Saturday, November 30, 2019

Where can I learn about mobile networks/ICMP and Mobile IP?

Hi, I can't seem to find any detailed explanation of cellular networks - besides Hindi videos - on the topic of how cellphones work in a network and how IP addresses are received and sent.
Any idea where to find a good explanation of this?
So far the best is this:
https://www.youtube.com/watch?v=o_WnRMYgW94&list=PL_a1TI5CC9RGSKu_wHNs265mfI0vhGT64



Missing interfaces in IOUs for EVE-NG

I'm using the same IOUs (L2 --> adventerprise-15.1 and L3 --> adventerprise9-15.5) in GNS3 and EVE-NG. However, in EVE-NG I have fewer interfaces for the nodes. I only have e0/0-0/3 for both L2 and L3 nodes in EVE-NG. Is there a way to recover the missing interfaces?



Power Options

What does everyone use for power options for routers/switches at remote sites? Currently we have APC UPSs, but I'm struggling with having to replace old units, just because if power at the building goes down there isn't any benefit to keeping the network up aside from the time of everything having to reboot... but the workstations are unusable anyhow, not to mention that if power is out for an extended period of time the UPS won't matter. Is there a better way? Would nice surge protectors suffice?



Can't access admin interface on Cisco SG300-28 (remotely located).

I have a Cisco SG300-28 that's colocated a few hundred miles away. It seems to be working fine as a switch, but for the first time in years I need to log in to it to make some changes, and I can't seem to access the admin interface.

I'm pretty sure I know the right IP address for the device, but going to that IP address via HTTP or HTTPS using the normal ports gives me nothing. I've scanned the first few thousand ports, and it looks like nothing is open.

Is it possible the admin part just crashed? Should I have the switch remotely power cycled and then see if I can get in?

If that doesn't work, what are my options? Can the ISP where it's colocated get in via a serial console and figure out the IP address and port?



How do I disable my Dad's throttling epidemic?

I have a commercial-level Luxul system, but my Dad capitalizes on the bandwidth even though he doesn't use it. Some rooms are told to specifically dial down to a lower frequency band (2.4 GHz) to get better speeds only in the places they need it. Everything is hard wired that can be. It's completely unnecessary, and he currently also has it set up to tell 2 of the 3 SSIDs to kick sand when he uses his own. The bandwidth is so much, he wouldn't notice it. How can I help myself? I only care because streaming music (even if the smart device is hard wired) will still require about 50 to 20 Mbps. It tanks my bandwidth from 50 to about 5 in seconds every time.



How do you work with your execs when MSP/VARs are seemingly successfully working around your engineering team for infrastructure decisions?

Hello r/networking! Throwaway account.

Does anyone have the following situation or something similar?

  • Non-technical CIO and CSO have developed what appears to be a friendly (maybe even close) relationship with an MSP/VAR for physical security projects
  • CIO and CSO sign long-term support service contracts without any input from IT engineering teams, then inform these teams of the decisions made and that they'll be working with them
  • MSP/VAR does not engage IT engineering for any sort of design or deployment input (sans IP address space) until they've already been onsite and done physical installations and are requesting items such as port configurations (and this is sanctioned by CIO and CSO)
  • MSP/VAR routinely meets with CIO and CSO, and continually makes pitches for the MSP/VAR to provide additional IT infrastructure contracts, including but not limited to network support and/or hosting
  • MSP/VAR's non-hosted contracts seem to be focused on tier 2 and 3 'support' post-deployment, and they want all hands-on work to be done by the IT team, or they charge hourly for hands-on support

It basically seems like this MSP/VAR has keenly short-circuited our engineering team's ability to provide input into the decision process, and with some big equipment refresh coming, it seems like the MSP/VAR is going to be making a pitch to integrate their services and purchase equipment with a vendor we don't think is in our best interests.

And of course, our engineering team has never asked for tier 2 and 3 services; instead we stated we want more tier 1 support, but our organization won't hire any more people, though they'll pay for services.

I'm not entirely sure how to get ahead of this and get more input into the decision making process. At times it seems like the CIO values our input when we do meet, but the MSP/VAR meets or is in contact way more than us.

How do you deal with this situation, if at all? Our direct manager doesn't seem to be able to make an impact on this, so I'm a bit flabbergasted at what to do. Is this a systemic issue and I just need to start looking for a job elsewhere? It doesn't seem like our jobs are at stake, but it does seem like the execs are quite receptive to outsourcing tier 2 and 3 engineering.

Any input would be greatly appreciated. Thank you for your time.



A VPN bypassed my ISP speed limit

Hi everyone. So basically where I live (Iraq) the government blocked social media for like 2 months. I was trying VPNs here and there and found one on a Russian server, G Core Labs. My internet speed limit is 4 Mbps, and using the VPN it became 10 Mbps (not sure if this is the VPN's limit or not). After looking around on https://bgp.he.net/, G Core Labs was actually in the list for my ISP, so I figured that's why it became faster. Is this correct? Can I take more advantage of this?



Best free syslog options

I know there are plenty out there, but I'm looking for a free syslog platform that will ingest about 500 total Cisco routers and switches. Resourcing (storage, CPU, etc.) isn't a huge deal. The biggest value I'm looking for is the extensibility of parsing through the logs. I consider Splunk to have a great parsing engine, but it comes with a price.



SFP to RJ45 questions?

Is it just me, or does autonegotiation over SFP-RJ45 transceivers, well, almost never work?

Sorry if this is a total noob question.

Also, yesterday I had an issue on Ubiquiti equipment where autonegotiation on such a link failed on 9/10 reconnects.

I am not feeling confident about forcing link speeds as this is just a testing setup for a switch replacement for other devices that I can't test on.



Ubiquiti Dream Machine vs Eero vs MikroTik

Currently have a couple of Ubiquiti APs and a USG. Trying to decide if I want to buy 4 of the Eero Pros, or swap my USG for a MikroTik router, or just buy the UniFi Dream Machine.

All of my APs are hard wired. Anyone have any thoughts?



Cannot connect to hole-punched port

As far as I know,

the server is on a public address, and when the client connects to the public server, the NAT maps the IP and port to a public one, but I cannot reach the goal.

I've tested on a symmetric NAT and cannot connect to my client's socket; it keeps raising `ConnectionRefusedError: [Errno 111] Connection refused`.

How can I solve the problem? I wrote the code in Golang and reuse the port using `github.com/kavu/go_reuseport`.



Friday, November 29, 2019

One site as failover for the other.

I have a building with two completely separate networks, one behind a pfSense FW and one behind a Peplink LTE router.

I'd like to use one network to provide backup WAN to the other, and vice versa. Both devices have extra WAN interfaces available. What's the best way to avoid the double-NAT situation that results?

Can I instead connect both networks on the LAN side? There isn't any IP overlap.



Changing the default DNS server stops my Internet connection

Hello,

I want to know how I can change my university's default DNS server. Whenever I try to change it, my internet connection stops. Also, how can I bypass the speed cap they have imposed on my account?



How do Cisco Secure Access Control Systems work? Are they similar to servers?

The reason I ask is that while I was studying for the CCNA some people mentioned that it's a great way to add TACACS and RADIUS and some other features, but are they similar to servers like the HP ProLiant ML350?



Discovery Methodologies for *Extremely* Large Networks

Hi /r/networking,

To preface my questions, I am fairly new to the consulting space (although I have worked for MSPs for ~6 years now, almost entirely in networking).

I have just begun a network architecture assessment for a customer and to be frank, I'm totally overwhelmed by the scale of their environment.

To give you an example, one of their smaller data centers contains about 30 devices, which is a small hardware footprint; but the more one digs into the configuration of each device (going off of some minimal and sometimes out-of-date documentation), the more questions arise.

To get even more specific, one of their firewalls has ~75 static routes, with over 10 unique next-hops among those static routes for which I do not know the management IP of the device on the other end.

Obviously, it's kind of a mess, but that is why they brought us in.

My question is, to those of you who have been exposed to poorly documented networks of this scale: how did you manage to get a sense of traffic flows and architecture?

I'm looking for both tools and methodologies/frameworks that would help me understand this large environment in a relatively short amount of time.

Thanks!



Our ISPs never believe our SD-WAN

One of the coolest parts of SD-WAN is that it constantly monitors the health of our point-to-point tunnels including loss, latency, jitter, out of order packet percent, and MOS.

This is awesome because at the click of a button we can see a branch office is experiencing 30% packet loss outbound or having unacceptable jitter, etc. And it’s displayed in cool graphs and charts that are also easy for management to digest.

The problem is none of our ISPs ever believe a shred of it. It gets almost comically bad at times, because like clockwork, as soon as we mention the SD-WAN they immediately get argumentative.

One example: our SD-WAN starts showing consistent packet loss in excess of 30% between a single branch office and our data center, in only one direction. Both locations have DIA fiber from the same provider, in the same city. Pretty clear indication that something is wrong, right?

We're asked to provide some evidence of the problem we're experiencing, and we put up a picture of the little graph in our SD-WAN orchestrator showing consistent one-way packet loss between these two sites. Immediately: "Nuh uh, that's wrong. That doesn't mean anything." It's like as soon as SD-WAN is even mentioned they immediately shut down and get unhelpful. At one point we were even told "we're an ISP, we don't drop packets." And they try to tell us the circuit passed a test, so that proves the problem isn't them. We tell them no, that circuit is talking to 100 other sites with under 1% loss; the problem is only when these two sites talk directly to each other. We even run traceroutes and reverse lookups and tell them "Look at router AGG-RTR-XXX01." They assure us "No, that's impossible, the problem is on your end and that's that. Please open a ticket with your SD-WAN vendor."

Fast forward like a month later and the loss magically disappears and the ticket gets stealth-closed with no updates. Yeah, sure, they definitely didn't find something on their end and fix it. (rolls eyes)

In another case a bigger problem showed many down tunnels and huge loss all over the place, and after investigation it looked like every problem occurred when a specific ISP A was trying to talk to a specific ISP B. We take our findings to the provider and get the same old story: "you might want to call your SD-WAN vendor, because we don't have anything like that going on." Fast forward multiple escalations later and magically our ticket was linked to another master ticket, and they're bouncing ports and cleaning fiber at some NNI, and all of a sudden everything goes back to normal after they resolve the master ticket.

I wonder why it is met with so much skepticism despite being battle tested? I mean, a lot of these ISPs are offering their own SD-WAN solutions too as a managed service, so they must believe in them?

Anyway, my advice to anyone on here doing SD-WAN who has to bring up a ticket with a provider: don't mention SD-WAN. As soon as you do, they will stop taking you seriously. If you can, re-create the issue with other traditional tools and present that to them instead.

Ok I’m done ranting for now!



SD-WAN guys/gals: which vendor do you prefer?

I only started working with SD-WAN about 2 years ago. I did a PoC with Talari Networks (recently acquired by Oracle), Silver Peak, and Meraki (Meraki is NOT SD-WAN.).

I ended up going with Talari because it was not a subscription-based model, so the price was right. The only downfall was that the config editor was clearly just a fancy way to display a .xml file (literally, from the way it expands you can tell where in the XML file the setting will sit... so maybe that's a pro depending on perspective).

Anyway, for those of you who have some legit experience with multiple vendors, who do you like best, and why?

*My irrelevant passion regarding "SD-WAN": Why do we call this technology Software-Defined WAN? The WAN has always been Software-Defined. Routing is software. "SD-WAN" is just another Routing Protocol that, like BGP, runs at L4 with health-checks built-in. But hey, "SD-WAN" sounds cool, right?



EVE-NG showing VT-x/AMD-V as disabled (greyed out) in VirtualBox, but other VMs can use it. Anyone had the same problem?


AT&T tech just installed a second line of ADSL to give us 30 Mbps vs the 16 we had before, yet said we could get higher with a VPN.

This is a copy/paste from r/buildapc.

I figured this question would be better answered here.

The tech just left after installing a second line, which effectively doubled our speed from 16 to 30 Mbps.

I checked the downstream on speedtest.net and it showed 31 Mbps.

The tech recommended I use Bing's speed test first, but it had a stall. After finally being able to run Bing's test, the results for downstream came back at 87 Mbps.

I asked the tech why Bing's speed test came up 50 Mbps higher than both what the modem said it was receiving and what speedtest.net said we were getting, and he said that's what AT&T is sending the modem. The modem is only sending the device 30.

He said I can bypass this by getting a VPN that allows me to go through the filter set by AT&T.

Does this hold any water?

Also, before he left he said the line would be unstable, and now that he has left my downstream while downloading a game on Steam has gone back to 16 Mbps. Is there any way to ensure it remains stable consistently?



What cheap switch can I get with VLAN?


PBR to VRF

Hello guys, I need to replace the config of a Cisco ISA3k firewall from PBR along with route maps to VRF routing, as being used in an industrial router. Is it even possible?



Some help with routing through a site-to-site IPsec tunnel to AWS

Hi,

I'm pretty new to Juniper devices, but somehow I've managed to set up the tunnels to AWS with 2 SRX firewalls. But I now have a problem with routing through the tunnels and accessing the virtual machines on the AWS end.

This is the show route output. As you can see, the network 10.255.255.0/24 is accessible via the 2 tunnel interfaces, but for some reason I cannot ping 10.255.255.10, which is a VM that has no firewall.

Also, I've set up policies that ALLOW all traffic between the 2 zones that I have - trusted and untrusted - just to be sure that it's not the firewall blocking the packets. Any ideas?

root@srx-0> show route

inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 02:45:46
                    > to 143.133.16.1 via reth0.0
10.10.10.0/24      *[Direct/0] 00:48:25
                    > via reth1.0
10.10.10.10/32     *[Local/0] 03:43:51
                      Local via reth1.0
10.255.255.0/24    *[BGP/170] 01:16:20, MED 100, localpref 100
                      AS path: 64231 E
                    > to 169.254.16.11 via st0.2
                    [BGP/170] 01:16:15, MED 100, localpref 100
                      AS path: 64231 E
                    > to 169.254.74.8 via st0.1
13.37.13.0/24      *[Direct/0] 03:29:58
                    > via fxp0.0
13.37.13.37/32     *[Local/0] 03:29:58
                      Local via fxp0.0
169.254.26.24/30   *[Direct/0] 02:27:53
                    > via st0.2
169.254.26.26/32   *[Local/0] 02:27:53
                      Local via st0.2
169.254.77.8/30    *[Direct/0] 02:54:32
                    > via st0.1
169.254.77.10/32   *[Local/0] 02:54:32
                      Local via st0.1
143.133.16.0/22    *[Direct/0] 02:45:46
                    > via reth0.0
143.133.16.250/32  *[Local/0] 03:43:51
                      Local via reth0.



Anglesey single point of failure

Hi. I've been told by a business I'm doing some work for that the Isle of Anglesey has a single connectivity cable to mainland UK via the Britannia Bridge, so if something happens there (fire etc.) the entire island would lose internet connectivity, and therefore they wanted suggestions for resilience as they are becoming more reliant on it.

Looking at the submarine cable map I can see that there are actually two fibre lines connecting Holyhead to Ireland. Would the business just need to engage with an Irish ISP to take advantage of this route? None of the UK providers would use this route (I don't think) as Ireland is a foreign country. The management companies of the lines offer dark fibre etc., but the business has no presence in Ireland and therefore nothing to connect to at the other end.

This isn't my area of expertise, so I'm not entirely sure what the business would need to do to get Internet over these lines, or if it's even possible.

Any suggestions?

Thanks



What kind of bag do you carry?

Network engineers, technicians, cable installers and all other workers who build, manage and troubleshoot large network infrastructures, what kind of bag and tools do you carry with you into the field?

I'm looking to put together a new toolkit along with a way to conveniently carry most of this equipment from site to site. I'm interested in hearing how most of you make the tools you need into more of a convenience and less of a hassle.

Some of the equipment I find necessary to have on hand most of the time:

  • cat6 patch cables of various lengths
  • cat5 and 6 cable ends
  • rj11 patch cables
  • rj11 cable ends
  • crimping tool
  • punch down tool
  • multi-bit screwdriver
  • side cutters
  • wire strippers
  • couplers
  • battery tester
  • cable and fiber tester
  • SM and MM fiber patch cables
  • label maker
  • small form factor laptop with Ethernet and serial, or an adapter for both. Currently I use a Mac Air for this but would like something smaller and lighter and at least this powerful.
  • other miscellaneous tools

It would be nice if there were some convenient-to-carry bag for all of this. What do you do in this situation?



Is anyone using NHRP or OpenNHRP with Linux? If so, where/how did you install it?

I've been doing quite a bit of searching, and NHRP (or OpenNHRP) doesn't seem to exist in any Debian or Ubuntu repository, unless I am missing something.

I do see it is available in applications like Quagga or FRR but does anyone know how to just install it on its own? Or where to get the latest version of the code?

thanks



Breakout solutions for QSFP-40G-SR4: 40G to 4*10G OM4 Fiber

I was looking for a new network setup (Nexus 93108TC-FX) and found the solution below. (Almost all servers are 10GBase-T, but I need some 10G SFP+ for some appliances as well, hence this. I would like to stick with Cisco Nexus.) More reasoning in a previous post.

http://www.panduit.com/heiler/TechnicalReferences/D-FBTR123--WW-ENG-40GTO10GSOLUTION.pdf

In short, this is a patch panel solution with MPO cassettes to LC, to make the patching with a standard LC fibre cable very easy and clean. These MPO cassettes are directly connected with a 'special' cable to the QSFP-40G-SR4.

This seems really nice and clean. Does someone have some experience with this? Any remarks? Are you happy or dissatisfied, or did it simply not work, or ...



QoS / CoS on a L2 switch

We have an L2 switch in front of our ISP demarcation point.

The service is for VoIP, so at layer 3 that's the ISP's issue. Once we mark our RTP traffic as "EF", it is kept as "EF" and everything else is remarked accordingly by the ISP (most just gets re-marked to AF21 and AF41).

What I want to know is: is there anything we need to do with our switch with regard to CoS?

We have policy and class maps on the switch to keep the DSCP markings that are received from the ISP, and to mark our RTP traffic as "EF".

But is this the correct thing to do, or do I need to do more on the switch?



Asset tracking

Hi Guys,

We are a team which provides IT support to a large warehouse. One of the devices we support is barcode scanners, and Operations are losing them at a rate of 1 per day. As these scanners are costly to replace, we have been asked to find a solution to stop the scanners leaving the warehouse. We see on our system that the lost scanners were last seen near dock doors, which brings us to the conclusion that workers are leaving the scanners on pallets when loading onto truck trailers which are leaving the docks.

Our idea is to have some RFID stickers on the scanners and have some sensor in front of the dock doors which would light up in real time to let us know that a scanner has passed through them. It should give us the details of the scanner and the time when it passed through the sensor.

Is there already some system that can be implemented that we can utilise, or can you give us ideas on how to develop one?



Thursday, November 28, 2019

How dangerous exactly is 100Gbase-LR4?

We're moving from 10GBase-LR to 100GBase-LR4 at my work.

I know that looking down fibres is never a good idea (and it's outside the visible spectrum anyhow).

However, the consensus around 10GBase-LR is that in general you should be OK, even if you accidentally glance briefly at it, as the power levels are quite low (although it's still a bad habit to have).

What about 100GBase-LR4?

Is this the sort of thing where I should be wearing safety glasses around it? (Just concerned somebody on my team new to fiber might try it, or decide to monkey around.)



IPv6 Mid-Size Enterprise - Give Me a Reason

Hi all - I'd like someone to give me a legitimate reason (one I can give to executives) why I should start moving my mid-sized enterprise towards IPv6. I've read about/listened to all the podcasts saying we need to start making this move. In the real world, though, no mid-sized company appears to actually be doing this. The only real benefit I've heard so far for a mid-sized enterprise is security related, i.e. remote users being forced to tunnel through corporate security functions.

I'm really interested in the topic, but at this point I still do not see the reason why an organization not running out of RFC 1918 space would even try to implement IPv6. Please give me reasons; I'm very interested.



X710-DA2 - one port suddenly not working - BIOS says "The driver failed to load because an unsupported module type was detected. Message code: 10696053409972224"

I have a 2U4N SuperMicro server that I'm using to set up a Ceph cluster. I have a single Intel X710-DA2 (Dell-branded) installed in each of the 4 nodes.

I ran Geekbench 5 on one node, in order to put the CPU through its paces.

However, partway through, the machine appeared to abruptly shut down.

Afterwards, when I tried to boot it up via the SuperMicro IPMI, it said:

> Performing power action failed. Please check.

https://i.imgur.com/If8zRgr.png

Has anybody seen this error message on a SuperMicro system before?

Anyway, I unplugged that node, waited a bit, and plugged it back in.

I tried to boot it up again, and this time, it said:

> Intel(R) 40GbE 1.7.19 is Unhealthy

https://i.imgur.com/FeV3OGk.png

Then, when I went into BIOS setup, it said:

> The driver failed to load because an unsupported module type was detected. Message code: 10696053409972224

https://i.imgur.com/v7jzK3l.png

I then tried to boot it up again and it did boot - but I seem to have lost network connectivity from one of the two SFP+ ports.

I tried swapping the SFP+ optic in that port, in case it was that - however, still no connectivity.

I then even tried swapping to another new X710-DA2 - same issue.

Is there any way that benchmarking the box could somehow have damaged a PCI slot on the motherboard?

Or have I missed something obvious in the troubleshooting steps above?

I suppose I can get an OPM to test if there's light output from that port, right?

Any other suggestions?



nDPI CSV export - help understanding outputs

Hi all,
I've started to play with nDPI to do packet capture analysis, and I'm using ndpiReader to export a pcap to CSV.

Looking at the exports I can see a lot of useful information like source and destination IP and port, and protocol used,

but I'm trying to understand why it has source-to-destination bytes as well as destination-to-source bytes.

I would have assumed that traffic only flows from the source to the destination,
e.g. request a website: PC -> Server, sends x number of bytes;
website responds: Server -> PC, sends y number of bytes.

I don't see why there should be destination-to-source traffic.

Or is nDPI being clever and bundling stuff together?

Hopefully someone can help answer my question.
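A small bidirectional flow aggregator, added here as an example (it is not from the post above or from the nDPI project): it shows why one flow record carries both src2dst and dst2src counters, and why that split is what detection logic keys on. The packet capture and the CSV column names are constructed for this example and are not a claim about ndpiReader's exact layout.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    """One captured packet, reduced to the fields a flow exporter keys on."""
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    length: int  # bytes on the wire


@dataclass
class Flow:
    """One bidirectional flow record; 'src' is whichever side sent the first packet."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    first_seen: float
    last_seen: float
    src2dst_packets: int = 0
    src2dst_bytes: int = 0
    dst2src_packets: int = 0
    dst2src_bytes: int = 0


def flow_key(p: Packet) -> Tuple[str, int, str, int, str]:
    """Direction-agnostic key: a packet and its reply map onto the same flow."""
    lo, hi = sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)])
    return (lo[0], lo[1], hi[0], hi[1], p.proto)


def aggregate(packets: List[Packet]) -> List[Flow]:
    """Fold packets into flows, counting each direction separately."""
    flows: Dict[Tuple[str, int, str, int, str], Flow] = {}
    for p in sorted(packets, key=lambda x: x.ts):
        key = flow_key(p)
        f = flows.get(key)
        if f is None:
            # The first packet seen defines the flow's source (normally the client).
            f = Flow(p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto, p.ts, p.ts)
            flows[key] = f
        f.last_seen = p.ts
        if (p.src_ip, p.src_port) == (f.src_ip, f.src_port):
            f.src2dst_packets += 1
            f.src2dst_bytes += p.length
        else:
            f.dst2src_packets += 1
            f.dst2src_bytes += p.length
    return list(flows.values())


def upload_fraction(f: Flow) -> float:
    """Share of bytes sent by the initiator. A value near 1.0 on a long-lived
    flow is the shape detection rules use to flag bulk uploads or exfiltration."""
    total = f.src2dst_bytes + f.dst2src_bytes
    return f.src2dst_bytes / total if total else 0.0


def to_csv(flows: List[Flow]) -> str:
    """Render flows as CSV (column names are this example's own, not ndpiReader's)."""
    rows = ["src_ip,src_port,dst_ip,dst_port,proto,"
            "src2dst_packets,src2dst_bytes,dst2src_packets,dst2src_bytes"]
    for f in flows:
        rows.append(f"{f.src_ip},{f.src_port},{f.dst_ip},{f.dst_port},{f.proto},"
                    f"{f.src2dst_packets},{f.src2dst_bytes},"
                    f"{f.dst2src_packets},{f.dst2src_bytes}")
    return "\n".join(rows)


# Constructed sample capture: one HTTP request/response and one DNS lookup.
PC, WEB, DNS = "192.168.1.10", "203.0.113.80", "192.168.1.1"
SAMPLE_PACKETS = [
    Packet(0.000, PC, 51234, WEB, 80, "tcp", 60),    # SYN
    Packet(0.020, WEB, 80, PC, 51234, "tcp", 60),    # SYN-ACK
    Packet(0.021, PC, 51234, WEB, 80, "tcp", 52),    # ACK
    Packet(0.022, PC, 51234, WEB, 80, "tcp", 512),   # GET /
    Packet(0.050, WEB, 80, PC, 51234, "tcp", 1460),  # response segment 1
    Packet(0.051, WEB, 80, PC, 51234, "tcp", 1460),  # response segment 2
    Packet(0.052, WEB, 80, PC, 51234, "tcp", 800),   # response, last segment
    Packet(0.060, PC, 51234, WEB, 80, "tcp", 52),    # ACK
    Packet(-0.010, PC, 41000, DNS, 53, "udp", 73),   # DNS query
    Packet(-0.005, DNS, 53, PC, 41000, "udp", 89),   # DNS answer
]


def sample_flows() -> Dict[Tuple[str, int], Flow]:
    """Aggregate the sample and index the result by (dst_ip, dst_port)."""
    return {(f.dst_ip, f.dst_port): f for f in aggregate(SAMPLE_PACKETS)}


if __name__ == "__main__":
    print(to_csv(aggregate(SAMPLE_PACKETS)))
```

The eight HTTP packets collapse into a single row whose dst2src_bytes (the page body coming back) dwarfs its src2dst_bytes (the request); a flow with the opposite ratio is the first thing to look at when hunting for data leaving the network.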



A wireless access point and PoE switch in one?

Does anyone know if such a device exists: a small PoE switch with 4-8 ports which also incorporates a wireless access point?
I have a space where I need to provide wireless access and also run a few PoE devices, and would prefer to use a single device if possible.



After some advice regarding Wi-Fi extenders

I have a friend who has asked for some advice regarding his current office set up.

He shares a connection with another office (they are in their own building, and he has an office in one of their spare barns), where he gets a hard-line connection (the Ethernet cable for his connection runs from their router to his office, approx. 15 metres, into the barn). However, the Wi-Fi connection from the main office where the router is located (the hard line is fine) is very poor, so he would like to look into purchasing some hardware that he could connect to one of the spare Ethernet ports, which would then give him a decent Wi-Fi signal in the barn. He needs this as there are quite a few devices that require an internet connection, but there are only so many spare ports on his switch to connect to, hence needing the ability to connect them via Wi-Fi.

Inline adapters are out as he isn't on the same circuit as the other office.

Is something like this suitable? Just want to know the type of hardware I should be looking for.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Difference in IOS releases

Hello,

what the hell is the difference between:

UPD IP SRV 2 ADV IP ENCRYPT

ADVANCED IP SERVICES SSH

The bin filename is absolutely the same. In the release notes nothing is mentioned. Also my Google search did not result in anything.



Cost effective 1G BGP edge router?

I need to replace an old BGP edge router that's getting a bit long in the tooth. What's currently everybody's favorite BGP edge router with 1G ports?

I need full routes on this one, as the backup router only takes defaults. I'm not picky, but I'd like to avoid using Mikrotik or Ubiquiti. Refurbished or eBay is fine.

Current setup:

  • 2x upstreams at 1G each, full tables
  • IX with less than 300k routes
  • total peak traffic across all interfaces less than 1G

In this particular case I really am fine without an upgrade path to 10G. 1G interfaces are more than enough and will be for the foreseeable future. Also, I'm looking to contain costs by using 1G interfaces.



Computers refuse to route a subnet range to gateway

OK, feels like I'm taking crazy pills here. I have a MikroTik hAP; the network is pretty simple: LAN is 192.168.1.0/24, WAN is 172.x.x.x (I can't remember), and it has a VPN using some IP in the 192.168.10.0 range connected to this other remote site where they use the 192.168.0.0/24 range. The router has no problem getting to the remote site, and all computers have a single IP with a DHCP address in the 192.168.1.0 range. But here is the thing:

Computers refuse to send IP packets directed to the 192.168.0.0 range to the gateway. If you make a trace from any computer to 8.8.8.8, everything is fine; do it to 192.168.3.x and you get 3 or 4 hops before it gets lost in the ISP, but if you trace to something in the 192.168.0.x range, I don't get even a single hop, and the MK doesn't get a single packet addressed to that range.

I disabled all rules in the MK: no firewall (except the masquerade for NAT), no VPN, only one route (0.0.0.0/24 to the 172 gateway), nothing beyond the basics, only 2 networks, LAN & WAN, and I even added an explicit route on a machine (192.168.1.0/24 via 192.168.1.1), but nothing.

I'm not a great (or good (or even acceptable)) netadmin, and I'm sure I'm missing something obvious here. I would be grateful for any advice you can give me. I'm returning tomorrow to check if I can change the server address in some s**a* old software so I can use some other range than 0.0, and maybe do a packet capture; I hate working with TeamViewer.



Top Remote Access VPN

Hello,

I was looking at Cisco AnyConnect and Juniper Pulse VPN options. The issue is that they charge per connected user. I want it to have Active Directory integration and a web user portal where the users can log in. I'm expecting up to 120 users at a time being connected. It also has to provide access to only one VLAN. I was looking at the Juniper SRX 340/345 or a Firepower 1120 as a combo firewall unit. We have a budget of about $2500 for both a firewall and VPN. I don't mind looking at different firewall vendors.

https://www.cdw.com/product/cisco-firepower-1120-next-generation-firewall-firewall/5617296?pfm=srh

https://www.cdw.com/product/juniper-networks-srx340-services-gateway-security-appliance/4718419?pfm=srh



VACL redirect to firewall

Hi,

I have some VLANs with their default gateways on a firewall which is slow to process traffic.

I would like to move the gateways onto a switch (SVI).

For some traffic that goes between VLANs I would like the switch to forward the traffic. For example, a program that copies large datasets on a specific port from a computer in VLAN A to a computer in VLAN B. For all other inter-VLAN traffic I want the firewall to make the decision on what to allow through.

Is this generally possible, or is there a better design (without moving services between VLANs or buying a bigger firewall)?

Thoughts?

Cheers,

zcs3



Breakout Cisco 93108TC-FX

Hi,

I am speccing a new environment for our company. As all of our servers are running 10GBase-T, with the exception of some appliances, we have a much bigger need for copper than fibre. We have a separate SAN as well, so no need for FCoE. All these would be used for interconnecting 2 small computer rooms (I don't dare call them DCs) for their Internet traffic (hosting quite a few Internet services). At each location we need a bit more than 50 ports, so these Cisco Nexus 93108TC-FX seem pretty good for our case. Each location would get 2 for redundancy of course (in vPC), meaning we need 4.

My main issue is QSFP breakout documentation. I can't find the information for these switches. I find it for a lot of others but not for these specifically; is this good or very bad news? Anyway, my idea was to cable the QSFP+ ports straight to an MPO patch panel that would break them out into 4 LC ports, or something like that (I don't really know the terminology). In this way I could connect my 10G fiber appliances (Palo Alto, NetScaler, ...) on this patch panel, keeping it clean.

The big question is of course: is it possible? It appears that the chipset used is an LS1800FX, and that the 40/100G ports are ports 49-54; can these be broken out into 10/25G? Supposing the answer is yes, can it be done per 40/100G port, or does it automatically apply to multiple 40/100G ports (for example 2, 3 or 6)? Oops, almost forgot: I would like to run NX-OS; I do not want to run ACI.



Packetloss from a openVPN-client to a VLAN it's attached to.

Hello,

I am a bit lost with this one and would be grateful for your help!

The setup: the network consists of HP V1910-24G switches. The whole company is still running in VLAN_ID_1 within 192.168.2.0. The server which is running the OpenVPN server on Ubuntu Server is attached to VLAN_ID_30 within 192.168.22.0.

In the future, I want to create multiple VLANs with VPNs which connect to them. So consider this to be the evaluation setup.

The server's interfaces: the Ubuntu server is connected to port 14 on a switch, which is configured like this:

  • untagged membership: 30
  • tagged membership: 1
  • Link Type: Hybrid
  • PVID: 30

The interfaces of the server:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 4c:cc:6a:44:e0:db brd ff:ff:ff:ff:ff:ff
    inet 192.168.22.100/24 brd 192.168.22.255 scope global enp2s0
       valid_lft forever preferred_lft forever
    inet6 fe80::4ecc:6aff:fe44:e0db/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::8e8e:ff24:1aa3:fe9/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:8c:ec:6b:11 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
5: vlan_1_buero@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 4c:cc:6a:44:e0:db brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.100/24 brd 192.168.2.255 scope global vlan_1_buero
       valid_lft forever preferred_lft forever
    inet6 fe80::4ecc:6aff:fe44:e0db/64 scope link
       valid_lft forever preferred_lft forever
6: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:e3:00:d2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
7: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:e3:00:d2 brd ff:ff:ff:ff:ff:ff
11: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:03:5f:60 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe03:5f60/64 scope link
       valid_lft forever preferred_lft forever

The openVPN config

port 1194
proto udp
dev tun
ca ......
cert ......
key ......
dh ......
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 192.168.22.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1

The problem: I can't ping any device in the 192.168.2.0 net besides the gateway/router (192.168.2.1) over the VPN connection. 99% of the packets get lost. Here I have a tcpdump showing a ping packet that succeeded back to the pinging device.

13:52:33.558835 In ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
13:52:33.558862 Out 4c:cc:6a:44:e0:db ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
13:52:33.558866 Out 4c:cc:6a:44:e0:db ethertype 802.1Q (0x8100), length 104: vlan 1, p 0, ethertype IPv4, 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
13:52:33.559398 In 00:1d:aa:b5:ee:e8 ethertype 802.1Q (0x8100), length 104: vlan 1, p 0, ethertype IPv4, 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64
13:52:33.559398 In 00:1d:aa:b5:ee:e8 ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64
13:52:33.559427 Out ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64

Here is a packet which did not reach back to the VPN client.

13:52:34.571763 In ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
13:52:34.571790 Out 4c:cc:6a:44:e0:db ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
13:52:34.571794 Out 4c:cc:6a:44:e0:db ethertype 802.1Q (0x8100), length 104: vlan 1, p 0, ethertype IPv4, 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
13:52:34.572286 In 00:1d:aa:b5:ee:e8 ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 52, length 64

Seems like something is wrong with the VLAN tag on the packets.

How can I troubleshoot this? Thank you all!
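An added example (not part of the original post) that parses the two tcpdump excerpts above and, per ICMP sequence number, records whether the reply came back 802.1Q-tagged on VLAN 1 and whether it was ever written back to tun0. It assumes the capture was taken with tcpdump -i any, where frames on tun0 carry no link-layer address, and where a tagged frame on enp2s0 shows up twice (once as 802.1Q on the parent, once plain on the VLAN interface); the CAPTURE string is the post's own lines embedded as sample input.

```python
import re
from collections import defaultdict

# Constructed sample input: the tcpdump lines quoted in the post, captured on the
# OpenVPN server with "-i any". Frames on tun0 carry no link-layer address (no
# MAC printed); frames on enp2s0 / vlan_1_buero do.
CAPTURE = """\
13:52:33.558835 In ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
13:52:33.558862 Out 4c:cc:6a:44:e0:db ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
13:52:33.558866 Out 4c:cc:6a:44:e0:db ethertype 802.1Q (0x8100), length 104: vlan 1, p 0, ethertype IPv4, 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 51, length 64
13:52:33.559398 In 00:1d:aa:b5:ee:e8 ethertype 802.1Q (0x8100), length 104: vlan 1, p 0, ethertype IPv4, 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64
13:52:33.559398 In 00:1d:aa:b5:ee:e8 ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64
13:52:33.559427 Out ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 51, length 64
13:52:34.571763 In ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
13:52:34.571790 Out 4c:cc:6a:44:e0:db ethertype IPv4 (0x0800), length 100: 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
13:52:34.571794 Out 4c:cc:6a:44:e0:db ethertype 802.1Q (0x8100), length 104: vlan 1, p 0, ethertype IPv4, 10.8.0.6 > 192.168.2.20: ICMP echo request, id 5501, seq 52, length 64
13:52:34.572286 In 00:1d:aa:b5:ee:e8 ethertype IPv4 (0x0800), length 100: 192.168.2.20 > 10.8.0.6: ICMP echo reply, id 5501, seq 52, length 64
"""

# One "-i any" cooked line: timestamp, direction, optional MAC, ethertype,
# optional 802.1Q header, then the ICMP echo summary.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>In|Out) "
    r"(?:(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) )?"
    r"ethertype (?P<eth>802\.1Q|IPv4) \(0x[0-9a-f]+\), length \d+: "
    r"(?:vlan (?P<vlan>\d+), p \d+, ethertype IPv4, )?"
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse(capture):
    """Turn tcpdump text into a list of event dicts; non-matching lines are skipped."""
    events = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "dir": d["dir"],
            "mac": d["mac"],                                # None on tun0
            "vlan": int(d["vlan"]) if d["vlan"] else None,  # 802.1Q tag, if any
            "src": d["src"],
            "dst": d["dst"],
            "kind": d["kind"],
            "icmp_id": int(d["id"]),
            "seq": int(d["seq"]),
        })
    return events


def analyse(capture):
    """Per ICMP sequence number: how the reply arrived and whether it left on tun0."""
    by_seq = defaultdict(lambda: {
        "request_seen": False,
        "tagged_reply": False,          # a VLAN-tagged copy of the reply was seen
        "arrived_untagged_only": False,  # only a plain copy: frame really was untagged
        "delivered": False,             # reply written to tun0, i.e. back to the client
        "reply_vlans": set(),
    })
    for ev in parse(capture):
        rec = by_seq[ev["seq"]]
        if ev["kind"] == "request":
            rec["request_seen"] = True
            continue
        if ev["dir"] == "In":
            rec["reply_vlans"].add(ev["vlan"])
            if ev["vlan"] is not None:
                rec["tagged_reply"] = True
        elif ev["mac"] is None:
            # Out with no MAC: the kernel handed the reply to tun0 (no link layer).
            rec["delivered"] = True
    for rec in by_seq.values():
        # With -i any a tagged frame is shown both as 802.1Q on the parent and as
        # plain IPv4 on the VLAN interface, so a plain copy on its own means the
        # switch delivered the reply untagged (on the PVID side of the hybrid port).
        rec["arrived_untagged_only"] = (None in rec["reply_vlans"]) and not rec["tagged_reply"]
    return dict(by_seq)


def lost_sequences(capture):
    """Sequence numbers whose request was seen but whose reply never reached tun0."""
    return sorted(seq for seq, rec in analyse(capture).items()
                  if rec["request_seen"] and not rec["delivered"])


def report(capture):
    lines = []
    for seq, rec in sorted(analyse(capture).items()):
        if rec["tagged_reply"]:
            how = "tagged"
        elif rec["arrived_untagged_only"]:
            how = "untagged only"
        else:
            how = "no reply"
        lines.append(f"seq {seq}: reply {how}, delivered to tun0: {rec['delivered']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(CAPTURE)))
    print("lost:", lost_sequences(CAPTURE))
```

A reply for 10.8.0.6 that arrives untagged on enp2s0 while the best route back to 192.168.2.20 points at vlan_1_buero is exactly what a strict reverse-path filter (net.ipv4.conf.*.rp_filter=1) discards, so that sysctl and the switch's egress tagging for VLAN 1 on port 14 are the two places this output points at.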



Cisco Anyconnect integration with Aruba Clearpass

Since I haven't managed to find much info online, does anyone have experience with using Aruba ClearPass as a RADIUS server for the Cisco AnyConnect client?

Is it even supported?

We have tried anyconnect with ISE which works obviously but would be interested in testing aruba clearpass.

Thanks



Cisco WLC new SSID unable to access the internet

Hi,

I have set up a new SSID but it seems like I'm not able to access the Internet or even its gateway. We are using just local and not FlexConnect.

Question:

  1. If I'm using local and not flexconnect, client traffic will be forwarded to WLC then to internet right?
  2. From the comparison below, I'm able to ping the internet, even sourcing from the personal-device interface, but when I use test_263 as the source I'm not able to ping the internet or the gateway address. (Am I using the correct command?)
  3. Is there anyway I can check if the client under new SSID can access the internet from the WLC?

I checked that there is no ACL added on the security tab of the WLC. Is there anything I'm missing? Note: from the gateway, which is the switch, I'm able to ping the WLC new SSID interface, which is 10.184.58.5.

### INTERFACE SUMMARY

Interface Name     Port  Vlan Id  IP Address     Type     Ap Mgr  Guest
guest              LAG   689      192.168.0.10   Dynamic  No      No
personal-device    LAG   688      192.168.16.10  Dynamic  No      No
test_263           LAG   263      10.184.58.5    Dynamic  No      No

### TESTING

(WLC) >ping 8.8.8.8
Send count=3, Receive count=3 from 8.8.8.8

(WLC) >ping 8.8.8.8 test_263
Send count=3, Receive count=0 from 8.8.8.8

(adnt-ea0736ac1) >ping 10.184.58.2 test_263
Send count=3, Receive count=0 from 10.184.58.2

(WLC) >ping 8.8.8.8 personal-device
Send count=3, Receive count=3 from 8.8.8.8

### GATEWAY SWITCH TO NEW SSID INTERFACE

#ping 10.184.58.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.184.58.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

Thanks



Cloud, is it even worth it? (based on cost)

What's up everyone,

this post was made more with the question towards the big cloud providers as of now,

a simple math calculation for the cost of a csr1000v with a f9 load balancer for a period of 1 year came out as expensive as buying a brand new physical (mid-size) Cisco router with a f9 load balancer.

Obviously the physical appliances will last for years and eventually come out cheaper, even with the electricity bills included.

Am I missing something? For a couple of servers and databases I might find it worthwhile (if I were to go to a cheaper and not so popular cloud provider).

Something else which does look better on many points would be a private cloud that you own and manage, virtualized environment from appliances to servers and databases, with physical switches connecting to this virtual environment.



Upgrade path from basic pfsense routers? (Shadow IT)

Hi there, I work for an internal tools group inside a relatively huge company. For various reasons, we've been forced to deploy our own infrastructure pods at various sites to speed things up. At the moment, we use a pair of pfSense boxes as the gateway into the pod, allowing us to have a bit finer-grained access control at that network boundary. (They also allow us to conveniently NAT out certain functions as and when required, and keep other services internal to that pod.) Multiple WAN connections are common, but we don't really do any IPS or IDS, which are corporate IT's problem farther up the chain. (These are primarily management devices, not security barriers!)

Now, pfsense is great and all, but it has a few major drawbacks that I'm sure folks using them may be very familiar with (although it has a killer web UI that's absolutely fantastic):

  1. No automated setup (API or CLI). (Sorry, the php shell just doesn't really do it for us.)
  2. Occasional support or purchasing issues due to Netgate's small size.

Required feature summary:

  1. HA IPv4 IPs (something similar to CARP). (IPv6 obviously supports multiple gateways to begin with.)
  2. Basic flow-based firewall, no IDS, IPS, fancy features.
  3. Good API and/or CLI.
  4. Decent web UI.
  5. 10 Gbit/s traffic handling in basic layer 3 NAT forwarding role.
  6. Site-to-site and client VPN capability. (Speed not very critical, sub-gigabit.)
  7. Reliable hardware.
  8. Excellent 24/7 support.

What upgrade paths, vendors, etc... have folks tried from a basic setup like this? I'm aware of and have been investigating several (will post results here too for folks to learn from):

  1. Setting up our own Linux-based routers. (Not really desirable due to complexity and the amount of folks we have available to build and maintain them.)
  2. Fortinet (investigating in our lab).
  3. Sophos (investigating in our lab).
  4. Palo Alto (used by corporate IT, but way beyond for what we need and priced accordingly)
  5. Cisco ASA (not heard great things).
  6. Juniper (we're currently an Arista shop, so this is not really being looked at very hard).


[BLACK FRIDAY] EVE-NG 50% OFF Code BLACKEVE2019

I am not affiliated in any way with EVE-NG; I just thought the community would benefit from this, hence sharing it here.

EVE-NG is running 50% off for their paid versions; the Community version is still free.

If you don't know what EVE-NG is, do check out their website https://www.eve-ng.net

Youtube demo for professional version Youtube Link

Eve-ng Feature Comparison : Features

EVE-NG 50% OFF Code BLACKEVE2019 : BUY



Wednesday, November 27, 2019

Mellanox MLAG problem ?

2x SN2700 connected to each other via IPL/MLAG.

Latest firmware. It worked for a few weeks but then suddenly clients were not pingable anymore.

any idea what these errors mean ?

[MLAG_MAC_SYNC_PEER_MANAGER.NOTICE] Failed to grow the pool size, err -12

[MLAG_MAC_SYNC_PEER_MANAGER.NOTICE] Need to mark the MACs as DENY, cnt:0 < record_num:81



Need help migrating an old Firebox SOHO 6 to a new account.

I have an old Firebox SOHO 6 that was happily running for years under the old administration account. However, I recently replaced all the units with newer models, but I would still like to use this on its own network. (isolated from the main network, as a failsafe more than anything)

The problem is, I would like to be able to upgrade the firmware to a newer version, however the machine's serial number is tied to the old administration account... Is there any way that I can migrate that to my account? The employee that managed it before is long gone.

Thanks everyone -- this is my first post here so I don't know what to expect!



Session close after SIP - BYE is received

Hello, our Palo Alto FW does not close the session when the SIP BYE is received. So the session falls into the session timeout timer, and by default this is 1 hour.

This will result in sessions that are open for more than 3 months and sometimes will get stuck.

As far as I understand, a SIP BYE should be like a session end. Can someone explain to me why the FW thinks it should not terminate the session? Any ideas? I cannot understand this default behavior.



Testing Demo Access Points

Hello,

I work for an MSP and we have a vendor who is looking to partner with us. They have supplied us with some access points as we are looking at using them for an upcoming wireless roll out for a client.

I have been tasked with taking these demo units home and testing them. I am just wondering what you guys do when testing things like these? I would love to be able to simulate a high number of users etc.

Cheers



How many WAPs can you put on a single channel using arbitration before you start having issues?

And what do those issues looks like?

I'm a computer enthusiast currently studying for an information security certification in the hopes of turning my hobby into a career. Along the way, I do what I can to familiarize myself with any concept I can, and I'm currently doing some reading on networks. I've recently learned about 802.11's channel arbitration and I understand how it works, but I'm wondering what its limits are. My questions are:

1) Is there a defined limit to how many WAPs can be on a single channel using arbitration, or is it dependent on other factors?

2) If you do use too many on a single channel, what kind of problems do you run into? Would it just result in a simple disconnection?

3) And although unrelated to the main question, are there any known exploitation concerns with channel arbitration, like causing the coordination between the WAPs to falter and interfere with one another?

Thank you for your help.



Let’s talk event-driven automation.

I think a lot of us here probably agree that network infrastructure configuration management and orchestration is relatively easy to automate, and will probably become the golden standard going forward.

What interests me a lot more, is event-driven automation at the network infrastructure level. I think that the most exciting prospects live there. What do you guys think about event-driven automation? What is already out there? What is possible to attain?

Here’s an example from a NANOG presentation that was recently shared in another thread.

https://archive.nanog.org/sites/default/files/1_Ulinic_Network_Automation_At_v1.pdf (Cloudflare’s self resilient network (starts on slide 66.))

They basically aggregate collection of network performance metrics with configured IP SLA Probe & RPM Probe results in SaltStack and automatically change configuration to either pull anycast advertisement from certain nodes, or disable peering with a transit provider depending on things like interface load, errors, or packet loss.

According to the presentation this results in 120 configuration changes a day on average, all with zero human intervention. This means that their network basically detects certain problems and attempts to correct them automatically.

I find that incredibly cool. And yeah, it’s probably not perfect, and it didn’t seem to mitigate a large scale outage they recently had due to BGP leaking, but how many routine incidents do you think they are able to mitigate with these measures, where users in a certain region who would experience service degradation due to loss and congestion don’t even notice anything because they’re suddenly routing down a different path or even hitting a completely different anycast node as soon as problems are detected?

From an enterprise perspective, I envision event-driven automation in the form of an incident being created automatically triggering a script. The incident must include the user’s pc name or IP, and the destination URL they’re trying to reach. The script would basically check dns resolution, trace the end-to-end path through the enterprise network from source to dest, and vice versa, as well as dump out interface statistics along that entire path, check firewall logs based on src/dst, and even grab the Mac and port info of the user, and automatically update the incident with all of the collected info. Within seconds of the ticket being put in, the responding technician gets all the information he needs included in the ticket to quickly determine if the problem is likely something on premise, or a distant end problem.

Going a step further you could even try to automate “fixing” the problem if certain tests fail.

When trying to think of what else could be automated, think of the last network problem you fixed at work. Could you identify what you observed to determine the root cause, what the fix action was, and what the symptoms were? How methodical was your troubleshooting process? Could it have been done by a script? Or, in other words: could you translate your troubleshooting methodology into a set of scripts, essentially "teaching" your network to "think" and act like you?

Maybe some of what we fix required deep dives into pcaps and conference calls with vendors, but aren't there a lot of other tasks that were simple quick finds based on some output we found in the CLI? "Oh, there's no return route to the host," or "oh, 50k input errors a second. Let's shut this port and try cleaning the fiber and checking the SFP."

What else do you all see developing in the future? I know Cisco is doing some interesting things in the campus arena with their SD-Access. It may not be the most popular thing out there, but the general concept is extremely cool and has enormous potential. (Basically certain configuration like vlan, access levels, firewall rules and more can “follow” a user around the network wherever they go.)

How do you all think event driven automation can integrate into the network to help us do our jobs better... or put us all out of a job, if that’s how you see things. ;) Kidding on that last one. Happy Turkey Day everyone!
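As an added illustration of the closed loop described in the Cloudflare slides above (my own sketch, not Cloudflare's or SaltStack's code), here is a small controller that consumes probe samples and emits withdraw-anycast / disable-peering actions, with hysteresis so that one noisy sample does not flap the network. Node names, thresholds and the sample timeline are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical thresholds; a real deployment tunes these per site and per link.
WITHDRAW_LOSS_PCT = 5.0    # probe loss at or above this pulls the node from anycast
RESTORE_LOSS_PCT = 1.0     # loss must stay below this ...
RESTORE_SAMPLES = 3        # ... for this many consecutive samples before restoring
LINK_ERRORS_PER_S = 100.0  # input errors/s on a transit link that shuts the peering
LINK_LOAD_PCT = 90.0       # transit link utilisation that shuts the peering


@dataclass(frozen=True)
class ProbeSample:
    node: str            # anycast edge node (constructed name)
    transit: str         # transit provider peered at that node
    load_pct: float      # transit interface utilisation from the metrics pipeline
    errors_per_s: float  # interface input errors per second
    loss_pct: float      # loss measured by the IP SLA / RPM probe from this node


class Controller:
    """Event-driven policy: each sample may yield zero or more config actions."""

    def __init__(self):
        self.withdrawn = set()                 # nodes currently pulled from anycast
        self.peer_disabled = set()             # (node, transit) peerings shut down
        self.healthy_streak = defaultdict(int)  # consecutive clean samples per node

    def handle(self, s):
        actions = []

        # Transit link health: errors or saturation shut that one peering.
        link = (s.node, s.transit)
        if (s.errors_per_s > LINK_ERRORS_PER_S or s.load_pct > LINK_LOAD_PCT) \
                and link not in self.peer_disabled:
            self.peer_disabled.add(link)
            actions.append(("disable_peering", s.node, s.transit))

        # Node health: loss withdraws the anycast prefix; restoring needs a
        # clean streak, and the grey zone between the thresholds resets it.
        if s.loss_pct >= WITHDRAW_LOSS_PCT:
            self.healthy_streak[s.node] = 0
            if s.node not in self.withdrawn:
                self.withdrawn.add(s.node)
                actions.append(("withdraw_anycast", s.node))
        elif s.loss_pct < RESTORE_LOSS_PCT:
            self.healthy_streak[s.node] += 1
            if s.node in self.withdrawn and self.healthy_streak[s.node] >= RESTORE_SAMPLES:
                self.withdrawn.discard(s.node)
                actions.append(("restore_anycast", s.node))
        else:
            self.healthy_streak[s.node] = 0
        return actions


def run(samples):
    """Feed a timeline of samples through one controller; return the actions in order."""
    ctl = Controller()
    out = []
    for s in samples:
        out.extend(ctl.handle(s))
    return out


# Constructed timeline for one node: a loss spike, a burst of link errors, a
# brief grey-zone reading that resets the streak, then three clean samples.
SAMPLES = [
    ProbeSample("ams1", "transitA", 40.0, 0.0, 0.2),
    ProbeSample("ams1", "transitA", 45.0, 0.0, 8.0),
    ProbeSample("ams1", "transitA", 45.0, 500.0, 0.5),
    ProbeSample("ams1", "transitA", 30.0, 0.0, 2.0),
    ProbeSample("ams1", "transitA", 30.0, 0.0, 0.3),
    ProbeSample("ams1", "transitA", 30.0, 0.0, 0.4),
    ProbeSample("ams1", "transitA", 30.0, 0.0, 0.2),
]

if __name__ == "__main__":
    for action in run(SAMPLES):
        print(action)
```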



Routing through VPN Tunnels

Here's a quick run down of my topology-

Datacenter location (Cisco ASA) 10.0.0.0/24 <><><><>Site to site VPN<><><><>East coast branch office (Fortigate) 172.16.23.0/24

Datacenter has 10+ other remote locations with site to site tunnels in various other subnets- 192.168.x.x/24

My client has requested access to the other remote locations from the east coast branch office through the Datacenter. For example, a host in the 172.16.23.0 network wants to access services in the 192.168.x.x range. I checked this out and it looks like, because the other networks connected to the ASA at the datacenter are site-to-site tunnels and not local networks, it's not just a matter of adding them into the IKE phase 2 selectors. I believe this is "hairpinning".

Any of you have thoughts on this. I'm trying to confirm if I need to configure routing,etc. on the ASA, Fortigate or both!

Thanks!



DHCP Issues - Dell 4148 OS10 Smart Fabric

New to Dell switches. I guess the model probably doesn't matter as much as it running OS10.

I have set up ports 50 and 51 to be VLAN13. The VLAN happens to be for iDRAC and other mgmt tasks. I tried setting up DHCP on the switch, and I have tried setting them up with a DHCP helper. Neither one worked.

Attempt 1: DHCP straight from the Smart Fabric docs
OS10(config)# ip dhcp server
OS10(config-dhcp)# pool VLAN13
OS10(config-dhcp-Dell)# default-router 192.168.1.1
OS10(config-dhcp-Dell)# network 192.168.1.0/24
OS10(config-dhcp-Dell)# range 192.168.1.1 192.168.1.20

Made sure to run no disable. So I presume it would hand off DHCP addresses to our iDRACs plugged into the switch. The iDRACs are set to DHCP. No luck. Seemed pretty straightforward.

Since that didn't work I tried using DHCP relay back to our Windows DHCP server.

On ports 50 and 51 I have an R640 plugged in via the iDRAC ports. I ran ip-helper ipaddr_of_our_server. I don't think there is anything else to do other than that. They are set to access ports and have VLAN13 configured.

I don't currently have access to the switches to grab the configs, but these are pretty vanilla.

When logged into the switch I can ping the server at the office, so I'm pretty sure nothing is blocking. I am sure I missed something simple.



How do devices connect to WiFi Automatically? Man in the Middle Attack related

Assuming the device has the setting to connect to WiFi automatically, how does it determine which one to connect to? Is it based on SSID?

Let's say my default network is called Supersonic-5G and has a password of '123thisisastrongpassword'

and then let's say I go out in public and there's a man-in-the-middle WiFi device called Supersonic-5G and it is not password protected. Will my device automatically connect to that device?



Switching Pri WAN gateway on Cyberoam 100ing, static IPv4 route?

So tonight I went about swapping primary WAN ports on my Cyberoam here at work, from a 10mb to a 1GB fiber circuit (do you even call them circuits anymore?).

Anyway, I set up the two WAN ports as a failover group, with the new one being Backup and the old one being Active. Then I unplugged the old one. The FW looked like it failed over just fine: the new GW came online but no traffic was being passed. Pings, traceroutes, bouncing all the switches between me and the FW... nothing was passing to the new GW address. I tried swapping things around a few different ways, including tapping a laptop directly into the UBNT GSW the new fiber provider terminated their fiber on here. On interface ETH1 I could not pull DHCP, but I could statically set the laptop to any of our 4 external IPs and traffic was passing from it to the internet.

Plug back into the Cyberoam and nothing. That is, until I set a static unicast IPv4 route:

  • 0.0.0.0/0.0.0.0 <GW address> PortH (new wan port)

Immediately my idle ping terminal windows began to fill up.

My question to you fellows is.. if the previous setup did not need a static route, why did I have to create one? And should I be worried about not having a multicast route?



Best NIC for ESXi edge

We're an MSP running many public and private VMware ESXi workloads. We mostly use Dell hardware but HP and Supermicro are also employed. We run a mixture of network adapters with Mellanox, Intel, Broadcom and QLogic chipsets (ignoring vendor implementations) / driver combos. Interconnects are 1G copper, 10G SFP+ MM/DAC and the remote end is typically Juniper/Cisco/Dell.

We have noticed over the course of several years, using the combined experience of several networking/VMware colleagues, that QLogic/Broadcom 1/10G adapters experience the most outages (side note: in almost all cases fw/driver up/down-grades fixed the issue). Intel seems to be the most preferred option among the people I've met on this topic, as these adapters don't seem to be running into issues in the first place, or far less often than their competitors.

How has your experience been?



Microsoft Office Academic Course text book

Hey, I'm looking for the pdf version of the MOAC Networking with Windows Server 2016 textbook. Please help



Multiple VLAN trunks on a Mikrotik?

As a Cisco certified idiot, it just baffles me how MikroTik's VLAN configuration is totally different (all the other vendors I have experience with copy Cisco's way).

For this context I have a Mikrotik CRS 328 and a RB2011.

Here is what I am trying to do...

-The CRS receives VLANs 2,3,4,5,6,7 and 8 on its trunk on SFP-SFPPlus1.

-Vlan 2 is a management VLAN and I have created a VLAN interface with an IP address and it pings correctly from the entire network.

-I created a bridge_trunk which I use to tag and untag all the VLANs on various interfaces.

-I have created access ports (VLANs 7, 6, 5) and tested them successfully (my laptop received DHCP and internet access from there).

-Now the problem. I also want to create a trunk (VLANs 2, 3, 4, 5) between the CRS328 and RB2011. The interface I used for that was SFP20. I put VLANs 2, 3, 4, 5 as tagged on both ends. I created a VLAN interface for the management VLAN, but the problem is it won't ping. It starts pinging when I connect it to a trunk on a Cisco, but not when I connect it to the CRS 328.

For the purposes of my testing all the SFPs are connected to RJ45-SFP connectors.



Some sort of PDF showing commands

So I did a bachelor's in network security about 4 years ago but only got a year into it, which got me to CCNA 2 topics, before I had to leave due to some family problems. I'm only starting to get back into it and I'm going over what I have and using Packet Tracer. I can't seem to find my journal of the router/switch commands for the CLI, so is there some sort of PDF or something out there so I'm able to jog my memory? Cheers in advance



What in a network will affect TCP window size?

I know that the TCP window size is "completely negotiated by the clients". However, I've run into a case where I have two separate connections. Both are just Ethernet handoffs from two different ISPs, and clients on one of the networks will negotiate a vastly different TCP window size.

One client (let’s call it C1) is at our facility. The other client is a web server in a digital ocean DC.

If I put C1 on network A and download a file from the web server (or run iperf), C1 and the web server will automatically negotiate a fairly high TCP window size (1.5-2MB), at least enough to max out the 100Mbps connection.

Now if I take C1, physically unplug it and plug it into network B, and run the same exact test, I'll see the TCP window size sit at 64k or lower. The download will be all over the place. It will jump from 3-4MB/s, then drop down to ~700KB/s and then shoot back up to 1-2MB/s, etc. I've never seen anything more than 4-5MB/s and that's not even close to stable.

Connection A is a 100Mbps line. Connection B is a 400Mbps burstable to 1Gbps.

So connection B should be faster but it’s almost 3-4 times slower.

I’ve checked for retransmission, dropped packets, and errors on interfaces but don’t see anything causing the problem.

I’m just looking for anything that might point me into a direction to investigate further. Any suggestions?



Cisco SG550XG to Nexus 3548 10gig fiber not linking

Hello

So I've been trying to get these two switches to link through 10G fiber. It doesn't link at all, even though I've made sure configuration is in place on both sides.

Nexus:
Ethernet1/48 is down (Link not connected)
Dedicated Interface
Hardware: 100/1000/10000 Ethernet, address: xxxx.xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx.xxxx)
Description: "LINK to SG500XG-8F8T 1/12"
MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA
Port mode is trunk
Full-duplex, 10 Gb/s, media type is 10G
Beacon is turned off
Input flow-control is off, output flow-control is off
Rate mode is dedicated
Switchport monitor is off
EtherType is 0x8100
Last link flapped never
Last clearing of "show interface" counters never
0 interface resets
Load-Interval #1: 30 seconds
30 seconds input rate 0 bits/sec, 0 packets/sec
30 seconds output rate 0 bits/sec, 0 packets/sec
Load-Interval #2: 5 minute (300 seconds)
input rate 0 bps, 0 pps; output rate 0 bps, 0 pps

Ethernet1/48
transceiver is present
type is 10Gbase-SR
name is CISCO-FINISAR
part number is FTLX8571D3BCL-C2
revision is A
serial number is XXXXXXXXX
nominal bitrate is 10300 MBit/sec
Link length supported for 50/125um OM2 fiber is 82 m
Link length supported for 62.5/125um fiber is 26 m
Link length supported for 50/125um OM3 fiber is 300 m
cisco id is --
cisco extended id number is 4

version 6.0(2)A6(1)

interface Ethernet1/48
description "LINK to SG500XG-8F8T 1/12"
switchport
switchport mode trunk
no shutdown

SG550XG

Port Temp Voltage Current Output Input LOS
[C] [Volt] [mA] Power Power
[mWatt] [mWatt]
----------- ------ ------- ------- ------- ------- ---
te1/2/12 N/A N/A N/A N/A N/A N/A

te1/2/12 10G-Fiber -- -- -- -- Down -- --

interface tengigabitethernet1/2/12
description "LINK to NEXUS Eth 1/48"
switchport trunk allowed vlan add x,x,x,x,x,x

Unit SW version Boot version HW version
------------------- ------------------- ------------------- -------------------
1 1.4.11.2 1.4.0.02 V03

Any help is appreciated! Tried everything!



Draytek router

I need a DrayTek ISO. Where can I find a virtual ISO?



"8~" Character in ssh session in teraterm

I am using Tera Term to SSH to Huawei devices. However, in the SSH session about every minute or so I get the following character: "8~", which is annoying. Any ideas?



HELP: I landed a senior-level position I'm not qualified for.

Hey there, some background info on myself:

I've got 5 years in the industry. 1 as an intern and 4 as an FTE. During my tenure I've gotten some good experience. I've been quick to learn and pick up on things. I like to think I know what I'm doing for the most part. I have my CCNA, I've been to a CCNP bootcamp (haven't taken the test because I knew Cisco was doing a refresh soon and didn't want to bother doing a deep-dive on legacy tech like frame-relay). Most of my current job duties are designing networks for company integrations and acquisitions for a reasonably large company (40k employees).

I recently interviewed for a senior level position because I want to start doing more high-level design work to challenge myself. Lo and behold I was extended an offer, but I feel unqualified. I'm extremely resourceful, but with the tenure and the nature of my current job, I just haven't been exposed to a lot of tech in networking. (I only have rudimentary knowledge in firewalls and higher-level design topics).

I'm pretty resourceful and generally figure things out and I like to think that I do my job well, but I function best when I have someone smarter than me to bounce thoughts off of, and I would be "The Guy" at this new position, albeit a much smaller environment, but still global. This position would be a 44% raise from my current salary. A life-style altering amount of money.

My current company offered me a pretty laughable increase to entice me into staying (not even a quarter of the increase the other company is offering). The only thing really holding me there is the love for my team members and the stability of the company.

I don't really know what to do. I'm young and I've made the mistake of thinking the grass is greener on the other side before, but it's going to take another 5-10 years to make what this company is offering me where I'm at now and I'm getting jaded with my current job duties. Any insight or advice would be great.



Class E - Reserved for future use

We live in the future, but still we can't use 240.0.0.0/4, why /r/networking ? Don't give me the usual v6 bs.. Most people here surely hate v6.



Cisco CSR1000v AWS use cases?

If you are using Cisco CSR1000v in AWS, then I would really appreciate it if you share your use case. I understand it provides the same look and feel as your enterprise WAN running IOS-XE based routers. I also understand the arguments in favor of enhanced visibility/tools. I am interested in finding out from people who have deployed CSR1000v what your main use case was, keeping in mind AWS offers some of these services (AWS VPN, Transit VPC, VPN CloudHub etc.). Please note that I went through the Cisco white papers on CSR1000v use cases and there are many (for example VM mobility using LISP). But I am not sure of the adoption rate in the broader community, hence this post.



Connecting 2 switches with 2 cat5 cables. Please check me

Both switches have VLAN 10 and VLAN 20

A cable is run from Switch-A (port on vlan 10) to Switch-B (port on vlan 10)

A cable is run from Switch-A (port on vlan 20) to Switch-B (port on vlan 20)

Regardless of STP being on or off, the above will NOT cause a network loop, correct?

If STP is enabled, then it will just block one of the interfaces.

I am not trying to get LAG from this and understand using trunk/tagging is the way to go, but I'm just curious if the above would cause a loop.

Thanks
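
A quick way to reason about the question above is to model each cable as an edge carrying a set of VLANs and ask, per VLAN, whether those edges close a cycle; a broadcast in VLAN 10 is never forwarded out a VLAN 20 access port, so only same-VLAN paths count. The following is an added example, not code from the post; the switch names and the three topologies are constructed for illustration.

```python
"""Per-VLAN loop check for a small L2 topology (added example, not from the post).

Each link is (switch_a, switch_b, vlans): an access port carries one VLAN, a
trunk carries several. A bridging loop exists for a VLAN when that VLAN's links
on their own form a cycle. Switch names and links are constructed.
"""
from collections import defaultdict


def vlan_loops(links):
    """Return the set of VLANs whose links form a cycle.

    Union-find per VLAN: adding an edge whose endpoints are already connected
    closes a cycle in that VLAN's broadcast domain.
    """
    per_vlan = defaultdict(list)
    for a, b, vlans in links:
        for v in vlans:
            per_vlan[v].append((a, b))

    looped = set()
    for vlan, edges in per_vlan.items():
        parent = {}

        def find(x):
            parent.setdefault(x, x)
            while parent[x] != x:
                parent[x] = parent[parent[x]]  # path halving
                x = parent[x]
            return x

        for a, b in edges:
            ra, rb = find(a), find(b)
            if ra == rb:
                looped.add(vlan)
                break
            parent[ra] = rb
    return looped


# The post's design: one access cable per VLAN between the same two switches.
ACCESS_PER_VLAN = [
    ("Switch-A", "Switch-B", {10}),
    ("Switch-A", "Switch-B", {20}),
]

# Two cables that both carry VLAN 10 (two access ports in the same VLAN).
SAME_VLAN_TWICE = [
    ("Switch-A", "Switch-B", {10}),
    ("Switch-A", "Switch-B", {10}),
]

# A trunk carrying both VLANs plus a VLAN 10 access link: VLAN 10 loops, VLAN 20 does not.
TRUNK_PLUS_ACCESS = [
    ("Switch-A", "Switch-B", {10, 20}),
    ("Switch-A", "Switch-B", {10}),
]

if __name__ == "__main__":
    for name, topo in [("access per VLAN", ACCESS_PER_VLAN),
                       ("same VLAN twice", SAME_VLAN_TWICE),
                       ("trunk plus access", TRUNK_PLUS_ACCESS)]:
        print(f"{name}: looped VLANs = {sorted(vlan_loops(topo)) or 'none'}")
```

This is the data-plane view, which is what per-VLAN spanning tree (PVST+/Rapid PVST+) also sees: each VLAN's instance has a single path, so nothing is blocked. A single common spanning tree (802.1D/802.1w without per-VLAN instances, or MSTP with both VLANs in the same instance) sees two parallel links between the same two bridges and blocks one of them, which is the behaviour the post anticipates. The check also shows why the usual trunk-plus-stray-access-cable mistake does loop.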



VyOS

Hello,

Is anyone using VyOS in production?

What's your thoughts? Have you used the LNS/L2TP?

Looking to review it and potentially trial it in production for DSL services.

Thanks, Pádraig



Tuesday, November 26, 2019

Router dead until Ethernet plugged in

Came home and the home router's power light was blinking red faintly. Tried a different outlet and resetting, to no avail. Couldn't find a backup. Plugged in Ethernet but couldn't get to the modem page using the IP address, though I thought I was typing the right IP (took off the sticker). Went to go find info but came back to the modem working. My Ethernet was plugged in. Just want to see if there is anything that might cause this; maybe the reset took longer than expected?



Syncing Production Configs with Lab Configs

Much of this year has been spent on a long term, complex, project where the risk of breaking things was high. Much of the work that we did this year was performed in a lab before it ever reached production. The process of keeping our lab in sync with how production routers looked was pretty cumbersome. I recently wrote a webapp that makes it a little less cumbersome and ultimately has the goal of being completely automated from slurping up production configs, rendering lab configs, and pushing the configs to the lab devices.

I wrote a blog about this early version of the webapp, which I'm calling prod2lab.

https://netdevops.io/2019/11/26/automated-production-config-creation.html



Duplicate ip message in logs while trying to use a floating ip

https://ift.tt/2snshIV

Meraki versus Sagemcom for my home devices - I should be able to solve this, but can't!

I'll try to keep this short. I'm a sometime network architect, support engineer. Self-taught, probably undercooked in experience. I work with IP networks on a daily basis and have been for 7+ years. I know enough to be dangerous, but don't ask me to wireshark my way out of this :)

I'm annoyed by this, because I feel like it's solvable and I should have the necessary knowledge to get to the solution, but I can't and it's been troubling me for a couple of weeks.

I have cable internet from the second biggest ISP here in Australia (Optus) with their standard Sagemcom F@ST 5353 Gateway.

I have a Meraki MS220-8 switch and two Meraki MR30H APs.

I have two air conditioning units by an Australian brand (Rinnai) with some Chinese Wi-Fi chipset I forget the name of, running an iOS app called 'AC Freedom'. I've managed to get these paired once, via Meraki Wi-Fi, but never again after they randomly dropped. I've followed all the manufacturer rules (2.4GHz only - no special characters in the passphrase - no spaces in the SSID) and still no pairing to the app.

I had given up, until I got my two new Wyze cameras yesterday. The pairing system between the cameras and the app is eerily similar to the AirCon pairing process - right down to the screen layout, SMS code confirmation countdown timer and the requirements of the network I listed above. Including the fact that it just won't work on Meraki.

The instructions for the Wyze are aimed squarely at the home user with an ISP router ("you'll have two networks, one appended with a 5G or 5Ghz - make sure you don't connect to this one"). So, on a whim I turned Wi-Fi back on in the ISP Sagemcom router and began the pairing process against the default 2.4Ghz network.

BOOM! All good.

Back to the aircon…..yep, you guessed it. Straight in. No issues.

So, why can't the Merakis handle these devices, even with all the 'rules' being followed? I've run out of things to tweak (well, not strictly true, but I've turned off all bells and whistles and defaulted everything down to the basics).

ISP router out-of-the-box: no issues.

Meraki - basic default config - no dice!

I'm so confused and I'd love to get these devices back on to the Meraki network as I'm going to introduce an MX security appliance soon and would prefer my aircon and cameras to be behind something a bit more solid than an ISP router with no firewall.

Any thoughts or lines of investigation you can suggest?

TL;DR - ISP router works for devices but Meraki does not. What on earth could the Meraki be doing to prevent these devices working, that the Sagemcom isn't?



What is your best technical interview question for a network analyst?

I have a supplemental test to give interviewees and need to gauge their network knowledge in layer 3, firewall and VPN.



Need help with IPtables redirecting all traffic from one ip:p1 to a different ip:p2

New to this iptables stuff; I tried but it looks like I am missing something. So, the issue is we have a host that will try to connect to ip1:9094, but since that ip1 is not accessible from this host, we have a different endpoint and port that we can access, i.e. ip2:36397. We are able to telnet to the second IP (ip2); we played with iptables a bit but no luck. What we are assuming is that once we have these iptables rules correctly set up, we can telnet to the first IP (ip1) also, as that is redirecting to ip2. Both the IPs are external. Are we missing something here? Is it the correct tool to use for this scenario?
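
iptables is the right tool for this, and the rewrite the post describes is a DNAT. The chain matters: connections the host itself opens (the `telnet ip1 9094` case) go through the nat OUTPUT chain, while connections from other hosts routed through this box go through nat PREROUTING and then need source NAT so ip2's replies come back through the same path. The following is an added example, not code from the post or from the iptables project; the addresses are RFC 5737 documentation addresses standing in for ip1 and ip2, and the script only builds the commands unless asked to run them (which needs root).

```python
"""Build (and optionally apply) the iptables NAT rules that send traffic bound
for ip1:9094 to ip2:36397 instead. Added example, not from the post.
"""
import subprocess


def dnat_rules(src_ip, src_port, dst_ip, dst_port, forward=False):
    """Return the iptables argv lists needed for the redirect.

    forward=False produces only the OUTPUT rule, which is all the post's case
    (a host connecting to ip1 itself) needs.
    """
    target = f"{dst_ip}:{dst_port}"
    rules = [
        # Connections originating on this host, e.g. `telnet ip1 9094`.
        ["iptables", "-t", "nat", "-A", "OUTPUT", "-p", "tcp",
         "-d", src_ip, "--dport", str(src_port),
         "-j", "DNAT", "--to-destination", target],
    ]
    if forward:
        rules += [
            # Connections from other hosts routed through this box.
            ["iptables", "-t", "nat", "-A", "PREROUTING", "-p", "tcp",
             "-d", src_ip, "--dport", str(src_port),
             "-j", "DNAT", "--to-destination", target],
            # POSTROUTING sees the post-DNAT destination. Rewrite the source so
            # ip2 answers this box rather than the original client directly.
            ["iptables", "-t", "nat", "-A", "POSTROUTING", "-p", "tcp",
             "-d", dst_ip, "--dport", str(dst_port), "-j", "MASQUERADE"],
        ]
    return rules


def apply_rules(rules, dry_run=True):
    """Return the commands as strings; with dry_run=False also execute them (root)."""
    commands = [" ".join(r) for r in rules]
    if not dry_run:
        for r in rules:
            subprocess.run(r, check=True)
    return commands


if __name__ == "__main__":
    for cmd in apply_rules(dnat_rules("192.0.2.10", 9094,
                                      "198.51.100.20", 36397, forward=True)):
        print(cmd)
```

Two things to check when it "doesn't work": the OUTPUT chain runs after the kernel's initial route lookup, so there has to be some route (normally the default route) covering ip1, or `connect()` fails with "Network is unreachable" before any NAT rule is consulted; after the DNAT the packet is re-routed toward ip2. For the forwarded case `net.ipv4.ip_forward` must be 1. `iptables -t nat -L OUTPUT -n -v` shows per-rule packet counters, so a rule whose counter stays at zero while you telnet ip1 9094 is not matching.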



When to use WAN Op?

Looking at moving a number of SMB workloads 15ms or so away (<=1ms today). This doesn't seem too drastic, but curious when folks would want to have WAN Op in the mix to ensure SMB performance isn't too drastically penalized.



Enterprise 802.11ax AP deployment for indoor residential environment

We are considering putting in Ubiquiti APs or Aruba AP-515 in our residence. I realize that the Unifi (prosumer) products do not qualify as enterprise and do not yet support 802.11ax, a major draw for us, but we are nearly as focused on seamless roaming between APs since we leverage Wi-Fi calling in the home. We do not have good quality cellular service indoors because of 1930s construction techniques used; there are many plaster and lath walls. Therefore we are looking for a product with excellent fast roaming or 802.11k/r/v support in 2800 sq ft and on three floors with three APs.

My question is the following:

What is the best PoE 802.11ax AP we could put our hands on for under 400 per AP?

What type of switch / gateway / router would you use with it for a 1Gb symmetrical fiber connection?

Thank you for your feedback!

We stream a lot of video and want to future proof things as much as possible. Will run two Cat 6a PoE drops to each AP.



HA active/passive Palo Alto config with a Cradlepoint modem in front. Failover issue.

I'm having a failover issue with a Palo Alto active/passive pair connected to a CradlePoint modem. The CradlePoint is in IP pass-through mode.

The site was originally set up with the primary PAN as the active one. No one tested failover during setup. Recently they had a power outage and when power was restored, there was no connectivity from any of the connected LANs to the WAN.

It was determined that the primary PAN came back up as the active one. An on-site tech logged in to the primary PAN and manually failed over to the backup and everything was able to reach out to the WAN from the backup PAN.

When failing over back to the primary PAN, nothing can reach the WAN again.

What could cause these symptoms? I'm not super familiar with how pass-through works. I thought it should be seamless but it doesn't appear that the CradlePoint is passing through the IP address after the failover. The PAN is configured as a DHCP client.

I'm not really sure where to begin troubleshooting. I confirmed the HA is configured correctly. The pair is synchronized and everything matches. Nothing in the logs suggests any errors during failover. The on-site tech walked me through the wiring on the phone and everything seems to be correct.

Any ideas?



Register IOS Devices in DNS at Scale [1000 devices]

So as the title says, I am in an environment where DNS has been neglected and I would like to register all of our switches in DNS based on the hostname they are configured with. Is there a way to script this using Python/environment variables in Cisco IOS?

I have about 1000 switches/routers.
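
The scriptable part of this is on the collection side rather than inside IOS: pull each device's running config over SSH (Netmiko or whatever you already use), take the `hostname` line, and emit a dynamic DNS update (RFC 2136, `nsupdate`) for the management address you connected to. The following is an added example, not from the post; it handles only the parse-and-generate step, and the sample configs, zone name, server address and TSIG key name are constructed. Hostnames come from device config, and anything that is not a clean DNS label is reported rather than pasted into the update.

```python
"""Turn collected `show running-config` text into an nsupdate batch that
registers each device under its configured hostname. Added example.
"""
import ipaddress
import re

HOSTNAME_RE = re.compile(r"^hostname\s+(\S+)\s*$", re.MULTILINE)
# A hostname ends up inside DNS update commands, so accept only what a DNS
# label may carry (RFC 952/1123 letters, digits, interior hyphens, <= 63 chars).
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_hostname(running_config):
    """Return the configured hostname, or None if there is no hostname line."""
    m = HOSTNAME_RE.search(running_config)
    return m.group(1) if m else None


def build_nsupdate(configs, zone, server, ttl=3600, key_name=None, key_secret=None):
    """Return (nsupdate_text, skipped) for a {mgmt_ip: running_config} mapping.

    skipped is a list of (ip, reason) for devices not registered.
    """
    lines = [f"server {server}"]
    if key_name and key_secret:
        lines.append(f"key hmac-sha256:{key_name} {key_secret}")
    lines.append(f"zone {zone}")
    skipped = []
    for ip, cfg in sorted(configs.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        host = parse_hostname(cfg)
        if host is None:
            skipped.append((ip, "no hostname line"))
            continue
        if not LABEL_RE.match(host):
            skipped.append((ip, f"hostname {host!r} is not a valid DNS label"))
            continue
        fqdn = f"{host.lower()}.{zone}."
        # Replace rather than append, so a re-run after a readdress is clean.
        lines.append(f"update delete {fqdn} A")
        lines.append(f"update add {fqdn} {ttl} A {ip}")
    lines.append("send")
    return "\n".join(lines) + "\n", skipped


# Constructed sample: what the collector would hand over for four devices.
SAMPLE_CONFIGS = {
    "198.51.100.7": "!\nversion 15.2\nhostname SW-CORE-01\n!\ninterface Vlan1\n",
    "198.51.100.8": "!\nhostname sw-access-02\n!\n",
    "198.51.100.9": "!\nno hostname configured on this one\n!\n",
    "198.51.100.10": "!\nhostname bad_name$\n!\n",
}

if __name__ == "__main__":
    text, skipped = build_nsupdate(SAMPLE_CONFIGS, "example.net", "198.51.100.53",
                                   key_name="netdev-update", key_secret="c2VjcmV0")
    print(text)
    for ip, reason in skipped:
        print(f"skipped {ip}: {reason}")
```

Feed the result to `nsupdate -v batch.txt`. Keep the TSIG secret in a file readable only by the account running the job rather than in the script, and give that key update rights on the one zone only. PTR records live in the reverse zone and need their own `zone`/`send` section; the same hostname data serves for both.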



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



I was asked the following questions when applying for a job, How did I do with my answers?

What is the difference between a layer 2 and layer 3 network?

Layer 2 specifies transmission of frames between connected nodes on the physical server

Layer 3 is used for addressing, routing and traffic control of a multi node network 

What use does a VPN have within a business?

A Virtual Private Network allows for a secured networked environment with end to end encryption that only authorized personnel will have access to.

What is the difference between a security and distribution group?

A distribution group is used for the distribution of emails to groups of users. A security group is used to assign access rights to users for specific resources, i.e. applications/shared folders.

A user cannot login to their machine, as they have this error message: 
“The trust relationship between this workstation and the primary domain failed”. How do you fix this?

Using an Admin Account I would reset the users password via Active Directory 

What are DHCP Options used for? 

Dynamic Host Control Protocol is used to automatically assign IP Addresses to clients on the network



Unknown mac address probes

Hi, so there is this problem that happens to my wifi each Tuesday morning: my devices can no longer access my router. Well, I tried booting Linux and started airodump-ng, and in stations I see there are a lot of MAC addresses trying to connect to my wifi; they all go like DA:A1:19. Can you guys help me figure out what this shit actually is? I'd be really thankful.
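
A prefix like DA:A1:19 is worth classifying before worrying about it: the second-lowest bit of the first octet (0x02) is the locally-administered bit, and 0xDA has it set, which is what randomized client MACs look like (phones and laptops randomize the source MAC of their probe requests, and DA:A1:19 is widely reported as the prefix Android uses for that). The following is an added example, not from the post; it parses the station table of an airodump-ng CSV and buckets the MACs. The CSV excerpt is constructed in airodump-ng's layout.

```python
"""Classify station MACs from an airodump-ng CSV as globally unique,
locally administered (randomized) or multicast. Added example.
"""
from collections import Counter

# Constructed excerpt in airodump-ng's CSV layout: AP table, blank line, station table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2019-11-26 08:01:10, 2019-11-26 08:09:55,  6,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   6, HomeAP, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DA:A1:19:04:7C:E1, 2019-11-26 08:02:01, 2019-11-26 08:02:05, -70,        4, (not associated), HomeAP
DA:A1:19:9B:10:2F, 2019-11-26 08:02:07, 2019-11-26 08:02:09, -72,        3, (not associated), HomeAP
DA:A1:19:51:E0:08, 2019-11-26 08:02:12, 2019-11-26 08:02:14, -71,        2, (not associated), HomeAP
F0:18:98:AA:BB:CC, 2019-11-26 08:01:11, 2019-11-26 08:09:50, -45,      900, 00:11:22:33:44:55, 
"""


def classify_mac(mac):
    """I/G bit (0x01) -> multicast; U/L bit (0x02) -> locally administered; else global OUI."""
    first = int(mac.split(":")[0], 16)
    if first & 0x01:
        return "multicast"
    if first & 0x02:
        return "locally-administered"
    return "global"


def parse_stations(text):
    """Return the rows of the 'Station MAC' table as dicts keyed by column name."""
    stations = []
    header = None
    for line in text.splitlines():
        if line.startswith("Station MAC"):
            header = [h.strip() for h in line.split(",")]
            continue
        if header is None or not line.strip():
            continue
        # 'Probed ESSIDs' may itself contain commas, so split into exactly len(header) fields.
        fields = [f.strip() for f in line.split(",", len(header) - 1)]
        stations.append(dict(zip(header, fields)))
    return stations


def summarize(text):
    """Counts by address class and by 3-octet prefix, plus how many are not associated."""
    stations = parse_stations(text)
    by_class = Counter(classify_mac(s["Station MAC"]) for s in stations)
    by_prefix = Counter(s["Station MAC"][:8].upper() for s in stations)
    probing_only = sum(1 for s in stations if s["BSSID"] == "(not associated)")
    return by_class, by_prefix, probing_only


if __name__ == "__main__":
    by_class, by_prefix, probing_only = summarize(SAMPLE_CSV)
    print("by class:", dict(by_class))
    print("by prefix:", dict(by_prefix))
    print("not associated (probe requests only):", probing_only)
```

Rows whose BSSID column reads `(not associated)` are devices that were only heard sending probe requests, i.e. nearby hardware scanning for networks, not clients that joined yours; a cluster of locally-administered addresses there is the normal background of a residential area. That is a separate question from why your own devices lose the router on Tuesday mornings, which the capture's associated stations and the router's logs around that time would speak to.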



Anyconnect - DHCP Fixed Leases

Hey,

We have an issue where clients are not assigned the same lease from Infoblox when we configure AnyConnect to use DHCP.

Infoblox keeps leasing a different IP address to the same client every time it reconnects to the VPN, as the ASA is acting as a proxy and sending its own MAC address and UID to Infoblox. We have already enabled client UID under the options and that didn't help to resolve the issue.

Here is a post with the same issue: https://community.infoblox.com/t5/DNS-DHCP-IPAM/Dhcp-to-VPN-clients-from-Cisco-ASA/td-p/4669

Has anyone found a workaround or come across the problem? The reason behind this is to fix issues with DNS registration so we're trying to move away from using local scopes on the ASA's.



iPerf , network performance stats and a cloud Linux instance

I've been working on a project to log network performance metrics and one of the criteria is performance to the "internet." The plan is to have Python run iPerf3 on Raspberry Pi 4s located at key network points; the Raspberry Pi will go to an iPerf3 server located somewhere in the cloud. The problem I'm running into is finding a place to run the server. The cloud services I've investigated do not specify the bandwidth they offer. I've found that an AWS t2.micro instance only provides around 80 Mb/s. I need 1 Gb/s. Azure is equally vague about their bandwidth offerings, so I'm assuming they offer the equivalent of AWS. Does anyone have any recommendations on where I could run an iPerf3 server?



Looking for a Cloud Billing and Radius Platform?

Convergent billing platform for ISP, Wifi, IPTV, OTT, TV-Anywhere, Pay-TV, DTH, DTT. A complete end to end OSS/BSS Solution Platform which helps ISP and Telecom Operator run their Broadband business

know more https://www.iconwavetech.com/



VMware NSX / NSX-T / NSX-v what does it stand for?

I can't find for the life of me what the acronym / initialism stands for. I'm just going to go with "Network Software Xross" in my head for now. Anyone have any idea?

I might be searching too Englishly to find the American way of finding how this question has been asked before.



Cisco/Arista config for a fix ip depending on the nic

Hi everyone,

I'm using Arista 7010T and 7060CX switches (but I could use any Cisco able to do what I need) and I maintain a DHCP server service running on a host. As the IPs I'm using are always the same (as I deploy the same configuration in different boxes), I would like to know if there's any way to get rid of the DHCP server and make the switches assign an IP based on the port.

That way, it doesn't matter what I plug into Gi1/0/1, the device connected there will be configured as 192.168.1.1. If a device is plugged into Gi1/0/2, it will be configured as 192.168.1.2, etc.

Is this even possible?
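
The mechanism that gives "whatever is plugged into port N gets address N" is DHCP option 82 (Relay Agent Information, RFC 3046): the switch, acting as DHCP relay, inserts a circuit-id naming the ingress port, and the DHCP server keys its lease policy on that instead of on the client MAC. It keeps a DHCP server in the picture, but the server no longer cares what is plugged in. The following is an added example, not from the post or from any vendor's code: a parser for the option and a port-to-address policy. The circuit-id encoding is vendor-specific, so the ASCII circuit-ids, the port map and the sample DHCPDISCOVER are assumptions for illustration.

```python
"""DHCP option 82 parsing and a per-port address policy. Added example."""
import struct

OPTION_MESSAGE_TYPE = 53
OPTION_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2

# Constructed policy: circuit-id inserted by the relay -> fixed address.
PORT_MAP = {
    b"Ethernet1": "192.168.1.1",
    b"Ethernet2": "192.168.1.2",
    b"Ethernet3": "192.168.1.3",
}


def parse_tlvs(data, pad=None, end=None):
    """Parse code/length/value triples into {code: bytes}, refusing truncated input."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == pad:
            i += 1
            continue
        if code == end:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated TLV header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp_options(data):
    """DHCP options field after the magic cookie: pad code 0, end code 255 (RFC 2132)."""
    return parse_tlvs(data, pad=0, end=255)


def parse_option82(value):
    """Sub-options inside option 82 use the same TLV shape, without pad/end codes."""
    return parse_tlvs(value)


def encode_option82(circuit_id, remote_id=b""):
    """Build option 82 the way a relay would insert it."""
    body = struct.pack("BB", SUBOPT_CIRCUIT_ID, len(circuit_id)) + circuit_id
    if remote_id:
        body += struct.pack("BB", SUBOPT_REMOTE_ID, len(remote_id)) + remote_id
    return struct.pack("BB", OPTION_RELAY_AGENT, len(body)) + body


def address_for(options_field):
    """Fixed address for the ingress port named in option 82, or None if unknown."""
    opts = parse_dhcp_options(options_field)
    raw = opts.get(OPTION_RELAY_AGENT)
    if raw is None:
        return None
    circuit = parse_option82(raw).get(SUBOPT_CIRCUIT_ID)
    return PORT_MAP.get(circuit)


# Constructed DHCPDISCOVER options field as it would arrive from the relay.
DISCOVER_FROM_PORT2 = (
    bytes([OPTION_MESSAGE_TYPE, 1, 1])      # message type 1 = DISCOVER
    + encode_option82(b"Ethernet2", b"sw1")
    + b"\xff"
)

if __name__ == "__main__":
    print("lease for port 2 client:", address_for(DISCOVER_FROM_PORT2))
```

The security caveat is that option 82 is only as trustworthy as its origin: it must be inserted by your switch, and client-supplied copies arriving on untrusted ports must be dropped (DHCP snooping does this), otherwise a host can claim any port's address by forging the option. ISC dhcpd and most commercial servers can match on `agent.circuit-id`, so the policy above is configuration on the server rather than code.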



RFC2544 questions

Hi All, so I’ve got a few questions regarding this testing procedure.

We’ve tested a 7 Gig backhaul link roughly 2,000 km long with a 500M PPPoE client configured for a specific customer. This is done in an ISP environment.

The RFC 2544 test shows no frame loss and achieves transfer speeds of 500M over multiple tests. Testing done via our L2 provider.

With a mikrotik on both ends we are getting 200Mbps up/down via the btest.

Is my assumption that TCP requires L2 stability incorrect, and that the RFC test is not a be-all and end-all to this issue proving there is no fault? We are getting similar results when testing with different equipment, PPPoE test accounts and different sites traversing this backhaul link.

Thanks



Fiber point to point question.

I have a question. I am familiar with Ethernet but only familiar with the basics of fiber, mainly dealing with connecting switches. There was a fiber cut in our area with our ISP (Altice Lightpath). It affected our fiber point to point with them. When everything came back up, one of our two point to points didn't come back up. I tested the SFPs and they were OK. I looked at their equipment and the MRVs at one end had 10 dB attenuators. I took off the attenuators and the connection came back up.

My question is why? Is it possible when they spliced everything back up the loss makes them not needed anymore? Lightpath told me since it was a P2P they can't check from their end but can send somebody out if I see issues. It's been up all night but I wanted to find out why taking the attenuators off brought the connection back up.



Wireless Disconnects when user logs off

Recently we changed our primary wireless network to use 802.1X authentication using EAP and a user certificate generated from our ADCS. Testing went well. We missed something though. When connecting like this, the wireless disconnects when the user logs out of their machine. This is a design flaw on our end, I know, and it makes sense that it does this. However, I'm wondering if anyone knows a good way (without a wire) to achieve the following.

1) Remote administration sometimes requires us to change users. All things considered, this seems impossible in the current setup. We have tried connecting to a different PSK-based wireless network, but the connection drops with the connection attempt, so you cannot go that route it seems.

2) For machines that are logged out, particularly overnight, how can they get their Windows updates?

Appreciate any help/feedback.



ISE 2.6p2 - GUI backup is stuck at 0% (been a bug since 1.3)

Guess what, it's still there.

(1.3) https://community.cisco.com/t5/policy-and-access/ise-backup-hung/td-p/2788224

(2.4) https://quickview.cloudapps.cisco.com/quickview/bug/CSCvq13817

Recommended solution? Just reload! Simple, easy, and non-disruptive. Truly worth the price companies pay for ISE and all its beautiful quirks. I was testing to see if my TFTP repository worked, since in the past TFTP wasn't even an option for config back-ups so I was surprised to see it as an option now. If you're thinking about getting Cisco ISE, do yourself a favor, and don't.



Network diagrams

2 questions folks. On a physical/L3 diagram, if you have multiple links bonded into an etherchannel do you lay out every physical link or display it as po1 or similar?

How do you go about documenting networks which have multiple VRFs? Draw them separately?

My HLDs are OK, but when it gets down to documenting low level my diagrams suck!



Monday, November 25, 2019

Arista Switch Help!

Hi All,

I'm having trouble understanding MSTP vs RSTP vs STP. I have three Arista switches all linked together in the same VLAN via LACP and switchport access vlan 250.

I set up the client ports to use spanning-tree portfast, and the switch-to-switch/switch-to-server ports for default MSTP, I imagine.

I see from my logs that even though I set up Ethernet port 22 to spanning-tree portfast, it is still doing MST0 disabled/forwarding when plugging in a port. So does that mean that my spanning-tree portfast isn't really working with this config?

I've linked a diagram of my design. Can anyone help me understand all the different spanning tree protocols and which one is the best to use in my network, since I'm only on one big network, with three switches and one big VLAN....

https://ibb.co/3MTQjdN



CCNP now or wait?

With the changes coming to the Cisco certification paths I was looking for advice on whether I should try to take route and switch (it translates to Enterprise Core) before the change or wait till the new certification drops next February.



Netmiko question

Is there a way we can get input from the user to enter the interface number? For example, the user will be prompted with: Enter interface name :

If the user enters : g1/0/6

It should send_command (show run int g1/0/6)
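
Yes: read the name with `input()`, build the command string, and hand it to `send_command`. The one thing worth adding is a check on what the user typed, because that string is pasted into a privileged device CLI; `g1/0/6 | redirect tftp://...` or a name with a newline and a second command would otherwise reach the switch as-is. The following is an added example, not code from the post or from the Netmiko project; the device parameters are placeholders and the interface-name pattern is an assumption covering the common IOS short and long forms.

```python
"""Prompt for an interface name, validate it, then run `show running-config
interface <name>` through Netmiko. Added example.
"""
import re

# Short or long IOS names: g1/0/6, Gi1/0/6, GigabitEthernet1/0/6, Te1/1/1,
# Port-channel10, Vlan20, Lo0, and subinterfaces such as Gi1/0/6.100.
INTERFACE_RE = re.compile(
    r"[A-Za-z][A-Za-z-]{0,24}\d{1,4}(?:/\d{1,4}){0,3}(?:\.\d{1,4})?"
)


def validate_interface(name):
    """Return the trimmed name if it has the shape of an interface, else raise ValueError."""
    name = name.strip()
    if not INTERFACE_RE.fullmatch(name):
        raise ValueError(f"not an interface name: {name!r}")
    return name


def build_show_command(name):
    """The exact string that will be sent to the device."""
    return f"show running-config interface {validate_interface(name)}"


def show_interface(device, name):
    """Connect with Netmiko and return the interface's running config."""
    # Imported here so the validator can be used (and tested) without Netmiko installed.
    from netmiko import ConnectHandler
    command = build_show_command(name)
    with ConnectHandler(**device) as conn:
        return conn.send_command(command)


if __name__ == "__main__":
    import getpass
    device = {
        "device_type": "cisco_ios",
        "host": input("Device IP: "),
        "username": input("Username: "),
        "password": getpass.getpass("Password: "),
    }
    print(show_interface(device, input("Enter interface name: ")))
```

`validate_interface` raises before anything is sent, so a typo gets a clear error instead of an `% Invalid input` from the device or, worse, an unintended pipe to `redirect`. The same pattern applies to any other user- or file-supplied fragment that ends up inside a command string.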



Using a class E address for private IP addressing

Not seriously considering it, but would network devices actually route class E addresses? I have a lot of Cisco routers and layer 3 switches at my disposal.



Please help, I’m overwhelmed.

I’ll try and make this short. I’ve been in the network (Cisco) field for about 12 years so I’m definitely not new.

I started in a new position about 7 months ago. I’m the only network guy in a group of electrical and instrument people supporting a network spread across multiple industrial facilities. The team rebuilt their network last year before I started and the new design (done by a third party) is actually very well done in terms of segmentation and security, and the majority of the gear is very new.

I’ve been working to learn the network and get my bearings while also helping out with some other non-network related projects. In the last few months I’ve had to make a lot of changes in the network to accommodate the new projects and it’s been an absolute nightmare.

We have 250+ devices (switches, firewalls, APs, WLC, etc.) spread across half a dozen facilities. Now to my issues: the team has no NMS, no central configuration backups, no change management, and no consolidated way to make changes on multiple devices (for example updating the NTP server on each switch).

I feel like I’m running blind and am doing way more work than I have to. It took me 4+ hours last month to update multiple settings on each switch at one facility.

I’ve just started to use Python and Netmiko to back up configuration on our firewalls and switches via SSH at a couple of facilities. I also spun up LibreNMS at home and it may be a good start to getting some visibility into the network. I feel like this is a small step forward and I feel good about it, but I really don’t know where to go next.

What do I need to learn in my free time to make my life easier at work? What tools and technologies are going to have the most ROI for me supporting this network by myself, and what new skills are going to pay off for me the most in the next few years. While IaC and network automation sound sexy, I just need some practical tools and skills to work towards that are going to make supporting this environment easier and make my life better.



The Extinct IPV4

As you all know, IPv4 addresses are on the brink of extinction. The number of IPs is almost used up, and they are getting much more expensive to acquire.

As the world will eventually transition to IPv6, why hasn't the general consumer transitioned to IPv6 yet?

If there is a reason, wouldn't it be possible to mask an IPv6 address to use a similar format that an IPv4 address would use, such as IP:PORT:USERNAME:PASSWORD?

I am genuinely curious if this is possible to do.



How to do dot1x Monitor Mode on Nexus 9K

As title says, I’m looking to enable dot1x on our Nexus 9K (don’t ask, I didn’t choose them at access layer) switches that act as radius clients for ISE 2.4. I’ve read that monitor mode is the way to go when starting these deployments so you gain visibility before making decisions on who/how to restrict access. The problem is my code of NX-OS (7.0.3) doesn’t run MAB so I have no fallback if say the device has no supplicant. Or do I? Other than upgrading to code 9.x that has the MAB feature is there any other way I could run this deployment in monitor mode?

The only thing I can think of is just not running dot1x on ports that for sure don’t have modern day supplicants.

Thanks!



Your Wise Advice for a New Network Setup for a Mixed Use Space/Business

Hi,

I’m setting up a completely new network for a business with between 5-23 staff and potentially up to 50 visitors for large projects and keen for your wisdom on network setup, thanks!

Floor Plan

  • The floor is approx. 200sqm with all spaces divided with full wall to ceiling height walls and doors between.
  • Network/Comms Room that can accommodate multiple racks and commodity PCs. Into this room comes 1 Fibre Connection directly from the street (as yet undecided/determined connection rate) and all ethernet from the following, with 23 ethernet cables in total:
  • 4 Offices - with 3-4 Cat6 ethernet points per office.
  • 1 Reception - 2 Cat6 ethernet points.
  • 1 Open Plan Area - 1 Cat6 ethernet point and HDMI for a projector (from wall to ceiling mount). Wifi will be the only network/internet access here and should be able to accommodate up to 50 clients.
  • 1 Printer Room - 2 ethernet points.

Client/User Activities

Depending on the client, day of week, etc, these will be a mix of:

  1. Coworking/collaborative work between contractors and staff, and of course between themselves - across entire floor, sometimes per office (and open or isolated network eg subnet).
  2. Courses and small conferences in the Open Plan Area (as per above - using Wifi - up to 50 clients).
  3. Ad hoc call centre operations over VOIP for promotional and product support campaigns - using ethernet in the largest office.

Core IT Services for Staff and Contractors

All services will be run by staff, but there may be clients who will be given part control of their own services eg creating their own local storage for sharing files within an office.

  • Network Management for Internet and LAN.
  • Hosting of Web Sites/Apps, Email, and Files.
  • Printer Management.

Specific Requirements

  • Local configuration - no cloud management - but preferably having a local management dashboard/interface, and if not, the ability to install one or interface via another box.
  • Network isolation by office - some collaboration will require this - and at other times all office ethernet connections will be on the same network.
  • Wifi - some groups/contractors will require an individual SSID and key - Cisco’s Catalyst 9130 looks perfect?
  • VPN and all common remote connection protocol support.
  • Minimum recognised support/security vendor reputation (contractors and clients collaborating in the spaces will at times vary from designers to bank and government contractors).

My Quick Thoughts

My local IT provider has suggested a Cisco Meraki all-in-one router/switch, but I’ve read many poor reviews about Meraki (including in this sub), and it appears to require cloud configuration, which I don’t want.

I’ve considered pfSense or OPNsense boxes as they provide highly granular settings and extensibility, but am unsure of what hardware would be best for them, and whether it may be best to run a bigger brand name for, say, the edge router and place a pfSense/OPNsense box behind it as firewall. Preferably I want to put everything in a single 42U rack to begin with and, as the business grows, separate out internal and external network gear across a few other racks.

Apologies if I’ve used any terms incorrectly or formatted this badly - my network experience has been setting up web and email servers (*BSDs and Linux) in a small startup, in the cloud, but not an office setup and one with such mixed use requirements.

I have the time and budget to learn, there will be enough network expertise to run everything locally, and preferably use the network setup in a training capacity for courses in the future.

I am open to your ideas and wisdom, thanks!!!



Cisco UCS - Fabric Interconnects - VLAN communication - How is this happening?

I have more of an informational/functional question.

I am currently not understanding exactly how our UCS system is passing VLAN traffic to our VMware servers and beyond. I was tasked with adding a couple of additional VLANs to the FIs in UCS Manager for some new networks that will be for new servers in VMware.

We currently have a redundant UCS system. 2x chassis, 2x Fab A, 2x Fab B. Cisco 6300 Fabric Interconnects. vmware vSphere running on top. The redundant systems are split across the property as our Cold Room (CR) and Disaster Recovery (DR) areas. If CR explodes then DR should take over and vice versa.

From what I am gathering I need to add the VLANs into UCS Manager through the LAN Uplinks Manager -> VLAN Manager. Then apply those new VLANs onto the vNIC template for the ESXi hosts.

My confusion starts here:

UCS Manager CR Site:

We have all the VLANs added into a VLAN Group. This VLAN group is carrying production VLANs and is attached to the vNIC template in UCS Manager. I am also seeing this VLAN group attached to the port-channel used for FAB-A and FAB-B. I am guessing I need to add my needed VLANs to this group to complete my task for the CR side? Will this cause any temporary network vNIC issues during the add?

UCS Manager DR Site:

This is set up similar to the CR site, but the VLAN group here does not have any port-channels attached to it; however, this VLAN Group is a part of the vNIC templates for ESXi hosts. I am unable to edit said VLAN Group. I would say permissions issue, but even the admin account the vendor used to set this up with doesn't allow me to add additional VLANs to the group. I can see my new VLAN added into the general pool but I am unable to place it anywhere.

It concerns me to see that the DR site does not have a port-channel attached to the VLAN group and makes me wonder how this is functioning? Does the UCS Manager system just accept and add any new VLAN added? I was under the impression adding a new VLAN here without an associated uplink or port-channel is a massive no no?



DHCP Server part of AD or hardware - what is best practices

A network I am walking into after the previous IT was fired (not important), and I was in discussing what was there vs what we are going to replace, as it's in need of an upgrade as well.

Their existing system is an AD server, which is fine, but with DHCP server on it as well. They have made a range, let's say 192.168.0.1/24, and then when they added a machine they wanted static, they would add it to the exclusions - then it's static... I guess. I've never seen it that way.

What the discussion turned to was replacing the main firewall (the plan anyhow) and having it be the DHCP server, and serving a range, say 192.168.0.150-225 and then static IP'ing the printers and servers outside of that range.

The question came up - which is best practice? Good question to debate, I thought. The AD server is a must, and we don't want to change that, but leave DHCP and DNS on that, or move to an appliance?



Session server architecture

Hi, I am curious about the session server architecture of applications with a lot of users at the same time. A good example is Riot with a big community: how do they handle the amount of players to connect them to each game?

There is a session server that manages a 10-player game; however, there have already been more than 5 million players simultaneously, which makes 500k games across the 5 regions of the world. So there are many more connections than ports available, so how do they manage players' connections to the games?

I guess there must be a routing system in place but I couldn't find more information in general about the architecture of the session servers.



Do L2 Subinterfaces exist?

I have heard about L2 and L3 interfaces, and I've also heard about subinterfaces. All my Google searches only point to L3 subinterfaces. Is there anything like an L2 subinterface, and if it does exist, how is it even configured and what does it do?



Failed TACACS+ Authentication When Attempting Multiple Simultaneous SSH Sessions [Cisco ISE]

Hi,

I have TACACS+ set up on Cisco ISE 2.2 and the profile is set up to authenticate users against AD. When I attempt to run a backup job on my SolarWinds Network Configuration Manager, only 2 or 3 devices are successfully backed up out of 45. Looking at the logs in ISE, it says that the user was not found, despite it being "found" for 3 of the attempts.

To try and see what was going on, I attempted this using a Python script which would launch 45 simultaneous SSH sessions (multithreaded) and return the value of a show command for each session. This also failed, except for a few attempts. So, after trial and error, I introduced a 3 second delay between each thread, meaning ISE would only see one auth attempt every 3 seconds from this user, which got things to work: all 45 sessions authenticated successfully.

At this point, I figure it has to be something going wrong in the communication between ISE and the AD server. To prove this I set up an internal username on ISE and used it to run the test without the 3 second delays. The result was the Python script worked for all sessions, and also my NCM server was able to complete the whole backup job without issues using this internal user.

So I guess my question is, has anyone run into a similar issue? Does Microsoft AD have an issue with authenticating the same user over and over in a very short time span?