Saturday, April 11, 2020

Ubiquiti: EdgeMax or UniFi?

So what's the difference between Ubiquiti's UniFi equipment and their EdgeMax equipment? Is one better than the other?



Is there a part of DHCP that registers hostnames for a local DNS server?

I have a DNS server running on a piece of hardware (home AIO router) but this could be any piece of hardware. It allows me to reach other UNIX machines on the network via their hostname; presumably by simply registering them via DHCP or something.

I am familiar with Bonjour and friends, but I don't think that's in play here.

I tried finding extensions and reading the RFC, but I can't find anything that lets people register their hostnames via DHCP.

Is that a thing?
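An added example, not from the original post, of the two DHCP options that carry a client's name: option 12 (Host Name, RFC 2132) and option 81 (Client FQDN, RFC 4702). DHCP servers that do dynamic DNS (dnsmasq, ISC dhcpd, the Windows DHCP server) read these from the lease and publish an A record, which is what makes UNIX hosts reachable by name behind a home router. The packets below are constructed in the script itself, and the `.lan` domain is an assumed value.

```python
import ipaddress
from typing import Optional

# DHCP option codes that carry a client's name.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE = 53
OPT_HOST_NAME = 12      # RFC 2132 "Host Name": a bare, unqualified name
OPT_CLIENT_FQDN = 81    # RFC 4702 "Client FQDN": name plus DDNS update flags
OPT_PAD, OPT_END = 0, 255
FQDN_FLAG_S = 0x01      # client asks the server to register the A record
FQDN_FLAG_E = 0x04      # name is encoded in DNS wire format, not plain ASCII


def parse_options(payload: bytes) -> dict:
    """Parse the option area that follows the 236-byte BOOTP header.
    Returns {code: raw_value}; stops at END and skips PAD bytes."""
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i, opts = len(MAGIC_COOKIE), {}
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def decode_dns_name(data: bytes) -> str:
    """Decode a DNS wire-format name (length-prefixed labels, no compression)."""
    labels, i = [], 0
    while i < len(data) and data[i] != 0:
        n = data[i]
        labels.append(data[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


def client_names(opts: dict) -> dict:
    """Pull the hostname (option 12) and/or FQDN (option 81) out of parsed options."""
    names = {}
    if OPT_HOST_NAME in opts:
        names["hostname"] = opts[OPT_HOST_NAME].decode("ascii")
    if OPT_CLIENT_FQDN in opts:
        raw = opts[OPT_CLIENT_FQDN]
        flags, name = raw[0], raw[3:]       # flags, rcode1, rcode2, then the name
        names["fqdn"] = (decode_dns_name(name) if flags & FQDN_FLAG_E
                         else name.decode("ascii"))
        names["fqdn_flags"] = flags
    return names


def dns_record_for_lease(opts: dict, leased_ip: str, domain: str = "lan") -> Optional[tuple]:
    """The A record a DDNS-capable DHCP server would publish for this lease.
    Prefers the client's own FQDN; otherwise qualifies the bare hostname with
    the server's local domain ("lan" is an assumed value)."""
    names = client_names(opts)
    if names.get("fqdn"):
        fqdn = names["fqdn"]
    elif names.get("hostname"):
        fqdn = f"{names['hostname']}.{domain}"
    else:
        return None
    return fqdn.lower(), str(ipaddress.ip_address(leased_ip))


def build_options(hostname=None, fqdn=None, fqdn_wire=True) -> bytes:
    """Construct a DHCPREQUEST option area for testing (constructed sample data)."""
    out = bytearray(MAGIC_COOKIE)
    out += bytes([OPT_MESSAGE_TYPE, 1, 3])  # 3 = DHCPREQUEST
    if hostname:
        h = hostname.encode("ascii")
        out += bytes([OPT_HOST_NAME, len(h)]) + h
    if fqdn:
        if fqdn_wire:
            name = b"".join(bytes([len(label)]) + label.encode("ascii")
                            for label in fqdn.split(".")) + b"\x00"
            flags = FQDN_FLAG_E | FQDN_FLAG_S
        else:
            name, flags = fqdn.encode("ascii"), FQDN_FLAG_S
        out += bytes([OPT_CLIENT_FQDN, 3 + len(name), flags, 0, 0]) + name
    out += bytes([OPT_END])
    return bytes(out)


if __name__ == "__main__":
    samples = ((parse_options(build_options(hostname="build-box")), "192.168.1.42"),
               (parse_options(build_options(hostname="nas", fqdn="nas.home.arpa")), "192.168.1.7"))
    for opts, ip in samples:
        print(client_names(opts), "->", dns_record_for_lease(opts, ip))
```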



A simple question with frustrating Google results...

Hey guys, hope I am not breaking any rules, but I am getting network tutorials and basic router setup answers to my question. I am trying to broadcast an open WiFi signal for guest access, preferably with a landing page. Do I need another router as a gateway? I am a programmer, not a network specialist. Sorry if it isn't worded correctly. I am on Windows 10. Trying to avoid using my computer as the hotspot if possible, but I cannot seem to be able to change my router settings to make only the 2.4 GHz signal open so I can use the 5 GHz band.



(CSF) I can't detect the IP of each incoming connection; it shows me my WAN IP for everyone!

It turns out that on the PC of the "physical firewall" I have CSF installed to control all incoming traffic, and from there I route the ports to different applications located on other machines in the rest of the LAN.

It turns out that the IPs of all the clients that connect to these applications on different ports and machines of the LAN all appear with our WAN IP and different connection ports.

Does anyone know what I am forgetting to configure to be able to get this vital information for user control? I suppose that if they ban one user by IP, they ban everyone, including ourselves (the latter I suppose).

And honestly, it would not be an optimal solution at this stage of the project to try to ban by methods other than IP, since each application is managed in a totally different way and it would take us months to develop some system of banning by MAC and other methods, etc.

I hope for ideas!
Thank you



HP RGS remote video editing VPN solution

Hey guys,

Are any of you managing a VPN so video editors can edit from home on HP's RGS solution? What is your experience like with dual monitors vs a single monitor?

We have a few editors having some problems with lag or pixelations. The internet on both sides is good. The latency and the bandwidth are good.

Our VPN seems good. It gets around 50Mbps per thread. So if I do an SMB speed test I get around 50Mbps, and if I do an FTP transfer across ten threads I get around 300Mbps.

I'm wondering if the way the VPN seems to bottleneck on a single thread has anything to do with the lag. The editor has 1 gig up and down and so does the office, so it's not bandwidth.

I can see that the bandwidth uses around 30Mbps per user. So I’m a little hesitant to blame the VPN.

Anyway, I just want to know what your experience is with RGS.

-MudKing



[Idea validation] Cloud-based Mininet platform - Would you join it?

Hey folks,

Does anybody here use Mininet? Would you be interested in a SaaS app that would be a cloud-based platform for Mininet, where you could run and debug your Mininet scenarios?

Does this make sense? If so, what features would you like it to have?

Would you join such a platform? If so, would you pay a monthly fee to use it? I just had this idea and wanted to check what the market wants before building anything.

Thanks!



I did something stupid and need help!

/r/homelab/comments/fz7qfg/i_did_something_stupid_and_need_help/

Help w/ Case Study VLSM

Networkers,

My partner and I are struggling to get through our CCNA final case study project. We've reached out to our online professor multiple times for this same issue and she gives us back one liner replies which haven't shown effort or offered any real advice, so here we turn to you advanced vets for guidance.

The project regards building out a network design for a fictitious company which has the following requirements:

  • 22 employees in the Research and Development group.
  • 10 employees in the Sales and Marketing group.
  • 8 employees in the Administration group.
  • 6 employees in the remote sales office.
  • Lifetime Max of 6 servers on separate subnet, regardless of company growth.
  • Use subnet 210.210.200.0 /30 for connection to the Internet router.
  • Use public class C network 222.0.0.0 for internal addressing.
  • Use VLSM for IP addressing.
  • Expect 100% growth of current IP requirements when determining size of subnets.
  • All networking devices must have IP addresses

So to account for the 100% growth rate in each of these departments, we created the following VLSM schema: (imgur links to a table covering the network address ranges and subnets)

https://imgur.com/QdBa7z8

So great... now we think what we have is the proper addressing scheme for this company's network and we're looking to pop into Packet Tracer to build this layout. Upon configuring the routers, though, we're getting an error stating that our networks are overlapping with the networks given to interfaces on the other side of the router. Here's a picture of what I'm talking about: (imgur links to a screenshot of our Packet Tracer build and the CLI of router #5, on which we are getting the aforementioned error.)

https://imgur.com/xPQq6ic

So we sent our professor 2 different e-mails asking for help with this issue and got the following response:

"When setting up ips start with the most needed to the least." and "the .131 is not a valid network."

Truthfully, I'm not sure if that makes sense to any of you, but it didn't help me at all whatsoever; not even a hint of an idea came from these replies. We've already spent collectively 6 hours on this phase of the project and haven't been able to build this network. We've tried changing up our VLSM schema, but no matter how we have it set, we get errors just like this.

If any of you have any input or suggestions, they would be GREATLY appreciated, as my partner and I have pretty much exhausted all of our resources and our professor does not seem to want to put in the effort to help us.

Thanks so much for all your time,

-Tony!
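As an added worked example (not part of the original post), the script below takes the requirement list above, doubles each group's host count for the stated 100% growth, allocates subnets largest-first out of 222.0.0.0/24, and then checks a hand-made table for the two errors that Packet Tracer and the professor's hint are pointing at: a network address with host bits set (the ".131") and subnets that overlap. It assumes the server subnet and a single HQ-to-remote router link take no growth, and leaves the 210.210.200.0/30 Internet link out since that one is already fixed.

```python
import ipaddress
import math

# Host counts taken from the case study's requirement list. The HQ-to-remote
# WAN link is an assumed extra entry (two router interfaces), since all
# networking devices must have addresses too.
REQUIREMENTS = {
    "Research and Development": 22,
    "Sales and Marketing": 10,
    "Administration": 8,
    "Remote sales office": 6,
    "Servers": 6,                 # lifetime max of 6, so no growth
    "HQ-to-remote link": 2,       # assumed point-to-point link
}
NO_GROWTH = {"Servers", "HQ-to-remote link"}
GROWTH = 2.0                      # "expect 100% growth" => double the count
BASE = ipaddress.ip_network("222.0.0.0/24")


def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix length whose usable host count covers `hosts`."""
    needed = hosts + 2                      # network + broadcast addresses
    host_bits = max(2, math.ceil(math.log2(needed)))
    return 32 - host_bits


def allocate(requirements=REQUIREMENTS, base=BASE, growth=GROWTH, no_growth=NO_GROWTH):
    """Allocate VLSM subnets largest-first out of `base` ("start with the most
    needed to the least"). Largest-first keeps every block aligned to its own
    size, which is exactly what makes an address like .131 invalid as a network."""
    sized = []
    for name, hosts in requirements.items():
        planned = hosts if name in no_growth else math.ceil(hosts * growth)
        sized.append((prefix_for_hosts(planned), name, planned))
    sized.sort()                            # lower prefix length == bigger block
    cursor = int(base.network_address)
    plan = []
    for prefix, name, planned in sized:
        block = 2 ** (32 - prefix)
        cursor = -(-cursor // block) * block      # round up to a block boundary
        net = ipaddress.ip_network((cursor, prefix))
        if not net.subnet_of(base):
            raise ValueError(f"{name}: {net} does not fit inside {base}")
        plan.append((name, net, planned))
        cursor += block
    return plan


def check_table(table):
    """Validate a hand-made table of (name, 'addr/prefix') entries, the way a
    router refuses an interface address: flags network addresses with host bits
    set and subnets that overlap an earlier entry."""
    problems, seen = [], []
    for name, cidr in table:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"{name}: {cidr} is not a valid network address")
            continue
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {other_name}: {other}")
        seen.append((name, net))
    return problems


if __name__ == "__main__":
    for name, net, planned in allocate():
        usable = net.num_addresses - 2
        print(f"{name:26} {str(net):18} planned hosts {planned:3} usable {usable}")
    # A constructed table with the two classic mistakes: a misaligned network
    # address and a subnet carved out of space already given to another group.
    bad = [("R&D", "222.0.0.0/26"), ("Sales", "222.0.0.64/27"),
           ("Admin", "222.0.0.131/27"), ("Remote", "222.0.0.80/28")]
    for problem in check_table(bad):
        print("problem:", problem)
```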



Can I make my own GPON network with ONT and OLT sfp modules?

I have some GPON ONT sfp modules, and I know they behave like normal Ethernet SFP modules, as I'm using one in a switch to replace my ISP's router. I also have some optical fiber and I saw that GPON OLT sfp modules are sold on eBay and they are not expensive. What I don't understand is if I have to use those modules with dedicated hardware, or if I can just plug them in a switch like I did with the ONT module. Can anybody clarify?

I'd like to build my own little GPON network. I know it's not very useful in practice, but I just want to understand the technology.

Thanks!



How do you delineate between network engineering and network administration?


Bell Canada - 3rd party routers

Hi all,

I was hoping by any luck that there are some other people in my boat here that might be able to help me out.

At my office we have a fibre connection from Bell using their R3000 model, and it does the job internally, but now I need to be able to remote in from home, so I picked up a Cisco RV042G to have the router act as a firewall in order to leverage some of the VPN/PPTP capabilities so I can remote in from home. This has been nothing but pain and Bell support has not been able to help.

The issue I am running into is that I can place the router in the Advanced DMZ list so the router can pick up the WAN address. This works fine; the router picks up the same WAN IP as the modem, so I thought I was good at this point. I went ahead and enabled PPTP and set up an account, but cannot make the connection.

To further troubleshoot, I was not able to reach the default gateway from the router; all pings fail. So is it something I am doing wrong here, or is this a limitation with Bell equipment?



Access Points not working | PT Lab

Hi all,

I hope you are all safe!

I am having some difficulties setting up access points in my lab. I am working in Packet Tracer and I have a Wireless Controller 2504 which is connected to a SW. I already set the management IP on my controller and logged into it to create a Sample Guest SSID (I am not the best in wireless, btw). On the other side I had one access point (lightweight) connected to another SW; the port connected to the SW is on VLAN 100 (AP VLAN) and the controller is set to be in the IT VLAN (I do have inter-VLAN routing, so everything is pingable).

Logging into my controller seems fine; it can see my AP and DHCP gave the AP an IP from the AP's pool.

The problem is that laptops with a wireless card are not able to connect to that access point and I do not see why.

I hope someone has an explanation here, otherwise I am stuck with APs not working :(

Thanks!



If someone can build a routing protocol for you, what options would you like it to have?

I was thinking about the awesome and genius people that actually invented the protocols we use daily. That's where this question popped out.

So if you could custom order one to be built, what options or properties would you like it to have? What would they be? Infinite scalability, maybe zero convergence time, or with some kind of machine learning algorithm? What problem would you like it to solve that bugs you with our current protocols?

Just write it out, let's have some fun in these quarantine times.



Remove port-channel/EtherChannel

What would be the process to remove the port-channel (EtherChannel) configuration on a Cisco switch so I can move away from "Route Based on IP Hash" on the vSphere side? Trying to migrate vSS to vDS.



Question about bringing materials

I am looking to take the Net+ test sometime in May. I am going over subnetting and found Prof Messer's seven second subnetting video. In the video he mentions creating a chart and using that on the exam. Am I able to create a similar chart and bring it to the exam, or would that disqualify me? Would I just have to create the chart during the test time? Thank you in advance.



How are you guys securing your in-band and out-of-band management networks?

This isn't an active design challenge that I have, but I'd like to have an idea about how you all are securing your management environments today.

  • Are you relying on special jump hosts, VDIs, or VPNs for your administrators to use?
  • Do you have a physical NOC set up with its own privileged subnet?
  • Are you leveraging 802.1x or similar technologies to ensure your administrators' devices are assigned to privileged subnets?
  • Are you not putting any network-based restrictions on access to management IP addresses?
  • Have you adopted some alternative strategy?

The jump host option seems extremely dangerous, since a network failure could prevent you from accessing the very infrastructure you need to fix the network. But leaving everything open, particularly for out-of-band, seems risky too (anyone with the console line credentials could access a network device).

I would approach this by using 802.1x to ensure that all administrators belong to a special IP subnet, and allow that subnet access to the VTY lines and out of band terminal servers. If 802.1x wasn't an option, I probably would allow the entire enterprise IP space to have access to the VTY lines, but set up a special jump host for out-of-band access.

What do you guys think? How are you doing things today / how would you prefer to do things if you could re-engineer your network?



Friday, April 10, 2020

Connecting my Nintendo Switch to my mobile hotspot with a wire

There have been a lot of issues with my home internet recently, and I have enough data to play online with my Nintendo Switch. I've been connecting my Switch to my hotspot wirelessly, and it works with a few hiccups once in a while.

Since I'm enjoying this solution, I want to connect it through a wire. How would I go about doing this? My Switch will mostly be docked when I'm doing this. I've heard some solutions of a router connecting to the phone wirelessly and connecting to the Switch through Ethernet, but as there is a wireless portion I fail to see how that would be better than connecting to my hotspot wirelessly. I only want it to connect to the one device through wire, my Switch. Somewhat like USB tethering to the Switch.



How do I know what fiber cable I need to buy?

I'm looking at a Mellanox NIC that comes with two transceivers. I can't seem to find any info easily about them so I'll just put what text I can see on them below.

Mellanox

MFM1T02A-SR

FTLX8571D3BCL-ME

Class 1.21 CFR1040.10

LN#50



SCP FXOS from one Firepower to another

Is it possible, when you are using the download image command (CLI), to SCP the image from another Firepower? What is the path for the SPA file? (download image scp:username@x.x.x.x//path/file)



3650 QoS access-group match statement not working.

Hi, I'm trying to add CoS classification to traffic coming in from access ports. The policy-map stats for the example interface are below. I'm not getting any matches on the specific match access-groups although I am getting hits under the general policy-map. Why am I not getting any access-group matches? ACL statement is correct. I even tried an all IPs (0.0.0.0 255.255.255.255 ) statement. What can I do to classify packets coming in on a specific access-port to CoS 4? Thank you.

  class-map match-any VIDEO
   match access-group 51
   match access-group 48
  class-map match-any non-client-nrt-class

  policy-map VIDEO
   class VIDEO
    set cos 4

Example interface:

  int g1/0/15
   service-policy input VIDEO

  s policy-map int g1/0/15

  GigabitEthernet1/0/15

    Service-policy input: VIDEO

      Class-map: VIDEO (match-any)
        2211246 packets
        Match: access-group 51
          0 packets, 0 bytes
          5 minute rate 0 bps
        Match: access-group 48
          0 packets, 0 bytes
          5 minute rate 0 bps
        QoS Set
          cos 4

Edit: Sorry about the jacked format. Also of note, I did do a packet capture and verified the packets aren't being classified as desired.



Any VPN appliance with SMB/CIFS optimization to the clients?

Any dedicated appliance or firewall whose endpoint VPN client (Mac and PC) will do optimization over the VPN for CIFS/SMB? I have Macs and understand that CIFS and SMB with a Mac tend to be problematic.

Thanks!



ASA 5506 and Century Link 1G Fiber

I need a second or even third opinion. Is an ASA 5506 firewall a good solution for a small business with, let's say, 15 PCs/servers and 5 users using AnyConnect to RDP into workstations, all running over a 1Gig fiber connection from CenturyLink? If I am reading and understanding the documentation correctly, the 5506 really can't handle the throughput of this. The best speed any one user will get is maybe 100Mbps or so. I don't think the 5506 can truly utilize what the 1Gig fiber delivers.

Please be gentle. lol



Windows DHCP server for multiple VRFs?

We are using Windows DHCP and the "ip-helper" command on our Cisco switches to facilitate central DHCP. Now, we have some VLANs in a separate VRF. I'd like to use the servers for their DHCP scopes as well, but can't seem to get it working.

I've read conflicting info. Some say it can't be done; some say you have to use "ip-helper" with the "global" keyword, yet that doesn't seem to work. I also read that I can configure a DHCP relay instead of the simple forwarder, but that it requires DHCP snooping to be set up. I messed with it briefly but it didn't seem like what I want.

Is there an easy way to achieve it? I'm guessing that the switch is forwarding the DHCP request, but from the source IP of the VLAN in the other VRF, so there's no return path. I haven't done any packet captures to prove it though. We have mainly Catalyst switches.

Ideas?? Thanks all!



How does a residential ISP 'provision' someone's modem?

Something I was thinking about as I go through a course on DHCP... Are residential ISPs taking the MAC from someone's modem and manually assigning an IP address? Or is there some other access control which works at layer 2 that is used?



Google DNS Ping History

Does anyone know if there's a site that has historical data on Google DNS ping performance? I'm seeing a weekly recurrence of 8.8.8.8 having slow responses and am trying to identify where the latency is.



Wake On LAN behind cascading access points

I'm trying to set up Wake On LAN for a work computer. The computer is connected to an access point which is then connected to router.

I have bound the MAC address of the computer in the router's ARP table and also set a static IP for it in the DHCP listing. I have forwarded port 9. I have changed the BIOS settings to allow Wake on LAN from the S5 state and have changed the appropriate Windows 10 settings for the network card too.

It still isn't working. Do I also have to change settings in the access point that the computer is connected to? It's just an access point (router in AP mode), so DHCP is of course turned off, so I wouldn't know what to change.

It's not working when I do it from behind the LAN either.



Understanding encrypted DNS

Probably a dumb question: even if my DNS query is encrypted, surely the IP that I am accessing is still exposed to the ISP, packet sniffing etc., which defeats the purpose of encrypting the DNS, as anyone can look up the address of that IP?



Moron question: IPv6 - in a nutshell would it simply take all the eggs out of one basket and put them into a bazillion little baskets?

Is one of the fundamental issues with IPv6 distributed security? And also, if you had a (theoretical) 100% IPv6 "LAN" then would you theoretically just have scattered your eggs into many difficult to secure baskets?

I'm working with IoT drivers and firmware and I'm trying to create little home automation tools while I'm stuck at home and I'm wondering what the world of networking would be if someone managed to get their entire environment IPv6-atized in terms of security.



How can I ssh from multiple locations using the same IP address?

I need to ssh into my client's firewall from anywhere in the world. The Access policy on their firewall should be limited to a single IP address. What are my options?



Executive Summary ASA 5515s and FMC?

Hello.

I'm a wrench turner, so this is kinda out of my typical work, but I've been asked to prepare a "slide deck" to "prove our security system is working" or what have you.

My boss said he will take care of the email portion as we have O365 hosted. However, he asked me if I could look to the firewalls or Firepower Management Console (we have ASAs running software SFR modules, not FTD appliances) to prepare some kind of charts, graphs, etc. to show the actions being taken and the stuff that's being dropped/filtered.

Can anyone fast-track me on what I am looking for here? I would greatly appreciate it. I'm familiar with the monitoring in ASA and reading through connection events and writing policy in FMC to troubleshoot connections and get stuff allowed that needs to be, but I've done very little with reporting.

Preferably something non-technical-user friendly.

Thanks!



A good reference to build simple networks?

I have to make a very simple network: a server and a couple of nodes connected to this server. I'd like the server to run Linux. I could find no basic tutorial/reference for making such a configuration on Linux, so for example how to configure the file /etc/network/interfaces and stuff like that. I would use VirtualBox for testing.

Thank you!



DMVPN PHASE 3 and IPSEC COMMUNICATION ISSUE?

Hi all, I am studying DMVPN phase 3 and would like to ask if you can answer some of my questions about an issue that I'm working on right now.

Topology: https://imgur.com/ZLYelUk

Description: From the topology, I have 3 sites A, B and C and all routers are DMVPN configured. From the topology you can also see that Site B and C (spoke-to-spoke) communication is working but Site A & B is not working.

Questions:

  1. In which specific database does the HUB store the route information from its spoke routers? Is it based on the RIB, FIB or NHRP database? With this, the HUB knows where to forward the traffic, and this is also used to send a redirect whenever there is a better path that a spoke could use.
  2. From the topology, Site A has a preferred path from the HUB's perspective which is to forward the Site A LAN network to another PE and not directly to the HUB. With this, this affects the spoke-to-spoke communication. Could you give input about this? Does the hub need to have the best path towards its peer tunnel to send a redirect (related to #1)?
  3. Can we run a spoke-to-spoke test between Site A and Site B using their tunnel interface IP addresses, since they are directly connected and not being manipulated?

     Example:
       Site A - R2 (tunnel 0 - 192.168.1.10/24)
       Site B - R (tunnel 0 - 192.168.1.20/24)
       SiteA# ping 192.168.1.20 source 192.168.1.10
       Result: Working
       SiteA# trace 192.168.1.20 source 192.168.1.10
       Result: 2 hops away - HUB -> SITEB ROUTER
     Same result with Site B to Site A ping and trace.
  4. All spoke routers have an IPsec profile configured, but Site A and Site B spoke-to-spoke communication is unable to fully form phase 2 IPsec. All policies and attributes are the same, since we cannot form an adjacency with the hub if there is something missing... So I believe this is due to the fact that we cannot form spoke-to-spoke communication because of the preferred path? BTW I'm using the tunnel interfaces to test (see #3 sample).

Debug output from SITEA router2:

  46 CEST: ISAKMP-PAK: (15727):received packet from 222.1.1.1 dport 500 sport 500 INTERNET (R) QM_IDLE
  46 CEST: ISAKMP: (15727):set new node 1832717634 to QM_IDLE
  46 CEST: ISAKMP: (15727):processing HASH payload. message ID = 1832717634
  46 CEST: ISAKMP: (15727):processing SA payload. message ID = 1832717634
  46 CEST: ISAKMP: (15727):Checking IPSec proposal 1
  46 CEST: ISAKMP: (15727):transform 1, ESP_AES
  46 CEST: ISAKMP: (15727): attributes in transform:
  46 CEST: ISAKMP: (15727): encaps is 2 (Transport)
  46 CEST: ISAKMP: (15727): SA life type in seconds
  46 CEST: ISAKMP: (15727): SA life duration (basic) of 3600
  46 CEST: ISAKMP: (15727): SA life type in kilobytes
  46 CEST: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
  46 CEST: ISAKMP: (15727): authenticator is HMAC-SHA
  46 CEST: ISAKMP: (15727): key length is 256
  46 CEST: ISAKMP: (15727):atts are acceptable.
  46 CEST: IPSEC(ipsec_process_proposal): peer address 222.1.1.1 not found
  46 CEST: ISAKMP-ERROR: (15727):IPSec policy invalidated proposal with error 64
  46 CEST: ISAKMP-ERROR: (15727):phase 2 SA policy not acceptable! (local 59.46.230.254 remote 222.1.1.1)
  46 CEST: ISAKMP: (15727):set new node 3820497615 to QM_IDLE
  46 CEST: ISAKMP: (15727):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 140005555332392, message ID = 3820497615
  46 CEST: ISAKMP-PAK: (15727):sending packet to 222.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
  46 CEST: ISAKMP: (15727):Sending an IKE IPv4 Packet.
  46 CEST: ISAKMP: (15727):purging node 3820497615
  46 CEST: ISAKMP-ERROR: (15727):deleting node 1832717634 error TRUE reason "QM rejected"

Can we have technical inputs about this?

  46 CEST: IPSEC(ipsec_process_proposal): peer address 222.1.1.1 not found
  46 CEST: ISAKMP-ERROR: (15727):IPSec policy invalidated proposal with error 64
  46 CEST: ISAKMP-ERROR: (15727):phase 2 SA policy not acceptable! (local 59.46.230.254 remote 222.1.1.1)

Thank you



BANNED Information Website

Hello,

If for example a governmental entity decided to block an information website by poisoning DNS or blocking data from an IP:

How do I detect the problem?

What options do I have to unblock the access?

I need some advice; I want to know how to detect it and where the banning occurred.

Best regards



Static Routing Weirdness on Linux

Using Cent7. I have two routes to the same remote subnet 192.168.0.0/24. "ip route get" says one thing but clearly it is not what's actually happening. I've already done an "ip route flush cache". Any ideas why it's not doing what ip route get is saying it should be doing?

  # route -n
  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  ...
  192.168.0.0     192.168.100.3   255.255.255.0   UG    0      0        0 tun8
  192.168.0.0     192.168.100.2   255.255.255.0   UG    10     0        0 tun8
  # ip route get 192.168.0.1
  192.168.0.1 via 192.168.100.3 dev tun8 src 192.168.100.4
      cache
  # ping -t 1 -c 1 192.168.0.1
  PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
  From 192.168.100.2 icmp_seq=1 Time to live exceeded


VXLAN EVPN - Constant ARP issues (NX-OS mode with DCNM)

Hey all,

We are running multiple nexus leafs (93180yc-ex's, and 9348's, with 9364 spines) all running 9.2(4). Since having deployed this, we have had a lot of issues with arp.

Devices getting put on a new VLAN, but then it has two ARP entries, and it is not flushing the old ARP out.

Devices with correct IP on correct VLAN being able to be reached via local leafs and not over the fabric.

Devices moving from one site to another site, keeping the same IP, and with the wrong vlan interface.

Or even better yet: a device with the correct IP, on the correct VLAN interface, and ARP just randomly stops working, and we have to issue the below command.

Luckily this command is our saving grace:

  clear ip arp 10.0.0.1 vrf overlay force-delete

Do any of you have any suggestions on how to fix this, or optimize?



ACL inbound vs outbound

Trying to get my head around the difference for a test. Why would I ever use an outbound ACL? Is it not just a waste of resources on the router? I'm confused as to why it would ever be used.



FASTPATH-based switches: switchport mode general vs. access/trunk?

Hi

Being mostly a systems engineer these days, I also have to tend to some networking in our school here, and I've been working with a couple of FASTPATH-based switches from Netgear, Ubiquiti and Dell lately and in the past.

From time to time I try to revisit old habits in order to check whether an initial choice was good or not, if time allows. I'm trying to decide whether switchport mode general vs. switchport mode access/trunk is wiser to use, or if it's just a matter of personal taste. :-)

Most of these FASTPATH-based switches tend to use "switchport mode general" by default, where VLAN participation, tagging and PVID have to be defined (also ingress filtering often is not enabled by default). Based on checking older models from those vendors, general mode used to be the only available mode in FASTPATH. Access/trunk modes have their origins in IOS and were added by Broadcom a couple of years ago, and now exist alongside it, seemingly without an intent to drop one or the other config mode.

I've compared the port config of an access port in general vs. access mode, as well as general vs. trunk mode. The port configs tend to be a bit shorter and (by my personal taste) less clunky than in general mode (roughly 2 lines per port).

Of course mixing general and access/trunk usage is likely unwise, as it might rather lead to confusion... but any preferences from day-to-day experience?



Vlan or networking scheme help

Hello

For my home lab, I tried to implement VLANs for security and reducing broadcasts, but found so many issues (multicast discovery etc.) that I went back to a flat scheme. So here is the list I have at home:

I am using flat 192.168.1.0/24 as of now.

1x Firewall - Sophos XG. It is running in ESXi, and I have dedicated one NIC for WAN. For LAN, it goes to the vSwitch.

6x Mikrotiks, all being controlled by Capsman.

5x Linkplay Audio (I have yet to find the UDP multicast to see how it does it)

4x Apple TVs

10x Sonoff Tasmota, running KNX. My KNX router accepts multicast from 224.0.0.1 on all addresses.

10x Hikvision camera

Intercom is run by 3CX

They are interconnected by 2x Cisco SG300 switches.

What i wanted was -

VLAN10 = All IOT (Tasmotas, Mikrotik talking to each other on L2 for Caps), Server

VLAN20 = Audio (Linkplay) and TV (Apple)

VLAN30 = All Cameras

VLAN40 = All of us (family members)

VLAN50= Staff

VLAN60= Guest.

The interlinks required were -

VLAN10 can only be accessed by VLAN50, VLAN40.

VLAN20 can be accessed by Guests (VLAN60); that means multicasts?

VLAN30 only by VLAN10 (hikvisions storing data) and by VLAN 40.

VLAN50,60 can get internet.

What I tried -

Tried making VLANS on Cisco SG300, also on XG firewall. All VLAN routing was to be done by XG. Created all the interfaces in LAN zone and also enabled firewall rule to interconnect.

Nothing worked. What did I do wrong?

I am ready to restart fresh (fresh plan, fresh assignments etc)

Thank you

Nitin



Installing ISE on EVE-NG

Hello all,

I am trying to install ISE on EVE-NG, so I should install it on VMware.

When I am installing it on VMware, an error occurs saying that ISE needs a CPU speed of 1.8 Mhz but my laptop is 1.5 Mhz.

Is there any other way to install it?

Thank you.



Using QinQ on HPE 5710 switches

I need your help with a problem.

I'm trying to setup basic QinQ between a distribution-switch (DLS) and an access-switch (ALS) but it doesn't seem to work.

Between the two switches I use VLAN 10 as the management VLAN and both switches have an IP-address on the VLAN interface in the subnet 10.0.10.16 /28. Without QinQ they can both ping each other without any issues. I use VLAN 10 as MGMT and VLAN 1010 is supposed to be the outer vlan-tag.

The DLS is an HPE 5710 switch, and the ALS is an HPE 5130 switch.

Config DLS (port):

  port link-mode bridge
  description Link To ALS
  port link-type trunk
  undo port trunk permit vlan 1
  port trunk permit vlan 10 1010
  port trunk pvid vlan 1010
  qinq enable
  qinq transparent-vlan 10
  undo stp enable

Config ALS (port):

  description Link To DLS
  port link-type trunk
  undo port trunk permit vlan 1
  port trunk permit vlan 10 101 to 124
  undo stp enable

This should work, right? Though as soon as I enable QinQ on the DLS, I lose the connection with the ALS through VLAN 10. I can't ping anymore. Do I have to enable QinQ globally in some way on the 5710?

I've tried this setup on several other switches, including the last setup with two 5130s, and it works just fine. There seems to be something with the 5710s that just doesn't work... Any ideas?

Thanks in advance!

/Rob



Thursday, April 9, 2020

Why is Cisco pushing multi-gig access switches with 25/100gb uplinks? Just who is this supposed to be appealing to?

I work with several large enterprise customers and most of them are getting rid of their onsite data centers. They are either moving all their applications to cloud providers, moving their DCs into colocations, or doing a mix of both. This means that soon enough, all client-to-server traffic will flow over the WAN, with the campus essentially becoming one large remote-site. As for client-to-client traffic, I won't say it doesn't exist, but it is relatively inconsequential. VoIP RTP sessions don't take up much bandwidth, and the same goes for Machine-to-Machine IOT traffic.

Now that I've established what current and future traffic flows look like, let's talk about WAN connectivity. Outside of DCs, none of my customers have any circuits larger than 1gb; in fact, line rate, dedicated GigE circuits are still pretty rare. At DC sites, they all have 1gb to 10gb circuits for branch WAN aggregation, centralized corporate internet/cloud access, and data center interconnection. But what will happen to these sites when they no longer host DCs or provide branch WAN aggregation? Well, I fully expect my customers to decommission their 10gb circuits and move to 1gb or even 500mb services at their campuses.

We're looking at a future where (1) all substantial traffic flows will be constrained to the size of WAN links and (2) WAN links at former "hub" sites will be sized only based on the needs of local users. So why is Cisco pushing access-layer switches with multi-gig access ports and 25/40/100gb uplinks? It seems to me that 1GigE access ports and 10GigE Trunks are still more-than-sufficient for today's requirements. Now I get why someone might argue for 25gb uplinks - switches don't have nearly the same buffering capabilities as routers, so you want your campus backbone to be oversized. But giving a user or a single AP a switchport that's sized like a WAN circuit in a world where everything goes over the WAN? That sounds like nonsense to me.

I get that there's product lifecycle to consider, but until you can get a 25GigE circuit for the same price as today's 1GigE's, (not something that I see happening in the next 5 years...) this whole technology and "push" from Cisco seems pointless to me. What do you guys think?



ICS (Internet Connection Sharing), VPN and split tunneling

With the WFH situation, I need some guidance. We have some devices that require our VPN connectivity. So our solution is to use ICS (Internet Connection Sharing) from the VPN connection on a Windows PC with 2 NICs. It works well as it is. However, I am wondering if there is a way to force the devices to connect to a particular URL via the Internet interface and not the VPN. I tried adding to the IPv4 route table but it didn't work.

Network Destination   Netmask           Gateway       Interface       Metric
4.4.4.4 (example)     255.255.255.255   192.168.1.1   192.168.1.148   51

VPN interface (shared to ICS interface) - 10.10.0.10
Internet interface - 192.168.1.148
ICS interface - 192.168.137.1
Device (connected to ICS interface) - 192.168.137.192

Diagram

Sorry, I am not really good at explaining stuff.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC.



Discover switch port a client device is plugged into?

So I have an original Fluke LinkSprinter that I've been using for a while now, but while it works, it's not the quickest utility. What I really like about it, is the ability to tell me which switch, switch port and VLAN a wall jack is patched to.

I have the data of wall jack to patch panel, but from the patch panel to the switches, not so much. For budgeting reasons, I was shot down on serialized patch cables. So now I get to do the "I Told You So" and spend more money than we saved on my time to trace all the cables.

Most of our workstations are Ubuntu anyways, so if I had a script, a quick Ansible job could let me document my network better than it is.

Ideally, I'm looking for a way to script gathering this data using Python or something, and be able to either plug a laptop into a jack, or run the script via Ansible, and record all the data of what is plugged into what switch. :)

I'm not sure how the LinkSprinter gathers this data, but I can only presume it's something like python on the little embedded device, so I'm looking to replicate that for simplicity, in theory. :)
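One way to script the "which switch, port and VLAN is this jack on" lookup is to read the LLDP advertisement the switch sends on the port. This is an added example, not the LinkSprinter's code or anything from the original post: it encodes and decodes the IEEE 802.1AB TLVs for chassis ID, port ID, port description, system name and the 802.1 Port VLAN ID. The frame is constructed here with hypothetical names and MAC so the parser runs offline; on a Linux workstation the same bytes come from an `AF_PACKET` raw socket bound to ethertype 0x88CC.

```python
"""Pull switch / port / VLAN identity out of an LLDP frame (added example)."""
import struct

LLDP_ETHERTYPE = 0x88CC
# TLV types from IEEE 802.1AB
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYS_NAME, TLV_ORG = 4, 5, 127
IEEE8021_OUI = b"\x00\x80\xc2"   # organizationally specific TLVs from 802.1
PORT_VLAN_SUBTYPE = 1            # 802.1 subtype 1 = Port VLAN ID (the PVID)


def _tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value bytes."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(chassis_mac, port_name, port_desc, sys_name, pvid=None):
    """Build a minimal Ethernet+LLDP frame; used here to construct test input."""
    chassis = b"\x04" + chassis_mac          # chassis subtype 4 = MAC address
    port = b"\x05" + port_name.encode()      # port subtype 5 = interface name
    lldpdu = (
        _tlv(TLV_CHASSIS_ID, chassis)
        + _tlv(TLV_PORT_ID, port)
        + _tlv(TLV_TTL, struct.pack("!H", 120))
        + _tlv(TLV_PORT_DESC, port_desc.encode())
        + _tlv(TLV_SYS_NAME, sys_name.encode())
    )
    if pvid is not None:
        lldpdu += _tlv(TLV_ORG, IEEE8021_OUI + bytes([PORT_VLAN_SUBTYPE])
                       + struct.pack("!H", pvid))
    lldpdu += _tlv(TLV_END, b"")
    dst = bytes.fromhex("0180c200000e")      # nearest-bridge LLDP multicast
    return dst + chassis_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def parse_lldp(frame):
    """Return the fields worth recording from a raw Ethernet frame.

    Raises ValueError for non-LLDP or truncated frames so a caller looping
    over a capture can simply skip everything else.
    """
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    info = {"switch": None, "chassis_mac": None, "port": None,
            "port_desc": None, "vlan": None}
    offset = 14
    while offset + 2 <= len(frame):
        header = struct.unpack("!H", frame[offset:offset + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = frame[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        offset += 2 + length
        if tlv_type == TLV_END:
            break
        if tlv_type == TLV_CHASSIS_ID and value[:1] == b"\x04":
            info["chassis_mac"] = ":".join(f"{b:02x}" for b in value[1:7])
        elif tlv_type == TLV_PORT_ID and value[:1] == b"\x05":
            info["port"] = value[1:].decode(errors="replace")
        elif tlv_type == TLV_PORT_DESC:
            info["port_desc"] = value.decode(errors="replace")
        elif tlv_type == TLV_SYS_NAME:
            info["switch"] = value.decode(errors="replace")
        elif tlv_type == TLV_ORG and value[:4] == IEEE8021_OUI + bytes([PORT_VLAN_SUBTYPE]):
            info["vlan"] = struct.unpack("!H", value[4:6])[0]
    return info


# Constructed sample: hypothetical switch name, MAC, port and PVID.
SAMPLE_FRAME = build_lldp_frame(bytes.fromhex("001122334455"), "Gi1/0/7",
                                "Floor2 jack 2-14", "sw-floor2-01", pvid=120)

if __name__ == "__main__":
    print(parse_lldp(SAMPLE_FRAME))
```

Switches only send LLDP every 30 seconds by default, so a capture loop should wait at least that long per jack before concluding the port has LLDP disabled.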



Innovation Idea (Game Changing)

Just thought of an invention that is potentially the next big thing to happen in the networking world (core services / access layer). The problem is that although I have a proof of concept, I need help building it because there are specialized areas that require certain specialists. Really just looking for a group of people who are willing to listen to the idea and who have the potential to take it off the ground. I’ve already looked through the USPTO's patent search and have found nothing remotely close to what I’ve thought of. Next step is to maybe 3D print the idea's physical portions but after that I’m not sure where to go next.

Any ideas?



OpenVPN high availability configuration - help with routing

/r/sysadmin/comments/fy1bg3/openvpn_high_availability_configuration_help_with/

Upgraded the ASA and AnyConnect software, everything worked fine yesterday ...

I heard there was a new zero-day attack on AnyConnect, so I grabbed the newest off of Cisco's website (3.1.09013), and also updated the ASA-5512x to the newest 9.9(2) release, and everything was fine yesterday. Today, more and more people aren't able to RDP into their workstations. The VPN connects, and the workstations can be pinged, just not remoted into. I can reach some of the servers, and can't reach others. I can still remote into MY workstation and access all other nodes from within the LAN, but not through the VPN. Is it possible that the new update is detecting and shutting down RDP sessions randomly? I'm stumped ...



What options could make you consider changing ISP?

Topic kinda says it.. I'm wondering which options/addons/premium services could swing you towards a new/different ISP?

Both private and in regards to company.

Could be as simple as free dns hosting as part of your subscription to direct cloud connect services..



Upgrading 3850 stack 16.6.x (bundle) to 16.9.x (install) FAILS

The problems I've been facing

  1. the boot system was set to packages.conf, on both switches it was for different versions. Is there a command that will copy the .bin file to flash on all the stack switches? I used the following **Switch# copy tftp://10.76.76.160/cat3k_caa-universalk9.16.09.04.SPA.bin flash:**
  2. I'm using **Switch# request platform software package install switch all file flash:cat3k_caa-universalk9.16.09.04.SPA.bin new auto-copy** to install the target image to flash. Is this the correct command?
  3. Should I convert my 3850 16.6.x from bundle to install as a first step, and then upgrade to 16.9.4?
  4. I use **boot system switch all flash:packages.conf**. Do I need to use the .bin file here?

Edit: formatting



Cisco order of operation ACL and sniffer

Hi,

Looking at this http://ciscorouterswitch.over-blog.com/article-cisco-ios-order-of-operation-114424332.html and was wondering about the following scenario. Let's say that I have ACLs applied on an interface in both directions. I add a monitor session for that port. In the capture, should I see the traffic that is being denied by the ACL or not?



Internet connection cuts out 30 seconds into an application, browsers work fine, help?

If I attempt to play a game, download something in Steam, use Discord etc, everything will be fine for about 30 seconds then the connection is lost. I can load into a R6 Siege game, get through matchmaking and pick my character in the lobby, but once the actual match starts it disconnects me from the service.

Troubleshooting my Windows 10 network status gives "The remote device or resource won't accept the connection," hitting further details gives "The device or resource (WPAD.home) is not set up to accept connections on port 'The World Wide Web service (HTTP)'"

The assumption is it's my wifi adapter (Realtek 8812BU Wireless LAN 802.11ac USB NIC) but it worked a week ago? I've updated everything I can, Windows, drivers, etc, and done every help list I can find. A different modem doesn't change anything, 5g or 2.4g, but ethernet works perfectly.

Any help or ideas are appreciated



800gb announced but is anyone even using 400gb yet?

Just saw this story on Tomshardware: 800-gigabit-ethernet-gbe-spec-standard. I know these specs are always several years ahead of the industry but it seems the ethernet speeds are jumping leaps and bounds above what is even needed right now. My data center is looking to move to 40/100gb for the backbone this year but we're barely using the 10gb LAG'd lanes we have. Anyone out there pushing 100gb to its limit or needs 400gb for any of their data needs?



Best way to represent a ring topology in Visio/tips?

So we have a core catalyst and 3 segmented networks going to 9 different cabinets. For a visio diagram, would it be better to represent each network separately or combine the 3 in an overall topology?



VIRL 2.0 renamed to CML

To all of you who have supported the VIRL name, we thank you, and we know you’ll understand why we are announcing today that the product has a new name: Cisco Modeling Labs – Personal (or CML-Personal). We plan to release CML-Personal on May 12th. This will allow us to do the work necessary to rename the product.  

As you may know, Cisco Modeling Labs v1.x has been the enterprise version of the VIRL platform. We plan to release the new Cisco Modeling Labs – Enterprise on April 14th.   

https://learningnetwork.cisco.com/s/question/0D53i00000S9IQbCAN/virl-release-date-branding-change-announcement



Clarification on EVPN-VXLAN L3 Gateway for vlans/vni's....Juniper training

Thanks to the users who answered some of my noob questions earlier this week.

My company bought an account with all access pass from Juniper and two of us are doing the DC course. Here is an imgur link to a screenshot from a slide where they configure the gateway on the spines for the vlans as IRB sub-interfaces.

  1. What's the difference in design/functionality when the gateways are on the leafs vs the spines? (Nothing plugged into the spines except leafs)
  2. If you have 300+ vlans in a data center and 30+ leafs, won't that be a heck of a job to either put all L3 gateways on all leafs or keep track of which leafs need which gateways since not all servers are on all vlans on a leaf pair?
  3. If you had to migrate from a legacy 3-tier Juniper/Arista network to a new Juniper fabric, how would you transfer the L3 gateways on the previous legacy distribution layer to the spines in VXLAN?

Thanks for the help mates.



Where to place Full Packet Capture

I'm thinking out loud but don't know if these are good suggestions...

Client network, server network, maybe trust boundaries?

Do you know some and why it is best to place it there?



JAVA multi-threading in NETWORKING

Hello friends!! Which advanced features of Java multi-threading (for example, completable futures, fork-join framework) are applicable to developing network applications?



Another Cisco AnyConnect Split Tunnel Question...(DNS Exclude)

I'm having an odd issue on one of my ASA clusters, or more likely a lack of experience/knowledge.

I tunnel all 0.0.0.0/0 traffic via the ASA. Any traffic destination for O365/sfb/teams etc, I include in a DNS-split-exclude configuration.

I also use proxy-pac files and whitelist domains to send traffic direct/local if I do not want the domain to use the internal proxies.

If connected to ASA cluster one (DC1), which currently has no DNS-exclude split tunnel configuration added, and is only using proxy pac config, it works. I can traceroute to domain name (i.e login.live.com) and I can see the next hop is my local router.

If Connected to ASA cluster two (DC2), which has DNS-exclude split tunnel config, it does not work. I can see traffic hitting our proxy and traceroute fails.

Please note, we do not add any proxy config to the AnyConnect profiles/group policies, we just use the browser pac file to direct https to the internal proxies, unless excluded/whitelisted.

I just added DNS-Exclude split tunnel configuration to the DC1 cluster and it still works. This is the DC that was previously working without this configuration and is still working with the configuration. In short, both DC's now have the split exclude config, but only one works. I'm clearly missing something, but not sure where to look or explore.

I can't specifically understand why the traffic isn't hitting my local hop when on the DC2 AnyConnect...bit miffed.



Cisco ISE 2.4 ARL check

Hello,

I'm looking for your help because my Google skill failed me and I can't seem to find any information about this in Cisco documentation.

We have a Cisco ISE deployment working fine with MAB for years and now the next logical step is using 802.1x with certificate.

Certificate means checking the CRL from the sub-CA delivering client certificates and I don't have any problem configuring this.

My issue is that the security team want us to check the ARL (Authority Revocation List) and I can't find a way to do this. Is it just checking the root CA CRL, is it another option that I'm missing, or is it just not possible?

ps : I'm not a native English speaker so if you see any error feel free to correct me.



Wednesday, April 8, 2020

Cisco or Robert half job offer

So I have currently two (( final )) job offers , one from Cisco Meraki as a network support Engineer for 100k plus benefits and a job from Robert half with a contract to hire for a big hospital in orange county for 90k

I still didn't give a final word to either as I am still indecisive....

Pros for Cisco Meraki

  • Well.. it's Cisco
  • huge experience
  • nice CV builder

Cons for Cisco

  • Cost of living in San Francisco is high
  • I will have to relocate (( i live in OC ))

Pros for hospital network Engineer job

  • in OC so it's near my home
  • low cost of living in OC

Cons

  • Managing a hospital network will not give much experience in the long run

PS : I'm certified CCNP and CCNA

So what is your advice ?



Options for monitoring for prefix hijacking

I’m needing to do some research and costing for monitoring for prefix hijacks. What are you all using and what are the costs? Do any of these solutions monitor for possible permutations of a subnet, do they only monitor for IPv4 or do they monitor for IPv6 as well? How often are they scanning the internet routing tables and what are the alerts/notifications like?

I’m trying to get an idea of what people are generally doing and which are more popular before I get sales calls and emails from every possible solution. I’d really appreciate honest answers and from people managing large and small numbers of subnets.

Thanks in advance!
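The core of what a hijack monitor does is compare what route collectors see against the prefixes and origin ASNs you expect, including the "permutations" the post asks about (more-specifics that win on longest match, and covering supernets) and IPv6 as well as IPv4. The block below is an added example written for this thread, not any vendor's product: the announcements, ASNs (private-use range), prefixes (documentation ranges) and collector names are all constructed sample values.

```python
"""Classify observed BGP announcements against expected origins (added example)."""
import ipaddress

# Expected state of our address space: prefix -> set of legitimate origin ASNs.
# Constructed values: documentation prefixes and private-use ASNs.
EXPECTED = {
    ipaddress.ip_network("203.0.113.0/24"): {64500},
    ipaddress.ip_network("2001:db8:100::/48"): {64500},
}

ALERT_VERDICTS = ("origin-hijack", "subprefix-hijack", "supernet")


def classify(prefix_str, origin_as, expected=EXPECTED):
    """Return (verdict, covering_prefix) for one announcement.

    ok                 exact expected prefix from an expected origin
    ok-more-specific   our own origin announcing a more-specific (TE, worth noting)
    origin-hijack      exact expected prefix announced by a foreign origin
    subprefix-hijack   foreign origin announcing a more-specific; wins longest match
    supernet           foreign origin announcing a less-specific that covers us
    unrelated          outside our address space
    """
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    for ours, origins in expected.items():
        if prefix.version != ours.version:      # subnet_of() rejects mixed families
            continue
        legit = origin_as in origins
        if prefix == ours:
            return ("ok" if legit else "origin-hijack"), ours
        if prefix.subnet_of(ours):
            return ("ok-more-specific" if legit else "subprefix-hijack"), ours
        if prefix.supernet_of(ours) and not legit:
            return "supernet", ours
    return "unrelated", None


def scan(announcements, expected=EXPECTED):
    """announcements: iterable of (collector, prefix, as_path). Return alert dicts.

    The origin is the last ASN in the path; AS_SET origins are not modelled.
    """
    alerts = []
    for collector, prefix, as_path in announcements:
        origin = as_path[-1]
        verdict, covering = classify(prefix, origin, expected)
        if verdict in ALERT_VERDICTS:
            alerts.append({"collector": collector, "prefix": prefix,
                           "origin_as": origin, "verdict": verdict,
                           "covering": str(covering)})
    return alerts


# Constructed sample feed: what several collectors might report in one interval.
SAMPLE_FEED = [
    ("rrc00", "203.0.113.0/24", [64496, 64500]),            # normal
    ("rrc01", "203.0.113.0/24", [64496, 64666]),            # origin hijack
    ("rrc03", "203.0.113.0/25", [64496, 64500]),            # our own TE more-specific
    ("rrc03", "203.0.113.128/25", [64497, 64666]),          # more-specific hijack
    ("rrc05", "203.0.112.0/22", [64499, 64666]),            # covering supernet
    ("rrc10", "2001:db8:100::/48", [64496, 64500]),         # normal, IPv6
    ("rrc12", "2001:db8:100:ff00::/56", [64498, 64666]),    # IPv6 more-specific hijack
    ("rrc12", "198.51.100.0/24", [64496, 64777]),           # someone else's space
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FEED):
        print(alert)
```

A real deployment feeds this from a collector stream and alerts on first sight and on clearance; the comparison logic is the part that stays the same.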



Kirk Byers Nornir course... Is it worth the money???

Hey guys, I'm just looking for feedback from folks that have taken the Nornir course from Kirk Byers' site pynet. Was this course worth the price? It seems this course is priced outside the affordable for the masses range. Which I assume weeds out all folks that just sign up and never do anything with it.. Not sure. I know some of this is perspective in what you want to accomplish and whether you have been able to do it on your own stuff. Any feedback you can offer would be greatly appreciated. Thanks!



Network automation engineers I need your opinion $$$

To anyone who's in network automation, can you share your salary experience? I've just gotten a new role in network automation and I think my employer is trying to pull one over on me. I think they are definitely planning on under paying me for the work I'll be doing.

Have you found that your position generally pays higher or the same as a vanilla network engineer? I believe I'm going to be compensated like a network engineer when I thought this would be a definite increase in pay over regular network engineering.



Cisco Anyconnect Split-DNS issue (weird)

I've been beating myself trying to figure this issue out for weeks. With a Cisco TAC case open actively trying to get it resolved. I've heard of this issue popping up Pre-COVID but very rarely and a reboot always fixed it.

We have a handful of users who lose their split-dns functionality after they are connected to the VPN for awhile. Basically regular internet resolution works and the tunnel actually still stays active. (They can ping internal resources by IP only). When they try to ping an internal DNS name, using the on prem Microsoft DNS server, it just says "Ping request could not find host xyz.helloworld.local Please check the name and try again." In the browser it will say they received a NXDOMAIN response. Doing a packet capture it doesn't look like the traffic even makes it to the DNS server.

Funny enough nslookup will work, but I researched that it stated:

Note: Avoid using NSLookup when you test the name resolution on the client. Instead, rely on a browser or use ping. This is because NSLookup does not rely on the operating system (OS) DNS resolver, and therefore, AnyConnect does not force the DNS request via a certain interface.

So I am back at square one. I debated tunneling all DNS requests, but it seems unfair for only 5 users having a problem. Since this can also cause geolookup issues and I don't even know if it would resolve the issue.

For one of the users I uninstalled and reinstalled AnyConnect, and it did not work. The last issue close to this I had was a year back: some IPv6 users were having issues so I had to enable "client-bypass-protocol enable" on the group policy.



KVM switch for 3 monitors using displayport to 2 computers?

Ok I have a personal and a now office computer at home. They both have 4 display-port graphic cards and work great when extending to my 3 monitors. I have been unplugging all components and moving back and forth between the desktops as they have their own individual secure setups with vpns and software. Since I need to keep them separate, I want to see about having them running at the same time and switch between them to where I can use the same mouse, keyboard, and monitors without unplugging/moving/re-plugging them in. I have been looking at the kvm switches and I am not opposed to paying $200-300 for the right switch as long as it would work correctly. I am not having much luck finding switches that have 3 inputs from 2 computers with 3 outputs to the monitors. Has anyone done something similar? Can you give some advice? Thank you in advance



Networking Tool Tips Thread

I'm pretty lazy when it comes to my job so I will programmatically solve my problems within reason. I thought it would be cool to share tool tips or tricks that make fellow JANG's lives easier and I'll start with two.

  1. You can use Excel to build out network interface description commands that can be copied and pasted. (Cisco Example) Use Excel columns to build out the chunks of the command and use CHAR(10) to insert new lines. I used this particular solution to configure the interface descriptions of 36 Cisco 6513's in minutes.

  2. Notepad++ supports Python scripts. This is somewhat niche (?), but I'm migrating from a firewall vendor that exports configuration to XML to a firewall vendor that supports a configuration API that is in XML format. I've been using the PythonScript plugin in Notepad++ to automate the conversion because I can't be bothered with doing it manually on the fly with changes being made on the source firewall while we wait to cut over.

Share your tips and tricks that make your networking life easier!



is jperf still a suitable free traffic generator? I see on sourceforge it hasn't been updated since 2008.

I'm not sure if it means it's abandoned or not, I'm just trying to use it for a project to get some nice looking graphs from PRTG.

I just want a nice gui so I can click and collect random info.



DWDM - 100G (1310nm) on single strand

Hi guys. I have 2 sites, about 5km apart and only one fiber strand available. I want to achieve 100G (on 1310nm). I know 10x10g LAG option but that is not what I am looking for.

I want to know if there is any simplex (single fiber) DWDM box that can give me 1310 port and few other DWDM ports for 10g side projects.



Anyone seen any good nxapi projects on Git?

I'm looking for some examples of logging in and doing show commands to get a better handle on it. What was your best resource for figuring out nxapi?



Cisco 5508 WLC - %DOT1X-3-WPA_SEND_STATE_ERR

I've got clients unable to connect to one of our Cisco APs and within the logs of our WLC, I'm seeing this error for the client MAC address trying to connect:

*dot1xMsgTask: Apr 08 12:00:49.406: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client 38:89:2c:bb:2b:fb

Did my fair share of googling to try and solve this but couldn't really find anything that would resolve the issue. Curious if anyone here has encountered this and may know of a fix.

Thanks.



WatchGuard AP420's intermittent performance issues

Let me know if this isn't the proper subreddit for this:

About a year ago we redid the wifi in our building. We went through a vendor that handles our network switches and firewall/vpn appliance. They mapped out the area, determined the optimal positioning of the APs, and we had another vendor that pulls our low voltage cabling do the cable runs and mount the APs in the predetermined positions. After they were installed and set up, the vendor made another map of the radio signals to confirm that the coverage was optimal.

We have 15 WatchGuard AP420s installed at our production facility. They are using POE+ injectors (only some of our switches had POE+) and are split up between our MDF and two IDFs. Some days the wifi is stout and we get the speeds you would expect to see. Other days it is horrible to the point where it's almost unusable. Today I was trying to move install media from a network drive to a client workstation. It was roughly 5 GB and it was transferring at a rate of ~250-750 KB/s and estimating that it would complete in 2+ hours. When I connected to the ethernet, the transfer took about 1.5 minutes.

The kicker is, right now over 50% of our company is working remotely and there are not nearly as many wireless clients as we would normally see. I have reached out to the vendor numerous times, and any time they've come on site, there are virtually no issues and the system is working as expected. We get billed for the vendor's time, and I can't keep justifying to my boss to have them make a site visit when ultimately nothing results from the visit. I know the system is capable of performing well, but at times it is unusable. Any recommendations on where to begin troubleshooting?



Can a domain be regionally blocked?

I have a .host domain that hosts taboo content, not illegal or malicious. I simply added an A record for a subdomain recently and all records stopped resolving in about half the world overnight. I can continue to make record changes, and they update globally in some regions fairly quickly, but for certain regions it is just unresolvable completely. It's been four days since the change so plenty of time to propagate. The registrar claims up and down that they are good and it's not an issue on their end.

To give examples, the domain is not resolving in the US, Ireland, Spain, Germany, India, Malaysia, Australia. It is resolving in Brazil, Mexico, Canada, Denmark, Russia, China, and South Africa, just to name a few.

I have no idea where to go with this. Any ideas?



Panasonic PBX to Zoiper

We have recently changed from a virtual PBX to a Panasonic with Premicells.

As we are constantly on the move, we opted to use the Panasonic Mobile Softphone app on our cellphones and each of us has an extension allocated.

The app unfortunately is untrustworthy to say the least. It keeps crashing or cutting calls during a conversation of 5 to 10 mins.

The provider first said it's a "connection problem" so we literally switched over to a better service/provider. The problem still persists.

Then they blamed the premicells, which we also fixed and "sorted". Again the issue persists..

Lastly, they changed all the PBX settings and, yeap, still the same issue.

The reviews on PlayStore are also really bad on the app, and I'd like to give the previous app we used (Zoiper) a try.

I'm not going to lie, the Phone Contacts integration is poor on the app (I have to scroll through 2,500 contacts to get to the right person) and overall delays and crashes are really taking a toll on my work.

I've asked them if we can set it up on Zoiper but they don't know how..

So my question is if someone can tell me how to install the SIP Account on Zoiper.

The information I have is the following:

SIP username - this is my extension name
Password
SIP Server Address (Remote)
SIP Server Port (Remote)
SIP Server Address (Local)
SIP Server Port (Local) - Same as remote
Service Domain - Same as SIP Remote server

Zoiper requires the following

User name @PBX/Voip provider
Password
Host name or Provider name
Authentication name (optional)
Proxy (optional)

Any help would be much appreciated!



Sonicwall NSA 6650 visio stencil

Does anyone know where I can find a visio stencil for an NSA 6650?



6 Users, 40+ Devices, 1 Annoyed Dad.

Hey, so I've just been getting REALLY frustrated lately with the limitations of my router. As the title says, I have 6 Users (including me) and have a ton of devices that are connected to my router via WiFi. The router isn't in the best location in the house, it can't reach the opposite end of the house's 2nd floor efficiently due to walls and stuff. The signal is VERY weak in that one room. Constant disconnects and unable to see/connect to the wifi point at times. Also, 1 device seems to be hogging up the majority of the bandwidth, a PC connected via ethernet.

With all that said, I'm looking for a mesh wifi system, or even a singular wireless router that will provide good coverage of 2,500 sq.ft. , that allows me to control/set bandwidth limitations per device, WITHOUT some kind of subscription. All this subscription based shit just blows my mind and there are limits to subscriptions I'm willing to pay for.



Fritz!Box 7530 won't open ports

Hi, I have been trying to open ports, but nothing works: disabled firewall, open range, open single port, then I check the port on the "canyouseeme" website, it's still closed... this is a f'ing nightmare. Can anybody help?



Please help blocking tiktok

I am using 1100 Mikrotik as a core router. The network belongs to a rural municipality in Far West Nepal. After the lock down whole network is congested with Tiktok traffic. I have tried everything and it is not working properly. Properly because I have blocked the tiktok on desktop computer but I'm unable to block on mobile devices. Please suggest me way to fix this issue. The network is almost unusable due to this. We are getting only 10 Mbps for whole village. So now people can't even use Gmail. I have been through at least 100 websites. This is my third day. I was thinking of posting this first day but I thought it would be an offending idea to post such silly questions on first day.

Hope I get help.



Find out someone's IP

Hey guys, I'm currently in a battle with a friend to find out his ip address. Do you know a way to find it out? Btw, I asked him, he said it is fine to ask other people



Non blocking datacenter switch

Are data center switches non blocking? Is it an important feature in a data center switch? 

For example, Cisco Nexus C36180YC-R,

It has got:

- Switching capacity: 3.6 Tbps (48x25+6x100=1800 Gbps half duplex x2)

- Forwarding Rate: 1.67 Bpps

I calculate the forwarding rate as 1800x1.5= 2700 Mpps= 2.7Bpps, so I understand this switch is not Non-blocking, so it has got oversubscription in its ports

It is the same with HP 8325-48Y8C or Huawei CloudEngine 6865-48S8CQ-EI.



C9500-48Y4C interface naming

Hi all,

I need to prepare the configuration upfront, before getting the devices. I will be using a mix of SFPs, mostly 1G, 10G. I am wondering what would be the downlink ports interface naming on this model? GigabitEthernet, TenGigabitEthernet or perhaps TwentyFiveGigE? Somehow I could not find this information. Regards



Tuesday, April 7, 2020

How do I ensure I don't orphan an OSPF area when decommissioning a legacy core?


Benefits of RED/WRED

So how do you use RED/WRED at your company? I've done a lot of QOS implementations, and I've always questioned the value of RED with how most companies implement it.

I've heard arguments that it helps prevent TCP global synchronization, but is synchronization actually happening in your network without a RED profile? Most of the research I've read showing global synchronization conducted their testing in a controlled environment with flows having similar characteristics (algorithm, latency, processing time, RTT). I have not seen global synchronization in our production network, nor have I seen it in a lab where we weren't explicitly trying to create it. Reading through some research where different RTTs and different processing times are used, you don't see global synchronization occurring.

What's consistent with a lot of the research I've read through is fairness and latency. RED is fairer to bursty traffic or traffic with long RTT. But for the most likely scenarios, tail-drop works fine or may even be better for smooth non-bursty traffic. In any case, the average of drop probability and throughput between tail-drop and RED are pretty identical. While latency can be far lower with RED, that's because you're essentially lowering the queue depth. This could be ideal in specific scenarios, especially with WRED. But that kind of granularity requires engineers to have an excellent understanding of their traffic flows and needs.

What I often find with most deployments, RED/WRED is implemented without really knowing if it provides any benefit. There are a few scenarios where I could see the benefit, but I don't even know if the benefit is worth the added complexity.

So if you have RED/WRED implemented in your network, how is it implemented and what benefit does it provide? How did you determine the min and max thresholds and drop probability? Have you done testing to show that it actually provides an advantage over just doing tail-drop, or is it all theoretical?
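To make the min/max threshold and drop-probability question concrete, here is an added example (written for this thread, not vendor code) that runs the same 20% overload through a tail-drop queue and a classic RED queue (EWMA average, linear p_b between min_th and max_th, count-based spreading). It is open-loop: fixed arrival and departure rates with no TCP reaction, so it shows what the thresholds do to queue depth and total drops, not whether global synchronization occurs. All parameters are constructed sample values.

```python
"""Tail-drop vs RED queue under constant overload (added example)."""
import random


class TailDropQueue:
    """FIFO that drops an arrival only when the buffer is full."""

    def __init__(self, limit):
        self.limit = limit
        self.q = 0             # current occupancy in packets
        self.drops = 0
        self.accepted = 0

    def enqueue(self, rng):
        if self.q >= self.limit:
            self.drops += 1
            return False
        self.q += 1
        self.accepted += 1
        return True

    def dequeue(self):
        if self.q:
            self.q -= 1


class REDQueue(TailDropQueue):
    """RED: drop early with a probability that rises between min_th and max_th."""

    def __init__(self, limit, min_th, max_th, max_p, w):
        super().__init__(limit)
        self.min_th, self.max_th, self.max_p, self.w = min_th, max_th, max_p, w
        self.avg = 0.0         # EWMA of occupancy, updated on every arrival
        self.count = -1        # packets accepted since the last RED drop

    def drop_probability(self, avg):
        """Base probability p_b for a given average queue size."""
        if avg < self.min_th:
            return 0.0
        if avg >= self.max_th:
            return 1.0
        return self.max_p * (avg - self.min_th) / (self.max_th - self.min_th)

    def enqueue(self, rng):
        self.avg = (1 - self.w) * self.avg + self.w * self.q
        p_b = self.drop_probability(self.avg)
        if p_b == 0.0:
            self.count = -1
            return super().enqueue(rng)      # still subject to physical overflow
        if p_b < 1.0:
            self.count += 1
            denom = 1 - self.count * p_b     # p_a: spreads drops out evenly
            p_a = 1.0 if denom <= 0 else p_b / denom
            if rng.random() >= p_a:
                return super().enqueue(rng)
        self.drops += 1
        self.count = 0
        return False


def simulate(queue, ticks, arrivals, departures, seed=1):
    """Offer `arrivals` packets per tick, then serve `departures`; return stats.

    Occupancy is sampled after the arrivals, i.e. what the last packet in saw.
    """
    rng = random.Random(seed)
    total = peak = 0
    for _ in range(ticks):
        for _ in range(arrivals):
            queue.enqueue(rng)
        total += queue.q
        peak = max(peak, queue.q)
        for _ in range(departures):
            queue.dequeue()
    return {"drops": queue.drops, "accepted": queue.accepted,
            "mean_queue": total / ticks, "peak_queue": peak}


def compare(limit=150, min_th=30, max_th=90, max_p=0.1, w=0.05,
            ticks=3000, arrivals=12, departures=10):
    """Run identical 12-in / 10-out overload through both disciplines."""
    tail = simulate(TailDropQueue(limit), ticks, arrivals, departures)
    red = simulate(REDQueue(limit, min_th, max_th, max_p, w),
                   ticks, arrivals, departures)
    return {"tail_drop": tail, "red": red}


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, stats)
```

Under sustained overload both disciplines end up dropping about the same share of arrivals, which is the throughput-parity point made above; the difference shows up in mean and peak occupancy, which is the latency effect of choosing the thresholds.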



Specific IP on switch getting flooded

10.0.0.0/24 network. I recently installed ESXi on two NUC’s, and the management NICs were set to 10.0.0.198 and 10.0.0.199. The two work fine on the router, however 10.0.0.198 seems to time out after being connected to the switch.

Switched ports, and swapped cables, changed flow control, restarted switch, but the issue persists. If I change the port or take it down I can momentarily ping it, but the latency builds doubling each time it is pinged until it is not reachable.

There is a blade switch connected to one port, but that port doesn’t have spanning-tree port fast enabled. I dumped config for the switch and internal firewall, but there were no static routes to the IP address.

There are other VLANS, outside of PVID 1, but they are on separate Subnets. I am about to just use another IP address, but I think it is weird that this single IP is having a problem only when on this switch.

Before I change the IP I am going to open up wireshark and see if I can view any traffic being broadcasted. If anyone has seen this before I am open to suggestions.



Defining SLAs (Viptela) and App aware routing

We’re entering the optimization phase of our sdwan project and wanted to use SLA classes for app aware routing on sites with multiple transports. The issue is how do we go about defining the minimum SLA requirements for different apps? Is there some sort of documentation out there with recommended minimums for different apps?



Cisco ASR9k for GPS NTP Source?

So I've been playing around with the idea of getting a real stratum 1 time source in my network. Best I can figure is to actually hook up to my ASR9k RSP 880s and just use them as a source, have local servers pull from those, and now bam, got a better NTP time source I can keep locally.

I'm having a hard time figuring exactly what I need though. I have an old Symmetricom different system meant for retiming T1 circuits with a db9 connector. No outputs from it for the lil' SMA connectors the ASR9k wants.

If I want to do a true time source, what should I look for? Best I can figure is get some sort of new GPS antennas, get an active amplifier system (For current devices and add on future devices no problem), and then connect it up and be ready to go?



Network administrator role

So I've been desktop, server and network support for a company for 17 years. Been working with Cisco gear and VoIP all 17. I'm maxed out position wise at my company because I am remote. Didn't ever mess with the CLI till about a year ago. Recently got my CCNA. What else do I need to do to land a network administrator role with a company? Are those hard to come by because they usually promote from within? Am I going to have to make a parallel move to another company and be desktop support to move up? I don't seem to be getting any hits on my resume. Nor do I see that many network administrator roles, I see 20 network engineer openings for every network administrator job. Just trying to get something so I can start to climb up the ladder.



2 Years Later: Any replacement for Internet Health Report?

Over 2 years ago, Dynatrace killed their Keynote Internet Health Report, which displayed latency and packet loss among top ten global ISP peering points.

Here at r/networking, there was a thread discussing the issue, but no concrete answers. 2 years have passed, has anyone discovered a good replacement? I've been relying on http://internettrafficreport.com but it's not great.



Converged switch? half 10g cat6 other sfp+ and 4 or 6 40g? 48 or 54 port?

Hi,

I have a need for a new switch that's 10g cat6 and a handful of SFP+ 10g, with a couple QSFP ports.
I thought nexus line had this in the fixed line, unable to find it.

Thanks...



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC.



Threat intelligence data, which feeds do you use generically and with Cisco firepower/FMC?

Hello, which feeds are you using to get threat data using common protocols like TAXII? I'm trying to register the Alienvault OTX feed inside FMC firepower but it has been stuck in "parsing status" for days... was anyone able to use Alienvault with Firepower stuff? (p.s. there is a bug I spotted on the Cisco site apparently related to this... but I want to share before doing some of the "suggested workarounds".... (like killing mongo databases, resetting redis stacks... etc... wow how many things are inside this thing??? :) )



Insourcing from MNSP

Background: We have a new CIO that wants to insource, everything else has been in-sourced now, networking is the last thing remaining.

Scope: Route, Switch, Wireless, DHCP, DNS, Network Security, UC, Webex, A/V

Size: 1500 Switches, 2500 AP's, 500 Routers, 40 Firewalls, 6000 Phones, etc

The part where I need r/networking:

  • Building 24/7 IT Operations Center
    • How to size Staffing?
    • Ticket load per person?
    • Ratio Tier 1 to Tier 2
  • Automation
    • What are you using?
    • What scales really well?
      • We are focusing on Python and looking at using Nornir over Ansible
  • Source of Truth
    • do you leverage your monitoring system as your SoT?
  • What am I missing?


Am I the only one slightly paralyzed by that ASA/ASDM/Firepower Compatibility Matrix?

So, passing the CCNA with a 963 made me feel like maybe I had a handle on things, and then my ASA decided to develop a bug during a pandemic shutdown while I'm WFH and is rebooting itself once a day. "Just upgrade it, here's a compatibility link", Cisco says. And I was told by a peer to update ASDM *first*, so it can handle whatever versions you update the ASA and Firepower to. Does that sound correct?



Specific Anyconnect Policy Requirements

With the influx of people WFH, I've run into an issue permitting specific groups of people to services via Anyconnect. My user base is split into staff/students that use Anyconnect, which have assigned pools for them to use when they join the VPN. Now I get the odd requirement to put a rule in, whereby only specific staff users X and Y should be able to RDP into PC Z via Anyconnect. But given that all staff share the same VPN pool, this is just not possible. It's all or nothing. Has anyone else run into this, and how did you overcome it?

PS: This is on a firepower box, managed via the FMC, and auth is done by AD via ISE.



Edgecore ECS-4210 disappearing from network, but still switching

My ecs-4210 keeps disappearing in less than 24 hours from the network. No response to ping, and all arp tables gone.

However it's still happily routing packets.

Nothing in google to suggest if this is a known issue or not.

Vlan 1, no network segregation, rebooting the unit brings back the GUI, SSH, telnet etc.

Suggestions on methodology to fix?



Lower round time latency, 4G

Hello everyone, I'm currently studying networking and we are in the start-up phase of a project utilizing 4G. In our solution we are looking to get the best possible round-time latency while still having an encrypted connection for a realtime video feed and a script which controls an end-node. We're using the TELTONIKA RUT950 LTE router.

Simply put: we're looking for configurations which help us get a better average round-time latency. So far we've discussed whether working around strict NAT would help; any other suggestions?



NetBox Napalm multiple users, passwords (one pass to rule them all)

Is there a way to define multiple napalm user/pass credentials within netbox config file? Not all devices on my network have the same username/password. I know you can call Netbox API and define custom credentials, but I need this functionality only for status of the devices on Netbox webGUI.

Part of the netbox config:

#Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
NAPALM_USERNAME = 'admin'
NAPALM_PASSWORD = 'admin'


Connecting 2 core switches and STP

Hello networking gurus,

so I am trying to figure out the best way to set up the following:
- 2 core switches, 2 different companies.
- STP needs to work for both companies but should not interfere with the other.

Normally I would choose to place a router in between the two core switches but in this case it is not a possibility. The switch managed on my end is a Huawei CE6810 (running "stp root primary") and I think I need the following commands (on the uplink to the other core) to achieve what I want/need:

stp disable
stp bpdu-filter enable (does this even make sense if I disable stp?)

Is this enough to achieve what I want? I have no control over the other core switch so I can not confirm its config, but I want all incoming bpdu's ignored, and send none their way. But I don't want the port to go down either.

To my understanding using "stp edged-port" here would shut the port as soon as any bpdu's are noticed, is that correct?

Thanks in advance.



NAT from internal routed subnet to internal NATed service on fortigate

Hi

I have a situation with Fortigate (501E), no VDOMs. Routing is "on a stick" - no L3 switches.

  1. There is a web server on 10.10.104.31 (VLAN 104) with VIPs (x.y.89.164:80-> 10.10.104.31:80 and ICMP x.y.89.164 -> 10.10.104.31)
  2. There is a policy which allows ANY -> VLAN 104 for these VIPs
  3. There is a routed network x.y.78.0/24 on internal network (VLAN 71)
  4. There is a server x.y.78.30 on said network (VLAN 71)
  5. There is policy which allows VLAN 71 -> ANY

The problem is server x.y.78.30 can connect anywhere on the internet EXCEPT this service (x.y.89.164)
In the diag debug flow (with filter "addr x.y.78.30") I can see only packets going in, and they are allowed by policy and correctly DNAT'ed to 10.10.104.31

On the other hand, ping (x.y.78.30 -> x.y.89.164) works, but the ping reply comes from 10.10.104.31!

asymroute is enabled.

I just can't wrap my head around this, is this NAT somehow not registering ? But it doesn't show even reply direction packets from 10.10.104.31 (even when using ping).

If this were the same internal network I would just hairpin NAT to the router IP and call it a day, but in the webserver's logs I want to see the real IP (x.y.78.30).

Do you have any ideas?



Microsoft Expressroutes connection maintains after disconnecting from VPN

Hello. Strange network issue I have just noticed that I would like to attempt to solve before I bring it up to management. Any assistance would be appreciated. We have been using MS Teams for some time now. I connect to our VPN - a Palo Alto box - which has a connection out to the internet to our express routes to Microsoft. After work I disconnected my laptop from the VPN. I noticed that I was still getting messages from Teams. I checked my IP. My corporate IP address was gone (tunnel to PA) and my 192.168 local home IP address was all I had. How is this TCP/IP connection being nailed up if my IP address is now gone? I did a netstat to check what I was connected to. As it turns out I was still connected to the Teams 52.170.0.0/18 express routes! What the hell? Can somebody tell me where to start looking to troubleshoot this?



what type of connector is this?

https://i.imgur.com/R27rZ7Y.jpg I need to order a couple of cables with this connector on both ends. It's used for patching network cabling. looks like LSA strips. do you guys or gals have any idea?



Remote Desktop and 802.1x

Hi there,

We just started to implement 802.1x at the office (I know, we're a bit late to that party) - still in the early stages. Authentication is through NPS. PCs get their IP and assigned to a vlan based on the user who logs in. So far so good.

However, most people working from home just have a dummy laptop that they use to establish a VPN connection and then remote desktop into their desktop PC in the office.

How can I make that option still be available with 802.1x? Assign a default IP and vlan based on the PC's MAC that will only allow people to remote desktop in? Would that work?



Getting wrong format csr from switch

Hi all,

I want to roll out locally signed certificates to my switches (ArubaOS-S / f.e. 2540) via their API. It all works fine so far, but the API seems to return me the wrong CSR.

I can look into the CLI and get the correct CSR, so the API call for creating the CSR is correct, it's just the wrong value returned.

Maybe I need to decode it or something? The return value is named ' certificate_detail_base64_encoded '. I tried importing the CSR to xca but it doesn't recognize the format. Also, the API returns me a long one-liner, no linebreaks.

Here is what I get from the API:


Here is what the same CSR looks like in the CLI:

-----BEGIN CERTIFICATE REQUEST-----
MIIBozCCAQwCAQAwYzEUMBIGA1UEAxMLU3dpdGNoXzI1NDAxCzAJBgNVBAsTAklUM
Q4wDAYDVQQKEwVBaXJJVDEUMBIGA1UEBxMLTGFuZ2VuaGFnZW4xCzAJBgNVBAgTAk
RFMQswCQYDVQQGEwJERTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAl4HEeK2
9N5UXaoS4X566HUqF/e4BwhfKAuhwRWpeb+nEzsbC8pPUrnzPDYGMJkAcyz/mshF2
qjmf+S7vkHomScZ7po5Hun9FYKLhiugSIoRfNywx+zemWkd8xllUcJKpAiHKbJdoD
UK5qKHXAunyJ3XjXQ3Fl8YkbeBj/KlB9OUCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4
GBAA2OnkU447m/gurAJ7G5ryHk6+z9SydghRqSO8A1pEa9L9iILdcbioiQem4LQY7
Qdv0jYwzwJB8Jzpa0NMkHloIG+yVYWG7vrNIdLIUomx2IeAwNJAYPnQ7ZYrnkvm09
YUEQ+UV1GKvWTzgokwuc0Wbr1xqyQXb9UM4iaDuzj4RK
-----END CERTIFICATE REQUEST-----

Any ideas?
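A field called certificate_detail_base64_encoded can mean several different things: the PEM text with its line breaks collapsed (what the one-liner in the post looks like), the whole PEM text base64-encoded a second time, or only the DER bytes in base64. The normaliser below is an added example, not code from the post or from ArubaOS-S; it accepts all three forms, rewrites them as a standard 64-column PEM that tools like xca will read, and checks that the decoded payload is exactly one complete DER SEQUENCE, which is the quickest way to tell a truncated field from a merely mis-wrapped one. The sample inputs are constructed, and the DER blob is a minimal stand-in (SEQUENCE { INTEGER 0 }), not a real certificate request.

```python
"""Added example, not code from the post or from ArubaOS-S: turn a CSR that
an API hands back as one long line into a well-formed PEM, whatever encoding
the field actually used, and verify the payload is complete."""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"


def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose encoded
    length agrees with the bytes present; catches truncated fields."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long form: (first & 0x7F) length bytes follow
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def to_pem(der: bytes) -> str:
    """Standard PEM layout: header, base64 wrapped at 64 columns, footer."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def normalize_csr(value: str) -> str:
    """Accept PEM with newlines collapsed to spaces, PEM that was base64
    encoded a second time, or bare base64 DER; return clean PEM or raise."""
    text = value.strip()
    if text.startswith(BEGIN):
        if END not in text:
            raise ValueError("PEM footer missing")
        body = text[len(BEGIN):text.index(END)]
        der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    else:
        compact = re.sub(r"\s+", "", text)
        try:
            blob = base64.b64decode(compact, validate=True)
        except binascii.Error as exc:
            raise ValueError("field is neither PEM nor base64") from exc
        if blob.lstrip().startswith(BEGIN.encode("ascii")):
            return normalize_csr(blob.decode("ascii"))  # PEM encoded a second time
        der = blob
    if not der_length_ok(der):
        raise ValueError("payload is not one complete DER SEQUENCE")
    return to_pem(der)


def is_csr_like(value: str) -> bool:
    """Convenience wrapper: True if normalize_csr accepts the field."""
    try:
        normalize_csr(value)
        return True
    except ValueError:
        return False


# --- constructed samples (not the poster's data) ---------------------------
SAMPLE_DER = bytes.fromhex("3003020100")                        # stand-in blob, not a real CSR
CLEAN_PEM = to_pem(SAMPLE_DER)
FLATTENED_PEM = CLEAN_PEM.replace("\n", " ")                    # newlines lost in transit
DOUBLE_ENCODED = base64.b64encode(CLEAN_PEM.encode()).decode()  # base64 of the PEM text
RAW_B64_DER = base64.b64encode(SAMPLE_DER).decode()             # base64 of the DER only

if __name__ == "__main__":
    for name, sample in [("flattened", FLATTENED_PEM), ("double", DOUBLE_ENCODED), ("raw", RAW_B64_DER)]:
        print(name, "->", normalize_csr(sample) == CLEAN_PEM)
```

If the real field fails the DER length check after all three paths, the API is returning less than the CLI shows, and the comparison to make is byte count of the decoded payload against the CLI output rather than anything about formatting.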



Monday, April 6, 2020

Gear for super small remote sites

We have an upcoming project in ideation. We currently have a fairly large number of very small sites that are essentially unmanaged from the network perspective. Mostly residential ISP connections with consumer equipment that was setup by local staff or region technicians. We intend to try and upgrade about 80 sites with managed switches, access points, and firewalls. Sounds great so far, right?

Now the not so great part. Most of these sites are really small, like 3 people and a drobo small. Normally we use Juniper gear at a lot of leased line sites, but I'm starting to think that the cost of the project might get a bit expensive for the return. Also, site-to-site VPN is out of the question for now due to some policy / political stuff. That makes remote management more troublesome as well.

Where do you all draw the line on these things? Is there a $x per employee rule of thumb?



Zip ties

I have this poe switch in my network distribution in my home:

https://images.app.goo.gl/zwpW46PFumDbmhr7A

https://photos.app.goo.gl/rDuTVUZfoH1UZKtn6

Unfortunately, the cat6 feeds coming into this box do not reach all the way down to the bottom, and the brackets with this switch do not mount correctly in this box.

I ended up using gorilla double-sided tape to mount it in the middle of the network box so that the cat6 feeds could reach. I'm not sure if the double-sided tape is sustainable. I would need long zip ties to get through the holes in the network box and completely around the switch. Does anyone have suggestions of where to get those zip ties for a decent price, or another method of securing the switch inside the distribution box?



What are the different security features in 802.11/a/b/g/n/ac

how secure are the different protocols?



Network Security at FAANG companies.

Hi guys,

What does day-to-day network security look like at FAANG companies? Do they have a separate security team or is it taken care of by the network engineering team itself? What are the specific skillsets needed to get into these kinda roles apart from being a brilliant network engineer?



Myricom switches with Ethernet ports?

Myricom’s Myrinet M3-E64 switch has a lot of Myrinet ports, and two Ethernet 8P8C/RJ45 ports, labeled "Ethernet main" and "Ethernet Aux". As I can’t find a manual for these switches somewhere, what are these ports for?

Plain Ethernet management ports, or bridge ports between Myrinet and Ethernet?



Ansible. Cisco IOS XE. Getting partial "facts" after adding tacacs.

I'm new to ansible working through the process with some Cisco routers. I was able to gather facts without an issue until I added the devices to the ISE server and enabled tacacs. I've tested both ldap and local ISE user accounts with no difference: all can log in and run every show command. However the get facts is missing net neighbors and net resources data with all selected.

with the exact same setup, if I remove tacacs I have absolutely no issues gathering all the facts for net neighbors and net resources. AAA tacacs configuration and ISE server settings are fairly standard no restrictions at all. All show commands work successfully with any of the user accounts tested.

Anyone ever encountered this before? Cisco IOS XE 16.09



Newb in need of a little help regarding port type on Cisco Nexus switches

I'll start this off by stating I am by no means a networking expert; if this is a repost please forgive me.

I currently work in an environment with a multi datacenter setup. We are connecting the datacenters via private cross connects using the colo's backbone. On the initial setup we ran into spanning tree issues that were beyond my understanding (tri node colo setup).

After further investigation we noticed that the VLAN we were using for the cross colo connection was identifying its root bridge as being on both switches in each datacenter. We resolved this by setting the spanning-tree priority on the VLAN lower on one of the datacenters. It was also recommended that instead of using access ports for the cross datacenter connection we use trunk ports and only allow the particular VLAN across.

IE: Instead of switchport access vlan 1000

we were recommended to change the port type to:

switchport trunk allowed vlan 1000

switchport trunk native vlan 1000

I know this is a very poorly described scenario but would someone be able to explain the difference between an access port and a trunk port where you are only allowing 1 vlan across? Is there a difference or preferred method?

Lastly,

Say I have two Cisco Nexus switches in a VPC domain in each datacenter (1 vpc domain per DC). If I am going to set the root bridge priority on one side (IE: Datacenter A) should that priority be specified on both switches in the vpc domain or just the switch the particular link is connected to? (Note the cross datacenter links are orphaned ports, it only uplinks to 1 switch and is not in a port channel as it is not a dual handoff setup)

Sorry for the lack of details. If anyone has any questions feel free to ask. If anyone is able to shed some light on this it would be greatly appreciated!



What's a good fit for the network?

Would a Dell r710 be good enough for VyOS to NAT for 1 gigabit, 10 Gig? Since this is a school environment, we can't afford any new routers and only have a PowerEdge 2950 (which we are currently using for VyOS) or the r710. We have 2 Arubas connected via SFP+ going to the VyOS but the VyOS only has 1 gigabit connection coming in right now. We also are running a Wireguard tunnel through the VyOS and would like at least 1 Gig through the tunnel.

Which server is best?



Networking Projects for Students

I am in a 200 level networking class in college and our professor has given us the option to do a project in place of our final, however I am having trouble thinking of something that would be easy enough to do at home while still staying relevant. Some of the topics and tools we have covered in our class are network protocols and standards, virtual machines, wireshark, ssh, basic cyber-security, MITM, Evil twin, and spoofing. Mind you, this is an entry level networking course and I don't have very much hardware I can access while quarantining...regardless, let me know if you guys have any ideas, anything helps lol.



Firewall placement in EVPN + VxLAN design

If I am building an EVPN + VxLAN design using Cisco Nexus 9k switches, in that case where should I park my Cisco ASA firewall and how does the anycast gateway route my traffic via the firewall for some ACL check?



VPN boxes for 5000+ users?

We've been using the same hardware provider for 15 years, 1000 users license and so far, so good, but with the Covid-19 situation we've had to scale up to 5000/6000 users and, can't disclose, but let's say that there were a couple of things about licensing they didn't tell us when we bought the "emergency license", so fuck'em. We're not renewing. We've been talking about a couple alternatives but I would like to know what you're using.



Barracuda FW and ADFS

Hello all, I hope everyone is healthy,

We're evaluating a VF-series barracuda firewall for SSL-VPN access. I'd like to set up ADFS for authentication but I'm struggling with the certificates. Also, when I export the metadata from the barracuda the data in the file is all sample data, not what I expect to see (maybe because I haven't created the certs correctly).

If anyone has set up ADFS with Barracuda firewalls, could you help me understand the certificates and how they map to ADFS?

Thanks all!

VF-1000 barracuda v8.0.2
ADFS 2016



Anyone else's infosec department using Tenable Vulnerability Scans?

We use tenable throughout the entire scope of our enterprise networking environment, mostly without issue.

When it comes to scanning our corporate environment, we've been having a lot of issues out of the scan. Our corp office consists of 2 6807xl VSS core and 2960x 15.2(7)E0a stacks for the access layer and the Nessus scanner is only scanning the management interfaces of the network equipment. There are no firewalls that it is scanning through.

I dove into all the logging and NetFlow information I can, and it appears that as soon as the Nessus scanner starts the SYN part of the scan, the switches start throwing Spanning tree PVID inconsistency errors or SSTP BPDU with bad TLV errors. The VSS attempts to mitigate whatever causes this by blocking and unblocking VLANs on the aggregate links (lacp active) to no avail, and within 4 minutes of the scanner starting, I get switches that begin crashing and throwing traceback and IPC errors, which render the switch unmanageable/inaccessible and stop it forwarding traffic.

Also from what I can gauge, the SYN scanner seems to be doing an "all at once" scan and it looks very aggressive, INFOsec manages the Tenable/nessus scanners themselves.

This a reproducible issue with the scanners and I'm waiting to hear what TAC has to say about it. Has anyone else had issues like this to where a nessus or port scanner basically crashes switch stacks?



"Immovable" VPN Client Solution

We currently have a deployment of Microsoft's Direct Access VPN which provides us the functionality, however the deprecation of the product has us looking for something else. The Microsoft replacement we don't really like, and having to manage machine certificates is something we'd like to avoid as well. Are there any VPN clients out there that use a secure structure such that a savvy user or attacker can't glean all the necessary settings to replicate the VPN client to a different machine?



RRAS in Azure with Meraki VPN Concentrator issue

/r/AZURE/comments/ftm4xv/rras_in_azure_with_meraki_vpn_concentrator_issue/

Basic: How do I find what's using my bandwidth?

I run some servers in a colo facility behind a Juniper SRX firewall. Nothing special, just NAT and ipv4.

Suddenly our outbound traffic has ramped up and is causing me issues. I need to find what the traffic is, but it could be from any of 50 servers.

I believe I need to use "netflow" or "jflow" for this, but I can't find a decent thing for collecting / reviewing it.

What are you all using? I need something free/quite cheap as this is for 1 device only and we're only a small company.



SIP DDoS expected? Customer got a notification about their Avaya SBCE - seems odd and unlikely they could know of this coming attack but curious if anyone knows more.

Reports of this from at least 1 customer who uses Avaya SBCE; anyone else hear anything about this?

Supposedly they got this from a reputable source but I'm wondering how anyone could know of any impending attack - ?

“It has come to the attention of the Avaya security team the potential of a major SIP Denial Of Service attack in the next few days.

As far as we know, the attack is targeted to be launched against major US infrastructure companies in telecom, oil, healthcare, and insurance sectors in a couple of days (perhaps even as soon as Monday). State-sponsored hackers called Advanced Persistent Threats APT-28 (Fancy Bear) and APT-29 (Cozy Bear) are believed to be affiliated with Russian GRU (military intelligence) and with some Iranian factions. They are acquiring enormous quantities of BOTs on the Dark Web in preparation for DDoS attacks and training their devices with lists of IP addresses that respond to SIP.

They are using RPC Portmapper DUMPs and SIPVicious scanners to detect IP addresses that respond to their (currently) benign traffic queries that are used for portmapping target devices and networks.

What follows will be a major (terabit/second) attack on major infrastructures in the West. I wanted to share this with you whether you use Avaya SBCs or not.

If using Avaya SBCs, our guidance is to reprogram the SBCs to turn on Denial of Service prevention attacks. SBCs are usually set to “observe” mode. It will need to be turned on and traffic shaping/limiting turned on to prevent further damage.

We can’t confirm 100% this will happen, but I wanted to give you a heads up in case you wanted to make the decision to proactively adjust or have a plan in place.”



http packet analysis - no packet loss but lots of missed data

I'm trying to get better with tcp packet analysis but I'm stuck here.

A client in Frankfurt is downloading a 10MB file via wget from a server in New York. There's no packet loss and traceroutes come back clean with the expected latency. I did a pcap on the client side and the download starts off okay but a few packets in, the client keeps ACK'ing for the same sequence number, which tells me it's not receiving all the data sent by the server. Here's a screen cap with sequence numbers and ACKs underlined: https://imgur.com/a/31jy4W1

This happens frequently throughout the transfer, which results in very slow download speeds. I've tested this from a few different locations globally and most are okay, with only some showing the slower download speeds and exhibiting the same symptoms. My question: if there's no packet loss and latency is normal, what could be causing the client to be missing data from the server?
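The pattern in the screenshot, the client ACKing the same number over and over, means the client is holding a hole in the byte stream: a segment after that sequence number arrived, but the one starting at it did not, so the receiver can only re-acknowledge what it has. Clean ICMP traceroutes do not rule that out, because they test small probe packets rather than full-size TCP segments. The following is an added example, not code from the post or from Wireshark: a small pass over client-side capture records that reports the unfilled holes, counts duplicate ACKs per acknowledgement number and tallies late retransmissions, which is the same information Wireshark's "previous segment not captured" and "Dup ACK" annotations carry. Records use relative sequence numbers as Wireshark displays them, and the trace below is constructed to reproduce the symptom (the client's capture, with one segment arriving late and one never arriving); it is not the poster's capture.

```python
"""Added example, not from the original post: find the holes behind repeated
ACKs in a client-side capture.

Each record is (direction, number, payload_len). 'in' is a server->client
data segment (number = relative seq); 'out' is a client->server ACK
(number = relative ack, payload_len 0)."""
from dataclasses import dataclass, field


@dataclass
class Finding:
    missing: list = field(default_factory=list)   # (start, end) byte ranges never received
    dup_acks: dict = field(default_factory=dict)  # ack number -> how many times it was repeated
    retransmits: int = 0                          # data segments below the highest seq already seen


def _merge(intervals):
    """Merge overlapping or adjacent (start, end) ranges."""
    merged = []
    for s, e in sorted(intervals):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def analyze(records, first_seq: int = 1) -> Finding:
    """Walk the records in capture order and report holes and dup ACKs."""
    f = Finding()
    expected = first_seq          # next in-order byte the client should see
    received = []                 # every data range that did arrive
    last_ack = None
    for direction, num, length in records:
        if direction == "in" and length > 0:
            if num > expected:    # hole: bytes expected..num have not arrived (yet)
                f.missing.append((expected, num))
            elif num < expected:  # late or retransmitted data
                f.retransmits += 1
            expected = max(expected, num + length)
            received.append((num, num + length))
        elif direction == "out":
            if num == last_ack:   # same ACK again: client still waiting for a hole to fill
                f.dup_acks[num] = f.dup_acks.get(num, 0) + 1
            last_ack = num
    # keep only holes that no later segment ever filled
    covered = _merge(received)
    f.missing = [h for h in f.missing
                 if not any(s <= h[0] and h[1] <= e for s, e in covered)]
    return f


def bytes_missing(f: Finding) -> int:
    """Total payload bytes the client never received."""
    return sum(e - s for s, e in f.missing)


MSS = 1460
# Constructed client-side trace: the segment at seq 2921 arrives late,
# the segment at seq 8761 never arrives at all.
SAMPLE = [
    ("in", 1, MSS), ("out", 1461, 0),
    ("in", 1461, MSS), ("out", 2921, 0),
    ("in", 4381, MSS), ("out", 2921, 0),    # 2921..4381 skipped -> first dup ACK
    ("in", 5841, MSS), ("out", 2921, 0),
    ("in", 7301, MSS), ("out", 2921, 0),
    ("in", 2921, MSS), ("out", 8761, 0),    # late segment fills the hole, ACK jumps
    ("in", 10221, MSS), ("out", 8761, 0),   # another hole, never filled in this trace
]

if __name__ == "__main__":
    result = analyze(SAMPLE)
    print("unfilled holes:", result.missing, "bytes:", bytes_missing(result))
    print("dup ACKs:", result.dup_acks, "retransmits:", result.retransmits)
```

Run over a real capture (for example a CSV export of seq/ack/len columns), a non-empty `missing` list plus a matching run of duplicate ACKs at the hole's start pins the problem to specific full-size segments not reaching the client, which is what to compare against a capture taken on the server side.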



Service Provider Employee's, how are you managing the increase in bandwidth?

From what I have heard most of the stress is coming at the access layer (esp on the uplink side). Curious how your companies are responding? Are engineers able to manage things remotely or are a lot of employees required on site to install new hardware?



LTE modem failover hardware that doesn't need a subscription

Hi all,

What are your recommendations for LTE modem failover hardware, preferably something that can take a SIM from whatever provider, and can just sit there.

I currently have a Cradlepoint ARC CBA850, and it won't get firmware updates anymore because those are locked behind a paywall. :(

So I am looking for something with similar functionality and reliability, that doesn't need a subscription to update it.



When VIRL 2.0 release coming out?

I am waiting for VIRL 2.0 badly and I have some lab work I need to do. I can download 1.6.x, but I'm not sure if 2.0 comes out, can I upgrade or do I have to stick with 1.6.x?



Firepower multi-instance experience

Let's not get into rant about Firepower, we all know that...

On paper multi-instance tech looks rather good - full separation with independent upgrades, resource allocation and so on. I would have two FTD instances on 4000 series (two HW boxes, active/passive HA between instances), basically one external and one internal firewall. They will be managed by the same staff, but are serving different purpose and splitting them makes sense to me (currently they are two different physical FWs). They can be merged in case there are strong points against multi instance approach and going classic HW active/passive HA.

What I'm worried about in case of multi-instance is more or less reliability - instances are a rather new feature and are run by docker, which may not come with a direct performance penalty, but that's one more layer of complexity and technology that may go wrong. And it's not like FP is free from issues even without counting this...

Feel free to share any experience with FP multi-instance deployments - stability, reliability, etc.



Access-list for network ID address?

I have an access-list like this:

access-list 100 deny ip 192.168.12.192 0.0.0.15 any

access-list 100 permit ip any any

As I understand it, the access-list will just deny the addresses from 192.168.12.193 -> 192.168.12.207 (broadcast included)

But when I test with a host 192.168.12.192/24, the Access-list also denies this host. Please explain why it happens, thanks for reading.
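An access-list entry does not reason about subnets, network IDs or broadcast addresses; it compares bits. A wildcard of 0.0.0.15 fixes the upper 28 bits of 192.168.12.192 and leaves the low four free, so the entry matches 192.168.12.192 through 192.168.12.207 inclusive, the .192 address included, whatever prefix length the test host happens to carry. The code below is an added example, not from the post, that computes the matched range for any address/wildcard pair and evaluates access-list 100 as written above with first-match semantics and the implicit deny at the end.

```python
"""Added example (not code from the post): how an IOS-style wildcard mask
selects addresses, applied to access-list 100 from the post above."""
import ipaddress


def _ints(address: str, wildcard: str):
    return int(ipaddress.IPv4Address(address)), int(ipaddress.IPv4Address(wildcard))


def wildcard_range(address: str, wildcard: str):
    """Return (first, last) address matched by address/wildcard.

    A 1 bit in the wildcard means "don't care"; a 0 bit must equal the
    corresponding bit of the address. The matched block therefore runs from
    the address with all free bits cleared to the address with them all set.
    """
    addr, wc = _ints(address, wildcard)
    fixed = 0xFFFFFFFF ^ wc               # bits that have to match
    first = addr & fixed
    last = first | wc
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def ace_matches(address: str, wildcard: str, host: str) -> bool:
    """True if host agrees with address in every fixed (wildcard 0) bit."""
    addr, wc = _ints(address, wildcard)
    fixed = 0xFFFFFFFF ^ wc
    return (int(ipaddress.IPv4Address(host)) & fixed) == (addr & fixed)


def evaluate_acl(acl, src: str) -> str:
    """First-match evaluation of (action, address, wildcard) entries, with
    the implicit deny that ends every IOS access-list."""
    for action, address, wildcard in acl:
        if ace_matches(address, wildcard, src):
            return action
    return "deny"


# access-list 100 as written in the post; "any" is 0.0.0.0 255.255.255.255
ACL_100 = [
    ("deny", "192.168.12.192", "0.0.0.15"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    print("deny entry covers", *wildcard_range("192.168.12.192", "0.0.0.15"))
    for host in ("192.168.12.191", "192.168.12.192", "192.168.12.207", "192.168.12.208"):
        print(host, "->", evaluate_acl(ACL_100, host))
```

The same functions show why a non-contiguous wildcard such as 0.0.1.15 is legal on IOS even though no subnet mask corresponds to it: wildcard_range still returns the outer bounds, but ace_matches is the only thing that tells you which addresses inside those bounds actually hit.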



Searching For Partners!

IN SEARCH FOR NEW BUSINESS PARTNERS

Fellow Entrepreneurs, my team and I have decided to offer you a unique opportunity for the development of your E-Commerce for FREE.

Currently we have an agency with over 50 projects out of which a lot of them are successful E-Commerce projects, therefore you can be sure that you'll get a high quality solution in cooperation with us.

Our ideal partner is an Entrepreneur who currently has an established business with regular customers (either online or offline) and is interested in the creation of a new revenue stream through their E-Commerce.

Our usual price for the creation of these kinds of projects, where we take care of the design (UX) and coding, is on average about 5000€.

In this opportunity you will get this solution absolutely for FREE, in return we will arrange a commission out of the revenue generated from your new webshop. As well, we will maintain your webshop for free (for which companies usually have to hire a developer/store manager with fixed salary).

Since the development of E-Commerces is time consuming and complex we are able to offer this opportunity to a limited number of Entrepreneurs.

To be precise in the next two months we have three open spots and as soon as we fulfill this quota, this offer will no longer be valid.

So, if you are interested and feel like you are a good fit, please PM us and we will try to establish our new partnership.

Best regards



Cisco ASR 9006 upgrade

Hi,

Does anyone know if the upgrade process of the ASR9006 from 5.x to 6.x is any different from the upgrade of the 9001? I'm wondering especially regarding the dual RP in the 9006.

Thanks.



Hello All - minor site to site ipsec issue...

I am using pfsense for my side of a site to site vpn. Due to conflicting subnets we have had to NAT each subnet using a feature built in to the ipsec tool. If you'll stay with me, here are the details and issues I am seeing and I am a bit confused.

Not actual addresses

6 subnets - only 1 of them can ping the remote side (this ip is in the same subnet as the gateway).

The remote side uses a public ip address so I have had to specify a static route to use the tunnel to get there.

On our first tests, we were able to get connectivity on 192.168.15.0/24 but this was only after the remote side pinged the device (192.168.15.100) in that subnet first. Now the remote side are saying they can't ping that device... though nothing has changed to my knowledge (their problem?)

I have just run a packet capture on our pfsense box to see if I could determine where the issue is. All I can see is a bunch of "No Response ", not even a type 3 unreachable. Is there anything more I can do to identify the issue or prove that this is not an issue on our side?



One of our sites has everything running except for the Silverpeak device

The site went down due to non payment of bill from Spectrum.

After the bill was paid all the following devices except for the SDWAN Silverpeak (NX-5500 & NX-3500) devices have come up.

  1. Meraki MR42 Cloud Managed AP
  2. Meraki MS120-24P Cloud Managed PoE Switch
  3. One PDU
  4. One Opengear

What could be the reason for the Silverpeak device to be still down? The ISP modem connected to the wan port of the silverpeak device could be down. But if that's the case, all the devices should have gone down.



Python script working correctly for pure ASA but not on ASA image on Firepower

Have a small script that logs into multiple VPN gateways and fetches the data. On pure ASA, no issue. But on FXOS with ASA image, it does not work. Log in works fine, but it does not show the output. Is there any way I can check what is going on? I don't want to run debug on the FP.

Here's the code. https://pastebin.com/Fg5TTGNL