Saturday, November 23, 2019

Replacing Extreme networks with Fortinet?

I am looking for some advice. My company is looking into replacing our Extreme Networks gear with Fortinet. We have a campus network with 70 switches, all linked together with 2-4 10gig fibers for redundancy. Local server for DHCP and another FW brand. Now we are using SPB and IS-IS for bridging; the uptime is unbelievably good, but due to the prices we're looking into Fortinet for a complete solution with FW and management. I'm just afraid Fortinet couldn't manage the same uptime... I don't think they have the same good solution for bridging? And maybe run the DHCP on the FW and shut down the local server.



Network Design Project

Hi guys, I know there are a few other threads about similar topics, but I just need some direction. I’m working on a network design project for a class. I’m new to networking and am just looking for some good resources. The project is to create a network design for a small company.



Monitoring on 2 Nics

I am about to deploy a mini PC with 2 LAN ports on it to a business that claims they've been having consistent internet problems. I am using one port to put behind a Fortinet firewall. The second port will be going directly behind the ISP's modem. I will be getting assigned 2 different IP ranges. Is there software or some better way I can run an active traceroute per NIC?



Who has the most impressive network in the world, and why?

I know “impressive” can mean many things. My personal criteria are massive scale, high efficiency, and unique innovation. It also must be extremely reliable, versatile, and robust. A network you could say is a clear global leader; this is the most advanced network on Earth.

But what do I know? Feel free to rate based on your own criteria. Just please give an explanation for why you think it’s that organization.

I am sure the top picks may be among the FAANG organizations, or some global CDN. Maybe even one of the top carriers? I’m just curious to see which one specifically gets this sub’s vote, and to read about what epic things these top players are doing on/with their networks.

I also realize this thread could end up flopping, since most of these impressive networks probably operate on a high level of confidentiality—but I know this sub tends to host a number of highly experienced industry experts, so I’m hoping fun discussions will be had.



Help mapping out company cabling / patch panels.

So, after a few network issues, I suggested our company should make a map / diagram / excel sheet of every port on the patch panel, where it runs to in the building, what's connected, ....same for the switches.

....

Now my big mouth has been given the task to do this, but I'm struggling on where to start, so I would love suggestions to make this task easier.

.... Software, templates, perhaps hardware / analyzer that can help (and isn't too expensive.)

(The company has 2 buildings next to each other; in each building:

  • 5x 48 port switches,

  • 1x 8 port POE switch,

  • 7x 24 port patch panel,

  • wall connections in each room (some only 2, others 12))

So it's my task to find out which individual wall connection goes to which patch panel port, and which patch panel port goes to which switch port.

... Available tools given: flashlight, paper, pen, pc, label maker

.... Yay! ..... Help!



Solarwinds N-central and network mgmt

Just curious if anyone out there uses SolarWinds N-central and whether you have had any luck with backups and config changes. We are demoing the product in the organization, and for Infra and the help desk this tool is great, but it seems like we have a lot of custom work ahead of us to make the network manageable. Just looking for others' experiences.



Using Ansible to save Cisco (IOS, NX-OS, ASA) configs

I know this is only tangentially a networking question, but I figured networkers are more likely to have come up with solutions to the challenge below.

We started using Ansible modules (ios_config, nxos_config, asa_config) to save running config of our network devices to an Ansible server. I have a couple of annoyances:

  1. The playbook runs daily and saves the config to disk regardless of whether there have been any changes.
    • I looked at the documentation and didn't see a way to conditionally backup configs.
    • I'm thinking of using python or bash to do a diff between saved files and delete files that are identical.
  2. The filenames are `<host>_<date>@<time>` by default. I'd rather drop the `<time>` portion but am having a hard time using a variable from a different play to save the configs as `_`. Has anyone come up with a solution to this? I'm thinking of using `sed` to rename files, but that strikes me as clunky.

To end on a more positive note, if anyone has plays they run for their Cisco or F5 LTM gear (not config changes), or clever tricks to massage the data, feel free to share.
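One way to handle both annoyances from the post in a post-processing script rather than inside Ansible, as an added example (not code from Ansible or the poster): it hashes each saved config with the volatile timestamp headers stripped out, so a backup that differs only in "! Last configuration change" is treated as identical and deleted, and it renames the survivors to `<host>_<date>`. It assumes the filenames follow the `<host>_<date>@<time>` pattern the post describes; adjust `NAME_RE` if yours differ.

```python
"""Prune duplicate daily config backups and drop the @<time> filename suffix.

Added example for this thread, not code from Ansible or the poster. Assumes
backups live in one directory and are named <host>_<YYYY-MM-DD>@<HH:MM:SS>,
as the post describes; adjust NAME_RE if your backup option differs.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# <host>_<date> with an optional @<time> suffix (files renamed by an earlier run have none).
NAME_RE = re.compile(r"^(?P<host>.+?)_(?P<date>\d{4}-\d{2}-\d{2})(?:@(?P<time>[\d:]+))?$")

# Header lines that change on every 'show running-config' without a real change
# (IOS, NX-OS and ASA examples; extend for your platforms).
VOLATILE_RE = re.compile(
    r"^(! Last configuration change|! NVRAM config last updated|Building configuration|"
    r"Current configuration :|!Time:|!Running configuration last done|: Written by)"
)


def normalized_digest(text: str) -> str:
    """SHA-256 of the config with volatile header lines removed."""
    kept = [ln for ln in text.splitlines() if not VOLATILE_RE.match(ln)]
    return hashlib.sha256("\n".join(kept).encode()).hexdigest()


def plan_cleanup(backup_dir: Path) -> dict:
    """Return {'delete': [Path, ...], 'rename': [(old, new), ...]}; touches nothing.

    Backups are walked per host in date order. One whose normalized content
    equals the previous kept backup is a duplicate; otherwise it is kept and
    renamed to <host>_<date>.
    """
    by_host: dict = {}
    for path in backup_dir.iterdir():
        m = NAME_RE.match(path.name)
        if m:
            # Already-renamed files (no @time) sort before same-day timed ones.
            by_host.setdefault(m["host"], []).append(((m["date"], m["time"] or ""), path))
    plan = {"delete": [], "rename": []}
    for host, entries in by_host.items():
        last_digest = None
        for (date, _time), path in sorted(entries):
            digest = normalized_digest(path.read_text())
            if digest == last_digest:
                plan["delete"].append(path)
                continue
            last_digest = digest
            target = path.with_name(f"{host}_{date}")
            # Keep the @time name if a different config for that date already
            # exists, so no version of the config is ever overwritten.
            if target != path and not target.exists():
                plan["rename"].append((path, target))
    return plan


def apply_plan(plan: dict) -> None:
    for path in plan["delete"]:
        path.unlink()
    for old, new in plan["rename"]:
        old.rename(new)


def make_sample_dir() -> Path:
    """Constructed sample backups (not real device output) for a demo run."""
    d = Path(tempfile.mkdtemp())
    cfg = ("! Last configuration change at {ts}\n!\nhostname sw1\n!\n"
           "interface Gi1/0/1\n description {desc}\n")
    (d / "sw1_2019-11-21@04:00:01").write_text(cfg.format(ts="04:00 Nov 21", desc="uplink"))
    # Only the timestamp header differs: a duplicate to delete.
    (d / "sw1_2019-11-22@04:00:02").write_text(cfg.format(ts="04:00 Nov 22", desc="uplink"))
    # A real change: kept and renamed to sw1_2019-11-23.
    (d / "sw1_2019-11-23@04:00:03").write_text(cfg.format(ts="04:00 Nov 23", desc="uplink to core"))
    return d


if __name__ == "__main__":
    import sys
    directory = Path(sys.argv[1]) if len(sys.argv) > 1 else make_sample_dir()
    plan = plan_cleanup(directory)
    for p in plan["delete"]:
        print("delete", p.name)
    for old, new in plan["rename"]:
        print("rename", old.name, "->", new.name)
    apply_plan(plan)
```

Run it against a copy of the backup directory first; the plan is printed before anything is deleted or renamed, and the saved configs usually contain credentials, so keep the directory's permissions as tight as the playbook's.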



Total noob question about static IP's

So I work for an ISP and I've learned a lot about what happens behind the curtain, but unfortunately a lot of the other side of the curtain is still kind of a mystery to me. We provide static blocks for customers, usually just a /29 block. And every now and again a customer will ask me why they need this. And I still kind of stumble to answer it lol. Obviously that's only enough IPs for their management devices. Does it just make management easier? I don't see how this helps with security.



Noob firewall question

So a while back I made a pfSense firewall and set up Suricata. I don't think it's working very well because I just used an old computer I had lying around and it's slow. I want a premade plug-and-play hardware firewall with no yearly or monthly fees; just buy the box and forget about it. Are any of those on Amazon good? I've looked at an Untangle Z4 but is it pre-set-up? Or do you have to configure it to actually work? My price range is anything under 200 USD. I mainly want something that will protect against remote access tools, viruses, and malware. Any ideas? Sorry if noob question.



Transfer speed between NAS and PC

I have a Synology NAS and a media PC. The transfer speeds between the 2 are about 100 Mbps. But if I use my PC to transfer to the NAS, I get gigabit speed. If I use my PC to transfer to the media PC, I get gigabit speed. It's just the transfer between the media PC and the NAS. They are sitting next to each other on the same switch. I have tried moving the NAS to the same switch as my PC and the same situation happens. I've tried turning off large send offload.



Firepower 2110 & GNS3

Does anyone know if it's possible to get a new Cisco Firepower (FXOS?) running in GNS3?

I'd like to have a play in a lab before the real-life devices arrive at work.

I'm comfortable with the typical ASA stuff but haven't touched Firepower at all really. I also find it confusing that the 5508/12/15/16 etc. have 'Firepower' but only as a module you direct certain traffic to, whereas the new 2110 type devices seem to be completely standalone.

Cheers



Operation Hatred? How does your org handle it? Engineering vs Operations Interaction.

I figure there may be some folks out there with a strong split between Ops and Engineering in their orgs, and maybe even Architecture in some circles. How do you handle that inter-team interaction and is compensation adjusted for the Ops people? What do you prefer?

At my org we have a pretty clear split and our Ops folks, while generally good to work with, tend to complain about "Engineering Shit Sandwiches" even though we can never pull them into design discussions, and when we query them for input or pain points it is generally vague stuff like "make sure it doesn't suck". It is almost like a cultural thing with that group. Only a couple of folks will actually engage you to learn a product, and they get pulled away often because they engage EVERYTHING, which makes them just as useless.

Being on the Engineering team we are often faced with major forklift upgrade and new implementation and integration of products, up to day 1 support, and hand-off of the project. It is a large undertaking as Architecture or Engineering or even Ops sees a need and it is up to Engineering to take the "need a new Switch Fabric" request and go. We investigate vendors, run PoCs, deal with CAB and review boards, test, set up, document, troubleshoot, everything. It becomes a very deep dive into that one solution and you can very easily be pigeon-holed into your couple of projects because of the scale. The ownership of these products also follows you throughout your entire tenure as you are now known as the "The Arista Guy" because that is the vendor you chose due to whatever reason; good or bad. The trade-off is the work, while long at times, is a lot more steady and there is a lack of on-call and true spikes in workload (I think this is the main reason Ops gives us shit).

The Ops team handles tickets and thanks to our outsourced workflow they generally don't handle mundane provisioning requests unless the queue gets too big. I have been in Ops and understand the work can be equally challenging when anomalous, hard-to-track activity is seen. Different time zones, language barriers, levels of technical expertise, etc. all make this more challenging. There is also the on-call aspect, which I don't think is formally acknowledged. There is a wink and a nod for adjusting time worked to ensure you aren't getting hammered, but we all know how that is; you just end up working in silent mode at home. I will note that sitting by that team, they have a lot of downtime and are very quick to toss "Engineering problems" back to us even if it is something like a circuit being undersized due to a project misquoting the number of users for the entire project. I think they look at our workflow and are horribly jealous.

Now here is where I have the issue. I have done Ops for 3 years and Engineering for 3 years. I kind of enjoy Ops more. The on-call can suck but the tasks are much more straightforward break-fix and I personally enjoy helping people. While the technical skill-set is near equivalent there are minor twists there. Ops mainly focuses on getting something working, needs to be quick and internalizes a few critical aspects. Engineering needs to be slow and methodical to follow best practices and can't internalize such a vast amount of information, because I am going far deeper into this specific technology and not touching half of what we have to know, stuff like "this specific code version always throws this error; Engineering needs to upgrade them all".

I really can't complain overall, I enjoy my job and all my teammates are great folks; it just gets annoying when you go out of your way to craft a solution for a problem and all you get is flak from the Ops team, told how easy your job is, and accused of not doing your best job. It may just be cultural but still frustrating.



Friday, November 22, 2019

So I wanna replace my Xfinity router with a new one that's not rented, but does it have to be compatible?

I don't really get this stuff but I do know I wanna buy a TP-Link Archer AX1500, but I don't know if it's compatible or if I just plug it in.



Looking for high bandwidth rooftop to rooftop solution ideas

Edit: Fixed Gbps, not Mbps.

One of my clients is expanding into a building within the same office complex but not directly next door.

They have a need for large data transfers between buildings. They expect to be generating about 60 GB of data daily in one building that needs to make it over to the other building.

I initially looked at some rooftop 24GHz solutions but was seeing max throughput of about 1.45 Gbps (correction from earlier). I then suggested that we trench fiber between buildings and handle the delivery that way. With fiber, I can run multiple 1Gbps or 10Gbps links and data transfer wouldn’t be a problem.

The contractor gave a quote for the trench and now the client is having a bit of sticker shock.

Are there alternative rooftop solutions that I’m not finding that offer higher bandwidth? RF or optical?

Can multiple RF pairs be “stacked” to form a higher bandwidth link?

My alternatives are to have higher bandwidth ISP drops and do a VPN, look at MPLS (assuming the ISP supports it) instead of the VPN, or look to drop servers in the new building to capture data and then stream it out slowly.

Any advice would be great!



ASA firewall and network documentation

Hey,

I inherited a few ASA firewalls and switches with no documentation on them. How should I go about looking at and understanding these devices? I would like some advice. Thanks.



Career path

I'm wanting some insight into my career options. Any input, opinions, or resources to help me make a final decision would be awesome.

As of now, I only have customer service/food work experience. I have completed the Advanced Networking Certification Program at UoP and have a strong knowledge of networking and computers from personal and school experience.

My end goal is Senior Network Engineer and/or Architectural Designer. This is my long-term goal. Every job I view of this requires at least 2 of 3 of these requirements: 1.) 4+ years of experience in related field with knowledge of everything networking pretty much, 2.) Bachelor's Degree from accredited college, and 3.) industry certifications such as MCIP, A+, Net+, CCNA, CCNP.

So what would be the route most likely to get this job?

A.) Continue off of my Advanced Networking Program from UoP at Missouri S&T and earn my Bachelor's in Information Science and Tech. Also take the Network + cert which I am self studying for.

B.) Take any IT job I can get, pay $170 for Network+ out of pocket and earn a Bachelor's in Network Operations and Security at WGU (an accredited online college). (Although this college doesn't look as good on resumes.) Note that this college program includes 11 different, paid-for, certification attempts.

C.) Take advanced mathematics classes at a college near me and qualify for the Computer Science program at MS&T, then transfer to MS&T, and also take the Net+. I would qualify for transfer scholarships this route. But do more schooling also.



iptables forwarding question

How would I go about adding an iptables rule to forward all traffic from a VPS to my local machine connected through OpenVPN?



Combining nic card for more bandwidth

I did some googling and tried to find this topic on this thread as well, but to no avail.

Can someone point me in the direction of this perhaps if you know of a thread?

My PC has 2 network cards, one is 1 Gb and the other is 1 Gb. Curious if anyone has successfully combined the two to connect to another computer with 2 gigabit instead of a single one? Essentially doubling the speed?

Thanks in advance for any info.

Upvotes for dumb questions



Apologies in advance if this is the wrong subreddit, but I am lost and need a little help with a Juniper SRX240 and an Extreme Summit X440.

Long story short, I got a Juniper firewall and a handful of Summit X440-48P's. I have no clue if they've been wiped of any sensitive info/config data (not sure what may be on them that could be sensitive info), I can't bother the people who were trashing them, and I want to make sure they are wiped before I try to sell them. But I've never messed with this stuff and I'm lost after reading through the documentation.

I'm assuming I need to connect to the console port on the devices to begin communicating with it via Telnet (is the web UI accessible through this port as well), but I'm not sure if a regular Ethernet connection works, or if I need a cable with a different pinout, an Ethernet to serial adapter, or something non-standard. I found a pinout for the cable connecting to the console connection on the Juniper at least, but am not experienced enough on my own to figure out if what I have laying around (standard Ethernet cables and one random serial/Ethernet cable with unknown pinout) will work or not. I'm mostly afraid of shorting something and breaking stuff.

I'm just trying to figure out how to connect to these devices and check to see if they're wiped/reset and void of any sensitive data and okay to sell. Any and all help would be MASSIVELY appreciated.



ACLs between Vlans - how granular do you get?

Not too long ago we began using dot1x authentication and dynamic vlan assignment on switch interfaces. Depending on who you are, you get assigned a different vlan and subnet. There are a number of different types of user, and a number of different vlans. Once authenticated, a vlan is assigned to the interface as well as a dacl (permit all).

The acls I have been working on are applied at the vlan interface.

The ACLs are getting pretty crazy. I'm OK with it from a management point (but god help the guy who gets handed this task later); I have written some scripts that produce and apply the ACLs to each site, but I wonder if I am getting too granular. I allow specific access to print servers, and only on the ports necessary. I allow specific traffic for Active Directory functions, DHCP, etc. You need SMTP? You get 587. You need access to the security camera system? I will enable a temporary permit statement with "log" on the end so I can analyze logs for a baseline of what is needed for permit statements to be permanently added.

Is this normal? Anybody have any "best practice" advice on this?
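The "temporary permit with log, then baseline" step in the post can be automated defensively, as in this added example (not the poster's scripts): it parses IOS-style `%SEC-6-IPACCESSLOGP` lines for one ACL, keeps only hits sourced from the VLAN being baselined, and emits candidate ACEs scoped to subnet, single host and single port, holding back anything seen from only one host for manual review. The ACL name, VLAN subnet and log lines below are constructed for the demo.

```python
"""Turn 'permit ... log' hits into candidate permanent ACEs for a VLAN ACL.

Added example for this thread (not the poster's scripts). Assumes IOS-style
%SEC-6-IPACCESSLOGP syslog lines for tcp/udp; the sample lines below are
constructed, and the VLAN subnet is passed in by the caller.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample log: two hosts reaching SMB on a file server, one host
# printing, one denied telnet attempt, and a hit from a different VLAN.
SAMPLE_LOG = """\
Nov 22 09:01:12: %SEC-6-IPACCESSLOGP: list VLAN20-IN permitted tcp 10.20.0.5(51234) -> 10.1.1.10(445), 1 packet
Nov 22 09:01:40: %SEC-6-IPACCESSLOGP: list VLAN20-IN permitted tcp 10.20.0.7(51301) -> 10.1.1.10(445), 4 packets
Nov 22 09:02:03: %SEC-6-IPACCESSLOGP: list VLAN20-IN permitted tcp 10.20.0.5(51240) -> 10.1.1.10(445), 2 packets
Nov 22 09:03:55: %SEC-6-IPACCESSLOGP: list VLAN20-IN permitted tcp 10.20.0.9(40001) -> 10.1.1.20(9100), 1 packet
Nov 22 09:04:10: %SEC-6-IPACCESSLOGP: list VLAN20-IN denied tcp 10.20.0.9(40002) -> 10.1.1.30(23), 1 packet
Nov 22 09:05:00: %SEC-6-IPACCESSLOGP: list VLAN20-IN permitted udp 10.30.0.4(5353) -> 10.1.1.10(5353), 1 packet
"""


def summarize(log_text: str, acl: str, src_net: str):
    """Per (proto, dst, dport): total packets and the set of distinct sources."""
    net = ip_network(src_net)
    packets, sources = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["acl"] != acl or m["action"] != "permitted":
            continue
        if ip_address(m["src"]) not in net:
            continue  # not from the VLAN being baselined
        key = (m["proto"], m["dst"], int(m["dport"]))
        packets[key] += int(m["count"])
        sources[key].add(m["src"])
    return packets, sources


def candidate_aces(log_text: str, acl: str, src_net: str, min_sources: int = 2):
    """Return (aces, review).

    Flows seen from at least min_sources hosts become ACEs scoped to the VLAN
    subnet, one destination host and one port; the rest are listed for manual
    review rather than permitted on a single host's say-so.
    """
    net = ip_network(src_net)
    packets, sources = summarize(log_text, acl, src_net)
    aces, review = [], []
    for (proto, dst, dport), n in packets.most_common():
        line = f"permit {proto} {net.network_address} {net.hostmask} host {dst} eq {dport}"
        hosts = len(sources[(proto, dst, dport)])
        if hosts >= min_sources:
            aces.append(line)
        else:
            review.append(f"{line}  ! {n} packets from {hosts} host")
    return aces, review


if __name__ == "__main__":
    aces, review = candidate_aces(SAMPLE_LOG, "VLAN20-IN", "10.20.0.0/24")
    print("\n".join(aces))
    print("review:\n" + "\n".join(review))
```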



Blunders while troubleshooting..!!

What is a mistake/blunder you accidentally made in the heat of troubleshooting a network/device upgrade/migration and regretted for a long time? Comment it out, and let's make a list..



Dual Internet Circuits - Need Some Advice

Our org has ordered a second internet circuit in one of our datacenters. It was ordered before consulting with us. We only have a /26 from one of our carriers. I discovered after the fact that no one advertises anything more specific than a /24. The carrier with the /26 owns that IP address space. Is the only option to try and get a /24 and re-ip everything? We are wanting both circuits to be usable and the only way I can see that to be feasible is to request a /24 from ARIN and re-ip all of our stuff. Looking for some suggestions. I tried to turn up the circuit and foresaw this coming. In the BGP looking glass CenturyLink advertises the /26 but no one else does.



BiDi SFP - no link with a Mikrotik switch, links fine between Netgear switches

I figured this is suitable for here.

So I currently have 25m of multimode OM3 fiber between my WAN modem and my lab which has my router. I'm getting a failover WAN so I thought it would be great to use BiDi to send the signal over the existing duplex fiber (but not averse to replacing with SMF).

FS advised that OM3 MMF MIGHT work but could not guarantee it, but OS2 SMF would work. Proceeded to buy 1550nm-TX/1310nm-RX and 1550nm-RX/1310nm-TX BiDi SFPs for use - they're rated for 10km.

Using a Netgear GS724T and another Netgear switch, I can get a link using BOTH SMF and MMF but can't check signal levels as neither of the Netgear switches give me that data. However, trying to use the GS724T and the Mikrotik shows the following:

Tx Bias    Power Tx     Power Rx
12mA       -5.804dBm    -7.096dBm
14mA       -5.954dBm    -12.457dBm

The first in the table is the SMF, second is MMF. Both test cables are 30m of fiber. Both SFPs in the Mikrotik are the 1550Tx and the 1310Tx are in the Netgear. Datasheet for the thing is here.

First off, why would the Netgear uplink instantly but the Mikrotik not link, and second, are the power levels off?



Rollback change if not confirmed

Hey guys ... I read something in here some time ago that I forgot to remember. It was a save command or a parameter for that (I think) that basically reverted the config or rebooted the switch if a change wasn't confirmed after x amount of minutes. Can't remember what vendor that was, Cisco, HPE ... but it sounded kinda interesting.

Not a networker here but my colleagues don't know what I'm talking about, they say they just schedule reboots and take 'em out if everything went well. And I'm sure it was different than that ...

Thanks guys! :D



Does the command "enable algorithm-type" not work in GNS3 at all?

I'm running a 7200 router in GNS3 with IOS 15.2. Really frustrating that this command doesn't work in packet tracer either.



Help understanding 25/40/100Gbit and MPO/MTP

I am researching into equipment beyond 10Gbit for future upgrades but am having trouble understanding the transceiver types as well as cabling and connector types and fibre capacity requirements. Currently we have 10Gbit uplinks for switches and 10Gbit in all core and data centre using SFP+ and a mixture of single mode and multi mode structured fibre cabling with mostly LC and some SC connector panels.

Looking at the optics I see there are two options, QSFP+ and QSFP28. Am I understanding correctly that QSFP28 is the way to go and it has superseded QSFP+? Or is there still a place for QSFP+ and 40Gbit?

Also finding it hard to understand the MPO and MTP type cables with breakouts. I understand there is the option for a 1 to 4 breakout cable and to have 1 switch port split into 4 x 10Gbit individual links to separate devices. How does it work when wanting to connect two devices at 100Gbit over a run of fibre? I see the cables contain multiple fibre strands, so I assume any structured cabling in between would need that number of strands available? For example, our site to site fibre is presented on LC or SC connectors; would we require say 4 pairs of structured fibre to run a 40Gbit or 100Gbit link between buildings or sites and have to use a breakout cable to split the link into 4 LC connectors? And then the same at the other end to go from the 4 LCs to 1.

Basically what I am trying to understand is: do all optics that run at over 10Gbit require multiple channels and multiple strands of fibre? Or is WDM involved somewhere? I have years of experience with 10Gbit but feel clueless without actually getting my hands on some 40 or 100Gbit gear and cables and optics etc. Cheers.



2 network management systems?

Our current network management system is a bit stuffed. Our network has grown quite large and our NMS is experiencing hiccups. Stuff like mistakenly sending alarms for something that was down for 1 second but was never actually down (we have checked).

We have tried beefing up the VM, giving it more vCPUs, RAM, multiple 1G links etc... But it still experiences problems.

Would making a separate 2nd NMS alleviate those issues? I.e. one NMS only watches one half of the network? Like only customers routers? We would also need to place the second NMS at a different place in the network to manage congestion.

Of course then if we have an interlinked downtime we would need to look at 2 places but, eh, you win some you lose some.



Large Multi-Tenant Office block - How would you build?

I wanted to pick your brains around a network design project I am currently looking at.

Situation: A large company in an office block is moving out and the owner is splitting the site into 150 small offices for different tenants. The site is across 5 buildings but all on the same site. Internally there are very few changes as it was split into small offices anyway.

Current: Every office is already cabled back to around 15 racks, all with patch panels. All current switches are coming out, but all structured cable will remain in place. Every rack has fibre linked back to one location (with the exception of 2 which are daisy-chained from one another). Connectivity is provided by a 1Gbps leased line connection from a main provider; this will remain in place and will have public IPs available (a 2nd can be added if required). WiFi APs are present on site and will remain; they are WPA2-Enterprise compatible.

To be: Each tenant to have their own connection, which they will pay for as part of their rent, as an optional extra almost, but it will be required unless a separate line is to be brought in for them. The connection is to be accessible via WiFi and wired LAN; each connection should allow port forwarding and the ability to assign a public IP if required, and allow VPN access into their network. Customers to be able to log on to a panel and see usage, devices connected etc., and order additional products such as speed increases.

Question: So my question is, how would you do it? What equipment would you use? How would you set it up? What monitoring/management would you use?

My plan was to do the following;

  1. Mikrotik Cloudcore Router which would contain VLANS and VPN access (1 VLAN for each tenant)
  2. FreeRADIUS server (daloRADIUS) to manage VLAN logon for WiFi via WPA-Enterprise
  3. Switches (Open to ideas but have used Dell 1100Series successfully for smaller projects)
  4. Network management via single panel including monitoring of tenant usage (not sure on this)

The above I believe is the most simple, but what else could be done? Could we set it up almost as an ISP where every tenant has their own IP address, would that offer more control such as filtering? As we have not started anything yet I have a blank sheet and don't worry too much about budget. Funding is available for this.

Thanks all

Edit: detail



Year-end admin tasks

Hi All,

What tasks are necessary on your network, systems, or department at year's end? Updates, backups, documentation? What else? Help us to make a list!

What features of network monitoring would be helpful for you?



Networking help about subnetting

Hello everyone, I recently started an online academy for network administration and we got a task for practice. Now I have absolutely no clue how to do this; are there any tips or tutorials you can give me?

  1. 10.20.6.0/24 split on different networks in a way that every network has a minimum of 7 computers.

a) Find the possible number of host addresses in every subnet

b) Find the possible number of subnets

  2. Find the common Network ID for 111.17.0.0/24

- 111.17.1.0/24

- 111.17.2.0/24

- ...

- 111.17.9.0/24

Mainly my problem is the first sentence: split 10.20.6.0/24 on different networks in a way that every network has a minimum of 7 computers. I figured out which formula I have to use, 2 to the power of n minus 2 for host addresses, but how am I supposed to split the network? Thanks in advance.
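The two exercises above, worked in code as an added example (not from the course or the poster): `host_bits_for` applies the 2^n - 2 rule to find how many host bits a subnet needs, `split_for_min_hosts` carves the /24 into equal subnets of that size, and `common_network` walks up prefix lengths until one supernet contains all of the listed /24s. The functions are general, so they work for any prefix and any minimum host count, not just the values in the exercise.

```python
"""Worked subnetting helpers for the two practice questions above.

Added example, not from the academy course or the poster. Uses only the
standard library's ipaddress module; the functions handle any prefix and
any minimum host count, not just the values in the exercise.
"""
from ipaddress import IPv4Network, ip_network


def host_bits_for(min_hosts: int) -> int:
    """Smallest n with 2**n - 2 >= min_hosts (network and broadcast excluded)."""
    n = 2  # a 2-address block has no usable hosts under this rule, so start at 4 addresses
    while 2 ** n - 2 < min_hosts:
        n += 1
    return n


def split_for_min_hosts(cidr: str, min_hosts: int) -> list:
    """All equal-size subnets of cidr that each hold at least min_hosts hosts."""
    net = ip_network(cidr)
    new_prefix = net.max_prefixlen - host_bits_for(min_hosts)
    if new_prefix < net.prefixlen:
        raise ValueError(f"{cidr} is too small for {min_hosts} hosts")
    return list(net.subnets(new_prefix=new_prefix))


def usable_hosts(net: IPv4Network) -> int:
    """Host addresses per subnet: all addresses minus network and broadcast."""
    return net.num_addresses - 2


def common_network(cidrs: list) -> IPv4Network:
    """Smallest single prefix (supernet) that contains every given network."""
    nets = [ip_network(c) for c in cidrs]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # shorten the prefix by one bit and retry
    return candidate


if __name__ == "__main__":
    subs = split_for_min_hosts("10.20.6.0/24", 7)
    print(f"{len(subs)} subnets of /{subs[0].prefixlen}, {usable_hosts(subs[0])} usable hosts each")
    print(subs[0], subs[1], "...", subs[-1])
    print("common network:", common_network([f"111.17.{i}.0/24" for i in range(10)]))
```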



Thursday, November 21, 2019

Best router for small business that has the features of Cisco RV320

Hello! I was very close to purchasing the Cisco RV320 today and slowly realized that this router is a rebranded Linksys router and it comes with many security vulnerabilities.

It does have many great features that a small business would need. The features can be seen in the emulator. The most important ones to me are VLANs, firewall of some sort, access rules, bandwidth management based on IP range, VPN, web filtering? (https). I’ve been looking around and I just haven’t been able to find something as nice as this.

Network will consist of 30-80 users, have plans of implementing an IP camera system.

The maximum budget is $200. No subscription based license please. We will most likely be purchasing a used version online. I would appreciate any suggestions!



Work options with Network + cert

Passed the Network+ cert test but have no on-the-job experience. Even Jr. Help Desk positions are asking for experience. Many Network Tech jobs are also asking for clearances. I've been reading study manuals for CCENT, Network+, & Security+ for almost 2 years now. How do I get my foot in the door?

I do live in the metro D.C. area so I'm sure there's competition, but how does one get started without being able to get a job due to entry barriers?



Packet Tracer Frame Relay

Hey! It seems that packet tracer still cannot support frame relay. Are there other simulators that you know that I could use?



Is cross-training a myth?

I've been working F/T in IT for 22 years. I keep running into management who think they can take two people in the department, who have completely different jobs, and magically cross-train them for emergency coverage situations. Anyone actually ever seen this done successfully?



Strange behavior on IPsec tunnel between Azure and Palo Alto

I'm trying to troubleshoot a weird issue between our Azure network and one of our servers in a DMZ behind a Palo Alto firewall. The IPsec tunnel is already routing traffic for a bunch of /23 networks in Azure and it is working with no issues. Traffic to and from the /23 to the DMZ is working fine.

Today we added a new Azure /23 to the Proxy ID list on the Palo Alto side of the tunnel but the DMZ is unreachable. We don't see any traffic in the Palo Alto logs coming in from Azure to the DMZ. After a while we realized that starting a ping from the DMZ to the Azure host "opens up" traffic and everything seems to work as expected.

Reading online it seems this is a known behavior when there is a mismatch on the IPsec keepalive SA configuration. However, the existing /23 networks are working just fine; we only have this issue on the new subnet added. Also, there is no traffic in the Palo Alto logs that tells me the Azure VM is even hitting the firewall so I can look into updating rules.

Is there anything obvious that I am missing?



Tagged vs Untagged vs Blank - Is my understanding correct?

Untagged ports for a specific VLAN means that that VLAN can traverse freely through this port?

Tagged: The same thing for a VLAN but will only be recognized by devices that are configured for it? You can have multiple tagged VLANS on a port but not multiple untagged VLANS for a port?

Blank ports: (neither tagged or untagged) means VLANS cannot traverse these ports?

Idk why this is so confusing to me and I apologize - I’m sure this has been covered many a time.



Spliced Cat5e. What's going on here?

I just moved into a new house and found cat5e cables spliced together behind blank plates and connected to RJ11 instead of RJ45 ports. What's going on here?

Pictures: https://imgur.com/gallery/0Dqu3fS



Routing Question - Shouldn't be this hard!!!!

So I've got a DNOS 6 Dell Switch. Basically Cisco/FTOS command line. The use case is I have a police department security center that monitors video feeds from around the city.

I've got a Comcast gigabit modem plugged in to Port 1. This connection is dedicated to this office and not on our LAN. The purpose of this connection is to be able to handle the high amount of traffic and not interfere with the rest of our city operations. It is set up with an IP address using vlan 10.

I have created a vlan "99" and set up the DHCP server to hand out .99 addresses to all the other ports.

The idea here is to route all traffic out this dedicated Comcast connection EXCEPT the IPs that need internal resources i.e. our internal cameras and DVRs. The default route is set to point to the Comcast gateway and the other routes are in place to access internal subnets going over the fiber link that goes to our core switch on our LAN.

EVERYTHING works except internet access on devices on the .99 network. Using ping on the switch it is able to get to the internet (directly through vlan 10) but if I ping using source vlan 99 it doesn't work. Traceroute and ping die also. Oddly, on the test laptop when I ping NFL.com or something else it shows an IP as if it's getting DNS but doesn't actually ping. Also, despite not using the damn thing to go out to the web, devices on the 99 network can access the Comcast gateway via the web browser BUT devices on the 99 cannot ping or traceroute the gateway.

WHAT THE HELL?

Is this a config issue or an issue with the Comcast modem not being able to communicate with my 99 network?



I need help with the network configuration for my high school servers

At my high school, we have several rack-mounted servers that got donated to us and we are trying to find the best configuration to get the highest possible speeds.

Our original goal was to connect the servers to a switch and then plug that into the ethernet port adjacent to our server rack. Unfortunately, the school tech chief forbids us from connecting to the wired network; I'm assuming it causes issues with the user authentication. (Normally when you connect to the network it prompts you for your name and student id number.) So it looks like that is out the window. The tech chief also refuses to create us our own private vlan, so that is out the window as well.

Currently, we have around 6 servers to setup and only 2 network cards. Our class also has a bunch of switches, routers, and ethernet cables at our disposal. My question is, is it possible for us to create a sort of “router on a stick” scenario where all the servers are connected to a switch and that traffic is sent from the switch to a router that exchanges traffic with the school network? (Keep in mind the issue is we don’t have direct ethernet connection to anything, not even an ethernet input for the ‘router on a stick’) Or should we just buy network cards for all our servers?

Also, once we gain access to the network, we aren’t sure how to authenticate the servers without a GUI. Normally on windows we use google chrome to type in our id # and password into the online portal. Could it be as simple as sending a post request containing our credentials to the server hosting the authentication site?



Why are routers circular in Packet Tracer if they are actually rectangular in real life?


Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Small and Cheap Switch with LLDP?

Hey guys and gals,

I'm currently trying to find a cheap switch that supports LLDP. Preferably under $100 each. What I'm thinking is if I can get a very basic, small switch (5 or 8 port) with LLDP then I can start making sense of physical topology a little bit easier by placing these in various locations then seeing how everything comes back to the distribution switch.

My scenario: out in the desert, have a site with 10 or so individual buildings that are all connected, 6 of the buildings have strictly layer 2, basic Netgear or HP ProCurve switches. I've been able to piece everything together luckily but it has surely taken much longer than I'd like. It's important to note that this location will NOT remain this way and it's kind of something I inherited. Yay!

Any pointers would sure be helpful. Thanks!



Cisco 2960L: simple DHCP port-based ip address allocation, can't do it, help!

tldr; need basic advice on how to setup port-based address allocation on a switch with no router, no dns-server.

Background

I've been using 2960L switches for almost a year now. I use them in a manufacturing scenario where we make "widgets" that have a network interface. During manufacturing, I use the 2960L as a DHCP server and controllable PoE provider. That's it. Just a 2960L, widgets get plugged into the switch, and then a computer (also plugged into the switch) runs scripts to power on the widgets, load software, configure, and test the widgets using the switch as an isolated LAN. Then they're unplugged, put in a box and shipped. No router. Nothing talks beyond the switch, except the computer, but it uses a second NIC card for that.

It has been working great. And last year folks on r/networking helped me get past the initial Cisco WTF-moments in configuring these switches. I am not a network person, but I just need to do this stuff sometimes as part of my job. Thanks!

Problem

I now need to adapt to a slightly different scenario where, for technical reasons, I would like to use what Cisco calls "DHCP Server Port-based IP Address Allocation". Instead of giving out DHCP addresses tied to device MAC addresses with a lease, I would like to make it so that when I plug a widget into port 1, it gets IP address 192.168.1.1; when I then plug that device (or any device) into port 2, it gets IP address 192.168.1.2. Devices plugged into port 3 get 192.168.1.3, and so on... up to port 28.

That seems fairly simple, but geezus, it's so hard to understand the Configuration "Guide" (using 15.2(6)E). Getting frustrated and confused.

Here's what I've Tried

I've written a script that flattens the switch down to a factory default and then starts to configure it by assigning it an IP address, hostname, user/password, and enabling ssh. That works. I can even enable DHCP like before. The issue is that I don't understand how I am supposed to set-up the port-based address allocation.

The chapter on this in the guide, tells me to do this...

enable
configure terminal
ip dhcp use subscriber-id client-id
ip dhcp subscriber-id interface-name
interface gigabitethernet 0/1
 ip dhcp server use subscriber-id client-id

OK, the next to last line above specifies a particular port. Presumably, I need to do the last two lines for each interface? That seems tedious for 28 ports, but continuing...

interface gigabitethernet 0/2
 ip dhcp server use subscriber-id client-id
[...]
interface gigabitethernet 0/28
 ip dhcp server use subscriber-id client-id
end

Still, nothing in there said anything about assigning specific ip addresses to specific ports. Then the guide says...

What to do next

After enabling DHCP port-based address allocation on the switch, use the ip dhcp pool global configuration command to preassign IP addresses and to associate them to clients.

So now it wants me to setup dhcp pools... presumably, that's where I get to assign ip addresses to ports? The instructions say...

For procedures to configure the switch as a DHCP server, see the “Configuring DHCP” section of the “IP addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.4.

OK, putting down the configuration guide, and going to another huge manual, the instructions are...

service dhcp
ip dhcp pool uutpool
 network 192.168.1.0 /27

Here, I am trying to specify a dhcp pool that is just large enough to cover all ports (28). This one will give me 30 ip addresses ranging from 192.168.1.1 to 192.168.1.30. Can I safely assume that it will magically assign each of these to the ports in order so that Gi0/1 gets 192.168.1.1 , Gi0/2 gets 192.168.1.2, and so on? Continuing...

 domain-name mycompany.com
 dns-server 192.168.1.202
end

Since no traffic that is on this switch is ever going to go outside of the switch, I don't need a gateway, nor do I need a dns-server. I don't know what I am supposed to put for these things. I assigned an ip address for the switch of 192.168.1.200 , and for the gateway, 192.168.1.201 and for the dns-server 192.168.1.202. There's no router and no dns server, of course, but it seems that these things aren't optional so I just set them to something outside of the dhcp pool.

When I try to connect my laptop after configuring the laptop interface to get a DHCP address, it just gets the default 169.254.... address-- so it's not getting an ip address from the switch DHCP server, let alone a port-allocated address. When I give the laptop a static IP, I can ssh to the switch and see the webpage.

I don't see what I am doing wrong here. It should be simple, right? What am I missing? I will gladly paste in my config file if that helps. I am stuck!
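An added example, not from the post above and not Cisco's own script: a small Python generator for the configuration the guide's "What to do next" paragraph is pointing at, i.e. the pool entries that pin one address to one port. The pool syntax it emits (`address <ip> client-id "<short interface name>" ascii` followed by `reserved-only`) is the form shown in the port-based address allocation chapter of the Catalyst configuration guide; the pool name `uutpool`, the SVI address 192.168.1.200/24 and the port naming Gi0/1 to Gi0/28 are assumptions for the example. Two points worth checking against the post's own configuration: the IOS DHCP server only serves a pool whose network contains the address of the interface the request arrives on, so a /27 pool does not match a switch whose Vlan1 SVI sits at .200/24; and `default-router` and `dns-server` are optional in a pool, so an isolated LAN can simply leave them out.

```python
"""Generate a Cisco IOS 'DHCP server port-based address allocation' config.

Added example, not from the original post. Assumes the IOS 15.2(6)E syntax
quoted in the post, a Vlan1 SVI at 192.168.1.200/24, and that the switch names
its ports Gi0/1 .. Gi0/28 (24 copper + 4 SFP on a 2960L-24); adjust PORTS and
SVI_ADDR to your switch.
"""
from ipaddress import IPv4Interface, IPv4Network

POOL = "uutpool"
SVI_ADDR = IPv4Interface("192.168.1.200/24")   # switch management address (assumed)
PORTS = [f"Gi0/{n}" for n in range(1, 29)]     # Gi0/1 .. Gi0/28 (assumed naming)


def port_address(network: IPv4Network, port_index: int) -> str:
    """Port n (1-based) gets host n of the network: Gi0/1 -> .1, Gi0/2 -> .2, ..."""
    host = network.network_address + port_index
    if host not in network.hosts():
        raise ValueError(f"port {port_index} has no usable host address in {network}")
    return str(host)


def port_based_dhcp_config(pool: str, svi: IPv4Interface, ports: list[str]) -> list[str]:
    """Return the IOS configuration lines, in the order the switch expects them."""
    network = svi.network
    lines = [
        "service dhcp",
        # keep the switch's own address out of the pool
        f"ip dhcp excluded-address {svi.ip}",
        # identify clients by the ingress port instead of the MAC address
        "ip dhcp use subscriber-id client-id",
        "ip dhcp subscriber-id interface-name",
    ]
    for port in ports:
        lines += [f"interface {port}", " ip dhcp server use subscriber-id client-id"]
    lines += [
        f"ip dhcp pool {pool}",
        # the pool's network must contain the SVI address, otherwise the server
        # never selects this pool for requests arriving on Vlan1
        f" network {network.network_address} {network.netmask}",
    ]
    for index, port in enumerate(ports, start=1):
        # one fixed address per port; the client-id string is the short port name
        lines.append(f' address {port_address(network, index)} client-id "{port}" ascii')
    # hand out only the reserved addresses: a port not listed above gets nothing
    lines.append(" reserved-only")
    return lines


if __name__ == "__main__":
    print("\n".join(port_based_dhcp_config(POOL, SVI_ADDR, PORTS)))
```

Run it and paste the output into the same factory-reset script the post describes, after the hostname, credentials and SSH lines. Because of `reserved-only`, a device plugged into an unlisted port (or a port whose name does not match the subscriber-id the switch generates, which `show ip dhcp binding` will reveal) gets no lease at all rather than a random one.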



ONT with ASA

Hello all,

Has anyone ever run an ONT connection from Verizon directly to the console port of an ASA?

I ran into this at a remote site and have found very little info on google.



Many to Many NAT on SonicWALL - can't figure out where this internet facing IP goes internally. What am I missing?

I've been tasked with setting up a VPN and routing some traffic to an internal server versus pointing to the internet facing WAN interfaces on a SonicWALL firewall. I have access to the firewall and am trying to figure out where this traffic goes internally but I'm confused when looking at the configuration. This is all SQL traffic, for what it's worth. (All IPs have been changed for obvious reasons)

Our application is in the 2.2.2.0/24 network on the internet

Currently the applications have connection string that point to sql.domain.com, which resolves to 1.1.1.10

There are several NAT policies, but the only one that includes the 1.1.1.10 on port 1433 looks like this

Source - Any || Translated - Original || Destination Original - 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.10 || Destination Translated 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5, 10.10.10.6 || Service - TCP 1433 || Translated - Original || Inbound - Any || Outbound - Any

There is a firewall rule as well

From - WAN || To - LAN || Source 2.2.2.0/24 || Destination 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.10 || Service - TCP 1433 || Allow

I can't figure out what internal IP address on the 10.10.10.X range SQL traffic will go to when it comes from the 2.2.2.X network and hits the 1.1.1.10 address on the WAN interface of the firewall. Is this declared somewhere else in the firewall configuration that I'm missing?



I don't understand Verizons public IP assignment

Apologies in advance if this is a stupid question but I usually work on the LAN side and not on the WAN.

A client ordered 5 static IPs from Verizon FiOS and received a router that only has 4 ports. My plan was to replace that router with an ASA and have it do the NATs and act as a router. Would this work with Verizon's ONT? There is a single ethernet cable coming out of the ONT. Is that an L2 connection, or do I need to use one of the static IPs on the ASA port that I connect it to? Any help or explanation would be greatly appreciated.

Edit: they gave the client a /24 with 5 usable IPs



Dup ACK with multiple SLE/SRE

Up front, I'm not a networks person. My concentration is mostly VSI/VDI and storage. While dealing with an SCCM issue, I was running a packet capture on my primary NIC. I noticed long strings of DUP ACKs with an SLE and SRE. My understanding is this is part of SACK functionality, with the SLE marking the 'end' of a segment of packets, and the SRE marking the 'start' of another segment of packets. What I am having a hard time understanding is that the SRE is increasing within each subsequent DUP ACK. Then a second set of SLE and SRE appears, then a third, then a fourth. Sorry for the anonymized data; everything here is public IP space, though all in the same campus/LAN.

https://imgur.com/PuQUvok https://imgur.com/OD5JkFT

A little further down, there are long strings of Spurious Retransmissions , Fast retrans, and then regular retrans.

https://imgur.com/3pnLFgJ

Any guidance on why this might be happening or additional data that I could gather to better assist our networks team? The conversation is between a laptop on a wired connection and a server that is virtualized in our datacenter. Networking between here and there passes through a pair of Aruba switches running VRRP and functioning as the SVI for the building VLAN, 2 different pairs of Arista switches also running VRRP, an HA Pair of palo altos, a pair of Arista top-of-rack switches running VRRP, and finally into the HPE F8 virtual connects and passed off to the VMware layer.
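An added example, not from the post above and not from the poster's capture: a decoder for the SACK option carried in duplicate ACKs, with constructed option bytes. In RFC 2018 terms SLE is the left edge (first byte the receiver holds) and SRE is the right edge (the byte just after the last one held) of one block of data received out of order; a right edge that keeps growing across consecutive dup ACKs means data beyond the hole keeps landing while the hole at the ACK number stays unfilled, and a second SLE/SRE pair means a second hole has opened behind the first. The sequence numbers below are relative and invented for the example.

```python
"""Decode TCP SACK blocks from a run of duplicate ACKs and list the holes.

Added example, not from the original post; the option bytes are constructed
(MSS 1460, relative sequence numbers), not taken from the poster's capture.
"""
import struct

SACK_KIND = 5


def parse_tcp_options(opts: bytes) -> list[tuple[int, bytes]]:
    """Split a TCP options field into (kind, value) pairs, stopping at EOL."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option kind {kind}")
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def sack_blocks(opts: bytes) -> list[tuple[int, int]]:
    """Return [(SLE, SRE), ...]: SLE = first byte held, SRE = byte after the block."""
    blocks = []
    for kind, value in parse_tcp_options(opts):
        if kind != SACK_KIND:
            continue
        if not value or len(value) % 8:
            raise ValueError("SACK option must carry 1..4 pairs of 32-bit edges")
        for j in range(0, len(value), 8):
            left, right = struct.unpack("!II", value[j:j + 8])
            if right <= left:                    # ignoring 32-bit wraparound here
                raise ValueError(f"SACK block {left}-{right} is not ascending")
            blocks.append((left, right))
    return blocks


def holes(ack: int, blocks: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Bytes the receiver still lacks: from the ACK number up to the first block,
    then every gap between consecutive blocks (sorted by left edge)."""
    gaps, cursor = [], ack
    for left, right in sorted(blocks):
        if left > cursor:
            gaps.append((cursor, left))
        cursor = max(cursor, right)
    return gaps


def build_sack_option(blocks: list[tuple[int, int]]) -> bytes:
    """NOP NOP + SACK option, the layout stacks normally emit on a dup ACK."""
    body = b"".join(struct.pack("!II", lo, hi) for lo, hi in blocks)
    return b"\x01\x01" + bytes([SACK_KIND, 2 + len(body)]) + body


# Constructed dup-ACK run: the ACK number stays at 1461 (segment 2 is missing)
# while the right edge grows, then a second block appears behind a second hole.
DUP_ACKS = [
    (1461, build_sack_option([(2921, 4381)])),
    (1461, build_sack_option([(2921, 5841)])),
    (1461, build_sack_option([(2921, 7301), (8761, 10221)])),
]


def explain(ack: int, opts: bytes) -> dict:
    blocks = sack_blocks(opts)
    return {"ack": ack, "blocks": blocks, "holes": holes(ack, blocks)}


if __name__ == "__main__":
    for ack, opts in DUP_ACKS:
        print(explain(ack, opts))
```

Feeding the real capture through this (Wireshark's `tcp.options.sack_le` / `tcp.options.sack_re` fields give the same numbers) turns the strings of dup ACKs into a list of holes; holes that persist across many dup ACKs and then clear with a retransmission point at loss somewhere on the path, while spurious retransmissions (data retransmitted that the SACK blocks show was already held) point at an RTO firing too early or ACKs being delayed or dropped on the return path.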



bridging real switch to GNS3/PC with dot1q is causing malformed packets

Hello everyone,

I have gns3 set up with a bridge connection to a physical 3750 switch, the purpose is to send data with 802.1q tags from

VIOS or normal routers with subinterfaces to the physical switch. I am using an RJ45 USB NIC and I have enabled monitormode. (monitormode = some sort of NIC option so it won't strip the 802.1q tags once they come inbound at the PC.)

Packets going outbound from gns3 (so the tagged packets sent from the virtual network devices) are okay and wireshark confirms that they are being sent with a tag, but specifically tagged packets from the physical switch received at the PC show up with 'ipv4 total length exceeds packet length' messages. DHCP requests from clients connected to the physical switch, for example, become malformed; ping replies sent from the physical switch also become malformed.

the wireshark capture shows all the malformed data with a corruption of 4 bytes change, for example icmp ping with ipv4 total length 100, it shows the malformed packets with 'ipv4 total length exceeds packet length (96 bytes)'

I am getting an idea that the 4 bytes 802.1q tag has something to do with this. but even if i would set the pc mtu to 1600 i still get the same messages that the inbound received packets are malformed.

some important additional info, normal non dot1q traffic flows fluently, no problems whatsoever, and most importantly, tagged traffic like for example icmp with a max size of specifically 42 bytes also works (from virtual network devices to physical switch, with dot1q tag)

Anyone have any idea/clue what the issue could be? I am planning on setting this up on Linux since it natively has VLAN support, but this would not be ideal for me (lots of migration to Linux would have to take place).

second edit: have some more info



What does it mean to purchase an IP block, and how do companies use them?

I just read online that MIT sold 8 million IP blocks back in 2017. What exactly does this mean, how do they sell them, and what are the use cases for purchased blocks of IPs?



5G Enterprise solution.

Hello everyone,

I am just doing some research on 5G cellular and specifically as using it in an enterprise network as a backup WAN connection. I know that a few UK operators (EE, Vodafone) have bought some bands from the 3.4GHz spectrum and even have some 5G coverage already.

So now I am interested if anyone knows vendors that have 5G hubs, routers or gateways that I could try using in my organization. Also it would be really nice if I could use the hub/router device in passthrough mode and connect it directly to my router. Then I can configure the failover or traffic shaping from my router side.

1) The first device I looked into was the Cisco Meraki MG21. That seems to be a dedicated cellular gateway that would be perfect for my purpose, but it does not seem to support 5G, to my surprise.
2) There is a device from Lantronix, model SGX5150000US. That device seems to be focused on WiFi as far as I can see. I would not be using any WiFi capabilities, so I would need to shut those down, and also the Ethernet port needs to be at least CAT6 capable. I was not able to find too much information on this device but I believe it supports only CAT5E.
3) Vodafone GigaCube is another possible solution, but again I was not able to find enough information on it and I am not sure if it would match my requirements.

So I guess my question here is if anyone has more information on this subject or any thoughts?

Thanks!



How do companies handle the legal grey area for GNS3?

Now that GNS3 is privately owned and I'd bet everyone using it is using it for Cisco images - how do large companies handle the legal grey area of using IOL and IOSv images?

There are some big names putting their brand (Google, VISA etc.) beside GNS3 - couldn't Cisco come after them for license violations? Is it just expected that Cisco turns a blind eye?



Any recommend software to do SMB file logging?

Currently working as an intern in IT. Does anyone know of software I can use to do SMB file logging, using mirrored data from a Cisco switch SPAN port?

I am thinking of logging user actions on the file server, using the Cisco Switch SMB network traffic data.

The file server Cisco switch network ports will be mirrored to a pre-determined Cisco switch data port.

From which a PC with the relevant software will capture the mirrored data, analyze it and log which user has taken what action (copy / paste / delete etc.) from which PC/IP address etc.
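An added example, not from the post above and not a product: the core of what such a tool does on a SPAN feed, decoding the fixed 64-byte SMB2 header of each message on TCP/445 and emitting one record per command (CREATE, READ, WRITE, SET_INFO, CLOSE, ...). The sample traffic is constructed here; the example assumes the TCP streams have already been reassembled by whatever capture library sits in front of it. It also shows the caveat a practitioner hits first: once SMB 3 encryption is on, only the transform header (magic `\xfdSMB`) is visible on the wire, so the command, file name and data of those sessions cannot be logged from a mirror port at all. File names live in the CREATE request body and the user identity in SESSION_SETUP (NTLM/Kerberos), neither of which this example decodes; the file server's own object-access audit log is the usual source for that.

```python
"""Passive SMB2 command logging from mirrored TCP/445 traffic.

Added example, not from the original post. It decodes the fixed 64-byte SMB2
header of each NetBIOS/Direct-TCP framed message and emits one record per
command. The byte strings are constructed for the example; TCP stream
reassembly of the SPAN feed is assumed to have been done already.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_TRANSFORM_MAGIC = b"\xfdSMB"     # SMB 3.x encrypted message: payload is opaque
SERVER_TO_REDIR = 0x00000001          # Flags bit set on responses

COMMANDS = {
    0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0002: "LOGOFF",
    0x0003: "TREE_CONNECT", 0x0004: "TREE_DISCONNECT", 0x0005: "CREATE",
    0x0006: "CLOSE", 0x0007: "FLUSH", 0x0008: "READ", 0x0009: "WRITE",
    0x000A: "LOCK", 0x000B: "IOCTL", 0x000C: "CANCEL", 0x000D: "ECHO",
    0x000E: "QUERY_DIRECTORY", 0x000F: "CHANGE_NOTIFY", 0x0010: "QUERY_INFO",
    0x0011: "SET_INFO", 0x0012: "OPLOCK_BREAK",
}
# ProtocolId, StructureSize, CreditCharge, Status, Command, CreditRequest, Flags,
# NextCommand, MessageId, Reserved, TreeId, SessionId, Signature (little-endian)
HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")


def parse_smb2_header(buf: bytes) -> dict:
    """Decode one plaintext SMB2 header; raise on anything else."""
    if buf[:4] == SMB2_TRANSFORM_MAGIC:
        raise ValueError("SMB3 encrypted message: only the transform header is visible")
    if len(buf) < HEADER.size or buf[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 header")
    (_, size, _charge, status, command, _credits, flags, next_cmd,
     message_id, _reserved, tree_id, session_id, _sig) = HEADER.unpack_from(buf)
    if size != 64:
        raise ValueError(f"unexpected StructureSize {size}")
    return {
        "command": COMMANDS.get(command, f"UNKNOWN_{command:#06x}"),
        "response": bool(flags & SERVER_TO_REDIR),
        "status": status, "message_id": message_id,
        "session_id": session_id, "tree_id": tree_id, "next_command": next_cmd,
    }


def smb2_records(stream: bytes, src: str, dst: str) -> list[dict]:
    """Walk 4-byte length-prefixed frames and any compound chains inside them."""
    records, offset = [], 0
    while offset + 4 <= len(stream):
        nb_len = int.from_bytes(stream[offset:offset + 4], "big") & 0x00FFFFFF
        message = stream[offset + 4:offset + 4 + nb_len]
        if len(message) < nb_len:
            raise ValueError("truncated frame")
        offset += 4 + nb_len
        if message[:4] == SMB2_TRANSFORM_MAGIC:
            # encrypted session: command, file and data are not recoverable here
            records.append({"src": src, "dst": dst, "command": "ENCRYPTED"})
            continue
        pos = 0
        while True:
            hdr = parse_smb2_header(message[pos:])
            records.append({"src": src, "dst": dst, **hdr})
            if hdr["next_command"] == 0:
                break
            pos += hdr["next_command"]       # compound request: next header follows


    return records


# --- constructed sample traffic -------------------------------------------------
def build_smb2(command: int, message_id: int, session_id: int, tree_id: int,
               response: bool = False, status: int = 0, next_command: int = 0) -> bytes:
    return HEADER.pack(SMB2_MAGIC, 64, 1, status, command, 1,
                       SERVER_TO_REDIR if response else 0, next_command,
                       message_id, 0, tree_id, session_id, b"\0" * 16)


def frame(*messages: bytes) -> bytes:
    body = b"".join(messages)
    return len(body).to_bytes(4, "big") + body


SAMPLE_STREAM = (
    frame(build_smb2(0x0005, 7, 0x1234, 1))                       # CREATE (open file)
    + frame(build_smb2(0x0009, 8, 0x1234, 1))                     # WRITE request
    + frame(build_smb2(0x0009, 8, 0x1234, 1, response=True))      # WRITE response
    + frame(build_smb2(0x0011, 9, 0x1234, 1, next_command=64)     # SET_INFO + CLOSE
            + build_smb2(0x0006, 10, 0x1234, 1))                  #   compounded
    + frame(SMB2_TRANSFORM_MAGIC + b"\0" * 48)                    # SMB3 encrypted
)


if __name__ == "__main__":
    for rec in smb2_records(SAMPLE_STREAM, "10.0.0.5", "10.0.0.10"):
        print(rec)
```

A delete over SMB2 is a CREATE followed by SET_INFO carrying FileDispositionInformation and then CLOSE, and a copy is a CREATE/READ sequence on one file and CREATE/WRITE on another, so the "what action" column has to be reconstructed from command sequences per session and tree, not read from a single field.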



F5 Training

Hi All,

Just wondering if anyone could recommend some decent F5 training resources, as it's something I have never dealt with over the course of my career but seems to be part of most job specs recently.

I took a look at F5 University a while back, but if I remember correctly you need to have a support contract in place to access most of it, although I might be confusing that with Arista.



Fortigate IPSEC VPN and DNS-DHCP issues

https://ift.tt/37pBU9I

Wednesday, November 20, 2019

A Power Issue?

I have been working a problem ticket for the past couple of weeks. It is tracking the constant bouncing of a circuit feeding one of our remote sites. An issue with the lines from the building to the pole has been resolved by the utility company. Also the batteries in the UPS that our equipment is plugged into have been replaced. I thought for sure that we had this issue pegged.

As a requirement for problem tickets, I have been monitoring our remote equipment to ensure that the issue has been resolved. In my monitoring I have found that there have been periodically incrementing output drops on the WAN interface of our main switch at the site. My initial thought was over utilization of the circuit, but I did not find any in our monitoring tools.

I then called the vendor. I wanted to know if they could see any over-utilization on the circuit. What they found was the exact opposite. They found that the connection has been dropping between their equipment and ours. They found that their Adva's logs are showing dying gasp alarms every two days right around 16:50 each time. Our equipment has been up since the site transitioned back to commercial power early last month (I check the uptime every morning).

My hypothesis is that there is an issue with the UPS that is causing the power to fluctuate enough to briefly affect traffic but not enough to register as a power hit. One of my colleagues has suggested it is an issue with the vendor equipment. What do you guys think?



Need help to solve the connection problem with our WiFi

So we have a WiFi connection and it is being used by 100 users at once. I asked the ISP and they said 50Mbps can support all of them. But I don't see that it can. I checked the speed and it is stable, but surfing the internet doesn't seem to work correctly, plus the devices sometimes keep disconnecting from the WiFi.

Edit: Router model: Tenda ac1200 Number of access point: 1



How much should a switch cost for a small business with around 30 end devices?

I have this structured cabling project to do for one of my infrastructure classes, and I'm at a part where I need to model out finances. I'm having trouble finding a reasonable price for a switch, or rather I'm not quite sure how much it should cost. I know I'm going to need more than one, but as stated before I'm not sure what the price should be. I've seen things from just a few hundred dollars to thousands of dollars. The base requirements I need are at least 160 1000BASE-T ports, along with two 10Gb/s ports for backbone and server connections. I'm wondering if someone can point me in the right direction, or give me some tips.



Bridged Vlans

Can anyone post some reasons why they would use bridged VLANs (BVIs)?



How does one get into networking? Like with programming you can learn at home etc, (I do that as well) though a "networking" job would suit me more than developing something I think as I enjoy coding... my OWN programs lol... How does someone learn networking?

as the title says



Black Friday Deals

Anyone know of any good Black Friday deals for us networking folks ?



If you couldn't use NetBox, what would be your next choice for an IPAM/DCIM?

I'm at a place that refuses to support NetBox, which is terrible since I really like the product, and who can complain about free? Preferably the replacement product should replicate NetBox functionality 1:1, but if some things are lost or added, I'm okay with that. The big three things it needs to have are address management, circuit management, and device inventory/rack elevations.

I think the front runner that I'm looking at is Device42, which seems to be the next best thing.



PPPoE WAN Passthrough

Here's the issue I'm facing. Where I am in Canada, the most available and affordable fiber Internet provider is Bell, which uses PPPoE authentication. My firewall/router (FortiGate) can only use its NPU for hardware acceleration when the MTU is 1500.

I'm trying to figure out an affordable solution to get the NPU to work. The first one that comes to mind would be to get a router as a PPPoE client. It would need to be able to manage a gigabit connection. Also, I'm not sure what to pick and how to do that. If you have any other suggestions, I would be more than open to hear you out. Thanks!

Also, I must specify, I have to work with Fortinet as my employer is a reseller and I actually love the product otherwise, so, I'm not looking to replace it.

Thanks for the Help!



Anyone have experience with 900mhz networking?

Hey there fellow networkers. So I have an interesting debacle I'm trying to remedy. I have 2 of the Ubiquiti NanoBridge M9s (the 900MHz variant of their networking solution). I live in Alaska, so due to large tree cover, 900MHz is my only realistic option.

So host side is approximately 1.7 miles from client side. There's a large quantity of trees ranging around 50ft in height between the two points. I'm not looking for a perfect signal, but how high do you think I'll have to mount both sides before I can even get a visible AirMax connection? At this point, I know the hardware works, but I can't even get one to see the distant end from approximately 20ft or so mount height. Maybe a pointing issue?

Long story short, any troubleshooting suggestions would be much appreciated. I have extensive networking background, but it's mostly satellite, not point to point.



Weird VPN issue.

So today I got a call from a customer saying that the VPN between them and their billing company is down. I have not changed any config on our ASA and the other team said the same thing. I am only seeing decaps and no encaps and I am at a loss as to what has caused this issue.

Here is the output of the cfg and the packet tracer results, any idea helps!

Only seeing decaps and no encaps.

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 340, #pkts decrypt: 340, #pkts verify: 340
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: xxx.xxx.xxx.xxx/0, remote crypto endpt.: xxx.xxx.xxx.xxx/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 1D2031CF
current inbound spi : 589530ED

inbound esp sas:
  spi: 0x589530ED (1486172397)
    transform: esp-3des esp-md5-hmac no compression
    in use settings ={L2L, Tunnel, IKEv1, }
    slot: 0, conn_id: 376832, crypto-map: mymap
    sa timing: remaining key lifetime (kB/sec): (3914980/27090)
    IV size: 8 bytes
    replay detection support: Y
    Anti replay bitmap:
      0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
  spi: 0x1D2031CF (488649167)
    transform: esp-3des esp-md5-hmac no compression
    in use settings ={L2L, Tunnel, IKEv1, }
    slot: 0, conn_id: 376832, crypto-map: mymap
    sa timing: remaining key lifetime (kB/sec): (3915000/27090)
    IV size: 8 bytes
    replay detection support: Y
    Anti replay bitmap:
      0x00000000 0x00000001

Shadyside-ASA# packet-tracer input inside tcp 192.168.10.92 65230 172.20.1.245 443 detialed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,any) source static INT-COMPFELLOW-HOSTS INT-COMPFELLOW-HOSTS destination static COMPUTERFELLOWS-HOSTS COMPUTERFELLOWS-HOSTS
Additional Information:
NAT divert to egress interface outside
Untranslate 172.20.1.245/443 to 172.20.1.245/443

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,any) source static INT-COMPFELLOW-HOSTS INT-COMPFELLOW-HOSTS destination static COMPUTERFELLOWS-HOSTS COMPUTERFELLOWS-HOSTS
Additional Information:
Static translate 192.168.10.92/65230 to 192.168.10.92/65230
Forward Flow based lookup yields rule:
in  id=0xcb4dfba8, priority=6, domain=nat, deny=false
    hits=0, user_data=0xcb4dc918, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=192.168.10.92, mask=255.255.255.255, port=0, tag=0
    dst ip/id=172.20.1.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
    input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc826b6f0, priority=1, domain=nat-per-session, deny=true
    hits=2137, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb48d9f8, priority=0, domain=inspect-ip-options, deny=true
    hits=1645, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=inside, output_ifc=any

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcc1b2ba8, priority=0, domain=host-limit, deny=false
    hits=1323, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=inside, output_ifc=any

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb8eef68, priority=70, domain=encrypt, deny=false
    hits=1, user_data=0x0, cs_id=0xcb8e5058, reverse, flags=0x0, protocol=0
    src ip/id=192.168.10.92, mask=255.255.255.255, port=0, tag=0
    dst ip/id=172.20.1.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here is the firewall cfg that has not changed.

object network obj-192.168.10.6
 host 192.168.10.6
object network obj-192.168.10.7
 host 192.168.10.7
object network COMPUTERFELLOWS-HOSTS
 subnet 172.20.1.0 255.255.255.0
object network obj-192.168.10.12
 host 192.168.10.12
object network obj-192.168.10.13
 host 192.168.10.13
object network obj-192.168.10.64
 host 192.168.10.64
object network obj-192.168.10.92
 host 192.168.10.92
object network obj-192.168.10.63
 host 192.168.10.64
object network obj-192.168.10.66
 host 192.168.10.92
object-group network INT-COMPFELLOW-HOSTS
 network-object object obj-192.168.10.64
 network-object object obj-192.168.10.92
 network-object object obj-192.168.10.63
 network-object object obj-192.168.10.66
access-list COMPUTERFELLOWS-VPN extended permit ip object-group INT-COMPFELLOW-HOSTS object COMPUTERFELLOWS-HOSTS
crypto map mymap 2 match address COMPUTERFELLOWS-VPN
crypto map mymap 2 set peer xxx.xxx.xxx.xxx
crypto map mymap 2 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 2 set security-association lifetime seconds 28800
crypto map mymap 2 set security-association lifetime kilobytes 4608000
nat (inside,any) source static INT-COMPFELLOW-HOSTS INT-COMPFELLOW-HOSTS destination static COMPUTERFELLOWS-HOSTS COMPUTERFELLOWS-HOSTS
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 ikev1 pre-shared-key ******


Huge gaffe today

Just needed to get something off my chest. I was talking to my boss and a colleague at my (very) new job today about a story where an individual had automated his entire job and basically worked an hour per day and, after some time of basking in the glory of that situation, finally told his manager about it and was subsequently fired.

I, in a moment of sheer fucking stupidity, commented on how a deadman switch would be the appropriate hedge against such a situation.

Needless to say, my new boss was not very pleased to hear that coming from the FNG, so I pretty much swallowed my entire foot whole and probably looked like I had just seen a ghost.

Not looking for any advice, just needed to throw it out there about how fucking stupid I was and that joking about deadman switches in a role where things tend to be automated is a really bad idea. I don't think anything material will come of it, but trust and rapport are immeasurable and I fear they may have suffered some damage after working really hard to build them up.



Visualize a very complex network (with monitoring)

Hello, I have just started in a new job, and I have realized, with all of the PBR going on, load balancers, SD-WAN devices, data center firewalls, production firewalls, it is difficult, even for some of the people who build the network, to visualize what route a packet might take. Can someone recommend a software solution to help with this? We use Orion, but it seems limited in that regard.

We are looking to adopt something new and get rid of some of the random tools and pull this all into one tool. This doesn't need to be free, it just needs to work well and offer a demo we can stand up.

Thanks!



Blog: The ABC of SDN (Software-Defined Networking)

Here is my latest blog... Let's understand the basics of SDN

http://vmantra.in/the-abc-of-sdn-software-defined-networking/

Please review...

Thanks.



Public Cloud Architecture - SD-WAN

I wanted to get community feedback on the following topic. How are you designing your connectivity into public cloud?

How many of you are comfortable running SD-WAN software instances in a transit VPC, or VNET to facilitate connectivity? I am sure we all have seen some nasty software bugs, I personally lean towards relying on the native technologies that public cloud can offer like Transit Gateway, and build my VPNs into it.

Where is your comfort level of building hubs/regional hubs in public cloud?

I appreciate any viewpoints / opinions on the topic.



Has anyone figured out WAN optimization in conjunction with SD-WAN?

Dealing with a "combo" without ability to provide optimization in the same solution as multiple transport app routing, with the SD-WAN using Fortinet, and the optimization using Riverbed. The former came about recently, and it is still in the process of deployment, presently in a "single" transport mode, until all sites are done. Turning on multiple transports will then present the interesting problem of deciding what to optimize with Riverbed, and thus "mark" somehow with a particular level of SD-WAN processing, and what to pass through Riverbed, as the SD-WAN proper app traffic interpretation would be more important than the optimization upstream. Any recommendations/advice, or direct experience with such?



Network Build Brings Down O365 Worldwide

https://ift.tt/2XuBavo

Alternative to Cisco Packet Tracer?

For a school related course, I need to get acquainted with Networking, and to help with this I downloaded Packet Tracer by Cisco.

But it seems all the end devices available for emulation are Windows-based machines. When I log into the emulated terminal for the devices, I see that you only have the Windows console available.

Question is: Is there no linux based emulated device on packet tracer?

If the definite answer to this is No, then my follow up question is:

what other alternatives are there? Since I would really want to have a linux based terminal since all of the commands I am learning with the school course assumes a Linux machine is being used.



Wi-Fi 6 professional hardware?

Our office is moving to a new location in the first half of next year.

Our CEO likes to run Wi-Fi 6 instead of cables (for one I think it is a bad idea). Is there any Wi-Fi 6 equipment out there that is not for home use? We run UniFi AP-AC-Pro and UniFi AP-nanoHD now.



PPPoE on VLAN sub-interface - ASA 5506 - Doesn't Work

Hi All,

Trying to turn up a new circuit that uses PPPoE. It's an ASA 5506 to the ISP's ONT box. The LAN side of the ONT uses VLAN 200, so they require that the port on the 5506 also be tagged to VLAN 200, which is done with sub-interfaces since the 5506 uses layer 3 ports. I've set up the configs below, but no luck. The debug logs follow. The ISP says the issue is on my end, but I don't see any fault. Any ideas?

Here's what I've tried:

  • Deleted and rebuilt the PPPoE configs
  • Reloaded the ASA
  • Tried to assign the IP via "ip address pppoe setroute" instead of specifying the IP
  • Tried to set it up on a layer 3 port without subinterfacing
  • Had the ISP confirm username, password, IP and authentication method are correct

Configs:

interface GigabitEthernet1/1.200
 vlan 200
 nameif outside
 security-level 0
 pppoe client vpdn group WALVISBAY
 ip address 197.xxx.xxx.63 255.255.255.255 pppoe setroute
!
vpdn group WALVISBAY request dialout pppoe
vpdn group WALVISBAY localname xxxxxxx@static.xxxxxxx.xx
vpdn group WALVISBAY ppp authentication pap
vpdn username xxxxxxx@static.xxxxxxx.xx password xxxxxxx

Debug logs:

PPPoE: PPPoE:(Rcv) Dest:084f.a93d.e0db Src:6cb2.aec6.bed5 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:65=PADS Sess:20765 Len:51
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000001
PPPoE: Type:0102:ACNAME-AC Name Len:15
PPPoE: SWK-1006-BRAS01
PPPoE: Type:0104:ACCOOKIE-AC Cookie Len:16
PPPoE: 6B6ED47C
PPPoE: 3EBE819E
PPPoE: ADD82AB3
PPPoE: 5D0B970E
PPPoE:
PPPoE: PADS
PPPoE: IN PADS from PPPoE tunnel
PPPoE: Opening PPP link and starting negotiations.
PPPoE: PPPoE:(Rcv) Dest:084f.a93d.e0db Src:6cb2.aec6.bed5 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:A7=PADT Sess:20765 Len:0
PPPoE: PADT
PPPoE: Shutting down client session
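Added example (not from the post above): a small RFC 2516 PPPoE Discovery parser that rebuilds the PADS and PADT frames from the decoded fields in the debug output and walks them as a session. It decodes the tag list (Service-Name, Host-Uniq, AC-Name, AC-Cookie) with every length bounds-checked, which is how you would sanity-check a capture off the wire rather than trusting the device's own decode. The MAC addresses, session id, tag values and 51-byte length are the ones printed in the debug; the frame bytes themselves are constructed here.

```python
import struct

# RFC 2516 PPPoE Discovery stage constants
ETHERTYPE_PPPOE_DISCOVERY = 0x8863
CODE_NAMES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_NAMES = {
    0x0101: "Service-Name", 0x0102: "AC-Name", 0x0103: "Host-Uniq", 0x0104: "AC-Cookie",
    0x0201: "Service-Name-Error", 0x0202: "AC-System-Error", 0x0203: "Generic-Error",
}


def cisco_mac(raw: bytes) -> str:
    """Render a MAC the way the ASA debug output does (xxxx.xxxx.xxxx)."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_pppoe_discovery(frame: bytes) -> dict:
    """Parse one Ethernet frame carrying a PPPoE Discovery packet.

    Every length field is checked against the bytes actually present, so a
    truncated or malformed frame raises instead of being misread.
    """
    if len(frame) < 20:
        raise ValueError("frame shorter than Ethernet + PPPoE header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_PPPOE_DISCOVERY:
        raise ValueError(f"not PPPoE Discovery: ethertype 0x{ethertype:04x}")
    vt, code, session, length = struct.unpack("!BBHH", frame[14:20])
    if vt != 0x11:  # version 1 / type 1 are the only values defined
        raise ValueError(f"unsupported PPPoE ver/type byte 0x{vt:02x}")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE length field exceeds frame")
    tags, off = [], 0
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated tag header")
        tag_type, tag_len = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if off + tag_len > length:
            raise ValueError("tag value overruns payload")
        tags.append((TAG_NAMES.get(tag_type, f"0x{tag_type:04x}"), payload[off:off + tag_len]))
        off += tag_len
    return {
        "dst": cisco_mac(dst), "src": cisco_mac(src),
        "code": CODE_NAMES.get(code, f"0x{code:02x}"),
        "session": session, "length": length, "tags": tags,
    }


def build_pppoe_discovery(dst: bytes, src: bytes, code: int, session: int, tags: list) -> bytes:
    """Inverse of the parser; used here to construct sample frames offline."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return (dst + src + struct.pack("!H", ETHERTYPE_PPPOE_DISCOVERY)
            + struct.pack("!BBHH", 0x11, code, session, len(payload)) + payload)


def session_outcome(frames: list) -> dict:
    """Walk a discovery exchange and report what happened to each session id."""
    state = {}
    for f in frames:
        p = parse_pppoe_discovery(f)
        if p["code"] == "PADS":
            state[p["session"]] = {"ac": p["src"], "state": "established"}
        elif p["code"] == "PADT" and p["session"] in state:
            by_ac = p["src"] == state[p["session"]]["ac"]
            state[p["session"]]["state"] = "terminated by AC" if by_ac else "terminated by host"
    return state


# Constructed sample: the PADS and PADT from the debug above, rebuilt from the decoded fields.
AC_MAC = bytes.fromhex("6cb2aec6bed5")    # Src in the debug (the BRAS)
ASA_MAC = bytes.fromhex("084fa93de0db")   # Dest in the debug (the ASA)
PADS_FRAME = build_pppoe_discovery(ASA_MAC, AC_MAC, 0x65, 20765, [
    (0x0101, b""),                                                   # Service-Name, empty
    (0x0103, bytes.fromhex("00000001")),                             # Host-Uniq echoed back
    (0x0102, b"SWK-1006-BRAS01"),                                    # AC-Name
    (0x0104, bytes.fromhex("6b6ed47c3ebe819eadd82ab35d0b970e")),     # AC-Cookie
])
PADT_FRAME = build_pppoe_discovery(ASA_MAC, AC_MAC, 0xA7, 20765, [])

if __name__ == "__main__":
    for f in (PADS_FRAME, PADT_FRAME):
        p = parse_pppoe_discovery(f)
        print(p["code"], "session", p["session"], "len", p["length"], [t for t, _ in p["tags"]])
    print(session_outcome([PADS_FRAME, PADT_FRAME]))
```

Running it shows the PADS carrying the four tags with total length 51 and the PADT for the same session arriving from the same AC MAC, i.e. the access concentrator itself tore the session down right after assigning it.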



Looking for advice for multiple low latency video streams over the internet.

I'm with some people starting a small over-the-internet live Esports production group. I'm looking for a way to send multiple low-latency video streams over the internet so a main producer can receive them all at roughly the same time, +-50ms hopefully.

This way, for something like an Esports broadcast, the producer can switch between multiple cameras and the game audio that comes with them. It needs to work on Windows because obviously that's the way we run the games we are making the productions for, and we can't all afford secondary PCs and capture cards. Right now we just use P2P game streaming services to get a second camera to the producer in real time, and the producer is also a spectator. This is not scalable, puts a lot of stress on the producer, and we want to correct that.

I've been looking into WebRTC but I'm having trouble coming up with a way of streaming multiple video sources to one central server that the producer then connects to. WebRTC was built to be P2P after all. RTMP works and it's easy to implement, but it's far too easy to desync, and the latency is quite high. We may be able to get something usable by fiddling with the buffer sizes more though.

Any advice? The video stream needs to carry the video and at least one audio stream. It would be nice if that stream could be output from OBS using a custom FFmpeg output. I can host a Linux server for whatever. Currently our producers are using OBS Studio.



Small device to use kind of like a server?

Is there some kind of small device that you plug into the wall and that people on the network can then connect to and store data on? I know you can use a computer and turn it into a server, but what if I don't want to spend that much money and only need a few gigs?



Tuesday, November 19, 2019

Load balancing multiple incoming RTMP streams.

We run a business which receives multiple incoming RTMP streams every day (up to 20 concurrently, although we suspect that will escalate quickly as we grow) which we re-stream on our platform. At this point we have dedicated "slots" on relatively high-spec media servers for each location that we stream from (with a maximum of 5 locations per server). Obviously this isn't a great idea in terms of availability and especially scalability, so we're investigating ways to decouple our transcoding servers from ingestion and rather than having a number of dedicated servers matching incoming streams have an available cluster of transcoders which we can spin up or down depending on incoming demand from the load balancer(s).

We currently use Wowza Streaming Engine for all ingestion / transcoding, with the plan to move to OpenResty/Nginx + RTMP module for transcoding; however, I can't seem to get my head around how we would present a single ingest URL to our clients, i.e., streamto.ourbusiness.com/live, without some sort of layer 4 DSR load balancing, since the RTMP handshake needs to happen directly with the transcoding server, not the load balancer.

I've looked into HAProxy and others, but just can't seem to find any documentation etc on how to handle and load balance many incoming RTMP streams - most of the articles I've found are suited for the other way around, i.e., pushing out many streams.

I'd appreciate any advice and am happy to provide more details where needed.

Thanks!



IPv6 for Enterprise

Has anyone made the leap to IPv6 in Enterprise yet?

I started my networking career at an ISP/CLEC and transitioned to Enterprise six years ago. From my perspective, IPv6 adoption still remains with the carriers and content providers. Has anyone taken the plunge outside that space?

The continual emergence of IoT endpoints makes me worried about how quickly I'll deplete RFC1918 prefixes. I'm beginning to plan a path to v6 and am curious how far other enterprises are.



BYOD MacBooks are not playing nice with our Aruba wifi network.

I'm wondering if anyone else has seen similar behavior to this and if so what they did to fix it. Also open to any other helpful suggestions:

We're on a college campus running Aruba wifi with ClearPass. ArubaOS version 8.3.0.5. We have a mix of almost every model AP Aruba's ever made, AP-105 up through AP-325s. If it matters, our routing/switching gear is all Cisco. Since the beginning of the semester (August) we've had students report two similar but different issues with MacBooks on our network. These MacBooks tend to be newer on the most current version of code, but aren't all identical models, they're personally owned student devices. The issue also isn't specific to one model of AP, we've seen it on both the newer and older models. Our ClearPass implementation is decently new, it went in in May.

In both scenarios the MacBook shows up as connected to an AP (on the controllers/MM and the MacBook itself) yet cannot pass any traffic, even arp or dhcp. We have packet captures from the client side that show it is sending ARP requests and DHCP discovers but getting no responses.

Scenario 1: The user opens the MacBook after it has been closed for an extended period and moved to a new location. It takes 30 seconds to 3 minutes for the wireless to start passing traffic. Logs show it connects to an AP immediately. It then reconnects, usually to the same AP after some period of time (seconds to minutes). At that point it starts passing traffic as normal. If the user cycles the wireless adapter it starts passing traffic immediately.

Scenario 2: The user has been stationary and usually active (but not always) on their MacBook for some period of time (40 minutes in the last reported case). They suddenly lose their internet connection, the Wi-Fi symbol gets an exclamation point in it and the MacBook says it is searching for Wi-Fi. They are usually close to the AP they are connected to, with good signal strength. This scenario will continue until the user moves to a new location or cycles their Wi-Fi adapter. Packet capture from the client shows unanswered ARP and DHCP discovers. Packet capture from the controller for the client's MAC shows no traffic at all to or from the client. The DHCP server does not see the discover packets.

Aruba TAC has been engaged but has no idea what is happening. Here's the added bonus, my networking staff can't reproduce the issue. We've only seen it happen on student machines (they've brought them to us), but we haven't been able to get one of our in house Macs to exhibit the behavior. As we can't reproduce it for TAC on demand, they don't seem to be interested in troubleshooting further. We have tried different power level settings, disabling Airgroup and setting “Force 5Ghz” with no change in the issues. We're trying a software upgrade this weekend to fix an unrelated issue, but we're not hopeful it'll help.

If anyone's seen anything like this, I'd be forever grateful for any information you could pass along. Thanks!



Looking for some advice on packet loss issue with Velocloud and Sonicwall setup

So we have a pair of Sonicwalls in an HA configuration and recently added a Velocloud device alongside them. Our site is the hub and we'll eventually have remote sites with VCE devices as well instead of going over the Sonicwall VPN. When we first implemented we split our WAN connection with an unmanaged switch to the VCE and SW pair. The VCE would report pretty bad packet loss throughout the day. We have fairly high bandwidth usage on our connection so I wouldn't exactly rule out overutilization. However, I see the same exact issue just as bad when using our backup WAN which has much lower utilization.

So far we've tried different switches, different cables, a different VCE device. The other day I plugged the VCE in directly to our WAN, bypassing everything else, and the QoE score was a 10 pretty much the entire time. When I reintroduced the SWs it started back with packet loss. Today I configured a private VLAN setup on a Cisco SG switch with the router as the primary VLAN, the VCE in an isolated VLAN, and the SW pair in a community VLAN. This seemed to help improve things quite a bit as the QoE score went up to 9-9.5 for the day, but there is still some packet loss. I am wondering if I can take what I set up maybe a step further to get this just right, or if there is a better solution? I suspect there is some L2 issue with the SW and VCE being on the same network, but I am just not sure where to take it from here, so any advice is appreciated. Thanks!



100GE link..is it 100GE both directions, or a total of 100GE?

This may seem like a basic question, but I wanted to make sure I understood it correctly. We have a 100GE fiber interface on a switch, and I'm seeing about 50GE in one direction and 45-46GE in the other. Some are saying we should be able to get 100GE in both directions, others are saying it's 100GE total. ELI5 please?



Aruba IAP leaking IPv6 RA's across VLANs when using 802.1x

Our campus-wide (offices, factory, warehouse) WiFi is provided by (primarily) IAP105 access points.

We recently enabled 802.1x authentication, consolidating separate SSIDs into a single SSID with dynamic VLANs. RADIUS authentication is handled by a Windows 2019 Server using NPS.

Since doing so, we're seeing IPv6 Router Advertisements leaking across VLANs: clients that are dynamically allocated into VLAN 3115 receive RAs from VLAN 3116. The client then SLAAC-configures an IPv6 address based on that RA. It also receives the RA from VLAN 3115 (as it should) and configures an address for that subnet.

So the client ends up with IPv6 addresses for both VLANs. They cannot actually talk in VLAN 3116, so they can't reach the router they think they can based on the RA. This causes timeouts when the client selects an address in the 3116 VLAN for a connection.

  • We do not see the same with the VLANs reversed (i.e., clients in the 3116 VLAN do not receive RAs from VLAN 3115).
  • It only applies to clients using Wi-Fi. Wired clients on the same VLAN don't see the wrong RAs.
  • We did not see the same in our previous configuration with multiple SSIDs statically assigned to VLANs.

Has anyone seen this before, or have any ideas? We have a support case open with Aruba/HP, but their team don't seem to understand IPv6 very well (I had to explain what an RA packet is, IPv6 multicast etc).
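Added example (not from the post): an ICMPv6 Router Advertisement parser plus the SLAAC address derivation, so you can take the RAs a client sees on its VLAN and list exactly which addresses it will form and which of them belong to a prefix it should never have heard. The same check flags a rogue RA on a segment. The two prefixes, the client MAC and the RA bytes are constructed here (documentation prefixes 2001:db8:3115::/64 and 2001:db8:3116::/64 stand in for the real VLAN 3115/3116 prefixes); the ICMPv6 checksum is left zero because it needs the IPv6 pseudo-header, which this body-only example does not build.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type
OPT_PREFIX_INFO = 3      # RFC 4861 section 4.6.2


def modified_eui64(mac: bytes) -> int:
    """Interface identifier from a MAC (RFC 4291 appendix A): insert ff:fe, flip U/L bit."""
    iid = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def parse_router_advertisement(icmp: bytes) -> dict:
    """Parse the ICMPv6 body of a Router Advertisement (RFC 4861 section 4.2).

    Only Prefix Information options are decoded; others are skipped by length.
    A zero-length option is invalid and makes the whole packet invalid.
    """
    if len(icmp) < 16:
        raise ValueError("RA shorter than fixed header")
    typ, code, _csum, hop_limit, flags, router_lt, _reach, _retrans = struct.unpack("!BBHBBHII", icmp[:16])
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    prefixes, off = [], 16
    while off < len(icmp):
        if off + 2 > len(icmp):
            raise ValueError("truncated option header")
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")
        end = off + olen * 8
        if end > len(icmp):
            raise ValueError("option overruns packet")
        if otype == OPT_PREFIX_INFO:
            if olen != 4:
                raise ValueError("bad Prefix Information length")
            plen, pflags, valid, preferred = struct.unpack("!BBII", icmp[off + 2:off + 12])
            prefix = ipaddress.IPv6Network((icmp[off + 16:off + 32], plen), strict=False)
            prefixes.append({"prefix": prefix, "on_link": bool(pflags & 0x80),
                             "autonomous": bool(pflags & 0x40), "valid": valid, "preferred": preferred})
        off = end
    return {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
            "router_lifetime": router_lt, "prefixes": prefixes}


def slaac_candidates(ras: list, mac: bytes) -> list:
    """(source_vlan, address) a SLAAC host would form from a list of (vlan, RA bytes)."""
    out = []
    for vlan, ra in ras:
        for p in parse_router_advertisement(ra)["prefixes"]:
            if p["autonomous"] and p["prefix"].prefixlen == 64 and p["valid"] > 0:
                addr = ipaddress.IPv6Address(int(p["prefix"].network_address) | modified_eui64(mac))
                out.append((vlan, addr))
    return out


def foreign_addresses(ras: list, mac: bytes, expected: ipaddress.IPv6Network) -> list:
    """Addresses the client would configure that fall outside its own VLAN's prefix."""
    return [(vlan, a) for vlan, a in slaac_candidates(ras, mac) if a not in expected]


def build_ra(prefix: ipaddress.IPv6Network, valid: int = 2592000, preferred: int = 604800) -> bytes:
    """Minimal RA with one Prefix Information option, L and A flags set (constructed sample)."""
    head = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix.prefixlen, 0xC0, valid, preferred, 0)
    return head + pio + prefix.network_address.packed


# Constructed inputs: documentation prefixes standing in for the two VLANs, and a made-up client MAC.
VLAN_3115 = ipaddress.IPv6Network("2001:db8:3115::/64")
VLAN_3116 = ipaddress.IPv6Network("2001:db8:3116::/64")
CLIENT_MAC = bytes.fromhex("001122334455")
SEEN_ON_3115 = [(3115, build_ra(VLAN_3115)), (3116, build_ra(VLAN_3116))]  # the leak described above

if __name__ == "__main__":
    for vlan, addr in slaac_candidates(SEEN_ON_3115, CLIENT_MAC):
        print(f"RA from VLAN {vlan} -> {addr}")
    print("foreign:", foreign_addresses(SEEN_ON_3115, CLIENT_MAC, VLAN_3115))
```

The "foreign" list is the set of addresses that will time out when the client picks one as a source, which is the symptom the post describes.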



POE Network -- Problem Help PLZ!

Hello Redditors!

I have the following networks setup.

1: PFsense box --> POE Switch --> Office Computers/Ubiquiti AP AC LR for office. << Working perfectly.

2: PFsense box --> POE extender indoor --> Wireless Range extender. << Working perfectly.

3: PFsense box --> POE extender indoor --> Outdoor POE Extender --> Outdoor POE Extender --> POE Extender indoor --> Ubiquiti AP AC LR for house. << Not working in that configuration, needs one thing to change.

#3 is a LAN cable that runs 400 metres from the office down the back of the business to the house. Both the "PoE extenders" are the default ones from Ubiquiti.

#3 Will only work if I use the POE switch instead of the first POE extender(I would like to connect it directly to the PF Sense box, so that I can separate the networks). Would anyone know why?

The only thing I can think of is the difference in power out?



Cisco port channel redundancy on a stack best practices

This is a hard one to google, but I have a stack of 9300 switches and in the past, for redundancy, I've run 2 links to each IDF with one plugged into the top switch and the other plugged into the 2nd switch whenever I have available fiber ports.

I have a vendor that is recommending we use the top switch and the bottom switch in the stack for these LAG ports, citing Cisco best practices. I can't find it and can't think of a reason that would be the case. Anyone ever heard of this? I wouldn't think it matters at all.



Do you use WAPs in monitor-mode or AM-mode?

I've seen Cisco and Aruba both recommend putting something like 1 out of 4 APs in monitor mode. Does anyone do this? Does it really help?



Discrepancy in network performance

Have a 100Mbps ATT ethernet that goes straight to internet in AL.

The Enterprise has a 1Gbps MPLS from CenturyLink that takes our site in AL to Seattle where it goes out to the internet.

On the ATT connection I can get 90-95Mbps with wget from SoftLayer in Seattle. The ATT line has a 69ms RTT.

On the CL connection I can only get 2-16Mbps from the same exact SoftLayer site. The CL connection has an RTT of 76ms.

I have tested other sources and have consistent results. We can max out our ATT line but can't even get more than 30Mbps on the CL line.

The same exact machine gets unplugged from one to the other to do the test. I have checked MTR and there are no dropped packets on either connection. On the CL line I do see a lot of ??? but no packets are being dropped.

I'm trying to work with the enterprise to figure out why the MPLS (CL) is so much slower. They do a test by just sending 200Mbps of UDP traffic from Seattle or STL to our site in AL and say that it's working fine. I don't get how that can validate the connection?

I have no visibility into what's happening on the MPLS circuit other than that its throughput is significantly slower trying to get out to the internet than our connection that has 10x less bandwidth.

What does sending 200Mbps of UDP traffic validate?
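Added example (not from the post): the two bounds that cap a single TCP flow regardless of link capacity, worked with the RTTs and link sizes given above. A UDP blast only demonstrates raw capacity; a wget is one TCP flow, which can never exceed one receive window per RTT and, under any loss at all, is further capped by the Mathis steady-state bound MSS/(RTT*sqrt(p)). The window sizes and loss rates plugged in are hypothetical, chosen to show how small a window or loss rate is enough to produce single-digit Mbps on a 1Gbps path.

```python
import math


def bdp_bytes(link_mbps: float, rtt_s: float) -> int:
    """Bandwidth-delay product: bytes in flight needed to fill the link."""
    return int(link_mbps * 1e6 * rtt_s / 8)


def window_limited_mbps(window_bytes: int, rtt_s: float) -> float:
    """A single TCP flow cannot exceed one receive window per round trip."""
    return window_bytes * 8 / rtt_s / 1e6


def loss_limited_mbps(mss_bytes: int, rtt_s: float, loss_rate: float) -> float:
    """Mathis et al. steady-state bound, approx MSS / (RTT * sqrt(p)); the constant is taken as 1."""
    return mss_bytes * 8 / (rtt_s * math.sqrt(loss_rate)) / 1e6


def single_flow_ceiling(link_mbps: float, rtt_s: float, window_bytes: int,
                        mss_bytes: int, loss_rate: float) -> dict:
    """The tightest of link capacity, window bound and loss bound, with the inputs echoed back."""
    w = window_limited_mbps(window_bytes, rtt_s)
    l = loss_limited_mbps(mss_bytes, rtt_s, loss_rate) if loss_rate > 0 else float("inf")
    return {
        "bdp_bytes": bdp_bytes(link_mbps, rtt_s),
        "window_bound_mbps": round(w, 1),
        "loss_bound_mbps": round(l, 1),
        "ceiling_mbps": round(min(link_mbps, w, l), 1),
    }


# Link speeds and RTTs as stated in the post; windows and loss rates are assumed values.
LINKS = {"ATT 100M direct": (100, 0.069), "CL 1G MPLS via Seattle": (1000, 0.076)}

if __name__ == "__main__":
    for name, (mbps, rtt) in LINKS.items():
        print(name, "64 KiB window, no loss:", single_flow_ceiling(mbps, rtt, 65535, 1460, 0.0))
        print(name, "1 MiB window, 0.01% loss:", single_flow_ceiling(mbps, rtt, 1 << 20, 1460, 1e-4))
```

With a 64 KiB window the ceiling on either path is under 8Mbps, and on the 1Gbps path a loss rate of one packet in ten thousand (invisible to MTR's few hundred probes) alone holds one flow to about 15Mbps, squarely in the 2-16Mbps range reported. That is the gap a 200Mbps UDP test cannot see: it exercises neither the window nor loss recovery.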



Been asked to add event wifi to a HS basketball Gymnasium for an event 6 months from now.....

So my town is going to have a fundraising event and they want to have an internal Wi-Fi network for the event, as the venue is just not up to snuff to have that many people doing online things at once. It can all be an internal network, no outside Internet needed; however, I'm trying to understand what infrastructure I would need to provide Wi-Fi to about 1100 devices in 3 distinct but wall-adjoined rooms which people will be passing through.

I work in IT but on the development/programming side not on the networking side of the house. So please be a bit 4th grade in explanations.

Thanks-R



Question about broadcasting an ARP request

Hi, my course material doesn't seem to address this so I wanted to ask here. Say there are two hosts A and B on different subnetworks connected by a router. A wants to send to B and knows only B's IP. If A's ARP table is empty he would broadcast an ARP request, but assume instead that A has the IP and MAC of the router. Will A still broadcast? Or will A unicast to the router? I ask this because A should be able to derive that B is not on the same subnet by comparing NetIDs. Therefore should A recognize that sending the datagram only to the router makes sense.

Thanks!
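Added example (not from the post): the host's two decisions, in code, for the question above. First the host compares the destination against its own prefix to pick a next hop (the destination itself if on-link, otherwise the router); then it looks that next hop up in its ARP cache and only broadcasts an ARP request for that next-hop IP on a miss. The addresses and MAC are constructed (RFC 5737 documentation ranges and a locally administered MAC).

```python
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def next_hop_ip(host_ip: str, prefixlen: int, gateway_ip: str, dst_ip: str) -> str:
    """First decision: is the destination on my link, or does it go to the router?"""
    local_net = ipaddress.ip_network(f"{host_ip}/{prefixlen}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in local_net else gateway_ip


def plan_send(host: dict, arp_cache: dict, dst_ip: str) -> dict:
    """Second decision: the frame the host emits next.

    On a cache hit for the next hop it sends the datagram unicast to that MAC
    (the IP header still carries the final destination). On a miss it broadcasts
    an ARP request for the next hop, which is the router's IP, not B's, whenever
    B is behind the router.
    """
    target = next_hop_ip(host["ip"], host["prefixlen"], host["gateway"], dst_ip)
    if target in arp_cache:
        return {"frame": "IP datagram", "dst_mac": arp_cache[target], "dst_ip": dst_ip, "arp_for": None}
    return {"frame": "ARP request", "dst_mac": BROADCAST_MAC, "dst_ip": dst_ip, "arp_for": target}


# Constructed topology: A on 192.0.2.0/24 behind router 192.0.2.1, B on another subnet.
HOST_A = {"ip": "192.0.2.10", "prefixlen": 24, "gateway": "192.0.2.1"}
ROUTER_MAC = "02:00:00:00:00:01"
HOST_B_IP = "198.51.100.20"

if __name__ == "__main__":
    print(plan_send(HOST_A, {"192.0.2.1": ROUTER_MAC}, HOST_B_IP))   # unicast to router, no ARP
    print(plan_send(HOST_A, {}, HOST_B_IP))                          # ARP for 192.0.2.1, not for B
    print(plan_send(HOST_A, {}, "192.0.2.30"))                       # on-link: ARP for B itself
```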



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Cisco WLAN DNA Advantage when only using Prime?

We're using Prime and probably are not going to SD-access if we can avoid it. Wondering if we should get the new APs with DNA Advantage (+Network Advantage) license or just go with Essentials?

Not sure though what these all fancier features are: https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-cl-wireless-controller-cloud/nb-06-cat9800-cl-cloud-wirel-data-sheet-ctp-en.html

But at least rolling AP upgrades would be great for a 24x7 environment. Are app performance / client location / assurance & analytics things you only get with SD-Access?

I've heard Cisco reps saying that you wouldn't have to renew DNA licenses, but would you bet on that :) ? Or would you just get 5 years DNA license even if you're using Prime to be sure?



Configure RADIUS on a Catalyst 3850?

I have a Cisco WS-C3850-xx running IOS-XE v3.07.xx and can't quite figure out RADIUS. I'm following the steps from Cisco and a couple of other sites with no luck...

aaa new-model
radius server NameOfServer
 address ipv4 192.xx.xx.xx auth-port 1812 acct-port 1813
 key 0 <password>
!
! the login method lists below reference group "radius-server1"; the group has to be
! defined and contain the server above, otherwise the method falls through to "local"
aaa group server radius radius-server1
 server name NameOfServer
!
aaa authentication login default group radius-server1 local
aaa authentication login console group radius-server1 local

The RADIUS server is a Windows Server 2013 box. The NPS role is installed and configured according to these steps here.

I try logging into the switch with "username@my.domain.name" and the password, but I get "Authorization Failed". The account is a member of the Active Directory group specified to have "shell: priv-lvl = 15" access.
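Added example (not from the post, and not Cisco's or NPS's code): the RADIUS exchange the switch performs, built from RFC 2865 so you can see what the NAS sends and what it checks in the reply. It hides the PAP User-Password with the MD5 keystream keyed on the shared secret and Request Authenticator, computes and verifies the Access-Accept's Response Authenticator, and pulls the Cisco AVPair (Vendor-Specific, vendor 9, sub-type 1) that carries `shell:priv-lvl=15`. Shared secret, identifier, authenticator and attribute values are constructed; a real NAS draws the Request Authenticator from a CSPRNG and never reuses it.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
SERVICE_TYPE_ADMINISTRATIVE = 6   # RFC 2865 value for an administrative login
VENDOR_CISCO, CISCO_AVPAIR = 9, 1


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: XOR with MD5(secret + previous block), chained."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server side: same keystream, chained on the ciphertext blocks; padding stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length covers the two header octets."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text: bytes) -> bytes:
    """Vendor-Specific (26) wrapping vendor id 9 and sub-attribute 1 (cisco-avpair)."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + attr(CISCO_AVPAIR, text))


def build_access_request(user: bytes, password: bytes, secret: bytes, ident: int,
                         request_auth: bytes = None) -> bytes:
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_access_accept(request: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """The NAS-side check: identifier and length must match, authenticator must recompute."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet: bytes) -> list:
    """(type, value) pairs after the 20-octet header; every length is bounds-checked."""
    out, off = [], 20
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            raise ValueError("bad attribute length")
        out.append((t, packet[off + 2:off + length]))
        off += length
    return out


def cisco_avpairs(packet: bytes) -> list:
    """Decoded cisco-avpair strings carried in Vendor-Specific attributes."""
    pairs = []
    for t, v in parse_attributes(packet):
        if t == VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == VENDOR_CISCO:
            if v[4] == CISCO_AVPAIR and v[5] == len(v) - 4:
                pairs.append(v[6:].decode())
    return pairs


def privilege_level(packet: bytes) -> int:
    """Exec level the reply grants via shell:priv-lvl; 1, the IOS default, when absent."""
    for pair in cisco_avpairs(packet):
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return 1


# Constructed values for the demonstration; never reuse a fixed authenticator in real traffic.
SECRET = b"constructed-shared-secret"
FIXED_AUTH = bytes(range(16))

if __name__ == "__main__":
    req = build_access_request(b"username@my.domain.name", b"Passw0rd!", SECRET, 42, FIXED_AUTH)
    acc = build_access_accept(req, SECRET, attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
                              + cisco_avpair(b"shell:priv-lvl=15"))
    print("accept verifies:", verify_response(req, acc, SECRET), "priv-lvl:", privilege_level(acc))
```

Two things fall out of this that are worth checking on the NPS side when the switch reports a failure: a wrong shared secret makes every reply fail the authenticator check (the NAS then treats the server as dead and falls to the next method), and a reply that verifies but carries no `shell:priv-lvl` AVPair lands the user at level 1.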



Meraki M6 Screws?

This might be an odd thread, however we've got some Meraki switches at my current place.

I really like their... screws, given you can turn them by hand for most of it, i.e. you can grip them pretty easily. Think Rackstud screws but metal instead.

I haven't managed to find those screws elsewhere, and I'd really like to for when I'm at my new place if we ever install anything. They're just so... easy



Wireless in areas with lots of competing access points nearby

I have not been able to find much information on how different wireless access points behave when there is a high density of other access points around that are not under my control to make them play nice.

Long story short, the sales team has a traveling demo; the access point is a physically smaller unit without a lot of power, like a Cisco 100 or 300 series. This works great when they take it to places for a sales demo.

However, they took it to a conference last year where there were dozens if not a hundred plus wireless access points from other attendees in the show hall, and that poor access point got stomped on, and the tablets and other wireless devices that were trying to communicate back to their home server through that access point were just timing out.

Now I have been tasked with helping them modify the demo for this year's conference. My initial thought is just to send them one of our bog-standard corporate access points in autonomous mode, but I have never run into this use case and I have no way to simulate this other than going to the local store and buying dozens of different access points.

Our VAR has been able to dig up nothing on this use case from any of the wireless vendors. So I turn to you, have any of you had to deal with getting wireless working around dozens of competing wireless access points.



Ports not open through AT&T fiber hardware yet AT&T says everything open.

I need to have multiple ports forwarded to devices on LAN for a company to SSH into these devices. (Lets ignore that a VPN would be a better way to handle this for the time being.)

I have deployed this setup multiple times across the country using UniFi gear. This setup is no different aside from the ISP being AT&T dedicated fiber. Same hardware, firmware, LAN, forwarding rules. Everything the same.

But I can not reach the devices on the internal LAN.

I am not quite sure what to ask the AT&T support to do at this point, they have stated

"This internet router is not blocking any ports for the Public LAN block "



DHCP/DNS appliance?

The SE side of my operation has unilaterally decided to pull servers from all our branch offices. We stopped using them for DHCP quite some time ago, but we've reached a point in their decommissioning where the lack of local DNS servers is causing problems. Can anyone recommend an inexpensive but supportable solution that would (maybe just barely) squeak in as network infrastructure as opposed to systems infrastructure? I'd be perfectly happy with a little white-box 1U platform running a Linux distro and bind/dhcpd, but management is *nix-averse and will inevitably want something with a support contract.



OpenSSH - Safety concerns regarding remotely connecting to an Ubuntu server

Is OpenSSH safe to use for remotely connecting to the server? What steps should I follow and what precautions should I take before configuring OpenSSH?

Is there any other alternative?



cisco xconnect performance datasheet

Hello,

I was looking for datasheet that would provide information about xconnect performance of cisco devices. But I cannot find any. Maybe someone has it? :)

I need cisco device which supports 20mbps of xconnect traffic :) Any recommendations?



SDN / SD-WAN solutions and market-share

I haven't worked with SDN or SD-WAN yet (unless you count Meraki), and I was wondering what the going solution is these days? Is Cisco dominating that field, or are others taking the lead?

If I were to focus on learning a specific technology, which one should it be?



Recommendations for Certs/Classes to better understand troubleshooting networks.

For instance, when I get a complaint of network slowness, I usually start by checking link speed and replacing things on the physical layer, by swapping cables, reterminating / replacing jacks, swapping ports. I'd like to learn more in-depth troubleshooting, like finding network loops more easily, learning to utilize Wireshark to its full potential and how to understand what I'm looking at, and the best place to install Wireshark or read the traffic logs on our firewalls without google-searching everything. What certs or classes should I pursue if my job is willing to pay for them?



169.254.x.x address manually assigned to a printer yet can still communicate through WSD

I took over a small office (3 offices, 2 printers, wireless clients) tech position a few days a month. The previous technician set up a networked color printer and manually input a 169.254 address. The printer is working from a wired PC and a wireless MacBook through WSD/Bonjour. Lastly, the rest of the network is using the typical private address space of 192.168.x.x.

I'm not too familiar with WSD/Bonjour so I don't know how exactly they can communicate. Can anyone elaborate? What's more is why would someone manually use a 169.254 address as this is often self-assigned when DHCP fails? Lastly if there was no WSD/Bonjour would your typical router learn to route between 169.254.x.x and 192.168.x.x?

Thanks for any insight



Need suggestions on network tutorials for customers

Hello all, so I'm second-line network helpdesk. In our company we launched a website for our customers where we are going to upload various tutorials. The main idea is to create tutorials in our native language because most of the customers don't understand English. But I'm out of ideas for what kind of network-related tutorials I should create. I already created various VPN tutorials which we offer to customers, how to check your internal IP address, MAC address and so on. So maybe anyone can suggest anything more?



GeoBlocking with CDNs?

We're currently geoblocking anything outside the US/CA/some parts of the EU and require whitelisting for anything specifically needed. We just ran into an issue where a resource has moved to Akamai and at times the IP the resource resolves to is outside the US. We can't just whitelist all of *.akamai or all of Akamai's IPs.

Other orgs that are geoblocking have you ran into issues with CDNs? Is there a subdomain or IPs they can give you? Or is there something special they can do for us as everything from our network will be NATed to a single address..



Iranian needs help!

I'm writing this to summarize the situation and to understand how we can help them; I hope networking Redditors could make the difference.

I'm thinking with my Iranian friend about how the government has technically shut down the internet for 2 days, and what is emerging is that they can control core routers and filter connections (that's a fact, but I want to give you a clear view).

Some Iranian experts could access the internet through some proxies, so there are ways to interact with the "international" internet if you are expert enough. Now the question to you Redditors is: how could an Iranian expert give internet access to a good number of non-expert people in a safe way (journalists maybe)?

That's a CNN link to understand what is going on in Iran: https://www.cnn.com/2019/11/18/middleeast/iran-protests-explained-intl/index.html

Thanks to anyone who will interact with this; it's a matter of rights.



Portable link aggregation / network bonding router for life-streaming

Hello. I hope my post is good enough to qualify for you guys.

What I'm trying to do: I'm trying to achieve a stable network connection from multiple LTE modems + Wi-Fi + the built-in Ethernet port for streaming to an external RTMP server, with load balancing between my multiple modems, so that if one gets disconnected or somehow breaks, the network connection would still not be broken.

What have I done/tried so far:

  1. I have set up Windows on my portable computer (LattePanda 800s) and a Hyper-V virtual machine running OpenMPTCProuter,
  2. Configured the VPN,
  3. I have configured Hyper-V virtual switches and the network adapter for the VM,
  4. Set up NAT so the virtual machine can share internet back to the host computer,
  5. I wrote myself a simple autostart program to set the virtual switches' mode (external or internal, depending on whether there is a physical network adapter to connect to) depending on the detected adapter in the network, with the help of a few PowerShell scripts,
  6. I set them up in the GUI provided by OpenMPTCProuter (as there will always be adapters on the VM side),
  7. I started the stream,
  8. Unplugged one of the connections (Wi-Fi) and the stream goes down without recovery of any sort.
  9. I tried messing with some settings on the OpenMPTCProuter side but nothing helps, always the same results.

My bonus ideas (I'm not a network specialist by profession, so this is just raw speculation):

  1. Set up Linux,
  2. Get all adapters,
  3. Get a connection on eth0 to the host computer,
  4. Send/receive packets on all routers at the same time,
  5. On the VPN the fastest one gets accepted, the rest are ignored as the crypto hash is invalid/duplicated,

or

  1. Set up Linux
  2. Get all adapters
  3. Ping 8.8.8.8 from all of the connections and use the fastest 2 based on response times
  4. On the VPN the fastest one gets accepted, the rest are ignored as the crypto hash is invalid/duplicated

Any kind of working solution would be nice; I'm kind of running out of time as I need to have the setup ready on the 27th of November.



Juniper SRX - Interface monitoring not working

Hi,

Whenever we deploy SRXs we use interface monitors with redundancy groups and reths... this is the first time I've deployed on a SRX345 and also the first time I've had a major problem.

If I pull a cable (simulating an event) the interface monitor will identify there was an event and depending on the weight, move to the other node for that RG or simply subtract the weight from 255.

The issue is when I plug back in the cable, the LED status light is green but the interface shows down in the CLI , if I pull and put back in both interfaces in a RG... neither come back.

Can't replicate it on other SRXs and have never had this issue before. Software: we upgraded to the recommended JTAC version, which has a lot more layer 2 default config and functionality than older Junos versions, so I reverted back to 15.1, which works on SRX1500, 4100 and 4200s without any issue.

show chassis cluster interfaces
Control link status: Up

Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA   Security
    0       fxp1        Up                 Disabled      Disabled

Fabric link status: Up

Fabric interfaces:
    Name    Child-interface    Status                    Security
                               (Physical/Monitored)
    fab0    ge-0/0/14          Up   / Up                 Disabled
    fab0
    fab1    ge-5/0/14          Up   / Up                 Disabled
    fab1

Redundant-ethernet Information:
    Name         Status      Redundancy-group
    reth0        Down        Not configured
    reth1        Up          1
    reth2        Down        2
    reth3        Down        Not configured

Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          0

Interface Monitoring:
    Interface         Weight    Status                    Redundancy-group
                                (Physical/Monitored)
    ge-5/0/12         128       Up / Up                   1
    ge-5/0/11         128       Down / Down               1
    ge-0/0/12         128       Up / Up                   1
    ge-0/0/11         128       Up / Up                   1
    ge-5/0/8          255       Down / Down               2
    ge-0/0/8          255       Down / Down               2

set chassis cluster reth-count 4
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/11 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/12 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/11 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/12 weight 128
set chassis cluster redundancy-group 2 node 0 priority 200
set chassis cluster redundancy-group 2 node 1 priority 100
set chassis cluster redundancy-group 2 interface-monitor ge-0/0/8 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-5/0/8 weight 255

Anyone come across this ?

Thanks

Cian
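Added example (not from the post, and not Juniper's code): the interface-monitor arithmetic the post describes, applied to the `set chassis cluster` lines above and the Down interfaces in the show output, so the expected redundancy-group state can be computed and compared with what the cluster actually reports. Each node starts every RG at a threshold of 255 and loses the weight of each of its own monitored interfaces that is down; hitting 0 on the primary triggers a failover when the other node still has weight. Two assumptions are labelled in the code: node membership is derived from the FPC number (node 1's ports show as ge-5/0/x on this SRX345 pair), and the primary is taken from configured priority, ignoring preempt and any earlier failover.

```python
import re

THRESHOLD = 255          # every redundancy group starts each node at this weight
NODE1_FPC_OFFSET = 5     # assumption: on this SRX345 cluster node 1's ports appear as ge-5/0/x

RE_MONITOR = re.compile(r"set chassis cluster redundancy-group (\d+) interface-monitor (\S+) weight (\d+)$")
RE_PRIORITY = re.compile(r"set chassis cluster redundancy-group (\d+) node (\d+) priority (\d+)$")


def node_of(ifname: str) -> int:
    """Derive the cluster node from the FPC number in <type>-<fpc>/<pic>/<port>."""
    fpc = int(re.match(r"[a-z]+-(\d+)/", ifname).group(1))
    return 1 if fpc >= NODE1_FPC_OFFSET else 0


def parse_cluster_config(lines) -> dict:
    """Collect per-RG node priorities and monitored interfaces from 'set' lines; others ignored."""
    rgs = {}
    for line in lines:
        line = line.strip()
        m = RE_PRIORITY.match(line)
        if m:
            rg, node, prio = map(int, m.groups())
            rgs.setdefault(rg, {"priority": {}, "monitor": {}})["priority"][node] = prio
            continue
        m = RE_MONITOR.match(line)
        if m:
            rg, ifname, weight = int(m.group(1)), m.group(2), int(m.group(3))
            rgs.setdefault(rg, {"priority": {}, "monitor": {}})["monitor"][ifname] = weight
    return rgs


def evaluate(rgs: dict, down: set) -> dict:
    """Apply the interface-monitor arithmetic to a set of physically down interfaces.

    Assumption: the configured primary is the node with the higher priority; preempt
    and prior failovers are not modelled. RGs with no monitored interfaces are skipped.
    """
    result = {}
    for rg, cfg in rgs.items():
        if not cfg["monitor"]:
            continue
        remaining = {0: THRESHOLD, 1: THRESHOLD}
        for ifname, weight in cfg["monitor"].items():
            if ifname in down:
                n = node_of(ifname)
                remaining[n] = max(0, remaining[n] - weight)
        primary = max(cfg["priority"], key=cfg["priority"].get) if cfg["priority"] else 0
        if remaining[primary] == 0 and remaining[1 - primary] > 0:
            state, active = "failover", 1 - primary
        elif remaining[0] == 0 and remaining[1] == 0:
            state, active = "down on both nodes", None
        else:
            state, active = "stable", primary
        result[rg] = {"remaining": remaining, "configured_primary": primary, "active": active, "state": state}
    return result


# The configuration lines from the post, and the interfaces its show output lists as Down.
CONFIG_LINES = """
set chassis cluster reth-count 4
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/11 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/12 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/11 weight 128
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/12 weight 128
set chassis cluster redundancy-group 2 node 0 priority 200
set chassis cluster redundancy-group 2 node 1 priority 100
set chassis cluster redundancy-group 2 interface-monitor ge-0/0/8 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-5/0/8 weight 255
""".strip().splitlines()
DOWN_NOW = {"ge-5/0/11", "ge-5/0/8", "ge-0/0/8"}

if __name__ == "__main__":
    rgs = parse_cluster_config(CONFIG_LINES)
    for rg, r in evaluate(rgs, DOWN_NOW).items():
        print(f"RG{rg}: remaining {r['remaining']} -> {r['state']} (active node {r['active']})")
    print("if node 0 loses both RG1 links:", evaluate(rgs, {"ge-0/0/11", "ge-0/0/12"})[1]["state"])
```

For the state in the post this gives RG1 at 255/127 and stable on node 0, matching reth1 Up, and RG2 at 0/0 on both nodes, matching reth2 Down; so the arithmetic agrees with what the cluster shows and the oddity is purely that the physical interfaces stay Down after the cable is reinserted.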