Saturday, January 25, 2020

Open 6881 port (BitTorrent)

I have a port (6881) open and I don't know how it got opened. I have an Android (Galaxy S9) and I did an nmap scan on my device. Poof... open port 6881. How do I shut this on my Android? I have no port forwards on my router or on my Android. I have 3 access attempts from China, Germany and from Amazon. Yes, Amazon. Help??



BIRD export filter conditional next hop

When exporting routes to an EBGP neighbor by default the next hop is set to the IP address of the connection.

Using BIRD 1.6.x, per the docs you can set "next hop address <ip>", but when I attempt to add that for a neighbor I get a syntax error, i.e.:

    protocol bgp FOO_1 from BH_SERVER {
        neighbor x.x.x.x as 11111;
        export filter RTBH_OUT;
        next hop address y.y.y.y;
    }

I get a syntax error for the "next hop address" line....

I know you can set the bgp_next_hop in the actual filter, but I need to be able to set the next-hop based on the neighbor/peer AS....

Ideas?
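As an added example (not the poster's configuration), one way to get a per-neighbor next hop in BIRD 1.6 using the filter mechanism the post already mentions: move the shared RTBH_OUT logic into a function and give each bgp protocol its own inline export filter that sets bgp_next_hop. The function body, the 192.0.2.x addresses standing in for x.x.x.x and y.y.y.y, the second peer FOO_2, and the assumption that the existing RTBH_OUT filter can be expressed as a function are all placeholders here.

```bird
# Added example. The real RTBH_OUT logic is not on the page, so this
# function is a placeholder that accepts every route.
function rtbh_out_ok()
{
	return true;
}

# One inline export filter per neighbor: same RTBH logic, different next hop.
protocol bgp FOO_1 from BH_SERVER {
	neighbor 192.0.2.10 as 11111;     # placeholder for x.x.x.x
	export filter {
		if ! rtbh_out_ok() then reject;
		bgp_next_hop = 192.0.2.1;     # placeholder for y.y.y.y
		accept;
	};
}

protocol bgp FOO_2 from BH_SERVER {
	neighbor 192.0.2.20 as 22222;     # second peer (constructed)
	export filter {
		if ! rtbh_out_ok() then reject;
		bgp_next_hop = 192.0.2.2;     # different next hop for this peer
		accept;
	};
}
```

Because bgp_next_hop is a writable route attribute in an export filter, the choice of next hop lives with the protocol (and therefore with the peer AS) rather than in one shared filter.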



Any ideas as to why CERNET (China Research and Education Network) in Wuhan is shutdown every day from midnight to 6 am for three consecutive days?

/r/China_Flu/comments/eu042i/any_ideas_as_to_why_they_are_shutting_down_china/

Extended Layer 2 over Layer 3 (L2 over L3)

I have a scenario where my boss wants to use an old 6500 as the L3 gateway over a new Layer 3 core connecting them, instead of using a 1 gig connection to the 6500. How can I achieve this?

    ---------------------------------------
     Layer 3 GW - 6500 (Vlan 100)
    ---------------------------------------
           |  L3              |  L3
    ---------------------------------------
     New 6800 - Core - Layer 3
    ---------------------------------------
           |  L2              |  L2
    ---------------------------------------
     New 9000 - Layer 2 (Vlan 100)
    ---------------------------------------



For my networks and security class, I have to do a presentation for any topic related to networks/networks and security. Does anyone have any suggestions for a topic I could choose?

Title



SD-WAN in K12?

/r/k12sysadmin/comments/etuw28/sdwan_in_k12/

Web content filtering

Hi all,

I'm looking for some ideas for web content filtering.

We've got a guest WiFi network setup in a community centre (which is also used as a youth club during the week).

We are using a Ubiquiti UniFi Controller, a couple of UniFi access points and a couple of split WiFi networks (including a guest WiFi for guest access).

The youth centre manager has pretty high standards for web filtering for those using the centre.

Any ideas of where we should be looking? Don't mind paying but not significant sums of money (ideally free but not sure if free and high quality web filtering will go together!!).

Thoughts welcome.



L2TP VPN routing to other networks?

Hello all

I've set up an L2TP VPN connection to my ASA which is working great, configured just like below. I can access network 192.168.2.0 from the VPN. But my problem is that I also want to access another network 10.10.3.0/24 which is connected to the ASA via an IPSec VPN tunnel.

I can access 10.10.3.0/24 from 192.168.2.0/24 but not from 192.168.100.0/24.

I've added the L2TP VPN network into the encryption domain of the IPSec VPN tunnel but I got quite stuck there. Can anyone perhaps point me in the correct direction?

    ASA Version 8.4(2)
    !
    !
    interface GigabitEthernet0
     nameif outside
     security-level 0
     ip address 47.47.47.100 255.255.255.0
    !
    interface GigabitEthernet1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    !
    !
    object network local_lan
     subnet 192.168.2.0 255.255.255.0
    !
    object network obj_192.168.2.0
     subnet 192.168.2.0 255.255.255.0
    !
    object network obj_192.168.100.0
     subnet 192.168.100.0 255.255.255.0
    !
    !
    ip local pool L2TP-Pool 192.168.100.1-192.168.100.100 mask 255.255.255.0
    !
    !
    nat (inside,outside) source static obj_192.168.2.0 obj_192.168.2.0 destination static obj_192.168.100.0 obj_192.168.100.0 no-proxy-arp route-lookup
    !
    object network local_lan
     nat (inside,outside) dynamic interface
    !
    route outside 0.0.0.0 0.0.0.0 47.47.47.47 1
    !
    !
    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host 192.168.2.100
     ldap-base-dn DC=testlab,DC=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password Y0u@rmyl1fe
     ldap-login-dn CN=ASA Admin,CN=Users,DC=testlab,DC=com
     server-type microsoft
    !
    !
    crypto ipsec ikev1 transform-set L2TP-set esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set L2TP-set mode transport
    !
    crypto dynamic-map client-map 10 set ikev1 transform-set L2TP-set
    crypto map outside-map 65535 ipsec-isakmp dynamic client-map
    crypto map outside-map interface outside
    !
    !
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    !
    !
    group-policy L2TP-Client internal
    group-policy L2TP-Client attributes
     dns-server value 192.168.2.100
     vpn-tunnel-protocol l2tp-ipsec
     default-domain value testlab.com
    !
    !
    tunnel-group DefaultRAGroup general-attributes
     address-pool L2TP-Pool
     authentication-server-group LDAP
     default-group-policy L2TP-Client
    tunnel-group DefaultRAGroup ipsec-attributes
     ikev1 pre-shared-key cisco
    tunnel-group DefaultRAGroup ppp-attributes
     authentication pap
     no authentication chap
     no authentication ms-chap-v1
     no authentication ms-chap-v2
    !
    !
    : end


Asus RT ac3100

I am attempting to open a few ports for a game server, but when I go to check the port it says it's closed. I have the port right and the device IP.



I’m studying for a CCNA and am trying to find affordable equipment.

I’m currently taking the NetAcad course through college. I have done great at the packet tracer exercises, but feel I need more hands on with live equipment. I have already tried to acquire some components, a 2900 series router, and 3750 switch. However, the router arrived DOA.

Would anyone be able to recommend a good reliable source for working equipment that would be beneficial to use to studying? I’m near Raleigh if there is a physical location.

What equipment would be best to have for practicing for the CCNA Switching, Routing and Wireless (v7) as well as the CCNA Security.

Does having a server with different services make a difference in practicing or is just having Raspberry PIs to return pings be acceptable?

Is there anywhere else to obtain worthy practice exercises beyond netacad?



strange problem with an ISP and arris modem. Any thoughts ?

This is a little strange, so I will try to explain the problem as clearly as I can.

we got 2 ISPs in our location,

ISP 1 is fiber to the node, then comes in with coax and provides an Arris modem; we also get a public IP via DHCP.

ISP 2 FTTH and the thing I do not really like is they use PPPoE.

For the problem: we mainly have ISP 1 at the moment, and the issue is that when the Arris is put in bridge mode, downloading torrents (for example a Linux ISO) kills the speed. The torrent speed goes to 0, and trying a speed test it also stays between 1 to 2 Mbps. I also tried plugging the PC directly into the modem, with the same problem. I tried fq_codel with 3 routers, with the same problem. Now for the strange part: putting the Arris in router mode, this does not happen and torrents download fine, and I can't really understand why.

To make sure nothing is wrong with our hardware we tried the second ISP, and everything works fine when in bridge mode, so something is going on with ISP 1 and I am really curious what's going on.

I would love to hear any thoughts from you experienced guys.

Thanks a lot.



How would I rearrange the colors for data transfer? As a normal Ethernet port

Wiring https://imgur.com/gallery/8wDX0N4

Here is picture



Your preferred visual traceroute software? (like pingplotter)

I have been using pingplotter free edition for a while now, and have been thinking about buying the standard edition.

Just wondering what's your opinion about similar tools, both free and paid.

Feature wise, is pingplotter standard missing something other tools offer?



MAC-conflict theoretical question

Imagine the following stupid scenario. (I am aware that this should be avoided in the first place, but I am curious about the theory and behaviour)

Two hosts connected straight to each other:
host-A: 192.0.2.1/24
host-B: 192.0.2.2/24

Now, both hosts consider their own MAC address to be 01:02:03:04:05:06, i.e. there's a MAC conflict.

Would they be able to communicate to each other at all? (would it just fire out as if point-to-point? leaning towards "no" because the subnet is defined as /24)
Or would the frames-to-be-egressed just get swallowed somewhere in the stack internally (where? why? This is where my understanding is lacking) What would be the technical basis of the "don't do that, you dumbass" answer?

What would (or should?) happen if we introduced manual ARP table entries to give each host the information that the other one's MAC is 01:02:03:04:05:06 (still identical)?

Apologies if this is a bad channel to ask such a question. I've considered /homenetworking and /homelab, but this place just felt like a better fit.



SMB access via VPN (subnet issue?)

Hi

I have an instance of openmediavault providing SMB. I can access files locally OK (192.168.1.182), but I'm trying to configure the VPN server that I run on a Raspberry Pi 4 (pivpn) (192.168.1.50). The OpenVPN connects fine from the WAN; I can browse the internet as if I'm home. The problem is, the VPN server puts me on a subnet (10.8.0.2) when connected and I'm not able to detect shares.

I understand this is the desired behaviour. My previous router came with an OpenVPN server and I was able to log in to my local network to access the files; I'd like to replicate this again since my old router is retired. I played with WINS but without much success.

Any pointers?



BGP flapping every 2-3 minutes - Mikrotik <> VPS with BIRD

Hello,

I am using a Mikrotik RB450Gx4, using BGP with my ISP for announcing my own AS and my /24. For this all is good.

The main problem is that I am also using a VPS located in a remote location, linked with my router via a GRE tunnel, and that VPS connects me to the DE-CIX internet exchange in Munich. I have set up BIRD on the VPS, created a GRE tunnel between the VPS and my Mikrotik, and established BGP with the DE-CIX route servers. The problem is that when I try to establish BGP between the Mikrotik and the VPS, the BGP connects successfully, imports a couple of routes from the VPS, and then the connection flaps. Therefore it can't stay active. I tried to place some filters, contacted DE-CIX support and the owner of that VPS service, but nothing was successful. It used to work in the past... maybe someone has any idea why the BGP session is flapping?

Things I've checked:

- MTU: tried to lower it from 1480 to 1432 and 1400. Same issue.

- Filtering the IP address of the VPS itself, in order to not receive it from the route server as well, did not solve the issue.

- Applied some other filters, but nothing changed.

- Modified some settings on the Mikrotik and in the BIRD configuration as well - it didn't help.

Regards,



WoL and dynamic VLAN assignment

How do you handle Wake-On-LAN with port authentication and dynamic VLAN assignment?

You don't know which station is currently connected where, if it is switched off and currently no auth session is open (which is the point of having WoL in the first place -> switching it on).

At most you could have static "WoL-VLANs" on the ports per location (which defies the dynamic nature of device roaming or dynamically assigned VLANs). However, and assuming WoL traffic needs to be routed, you'd have to send a directed broadcast to a different broadcast address than the usual one for the devices in question. Not sure which configuration mgmt tools allow that...



Friday, January 24, 2020

Network Bandwidth Manager?

Hello! Sorry for a noob question. I'm looking for a bandwidth manager I can use at work that doesn't need the connection to pass through a single point, like a dedicated computer. Maybe something that uses a client/host application?

I'm using Netlimiter now, and it's great, but I've been having problems with it having some delays when connecting to clients and i'm trying to figure that out.

I was wondering if there are other better alternatives out there?

Thank you!



How can we determine if IP address belongs to VPN or not.

How can we determine if IP address belongs to VPN or not. Thanks



WiFi Puzzle

Hello everyone, I have a quick question. Is there any way I can set up some puzzle to give internet access to users? Basically what I want to do is give users an initial password to get onto the WiFi (for security reasons), and then they have to solve a puzzle to get access to the internet. I have seen a similar kind of system in some restaurants, where users have to enter or do something even after the WiFi shows as connected on their device. Does anyone have some resources or knowledge of how that is configured? Any help is appreciated.



What’s the next step (or half-step) after 10GBASE-T?

I run a small video editing business and plan to upgrade various equipment this year. We’ve been running 10GBASE-T (direct to a small QNAP NAS; no switch) for five years already and it’s been good; no major complaints. But I want to be forward-thinking and consider everything. So hypothetically, what are next steps after cat6a 10GBASE-T? Right now I’ve got a 10k budget for a new NAS and network improvements (if any). Thanks guys!



Docked and WiFi..same IP?

We have some apps that are presented as shortcuts on their desktop. This has worked well but we have deployed laptops with docks and the apps don't like getting a new IP when they switch to WiFi. We are hoping the web version of these apps will be released this year but in the meantime I'm considering having wired and wireless on the same VLAN/subnet. It appears MS DHCP won't give out the same address for 2 different MACs..a good thing. So has anyone done this successfully? I could spoof the WiFi adapter to match the dock...or use dnsmasq which appears to allow dual MAC addresses? I know plenty could go wrong but they shouldn't be connected to both at the same time.... Has anyone done this? Cheers



The Value of A Diploma/ Degree

Hello,

I am studying Computer Science, but I find the program to be an unfortunate waste of time. The curriculum leaves a lot to be desired and actual learning is close to null. I am jumping through hoops and stressing myself out financially and psychologically doing this.
I enjoy learning about I.T (ON MY OWN), and have a few basic certifications (like CompTIA Net+ and some Microsoft). I am currently studying for my CCNA on the side while in school full-time.

I am curious about different opinions in regards to the value of an I.T. related diploma/ degree in this field. I understand it is an ambiguous question. But I'd appreciate any opinions from people in the industry:

Do candidates with a diploma/ degree always receive precedence in the hiring process? Could I potentially land an entry level position after obtaining a CCNA?
Is this certification becoming saturated with so many people having it now?

Are my opportunities for advancement far lower without a formal education -- am I potentially closing too many doors?
Is there anyone else who went through or is going through a similar mind-loop -- questioning the efficacy of a post secondary education in the field?

Personally I am tired of wasting my time and money while killing my soul learning nothing relevant. I'd far rather bet on myself and pursue a real education on my own; however, I don't want to shoot myself in the foot if there is a real value to a formal education on a resume in the world of Networking.

Thanks



Help with Dissertation ideas for Bsc

Hey there! I am currently in my third year of University in Cyber Security and Networking. I am currently looking into ideas for my dissertation paper. The one I'm most interested in so far is looking into the security, or lack thereof, within the IoT. I was just curious if anyone here had any more ideas that I could think about and possibly delve into?

Thanks!



Y2K in 2020

So we have an old NTP appliance, but it still worked so, who cares? Well... Today we were working on the security system and noticed the time stamp was WAYYYYYYYYYYYYYY off. It was like 6/9/2000, so we first checked to see if we had the security system requesting time from our time server. It was... Below is me checking the time server's clock, and below that is me on my desktop checking the offset from realtime.
https://imgur.com/a/VTljbGF
https://imgur.com/a/FAtuQo8
From this, I guess this time server just can't f**king handle 2020 and decided to try to pull a Y2K on our Windows Domain.



Advice/resources for transitioning into a cloud network engineer role?

I work as a data center network engineer for a multinational company. The executive leadership at my company has drunk the cloud Kool-Aid and has seen fit to dramatically scale back many of our on-prem data center/colo locations around the globe to simple POPs and move a majority of the company infrastructure into Google Cloud.

At the moment, some aspects of our infrastructure and services can't be moved into the cloud, leaving us with a large traditional data center and a hybrid cloud solution. I can see the writing on the wall, and as much as executive leadership is trying to prevent a panic among the engineering teams that support traditional data center/colo locations, I know they're working as hard as possible to find a way to move the remaining bits of our infrastructure to the cloud.

When that happens, my team will have no more data centers to administer. Other SRE and platform teams are very politically powerful within my org and have been trying to snipe things from our control. There's a campus networking team and it looks like business is considering moving all networking responsibilities to them after they close all our data centers and let my team go.

I'm not sitting idle waiting for a pink slip. I've taken steps to make sure I'm in a good place should I be "made redundant". I've got a multi-month emergency fund saved up, I've brushed up my resume, and I went out and got my CCNP. I've also been learning python, ansible, and kubernetes while using those daily at work and keeping a portfolio of automation projects I've completed.

I'm not a fan of "the cloud" (other people's computers) and I think firing all on-prem infra engineers (along with their institutional knowledge) and outsourcing your company's infrastructure to another company is a disastrous idea, but I'm not in a position to argue this with the people making the decisions. It's a large company and I'm just a low level engineer within one of many infra teams. The people making the decisions are multi-millionaires and billionaires.

Nonetheless, I want to adapt, survive, and thrive so I'm looking at how I can transition into a "cloud network engineer" role. I'm not desperate to stay with my current company, but if I did have some cloud networking certs when the axe falls, I could argue that keeping me on would be worth it. If anything, it'd buy me more time to look around and open more doors for me elsewhere.

The problem I'm running into is that it seems that resources on cloud networking are fairly sparse compared to when I was studying for the CCNP. This is understandable since "cloud" is still relatively new. I'm trying to take advantage of the opportunity I have at my company to interact with a large scale gcp operation and learn as much as I can about that. I've been eyeing google's "Professional Cloud Network Engineer" cert and enrolled in their courses on coursera since that's the most immediately relevant to my day job. I'm also wondering if it might be worth it to look into AWS or Azure certs, though I don't have any direct on the job experience with those.

Most of the stuff that comes up when I search for resources and trainings on cloud networking is just bullshit marketing presentations or information more geared towards people developing apps in the cloud, not really infrastructure people.

Has anyone here made the jump into a more cloud networking focused role? What resources did you use? Any books you can recommend? Courses? Videos?



Contract to hire

Looking for advice. I’ve been hired on a contract to hire basis. This is all new to me. I’ve always been a FTE. Are there things I should be looking out for? Thank you kindly.



Am I Getting Fucked Friday, January 24th, 2019 - Normalcy

/r/sysadmin/comments/et8xbq/am_i_getting_fucked_friday_january_24th_2019/

hire remote hands ?

Guys, I got a remote site that I need to pull the equipment (router / switch / UPS) from and get it mailed back to me. Where do you guys go for contracting basic IT work? I'd rather not blow 1500 bucks on a plane ticket and lodging for 2 hours of work.



Fortinet Firewall, Mikrotik router

Hello

I've got the following set up and need some advice on filtering my traffic through a Fortinet 200 router/firewall. I'm way out of my comfort zone on this, but I'm stuck with trying to fix this until my new guy starts.

I can follow instructions and have some basic knowledge of networks, but still, treat me like an idiot.

We have a router from the ISP currently connected to a Mikrotik router, which connects to a Cisco managed switch.

All my traffic should be filtered by our Fortinet200, it appears that our IT guy (who bailed after being found to be less than effective) decided to not route traffic through the fortinet and basically give free access to the internet to all.

We were using a Fortinet in the past; I can't remember though if it was prior to the network upgrade or not. So I don't know if at any point the new Fortinet 200 has been used or not.

Is there a simple way to place the Fortinet between the mikrotik router and the WAN and let it just filter everything for the time being until my new guy arrives?

I don't care if it is rough and ready, as long as it is filtering properly. I know it can't be as simple as just plugging it in and setting a WAN and LAN side on the Fortinet, but I'm hoping there is something close to this.

We used to have individual logins for the network, that all appears to have stopped other than the wifi which remains and is through the mikrotik router as well.

Thanks in advance



Current perspectives on SD-WAN

I am reading myself into SD-WAN, and have read a lot of different views on it. Most of the negative views haven't tried it out yet, and the positive ones are sometimes a bit too positive in my opinion.
Info from the vendors is specked with awesome features and must-haves, but that is all talk from sales, and not from an engineering standpoint.

I read another post from about a year ago and was mainly curious if some of the views has changed.

I haven't spoken with any vendors or carriers yet.



Hi folks, I am looking for examples of ISPs selling cable modems with 4G sim cards embedded in the modem (for connectivity backup) do you guys know of some big brands selling this as part of their internet package? (ISP's NOT of the shelf routers) thanks!


HP A5500 Switch Troubles

So I looted an HP A5500 switch from work and plan to replace my home switch with it. The only problem is I have absolutely no fucking clue what I'm doing. I've got it talking to my PC, got into the boot menu, skipped current configurations and tried to start configuring, but I can't seem to get it talking to my router at all, nor can I get it to ping other devices on the network, despite the fact it acknowledges the connection and says link is UP.

Can anybody point me to a complete setup guide for total noobs?

Also: By looted, I don't mean stolen. Boss let me take it.



Replacing a Cisco 6504 with a Cisco Nexus 93108TC-EX?

Looking to move from 10Gb links to 40Gb links which would require buying new supervisor cards and new line cards for our aging Cisco 6504-E series switches.

Instead of going down this route I've been looking at the potential of replacing them with the Cisco Nexus 9300-EX (N9K-93180YC-EX).

This has plenty of 10Gb/40G ports for our needs. It would be used for simply pushing packets in a BGP free core so it would just need to push MPLS labels and have OSPF to run on them.

As it needs MPLS-L3 I'm thinking I would need to add the advantage 'ACI-AD-XF' license.

Am I missing something obvious here? Would I be better going down the NX-OS license path instead? To be honest it sounds like the switches do a LOT more than what is required but they are at a good price so I don't mind lots of features going unused for the ability to have 10/40/100gb ports.

Thanks



Help me find the bottleneck in my network

I have host A set up as my main gateway / wireless AP, configured in bridge mode. Host B connects to host A over WiFi and is able to access resources both on host A as well as on the bridged Ethernet network behind it.

Throughput between host B <---> everything behind host A is fine in both directions (>300 Mbit/s), as well as from Host B ---> Host A. Throughput from host A to host B, however, is not fine - it's stuck at around 5-8 Mbit/s. This is a problem, since host A is also a media center / file server.

But here's the most interesting bit. If I run a VM / container on host A, the problem disappears: data from the VM / container to host B flows at full speed.

Same story whether it's TCP or UDP. I checked with tcpdump, no dropped packets or retransmissions or window sizing issues.

All hosts running Linux (Arch, Ubuntu 16.04).

Any leads would be appreciated!

Network config details



Resources for the new CCNA

Where can I find resources for the new CCNA? I haven't managed to find them on the official Cisco site and was wondering whether it's best to wait until after the exam is actually released?



Thursday, January 23, 2020

Wake On Lan through Dlink 2750U

Hi All

I have configured WOL from the LAN and it is working fine. To make Wake On LAN work from the internet, I configured port forwarding in my D-Link 2750 with the destination configured as the broadcast address (e.g. 192.168.1.255). Any idea how to crack this on the D-Link 2750? As far as I can understand, this modem is not broadcasting the magic packet from the internet to the LAN even though I did the port forwarding and its configuration.
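The WoL mechanics raised in the "WoL and dynamic VLAN assignment" post above (a directed broadcast to the target subnet's own broadcast address, not 255.255.255.255) and the forwarded-to-broadcast setup described in this post are illustrated by the following added Python example, which is not part of either post. It builds the standard magic packet (six 0xFF bytes followed by the target MAC sixteen times), computes the subnet-directed broadcast address for a given prefix, and includes a parser that tells whether a UDP payload captured on the LAN side is a well-formed magic packet, which is the check that shows whether a forwarded packet actually arrives. The MAC address and subnet are constructed sample values; UDP port 9 is the conventional WoL port.

```python
import ipaddress
import socket
from typing import Optional

# Constructed sample values for this example (not taken from the posts).
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_SUBNET = "192.168.1.0/24"
WOL_PORT = 9  # UDP 9 (discard) is the conventional WoL port; 7 is also common

MAGIC_LEN = 6 + 6 * 16  # 6 x 0xFF sync bytes + 16 repetitions of the MAC


def build_magic_packet(mac: str) -> bytes:
    """Build a Wake-on-LAN magic packet: 6 x 0xFF followed by the MAC repeated 16 times."""
    clean = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(clean) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    mac_bytes = bytes.fromhex(clean)
    return b"\xff" * 6 + mac_bytes * 16


def directed_broadcast(subnet: str) -> str:
    """Return the subnet-directed broadcast address for a CIDR prefix.

    strict=False lets a host address such as 192.168.1.17/24 be given; the
    result is the broadcast of the containing network.
    """
    return str(ipaddress.ip_network(subnet, strict=False).broadcast_address)


def is_magic_packet(payload: bytes) -> Optional[str]:
    """Parse a UDP payload; return the target MAC if it is a well-formed magic packet.

    A payload counts as a magic packet only if it is at least 102 bytes, starts
    with six 0xFF bytes, and then carries one 6-byte MAC exactly 16 times.
    Trailing bytes (some tools append a password) are ignored.
    """
    if len(payload) < MAGIC_LEN or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:MAGIC_LEN] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_wol(mac: str, subnet: str, port: int = WOL_PORT) -> str:
    """Send the magic packet to the subnet-directed broadcast; return the address used.

    SO_BROADCAST is required for a UDP socket to send to a broadcast address.
    """
    target = directed_broadcast(subnet)
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(packet, (target, port))
    return target


if __name__ == "__main__":
    print("directed broadcast:", directed_broadcast(SAMPLE_SUBNET))
    print("magic packet parses as:", is_magic_packet(build_magic_packet(SAMPLE_MAC)))
```

Run against a capture of the LAN-side UDP payload (for example the bytes of a packet seen with tcpdump on the inside interface), is_magic_packet returns the target MAC if the router really delivered the frame and None otherwise, which separates "the forwarding rule never fired" from "the packet arrived but the host did not wake".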



Cisco 2960X Dot1x strange behavior

Hey guys, I am troubleshooting a strange problem with dot1x on several Cisco 2960Xs. When a host is rebooted it cannot communicate until I clear the current authentication session. The strange thing I notice in the authentication session detail information is that it lists the client computer on a 169 IP. These workstations are statically configured with IP addresses, no DHCP. I have included an example below and can supply the debug output of dot1x from the switch saying the host is authorized.

I have tried setting the NIC power save mode to off and updating drivers on the host machines (which are Windows 10 computers). I also tried disabling Hiberboot; none of these resolved my issue. Any advice you have I would love to hear, thanks!

Example (scrubbed PC and switch name, and the actual IP address in the last snippet, as it had identifying info):

    Switch#sh auth sess int gi1/0/20 det
                Interface:  GigabitEthernet1/0/20
              MAC Address:  9890.96c6.044e
             IPv6 Address:  Unknown
             IPv4 Address:  169.254.82.151
                User-Name:  host/PCNAME
                   Status:  Authorized
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  in
          Session timeout:  N/A
          Restart timeout:  N/A
    Periodic Acct timeout:  N/A
           Session Uptime:  25s
        Common Session ID:  0A663C050000001E00071404
          Acct Session ID:  0x00000014
                   Handle:  0x11000013
           Current Policy:  POLICY_Gi1/0/20

    Local Policies:
            Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

    Server Policies:

    Method status list:
           Method           State
           dot1x            Authc Success

    Switch#clear auth sess int gi1/0/20
    Switch#sh auth sess int gi1/0/20 det
                Interface:  GigabitEthernet1/0/20
              MAC Address:  9890.96c6.044e
             IPv6 Address:  Unknown
             IPv4 Address:  169.254.82.151
                User-Name:  host/PCNAME
                   Status:  Authorized
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  in
          Session timeout:  N/A
          Restart timeout:  N/A
    Periodic Acct timeout:  N/A
           Session Uptime:  1s
        Common Session ID:  0A663C050000001F0007C104
          Acct Session ID:  0x00000015
                   Handle:  0xDE000014
           Current Policy:  POLICY_Gi1/0/20

    Local Policies:
            Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

    Server Policies:

    Method status list:
           Method           State
           dot1x            Authc Success

    Switch#sh auth sess int gi1/0/20 det
                Interface:  GigabitEthernet1/0/20
              MAC Address:  9890.96c6.044e
             IPv6 Address:  Unknown
             IPv4 Address:  10.x.x.x   <- Legit IP address
                User-Name:  host/PCNAME
                   Status:  Authorized
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  in
          Session timeout:  N/A
          Restart timeout:  N/A
    Periodic Acct timeout:  N/A
           Session Uptime:  4s
        Common Session ID:  0A663C050000001F0007C104
          Acct Session ID:  0x00000015
                   Handle:  0xDE000014
           Current Policy:  POLICY_Gi1/0/20

    Local Policies:
            Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

    Server Policies:

    Method status list:
           Method           State
           dot1x            Authc Success


Replacement for Ruckus wifi

Hi all,

We've moved in to a larger office, and we've brought across our 3 Ruckus 610 APs running on Unleashed. We haven't had the greatest success with Ruckus, and their support in Melbourne, Australia is terrible.

We're wanting to improve coverage and performance, so I'm seriously considering cutting our losses and going with a different wifi solution.

I would like (but don't need) something that can manage two sites. The largest being single floor, 150 users, non-open plan.

What are your suggestions?



Switch Recommendations

I work for a medium sized NPO that runs on love when times are tough. I say that because lots of our equipment is donated but we do buy new with support when needed.

Currently our access and distribution layer are running Cisco 3560's and similar with Palo Alto's at the Core/Edge.

All our floors/access link up to the distribution via fiber, which is quite limiting for redundancy topologies since we're limited to 4 sfp's per device running our distribution layer. You get the picture.

I'm interested in buying two SFP switches to allow us to run redundant fiber from each switch over two distribution switches. Knowing that Cisco would cost us our entire operating budget (joking) is it stable to run trunks between cisco/non-cisco? If so, any recommendations on manufacturers for these distribution switches?



If ISP installed 2 coax outlets, do I need 2 modems?

Hi all,

Moving into a new place, and we’d like Ethernet in 2 rooms. The ISP heard this, and instead of wiring Ethernet ports into each room, they wired coax into each room. We were provided one modem/router combo.

Do I need to buy a separate modem/router to have wired internet in room #2? I really would’ve expected the ISP to install Ethernet jacks in each room and have the modem/router in the master closet, wired to each room



NAT issue with home DIY Router... Can PING Gateway but not WAN, Router sits in front of Gateway.

Hey all,

I've had this custom DIY home server / router going for over a decade and I finally decided to get around to upgrading my wireless NIC. The first NIC I tried didn't work so I upgraded my server from Ubuntu 16.04 to 18.04, hoping the later version would have improved support... it didn't.

So, at 16.04 with the older NIC, that's the last time it worked correctly. New NIC arrives, I'm already on 18.04, and the wireless device comes up as wlp3s0 instead of the usual wlan0. I tried renaming the device and got frustrated (was tired) so I figured it would be "easier" to just reconfigure everything... how hard could that be right?

Well I've got everything reconfigured, I'm just spelling this out to say that since it was last functioning I've gone and upgraded the OS and reconfigured about a half-dozen config files, so its entirely possible something got borked along the way... but this is an odd problem I don't believe I've seen before.

I've got DHCP working and wireless AP functionality going, it's connecting... but the connected devices are saying "no internet". Hitting up a command line, I'm finding I can ping the wireless device (192.168.2.1) and the LAN's NIC (192.168.1.1) and the WAN port on the router (DHCP)... but most surprisingly I can also ping the gateway which sits behind the router: the Comcast cable modem. I currently have it set up in bridge mode though, so it's got an accessible IP of 10.0.0.1, but it's basically relaying its WAN IP over to the router.

So I'm really struggling to figure this out... maybe I'm rusty... but how the hell can I have a NAT issue on the router which somehow doesn't prevent me from accessing a device beyond it?

Shouldn't this indicate a NAT issue at the Gateway / modem? But how could that be if it's in bridge mode?

At any rate, I could really use some suggestions... I'm all outta ideas on this one.

Thanks!



Ethernet/IP

How many of you have had conversations with your OT people about Ethernet/IP only to find out later the OT people were talking about the world's worst named layer 7 protocol and not the layer 2/3 standards we've grown up with. This guy has.



Need some assistance with N9K Multicast Routing config

I'm trying to get multicast set up to route between two separate VLANs and failing miserably.

This is the topology I'm working with:

Device (VLAN 552) <-> Switch <-> Router (Nexus 9K) <-> Switch <-> Server (VLAN 16)

Nexus config:

```
feature pim
ip pim auto-rp rp-candidate Vlan5 group-list 239.0.0.0/24
ip pim auto-rp mapping-agent Vlan5
ip pim ssm range 232.0.0.0/8
ip pim auto-rp listen

interface Vlan5
  no shutdown
  ip address 10.91.5.2/24
  ip pim sparse-mode

interface Vlan16
  no shutdown
  ip address 10.91.16.2/22
  ip pim sparse-mode

interface Vlan552
  no shutdown
  ip address 10.110.32.2/19
  ip pim sparse-mode

show ip pim group-range
PIM Group-Range Configuration for VRF "default"
Group-range      Action  Mode  RP-address  Shrd-tree-range  Origin
232.0.0.0/8      Accept  SSM   -           -                Local
239.0.0.0/24     -       ASM   10.91.5.2   -                AutoRP
```

Am I missing a crucial step somewhere? Any help would be appreciated, thanks!



Need help with a mask between phone's IP and sim card's IP

Hi guys,

I am working on a project where I need to automatically get the IP address of the SIM card (10.50.14.xx). When I connect via USB tethering, the IP I get on my computer is 192.168.xx.xx.

The problem with this is, I have written a script using Google's API where it will automatically update the IP address of the computer (192.168.xx.xx) onto the Google Sheets. This is not what I want; I want the IP of the SIM card (10.50.14.xx) to be updated on the Google Sheets.

How I usually check the IP now is by going to the phone, Settings > Status > SIM status > IP address.

How am I able to bypass this mask and retrieve the IP from the SIM card directly on my computer? The phone I am using for this project is the Oppo Reno 5G.

Thank you!



ASA Upgrade / Downgrade Questions and Advice

We have a smattering of ASAs of the 5506, 5515, 5516, and 5525 variety serving various critical and non-production purposes. All run pure ASA code with no FTD. Most of them are due for security updates, which is what prompted this post. Most are on 9.0 to 9.8 which will be trivial to upgrade to the latest interim 9.8.4.

However, several of the newer installs were deployed with (not my fault, but probably my oversight) various flavors of 9.9.2 installed. This has now been deprecated, and so we need to move to a main branch release. Normally, this would be 9.10.x or 9.12.x as we like to stay with starred release trains. However, neither train is a starred release for the 5506/5516 models. We would also like (ideally, but not at all a deal breaker) to keep everything on the same version (9.8.4) for simplicity's sake.

So assuming we downgrade from 9.9.2 to 9.8.4, my questions for those who have first-hand experience are:

  • Is downgrading an ASA as technically simple as an upgrade?
  • Can I follow the same upgrade path rules in the release notes but backwards?
  • Does anyone have experience downgrading active/standby pairs?
  • Is it worth upgrading the ROMMON code, if available, even if not required?

I would also like to run a single ASA on the new code for a few days to make sure we don't have any issues with the new OS.

  • Is there an issue running an active/standby on upgrade-compatible but different OS versions for any length of time? If we do have issues, I'd like to be able to fail-over the pair to the old software--is this asking too much?

We don't ask much of our ASAs. The critical devices are basically NAT appliances with basic zone-based rules. All the crypto and VPN tasks are done on non-critical, standalone devices.

Thanks



LinkPro 10/100 PoE factory reset?

I picked up one of these LinkPro 10/100 PoE for a few bucks. Model PSE-800W-130.

It's ideal for my security cameras; they don't need gigabit.

However... I need to factory reset it. I can't find anything except sales pages.

There is a reset button but it seems to do nothing, I've held it down for various times, up to 1 minute.

Any hints?



Zscaler zpa end-point security and good?

Anybody out there use Zscaler ZPA? We are looking for a zero trust product but I'm not sure exactly how this thing works. Is it truly secure or is it just marketing and PowerPoints?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Startup company - Modelling and managing the network

Hi guys, I'm a junior software engineer at a startup company of about 15 people which has no dedicated network person. I studied networks briefly at university and do some minimal work at home, so have decided to take on a side task at my job of managing the networks. We currently have a managed switch connected to a stock ISP-provided router and there is no extra security nor any sort of topology information yet. What are some of the things I can do to start managing and securing our network?



DHCP Failover offering clients new IPs well before the lease is up

Hi. I'm at a total loss here and could really use some pointers, or possibly an explanation of some network logic I'm not seeing. I am relatively new to networking, so please excuse me if I use the wrong terminology when describing the issues here, but I've done my utmost to read all the pertinent documentation that has anything to do with what's happening here and I'm still stumped. I'm convinced I must be missing something about how this works or should be working, so I'm going to describe what my network looks like and how I think DHCP failover works, and if there are any red flags, let me know.

DHCP leases on my network in a particular VLAN don't seem to be consistently honored. We're running a DHCP failover pair with the default 50/50 split. Rather than expand the subnet, the previous engineer combined three subnets under one SVI (one primary IP, two secondaries), and extended this one VLAN to an absurd amount of users. The SVI has IP helpers to both DHCP failover peers (Infoblox), does not have proxy ARP enabled, and no IP redirects. In Infoblox, the three subnets are configured as a shared network, and each subnet has a DHCP range serviced by the failover pair. This seems to be the correct configuration, based on DHCP failover documentation from ISC and Infoblox themselves.

It is critical that devices retain a single IP, without receiving a new one. If I'm correct, a DHCPDiscover arrives at both failover peers, and the MAC is hashed to a value between 0 and 255, with hashes < 128 going to peer 1 (m1) and > 128 going to peer 2 (m2), since we have it configured to 50/50 load balance. Here's where I think I understand, but correct me if I'm wrong: only one peer handles the offer, request, and ack, and when done, updates the other peer with the lease information. If the other peer continues to see DHCPDiscovers with an elapsed time value == max load balance delay, it will send an offer as well.

The devices that connect to the network can be expected to reboot extremely frequently, connecting to the network to get instructions from a controller, before rebooting again. It is critical that these devices retain their IPs across reboots, since changing IPs will break their relationship with the controller and ruin a lot of people's afternoons.

Occasionally, one of these devices will, at some stage of this, not receive the same IP it had before, which completely derails these tests. It's maddening! In the logs for both members, I can see that for some reason, both members seem to be responding to all DHCPDiscovers, despite the elapsed time value not increasing. They usually both respond with the correct IP in their offer, until one of them doesn't.

This has apparently been happening for years. The previous engineer worked with Infoblox TAC to decide that it was an issue with IP Device Tracking, but this does not seem to be the case currently. I personally wonder if shifting the load balancing from 50/50 to 95/5 would help not send the wrong lease information, but this doesn't seem like a fix at all.

??????????
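The hash-based split the post describes, written out as an added example (not from the post, and not ISC's or Infoblox's code): a Pearson hash of the client identifier picks a bucket, the split decides which peer owns it, and only a DHCPDISCOVER whose secs field has reached the load-balance limit should draw two offers. The permutation table is a constructed stand-in for the fixed table in RFC 3074, and the 3-second limit is an assumed setting.

```python
"""Model of DHCP failover load balancing (RFC 3074, the scheme ISC dhcpd
implements and Infoblox documents): which peer answers a DHCPDISCOVER, and
when both do.  Added example, not from the post."""
import random


def make_permutation(seed: int = 2020) -> list:
    """Constructed 256-entry permutation for the Pearson hash.  RFC 3074
    fixes one specific table; this seeded shuffle is a stand-in (assumption)
    so the mechanics run offline.  The shape of bucket ownership is the same
    whichever table is used; only *which* client lands where changes."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return table


PERMUTATION = make_permutation()


def pearson_hash(data: bytes, table=None) -> int:
    """Pearson hash of the client identifier (or, failing that, the hardware
    address) to a bucket 0..255.  Same input gives the same bucket on both peers."""
    table = table or PERMUTATION
    h = 0
    for b in data:
        h = table[h ^ b]
    return h


def hba_from_split(split: int) -> list:
    """Hash Bucket Assignment.  ISC's 'split N' gives buckets 0..N-1 to the
    primary: split 128 is the 50/50 default, split 243 is roughly 95/5."""
    if not 0 <= split <= 256:
        raise ValueError("split must be 0..256")
    return [bucket < split for bucket in range(256)]


def responders(client_id: bytes, hba: list, secs: int, max_secs: int = 3) -> set:
    """Peers expected to answer one DHCPDISCOVER.

    Only the bucket owner answers unless the client's 'secs' field (elapsed
    time) has reached 'load balance max seconds' (assumed 3 here), in which
    case the other peer assumes its partner is slow or dead and answers too.
    Two offers while secs is still 0 therefore point at something other than
    the load-balancing logic."""
    owner = "primary" if hba[pearson_hash(client_id)] else "secondary"
    if secs >= max_secs:
        return {"primary", "secondary"}
    return {owner}


def primary_share(client_ids, hba: list) -> int:
    """How many of these clients the primary owns under a given split."""
    return sum(1 for cid in client_ids if hba[pearson_hash(cid)])


# Constructed sample: 256 hardware addresses differing only in the last octet.
SAMPLE_MACS = [bytes.fromhex("001122aabb") + bytes([i]) for i in range(256)]

if __name__ == "__main__":
    for split in (128, 243):
        share = primary_share(SAMPLE_MACS, hba_from_split(split))
        print(f"split {split}: primary owns {share} of {len(SAMPLE_MACS)} clients")
    hba = hba_from_split(128)
    print("secs=0 ->", responders(SAMPLE_MACS[7], hba, secs=0))
    print("secs=5 ->", responders(SAMPLE_MACS[7], hba, secs=5))
```

Comparing the output of `responders()` for a client's real secs value against what both servers logged is a quick way to tell a load-balance override from a genuinely duplicated offer.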



What certs needed for an entry level IT job??

Hi, I have an associate's in applied sciences in something unrelated to tech but really want to get into the field. What certs would I need to get myself a job? I've heard of CCNA, CompTIA A+, MCSA... any help would be appreciated.



2.4 Antennas for Wi-Fi

Do you guys have any recommendations for 10, 12, 15, 18 dBi RP-SMA connector antennas?



Huawei Routers - How worried should we be?

I work in healthcare in the UK; one of the organisations we support has recently selected a new provider for their WAN MPLS network. This provider seems to be cutting costs on their routers by using Huawei equipment, in particular Huawei NE05E-SR routers. When I Google this particular model there's hardly any information on this router. For instance, where can I find security bulletins for this product, vulnerability info etc.? Should we be worried about these devices being installed into our networks?



Office internet blipping every 3 days

Hi All,

I've had an issue ongoing for a year since our business internet was installed, and the ISP is seemingly unable to determine where the issue lies; of course they are pointing fingers at my environment. I'd appreciate your thoughts on what the hell else I could look at troubleshooting here. The topology is a Rogers cable modem (Coda-4582) 1000/50 static IP configuration, to a Sophos XG firewall. The Sophos alerts when the gateway goes down, and this happens approx every 3 to 3.5 days. It seems to be a full power cycle, as Rogers reported that the online time and registered time both reset when this event happens. The rack is powered by a Tripplite line interactive full sine wave UPS, and no other hardware is having power issues. I have escalated to "Business Management Office" and the tech is suggesting power issues on my side.

I've tried the following with no change in the behavior.

Modem replaced twice (now on the 3rd unit)

Powering the modem directly from 15A circuit without UPS

The unit is passively cooled and I measured the heatsink temp at 85 degrees Celsius. I suspected it may have been overheating so I put a 120mm fan on the side, dropped temp to 40.

Disconnected the modem from my infrastructure and it continues to power cycle with only its coax and power attached. (Thankfully I have redundant ISPs or I wouldn't have been able to wait the 3 days to test this).

The onsite ISP tech thought the signal looked a bit low, so replaced the coax from the primary floor cable to the distribution point, and from the distribution point to our office. Signal is good now.

Suspicions I have left are - perhaps there is some strange AC power harmonics and the UPS can't filter out, and the power supply in the modem is of poor quality and can't handle it. Or perhaps the modem is trying to reach some provisioning or NTP server in the ISP environment and can't, so it reboots itself on a set interval +random offset value.

I've suggested that last idea to Rogers several times but they keep dismissing me. Funnily enough I've had this happen with my residential connection, where the modem would drop out every 24 hours, and it took 3 tech visits, truck roll to fix lines on the street, and lots of calls by yours truly, for them to realize it was the modem failing to reach the NTP server, and so would kick itself every 24 hours.



Dual Failover - For two companies? (One group)

Hi,

Looking at our network, we have two companies (in one group, and they aren't allowed to talk to each other).

Essentially, I've been thinking about how exactly we would make sure failover works for, well, both companies. We have an ISP connection coming in for both companies, and they both come in through a core switch. We do have a couple of WatchGuard firewalls connected too. This is our current setup:

https://ibb.co/0QZCJ8m

They go through a layer three switch prior to anything else. The router that we have isn't used for anything much more than WiFi, and a PPPoE connection for another circuit.

I had a look first, and noticed that there was a line on the config saying if the next hop to the firewall is deemed to be down, then disconnect, and that sorta makes sense, except of course that has a connection to the ISP.

Now, I'm thinking that perhaps, if we do something like this
https://ibb.co/ymzX8zX

Perhaps that would force the internet to still work, if one ISP went down? I saw "dual failover" routers, but then I guess that in itself needs to be redundant. If one router dies, we'd lose both lots of internet connectivity.



Leaf Spine vs 2 tier ?

We’re looking at refreshing our current DC network, which currently follows a classic three tier architecture. We have approximately 2k VM hosts in our environment plus another 75 servers (tin)

Our DCs are geographically within 5km of each other connected by dedicated fibre.

Vendors have been pitching the Clos model but I'm trying to work out the overall benefit and if we'd even need that level of potential scale.

So the options are

1) two tier architecture with DC core switches connecting ToRs using MLAG

2) Clos architecture with two spine switches and dual ToR in each cab. Approx 16 cabs across both DCs

With option 2 is vMotion supported over VxLan?



Enterprise WiFi issues with macOS

Hi Everyone,

Long story short is that we're having trouble with macOS clients getting stuck on access points even when the client is reporting awful RSSI. The effect being that when a user moves around the office they won't switch to a stronger access point until after minutes with no throughput, obviously this is frustrating a good deal of people. If they toggle on/off their WiFi it connects to the preferred access point and their throughput is good to go.

I've seen this issue online specifically with macOS and there hasn't been a great solution that I've found and I'm getting desperate.

Hardware: Peplink Balance 710 core, 5x Peplink AP One access points

Context: Our network is WPA2 Personal, 5GHz only, and we've scanned channels several times and set static channels for each AP (we're in a very noisy environment with other businesses next to us, below us, and above us). We have about 150 clients in that office at the very most (typically less), and it's about 2500-3000 sq ft in the shape of an L.

We've tried setting the band to 20MHz and that helps roaming SOMEWHAT but then throughput can get pretty sketchy if there's a ton of people in the office. Putting it at 40MHz obviously makes throughput better but then the roaming issues persist. I feel like we've tried virtually everything with output power, client signal strength threshold (which as I'm sure you all know can be reported vastly different to the AP than the client), max number of clients.

I even found a setting for Macs that allows you to set the JoinMode to the strongest AP and we pushed out an ongoing script that makes sure that's set for all our macOS clients which can be found here. However I've also read that this has been built in to macOS since 10.10, so I'm not sure.

I completely understand that without seeing my environment and being here there's limited help available to me, and I'm ready to call a consultant or contractor to have a look, I just wanted to pick the brains of r/networking first to see if anyone has dealt with macOS in the enterprise before and has any pointers.

Happy to provide any additional information you need!



Cisco ASA 5585-X module firmware upgrade

I have a Cisco ASA 5585-X pair in HA, but today when I rebooted one of the units it got stuck at rommon> and I had to type boot to load the software. After googling I found this could be my problem: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtn87652/?rfs=iqvred

This is what i have in ASA (HW Version 1.3 / Fw Version 2.0(7)2 )

```
asa-fw1/pri/act# sh module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5585-X Security Services Processor-20 wi ASA5585-SSP-20     JAF1530BNNJ

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 44d3.ca34.ec38 to 44d3.ca34.ec43  1.3          2.0(7)2      9.6(4)36

Mod  SSP Application Name           Status           SSP Application Version
---- ------------------------------ ---------------- --------------------------

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable

Mod  Slot
---- -----------------------
   0 Slot 1 (Dual SSP Mode)
```

I have searched everywhere to find out how to upgrade the firmware but didn't find any info about where to obtain it. I don't have Cisco support so can't contact Cisco, but is there any way I can get this code?



BGP trouble - Out of my depth

So we have a public block of IPv4 /24 that our ISP is advertising for us, since our equipment would be unable to handle the routing table required. (BGP)

We've been using this setup for a while now with no major issues.

Yesterday morning I started receiving reports that websites were unavailable, so I put on my Sherlock hat, grabbed my coffee and got to work.

It came down to: clients on certain providers were unable to reach us. With online tools for traceroute, 1 in 3 took the wrong way home and ended up in a black hole somewhere. The ISP says they can't do much because it's too far upstream.

What would be the best course of action to have this fixed? Any advice appreciated.



Finding a device's unknown IP address and subnet

Hey all, I have some manufacturing equipment that needs to get on our network. These basically all came preconfigured with static IP and subnets unknown to me; some may be able to accept DHCP, but I don't know if that's the case for all of them. The PLCs contain a broad array of industrial ethernet switches with which I have zero experience. I need to get into the GUI of these machines and reset the static IP so it can communicate on the VLAN I've created.

My question is: How do I find out what these IP and subnets are that have been statically set on these devices? For all I know, they could be class A, B, or C private addresses.

I was thinking of connecting the devices directly to my laptop with an ethernet cable and running a Wireshark capture, looking for ARP broadcasts. But wouldn't my laptop's NIC need to be set up on the same network as the device it's connecting to, i.e. if the device is on the 192.168.0.0/16 network, my laptop would need to be on that subnet as well, in order to even see the broadcast traffic?

Any advice is greatly appreciated.
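An added example (not from the post) that parses the ARP frames such a capture would contain and lists the addresses each device claims and asks for. A NIC hands every broadcast frame to the capture regardless of what IP the laptop itself has configured, so the laptop does not need to sit on the device's subnet to see these; only answering them would. The MAC address and frames below are constructed.

```python
"""Passive discovery of a statically addressed device from the ARP frames it
sends.  Added example, not from the post; the frames below are constructed
to stand in for a capture taken with the laptop cabled to the device."""
import ipaddress
import struct

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x0806, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip) for an Ethernet II
    ARP-over-IPv4 frame, or None for anything else."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return op, sha.hex(":"), str(ipaddress.IPv4Address(spa)), str(ipaddress.IPv4Address(tpa))


def build_arp(op: int, sha: bytes, spa: str, tha: bytes, tpa: str, dst=BROADCAST) -> bytes:
    """Build a frame for the constructed sample (and for tests)."""
    return ETH.pack(dst, sha, ETHERTYPE_ARP) + ARP.pack(
        1, ETHERTYPE_IPV4, 6, 4, op, sha, ipaddress.IPv4Address(spa).packed,
        tha, ipaddress.IPv4Address(tpa).packed)


def discover(frames) -> dict:
    """Map each sender MAC to the addresses it claims ('own') and the ones it
    asks for ('asks_for').  A device announces its own address in 'spa'
    (gratuitous ARP at boot has spa == tpa); what it asks for hints at the
    gateway or peers it was configured against."""
    found = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, mac, sender_ip, target_ip = parsed
        entry = found.setdefault(mac, {"own": set(), "asks_for": set()})
        if sender_ip != "0.0.0.0":  # ARP probes (RFC 5227) carry 0.0.0.0 as spa
            entry["own"].add(sender_ip)
        if op == ARP_REQUEST and target_ip != sender_ip:
            entry["asks_for"].add(target_ip)
    return found


def private_block(ip: str) -> str:
    """Which RFC 1918 block an address falls in, using the 'class' names the
    post uses: A = 10/8, B = 172.16/12, C = 192.168/16; otherwise 'public'."""
    addr = ipaddress.IPv4Address(ip)
    for label, net in (("A", "10.0.0.0/8"), ("B", "172.16.0.0/12"), ("C", "192.168.0.0/16")):
        if addr in ipaddress.IPv4Network(net):
            return label
    return "public"


# Constructed sample: a PLC with a made-up MAC booting and looking for its
# gateway, plus one non-ARP frame that must be ignored.
PLC_MAC = bytes.fromhex("001d9c0a0b0c")
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, PLC_MAC, "10.10.1.5", b"\x00" * 6, "10.10.1.5"),  # gratuitous
    build_arp(ARP_REQUEST, PLC_MAC, "10.10.1.5", b"\x00" * 6, "10.10.1.1"),  # who has gateway?
    ETH.pack(BROADCAST, PLC_MAC, ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 40,   # IPv4, skipped
]

if __name__ == "__main__":
    for mac, info in discover(SAMPLE_FRAMES).items():
        for ip in sorted(info["own"]):
            print(f"{mac} claims {ip} (RFC 1918 block {private_block(ip)}), "
                  f"asks for {sorted(info['asks_for'])}")
```

The subnet mask never appears in ARP; what the device asks for (usually its gateway) bounds the subnet well enough to put the laptop on it and try the GUI.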



manually config iptables/routes for VPN tunnel on WiFi router

After countless sleepless nights I've finally compiled a working kernel module to enable WireGuard on a Netgear LTE router.

I've messed around with ip [-6] route and iptables, but the most I'm able to achieve is successfully forcing all IPv6 and IPv4 data from the router shell itself through the tunnel, like when I run curl or ping while I'm SSH'd into the router. When I connect a device via WiFi, none of the traffic goes through the tunnel despite the default gateway of the router being set to the tunnel network interface. I've tried things like ip route add 155.254.96.50 via 10.38.125.65, ip route add 0/1 dev wg0, ip route add 128/1 dev wg0, etc.

What do I need to do manually with routes and iptables to set up forced VPN tunneling for devices connected via WiFi?

Here's my default config, untouched by my changes except for the addition of the WireGuard interface. I connect to WiFi primarily on wlan0, based on the MAC address.

```
~ root@mdm9650 ❯ ifconfig
bridge0   Link encap:Ethernet  HWaddr 10:0C:6B:79:B9:86
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::604f:e2ff:fed6:678b/64 Scope:Link
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:2741 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2593831 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:178838 (174.6 KiB)  TX bytes:1223449056 (1.1 GiB)

eth0      Link encap:Ethernet  HWaddr 02:29:CE:CD:34:E9
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1036 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1036 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:544167 (531.4 KiB)  TX bytes:544167 (531.4 KiB)

rmnet_data0 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.38.125.66  Mask:255.255.255.252
          inet6 addr: 2600:380:5221:52a4:e870:cb70:7bee:8a5e/64 Scope:Global
          inet6 addr: fe80::e1b1:5e20:6636:ce96/64 Scope:Link
          UP RUNNING PROMISC ALLMULTI  MTU:1430  Metric:1
          RX packets:1834 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3098 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:336379 (328.4 KiB)  TX bytes:468256 (457.2 KiB)

rmnet_ipa0 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP RUNNING  MTU:2000  Metric:1
          RX packets:1834 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3098 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:343715 (335.6 KiB)  TX bytes:468256 (457.2 KiB)

rndis0    Link encap:Ethernet  HWaddr E6:8C:C1:46:4F:00
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.65.187.205  P-t-P:10.65.187.205  Mask:255.255.255.255
          inet6 addr: fc00:bbbb:bbbb:bb01::2:bbcc/128 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:984 (984.0 B)  TX bytes:1256 (1.2 KiB)

wlan0     Link encap:Ethernet  HWaddr 10:0C:6B:79:B9:85
          inet addr:169.254.1.1  Bcast:255.255.255.255  Mask:0.0.0.0
          inet6 addr: fe80::120c:6bff:fe79:b985/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29162 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44110 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3000
          RX bytes:248 (248.0 B)  TX bytes:367112 (358.5 KiB)

wlan2     Link encap:Ethernet  HWaddr 10:0C:6B:79:B9:86
          inet addr:169.254.2.1  Bcast:255.255.255.255  Mask:0.0.0.0
          inet6 addr: fe80::120c:6bff:fe79:b986/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1095 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3000
          RX bytes:0 (0.0 B)  TX bytes:76088 (74.3 KiB)
```

```
~ root@mdm9650 ❯ iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i rmnet_data0 -p tcp -m tcp --dport 443 -j DROP
-A INPUT -i rmnet_data0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i rmnet0 -m state --state INVALID,NEW -j DROP
-A INPUT -i rmnet+ -m state --state INVALID,NEW -j DROP
-A FORWARD -i bridge0 -p tcp -m state --state INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1390
```

```
~ root@mdm9650 ❯ iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o rmnet_data0 -j SNAT --to-source 10.38.125.66

~ root@mdm9650 ❯ ip route
default via 10.38.125.65 dev rmnet_data0
10.38.125.64/30 dev rmnet_data0 scope link
192.168.1.0/24 dev bridge0 proto kernel scope link src 192.168.1.1

~ root@mdm9650 ❯ ip -6 route
2600:380:5221:52a4::/64 dev bridge0 metric 1024
fc00:bbbb:bbbb:bb01::2:bbcc dev wg0 proto kernel metric 256
fe80::/64 dev bridge0 proto kernel metric 256
fe80::/64 dev rmnet_data0 proto kernel metric 256 mtu 1430
default dev rmnet_data0 metric 256
```
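As an added example (not the poster's code), a small audit of the posted ip route and iptables output against what forwarding LAN clients through wg0 needs, and the commands that close each gap. Interface names and addresses are the ones in the post; 155.254.96.50 is the VPN endpoint the poster added a route for, and the ordering of checks and the MSS arithmetic are mine.

```python
"""Audit a Linux router's routes and iptables for 'forward all LAN traffic
through WireGuard' and emit the missing commands.  Added example; the sample
outputs are the ones in the post, the interface names are the router's."""
import re

LAN_IF, LAN_NET = "bridge0", "192.168.1.0/24"
WAN_IF, WAN_GW = "rmnet_data0", "10.38.125.65"
WG_IF, WG_MTU = "wg0", 1420
WG_ENDPOINT = "155.254.96.50"  # VPN server the poster added a route for

# Outputs from the post (pre-change), used as the audit input.
POST_IP_ROUTE = """default via 10.38.125.65 dev rmnet_data0
10.38.125.64/30 dev rmnet_data0 scope link
192.168.1.0/24 dev bridge0 proto kernel scope link src 192.168.1.1"""
POST_NAT = "-A POSTROUTING -o rmnet_data0 -j SNAT --to-source 10.38.125.66"
POST_FILTER = """-P FORWARD ACCEPT
-A FORWARD -i bridge0 -p tcp -m state --state INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1390"""


def audit(ip_route: str, nat_rules: str, filter_rules: str) -> list:
    """Return the checks that fail, as short finding strings."""
    findings = []
    routes = [l.split() for l in ip_route.splitlines() if l.strip()]
    # A default over wg0 would also swallow the tunnel's own UDP packets
    # unless the endpoint keeps a host route via the LTE link.
    if not any(r[0].split("/")[0] == WG_ENDPOINT and WAN_IF in r for r in routes):
        findings.append("no host route for the WireGuard endpoint via the LTE link")
    # Two /1 routes are more specific than the existing default, so LAN
    # traffic prefers wg0 without touching the carrier-managed default.
    wg_prefixes = {r[0] for r in routes if "dev" in r and r[r.index("dev") + 1] == WG_IF}
    if "default" not in wg_prefixes and not {"0.0.0.0/1", "128.0.0.0/1"} <= wg_prefixes:
        findings.append("no default (or 0.0.0.0/1 + 128.0.0.0/1) route over wg0")
    # The existing SNAT only covers rmnet_data0; packets leaving wg0 with a
    # 192.168.1.x source are discarded at the far end.
    if not re.search(rf"-A POSTROUTING .*-o {WG_IF} .*-j (MASQUERADE|SNAT)", nat_rules):
        findings.append("LAN packets leaving wg0 are not source-NATed to the tunnel address")
    # Without a kill switch, LAN traffic silently falls back to plain LTE
    # whenever the tunnel is down.
    if not re.search(rf"-A FORWARD -i {LAN_IF} -o {WAN_IF} -j DROP", filter_rules):
        findings.append("no kill switch: LAN is forwarded straight to LTE when wg0 is down")
    return findings


def remediation(findings: list) -> list:
    """Shell commands, in order, that close each finding (paste into the router shell)."""
    cmds = ["sysctl -w net.ipv4.ip_forward=1",
            f"# check: 'wg show {WG_IF} allowed-ips' must list 0.0.0.0/0, "
            f"else {WG_IF} drops forwarded packets"]
    for f in findings:
        if f.startswith("no host route"):
            cmds.append(f"ip route replace {WG_ENDPOINT}/32 via {WAN_GW} dev {WAN_IF}")
        elif f.startswith("no default"):
            cmds += [f"ip route replace 0.0.0.0/1 dev {WG_IF}",
                     f"ip route replace 128.0.0.0/1 dev {WG_IF}"]
        elif "source-NATed" in f:
            cmds.append(f"iptables -t nat -A POSTROUTING -s {LAN_NET} -o {WG_IF} -j MASQUERADE")
            # TCP MSS must be 40 bytes under the tunnel MTU; the existing
            # 1390 clamp is too large for a 1420-byte wg0.
            cmds.append(f"iptables -t mangle -A FORWARD -o {WG_IF} -p tcp --tcp-flags SYN,RST SYN "
                        f"-j TCPMSS --set-mss {WG_MTU - 40}")
        elif "kill switch" in f:
            cmds.append(f"iptables -I FORWARD -i {LAN_IF} -o {WAN_IF} -j DROP")
            # No NAT66 is set up here, so keep IPv6 from bypassing the tunnel too.
            cmds.append(f"ip6tables -I FORWARD -i {LAN_IF} -o {WAN_IF} -j DROP")
    return cmds


# What the same three outputs look like once the commands above are applied.
FIXED_IP_ROUTE = f"""{WG_ENDPOINT} via {WAN_GW} dev {WAN_IF}
0.0.0.0/1 dev {WG_IF} scope link
128.0.0.0/1 dev {WG_IF} scope link
""" + POST_IP_ROUTE
FIXED_NAT = f"-A POSTROUTING -s {LAN_NET} -o {WG_IF} -j MASQUERADE\n" + POST_NAT
FIXED_FILTER = f"-A FORWARD -i {LAN_IF} -o {WAN_IF} -j DROP\n" + POST_FILTER

if __name__ == "__main__":
    problems = audit(POST_IP_ROUTE, POST_NAT, POST_FILTER)
    print("\n".join(problems))
    print("\n".join(remediation(problems)))
    print("after fix:", audit(FIXED_IP_ROUTE, FIXED_NAT, FIXED_FILTER))
```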



DNS Provider - Who do you use?

Hey guys/gals!

I know most companies use their ISP for hosting their DNS records. We are looking to move away from being stuck on a particular ISP for hosting our DNS, and are looking at 3rd party options. Who do you recommend? I am looking for fast timers, great UI, and good support and features.

I'd appreciate any insight.



Need help figuring out how to force a patch across a network

Hey guys, newcomer here. I've been attempting to push a hotfix across a network that I am new to managing but unfortunately can't figure out how.

We have SCCM but my superiors are wanting it to be forced so we know it went through, though SCCM doesn't seem to be functioning anyway. I've been looking through things such as powershell, which I'm terribly new to using as well, though I'm struggling to find things that will assist in this.

(If this is not allowed then my apologies! Was just attempting to seek help while digging through google still.)



Connect switch in two different data centers

Hello,

I have cages located in two different data centers. In one data center I have a Cisco Catalyst 3650 and in the other data center I have a Cisco 9300. Our data center uses a cross connect, meaning that we have the ability to connect to our network across town. I hooked up the 9300 to the patch panel and I'm not receiving a link light on my gigabit port. My question is, do I need to create an uplink on both switches? How would I do that?



Scripts to Change multiple IPs

So I'll be doing this on a semi-regular basis where I need to change specific addresses in multiple configuration files. I've created a shell script to rename specific parts in multiple configuration names, but that's as far as my knowledge goes.

I can't seem to get my head around replacing a specific IP at a specific line IN the configurations themselves; any ideas how to go about achieving this?



Why should you use a feature-driven development?

FDD or feature-driven development is an Agile framework - a certain process that offers businesses feature-rich systems that support them in controlling their ever-growing nature. Even from its name, we may immediately guess that this framework organizes software development around making progress on features. As we know, the future mainly depends on customers and architecture, so these are essential points in this FDD process.



FortiGate unreasonable DNS error 53/udp

Hi guys,

Having an issue where I experience multiple DNS errors on our FortiGate (v5.4.5) followed by a successful DNS session from the same client to the same destination (8.8.8.8 / Google).

This is all happening on the same subnet (Guest-Wifi). Policy basically allows all traffic from that subnet to the Internet without restrictions (any/any). So no Ports blocked here.

Yet the same Policy ID that allows DNS traffic is the same that declines it. Destination Interface/Port is the same and I can't figure out why those drops are happening. Result is that some URLs can't be loaded while others are resolved without any issues.

I've read multiple articles & posts in forums now and the issue seems to be somewhat common but I'm yet to find a solution. Maybe anyone has experienced this before.



Need help: traceroute from 2 PCs

Took a traceroute from 2 PCs. They have the same exact 10 hops, but RTTs can be vastly different at different hops from one PC to the other when taken at the same time (differences of up to 200 ms). Sometimes PC1 will be faster, other times PC2 will be.

Any thoughts / suggestions / advice would be greatly appreciated.



Cisco ASR920 output drops, even when there is no congestion

Hello my dear networking fellers.

I am facing a strange issue with output drops on a non-congested interface on an ASR920. These are not policy-map drops, since none are applied on the ports.

diag:

https://imgur.com/uoFZDPI

Primetime 5min averages max (Po1 ~ 1.36Gbps, Gi0/0/1 ~ 530Mbps, Gi0/0/2 ~ 850Mbps).

stats:
https://hastebin.com/raw/dekazuceri

The problem is that there are output drops present on both gi0/0/1 and gi0/0/2, even in non-primetime. Naturally the drops increment much faster during primetime. They also increment faster on gi0/0/2.

I have already tried extending output hold-queue, disabling input FC, but no luck.

Have you got any ideas, what is causing ASR to drop the packets on output?



Wednesday, January 22, 2020

Management GUI for Cisco switches

Hi everyone,

I'm starting the planning for implementing VLANs on our network (~70 users). In a perfect world, I would have the budget to replace all of the SG300s we have mixed with our 2960X models, but this is the real world.

I'd like to have a management interface for the switches. Cisco Network Assistant seems promising, but it doesn't seem to be able to manage the SG300s. I will primarily be the one doing the VLANs, so CLI isn't too big of an issue (although GUI preferred as this is my first implementation).

Are SG300s too old for CNA or is there a better alternative?

Thank you!



Improving the bandwidth in the Office.

Hi r/networking,

I'm not an expert in this field, but I do have minor experience. Please forgive me if I say something that will make you cringe.

Problem 1:

We have some "special" type of Cat5e cables wired in this building, the kind where you can't just put in a regular straight cable or crossover to connect the wall directly to the workstations/laptops. It's a customized version where only 4 wires are in use (not the complete 8). My first concern here is that with the bandwidth speeds today, would they need those 8 entirely or still only 4? Maybe I need to know what the function of those 8 wires is first.

I know well that Cat5e can support up to 1gbps of data in a 300 meter cable, but when I set them on the switch as 1G, they tend to drop intermittently, and with auto-negotiation it seems OK.

When I ran a speed test, it's only getting about 7mb download and 12mb upload and that seems slow for a 1gbps line.

I also want to test the speed from our internal network, from one workstation to a server, how do i do this?

Problem 2:

We have a server that has 4 LAN ports on the back, and I was wondering if this is something we can utilize to increase the bandwidth of the server or if there is a configuration you guys have encountered to convert them into like MPLS or some sort where the two NIC's are combined together so it can have double bandwidth.

Thanks for those who have the time to read and/or respond.



What kind of fiber optic tester do I need?

In my job, we use two multimode fiber optic cables. One has LC connectors and the other has ST connectors. They are run through the ceiling before I arrive on-site, and I want to do a quick check to make sure they work. If there is a fault, I don't need to know specifically where it is; I only need to know if the cable is functional or not.

So, what should I be looking for? I'd appreciate both general advice and specific recommendations for a good, compact (I travel by air with my tools) unit.

Thanks!



Remote mount file

I am looking to be able to remotely mount a veracrypt container that is either hosted online or on my personal NAS. I need the file to show up almost like a NFS or Samba share but over WAN. I had looked into this in the past and if I remember correctly the easiest method was iSCSI if anyone has any recommendations that would be super sweet.



LAN download speed falls but WiFi doesn't?

Ok this is weird

When connected via LAN cable to the router, the download speed falls (from ~100MBps to 20MBps) after 5 mins of usage. Note that ping and upload speeds do not fall/change.

When I compared this to a wireless connection to the same router, the download speed stays normal (~100MBps).

Some observations:

• I tested this on 2 systems, ensuring it's either a router or LAN cable problem.

• LAN connection IS capable of giving me 100MBps when I restart my router, even though it's for 5 mins only.

. I did factory reset my router and saw no changes.

Are there any router tweaks that I gotta do? Should I replace my router? Or my LAN cable?

UPDATE - actually checked with another LAN cable, same slow speed results. Now that I know the problem is 100% with my router, do you think MAC-IP binding might help?



Any negative experience of local government blocking SD-WAN ?

Hi everyone,

I'm currently researching WAN solutions and had a question about SD-WAN and government policies.
We are planning to move away from MPLS towards SD-WAN, but have experienced with our China and Egypt subsidiaries that they block the network for VPN/IPSec (China does it permanently).

Are there more countries that tend to do this, and is there a workaround/solution to this?



Peer Review Tool Idea - Interest?

Syn/Ack and all that... happy 3rd Monday everyone.

So throughout my career I've seen a few times where small changes while attempting to implement something simple like a new VLAN/SVI/VRF/Trunk/etc. lead to an outage because some small part of the change was done incorrectly. Additionally, I worked at Google for a few years and had good exposure to the changelist/peer review process for software (SWEs/SREs). I haven't seen a good product that can kind of find a safe middle ground to get a small team closer to the way the big 4 tech companies treat their infrastructure prior to a full feet-first commitment to infra as code involving either new hardware/OSes or maybe something like Salt/Ansible.

So my idea that I'm looking to see if there's any community/industry interest in is as follows: I plan to develop something in Python with a backend that provides a lightweight map or listing of network devices in your environment. When you want to implement a new change, you grab the devices that will be necessary to make changes to, and the software pulls a current configuration from those devices and starts a changelist. At this point, you make proposed changes to the configs of all devices, and submit the change for a peer review... which will roll up a Diff comparison of old/proposed and allow another network engineer to quickly review for sanity check. Once approved, the changes could be made (manual or automation driven potentially). I know if all network configs were in Git or some version control, this would be easily doable... but for some traditional environments there's no VC integration at all, which is where I think this software could help potentially.

There are plenty of other ideas in my head about bringing in unit/integration testing, etc., but at a very basic level that's the idea: take a traditional infrastructure and provide a tool to slightly bridge it towards a more infra-as-code managed environment and potentially cut down on small user-error-driven outages.

Is this something anyone would want to try out or could see themselves using? Is it something that's a waste of effort due to XYZ? Thanks for any feedback.
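A minimal sketch of the changelist step described above (pull, propose, diff, peer review, push), added here as an example and not the poster's tool: the configs are constructed IOS-style snippets standing in for what would be pulled from the devices, and the stale-base check is an assumption about how such a tool should behave.

```python
"""A minimal config changelist with per-device diffs and a peer-review gate.

Added example sketching the workflow described in the post, not the poster's
tool: configs are constructed IOS-style snippets, and the "pull from device"
step is represented by the text handed to the changelist.
"""
import difflib
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class Changelist:
    author: str
    base: Dict[str, str]      # device -> config as pulled when the CL was opened
    proposed: Dict[str, str]  # device -> edited config
    approvals: Set[str] = field(default_factory=set)

    def diffs(self) -> Dict[str, str]:
        """Unified diff per device: the artefact a reviewer actually reads."""
        out = {}
        for device, before in self.base.items():
            after = self.proposed.get(device, before)
            lines = difflib.unified_diff(
                before.splitlines(), after.splitlines(),
                fromfile=f"{device}/running (pulled)", tofile=f"{device}/proposed",
                lineterm="",
            )
            diff = "\n".join(lines)
            if diff:
                out[device] = diff
        return out

    def approve(self, reviewer: str) -> bool:
        """Record an approval; the author may not approve their own change."""
        if reviewer == self.author:
            return False
        self.approvals.add(reviewer)
        return True

    def ready_to_push(self) -> bool:
        return bool(self.approvals) and bool(self.diffs())

    def is_stale(self, device: str, live_config: str) -> bool:
        """True when the device's running config no longer matches what the CL
        was based on (someone changed it after the pull); pushing the proposal
        as-is would silently overwrite that change."""
        return _sha256(live_config) != _sha256(self.base[device])


def build_sample_changelist() -> Changelist:
    """Constructed example: add VLAN 120 with an SVI on core1, trunk it on access1."""
    core1 = ("hostname core1\n!\nvlan 110\n name users\n!\n"
             "interface Vlan110\n ip address 10.1.110.1 255.255.255.0\n")
    access1 = ("hostname access1\n!\ninterface GigabitEthernet1/0/48\n"
               " switchport mode trunk\n switchport trunk allowed vlan 110\n")
    proposed_core1 = core1 + ("!\nvlan 120\n name printers\n!\n"
                              "interface Vlan120\n ip address 10.1.120.1 255.255.255.0\n")
    proposed_access1 = access1.replace("allowed vlan 110", "allowed vlan 110,120")
    return Changelist(
        author="alice",
        base={"core1": core1, "access1": access1},
        proposed={"core1": proposed_core1, "access1": proposed_access1},
    )


if __name__ == "__main__":
    cl = build_sample_changelist()
    for device, diff in cl.diffs().items():
        print(diff, "\n")
    print("self-approval accepted:", cl.approve("alice"))
    print("peer approval accepted:", cl.approve("bob"))
    print("ready to push:", cl.ready_to_push())
```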



Where can I find a list of vulnerabilities on FTD

I want to find a list of vulnerabilities for firepower software affecting version 6.2.3.15. I need to make a use case to upgrade to 6.4.x, so I just need a list of vulnerabilities.



Multicast Routing

So the network I'm working on is a hub and spoke. All sites are connected to the hub through tunnels. One of the spokes recently is receiving multicast video from a device.

I wanted to know how I would allow all sites to have access to the video feed. I looked online and from what I read you route the source address through the network to that spoke site, rather than what I had originally thought (routing the multicast IP through the tunnels). But I'm pretty sure I'm missing something.

TLDR: how do I route multicast through tunnels?

Any help would be appreciated thanks.



Snmpwalk and Link Aggregation Groups

Hi!

In my company we have a PowerShell script to find in which switch port a specific IP address is connected to. It is something like this:

Import-Module Proxx.SNMP

# Switches to query, and the MAC to look for in the format the walk returns it
$SwitchesIPs = ("192.168.40.1","192.168.40.2","192.168.40.3","192.168.40.4")
$MAC = "48 4D 7E FE 17 EE"

foreach ($IP in $SwitchesIPs) {
    # dot1dTpFdbAddress: find the FDB row whose value is our MAC
    $OID = (Invoke-SnmpWalk -IP $IP -OID .1.3.6.1.2.1.17.4.3.1.1 -Community public | Where-Object { $_.Value -eq $MAC })
    if ($null -eq $OID) { continue }   # MAC not known to this switch
    # Strip the 23-character table OID, keeping the row index (the MAC as six decimal octets)
    $OID = $OID.OID.Remove(0, 23)
    # dot1dTpFdbPort: the bridge port the MAC was learned on, for that same row index
    $SwitchPort = (Invoke-SnmpWalk -IP $IP -OID .1.3.6.1.2.1.17.4.3.1.2 -Community public | Where-Object { $_.OID.EndsWith($OID) }).Value
}

Since the person in charge of the switches configured a LAG on them, all we can find using that script is the port of that LAG.

Does anyone know a way to find that information again even with a LAG configured?
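The post-processing side of that lookup, as an added example rather than the poster's script: BRIDGE-MIB legitimately reports the aggregate as the learned port, so the example maps the bridge port to its ifIndex and, through IF-MIB's ifStackTable, to the LAG's member interfaces. The walk output is constructed sample data (OIDs are the standard ones; the Port-channel naming and ifIndex values are assumptions).

```python
"""Resolve the interface behind a bridge-port number returned by dot1dTpFdbPort.

Added example, not the original poster's script: it post-processes walk
results instead of performing the walk, so SAMPLE_WALK below is constructed
data standing in for Invoke-SnmpWalk output (OID -> value, as strings).
"""
from typing import Dict, List, Optional

# Standard OIDs: BRIDGE-MIB (dot1dTpFdbPort is the table the post walks) and IF-MIB.
DOT1D_TP_FDB_PORT = ".1.3.6.1.2.1.17.4.3.1.2"        # FDB row (MAC) -> bridge port
DOT1D_BASE_PORT_IFINDEX = ".1.3.6.1.2.1.17.1.4.1.2"  # bridge port -> ifIndex
IF_DESCR = ".1.3.6.1.2.1.2.2.1.2"                    # ifIndex -> interface name
IF_STACK_STATUS = ".1.3.6.1.2.1.31.1.2.1.3"          # higher.lower -> RowStatus

# Constructed sample: 48:4D:7E:FE:17:EE is learned on bridge port 49, which is
# Port-channel1 (ifIndex 1001) stacked on members ifIndex 1 and 2; a second
# MAC sits on a plain access port (bridge port 3 -> ifIndex 3).
SAMPLE_WALK: Dict[str, str] = {
    DOT1D_TP_FDB_PORT + ".72.77.126.254.23.238": "49",
    DOT1D_TP_FDB_PORT + ".0.37.144.1.2.3": "3",
    DOT1D_BASE_PORT_IFINDEX + ".49": "1001",
    DOT1D_BASE_PORT_IFINDEX + ".3": "3",
    IF_DESCR + ".1": "GigabitEthernet1/0/1",
    IF_DESCR + ".2": "GigabitEthernet1/0/2",
    IF_DESCR + ".3": "GigabitEthernet1/0/3",
    IF_DESCR + ".1001": "Port-channel1",
    IF_STACK_STATUS + ".1001.1": "1",  # Po1 sits on top of Gi1/0/1 ...
    IF_STACK_STATUS + ".1001.2": "1",  # ... and Gi1/0/2
    IF_STACK_STATUS + ".0.1001": "1",  # nothing above Po1
    IF_STACK_STATUS + ".3.0": "1",     # nothing below Gi1/0/3
}


def mac_to_fdb_index(mac: str) -> str:
    """dot1dTpFdbTable is indexed by the six MAC octets in decimal, so the row
    OID can be built directly instead of walking dot1dTpFdbAddress and
    stripping 23 characters as the original script does."""
    octets = mac.replace(":", " ").replace("-", " ").split()
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "." + ".".join(str(int(o, 16)) for o in octets)


def lag_members(walk: Dict[str, str], ifindex: str) -> List[str]:
    """ifIndexes stacked directly below `ifindex` (active ifStackTable rows).
    Assumption: the walk renders RowStatus active as "1" or "active(1)"."""
    prefix = f"{IF_STACK_STATUS}.{ifindex}."
    members = []
    for oid, status in walk.items():
        if not oid.startswith(prefix):
            continue
        lower = oid[len(prefix):]
        if lower.isdigit() and lower != "0" and status.startswith(("1", "active")):
            members.append(lower)
    return sorted(members, key=int)


def find_learned_interface(walk: Dict[str, str], mac: str) -> Optional[dict]:
    """Map a MAC to the interface the local switch learned it on. When that
    interface is a LAG, also list the member ports: the switch correctly
    reports the aggregate, and which member carries the frames is decided by
    the LAG hash, so the physical port is only pinned down by repeating this
    on the neighbouring switch at the far end of the LAG."""
    port = walk.get(DOT1D_TP_FDB_PORT + mac_to_fdb_index(mac))
    if port is None:
        return None  # MAC not in this switch's FDB
    ifindex = walk.get(f"{DOT1D_BASE_PORT_IFINDEX}.{port}", port)
    members = lag_members(walk, ifindex)
    return {
        "bridge_port": port,
        "ifindex": ifindex,
        "name": walk.get(f"{IF_DESCR}.{ifindex}", f"ifIndex {ifindex}"),
        "is_lag": bool(members),
        "members": [walk.get(f"{IF_DESCR}.{m}", f"ifIndex {m}") for m in members],
    }


if __name__ == "__main__":
    for mac in ("48 4D 7E FE 17 EE", "00:25:90:01:02:03", "00:11:22:33:44:55"):
        print(mac, "->", find_learned_interface(SAMPLE_WALK, mac))
```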



Rack layout and cabling type

Quick questions:

1) In a server rack / misc rack (not networking): Would you install patch panels at the top or middle of the rack (assuming cables come from the raised floor)? Most seem to recommend the top, but using the middle of the rack would require stocking fewer sizes of patch cables.

2) For intra-DC connections (rack-to-rack), less than 20m, which kind of Cat6A would you use? F/UTP, u/FTP, FTP, ....

Thx



Cradlepoint hotspot limit question

Hi. We have some Cradlepoint 4G hotspot routers providing a free WiFi service to our users on public transport. We have had issues with excessive usage by a small number of users resulting in increased carrier charges. We have looked into ways to limit usage per user but this doesn't appear to be an option. Our supplier has also been unable to advise, and the only options available seem to be applying a bandwidth limit per user (which we have already done) or a global data limit that cuts off the whole unit once the cap is reached. Is a per-user data limit really missing from these units? Seems like a basic feature, or are these units more aimed at providing WiFi for fleets like police cars etc. with single users? Thanks.



ASA, this one has me stumped

I've an active/standby ASA 5510-X pair in production which has been humming away merrily without issue for a few years.

Suddenly yesterday roughly every 30 - 60 seconds it'll stop responding to pings on any of its interfaces, including the mgmt int.

If I console on during this period, the reverse is also true, i.e. I can't ping out either. Nothing on the config has changed; I've tried failing over and cold reboots of both devices (alternately and simultaneously).

All interfaces stay in the up state, ARP tables look fine, clearing conns and xlate sessions doesn't help.

Unfortunately neither device will stay up long enough for me to update the firmware, but unless I've hit a very weird bug that survives a power cycle I'm not convinced that will fix it.

Any ideas/tips on what to look for?

Cheers

Rich



STEM Activity

Hi all,

I've been asked to set up a table at a careers fair for 7-11 year olds. The idea is to set up a snappy activity that kids can come by to try. I'm finding it difficult to think of something related to networking that can be quick and snappy. I'd be grateful to hear your ideas!

Thanks in advance :)



Tuesday, January 21, 2020

BYOD on WLAN with Cisco WLC

We have IT employees connecting to the WLAN using their laptops and we want to give them access to internal servers. So what is the best way to achieve this? We have a Cisco WLC 5508. We also want the employees to authenticate before gaining access to resources.



Internet for Forti AP not working but can ping google.com and internet.

Hi to all, I created a new SSID with an IP subnet on the Fortinet and allowed traffic to pass to all Forti APs. I also created a policy from the source SSID to the outgoing interface (Internet). I can ping 8.8.8.8, however I cannot search the internet. I tried it on my mobile and all apps like FB Messenger are working. Please take note that all services are allowed on my policy rule. But when I use a browser to search the internet, it doesn't work. Also, the old SSID for internet is working; I just copied all the config and policy to the new SSID but it's not working. The Fortinet is configured to be the DHCP server for the SSID and also the WLC for the Forti APs.



Math Degree For Network Engineer?

I'm currently a Junior finishing up my Bachelor's in Math. Will my degree help me get a foot in the door for internships and entry-level Network Engineering positions when I graduate? From what I've read, problem-solving is huuuuuuuge and I have a strong grasp of problem-solving just from the rigorous coursework in my Math degree.



Need suggestions on Next generation monitoring network monitoring tools

We have moved from MPLS to an SD-WAN network.

We are starting to have several issues with SolarWinds and the SolarWinds support team has not been helpful either.

Also, we have gone through 2 or 3 SolarWinds upgrades, software and hardware as well, so far!!!

So I am looking to see if we can find another network monitoring tool that we can replace SolarWinds with.

Please give me your feedback/suggestion on some good network monitoring tools.

Please send me the names of the network monitoring tools that you recommend so I can add them to my list to get reviewed before we make a final decision.

The new network monitoring tool needs to meet the following requirements:

The network monitoring tool needs to be able to work with/monitor the following network hardware:

1- SD-WAN connection using Silver-Peak device

2- LAN switch using Meraki switch

3- Wireless using Meraki access point

4- UPS using APC

5- Open-Gear and Trip-Lite

Network Size:

1- Around 475 branch offices

2- Two Data Centers

Monitoring requirements:

1- Monitor and send alerts for all network equipment for up and down status.

2- Be able to create monthly Capacity Management for all of our WAN circuits.

3- Managing the WAN with correct bandwidth size for each interface in the monitoring tools

4- Be able to create monthly Availability Management for all of our WAN circuits for Monday through Friday between 7 AM and 7 PM ONLY.

5- Measuring VOICE quality at each of our offices and be able to send alerts pro-actively for any Voice issue.

6- Be able to find the slow response application from user point of view and find any network issue pro-actively.

Note: The network monitoring tool needs to be able to deliver the above basic functionality out of the box without writing any custom API.

Thank you so much in advance



Extended Upstream Transmit Power - Netgear AC1900

I just got this new Modem/router today and noticed I could enable the Extended Upstream Transmit Power. I tried googling it and can't really understand it very well.. Will enabling this option make my wifi stronger?



Help with creating a S2S VPN tunnel

Hello,

I have been tasked with creating a VPN tunnel between our organization and Cisco's email service. I have a form to fill out but I do not understand the difference between 2 spots on the form:

https://www.ciscofeedback.vovici.com/se/6A5348A724AA4248

What is the difference between...

Supply a network (preferably /24) that is convenient, otherwise will default to 192.168.2.0/24. Desired RFC1918 IP range (Datacenter 1, minimum /27)

and

Routed hosts/networks?

I looked at other S2S VPNs that exist on our network and it appears that some unused IP space was carved out of our 1918 space and dedicated to this connection? I assumed all it would really need was a /30 but they are requesting and we have previously dedicated more space than that to other tunnels. Why? In a frame relay, P2P or MPLS connection, all you need to allot is a /30, why does an IPSec tunnel require more?

Thank you very much :)



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Stretch layer 2 to AWS with NSX Cloud?

First of all, I understand AWS is an L3 environment from a VPC perspective and it is difficult to stretch an L2 (broadcast) domain from on-prem to AWS even with Direct Connect transport.

But say I have NSX-T on-Prem and NSX cloud in AWS (not the VMC on AWS), will I be able to take advantage of NSX overlay network to stretch L2 to AWS and implement EC2 instances on the same subnet as servers on-prem? One use case could be server/service Clustering with multi location redundancy, assuming transport latency is not an issue.

I do not think so based on what I know about NSX-T, but I stand to be corrected!



Aruba, Juniper, or Cisco?

I am reworking our entire network design this hardware life cycle and switching from Extreme Switching to a more "enterprise" networking platform (please don't say Extreme is enterprise). The design is going to be a spine-leaf EVPN VXLAN (BGP) network to "combine" 2 data centers over a <5ms MPLS. The main thing I am aiming to fix is near seamless VMware vMotions cross-site without re-IPing, L2 database replication (no multicast) as well as many other L2 benefits.

Now is where the question comes in. Juniper is pretty much the creator of EVPN and is tried and true when it comes to tunneling technology (we currently have 4 Juniper routers for VOIP connections). Cisco has obviously been the big dog and has proven to always perform well and be of sound quality with integrations of new tech. And last but not least is Aruba Switching; these guys have been rather up and coming since they replaced HP switching a couple of years ago. The new CX series switching looks to be the bee's knees for new switching technology, and with our current ClearPass integration we all know that the same vendors tend to integrate the best; my only fear is they are rather new and there are almost no companies near us that use it.

So tell me which ones you love and which you hate, and if you have done an EVPN solution some lessons learned are always great :)



UPS with Lithium batteries worth the cost?

I am putting together a list of UPS's that I want for some of our sites to keep the network/phones up during small outages. I see that Eaton sells some models with lithium batteries for a bit more money. Is this a no brainer? Is lithium the way to go?

I hate UPS maintenance. Batteries are heavy, I'm getting older. The years just fly by. Any advice? I haven't dug deep into this, some of the bigger UPS may need to remain lead acid.

THANKS!



LACP for NetApp project

I'm assisting our sysadmin with the networking portion of our NetApp project. There are two controllers with 2 pairs of 10Gb connections on each controller for a total of 8 ports across both. He let me know that we will need to create link aggregation groups for all of those connections across our server switches. The question is, how many LAGs do we need? My initial thought is one per controller, but he seems to be under the impression that we need 4 LAGs, basically 2 10Gb connections per LAG. Has anyone done the network config for a NetApp that can give me some insight? The documentation I've found hasn't been clear, and we can't get through to support.

My thinking is that since we have 4 switches that we will be connecting to that each controller will have 2 ports going to each switch for redundancy as well as separate link aggregation groups.

Here is a picture of what my Sysadmin gave me: https://i.imgur.com/471l4j5.png



Quick and easy question about wildcards

Turned up some strict firewall rules, broke AWS RDP in the process. Instead of tracking down all of the amazon subnets, I just want to wildcard out the FQDN. The question is:

If I am wildcarding everything on amazonaws.com, will *.amazonaws.com encompass everything?

Example of the FQDN: ec2-(redacted IP separated by dashes).us-west-1.compute.amazonaws.com

My concern is that a wildcard will only take effect in between decimals. So would I have to go with: *.*.*.amazonaws.com?

This is a WatchGuard firewall btw.

Thanks in advance. Bit of a noob question, but something I haven't run into before with lengthy sub-domains.
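The two readings of a wildcard FQDN that the question hinges on, as an added example (not WatchGuard's matcher, whose rule semantics have to be taken from its documentation): under a one-label-per-star reading `*.amazonaws.com` does not cover the five-label EC2 name and `*.*.*.amazonaws.com` does, while under a suffix reading `*.amazonaws.com` covers everything beneath the domain. The hostname below is constructed with a TEST-NET address in place of the redacted one.

```python
"""Two readings of a wildcard FQDN, applied to the post's hostname shape.

Added example, not WatchGuard's implementation: it shows the two
interpretations firewalls commonly use, so the right pattern depends on
which one the product in use implements. SAMPLE_FQDN is constructed.
"""
from typing import Dict, List

SAMPLE_FQDN = "ec2-203-0-113-5.us-west-1.compute.amazonaws.com"


def _labels(name: str) -> List[str]:
    # Normalise case and a trailing dot so comparisons are label-by-label.
    return name.rstrip(".").lower().split(".")


def matches_single_label(pattern: str, fqdn: str) -> bool:
    """Reading 1: each '*' stands for exactly one DNS label, so the pattern
    and the name must have the same number of labels."""
    p, n = _labels(pattern), _labels(fqdn)
    return len(p) == len(n) and all(pl == "*" or pl == nl for pl, nl in zip(p, n))


def matches_suffix(pattern: str, fqdn: str) -> bool:
    """Reading 2: a leading '*.' stands for one or more labels, i.e. the rule
    covers every name under the domain. Assumption: the bare apex
    ('amazonaws.com' itself) is not covered; some products include it."""
    p, n = _labels(pattern), _labels(fqdn)
    if p[0] != "*":
        return p == n
    suffix = p[1:]
    return len(n) > len(suffix) and n[-len(suffix):] == suffix


def naive_endswith(pattern: str, fqdn: str) -> bool:
    """What a plain string suffix test does: it ignores label boundaries, so
    it also accepts look-alike domains (kept here to show the mistake)."""
    return fqdn.lower().endswith(pattern.lstrip("*.").lower())


def evaluate(pattern: str, fqdn: str) -> Dict[str, bool]:
    """Result of one pattern against one name under all three readings."""
    return {
        "single_label": matches_single_label(pattern, fqdn),
        "suffix": matches_suffix(pattern, fqdn),
        "naive_endswith": naive_endswith(pattern, fqdn),
    }


if __name__ == "__main__":
    for pat in ("*.amazonaws.com", "*.*.*.amazonaws.com"):
        print(pat, evaluate(pat, SAMPLE_FQDN))
    # A look-alike name only the naive test lets through:
    print("evil-amazonaws.com", evaluate("*.amazonaws.com", "evil-amazonaws.com"))
```

Whichever reading the firewall uses, a suffix rule on amazonaws.com allows RDP to any host anyone runs in EC2, not just your own, so pinning the rule to the specific instance names or addresses is the tighter option.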



The blue and white telephony wire

Strange question, but does anyone know the official name for the solid copper 2 conductor wire used in telephony to patch extensions to memory locations before everything went digital?

Thanks



Fiber to 10G ethernet

Hello, sorry for the noob question.

My workspace has fiber run from a storage server to all the desks. My workstation does not have room for a fiber card, as all my PCI slots are occupied. My workstation does however have 10G ethernet built in. Is there some sort of converter box that could convert fiber to ethernet that wouldn't impact speeds too badly?



Outdoor IDF design

Putting in WLAN coverage for some playing fields. Need to put in a small IDF in a storage shed. Shed has power and locks but no AC or ventilation. Needs to power 3 APs with ports for a few cameras in the future, so 8x1GbE w/ PoE+ would be fine. Backhaul via PTP WIFI (no fiber/SFP requirement).

Our WiFi VAR suggested this, which looks like exactly what I want, just not enough ports. I guess I could daisy-chain 2 but that seems wrong. I'm fine with putting in a full cabinet/rack and standard 1RU switch, but then cooling becomes an issue and I'd rather keep it simple. I like the idea of a ruggedized switch inside a NEMA enclosure. Searches came up with tons of options, trying to get an idea of what I actually need. Interested to see what others have done.

Edit: looks like the Catalyst IE3200 is a good fit, any suggestions on an enclosure?



Central DNS resolver for Global SD-WAN

I'm currently setting up Meraki MX boxes for an organisation. They're pretty small, but they do have offices around the world. Some services like AD and DNS will be hosted at one central location and connected over VPN. But Internet access will be local for each office.

Will using a central DNS resolver cause issues with websites using anycast DNS? Like American users connecting to European Google servers because the DNS resolver is in Europe?



I've been living under a rock, where do I even start?

I've been in IT since 2000 and with my current employer (ISP) for over 10 years now. I'm thinking of making a move but I have been out of the market for so long I'm not even sure how I want to go about this. Most of my career has been network related but I have had hands on lots of projects. For the last 3+ years I've been doing more management things and running a 60/40 balance now with 60 in the trenches. I'm in the Southern United States now.

My questions to you all: In your opinion where would you focus your energy in looking for a new employer? Are direct hires a thing still or are we all going contract to hire now? Any tips or advice to someone who has been living under a rock for so long? Thanks.....



Cisco C960G-8TC-L Question

Hi, I’m able to get a good deal on a Cisco WS-C2960G-8TC-L switch and was wondering if anybody has had any experience with it. I’ll be hooking up 5 clients and have 1gbps up/down from isp and want to make sure I won’t have any issues in throughput. Any quirks and stuff I should know about?

Setup: ISP device-> opnsense box-> switch-> 5 wired+ubiquiti ap (15 wireless)



Question with Cisco switches

So currently at my job, we run no 802.1X or any type of RADIUS/TACACS server. We are still using port security with sticky MAC and a max of 3 addresses per port. We are getting Cisco ISE in the near future, but that date is still TBD. Our sysadmins refuse to build a RADIUS server for us, so we are stuck with what we've got for now.

One of the networks we run has a VLAN for people to BYOD. These people have to get their laptops approved to be on our network by our cyber security team, and then their MAC is added to a list and we verify once they connect whether they can have access or not based on the list of MACs.

When we do this, we either go into Cisco Prime and look at connected clients, or go into each switch and verify MACs that way. If we see a MAC not on the list, we shut down the corresponding port it is connected to.

This is a very tedious and time-consuming task, so I am wondering if anyone has any suggestions to make this easier? Is there a way I can do a local database on the switch and have it only allow certain MAC addresses? We run sort of a "collapsed core" type network, so it's access switches > core switch > firewall > IDS > router. Is there a way we could build a database on the core to only allow a specific list of MAC addresses? Or am I stuck doing things this way until we implement a RADIUS/TACACS server?



WiFi range extender for Meraki network

Hello all,

Please excuse my inexperience, I am one year into Networking as the previous guy just got up and left, leaving me to fill in the gap. I am looking for advice on a WiFi solution. Our business office currently has one Meraki MR42 AP set up in the middle of the office that goes back to an MX250 (everything is cloud managed). One of our corner rooms is almost a WiFi dead zone as the connection is intermittent, and I'm sure the giant plasma TV in between doesn't help with interference. I am considering getting a WiFi repeater (TP-Link N300) as I think it would be a more cost-effective solution compared to getting another MX250. Are there any precautions? Would it work? Do I have to configure anything on the Meraki back-end to have it work?

Thank you so much for your time.



Bridge mode on Ubiquiti firewall

When people talk about bridge mode on Ubiquiti firewalls, is this just basically saying the router traffic goes to the firewall, which then scans it before pushing it onto the local network, and the same for the other direction?

So bridge is just a way of connecting the 2 devices together? Just got a Ubiquiti firewall for testing.



What is the best and most practical way to connect 2 offices with broadband connections?

What is the best and most practical way to connect 2 offices together with broadband technology? (specifically XFINITY cable 150mb/s down 10mb/s upload) I currently have 2 offices; one site houses 7 staff members, the other site houses 2. All 9 users have to use the Intuit Quickbooks Premier Desktop edition, which requires a Windows Server with a database manager application running on Microsoft Operating System only. I currently have Meraki MX64 appliances at the 2 locations, the location with 7 users (Site A) houses my central server, while the other 2 users (Site B) connect to this server via a VPN client connection using the Meraki MX64 equipment.

I don't believe the setup is currently at full potential because Meraki was sold under the umbrella that the 2 sites build "auto VPNs" with one another that I don't necessarily find true. I am able to create a VPN client session and connect that way, but I don't see the "Site-to-Site VPN" functioning. As well, when the 2 users at (Site B) open our large Quickbooks company file, it can easily take 5 minutes for the application to load, I know this is a limitation with my upload speeds which I am open to altering but limited to either Xfinity for broadband or some form of Wireless (4G), wished my 2 sites were eligible for ATT Fiber but they aren't. I would prefer (Site B) housing 2 users to full time, automatically see the other machines at (Site A) and vice versa. Any help here would be greatly appreciated.

I'm not totally dependent on the Meraki only hardware at this time, meaning: the 2 appliances are up for license renewal, and Cisco Meraki is PROUD $$$ of their equipment and licensing cost, and if a better more simplistic solution sits at my disposal for a reasonable cost, I'm most definitely interested.



Deployed New Cisco ASA 5508-X

So I successfully deployed a new Cisco ASA 5508-X Firewall with the help of Cisco TAC. Got it all up and running and I had to remove the username by using the "no username" command. Now I can't get into the firewall using ASDM or PuTTY. Any suggestions??

Thanks,



Looking for feedback for my side project

I am building an enumeration and reconnaissance tool for web apps, called "reconYa".

It's not bug-free obviously, but I can say it's taking steps on becoming an early stage product.

My goal is to create a tool that professional pen-testers and web developers use in order to find out more useful information about their websites, servers or targets.

The first step in analyzing a system's infrastructure is reconnaissance, so I want to be able to give them a dashboard with all they need.

I am working on geo-location and various other features, releasing new updates. The UI is in a very very early stage and only to get things started.

I really want to build something useful and interesting but it's hard to keep in the right direction, so please be harsh and let me know what you think.

  • What would you like to see ?
  • What would be helpful for your day to day work operations?

https://reconya.com



MU MIMO questionnaire

Hello guys,

Can a 4x4 access point serve four 1x1 clients at the same time, or are there other constraints?



Remotely managing an isolated network

I am pretty new to the field; I graduated college last May. I am working on a project with a few isolated networks. I am wanting to connect a few of these isolated networks to the plant network and only allow SSH, and maybe HTTP, to communicate between them. What do you guys think is the best method to achieve this?



QoS Help

All,

I'm new to QoS and seeking some advice. As far as I am aware, we only have QoS set up on our MSP-provided router to our ASA.

As an example, one of our sites is configured as per below:

Client PC ----> Cisco 4507 (NO QoS configured) ----> Cisco 3750 (NO QoS configured) ----> Juniper SRX 110 (MSP equipment, QoS) -----> WAN -----> ASA 5516 (NO QoS configured) -----> Internet....

Could someone explain to me if we are actually utilizing QoS, or does it have to start from the endpoint (Client PC)? If we are not, would someone be so kind as to point me in the right direction into getting QoS fully working on our network?

We are currently using a Mitel VOIP system and use Skype For Business as our go to audio/visual meeting area.

Thanks

EDIT: We are currently using a Mitel VOIP system and use Skype For Business as our go to audio/visual meeting area.



Certificate introspection in real time

Hello,

I'm constructing a smart home environment, and I want to control the traffic of my devices. For this, I want to do some type of app (proxy-based) that inspects in real time the packets that are received and sent, and if the certificate authority matches one specific one that I want (my own), I allow the connection; otherwise, I drop/block it. Is it possible to do this with scapy?

Is there any tool that you know of that already does this?

Thank you.



Capturing network users' status and auto exporting logs

Hi all,

Bit of a weird one, but I'm getting a little desperate on where to look for some answers to this.

What do I need?

I'm actually in the middle of a networking 'art project' thing of sorts, where I'd like to run a private internet server where users can join, access the internet at their leisure and, when they leave the network, a log file is saved automatically saying when they connected, their device name (IP, MAC and whatever other information if possible) and when they left the network. This log file would ultimately be printed through a receipt printer as a kind of representation of network activity in real time. So e.g.:

You connect to the network at 10:50 --> Leave network at 11:00 --> Log file is saved with Info --> Print

What do I need now?

Software! I cannot for the life of me find the proper software to do this. I'm utterly gimped on a Mac as I'm not at home with my PC for a while, just to add to the trouble. I gave Wireshark a go, but I don't know how best to filter it, as the packet stream is so thick it's hard to decipher what is and isn't useful. I would like to have set up some auto logging on something like NirSoft Network Manager, but that's PC only. So if anyone knows how to filter Wireshark for connections, or of any software capable of logging connection status, that would be awesome!

Thanks so much!



OpenVPN Access Server

Hi,

We, a university college/EDU, are looking to replace our current remote access VPN solution (F5) and are evaluating OpenVPN Access Server as a "good enough and affordable solution" besides the usual vendor solutions (Pulse Secure, Cisco AnyConnect, ...) but would like to hear some real world experiences about OpenVPN AS before we start with a PoC. The traditional vendor solutions are often quite pricey, especially Pulse Secure but probably very capable, which necessitates us to first look for other solutions.

At the moment we're using F5 SSLVPN for remote access (200 CCUs) as this was what we got "for free" with our F5 load balancing and reverse proxying solution some years ago. However this setup is nearing its EOL and as a whole has diminished in usage over the years because of various cloud migrations. The remaining load balancing and reverse proxying duties are being transferred to an HAProxy Enterprise setup which we're finding surprisingly capable and a lot more affordable.

So this leaves us with the F5 SSLVPN remote access solution that we want to replace with something else. Currently authentication happens based on machine certs in combination with user credentials for role assignment. We're using this solution purely for remote access and are not doing any posture checking. Over the years our experience with the product was OK, as long as it worked, but miserable when it didn't work. Client logs are a big mess and give the impression of a jumbled-together solution under the hood. We've had numerous problems with the helper services such as SSO that sometimes didn't feel like reusing the Windows credentials. Each time after an upgrade we always had a small percentage of clients that stopped working correctly. More often than not the only solution in those cases was reinstalling the client, and if even that didn't work, reimaging the workstation. Linux support was abominable, which forced us to also provide a couple of AnyConnect licenses for those users.