Saturday, February 1, 2020

IP addresses and ports clarification

Let's say that I have 2 PCs connected to the same router and both have port 80 open. When you try to access <IP>:80 remotely, it is the router's IP that you are accessing, so how does it know which one to go to? Can it accidentally access the other one? Or can you access both of them whenever you would like?

Or is it that after you port forward, you choose which PC is accessible?

I'm confused.

Is this the right place to ask such things?



L1 diagram help

I need to draw up an L1 diagram but am having some issues starting this, as I have never done it before. All Google and other searches come up with are crappy examples showing a network layout of a router, firewall, cloud and 5 computers with straight lines; nothing detailed or with a large number of devices.

I found this [example](https://packetpushers.net/network-documentation-best-practices-whats-important-how-to-track-it/); under the L1 section it shows him using basic shapes instead of icons. I like the saving of room by putting the info in the shape rather than taking up room outside of it.

Should an L1 layout include the building layout, so that if an Ethernet cable goes to a desk it shows the true path of the cable, or is a representation showing that a cable goes to a specific wall plate good enough?

Any other advice would be great!

Thanks



Optimal size for a user vlan?

I'm a mid-level network engineer, and have inherited a network without a whole lot of documentation. It's a campus-based, wifi-based network with few hard-wired clients. It looks like a flat network, with a single user VLAN and a rather large DHCP scope. I haven't found the actual scope yet (still looking), but my core distro switch ARP table shows 800+ current entries, with IPs ranging from 10.0.0.1 - 10.0.14.255.

I'm trying to decide if I should just leave it as is, or if I should try to break up the user VLAN, or if it's worth the bother. The main network choke point is the bandwidth of the off-site pipe, but there are also issues with users authenticating with the wifi.

Thoughts? Am I missing something or barking up the wrong tree? This is my first time with a wifi based network of this size.



What makes a good datacenter switch?

I have wondered what really makes a good datacenter switch for a while. Embarrassingly, I don't understand why some switches are better than others in the datacenter.

I get the need for things like L3, port speed, and larger TCAM (MAC addresses/routes).

What about buffer size? Any other important factors I'm missing?

Also, why pick a Nexus over a Catalyst? Why HPE Comware over an Aruba 3810? Insert other comparable brands here. (Sorry if I left out your favorite brand. Those were just the two examples I could think of off the top of my head.)

What else have I totally missed?

(Sorry for spelling mistakes. I posted from mobile)



Do IP cams slow down my LAN?

Does having IP cameras slow down my LAN? I have motionEye set up with 3 IP cams; does it have any impact on my LAN?



What do you do for dhcp in large enterprises?

Currently our environment is around 80k users, 124 locations, and we use Windows DHCP server. Curious what other large enterprises would use? I worked at a smaller firm before where we used Infoblox with great success.



Cable (using Static IP) internet with LTE backup (using DHCP)

Looking for a device that can connect to both a cable connection (that has a static IP assigned) and an LTE 4G cellular modem. The device should be able to automatically fail over the clients from cable to the LTE cellular modem. Most of the stuff I find on the internet can do this, but they don't handle a static IP assignment on the cable connection.

If the cable connection with the static IP drops and the system switches over to the cellular connection, it's OK if the IP is dynamic on the cellular side. I am just trying to ensure the devices within the network maintain an internet connection.

One device that seems to do this is the Cradlepoint ARC CBA850, but I can't tell if it can handle the static IP on the cable side.

There was also mention of using a MikroTik solution, but I didn't see any MikroTik routers with built-in LTE modems.

I have a server handling DHCP and DNS internally, so those features are not needed.



Time frame

I have been asked to give a presentation on how to improve the team; in the requirements I should include the time frame. Any ideas where to put the time frame and how to calculate it in the slides?



Huge latency increase caused by saturating 1 port synced @ 100mbit on unmanaged 6-port gig switch.

I ran into this weird issue in my home last night and was curious what exactly the cause is.

I have gigabit FTTH in my condo, running pfSense on a white-box mini PC with only 2 Ethernet ports, one WAN, one LAN. The pfSense LAN port connects to a 6-port unmanaged D-Link switch, which connects to the punch-down block for all the Ethernet ports in the condo. Guess they did a pretty poor job with the runs, because some of the rooms will only sync up @ 100mbit and others will run at gigabit.

Anyways, I noticed that if I saturate a port synced at 100mbit, my WAN latency increases by 50-200 ms with really bad jitter. I can nearly saturate my gig connection on another port synced at gigabit speeds and it barely affects latency or jitter on my WAN connection.

Would this be caused by the switch having a hard time buffering packet queues between different interfaces synced at different speeds? Can this be fixed by getting a better switch?



What programming language for networking?

I have been learning networking with Python because it is fun if you do the right projects ;). If I were to look for a career in networking, what language or languages would be necessary?



Network confusion!

Trying to sort out my uncle's business network

Alright guys.... got roped into helping my uncle sort out his business IT situation. His initial complaint was that his cameras would come in and out (they do), but I believe his problem has to do with DHCP or DNS. Here's his setup: ISP -> ARRIS modem -> EdgeRouter Lite -> unmanaged TP-Link 16-port switch -> port 15 goes into a MikroTik RouterBoard, and port 16 goes to an ipscom phone switch(?), and then the MikroTik router has 2 small cables going to the ipscom phone switch. Basically I'm in way over my head, but I would like to help my uncle figure this out. He got quoted something like 25k for a total rip-out and redo, but I feel like he has all the equipment he needs already; it just needs to be better configured. I'm screwed lol

Wish I took some better pics, but you sort of get the idea lol. I can plug a PC directly into the MikroTik board and get internet, but if I unplug the MikroTik the phones break. Is the Mikro just supplying PoE? Anyways, thanks to anyone who read this and possibly feels bad enough to help.



HELP!!!! What is this? The cables are Cat 5e and labeled like "Up Front Right" and "Up Back Center". Does this have to do with the RJ45 network jacks in my house? They do NOT work and I am trying to figure out why.


Help setting up a router behind a switch in a domain network

Hi, I'm new to this sub-Reddit; I came here just for help with this issue. I'm a mentor on my high school alma mater's robotics team. We do a lot of CAD with Autodesk Inventor, and have previously had access to one of the school's computer labs and a share drive on the school's servers for all our files. This year, the school took away our share drive and computer lab, and we now have a few desktops in our new meeting room to work on. The school just gave us three desktops and a port in the room to connect them to the school's domain network; we supplied our own unmanaged gigabit switch to do this.

Now I'm trying to come up with a way to get our files (which are backed up on a USB hard drive) shared between all our computers, so we can all work with them at once. Also, we have a printer to share as well. My plan is to use a wired/wireless router with a USB storage function, connect this router downstream of the switch, and use it to share the USB hard drive. The goal is to have the USB hard drive and printer be visible to all the computers downstream of the switch. I know I need to connect the router to the switch using its LAN ports, not the WAN port. I think I need to disable the router's DHCP function and set a static IP address so that it won't conflict with the school's servers; is this correct? Can it still host and share connected USB and Ethernet devices if it's not acting as a DHCP service? I don't know what the school's network configuration is upstream of our switch, so is there any way to determine the IP address that I'll need to give the router?

Any help is greatly appreciated. We're all on our own to do this; we won't get any assistance from the school's network administrators. Here's a diagram of the setup we have: https://drive.google.com/open?id=1UpnAty8GV5BL0axiEl40I7nKQ2vzUD4B



Looking for an AP config guide

/r/homelab/comments/ex6zz9/looking_for_ap_config_guide/

How to make squid proxy listen on enp2s0

Hello,

I have an Ubuntu 16 server with a subnet announced on it. My squid proxy is not working; my provider said the following:

It appears you added the subnet on both the primary interface as well as the loopback. They all need to be on the primary interface of enp2s0 in order to function.

I have added the subnet using

ip addr add x.x.x.x/22 dev enp2s0

But squid proxy is still not working

How do I make squid proxy listen on enp2s0?



Confused about address of 2nd, 3rd, 4th, etc subnet

I'm having trouble figuring out which network address I would use if I created X amount of subnets and I want the address for the 2nd subnet or the 5th subnet or the 7th. I'll make an example to show the way I'm doing it:

Address 192.128.128.128 /25 where I want to borrow say 6 network bits to create 60 hosts making the new subnet mask /31.

The first 25 bits are part of the network, the last 32nd bit is a host, bits 26-31 are part of my subnets. If I want the 5th subnet from this, then should those 5 subnet bits in binary be 00101 which equals 5 or should they be 5-1 which equals 00100? Basically, is the first subnet here 00000 making the first network address 192.168.128.128 or is the first subnet 00001 making the first network address 192.168.128.130?
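Worked example, added here and not part of the post: enumerating the subnets with Python's standard ipaddress module. It assumes the base network is 192.168.128.128/25 (the post writes the first octets two ways) and follows the convention that subnetting exercises and the ipaddress module both use: the first subnet is the one whose borrowed bits are all zero, so the 5th subnet has borrowed bits 000100 (the value 4), not 00101. The function names are the example's own.

```python
import ipaddress

# Assumed base network for this example (the post writes both 192.128.128.128
# and 192.168.128.128; the latter is used here).
BASE = "192.168.128.128/25"


def enumerate_subnets(base, borrowed_bits):
    """Return every subnet produced by borrowing `borrowed_bits` host bits.

    The list is in address order, so index 0 is the subnet whose borrowed
    bits are all zero and index k is the subnet whose borrowed bits equal k.
    """
    net = ipaddress.ip_network(base, strict=False)
    return list(net.subnets(new_prefix=net.prefixlen + borrowed_bits))


def nth_subnet(base, borrowed_bits, n):
    """n is 1-based, the way people count ('the 5th subnet'); the first
    subnet is the all-zero one, so the n-th subnet sits at list index n - 1."""
    subs = enumerate_subnets(base, borrowed_bits)
    if not 1 <= n <= len(subs):
        raise ValueError(f"only {len(subs)} subnets exist, asked for #{n}")
    return subs[n - 1]


def borrowed_bit_pattern(base, borrowed_bits, n):
    """The borrowed bits, as a binary string, of the n-th (1-based) subnet."""
    return format(n - 1, f"0{borrowed_bits}b")


def describe(base, borrowed_bits, n):
    """Network address, borrowed-bit pattern and address count of subnet n."""
    sub = nth_subnet(base, borrowed_bits, n)
    return {
        "subnet": str(sub),
        "bits": borrowed_bit_pattern(base, borrowed_bits, n),
        "addresses": sub.num_addresses,
    }


if __name__ == "__main__":
    # Borrowing 6 bits from a /25 gives /31 subnets: 64 of them, 2 addresses each.
    for n in (1, 2, 5):
        print(n, describe(BASE, 6, n))
    # Borrowing 2 bits instead gives four /27 subnets of 32 addresses.
    for n in (1, 3):
        print(n, describe(BASE, 2, n))
```

Running it prints 192.168.128.128/31 for subnet 1 and 192.168.128.136/31 for subnet 5 (borrowed bits 000100); `addresses` is the raw block size, so a /31 shows 2, which is why the module is useful for checking how many host bits a plan actually leaves.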



anyone using eve-ng and have console html5 tab problems?

Whenever I click on a router it replaces the other selected router and doesn't open in a new tab; the same thing happens for VPCs, it doesn't make a new browser tab for each device.



How to start a networking side gig job?

I currently work as a network admin, but I want to make some small cash on the side.

Currently, a colleague contacted me about some company that needed a guy for a one-time project to get all the networking gear up and running. With basic configuration, nothing complex, but they wanted to just pay and be done with it. I accepted this, said my price per hour and we scheduled this for the next weekend.

So I thought why not make this more common and make extra money on the side, but I need some info on how to start all this up. How to get to people and offer my services.

I want to provide maybe low-level "consultancy" to non-IT companies for basic internet/wifi setup, configure cisco routers and switches, or anything in that matter. But still, nothing extremely complex that will take a huge chunk out of my free time. Maybe will step it up in the future, but for now, that will be it.

My main job is flexible around taking days off, arriving late, or leaving early, no hassle there if I need extra time in order to go for this.

Can someone who started like this, or is doing this currently, share some info on how to get going?

  • How much do you charge per hour compared to your main job salary (I know that this is quite relative)?

  • What gigs do you work on, what types of services are you offering?

Thanks!



Simple Firewall that lists active in/out connections?

Years ago, I had an app called Kerio Personal Firewall. Back then, it was super simple and lightweight - every time an app wanted to open ports, it would prompt you to allow/disallow. Then it simply showed in its interface a list of all the connections that were incoming or outgoing, which apps were using them and which ports.

I am a networking newb, but I really liked this - I felt a bit more secure seeing a list of connections and knowing what they were attached to.

Are there any firewall type apps that do this sort of thing these days?

Edit: this is what it looked like back then https://www.flickr.com/photos/tony1861/401821909



Friday, January 31, 2020

fc/upc and fc/pc

There is lots of information regarding loss in connections of FC/APC and FC/PC type single-fiber connectors, but is there extra loss in FC/UPC and FC/PC connectors? Are UPC and PC type connectors compatible?



How much does NAT affect network performance?


How accurate is cisco's chart on Firewalls?



Truth

Girls/Guys, what are you using as your network source of truth (trust)?
As we are using an old, not 100% valid Excel sheet, and it is not working, as there is a lot of obsolete shit and a lot of not needed info, I'm quite curious what you are using for that purpose?



What is the best wireless router?

Hi there.

I was wondering what the most powerful router is. Price is not relevant to me, I just want the most powerful one. I will use it primarily to upload heavy files, stream in 4K60fps/8K30fps and game a lot (having low latency is what I want). Could anyone help me find the best wireless router?



School Server

My school has a small Linux server, but if we connect it to the internet by connecting the router the server is attached to to the access point, we aren't able to host or run many applications, since my district blocks all the good ports. Is there any way to use a VPN, or hide the server under a domain, to get it online with access to the blocked ports?

By the way our school uses Cisco and a system of access points throughout the school.



Riot(TFT/LoL) server connection issues

Hoping this is a good place to get advice on this issue. I'm having consistent issues playing teamfight tactics on PC. I'm awaiting a response from riot for guidance but wanted to get the thoughts of this community as well.

"Attempting to reconnect" is what I get about every minute, and it lasts for about 10 seconds until the game resumes. It's like clockwork. I called Charter Spectrum and of course their response is "oh, it must be the game server". Yeah, I've checked the status of the server. I ran a traceroute and will include the export from WinMTR. The NA server for Riot LoL is 192.64.170.1.

I've wired directly to the modem and have the same issue. Could this be something with the modem? I'm hardwired to a Spectrum-supplied router that's connected to the Spectrum Arris router. I average about 450mbps download at the moment. I've checked network/DNS/firewall settings pretty extensively and all looks good. Attempted playing with firewalls disabled and it still happens.

I could go to the Spectrum store and try replacing the modem if there's any way that could be the cause of this. Any help would be greatly appreciated!

Tracing route to 192.64.170.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3    36 ms    11 ms    17 ms  dtr02clevtn-tge-0-7-0-5.clev.tn.charter.com [96.34.68.97]
  4    13 ms    13 ms    12 ms  96-34-119-136.static.unas.tx.charter.com [96.34.119.136]
  5    17 ms    17 ms    18 ms  96-34-12-219.static.unas.mo.charter.com [96.34.12.219]
  6    29 ms    23 ms    24 ms  crr02spbgsc-bue-401.spbg.sc.charter.com [96.34.69.254]
  7    31 ms    23 ms    23 ms  bbr01spbgsc-bue-4.spbg.sc.charter.com [96.34.2.50]
  8    38 ms    32 ms    39 ms  bbr01chcgil-tge-0-3-0-8.chcg.il.charter.com [96.34.0.184]
  9    58 ms    63 ms    55 ms  bbr01blvlil-bue-806.blvl.il.charter.com [96.34.0.37]
 10    63 ms    63 ms    71 ms  bbr01olvemo-bue-3.olve.mo.charter.com [96.34.0.14]
 11    66 ms    71 ms    63 ms  bbr02chcgil-bue-2.chcg.il.charter.com [96.34.0.12]
 12    62 ms    62 ms   121 ms  prr01chcgil-bue-4.chcg.il.charter.com [96.34.3.11]
 13    59 ms    57 ms    72 ms  206.223.119.235
 14    65 ms    58 ms    59 ms  104.160.131.46
 15    65 ms    63 ms    63 ms  104.160.131.103
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.



Trace route help

https://imgur.com/IXFr1BG

Hello

What do the *** in this trace route mean?

I am testing my IPs announced on my server, but they have no internet connectivity through squid

Do these *** in the traceroute mean something is wrong?
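To make the "* * *" rows concrete for both this post and the Riot trace above, here is an added Python example (not from either post) that parses Windows tracert output. Its sample input is a constructed excerpt of the hop lines from the Riot post. It separates a silent hop in the middle of the path, which is followed by hops that do answer (that router simply does not send ICMP time-exceeded replies, and traffic passing through it is not necessarily affected), from a silent tail after the last responding hop (the destination, or something in front of it, is not answering the probes). Function names are the example's own.

```python
import re

# Constructed excerpt of the tracert output posted above (a subset of hops).
SAMPLE_TRACERT = """\
Tracing route to 192.64.170.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3    36 ms    11 ms    17 ms  dtr02clevtn-tge-0-7-0-5.clev.tn.charter.com [96.34.68.97]
 12    62 ms    62 ms   121 ms  prr01chcgil-bue-4.chcg.il.charter.com [96.34.3.11]
 15    65 ms    63 ms    63 ms  104.160.131.103
 16     *        *        *     Request timed out.

Trace complete.
"""

# A hop line starts with the hop number; banner and footer lines do not.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_tracert(text):
    """Return one dict per hop: number, three RTTs in ms (None = no reply), target."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, toks = int(m.group(1)), m.group(2).split()
        rtts, i = [], 0
        while len(rtts) < 3 and i < len(toks):
            if toks[i] == "*":          # probe got no reply
                rtts.append(None)
                i += 1
            else:                       # "36 ms" or "<1 ms": value then unit
                rtts.append(int(toks[i].lstrip("<")))
                i += 2
        hops.append({"hop": hop, "rtts": rtts, "target": " ".join(toks[i:])})
    return hops


def classify(hops):
    """Distinguish mid-path silence from a silent tail, and find the slowest reply."""
    answered = [h for h in hops if any(r is not None for r in h["rtts"])]
    last_reply = max((h["hop"] for h in answered), default=0)
    report = {"silent_mid_path": [], "partial_loss": [],
              "silent_tail_from": None, "worst_rtt": None}
    for h in hops:
        lost = sum(r is None for r in h["rtts"])
        if lost == 3 and h["hop"] < last_reply:
            report["silent_mid_path"].append(h["hop"])     # later hops still answer
        elif lost == 3 and report["silent_tail_from"] is None:
            report["silent_tail_from"] = h["hop"]          # nothing answers beyond here
        elif 0 < lost < 3:
            report["partial_loss"].append(h["hop"])        # some probes lost: worth a look
    if answered:
        report["worst_rtt"] = max(
            (max(r for r in h["rtts"] if r is not None), h["hop"]) for h in answered)
    return report


if __name__ == "__main__":
    for h in parse_tracert(SAMPLE_TRACERT):
        print(h)
    print(classify(parse_tracert(SAMPLE_TRACERT)))
```

On the sample, hop 2 is reported as mid-path silence (hops 3 onward reply, so it is only unresponsive to probes) and the silent tail starts at hop 16, after the last reply at hop 15; the worst single probe is 121 ms at hop 12. A single high reading on one probe is not by itself a fault, since routers answer TTL-expired probes on their slow control path.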



Which to connect to internet FW or Router?

Now that Palo Altos can run BGP (it will be limited, not fully participating in Internet routing), we are using BGP for dynamic routing between two ISPs. When I look at Cisco designs, they want the router to face the internet, but for FWs the design is for the FW to face the internet. For instance,

Internet ->Cisco->Cisco->FW

for FW's

Internet->FW->Cisco users, and the FW would separate the servers from the user networks, etc.

Is there a reason to prefer one over the other?



How to play PUBG mobile using college proxy server

Hey guys, I have got a question.

I am a college student in India; my college provides free wifi throughout the campus. To access the wifi we have to use the proxy server connection; we use apps like Psiphon Pro to connect. Using this proxy server connection we can access YouTube and many other apps, but apps like PUBG, Netflix etc. don't connect to this server and we can't use them.

I just want to know why it is that these few apps don't connect to the proxy server while other apps do. I don't have much knowledge about networks and proxy servers. Is there any way we can use PUBG Mobile using the college proxy?

I am planning to develop an Android application which can allow users to play PUBG Mobile using the college proxy. Shall I reach out to the PUBG Mobile developers, so that they can help out as to why this is happening?

Please tell me what you think about this issue and is there any other way to solve this problem.



Quick question about MAC addresses regarding local and unicast bits

I'd like to ensure that I've read and interpreted the rules correctly for setting the local and unicast bits for randomly generated mac addresses. My understanding is that the first octet needs to end with a 2, 6, a, or e, specifically:

  • x2:xx:xx:xx:xx:xx
  • x6:xx:xx:xx:xx:xx
  • xa:xx:xx:xx:xx:xx
  • xe:xx:xx:xx:xx:xx

Is this correct?

My goal is that I need to generate random MAC addresses for SR-IOV VFs, and I would like to ensure they comply with standards. Below are the sets of MAC address groups I would like to use (each set would be applied only to particular SR-IOV VFs as a means of easily identifying the underlying physical device):

  • 22:26:2a:xx:xx:xx
  • 62:66:6a:xx:xx:xx
  • a2:a6:aa:xx:xx:xx
  • e2:e6:ea:xx:xx:xx

  • 26:2a:2e:xx:xx:xx
  • 66:6a:6e:xx:xx:xx
  • a6:aa:ae:xx:xx:xx
  • e6:ea:ee:xx:xx:xx

  • 2a:2e:22:xx:xx:xx
  • 6a:6e:62:xx:xx:xx
  • aa:ae:a2:xx:xx:xx
  • ea:ee:e2:xx:xx:xx

  • 2e:22:26:xx:xx:xx
  • 6e:62:66:xx:xx:xx
  • ae:a2:a6:xx:xx:xx
  • ee:e2:e6:xx:xx:xx

This is the /etc/network/interfaces (Ubuntu 16.04) code I'm planning to use:

auto eno1
iface eno1 inet manual
    bond-master bond0
    bond-primary eno1
    bond-primary-reselect better
    post-up echo 6 > /sys/class/net/eno1/device/sriov_numvfs
    post-up for i in $(seq 0 5); do ip link set eno1 vf $i mac $(printf "22:26:2a"; od -An -N3 -tx1 /dev/urandom | sed 's/ /:/g'); done
    post-up for device in $(ls /sys/bus/pci/drivers/bnx2x | egrep -v "0000:[0-9a-f]{2}:00" | grep 0000); do echo $device > /sys/bus/pci/drivers/bnx2x/unbind; done

auto eno2
iface eno2 inet manual
    bond-master bond0
    post-up echo 6 > /sys/class/net/eno2/device/sriov_numvfs
    post-up for i in $(seq 0 5); do ip link set eno2 vf $i mac $(printf "62:66:6a"; od -An -N3 -tx1 /dev/urandom | sed 's/ /:/g'); done
    post-up for device in $(ls /sys/bus/pci/drivers/bnx2x | egrep -v "0000:[0-9a-f]{2}:00" | grep 0000); do echo $device > /sys/bus/pci/drivers/bnx2x/unbind; done

auto eno3
iface eno3 inet manual
    bond-master bond1
    bond-primary eno3
    bond-primary-reselect better
    post-up echo 6 > /sys/class/net/eno3/device/sriov_numvfs
    post-up for i in $(seq 0 5); do ip link set eno3 vf $i mac $(printf "a2:a6:aa"; od -An -N3 -tx1 /dev/urandom | sed 's/ /:/g'); done
    post-up for device in $(ls /sys/bus/pci/drivers/bnx2x | egrep -v "0000:[0-9a-f]{2}:00" | grep 0000); do echo $device > /sys/bus/pci/drivers/bnx2x/unbind; done

auto eno4
iface eno4 inet manual
    bond-master bond1
    post-up echo 6 > /sys/class/net/eno4/device/sriov_numvfs
    post-up for i in $(seq 0 5); do ip link set eno4 vf $i mac $(printf "e2:e6:ea"; od -An -N3 -tx1 /dev/urandom | sed 's/ /:/g'); done
    post-up for device in $(ls /sys/bus/pci/drivers/bnx2x | egrep -v "0000:[0-9a-f]{2}:00" | grep 0000); do echo $device > /sys/bus/pci/drivers/bnx2x/unbind; done
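The rule the post is checking depends only on the two low-order bits of the first octet: bit 0 is the I/G bit (0 = unicast) and bit 1 is the U/L bit (1 = locally administered), which is exactly why the first octet must end in 2, 6, a or e; the second and third octets are free. The following Python example is added here and is not the post's code; it validates addresses against those two bits and generates random VF addresses under a chosen 3-octet prefix, doing in Python what the post's `printf ...; od -An -N3 -tx1 /dev/urandom` pipeline does in shell, with a check that the prefix itself is valid. The prefixes are copied from the post's first table as sample input; function names are the example's own.

```python
import secrets

# Sample input: the four 3-octet prefixes from the post's first group of
# tables. The post's other groups only permute the same octet values.
POST_PREFIXES = ["22:26:2a", "62:66:6a", "a2:a6:aa", "e2:e6:ea"]


def parse_mac(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 bytes; reject anything else."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def is_unicast(mac):
    # Bit 0 of the first octet (first bit on the wire) is the I/G bit:
    # 0 = individual (unicast), 1 = group (multicast/broadcast).
    return parse_mac(mac)[0] & 0x01 == 0


def is_locally_administered(mac):
    # Bit 1 of the first octet is the U/L bit: 1 = locally administered,
    # 0 = globally unique (OUI assigned by the IEEE).
    return parse_mac(mac)[0] & 0x02 != 0


def is_local_unicast(mac):
    """True for addresses you may assign yourself: unicast + locally administered."""
    return is_unicast(mac) and is_locally_administered(mac)


def valid_first_octet_nibbles():
    """The low hex digits a first octet can end in when U/L=1 and I/G=0."""
    return sorted({f"{x:02x}"[1] for x in range(256) if x & 0x03 == 0x02})


def random_vf_mac(prefix):
    """Random MAC under a 3-octet prefix, refusing prefixes whose first octet
    would make the result a multicast or a globally-administered address."""
    pfx = parse_mac(prefix + ":00:00:00")[:3]
    if pfx[0] & 0x03 != 0x02:
        raise ValueError(f"prefix {prefix} is not locally administered unicast")
    return format_mac(pfx + secrets.token_bytes(3))


if __name__ == "__main__":
    print("first octet may end in:", valid_first_octet_nibbles())
    for p in POST_PREFIXES:
        mac = random_vf_mac(p)
        print(p, "->", mac, "valid:", is_local_unicast(mac))
```

All four prefixes pass, and `valid_first_octet_nibbles()` returns `['2', '6', 'a', 'e']`, confirming the rule in the post. The prefix check matters operationally: a typo such as `23:` in an interfaces file would silently produce multicast source addresses, which switches and the `ip link set ... vf ... mac` path do not expect.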


Really weird multicast bug - Cisco 9500-40X switches

We've run into a really weird bug on one pair of 9500-40X switches that we're running at my work (it's a SVL pair running 16.12.1) - on ports Twe1/0/23 and Twe2/0/23, multicast streams lose packets corrupting an MPEG TS stream.

This happens on any trunk or access connection made to either (or both) of these ports - but only on VLAN 2202.

We've contacted TAC and they've never seen something like this, just wondering if anyone else had seen something like this?



I am struggling to connect to a VOIP phone on my network

Hi,

I bought 12 phones from eBay (Cisco DX650), but I am pulling my hair out trying to get them set up! I want to get them to work with 3CX.

I have the phone connected to my internet, but every time I try to go to the phone's IP address to configure the device nothing loads.

When I open the browser on the phone, it doesn't load any webpages. For example, if I go to twitter.com from the phone's browser I get a message saying "Couldn't establish a secure connection."

I am unsure of what to do from here. I would really appreciate any insights you could give me.



TCP Windowing and High Bandwidth Links

Just fishing for ideas on what the issue may be with a problem I'm having.

We have a presence in a cloud provider that has a subset of servers. We purchased a dedicated 1 Gb link (think ExpressRoute) via an ISP but we are getting throughput issues going to the cloud provider. When we do throughput tests we are getting ~50 Mbits using TCP. On UDP we are getting the full Gb speed.

The ISP is saying the UDP test proves the link works fine and that the issue must be the TCP window settings on the servers communicating with each other. Forcing the TCP window size from 208k to 64 M only increases the throughput to ~100 Mb. I am more suspicious of the issue being the ISPs packet shaper even though they insist the only thing it is doing is shaping to 1 Gb on their POP router.

We ran a test using the same two servers but running the traffic out over the open internet and got ~800 Mbits so I think this points away from the servers being the issue but the ISP disagrees.

Any of you have an idea of what the problem here may be?



Etherchannel Load Balancing

Hey Guys! Just have a question about load balancing on an EtherChannel

When does it make sense to load balance using the src/dest IP and the src/dest mac?

I know there is also an option to use both the source and dest IP or mac. What scenarios would you use this option?

Thanks for your help!



Can someone explain this ACI concept?

Distributed gateway: This sounds like a fancy way of saying devices' VLANs are trunked all over the fabric to wherever the bridge domain lives.

"The ACI fabric decouples the endpoint identity and associated policy from the underlying forwarding graph. It provides a distributed Layer 3 gateway that ensures optimal Layer 3 and Layer 2 forwarding. The fabric supports standard bridging and routing semantics without standard location constraints (any IP address anywhere), and removes flooding requirements for the IP control plane Address Resolution Protocol (ARP) / Gratuitous Address Resolution Protocol (GARP). All traffic within the fabric is encapsulated within VXLAN."



Wi-fi Direct - MiraCast / Windows 10

Hi all,

Can anyone help explain how Wi-Fi Direct works? I'm of the understanding that it's a peer-to-peer connection from your existing wifi adapter?

How does this work if your existing adapter has already formed a connection with a WAP? I'm assuming the standard allows this somehow? How does this impact the existing radio?

Has anyone seen issues with this technology specifically when using windows 10 laptops?



What factors determine your internet speed?

I was wondering if your wifi adapter is limited at 150 mbps, how do you get faster internet, how does upgrading your internet service help?



Cisco experiencing an outage?

Is anyone having an issue accessing their Cisco account or perhaps their smart licensing failing to authorize?

While on a virtual ASA today I received a very brief alarm: "WARNING ASAv platform license state is unlicensed. ASAv will reload in 30 seconds." What a heads up, by the way... I then went to sign in to Cisco and it appears to be having issues after entering the username; I'm not able to sign in.

Anyone else seeing this? I do have them on the phone now but was seeing if anyone else is seeing this issue.



Running Fortigate in transparent mode.

Need some advice on running Fortigate 200e in transparent.

I've set up the IP and subnet 10.10.10.99 255.255.255.0, which is the same IP range as the managed switches and MikroTik router.

I've set up ipv4 as per instructions. But no luck.

If I directly connect to FG I can access the admin. But across the network I can't.

Checking mikrotik I have half a dozen vlans. All managed switches appear to be listed in there as well.

ISP router IP range is 192.168.1.0

I read within the FG manual about vlan traffic but it means very little.

Any suggestions as to where to go from here would be appreciated.

Would it be more sensible to put it on the router IP range?



How common are core routers in the ISP environment?

I started working at a smaller ISP half a year ago and was a bit shocked to find out that almost everything is essentially layer 2. The only routers I've come across so far are edge routers. Is this common practice?

We essentially have like 2 big ERPS rings that all have their own edge routers that go back to the location where we peer with AT&T and other backbone providers.



How do I approach ICND1 & ICND2?

Hello everyone,

I'm a sysadmin and I want to dip into networking at a CCNA level, starting from scratch to make sure I don't miss anything. I read that ICND1 and ICND2 are better than taking the CCNA directly for that and are also more flexible in terms of timing for studying.

I don't know if I should buy a course on CBTNUGGETS or just buy the official cert books from Amazon, or if there's a better option than any of those, so I'm basically looking for recommendations on how to approach all this.

Thank you!



WAN switch recommendation

We currently use a setup of ISP router <-> Peplink loadbalancer <-> ASA.

The Peplink manages our /30 net of public IPs and does a bit of loadbalancing on the LAN side (small office - can do without). As the Peplinks need to be replaced I consider ditching them completely.

My idea is for the ASA to ARP for the public IPs and have a WAN switch point to the assigned MAC addresses on the ASA.

For a WAN switch I thought about getting a small 8-port HP/Aruba 2530, maybe as a stacked pair for HA. I have to admit that I have only used the 2530 as an access switch so far so I do not know if it is a good choice.

Does that approach sound okay?



Michigan State Police reporting State-Wide 911 Outage

/r/sysadmin/comments/ewn2er/michigan_state_police_reporting_statewide_911/

10G SFP+ Copper not really 10Gbps?

Is this true? If you use the SFP+ copper, you will not get 10Gbps.

I got this info from our Cisco rep, and they advise us not to use SFP+ copper because it is not really 10G, because of some compliance issue or something.



Thursday, January 30, 2020

Trouble with concrete floor and roaming.

I work for a small business and naturally, wear many hats. As the one with the most experience and comfort with technology, I'm the de facto IT guy. This generally works out fine.

We have about 6000sqft of office/workshop space on the first floor, and a 1200sqft mezzanine as a 2nd floor. The mezzanine floor is concrete on top of corrugated metal, supported by metal girders.

I have the 6000sqft covered with a Linksys EA8300 pretty well, and I can cover the mezzanine with a Linksys RE7000, but only with separate SSIDs. This has worked for a while, but now that we have a new VOIP system, the boss wants to use a mobile device softphone as his main phone, and he wants to be able to roam about without switching APs manually and still receive calls. I'm comfortable telling him he can't roam while he's on a call, but it would be nice not to have to switch APs each time we swap floors.

The problem I'm having with roaming is not one that I have been able to find other people talking about. Concrete, metal and WiFi do not get along, we all know that. But what if when on the 2nd floor, devices see the downstairs signal as being strong (they usually show up with 3 or 4 bars), but then when you connect to it, the bandwidth and stability is crap? This part doesn't make sense to me, the floor should be killing the signal right? The 1st floor AP's signal shouldn't present that strong, but then crap out. Please correct me if my understanding is wrong.

I've attempted using matching SSIDs and settings, with or without 802.11r enabled, but devices typically choose the 1st floor's AP instead of the 2nd floor AP when upstairs. Even if a device initially picks the 2nd floor AP, it usually swaps over to the 1st floor's without moving around.

I'm open to buying more appropriate equipment for the situation, but I don't know what would be the right AP's to buy. Or if they'd actually have settings to handle this. I've read about the Linksys and Ubiquiti AP's but really can't tell if they'd actually be of any use here.

Any thoughts, advice, or more info needed?



ASA5506 1-to-1 NAT Problem

Hi All,

I have an ASA 5506, connected to 100Mbps Comcast fiber. The public network is 50.xxx.xx.232 /29. The Comcast router is 50.xxx.xx.233, and my outside port on the ASA is 50.xxx.xx.234. I have three CCTV DVRs in a DMZ on the ASA using LAN IPs 192.168.1.250, 192.168.1.251 and 192.168.1.252. I am static NATing them to 50.xxx.xx.236, 50.xxx.xx.237 and 50.xxx.xx.238 respectively. After making the configurations on the ASA, I cannot ping or access these devices on the above 1-to-1 NATed IPs from the internet. What's more, if I change the public IP of the outside interface of my ASA to something else on the /29 subnet (50.xxx.xx.235 for example), I have no connectivity. But as long as I use 50.xxx.xx.234, I have an internet connection.

Packet-tracer tests are passing without a problem when targeting the IP's I'm using for the NATing on the /29. I am starting to suspect ISP as the culprit, but could use some opinions. I've replaced the ASA with two other units - one 5506 and one 5505. Same results each time. Below is the config, followed by packet-tracer.

interface GigabitEthernet1/4
 description To_Zonet_ZFS3024_Unmanaged_Switch_Port_24
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
object network CCTV-DVR-1
 host 192.168.1.250
object network CCTV-DVR-2
 host 192.168.1.251
object network CCTV-DVR-3
 host 192.168.1.252
object network CCTV-DVR-1-p
 host 50.xxx.xx.236
object network CCTV-DVR-2-p
 host 50.xxx.xx.237
object network CCTV-DVR-3-p
 host 50.xxx.xx.238
!
object network CCTV-DVR-1
 nat (DMZ,outside) static CCTV-DVR-1-p
object network CCTV-DVR-2
 nat (DMZ,outside) static CCTV-DVR-2-p
object network CCTV-DVR-3
 nat (DMZ,outside) static CCTV-DVR-3-p

Packet Tracer from outside source, inbound to DVR 50.xxx.xx.236:

FW14-SH5506-A# packet-tracer input outside tcp 12.x.xxx.20 8000 50.xxx.xx.236 8000

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network CCTV-DVR-1
 nat (DMZ,outside) static CCTV-DVR-1-p
Additional Information:
NAT divert to egress interface DMZ
Untranslate 50.xxx.xx.236/8000 to 192.168.1.250/8000

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object-group Camera-DVRs object-group CameraPorts
object-group network Camera-DVRs
 network-object object CCTV-DVR-1
 network-object object CCTV-DVR-2
 network-object object CCTV-DVR-3
object-group service CameraPorts tcp
 port-object eq www
 port-object eq 81
 port-object eq 82
 port-object eq 1024
 port-object eq 1025
 port-object eq 1026
 port-object eq 8000
 port-object eq 8001
 port-object eq 8002
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network CCTV-DVR-1
 nat (DMZ,outside) static CCTV-DVR-1-p
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 9405, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

Trace routes to 50.xxx.xx.234 (ASA WAN IP) make it one hop further than trace routes to any of the IPs I am trying to use for the CCTV NATing.

Has to be ISP right? Question is, what could they be doing to it? It was working fine this morning.



Prefer bgp default over local static default

Hey guys --

gear: Cisco Routers

routing: BGP

I have two datacenters, DC-A and DC-B.

I have a default route being advertised out of both. DC-A is the primary, DC-B has its default poisoned as it isn't distributed.

Is there a way, without using IP SLA, to prefer DC-A's default route at DC-B and, if DC-A's default fails (falls off the table), to use its static route, but then fail back to DC-A when it comes back online?

As of now I've added a static with a local distance of 250 (at DC-B), which works great if the default is already in the table. But if it falls off, the bgp route never takes precedence again. I believe this is because of weight?

I'm not sure if I'm missing something simple or what. I know I can handle this at each DC with two statics and two SLAs/object tracking, etc. I just wanted to handle it via preference and a higher-distance static (which would be tracked by SLA for reachability).

To clarify on the SLA in the above paragraph.... SLA would be used to keep the local default route in the table (at a higher distance in DC-B, default (1) in DC-A)....

Sorry if I'm not making sense...

edit: carrier doesn't support bfd :(



Cisco ZTP Python Script Not Importing CLI Module

We're doing some testing with zero touch provisioning on Cisco 9300 switches, and a switch that used to correctly run the ZTP script doesn't anymore. There have been no changes to the IOS version or anything, other than "write erase" between testing and reloading.

Basically, the ZTP script doesn't seem to be loading the CLI module at the start of the sample script:

print "\n\n *** Sample ZTP Day0 Python Script *** \n\n"
# Importing cli module
import cli

When the script runs it throws the same error as when the CLI module is not imported (yes the HTTP server is running):

SocketError: Socket /cisco/nginx_shared/pnp_python.sock not present. Make sure to enable http server 

After the script fails, if you go into Python through the guest shell, import the CLI module, exit, then run the downloaded ZTP script, everything works fine...

Switch#guestshell run python
Python 2.7.5 (default, Jun 17 2014, 18:11:42)
[GCC 4.8.2 20140120 (Red Hat 4.8.2-16)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import cli
>>>
Switch#guestshell run python flash:downloaded_script.py

Has anyone else had this issue before? It doesn't make sense to me.

Inb4 "call TAC" ^_^



Anybody use the Fortigate "test Your Metal" test?

My setup is a Ubiquiti USG for a router. The PC is patched up to date, has Norton running and Malwarebytes Premium.

The test failed 17 out of 19 tests; basically anything that was zipped and sent made it through without being caught or blocked....

Anybody ever use this test or recommend a different one?



Sundray Wireless Controller

Hello,

Has anyone used the Sundray WLAN Controller?

My wifi clients (NAT) inside the controller can access the external clients, but external clients outside the controller can't access the inside users.

How can I enable this?

Thank you



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Cisco Nexus VPC peer link configuration best practice

I've got to configure a pair of new Cisco Nexus 93180s in non-ACI mode and they will need to be in a VPC domain together. Traditionally we have used the dedicated management port for peer-keepalive communication (which does go through separate upstream switches), but I am thinking this is not ideal as it is just a single link. I'm considering creating an SVI in its own separate VRF for this communication going across the port-channel/trunk between the two switches (the VPC peer-link).

Am I way off here? Or do they actually need to be separate links as they currently are? Is the original method not an issue, or am I right to re-think it and do it differently? I have briefly read through this long Cisco guide, but I didn't see where it directly addressed it. https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf



Service Provider Network without MPLS

I'm wondering if there are any service provider networks out there that aren't using MPLS? If so how are you achieving customer segregation?

A side question, any providers have 2 or more separate networks? When I say separate I'm talking physically separate. Things like dedicated Metro Networks, dedicated Internet Networks, etc?



TCP/IP Question from a programmer (windows)

We had a situation where client talks to server (both Windows machines). The server showed that there is a TCP connection open. "netstat -a" showed it as ESTABLISHED to client_ip. But when we ran "netstat -a" on client it did not show any connection to the server.

There is a firewall (physical box) between Client and Server and normally connections work.

So question to networking gurus :)

  • Is it possible?
  • If it is possible, does it mean that the firewall or one of the switches is at fault here?

PS: I am a developer and until now I did not think it was possible to have a TCP connection in "ESTABLISHED" state on the server that does not even exist on the client.



Eigrp Static Neighbors

For various reasons, we're looking to configure our hub sites with static neighbours instead of letting EIGRP automatically determine it.

Devices are all within the same AS and all local to site. Site has 2 routers and 2 core switches running EIGRP. R1 and R2 both neighbour to each Core Switch but not to each other.

What I've found is that if R1 & R2 both learn a route (10.0.0.0/24 e.g.) via a VPN tunnel, the core switches see both routes via R1 & R2 (expected). If I then tear down the tunnel on R1, the core switches still see the route via R2 but the other router doesn't. I would expect the Cores to advertise this route to the other router but it doesn't show (Successor, Feasible or neither).

Without neighbouring the routers directly, can you think of what would cause this?



Question about point-to-point with Meraki.

We basically need to get a wired connection from one building to another. There will be one workstation in building B. Underground or aerial cables are not an option here. It's a very industrial situation and I'm not sure that straight WiFi will pick up from A to B, and the workstation will also have a VOIP phone. We are thinking of doing point-to-point or setting up one AP at one side and a wireless bridge to Ethernet on the other side. What is the best cost-effective way to do this? I guess "best" would be something like a Meraki MR74 on both sides, but that's pretty pricey.

Any thoughts?



Cisco ISE DACL

Just had a Cisco tech tell me that too many DACLs on a switch will overuse the switch's memory. Is this true? Are scalable groups really the better way of doing things?



Strange Configuration?

I have an interesting situation at work, where something is most definitively NOT configured by any sort of standard, and I honestly have no idea how this even works, so I figured I would throw this out there and see if anybody can shed some light as to how the heck this is even working.

I have a 600Mbps link between my main site and my DR. First I will list the main site relevant config.

MAIN SITE:

interface TenGigabitEthernet1/1/6
 switchport trunk allowed vlan 1,313
 switchport trunk native vlan 350
 switchport mode trunk

interface Vlan1
 description MAIN_NET
 ip address 172.17.0.5 255.255.0.0
 ip pim sparse-dense-mode
end

interface Vlan313
 ip address 10.254.255.2 255.255.255.252
end

Pretty straightforward stuff. Seems like a trunk port that I think is running over an L2 (probably MPLS) link to our DR site.

THEN, I get to the DR Switch

interface GigabitEthernet0/19
 switchport mode trunk
end

interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan333
 description Integral
 ip address 172.17.1.150 255.255.0.0
 no ip route-cache
!
ip default-gateway 172.17.0.5

This would all make sense... if the 172.17.1.150/16 were on vlan1, because that would match what is at my main site, but it's not. It has been changed to vlan 333 here, and I honestly just don't know how that is possible.



Help interpreting ASA log info

We are getting thousands of connections like the following below. Our SIEM is alerting us because they think it is FTP connections but according to the ASA syslog data it looks like it is actually ICMP and the source port is 21? Does anyone have any idea what kind of traffic this is? I can't find any information about an ICMP port 21. Thanks in advance!

Built inbound ICMP connection for faddr 18.229.160.179/21 gaddr 65.X.X.X/0 laddr 65.X.X.X/0
Built inbound ICMP connection for faddr 18.231.45.117/21 gaddr 65.X.X.X/0 laddr 65.X.X.X/0
Built inbound ICMP connection for faddr 13.232.231.197/21 gaddr 65.X.X.X/0/0 laddr 65.X.X.X/0
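Added example, not from the post or from Cisco: a small Python parser for the "Built ... connection" lines above that keeps the number after an ICMP address separate from real TCP/UDP ports, so a rule keyed on "port 21" fires only for TCP. The regex covers only the faddr/gaddr/laddr layout shown in the post (including the stray "/0/0" on the third line); the fourth sample line is constructed.

```python
import re
from collections import Counter

# Body of the ASA "Built ... connection for faddr ... gaddr ... laddr ..." message
# in the form shown in the post. The number after each address is an L4 port
# only for TCP/UDP; for ICMP it is a different field, so the parser keeps it
# apart instead of letting a port-based rule see it. The (?:/\d+)* group
# tolerates the extra "/0" present on the third posted line.
_BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) (?P<proto>[A-Z]+) connection"
    r"(?: \d+)? for faddr (?P<faddr>[\w.:]+)/(?P<fnum>\d+)"
    r" gaddr (?P<gaddr>[\w.:]+)/(?P<gnum>\d+)(?:/\d+)*"
    r" laddr (?P<laddr>[\w.:]+)/(?P<lnum>\d+)"
)


def parse_built(line):
    """Parse one 'Built ... connection' line; return a dict, or None if no match."""
    m = _BUILT_RE.search(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("direction", "proto", "faddr", "gaddr", "laddr")}
    num = int(m.group("fnum"))
    rec["raw_fnum"] = num
    if rec["proto"] in ("TCP", "UDP"):
        rec["src_port"] = num       # a genuine transport-layer port
        rec["icmp_field"] = None
    else:
        rec["src_port"] = None      # ICMP has no ports
        rec["icmp_field"] = num     # keep the value, but never treat it as a port
    return rec


def summarize(lines):
    """Count connections per protocol and per foreign address, and compare a
    protocol-blind 'number 21 => FTP' rule with one that checks the protocol."""
    by_proto, by_faddr = Counter(), Counter()
    naive_ftp = real_ftp = 0
    for line in lines:
        rec = parse_built(line)
        if rec is None:
            continue
        by_proto[rec["proto"]] += 1
        by_faddr[rec["faddr"]] += 1
        if rec["raw_fnum"] == 21:                              # what a naive SIEM rule does
            naive_ftp += 1
        if rec["proto"] == "TCP" and rec["src_port"] == 21:   # protocol-aware rule
            real_ftp += 1
    return {"by_proto": dict(by_proto), "by_faddr": dict(by_faddr),
            "naive_ftp_alerts": naive_ftp, "real_ftp": real_ftp}


# The three lines from the post plus one constructed TCP line in the same
# layout, so the two rules can be compared on a genuine port-21 hit.
SAMPLE_LOG = [
    "Built inbound ICMP connection for faddr 18.229.160.179/21 gaddr 65.X.X.X/0 laddr 65.X.X.X/0",
    "Built inbound ICMP connection for faddr 18.231.45.117/21 gaddr 65.X.X.X/0 laddr 65.X.X.X/0",
    "Built inbound ICMP connection for faddr 13.232.231.197/21 gaddr 65.X.X.X/0/0 laddr 65.X.X.X/0",
    # constructed sample, not from the post:
    "Built inbound TCP connection for faddr 203.0.113.7/21 gaddr 65.X.X.X/40000 laddr 65.X.X.X/40000",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feeding the parsed protocol into the SIEM rule instead of the bare number is what stops the ICMP lines from being labelled FTP.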



Systems Administrators/Engineering Books?

Hello All!

I've been with my company for 7 years now (Financial Data Company), starting out in Operations, to moving to another team that focused on analytics and now I just landed a job as Systems Admin (couldn't be "engineer" w/o degree/12 years work experience).

In my second position, I did some basic FTP/SFTP support that I fell in love with, which ended up with me landing this job internally, so while I know some stuff I would really like to learn a lot more in my off time while training at work. I was wondering about the best books or free/cheap sites that can help me really learn when I'm home so I can pick things up faster. Any suggestions would be great, thanks!

I do have a Linux book that I plan to read more of.



Google V6 DNS North America - ICMP stopped working

Has anyone had any issues with pinging Google DNS's V6 address in North America this morning? We have a few device setup scripts that ping Google's V6 DNS as a check to make sure the device has V6 setup correctly.

Wondering if anyone has any info or if it's working for other people. Trying to figure out if I need to update the scripts or reach out to my ISP and see if it's something specific to them.



Cisco ASA5505 L2TP/IPSEC Traffic limit

Hello everyone.

I'm trying to use L2TP/IPSec on a Cisco ASA 5505 as LNS and the Win 10 native L2TP client as LNC. The main goal is to connect Win10 to the ASA and then forward traffic to the Internet. The L2TP/IPSec connection between Win10 and the ASA establishes successfully, but the RTT is too high and a few minutes (or maybe about 2 MB of traffic) after connecting I can't access the Internet from Win10 at all. I changed MTU = 1400 and MSS = 1300, but the issue still hasn't been resolved.

I was pinging 8.8.8.8 from Win10 through the tunnel (because tunnel interface is a default gateway) and saw the following results:

  1. Ping when the connection has just been established (RTT is high, but it's not as strange as what follows)
  2. When I download a webpage I see 3 or 4 ping packets dropped
  3. After a couple of webpages all ping packets were dropped but the tunnel stayed alive.

Topology looks something like this:

Radius Server <==> Internet

Cisco ASA5505 (Outside DHCP local address) <==> ZyXEL router (NAT global address) <==> Internet

Win10 <==> Internet

Zyxel router does NAT on ports 500, 4500, 1701 to ASA address.

ASA5505 Configuration

I don't have any idea where the problem is or how to troubleshoot it. And when I decided to make this post I thought I could upload the ping and topology pictures here, but unfortunately I can't. :( Sorry for my English. I really need help with this. Thanks for your replies.



Need steps and best practices for fixing network.

Hello, I am a sysadmin at an SMB. A few months ago one of our switches died (a D-Link switch, DES-325P); before that there were not really too many issues. Most workstations had an Ethernet jack for our network, 192.168.0.x, and another jack for our phone system, 10.116.x.x, that would connect to our phone server.

So after the switch died, my boss just plugged back in anything that would fit anywhere. After that, people were not able to connect to the network because they were on the 10.116 network and not the 192.168 network. After manually giving out IP addresses most people are able to work.

Another thing to note: our WiFi is now affected as well, handing out 10.116 addresses, and no one can do anything that requires an internet connection with their phones.

I know a bit about networking, I have my CCENT, but I have only worked with Cisco switches, routers and firewalls.

What I really am asking is the proper steps to go about fixing this so that every port has the correct network attached to it and the WiFi works again. Whether it is manually checking every port number and seeing where it lies on the switch, or it is some setting in DHCP I am missing. Any help would be greatly appreciated.

Thank you



Avast port scanning and trying SSH & FTP logins on gateway

I recently discovered in our corporate network Avast also performs a port scan to default gateway and tries to perform SSH and FTP login with some default credentials. Could be part of the smart shield, but is not really wanted behavior for all Avast clients.

Also read a post on Avast harvesting URL click data: https://www.extremetech.com/internet/305344-avasts-free-antivirus-harvests-all-your-clicks-sells-them-to-third-parties

Any thoughts on this or anyone else noticed this?



Process for providing cellular signal in underground bunker

I recently deployed a new site which is entirely underground in a bunker; it's relatively large (7 Cisco 1815i access points) and I have recently been asked to find costings for providing regular cell signal (phone/SMS) across the site.

I have absolutely 0 knowledge in this field, so wouldn't know where to start. It will be open to the public and is based in Holland (The Hague, specifically).

Any advice would be much appreciated.



A faster way to verify the ports on twisted pair cable?

I'm coming in after another guy and of course nothing is labeled. I have close to 500 Cat 5 lines I need to verify the port on. The lines don't have anything connected yet, which just makes it that much more difficult. Right now I'm just plugging in a Raspberry Pi and watching the log for the port to come up, but it's pretty slow. Is there any way to do this faster or is this just going to be a long weekend?



Routing one network interface to another through my Windows 10 machine

Hello,
I'm having some issues establishing a connection between a USB Linux machine and the internet.
The situation is this: I have a Bash Bunny from Hak5 that I want to test. The guide simply says to connect the Linux machine via USB and configure a file so that the machine will allow NDIS emulation through USB. Having done that, I've been able to SSH into the machine via IPv4; the machine is up and running and everything is fine.
Problem is, the guide that explains how to route internet communications from the Linux machine is very poor. It basically says to go to Control Panel\Network and Internet\Network Connections and select the Ethernet device, giving it an IP address, then go to the network interface connected to the internet and allow internet sharing with the Bash Bunny. I have done all of this but the Linux machine is not able to ping its default gateway (my computer) nor any website or IP. I can SSH into it but can't ping it? Can somebody explain why?

If someone could help me i would appreciate, what should i do?

I already searched for similar issues, but nothing i found on their documentation/forum/discord worked.



Best way to configure customer uplink in our datacenter infrastructure

Hello r/networking,

I'm trying to figure out the best way to make this scenario work.

Our design is as follows: we are running L2 equipment in our datacenter (a mix of Juniper and Arista switches, in transition toward Arista now). Among other things, our equipment connects our VMware infrastructure, which is shared across customers.

To allow our customers to join this VMware infrastructure from their office, some of them have direct connections coming into our datacenter (some are L3 with MPLS or other flaw, some are L2, which we are trying to avoid and remove, but some are still there).

Historically (before I arrived), the way to protect ourselves from the spanning-tree on the customer side was to disable spanning-tree on those interfaces. I don't feel comfortable with this, so I would like to find a better way.

What I have done so far during the transition is configure bpduguard on the interfaces that are known L3 devices (so typically routers). This works fine except for some equipment (to which we have no access at all).

For that equipment, if I enable bpduguard, the connection is directly shut down. So I have to leave it enabled on them.

Problem is that some customers have equipment with a lower priority than our equipment, so they become the root bridge. This is exactly what I want to avoid. I tried to put bpdu guard root, but this has the same effect as bpduguard, in the sense that the port is discarded immediately.

What are my best options here? I thought about lowering the priority to 4096 on our equipment, but again it doesn't feel like the ideal solution (if their equipment is set to 4096 as well, and their MAC address is lower, they will win the battle).

I guess I could also move their VLAN to a separate MSTP instance, and just let them be the root on their VLANs if they want, but it doesn't sound cleaner either.

Thanks for reading :-)



Devices connected to switch cannot ping the internet, but the switch can

Hi!

I have an annoying issue, and I think I am missing something really simple and fundamental. I have a Cisco WS-C2960X-48LPD-L and it's connected to a Cisco ASA to a physical interface that has 4 logical interfaces with different VLANs on each (and different subnets). The ASA has 4 src-nat definitions allowing those interfaces to masquerade behind the external address of the ASA.

I can connect to the switch via SSH from a different internal network, and it can ping out to the internet just fine from the CLI. The issue is that if I connect a host to one of the interfaces on the switch, configure a suitable static IP address on the host (for the VLAN of the port it is connected to) and try and ping out to the internet, it never gets there, and just times out.

A few mistakes I made before I got to where I am were:

  • I hadn't specified the default-gateway for the switch itself so I could never connect to it. Fixed that and can now talk to the switch
  • I hadn't defined src-nat rules to allow traffic from any of the 4 subnets/VLANs out to the internet. Fixed that and from the CLI the switch can ping 8.8.8.8

The firewall rules for the various logical interfaces I've added have an any/any rule. I just can't see what I need to do to get a host connected to the switch to talk to the internet. The switch itself can, but a device connected to it cannot.



How does BGP prioritize lesser vs more specific prefixes? And can it even be done?

Hi experts!

We have 2 ISPs. We're announcing our /20 subnet to both ISPs.
I'm wondering if we could announce a subset of this /20.
Does eBGP allow this? Can we make as many announcements as we want? (I'm thinking if everyone did this, it would fill up the global BGP route list, and it may therefore not be allowed?)
Should the subnet be registered at RIPE etc.? Is there a limit to how small a network announcement we can make?

Let's say it can't be done. How does BGP prioritize this then?
When using static routes, the most specific route is always chosen. Does the same rule apply to eBGP?
It doesn't seem like a normal thing to do, since Google is not helping me.

The use case is: some of our customers prefer one ISP over another, so we want to make different announcements based on that.

Please advise. :)
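Added example, not from the post: a Python model of the longest-prefix-match lookup a remote router performs when it holds both an aggregate /20 (learned via both ISPs) and a /22 carved out of it (learned via one ISP only), plus the common /24 acceptance limit as a check. The prefixes and the ISP names are constructed.

```python
import ipaddress


class Fib:
    """Longest-prefix-match table: each prefix maps to the next hops (here, ISP
    names) it was learned from. This is the lookup every router performs on
    its forwarding table, no matter which protocol installed the routes."""

    def __init__(self):
        self.routes = {}   # ipaddress.IPv4Network -> list of next hops

    def add(self, prefix, nexthop):
        net = ipaddress.ip_network(prefix, strict=True)
        self.routes.setdefault(net, []).append(nexthop)

    def lookup(self, addr):
        """Return (network, next_hops) for the most specific covering prefix, or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, hops in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hops)
        return best


def accepted_by_peers(prefix, longest_accepted=24):
    """Most transit providers and route servers filter IPv4 announcements
    longer than /24, so a more specific than that will not propagate."""
    return ipaddress.ip_network(prefix, strict=True).prefixlen <= longest_accepted


def build_example():
    """Constructed table (RFC 1918 space, not a real allocation): the aggregate
    /20 announced to both ISPs and one /22 from it announced to ISP-B only."""
    fib = Fib()
    fib.add("10.10.0.0/20", "ISP-A")
    fib.add("10.10.0.0/20", "ISP-B")
    fib.add("10.10.4.0/22", "ISP-B")
    return fib


if __name__ == "__main__":
    fib = build_example()
    for dst in ("10.10.1.1", "10.10.5.1"):
        # 10.10.1.1 matches only the /20 (both ISPs); 10.10.5.1 matches the /22 (ISP-B)
        print(dst, "->", fib.lookup(dst))
```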



How to see outbound traffic to an AS?

Hi

We are being asked by a vendor to confirm how much traffic we are sending to their AS, how would we get this information? Is there an application we can use to monitor our usage?



Wednesday, January 29, 2020

Determine the source of multicast stream

Hello,

I have a small network in my home, which contains 1x router, 2x switch, 1x AP, some computers and phones. I also have two servers in a cluster (Proxmox) and one QNAP NAS storage, which I use to store files.

Some months ago I started using IPTV, I have set-top box from Amiko company, and using it to watch television with Kodi. This box is placed on vlan6 (192.168.40.0/24) (which is in LAN segment of the picture) because I know the IPTV traffic should be in separate vlan.

Below you can see logical view of the entire network:

https://i.postimg.cc/Vkck6HB1/Home-networking.jpg

As you see, I'm using a Mikrotik hEX as the main router, to terminate the ISP public IP address and do some firewall, NAT and routing stuff. As the Internet is terminated here, I expect to see some multicast traffic because of IPTV; also the Mikrotik has vlan6 enabled, but let's see the configuration of the ports:

[admin@hellhound.home.lan] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                             TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS
 0  R  ;;; Link to ISP
       ether1                           ether            1500  1596       2026 B8:69:F4:DB:DA:1A
 1  RS ;;; Link to Cisco switch
       ether2                           ether            1500  1596       2026 6C:3B:6B:59:94:1D
 2  RS ;;; Link to Mikrotik access point
       ether3                           ether            1500  1596       2026 6C:3B:6B:59:94:1E
 3  X  ;;; Unused
       ether4                           ether            1500  1596       2026 6C:3B:6B:59:94:1F
 4  X  ;;; Unused
       ether5                           ether            1500  1596       2026 6C:3B:6B:59:94:20
 5  R  bridge                           bridge           1500  1596            6C:3B:6B:59:94:1D
 7  R  ;;; Vlan2 (192.168.0.0/24)
       vlan2-tag                        vlan             1500  1592            6C:3B:6B:59:94:1D
 8  R  ;;; Vlan3 (192.168.10.0/24)
       vlan3-tag                        vlan             1500  1592            6C:3B:6B:59:94:1D
 9  R  ;;; Vlan4 (192.168.20.0/24)
       vlan4-tag                        vlan             1500  1592            6C:3B:6B:59:94:1D
10  R  ;;; Vlan5 (192.168.30.0/24)
       vlan5-tag                        vlan             1500  1592            6C:3B:6B:59:94:1D
11  R  ;;; Vlan6 (192.168.40.0/24)
       vlan6-tag                        vlan             1500  1592            6C:3B:6B:59:94:1D
[admin@hellhound.home.lan] >
 1 RS ;;; Link to Cisco switch
      name="ether2" driver-rx-byte=8 086 346 162 985 driver-rx-packet=8 497 403 137
      driver-tx-byte=9 773 452 609 711 driver-tx-packet=9 060 307 937
      rx-bytes=8 136 450 389 192 rx-packet=8 500 830 242 rx-too-short=0 rx-64=300 056
      rx-65-127=3 184 053 446 rx-128-255=32 101 321 rx-256-511=108 841 856
      rx-512-1023=15 702 206 rx-1024-1518=5 167 902 503 rx-too-long=0
      rx-broadcast=635 679 rx-pause=0 rx-multicast=7 435 462 rx-fcs-error=0
      rx-align-error=0 rx-fragment=0 rx-jabber=0 rx-drop=0
      tx-bytes=9 809 890 367 273 tx-packet=9 058 500 770 tx-64=84 233 804
      tx-65-127=2 421 432 836 tx-128-255=42 937 817 tx-256-511=137 437 551
      tx-512-1023=47 563 760 tx-1024-1518=6 326 702 104 tx-broadcast=230 527
      tx-pause=0 tx-multicast=1 576 570 tx-collision=0 tx-excessive-collision=0
      tx-multiple-collision=0 tx-single-collision=0 tx-deferred=0
      tx-late-collision=0 tx-drop=0 tx-fcs-error=0
 2 RS ;;; Link to Mikrotik access point
      name="ether3" driver-rx-byte=24 904 213 698 driver-rx-packet=31 434 954
      driver-tx-byte=117 049 286 733 driver-tx-packet=86 389 672
      rx-bytes=25 030 676 572 rx-packet=31 351 349 rx-too-short=0 rx-64=9 944 483
      rx-65-127=1 899 968 rx-128-255=3 695 745 rx-256-511=328 864
      rx-512-1023=130 332 rx-1024-1518=15 440 208 rx-too-long=0
      rx-broadcast=11 047 rx-pause=0 rx-multicast=77 204 rx-fcs-error=0
      rx-align-error=0 rx-fragment=0 rx-jabber=0 rx-drop=0
      tx-bytes=117 408 472 688 tx-packet=84 677 640 tx-64=5 586 151
      tx-65-127=2 562 504 tx-128-255=807 744 tx-256-511=482 810
      tx-512-1023=335 192 tx-1024-1518=76 615 271 tx-broadcast=121 167
      tx-pause=0 tx-multicast=1 590 865 tx-collision=0 tx-excessive-collision=0
      tx-multiple-collision=0 tx-single-collision=0 tx-deferred=0
      tx-late-collision=0 tx-drop=0 tx-fcs-error=0

Ok, there is a bridge, which I use to do the VLAN tagging:

https://i.postimg.cc/RVp3XztR/Mikrotik-h-EX-Bridge.jpg

As you see, I'm sending all vlans to the Cisco switch. And I'm only tagging vlan2 and vlan4 to the AP.
So I don't expect to see any multicast traffic on the AP interface, but in reality I do. I don't know why..

https://i.postimg.cc/y8XYSXvR/Mikrotik-h-EX-Ether3-Winbox.jpg

Look at how much multicast traffic I have on ether3, which is connected to ether1 on the AP. I can show a different picture with the same kind of information:

https://i.postimg.cc/grbmxnh4/Mikrotik-h-EX-Ether3.jpg

Ok, we haven't said anything about the Cisco equipment yet; here is the configuration:

interface GigabitEthernet0/1
 description Cisco-SG200-08
 switchport trunk allowed vlan 2-6
 switchport mode trunk
!
interface GigabitEthernet0/2
 description Do-Not-Work
 shutdown
!
interface GigabitEthernet0/3
 description QNAP-TS-431P
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/4
 description MikroTik-hEX
 switchport mode trunk
!
interface GigabitEthernet0/5
 description proxmox-node-1
 switchport trunk native vlan 7
 switchport mode trunk
!
interface GigabitEthernet0/6
 description proxmox-node-2
 switchport trunk native vlan 7
 switchport mode trunk
!
interface Vlan1
 no ip address
!
interface Vlan2
 no ip address
!
interface Vlan3
 no ip address
!
interface Vlan4
 no ip address
!
interface Vlan5
 ip address 192.168.30.6 255.255.255.0
!
interface Vlan6
 no ip address
!
#############################################################
2960g#show interfaces GigabitEthernet 0/1
GigabitEthernet0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0022.bd38.b481 (bia 0022.bd38.b481)
  Description: Cisco-SG200-08
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 367
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 2000 bits/sec, 2 packets/sec
     71462641 packets input, 34064842246 bytes, 0 no buffer
     Received 1185327 broadcasts (1173073 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 1173073 multicast, 0 pause input
     0 input packets with dribble condition detected
     179474379 packets output, 252015506771 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
2960g#
2960g#show interfaces GigabitEthernet0/3
GigabitEthernet0/3 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0022.bd38.b483 (bia 0022.bd38.b483)
  Description: QNAP-TS-431P
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:04, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 435
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 62000 bits/sec, 7 packets/sec
  5 minute output rate 55000 bits/sec, 13 packets/sec
     1870379854 packets input, 2240692066739 bytes, 0 no buffer
     Received 141380 broadcasts (101038 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 101038 multicast, 119 pause input
     0 input packets with dribble condition detected
     1923167326 packets output, 1771972517143 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
2960g#
GigabitEthernet0/4 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0022.bd38.b484 (bia 0022.bd38.b484)
  Description: MikroTik-hEX
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 6/255, rxload 6/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1134
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 26340000 bits/sec, 3254 packets/sec
  5 minute output rate 26607000 bits/sec, 3289 packets/sec
     8974430609 packets input, 9809117899373 bytes, 0 no buffer
     Received 1803510 broadcasts (1601913 multicasts)
     0 runts, 1809976 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 1601913 multicast, 0 pause input
     0 input packets with dribble condition detected
     8508259561 packets output, 8135592732093 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
2960g#
2960g#show interfaces GigabitEthernet0/5
GigabitEthernet0/5 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0022.bd38.b485 (bia 0022.bd38.b485)
  Description: proxmox-node-1
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 6/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:04, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 249
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 897000 bits/sec, 1193 packets/sec
  5 minute output rate 25555000 bits/sec, 2168 packets/sec
     4569823856 packets input, 2655578181223 bytes, 0 no buffer
     Received 1005668 broadcasts (604305 multicasts)
     17 runts, 0 giants, 0 throttles
     17 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 604305 multicast, 4171 pause input
     0 input packets with dribble condition detected
     6100296857 packets output, 7939546009895 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
2960g#

You can see the counters, broadcasts and multicast.
The pictures attached below say exactly the same:

https://i.postimg.cc/d3yJQ8hL/Cisco-2960-G-Gigabit-Ethernet0-1.jpg
https://i.postimg.cc/wBwqwxKT/Cisco-2960-G-Gigabit-Ethernet0-3.jpg
https://i.postimg.cc/LX7HMy6c/Cisco-2960-G-Gigabit-Ethernet0-4.jpg
https://i.postimg.cc/mDhbJxR3/Cisco-2960-G-Gigabit-Ethernet0-5.jpg

We didn't say anything about IGMP on the Cisco switch, but there isn't any configuration related to that; I mean the configuration is running on its defaults.

2960g#show ip igmp snooping
Global IGMP Snooping configuration:
-------------------------------------------
IGMP snooping                : Enabled
IGMPv3 snooping (minimal)    : Enabled
Report suppression           : Enabled
TCN solicit query            : Disabled
TCN flood query count        : 2
Robustness variable          : 2
Last member query count      : 2
Last member query interval   : 1000

Vlan 1:
--------
IGMP snooping                       : Enabled
IGMPv2 immediate leave              : Disabled
Multicast router learning mode      : pim-dvmrp
CGMP interoperability mode          : IGMP_ONLY
Robustness variable                 : 2
Last member query count             : 2
Last member query interval          : 1000

Vlan 2:
--------
IGMP snooping                       : Enabled
IGMPv2 immediate leave              : Disabled
Multicast router learning mode      : pim-dvmrp
CGMP interoperability mode          : IGMP_ONLY
Robustness variable                 : 2
Last member query count             : 2
Last member query interval          : 1000

So on and so forth for all VLANs and interfaces.
There is no IGMP querier configured, no filters, simply nothing.

According to the articles I've read on the Internet, because VLAN snooping is enabled, the VLAN's traffic has to be restricted to its own VLAN (broadcast domain), but why am I seeing all of this broadcast and multicast on the AP's interface? There is no such VLAN configured to pass through.

The same applies to the QNAP port: even though the QNAP port is in access mode, it doesn't care about VLANs at all.
So maybe I missed some basic things, but I'm not a network guy; I just like to play with networking and servers.

Any help/advice will be appreciated.
Thanks.
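To put counters like the ones quoted above in proportion, here is an added example (not the poster's code and not a Cisco tool) that parses IOS "show interfaces" blocks into per-interface counters, works out what share of input packets the broadcast/multicast figure represents, and lists interfaces whose error-class counters are non-zero. The sample input is re-typed from the post's Gi0/3 and Gi0/4 blocks, trimmed to the lines the parser reads.

```python
import re
from typing import Dict, List

# Constructed sample input: two interface blocks re-typed from the
# "show interfaces" output quoted in the post (the counter values are the post's own).
SAMPLE_SHOW_INTERFACES = """\
2960g#show interfaces GigabitEthernet0/3
GigabitEthernet0/3 is up, line protocol is up (connected)
  Description: QNAP-TS-431P
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 435
     1870379854 packets input, 2240692066739 bytes, 0 no buffer
     Received 141380 broadcasts (101038 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     1923167326 packets output, 1771972517143 bytes, 0 underruns
2960g#show interfaces GigabitEthernet0/4
GigabitEthernet0/4 is up, line protocol is up (connected)
  Description: MikroTik-hEX
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1134
     8974430609 packets input, 9809117899373 bytes, 0 no buffer
     Received 1803510 broadcasts (1601913 multicasts)
     0 runts, 1809976 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     8508259561 packets output, 8135592732093 bytes, 0 underruns
"""

# An interface block starts at a line like "GigabitEthernet0/4 is up, line protocol is up".
_HEADER = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)", re.M)

# Counters pulled out of each block; the regexes match IOS's own wording.
_FIELDS = {
    "description":  re.compile(r"Description: (.+)"),
    "output_drops": re.compile(r"Total output drops: (\d+)"),
    "packets_in":   re.compile(r"(\d+) packets input"),
    "broadcasts":   re.compile(r"Received (\d+) broadcasts"),
    "multicasts":   re.compile(r"broadcasts \((\d+) multicasts\)"),
    "runts":        re.compile(r"(\d+) runts"),
    "giants":       re.compile(r"(\d+) giants"),
    "input_errors": re.compile(r"(\d+) input errors"),
    "packets_out":  re.compile(r"(\d+) packets output"),
}


def parse_show_interfaces(text: str) -> Dict[str, dict]:
    """Split IOS 'show interfaces' output into one counter dict per interface."""
    headers = list(_HEADER.finditer(text))
    stats: Dict[str, dict] = {}
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[h.start():end]
        entry = {"status": h.group(2), "protocol": h.group(3)}
        for name, rx in _FIELDS.items():
            m = rx.search(block)
            if m is None:
                continue  # counter absent on this platform/line: leave it unset
            entry[name] = m.group(1).strip() if name == "description" else int(m.group(1))
        stats[h.group(1)] = entry
    return stats


def broadcast_share(entry: dict) -> float:
    """IOS's 'Received N broadcasts' (which counts multicast too) as a percentage of input packets."""
    total = entry.get("packets_in", 0)
    if total == 0:
        return 0.0
    return 100.0 * entry.get("broadcasts", 0) / total


def flag_anomalies(stats: Dict[str, dict]) -> Dict[str, List[str]]:
    """Interfaces whose error-class counters are non-zero, with the counters that fired."""
    watched = ("runts", "giants", "input_errors", "output_drops")
    return {
        name: [c for c in watched if entry.get(c, 0) > 0]
        for name, entry in stats.items()
        if any(entry.get(c, 0) > 0 for c in watched)
    }


if __name__ == "__main__":
    parsed = parse_show_interfaces(SAMPLE_SHOW_INTERFACES)
    for iface, entry in parsed.items():
        print(f"{iface} ({entry.get('description')}): "
              f"broadcast/multicast share {broadcast_share(entry):.4f}% of input packets")
    print("anomalies:", flag_anomalies(parsed))
```

Counters are cumulative since the last clear, so a share computed this way only describes the average over the interface's uptime; clear the counters and re-sample to look at a specific window.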



tcp/8090: Confused by Firewall Log Entries

I'm trying to wrap my head around this. I'm looking through my pfSense firewall logs, and I see entries where the source is a virtual address of a VPN connection.

https://imgur.com/miE7mMr - all of the traffic in question is on tcp/8090.

I run OpenVPN clients on my router, so the source IPs are the virtual IP addresses of those VPN clients, but what traffic would be attempting to enter my network on those virtual private addresses?

I assume this is not nefarious behavior, I actually suspect it has something to do with OpenVPN checking if the connection is alive or something, but thus far I've been unable to find any information to verify this.



Has anyone done IOx on Catalyst 9K switches? Question about USB options.

Has anyone tried out the IOx Application Hosting on the Cisco Catalyst 9000 series (9300 in my case)?

I was interested in giving this specific example a try in my lab at work as I have an available 9300 -

I'm not a big hosting/container expert, but I can see an advantage in generating traffic like this directly from a switch using iperf.

But just as i had a USB stick ready to go I stumbled upon this note:

"Internal flash and front panel usb (usbflash0:) do not support for application hosting."

So reading into this, officially, you have to get a Cisco 120GB-SSD to use this feature:

Now I get how this works. If I don't use the official, expensive (probably, didn't bother checking) Cisco branded drive it's unsupported. But I'm wondering if anyone has got this working with a thumbdrive in usbflash0 (front panel) or if a regular SSD will work in that usbflash1 (back port). Before I go messing around with drives and wasting a bunch of time I was hoping the community might have some advice.

A broader question would be: what checks could a Cisco switch do to determine whether it is an official Cisco USB SSD, and what is the recommended drive format for a Cisco switch these days?



Cisco DHCP snooping database backup?

Hi! I have read that having the DHCP snooping database on the local switch (Cisco Catalysts) may cause an outage if the switch reboots, but I don't understand how losing the database would be an issue. Would it not simply be rebuilt? I am a little confused.

Thanks



QoS statements on every port, would they actually be doing anything?

At my work we have common configurations for every cisco switch deployment we do, and for our QoS settings we apply the following to every single interface:

srr-queue bandwidth share 1 2 3 4

priority-queue out

mls qos trust dscp

Given that this is applied to every interface and there are no shape statements, would this configuration actually do anything?



Fibre optic ring not functioning as expected

We have a fibre optic ring around a construction site. Probably about 10km of cable and linked up to 10 switches as it goes. A simple design, just using fibre as the uplink and downlink to each switch around the site, creating a perfect ring theoretically.

However, when/if switch 9 is deactivated, switch 8 also drops from the network, even though it should be supported from the other side by switch 7. The switch (8) itself is still powered up in this instance and providing PoE to the connected devices, it just cannot transmit the data through the link. I have used a tester on this cable (admittedly a cheap one) and it seems to be OK. Unfortunately we cannot run a new cable between 7 and 8 because the ducting is terrible. Other than switch 1, the others are in outdoor environments (protected in IP68 cabinets) so there is only space for a patch panel, a switch and a UPS, with none of the luxuries we can rely on indoors.

Can anyone shed some light on this? It's quite a big issue for us. I have UPSs in place but now and again the battery will completely drain before the electricians can restore power, creating the problem I mention.



Recommendations Sought: Atlanta area cabling contractors

Anyone have a cabling contractor they are happy with? Our current partner leaves much to be desired in terms of communication and follow-through.



Supplemental Ground on Router

So I plan on using an Adtran router (Netvanta) for my small business's office. However, the installation manual mentions attaching a supplemental ground wire to the unit. In my small office we don't have a networking room and just plan on placing it on a tabletop, so I don't really have anything to ground the equipment to. My question is whether this is just a manufacturer's recommendation or whether it is required for the safe operation of the switch. The router has a 48VDC power input but is connected to a power brick which plugs into an AC outlet with a 3rd prong. Does that 3rd prong ground not safely ground the chassis of the switch?



Trying to understand IDS and TCP

I need a wee bit of help here. I have 3 virtual machines on a virtual network. There is nothing else on this network. vm1 is a DHCP server to give out IP addresses. vm2 has snort installed on it. vm3 just exists to do stuff to the other two. It is my understanding that snort listens to all traffic on the interface.

VM1(DHCP) <-> VM2(Snort) <-> VM3(Stuff)

Here's the rule I am trying to trigger:
SID 30225

alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE possible /bin/sh shellcode transfer attempt"; flow:established; content:"Rh//shh/bin"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30225; rev:2;) 

What I have set up is netcat on vm1 and vm3 with nc -l 999 on one side and nc 172.30.0.1 999 on the other. They connect fine and I can send text back and forth. Wireshark picks it up no problem. When I use scapy to send a TCP packet to vm1 with the content (Rh//shh/bin) from vm3 I don't get an alert. Any insight would be helpful. Thanks.

Here's my Python code.

#!/usr/local/bin/python
import sys
import random
from scapy.all import *

# VARIABLES
src = sys.argv[1]
dst = sys.argv[2]
sport = random.randint(1024, 65535)
dport = int(sys.argv[3])

# SYN: first step of the handshake, wait for the SYN-ACK
ip = IP(src=src, dst=dst)
SYN = TCP(sport=sport, dport=dport, flags='S', seq=1000)
SYNACK = sr1(ip/SYN)

# ACK: third step of the handshake, with the payload riding on it
payload = "Rh//shh/bin"
ACK = TCP(sport=sport, dport=dport, flags='A', seq=SYNACK.ack, ack=SYNACK.seq + 1)
send(ip/ACK/payload)
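To see why a segment carrying the rule's content string can still go unalerted, here is an added example (not the poster's code and not Snort's own implementation) that models the connection tracking behind flow:established in plain Python and runs three constructed cases: a full handshake followed by the data, the data segment alone, and a handshake interrupted by a RST, which is what a host's own TCP stack sends when it sees a SYN-ACK for a connection it never opened. The client address 172.30.0.3, the ports and the ISNs are assumed values; 172.30.0.1:999 and the content string come from the post.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The content: string carried by Snort SID 30225 quoted in the post above.
SHELLCODE_MARKER = b"Rh//shh/bin"


@dataclass
class Pkt:
    """One TCP segment, with flags spelled the way scapy spells them ("S", "SA", "A", "R")."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


@dataclass
class Flow:
    state: str = "SYN_SENT"            # SYN_SENT -> SYN_RECV -> ESTABLISHED
    client: Tuple[str, int] = ("", 0)  # who sent the SYN
    client_isn: int = 0
    server_isn: int = 0


FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]


def flow_key(p: Pkt) -> FlowKey:
    """Direction-independent key so both halves of a conversation share one Flow."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (ends[0], ends[1])


class FlowTracker:
    """Minimal model of the state tracking an IDS needs before flow:established can match."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, Flow] = {}

    def update(self, p: Pkt) -> str:
        """Feed one segment; return the flow state it belongs to after processing."""
        key = flow_key(p)
        flow = self.flows.get(key)
        if "R" in p.flags:
            # A reset tears the flow down; anything after it is untracked.
            self.flows.pop(key, None)
            return "NONE"
        if "S" in p.flags and "A" not in p.flags:
            self.flows[key] = Flow(client=(p.src, p.sport), client_isn=p.seq)
            return "SYN_SENT"
        if flow is None:
            return "NONE"  # mid-stream segment with no handshake seen
        if "S" in p.flags and "A" in p.flags:
            if flow.state == "SYN_SENT" and p.ack == flow.client_isn + 1:
                flow.state, flow.server_isn = "SYN_RECV", p.seq
        elif "A" in p.flags and flow.state == "SYN_RECV":
            from_client = (p.src, p.sport) == flow.client
            if from_client and p.seq == flow.client_isn + 1 and p.ack == flow.server_isn + 1:
                flow.state = "ESTABLISHED"
        return flow.state


def inspect(packets: List[Pkt]) -> List[str]:
    """Apply the rule's content match only to segments on established flows."""
    tracker = FlowTracker()
    alerts: List[str] = []
    for p in packets:
        state = tracker.update(p)
        if state == "ESTABLISHED" and SHELLCODE_MARKER in p.payload:
            alerts.append(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} "
                          "INDICATOR-SHELLCODE possible /bin/sh shellcode transfer attempt")
    return alerts


# Constructed traffic: an assumed client 172.30.0.3 talks to the netcat listener
# on 172.30.0.1:999 from the post. Ports and ISNs are arbitrary constructed values.
C, S = "172.30.0.3", "172.30.0.1"
SYN    = Pkt(C, 40000, S, 999, "S",  seq=1000)
SYNACK = Pkt(S, 999, C, 40000, "SA", seq=5000, ack=1001)
ACK    = Pkt(C, 40000, S, 999, "A",  seq=1001, ack=5001)
DATA   = Pkt(C, 40000, S, 999, "PA", seq=1001, ack=5001, payload=b"GET " + SHELLCODE_MARKER)
RST    = Pkt(C, 40000, S, 999, "R",  seq=1001)  # a host's stack answering a SYN-ACK it never asked for

HANDSHAKE_THEN_DATA = [SYN, SYNACK, ACK, DATA]       # tracked as established: alerts
DATA_ONLY           = [DATA]                         # no handshake seen: no alert
RST_BEFORE_DATA     = [SYN, SYNACK, RST, ACK, DATA]  # flow torn down before data: no alert

if __name__ == "__main__":
    for name, pkts in [("handshake", HANDSHAKE_THEN_DATA), ("data-only", DATA_ONLY), ("rst", RST_BEFORE_DATA)]:
        print(name, inspect(pkts))
```

A packet capture taken on the sensor's interface will show whether a RST from the sending host is interleaved with the crafted handshake; if it is, the sensor has no established flow to match against by the time the payload arrives.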


Symmetric (both up and down simultaneously) speed tests: Huge gap in the market

This is not new information: If a router/switch is advertised for 1Gbps/1Gbps, it can be very sneaky and only handle 1Gbps cumulative.

Similar to how we used to suffer with real-world performance before we could test for buffer bloat.

Now that connections are getting symmetrical more consistently (FTTH residential at 150/150 is fairly common), I feel like someone needs to step up and do the up/down speed tests *at the same time* so that we can really test equipment.

Who's with me!



PVLAN inter-community traffic

Is it possible to allow communication between multiple PVLAN communities on different Cisco switches? Putting them in the same community isn't really an option because there are about a dozen devices between them and I don't want to span the VLAN across that many devices. They currently can ping each other's SVI but none of the endpoints in each other's community.



Cisco 2960 & 4 Cisco 3750 Switches

Hi all

My employer is throwing out Cisco 2960 & 4 Cisco 3750 switches. I was contemplating snagging one. I know that Cisco gear requires a Meraki licence, but I wondered if it could function as just a dumb PoE switch without a licence or if the entire thing is totally unusable? I'm aware of the Cisco/webinar thing where you get a free switch for 3 years but this is just more of an opportunistic thing and I'm debating whether or not to go grab one.



IPVPN

Hi guys, does anyone know why IPVPN over MPLS is called IPVPN if it works on layer 2 and not on layer 3?...



What do these Cisco IOS warning messages mean?

I have tried googling but found nothing.

#WARNING: column Hw. Offload collides with Hw. Offload
WARNING: column Packet Type collides with Packet Type
WARNING: column ARP Src. MAC Address/Src. MAC Address collides with Src. MAC Address/Src. MAC Address
WARNING: column ARP Src. MAC Address/Src. MAC Mask collides with Src. MAC Address/Src. MAC Mask
WARNING: column ARP Dst. MAC Address/Dst. MAC Address collides with Dst. MAC Address/Dst. MAC Address
WARNING: column ARP Dst. MAC Address/Dst. MAC Mask collides with Dst. MAC Address/Dst. MAC Mask
WARNING: column Packet Mark collides with Packet Mark
WARNING: column To MAC Address collides with To MAC Address
WARNING: column Packet Type collides with Packet Type
WARNING: column ARP Src. MAC Address/Src. MAC Address collides with Src. MAC Address/Src. MAC Address
WARNING: column ARP Src. MAC Address/Src. MAC Mask collides with Src. MAC Address/Src. MAC Mask
WARNING: column ARP Dst. MAC Address/Dst. MAC Address collides with Dst. MAC Address/Dst. MAC Address
WARNING: column ARP Dst. MAC Address/Dst. MAC Mask collides with Dst. MAC Address/Dst. MAC Mask
WARNING: column Packet Mark collides with Packet Mark
WARNING: column To MAC Address collides with To MAC Address

Those messages appeared after I put a VLAN on a neighbouring MikroTik, and then put a VLAN inside that VLAN.



In need of clarification about 5GHz and 2.4GHz wireless

We have a client that runs into a strange wireless situation. When they use the 5GHz network, everything works fine; however, when they switch to 2.4GHz they start having connectivity issues.

Our first thought was that this could be caused by interference, but after running inSSIDer and using Ekahau HeatMapper, we discovered that the channels used (1, 6, 11) by the access points (D-Link 6610 B1) were clear and no other wireless devices were broadcasting around them.

Since their network consists of one huge subnet for everything, we thought that maybe the network gets congested; however, the question remains: why does the congestion not happen on the 5GHz band? I am not very experienced with wireless, but the only explanation I could think of is that maybe 5GHz antennas support more traffic than 2.4GHz... I've been looking online for the differences between the 2 bands but all I keep seeing is 'less interference because more frequencies'.

I would appreciate it if someone could at least point me in the right direction and help me find some materials regarding this issue.



Any network device can block rpc protocol?

Hi.

I am not good at networking. I come here because I have an issue. I am a Windows sysadmin. My Windows servers and my Windows clients get "rpc failed". For testing, none of the Windows computers has a firewall. So the RPC protocol should be doing the job. Unfortunately, it is not. So I ask myself: is there any network device that can block the RPC protocol? Can spanning tree block the RPC protocol? I am hopeless because the network sysadmin says Windows is bullshit so it's my own problem. On Windows the RPC protocol doesn't use only port 138; it randomly uses any port from 1000 to 65535.



Cisco Wireless LAN Controller-3 Tier Design

We have a 3-tier architecture design functioning as layer 3 (OSPF): an aggregation layer for the edge switches connected to a core switch, and an aggregation layer for the data center connected to the same core switch. The WLC will be placed in the DC while the APs will be connected directly to the edge switches; local mode will be used for the APs (as per Cisco's recommendation).

Our question here is how users will be able to connect or have network access if the WLC is connected to a different network (data center) and the VLANs are not end to end (the VLANs in the access switches are not found in the data center; they are operating as L3 and not L2).

As a solution, we are thinking of 2 options:

  1. using FlexConnect
  2. moving the WLC to the aggregation switch (facing access)

What is the best practice, or is there another solution? Note: we have 2 WLC 9800s in an HA cluster.



Dot1x: How to go about testing priority tagged EAPOL with wpa_supplicant?

Hello, I am trying to test priority tagged EAPOL authentication.

To keep things simple I have a linux host running wpa_supplicant and there is 1 interface that is connected to an authenticator.

Now, I am sending priority tagged (dot1q packet with vlan_id set to 0) EAPOL Start by configuring a "VLAN 0" interface in Linux:

ip link add link dev eth0 name eth0.0 type vlan id 0 

then running wpa_supplicant over this device:

wpa_supplicant -Dwired -ieth0.0 -cmy_wpa_supplicant.conf 

The problem is that the switch on the other end acting as the Authenticator is replying with UNTAGGED frames which are getting received over eth0 instead of eth0.0 (correctly, I assume). Thus wpa_supplicant cannot get any Request-Identity frames and hence the authentication fails by timeout.

Am I doing this wrong? How do you guys test EAPOL with priority tagged frames?



Tuesday, January 28, 2020

When does a PAN become a LAN?

Is there a clear line for this distinction? Does adding 802.11 wireless to the mix automatically make it a (W?)LAN, or if it's just a router serving me and me alone, is it still a PAN?

Not a homework question, just studying and confused on where the line in the sand for this distinction is.



Bonding DSL lines

I currently have a bonded DSL line providing 12 mbps down, 1 mbps up (6 down per line). Is it possible to add another bonded DSL line, bringing the speed up to 24 mbps down and 2 mbps up? I imagine I'd have to pay double to my provider (Frontier), since I'd be getting the same service twice, but can the speed be combined? Thanks!



Running Windows Server 2019 on HP ProLiant DL160 G6

Hi, so I want to know: can I upgrade my company's Windows Server 2019 on this current model?

I've been searching everywhere on the internet but nothing is really specific about which Windows Server series I can use on this model.

PS: English is not my first language.



Management VLAN for Aruba switches in Central

I'm unable to find the ability to assign a management VLAN in Aruba Central. Does it exist somewhere that I'm just unable to find?

Our management VLAN is 200. I create a VLAN 200, change DHCP to Static, and assign an IP and subnet. Nowhere am I able to check off a box to specify that this is now my management VLAN instead of VLAN 1. Also, where do I enter the default gateway?

For VLAN 1, it doesn't seem I can disable the IP address. It only gives me the option to choose DHCP or Static.

I can make these changes in the CLI, but I was hoping these were options in Central. Any help would be appreciated.



Route flapping and https sessions

I have a customer with a server-to-server communication issue. Server A reports a .5k piece of data to Server B. It is supposed to retry 3 times if it fails. This has worked well for years for many customers; however, we have encountered one in which the reporting fails several times per day. After much troubleshooting and monitoring of the network we have only identified one significant anomaly: the route from server A to B is changing on the customer's side regularly.

It is 29 hops from server A to B and hops 10 to 28 change regularly, once every 5-10 minutes. When the entire route changes most of the hops change 4-6 times within 2 or 3 seconds and is then stable again for a while. Even with all this flapping about, I see no packet loss.

Question: can this flapping cause HTTPS sessions to drop, even without packet loss? One theory is that packets may be arriving out of order and breaking the TCP connection in some way. We are using PingPlotter to record data for us presently and we will be trying to match up failures with the flap events.



Help Accessing a Jumpserver behind a FortiGate Firewall

Hi r/networking

I am helping a client implement a network architecture where there are three networks:

  • Business Network: Internet access, emails, etc.
  • Control Network: Computers that talk to each other, but do NOT ever reach the internet, or machines that have full access to the internet
  • DMZ: Remote Server that has limited internet access that can connect to the control network

I have complete control over the FortiGate firewall, but I have 0 control on the internet facing router. So any solutions would need to minimize the involvement of the router. (I have to get the client's IT involved and it's very troublesome).

The idea is that someone anywhere in the world with internet access can access the jump server, which in turn can access the control network. The way this is set up is:

The business network is public facing, so the router/default gateway of that network is the ISP's connection and thus has a public IP address. Connected to this business network is a FortiGate firewall, which is also connected to, and controls, the DMZ and control network.

My question is, how can I achieve the desired effect of being able to remote into this Jumpserver?

My idea was this: use the FortiGate's VPN capabilities to provide an inroad to the DMZ, thus giving access to the jumpserver, and to access this VPN from the internet, forward the custom VPN port from the main router to the FortiGate firewall's business network IP.

Here is an image illustrating my idea: https://imgur.com/a/cyX6jQg

This did not work. The VPN connection times out immediately. So here are my next questions:

  • Someone familiar with FortiGate firewalls/VPNs, what is the first thing you can see I am doing wrong?
  • Is this method even valid? Can this work?
  • Minimizing configuration on the business router, what is the best way to achieve this design where a jumpserver in a DMZ can be remoted into from any computer with internet access?

Thank you for your time.



Dial Into Modem Over Internet? (OOB Console)

So, I've got a Perle SCS that has a modem expansion card in it with a phone number. I'd like to be able, from anywhere on the internet, to dial into that number and have it pick up in order to then console into any of my servers from there. Is there software or a service out there that does this? Or would I need to have something like MagicJack to do it?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Generic optics

Hello, I work for a public university and we need to do public bidding for our purchases. The issue is, we have always bought overpriced OEM transceivers. As we have a low budget, I wanted to buy cheaper transceivers so we could use the extra money on switches. But I'm afraid of removing the compatibility clause from our bidding process. So the question is: is it common to have incompatibility issues between optical transceivers and switches? I for one never had a transceiver that did not work with any switch we have (HP, Fortinet, D-Link).



Rancid - hide Preshared keys in Mikrotik config

I back up MikroTik config using Rancid and I'm seeing preshared keys (in plain text) in the config of MikroTik access points. Is there any way in Rancid to remove/hide these preshared keys during backup?

In rancid.conf I can only see options for filtering passwords/SNMP community strings.

I can hide passwords in the MikroTik CLI with export hide-sensitive, but I have no idea how to set it "globally".



Cisco Certification Overhaul 2/24/2020 --> Recertification Requirements

Posting this over at Cisco too but wanted to hit here as well.

I've had a CCNP R&S for the past 6 years. Recertification has always been "Take one of the three tests (ROUTE, SWITCH, TSHOOT) and your whole cert is renewed for three years." No need to take all 3 every 3 years. Now with the 2/24/2020 changes, CCNP is two tests: one Core, one Specialty of your choice. The prerequisites are also gone. So that BS where if you let your CCNP lapse you have to do the CCNA and all 3 CCNP tests again is (finally) no longer a factor. But I am wondering whether, since that pressure is removed, you have to recertify with BOTH CCNP tests (core & specialty) every 3 years, or if it's still "Take one of the two tests and you're fully renewed for another 3 years." I've looked for this answer and haven't been able to find it. Does anyone know?



Learn to code, they say. Hah!

Obligatory: this happened about a week ago, and this is a throwaway account. I had actually been debating whether to even post this or not, but once the initial sting and depression wore off, I decided I'm going to do so.

I think first I need to start with a little background about myself. I am a network engineer with 15 years of experience in enterprise. I have a CCNP, but never went after CCIE (like many of you here, I imagine.) I've spent my entire career doing route/switch/firewall, again like many of you here.

Over the last two years, I took a hard look at all the warnings online and otherwise that we network engineers should learn to code. It'll save us from going "extinct."

Automation is coming to take our jobs. Dev Ops is coming to take our jobs. Infrastructure as Code is coming to take our jobs.

We've all heard it.

I took it to heart. After over a decade working in the field, I had never once learned to script or code, not even basic stuff. No powershell, no bash, no python, no ANYTHING. I never even wrote so much as an EEM script in IOS!

So to put it mildly, these warnings put a pretty strong scare into me. I was ill-equipped to deal with a future where my skills could become irrelevant long before I became retirement age.

So in response, I set off on a journey to learn to code. I know that sounds silly, but it's exactly what I did. I pored over online books and forums, reading constantly about the different languages out there, and I chose Python, because it seemed to be the one that comes up in conversation the most.

Now what did I do? I bought books, I bought VODs and training. I took classes on Udemy, I took Cisco's NetAcad courses, I signed up for K Byers' "Python for Network Engineers" course. I even created a new reddit account just for asking questions on various Python and dev type subreddits. I poured my time and energy into this.

And it paid off! Or so I thought. In less than a year, actually just a few months really, I was "scripting like a mad man." I made tons of scripts at my job place. Now even my coworkers do certain tasks by running my scripts to fulfill work orders. My scripts have become part of DR plans and continuity binders. Needless to say, I was feeling pretty good about myself.

My crowning achievement was a network OS upgrade automation script. It would log into the IP, determine what model the device was, pull the appropriate code from our FTP server, and then run pre and post checks. It would grab all the routing neighbors, number of routes in the RIB, and the next hop for all those routes, write them to variables, perform the upgrade, and then do a post-check afterwards. Differences it found were immediately drafted into an email and sent out to us.

For the first time ever in my company's history, we performed IOS & NX-OS upgrades without anyone even being AWAKE for them. We felt confident enough to schedule it late at night and just wake up to the results the next day.

So, feeling a little big for my britches, I decided it was time to challenge my newfound skills in an environment that would have more demand for them. So I put my feelers out and started looking for jobs that focused on coding and automation of network infrastructure.

For being in a major metropolitan area, I came up surprisingly dry. But then it came in like a beacon. A recruiter (a headhunter really) contacted me about an opportunity at a Fortune 500 that was looking for a "NetDevOps Engineer." He explained to me that they were really looking for a networking expert that could help coders adapt to this new dynamic. He shared the REQ and I'll be 100% honest, it read like a Network Engineering REQ.

They wanted proven skills and experience managing an enterprise network. They wanted expert knowledge of routing protocols and standard configurations. They wanted the ability to troubleshoot and isolate network faults.

Any mention of python, code, or programming in general, other than the title of the REQ, was just in passing.

It sounded like the dream job to me. I was not expected to be an "expert programmer." I was expected to be a good network engineer first, with a focus on automating and coding this all.

I began reading about Infrastructure as code and had dreams of a long and successful career. "This is the future" I thought, and I was going to be smack dab in the middle of it.

To prepare for the interview I pored over the technologies listed in the job REQ. My recruiter reassured me that they were mainly looking for a networking guy who knew Python and had written a few scripts on the side. So that's what I prepared for.

Then came the interview. And it. Went. HORRIBLE. I was totally unprepared, and I left there feeling humiliated and knowing I did not get the job.

I was taken completely off guard by the interview. They did not ask a single question about routing protocols or networking really in general. Instead it started out hot and heavy about coding and development concepts. Stuff that I, as a network engineer who had taught himself Python, knew absolutely NOTHING about.

I'll try to recount the questions I was asked as best as I can but honestly it was just a blur:

  • How do you manage source control? Something about "single source of truth."

  • Tell me about how you manage branching, pull requests, bugs and hotfixes?

  • How have you integrated unit testing, integration testing, and regression testing?

  • Tell us about linting your code.

  • Does your code closely follow PEP8?

  • How have you optimized "oh one complexity, and oh N complexity?"

  • How have you achieved a repeatable and sustainable code base? Tell us about your SDLC pipeline.

By the end of this interview, my face must have been beet red. I tried to work in a few examples of how my scripts had increased efficiency in our environment, and how a solid foundation in networking protocols was what I would bring to the table, but they didn't want to hear about any of that.

The most painful part of this was that even after I had shown I was mostly clueless about any of what they were asking (and I didn't try to lie and stumble through stuff; I just said my experience lay elsewhere and I wasn't familiar with the concept, etc.) they STILL kept pouring on the questions. It was like a dumpster fire.

It's been over a week now and I haven't heard back from the company nor even the recruiter who had initially contacted me. He hasn't even returned my calls.

So I just wanted to get this all off my chest and rant for a bit. If you've spent most of your career as a network engineer, and you suddenly think you're going to turn around and "learn to code" and go to a place like that, I think it's a pipe dream my friends.

These seem like lifelong crafts. I felt like a caveman being asked these questions. I can't even imagine how I could possibly get from where I currently am to where they wanted me to be.

Have you had similar experiences? Am I letting one bad experience discourage me too much? Because from where I'm sitting right now, I feel like I need to go crawl into a hole somewhere. I got a brief glimpse into a world far more advanced than the one I've been living in, and I felt overwhelmingly that I wasn't cut out for being in that world.