Saturday, November 2, 2019

Masergy SD-WAN

Hello

Does anyone know if Masergy uses a specific vendor (or vendors) for their SD-WAN offering, or whether it is a custom in-house developed product?

Many thanks. Pankaj



Commercial HTTPS proxies that allow inline HTTP payload modification?

I need to modify the payload of an HTTP POST request to a particular HTTPS webapp.

I've managed to do it using a short Python script in mitmproxy, just to test things.

However, I'm wondering which commercial MITM proxies allow you to modify HTTP request payloads inline?

A lot of products seem to have their documentation and help articles behind paywalls/subscription only, which is actually quite frustrating when you're trying to evaluate things like this 🙁.

PAN has an article on modifying headers but I don't see payloads mentioned.

"HTTP Header Insertion and Modification" https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/app-id-features/http-header-insertion.html
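The kind of mitmproxy script the post describes, written out as an added example (it is not the poster's script and not from any vendor). The editing function depends only on the standard library, so it can be exercised on its own; the request() hook at the bottom is what mitmproxy calls when the file is loaded with mitmdump -s. TARGET_HOST and FIELD_OVERRIDES are assumptions standing in for the real webapp and the fields being changed.

```python
"""Rewrite the body of an HTTP POST in transit.

Added example for this page, not the poster's script. rewrite_post_body()
does the editing and depends on nothing but the standard library, so it can
be tested on its own; request() is the mitmproxy addon hook that calls it
(load with `mitmdump -s rewrite_post.py`). TARGET_HOST and FIELD_OVERRIDES
are assumptions standing in for the real webapp and fields.
"""
from __future__ import annotations
import json
from urllib.parse import parse_qsl, urlencode

TARGET_HOST = "app.example.com"                    # assumption: only this host is touched
FIELD_OVERRIDES = {"quantity": 1, "role": "user"}  # assumption: fields to force


def rewrite_post_body(content_type: str, body: bytes) -> tuple[bytes, bool]:
    """Return (new_body, changed). Form-encoded and JSON bodies are edited;
    any other content type is returned untouched."""
    ctype = (content_type or "").split(";")[0].strip().lower()
    changed = False
    if ctype == "application/x-www-form-urlencoded":
        fields = dict(parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True))
        for name, value in FIELD_OVERRIDES.items():
            if name in fields and fields[name] != str(value):
                fields[name] = str(value)
                changed = True
        return (urlencode(fields).encode() if changed else body), changed
    if ctype == "application/json":
        try:
            data = json.loads(body)
        except ValueError:
            return body, False              # malformed JSON: never forward a guess
        if not isinstance(data, dict):
            return body, False
        for name, value in FIELD_OVERRIDES.items():
            if name in data and data[name] != value:
                data[name] = value
                changed = True
        return (json.dumps(data, separators=(",", ":")).encode() if changed else body), changed
    return body, False


try:
    from mitmproxy import http    # present only when running under mitmproxy
except ImportError:               # pragma: no cover
    http = None


def request(flow: "http.HTTPFlow") -> None:
    """mitmproxy addon hook: runs on each client request before it is forwarded."""
    req = flow.request
    if req.method != "POST" or req.pretty_host != TARGET_HOST:
        return
    new_body, changed = rewrite_post_body(req.headers.get("content-type", ""), req.content or b"")
    if changed:
        req.content = new_body   # assigning .content makes mitmproxy update Content-Length
```

This only works because mitmproxy terminates TLS, so the client has to trust the mitmproxy CA (or pin nothing). The equivalent capability to look for in a commercial appliance is TLS interception plus a request-scripting hook that exposes the body; header insertion on its own, as in the PAN article linked above, does not reach the payload.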



Love your job but want to learn more?

Does anyone else experience this with their career?

I absolutely love my job. I'm an IT Manager and my boss is the CEO. However, the CEO is an Operations guy and has no IT experience. So it's tough for me to learn from someone who has experience in the field.

I absolutely love what I do. I'm a jack-of-all-trades type, the only IT guy in the company, but I'm terrified of not being competitive in the market because I spent so much time riding this gravy train and not learning anything new.

Most of my work nowadays is Project Management for software implementations.

Just curious what ratio of folks in this sub have stayed where you were or had to venture out because you knew you needed more knowledge?



Wireless roaming from Cisco to Aruba

We're starting to replace our Cisco wireless LAN with Aruba, starting with our new building that's finishing soon. There is a connecting hallway from the older building, and I'm wondering what happens when wireless clients move from the Cisco network to the Aruba one. How smooth is the transition if we drop the clients into the same VLAN on the controller side and use the same RADIUS servers (ClearPass in our case)?

There are some special devices like some self driving forklifts that use wireless, not really sure though how they communicate.

I can test this once the building completes but I'm curious if anyone has experiences with this. Is there something we could configure to make the roaming better? There are some 802 standards for roaming but I'm guessing those are used when the different wireless networks terminate to different IP subnets?

Thanks for any ideas!



Where can I buy a CAT 7 or 8 Ethernet cable besides Amazon?

Best Buy, Target, every store I check only has up to CAT 6???



How to upload, maintain, & update Assets that cannot be on the network

BRIEF OVERVIEW

Hi everyone, I have an issue. My company is trying to move its asset management data to Spiceworks. This was previously managed using an Excel sheet. My company is an MSP and we are looking to also introduce this to our client tenants. Also, we would like to be able to monitor the inventory of the clients as well for documentation.

OBSERVATION

I have tested the Spiceworks asset manager, did a network scan of inventory and I have seen all the detailed goodness it can provide for managing devices that can be connected on the network, for example, printers, laptops, desktops, scanners, copiers, mobile phones, etc.

PROBLEM

But my problem is about devices that cannot be on the network, for example physical tools, chairs, desks, appliances, cables, etc., and other stuff that is in an office but cannot be put on the network. How are these managed in Spiceworks asset manager?

QUESTIONS

Is it possible to manage devices that are not connected to the network in Spiceworks asset manager?

How do I upload these OUT-OF-NETWORK items to the database?

how are these OUT-OF-NETWORK item records in the database updated and maintained? (for example, I want to state that this specific laptop disconnected from the network was upgraded from a 4gig ram to 8gig, or a vendor serviced an appliance on a given date and is due for servicing on another given date)

Also, does this mean only one administrator gets to update the database for the various department's inventories that are in the company? or how do the various department have access to update the inventory for their various teams?

If possible, how can this solution be deployed by an MSP to tenants and how can tenants' various department database assets be maintained both at their location and centrally from our company (the MSP)?

If this cannot be achieved by Spiceworks, is there any solution to achieve what I'm asking for??

Any assistance available will be highly appreciated



Cisco Site having issues once again

HTTP Status 500 - An exception occurred processing JSP page /jsp/session_check.jsp at line 18

type Exception report

message An exception occurred processing JSP page /jsp/session_check.jsp at line 18

description The server encountered an internal error that prevented it from fulfilling this request.

exception

org.apache.jasper.JasperException: An exception occurred processing JSP page /jsp/session_check.jsp at line 18

15:     if (SessionHelper.isSessionValid(session) == false)
16:     {
17:         //logger.info("Session is invalid");
18:         SessionHelper.createSession(request);
19:     }
20:
21: %>

Stacktrace:
    org.apache.jasper.servlet.JspServletWrapper.handleJspException(Unknown Source)
    org.apache.jasper.servlet.JspServletWrapper.service(Unknown Source)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(Unknown Source)
    org.apache.jasper.servlet.JspServlet.service(Unknown Source)
    javax.servlet.http.HttpServlet.service(Unknown Source)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(Unknown Source)
    com.cisco.lcmt.core.servlet.SessionFilter.doFilter(SessionFilter.java:105)
    com.cisco.lcmt.filter.RequestFilter.doFilter(RequestFilter.java:219)

root cause

javax.servlet.ServletException: com.cisco.lcmt.exception.LCMTException: SYSTEM_EXCEPTION - Error while getting records from LC_USER SQL : Select * from LC_USER where upper(USERID) = ? and upper(USER_TYPE) = ? Constraints: {USER_TYPE=CCO, USERID=}: Active User with id () and type (CCO) is not found in db
    org.apache.jasper.runtime.PageContextImpl.doHandlePageException(Unknown Source)
    org.apache.jasper.runtime.PageContextImpl.handlePageException(Unknown Source)
    org.apache.jsp.jsp.error_005fpage_jsp._jspService(error_005fpage_jsp.java:486)
    org.apache.jasper.runtime.HttpJspBase.service(Unknown Source)
    javax.servlet.http.HttpServlet.service(Unknown Source)
    org.apache.jasper.servlet.JspServletWrapper.service(Unknown Source)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(Unknown Source)
    org.apache.jasper.servlet.JspServlet.service(Unknown Source)
    javax.servlet.http.HttpServlet.service(Unknown Source)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(Unknown Source)
    com.cisco.lcmt.core.servlet.SessionFilter.doFilter(SessionFilter.java:105)
    com.cisco.lcmt.filter.RequestFilter.doFilter(RequestFilter.java:219)

root cause

com.cisco.lcmt.exception.LCMTException: SYSTEM_EXCEPTION - Error while getting records from LC_USER SQL : Select * from LC_USER where upper(USERID) = ? and upper(USER_TYPE) = ? Constraints: {USER_TYPE=CCO, USERID=}: Active User with id () and type (CCO) is not found in db
    com.cisco.lcmt.usermgmt.UserMapper.get(UserMapper.java:190)
    com.cisco.lcmt.usermgmt.User.get(User.java:773)
    com.cisco.lcmt.session.SessionHelper.setLoggedInUser(SessionHelper.java:58)
    com.cisco.lcmt.session.SessionHelper.createSession(SessionHelper.java:195)
    org.apache.jsp.jsp.error_005fpage_jsp._jspService(error_005fpage_jsp.java:166)
    org.apache.jasper.runtime.HttpJspBase.service(Unknown Source)
    javax.servlet.http.HttpServlet.service(Unknown Source)
    org.apache.jasper.servlet.JspServletWrapper.service(Unknown Source)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(Unknown Source)
    org.apache.jasper.servlet.JspServlet.service(Unknown Source)
    javax.servlet.http.HttpServlet.service(Unknown Source)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(Unknown Source)
    com.cisco.lcmt.core.servlet.SessionFilter.doFilter(SessionFilter.java:105)
    com.cisco.lcmt.filter.RequestFilter.doFilter(RequestFilter.java:219)

note The full stack trace of the root cause is available in the Apache Tomcat/7.0.70 logs.



[Question] Typical Entry Level Careers

Hello there. I graduate from university in May 2020 and I am wondering, what are the typical entry level jobs for students in the networking/security field? Like I would like to start out as an security analyst, but I hear that you should work in networking a bit before so, so now I am confused on what jobs I should be looking at.



Cisco DNAC Rant

Am I stupid? Or is this thing extremely stupid and non intuitive to set up? Every step of the process has been a pain in the ass.



Network Services Billing tool/app/system

Our network is getting bigger and bigger, and my team would like to build an internal billing system to associate network resource usage with specific departments or teams.

For example, we provide centralized Internet to many location/offices, we would like to give visibility and eventually bill individual location based on their real usage. The idea would be to become a "carrier/isp" within our business.

I know where/how to collect stats and/or usage data, but I've never worked to integrate this data into some sort of billing system. I'm beginning my exploration phase. I'll have to talk to internal teams (procurement/accounting) to know which app they use to bill other services (not network related).

On the more technical side, I'm wondering where/how to store billing-related data. My first intuition is to simply use our network management platform to collect the information (stats, usage, etc.), then "push/pull" this data into a crunching system (calculate the 95th percentile, calculate the number of ports in use, consolidate/aggregate some data for redundant services, etc.). Finally, this "crunched" data would go into a billing system and a service/price would be associated with it.

Any tips, ideas, experience with "network data" to "service billing" would be appreciated.
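The "crunching" step of the post, worked through for the one calculation it names, the 95th percentile. This is an added example, not the poster's tooling. Its input is the shape any NMS can export, one (site, bytes_in, bytes_out) counter delta per polling interval; the sample data is constructed ("hq" runs flat at 10 Mbps with a single 100 Mbps burst, "branch" flat at 50 Mbps) and the polling interval, price per Mbps and committed minimum are assumptions.

```python
"""Bill a site on the 95th percentile of its measured rate.

Added example, not the poster's tooling. Input is what any NMS exports:
one (site, bytes_in, bytes_out) counter delta per polling interval. The
sample data is constructed: "hq" runs flat at 10 Mbps with one 100 Mbps
burst, "branch" runs flat at 50 Mbps. Polling interval, price and commit
are assumptions; the "greater of in/out per sample" rule is the usual
carrier convention and is the one choice to confirm with accounting.
"""
from __future__ import annotations
from collections import defaultdict

INTERVAL_S = 300           # assumption: 5-minute counters
PRICE_PER_MBPS = 2.0       # assumption: internal price per billable Mbps
COMMIT_MBPS = 20.0         # assumption: minimum billed rate per site

STEADY_10M = 375_000_000      # bytes in 300 s at 10 Mbps
BURST_100M = 3_750_000_000    # bytes in 300 s at 100 Mbps
STEADY_50M = 1_875_000_000    # bytes in 300 s at 50 Mbps
SAMPLES = ([("hq", STEADY_10M, STEADY_10M // 4)] * 19 + [("hq", BURST_100M, STEADY_10M)]
           + [("branch", STEADY_50M, STEADY_50M)] * 20)


def sample_rate_mbps(bytes_in: int, bytes_out: int, interval_s: int = INTERVAL_S) -> float:
    """Greater of the two directions, as most transit contracts measure it."""
    return max(bytes_in, bytes_out) * 8 / interval_s / 1e6


def percentile_95(rates: list[float]) -> float:
    """Drop the top 5% of samples; the highest survivor is the billable rate."""
    if not rates:
        raise ValueError("no samples in billing period")
    ordered = sorted(rates)
    idx = (95 * len(ordered) + 99) // 100 - 1      # ceil(0.95 n) - 1, in integers
    return ordered[idx]


def bill(samples, price: float = PRICE_PER_MBPS, commit: float = COMMIT_MBPS) -> dict:
    """Per-site invoice lines: peak, p95, billable rate (never below commit) and charge."""
    per_site: dict[str, list[float]] = defaultdict(list)
    for site, b_in, b_out in samples:
        per_site[site].append(sample_rate_mbps(b_in, b_out))
    invoice = {}
    for site, rates in sorted(per_site.items()):
        p95 = percentile_95(rates)
        billable = max(p95, commit)
        invoice[site] = {"samples": len(rates), "peak_mbps": max(rates),
                         "p95_mbps": round(p95, 3), "billable_mbps": billable,
                         "charge": round(billable * price, 2)}
    return invoice
```

Two practical notes: over a month of 5-minute samples (8640) the discarded 5% is 432 samples, about 36 hours of burst that a site gets for free, which is exactly what makes p95 billing acceptable to the billed party; and the byte deltas must come from 64-bit (HC) interface counters, because a 32-bit counter wraps in under 35 seconds at 1 Gbps and the wrapped delta looks like a burst.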



Can't apply firewall to WAN

Hi,

I've got an issue that I've been working on for a while that I was hoping someone could provide some insight on. We have google fiber and whenever I try to apply an ACL on the WAN interface I lose internet access. The WAN interface is DHCP, and I have the static IP on a subinterface and a couple of port forwards and a routed ipsec tunnel.

Basically I'm trying to apply OUTSIDE_IN to GigabitEthernet0/0/1 via:

ip access-group OUTSIDE_IN in

Basically I just want a firewall on the WAN that only allows the port forwards and the IPSEC. I'm somewhat of a novice here and I really appreciate any insight. Happy to answer any questions.

Here's the obfuscated config:

crypto isakmp policy 26
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key KEY_IPSEC address IPSEC.PEER.IP.2
crypto ipsec transform-set EBIZ26 esp-3des esp-sha-hmac
 mode tunnel
crypto map EBIZ local-address GigabitEthernet0/0/1.1
crypto map EBIZ 26 ipsec-isakmp
 set peer IPSEC.PEER.IP.2
 set transform-set EBIZ26
 set pfs group2
 match address ACCESS_LIST_IPSEC
interface GigabitEthernet0/0/1
 ip address dhcp
 no ip unreachables
 ip nat outside
 negotiation auto
 crypto map EBIZ
interface GigabitEthernet0/0/1.1
 encapsulation dot1Q 20
 ip address WAN.IP.ROUTING.178 255.255.255.248
 ip access-group OUTSIDE_IN in
 crypto map EBIZ
interface Vlan1
 ip address 10.45.0.7 255.255.255.0
 ip nat inside
ip nat pool inside_pool WAN.IP.ROUTING.178 WAN.IP.ROUTING.178 netmask 255.255.255.248
ip nat pool outside_pool 10.45.0.1 10.45.0.254 prefix-length 24
ip nat inside source static tcp 10.45.0.90 80 WAN.IP.ROUTING.179 80 extendable
ip nat inside source static tcp 10.45.0.90 443 WAN.IP.ROUTING.179 443 extendable
ip nat inside source static tcp 10.45.0.90 943 WAN.IP.ROUTING.179 943 extendable
ip nat inside source static tcp 10.45.0.2 1192 WAN.IP.ROUTING.179 1192 extendable
ip nat inside source static udp 10.45.0.90 1194 WAN.IP.ROUTING.179 1194 extendable
ip nat inside source list NAT-SOURCE-NETS pool inside_pool overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 192.168.200.0 255.255.255.0 10.45.0.1
ip access-list standard NAT-DEST-NETS
 permit WAN.IP.ROUTING.178
ip access-list standard NAT-SOURCE-NETS
 permit 10.45.0.0 0.0.0.255
ip access-list extended EBIZ26
 permit ip host 136.40.199.178 host 144.160.96.131
ip access-list extended ACCESS_LIST_IPSEC
 permit ip host WAN.IP.ROUTING.178 x.x.0.0 0.0.255.255
 permit ip host WAN.IP.ROUTING.178 x.x.0.0 0.0.255.255
 permit ip host WAN.IP.ROUTING.178 x.6.0.0 0.0.255.255
 permit ip host WAN.IP.ROUTING.178 x.8.0.0 0.0.255.255
 permit ip host WAN.IP.ROUTING.178 x.9.0.0 0.0.255.255
 ... Continues for about 20 lines ...
ip access-list extended OUTSIDE_IN
 permit ip host IPSEC.PEER.IP.1 any
 permit ip host IPSEC.PEER.IP.2 any
 permit ip object-group fiber_subnet any
 permit ip any host 10.45.0.90
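The posted OUTSIDE_IN evaluated the way IOS evaluates an inbound ACL, as an added example that is not part of the post. An ip access-group ... in on the outside interface is a stateless, per-packet, first-match check with an implicit deny at the end, and on IOS it runs before outside-to-inside NAT, so it sees the public destination address and never the inside host. The evaluator below parses the extended-ACL grammar the post uses (host, any and wildcard addresses, eq ports, established), then runs constructed packets through the posted list and through a tightened list written for this example. Addresses are assumptions: 203.0.113.178/.179 stand in for WAN.IP.ROUTING.178/.179 and 198.51.100.1/.2 for IPSEC.PEER.IP.1/.2; the object-group entry is left out because the group's members are not on the page.

```python
"""Evaluate an IOS-style extended ACL against sample packets.

Added example, not part of the post. It models what `ip access-group ... in`
on an outside interface sees: a stateless per-packet check with an implicit
`deny ip any any` at the end, applied before outside-to-inside NAT (so the
destination is still the public address). Addresses are assumptions:
203.0.113.178/.179 stand in for WAN.IP.ROUTING.178/.179, 198.51.100.1/.2
for IPSEC.PEER.IP.1/.2; the object-group line is omitted (members unknown).
"""
from __future__ import annotations
import ipaddress

PORT_NAMES = {"isakmp": 500, "www": 80, "domain": 53, "bootps": 67, "bootpc": 68}
PROTO_NUMS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}


class Ace:
    """One entry: permit|deny proto src [eq port] dst [eq port] [established]."""

    def __init__(self, line: str):
        t = line.split()
        self.action = t[0]
        self.proto = None if t[1] == "ip" else PROTO_NUMS[t[1]]   # None = any protocol
        i = 2
        self.src, i = self._addr(t, i)
        self.sport, i = self._port(t, i)
        self.dst, i = self._addr(t, i)
        self.dport, i = self._port(t, i)
        self.established = "established" in t[i:]   # TCP with ACK or RST set

    @staticmethod
    def _addr(t, i):
        if t[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        if t[i] == "host":
            return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
        # address + wildcard mask: invert the wildcard to get a netmask
        netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(t[i + 1])))
        return ipaddress.ip_network(f"{t[i]}/{netmask}", strict=False), i + 2

    @staticmethod
    def _port(t, i):
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
        return None, i

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.sport is not None and pkt.get("sport") != self.sport:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.established and not (pkt["proto"] == 6 and pkt.get("flags", set()) & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl: list[str], pkt: dict) -> str:
    """First matching entry wins; no match is the implicit deny."""
    for ace in (Ace(line) for line in acl):
        if ace.matches(pkt):
            return ace.action
    return "deny"


# The post's OUTSIDE_IN (object-group line omitted), with placeholder addresses.
OUTSIDE_IN_AS_POSTED = [
    "permit ip host 198.51.100.1 any",
    "permit ip host 198.51.100.2 any",
    "permit ip any host 10.45.0.90",
]

# Tightened version written for this example: IKE/ESP only from the peer, the
# port forwards by their public (pre-NAT) address, TCP replies to the overload address.
OUTSIDE_IN_TIGHTENED = [
    "permit udp host 198.51.100.2 eq isakmp host 203.0.113.178 eq isakmp",
    "permit esp host 198.51.100.2 host 203.0.113.178",
    "permit tcp any host 203.0.113.179 eq 80",
    "permit tcp any host 203.0.113.179 eq 443",
    "permit tcp any host 203.0.113.179 eq 943",
    "permit tcp any host 203.0.113.179 eq 1192",
    "permit udp any host 203.0.113.179 eq 1194",
    "permit tcp any host 203.0.113.178 established",
]

# Constructed packets as they arrive on the outside interface, before NAT.
PACKETS = {
    "https_reply_to_lan_user": dict(proto=6, src="192.0.2.80", sport=443, dst="203.0.113.178", dport=51000, flags={"ACK"}),
    "inbound_to_port_forward": dict(proto=6, src="192.0.2.7", sport=40000, dst="203.0.113.179", dport=443, flags={"SYN"}),
    "esp_from_vpn_peer":       dict(proto=50, src="198.51.100.2", dst="203.0.113.178"),
    "dns_reply_to_lan_user":   dict(proto=17, src="192.0.2.53", sport=53, dst="203.0.113.178", dport=40001),
    "ssh_scan_from_internet":  dict(proto=6, src="192.0.2.9", sport=55555, dst="203.0.113.178", dport=22, flags={"SYN"}),
}


def classify(acl: list[str]) -> dict[str, str]:
    """Verdict per sample packet for the given ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}
```

Run against the posted list, the HTTPS reply to an inside user and the connection to the port forward are both denied: the reply matches nothing, and "permit ip any host 10.45.0.90" never matches because the ACL is checked before NAT rewrites the destination. The tightened list permits both, but still denies the DNS reply, since established only recognises TCP segments carrying ACK or RST and a stateless ACL has no way to recognise a UDP reply. That limitation is why the usual IOS answer for "only allow the port forwards and the IPsec" is stateful inspection (zone-based firewall) with the ACL kept for what should never enter, rather than an ACL alone.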


What is the best way to document company network?

Hi fellow redditors,

I am a network engineer for a small company. Recently my company started growing very fast. Currently I document our network by drawing diagrams using draw.io. As our network becomes very complex, I wonder if there is a better solution?



Rebooting core switches?

Recently the server guy in my team has been proposing to reboot the 6509 core switches as a matter of practice in order to "clear stuff out". As of last night, core1 was up for two years, four months, and core2 has been up for seven years, five months. I'm not sure why there is a mis-match on the uptimes. Is this a good idea to perform a "maintenance" reboot just because?



Anybody here who may know how we can bypass the ISP-provided router completely on Jio Fiber and use our own?


Do you give your loopbacks a description?

Talking about loopback interfaces on routers. Do you add an interface description? If so what? I think this is one thing that has enough wiggle room to be unique and entertaining. The two we use are "INDEPENDENT_INTERFACE" and "I_AM_AN_INTERFACE_THAT_NEVER_GOES_DOWN" Hahahaha!

Edit: I'm not looking for suggestions on what to call my loopbacks. I'm looking for the descriptions you give to yours. For entertainment. Nerd shit.



Friday, November 1, 2019

Where to go from IBM G8xxx series enterprise switches?

I recently found out from Lenovo that after they bought the RackSwitch business from IBM, they've kind of dropped the G8xxx series and replaced it with the NExxxx series. These are supposed to run all new code, so all my config templates etc won't work with their new CNOS vs the older ENOS. They also dropped the "pretty useful" GUI, which I do like. Now, I know we used ISCLI for the G series which was closer to something, and I thought it might have been Cisco, but IDK for sure.

I'm somewhat inclined to avoid HP due to the general insanity around what happened with Procurve in the past and the lack of clarity even in the "Aruba" brand that replaced it.

I like the contacts we have with Lenovo, but they just sort of bought into the G series, and I have no idea "how good" the NE series would be especially for whatever the price turns out to be.

Of course there's Cisco (expensive especially to get firmware updates), and I just saw Juniper also competes, no idea about their pricing / history.

What are people doing for 10/40Gbit SFP+, high performance MST 1Gbit with support for at least 11 MST instances, and doesn't need a service contract to get firmware updates? Is that even possible today? What still has a easy to use GUI for occasional users who need to change a PVID once in a while, but a good serial and OOB management CLI for ease of setup? What's cheaper than Cisco? Or is it doable to go mostly used (what we've been doing for G8xxx for a few years to good effect)?

It's worth noting, the only reason we're dropping G8xxx is difficulty sourcing used ones that work lately - I think they're close to off the market, especially at sub $2k prices which is about as high as I like to go used for 48 port switches. The other reason is forward looking, in 3 years or less, we'll likely be looking at 50/100 GBit SFP28 and the old G series don't do that.



How do Apple TVs/Chromecasts broadcast their existence?

Does anyone know how or have documentation of how devices like chromecasts and apple TVs broadcast their existence on the network? We're trying to figure out a way to stop them from broadcasting everywhere without having to divide our wifi subnet into multiple subnets.



Network Engineer - Resume Advice - Entry-Level

Hey all,

I am a Network Engineer that has just over one year of experience under my belt looking for an entry-level position around Chicago.

I put my resume through a free ATS (Applicant Tracking System) scanner and it suggested to add a professional summary, as well as to use active-language instead of passive-language. The scan said I came off as a do'er instead of an achiever, i.e. someone that just "does" what they are told to do instead of working independently to accomplish goals for a company.

Yes, my last date of employment as a Network Engineer was December 2017, which concerns me, but I have to deal with it. I also know that I should touch on more projects that I worked on, but I mostly worked on learning our F5 GTM/LTM systems at the time, and getting my CCNA R&S + my F5-CA certs, so I am not sure what to include exactly. I had a variety of responsibilities, including managing our F5 systems (mostly working with devs to create and troubleshoot F5 VIPs using basic iRules - most complicated thing was the SSL-passthrough VIP that I mention on my resume), obtaining SSL certificates for our public-facing VIPs, modifying firewall rules, troubleshooting intermittent application issues via pcap analysis, analyzing network throughput/load, testing VPN and site-to-site throughput, and I installed a new Cisco switch stack when we deployed a new floor in our corporate office.

I am hoping that someone here can offer tips or advice on how I can modify my resume in order to be a more attractive candidate. You can find it at this link: https://docdro.id/quyj1do

Any an all suggestions are appreciated, thanks in advance.



Converted My CCIE to Emeritus

https://ift.tt/36jOBCF

Daloradius - automated monthly usage reports?

We use daloRADIUS for authentication purposes for a number of legacy ADSL customers. What I would like it to do is send an email on a specific day of the month listing the bandwidth usage of each customer.

Is this possible, and if so, how?

I know I can query it manually, but it would make my life easier if it could send this report off to my finance dept automatically
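The manual query from the post, turned into the monthly report it asks for, as an added example that is not daloRADIUS's own code. daloRADIUS sits on the standard FreeRADIUS SQL schema, whose radacct table stores acctinputoctets and acctoutputoctets per session (the stock FreeRADIUS accounting queries already fold the Gigawords attributes into those columns), so one aggregate query per month is all the report needs. sqlite3 and a constructed table are used so the example runs offline; the same statement works against MySQL/MariaDB. Two choices are assumptions to adjust for your billing rules: a session is attributed to the month it stopped in, and sessions with no stop time yet are excluded because their counters are not final.

```python
"""Monthly per-user traffic totals from a FreeRADIUS `radacct` table.

Added example, not daloRADIUS's own code. Assumptions: a session counts toward
the month it stopped in, and sessions still open (no acctstoptime) are left
out because their counters are not final. The table and rows are constructed.
"""
from __future__ import annotations
import sqlite3
from datetime import date
from email.message import EmailMessage

SCHEMA = """
CREATE TABLE radacct (
  radacctid        INTEGER PRIMARY KEY,
  username         TEXT NOT NULL,
  acctstarttime    TEXT,
  acctstoptime     TEXT,
  acctinputoctets  INTEGER,
  acctoutputoctets INTEGER
);
"""

# Constructed rows: one session crossing the month boundary and one still open.
SAMPLE_ROWS = [
    ("alice", "2019-10-01 08:00:00", "2019-10-01 18:00:00", 1_000_000_000, 250_000_000),
    ("alice", "2019-10-31 22:00:00", "2019-11-01 02:00:00",   600_000_000, 100_000_000),
    ("bob",   "2019-10-15 09:00:00", "2019-10-15 17:00:00", 2_000_000_000, 500_000_000),
    ("bob",   "2019-10-30 09:00:00", None,                    900_000_000, 300_000_000),
]

MONTHLY_USAGE_SQL = """
SELECT username,
       SUM(acctinputoctets)  AS in_octets,
       SUM(acctoutputoctets) AS out_octets
  FROM radacct
 WHERE acctstoptime IS NOT NULL
   AND acctstoptime >= ?
   AND acctstoptime <  ?
 GROUP BY username
 ORDER BY username
"""


def month_bounds(year: int, month: int) -> tuple[str, str]:
    """Half-open [first day of month, first day of next month) as DATETIME strings."""
    start = date(year, month, 1)
    end = date(year + (month == 12), month % 12 + 1, 1)
    return f"{start} 00:00:00", f"{end} 00:00:00"


def monthly_usage(conn, year: int, month: int) -> list[tuple[str, int, int, float]]:
    """[(username, in_octets, out_octets, total_GiB)] for the given month."""
    rows = conn.execute(MONTHLY_USAGE_SQL, month_bounds(year, month)).fetchall()
    return [(u, i, o, round((i + o) / 2**30, 2)) for u, i, o in rows]


def build_report_email(rows, year, month, sender, recipient) -> EmailMessage:
    """Plain-text report; hand it to smtplib.SMTP(...).send_message() from a monthly cron job."""
    lines = [f"{'user':<16}{'in (GiB)':>12}{'out (GiB)':>12}{'total (GiB)':>14}"]
    for user, i, o, total in rows:
        lines.append(f"{user:<16}{i / 2**30:>12.2f}{o / 2**30:>12.2f}{total:>14.2f}")
    msg = EmailMessage()
    msg["Subject"] = f"ADSL usage report {year}-{month:02d}"
    msg["From"], msg["To"] = sender, recipient
    msg.set_content("\n".join(lines) + "\n")
    return msg


def demo_connection() -> sqlite3.Connection:
    """In-memory stand-in for the daloRADIUS database, loaded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radacct (username, acctstarttime, acctstoptime, acctinputoctets, acctoutputoctets)"
        " VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn
```

Schedule it from cron on the first of the month against the previous month, and give the job a read-only database account: the script needs nothing but SELECT on radacct, and the report goes to finance, so there is no reason for it to hold the credentials daloRADIUS itself uses.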



Help us please

Hi guys,

INFO: Our new switch is the HPE OfficeConnect J9983A 1820, using an SFP+ port to link to port 45S on an Aruba 2920-48G. VLAN20 is our desktop range, which the APs get an IP from, which is OK. Our curriculum VLAN should get IP 172.23.248.XYZ.

We have had 4 new classrooms built and need to put WiFi in, we have put in identical Ruckus APs to the rest of our network and they show up in the ZoneDirector.

Our new switch is linked via fibre to the nearest breakout room and plugs into a switch there with SFP.

Issue 1:

Our new switch is 172.23.241.40 and we can't ping it from outside of that switch. You have to be plugged into it with a static IP of 172.23.241.XX to be able to get to the web GUI or ping the switch. Why can't we access the switch from anywhere else, like every other switch?

Issue 2:

VLANs have been set up on the switch like every other switch on the network, and when you connect to the switch you get 172.23.242.XXX, which is our desktop range. We need all wireless devices to connect to the 172.23.248.XX range.

If I take an AP into the main building you get the right IP, and taking an AP from the main building into the new classrooms you get the wrong IP. It's definitely the switch config.

Any pointers??

Writing this after spending hours stuck in a tiny cupboard balancing a laptop so if my post makes no sense...hopefully you understand :)



BGP peering to multiple ISP's, FROM two physically separate FW cores (Internet Services & VPN)

Alright guys, got a thought provoker for you. Right now I have two static data centers. Half of my sites come in on one, and half come in on the other. As a result of this being a long time coming, and a 10 hour outage on the main data center last week with lots of angry executives due to no dynamic routing/failover, I have been given the go ahead by management finally to merge the two together and set up BGP peering to each ISP. Here's the catch: One firewall (PA850) runs our public internet services that folks connect to from the internet (i.e. traveler iPhone email). This is done by NATing the backend private IPs of the servers to public addressing, setting up DNS and configuring rules, as I'm sure you all have as well. The other core (ASA2110) is the hub for all of our branch site-to-site VPNs to terminate on. Both firewalls will connect to our 6509 core switch on the inside, and to both ISPs on the outside via eBGP, with a transit switch in between the ISPs and my FWs. Here is a drawing I've done to represent this:

https://imgur.com/a/114Br93

The primary requirement of doing this is to ensure that 12.3.250.0/24 is always reachable at all times, even if the primary ISP is down (the assumption is that BGP will reroute to the 2nd ISP due to the advertisement of 12.3.250.0/24 I've configured to said 2nd ISP), and the end result is that the internet services, as well as the site-to-site VPNs, would never go down unless I lost both ISPs or hardware.

With that said, here are my concerns:

  1. To achieve this, since I have two physically separate cores (one Internet Services, one VPN), I need to BGP peer both of my firewalls to both of the ISPs, and I need to advertise 12.3.250.0/24 FROM both of my firewalls TO both of the ISPs. In my mind, the way I've always understood routing is you can't tell a router peer that a particular subnet lives in two spots, because then routing won't know where to send it. Now I know that assumes equal weight, AD, costing, etc., and that BGP will not weigh the route the same way since it's all on a common network thanks to the transit switch, so I am thinking the logic in BGP will take care of that if I'm advertising the same subnet from multiple physical points, but I can't help but worry about potential routing loops here. Will this work as intended, or am I risking problems here trying to design it this way?
  2. The subnet I need to advertise happens to be the subnet that is in use for comms between my firewalls and the primary ISP's ISR router (because we don't own our own public /24, so we are leasing the ISP's), so the router knows about it already because it's directly connected (see diagram). If that is the case, do I need to advertise it manually in BGP to that peer?


DMVPN Diffie Hellman issues

I'm labbing this DMVPN setup, and even though I have set DH key exchange in the IPsec profile, my spoke-to-spoke SA comes up but without DH. My hub-to-spoke SA is using DH but not the spoke-to-spoke one. Anyone else have this problem?

I'm using the same settings on all the routers, so there's really no reason why this should happen. Everything "works": there are no errors, not even in the IPsec/IKEv2 debug, but I just don't get DH key exchange going. I also don't see any fundamental reason why this would be the case; when the spoke-to-spoke tunnel comes up, the spokes negotiate a tunnel so it should just work the same as when the hub-spoke tunnel is created.

This is just a lab, but I wouldn't put something like this into production, given the nature of DMVPN where the keys are on routers in all sorts of remote offices, it would be very easy for someone to steal one and get the keys, and decrypt all past traffic. Not to mention the administrative pain of rekeying everything.



PoE "Cycling" problem - HP Procurve JG963a

Hey all,

I'm setting up a solution that involves iPads in wall mounts outside of conference rooms, and I have an adapter that converts PoE -> Lightning for iPad 10.2 or Mini power (it's by Texas POE). This device uses 802.3af PoE technology.

I have an HP Procurve JG963a switch, which, according to the manual supports 802.3af but it has that dubious verbiage of saying "802.3af (Ready)".

When I plug this PoE converter into the switch, the networking lights do a consistent cycle of seemingly powering on, then fading off, and repeat ad infinitum. If I look at switch logs, I see this error over and over: Trap <pethPsePortOnOffNotification>.

My best hypothesis is that I have to change some setting on the switch that either matches the power required by the PoE converter or enable 802.3af support, but I can't seem to find any options to do so.

Anyone have any ideas?



Cisco ISE help!!! - SSL Cert expired

SSL cert for our ISE expired yesterday.
Network admin took today off and is not answering his phone.

I was able to create a CSR and we got a new cert.

When importing the new cert it requires the Private Key and password....

I cannot find WHERE to export the private key and give it a password.

I know it is SOMEWHERE on the ISE, as it generated a CSR....

please help this poor lost soul...



I need some advice on media converters, just need a sanity check.

I have a remote site where the ISP delivered (it's stupid CenturyLink) a DIA two floors up from our space with a long-haul 10km single-mode fiber SFP that's 1/10/1000 Gbps capable.

If I were to purchase a cheap Media Converter like say this one - https://www.amazon.com/Gigabit-1000BaseT-single-mode-1000Base-converter/dp/B002N90OIO or one off FS / etc. just something that is 10km Single-mode capable - are these devices pretty much 'dumb' - can I expect it to 'just work' providing me Copper Ethernet that I can dump into our public switch?

The other option is piping it directly into our Cat 9300 on an isolated VLAN, as I have SFP ports available on the module, but for security reasons I would like to keep it completely out of band.

Thanks in advance for your time.



Linux application for the Pockethernet

I bought the Pockethernet hardware back when it was still on Indiegogo. After all this time, the Android application that you're supposed to use with it is still pretty crappy.

I finally took the time to write a nice GTK3 application for it that can now do some of the basic features. I haven't managed to make some of the more advanced features work like the cable length tests and more advanced link tests like DHCP and the various port-id protocols.

It's written in python and split in two parts, Wiremapper is the GTK3 application and the pockethernet library that actually handles the communication with the hardware. This makes sure that it can support other testing hardware and probably a QT5 frontend.

I hope that I can make some other network administrators very happy with this application :D



ERSPAN support on McAfee NS5200 and LogRhythm NM3300/3400

Hi r/networking,

We are to implement a new Cisco ACI fabric as a replacement for a core DC network.

As per previous experience, Cisco ACI doesn't really play well in terms of mirroring traffic to the other security appliance as:

  • All endpoints are now connected to different leaves (6 leaves to be exact), instead of centrally at one or two cores (I know, it's a small setup).
  • Local SPAN therefore requires the other appliance to have as many ports as the number of leaves (as they used Local SPAN with source VLAN on their core), which our NS5200 and LogRhythm are short of.
  • ERSPAN (used by Tenant SPAN, which is the most appropriate match for the traditional Source VLAN SPAN) might not be supported by the security appliance (hence the title)

So, do these two appliances support ERSPAN at all? Or do I have to rely on an external switch or packet broker to decapsulate the ERSPAN traffic and then push the raw data to the appliances?

Thanks in advance.
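What the "decapsulating" step in the post actually involves, as an added example that is not vendor code. A packet broker or intermediate switch strips the outer IPv4, GRE and ERSPAN headers and forwards only the mirrored Ethernet frame, so a sensor that never learned ERSPAN sees ordinary traffic; the parser below does the same in software so the header layout is visible. Field layouts follow the ERSPAN draft (draft-foschiano-erspan): Type II is parsed fully, Type III only up to its fixed header. The packet used for the demonstration is constructed, with the outer IP checksum left at zero.

```python
"""Decapsulate ERSPAN (GRE-encapsulated SPAN) down to the mirrored Ethernet frame.

Added example, not vendor code. Layouts per draft-foschiano-erspan: Type II
parsed fully, Type III to the end of its fixed header. The sample packet is
constructed (outer IP checksum left at zero).
"""
from __future__ import annotations
import struct

IPPROTO_GRE = 47
GRE_PROTO_ERSPAN_II = 0x88BE    # ERSPAN version field 1
GRE_PROTO_ERSPAN_III = 0x22EB   # ERSPAN version field 2


def decapsulate(pkt: bytes) -> dict:
    """Parse IPv4 / GRE / ERSPAN and return the headers plus the inner frame."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if pkt[9] != IPPROTO_GRE:
        raise ValueError(f"outer IP protocol {pkt[9]} is not GRE")
    off = (pkt[0] & 0x0F) * 4
    outer = {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20]))}
    flags, proto = struct.unpack_from("!HH", pkt, off)
    off += 4
    if flags & 0x8000:                       # C: checksum + reserved1
        off += 4
    if flags & 0x2000:                       # K: key
        off += 4
    seq = None
    if flags & 0x1000:                       # S: sequence number (set for ERSPAN)
        seq = struct.unpack_from("!I", pkt, off)[0]
        off += 4
    if proto == GRE_PROTO_ERSPAN_II:
        w1, w2 = struct.unpack_from("!II", pkt, off)
        erspan = {"version": w1 >> 28, "vlan": (w1 >> 16) & 0xFFF, "cos": (w1 >> 13) & 0x7,
                  "encap": (w1 >> 11) & 0x3, "truncated": bool(w1 & 0x400),
                  "session_id": w1 & 0x3FF, "index": w2 & 0xFFFFF}
        off += 8
        expected_version = 1
    elif proto == GRE_PROTO_ERSPAN_III:
        w1, timestamp, w3 = struct.unpack_from("!III", pkt, off)
        erspan = {"version": w1 >> 28, "vlan": (w1 >> 16) & 0xFFF, "cos": (w1 >> 13) & 0x7,
                  "bso": (w1 >> 11) & 0x3, "truncated": bool(w1 & 0x400),
                  "session_id": w1 & 0x3FF, "timestamp": timestamp, "sgt": w3 >> 16}
        off += 12 + (8 if w3 & 0x1 else 0)   # O bit: platform-specific subheader follows
        expected_version = 2
    else:
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN")
    if erspan["version"] != expected_version:
        raise ValueError("ERSPAN version field disagrees with GRE protocol type")
    frame = pkt[off:]
    if len(frame) < 14:
        raise ValueError("inner Ethernet frame truncated")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    inner_vlan, payload_off = None, 14
    if ethertype == 0x8100:                  # 802.1Q tag kept in the mirrored frame
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        inner_vlan, payload_off = tci & 0xFFF, 18
    return {"outer": outer, "gre_seq": seq, "erspan": erspan, "frame": frame,
            "dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ethertype": ethertype, "inner_vlan": inner_vlan, "payload": frame[payload_off:]}


def frames_for_session(packets, session_id: int) -> list[bytes]:
    """What a broker filter hands the sensor: inner frames of one ERSPAN session only."""
    out = []
    for pkt in packets:
        try:
            d = decapsulate(pkt)
        except ValueError:
            continue                          # not ERSPAN: leave it alone
        if d["erspan"]["session_id"] == session_id:
            out.append(d["frame"])
    return out


def build_sample_erspan2(session_id: int = 5, vlan: int = 20, seq: int = 7,
                         payload: bytes = b"mirrored payload") -> bytes:
    """Constructed test vector: IPv4 / GRE(S) / ERSPAN II / Ethernet(IPv4 ethertype)."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + payload
    erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | (3 << 11) | session_id, 0x10)
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_II, seq)
    total_len = 20 + len(gre) + len(erspan) + len(frame)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, IPPROTO_GRE, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + gre + erspan + frame
```

Doing this in Python is for understanding the format and for validating a capture (Wireshark dissects ERSPAN too); at fabric speeds the decapsulation has to happen in a switch or broker, which is why the appliance either needs native ERSPAN support or a device in front of it. One point that matters regardless of which box terminates it: ERSPAN carries copies of production traffic across the routed fabric unencrypted, so the destination should be a dedicated, access-controlled collector and the GRE destination address should not be reachable from anything but the leaves sending it.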



Why doesn't my redistribution work ("rip into ospf")?

I'm learning a few routes from my RIP process, but I would like to redistribute just one of them:

PE3#show ip route rip
     172.31.0.0/32 is subnetted, 1 subnets
R       172.31.1.1 [120/1] via 30.210.2.2, 00:00:18, FastEthernet1/1
R    194.14.32.0/19 [120/1] via 30.210.2.2, 00:00:18, FastEthernet1/1

So I tried to do this:

Standard IP access list 1
    10 permit 194.14.0.0, wildcard bits 0.0.255.255

My OSPF:

router ospf 30
 log-adjacency-changes
 network 10.101.33.2 0.0.0.0 area 0
 network 10.101.43.2 0.0.0.0 area 0
 network 30.210.2.1 0.0.0.0 area 0
 network 172.25.3.3 0.0.0.0 area 0
 distribute-list 1 out

I know that I could use a prefix list or a route map, but I am just trying to learn all the ways.

Thanks a lot.



Career question: Where do you see yourself in 5-10 years.

Hello,

With the constant evolution of IT, nobody's job is secure. MS Exchange admins are already long gone and IT infrastructure engineers are shrinking by the day.

I know I need to get onto the cloud wagon, but I would also like to hear another point of view in regards to where I should be heading.

A bit about me. I am 34, and just started working in a huge enterprise company. My previous job was not a great place since they didn't know what virtualization (or even ITIL) was! I am CCNP certified with knowledge of linux, VMware, firewalls and Windows administration. I am currently passively on a free online course called "python for network engineers", and I want to get my AWS associate exam.

I went to a couple of interviews and I have failed to answer the question: "Give us an example on how you have successfully migrated workloads to the cloud." I want to be able to answer that, as well as keep my current salary.

I can either:

-move to management, which I am not keen on.

-become a developer, which I am not seeing.

-specialize in Security (is CISSP still worth it? or be a CEH)

-become a CCIE (I think CCIE is not as valuable as it was 5 years ago, can you prove me wrong?). What's your opinion about the CCIE devops?

-Presales (which is my preferred route).

Any advice would be appreciated.



Access network share via network share in SMB network?

I have a temporary issue with two independent networks and one machine that is connected to both; temporarily I need to get some machines connected to a share on LAN1, but they have to be on LAN2. This is a Windows environment.

I have one machine on both LANs and I was wondering if there was a moderately elegant solution I could use for the next week or so. VPN won't work due to limitations on the primary LAN.



Need some advice on Port Security

Hi,

I am new here. I need some advice on whether this is possible. The objective will be to deny any external visitor/vendor from simply plugging into one of our network ports and using our network; they need to authenticate themselves with an Active Directory user and password before they are able to use it.

We could probably use the sticky MAC address method, but there are a few hundred hosts and it will be a hassle if they are replaced. I have set up a RADIUS server just in case I might need it.

I have run the commands from here, but is not working for me https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/config-ieee-802x-pba.html#GUID-430BBBAE-CB5D-46F9-80B2-6DF8A5497922



Thursday, October 31, 2019

Crazy routing help

Hey Guys,

I have a business network with an OpenVPN tunnel set up so I can remotely administer my clients.

The OpenVPN tunnel works fine and I can see all subnets inside of a client network. My client has three subnets.

Vlan 10 with 192.168.255.0/24

Vlan 20 192.168.254.0/24

Vlan 30 192.168.253.0/24

My pfsense box acts as a VPN appliance and a NTP server. As I said the vpn part works great.

I added three static routes in my pfsense and one static route on the switch and I can see everything.

The switch config on my dell switch is mostly everything is in vlan 10 untagged/nontrunked ports.

Vlan 20 has a few ports untagged and vlan 30 has a single file server attached via an untagged port.

Now my problem is that I can’t ping the NTP server from my file server. I can ping the gateway of 192.168.253.254 (vlan 30) from my file server. And I can even ping 192.168.255.254 and the other vlans located on the switch from the file server. But the file server cannot ping the pfsense NTP server (192.168.255.1).

It seems I can ping the file server from pfsense but not the other way around.

How do I allow a response from pfsense through the switch back down to the file server.

Remember the file server is on vlan 30 while the pfsense box is on vlan 10 (everything untagged) Normally the switch would just route this over. But I think since I have a static route in my pfsense box routing 192.168.253.0/25 192.168.255.254 that it can’t go back down.

Remember I need the static route 192.168.253.0/25 192.168.255.254 in order for my OpenVPN to work. Or another form of it.

I’ve tried changing the gateway address to 192.168.253.254 on the pfsense static route and while I can ping the vlan 30 gateway via pfsense I still have to check a box that says I’m routing outside an interface subnet. So it works for my vpn tunnel but not from the file server to pfsense.

I’m thinking about doing vlans on the pfsense interface and turning port 41 on the switch into a tagged/trunked port.

Someone also said I can create virtual interfaces with different IPs on the pfsense LAN port. Maybe that would help. Egh frustrated. With daylight savings time coming up I need this NTP server functioning!

Any guidance or suggestions would be appreciated. And I’ve spent months researching google so no, that’s not a very helpful response.



Cisco EOL's Catalyst 3850

Just announced today, in case anybody else missed it. Personally I'm only aggravated because I just had a meeting with our reps last Thursday and they mentioned nothing about it.

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3850-series-switches/eos-eol-notice-c51-743072.html



Site-to-Site VPN tunnels dying, ASA 5506-X

We have site-to-site VPN tunnels between remote offices and a datacenter where our SNMP server is. The VPN tunnel is for management traffic. The remote sites have newly installed ASA 5506-Xs on the outside doing the routing and firewalling, and the data center is using a Cisco 1921 router. We've seen issues at all remote sites with these ASAs where the VPN tunnels die after a day or two and we have to reload the ASAs to get them up again. The IP SLA pings don't seem to be working on the ASA, so we configured them on the core switches and they are working, but we still see outages on the VPN tunnels semi-frequently. Anyone else experience these issues or have recommendations for troubleshooting?

TAC has told me that the IP SLAs are working as expected on the ASAs and that the IP SLA needs to be configured on the inside of your network because the ASA will always use the closest interface to the outside instead of an inside mgmt interface IP. But this still doesn't answer the issue of the mgmt VPN tunnels dying out so often.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



NVME Nas server opinion

Hello guys, I am planning on building an NVMe NAS server with a Thinkmate QN10-11E2 (https://www.thinkmate.com/system/rax-qn10-11e2). It will have 24 cores and 3 x 8 TB U.2 NVMe drives. I will be running Ubuntu Server and serving large video files to 6 video editors. I am planning on doing a software RAID 0 and backing it up to another NAS every night as a backup. I know NVMe has a write life, so this will only be used to write big files once a day. It will be connected to a 10G SFP switch via 2 x 25G SFP ports. My question is: has anyone done something like this for video editors? Do you foresee any issues? How about managing the RAID? Any suggestions there for file sharing? And lastly, do you recommend any specific switches? I have been looking at Cisco and Arista, no models picked yet. Thanks for all your help.



Communication across subnets!

Hey Guys,

So I have a server setup with a 192.168.253.31 address. The network has three vlans:

Vlan 10 with 192.168.255.0/24

Vlan 20 192.168.254.0/24

Vlan 30 192.168.253.0/24

All the servers connect to one "routing" layer 3 switch. Each port is segmented as untagged to be in the respective Vlans.

Now I have a pfsense box acting as my time server. Its address is 192.168.255.1 and it is plugged into a physical port on the switch assigned as untagged for vlan 10.

I need the server in vlan 30 to be able to ping and use ntp from 192.168.253.31 to 192.168.255.1.

Both interfaces are connected to the switch. I'm slightly confused how to do this. Do I do tagged ports? Do I make some kind of route?

I guess I could plug another port into my pfsense box, make that interface 192.168.253.1 and then untag the port to be in vlan 30. But I'm hoping that I don't have to physically go back into the server room if possible, it's a drive.

Is there any way for me to get the server on vlan 30 with an IP of 192.168.253.31/24 and a gateway of 192.168.253.254

to connect with the NTP server at 192.168.255.1/24, gateway 192.168.255.254?

The gateway address for both devices points to the same switch, only on different vlans.

Thanks for any help!

-Twinkle

P.S. Do I tag vlan 30 on the pfsense port and then assign a virtual interface on the pfsense box?



Copper repeaters - Anyone have a recommendation?

Just traced out a non-working network run to the far end of a building and it came in at 398 feet. Looking to buy a pair of range extenders to make the distance; it's just for a couple of HVAC controllers so not worth redoing it properly. Anyone have a recommendation of a brand/model that works well for them?



Any device fingerprint service?

Hi

I'm looking to feed my network streams into something to find out what type of device is on the network. I'm not looking for any commercial solution, but for some direct feeds. One I came across is "fingerbank.org". Does anybody know any others?

Thanks

Angel
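As an added example (my code, not the poster's and not fingerbank's), here is what a passive DHCP fingerprint feed works on at the packet level: the client's DHCPDISCOVER is parsed and keyed on option 55, the parameter request list, optionally combined with option 60, the vendor class. The Discover packet and the three-entry signature table are constructed for the example; a feed such as fingerbank supplies the real signature database.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # BOOTP fixed header, 236 bytes
FIXED_LEN = struct.calcsize(FIXED_FMT)

# Constructed sample signatures keyed on option 55 (parameter request list).
# A real feed publishes thousands of these; these three are placeholders.
SIGNATURES = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Windows desktop (sample signature)",
    "1,121,3,6,15,119,252,95,44,46": "Apple macOS/iOS (sample signature)",
    "1,3,6,12,15,28,42": "Embedded Linux / udhcpc (sample signature)",
}


def build_discover(mac, param_list, vendor_class=None, hostname=None, xid=0x1A2B3C4D):
    """Build a DHCPDISCOVER payload (UDP body) for a client with the given MAC.
    Used only to construct test input; a sensor would read this off a SPAN port."""
    fixed = struct.pack(
        FIXED_FMT,
        1, 1, 6, 0,              # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,          # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,      # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,   # chaddr, sname, file
    )
    opts = MAGIC_COOKIE + bytes([53, 1, 1])   # option 53: message type = DISCOVER
    opts += bytes([55, len(param_list)]) + bytes(param_list)
    if vendor_class is not None:
        opts += bytes([60, len(vendor_class)]) + vendor_class
    if hostname is not None:
        opts += bytes([12, len(hostname)]) + hostname
    return fixed + opts + b"\xff"             # option 255: end


def parse_dhcp(payload):
    """Return (client MAC, {option_code: bytes}) from a DHCP payload.
    Raises ValueError on a malformed packet instead of guessing."""
    if len(payload) < FIXED_LEN + 4 or payload[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    fields = struct.unpack(FIXED_FMT, payload[:FIXED_LEN])
    hlen, chaddr = fields[2], fields[11]
    mac = ":".join(f"{b:02x}" for b in chaddr[:hlen])
    options = {}
    i = FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == 255:                 # end option
            break
        if code == 0:                   # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of packet" % code)
        options[code] = value
        i += 2 + length
    return mac, options


def fingerprint(options):
    """Derive the option-55 signature string and look it up in the sample table."""
    if 55 not in options:
        return None, "unknown (no parameter request list)"
    sig = ",".join(str(b) for b in options[55])
    vendor = options.get(60, b"").decode("ascii", "replace")
    label = SIGNATURES.get(sig, "unknown signature")
    if vendor:
        label += " / vendor class %r" % vendor
    return sig, label


if __name__ == "__main__":
    pkt = build_discover(b"\x00\x11\x22\x33\x44\x55",
                         [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252],
                         vendor_class=b"MSFT 5.0", hostname=b"LAPTOP-01")
    mac, opts = parse_dhcp(pkt)
    print(mac, fingerprint(opts))
```

The order of the option-55 codes is part of the signature, which is why the lookup joins them as-is rather than sorting; two stacks that request the same options in a different order are different fingerprints.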



the common Palo Alto PA-2050 slowness topic - are there any fixes?

My commits are now taking 3+ hours to go through on my single PA-2050. I'm planning on replacing it next year, but in the meantime it's killlinnggg me. A single typo costs me 6+ hours. In all of the reading I've done I see people complaining about 15 minute commits... I'd love to have that. Calling Palo Alto gets me nowhere; they just say it's a known issue and I should upgrade. Are there any easy gotchas that I can look for in my config that would be slowing this down so much?



Site-to-Site VPN drops and latency significantly increases anytime files are downloaded behind Cisco ASA.

I have a Cisco ASA 5506-X that has an outside interface being provided internet from a fiber 100/100mbps line. Over the past month or so something odd has changed.

Anytime I initiate a download on an inside client behind my inside interface OR even a laptop directly connected to an inside-test interface on the ASA (that routes out the same outside line), my VPN tunnel suddenly drops multiple packets and or ping requests are 800+ ms. This is normally 42ms. If I'm running constant 4.2.2.2 ping requests, these are normally at 6ms but will spike way beyond that. The second the download is stopped, traffic resumes back to normal.

Per TAC I upgraded to 9.10(1)30. No Firepower services running. There are no interface errors. I have a backup internet line and if I connect to that interface there are no issues.

I have yet to plug my laptop directly into the ISP as I'm having a hard time finding downtime but wanted to see if anyone had thoughts on what may be causing this. Seems very odd this hasn't always been a problem.

When I can plan an outage I plan on connecting my laptop directly to the Outside interface and testing. Then plugging directly into the ISP without the ASA in the picture. Finally configuring the outside interface on a different port on the ASA. Any suggestions on what I can test before then would be appreciated.



PoE Intercom with 4 wires?

Howdy folks. I've got an intercom I'm trying to get working. I'm attempting to use 4 wires leftover from our access control system.

The run is going through about 200' of conduit that I can't get a fish tape through due to multiple bends and what I assume to be a sleeve about 180' in since I can't get past that point from either direction.

So using those 4 wires, I connected the wires to the WO/O and WG/G at each end. WG/G should be supplying my PoE power, and the intercom lights up, so it's getting power. But I'm not getting an IP for the intercom.

Any suggestions on how to make this work? New conduit and wiring isn't a solution and I've only got 4 wires to work with.

Thanks!



Aruba switch stacking - assistance

Hi all

I have searched and searched but am unable to find anything specific. Some say it's possible with certain firmware, but has anyone had any experience with the Aruba 2540 24G PoE+ 4SFP+ switch and pairing/stacking two together?

Essentially we want 2 switches for redundancy.

If not, has anyone had experience with a similar model that is capable?



Switch to Active-Active HA Firewall Pair

If I have an HA pair of firewalls in active-active mode, how does the in (WAN) side know which one of the firewalls to send the traffic to?

In my situation, I have Cisco switches before & after a pair of FortiGate 500e NGFWs. The source port only has 1 IP that is mirrored on both firewalls. If I change the firewall to an active-passive pair, traffic flows. I assume traffic flows because now only 1 device has the IP.



Improving documentation

Hello all,

Like so many engineers my technical aptitude is amazing and I can make almost anything work, but my documentation skills are not so good. I'm getting better as I do more projects, but wanted to reach out and ask if anyone has picked up any tips over time that have made their technical documentation better?



Random computers connected but not to domain

I have an issue where a random user will log in and not be connected to the network. Checking the switch, I see they are connected. But on the Win 10 computer the network is not seen.

I have:

  1. Cleared the MAC from the switch and shut/no shut
  2. Uninstalled the NIC and driver
  3. Used a MAC spoofer that gets it on the network
     • Reverted back to the original MAC and it loses connection again
  4. Checked ARP tables and they seem ok, haven't tried flushing the table though
  5. AV/FW on/off
  6. DNS is fine; oddly, doing an ipconfig shows me the correct IP

Any thoughts would be most welcome.



Instruction manual to install and use OpenDaylight on a Cisco Catalyst 3650-24TSA-E and OpenFlow

Introduction

For a school project, we made an instruction manual and video on the topic: how to install and use OpenDaylight on a Cisco Catalyst 3650-24TSA-E and OpenFlow. We think that this topic is useful for this subforum, so we decided to post it here. Enjoy!

Instruction video: https://www.youtube.com/watch?v=kxKEmo26AMs&feature=youtu.be

Published manual: https://forums.anandtech.com/threads/how-to-install-and-use-opendaylight-on-a-cisco-catalyst-3650-24tsa-e-and-openflow.2572469/

Back-up when published material is not accessible: https://drive.google.com/drive/folders/1hPdcUTAH7q1xy8ob4M8_EOqa_1pQ5E9Z

Summary of the content:

  1. Introduction
  2. Software Defined Networking explained
  3. Configuring the Cisco Catalyst 3650 switch
  4. Installing OpenDaylight controller
  5. Installing Cisco Openflow Manager
  6. Demonstration


Transceiver Question

So I have a couple media converters (1000BaseTX <---> 1000BaseSX) connecting two switches in two different buildings. I'm doing some RFC2544 testing and it is failing on Jumbo frames. I know jumbo frames are supported on my switches, could it be the older transceivers/media converters causing an issue? Do those things have an MTU or do they just blindly convert electrical signals?

Thanks!



Is it possible to share an internet connection amongst two companies?

Sorry for the somewhat confusing title. My wife owns a small business, and the office space is shared with another small business. Two of the rooms in the building are hers and the other belongs to the other business.

Is it possible based on one incoming Internet connection to provide high-speed Internet to each business? We would want the Networks to be separate, since each business does have somewhat sensitive data.

I’ve searched on Google but the top hits keep seeming to be from articles from 2003. It appears what I would need to do is connect the modem to a switch and then that switch connects to two routers, one for each business. Is that correct, is it that simple? Are there any guides out there the show me how to configure the switch or the routers?



Cisco Fp1000 local management mode SNMP config

Hi all, I am fairly new to firewall configurations and I am trying to figure out how to set up my FP1000 to send alerts to our SNMP server. I could not find an option through the FDM (Firepower Device Manager). If anyone could point me in the right direction that would be awesome.

Just wanted to be clear: there is a Syslog option in the FDM, but I can't seem to input a community string.



MT-bulk v2.2 - with security audit option - open source tool that helps manage multiple Mikrotik devices

Released new version, maybe will interest someone.

New features:

  • new operation - scan for known vulnerabilities (CVE) and perform security audit
  • added mt-bulk internal key/value based database (used to cache CVE search results and information about new mt-bulk releases)
  • added configurable CVE search API endpoints
  • added option to define in custom ssh/api mode multiple matches for regex parsers of executed commands

Minor changes and fixes:

  • fixed returning multiple errors
  • fixed automatically creating not existing but configured paths
  • fixed paths parsing
  • improved internal tests
  • improved documentation
  • compiled with Go 1.13.3

https://github.com/migotom/mt-bulk/releases



Cisco HW Leasing

Hello

Does anyone have experience with leasing Cisco HW?

My upper mgmt is on the "no money train" and they're going at full speed.

I've read about Cisco Capital, but I want some first-hand experience with it.



Trying to connect my mac to a Cisco catalyst 3560 switch

I keep trying all different types of commands but it keeps saying "no such file or directory"

I am fairly new at this, any help would be greatly appreciated!!



Wireshark no longer analyze Quic/Gquic protocol

Can anyone explain to me why Wireshark no longer analyzes the QUIC/GQUIC protocol? I need to complete my university thesis and I can't continue. Since July or August, all worked fine. Thanks for your help! P.S.: I tried the latest Wireshark version, but none of them found the GQUIC protocol.



How to setup/configure a WatchGuard firebox x500?

I got a WatchGuard Firebox X500 for free and I'm wondering how to set it up/configure it. It's used but in good condition. I figured I had to reset it (factory reset), but I can't find any information about it online; in fact I can't really find ANY information about the X500 at all.



Expanding Two-Tier Network

Hey there,
first: I have already set up a few small and simple networks, but I'm not a "professional and trained networking guy" and not sure what would be best practice for the following theoretical scenario:

This is the initial situation - a simple Two-Tier network. The gateway for all clients and servers is Switch A with some ACLs for restricting access from and to guest VLAN.

Let's assume our fictitious company wants to build a second building, 50 m / 328 ft. to the existing one - and this would be the planned situation.

How would you set up the connection between Switch A and Switch B?

My thoughts on this:
  1. If Switch B acts as a simple L2 switch, traffic between Client C and Client D needs to take an unnecessarily long way (L2 Switch -> Switch B -> Switch A -> Switch B -> L2 Switch).

  2. What if Switch B acts as an L3 switch? Is that even possible? The gateway for Client C and Client D would be Switch B and you need to maintain ACLs on both Switch A and Switch B. What if Client C wants to access Client A (same VLAN, but different gateways)?

  3. Am I on the wrong track and is there a completely different approach?

I'm scratching my head and hope you can help me. Thanks in advance!



Anyone here used Prisma Access (VPN SAAS) ? What are its pros and cons ?


Honeypots... Any real world success stories?

I’m about to deploy a bunch of honeypots across the network. They will all be sending logs to a SIEM, which will alert on suspicious activity.

This is all fine and dandy. And in theory this should up our awareness.

I’m looking for war stories, dos/don’ts or any feedback really.

Cheers.
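As an added example (my code, not the poster's and not any honeypot product's), here is the smallest useful shape of what such a sensor does: listen on a port nothing legitimate should touch, greet with a plausible banner, and emit one flat JSON record per connection that a log shipper can forward to the SIEM. The sensor name and the SSH version string are arbitrary assumptions; the probe() helper plays the attacker on loopback so the whole exchange runs offline.

```python
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Hypothetical sensor name; in a deployment this comes from configuration.
SENSOR = "hp-vlan20-01"


def build_event(peer, service, payload, sensor=SENSOR, when=None):
    """Normalise one connection attempt into a flat record for JSON-lines/syslog shipping."""
    ts = time.time() if when is None else when
    return {
        "ts": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "sensor": sensor,
        "event": "honeypot.connection",
        "severity": "high",                 # nothing legitimate should ever touch a honeypot
        "src_ip": peer[0],
        "src_port": peer[1],
        "service": service,
        "bytes": len(payload),
        "payload_hex": payload[:64].hex(),  # capped so one client cannot flood the SIEM
    }


class FakeSshHoneypot:
    """Listens on TCP, greets with an SSH banner, records the client's first bytes."""

    BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # arbitrary version string for the decoy

    def __init__(self, host="127.0.0.1", port=0, sink=None):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))       # port 0 = let the OS pick, handy for tests
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.events = []
        # default sink: one JSON object per line on stdout, ready for a log shipper
        self.sink = sink if sink is not None else (lambda e: print(json.dumps(e)))

    def serve_once(self, timeout=5.0):
        """Accept one connection, emit one event, return it (None on accept timeout)."""
        self.sock.settimeout(timeout)
        try:
            conn, peer = self.sock.accept()
        except socket.timeout:
            return None
        with conn:
            conn.settimeout(2.0)
            conn.sendall(self.BANNER)
            try:
                data = conn.recv(4096)
            except (socket.timeout, ConnectionError):
                data = b""
        event = build_event(peer, "ssh", data)
        self.events.append(event)
        self.sink(event)
        return event

    def close(self):
        self.sock.close()


def probe(honeypot, payload):
    """Act as the attacker for one round trip so the exchange runs offline.
    The listener is already bound and listening, so connecting before accept() is safe."""
    result = {}
    worker = threading.Thread(target=lambda: result.setdefault("event", honeypot.serve_once()))
    worker.start()
    with socket.create_connection(("127.0.0.1", honeypot.port), timeout=5.0) as client:
        banner = client.recv(256)
        client.sendall(payload)
    worker.join(10.0)
    return banner, result.get("event")


if __name__ == "__main__":
    hp = FakeSshHoneypot()
    banner, event = probe(hp, b"SSH-2.0-paramiko_2.7\r\n")
    hp.close()
```

The severity is fixed at "high" on purpose: the value of a honeypot is that every hit is a true positive by construction, so the SIEM rule can be "any event from a honeypot sensor" rather than a pattern match on the payload.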



Wednesday, October 30, 2019

Nexus 5k Upgrade | Fex question?

Hi, we have a dual-homed topology where I have 2 pairs of N5Ks and it's configured with vPC. The N2K/FEX is currently dual-connected to both the primary and secondary N5K (parent). What would be the outcome in the following scenario?

Scenario 1: I upgrade the primary N5K.

  1. Please confirm whether the vPC peer link connection/status on both parents will still be "peer adjacency formed" or down?
  2. Please confirm whether the vPC on the downstream (FEX) will be in a down state due to version mismatch?
  3. If I upgrade the primary switch to a newer version and the FEX is still running the old version, will it still synchronize/be online with the primary switch on the newer version, or will the FEXes only be transferred/online on the secondary switch? If this is true, all the traffic will be forwarded to the secondary N5K (old version) from the FEX.

Thank you



My Toner Almost Caught On Fire: Was It Poe That Did It?

I was working an issue with a POS terminal at a restaurant that would not connect to the server. The POS was connected to a 3-port hub (AC powered). After some troubleshooting, I decided to get my toner and probe to trace the cable to the MDF. I get a tone from a port on the Juniper switch and then I get back to the toner and it's hot and smells like burned plastic. I MEAN IT'S BURNING HOT, WTH.

The POS is working now. But I think my toner overheated because of PoE from the switch.

What you guys think?



Cisco Nexus 9300 TCAM carving

I have a Cisco Nexus C9396PX L3 switch and I have configured a bunch of ACLs (inbound) on it to deny/permit traffic. Now if I try to add more ACL entries I get an error that the TCAM table is full. Here is the output of the TCAM utilization:

If you notice the line "Ingress IPv4 RACL 259 253 50.59", that is for the L3 ACL and it has reached 50% utilization, but I still have 50% free, so why am I not able to add more rules? One thing I noticed is that it's Ingress, so it may be possible that I used up all the Ingress entries and whatever else is left is for egress. Am I right?

Let's say I am not using any L2 function on the switch and want to give the VACL TCAM size to the RACL. Is that possible?

    swt-c9396PX# show hardware access-list resource utilization slot 1
    ======= INSTANCE 0x0 -------------
    ACL Hardware Resource Utilization (Mod 1)
    ----------------------------------------------------------
                                    Used    Free    Percent
                                                    Utilization
    -------------------------------------------------------------------
    Ingress IPv4 PACL               3       509     0.59
    Ingress IPv4 Port QoS           4       252     1.56
    Ingress IPv4 VACL               2       510     0.39
    Ingress IPv4 RACL               259     253     50.59
    Egress IPv4 VACL                3       509     0.59
    Egress IPv4 RACL                3       253     1.17
    SUP COPP                        205     51      80.08
    SUP COPP Reason Code TCAM       6       122     4.69
    Redirect                        2       510     0.39
    VPC Convergence                 1       255     0.39
    sFlow Northstar ACL             0       256     0.00
    LOU                             2       22      8.33
    Both LOU Operands               2
    Single LOU Operands             0
    LOU L4 src port:                1
    LOU L4 dst port:                1
    LOU L3 packet len:              0
    LOU IP tos:                     0
    LOU IP dscp:                    0
    LOU ip precedence:              0
    LOU ip TTL:                     0
    TCP Flags                       0       16      0.00
    Protocol CAM                    2       244     0.81
    Mac Etype/Proto CAM             0       14      0.00
    L4 op labels, Tcam 0            0       1023    0.00
    L4 op labels, Tcam 2            1       62      1.58
    L4 op labels, Tcam 6            0       2047    0.00
    Ingress Dest info table         0       512     0.00
    Egress Dest info table          0       512     0.00

    INSTANCE 0x1 -------------
    ACL Hardware Resource Utilization (Mod 1)
    ----------------------------------------------------------
                                    Used    Free    Percent
                                                    Utilization
    -------------------------------------------------------------------
    Ingress NS IPv4 Port QoS        1       255     0.39
    Ingress NS IPv4 L3 QoS          1       255     0.39
    Ingress NS IPv4 VLAN QoS        1       255     0.39
    LOU                             0       24      0.00
    Both LOU Operands               0
    Single LOU Operands             0
    LOU L4 src port:                0
    LOU L4 dst port:                0
    LOU L3 packet len:              0
    LOU IP tos:                     0
    LOU IP dscp:                    0
    LOU ip precedence:              0
    LOU ip TTL:                     0
    TCP Flags                       0       16      0.00
    Protocol CAM                    0       246     0.00
    Mac Etype/Proto CAM             0       14      0.00


Open source netflow GENERATOR/Collector?

Hey all,

Due to some limitations, I need to open up a SPAN port and send the raw data to a netflow generator, then a collector. I see some paid programs (LANGuardian) but is there anything open source? Everything open source is simply a collector of netflows, and will not work!
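As an added example, not code from the post or from any of the tools named in it, the generator half of that pipeline looks like this: packets from the SPAN port are aggregated into 5-tuple flows, the cache is drained into NetFlow v5 datagrams (24-byte header, 48-byte records, at most 30 per datagram) and shipped over UDP to whatever collector you already have. It starts from already-decoded packet tuples (constructed below) because reading the SPAN interface itself needs libpcap or a raw socket; the collector address in send_to_collector() is an assumption. A small decoder is included so the exporter can be checked without a collector.

```python
import socket
import struct
from collections import OrderedDict

# NetFlow v5 wire format: big-endian header and fixed-size records.
HEADER_FMT = "!HHIIIIBBH"               # version, count, sys_uptime, unix_secs, unix_nsecs,
                                        # flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, in/out ifIndex, pkts, octets,
                                        # first, last, sport, dport, pad, tcp_flags, proto,
                                        # tos, src_as, dst_as, src_mask, dst_mask, pad
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30


class FlowCache:
    """Aggregates packets seen on a SPAN port into 5-tuple flows and exports them as v5."""

    def __init__(self):
        self.flows = OrderedDict()
        self.flow_sequence = 0

    def add_packet(self, src, dst, proto, sport, dport, length, uptime_ms, tcp_flags=0):
        """Account one packet; the caller has already decoded the IP/TCP/UDP headers."""
        key = (src, dst, proto, sport, dport)
        f = self.flows.get(key)
        if f is None:
            f = {"pkts": 0, "octets": 0, "first": uptime_ms, "last": uptime_ms, "flags": 0}
            self.flows[key] = f
        f["pkts"] += 1
        f["octets"] += length
        f["last"] = uptime_ms
        f["flags"] |= tcp_flags

    def export(self, sys_uptime_ms, unix_secs, engine_id=0):
        """Drain the cache into one or more v5 datagrams and return them as bytes."""
        items = list(self.flows.items())
        self.flows.clear()
        datagrams = []
        for i in range(0, len(items), MAX_RECORDS):
            chunk = items[i:i + MAX_RECORDS]
            header = struct.pack(HEADER_FMT, 5, len(chunk), sys_uptime_ms, unix_secs, 0,
                                 self.flow_sequence, 0, engine_id, 0)
            body = b"".join(
                struct.pack(RECORD_FMT,
                            socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                            0, 0,                          # ifIndexes are unknown on a SPAN
                            f["pkts"], f["octets"], f["first"], f["last"],
                            sport, dport, 0, f["flags"], proto, 0,
                            0, 0, 0, 0, 0)                 # AS numbers, masks, pad
                for (src, dst, proto, sport, dport), f in chunk)
            datagrams.append(header + body)
            self.flow_sequence += len(chunk)   # collectors use this to detect lost exports
        return datagrams


def parse_v5(datagram):
    """Decode a v5 datagram the way a collector does; used here to verify the exporter."""
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5")
    if len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    records = []
    for n in range(count):
        r = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + n * RECORD_LEN)
        records.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                        "pkts": r[5], "octets": r[6], "sport": r[9], "dport": r[10],
                        "tcp_flags": r[12], "proto": r[13]})
    return count, records


def send_to_collector(datagrams, collector=("127.0.0.1", 2055)):
    """Ship datagrams over UDP; the collector address/port here is an assumption."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for d in datagrams:
            s.sendto(d, collector)


# Constructed sample traffic: three packets of one HTTPS flow and one DNS query.
SAMPLE_PACKETS = [
    ("192.168.10.25", "203.0.113.7", 6, 51514, 443, 60, 1000, 0x02),    # SYN
    ("192.168.10.25", "203.0.113.7", 6, 51514, 443, 52, 1010, 0x10),    # ACK
    ("192.168.10.25", "203.0.113.7", 6, 51514, 443, 1500, 1020, 0x18),  # PSH/ACK
    ("192.168.10.25", "192.168.10.1", 17, 40000, 53, 78, 1005),
]


def export_sample():
    cache = FlowCache()
    for pkt in SAMPLE_PACKETS:
        cache.add_packet(*pkt)
    return cache.export(sys_uptime_ms=2000, unix_secs=1572480000)


if __name__ == "__main__":
    for d in export_sample():
        print(parse_v5(d))
```

Two things a real exporter adds on top of this: expiring flows on an active/inactive timeout instead of draining everything at once, and, because the SPAN gives you both directions, deciding whether to export each direction as its own record (what v5 does) or pair them first.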



Cisco ASA - capture directly to wireshark instead of buffer?

Is there a way to bypass buffer limitation on ASA and direct the cap/capture to wireshark host?

Thank you in advance.



Could you use BGP internally to allow for a more controllable scale when you find the need to use Totally Stubby Not So Stubby Areas?

My professor hardline says "BGP is for use in the internet", but using a NSSA-TSA seems like an annoying level of granularity; maybe it's just the name though.



Best online site to build/order custom fiber cables?

Having a hard time finding a company I feel comfortable going with. This is a large order, appx 500 cables... Not sure of deadline needed at this time. Anyone have any experience/suggestions?



Wireshark with aws/azure/gcp

Hey net lords, Have you guys done any packet analysis using Wireshark on aws/azure/gcp? I was reading on one of the aws forums that Wireshark will only capture on one particular ec2 instance where its deployed and not on other instances. Can someone please elaborate on this and also on azure and gcp.

P. S. I am just getting into Cloud so I have very basic idea about it.



website redirect not loading behind a sonicwall

I just called SonicWall support and they couldn't figure this out. I am trying to access a website that uses a redirect to view bills, and it seems to be just this one web address that never loads. The SonicWall tech said we are sending packets out but it never comes back, which should be true since I believe they use SSO or some way that we can ping them but won't receive any information back.

Has anyone had a similar issue? I am stumped. It's not DNS or CFS issues, since CFS is turned off and it still happens. If I bypass the SonicWall and go to the modem it works just fine. Someone had suggested disabling TCP randomization; I did that and it seemed like it worked for a week or less. Now I am back to square one.



routing traffic between 2 physical LAN's each with their own internet connection

Hey there,

Hoping someone might be able to give me a hand with this.

I have 2 physical LANs here with 2 different internet companies in a physical location. I have set one network to a 172.16.0.0/12 network and I have the other set to a 192.168.0.0/16 network.

What I want is to be able to port forward to get traffic from outside LAN#1 and have the port forwarded traffic route to a machine running on LAN#2.

I have built a quick OPNsense router with a 10GbE NIC because I assumed I could create a static route and have the OPNsense router connect its WAN with LAN#1 and connect its LAN interface with that of LAN#2 to bridge the 2 networks and route the traffic.

However, I must be doing something wrong because I just can't seem to get it to work.

If someone could help me through this I would be so eternally grateful. It is extremely important that I get this running.

Just for anyone who wants to know why I am doing this, I have to route a lot of data into this machine on LAN #2 and I can't afford to bog down the internet connection on this network, and I also am unable to move this machine completely over to the other LAN as it has duties to perform on this network.



Transit gateway routing

See Image

I have a test environment in AWS set up like the image in the link above. The issue is I can't ping or SSH the Linux instance. I have disabled the source/destination check on the ENI of the Linux EC2 but with no luck. From my FortiGate firewall, I can see that traffic is going out through the VPN to the transit gateway but nothing is coming back. I have set up a routing table and associated it to the remote site VPN and AWS VPC attachments. I have put the routes as seen in the pic above but am still having issues. What do you think is wrong?



Experiences with Arista

Anyone have any experiences, positive or negative, implementing Arista switches they can share?

We are looking at possibly implementing some 7160s in a leaf/spine fashion to replace an aging Juniper stack.

Looking for input such as how is the tech support, how is their OS, any major gotchas, would you do it again, etc.



Is there a tool to test/pair RJ-45 jacks?

The last person to configure the switch at my job did a horrible job and kind of mismatched all of the ports to the patch panel, so now I don't know which switchport to activate when turning on RJ-45 jacks in our cubicles. Is there a tool where I can say, plug in a tool to the port on the wall, and then go to our server room and test each port for like, a beep or some signal that will say "This is the correct port you have matched with"?

Thanks in advance.



Huawei - VxLan and Vlan configuration advices

Hey folks,

I am working on a project for which we need to use VxLAN.

Before I started to work on this project, I did not know anything about VxLAN. So I read up on it and started to make a PoC. For information, we use Huawei routers and switches, so I work on eNSP for my PoC.

The switches we chose for this project are the S6720SI and S6720EI. These switches implement VxLAN functionality.

So, as you can see in my screenshot (here: https://imgur.com/a/1kt2J5Z), I tried to make a simple configuration. I have my backbone, with RRPP and OSPF implemented. These two features work.

I have mounted a VxLAN tunnel between SW_1 and SW_2. I can see that my tunnel is up and working. In my first VxLAN tunnel, I allow vlan 10 to go through, and in my second VxLAN tunnel, I allow vlan 20 to go through. I created my VxLan endpoint tunnel on sub interfaces GE1/0/9.10 and GE1/0/9.20 on SW_1 and SW_2. Also, I have VNI 1010 (for vlan 10) and VNI 2020 (for vlan 20).

On my switches SW_ANT1 and SW_ANT2, I allow vlan 10 and vlan 20 to go on the interfaces GE0/0/1 and GE0/0/24 with trunk configuration.

On my switches SW_SITE1 and SW_SITE2, I have a trunk on GE0/0/1 interfaces, allowing vlan10 and vlan20. The ports GE0/0/2 and GE0/0/3 are access, with vlan 10 or 20, depending on end network.

My problem is the following : from PC1-1, I can not ping PC1-2, which are on the same vlan.

I don't know what to do, because I have no experience with VxLan. Could you give me some help please?

The source I used for my PoC : https://support.huawei.com/enterprise/en/doc/EDOC1000178188/4fef8bd9/example-for-constructing-a-virtual-data-center-network-for-layer-2-communication-over-a-campus-network-using-vxlan



Some hosts on AD are host.company.local, but my Linux machine only resolves as host.local not host.company.local. Why?

This is just for curiosity, no work issues or needing to fix this.

I thought that all hosts on a LAN should be able to resolve the FQDN of host.company.local. My resolv.conf on my Linux box shows 127.0.0.53 and does have "search company.local".

The most likely explanation I can think of is that my Linux box needs to be added to the local DNS somehow?

Ideas?



Routers speed test results

Hello everyone,

Is there any Excel sheet / web page with information about routers (most popular brands/models) and their real WiFi/cable speed test results? A comparison list or just the results.

Only found this filter for review search and this link for a newer one where results can be found on "performance" page.



iperf test shows large number of TCP: duplicate ACK / retransmission & out-of-order

I carried out a network throughput test using iperf and captured packets at both ends. I see almost 10% of packets highlighted in tcp.analysis.flags with the following characteristic:

“TCP duplicate ack” followed by “TCP fast retransmission / TCP retransmission” & “TCP out-of-order” occurs every second, with rare occurrences of “TCP ack for unseen segment”.

Here is a printscreen using filter on the receiver side (filter: tcp.analysis.flags):

https://i.stack.imgur.com/bNSbD.png

Here is the capture from sender side:

https://i.stack.imgur.com/spbqg.png

I have used iperf to send data in TCP mode for a period of 500 seconds using IPv4 only.

The only capture filter was "host" followed by an IP (sender or receiver). I also observed that the major errors (duplicate ACK/retransmission) occur every 3.5 seconds, while a few sets of errors occur every second. Given the high number of duplicate ACKs, I feel there is definite packet drop. Am I correct, or am I missing anything?

Here is statistics>tcptrace from Wireshark:

sender (client) side (client to server view):

https://i.stack.imgur.com/2iYiF.png

Thank you in advance.



Looking for a Wifi analyser for Windows 10 that alerts me when there are connection issues?

Ideally a little pop-up that can tell me when the connection is no longer solid. Does such a program exist? Thanks.



10G ISP Conversion

I’ve got an ISP delivering a 10G connection to us over fiber. Unfortunately, I only have 10G RJ45/copper ports available on my router. What options for conversion do I have? I run a small network with HP switching in it, if that makes a difference.

I currently have a single Dell R430 as my router with a dual-port 10G copper and a dual-port SFP+ adapter. The SFP+ ports are taken and cannot be converted/reused.

This is probably a simple issue, but your help is needed!



Network Design and Audit HELP

I'm currently doing a site drawing for a make-believe business for an assignment, but I am unsure about a few things. I am not sure if what I have done at the minute is correct. I have the main cable entry for internet going through my plant room; I then connected the internet cable to an MDF (Main Distribution Frame) which I set upstairs in my building. I then have an IDF (Intermediate Distribution Frame) right next to my MDF in a cut-off room which is connected to the MDF. From the IDF I then have it connected to two routers which I have in the building, one for public WiFi and one for staff WiFi. I then have the routers connected to switches: 4 switches upstairs connected to the staff WiFi router, as there are loads of office rooms with computers, printers etc., and then I have one switch downstairs which is connected to the public WiFi. As someone who is new to all of this I'm struggling to completely understand if this is the right approach I am taking?

From the switches I then plan on adding ports all around the building in order to give internet access to the different rooms, and from the ports I plan on connecting IP phones, computers etc. I'd appreciate it if anyone can help guide me if I'm on the right track!

Thanks :)



Site to Site VPN solution for SO-HO?

Hi Guys,

Network engineer hear that deals with a large enterprise grade network - working with cisco,juniper, f5 and palo alto etc...

My friend has approached me about setting up site to site connectivity for his manufacturing business - they currently have 2 sites - a main design office and a manufacturing plant (no more than 10 users in the business at the moment). Their requirement is to have the manufacturing team be able to pull designs down from the head office and print from one office to the next (essentially have the two sites able to share resources) - both sites have a 50mb internet connection currently, FTTC (UK)

I don't really get involved with the small business side of things so I am not sure what is available in the marketplace outside of the big players - I was initially thinking something like a couple of ISR900s and setting up a DMVPN as this will allow them to scale out in the future - is this overkill? Are there any one-box wonders that I should be looking at? I know Cisco used to do the ASA5505 but this has gone EOL/EOS I believe, and the 5506-X looks like it doesn't support L2 switching (one of the sites just has 2 people so I'd rather not buy a separate switch if I can help it)

Any ideas? :) Thanks



Tuesday, October 29, 2019

Aruba CX 6400 / 6300

Need some advice on networking for our 'server room'. I'm not a network guy, more of a sysadmin/ops.

We have about $30-40k budget for network gear. Looking to see if it's worth buying a dedicated core switch or combine access & core together for our servers and workstations.

There are currently six 48 port 1G switches used for our office environment (4x Aruba 2540s and 2x Aruba 2930) in the server room. These are for workstations, phones, printers, and IoT devices. Each has 10G SFP+ uplinks. These currently link up to a Netgear switch that constantly locks up when the network gets a decent amount of traffic. We also run our servers off of this as well.

We have 8 servers (mix of HCI and Veeam backups). There's about 40 ports of SFP+ total, so 20 split between a pair.

I was looking into possibly connecting the servers to a 24p 10G Aruba 6300 switch pair, and hang some of the SFP56 breakouts for the 1G access switches. Or would it make sense to do the 6400 - buy 1 blade for core and connect the access switches to it and buy another blade for the servers and link that to the core blade? I've never worked with a modular switch before so not sure if this would be recommended.

Otherwise would it make sense to look at the 8320 32P QSFP as the core and 6300 24P SFP+ for servers?

I'm also open to other vendors, we just currently use Aruba's at our branch sites.



Ubiquiti's 2nd Gen Switches released

The 2nd generation unifi switches are out of hardware beta.

Link

New features include quieter cooling, 4 x SFP+ ports on the 48 model, redundant power supplies with an extra 1U device (ew...). Nice update but one of the top comments says it well I think.

They're OK but not great.

Disappointing that they don't hit redundant hot-swap PSU baseline. They could have at least done a pair of 40G interfaces on the back for stacking. The PoE budget is very very low across all models. The power redundancy model is bad and something most vendors threw out 10 years ago.

For the price point you're really better off going with Cisco 2960-L if we're being honest.

Sure you get UniFi for management but I would have expected to see a lot more functionality through UniFi by now. Centralized management doesn't turn this into an Enterprise-grade switch. Where are the L2 features and improved UI for switch management? Not really seeing a great value at the price point. Nobody cares about the touchscreen.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Private VLANs to micro-segment user space

Hi everyone,

We are thinking of ways to segment our employee user space (data VLANs) to prevent the spread of malware, especially ransomware, in layer 2 domains. I was thinking of using the concept of private VLANs to do that. Am I looking at this the right way? Does anyone have better suggestions on how to pull this off?

Thanks, JJ



Bad crimp

Is it possible to crimp a cat5 or cat6 cable too hard? I have been having issues with cables I am making, none of them seem to work.



Boston Area Cabling Costs

Just got a quote from a contractor that averages about $500 per drop for some access points and projectors we need to add to our network. This is just to run about 30-40 ft from our wiring closets. We have drop ceilings in most locations and other floors have plenty of access so it's a pretty easy job. Everything terminates to Systimax wiring blocks.

It's been over a decade since we rewired the building to CAT 6 so maybe I'm behind the times, but $500 a drop seems pretty excessive to me even in downtown Boston.

Am I just behind the times or am I getting screwed?



How to discern what is throttling the link?

Hello you. I have a site to site link utilising pfsense openvpn. When trying to transfer data across the link, I seem to be capping at 100mbs despite all the links being 1gbs. I have run jperf and that returns the same connection speed. Trying to think of a good way to determine where the throttling is occurring but can't think of a way. Any suggestions would be welcome?

CPU seems to be within a reasonable threshold when running the transfer so I do not think it is that either.



How would you protect this floor mounted fiber patch panel?

https://i.imgur.com/ywfpT2M.jpg

Most of the fiber patch panels were installed on the floor like this... positioned perfectly by everyone’s foot. Anyone any suggestions on something that would protect the patch panel from slight kicks or shifting under desk debris?



Configure VTY lines using ansible

Hi

I am configuring VTY lines on some devices with AAA.

But the ios_config module always changes the configuration when it is already configured.

- name: RUN 'Changing line vty'
  ios_config:
    lines:
      - authorization exec VTY_author
      - login authentication VTY_authen
    parents:
      - ""
  with_items:
    - line vty 0 15

The reason is that the configuration will be split up into 2 or more parts by IOS:

line vty 0 4
 authorization exec VTY_author
 login authentication VTY_authen
 transport input ssh
line vty 5 15
 authorization exec VTY_author
 login authentication VTY_authen
 transport input ssh

My problem is on some devices the vty lines are split up into more than this.

line vty 0
 authorization exec VTY_author
 login authentication VTY_authen
line vty 1
 authorization exec VTY_author
 login authentication VTY_authen
 length 0
line vty 2 4
 authorization exec VTY_author
 login authentication VTY_authen
line vty 5 15
 authorization exec VTY_author
 login authentication VTY_authen
!

Any good advice on how to avoid this?

Or do I have to make an "show run | inc line vty" and loop through it in my task?
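One way to get the per-line check the post is asking about without looping over "show run | inc line vty" inside the task, as an added example that is not from the post: parse the running config once, expand every "line vty A B" stanza into individual vty numbers, and report only the lines that lack the required AAA statements. The running config below is constructed from the stanzas in the post, with vty 5 15 deliberately missing its authorization command so there is something to find.

```python
import re
from typing import Dict, List, Set

# Constructed sample (not a real device): the split "line vty" stanzas from the
# post, with vty 5 15 missing "authorization exec" on purpose.
SAMPLE_RUNNING_CONFIG = """\
!
line con 0
 logging synchronous
line vty 0
 authorization exec VTY_author
 login authentication VTY_authen
line vty 1
 authorization exec VTY_author
 login authentication VTY_authen
 length 0
line vty 2 4
 authorization exec VTY_author
 login authentication VTY_authen
line vty 5 15
 login authentication VTY_authen
 transport input ssh
!
"""

# The AAA statements every vty line must carry (names taken from the post).
REQUIRED = ("authorization exec VTY_author", "login authentication VTY_authen")

VTY_HEADER = re.compile(r"^line vty (\d+)(?: (\d+))?$")


def parse_vty_stanzas(running_config: str) -> Dict[int, Set[str]]:
    """Map each individual vty number to the set of commands configured under it.

    IOS prints "line vty 2 4" for a range; the range is expanded so every vty
    number gets its own entry no matter how IOS chose to group the lines.
    """
    per_line: Dict[int, Set[str]] = {}
    current: List[int] = []
    for raw in running_config.splitlines():
        if not raw.startswith(" "):             # top-level line: new section or "!"
            m = VTY_HEADER.match(raw.strip())
            if m:
                first = int(m.group(1))
                last = int(m.group(2)) if m.group(2) else first
                current = list(range(first, last + 1))
                for n in current:
                    per_line.setdefault(n, set())
            else:
                current = []                    # any other section is ignored
        elif current:
            cmd = raw.strip()
            for n in current:
                per_line[n].add(cmd)
    return per_line


def missing_aaa(running_config: str, required=REQUIRED,
                vty_range=(0, 15)) -> Dict[int, List[str]]:
    """Return {vty_number: [missing commands]} for every line in vty_range.

    A vty number absent from the config altogether is reported as missing every
    required command, so gaps between stanzas are caught as well.
    """
    per_line = parse_vty_stanzas(running_config)
    result: Dict[int, List[str]] = {}
    for n in range(vty_range[0], vty_range[1] + 1):
        have = per_line.get(n, set())
        gaps = [cmd for cmd in required if cmd not in have]
        if gaps:
            result[n] = gaps
    return result


def lines_to_configure(running_config: str) -> List[str]:
    """Collapse the non-compliant vty numbers back into "line vty A B" headers,
    i.e. the parents values to hand to ios_config for just those lines."""
    bad = sorted(missing_aaa(running_config))
    headers: List[str] = []
    i = 0
    while i < len(bad):
        j = i
        while j + 1 < len(bad) and bad[j + 1] == bad[j] + 1:
            j += 1
        headers.append(f"line vty {bad[i]}" if i == j else f"line vty {bad[i]} {bad[j]}")
        i = j + 1
    return headers


if __name__ == "__main__":
    for n, gaps in missing_aaa(SAMPLE_RUNNING_CONFIG).items():
        print(f"vty {n}: missing {gaps}")
    print("parents to pass to ios_config:", lines_to_configure(SAMPLE_RUNNING_CONFIG))
```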



Alternatives - Dell S4148F-ON

Hi all

I was wondering if anyone had any recommendations for alternatives to the

  • Dell S4148F-ON

It does not have to be Dell but someone that is relatively popular that is readily available for purchase

I will of course - continue my research and post options for comment

Appreciate the help in advance



Need to connect about 250 wireless devices

Hi there, first of all I don’t really have knowledge about networking. I’m an AV guy and I need to set up a wifi connection for about 250 devices (cellphones/tablets). It’s a temporary installation for one day. It’s only for online voting so they’re not gonna use a lot of bandwidth. What kind of router would I need and are there any settings I need to tweak?

Thank you very much!



FreeRadius w/ DaloRadius, need PEAP authentication for wireless (ubiquiti wpa2 Enterprise)

Hey guys, I'm using the default config on the latest Debian. I'm using freeradius 3.0 from what I can tell and all the guides I can find are for older versions. How can I enable PEAP? With MSCHAPv2?

RADIUS works fine on my DD-WRT router but doesn't work at all for my airMAX (Ubiquiti) devices, which I can only assume is 802.1X/PEAP related. My google-fu turns up nothing.



ARP poisoning to imitate another device

From the perspective of keeping my network secure, I'm curious about the ins and outs of ARP poisoning & how that (or perhaps something else I'm not thinking of) can be used to imitate another computer. I'm fully aware of being able to poison the ARP table to imitate a computer on the same subnet. Beyond that is where my knowledge gets fuzzy. My understanding is that someone would not be able to imitate (via MiTM) a computer on another subnet because once the traffic gets to the router, MAC address info would be stripped off. First, is that complete and accurate information? And second, is there still a way to act as a computer on another subnet somehow, or at least set up a TAP to that computer, by spoofing the gateway perhaps? I'm talking as a rogue client on the network, not a network admin who could obviously set up a TAP if they wanted to. I've tried to figure out in my head if that would work because if you gave yourself the MAC of the gateway, how would you, yourself, forward that traffic on, or even get traffic back since the device(s) a hop away would be connected to the gateway so therefore the response traffic wouldn't get to your MiTM computer, right? Lastly, how would trunk ports enter into the mix? Could you pose as a computer on another trunked subnet somehow if you're on a trunk port or does the "gateway stripping the necessary information" rule still apply?

Some of the answers I'll get back will undoubtedly get a "duh" to myself once I see it, but I'm thinking out loud and trying to not make my brain hurt by thinking about all angles of this at once, and hoping people with better applied knowledge of this scenario can just rattle off the answers to me. (Thanks)

Bottom line, is I want to know the capabilities of a client being able to intercept traffic to, or somehow act as, a computer on another subnet/VLAN and either what would go into that, or if that's totally not doable due to how L3 works.
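The question above is about what a rogue client can do; the defender's side of the same scenario, as an added example that is not from the post, is spotting the symptom on the wire. ARP is link-local, so IP-to-MAC bindings are tracked per VLAN here; the replies below are constructed sample data, and the known-gateway table is an assumption standing in for whatever the operator actually documents.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply ("<ip> is-at <mac>") as seen by a monitor port on that VLAN."""
    vlan: int
    sender_ip: str
    sender_mac: str


# Constructed sample traffic (not a real capture): normal replies on two VLANs,
# then a second MAC claiming the VLAN 10 gateway address and a host address too,
# which is how a poisoning attempt against the gateway looks from the wire.
SAMPLE_REPLIES = [
    ArpReply(10, "10.0.10.1", "00:11:22:33:44:01"),   # VLAN 10 gateway
    ArpReply(10, "10.0.10.25", "00:11:22:33:44:25"),  # ordinary host
    ArpReply(20, "10.0.20.1", "00:11:22:33:44:02"),   # VLAN 20 gateway
    ArpReply(10, "10.0.10.1", "de:ad:be:ef:00:99"),   # conflicting gateway claim
    ArpReply(10, "10.0.10.25", "de:ad:be:ef:00:99"),  # same MAC now claims a host
]

# Gateway bindings the operator knows to be correct, keyed by (vlan, ip).
# Assumed values for the example.
KNOWN_GATEWAYS = {
    (10, "10.0.10.1"): "00:11:22:33:44:01",
    (20, "10.0.20.1"): "00:11:22:33:44:02",
}


def detect_arp_conflicts(replies: List[ArpReply],
                         known_gateways: Dict[Tuple[int, str], str]) -> List[str]:
    """Return one alert string per suspicious ARP reply.

    Bindings are keyed by (vlan, ip): a claim on VLAN 10 says nothing about
    VLAN 20, so the two are never compared against each other.
    """
    bindings: Dict[Tuple[int, str], str] = {}
    ips_per_mac: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    alerts: List[str] = []
    for r in replies:
        key = (r.vlan, r.sender_ip)
        expected = known_gateways.get(key)
        previous = bindings.get(key)
        if expected is not None and r.sender_mac != expected:
            # The gateway address is the highest-value target, so it gets its own alert.
            alerts.append(f"vlan {r.vlan}: gateway {r.sender_ip} claimed by "
                          f"{r.sender_mac}, expected {expected}")
        elif previous is not None and previous != r.sender_mac:
            # A host address changing MAC mid-session is worth a look even when
            # no documented binding exists for it.
            alerts.append(f"vlan {r.vlan}: {r.sender_ip} moved from "
                          f"{previous} to {r.sender_mac}")
        bindings[key] = r.sender_mac
        ips_per_mac[(r.vlan, r.sender_mac)].add(r.sender_ip)
        if len(ips_per_mac[(r.vlan, r.sender_mac)]) > 1:
            # One MAC answering for several IPs on the same VLAN is the classic
            # signature of a station inserting itself between two hosts.
            alerts.append(f"vlan {r.vlan}: {r.sender_mac} answers for several IPs: "
                          f"{sorted(ips_per_mac[(r.vlan, r.sender_mac)])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_conflicts(SAMPLE_REPLIES, KNOWN_GATEWAYS):
        print(line)
```

Switch features such as Dynamic ARP Inspection do the same comparison in hardware against the DHCP snooping table; this script is the same idea run over a span port or a packet log.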



Hp Procurves - Primary VLAN questions

Hey all

Networking noob here - but my company doesn't have a networking admin.

So, I had questions about primary VLANs. I'm trying to do a VLAN cleanup (this core switch had ~18 VLANs, only about 5 of which are actually in use) and I cannot delete one of them - it's being cited as the primary VLAN.

  • How does one identify what the current primary vlan is?
  • What are its functions, really?
  • Does there have to be a primary vlan?
  • Does it matter what vlan is primary, as long as there is one?

Thanks



Bizarre Network Access Issue

Ever since a power cut a couple of months ago, we've been having discovery issues within the network, to the point where only a select few IPs are accessible from outside the network at a given time. What's even stranger is that the IPs are of completely different vendors/devices, for example 192.168.1.11, .57, .201 and .202 being an HP iLO card, an APC UPS, and 2 door control systems. These devices share no significant similarities as far as I can see. This issue has been creeping around for months and I've honestly come to a brick wall with every project due to the straight up refusal of the IPs to be accessible.

Any ideas? Already had an MSP on it and they unfortunately couldn't find anything.



Purchasing new lines

Hi guys,

I am a system engineer so please bear with me as I am trying to wrap my head around something totally new for me.

We have a small office in Mexico, it is closing soon and they are moving to one of our mother company's buildings.

We contacted our service provider for a new Internet line and they are now asking us questions for the new line:

“Could you please confirm to me the required for the circuit MTU size, Tagging type(Tagged/Untagged/VLAN transparent), Port type(FastE?), Media type(Copper/SMF/MMF).”

We have contacted the building manager and he told us they have a room on their second floor (fiber backbone) where some Internet providers already have equipment (demarcs I guess it's called); the building manager is telling us he can do a site survey.

Now what I am trying to get right is, when the network provider asks us the MTU size, tagging type, port type, media type, do they want to know that for the local tail and demarc connection or for the extension to our office space network cabinet?

In the end we will have a Cisco ISR router to place so we can connect it to our existing DMVPN network.

We have a local contact at our mother company that should be able to help us get the router plugged in and configured, it's just an issue currently between our service provider (GTT), the internet provider (IG Networks) and the building manager.

To add to the confusion the service provider speaks English whereas the building manager only speaks Spanish.



Are there any good VDSL modems people recommend for small business?

We have a VDSL connection here in Australia, over the NBN (National Broadband Network). Rated speed is 100 Mbps down, and 40 Mbps up.

The ISP has supplied us with a ZTE H268A ADSL/VDSL modem. Behind this is a Netgate XG-7100 running pfSense 2.4.4-p3.

However, the modem can be flaky sometimes - we've had a few occasions where the connection will go incredibly slow (i.e. 3-4 minutes to load google.com) - and we have to power-cycle the modem to fix things. And when we tried to put it in bridge mode (with a pfSense router behind it) - the connection would work for a day or so, then we'd need to power-cycle it.

The GUI interface is also slow and frustrating.

Is there a VDSL modem that people would suggest?

We don't necessarily want the cheapest, but something that's reliable, performs well, and has good manageability. (I can't seem to find any VDSL modems with console access, or out-of-band control).

I see the Draytek Vigor 165 is meant to be good, or the older Draytek Vigor 135 or 132? Any other brands/models that are good?

There's a list of "officially" supported modems here:

https://whirlpool.net.au/wiki/fttn_registered_modem_router#vdsl2_modem_routers_isp_settings

And the list of features they have to support are here - vectoring support is required:

https://www.nbnco.com.au/content/dam/nbnco2/documents/sfaa-wba2-product-catalogue-nebs-product-tech-spec-fttb-fttn_20150904-to-20151102.pdf



Rules to restrict only VPN traffic

Hi all - if i have 2 firewalls and a VPN in between them, what kind of ruleset do i need to ensure that ONLY VPN traffic is allowed between the two and nothing else?



problems with speed

I have a range of 55 dB on the case, but the maximum speed remains 2mbit; when I stand at 32 dB there is a normal speed. Channels are not the problem and the access points are also of good quality. Can someone advise me what to do?

Setup:
Aerohive ap130
Zyxel 8 port switch with POE+



Questions about the IPv4 block market and IPv4 block leasing.

I've been trying to research the IPv4 block leasing market, I couldn't find much info about it. I've been told it's a bad idea to lease out IPv4 blocks. I've also been told the major problem with leasing out IP blocks is spammers. Hopefully someone here knows something about it. I'm not talking about ISPs leasing IP blocks to their customers. I'm talking about 3rd parties leasing to people for use on their ISP or their server host.

1) What is the market value of IP blocks that have been used for spam?

2) What percent of the time are leased blocks used for spam?

3) What's a normal rate of return for leasing out IP blocks?

4) Generally, how long are the leases?

5) How big is the leasing market?

6) Is there anything else I should know?



Monday, October 28, 2019

Question about units for Signal Strength: dBm vs mW

I know I have to look at relative changes when I compare signal strength of two different distances while using dBm. But if I convert it to mW, can I look at the absolute values and compare them generally(like we compare two different values for Joules, for example)?

Here's why I need it: I'm looking at Wi-Fi and trying to use it to compare the intensity at different distances. dBm would be very tedious to use, so if I could convert these values to mW and then look at the relationship much more intuitively, that would help much more.



Separate LACP trunks, or combined LACP trunks?

Edit: That title was supposed to be ‘separate or single LACP trunks’. Apologies.

We have a network with two ‘environments’. These ‘environments’ cannot be combined for reasons (read; money). Each ‘environment’ has its own heavily used VM servers, but they share a physical storage server, which connects to the also shared gigabit switch over a dot1q trunk.

My boss wants to take that storage server and break the trunk from a 4-port trunked LACP link into two 2-port LACP links, one for a physical switch for each environment.

I feel like this isn’t a great network design choice, but I can’t really explain why. My thought was that, since a couple of the links are always under load, a sudden burst of traffic might cause problems. I’m sure someone else can explain the actual facts better than I can though.



What is an Airwall and how does it work?

The concepts behind the Airwall were first proposed by Robert Moskovitz in 1999 as an individual IETF submission when the Host Identity Protocol (HIP) was conceived as a solution to overcome the fatal flaw in TCP/IP networking - which has made networking and security the complex Rubik it is today. An Airwall is comprised of one or more overlays, with each overlay made up of virtual trust segments, with each Airwall Edge Service possessing its own unique 2048-bit Cryptographic ID (CID) following the HIP RFCs. The result is a solution with military-grade encryption that can span nearly any device, network, or environment. An Airwall is set up using an intuitive, visual, and point-and-click management and orchestration engine, called Airwall Conductor. Unlike traditional IP networking and SDN approaches, an Airwall requires little to no modification of the underlying network or security infrastructure. It provides a simple policy-based configuration of devices or groups of devices that are explicitly trusted within the Airwall based on whitelisting. This trust, based on unique CIDs, determines what systems or machines can initiate and establish communication before any data is exchanged. A device or group of devices can belong to multiple Airwalls and an Airwall can span multiple existing VLANs, subnets, and easily span networking boundaries – across data centers, public clouds, campus networks, and remote locations, and even unmanaged networks. This enables devices to be connected or disconnected in seconds without disturbing the existing networking and security infrastructure.

Technical White Paper - https://www.temperednetworks.com/sites/default/files/tn-document/Tempered-Airwall-Next-Gen-Internal-Firewall.pdf



Networking 40,000 square feet and 10 non profits.

I need to rebuild the network of a 4 story, 40,000 sq ft building with 10 non profits ranging from 1-5 machines to a small college with 200 machines.

Right now each non profit gets their own internet service independently from two or three internet providers. Two of the biggest non profits are bringing in a single gigabit fibre optic line and many of the smaller organizations want to join in as it will be a considerable savings to the network expenses.

The building was built in the 70s and networked worked in the mid 2000s.

I have a good idea how I think it should be done, for the day-to-day cabling. But I'm curious how the experts in here would set up the routers and switches.

I'm thinking of going with a fibre optic switch because we should have 6 or 8 IP addresses, and then giving the big organizations their own routers, and grouping all the smaller organizations with VLANs off a single router.

Any thoughts would be appreciated.

Thanks.



Network engineer trying to decide if I should ditch my CCNP

Sorry if this is too career oriented.

I've been a network engineer for about 5 years, but never got my CCNP. I landed a job where I'm building and in some cases designing networks for a real estate management company and just came on full time after a 6 month contract. I'm wondering if a CCNP is even worth it at this point. I've worked for Palo Alto Networks, Match.com, and now at my current job, with nothing but a CCNA. Granted I'm a quick learner, have leveraged my communication skills, and have become very proficient in different networking concepts. I understand routing more than switching, but probably firewalls more than all. I've worked with l2/l3 infrastructure in both enterprise/data center environments along with security devices like ASAs and Palo Altos. I'm very familiar with Cisco Nexus 5 and 9ks, ISRs, and will be starting projects on Cisco ISE and SDWAN in the coming months. Currently I'm working on migrating MPLS circuits and also replacing our Cisco ASAs in about 20 remote sites across the country. I do solar winds monitoring and maintenance and even have a little experience with network automation and Ansible.

With all that said, I'm wondering if I should ditch trying to get a CCNP. I really want to focus on getting my AWS certification and dedicate my time to mastering Python for network automation. The only reason I was studying for my CCNP was to get a solid network engineering job, but at this point my experience shows my capacity and practical know-how as an engineer. What say you reddit and hiring managers? I want to get into devops, but I also want to leverage AWS for my own consulting business in the not so distant future. Thoughts?



Can you explain AWS/GCP VPCs to me? Here's my understanding..

I have been learning CCNA concepts and networking concepts for the past couple of months.

Correct me if I am wrong.

Apologies in advance if this question makes no sense

We can subnet our local router and assign the fast ethernet port that subnet IP and mask. If there are two fast ethernet ports we can create two subnets and connect them to two switches.

So, is VPC just like that? When I create a VPC in say AWS, AWS spins up/powers up a router for me? And when I create subnets in that VPC, a command similar to 'ip address 10.0.1.0/24 s/0/0' is being run on the router that was created?

Thanks for reading. Have a good day.



Loopbacks for management: Good idea or not?

Maybe this is a dumb question but here goes. We're using management vlans for our network devices. Some are L2 only but most are L3 now. I know that some people use loopback interfaces instead. I know this has some advantages, the most appealing to me being that it never goes down and can be easily routed dynamically (we are using eigrp.)

But my concern is this. Let's say I designate a /24 space for these IPs. If they're all /32's, isn't that going to bog down all my routing tables? Each one will have to be a separate entry. Is a big number (hundreds) of routes just for management kind of a bad idea?

Am I missing something, or would it be wise to use loopbacks sparsely for this reason? What kind of management schemes are you guys using?

thanks



Northern CA fires, power outages, and data systems losing signal

I'm in Northern CA and we've been without power for a couple days and I've noticed I'm starting to lose signal to cell towers. Normally I have full 4/5g, but that fell down to low signal, and now is basically no data at all and only text and call.

So I have a few questions:
- During extended power outages what do mobile and hard-line (coax, fiber, etc) data providers do to maintain availability?
- Is what I'm experiencing the result of cell towers running out of back up power or an attempt to save power? Given the high winds it could also be damaged towers I suppose.
- Is there a way to get a live look at mobile signal strength overlayed on google maps or similar?
- I have att fiber at home, if I were to power my router, modem, and fiber converter, in theory, could I still have internet?

(I'm at work now where we do have power)



Which dynamic routing protocol do you use to connect servers to your network and why?

Let’s say you have to connect a blade chassis to your transport network. There will be a lot of VMs on the chassis and two of them will be virtual routers. And there will be a lot of prefixes (last time I split two /24 networks into 80 subnets). Which protocol should you use and why? (I or E)BGP, OSPF, ISIS, RIP?



New Cisco 3560 POE power deny

So I have a new Cisco switch (Uptime – 6 weeks) that seems to be denying PoE power to a specific port. This just happened in the last few days; all other ports are identical in settings and are operational. The end device is a Shoretel desk phone model 530. I’ve read about deny-power bugs in earlier versions of IOS (12.x), but this switch is currently on version 16.6.6.

So far I’ve tried resetting the port, trying different devices, but still no power. No other changes to the port have been made in terms of PoE settings. I’m going to reboot the switch tonight to see if that helps, but in the meantime was wondering if anyone has come across this yet.

Switch model: WS-C3650-48PS, IOS Version: 16.6.6

sh power inline…

Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Gi1/0/45  auto   power-deny 0.0     n/a                 n/a   30.0

Switch#sh run | begin interface GigabitEthernet1/0/45

interface GigabitEthernet1/0/45
 description Shoretel Phone Port
 switchport access vlan 100
 switchport mode trunk
 speed 100
 duplex full


No Remote VPN Connections

So I configured a site-site vpn tunnel in ASDM on an ASA 5512.

outside interface to outside interface - protected networks (local - 81, 71)(Remote - 80, 70) IKEv2 Pre-shared key

vice versa at HQ site ---------- VPN connection is fine

---HQ--

outside interface 70.80.90.100

inside interface 192.168.80.17 (80_NET)

inside interface 192.168.70.17 (70_NET)

---remote site--

outside interface 100.90.80.70

inside interface 192.168.81.254 (81_NET)

inside interface 192.168.71.254 (71_NET)

I need a bidirectional connection from 70_NET to 71_NET

80_NET and 81_NET should be able to hit everything.

Current ACL rules:

81 interface incoming rule: Source - 81_NET Destination any permit ip

71 interface incoming rule: Source - 71_NET Destination 70_NET, 80_NET permit ip

80 interface incoming rule: Source - 80_NET Destination any permit ip

70 interface incoming rule: Source - 70_NET Destination 71_NET, 81_NET permit ip

---------- Can anyone let me know if this is right or if there's anything I need to add?



Looking for a better understanding between an IP address and a MAC address

This isn’t really a homework question but if I’m asking it on the wrong subreddit feel free to tell me which one would be the right one to go ask this thanks.

I’m currently going through the Introduction to Networks class on Cisco’s netacad and have difficulty grasping the use of MAC addresses if every device already has a unique IP address. I can understand that if the frame stays on the LAN that it has been sent from it might be easier for the switches to find the correct destination device, but in the end if it’s the IP packet that knows where it’s supposed to end up and every end device has its own IP, why even bother with the extra step of adding the MAC?

I also understand that if the end devices destination is not on the same LAN as the source device, the destination MAC address becomes the one of the router that ships the packet to the other network and not the one of the end device itself but with that comes my confusion of why is there not just a single fixed IP address for each network and then a unique MAC address for each receiving device instead of having a unique IP and MAC address for each device?

It gets a bit more confusing to me when I think about the fact that there are only about 4 billion unique IPv4 addresses and there are about 7 billion people on the planet (even though probably more than half of them don’t even have access to electricity let alone the internet) plus all the servers and other devices that exist; if IPv6 has been in R&D since the 90’s how has it not become standardized by now?

I hope this made sense to some of you, it has been bugging me for the past couple of weeks and since it’s an online course I don’t really have a teacher that I can go ask these questions to. The teachers from my actual classes might be able to help but the few times I did ask things somewhat out of their fields they seemed almost as lost as I was, so since reddit has been helpful in the past I figured I might give it a shot.

If you made it all the way through thanks for trying to help it means a lot :)



Huawei MA5800-X7/X15 interface counters

Hello,

I'm looking for an equivalent command on the Huawei MA5800-X7/15 to check all interface counters.

"show interfaces counters errors" on Cisco CAT4500

On the Huawei MA5800-X7 I need to enter configuration mode and check each interface individually:

config
interface eth 0/1
display port statistics 0 | include CRC

Is there a way to do this?



Aruba/HPE Networking Certifications

Anyone on here have experience with Aruba/HPE networking certifications? I've recently moved into a role where I deal with Aruba switching and Wireless more than in my previous role which was primarily Cisco.

While I'm not required (yet) to have Aruba certs, I figured it would be a good idea to start with the ACSA to get some switching experience, then move to ACSP. After that probably the mobility track.

So far I've not seen much in the way of 3rd party self study materials (books and videos). The official study material is very expensive :(

*Time to rant* I thought Cisco's certification pages were confusing, but that is nothing compared to the HPE site. There are several different pages and links to click on to get the information I need. So far I've registered for the "fast-track" because I already have CCNP, but I'm not sure where to go from here...?

Any advice and training material for ACSA, ACSP, or ACMA would be greatly appreciated