Saturday, February 15, 2020

UDP Hole Punch Service

I want to send short messages from computer A to computer B. Computer B is on a cellular hotspot. Computer A is at the user's home. My goal is to have rather low latency, so I'm hoping to set up a direct UDP "connection" between the two. I read about UDP hole punching but I don't really want to set up a public server. I was hoping there was a service (free or paid) that would do the signaling part of the hole punch. The way I imagine it is there would be a server that would receive a UDP packet, maybe asking to connect User A to Service A using password A, and if there was a user B asking to connect to Service A at the same time it would send User B the port number of A and vice versa. This seems like a common need for the IoT community. Is there a service that can do this or something like it?
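The signaling step the post describes, written out as an added example (this is not code from the post, and it assumes a JSON request carrying assumed field names "service" and "secret", a 30-second pairing timeout and an assumed listening port): a rendezvous server keeps only a digest of each party's shared password, pairs the first and second requester that name the same service and password, and returns each one the other's NAT-translated address and port. The matching logic is pure Python so it can be exercised without opening a socket; `serve()` is the thin UDP loop around it.

```python
import hashlib
import json
import socket
import time

TTL = 30.0  # assumed: seconds a lone request waits for its peer before it is dropped


class Rendezvous:
    """Pairs two clients that present the same service name and shared secret
    and hands each the other's public (NAT-translated) UDP endpoint."""

    def __init__(self, ttl=TTL):
        self.ttl = ttl
        self.pending = {}  # (service, secret_digest) -> (addr, deadline)

    @staticmethod
    def _key(service, secret):
        # Only a digest of the password is kept server-side, never the password.
        return (service, hashlib.sha256(secret.encode()).hexdigest())

    def expire(self, now):
        stale = [k for k, (_, deadline) in self.pending.items() if deadline <= now]
        for k in stale:
            del self.pending[k]

    def register(self, service, secret, addr, now):
        """Return the waiting peer's (ip, port) if this request completes a
        pair, otherwise park the request and return None."""
        self.expire(now)
        key = self._key(service, secret)
        waiting = self.pending.get(key)
        if waiting is None or waiting[0] == addr:
            # First party for this service/secret, or the same party retrying:
            # (re)start its wait.
            self.pending[key] = (addr, now + self.ttl)
            return None
        del self.pending[key]
        return waiting[0]


def handle_datagram(server, data, addr, now=None):
    """Decode one request datagram and return the list of (payload, destination)
    replies to send: one 'waiting' reply, or a 'matched' reply to each peer."""
    now = time.time() if now is None else now
    try:
        req = json.loads(data.decode())
        service, secret = str(req["service"]), str(req["secret"])
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return [(json.dumps({"status": "bad-request"}).encode(), addr)]
    peer = server.register(service, secret, addr, now)
    if peer is None:
        return [(json.dumps({"status": "waiting"}).encode(), addr)]
    return [
        (json.dumps({"status": "matched", "peer": [peer[0], peer[1]]}).encode(), addr),
        (json.dumps({"status": "matched", "peer": [addr[0], addr[1]]}).encode(), peer),
    ]


def decode_reply(payload):
    """Parse a reply datagram back into a dict (used by clients and by tests)."""
    return json.loads(payload.decode())


def serve(bind=("0.0.0.0", 40000)):
    """Minimal UDP loop around the matcher (port is an assumption)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    server = Rendezvous()
    while True:
        data, addr = sock.recvfrom(512)
        for payload, dest in handle_datagram(server, data, addr):
            sock.sendto(payload, dest)


if __name__ == "__main__":
    serve()
```

Both peers must keep sending to the server from the same local socket they will later use for each other, because the address the server reports is the NAT mapping created by those packets; a fresh socket would get a different mapping and the punch would miss.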



How do I monitor what my router sends?

Wireshark and other tools only show what I and the other devices send to and receive from the router, not what the router sends to the outside... Is there any way to do it? My router has only telnet enabled by default and there is no option to enable SSH!



Packet loss, but only on my PC.

I did a ping plotter test, and my internet had very heavy ping spikes. What are some ways to fix?



Active Directory mishap

Somehow the Active Directory entry for a workstation on our network got deleted. The computer is somehow still able to access network resources (shares, etc.), however it will ONLY let the user who usually uses it log in. I can't log in, other accounts can't log in, not even the domain Administrator can log in to it. It complains about "The security database on the server does not have a computer account for this workstation trust relationship." I've tried manually adding a new AD entry with the same computer name but I'm assuming it's not taking because it's not linked to that workstation anymore.

Anyone have any tips or maybe point me in the right direction on how I can un-f* this computer?

Thanks!

Side notes-

Workstation: Windows 7 Pro

Server: Windows Server 2008 R2



Does a valid TLS certificate require an internet connection?

Not self-trusted or self-signed. Does it require an internet connection for validation?



problems with strongswan log?

Hi all,

Who or where would it be recommended to send a strongSwan log to? I'm having some issues, not with connecting, but with the connection itself. I need someone who knows more than I do to lead me in the proper direction. I've spoken with my VPN, and they are greatly one-sided, just going in circles, no help at all. I've read the strongSwan documentation extensively and cannot find any answers, as well as the documentation on my connection type (extensive IETF files), still to no avail. Any help is greatly appreciated!!

My apologies if this question somehow does not meet the criteria! Feel free to delete :)



Watch the DNSSEC Root KSK Ceremony today

https://youtu.be/B46cWBUU2l4

Signing the ZSK for 2020 Q2 and destroying HSM3 (West).



Ip route 0.0.0.0 0.0.0.0 0.0.0.0

I get that a default route means that if nothing more specific matches, traffic is routed to the address entered in the ip route command.

Can someone explain the logic behind this specific command? ip route 0.0.0.0 0.0.0.0 0.0.0.0

My understanding is that any address will be routed to all interfaces. I'm most likely wrong because I'm unable to ping across the network.

https://imgur.com/a/qIcdbPt Topology for reference.

Router 3 is an "ISP" and I'm not allowed to use any routing protocols.



Change IP address on vlan

We are currently using VLAN 99 with IP addresses 10.xx.67.1-254. I am going to install new switches using VLAN 99 with IP addresses 10.xx.68.1-254. Can this be done? Can I add this subnet and access both subnets remotely using the standby IP?



Anyone else going through an agile re-org?

My company is having our Infrastructure area go through a reorg to adopt agile / scrum / Jira, and so far it's felt like a train wreck. With the amount of firefighting our area does and the amount of specialization (LAN, WAN, DNS, packet brokering, load balancing, WAN optimization), it seems like a pipe dream for us ALL to participate in sprints, do project work, firefight and also do cross-training.

This is nuts. Yes, it works for appdev but I don't see how this applies to infrastructure.

Am I crazy here? Is this the future of infrastructure or is this going to fail?



Don't know if this is the right place to ask. I was just wondering if there is any reason to install PuTTY on a Mac?

I've been doing a lot of research as to why people are installing it on their macs and in tutorials they never specify why they are showing how to install it on Mac. Mac OS comes with SSH and you are able to save connections and everything so I am just wondering what you guys might know that I am not seeing.



Enjoying Saturday with Firepower Bugs

Well, I am currently enjoying my Saturday dealing with some Firepower bugs. Our firewalls have been pretty reliable for the most part until today. We hit a bug in VDB database version 331 that causes the SNORT process to crash on the firewalls. The real bummer about this is that when snort crashes, the firewalls stop passing traffic. This bug took out both firewalls in an HA pair simultaneously and took the site down. Not super great. Luckily we have an old trusty ASA in our other site so traffic failed over as expected. TAC is now having me update FMC to 6.4.0.8 immediately and then we are rolling back the VDB version to 330. So, if you run into Firepower issues today, maybe this post will help you :)



Aruba Wifi

Hi All,

We have a Master Mobility Controller at one site and a Local Controller at another site, configured in an HA pair running 6.5.4.12 on 7240XMs.

We also have wired airplay servers that are discovered when screen mirroring from phones and laptops.

It seems that the discovery of the AirPlay servers is instant with APs associated to the Local Controller. However, with the Master we get instant discovery if we have below 700 users connected, but anything above that we get a 15-30 second delay in discovery.

I need some expert advice from existing Aruba network engineers on what my next steps should be. We already have BC/MC on all the VLANs. A reboot of the Master improved the speed but it's slowing down again. There are no obvious signs the controller is overloaded.

What steps should I take next?

Do I install another Local Controller to take load off the Master?

Do I upgrade the existing version?

Do I have to re-architect and go for AOS 8?

Ideally need a solution asap without causing too much disruption.



ITIL - Do any of you have it? What are your thoughts?

Just looking for opinions, I know having a certification is better than none. Just want to know how valuable it is.



Cisco 7600 edge router

Can someone explain to me what an edge router is? What does this particular model look like? How many customers can be connected to this edge?



Blacklist "Discrimination"

Hello,

I was wondering if any of you know network vendors that can blacklist based on vendor/OS. For example, if I have a network and want no Android or rooted Android/iOS devices on my network, or no Samsung/Huawei devices and only Apple devices.

Anyone who knows this?

Greetings



Friday, February 14, 2020

Is there any RFC for GRE tunnel Keepalive?

I could not find the GRE keepalive related RFC on Google. Is there any such thing? All I could find was this Cisco support document. Is it Cisco's proprietary mechanism? Do other vendors implement the GRE keepalive mechanism similarly?

Any help is appreciated.



Campus Network Architecture and Design Principles

In the four Principles, what is the difference between Flexibility and Modularity? They both seem like the same thing to me.

Or perhaps I should be asking: why are they separated into 2 different Principles?

I tried Google but could not even come close to finding an answer.



MTU on trunk links

Can someone please explain to me how I can have an MTU of 9214 on the trunk ports on the enterprise switch, while all the host ports and the hosts themselves are at 1500 MTU?

Would all packets be sent across the trunk link in 1500 bits? I'm just curious why the previous network administrator made his trunk ports 9214 between switches, but all the hosts are 1500. Do the jumbo frames between the switches actually help performance?



DHCP security on DELL FTOS switches

Hey Guys,

I know there is a way to allow only one port on the switch to broadcast DHCP messages, but is there a way to allow only the internal layer 3 switch to broadcast DHCP messages? I looked everywhere but can't figure it out.

We use Dell S4810s and Dell S60s with FTOS operating system versions ranging from 8.3 to 9.10. I can't figure out how to isolate the Dell switch itself to be the sole broadcasting DHCP server. We keep running into rogue devices that are broadcasting DHCP addresses and messing things up. Once the IT team plugged a SonicWall into our isolated media network, and then the host computers started getting the wrong IP scheme!

Please any help, other than telling me that I need to install an additional piece of hardware, would be appreciated.

-MudKing



FMCv Version with Restore and Re-association

Hi everybody,

Weird issue I know (but what isn't weird with FMC/FTD?), but here's the TLDR:

Can I re-associate an FMCv with an FTD appliance if the FMCv is running a newer version than the one used for the last policy deployment?

Longer version:

I need to restore a FMCv from backup after hardware failure. My most recent backup was off of 6.2.x. At the time of failure, my FMC was running 6.3.x and I don't have a backup from 6.3.x. Last policy deployment to FTD was from 6.3.x.

I've rebuilt my FMC on 6.2.x and restored from my 6.2.x backup. Do I need to upgrade to the version of 6.3.x I was using at the time of failure and then re-associate with my FTD appliance, or can I upgrade from 6.2.x to the latest gold star (6.4.0 plus 6.4.0.7 patch) and then re-associate?

I realize I could just ask TAC but I value real-world experience more with some of these FMC/FTD quirks.

Thanks and enjoy your Friday.



Cheaper Cisco eBooks?

Hi,
At my new job, they are using Cisco FTD firewalls and I want to get a better understanding of this product. I saw a well-rated book on Amazon, but it's $55 for the eBook! Is there a way to get it cheaper? I couldn't find it anywhere else.



Vlan randomly dropping

We are experiencing an issue where a VLAN is randomly going up and down on one of our switches and then stabilizing. Neither the uplink interface nor the host interface is bouncing. What could be causing this to happen?

Log Buffer (4096 bytes):
eb 14 04:12:07 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:12:17 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:12:17 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:12:48 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:12:48 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:12:53 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:12:53 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:12:59 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:12:59 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:13:01 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:13:01 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:13:05 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:13:05 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:13:06 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:13:06 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:13:14 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:13:14 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:13:18 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:13:18 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:13:20 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:13:20 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:13:24 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:13:24 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:13:26 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:13:26 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:13:32 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:13:32 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:13:42 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:13:42 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:13:46 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:13:46 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:13:46 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:13:46 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:14:18 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:14:18 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:15:26 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:15:26 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:15:57 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:15:57 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:16:09 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:16:09 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up

Uplink
FastEthernet1/8 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 7001.b5f3.8f8a (bia 7001.b5f3.8f8a)
  Description: Uplink
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 52/255, rxload 53/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:04, output hang never
  Last clearing of "show interface" counters 23:57:55
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 32
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 20994000 bits/sec, 2344 packets/sec
  5 minute output rate 20532000 bits/sec, 2108 packets/sec
     104294441 packets input, 114856748374 bytes, 0 no buffer
     Received 485390 broadcasts (458835 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 458835 multicast, 0 pause input
     0 input packets with dribble condition detected
     95047409 packets output, 110239191014 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Host
FastEthernet1/3 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 7001.b5f3.8f85 (bia 7001.b5f3.8f85)
  Description: Server
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:04:05, output 00:00:00, output hang never
  Last clearing of "show interface" counters 23:58:45
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 14000 bits/sec, 5 packets/sec
  5 minute output rate 46000 bits/sec, 9 packets/sec
     661276 packets input, 261701907 bytes, 0 no buffer
     Received 5957 broadcasts (3610 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 3610 multicast, 0 pause input
     0 input packets with dribble condition detected
     1076200 packets output, 676022355 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Vlan
Interface Vlan666 is up, line protocol is up
  Hardware is EtherSVI, address is 7001.b5f3.8fc1 (bia 7001.b5f3.8fc1)
  Description: Private Network
  Internet address is 192.168.1.20/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 1d00h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 2 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     219640 packets input, 25640446 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     14057 packets output, 2612243 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
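A log like the one above is easier to reason about once it is reduced to numbers: how many transitions, how long each outage lasted, and whether the down events cluster. The following is an added example, not code from the post: a small Python parser for `%LINEPROTO-5-UPDOWN` lines that computes those figures per interface and flags an interface as flapping when the down count inside a sliding window reaches a threshold. The sample input is the first seven lines of the post's log buffer; the year (2020), the 5-minute window and the threshold of 3 are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: the first seven entries of the log buffer quoted in the post.
SAMPLE_LOG = """\
Feb 14 04:12:07 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:12:17 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:12:17 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:12:48 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:12:48 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
Feb 14 04:12:53 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to down
Feb 14 04:12:53 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan666, changed state to up
"""

# IOS timestamp, timezone token, then the LINEPROTO message body.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \w+: "
    r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (?P<intf>[^,]+), "
    r"changed state to (?P<state>up|down)$"
)


def parse_events(text, year=2020):
    """Return [(timestamp, interface, state)] for every LINEPROTO line.
    IOS log timestamps carry no year, so one is supplied (assumed 2020)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other syslog lines are ignored, not an error
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["intf"], m["state"]))
    return events


def flap_report(events, window=timedelta(minutes=5), threshold=3):
    """Per interface: total transitions, number of downs, the largest number
    of downs inside any `window`, how many seconds each outage lasted (down to
    the next up) and a flapping flag (max downs in a window >= threshold)."""
    by_intf = {}
    for ts, intf, state in events:
        by_intf.setdefault(intf, []).append((ts, state))
    report = {}
    for intf, evs in by_intf.items():
        evs.sort(key=lambda e: e[0])
        downs = [ts for ts, s in evs if s == "down"]
        max_in_window = max(
            (sum(1 for d2 in downs if d <= d2 <= d + window) for d in downs),
            default=0,
        )
        durations = []
        for i, (ts, s) in enumerate(evs):
            if s != "down":
                continue
            nxt = next((t2 for t2, s2 in evs[i + 1:] if s2 == "up"), None)
            if nxt is not None:
                durations.append(int((nxt - ts).total_seconds()))
        report[intf] = {
            "transitions": len(evs),
            "downs": len(downs),
            "max_downs_in_window": max_in_window,
            "down_durations_s": durations,
            "flapping": max_in_window >= threshold,
        }
    return report


if __name__ == "__main__":
    for intf, stats in flap_report(parse_events(SAMPLE_LOG)).items():
        print(intf, stats)
```

Feeding the whole buffer from the post through `parse_events` (read from a file instead of `SAMPLE_LOG`) gives the same shape of report; the zero-second outages are the tell-tale detail here, since an SVI that goes down and back up within the same second is reacting to something on the VLAN (an access port or spanning-tree event) rather than a link that actually stays down.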


Can't get more than 1 UDP/RTP video stream on my network

Can anyone help me out with UDP or RTP video streaming? I'm trying to send 5 video feeds from 5 different PCs running OBS to a central PC where I can stream them. I can consistently get 1 video stream to open on UDP and RTP but nothing more (even though I know the ports are open)



VPLS Tunnel Between Cisco and Juniper Help

Ok /r/Networking, I am way over my head and running out of time. We currently run mostly Juniper equipment where I work, but it looks like we will be adding in some Cisco. We have a VPLS connection to extend Layer 2 for some phones. This is not negotiable and has to work. We are slowly changing the equipment out as well, since this is over a pretty large geographic area, and need to make the Cisco and Juniper equipment play nicely together. Ideally we would only need to make changes to the Cisco config, as the Juniper is in production and working as is. I was not the one who originally designed this setup, and that person is no longer with the organization, and it seems like they made this more complicated than it needs to be since there is a GRE tunnel involved as well as BGP, LDP and IS-IS. Since this is a lengthy problem I am going to try and save space by trimming the configs down to what I believe are the most relevant pieces. The equipment is a Juniper SRX 550 running 12.3X48-D70.4 and the Cisco is a C9300-24UX on CAT9K_IOSXE 16.12.02.

Juniper Section:

set interfaces ge-6/0/11 vlan-tagging
set interfaces ge-6/0/11 mtu 9000
set interfaces ge-6/0/11 encapsulation flexible-ethernet-services
set interfaces ge-6/0/11 unit 100 description "Juniper - Cisco TEST VLAN"
set interfaces ge-6/0/11 unit 100 encapsulation vlan-vpls
set interfaces ge-6/0/11 unit 100 vlan-id 100
set interfaces lo0 unit 0 family inet filter input LIMIT_MGMT_FILTER
set interfaces lo0 unit 0 family inet address 10.230.139.254/32
set interfaces lo0 unit 0 family iso address 49.0002.0192.0168.1139.00
set protocols bgp local-address 10.230.139.254
set protocols bgp local-as 65001
set protocols bgp group VPLS_iBGP type internal
set protocols bgp group VPLS_iBGP family inet unicast
set protocols bgp group VPLS_iBGP family l2vpn signaling
set protocols bgp group VPLS_iBGP neighbor 10.230.44.254
set protocols mpls interface gr-0/0/0.1
set protocols isis interface gr-0/0/0.1
set protocols isis interface lo0.0
set protocols ldp interface gr-0/0/0.1
set protocols ldp interface lo0.0
set routing-instances Cisco-Juniper_VPLS_VLAN100 instance-type vpls
set routing-instances Cisco-Juniper_VPLS_VLAN100 interface ge-6/0/11.100
set routing-instances Cisco-Juniper_VPLS_VLAN100 route-distinguisher 10.230.139.254:100
set routing-instances Cisco-Juniper_VPLS_VLAN100 vrf-target target:65001:100
set routing-instances Cisco-Juniper_VPLS_VLAN100 protocols vpls site-range 100
set routing-instances Cisco-Juniper_VPLS_VLAN100 protocols vpls interface ge-6/0/11.100
set routing-instances Cisco-Juniper_VPLS_VLAN100 protocols vpls no-tunnel-services
set routing-instances Cisco-Juniper_VPLS_VLAN100 protocols vpls site 100 site-identifier 2
set interfaces gr-0/0/0 unit 1 clear-dont-fragment-bit
set interfaces gr-0/0/0 unit 1 tunnel source 10.230.139.4
set interfaces gr-0/0/0 unit 1 tunnel destination 10.230.44.4
set interfaces gr-0/0/0 unit 1 family inet mtu 9000
set interfaces gr-0/0/0 unit 1 family iso
set interfaces gr-0/0/0 unit 1 family mpls mtu 9000

Cisco Section:

l2 vfi ER-VFI point-to-point
 neighbor 10.230.139.254 100 encapsulation mpls
!
l2 vfi ERVV100 manual
 vpn id 100
!
interface Loopback0
 ip address 10.230.44.253 255.255.255.255
!
interface Loopback2
 ip address 20.20.20.20 255.255.255.0
!
interface Tunnel1
 ip address 10.230.44.254 255.255.255.255
 ip mtu 9000
 mpls ip
 tunnel source 10.230.44.4
 tunnel destination 10.230.139.4
!
interface TenGigabitEthernet1/0/11
 description "Cisco - Juniper Test VPLS"
 no switchport
 no ip address
 no keepalive
!
interface TenGigabitEthernet1/0/11.100
 encapsulation dot1Q 100
 mpls ip
 mpls label protocol ldp
 xconnect 10.230.139.254 1 encapsulation mpls
!
router isis
!
router isis tag1
 net 49.0002.0192.0168.1140.00
!
router bgp 65001
 bgp router-id 10.230.44.253
 bgp log-neighbor-changes
 neighbor 10.230.139.254 remote-as 65001
 !
 address-family ipv4
  network 10.230.44.152 mask 255.255.255.248
  network 20.20.20.20
  neighbor 10.230.139.254 activate
  neighbor 10.230.139.254 send-community extended
  neighbor 10.230.139.254 soft-reconfiguration inbound
 exit-address-family
!

The GRE tunnel is working and I have gotten some of the sections to come up, but not everything. I feel like I am either really close or completely off base with the Cisco config. The problem is this is just too far out of my depth and I have read so many articles on this that things are blurring together. The added complexities, as well as it being a Juniper/Cisco setup, aren't helping. Here are some of the tests I have run:

root@TEST-Juniper-SRX> show ldp database
Input label database, 10.230.139.254:0--10.230.44.253:0
  Label     Prefix
      3      0.0.0.0/0
     27      10.64.0.0/16
     16      10.64.96.0/20
     17      10.64.240.0/22
     18      10.64.248.0/22
     19      10.64.254.0/24
     20      10.64.255.0/24
     65      10.177.203.0/24
     64      10.178.8.0/24
     63      10.191.18.64/27
     62      10.191.18.96/27
     61      10.191.18.128/27
     60      10.191.32.0/24
     59      10.191.33.0/24
     58      10.191.34.0/24
     57      10.191.35.0/24
     56      10.191.36.0/24
     55      10.191.37.0/26
     54      10.191.37.192/27
     53      10.191.37.224/27
     52      10.191.54.112/28
     51      10.191.187.0/24
      3      10.230.44.0/25
     21      10.230.44.144/29
     22      10.230.44.152/29
      3      10.230.44.160/29
      3      10.230.44.253/32
     23      10.230.44.254/32
     66      10.230.139.254/32
      3      20.20.20.0/24
     24      Sanitized IP
     50      Sanitized IP
     49      172.16.1.0/24
     48      172.17.188.0/22
     47      172.17.248.0/22
     46      172.18.10.0/24
     45      172.18.11.0/24
     44      172.18.162.0/23
     43      172.18.164.0/22
     42      172.21.0.0/24
     41      172.21.132.0/24
     40      172.21.133.0/24
     39      172.21.134.0/24
     38      172.21.135.0/24
     37      172.24.8.0/22
     25      172.25.148.0/29
     26      172.25.148.8/29
     36      192.168.11.0/24
     35      192.168.68.0/24
     34      192.168.99.0/24
     33      192.168.121.0/24
     32      192.168.125.0/24
     31      192.168.126.0/24
     30      192.168.129.0/24
     29      192.168.133.0/24
     28      192.168.249.0/24
     67      L2CKT CtrlWord ETHERNET VC 1

Output label database, 10.230.139.254:0--10.230.44.253:0
  Label     Prefix
 300048      10.230.138.254/32
      3      10.230.139.254/32

Input label database, 10.230.139.254:0--10.230.138.254:0
  Label     Prefix
      3      10.230.138.254/32
 300304      10.230.139.254/32

Output label database, 10.230.139.254:0--10.230.138.254:0
  Label     Prefix
 300048      10.230.138.254/32
      3      10.230.139.254/32

root@TEST-Juniper-SRX>

As you can see, we have another VPLS on the Juniper that is working and I find it odd that the Cisco seems to be just vomiting all of their LDP info to the Juniper. Checking on the VC of the Cisco I get this:

Cisco-Test#show mpls l2 vc detail
Local interface: Te1/0/11.100 up, line protocol up, Eth VLAN 100 up
  Destination address: 10.230.139.254, VC ID: 1, VC status: down
    Last error: Local access circuit is not ready for label advertise
    Output interface: none, imposed label stack {}
    Preferred path: not configured
    Default path: no route
    No adjacency
  Create time: 1d17h, last status change time: 1d17h
    Last label FSM state change time: 23:18:09
  Signaling protocol: LDP, peer 10.230.139.254:0 up
    Targeted Hello: 10.230.44.253(LDP Id) -> 10.230.139.254, LDP is DOWN, no binding
    Graceful restart: not configured and not enabled
    Non stop routing: not configured and not enabled
    Status TLV support (local/remote)   : enabled/None (no remote binding
      LDP route watch                   : enabled
      Label/status state machine        : local ready, LruRnd
      Last local dataplane   status rcvd: No fault
      Last BFD dataplane     status rcvd: Not sent
      Last BFD peer monitor  status rcvd: No fault
      Last local AC  circuit status rcvd: No fault
      Last local AC  circuit status sent: DOWN(not-forwarding)
      Last local PW i/f circ status rcvd: No fault
      Last local LDP TLV     status sent: No fault
      Last remote LDP TLV    status rcvd: None (no remote binding)
      Last remote LDP ADJ    status rcvd: None (no remote binding)
    MPLS VC labels: local 67, remote unassigned
    Group ID: local 65, remote unknown
    MTU: local 9000, remote unknown
    Remote interface description:
  Sequencing: receive disabled, send disabled
  Control Word: On (configured: autosense)
  SSO Descriptor: 10.230.139.254/1, local label: 67
  Dataplane:
    SSM segment/switch IDs: 0/0 (used), PWID: 3
  VC statistics:
    transit packet totals: receive 0, send 0
    transit byte totals:   receive 0, send 0
    transit packet drops:  receive 0, seq error 0, send 0
Cisco-Test#

I have tried looking into why the "Local access circuit is not ready for label advertise" but all I ever find are bug reports so that isn't exactly helpful. This is all in a test lab so I can run any tests and make any changes you guys and gals recommend.



Netops

How do I automate the Cisco VoIP & Jabber issues?

Using anything



How to enable the signal strength slider when opening Air Magnet site surveys?

I can't seem to find how to enable the signal strength slider in a site survey file that someone else captured. I need to raise the threshold to determine when a spot on a floor plan exceeds the minimum signal strength standard from 1st AP and 2nd AP.



Cisco took down my router, but how?

Hello All,

We had a Cisco TAC call yesterday in order to troubleshoot a VPN tunnel. Phase 1 comes up, but phase 2 never negotiates. So through a Webex I let their engineer work on the router and he wanted to create object groups to match the style of access lists on the other side of this tunnel. I didn't think it makes a difference, but I'm all for building test access lists to test this theory out, so that's what he was going to do. I sat on the call and watched him type and had a Putty log running. I was remote through a gateway to my desktop in the office. After he created a new test access list and modified the dynmap for this particular client to use the new access list, we lost all external connectivity. I was disconnected from my session and users in the office reported they no longer had internet access.
Since I was remote, I had to call a coworker to just reboot the entire device. Once it was back online I was able to get back in.

Below is the Putty log for changes that the Cisco engineer made. I am not very familiar with Cisco IOS, but I'm fairly certain creating a new ACL and calling that ACL in a dynmap should not affect anything but that dynmap. I'm hoping someone here can look at this output and tell me where we screwed up so I can avoid doing that in the future. We have another call scheduled with Cisco, but I'm a little nervous to let them make any changes until I understand why this went down.

Any thoughts are greatly appreciated! :-)

I have sanitized the log so that none of our IPs are in this log, nor any of the names we actually use. I also left the spacing alone, as it's off in a couple of places and I'm not sure if that is relevant.

ROUTER#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ROUTER(config)#object-group network Vendor2Client
ROUTER(config-network-group)#network-object host 1.1.1.151
                                             ^
% Invalid input detected at '^' marker.
ROUTER(config-network-group)#network-object host 1.1.1.152
                                             ^
% Invalid input detected at '^' marker.
ROUTER(config-network-group)#network-object host 1.1.1.153
                                             ^
% Invalid input detected at '^' marker.
ROUTER(config-network-group)#network-object host 1.1.1.148
                                             ^
% Invalid input detected at '^' marker.
ROUTER(config-network-group)#network-object host 1.1.1.149
                                             ^
% Invalid input detected at '^' marker.
ROUTER(config-network-group)#host host 1.1.1.151
ROUTER(config-network-group)# host 1.1.1.152
ROUTER(config-network-group)# host 1.1.1.153
ROUTER(config-network-group)# host 1.1.1.148
ROUTER(config-network-group)# host 1.1.1.149
ROUTER(config-network-group)#host 1.1.1.150
ROUTER(config-network-group)#exit
ROUTER(config)#no object-group network Vendor2Client
ROUTER(config)#
ROUTER(config)#
ROUTER(config)#
ROUTER(config)#
ROUTER(config)#
ROUTER(config)#
ROUTER(config)#
ROUTER(config)#
ROUTER(config)#
ROUTER(config)#
ROUTER(config)#
ROUTER(config)#object-group network Client2Vendorobject-group network Client2Vendor
ROUTER(config-network-group)#host 1.1.1.151
ROUTER(config-network-group)# host 1.1.1.152
ROUTER(config-network-group)# host 1.1.1.153
ROUTER(config-network-group)# host 1.1.1.148
ROUTER(config-network-group)# host 1.1.1.149
ROUTER(config-network-group)#host 1.1.1.150
ROUTER(config-network-group)#
ROUTER(config-network-group)#
ROUTER(config-network-group)#
ROUTER(config-network-group)#exit
ROUTER(config)#
ROUTER(config)#
ROUTER(config)#object-group network Vendor2Client
ROUTER(config-network-group)#host 192.168.15.150
ROUTER(config-network-group)#host 192.168.15.149
ROUTER(config-network-group)#
ROUTER(config-network-group)#
ROUTER(config-network-group)#
ROUTER(config-network-group)#
ROUTER(config-network-group)#
ROUTER(config-network-group)#
ROUTER(config-network-group)#exit
ROUTER(config)#access-list test_test extended permit icmp object-group Vendor2Client object-group Client2Vendor
                         ^
% Invalid input detected at '^' marker.
ROUTER(config)#ip access-list ?
  extended             Extended Access List
  helper               Access List acts on helper-address
  log-update           Control access list log updates
  logging              Control access list logging
  match-local-traffic  Enable ACL matching for locally generated traffic
  persistent           enable persistency across reload
  resequence           Resequence Access List
  role-based           Role-based Access List
  standard             Standard Access List
ROUTER(config)#ip access-list e x t
ROUTER(config)#ip access-list ext e
ROUTER(config)#ip access-list extended test_test ?
  <cr>
ROUTER(config)#ip access-list extended test_test
ROUTER(config-ext-nacl)#permit ?
  <0-255>       An IP protocol number
  ahp           Authentication Header Protocol
  eigrp         Cisco's EIGRP routing protocol
  esp           Encapsulation Security Payload
  gre           Cisco's GRE tunneling
  icmp          Internet Control Message Protocol
  igmp          Internet Gateway Message Protocol
  ip            Any Internet Protocol
  ipinip        IP in IP tunneling
  nos           KA9Q NOS compatible IP over IP tunneling
  object-group  Service object group
  ospf          OSPF routing protocol
  pcp           Payload Compression Protocol
  pim           Protocol Independent Multicast
  tcp           Transmission Control Protocol
  udp           User Datagram Protocol
ROUTER(config-ext-nacl)#permit icmp
ROUTER(config-ext-nacl)#permit icmp ?
  A.B.C.D       Source address
  any           Any source host
  host          A single source host
  object-group  Source network object group
ROUTER(config-ext-nacl)#permit icmp obj
ROUTER(config-ext-nacl)#permit icmp object-group Vendor2Client object-group Client2Vendor
ROUTER(config-ext-nacl)#
ROUTER(config-ext-nacl)#
ROUTER(config-ext-nacl)#exit
ROUTER(config)#
ROUTER(config)#
ROUTER(config)#
ROUTER(config)#c crypto map dynmap 95 ipsec-isakmp
ROUTER(config-crypto-map)#no match address VPN-CLIENT-ACL
ROUTER(config-crypto-map)#
ROUTER(config-crypto-map)#match add
ROUTER(config-crypto-map)#match address test_test
ROUTER(config-crypto-map)#
ROUTER(config-crypto-map)#
ROUTER(config-crypto-map)#exit
ROUTER(config)#exit
ROUTER#sh run | be


NSX-T Training

I just found out that I have to go to NSX-T training out in Phoenix. VMware is hosting the training, but it’s for three weeks spanned across three consecutive months (which means three round trips). Has anyone taken training on NSX-T? Is it beneficial?



Best practices for wireless networking maintenance? hire third-party for check-ups?

In a ≈450 employee environment with pretty much no walls inside between employees.

19 HP/Aruba 325 access points with a few of them quite often reporting to be very "noisy" or lots of interference.

But this was all installed maybe when there were 300 employees.

I am just a sys admin, we have no real networking team. I am not a wireless expert.

Shouldn't this be something a third-party is hired to come in to evaluate and advise? Aren't there special tools for this type of stuff, like getting metrics and statistics, seeing neighboring companies that might be interfering, detecting issues we can't see in a basic Windows or HP Aruba Instant web server for the environment...



PEPlink

Hi, I would like to ask if PEPlink can limit or block SSH connections from the server?



Problematic ethernet installation

Hi guys,

I'm very bad at networking, and I asked my electrician to install an ethernet cable through the wall.
Very easy setup.

I have a cable internet modem that goes into a wireless router.

From there everything works great (for example, if I plug my laptop into the router with an ethernet cable, it works great).
The problem started when I asked to run a cable through the wall.

The speed at the other side drops (from 350mbs if I'm connected to the router with the cable to 10 MB if I'm connected on the other side of the wall) and it doesn't work with the docking station (I don't know how they relate, but I don't believe in coincidence).
Any suggestion?

I know you cannot troubleshoot remotely, but I'd like to have some suggestions at least on the basic to check and to discuss with the electrician.
Thanks a lot

Rob



NAT Q - public IP Nat'd to an IP located over an IPSEC tunnel

Hello All,

I have a question about a NAT config I am trying. We are migrating from an on-prem DC to a Cloud solution. From that DC's ASA I have an IPSEC tunnel to the cloud provider which has a private IP range of 10.100.60.0/22. Routing is in place and everything can be accessed from on-prem to cloud.

We are trying to NAT a public IP at the ON-PREM DC to an IP in the Cloud for testing purposes. Can this be done? This public IP was NAT'd to an on-prem server that crashed so we moved it to the cloud and would like that traffic to traverse the tunnel now to access the new server.

We had something like this below, which was removed.

object network OBJ_10_50_0_251

nat (inside,outside) static 1.1.1.1 dns

!

The new IP is below

object network obj 10.100.60.22

I tried to drop that NAT in but it did not work. Would an outside,outside work? Am I missing something here? Appreciate the help.



Windows traceroute actually doing ping

I have a Windows server that always returns a hop count of 1 for any destination. It sends out the ICMP packets as though they are pings with a TTL of 128 even though I am executing tracert.

Anyone know how to cure this?

E.g.:

C:\Users\X>tracert 8.8.8.8

Tracing route to dns.google [8.8.8.8]

over a maximum of 30 hops:

1 10 ms 9 ms 9 ms dns.google [8.8.8.8]

Trace complete.



Thursday, February 13, 2020

Routing issues between Internal Network and DMZ

I have the following network:

  • Internet connected to Sophos Firewall on WAN interface
  • LAN interface with address 10.0.0.1/24 connected to DMZ Switch
  • On DMZ Switch I have a server, with address 10.0.0.111/24 gw 10.0.0.1
  • Additionally, on DMZ Switch I have the WAN interface of a second Unifi Firewall with address 10.0.0.2/24 gw 10.0.0.1
  • From the second Firewall LAN interface with address 10.0.1.1/24 I go to a switch
  • On this switch I have a host with address 10.0.1.222/24 gw 10.0.1.1

10.0.1.222 cannot talk to 10.0.0.111. After further investigation, I saw the response traffic from 10.0.0.111 trying to go out the Internet on the WAN interface after being NATed, so I added a static route on the Sophos router that points traffic to 10.0.0.0/16 to gw 10.0.0.2

Now traffic does not go out the WAN interface, but traffic is being captured by rule 0 on the Sophos, stating that the response from 10.0.0.111 to 10.0.1.222 was invalid as it was not part of a pre-established connection.

It is obvious what is happening: Traffic from the internal host exiting the internal firewall goes directly to the server as it is directly connected to the network. But the return traffic does not know how to get to the original source (the internal host) so it goes to its gateway, the Sophos firewall. But the Sophos firewall detects that returning traffic as spurious and discards it...

I used to have this configuration working with OpenBSD as both firewalls, but I cannot seem to make the Sophos work...

What is this issue called so I can look for it on the internet? How can I research a fix for my problem? I've tried adding rules on the Sophos firewall to no avail. I would rather not change the Server default gateway to the internal firewall because most traffic will be redirected to the Internet...

So how can I make this work? It is almost as if I had to add a static route to the Server to point to 10.0.0.2 for any 10.0.0.0/16 traffic... But in reality "Server" are many different devices, from Servers running in Linux to IoT devices where I cannot configure them directly...

Any help is greatly appreciated,



Don’t trust charter aka spectrum enterprise, fiber just as bad as coax

We just got a gig fiber circuit and not even 48 hours in we have an ongoing 8+ hour outage. Our original tech who installed it came back and he’s been working with tier 2/3 for 8+ hours. One theory is the sfp+ at the head end wasn’t fully seated so it popped out randomly. Another theory is the connection went down at the exact same time they completed the “acceptance” test and that made a change that broke everything. They see light at both ends but have failed for over 8 hours to get it linked up.

If they were not a monopoly in our area we would NEVER have gone with them, but there is NO other choice.



Equinix Customers, how happy/unhappy are you?

Their sales staff is pretty tight with the company I work for (we're a partner) and I've of course been preached to about the wonders of having a performance hub connected to their cloud exchange fabric. However... speaking completely off the record here... are customers typically happy with their services?



DELL Switching Help - Consistent Packet Loss on User VLAN

Hi All,

New to the community. After an acquisition of a small office, I’ve recently inherited a DELL network environment. I’ve always worked in Cisco shops, but the past few years I've focused entirely on voice/video. Our sr. network engineer just quit, so I'm back in the hot seat. The previous sysadmin of this new site left during the transition, so I’m doing the dance of discovery/support.

After migrating the site from onprem VOIP to a cloud PBX (last week), we started getting complaints of call quality. A few pingplotter scans to the cloud PBX showed all our packet loss occurring on the LAN side. After some more testing I isolated the packet loss to the user VLAN (pingplotter on a local server hit the internet with no packets dropped). The VLAN gateway on the core switch (S5000) seems to consistently drop packets (3-5%), which is killing voice quality.

After a quick call to DELL I found the switches are out of warranty, so a call with support would be BIG $$$.  I decided to kick the cores after business hours to try and shake things out (this was an hour ago). It's worked before! Unfortunately, packet loss started popping up again 10 minutes after the switch reload.

Feeling a bit defeated, but I have tomorrow morning to troubleshoot further, as I’m ET based and this office is on the west coast.  I’ll be calling DELL tomorrow, but wanted to see what the community thought.  I’ll be posting some config files once I hit the office; sorry I know it’s a party foul to ask questions without giving you guys hard data.    

The mile high environment...

MDF

  • S5000- core
  • 3048
  • 3148

IDF

  • 3048 - fiber run to S5000
  • 3148

While the network has a small footprint, the only oddity is that internet comes into the IDF and hits a SonicWall FW, then the L3 3048 switch. This traffic is then routed to the MDF S5000 switches.

I finished the night by starting fresh pingplotter scans. One PC is serviced by the MDF access switches, the other PC by the IDF. My thought being, if one comes back clean and one doesn’t, I’ll know to focus on either the IDF 3048 or the MDF S5000 (from a routing perspective).

Any advice would be huge, sorry for the wall of text!!



Usb device over network through 2 PCs

Hi, I don't know if this is the correct sub, but I need to connect a USB device in one of and have another PC read that USB device as native. Any ideas how I could achieve this?



How does your org manage change requests and shared rules for firewalls?

I'm trying to improve information availability and change management on my team. Since we're upgrading some of our boundary equipment, it seems that now is the best time to try and change things for the better.

From my experience, it seems that Palos lend themselves to enterprise management much more so than Juniper or Cisco variants. However, our Palo deployment is relatively young and we still have plenty of other vendors to support. Excepting the Palos, all of our management of other vendors is CLI-only.

Basic information / issues:

  • All FW Change requests are submitted via ticket.

  • Post-deployment, customers frequently do not maintain records of their ticket.

  • Internally, it is up to the engineer to track the tickets they work (e.g. it is not tracked in a central location outside of the ticketing system).

  • Customers frequently request after-the-fact additions to their changes (sometimes submit a new one, sometimes not).

  • No internal documentation or tags/notes on the FW on a per-ticket basis for rules.

What the above means is that, depending on the person doing the ticket, we may have one rule that allows the original request but the follow-on rule (even if it is technically only adding a single IP) may be a separate rule entirely. This has led to pretty severe bloat with rules, especially if the ports or IPs submitted are superfluous. Does your org implement timely rule reviews and delete any unused or modify 0-hit rules?

This issue is somewhat compounded by having multiple DMZs and multiple egress points, so some DMZs may have a rule or NAT that needs to be replicated / advertised / etc. in case of failover, which may add a layer of complexity to tracking changes or migrating rules.

Additionally, how does your org standardize object names or rule sets? This is, again, dependent on the engineer and there may be objects such as "1.1.1.1-32-DEPT1" or "DC1-DNS." It's not terrible, but I'd like some type of order.

And finally... with all of this combined together, sometimes we have rules that just draw blanks. No idea why it's there, who it belongs to, etc. but we still need them to exist. The ultimate goal is to eliminate that and make the rules easily trackable and engineer-readable.

Would appreciate any suggestions!
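The review described in this post (0-hit rules, rules with no ticket reference, follow-on rules that should have been folded into an existing one, and rules that a previous rule already covers), as an added example that is not from the post or any vendor's tooling. The rule base is constructed; the field names and the first-match semantics are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rule base (not from the post). src/dst are lists of networks or "any";
# "hits" is the vendor's hit counter and "ticket" the change request that created the rule.
RULES = [
    {"name": "web-dc1",       "src": ["10.10.1.0/24"], "dst": ["203.0.113.10"], "svc": "tcp/443", "hits": 15230, "ticket": "CHG-1001"},
    {"name": "web-dc1-addl",  "src": ["10.10.2.5"],    "dst": ["203.0.113.10"], "svc": "tcp/443", "hits": 40,    "ticket": ""},
    {"name": "dns-out",       "src": ["10.10.0.0/16"], "dst": ["any"],          "svc": "udp/53",  "hits": 90000, "ticket": "CHG-0999"},
    {"name": "dns-out-bldg3", "src": ["10.10.3.0/24"], "dst": ["any"],          "svc": "udp/53",  "hits": 0,     "ticket": "CHG-1050"},
    {"name": "legacy-ftp",    "src": ["any"],          "dst": ["203.0.113.20"], "svc": "tcp/21",  "hits": 0,     "ticket": ""},
]


def _nets(items):
    """Turn the rule's address list into ip_network objects; 'any' becomes 0.0.0.0/0."""
    return [ipaddress.ip_network("0.0.0.0/0" if x == "any" else x, strict=False) for x in items]


def covers(outer, inner):
    """True when every network in `inner` sits inside some network in `outer`."""
    return all(any(n.subnet_of(o) for o in _nets(outer)) for n in _nets(inner))


def zero_hit_rules(rules):
    """Rules nothing has matched: candidates for removal after a review window."""
    return [r["name"] for r in rules if r["hits"] == 0]


def untracked_rules(rules):
    """Rules with no change-request reference, i.e. nobody can say who owns them."""
    return [r["name"] for r in rules if not r["ticket"]]


def merge_candidates(rules):
    """Rules that share destination and service and differ only by source: the
    'follow-on rule that only adds one IP' case, better handled as one source group."""
    groups = defaultdict(list)
    for r in rules:
        groups[(tuple(r["dst"]), r["svc"])].append(r["name"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def shadowed_rules(rules):
    """Rules fully covered by an earlier rule with the same service. On a first-match
    firewall they can never match, which is one reason a rule shows 0 hits."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier["svc"] == later["svc"]
                    and covers(earlier["src"], later["src"])
                    and covers(earlier["dst"], later["dst"])):
                found.append((later["name"], earlier["name"]))
                break
    return found


def review(rules):
    """One report a reviewer can attach to the periodic rule clean-up ticket."""
    return {
        "zero_hit": zero_hit_rules(rules),
        "untracked": untracked_rules(rules),
        "merge_candidates": merge_candidates(rules),
        "shadowed": shadowed_rules(rules),
    }


if __name__ == "__main__":
    for section, items in review(RULES).items():
        print(section, items)
```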



Full Lab Re-Design Ideas

I've been running a lab environment within a corporate network (tech company) for the past 6 yrs and am in the process of a redesign.

Layer 3 was given to me by corporate IT. I support about 6-8 racks with virtualized workloads, containers, bare-metal boxes, etc.

My users are primarily engineers who need to conduct experiments with the equipment with configurations changing every 1-3 months.

If you had unlimited budget...what would be your approach? I'm looking for ideas to make this as self-service and easy as possible for them (and me).



How long of a water leak sensor should I get for our network closets?

I've just been tasked with deploying water leak sensors in my company's network closets to help warn us of any impending water damage. Luckily (knock on wood), I've never had to deal with water damage like that before, so I wanted to hear some of your experiences. I think I want to get ones with sensing cables that alert you if any part touches water, but I'm wondering how long the cables should be. If you've used water sensors before, what cable length has worked well for you in the past? Where did you run the cables in relation to your network racks? Thanks!



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Visualize RFC 1918 space

Does anyone know of a tool that can generate a visual representation of private IPv4 space much like this public IP address map?

https://www.techrepublic.com/blog/data-center/visualizing-ipv4-addresses-on-the-internet/



Ntp appliance recommendations

My org has asked me to investigate some NTP appliances. We are looking for something we can place in our data center and DR center that will provide NTP services for all of our physical servers, VMs, and network gear.

We are specifically looking for an appliance and not a VM so that the device will be independent of the server team, and we are looking for a device we can get SmartNet level of support on.

Has anyone had experience with an NTP appliance they can recommend I look at? I have reached out to a few vendors but want to cast as wide a net as possible and then whittle it down.



Best tool for backing up traditional Cisco router/switch configurations?

Hey All,

I was just looking for the general consensus on the best tool or service for automatically pulling Cisco backups. In the past I've just done it manually through TFTP. I'm currently looking into Kiwi CatTools, but wanted to do some crowd sourcing as well.

Thanks all



Cisco RV220W - custom software

Does anyone know of such software? Seems like the RV220W would have been a prime candidate for such a transfusion. Yet, my search reveals nothing.



What implications has CGNAT had on your environment/customer base?

Hi All - I'm going to be implementing what will be a fairly large-scale CGNAT deployment for the ISP I work for. We're a fairly new org in the UK thus IPv4 address space acquisition is a big issue for us. One /18 goes currently for around $300k+. This cost isn't sustainable with the subscriber numbers we're planning for. CGNAT is a must. I've read significant documentation on the matter and know of the majority of risks and features implementing this will break - so IPv6 and the ability to assign our customers static IPv4 addresses are an essential prerequisite to the deployment. That said documentation can only get me so far - I would like to ask people here what deploying CGNAT broke within your network, and what the majority of complaints you received were? What did you learn from your deployments?

Also I'm sure someone will say - "just deploy IPv6" - we are as mentioned, but customers still need the ability to get to the v4 internet, thus either some 6to4 conversion needs to take place (which is still CGNAT as multiple customers will be shared behind a single v4 address) or we do the NAT444 scenario we're currently moving forward with (due to CPE hardware support, and because we would like customers to be able to use their own CPE device, there is no way for us to do MAP-T/MAP-E or Lw4o6 currently - same goes for 464XLAT which is really only used by mobile carriers).



ASA frequent connection drops

I am getting frequent reports about RDP traffic dropping for 10-20 seconds at a time. Upon inspecting port traffic on our ASA, this is what I found:

*Note: outside int is a single gigabit interface to a L3 switch

*Note: gi0/5 is a single gigabit interface trunking to a core L2 switch

*Note: Above mentioned switches show no port errors

ASA5515# sh int out det

Interface GigabitEthernet0/0 "Outside", is up, line protocol is up

Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec

Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

Input flow control is unsupported, output flow control is off

MTU 1500

1386271557 packets input, 1514697309849 bytes, 0 no buffer

Received 570510 broadcasts, 0 runts, 0 giants

52686 input errors, 0 CRC, 0 frame, 52686 overrun, 0 ignored, 0 abort

0 pause input, 0 resume input

0 L2 decode drops

603785584 packets output, 221632398587 bytes, 0 underruns

0 pause output, 0 resume output

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 input reset drops, 0 output reset drops

input queue (blocks free curr/low): hardware (492/362)

output queue (blocks free curr/low): hardware (454/203)

Traffic Statistics for "Outside":

1386196774 packets input, 1489545780829 bytes

603785584 packets output, 210319081779 bytes

20903033 packets dropped

1 minute input rate 3342 pkts/sec, 2478208 bytes/sec

1 minute output rate 3356 pkts/sec, 2252799 bytes/sec

1 minute drop rate, 5 pkts/sec

5 minute input rate 6668 pkts/sec, 7657228 bytes/sec

5 minute output rate 2866 pkts/sec, 1354408 bytes/sec

5 minute drop rate, 5 pkts/sec

Control Point Interface States:

Interface number is 3

Interface config status is active

Interface state is active

ASA5515# sh int gi0/5 | i L2 | error

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

11444613 L2 decode drops

0 output errors, 0 collisions, 0 interface resets

CPU and Memory both seem to be doing fine:

ASA5515# sh cpu

CPU utilization for 5 seconds = 9%; 1 minute: 11%; 5 minutes: 11%

ASA5515# sh memory

Free memory: 3427174896 bytes (80%)

Used memory: 867792400 bytes (20%)

------------- ------------------

Total memory: 4294967296 bytes (100%)

I'm not very familiar with some of the more advanced features of the ASA, so my current plan of action is to create an ether-channel group on the WAN interface to address the overruns. I'm not even sure what to do about the L2 decode drops; I'm going to start with an audit of our VLANs and make sure that only relevant ones are being sent over that interface.

Am I on the right track?
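An added example, not from the post: a parser for the counters quoted above that separates interface-level errors (the overruns) from packets the ASA itself dropped (the "Traffic Statistics" drop counter), since the two point at different causes. The sample text is a constructed excerpt in the shape of the output above using the post's numbers; the 1% warning threshold is an assumption.

```python
import re

# Constructed excerpt in the shape of the ASA "show interface ... detail" output quoted above.
SAMPLE = """\
Interface GigabitEthernet0/0 "Outside", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
1386271557 packets input, 1514697309849 bytes, 0 no buffer
Received 570510 broadcasts, 0 runts, 0 giants
52686 input errors, 0 CRC, 0 frame, 52686 overrun, 0 ignored, 0 abort
0 L2 decode drops
603785584 packets output, 221632398587 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
Traffic Statistics for "Outside":
1386196774 packets input, 1489545780829 bytes
603785584 packets output, 210319081779 bytes
20903033 packets dropped
1 minute input rate 3342 pkts/sec, 2478208 bytes/sec
1 minute output rate 3356 pkts/sec, 2252799 bytes/sec
1 minute drop rate, 5 pkts/sec
"""

# One regex per counter; the first capture group is the value.
FIELDS = {
    "packets_input":   r"(\d+) packets input, \d+ bytes, \d+ no buffer",
    "input_errors":    r"(\d+) input errors",
    "crc":             r"(\d+) CRC",
    "frame":           r"(\d+) frame",
    "overrun":         r"(\d+) overrun",
    "l2_decode_drops": r"(\d+) L2 decode drops",
    "output_errors":   r"(\d+) output errors",
    "asp_packets_in":  r'Traffic Statistics for "[^"]*":\s*(\d+) packets input',
    "packets_dropped": r"(\d+) packets dropped",
    "input_pps":       r"1 minute input rate (\d+) pkts/sec",
    "drop_pps":        r"1 minute drop rate, (\d+) pkts/sec",
}


def parse_show_interface(text):
    """Pull the named counters out of one interface's 'show interface detail' block."""
    counters = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if not m:
            raise ValueError("counter not found: " + key)
        counters[key] = int(m.group(1))
    return counters


def assess(c, drop_pct_warn=1.0):
    """Classify what the counters say; drop_pct_warn is an assumed review threshold."""
    overrun_share = c["overrun"] / c["input_errors"] if c["input_errors"] else 0.0
    error_pct = 100.0 * c["input_errors"] / c["packets_input"]      # NIC-level loss
    drop_pct = 100.0 * c["packets_dropped"] / c["asp_packets_in"]   # ASA policy/ASP loss
    findings = []
    if c["input_errors"] and c["crc"] == 0 and c["frame"] == 0 and overrun_share == 1.0:
        findings.append("all input errors are overruns: the NIC receive ring filled faster than "
                        "the ASA drained it (bursty or oversubscribed ingress), not a cable, "
                        "duplex or CRC problem")
    if drop_pct >= drop_pct_warn:
        findings.append("%.2f%% of packets seen by the ASA were dropped by policy/ASP, far more "
                        "than the %.4f%% lost to interface errors; attribute them with "
                        "'show asp drop'" % (drop_pct, error_pct))
    if c["l2_decode_drops"]:
        findings.append("%d L2 decode drops: frames the interface could not map at layer 2 "
                        "(commonly 802.1Q tags with no matching subinterface); audit which "
                        "VLANs the trunk carries" % c["l2_decode_drops"])
    return {"overrun_share": overrun_share, "error_pct": error_pct,
            "drop_pct": drop_pct, "findings": findings}


if __name__ == "__main__":
    for line in assess(parse_show_interface(SAMPLE))["findings"]:
        print("-", line)
```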



Why is OSPF considered a better protocol than EIGRP for larger companies?

I'm a first-year CS student looking into networking for an exam and we're going over protocols for networks. I'm struggling to understand why OSPF is better than EIGRP for companies. Granted, I'm not terribly versed in networking so I could be missing something simple here. Is it because OSPF uses SPF and that is only dependent on bandwidth? Whereas EIGRP uses DUAL? And that uses bandwidth as well as delay to calculate the composite metric?



Cisco 9500 route certain URLs down backup connection

We have an OSPF based network, but at our core we statically route some things away from our main ISP connection to another ISP. We are needing to route traffic for a group of URLs that has too many IPs to statically configure (e.g. *amazon.com) away from our main default connection to our backup connection. Most of what I was looking up pointed towards Policy Based Routing. Class map the hosts, give it a DSCP value in a policy map, apply it to an access list, and route-map it to the second line. Is this the best way to go? Can it still be used in conjunction with some of the static routing we already have to the secondary connection? Appreciate the assistance.



How much of your time at work is actually “technical”

In my current role (network engineer for an enterprise with 10k plus users) I'm starting to feel like I'm spending the majority of my time doing non-technical things such as circuit orders, talking to an ISP to make sure their MPLS circuit is activated, coordinating with remote hands for correct cabling of equipment, ordering new equipment, excel spreadsheets, meetings, and the list goes on...

I feel like I only spend about 20% of my time actually solving any issues or creating configurations. Is this normal for the rest of you guys as well? Maybe it's time for a change.



IPv6 ICMPv6 type 134 RA, what's the difference with broadcast ?

Hi guys,

I'm learning about IPv6 and I learned that when hosts need info they send an RS to the FF02::2 all-routers multicast address.

When the routers receive that, they will answer by sending the data to the FF02::1 all-nodes multicast address.

I was wondering, why does the router use the FF02::1 address and spam every host when it could use the SRC address of the host which is asking for info?

Correct me if I'm wrong but it looks like IPv4 broadcast??

Thanks :)
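The RS/RA exchange from this question, as an added example that is not part of the post: it builds a Router Solicitation to ff02::2 and a Router Advertisement to ff02::1 (or, via the `dst` parameter, unicast back to the soliciting host, which RFC 4861 also permits), and applies the checks a receiver makes before accepting an RA (hop limit 255, link-local source, checksum). Addresses, MACs and the prefix are constructed sample values.

```python
import ipaddress
import socket
import struct

ALL_ROUTERS = "ff02::2"   # destination of a Router Solicitation (ICMPv6 type 133)
ALL_NODES = "ff02::1"     # usual destination of a Router Advertisement (ICMPv6 type 134)
ND_HOP_LIMIT = 255        # RFC 4861: ND messages are only valid with IPv6 hop limit 255
ICMPV6 = 58


def icmpv6_checksum(src, dst, payload):
    """RFC 4443 checksum over the IPv6 pseudo-header plus the ICMPv6 message.
    Over a message that already carries its checksum the result is 0."""
    pseudo = (socket.inet_pton(socket.AF_INET6, src)
              + socket.inet_pton(socket.AF_INET6, dst)
              + struct.pack("!I", len(payload)) + b"\x00\x00\x00" + bytes([ICMPV6]))
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _finish(src, dst, body):
    """Insert the checksum and keep the IPv6 fields the receiver-side checks need."""
    csum = icmpv6_checksum(src, dst, body)
    return {"src": src, "dst": dst, "hop_limit": ND_HOP_LIMIT,
            "payload": body[:2] + struct.pack("!H", csum) + body[4:]}


def build_rs(host_ll, host_mac):
    """Router Solicitation: type 133, 4 reserved bytes, Source Link-Layer Address option."""
    body = struct.pack("!BBHI", 133, 0, 0, 0) + struct.pack("!BB", 1, 1) + host_mac
    return _finish(host_ll, ALL_ROUTERS, body)


def build_ra(router_ll, router_mac, prefix, plen, dst=ALL_NODES):
    """Router Advertisement: 16-byte header (cur hop limit 64, M/O flags clear, router
    lifetime 1800 s), Source Link-Layer Address option, one Prefix Information option."""
    body = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x00, 1800, 0, 0)
    body += struct.pack("!BB", 1, 1) + router_mac
    # Prefix Information: type 3, length 4 (units of 8 bytes), prefix length, L|A flags,
    # valid lifetime, preferred lifetime, reserved, then the 16-byte prefix
    body += struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 2592000, 604800, 0)
    body += socket.inet_pton(socket.AF_INET6, prefix)
    return _finish(router_ll, dst, body)


def parse_ra(payload):
    """Decode the RA header and walk its options (type, length-in-8-byte-units)."""
    typ, code, _csum, cur_hl, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    info = {"type": typ, "code": code, "cur_hop_limit": cur_hl, "managed": bool(flags & 0x80),
            "other": bool(flags & 0x40), "router_lifetime": lifetime, "prefixes": [], "src_lladdr": None}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861 4.6: discard the packet
        chunk = payload[off:off + olen * 8]
        if otype == 1 and olen == 1:
            info["src_lladdr"] = chunk[2:8].hex(":")
        elif otype == 3 and olen == 4:
            info["prefixes"].append(socket.inet_ntop(socket.AF_INET6, chunk[16:32]) + "/%d" % chunk[2])
        off += olen * 8
    return info


def validate_ra(pkt):
    """Receiver-side validity checks from RFC 4861 section 6.1.2; returns (ok, reasons)."""
    reasons = []
    if pkt["hop_limit"] != ND_HOP_LIMIT:
        reasons.append("hop limit %d != 255 (message crossed a router)" % pkt["hop_limit"])
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network("fe80::/10"):
        reasons.append("source address is not link-local")
    p = pkt["payload"]
    if len(p) < 16:
        reasons.append("message shorter than the RA header")
    elif p[0] != 134 or p[1] != 0:
        reasons.append("not a Router Advertisement with ICMP code 0")
    if icmpv6_checksum(pkt["src"], pkt["dst"], p) != 0:
        reasons.append("bad ICMPv6 checksum")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample values: a host fe80::1 soliciting, a router fe80::ff answering.
    rs = build_rs("fe80::1", bytes.fromhex("021122334455"))
    ra = build_ra("fe80::ff", bytes.fromhex("02aabbccddee"), "2001:db8:1::", 64)
    unicast_ra = build_ra("fe80::ff", bytes.fromhex("02aabbccddee"), "2001:db8:1::", 64, dst=rs["src"])
    print("RS  ->", rs["dst"], "| RA ->", ra["dst"], "| unicast RA ->", unicast_ra["dst"])
    print(parse_ra(ra["payload"]), validate_ra(ra))
```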



PSA: O365 diagnostics update

For all ye engineers out there who use Cisco Umbrella, you may get tickets this morning saying that users are experiencing cert issues for their Outlook Email.

api.diagnositcs.office.com is a CNAME of 0365diagnosticsnew.trafficmanager.net, which is a CNAME of ods-diagnostics-prod-eus.cloudapp.net. ods-diagnostics-prod-eus.cloudapp.net was a newly created domain currently being blocked by Umbrella for review. You may want to whitelist it =)

That is all. Happy Friday Eve.



Cisco Ip phones model and serial number

Hello all,

I have 350 Cisco IP phones, and I am trying to extract the model number and the serial number of each phone. Is there any way to extract them as a group, or do I have to get them phone by phone?

thank you.



VXLAN: VLAN Filter Processor Usage

Hello everyone,

I took a VXLAN Test active yesterday and the first message that I was greeted with was:

VFP-Slice-0-Linecard0/0 table utilization is currently at 98%, crossed threshold 90%

Now it's only the first of the 4 Slices, with a total usage of 35% currently, but it's still something I'm questioning whether it might be a problem in the future.

Sadly, I wasn't able to find out much about the VFP:

VLAN Filter Processor - pre-ingress Content Aware processor (the first thing in the Broadcom Ingress pipeline). It has maximum 1024 entries. FIP snooping filters for example, belong to this group.

Question is what exactly uses the VFP TCAM and whether I will need to expect scalability issues?

This Test is running on Arista Hardware, but from what I can see this applies to all Broadcom based switches.

Thanks for your help.



Wednesday, February 12, 2020

[Troubleshooting] DHCP failure/ network dropping.

Hello All, I don't know if this is the right place to post this but after reading the subreddit rules it seems to fit here.

I have listed the hardware at the bottom of the post.

I have been racking my brain for about 3 weeks now on a client site that is completely dropping its network randomly about once a week. I am starting to bald from pulling out my hair and am reaching out to this community for any shared knowledge that may assist in remedying the issue. I will attempt to give as much detail as possible.

Client calls about the network being down and having no LAN or WAN access. I am not on-site as it is a small business and I advise to reset the modem/router until I am able to arrive and diagnose the network. After a reset of the router/gateway (Comcast Business modem) and the main switch the network comes back up. I arrive on-site and pull the logs for the incident from the modem but am not seeing anything logged for the droppage. I find this odd being that the network went down so I do some tracerts, check routes, pings to check latency and throughput and everything looks great. I advise that we will need to keep an eye on it but it may have been a hiccup and we shouldn't dive too deep into the issue until we can verify that there is a persistent problem.

Fast forward 5 days and the client calls me in the AM stating when they arrived the network went down again over night and had remained down until they reset the equipment. I immediately headed to them and upon arriving found everything to be working correctly without any issues. I advised that we should reach out to Comcast and attempt to see if they have any information or logs that we were unable to see on their equipment. Comcast advised that their equipment was running fine and there were no outages/drops. Comcast also advised replacement of the switch stating that the problem was nothing to do with their router/gateway. After discussing the issue with the client we decide to install a brand new switch in hopes that it was simply intermittently hanging.

4 days later client calls again, same issue. At this point I am starting to feel that the Comcast equipment is having an issue and we are getting the run around. Upon contacting Comcast support they attempt to tell the client that their network is having issues due to having too many devices for their modem (about 22) and they would need to upgrade to a more expensive plan and new router to remedy the issue. My client was not happy with this as they understand enough to know when they are getting the run around. Instead the client decided to purchase their own Modem and router to replace the Comcast equipment in hopes of resolving the issue, which we were feeling at this point was an issue with the Comcast router/gateway. I install and activate the new modem, set up the new Router with a standard /24 and static IPs for the important stuff (AP, Server, etc).

4-5 days later at around 1:30 am the network goes down again (a Saturday/Sunday morning). Client calls on Monday to let me know the network dropped again, same story: reset equipment, everything is fine. I remote in and pull logs from a few machines and a NAS box and find the NAS has logs stating DHCP unreachable and then re-ups with an APIPA address. I decide to write a script for the client that will test the network while it is down, thinking maybe I will see where the drops are happening. Client runs the script at the next outage and it is a complete drop, as in not even able to reach the router:

Tracing route to 192.168.119.1 over a maximum of 30 hops

0 ****Desk [192.168.119.74]

1 ****Desk [192.168.119.74] reports: Destination host unreachable.

At this point we have a new Modem, Router, and Switch. I think maybe there is an intermittent power issue and we replace the surge protector with a new UPS w/battery backups. Problem persists a few days later, once again in the middle of the night.

While doing research I came across this article but it is specific to homegroups and there are none to my knowledge in the network: https://answers.microsoft.com/en-us/windows/forum/all/w10-losing-ip-connection-to-isp-drops-dhcp-and/fdb417d0-7b10-4dd3-8393-cefa46aa392c

One last bit of info: we did upgrade the majority of the machines from 7 to 10 in Dec as, like most clients, they were wanting to wait until they had to migrate before doing so.

Here is the hardware in the network:

Netgear GS108 Gigabit desktop switch

Asus RT-ARCH13 Router

Motorola MB7420 Modem

Ubiquiti LR-AC AP

I am at a loss as it is acting as if the switch is failing but I have a hard time believing that two switches were bad in the exact same manner, especially a brand new one out of the box. Has anyone here seen issues like this before and what did you find the culprit to be? This is a small business with 5-10 people working throughout the day, and I cannot find any information in any logs that helps to point to the issue.

Router logs show no droppage, Modem logs show no issues, Windows logs state DHCP unreachable on some machines but not all.

Any help or ideas would be appreciated.



Low speed transfers

Hello everyone, There is a PC in the network I manage that is experiencing lower speed than expected when transferring files to a server in another part of the network. It is 3 switches away from the server. They are gonna do a transfer test tomorrow and I'm supposed to get info from that, to see if there's a bottleneck somewhere. I'm not quite sure how I should face this test. What I did so far was create a sensor in our monitoring tool to sense the traffic for the interface of the PC. Other people are able to transfer without problems to the same server so I'm guessing the problem is on the PC side. Any recommendations on how to get info during the test, or any general recommendations? Thanks in advance!



Dual Wan Load Balancing.

I have one connection(CenturyLink) with 6Mbps down and 22ms latency, and another connection (ViaSat) with 20Mbps down and 655ms latency. What is the best way to configure load balancing on a Unifi USG?



Traffic Visualization on GUI

Hi all,

How can we get network traffic visualization on a GUI? Which products do you recommend most?

Actually, I want to visualize traffic based on VLAN in my network.



Fiber Connector Fit

I don't have a lot of experience with fiber but was under the impression that all ST connectors were the same.

I ordered a new patch cable and it won't plug into the patch panel. The bayonet looks nearly identical but it doesn't fit. Is there some spec for this that I am missing? Does it coordinate with cable type somehow?

Thanks!



Help enabling RIP between two sites and firewall

Hi, I have two sites both with HPE 8212zl J9091A switches running K.15.18.0016. Sites are linked together by a microwave and use OSPF to advertise routes to one another via the microwave link. Site A is our main site and it used to be how site B would get its internet connection over the microwave link. We recently had a connection brought into site B and now site B directly connects to the internet and the microwave link provides access to local resources such as file shares and our VoIP system.

As part of the process of adding an internet connection into site B we relocated our firewall (Smoothwall) into our ISP's datacentre and each site connects to it via an MPLS layer 2 link.

What I am trying to achieve is setting up RIP (the Smoothwall doesn't support anything other than static and RIP routes) on the three devices (the two 8212zl and the Smoothwall) so in the event (it has happened a couple of times already) that a site loses either its connection to the internet or the microwave link, RIP will be able to route our traffic through the Smoothwall or microwave link so each site remains connected to the other and the internet.

On site A 8212zl I have enabled RIP

HP Switch(config)# ip routing

HP Switch(config)# router rip

HP Switch(config)# router rip enable

I have redistributed all connected routes

HP Switch(config)# router rip

HP Switch(rip)# redistribute connected

But when I do a show ip rip I get nothing

HP Switch(config)# sh ip rip

RIP global parameters

RIP protocol : Enabled

Auto-summary : Disabled

Default Metric : 1

Distance : 120

Route changes : 0

Queries : 0

RIP interface information

IP Address Status Send mode Recv mode Metric Auth

--------------- ----------- ---------------- ---------- ----------- ----

RIP peer information

IP Address Bad routes Last update timeticks

On our Smoothwall I have enabled RIP following this document, enabled both the RIP interfaces (one MPLS interface for each site) and direct routing interfaces (one MPLS interface for each site) and have NOT set a password. When I check the logs I get the following error messages

Routing service rip1:<site B IP address> send me routing info but he is not my neighbor

Routing service rip1:<site A IP address> send me routing info but he is not my neighbor

On the site A 8212zl I do not get any peer information:

HP Switch(config)# sh ip rip peer

 RIP peer information

  IP Address      Bad routes  Last update timeticks
  --------------- ----------- ---------------------

What am I missing? The HPE document isn't super detailed (better than the Smoothwall's when it comes to routing information), but I believe I have followed it correctly. Any help would be greatly appreciated.

Thanks
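As an added illustration of the "not my neighbor" condition (this is example code, not the poster's configuration or Smoothwall's routing daemon): RFC 2453 section 3.9.2 says a RIP Response is only accepted when its source address lies on one of the receiver's directly connected networks, so an update that arrives from a site's LAN address rather than the address on the shared /30 is dropped before it is parsed. The decoder below shows the RIPv2 Response layout and applies that check; the interface addresses, routes and packets are constructed.

```python
"""RIPv2 Response decoder plus the "valid neighbor" source check.

Added example, not the poster's switch configuration or Smoothwall's routing
code. RFC 2453 section 3.9.2 requires that a Response come from a source on a
directly connected network, otherwise it is silently ignored; a "not my
neighbor" log line reports exactly that condition. Addresses and routes below
are constructed.
"""
import ipaddress
import struct

RIP_RESPONSE = 2
RIP_VERSION_2 = 2
AF_INET = 2
HEADER = struct.Struct("!BBH")          # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")     # AFI, route tag, network, mask, next hop, metric


def build_response(routes):
    """Serialise (prefix, metric) pairs into a RIPv2 Response payload.
    Only used here to construct test input."""
    payload = HEADER.pack(RIP_RESPONSE, RIP_VERSION_2, 0)
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        payload += ENTRY.pack(AF_INET, 0, net.network_address.packed,
                              net.netmask.packed, b"\x00" * 4, metric)
    return payload


def parse_response(payload):
    """Return [(prefix, metric), ...] from a RIPv2 Response.
    Raises ValueError on anything malformed instead of guessing."""
    if len(payload) < HEADER.size or (len(payload) - HEADER.size) % ENTRY.size:
        raise ValueError("bad RIP length")
    command, version, zero = HEADER.unpack_from(payload)
    if command != RIP_RESPONSE or version != RIP_VERSION_2 or zero != 0:
        raise ValueError("not a RIPv2 Response")
    routes = []
    for offset in range(HEADER.size, len(payload), ENTRY.size):
        afi, _tag, net, mask, _next_hop, metric = ENTRY.unpack_from(payload, offset)
        if afi != AF_INET:
            continue                      # ignore non-IPv4 entries
        if not 1 <= metric <= 16:         # 16 = unreachable; anything else is invalid
            raise ValueError("metric out of range")
        prefix = ipaddress.ip_network(
            (str(ipaddress.IPv4Address(net)), str(ipaddress.IPv4Address(mask))))
        routes.append((str(prefix), metric))
    return routes


def accept_update(connected, src_ip, payload):
    """Apply the neighbor check a RIP listener performs before parsing.

    `connected` lists the listener's own interface addresses (for example the
    two MPLS /30s). Returns the parsed routes when src_ip is on one of those
    subnets, otherwise None, which is the point where a "not my neighbor"
    log line would be written and the update dropped.
    """
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_interface(addr).network for addr in connected):
        return None
    return parse_response(payload)


if __name__ == "__main__":
    # Constructed: the listener has two /30s toward the sites. An update that
    # arrives from a site LAN address instead of the /30 peer is not a neighbor.
    listener = ["10.255.0.1/30", "10.255.0.5/30"]
    update = build_response([("192.168.10.0/24", 1), ("192.168.20.0/24", 2)])
    print(accept_update(listener, "10.255.0.2", update))    # routes accepted
    print(accept_update(listener, "192.168.10.1", update))  # None: not my neighbor
```

The practical consequence for the setup described above is that the source address of each RIP update, as seen by the receiver, has to be on the same subnet as the receiver's own RIP-enabled interface; an update that is routed in from further away, or sourced from another interface of the sender, fails this check even when authentication is off.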



Experience working for AWS?

I've been offered a gig with AWS as an FTE Network Development Engineer. I've heard some horror stories about work/life balance, boring repetitive work, and high turnover. The money is about 15% more than I make now, but I'm not sure it's worth the 1 hour+ commute and 60 hour work weeks.

Has anyone here worked for AWS in the past? Would I be making a mistake turning it down? I'm in my mid-thirties, so job hopping is unappealing to me.



SDWAN Lab(Viptela)

I'm in the process of creating my Viptela lab. My company does have a Smartnet account, but I was wondering if the license onboarding process for cEdge/vEdge devices would incur any costs to my company? I was planning on using the CSR1000 I got through my VIRL subscription. Any other gotchas when creating a Viptela lab? I'm using an ESXi server.



MTU Size Port vs VLAN

I'm working on a storage project with a peer that's a system admin; I don't change these settings often, so sorry for my ignorance. He's having issues with slowness, and the storage company recommends an MTU of 9216. We have HP Comware 5700 switching between the storage, and the following options are available:

Jumbo frames are on by default per port.

Layer 3 MTU size can be changed from the default MTU of 1500 up to 9008 (so 9216 is not possible then?)

Layer 2 physical port max is 10,000

Currently we have storage passing on VLAN 782 with the MTU set to 9008 for that VLAN only.

Does this setup make sense, or is there some way to do it at layer 2 to maximize the 10,000 size for the port?



TFTPD32 Server Downloads

We have been using Solarwinds TFTP to back up configs to a different server, but the installer/Server 2016 combo appears to be having permission issues and I can't even get it to install running as admin. I'm not really expecting Solarwinds to service a free program, but did open a support ticket with them just in case.

Since this is a new server I figured I'd check out TFTPD32 and tinker with that. It would appear all the download links on the official page (Bitbucket) don't work. Has anyone else run into this, or is the site just having a bad day?



2.4ghz Wifi Noise on Channel 6 with observed intermittent spikes on Channel 4

Greetings all,

I'm a bit stumped on this one, so I figured I might see if anyone else has some ideas. I've got a new Cisco 9800-80 and DNA Center with Assurance. DNA is reporting that a number of our new APs are showing High Noise on 2.4 GHz. When we look, virtually every one of these APs with High Noise is on Channel 6. These are spread out across three buildings with at least a few hundred yards between each of them. As I understand the terminology, Noise is going to be from a non-WiFi interferer.

We broke out our Ekahau Sidekick and observed a large intermittent spike, but only on Channel 4 (actually, it shows on the graph slightly before the Channel 4 mark). This spike has been observed at each location, so, on a hunch, I had my team go outside away from a building. The spike can still be observed at basically the same power levels at each of the outdoor locations they tried. The spike gets up to -50 dBm or -45 dBm. If I look at the waterfall view, this spike causes a red dot on this channel in a noticeable series.

I'm not sure if this would be triggering the notice in DNA or not but it's the only thing I've found so far in the range of channels the wireless is using for 6.

Anyone encounter anything like this before and figure out what it was and maybe how to fix it? I'd love to shut off 2.4ghz but we're not there yet... in a BYOD environment with residence halls, there are simply too many devices that still require it.

Thanks in advance!



Connecting the office network to the VMware server network.

Hello,

I have a 4-node vSAN ReadyNode cluster connected to dual Juniper QFX5100s in a virtual chassis (VC). The rack right beside that has dual Juniper EX3400s in a VC for the office network. Currently they are connected via a trunk with dual 1Gig ports in a LACP LAG.

Would there be any benefit, besides avoiding STP, to change from a trunk to a L3 routed interface?

Should I be increasing from two to four ports in the LAG so that each switch in the server VC has a connection to each switch in the office VC? We're not close to maxing out the current link, unless backups start running in the evening.

For anyone else using QFXs, have you had to tweak the CoS buffer pools for optimal performance?

Any other suggestions/tips are appreciated.

Thanks



Cisco SG550XG 100% CPU utilization

Hi, I noticed this afternoon that my Cisco SG550XG switch's CPU is running at 100%. This switch has been in use for 2 years and I have not seen this behavior before. No topology or config changes for months. Does anyone know if it's possible to pinpoint which process is responsible for the high CPU utilization? I cannot find any commands that return process information (as was possible on other / older Cisco switch models). Any ideas would be appreciated!

CPU utilization
---------------
five seconds: 100%; one minute: 100%; five minutes: 100%



Creating new 10 gig network

I am looking to implement a 10 gig setup. Currently everything is running on 1 Gb. It MUST have five 9's uptime. So I am looking to implement the 10 Gb in conjunction with the current 1 Gb and eventually switch everything over to the new SAN and network.

I have a VMware 6.7 3-host cluster, just focusing on one host right now: 4 iSCSI networks, 1 mgmt network and 1 vMotion network. Purchased a 2-port 10 Gb card for the host, a 24-port Dell 10 Gb switch and a Dell V3020 SAN with 10 Gb ports as well.

Primary question (and please let me know if this is in fact NOT the primary question): can I run 6 networks (4 iSCSI, vMotion, and mgmt) through VLANs and trunking on the Dell switch to 2 physical NICs on my host?

Basically, can I, through layer 3 routing, run 6 networks, iSCSI and LAN traffic, across 2 physical NICs on my host? From what I am told, it can be done on the switch side, but can it be done on the host side using 6.7 VMkernel adapters? Can I run multiple VMkernel adapters on the same physical NICs?

I think I will need separate physical NICs for each network I am running; I also feel that is best practice.

Thoughts everyone?



Tutorial: Cisco/Juniper syntax highlight via SSH

Hello,

I found a quite easy way to get Cisco, Juniper and more or less any vendor syntax highlighting while working via SSH on a node. Example below with show run on a Cisco router:

http://image.noelshack.com/fichiers/2020/07/3/1581517429-screenshot-2020-02-12-at-15-21-52.png

This works by running a terminal inside Neovim. For Neovim, your terminal is a file, so Neovim can apply file syntax highlighting. I know this sounds tricky, but it works super well, and you can use it in your favorite terminal emulator for any language supported by Neovim (I tested with Junos and IOS).

Installation:

  1. Install Neovim. This did not work with regular Vim in my tests.
  2. Install a plugin manager for Neovim, such as vim-plug: https://github.com/junegunn/vim-plug.
  3. Create the file ~/.config/nvim/init.vim with the following content: https://pastebin.com/BQcq9P2P

You're all set. Now you just need to SSH to a device following these steps.

  1. In a terminal, start Neovim: nvim
  2. Create a shell inside Neovim with the command :term
  3. You are now in a terminal inside a Neovim buffer. You can use i and Esc to switch between terminal mode (where you can type as in a normal terminal) and normal mode (used to run Neovim commands). From here, SSH to a router/switch/...
  4. Use the command :set ft=cisco to activate syntax highlighting. Replace cisco with junos for Juniper nodes.


Cisco Voice Router Licensing

We currently have a 2921 with a UCK9 installed. As the router is getting a bit old we are looking for a replacement but are not sure about the license.

Can we use any ISR 4300 series or 1100 series as a voice router and purchase the matching license? Or can the old license be transferred?



Networking noob - entry level question

Hey there guys. So I'm familiar with DNS and networking protocols.

But when jobs say they want someone familiar with HTTPS/SSL/DNS, what exactly does that mean? For entry level help desk type jobs, what exactly would you be doing or tinkering with that necessitates interacting with the aforementioned?

I know if you're a full-on Network Engineer you'd be doing a lot of that, but for an entry level role? Do you interact with the CLI or 10.10.10.10 or Router login? I don't know.

Please give examples, thanks.



Versa Networks anyone?

I'm playing around with Versa SD-WAN on my lab, anyone in this process to 'compare notes' ?



Why is "isbn" considered a URN while http and sftp not?

I know http and sftp are protocols. But ISBN is also an ID system for books. In the context of the web, I see both of them as "namespaces", a.k.a. URNs. I understood a URN as a "namespace" you give to URLs to preserve uniqueness. Like how Android, Angular and Thymeleaf all declare their own namespace on top of their respective XML layout files so you can do stuff like:

<p th:value="hello"></p>

Without fearing a naming collision with 3rd party software that may also name its elements in the same manner. So in that case, why isn't http also considered a namespace? I see it as a namespace.

EDIT: I gave it a little thought and I now start to doubt my idea of http being a URN/namespace since SSH and HTTP connections to the same locator URL offer two completely different results, so maybe protocols could be thought of as "connection meta data" not related to the locator. But if that is the case, which part of the common structure of http://www.example.com is the urn? ISBN is always given as an example but maybe 1% of us deal with ISBN enough for it to be a reference.



ZTE zImage File Download

Does anyone know where I can get a copy of the zImage file for ZTE ZXR10 2918E?



Layer 2 Router?

So fairly sure that what I'm after is not called a layer two router.

What I need is a device that bridges three network interfaces but using layer three (IP) packet inspection of the frames to forward frames out a specific interface.

Because the ports are bridged it should be invisible to the devices connected. I imagine it would have to do some kind of MAC address masquerading.

I'm wanting to bridge two of the interfaces with the frames sent out the third interface only if the packet inside the frame is addressed to a particular group of IPs.

At the moment I'm looking at something like the Routerboard RBM33G but it's not clear to me whether RouterOS supports what I'm wanting to do. Otherwise maybe an embedded PC running Linux can do what I want. I'm comfortable configuring Netfilter but if this would require any kind of kernel hacking then I'm not interested...



Tuesday, February 11, 2020

How to?

Can someone tell me how to do this type of connection?

https://imgur.com/gallery/zDx8pkL

The scenario is: if the user connects to www.site-A.com via URL in the browser, then clicks the transaction tab, it will redirect to www.site-B.com.

So my question is, how can I do this?

I tried to whitelist the public IP of www.site-A.com on the firewall on the other side and vice versa. But telnet to port 80 can't pass, even though port 80 is enabled on the server?

Firewalls on the servers are disabled, and the public IPs of the URLs are both whitelisted on both sides.

Do I also need to whitelist the public IP of the server itself?

Kindly suggest, thank you.



ASR-1000x 10Gbe dual ISP redundancy config help

I am trying to prove a different configuration for my edge infrastructure for the company I work for.

We have 2 ISPs that can offer up to 10 GbE each.

Currently, we have 4 ASR-1000x, which only allow 3 10 GbE interfaces in a redundant configuration.

I believe we have them in a complex configuration and would like to optimize the 10 GbE ports but still have redundancy. Also, it seems that traffic favors one ISP over the other due to the cost that is advertised down the route.

I also have Nexus 5Ks in between them too, to create more complexity. Any suggestions would be much appreciated.

I have no certs, so forgive my ignorance.



DIA fiber circuit question

When an ISP offers Dedicated Internet Access over fiber does that mean the customer receives one long dedicated fiber optic cable from a switch at the ISPs office? Hoping anyone who works for or has worked for an ISP can comment.



Being Pulled in Too Many Directions?(Expert Certs)

Anyone feel this way? Nowadays I'm not sure what to focus on anymore. I currently have my CCNP, am wrapping up my AWS SA, and am also doing a couple of SD-WAN projects at work. What I'm not sure about is what to focus on next career-wise. I feel like the networking field has been given so many different technologies that it's become hard for network engineers to pick a career path or even a certification track to progress on after building a solid foundation. I was contemplating going down the CCIE path, but then I'd be too focused on that and wouldn't be able to learn other things my job might require (cloud, SDN, security, automation). Are expert level certifications not the way to go anymore in terms of deep learning and progressing to expert level roles?



Cisco SDWan DIA

Hi, does anyone here already have experience deploying Cisco's Viptela SD-WAN with DIA? I.e., when a branch loses internet connectivity, it will route through the MPLS and exit at the DC for internet traffic. I cannot seem to make it work using their document.

Link: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-dia-deploy-2019nov.pdf

Setup: 7 branches, 2 transports (biz and MPLS)



Why Computers need routing tables??

If your computer is on a LAN why would it need to maintain a routing table? (I'm thinking the print route command in cmd prompt)

It's going to send all traffic with a remote destination to its default-gateway correct?

I can't wrap my head around this one, anyone help?
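One way to see what the table is for, as an added example (not from the post, and the table below is constructed to look like a typical `route print` listing rather than copied from any host): a host does a longest-prefix match for every packet, and the result decides whether it ARPs for the destination itself (on-link entries: the connected LAN, loopback, broadcast, multicast) or for a router. The default route is only the least specific entry; a second, more specific route via another router on the same LAN is what the table is there to express.

```python
"""Longest-prefix match over a LAN host's routing table.

Added example, not from the original post. The table is constructed in the
shape `route print` shows on a Windows host: a connected subnet, loopback,
broadcast/multicast entries, a default route, and one extra route via a
second router on the same LAN. Lookups show why the host consults the table
rather than sending everything to the default gateway.
"""
import ipaddress

# (destination prefix, gateway, interface address, metric); "on-link" means
# deliver directly (ARP for the destination) instead of via a router.
HOST_TABLE = [
    ("0.0.0.0/0",          "192.168.1.1",   "192.168.1.50", 25),   # default gateway
    ("10.0.0.0/8",         "192.168.1.254", "192.168.1.50", 26),   # second router on the LAN (constructed)
    ("127.0.0.0/8",        "on-link",       "127.0.0.1",    331),
    ("192.168.1.0/24",     "on-link",       "192.168.1.50", 281),  # the connected LAN
    ("192.168.1.255/32",   "on-link",       "192.168.1.50", 281),
    ("224.0.0.0/4",        "on-link",       "192.168.1.50", 281),
    ("255.255.255.255/32", "on-link",       "192.168.1.50", 281),
]


def lookup(table, destination):
    """Return (prefix, gateway, interface) for the most specific matching route.

    Ties on prefix length are broken by the lower metric. Returns None when no
    route matches, which can only happen if the table has no default route.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, gateway, iface, metric in table:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        rank = (net.prefixlen, -metric)      # longer prefix first, then lower metric
        if best is None or rank > best[0]:
            best = (rank, (prefix, gateway, iface))
    return best[1] if best else None


def next_hop(table, destination):
    """Address the host will ARP for: the destination itself for on-link
    routes, otherwise the gateway of the selected route."""
    route = lookup(table, destination)
    if route is None:
        return None
    _prefix, gateway, _iface = route
    return destination if gateway == "on-link" else gateway


if __name__ == "__main__":
    for target in ("192.168.1.20", "10.3.4.5", "8.8.8.8", "127.0.0.1"):
        print(target, "->", lookup(HOST_TABLE, target),
              "| ARP for", next_hop(HOST_TABLE, target))
```

With the constructed table, 192.168.1.20 is delivered directly, 10.3.4.5 goes to 192.168.1.254 rather than the default gateway, and 8.8.8.8 falls through to 192.168.1.1; without the table the host could not tell the first two cases apart from the third.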



Infrastructure Upgrade Question

I need some help. I'm working on upgrading my small business's network (adding jacks during a renovation) and am beyond my scope. I've become my company's de facto IT manager because I know more than my coworkers do about computers, but I know next to nothing about network infrastructure.

Is there a way for me to successfully route connectivity from a 24-port switch to two 24-port patch panels? We are moving to about 35 connections, and all but 5 need to run through the switch, from what I have gathered. Do I need to get another switch along with the patch panel?

I know this doesn't fit in with professional questions here, I'm just trying to handle this project the best I can without bringing in a contractor. Any help is very appreciated!



HELP, how to connect automatically to a Mikrotik router without typing username and password every time???

I am trying to connect to a Mikrotik WiFi router without typing my username and password each time I connect. Is there any software or useful tips???? I am really bored of typing my username and password every single time to connect.

I have drawn a diagram that describes the problem; you can check it out here (Imgur link): https://i.imgur.com/WxUc6Pc.png



Who's running Stealthwatch ETA on their Cat 9k switches?

Getting started on a Stealthwatch deployment. Only about 50 switches. One flow collector.

IOS XE 16.9.2+ is recommended on Cat 9300 for ETA. I have all of my 9300s currently running 16.6.6. Wondering if I really need/should upgrade to 16.9.4 or 16.9.5 for ETA? I have it configured on one of our 9300s and it's fine so far on 16.6.6, but I'm early in the process, so I don't really know yet what I might be missing or if I'm going to run into undocumented bugs.

Following the ETA deployment guide, the plan is to configure ETA on the access ports so that we capture all flows for those devices, not just the inter-VLAN traffic.

I'll throw this TAC's way as well but I like to get perspective from fellow customers.

We use ISE 2.4 for dot1x/mab so it's critical that the version of IOS XE at the access layer works well with ISE.

From what I'm reading, Smart Licensing is REQUIRED for 16.9.x on Cat 9300?



Datastream distribution from networking noob

I've been given a task: to read a data stream into a VM used as a proxy, which will then be used to distribute the stream to 5 other VMs.

How can this be done? Are there tools for this?

I've been looking at Apache Flink just because it seems to be a data processing engine, but I may not even need to use it.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



DoD IP addresses on Telstra cellular interfaces

Hi all,

I have a bunch of cellular devices with "internet access SIMs" on the Telstra network in Australia. These usually get IPv4 private addresses in a 10.x range and are NATted via a 1.144.x address to the internet, which is as expected.

My not-so-much-of-an issue is that some of these devices are getting allocated a 22.x IP, which is still NATted as expected, but the whois of these IPs is the DoD...

It is not service affecting, as they are IoT devices running a specialised application to an AWS server, but it does seem odd.

Obviously, if you are NATting then you can use whatever you like as long as the internet is accessible, but it seems like really bad practice when I would normally expect an RFC1918 or an RFC6598 address.

Does this seem "right" to you all, or have APNIC and ARIN just not updated a transfer of ownership, or did I miss a reallocation of a range into a special use range?



Fiber cleaning/testing tools.

Hello everyone,

I was wondering if there is a top 5 list of fiber cleaning/testing tools that every enterprise should have.

Last time I was engaged with a "cleaning/testing tool" like that, I was told that the equipment was worth thousands because of how specialized it was.

I am sure there are cheaper solutions, but do you have brands/models to suggest?



Access-List: Permitting Services to a Host while denying the same services to all and permitting all

Hi all,

I was just checking if this is possible.

I need to permit services to a host behind my router from specific hosts (e.g. 22 and 80), while denying the same services to that host from anyone on the internet, but also permitting other traffic. Is this a possibility, e.g.:

ACLs:

1. Allow web access to 192.168.1.2 from only the 10.10.0.0/24 network
2. Allow SSH access to 192.168.1.2 from only the 10.10.0.0/24 network
3. Deny all web access apart from the above to 192.168.1.2
4. Deny all SSH access apart from the above to 192.168.1.2
5. Permit all traffic
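The five rules as listed, run through a first-match evaluator, as an added example (this is illustration code, not any router's ACL engine or the poster's configuration; the addresses are the ones in the post, the sample flows are constructed). It shows why the order works: the narrow permits for 10.10.0.0/24 sit above the broad denies, and the permit-all at the bottom only sees traffic the denies did not catch. The `shadowed` helper flags rules that can never match, which is what happens if the permit-all is moved to the top.

```python
"""First-match ACL evaluator for the five-rule policy sketched in the post.

Added example, not from the post or any vendor's ACL implementation. It shows
how first-match ordering lets the narrow permits and the broad denies coexist
with a final permit-all, and what breaks when the order is disturbed.
Addresses are those in the post; the traffic samples are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", or "ip" (ip matches any protocol)
    src: str                      # source prefix in CIDR
    dst: str                      # destination prefix in CIDR
    dport: Optional[int] = None   # None = any destination port


# The post's rules 1-5, in order.
ACL: List[Rule] = [
    Rule("permit", "tcp", "10.10.0.0/24", "192.168.1.2/32", 80),   # 1. web from the trusted net
    Rule("permit", "tcp", "10.10.0.0/24", "192.168.1.2/32", 22),   # 2. ssh from the trusted net
    Rule("deny",   "tcp", "0.0.0.0/0",    "192.168.1.2/32", 80),   # 3. web from anywhere else
    Rule("deny",   "tcp", "0.0.0.0/0",    "192.168.1.2/32", 22),   # 4. ssh from anywhere else
    Rule("permit", "ip",  "0.0.0.0/0",    "0.0.0.0/0"),            # 5. everything else
]


def evaluate(acl, proto, src, dst, dport=None) -> Tuple[str, int]:
    """Return (action, rule_number) of the first matching rule.

    Rule numbers are 1-based; ("deny", 0) is the implicit deny at the end
    that every router ACL carries.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, rule in enumerate(acl, start=1):
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if s not in ipaddress.ip_network(rule.src):
            continue
        if d not in ipaddress.ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, number
    return "deny", 0


def shadowed(acl) -> List[int]:
    """Rule numbers that can never match because an earlier rule with the same
    protocol/port scope already covers their whole source and destination."""
    out = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            same_scope = (earlier.proto in ("ip", later.proto)
                          and earlier.dport in (None, later.dport))
            covers = (ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                      and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst)))
            if same_scope and covers:
                out.append(i + 1)
                break
    return out


if __name__ == "__main__":
    for flow in [("tcp", "10.10.0.7", "192.168.1.2", 80),      # constructed flows
                 ("tcp", "203.0.113.9", "192.168.1.2", 22),
                 ("tcp", "203.0.113.9", "192.168.1.2", 443)]:
        print(flow, "->", evaluate(ACL, *flow))
    print("shadowed rules if permit-all is moved first:", shadowed([ACL[4]] + ACL[:4]))
```

Two things the evaluator makes visible: rule 5 also admits non-TCP traffic to 192.168.1.2 (UDP/80, for instance), so the denies are only as wide as the protocol and port they name; and without rule 5 everything that is not explicitly permitted hits the implicit deny.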



Alternative to Dynamic Access Policy (DAP) on Cisco FTD

We are in a testing phase with Cisco FTD. Currently we have FP9300's but run traditional ASA managed via CLI, and ASDM. For one of our VPN contexts (used for vendors) we use DAPs to control user access to certain servers. I know DAPs are not currently a feature for remote access on FTD. Has anyone successfully replaced DAPs with an alternative access policy method on FTD?



Secure segmentation in VMWare.

My networking group is working with our applications group about virtualizing one of our enterprise systems. This system has a lot of sensitive information on it. My infosec team is not keen on virtualizing the host and the secure network it sits on into our virtual infrastructure, for fear of crossing a host/guest OS boundary or the virtual VLAN switching boundaries. Has anyone had any experience with something similar? Is this in fact a threat to our infrastructure? Ask questions if there is anything I need to clear up. Thanks



Anyone else having intermittent 802.1x issues with windows 10 clients?

I've been losing years off my life over this mess. We're a full NAC(purple) shop, all edge ports have multiauth enabled. The authentication hierarchy is 802.1x->MAC auth->unregistered black hole. Not unlike a precocious child, these end systems all over the place will intermittently lose their 1x sessions and drop the network access until the interface is reset. I'm 100% certain this behavior is on the client end, but I'll be damned if I can find exactly what's causing it.

Typical setup is a voip phone(Cisco) with a PC daisy chained to it, however this behavior persists on direct connections too. Basically, it breaks down like this:

Two sessions become established when a PC is logged into: a 1x session which takes priority, but it also establishes a MAC session tied to the NIC, which gets thrown into the unregistered hellban. Multi-auth has to be on because of the phones, so a full setup will show a 1x session to the PC, a MAC session to the phone with voice policy, and a MAC session to the PC unregistered. This behavior with the sessions is typical and hasn't caused any problems before. All that being said, all endpoints have been pushed to Windows 10, along with around a thousand PCs replaced with newer hardware along with the OS upgrade.

At seemingly random intervals the 1x auth session is dropping, which reverts the port back to unregistered and kills the PC's network traffic until the client interface has a state change. I can see it clearly in the logs that the heartbeat between the NAC and client eventually fails from the client side. In simpler terms, the NAC asks the PC "are you still there" at a steady interval, but for reasons I cannot seem to figure out, the PC will stop answering. As designed, the NAC drops that 1x session after the PC stops answering. The PCs don't seem to want to re-authenticate after this happens, and it sits in purgatory until the NIC changes state.

I've done packet captures from the PC port, the uplink port on the switch and the interface from the NAC, and can prove that this isn't any kind of network failure. I can't figure out for the life of me why these PCs stop answering NAC challenges. GTAC swears it is either OS power management configuration or drivers that need to be updated. I'm pushing the driver angle hard since most of what I have seen have drivers from Microsoft and not Intel. Manually installing drivers straight from Intel seems to lower the occurrence but not fully cure the problem.

Any ideas?



Wireshark Malicious Activity Analysis

I was given a pcapng as a task and this clue:

You should find the outer IP address of the attacker by investigating malicious activity.

This challenge will require you to think out of the box, good luck.

So the pcapng has 212k packets of all sorts, and we need to find an anomaly.

The key to reaching that IP is from that anomaly. A port scan was seen by TCP RST and ACK on several ports.

But it's a dead end.

Any suggestions/tools on how we can find the anomaly?

P.S.

There are 26k packets of SMB2 that contain info if that matters.
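The RST/ACK signal mentioned above, turned into detection logic as an added example (not the solution to the challenge, and not from the post): a SYN to a closed port draws a RST/ACK from the target, so a burst of RST/ACKs from one target back to one peer, each carrying a different source port, is the closed-port scan signature. The packet records are constructed; on a real capture the same function runs over (timestamp, src, sport, dst, dport, flags) tuples exported with tshark.

```python
"""Flag TCP port scans from a packet list using the RST/ACK signal.

Added example; it is not the challenge's solution and the packets are
constructed. A SYN to a closed port draws a RST/ACK from the target, so many
RST/ACKs from one target to one peer, each from a different source port,
inside a short window is the scan signature. On a real capture feed the same
function (ts, src, sport, dst, dport, flags) tuples exported from tshark.
"""
from collections import Counter, defaultdict

# Constructed packet records: (ts, src, sport, dst, dport, flags)
SAMPLE = []
_t = 1000.0
for _port in range(1, 21):                                  # one host probes 20 ports
    SAMPLE.append((_t, "198.51.100.23", 40000 + _port, "192.0.2.10", _port, "S"))
    SAMPLE.append((_t + 0.01, "192.0.2.10", _port, "198.51.100.23", 40000 + _port, "RA"))
    _t += 0.05
SAMPLE += [                                                 # benign background traffic
    (1100.0, "192.0.2.77", 51000, "192.0.2.10", 445, "S"),
    (1100.1, "192.0.2.10", 445, "192.0.2.77", 51000, "SA"),   # open port, normal handshake
    (1200.0, "192.0.2.78", 51001, "192.0.2.10", 8080, "S"),
    (1200.1, "192.0.2.10", 8080, "192.0.2.78", 51001, "RA"),  # one stray closed-port hit
    (1300.0, "192.0.2.78", 51002, "192.0.2.10", 8081, "S"),
    (1300.1, "192.0.2.10", 8081, "192.0.2.78", 51002, "RA"),  # another, 100 s later
]


def detect_port_scans(packets, min_ports=10, window=60.0):
    """Return [(prober, target, distinct_closed_ports_in_window), ...].

    Groups RST/ACK packets by (their dst = the probing host, their src = the
    probed host) and slides a time window over them, counting distinct source
    ports, i.e. distinct probed ports. A pair is reported when the peak count
    inside any window reaches min_ports.
    """
    replies = defaultdict(list)
    for ts, src, sport, dst, _dport, flags in packets:
        if flags == "RA":
            replies[(dst, src)].append((ts, sport))

    findings = []
    for (prober, target), hits in replies.items():
        hits.sort()
        in_window = Counter()
        lo = 0
        peak = 0
        for ts, port in hits:
            in_window[port] += 1
            while ts - hits[lo][0] > window:        # expire hits older than the window
                old_port = hits[lo][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            findings.append((prober, target, peak))
    return sorted(findings, key=lambda f: -f[2])


if __name__ == "__main__":
    for prober, target, ports in detect_port_scans(SAMPLE):
        print(f"{prober} drew RST/ACK from {ports} distinct ports on {target} within 60 s")
```

The threshold and window are the tuning knobs: the two stray RST/ACKs to 192.0.2.78 are 100 s apart, so they never reach two distinct ports inside a 60 s window and are not reported, while the 20-port burst is. Open ports answer with SYN/ACK instead, so a scan that mostly hits open services needs the complementary count of SYN/ACK replies, which is the same loop with `flags == "SA"`.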



My ccnp r&s exp.

I failed ROUTE twice. The second try I had to restart the exam 3 times as the OSPF lab had a shitty bug. Took me 3 times 10 minutes just waiting for the exam to be restarted. Was nice to fall out of concentration every time.

SWITCH failed once. I just finished the lab after about 30 minutes. Was on verify, then the whole exam crashed. The guy tried to repair it. But no chance. I was at 1h 7 minutes left. I could restart where it crashed BUT at 1h 7 minutes. And had to go again for the whole lab.

I now have gotten Pearson VUE's phone number. How big will my chances be to get a free retake on this exam?



Cisco netacad "Account Under Compliance Review"

Has anyone run into this problem trying to log in to Packet Tracer or the netacad page? I tried contacting their support email and Facebook support, but they won't respond.



Constant packet loss

Recently I've been getting packet loss for 5 seconds every 2-3 minutes, sometimes a lot in a day. I play Rocket League competitively and this packet loss really bothers me, so I tested some more today, and I don't know if I'm sending the screenshots right, but here: (https://imgur.com/a/QudyIrL) this screenshot was a few days ago; now the PL is more frequent. Would appreciate the help a lot.



Netmiko multithreading - no output but commands running.

It's a weird one. I know the commands run because I see them (and their correct output) in the debug log.

The session just never ends and I don't get any output (outside the first date/time) in my window or my output file. The output file creates successfully.

It's like it's hanging or waiting for something once it's run all its commands.

Script below:

https://pastebin.com/aReCJTei



"Cisco" SG300 and RADIUS do not want to cooperate

dear /r/networking,

I am trying to set up RADIUS authentication on a Cisco SG300 switch with Windows 2012 NPS. I've checked (also using packet capture) that NPS is sending Access-Accept with the vendor-specific attribute set to shell:priv-lvl:15, but when I try connecting via SSH or HTTP I can't log in and I get %AAA-W-REJECT entries in the switch logs.

Any ideas?

The relevant configuration is pretty basic:

encrypted radius-server key <encrypted>
radius-server host <nps ip addr> priority 1
ip http authentication aaa login-authentication http radius local
aaa authentication login authorization SSH radius local
aaa authentication enable authorization SSH radius enable
line ssh
login authentication SSH
enable authentication SSH


Can you tell a Cisco device type just by its serial number?

I am trying to determine the device type (router, switch, AP) from its serial number (I am going to receive a large number of serial numbers in order to do zero touch provisioning). The thing is, I would like to do data validation before provisioning them (for example, check that the serial number of the router is actually a router serial number).

I've found this explanation of Cisco serial numbers:

To decipher the serial number, here's how it is composed.
Cisco S/N format is LLLYYWWXXXX.
LLL = Location code (i.e. FOC = FoxConn China)
YY = Year code (08 = 2004...09=2005...etc...)
WW = Week code (weeks 01 to 52)
XXXX = Base-34 Alpha Numeric Unique identifier (Includes 0 to 9 & entire alphabet except I & O).

I thought the first three letters would be a good indication of the device, but seeing that it's just the location where the device was manufactured, I am having doubts that it will work. Does anyone know if, for example, FOCYYWWXXXX will always be a switch, or can it also be a router?
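Validation of the intake list can still be done on the structure the quoted format describes, as an added example (not from the post and not Cisco's own decoder): it checks the LLLYYWWXXXX shape, the week range and the base-34 alphabet without I or O, and decodes the year using the "08 = 2004" relation quoted above, which works out to 1996 + YY (an assumption drawn from that one data point). Since the format carries no model or role field, the role check is an inventory lookup against a serial-to-PID list that is assumed to come from your own order records; the inventory and serials below are constructed.

```python
"""Structural validation of Cisco-style serial numbers for a ZTP intake list.

Added example, not from the post or from Cisco. It implements the format
quoted in the post (LLLYYWWXXXX, base-34 identifier without I or O) and the
year mapping implied by its "08 = 2004" note (year = 1996 + YY, an
assumption). Because that format carries no model or role field, the role
check is an inventory lookup against a serial-to-PID list you already hold
(assumed to come from order records); the sample inventory and serials are
constructed.
"""
import re

SERIAL_RE = re.compile(
    r"^(?P<loc>[A-Z]{3})(?P<yy>\d{2})(?P<ww>\d{2})(?P<uid>[0-9A-HJ-NP-Z]{4})$")
LOCATIONS = {"FOC": "Foxconn, China"}     # the one code the post names; extend as needed
YEAR_BASE = 1996                          # derived from the post's "08 = 2004"


def parse_serial(serial):
    """Return the decoded fields, or None if the string is not well formed."""
    m = SERIAL_RE.match(serial.strip().upper())
    if not m:
        return None
    week = int(m["ww"])
    if not 1 <= week <= 52:               # the quoted format allows weeks 01 to 52
        return None
    return {
        "location": m["loc"],
        "site": LOCATIONS.get(m["loc"], "unknown"),
        "year": YEAR_BASE + int(m["yy"]),
        "week": week,
        "uid": m["uid"],
    }


def validate_batch(serials, inventory, expected_role):
    """Split an intake list into (ok, rejected) before provisioning.

    inventory maps serial -> (product id, role), e.g.
    {"FOC...": ("C9300-24T", "switch")}. A serial is accepted only if it is
    well formed, known, and its inventory role matches expected_role.
    """
    ok, rejected = [], []
    for raw in serials:
        serial = raw.strip().upper()
        if parse_serial(serial) is None:
            rejected.append((raw, "malformed"))
            continue
        entry = inventory.get(serial)
        if entry is None:
            rejected.append((raw, "not in inventory"))
        elif entry[1] != expected_role:
            rejected.append((raw, f"expected {expected_role}, inventory says {entry[1]}"))
        else:
            ok.append(serial)
    return ok, rejected


if __name__ == "__main__":
    inventory = {                                        # constructed
        "FOC1234A7BC": ("ISR4331/K9", "router"),
        "FOC1234A7BD": ("C9300-24T", "switch"),
    }
    batch = ["FOC1234A7BC", "foc1234a7bd", "FOC1234A7IC", "FOC1253A7BC", "FOC1234ZZZZ"]
    print(parse_serial("FOC1234A7BC"))
    print(validate_batch(batch, inventory, "router"))
```

The structural check catches typos and transcription errors (an I where a 1 was meant, a week of 53) before anything is provisioned; the role check is what actually answers the router-versus-switch question, and it has to come from a source that knows what was ordered, not from the serial itself.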



Site to site VPN to Azure

We have set up a site-to-site VPN connection to Azure using our Cisco ASA. For now we only have one static route to redirect the traffic for the Azure VLAN to the VTI interface.

That means that, as it is, only the ASA VPN clients know how to reach the VMs in Azure.

Since we have a DMVPN network set to advertise networks with EIGRP, I am thinking of adding the Azure network to EIGRP. The ASA is already advertising the VPN client subnets to the same EIGRP AS as the DMVPN routers, so as a test I have configured an interface on the ASA on the Azure subnet and added our Azure subnet to the EIGRP config of the ASA. The network starts to advertise, but no route shows up.

The subnet shows up if I run: show ip eigrp topology

But show eigrp route doesn't show the subnet.

Is that because I already have a static route on the ASA (it sets the gateway for the Azure subnet to the VTI interface)?

If I remove the static route, how can I make EIGRP route all Azure traffic to the VTI interface?



need vlan mapping

Hi all, I need a device to perform a one-to-one mapping to translate VLANs coming from a WLC that retrieves overlapping VLAN information from an authentication server.
Unfortunately, none of the switch models I have implement this feature.
In your experience, would you advise a specific device for this need, either a switch or a Linux/Unix machine?

Thank you!



Monday, February 10, 2020

Cisco Catalyst 9000 Series pre-configuration from factory

Had a Google search and there is nothing. Why would Cisco fill the 9000 series full of config like the below?

!
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
  description Inter FED, EWLC control, EWLC data
class-map match-any system-cpp-police-sys-data
  description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
  description L2 LVX control packets
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
  description High Rate Applications
class-map match-any system-cpp-police-multicast
  description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
  description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
  description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
  description DHCP snooping
class-map match-any system-cpp-police-system-critical
  description System Critical and Gold Pkt
!
policy-map system-cpp-policy

And a VRF for good measure:

vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!