet.py 172.16.0.0/24 -s 172.16.0.23/32 -s 172.16.0.128/25 -s 172.16.0.64/26
Original scope: 172.16.0.0/24
Available scope(s):
172.16.0.0/28
172.16.0.16/30
172.16.0.20/31
172.16.0.22/32
172.16.0.24/29
172.16.0.32/27
```


Ruckus mishandling DFS

We are a municipal ISP, offering fixed wireless connectivity.

We use Ruckus AP's and Mikrotik transceivers on the customers houses.

About a week ago we started hearing disconnect complaints.

Looking at the AP logs I could see radar moves followed by deauth.

Could see matching logs on the customer's equipment.

So as a test I disabled DFS channels on the AP's where customers were complaining.

This did not resolve the issue.

We had recently rejiggered our radius implementation, one of the key changes being that non-pays were not authenticated, where previously they were put in a black-hole vlan. Knowing how dreadful Mikrotik's handling of deauths is in AP mode (we use hAP's for in-home wifi), we had a strong suspicion they were behaving similarly in client mode now that we had deauths being sent by the APs.

So yesterday for a test we reauth'd everyone. No more loose deauth frames.

Still the issue persists.

Doing another deep dive in Ruckus/Mikrotik logs today I found DFS update followed by deauthing all clients on the AP and matching "lost connection, received deauth" on the Mikrotik.

This is on AP's that only use Uni-band 1 and 3, so obviously there is no frequency move.

Anyone seen similar behavior? How did you solve it? Any idea why it would start now?

For full disclosure the AP's now talk directly to freeradius, rather than proxying through SmartZone. That really doesn't look related however.



Routing port on Extreme Networks 3650

Would appreciate some help with this as it's been driving me crazy all night. I'm trying to get to grips with an Extreme Networks 3650GTS. I'm a Windows sysadmin primarily, with a small amount of Cisco experience, and I just can not for the life of me get this unit routing to an upstream firewall.

I have a few VLANs on the switch that are routing correctly between each other, 10.1.1.0/24, 10.2.2.0/24 etc. In Cisco-world I imagine I would make the uplink port a non-switchport, assign it an IP, put a static route in and point it to that interface or upstream IP. With this switch, I just can't seem to get that working.

So I've created a new VLAN 1010 for the link, 10.10.10.0/24 (wasteful, I know, but this is a lab environment), with an interface address of 10.10.10.2. The uplink port (port 48) is access VLAN 1010 and the upstream firewall is 10.10.10.1.

I can ping the firewall when source is 10.10.10.2, but no other VLANs can ping it as source. Help!

IP route and config below:

```
3650GTS-PWR+#sh ip route

                                    Ip Route
DST            MASK             NEXT          COST  VLAN  PORT  PROT  TYPE  PREF
-------------------------------------------------------------------------------
10.1.1.0       255.255.255.0    10.1.1.1      1     11    ----  C     DB    0
10.2.2.0       255.255.255.0    10.2.2.1      1     22    ----  C     DB    0
10.9.9.0       255.255.255.0    10.9.9.1      1     99    ----  C     DB    0
10.10.10.0     255.255.255.0    10.10.10.2    1     1010  ----  C     DB    0
Total Routes: 4
-------------------------------------------------------------------------------
```

```
3650GTS-PWR+#sh run
! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 3650GTS-PWR+
! Software version = v6.1.1.017
!
! Displaying only parameters different to default
!================================================
enable
configure terminal
!
! *** CORE ***
!
! username "ro" "********" ro
! username "admin" "********" rw
!
! *** RADIUS ***
!
!
! *** RADIUS Dynamic Server ***
!
!
! *** TACACS+ ***
!
!
! *** SNMP ***
!
!
! *** IP ***
!
ip default-gateway 10.10.10.1
ip address switch 10.9.9.1
!
! *** IP Manager ***
!
!
! *** ASSET ID ***
!
!
! *** System Logging ***
!
!
! *** STACK ***
!
!
! *** Custom Banner ***
!
!
! *** SSH ***
!
!
! *** SSL ***
!
!
! *** SSHC ***
!
!
! *** MSTP (Phase 1) ***
!
!
! *** LACP (Phase 1) ***
!
!LACP mode is set to OFF on all interfaces to enable manipulation of
!ports with LACP enabled
interface Ethernet ALL
lacp mode port ALL off
exit
!
! *** VLAN ***
!
vlan create 11,22,99,1010 type port cist
vlan name 11 "Servers"
vlan name 22 "Workstations"
vlan name 99 "Mgmt"
vlan name 1010 "Interlink1010"
vlan ports 1-12,46 tagging tagAll
vlan ports 48 filter-unregistered-frames disable
vlan configcontrol flexible
vlan members 1 NONE
vlan members 11 1-12
vlan members 22 13-23
vlan members 99 25-47,49-52
vlan members 1010 46,48
vlan ports 1-12 pvid 99
vlan ports 13-24 pvid 22
vlan ports 25-47 pvid 99
vlan ports 48 pvid 1010
vlan ports 49-52 pvid 99
no auto-pvid
!
! *** 802.1ab ***
!
!
! *** 802.1ab vendor-specific TLVs config ***
!
!
! *** 802.1AB MED Voice Network Policies ***
!
!
! *** QOS ***
!
!
! *** RMON ***
!
!
! *** EAP ***
!
!
! *** EAP Guest VLAN ***
!
!
! *** EAP Fail Open VLAN ***
!
!
! *** EAP Voip VLAN ***
!
!
! *** Interface ***
!
interface Ethernet ALL
name port 1-12 "ESXi Host Trunk"
name port 13-24 Workstations
exit
!
! *** Rate-Limit ***
!
!
! *** MLT (Phase 1) ***
!
!
! *** MAC-Based Security ***
!
!
! *** LACP (Phase 2) ***
!
!
! *** ADAC ***
!
!
! *** MSTP (Phase 2) ***
!
!
! *** Port Mirroring ***
!
!
! *** VLAN Phase 2***
!
vlan mgmt 99
!
! *** MLT (Phase 2) ***
!
!
! *** PoE ***
!
!
! *** RTC ***
!
!
! *** Extreme Networks Energy Saver ***
!
!
! *** AUR ***
!
!
! *** AAUR ***
!
!
! *** L3 ***
!
interface vlan 11
ip address 10.1.1.1 255.255.255.0 2
interface vlan 22
ip address 10.2.2.1 255.255.255.0 3
interface vlan 1010
ip address 10.10.10.2 255.255.255.0 4
exit
ip route 0.0.0.0 0.0.0.0 10.10.10.1 1
!
ip routing
!
!
! *** IPV6 ***
!
!
! *** MLD ***
!
!
! *** FHS ***
!
!
! --- FHS Global settings ---
!
!
! --- IPV6 access list settings ---
!
!
! --- IPv6 mac access list settings ---
!
!
! --- IPV6 dhcp guard settings ---
!
!
! --- IPV6 RA Guard settings ---
!
!
! --- IPV6 Policy Port Map settings ---
!
!
! --- IPV6 FHS ND SBT Table settings ---
!
!
! --- IPV6 Source Guard Interface settings ---
!
!
! *** VLACP ***
!
!
! *** DHCP Relay ***
!
!
! *** L3 Protocols ***
!
!
! --- IP Directed Broadcast ---
!
!
! --- Proxy ARP ---
!
!
! --- UDP Broadcast Forwarding ---
!
!
! --- Route Policies ---
!
!
! --- RIP ---
!
!
! *** DHCP SNOOPING ***
!
!
! *** ARP INSPECTION ***
!
!
! *** IP SOURCE GUARD ***
!
!
! *** IGMP ***
!
interface vlan 1
ip igmp
exit
interface vlan 11
ip igmp
exit
interface vlan 22
ip igmp
exit
interface vlan 99
ip igmp
exit
interface vlan 1010
ip igmp
exit
!
! *** STACK MONITOR ***
!
!
! *** SLPP-guard ***
!
!
! *** DHCP Server ***
!
!
! *** SLAMON ***
!
!
! *** STORM CONTROL ***
!
!
! *** Fabric Attach ***
!
```



F5 iRules syntax example for source, destination ip , port and protocol allow/deny

Hi, can anyone help with syntax for "source ip, destination ip , port and protocol allow/deny " for iRules on an f5 load balancer.

We are trying to remove a Checkpoint firewall and use an existing f5 load balancer to do that job, and understand that iRules could be used for that purpose. If someone can help with the syntax it will be very much appreciated!

I have the below example, however I am not sure if I can use the same syntax for something defined as a port/port pool instead of "HTTP_REQUEST".

```
when HTTP_REQUEST {
    log local0.debug "IRule has been triggered"
    if { [class match [IP::client_addr] equals xxxxx] } {
        pool xxxxxx_443_pool
    }
    # Tcl needs "else" on the same line as the closing brace of the "if" body.
    if { [class match [IP::client_addr] equals ris_mlt_client_net] } {
        pool xxxxx_443_pool
    } else {
        pool xxxxxx_443_pool
    }
}
```



Using Netbox and Ansible to facilitate network changes

My organization is a medium sized University. As with most universities(not all) we are short on funds. Our management has told us that we need a Network Management Solution. So we started looking at Solarwinds and Manage Engine. Liked some things with Manage Engine. Liked some things with Solarwinds. Management then comes down and says.."Oh, you have no money for your NMS." sigh Ok. We're used to this. Now we have to grow our own. We have been using Netbox for over a year now. However, a lot of it has been a manual process. But there are some neat features, like being able to have interfaces associated with a device and all kinds of data associated with the Interface. So, we got the idea of just using Netbox as our Management tool as well as our Source of Truth. So, I sat down 2 days this week and hacked out some python that uses pynetbox(which has almost no documentation) and some Jinja2 templates. I can import and export data out. Ended up using tags for the voice vlan. since Jeremy says that you can do it with Untagged and Tagged VLANs. sigh Not the same...Anyway, that's another discussion. My question to the community, is anyone else doing this? Is anyone using Netbox to actually change your configs? If so, how is it working? Do you have any hiccups? Are you using Ansible to push the configs out? Thanks!



Cisco IPSec tunnel with additional routes

I have a very strange scenario, not sure if it's possible or not. We have a public cloud and I am trying to create an IPsec tunnel between my office and a cloud VPC, and from that cloud VPC to another region's VPC. Let me explain in a diagram.

This is ALI Cloud and trying to configure CEN (Cloud Enterprise Network) https://www.youtube.com/watch?v=I00gSpL8JKs

[VPC-A]-----------cloud-vpc-peering------------[VPC-B]--------------IPsec--tunnel------[Office]

I can ping from my office to VPC-B IP subnets (vms)

I can ping from VPC-B to VPC-A IP subnets (vms)

But I want to ping from the office directly to the VPC-A subnet, which is not working. I have tried to add the VPC-A IP subnet to the Cisco ASA (office) IPsec tunnel as interesting traffic, but how do I tell Cisco to route the VPC-A subnet through the VPC-B IPsec tunnel?

Is this possible, or am I trying something which is not possible?



Visio is a nightmare, please recommend something better.

I really like how Visio has almost all of the stencils I need, which allows me to properly build out the racks (front and back); that is a big win. However, I'm trying to build a network diagram showing all the switches in the network (redundancy, multiple buildings, fiber, copper, etc.) and the connector feature is driving me insane: it never wants to link things properly and automatically builds its own path, often adding unnecessary 90s and overlapping other lines.

Is there software that allows me to add in icons (switches/routers/etc) link them and have the link be dynamic, meaning, if I have to move one switch around, it stays connected to the other switch and the lines actually look nice and don't overlap/cause confusion?

Thanks.



Selling a prestigious 2 letter domain. Guidance needed.

I know this is not really the best place to post this, but I am posting here initially just to get a feel for what pitfalls to avoid.

Our company is going out of business, and we have a very memorable 2 letter .com domain name. I have heard that auctions sometimes attract squatters, and may not yield the best price, but I don't know who to go to to oversee a private sale to maximize our return.

Are there recommended agents to help out? Reputable auction houses?



Looking to pay for SNMP access to devices, can pay monthly

As the title states, I'm looking to do some testing on a new tool I'm writing that will do SNMP monitoring for a slew of devices. I'm looking to test against a number of Cisco, Aruba, and F5 devices. If you have any of those and are willing to configure/open SNMP to my static (public) IP, DM me and we can work out a deal. Happy to pay monthly for as long as you leave the port open.

Devices I'm interested in:

Cisco CatOS, NX-OS, ASA, WLC, Routers

Aruba - Anything

F5 BIG-IP



Simple question.

hi all,

I’m a lower level IT guy with no certifications and a coworker came to me with a question from his kid. Sounded like a homework question but he asked if I knew the four IPv4 settings to connect to a WAN. I told him I didn’t know although I’ve connected several home routers to the internet. Maybe I know the answer, but don’t understand the question? I feel really dumb, but I figured if anyone could help it would be you folks...



iperf on different networks

Hi guys!
I have used iperf on the same host/same network for performance evaluation. Now I have two different computers in two different networks. Can I run iperf3 -s on the first machine and iperf3 -c on the second computer to measure performance between two computers in different networks?



Thursday, October 10, 2019

Closed port on public IP

Hi guys,

So I need your help. I'm terrified of getting hacked. I have an OpenVPN server running FreeBSD. I set it to use custom port 667 on UDP.

I put the vpn Server behind a sonicwall into the DMZ zone to separate it from the company LAN.

I’ve forwarded traffic coming into port 667 into the DMZ network IP of the OpenVPN server.

Now if I do a port scan on my public IP I can see port 667 is closed. All other ports are invisible. I use more than one public IP.

I know that theoretically you would need to have the keys and crts to get into port 667 remotely. But it makes me nervous leaving something this valuable on the public internet, even though it’s closed.

I could put a proxy server in front of it to add an additional layer of security, basically making my OpenVPN server appear to be a proxy server on port 443, then sending clients with the keys through to port 667 after connecting to the proxy. Then if I do a port scan only port 443 appears to be open, while all other ports are invisible.

But then again the proxy may hide port 667 but it does leave open port 443 with basic login credentials, but getting into the proxy wouldn’t allow access to the VPN, you’d have to be crazy smart to get access to the VPN server after connecting to the proxy. You’d have to know how it was all setup, I don’t think a hacker could figure out there was even a vpn server running on the same computer as the proxy server. I don’t know. Maybe.

What are the chances I get hacked if I leave port 667 closed on the public internet installed on an up to date FreeBSD install?



Is it worth going to school to get an AAS in Networking (Router & Switch), or is just studying for the CCENT and CCNA a better option to get into the field?


Wireless Lab Equipment

I'm an enterprise voice engineer, but am wanting to broaden my horizons. If I wanted to build a wireless lab using some used equipment I could find reasonably priced on eBay, what would be a good WLC and WAP pair to look for? I do salute the Cisco flag every morning, but I'm happy to look at Aruba, Aerohive, etc. I just don't know which WLCs pair with which WAPs. And moreover I don't know which models would be decent even if they're used.



Sonicwall SSL-VPN short lease time causing havoc on my DNS.

ISSUE: Duplicate DNS entries for the same IP address but different host names. This is most definitely being caused by the SonicWall SSL-VPN IP Pool having a one- or two-hour lease time, because it is only affecting the subnet that is handed out by the SW. All my other DHCP scopes are working just fine and AD is getting the expected updates from the DHCP. DNS is configured per MS best practices, so I believe I'm looking at 14 days before the records are updated, unless DHCP updates the record before then. As you might guess, these duplicate records are causing some serious problems with PDQ providing me with accurate device information, and I'm getting far too many scan errors due to the device IPs changing so frequently.

POSSIBLE SOLUTIONS: Either I extend the lease time, I can handle the number of addresses fine, or someone tells me the secret to getting the DNS records updated immediately when the IP changes.



Networking over 3k of Open Land

Hi there awesome networking people,

I have to connect up a building that is 3,000 ft away over open land. This building will house about 30 people, with need for VoIP and office Internet. Running fiber seems like the best way of doing it, but I'll have to run 2" conduit all that way.

Would antennas work? Which ones would you use? What are the risks?

Thanks so much. You guys rock!



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Network card MAC settings: Windows vs. Linux

I dual boot my laptop with Windows 10 and a Linux-based operating system, and the network card doesn't seem to have any continuity between operating systems. In Linux I can easily change the MAC address used to access a network a number of ways. On Windows, the network card is locked and I can't control the MAC address through the GUI, CLI or registry. I was wondering if there are any programs that can override the network card like I can in Linux, or if there is any known registry value pertaining to the network card not allowing change. By the way, I've been looking for a solution to this for a long time because I like to practice good security and don't like to connect to public WiFis using my actual MAC, and sometimes Linux just isn't the most convenient OS to be using. Thanks



Aruba, Ruckus, Cisco? What are you using for Wireless?

We’ve recently had a project dropped on us to transfer body and dash cam footage from police squad cars, over WiFi, to an on premise server. The WiFi they currently have in place is woefully outdated and we are shopping around for a replacement.

Payload from each squad is about 150GB and we would like it offloaded as quickly as possible so the squad isn’t sitting uploading videos for an hour. What do you guys recommend these days for high performance WiFi? We have some experience with Aruba’s AIPs and they work well for light, indoor use. But I’ve also heard Ruckus offers great performance.



Aruba Central - Noob starting training

Good day everyone,

I am currently tasked with learning Aruba switches (2930F) and controllers (7008) and making them work together.

I have been whacking away at these for a few days and cannot, for the life of me, get my switch to communicate past the router to the internet.

I am certain I am just dumb as a rock and missing some critical pieces that I can't seem to find.

  • I can hit the internet and the switch from the controller, no problem.
  • From the switch I get dhcp addresses for my vlan interfaces from the router
  • I can ping the default router for each vlan
  • I cannot ping anything beyond the default router in each vlan even from inside the switch, only getting a destination unreachable.

Here is my current switch config:

; JL258A Configuration Editor; Created on release #WC.16.09.0003
; Ver #14:27.6f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:04
hostname "Aruba-2930F-8G-PoEP-2SFPP"
module 1 type jl258a
include-credentials
password manager user-name "admin" sha1 "70ccd9007338d6d81dd3b6271621b9cf9a97ea00"
ip access-list extended "Test_Policy"
   exit
interface 8
   name "Trunk"
   exit
interface 9
   name "Fiber"
   exit
interface 10
   name "Fiber2"
   exit
snmp-server community "public" unrestricted
snmpv3 engineid "00:00:00:0b:00:00:b0:5a:da:98:4a:40"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-7,9-10
   untagged 8
   ip address dhcp-bootp
   ipv6 enable
   ipv6 address dhcp full
   exit
vlan 10
   name "MGMT"
   untagged 1-2
   ip address dhcp-bootp
   exit
vlan 11
   name "Corporate Users"
   untagged 3-7,9-10
   ip address dhcp-bootp
   exit
vlan 255
   name "Guest"
   ip address dhcp-bootp
   exit
vlan 3094
   name "MPLS"
   ip address dhcp-bootp
   exit
vlan 3333
   name "SystemVlan"
   ip address dhcp-bootp
   exit
vlan 4094
   name "iNET"
   ip address dhcp-bootp
   exit
spanning-tree
no tftp server
loop-protect 1-7,9-10
no autorun
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url



Asymmetric NAT'ing

I think I'm not fully understanding asymmetric NAT'ing...

Server A has Inbound NAT all ports/applications via Public-IP A.

Server A traffic is routed and Outbound NAT'd via Public-IP B.

Remote Host A pings Server A via Public-IP A and gets a reply from Public-IP A.

Server A pings Remote Host A, ping is received by Remote Host A from Public-IP B.

Why is the ping from Remote Host A -> Public-IP A received by Remote Host A via Public-IP A and not Public-IP B?

Wouldn't Remote Host A get reply packets from Public-IP B and drop them (because it never sent echo packets to that IP)?

*EDIT: I see similar behavior for any TCP connection via telnet from Remote Host A -> Public-IP A. The connection establishes and I see src/dst packets for Public-IP A only.
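A small stateful-NAT simulation of the scenario above, added here as an example (it is not from the post): it shows why a flow that Remote Host A starts toward Public-IP A is answered from Public-IP A, while a flow that Server A starts leaves via Public-IP B. All addresses are constructed placeholders from the documentation ranges.

```python
"""Stateful NAT walk-through for the inbound-NAT-on-A / outbound-NAT-on-B setup.

Added example, not from the post. Addresses are constructed placeholders
(RFC 5737 documentation ranges), not anyone's real deployment.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

PUBLIC_A = "203.0.113.10"   # inbound (destination) NAT: Public-IP A -> Server A
PUBLIC_B = "203.0.113.20"   # outbound (source) NAT for traffic Server A originates
SERVER_A = "10.0.0.5"
REMOTE_A = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int   # for ICMP echo, the echo identifier is used in both port fields
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Packet":
        """The tuple a reply to this packet will carry."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


Key = Tuple[str, int, str, int, str]


def key(p: Packet) -> Key:
    return (p.src, p.sport, p.dst, p.dport, p.proto)


class StatefulNat:
    """NAT rules are consulted only for the first packet of a flow; after that
    the state table decides both directions, so the reply to an inbound flow is
    un-NATed back to the address it arrived on, never re-NATed by the outbound rule."""

    def __init__(self) -> None:
        self.inbound_dnat = {PUBLIC_A: SERVER_A}
        self.outbound_snat = {SERVER_A: PUBLIC_B}
        self.state: Dict[Key, Packet] = {}

    def _remember(self, original: Packet, translated: Packet) -> None:
        self.state[key(original)] = translated                       # forward direction
        self.state[key(translated.reverse())] = original.reverse()   # reply direction

    def forward(self, p: Packet, from_outside: bool) -> Packet:
        hit = self.state.get(key(p))
        if hit is not None:
            return hit  # existing flow: state wins, NAT rules are not re-evaluated
        if from_outside and p.dst in self.inbound_dnat:
            t = Packet(p.src, p.sport, self.inbound_dnat[p.dst], p.dport, p.proto)
        elif not from_outside and p.src in self.outbound_snat:
            t = Packet(self.outbound_snat[p.src], p.sport, p.dst, p.dport, p.proto)
        else:
            t = p
        self._remember(p, t)
        return t


def remote_pings_public_a() -> Tuple[Packet, Packet]:
    """Remote Host A -> Public-IP A. Returns (echo as Server A sees it,
    echo reply as Remote Host A sees it)."""
    nat = StatefulNat()
    echo = Packet(REMOTE_A, 0x1A2B, PUBLIC_A, 0x1A2B, "icmp")
    at_server = nat.forward(echo, from_outside=True)
    at_remote = nat.forward(at_server.reverse(), from_outside=False)
    return at_server, at_remote


def server_pings_remote() -> Tuple[Packet, Packet]:
    """Server A -> Remote Host A. Returns (echo as Remote Host A sees it,
    echo reply as Server A sees it)."""
    nat = StatefulNat()
    echo = Packet(SERVER_A, 0x3C4D, REMOTE_A, 0x3C4D, "icmp")
    at_remote = nat.forward(echo, from_outside=False)
    at_server = nat.forward(at_remote.reverse(), from_outside=True)
    return at_remote, at_server


if __name__ == "__main__":
    srv, rem = remote_pings_public_a()
    print("inbound : server sees", srv, "\n          remote gets reply from", rem.src)
    rem2, srv2 = server_pings_remote()
    print("outbound: remote sees echo from", rem2.src, "\n          server gets reply to", srv2.dst)
```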



Cisco Devices Magnets

I am looking for magnets that represent Cisco networking devices for me to use in my classroom. I would like to purchase them not make them. Thanks :)



Some light to shed?

I noticed that ISP Telenet.be (Belgium) for some reason routes & responds to pings on these two specific private network subnets, but only from inside Belgium on their customer network:

172.22.1.1/16 172.23.1.1/16

I've never seen a private network address ping response from the internet before so I was baffled when getting a response on every ip in those /16 subnets. What could be the reason for having specifically those two private subnets routed and responding to pings on their public network?



Certificates instead of RADIUS for Remote Login Authentication (Cisco and others)

Friends,

Security is asking us to switch from RADIUS to certificates for administrative login to network devices. This is NOT for IPSEC or SSL VPN, just for device administration (ssh vty login, enable 15, etc.). Do you have any experience with this and can you describe any concerns or pitfalls you encountered? aTdHvAaNnKcSe!



ACS replacement recommendations?

Our ACS is no longer supported, and we don't want to use ISE; does anyone have an alternate recommendation for router and switch authentication? We checked out shrubbery but it seems dated. We use an LDAP group to manage users for network device access.



Regular RTP Interruptions

Hoping someone here might have some ideas for me.

I'm working on an issue where a wireless security camera at a customer's site, across a WAN from their data center, is experiencing intermittent interruptions to its stream. In performing a Wireshark capture from the server that the RTP stream is coming in to, I am seeing an average of about 150ms delta for the stream, but every 5 minutes 7 seconds there is a massive spike up to over 3-4 seconds, then back down to average.

I've got a debug log from the wireless controller, (Aruba), and it looks like the device is being seen as idle, waits 300 seconds, deauths it, and then the device immediately re-auths and reconnects. The time difference is about 7 seconds total from start to finish of that process it looks like.

I have used a wired camera at the same location on the same switch that the WAP connects through, and it does not exhibit the same issues.

I guess my question is, what could potentially cause an Aruba WLC to believe that a device that is consistently streaming at between 400kbps and 1.5Mbps as idle?

The device uses H.264 for the codec, audio is G.711 and the streams are interleaved. RTSP looks to be not having issues, and the RTCP send/receive reports indicate that there's not a significant amount of loss for the most part. So it's really just delay that is being introduced into this stream.

Just trying to wrap my head around this. I've been spinning my gears on it for a while trying to determine why this might be happening. Unfortunately I don't have direct access to the controller to grab logs myself. I'm using VLC to view the stream to allow me to direct the traffic to the system where I'm performing the capture.
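Added example (not the poster's code) of pulling the periodic stall, and its delay-versus-loss character, out of a capture like the one described: it parses RTP headers from a constructed stream with a 3.5 s stall every 307 s and uses the sequence numbers to tell buffering delay from packet loss. The stream parameters are constructed from the figures in the post, not a real trace.

```python
"""Spot periodic stalls in an RTP stream and tell delay from loss.

Added example; the capture is constructed from the figures in the post
(~150 ms inter-arrival, a multi-second stall every 5 min 7 s), not a real trace.
"""
import struct
from typing import Dict, List, Tuple

RTP_HEADER = struct.Struct("!BBHII")  # V/P/X/CC, M/PT, sequence, timestamp, SSRC
RTP_CLOCK_HZ = 90000                  # RTP clock rate used for video payloads


def build_rtp(seq: int, ts: int, ssrc: int = 0x1234ABCD, pt: int = 96) -> bytes:
    """Construct a minimal RTP v2 header (no CSRC, no extension, no padding)."""
    return RTP_HEADER.pack(2 << 6, pt & 0x7F, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc)


def parse_rtp(data: bytes) -> Dict[str, int]:
    """Decode the fixed RTP header; reject anything that is not RTP version 2."""
    if len(data) < RTP_HEADER.size:
        raise ValueError("packet shorter than an RTP header")
    b0, b1, seq, ts, ssrc = RTP_HEADER.unpack_from(data)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"pt": b1 & 0x7F, "marker": b1 >> 7, "seq": seq, "ts": ts, "ssrc": ssrc}


def make_capture(duration_s: float = 1000.0, interval_s: float = 0.15,
                 stall_period_s: float = 307.0, stall_s: float = 3.5) -> List[Tuple[float, bytes]]:
    """Constructed capture of (arrival time, RTP bytes). The camera keeps numbering
    packets through a stall, so the stall shows up as an arrival gap with
    contiguous sequence numbers: delay rather than loss."""
    capture, t, seq, ts, next_stall = [], 0.0, 1000, 0, stall_period_s
    while t < duration_s:
        capture.append((t, build_rtp(seq, ts)))
        seq += 1
        ts += int(interval_s * RTP_CLOCK_HZ)
        t += interval_s
        if t >= next_stall:          # the receiver hears nothing for stall_s
            t += stall_s
            next_stall += stall_period_s
    return capture


def find_gaps(capture, threshold_s: float = 1.0) -> List[Tuple[float, float, int]]:
    """Return (gap_start, gap_seconds, packets_missing) for every inter-arrival gap
    above the threshold. packets_missing == 0 means the stream was delayed, not
    lost, across the gap; a positive count means real loss."""
    gaps, prev_t, prev = [], None, None
    for t, raw in capture:
        hdr = parse_rtp(raw)
        if prev is not None:
            delta = t - prev_t
            if delta > threshold_s:
                missing = (hdr["seq"] - prev["seq"] - 1) & 0xFFFF
                gaps.append((prev_t, delta, missing))
        prev_t, prev = t, hdr
    return gaps


def gap_period(gaps) -> float:
    """Median spacing between gap starts; 0.0 when fewer than two gaps were seen."""
    if len(gaps) < 2:
        return 0.0
    spacings = sorted(b[0] - a[0] for a, b in zip(gaps, gaps[1:]))
    return spacings[len(spacings) // 2]


def mean_delta(capture, exclude_above_s: float = 1.0) -> float:
    """Average inter-arrival time with stall gaps excluded (the 'normal' delta)."""
    deltas = [b[0] - a[0] for a, b in zip(capture, capture[1:]) if b[0] - a[0] <= exclude_above_s]
    return sum(deltas) / len(deltas)


if __name__ == "__main__":
    cap = make_capture()
    gaps = find_gaps(cap)
    print(f"normal delta {mean_delta(cap) * 1000:.0f} ms; {len(gaps)} stalls, "
          f"period {gap_period(gaps):.0f} s")
    for start, length, missing in gaps:
        kind = "delay" if missing == 0 else f"loss ({missing} pkts)"
        print(f"  t={start:7.1f}s gap={length:.2f}s -> {kind}")
```

A period that matches a fixed timer (here 300 s idle plus the reconnect) while the sequence numbers stay contiguous points at the client being dropped and re-associated rather than at the WAN losing packets.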



Cisco.com down?

It appears that the entire domain is down ... weird ... I get the following errors for all links:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, it-webmasters.cisco.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.



Junos BGP BFD - disable per peer

Looking at a QFX switch here which runs BFD for BGP at a global level, but I can't see any way of disabling it at an individual peer level (one provider is griping that we are sending BFD hellos when they don't run it).

Don't really want to have to re-do the whole BGP config to enable it at peer level. Any ideas how I can disable it for one peer? I guess I could filter the packets on the interface as a last resort before reconfiguration.



Outdoor camera networking in forest. WLAN or LAN or something else?

Hello everyone,

I am trying to connect multiple cameras to a server and transfer the video data / control them. This is all outdoor with an overall diameter of ca. 500m, elevation change 200m and a lot of trees.

Now the question is whether an outdoor WLAN makes sense with a couple of repeaters, or if cables make the most sense.

At the moment just trying to figure out a good starting point / strategy to begin with. So please be gentle!



What are the implications on firewall configuration because of ISAKMP using port 500 to establish the VPN tunnel?


Cisco AnyConnect VPN reconnecting

There is no shortage of posts on reddit, or Cisco forums, or any other forum for that matter, of people complaining about Cisco AnyConnect reconnecting constantly. In my initial phase of using it, it was perfectly fine. But somewhere along the years it has gotten progressively worse. At first I thought it was something specific about where I work, for instance the laptop build, as installing Windows 10 and nothing else on the same laptop would result in Cisco AnyConnect working like a charm.

However, I have since found out that several other people not even connecting to our VPN profile are experiencing the exact same problems. As such, I have been able to rule out the WiFi / 4G I am using, the hardware and drivers, the AnyConnect client version, and our ASA.

The question is, has anyone really solved this before? I had a TAC case where they investigated AnyConnect DART logs and ASA logs and they said that it was this. However, we do not block the DTLS ports, and our MTU size is the correct size. At this point, I am guessing it is something on the Internet, as there are too many differing factors in each instance I have seen the issue.

Further, what does everyone feel is the best Remote Access VPN solution?



Ubiquiti question

Help a Cisco guy out ;)

So I have a couple of Ubiquiti switches/routers that were previously configured through the web interface or the CLI.

I am considering starting to use UNMS on our VM. I wonder, if I add the previously mentioned Ubiquiti devices to the UNMS, will they forget their configuration in the process? Is there a risk of that happening?

Asking just to make sure.



Standard Torrent Ports?

I was setting up port forwarding for a game the other day, and noticed that my torrent client had already set up port forwarding to/from port 8999.

AFAIK this isn’t a standard torrenting port? I can’t see much info about it online. If anyone could share some info on it I’d be grateful, sorry for my ignorance and sorry if this is the wrong place to ask



Wednesday, October 9, 2019

Anyone who uses Lucidchart/Visio/draw.io etc.?

Anyone here who uses online diagramming tools (like Lucidchart, Visio, draw.io) and would be willing to chat with me (not more than 20 minutes)?

I am a budding UX researcher (current graduate student). Please DM and thank you in advance!



Intranet (operating on LAMP server RPI) inaccessible outside immediate local network

I am currently configuring an intranet for my farm; to allow me to input and track some data between my storage yard, cattle yard and house.

I am running into an issue which I'm sure has to do with my router; however, I lack the requisite knowledge to correct it, and I'm hoping someone can either assist me with troubleshooting the problem or assist with repairing the problem with some instructions.

Context, issue and ancillary is as below:

  1. My network consists of a router, a switch and another router connected to a wireless repeater to broadcast internet to my storage and cattle yard.
  2. There are approximately 11 devices (computers / laptops) located within the immediate network, which has the network location of 192.66.66.XXX, including my LAMP RPI, all of which are connected to the switch.
  3. All these computers are connected via ethernet, and all can access the intranet on my internal domain (intranet.local) and the IP address 192.66.66.XYZ.
  4. My storage yard and cattle yard are situated approximately 200m and 400m; respectively, away from my main residence and receive internet; albeit awful internet, from the wireless repeater, and they can access external websites without an issue.
  5. It appears that when using the wireless repeater, it assigns all devices on this network a new network IP, being 192.168.10.X, despite being connected to the same router.
  6. I assume that this acts in essence as its own "switch" and effectively means the two terminals located in these buildings are on a different local area network.
  7. I don't know how to get this to sit on the same network as my other devices.
  8. Nor do I know how to configure my router to expose the 192.168.10.X network to my other local network without exposing my port 80 to the rest of the world.
  9. If it's not obvious, I clearly did not set up this network and I spend most of my time trying to avoid screwing anything too serious up.

If someone has any knowledge on how I could potentially bridge these networks, or what I am required to do on my router that would be fantastic.



Specific vlans vs all vlans

Hi,

Can anyone tell me what is the advantage of allowing certain vlans vs allowing all? Why are we restricting vlans on trunk port? What is Cisco's recommendation?

Thanks in advance



AWS VPN - Multiple site-to-site VPN connections - Juniper SRX

Hi all, not sure if this should fall under the AWS subreddit instead, but seem like this sub would be a good place to get started.

I am trying to set up 4 site-to-site VPN connections using AWS's VPN solution, the specific scenario is listed under "Multiple Site-to-Site VPN Connections" in the s2s examples page, https://docs.aws.amazon.com/vpn/latest/s2svpn/Examples.html

I have 4 offices, each office has a Juniper SRX on site. the requirement is that the EC2 instance in the VPC needs to be able to communicate with servers on each office location.

Ip addresses:

AWS VPC Subnet: 10.0.1.0/16
Office "A" subnet: 172.21.25.0/24
Office "B" subnet: 172.21.26.0/24

I followed the AWS Administration documentation and got the IPSec Tunnels up on the SRX in office "A". This route propagates successfully to the subnet (adds 0.0.0.0/0 to the routing table linked to the subnet), and from the SRX I can ping the EC2 instance successfully.

My next step was to get Office "B" up and running. I followed the same step for office "B" and the tunnels come up successfully. As soon as the tunnel from Office "B" was up and running, I was no longer able to ping the EC2 instance from Office "A".
I guessed this was due to the route 0.0.0.0/0 being advertised by both my SRX devices, so I tried adding the correct subnet route on each of the SRX devices, as follows:

On the office A router:
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 172.21.25.0/24 exact

On the office B router:
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 172.21.26.0/24 exact

I also removed the 0.0.0.0/0 route-filter from both devices.

Once these commands were committed, the routes were advertised to AWS and they propagated to the routing table, but I am still not able to get any traffic to the VPC/EC2 instance.

How do I get traffic from my VPC/EC2 instance to both my connected offices via the AWS VPN?
This line in the AWS generated config bothers me:

# To advertise additional prefixes to Amazon VPC, add additional prefixes to the "default" term
# EXPORT-DEFAULT policy. Make sure the prefix is present in the routing table of the device with
# a valid next-hop.
What does the above refer to, exactly? This can't be a static route for the local subnet in each office.

At the moment I can only get one office to communicate with the VPC/EC2 instance at a time.

Config generated by AWS located here (sensitive details removed): https://pastebin.com/AP09QC19

Many thanks



Setting up a VPN Tunnel using Layer 2 GRE

The company I work for wants to connect to a VPN using Layer 2 GRE protocol, which is the only option provided. I'm new to networking so I don't have a clue where to start here, can anyone suggest how to implement this connection? Would it be configured on our company router?

Any help is greatly appreciated.



cisco 3850 to 6506 sm fiber connection problem

Hi everyone,

I am in my lab and I am trying to get a Cisco 3850 to connect to a 6506 via SM fiber. In the 3850 I have an SFP-10GBase-LR in Te1/1/4, and in the 6500 I have a 10GBase-LR XENPAK in Te3/1. I have about 1 meter of SM fiber patch (crossed over) between them. The levels on the 3850 are TX -4.0 and RX -0.9. I do not get a link light unless I only partially plug in the fiber... Then it gets a link-flap error and it goes err-disabled. They are not Cisco optics, but I ran the service unsupported-optics command.

I have done this a few times in the past without any issues. Can't seem to figure this out. I have tried new patch cables, I had an extra XENPAK and switched that out... tried different ports. The only thing I don't have a spare of is the SFP+ module on the 3850. It should be arriving tomorrow. I see that the one I have is one that supports 1G or 10G... The new one that is arriving is 10G only. I wonder if that is the issue?

Does anyone have any insight or something to try? Thanks!



NPS as RADIUS Server - Spinning Wheels ;/

Hi guys,

Setting up AAA auth for the Aruba 2930 management interface is causing some grief on the NPS side. I have added CHAP, MS-CHAP v1, MS-CHAP v2, and PAP authentication methods, but to no avail sadly. As you see below in the event viewer logs under 'Reason': "The user attempted to use an authentication method that is not enabled on the matching network policy." The authentication type shown in the logs is 'PAP'; however, it is already added in the network policy. Please guide. Is anyone familiar with the error and how we can fix it?

EVENT ID: 6273
Reason Code: 66
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

Do you think I need to change the processing order for this? Or should I disable the other network policies instead?

Thank you so much in advance.

Hamza



Cisco Network Assistant

We have a pretty large network. Maybe 75+ switches, mostly Cisco, but there are some legacy Dell switches. Do you know if there is anything I can do on the Dell switches to get Cisco Network Assistant to see them, so I don't have these gaps in the network topology?
I know Cisco runs CDP and of course that's a Cisco-only thing.
Or do you know of any other "free" tool like CNA that is manufacturer agnostic?

Cheers,
Chris



Router EIGRP in Cisco switches to allow two sets of VLANs to talk.

So, currently I'm trying to get a connection from switch to switch through EIGRP to enable two external devices to talk. I tried to set it up and I got one adjacency (192.168.1.x) but the VLANs I advertised on the same EIGRP weren't able to talk? EIGRP was never truly explained to me and the explanations I've found are way too high level for my use case. From what I grasp, you create a "separate network" (192), give a port on each side an IP on that network, and advertise the separate network and all your vlans on that EIGRP. What's going over my head/ am I doing wrong?



Strange AP Issue - PoE issued, link down.

The AP came online initially and registered in the WLC just like normal. I was able to rename it, update its software, etc. Then it just went offline. I have ten other APs in the exact same setup. I stripped the config on the switchport to be very basic. I have 130 APs operational on this WLC and it's licensed to 200. I'm guessing it's a software bug and a reboot of the switch will resolve it; just curious if anyone else has seen anything like this before. As the title states, the PoE is granted, but the connection is down/down.

Hardware:

Cisco Outdoor 1562E - Sw version: 8.5.140.0

WLC 5508 - Sw version: 8.5.140.0

3580 PoE switch - Sw version: 16.3.8

Switchport Config:

switchport access vlan X
switchport mode access
spanning-tree portfast

The switch itself has plenty of power available from a "show power inline":

Available  Used     Remaining
(Watts)    (Watts)  (Watts)
---------  -------  ---------
1712.0     76.2     1635.8

Gi1/0/1  auto  on  15.4  Ieee PD  4  60.0   (output for switchport of the AP)



Help with networking

Hi everyone, I have this project and would like to know if someone could help me build a network for 2 campus on packet tracer.

This campus has a lot of PCs, switches and routers, and I'm having trouble configuring it. If someone could just give me some more information about some commands that I should use.

If someone could help me i appreciate a lot!



F5 BIG IP - Help with Redirect from Port to URL

Hello. I've configured SSL Offloading on my F5. I have my VS set to use 443, while my Pool is set for 80. I have set a client SSL certificate. Within IIS, my site is bound to port 80. I've tried a bunch of different iRules but am at a roadblock. When I try to connect via my client, I'm getting an error stating the connection has been actively refused on X.X.X.X:80. I had a similar configuration with Citrix ADC and had to create a policy to redirect from port 80 to https://server.domain.com. Is this possible with F5? Any help is greatly appreciated. Thanks!



Nortel Training CD's

I was cleaning out my closet and found about 15 - 20 CD's, Nortel Helmsman )C-3/12/48, AccessNode, etc...I know it's old obsolete, but in case someone wants them....



SD-WAN

Does anyone know of a good site or conference with some true vendor-agnostic SD-WAN material? Looking around the web, I am only finding people trashing one vendor over others (cough cough CloudGenix).

I appreciate the info in advance!



Grounding of buried STP from ISP antenna?

My rural Internet connection is through a local Mom & Pop wireless ISP. Their antenna on the garage is connected to a POE device in the house via buried Cat5 STP. There is no external ground; should the internal side be grounded? If so, how exactly should that be done?



Aruba VSF Stacking Question

Hello all, I've acquired nine Aruba 2930F switches for my job. I've got two running as standalone switches and I'm forming additional stacks of four and three switches, via SFP+ ports and DAC cables.
I'm setting up the stack of four at the moment and having some trouble. I reviewed Aruba's VSF documentation and followed a couple of different guides. I've got a stack formed, but it's showing up as a chain topology, rather than a ring.

Aruba-VSF-2930F# show vsf

VSF Domain ID    : 1
MAC Address      : 08f1ea-xxxxxx
VSF Topology     : Chain
VSF Status       : Active
Uptime           : 0d 14h 54m
VSF MAD          : None
VSF Port Speed   : 10G
Software Version : WC.16.05.0007

Mbr ID  MAC Address    Model                                Pri  Status
------  -------------  -----------------------------------  ---  ---------------
1       08f1ea-xxxxxx  Aruba JL254A 2930F-48G-4SFP+ Switch  255  Commander
2       08f1ea-xxxxxx  Aruba JL254A 2930F-48G-4SFP+ Switch  254  Standby
3       3821c7-xxxxxx  Aruba JL254A 2930F-48G-4SFP+ Switch  128  Member
4       08f1ea-xxxxxx  Aruba JL254A 2930F-48G-4SFP+ Switch  128  Member

I'm not quite sure why this is, but when I show running config, I see a discrepancy that I think might be causing the issue?

Running configuration:

; hpStack_WC Configuration Editor; Created on release #WC.16.05.0007
; Ver #12:08.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:ba
hostname "Aruba-VSF-2930F"
vsf
   enable domain 1
   member 1
      type "JL254A" mac-address 08f1ea-xxxxxx
      priority 255
      link 1 1/49,1/52
      link 1 name "I-Link1_1"
      link 2 name "I-Link1_2"
      exit
   member 2
      type "JL254A" mac-address 08f1ea-xxxxxx
      priority 254
      link 1 2/49
      link 1 name "I-Link2_1"
      link 2 2/50
      link 2 name "I-Link2_2"
      exit
   member 3
      type "JL254A" mac-address 3821c7-xxxxxx
      priority 128
      link 1 3/50
      link 1 name "I-Link3_1"
      link 2 3/51
      link 2 name "I-Link3_2"
      exit
   member 4
      type "JL254A" mac-address 08f1ea-xxxxxx
      priority 128
      link 1 4/51
      link 1 name "I-Link4_1"
      link 2 4/52
      link 2 name "I-Link4_2"
      exit

I think it might have something to do with "link 1 1/49,1/52" on the commander (member 1). The stacking ports are both showing up under the same link, whereas for the others, they are separate. Not sure how to deal with this to reconfigure it to the same as the others... I don't even know if this would fix the issue... Any advice would be appreciated. Ultimately, I just want them in a ring topology.
Thank you.

Edit: Resolved



Need help with wifi issue (somewhat desperate)

Hello everyone!

I recently started a new role that is slowly becoming more Networking focused (not my specialty). I have full access to our local meraki instance.

Problem: people are constantly getting disconnected from the wifi even while the laptop is not moving. Currently we are only running out 5Ghz channel, when I look at the client event logs the event type is 802.11 disassociation details unknown reason. When can I start troubleshooting this???



Weird Networking Issue

Hello! :)

I have an odd networking issue that I can't understand and neither can my IT friends.. I am hosting a website off of my raspberry pi using apache and everything is up and working. My problem is that I just moved into a new house and after adjusting all the IP settings, I cannot access my website from inside my own network. Only from another network or somebody else's wifi. I've tried pinging my ip from inside my network and that doesn't work either... Any ideas?



UDLD Loop on Carrier Handoff?

Hey Everyone -

Have an odd issue, and wanted to see if the hivemind had any ideas.

Have a point-to-point circuit with a regional fiber carrier that connects from their Juniper CPE to our Cisco Nexus edge devices on both ends.

The problem we're having is that on one end of the circuit, every time there is a carrier outage, the Cisco edge device puts the port into a UDLD Loop state and effectively blocks the port. It stays in this state until the interface is flapped.

This is pretty inconvenient, as it prolongs outages. A brief 30 second outage on the carrier side might take an hour to fix, because someone has to log into the site/switch, and flap the interface.

Is there anything that can be done on the carrier CPE or our edge device to prevent this?

Also - any common causes for the udld Loop state on a circuit handoff interface?



Aruba 7010 centralized licensing

I inherited two Aruba 7010 controllers: one is master, the other is backup.
Firmware version is 6.5.4.3

As far as I can see, licensing is centralized:
Configuration/ Network / Controller / Centralized Licenses:

Enable Centralized licensing: Ticked
License redundancy: Ticked
VRRP ID: 1
Peer IP Address: Master controller has Backup controller IP Configured and vice versa.
License server IP: Empty.

This morning, for some reason, the master controller rebooted.
Because of that, the backup controller became master.
All (remote) access points went offline, because there were no licenses on the backup controller.
After rebooting the backup controller, all APs came back online.
So, apparently centralized licensing is not working.
What could be the cause of this? Did I miss something in the configuration?

Thanks in advance!



[X-Post] - Introducing Pingsphere.io

https://ift.tt/2OyGU58

SSID Extending

Is it possible to extend an SSID from a WLC to the Meraki portal for offering to Meraki devices? I have a Z3 that needs to connect to a wireless network that is hosted on a WLC.



Checkpoint VPN - phase 2 subnets

I mainly work with Cisco ISRs for VPN and I am used to creating an ACL to define the subnets I want to participate in phase 2 for IPsec VPNs. I can have multiple VPNs, all with different phase 2 source subnets.

On our Checkpoint firewalls (R77.30) I can't see how to configure the same behaviour. All I seem to be able to do is create a group to define a VPN domain at gateway level which applies to all VPN connections. This means all my subnets are getting included in phase 2 for all VPNs.

It doesn't prevent the VPNs from getting established but I am not comfortable with every VPN connection having all source subnets included in it.

Any idea how I can configure this in smartdashboard to be more like the Cisco config?



Network Analyzer / Monitoring

Hello,

Can anybody recommend a good free network monitoring tool?

Just for checking the current bandwidth that is passing on the network, and maybe other data also.

I just need to verify from a user standpoint. I don't have access to their internal devices.

Thank you in advance.



Preferences on NOS and Whitebox Hardware

I am trying to decide on a path for my network. I am looking at "whitebox" options and their built-in OSes (e.g. fiberswitch, edge-core, dell) or going pure bare-metal and looking at some of the NOS systems out there.

All I am really looking for is standard L3/L2 features, but also MLAG/"stacking". So far I like the idea of the whitebox switch with software over the built-in, but price is a strong factor as I will want two switches for the redundancy but can only afford one of the two at this time (the second one could be bought early next year if needed).

What are people's feelings on the names I have found:

Cumulus - Seems a touch expensive based on some of the offerings on FS's site.
IPfusion
Big Switch Networks
PICA8 - Cheaper than Cumulus?

Other than the BS FS has pulled with the marketing, what do people feel about the edge-core/FS built-in software?

I have looked at the usual hardware vendors (Dell, FS, Edge-core), and am wondering what experiences people have run into with those brands and the NOS based software.

One of the big things I am worried about in all of this is company reputation and support. I just realized as a cost saving feature I could possibly go with a Dell switch and save money on the software with openswitch. I do understand that this is a more on your own support model though.



Tuesday, October 8, 2019

Are there any power strips for ethernet?

Is there anything that I can use to convert one ethernet to multiple ethernet ports? And can they be found on the cheap



PSA: 802.1x issues with Microsoft Surface docking stations - fix

PSA - I’ve been having issues with a large enough percentage of Microsoft Surfaces using docking stations failing 802.1x monitor / open mode that I’ve not been able to proceed with enforcement mode.

The latest firmware has this zip file

Cisco_EAP_Supplicant_Installer_v1.zip

Via - https://docs.microsoft.com/en-us/surface/surface-dock-firmware-update



ACI GUI for ARP resolution for Bridge Domains?

I need to confirm for some vendor work in a few weeks that DHCP is currently working in our ACI environment. Is there any way in which I can verify that without physically going there and plugging my laptop in, i.e. from within the GUI? I would guess show ip arp, but I am not sure if that's viable in ACI.



Captive portal for guest network to capture user's name etc. on Cisco WLC?

Hey folks,

I have a Cisco WLC 2504 and am looking to set up a guest network. What are the best ways to go about creating a captive portal that will ask the user to provide their name (or any other information) and accept an Acceptable Use policy? Ideally this information would be able to be viewed on the back end to link up with their device MAC address, device type, what IP address was assigned via DHCP, etc.

Any ideas?

Thanks!



How to check if an IP does not have a reverse DNS record in the terminal/command prompt?

So let's say I have the IP address 175.45.176.69 and I know that its corresponding host name is "airkoryo.com.kp". Is there a way to definitively show in the terminal/command prompt that there is not a reverse DNS record for IP 175.45.176.69 (i.e. a record that would point 175.45.176.69 to airkoryo.kp)?
Thanks!
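One way to answer this from a script, added here as an example and not part of the original post: build the name a PTR query is actually sent to, ask the system resolver for the PTR, and then check whether the name it returns resolves back to the address (forward-confirmed reverse DNS), since a PTR on its own can say anything the owner of the reverse zone wants. The code is standard-library Python; the address is the one from the question and the lookups need network access (only the name construction runs offline).

```python
# Added example (not from the original post): does an IP have a PTR record,
# and is that record forward-confirmed? Standard library only.
import ipaddress
import socket

SAMPLE_IP = "175.45.176.69"  # address from the question above


def reverse_name(ip: str) -> str:
    """Return the owner name a PTR query for ip is sent to: reversed octets
    under in-addr.arpa for IPv4, reversed nibbles under ip6.arpa for IPv6.
    Raises ValueError for anything that is not an IP address."""
    return ipaddress.ip_address(ip).reverse_pointer


def ptr_lookup(ip: str):
    """Return the PTR target hostname, or None when the resolver has no
    reverse record. gethostbyaddr() raises socket.herror both for NXDOMAIN
    and for a name that exists without a PTR, so this cannot tell the two
    apart; dig -x can (see the note after the block)."""
    try:
        host, _aliases, _addrs = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return None
    return host


def forward_confirmed(ip: str):
    """Forward-confirmed reverse DNS (FCrDNS): the PTR name must resolve
    back to ip. Returns (confirmed, ptr_name). Use this, not the bare PTR,
    before trusting a hostname in logs or in an allow-list."""
    name = ptr_lookup(ip)
    if name is None:
        return False, None
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return False, name
    forward = {str(ipaddress.ip_address(info[4][0])) for info in infos}
    return str(ipaddress.ip_address(ip)) in forward, name


if __name__ == "__main__":
    print("PTR query name:", reverse_name(SAMPLE_IP))
    print("PTR target:", ptr_lookup(SAMPLE_IP))
    print("forward-confirmed:", forward_confirmed(SAMPLE_IP))
```

From a plain terminal the same evidence comes from `dig -x 175.45.176.69`: a status of NXDOMAIN means the reverse zone has no such name at all, while NOERROR with an empty answer section means the name exists but carries no PTR; either way there is no reverse record. `host 175.45.176.69` reports the same thing in one line.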



Is it possible to set an IP to a particular port on a switch? If so, is there a how to?


Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Interfacing with an Arris Router

Hello everybody. Networking noob here. Been taking a Cisco networking course for a few months now. I have an Arris router at home and I wanted to interface with it and try to configure it. Can I use the traditional methods of accessing a Cisco router (Tera Term, Telnet, etc.) to access my Arris router?



How do I filter in the age of HSTS?

I've been researching a bit on firewalls and content filtering, looking at PAN, Cisco Umbrella, Cato Networks, et cetera, but they all seem to have this gaping hole around HSTS. This is especially concerning as HSTS is likely to spread to smaller sites over time.

Has this been solved yet for enterprises? I can deploy a cert, but it looks like loads of browsers will ignore the certs I load, as they come pre-loaded with some of the majors (e.g. Google). I can appreciate that Google wants to protect the privacy interests of their users, but surely there's some workaround for enterprises that doesn't just involve whitelisting them... right?

TL;DR - Any advice on how to approach content filtering Google today is much appreciated! Have a great day, everyone!



Wireshark: How to find the host name of a machine and the application program that generated the network traffic captured in a trace

Hey everyone.
I have been messing around with Wireshark and am absolutely loving it right now. As I dig through the weeds of the traces and learn about what everything means, two things have puzzled me. I cannot for the life of me find:
1. The name of the program that generated the network traffic captured in the trace (uses port 63815 I know)
2. The hostname of the machine where the command was executed (I think Apple_44?)

Here is the captured trace on Cloudshark if you want to take a look https://www.cloudshark.org/captures/6439ffce351d
Can anyone find #1 and #2? Am I dumb and missing them in plain sight? There are a lot of options and tools in Wireshark and I am sure I could be missing a setting that yields me these two pieces of data.
Thanks!



Cisco Config Staging and Rollback

So I started my network career in the Cisco world but then was quickly shoved into the Juniper world. After being introduced to 'commit confirmed' and 'rollback' I thought I would never look back... Well you see... life changes.

Anyway, I am wondering if any of you have some guides or blog post around equivalent features in the Cisco world.

I know archive exists. I know reload in x exists. What else is there? And how do you use all of these in practice? What does your typical change look like?

Thanks fellow networkers!



Expressroute - Microsoft peering - multiple tenants

I'll prefix by saying this is probably a very specialised use case.....

Historically we have sold hosted Skype services - customers have a LAN connection into our network wherein they have their own VRF, we then host Skype services which for all intents and purposes are part of their LAN.

We are moving customers to Microsoft Teams, but wish to utilize Expressroute to route their Teams traffic over and through us rather than over the internet.

What I'm looking and hoping to do is utilise Expressroute with Microsoft peering to provide a connection from customer LAN to msft avoiding the internet.

I know this is totally possible, and is actually the whole point of Microsoft peering, but we want to share the expressroute between however many customers we sell the service to.

I'm not too clued up on the azure side of things, but when you specify a vlan for Microsoft peering, that should allow us to specify a different vlan per customer, and then associate that connection with their teams instance?!?

Anyone done similar in the past?



medium p2p on n3k and asr-1001-x

I have a physical Ethernet link between an ASR-1001-X and an N3K (3048-TP). When I enabled OSPF on the interface and brought the interface up, everything looked fine and dandy. Interfaces show up/up. I could see CDP. I got my neighborship going via OSPF. I was learning the routes as expected from both sides.

However, ping is failing between the N3K and the ASR-1001-X. I tried pinging from the N3K to the ASR (other side of the /31 interface) and the ping failed. Ping / all standard traffic was failing even though I learned of routes via OSPF. For some reason the N3K and the ASR were isolated, but could still form an OSPF neighborship. As I was troubleshooting this, I decided to take one command off at a time on the interface level to see if it would fix it. After removing the medium p2p on the ASR end, communication was restored.

Since the devices are being staged and not actually moving traffic, I decided to troubleshoot what the behavior is like. I put the medium p2p command back on the interface of the ASR. I do a packet capture on the ASR and from its perspective, it is receiving OSPF hellos (as well as sending out OSPF hellos) @ 224.0.0.5. Ping is being received from the N3K, and responded to. For some reason though, I am still timing out pings on the N3K (and vice versa if I try to send a ping on the ASR end). I then tried removing P2P on the N3K, and leaving it still on the ASR. Still fails. I take off medium p2p on the ASR and voilà, it works just fine. I have no idea what is happening on the wire but this medium p2p command on the ASR is just bad.

From OSPF's perspective, the links are seen as p2p with or without the medium p2p command present. OSPF communication works just fine. But everything else does not between each other when medium p2p is configured. It is my understanding this command is supposed to force OSPF to view it as a p2p link. Instead, it is breaking communication.

As a final note, the ASR is also directly connected via Ethernet to a same-model ASR. Both sides of the interface (ASR-1 and ASR-2) have the medium p2p command configured. And communication works fine between those two ASRs. But whenever it is enabled when interconnected with the N3K, it just straight up breaks.

interface config:

ASR Config:

interface GigabitEthernet0/0/1
 xx.xx.xx.xx/31
 no ip redirects
 no ip proxy-arp
 medium p2p
 ip ospf network point-to-point
 ip ospf xxxx area 0.0.0.0
 negotiation auto
 cdp enable

N3K Config:

interface Ethernet1/37
 xx.xx.xx.xx/31
 no switchport
 medium p2p
 no ip redirects
 ip ospf network point-to-point
 no ip ospf passive-interface
 ip router ospf xxxx area 0.0.0.0



Umm... okay (?) ... Anybody knows how this can work?

"...while communication by servers on the ground might take hundreds of milliseconds, in the cloud the same operation may take only one millisecond from one machine to another. “It’s orders of magnitude faster, and in the cloud we can easily afford more bandwidth resources, too. The photons have less distance to travel in the cloud than on the ground. All these factors make outsourcing the decision-making to the cloud more advantageous.”"

https://www.umass.edu/newsoffice/article/using-cloud-resources-dramatically-improve



Does AT&T ADI speed increase require rip-and-replace?

I'm going to get my new building hooked up with AT&T Fiber because it's already out in the street. I wanted to start with something small at 100Mbps but upgrade as needs grow. AT&T said it's a rip-and-replace of their equipment for any upgrades, which would equal downtime. I can understand for large upgrades, but even from 100Mbps to 200Mbps they would require a technician visit and replace existing hardware. Have you experienced this? If so, what is the downtime required?



Private vs Public DNS

Why do almost all companies use private DNS instead of the public ones? Is it necessary? Why can't they just use the public ones? Could someone please explain it to me? Thanks in advance.



Support for USB-to-Serial adapters in MacOS Catalina?

Networkers, I've used a Keyspan/Trip-Lite USA-19HS USB-to-Serial adapter to access device consoles from my Mac for many many years. Often, but not always, MacOS upgrades require a new driver from Trip-Lite but I noticed they haven't published one for 10.15 yet. I'm wondering, has anyone with one of these dongles upgraded to Catalina yet and if so does the current driver work (even if it might need to be installed again)?



Set DNS priority while using DHCP

I live in a dorm at my school and whenever I change from DHCP my connection is immediately dropped. Is it possible to have a device continue using DHCP with the ISPs default DNS connections but reroute them after?



Recommendations for K12 wired access refresh?

We support several k12 networks. Looking to refresh ~400 access switches in the next 2-3 years.

We have narrowed vendors to Cisco and HPE/Aruba.

Core requirements are:

  • 1Gb access
  • PoE+ w/ ~700w power budget
  • At least 2 SFP+ uplinks

Thanks to changes in E-Rate funding models, cost is now more a factor than previous refreshes.

Looks like the Aruba 2930F (JL256A) and Catalyst 9200 (C9200L-48P-4X-EDU) fit the requirements.

I like Cisco because we run 95% Cisco already -- our training is current and things work well. But, they came up about 30% more expensive. I like HPE/Aruba because they will natively integrate with our WLAN/NAC, and I like AirWave's provisioning features. Also cheaper. But they would come with a modest learning curve.

Interested in feedback from those who have or plan to refresh their access layer, especially in K12, or when budget has been a constraining factor. Thoughts?



Maximum Frame Size when using vlans

I noticed that my Netgear fiber backbone switches have a maximum frame size of 1518 on all ports, but we use about 20 different VLANs across the campus. Should I be increasing the Maximum Frame Size to 1522 or 1526 on all my switches, to accommodate the VLAN tagging?



Cisco UDLD reset command

Hey,

From a practical standpoint, if the device on one end puts ports into err-disabled state, the udld reset command will bring up all of the interfaces that are currently down due to UDLD, but is it required to commit this on both sides of the links, or is one side enough? Anyone?

2nd question, if there isn't a requirement for both sides - how does the other end know when to recover its links? Does UDLD send some specific frames for that?

Appreciate any help and thoughts, thanks



Looking for opinions on small business network rework.

Hi, I'm new here and in the networking world in general (I finished a CCNA course, but didn't take the exam).

I'm currently working on expanding a small business network.

The network consists of 6 clients, 1 printer, a Synology DS918+, 1 computer running IPFire that serves as a router, DNS, DHCP server and firewall, a 24-port DGS-1100, and an ISP-provided fiber modem, all connected with twisted-pair RJ-45 cables. I'm swapping the IPFire PC for a MikroTik CRS109, adding a second switch (8 port), a printer and 6 clients.

https://imgur.com/a/JtWUH4t - still work in progress, but shows the general idea. I want to make downtime as short as possible by minimizing changes to the existing setup (blue).

As you can see, I want to create a separate LAN for new users. They need access to the Synology, so, since it has two RJ-45 ports, I'd like to connect one of them to 192.168.1.0/24 and the other to 192.168.2.0/24. Is this a good idea, or should I create something similar to a DMZ between the two networks and place the server there?

Another idea I have considered was to split the ports of the 24-port switch into two VLANs, make the MikroTik a router-on-a-stick, connect printers and users to the corresponding VLANs and the server either to both VLANs or to the MikroTik in a DMZ-like network, but I think it'd require a lot more time to set up.

I'm open to suggestions and constructive criticism.



Anyconnect DOT1x network change after laptop has been locked for a while

Has anyone come across this issue?

We have deployed EAP-FAST using Anyconnect NAM as a supplicant. On the supplicant there is a dot1x network configured and a normal wired network configured for when the users take the laptop out of the office.

When the laptops are put into locked mode for about an hour then logged back into, Anyconnect will change the network from DOT1x to Wired and the users lose network access as the switch requires authentication.

The laptops are not sleeping and the users are authenticated and the laptops working before being locked.

Once the laptops are unlocked Anyconnect NAM doesn't even try the DOT1X configuration, it just attempts Wired and will then sit there showing "Limited or no connectivity"



Monday, October 7, 2019

Can't get the 10 Gig ports on the Cisco 4506 Sup 7E Card

I am trying to connect a couple 4506 Switches with Sup 7E Cards by their 10 Gig ports with SFP+ modules

So far I have connected them and just done switchport mode trunk and a no shut on the two interfaces, but the interfaces do not come up.

Am I missing some command in order to enable 10Gigabit on them?

Cheers,

Chris



IPv4 Question

I was testing connectivity on a machine after moving it to a new ESXi host, and in one of the tests I was pinging 192.168.0.30.

But I mistyped it as 192.168.0.030 and what it did surprised me a little, I figured it would have still sent the ping to 192.168.0.30, but instead it attempted to ping 192.168.0.24.

Is there something I don't understand here? Or an issue I need to look into?

EDIT: When I ping 192.168.0.30 it pings that address just fine.
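The behaviour in the post is the classic BSD inet_aton() parser that ping and most socket code inherit: each dotted component is read as a C integer literal, so a leading 0 makes it octal and 030 is 24. The following is an added example, not from the original post, that reimplements that loose parsing next to a strict validator, so the gap between "what a filter accepted" and "where the packet actually went" is visible; the inputs are constructed.

```python
# Added example (not from the original post): how 192.168.0.030 becomes
# 192.168.0.24, and how to validate addresses so the two never differ.
import ipaddress


def _c_int(tok: str) -> int:
    """Parse one dotted component the way inet_aton() does:
    0x.. is hex, a leading 0 is octal, anything else is decimal."""
    if not tok.isalnum():  # rejects '', signs, whitespace, underscores
        raise ValueError(f"bad component {tok!r}")
    if tok[:2].lower() == "0x":
        return int(tok[2:], 16)
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)  # '030' -> 24; '08' raises, as inet_aton rejects it
    return int(tok, 10)


def inet_aton_style(text: str) -> str:
    """Return the canonical dotted quad that inet_aton() would produce.

    Besides octal/hex components, inet_aton() accepts fewer than four parts
    and folds the last part into the remaining bytes ('10.1' is 10.0.0.1).
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad address {text!r}")
    nums = [_c_int(p) for p in parts]
    head, last = nums[:-1], nums[-1]
    if any(n > 255 for n in head):
        raise ValueError(f"octet out of range in {text!r}")
    if last >= 1 << (32 - 8 * len(head)):
        raise ValueError(f"trailing part out of range in {text!r}")
    value = last
    for i, n in enumerate(head):
        value |= n << (24 - 8 * i)
    return str(ipaddress.IPv4Address(value))


def strict_ipv4(text: str):
    """Return text if it is a canonical decimal dotted quad (exactly four
    parts, each 0-255, no leading zeros); otherwise None. This is the shape
    of check to put in front of allow-lists, log filters and config input."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    for p in parts:
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 255:
            return None
    return text


def audit(text: str) -> dict:
    """For one input, report what a strict validator accepts versus where a
    loose parser would actually send the traffic."""
    try:
        loose = inet_aton_style(text)
    except ValueError:
        loose = None
    strict = strict_ipv4(text)
    return {"input": text, "strict": strict, "loose": loose,
            "mismatch": strict is None and loose is not None}


if __name__ == "__main__":
    for sample in ("192.168.0.30", "192.168.0.030", "0xC0.0xA8.0.0x18", "10.1"):
        print(audit(sample))
```

The reason this matters beyond a mistyped ping: any check that treats 192.168.0.030 as 192.168.0.30 (older releases of Python's ipaddress module did exactly that, reading leading-zero octets as decimal) disagrees with the socket layer that later connects to 192.168.0.24. Rejecting anything that is not canonical, as strict_ipv4() does, removes the disagreement entirely.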



How long did it take you to feel comfortable doing configs?

Hi guys,

I’ve been doing basic networking for about a year now, and I still don’t feel like I’ve fully grasped a lot of the in-depth things. I’ve been trying to tackle my CCNA since I began this path, and there’s just so much detail. I understand the concepts and principles, but after speaking with a few engineers, I just don’t understand how people reach such a high level of comprehension. For example, I understand how to configure OSPF, but when it comes to understanding the different types of LSAs and what they do, I just can’t seem to understand it.

So, how long did it take you to reach your level of understanding?

Thanks everyone



Meraki Rant

Advanced warning, this is going to be long. First, some background, I bought a full Meraki stack for personal use back in April 2019. I got great pricing on it and I purchased an MX67, three MR42s APs, and four MS120 switches. At first, everything was great; I enjoyed configuring and tinkering with the various options / features. Sadly, this wore off shortly after I started encountering various bugs. MX bugs, MR bugs, Dashboard bugs, there seems to be no end of what doesn't work correctly. As a side note, I'm an active CCIE (for the last 13 years) and learn best when I have the gear on hand to work with. I'm not some goofball who bought some gear he knows nothing about.

On the MX side, my MX67 is afflicted by the following two really great ones in MX14.40 code:

Due to issues still under investigation, MX67(C,W) and MX68(W,CW) appliances may become inoperable after a device reboot occurs. For a brief period of time upon boot, MX67(C,W) and MX68(W,CW) platforms can become bridged. This increases the likelihood of network loops forming in topologies with multiple inter-connected network devices for this brief period of time.

Super. So, if my MX67 happens to reboot, it might just be a brick after. Maybe. Who knows? This defect has been in every 14.x release since I bought this MX67 back in April 2019. A device-bricking defect is still around after 8 months? How is that possible? To go along with that, the MX67 bridges the WAN and LAN ports during bootup. That's super handy because it can bridge my cable modem to my internal LAN. At best this means that some internal devices get funky IP addresses; at worst it leaves open a nice security hole, especially if the device bricks itself while rebooting. Thankfully, MX 15.19 has a fix for the device-bricking issue, but it comes with this known issue:

Due to issues still under investigation, there are significant performance regressions. 

Awesome. So, I can fix my device from turning into a brick at the cost of some unspecified "significant performance regressions." I opened a case to get clarity about what those regressions were but wasn't given any specifics. Instead I was told that they don't list bugs publicly and can't share with me what regressions might apply. I don't care which ones might apply, just tell me what they all are and I'll make the determination myself. Instead of being able to provide me guidance to make an informed decision about whether or not I wanted to risk bricking my device, or, if I wanted to deal with several performance impacts I'm instead left to just figure it out on my own. Then there's this bug, which is still open in all available versions of MX software:

After making some configuration changes on MX67(C,W) and MX68(W,CW) appliances, a period of packet loss may occur for 10 or more seconds. 

Why are there no specifics about what changes will cause a 10, or more, second period of packet loss? Surely they know what those items are, so why aren't they listed? I haven't opened a case on this one, but I assume I wouldn't be given any more information.

On the MR side I've run into equally frustrating bugs. First up, group policies. Meraki pushes these as a fancy way to do all kinds of interesting things. For example, one SSID can push different clients to different VLAN assignments based on what group policy they are assigned. At first, this sounded awesome: I could push my IoT devices into one VLAN and keep all my primary devices in another VLAN, all while keeping the same SSID and WPA2 PSK. Sadly, there was a huge bug in this where the access points wouldn't apply group policies correctly after reboot. This meant that after an MR or MS software upgrade, or power outage, the MRs would allow clients to connect, but some would get the wrong VLAN assignments because the group policy wasn't being applied. Then, the group policy WOULD get applied, but only after the devices in question already got a DHCP address. This meant the devices were in the correct VLAN, but had an IP address from the wrong VLAN, so nothing worked. This was recently fixed in MR26.5, 8 months after I reported the defect. Great, I'll just upgrade! The problem is MR26.5 causes frequent, random disconnects with my Nest cameras. They will just drop off the WiFi randomly for 10-20 minutes at a time, and then come back. This appears to be DHCP related as my DHCP server logs show DHCP DISCOVER / DHCP OFFER loops for the entire time the camera is offline. Sadly, this is (another) known issue in MR26.x where DHCP on bridged SSIDs sometimes just doesn't work. Seriously? DHCP on bridged SSIDs is broken? How basic is that function? It's been broken for MONTHS. Ok, no problem, I'll just skip group policies and then I can skip MR26.x and just run MR25.13. Not quite. MR25.x has a VoIP RTP packet loss defect that makes all VoIP calls via wireless completely unusable. It's not just VoIP handsets that are affected either. FaceTime on iOS/macOS also gets hosed because of this. In a household filled with iOS and macOS devices this is unworkable.

On the MS side, I haven't run into too many issues, thankfully. These are just simple L2-only switches, how bad could it be? Sadly, I recently had an issue where the aggregation switch decided it lost connection to the Meraki cloud and therefore stopped forwarding any traffic. This took out connectivity for all devices behind it, which meant I couldn't connect to anything to troubleshoot the problem. I'd be ok with this if my connection had actually gone out, but the MX67 did not report its own connectivity problem during the exact same timeframe. Just this one MS120 switch decided to take everything down. I had to power cycle it to fix the problem. I opened a case to determine why and was told they didn't know why it dropped. Yesterday I changed STP priorities, a simple task, and it caused a 5 minute outage. STP doesn't take 5 minutes to propagate and there are no redundant paths/loops in my network, just single point-to-point links. Why should that take 5 minutes?

I knew what I was getting into from a feature / functionality perspective before I bought the equipment. However, there's still a number of things I find particularly annoying. In no specific order:

---Troubleshooting information is NONEXISTENT. You absolutely cannot syslog anything beyond simple firewall permit/deny messages. And, you can't count on support having any additional info, so some things are just impossible to troubleshoot.

---With regards to MX firewall permit/deny messages, the ONLY way to get them is via syslog. You can create the firewall rules in Dashboard, but there is zero facility to see what traffic, if any, is actually hitting those rules.

---Group policy firewall rules aren't actually firewall rules. They're ACLs. They aren't stateful. If you actually use group policy, which you shouldn't because of the above issue, have fun creating return ACL entries for all possible return traffic flows. There's even fewer options here, destination IP, port, and protocol. No source IP, no source port, nothing. This limited selection of fields makes dealing with return traffic practically impossible.

---Packet capturing via the Dashboard is a handy feature, except it's broken. Want to capture for 3 minutes? Sorry, it'll stop after 10-15 seconds and show you no data. According to support this is a known issue and I've had a case open since late June with no fix.

---Stats via the Dashboard are handy, but the byte counts aren't accurate. Values shown at different places on the screen don't add up to the totals shown at the top. According to support this is another known issue.

---Absolutely no IPv6 support to speak of. In 2019.

---Want to configure specific traffic shaping rules so you can put particular traffic in a higher priority queue? Sorry, you can only specify destination IP addresses here, no source IP/port/DSCP combinations. Or, you can use the nebulous "Layer 7" rules they have predefined, but there are no specifics about what those rules are actually matching.

I could go on more, but honestly I'm tired of thinking about it. I spent a decent chunk of change on this gear and it has been a very frustrating experience. I've had way more bugs with it than the Ubiquiti gear I had before. I'm throwing in the towel. I'm gutting this Meraki gear and I've repurchased a new Ubiquiti stack and I'll use that going forward. This was truly a disappointing experience.