So I changed the A record on our secure vpn site to point toward our new firewall at the request of our firewall provider. Problem is I did not read the email clearly and was no supposed to change the current a record I was supposed to add a new one and point that toward the new address. Do you all know how I could find that previous address so that I can change it back? It’s not listed on any interface on our new firewall and I cannot find any record of it from the precious IT admin.
Saturday, December 14, 2019
Rukus ICX7150 Issues (Coming from Ubiquiti)
I recently purchased a new Lennar home that came with the Rukus ICX7150-C12-Switch for all of my IoT devices around the house (Ring/Rukus APs/Lutron/etc). However, I decided to use a Ubiquiti PoE switch (8-port 150) as my main switch since I am using the beta UDM Pro as my router/controller.
I currently have the ICX switch connected to the UDM Pro via SFP+ (DAC) so I have a 10 gigabit uplink. I do not have any devices connected to the Rukus switch currently. I also enabled the http interface, disabled telnet, and enabled ssh. However, I noticed that the web interface and ssh intermittently becomes unavailable and I am not even able to ping the switch. I also found my switch uptime to be 4 days (should be 14) as I left it alone when I installed it.
How can I determine if the Rukus switch is failing or if the SFP+ port on my UDM Pro is defective? Can/Should I upgrade the firmware?
Also, are they any tutorials or additional documentation on all of the features and setup? Or possibly any tips you guys have?
Thanks
VoIP troubleshooting, what are we missing?
My team and I (small WISP) have been troubleshooting some over the internet VoIP issues for a couple of customers throughout the past few weeks and are running out of ideas as to what the problem could be and/or things to test. Looking for a sanity check here as well as ideas.
Also I should throw it out there that most will read this and think, wow this guy went way deeper than he should have, but, we truly care about our customers and the experience they have with our network and our team. For us, it’s worth the time investment.
Scenario:
A customer called and mentioned that people on the other end of the line can not hear them. Sure enough, if they call me, or if I call them, the audio is very choppy. They can hear my fine though. Their phones are hosted with Nextiva and they get a 50x50Mbps connection from us. They rarely peak to even 20Mbps up/down so plenty of headroom.
What we’ve done so far:
We’ve ran some Ping Plotter tests to their CPE’s management IP, as well as to their firewall’s WAN IP (public IP /30, routed to the internet, no firewalls in the data path on our end, Cisco routers only). Packet loss fluctuates between .1% and most of the times it’s 0.0% according to PP. Ping interval is .5 seconds.
We did notice a few errors on the CPE’s (UBNT PowerBeam iso 400 ac) ethernet interface so we had the cable replaced/certified just to be sure.
Customer’s MSP (we have a great relationship with them) has replaced firewall with 3 different models to rule that end out. They’ve also verified no errors or PL on the LAN end. We’ve even plugged a phone directly into their switch to eliminate internal wiring.
We also got the vendor, Nextiva, involved to validate their config on the firewall and network. In addition, we’re running a ping plotter trace to the Nextiva IP where the phones connect to, its a ruler flat 25ms, never any packet loss. Worth mentioning though the router/interface where our upstream (HE) and Level 3 peer at drops around 80% of the packets. HE confirmed our suspension that this is indeed control plane policing, which were no worried about since the traces to the Nextiva IP are perfect.
FWIW - Nextiva’s highest tier of support is clueless for what it’s worth. They told us there must be firewall rules on the switch (flat network, L2 only switch) that are causing the problems 🤨.
We ran a call quality simulator/test tool from the customers computers to ring central and it came back with a perfect score in every area, 1-2ms of jitter, near perfect MOS. Obviously this is a different data path, but, does validate that it’s likely not an on net issue on our end.
In addition, we made concurrent phone calls from the customers desk phone to our office and a PSTN call from an app on my mobile connected to their WiFi (Microsoft teams). The call on the Nextiva phone of cut out and the Teams call was crystal clear. In addition, if the customer makes a call from the Nextiva app it’s clear both ways.
We have a tool that actively scans our network to look for interface errors on our route/switch/wireless network and it’s 100% clean. I even did a show interface on every link along the data path to confirm no output drops, CRC errors, queuing, etc...
So at this point we thought, ok, this has to be on Nextiva’s end. Until... we got two other customers complain about similar issues and they’re on different towers, with different VoIP providers. Now it’s possible these are just coincidental, though we very rarely get any support calls at all (customers are all business customers) so the fact that multiple people are calling in has us thinking it’s something to do with our network.
Theories/Suspicions/interesting observations: We monitor our connectivity to popular sites like google, Facebook, etc... HE has been having saturation issues with Google recently, latency will go from 8ms to 200ms for a few hours. They acknowledge this and are working on it. The thing that doesn’t add up here is the Ping Plotter traces are perfect to Nextiva.
Ping plotter claims that even though control plane policing may be show loss at some routers it still maybe indicate an issue. I wonder if our upstream or maybe even level 3 is prioritizing ping to skew the results?
I’m going to do a wireshark capture on the customers port when they make a call to see if the calls are maybe hitting a different IP address other than the phone provided by Nextiva. Given their piss poor support, I’m skeptical that he address they gave us is correct. I’m wondering if maybe the SIP traffic goes to one IP and audio stream to another.
Anyhow, if you got his far, congratulations! Any input/ideas/questions are all appreciated.
Why do I "need" SD-WAN?
Hello, everyone!
I am looking to get some feedback from those of you who have gone down the path of SD-WAN and get your opinions on if it makes sense for my current environment. I don't think my company is in need of SD-WAN but I have been tasked with working with vendors to select a service. My boss seems pretty sold that we should go down this road. I don't. I want to make sure I am not missing something. Let me lay it out for you.
Current Environment:
- There are 2 of us responsible for building and maintaining the current infrastructure
- I have over 100 locations that all need to connect to Azure
- Current connectivity to Azure is an IP-SEC to a VM firewall in Azure w/split tunnel
- I would say that less than 2% of our combined time involves troubleshooting the VPNs
- Cradlepoint routers are the edge devices at the remote locations
- We have a DIA and LTE connectivity for each site with LTE acting as failover only
- Failover times are in the 2 packet loss range and less than 10 seconds in total to bring LTE and VPN up
SD-WAN "Requirements":
- Improved WAN Management
- Automated or Reduced time building/maintaining tunnels
- Metrics overview
- Decreased costs over current solution
- Automated PCI compliance
- Increased uptime for POS (Currently at 99.99% or better for things in my control)
So far we have looked at SD-WAN solutions with 3 different ISPs and Fortinet. Two of the ISP packaged solutions use Velocloud and the third uses Nuage. I brought Fortinet in as I believe it will allow me to retain the most control over my networks and is already a system I am fairly familiar with. From all of the calls/meetings we have had with the ISP solutions, I honestly feel like I am handing everything over to a third party and will loose most of the control I have over my systems. Based on what I have seen, if I need to make changes or troubleshoot issues, I will have to call in, hope and pray I get a competent tech and go from there. There are only two things I have seen from these solutions that we could benefit from having is a metrics/reporting dashboard and packet persistence. The thing with those though is that for the metrics I am sacrificing overall control. And with packet persistence it requires the ability to duplicate the packets and send them through both WAN interfaces at the remote site. This is just simply not cost effective for us on a pay-per-GB data plan! I also feel like the solutions presented by these ISPs are very new to them and that this is all being built on the fly to capitalize on the latest buzz word.
Another reason I am not too keen on these ISP bundled solutions is that we previously tried an MPLS solution with NBS. It. Was. Awful! I can't tell you how many hours I spent on the phone trying to diagnose why certain traffic was failing at the NBS address, being told by the provider "nothing is wrong", then magically everything works again with a closed ticket saying "came clear while testing". This would happen at least once a month and sometimes even more frequently. With that, I would rather be handed a DIA circuit and be the one responsible for the routing/fire walling from there.
The Fortinet solution is great as far as I can tell and allows me to have my cake and eat it too for the most part. The only issue I have here is that I still need LTE failover capability meaning I will still need a Cradlepoint or other LTE modem device thus essentially doubling my cost per location on hardware/licensing.
Am I missing something?
IPv6 politics. How did you convince management to deploy V6.
Hi all,
I would like to hear examples on how you have convinced management to let you deploy IPv6 in a non-ISP/MSP environment.
I cant think of a valid reason as to how IPv6 would be a priority for my workplace, and I want some ideas to be able to sell it to myself first, my peers and my line manager.
I am currently working in a multi-billion global organization that already has some IPv6 but not everywhere and is so big that has more than a /8 block of public IPs for internal use.
Set up to fail.
I managed to mid-sized company and we are in the current process of redeveloping production line. The maintenance manager has taken it upon himself to redesign the network and is setting it up for failure. He has taken hubs and place them all throughout the plant and is only having his guys run one Uplink back to the switch. I have configured the ports with root guard to prevent Luke from taking down the entire VLAN. Do I have any other suggestions from anyone on how to minimize this most likely hood of disasters?
Updated Android networking question on an enterprise network
I'm going to start out by saying I'm a coder, not a network professional. I do know what VLANs and VPNs are and what they do, but I probably couldn't connect to a Cisco router and manage it without a lot of help.
The network I'm dealing with has various VLANs. The one that is connected to multiple WAPs has some shared storage, domain servers, printers, and an exchange server. The Wireless password is always changing and each managed device somehow gets the password. I'm guessing through the MDM on Android devices and I have no idea how Windows laptops get the new password. I imagine its through the domain controller.
I received a new Pixel 3 that is managed by the IT department and it connected to the WAP just fine. I was playing around with the phone and turned on the hotspot. I noticed that wifi didn't shut off. I connected a laptop to the hotspot and sure enough, the laptop had access to all the network resources on that VLAN. I brought to my IT department's attention and I guess I opened up can of worms. With the latest version of Android, it appears that hotspotting can't be turned off at the carrier. Wifi sharing is now the standard and the only way to turn off tethering is to buy an even more expensive enterprise level MDM subscription. Even then, sometimes hotspotting is necessary and shutting it off isn't the best option. I also think IT would shut off all the WAPs before they pony up the cash just to shut off hotspotting.
I did notice a few VPN features that might fix the problem. On Android, VPN connections cannot be shared without root and only one VPN can run at a time on an Android phone. This is great, because if an unauthorized user gained access to the hotspot from a mobile device, they couldn't use the VPN unless they installed the VPN on their own device had supplied the correct credentials.
Is there a way to setup a VPN that acts as a gateway? I don't want internal traffic going out to a remote VPN server then coming back to the VLAN. If I could setup a VPN that keeps internal traffic in the VLAN and allows external traffic to access the internet when needed, that would be great. The issue with using an external VPN is network traffic would be insane with the number of mobile devices accessing it and the amount of VPN accounts would add greatly to the cost.
I guess a basic network diagram would be:
Phone ----> WAP ------> VPN? -----> VLAN
best combination 1G and 10G switch?
I'm looking for a network switch that's got 2-4x10GbE ports and (8+)x1GbE PoE ports.
All RJ45. Can stretch to the 10GbE being SFP
Does anything like this exist?
Can i run a PDU off a household extension lead?
Ideally want the PDU on the opposite side of the loft to where the main plug is. Can i use an extension lead to get a plug to the other side of the loft and plug the PDU into that? Or is that dangerous?
In need of new Network Topology advice
Hello everyone,
I'm a novice network/sys administrator out of college as of 7 months ago. Me and my IT manager are in charge of facilitating our move to a new building from a network construction perspective. There are around 35 employees, maybe less, so it's not a huge deployment. We plan on feeding VLAN 16/32 for Data and VLAN 64 for VOIP to the Polycom phone and then using the second port on the phone for the internet to the MacBook. That way we save an extra port on the Cisco switches for each workstation.
I've made an initial network diagram, using the network gear that is available to us. Here is a link to it, I'd love some feedback from you experts if something like this is feasible at least. I also have some initial questions:
- Where inter-VLAN routing should be done if at all? Is it possible to do it on the firewall level?
- Where should DHCP be handled, on the firewall? IPs for .16 and .32 and .64 need to be provided on some level.
- Is it possible to route multiple VLANs on one Firewall port? I would love to have those two Cisco switches connected to one "LAN" port on the FortiGate/Meraki
- Should the two Cisco switches be daisy-chained? What would be the proper way?
- For the access-port side of the Cisco switches (To the phone), Since VLAN 16,32, and 64 will be used, the ports facing the phones need to be trunk ports correct?
- What's the best way to assign VLANs to the ports? Just segment some ports for the developers (VLAN 32), and then VLAN 16 for the corporate employees?
I really appreciate the help. I can provide whatever info or additional context that is needed.
Dual network internet routing issue
Hello everyone! I have a question that seems like it should be a fairly simple solution to fix, but I am having trouble searching for the answer. My scenario: I have two networks, one internal with no access to the internet that is connected directly to my PC via wired LAN. My internet network is through my WiFi adapter. Both networks work great, but the issue I'm having is when both are connected and I try to go to anything on the internet, e.g. google.com, the computer tries to use the wired connection and times out (due to no internet there). The wired connection gateway is 192.168.1.1 and the wifi with internet is on .0.1. I need to still be able to access the wired network from the browser.
Is it possible to use a different connection for a specific program?
I currently live in an area with bad internet( 1.5 mbps download and the ping is 400+). Because of this I use my phone as a mobile hotspot( about 1mbps download but ping is 40). I am able to play games without much issue, but when I open apps last discord or websites I assume the bandwidth is stretched to then and the game starts lagging and discord becomes robotic sounding. I am aware of being able to use software like speedify to bind a connection for faster download(unfortunately the ping remained very high) but is there a way to be connected to both my hotspot and the Ethernet for the internet and assign one connection to my game and the other to discord? If not is there any other suggestions anyone has to maybe help with my situation?
DNA licensing for Cisco SD-WAN
The documentation doesn't make it terribly clear, but is all the licensing for Cisco SD-WAN RTU?
For instance, with an ISR4331, on a regular license, it's locked at 100Mbps, unless you buy and apply a performance license.
What about for SD-WAN? are the routers performance locked? How does it determine if you have a DNA Advantage or Premier license?
Expressroute options
Hi,
We will need to order an Expressroute circuit soon and as we have not procured private cloud connectivity before, we wanted to get a feel for the market.
For those who have Expressroutes, what are the underlying technology used to present the connectivity to your network (i.e. MPLS, VPLS)? How did you differentiate between providers? And do you encrypt your traffic over them? Full end to end encryption seems to be a little challenging as you would need IPSec tunnels to NVAs?
Thanks.
Modem Router upgrade after fibre jnstall
Hay all So I've just been upgraded from VDSL to Fibre (finally) And having problems with TeamSpeak (specifically) getting high packet loss and voice chat becoming robot like.
Looking to upgrade my Modem/router to a more commercial type instead of what I'm using now (fritzbox 7560) Potentially thinking of getting the Ubiquiti Dream Machine as the modem router,
Getting speeds of 900 D 400 U with a ping of 9ms and a jitter of 1 I wonder if my increased capacity is now taking its toll on the router and can't keep up.
What are you guys using at home or in a commercial instance for high throughput situations
Greg
Is it possible that an individual can have an ASN number assigned to them?
I was talking with a customer, and they expressed interest in owning an IPv4 address, they knew they needed an ASN number but did not know what to do to get one.
This customer told me its cause their ISP refused them a static address for their home internet.
I advised them that I don't think, it's a good idea, that ARIN would assign an ASN to an individual, and that they would have an ISP that they could use it with.
While it may be crazy, assuming that they afford the fees ARIN would hand them, could it happen?
Friday, December 13, 2019
VPN not allowed, but I do it anyways.
Hey guys,
I’m a networking/media tech guy for an isolated media network. The network is about 100 users connected to a media server for video editing.
The server itself is 8 chassis stripped together as one big server with 128 HDDs. So the Maintance for this server is a big job. Plus it’s about 5 years old already!
Our media network works behind the client run internet. The clients parent company owns the building and provides Internet.
So to my question. I want to monitor the server remotely. But the parent company is no internet. But it’s not our clients policy, it’s the execs policy above her.
So I have a secure 256 aes open vpn tunnel that uses WAN whitelisted blocked IPs and certificates with TA keys. My OpenVPN network is set to auto update the OS and as an additional security measure it auto blocks any WAN attempt to get in. Only a few guys have a key and cert to access the tunnel.
On my tunnel I have Zabbix and nagios to monitor and report the health of the server.
So I’ve already tested the client network and it does allow my “phoning home” connection to establish. So I know they are allowing vpns. Most likely due to their own IT needs to administer the network.
It seems to me that if you let the IT guys tunnel in then you should let the media network guys tunnel in. I’m pissed they are going to take away my monitor solution. It’s gonna be so hard to maintain that server a long with all the other servers we maintain from other clients.
What would you guys do? Hook up a low key vpn server on site, or through in the towel and wait for the client to call when they are having issues?
Record keeping and networking
This post should be acceptable per r/Networking rules, but I'm working on my CCNA and trying to learn more about networking and can not find any answers to this question.
How does a network engineer keep track of each switch's configuration? For example, in a large enterprise network with hundreds of switches and various vlan databases, how is this information stored for safe keeping?
SD-WAN Design/Vendor
Greetings all
I work for a bank and I was asked by the board to start looking for 5 SD-WAN solutions (from technology perspective and Gartner report) and then shrink the list to 3.
I have started looking into SD-WAN solutions to consider where my picks were :
Cisco (I cannot ignore the fact that they were leaders in 2018)
Velocloud
Versa
Silverpeak
Those who I have chosen and did not know what the 5 to consider!
I need your help with the aspects that I should build my decision on taking into consideration that we are a bank and security is a main concern , do I really need WAN optimization with SD-WAN? I have tried to collect reading resources , for Cisco I have found a lot , for Velo not bad information , for Versa so little (if anyone share like design guide or something) and for Silverpeak also a little bit of information.
Before forgetting we have IaaS/SaaS as well , so this is something to consider
Sorry for the long post but I need help : )
Cheers
enterprise networking, slow, but only in one section
This will be a little long so be warned.
I'm upgrading a office building to windows 10. (yes I know they are behind in the tech game) We have 4 floors with 1000 computers and 2000 people all with roaming profiles. everyone is running pretty well taking no more then 30 seconds to log in or log off. But I got one spot that of 20 computer in there own wing of the building. that are taking 15 miniutes to log in and out. Any one got any ideas.
Also I was contracted to do this I don't regulay work in this building.
802.1x and printers
Half rant, half seeking advice here. We have a wired 802.1x setup with NPS dolling out dynamic VLANs, and printers have been the bane of my existence since setting this up. We’re doing EAP-TLS for user workstations and PEAP for devices like printers. We use MAB we’re needed as well.
The problem is that printers, even if they “fully support 802.1x,” fall off the network and the end users need to manually power cycle them to get them back up. This is even the case for MAB printers.
For MAB at least, I see the issue. When entering power saver mode the printers flap the port and delete their MAC from the port.
For 802.1x I suspect power save mode is to blame as well.
Ive set the control direction for 802.1x to “in” on all printer ports but am still having intermittent issues. I’ve also setup a persistent ping to the printers to try and keep them alive, but it feels stupid and hacky. Setup NTP with low update intervals, switched to DHCP, and many others settings have been changed to try and keep the NICs on these damn things alive too.
Anybody else run into similar issues and have any tips, or can at least sympathize with me?
I’m thinking the fix is just going to be turning off all possible power save settings, and potentially keeping the persistent pings going which may make the bean counters unhappy.
Potentially spineless EVPN VxLAN. Is this even possible?
So I've spent a week trying to wrap my head around VxLAN with EVPN and its configuration on Cisco. I'm still very much confused about many aspects of it, since the documentation and guides found on the internets are quite different and mainly meant for the standard leaf-spine architecture. Please forgive me if my use of terms in this post does not make sense at times, I'm still very green in this.
I have 3 physically different locations with the following devices connected to eachother: Catalyst 9300 stack <-> Nexus9k VPC pair <-> Nexus9k VPC pair. There's already a production environment on them with plain old stretched L2 (trunk from C9k to the N9k on the other side). Currently I also have only one physical interface available for these connections on each switch (which is already configured as L2 trunk port), but in the future we will potentially upgrade this to more physical connections for redundancy. It is entirely possible this is already a show stopper for what I'm trying to achieve, since I my only option is to use a vlan SVI for the VxLAN underlay, instead of a routed port, which is the suggested design in every guide I've read. I have not found any explanations yet on why I could not use an SVI, tho.
I'm trying to stitch it all together with EVPN VxLAN, but as you already know, it's not the standard leaf-spine design. I could in theory configure the middle N9k as a Spine, but I need to be able to have all the switches act as VTEPs. (Am I trying to create a monster? :)
From what I have read so far, I understand that it is possible to avoid using multicast entirely for BUM traffic with EVPN Control Plane (head-end replication). Just a minute ago discovered that this is not an available feature on our current C9k Fuji firmware version and will have to upgrade it, which is not a problem.
At first I tried to use only one instance of (e)BGP for underlay and overlay, but could not figure out the configuration for it and had lost the guide which mentioned this possibility. Maybe it's not possible on Cisco after all. But it seemed elegant to use only one instance of BGP for all the routing.
So right now I have configured OSPF for underlay, where I redistribute the Loopbacks for eBGP overlay. The neighboring for EVPN is up and running, but since I'm missing the head-end replication future I can not test it out yet.
Anyways, my question to the more wise is: Is it at all possible to achieve such a design, where we have basically 3 different switch stacks, which all act as VTEPs without any spine? Or if it is possible to make a spine (the N9k pair in-between) act as a VTEP as well? The role of the Spine is very much confusing for me still, besides route-reflecting in the iBGP design & interconnectivity between the leafs & load-balancing with ECMP. Do they have any other "special" roles? What I mean to ask is, could I not just connect leafs to leafs, if I have an EVPN connection between all of them?
Also might there be any problems with EVPN on these platforms? For example, I have read Catalyst 9300 can act only as a leaf. Which is not a problem in our case, but there might be some other similar caveats I'm unaware of.
Some of you may be thinking: WHYYY?
We just want to move away from this stretched L2 to a flexible L3 solution. So we could stretch L2 in that L3, if need be. ;)
This is not a setup for a datacenter. It's a budget setup for a small company, which houses user access ports on the Catalyst and some server access on both of the Nexus pairs. We do understand there are better (and thus more expensive) designs possible, but I hope this does not become the focus of this post. :)
Routing problem with Juniper SRX550 and AWS Site2Site.
I've run into a really weird problem :
I have the following scenario :
PC ip : 10.10.10.11/24 ] --SRX550--Site2SiteVPNtoAWS--[ VM ip : 10.255.255.55/24
The SRX550's address on the interface connected to the PC is 10.10.10.10/24
The PC is natted.
The PC can ping the VM and I get replies. However the VM can't ping the PC. I can see that there are requests packets comming from the 10.255.255.55 address on the PC's interface, but there is no response getting to the VM.
I CAN ping the 10.10.10.10 address from the VM.
root@srx-0> show security flow session protocol icmp Session ID: 19965, Policy name: ALLOW_ALL/4, State: Active, Timeout: 26, Valid In: 10.255.255.55/1 --> 10.10.10.11/21562;icmp, If: st0.1, Pkts: 1, Bytes: 84 Out: 10.10.10.11/21562 --> 10.255.255.55/1;icmp, If: reth1.1337, Pkts: 0, Bytes: 0
I see that the traffic is going in, I see that the traffic is going out. The firewall knows about the 10.255.255.0/24 network from the bgp :
10.255.255.0/24 *[BGP/170] 00:39:56, MED 100, localpref 100 AS path: 64543 E > to 161.252.77.9 via st0.1 [BGP/170] 00:39:49, MED 100, localpref 100 AS path: 64543 E > to 161.252.26.25 via st0.2
What am I doing wrong ? This is the whole config - > https://pastebin.com/twFzbXBf
the quest of the catalyst
Dear networking community,
A customer of mine is currently using Cisco7606 with 2x RSP720-3CXL-GE. He recently hit the cap of IPV4 routes. He is looking for a catalyst switch where he could go over 1024k IPV4 routes. I am not able to find any model that fits the customers need, so I would love some input from you guys.
Thanks in advance!
Integrating a second Server with OpenVPN
So, followings setup:
Server 1 with OpenVPN installed.
Internal IP: 10.10.10.1
OpenVPN config excerpt: push "route 10.10.10.0 255.255.255.0"
Server 2
Internal IP: 10.10.10.2
When connecting with the OpenVPN client the route gets pushed but Server 2 is not reachable.
Anyone got insight into what I could be missing?
Add switches to Stack
We have 2 old Cisco 3750 stacked and we need to add 2 new switches in the stack because we ran out of ports.
The LAN switches are connected with stacking cables. They act as one single switch and share their configuration and a common management IP address. One switch has the role of stack master and the other one is backup or member. The configuration is stored on both switches. If the master should fail then the member becomes the new master.
I have 2 2960 S switches available, can I add them to my current stack? Are the models supported?
Once I connect them with stack cables, what configuration needs to be done, is it all covered here: https://vmguru.com/2010/03/hot-adding-or-removing-a-cisco-3750-from-a-stack/ or anything else to do?
Cheers
How do you make it work with network teams split across countries/timezones?
I know it might not sound like a networking question based on the title, but we're a network engineering team and having an issue I believe is fairly common for larger/international organisations. I'm curious how other network engineering teams in the same situation make this work.
Two thirds of the team is based in one US location, the other third of the team is based in one EU location. Everyone in the team reports to a single team manager who is in the US. This means that the EU team reports directly to a remote manager. There is a 6 hour time difference between the two teams. This provides effectively a 2.5 hour window each day for collaboration. By the time the US team rolls up at 9am, it's already 3pm in the EU. By the time the US team has their coffee and gets settled and ready for the day around 10am, it's already 4pm and the EU team heads home at 5:30pm EU time. This isn't a lot of overlap to get shit done, and most people get into their groove later in the day, not first thing in the morning.
Additionally, there is a skills/focus disparity between the US and EU teams. They US team is largely focused on route/switch and the EU team is largely focused on automation. There is a third Ops team that handles most of the day-to-day operation of the network, but occasionally Ops work comes to our team and the US team largely handles this.
There have been attempts at cross-pollenating skills and focus, but it's difficult to teach someone automation when you only have a 2.5 hour window, and conversely it's difficult to involve people in route/system planning when most of the meetings take place at 8-9pm for the EU folks. We are fairly siloed, which makes the weekly 1.5 hour team meeting torture for the EU folks who have to sit and listen to the US folks talk among themselves about stuff they're working on.
There is also an issue with on-call work. The US team is disgruntled that they have to do all the on-call work. The EU team is only "on-call" during their normal working hours. This is because such unpaid after hours on-call work is simply expected in the US location, but is illegal in the EU location. Instead of offering double pay and/or PTO in exchange for on-call work in the EU, the company simply offered time and a half (and only for when actually responding to a call, not while chained to your phone/laptop in case something happens), which the EU employees are under no legal obligation to accept. Additionally, the company has not bothered to setup any infrastructure to record this time, let alone add extra pay to pay-checks. The network team manager is not in a position to change this as it's abstracted away to other departments (in the US location). I should also mention that the US engineers get paid substantially more than the EU team members, so there is a tradeoff.
Upper management has considered installing more middle management as the solution and giving the EU team another manager to report to. This new manager would be a general manager for multiple different EU infra teams and would not be providing any direction to the EU network team. (Honestly, I don't see what the point would be. The EU team would effectively still be reporting to a remote manager and coordinating with a remote team. The new middle manager would just be a needless extra hop)
I really don't know what a solution to these issues could be. It feels like there really needs to be two separate teams, one focused on RS and the other focused on automation, each driving their own initiatives. The time difference makes working together really difficult. If the EU team wants to be involved with what the US team is doing, they usually have to join remotely in the middle of the night because the US team isn't going to get up at 4am to join remotely...
Are any of you on networking teams with a similar situation? How did you solve it, or is it a continuous issue?
Will these cables work at 10G?
Hello!
I have some wall enclosures with optics panels. There are "MM 6f 50/125 OM2" between panels and the panels have "SC/MM PC DPX adapters". Switches are HP 2610 and have 1Gb transceivers (850 µm).
If I change the switches to Aruba 2540 with 10Gb transceivers, will these cables (panel2panel and panel2switch) work with 10Gb?
Dell EMC Powerswitch S Series - General Consensus
Hey team,
My company is looking at doing a network overhaul and replacing all our current switches. Basically, the budget does not allow for any Cisco gear and one of our vendors has suggested a Dell solution. I however have not had any experience with Dell switches, what is the general consensus out there? Have any of you ever worked with them?
Cheers
Thursday, December 12, 2019
Cisco VPN RV 345 local IP Lan
Hello,
Anyone have the knowledge regarding Cisco VPN Router RV 345? Cause i have stumble some problem with the usage of it.
I want to migrate my old VPN settings, which is RV 325 to the new one RV 345. All according to plan except one thing making 1 port having more segment. In my RV 325 there are some settings that allow me to insert custom segment of ip address to table, and i can access it locally by changing my local ip setting into specific one.
Example i change my laptop ip address to 192.168.2.105 and i can access the router settings in 192.168.2.1 and additionally i can access the router setting in 192.168.1.1 too.
But in RV 345 i can't do that because i can't find the settings, the closest thing i can find is the VLAN settings, which can only make one port have one IP so when i have 2 vlan i can only access one vlan setting at a specific lan port.
Example i have 2 vlan settings which is 192.168.1.1 and 192.168.2.1 the first vlan is untagged and the second one is tagged. and when i change my laptop ip address to 192.168.2.105 i can't access the router settings in 192.168.2.1 like RV 325 did.
(First pict is my RV 325 setting that make it possible and second pict is my RV 345 settings right now : https://imgur.com/a/8KvtV8j )
So is there any way i can do it in RV 345? Because i already ask the cisco support but they still checking.
Thanks in advance to anyone can help.
Does JumboFrame setup need to be end-to-end?
I can setup/enable jumboframe on server and TOR switch. But does it need to enable jambo frame end-to-end? I mean if there are two or more switches between the client and server, I would need to configure jumbo frame on all the switches?
If I only configured on server NIC and TOR switch, will the TOR switch do fragementation when sending traffic to client?
Netflow bug in nx-os 9.2.x
Just a heads up for anyone else deploying netflow within their infrastructure that when configuring flow options you'll have strange XXXXXGB worth of chatter if you configure "collect counter bytes long" the OS throws in "collect counter bytes" above it anyways.
Seen on a Nexus 9k model, but not tested on other models.
Had a laugh when our Flows showed 52TBs of data within last 5 minutes on a really low use setup.
Supported device count in meraki dashboard
What is the max amount of devices that are supported in the meraki dashboard?
Testing
Anyone know of other products similar to this that will test and identify with 24+ remotes? This is the first one I have seen that does more than 8 at a time.
Old School Enterprise Network Engineer Wishing to build a NAS/ESXi environment...
I fully realize this post probably belongs in a different subreddit. Chastise me as you please, but I'm posting here only because I'm interested in what other fellow network guys would say....
Anyhow, on to the meat of it... I found some old servers. One is a C22 M3 (2x 2.4Ghz 6 Core Processors w/8 600GB Drives), another is a C24 M3 (2x 2.1Ghz 8 Core Processors w/24 500GB Drives). Im basically just trying to find a way to use one, or both of them to build myself a pretty neato home set up to A. Have a NAS for me and the rest of the family to put stuff on. B. Be able to run test VMs or any other VMs of whatever on.
To keep the power budget low, I was thinking of only using the C24, installing ESXi on the internal USB drive, then creating two virtual disks of 12 drives (RAID 6 if I can). Then, I would Have a NAS VM running in ESXi, something like FreeNAS,... I guess? Suggestions? To access one Virtual Disk dedicated to it, the the other 12 disks dedicated to VM storage. Is this a bad idea? How much of a performance hit will I take since the NAS software is virtualized? Would I be better off to run two servers?
Slacks Nebula vs Zerotier? Any tangible use-cases outside of the dev/hosting space?
Curious if anyone in the msp/internal IT world has successfully tested/used either of these platforms in prod (or similar sd-wan/tunnel/sdn combo product). I can easily see the value from a dev/devops perspective, just looking for a sanity check before I deep drive into a new stack and bug the crap out of my coworkers with all the shiny new toys.
Nebula - https://github.com/slackhq/nebula
Zerotier - https://www.zerotier.com/
Any gotchas working with public clouds or UTM's? What are the biggest real world benefits you've noticed, does this make networking easier to digest/support for your lower tier technical staff? Are there better solutions in the market and these are just neat opensource projects that are essentially reinventing the wheel?
Bouncing bgp to aws dx
I have a aws dx connection that hits an asa firewall for bgp over two separate vlans. The bgp connections seem to go from established to idle every 15 minutes. The logs pop a holdout timer expiring. Thoughts on what to look at? I only have access to the asa and not the aws account.
Having issues with faxing
So at our offices we've been having multiple problems with faxing lately. Sometimes the faxes will only partially send, sometimes we get the confirmation that they sent but when someone calls to confirm they didn't receive them, and sometimes they just straight up fail. We have tried sending it though a fax finder client and the fax machine itself. We have tried multiple different numbers when sending from and sending to. We have also tried multiple different fax machines. The faxes do eventually send if we just keep retrying over and over so we can confirm that the numbers are real. Does anyone have any thoughts on a fix?
Cisco vs Ruckus for access switching
We are medium size business (virtualized servers and ~200 endpoints). We currently have Cisco 2960S in our access layer and Catalyst 3850's for our core. The suggestion has been raised whether we should continue with Cisco (Catalyst 9300) or move to Ruckus (ICX 7150). Personally, I would like to stay Cisco, however, if there is no good argument to do so, we have to look at alternatives. Any thoughts, opinions or experience? Any replies are greatly appreciated.
Create two way vpn tunnel or proxy between countries
Both people have internet access, both have access to multiple routers etc.
I live in the UK and need to access services that only work in my home country Czech Republic and need to access my friends network
He lives in the Czech Republic and needs to access UK services such as Netflix, BBC iPlayer, etc. and my server (contains movies), i.e. he needs to simulate being connected to my network, again we both have internet and need to somehow have either a proxy on both sides or have a VPN tunnel somehow, we need this to be independent and not run from other services such as pre existing VPN's etc.
Since i am quite new to this, could i please be given either youtube tutorials that will help and cover everything, detailed instructions and links to software or some kind of online tutorial
Thanks
Martin
Blogpost Friday!
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts
Feel free to submit your blog post and as well a nice description to this thread.
Slack Nebula is a flexible, open source VPN mesh tool
Slack just posted an open source tool which dynamically creates VPN tunnels between two endpoints bypassing the central server / location. It looks interesting and I though worth posting.
Trouble setting up VLANS with Juniper
Let me preface this by saying I am fairly new to networking; I've been studying to be a network engineer (with Cisco learning materials) and have obtained my CCNA Routing and Switching, but have no REAL experience in the field other than lab work and exams. I was recently taken on as an intern in a small company that has a super small IT department to work on some network projects they have. They have no in-house network anything and have been paying their ISP to set up any network related thing they may happen to need. The main issue I am running into is, I was trained solely on Cisco, and they solely use Juniper. I understand the concept of VLANS is universal, but I am finding the Juniper CLI difficult to master. My main goal here is threefold:
-
They have completely flat network with no Vlanning whatsoever, so first and foremost is get 2 Vlans, 1 for voice and 1 for data
-
Once I've done this, further segment the data vlan to have every department in its own VLAN (keeping full inter-connectivity, they will implement ACLs for the VLANs later down the line)
-
Help them migrate ISP's since they hate their current one and are swapping. This might actually be step one, as swapping around routers and all that might mess with previous configurations.
I am fully confident that I can manage the task ahead of me as the network is still quite small (they currently have 6 routers, which will be shrinking to 1 after the ISP swap, and 14 L3 switches, with maybe 200-500 hosts total, across about 5 sites). The scope of it is not enormous, but I have no resources to call upon other than what I already know and the internet.
The main questions I wanted to directly ask about are, do I need to add every Vlan to every switch, even if no ports on that switch are IN that Vlan, and as far as VOIP is concerned, since I'm implementing it after the network has been established for so long is it fine to just enable a voice vlan on every port on the switch so that I don't have to hunt down and find out which ports IP phones are on. Additionally to that last point, how to I make sure that the PCs attached to the phones aren't on the Voice Vlan and rather are on the data vlans (essentially putting a voice AND a data vlan on every port).
I have many other questions, but as I work on this and get more familiar these are the main two I'm trying to work out. I've looked on Juniper's website but the tech documentation is a little convoluted and I'm not 100% sure I'm doing this right. I appreciate any help I can get, and if further information is needed I can try and provide some insight.
"Blended" Carrier Bandwidth - Sanity Check
Apologies for the long post!
I've been working this issue for a few weeks and nearing insanity.
We're redesigning the internet edge at a DC so a greenfield style deployment. Two new ASR 1001HX routers going to a pair of layer 2 switches which "distributes" the internet to some firewalls, SD-WAN boxes, VPN boxes, etc. We have a new /23 block and ASN and this is the only point we are advertising from.
We've ordered a new 1g, 3g burst circuit with 2 /30 handoffs from the DC itself which is "blended" with 4 carriers. The handoffs are 10g LR.
So after installing the circuit, I placed a laptop behind the primary ASR, gave myself one of our public IP address and did some bandwidth testing. Test showed 300mb down / 1g up to a few test servers. Opened ticket with carrier and they of course blamed the ASR and whatnot. So the handoff is 10g making it difficult to test direct, so I used a fresh out of the box Cat 9k layer2 switch ran the 10g handoff to it and tested using the DC's public IP (from the /30). The download speed jumped to 750mb and the upload stayed at 1g.
My logic at this point is I have two issues, #1 I'm not getting the full bandwidth downstream and #2 the issues is amplified behind the ASR.
Opened TAC and Carrier tickets.
TAC reviews ASR config/license/port speed/duplex/SFP etc. Switched out 10G LR Optics, LR Cable. All clear. Our SE from Cisco does the same, no issues.
Carrier says everything is great and that speed test and iperf are unreliable. I requested I get access to plug directly into their equipment and test, same results 750Mb down, 1g up. They blame the test. I connect to my other 1G provider and run the same test, close to 1G up/down! They gave me a iperf server IP to another DC they own in the same city, 750Mb. Then they blame iperf as faulty.
At this point no one will accept responsibility for the issue! Please help, Is there anything I'm missing?
Cisco ASA AnyConnect VPN - Connects and can route internally, but cannot route to internet
Howdy,
I’ve setup a Cisco AnyConnect VPN - when I connect with a client, I get an IP and can route to internal resources fine.
However, when I connect, I cannot route out to the internet?
I’m not split tunnelling, all traffic is routing via the tunnel. The internet traffic is going out the same interface clients connect on.
Do I need to NAT the VPN clients back out?
Any ideas would be very helpful!
Switching from MPLS core to EVPN core
Now that quite a few vendors have BGP EVPN over VXLAN capable access switches, I'm wondering if anyone is doing their core network with these technologies?
We're currently running MPLS in our own network and routing between VRFs happens on the DC firewalls:
https://pasteboard.co/IKVL8wT.png
Each building has an aggregation switch that also talks MPLS towards the core, and terminates all the VLANs from the access layer. Access layer is L2.
We have lot's of different buildings and 50+ different segments for different use cases so just configuring L3 on the access layer would be somewhat nightmare to manage with all the ACLs etc. Also we would lose visibility over the traffic between the segments.
Wondering also how do you do traffic engineering, for example have workstations to use core link 1 in the picture and cameras to use link 2 as the primary path.
Not really here trying to solve any major issues but rather wondering how EVPN would work and how it would differ from running MPLS. Any thoughts?
Thanks!
Cloud Based Service Platform- Seeking Beta Testers
Hi Everyone,
We are a team of developers behind a cloud based platform that allows venue owners to better engage with their clients via wireless networks. Our platform docks with some of the leading cloud based vendors such as Cisco Meraki, Cambium Networks & more.
We are looking for 10 beta testers for our new platform, that ideally meet the following criteria:
- Currently use Cisco Meraki as an Access Point
- Basic Networking Skills
- Manage a Physical Site/Venue
We are looking for beta testers who are willing to provide valuable feedback, suggestions and error reports. You will be among the first users to be on-boarded so expect a few bugs.
If you are interested in trying our platform & providing valuable feedback for which we would be very grateful, please reach back out to me.
All the best,
Zero Trust everything and SD everything
Hello wonderful people.
I have a few questions around Zero Trust Networking and SDP
-
Looking at how networking is evolving with things like ZTN and SASE, do you think network engineers need to solidify their security knowledge?
-
If I have a ZTN solution that uses certificates and agents for identity and authentication to the network, do I still need a NAC solution like Aruba clearpass or Cisco ISE?
-
Is software defined perimeter any better than traditional VPNs
I am working for a startup that's implementing zero trust model and I can tell you that it's very promising. We are slowly getting there. We treat internal network the same as public network.
Best Practice on IPSec Settings
Good morning r/networking,
Theoretical question here today:
Wondering if anyone had any subjective experience on setting IPSec settings, and how to go about determining what is best for a network.
Assuming relatively fast hardware, such as what is available today in whitebox routers and switches, why not just max out everything (Auth, Encryption, Forward Secrecy, Short Re-key intervals).
In my lab, I see minimal impact on performance when these features are at their maximum available settings, but in the real world, I've only ever seen the same old 3DES/AES128 scheme being deployed, despite running on several thousand dollars worth of firewall.
Maybe I'm missing something here...
Fiber patching between ODFs
I have a question that I hope some of you may know the answer to!
My company has a rather large building with two big sections. These sections are connected through a common technical room where fiber connection from both sections are patched to two different racks. In one of the sections, there are many stories as well.
The question is: is it possible to patch the fiber signal from one section to the other in this common technical room by just patching a SC to SC fiber cord between the racks? Or do you need some kind of switch to do the some sort of routing as well?
TL:DR: I want to just forward the fiber signal from one section to another in a big building through a common technical room.
Any help would be appreciated!
AWS Advanced Network Specialist, Anyone?
I posted this in /r/AWS but got no response, hoping I might get more hits here.
I have been using AWS for like five years. Primarily EC2, S3 and R53, but I have used a lot of other services and understand what the majority of them do and how they work.
I've been through the AWS training class done by AWS Training Team and was pretty bored through it as I knew it all (what at least was taught).
I recently stood up a site-site VPN from our on premise Palo to a Virtual Gateway and got all of that working and finally understand all that.
I bought the Official Study Guide for Advanced Networking and thinking about taking that test first. Has anyone here taken it and have any things I should focus on? Obviously, no NDA breaking, but just looking for general help.
Requesting Assistance with EEM Script for AP
I'm using an EEM script that auto-detects an AP when it's plugged in and configures the port accordingly, that part is working fine. However, I'm trying another one that would reconfigure the port if an AP goes down for longer than 2 minutes but I can't get it to trigger. Any assistance would be greatly appreciated.
Here is the first script:
event manager applet DETECT-LWAP-PORT-CONFIG
event neighbor-discovery interface regexp Ethernet.* cdp add
action 1.0 regexp "(AIR-)" "$_nd_cdp_platform"
action 2.0 if $_regexp_result eq "1"
action 3.0 cli command "config t"
action 4.0 cli command "default interface $_nd_local_intf_name"
action 4.1 cli command "int $_nd_local_intf_name"
action 4.2 cli command "macro apply MACRO-TRUNK-LWAP"
action 5.0 cli command "end"
action 5.1 cli command "write"
action 5.2 syslog msg "EEM script configured AP port and saved config"
action 6.0 end
Here is the second:
conf t
event manager applet undo-AP-port-config authorization bypass
event syslog pattern "LINEPROTO-5-UPDOWN.* changed state to down"
trigger occurs 1 delay 120
action 1.0 regexp "Interface ([,]+)" "$_syslog_msg" match intf
action 2.0 cli command "enable"
action 3.0 cli command "show int $intf | inc Description:"
action 4.0 regexp "-AP" "$_cli_result"
action 5.0 if $_regexp_result eq "1"
action 6.0 continue
action 7.0 cli command "config t"
action 8.0 cli command "default interface $intf"
action 9.0 cli command "interface $intf"
action 12.0 cli command "macro apply MACRO-ACCESS"
action 13.0 cli command "end"
action 14.0 cli command "wr"
action 15.0 cli command "exit"
action 16.0 syslog msg "EEM script undo AP port config and saved config"
action 17.0 end
Why host id in ip address when using NAT?
Hi!
I was wondering why your ip address need to be divided inte network and host id if it is uses only one public address with NAT
thanks in advance
Lejonkingen
Can someone help me figure out these two questions? (Avg network delay/deviation delay)
I'm not sure how to solve iv and v on this question. If someone can point me in the right direction it would be much appreciated. I don't know either of the formulas referred to in the questions and i'm not sure where to look https://imgur.com/a/9Mw6WGq
I'm misunderstanding something fundamental, I think. Can someone help me out?
Can someone help me understand why this broke? Here's the high-level design:
There are several thousand clients on each network. In an effort to throttle the amount of bandwidth available to Network 2, I statically set the connection on Link 2 to 100FDX. That link was constantly saturated. When that connection would saturate, Network 1 would turn to shit. Lots of packet loss and latency jitter. To my understanding, doesn't each individual interface have a buffer? Even if Link 2 filled its buffer I would think I'd only see those issues on that network. I never saw a large number of packets waiting in the global buffer on the firewall.
What gives?
After setting Link 2 back to auto (1000FDX, no more bottleneck) all of my issues on Network 1 disappeared.
GNS3 - Layer3 Switch
Got FTDv, FMCv, 9000v, IOUL2, and CSR1000v all working and have been able to replicate my environment in a lab for the most part, however I can't seem to find a layer3 switch solution that works - far too many licensing problems with IOUL3 (used keygens to no avail) so I decided to move to a c3725 router in "etherswitch router" mode... the problem is I can't do any true layer 2 configuration so it basically doesn't work for my setup ('vlan xxx' isn't available, nor is STP)
I think I need to get IOUL3 working so I was wondering if anyone here had any success? If so is there a guide you followed that works you could link me to? I've tried a bunch so far but it could also be user error.
Can Port Control Protocol (PCP) work for two ISP customers that want to host a service on same port within CGN?
Let's say there are ISP customers that were assigned to a shared address space of CGN. connections were established and PCP client is enabled. Now what happens if two customers wanted to host a webserver on port 80? Can PCP establish that connection on two simultaneous identical hosts behind CGN? Or will it reserve the first port request to whoever customer requested the incoming connection first?
Wednesday, December 11, 2019
Parent firm moved my company and 3 others to a new building, with no IT staff, and it's becoming my problem
Hey reddit,
A couple months ago, my company moved into a new space that is halfway through the remodeling process, at the behest of the investment firm that is our primary shareholder. The new space is going to house the investment firm, my company, and 2-3 other companies like ours that the firm "owns". We moved in first because we're the smallest (startup of under a dozen people), with the parent firm branch mostly moved in as well, and the other companies to follow in a few months when their part of the space is done with construction.
At the time we moved in, I (an idiot) inquired what the network situation would look like, since I was at the time looking into servers for our internal use, and so I (like a moron) offered to help another engineer run to Best Buy and rig up 4 routers as access points to get basic wifi up and running during this transition period. At present, my company and the investment firm employees are all sharing this one wifi network, which is mostly comprised of Linksys' out-of-the-box settings with a new SSID and password.
Turns out, there are no standing plans to get any kind of professional IT staff in-house. Today I overheard some talk between managers that leads me to believe that the network I set up needs some changes, and from this I intuit that soon I'm going to be asked to change passwords or configurations or some such.
The thing is, I'm a mechanical engineer. The extent of my IT knowledge comes from building my own gaming computers and hanging around with software engineers in college. I am at best a hobbyist-grade nerd. The current network setup is woefully inadequate with respect to security, my ability to administrate it, and likely bandwidth, if any of the other companies do anything network-intensive.
At some point in the near future I'm going to have to make a strong case for hiring professional IT staff, and I simply don't even know all that I don't know. How can I best make my case for why they should spend the money for a real IT professional? I want to point out all the things that could go wrong with multiple distinct companies all sharing a single consumer-grade network, but I'm not technically well-versed enough to think of all the ways that this could go wrong and the reasons this is a bad idea. Furthermore, this isn't my job - every hour I spend googling "how to change an IP address" is an hour I'm not doing the job I was hired to do, and so I don't want to frame it in a way that ends with "sounds like you need to do some homework" and it stays my problem.
What should I bring up in a future meeting to convince the higher-ups to shell out for an expert? How do I best explain to a non-technically-versed manager why the current setup is not acceptable for a building of 5 companies?
Looking for a 10G core switch...
So, until recently I was using VLANs to break apart my networks. I used my Sonicwall router to route traffic between subnets...
Well, I also recently upgraded my network and I have 30G LAG connection between floors, and 20G LAG connections to individual 48 port switches, and 20G LAG connections to each server.
With this much bandwidth, the router is just a bottleneck, and I should stick to using it for Internet access, and inbound rules, not much else.
So, I figured I need a core switch, which is really just a switch with L2 routing support. I've never used one before, so really don't know what I should be looking for. I really need something that supports 10G. SFP+ is preferred.
What other features should I be looking at?
I'm looking at the less expensive end of the spectrum, any models that anyone can recommend?
SMA Coax Cable
I need to purchase a SMA Coax cable at a store tomorrow instead of ordering online.
Does anyone know of any stores that would sell something like this?
1.1.1.1 cannot resolve youtube?
Did anyone else experience the issue of getting DNS_PROBE_FINISHED_NXDOMAIN when using 1.1.1.1 and 1.0.0.1 for youtube, outlook, reddit and others?
I've had my router configured to use 1.1.1.1 and 1.0.0.1, Cloudflare's DNS for a couple of years now. However, thirty minutes ago I tried opening youtube on my smart TV and it would fail every single time. I gave up on that and went on my computer to check up on reddit... same problem even on my phone, it seems the DNS queries kept failing.
I've had a similar problem at work before and the answer was that my server's DNS wasn't configured that well so I checked my router and switched from Cloudflare to google's DNS (8.8.8.8 and 8.8.4.4) and the moment I did that everything went back up and I was able to access all my favorite websites.
I can pick up a lot of info at once and already have a decent base. Any long youtube videos or sites? I use Linux already and kind of want to get into networking"hacking" and all the tools that go along with it. Im assming general networking is important as well as penatration testing?
Finally, is kali linux my best option? I have Lubuntu im assuming the difference is just programs preinstalled? Im not really trying to go onto the dark net or anything like that so I dont need tails just a good Distro but not too complicated unless it needs to be
Looking to start an ISP, what am I missing
Hi,
Let me know if I’m in the wrong place
So I’m trying to start my own isp by following this guide https://startyourownisp.com. I don’t plan on doing a wireless backend it would all be wired.until it gets to CPE I understand that it’s missing a few things a few things like bgp. How can this be setup? Is there a way that I can have this set and managed automatically? Is there anything else here that I may be missing?
UDP NAT timeout 3 days
A VOIP provider who provides/manages 2 x on-prem PBXs at our 2 sites has asked us to increase the UDP NAT session timeout on our routers from 180s to 259200s (3 days) to try and resolve some issues we are facing with calls not forwarding to internal extensions between the two sites.
Does this sound like a reasonable thing to ask? My concern is that UDP nat session table will fill up and cause unintended consequences.
If it helps, both devices are SMB type fortigate/draytek routers with < 100 clients at each site.
Any input greatly appreciated. Thank you.
Sanity checking a simple network to replace one exit network
New place, trying to make sense of it.
We have 5 offices. Here's the current setup
| Office | Employees | Internet | Routing | Extra info | Filesharing | Current Voice |
|---|---|---|---|---|---|---|
| LocationA | 32 users | No internet | Out through Location B via 1gig VPLS | Server farm. Mostly people connecting occasionally back for files from B,C,E | Going to have small scale DFS to locationE | A separate digital non-ip phone system |
| LocationB | 26 users | 100/100mbps | VPLS exit point | DC / Fileserver | Have their own server for local access | A separate digital non-ip phone system |
| LocationC | 17 users | No internet | Out through Location B via 1gig VPLS | Going to have a file server | Going to have their own local server | IP phones route back to LocationB via site to site |
| LocationD | 8 users | 10/10mbps | Site to Site VPN back to LocationB | no ISP in area, satelite dish pointed to nearest point. | Assumed little to no usage back to A | IP phones route back to LocationA via site to site (throughB?) |
| LocationE | 8 users | 100/100mbps | Site-to-site vpn back to LocationB. | Located in a different country. | Going to have a smallscale dfs replication to LocationA | Have their own separate cloud system |
1gig vpls is up for renewal, phonesystem in A/B is outdated and want to switch to cloud voice. the VPLS is only seeing 100mbps traffic according to ISP.
We have Meraki MX64/MX65 in B, D and E. The MX64's have a max VPN throughput of 100mbps which is what our internet connections are so i don't see a point for going for anything larger than that.
We're currently getting numbers for a VeloCloud setup that is WAY more complicated than what we need it for. We really only need site-to-site VPNs and figure out how to correctly QOS the voice to be prioritized.
What I'm thinking getting internet connections for B(hopefully a 250mbps and C (100mbps), putting an MX84 in LocationA and an mx64 in locationC.
Weird IP address conflicts
Hello all!
Running into a situation that I've literally never seen before.
Running multiple Windows 10 boxes in a air-gapped Server 2012r2/2016 environment. Win10 boxes are connected to a Cisco 3850 with ipbasek9 license (15.2 OS) via copper SFPs. All systems are given a static IP.
Whenever we boot a system, it comes up normally. When the system reboots, it tells us that there's an IP conflict, and it gets an APIPA address. We've verified that there actually is no IP conflict on the network. When we reboot, the systems go back to normal, no APIPA address, and they're happy with their statically assigned IP. We reboot again, and it goes back to IP conflict mode. Reboot again, back to good. Repeat... forever.
Digging in a bit further, I was looking into the event log, I see that on every machine, there's a 4199 event for the IP conflict. Now here's where it gets weird.
Every box says:
The system detected an address conflict for the IP address 0.0.0.0 with the system having the network hardware address of XX XX XX XX XX XX. Network operations on this system may be disrupted as a result.
The MAC address is the MAC addy for the switch port that the PC is connected to. Somehow, the systems are having an IP conflict with their own switchports.
We've tried:
-
Adding HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | DWORD "ArpRetryCount" | Value= 0
-
Changing HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces<Interface GUID> | DWORD "IPAutoconfigurationEnabled" | Value= 0
-
Issuing the "ip device tracking probe delay 10" command to the switch
-
Switching SFPs
-
Resetting the interface
Any advice would be greatly appreciated, because this is just boggling to me.
Feature Extraction from PCAP file
I was following along this paper: https://cyber.bgu.ac.il/wp-content/uploads/2017/10/07346821.pdf and I was curious as to how they extracted the data from the PCAP file. According to the authors, this was what made their approach to malware detection unique and special.
The full list of features they were able to extract can be found here: http://www.ise.bgu.ac.il/dima/Network_Traffic_Features_Set.pdf
Does anyone have any experience doing this? Other papers I have looked at simply say they used the feature extraction tool from this paper, but I am not understanding it well enough to implement it by myself.
Suggestion on how to do this, or repositories where code needed to do this can found would be greatly appreciated!
SFP Module Question
Hello I need help deciding on a SFP module. The am currently not on site, so I need a little help on choosing the proper SFP module for a new WAN setup. I was told the wavelength is 1490. I need help deciding which SFP module get.
One module transmit end is 1490 and Receive 1310 while the other one is Transmit 1310 and receive 1490. They are both SMF. Any help appreciated.
I can ping 8.8.8.8 but browser never loads
I’m sitting at a Windows 7 machine last updated in 2017 that controls a PLC and can ping 8.8.8.8 but the browser never loads it. When I go to diagnose the issue I get the message “DHCP is not enabled for this machine”.
Am I being paranoid that this is an easy target for a malicious actor?
How do OPSF Areas affect routing tables?
So I understand how SPF works and how it chooses which route to take within a network with ospf areas configured but I'm not that sure on routing tables still.
Say you have 2 copies of the same network one with ospf areas and one without what effect would this have on the routing table and how do they differ in metric values assigned? I've tried looking into it but can only find basic videos about ospf with not many talking about routing table differences.
Configuring Cisco Merakis locally?
So, I'll admit, I've not had a huge amount of experience setting up Cisco Merakis. I've gone to reconfigure one today that the provider installed yesterday to a new line, i believe they did some initial config on it.
I've connected in, got IP through DHCP, (192.168.128.10/24) and my gateway is 192.168.128.1
Setup guide says to connect to setup.meraki.com. This fails however, it resolves to 192.168.193.1 which I can ping, but cant connect to over HTTP, HTTPS or SSH.
So, I'm guessing config changes have to be done through the Meraki dashboard? Well I logged in, tried to claim the device by entering the serial number and it says device is already in use (presumably under another account, I guess the ISPs)
What options do I have now except to get whoever is currently managing it to 'unclaim' it? Are there literally 0 options to configure it locally?
Thanks
I am Craig from VeloCloud - AMA!
I am Craig Connors, Chief Architect for VMware SD-WAN by VeloCloud. I've been in the SD-WAN space since joining the initial engineering team at Talari Networks in 2007, spent time in Cisco Advanced Development and have been with VeloCloud/VMware since 2013.
Ask me anything - about VeloCloud, VMware, SD-WAN, network design, protocols, coding. I will be candid in my answers but I do work for a public company - any opinions expressed are my own and if there is something I cannot answer I will say so explicitly.
I'll try to cover all time zones as best as possible by answering questions from 6AM-11AM PST.
Proof:
https://twitter.com/egregious/status/1192076960282877952 https://www.linkedin.com/in/craigconnors/
Frame Symbol Errors - What Are They?
What is a symbol error? Something to do with frame interpretation? What could cause a symbol error in optical Ethernet? Will a symbol error be detected by CRC?
Help IPPBX with unlimited internal phone numbers
Hi all, not sure if this the correct place, but i have a query.
Can i have say 1 phone number(pri line) and unlimited internal numbers in my office?
Basically, i want only a few phones to be able to receive and call outside, and the others to be able to only call within the organisation.
Is such a thing possible? And how do i go about it. Can you guys point me in the right direction please?
Thank you.
Fix for DHCP failed, APIPA is being used
Relatively new to networking, I'm looking to implement DHCP to a router before allowing it to support a VoIP phone
I've done the config terminal, setting up ip dhcp pool, network and default-router. DNS servers and excluded addresses aren't required for the assignment
I'm new to this sort of stuff so Ive probably missed out something basic
any help is appreciated
The Office Web Server Getting lots of attention lately
Curious, After seeing a day of alerts from SEP on the server, we now daily get handful of alerts that malicious activity is attempting to be done on web server. SEP is blocking it but I fear that eventually they may hit it with something that will not be blocked. What can I do to prevent this daily access? This all happened after a day that seen "mass scanner" attack blocked on this same server. example log below.. IP does change but always foreign
A high-risk intrusion was detected on server.domain.local within group Modified Policy Users on 12/11/2019 12:59:11 AM.
IPS Alert Name
Attack: an intrusion attempt was blocked.
Status
Blocked
Attack Signature
Web Attack: Masscan Scanner Request
Targeted Application
SYSTEM
Attacking IP
80.82.70.118
Targeted IP
192.168.10.6
MX480 port activation
I'm looking to purchase a MX480 and I would like to know if I need to get any kind of license to use the 10G and 40G ports or is it only JUNOS related?
Has anyone ever used Port Triggering
Network Engineer here, I do probably 30% Firewall work, 10% Routing, 20% switching and the rest on Load Balacing, so I think by now I've seen every sort of network configuration. My question regarding Port Triggering is that every $20+ Home Router has this feature that I have never seen on an enterprise firewall or appliance. You know the one, the one that says, if I detected x I'll open y, like how is that useful?
Does anyone know any examples of when they have needed port triggering, and more specifically if they needed it in enterprise network?
AP in DHCP or PPPoE?
So I have ethernet cables running from my switch to 2 routers acting as an AP. I’m a new employee and just wanted to check what the network looks like. It seems like a lot of people have problems of their networks dropping and some don’t even seem to be able to the SSID for a few minutes. After logging into the AP, I saw that they were set up in PPPoE mode. I was wondering if this creates any issues and would it be better to use DCHP instead?
Also, one AP gives out 200Mbps and the one gives out a speed of 5. What?
Patch panels in top of rack design
Hi Folks,
Do you install
a. copper patch panels in each server rack or connect servers directly to top of rack switch?
b. fiber patch panel to connect top of rack switch with master switch or directly interconnect using patch cords?
Any suggestions ?
Tuesday, December 10, 2019
Anyone's network ever been compromised?
If so, how did you detect it, what was the attack vector, and how did you remedy it?
Costs/estimates to terminate installer fiber?
My old man had fiber run, when he had his house built, though the fiber was never terminated. Any idea the going rate to terminate fiber per drop with a LC connector? I know the labor costs can vary, though he doesn't live in an expensive metro area.
I have terminated a lot of Cat5e in my life, but I know fiber is a whole different ball games. I bought a fiber termination kit about 20 years ago, but never used it. I would consider doing it myself, though I live 1200miles away.
Thanks in advance!
Telecommunications: Do VoIP phone number still live on Class 5 switches?
I read something recently that suggested that phone numbers of VoIP providers are still actually owned by a LEC, and that they would be routed to the relevant Class 5 switch before being handed off to the VoIP provider's network. Is that true? Like if I call an AT&T VoIP number from the PSTN, it would have to be routed to a local Class 5 TDM switch before being handed off to AT&T's VoIP network? Seems ridiculous. I always thought that VoIP carriers essentially had "virtual" Class 5 switches (made of Broadsoft servers and such) that would interconnect with like a Class 3 switch or something for PSTN connectivity.
1 port console server
I am looking for a 1 port console server so I can assign a static ip address and can console into cisco switches remotes. I have a large deployment and wifi and cell service is limited
Rant Wednesday!
It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.
There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!
Purposely breaking patch fiber for a training lab
I'm working on a barebones link troubleshooting training lab and I want to take a patch fiber and break it in a way that's not visually obvious.
The goal of the labs are to really explain things very simply. Tx/Rx and how light circuits work vs. electrical circuits, which most people are quite familiar with. Focusing more on the troubleshooting logic, assumptions that can/cannot be made, etc.
The people I'll be working with are generally fairly bright, so I need to make them actually troubleshoot instead of going "the one with the heat shrink on it is bad" or whatever. Basically eliminating all context that could lead to them to 'cheat'.
For the labs we're simulating light with VFLs instead of using actual optics, for reasons of cost, mobility, and safety, so hoping to figure out way to stop the light completely as we're not going to get into things like 'bad' light, etc.
Thought about moving the strain relief and cutting there, but as we'll be plugging/unplugging a lot as the lab moves forward, I don't want to be pulling one out and have the entire fiber come out, making that cable a dead giveaway, either. I've also thought about just taking a Sharpie to the end, but I'm not sure if that will just come off and/or maybe foul the couplers/coupled fiber when it's plugged in. It might also be a giveaway if the person sees the end. I basically want them to use their IR Card (I will never train someone to look into fiber) and see if there's any light or not.
Anyone have experience in fiber sabotage?
Desperate for Arista Help re routing c-VLANs!!
Arista pros -- need your help here! On the 7280 series how can we route traffic for c-VLANs? In other words, our 7280s are receiving QinQ double tagged vlan traffic and we would like to route traffic for the inner VLANs. We looked at dot1q tunnels, pvlans, routed ports and vlan mapping commands with no luck. Any help would be greatly appreciated!
Sizing the [network] buffers analysis
Very nice and comprehensive analysis on a topic of never ending interest: sizing the network buffers analysis.
Anyone with fully IPv6 networks out there?
I am thinking futuristically in asking this question but I want to know if there are any full IPv6 networks in existence yet.
With the exhaustion recently of RIPE's last remaining IPv4 block allocation, I am wondering if any of you out there have begun or interacted with a network that is entirely IPv6 native yet. Meaning, there is absolutely, 100%, zero IPv4 space allocated within the network, either as a public IP space or private IP space.
If that is the case, then drilling down into what a fully-native IPv6 network looks like:
- What does your routing internally look like?
- What does your public routing infrastructure look like?
- What were some design considerations and best practices that you used for:
- IP address space allocations
- Point-to-point routed links
- VPN tunnels, if any exist?
- What did your transition look like from IPv4 to IPv6? What are some challenges and objectives you had to overcome?
- What was the total project cost? How much did you have to dedicate in equipment upgrades, man hours, outages, etc.?
Part of this is that I am kind of dreaming out loud here, but I also know that eventually one day this shift will have to happen and I would rather start thinking about it now rather than when it absolutely must happen.
Real Discussion about Single Mode Fiber vs Multi Mode Fiber to the end user device (desktop/VDI/printer etc...)
Been out of the "on prem" networking scene for a while and just had some questions on what the industry is doing for new network installations for new facilities. In particular single mode fiber vs. multi mode fiber to the end user device (desktop/VDI/printer etc..). So some of my co-workers think multi-mode is the way to go to the desktop and single mode only for WAN/Data Center connections. They state cheaper optics as one of the main reasons and that the industry runs multimode to the end device and not single mode...
So, what I'm trying to gather is what is the current take on running SMF vs MMF to end devices and using it outside of the data center/WAN realms? I've read some stuff online about "future proofing" with SMF by running it all the way to the end user device but wasn't sure if the optics cost is still too much to make this a valid reason.
I need some input so feel free to jump in and lets start this debate!
PC to Internet question with diff answers
I’ve asked this question to few people and kept getting different answers so I wanted to ask here to get the communities answers and see if it matched.
Simple scenario
PC --> L2 switch ->> Router
You can assign generic Mac addresses to each device above. The Pc you can assign your own ip as well other devices too like the router.
The PC is brand new and just booted up with statically assigned up and user types in Facebook/google.com and then a second type with a httpS website
I tried to look online if any had answered but didn’t find an article that laid it out in a diagram or table format .
Question:
Fill out the table below with the packets/frames in rows that occur as soon as device is booted up till it goes to browser and types in the url:
Src Mac | Dst Mac | src Ip | Dst IP |protocol
OSPF Troubleshooting
Good morning,
I wanted to bounce this off the hive-mind, maybe I'm missing something easy.
I have 3 pairs of QFX-5100's on my network and an MX80, Two of the QFX vc's are currently sitting in area 0 with my MX.
I tried adding the third QFX, and this is where my problem starts.
Once I add the 3rd device, my MX receives the hello and builds the adjacency, even lands a 'Full' state. Although the MX states it's sending the hello/adv packets out, the two switches that were currently adjacent stop receiving the advertisements, and eventually time out. If I clear neighbors on my MX, it temporarily comes back until the 40 second timer expires again. I'm at my wits end trying to see why the advertisements seemingly disappear over the wire while the MX says it's sending them.
I have not and certainly will do a packet capture on the vlan1 interfaces, but I'm only able to drop the network in the very early hours of the morning.
I don't have a diagram, but the layout is very linear currently. MX -> switch -> switch -> switch
The plan is finish fully routing the network to aid in redundancy, but currently we're leveraging ospf to keep a handle on our multiple /16's of internal routes.
Any troubleshooting steps you have will certainly be helpful.
iBGP peering issue between Cisco N3k's
Hi all,
I am hoping you can provide some help with an iBGP peering issue. I have a customer site where there are two circuits (same carrier) for redundancy that terminate into two separate Nexus 3048s. I have eBGP configured on the uplinks and I am trying to configure iBGP between the two units. I do not have OSPF running as an IGP, just static routes for the peer subnets.
interface Vlan105
description L3 Uplink to Matrix LAN
no shutdown
vrf member matrix
no ip redirects
ip address 192.168.105.5/28
hsrp 105
preempt
priority 150
interface Vlan951
description Private VRF
no shutdown
vrf member matrix
no ip redirects
ip address 172.16.72.2/30
vrf context matrix
ip route 0.0.0.0/0 172.16.72.1
ip route 10.5.160.0/24 192.168.105.1
ip route 172.16.0.0/16 192.168.105.1
ip route 172.16.72.4/30 192.168.105.6
matrix.maumee-spectrum.n3k# ping 172.16.72.6 vrf matrix
PING 172.16.72.6 (172.16.72.6): 56 data bytes
64 bytes from 172.16.72.6: icmp_seq=0 ttl=254 time=1.186 ms
64 bytes from 172.16.72.6: icmp_seq=1 ttl=254 time=1.17 ms
64 bytes from 172.16.72.6: icmp_seq=2 ttl=254 time=1.116 ms
64 bytes from 172.16.72.6: icmp_seq=3 ttl=254 time=1.04 ms
64 bytes from 172.16.72.6: icmp_seq=4 ttl=254 time=1.536 ms
matrix.maumee-spectrum.n3k# sh ip bgp vrf matrix summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.16.72.14 32732 6145 5613 23 0 0 3d21h 15
172.16.72.64 65101 0 4480 0 0 0 3d21h Idle
router bgp 65101
log-neighbor-changes
vrf matrix
address-family ipv4 unicast
network 10.5.160.0/24
network 192.168.50.0/24
network 192.168.55.0/24
network 192.168.60.0/24
network 192.168.65.0/24
neighbor 172.16.72.1 remote-as 32732
description eBGP to cor01.d35
address-family ipv4 unicast
soft-reconfiguration inbound
neighbor 172.16.72.6 remote-as 65101
description iBGP to matrix.maumee-att.n3k
address-family ipv4 unicast
soft-reconfiguration inbound
Thanks in advance,
AT
BiDi or MPO for 40G, 100G, and 400G for 'future proofing'?
I speced out BiDi, but then an architect wanted to avoid BiDi and just said that was for 'future proofing'. Kind of made me go 'hmm...'.
College Thesis Help - Snort / Suricata
So I have a solid networking background and understanding of so of the systems involved. I am currently working on a project that uses either Snort or Suricata I haven't decided which yet. but the idea is for this system to be able to capture and display details in clear text for a keyword list. for example, someone googled something that was against policy of the company it would alert that "EMAIL / USERNAME" searched for "KEYWORD" on "127.0.0.1 / GOOGLE.COM" at "DATE / TIME". I can't figure it out as I'm new to both snort and Suricata so I need to learn one, how do I write a rule that will capture usernames, email address, full names, or message keywords such as "KEYWORD"... so maybe a way to parse the packet for data such as "username = BOB" and save that data to an SQL table for that IP address. can anyone help me with this ? its a completely new project for me, I know I will need to strip SSL/TLS and degrade the traffic, I have a understanding of that already... Thanks in advanced
10G / 25G cross-compatibility
Hey networkers, server guy here!
Been checking datasheets - but honestly I'm not convinced yet and answers I got inhouse were kinda mixed as well. So maybe someone can confirm or deny ...
We'll likely update the switches to 25G ports in the server range and I'm checking my options. If I understand correctly, whether or not SFP28 25G transceivers support 10G data rates seems "some do some don't", for example Intel says the transceivers for their xxv710 25G cards do support 10G while Arista says theirs don't and HPE seems to largely ignore 25G anyways.
Now I've cleared up most things but, from your experience - can I expect this to work:
Intel XXV710 cards with SFP28 25G SR transceivers connected to HPE 5700 or 5900 switches with regular SFP+ 10G SR transceivers (no direct-attach here). I know SFP28 or SFP+ doesn't actually matter here, it's just for further specification what I'm trying to ask. ;)
That'd be cool because I wouldn't have to "mix and match" cards and transceivers and could just go with 25G-only in new servers ....
Thanks!
I'm a network newbie - alternatives to Flukes to just find VLAN number
Hi guys
I'm on a project that has various Cat6 run off in to the ceiling that then plug in to a desktop FTTO switch. Each port is configured with a VLAN for the end device functionality.
however, we only have 1 linkrunner and, yes, we can probably buy another couple but, i'm wondering if I can do this simple check with Wireshark on a laptop or android alternative alternative?
I have tried Wireshark and I can usually get it to show a lot of TCP/IP stuff but sadly, the VLAN (802.1Q?) info isn't listed where it is on the Linkrunner.
Devices: Windows 10 Surface Go
or
Samsung Note 9
Both connecting via an Euasoo USB Type-C Hub Pro (ES-HB300C) with an RJ45 socket. Windows shows this network card as an "SVN" in device manager and is made by Huawei. I'm unable to find any info on registry settings to pass the VLAN data up the layers for this card like I can find for Intel.
Am I heading to a dead end?
Thanks!
Setting up a new enterprise network on a shared gigabit fiber.
Hello! I'm responsible for setting up a network on a new location for our small business. I have more of a coding background rather than networking, but being the only tech-literate person around I get throw everything else too. There is a gigabit fiber going into the property, and there is already another business set up on this connection. What I need to do is set up a new LAN completely separate from the existing one. Before I start buying hardware it would be nice if someone can spot any issues in the setup that could cause me trouble down the line.
There is a fiber converter connected to the other companies WAN-router. I figured the first step is to connect a new router right after the fiber converter and just run this in bridge mode and no DHCP. Both businesses connect their routers to this one with static IP-addresses set up.
From this router I can then run our DHCP, NAT, firewall and NAS. I'm planning on running 5 UniFi APs for full coverage and seamless handover, hopefully with PoE if I can get the budget for the right hardware.
Couple of questions: I need a total of 16 wired Ethernet-connections. Are there any up/downsides to getting a router with 16-18 ports and skipping the switch altogether vs getting a smaller router and run it all via a switch? Does it matter in terms of Wifi performance and client handover if the APs and router/switches are from the same company or not? Is it better to split the connection right after the fiber converter and skip the first router altogether? I assume that would entail messing with the ISP to give us several WAN IPs etc.
Thanks for any help! I hope this isn't too low level for this sub, but if it is I apologize. =)
Expanding access to a site to site VPN tunnel
I have a (probably a bit silly) networking question regarding linking networks via VPN tunnels.
I have three sites, A, B and C
A can see B and B can see C, what are my options if I want A to access C?
If I want to access network C from A I can add network C to link 1 and I assume you have to add network A to Link 2 so the traffic gets back?
Is there any way of just using static routes instead of editing the encryption domains to get the same result?
https://i.ibb.co/QcQ7fW5/Capture.png
This problem comes about due to having a site to site connection to an external network that I can't change. But I want more than one subnet to access this external network.
Monday, December 9, 2019
If there's a double cable connection from A to B. How are both utilized without either connection being blocked by STP?
I saw some network diagrams with redundant connections between switches placed in different buildings, I figured either one would be blocked by STP to prevent loops. Could anyone clarify how both cable connections could be utilized at the same time? Or is the second connection just there in case of failure of the first connection?
Configuring a vEdge device locally?
With Cisco SD-WAN, if you have a vEdge device that is managed via vManage, and you try to configure it locally, you get this message:
Aborted: 'system is-vmanaged': This device is being managed by the vManage. Configuration through the CLI is not allowed.
Is there some way to work around this? What if you lost connection to the vManage, and the only way to re-establish connection is to modify an interface setting via the console?
IKEv2 - Fortigate 60E to Sophos XG, AUTHENTICATION FAILED ?
Hello,
This one has me banging my head against the wall.I have a fortigate 60E with a 4G USB modem using NAT (fortigate gets internal IP of 192.168.8.100).
Trying to establish an IPSEC tunnel using IKEv2 to a Sophos XG device.
I have checked over the Phase1 + Phase2 details several times, triple checked the pre shared key, everything looks correct, but I keep getting the following in the debug output of the Fortigate;
ike 0:Cloud - 4G:6: sent IKE msg (SA_INIT): 192.168.8.100:500->SOPHOS-PUBLIC-IP:500, len=440, id=6e5994e70f76b7e8/0000000000000000 ike 0: comes SOPHOS-PUBLIC-IP:500->192.168.8.100:500,ifindex=27.... ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=6e5994e70f76b7e8/28193c1977894caf len=448 ike 0: in 6E5994E70F76B7E828193C1977894CAF2120222000000000000001C0220000300000002C010100040300000C0100000C800E0100030000080300000E0300000802000007000000080400000E28000108000E000068A6CE15EC64E1CDF548F6EB49E88EC1037617F60A3BEA8A4BAD43AD93D65C49D3533C5CAE82530E1CCF845584D3DE1F63F31562253C08A4D7D39A14A62D3C9894653E5E1B1627720D6E7D19A8CEF3762869A5D96C8D6C56B632537F39B9155423E31FE4A19A8C777CB2B42340614A165A48AF50E8AE77546BE1188DDBC55FF8AD667FEA75556BE60A852C5FB4ADA2346C743487CF35783407118FFC5E9880634440D94A3DB6883C40AE66F4E3FA697CD8D6F5CC6FFB86DEC91167F087AE86424975DC3A2CB43AC528669828F667D86BD0FA6A4A4B57F38F5A6057A8E3DFBE9AA1A1F5D06A64E4742B02BFA303A5EEF27E3430395510151BA2501A3F7AD5AA65290000247102C8E4401E931B75B35E938660548067FE711D65F871181944F1EA7FCECDEE2900001C00004004E7AF37D8336824E5DD66777E56027684655902312900001C0000400596BB1A59A9CF71F70762C5FC27DAD2307D36DC1C290000080000402E0000000800004014 ike 0:Cloud - 4G:6: initiator received SA_INIT response ike 0:Cloud - 4G:6: processing notify type NAT_DETECTION_SOURCE_IP ike 0:Cloud - 4G:6: processing NAT-D payload ike 0:Cloud - 4G:6: NAT not detected ike 0:Cloud - 4G:6: process NAT-D ike 0:Cloud - 4G:6: processing notify type NAT_DETECTION_DESTINATION_IP ike 0:Cloud - 4G:6: processing NAT-D payload ike 0:Cloud - 4G:6: NAT detected: ME ike 0:Cloud - 4G:6: process NAT-D ike 0:Cloud - 4G:6: processing notify type FRAGMENTATION_SUPPORTED ike 0:Cloud - 4G:6: processing notify type 16404 ike 0:Cloud - 4G:6: incoming proposal: ike 0:Cloud - 4G:6: proposal id = 1: ike 0:Cloud - 4G:6: protocol = IKEv2: ike 0:Cloud - 4G:6: encapsulation = IKEv2/none ike 0:Cloud - 4G:6: type=ENCR, val=AES_CBC (key_len = 256) ike 0:Cloud - 4G:6: type=INTEGR, val=AUTH_HMAC_SHA2_512_256 ike 0:Cloud - 4G:6: type=PRF, val=PRF_HMAC_SHA2_512 ike 0:Cloud - 4G:6: type=DH_GROUP, val=MODP2048. ike 0:Cloud - 4G:6: matched proposal id 1 ike 0:Cloud - 4G:6: proposal id = 1: ike 0:Cloud - 4G:6: protocol = IKEv2: ike 0:Cloud - 4G:6: encapsulation = IKEv2/none ike 0:Cloud - 4G:6: type=ENCR, val=AES_CBC (key_len = 256) ike 0:Cloud - 4G:6: type=INTEGR, val=AUTH_HMAC_SHA2_512_256 ike 0:Cloud - 4G:6: type=PRF, val=PRF_HMAC_SHA2_512 ike 0:Cloud - 4G:6: type=DH_GROUP, val=MODP2048. ike 0:Cloud - 4G:6: lifetime=86400 ike 0:Cloud - 4G:6: IKE SA 6e5994e70f76b7e8/28193c1977894caf SK_ei 32:81AB95DD798FD080153402F78337C5183343011C465B0A3AEBEA3722C79E0EFD ike 0:Cloud - 4G:6: IKE SA 6e5994e70f76b7e8/28193c1977894caf SK_er 32:0F9489F3B16EC5F117C6B6C65D091194CCA1D068DF2284292B65F030C6C49FE8 ike 0:Cloud - 4G:6: IKE SA 6e5994e70f76b7e8/28193c1977894caf SK_ai 64:92FAD96313278A498883B0BD5C76C3F963927273E7871B3BD60873DB56AA9F655DC96935349EF26B8F16AEC33D54C38290451944896CC136674EEF697CBC18A8 ike 0:Cloud - 4G:6: IKE SA 6e5994e70f76b7e8/28193c1977894caf SK_ar 64:00108652A91924C81E956757B6808C2FD7261BCC99C0FBB7E4D34B352F6E7062E1EDB60B1201654C0D8D9F8EFE5DD2A452D710973DAD805FF30A0E9E7056424C ike 0:Cloud - 4G:6: initiator preparing AUTH msg ike 0:Cloud - 4G:6: sending INITIAL-CONTACT ike 0:Cloud - 4G:6: enc 29000015020000003139322E3136382E382E313030270000080000400029000048020000002E93B171D5344B14EE4103DEAECFCD21F0503D9288B137DB0C65F1367A90A8F0398F8E5679B6C5F0A80FBB6FFDE83C6D07D8BA6E602976EC478D506F5F3EF39721000008000040242C00002C0000002801030403BB6624F00300000C0100000C800E0100030000080300000E00000008050000002D00001801000000070000100000FFFFC0A80100C0A801FF0000001801000000070000100000FFFFC0A88500C0A885FF06050403020106 ike 0:Cloud - 4G:6: detected NAT ike 0:Cloud - 4G:6: NAT-T float port 4500 ike 0:Cloud - 4G:6: out 6E5994E70F76B7E828193C1977894CAF2E2023080000000100000120230001045EDE90245CB99F865DF60148D562CD554A6EC71BB8A9EEE17B35DA3988582ED401901EDC11D98A72C2F2EC78B4A0BBD22B17BE4F189849F4273EDB97B1B223717E7097E037DDE1431BF443FEE472FEE0956FFEDE7A2C7E2BD0D1439D9CF94ADDDD99673668C9CB06B591BC72C7963EC2CB3925E1E3744ABB981BBD2B4A70786380E85DAF2674D9A35289A9779E55D432939EFDC45B535B0086F57F2E5FD06903CCB9B7AD2F8CDF288403926D9A8236ECDA6E184927C5D5333D4D6D8085609C48EFF466CC7313F737226B561371B5C69C2497C964EAD116BB35EA06410319774FEEFB72BB310D6E89E656F9F7806BB2894C2EBE9E6592009D4B5012B2B3468A2B ike 0:Cloud - 4G:6: sent IKE msg (AUTH): 192.168.8.100:4500->SOPHOS-PUBLIC-IP:4500, len=288, id=6e5994e70f76b7e8/28193c1977894caf:00000001 ike 0: comes SOPHOS-PUBLIC-IP:4500->192.168.8.100:4500,ifindex=27.... ike 0: IKEv2 exchange=AUTH_RESPONSE id=6e5994e70f76b7e8/28193c1977894caf:00000001 len=96 ike 0: in 6E5994E70F76B7E828193C1977894CAF2E202320000000010000006029000044679D16E3A34E813C9FFDA0762B42C427565D084536806509082952DC3C08DBFCE509DFED9F6D0315AF10F14BA4858237543CA1756C76A8D447C5A10E63DD0369 ike 0:Cloud - 4G:6: dec 6E5994E70F76B7E828193C1977894CAF2E2023200000000100000028290000040000000800000018 ike 0:Cloud - 4G:6: initiator received AUTH msg ike 0:Cloud - 4G:6: received notify type AUTHENTICATION_FAILED ike 0:Cloud - 4G:6: schedule delete of IKE SA 6e5994e70f76b7e8/28193c1977894caf ike 0:Cloud - 4G:6: scheduled delete of IKE SA 6e5994e70f76b7e8/28193c1977894caf ike 0:Cloud - 4G: connection expiring due to phase1 down ike 0:Cloud - 4G: deleting ike 0:Cloud - 4G: deleted Wondering if anyone has any ideas?
I did get the tunnel to establish over IKEv1 briefly in earlier testing.
Thanks
Subscribe to:
Posts (Atom)