Saturday, December 28, 2019

Split Networking

/r/kvm/comments/eguks9/split_networking/

Meraki for LAN monitoring?

Hi, large enterprise here with MPLS network connecting multiple sites. Our perimeter is pretty solid but I'm looking for a security appliance that will give us good visibility into the LAN at each facility to monitor inbound/outbound traffic, bandwidth, endpoint online status, and that includes anti-malware and intrusion detection/prevention. No routing. No VPNs. Just set up as passthrough. I've used Meraki in the past and especially liked the intuitive dashboard. It enabled us to identify problems rather quickly and respond to security incidents.

What are your thoughts on this use case and is there anything out there that is similar?



TP-Link EAP 225 firmware 2.6.1

Omada reported a new firmware update to the EAP 225 and I am unable to find any notes on it. Does anyone have any eyes on a changelog? The TP-link forums don't have any information, and I don't really want to create an account there either. The build is:

2.6.1 Build 20191022 Rel. 42463



Radius and TACACS+ Solutions

We are looking for an AAA solution mainly for login management of network switches, routers, and access points for our network techs. Vendors include Juniper, Cisco, Calix, Adtran, Nokia, Mikrotik, and Ubiquiti. Some of these network operating systems support both RADIUS and TACACS+ authentication methods, whereas others only support RADIUS (Mikrotik for example). Is TACACS+ even widely used anymore?

There does not seem to be a dominant hosted solution for this out there today, so I assume many people have rolled their own with open-source or commercial offerings. What solution do you have in place?

Ideally something with a nice GUI and logging capabilities. Integration into an external LDAP or IDP would be preferred as well.



How does one get started? Good resources to learn from the very basics

I’ve been into networking & sysadmin type things for a while - but I’m just... struggling to learn?

Honestly I'm mildly disappointed with myself at this point, as everyone I know who's into tech just kinda taught themselves - but I'm struggling to find all the resources as to what I need to learn or where to start. I'm still in HS but don't want to be that one person who gets into college without knowing anything... (as most people already seem to know a lot by that point)

Can anyone recommend me some resources as to what exactly I need to learn, and where to start? I've been watching a CCNA crash course, but it's kinda just getting exponentially more confusing.



Firewall Help

Hello everyone
I got part-time work where a client requires me to set up a firewall. I need help with setting up the firewall. I have a little bit of IT background but I am not an expert. I really need this job for my growth/experience in IT and for some extra cash, SO PLEASE GUIDE ME.
So the scenario is:
There is 1 head office and 2 stores in separate buildings with separate internet but the same ISP.
Head office has around 22 PCs - stores have around 10 PCs each, so a total of approx 40 PCs.
The client wants:
1. Limit users' internet access (Facebook, YouTube etc.)
2. Client has a cloud-based software and wants all the PCs to connect through a secure VPN to that software.

My questions:
Which firewalls should I buy that will be easy to configure?
Is this a very difficult task or can an amateur IT support guy like me handle it?
A little bit of guidance on how to configure the cloud-based software VPN and firewall setup.

TIA
(Sorry for bad English, not my 1st language)



Networking - from OSI to Load balancing

Over the last 3 months, I have created and posted videos from my Networking basics course on r/netsecstudents. So far it has been received very well! Now that the playlist has been extended with more than 10 videos I would like to share it with people on this subreddit as well, in the hope that someone here can benefit from them too. Feedback is very much appreciated as I'm doing these videos as a way to get a deeper understanding of networking.

The entire Playlist can be found here:

https://www.youtube.com/watch?v=rIZ61PyDkH8&list=PLR0bgGon_WTKY2irHaG_lNRZTrA7gAaCj&index=1

Or the first half of the individual videos can be watched below, should some people be interested in specific topics.

Introduction to Networking - OSI Model

https://youtu.be/rIZ61PyDkH8

Introduction to Networking - IP addresses

https://youtu.be/oieIGwUPaKE

Introduction to Networking - MAC Addresses

https://youtu.be/_Fdj1fY0gp8

Introduction to Networking - Routing and Switching

https://youtu.be/xSiE0tahshI

Introduction to Networking - TCP / IP

https://youtu.be/vCN0Um46YIk

Introduction to Networking - TCP & UDP

https://youtu.be/0-MldfyhIuo

Introduction to Networking - Ports / Protocol

https://youtu.be/oiYrsR5oJSE

Introduction to Networking - DNS

https://youtu.be/TEa39TjT8Dg

Introduction to Networking - Wifi Security

https://youtu.be/EbyooalphZU



Friday, December 27, 2019

OSPF Path Prepending?

I apologize for the dumb question, I am banging my head on this one. I currently work for an organization with 14 sites and two Colo/DCs. We currently have an L3VPN over MPLS with a typical BGP peering session between the PE and CE. Due to a number of different reasons (carrier reliability, cost), we will tentatively be moving to an L2/Metro-E solution for the WAN connectivity to the branches and using OSPF as the routing protocol for simplicity.

What I can't wrap my brain around is how we announce the DC and default routes to the WAN. We have our servers split between two DCs. DC-A servers are in VLAN 10, DC-B in VLAN 20. Several years ago, we added OTV into our environment and have been moving servers to a single server VLAN, VLAN 30. VLANs 10, 20 and 30 are all part of the OTV domain and using VMware we can migrate servers between DCs for HA (pretty standard). We currently use route maps to prepend the routes to force all DC-A traffic to DC-A unless unavailable and likewise for DC-B, then announce the default (Internet-bound traffic) via DC-A unless unavailable (failing to DC-B). Is there a way to easily accomplish this with OSPF or should I look at something else?

Thanks in Advance



Why does my router show DoS Attack ICMP flood blocked? What are people trying to do to me?

Why would someone try to DoS me? I just casually search the internet and play video games online.



How do Cloud VoIP Providers guarantee qos and call quality if you access their services over the Internet?

As we all know as network professionals, there is no QoS honored on the Internet between different carriers. DSCP is usually stripped off or at least ignored. We also know as network professionals that VoIP cannot work without QoS.

If you send 10 UDP packets from your location to another location on the Internet, chances are all 10 packets will each take a completely different path, hitting different routers and even different autonomous system numbers. This is just how the Internet is designed, and if at any hop your packet meets a loaded interface, your packet will be buffered and transmitted best effort after any carrier-grade traffic is given priority.

This means two big things.

  1. The time between the packets being sent will not match the time between the packets arriving. This is important because RTP sends a steady stream of packets, each packet sent at exact time intervals.

  2. The packets may not arrive in the same order they were sent. This is important because each packet has a small sample of audio data.

My question is how do Cloud VoIP providers guarantee good call quality and QoS on their product if you are using a best-effort medium to reach them?

If you have got a tier 2 ISP, for example, your VoIP might go through 3-4 different transit providers before it reaches your provider.

I am just wondering how businesses are able to use Cloud VoIP and the users do not notice any problem? How is that working so well? Many businesses are using this Cloud VoIP so I'm wondering if there is something going on where they found a way to protect this traffic and give it QoS?
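The receive side of the two effects the post lists, as an added example that is not part of the original post: an RFC 3550 interarrival jitter estimate plus a minimal jitter buffer that reorders by RTP sequence number, run over a constructed ten-packet G.711 stream whose arrival times, one reordering and one very late packet are all made up for illustration.

```python
"""RTP receive side: reorder by sequence number and measure interarrival jitter.

Constructed example (not from the post): ten 20 ms G.711 frames sent on a fixed
schedule, arriving with variable delay, one reordering and one very late packet.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CLOCK_HZ = 8000                          # RTP clock for G.711 audio
PTIME_MS = 20                            # one audio frame per packet
TS_STEP = CLOCK_HZ * PTIME_MS // 1000    # 160 timestamp units per frame


@dataclass(frozen=True)
class RtpPacket:
    seq: int         # 16-bit RTP sequence number
    ts: int          # RTP timestamp, in clock units
    arrival_ms: int  # receiver wall-clock arrival time


def seq_before(a: int, b: int) -> bool:
    """True if 16-bit sequence number a precedes b (wrap-safe)."""
    return ((a - b) & 0xFFFF) > 0x8000


def interarrival_jitter(packets: List[RtpPacket]) -> float:
    """RFC 3550 section 6.4.1 running jitter estimate, in clock units.

    D(i,j) = (R_j - R_i) - (S_j - S_i) over consecutive arrivals;
    J = J + (|D| - J) / 16.  A reordered packet shows up as a large |D|,
    i.e. 'send spacing != receive spacing', the first effect in the post.
    """
    j = 0.0
    prev: Optional[RtpPacket] = None
    for p in packets:                    # packets must be in arrival order
        if prev is not None:
            r_delta = (p.arrival_ms - prev.arrival_ms) * CLOCK_HZ / 1000
            s_delta = p.ts - prev.ts
            j += (abs(r_delta - s_delta) - j) / 16
        prev = p
    return j


class JitterBuffer:
    """Minimal playout buffer: hold up to `depth` packets, release in seq order.

    A missing sequence number is released as None (for the codec to conceal)
    once the buffer is full; a packet arriving after its slot has already
    been played is counted as late and discarded.
    """

    def __init__(self, depth: int) -> None:
        self.depth = depth
        self.pending: Dict[int, RtpPacket] = {}
        self.next_seq: Optional[int] = None
        self.late = 0

    def push(self, p: RtpPacket) -> None:
        if self.next_seq is None:
            self.next_seq = p.seq            # first packet sets the cursor
        if seq_before(p.seq, self.next_seq):
            self.late += 1                   # its slot already played out
            return
        self.pending[p.seq] = p

    def pop_ready(self) -> List[Optional[RtpPacket]]:
        out: List[Optional[RtpPacket]] = []
        while self.pending and (self.next_seq in self.pending
                                or len(self.pending) > self.depth):
            out.append(self.pending.pop(self.next_seq, None))  # None = loss
            self.next_seq = (self.next_seq + 1) & 0xFFFF
        return out


def constructed_stream() -> List[RtpPacket]:
    """Packets in arrival order: seq 103 overtaken by 104, seq 105 far too late."""
    base_ts = 1000

    def pkt(i: int, arrival_ms: int) -> RtpPacket:
        return RtpPacket(100 + i, base_ts + i * TS_STEP, arrival_ms)

    return [pkt(0, 50), pkt(1, 71), pkt(2, 95), pkt(4, 128), pkt(3, 133),
            pkt(6, 172), pkt(7, 190), pkt(8, 211), pkt(9, 230), pkt(5, 260)]


def play_out(packets: List[RtpPacket], depth: int) -> Tuple[List[Optional[int]], int]:
    """Feed packets through a jitter buffer; return played seq list and late count."""
    buf = JitterBuffer(depth)
    played: List[Optional[int]] = []
    for p in packets:
        buf.push(p)
        played.extend(q.seq if q else None for q in buf.pop_ready())
    return played, buf.late


if __name__ == "__main__":
    stream = constructed_stream()
    print("jitter ~%.1f ms" % (interarrival_jitter(stream) / CLOCK_HZ * 1000))
    for depth in (0, 2):
        print("depth", depth, play_out(stream, depth))
```

Running it with depth 0 and depth 2 shows the trade-off the endpoint tunes: a deeper buffer adds playout delay but turns the reordered packet into good audio instead of a concealed frame plus a late drop. Nothing here gives the path QoS; it only makes the call tolerate the best-effort path.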



Spanning vlans between sites - failover implementation?

Inherited this weird DC setup which was meant to be temporary - presence in Equinix and Cyxtera in CH2 Chicago but with a need to pass a VLAN between the two. Was meant to be temporary but has become semi-permanent due to other issues in moving out of one of the floors.

ASR at each site is passing one VLAN through using x-connect over the public internet. It's taken us nearly a year to get a proper cross-connect up between the two sites and we are now passing the VLAN directly between switches in both sites instead.

My question is, is it possible to keep the x-connect as backup in case the cross-connect goes down (without causing some kind of loop)?

Do BPDUs get passed through an x-connect? Would spanning tree save our arse or would it do us over?



Weird ESXi Networking Issue

TL;DR

A VM on ESXi can't ping VMs in the same VLAN on another ESXi host, but can if vMotioned to a third host. Changing the virtual NIC's MAC address resulted in the same issue, but different source and destination problem hosts. Changing the virtual NIC a 3rd time and now it can't connect to VMs on any host on a different VLAN (but can reach other non-virtualized network devices and other VMs are able to connect as expected).

Long version:

I have 4 ESXi 6.5 hosts, each with 2 10Gb up-links, one each to 2 Cumulus core switches in MLAG. The core switches are the default gateways for the VLANs. Each VLAN is in its own VRF, and inter-VLAN traffic is routed up to the firewall. We have several VLANs/VRFs; the important ones are VLANs 1 and 4, which are trunked to all hosts.

Round 1:

I noticed our monitoring system (VM1, Solarwinds on Windows Server 2016) which was hosted on host 1 in VLAN 4 was unable to reach any VM on host 3 VLAN 4, but could reach any other VM in either VLAN 1 or 4 on hosts 1, 2, and 4, and any VM on host 3 in VLAN 1. Also, other VMs on host 1 VLAN 4 could reach anything, including VMs on host 3 VLAN 4. Watching in Wireshark on VM1, I could see it sending out ARP requests for the IP of VM2 (a VM in VLAN 4 on host 3) and I could see the ARP requests coming into the core switches (watching via a SPAN port). However, watching Wireshark on several of the target VMs I never saw any of VM1's ARP requests at all. If I vMotioned VM1 to any other host, everything worked perfectly as expected.

So... weird. After much experimenting and head scratching, I tried removing VM1's virtual NIC and adding a new one (new MAC address, identical IP config). Immediately everything worked as expected.

Round 2:

Weeks later, VM1 got moved to host 4 and immediately lost access to all VMs on host 2 VLAN 4, but again, access to all other hosts and VLANs worked as expected, no other VMs seemed to experience the issue, and everything worked perfectly if I moved VM1 off host 4. Same behaviour with the ARP requests: I could see them leave VM1, see them cross the switch, but never see them in any target VM. I again deleted its virtual NIC and re-added it, this time as the VMXNET 3 adapter type rather than E1000. Access to host 4 VLAN 4 started working again, as well as VLAN 4 on all other hosts.

Round 3:

Five minutes later, I get alerts for everything in VLAN 1. VM1 is not able to ping any VM on any host in VLAN 1, but can reach everything else (anything not virtualized) on VLAN 1. I can see the packets coming into the switches, up to the firewall, and back into the switches on the correct VLANs in Wireshark. However, watching in Wireshark on several of the VMs in VLAN 1, I don't ever see the echo request. But physical servers and other devices in VLAN 1 are no issue.

What the hell??? I guess the fact that things change when I change the virtual NIC made me think it was some kind of weird layer 2 connectivity issue with ESXi, possibly related to the MLAG load balancing config somehow? I've gone over and triple-checked both ends of the MLAG up-links, and don't really see anything that looks unexpected. The ESXi end has one virtual switch, with 2 uplinks; the load balancing mode is "route based on IP hash". The switch side has the up-link added to a bond with the CLAG ID matching on both switches and the bond mode set to balance-xor, layer3+4 mode.

Any thoughts?



VOIP Vlan between two sites.

Hello everyone,

I am trying to wrap my head around this. I would like to separate our VOIP from our PC network. We have an Aruba 2930F L3 switch and SonicWall firewalls with a site-to-site VPN.

We have two locations with a PBX in each location. Separating the VLANs locally is not an issue because the L3 would handle the intra-VLAN connections, but how would I get the Aruba switch to forward the traffic to the SonicWall so that it can pass along the traffic to the second location when someone wants to make a call to the branch office using the internal extension number?

The GUI doesn't seem to have any way to configure routing. Is this only possible through the CLI?



Chrome duplicate three-way handshake?

Does anyone know why, when you do a Wireshark capture of a Chrome web socket, it sends two three-way handshakes? Or am I the only one who noticed?



How to setup Cradlepoint CBA850 with LP6 modem for failover

I have a business that I own and do IT for. I need backup cell data in case our main internet goes out. I have an Arris modem from Spectrum (which I can't configure as they restrict access). I bought a Cradlepoint CBA850 with the LP6 modem. I plugged in an AT&T SIM card and was able to get data from lan1 working. I followed directions here for failover. It's not working because I don't have a router after the Cradlepoint to act as the NAT/DHCP host. How do I configure that in the Cradlepoint?

I know it's tricky because if data comes from the Arris modem then that acts as the DHCP server and hands out IP addresses, but if it switches to cellular data then everything will have a different IP and mess up the entire network. I'd like to keep the IP addresses and range the same for landline internet vs cell so the network doesn't get affected.



Cisco Polycom 7937 = WTF!! Need some help!

Okay so I have this weird shit going on with a Polycom 7937 conference room IP phone. I plugged this phone in at my desk and I was able to get it configured correctly. I also verified that I could make and receive calls on it. So I am like okay cool, let me deploy it to the conference room where it's going to sit.

A few days earlier I also verified that the port on the conference room table works: I plugged my laptop in and got an IP, and I also plugged in a regular Cisco phone and it was working.

So this morning I go to plug in the 7937 and it stays stuck on "Configuring VLAN", so I am like huh ... okay ... I unplug and plug it back in. Same thing .... so I plug my laptop in and I get an IP. I verify I can reach the server and devices on the network. So I plug the phone back in, nope, back to "Configuring VLAN".

So I unplug it and plug into the port on the wall for the TV and boom, it works! So now I am like WTF is wrong with that port. I jump on the shitty switches they have here (SMB SG220s, and SG350s, I know, lame) and I verify that the port on the table is configured EXACTLY the same as the one on the wall. I go to plug the phone in and I get stuck on "Configuring VLAN" again. So I am like OKAY, I know what I am going to do. Since it worked on the port on the wall I am just going to go move the patch cable to the working port.

I go move the cable to the port I know it worked on, I plug the phone in and BAM!! "Configuring VLAN" again. I did this a few times with different ports in the room. I could get it to work on any port except the table port, even if I move the patch cable.

What say you Network superheroes? Any ideas as to WTF is going on here?



Cisco’s development of Snort 3.0 stalled?

Does anyone have any updates about Snort 3.0? There is basically nothing but radio silence on their official webpage/blog about its development?



Cannot access Azure resource from a particular ISP -- works everywhere else

I am having a weird issue that I can't quite wrap my head around. I know it focuses on an Azure resource, but I feel the issue is network/ISP related more than an Azure related issue -- hence the post here.

I have deployed an instance of Azure Files SMB for a client. Let's call it companyfiles.file.core.windows.net.

Azure Files SMB 3.0 runs on port 445 for direct connections and this share has a public facing endpoint with RBAC controls.

Connections to this resource work just fine on all of our sites except one out near the Poconos in Pennsylvania. Connections time out; Test-NetConnection and Telnet fail to connect to the port only at that site. I opened all ports on the site's router -- I even bypassed the router and firewalls entirely and hooked my laptop to their Brocade switch/modem, assigned the WAN IP and still could not connect to :445 -- while still connected I VPN'd to another site, and it works just fine, so the resource is live.

We're using Adams Cable and they swear up & down that they don't block any ports for their customers, and I believe them. They ran an nmap scan from their data center to the IP of the Azure Files endpoint I am using and they found only port 80 and 443 open, not 445 which made no sense to me, but nmap scan to my WAN IP showed 445 open.

Azure has almost no settings for Azure Files networking on public endpoints, so there's no configuration; it's an all-or-nothing config, so nothing to mess up there. I bypassed the site's firewalls and router, so no issue there. Online port checkers against the Azure Files endpoint show the relevant ports/services are open. To me it has to be the ISP or something upstream from our ISP?

On the ISP with no VPN it fails a Test-NetConnection, but when I do a tracert from my laptop directly on their modem I get the below result:

  1    21 ms     1 ms    <1 ms  SITE.WAN.IP.ADDR
  2    24 ms    25 ms    27 ms  chi-8075.msn.net [208.115.136.27]
  3    25 ms    25 ms    25 ms  ae31-0.icr02.ch2.ntwk.msn.net [104.44.237.21]
  4    34 ms    32 ms    32 ms  be-122-0.ibr02.ch2.ntwk.msn.net [104.44.11.8]
  5    32 ms    32 ms    32 ms  be-4-0.ibr02.dsm05.ntwk.msn.net [104.44.19.253]
  6    32 ms    32 ms    33 ms  ae162-0.icr02.dsm05.ntwk.msn.net [104.44.22.188]
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 ...
 30     *        *        *     Request timed out.

What can I do to troubleshoot this further? Is the ISP blocking it? Is their upstream blocking it? I am far from a networking guru yet so I am stuck....



Any recommendations for an open-source multi-point VPN

Trying to find a non-vendor-specific VPN (supported on routers'/firewalls' OS) which is able to connect multiple sites. One such example is Cisco DMVPN, but as the name implies it's vendor specific. Any suggestion is greatly appreciated.



Zyxel USG 50 VLAN setup

Hey /r

Somehow I'm unable to get VLANs working in my lab setup, which we will implement for our customers once we get some more understanding of it. We have a USG 50.

In my setup I have created 1 VLAN, assigned it to the LAN port and hooked up a client to the LAN port.
I set up DHCP on my VLAN but the notebook is refusing to get an IP address.
There is no switch between the USG 50 and the client.

I also do not understand how the notebook should know it is assigned VLAN 10?
I am used to Cisco devices, where a specific VLAN was assigned to a specific port. Yet this should be able to work with tagging? We want to configure this port to have (for example) VLAN10, VLAN20, VLAN30, etc., and servers will get VLAN20, clients VLAN30, AP devices VLAN10, etc.

This is my current setup:

hardware-watchdog-timer 10
!
software-watchdog-timer 300
!
interface-name ge1 wan1
interface-name ge2 wan2
interface-name ge3 lan1
interface-name ge4 lan2
interface-name ge5 dmz
!
port-grouping lan1
 port 3
 port 4
 port 5
!
port-grouping lan2
!
port-grouping dmz
 port 6
!
account pppoe WAN1_PPPoE_ACCOUNT
!
account pppoe WAN2_PPPoE_ACCOUNT
!
ip dhcp pool LAN1_POOL
 network 192.168.1.0/24
 default-router 192.168.1.1
 first-dns-server ZyWALL
 starting-address 192.168.1.33 pool-size 200
 lease 2
!
ip dhcp pool LAN2_POOL
 network 192.168.2.0/24
 default-router 192.168.2.1
 first-dns-server ZyWALL
 starting-address 192.168.2.33 pool-size 200
 lease 2
!
ip dhcp pool DMZ_POOL
 network 192.168.3.0/24
 default-router 192.168.3.1
 starting-address 192.168.3.33 pool-size 200
 first-dns-server ZyWALL
 lease 2
!
ip dhcp pool Network_Pool_VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 starting-address 192.168.10.3 pool-size 30
 first-dns-server 192.168.1.1
 second-dns-server 8.8.8.8
 lease 2 0 0
!
interface wan1
 ip address dhcp
 type external
!
interface wan2
 ip address dhcp
 type external
!
interface lan1
 ip address 192.168.1.1 255.255.255.0
 ip dhcp-pool LAN1_POOL
 type internal
!
interface lan2
 ip address 192.168.2.1 255.255.255.0
 ip dhcp-pool LAN2_POOL
 type internal
!
interface dmz
 ip address 192.168.3.1 255.255.255.0
 ip dhcp-pool DMZ_POOL
 type internal
!
interface vlan10
 port lan1
 vlan-id 10
 ip address 192.168.10.1 255.255.255.0
 upstream 1048576
 downstream 1048576
 mtu 1500
 type internal
 ip rip send version 2
 ip rip receive version 2
 ip ospf priority 1
 ip ospf cost 10
 ip dhcp-pool Network_Pool_VLAN10
!
interface wan1_ppp
 account WAN1_PPPoE_ACCOUNT
!
interface wan2_ppp
 account WAN2_PPPoE_ACCOUNT
!
address-object LAN1_SUBNET interface-subnet lan1
address-object LAN2_SUBNET interface-subnet lan2
address-object DMZ_SUBNET interface-subnet dmz
address-object IP6to4-Relay 192.88.99.1
!
eps warning-message windows-auto-update enable
!
eps warning-message windows-security-patch enable
!
eps warning-message personal-firewall enable
!
eps warning-message anti-virus enable
!
isakmp policy Default_L2TP_VPN_GW
 mode main
 transform-set 3des-sha 3des-md5 des-sha
 lifetime 86400
 local-ip interface wan1
 peer-ip 0.0.0.0 0.0.0.0
 authentication pre-share
 local-id type ip 0.0.0.0
 peer-id type any
 xauth type server default deactivate
 group2
 deactivate
!
crypto map Default_L2TP_VPN_Connection
 ipsec-isakmp Default_L2TP_VPN_GW
 encapsulation transport
 transform-set esp-3des-sha esp-3des-md5 esp-des-sha
 set security-association lifetime seconds 86400
 set pfs none
 scenario remote-access-server
 adjust-mss auto
 deactivate
 remote-policy any
!
vpn-configuration-provision authentication default
!
router rip
!
router ospf
!
zone LAN1
 interface lan1
!
zone LAN2
 interface lan2
!
zone WAN
 interface wan1
 interface wan1_ppp
 interface wan2
 interface wan2_ppp
 block
!
zone DMZ
 interface dmz
 block
!
zone SSL_VPN
!
zone IPSec_VPN
 crypto Default_L2TP_VPN_Connection
!
zone TUNNEL
!
ip http server
!
ip http secure-server cert default
ip http secure-server
ip http secure-server force-redirect
ip http secure-server cipher-suite aes 3des des rc4
!
hostname zywall-usg-50
!
ip ssh server cert default
ip ssh server
!
console baud 115200
!
ip ftp server cert default
ip ftp server
!
ntp
!
snmp-server
!
ip load-balancing link-sticking activate
!
no firewall activate
!
!
session-limit activate
session-limit limit 1000
!
session-limit6 activate
session-limit6 limit 1000
!
idp signature update auto
!
idp signature update weekly sun 0
!
idp signature LAN_IDP base lan
!
idp signature DMZ_IDP base dmz
!
idp anomaly ADP_PROFILE base all
 flood-detection tcp-flood block
 flood-detection udp-flood block
 flood-detection icmp-flood block
 flood-detection ip-flood block
 flood-detection icmp-flood threshold 1000
 flood-detection ip-flood threshold 1000
 flood-detection tcp-flood threshold 1000
 flood-detection udp-flood threshold 1000
 scan-detection sensitivity medium
 scan-detection block-period 5
 flood-detection block-period 5
!
idp signature rule 1
 from-zone any
 to-zone LAN1
 bind LAN_IDP
 activate
!
idp signature rule 2
 from-zone any
 to-zone LAN2
 bind LAN_IDP
 activate
!
idp signature rule 3
 from-zone any
 to-zone DMZ
 bind DMZ_IDP
 activate
!
idp anomaly rule 1
 from-zone any
 to-zone LAN1
 bind ADP_PROFILE
 activate
!
idp anomaly rule 2
 from-zone any
 to-zone LAN2
 bind ADP_PROFILE
 activate
!
idp anomaly rule 3
 from-zone any
 to-zone DMZ
 bind ADP_PROFILE
 activate
!
idp anomaly rule 4
 from-zone any
 to-zone ZyWALL
 bind ADP_PROFILE
 activate
!
anti-virus rule 1
 activate
 no from-zone
 no to-zone
 scan http
 scan smtp
 scan pop3
 scan ftp
 scan imap4
 infected-action destroy
 infected-action send-win-msg
 no bypass white-list
 no bypass black-list
 file-decompression
 no file-decompression unsupported destroy
 log
!
anti-virus update auto
!
anti-virus update daily 0
!
no bwm activate
!
policy controll-ipsec-dynamic-rules activate
!
app SMTP defaultport 25
!
app POP3 defaultport 110
!
app SIP defaultport 5060
!
app HTTP defaultport 80
app HTTP defaultport 8080
app HTTP defaultport 3128
!
alg sip defaultport 5060
!
users retry-limit
users retry-count 5
users lockout-period 30
!
users update-lease automation
!
app-watch-dog activate
!
htm phase 1 add all
!
force-auth exceptional-service DNS
!
force-auth default-rule authentication unnecessary no log
!
no usb-storage activate
no diag-info copy usb-storage
!
no logging usb-storage
!
logging system-log suppression
logging system-log category forward-web-sites disable
!
logging mail 1 category all level all
!
logging mail 2 category all level all
!
vrpt send interface statistics interval 15
vrpt send system status interval 15
vrpt send device information interval 3600


Catalyst 3650 and flash core directory

Hi guys!

I need to upgrade a 3650 and I'm short on memory. Looking for where the shit is, I found that I have a lot of this:

hostname#dir
Directory of flash:/core/
85361 drwx 4096 Dec 20 2017 19:50:25 -03:00 modules
38814 -rw- 1 Dec 27 2019 11:32:57 -03:00 .callhome
38818 -rw- 5139267 May 20 2019 12:32:20 -03:00 hostname_1_RP_0_nginx_11572_20190520-123208-CHI.core.gz
38819 -rw- 4673333 May 20 2019 12:32:31 -03:00 hostname_1_RP_0_nginx_29257_20190520-123220-CHI.core.gz
38820 -rw- 4672672 May 20 2019 12:32:42 -03:00 hostname_1_RP_0_nginx_29549_20190520-123231-CHI.core.gz
38821 -rw- 4673332 May 20 2019 12:32:53 -03:00 hostname_1_RP_0_nginx_29746_20190520-123242-CHI.core.gz

There are a lot of these files (around 800 MB of them) and I can't find info about what they are and whether I can delete them.

Inside each of those .gz files there is one binary file with extension .core

Does any of you have any idea about this?



Write-up on how to start with Nebula

Nebula is a new overlay-style networking tool publicly released by SlackHQ a few weeks ago. It allows the secure connection of devices across the internet and within internal networks. When I first looked at Nebula I couldn't find any detailed information on how it really functions or even how to set up an environment for it. So I decided to make some documentation myself. I have 2 posts so far and I have a third one waiting to be edited.

https://www.spikefishsolutions.com/post/getting-started-with-nebula

This is my first write-up and any advice is very appreciated!



NSX DC to Viptela Integration

Hi All

I have a scenario where the end customer already has NSX at his DC; currently he is evaluating Viptela and is concerned about the end-to-end story.

Is it possible to integrate SD-WAN from Cisco with NSX from VMware (DC)?

Thanks



vCenter to NetBox Sync Tool

Happy holidays, Everyone!

Recently on the NetBox discussion group there was a conversation around methods of syncing data from vCenter to NetBox. I've been a huge fan of NetBox and wanted the opportunity to give back to the community and this looked like a good chance.

After lots of successful internal tests, I'm now comfortable moving it forward. I'd like to open it up to beta testing before making a 1.0.0 release. If you have a dev instance of NetBox and are interested in collecting data from vCenter I would love your feedback. I've also added a cleanup function so you can wipe all the synced data when finished testing.

GitHub - vCenter NetBox Sync

Thanks so much! A very happy new year to all!



Zyxel Vlan "Base Ports"

Hey r/

I'm busy testing VLAN setups on Zyxel firewalls since my company has no experience with VLANs.

I noticed that there is a "Base Port" setting. What does this mean?

I've set the "zone" to LAN1, so I assume that traffic for VLAN10 (in this case) is going to LAN1.
The "Base Port" is by default set to WAN1. Is this meant to indicate the interface to the internet?



Serial Connection to the DNA Center Appliance

Hello everybody

We got a DNA Center Appliance from Cisco for the next 3 months to test it.

But it is already a pain in the ass, as I put it into the rack, patched all cables as written in the manual.

Patched also the CIMC + serial.

First off I had to realise - CIMC is NOT on DHCP by default - so fuck that, I have to go over the serial to configure the CIMC.

Fuck that also, as I cannot connect to it and there is no info on the internet about the settings to connect to it.

I found out it has to be 115200 baud rate, but nothing else.

It does not work when connected to our console server, nor when I connect to it with my Cisco cable.

Does anyone here have any idea how the hell I can get the serial connection to work?

As I really don't have time to get a screen and a keyboard, go to the datacenter and set all this shit up.



Thursday, December 26, 2019

HP Aruba SSH "CLIENT" Configuration

Hi All,

We have a few HP Aruba switches (5400R ZL2 to be exact). I'm working up some systems to take automatic backups over SFTP (I'm a Linux admin by heart).

I'm working on adding a scheduled job to automatically back up the configurations. So far I have only been able to do this manually, as I have to enter a password each time to upload over SFTP.

I'm unable to find any information on generating a private/public key FOR THE SWITCH itself so that it can SFTP without a password; the only results I get on Bing/Google are about adding SSH keys so that operators/managers can SSH to the switch itself without a password.

Can anyone point me in the right direction? Having some issues tracking down exactly what I need (assuming it's possible?) from HP or search engines.



Pfsense, Unifi, and this Dell N2048 switch. This switch is frustrating me.

My setup:

Pfsense box - Pretty sure I have this set up correctly. Three VLANs: full access, guest access, and IoT access.

Dell N2048 switch - This is what I am struggling with. Setting up the APs so all three VLANs are available on them.

Unifi AP - These are pretty straightforward.

My question:

I am trying to get the APs set up to broadcast all three VLANs so I can manage what the clients have access to. The current config I am running on the switch is attached.

!Current Configuration:
!Software Capability "Stack Limit = 12, VLAN Limit = 4093"
!Image File "N2000Stdv6.5.1.6"
!System Description "Dell EMC Networking N2048P, 6.5.1.6, Linux 3.6.5-e3cd5a07"
!System Software Version 6.5.1.6
!
configure
vlan 10,20,30,40
exit
vlan 10
name "Full_Tubes"
exit
vlan 20
name "Guest_Tubes"
exit
vlan 30
name "IoT_Tubes"
exit
vlan 40
name "External"
exit
stack
member 1 4   ! N2048P
exit
ip routing
interface vlan 1
ip address 192.168.50.2 255.255.255.0
exit
interface vlan 10
ip address 192.168.10.2 255.255.255.0
ip helper-address 192.168.50.1 dhcp
exit
interface vlan 20
ip address 192.168.20.2 255.255.255.0
ip helper-address 192.168.50.1 dhcp
exit
interface vlan 30
ip address 192.168.30.2 255.255.255.0
ip helper-address 192.168.50.1 dhcp
exit
ip default-gateway 192.168.50.1
username "xyz" password xyz privilege 15 encrypted
ip ssh server
application install SupportAssist auto-restart start-on-boot
!
interface Gi1/0/1
description "WAN port, dont fuck with it"
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20,30
exit
!
interface Gi1/0/2
description "MacMini"
switchport access vlan 10
exit
!
interface Gi1/0/48
description "AP Mac - 80:xyz"
switchport mode trunk
switchport access vlan 10
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20,30
exit
snmp-server engineid local
support-assist server "default"
proxy-ip-address "192.168.50.2" port "443"
username "xyz" password "xyz" xyz
exit
exit
no hiveagent
exit

In this current config the AP is not seen by the Unifi controller. I am also pretty sure I don't have interface Gi1/0/1 set up correctly.

Any help on this would be great.
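A small config audit script can catch the kind of trunk-port mismatch the post above is asking about: the config as posted gives Gi1/0/1 trunk settings (native and allowed VLANs) without `switchport mode trunk`, while Gi1/0/48 carries both trunk mode and an access VLAN. The script below is an added example, not Dell's tooling or the poster's code; SAMPLE_CONFIG is a trimmed, constructed copy of the interface section above, and the checks (trunk options without trunk mode, trunk mode mixed with an access VLAN, native VLAN missing from the allowed list) are mine.

```python
"""Audit a Dell OS6-style (N-series) config for trunk-port mistakes.

Added example. SAMPLE_CONFIG is a trimmed, constructed copy of the interface
section in the post above; it is not the poster's full running config.
"""
import re

SAMPLE_CONFIG = """\
interface Gi1/0/1
description "WAN port"
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20,30
exit
!
interface Gi1/0/2
description "MacMini"
switchport access vlan 10
exit
!
interface Gi1/0/48
description "AP"
switchport mode trunk
switchport access vlan 10
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20,30
exit
"""


def parse_interfaces(config_text):
    """Map each 'interface <name> ... exit' block to its config lines."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "exit":
            current = None
        elif current is not None and line and not line.startswith("!"):
            blocks[current].append(line)
    return blocks


def expand_vlan_list(spec):
    """Expand '10,20,30' or '10-12,20' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_trunks(config_text):
    """Return (interface, finding) pairs for the three trunk checks."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        mode_trunk = "switchport mode trunk" in lines
        trunk_opts = [ln for ln in lines if ln.startswith("switchport trunk ")]
        access_vlan = [ln for ln in lines if ln.startswith("switchport access vlan ")]
        if trunk_opts and not mode_trunk:
            findings.append((name, "trunk settings configured but port is not in trunk mode"))
        if mode_trunk and access_vlan:
            findings.append((name, "trunk mode and an access VLAN are both set; check which is intended"))
        native = allowed = None
        for opt in trunk_opts:
            m = re.match(r"switchport trunk native vlan (\d+)$", opt)
            if m:
                native = int(m.group(1))
            m = re.match(r"switchport trunk allowed vlan (?:add )?([\d,-]+)$", opt)
            if m:
                allowed = expand_vlan_list(m.group(1))
        if native is not None and allowed is not None and native not in allowed:
            findings.append((name, "native VLAN %d is not in the allowed list" % native))
    return findings


if __name__ == "__main__":
    for iface, msg in audit_trunks(SAMPLE_CONFIG):
        print("%-10s %s" % (iface, msg))
```

Run it against a full `show running-config` dump saved to a file to list every interface whose trunk settings will not take effect; the parser only needs the `interface ... exit` block structure, so it is unaffected by the rest of the config.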



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



XPOST from r/Juniper, MPLS traceroute behavior

/r/Juniper/comments/eg2088/mpls_traceroute_problems_nopropagatettl/

8 port fiber switch (10gb)

I'm looking for an 8 port fiber switch (minimum) with 10Gb on the fiber ports. Fewer than 16 ports are needed, but the more fiber ports, the more $$$$$, which is why I'm looking for a minimum of 8; more than 16 ports aren't needed.

I'd like to stick with Cisco, Dell or HP. I'm also looking for a budget switch. I'd be ok with the Cisco small business line even if people advise against it. I was told to not look at enterprise versions of switches to save on costs.

With that being said, please don't recommend the 16 port ubiquiti xg fiber switch, they are having firmware issues and they have not been resolved.

I found this, but it is being phased out.

https://www.cisco.com/c/en/us/support/switches/sg500xg-8f8t-16-port-10-gigabit-stackable-managed-switch/model.html

Thanks



ELI5: Layer 3 switch, but Router Firewall over TCP Ports on Layer 4?

I get Layer 2 mac routing, and I get Layer 3 IP routing in switches. I also understand Layer 4 TCP port routing, usually reserved for router devices instead of layer 4 switches (but could be in the L4 switches too).

What I'm having trouble with designing a school's network is: what kind of router do I need to firewall/filter Layer 4 traffic, if I have 10 Gbps links to multiple servers across 4 VLANs?

E.g. If the Layer 3 switches are offloading the 10 Gbps VLANs and IP subnets routing within its hardware at wire speed, but I want to restrict certain ports on certain IP devices, does this mean I need to route those VLANs on the "trunk" all to the single router to allow/deny the ports across the VLANs?

Wouldn't that mean the router is now my bottleneck across those VLANs for the TCP port restrictions? Say I had only a single 1 Gbps link between the router and the switch(es)/VLANs: that would mean all cross-VLAN traffic that i want to limit TCP ports for must go through the router's interface.

I have 2 Brocade L3 switches I am starting to run drops for and program - but haven't decided on a router yet. Was thinking of a MikroTik RouterBoard.

So... Is this why we want multiple inputs into a single router? So with 4 VLANs, I'd want 4 links into my router, so each VLAN gets its own dedicated uplink/trunk for bandwidth.

With that said, am I correct in assuming that to keep 10 Gbps bandwidth between VLANs, I'd need a router with multiple 10 Gbps ports?

Was actually thinking of the MikroTik RB4011 series with a single 10 Gbps port for the single trunk uplink from the switches. That would be better than 4x1 Gbps links (and easier to program).

Thanks for your time!



Avaya Switching Expert Needed - T&M + Travel Expenses

Hello Networking

I am looking for an Avaya switching expert who would be available for a contract project for one of our enterprise customers. Our Sr. Engineering staff does not have Avaya experience and we have a customer in need of troubleshooting and configuration.

We are a systems integrator in the PNW region of the US. Customer is located in greater Seattle region and their legacy Avaya switching infrastructure is configured incorrectly. The on-site staff have no resources with the skill-sets to troubleshoot or configure.

Requirements:

  • Avaya experience with VSP 4850 GTS-PWR+ Series Switches
  • Would contract under our company name
  • Time line is tight - looking to execute within 1 to 2 weeks
  • Time and Materials pay + Travel + Expenses
  • Estimation of 1-3 days on-site with potential for long-term project work or full time employment if talent set and personality aligns with our company
  • Willing to travel on-site to complete the work. No remote access.
  • Must be USA Citizen
  • Willing to submit to WA State and internal background check - this is a requirement due to the sensitivity of the location and function. Security details will also remain with you for the duration of the work.

Please PM me if you are interested. Can discuss any qualifying details over phone.

Thank you



Help! Weird issue with 802.1x and MacOS Mojave Macbook Pro

Good Morning everyone,

I hope you all had a good Christmas! So I am hoping someone here can shed some light on a very weird particular issue I am having at work this morning.

So we are in the midst of deploying 802.1x for wireless authentication and we are just about there! We are currently testing various devices to make sure they are working. And I have one particular MacBook Pro that is having an issue.

We can get all the devices to authenticate correctly. All the wireless Androids and all the wireless PC laptops are working. So far I have tested my iPhone and 2 Mac minis that have both authenticated and gotten an IP with no issues.

But I have this MacBook Pro on Mojave that authenticates but will not get an IP. If I manually assign the IP it works. But if I leave the DHCP option on it won't get an IP. The one thing different that I noticed between the MacBook Pro and the Mac mini is that the Mac mini says "Authenticated via PEAP (MSCHAPv2)" and the MacBook Pro says "Authenticated via EAP-PEAP (MSCHAPv2)".

Now on the NPS server the only EAP type we have selected is "Microsoft: Protected EAP (PEAP)" and none of the other less secure authentication methods are checked off. And I can't figure out how to get the MacBook Pro to switch to PEAP authentication ... unless it's the same thing? Anyway, any light you can shine on this would be great.



Missing Default Gateway

As the title suggests, on our network the default gateway on numerous workstations regularly ends up getting "removed" in their network adapter settings and causes workstations to not be able to connect to the network. No one except for I.T. has the ability to even view those settings so no other staff is removing them.

One situation that causes this: if the workstation is rebooted, 98% of the time it will lose the network settings. I have tried to rebuild workstations that have this problem and in some cases only reinstalled the network adapter to see if that fixed the problem. This never permanently fixes the issue. Also, given that probably at least 75% of the workstations on the network have this problem, I do not think the issue is with the workstations themselves.

I can only guess that it is the DNS server or the umbrella service it uses. I say guess, because I don't have access to the group policy or DNS server settings because the I.T. director and the 3rd party network group only have access to those. I am trying to figure out the resolution for this since it has been going on for years and neither of those people are doing anything about it. I have an open ticket I created on this issue with that network group from a year ago already as it is. Thanks in advance.



OM3 Fiber Patch Cord

Hi Folks,

Can we terminate OM4 cable on an OM3 patch panel and use OM3 patch cords? Will I get 25/40G speeds?



Should I attempt the CCNA even though I don’t have much networking knowledge?

I heard it’s better to get this one over and done with since the new one would be much harder; however, I don’t really have much networking experience and would have to study from scratch. Is it fairly difficult to pass by studying alone? Or shall I join one of those courses that assist with obtaining the qualification?

Thanks



New job, need some basic network knowledge.

Hi,

I just got a new job and I'd like to get some basic networking knowledge. I don't need to be a pro, but I'd really like to understand the basics of everything, routers, switches, DHCP, subnet masks, all of that is really vague for me.

I was looking at the basic Cisco networking course on Coursera https://www.coursera.org/specializations/networking-basics

Would anyone recommend it, or recommend other resources?

Thanks



What would you say is the most "fun to work with" networking area?

I just finished my CCNA and I've been thinking about studying something new. I had fun working as an ISP NOC operator in the past, but it felt somewhat repetitive and I ended up burning out.

Cyber security and network automation seemed really interesting to me, but I think those areas would be even more repetitive in my daily work.

I do realize that most of the time the job as a networking engineer isn't really thrilling and fast-paced; but I'm really curious about opinions from people who work in other areas. Thanks in advance!



HP Switches - ProCurve

Hi All,

We currently have 8212zl, 5412zl, 5406zl (ProCurve) switches which have a lifetime warranty (7 years).

These are quite robust switches; do we need to look at replacing these since Aruba has taken over?

What are best replacements for these ?



How the socket works

How does a socket work? Any suggestions: great people, blogs or open source projects?



Routing to vpn only for one vlan

I was wondering if it's possible to set up a network so that only members of a particular VLAN are routed through a VPN connected to my other site, and all the rest of the VLANs are routed out to the Internet? Is it doable with only two Cisco routers or do you need a firewall and do policy-based routing? I want to accomplish it without firewalls if possible. I have some ISR 1111s to tinker with, and GNS3 of course..

What I want to accomplish is to have site 2 set up with one VLAN that goes to the Internet, and one VLAN that connects directly to my main site for accessing servers and whatnot. It's not a real scenario so I will just lab it up and test, so I'm open to several solutions :)

I've been searching for a couple of hours without finding any good material.. Does this kind of routing have a particular name? If anyone could point me to some Cisco technotes or any sort of reading material I'll be happy to figure out the rest.

Cheers!



CCDP

Hi, I passed the CCNP R&S almost 2 years back now and it will expire in Feb 2021. I was thinking that instead of retaking one of the 3 exams I passed for it, I'll do the ARCH exam before Cisco changes the entire exam structure in late February of next year.
I'm wondering if anyone else has any previous experience taking this particular exam and what they thought of it? I have a ton of material I have written and saved from studying for my CCNP and I was wondering, if I reread those, will that come in handy for this one, or how different is it from the other exams? And if it is, could anyone point me in the right direction to a site that has the best material for the exam....

Thanks everyone in advance



Anyone have resources for power planning?

Have recently picked up some responsibility for planning remote node installs, and need to survey current facilities and identify upgrade requirements for HVAC, power etc. in addition to telecom upgrades.

Anyone have any good resources, books, etc to get spun up on basically how electrical infrastructure works?



Anybody using Cloud APIC and MSO?

Anybody using Cloud APIC in Azure?

Looking to implement APIC MSO across 3 ACI fabrics and into Azure. Is anyone using these products and do you feel they assist in simplifying day to day networking operations?



Wednesday, December 25, 2019

Cisco FMC IPS

Hi Reddit community,

I am trying to understand the logic for a part in the Intrusion Event Record Field.

Blocked - Value indicating whether the event was blocked.

  • 0 — not blocked
  • 1 — blocked
  • 2 — would be blocked (but not permitted by configuration)

As for 0 and 1, it is understandable. But what about 2?

Does that mean the traffic is not blocked and is somewhat permitted in the network?

Thanks!
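The three Blocked values above become useful once you aggregate events by them: a sensor that keeps reporting value 2 and never value 1 is one where drop verdicts were raised but never carried out, so that traffic did reach its destination. The script below is an added example (not Cisco code and not tied to any FMC export format); the event records in SAMPLE_EVENTS are constructed, with RFC 5737 addresses and made-up rule and sensor names, and the CSV layout is an assumption made for the example.

```python
"""Summarise intrusion events by the 'Blocked' field value.

Added example, not Cisco code. SAMPLE_EVENTS is constructed (RFC 5737
addresses, made-up sensor and rule names) and uses only the three Blocked
values listed in the post: 0 = not blocked, 1 = blocked, 2 = would be blocked.
"""
import csv
import io
from collections import Counter, defaultdict

BLOCKED_LABELS = {0: "not blocked", 1: "blocked", 2: "would be blocked"}

SAMPLE_EVENTS = """\
timestamp,sensor,rule,src_ip,dst_ip,blocked
2019-12-25T10:00:01Z,sensor-a,RULE-A,203.0.113.5,192.0.2.10,1
2019-12-25T10:00:07Z,sensor-a,RULE-A,203.0.113.6,192.0.2.10,1
2019-12-25T10:01:15Z,sensor-a,RULE-B,203.0.113.9,192.0.2.22,0
2019-12-25T10:02:40Z,sensor-b,RULE-C,198.51.100.4,192.0.2.30,2
2019-12-25T10:02:41Z,sensor-b,RULE-C,198.51.100.4,192.0.2.31,2
2019-12-25T10:03:02Z,sensor-b,RULE-A,198.51.100.8,192.0.2.10,2
"""


def parse_events(text):
    """Parse CSV event records; the blocked column must be 0, 1 or 2."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        code = int(row["blocked"])
        if code not in BLOCKED_LABELS:
            raise ValueError("unexpected Blocked value %r" % row["blocked"])
        row["blocked"] = code
        events.append(row)
    return events


def summarize_by_rule(events):
    """Return {rule: Counter({label: count})} using the Blocked labels."""
    summary = defaultdict(Counter)
    for ev in events:
        summary[ev["rule"]][BLOCKED_LABELS[ev["blocked"]]] += 1
    return dict(summary)


def sensors_not_enforcing(events):
    """Sensors that reported 'would be blocked' but never an actual block.

    Grouping by sensor rather than by rule points at the deployment (the
    sensor's interface set or policy) as the reason drops were not applied.
    """
    seen = defaultdict(set)
    for ev in events:
        seen[ev["sensor"]].add(ev["blocked"])
    return sorted(s for s, codes in seen.items() if 2 in codes and 1 not in codes)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for rule, counts in sorted(summarize_by_rule(evs).items()):
        print(rule, dict(counts))
    print("sensors never enforcing a drop:", sensors_not_enforcing(evs))
```

The per-rule summary is what you review to see which rules are doing work; the per-sensor list is the operational alarm, since a "would be blocked" count with no "blocked" alongside it means the sensor's drop decisions are being logged rather than applied.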



Please help save my vacation sanity: new Meraki equipment added to network, and my MacBook Pro seems to break local DNS resolution for everyone when connected to it. What am I missing?!

We have multiple office suites in the same building, each connected with either ethernet or fiber uplinks. It's a flat network, totally vanilla, nothing special going on. Here's what we have:

  • FortiGate 100E (DNS & DHCP)
  • 4 Cisco 2960L switches in 3 office suites, with UniFi APs
  • In a new office suite we just opened, we have a Meraki MS225-48LP switch and MR45 access point. The switch is all default settings, and the AP is set to bridge mode with a single SSID.

Everything's been working fine in general until this new office was added. Yesterday we got the Meraki gear installed and the fiber uplink connected, and I put my MacBook Pro (10.15.2) on Wi-Fi to test it out. Within a few minutes I got reports that people couldn't print or access other devices on the local network. Internet access was unaffected. I could get to the printers/devices by IP, but not hostname.

I checked some basic stuff and couldn't find an obvious problem. Since it only started after we connected the new office, I pulled the fiber uplink out, and everything was immediately fixed.

To test again, I reconnected the uplink and left my Mac offline, but connected my iPhone. No issues at all. Connected my Mac, and within a few minutes the problems resurfaced.

I disconnected the fiber again and took my Mac over to another suite where we have UniFi APs and Cisco switches, and no issues there. Took it back to the Meraki network and reconnected the uplink, same problem.

So I've narrowed it down to specifically my Mac (or any Mac, presumably) on the Meraki network, but for the life of me I can't figure out what the issue is. I called Meraki support and they couldn't pin it down either, and because it was so late on Christmas Eve we had to leave the ticket open and pick it back up after the holidays. But here I am on vacation and I can't stop thinking about this stupid problem.

Please help save my vacation.... what am I missing here?!



how is the TCP congestion control mechanism (TCP Reno, Vegas, etc) chosen? At the client/host level?

https://web.archive.org/web/20160103040648/http://www.isoc.org/inet2000/cdproceedings/2d/2d_2.htm

Hello, just a CCNA here, so please pardon my ignorance :)

Question: how is TCP congestion control chosen? According to the above page, it appears to be determined by the sender.

If that's true, how is it determined by the sender? Does it vary by application? Does my Chrome browser always use a certain kind of TCP congestion control?

Is it possible for middle devices to modify the TCP congestion control method?
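On Linux the sender-side choice the post asks about is visible from user space: the kernel applies a system-wide default to every new TCP socket, and an application may override it per socket with the TCP_CONGESTION socket option (a real Linux option, exposed in Python as socket.TCP_CONGESTION). The example below is an added one, not from the post or from any linked page; it opens an unconnected socket, reads the default, and tries to switch that one socket to `reno`. It returns a result dictionary rather than failing on platforms without the option, since the option is Linux-specific.

```python
"""Show that TCP congestion control is a per-socket, sender-side choice.

Added example. Uses the Linux TCP_CONGESTION socket option; on other
platforms (or in a sandbox without sockets) probe_sender_cc() reports
supported=False instead of raising.
"""
import socket

SYSCTL_DEFAULT = "/proc/sys/net/ipv4/tcp_congestion_control"
SYSCTL_AVAILABLE = "/proc/sys/net/ipv4/tcp_available_congestion_control"


def read_sysctl(path):
    """Return the sysctl file's contents as a string, or None if absent."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


def current_congestion_control(sock):
    """Name of the algorithm this socket will use when it starts sending."""
    raw = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_CONGESTION, 16)
    return raw.split(b"\0", 1)[0].decode()


def set_congestion_control(sock, name):
    """Ask the kernel to use `name` for this socket only; False if refused.

    The kernel refuses names that are not loaded, and unprivileged processes
    may only pick algorithms listed in tcp_allowed_congestion_control.
    """
    try:
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_CONGESTION, name.encode())
        return True
    except OSError:
        return False


def probe_sender_cc(preferred="reno"):
    """Report the system default and whether this process can switch a
    fresh socket to `preferred`. No connection is made; the option is set
    on the socket before any packet leaves the host."""
    result = {"supported": hasattr(socket, "TCP_CONGESTION")}
    if not result["supported"]:
        return result
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    except OSError:
        result["supported"] = False
        return result
    with sock:
        result["system_default"] = read_sysctl(SYSCTL_DEFAULT)
        result["available"] = (read_sysctl(SYSCTL_AVAILABLE) or "").split()
        result["socket_default"] = current_congestion_control(sock)
        result["switched"] = set_congestion_control(sock, preferred)
        result["after"] = current_congestion_control(sock)
    return result


if __name__ == "__main__":
    for key, value in probe_sender_cc().items():
        print("%-15s %s" % (key, value))
```

Two things follow from what the script shows. The algorithm is chosen on the sending host, per socket, by the application or by the OS default, so a browser simply inherits whatever the OS default is unless it asks for something else. Devices in the path never see the algorithm name; they can only influence the sender's behaviour through the signals every algorithm reacts to, such as loss, delay and ECN marks, which is why "middle devices" cannot switch a sender from one algorithm to another.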



Looking for a kvm or alternative for a 19” home rack that has 14 inches of depth

I need some help figuring this out. I have found ultra short depth KVMs that are 16” but not used and very expensive (and still too deep).

What do people do with residential racks?

I know I can remote into the server but I much prefer the ability to make changes while at the rack.

I’ve been researching for a while and can’t find a reasonably priced solution.



Gigabit question

I was wondering if you could help me understand what network speeds I should be expecting. I just bought a newer modem/router and upgraded my ethernet cables to Cat 6 and I have been experimenting with speeds across my network.

I am getting the full download and upload speeds from my ISP, which is limited to what I am paying for.

Across my network I am looking at 80 MB/s (640 Mbps) download speeds and about 50 MB/s upload speeds for some reason. Should that be the maximum I should expect to get out of gigabit speeds when you take into account the reality of imperfections, or should I be looking for where I am losing performance?

Thanks



Best setup for small apartment building?

Three floors with ~10 rooms each. Current solution is a single high end Netgear router. Tenants at one end of the building don't get a signal.

Third floor signal near single router is fine.

Was thinking six routers, two on each end of each floor, with scheduled restart times twice a day.

I can't think of a good way to connect six routers to one modem, and I don't want to use extenders.



Tuesday, December 24, 2019

Is my internet down?

/r/sysadmin/comments/ef9vrq/is_my_internet_down/

Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Does a bottle with electrical tape actually work to extend your router's WiFi strength?

With salt on the tape. So pretty much the title; I saw it the other day and was curious if it actually worked.



Confusion over the "ip default-network" command. Doesn't seem to work, or it's not working in the way I thought it does?

I'm labbing a bunch of stuff in GNS3, and I always thought the ip default-network command was the recommended method of setting a route of last resort/default route. But that doesn't seem to have any effect in the software I'm working with? I've entered the command to the default route I'd like to use, but it's still saying that the gateway of last resort isn't set.

Here's the running config, as well as the show ip route.

My goal is to set the route out of Fa0/0 as the default route (I've got a router set up as a fake internet cloud, I can ping the .1 address on that subnet fine)

What am I doing wrong?



Encrypt sFlow Exports out of OVS Switch?

Hi Networking Wizards,

I just got sFlow exports working on my OVS switch, using this command:

ovs-vsctl -- --id=@sflow create sflow agent=\"eno0\" \
    target="\"10.10.10.10:6343\"" header=128 \
    sampling=1024 polling=10 \
    -- set bridge MyBridge sflow=@sflow

This works great, and I’m really happy with the results. Trouble is, my 10.10.10.10 collector is a remote machine, and I’m pretty sure this command sends the sFlow exports in cleartext. I’d love to encrypt those exports.

I’ve Googled “OVS,” “ovs-vsctl,” “security,” and other assorted terms, but I don’t see any ovs-vsctl option that turns on a security feature. Am I right in thinking there are none? Put another way, if I want to ensure encryption of sFlow exports between the OVS switch and my collector, is my only option to put a VPN tunnel between them, i.e., encrypt everything within the network?

Thanks!
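The reason no ovs-vsctl option turns on encryption is that the sFlow v5 datagram format itself has no confidentiality or authentication fields: it is a plain UDP payload of 32-bit fields, and with `header=128` each flow sample carries the first 128 bytes of the sampled frame, so a passive observer between the switch and the collector reads the agent address, sampling rate, and the sampled packets' MAC addresses, IP addresses and ports directly. The parser below is an added example, not OVS or sFlow project code; it builds a constructed sFlow v5 datagram (one flow sample with one raw packet header record, addresses chosen from RFC 1918 and RFC 5737 space) and decodes it from the wire bytes the way a collector would, which is also what anyone on the path could do.

```python
"""Decode a constructed sFlow v5 datagram to show what travels in the clear.

Added example, not OVS or sFlow project code. build_sample_datagram() makes
up a datagram (agent 10.10.10.1, one flow sample carrying a sampled
TCP/IPv4 frame from 10.10.10.20 to 192.0.2.5:443); parse_datagram() reads
it back using the sFlow v5 layout: version, agent address, sub-agent id,
sequence number, uptime, then a list of (format, length, body) samples.
"""
import socket
import struct


def u32(*vals):
    """Pack unsigned 32-bit big-endian fields, the base type of sFlow v5."""
    return struct.pack("!" + "I" * len(vals), *vals)


def build_sample_datagram():
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton("10.10.10.20"), socket.inet_aton("192.0.2.5"))
    l4 = struct.pack("!HH", 51000, 443)          # first 4 bytes of TCP: ports
    header = eth + ip + l4
    padded = header + b"\x00" * (-len(header) % 4)  # XDR pads to 4 bytes
    # raw packet header record: header_protocol=1 (Ethernet), frame_length,
    # bytes stripped (FCS), header_length, header bytes
    raw = u32(1, 74, 4, len(header)) + padded
    raw = u32(1, len(raw)) + raw                  # record format 1, length
    # flow sample: seq, source_id, sampling_rate, sample_pool, drops,
    # input ifindex, output ifindex, record count
    flow = u32(7, 2, 1024, 7168, 0, 2, 3, 1) + raw
    sample = u32(1, len(flow)) + flow             # sample format 1, length
    # datagram header: version 5, agent address type 1 (IPv4), agent address,
    # sub-agent id, sequence number, uptime (ms), sample count
    return u32(5, 1) + socket.inet_aton("10.10.10.1") + u32(0, 1, 123456, 1) + sample


class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (v,) = struct.unpack_from("!I", self.data, self.pos)
        self.pos += 4
        return v

    def raw(self, n):
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk


def parse_raw_header(payload):
    """Decode the sampled frame far enough to show addresses and ports."""
    proto, frame_len, _stripped, hdr_len = struct.unpack_from("!IIII", payload, 0)
    hdr = payload[16:16 + hdr_len]
    rec = {"frame_length": frame_len}
    if proto == 1 and len(hdr) >= 14:                   # Ethernet
        rec["eth_dst"] = ":".join("%02x" % b for b in hdr[0:6])
        rec["eth_src"] = ":".join("%02x" % b for b in hdr[6:12])
        if struct.unpack_from("!H", hdr, 12)[0] == 0x0800 and len(hdr) >= 34:
            ihl = (hdr[14] & 0x0F) * 4
            rec["ip_src"] = socket.inet_ntoa(hdr[26:30])
            rec["ip_dst"] = socket.inet_ntoa(hdr[30:34])
            rec["ip_proto"] = hdr[23]
            if len(hdr) >= 14 + ihl + 4:
                rec["src_port"], rec["dst_port"] = struct.unpack_from("!HH", hdr, 14 + ihl)
    return rec


def parse_flow_sample(r):
    _seq, _source, rate, _pool, _drops, inp, outp, nrec = (r.u32() for _ in range(8))
    records = []
    for _ in range(nrec):
        fmt, length = r.u32(), r.u32()
        payload = r.raw(length)
        records.append(parse_raw_header(payload) if fmt == 1 else {"format": fmt})
    return {"sampling_rate": rate, "input_if": inp, "output_if": outp, "records": records}


def parse_datagram(data):
    r = Reader(data)
    if r.u32() != 5:
        raise ValueError("only sFlow v5 datagrams are handled")
    addr_type = r.u32()
    agent = socket.inet_ntoa(r.raw(4)) if addr_type == 1 else socket.inet_ntop(socket.AF_INET6, r.raw(16))
    _sub, seq, _uptime, nsamples = (r.u32() for _ in range(4))
    samples = []
    for _ in range(nsamples):
        fmt, length = r.u32(), r.u32()
        body = Reader(r.raw(length))
        samples.append(parse_flow_sample(body) if fmt == 1 else {"format": fmt})
    return {"agent": agent, "sequence": seq, "samples": samples}


if __name__ == "__main__":
    print(parse_datagram(build_sample_datagram()))
```

Because the protocol carries nothing you can switch on, the protections are all outside it: carry the export inside a tunnel that already exists between the sites (the VPN option the post raises), or keep the collector on a management network the switch reaches without crossing untrusted links. It is also worth remembering that the sampled header bytes are real customer traffic, so the collector's own storage deserves the same handling as packet captures.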



RFC 8700 - Fifty Years of RFCs

Just published today. Found it to be a good read on the history of RFCs.

https://www.rfc-editor.org/rfc/rfc8700.txt



confused by results of show arp

Hi all,

I am auditing a switch getting ready to be upgraded. Needed to do a show arp of a VLAN to see some MAC addresses, and found an issue. I have never seen an ARP table from HP/Aruba show a bunch of zeroed out addresses that shouldn't exist.

Has anyone else seen something like this? None of my other vlans are showing these zeroed out MAC addresses.

Aruba2920-01# show arp vlan 30

 IP ARP table - VLAN 30

  IP Address      MAC Address       Type    Port
  --------------- ----------------- ------- ----
  192.168.30.1    013b29-616be3     dynamic 1/37
  192.168.30.5    015056-bd4b91     dynamic 2/37
  192.168.30.10   181373-f7b74b     dynamic 1/37
  192.168.30.20   d47ed9-f46ab9     dynamic 2/37
  192.168.30.21   005156-80171a     dynamic 2/37
  192.168.30.96   000000-000000     dynamic
  192.168.30.97   000000-000000     dynamic
  192.168.30.98   000000-000000     dynamic
  192.168.30.99   000000-000000     dynamic
  192.168.30.100  16feb6-d28eb7     dynamic 2/13
  192.168.30.101  16feb6-d28eb7     dynamic 2/13
  192.168.30.102  b4b4d9-ecb5ec     dynamic 1/23
  192.168.30.103  000000-000000     dynamic
  192.168.30.104  000000-000000     dynamic
  192.168.30.105  000000-000000     dynamic
  192.168.30.106  000000-000000     dynamic
  192.168.30.107  000000-000000     dynamic
  192.168.30.108  000000-000000     dynamic
  192.168.30.110  000000-000000     dynamic
  192.168.30.111  000000-000000     dynamic
  192.168.30.112  000000-000000     dynamic
  192.168.30.113  000000-000000     dynamic
  192.168.30.114  000000-000000     dynamic
  192.168.30.115  000000-000000     dynamic
  192.168.30.116  000000-000000     dynamic
  192.168.30.117  000000-000000     dynamic
  192.168.30.118  000000-000000     dynamic
  192.168.30.119  000000-000000     dynamic
  192.168.30.120  000000-000000     dynamic
  192.168.30.121  000000-000000     dynamic
  192.168.30.122  000000-000000     dynamic
  192.168.30.123  000000-000000     dynamic
  192.168.30.124  000000-000000     dynamic
  192.168.30.125  000000-000000     dynamic
  192.168.30.126  000000-000000     dynamic
  192.168.30.127  000000-000000     dynamic
  192.168.30.128  000000-000000     dynamic
  192.168.30.129  000000-000000     dynamic
  192.168.30.130  000000-000000     dynamic
  192.168.30.131  000000-000000     dynamic
  192.168.30.132  000000-000000     dynamic
  192.168.30.134  000000-000000     dynamic
  192.168.30.136  000000-000000     dynamic
  192.168.30.137  000000-000000     dynamic
  192.168.30.138  000000-000000     dynamic
  192.168.30.139  000000-000000     dynamic
  192.168.30.140  000000-000000     dynamic
  192.168.30.141  000000-000000     dynamic
  192.168.30.142  000000-000000     dynamic
  ------------ goes all the way to 192.168.30.254 ----

A show run of vlan 30 shows only the tagged and untagged interfaces and the vlan name.
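An all-zero MAC with no port is an entry the switch created while trying to resolve an address and never completed; when such entries run contiguously across most of a subnet, as in the output above, something sent traffic to each of those unused addresses in turn, and finding that source is the useful next step. The script below is an added example, not Aruba tooling; it parses a trimmed, constructed copy of the `show arp` output above into entries, reports the contiguous runs of unresolved addresses, and separately lists MAC addresses that appear with more than one IP (the .100/.101 pair above), which is normal for a host with secondary addresses but worth knowing about during an audit. The reading of the zeroed entries as unresolved is mine, not something the post states.

```python
"""Triage an ArubaOS-Switch 'show arp' table.

Added example, not Aruba tooling. SAMPLE_SHOW_ARP is a trimmed, constructed
copy of the output in the post above; the field layout (IP, MAC in
xxxxxx-xxxxxx form, type, optional port) follows that output.
"""
import re
from ipaddress import ip_address

SAMPLE_SHOW_ARP = """\
Aruba2920-01# show arp vlan 30

 IP ARP table - VLAN 30

  IP Address      MAC Address       Type    Port
  --------------- ----------------- ------- ----
  192.168.30.1    013b29-616be3     dynamic 1/37
  192.168.30.5    015056-bd4b91     dynamic 2/37
  192.168.30.96   000000-000000     dynamic
  192.168.30.97   000000-000000     dynamic
  192.168.30.98   000000-000000     dynamic
  192.168.30.100  16feb6-d28eb7     dynamic 2/13
  192.168.30.101  16feb6-d28eb7     dynamic 2/13
  192.168.30.102  b4b4d9-ecb5ec     dynamic 1/23
  192.168.30.103  000000-000000     dynamic
  192.168.30.104  000000-000000     dynamic
"""

ZERO_MAC = "000000-000000"
ENTRY = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{6}-[0-9a-f]{6})\s+(\w+)(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return a list of {'ip','mac','type','port'} dicts; banner lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ip, mac, typ, port = m.groups()
            entries.append({"ip": ip, "mac": mac.lower(), "type": typ, "port": port})
    return entries


def unresolved_ranges(entries):
    """Contiguous runs of IPs whose MAC is all zeros, as (first, last) pairs."""
    ips = sorted(ip_address(e["ip"]) for e in entries if e["mac"] == ZERO_MAC)
    ranges = []
    for ip in ips:
        if ranges and ip == ranges[-1][1] + 1:
            ranges[-1][1] = ip
        else:
            ranges.append([ip, ip])
    return [(str(a), str(b)) for a, b in ranges]


def duplicate_macs(entries):
    """{mac: [ips]} for resolved MACs seen with more than one IP."""
    by_mac = {}
    for e in entries:
        if e["mac"] != ZERO_MAC:
            by_mac.setdefault(e["mac"], []).append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_arp(SAMPLE_SHOW_ARP)
    print("unresolved runs:", unresolved_ranges(table))
    print("MACs with several IPs:", duplicate_macs(table))
```

Run against the full table, the first function gives you the span to look for in flow records or a packet capture on the routed interface: whatever host is addressing every IP in that span in sequence is what populated the table.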



How do you guys relax when on vacation?

I took Christmas week off and I just keep thinking about how much stuff I'm going to have to catch up on when I get back. Fortunately I'm not on call this week so there's that. But I just don't see how I can really enjoy this week knowing the shit storm I'll likely be walking into next week. How do you guys deal with it?



Traffic from the gateway to the next hop question.

To my understanding, when you send a packet to the default gateway, it is going to the next router so it can eventually reach its destination. But how is the data read from one router to another? Doesn't it strip all of the data off of the packet, up to layer 3, so it can travel from one network to another?

I was watching the CBT nuggets video about packet walking and when he was explaining this part, he said that this is only true for LAN networks but when you get to a WAN network, this explanation won't work. What does he mean by this?



How to deal with extremely aggressive vendors? Calls made are daily

As the title says. Lately at my company, I've been receiving calls from Cisco every day. I've tried to inform them that they've been in contact with us daily. They acknowledge it but still we receive cold calls from them. After asking to speak with a supervisor I've been hung up on, twice. They also refuse to give me their contact e-mail.

How do I proceed with this situation?



Noob trying to play ISP

Hey there! I am trying to provide internet to multiple apartments via a MikroTik cloud router switch (CRS125-24G-1S-IN). This is my first time doing anything of this scale and outside of home networking so please be gentle lol (of course y'all can give constructive criticism, I want that!). I am trying to configure it so that every RJ45 port gets its own dedicated subnet in which talking between each other is allowed, and talking to the internet is allowed, but nothing else is. Sort of like port isolation I guess? I dunno, this just seemed like the best setup to me for this use case but again I have 0 theoretical knowledge beyond some googling. Here's the current config:

# dec/24/2019 09:52:33 by RouterOS 6.46.1
#
# model = CRS125-24G-1S
/interface ethernet
set [ find default-name=ether1 ] loop-protect=on name=1_WAN
set [ find default-name=ether2 ] loop-protect=on name=2_Man
set [ find default-name=ether3 ] disabled=yes loop-protect=on name=3
set [ find default-name=ether4 ] disabled=yes loop-protect=on name=4
set [ find default-name=ether5 ] disabled=yes loop-protect=on name=5
set [ find default-name=ether6 ] disabled=yes loop-protect=on name=6
set [ find default-name=ether7 ] disabled=yes loop-protect=on name=7
set [ find default-name=ether8 ] disabled=yes loop-protect=on name=8
set [ find default-name=ether9 ] disabled=yes loop-protect=on name=9
set [ find default-name=ether10 ] loop-protect=on name=10_234
set [ find default-name=ether11 ] loop-protect=on name=11_234A
set [ find default-name=ether12 ] loop-protect=on name=12_234B
set [ find default-name=ether13 ] loop-protect=on name=13_236
set [ find default-name=ether14 ] loop-protect=on name=14_236A
set [ find default-name=ether15 ] loop-protect=on name=15_236B
set [ find default-name=ether16 ] loop-protect=on name=16_236C
set [ find default-name=ether17 ] loop-protect=on name=17_236D
set [ find default-name=ether18 ] loop-protect=on name=18_236E
set [ find default-name=ether19 ] loop-protect=on name=19_236F
set [ find default-name=ether20 ] loop-protect=on name=20
set [ find default-name=ether21 ] disabled=yes loop-protect=on name=21
set [ find default-name=ether22 ] disabled=yes loop-protect=on name=22
set [ find default-name=ether23 ] disabled=yes loop-protect=on name=23
set [ find default-name=ether24 ] disabled=yes loop-protect=on name=24
set [ find default-name=sfp1 ] disabled=yes loop-protect=on
/interface list
add name=Appartementen
add name=WAN
add name=Management
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool10 ranges=10.10.10.11-10.10.10.254
add name=pool11 ranges=10.10.11.12-10.10.11.254
add name=pool12 ranges=10.10.12.13-10.10.12.254
add name=pool13 ranges=10.10.13.14-10.10.13.254
add name=pool2 ranges=10.10.2.3-10.10.2.254
add name=pool3 ranges=10.10.3.4-10.10.3.254
add name=pool4 ranges=10.10.4.5-10.10.4.254
add name=pool5 ranges=10.10.5.6-10.10.5.254
add name=pool6 ranges=10.10.6.7-10.10.6.254
add name=pool7 ranges=10.10.7.8-10.10.7.254
add name=pool8 ranges=10.10.8.9-10.10.8.254
add name=pool9 ranges=10.10.9.10-10.10.9.254
add name=pool14 ranges=10.10.14.15-10.10.14.254
add name=pool15 ranges=10.10.15.16-10.10.15.254
add name=pool16 ranges=10.10.16.17-10.10.16.254
add name=pool17 ranges=10.10.17.18-10.10.17.254
add name=pool18 ranges=10.10.18.19-10.10.18.254
add name=pool19 ranges=10.10.19.20-10.10.19.254
add name=pool20 ranges=10.10.20.21-10.10.20.254
add name=pool21 ranges=10.10.21.22-10.10.21.254
add name=pool22 ranges=10.10.22.23-10.10.22.254
add name=pool23 ranges=10.10.23.24-10.10.23.254
add name=pool24 ranges=10.10.24.25-10.10.24.254
/ip dhcp-server
add address-pool=pool10 bootp-support=dynamic disabled=no interface=10_234 name=dhcp10
add address-pool=pool11 bootp-support=dynamic disabled=no interface=11_234A name=dhcp11
add address-pool=pool12 bootp-support=dynamic disabled=no interface=12_234B name=dhcp12
add address-pool=pool13 bootp-support=dynamic disabled=no interface=13_236 name=dhcp13
add address-pool=pool14 bootp-support=dynamic disabled=no interface=14_236A name=dhcp14
add address-pool=pool15 bootp-support=dynamic disabled=no interface=15_236B name=dhcp15
add address-pool=pool16 bootp-support=dynamic disabled=no interface=16_236C name=dhcp16
add address-pool=pool17 bootp-support=dynamic disabled=no interface=17_236D name=dhcp17
add address-pool=pool18 bootp-support=dynamic disabled=no interface=18_236E name=dhcp18
add address-pool=pool19 bootp-support=dynamic disabled=no interface=19_236F name=dhcp19
add address-pool=pool20 bootp-support=dynamic disabled=no interface=20 name=dhcp20
add address-pool=pool2 bootp-support=dynamic disabled=no interface=2_Man name=dhcp2
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add interface=10_234 list=Appartementen
add interface=11_234A list=Appartementen
add interface=12_234B list=Appartementen
add interface=13_236 list=Appartementen
add interface=14_236A list=Appartementen
add interface=15_236B list=Appartementen
add interface=16_236C list=Appartementen
add interface=17_236D list=Appartementen
add interface=18_236E list=Appartementen
add interface=19_236F list=Appartementen
add interface=20 list=Appartementen
add interface=21 list=Appartementen
add interface=22 list=Appartementen
add interface=23 list=Appartementen
add interface=24 list=Appartementen
add interface=1_WAN list=WAN
add interface=2_Man list=Management
/ip address
add address=10.10.10.0/24 interface=10_234 network=10.10.10.0
add address=10.10.11.0/24 interface=11_234A network=10.10.11.0
add address=10.10.12.0/24 interface=12_234B network=10.10.12.0
add address=10.10.13.0/24 interface=13_236 network=10.10.13.0
add address=10.10.14.0/24 interface=14_236A network=10.10.14.0
add address=10.10.15.0/24 interface=15_236B network=10.10.15.0
add address=10.10.16.0/24 interface=16_236C network=10.10.16.0
add address=10.10.17.0/24 interface=17_236D network=10.10.17.0
add address=10.10.18.0/24 interface=18_236E network=10.10.18.0
add address=10.10.19.0/24 interface=19_236F network=10.10.19.0
add address=10.10.20.0/24 interface=20 network=10.10.20.0
add address=10.10.21.0/24 interface=21 network=10.10.21.0
add address=10.10.22.0/24 interface=22 network=10.10.22.0
add address=10.10.23.0/24 interface=23 network=10.10.23.0
add address=10.10.24.0/24 interface=24 network=10.10.24.0
add address=10.10.2.0/24 interface=2_Man network=10.10.2.0
add address=10.10.3.0/24 interface=3 network=10.10.3.0
add address=10.10.4.0/24 interface=4 network=10.10.4.0
add address=10.10.5.0/24 interface=5 network=10.10.5.0
add address=10.10.6.0/24 interface=6 network=10.10.6.0
add address=10.10.7.0/24 interface=7 network=10.10.7.0
add address=10.10.8.0/24 interface=8 network=10.10.8.0
add address=10.10.9.0/24 interface=9 network=10.10.9.0
/ip dhcp-client
add disabled=no interface=1_WAN
/ip dhcp-server alert
add disabled=no interface=10_234 valid-server=CC:2D:E0:8E:78:A5
add disabled=no interface=11_234A valid-server=CC:2D:E0:8E:78:A6
add disabled=no interface=12_234B valid-server=CC:2D:E0:8E:78:A7
add disabled=no interface=13_236 valid-server=CC:2D:E0:8E:78:A8
add disabled=no interface=14_236A valid-server=CC:2D:E0:8E:78:A9
add disabled=no interface=15_236B valid-server=CC:2D:E0:8E:78:AA
add disabled=no interface=16_236C valid-server=CC:2D:E0:8E:78:AB
add disabled=no interface=17_236D valid-server=CC:2D:E0:8E:78:AC
add disabled=no interface=18_236E valid-server=CC:2D:E0:8E:78:AD
add disabled=no interface=19_236F valid-server=CC:2D:E0:8E:78:AE
add disabled=no interface=20 valid-server=CC:2D:E0:8E:78:AF
/ip dhcp-server network
add address=10.10.2.0/24 gateway=10.10.2.2
add address=10.10.10.0/24 gateway=10.10.10.10
add address=10.10.11.0/24 gateway=10.10.11.11
add address=10.10.12.0/24 gateway=10.10.12.12
add address=10.10.13.0/24 gateway=10.10.13.13
add address=10.10.14.0/24 gateway=10.10.14.14
add address=10.10.15.0/24 gateway=10.10.15.15
add address=10.10.16.0/24 gateway=10.10.16.16
add address=10.10.17.0/24 gateway=10.10.17.17
add address=10.10.18.0/24 gateway=10.10.18.18
add address=10.10.19.0/24 gateway=10.10.19.19
add address=10.10.20.0/24 gateway=10.10.20.20
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=never default-screen=informative-slideshow
/lcd interface
set "1_WAN" timeout=1s
set "2_Man" timeout=1s
set "4" timeout=1s
set "5" timeout=1s
set "6" timeout=1s
set "7" timeout=1s
set "8" timeout=1s
set "9" timeout=1s
set "10_234" timeout=1s
set "11_234A" timeout=1s
set "12_234B" timeout=1s
set "13_236" timeout=1s
set "14_236A" timeout=1s
set "15_236B" timeout=1s
set "16_236C" timeout=1s
set "17_236D" timeout=1s
set "18_236E" timeout=1s
set "19_236F" timeout=1s
set "21" timeout=1s
set "22" timeout=1s
set "23" timeout=1s
set "24" timeout=1s
set sfp1 timeout=1s
/lcd screen
set 0 timeout=1s
set 1 timeout=1s
set 2 timeout=1s
set 3 timeout=1s
set 4 timeout=1s
set 5 timeout=1s
/system clock
set time-zone-name=Europe/Amsterdam


TCP network libraries

Are there any IO multiplexing TCP network libraries?



ASR9001 and 40Gb MPA cards

I'm pretty sure it will but can't find any Cisco documentation confirming for sure. Does anyone here know if the ASR9001 supports two of the A9K-MPA-1x40GE cards being installed?

It has two MPA slots so I'm pretty sure it would be fine but I don't want to spend £46,000+ before finding out it only supports the one.

I almost made this mistake by thinking it would support the A9K-MPA-2x40GE card as standard.

Thanks



Can't seem to get QSFP+ ports on EX4300 working as switchports.

So I recently picked up an EX4300 for my homelab and I am having some trouble getting the 40gb QSFP+ ports working. I am pretty new to Juniper, having used almost exclusively Cisco gear, so I am hoping to get a more experienced set of eyes on this to make sure I am not missing a setting somewhere.

Following the guides I found I first deleted the ports out of the virtual chassis config with "request virtual-chassis vc-port delete". After which I went ahead and configured the et-0/1/# interfaces for switching and no auto-negotiation as we are using QSFP+ DACs. We already reached out to the DAC vendor (FS) and they sent us back screenshots of this model working in their own EX4300, but I just can't seem to get them to show up in the chassis inventory under PIC 1.

Anyone know if I am missing a step here?

interfaces {
    et-0/1/0 {
        ether-options {
            no-auto-negotiation;
        }
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members all;
                }
                storm-control default;
            }
        }
    }
    et-0/1/1 {
        ether-options {
            no-auto-negotiation;
        }
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    et-0/1/2 {
        ether-options {
            no-auto-negotiation;
        }
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    et-0/1/3 {
        ether-options {
            no-auto-negotiation;
        }
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
}

home-ex4300-sw1> show chassis hardware

Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                ************   EX4300-24T
Routing Engine 0 REV 11   650-044936   ************   EX4300-24T
FPC 0            REV 11   650-044936   ************   EX4300-24T
  CPU                     BUILTIN      BUILTIN        FPC CPU
  PIC 0          REV 11   BUILTIN      BUILTIN        24x 10/100/1000 Base-T
  PIC 1          REV 11   BUILTIN      BUILTIN        4x 40GE
  PIC 2          REV 05   611-044925   ************   4x 1G/10G SFP/SFP+
    Xcvr 0                NON-JNPR     ************   SFP+-10G-CU1M
    Xcvr 1                NON-JNPR     ************   SFP+-10G-SR
    Xcvr 2                NON-JNPR     ************   SFP+-10G-SR
    Xcvr 3                NON-JNPR     ************   SFP+-10G-SR
Power Supply 0   REV 01   740-046873   ************   JPSU-350-AC-AFO-A
Power Supply 1   REV 01   740-046873   ************   JPSU-350-AC-AFO-A
Fan Tray 0                                            Fan Module, Airflow Out (AFO)
Fan Tray 1                                            Fan Module, Airflow Out (AFO)

home-ex4300-sw1> show chassis pic fpc-slot 0 pic-slot 1

FPC slot 0, PIC slot 1 information:
  Type                             4x 40GE Builtin
  State                            Online
  Uptime                           9 minutes, 8 seconds

home-ex4300-sw1> show virtual-chassis vc-port

fpc0:
--------------------------------------------------------------------------

{master:0}

home-ex4300-sw1> show version

fpc0:
--------------------------------------------------------------------------
Hostname: home-ex4300-sw1
Model: ex4300-24t
JUNOS EX Software Suite [13.2X50-D15.3]
JUNOS FIPS mode utilities [13.2X50-D15.3]
JUNOS Online Documentation [13.2X50-D15.3]
JUNOS EX 4300 Software Suite [13.2X50-D15.3]
JUNOS Web Management [13.2X50-D15.3]
JUNOS py-base-powerpc [13.2X50-D15.3]

{master:0}


Happy Holidays!

From all the mods at /r/networking - Happy Holidays! May your traffic run un-congested, and your TTLs never expire!



Monday, December 23, 2019

Need Help With Setting Up Network For a Gym

I am on the management team for a new gym and am attempting to do all the networking as we are trying to keep costs as low as possible, this is certainly not in my job description. I have basic IT experience, and have done a good bit of home network setup, but this will be my first time setting up a network for a small business and I am hoping I didn't bite off more than I can chew. Any help and guidance you all can provide would be very appreciated.

We have a gigabit fiber line to the business and the ISP installed a NetVanta 5660.

The internet needs to be routed from there to 5 wired workstations, and one wireless access point.

The wireless access point needs to provide internet access to gym staff's devices, and also to customers.

The gym's software is all cloud based and any documents will likely just be stored on Google Drive, meaning each device just needs to be able to connect to the internet; we don't need an intranet or shared drive/server.

I have already run CAT6 cables from the network room to the locations of the workstations and wireless access point.

The big question is what hardware I need and how it all needs to be configured.

Again, to keep costs low I was hoping to make do with an EdgeRouter 10X and one UniFi AP AC PRO. And then, just connect the NetVanta 5660 to the EdgeRouter 10X, then the workstations and the UniFi AP AC Pro to the EdgeRouter 10X. Create a staff wireless network and a guest wireless network. Do some QoS to give priority to the wired devices and staff devices and limit the bandwidth any one device can take up.

Do you think this will do well, am I missing anything? I am hoping the EdgeRouter 10X built-in default firewall, blocking all incoming web traffic, will be enough. Additionally, how easy would it be to set this network up, do I need to do much configuration? Do you think anything specific needs to be done security-wise for the workstations that will be doing transactions?

Thank you!



Adtran Netvanta 4430 Config Questions (similar to Cisco)

Hi folks,

Trying to set up a Netvanta 4430 to do a few things for me...

- 5 VLANs (ID 2-6) (all using encapsulation)

- set up DHCP for said VLANs

- make it so that VLANS 2, 3, and 6 can access VLAN 4 but no one else.

- make a DHCP reservation for two IP addresses on VLAN 4

So far I have the IP ranges for the VLANs set up, DHCP set up for all the VLANs, and have all the reservations made. Now I am hitting an issue with the third point; I am a bit confused about the difference between access-lists and access-policies so I can do the whole inter-VLAN routing. I am following the guide on Adtran's site but I am really confused on what goes where, as in the NAT translation. NAT is all new to me so I'm trying to figure it out, but it looks like I should specify the translated IP should be the public IP of the system... right?

Here is the guide I'm following, I specifically mention page 25 at the top. https://supportforums.adtran.com/docs/DOC-1657



Workaround for corporate network that doesn't allow desktop switches?

I work end user support for a large company. I do a lot of IMAC services, imaging, troubleshooting, etc. Things get really busy on occasion, and I'm asked to be in three places at once, image many devices per week, or what have you. The powers that be refuse to make an exception for their no desktop switch rule. I understand the point of the rule, in that they don't want end users daisy chaining multiple junk switches, and making it difficult to track down issues. I'm not an end user. I need a workaround to do my job effectively.

This is certainly a situation where it's much easier to ask for forgiveness than it is to ask for permission. Maybe they're not set up to allow this ability for one person without opening it up for everyone. I don't know. How might I cut through this restriction?



How to determine the round trip time between two geo coordinates?

I am solving a problem as follows:

Write a fully working program that takes two inputs:

a) The geographic coordinates to a customer somewhere on Earth. Give this location a name.

b) The geographic coordinates to two edge caches somewhere on Earth. Give each location a name.

The output is simple:

Provide name of the location that the customer would likely get a better experience from.

Extra1: What is the expected round trip time from the customer to that cache?

Extra2: What is the maximum expected bandwidth from the customer to that edge cache, given a bandwidth delay product of 10MB?

I have currently written a python program to calculate the Round trip time between my computer and two servers with URL Google.com and Facebook.com, which works well.

import time
import requests

bandWidthDelayProduct = 10  # MB, the bandwidth delay product given in the problem


def calc_time(url):
    # Time a full HTTP GET; this measures request latency rather than a pure RTT
    t1 = time.time()
    requests.get(url)
    t2 = time.time()
    return t2 - t1


def calc_bw(rtt):
    # Throughput ceiling for a fixed bandwidth delay product: BDP / RTT
    return bandWidthDelayProduct / rtt


def better_experience(cacheLoc1, cacheLoc2):
    roundTripTime1 = calc_time(cacheLoc1)
    roundTripTime2 = calc_time(cacheLoc2)
    if roundTripTime1 > roundTripTime2:
        print("The customer gets better experience from: " + cacheLoc2)
        print("The max BW from the customer to that end cache is: " + str(calc_bw(roundTripTime2)))
    elif roundTripTime1 < roundTripTime2:
        print("The customer gets better experience from: " + cacheLoc1)
        print("The max BW from the customer to that end cache is: " + str(calc_bw(roundTripTime1)))
    else:
        print("The customer gets better experience from both locations")
        print("The max BW from the customer to that end cache is: " + str(calc_bw(roundTripTime1)))


customerLocation = 0
cacheLocation1 = "http://www.google.com"
cacheLocation2 = "http://www.facebook.com"
# Compare the two caches (the original passed the same location twice)
better_experience(cacheLocation1, cacheLocation2)

But my question is how to perform the same computation between 2 Geo Coordinates i.e, the customer and the edge cache. I am very new into CDN(content delivery network). If you can show how I can how I can do it, it would be very helpful. Please go easy on me.

Thank you so much.
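
The geo-coordinate version of this computation, as an added example that is not from the original post: it replaces the live HTTP timing with an estimate derived purely from the two coordinates. The assumptions are mine, not the poster's: great-circle distance via the haversine formula, signal propagation at roughly two thirds of c in fibre (about 200,000 km/s), a 1.5x path-stretch factor because real cable routes are longer than the great circle, and propagation delay only (no queuing, serialisation or processing delay). The sample coordinates are constructed for the demonstration.

```python
import math

# Constants below are assumptions for this worked example, not values from the post.
EARTH_RADIUS_KM = 6371.0          # mean Earth radius
FIBER_SPEED_KM_PER_S = 200_000.0  # light in fibre travels at roughly 2/3 of c
PATH_STRETCH = 1.5                # assumed ratio of cable path to great-circle distance
BDP_BYTES = 10 * 1024 * 1024      # the 10 MB bandwidth-delay product from the problem


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def estimate_rtt_ms(distance_km, stretch=PATH_STRETCH):
    """Propagation-only RTT estimate in ms: out and back over a stretched path."""
    one_way_s = distance_km * stretch / FIBER_SPEED_KM_PER_S
    return 2 * one_way_s * 1000.0


def max_bandwidth_mbps(rtt_ms, bdp_bytes=BDP_BYTES):
    """Throughput ceiling for a fixed bandwidth-delay product: BDP / RTT, in Mbit/s.
    A zero RTT (customer co-located with the cache) is reported as unbounded."""
    if rtt_ms <= 0:
        return math.inf
    return (bdp_bytes * 8) / (rtt_ms / 1000.0) / 1e6


def better_experience(customer, caches):
    """customer is (name, lat, lon); caches is a list of the same tuples.
    Returns (cache_name, rtt_ms, max_mbps) for the cache with the lowest estimated RTT."""
    _, clat, clon = customer
    best = None
    for name, lat, lon in caches:
        rtt = estimate_rtt_ms(haversine_km(clat, clon, lat, lon))
        if best is None or rtt < best[1]:
            best = (name, rtt, max_bandwidth_mbps(rtt))
    return best


if __name__ == "__main__":
    # Constructed sample input: a customer in New York, edge caches in London and Tokyo.
    customer = ("New York", 40.7128, -74.0060)
    caches = [("London", 51.5074, -0.1278), ("Tokyo", 35.6762, 139.6503)]
    name, rtt, mbps = better_experience(customer, caches)
    print(f"Better experience from {name}: ~{rtt:.1f} ms RTT, max ~{mbps:.0f} Mbit/s")
```

The stretch factor and fibre speed are the two knobs worth calibrating against real measurements; with the values above, New York to London (about 5,570 km great-circle) comes out near 84 ms RTT, which is in the same range as measured transatlantic latencies, and the 10 MB bandwidth-delay product then caps throughput at roughly 1 Gbit/s.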



Assistance auto connecting to device over VPN

Apologies in advance, this post will be slightly vague because it's work related but also because I'm somewhat out of my depth.

At work, we have access to multiple remote cabinets via a VPN. The primary device within these cabinets is running Linux. Attached to this primary device is a secondary device connected to the primary device via Ethernet. To make changes to this secondary device we have to use proprietary windows software and be plugged into the secondary device in person.

Today I got the idea that this device should theoretically be remotely accessible like any other device in the cabinet. First, I hooked up a travel router to the secondary Ethernet port on the device. Sure enough, connecting wirelessly to the travel router network via my laptop allowed me to connect to the device and run the proprietary windows software wirelessly. Good first step!

I then disconnected the travel router and ran an Ethernet cable between the secondary device and the cabinet switch. Theoretically, the secondary device should now be accessible via the VPN. However, the problem is with the proprietary software. When you open the software, it auto finds the device via IP. If it doesn't auto find it, there's no way to connect.

When the secondary device is plugged into the cabinet switch, the software on my laptop does not auto find the device. However, if I'm plugged directly into the device, or on a wireless network plugged directly into the device, it does auto find the device. It's like the .Net software can scan my wireless card or my Ethernet card for the IP or specific device info it needs, but once on the VPN, it can't find the device remotely.

Does anyone have ideas? It's like I need to create a virtual windows Ethernet device and somehow mate it to the IP of the device behind the VPN. Then when the windows software scans available cards/connections, it will find the device.

Any suggestions? Am I way off? Thanks tremendously in advance for the help.



Effects of Firewall response timeout increased.

So I have a firewall that is acting as a web proxy for users. The issue is whenever users try to generate a report from a cloud application, it fails and I get an error message that says "response timeout 5xx error code".

After further investigation, I found out that the firewall HTTP proxy response timeout is set to 60 seconds. I increased this timer to an hour and users were then able to generate reports that took very long to generate (report generation could take as much as 20 minutes).

However, I am not sure of the inherent risk of doing this. All I could think of is that I may have increased the possible sessions the firewall will hold with unresponsive web servers, and may overwhelm its performance.

Besides this effect, I want to know what the possible risks are that I may have incurred by increasing the response timeout from 60 seconds to an hour.

Thanks



ip source verify?

Newb question. I'm the junior guy on the team and I'm stumped on this one despite my coworker's lackluster explanation. We've replaced a few failed 2960's recently and most ports have required me to turn off ip source verify, shut the port down, turn the port back on, let the end device get an IP address, then turn ip source verify back on.

If I don't do this, the end device can't pick up an ip address.

Can anyone steer me into the right direction for a whitepaper or an article that can explain why? I've done this for about 15 ports and I really need to figure out why I'm doing it.... not just "do it." Thanks in advance.



Self-Hosted SMS gateway

Hello All,

I have been tasked with creating a design proposal that reviews multiple SMS gateway solutions. I am required to look at least 2 self hosted options and 2 managed service solutions. So far I have found:

- PageGate ( self hosted solution 1)

- PagerDuty (paid hosted solution 1)

- Clickatell (paid hosted solution 2)

I am still looking for another software solution similar to PageGate that we can host in our DC. I'm having trouble finding anything good though. Our main use case is to receive solarwinds alerts via SMS. Email to SMS is not an option as the boss is against it.

Any ideas?



What happens to your current Cisco certification expiration date come February 24?

A coworker and I are having a disagreement. Assuming someone has their CCNP prior to February 24, what happens to the expiration date? Coworker is claiming that everyone that has the current CCNP will be rolled into the new enterprise CCNP and everyone's expiration date will be pushed back 3 years which makes no sense to me. I am arguing that while you will get the new CCNP, the expiration date of the new CCNP will be the same as your current CCNP.

Does anyone have anything in writing from Cisco as to what their policy is? I can't find anything written in stone from Cisco. Thanks in advance for any help.



Network Address Translation/Default Gateway question

I have a PLC on a private network connected to a managed switch (AB Stratix 5700, which seems to be a rebranded Cisco IE2000) using 192.168.3.1 as the default gateway. This switch connects all of the EtherNet/IP devices used in the control system. My goal is to translate the local IP address to a public address on our network using an Allen Bradley 9300-ENT (simple 1:1 NAT device), but I have never done this on a managed switch.

I have two questions:

Will changing the default gateway of the PLC hinder the communication between other EtherNet/IP devices on the private network?

I believe the managed switch has 1:1 NAT, but I am not sure where the public network uplink would go because the switch is connected to two more (unmanaged) switches via the dual-purpose uplink ports. Would any port on the unmanaged switches be sufficient?

Thanks for any help



Stupid IGMP issues...

Hi! This is probably a super stupid issue, but after 5 hours of troubleshooting I thought I might ask for a hand here :)

I'm having a bit of trouble setting up my IPTV in my home, using my own Cisco equipment instead of my ISP-issued equipment. Now my setup is as follows: ISP Router (bridged mode) --> Cisco ISR1111 --> Cisco C2960 ---> IPTV decoder.

The ISP Router is bridged, but probably doing some VLAN tagging to separate internet from IPTV traffic, so LAN ports 1-2 are for IPTV and port 3 is for internet. I have connected port 1 (IPTV) into one of the Layer 2 switchports (port 0/1/2) in my ISR and tagged it with VLAN 20, then I'm trunking VLAN 20 to my 2960 switch (port gi0/1/7 on the ISR to port gi0/1 on the 2960) and I have my IPTV decoder connected to port gi0/4, as an access port in VLAN 20. The ISP router is giving DHCP on the IPTV ports.

I can get TV signals just fine, and I have IGMP snooping enabled on both devices. But after 120 seconds IGMP on the ISR sends a leave message to my trunk and my TV goes black, naturally. This is due to a "report timer expired" message, and I cannot seem to figure out what's causing this. The switch does not seem to pass any reports to my ISR that it has active members of my IPTV streams.

If I disable IGMP snooping on the ISR then everything is working as it should. I have enabled debug ip igmp snooping on both devices and I see the following on the ISR:

Dec 23 16:24:06.863: IGMPSN: Received IGMPv2 message for group 0.0.0.0 received on Vlan 20, port Gi0/1/2
Dec 23 16:24:06.863: IGMPSN-2: IGMPv2 General Query received on Vlan 20, port Gi0/1/2 Resp time 10000 (100 100) msecs, LLQ time 2000 (2 1000) msecs
Dec 23 16:24:06.863: IGMPSN-2: IGMP general queries received on Vlan 20 updates all groups
Dec 23 16:24:06.863: IGMPSN-2: timer: start report_timer 10000 msecs of vlan 20
Dec 23 16:24:06.863: IGMPQR: vlan 20: GQ with src addr 192.168.10.1 received on port Gi0/1/2 in Disabled state
Dec 23 16:24:06.863: IGMPSN: router: Received IGMP pak on Vlan 20, port Gi0/1/2
Dec 23 16:24:06.863: IGMPSN-2: router: port Gi0/1/2 is a router port on Vlan 20
Dec 23 16:24:06.863: IGMPSN-2: router: Learning port: Gi0/1/2 as rport on Vlan 20
Dec 23 16:24:06.863: (l2mcsn_flood_l2mc_pak) IGMPSN-2 flood pak to vlan 20
Dec 23 16:24:16.861: IGMPSN-2: timer: report timer expired on Vlan 20
Dec 23 16:24:16.861: IGMPSN-2: sync group for Vlan 20 robustness variable 2

but none of this information is shown on my C2960, so it seems as if none of the queries pass down to the 2960? Is there something blocking multicast traffic from trunks?

If I switch channels on my IPTV then I get picture and everything is working fine, until the 120 second timer expires and I have to switch the channel back and forth to make it work again.

I have set the mrouter on both devices' uplink ports, and tried setting the querier on both the ISR and the switch, but nothing seems to help except for disabling IGMP on the ISR and letting it behave as broadcast traffic.

I am new to all the IGMP stuff, so if you guys have any idea of what's happening I would be very happy for some help :)

edit: just clarifying that my ISP is plugged to a L2 port on the ISR and not doing any routing.



I have a question, do mesh networks have a viable future?

I was doing some research to help some buddies of mine dealing with internet shutdowns in India, and I stumbled across mesh networks. That provided an excellent jumping point that helped us find some resources to help protesters maintain communication during internet shutdowns. However, I noticed a number of cities had some local projects by college kids such as sudo mesh to start building mesh networks. I'm not a networking guy; my understanding of computer science, while above average, is definitely not college or university level. However, I would like to know more about it. Which brings me to my question: are mesh networks potentially a viable alternative to the current internet infrastructure in the near future? What are some obstacles they'll have to overcome? Should we expect mesh technology to become more popular and widely used?



Question: Network diagram drawing pad

You have no access to a marker board, but you want to doodle network diagrams for troubleshooting electronically as to not waste paper. What drawing pad that connects to your pc do you use?



CCNP Service Provider

I want to study the ccnp SP online. Can someone tell me who's the best instructor or has the best videos for that course? Thanks in advance.



Quick question about the dell x1052P

In our new suite, we had this Dell x1052p hooked up to a patch panel with an uplink heading to our main server rack. With that in mind, while we were serving one problem we figured we would update the switch and finalize some management stuff on the GUI side of things. Once we had done that, it dropped the uplink connection (presumably due to port security when we assigned a static) multiple times. Once we had gotten that tackled a little bit, updated the firmware, and got the switch working, it was not allowing our Polycom IP phones to grab IPs from the DHCP server, but it was pre-configuration. With that in mind, has anyone run into as many headaches as I have with these dang Dell switches? I'm a big Cisco guy so I dislike this switch a lot.



newbie question can't ping my gateway from new load balancer - help debugging

Hello, I'm pretty new to networking and my issue is I'm installing a new load balancer (A10 device) in one of our CORP zones that's behind a firewall ( Model: srx4600, Junos: 18.2R3-S1.7).

The brand new load balancer doesn't have any config on it (NO ACLs on the LB yet) and I only set up the management interface (which is UP) and the IP gateway:

interface management
flow-control
ip address 172.29.0.16 255.255.255.0
ip control-apps-use-mgmt-port
ip default-gateway 172.29.0.1

I should be able to ping my gateway which is the firewall, 172.29.0.1 but can't :

LB1-1#ping 172.29.0.1
PING 172.29.0.1 (172.29.0.1) 56(84) bytes of data.
From 172.29.0.16 icmp_seq=1 Destination Host Unreachable

the firewall is definitely up and accessible from the rest of the network.

I also have a VLAN set up on the LB to a TOR switch -- vlan 230:

vlan 230
tagged trunk 1
router-interface ve 230

interface ve 230
name vlan230
ip address 172.29.30.4 255.255.255.0

this vlan is up

Total arp entries: 1 Age time: 300 secs
IP Address MAC Address Type Age Interface Vlan
---------------------------------------------------------------------------
172.29.30.1 0010.dcff.2002 Dynamic 224 ethernet 6 230

^ But my problem remains that I can't ping my gateway and I'm not understanding why that is, as it should be directly connected and show up in my ARP table, yes?

I've been going through A10 docs and it's difficult to find debugging commands that are helpful in troubleshooting this issue:

traceroute to 172.29.0.1 (172.29.0.1), 30 hops max, 60 byte packets
(172.29.0.16) 3051.828 ms !H 3051.732 ms !H 3051.711 ms !H

and here's the route on the firewall for the IP management of the load balancer and the interface:

FW2> show route 172.29.0.16
inet.0: 306 destinations, 528 routes (306 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
172.29.0.0/24 *[Direct/0] 8w2d 16:28:58
> via reth1.100
mgmt_junos.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 8w2d 16:28:58
> to 10.250.243.1 via fxp0.0

FW2> show interfaces reth1.100
Logical interface reth1.100 (Index 95) (SNMP ifIndex 569)
Description: MANAGEMENT
Flags: Up SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.100 ] Encapsulation: ENET2
Statistics Packets pps Bytes bps
..... etc.....
Allowed host-inbound traffic : bgp ospf dhcp ike ping snmp ssh traceroute
Protocol inet, MTU: 1500
Max nh cache: 100000, New hold nh limit: 100000, Curr nh cnt: 30, Curr new hold cnt: 0, NH drop cnt: 0
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Preferred Is-Primary
Destination: 172.29.0/24, Local: 172.29.0.1, Broadcast: 172.29.0.255
Protocol multiservice, MTU: Unlimited

Can anyone please help guide me as to where else I should be looking for any useful commands to narrow down if the issue is on my side with the load balancer or on the gateway/fw side? (please note I logged into this new LB via console)



ACDX Exam This Afternoon

Absolutely bricking it as anyone would. Swotting up on the ACDP book because Aruba thought it was cool not to make any study material for the ACDX written exam 😭😭😭



Sunday, December 22, 2019

What causes the STP root to constantly change?

I've got a mix of Cisco, EnGenius, and Netgear switches and have had various problems with the network dropping out while the STP root changes 20 or so times in the span of a minute.

There isn't anything special on my network (hub and spoke switch arrangement, no LAGs); the only modification compared to a factory default config is a VLAN for guest WiFi traffic.

We've got Fortigate firewalls with STP enabled on the LAN interface

We also have ACTi security cameras, UniFi UAP's and a CloudKey

Screenshot



Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.



Netbox Demo Site (netboxdemo.com)

Site NetboxDemo.com

For anybody interested in adopting Netbox (the DCIM, IPAM, etc documentation tool): I set up a demo site at NetboxDemo.com.

You can log in with netbox\netbox for full read/write access. I also created some example devices/prefixes/ip-addresses/etc so you can browse around and see how it works without starting from scratch.

The database resets every night at 08:00 AM, UTC (Midnight PST) so don't enter any important info you're not willing to lose.

Edit: Somebody got in and changed the password. I restricted the user tables so the password can't be changed now. Should be back up



Update Stealthwatch Management Console Identity Cert Best Practice?

I have an SMC, Flow Collector, and Flow Sensor VMs deployed. They are all on version 7.0.

When I initially added the Flow Collector and Flow Sensor VMs to SMC I accepted the default self-signed SMC cert. I'm going to be replacing the SMC identity cert with one signed by a CA.

In all the documentation I read on doing this it cautions "Your certificates are critical for your system’s security. Improperly modifying your certificates can stop Stealthwatch appliance communications and cause data loss."

https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/SW_7_0_Installation_and_Configuration_Guide_DV_5_0.pdf

Is there a best practice on how to do this without breaking my SMC, FC, and FS deployment? Do I have to remove the FC and FS from SMC, update the SMC identity cert, add the chain to the FC, FS then re-add the FC and FS? Or do I just add the chain to the FC and FS then update the SMC identity cert, then reboot the FC and FS without removing them from SMC?

Any help is appreciated as I don't want to permanently break my deployment.



Multicast only flows with ip igmp join-group command

Hi,

I'm facing an issue where we are working in a PIM/IGMP environment. We have a dedicated connection to our IPTV service provider (IP of the provider 10.200.37.2). The service provider has its own PIM network which we can't join. They have a passive PIM interface on that side. We also have the same setup on our side.

We can only join the stream when we do an ip igmp join-group <multicast address> on VLAN 150. In all the Cisco documentation they say that this is CPU processed (software switched); I don't see that in the CPU utilization (PRTG), but it's not the way to go? When joined, the stream will flow in our PIM environment to the clients. It also works if we do an IGMP helper (10.200.37.2) on the VLAN (VLAN 60) where the set-top boxes are running. In my opinion we wouldn't want all the client IGMP join traffic going to the provider. What if one STB leaves a group and another is watching the stream? Is the stream going to stop?

What can we do so this works without the ip igmp join-group under the interface? We are running a Cisco Catalyst C9300 stack.

interface Vlan150
description *** IPTV Provider ***
vrf forwarding IPTV
ip address 10.200.37.1 255.255.255.248
no ip redirects
ip pim neighbor-filter 10
ip pim passive
ip igmp join-group 224.0.252.126
ip igmp join-group 224.0.252.127
ip igmp join-group 224.0.252.128
etc
etc
etc
!
interface Vlan60
description *** Test VLAN to STBs ***
vrf forwarding IPTV
ip address 192.168.60.1 255.255.255.0
no ip redirects
ip pim sparse-mode
!
ip mroute vrf IPTV 0.0.0.0 0.0.0.0 10.200.37.2
!
ip pim vrf IPTV rp-address 10.200.37.2
!
access-list 10 deny any



Where would be the best place to find some Fiber optic 101 resources?

I have found some videos that do explain the cables along with the tips and what they are used for but I was hoping to find something a little more in depth. Thank you in advance!



Windows NPS and Eduroam Radius Profile For Aruba/Unifi Troubleshoot

We are setting up a new WiFi network at work (a school) that uses an ancient Aruba controller (with Aruba 105 APs) following the principles of eduroam listed here, and the RADIUS server is Windows NPS, again following the docs here.

Initially I copied the existing config we have got for our current wifi to no avail. The current network still works fine but no one can remember the details (and it is not in keeping with the BYOD route we are going down).

I have consistently been getting an error message of "authentication failed due to user credentials mismatch" (error 16, Event 6273) which most people have suggested through various forums means that the AP's shared secret does not match - I have checked this more than once and it does! Additionally I have checked the obvious account user/pass and again it is correct.

In order to try and diagnose the problem further I brought in some of my UniFi gear from home and spun up a completely fresh DC/CA/NPS server in a test environment. Same error, but this time I have also installed Wireshark.

If I "accept users without validating credentials" in the CRP then NPS returns an access-accept response, but the client is still unable to connect to the network (client reports dot1X timeout followed by operation was cancelled/server reports success) - this leads me to think it is something wrong client side?

Then if I switch the CRP to authenticate on this server (client reports explicit EAP failure received followed by network is not available/server sends a string of access-request/challenge immediately before access-reject), presumably this means that it is waiting for correct verification from the client?

CRP settings are:

  • Conditions
  1. NAS port Type - Wireless Other or 802.11
  2. Username - .+@schooldomain\.org\.uk$
  • Settings
  1. Authentication Provider - Local Computer
  2. Manipulation attribute rules - Replace "@schooldomain\.org\.uk$" with "@schooldomain.local"
  3. Target - User Name
  4. Override Auth - Disabled

Network Policy settings are:

  • Conditions
  1. NAS Port Type - Wireless
  2. User Groups - SchoolDomain\Eduroam
  • Settings
  1. EAP Config - Configured (PEAP with secured password EAP-MS-CHAPv2)
  2. Ignore Dial-In Properties
  3. Grant Access
  4. Client is supplied an IP
  5. Tunnel Medium 802/Type VLAN/Tunnel-ID 66
  6. Encryption Enabled

So I have been battling with this for several weeks now and banging my head against a wall would be more productive...

Anyone got any pointers?