Saturday, May 2, 2020

Trying to access ADMIN settings to change DNS within the OPTUS F@ST 3864AC ROUTER. If anyone knows a workaround that’ll be great, thanks (it’s my only router)

If anyone knows how to unlock admin privileges or whatever I’d be forever grateful as this is a huge annoyance for me lmfao, below I attached a detailed pic of my router information.

Thanks in advance!

router info



Host unreachable when pinging

I am in an internal network with two VMs and on one host I try to connect to the default gateway but it tells me the destination host is unreachable.
I want to test connection between the two hosts

One host is windows other host is linux

Output:

Pinging 10.10.10.112 with 32 bytes of data:
Request timed out.
Reply from 10.10.10.111: Destination host unreachable.
Request timed out.
Reply from 10.10.10.111: Destination host unreachable.



New Data Center - ToR Singlemode or Multimode?

I'm trying to build a cable plant design for a new data center. I have to spec out a lot of multimode fiber for the server folks who insist on using fibrechannel for storage, but for regular ethernet traffic should I also stick to multimode or should I go with singlemode? As speeds push to 100Gb and 400Gb is multimode no longer a viable option? I'm just getting up to speed on 400Gb now, but it seems like there is no bidi option for multimode but instead requires a full MPO24(!)

Any thoughts from data center folks?



CCIEs of reddit: how long was your average read/day?

Hi everyone.

I struggle. I have always struggled. I do not know whether I am too lazy or borderline ADHD. But my max. concentration study time is 2 hours/day. After that my brain cannot absorb anything else and I would just stare at the void as I am unable to store any new information.

Should I just quit my dream target or is there a trick to it?



Recently passed my CCNA, worth picking up JNCIA?

Hey peeps,

I recently passed my CCNA before the certapocalypse and managed to get my CCNA R&S. I recently came across the JNCIA and saw that the first level is free.

Is it worth picking up?



Software to Make a Network Diagram?

Howdy!

I am keen to make a network diagram for a small business (~50 people, maybe 200 devices). Any suggestions as to what type of software to use or any other handy info?

Thanks!



Why is TCP BBR throughput still significantly affected by packet loss?

After reading this medium post [1] about BBR, where they simulate packet loss using the following command:

sudo tc qdisc add dev eth0 root netem loss 1.5%

But throughput drops from 8.55 Gbits/sec to 2.49 Gbits/sec with TCP BBR.

Since BBR is designed to respond only to actual congestion by modeling the real available bandwidth I don't understand why the throughput is reduced this much.

Is it because the model still assumes the available bandwidth is this small?

[1] https://medium.com/google-cloud/tcp-bbr-magic-dust-for-network-performance-57a5f1ccf437



Juniper:EVPN:VXLAN - Router id mismatch with source vtep

Dear all, I hope you guys are doing well and safe!

Juniper noob here trying to learn EVPN VXLAN

After loads and loads of digging, I arrived at the config shown below, but I really cannot find why my commit fails with the following error:

Router id mismatch with source vtep: router-id:0.0.0.0 lo0.0:10.100.100.1 error: configuration check-out failed 

This is the config I have on one of lab MX

jcluser@vMX1# edit routing-instances

[edit routing-instances]
jcluser@vMX1# show
EVPN {
    protocols {
        evpn {
            encapsulation vxlan;
            extended-vni-list 34;
            multicast-mode ingress-replication;
        }
    }
    vtep-source-interface lo0.0;
    instance-type virtual-switch;
    bridge-domains {
        BD {
            vlan-id 34;
            routing-interface irb.34;
            vxlan {
                vni 34;
                ingress-node-replication;
            }
        }
    }
    route-distinguisher 10.100.100.1:34;
    vrf-target target:1212:34;
}

[edit routing-instances]
jcluser@vMX1# top edit interfaces lo0

[edit interfaces lo0]
jcluser@vMX1# show
unit 0 {
    family inet {
        address 10.100.100.1/32;
    }
    family iso {
        address 49.0001.1010.0100.0000;
        address 49.0001.1010.0100.0001.00;
    }
}

[edit interfaces lo0]
jcluser@vMX1# commit
[edit routing-instances]
  'EVPN'
    Router id mismatch with source vtep: router-id:0.0.0.0 lo0.0:10.100.100.1
error: configuration check-out failed

[edit interfaces lo0]
jcluser@vMX1#

Why oh why!!

Have you seen this before?

Is there any easy to follow one workbook for learning EVPN / VXLAN?

I appreciate your comments and directions

ppacv
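The commit error above reports router-id 0.0.0.0, i.e. no global router-id is configured while the VTEP source interface lo0.0 carries 10.100.100.1. The following is an added example, not the poster's code or anything from Juniper: a small Python linter that parses a Junos brace hierarchy and reports every routing instance whose vtep-source-interface address differs from routing-options router-id. It assumes (my understanding of the check Junos performs, not something the post states) that the remedy is to set routing-options router-id to the lo0.0 address; the sample configuration is trimmed from the post, and the routing-options stanza in the "fixed" variant is my addition.

```python
# Constructed sample, trimmed from the poster's configuration to the statements this
# check reads (the family iso addresses are omitted). No routing-options stanza is
# present, which matches the commit error on the page: router-id reported as 0.0.0.0.
POSTED_CONFIG = """
routing-instances {
    EVPN {
        vtep-source-interface lo0.0;
        instance-type virtual-switch;
        route-distinguisher 10.100.100.1:34;
        vrf-target target:1212:34;
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 10.100.100.1/32;
            }
        }
    }
}
"""

# Assumed remedy (not stated on the page): pin the global router-id to the VTEP source address.
FIXED_CONFIG = POSTED_CONFIG + """
routing-options {
    router-id 10.100.100.1;
}
"""


def parse_junos(text):
    """Turn a Junos curly-brace hierarchy into nested dicts.

    Container headers ("unit 0 {") become dict keys; leaf statements ("address X;")
    map the first word to the rest of the line. Good enough for a linter; it does not
    handle annotations, apply-groups or repeated leaves under one container.
    """
    root = {}
    stack = []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        elif line == "}":
            node = stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            node[key] = value.strip() or True
    return root


def check_vtep_router_id(text):
    """Return one finding per routing instance whose VTEP source address differs
    from routing-options router-id (an unset router-id counts as 0.0.0.0)."""
    cfg = parse_junos(text)
    router_id = cfg.get("routing-options", {}).get("router-id", "0.0.0.0")
    findings = []
    for name, inst in cfg.get("routing-instances", {}).items():
        src = inst.get("vtep-source-interface")
        if not isinstance(src, str):
            continue  # instance has no VTEP source, nothing to compare
        ifname, _, unit = src.partition(".")
        addr = (cfg.get("interfaces", {}).get(ifname, {})
                   .get(f"unit {unit or '0'}", {}).get("family inet", {}).get("address"))
        vtep_ip = addr.split("/")[0] if isinstance(addr, str) else None
        if vtep_ip != router_id:
            findings.append(f"{name}: router-id {router_id} does not match {src} address {vtep_ip}")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", POSTED_CONFIG), ("with router-id set", FIXED_CONFIG)):
        print(label, "->", check_vtep_router_id(text) or "OK")
```

Run against the posted hierarchy the checker reproduces the mismatch the commit reported; with the assumed routing-options stanza appended it returns no findings. The parser is deliberately minimal (a real pre-commit check would read `show configuration | display set` output instead), but it is enough to catch this class of error before `commit` does.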



Can this be done more elegantly? Forcing an app to use 1 network interface over the other

I have done it using a CMD line program called ForceBindIP, but I was wondering if there was a better way of doing something like this.

I have two internet connections at home, a 5G router and my main connection. The idea is I want program A to use my 5G router's connection via the wifi network adapter, and everything else just use the ethernet adapter to connect to the internet. This is so program A can keep running in the background doing whatever it wants with no negative effect on my main internet connection.

I thought something this simple would be easy to do in Windows but I guess not. So yeah, any better ways of doing this than using ForceBindIP?



Good networking books

What are some good networking books for introductory, intermediate knowledge? Any classics or modern network philosophies?? Thanks!



Upnp zero config?

This setting is enabled, and has an option for zero config can someone explain the difference between zero config on and off?



Juniper Campus EVPN-VXLAN Fabric

Has anyone here used Juniper's campus EVPN fabric? I am looking at different solutions for VXLAN overlays to allow layer 2 connectivity across a fabric without creating a huge L2 domain like I have today. This is required for different vendors that have statically assigned mobile devices and can't do DHCP.

Has anyone used the Juniper solution on their EX series switches, creating a spine/leaf architecture? Most of the info I have found from an end user perspective is their data center solution. Does anyone have experience with the campus solution? How stable has it been? Have you run into any issues? How easy is it to configure and maintain? Have you used this with multiple routing instances (VRFs)?

Thanks



Am I missing something ? /32 subnet mask for PPPoE

Hey fellas,

First post ever, so go easy on me.

So I got my CCNA and got my first networking job. We have a small customer who bought a router from us and wishes to use it with their existing PPPoE connection. They don’t have their own IT, just 3rd party support, and we asked them for the connection type so that we can pre-configure the router prior to shipping.

So according to them we need to set a static IP on the PPPoE interface but with the subnet mask of /32..?

Since I’m a newbie, I did not want to question their network engineer, but even my colleagues were surprised (they are located in the US, so they are not really familiar with this type of “old connection”).

Is there a gap in my knowledge regarding any speciality of PPPoE, or did the guy just make a typo and want to write /30 for a p2p connection?

Any comments are highly appreciated, thanks



upgrade to FGT 6.2.3 and issues with an office reaching our EMR and VMware View

Hi - we are a small hospital that recently upgraded our Fortigate firewall from 5.6.11 to 6.2.3. The upgrade went smoothly, albeit with a couple of minor issues, one being that our SSLVPN users couldn't reach our internal ADFS / SSO server due to a caveat in the new code, which tech support was able to remedy by enabling auxiliary session (https://docs.fortinet.com/document/fortigate/6.2.3/technical-tip-enabling-auxiliary-session-with-ecmp-or-sd-wan/19/fd47765)

However, one issue remains, and that is that a healthcare org that we closely work with is no longer able to reach our EMR (which is publicly accessible via a pub DNS record and SSL cert), as well as our VMware View connection server. Both of these should be reachable over 443, and from our firewall rules should be allowed in. I've confirmed I am able to publicly hit both from the internet, regardless of where I am, can access both on my smartphone for example, AND I can successfully access both via this healthcare org's PUBLIC wifi (separate network).

But for this healthcare org it seems to be timing out when navigating via https while on their wired and secure wifi network - the telnet port tests show connectivity over 443, but to me it seems like a TLS issue - their web browsers are showing "Cannot connect to this site securely". I don't have any control over this org but as far as their IE Security options go, they allow TLS 1.0, 1.1, and 1.2, but they're all grayed out due to a GPO policy that I can't edit. They say they are allowing all 3 and I believe them based on what I see, but why can't they then hit our 2 sites on 443 securely?

The POC I worked with Friday said he whitelisted our domains with wildcard entries for our domain name on their webfilter, but I'm still skeptical. If I can reach these sites right now from my home machine, what would make this "our issue"? And I don't doubt that we have some part to play in it; the issue occurred following our firewall upgrade, so I am open to any insight or suggestions. Thanks!



New FTTH connection, problems with SSL VPN, slow file opening

Hi,

I'm here to ask for help identifying the root cause of an FTTH connection that is performing very poorly when opening files via SSL VPN.

Here are the specs:

  • 60 mbit up/down symmetric FTTH connection. It's a business-grade one with bandwidth reservation (600€/month)
  • Zywall USG 210 Router Firewall.
  • The server I'm opening the files on is a Windows 2016 file server VM, fully patched, 4 core, 6 GB RAM.
  • The infrastructure is new: 2 HP DL380 Gen10, 10 gbit networking between the 2 ESXi hosts and principal switch

Previously, we had an RDSL 15 mbit download and 3 mbit up at that site and opening a file actually took less time.

What I'm seeing: when I'm connected via SSL VPN (provided by the Zywall) to that server, if I try to open a 3 MByte Excel file I get Excel freezing for about 10 seconds, then I see that Excel is actually opening the file; I see the progress in roughly 15% increments, each one lasting about 3/4 seconds.

Total time to open a 3 MByte file is about 40 seconds. This doesn't change if I use my workstation or another, or if I have Excel already open or not.

What I've done until now:

  • Tested bandwidth: I have a full 60 mbit down/60 mbit up with 2/3 msec ping from a speedtest
  • I've adjusted the MTU of the WAN port to 1490, as I see it starts to fragment at size 1464 and does not at 1462
  • Running iperf from my home connection over the VPN I get transfer speeds of about 12/15 Mbit/s. I have a 100/20 mbit connection at home and it was not loaded with other tasks at the moment (Netflix, etc.)
  • The problem does not occur on the local LAN
  • Running Wireshark at my end, I get some TCP Spurious Retransmission and TCP Dup ACK errors repeatedly.

In Wireshark I tried to get some data (this data was captured today, when performance seems a little better, but I'm the only one connected today; yesterday with 5 people on the VPN the opening time in the SMB2 report was 23 seconds)

https://imgur.com/a/2twMyA9

SMB2 Service Response Time Statistics - Ethernet 2:

Index  Procedure     Calls  Min SRT (s)  Max SRT (s)  Avg SRT (s)  Sum SRT (s)
---------------------------------------------------------------------------
SMB2
  6    Close           208     0.017751     0.123955     0.027319     5.682350
  5    Create          205     0.018134     0.123470     0.030133     6.177226
 14    Find             30     0.050237     0.087804     0.056980     1.709402
 16    GetInfo          92     0.018054     0.104919     0.025832     2.376504
 11    Ioctl            16     0.018615     0.057483     0.025317     0.405076
  8    Read             54     0.018147     1.829909     0.245593    13.262049
  3    Tree Connect      6     0.018539     0.022023     0.019451     0.116708
  9    Write            12     0.018514     0.066883     0.023869     0.286423
SMB2
---------------------------------------------------------------------------
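The SRT table above is the most useful evidence in the post, so here is an added example (my own code, not the poster's) that parses the Wireshark SMB2 Service Response Time output and pulls out the three numbers worth looking at: which procedure dominates the summed response time, the per-request latency floor, and what that floor costs when a client issues hundreds of calls back to back. The table is embedded as the sample input; the interpretation (each SMB2 request costs at least one VPN round trip, and file opens serialize many of them) is mine, not something the post states.

```python
# Sample input: the poster's Wireshark SMB2 SRT statistics, laid out in Wireshark's
# column order (Index, Procedure, Calls, Min, Max, Avg, Sum).
SRT_TEXT = """\
SMB2 Service Response Time Statistics - Ethernet 2:
Index  Procedure     Calls  Min SRT (s)  Max SRT (s)  Avg SRT (s)  Sum SRT (s)
---------------------------------------------------------------------------
SMB2
  6    Close           208     0.017751     0.123955     0.027319     5.682350
  5    Create          205     0.018134     0.123470     0.030133     6.177226
 14    Find             30     0.050237     0.087804     0.056980     1.709402
 16    GetInfo          92     0.018054     0.104919     0.025832     2.376504
 11    Ioctl            16     0.018615     0.057483     0.025317     0.405076
  8    Read             54     0.018147     1.829909     0.245593    13.262049
  3    Tree Connect      6     0.018539     0.022023     0.019451     0.116708
  9    Write            12     0.018514     0.066883     0.023869     0.286423
SMB2
---------------------------------------------------------------------------
"""


def parse_srt_table(text):
    """Parse Wireshark/tshark SMB2 SRT rows into dicts.

    The last five tokens of a data row are always calls, min, max, avg and sum, so the
    parser works whether the opcode index precedes or follows the procedure name
    (procedure names such as "Tree Connect" may contain spaces).
    """
    rows = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 6:
            continue
        try:
            calls = int(toks[-5])
            mn, mx, avg, total = (float(t) for t in toks[-4:])
        except ValueError:
            continue  # title, header, rule or section line
        head = toks[:-5]
        rows.append({
            "index": next((int(t) for t in head if t.isdigit()), None),
            "procedure": " ".join(t for t in head if not t.isdigit()),
            "calls": calls, "min": mn, "max": mx, "avg": avg, "sum": total,
        })
    return rows


def total_calls(rows):
    return sum(r["calls"] for r in rows)


def dominant_procedure(rows):
    """Procedure with the largest share of summed response time, and that share (0..1)."""
    top = max(rows, key=lambda r: r["sum"])
    return top["procedure"], top["sum"] / sum(r["sum"] for r in rows)


def latency_floor(rows):
    """Smallest min-SRT across all procedures: the per-request cost the path imposes
    even when the server answers instantly (roughly one round trip over the VPN)."""
    return min(r["min"] for r in rows)


def serialized_floor_seconds(rows):
    """Lower bound on wall time if every call waits for the previous one to return."""
    return total_calls(rows) * latency_floor(rows)


if __name__ == "__main__":
    rows = parse_srt_table(SRT_TEXT)
    proc, share = dominant_procedure(rows)
    print(f"{total_calls(rows)} SMB2 calls; {proc} accounts for {share:.1%} of response time")
    print(f"latency floor {latency_floor(rows)*1000:.1f} ms per call, "
          f"serialized floor {serialized_floor_seconds(rows):.1f} s")
```

For this capture the 623 calls sit on a floor of about 18 ms each, so roughly 11 s of the open is pure round-trip cost before any server-side delay, and Read alone (54 calls, max 1.83 s) contributes about 44% of the summed response time. That pattern points at per-request latency and loss on the VPN path rather than at raw bandwidth, which is consistent with the spurious retransmissions the poster saw.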



Free Certifications and IT Conference Registrations (where they usually give out codes for more free certifications)

/r/sysadmin/comments/gc3ac1/free_certifications_and_it_conference/

Looking to pick up a pcie wifi card for my pc

I was wondering what are some decent PCIe wifi cards?

I have been hearing about AX wifi. Is that needed?

My build is from the Haswell generation, if support is an issue.

found this https://www.amazon.com/OKN-2974Mbps-Bluetooth-802-11AX-Wireless/dp/B07X462KRK wondering if that is decent one to get?



Networking Theory - From OSI to Authentication and beyond

As this subreddit is dedicated to networking I wanted to share my Networking series here for people to benefit from. Feedback is appreciated and feel free to share your resources in the comments for me and others to benefit from.

Full playlist:

https://www.youtube.com/watch?v=rIZ61PyDkH8&list=PLR0bgGon_WTKY2irHaG_lNRZTrA7gAaCj

Individual lectures:



Can't connect to internet after changing IP address

I recently changed my IP address and ever since I did, I can no longer connect to my internet. It just says "no internet, connected". And it also says "wifi doesn't have a valid IP configuration". When I try to do ipconfig /renew or ipconfig /release it says two networks are not on. I've tried everything I could to fix it with no success. Drivers are up to date, network settings are fine. What can I do to fix this?



Why can i manage a domain on multiple platforms?

Hi all,

I've been a sysadmin for a while now and I study hard to keep up and keep learning new things. I am by no means a networking expert. Today I ran into something that was really weird in my opinion. We host one of our domains at a Dutch supplier. We manually add and modify records and it's all fine.

Because of some certificate issues in a webserver hosted at AWS, I was involved in that environment for the first time, and a colleague showed me around. Then, I noticed that they have multiple records for the same domain I host at my Dutch supplier; I only saw local records though. So, to the DNS gurus out there: how is it possible that one single domain has records at multiple domain hosters?



Friday, May 1, 2020

Palo Alto Free Certification Discount Codes

/r/sysadmin/comments/gbzblp/palo_alto_free_certification_discount_codes/

Double adapters for split inter/intranet access

So, I have a rather interesting problem: my internet will cut out due to some power issues (that issue being paranoid fears over how WiFi is bad, blah blah blah, so it gets turned off when not in use), so I've been running on a mobile hotspot. The situation I have now is that I think I need a separate network for just LAN access, and wanted to see what your suggestions would be. The partial reason why I need separate access is because, one, I probably will run Parsec from a Windows desktop to a Linux laptop, and two, that Windows desktop has no long-term display available temporarily (living situation, thus parseccing to access the Windows system, and short term I got a rather low-res projector as a gift, so I'm using that as a temporary monitor, but those things are hella loud.)

In the future, I plan on reassembling this entire network and instead have everything routed through a rpi with pihole(which will be a whole nother post here eventually if I can't figure it out, but I'll be damned as a networking student if I don't try) though hardwired ethernet, and a monitor for the desktop, but for now, are there any ideas on this? I had one idea where I pass over access to the default adapter on the desktop to a VM running pfsense under bridged access, and then another adapter as direct access to the wireless. So, wireless will have three adapters, one for the os itself and to share, one for the VM to share, and one for the VM to use for parseccing.



Puzzled over a trunk that wont work unless it's running on a 100Mb/s interface

I know what you're probably thinking - but hear me out.

Recently, a vendor ran two CAT6 links from an IDF inside the org (CAT5e patch panel) to a terminal outside the building to support network connectivity for a temporary structure we've put up.

I installed a 3750 (48x FE copper, x4 GE SFP) in the structure and configured it to trunk with a 6500 chassis which sits inside the IDF. When it came time to plug everything in, I found that the interfaces which were supposed to be trunking were actually in a notconnect state. The configs are super simple - no VLAN pruning or native VLAN bullshit. Just "switchport mode trunk" on both sides. So, I started looking at the hardware.

I swapped SFPs (tried multiple GLC-TE and GLC-T copper SFPs), tried multiple GE interfaces on the 3750 and 6500, swapped cables (CAT5e and CAT6), verified speed/duplex settings, etc. Nothing worked.

I finally yanked the trunk link from the GE interface of the 3750 and slapped it into a FE interface - and behold, it worked! Trunk was up, phones started registering, etc.

For the sake of troubleshooting, I swapped out the 3750 for a brand new 9300 and tried again. No dice. The trunk simply won't come up on a 1Gb interface.

I need the 1Gb uplink to support some bandwidth-hungry equipment which will sit in the temporary structure. I only have two copper lines, so the best I can do with a port channel is 200Mb/s on the 3750.

The vendor claims that they used CAT6 cables all the way through and terminated on a CAT5e patch panel in our IDF. I assume, but do not know, that the temporary structure (which was brought to us by a vendor and already has some cabling infrastructure) uses CAT5e at least, since they have their own gigabit switches which they offered to provide for us.

I'm at a loss at this point. How else could this be broken for 1Gb connections, but not 100Mb connections?



100GB infiniband or 100GB ethernet?

hi all, I'm tasked with building out a 100GB Infiniband network for a group of Nvidia GPU servers which will use GPUdirect RDMA. The issue is we have a storage appliance that is 100GB ethernet (GBe) only. It is a toss-up what is more important for our users, storage performance or GPU direct RDMA performance. Having the "fastest" is important. We have nothing built so far, we are in the planning stages, also money isn't too much of a factor. Of course, we don't want to spend money just to spend money. I am new to Infiniband, GPUs and RDMA and don't want to miss something to cringe/embarrass on later.

Should we build-out with:

  1. both 100GB ethernet and 100GB Infiniband, or
  2. just 100GB Infiniband and include a 100GB ethernet to 100GB Infiniband gateway, or
  3. just 100GB ethernet and use RoCE for GPU direct RDMA

advice, opinions, pros/cons.

thanks!



I Want a High-end Router and Amplifiers that can cover All my Family’s Houses (40 Devices)

First of all, we live in the Countryside and WE DO NOT HAVE INTERNET CABLES, WE ONLY HAVE DATA SIMs.

We have 8 Houses in total, And here is their Layout:

https://m.imgur.com/gallery/OYacBzi.jbg

So we wanted to Unite our money and buy a Really Good Router and Amplifiers instead of having a Router in each house.

So What Router and Amplifiers do you Suggest i Buy? (The Router must have a slot for SIM)

And is it even Possible considering we don’t have DSL or Ethernet?

And can the Data SIM bear the 40 Devices connected to it?

EDIT: We Have full 4G coverage, and with my Huawei B315s Router the Speed vary between 5-25 mbps.



Network defense course project guidance.

I am working on my Network Defense course project and I'm looking for some guidance. We have to create a fictional company and then provide security measures. My idea for the company is on-demand remote IT services so I have some concerns about covering all the bases for remote connection. Here is my company plan and the corresponding security measures I have devised so far:

Workstations / Servers:

VLAN 1: 1x CEO/Operations manager, 1x HR, 1x accounting / payroll, 1x outreach / media coordinator, 2x Sales persons.

VLAN 2: 6x Remote IT Specialists.

VLAN 3: Management server + IDPS console, storage server.

DMZ Segment: Webserver, mail server, database server.

My network map is where I'm beginning to second guess myself:

Internet > Packet Filtering Router > Firewall > Switch > IDPS Sensor > VLAN 1 > IDPS Sensor > VLAN 2 > IDPS Sensor, VLAN 3 > IDPS Sensor > DMZ.

Router: appropriate ACL lists.

Firewall: set to block all inbound remote connections on the appropriate ports but allow outbound remote connections.

Switch: close unused ports, assign static IP addresses per port.

IDPS / VLANs: appropriate routing to the IDPS management server.

DMZ: Harden the bastion servers, disable all unnecessary features etc.

Are there aspects or different security measures I should be implementing? Especially in the case of remote connections?

Any advice would be greatly appreciated, this project has got me second guessing myself and stressed out trying to make sure I cover all my bases.



Using SCP and/or SFTP in Cisco Prime Infrastructure

Thank you in advance for any answers. We have been using Cisco Prime for switch management and pushing updates from Prime to the switches via TFTP successfully, but due to security we are being told to start using SCP or SFTP to push IOS updates. I've been trying to get this working but have had no success. I used SSH to get into Prime and set up a device:/SCP folder in Prime. I then in the GUI went to where you would add your server, added the server, IP, admin username and password and tried to add the download location, but it won't allow device: because apparently the : isn't allowed, so I tried device/scp which failed verification. I went online and someone suggested localhost/scp which failed also. Has anyone set this up successfully that can tell me what I'm missing? We are using ver 3.4



Need a suggestion for a setup that automatically provides IP addresses with isolation in between.

Hey everyone, I could appreciate some talk and help with this scenario.

I want to create a three-point WiFi network with 50-100m between each device. For now at least; it may increase in range in the future. Planning on using three Ubiquiti LocoM2 devices or something similar and provide wireless internet access.

When clients connect to the said network they should get an IP address via DHCP but due to security concerns, I need to have them isolated from each other.

Each client should appear to be in a different subnet and have no possibility to scan or detect other devices connected to the same network.

The whole plan is like this:

  • The network can be on 2.4GHz and/or 5GHz, dual-band will be excellent but for the initial testing only on 2.4GHz would suffice.
  • Client devices must be isolated when connected.
  • The AP's will have a full line of sight visibility, there will be no interference.
  • Some bandwidth limit or burst limit, so one client couldn't take up full utilization of the link.
  • Thinking about 10Mbit/s U/D for now, and around 20 clients on average.
  • VPN connection for central monitoring and configuration.

Can the basics of guest zone/network suffice for this scenario? I have to mention that I have limited experience with larger-scale wireless networks.

Here is my initial diagram, please chime in for corrections.

https://i.imgur.com/Wog0ViG.png

Thinking about the cabling and ethernet length limitations, also I may be able to omit the switch if the supplied router will have at least 4 ports.

Is all this plausible, am I on the right track?

Thanks



Helium pinger, any users here?

It is used to insert ip addresses save them to a file and then ping all those addresses as needed. I just found it today and seems to work well but I am not finding very much documentation. I want to use it to ping about 1000 IP’s a couple of times a day. Don’t want to find and insert all those IPs if it is going to be a buggy piece of software.



UPS showing miswire on 4th and 5th pair...?

I have a Tripp Lite UPS smart1500LCD. I just got a cable tester and messing around with it led me to see my UPS is showing miswired.

picture ...looking up on the internet I am not seeing this error elsewhere. Is this an actual issue? Or is it expected? Anyone here seen it before?



Anyconnect profile doesn't stick after pc reboot

I'm trying to enable start before logon on the anyconnect. I've enabled it on a profile in the ASA. The issue is once the computer reboots the option for SBL is gone. I figured that when using the profile editor on the ASA that it would overwrite the XML file stored on the PC.



Exchange Server 2013 SMTP Relay via F5

Hi,

We are trying to use two CAS servers to load balance all internal application relay. Here is the problem I have run into. All connections made from the F5 automatically connect to the default receive connector rather than the custom receive connector. The only way we can connect to the relay connector from the F5 VIP is if we allow 0.0.0.0-255.255.255.255 on these connectors. With anonymous relay allowed we cannot allow open relay on this VIP. Is there any way we can make the F5 use the correct connector?

BTW, SNAT is enabled for the VIP.

Thanks



4 digit ASN?

While checking the current price for IPv4, I noticed that also 4 and 5 digit ASNs are being auctioned. As there were actual bids and closed sales, some for a significant amount of money, I came to wonder about the inherent value in a two byte ASN.

I would have thought that by now almost everybody supports 4 byte ASNs. Is there some actual value in having a 2 byte ASN or is it more a vanity thing?



Error 502 Bad Gateway with Cloudflare and DigitalOcean server with Name.com registrar. My site doesn't work

I did some changes in configurations in these hours. Site still doesn't work.

My current configuration is:

  • Name.com: I put there the Cloudflare nameservers.
  • DigitalOcean panel: I made that the domain points to my server ip.
  • Cloudflare: says that I'm under cloudflare and that everything is ok, but it isn't, since if I connect to my site, it shows a 502 Bad Gateway. Pic: https://ibb.co/FXGbgMP

Also, if I go to domain setting in cloudflare, it says that my domain is not on cloudflare: https://ibb.co/1nKy37m

It doesn't make any sense... Cloudflare says everything is ok but then it tells me that my domain is not under Cloudflare..

If I `dig` my domain, the IPs returned are cloudflare ones, so it should be ok.

These are the last lines of the error log of nginx:

2020/05/01 12:43:41 [crit] 503#503: *115 connect() to unix:/run/php/php7.3-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 162.158.111.11, server: MYSITEDOMAIN, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm.sock:", host: "MYSITEDOMAIN", referrer: "https://MYSITEDOMAIN/"
2020/05/01 12:44:05 [crit] 503#503: *117 connect() to unix:/run/php/php7.3-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 162.158.111.197, server: MYSITEDOMAIN, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm.sock:", host: "www.MYSITEDOMAIN"
2020/05/01 12:44:23 [crit] 503#503: *120 connect() to unix:/run/php/php7.3-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 162.158.111.11, server: MYSITEDOMAIN, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm.sock:", host: "MYSITEDOMAIN"
2020/05/01 12:52:24 [crit] 503#503: *126 connect() to unix:/run/php/php7.3-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 141.101.77.36, server: MYSITEDOMAIN, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm.sock:", host: "MYSITEDOMAIN", referrer: "https://MYSITEDOMAIN/"

These are the last lines of nginx access.log (most of the IPs requesting my site are cloudflare IPs):

162.158.111.11 - - [01/May/2020:12:43:41 +0200] "GET / HTTP/1.1" 502 559 "https://MYSITEDOMAIN/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36"
162.158.111.197 - - [01/May/2020:12:44:05 +0200] "GET / HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36"
141.101.77.102 - - [01/May/2020:12:44:07 +0200] "GET /favicon.ico HTTP/1.1" 404 187 "https://www.MYSITEDOMAIN/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36"
162.158.111.11 - - [01/May/2020:12:44:23 +0200] "GET / HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36"
162.243.142.103 - - [01/May/2020:12:45:21 +0200] "GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1" 444 0 "-" "Mozilla/5.0 zgrab/0.x"
173.19.158.0 - - [01/May/2020:12:50:23 +0200] "POST /spywall/timeConfig.php HTTP/1.1" 400 157 "-" "XTC"
128.14.133.58 - - [01/May/2020:12:51:50 +0200] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
141.101.77.36 - - [01/May/2020:12:52:24 +0200] "GET / HTTP/1.1" 502 559 "https://MYSITEDOMAIN/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36"
162.158.111.11 - - [01/May/2020:13:03:54 +0200] "GET / HTTP/1.1" 502 559 "https://MYSITEDOMAIN/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36"
162.158.111.11 - - [01/May/2020:13:07:18 +0200] "GET / HTTP/1.1" 502 559 "https://MYSITEDOMAIN/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36"

This is `tcpdump -ni any port 53 | tee dns_problem.log` if this is useful:

12:42:48.003261 IP MYSERVERIP.33954 > 67.207.67.2.53: 16402+ AAAA? ams3.sonar.digitalocean.com. (45)
12:42:48.003593 IP MYSERVERIP.37054 > 67.207.67.2.53: 11556+ A? ams3.sonar.digitalocean.com. (45)
12:42:48.003973 IP 67.207.67.2.53 > MYSERVERIP.33954: 16402 0/1/0 (103)
12:42:48.003974 IP 67.207.67.2.53 > MYSERVERIP.37054: 11556 1/0/0 A 5.101.110.176 (61)
12:44:48.014388 IP MYSERVERIP.43089 > 67.207.67.2.53: 54807+ AAAA? ams3.sonar.digitalocean.com. (45)
12:44:48.014787 IP MYSERVERIP.39228 > 67.207.67.2.53: 49774+ A? ams3.sonar.digitalocean.com. (45)
12:44:48.015243 IP 67.207.67.2.53 > MYSERVERIP.39228: 49774 1/0/0 A 5.101.110.176 (61)
12:44:48.015245 IP 67.207.67.2.53 > MYSERVERIP.43089: 54807 0/1/0 (103)
12:46:48.021926 IP MYSERVERIP.48429 > 67.207.67.2.53: 21229+ AAAA? ams3.sonar.digitalocean.com. (45)
12:46:48.021995 IP MYSERVERIP.52767 > 67.207.67.2.53: 38688+ A? ams3.sonar.digitalocean.com. (45)
12:46:48.022608 IP 67.207.67.2.53 > MYSERVERIP.48429: 21229 0/1/0 (103)
12:46:48.022769 IP 67.207.67.2.53 > MYSERVERIP.52767: 38688 1/0/0 A 5.101.110.176 (61)
12:48:48.030531 IP MYSERVERIP.5607
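The nginx logs in the post already contain the diagnosis: every 502 is preceded by an error-log entry saying the FastCGI upstream socket `/run/php/php7.3-fpm.sock` does not exist, so the DNS and Cloudflare settings are not the problem. The following is an added example, my own code rather than the poster's, that parses both logs so the root cause and the rest of the traffic can be summarised rather than read by eye: it groups upstream connect failures by socket and errno, counts responses by status, and lists requests nginx answered with its 444 close-without-response code. The sample lines are copied from the post (MYSITEDOMAIN is the poster's own placeholder); the interpretation that 444 entries come from a catch-all server block and therefore represent requests that reached the origin IP directly, without passing through Cloudflare, is an assumption on my part.

```python
import re
from collections import Counter

# Sample input copied from the post (MYSITEDOMAIN is the poster's placeholder).
ERROR_LOG = """\
2020/05/01 12:43:41 [crit] 503#503: *115 connect() to unix:/run/php/php7.3-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 162.158.111.11, server: MYSITEDOMAIN, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm.sock:", host: "MYSITEDOMAIN", referrer: "https://MYSITEDOMAIN/"
2020/05/01 12:44:05 [crit] 503#503: *117 connect() to unix:/run/php/php7.3-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 162.158.111.197, server: MYSITEDOMAIN, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm.sock:", host: "www.MYSITEDOMAIN"
2020/05/01 12:44:23 [crit] 503#503: *120 connect() to unix:/run/php/php7.3-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 162.158.111.11, server: MYSITEDOMAIN, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm.sock:", host: "MYSITEDOMAIN"
2020/05/01 12:52:24 [crit] 503#503: *126 connect() to unix:/run/php/php7.3-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 141.101.77.36, server: MYSITEDOMAIN, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm.sock:", host: "MYSITEDOMAIN", referrer: "https://MYSITEDOMAIN/"
"""

ACCESS_LOG = """\
162.158.111.11 - - [01/May/2020:12:43:41 +0200] "GET / HTTP/1.1" 502 559 "https://MYSITEDOMAIN/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36"
162.158.111.197 - - [01/May/2020:12:44:05 +0200] "GET / HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36"
141.101.77.102 - - [01/May/2020:12:44:07 +0200] "GET /favicon.ico HTTP/1.1" 404 187 "https://www.MYSITEDOMAIN/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36"
162.158.111.11 - - [01/May/2020:12:44:23 +0200] "GET / HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36"
162.243.142.103 - - [01/May/2020:12:45:21 +0200] "GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1" 444 0 "-" "Mozilla/5.0 zgrab/0.x"
173.19.158.0 - - [01/May/2020:12:50:23 +0200] "POST /spywall/timeConfig.php HTTP/1.1" 400 157 "-" "XTC"
128.14.133.58 - - [01/May/2020:12:51:50 +0200] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
141.101.77.36 - - [01/May/2020:12:52:24 +0200] "GET / HTTP/1.1" 502 559 "https://MYSITEDOMAIN/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36"
162.158.111.11 - - [01/May/2020:13:03:54 +0200] "GET / HTTP/1.1" 502 559 "https://MYSITEDOMAIN/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36"
162.158.111.11 - - [01/May/2020:13:07:18 +0200] "GET / HTTP/1.1" 502 559 "https://MYSITEDOMAIN/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36"
"""

# nginx error-log layout for upstream failures; the trailing ", referrer: ..." is optional.
ERROR_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*\d+ (?P<msg>.+?) while connecting to upstream, '
    r'client: (?P<client>\S+), server: (?P<server>\S+), request: "(?P<request>[^"]*)", '
    r'upstream: "(?P<upstream>[^"]*)", host: "(?P<host>[^"]*)"')
CONNECT_RE = re.compile(r'connect\(\) to (?P<socket>\S+) failed \((?P<errno>\d+): (?P<reason>[^)]+)\)')
# nginx "combined" access-log format.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"')


def parse_error_log(text):
    """Parse upstream-failure lines; connect() errors additionally get socket/errno/reason."""
    out = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        c = CONNECT_RE.search(rec["msg"])
        if c:
            rec.update(socket=c["socket"], errno=int(c["errno"]), reason=c["reason"])
        out.append(rec)
    return out


def upstream_failure_summary(text):
    """Count connect failures by (socket, errno, reason). A single dominant key means a
    single root cause; ENOENT on a FastCGI socket means php-fpm is not listening there."""
    return Counter((r["socket"], r["errno"], r["reason"]) for r in parse_error_log(text) if "socket" in r)


def parse_access_log(text):
    return [m.groupdict() for m in map(ACCESS_RE.match, text.splitlines()) if m]


def status_counts(text):
    return Counter(r["status"] for r in parse_access_log(text))


def closed_without_response(text):
    """Requests nginx answered with 444 (connection closed, nothing sent), which a
    catch-all server block commonly returns for requests lacking a configured Host."""
    return [(r["client"], r["request"], r["ua"]) for r in parse_access_log(text) if r["status"] == "444"]


if __name__ == "__main__":
    for key, n in upstream_failure_summary(ERROR_LOG).items():
        print(f"{n} x upstream connect failures: {key}")
    print("responses by status:", dict(status_counts(ACCESS_LOG)))
    for client, request, ua in closed_without_response(ACCESS_LOG):
        print("closed without response:", client, request, ua)
```

On the posted lines the summary collapses to one key, `unix:/run/php/php7.3-fpm.sock` with errno 2, which is what to fix (start the PHP-FPM service, or point the nginx `fastcgi_pass` at the socket path it actually creates). The two 444 entries are a useful side finding for a defender: they show the origin answering requests that never went through the proxy, which is why restricting the origin to the proxy's source addresses is worth doing once the site is back up.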



Datacentre Network Re-design - An easier way to manage ACLs?

Hi all, I've got two questions relating to data centre networking: firstly, whether I've got our new re-design correct in my head, and secondly, following that plan we'll have an increased reliance on ACLs on our switches and I wanted to know if there's an easier GUI-based way to manage ACLs.

Firstly, our current set up consists of an HA pair of firewalls doing all L3 in the DC, including all inter-VLAN traffic which is the main reason we want to move away from this set up. The firewalls have an internet breakout, WAN link DMZ and multiple other VLANs on them, prod, test, dev, voice, SQL etc. We currently manage rules between VLANs using the firewalls which have a decent GUI making it simpler to manage and harder to make mistakes. South of those firewalls is a pair of nexus 5k switches, 3 UCS chassis and a iSCSI SAN.

The problem with this is that there's only a 1gbps link between the nexus and the active firewall with all of the default gateways for our VLANs being sub interfaces on the 1gbps interface. Not a great design I know, we used to have a pair of 3925s doing our inter-VLAN routing with ACLs controlling traffic between VLANs. They were a bit of a pain to manage as there was only me at the time who had knowledge of working with them. Our MSP suggested those routers were unnecessary when they upgraded our firewalls (the previous ones only had 10/100 interfaces). We've grown a lot since the last upgrade though and are back in a position where we need to re-think things.

The plan is to use the Nexus switches for the inter-VLAN routing (they're currently only doing L2). Create a new small subnet between the Nexus switches and the firewalls and set the default route on the Nexus to point at the new firewall IP. This plan takes all of the inter-VLAN traffic away from the firewalls, freeing them up to do what they were intended for. However, we lose the nice GUI based method for controlling our inter-vlan traffic and would be back to ACLs on the Nexus switches (something I'd like to avoid). Is there a solution that can help us manage the ACLs with a GUI and ideally where changes can be verified before being made? We use proper Cisco in our datacentre but are migrating to Meraki in our branches and their dashboard has spoilt me with how easy it is.

I realise it's a wordy post so thanks for sticking with me.
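One way to get the "verify before you make the change" property the post asks for without a vendor GUI is to keep the intended inter-VLAN flows in a table and evaluate every candidate ACL against it. The block below is an added example for this thread, not a tool from the thread, from Cisco or from Meraki. It models a simplified IPv4 extended ACL the way NX-OS evaluates one (entries in order, first match wins, implicit deny at the end); only `permit|deny <ip|tcp|udp|icmp> <prefix|any> <prefix|any> [eq <port>]` entries are understood, which is an assumption that leaves out wildcard masks, port ranges and `established`. The VLAN prefixes, the two ACL versions and the intent table are constructed sample data.

```python
"""Check an inter-VLAN ACL change against the flows it must permit and deny.

Added example for the data-centre re-design thread; not a Cisco or Meraki
tool. Models first-match-wins evaluation with an implicit deny, on a subset
of NX-OS extended ACE syntax (assumption: prefix/length notation, optional
"eq <port>", no wildcard masks, ranges or 'established').
"""
import ipaddress
import re
from dataclasses import dataclass

ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>any|\S+/\d+)\s+(?P<dst>any|\S+/\d+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int = 0


def _net(token):
    """'any' matches everything; otherwise parse prefix/length."""
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_acl(text):
    """Parse ACE lines (optional sequence number first) into match dicts."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        aces.append({
            "text": line.strip(),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "src": _net(m.group("src")),
            "dst": _net(m.group("dst")),
            "port": int(m.group("port")) if m.group("port") else None,
        })
    return aces


def evaluate(aces, flow):
    """Return ('permit'|'deny', text of the deciding ACE or 'implicit deny')."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in aces:
        if ace["proto"] != "ip" and ace["proto"] != flow.proto:
            continue
        if ace["src"] is not None and src not in ace["src"]:
            continue
        if ace["dst"] is not None and dst not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != flow.dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"


def verify_change(before_text, after_text, intent):
    """Compare two ACL versions against (flow, expected_action) pairs.

    Reports intended flows the current ACL already fails, flows the proposed
    ACL would fail (regressions or still-unmet requirements, with the ACE that
    decided them), and every flow whose verdict changes.
    """
    before, after = parse_acl(before_text), parse_acl(after_text)
    result = {"unmet_before": [], "unmet_after": [], "changed": []}
    for flow, expected in intent:
        b, _ = evaluate(before, flow)
        a, ace = evaluate(after, flow)
        if b != expected:
            result["unmet_before"].append(flow)
        if a != expected:
            result["unmet_after"].append((flow, a, ace))
        if a != b:
            result["changed"].append((flow, b, a))
    return result


# Constructed sample: prod 10.10.0.0/24, dev 10.20.0.0/24, test 10.30.0.0/24, SQL 10.40.0.0/24.
CURRENT_ACL = """
10 permit tcp 10.10.0.0/24 10.40.0.0/24 eq 1433
20 deny ip 10.20.0.0/24 10.10.0.0/24
30 permit ip 10.10.0.0/24 any
"""
# Proposed change: let test reach SQL as well. The new entry forgot "eq 1433".
PROPOSED_ACL = """
10 permit tcp 10.10.0.0/24 10.40.0.0/24 eq 1433
15 permit tcp 10.30.0.0/24 10.40.0.0/24
20 deny ip 10.20.0.0/24 10.10.0.0/24
30 permit ip 10.10.0.0/24 any
"""
INTENT = [
    (Flow("tcp", "10.10.0.5", "10.40.0.10", 1433), "permit"),  # prod -> SQL
    (Flow("tcp", "10.30.0.5", "10.40.0.10", 1433), "permit"),  # test -> SQL (new requirement)
    (Flow("tcp", "10.30.0.5", "10.40.0.10", 22), "deny"),      # test must not SSH to SQL hosts
    (Flow("tcp", "10.20.0.5", "10.10.0.10", 3389), "deny"),    # dev -> prod RDP stays blocked
]

if __name__ == "__main__":
    r = verify_change(CURRENT_ACL, PROPOSED_ACL, INTENT)
    for flow, got, ace in r["unmet_after"]:
        print(f"REGRESSION: {flow} is {got} by '{ace}'")
    for flow, b, a in r["changed"]:
        print(f"changed: {flow} {b} -> {a}")
```

Run against the sample, the proposed ACL satisfies the new test-to-SQL requirement but also opens SSH from test to the SQL VLAN through the over-broad entry 15, which is exactly the kind of mistake a review step should catch before the change is pushed to the Nexus.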



Network engineer getting started with Vim and bird2

I'm a network engineer with over 10 years of experience running Cisco and Juniper networks.

I have some sysadmin skills, for example running DNS servers, RADIUS servers etc, and use debian / ubuntu daily.

I've recently started using the bird2 routing daemon on debian, editing config files in vim. I'm not a programmer, I can't write code. Using bird2 feels very much like a programming language compared to Junos/IOS.

I guess my question is, is it just me that finds this difficult to configure and understand the syntax as an experienced network engineer, not a programmer? Can anybody recommend any vim plugins to make configuring bird config files easier? I'm just using the arrows on my keyboard to navigate, and I feel really slow configuring everything.



3 weeks with glitchy/intermittent RDP over ASA 5512-x VPN, Cisco TAC just keeps "checking internally"

Events/Troubleshooting/Attempted solutions so far -

Beginning of April - The ASA I inherited, running 9.9(1), started crashing due to bug CSCvi16029, so I updated it to 9.9(2)66, and also upgraded my ASDM to 7.12.1 and my AnyConnect from 3.x.x to 4.8.02045 on April 8.

April 9 - Everyone except for my IT-coworker and I are unable to RDP into their workstations. They can connect the VPN and ping their workstations, but get that "Remote Desktop can't connect" error (this never happened before). I also cannot RDP via VPN into any other workstations or servers on the network besides my own, which isn't configured any differently in RDP settings than any of the other machines.

Discovered that RemoteVPN->DNS setting is pointing to old decom'd DC, so I fix setting and am able to reach payroll server until HR person tried to RDP into it and then everyone was locked out again except myself to my own workstation.

April 13 - Everyone's ability to RDP suddenly came back up, then dropped, then came back up again by the end of the day.

I discovered a No NAT rule that allows all trusted users access to all necessary internal VLANs, and the only "deny" ACLs I could find are blocking QUIC and "hostile traffic" which doesn't seem to have anything to do with RDP.

April 21 - RDP stopped working again for office staff, so I did a packet capture while unsuccessfully trying to RDP into the payroll server:

1: 14:52:58.060497       x.x.x.x.55749 > x.x.x.x.3389: S 3006513269:3006513269(0) win 8192 <mss 1366,nop,wscale 2,nop,nop,sackOK>
2: 14:53:01.058483       x.x.x.x.55749 > x.x.x.x.3389: S 3006513269:3006513269(0) win 8192 <mss 1366,nop,wscale 2,nop,nop,sackOK>
3: 14:53:07.058621       x.x.x.x.55749 > x.x.x.x.3389: S 3006513269:3006513269(0) win 8192 <mss 1366,nop,nop,sackOK>

Tried sh cap asp | inc x.x.x.x (payroll server ip) which showed no drops from the firewall.

April 22 - I noticed on the Firewall Dashboard in ASDM that the workstations denying RDP access are listed under "Top 10 Protected Servers under SYN Attack" and sure enough, there are the IP addresses of the Business Office computers plus the 3389 port #.

I then learned this, and lowered the TCPMSS to 1300 and everyone's RDP started working again for almost a week ...

April 28 - Discovered that the RemoteVPN->DNS setting keeps reverting back to the old decommissioned DC, so I sent this info to Cisco TAC.

Yesterday - the Business Manager and I were able to to RDP into everything, but other staff could not connect to their workstations. I asked Cisco TAC if the ASA has some kind of DNS mapping in its config that's causing the VPN/DNS settings to revert, so they looked at my "show tech" and noticed that a firewall-object-network object had been configured linking the old DC to the ip address which now belongs to the new DC. So, I fixed that to point to the new DC.

The Business Manager lost her ability to RDP around 2pm EST, so I did a packet trace to her machine, and am still waiting to hear back from Cisco, and there's a Zoom Board Meeting on Tuesday that's breathing down my neck ...

Ingress Capture – RDP packet
17:11:44.716134 x.x.x.x.59777 > x.x.x.x.3389: S 3869117268:3869117268(0) win 8192 <mss 1300,nop,wscale 2,nop,nop,sackOK>
17:11:47.709954 x.x.x.x.59777 > x.x.x.x.3389: S 3869117268:3869117268(0) win 8192 <mss 1300,nop,wscale 2,nop,nop,sackOK>
17:11:53.709374 x.x.x.x.59777 > x.x.x.x.3389: S 3869117268:3869117268(0) win 8192 <mss 1300,nop,nop,sackOK>

Egress Capture – RDP Packets
17:14:25.581436 x.x.x.x.59788 > x.x.x.x.3389: S 2051428495:2051428495(0) win 8192 <mss 1300,nop,wscale 2,nop,nop,sackOK>
17:14:28.578232 x.x.x.x.59788 > x.x.x.x.3389: S 2051428495:2051428495(0) win 8192 <mss 1300,nop,wscale 2,nop,nop,sackOK>
17:14:34.579163 x.x.x.x.59788 > x.x.x.x.3389: S 2051428495:2051428495(0) win 65535 <mss 1300,nop,nop,sackOK>
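The captures above show the classic signature of a black-holed TCP handshake: the same SYN (same initial sequence number) leaving three times with no SYN-ACK coming back, and the client dropping its window-scale option on the last retry. The block below is an added example for this thread, not the poster's script and not an ASA feature; it parses capture lines in the old-style tcpdump / ASA `show capture` format used in the post (optional packet number, timestamp, `src.port > dst.port: flags seq:seq(len) ... win N <options>`) and reports, per client flow, how many SYNs were retransmitted without an answer, plus the MSS the client offered, which is the value the post ended up adjusting. The sample capture is constructed; the addresses are documentation ranges.

```python
"""Find TCP flows whose SYNs are retransmitted and never answered.

Added example for the RDP-over-VPN thread; not the poster's script. Reads
old-style tcpdump/ASA "show capture" lines and flags client flows that
re-sent the same initial sequence number without ever seeing a SYN-ACK.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\s*(?:\d+:\s+)?"                      # optional ASA packet number "3: "
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[A-Z.]+)\s+"                 # S, S., P., . ...
    r"(?:(?P<seq>\d+):\d+\(\d+\)\s+)?"       # seq:seq(len), absent on pure ACKs
    r"(?P<rest>.*)$"
)
MSS_RE = re.compile(r"\bmss (?P<mss>\d+)")


def parse_line(line):
    """Return the fields of one capture line, or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    mss = MSS_RE.search(rest)
    return {
        "ts": m.group("ts"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "syn": "S" in m.group("flags"),
        # old-style output prints the acknowledgement as a separate "ack N" token
        "ack": re.search(r"\back \d+", rest) is not None,
        "seq": m.group("seq"),
        "mss": int(mss.group("mss")) if mss else None,
        "wscale": "wscale" in rest,
    }


def analyze(lines, min_retransmissions=2):
    """Group SYNs by client 4-tuple and flag flows that never saw a SYN-ACK.

    A flow is black-holed when the client re-sent the same initial sequence
    number at least `min_retransmissions` times and no SYN-ACK for that
    flow appears anywhere in the capture.
    """
    syns = defaultdict(list)
    answered = set()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or not pkt["syn"]:
            continue
        if pkt["ack"]:
            # SYN-ACK travels server -> client; key it on the client's tuple
            answered.add((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
        else:
            syns[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])].append(pkt)

    report = {}
    for key, pkts in syns.items():
        retrans = len(pkts) - len({p["seq"] for p in pkts})
        report[key] = {
            "syns": len(pkts),
            "retransmissions": retrans,
            "synack_seen": key in answered,
            "client_mss": pkts[0]["mss"],
            # In the post's captures the last retry goes out without wscale;
            # record whether the same pattern shows up in this flow.
            "options_stripped": pkts[0]["wscale"] and not pkts[-1]["wscale"],
            "black_holed": key not in answered and retrans >= min_retransmissions,
        }
    return report


def black_holed_flows(lines):
    """Sorted list of (src, sport, dst, dport) client flows that were never answered."""
    return sorted(k for k, v in analyze(lines).items() if v["black_holed"])


# Constructed sample: one RDP flow modelled on the post's captures (three SYNs,
# same ISN, no reply) and one healthy flow whose SYN-ACK comes back.
SAMPLE_CAPTURE = """\
1: 17:11:44.716134 192.0.2.10.59777 > 198.51.100.5.3389: S 3869117268:3869117268(0) win 8192 <mss 1300,nop,wscale 2,nop,nop,sackOK>
2: 17:11:47.709954 192.0.2.10.59777 > 198.51.100.5.3389: S 3869117268:3869117268(0) win 8192 <mss 1300,nop,wscale 2,nop,nop,sackOK>
3: 17:11:53.709374 192.0.2.10.59777 > 198.51.100.5.3389: S 3869117268:3869117268(0) win 8192 <mss 1300,nop,nop,sackOK>
4: 17:12:01.000001 192.0.2.11.50001 > 198.51.100.6.3389: S 100:100(0) win 8192 <mss 1300,nop,wscale 2,nop,nop,sackOK>
5: 17:12:01.000900 198.51.100.6.3389 > 192.0.2.11.50001: S 500:500(0) ack 101 win 65535 <mss 1380,nop,wscale 8,sackOK>
"""

if __name__ == "__main__":
    for flow, info in analyze(SAMPLE_CAPTURE.splitlines()).items():
        status = "BLACK-HOLED" if info["black_holed"] else "ok"
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  syns={info['syns']} "
              f"retrans={info['retransmissions']} synack={info['synack_seen']} "
              f"mss={info['client_mss']}  {status}")
```

Because the check keys on the client's 4-tuple, it works the same on an ingress capture (client side) and an egress capture (server side) of the ASA: if the ingress capture shows the SYNs and the egress capture shows them too but neither shows a SYN-ACK, the loss is beyond the firewall; if the egress capture lacks the SYNs, the firewall or the VPN path in between is dropping them.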



Is a VPS like a VPN?

Lets say I want to watch a Canadian only show in netflix called Kanada and I live in the U.S. If I buy a VPS in Canada, and download netflix in there, should I be able to watch Kanada in netflix??



Network Project Documentation Fears

I was hired 3 months ago and the hiring manager believes he's hired me for the 'strong documentation' skills I put on my CV at my last job. Now he's expecting me to use those skills in helping to write project documentation for our new LAN refresh project that my colleague and I are about to undertake. It sounds like they brought me in on the strength of my documentation stills. However, I've never done anything like this before. I'm only used to making small infrastructure changes which, whilst these involved strong change management and strict documentation, they were nothing like the documentation this latest project requires. I'm just used to working off a low level design document that someone has prepared for me, and I simply go off and implement whatever's been described on it. Or I'm used to copying existing documents for repeatable changes. I'm scared to death of telling him that I don't think I have the documentation skills he thinks I have. I'm willing to learn whatever I have to, in order to become a better engineer. I don't know what documentation I'd need to deliver this project. I'm not talking about Visio, I'm not bad with Visio. I'm talking about written documents detailing the project, deliverables, requirements etc.



Thursday, April 30, 2020

Wireless bridges vs Hardline

The company I work for just bought a big building (offices occupy 1/3 of the building, the other 2/3 is a warehouse). We (the IT department) are tasked with providing network connectivity to the back of the building for outside cameras and outdoor wifi.

The warehouse part of the building will have AC pipes and air outlets all over the place in the warehouse part.

I want to run a line (fiber or Ethernet) inside conduit to the back of the building where the switch will be located, my friend wants to setup a wireless bridge to connect the back of the building to the IT room.

I told him there will be interference with the AC units that are on the roof, the AC pipes in the warehouse and the possibility of a lot of people using their phones/hotspot. I said running a single line would be best. He disagrees.

Am I wrong?

Sorry for the text, cellphone writing.



What “proof” should I get to have someone look into an issue I feel we are having?

Have 1Gbps business line from Comcast that we manage in our lab. Enterprise recommends we swap to the “enterprise lab infrastructure” that they manage.

The problem is the throughput is total crap compared to what we currently have.

Our lab-run internet connection is a Comcast 1Gbps business line. The enterprise one is supposedly a 1Gbps CenturyLink connection they route around over their MPLS circuits in the same city but eventually hits the 1Gbps CL (at least that’s what I gather).

There shouldn’t be any issue to the “end user” between the two. I can understand some variance but the CL connection is a total dog for throughput in comparison to basically 95% of sites. Yeah you can pull up a browser and browse around but downloading any type of packages (OS packages, datasets, etc) it’s way slower than 90% of them.

We noticed it when updating our servers with drivers (like 400MB NVidia drivers) from Ubuntu mirrors. Our old connection could easily download this at 50-60MB/s (400-500Mbps) and be done in seconds. The new connection we get like 1-5MB/s (10-50Mbps).

After seeing this from multiple sources, I went and did some testing from vultr, AWS, FDCServers, Ramnode, DigitalOcean etc. Downloading files from those data centers in the same city (Seattle) on the old connection with 3-6ms pings we can get 80+MB/s. Most of them are 90+MB/s. The new connection varies from 8-12MB/s on one test from one of the providers and all the others are between 2-5MB/s (in Seattle).

Running tests from different cities (LA, San Fran, Denver, ATL, Chicago, NYC, Washington DC), the Comcast connection slows down some depending on the distance but it’s routinely above 30MB/s on all of them. The new “enterprise” connection is between 1-2MB/s.

I ran the same tests on my home connection (Google Fiber) across the country (AL) to these same data centers in Seattle and get better speeds than this “enterprise” connection.

I’ve complained about it and enterprise just tells me “it’s the general internet” we can’t do anything. I’m like there HAS to be something wrong somewhere otherwise this thing is borderline useless. If it’s the “general internet” get CL to prove that because this thing is dog slow to EVERY damn site. There is not a single site it’s even close on. Then they just tell us our TCP window size is too small or some shit when basically the same system 2 feet away is getting 80MB/s.

I tested about 15-20 different sources spread across the country, and the Comcast connection never had one below 10MB/s (100Mbps), even from ATL to Seattle or Washington DC to Seattle. On the new connection I think there were 1 or 2 that were 10-15MB/s; the rest were in the 5MB/s range, even from Seattle.

Is there anything that you would want to see that would be hard to deny that there is a problem? Maybe it is the “general” internet being shit and CL is total shit in their peering or routing or whatever but is there anyway to prove that? Or am I just wrong and CL is just that bad?

If you would like to see my test results I can share if needed.



SNMP trap handling best practices on routers

Hey friends!

What are your thoughts on best practices on SNMP trap handling for routers and switches?

At my workplace we had a discussion and have 2 options:

  1. Activate all snmp traps that are possible on each device and let the monitoring tool filter what events are important (and which ones should raise Incidents)

  2. Activate just the snmp traps that are interesting for us (our configs differ a lot today. We would need to define templates for each device model)



NIC Offloading

Trying to understand the full scope of the term NIC Offloading.

A quick Google search indicates it allows TCP sequencing/error control to be offloaded to the NIC. Cool.

What other items can be offloaded to the NIC apart from TCP calculations?



IPSec failing when there is an F5 device in the middle

Hi Experts,

I know this was asked before but I still have not found any solution.

Scenario:

Site A(ASA)——(Internet)——(F5)—-(ASA)Site B

All IKE parameters are identical.
Public IP on F5 and private IP on ASA Site B.
Public IP on ASA Site A.
Virtual server created on F5 and a route pointing to ASA Site B.
Virtual Server got all ports set for the service port.
NAT-T enabled on ASAs.

ADDITIONAL INFO:
In Site B I am receiving the proposals from Site A with the original public source and destination IP.

Any other ideas? Thanks in advance!!



Cable toner error

I'm trying to track down an unlabeled port but my cable tester won't let me switch to toner mode because of a weird error. I assumed it was a bad termination and re-terminated the cable but I'm still seeing the same error. I spent time looking through documentation for this cable tester and I didn't see the error anywhere else.

Does anyone know what this error means? I assume it's something wrong with wires 3 and 4.

https://imgur.com/3uqSLpu

I'd appreciate any help/advice, thanks!



Is there a list of IPv4 ranges that Comcast uses to NAT their IPv6-native customers that connect to IPv4 destinations?

I'm implementing various layers of access controls for a secure file transfer service (implementing sftp with ECDSA authentication and IP range verification) and one of my new data transfer partners is a "native ipv6" customer on Comcast. When they connect to an IP4 endpoint (when DNS lookups provide an A record rather than an AAAA record), I understand they're routed through carrier-grade NAT to provide an IP4 source address for these connections. Are these Comcast customer NAT egress addresses known or published? I'd like to whitelist them in the access rules for this customer.



Cisco Networking Academy - PT Skills Assessment Accuracy

So I just took a PT skills assessment for a Cisco 2 course. I have taken other PT skills assessment tests in the past as well. The one I took was a Chapter 7 Practice Skills Assessment - PT. It seems like there was stuff I did correctly inside of the test that the automated scoring system marked wrong. For anyone that's taken a Cisco course, are the packet tracer assessments accurate?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



IPAM with NMAP integration

Hi Guys,

Is anyone aware of any open-source/free IP Address Management (IPAM) tool with NMAP integration or a scanning feature?

I've tried GestioIP and phpIPAM; they are great tools for recording assets, but they have very basic scanning features which only get the IP and hostname (if reverse lookup was enabled).

Appreciate your feedback to this.

Best Regards!



N5K static routing issue

Just connected up a C5596UP and started adding it into my network fabric. Found the SVIs it owned worked fine with directly connected devices, but routing to anything beyond via the default route was dropped; looks like all my static routes are sitting as pending. Anyone know why that might be?

I thought this might need the LAN base services license, but after installing that, it made all static routes disappear and L3 not ready messages on the SVI. I installed the L3 module but that shows as offline and I can't figure out how to bring it online. Not too sure what's going on here, any advice would be very helpful, tia.



Unable to create VPN tunnel using Cradlepoint

Hi all, my company purchased a Cradlepoint to use as a failover ISP for when our primary goes down.

We can not seem to get a VPN tunnel created when using the cradlepoint.

The ASA is stuck on MM_WAIT_MSG2, they are Cisco ASAs on both ends.

It doesn't seem like the other end is getting the request we send, however if we bring up the other interface for our primary ISP the tunnel builds just fine.

I can link the debug file from this end, the error seems to be:

Sending delete/delete with reason: Ignoring IKE SA (dst) without VM bit set;

Also fwiw the Cradlepoint is in IP Passthrough mode, and that interface is setup to dhcp that address.



DC network with only few switches

How would you design a DC network with 4-8 switches per DC (total 2 DCs)? Seems like wasting money to build a complete spine-leaf architecture with so few switches. (We're mainly running hyperconverged stuff so we're not needing that many racks any more)

I'm thinking about doing basically a "ring" of the DC switches (they're in MLAG pairs) and then connecting the other DC from one/two pairs depending on how many fibers we can get. OSPF or BGP in the underlay and EVPN overlay.

Spine-leaf architectures are all about equal distance between every servers but do you see this kind of setup problematic?



Can anyone help me?

I wanted to know why it is recommended to have IPv4 eBGP session and advertise IPv6 prefixes from it, rather than creating a separate eBGP session for IPv4 and IPv6.



OSPF over Nexus VPC

Hi gurus

I have a router connected to a switch which then has two trunks connecting to a pair of Nexus 3k switches. There is a VPC peer link between the Nexus, and the two connections to the switch are setup as LACP in a VPC group. I’d like to bring up an OSPF neighbor between the router and both Nexus for redundancy but I’m not sure how it will work.

VPC peer routing is configured on the Nexus. My assumption was I can make a /29 and give each device an IP in that subnet and it should form neighbors with everything. My concern is making routing loops. Will this work at all?



Juniper SRX to Cisco ASA VPN - No phase 2

Hi all,

I think I'm missing something silly here, but after setting up a site-to-site VPN between an SRX and an ASA, the phase 1 IKE (v2) comes up fine, but phase 2 never does, nor does it even seem like it's ever trying.

The story here is that the SRX has replaced a Draytek, so the ASA has stayed the same and I'm sure the config is still fine on that.

Some details:

ASA local Subnet: 192.168.1.0/24

SRX local subnet: 192.168.2.0/24

Originally I thought the issue was because the default VLAN 0 on the SRX was set to 192.168.1.0/24 and was conflicting with the remote range on the ASA, but I've changed this to 192.168.100.0/24 and still no dice.

SRX Config:

## Last commit: 2020-04-30 17:32:19 UTC by root
version 12.1X44-D40.2;
system {
    root-authentication {
        encrypted-password "xx"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            http {
                interface [ vlan.2 vlan.1 ];
            }
            https {
                system-generated-certificate;
                interface [ vlan.2 vlan.1 ];
            }
        }
        dhcp {
            name-server {
                8.8.8.8;
                8.8.4.4;
            }
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings fe-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        file kmd-logs {
            daemon info;
            match KMD;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members D1;
                }
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members D1;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members D1;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members Exchange;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members Exchange;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members Exchange;
                }
            }
        }
    }
    fe-0/0/6 {
        disable;
    }
    fe-0/0/7 {
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    pp0 {
        unit 0 {
            apply-macro BT;
            ppp-options {
                chap {
                    default-chap-secret "xx"; ## SECRET-DATA
                    local-name "xx@xx.com";
                    no-rfc2486;
                    passive;
                }
                pap {
                    local-name "xx@xx.com";
                    no-rfc2486;
                    local-password "xx"; ## SECRET-DATA
                    passive;
                }
            }
            pppoe-options {
                underlying-interface fe-0/0/7.0;
                idle-timeout 0;
                auto-reconnect 5;
                client;
            }
            family inet {
                address x.x.x.x/8;
            }
        }
    }
    st0 {
        unit 0 {
            enable;
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.100.254/24;
            }
        }
        unit 1 {
            family inet {
                address 192.168.20.254/24;
            }
        }
        unit 2 {
            family inet {
                address 192.168.2.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            qualified-next-hop 81.148.160.1 {
                metric 1;
            }
        }
        route 192.168.1.0/24 next-hop st0.0;
    }
}
protocols {
    stp {
        disable;
    }
}
security {
    ike {
        policy ike-policy- {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "xxxxxxxxx"; ## SECRET-DATA
        }
        gateway ike-gate- {
            ike-policy ike-policy-;
            address 94.229.76.114;
            external-interface pp0.0;
            version v2-only;
        }
    }
    ipsec {
        proposal main {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-policy- {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn ipsecvpn {
            bind-interface st0.0;
            ike {
                gateway ike-gate-;
                ipsec-policy ipsec-policy-;
            }
            establish-tunnels immediately;
        }
    }
    address-book {
        global {
            address D1-Cisco 192.168.20.253/32;
            address D1-Server 192.168.20.250/32;
            address D2-WebDav1 192.168.2.13/32;
        }
        Exchange-Network {
            address Exchange-Network {
                wildcard-address 192.168.2.0/24;
            }
            attach {
                zone trust;
            }
        }
        Exchange-SK {
            address Exchange-SK {
                wildcard-address 192.168.1.0/24;
            }
            attach {
                zone vpn;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        static {
            rule-set Nat-Rules {
                from zone untrust;
                rule WebDav {
                    match {
                        destination-address x.x.x.x/32;
                        destination-port 8443;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.2.13/32;
                                mapped-port 8443;
                            }
                        }
                    }
                }
                rule Cisco-VPN {
                    match {
                        destination-address x.x.x.x/32;
                        destination-port 8080;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.20.253/32;
                                mapped-port 8080;
                            }
                        }
                    }
                }
                rule D1-HTTP {
                    match {
                        destination-address x.x.x.x/32;
                        destination-port 444;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.20.250/32;
                                mapped-port 444;
                            }
                        }
                    }
                }
                rule D1-HTTP2 {
                    match {
                        destination-address x.x.x.x/32;
                        destination-port 4444;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.20.250/32;
                                mapped-port 4444;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy Cisco-VPN {
                match {
                    source-address any;
                    destination-address D1-Cisco;
                    application Cisco-VPN;
                }
                then {
                    permit;
                    count;
                }
            }
            policy D1-Web1 {
                match {
                    source-address any;
                    destination-address D1-Server;
                    application [ D1-Web2 D1-Web1 ];
                }
                then {
                    permit;
                }
            }
            policy D2-WebDav1 {
                match {
                    source-address any;
                    destination-address D2-WebDav1;
                    application D2-WebDav;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy trust-vpn- {
                match {
                    source-address Exchange-Network;
                    destination-address Exchange-SK;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy vpn-trust- {
                match {
                    source-address Exchange-SK;
                    destination-address Exchange-Network;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                fe-0/0/0.0;
                fe-0/0/5.0;
                fe-0/0/3.0;
                fe-0/0/2.0;
                vlan.2;
                vlan.1;
                fe-0/0/1.0;
                fe-0/0/4.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                fe-0/0/7.0;
                pp0.0;
            }
        }
        security-zone vpn {
            interfaces {
                st0.0;
            }
        }
    }
}
firewall {
    family inet {
        filter Block-Inter-Vlan {
            term Block-Inter-Vlan {
                from {
                    source-address {
                        192.168.20.0/24;
                    }
                }
                then {
                    discard;
                }
            }
        }
    }
}
applications {
    application Cisco-VPN {
        protocol tcp;
        destination-port 8080;
    }
    application D1-Web1 {
        protocol tcp;
        destination-port 444;
    }
    application D1-Web2 {
        protocol tcp;
        destination-port 4444;
    }
    application D2-WebDav {
        protocol tcp;
        destination-port 8443;
    }
}
vlans {
    Exchange {
        description Exchange;
        vlan-id 20;
        interface {
            fe-0/0/4.0;
        }
        l3-interface vlan.2;
    }
    D1 {
        description D1;
        vlan-id 10;
        l3-interface vlan.1;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

IKE Status:

root> show security ike security-associations

Index State Initiator cookie Responder cookie Mode Remote Address

164005 UP 0fb34fe6eef146cb 5823116028c5c6a5 IKEv2 x.x.x.x

IPSEC Status:

root> show security ipsec security-associations

Total active tunnels: 0

Stats on the web gui for phase 2 show 0 IPSEC packets sent. I've tried pinging a remote address (192.168.1.4) but no reply and no phase 2 coming up.

Any ideas? Thanks in advance!



Juniper Export Policy for advertising both full tables and a default route

I have a customer that has requested we advertise both full tables and a default route via BGP. They are currently receiving full tables.

For most of my BGP connected customers, we don't configure an export policy on their BGP Session which automatically advertises full tables to them. If they request just a default route, I have an export policy that expressly provides them a default route and rejects everything else...

policy-statement bgp-default-route {
    term default-route {
        from {
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
    term deny-everything-else {
        then reject;
    }
}

If I create a new policy similar to the one above, but leave out the last term of deny-everything-else, does this accomplish what I'm looking to do without any side effects?

Since the customer is live and currently receiving full tables, I don't want to make changes that will adversely affect his service.

Any ISPs using Juniper have a working example?

Thanks in advance.
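What a policy with no final `reject` term does depends on where an undecided route falls through to, so it helps to model the evaluation order explicitly. The block below is an added example for this question; it is not Juniper code and simplifies the real evaluator. Its assumptions: terms are evaluated in order; the first term whose `from` matches and whose `then` is `accept` or `reject` decides; a route that no term decides falls through to the next policy in the chain and finally to the BGP default export policy, which advertises active BGP-learned routes and rejects everything else. Only `protocol` and `route-filter ... exact|orlonger` match conditions are modelled, the posted `bgp-default-route` policy is transcribed into this model, and the route table (a static default plus two BGP-learned prefixes and a direct route) is constructed.

```python
"""Model how a Junos BGP export policy chain decides what is advertised.

Added example; not Juniper code. Assumptions: first terminating term wins,
undecided routes fall through policy by policy to the BGP default export
policy (accept active BGP routes, reject the rest). Match conditions are
limited to 'protocol' and 'route-filter exact|orlonger'.
"""
from ipaddress import ip_network

# The BGP default export policy, appended to every chain in this model.
BGP_DEFAULT_EXPORT = ("bgp-default-export", [
    {"name": "bgp-routes", "from": {"protocol": "bgp"}, "then": "accept"},
    {"name": "everything-else", "from": {}, "then": "reject"},
])

# The policy from the post, transcribed into this model.
BGP_DEFAULT_ROUTE = ("bgp-default-route", [
    {"name": "default-route", "from": {"route_filter": ("0.0.0.0/0", "exact")}, "then": "accept"},
    {"name": "deny-everything-else", "from": {}, "then": "reject"},
])

# The same policy without its final reject term.
BGP_DEFAULT_PLUS_FULL = ("bgp-default-plus-full", [
    {"name": "default-route", "from": {"route_filter": ("0.0.0.0/0", "exact")}, "then": "accept"},
])

# Constructed routing table: prefix -> protocol of the active route.
ROUTES = {
    "0.0.0.0/0": "static",          # locally originated default, not BGP-learned
    "203.0.113.0/24": "bgp",
    "198.51.100.0/24": "bgp",
    "10.0.0.0/8": "direct",
}


def term_matches(term, prefix, proto):
    """Evaluate the modelled 'from' conditions of one term."""
    cond = term.get("from", {})
    if "protocol" in cond and cond["protocol"] != proto:
        return False
    if "route_filter" in cond:
        want, kind = cond["route_filter"]
        net, ref = ip_network(prefix), ip_network(want)
        if kind == "exact" and net != ref:
            return False
        if kind == "orlonger" and not net.subnet_of(ref):
            return False
    return True


def decide(chain, prefix, proto):
    """Return (action, 'policy/term') for one route under an export chain."""
    for policy_name, terms in list(chain) + [BGP_DEFAULT_EXPORT]:
        for term in terms:
            if term_matches(term, prefix, proto) and term.get("then") in ("accept", "reject"):
                return term["then"], f"{policy_name}/{term['name']}"
            # matched without a terminating action, or did not match: next term
    raise AssertionError("the default export policy always decides")


def exported(chain, routes):
    """Map of advertised prefix -> the policy term that accepted it."""
    out = {}
    for prefix, proto in routes.items():
        action, where = decide(chain, prefix, proto)
        if action == "accept":
            out[prefix] = where
    return out


if __name__ == "__main__":
    for label, chain in [("no export policy", []),
                         ("bgp-default-route", [BGP_DEFAULT_ROUTE]),
                         ("without deny-everything-else", [BGP_DEFAULT_PLUS_FULL])]:
        print(f"{label}:")
        for prefix, where in sorted(exported(chain, ROUTES).items()):
            print(f"  {prefix:18} accepted by {where}")
```

Under these assumptions the model shows three distinct outcomes: with no export policy the BGP-learned prefixes go out but the static default does not; with the posted policy only the default goes out; and with the reject term removed, the default is accepted by the explicit term while the BGP prefixes fall through to the default export policy and are advertised from there. Whether a given box behaves exactly this way, in particular how the default route is originated on it, is something to confirm with `show route advertising-protocol bgp` against a test peer rather than on the live customer session.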



How to Keep Networking Skills Sharp

Hello, I completed ICND1 and ICND2 as part of college curriculum earlier this year (WGU Network Operations and Security for the win). After completing ICND2 in January I needed to pass 4 more classes to finish my bachelors, and to do that I archived my Cisco memory folder deep in my mind lol. I am wondering if anyone has any tips or tricks for getting all that knowledge to the forefront again. I am planning on just re-watching Neil Anderson's videos and running through some packet tracer labs from Jeremy's IT Lab YouTube channel. I am currently unemployed (stay-at-home dad life) and will be until November, so just looking for help on keeping my skills sharp while I have all this free time.



Serious question, why do businesses use Cisco equipment with licenses?

Recently switched over a site which had all cisco gear, including aironets, switches, yada yada.

Unfortunately I can't disclose the costs, but the figures were in the low 5 figures. I was absolutely shocked.

Switched them out to a mix of Ubiquiti and Mikrotik equipment, no complaints and the cost is quite literally 80% less than before. There are other sites running the same hardware for 8 years with no issues.

So my question is, why do companies pay so much for Cisco?



Traffic Control using a Raspberry Pi 3

My router doesn't have bandwidth control per IP/MAC feature. I was wondering if there's a way to use my Raspberry Pi 3+ (that's already used as a pi-hole) to control the bandwidth for each IP/MAC in my network.

Is there a way to use the Raspberry Pi as a front to the router (using port forwarding or MiTM for example) and then control the bandwidth using the Traffic Control library?

NB : This is my network that I 100% own.



VRF-lite capable used L3 device suggestion

Hey all,

I have a lab with a couple of servers, which is used to simulate and try out stuff. Networking part of it is basically two used L2 switches (Arista 7124SX and a Cat 3650). It's getting kind of convoluted, with ~20ish VLANs and no inter-VLAN routing at the moment. While this Arista is a L3 switch, this particular box does not support VRF routing (you can configure VRFs and assign interfaces to 'em, but routing between them is not happening). So, in order to tidy things up a bit, I'd like to plop in a VRF-capable L3 device (router on a stick), and spread out my VLANs into appropriate VRFs. Of course, this is a lab thing, so unsupported/EoL devices are okay (until something dies and I get threatening calls about why isn't the lab up, but I'll deal with that when I get there). So, the requirements are:

  • Budget dictates it's going to be a used device (500-ish US$/Eur +- 20%)
  • VRF-lite capable
  • At least 1x10G interface for connecting to the existing topology, two would be excellent
  • (Optional) Redundant AC power supplies

What I've been looking at:

  • Cat 4948-10G w/ Enterprise services image
  • ASR 1000 - way out of my budget from what I've been able to find
  • ASR 900 series (920 would be great) - there aren't that many of those to be found used, and the prices are high

I'm not familiar with Aristas and Junipers and HPs. Any recommendations?

Thanks in advance!



Wednesday, April 29, 2020

FS.Com - Who makes their equipment?

Does anyone know who the actual OEM for FS.Com Switches is?



New to networking! Thoughts on this diagram I cooked up?

This is my first design EVER, done for a school project. Just wanted to know what you guys thought I could add/remove/modify. Not sure how well designed this is. All criticism is accepted! Thanks.

https://imgur.com/a/OCzymXw



If QUIC is UDP based, how does it manage packet loss?

I was reading about HTTP2 and it says QUIC is UDP but UDP does nothing against packet loss.



Networking skills for the cloud?? What the heck do I search for!

Hello everyone,

First, I hope you're all safe.. and good job keeping the data flowing through this insanity!

I'm an enterprise type network admin, with about 10 years of industry experience and 10 more years before of regular IT related experience. To give an idea of my skill level, most of my work has been with a university LAN/WAN and other similar infrastructure, and I've stood up a couple BGP routers (with a lot of help from other engineers at partnering organizations). I can code, and if I get in a groove sometimes it's decent code.

The reason I'm posting here, is I'm not sure what I should be looking for? Is there a type of position that would benefit from a decent skill set in networking, and something that would allow growth of a programming skill set?

The end goal is to find a position that is 100% remote, with the ability to take on/schedule work from a pool of uncompleted jobs, and take on as many or few jobs as I like based on my availability. Does this mystical thing exist, and what is it called? I've been searching job sites and I just can't seem to find something to fit!

Thanks for reading, stay safe.



Pmacct buffer size

Hi, I'm testing pmacct in a small network and it works just fine. But when I test it in my real network (with over 400 clients) it doesn't work completely fine. In my real network it should print data to my database every 60 seconds, but it prints data only when I close nfacctd. Here is my config file:

debug: true
! for this example, I want to run nfacctd by hand and look at the output
daemonize: false
pidfile: /var/run/nfacctd.pid
! remember to configure logrotate if you use logfile
!logfile: /var/log/nfacct.log

! returns warning messages in case of data loss
! bufferization of data transfers between core process and active plugins (default 4MB)
plugin_pipe_size: 102400000

! The value has to be <= the size defined by 'plugin_pipe_size' and keeping a ratio < 1:1000 between the two
! Once a buffer is filled, it is delivered to the plugin
plugin_buffer_size: 102400

! automatically renormalizes byte/packet counters value basing on information acquired
! and take count of the sampling_rate in the (s)Flow sample
nfacctd_renormalize: true

nfacctd_pipe_size: 1024000

plugins: memory[m], print[print]
! check primitives list in CONFIG-KEYS
aggregate[m]: src_host, dst_host, src_port, dst_port, proto, tos, etype
aggregate[print]: src_host, dst_host, src_port, dst_port, proto, tos, etype

! by default file is overwritten
print_output_file[print]: /opt/1m.json
print_output[print]: json
print_history[print]: 60s
print_history_roundoff[print]: m
print_refresh_time[print]: 60
! we want to run this script after purging cache (but that's another story):
print_trigger_exec[print]: /opt/pm2influx.sh

I think maybe buffer size is the problem.

Please help! Thanks



Type 1 Hypervisor vs Dual Boot

What is the difference between the two? From my understanding, a type 1 hypervisor is bare metal VM, so it has direct access to the hardware without relying on virtualized hardware. How does that differ from dual booting an OS, which also has direct access to the hardware?



What Is Inside a Multi-10GE Port Switch?



How are you running/invoking your network automation?

Having a central source of truth, writing automation scripts and keeping them (and configs) tracked in git is pretty straightforward. But I'm interested to know the different ways you all call your network automation scripts (and why) because it seems there's a whole bunch of ways to do it.

  • Individual engineers git clone and call scripts from the commandline running on their workstation
  • The above, but on a shared central automation server
  • Web interface only, which functionally just wraps the scripts
  • Run from a different system (e.g. NetBox custom scripts)
  • AWX / Ansible Tower
  • Git server automatically running via git hooks
  • Git server running via manual pipeline

Also how are you handling logging and approvals?



Anyone know the OEM behind the $30 managed 8 port switches

See subject. I would like to be able to white label. Are all the $30 Zyxel/TP-Link type switches just relabels of an OEM?



Network Automation - Cisco ISE API Calls (Download policy)

Good afternoon all,

I am working on an ISE project and I would love to be able to download the policies from one ISE installation, modify them and recycle. Has anyone done this before? What kind of cool API calls, useful stuff have you done with API calls and ISE?



Question about calculating Network Bandwidth Utilization (Explained Inside).

I'm working on a word problem for some Python homework, and I've been tasked with writing a script that is responsible for calculating the Network Bandwidth Utilization for every line in a CSV file. At a high level, I'm curious to know if there is a universal calculation that is used to derive this value.

Now, to dive more specific into the data set I'm using to calculate the values from. There are two CSV files at hand, one is named 'bandwidth.csv' and the other is 'netbitrate.csv'. I've taken a screenshot of the files here: https://imgur.com/a/f6nvmot (they are very small files for the sake of this exercise, 6 & 20 lines each, respectively).

Additionally, I'll include the files below:

---bandwidth.csv---
Server,InterfaceName,Bandwidth
server1,eth0,20
server1,eth1,40
server2,eth0,80
server3,eth0,5
server3,eth1,10
server4,eth0,160

---netbitrate.csv---
Timestamp,Server,InterfaceName,NetBitRate
2019-05-07 19:17:23,server1,eth0,1000
2019-03-30 19:41:33,server4,eth0,200
2019-06-18 07:38:11,server1,eth0,100
2019-03-08 08:29:38,server3,eth1,80
2019-04-21 04:50:41,server3,eth1,500
2019-04-06 06:28:31,server4,eth0,660
2019-05-02 08:33:40,server1,eth1,1000
2019-06-06 06:02:10,server2,eth0,1000
2019-02-28 20:16:54,server4,eth0,1000
2019-04-05 23:57:00,server2,eth0,500
2019-04-21 23:31:19,server1,eth0,400
2019-06-24 09:49:58,server3,eth1,80
2019-04-04 10:34:24,server1,eth1,1000
2019-06-14 15:13:36,server2,eth0,660
2019-02-13 19:19:49,server4,eth0,800
2019-02-03 19:03:03,server4,eth0,1000
2019-01-07 00:49:05,server3,eth1,100
2019-05-08 13:14:21,server1,eth0,500
2019-03-23 23:36:03,server1,eth1,100
2019-02-06 14:44:09,server2,eth0,100

So now that you see the data I'm working with across these two files, my question is how should I go about crafting the calculation that would give me the Network Bandwidth Utilization for each line of the 'netbitrate.csv' file.

If you have any questions or would like me to clear anything up for you, please let me know!

cheers.
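One way to do the join and the ratio, as an added example rather than the poster's homework answer. It uses a constructed subset of the rows shown above; utilization is taken as NetBitRate divided by the interface's Bandwidth, and since the files do not state their units the SCALE factor is an assumption that flags any result above 100% as a probable unit mismatch.

```python
"""Join bandwidth.csv with netbitrate.csv and compute per-row utilization.

Added example, not the poster's code. The CSV text below is a constructed
subset of the rows in the post; the unit relationship is an assumption.
"""
import csv
import io

BANDWIDTH_CSV = """Server,InterfaceName,Bandwidth
server1,eth0,20
server1,eth1,40
server2,eth0,80
server3,eth0,5
server3,eth1,10
server4,eth0,160
"""

NETBITRATE_CSV = """Timestamp,Server,InterfaceName,NetBitRate
2019-05-07 19:17:23,server1,eth0,1000
2019-03-30 19:41:33,server4,eth0,200
2019-03-08 08:29:38,server3,eth1,80
2019-05-02 08:33:40,server1,eth1,1000
2019-06-06 06:02:10,server2,eth0,1000
"""

# Assumption: Bandwidth and NetBitRate share a unit. If Bandwidth is in Mbit/s
# and NetBitRate in kbit/s, set SCALE = 1000 so both are compared in kbit/s.
SCALE = 1.0


def load_capacity(text):
    """Map (server, interface) -> link capacity from bandwidth.csv content."""
    reader = csv.DictReader(io.StringIO(text))
    return {(r["Server"], r["InterfaceName"]): float(r["Bandwidth"]) for r in reader}


def utilization(bitrate, capacity, scale=SCALE):
    """Utilization as a fraction: observed bit rate divided by link capacity."""
    if capacity <= 0:
        raise ValueError("link capacity must be positive")
    return bitrate / (capacity * scale)


def utilization_report(bandwidth_text, bitrate_text, scale=SCALE):
    """One dict per netbitrate.csv row, joined on (Server, InterfaceName).

    Interfaces missing from bandwidth.csv get utilization None instead of
    being silently dropped. A link cannot carry more than its capacity, so a
    value above 1.0 is flagged: it usually means the two files use different units.
    """
    capacity = load_capacity(bandwidth_text)
    rows = []
    for r in csv.DictReader(io.StringIO(bitrate_text)):
        key = (r["Server"], r["InterfaceName"])
        cap = capacity.get(key)
        util = None if cap is None else utilization(float(r["NetBitRate"]), cap, scale)
        rows.append({
            "timestamp": r["Timestamp"], "server": key[0], "interface": key[1],
            "bitrate": float(r["NetBitRate"]), "capacity": cap,
            "utilization": util,
            "suspect_units": util is not None and util > 1.0,
        })
    return rows


if __name__ == "__main__":
    for row in utilization_report(BANDWIDTH_CSV, NETBITRATE_CSV):
        pct = "n/a" if row["utilization"] is None else f"{row['utilization']:.1%}"
        print(row["timestamp"], row["server"], row["interface"], pct,
              "(check units)" if row["suspect_units"] else "")
```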



Do Meraki switches support BiDi SFPs?

Meraki isn't very discerning when it comes to SFPs, but they don't sell any BiDi SFPs. It doesn't mean it won't work, but it's an unknown.

https://www.fs.com/products/11802.html

At that price I am planning to just buy a handful and test them, but you could save me some time.

Has anyone ever run one and had it actually work? Just in the planning stage here and we have a chunk of single-strand single-mode fiber and it would help the project if we could use it.



LISP ROUTING

I was reading the new Cisco CCNP/CCIE 350-401 official cert guide and came across LISP. The section on it was short and had no config examples. My takeaway from it was that it is DNS-like routing, in that routers ask for and receive routes on demand instead of storing them like OSPF.

  1. What are some use case scenarios of the routing protocol?

  2. I read somewhere that it increases mobility. How does it accomplish that?

  3. Is OMP basically the same thing, because SD-WAN routers talk back to vSmart/vBond/vManage? Maybe OMP phases it out?



DSCP

Hi Networking Gurus,

I’m trying to wrap my head around some DSCP implementation, and need some advice.

I need to map 4G Mission-Critical QCI QoS to L3 DSCP.

Currently I’m mapping as follows:

QCI=70, DSCP=20 (MC data)

QCI=69, DSCP=44 (MC signalling)

QCI=65, DSCP=42 (MC voice)

But all online documentation recommends mapping QCI=69 to DSCP=41.

Is DSCP 41 > DSCP 44?

And if so, does anyone care to explain why?

Edit:

I need signaling to have highest priority, then voice traffic followed by data last.

Would my implementation ensure that signaling (dscp44) has higher priority than voice (dscp42)?
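To see why "41 > 44" is not a meaningful comparison on its own, here is an added decoder (not from the post) that splits each codepoint into the fields a DSCP-to-queue map actually keys on: the three class-selector bits, the low bits, whether it is a standard PHB, and its RFC 2474 codepoint pool. DSCP 44, 42 and 41 all decode to class selector 5 and none of them is a standard PHB, so whether 44 beats 42 depends entirely on the queue map each device is configured with; the QCI table is constructed from the question.

```python
"""Decode DSCP codepoints the way a queueing policy sees them (added example)."""

# Standard PHB names: RFC 2474 class selectors, RFC 2597 AF classes, RFC 3246 EF.
STANDARD_PHB = {cs * 8: f"CS{cs}" for cs in range(8)}
STANDARD_PHB[0] = "CS0 (best effort)"
STANDARD_PHB[46] = "EF"
for af_class in range(1, 5):
    for drop in range(1, 4):
        STANDARD_PHB[af_class * 8 + drop * 2] = f"AF{af_class}{drop}"


def codepoint_pool(dscp):
    """RFC 2474 section 6: pool 1 'xxxxx0' is standards action; pool 2 'xxxx11'
    and pool 3 'xxxx01' are experimental / local use."""
    if dscp & 0b1 == 0:
        return 1
    return 2 if dscp & 0b11 == 0b11 else 3


def decode_dscp(dscp):
    """Split a 6-bit DSCP into the fields a default DSCP-to-queue map keys on."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field (0..63)")
    return {
        "dscp": dscp,
        "bits": f"{dscp:06b}",
        "class_selector": dscp >> 3,   # top three bits, the IP precedence equivalent
        "low_bits": dscp & 0b111,      # drop precedence for AF, otherwise unassigned
        "phb": STANDARD_PHB.get(dscp, "non-standard"),
        "pool": codepoint_pool(dscp),
    }


def same_class_queue(a, b):
    """True when a class-selector-based queue map puts both codepoints in one queue."""
    return decode_dscp(a)["class_selector"] == decode_dscp(b)["class_selector"]


# The QCI -> DSCP mapping from the question (constructed table).
QCI_TO_DSCP = {70: 20, 69: 44, 65: 42}

if __name__ == "__main__":
    for qci, dscp in QCI_TO_DSCP.items():
        d = decode_dscp(dscp)
        print(f"QCI {qci}: DSCP {dscp} = {d['bits']} class {d['class_selector']} "
              f"{d['phb']} pool {d['pool']}")
    print("DSCP 44 vs 42 share a class-selector queue:", same_class_queue(44, 42))
    print("DSCP 41 vs 44 share a class-selector queue:", same_class_queue(41, 44))
```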



Juniper JunOS training

I am mostly familiar with Cisco devices, I have my CCNA and am pretty familiar with networking through that level. My workplace will be switching a lot of stuff out for Juniper and I'm looking for some interactive online training to help get me and my coworkers somewhat spun up on Juniper. Any suggestions? Paid or free, curious what you guys have used and liked.



SSH to one public IP with multiple ports for access to multiple devices for configuration

Hey guys,

I have a high level understanding of SSH/Telnet, NAT/PAT, etc. however I have always worked on the presale aspect of the business and never configured this for production.

Now, the company I work for, we support service providers. We manage the deployment and configuration services for different kind of IT equipment. In this case, we provide customers access to multiple public IPs so that they can remotely log in to multiple firewalls for configuration before shipping them to the end user location. My question is, for example, instead of using 10 public IPs to configure 10 firewalls, can we use one public IP (for example 10.0.10.10) with multiple ports?

Ex:
10.0.10.10 port 12345
10.0.10.10 port 23456
10.0.10.10 port 34567
... and so on

Sorry if this is a dumb question and I know how PAT works but I guess I’m just confused and need validation from hopefully someone out there that has done this in the past.

Also, again maybe another dumb question, but from the client end wouldn't they only need to specify the IP and port number to connect?

Thanks and looking forward to getting burned here (hopefully not)



Best Practices for backing up a DPM server?

I'm a relatively new network admin, and we have a DPM 2016 backup server for our physical and VMs. I want to back up the actual DPM server and wanted to know what you're using to do this?

Cost is an issue, especially right now.



Do you enjoy your career in networking?

Do you find it fulfilling? Are you passionate about what you do? Do you feel a career in networking affects your mental health? How does a career in networking affect your personal/off-call time? If you could turn back time, would you do something else?



Help needed with Windows 10 and Libreswan

Hello! I followed this guide (https://dc77312.wordpress.com/2019/01/08/libreswan-ipsec-vpn-on-centos-7-and-windows-10/) to set up a VPN server, but upon connecting all I get is "Policy match error". I cannot find what Windows is proposing, or why it is failing. Could anyone help?

I tried adding other algorithms and hashes to the config file, and even tried these that another server negotiated with Windows: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

I also added the registry option to enable modp2048.

One of the leads I tried following is this PRF_HMAC_SHA2_256, which I tried adding, but would not pass config verifications.

But no debug option would tell me exactly why it's failing or what proposal was being requested. The log only states NO PROPOSAL CHOSEN. How do I get it to tell me the REQUESTED? Also, information about how to get more information from Windows' logs would be greatly appreciated.

Log file is too large: https://docs.google.com/document/d/1-84JBWh4s6wjQ2zlmkkJzUx2Qbixnr-A2qegwtaFRY4/edit?usp=sharing



Problems with PHPipam...HELP!

My company is giving PHPipam a shot and there are a couple things I'm having problems with that I can't find answers to and was hoping you kind people who have been using the software for a while can help with.

First off when I scan a subnet I get no hostnames. I've added one of our DNS servers under nameservers, but still no luck.

The other issue is I can't scan a /16 network, it ends up locking up the server and timing out. Are we really limited to /20s and less?

Thanks for the help!



Networking completely borked after Windows update, help!

Windows 10 1909 working fine on one of my work laptops up until yesterday when I applied Windows Update KB4534132. After that I can't get on the internet, my ethernet is there but doesn't connect to the internet and my wifi is not detected at all. In device manager both the ethernet and wifi adapters are there and working properly.

My research has led me to believe this is an issue with corrupt DLL files. I first saw this when running Firefox, it would not open and gave me an error of "firefox.exe - Bad Image" and telling me that dhcpcsvc.DLL was either not designed to run on Windows or it contains an error. This happens with Edge Chromium as well. When I try to do something like IPCONFIG in the command prompt I get the same error. So somehow my DHCP is not working due to corrupted DLL files??

Steps taken:

Run disk scan: SFC /scannow: shows corrupted files but cannot fix them since I can't get online

Safe mode: still can't get online

Network reset in windows settings: doesn't do anything, doesn't reset or reboot PC

Windows troubleshooting: Lol?

I've downloaded the app Tweaking.com and tried to re-register services and other repairs. I've run scans for malware and rootkits, nothing. I have uninstalled all the Windows updates up until 1909, which was installed a month ago and otherwise has no issues. I have even tried system recovery back to before this update, that didn't help. I tried to replace dhcpcsvc.DLL but can't get permission to do so, I'm logged in as administrator, but I'm hesitant to do this as I can't find a more recent version of the DLL file and don't know if this is the right thing to do.

My last resort is to reset the PC, but this is a work PC and has a lot of older programs installed that I don't even know if I can find, much less setup again. I'm trying to avoid a reset as otherwise the PC functions perfectly. Any help would be appreciated.



Tier 2 vs Spine-leaf broadcast BUM handling

3 years ago we built a small datacenter with vPC using Cisco Nexus, HSRP, all sorts of things, but later we just started adding more and more racks and now I have 45 racks and around 100 switches including 2x ToR and core etc. Now it's a giant L2 network (yes, we are using vPC so every link is active-active), but the question is: do I need to worry about adding 10 more racks to the existing network?

STP is dangerous for a large network, but does it act differently when we use it with vPC (reduced BPDUs etc.)? In the same way I am also worried about BUM traffic in the L2 network.

Now it's too late to convert the Tier 2 design to Spine-Leaf :( We know spine-leaf eliminates STP at the leaf level, but now the question is: is it going to help with BUM traffic using EVPN? (If yes, then how much does it help with BUM?)

Soon we are going to open a datacenter in one more co-location and I want to make sure I understand everything before we say let's do Tier 2 vs Clos design. What do you think?



Cost per user for the network

Hi all,

Bit of an odd one, but an external company has taken over part of our business. The staff will move over but they will remain on our sites, eventually using their own laptops etc.

As the network and security dogsbody, I've been asked to come up with a cost per head for their usage of the network/firewalls/Wi-Fi etc to charge back to them. Has anyone else ever had to do this and how did you go about it?



Packet Captures for displaying TCP Congestion Control

Hi all,

I’m very here and I need very urgent help from y’all. I hope you’ll be able to help me out.

I have to give a presentation tomorrow on Congestion Control and Avoidance. So initially, I did think it’s a straightforward thing where I just give a very brief overview.

But I’ve just been informed that this is a 3-hour session and I should show packet captures and what not.

Now I must be frank here, I don’t work with Networking related aspects at all, and I only know the very very basics. All I know about TCP is the 3 way handshake and I did read up the very basics of congestion control and avoidance over the weekend.

If any of you could tell me where I can get the required packet captures from and where I’d be able to learn much more in detail about Congestion Control, I’d be eternally indebted.

Looking forward to hearing from y’all



Addressing on Tunnel Interfaces

When using tunnel interfaces for IPSEC to enable dynamic routing, what's the right way to address them?

I took a /24 from the larger subnet used at this company and broke it up into /30s for addresses on each tunnel. That's all working fine and routing is working properly.

This has led to each of those /30s showing up in the routing table across all routers. I'm not sure whether that's a problem and a sign that I'm doing something wrong or if it's normal and I'm just not used to seeing it.

Devices are SonicWall. I'm using tunnel interfaces and OSPF so that I can control link costs and because many sites have multiple ISPs, Ethernet point-to-point links, etc.



SPF records: Will records not included in the SPF record at root level of a domain validate email servers?

Hi,

I have a question regarding SPF records.

Do records not included in the SPF record at root level of a domain validate email servers? For example: I have a domain (company.com), which has a nameless record (record 1) with these values:

v=spf1 include:_spf.company.com ip4:123.123.123.123 include:_spf.domain1.com -all

So there is another record (record 2): _spf.company.com, which includes some other values.

I see why this is working. Record 1 points to record 2 and therefore an external mail server is validated as a valid sender and mail is being delivered.

But there are some other records that seem to be on their own: (record 3) e.g. _spf_orphin.company.com - v=spf1 include:ip4:111.111.111.111 include:_spf.otherdomain.com -all

I don't see another record pointing towards it.
Will mail servers included in this record (record 3) be validated, or will they just be skipped because no other record points to it?
Or do all records whose value starts with "v=spf1" count as a valid SPF record against which spam filters can validate?

Thanks in advance !
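An added walker (not the poster's setup or a real DNS lookup) over a constructed TXT map modelled on the three records described: record 1 at company.com, record 2 at _spf.company.com, and the orphan record 3, written here with a plain ip4: mechanism; addresses other than the quoted 123.123.123.123 and 111.111.111.111 are documentation ranges. A receiver starts at the sending domain's own record and only follows include: links, so a record nothing includes is never consulted, however valid its syntax.

```python
"""Walk an SPF include: chain over a constructed DNS TXT map (added example)."""

# Constructed TXT data modelled on the post; 198.51.100.x / 203.0.113.x are
# documentation addresses standing in for the real servers.
TXT_RECORDS = {
    "company.com": [
        "v=spf1 include:_spf.company.com ip4:123.123.123.123 "
        "include:_spf.domain1.com -all",
    ],
    "_spf.company.com": ["v=spf1 ip4:198.51.100.10 -all"],
    "_spf.domain1.com": ["v=spf1 ip4:203.0.113.5 ~all"],
    # "record 3" from the post: valid SPF syntax, but nothing includes it.
    "_spf_orphin.company.com": [
        "v=spf1 ip4:111.111.111.111 include:_spf.otherdomain.com -all",
    ],
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than ten => permerror


def spf_record(name, txt):
    """Return the domain's single v=spf1 TXT string, or None if absent/duplicated."""
    spf = [r for r in txt.get(name, []) if r.split()[:1] == ["v=spf1"]]
    return spf[0] if len(spf) == 1 else None


def walk_spf(name, txt, visited=None, lookups=0):
    """Collect ip4: mechanisms reachable from `name` by following include: terms.

    Returns (authorised ip4 set, record names consulted in order, include
    lookups spent). Records that nothing includes are simply never visited.
    """
    if visited is None:
        visited = []
    visited.append(name)
    ips = set()
    record = spf_record(name, txt)
    if record is None:          # no usable record: an include: of it matches nothing
        return ips, visited, lookups
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")          # drop the qualifier, keep the mechanism
        if mech.startswith("ip4:"):
            ips.add(mech[len("ip4:"):])
        elif mech.startswith("include:"):
            lookups += 1
            if lookups > MAX_DNS_LOOKUPS:
                raise ValueError("permerror: more than 10 DNS-querying terms")
            target = mech[len("include:"):]
            if target not in visited:       # guard against include loops
                sub, visited, lookups = walk_spf(target, txt, visited, lookups)
                ips |= sub
    return ips, visited, lookups


def sender_authorised(ip, domain, txt=TXT_RECORDS):
    """True if `ip` appears in an ip4: mechanism reachable from `domain`."""
    ips, _, _ = walk_spf(domain, txt)
    return ip in ips


if __name__ == "__main__":
    ips, visited, lookups = walk_spf("company.com", TXT_RECORDS)
    print("records consulted:", visited)
    print("authorised ip4:", sorted(ips), "lookups:", lookups)
    print("111.111.111.111 authorised for company.com?",
          sender_authorised("111.111.111.111", "company.com"))
```

Only hosts reachable from company.com's own record pass; 111.111.111.111 would only count for mail claiming to be from _spf_orphin.company.com itself.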



Dot1x Issues with Lenovo Thinkpad Dock station

Hi!

We recently tried to deploy wired dot1x in one of our environments (machine authentication), but some of the clients would not authenticate properly. It seems that the users that have a Lenovo Thinkpad 40A1 Dock Station would not "present" their certificate properly (or authentication server simply states that there is an unknown CA in the Certificate Chain), but when the client was directly connected to the switch it would authenticate without any issues (bypassing the dock station).

We also got it to work by removing the configuration from the client NIC (and keeping the configuration on the dock station NIC), which complicates things since not all clients are using this type of dock station and it would be near impossible to keep them apart in the GPO dot1x settings. It would also cause the client to not authenticate properly if/when roaming to conference rooms (utilizing other dot1x-enabled switchports).

Authentication Server: Cisco ISE

Switches are 2960X(TS&PS)

Do you have any ideas on how we could proceed/investigate this further? Anyone with similar issues?



Changing work laptop

I've a work laptop which is part of the work domain. Is it possible to clone the disk to a newer laptop and retain all rights of the domain? My issue is that work laptop is quite old which is not being upgraded hence I would like to buy a new one and use that at work. However, I do not want admin to get involved. I've admin rights on my current work laptop if that makes any difference. Thanks



Does CE5880-48T6Q-EI support 1+1 fan module backup?

Does CE5880-48T6Q-EI support 1+1 fan module backup?



Tuesday, April 28, 2020

Netmiko save config on Cisco question

from datetime import datetime
from netmiko import ConnectHandler

# 'device' is the Netmiko connection dictionary (device_type, host, username,
# password, ...) defined earlier in the script.
start_time = datetime.now()
net_connect = ConnectHandler(**device)
cmd = 'copy flash:/c880data-universalk9-mz.154-2.T1.bin flash:/test1.bin'
# The copy command asks for a destination filename; stop reading output when that prompt appears.
output = net_connect.send_command(cmd, expect_string=r'Destination filename')
# Send an empty line to accept the default, then wait until the privileged-exec prompt (#) returns.
output += net_connect.send_command('\n', expect_string=r'#', delay_factor=2)
end_time = datetime.now()

Hi, so I've just started getting into Python and Netmiko and I'm wondering what exactly this part of a script does? I think I have a fairly good idea but a few things are confusing me. The

output += net_connect.send_command('\n', expect_string=r'#',

part. This script is to get around a prompt from a router asking for another answer to the save config on the Cisco CLI. It looks like it's using the expect_string "Destination filename" to look for that in the output from the command, okay fair enough I get that, but it looks like the output variable is being combined with another send_command() call as well, looking for a new line and then expect_string=r'#', which I've no clue what it is doing... I know the delay factor is used for timeout; it's mainly the other things I've mentioned which I'm at a bit of a loss about...

Thanks again everyone for the help

Update after more thinking.....

Is the "expect_string" argument just looking for that identifier, so a "#" and "Destination filename" and once it finds it, it moves onto the next piece of code?



Viasat is blocking and spoofing responses for TCP Keepalive packets

I've been running packet traces to some of my servers with Wireshark from the Viasat network while generating TCP keepalive packets using https://github.com/davepacheco/tcpkatest, and it appears the Viasat router is blocking and spoofing responses to all of these packets; this is causing major TCP connection drop/reliability issues with many of my applications.

I've confirmed that the TCP keepalive messages are not making it to my server by running packet captures on the server at the same time as I generate them from my laptop; I've also verified that my test server is capable of receiving TCP keepalive packets by sending them from a virtual private server on a completely different network.

In addition, the router appears to be spoofing responses to the keepalive messages, with the responses coming back faster than the minimum Viasat latency would normally allow for, so I'm fairly sure it's the router itself blocking/spoofing these packets.

Has anyone else seen anything like this before?