Saturday, January 11, 2020

Pleb question about VPN Killswitch

I'm trying to set up what's called a "manual" killswitch which results in my internet becoming inaccessible if my VPN connection drops.

I've tried the method of going into cmd and removing the default gateway after connecting to the VPN, but it ends up just killing my whole connection.

My setup: PC, Win 10 and I connect to the Internet via a wi-fi router. My VPN uses the OpenVPN protocol but other protocols are also available in certain server locations.

My "route print".

https://snipboard.io/L09Pan.jpg
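An added example, not part of the post above: a route-table check for a VPN kill switch, written in Python rather than as raw netsh commands so the decision logic can be read and tested. It parses the IPv4 section of `route print`, works out which interface actually carries default traffic (Windows picks the longest prefix, then the lowest metric), and returns the Windows Firewall rules a firewall-based kill switch would apply instead of editing routes. It assumes OpenVPN's `redirect-gateway def1` behaviour (two /1 routes via the tunnel while the original default stays), a 10.8.0.0/24 tunnel subnet and a VPN server at 203.0.113.10; the sample table is constructed, not the poster's screenshot.

```python
"""Route-table check for a VPN kill switch on Windows 10 with OpenVPN.

Added example, not from the post.  Assumes OpenVPN `redirect-gateway def1`
(two /1 routes via the tunnel, original default left in place), a 10.8.0.0/24
tunnel subnet and a VPN server at 203.0.113.10; all three are assumptions."""
import re
import subprocess
import sys
from ipaddress import IPv4Address, IPv4Network
from typing import List, NamedTuple, Optional

# Constructed `route print -4` output for the VPN-up case (not real data).
SAMPLE_VPN_UP = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     50
          0.0.0.0        128.0.0.0         10.8.0.1         10.8.0.6     35
         10.8.0.0    255.255.255.0          On-link         10.8.0.6    291
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    331
        128.0.0.0        128.0.0.0         10.8.0.1         10.8.0.6     35
      192.168.1.0    255.255.255.0          On-link     192.168.1.50    306
     203.0.113.10  255.255.255.255      192.168.1.1     192.168.1.50     50
===========================================================================
"""
# Same table after the VPN client exits and withdraws its routes.
SAMPLE_VPN_DOWN = "\n".join(
    l for l in SAMPLE_VPN_UP.splitlines() if "10.8.0." not in l and "203.0.113.10" not in l)

class Route(NamedTuple):
    network: IPv4Network
    gateway: str            # next hop, or "On-link"
    interface: IPv4Address  # address of the interface the route leaves on
    metric: int

_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_RE = re.compile(rf"^\s*{_IP}\s+{_IP}\s+(\S+)\s+{_IP}\s+(\d+)\s*$")

def parse_routes(text: str) -> List[Route]:
    """Keep only data rows; headers, rulers and the IPv6 section fail the regex."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append(Route(IPv4Network((dest, mask), strict=False), gw,
                                IPv4Address(iface), int(metric)))
    return routes

def best_route(routes: List[Route], addr: str) -> Optional[Route]:
    """Windows selection order: longest prefix, then lowest metric."""
    hits = [r for r in routes if IPv4Address(addr) in r.network]
    return max(hits, key=lambda r: (r.network.prefixlen, -r.metric), default=None)

def tunnel_carries_default(routes: List[Route], tunnel_net: str) -> bool:
    """True only if both /1 halves of the address space leave via the tunnel."""
    tun = IPv4Network(tunnel_net)
    for probe in ("8.8.8.8", "198.51.100.1"):   # one address in each half
        r = best_route(routes, probe)
        if r is None or r.interface not in tun:
            return False
    return True

def killswitch_commands(vpn_server: str, tunnel_net: str) -> List[List[str]]:
    """Firewall-based kill switch: default-deny outbound on every profile, then
    permit only the OpenVPN session to the server, packets sourced from the
    tunnel subnet, and DHCP so the wi-fi lease can renew.  The route table is
    never touched, so the tunnel keeps working and everything else is blocked
    the moment it drops."""
    add = ["netsh", "advfirewall", "firewall", "add", "rule"]
    return [
        ["netsh", "advfirewall", "set", "allprofiles", "firewallpolicy",
         "blockinbound,blockoutbound"],
        add + ["name=ks-vpn-server", "dir=out", "action=allow", f"remoteip={vpn_server}"],
        add + ["name=ks-tunnel", "dir=out", "action=allow", f"localip={tunnel_net}"],
        add + ["name=ks-dhcp", "dir=out", "action=allow", "protocol=udp", "remoteport=67"],
    ]

def revert_commands() -> List[List[str]]:
    """Restore the Windows default of allowing all outbound traffic."""
    return [["netsh", "advfirewall", "set", "allprofiles", "firewallpolicy",
             "blockinbound,allowoutbound"]]

if __name__ == "__main__":
    text = (subprocess.run(["route", "print", "-4"], capture_output=True, text=True).stdout
            if sys.platform == "win32" else SAMPLE_VPN_UP)
    print("tunnel carries default route:", tunnel_carries_default(parse_routes(text), "10.8.0.0/24"))
    for cmd in killswitch_commands("203.0.113.10", "10.8.0.0/24"):
        print(" ".join(cmd))   # apply with subprocess.run(cmd, check=True) from an admin shell
```

The rules are printed rather than executed; run them from an elevated prompt once the tunnel check says the VPN is up, and run `revert_commands()` to get outbound access back when you stop using the VPN.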



This box of Cat-6 has a bare copper wire on wht/blu pair! WTF?

Network admin here, have never seen anything like this, wondering if anyone here has. Ran some wire, started to strip ends to punch a patch panel and noticed that on the white/blue pair, the white jacket is missing, it is bare copper. It is not clear/transparent, it just looks like the machine ran out of material or someone forgot to load material during manufacturing. The orange, green, brown pair conductors all have insulating material, no exposed copper. The blue-blue of the white blue pair is covered in blue material as you would expect.

Pic: [Cat-6 with bare copper conductor on wht/blu pair!] https://i.imgur.com/EJ33tOK.jpg

Can/should I even punch these runs down or re-run all new cable? Not too concerned about the keystone jack station side, but worried about the patch panel side since more length is visible and close to other adjacent wires on the back of the patch panel. I know PoE doesn't run on that pair, but I believe data does for Gigabit Ethernet.

The box of wire is Cordata Labs (a Superior Essex brand, made in USA) Cat-6 sold at Graybar. Emailed their support asking if this is a QC issue, but it is the weekend so probably won't hear back until Monday if at all. Other boxes of Cordata Cat-6 cable bought that day are ok, the conductors have white and blue on them as they should.

Thank you, Squelchtone



Cost to have companies install fiber cables to your house? att, Verizon etc?

So in a year and a half I'm forced to move to a shithole city and they have a company that provides fiber in that area but only to a microscopic amount of people. I tried asking them but they said we need an exact address to give you a cost, and since it is far away I obviously don't have an address yet. I saw people saying hundreds of thousands of dollars which doesn't seem correct. Have there been any people who have had it done from big companies like the above?



anyone have an arin /24 for sale?

looking for a /24, arin based.
Checking the usual places, but there have been several here in the past that have had some for sale.



Reusing someone else's sonicwall tz 300 or a used sophos?

My question is can you repurpose a SonicWall TZ300 that a previous business used? It's not bound to anyone's business by license, correct? Also the same questions about Sophos firewalls.

I understand I'd need to purchase new licenses through sonicwall for these.

I'm just wondering if I can just do a factory reset and re register the new license with a new business.

Does anyone know if that will work?



Notifications not always working on Wix...

I'm not a network professional, so bear with me...

My wife had a website built for her new business venture (travel agency). Whenever someone visits her site, she gets a notification on her phone via the Wix app that there is a visitor and their location. She's always excitedly telling me whenever she gets visitors from other countries... So one night while we're lying in bed I decided to mess with her a little, I fired up the ExpressVPN app on my iPhone, set my location to Germany, and browsed to her site... almost immediately she got a notification of a visitor from Germany. Then I changed to another country, closed Safari and re-visited her site.... no notification... I repeated this with several different locations, but she never got another notification of a visitor...

I went to "whatsmyip.org" and verified that my IP changed when I changed locations in ExpressVPN, and it did. I also have a static IP from my provider, and none of the IP addresses reported by "whatsmyip" were my address... I'm trying to understand why this alert feature wasn't working? Is there somehow a cookie keeping track so my subsequent visits to her site don't look like new visits? Wouldn't this defeat the purpose of a VPN? TIA...



Does anyone else think QUIC is stupid?

The ability to continue a connection after switching networks is really cool, but everything else seems like just a reimplementation of TCP. Whatever benefits you might get by combining encryption with transport will get cancelled out by adding the overhead of UDP+QUIC. If applications have to integrate stream prioritization themselves, they may as well implement the actual prioritization themselves from a compatibility standpoint.

Am I missing something here? I’m baffled that the IETF would consider using it, let alone making it the basis for HTTP/3.



Fail over protocols, suggest

Hi all, I'm wondering where I should look to build up a suite of fail-over protocols to use on my custom networking stack. Do I look at the RFCs or is this kind of thing solved with scripting? Thanks in advance.



Make separate Wifi and ethernet from dorm wifi?

I currently live in a dorm and we have free wifi that we can use. I need ethernet cable connection for a device. I've been told that I can achieve this with a travel router or other kind of bridge. Could I get confirmation that this is possible?

Also, can I create my own network from that dorm wifi in a way that the original wifi only sees the router as a client of the network and then I can connect devices to a different IP address that the router provides? And if I can, can I also connect devices with ethernet cables to the router that will be part of my own network?



IPSEC site to site connection- PFsense

Hello Everyone,

I am a student of Networking and System Security, and I'm trying to establish a connection between an Ubuntu client and a webserver on different LANs.

PC1 on LAN1 has to connect to Webserver2 on LAN2
PC2 on LAN2 has to connect to Webserver1 on LAN1

They are all in the same WAN network

All encryption parameters and other stuff are the same. I've managed to connect PC1 to PC2 but not to the webservers.

I've been struggling with this for a few days so I had to come to reddit hoping for a shred of light.

Thank you for any help.

Imgur of the sketch to help understand http://imgur.com/gallery/AxjRjaY



QSFP 100G transceivers, could they be hacked to be used with PCIe v4 ?

I am toying with an idea of connecting several machines through PCIev4 interface.

There are cables for this kind of stuff (mainly from the Bitcoin etc crowd), but those are short. There are also PCIe bridge cards that communicate through fiber up to a couple of hundred metres, but those are hard to get and cost a fortune.

So i thought about using active QSFP modules, that should be able to transfer 4 pairs bidirectionally.

QSFP-100 should be good for 2GBit per pair, which should cover PCIe v4 nicely.

So my question is - is there an obstacle that would prevent me from doing so ?

Do these things sample I/O signals and demand that they be properly clocked ( and at the right rate etc) or do they simply transfer signal that they get, possibly in digital form ?

They do have 4 Rx/Tx pairs, so in theory I should be able to transfer PCIe x4...



HPE VLAN Tagged query

I've taken over a poorly managed network which is suffering from issues. I've remediated the majority of issues including VoIP call complaints by implementing QoS / moving trunk ports from 100Mb to 1000Mb uplinks (fibre modules will be next) but have a VLAN question.

The network consists of 9 Edge switches, we have multiple VLANs but one VLAN in question is our server vlan, id 1. Every single client port, (400 end users) is carrying this vlan1 data as tagged down their switch ports.

They don't need to receive this data as they're clients but I'm curious to know would this be causing broadcast / network congestion across the network?



WinMTR for UDP

I'm using WinMTR and it appears that it's strictly a GUI version with no UDP MTR as would be available via the command line on Linux. Any work-around for this?



Guidance on VLAN setting

Dear everybody.

I would like to get some guidance from you all regarding how to create VLANs. I have a Fortigate firewall and I have created some VLAN DHCP routing. Is the firewall able to configure LAN port 1 as a trunk port?

Then I have Dell Switch N2048P, and I have no idea how to create vlan trunk/access as well.

Hope you guys can guide me, thanks!



I was offered a server for a trade and not really sure what i could do with it

Hey fellas,

I was offered a server as a trade for an item I'm selling and I was hoping you guys could give me a rundown on what exactly I could do with it haha. Coming from someone with almost zero networking experience, how long would it take me to actually make something happen with it? I'm intrigued by the prospect of trying it, but I'm worried I'll get it and be overwhelmed and it'll end up just sitting on my shelf. I'll list the specs he gave me below. Thanks for any feedback!

Specs:

Dell PowerEdge T620
2 - Intel Xeon E5-2620 6-Core CPUs
48GB RAM, 6 - 8GB RDIMM 1600MHz
PERC H310 RAID Adapter
4 - 600GB SAS 15K RPM HDs configured as RAID-10
Internal Dual SD Module with 2 - 2GB SD Cards
2 - Hot Plug Redundant 750W Power Supplies
8 - 3.5" Hot swap Drive Bays
DVD+/-RW SATA Drive



IPv6 only with rate-limited NAT64

I'm looking at deploying a network with IPv6-only and rate limiting IPv4/NAT64 to about 500KB/sec/client. When asked about it, I'll tell the client that the slow websites only have legacy IP addresses, and that they need to contact the provider. How are you helping to deploy IPv6 worldwide?



Private VXC Between Two Datacenters - How to Design?

We are utilizing the Megaport Service Exchange Product for connectivity into Azure and AWS and are planning to connect our two physical datacenters together with it also and drop the current site-to-site VPN connectivity.

They offer a VXC (virtual cross-connect) for this purpose, but it must be a unique tagged VLAN, cannot be an untagged VLAN, and cannot be a VLAN trunk.

I'm noodling through how to set this up and hoping someone can let me know if I'm on the right track.

Here is how we're currently configured:

Both datacenters have unique L3 subnets for each VLAN and their own gateway to the internet. The VXC is delivered straight to each switch via fiber. VLAN routing is done in our gateway/firewalls, not on the switch. (Hold over from initial set up 12+ years ago - if it ain't broke ...)

I'm thinking to make this work - just create a unique VLAN on the VXC, assign it a small subnet, give each gateway an IP on that subnet, add the VXC VLAN to the gateway trunk port, then add static routes at each end pointing to the gateway IP so the subnets at the other end will be accessible.

Does this make sense?



Friday, January 10, 2020

There is tectonic shift in network security coming with QUIC and TLS 1.3

https://news.ycombinator.com/item?id=19475986

Read this and other threads/articles recently. TLS 1.3 and QUIC basically break Palo Alto/Fortinet, etc in terms of HTTPS decrypt. And with traffic trending toward 100% encrypted, this basically means you can't see much.

Now, there are a few short and mid term options:

1) Rely more on DNS filtering and other "black list" type filters.

2) Block TLS 1.3 and QUIC from your corporate endpoints. For now this just causes a non disruptive fallback to TLS 1.2 and HTTP/TCP.

Long term... I think the answer will have to become that traffic decryption/inspection has to happen on EVERY NETWORK ENDPOINT. This means endpoints will need appropriate security software installed on them in high security corporate/government environments. So much for BYOD unless people are willing to install this software on personal devices.

One example I know of that is starting down this path is Sophos: https://community.sophos.com/kb/en-us/121607#What%20traffic%20is%20checked

Thoughts? Is this not really that big of a deal? Or is the modern NGFW dead in 5 years?
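An added example, not part of the post or the linked thread, showing concretely what a passive inspector can still read from a ClientHello once a client offers TLS 1.3, and the long-header check a UDP/443 filter would key on to recognise QUIC (the post's option 2). The ClientHello is constructed inside the block with random nonce bytes; the draft ESNI (0xffce) and ECH (0xfe0d) code points, the verdict labels and the helper names are this example's own.

```python
"""What a middlebox can still read once a client offers TLS 1.3.

Added example, not from the post.  Builds a ClientHello (constructed), parses
it the way a passive inspector would, and reports what is left to filter on.
ESNI (0xffce) and ECH (0xfe0d) code points are draft values, an assumption."""
import os
import struct
from typing import Dict, List, Optional

TLS13 = 0x0304
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B
EXT_ESNI, EXT_ECH = 0xFFCE, 0xFE0D

def _ext(etype: int, body: bytes) -> bytes:
    return struct.pack("!HH", etype, len(body)) + body

def build_client_hello(sni: str, versions: List[int], ciphers: List[int]) -> bytes:
    """TLS record + handshake framing around a ClientHello.  An empty
    `versions` list omits supported_versions, i.e. a TLS 1.2-style hello."""
    name = sni.encode()
    exts = _ext(EXT_SERVER_NAME, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    if versions:
        vs = b"".join(struct.pack("!H", v) for v in versions)
        exts += _ext(EXT_SUPPORTED_VERSIONS, struct.pack("!B", len(vs)) + vs)
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", 0x0303) + os.urandom(32)       # legacy_version, random
            + b"\x00"                                         # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                     # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # ContentType handshake

def parse_client_hello(rec: bytes) -> Dict:
    """Extract what is visible in cleartext: legacy version, SNI, offered
    versions (from supported_versions, where TLS 1.3 really lives), ciphers."""
    if len(rec) < 5 or rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    b = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy = struct.unpack("!H", b[:2])[0]
    p = 2 + 32                                   # skip random
    p += 1 + b[p]                                # session_id
    cs_len = struct.unpack("!H", b[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack("!H", b[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + b[p]                                # compression_methods
    info = {"legacy_version": legacy, "versions": [legacy], "sni": None,
            "ciphers": ciphers, "esni_or_ech": False}
    if p + 2 <= len(b):
        end = p + 2 + struct.unpack("!H", b[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", b[p:p + 4])
            data = b[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype == EXT_SERVER_NAME and len(data) >= 5:
                nlen = struct.unpack("!H", data[3:5])[0]
                info["sni"] = data[5:5 + nlen].decode("ascii", "replace")
            elif etype == EXT_SUPPORTED_VERSIONS and data:
                # legacy_version stays 0x0303; the real list is in this extension.
                info["versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                    for i in range(1, 1 + data[0], 2)]
            elif etype in (EXT_ESNI, EXT_ECH):
                info["esni_or_ech"] = True
    info["offers_tls13"] = TLS13 in info["versions"]
    return info

def inspection_verdict(info: Dict) -> str:
    """With TLS 1.3 the server's Certificate is encrypted, so the SNI is the
    last cleartext identity; with ESNI/ECH that is gone too and only DNS- and
    IP-based controls (the post's option 1) remain."""
    if info["esni_or_ech"]:
        return "opaque: no cleartext server identity"
    if info["offers_tls13"]:
        return f"sni-only: {info['sni']}"
    return f"full: {info['sni']}, certificate readable in the server's flight"

def quic_long_header_version(udp_payload: bytes) -> Optional[int]:
    """Version field of a QUIC long-header packet (Initial/Handshake/0-RTT/Retry),
    or None.  Drafts use 0xff0000xx, QUIC v1 is 0x00000001; a UDP/443 block
    rule needs nothing beyond this to recognise the protocol."""
    if len(udp_payload) < 5 or not udp_payload[0] & 0x80:
        return None
    return struct.unpack("!I", udp_payload[1:5])[0]
```

Run it over captured ClientHellos and the `sni-only` share is the fraction of your HTTPS traffic an NGFW can now classify only by hostname; `quic_long_header_version` on UDP/443 payloads is the match condition for the block rule in option 2.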



Netgear R7800 with Arris TM1602 Modem Question

I wanted to see if anyone could offer some good advice regarding an issue I'm having with modem and router mentioned in title.

Problem: If the router is ever rebooted (manually or accidentally from a power outage/settings change/etc), it will not reconnect with the Arris modem. The R7800 continues to work perfectly fine locally, but won't gain internet access UNLESS the modem is power cycled. Once the modem is power cycled, it resolves the issue.

This issue has persisted throughout my years of ownership with R7800 regardless of firmware version (Currently V1.0.2.68).

On the router log, all I see is this (when I power cycle modem):

[Internet connected] IP address: 24.162.***.***, Friday, January 10, 2020 22:20:50

[Internet connected] IP address: 192.168.100.20, Friday, January 10, 2020 22:20:04

[Internet connected] IP address: 192.168.100.20, Friday, January 10, 2020 22:19:54

[Internet connected] IP address: 192.168.100.20, Friday, January 10, 2020 22:19:43

I've done all the normal stuff (factory reset, changing cables, etc). The only thing I haven't done is test a different modem. However, I don't think changing modems would be necessary as I recently tested DD-WRT V3 Beta (Build 40559) on my R7800 and while on DD-WRT this problem went away. While on DD-WRT firmware I can make changes to the router and reboot it a thousand times and it will reconnect to the internet every time without having to power cycle the modem.

It's got me wondering if there is some kind of option within the stock Netgear firmware that's causing this since it performs exactly as it should on DD-WRT.

Any and all help is greatly appreciated.



Help with cabling

Hi all, I have a pair of Mellanox MCX353A-FCBT coming my way.

I want to setup a point to point (no switch) 40Gbe link between a workstation and server.

I was digging through documentation and came across this: https://www.mellanox.com/related-docs/prod_cables/PB_MC22061xx-00x_MC22071xx-0xx_MC22101xx-00x_MCP170L-F0xx_MCP1700-B0xxx_56Gbps_QSFP+_DAC.pdf

I am kinda confused about the description column.

Do some cables support VPI and Infiniband, and others support ethernet only?

For example:

MC2210126-005 Mellanox® passive copper cable, ETH 40GbE, 40Gb/s, QSFP, 5m

If I buy this and setup 40GbE can I not do infiniband with the same cable?

MC2207126-004 Mellanox® passive copper cable, VPI, up to 56 Gb/s, QSFP, 4m

If I buy this can I do ethernet via VPI but not infiniband?

MC2206125-007 Mellanox® passive copper cable, IB QDR, 40 Gb/s, QSFP, 7m

If I buy this am I relegated to only infiniband?

Thanks, and sorry if this is obvious... I am very new to the hardware here.



The most messed up topology.

Hey all,

I'm not going to describe the reasoning here, as it's not mine, but here goes:

I have an Elementary School with an HP 5406zl for a core. A separate site connected via an IDF running on older Cisco gear (Cat 3750/3560). Edge at the Elementary are HP 2920 (which is also how the separate core is connected - and worked before the following scenario). Admin decided to conform to Cisco, so they ordered 3 Cat 9200s for a new IDF during a site upgrade. Once that 9200 came online, the 3750 router went down. These two are not directly connected. This topology is making me nuts, and it's moving in the right direction, but I am hoping to find a bandaid in the meantime.

Rundown

HP 5306zl

vlan 18

name "3750G-12PS" < model

tagged C1-C8,C10-C24,D1-D8,F1-F8 < all those admin ports

ip address 10.18.0.1 255.255.255.0

ip helper-address 10.46.1.53

ip igmp

ip igmp forward C1-C24,D1-D8,F1-F8 < forwarding info

ip ospf 10.18.0.1 area backbone

exit

HP 2920 edge hosting 3750 router

interface A2

dhcp-snooping trust

arp-protect trust

name "Trunk to Cisco 3750G-12PS"

exit

Cisco 3750G-12PS

switchport trunk encapsulation dot1q

switchport mode trunk

ip dhcp snooping trust

ip arp inspection trust

Cisco C9200L-48P-4X

Added vlan 18 and interface 18 with no interface.

Switch is acting as an edge switch



In search for a Gigabit AP?

Hi Folks,

Currently I manage a small network of a handful of PCs and numerous wireless clients, for which I adopted a homebrew solution, a TP-Link AC2300, plus a couple of TP-Link EAP245 APs that have been working great so far, however their wireless throughput does max out at about 600Mbps (1350/2).

So now I'm looking for a reliable AP that can deliver 1Gbps, since we will soon be upgrading our circuit. Never been a fan of Ubiquiti, however their UAP-AC-HD looks promising @ 866Mbps (1,733/2) which is close, although on the pricier side. (I paid around $60 for the EAP245 on Amazon some time ago.)

Any other suggestions for a Gigabit AP ?

Thanks!



Switch Recommendation for my Infrastructure

So, I have a PA850 on the perimeter, and downstream into my datacenter (4 Hosts, 1 SAN 100 TB,...) our existing virtual to storage infrastructure is utilizing a Dell N4032F 10g, we wanted an easy backup solution in the event of a device failure.

One of my partners is quoting me about $10,000 (with modules + cables) for the same N4032F switch while, just as a second opinion (typically don't do that), another partner was asking me to think beyond Dell's networking and look at Arista. Not familiar with them at all. But when I checked, he might have a point. I am still learning my work in parts, so any input will help here.



Is it better to choose a less congested wifi channel that isn't one of the recommended channels or a recommended wifi channel even though it has more congestion?


Finally able to convert from static crypto-map based partial mesh to a Phase 3 DMVPN deployment. Is it worth it to go full IWAN?

All,

The company that I'm at has a network of around 100 sites ranging from one or two users up to several hundred. Around half of them have multiple internet circuits. Some are DIA fiber, some are business broadband, some are still freaking T1s.

The network is currently configured as a partial mesh of static crypto-maps (GRE over IPSec) with distribute lists everywhere making management a hassle, especially when the VoIP guys come up and ask for new tunnels to connect to other sites to trim the latency incurred by transiting a hub site. Hundreds of tunnels have been built over the years with no documentation about what connects to where. To say that it is a pain to manage is an understatement. I literally get angry every time I think about it. I haven't had to deal with a network like this since the late 90s/early 2000s.

All that being said, I have finally gotten approval to convert to DMVPN. A more current SD-WAN solution is out of the running due to budget constraints. I have to work with existing hardware, which is a mix of Cisco ISRs (some of which are too old for Viptela images) and ASRs. I'm kicking around the idea of going full-on IWAN to take advantage of the PfRv3/QoS/NBAR application based routing decisions. I'm just trying to determine if the juice is worth the squeeze.

I have been working with DMVPN since 2005 and I'm really comfortable with implementing and troubleshooting it. Not so much with PfRv3 though. I have it up and running in the lab, but that can only tell you so much. What are your thoughts, oh great ones of the internets?



Looking for recommendations on mobile site Internet connectivity options

We have 3 mobile offices that move around town regularly. These offices are occupied by 2-5 staff members. Currently, they're using CradlePoints to connect to Verizon's cell network for their Internet connection. However, there are some locations where Verizon has very poor coverage. It's the same story with AT&T. Other carriers are worse. Are there other alternatives I can explore that are more reliable? Thank you.



Error 691 on Windows 10

Hello, I get this error while creating new internet connection on my PC. It displays that login credentials are incorrect. However, I am entering correct login details.

Thanks for any help!



How to evaluate an ISP's peering / pick the "best" option?

My org has its own ASN and portable /24 from ARIN. Our HQ currently has two 1Gb circuits from two different providers (one is Spectrum, the other is a local regional provider that doesn't have much of a network outside our metro). We have 120+ remote sites that are all using Velocloud (SD-WAN). A decent chunk of those sites have Spectrum in at least one form (either coax or fiber DIA, sometimes both because there are no other alternatives as many sites are out in the middle of nowhere), so while we're not forced to use Spectrum, we do a lot of business with them and there are latency advantages.

The regional ISP has a relatively high cost and I'd already been considering replacing them. I was most recently being courted by Crown Castle. I don't know a ton about them, but I know they have a decent sized footprint as they own a lot of cell towers.

We are buying a different building and relocating HQ sometime this year. For various reasons, we prefer to continue to host in-house. Plus, the new HQ we are buying already has a massively overkill server room (raised floor, room-sized AC and UPS, generator, etc), the previous owner seemed to be using it as one of their own regional datacenters. The "new" building is already "on-net" with several ISPs; I don't have a full list yet but I know Crown Castle is one of them.

As previously mentioned, we will probably keep Spectrum as one of the ISPs, but I'm open to anything for the second pipe as long as I know the ISP is well-run and well-connected, and the price is competitive.

I just don't have any clue how to "evaluate" peering / connectivity, other than poking around in looking-glasses (which seem to be harder and harder to find these days) and running traceroutes to our most-used web apps. The main website we rely on is hosted out of Chicago but I don't know what datacenter or provider it is with. (We're slowly doing more with Azure / O365 but right now we just have a few toes in that water, Exchange is still 98% in-house.)

Is there any scenario where it makes more sense to get dark fiber / "private transit" from the building to a real datacenter, and then buy a single cross connect at that site to get "Internet"? This seems even more complicated since then I don't have a single entity to blame if I have problems with that "circuit".



Why don’t large cloud providers (AWS, Azure, GCP) design/build their own networking equipment?

My understanding is these companies build their own server/storage products (technically they design them and then ODMs build the actual products). Why don't they do the same thing with switches/routers instead of buying them from the Ciscos and Aristas of the world?

Is there something fundamentally more challenging about networking vs compute/storage equipment?



DHCP Server addresses me with my (former) IP after ipconfig release - how does it know?

Packet #61 - my client releases the IP Address 192.168.130.173

Packet #83 - my client renews the IP Address by sending a broadcast, trying to find the DHCP Server

Packet #85 - DHCP Server sends me the packet directly to my former Address, giving me the same address again.

I've only ever seen it like this:

client to broadcast: request
server to broadcast: ack

This trace is kinda different:

client to server: release
client to broadcast: discover
server to client: offer
client to broadcast: request
server to client: ack

I wonder why that's different.

Mainly: Why does the DHCP Server directly address me with my former IP, how does my PC accept it (if it has no IP, especially not the one previously used and released).

I understand that the Server does cache the mac-ip pair in case I want to re-use the address, but I specifically tell my (windows) PC to release it, I assume release does not mean "completely forget"?

I was trying to find out how ipconfig release actually works, but I couldn't find anything so far.
Here is the filtered trace, in case you wanna check it out: https://drive.google.com/file/d/1qZPQBg_lc80zwzJvPZkAu53yy6uySOt4/view?usp=sharing
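An added example, not the poster's capture: a DHCP decoder together with the RFC 2131 section 4.1 rule that decides where a server sends its OFFER/ACK. The DISCOVER and ACK it builds are constructed to match the shape described above (ciaddr zero, BROADCAST flag clear, same xid); the MAC and addresses are made up.

```python
"""DHCP decoder plus the RFC 2131 rule for where a server sends OFFER/ACK.

Added example, not the poster's capture.  Messages below are constructed."""
import struct
from ipaddress import IPv4Address
from typing import Dict, NamedTuple, Optional, Tuple

MAGIC = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte header; options follow the cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}

class Dhcp(NamedTuple):
    op: int
    xid: int
    broadcast: bool       # the BROADCAST bit in flags
    ciaddr: str           # client's current address, if it has one
    yiaddr: str           # "your" address: what the server is handing out
    giaddr: str           # relay agent address
    chaddr: str           # client hardware address
    msg_type: str
    options: Dict[int, bytes]

def build(op: int, xid: int, *, broadcast: bool = False, ciaddr: str = "0.0.0.0",
          yiaddr: str = "0.0.0.0", giaddr: str = "0.0.0.0", mac: str = "00:11:22:33:44:55",
          options: Optional[Dict[int, bytes]] = None) -> bytes:
    """Encode a minimal BOOTP/DHCP message (htype 1 = Ethernet, hlen 6)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000 if broadcast else 0,
                      IPv4Address(ciaddr).packed, IPv4Address(yiaddr).packed, b"\0" * 4,
                      IPv4Address(giaddr).packed, chaddr, b"\0" * 64, b"\0" * 128)
    opts = b"".join(bytes([code, len(val)]) + val for code, val in (options or {}).items())
    return hdr + MAGIC + opts + b"\xff"

def parse(data: bytes) -> Dhcp:
    f = struct.unpack(HDR, data[:236])
    if data[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, p = {}, 240
    while p < len(data) and data[p] != 0xFF:     # 0xff = end option
        if data[p] == 0:                          # pad option
            p += 1
            continue
        code, ln = data[p], data[p + 1]
        options[code] = data[p + 2:p + 2 + ln]
        p += 2 + ln
    mac = ":".join(f"{x:02x}" for x in f[11][:f[2]])
    mtype = MSG_TYPES.get(options.get(53, b"\0")[0], "?")
    return Dhcp(f[0], f[4], bool(f[6] & 0x8000), str(IPv4Address(f[7])),
                str(IPv4Address(f[8])), str(IPv4Address(f[10])), mac, mtype, options)

def reply_destination(req: Dhcp, yiaddr: str) -> Tuple[str, Optional[str], int]:
    """RFC 2131 section 4.1: (dest IP, dest MAC or None for ordinary ARP, UDP port)
    for the OFFER/ACK answering `req`, where `yiaddr` is the address on offer."""
    if req.giaddr != "0.0.0.0":
        return req.giaddr, None, 67               # arrived through a relay agent
    if req.ciaddr != "0.0.0.0":
        return req.ciaddr, None, 68               # client already holds the address (renew)
    if req.broadcast:
        return "255.255.255.255", "ff:ff:ff:ff:ff:ff", 68
    # BROADCAST bit clear: the server unicasts to yiaddr and puts chaddr in the
    # Ethernet header itself (no ARP; the client has no address yet).  A client
    # that clears the bit asserts it can receive such a datagram before the
    # address is configured, which the Windows client does.
    return yiaddr, req.chaddr, 68
```

That last branch is packet #85: the OFFER/ACK is addressed to the not-yet-configured 192.168.130.173 but framed to the client's MAC, so the client's DHCP code sees it without holding the IP. The earlier DHCPRELEASE is unicast to the server with ciaddr set (section 4.4.6), and section 4.3.1 has the server prefer the client's previous address when it is still free, which is why the next DISCOVER gets the same lease back.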



FlexConnect switchport config

I'm having a disagreement with a co-worker, he's saying that when using LWAPs in flexconnect mode the switchport needs to only be set as access on the AP management VLAN. To me this defies logic since it's not tunneling back to a controller, but doing local switching so I'm trying to explain to him that an AP port in FlexConnect environment needs to be a trunk, with a native vlan of AP management.

Can anyone elaborate further?



ASR920 and virtual interfaces (VPDN/L2TP)

I have a strange issue on a Cisco ASR920. I'm setting up a simple L2TP tunnel from a cheap CPE to the ASR920. The ASR920 has a connection to a radius server to authenticate the user as it comes in over the L2TP tunnel.

The L2TP tunnel connects and the user connects fine, I see the radius connection and the ASR920 builds the virtual-template.

If I check the routing table I can see the circuit as a connected route and if I check the CEF table I also see it attached. It has the correct IP issued by the radius server.

Finally if I try to ping the IP of the virtual-interface from the ASR920 then it pings fine.

So all looks great...however. If I try to ping the IP from outside of the ASR920 then it doesn't route it to the virtual interface.

In fact if I try to ping it from outside the ASR920 I get a TTL expired as the packet gets to the ASR920 and then it hits its default route, sending the packet back out the same WAN interface the packet came in on, and round and round it goes.

For some very odd reason if a packet destined to the virtual-circuit comes in from outside the ASR it doesn't seem to use the routing-table or CEF table to route it to the virtual-interface despite it being present on both?

Now I've used the same setup on a few different Cisco ISRs and it works fine on all of them. I've also now tried three different IOS versions on the ASR920 to try and resolve the issue as it does seem like a bug.

My next step is to open a TAC case but I just wanted to see if anyone has seen a similar issue before I do so.

Thanks



Tying incompatible SD-WANs, with AWS large usage needs, via AWS TGW (with all new features available)

This is less of a question on who may have some experience in this area (although such would be highly appreciated), as much as a sanity check, maybe stemming from not enough understanding on how some of these pieces could function together, but still seeing an opportunity in it.

Details: merger btw two different organizations, each with its own SD-WAN solution, one having a heavy on-prem hosting presence, combined with AWS hosting, on path to a multi-year migration from on-prem to AWS activity, while the other having largely AWS hosted stuff, plus some other SaaS, and both having either DXs or VPNs, tied into their own SD-WANs, in diff parts of the world. Little needs to have the two networks "see" each other (critical point in what follows)

Options:

  • migrate the smaller footprint SD-WAN technology into the bigger SD-WAN (rip and replace), for universality of solution, for global traffic management, even if not necessarily fully meshed (possible through either SD-WAN solution policy)

or

  • use AWS TGWs to "tie" the two SD-WANs together, with common legs into TWGs, maybe in different regions. This is the alternative I need to do more research on, but feels more flexible, for such events (M&As, followed by integration). Do you see anything wrong with this? Traffic patterns and evaluation of associated costs, if to end up with a lot more traffic across AWS, will definitely be conducted, but it "feels" like with some independence between the two organizations, as limited access needs btw on-prem A to on-prem B (except for integrating management, of course, until all this is also AWS hosted), this may not end up in such a bad situation.


Fortinet API

Can anyone please link or PM me some API documentation for FortiOS v.6.2.x? That would be great.

I have neither the time nor the patience to pander to their mafia-like affiliation scheme.



Check_MK & Cisco SG 500 switches

Hi,

Does anyone have experience with Check_MK snmp reading cisco small business switches? ( SG 500 model)

The problem I have is the switch will choke (CPU 90+ %) and check_mk services will go stale

I can sort of resolve it if I limit check_mk to a certain amount of interfaces it can monitor, but CPU utilization of the switch will be around 30% all the time where it normally is 6%

I tried:

-snmpv1 (bulk walk disabled)

-snmpv2

-snmpv3

I also tried different snmp views

-cisco-mib

-default

-custom-view

Our current monitoring system (whatsupgold) does not have any issues with snmp reading the SG 500

any help would be much appreciated



Safe to disable IPV6 on PFSENSE?

...on the WAN side. IPV6 is only really needed on external networks. This means non-private and external beyond higher level IPs correct?



Thursday, January 9, 2020

3 User PCs have slow wired internet, plug cable in laptop and I get 3x the speed - HELP PLEASE!

Hello,

I am about to graduate from WGU with a BNOS Degree. I started a new IT Manager job for a small company; I am the IT manager but I also do all the IT work as well. I am having an issue with 3 computers that have a slow internet speed on a wired network. They are getting between 10 and 30 Mbps when other computers are getting 80 to 100 (100 is our service level). I can't figure out what is slowing them down. I have checked the duplex settings which are fine. They have 1000Mb NICs.

The PCs are fairly new and they are all connected to a 1 gig unmanaged switch that leads back to the router.

Any Idea would be so helpful.



RSTP and STP edge port vs portfast

Hey guys,

I work for a company and we setup a bunch of switches. I used RSTP Edgeport bpdu guard. I was assuming that the edgeport part of that line would enable port fast but it didn’t.

Now I know that if I enable spanning-tree portfast my port will begin forwarding immediately, but I'm confused.

What if or can I, add rstp edge port command by itself? So like this:

RSTP edge port
RSTP edge port BPDU guard

Or:

Spanning tree portfast
RSTP edge port BPDU guard

I was under the impression that RSTP replaces STP, but from my previous posts on this thread it seems STP portfast is still required... am I correct?



Velocloud PtP/PtMP Circuits?

My company is looking at Velocloud for SD-WAN, and we have a lot of sites which are daisy chained together via PtP wireless links. Many of the critical sites have dedicated internet links for backup but due to the rural locations most of the time the best bandwidth and performance is via the wireless backhaul to one of our main aggregate sites.

So far I can’t get a clear answer on how Velocloud would handle these types of scenarios, we are trying to get a lab up and running but it seems like there should be a guide for non-traditional WAN topologies? We don’t have MPLS just lots of PtP/PtMP and Internet.

Does anyone have experience with Velocloud and PtP or PtMP circuits mixed with Internet links?

Any thoughts or guidance is appreciated.



What does a GOOD network look like?

Hey everyone,

So, for whatever reason, the gods have seen fit that I'm sort of "in charge" of our enterprise network. We use Juniper gear for our switches and firewall (SRX340 for firewall, EX3400 for Core, and EX2200 for Access) and Unifi for our wireless access points. We have about 530 employees, but only about 400 in office with the rest being remote. Nothing really on-prem as we're basically a zero-trust network.

Does anyone have any best practices for an enterprise network like this? Any configurations that NEED to be set up on our switches or firewall? Is there some magic list somewhere that tells me what I should be doing?

Anyways, any feedback or advice would be rad.

Thanks all.



Generating "interesting" traffic on Cisco cellular with IPSec??

I have a remote Cisco ISR that's using a public cellular APN to connect to an enterprise firewall via IPSec. The router is using IPSec for a majority of its connectivity, however I've had to add a script to the ISR without IPSec to generate interesting traffic (pinging Google DNS) to initiate and keep the Cellular alive. If I try to do this using the IPSec, then it seems the cellular doesn't see interesting traffic.

I've added all IPSec designated traffic to individual VRFs. The script is in the global routing table.

So I have three problems with this.

  1. It would be good to find out how to generate traffic for the cellular using the IPSec
  2. I am fairly certain I am leaving the Cisco ISR vulnerable to attack by not using IPSec for the script
  3. If I attempt to add an ACL to the cellular, it applies not only to the global routing table, but all the VRFs as well


AWS to ASA tunnel UP but not passing traffic

I have been beating my head against a wall for a little over a week now trying to set up an IPsec VPN tunnel between my Cisco ASA 5525 and an AWS VPC. The relevant show commands and logs show that phase one and two of the tunnel are up, and the show crypto ipsec sa shows my firewall encrypting packets, but I am not receiving anything.

I do not have access to the AWS end, but the tunnel portal shows up on the primary tunnel and down on the secondary (as expected, the other tunnel is secondary and only comes up when the primary goes down). AWS support claimed it saw traffic leaving the VPC tunnel gateway, but not receiving anything back from me.

Any help would be greatly appreciated.



Beginner issues with home lab

Hey all,

I'm looking to set up a home lab to get better with networking. My ISP at home is FiOS and I was able to take home from work an old Cisco 891F ISR. I've reset the cisco router and am using it essentially with default settings. Here is a picture of my current setup: https://imgur.com/a/Vmk0BMu

The issue I am having is some connectivity issues between the networks. I am assuming there is a routing problem but I'm not sure how to fix it. All hosts have internet access as I added ip route 0.0.0.0 0.0.0.0 192.168.1.1 to the Cisco router.

PC1 can ping 192.168.1.3, but not 10.1.1.1 or the server IP. Server1 can ping 192.168.1.1 but not the PC1 IP.

I also tried to add route 10.1.1.0 255.255.255.0 192.168.1.3 to the fios router, but that didn't seem to give me anything either.

Any help would be much appreciated. Thanks guys!



How do I report a backbone route issue

We have servers located in Germany, and one of our Canadian offices is having terrible speed issues accessing those servers. Further diagnosis indicates that there is some sort of upstream issue in the network path from the German servers to the specific ISP (Bell) in the Canadian office.

How do I get the attention of network engineers, or report this issue, instead of dealing with the small business tech support hell at the ISP level? Uploading FROM the DE servers TO the Canadian office is a crippling 10 Mbps, while the opposite direction works at gig speed.

Doing a traceroute, I suspect it's one of these (especially the bolded ones):

tcore4-montreal02_1-7-0-0.net.bell.ca [64.230.79.33]

tcore3-newyorkaa_hundredgige0-8-0-0.net.bell.ca [64.230.79.142]

bx10-newyork83_ae0.net.bell.ca [64.230.79.209]

ae9-0.nyk10.core-backbone.com [80.255.14.73]

ae10-2021.fra20.core-backbone.com [80.255.14.6]



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Tcpdump vlan from wan in edgerouter

So, my ISP delivers internet and iptv to me. Their normal setup is that you use port 1 for internet and port 2 for iptv.

Port 1 and 2 are located on the device that has the fiber connection, converting it. Usually you connect a router to port 1 to manage the network for the rest of the household, as the ISP usually only provides one IP address.

I know that port 1 delivers iptv hidden away in a vlan. For Telia it was 845 and it was really neat to just send that up to my vlan-aware switch by the tv and then separate internet and tv to the different devices compared to having cables all over the house.

Now to my problem, I want to do a tcpdump on that port 1 to see what vlans are hidden there.

I don’t seem to get my edgerouter to really see it using tcpdump on the interface connected to port 1.

Where is my mistake?

Regards Jonas



US CNAM for international numbers

If I was to register a caller name for a US number with the CNAM database, would calls to mobiles in other countries from this number also show the name, or would it only work for local US numbers?

Thanks.



Less than ideal LAN setup - untangling DHCP/wireless/network

I inherited a less than ideal network setup:

  • Class B network (10.10.1.1-10.10.10.254); Sonicwall Firewall
  • DHCP superscope - only 209 IPs available; 10.10.1.2-10.10.1.209; exclusions for some devices
  • Everything all on same flat network

They don't have much equipment (~250 systems), but with many laptops, personal phones, tablets, watches - we hit the DHCP limit often. They had the spreadsheet tracking IPs on different networks (10.10.5.x VMware/servers) - so I get what they were trying to do. Trying to get them to resubnet the network with proper /24 VLANs and subnets similar to my last employer setup.

My last employer we had /24 VLANs for everything, segmenting out DHCP on proper VLANs/subnets: workstations, wireless, printers, facilities equipment, security systems, etc. Servers were on a static VLAN, everything was planned out great.

My current place I inherited - DHCP is handled by the primary domain controller, so to move off the superscope I created /24 scopes on the secondary domain controller (10.10.195.x for internal DHCP wired, 10.10.196.x for guest wireless, 10.10.198.x for internal wireless). I know I need to implement VLAN tagging and IP helper, and am also working at getting the Dell/Aerohive firmware on our client switch stack. Aerohive has both DCs listed for DHCP, but only the first DC is handing out addresses.

Other thought/direction was to VLAN off the DHCP workstations, move them first to free up some IPs for wireless devices.

Ideally I'd also move the guest wireless to completely separate network, with no internal access. So DHCP off the Aerohive for guest wireless?

So I know where I'd like to get to, it's just getting there is the issues - looking for ideas where to start.

Thanks,

B



Have I been reading AS Path listings wrong this entire time?

I come from a Juniper background, and I remember in their books they declare BGP AS Paths as "The path to the route's source AS, declared "... 3rd 2nd 1st". The route "back"." or at least that's what's in my notes and that's based off of the JIR v18a course.

I'm at work looking at one of our homegrown tools and they declare them in the standard ASN ASN ASN ... syntax, but with the next(1st) hop, 2nd, 3rd, ... and I've been wondering... Has it always been like this? I might've misinterpreted the examples used in the books, it just occurred to me that they might've been using examples from the pov of another device that wasn't the source. It just makes more sense being left to right, unless I've just confused myself even more.
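The convention the post is puzzling over, as an added example that is not part of the original post: in a textual AS_PATH the leftmost ASN is the neighbour that handed you the route (the last AS to prepend itself) and the rightmost is the origin, so reading left to right follows the route back toward its source. The helper below parses a path string, reports both ends, counts prepending, and treats an AS_SET in braces as a single hop; the ASNs are constructed private-range values.

```python
import re


def parse_as_path(text):
    """Turn AS_PATH text such as '64500 64500 {64510 64520}' into a list whose
    items are ints (AS_SEQUENCE entries) or frozensets (an AS_SET)."""
    tokens = re.findall(r"\{[^}]*\}|\d+", text)
    path = []
    for tok in tokens:
        if tok.startswith("{"):
            path.append(frozenset(int(x) for x in tok.strip("{}").split()))
        else:
            path.append(int(tok))
    return path


def neighbor_as(path):
    """Leftmost entry: the AS that advertised the route to us (prepended last)."""
    return path[0]


def origin_as(path):
    """Rightmost entry: the AS that originated the prefix (prepended first)."""
    return path[-1]


def path_length(path):
    """Length as best-path selection counts it: every repeated ASN counts,
    an AS_SET counts as one entry."""
    return len(path)


def prepend_count(path):
    """How many times the neighbour repeated its own ASN at the front
    (1 means no prepending)."""
    first = path[0]
    n = 0
    for asn in path:
        if asn != first:
            break
        n += 1
    return n


def describe(path_text):
    """Summarise a path: who sent it, who originated it, and the order the
    route actually traversed (origin first, ending at the neighbour)."""
    path = parse_as_path(path_text)
    return {
        "neighbor": neighbor_as(path),
        "origin": origin_as(path),
        "length": path_length(path),
        "prepends": prepend_count(path) - 1,
        "route_traverses": path[::-1],
    }


if __name__ == "__main__":
    # Constructed path: the neighbour 64500 prepended itself twice.
    print(describe("64500 64500 64500 64510 64520"))
```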



Cisco wap571

Is there a way to have two different ISPs broadcast their SSIDs on one wireless access point? For example, AT&T has SSID blueclue and Comcast has SSID cathouse.

Can these separate networks be broadcasted on one wap?

Thank you.



Firewalls, what to choose when budgets are tight?

to follow up on my last thread of "I can't afford 9 firewalls, only 2 because budgets and I'd really-really like to replace all 9 at the same time..."

what is decent gear that's out there? I based my initial project on Fortigates, but it's simply unaffordable after budget-cuts. I currently have very very old ASAs, 5510 and 5505.

Most of my facilities have standard "business" cable internet, 75down/5up or something like that so almost any device will handle that, 2 of my locations have 200/20 service and may grow/have more, I'd like to future-proof those two devices with something stout (I know those are nothing in today's world, but the 5505 in that one location is struggling to not be a bottleneck there).

Feature-wise I need almost nothing, #1 need is site to site VPN, #2 would be a nice end-user VPN client for remote users, other than that I don't really need much other than stability/reliability. I would like to maybe one day buy into some IPS/IDS/Malware protection but it's not critical and it always costs a subscription fee so it wouldn't be part of the year 1 anyway.

Sophos? Ubiquiti?

EDIT: What about Barracuda firewalls? I just (literally) learned they make some, lol, I had no clue..



VoIP Phone w/Two VLANs - Unable to ping data network

Hello!
I have a peculiar problem. I have a few Yealink phones with the desktop plugged into them. I have the phone tag the PC port VLAN 1 and the WAN port on VLAN 154 (phone vlan).

192.168.254.1/24 (VLAN 1 - DATA)
192.168.154.1/24 (VLAN 154 - PHONES)

I have two main switches (routers) that have all ports VLAN 1 untagged (pvid: 1) and tagged all ports VLAN 154 (pvid: 1) - I believe this is correct. I don't do port based tagging, just vlan setup on the phones.

The phone connects to the PBX just fine, and the desktop PC can ping anything on the .254 network. However, if the phone is plugged into a standard (non-router) switch, and that switch connects to the main router. I cannot ping ANYTHING on that small 5-port switch in the .254 network.

For example, I have a printer connected to a small 5-port switch, along with the phone/PC pair, and I cannot ping that printer. But if I move the printer to the main switch, I can ping it just fine.

Why is this? Is it because the "dumb" switch isn't VLAN aware, or doesn't have Layer-3 features? Excuse my ignorance, I'm still new to vlans.

Thanks for any direction!



ASA FirePower - Blocking Dropbox and the like (cross post)

Hi there!

Wondering if anyone could lend a hand here. I've been tasked with blocking traffic from file share apps such as Dropbox/GDrive/Box

https://imgur.com/yy71M0u

Link above is what my access rule looks like (added dropbox app, box and google drive to the list). I enabled the rule but am still able to freely upload/download files via Dropbox. I briefly read that I also need to configure SSL Decryption, but is there any other way around this?



Thoughts on this pingplotter screengrab?

Hello, I have been getting ridiculous packet loss for about a week and was wondering what anyone's thoughts are on this screenshot? I live in a condo and I play PC games like BF4 and Ark. I keep losing connection every 15-20 minutes intermittently. Not sure if it could be my neighbors doing something or what. Thank you.



ECMP for Internet Breaking Websites

I recently redesigned one of our largest campuses and deployed a new FTD appliance (yes, I know. I have plans to move to PA in the next 18-24 months). To give a better user experience, I changed their internet routing from corporate out circuit 1 and guest out circuit 2, to ECMP where both internet circuits are equal candidates for outbound internet routing. This mostly works and user experience has mostly improved in terms of bandwidth availability, however now we're having issues where certain websites do not work as they're supposed to. I have been able to resolve a few of these by adding static routes - Ultimate software, Ariba, and other applications that our HR dept uses that are locked to our specific static IP. But now, I've begun to get reports of other sites not working that are hosted on AWS and other CDNs. Even worse, it's only certain parts of these sites that don't work. For instance, Canvas (LMS that our training division uses) mostly works, but the file upload feature does not. I'm guessing there's an ancillary connection that it makes to some other cloud-hosted service that does not like ECMP. At this point, I'm kinda running out of ideas as to how to resolve this, and I'm even more scared to think that we will eventually be deploying SD-WAN here which may have the same problem. These internet circuits are business-class but because this site does not house one of our main data centers, we do not advertise our public address space to its carriers, so at any given point, any internet traffic can appear to be coming from 1 of 2 IP addresses.

Any advice that anyone can offer would be much appreciated. Thanks!
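Why per-flow ECMP makes a client appear from two public addresses, as an added example that is not part of the original post and not the FTD's own hashing: a load-sharing edge hashes each flow's 5-tuple, so two TCP connections from the same workstation to the same server, differing only in ephemeral source port, can leave via different circuits and therefore different NAT addresses. A static route pins one destination, but an application's ancillary host on a CDN keeps splitting. The hash below is a deliberately simple stand-in (vendors use a CRC or similar), and every address is a constructed documentation value.

```python
import ipaddress
from collections import Counter

# Two internet circuits on the edge, each NATing to its own public address
# (constructed documentation addresses, not the poster's).
EGRESS_IPS = ["203.0.113.1", "198.51.100.1"]


def flow_hash(src_ip, dst_ip, proto, src_port, dst_port):
    """Stand-in for a vendor's per-flow ECMP hash. Real implementations hash
    the 5-tuple with a CRC or similar; this arithmetic is kept predictable,
    but it shares the property that matters here: a different source port
    can land a flow on a different path."""
    s = int(ipaddress.ip_address(src_ip))
    d = int(ipaddress.ip_address(dst_ip))
    return (s + d + proto + src_port + dst_port) % len(EGRESS_IPS)


def egress_for(src_ip, dst_ip, proto, src_port, dst_port, pinned=None):
    """Public IP the flow leaves with. `pinned` maps destination networks
    to a fixed egress, modelling a per-destination static route."""
    if pinned:
        for net, ip in pinned.items():
            if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(net):
                return ip
    return EGRESS_IPS[flow_hash(src_ip, dst_ip, proto, src_port, dst_port)]


def egress_ips_seen(src_ip, dst_ip, ports, pinned=None):
    """Distinct public IPs one client presents to one HTTPS server across
    many TCP connections (one per ephemeral source port)."""
    return Counter(egress_for(src_ip, dst_ip, 6, p, 443, pinned) for p in ports)


EPHEMERAL = range(49152, 49152 + 40)


def demo():
    """Returns (unpinned app, pinned app, pinned-but-CDN) distinct egress counts."""
    user = "10.20.30.40"          # constructed internal workstation
    app = "192.0.2.50"            # constructed main application host
    cdn = "198.18.5.5"            # constructed ancillary upload host on a CDN
    unpinned_app = len(egress_ips_seen(user, app, EPHEMERAL))
    pinned = {"192.0.2.0/24": EGRESS_IPS[0]}   # static route for the app's block
    pinned_app = len(egress_ips_seen(user, app, EPHEMERAL, pinned))
    pinned_cdn = len(egress_ips_seen(user, cdn, EPHEMERAL, pinned))
    return unpinned_app, pinned_app, pinned_cdn


if __name__ == "__main__":
    print(demo())  # the CDN host still sees both public IPs
```

The practical reading: a server that ties a session to the client's source address sees the pinned application host work and the CDN-hosted helper fail, which matches the symptom of only part of a site breaking. Fixing it generally needs either source-address affinity (all flows from one client on one circuit) or advertising one address space over both circuits, not a static route per discovered host.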



Network Gear Vendors

Hi Networking sub,

I work for a MSP/ISP that has a few data centers I help manage. We are currently a Cisco shop using Nexus 9504 Spines, 9336 Leafs, and also 93120 leafs in NX-OS mode. We also have a few ASR 9000's for our MPLS WAN between facilities.

As of the last several months, we have had such a terrible experience with Cisco TAC support we have decided to evaluate other vendors that hopefully have better development cycles than Cisco. We have notifications of bug releases every day which is more than we're willing to tolerate at this point and we are told to upgrade every time we call in and that they don't have a specific bug ID or they just can't flat out figure out why our routers and switches suddenly stop forwarding traffic after a basic config change (such as deleting a vlan or changing a route metric).

The feature list we use is shown below as they will be required (or something comparable) for us to proceed with a new vendor ...

Switch Requirements

--

vPC (or MLAG as Arista calls it)

VXLAN

OSPFv2/3

BGP

VRF

LACP

VRRP

PIM/MSDP

Some flavor of PVST (We currently have to use MST which we don't like but must because of line card limitations)

Router requirements

--

MPLS (For both L2VPN and L3VPN) w/ TE

BGP (full internet tables)

OSPF

Rich QoS preferably with 6+ queues

BFD

We already have some Juniper gear that we are retiring so we would rather stay away from Juniper as well as our counterparts on the ISP side have been having fits with Juniper support as well. Any other vendors are game however and we will be requesting some demo gear to put in our lab before we actually pull the trigger on a fairly large order that will be all forklift upgrades.

We intend on evaluating Arista as they have a few switches that fit the roles of what we are doing today with the Nexus gear. We're open to other router vendors as well. What other vendors do you all recommend based on experience of using their gear in your network/data centers?

TIA,

max



ZeniMax Media is seeking an experienced Network Administrator to join our corporate Global Infrastructure Team based in our Rockville, MD office.



Cisco ACI Automation with Terraform.

Hello,

I am quite new to Terraform, using it for development environments on both AWS and Cisco ACI for the moment.

My main tool for Cisco ACI automation has been Ansible, but i have seen some added value in using Terraform for the ability to track the state of objects.

Now i am running into a problem that is very specific to the relation between Cisco ACI and Terraform. The .tf files are able to create the objects without any problems. In ACI terms this means that Terraform is able to create EPGs and Bridge Domains,....

But the relation between the objects is not created, so this means that and EPG will need a relation to Bridge Domain, however this relation is optional but for production it's really needed.

Also posted this in /r Terraform

resource "aci_bridge_domain" "webbd" {
  tenant_dn           = "${aci_tenant.default.id}"
  description         = "Bridge Domain for Webtier"
  name                = "bd_web_tier"
  annotation          = "webfrontend"
  arp_flood           = "no"
  ip_learning         = "yes"
  bridge_domain_type  = "default"
  unicast_route       = "yes"
  ep_move_detect_mode = "garp"
  relation_fv_rs_ctx  = "${aci_vrf.default.id}"
}

For example here i create a bridge domain as a resource for terraform, all the options work but for the "relation_fv_rs_ctx". This does not get applied.

This is the same for the EPG example:

resource "aci_application_epg" "web1" {
  application_profile_dn = "${aci_application_profile.web.id}"
  name                   = "web-frontend-tier"
  description            = "EPG for the front end web"
  annotation             = "webfrontend"
  flood_on_encap         = "disabled"
  prio                   = "unspecified"
  relation_fv_rs_bd      = "${aci_bridge_domain.webbd.id}"
}

Again the "relation_fv_rs_bd" is not called upon creation, however it looks properly defined.

When i perform a terraform plan i can see this:

  # aci_application_epg.web2 will be created
  + resource "aci_application_epg" "web2" {
      + annotation             = "webbackend"
      + application_profile_dn = (known after apply)
      + description            = "EPG for the backend end web"
      + exception_tag          = (known after apply)
      + flood_on_encap         = "disabled"
      + fwd_ctrl               = (known after apply)
      + has_mcast_source       = (known after apply)
      + id                     = (known after apply)
      + is_attr_based_e_pg     = (known after apply)
      + match_t                = (known after apply)
      + name                   = "web-backend-tier"
      + name_alias             = (known after apply)
      + pc_enf_pref            = (known after apply)
      + pref_gr_memb           = (known after apply)
      + prio                   = "unspecified"
      + relation_fv_rs_bd      = (known after apply)
      + shutdown               = (known after apply)
    }

So it looks like it is called, but not applied. That is for the relation between the EPG and the Bridge Domain.

Same issue for linking an L3Out with a Bridge Domain subnet:

resource "aci_subnet" "websubnet" {
  bridge_domain_dn                = "${aci_bridge_domain.webbd.id}"
  ip                              = "10.110.1.254/24"
  annotation                      = "webfrontend"
  scope                           = "public"
  virtual                         = "no"
  relation_fv_rs_bd_subnet_to_out = ["${aci_l3_outside.default.id}"]
}

Here it's a bit different also, because the resource expects a set of strings, so a list i presume.

Again in a plan:

  # aci_subnet.websubnet will be created
  + resource "aci_subnet" "websubnet" {
      + annotation                      = "webfrontend"
      + bridge_domain_dn                = (known after apply)
      + ctrl                            = (known after apply)
      + id                              = (known after apply)
      + ip                              = "10.110.1.254/24"
      + name_alias                      = (known after apply)
      + preferred                       = (known after apply)
      + relation_fv_rs_bd_subnet_to_out = (known after apply)
      + scope                           = "public"
      + virtual                         = "no"
    }

Basically something is wrong or I am doing something wrong (most likely the case). It really looks like I am missing something.

Cisco ACI itself will show me an error that the MO relation does not work and reverts to the relation with the common tenant object, and this is why Terraform itself will not throw an error.

Anyone with any ideas?



Are you using Ubiquiti in an Enterprise capacity? How has it been?

I work for a large global company and for a number of years we went with Meru throughout all of our buildings and for all those years have had nothing but problems. Meru telling us that these AP's would work fine in this situation, then coming back a year later and saying it would not work in that situation and the initial suggestion was inaccurate. On all new buildings, we finally transitioned to Meraki and they have been utterly fantastic.

The company recently sold and we're no longer forced to use one thing, if the price is good and it works, we can pretty much use it.

So, currently, we're having issues with WiFi at another location. It's either add more Meru AP's, or we can just replace with Meraki. So, either you spend the $600 (per AP) on adding Meru. The $800-1000 (per AP) on Meraki.

However, I was also looking at Ubiquiti, their top AP is $350. That would be huge savings if we replaced with those. However, it's not something we've tested and the general feelings from some at the company is that Ubiquiti is for SOHO. Yet, I visited a major University some time ago and their IT dept told me they had just switched to Ubiquiti campus wide and they felt it was the best decision they had made.



Enterprise Network Upgrade & Wifi 6

Good Morning Fellow Redditors~

Just wondering if anyone working in an enterprise setting can give me an idea what time of year businesses usually upgrade their network(s).

Also... how much infrastructure overhaul is needed to accommodate Wifi 6 implementation (and when do you think mass adoption will take place??

Thanks for reading~

Networking Newb~



VPN between my office and home

Hello everyone! I hope you are doing well :)

I’m trying to setup a VPN connection from my home to my office to be able to access devices from home at work and the vice versa. I don’t know much except that I need to establish some type of VPN connection between the two sites. If possible I would like to buy a VPN device for my home and business networks each that basically create that link with as little configuration as possible. If anyone could provide some ideas that would be greatly appreciated.

Thanks so much! James



eve-ng with Fail2ban to stop brute force attacks against the login page

hi everyone,

I want to use fail2ban with eve-ng to stop brute force attacks against the login page; however, I couldn't find any good tutorials or docs.

the fail login error generated by eve-ng is:

<SourceIP> - - [08/Jan/2020:21:47:03 +0300] "POST /api/auth/login HTTP/1.1" 400 423 "http://DistIP/"

under this dir

/opt/unetlab/data/Logs/access.txt

Note: i can't use VPN it's block at my company
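The detection logic fail2ban applies to a line like the one above, as an added example that is not part of the original post or of eve-ng: match failed POSTs to /api/auth/login (status 400), key them by source address, and trip a sliding-window threshold the way fail2ban's maxretry/findtime do. The log lines below are constructed in the same shape as the quoted one, with documentation-range addresses; the fail2ban filter pattern quoted in the comment is the equivalent of the Python regex and is an assumption about how one would write it, not an eve-ng-supplied filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /opt/unetlab/data/Logs/access.txt lines in the same
# shape as the one quoted in the post; the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2020:21:47:03 +0300] "POST /api/auth/login HTTP/1.1" 400 423 "http://192.0.2.10/"
203.0.113.7 - - [08/Jan/2020:21:47:05 +0300] "POST /api/auth/login HTTP/1.1" 400 423 "http://192.0.2.10/"
198.51.100.4 - - [08/Jan/2020:21:47:09 +0300] "POST /api/auth/login HTTP/1.1" 200 512 "http://192.0.2.10/"
203.0.113.7 - - [08/Jan/2020:21:47:11 +0300] "POST /api/auth/login HTTP/1.1" 400 423 "http://192.0.2.10/"
203.0.113.7 - - [08/Jan/2020:21:47:20 +0300] "GET /api/status HTTP/1.1" 200 88 "http://192.0.2.10/"
203.0.113.7 - - [08/Jan/2020:21:59:59 +0300] "POST /api/auth/login HTTP/1.1" 400 423 "http://192.0.2.10/"
198.51.100.4 - - [08/Jan/2020:22:10:00 +0300] "POST /api/auth/login HTTP/1.1" 400 423 "http://192.0.2.10/"
"""

# Python form of the match a fail2ban filter would use. In a filter.d/*.conf
# the same pattern is written with <HOST> in place of the (?P<ip>...) group:
#   failregex = ^<HOST> - - \[.*\] "POST /api/auth/login HTTP/1\.[01]" 400
FAIL_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "POST /api/auth/login HTTP/1\.[01]" 400 '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_failures(log_text):
    """Return [(ip, datetime)] for every failed-login line, in file order."""
    hits = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            hits.append((m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)))
    return hits


def count_failures(log_text):
    """Total failed logins per source IP, ignoring time."""
    counts = defaultdict(int)
    for ip, _ in parse_failures(log_text):
        counts[ip] += 1
    return dict(counts)


def find_offenders(log_text, maxretry=3, findtime=600):
    """Sliding-window rule like fail2ban's: an IP is banned once it reaches
    `maxretry` failures inside any `findtime`-second window.
    Returns {ip: timestamp at which the ban would trigger}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for ip, ts in parse_failures(log_text):
        if ip in banned:
            continue  # a banned source produces no further hits
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop failures that aged out of the window
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"would ban {ip} at {when.isoformat()}")
```

The status code is part of the match on purpose: the 200 line from the same endpoint is a successful login and must not count, and the GET to another path is unrelated. When wiring the real jail, point its logpath at the access.txt path above and verify the pattern with fail2ban-regex against a copy of the file before enabling the ban action.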



Wednesday, January 8, 2020

Looking for IPv6 route summarization tool

Cisco used to have a route summary tool (https://cway.cisco.com/tools/RouteSummary/) but it looks like it has been retired.

Does anyone have a copy of this tool or know of any online tool where I can summarize a bunch of IPv6 addresses?

thanks
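What such a tool computes, as an added example that is not part of the original post and not the retired Cisco tool: the smallest single prefix covering a set of IPv6 prefixes (widen the first prefix one bit at a time until all fit), the exact aggregate that merges only adjacent prefixes without claiming extra space, and how much address space the single summary over-advertises. It uses only the standard library's ipaddress module and works unchanged for IPv4; the prefixes are constructed documentation values.

```python
import ipaddress


def _nets(prefixes):
    """Parse prefixes and refuse a mix of address families."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    if len({n.version for n in nets}) != 1:
        raise ValueError("mix of IPv4 and IPv6 prefixes")
    return nets


def common_summary(prefixes):
    """Smallest single prefix that covers every input (may pull in unused space)."""
    nets = _nets(prefixes)
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # widen by one bit until everything fits
    return str(candidate)


def exact_aggregate(prefixes):
    """Merge only adjacent or overlapping prefixes, so nothing outside the
    inputs is covered; may return more than one prefix."""
    return [str(n) for n in ipaddress.collapse_addresses(_nets(prefixes))]


def overclaimed_addresses(prefixes):
    """Addresses the single summary would advertise that lie in no input prefix."""
    summary = ipaddress.ip_network(common_summary(prefixes))
    covered = sum(n.num_addresses
                  for n in ipaddress.collapse_addresses(_nets(prefixes)))
    return summary.num_addresses - covered


if __name__ == "__main__":
    # Constructed: three /64s that do not fill a /62.
    sample = ["2001:db8:0:1::/64", "2001:db8:0:2::/64", "2001:db8:0:3::/64"]
    print(common_summary(sample))       # one summary, with one unused /64
    print(exact_aggregate(sample))      # two prefixes, nothing extra
    print(overclaimed_addresses(sample) == 2 ** 64)
```

Both outputs matter when the summary is going to be advertised: a single covering prefix is shorter but attracts traffic for space you do not hold, so the over-claimed count is the figure to check before announcing it.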



MPLS vs Frame Relay

I just got started learning about networking, and I am reading up on WAN technologies. For some reason I cannot understand why MPLS is more efficient than Frame Relay. From what I understand, Frame Relay can send frames to its next hop based on a DLCI located in the header. MPLS seems to do the same thing but with labels, yet I have read that it is faster than Frame Relay. What is the difference and what are the advantages of using labels vs DLCIs?



Dangers of changing manufacturer field of MAC address

/r/Network/comments/em4qq3/dangers_of_changing_manufacturer_field_of_mac/

Access rules for SNMP/SSH on Virtual Cisco ASA

I am trying to set up some SNMP and SSH to one of our Virtual ASA's . I have SNMP enabled but it doesn't seem to work. We do start with a deny all access list and permit from there so I am wondering is there something I need to do to allow SNMP traffic to/from a collector??



looking for ideas about graduation project ( either SDN or mobile networks )

I did some digging in the past years' projects, and they cover 4G network topics very well, so I don't think the commission is going to take any other 4G projects. Thus I'm stuck with 5G topics, which is quite new. I did some searching and found an idea about 5G non-standalone and how a mobile operator can use the current EPC core and eNodeB for signaling and control while the 5G NR (or gNodeB) handles the data. The thing is I don't know what to do in the application chapter (emulation...).

About SDN, I'm interested in SD-WAN failover and how it compares to MPLS redundancy, but I don't know what tools to use to reach that because I can only emulate or simulate things.

so any ideas are appreciated

thanks



Does SNMP mode (v1, v2c, v3) have any effect on SNMP Traps?

Do SNMP modes (v1, v2c, v3) have any effect on SNMP traps?

I have a Cisco 3504 with all SNMP modes disabled (see screenshot) and it is still sending trap messages?

https://i.imgur.com/6TMbIQY.png

Are those settings only applicable for SNMP Queries/Pull?

Thanks



Assistance troubleshooting connectivity issues to as57335.

If you have access to a BGP speaking router and wouldn't mind lending a hand in troubleshooting some connectivity issues to as57335.net, please reply with the following:

show ip bgp 185.203.204.0/22 (or equivalent for your device)

show bgp ipv6 unicast 2a0c:d2c0::/32 (or equivalent for your device)

traceroute 185.203.207.10

traceroute 2a0c:d2c6::53:5:7335

Also if you have access to a unix machine in the same location as your router, please also:

$ dig @8.8.8.8 ns.as57335.net

Thank you for your help!



Site to site VPN between different brand firewalls, FortiNET and Cisco ASA?

I need to replace two of my firewalls, unfortunately I have 9 in total to connect 9 facilities but I cannot afford to replace them all... am I in for a shitshow if I replace the ASA 5505s in two of my main sites with Fortinets? I need the other 7 to have working site to site VPN to these two Fortinets afterwards (IPSec I suppose? I don't really care as long as it works and passes all traffic in-between :) )

On a side note my remaining ASA 5505s are very old , without smartnet and unpatched for years.. not my proudest moment, but it is what it is. Could that complicate things? (well lack of support might I guess)



Understanding Provider information

Trying to wrap my head around this, but what is the difference between:

  1. Network WAN IP
  2. Carrier WAN IP
  3. Customer WAN IP
  4. LAN Block

Please let me know if I am not understanding this

  1. This is the CE interface that faces the boundary device
  2. This is the PE interface facing the CE
  3. The interface facing the CE interface (can be the outside interface of either a fw or router/ boundary device that separates the LAN)
  4. I’m confused with this one.


Basic ASA question

So I'm a storage guy trying to help out while we're between IT guys. Currently, we have an ASA 5506 that has our LAN network 192.168.2.0/24 and our voip network 192.168.40.5/24 directly connected. I'm trying to get it so our local work stations can reach 192.168.40.5 the PBX so they can reach their voicemail GUI. I have them both set up as security level 100 and same-security-traffic permit inter-interface same-security-traffic permit intra-interface both set up. I'm still not able to ping 192.168.40.5 from the 192.168.2.0 network. I can ping it from the ASA. What else do I need to set up? Would I need NAT? Thanks ahead of time.



Employees say that an App is suddenly working slowly.

Hey everyone, first year in IT here at a small company (>100 people) a few employees have started to complain that an application they use is suddenly running slower than usual this week. I don't know how quickly the app should run, but I'm confident given that multiple people are now recognizing this drop in speed that there might be something going on. The employees are on site, using an accounting app on Windows 10 and when they connect it opens a remote desktop connection. My limited knowledge in IT gives me the idea that I should be able to monitor the traffic of the application somehow (the ports it's communicating across?) to see if there is some kind of an issue on our side. What kind of information do I need to gather and what tools can I use to start diagnosing this issue (assuming there is one.) Sorry if the question is kind of vague, I am still learning how to identify and diagnose issues like this.



Training worth taking in 2020?

My boss asked me to come up with a training plan for our 3 man networking team. We're a mostly cisco shop, with some F5 and Fortinet sprinkled in. We also handle outside plant fiber.

We're all at least CCNA level (coworkers both have their CCNP's), and I've already taken 2x ccnp courses last year to fill out the budget.

Any other good ideas for training? I was thinking MAYBE some fiber optics training on how to use an otdr so we can better manage some of our fiber rings and not rely on vendors?

Any other cool ideas? We usually go to Cisco Live yearly, but no other conferences other than that.



Wireless Access Point that doesn't need an IP

I'd like to replace one of my "dumb" Netgear 8 port switches with a wireless access point... Static IPs are used, and the Netgear switch is nice because it doesn't require setting an IP address. (IT has allocated a limited number of addresses I can use)

Is there a wireless access point that can be used similarly... Something where I can set the configuration via some kind of maintenance connection, but looks like an Ethernet switch to the network?



PSA Aruba Support Advisory: Instant Clusters cannot connect to Central after February 07, before version 8.6.0.2

Hey guys,

just a small reminder for anyone who has Aruba APs managed in Aruba Central and did not get the announcements from Aruba.

tl;dr: Upgrade your firmware to 8.6.0.2, 8.5.0.5, 8.4.0.6, 8.0.3.11, 6.5.4.15 or 6.4.4.8-4.2.4.16 (depending on your possibilities).

If not, IAPs can not establish a new connection to Central anymore and return to being a locally managed cluster.

WHAT HAPPENS IF …

If the affected customer deployments are NOT upgraded by Feb 07, 2020, then,

• IAPs will continue to provide client connectivity and forward traffic as designed. There is no impact to WLAN operation of the Instant cluster.

• Existing connection of IAPs with Central and AirWave will continue to remain as is after February 07, 2020. However, if that connection were to reset due to either a loss of Internet connectivity, a reboot of AirWave, or a reset of Central, the impacted versions of IAP will not be able to reestablish a new SSL connection back to the management platform. This issue only affects connectivity between IAP and management platforms.

CUSTOMER DEPLOYMENTS NOT AFFECTED

This issue does NOT affect the following Instant deployment scenarios with any IAP platforms.

• Airwave managed deployments using PSK-based device authentication

• Instant customers not using Central, Airwave, or Activate, but locally managing Instant clusters

• Future deployments of un-provisioned APs in factory-default state

• If un-provisioned APs in factory-default state are deployed in an environment that offers connection to the internet for the APs to reach Activate, then Activate will be able to force an upgrade to a software version with a fix for the issue over an unsecure channel. The upgraded APs will then come back online, set up a secure connection with Activate, and proceed to the next step that includes redirection to Aruba Central or AirWave successfully.

• If un-provisioned APs in factory-default state are deployed in an environment that offers no connection to Internet for the APs to reach Activate, then Activate will not be able to perform an upgrade of the APs automatically. In such cases, the customer must manually upgrade the APs to a software version with the fix, by either using AirWave with PSK based authentication or using local management option within the master AP of the Instant cluster.

• New controller-based AP deployments

• If Internet connection is available to the APs in a new controller-based deployment, the APs will still reach out to Activate and Activate will force an upgrade of the APs to a software version with the fix. After the upgrade, the APs will connect to the controller.

• If Internet connection is not available, the APs will still be able to connect to the controller.

ARUBA TECHNICAL ASSISTANCE CENTER

Should you require any assistance or clarification regarding this advisory, you can open a support case through the Aruba Support Portal at https://asp.arubanetworks.com. To call, please use the numbers found @ https://www.arubanetworks.com/support-services/contact-support/



ISE upgrade 2.3 to 2.6 - AD Join

Out of interest, has anyone done an ISE upgrade out there?

Did you have to re-join the devices? I'm just trying to get a feel for how likely this is. I'll have the account ready to go regardless.



Does each branch on an MPLS network have its own public IP?

Currently working with an enterprise customer who has an MPLS network and a bunch of different branch offices. I’m trying to understand their network topology for a large IP camera system we are quoting. The head of IT there says that none of the branch offices have a public IP address, and they only have one IP company wide at HQ and all of the branch offices are tied back to HQ over the Internet. Each branch has its own internet connections. How the heck can you have internet connection without a public IP? Is what he’s saying accurate? I would think every office at the least would have a dynamic IP, right?. I’m not very familiar with MPLS and have been doing my research to try to understand it to the best of my abilities, but have had no luck finding out about the IP question. Thanks for any help to further my understanding of MPLS!

Edit: thanks to all of the helpful and kind redditors, I understand how this all works and is setup. You learn something new every day! Thank you so much everyone!



Probably stupid BGP on Packet Tracer question

Hi everyone,

I have the following scenario -

HSRP1 router with 5 VLANs:

192.168.1.0/24

192.168.10.0/24

192.168.20.0/24

192.168.30.0/24

192.168.40.0/24

And this is connected to an ISP - both have BGP.

However, I cannot simply advertise network 192.168.0.0/16 - is this a limitation, or is this how it's supposed to be?

Or do I need to do additional configuration?

HSRP1:

router bgp 12345
 bgp log-neighbor-changes
 no synchronization
 neighbor 1.1.1.1 remote-as 1
 network 192.168.0.0 mask 255.255.0.0

Same thing if I try to set network 0.0.0.0 on the ISP router as a default route.

If I advertise the VLANs separately it's all good, but I was just wondering about a summarized network space.



Seeking simple multiwan VPN server hardware

Does anyone know of an easy to configure or off the shelf VPN hardware device which supports multi-WAN? I have a block of 5 IPs that I have ordered from my ISP. I want to set up a remote access VPN with each WAN IP assigned to a specific user. Users need access to the Internet only, no local resources. I don't want to use a 3rd party service for this. Can anyone recommend anything? Thanks!



Dell Force10 not accepting keyboard input via console connection.

Hi all. I received a Dell Force10 S25-01-GE-24T from a decom. I am able to connect to it via a console cable to do a factory reset, but it seems not to recognize any keyboard input. When it gets to the point where it says "Hit any key to break into BOOT_USER mode" I try, but nothing happens. I have also tried Ctrl-C and Ctrl-^. After it completely boots it will say that con0 is now available and "Press RETURN to get started", but it still won't accept any keyboard input, and eventually I get "Exec session is terminated for user on line console".

I have tried HyperTerminal and PuTTY using 9600 baud, 8 data bits, 1 stop bit, no parity or flow control. Any other settings that I have possibly missed? If I try different baud speeds, I just get garbage on the screen.

It is release 8.4.2.7

Currently it seems to work as a "dumb" switch since I cannot reset it in order to manage it.

Any assistance is appreciated.



Is Mikrotik a quality product?

It is famous for its low prices, but how good is Mikrotik when looking at it from the aspect of quality and reliability?



Spanning Tree advice with Juniper -> Cisco Switches.

We're currently planning the following, but I'm not familiar with employing STP protocols between Juniper and Cisco switches:

https://i.imgur.com/Ho2gcUW.png

Has anybody done similar and know which protocol would suit best for the above set-up?

Thanks in advance.



Old Cisco Press books - Free, you pay for shipping

Hey there,

I have a bunch of old Cisco Press networking books that are taking up space in my office, I would like to give them away. All I ask is that you pay for the shipping of whatever books you want and I will ship them to you.

If interested, DM me and reply to this indicating you've sent a DM. I will respond as soon as I can.

Below is a list of the books I have on offer:

Routing and Switching

Voice/Collab

Design/Miscellaneous



When the backhoe cometh

For anybody operating in a data center you have any control over, this scenario is near the top of “bad things that happen”. I only worked in a “physical” data center for three years before I moved to the cloud where backhoes can’t reach.

My stupid question is how does the ISP fix a situation where fiber to a data center has been destroyed by a careless backhoe? My understanding is you can’t just splice and rejoin fiber like you can copper. Do they have to re-trench and run fiber from the nearest junction?



MTU on IPSec tunnel (driving me nuts...)

Here is the scenario:

I have a DC connected to AWS using Direct Connect. The MTU on the Direct Connect link is currently configured as 8500 bytes. Now I want to run an IPsec tunnel (between a Cisco ASR1K and a CSR1Kv) over the Direct Connect link and, assuming I do not change the MTU on Direct Connect, what could be the MTU of the IPsec tunnel? Will it simply be "8500 - IPsec encapsulation header size"?

I am basically trying to figure out if there would be fragmentation and, if so, where it would be and whether the fragmentation would be pre-encryption or post-encryption.
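The size question in this post can be worked through directly: ESP tunnel-mode overhead is not a single constant because of cipher padding. The following is an added example, not code from the post; it assumes an IPv4 outer header without options, standard IV/ICV sizes for each named transform set, and a hypothetical `fragmentation_point` helper whose "tunnel MTU" is simply whatever is configured on the tunnel interface.

```python
"""Size an IPv4 ESP tunnel-mode packet and find the largest inner packet
that still fits a link MTU (added example; parameters are assumptions).
"""

OUTER_IPV4_HEADER = 20   # outer IP header added by tunnel mode
ESP_HEADER = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2          # pad length (1) + next header (1)
UDP_NAT_T = 8            # extra UDP header when NAT traversal is in use

# (iv_length, pad_alignment, icv_length) per transform set.
# AES-CBC pads to the 16-byte block; AES-GCM needs only 4-byte alignment.
SUITES = {
    "aes-cbc-hmac-sha1-96":    (16, 16, 12),
    "aes-cbc-hmac-sha256-128": (16, 16, 16),
    "aes-gcm-128-16":          (8, 4, 16),
}


def esp_padding(inner_len, align):
    """Padding bytes so that inner + padding + trailer is a multiple of align."""
    return (-(inner_len + ESP_TRAILER)) % align


def esp_packet_size(inner_len, suite, nat_t=False):
    """On-the-wire size of the ESP packet carrying an inner packet of inner_len bytes."""
    iv, align, icv = SUITES[suite]
    size = (OUTER_IPV4_HEADER + ESP_HEADER + iv
            + inner_len + esp_padding(inner_len, align) + ESP_TRAILER + icv)
    if nat_t:
        size += UDP_NAT_T
    return size


def max_inner_mtu(link_mtu, suite, nat_t=False):
    """Largest inner packet whose encrypted form still fits in link_mtu.
    Because of padding this is not simply link_mtu minus a constant."""
    inner = link_mtu
    while esp_packet_size(inner, suite, nat_t) > link_mtu:
        inner -= 1
    return inner


def fragmentation_point(inner_len, tunnel_mtu, link_mtu, suite, nat_t=False):
    """Hypothetical classifier for where a packet of inner_len gets fragmented:
    'pre-encryption'  - it exceeds the tunnel MTU, so the cleartext packet is
                        fragmented first and each piece encrypted (if DF allows);
    'post-encryption' - it fits the tunnel MTU but the encrypted result exceeds
                        the link MTU, so the ESP packet itself is fragmented;
    'none'            - it fits end to end."""
    if inner_len > tunnel_mtu:
        return "pre-encryption"
    if esp_packet_size(inner_len, suite, nat_t) > link_mtu:
        return "post-encryption"
    return "none"
```

For an 8500-byte link with AES-CBC/HMAC-SHA1 the largest inner packet that fits is 8430 bytes, not 8500 minus a fixed header size; with AES-GCM it is 8446.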



Dell Switch Dropping packets

Basically our setup is a Dell server and a Dell N3000 switch.

Server: Trunk connection to the switch, 2 x 1 Gb ports bonded (LACP/802.3ad). Two VLANs, one for internet (VLAN 10) and one for voice traffic (VLAN 20). VoIP softswitch installed on the server with two configured interfaces, one on VLAN 10 and one on VLAN 20.

Switch: We have 3 directly connected carriers that we receive from and relay VoIP to, each of them with 2 IP addresses, one for SIP and one for media, on their respective VLANs (excluding P2P IPs).

Our job is basically to receive traffic from carrier A and send to Carrier B or carrier C, depending on destination.

We have all necessary static routes configured and pings work, but when we push SIP traffic (UDP) to a destined carrier, it gets dropped on the switch (never progresses from VLAN 20). This happens with all connected carriers. I determined this with a packet trace.

The issue persisted until we set up policy-based routes on the switch. This fixed it, and also ruled out any firewall suspicion.

Weird behavior that still baffles me, and I'd like to know the root of it so it doesn't cause me problems in future.

Important to note that I am totally winging all of this, and any reply will be appreciated. Thanks



IT/tech show or conference in Europe

Looking for an IT/tech show or conference in Europe which is multivendor, where you can get certification training or meet tech guys from various network vendors. Any recommendations?



Tuesday, January 7, 2020

Aruba 7030 will not work with Cisco/Ruckus switches - but works fine with Unifi or pfSense x86 box?

tl;dr - Aruba 7030 does not work with Cisco/Ruckus switches - but works fine with a Unifi switch, or an x86 box with Intel NICs.

Our router is an x86 box running pfSense - the NICs are Intel I211-AT.

Our switch is a Cisco 3650-24PD, running IOS-XE 16.09.04.

We have an Aruba 7030 wireless controller.

For some reason, when we plug it into the Cisco switch, there is no LAN activity light for the Aruba 7030, and the device is not reachable (nor can it reach any other hosts).

Likewise, when we tried with a Ruckus 7150-C12P switch - the LAN activity light also stubbornly stayed off, and "show interfaces brief" seemed to indicate the interface was down.

However, this is the weird thing - when we plug the Aruba 7030 into either a Unifi switch (US-8-150W) or directly into the pfSense router, the LAN lights do start blinking, and the controller is reachable.

I'm completely dumbfounded - I even tried disabling PoE on the Ruckus for that port, but still no luck.

Any ideas what is going on?

(And the even weirder thing is - we have other networks with Aruba 7030 + Ruckus 7150-C12P, which seem to work fine).



Can iPad Pro replace Laptop in networking?

Has anyone replaced their laptop with an iPad Pro for work?

What apps and USB-C dongles do you use?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Is anyone using PoE lighting yet?

Is anyone using PoE lighting? Have you tried it? Are you using regular PoE switches or something special?



ACI alternatives from a security perspective

I suppose this could be an *Update* from my "Today I screwed up post"

So with this most recent outage a lot of eyes have been placed on ACI. We have had 3 outages in the last 6 months tied to ACI. The first was a bug in the upgrade process that caused a data center interruption that could have been far worse if it happened today. At the time we had only moved a handful of SVIs from our 7k into ACI. During the upgrade process all SVIs that were controlled by ACI failed, hence killing those networks during the upgrade process. Today we have close to 100 networks being controlled by ACI, which would be awful.

Our second outage with ACI caused our leafs to reboot at the same time due to a bug in the default configuration of how netflow is configured or rather not configured.

The third outage was my post from last week; this one fell squarely on me as I deleted the parent profile and not the specific child vPC profile. We are providing a feature request to Cisco in hopes that we can tag objects to prevent accidental deletion, similar to how you do it in AD with OU objects.

So on to my question: we have discussed internally quite a bit what benefits ACI has provided us, and at the moment we feel that from a traditional network perspective we would be better off running like we did pre-ACI. As a company our data center is just far too small to see the benefits; if we had dozens if not hundreds of leafs, ACI could be a real asset.

The big area we really felt ACI won on was from a security perspective. The idea of going to an application centric network with contracts built out specifically to control what traffic is allowed. Obviously the caveat here is getting to this point, and to be honest I do not see any easy way of taking an established network and beginning to lay contracts down on it without the high chance of causing some severe interruptions as we migrate towards it.

The question was posed to me: if we backed out of ACI and went back to a more traditional approach, how would we secure the data center? I guess that is the question I am hoping you all might have some insight into. Cisco is going to push us towards Tetration, which I am not opposed to, but I will not lie when I say I am a person that prefers a simplistic approach to a complicated one.

A firewall seems like an expensive alternative to ACI, but I could see how you would gain visibility that ACI does not provide out of the box. This would allow us to build out rules that start in monitoring and then slowly build into an actual firewall restricting traffic without interruption of services. Outside of a firewall, does anyone have any other suggestions, as I do not see that being a very well-liked suggestion?

I also wanted to thank everyone for their comments on the last thread, it really was helpful. I appreciate it everyone.

Thank you



MSP pushing Meraki hard. Want performance/cost ratio. What do you like?

Need:

  • 400 ports worth of switches, 8 x 48 or so over 3 offices

  • at least 2x 10G ports SFP+ ports each

  • trying to stay under $1600 per switch (this is the hard part)

  • Nothing too heavy lifting, it's zero compute, zero serious storage, just mainly users getting on the internet and local file shares. Not mission-critical applications, just annoyed users if there was a problem.

  • PoE, not even PoE+ required

Optionally:

  • L3, it can't really hurt.

  • cloud config as the MSP is remote

The MSP is a Meraki shop and we have the firewalls, but I just can't in good faith support Meraki's business model of renting the hardware you own, feature limiting it, charging premium+, and vendor lock in. Any more than one shady business tactic and I'm likely to avoid you.

My options are the Ubiquiti Gen2 line, maybe Ruckus has a cheapish option, HPE has non-Aruba branded, Cisco SG350X and maybe the 550X; I doubt there is anything Catalyst in my budget. IDK, Dell? Zyxel?

I'm just stuck. Buying (fucking) switches should not be this hard! It's not like I'm asking for the moon. It's not like any of them are doing advanced packet heuristics and security, they're switches.

I'm about to throw my hands up, but Ubiq Gen2, cloud keys, and have an on hand spare - 1/2 because they are a good deal and 1/2 because I'm mad at the MSP for making my life harder.

What do you like at my budget?



CheckPoint Firewall - VSX 80.10 xlate Port Higher than 65535

Hey all,

I am rather new to the Check Point platform, so I am learning slowly. I am familiar with FTD and ASA, so basically I have halfway decent firewall knowledge and now I am just trying to understand a new platform. We are having some intermittent connectivity issues to the point where users are experiencing websites that work sometimes and at other times don't. Basically all users are going through a proxy server, and that proxy server hands off to our Check Point VSX. The VSX has NAT set up, and the outside world perceives http/https coming from a single source.

What I am seeing in the logs is that occasionally I will see an Xlate NAT Source port with a value higher than 65535, and it seems to correlate to web requests that are having issues. I am seeing values in the Xlate NAT Source port of numbers like 65892 and 65734. These don't make sense to me, as ports higher than 65535 wouldn't be valid as a standard source port.

Does anyone have any thoughts on this behavior?



1:1 NAT on Mikrotik.

Hi guys, I am doing 1:1 NAT for the first time.

One of our customers has their own router behind ours. They have VPNs and similar stuff on it. I have absolutely no access to their router, and I only know their address through ARP.

I first tried this (1:1 mapping on that link):

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

The customer was able to create outbound connections but inbound traffic towards their router did not work.

I have then tried this:

https://wiki.mikrotik.com/wiki/How_to_link_Public_addresses_to_Local_ones

But as of this moment I have no idea if it works, as I don't know how to test this without access to the customer's router.



802.3bt forecast

I thought PoE+ would easily carry us through the next refresh cycle, given our vertical (K12) and how few devices even approach the 30 W limit. But just this week our camera installer dropped in some BT gear on an injector (270 degree camera w/ 3 integrated cameras), so now I'm second-guessing my assumptions.

Do you foresee a lot of demand for BT in the next 5-7 years, such that it makes sense to pay the premium for PSEs that support it? If you were refreshing your access layer in the next 12-18 months, would you include BT for all access switches in your list of requirements?



Aruba Certified Clearpass Associate study materials?

Anyone know of any materials out there to study for the ACCA exam? I've been searching for a few days now with little to no luck on any materials. I wanted to gain some knowledge about Clearpass before attending the Clearpass Essentials class in February. Is the Clearpass Essentials class the only way to be able to study for the exam? Any help is appreciated, thanks!



What can a (.Net) file do?

Can a (.net) file be used to take control of computers? Also can it be used in a malicious way?



Cisco Cat 4500-X - SNMP monitor L3 Glean traffic

Hi guys,

I struggle to find a solution for SNMP monitoring of a certain type of traffic that hits a Cat 4500-X CPU.

My aim is to monitor the L3 Glean traffic. The command I am using on the console is:

show platform cpu packet statistics

This outputs (snipped) something like this:

Packets Received by Packet Queue

Queue                  Total           5 sec avg 1 min avg 5 min avg 1 hour avg
---------------------- --------------- --------- --------- --------- ----------
Host Learning          46              0         0         0         0
L2 Control             186439          0         0         0         0
L3 Glean               1               0         0         0         0
Adj SameIf Fail        2898680         0         0         0         0
L2 router to CPU, 7    277613          3         0         0         0

I have searched several Cisco MIBs without success. How can I find the OID for the L3 Glean packets for the 5 sec and 1 min avg?

Thanks in advance!
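When no OID turns up, the fallback a monitoring job can use is to collect the CLI output and parse the queue table. The parser below is an added example, not the poster's code; the sample output is constructed from the snippet in the post, and the column order (Total, 5 sec avg, 1 min avg, 5 min avg, 1 hour avg) is assumed from it. Gathering the output from the switch (e.g. over SSH) is left to the collector.

```python
"""Parse the queue table from 'show platform cpu packet statistics' and
pull per-queue counters such as the L3 Glean averages (added example).
"""
import re

# Constructed sample, laid out as the CLI prints it. Assumption: fixed
# columns, and queue names may contain spaces and commas.
SAMPLE_OUTPUT = """\
Packets Received by Packet Queue

Queue                  Total           5 sec avg 1 min avg 5 min avg 1 hour avg
---------------------- --------------- --------- --------- --------- ----------
Host Learning          46              0         0         0         0
L2 Control             186439          0         0         0         0
L3 Glean               1               0         0         0         0
Adj SameIf Fail        2898680         0         0         0         0
L2 router to CPU, 7    277613          3         0         0         0
"""

COLUMNS = ("total", "avg_5s", "avg_1m", "avg_5m", "avg_1h")

# A data row is a queue name (anything, may contain spaces or commas)
# followed by exactly five integer fields at the end of the line. The
# non-greedy name group lets the trailing integers claim the numbers.
ROW_RE = re.compile(
    r"^(?P<queue>\S.*?)\s+" + r"\s+".join(r"(\d+)" for _ in COLUMNS) + r"\s*$"
)


def parse_packet_queues(text):
    """Return {queue_name: {column: int}} for every data row in the table.
    Header, title and dashed separator lines do not end in five integers,
    so the regex skips them without special-casing."""
    queues = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        values = [int(v) for v in m.groups()[1:]]
        queues[m.group("queue").strip()] = dict(zip(COLUMNS, values))
    return queues


def queue_counters(text, queue_name, *fields):
    """Return the requested fields for one queue, e.g. the L3 Glean 5 sec
    and 1 min averages. Raises KeyError if the queue or field is missing,
    so a poller fails loudly rather than silently reporting zero."""
    row = parse_packet_queues(text)[queue_name]
    return tuple(row[f] for f in fields)


def rate_alert(text, queue_name, field, threshold):
    """True when the chosen average for a queue exceeds the threshold;
    a simple check to run on each poll of the CLI output."""
    (value,) = queue_counters(text, queue_name, field)
    return value > threshold
```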



[Maybe Fortigate-Cisco specific] Disable BGP dynamic capabilities in Cisco, or upgrade router OS in Fortigate?

Been running into issues between Fortigate and Cisco routers "talking" BGP, due to the fact that Fortigate disables dynamic capability (see here, as well as the unrecognized capability code 70 len 0).

My Q: how critical are these dynamic capabilities, vs the risk we would take by upgrading to a new (6.0) version of Fortigate, which supposedly fixes this, but who knows what else it may bring along?



Question about public IP addresses

Hi everybody,

I'm asking something about public IP addresses provided by the ISP.

If you choose a range of IP addresses, how do the authentication and the delivery of DHCP work?

Thanks ;)



Terminology help / IP asks me to provide NAT destination address?

I am currently connected to the internet with a router that stands behind the router of my service provider. The router from service provider gives IP over DHCP to my router and all is fine. Their router has a public IP and I need to ask them to port forward to me.

As I want to remove the middle-man, I wanted them to provide me with IP, network and gateway to enter into my router which setting I have elsewhere.

They replied asking if I need a public IP for NAT-ing, but I don't know what that means.

Thanks!



Marking and policing

Hardware: VS-SUP2T-10G and WS-X6724-SFP

Topology: pc (192.168.5.10/24) <----> gi1/8 (C6800 192.168.5.1/24) <--> 0/0

Configurations:

object-group ip address some-group
 host-info 10.10.10.1
 192.168.0.0 255.255.0.0
ip access-list extended priority-traffic
 permit tcp any any eq domain
 permit udp any any eq domain
 permit icmp any any echo
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 permit ip any addrgroup some-group
ip access-list extended other-traffic
 permit ip any any
class-map priority-class-mark_in
 match access-group name priority-traffic
class-map other-class-mark_in
 match access-group name other-traffic
policy-map internet_in
 class priority-class-mark_in
  set dscp default
 class other-class-mark_in
  set dscp CS1
class-map priority-class-mark_out
 match ip dscp default
class-map other-class-mark_out
 match ip dscp CS1
policy-map internet_out
 class priority-class-mark_out
  police cir 80000000
 class other-class-mark_out
  police cir 20000000
interface GigabitEthernet1/8
 ip address 192.168.5.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 service-policy input internet_in
 service-policy output internet_out

What I want to achieve is that traffic that hits access-list priority-traffic should get 80M data rate and traffic that hits access-list other-traffic should get 20M data rate.

What happens now with current configuration is that everything gets 80M data rate. It doesn’t matter what I put in priority-traffic access-list.

Is there something obvious that I am missing? This is my first time creating something with DSCP values.

I have created a workaround that works with the following configuration, but I’m interested to know what’s wrong with my DSCP configuration.

class-map match-all priority-class
 match access-group name priority-traffic
class-map match-all other-class
 match access-group name other-traffic
policy-map internet-traffic
 class priority-class
  police cir 80000000
 class other-class
  police cir 20000000
interface GigabitEthernet1/8
 service-policy output internet-traffic


Packet loss between 2 ASN - what to do?

Hello Networking,

This is kinda a home question - but also a good discussion about what can be done.

So I'm living in small Denmark, and have a connection at home from my work (working at an ISP). We have a transit peer, probably the biggest ISP in Denmark. Most of our traffic is going out towards this ISP. This includes traffic going towards France.

So what I have figured out is that when my traffic hits AMS-IX and enters OVH's ASN I get packet loss in the evening.

Right now, I have started using a VPN towards Poland, because then my traffic is not hitting this saturated link in AMS-IX, and that means I have no lag going to the France server.

I spoke with a former colleague working at the big Danish ISP, and he actually said that they know about the problem - but this has turned into politics, meaning nobody wants to pay for this connection that these 2 ISPs have together.

So what should or could I even do here :/?



Improving speed of OSPF neighbor detection

Hello,

We use OSPF for all of our internal nodes in our WISP network. It's reliable and helps route around power outages or lightning strikes.

We use mainly Airfiber5XHD and Airfiber5 equipment, with some 24/60 GHz links as well. Each POP/tower has at least one EdgeRouter.

While the OSPF cost metric varies inversely based on the link capacity, the other parameters we've set are the same everywhere, this from our Vyatta configs:

set interfaces ethernet eth0 ip ospf retransmit-interval 5
set interfaces ethernet eth0 ip ospf transmit-delay 1
set interfaces ethernet eth0 ip ospf dead-interval 40
set interfaces ethernet eth0 ip ospf hello-interval 10
set interfaces ethernet eth0 ip ospf priority 1

Sometimes links take a while to renegotiate, and in the worst cases even if a broken link has come back, we may require hard rebooting both ends just to merge back into the OSPF topology.

Looking for advice here, does anyone have suggestions on how to tweak our OSPF settings or make use of the data carrier drop options in Airfiber5XHD to improve OSPF healing time? TIA--



Service chaining on BGP EVPN

Is anyone aware of an equivalent of ACI L4-7 service chaining in BGP EVPN?



Monday, January 6, 2020

Office with Dual MPLS and Internet uplinks

I have an office which has two ISP managed MPLS connections and an internet link. Here is my current design for the end state: https://i.imgur.com/PTLUf4n.png

The two MPLS routers are already configured and installed, but the L3 switch, the firewall, and the Internet are yet to be installed.

I am wondering how to best configure OSPF in this network, so that the 10.0.0.0/8 traffic outside this office will travel via the MPLS network and the internet traffic will then go via the internet connection, but can failover to the primary MPLS, and if needed the secondary.

I am concerned that because the ISP has configured that inter-router network link and is running iBGP that it's going to cause routing issues if I peer the two MPLS routers in OSPF.

So, would the config that I have laid out in my diagram be okay, or do I need to ask my ISP to remove the iBGP peering? I have a feeling they are running it for BGP routing resiliency between the MPLS router uplinks.

So, I feel I have a few options:

  1. Deploy the config as is
  2. Change the network between the two MPLS routers and the L3 switch to be two separate networks rather than a shared network, and then not peer OSPF between the two MPLS routers.
  3. Ask the ISP to remove iBGP and just have OSPF peering between the two MPLS routers.

I feel like I'll probably need to lab this out and also set up a meeting with my ISP to find out what the best option for this network is, but I wanted to get some feedback here as well.

Thanks!



Advertising multiple default routes into BGP over MPLS

We have a country wide ISP managed MPLS network which all our offices connect to, we want to have two data centres on either side of the country which will serve as the exit points for internet (also same ISP). ISP managed eBGP is already running over the MPLS network.

Note: the two new DCs do not have an interconnect between them, they will have to use the MPLS network to send traffic between them.

If we peer with the ISP eBGP network at each DC and we advertise a default route from each DC into BGP, then the default route in the routing table at each office should choose the default route of the closest DC (the shortest AS path).

I'm just going by the BGP route selection criteria, and as the default routes propagate through the MPLS network, each router should choose the default route with the shortest AS path.

We have no weight set, no local pref. set, and both DCs would be redistributing a static default route, so AS path should be the deciding factor. Then if both AS path lengths are the same, the next likely criterion would be the oldest route, which should be fine as a tie-breaker.

So at the MPLS PE for each office there will be two default routes in the BGP table and the one with the shortest AS path will be the one in the routing table, or the one with the oldest route.

I should hopefully be able to verify this when we start peering with the MPLS PE at the DC and check the AS path from different locations. I can also run some tests with a shared dummy network.

We can then migrate from our current DC by advertising from both of the two new DCs (for a total of 3 default routes), and then remove the old DC when the two new ones are ready.

Is my thinking correct?
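The selection walk-through above can be checked against a small model of the decision process. This is an added example, not the poster's configuration: it applies the Cisco IOS best-path order (weight, local preference, locally originated, AS path length, origin, MED, eBGP over iBGP, IGP metric to next hop, oldest external path, router ID) to constructed attribute values, and it goes slightly beyond the post by also showing what happens when both paths are internal or when `bgp bestpath compare-routerid` is set. MED is compared only when every remaining path comes from the same neighbouring AS, as in the default behaviour.

```python
"""Model which data centre's default route an office router installs,
and which best-path step decided it (added example; values constructed).
"""
from dataclasses import dataclass
from typing import List, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower wins


@dataclass
class Path:
    source: str                  # label for the reader, e.g. "DC-East"
    as_path: List[int]
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True            # learned from an external neighbour
    igp_metric: int = 0          # IGP cost to the BGP next hop
    age: int = 0                 # seconds since received; larger = older
    router_id: str = "0.0.0.0"


def _keep_min(cands, key):
    """Keep only the candidates tied on the lowest key value."""
    best = min(key(p) for p in cands)
    return [p for p in cands if key(p) == best]


def _ip_key(addr: str) -> Tuple[int, ...]:
    return tuple(int(o) for o in addr.split("."))


def best_path(paths: List[Path], compare_routerid: bool = False) -> Tuple[Path, str]:
    """Return the winning path and the name of the step that decided it."""
    cands = list(paths)
    early_steps = [
        ("weight", lambda p: -p.weight),
        ("local_pref", lambda p: -p.local_pref),
        ("locally_originated", lambda p: 0 if p.locally_originated else 1),
        ("as_path_length", lambda p: len(p.as_path)),
        ("origin", lambda p: ORIGIN_RANK[p.origin]),
    ]
    for name, key in early_steps:
        cands = _keep_min(cands, key)
        if len(cands) == 1:
            return cands[0], name
    # Default behaviour: MED is compared only between paths received from
    # the same neighbouring AS (the leftmost AS in the path).
    if len({p.as_path[0] if p.as_path else None for p in cands}) == 1:
        cands = _keep_min(cands, lambda p: p.med)
        if len(cands) == 1:
            return cands[0], "med"
    for name, key in (("ebgp_over_ibgp", lambda p: 0 if p.ebgp else 1),
                      ("igp_metric", lambda p: p.igp_metric)):
        cands = _keep_min(cands, key)
        if len(cands) == 1:
            return cands[0], name
    # The oldest path only breaks ties between external paths, and only
    # when 'bgp bestpath compare-routerid' is not configured.
    if all(p.ebgp for p in cands) and not compare_routerid:
        cands = _keep_min(cands, lambda p: -p.age)
        if len(cands) == 1:
            return cands[0], "oldest"
    cands = _keep_min(cands, lambda p: _ip_key(p.router_id))
    return cands[0], "router_id"


def office_default_route(dc_paths: List[Path]) -> Tuple[str, str]:
    """Which DC's default route an office installs, and the deciding step."""
    winner, step = best_path(dc_paths)
    return winner.source, step


# Constructed scenario: the ISP is AS 64512; DC-West prepends its own AS once.
DC_EAST = Path("DC-East", as_path=[64512, 64600], age=300, router_id="10.0.0.1")
DC_WEST = Path("DC-West", as_path=[64512, 64601, 64601], age=600, router_id="10.0.0.2")
```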