Hi, I'm currently preparing for a Nexus I/O module replacement and I just want to know which module is being used of a specific interface?
But do we have a detailed show command on interface level or module level. Though I'm still searching the correct command on Cisco docs. Thanks
We're finally getting around to polishing up the IPv6 side of the network. We have been running dual-stack for the past four years. IPv6 felt like more of a lab experiment than a production ready network. That is all changing. We've been adding lots of IPv6 peers, new IPv6 DHCP servers (PD), new IPv6 DNS recursors, pdns LUA scripted PTR and AAAA for our /36, and lots of FTTP access and residential gateway testing on IPv6 underway.
Now here's my question(s), what should be happening at the ISP router security level? We currently have ACLs that basically only permit BGP and ICMP echo (with CPP). These were basically a copy paste of the IPv4 rules. With IPv6's heavy reliance on ICMP, should the ICMP rules be opened up a bit for the router too? Or is this basically a host issue only? To be clear, the ACLs I am referring to are only for traffic with a destination address of the router. Otherwise all traffic is passing straight through on the data plane.
Any other special IPv6 router security considerations outside of ICMP?
We're in a Cisco environment, but I think these questions are general and apply to everyone no matter the vendor.
( Background, CCNA, trained on CCNP but didn't take exam. I come from enterprise networking working on 2960X's, 4500X's, integrated service routers, etc and these small business appliances I never seem to have luck with, and I hate GUI's because I can't view the config as easily. I've had a Cisco 4507R+E I decommissioned with an uptime over 900 days. Is there some major disconnect between Cisco Ent and Cisco SB? )
I currently have an RV340 at this site, has done us okay so far until now besides the inter-vlan routing glitch with the latest firmware. The RV325 just seemed much more reliable but is limited on features.
We have an extremely unreliable cable provider at this site that often goes down for several hours during the weekend or after 5PM, one of those rural cable companies. (They just now rolled out DOCSIS 3.0 and bumped customers from 8/1.5 to 35/5 megabit, while some customers are still only offered 1.5/0.1 megabit "Lite" internet)
I have purchased and added a Novatel/Verizon USB730L Global 4G LTE Modem with Unlimited Data, 4G speeds up to 15GB, not bad for a fail-over.
The RV340 sees the modem on USB2, connects to the LTE network, and even pulls a public IP address. By default the modem required SIM PIN (1111) and was performing NAT, but I disabled that. The modem works 100% fine on my laptop.
Sometimes the routing table shows the USB2 sometimes it does not but it is always metric 4 along with the WAN1 entry and the WAN1 subnet entry. All VLAN metrics are 0.
Everything looks fine, the USB2 light is green, then I unplug WAN1 to test. USB2 blinks green a few times, then goes out, then comes back amber. I check the RV340 and it no longer is connected to the modem. I plug WAN1 back in and it comes back, and USB2 light eventually goes back to green.
Can anyone provide guidance if I am doing something wrong? I have tried enabling "Network Service Detection" on both, and then just the WAN, and then just the USB2, no dice.
Even if I configure the opposite with USB2 as priority 1 on Multi-WAN, it gets skipped as it disconnects and fails over to WAN1.
If this is an issue with the RV340 I'm going to be livid, the modem is listed on the compatibility matrix?
It works fine on my laptop if I plug the USB directly in.
Last resort I'm going to try and get it working as the primary WAN on an RV325 then run double NAT and plug it into WAN2 on the RV340, I would be really disappointed in this RV340 if I had to do this but a colleague said that he's had to do it on every RV340/USB fail-over he's set up.
Let me know if you guys need screenshots, but I've followed just about every other setup I can find online down to a "T" and it has made no progress.
Any help would be so much appreciated at this point as we have signed a 2-year contract for this 4G stick and currently it is useless, and this is the cable companies most unreliable time of the year they claim due to "temperature changes throwing off our routing"... what.....
I attached screenshots on my CISCO post here: https://community.cisco.com/t5/small-business-routers/issue-with-rv340-failover-to-4g-lte-with-a-verizon-novatel/td-p/3938109
Getting invalid input detected when I try to declare the standby version when trying to configure the HSRP for my uni assignment. Never used packet tracer before so I've probs missed something obvious, anyone know why it's invalid input. Version 7.2.1 Imgur pic
I have just finished day one of a two day cutover window. Goal: centralization of services for the company, they had three distinct business units all operating separately (own domain, networking, ISP, telephony etc).
We had a design of how the network was to work and have applied configs to the switches accordingly.
| VLAN | Description |
|---|---|
| 1 (untagged) | Data |
| 20 | voice |
| 30 | cctv |
| 40 | guest |
| 50 | mgmt/servers |
I also have laid out my subnet scheme
| Site | Subnet |
|---|---|
| Site1 | 10.100.vlan.0/24 |
| site2 | 10.150.vlan.0/24 |
| site3 | 10.200.vlan.0/24 |
I ran into an issue with my WAN provider expecting tagged traffic on vlan1 rather than untagged. My trunk ports looked like this
spanning-tree port mode vlan participation include 1,20,30,40,50 vlan tagging 1,20,30,40,50 When PVID1 is 1, the default behaviour for the above is for 1 to be untagged, so i've just added a random PVID to force the behaviour they want to see:
spanning-tree port mode vlan pvid 999 vlan participation include 1,20,30,40,50 vlan tagging 1,20,30,40,50 This worked and during my circuit testing I had connectivity. Come today I've finished applying my switch configs, and internet connectivity is borked. My question is, do all my trunk ports between switches need to be PVID999 to force tagging on VLAN1, or only the switch/port that uplinks to the CPE? (I've done the former). I've left site for today without internet working which is disappointing (still got through more than expected). Tomorrow will just be troubleshooting internet connectivity issues. I can provide more design information or configs here, I just didn't want to load the post with too much information unnecessary
TLDR: tagging1 for WAN vendor CPE, do I need to tag1 between access layer switches when my default data vlan is untagged? There seems to be a LOT of data out there on GNS3, but Im hoping to glean the best bits from the top minds of r/networking.
Use Case: I work for an ISP running a MPLS/BGP network. Lots of copy/paste implementing. Configuring devices for migrations. A little bit of trouble shooting. Not much direct learning/teaching going on. I want to implement my own virtual network, (or try) using the configs of devices at work but build them like Im the designer. Eventually track labels and poke and break things. We do have actual lab equipment, but its kind of production lab. I can easily break customers messing with configs. Single area OSPF and BPG just used for MBGP.
Question: How the fuck do I do it. Can I run this on a beefy laptop? Do I use the VM? Is the VM just a stand alone machine? Do the routers just use normal IOSes? Or are there virtual IOSes? How do I implement switches?
Im really interested in digging deeper, I just dont know how to go about it.
Hello, I have been reading a lot of posts from this sub but cant really get to a conclusion.
I have a small business, where I only use a desktop pc and sometimes a notebook to access remotely to the other pc or just to a cloud where I have stored all my stuff which consists in documents and backup data from my main app that manages my business . I also do a backup to an external drive often.
With that said, what kind of security I need? Or what questions should I be asking to know how to protect my business "decently"
I only use Windows defender atm. Do I need a firewall hardware solution? Do software firewall solutions offer anything?
What free or cheap options do I have? I heard stories of other collegues from by business area getting "piracy attacks" and that were recomended to get a firewall which was expensive in their case.
Thanks for the help in advance.
Hi,
I'm looking for a switch with power over ethernet (PoE) with SNMP (for STONITH purposes). However, these requirements often come with a price tag above 150 euros. I read that someone setup a high availability cluster with the MikroTik hEX PoE. However, in the specs it says the maximum output per port is 450 mA. While the raspberry pi uses (with the official charger) 5.1V and 3A. So it seems it would be underpowered, which results in an unstable system, if it boots at all.
Does anyone have a recommendation?
I just tore apart one of our IDFs to re-do the [https://imgur.com/a/cD4L4lb/](hellish disaster zone of wiring) and actually put the switches into the rack, but because I'm dumb I forgot to check if the switches actually had rack-mount ear on them. And they don't. So now I've got half my company headquarters down and I'd planned on having most of tomorrow to put back together, but because I can't mount the switches I can't unless I want to pile them back on top of the rack again.
If you have any rack-mount ears for some Cisco 2960X switches, please send them to me right meow. I'm in the SF Bay area. If you're in Northern California basically anywhere, I will come and pick them up from you on Saturday or Sunday. If you're not in NorCal, I will give you our Fex-Ex account number and please send them to me overnight for first AM Sunday delivery. I will also pay you in whatever method you like, excluding cocaine and hookers.
(...might actually be able to do hookers depending on where you are.) Kidding!OramI...?
Hey guys, with VXLAN EVPN, what network monitoring tools aside from DCNM can be used. Are there any other ways to get visibility into the vxlan fabric?
Hello,
I need some assistance on hooking up a new Avaya analog phone (similar to a 6221).
The telco provided a single pair of wires as a handoff (one black & one yellow, thin strand of copper cross connect wires) Is this single pair enough to power up the phone display and get dial tone? How do I hookup the phones RJ45/RJ11 jack to the single pair strands coming out of the telco board demarc?
The phone has a jack that accepts RJ45/RJ11 combo and I've tried testing it by plugging a regular ethernet cable into the back of the phone and stripping the other end to untwist the 4 pairs and stick them one by one onto the pins of the handoff on the telco board but I could not get dial tone and the phone display wouldn't light up. I tried every set of pairs orange, green, blue, brown with the standard 568B wiring on the phone end.
Isn't a single line analog phone supposed to need just the middle pair for a connection? I know the colors are different on the standard 2 pair phone/fax cable going to 4 pair twisted ethernet, but isnt the copper core essentially the same? 24 gauge AWG, etc? Essentially I should be able to un-twist the middle pair of the CAT5 (blue/blue stripe) and splice it into the black and yellow cables coming from the hand off from the telco and it should give me dial tone. Does this sound like it should work. Obviously the older analog phone doesn't need PoE, but can it pull basic dial tone over a single pair of stranded cross connect wire?
Any help is greatly appreciated.
Hello, everyone. I apologize in advance if i do something wrong in this sub, as this is my first time. I was hoping if i could get some input on this question i was given below. I'm a bit confused on how to break down data packets. The question is stated below as;
"The original IP Datagram is given below. This datagram arrives at a network where the MTU is 1200 bytes. Fill in the blanks in as many IP fragments that will be created to transmit the original data across this network"
i am then given the original datagram here https://imgur.com/a/5TOJtUJ
followed by 6 more empty datagram diagrams. and a list of "notes";
Does this mean that i subtract 1200 from 4020 for every iteration? What about the other factors? do they change too as i fill in the rest of the datagrams? What i did is subtract the amount, and decrease TTT by 1 for every datagram i made, everything else stayed the same more or less, but i have no way of checking if i'm correct.
I don't mind doing most of the problem solving myself, since i want to learn how to do it on my own eventually. But i'm having a really difficult time doing the first iteration, so even just a nudge in the correct direction, or some readings would help immensely. The textbook i have is either not that helpful or sometimes too difficult to understand at first.
Hi guys,
So TODAY I have successfully installed and configured RADIUS Server with WiFi Authentication on my Windows Server 2016. I used 2 TP-Link Access Points that I had new and was not using (model TL-WA801ND) and finally enabled wireless access to my LAN. My question to you guys is if it's ok to use this AP's or should I upgrade to more robust hardware. Keep in mind that:
So... any tips greatly appreciated; security is paramount. Thanks!
I'm due for a new work laptop. While suggestions about the hardware are appreciated, I know that question comes up almost monthly and I can search the past posts just fine. I'm also pretty sure I'll end up with an X1 Carbon.
That being said, I'll be loosing the MacOS terminal and all it's unixy goodness, so my real question is: how many of you run a Windows VM on your Linux OS, or a Linux VM on your Windows OS; how do you like it; what would you change; what issues have you encountered?
I don't think there is anything I must have Windows for--office-wise almost everything is web-based--although I do prefer the native Outlook application and I haven't thoroughly tested openconnect vs AnyConnect. Most of my time is spent in Firefox, SecureCRT, Slack, VSCode, and a text editor for notes (sublime, but I'm not married to it).
For those of you suggesting hardware my only requirements are: USB-A-style port and single-cable dock that supports dual displayports. I'm fine with an Ethernet dongle as long as the dock supports it.
So we just got some Threat and URL licensing. Going through docs and some trials, I see that when there is a new SRU or VDB update, the policy deployment can cause Snort restarts causing traffic disruption.
How do you handle this? I mean, if I have to keep updated, I need a weekly maintenance window disrupting traffic at our DC's. Our interfaces are routed, so based on docs, new connections are dropped until snort comes back up.
Hello,
I have a Cisco 2504 WLC on our network and Cisco has an advisory out for this particular controller. Cisco Wireless LAN Controller HTTP Parsing Engine Denial of Service Vulnerability. My question is, how do I go about applying the fix to this controller? We are currently on version 8.4 for the software. Any help is appreciated. I do have a Cisco TAC support account but completely lost on how to resolve this issue.
Thanks,
Host 58b1.xxxx.xxxx in vlan 101 is flapping between port Fa0/1 and port Fa0/3. I just don't get it.
Both Trunk ports. I get what flapping is on a single port but what does it mean when multiple ports are flapping over a vlan?
Hi,
Hope the follow question is not too 'low level' for this section
We have 8 D-Link DWL-3600AP access points unified with a D-Link DWC-1000 Wireless Controller. We would like to be able to generate temporary passcodes for visitors but getting a step-by-step guide when the equipment is out of warranty is a struggle. Has anyone got any experience of the D-Link portal or any tips/suggestions?
Thanks
I have a csv file of 10,000 ip addresses and I need the geolocations of them
My organization is currently in the planning stages of moving our data center into a colo. Our existing DC support ~200 host on a mix of pizza box hardware and UCS. The network infrastructure is a Cisco 4507 pair in VSS. The equip we are looking to throw out in the colo are a few pairs of Cisco N9K's.
My question is regarding IP overlap that will occur once we start the build-out. From what I have read, technologies that sorta let you stretch L2 like VXLAN or OTV are not supported on my existing hardware that exists in the old DC. That leaves me with moving the DC a VLAN at a time or NAT'ing between the DC's. Anyone else out there have any ideas, or any case studies that could help out?
Hello, I work for an ISP company as a Marketing and Sales officer, i live in a third world country/city, the internet here is expensive, the quota that we( the companies) give on the internet is very, very limited, we provide internet for home users -ADSL service-, in the past couple of years, we started to provide VDSL service, we are the only company in the area to provide this service.
As i mentioned before, the quota is very limited, and its consumed daily, meaning that we provide you with a 7,9,11,13 or even 20 GB per day only. with VDSL service we wanted to be unique, we market and sell our new service as an unlimited quota option, meaning that you can download 100GB per day, 200 GB, 1 TB, but that is not really the case, you see because 90% of the locals barely download over 15GB per day here, we say it's unlimited, but those few people who download over 20-25 GB per day on regular basis, we remove them from our system. I do not like this, its a company's policy, im trying to change it by setting "packages" for the VDSL service, for example 500 GB- 700 GB- 1TB-2TB packages for end-users, instead of treating them all the same, why not divide them into clusters and gain money? we currently charge a fix amount of 21.5 USD for the VDSL service, my suggestion was to proivde 14.5 USD for users with low data usage, 21.5 USD for users with average data usage, and 26USD for users with high data consumption, my idea was rejected because " they dont want their income to decrease by selling 14.5 USD" Since the situation in the country where i live is difficult, most people here are poor, the company have this idea that all customers will change their package to the lowest one (14.5 USD), but i think that having 5000 customers paying 14.5 is better than having 3000 current customers who pay 21.5, most people refuse our VDSL service because they say its too expensive for them, how do i convince the board that this is a viable solution?
Was at a fortune 10 (well 5) when they 'went agile' (kanban). They claimed big boosts in productivity but with no baselines for comparison. In the datacenter we had things pretty well regimented thanks to good design, organization, and automation. Agile added a fairly large meeting overhead compared to what was already there. Throughout it looked like a 'ground and pound' where all that mattered was moving cards as fast as possible.
It's possible that the place I was at was just not good at it. Agile seemed like it was aimed mostly at getting rid of waterfall, and neither seemed to fit network engineering. Looking at another place using agile - everything about the place looks good except that; could be I just have agile PTSD. Anyone have positive agile accounts?
I understand that SNR MARGIN is the arithmetic difference between 1) actual line SNR 2) SNR required to synchronize
My provider has an option to lower from 12dB to 6dB
I’m wondering what the ISP really changes when it modifies the margin
If it is 1) or 2)
Any idea?
I am trying to document public facing websites and internal websites that we host on our network. Aside from the "Get-website" command in powershell, there does not appear to be a straightforward way of returning statically hosted URLs and subpages. This seems nuts! How to the web developer remember all their names?! It must be listed somewhere. I can check bindings to find the front page but as for further pages they are just a mystery?
Hi all,
I've got the following issue currently in a lab, but want to deploy at some stage.
Situation is this: Only one of the vPC peers has the interface with the default route, so when the other vPC member is the HSRP active, vPC members forwarding to the vPC peer that doesn't have the default route isn't able to forward traffic to the default route. I've tried to resolve this by using OSPF between the vPC peers and advertising the default route that way to no avail - layer 3 peer-gateway has been configured on the vpc domain.
Traffic forwards fine when the vPC peer with the default route is the HSRP active gateway.
Lab with topology and configuration: https://i.imgur.com/6fw5tdn.png
Any pointers/suggestions welcome.
Edit: I think I may have found the answer..
" Figure 60. Layer 3 and vPC Unsupported Designs: Peering Over a vPC Interconnection "
Suggestion is to create a separate layer 3 link for routing and not the vPC peer-link. I'll play around again later and post back.
A power strip with 2 input cables and a relay to 'fail-over' when the primary goes down, that's all I'm looking for. There is a Tripplite (PDUMH20AT) that we purchase, but I'm looking for a more of a $100 solution. Anyone find something that works?
Usage: grid on primary, secondary on battery system (which eventually catastrophically fails, or need maintenance, so the transfer switch is our passive, dumb device to reduce downtime. We deploy this at customer sites, not a data center.
Tried to figure it out, and understood for 2G and 3G (old releases) ,timing was required as the transport circuits where synchronous, like ATM, T1/E1 lines. But for 3G(R99), 4G the transport piece is all IP. Then why does the spec mandate for near nanosecond synchronization?
I've been doing some research, but I wanted to ask people here. If you are using it, what made you decide to look into it? What kind of problem does it solve?
Cisco has been trying really hard to sell it to me, which makes my hackles raise.
Just wondering what you use to manage Juniper switches from a central location.
For example to push configs out, push out updates, run reports, etc.
The number of switches I'm managing is increasing, and managing each one individually is getting difficult. Looking for some ideas to simplify it!
Thanks
The setup I am working with has a Arris XB6 Modem/Wireless Router which sadly only has two gigabit ethernet ports. There are several devices that benefit from having a wired connection to the router including a NAS that supports link aggregation (LACP) to provide maximum bandwidth for the clients to utilize.
Unfortunately it's not possible to wire the NAS directly to the XB6 as this would take up all the available ports so instead I installed a Netgear GS308T switch to put downstream of the router. This is a "smart" switch that supports link aggregation - both static and LACP.
I connected both ports of the XB6 to the GS308T and configured a static LAG for both corresponding ports on the GS308T with STP enabled which seemed to work pretty well. (I also created a LACP LAG on two ports for the NAS which worked flawlessly).
I thought all was well until I tested some of the other downstream wired devices and noticed that some weren't able to get DHCP addresses and others were complaining about duplicate addresses on the network. Does anyone have any idea why this might be happening? Is it simply a case that the XB6 doesn't play nice with Link Aggregation or is there perhaps something I can do to make this work?
It feels like I am close as some of the devices are working fine and the switch isn't detecting any loops so if anyone had any ideas that would be much appreciated. Thanks in advance!
Crude Network Diagram:
[Arris XB6 Modem/Wireless Router]==(Static LAG)==[Netgear GS308T]----[Wired Devices+NAS]
Ok gang, I don't usually need help, but this annoying situation has been gnawing at me off and on for a while now.
I'm confident one of you can nudge me in a good direction.
I ran this through TAC already, but let's just say communications issues interfered with our ability to find a complete solution.
I have four ASR1K WAN routers. Two per Data Center, times two data centers.
They all reach out to the interwebz for NTP.
Basic configuration looks like this:
ntp update-calendar clock calendar-valid clock timezone UTC 0 0 no clock summer-time ! ntp server A.A.A.A version 4 source loopback 123 ntp server B.B.B.B version 4 source loopback 123 ntp server C.C.C.C version 4 source loopback 123 ntp server D.D.D.D version 4 source loopback 123 ntp server E.E.E.E version 4 source loopback 123 ntp server F.F.F.F version 4 source loopback 123 ! ntp master 2 ! ntp panic update ! end Ok, so maybe six external sources is a tad excessive. Once upon a time (pun intended) we had a very bad experience with an NTP time warp. So, we're over-cautious, ok?
All of that works perfectly.
Each of my routers see all those sources and everything works perfectly at that level.
Each of my routers believes they are a Stratum-2 device, which is valid at least from an NTP topology perspective.
Here is the part that doesn't work the way I want it to work. (Probably because I'm doing something wrong)
What if I lost all of my internet connectivity?
I don't care that the total loss of internet connectivity is ridiculously far-fetched.
What if?
It feels to me like I should be able to use the ntp peer function to tell each router in the group about the other three, and they should be able to maintain an average time among themselves in the absence of a higher stratum source.
So I applied this configuration:
! ntp peer <Router-B> version 4 source loopback 123 ntp peer <Router-C> version 4 source loopback 123 ntp peer <Router-D> version 4 source loopback 123 ! end Some of my routers consider some of my other routers to be "insane", while some routers consider all 3 peers to be sane.
Am I mis-using the ntp peer feature? Should I just identify them as standard ntp servers instead of peers?
TAC was suggesting that the issue was with all 4 of my devices being configured as Stratum-2, but that didn't make sense to me.
In the NTP Hierarchy, they all have equally direct access to our upstream sources.
Thoughts? Suggestions? Kitty gifs?
I was wondering if the experience within a Security Device Management team in the big4 would allow someone to build the skills required for them to move later on into a Network Security engineer role. For example, working with firewalls, siems, proxies in terms of security changes for clients as well as patching/upgrades/basic troubleshooting from what I heard. I am currently in this role now with a big4 and I already have two year experience as a network engineer and I can gain certificates while working in the current role but I want to see if such path and experience could be adding to what I have to reach the network security engineering roles. Thanks a lot.
I'm trying to see if I can get some clarification/sanity check on the process to upgrade an FMC and the SFR modules in both a 5525x and 5506x. I have a TAC case open for the issue which is pushing us to upgrade, but TAC is not exactly helpful in explaining the process and I'm new to both ASAs and FMCs. The Cisco doc at https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/firepower-fmc.html doesn't help much either as it only covers the FMC. I found https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html#id_59002 but that seems to cover the ASA and not the SFR.
Systems are:
FMC: 6.2.3.2-46 (virtual appliance)
5525X: 9.6(3)20
5506X: 9.9(2)
Target: 6.4.0.4-34 (current gold star)
Per TAC, the 5506X cannot be upgraded past 6.2.3, so they would be coming up to the highest interim release in that train. Presently that is 6.2.3.15. The FMC is managing the 5525x and two 5506x units, at 3 separate locations (FMC and 5525 at HQ, 5506s are at branch sites).
TAC has told me to start with upgrading the FMC. I was also told that I shouldn't need to touch the ASA code as it's over 9.6. My current understanding is that in the FMC I browse to system>updates and upload the file that I'll pull from Cisco's web site, followed by install and reboot. Great. Now, once I upgrade the FMC, how do I upgrade the SFR modules in the 3 firewalls? How do I keep two firewalls on 6.2.3 while bringing the 5525 up to 6.4?
Any help and/or bourbon donations are appreciated.
I spent WAY TOO MUCH time with MSPs. I am back in enterprise and it is literally a quality of life improvement. No more worrying about KPIs and customer sat bullshit. I work on network problems, not people problems. No more being overworked and understaffed. No more trying to figure out how to cover for lying sales people that over promise and HR/Ops Managers that under deliver. I spend the day calmly addressing or investigating network problems. No one is screaming about SLAs.
It's glorious. Living the MSP life was killing me. Literally. I am so very thankful that I found this role.
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts
Feel free to submit your blog post and as well a nice description to this thread.
Hi guys,
I have two transit routers. Ibgp between them and they each have ebgp with their own ISP.
My concern is that I don't see my null routes for my advertised networks in the rib on one of my transits. Instead one the transit routing table shows routes from the Ibgp peer.
Transit1#show ip bgp neighbors a.a.a.a advertised-routes BGP table version is 612755750, local router ID is 192.168.0.2 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> x.x.x.0/20 0.0.0.0 0 32768 i *> y.y.y.0/22 0.0.0.0 0 32768 i *> z.z.z.0/22 0.0.0.0 0 32768 i *> w.w.w.0/21 0.0.0.0 0 32768 i ip route x.x.x.0 255.255.240.0 Null0 250 ip route y.y.y.0 255.255.252.0 Null0 250 ip route z.z.z.0 255.255.252.0 Null0 250 ip route w.w.w.0 255.255.248.0 Null0 250 transit1#sh ip route y.y.y.0 Routing entry for y.y.y.0/22, supernet Known via "static", distance 250, metric 0 (connected) Advertised by bgp VVVV Routing Descriptor Blocks: * directly connected, via Null0 Route metric is 0, traffic share count is 1 This looks proper. However on my second Transit:
transit2#sh ip bgp neighbors b.b.b.b advertised-routes BGP table version is 61131389, local router ID is 192.168.0.3 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> x.x.x.0/20 0.0.0.0 0 32768 i *>iy.y.y.0/22 192.168.0.2 0 100 0 i *>iz.z.z.0/22 192.168.0.2 0 100 0 i *>iw.w.w.0/21 192.168.0.2 0 100 0 i ip route x.x.x.0 255.255.240.0 Null0 250 ip route y.y.y.0 255.255.252.0 Null0 250 ip route z.z.z.0 255.255.252.0 Null0 250 ip route w.w.w.0 255.255.248.0 Null0 250 transit2#sh ip route y.y.y.0 Routing entry for y.y.y.0/22, supernet Known via "bgp VVVV", distance 200, metric 0, type internal Advertised by bgp VVVV (self originated) Last update from 192.168.0.2 04:15:04 ago Routing Descriptor Blocks: * 192.168.0.2, from 192.168.0.2, 04:15:04 ago Route metric is 0, traffic share count is 1 AS Hops 0 MPLS label: none Does this look okay? As long as I have the routes in my rib, it doesn't matter if it's from my null routes, or from an ibgp peer?
As someone just starting to look at learning networking for real, do you think it's worth buying some (most likely pre-owned ) hardware to mess around with? If so what?
We have lot's of branches all around the country, and some larger campuses. Currently we're trying to document everything in Visio files, but it's getting really difficult. For example where to end one Visio diagram and strat with another. Should we draw the core routers, or just put in a cloud. Or how should we split the campus in different Visio files. Also everyone has a bit different "handwriting" when they are doing the graphs. Adding management IPs to the diagram either requires us to use graph attributes or add text fields, and searching for something from hundred Visio files is quite hard. Also if we have a DC diagram that has link to other city's DC, which files are the ones we should draw the fiber link to...
This is why we're looking for another solution to draw the diagrams. Something that doesn't require the Visio client to be installed on every laptop, as quite often techs write the cable routes on a paper and then try to remember to add those to Visio files when they're back at the office, often times forgetting that.
So I've looked at NetTerrain, which seems like a proper tool to do this. Web GUI, eveyrone can access that and all the diagrams are in different levels and everything in one central system.
Just wondering what would be the alternatives? Is there something else we should look in to? We're not really that interested in where the actual fibers go, as we just rent the fibers from ISPs. We just need to know that there is a fiber connection from this panel to the building 20 miles apart.
Thanks!
Hi all,
I'm trying to replace some old and just plain not good switches in our DC. Currently we have 2 Cisco Small Business SG500x switches that down link to a pair of HP Procurve 6120XG Blade switches via LC to LC transceivers. We are replacing the SG500x with 2 Aruba 8320 48p Base-T 6p QSFP+ (JL581A). I need to keep at least 10Gb connectivity to the blade switches until we completely migrate off the blade system.
I'm trying to figure out how I can accomplish this. I don't seem to be able to use a breakout cable on the 8320 - at least I've not found any command reference to it in any AOS-CX documentation, and I can't find any supported part numbers in the quickspecs.
Similarly, I can't find any Base-T transceivers for either the 6120XG or SG500X. Ideally I'd like to remove the SG500 and connect the 8320 directly to the 6120, but if needed I can keep the SG500s until we are off the blades.
My question is if anyone has a direct way of connecting the 8320 to the 6120. I'm wondering if I can use a LC QSFP+ transceiver on the 8320 and it negotiate to 10Gbps? Is this possible with the 8320?
Any help would be awesome, thanks!
I'm part of team designing a portal to be used by enterprise companies who use our SD-WAN service. We intend the portal to be used lightly by executives and more heavily by network engineers, network admins, and so on. My question to this community (who I already get so much helpful info from!) is hypothetically what types of problems are you looking to solve when you log into a portal like this?
What information on a dashboard would allow you to most easily and efficiently accomplish your goals?
If you had a magic wand, what would an online portal for your SD-WAN solution allow you to do?
How would these answers differ if you are an executive?
ANY input on this would be incredibly useful! Thank you so much!
Hi All.
Not an experienced network admin here, but my company doesnt have one.
I've been vlanning, and created a MGMT VLAN 100.
I could access this VLAN from all my other switches and everything seemed good.
I noticed in the webui that it shows a primary vlan but no management vlan.
So, I ran the (config) management-vlan 100 command, and have now lost access via webui and ssh to the switch (have not yet consoled in)
Why would this be? What'd I do wrong here? I can no longer ping this switchs MGMT IP, though all other traffic seems to be okay, still.
Edit: I've also seemingly lost access to the mgmt IP of all my other switches as well - even the one Im direct connected to?
Hey all,
My wife runs her own food blog which we have hosted with a hosting company. My wife recently came up with the idea maybe we could not only host her website but others to so we run a small hosting service, it got me thinking I could rent some servers install whatever services are needed so wordpress or FTP whatever's required and charge a fee for the service. I think renting would be the way to go briefly thought about doing my own servers but the up keep, electrical cost and all the other millions of things iv not even thought of would costs so much.
iv been mulling it over for the last day or so and think it would be achievable assuming I keep expenses to a minimum and do alot of the config myself and start off small.
i`ll admit I dont have a huge amount of experience in hosting but I have worked in IT for 20 years and have managed to install a few Wordpress servers without issue.
I wanted to get others thoughts and if there are area's I should take into consideration
Hi,
In which way the Bandwidth Command issued in the Interface Context of an e.g. Cisco Switch or Router is Influencing the initial TCP retransmission values?
This is only taking place for Connections with the Interface itself as source or Destination, correct? The device is not actively applying any actions in the communication flow of two communicating hosts!?
Hello there!
My first Reddit post comes at a time of much head scratching. Currently we are working on a project which requires each of our virtual machines to have a different IP(ten total). We have several data sims running in USB modems plugged into multiple TP-Link MR3020 which are then connected to a switch. On the vms which run Windows10 we specify the IP of the router/sim we wish to use and that all works fine.
THE PROBLEM
We want to have more internet connections but also want to avoid the cumbersome hardware which will come with it. I have been searching for a solutions and would like something like this. However we already have something similar and it requires 3rd party software and a whole lot of configuring and thats just to use VOIP. Ideally we want each sim in the modem to have its own ip so we can just specify the gateway for vm pointing them to a different sim each time.
THE QUESTION(S)
Does this product exist out there and if so can you point me to it?
If the product does not exist can somebody make one for me or point me in the direction of someone who can? (I will pay you good money not the bad stuff...)
Hi,
just wanted to ask you guys about the audible "-a" ping switch.
On linux when you "ping -a 1.1.1.1" you get a "beep" at every successful ping.
So I probably get messaged by a recruiter on LinkedIn maybe once a week, in fact I got my current job from a recruiter who got me an interview at a very large company.
My issue is this, other then what is on the job requirements form the recruiter obtains from the company they don't really understand what a Network engineer does on a day to day basis. Does anyone have similar experiences with recruiters? Like how is their job not automated yet?
Hi all,
I have a Catalyst 3850-48XS that I need to land two fiber circuits into which run to remote facilities. I have my 3850 configured for 9000 MTU because I have some storage servers connected to this switch.
The two remote switches (on the other end of the fiber circuits) are 1500 MTU standard switches.
We plan on setting up two “transport” VLANs / SVIs and connecting my switch with the remote switches that way. (L3 trunks)
At no time should any client machine on my side send a jumbo frame toward the remote switches.
Am I going to have problems due to the mismatch? Or is going to fine since as long as traffic on my side is sent from hosts at 1500 MTU it will traverse the L3 fiber circuits fine.
Should I configure the SVI for 1500 MTU?
Thanks so much!
Hi guys,
I'm have been working for a small IT company as a Network engineer in the UK since January. They get network projects as a third party from AT&T etc to Rack, Stack, patch and upload configurations and so on.
We are currently working on a project that requires me to visit the customer sites with the PM to oversee the implementation of the network.
The customer has several sites throughout Europe, USA and Southeast Asia and I really enjoy the travelling side of the role. Unfortunately, Since January I was only given 3 Network jobs to do before this project. The rest of the time was spend as a travelling IT support engineer.
Once this Project will finish, I'm afraid that I will go back to doing mainly IT support, which I loathe, until a new network project comes along, which are few and far in between.
I guess my question begins by asking if there are any network deployment engineers here? Is the role name accurate? How high up do you have to be to do this kind of role? I found 1 or two roles on sites like glassdoor/Jobsite/indeed but the pay is significantly lower than what I'm getting paid currently. Also my preference is southeast Asia or Africa, so i'd like to hear if there are any engineers that get to travel to that area.
Any info is appreciated no matter how small.
Sorry to ramble this much.
Thanks
In Wireshark I use "tcp.port == 3389 || ip.addr == x.x.x.x"
Is there a better filter to use to see if anything takes longer than it should?
Hi All,
Not a networking guy but in the office on my own and not getting anywhere with support so thought I'd ask here.
I'm getting pretty poor speeds across an IPSec VPN between Meraki and Palo Alto and I have no idea what the bottleneck might be.
I dont think it's CPU or WAN link bandwidth saturation. I've tried when both offices are empty and getting same speeds (and no replication on going etc).
I'm getting through put from Meraki -> Palo Alto around 355KBps and Palo Alto -> Meraki around 10Mbps
If I connect to either site not using VPN, for example downloading in browser I'm getting much faster speeds so
For IKE I'm using 3DES (although tried with AES 256 and AES 128), SHA1 and DH2
and for IPSec I'm using 3DES (Again tried with AES 256 and AES 128) and SHA1 and no PFS.
There is no QoS on the meraki to limit anything. There is some QoS on the Palo Alto concerning VoIP traffic but its controlled by destination IP and I dont see anything else that could be causing it.
I know its a long shot but if anyone had an idea or theory I'd really appreciate it.
Normally.. my google-fu would help me out but im struggeling at bit here.
Im trying to understand the process and steps needed to go from a non-802.1x port to having the accesspoints connect to an 802.1 enabled port while using EAP-TLS/certificate authentication.
Theres is a windows pki backend, cisco ise for posture check of clients and then obviously the wlc and accesspoints.
Dear Fellows,
I would like to create a local game-streaming setup for 50 users spread across 300 meters range, streaming at 1080p 30hz, 30mbits/ps video quality, i know the setup and how to get it up and running ( suggestions are gladly welcomed ) but i really dont know which devices i am going to use to be able to achieve lowest latency 150ms to 200ms is at most. in wireless environment.
my investment is 8000$.
Thanks,
Hello,
I am thinking about layer 2 encryption (macsec) between a PC and switch using Cisco anyconnect software. I don't want ISE involved and I don't have an ASA. I simply want the traffic between my switch and PC encrypted to prevent snooping on cat5 cable that I don't have eyes on 24/7. My switch and PC are about 100 feet apart. Is this possible? Anyconnect software seems to have macsec but I don't know how to get a key prompt or anything.
Thanks in advance.
Is it common or uncommon to see the Access Point management IP address do 24 ARP request for the gateway in 1 minute? I have a Ruckus R610 that is doing this when I do a packet trace on the management IP address from my VLAN interface on the router. I run two Ruckus AP in my homelab. The R610 is hardwired to the switch and the R510 is mesh to it. Any Ruckus experts seen this behavior and know why it does it. The meshed R510 only does an arp request for the gateway once every 30 seconds. I don't have the proxy arp turned on and I only have about 7 devices connected to it. Thanks for the help!
Trying to understand what went wrong. We were trying to advertise a summarized route to our wan. The site has several subnets in the 10.10.0.0 space. For ex. 10.10.0.0/24, 10.10.1.0/24, 10.10.2.0/24, 10.10.3.0/24.
No other location had any subnet in the 10.10.0.0/16 range.
For this reason I said that we could eliminate all these advertisements and replace it with one 10.10.0.0/16 summary route.
So we put in the network statement in bgp for the /16 route, but it wouldn’t advertise. That’s when I remembered that you need a matching route in your rib or it won’t advertise.
So I entered this command at the wan edge router.
ip route 10.10.0.0 255.255.0.0 null0 As soon as I hit enter, I immediately lost connection to the router, and our LAN went down. Phone also started blowing up that remote sites were all down.
I could not ping a neighboring local subnet. It was even on the same switch as me with intervlan routing. I even did show ip route to said subnet and it showed directly connected /24 subnet, so that /16 wasn’t the best path.
We rushed to the wan Router and I consoled in with locals, tacacs wasn’t reachable even though that was all on a separate vrf.
I no’ed out the null0 route, and that fixed everything.
I am just flabbergasted on what could have happened. This was my first week on the job too and I’m worried big time. The senior engineer let me do it without change management because he agreed it shouldn’t cause any impact. He was just as surprised as me. Help!
I'm the defacto IT guy for a construction company and we are upgrading to a brand new office.
The owners gave me free reign to design the entire IT infrastructure for the new building. I researched everything exhaustively, designed the server room, bought all the equipment, picked out the subcontractors, everything. It's been fun for a geek like me.
But I've never messed with a network as complex as this one will be, and as a jack-of-all trades IT guy, networking is not my strongest area. Nevertheless I did my best and made up a network diagram of my plan.
I then crowdsourced it to the Spiceworks community asking for advice/critiques. In the past they've been a good resource for me, and indeed this time I got what appeared to be really good advice from networking experts. They critiqued my initial plans and convinced me that I was "over-VLANing". After many revisions they helped me evolve my network plans to this. From 7 VLANs to 4.
But the introduction of an L3 switch for inter-VLAN routing and changing the gateway to something other than the firewall were both fairly intimidating to me, so I hired a consultant to review my plans and assist with implementation if the need arose. He took one look at my plans and basically said "Wow.....ok..... that's not how I would do it but I'll implement it however you want." With a very "Your funeral." tone.
So I ask him how he would do it, and he tells me IP phones, management interfaces, printers, basically everything should get it's own VLAN.
*sigh*
So I hire a DIFFERENT consultant, from a different company, hoping he will either agree with the last guy, or agree with the Spiceworks community. Neither. He recommends a flat network with no VLANs for a company our size (about 40 office employees and a dozen remote).
*half sigh half sob*
I'm completely lost. I feel like a religious person that's lost their faith. I have no idea who to believe and I'm doubting everything I think I know.
I understand this stuff can be as much an art as a science, but REALLY?! Is there really no right or wrong way to do this? Why can't I find anything resembling a consensus from you networking gurus!?
Here is the latest revision of my network diagram. I'd really appreciate any input, because at this point I feel like I know less than when I started.
I want to code my own reduced version of TCP, IP and Ethernet protocols, but I can't find any *good* material online to help me. I bumped into TCP/IP Illustrated from Richard Stevens as well as this GitHub repo (which at first seemed perfect but ended up being not very well documented).
I've seem similar questions and people tend to answer that one should first study the protocol and then implement it. What I'm trying to do is make the learning a little lighter by inserting practical coding alongside it. Problem is, even if one knows what goes on in, say, IP, implementing it means understanding and knowing your way around kernel-level stuff.
Are there any books/tutorials whose sole purpose is to guide you through the process of coding you own protocol stack?
Thanks in advance :)
I know its weird question but I am curious if it is possible to export ios image of Cisco switch and use it in GNS3 or eve-ng
We've built our own MPLS network on top of ISPs L2 connections:
https://i.snipboard.io/MjhKfI.jpg
All the branch/HQ routers do L3VPNs, and we have VRF at the branch sites for each use cases. One for standard workstations, one for printers, one for APs, one for HVAC, one for some kinds of medical devices, one for other kinds etc etc.
Currently it's sort of easy to limit traffic between the different segments as we just create a VRF and then do the same on the DCs end and terminate it to the HQ FW cluster.
While it works OK, there's not that much load balancing at the branch (we usually get 2x 100-1000Mbps MPLS + LTE to each site). Also visibility to the traffic is quite minimal on the branch end and we really don't know how the clients are there.
That's why I'm thinking about these SD-WAN solutions, mainly FortiGates as we've used them and using "SD-WAN" is not an extra cost. Maybe in the smaller places even use their switches and APs... Aruba could be another option, but if I remember correctly you can't use the same controller device as a SD-WAN gateway and WLAN controller, so we would need two devices. Or 4 for HA.
What I'm wondering is how you would do the VRF thing, or is it 90's calling back and today we should do the segmentation in completely different way :) ?
Or any thoughts at all about the setup or the SD-WAN idea? Thanks!
We're looking for a NAC for a division within the company, I've used Aruba ClearPass many times before, what else should we look at? Juniper switches, but not that it really matters, most of it is vendor neutral.
I've looked at Packet fence as well, it seems many go that way anymore and I saw indeed did and made a video https://www.youtube.com/watch?v=e7wRTtFH_ao. However, I'm not sure the costs savings are worth the time to get it setup vs a commercial product.
Hi all,
As far as my understanding goes, technology has advanced so much that network devices can push frames with bigger than a 1500-byte MTU. However, the norm is still stuck at the "default" of 1500.
My question is: If I change all my switching MTU to 9000 internally and leave the internet edges doing fragmentation, will that increase performance? In other words, is there any reason why the default MTU is not 9000 by default in the 21st century?
Hi, I was wondering if anyone stumbled across this before. I am trying to update the release on an ASR907, I can copy the image just fine on the active RSP bootflash but, when I try to copy it on the standby, I get an error that there's not enough space free.
Directory of stby-bootflash:/ 11 drwx 16384 Sep 5 2017 18:56:15 +02:00 lost+found 245281 drwx 4096 Nov 5 2019 11:20:13 +01:00 .prst_sync 654081 drwx 26537984 Nov 6 2019 11:57:53 +01:00 tracelogs 12 -rwx 1193 Sep 5 2017 18:57:17 +02:00 tracelogs.759 457857 drwx 4096 Sep 5 2017 19:06:38 +02:00 core 277985 drwx 4096 Sep 5 2017 19:07:45 +02:00 .rollback_timer 621377 drwx 4096 Dec 7 2017 12:01:58 +01:00 .installer 13 -rw- 18681 Dec 7 2017 11:45:11 +01:00 SYSMEM20171207.dat 14 -rwx 145860 Dec 7 2017 11:46:39 +01:00 smartdebug.tcl 261633 drwx 4096 Sep 5 2017 20:21:00 +02:00 Image 15 -rw- 484870554 Dec 7 2017 10:38:54 +01:00 asr900rsp3-universalk9_npe.16.06.02.SPA.bin 16 -rw- 26 Nov 5 2019 11:27:39 +01:00 check_fmc 17 -rw- 95 Feb 13 2019 14:44:53 +01:00 cpak_up.tcl 6185086976 bytes total (0 bytes free) So that should be around 500ish megs occupied out of 6gb total space but as you can see, it says there's no free space. Has anyone ever experienced this?
I've been playing with Proxmox server for the first time and I'm close but missing something. After screwing with it all day I'm sure I'm missing something simple. I can ping the Guest OS from WAN. Guest OS can ping out. DNS works fine etc. but I am unable to wget or apt update as the connection fails.
I've gone as far as disabling all firewalls but nothing has changed. Any ideas? Routing tables etc. are below.
On the Guest OS (debian buster)
root@UBNT:~# ip route default via 94.130.50.129 dev eth0 onlink 94.130.50.128/26 dev eth0 proto kernel scope link src 94.130.50.136 /etc/network/interfaces:
auto lo iface lo inet loopback auto eth0 iface eth0 inet static address 94.130.50.136 netmask 255.255.255.255 gateway 94.130.50.129 # netmask 255.255.255.192 pointtopoint 94.130.50.129 On the Proxmox host:
#route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 94.130.50.129 0.0.0.0 UG 0 0 0 vmbr0 10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 vmbr1 94.130.50.128 94.130.50.129 255.255.255.192 UG 0 0 0 vmbr0 94.130.50.128 0.0.0.0 255.255.255.192 U 0 0 0 vmbr0 /etc/network/interfaces:
### Hetzner Online GmbH installimage source /etc/network/interfaces.d/* auto lo iface lo inet loopback #iface lo inet6 loopback auto enp0s31f6 iface enp0s31f6 inet manual auto vmbr0 iface vmbr0 inet static address 94.130.50.153 netmask 255.255.255.192 gateway 94.130.50.129 pointtopoint 94.130.50.129 broadcast 94.130.50.191 bridge_ports enp0s31f6 bridge_stp off bridge_fd 0 # route 94.130.50.128/26 via 94.130.50.129 up route add -net 94.130.50.128 netmask 255.255.255.192 gw 94.130.50.129 dev vmbr0 auto vmbr1 iface vmbr1 inet static address 10.10.10.1 netmask 255.255.255.0 bridge_ports none bridge_stp off bridge_fd 0 post-up echo 1 > /proc/sys/net/ipv4/ip_forward post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE # iface enp0s31f6 inet6 manual # address 2a01:4f8:10b:2823::2 # netmask 64 # gateway fe80::1 *Sorry some of this is a bit messy I've been trying things left n right.
I understand the concept of a MITM attack where someone connects to a free WiFi and logs into something via http protocol for example, whilst someone else is capturing the data, and the attacker can get your password using a software like wireshark.
But can this happen over mobile data, or is using mobile data as in 4g much more secure in terms of confidentiality.
I spent the better part trying to copy some files from Cisco ASA. Because it's a corporate laptop, for some reason I couldn't make the TFTP/FTP server (3CDaemon) work on my laptop.
I don't have a linux server at my disposal. Managed to find a windows server with 3cdaemon - tftp worked for smaller files, did not work for large files(timed out)
Couldn't get FTP transfer to work (permission denied)
I ended up using ASDM to transfer file between the ASA and my PC.
Just wondering, how do you people get the files? Is there something native in windows that we can use to copy file from the ASA directly? A python script/function just for retrieving files? Some Powershell magic ?
I feel there might be something very simple I might be overlooking.
Ok i have a question.
I want to have a WiFi network wich can handel 50 users at the same time. Its 1 floor of around 150 m2 with a few rooms. Its not all the time that 50 users use it at the same time but if i would like that WiFi still works. What router can handel that? Or do i need access points for that. What would be a setup that work for a budget under 200 euro's?
Gr.
Hi there,
What do you implement for companies which run everything in the cloud, SharePoint / SaaS based?
Today our enterprise internet provider reported their major outage incident (all their Sydney services it appeared) was due to “a large amount of broadcast traffic received by a border router”. As usual, we approach these incidents with a series of follow-up questions about risk management to the vendor. Is anyone able to succinctly explain how, conceptually, broadcast traffic would be received by a [border] router and then why that would cause intermittent and extended outages? Essentially: how does broadcast traffic bring down a router?
Wondering if this is a good way to create a ring backbone between 6 buildings all fibres eventually returning to the core. I'd like to pull 2x12 fibre MTP trunks between the buildings. As we only need 1trunk currently the other is for possible growth I'd breakout at each point using 2x6 duplex LC cartridges, one for incoming and the other outgoing. Each building only needs a single LC pair with one going from the incoming cart to a switch and another pair from the switch to the outgoing cartridge. The remaining 5 pair would be patched from the incoming to the outgoing cartridge to eventually complete the ring. The spare trunk has no need to be terminated yet so can we just join this trunk with the outgoing trunk. Problems or comments are welcome...be nice I'm new at this.
Edit; fibre is OS2 single mode. Runs are max 200 meter between buildings. Switches are Aruba 2930f 48/24. Core is stacked 2x Aruba 3810m.
I've read that p2p Cisco cellular GRE connections cannot be setup if a carrier provides a Cellular interface with a private address meanwhile the other end of the connection is a public address. Has anyone overcome this somehow?
Two circuits (mpls/internet or internet/internet). Over each path is built an IPsec tunnel to the backbone of a managed services provider.
Customers want to do performance-aware application-based local breakout.
So have apps either break out locally from the CPE, or go over one of the tunnels to the MSP backbone and exit to the internet there. So for example, send Youtube over whatever the best performing path is - over IPsec1, IPsec2, or Local Breakout.
Problem is that internet-bound traffic will have a different public IP depending over which path it is going - from server perspective.
From first packet, you have to identify the flow as belonging to a specific application - to avoid the possibility of it getting identified say on the 10th packet, have it's path and public IP changed, breaking the session.
I've seen some vendors do some kind of DNS Snooping to do first packet DPI. Others subscribe to some kind of service that helps build a list.
What have you all found to be the best vendor offering this?
Also, for the performance aspect - are there any solutions that inspect performance based on data plane metrics - similar to Cisco's AVC feature - where it calculates deltas between stages of the 3-way handshake and server sending data and client ACK'ing?
Thanks in advance!
Hi, I want to set up a lab basically mimics the public internet from browser to web server and back. So far my equipment list includes: Client, router, modem, dns server, switch, router2 and web server. Can you think of anything else I might need?
I have a stack of 5 Dell Power Connect 3548 switches that are fully utilized but need more available ports. I have additional 3548's on hand not being used. What's my best option for adding one of my standalone switches to the stack? Would it be simpler for me to set the stack ID to 6 and add it to the stack or could I utilize one port of the existing stack, set proper VLAN tagging and daisy chain to the extra switch as a standalone? Networking isn't a strong point of mine and the ins and outside of managed switches even less so therefore any help would be greatly appreciated
Using an internet VRF and would like to leak the default route into the global table. Using EIGRP as my IGP and *not* peering with the ISP. Using a static route in the vrf. How can I accomplish this? My BGP knowledge isn't the sharpest. Cisco docs say how to configure the vrf and RDs but not how to actually get it into BGP.
Basically thinking about creating scripts that analyze configs, logs, and statuses to determine possible issues. For example...finding port number of an undocumented AP in the network. Any more ideas?
Hi i am having issues with connectivity to the internet with my virtual network here is a little network diagram of my virtual network.
So the core router is running VyOS and the domain controller is windows server 2016, i want the windows server to have internet access by going through the core router, then going up to the firewall which is PfSense.
I can ping the Domain controller from Pfsense, but i cannot ping Pfsense from my domain controller.
I can access the web GUI from the domain controller, but still no internet access.
Pfsense can also ping out into the internet (ex. Google.com). I'm not sure what i did wrong here i could use some help
Thank you
Title pretty much states my question, how does OSPF interpret seeing routes learned from different Area 0's within the same AS that is split up logically by other area's in between. I would imagine OSPF would think there is a routing loop, correct?
Our wanted Area 0 is going to see the cost to get the other source that is advertising area 0 routes as high seeing as how it is geographically disperse from it. Will that impact any routing logic?
Area 0 (New York) - Area 1 - Area 0 (Boston [Intended Area 0])
Pardon me if this is a stupid question.
Have never used LLDP and looking at enabling it for networks running Cisco and Ubiquiti, as well as VOIP phones, etc, in school settings for 14 locations. The idea is to use LLDP to allow us to more easily identify traffic on the subnets. Read a bunch about it on Cisco's website, but still kind of hazy. Anyone with some experience with it know if this is a useful tool to identify and segregate traffic?
I have an opportunity to get involved in a municipal broadband project in a management (non-technical) role. The physical infrastructure is all owned by the local government and the fiber backhaul terminates at a local POP where there's a lot providers to choose from. I have enough experience to ballpark a lot of the operational expenses but have never done capacity planning or negotiated a bandwidth contract.
There's approximately 1,000 subscribers, evenly split between 25/25mb, 100/100mb, and 1000/1000mb service plans. They're almost all single family residences (no dorms, businesses, etc). Would anyone be able to estimate what might be the total bandwidth requirements? And what would be a typical monthly costs? Thanks!
It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.
There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!
I am looking for any comments related to the Dell EMC S4112T. I am considering get two of these for a new server project.
I don't know BGP well and I've inherited this network recently. I am learning via online courses as much as possible, but this change is being required of me before I am capable/fully "trained."
My goal is to start pushing more traffic to my newly upgraded 10Gb ISP-BRAVO connection, but I don't know the way to do this yet. I could really use some help! If additional information is required, please let me know and I'll update or provide answers as requested. I've posted "sanitized" BGP/Zebra configs from each router below (linked to pastebin - is that OK on this subreddit?).
Current design:
2 dell servers running Quagga as external routers with 3-ish ISP's connected between them. Router 1(RTR1) has a 2Gb ISP circuit connected directly from ISP-Alpha over a 10Gb fiber interface. Router 2(RTR2) has two ISP's connected to it: ISP-Bravo serving us a 10Gb connection over a fiber interface and ISP-Comcastic serving us a limited-use 2Gb connection over a fiber interface.
Additionally, the routers have a single 10Gb HA/cross-over connection directly connecting each other and each also has a single 10Gb connections to an "inward-facing" HPE/Aruba 2920 switch.
The HPE/Aruba 2920 switch has 2 additional 10Gb connections that each run to separate Sophos XG550 firewalls that are configured in an HA pair.
The firewalls have four additional connections that plug into our core router/switch (2 connections from each Sophos firewall; 1 for primary user network and 1 for guest user network) and an HA link (10Gb) between them.
ISP-Comcastic is designed to only be advertised for traffic destined for Comcast services, specifically IPTV.
RTR1 bgpd.conf and zebra.conf: https://pastebin.com/gWqjdXg9
RTR2 bgpd.conf and zebra.conf: https://pastebin.com/0rfZis73
TL;DR: Based on the linked configurations, how do I force more of my users' network traffic to my newly upgraded 10Gb circuit? What would this change or new configuration look like if BGP is the way to do this?
Sorry for such a long post - I hope this is allowable and I truly hope one or more of you can assist!
Ubiquiti is changing a lot lately. Some as seen in another post here not everything to the better. More of a miss-miss lately...
Still they announced quite a lot of new products that can be considered interesting.
New Products include, but are not limited to
Also there is some strong hints (even pictures but no specs) of a 4 Bay NVR or even NAS device.
Source: Youtube of joojo_online https://www.youtube.com/channel/UCFKkxwzaL0QjsymQfZBcpbw
Is it safe to assume that too many AP's is just as bad as too few? For a couple thousand foot office space, how many would you use? There are several walls, so my though is two; on opposite sides of the space.
At our six branches, we currently utilize a local internet provider for external internet traffic while sending all internal traffic back to headquarters over a MPLS connection. What I'm looking to do is configure failover for when the internet provider is down.
Currently in each 2901, I have a default router configured: ip route 0.0.0.0 0.0.0.0 10.132.12.2 to point internet traffic to the firewall. I also have advertised a default route via BGP at our headquarters site. This only shows up on the branch routers if I remove the local static default route.
What I'd like to do is configure SLA monitoring so if the local internet connection goes down, it removes the default route and fails back to the route obtained via bgp. When the local internet comes back up, it adds the route back.
What's the best way to accomplish this? Thanks in advance. I'm more of a server guy so this is foreign to me.
Edit.. Seems we don't have the required license to even do IP SLA.
Hoping someone knows the answer to this, as I'm struggling with my google-fu.
Currently testing IPSec deployment using certificate based authentication with SCEP. Enrolling the cert with SCEP works fine and IKEv2 authentication is working with the certs.
The issue I am having is, if I revoke a certificate and the firewalls updates the CRL it knows the remote peer certificate is now invalid. But, what I have observed is the tunnels still remain up, my thinking was the tunnels should go down.
It's when I do a reset of the ipsec tunnel (clearing the SA), the IKE authentication then fails because it sees the remote cert is in the CRL.
I'm testing on Huawei USGs, but even checking cisco and juniper docs it doesn't give me any clues if the tunnels should go down dynamically.
I'm looking to start a discussion on here on what method(s) you would use to capture data from a device that MUST link at 1Gbps.
This would include what software and/or hardware you are using to do this.
My guess is this will be VERY situational, as in "Where are you trying to capture the data?" So I'll give a basic situation here that I'm looking for advice on capturing:
Currently I am using a Netgear DS104 Hub with my computer running Wireshark, but the limitations of the Netgear hubs are 10/100 only from what I could find. The 2 devices in question are also on the hub. This situation is working great to capture at 100Mbps.
My situation now requires that I connect the device at 1Gbps and capture traffic from that, but I just can't seem to find any hubs out there running at 1Gbps that are for sale.
What do you all use in this situation? A cheap smart switch with port mirroring? Do you trust you are getting absolutely everything with port mirroring? Do you know of where to obtain a 1Gbps hub? Or do you use a completely different method here? I'd love to hear!
Thank you in advanced for any help here!
I have the opportunity to specify these Airwall+Conductor devices for a new project. I like the shiny lights and slick sales presentations, I've met the people at a meet and greet, and they are quick to answer my technical questions. I would like to know if anyone has used them for themselves or their customers and what the experience has been like. Thanks!
I recently got a Swann NVR. The cameras that are connected directly work fine. The issue is that there are a couple cameras that are connected to a network switch that are connected to a router which is connected to the router that the NVR is connected to. Pretty much the NVR is not seeing the cameras connected to this other router. When I go to manually add a camera via the manual add option using the cameras IP (which I can see by physically walking over to the other router, connecting through wifi and using Fing,) it acts like its not there. When I type the cameras IP address on my computer I dont see it either. It seems anything connected on the router my NVR and Main PC is connected to is not seeing anything on the other router.
Hello Reddit folks, in one o my University courses were dealing with diffserv and DSCP, today the teacher was talking about how the network card in your machine reads the fields of DSCP y IP headers using Wireshark to view...
At that moment and idea come to me, get the network card driver of my raspberry pi modify the source code for the DSCP or diffserv fields, and reload the driver into the Kernel, and for example mark all mi trafic with EF QoS (only for learning purposes) and show it in the class.
I have some knowledge in C, Linux, Networking but I need a starting point.
What should I do, where to start?
Thanks
So,
I'm currently developing a indoor location based system based on wifi packets.
I have 4 Raspberry PIs on strategic points of my building working as wireless monitoring stations, the PIs capture 802.11 packets and store the relevant data (Origin MAC, Destination MAC, rssi and a timestamp) on a local storage.
The system appears to be working fine, but I'm collecting WAY to much unique Origin MAC addresses. Over the course of 1 month I've captured over 60k unique MACs (which is almost half of my city's population) and i have no idea how that can even be possible. Do you guys have any idea of what can be causing this?
Thanks in advance!
I have CCNP, but am managing Fortigate 80D at the moment :) and some classic Cisco ASA experience. Can anyone advise me on functional differences among Cisco Firepower, Palo Alto and Fortigate? My understanding of NGFirewall is classic firewall + SDN (SD-WAN) + Web/DNS filter + IPS, that are included in Fortigate. any other important functions that I missed?
If you have any questions, please let me know.
When you boot the VM for the first time and login as root, it runs a script that allows you to set a few parameters.
Where is this script stored so I can run it again on-demand?
Thanks
Currently some of our network closets have 3-4 48 port switches in non-stacking configurations which makes it frustrating to locate specific devices since you have to go from switch to switch. We have the opportunity to upgrade our switches this year and I’m looking for some input on whether stacking or chassis switches have any benefits over the other. Is there any reason you prefer one over the other?
Specifically I’m looking at Cisco 9400s or 9300s, and Aruba 6400s or 6300s.
Hello,
we have some strange behavior here with a policy. Its really a simple setup with just one policy pointing from LAN to Internet.
The problem here is that sometimes the policy blocks the traffic and sometimes not. Its like a random choice if the firewall let passtrough the traffic or not. There are no filters set for this policy so it should behave like a router. There is no active subscription on the Fortigate.
This error message appears when the traffic is blocked (can be any traffic type, message is same, in this case simple ping):
------------------------------------
Application
Application Name PING
Category unscanned
Protocol icmp
Service PING
Data
Received Bytes 0 B
Sent Bytes 0 B
Sent Packets 0
Sent Shaper Bytes Dropped 0 B
Action
Action Deny: policy violation
Threat 131072
Policy 18
Policy UUID 03bfb666-ffd0-51e9-27ac-5cac18848f72
Policy Type policy
Per-IP Shaper Name PerIP-Max-2000
Sent Shaper Name MAX-6000
When the traffic passes trough, this message is logged:
------------------------------------
Application
Application Name PING
Category unscanned
Protocol icmp
Service PING
Data
Received Bytes 168 B
Received Packets 2
Sent Bytes 168 B
Sent Packets 2
Sent Shaper Bytes Dropped 0 B
Action
Action Accept
Policy 18
Policy UUID 5efcee64-ffd4-51e9-311f-7624f2d29967
Policy Type policy
Per-IP Shaper Name PerIP-Max-2000
Sent Shaper Name MAX-6000
Anyone any idea on this? If nothing helps we will format the fortigate and configure from scratch.
Thanks a lot
FWIW, the 10-32, 12-24, and M6 machine screws that have an unthreaded piece at the tip, making one-handed starting easier, are called pilot points.
I'm hosting a Pritunl OpenVPN server on a virtual linux instance and connected to it is a remote client. I'm unable to port forward on the remote device's end and was wondering if I could forward the ports to it on the server's local network?
Hi, I am part of a team that participates in rover challenges such as URC (University Rover Challenge), ERC (European Rover Challenge), etc. These competitions, especially URC requires our rovers to travel around 1 Km away from the base station. The major hurdle in this situation is to manage the communication between the base station and the rover. Such competitions only allow specific radio and WiFi frequencies to be used (Pages 4-5 contain rules regarding communications equipment).
I am having trouble finding equipment that can maintain a wireless connection for at least 1 Km. The communication has to be non line-of-sight ready as the rover may have to travel on small hills or in valleys during the competition's tasks. Also, the throughput demands are high compared to low power wireless as the rover would be constantly sending sensor telemetry and multiple video feeds over the wireless link.
Things we have thought of/implemented -
The entire communications system should be completely wireless between the rover and the base station.
I am also open to custom solution designs. Please let me know if anything else is required. Thanks!
Just started a new role and they have a task of rolling out Talari SD-Wan at all locations. Long story short, none of the people involved with the purchase for IT are here any longer and I'm having some trouble figuring out exactly what they were trying to accomplish with the purchase. I'm not exactly sure what problem they were trying to fix.
We are in the process of rolling out updated circuits with DIA primary and cable secondary. Only a few sites are on MPLS and these will be eliminated shortly. Internet traffic is being routed out from the sites specifically instead of back through a datacenter. We do have services that communicate with one another across IPSEC tunnels but it isn't much.
Phone traffic is also through a cloud VoIP provider and also goes out from the facility.
What I'm trying to figure out is how the Talari devices will benefit us. From what I understand I can't send out a single Talari and begin having it load balance the WAN connections at each site individually. They need to connect to a head unit at a location. That head unit controls all other units. All the magic happens within the tunnel between Talari units.
Also with this I'm adding another hop in my network. I need to put these devices behind our firewalls and route traffic that way. So the current setup I have is like this:
ISP A -> FW1 -> Talari1
ISP B -> FW2 -> Talari1
If we were sending all traffic over the tunnel and back to our datacenter I could understand it more. If we had a mix of MPLS circuits still running I could see it more. Since we only have a handful of servers and services (about 10) at our datacenter and we don't pass much traffic back I'm not seeing what gain I get from it.
There are no hooks into web services we use. We don't have anything in AWS and to connect with Azure we'd have to pay monthly for a server as well as purchase the Talari licensing.
I've been tasked with finding the benefit and how the solution is going to improve things for us. I'm struggling to find how we can measure that and what we gain. I still need to manage firewalls and add QoS tagging for our cloud traffic. I can also manage failover and load balancing links with our firewalls.
Am I missing something?
Do you have a dedicated "admin" VLAN that has all the goodies in one place? Thinking:
- admin interface for switches/routers/firewalls
- admin console for VMware ESXi
- HP iLO out-of-band server (KVM-style) mgmt
Would you want to isolate those things from each other for any reason?
I am currently putting in place a firewall solution to filter inbound traffic to some devices. All traffic outbound from these devices is allowed. I have explained this in simple terms to those that really don't understand networking.
But its becoming obnoxious how they are blaming me for issues that are not at all present on other devices that are in the same VLAN.
"Can't access this website can you permit it?"
I check other PC's in the same VLAN have access. "Not me buddy, check website admins or check desktop service"
That's just one of a few.
Hi,
currently I’m running a few Netgear and D-Link smart managed switches.
As I only need basic layer 2 functionality (VLAN, STP) they fit quit well, except for the point that they are not central manageable.
I know that there are full manageable switches out there from Aruba, Cisco and so on, but they all have a ton of functions with an according price and I don’t need these functions.
So, my question is: Do you know a switch manufacture who offers basic layer 2 switches with central management capabilities like a REST API?
Thanks
So I have a Cisco SG300, and a Netgear XS728T. The SG is static'd on VLAN 1, the XS is static'd on VLAN 40 and I can reach the XS just fine.. both ICMP and HTTPS. However a device I static'd on VLAN 30 is inaccessible on the XS.
I have added all VLAN's as tagged to the requisite ports from the firewall down (FW is acting as L3 device). If I static a device on any tagged VLAN then hang it off the SG directly I can reach it. But, in this case a new QNAP NAS, on VLAN 30 I cannot ping it nor can the Qfinder app see it. I uplinked it's secondary nic and left it on DHCP for VLAN 1.. it pulled a valid address and was discoverable.
The XS and SG are uplinked via Fiber 1G SFP, I just verified those two ports are set to untagged VLAN 1, Tagged VLANS 20, 30 and 40. Also the Firewall LAN interface is also set to U VLAN 1/T VLAN 20,30,40 I've also verified the static address on the Qnap does have the correct subnet mask and GW.
For the life of me I cannot figure this out and I know it's something stupid.
Hi all,
We're starting to think about how can we write iptables rules the clearest and cleanest way possible, and then generate them based on a configuration file.
We're at the point where we think about kind of a csv file like :
[source CIDR list],[destination CIDR list],[protocols list],[source ports lists],[destination ports lists]
We're really at point zero on this but I was wondering if something hasn't already be done which would looks like that. We know iptables wrapper like ferm or ufw but we are unsure about the use of them.
What do you think ?
Has anyone ever seen an issue on a Fortigate (virtual appliance in this case) where the firewall can intermittently reach/ping resources on the same subnet as it's main LAN interface? I.E. 2 pings out of 30 will succeed, the rest fails. Everything worked yesterday and this morning it's hell on earth...
Hello /r/networking
As part of solving a larger problem, it would be useful for me to find web servers which are hosted locally - i.e: not in a data center, but on the premises of a business.
Are there any hallmarks of a site or server which is hosted on-premises, vs hosted on "the cloud"? Are there any ways to scan for hosts of this kind?
As title states, how do you name your networking devices?
Currently we do it differently depending on type of equipment.
rtr-1.street.city.technology.dns-suffix - this would be a typical CPE name.
fw-1.customer.dns-suffix - a firewall could be placed anywhere :/.
nex-1.datacenter-room.dc-location.dns-suffix ( could be a datacenter switch where customers or shared services is connected )
My biggest problem is that we have been part of a company merge 6 smaller ones, getting into 1 big. And still this day a few years later, we still use different naming conventions. Seems like a subject everybody is afraid to talk about.
I am a Network Engineer with 6 years experience with a current salary of 115K. If I go for JTAC, and get 140-145k, would it be worth going into a support job? I also see it as a way to learn Juniper, and to get my foot in the door. If I end up going for it, maybe I stay in that role for a couple years before making a transfer internally.
Now the question is, will I lose my sanity along the way and is that worth it?
Hey All
I have a number of switches at my new employer that are REALLY out of date (like, 2014 out of date)
I'm having trouble with HPs firmware update site - some switches show stuff like this:
If your software version is: Your next step should be:
K.11.11 through K.12.29 Update and reload into software version K.12.31 or K.12.62 (BootROM K.11.00 - K.11.03)
K.12.31 through K.13.55 Update and reload into software version K.13.58 or K.13.68 (BootROM K.12.12 - K.12.14)
K.13.58 or newer Update into software version K.15.15.xxxx (BootROM K.12.17 or newer; (BootROM K.15.30) use "show flash" command)
K.15.15.xxxx -K.15.16.xxxx Update into software version K.15.17.xxxx or K.15.18.xxxx
K.15.17.xxxx - K.16.01.xxxx Update directly into software version K.16.02.xxxx
Whereas some of them dont. If they're not showing this, can I just update straight to the latest firmware, or am I still likely to need to do this in steps?
I wanted to reach out and see if anyone has had any success taking the plain .txt based running-config from enterprise network gear and through Python or other coding method converted it to a yang data model to use for automated network management?
As most folks do we have a large deployment of multiple vendors as I am working on building our automation solution and one key step in this is to get away from "old school' config management and move toward model-driven configuration management. This will require hand converting what can't be pulled through NetConf and RestConf method already. We've already automated several tasks such as large scale local break-glass account resets, large scale updates such as ACL's and Vlans but we have many other items that are much easier to accomplish with model-driven configuration management.
Preferred language for this would be Python as that is what I am comfortable developing in, however, I am not opposed to learning other languages as well.
