Saturday, October 19, 2019

Firewall Migration Tips

Hello all, I have a project coming up migrating from a Palo Alto firewall to a FortiGate firewall. It's only 3 S2S tunnels, about 30-plus policy rules, about 13 NAT rules and all static routes. I am more familiar with FortiGate than I am with Palo Alto. The config seems small enough that information gathering and config building can be done from scratch using spreadsheets to keep track of information, but for future reference, what are some methods other engineers are using in this situation when migrating from one firewall vendor to another?



RFS6000 as a router

Hello, I work for a family-owned business and we have an RFS6000 that is connected to a home router to get access to the internet (and I guess as a NAT). I think the router is dying since it randomly loses connection to the WWW and sometimes we can't even connect to it. Does anyone know if the RFS6000 is capable of working as the router too? I looked over the settings, but since I'm no networking pro, I was not able to get too far. I have also searched the web for tutorials but no luck. I appreciate any help, thanks.



[Cisco ACI] PBR in a contract with vzAny as Provider and Consumer

Hi r/networking,

Has anyone successfully configured PBR in a contract with vzAny acting as both Provider and Consumer (any to any)?

Apparently, the release notes of 3.2(1), the White Paper and Cisco Live BRKSEC-2048 all briefly mention that we can, without further explanation. However, any time I tried to do so, the APIC raised an error (not a fault; something about rsanyToProv already existing).

I'm running version 3.2(4e) with mixed Gen1 and Gen2 (both Gen1 are dedicated to the PBR node); the configuration can be abstracted as below:

  1. Contract PERMIT-ANY > Subject PERMIT-ANY > Filter common/default. Permitted bi-directional, with reverse filter ports enabled.
  2. Apply this contract to vzAny, as both Provided and Consumed Contract.
  3. Apply the existing SG template: Consumer <= PBR node <= Provider. The PBR node (HA firewall) is deployed one-armed.
  4. Configure with the BD of the PBR node (called FW-EXT-CONN), redirect policy and cluster interface.
  5. The above error is raised.

Also, if I tried to configure it as a unidirectional contract, then the contract subject did not even appear while applying the SGT.

I was also trying to configure a vzAny to L3Out EPG contract (with PBR), which raised the same issue (rsanyToProv already exists).

Specific EPG-to-EPG contracts with PBR work fine as they're what we've been using so far.

Not sure if it's a bug or a misconfig on my side, so I'm in need of some help from you.

Thanks in advance.



My boss wants me to put ntop-ng on the internet

I have an SMB client with a plain-Jane Ubiquiti EdgeRouter 4 and Aruba Instant On access points. DPI in the ER, as well as the DPI on the access points, is too limited and my client wants better application visibility.

No problem; ntop-ng community edition works great for that. My proposition to my boss was to mirror a trunk port and create an ntop-ng + OpenVPN appliance using a dual-NIC mini PC. I have the appliance deployed, and now my boss says that our client will never be able to figure out how to connect to the (split-tunnel) VPN. He wants me to run ntop-ng on some random port and put it on the internet.

I know this is probably a bad idea but how bad?



Wireless for Small Arena

So here's the scoop. I've recently gotten involved in a volunteer capacity with a local Junior hockey team. For what it's worth, the team just changed management, so everything I'm about to describe here is what was done by the previous folks.

I've got a small to medium sized arena (~2250 seats), with one hell of a mess of networking at the moment. I'm trying to bring this somewhat in line, but on a modest budget. Up to now I've been looking at the 2nd hand enterprise hardware online.

  • On the wired side, there's currently 4 separate networks, 3 of which share the same internet connection (2 networks are double-NAT though a third, and the fourth is separate). Did I mention these are all just /24 networks (with 7 day DHCP leases...)?
    • Building Operations
    • Team Operations
    • 50/50 lottery system
    • Guests (protected / semi-private)
  • On the wireless side, I've got a dozen or more consumer-grade routers (e.g. TP-Link & D-Link) hanging out all over the damn place. Some are configured with the same SSID/PSK, others are just named randomly and have the password written down somewhere.

They were "ok" with this crap setup until they got a new ticketing system, which has wireless iOS-based ticket scanners at all the entrances, which aren't able to get a strong or reliable signal from the lower-level entrances. They asked if I could put some more (consumer-grade) access points down there to help the problem, and I said no. If you want me to do something, I'm going to rip out every last piece of junk that's in here and I'm going to replace it with something that's intended to do the job. I don't need to have crazy high speeds (WAN is only 200/200), but I'm trying for something that's at least reliable, easier to manage, and doesn't look like Red Green built it with duct tape.

So far I've gotten:

  • 15x Cisco 1142 A/B/G/N
  • Cisco 5508 Wireless Controller w/ 35 AP license

What I need to get:

  • POE Switch(s)
  • Router

By the end of it, I'd like to have a unified network running on VLAN's that looks something like this:

  • vlan1, SSID Team-CORP, WPA Enterprise, full internet access. For team management & employees, mobile ticket checkers.
  • vlan2, no wireless, full internet access with ability to dedicate WAN bandwidth. For live video production, outbound video stream.
  • vlan3, SSID Team-PLAYERS, WPA Enterprise, full internet access. For players, segregated from office/mgmt network.
  • vlan4, SSID Team-5050, WPA2-PSK, no internet access. For handheld 50/50 sales devices to communicate back to the in-house server. Could possibly use WPA Enterprise, but don't see the need.
  • vlan5, SSID Team-GUEST, some undecided wireless security, internet access bandwidth limited by client & by total usage, i.e. each client can't use more than 2 Mbps, and all guests combined can't use more than 100 Mbps. This is semi-private in that it's not open for use by all the fans.

No access between each, but all sharing a single internet connection.

So I guess I have two real questions here:

  1. What should I get for a router/fw? I've quickly looked at the ubnt EdgeRouters, and I think some of the upper tier ones might be well suited. What about some used Fortigate gear?
  2. Without spinning up a separate RADIUS server, is there a way to do dynamic VLAN assignment using only the "local net users" on the Cisco WLC? If possible, I'd like to trim down to 2 SSID's: "TeamName" & "Guest" and have the system decide which vlan to dump the client on. If I can't do this all in the WLC, what would you recommend as free or low-ish cost RADIUS server to do this?


I created an app with built-in Netmiko scripts for mass config backups

You can check out the website here and the GitHub page here.

You might remember my previous post about Igloo, an open-source application that I created in Python with useful sys/netadmin features.

Since then, I've added some useful capabilities like rapid pings across a list of devices, SSH output collection (you can write it to files or just print to the console), and an improved port scanner.

You can also configure granular TCP/IP settings for Windows client and server boxes, if you wear that hat too.

Let me know what you think, and if there are any features you would like to see.



Parasitic Reverse Tracerouting Case Study

Interested in evaluating your corporate network defenses against a parasitic reverse tracerouting attack?

We are currently running a case study for our research project at the University of Amsterdam OS3 institute.

Paper and source code release are scheduled in two weeks.

https://revcon.os3.nl

The project will be documented here: https://www.researchgate.net/project/REVCON-Reverse-Network-Reconnaissance



Shaping on ScreenOS

I have traffic shaping set up on a rule to a citrix farm, and my monitoring seems to indicate it's not working. Since it's a 10Mb line, I have the egress on the WAN side set to 9950Kbps so it hits my shaper instead of the AT&T policer. That part appears to be working.

The part that doesn't work is prioritizing the traffic to the host I'm trying to monitor. I noticed that latency was mirroring usage, so I uploaded a large file to test. When I did that the latency to the citrix farm went wild, which is what I'm trying to avoid. I can tell the ICMP traffic is hitting the rule because I can see it in the rule log.

Here are screen shots of the settings and graphs. The shaper is enabled in "get envvars" or whatever that command is. Firewall is an SSG140 running 6.3.

I'm hoping there is something silly I'm forgetting here. It's under support so I can call it into JTAC on Monday if I have to.



Router Suggestion for new 1G/1G Connection with 10G Switch?

Just had my CL 1G/1G SLA connection installed. It was supplied with a /29.

CPE Overview

Ciena 3916 (CL's switch)

AdTran NetVanta 5660

My Equipment

Netgear Prosafe S3300-52x

From what I've been told, the AdTran is set up for static routes of my IPs but not for LAN DHCP. So it looks like I need a router similar to how my Comcast handoff at our main office is. There I have the Ubiquiti ER-8-XG 10G SFP+ EdgeRouter Infinity and a separate Netgate XG-7100 1U pfSense® Security Gateway Appliance.

Currently

Set up an Eero to do routing to hold me over for a few days while ordering equipment, but obviously losing some throughput to the switch.

Plans

Get a router with DHCP, connect to my 10G switch. Get a separate pfSense firewall. Rack-mount preferred.

Question

Which router should I get? Ideally looking forward 1-3 years; I might need 2G/2G, so I would like it to handle that.

Cheers and thanks for any suggestions.



What Universities and schools want from Esports?

I work for a REN (ISP for research and education) and we are starting to offer an Esports ISP package. I am in charge of engineering and design and would love to get some feedback or ideas from other engineers and network teams from schools.



Juniper EX-series and Cisco 6500 STP interoperability

I'm having an interesting problem with what I think is spanning tree, and I'm wondering if anyone has any advice. I'm not a full-time network engineer, and I've inherited this so none of this is my design...

The scenario: we have two sites. One site has a pair of EX9204s handling the L3 routing, and a VC of EX4300s for access. The other site has a single Cisco 6509 handling both L2 and L3 in the same chassis. The Cisco is hopefully going in the garbage soon - which might make this problem moot anyway - but for now I'm stuck with it. We're using VSTP on the Juniper side, and PVST+ (spanning-tree mode pvst) on the Cisco side.

The sites are connected to each other over a VPLS connection. There are two ports on the EX4300 VC connected to two separate ETX devices at one site, and two ports on the 6509 connected to two ETX devices at the other site. We use a single VLAN to do L3 across the VPLS to provide site-to-site connectivity. Complicating things further, we also have connections to our 3rd party cloud provider into the VPLS - however, the routing for these is handled by separate routers, but also connected to the same switches.

The problem is this - when I plug in the second connection in the first site (with the EX4300 VC), after a few seconds everything goes nuts. The counters on both the interfaces on the EX4300 VC connected to the ETXs rapidly start to climb. The DDoS protection on the EX9204s start to kick in, complaining of a spike in VRRP and OSPF packets. The Cisco 6509 in the other site complains that it's suddenly getting a firehose of OSPF packets. These things suggest to me that there's a loop somewhere. Unplugging one of the connections to the EX4300 VC makes the problem instantly go away.

After doing a bit more reading, I have a feeling I also need to configure RSTP and add the same native VLAN on the EX4300 VC side as is being used on the Cisco side, but I'm honestly out of my depth at this point. Any suggestions would be gratefully received :-)



Network scanning

Hi. What tool and technique should I use to scan a network that we are going to adopt, to make sure the network is safe before we merge it into our company's network? Scanning workstations, servers, switches etc. to make sure they are all good.



[TCP] Question about delayed acknowledgement and its impact on the size of payload

Hi, so I have an exam in networking coming up but I have huge problems understanding delayed acknowledgements in TCP.

So let's say I want to transfer 15000 bytes (in 10 1500-byte segments) between two processes on two hosts (A and B). I'll denote these processes as Pa and Pb.

Delayed acknowledgements (two full sized segments) are used with a maximum delay of 100ms. If a delayed ACK is to be sent at a time instant when a new segment arrives, the delayed ACK is sent first. TCP on the receiving host has a receiver window size limit of 6000 bytes. The initial congestion window size is 4500 bytes.

The question is: How much time does it take to transmit the data from A to B NOT including the connection establishment and tear down, until the last ACK is received by A? You can ignore the transmission times of the segments, but you should consider the impact of congestion and flow control.

The graph in the answer sheet is the following: https://imgur.com/Dmt2OPq

The red acknowledgements denote delayed acknowledgements.

Okay, so to my question: why does delayed acknowledgement mean we cannot utilize the RWND to its fullest? As you can see, only 3 segments are sent at most, even though both CWND and RWND allow for 4. How do I foresee what the maximum number of segments is that I can transfer at once?

Edit: I figured it out myself! The unacknowledged segment counts as one segment currently being sent and therefore I cannot send more until I've received an acknowledgement for that segment. Sorry for the dumb question.



Layer 2 over Layer 3 to get rid of STP?

Hi,

An application I'm using can't wait for RSTP to converge. We're experiencing convergence times of up to 20 seconds total. I've been thinking about alternative solutions that can converge the network more quickly.

At the center of this are 5 rooms with the same network gear, spread out geographically, where 4 of the 5 rooms are identical and each can on its own run the workload. The 5th room exists as a tie-breaker for clustering. We are seeing a requirement in the near future for the workload to have n+2 redundancy, thus the complex nature behind it. I've played with Cisco ACI and to some extent with VMware NSX as well in the past. For the workload today and in the near future, those are stupendously expensive for such a small environment, besides its criticality.

The network gear I'm looking to purchase to solve this is stacked Cisco 3850s that allow me (from what I can figure out) to run EoMPLS over either an iBGP, EIGRP or OSPFv3 L3 network with BFD configured on the interfaces that connect it together. I expect this to be a network that can converge down into the 1-2 second range, if not faster. Each room is connected to the other rooms with fiber. For switches that are downlink of the stacked switches, can I utilize the same configuration in case they have redundant paths to more than one room as well?

Are there any alternatives to EoMPLS to get Layer2 across Layer 3?

Lastly, am I making an even bigger headache with configuring a Layer3 transport for Layer2?



Converting from EIGRP to OSPF: Gotchas I may have to look out for?

Hello,

Our network was previously pure EIGRP but with the introduction of devices that do not speak EIGRP, we have had to introduce OSPF into the mix. This has introduced some instability and I am thinking it may be better to just completely eliminate EIGRP from the network.

So, with its lower AD, I am thinking I can simply establish OSPF enterprise-wide, essentially in the background, and then remove EIGRP without introducing any isolation/outages once OSPF is fully converged?

Make sense? Anything I should be on the lookout for?

Thanks!



Combatting dust in IDF cabinets

Hello r/networking,

I work in IT at a pretty large international manufacturing business. I have been asked to redo all of the IDF cabinets in the plant as, at the moment, they are a mess. This will be done during a window way out in December. Ever since I started here about nine months ago, I've noticed a pretty suspicious amount of our networking gear failing. This is due to dust stirred up from the manufacturing process. Most of our equipment has an expected lifespan of little more than a year in these environments, and as it is a 24/7 plant, regular cleaning is nearly impossible. At the moment, all of these cabinets just have the fan that came with the enclosure installed in the default location.

Does anyone have any kind of experience in preventing this? At the moment, my plan is to install some sort of dust filtration and better ventilation into the cabinets. However, I can't really find a lot of documentation on this. Any advice would be appreciated. Thank you.



Is it possible to transfer video feed from an IP Camera and an NVR to one's own AWS Server automatically?

I'm part of a Data Science team that is going to be working on a tracking and surveillance system using multiple cameras deployed across a site. The problem is that while all of us are experts at image and video data, none of us knows jack about cameras and NVRs. We need to make an order for about 100 IP cameras soon, and while we've identified a few, I'd like to know if modern IP camera systems provide the ability to reroute and save data to one's own cloud? Something like FTP and simply entering the target IP would be great.



Need Advice Setting Up Wifi Network for 40 Active Users

Hi guys, I've been having a hard time getting 40 active users on a WiFi network to work well. So the goal is to get all of these users to connect to a single local server and run a web-based e-learning application smoothly.

My current setup is like this: https://photos.app.goo.gl/THWYKV3PjtFiSWrq5

All of the WiFi routers are consumer-grade WiFi routers, the ones typically used at home or in a small office (like one of those $20-30 routers). ROUTER 1 is connected to the server through a LAN cable. ROUTER 2 & 3 are connected to ROUTER 1 through LAN cables as well. Users are split evenly among the routers via WiFi, which is password-protected, and each router has a different SSID.

The current problem is that once I hit > 30 users, the whole thing often hangs or the connections to the server time out or are delayed. The server doesn't seem to be the problem because CPU usage is still low when it happens (<10%), and network-wise I think the server is also fine because each client is just using something like 100 KBps and they're not even active all the time, because they're just accessing a web application.

I found out that when a hang happened, restarting WIFI ROUTER 1 recovered from the hang. After that, the connections seemed to be pretty good for a while before another hang that required a restart happened again. This got me thinking that maybe the bottleneck is that WIFI ROUTER 1 couldn't handle all the packets from 30+ users? I'm thinking of buying a gigabit switch and having all of the routers and the server connected to it, to replace the role of ROUTER 1 as the switch in the setup above.

Do you guys have thoughts or advice?

Thanks in advance!



Small VXLAN Deployment

Need to figure out if I can configure a very small VXLAN deployment. I'll have three DC's, each with only two Cisco 93180YC-FX connecting directly to a pair of Cisco FI's. The sites are geographically dispersed and a direct layer 2 connection is not feasible. I do need to span layer 2 for only a few VLANs across all three sites for IP mobility (not by choice).

My questions are basically, if I use VXLAN what is the best model to use (ie BGP EVPN, flood and learn, multi-site, etc...) and how do I get my stretched layer 2 VLANs with active gateways at each site?

Every document I've read shows a spine/leaf topology and anycast gateway, but none of them talk about how to get those routes into the global VRF to reach the users. I don't see many articles for a very small deployment like mine, and most only setup the flood and learn without SVI's/GW's.



Long range internet

I am doing a theoretical project, which is basically putting internet on the ocean, so I am interested in long-range internet solutions and am having trouble finding practical solutions that reach more than 100 km. Do you guys know of any better solutions?



Connecting through hotel wall port

I am staying in a hotel for a couple of months and the WiFi here is non-existent, but they do have a wall port. I did hook up my router but it won't connect. When I checked the status I can see "Ethernet, public network" and it has no connection at all. Any help?



Friday, October 18, 2019

Need guidance on best network topology to use

Hey, sorry if this is a very basic question, but I am quite new to networking and have a homework question where I need to select the most effective topology with the "aim to enable easy and efficient connections of all devices". I am really trying to understand what the best options available are.

Question given: A head office which occupies one floor in a building hosting 30 employees from 2 key business departments, production and administration.

Another office located at a different location has 8 employees which are part of the production team.

Each staff is equipped with a desktop computer, and there are 10 available laptops.

There are 4 servers in the head office, 2 for internal business functions and 2 for the website / online shopping.

Any recommendations/ advice would be MUCH appreciated. As I said I am very very new to all of this so please cut me some slack lol :))



Anyone seeing macOS Catalina (10.15) networking oddities (forgetting ARP entries)?

Alas, I only have 1 data point, a 2013 MacBook Pro that was upgraded. Everything else is either still on older versions or is running Linux, Windows, etc.

The symptom: post upgrade, this MacBook will now decide that hosts on the WiFi LAN are unreachable. Established connections will be terminated (notably SSH), and pings are immediately rejected locally with "ping: sendto: Host is down". This usually means the networking stack can't resolve the MAC address of the remote host any longer, and, indeed, running arp shows that the host of interest has an "at (incomplete) on en0 ifscope [ethernet]" entry.

Of course, no other machines are having these types of connectivity issues, and the target systems in question are supporting other connections happily.

This sounds vaguely like an old ARP bug (net.link.ether.inet.arp_unicast_lim=0) rearing its head again, though the symptoms (double-NAT, etc.) don't quite align. I'll see if setting that helps at all, but I'm curious if other network admins are hearing similar complaints yet.



Cisco Virtual StackWise switches to non-Cisco switches. Will it work?

If I use two Cisco 9500 series switches to create a network using Virtual StackWise to create one virtual core switch, can I use non-Cisco (third-party) switches that support LACP? Or is this strictly a Cisco-to-Cisco thing?



Multiple ISP, Multiple Static IP each

I am having trouble finding all the information I need for my future network needs. My company is moving to a new location within the next 6 months, and I am trying to understand multiple static IPs for business lines.

Our plan is to have 2 ISPs:

  • (1) Primary, with static IPs for:
    • (1a) employee internet traffic
    • (1b) on-prem Exchange
    • (1c) future SharePoint
    • (1d) reserved
    • (1e) reserved
  • (2) Secondary, with static IPs for:
    • (2a) VoIP
    • (2b) guest network
    • (2c) reserved
    • (2d) reserved
    • (2e) reserved

The reason for multiple ISPs is a requirement in our field, to allow for failover in case of an outage. Each ISP has to be able to support all functions, just split load at the same time.

My plan was to use ASA5525x (to utilize gigabit service over the 5516/5508/5506) on each ISP, next have L3 switches to be able to share VLANs across each physical space, and then L2 switches for mass connections.

Our primary is most likely going to be Google Fiber Business, and all information they publish shows that if you have multiple static IPs, you have to use your own router, not their gateway, but I can't figure out if I have to have a router in front of the ASA, or if the ASA can do multiple sorting. Secondary may be AT&T/WOW, and nothing I can find from them says they won't support multiple with their gateway device.

I am most familiar with Cisco gear on the enterprise level, and have been using the 5506x for years with a single static IP configuration. I use virtualized pfsense at home, but I need to keep hardware for work.

TIA



[Question] How common is the use of PXE boot for imaging Windows PCs these days?

Need a sanity check.

We have a new IT group managing Windows endpoints and they are pushing for us to add IP helper statements pointing to their servers because "DHCP doesn't work" ... OK sigh.

I suspect they're coming across blog posts like this one as confirmation that the network is the problem:

https://techcommunity.microsoft.com/t5/Configuration-Manager-Blog/You-want-to-PXE-Boot-Don-t-use-DHCP-Options/ba-p/275562

My understanding was that Windows 10 rarely needed to be re-imaged if properly managed but I'm not really a Windows person.

Networks that have a significant Windows PC deployment (> 1000) do you support PXE boot for Windows imaging? Do you do so through DHCP options or IP helpers? How often do you re-image? We don't use AD for DHCP (we use our IPAM and DDI solution) so we're reluctant to point helpers at what is potentially a rogue DHCP server.

Trying to get a sense of how common this practice is and if we're being unreasonable in our reluctance to be accommodating to this.

P.S. Please be honest and don't chime in with "It works fine everyone is doing it" if you only run a smaller network.



Cisco 2821, 2 VRF, autorp/pim sparse mode issue.

Hi Everyone,

I have a Cisco 2821 (rescued from the garbage) in my lab with 2 physical interfaces. We'll call this router "P". Firmware version is 15.1(4)M6.

Each physical interface on router "P" has no config, but has 3 802.1q subinterfaces under it and is plugged into a switch that allows trunking to these VLANs. All BGP/routing/unicast works as expected between router "P" (simulated provider) and router "E" (simulated customer - our on-site router).

On router P (interfaces Gi0/0 and Gi0/1):

Gi0/0 has no config but Gi 0/0.1, Gi0/0.2, Gi0/0.3 all have config and are assigned to vrf "c"
Gi0/1 also has no config but Gi0/1.4, Gi0/0.5, Gi0/0.6 all have config & are assigned to vrf "s"
Each of these 802.1q interfaces has "ip pim sparse mode" under the interface config

I've also got "ip pim vrf c autorp listener" and "ip pim vrf s autorp listener"

I've got these 2 vrfs to emulate 2 provider networks. Both vrfs run BGP & multicast (pim sparse mode & autorp as mentioned above)

Gi0/0.1 (vrf c) goes to router E and does BGP
Gi0/1.4 (vrf s) also goes to router E and does BGP

As far as router E is concerned, it's talking to 2 different networks.

Multicast routing is turned on for both vrfs (Router P) & config is the same for both. Auto RP is also enabled as is pim-sparse mode for both interfaces on router E as well as router P.

"ip multicast-routing vrf c"

"ip multicast-routing vrf s"

vrf c works great & it finds the RP.
vrf s never finds an RP.

I've shut down the working vrf c parent interface (Gi0/0) just in case it was some RPF bug or something, but it still doesn't work.

Router "E" is a 4321 running IOS XE 16.9.3
It has "ip multicast-routing distributed" as well as "ip pim sparse-mode" on both interfaces facing both the actual switch acting as RP as well as each interface connected to the 2 vrfs on router "P". It also has "ip pim autorp listener" enabled in the global config.

Anyone seen this? I'm almost convinced this is a bug, or I'm missing something very basic.



Root DNS vs Authoritative DNS

Why are my internet DNS lookups so much faster when using Root DNS, as opposed to my Internet Provider's DNS, or Cloudflare's DNS?

I thought Root DNS had to request a (.) dot server, then a domain, just to locate the authoritative DNS Nameserver. My ISP's DNS should just have that cache sitting around and be faster... but this is not the case. Root wins by 10ms.

Measurements done with: http://www.grc.com/dns/benchmark.htm

tl;dr - Why isn't a public recursive DNS server faster than Root DNS?



WikiDevi will be going offline 2019-10-31

"WikiDevi will be going offline 2019-10-31"

source: https://wikidevi.com/wiki/Main_Page

I find it really sad that this homepage will go down, as it was my favorite source for any device-specific information.

Does anyone know the reason behind this decision?



Trying to use my HUAWEI HG532F as a WiFi extender, need help.

I have an old Huawei HG532F that I'm trying to set up as a wireless WiFi extender. Back then I remember seeing an option to do that in the Huawei HiLink app on mobile, but now I can't even get the app to connect and find the router, which sucks. Is there still a way to do it? I'm trying to do it wirelessly because wired won't work for me. My other router that I'm trying to extend is a Huawei model B618s-22d.



How to see the bytes of a websites public key from my terminal?

Say I have a website such as unh.edu. In my browser, I am able to see that the first few bytes of the website's certificate are EA 66 BE E0 etc. However, I want to be able to view and verify the bytes of this website's certificate's public key in my terminal. I have tried "openssl s_client -connect unh.edu:443" but that does not display the bytes of the public key. Any suggestions? Thanks!
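An added example (not from the post above) of the openssl pipeline that isolates a certificate's public key (the DER SubjectPublicKeyInfo) and prints its raw bytes plus the SHA-256 pin commonly used to identify a key. It generates a throwaway self-signed certificate for the constructed name example.test so it runs offline; a comment shows how the same pipeline reads a live server's certificate instead.

```shell
# Added example, not the poster's own commands. It reproduces the openssl
# pipeline the poster was after: take a leaf certificate, isolate the
# SubjectPublicKeyInfo (the public key), and show its DER bytes plus the
# SHA-256 "pin" that browsers and certificate-pinning configs use.
#
# To run offline, a throwaway self-signed certificate for the constructed
# host name example.test is generated locally and fed through the same
# pipeline that would otherwise read from "openssl s_client".
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Throwaway key + self-signed cert (stands in for the server's leaf cert).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Against a live host you would obtain cert.pem with:
#   openssl s_client -connect unh.edu:443 -servername unh.edu </dev/null 2>/dev/null \
#       | openssl x509 -outform PEM > cert.pem
# (-servername matters: without SNI many hosts return a different certificate.)

# 2. Extract the public key (SubjectPublicKeyInfo) from a certificate and
#    print its DER bytes as hex, 16 bytes per line, like a browser's byte view.
pubkey_der_hex() {           # $1 = certificate PEM file
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | od -An -v -tx1 | tr -s ' ' | sed 's/^ //'
}

# 3. SHA-256 of the DER SPKI, base64: the usual "public key pin" form.
spki_pin_from_cert() {       # $1 = certificate PEM file
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary | openssl enc -base64
}

# The same pin computed from the private key's public half. If this does not
# match spki_pin_from_cert, the certificate does not belong to this key.
spki_pin_from_key() {        # $1 = private key PEM file
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -binary | openssl enc -base64
}

HEX=$(pubkey_der_hex "$WORK/cert.pem")
echo "First bytes of the public key (DER SubjectPublicKeyInfo):"
printf '%s\n' "$HEX" | sed -n '1,3p'
echo "SPKI SHA-256 pin: $(spki_pin_from_cert "$WORK/cert.pem")"
echo "Pin from key:     $(spki_pin_from_key "$WORK/key.pem")"
```

For a real host, compare the pin (or the leading bytes) against what the browser's certificate viewer shows for the same key; a mismatch means you were handed a different certificate than the browser saw.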



get_l3_facts.py - when you can't 100% trust IPAM, get your layer 3 facts straight from the source

Retooling some firewall policies, I needed a 100% accurate list of all addresses/networks in use.

Our IPAM has come a long way from Excel, but after finding a few discrepancies, I decided it's not yet reliable enough.

Next idea: NPM (solarwinds). The SQL-like syntax makes queries super easy, but its data is limited to managed interfaces. Which they all should be, but as with IPAM, that's not 100% reliable (yet).

In the end, the only 100% accurate source available to me: the devices themselves.

At first I thought about trying out ansible, a great chance to kick the tires, right? But for some reason, my brain refuses to wrap itself around that approach. I have it built up in my head as this monster of a learning curve, fraught with unnecessary complexity and overhead--which I'm sure it's not--but, I don't have the time to sort that out for this project. So I reached for what I know and love: python.

Reflexes said "netmiko," but realized the NAPALM library does most of the heavy lifting already. Combining the output of `get_interfaces()` and `get_interfaces_ip()` into my preferred data structure proved the most difficult part, and there's plenty of room for improvement (maybe pandas?), but the results work well for my needs.

I can now query an arbitrary list of devices, getting 100% reliable L3 facts, and save the results as CSV!

https://github.com/austind/get_l3_facts



Cisco VPC Peer Link Down

Hi all, I'm having some trouble with a pair of Cisco Nexus 3000 series switches. I am configuring vPC between the two, which I have done an awful lot recently, successfully, but for some reason with this pair the peer link won't come up.

The keepalive is up, and the port channel that I have decided to use for the vPC peer link is also up.

The config is minimal now. I have proven traffic can flow over the vPC peer link and that the physical connections are good, but still no luck.

Any ideas?



Remote port monitoring with low-end HP switches

Hi folks, this is my scenario: a vendor installed a server for call recordings, and it's dependent on being connected to a mirrored switch port of the PBX. We have an HPE 1920 switch at that location and it has been working well for some years.

Now the server is out of warranty and I propose to virtualize it. No problems with virtualization, but I'm having trouble streaming the remote switch's mirrored traffic to the VM in the datacenter.

We don't have fancy switches in our business; top tier are HPE 1950s, which I guess have the remote mirroring function I'm missing on the 1920?

My first guess was to create a monitor VLAN for the traffic, tag the traffic on the mirror port and give the monitor port access to that VLAN, but no traffic shows up on the VM in Wireshark.

Could you give me some ideas?



Good Source for IPv6 Information?

I have the basics of IPv6 down in terms of link-local and global, though I am somewhat frustrated attempting to learn how DHCPv6 works and how control/routing in a no-NAT world works smoothly... even when things like NAT66 exist? I get that NAT is seen as "bad", and stateless DHCPv6 is recommended, but how would an organization concentrate and identify an environment with 100s of devices in an organized fashion? Also, things like Unique Local are a bit confusing, as in identifying them as a direct correlation to private IPv4.

If anyone has a great resource that helped them grasp the concepts of IPv6 when having a decent foundation of IPv4, that'd be great. I get they are different beasts, though I end up going "hm??? wha" when trying to learn it blind. Any resource recommendation or link would be appreciated.



[US East] Microsoft Azure MFA failing

Anyone else seeing Azure MFAs not going through?



A way to view attempts to access my wifi?

Hello everyone, I tried searching for this, but maybe I don't know how to word it... I was wondering if there is a way to generate a report on my wifi network access stats. For example, see when someone connected to the wifi, when someone attempted but failed to connect, and what they used as passwords. Basically as much as possible about the sign-in. I know I can have a lot of control over what happens inside my network, but I was wondering if I have any control/insight on what happens at the 'gate' to my network.

Thanks!



CenturyLink outage yesterday

Hey, what are you all hearing about the CenturyLink outage yesterday? I've heard from customers from Georgia to Maryland. My ISP says it was something with DNS. Anyone have more news?



Dell OS10 vs OS9

We're bringing in a decent number of Dell S4048s and such, and I'm curious if anyone has any perspective on OS stability for the two platforms?

It seems that one of the biggest draws of OS10 is supposed to be friendliness to automation/disaggregation, and those are interesting to us, but they aren't hard requirements and we probably wouldn't want to gain them at the expense of overall stability and "CLI sanity".

Any thoughts?



Cisco Switch SNMP problem - snmpwalk gives variable responses

Good morning,

I have a 55-device infrastructure with fully operational SNMP, except for one switch. This 3650 is in a stack and seems to give me variable responses. PRTG will report it as alternating between up and down, and when I installed snmpwalk and query that switch, I sometimes get a huge list of OIDs, sometimes just a handful, and sometimes none. It seems like the SNMP service itself is flapping.

I tried completely clearing out the config by doing "no snmp-server" and reconfiguring it, but this still occurs. This switch is in our 911 center so I can't do a reboot without a lot of red tape and explaining.

Anyone have thoughts on other things I can try? I'm mostly concerned that this is a symptom of a larger issue with the switch.



Need help with setup LAN

Hello r/networking community,

I'm an employee at a company and I was told to set up a LAN. Unfortunately, this is the first time I've done something like this (noob alert) and I hope you might help me. I'm just not sure if I can do what I'm thinking of.

The task: a LAN with an Ethernet backbone for four rooms, ~25 meters apart at maximum. We want to be able to connect PCs and network-related stuff via Ethernet. Also, internet is in discussion. We might want to be able to access the internet at any port and we might want to connect an access point.

My solution: one layer 2 switch (20 ports, 10GBASE-T) in each room, with uplink ports connected with CAT7 copper cables. I would just connect the switches via uplink port in a line topology and that's it. Later on we could add an access point for WLAN in each room (connected to a switch port) and might enable a connection to the internet via a router.

This should work out, right?

Would be really nice if you can help. Sorry for my bad English.



Trunking Dell switch with a Cisco

I've got a Dell core switch which has a Cisco 2960 connected to it. VLANs 1 and 30 are tagged ports on the Dell. On the Cisco a few interfaces are in access mode on VLAN 30 and the uplink from the Dell is a trunk port. Devices plugged into the Cisco get an IP from pfSense but can't ping the gateway or anything, really. Nothing from outside the VLAN (with appropriate FW rules) can ping either.

Cisco config is here: https://pastebin.com/beUHNx5U

Not sure where I'm going wrong. VLANs work fine on the Dell switch. I've followed multiple tutorials for setting up VLANs on IOS and I think I've followed everything correctly.



Always On VPN - Radius/NPS issue

https://ift.tt/31sO79s

Thursday, October 17, 2019

MPTCP, MLVPN, Linux bonding module, Peplink speedfusion, mushroom networks, please help!

I am in a rural area and have used multiple technologies to bond two very different links over many years. Lately I have been using Peplink with an AWS-hosted endpoint to do VPN WAN bonding. It does what I want, but I hate using proprietary tech when I know there must be a clean, elegant way to do this with FOSS.

I have used MLVPN before and the issue I had was that it seemed unmaintained and it wanted to use both links all the time, which is not what I want. I want an aggressive health check to cause an immediate switch to using the backup link in a failover scenario for all L3+ traffic.

I see where people are using MPTCP as apparently implemented by the Linux kernel bonding module, combined with ovpn tun interfaces and a SOCKS proxy for UDP. If I am reading the bonding module documentation correctly, the failover mode works with the state of the tun interface instead of any health check, and the way ovpn works means that I think I would need to remove the failed interface from the bond, wait for the health check to pass, and then bring that interface back up. Is adding that logic the only hurdle here? Is the Linux bonding kernel module meant to be an implementation of MPTCP, or am I way off and missing something?



Microsoft Message Analyzer being deprecated

Wireshark tends to be my go-to in terms of being lightweight and simple to use, but the simple power in MSMA makes it indispensable so often. I'll be making a local backup; figured some redditors here might want to know as well.

https://docs.microsoft.com/en-us/openspecs/blog/ms-winintbloglp/dd98b93c-0a75-4eb0-b92e-e760c502394f



I want my WiFi to only connect to 5 GHz

So I have this dual-band WiFi but sometimes it auto-connects to 2.4 GHz. I only want it to be 5 GHz. How can I make this happen?



Where do you guys get your enclosed network racks from? Any certain manufacturer you like or stay away from?

Title says it all: looking for standing racks, 42U, server depth, standard data center stuff.



Ethernet wires too thick

I bought 100m of CAT 6 cable. The problem is that after I crimped the cables, they seem to be a bit too thick to fit in the connector, and they need to be forced really hard and the final product is not so good. Any tips?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.



Cisco SG300 odd behavior

Hello friends,

While I am not new to networking or switching, I am new to these SG300s I have inherited with my new company. They were being used with local access only, so one of my first projects was to implement RADIUS with individual logins and accounting. Fast forward: RADIUS is working, local accounts are working, but not as the documentation says they should.

When I use commands

aaa authentication login SSH radius local

aaa authentication enable SSH radius enable

RADIUS login works successfully, but local login does not.

When I use the command "aaa authentication login SSH local", local login works.

So I know both accounts log in successfully, but in the event RADIUS is down I need the local account (backdoor) to log in.

Has anyone seen this behavior before? I know the SG300s are not the greatest, but it's all I have to work with until we can replace them.



SDWAN: Are you still sending traffic to the DC for Internet?

We are currently looking at implementing an SD-WAN solution and thinking about the idea of doing internet breakouts at each branch site instead of sending them back to the security stack at the DC. One of the concerns is visibility and security. Do vendors like Viptela and VeloCloud offer this? Or do we need to use something like Zscaler? We initially wanted to just set up SD-WAN and still send everything back to the DC.



Verizon Outage

In the Midwest, seeing a Verizon outage? Calls come through, but no voice. Is anyone else seeing this or have any idea what's going on?

https://downdetector.com/status/verizon/map/



Finally getting my home lab built and 2 of my 3 2900s won’t even power on :(

I've been really excited to get my home lab ready to go. So last night, after I got everything racked and cabled, I plugged in my UPS so everything would turn on at once like a Christmas tree, and my heart sank because 2 of my 3 2900s did not power on. I tried to watch the console of them powering on but I get errors. I'm home sick today so this was the day I was going to get everything configured; now I have to figure out if there's any way to salvage these.

So when I plug the power in, the AC LED shows green, so that's good. On one of them I popped the hood and I would hear it click and one of the front modules' phone ports would flick its lights and then stop, every 4-5 seconds. On the other one it's just nothing. I don't know what the deal is on the other one. My first guess is that they have bad power supplies. Why do I think this? I decommissioned these off offshore oil platforms and it looks like the fan cages and power supplies are covered in rust.

Are there any other troubleshooting steps I can take with these to diagnose the issue? My next step this morning is to swap the good power supply out and put it in one of those.



1G speed on 10G transceiver

Hey guys,

just a small story I wanted to share with you.

Yesterday we had a scheduled downtime at a customer for a core switch upgrade and I ran into a problem I never knew even existed.

We have a modular HPE Comware 10508 as core switch, which was running a 2014 firmware. I checked the release notes for incompatibilities with certain modules or transceivers but did not find any problems with the new firmware. Everything worked fine with the upgrade to the current version, management modules upgraded, then the switching fabrics, then the line cards. All came up normal, links came up, the network was back online.

I was ready to celebrate an upgrade without problems when we noticed that our dark fibre connection to the datacenter was down. The interface was down.
I checked the transceiver, HPE 10G LR SFP+, ok.
I checked the received dBm on the transceiver, looks fine, the link should come up.
I changed the config to another module but it still didn't work.

Then the customer also compared the config to the old config file and noticed that the interface was set to "speed 1000" in the old config. I was very confused at that point, as I thought you cannot change the speed of a transceiver to a lower speed. And the switch confirms this, as the command is not allowed in the new firmware ("This operation is not supported").

We used a 1G LX transceiver and the link came up immediately.

Have you guys ever seen a transceiver set to a lower speed? I never knew this was even possible and I can't find any documentation on it. Sure, you can use a 1G transceiver in an SFP+ port, but setting a 10G transceiver to 1G?



ZTP config deployment based on switch model

Hi everyone,

I'm a noob with ZTP and I managed to get basic DHCP and ZTP servers running, and I have already configured one switch successfully.

I've followed one video on YouTube and it's been very easy. Basically, configure DHCP, configure the ZTP server, and then I had to place the startup_config file within a folder. That folder had to be named after the switch's MAC address.

So far so good; as I said, it worked.

Now my problem is I'm going to have a bunch of switches, and having to create files and folders for each one of them is a no-no.

I'm going to have only two models of Arista (7010T and 7060CX) and all the switches of the same model are going to have the same configuration. That means, one startup_config_7010T and one startup_config_7060CX.

Does someone know if there's any way to make the ZTP on the switches recognise which file they need to load based on the model of the switch?
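One way to get a per-model selection, shown here as an added example rather than the poster's setup: Arista ZTP runs the file named in DHCP option 67 as a script when it starts with "#!", so the bootstrap can ask the switch for its own model with FastCli and then fetch the matching startup-config. The web server URL, the two file names, the regex rules and the sample "show version | json" output below are assumptions/constructed; only the modelName field name and the FastCli/copy commands are real EOS interfaces.

```python
#!/usr/bin/env python
"""Added example, not the poster's setup: an Arista ZTP bootstrap script that
picks a startup-config by switch model instead of by MAC address. The config
URL base, file names and the sample 'show version | json' text are assumed or
constructed; the model rules come from the two models named in the post."""
import json
import re
import subprocess
import sys

# Assumed layout on the ZTP web server: one config per model family.
CONFIG_BASE_URL = "http://ztp.example.test/configs"
MODEL_CONFIGS = [
    (re.compile(r"^DCS-7010T"), "startup_config_7010T"),
    (re.compile(r"^DCS-7060CX"), "startup_config_7060CX"),
]

# Constructed sample of `show version | json` output (only modelName is used).
SAMPLE_SHOW_VERSION = ('{"modelName": "DCS-7010T-48", "serialNumber": "JPE00000000", '
                       '"version": "4.22.0F"}')


def model_from_show_version(show_version_json):
    """Return the modelName field from `show version | json` text."""
    return json.loads(show_version_json)["modelName"]


def config_for_model(model):
    """Map a model name to its startup-config file; None if no rule matches."""
    for pattern, filename in MODEL_CONFIGS:
        if pattern.match(model):
            return filename
    return None


def config_url(show_version_json):
    """Full URL of the config this switch should load, or None for an unknown model."""
    filename = config_for_model(model_from_show_version(show_version_json))
    return f"{CONFIG_BASE_URL}/{filename}" if filename else None


def run_on_switch():
    """Steps executed on the switch during ZTP (needs EOS; not run offline)."""
    out = subprocess.check_output(["FastCli", "-p", "15", "-c", "show version | json"])
    url = config_url(out.decode())
    if url is None:
        # A non-zero exit leaves the switch in ZTP so it retries instead of
        # booting with a wrong or empty config.
        sys.exit("no config rule for this model; leaving switch in ZTP")
    subprocess.check_call(["FastCli", "-p", "15", "-c", f"copy {url} flash:startup-config"])


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--offline":
        print(config_url(SAMPLE_SHOW_VERSION))   # dry run on a workstation
    else:
        run_on_switch()
```

Point DHCP option 67 at this script instead of at a per-MAC folder; every 7010T then fetches startup_config_7010T and every 7060CX fetches startup_config_7060CX, and a model with no rule stays in ZTP rather than picking up the wrong file.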



Cloud only identity providers - Getting rid of all my on premise access control hardware.

I work for a partner selling networking hardware, primarily Cisco Meraki, networking being my strength. Increasingly, customers are expressing their desire to move to a complete cloud solution with regards to managing user access control.

On one end of the scale, we have 802.1X providing network access control to switching and wireless, and at the other end we have a whole bunch of ever-increasing SaaS applications, often using Azure AD or Okta for access control.

What I would like to discuss is how organizations are merging these two different access control approaches together. Are the cloud identity providers seen as complementary to on-premise access control solutions, or have some customers been able to go fully cloud?

If anyone has successfully achieved this, then what have been the tradeoffs of moving to the cloud? Any issues to be aware of?



Which one to go for?

I have an interview at a VAR, but I wouldn't be in the department where they do the VAR stuff. Well, I've had the one there already.

And I've got one at an MSP, but they only do SD-WAN.

The first company (VAR) has a lot of actual kit, and is moving in terms of telephony, firewalls, networking in Azure, etc. I've never worked with Azure.

As they've been acquired, and acquired others, a lot of their kit may be overkill, meaning projects to overthrow various pieces.

The second is an MSP where you basically just do SD-WAN. Dunno which one is worth doing? Both have a different set of challenges. The salaries are about the same too.



Benchmarking load balancers

Hi all,

Our company is currently in the phase of testing a self-developed software load balancer. We've made sure everything works, HA mechanisms etc. are working and load is being spread across backend servers. Now what we're looking for is a way to test it seriously for heavy loads.

We could do it the simple way (i.e. setting some web servers behind the load balancer and generating requests as fast as possible, throw TLS in the mix somehow etc.) but I don't really like the idea as I'd like to test more scenarios (load balancer for database, what happens with a mix of TLS and pure HTTP and many other scenarios that are rather complicated to simulate).

Is there any software pack or application which would help me set up the backend servers and generate load fast enough to stress the load balancer?

Cheers.



Which WAN interface should my residential router be using for my ipv4?

I'm using Optus for the NBN in Sydney, Australia. I'm sick and tired of paying for 100 Mbps and getting 60-75. I've noticed that in my WAN config, the only interface set up with an IPv4 is ptm0.1, with the comment ipoe_0_1_1.0. I'm very confused by this.

Furthermore, the diagnostics tool checks verification, authentication and valid IP from the ISP with the interface ppp2.1 (ADSL network). This interface has not yet been configured so does not work, with the result FAILFAILFAILFAILFAIL.

https://ibb.co/FVckcfJ



Wednesday, October 16, 2019

Wifi Analyzer for iOS

Hey, just wondering if anyone knows of a WiFi analyzer for iOS? Something that can scan for channels. I have to set up a temp wireless network but am having trouble finding a channel that's less congested.



How did my instructor get this wildcard mask?

We're currently learning about wildcard masks. On our worksheet, the first two answers are given to us.

  1. Create a wildcard mask to match this exact address. IP address: 192.168.25.70 Subnet mask: 255.255.255.0

  2. Create a wildcard mask to match this range. IP address: 210.150.10.0 Subnet address: 0.0.0.255

Answers:

  1. 0.0.0.0

  2. 0.0.0.255

Wouldn't the first problem's wildcard mask be the same as the second one's?

How did he get 0.0.0.0?
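An added example (not from the worksheet or the instructor) that shows how a wildcard mask is actually evaluated, which is what separates the two answers: a 0 bit in the wildcard means "this bit of the address must match", a 1 bit means "ignore this bit". 0.0.0.0 therefore pins all 32 bits and matches exactly one host, while 0.0.0.255 frees the last octet and matches a whole /24. The sample addresses are constructed, and matches() handles non-contiguous wildcards as well, which routers accept even though they are rarely used.

```python
"""Added example, not from the worksheet: how an ACL wildcard mask is matched.
0 bits must match the base address, 1 bits are ignored. Sample hosts are
constructed."""
import ipaddress


def wildcard_from_mask(subnet_mask):
    """Invert a subnet mask: 255.255.255.0 -> 0.0.0.255."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def wildcard_from_prefix(prefix_length):
    """Wildcard for a /n prefix: /24 -> 0.0.0.255, /32 -> 0.0.0.0."""
    host_bits = 32 - prefix_length
    return str(ipaddress.IPv4Address((1 << host_bits) - 1))


def matches(address, base, wildcard):
    """True if `address` is matched by the ACL entry `base wildcard`.

    Only the bits where the wildcard is 0 are compared; the rest are ignored.
    Works for non-contiguous wildcards too (e.g. 0.0.255.0).
    """
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def matching_hosts(candidates, base, wildcard):
    """Filter a list of addresses down to those the ACL entry would match."""
    return [c for c in candidates if matches(c, base, wildcard)]


# Constructed sample addresses around the two worksheet entries.
CONSTRUCTED_HOSTS = ["192.168.25.70", "192.168.25.71", "192.168.26.70",
                     "210.150.10.0", "210.150.10.199", "210.150.11.5"]

if __name__ == "__main__":
    # Exact host: only 192.168.25.70 itself survives.
    print(matching_hosts(CONSTRUCTED_HOSTS, "192.168.25.70", "0.0.0.0"))
    # Whole /24: every 210.150.10.x address survives.
    print(matching_hosts(CONSTRUCTED_HOSTS, "210.150.10.0", "0.0.0.255"))
```

Worth noticing for ACL work in general: the subnet mask given with an address tells you which network it sits in, but the wildcard you write is decided by what you want the entry to match, so a host on a /24 still gets 0.0.0.0 when the entry is meant for that host alone.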



Ethernet Troubleshooting: 100mbps on cable that tested good

I'm a cable tech of 10+ years; I work for an MSP with a WISP subdivision. I have a WISP customer whose drop tested perfect, but their radio is connected at 100/full. Input?



Best Podcasts

What are some great podcasts for those of us in networking? I'm aware of Network Collective but was seeing what else is out there. Network centric would be best, and maybe even the transition to devops.



Ingress eyeball traffic from Akamai nodes?

I'm responsible for some web services and in recent months I've started noticing inbound web traffic from Akamai. Generally the PTRs are in the form n-n-n-n.deploy.static.akamaitechnologies.com, same as their CDN nodes. It's not a significant amount of traffic and it's not problematic, it just has me curious, because I'm conditioned to thinking of Akamai as a destination, not a source of eyeballs.

Is Akamai doing a proxying service (a la Zscaler) now?



Only RDP connection over VPN

Here is the problem to be solved. I need a way to have a couple of remote users be able to connect to an IKEv2 VPN (on a WatchGuard router) for a remote desktop session. I need only the RDP session to pass over the VPN connection. All other internet traffic needs to stay on the machine's local network. Does anyone know of a way to set this up on either the client or server side?



Armageddon for AT&T

I have been greatly disturbed today by the just total lack of information flowing out of AT&T on what looks to be a major national outage. I found the only information about my local outage (fiber SONET down, cell service down) on a college campus newspaper site.

Some of my sources tell me that there was a major fiber SONET outage for Columbus, OH. How is nobody reporting that? What is happening in Atlanta, DC, Dallas, and Chicago? Also, does anyone have great sources to go to for this kind of information?

AT&T Down Detector

OSU - AT&T Outage Due to Manhole Fire

God help the fiber splicers in downtown Cbus right now.



Why does this large wall-mounted rack only have space for 2U?

Bought a new (to us) building that didn't have fiber run to it. Had the local provider come out and install it.

They put this 46" tall wall-mounted rack in, but it only has space for 2U of equipment. This is taking up a tremendous amount of wall space in our utility room.

Is this so nothing else can be mounted to it and potentially disturb the fiber? That's the only thing I can think of.

Photos:

https://i.imgur.com/4ql3oZZ.jpg

https://i.imgur.com/O7aVbMZ.png



Quick help with language for an IS request

Hey all - I need to put in a request to my hospital IS department regarding our guest wireless access and I just need a little help on what to report. When you connect to our guest network, you are redirected to the terms-of-use screen and hit accept to gain access. The problem is, every single time your device powers off, you have to go through the process again. It is a frequent complaint from patients that their devices are continually losing network access. Can IS allow a longer period of access for a given device, and what is the clearest way to ask for this (what term would they recognize?) Thanks!



Network monitoring tool per device

Hi, trying to find a free network monitoring program which can tell me what device is eating bandwidth, and what devices are connected to my network. Something lightweight.

I tried looking around, couldn't find anything.

Thx



Access layer switch replacement

If you were tasked with replacing every access layer switch in your organization (over 100), which vendor/model would you choose to accomplish this?

Currently the organization runs all 100Mb HP ProCurves and all network team members maintain their CCNA. Are there any feature differences between Cisco/Aruba/anyone else I should keep in mind? Is there a huge price difference between each vendor's access layer switches?



Network overhaul advice needed, long(sorry!)

I work for what I would call a medium-sized business. We have an established network, but we have reached its limitations. Our current setup is very low maintenance and has been maintained by an off-site engineer as more of a favor for a friend for 10+ years.

Here's a basic idea of what we use:
- VoIP
- Local server, that will be upgraded to support up to 12 virtual machines
- several databases are used
- not much wireless support, that is a big need!
- about 30-40 concurrent wired users, most access some sort of database

I am looking for advice on which direction to go. My company wants me to take over the network admin role over the course of the next year. I am leaning towards Ubiquiti everything at this point. I’m comfortable with the UI and the wireless support seems very cost effective and manageable.

Please let me know if you need more info! I tried to be as brief as possible



Is anyone familiar with this Juniper issue?

I am going to try and keep this brief:

Basically we have a series of impairments all being traced back to AT&T. They have said their Junipers are losing MAC entries and then flooding requests, which are essentially causing a denial of service on our network.

It took an absurd amount of time to get them to do their due diligence and identify the problem, and now I'm interested in if anyone has seen this so I can maybe nudge this along.



Cisco WLC AP MTU Size

I also posted this on the Cisco sub.

We have an issue where UDP traffic is being dropped at one of our remote sites because the DF bit is set on the AP traffic but the size is larger than 1500 (after IPsec). I have found how to adjust the MSS size for TCP but I can't find anything for UDP. I also don't see anything for MTU at all. How can I either manually change the MTU on the AP interfaces or set it so that fragmentation is okay?

Thanks!



Nexus - interface Eth1/4 has gone down. Reason: Echo Function Failed

Hello everyone,

Had an event yesterday that caused an outage in our DC. I was wondering if anyone could provide some more insight into what may have caused this to happen.

Here's what I know -

No changes made to environment

Legacy design of Nexus 3Ks: 2 core, 2 service edge

The cores lost sight of the SEs, which caused some SVIs to be unreachable

Digging deeper into the SE's I found the following BFD logs -

2019 Oct 15 15:53:42 DAL-SE-1 %BFD-5-SESSION_STATE_DOWN: BFD session 1090519093 to neighbor 10.255.255.93 on interface Eth1/4 has gone down. Reason: Echo Function Failed.

2019 Oct 15 15:53:46 DAL-SE-1 %BFD-5-SESSION_REMOVED: BFD session to neighbor 10.255.255.93 on interface Eth1/4 has been removed

2019 Oct 15 15:56:44 DAL-SE-1 %BFD-5-SESSION_STATE_DOWN: BFD session 1090519085 to neighbor 10.255.255.77 on interface Eth1/3 has gone down. Reason: Echo Function Failed.

2019 Oct 15 15:56:48 DAL-SE-1 %BFD-5-SESSION_REMOVED: BFD session to neighbor 10.255.255.77 on interface Eth1/3 has been removed

2019 Oct 15 16:01:05 DAL-SE-1 %BFD-5-SESSION_MOVED: BFD session 0x4100003d: Installed on LC 1

2019 Oct 15 16:01:05 DAL-SE-1 %BFD-5-SESSION_CREATED: BFD session to neighbor 10.255.255.93 on interface Eth1/4 has been created

2019 Oct 15 16:01:05 DAL-SE-1 %BFD-5-SESSION_MOVED: BFD session 0x4100003e: Installed on LC 1

2019 Oct 15 16:01:05 DAL-SE-1 %BFD-5-SESSION_CREATED: BFD session to neighbor 10.255.255.77 on interface Eth1/3 has been created

2019 Oct 15 16:01:10 DAL-SE-1 %BFD-5-SESSION_STATE_UP: BFD session 1090519101 to neighbor 10.255.255.93 on interface Eth1/4 is up.

2019 Oct 15 16:01:12 DAL-SE-1 %BFD-5-SESSION_ACTIVE_PARAMS_CHANGE: Local parameter of BFD session 0x4100003d has changed Disc 0x4100003d [[protocol 1 if_name Eth1/4 if_index 0x1a003000 iod 0xa 5effff0a:0:0:0=10.255.255.94 -> 5dffff0a:0:0:0=10.255.255.93]] TX(2000000): RX(2000000): ST(2000000), Mult(3), Ver(1)

2019 Oct 15 16:01:12 DAL-SE-1 %BFD-5-SESSION_ACTIVE_PARAMS_CHANGE: Local parameter of BFD session 0x4100003d has changed Disc 0x4100003d [[protocol 1 if_name Eth1/4 if_index 0x1a003000 iod 0xa 5effff0a:0:0:0=10.255.255.94 -> 5dffff0a:0:0:0=10.255.255.93]] TX(2000000): RX(2000000): ST(2000000), Mult(3), Ver(1)

2019 Oct 15 16:01:13 DAL-SE-1 %BFD-5-SESSION_ACTIVE_PARAMS_CHANGE: Local parameter of BFD session 0x4100003e has changed Disc 0x4100003e [[protocol 1 if_name Eth1/3 if_index 0x1a002000 iod 0x9 4effff0a:0:0:0=10.255.255.78 -> 4dffff0a:0:0:0=10.255.255.77]] TX(2000000): RX(2000000): ST(2000000), Mult(3), Ver(1)

2019 Oct 15 16:01:13 DAL-SE-1 %BFD-5-SESSION_STATE_UP: BFD session 1090519102 to neighbor 10.255.255.77 on interface Eth1/3 is up.

2019 Oct 15 16:01:13 DAL-SE-1 %BFD-5-SESSION_ACTIVE_PARAMS_CHANGE: Local parameter of BFD session 0x4100003e has changed Disc 0x4100003e [[protocol 1 if_name Eth1/3 if_index 0x1a002000 iod 0x9 4effff0a:0:0:0=10.255.255.78 -> 4dffff0a:0:0:0=10.255.255.77]] TX(2000000): RX(2000000): ST(2000000), Mult(3), Ver(1)

I'm not terribly familiar with BFD but have checked the firmware we're running and there are no related bugs. Any insight would be appreciated, or if you need more data please let me know.
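An added example, not part of the post above, of the kind of check worth running over a syslog export during the post-incident review: parse the NX-OS BFD lines, pair each SESSION_STATE_DOWN with the next SESSION_STATE_UP for the same neighbor and interface, and report how long each session was down and why. The sample log is the set of lines quoted in the post that carry a neighbor address; the SESSION_MOVED and PARAMS_CHANGE lines are deliberately skipped because they name a discriminator, not a neighbor.

```python
"""Added example, not from the original post: turn NX-OS BFD syslog lines into
a per-neighbor outage timeline. SAMPLE_LOG is taken from the lines quoted in
the post; only lines naming a neighbor are used."""
import re
from datetime import datetime

SAMPLE_LOG = """\
2019 Oct 15 15:53:42 DAL-SE-1 %BFD-5-SESSION_STATE_DOWN: BFD session 1090519093 to neighbor 10.255.255.93 on interface Eth1/4 has gone down. Reason: Echo Function Failed.
2019 Oct 15 15:53:46 DAL-SE-1 %BFD-5-SESSION_REMOVED: BFD session to neighbor 10.255.255.93 on interface Eth1/4 has been removed
2019 Oct 15 15:56:44 DAL-SE-1 %BFD-5-SESSION_STATE_DOWN: BFD session 1090519085 to neighbor 10.255.255.77 on interface Eth1/3 has gone down. Reason: Echo Function Failed.
2019 Oct 15 15:56:48 DAL-SE-1 %BFD-5-SESSION_REMOVED: BFD session to neighbor 10.255.255.77 on interface Eth1/3 has been removed
2019 Oct 15 16:01:05 DAL-SE-1 %BFD-5-SESSION_CREATED: BFD session to neighbor 10.255.255.93 on interface Eth1/4 has been created
2019 Oct 15 16:01:05 DAL-SE-1 %BFD-5-SESSION_CREATED: BFD session to neighbor 10.255.255.77 on interface Eth1/3 has been created
2019 Oct 15 16:01:10 DAL-SE-1 %BFD-5-SESSION_STATE_UP: BFD session 1090519101 to neighbor 10.255.255.93 on interface Eth1/4 is up.
2019 Oct 15 16:01:13 DAL-SE-1 %BFD-5-SESSION_STATE_UP: BFD session 1090519102 to neighbor 10.255.255.77 on interface Eth1/3 is up.
"""

# Timestamp, host, event name, neighbor, interface and (when present) the Reason.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%BFD-\d-(?P<event>[A-Z_]+): .*?neighbor (?P<neighbor>[\d.]+) "
    r"on interface (?P<iface>\S+)(?:.*?Reason: (?P<reason>[^.]+))?"
)


def parse_bfd_lines(text):
    """Return one dict per BFD line that names a neighbor and interface."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # SESSION_MOVED / PARAMS_CHANGE lines carry no neighbor address
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev.pop("ts"), "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def outages(events):
    """Pair each SESSION_STATE_DOWN with the next SESSION_STATE_UP per (neighbor, iface).

    Returns {(neighbor, iface): [(down_time, up_time, seconds, reason), ...]};
    a session still down at the end of the log gets up_time and seconds of None.
    """
    result, open_down = {}, {}
    for ev in events:
        key = (ev["neighbor"], ev["iface"])
        if ev["event"] == "SESSION_STATE_DOWN":
            open_down[key] = ev
        elif ev["event"] == "SESSION_STATE_UP" and key in open_down:
            down = open_down.pop(key)
            secs = int((ev["time"] - down["time"]).total_seconds())
            result.setdefault(key, []).append((down["time"], ev["time"], secs, down["reason"]))
    for key, down in open_down.items():
        result.setdefault(key, []).append((down["time"], None, None, down["reason"]))
    return result


if __name__ == "__main__":
    for (neighbor, iface), spans in sorted(outages(parse_bfd_lines(SAMPLE_LOG)).items()):
        for down, up, secs, reason in spans:
            up_text = f"up {up:%H:%M:%S} ({secs}s)" if up else "still down"
            print(f"{neighbor} {iface}: down {down:%H:%M:%S} -> {up_text}, reason={reason}")
```

On the quoted lines this gives 10.255.255.93/Eth1/4 down for 448 seconds and 10.255.255.77/Eth1/3 down for 269 seconds, both with "Echo Function Failed" as the reason, which is the figure to line up against the SVI unreachability window when building the timeline.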



3rd party SFP+ module in HPE Aruba 2540 for 10 Gbe BASE-T connectivity

I want to do 10GBASE-T connections, and would love to use an HPE Aruba stackable switch (so not a chassis like the 5406 or an OfficeConnect/Comware switch). The 2540 supports 10 GbE via SFP+ fiber connections, but HPE does not list a compatible copper BASE-T module. fs.com and Optcore (https://www.optcore.net/product/sfp-10g-t-hpe/) do list modules that are supposedly compatible, but I was looking for anybody who has actually done this with success before just ordering parts and testing.



srx vpn source nat issue

Hi, guys,

I have come across some strange issues when I try to create a VPN tunnel between an SRX100 and a Palo Alto (the tunnel is UP and stable). When I enable source NAT on the SRX, a client computer behind the Palo Alto can't communicate with a client behind the SRX, but a client behind the SRX can communicate with a client behind the Palo Alto. When I remove the source NAT everything works fine, but the local clients behind the SRX can't access the internet as there is no source NAT. If I route all the traffic through the VPN tunnel then everything also works fine. I will post my configuration below; it would be really helpful if someone could please point me in the right direction to solve the issue.

(172.18.40.1/27)srx----------internet------------paloalto(172.16.0.0/16)

set version 12.1X46-D86
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 family inet address 233.54.23.23/25
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces st0 unit 0 point-to-point
set interfaces st0 unit 0 family inet address 10.0.0.1/24
set interfaces vlan unit 0 family inet address 172.18.40.1/27
set routing-options static route 0.0.0.0/0 next-hop 234.38.76.76
set protocols stp
set security ike policy asianet mode main
set security ike policy asianet proposal-set standard
set security ike policy asianet pre-shared-key ascii-text "$9$H.T36/t1RSHqCuOBSy24aJi.QF/tu1ZU/tu0hc"
set security ike gateway ike-asianet ike-policy asianet
set security ike gateway ike-asianet address 233.45.65.75
set security ike gateway ike-asianet external-interface fe-0/0/0
set security ipsec policy asianetvpn proposal-set standard
set security ipsec vpn ike-asianet bind-interface st0.0
set security ipsec vpn ike-asianet ike gateway ike-asianet
set security ipsec vpn ike-asianet ike ipsec-policy asianetvpn
set security ipsec vpn ike-asianet establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule NO-source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule NO-source-nat-rule match destination-address 172.16.0.0/16
set security nat source rule-set trust-to-untrust rule NO-source-nat-rule then source-nat off
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces st0.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/0.0
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
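The configuration above carries a few settings a firewall reviewer would question before committing it (a permit-all default policy, every host-inbound service open on the untrust zone, an any/any/any inter-zone policy, and duplicated NAT statements). The checker below is an added example, not code from the post or from Juniper: it scans Junos `set`-format statements (the output of `show configuration | display set`) and reports those settings. The severity labels and the rules themselves are this script's own assumptions.

```python
"""Audit Junos 'set'-format configuration for weak security settings.

Added example, not code from the post or from Juniper: scans statements like
the SRX configuration pasted above and reports the settings a firewall
reviewer would question. The HIGH/MEDIUM/LOW labels are this script's own
assumption.
"""
import re
from collections import Counter

# Statements taken from the configuration above (abridged), used as sample input.
SAMPLE_CONFIG = """
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/0.0
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
"""

ZONE_SVC_RE = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")
POLICY_ANY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"match (source-address|destination-address|application) any$")


def parse_set_lines(text):
    """Return the 'set ...' statements, dropping blank lines and anything else."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("set ")]


def audit(lines):
    """Return a list of (severity, message) findings for the given statements."""
    findings = []
    present = set(lines)

    # 1. Traffic that matches no explicit policy is permitted instead of dropped.
    if "set security policies default-policy permit-all" in present:
        findings.append(("HIGH", "default-policy permit-all: unmatched inter-zone "
                         "traffic is allowed; use deny-all with explicit policies"))

    # 2. All host-inbound services (ssh, web management, ...) reachable from the
    #    untrust zone; only IKE is needed there for the VPN.
    for ln in lines:
        m = ZONE_SVC_RE.match(ln)
        if m and m.group(1) == "untrust" and m.group(2) == "all":
            findings.append(("HIGH", "untrust zone allows all host-inbound system "
                             "services; restrict to the services actually required"))

    # 3. Inter-zone policies that match any source, any destination, any application.
    any_fields = {}
    for ln in lines:
        m = POLICY_ANY_RE.match(ln)
        if m:
            any_fields.setdefault(m.group(1, 2, 3), set()).add(m.group(4))
    for (frm, to, name), fields in any_fields.items():
        permit = f"set security policies from-zone {frm} to-zone {to} policy {name} then permit"
        if frm != to and len(fields) == 3 and permit in present:
            findings.append(("MEDIUM", f"policy {name} ({frm} -> {to}) permits "
                             "any source, destination and application"))

    # 4. Duplicated statements: harmless to commit, but usually copy/paste residue.
    for ln, n in Counter(lines).items():
        if n > 1:
            findings.append(("LOW", f"statement repeated {n} times: {ln}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(parse_set_lines(SAMPLE_CONFIG)):
        print(f"[{sev}] {msg}")
```

Run against the sample it reports two HIGH findings (the permit-all default policy and `system-services all` on untrust), one MEDIUM (the trust-to-untrust any/any/any permit) and two LOW (the repeated rule-set lines). Matching on exact statement text keeps the rules cheap to extend: add a regex per setting you want to catch.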



Network Drive Files

Hi guys,

I believe we have a lot of old junk files dispersed throughout all the network drives that no one has accessed in a while. I was wondering if there is a way to generate a report of files that have not been accessed for a while. Probably a report with 2, 3, 4, 5 or older years back. This would allow us to bring these files to the attention of their owners to be removed. I was hoping to make our data footprint a bit smaller with some cleanup.

Any guidance would be much appreciated.

Thanks.
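One way to produce the report asked for above, as an added example that is not part of the post: walk a mounted path (a mapped network drive behaves the same), bucket each regular file by how long ago it was last used, and summarise count and bytes per bucket. The 2/3/4/5-year thresholds follow the question; the sample files and their back-dated timestamps are constructed inside the script.

```python
"""Report files on a share that have not been used for two or more years.

Added example, not from the post: walks a directory tree (a mapped network
drive works the same way), buckets every regular file by how long ago it was
last used, and summarises count and bytes per bucket so the owners can be
asked to clean up. The 2/3/4/5-year thresholds follow the question.
"""
import os
import stat
import tempfile
import time
from collections import defaultdict

YEAR = 365.25 * 24 * 3600
THRESHOLDS = (2, 3, 4, 5)  # years; a file lands in the largest threshold it exceeds


def last_used(st):
    """Best-effort 'last used' time. Many systems do not update atime
    (relatime/noatime on Linux, disabled last-access updates on NTFS), so a
    modification also counts as use and the later of the two stamps wins."""
    return max(st.st_atime, st.st_mtime)


def bucket_for(age_years):
    """Return the largest threshold the age exceeds, or None if under 2 years."""
    bucket = None
    for t in THRESHOLDS:
        if age_years >= t:
            bucket = t
    return bucket


def stale_report(root, now=None):
    """Return {threshold_years: [(path, size_bytes, age_years), ...]} for root."""
    now = time.time() if now is None else now
    report = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # removed meanwhile or access denied: skip, don't abort
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, etc. are not data to clean up
            age = (now - last_used(st)) / YEAR
            bucket = bucket_for(age)
            if bucket is not None:
                report[bucket].append((path, st.st_size, round(age, 1)))
    return dict(report)


def summarize(report):
    """Collapse a report into {threshold_years: (file_count, total_bytes)}."""
    return {t: (len(items), sum(size for _, size, _ in items))
            for t, items in report.items()}


def demo():
    """Build a constructed sample tree with back-dated timestamps and summarise it."""
    now = time.time()
    root = tempfile.mkdtemp(prefix="stale-demo-")
    ages = {"fresh.docx": 0.5, "old2.xlsx": 2.5, "old3.pdf": 3.2, "old5.bak": 7.0}
    for name, years in ages.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"x" * 1024)
        ts = now - years * YEAR
        os.utime(path, (ts, ts))  # set both atime and mtime into the past
    return summarize(stale_report(root, now))


if __name__ == "__main__":
    for years, (count, total) in sorted(demo().items()):
        print(f">= {years} years: {count} files, {total} bytes")
```

Point `stale_report()` at the share root instead of the demo directory to get the real list; the per-file tuples in the report carry the path and size needed to hand the list to an owner. The `last_used()` rule is the caveat that matters: on a share where atime updates are switched off, a pure access-time report would flag files that were read yesterday.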



How to Get into Networking

Hello all,

I have been in the IT field for about 8 years. I have been doing Helpdesk mostly desk-side support and active directory. My question is what certificates would you refer to get into a network Admin role? I currently only have work experience and no certs under my belt.

Thanks



Enterprise folks: what do you use for KD/How-to docs?

I work at a large enterprise where all of IT used to be outsourced, but we're just insourcing it back.

Being fairly large, we have a NOC, L3 and L4 teams, with L4 divided into different teams like Data Center and Branch networking. Unfortunately, we use SharePoint for documentation.

As all of you may know, SharePoint is great as a document repository. I haven't found it particularly useful for KB, how-to or deep architecture documentation with articles and embedded images.

What do you use that works? (i.e. decent RBAC, team 'spaces', editing capabilities).

- Confluence? (a little concerned about the cloud licensing, but would be glad to hear)

- Anything open source? (am open to spinning up our own thing and maintaining it if needed, we have resources)

- Please don't say Sharepoint or Teams!

- Anything else?

Thanks for all the help!



Help with creating direct link for one device across two routers

I am having a hard time figuring out the best way to solve an issue. We have a third party managed router that provides an ipsec tunnel for one laptop to a government entity. Every once in a while we lose connection to the government site and then a few days later it comes back. We currently have the router connected to our site router. We also have a static nat and two policies on our firewall that handle inbound and outbound connections. I want to remove the firewall as a potential issue. Here is where I get stuck. The laptop has a static ip address that hits a gateway on the third party router. This address is not part of our normal addressing scheme, it is an address that is part of the third party router network. It is then sent out another interface with an address on our network. This leads to our router, which hops to the core router, and then to the firewall. If I moved the third party router to our datacenter, what would be the best way to connect the laptop to the gateway? This would mean taking a laptop that needs to be on the same subnet as the gateway, but there would be two routers in between. The other option would be leaving it on site and creating a route that completely bypasses the firewall.

I do have a good bit of networking experience, but at the same time I am new to this job and am still learning how to properly configure a firewall.



DHCP Migration sanity check

https://ift.tt/2BiKbxo

Has anyone gotten an extension on the cisco intro to networking course?

I go to a university, and this 8 week course is about to end. To be honest, I'm only halfway done with the course. He gave us the final and said it was open internet, open book, everything, so I just googled stuff I didn't know.

I 100% need more practice for packet tracer. It says my course ends on October 31st. I'm going to go over all the stuff I'm iffy on. This class is accelerated. So it has been hard to keep up.

It's an intro to networks cisco course on net acad.



Bridging Public IPv4 Subnet

I have connected two network bridges of debian servers via OpenVPN bridging. One Server is within a DC with a public IPv4 Subnet. The other Server is in a private IPv4 Subnet behind a NAT. The Server behind the NAT is connecting to the public Server via an IP in the public IPv4 Subnet.

Basically everything is working great. I can connect devices via Ethernet to the Bridge on the NAT'ed Server and use the Public IPv4 Subnet through the OpenVPN Bridging.

But now I would like to assign a Public IP from the Subnet to the Server handling the OpenVPN tunneling. But If I do so it creates a route for the Public IP Subnet and thus it can't connect anymore to the OpenVPN Server in the same Subnet.

Is there a solution for such a kind of issue? For me it looks like I need a sort of second routing table.



King of Prussia, Penn - Tone/Tag

Hi All,

Is there anyone in here near King of Prussia that wants to make some cash and tone/tag 5-6 cables at about ~75-100 feet?

I've called 5 dif places and no one has gotten back to me.

Location is King of Prussia Penn.



So what is wrong with our switch??

Not sure if the right subreddit, please tell me I screwed up by posting in the wrong subreddit,

Anywho, back to the switch problem. So I logged in to my switch to do a firmware upgrade, the switch

It's an Aruba Aruba-3810M-48G-PoEP-1-slot

Anywho, checking logs and I see I am flooded with logs stating

Port 1 is now offline 04.15.16

Port 1 is now Online 04.15.18

Port 1 is now offline 04.15.20

Port 1 is now Online 04.15.22

Port 1 is now offline 04.15.24

Port 1 is now Online 04.15.26

Port 1 is now offline 04.15.28

Port 1 is now Online 04.15.30

Port 1 is now offline 04.15.32

Port 1 is now Online 04.15.34

Port 1 is now offline 04.15.36

Port 1 is now Online 04.15.38

Now let me tell you this: I was flooded with a whole day's worth of logs of this stupid garbage.

At first, I thought it was a faulty device, no biggie! Let me replace the PoE camera with a fresh one.

Next day, flooded with the same messages, so I thought, am I overloading the switch?

Nope, it's a 1050 watt switch, draws 50-55 watts by day, 80-120 watts of PoE at night for CCTV, NADA.

Double-checking logs, and it was a whole day of logs from day to night, so I know it's a night issue.

So I tried unplugging the device from port 1 and checking the logs, and it's telling me the same thing

We have around 15+ PoE cams, half of them non-night vision, and 10+ VoIP phones

Port 1 is now Online

Port 1 is now offline

Port 1 is now Online

Do you think we should RMA this device, since we tried everything from rebooting and restarting to factory defaults?

Since our team can't figure out if we should contact Aruba and RMA the device, or do more troubleshooting steps.

Again, I want to apologize if this is the wrong subreddit for this.

Also, this is a re-post since the bot is drunk.
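Eyeballing a day of those log lines is painful; counting them is the first step toward deciding whether it is one port, one time of day, or the whole switch. The script below is an added example, not part of the post: it parses lines of the form `Port N is now offline HH.MM.SS` as quoted above, counts genuine link-state changes per port (a repeated identical line is not a flap) and flags any port whose changes exceed a threshold inside a sliding time window. The timestamp layout is assumed from the post; a real syslog export carries a date and hostname that the regex would have to include.

```python
"""Flag flapping switch ports from the syslog lines quoted above.

Added example, not from the post: parses 'Port N is now offline HH.MM.SS'
lines, counts real link-state changes per port and reports any port with
more than a threshold of changes inside a sliding time window.
"""
import re
from collections import defaultdict

# Constructed sample: the port 1 sequence from the post, plus a stable port 2
# and one duplicated line, to show that repeats are not counted as flaps.
SAMPLE_LOG = """
Port 1 is now offline 04.15.16
Port 1 is now Online 04.15.18
Port 1 is now offline 04.15.20
Port 1 is now Online 04.15.22
Port 1 is now offline 04.15.24
Port 1 is now Online 04.15.26
Port 1 is now offline 04.15.28
Port 1 is now Online 04.15.30
Port 1 is now offline 04.15.32
Port 1 is now Online 04.15.34
Port 1 is now offline 04.15.36
Port 1 is now Online 04.15.38
Port 1 is now Online 04.15.38
Port 2 is now Online 04.15.25
"""

LINE_RE = re.compile(
    r"^Port (\d+) is now (online|offline) (\d{2})\.(\d{2})\.(\d{2})$", re.IGNORECASE)


def parse(lines):
    """Yield (port, state, seconds_since_midnight) for every line that matches."""
    for ln in lines:
        m = LINE_RE.match(ln.strip())
        if not m:
            continue
        port, state, hh, mm, ss = m.groups()
        yield int(port), state.lower(), int(hh) * 3600 + int(mm) * 60 + int(ss)


def transitions(lines):
    """Return {port: [timestamps]} of state changes. The first line seen for a
    port counts as a change from 'unknown'; an identical repeat is ignored."""
    events = defaultdict(list)
    last_state = {}
    for port, state, t in parse(lines):
        if last_state.get(port) != state:
            events[port].append(t)
            last_state[port] = state
    return events


def flapping_ports(lines, window_secs=60, threshold=5):
    """Return {port: max_changes_in_window} for ports exceeding the threshold."""
    result = {}
    for port, times in transitions(lines).items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= window_secs
            while times[end] - times[start] > window_secs:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            result[port] = best
    return result


if __name__ == "__main__":
    for port, n in flapping_ports(SAMPLE_LOG.splitlines()).items():
        print(f"port {port}: {n} link changes within 60 s -> flapping")
```

On the sample, port 1 shows 12 changes in 22 seconds and port 2 none, so only port 1 is reported. Feeding a full day's export through it and grouping by hour would confirm the "night only" pattern before the RMA conversation, and the same window logic carries over to an NMS trap feed.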



Tuesday, October 15, 2019

Lightweight AP provision issue - AP name invalid

Hi all,

I've got an AP that I'm trying to point to my WLC using flexconnect. Not sure why but it keeps rejecting the AP name, therefore I'm unable to statically assign an IP to point to the WLC.

The AP is booting into Cisco Controller mode and expects the following syntax:

config ap primary-base <Switch Name> <Cisco AP> <Switch IP Addr>

I configure the following:

(Cisco Controller) >config ap primary-base WLC1-5520 AP123 10.122.202.1

Cisco AP name is invalid.

The AP name is EAP123, as per the below config

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Build Info....................................... Engineering Special

Product Version.................................. 8.5.140.0

System Name...................................... EAP123

System Location..................................

System Contact...................................

System ObjectID.................................. 1.3.6.1.4.1.9.1.2370

IP Address....................................... 10.122.108.115

Last Reset....................................... 1: reload command

System Up Time................................... 0 days 0 hrs 1 mins 40 secs

System Timezone Location.........................

System Stats Realtime Interval................... 5

System Stats Normal Interval..................... 180

Configured Country............................... GB - United Kingdom

State of 802.11b Network......................... Enabled

State of 802.11a Network......................... Enabled

Number of WLANs.................................. 1

--More-- or (q)uit

Number of Active Clients......................... 0

OUI Classification Failure Count................. 0

Memory Current Usage............................. 64

Memory Average Usage............................. 64

CPU Current Usage................................ 4

CPU Average Usage................................ 12

Flash Type....................................... Compact Flash Card

Flash Size....................................... 1073741824

Burned-in MAC Address............................ removed for reddit

Maximum number of APs supported.................. 100

System Nas-Id....................................

WLC MIC Certificate Types........................ SHA1/SHA2

The AP is an AIR-2802I-Z-K9. Admittedly, this is the first time I've had to provision one of these in lieu of an AIR-2802I-E-K9. P.S. I cannot use CAPWAP DNS or connect locally to the controller. Usually this is much simpler and the syntax appears different from what I am expecting; I am assuming the software image is completely different, perhaps a CAPWAP provisioning image?

I also tried the following:

(Cisco Controller) >config ap unifiedmode WLC1-5520 10.122.202.1

Warning! Sending config unifiedmode to all APs will cause the WLC to be rebooted.

Are you sure you want to continue? (y/n) y

Cisco AP/SWITCH name is invalid.



Learning about Failovers and VLANs

In an effort to improve cross-business performance for things like IP phones, data storage and centralized server application access, I’ve decided to try linking our buildings via a wireless point to point link. These properties are across public roads, so a wired link between them is not an option.

The concept is simple, but I believe I’ve gotten myself confused about some things and I’d like a second opinion.

I have essentially two networks which have independent internet connections and networks. Currently the phones are all interconnected and hosted through the main site, accessed through a site to site VPN. While this is stable, I don’t have much bandwidth. To solve this issue, I’ve added a point to point link, and unfortunately it cannot be connected directly to the router on both ends. (see the diagram).

I’d like to configure the link to support multicast across both ways, and while I was able to get the link working earlier today, multicast did not appear to be working properly. This could be a firewall issue but I’d like to know if there is anything you can see wrong with this diagram.

(The diagram isn’t exactly my network and it’s possible that I’ve made a mistake at replicating it for you, but I did indeed have a working connection over the link for RDP and file sharing earlier)

https://imgur.com/a/2ZcAvJY

As for how I configure the actual failover, it seemed to fail over fine using this guide

https://www.sonicwall.com/support/knowledge-base/configuring-vpn-failover-using-static-routes-and-network-monitor-probes/170504720505274/



Fiberstore horror story

I don't have the time nor inclination to write up a huge post so I'll keep it succinct.

Bought the 8 port PoE injector from FS because I didn't want the hassle of trunking a PoE switch to my non PoE core switch. It arrives after ONE MONTH. I rack it up and plug it in with a good quality power cable (came with a chinese plug). Turns on fine, all LEDs light up. Start plugging some 802.3af compliant stuff in (phones and APs). They turn on for a split second then off again. Popping sounds come from the FS injector.

FS injector is dead and so is hundreds of dollars worth of stuff plugged in. FS account manager has approved my RMA request but is only offering a 4% discount on future orders, no compensation for the destroyed equipment.

I've learnt my lesson, buy a name brand for anything you care about. I now don't recommend FS for anything other than cables and transceivers because those can't fuck up.



How (If possible) can I create multiple routes for RDP connections when the request will always include port 3389?

Here's the scenario along with my current setup and what I'm working with. I'll preface this by stating I'm a tech enthusiast, not by trade, so try not to cringe at this question.

I have a server in location x. This server hosts two Windows virtual machines. Windows 10 instance #1 RDP port listens on port 3389 and Windows 10 instance #2 listens on port 3399.

The server is sitting behind a pfsense router. I use a dynamic DNS with NameCheap to redirect all traffic from mywebpage.com to my WAN address. I have set a port forwarding rule so that all RDP requests on port 3389 are forwarded to my virtual machine instance #1. This works perfectly fine. I have another port forwarding rule for requests from port 3399 to go to instance #2. So mywebpage.com:3399 will route to Windows 10 instance #2. This also worked fine.....mostly. Until I encountered an issue.

I have client machines behind firewalls that I cannot control which can ONLY make RDP connections using port 3389. And here lies the dilemma.

Circling back to my initial question, is it possible to use some sort of combination of NGINX and port forwarding rules on pfsense to allow the initial query to request an RDP connection using port 3389, but be able to connect to a different local IP on the server?

Is this sequencing practical/logical/possible?

Windows RDP Software request mywebpage.com:3389 ---> My WAN address @ port 3389 ----> Local IP of Windows Client #1 @ port 3389

Windows RDP Software request rdpsubdomain.mywebpage.com:3389 ----> NGINX listening for subdomain "rdpsubdomain" -----> Proxy_Pass to Local IP of Windows Client #2 @ port 3399 (I assume if this sequence worked, 3389 would work too).

Any quick info or tips on how this can or can't work?



Shaw (Canada) route issue. Any staff out there?

Any Shaw network staff that might be willing to checkout a weird routing issue? PM and I'll send you the IP addresses.

I have a /28 which is part of a bigger /22 that a 3rd party is advertising and is assigned by them. 2 of the IP addresses within the middle of the /28 are being routed to somewhere else. Multiple traceroutes seem to point the issue somewhere between 24.244.6.118 and 206.174.218.2

From my home, the working IPs within the /28 have an average of 40ms with 12 hops and the bad IPs have an average of 17ms with 9 hops.

Using traceroute services outside of Canada, the traffic goes over the HE network, which is properly routing the 2 IP addresses, and I'm able to verify that by using a 3rd party VPN service.

First time I have run into an issue where there might be a route issue and there is a ping response.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Linux eager to fail TCP Fast Open

I was trying to test a few servers for TCP Fast Open support. After some failed attempts, my client stopped sending fast open cookie request entirely, and it wouldn't send them until I restarted. After some looking around, I found that Linux disables client-side TCP Fast Open globally, for an hour, then 2,4,8 hours, if it encounters 3 consecutive timeouts. I only learned this because I looked at the kernel source code: https://github.com/torvalds/linux/blob/master/net/ipv4/tcp_fastopen.c#L553

I think this is very significant. Is this documented anywhere? I don't see it mentioned in the RFC: https://tools.ietf.org/html/rfc7413

at least not globally on the client side. Do people know about this? Any reference would be helpful. Thank you!
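To reason about what a test client will do after a few failures, here is a small state machine modelling the back-off the post describes. It is an added example, not kernel code: three consecutive timeouts on a TFO attempt disable active TFO host-wide for one hour, doubling on each repeat. The 3 / 3600 s constants are taken from the post, and the reset rule (a completed TFO handshake clears both counters) is an assumption about the behaviour, not read from the kernel source.

```python
"""Model of the client-side TCP Fast Open blackhole back-off described above.

Added example, not kernel code. Constants are taken from the post; the reset
rule (a successful TFO handshake clears both counters) is an assumption.
"""

INITIAL_DISABLE_SECS = 3600  # "for an hour" in the post
CONSECUTIVE_TIMEOUTS = 3     # "3 consecutive timeouts" in the post


class TfoClientState:
    """Host-wide (not per-destination) TFO enable/disable state for a client."""

    def __init__(self, now=0):
        self.now = now
        self.consecutive_timeouts = 0
        self.disable_times = 0        # how many back-offs in a row so far
        self.disabled_until = None    # absolute time, or None when enabled

    def tfo_enabled(self):
        """True if the client would send a cookie request / SYN-with-data now."""
        return self.disabled_until is None or self.now >= self.disabled_until

    def on_timeout(self):
        """A SYN carrying TFO data (or a cookie request) got no answer.
        Returns the new disable period in seconds when a back-off is triggered."""
        if not self.tfo_enabled():
            return None  # a plain SYN was sent, so this timeout is not TFO evidence
        self.consecutive_timeouts += 1
        if self.consecutive_timeouts < CONSECUTIVE_TIMEOUTS:
            return None
        self.consecutive_timeouts = 0
        self.disable_times += 1
        period = INITIAL_DISABLE_SECS << (self.disable_times - 1)  # 1h, 2h, 4h, 8h ...
        self.disabled_until = self.now + period
        return period

    def on_success(self):
        """A TFO handshake completed: treat the blackhole as gone and reset (assumption)."""
        self.consecutive_timeouts = 0
        self.disable_times = 0
        self.disabled_until = None

    def advance(self, secs):
        self.now += secs


def simulate(events):
    """Run a list of 'timeout' | 'success' | ('wait', secs) events.
    Returns (list of disable periods triggered in seconds, final state)."""
    st = TfoClientState()
    periods = []
    for ev in events:
        if ev == "timeout":
            p = st.on_timeout()
            if p is not None:
                periods.append(p)
        elif ev == "success":
            st.on_success()
        else:
            st.advance(ev[1])
    return periods, st


if __name__ == "__main__":
    periods, st = simulate(["timeout"] * 3 + [("wait", 3600)] + ["timeout"] * 3)
    print(periods, "TFO enabled now:", st.tfo_enabled())
```

The practical consequence for a test harness is visible in `on_timeout()`: once disabled, further timeouts are not counted, and only elapsed time (or, under the modelled reset rule, a successful TFO exchange after re-enablement) gets the client sending cookie requests again. Three timeouts, a one-hour wait and three more timeouts yields periods of 3600 and then 7200 seconds. On kernels that expose it, the initial period is the sysctl `net.ipv4.tcp_fastopen_blackhole_timeout`, and setting it to 0 turns the detection off; check your kernel's `ip-sysctl` documentation for the default, which has changed between versions.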



Does anyone have any opinions about ZPE?

I've recently encountered ZPE, and specifically their service router, while looking at OOB management options.

What I haven't found is any pricing information on it, or any user commentary.

Has anyone used their kit? Is it great? Does it suck?

What's the cost like compared to other (cough, opengear, cough) options?



Quick-ish MTU question - C3850's, port-channels and jumbo frames

Without trying to go into too much pointless background info

I have a 3850 stack with a number of LAGs providing converged network services to some VMware and Hyper-V hosts.

I was trying to enable jumbo frames (system mtu 9198) and all my things broke. Of course it was during the day - so I hurriedly put it back to 1500.

Looking at the logs, it appears that it was going through and individually assigning the new MTU to the physical interfaces, and I may have panicked.

The question is - would eventually all physical interfaces in the LAG get the correct MTU, port-channels recombine, and happiness resume on the network if I had just waited another minute or two?



Test plan for a WAF

Hello wonderful people. Hope you're all doing well. I am soon doing a POC for a cloud hosted WAF with my company. This is my first time deploying one but I know what it does and what to look for. I would like to know from you folks what a test plan should look like and what the criteria for a successful POC should be. I will appreciate your input.



Need help please

Networking is not my thing as I do desktop support, but tomorrow as a colleague is ill I’m being asked to do a hard loop back on a circuit. It’s being presented in MM fibre and I need to do an end to end test on cable because Networks are unable to connect to router once plugged in. The circuit is long-lined from handover mux, to a patch panel then a 3m cable to router.

I have a Fibre loop back so am I right in thinking I can use a “joiner” with loop back on one side and plug circuit into joiner?

Sorry if it’s an obvious to you guys but this is way above my pay grade and I’m flapping. Hope you understand what I’m asking



Whitebox reviews?

Recently discovered FS.com and their switches, I feel like I can buy two for the price of one. I'm in the market for a 10/40gig datacenter switch. Can I trust a pair to provide the always on environment? Any recommendations of blogs? Thanks



How to NAT a public IP block in a different subnet?

A new ISP provided me with a block of 5 static public IP addresses to use. However, they are in a different subnet from the main WAN and my router complains when I try to use its 1-1 NAT function to tie one of those public IPs to an internal private IP.

I am thinking I am dealing with something I am unfamiliar with like a Static Routing Table?

Any guidance will be appreciated, thank you!



DDI on a budget

We currently have a single Windows DHCP server, AD servers as DNS servers and another Linux DHCP server for some networks. The Windows part is hard to monitor, and the Linux DHCP has been taken down a few times by someone directly editing the files and leaving a typo and then restarting the dhcpd, and no one could get an address.

So I'm wondering what would be our options to do better DHCP/DNS/IPAM stuff without really paying in anything else than work hours. We have Linux guys we can borrow and of course students/interns we can "borrow" :) But we don't have the money to get Infoblox.

I'm hoping for a system where we could register a network/IP address/etc and that would automatically propagate to DNS and DHCP servers, and the DHCP servers would be in a cluster. And we would have some sort of reporting who used what IP and where.

Netbox is probably the I in the DDI? And then dhcpd or should we go with Kea? Internal DNS should probably be at Active Directory servers as we have lots of Windows computers? We have FortiADCs for external DNS stuff; I think they could handle the requests from the internet and we could do zone transfers to those.

Any experiences setting this kind of budget DDI? Or any tips what to do and what to avoid?

Thanks!



Any tips for getting colleagues interested in automation?

I'm interested in the possibilities to do some small scale automation like using Ansible to configure new switches, make sure all the switches behind the routing switch have correct VLANs, loop through the building's network to build graphviz maps and to check if all the devices are included in the monitoring/backup/etc solutions.

However some of my more vocal colleagues are saying that it's for nothing as it doesn't really take that long to install a new switch or go to the configs and add those VLANs. Not really sure why we then have that many colleagues but I guess they'd argue that the physical installation and problem solving is something that takes time.

Any tips how to convince them to get on board for automating stuff or are they correct and it's a waste of time :) ? Usually they also use something like "come to the site and do the actual work yourself and see" as I'm in a more senior position and also do stuff like managing the firewalls etc. that doesn't require on site presence.

One I've also heard is "what about when your scripts break everything" when talking about for example creating new VRFs and BGP peering links from those VRFs to firewall.

Or do you maybe have examples of good projects that you started with?

Thanks for any tips!



Vendor Differences in PoE Allocation

Hoping to get some external input on a PoE topic that's been bouncing around my team lately.

In Aruba's world we're getting feedback that the ProCurve switches will provide the exact power needed based on the connected PD + any accessories (eg USB or PD pass through). So if an AP needs 10.3W, it gets exactly that from the switch. I tested this on an older 5406 and the switch does seem to be calculating PoE utilization in this manner.

Conversely, on the Ruckus side of things we're being told that the ICX switches will allocate the full power for whichever PoE-class the PD reports to the switch. So if an AP reports itself as Class 3, the switch apparently reserves a full 15.4W to that port even if the AP is only drawing ~12W. Another source has also told us this behavior is configurable to behave like Aruba, but I have not been able to verify and I don't have an ICX switch on hand to test it myself.

The AP datasheets are adding their own confusion to the mix:

  • Aruba AP-303H DS says 9.7W for max idle, + 6.1W for USB + 15.6W for PD pass through = 31.4W worst-case (??)

  • Ruckus H510 DS (<PDF) says 9.2W for max idle or 12.95W total max with PD pass through - no mention of the USB draw at all

This can make a huge difference in total switch counts at bigger sites depending on how you do the math, and also makes cross-vendor comparison builds really difficult. What have you all heard and/or experienced in the field when calculating PoE requirements?



Should I shape Metro Ethernet?

Hi there. We have several p2p metro ethernet circuits but they're all sub-rate. They're all connected to 1Gbps interfaces but some of the bandwidth ranges from 200 to 400M. We do shaping facing our MPLS wherein they're connected to 1Gbps interfaces as well but we shape it to 300M. Should I do the same for the Metro-E circuits?



Network Monitoring Factors for Prioritization

Hey r/networking, I'm Cisco! I'm a first-time poster here so be gentle. I am in my final year of university and I'm doing a final year project about Network Monitoring software. I'm currently in the research phases of this project and I've become kinda stumped with something. What should I look for in network monitoring software and what factors should be prioritized over others? The network scope would be for a small business.



Fibre Connection Shows Signal but no Link

Hi,

I'm really sure I made a configuration error but I just can't find it. I hope you can help.

One side is an HP FlexFabric with a compatible 10Gb LR LC SFP+ and the other side is an Aruba 2930F with the same SFP+. In between is a third-party fibre.

I finally have a Connection:

 Transceiver in 27
 Interface Index : 27
 Type : SFP+LR
 Model : J9151E
 Connector Type : LC
 Wavelength : 1310nm
 Transfer Distance : 10.0km (9um),
 Diagnostic Support : DOM
 Serial Number : CN93KBW1PF
 Status
 Temperature : 41.875C
 Voltage : 3.2966V
 Tx Bias : 36.008mA
 Tx Power : 0.6243mW, -2.046dBm
 Rx Power : 0.3038mW, -5.174dBm

But I have no link on the port. Here is the config on the HPE side:

 interface Ten-GigabitEthernet1/2/11
  port link-mode bridge
  description Link
  port link-type trunk
  port trunk permit vlan all
  port trunk pvid vlan 21

and here is the Aruba-Side:

 hostname
 module 1 type jl255a
 snmp-server community unrestricted
 snmp-server contact location "
 vlan 1
    name "DEFAULT_VLAN"
    no untagged 4,24,27-28
    untagged 1-3,5-23,25-26
    no ip address
    ip igmp
    ipv6 enable
    ipv6 address dhcp full
    exit
 vlan 21
    name
    untagged 24,28
    tagged 27
    ip address 192.168.21.20 255.255.255.0
    exit
 vlan 81
    name
    untagged 4
    tagged 27-28
    no ip address
    exit
 vlan 91
    name "
    tagged 27-28
    no ip address
    exit
 vlan 101
    name
    tagged 27-28
    no ip address
    exit
 vlan 111
    name
    tagged 27-28
    no ip address
    exit
 vlan 121
    name
    tagged 27-28
    no ip address
    exit
 vlan 131
    name
    tagged 27-28
    no ip address
    exit
 vlan 144
    name
    tagged 27-28
    no ip address
    exit
 vlan 171
    name
    tagged 27-28
    no ip address
    exit
 spanning-tree
 allow-unsupported-transceiver

I have no idea why I don't have a link... any Tips?



Security Engineering careers

Good Morning All,

I have been looking at pursuing something similar to a Master of Science in Information Security Engineering and wanted to reach out to see if anyone here has gone down that road.

An example would be from a place like this https://www.sans.edu/academics/masters-programs/msise#curriculum

I've been engrossed in ICS-CERT security releases and how people actually go about discovering those flaws.

Currently about 9 years network engineering experience with my NP security and RS. I keep pushing off the IE lab because it just doesn't spark that passion. I get it and then what?

If anyone has pursued this career path I would really appreciate being able to ask some questions if possible.

Thanks!



Datacenter failover scenarios presentation

So I need to put together some failover scenarios for our datacenters - like current failover solution and what we want (some options). What would be a good way to visualize this? Audience is IT folks but most with limited network knowledge.



Do I want SDWAN, or something else?

Hello! One-man-band small business here and I need some design advice. My go-to vendors don't understand how to help me design what I'm looking for.

What I have:

  • Public-facing apps: Websites, SFTP Servers, SIP Connectivity to multiple carriers

  • Two sites. Most apps are hosted from Prod site. Some apps (websites) are at both sites. More Complex apps are failover with our datacenter (SFTP Server) or have IP failover with vendor (SIP). DR Site is a colo with my equipment.

  • Currently, have a slow, small, MPLS for replication and layer2 PROD<>DR Connectivity.

  • Complex public app DR with DNS Failover

  • Too small for BGP (only 15-20 public apps)

  • Aging out Palo Alto firewalls (but I like PA, so new ones)

What I want:

  • Carrier agnostic connectivity - direct internet circuits only - two at each site - 1GB each

  • Public users (like websites and SIP) connect to one place. That place is always up, or failover is transparent. In other words, a simple website (www.mysite.com) can live in multiple physical locations and requires no DNS failover or BGP to work when internet or a location goes down

  • fast replication between the sites (using Nutanix AHV across the board)

  • Simple config/maintenance for changes because I don't have a network team

Do I want SDWAN?

Here's a dream graphic. Each arrow line is a different DIA to some magical place where my apps' public footprint lives.

https://imgur.com/a/L12C7YS

TIA