Saturday, February 29, 2020

Learning Networking

Hey guys, I’m a recent grad and I’m really trying to learn networking. I have a basic grasp of networking (OSI model, some protocols etc.) but I’m wanting to start fresh and learn everything. If you guys could recommend any free (or relatively cheap) resources, that’d be greatly appreciated.

Thanks.



(cisco) VPN tunnel to a loopback address already behind an encrypted tunnel

hi everyone, hoping someone has come up against this before and can give some advice as i haven't been able to find exactly the answer from searching.

i've got a cisco 880 series (the cpe) doing a tunnel to a hub (using ipsec+gre). the cpe then bgp peers to the hub, and advertises a /32 publicly reachable address, and thus has direct internet access via this method (underlying network is CGNAT'd) from a bgp originated default route. this works great, as basically a cheapo sdwan type setup (cpe gets a publicly reachable address whilst behind CGNAT'd networks, and can be made easily redundant with an extra tunnel or 2 via other networks like a 4g connection, dsl, etc..).

my question is... should it be possible to then run up an l2tp w/ipsec server on the cpe, via the /32 loopback address? i know typically you'd put a crypto map onto the interface directly facing the internet to watch for traffic - but in this case, the physical interface is behind CGNAT and would only see encrypted traffic coming in anyway.

is this even possible? can you put a crypto map on a tunnel interface, or even the loopback? i know there's a lot of overheads in this design, but that's not an issue

surely someone has done this before?



Attaching single Ethernet port device to two switches for resiliency

Hi,
I have an environment where I have a bunch of devices such as Avtec Outpost appliances that have a single Ethernet port and have no provision to install a second port or a replacement network card. I also have some point to point wireless links with the same problem - a single Ethernet port - resulting in the wireless backup link going away when a switch reboots or fails.

I want to attach the devices to an Ethernet switch, and have the connection fail over to a *second* Ethernet switch if the primary unit is offline. For example, I need connectivity when the primary switch reboots during a firmware upgrade. So I am not looking at a switch "stack", or at some flavour of LACP. I am looking to have the device connect to independent switch 2 if switch 1 goes offline and then resume the connection to switch 1 when switch 1 is back online. (Or it can stay that way until switch 2 goes offline, no difference really.)

I found the Omnitron iConverter GM3 which is a "Carrier Class Network Interface Device (NID)" that appears that will do the job, but it does about 20 things I have no interest in and is quite expensive per port.

Does anyone have a suggestion on a device that can do this? Preferably something that is rack-mountable and not hugely expensive.

Thanks



Just something to think about: Can your VPN scale to nearly 100% of your workforce working from home?

We all read the news. If the situation were to arise could your infrastructure handle it? Not trying to fearmonger, but we are stuck dealing with the results of those that do. I believe the answer for myself is no.



Competency Plateau or Peak

Sorry to break the usual stream of yummy technical problem solving posts, but I need some folks to weigh in on something. While this is a serious question, I refuse to mark it as such because I just may need the levity at this point.

Have y'all ever gotten to the point where you think you have hit the highest level of competency in your field that you can? I am not talking about the run of the mill "imposter syndrome" that any engineer with an ounce of humility experiences once in a while. This is more of a long period of time where learning new tech seems almost out of reach or is at a minimum moving glacially slow. I haven't been in networking very long...6-7 years and I started very late in life. I am almost 50 and never worked in IT prior to this and never thought I was bright enough to do it. Maybe it's an age thing??? I don't know...

I have no room to complain really...I have gotten extremely far in a short period of time. I have a pretty amazing job, but the amount of learning that we have to continually do seems like a wall at this point. We cover a good bit of ground where I work, so we work on quite a few different platforms. However, just as most enterprise size companies, we are always on the cusp of major changes. I am comfortable for the most part with my networking chops at this early point in my career, but I am just starting to wade into devops and I seem to always be in a fog. Is it possible that we have just so much RAM and that's it??? Can't learn anymore? I just keep at it and hope that an ah-ha moment is around the corner, but at 48 years old with a family I don't have the time after work to put into knowledge seeking. So do we peak? I don't know. Giving up is not an option, but I am starting to feel a bit...tired.

I really hope y'all have amazing careers and thanks for being mentors to folks like me.



How to control UDP broadcast forwarding with Cisco ISR 4431

I have the following UDP broadcast forwarding success and issue...

From the inside private network src: 10.1.1.99 dest 10.1.1.255 port 6001 broadcast UDP with ip-helper in vlan 100 of 10.0.1.210 & ip forward 6001, results in outside private network unicast udp output from G0/0/1 src: 10.0.1.33 dest: 10.0.1.99 port 6001 (this is intended). I also have src: 10.194.234.1 dest 10.0.1.210 port 5207 packets on this network. These packets are not wanted on this outside network.

From the inside private network src:10.1.1.87 dest 10.1.1.255 port 5207 broadcast UDP with ip-helper in vlan100 of 10.194.234.99 & ip forward of 5207, results in outside private network unicast udp output from G0/0/1 src: 10.194.134.1 dest of 10.194.234.99 port 5207 (works as intended). I also have src: 10.0.1.99 dest 10.194.234.99 port 6001 packets on this network. These packets are not wanted on this outside network.

I'm looking for a way to selectively filter, via access-list or some other method, the unwanted packets from each outside private network. I have attempted several iterations of extended access-list on the VLAN source, but it is unclear to me, since it is a multilayer switch, if this is the appropriate location for the access-list. I have also attempted standard access-lists on the G0/0/0 and G0/0/1 ports as well. This had no effect either. I'm looking for any and all suggestions. They are most welcome and appreciated!



Useful switches for learning and practicing networking

What would be an economical "good" switch to learn on? I'm thinking of buying the NETGEAR 8-Port Gigabit Ethernet Smart Managed Pro Switch (GS308T) from Amazon, but the reviews have me confused.

Any recommendations?



Intermittent packet loss only to certain IPs over point-to-point

I have been trying to figure this one out for almost a week and it's one of the most confusing things I've ever seen.

We have Comcast ENS connecting 5 sites to one another, and starting early this week, all of the sudden we are seeing severe packet loss (20-50%+ depending on destination/time) to and from certain hosts at our main site. The Comcast router is an ISR4431, and our core switch is a Catalyst 6500. The output from a remote Cisco device to these hosts will show pretty consistent, intervaled loss (e.g. !!!!!.!!!!!.!!!!!.!!!!!) where only every so many ICMP packets are dropped, anywhere between every other and every 10-15 packets. The frequency of dropped packets also generally increases with ICMP packet size, so it seems to either be dropping after so many bytes or so many milliseconds.

The strangest thing is that the packet loss is only to half or less hosts at our main site, and basically 0 loss to other hosts. The ones that exhibit packet loss seem to be consistent across sources at the other remote sites, and there is no loss between one remote site and another, so we feel that we have isolated the problem to something at our main site. Comcast did L2 tests between their switches and found no drops, errors, etc. including by the BUM filter.

We unfortunately do not have direct access to the ISR4431 as it is managed by a third party, but I did get them to send us a show tech-support output. I found some posts about a Catalyst switch having stuck-open TCP sessions where they were seeing the same kind of intermittent packet loss only to certain hosts, but doing a "show tcp brief" on the 4431 and our 6500 only showed a couple open sessions each.

We are kind of at a loss here, and aside from rebooting the ISR (which we can do, but have to schedule an outage window) don't know what could be causing this. Routing? OSPF routes are /24 and different hosts in the same subnet/VLAN are showing no packet loss or quite a lot, so I don't think it's that. Some sort of ARP issue? Any assistance/ideas would be awesome.



Setting up access points

Hey guys,

I am setting up a WiFi network at the new office and found this

There are 3 ports for APs in the bottom right corner, which work but don’t provide PoE to the APs.

My setup consists of 3 UniFi APs and an EdgeRouter X.

I’m wondering if I’ll need a switch to get them working or if I’m maybe missing something here.

Thanks in advance for all your help



help me understand MPLS LSP bandwidth

One thing I've never understood is MPLS LSP auto-bandwidth. I have googled this but without much success.

What happens when the traffic being sent is over the allocated LSP bandwidth? I understand that auto-bandwidth increases the bandwidth for the LSP with some preconfigured variables, but I do not know the importance of the bandwidth value itself.



MM fiber to dual RJ45 media converter?

Does such a thing exist? I met with a contractor and they told me they needed 2 copper connections. We can extend the run via fiber with media converters on both ends. I get all that, but I only have 1 fiber pair available. He mentioned sticking a dual-out media converter on it and done. I have yet to find one. Anyone know what he's talking about?



Vlan trunk ports

Ok, so I have to admit I'm a bit of a noob with vlans. I've never really needed to separate my network until now.

I have 3 vlans with unaware devices on 2 old 26 port dlink switches (des-3526). There's also a router providing internet access (old sonicwall)

Yes... I need to upgrade ;)

To make a long story short, I'm trying to use ports 25 and 26 on the switches to uplink from the router to the first switch, and the first switch to the second. VLAN ports are untagged, and the uplink ports on each VLAN are tagged. Egress is selected for all ports included in the VLAN, with forbidden for ports that are not. VLANs with matching IDs are created on all devices.

Ports 25 and 26 aren't accessible from any of the vlans, though. The manual isn't much help - dlink seems to use some odd terminology. I'd normally call ports 25 and 26 a vlan trunk, but "trunk" to dlink seems to refer to link aggregation...

I can't help but think I'm missing something incredibly simple here... Any clues for me as to where this noob should start?



Machine learning on IP addresses - group by ASN? Other?

I'm analysing my company's Internet log data and I'd like to make use of IP data in my model. I'd like to use some kind of grouping of IPs as a feature, both because I don't know what the lease timeouts are of any given address, and also because I expect people on a similar block (e.g. spectrum home internet, some company's IP block) will behave similarly to one another.

The problem I'm running into is that there doesn't seem to be any one canonical entity. Subnets (like a /24) aren't guaranteed to all be assigned to the same source. ASNs as found in BGP broadcasts (e.g. at https://iptoasn.com/) seem like a good option but some ranges aren't broadcast, for example T-mobile has 26.0.0.0/8 but it doesn't seem to belong to an AS. It does appear as a netrange in ARIN (https://whois.arin.net/rest/net/NET-26-0-0-0-1/) but I don't know of a good way to do a bulk lookup of thousands or millions of IPs, or if a netrange necessarily belongs to just one organization.

I'm obviously not a network engineer and I'm missing a lot of information - what would be a good way to roll up IPs into similar groups?
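One way to do the bulk roll-up the post asks about, as an added example that is not part of the original post: load any source of labelled address ranges (BGP-derived AS ranges, registry netranges, or your own groupings) into one hash map per prefix length, then resolve each IP with a longest-prefix match. A start/end range that is not CIDR-aligned is split into prefixes first, and a more specific range nested inside a broader one wins, which handles the "a /24 isn't all one owner" case. Every lookup costs at most 33 dictionary probes regardless of table size, so it scales to millions of log lines. The range table below is constructed for illustration and its AS numbers and the RIR label are placeholders, not real assignments.

```python
"""Longest-prefix-match roll-up of IPv4 addresses into labelled groups.

Added example; the range table is constructed and its labels are placeholders.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed rows in the same shape as an iptoasn.com TSV row:
# (range_start, range_end, label).  Labels are placeholders.
CONSTRUCTED_RANGES: List[Tuple[str, str, str]] = [
    ("203.0.113.0",  "203.0.113.255",  "AS64500 example-isp"),      # a /24
    ("203.0.113.64", "203.0.113.95",   "AS64501 example-hosting"),  # a /27 nested in the /24
    ("198.51.100.0", "198.51.100.191", "AS64502 example-mobile"),   # not CIDR-aligned: /25 + /26
    ("192.0.2.0",    "192.0.2.255",    "NET-EXAMPLE-RIR-BLOCK"),    # a registry netrange with no AS
]


class PrefixTable:
    """One {network_int: label} map per prefix length, probed longest first."""

    def __init__(self) -> None:
        self._by_len: Dict[int, Dict[int, str]] = defaultdict(dict)
        self._lengths: List[int] = []  # prefix lengths present, longest first

    def add_prefix(self, cidr: str, label: str) -> None:
        net = ipaddress.IPv4Network(cidr, strict=True)
        self._by_len[net.prefixlen][int(net.network_address)] = label
        self._lengths = sorted(self._by_len, reverse=True)

    def add_range(self, start: str, end: str, label: str) -> None:
        # WHOIS / BGP-derived data gives start-end pairs; split a pair that is
        # not a single CIDR block into the minimal set of prefixes.
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        for net in ipaddress.summarize_address_range(first, last):
            self.add_prefix(str(net), label)

    def lookup(self, ip: str) -> Optional[str]:
        """Return the label of the most specific matching range, or None."""
        addr = int(ipaddress.IPv4Address(ip))
        for plen in self._lengths:
            # zero the host bits for this length, then probe that length's map
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            label = self._by_len[plen].get(addr & mask)
            if label is not None:
                return label
        return None


def build_table(rows: Iterable[Tuple[str, str, str]]) -> PrefixTable:
    table = PrefixTable()
    for start, end, label in rows:
        table.add_range(start, end, label)
    return table


def group_ips(table: PrefixTable, ips: Iterable[str]) -> Dict[str, List[str]]:
    """Roll addresses up into label -> [ips]; unmatched addresses go to 'unknown'."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for ip in ips:
        groups[table.lookup(ip) or "unknown"].append(ip)
    return dict(groups)


if __name__ == "__main__":
    table = build_table(CONSTRUCTED_RANGES)
    sample = ["203.0.113.10", "203.0.113.70", "198.51.100.150",
              "198.51.100.200", "192.0.2.9", "8.8.8.8"]  # constructed sample log IPs
    for label, members in group_ips(table, sample).items():
        print(f"{label:28s} {', '.join(members)}")
```

The group label is what you would feed the model as a categorical feature; swapping the constructed rows for the real iptoasn.com dump only changes the loader, not the lookup.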



Dlink DVX-2002F Dial Plan

Hello Everyone

I need to set up a new Dlink PBX DVX-2002F, especially the outbound route.

Currently I successfully receive calls and register IP-Phones successfully, but I can't create a working dial plan.

It will be great to find help here



Extended support with ParkPlace

I don't know if you guys are familiar with them but we have hardware covered by ParkPlace for Dell servers and Cisco switches.

For Dell hardware we usually have Dell ProSupport but because of budget restrictions we keep some servers sometimes up to 8/9 years, so since Dell won't support after 5 years, ParkPlace comes into play.

So far we are happy with the service, we had a couple of hardware failures, they were able to find replacement parts, send an engineer to location and voila....

Now we have some Cisco ASAs and Cisco 1941s that are going out of support soon and I am wondering if there is any point covering these with ParkPlace since they require a licensed security module; should an ASA or 1941 need to be replaced, we wouldn't be able to use it without the security license activation.

The reason I am thinking about extended support for this hardware is because we will refresh the equipment in around 10 offices but there will be a period (a couple of months) where the ASA/1941 routers will be running without any support.



Alternatives to Cisco 5k with 2k fex in vPC

Hello all

I wanted to ask if there are other vendor technologies similar to the 5k and 2k Fabric extender switching which can be considered as an alternative.

Effectively I wanted to keep the costs low, and with the 5548UP no longer on sale, perhaps it might be time to see if other vendors are doing this?

Preferably I would like to use the vPC functionality to dual-home the FEX to the 5k.

Thanks for any advice.



Can someone help? I have a three way problem....

I have a router with a SIM card based network and recently I have faced an issue regarding accessing one specific server on one specific laptop on specifically a 4G connection....

When I have 4G enabled on my router and I try to access League of Legends on my laptop, it doesn't load ("Timed out" or something, which basically means I am unable to access that server). But when I try to access the League of Legends server on a different device with the same connection it works with no problems. The same happens if I only change the router to a different one (or just put the SIM in a phone): I can access the League of Legends server through my laptop with no problems.

Also if I change the router to use only 3g then everything also works like a charm ( except slower and weaker connection).

So the problem is between 1 specific router with 4g connection, 1 specific server(league of Legends) and 1 specific device.

I have tried changing the DNS server, resetting the router to factory settings, using an ethernet cable, reinstalling League of Legends, but nothing seems to do the trick. So I am a bit confused about what exactly could be the problem between the combination of 3 things....



Friday, February 28, 2020

Jitter network simulation tools

Hi, I am looking for a jitter network simulation tool available on Windows or Mac.

Clumsy is a great tool and it is very easy to use, but it does not support simulating ping jitter.

WANem seems able to simulate ping jitter, but it is Linux only and a bit tricky to set up.

Is there any jitter simulation tool available on Windows or Mac? Thanks a lot.



Are third-party router speeds a hoax?

I currently have 300 mbps internet and I am seeing these third-party routers from companies such as TP-Link that offer speeds such as 3200 mbps. I looked up internet plans and saw that you can get speeds up to 1000-2000 mbps. Does that mean these routers boost the speed of your current wifi?



Cisco Firepower clear bad Nat from cli

Hey all,

Just set up a Cisco 5506-x running FTD 6.2.3

Basically I was playing around with some NAT policies and ended up borking the management interface 😑. Does anyone know how I can clear the NAT policy via the console port from the CLI? I can see the bad policy if I run show nat detail, however I cannot find a way to remove a policy. Any help is appreciated!



Multilink bundle with chap?

If I wanted to use CHAP on serial lines in a multilink bundle would I configure the CHAP on the lines individually or the multilink interface?



Zero trust for thick client apps

Thinking about best approaches for securing remote access (think road warriors) to SAP via the legacy thick "SAPGUI" client (let's assume the web client only isn't an option).

Ideally, I'd like the server components to stay isolated and SAPGUI packets can only reach it after the underlying client has gone through an initial round of authentication (including MFA), posture checking, etc. Sessions remembered for some period of time thereafter for convenience.

Today we can achieve the above with VPN (Pulse Secure), but one has to fire up a client manually first. This can continue to work, obviously, but I'd love to get to a more seamless approach, perhaps via a sort of transparent lite client that is triggered when SAPGUI tries to make its initial connection.

Is something like Pulse Secure's SDP capable of doing this? Akamai EAA? What else should I be looking at? Our SAP environment sits in Azure so am thinking the access gateway could sit there...

I anticipate other workloads like this in the future and would appreciate a solution with some flexibility.

TIA



Publishing internal server using port forwarding on ASA

Hi,

I have a server that I want to publish so that outside users can access it, so I want to port forward from a public IP to the internal server, so when the users outside type https://<public ip>, it will direct them to the server which has an IP of 172.16.12.7.

So what I did on the ASA is that I configured an interface with an IP of 172.16.12.220, and this interface is connected with a cable to a core switch that has a port in a VLAN of that subnet, and the core switch is connected to other L2 switches which are then connected to the servers.

Then I configured this NAT on the ASA:

object network serverpublish
 host 172.16.12.7
 nat (FwInsideServer,FwoutTerra) static 1.1.1.2
access-list OUTSIDE_IN permit tcp any host 172.16.12.7 eq 443
access-group OUTSIDE_IN in interface FwoutTerra

and the interface on the ASA is:

interface GigabitEthernet1/6
 nameif FwInsideServer
 security-level 65
 ip address 172.16.12.220 255.255.255.0

But I couldn't access the server from outside. Is there something missing or anything wrong?

can you please help me?

thanks in advance!



802.11ax missing trigger frames

I took pcaps to verify some Wifi 6 features, and I think I am missing some frames.

Setup:

- 2 Cisco 9120's: one in flexconnect, one in sniffer mode

- Laptop that runs vWLC version 8.10.105 on Virtualbox, and serves as server for a speedtest.

- Laptop running Wireshark 3.2.1, receiving the frames from the WLC

- One client with Intel AX200 chip, one Samsung Galaxy S10

vWLC and client confirm that 802.11ax is used. When performing a speedtest on the clients, the pcap shows a ton of consecutive RTS, CTS and 802.11 Block ACK frames, but no Trigger and/or data frames. I suppose that I should also be seeing these? Or are there any restrictions in what frames the sniffer sends to the WLC/Wireshark?

I would like to check stuff like which client gets which amount of RUs etc.

Thanks in advance!



Forcing Installation of CA Certificates to Android

Hello all. Here's the deal. I'm rolling out certificate-based authentication to all our corporate-owned devices obviously including Pixel 2 devices. We use an MDM solution to push profiles to these phones. I'm trying to push a profile to Pixel devices that contain a client certificate, our internal root ca, our internal sub ca, and the radius server certs these phones will be authenticated by.

These phones are unable to join a wifi network in said profile because the client is rejecting the radius server certificate. I understand this means the phone doesn't trust the radius server cert, but what I do not understand is how I get the phones to trust it. Am I to install the server cert directly onto the device and if so should I be able to do that from the same MDM profile? Does Android need a specific format for the cert? .cer DER? Does the Android need the private key of the server cert? Does the server cert HAVE to be a public cert in the trusted root ca store?

Sorry about so many questions at once but I can't figure out the problem. Thanks in advance!



Class Project

Hey, my networking class of 5 is having a project to mess with the networking fundamentals class. We have 2 windows 2019 servers with DHCP. Is it possible to have them send out multiple classes of ips? Like having one send out class A and another send class B? I've found the possibility of them sending ranges from the same class but not different ones. If it is possible, can I get an explanation of how?



SSL response

Hi, one question regarding SSL based services. I know that the client sends a "client hello" saying what version of the protocol it supports and other connection settings. What if the client sends the same connection frame twice? Like it sends the first, but because of network congestion it doesn't receive an answer after some time, so it resends the "client hello". How will the server react to the second frame?



"AMG host lookup failed" Cisco vWaas and Akamai

Hi,

How can I debug this problem?

The nameserver and DNS lookup are configured on the router, and WAAS can reach the internet.

vWAAS is deployed as an OVA on the router.

Thank you.



upgrading remotely with no OOB

I am due to upgrade a couple of Juniper MX routers this weekend. I'm in the UK and the devices are in the USA.

As a precaution I wanted to ensure that OOB access was up before I prep for tomorrow, and I've realised that I left the OOB unplugged after my last visit to the DC in January..........dope

Would you carry on with the upgrade remotely regardless? Or better to play it safe and hold back until OOB is connected?



static route on nokia isam with nant-a

Hello, any ideas on how to configure a static route on a Nokia ISAM 7330 with a NANT-A card?

the default route is no problem with configure system management default-route x.x.x.x

But I can't find a way to configure a second route that I need.

thx



Ruckus AP doesn't recognize internal network

I currently have a R700 operating normally in my network. It is in standalone mode and works great !

Then I thought that I needed more 5GHz coverage so I snatched an awesome deal on an R720.

After it arrived, and because it defaults to 192.168.0.1, I used my trusty USB->Ethernet adapter and configured it (no problems, login just fine and updated the firmware to the latest Unleashed successfully).

Unplugged it from the USB adapter and plugged it into my normal network.

Then the mystery started.

My network simply CAN'T SEE the R720.

I have an EdgeRouter (not using its passive PoE) and a Mikrotik switch (not PoE). In the switch the port isn't even active. The port is enabled and was being used by the R500 just fine! I've tried to

I use an AXIS 60W PoE injector brick that can provide all the power that the R720 can devour, but to no avail, it simply isn't there.

But when I go back to the USB adapter it works just fine!

I know that the Mikrotik doesn't support or do LLDP, but this hasn't stopped the R700 from working (LLDP is active on the router, but connecting the R720 directly to it didn't help).

Can anyone shed some light/insight? I am at my wit's end here :(



Microsoft dropping out windows server certifications to move to Azure cloud certifications!



Thursday, February 27, 2020

How to convert KeyMaterial to text?

So I have some KeyMaterial codes, from the netsh wlan profiles xml file, which are crazy long. How would I convert those to text? Is there an algorithm/formula or something? Or is it just HexD or something else?

I tried googling but didn't find anything that can help. Thank you!



Negotiated low speed on phone's wifi

Hi guys,

Recently I have a very weird problem. I pay for 300mbit and on wired connections I get it. But the weird thing: on my laptop I get those 300mbit most of the time but on my phones it's like a lottery. For half an hour I get 250mbit+ but then out of the blue I get 1mbit xD. I found in the router settings that normally my phone negotiates a ~780mbit speed but when that problem happens I get 30/18mbit negotiated. Can somebody tell me why that is? The router is 2-3 meters from me, no walls; I scanned networks nearby and on 5GHz there are a few wifis on channels ~40-50 but my router automatically switches to a free channel ~120.

Any ideas why my phone negotiates such low speeds?



How do I access my Apache2 HTML page from outside LAN?

I hope it's alright if I ask a question. I'm pretty new to network configurations and protocols but I've loved learning it so far. As a fun project, I decided to use some old hardware and make a static HTML page. Everything's all and well except that I cannot access the page unless I'm on the same network through the DHCP. Do I need a static IP? I don't think it's a firewall or DNS issue. In case the answer is relevant, I'm also interested in setting up an IRC server but am having similar issues. I would really appreciate any thoughts or suggestions. Thanks so much.



Python for Network Engineers, free course, starts Tuesday, March 3rd

Periodically, I run a free course on Python for Network Engineers. The next course starts this Tuesday.

This course is aimed at Network Engineers that want to learn Python. It covers Python fundamentals, but using exercises and examples that are more relevant to network engineers. That being said the course is definitely oriented towards beginners (from a Python programming perspective).

The week-by-week schedule for the course is as follows:

Week1 - Why Python, the Python Interpreter Shell, and Strings
Week2 - Numbers, Files, Lists, and Linters
Week3 - Conditionals and Loops
Week4 - Dictionaries, Exceptions, and Regular Expressions
Week5 - Functions and the Python Debugger
Week6 - Netmiko Basics
Week7 - Jinja2 Basics, Introduction to YAML and JSON, Complex Data Structures
Week8 - Libraries, Package Installation, and Virtual Environments

The course is taught using Python3.

The course format is a lesson a week for eight weeks. The lessons are all delivered via email and consist of videos, exercises, and additional content. The course is self-paced i.e. you can work on it on your schedule.

A bit about myself: I am a long-time network engineer (CCIE #6243 emeritus). For several years, I have been working extensively in network automation. I am the creator/maintainer of the Netmiko-Python library. I am also a core maintainer on the NAPALM-Python library. I also work quite a bit on both Nornir and Ansible.

Sign-up is available here:

https://pynet.twb-tech.com/email-signup.html



SD-WAN Job Market/Adoption

I'm curious what the current percentage of companies making or having made the switch over to SD-WAN is. I hear it being talked about a lot but I don't see many job postings asking for these skills compared to things like ACI/NSX.

Are most companies still sticking with DMVPN over MPLS circuits? Do you think 2020 is the year where SD-WAN hits critical mass?



Why is 10Gb/s networking still so expensive in 2020?

Okay, this is really bothering me. The new USB standards support up to 10Gbps and some of the chips for it are less than two dollars. Even hubs are less than 10 dollars. I feel like we're being either ripped off or straight up being taken advantage of. Is it really just a supply/demand thing or am I missing something? I don't know much about ethernet circuitry but unless I'm missing something I don't see why there's such a cost difference between USB 3.0 and 10GB networking.



Can I use a single SSID with more than 500 wireless clients?

Cisco recommends using the least amount of SSIDs and I believe best practice is limiting ~254 hosts per vlan.

If an SSID can only be mapped/tagged to a single VLAN, how could this be accomplished?

For example, if I forward all traffic to a wireless vlan and then route to other vlans as needed, wouldn’t the wireless vlan be overwhelmed with control traffic?

Thanks



I'm shopping for switches and WAPs for work... without a budget! The only condition: it has to be reasonable.

Good evening, I need to replace a couple of 48 port PoE switches (for 8 of our WAPs) at work and am looking for suggestions. Mondays and Tuesdays, we have a lot of remote workers come in and usually network traffic increases, but we haven't had any complaints. The number of users is between 100-150; everybody is a heavy internet user between SharePoint, Teams for VoIP and more. More expensive or newer isn't necessarily better in every case; any comment or suggestion is greatly appreciated.



TAC Engineers of Reddit - How do you find the work? how is the stress? What is your career projection? How long have you worked in TAC? How do you make the most of your role? (and more)

Just some questions for TAC Engineers

  • How do you find your role (day to day)

  • How is the stress?

  • What is your career projection?

  • How long have you worked in TAC?

  • How do you make the most of your role?

  • Any best practices for working in the role?

  • Revelations you've made that help you everyday in the role?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Question regarding VOIP phones with passthrough ports and VLANs

So I've used this configuration a lot in my workplace, but since I'm not the one who administrates the network, I had a thought the other day and it started to confuse me.

So our network is set up to have a separate voice VLAN.

From the wall, the Ethernet cable connects to the LAN port of the phone, and then the workstation that the phone is sitting with is plugged into the PC port of the phone. Now, from what I understand, the phone essentially contains a three-port switch -- one for the PC, one for the phone, and one connecting to the switch in the server room.

Also from my understanding of networking, a port has to be trunked if it is to pass data for more than one VLAN. So, does the port on the switch in the server room that the PC and phone connect to need to be a trunk port for the link to the phone to be able to carry both voice and data? After all, if it essentially contains a 3 port switch, wouldn't the port need to be a trunk port on both sides in order to successfully pass data?

I've also heard that, for example, on Cisco switches, you can use a command to designate a voice VLAN on a port. So people will say, for example, that they have the voice data tagged for the voice VLAN via configuration on the phone, and then leave PC data untagged. I think here my understanding of VLANS starts to get shaky. How does this work? Does this essentially create a specialized trunk port that only allows untagged traffic and traffic tagged for one specific VLAN (the voice VLAN)? And also, perhaps where I'm getting tripped up -- is the untagged VLAN of a port specified on a port by port basis, or does it go for the entire switch? As in, does the switch have one cumulative native VLAN, or is the native VLAN designated separately on each port? If that's the case, I think I understand -- it doesn't matter what VLAN a PC is on if the untagged VLAN can be set to that whatever that PC's VLAN is, and then the tagged VLAN can be set to the voice VLAN. To further elaborate, if a switch port is set in access and NOT a trunk port, does it really just support a single "native" VLAN and that's it? If that isn't the case, I'm very confused.



Newer engineer here. Customer's 5505 firewall (that my company manages) is being pointed at as being to blame, but I don't get why.

Hi Everyone.

I just started my job as a network/system engineer for a Full Solution Parking automation company, and I have a weird issue. We have a customer that's claiming our really old ASA 5505 firewall isn't allowing traffic, and I can't figure out why.

It'll disallow any connections to a few IP addresses in our credit card solution's public IP block, but allow connections to others in that same block. This is despite defining any-any acl rules on both the outside and inside interfaces.

Our firewall runs through someone else's Ruckus switch and pretty much just goes through to the ISP. I've talked with the other company multiple times to confirm that my firewall is just hopping across a couple of switches.

I'm at a loss. Is my 5505 broken? Is there actually a firewall that no one knows about?

I'm super new to this, so if I'm missing some things let me know and I'll clarify.



SSH Key Storage?

I have recently taken some classes on DevOps and automation for our existing network infrastructure (mostly Juniper). My company is looking to bring in more automation methods for infrastructure management, specifically supporting NETCONF for use by Ansible and running Python scripts. However, we would like to configure this securely from the start. I have looked at Ansible Vault for password storage. However, I was interested in whether there are any SSH key storage solutions which could provide multi-user access to stored keys. I haven't found anything in particular by Googling so far. Does anyone have any recommendations?



Is it possible to do a thesis about network automation?

I know that is kind of a complicated question, but I am studying network automation tools like Ansible, Python "paramiko" and other stuff.

And I also have to pick up a theme for my thesis, and maybe I could use something about automation... but I couldn't find an "idea"... so maybe someone could help me... Or maybe it doesn't make any sense... Maybe a brainstorming... hahaha

Thanks a lot.



trying to connect trunked HP to VLTed Dell switches without a loop

Hello networking,

I just can't wrap my head around this scenario:

The Dell 02 switch needs a link to HP 02 to get some redundancy.

Dell 01 and 02 are connected via VLT interconnect.

But HP 01 and 02 are only connected via a simple trunk. So no switch-interconnect or the like.

HP 01 and Dell 01 are already connected. But connecting HP 02 and Dell 02 will create a loop, wouldn't it?

But how to prevent? Was already thinking about a LACP port-channel on the Dells. But what to do then on the HP side? Or is that BS anyways?

+-----------------+    VLT Interconnect    +-----------------+
|     Dell 01     |<---------------------->|     Dell 02     |
|                 |                        |                 |
+-----------------+                        +-----------------+
        ^
        |
        v
+-----------------+      Simple Trunk      +-----------------+
|   Procurve 01   |<---------------------->|   Procurve 02   |
|                 |                        |                 |
+-----------------+                        +-----------------+


Cisco Firepower as AnyConnect VPN concentrator

Hi,

We're going to be demoing a couple of Firepower 2100's solely for the role of AnyConnect VPN concentrators. We have extensive experience using ASA 55xx-X's for basic firewalling duties but are a little put-off by reading all the bad experiences with Firepower so some questions upfront:

  • Is Firepower a good fit when used solely for the role of AnyConnect VPN concentrator?
  • Is there a good up-to-date overview of any missing AnyConnect features compared to ASA?
  • It seems it's also possible to run legacy ASA on the Firepower hardware but we're not certain if this is a good choice because we can't seem to find a roadmap for this. Is this a solid choice future-wise? We're aiming for a 5 year lifetime and want to avoid a forced migration to Firepower during this period.


CISCO'S UCS FI

I'm implementing a HyperFlex topology and we have 3 Cisco UCS nodes and 2 FIs. When we powered on the FIs today there was a port failed error (F0277) on all ports; all were red. Can anybody tell me how to tackle this, or am I being stupid by missing something basic?



Cisco Switch Issue

I have a Cisco 350X switch with a bunch of un-managed switches in user offices. One office in particular, I have four users that tie into one un-managed switch. Two of them work where the other two do not. What is going on here? My Cisco switch is barely configured. All I have done is give it an IP address and made all the ports access ports on the switch. What else do I need to do?



Blonder tongue mini CMTS

Anyone have experience with the Blonder Tongue CMTS? I'm struggling with getting VLANs to pass to my CPEs. We define a VLAN, add option 60 info, add snooping info, and the only traffic I see is coming out untagged. The vendor is basically asking me to verify I have a DHCP server in that network and asking for packet captures. If I put an SVI and DHCP client on the CMTS itself it gets a lease in the right network, so I'm not sure why they are pushing it back on me as the likely culprit.



100Gbase-LR for short range - how quickly will these get damaged? Advice on optical attenuators?

We're using 100Gbase-LR's for connectivity within a rack, or across adjoining racks (1.0 to 5.0 metres).

Yes, I know LR is overkill - but these are the optics I have access to, and we do need 100Gb. (This is for a Ceph cluster).

I've been told that at such short ranges, the high power can actually permanently destroy optics over time.

  1. What is the mechanism by which this damage occurs? How quickly will the optics wear out? (i.e. hours vs weeks vs months)
  2. For anybody that's used 100Gbase-LR over such short ranges - what steps did you take to mitigate this damage? I've been told I should be looking into optical attenuators, and clipping these on. Anything else?
  3. Is there much variance in the quality of optical attenuators? E.g. cheap from fs.com, versus a more reputable place like FIS. And what sort of dB rating should I be looking for?
  4. Are 10Gbase-LR optics immune to this damage, even at short ranges?


Setting up RSTP and Sonicwall TZ300.

Hi, could use some direction here, as I have no experience with the Sonicwall.

Currently, the customer has a flat network, with two ports being used in the Sonicwall, WAN, and LAN.

There are currently 3 cabs.

Core Cab:

- 2 x Leased Lines

- 1 x Sonicwall TZ300

- 2 x GS1920HP Switch (1 directly plugged into LAN port & the other is used for a wireless network within the warehouse)

Cab 1:

5 x Cisco SF300

Cab 2:

5 x Zyxel GS1920HP

Idea:

Set up RSTP, give the core switch the lowest priority, followed by 1 x Cisco SF300 in Cab 1, then the others. However, I wanted to see if it was possible to configure one of the other ports on the Sonicwall to act as a LAN port should the main line into the core switch fail.

It's been some time since I've done any kind of networking, so just a few more opinions would really help.

Thanks.



nginx reverse proxy (stream for UDP), only server stream dead.

I use nginx as a UDP reverse proxy server, like:

client ---(1)--> nginx ---(2)--> server

When I reinstall my server, the UDP proxy dies.

In most cases, the client stream (1) and server stream (2) die together, and nginx tries to reconnect the reverse proxy.

However, sometimes the client stream (1) is alive and only the server stream (2) dies, and then nginx doesn't try to reconnect the reverse proxy.

So the server can get messages from the client, but cannot send messages to the client.

The result of tcpdump looks like:

client > nginx:port
nginx:port > server
server > nginx:port
nginx:port > client
...

(2) only dies:

client > nginx:port
nginx:port > server
server > nginx:port
...

No 'nginx:port > client'.

My error log when (2) only dies:

2020/02/27 17:41:13 [info] 34906#0: *647 udp client 192.168.0.184:49153 connected to 0.0.0.0:11325
2020/02/27 17:41:13 [info] 34906#0: *647 udp proxy 127.0.0.1:51513 connected to 127.0.0.1:31114
2020/02/27 17:41:13 [error] 34906#0: *647 recv() failed (61: Connection refused) while proxying and reading from upstream, udp client: 192.168.0.184, server: 0.0.0.0:11325, upstream: "127.0.0.1:31114", bytes from/to client:43/0, bytes from/to upstream:0/43
-- No reconnect --

Error log when (1) and (2) die together:

2020/02/27 17:41:25 [info] 34906#0: *651 udp client 192.168.0.184:49153 connected to 0.0.0.0:11325
2020/02/27 17:41:25 [info] 34906#0: *651 udp proxy 127.0.0.1:60319 connected to 127.0.0.1:31114
2020/02/27 17:41:25 [error] 34906#0: *651 recv() failed (61: Connection refused) while proxying and reading from upstream, udp client: 192.168.0.184, server: 0.0.0.0:11325, upstream: "127.0.0.1:31114", bytes from/to client:43/0, bytes from/to upstream:0/43
2020/02/27 17:41:29 [error] 34906#0: *651 sendmsg() failed (61: Connection refused) while proxying and sending to upstream, udp client: 192.168.0.184, server: 0.0.0.0:11325, upstream: "127.0.0.1:31114", bytes from/to client:129/0, bytes from/to upstream:0/86
2020/02/27 17:41:31 [info] 34906#0: *653 udp client 192.168.0.184:49153 connected to 0.0.0.0:11325
2020/02/27 17:41:31 [info] 34906#0: *653 udp proxy 127.0.0.1:58601 connected to 127.0.0.1:31114

How can I change my configuration so that nginx forces a proxy reconnect when only the server stream is closed?



Cable for connecting Cisco NIM-1MFT-T1/E1

Which cable should be used for connecting T1/E1? In some posts I found that CAT-6 is OK while others say that it should be 120 Ohm 4-wire cable.

Which one is correct? What is the max length for a CAT-6 cable?



Is it possible to transfer data between 2 servers, one on a private network and another on a public network?

Newbie here, is the above possible? I am trying to send some data from a remote site into a private network



Looking at/for 100% travel and 100% remote Positions.

Almost 5 years of experience and a few certs (CCNA, Net+, A+) plus time and freedom to dedicate to the craft leaves me wanting to do and see more than what your standard NOC/ISP/MSP roles can offer. What has your experience been in finding these types of roles? Does anyone have any tips, experience or recommendations on finding/landing remote and/or travel roles?



Is that a malware or windows 7 or the cabling issue or networking problem?

A branch with 10+ users and a couple of printers is connected to the head office through outdoor access points. For one week the connection has been getting lost twice an hour. I changed the switch (PnP) and tried some basic troubleshooting, which didn't lead me anywhere; instead one of my printers got totally disconnected. I mean the IP is there and the cable is connected, but I still can't ping the printer. So I changed the patch cable as well as the keystone jack, but the problem remains the same. So I gave the printer a direct connection to check if there was any problem with the patch panel. Again, no change in the situation. The next day another printer was also gone. I did the same as with the first printer but the problem remains the same.

Next, I took out the patch panel and gave a direct connection to the switch. The connection still keeps on dropping. I did some Windows updates at the start of this month, so I thought that was causing the issue and uninstalled them. The problem is still there.

Now today, one of the PCs is not pingable from the other systems, but I can ping all the other systems from that one PC. Any suggestions will be great.



Looking for directional wifi extender

Hi all,

I have a customer wanting directional wifi towards a block of units about 30-40m from his house (family live in there). I've suggested direct CAT6 to each unit but he would rather have wifi.

I've used a lot of extenders with SMA but I'm just wondering if anyone's aware of a product that uses CAT instead of SMA? I'm trying to keep costs down for said customer.

Thank you!



Wednesday, February 26, 2020

Local Network Speed

Hi,

Are there any free tools I can use to test local network connection speed between a local client and local servers?



How to prevent most torrent downloads on a small business guest WiFi network?

I set up a WiFi network for a small local bar that a friend of mine owns. He got a letter from his ISP that someone downloaded a movie on the network, so we need to beef up restrictions a bit.

I’ve seen plenty of similar posts, and many responses seem to highlight that you can’t block 100% of torrenting . I get it, that’s fine. I just want to dissuade people from downloading movies and shit on the free WiFi. 95% is fine.

The current router doesn’t allow blocking individual ports or domains, or reducing the bandwidth on the guest network only. I’m guessing we might need to pick up a router that allows that.

Any suggestions on router models that allow the things I listed above, without breaking the bank? And after that, which ports or domains to block, or other suggestions?

Thanks in advance!



VPC with orphan port Firewall Active/Standby

Hi all,

I have an issue with my design. I am using Nexus 9K for double-sided vPC with AGG and SF01, 02; details in the picture below.

Topology

And all ports connecting from SF01 & 02 to the Firewall are orphan ports, non-vPC. The Firewall has P1, P5 as Inside and P2, P5 as Outside.

I have some questions.

Does my design have a problem? And if so, what is it?

When I perform a failover on the Firewall, all services in the server farm are down and I must restart SF01; after that my system works normally.

I hope we will discuss.



Ruckus Switches Not Showing SFP As Connected

Looking for some help on an issue we are facing. We are installing Ruckus ICX-7150 switches and attempting to attach Brocade 10GB SFPs from FS. After inserting the SFPs and connecting the fiber, we are not getting link lights and the interface shows as down. Does anything special need to be done to activate the Brocade transceivers? Does anything special need to be done to allow third-party SFPs on the Ruckus equipment?



DNAC Templates!

I am running into an issue where DNAC is having an issue pushing the "Banner" configuration to a device.

Is there a specific format that I have to use?

I have this:

<MLTCMD>
banner motd ^
BANNER
^
</MLTCMD>

Honestly, if we weren't going to leverage DNAC, and we did not get it for free, I would just use Python... Maybe I'll take a look at the APIs DNAC offers.



What type of automation do you have in your environment?

Our team handles route/switch, wireless, VoIP, SDWAN. We are looking to leverage Python and Ansible to automate everyday tasks or run daily health checks . Just wondering what some of you are doing today in your environment?

Do you use these playbooks so that your HelpDesk can gather information depending on the issue being reported and to verify overall functionality?

Thanks for the comments in advance!



I need help converting an AP to an IOS

I have been trying to convert a Cisco 1700i all day and I cannot figure out why it's not loading my file correctly. I set up TFTP, renamed the file to end in .default and the AP recognizes the file but spits out the following:

"Premature end of that file" "Image is not a valid IOS archive"

Anyone have any idea what I'm doing wrong? Any help is appreciated, thanks everyone!



ASR9901 licensing question

We are looking at getting some ASR 9901's, but we are struggling to get any concrete answers on how the licensing works. We've reached out to our Cisco SE's and VARs but I don't think we are going to get any answers out of them as they don't know much about ASR9K.

  • We're looking at the ASR9901 120G as we only need about 5-8 10G ports running.
  • We only need 5 VRFs.

From what I have figured out we just need to get the I-VRF license along with the ASR9901 120G and we are good to go?

Other than VRF count, is there any extra functionality added in the AIP license over the I-VRF license?

Additionally, is there any good resource that explains the ASR9901 licensing? I think I have a good picture now, but I have pieced it together from dozens of PDFs and forum posts.

Thanks.



Small office network - Homework Topic (basic image included)

Howdy,

Not sure if this type of post is allowed after reading the sidebar so I'll try to be as specific as possible. I have a homework topic where I have been tasked with setting up a network for a small office that would also like a guest wifi section in their reception. Within their own network they will have 11 desktop computers, 1 server and 2 printers.

My plan for this is to use VLANs on a managed switch to separate the two networks, but herein lies the problem as I have never used them before, only briefly looked at them. I have made a very simple mock network in Packet Tracer but I am unable to add IP addresses to the switch's interfaces; it will be a managed one so it will need them. I also have no real idea how to set up VLANs in Packet Tracer but it does seem straightforward from playing around in the switch settings.

Basically I am asking if my proposed plan and IP Addressing Scheme is acceptable and will work, is there anything I should add or remove from the word table? Feedback of any kind is appreciated.

https://i.imgur.com/0Ecu9xp.jpg



HP Networking ACL query

Hi All,

I need to configure some ACLs to restrict inter-VLAN communication. I also want to permit only accepted IP traffic out of the subnet in question.

Subnet - 192.168.35.0/24

Firewall - 192.168.10.254/24

My draft ACL is as below, which I intend to apply to the VLAN. I would be grateful if somebody could cast their eyes over it and sanity check it. The default gateway for this VLAN is 192.168.35.254 which routes to my firewall 192.168.10.254 - do I need an ACL line for that IP too?

Inbound Rule

Block all access apart from my management network 192.168.10.0/24

Outbound Rule

Block all traffic out of the network apart from to 192.168.10.5 , 192.168.10.16 , 192.168.10.9

IP access-list extended "PCI ACL List"
REMARK "Rules for Inbound Traffic PCI VLAN"
10 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
20 permit ip 192.168.10.0 255.255.255.0 192.168.35.0 255.255.255.0
REMARK "Outbound Traffic PCI VLAN"
40 permit ip 192.168.35.0 255.255.255.0 192.168.10.5 255.255.255.255
41 permit ip 192.168.35.0 255.255.255.0 192.168.10.16 255.255.255.255
42 permit ip 192.168.35.0 255.255.255.0 192.168.10.9 255.255.255.255

Again, do I need a permit ip to 192.168.10.254 (firewall for internet access)?

Thanks all
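The sanity check asked for above can be done offline: an ACL is evaluated top-down with the first matching entry winning and an implicit deny at the end, so the question for each entry is whether an earlier entry already covers it. The following is an added example, not code from the post or from HP; it reads the draft (with the five-octet typo in entry 10 corrected) under both mask conventions, since the draft's masks read as subnet masks but some platforms interpret the second field as a wildcard/ACL mask where 1 bits are "don't care", and reports first-match results and shadowed entries for each reading. Addresses under test are the ones given in the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class Match:
    addr: int
    care: int  # bit set to 1 where the packet address must equal addr

    def covers_ip(self, ip: int) -> bool:
        return (ip & self.care) == (self.addr & self.care)

    def covers(self, other: "Match") -> bool:
        """True when every address matched by `other` is also matched by self."""
        return (self.care & ~other.care) == 0 and \
               (other.addr & self.care) == (self.addr & self.care)


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: Match
    dst: Match


def _match(addr: str, mask: str, wildcard: bool) -> Match:
    m = _ip(mask)
    # Subnet-mask reading: 1 bits must match.  Wildcard reading: 1 bits are don't-care.
    care = (~m & 0xFFFFFFFF) if wildcard else m
    return Match(_ip(addr) & care, care)


def parse_acl(text: str, wildcard: bool) -> List[Ace]:
    """Parse '<seq> permit|deny <proto> <src> <mask> <dst> <mask>' entries; skip the rest."""
    aces = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 7 or not p[0].isdigit():
            continue  # list name, REMARK lines, blanks
        seq, action, proto, sa, sm, da, dm = p[:7]
        if action not in ("permit", "deny"):
            raise ValueError(f"unrecognised action in: {line}")
        aces.append(Ace(int(seq), action, proto,
                        _match(sa, sm, wildcard), _match(da, dm, wildcard)))
    return sorted(aces, key=lambda a: a.seq)


def evaluate(aces: List[Ace], src: str, dst: str, proto: str = "ip") -> Tuple[str, Optional[int]]:
    """First-match lookup; (action, seq) of the winning entry, or ('deny', None) for the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for a in aces:
        if a.proto in ("ip", proto) and a.src.covers_ip(s) and a.dst.covers_ip(d):
            return a.action, a.seq
    return "deny", None


def shadowed(aces: List[Ace]) -> List[Tuple[int, int]]:
    """(later_seq, earlier_seq) for every entry an earlier entry makes unreachable."""
    out = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if earlier.proto in ("ip", later.proto) and \
                    earlier.src.covers(later.src) and earlier.dst.covers(later.dst):
                out.append((later.seq, earlier.seq))
                break
    return out


# The draft from the post, with the typo in entry 10 corrected.
DRAFT_ACL = """
IP access-list extended "PCI ACL List"
REMARK "Rules for Inbound Traffic PCI VLAN"
10 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
20 permit ip 192.168.10.0 255.255.255.0 192.168.35.0 255.255.255.0
REMARK "Outbound Traffic PCI VLAN"
40 permit ip 192.168.35.0 255.255.255.0 192.168.10.5 255.255.255.255
41 permit ip 192.168.35.0 255.255.255.0 192.168.10.16 255.255.255.255
42 permit ip 192.168.35.0 255.255.255.0 192.168.10.9 255.255.255.255
"""

# Flows the post cares about: mgmt -> PCI, PCI -> allowed host, PCI -> firewall, PCI -> internet.
FLOWS = [("192.168.10.5", "192.168.35.7"), ("192.168.35.7", "192.168.10.5"),
         ("192.168.35.7", "192.168.10.254"), ("192.168.35.7", "203.0.113.9")]

if __name__ == "__main__":
    for wildcard in (False, True):
        aces = parse_acl(DRAFT_ACL, wildcard)
        print("masks read as", "wildcard" if wildcard else "subnet masks")
        for src, dst in FLOWS:
            print(f"  {src} -> {dst}: {evaluate(aces, src, dst)}")
        print("  shadowed entries:", shadowed(aces))
```

Under the subnet-mask reading the firewall and internet flows fall through to the implicit deny, which answers the question about 192.168.10.254; under the wildcard reading entry 10 matches everything and every later entry is unreachable.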



Juniper SRX - GNS3 VM

Hi all,

I can't seem to get Juniper vSRX to boot up in my GNS3 VM. I've imported the .gns3a appliance and imported the qcow from Juniper, but it keeps going in a loop.

GNU GRUB version 2.00
+--------------------------------------------------------------------------+
|Juniper Linux                                                             |
|Juniper Linux Debug                                                       |
|Juniper-Linux-Recovery                                                    |
+--------------------------------------------------------------------------+
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, `e' to edit the commands
before booting or `c' for a command-line.
The highlighted entry will be executed automatically in 0s.
Booting `Juniper Linux'
Loading Linux ...
kvm: already loaded the other module
GNU GRUB version 2.00
+--------------------------------------------------------------------------+
|Juniper Linux                                                             |
|Juniper Linux Debug                                                       |
|Juniper-Linux-Recovery                                                    |
+--------------------------------------------------------------------------+
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, `e' to edit the commands
before booting or `c' for a command-line.
The highlighted entry will be executed automatically in 0s.
Booting `Juniper Linux'
Loading Linux ...
kvm: already loaded the other module

(the same GRUB menu / "Booting `Juniper Linux'" / "Loading Linux ..." / "kvm: already loaded the other module" sequence repeats twice more)



Alternatives to BIND DNS servers

Hi all,

After a recommendation for a solution to replace BIND DNS servers, we wanted to do a hybrid DNS solution with Route53 private hosted zones but this isn't possible due to a Route53 limitation (we've had this confirmed by AWS support).

Requirements:

- Ability to create MX, TXT, A, SRV, CNAME records

- Authoritative DNS

- Easy to manage zone files

- Split horizon DNS (have records for internal and external names)

Thanks in advance for any suggestions or recommendations



Anyone use wireshark for troubleshooting?

Looking to get pointed in the right direction. I work on a networking team as a jr network admin. Trying to learn more about troubleshooting with Wireshark. Our sysadmin team uses Citrix for our thin client images and an issue we have a lot of the time is slow boot times. How could I use Wireshark to troubleshoot that issue? And what I mean is, what are some types of things to look for in the packet captures that would point to it being a network related problem? I know from the server side, the sysadmins tell us they see a lot of "retries" from time to time. From videos I have watched, that is something you would see in Wireshark, correct? Thanks!



What cat6 cables are best for cable management?

Hi,

As the heading says. What cat6 cables are best for cable management? Need cables that are a bit softer because it is a bit cold in the data center.

For connecting inside one rack, so no do-it-yourself RJ45 connectors.



BGP prepending questions.

I have done prepending and it is my own blocks I am prepending. I saw a configuration where someone prepended blocks of a different AS. Will this work? I have read you can prepend in or out. Are there specific times you would choose one way over the other?



How do I set my Cisco Air AP1852i-e-k9 to standalone?

I read that when the image file name includes "k9w8" it runs in Lightweight mode, but #show version doesn't give me an image name in the first place - I feel like I am either doing something insanely wrong, or the AP / IOS is screwed.

The AP currently runs on 8.3.102.0. I wanted to upgrade it but Cisco apparently hates hobby networkers that don't have a service contract so I can't get a newer version.

So, even though - as far as I can tell - my AP *should* already be running in Standalone mode (the name doesn't include LAP, so it should be standalone out of the box, and as far as I know it's new), I still get heaps of errors regarding CAPWAP and something like "waiting for uplink IP and reachable default gateway" or "[*02/16/2017 04:19:44.9400] grep: /storage/base_capwap_cfg_info: No such file or directory", and I can't #config terminal - I just want to use the AP as a workgroup bridge.

Can someone enlighten me how the hell I can get to where I want to be? Or should I just get another AP? I'm rather new to the field so sorry if I forgot something.



FWs comparable to ASA 5508

Okay, I'll try again...

We are looking for a new FW (HA pair). Requirements are ~250mbit throughput, a handful of site-to-site VPNs and RA VPN for about 20 users. IPS would be awesome.

For Cisco products I know we could use an ASA 5508 or a Firepower 1010 (my favourite but management is not happy about license subscriptions).

I checked Fortinet and the 60E and 80E look promising. Do they have any license requirements? Our preferred supplier only says that a service contract is required.

Palo Alto has the PA-220 but again license subscriptions... Also, do you need to pay extra for the Panorama?

Anyone recommending SonicWall or WatchGuard?



Same subnet in different vlans?

Hello, is it possible to have, for example, VLAN A with subnet 192.168.10.0/24 and VLAN B with subnet 192.168.10.0/24 on the same switch, and have them communicate with each other by using a router? When I try to do inter-VLAN routing with router on a stick, I can't assign an IP address on one of the subinterfaces because of overlaps. Additionally, I want to telnet from one source (but this source is in two different VLANs) to one destination.



Pulse Policy Secure 3rd attempt different code

Hey guys,

So I've taken this exam twice and failed both times.

The third attempt is a different exam code. Was wondering why that might be?

Does any other vendor do something like this? If so, why?



BPDU guard

Hello, I'm learning about BPDUs. Can anyone help me out with these questions? I have a switchport with a voice VLAN and untagged data VLAN and with BPDU guard enabled on it.

  1. If I connect an unmanaged switch, will it deploy the BPDU guard immediately, or do I have to connect one or more machines to that unmanaged switch for the BPDU guard to be deployed? Or will it not deploy BPDU guard at all?
  2. If the BPDU guard is deployed, will it shut down the switchport (no link activity at all) or will it simply block/discard traffic, keeping the link up?
  3. If the unmanaged switch does block the switchport, and since I have a voice VLAN and untagged data VLAN configured on that port, if I put the unmanaged switch behind an IP phone will it still deploy BPDU guard?

Thanks in advance for all the help I can get, since the b**s at work won't help me out with these doubts. Well, it's a cruel world. Seems at work everything GOES, to f up the partner. Regards



Port forward on Cisco ASA

Hi guys,

I have a Cisco ASA that I want to port forward through, from a public IP to a server inside, so I want users on the internet to access this server. I have made the configuration; it looks like this:

object network serverpublish
 host 192.168.2.60
 nat (FwInside,Fwoutinternet) static 1.1.1.2
access-list OUTSIDE_IN permit tcp any host 192.168.2.60 eq 443
access-group OUTSIDE_IN in interface Fwoutinternet

Is this correct? I have an interface on which public IP 1.1.1.1 is assigned so that all users inside can access the internet. So I want to use the public IP 1.1.1.2 for the port forwarding. Is the configuration above correct?

Thanks in advance!



Firewall shopping

So, we are in the market for a new FW (HA pair). I only have experience with Cisco FWs but we want to consider other vendors.

We are looking for something in the league of an ASA 5508 or baby Firepower (1010). What model would match in the Palo Alto or Fortinet portfolio? Any other recommendations?



Tuesday, February 25, 2020

Help with selection of replacement gear

Hi guys. I'm hoping you can lend me your advice on which networking gear to seriously consider for our specific use case.

Depending on your definition, we're either large SOHO or small enterprise.

At HQ we're a single floor, open plan, with about 100 people. We have two remote sites with 30 people each. Most of the staff in each site are call center reps using a cloud-based phone system (RingCentral). We are almost all PC-based and don't have particularly high network bandwidth or latency needs - typical office apps and the occasional video conference. Fairly vanilla. Not a regulated environment but we do have PCI-DSS obligations and care about security.

All the gear at each location is pretty old and ready for replacement and I'm considering my options.

At the main HQ we have 2x Cisco 5525-X firewalls and 5x very old netgear managed switches. Wifi via a Cisco controller. The other sites have mid range prosumer gear. We have some tech resources and helpdesk folks on staff but no real network people so will be using an MSP for configuration and maintenance.

Our main use cases include:

  1. Reliable, secure, fault-tolerant, and centrally manageable wired and wifi. I want a switch or firewall to be able to die and it not be a giant disruption.

  2. Separate VLANs for some of our PCI obligations.

  3. No need to connect across locations: AD is in Azure and everything else we use is cloud-based. No SD-WAN or MPLS needs etc.

  4. VPN access for a couple dozen users while on the road, to access resources which are ip-whitelisted.

  5. Security features (UTM, data exfiltration, malware protection, etc) would be a plus - though I am snake oil allergic and much of this stuff strikes me as very expensive and hand-wavy.

  6. Cost matters. Brand, not so much.

My MSP is in love with Ubiquiti solutions but I'm not familiar with them and am skeptical that they're quite robust enough for us. I'm open to having my mind changed, and I do see a lot of good stories on them.

What info did I fail to provide which matters? What would be your top choices for gear in this sort of environment?



Cisco Flexconnect in a branch site?

I have three sites connected in a redundant ring; two of them hold a significant number of APs (120) per site with one WLC in each location. The third site is a small branch that has no WLC, but it's reachable via our internal leased backbone fiber via routing. Do I need to configure FlexConnect to add four Cisco APs, or can they connect without doing so? In Cisco's documentation, I see them changing the APs from local to FlexConnect, and the diagrams show a WAN internet connection (Flex AP to HQ). How will that be possible if that location has no WLC? Will the WLC detect the APs in a different subnet?

If needed, let me know how I will go about this with Flexconnect. Any document, blog or videos will be great!!!



Simple Fiber networking question

So, I have (2) SFP switches that I want to connect to each other via fiber. Do I need to cross the fiber lines to connect the two, or just straight through? For example:

Switch 1: Patch fiber 1- Patch fiber 2
Switch 2: Patch fiber 2- Patch fiber 1

Thanks.



Strange Private IP Address on Airport WiFi?

Hey all!

Take this down if I'm posting in the wrong place, but I've currently got my phone connected to a public WiFi hotspot at an airport and my assigned IP address is listed as 100.70.24.138. As a network engineering student I was super confused by this seeing as it lies outside of the assigned private address blocks. Can anyone shed some light on this for me? I checked my PC and the address is similar. Why are the clients on this network getting assigned unusual addresses like this?



F5 Load Balancing - Request Numbers

Can anyone with experience tell me if there is a way to view some basic information about the number of requests that came into an F5 load balancer during a specific time period? It does not need to be super detailed log information, even just something as simple as x number of requests between this time and this time. A bonus if you can get data that you could plot in a graph that shows the rise and fall of requests over that period of time.

I'm working with a 3rd party that controls the environment in which I deploy an application to. He originally mentioned that he could get numbers like this, but not detailed logs about the requests. He is now backing out of that statement and is really refusing to give me a reason why other than "it just cannot be done".

It sounds like something that should be available, but I haven't found anything helpful after doing some Google searching. I just want to know if I can find some information on how to do this and pass it along to him so that I can get the information I need.

Thanks!



Forcepoint's proxy is driving me crazy.

I was hoping some folks here have had some experience with Forcepoint Triton Manager.

A few of our users want access to a website that doesn't allow them to log in unless you ARE NOT behind the proxy.

I have added the necessary URL exceptions to the proxy, and if I run a test through the proxy (AD user + URL), Forcepoint is telling me that it is allowing the exception.

Yet, when I try to log in to the website behind the proxy I get the error: "Your IP address has recently changed." If I take the proxy off? No problem, and login is fine.

Googling around for issues with permitted URLs in Forcepoint doesn't yield any helpful info, and our support contract is up.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Network Policy Server setup with Cisco ASA as RADIUS Client (IP Filtering)

/r/sysadmin/comments/f9jlm3/network_policy_server_setup_with_cisco_asa_as/

BGP peers and routes more specific than /24

I think this is mostly a straightforward question but I want to make sure I'm not being dumb. I've got a customer with a /28 and /29 asking if we can prevent their traffic from flowing over one of our peers. I can direct their outbound traffic, but for inbound no peer is going to accept an advertisement adjustment as they don't have a /24, right?

Am I missing anything?



Is there ever a good reason to use Azure VPN over OpenVPN?

We're being forced to use it and was wondering if the forced usage is legitimate or just big dick waving.

Thank you.



Question about NIC teaming and vNICs in Server 2012 R2.

Cross posting from r/sysadmin since none of them really gave an answer to the question posed.

So I have a small SAN that consists of an HP MSA with 8 host ports (192.168.0.1-8), 2 Nexus 9300s, and a Windows host with 4 10gig NICs on 2 cards. Each card has a single connection to both switches. I set up a NIC team consisting of all 4 NICs on the Windows server, then created 6 vNICs (ISCSI1-4, MGMT, and cluster). The iSCSI vNICs are assigned IPs 192.168.13-16. I have set up VLAN 1000 for all switch ports connecting the SAN as well as on the iSCSI vNICs.

After getting everything set up I was surprised to find that I could only ping half of the host ports on the MSA from any given iSCSI IP. This would be expected if only utilizing physical NICs, but I thought the LBFO on the team would be smart enough to send the packets out the correct physical ports. Is this expected behavior or do I have something configured incorrectly? If anybody could point me in the direction of where I can find more information on how teams/vNICs interact with the underlying physical hardware, that would be awesome.

Thanks in advance!



Nest Cameras behind WatchGuard Firewall issues.

For months we can't get Nest Cameras to work behind a WG Firewall.

We added exceptions to http, https, content inspection and webblocker, and added to the policy wherein all of those domains bypass the proxy.

Only way to get it to work is to whitelist ALL of Google's IP addresses. Which is a terrible idea!

Thoughts?



Cisco 350x Switch issues

When my users turn on their machines first thing in the morning they cannot connect to our network for about 1-2 minutes. After that time, they are able to connect with no problem. Is there a way to lessen this blocked time?

Additional info:

We have unmanaged/managed switches in each office space (with default configs), which I feel is part of the problem. With other switches we have used in the past, this was never a problem. I know Cisco gives you greater control on your switching fabric.



How do I connect 2 sockets in 2 different networks through Python code? A guy on another subreddit told me I must use a sort of "bridge" on a cloud server, such as a free tier server on AWS, but how do I do that?

The code I wrote is based around the idea of backdoors.
Here's the code for:

the server.py

the client.py



senior c-level asking for networking for golf course!

hi,

So, I'm well versed with internal systems, and mostly with higher end stuff. Anyone want to take a stab at this?

"I am on the board for a small local not-for-profit 9-hole golf course and I have been asked to investigate WIFI antennae for our club house and an extender/directional antenna to provide coverage at our maintenance shed that is approximately 200m away but within direct line of sight of the club house. I have done some internet research but the products are all over the place and it is difficult to figure out what would work. Would you have a recommendation on what would work that won't break the bank?!!"



Cisco 3850 running Fuji w/ excessive output drops

Recently this issue made a comeback for me and I'm wondering what to do about it. Cisco TAC helped me the first time with setting up the queues and buffers using a service policy (I'm not a packet shaping pro). Anyway, my understanding is that these output drops are coming from oversubscription on the Gig Ethernet port. How can this be when it's a gig to gig connection and it's never topped 60Mbps? Further, how does one troubleshoot or monitor for this? The dropped packets appear to be causing disconnect issues with the ESX host NIC connected to this port, but the port state on the switch never changes.



I am an event planner and a company is trying to sell me a plug and play sensor and analytics platform that can do things like estimate attendance, show crowd flow trends, average dwell time, etc based on passive MAC address scanning. Is it bs?

I am an event planner and my company puts on a fairly large St. Patrick's Day parade every year. We struggle getting good data and numbers around attendance, popular areas along the route, average dwell time in areas, and basically any consumer behavior trends that can sometimes be gleaned from access point connection data. This company approached us about accomplishing those things via a sensor that passively scans for MAC addresses and sends the address, signal strength, and time stamp to their back end system for processing and analytics. While they are not explicitly claiming they can tell us exactly how many people showed up, they are promising "data backed estimates," along with heat map analysis of peak times and dips, average dwell time spent in range, and whether a MAC was seen at one or more other sensor locations. The sensors and service are fairly low cost when compared to other people counting tech like facial recognition, so I'm not worried about getting completely ripped off. My concern comes from conflicting reports trying to research this type of data collection. With MAC randomization it seems like it could be bullshit, but at the same time the randomization doesn't seem to completely dispel their claims around showing peaks/dips, but some other things like dwell time and route trends seem to be more difficult to accomplish. However, there does seem to be a lot of doubt around how effective the randomization even is on iOS/Android, and even claims that Android manufacturers rarely implement MAC randomization in the first place. So tell me, is it bullshit or do these guys seem to have a sound product?
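As an added example (not the vendor's or the poster's code), here is a small Python analysis over constructed passive-scan observations that shows how locally administered (randomized) MACs inflate the distinct-device and route-trend counts the vendor describes; sensor names, MACs and timestamps are made up.

```python
"""Gauge what passive Wi-Fi MAC scanning can and cannot count.

Added example, not the vendor's or the poster's code. Observations are
constructed. Facts relied on: a randomized MAC has the locally administered
bit (0x02) set in its first octet, and phones rotate such MACs, so one device
can be counted several times while a stable MAC is re-identified across sensors.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    sensor: str  # sensor location that heard the probe request
    mac: str     # source MAC as reported, colon separated
    rssi: int    # received signal strength, dBm
    ts: int      # seconds since the event started


def is_randomized(mac: str) -> bool:
    """True if the locally administered bit of the first octet is set."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def dwell_times(obs):
    """Seconds between first and last sighting of each (sensor, mac) pair."""
    span = {}
    for o in obs:
        key = (o.sensor, o.mac)
        lo, hi = span.get(key, (o.ts, o.ts))
        span[key] = (min(lo, o.ts), max(hi, o.ts))
    return {k: hi - lo for k, (lo, hi) in span.items()}


def summarize(obs):
    """Per sensor: distinct MACs, how many are randomized (may rotate, so not a
    reliable device identity), and how many were also heard at another sensor."""
    by_sensor = defaultdict(set)
    for o in obs:
        by_sensor[o.sensor].add(o.mac)
    out = {}
    for sensor, macs in by_sensor.items():
        elsewhere = {m for s, ms in by_sensor.items() if s != sensor for m in ms}
        randomized = sum(is_randomized(m) for m in macs)
        out[sensor] = {
            "distinct_macs": len(macs),
            "randomized": randomized,
            "stable": len(macs) - randomized,
            "also_seen_elsewhere": len(macs & elsewhere),
        }
    return out


# Constructed sample: one phone with a stable MAC heard at both sensors, and
# randomized MACs that may or may not be the same phone (the scanner cannot tell).
SAMPLE = [
    Observation("start", "3c:22:fb:11:22:33", -61, 0),
    Observation("start", "3c:22:fb:11:22:33", -58, 600),
    Observation("start", "da:a1:19:00:00:01", -70, 0),
    Observation("start", "6e:00:00:00:00:02", -66, 300),
    Observation("float_2", "3c:22:fb:11:22:33", -63, 1800),
    Observation("float_2", "6e:00:00:00:00:02", -72, 1900),
]

if __name__ == "__main__":
    for sensor, stats in summarize(SAMPLE).items():
        print(sensor, stats)
    print(dwell_times(SAMPLE))
```

Only the "stable" count is a lower bound on physical devices; the randomized share is the part of the vendor's estimate that cannot be checked.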



BGP border router for IX's/peering

Hello!

I'm searching for a replacement for my current BGP router used for sessions with IX-es and peerings. Now we use a Cisco 6500 with VS-S720-10G sup. We have almost reached the limit on CPU and TCAM. I'm looking at Juniper MX and Cisco ASR for this purpose, but maybe other vendors have interesting options?

We need mostly BGP functionality, 4+ 10GE ports, and 500K or more prefixes.

Thanks!



Detect ICMP Connection Process

Hi,

My firewall detected a lot of ICMP toward different IPs from my Exchange servers and I want to know what process is causing these connections.

Is there any way to find which process is initiating ICMP connections (Windows)? I tried all the possible ways I know and searched for more, but with no results :(

Can anyone help me with this ?



SFP Model/Type for Cisco Switch

Hi to all,

I have a Cisco SG500 switch and I want to connect it to a 9300 series switch.
I have an OM4 multimode fiber line.

May I ask what type/model of 1Gb Cisco SFP I need to use for my SG500 switch and 9300 core switch?

Thank you



Please advise me what to do after my degree.

Need advice from you!
I live in Sweden, and I will finish my bachelor degree in June. I am 35 years old. Currently I'm working for a company that handles an ISP's configuration of Cisco routers and switches. I have been working here for 15 years. And we only delete the IOS and add the newest IOS to these switches. Then the ISP sends a unique startup-config for each router/switch, and we copy/paste that config to each router.
I wanted to develop, because I started to like the config files and tried to understand them and all the commands (BGP, QoS etc).
So now I have taken CCNA and soon my degree (computer engineering - network).

What should I do when I finish university? What type of job should I approach? Here in Sweden there aren't a lot of network engineering jobs, but there are plenty of NOC jobs.

Is NOC a good job? Please advise me, because I'm confused what to do.

Thanks in advance!



Monday, February 24, 2020

Help identify whether it's a Cisco APIC L2 server or not and its price!!!

I have a Cisco device and as per my understanding it looks like an APIC L2 server (brand new), but I am not sure. So, I need some help to confirm the same and the market value of the device. Here are the details:

  1. Label on the device says 'Apic L2'
  2. Hard Drive: USC-HD12TB10k12G 12 Gbps 10k SAS 1.2 TB and N20-BBLKD
  3. Model - UCS C220 M4
  4. Product - Server
  5. Two Ethernet interfaces - ETH 1-1 and ETH 1-2
  6. Cisco 770W AC Power Supply
  7. Cisco USC-SD400GSAS3EP/ 400GB

I am happy to share more information and if needed pictures



Catalyst 9500-24Y4C Core with virtual stacking design question

Hi everyone, we will be replacing our current core (4900M) and layer 2 switches (3750X) with C9500-24Y4C with advantage license and same for the L2 switches with another pair of C9500-24Y4C with essentials license. Currently we are doing HSRP on the cores for all SVI's. I was looking into doing stackwise virtual on the new cores instead to try to eliminate spanning-tree so wanted your opinions if that is something you recommend. Also, for the new L2 switches, since they don't have the advantage license I will need to set those up as standalone switches connecting back to the core so my question is that servers connecting to these will have one link going to each so will that cause any layer 2 issues since there isn't going to be any spanning-tree config? Thank you.



Screwed up switch



BGP Design Critique / Questions

Apologies in advance, this is a long one. I have an opportunity to do a (relatively) green-field BGP deployment for a small data center environment (3 locations, smallest 2 racks, largest 6 racks). I say relatively because it's one net-new greenfield deployment, and 2 existing locations that will need to be retrofitted. Those two locations, however, currently only leverage BGP to peer with ISPs, receive a default route, and announce one /24 per site. I've settled on what I think is the approach I want to take, and am looking for people to shoot holes in the design (be gentle) / offer suggestions and answer a couple of questions. So here goes...

Each site has two ISP-facing routers (Cisco ISR 44xx line), each peering with 2 ISPs, which connect into a pair of public switches to aggregate router / firewall / VPN concentrator connections. The new location will be running in a leaf/spine design with VxLAN and EVPN (overkill, perhaps, but it's the proof-of-concept to roll to other locations), but this isn't really what I want to focus on. It's relevant only because what would otherwise be the "public" switches will be doing double duty, serving as 'spines' between the two cabinet ToR's and exit switches to the ISP routers. The exit switches will be the default gateway for the publicly routed /24 that each site has. To this end, I'll be running a 'wan' VRF for the WAN routing. There's also a VPLS circuit in the mix to provide connectivity between the three locations, which I plan on terminating into the aforementioned exit switches.

Since a picture is worth a thousand words...

https://ibb.co/8DBXmGn

Let's assume AS 1234 is our public ASN, and 80.80.80.0/24 is the public IP block for this site.

  • Exit switch 1 and 2 each peer with the corresponding router
  • One of the exit switches (since it's single hand-off) will peer with the exit switches in the other locations via the VPLS circuit
  • Exit switch 1 and 2 each have a static null0 route for 80.80.80.0/24, and announce that subnet to the routers, as well as the other locations via the VPLS circuit
  • Exit switches at other sites will send their local public subnets across the VPLS
  • The routers advertise a zero route to the exit switches
  • The routers receive a zero route from the ISPs along with, possibly, ISP customer subnets
  • The exit switches advertise a zero route to each other, but with a lower local preference, to ensure that if a given switch loses its upstream router that it still has connectivity, but that the direct router / ISP connection is always preferred

I think that covers the highlights, so aside from general feedback, a few targeted questions:

  • Ideally, the routers will only announce a zero route to the exit switches if they themselves actually have a zero route, so that traffic is not blackholed. What's the best way to do this? neighbor x.x.x.x default-originate route-map <whatever>?
  • I'd like to take this opportunity to implement community strings, mostly so that they're already in place should I want to do anything with them down the road. I have - I think - a pretty good idea of how I want to lay them out, for example:
    1234:0 - Global, received from any ISP (for example, a zero route or ISP customer route)
    1234:1 - Global, originated by any exit switch (for example, 80.80.80.0/24)
    1234:2 - Global, received across a private WAN circuit (i.e. VPLS)
    1234:100 - Networks originating in site 1
    1234:101 - Networks originated by the exit switches, in site 1
    1234:102 - Networks sent across private WAN from site 1
    Rinse and repeat x00, x01, x02 for each site. Thoughts? Presumably I'd want to add these communities as close to the source as possible. So if, for example, the network 80.80.80.0/24 is announced via the network keyword, appending a route map there to add 1234:101 as well as 1234:1? And an outbound route-map for any VPLS peers to append 1234:2 and 1234:102?
  • I've started working with the idea that anything "WAN" facing would leverage the public ASN, and anything internal (i.e. the fabric) would leverage a private ASN. Where does it make sense to draw that line? Should the routers vs. the exit switches be the "inner most" AS 1234 devices?

If you've made it this far, thank you! I'm looking forward to any thoughts you may have!



Connect to my self-hosted website from inside my home network

So there are two main ISPs here where I live. I've gone back and forth a couple times. And now I'm back to the one where I can't connect to the domain I own from inside my local network.

i.e. I own example.com and am serving up Plex and other things at thing1.example.com and thing2.example.com.

I can reach it no problem from work etc., but at home, no dice.

Apparently some ISPs allow this local loopback(?) and some don't.

I'm not even sure what the terminology is for the use case to google it.

Previously I was advised to use a $5 droplet as a proxy server, which I did for a few years, until I switched ISPs and didn't need to anymore. Fast forward to now, and I switched ISP again, meaning I need to set up a proxy again, or figure out a simpler/cheaper solution, because I don't see the point of spending the $5 extra.

thanks for any help



What does L/A 500 mean on the Ubiquoss equipment?

There are 24 ports and 3 ports say L/A 500. What does it mean?



Stratum 1 ntp appliances. What's your pick?

Long story short, our stratum 1 took a dump on us today, so I need to get some options.

Stratum 1, satellite fed preferred.



Cisco Trunk/Access Ports and Spanning-tree

tldr: I had a trunk port connected to a switchport for 4 days before it erred out and then after it erred out due to spanning tree, I still had link. Why would this work for so long?

Had a weird issue at the office today. To give some background, my company recently moved into office space that is shared with our data center. This data center has a 100G fiber ring around the town, and we have several VLANs on this ring that run to our rack, one for each of our customers that is on the ring, allowing us to get traffic from their network to ours without touching the internet. When we moved into this office space, we worked with them to split off another VLAN for our offices, so that we could access our own fiber ring around the city. The way it was set up is that the Ethernet jacks in our offices would be access ports on the data center's switch on VLAN X, and then that VLAN would be trunked back through their switch stack to the LAG or port channel that goes to our rack. When we moved in last Thursday, we configured a Cisco 3750 POE (just what we had laying around) with the uplink port as a trunk port, and the remaining ports as access for whatever equipment we would need to plug in. All day Thursday and Friday there were no issues with this setup, and up until around 9:30 or so this morning, everything was fine. Then, we lost connectivity to our rack. Opened a ticket with the data center and spent a couple hours troubleshooting my own equipment. After I concluded that the issue was not to do with my own equipment, because I had link on every port that was connected to something, I sat waiting for the data center to answer the ticket. Around 3pm or so, they finally got back to us saying that they found that their port was erred out because of a spanning tree problem and that the problem was on our network. My first thought was: we don't have any loops on our network, none of our switches threw a spanning tree error, and if their port is erred out, shouldn't we not have link? Then they emailed over the actual error messages from their switch, and it shed some more light:

*Feb 24 08:53:16: %SPANTREE-SP-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernetA/Z VLANX
*Feb 24 08:53:16: %SPANTREE-SP-7-BLOCK_PORT_TYPE: Blocking FastEthernetA/Z on VLANX. Inconsistent port type.

So now I realize that the issue is because their ports are configured as access and ours are configured as trunk. Personally, I don’t have the technical knowledge to understand why this makes a difference to spanning tree, but I understand enough to see that this is the problem. Once changing our switch uplink ports to access and essentially turning our 3750s into dumb switches, we got connectivity back. Here’s what I’m having trouble understanding: why did this work just fine for 4 or so days and why did I still have link on my ports if the other end of the link was erred out?
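As an added example, not from the original post, a Python checker that parses the two %SPANTREE message types quoted above out of a constructed syslog sample and reports the ports blocked for an inconsistent port type; the interface and VLAN names in the extra sample lines are made up.

```python
"""Flag spanning-tree port-type inconsistencies in Cisco IOS syslog output.

Added example, not code from the original post. The two message formats
(%SPANTREE-...-RECV_1Q_NON_TRUNK and %SPANTREE-...-BLOCK_PORT_TYPE) are the
ones quoted in the post; the log sample below is constructed.
"""
import re
from dataclasses import dataclass

# One pattern per message type. The facility infix (e.g. "SP-") is optional
# because some platforms log the message as %SPANTREE-7-... instead.
RECV_RE = re.compile(
    r"%SPANTREE-(?:\w+-)?\d-RECV_1Q_NON_TRUNK: Received 802\.1Q BPDU on non trunk "
    r"(?P<port>\S+) (?P<vlan>VLAN\S+)"
)
BLOCK_RE = re.compile(
    r"%SPANTREE-(?:\w+-)?\d-BLOCK_PORT_TYPE: Blocking (?P<port>\S+) on (?P<vlan>VLAN\S+)\. "
    r"Inconsistent port type"
)


@dataclass(frozen=True)
class PortTypeEvent:
    port: str
    vlan: str
    kind: str  # "recv_1q_non_trunk" or "block_port_type"


def parse_spantree(lines):
    """Return a PortTypeEvent for every syslog line matching either pattern."""
    events = []
    for line in lines:
        m = RECV_RE.search(line)
        if m:
            events.append(PortTypeEvent(m["port"], m["vlan"], "recv_1q_non_trunk"))
            continue
        m = BLOCK_RE.search(line)
        if m:
            events.append(PortTypeEvent(m["port"], m["vlan"], "block_port_type"))
    return events


def inconsistent_ports(lines):
    """Map each (port, vlan) that both received a tagged BPDU on an access port
    and was blocked to a one-line explanation.

    The block is a per-VLAN spanning-tree state, not a physical shutdown, so
    the link LED and the neighbour's "link up" stay as they were; only
    forwarding in that VLAN stops.
    """
    kinds_seen = {}
    for ev in parse_spantree(lines):
        kinds_seen.setdefault((ev.port, ev.vlan), set()).add(ev.kind)
    report = {}
    for (port, vlan), kinds in kinds_seen.items():
        if {"recv_1q_non_trunk", "block_port_type"} <= kinds:
            report[(port, vlan)] = (
                f"{port} is an access port in {vlan} but the neighbour sends "
                f"802.1Q-tagged BPDUs (trunk); {vlan} blocked, link stays up"
            )
    return report


# Constructed sample: the two lines from the post plus unrelated noise and a
# RECV line with no matching BLOCK, which must not be reported.
SAMPLE_LOG = [
    "*Feb 24 08:53:16: %SPANTREE-SP-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernetA/Z VLANX",
    "*Feb 24 08:53:16: %SPANTREE-SP-7-BLOCK_PORT_TYPE: Blocking FastEthernetA/Z on VLANX. Inconsistent port type.",
    "*Feb 24 08:53:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/5, changed state to up",
    "*Feb 24 08:54:01: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk GigabitEthernet1/1 VLAN200",
]

if __name__ == "__main__":
    for key, why in inconsistent_ports(SAMPLE_LOG).items():
        print(key, "->", why)
```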



Extreme Fabric - SPBM

I'm just kicking off a huge project of implementing Extreme's Campus Fabric, or as it used to be called, Avaya's SPBM Fabric. Throwing out STP and excited for it!

Anyone have any experience or good pointers? We have a great VAR team, but time is money.

It seems pretty straightforward, and I'm cruising through putting my base configs together, but now I'm at a decision point of using XMC (Extreme's central management center) to manage everything via a GUI, or relying on the CLI.

Problem is, gut says XMC for the orchestration piece, but it's not the most intuitive of programs, and it feels like there is still some time needed in the oven for the fabric module they bolted on to cook.

Thoughts, stories, advice?



Mostly positive reviews for Cisco FTD?

I'm well aware of some of the posts on here about the headaches with Cisco Firepower (FTD & FMC). It sounds like most people here recommend against it, but looking elsewhere for reviews through Google (like Gartner), all the comments are overwhelmingly positive. How could this be? Are the other review sites filtering out bad reviews? Are users/reviews on Reddit here inaccurate?

Back story is management just decided on the replacement of our Palo Altos with FTD 4120s and I'm worried.



Cisco ASA AnyConnect VPN w/ AAA Certificate Authentication

Hello all, I have a general question that I can't seem to find the answer to even when dealing with Cisco TAC.

I have an ASA configured for AnyConnect VPN and the connection profile is set up for AAA as the authentication method to a Cisco ISE server. I match on PAP ASCII AuthC rule in ISE from my internal users. This works fine.

However, when I switch to certificate as the authentication method and specify ISE as the AAA server group on my ASA, I never see any RADIUS logs during the connection and the client fails to connect. I've issued certs to my client. So, my question is: can an ASA act as an EAP passthrough for certificate authentication, where the ASA would simply forward the RADIUS authentication packets and certificate to ISE in the same way a WLC would for EAP-TLS?



Network traffic flow visualisation

Hey all,

Wondering if anyone has used or made a network traffic flow visualisation tool? A bit like Netflix's Vizceral?

Essentially looking at defining some core nodes and visualising the traffic in/out of the WAN interfaces and interlinks to show failover taking place.



Dell Force10 Fibre Channel switches on vSAN going end-of-warranty 7 months into my new job ...

I came into an environment that's having a lot of devices going end-of-warranty/support, and I've discovered that there are many companies offering troubleshooting/replacement parts support contracts for EOS Cisco switches. Our old, discontinued iWatsu phone system is also being supported by a third party vendor. I'm trying to find out if anyone has had luck with third party support for Dell Fibre Channel switches or other vSAN/storage equipment? Extended warranties directly from the vendor are super expensive ...



Cisco Business class routers - 2 reviews recently - what do you think

Just saw 2 reviews on Youtube of a Cisco Small Business class router (RV345). Pretty impressive. What do you think? Reviews are fairly thorough.

https://www.youtube.com/watch?v=hndMumGZjvk

https://www.youtube.com/watch?v=8QnxyTFlSoA



IP Sla using DNS hostname

Wanted kind of a sanity check. Whenever I use the following config for my SLA it converts the hostname to an IP in the config. The google.ca is just an example, but I was intending on using a DDNS name as I can't get a static IP on one of our lines.

Can you use the following config, and will it update the IP address?

  ip sla 4
   icmp-echo google.ca source-ip 10.27.1.2
   timeout 10000
   frequency 10



Building a Network in an old church being rehabbed into a boutique hotel

Thinking of using ubiquiti products.

1x 5- or 6-pack of UniFi UAC PRO APs

1x 24 Port PoE UniFi Switch (250/500 watt) - still not sure which wattage I'll need, but with 5 or 6 access points at max wattage... I still don't know how much wattage the access points can pull (yes, I will google for this)

UniFi USG

The owner lives in an adjacent building. I'm just trying to figure out how to divide the network between the customer's home and his business.

Anyone use Ubiquiti out there who knows how I should create SSIDs to give him two separate SSIDs with separate ranges using one internet connection? I suggested he get a second internet connection from a competitor so he would have a fallback connection from a different provider. I was thinking the Ubiquiti for the business and an easy to manage mesh system from Amazon (Eero/Linksys Velop/Netgear Orbi etc.) for the home. I would just use the Ubiquiti network for the whole house and business if I knew for sure that I could set up separate networks for the home and business.

Mostly looking to just prattle on with some of you about my choice of systems and to discuss things like SSID LAN issues and possibly Network cable grade. I was planning on using CAT 6 and was wondering if people consider going above CAT 6 as overkill for this project.

thank you in advance for any advice!



Disaster recovery site networking and EIGRP.

The company I work for has multiple sites which connect back to our corporate hq via GRE tunnels over IPSec VPN tunnels. A hub and spoke design. This has worked great for years.

We're looking to set up a disaster recovery site. All servers are virtualized using VMware.

My plan is to set up a similar configuration to the one used at our other sites, using a GRE tunnel for the replication and management of the DR site. We are replicating our production servers but want to segregate the DR production servers from the network. I could use a separate router for this scenario but feel that there is a more efficient way of accomplishing this using the existing router which is used for the replication and management GRE traffic.

I plan to set up failover IPSec and GRE tunnels to the DR production servers, but since both the management and DR production subnets are on the same router, I don't want EIGRP to advertise the DR production IPs unless the failover routing is activated.

I hope this makes sense.

Here's a basic diagram.



FYI: The new Cisco Continuing Education portal is up and active for all certification holders as well as a few new classes



Network Mapping

Hi guys,

Does anyone know if there are some free interactive network mapping tools that show traffic flows in real time?



A couple of newbie questions about RSTP

Hi there. This is my first time configuring this sort of network and I am just struggling to grasp a couple of specific concepts, and I was hoping someone might be able to shed some light on them.

I am configuring a set of Aruba switches, which are grouped into a core stack plus three separate access switch stacks. Each access stack is linked to the core using 2x10Gb fibre running LACP. We are going to have a number of VLANs to separate traffic destined for different destinations and security levels.

I am currently trying to work out the best way to configure spanning tree on these switches. My primary goal with spanning tree is to block accidental loops. Both the old school broadcast storm kind, but I also want to ensure that someone can't accidentally bridge two separate VLANs together.

Given this, my questions are:

  1. How does RSTP interact with VLANs? Does it send and receive BPDUs over newly connected ports regardless of what VLAN is set on it? Does it only send BPDUs over the untagged VLAN on a port? What happens if there are no untagged VLANs on a port?

  2. How does RSTP interact with LACP trunks? Does it just count it as a single link?

  3. Will RSTP block ports if I connect say a port untagged VLAN10 and a port on the same stack untagged VLAN20 together?

Any help would be much appreciated. Thanks.



Vlan from cisco to HP 1820 not working

Hi all,

I have moved my home office to an office building.

Switches are managed by an IT company. From the IT company we get an IP address on VLAN xx to connect the server (dynamic IP range, gateway, DNS and static IP).

Since the switches are Catalyst 2960+ switches they operate at 100Mb.

My server is a DL160 Gen 10 with an HP 368i, and since they don't support 100Mb I've attached an HP 1820 switch. But I can't seem to get the connection up on the HP switch.

Anyone here have an idea how I can get the switch sharing the internet from the cisco?



Xfinity 600mbps internet. What would be a good router/modem to get?

I hear the Xfinity router is garbage, so I'm looking to get my own. What is recommended for a 1800 sq ft home?



Sniff TCP Raw Data

Hiya. I'm trying to dump just raw TCP data in readable format by using tcpflow and tcpdump, but have not been successful yet. Anyone with experience?



NAT Question: Outside to inside destination address change

On this network (https://i.imgur.com/IM1cLZP.png) I'm attempting to set up NAT on vIOS1 so that any packet with a destination of 192.168.1.X/24 coming from the 172.16.0.0/24 network is translated to the destination of 192.168.0.X/24 with the same host portion of the address. I've already set up the NAT rule in one direction with match-host without issue but can't seem to find the commands to go the other way. I've attempted a few different configs but I always end up with destination unreachable when pinging from 172.16.0.2 to 192.168.1.2. Is there something I'm missing?



Pfsense/Squidguard?

I was looking into pfsense and Squidguard and was wondering if any other medium to large companies are using it and if there were any thoughts on it? Thinking of using it as a backup firewall/web filter...



We use a tplink range extender at home, and my phone internet won't work on the extended wifi. What's the problem?

We have a range extender, all other devices are working awesome. Except my phone which connects and then shows an exclamation sign.



Edgerouter Infinity + Unifi Switch 48 vLAN

Evening all,

sorry if this is the wrong place!

I'm currently setting up my Edgerouter and unifi switch and I've hit a brick wall!

Edgerouter is currently configured so 0.0.0.0/0 is routing through eth1.

eth2 is currently set up and using 192.168.2.1/24 with DHCP on the Edgerouter, and works fine!

eth2.20 is currently set up with vLAN 20 (10.0.20.1/24 - DHCP server on the Edgerouter).

I created a network vLAN-Only on the UniFi switch as vLAN 20 and assigned that network to Port 2 on the UniFi switch, but I lose internet on the device it's connected to and I'm unable to ping the gateway (10.0.20.1). As soon as I change it from vLAN 20 to ALL, it begins to work with no issues on the 192.168.2.1/24.

It is worth mentioning we are not using a USG.

I'm missing something, but I'm not sure what it is! I'm officially fried! Sorry!