Hello guys,
I am trying to make a script to retrieve vendor's for all hardware addresses (MAC) via NETCONF. The command is simply 'show arp | match ae0 ' but for some reason it times out waiting for the RPC reply. I am guessing it's due to cli length, if I log in to the router and issue 'show cli screen-length 0' and run the script again, it works. Is there any way to pass this cli option as parameter?
Thanks for any advice.
Hi, I just finished my junior year of college. Last fall, I took a networking course where we coded our own implementations of TCP/IP (based on rfcs 791 and 793). This summer, I don't have anything to do, so I was hoping to do some independent learning about more advanced networking topics, and also take on another coding project.
However, I'm a bit lost, and I don't know how to move forward. There are a LOT of topics in networking, it seems, and they are all very complicated and overwhelming. For example, I was interested in SDN and Openflow, but I'm just totally lost trying to do more reading on the subject.
So, I'm asking for help, if anyone knows any worthwhile topics that I should look into? I'm looking for things which are relevant today, which I can feasibly grasp at my level, and which I could even come up with a coding project for.
Thanks very much!
I'm designing a network for my CCNA final project and I'm having trouble getting the DHCP to talk to the end devices.My configuration needs to have the following all working on it:-10 or more "host" devices-2 or more routers, configured with PPP and CHAP, OSPFv2-2 or more switches-4 or more VLANS-Inter-VLAN routing-DHCP-NAT
Screenshot: https://imgur.com/a/mfGFAdp
Here's the link to the pkt file, for those who would like to look over it:
https://www.mediafire.com/file/xozykrik5k7i1ca/CCNA4_FINAL_PROJECT.pkt/file
Please let me know what I'm doing wrong
-------------------- FALCON-HEIGHTS -------------------- en conf t no ip domain-lookup banner motd #UNAUTHORIZED ACCESS TO THIS DEVICE IS STRICTLY PROHIBITED!!!# hostname FALCON-HEIGHTS username ROSEVILLE secret cisco int s0/3/0 encapsulation ppp ppp authentication chap service password-encryption enable secret cisco line vty 0 4 password cisco login logging synchronous exit line con 0 password cisco login logging synchronous exit ip dhcp excluded-address 192.168.0.1 ip dhcp excluded-address 192.168.0.129 ip dhcp excluded-address 192.168.0.193 ip dhcp excluded-address 192.168.0.225 ip dhcp pool WORK-VLAN default-router 192.168.0.1 dns-server 8.8.8.8 network 192.168.0.0 255.255.255.128 ip dhcp pool AWAY-VLAN default-router 192.168.0.129 dns-server 8.8.8.8 network 192.168.0.128 255.255.255.192 ip dhcp pool HOME-VLAN default-router 192.168.0.193 dns-server 8.8.8.8 network 192.168.0.192 255.255.255.224 access-list 1 permit 192.168.0.0 0.0.255.255 ip nat inside source list 1 interface g0/0 overload int s0/3/0 clock rate 128000 ip address 10.0.23.1 255.255.255.252 ip nat inside no shut exit int g0/0 ip address 172.16.23.254 255.255.0.0 ip nat outside no shut exit ip route 0.0.0.0 0.0.0.0 g0/0 router ospf 1 network 10.0.23.0 0.0.0.3 area 0 default-information originate passive-interface default no passive-interface s0/3/0 exit ----------------- ROSEVILLE ----------------- en conf t no ip domain-lookup banner motd #UNAUTHORIZED ACCESS TO THIS DEVICE IS STRICTLY PROHIBITED!!!# hostname ROSEVILLE username FALCON-HEIGHTS secret cisco int s0/3/0 encapsulation ppp ppp authentication chap service password-encryption enable secret cisco line vty 0 4 password cisco login logging synchronous exit line con 0 password cisco login logging synchronous exit int g0/0 no shut int g0/0.21 encapsulation dot1q 21 ip address 192.168.0.1 255.255.255.128 ip helper-address 10.0.23.2 exit int g0/1 no shut int g0/1.23 encapsulation dot1q 23 ip address 192.168.0.193 255.255.255.224 ip helper-address 10.0.23.2 exit int g0/2 no shut int g0/2.22 encapsulation dot1q 22 ip address 192.168.0.129 255.255.255.192 ip helper-address 10.0.23.2 exit int s0/3/0 ip address 10.0.23.2 255.255.255.252 no shut exit router ospf 1 network 10.0.23.0 0.0.0.3 area 0 network 192.168.0.0 0.0.0.128 area 0 network 192.168.0.128 0.0.0.192 area 0 network 192.168.0.192 0.0.0.224 area 0 network 192.168.0.224 0.0.0.240 area 0 passive-interface default no passive-interface s0/3/0 exit ---------- SILVER ---------- en conf t no ip domain-lookup hostname SILVER banner motd #UNAUTHORIZED ACCESS TO THIS DEVICE IS STRICTLY PROHIBITED!!!# service password-encryption enable secret cisco line vty 0 15 password cisco login logging synchronous exit line con 0 password cisco login logging synchronous exit vlan 21 name WORK vlan 22 name AWAY vlan 23 name HOME vlan 24 name MGMT exit int g0/1 switchport mode trunk switchport trunk native vlan 24 int f0/16 switchport mode access switchport access vlan 23 int f0/18 switchport mode access switchport access vlan 23 int f0/23 switchport mode access switchport access vlan 23 exit ---------- GOLD ---------- en conf t no ip domain-lookup hostname GOLD banner motd #UNAUTHORIZED ACCESS TO THIS DEVICE IS STRICTLY PROHIBITED!!!# service password-encryption enable secret cisco line vty 0 15 password cisco login logging synchronous exit line con 0 password cisco login logging synchronous exit vlan 21 name WORK vlan 22 name AWAY vlan 23 name HOME vlan 24 name MGMT exit int g0/1 switchport mode trunk switchport trunk native vlan 24 int f0/13 switchport mode access switchport access vlan 21 int f0/15 switchport mode access switchport access vlan 21 int f0/17 switchport mode access switchport access vlan 21 int f0/19 switchport mode access switchport access vlan 21 exit ---------- BLUE ---------- en conf t no ip domain-lookup hostname BLUE banner motd #UNAUTHORIZED ACCESS TO THIS DEVICE IS STRICTLY PROHIBITED!!!# service password-encryption enable secret cisco line vty 0 15 password cisco login logging synchronous exit line con 0 password cisco login logging synchronous exit vlan 21 name WORK vlan 22 name AWAY vlan 23 name HOME vlan 24 name MGMT exit int g0/1 switchport mode trunk switchport trunk native vlan 24 int f0/7 switchport mode access switchport access vlan 22 int f0/9 switchport mode access switchport access vlan 22 int f0/11 switchport mode access switchport access vlan 22 exit
[question] Hi everyone, I am trying to build a network emulation on EVE-NG , but i am still learning, my first question is will I be able to access this network from another VM to use with a network monitoring tool ? Say for example I have EVE-NG on 192.168.1.100 The network nodes I created were 10.10.10.1 and 10.10.10.2
I have another VM 192.168.1.200 , on it I have a network monitoring tool , how can I access the devices 10.10.10.1 and .2 from the monitoring tool ?
Also how can I simulate the traffic in the EVE-NG network to be able to get some data in the network monitoring tool ?
A bit newbie , still a lot to learn , appreciate your help .
Looking to get a linksys router & netgear modem or a netgear router with a linksys modem. I was wondering if they are both compatible with each other? Also what kind should I get and do you guys recommend?
I'm currently using serf on some (very low resource) embedded systems to discover nodes on the network. However, because it's based on Go, it's requiring too much ram (given that I have only 128mb per node). I was wondering if anybody here know a similar solution that may cost less in terms of memory. Thanks in advance.
I need to convert a used Infiniband switch (not yet purchased) to Ethernet. L3 management would be nice, but I can live without if that requirement makes the conversion too complex or expensive. 16 ports are enough, if count matters.
I've spent hours searching this topic with limited conclusive success. People in other forums say they've done it easily. Some for free, some for a couple hundred bucks for a license. Others say support is spotty and don't do it, even within the same model/family due to changes in firmware or varying components. Some have done it through undisclosed methods, some by purchasing a license, and some by flashing an open OS. Reports are all over the place, and unfortunately, so many posters didn't bother listing what model they succeeded or failed with. Thanks, uncertainty.
So, r/networking, what's the real deal on repurposing surplus Infiniband gear for Ethernet and saving it from the dump?
For those who have done it, which switch did you use, how much did the license cost (if any), and were there any pitfalls -- especially if I'm reloading software as some have suggested?
Would anyone recommend a specific model for ease of conversion, low cost of Ethernet licensing, or strong compatibility with third party firmware / operating systems?
In short, where's the trap, how do I avoid it, and is there a golden ticket out there?
My current network design is IP based if there is an existing phone line, and I want to use it for OOB management for a terminal server so I can connect to network device/s. we need a modem onsite to dial into, but on the remote end, if there is no phone line, what can we use to dial in? Maybe I'm overthinking. I never paid attention in the past how ISPs had this setup I will log into a server and dial in.
Trying to avoid getting another isp for OOB
Please bear with me - I am very green here and this is not my area of expertise.
I am trying to be able to access two different work PCs from home via RDP (not at the same time). Both office computers are Win 10 PRO and have RDP setup to allow access. I am geting stuck with the router config on my TP link router...
I added a rule in the router for service and internal 3389 with my IP address 192.168.x.xxx. Everything worked fine, and I was able to connect to the first PC from home. I can get the second PC to work if I modify the original rule and change the IP to the second PCs IP address, but I cant seem to add a second rule to allow both PCs. When I try to add another rule, I get the flowing message:
The entry already exists or its port is contained by another one.
What am I missing here? How can I allow myself to remotely connect to two different PCs on the same work network? Any help is greatly appreciated. Please let me know if I omitted any prudent information. Thanks again
Good morning networking collective!
I work at a service provider and came across an inconsistency in our network this this morning while doing a service turn-up: on some distribution routers we redistribute connected into OSPF, and others we redistribute connected into BGP. All of these are customer-facing provider ports where we are the gateway.
Our network is a pretty standard OSPF on infrastructure + BGP overlay, which is why I find it interesting that we're redistributing connected into OSPF ... I can only think its because a predecessor -- or even previous me -- put that in as a quick 'make sure the routes get in' solution. Our normal policy is "internal routes+infrastructure in OSPF, ALL customer routes in BGP!" which is why I was surprised to see OSPF redistribution turned on.
What is the best practice for this? Redistribute connected+static into BGP only, plus OSPF passive-interface as default, then enable OSPF for only specific interfaces? That is where my head leads me.
Thanks for your input!
So I’ve only ever worked at one company my entire career ~13 years. We pretty much had full reign to our laptops. Things went south there and I just started at a new company. I can’t install things like keypass, wireshark, secureCRT, not even putty. I couldn’t even enable telnet. Looks like I’ll have to open a support ticket for everything I do. Is this a red flag? I’ve only ever worked at one place and they gave IT guys admin rights, so I don’t really know. Also hit a few blocked websites.
My position is senior network engineer, if that adds any detail.
Hi, I bought myself two NC522SFP NIC's along with two Cisco FET-10G 10-2566-02 transceivers. After plugging both of them into the same card and attaching a 5m OM3 Aqua Fibre Optic cable between them and finding drivers for the NIC's online it just says 'Network Cable Unplugged'
Do I need specific SFP+ transceivers or are my Cisco ones fine and its just a driver problem.
Thanks a tonne in advance :)
Also the SFP+ modules get very hot like 40C so I'm assuming that they are working haha
Hi all,
I've finally got Oxidized working for JunOS, but am struggling to gather any meaningful config backup for our Palo's. I've checked that the maintainers have been working on this for a while, but I don't see where the functionality has been implemented.
I'd really like to be able to config Oxidized to use SSH for JunOS and to make an API call for the PAN's. The problem is, I don't really know where to start. I'll paste my config below.
Current config (sanitized, no HTTP): https://pastebin.com/cQXiuXVj
I'm also curious if it possible to specify input per device group. Something like this:
groups: palo: input: http #http stuff here I deployed a python server a few weeks ago, but for that I had to use nginx.
And following the tutorial, I talked about enabling https / ssl.
Okay, I did that.
Now I am studying Nginx to better understand how it works, but in the Ningx course (Linux Academy) it doesn’t cover things so much about https / ssl, it only covers things like enabling using lets encrypt and certbot.
But I want to understand how it works behind the scenes.
What readings are recommended for this?
PS: all tutorials on how to enable https with nginx use certbot with lets encrypt.
Hi!
I am thinking about building automated system for planned works impact on customers and network visualisation.
With that I mean if there is planned work I can select device or transmission and it gives me a list on which customers will be affected. I want to mention that we are not huge ISP so expended $$$ is of essence.
It would consist of two parts:
first - device discovery and device database and visualization (eNMS/LibreNMS)
second - service impact tool to which I have not found already so I have some ideas how to do that.
Like each customer link has unique ID which is configured on device and then some scripts would then extract that from device and give me output I need.
But before I jump to programming I want to ask community knowledge.
Maybe there is something open source already available for second part? Which would reduce overall time to implement this solution.
Cisco now has a policy that you can't change the email address on your cisco.com account. Supposedly you can transfer certifications, although it's not as clear if you had subscriptions at learning for VIRL or CML. Allegedly the policy prevents data from the old employer from bleeding over to the new one. Anyone worked around it and preserved their subscriptions, community conversations, and other cisco errata?
Ive studied CCNA before so i understand the concepts about these two protocols.
In real production environment, could you please share your experience on these protocols of when/how did you use them?
Id really appreciate your response.
Iperf showed no issues but actual data transfer shows impact <1Mbps (SMB).
Basic Ikev1, nothing fancy no custom config.
About 20-30 ms between the sites.
Thoughts on what to look at at this point?
With a site to site (SonicWALL to Azure) VPN up and running I can access the network in both directions without issue. But when I RDP into a Windows Server running on Azure I get frequent disconnects - the session will drop, then auto reconnect, on the first attempt.
With a point to site VPN from Windows 10 to Azure (on the same machines) there is no issue with RDP.
This leads me to think that everything is fine with the local OS and the Azure VM and that the issue is somewhere in the site to site VPN configuration. Does that sound right?
Any idea what could be causing this and, more importantly, thoughts on how to fix it?
edit - just to be clear, the timeouts are happening while I'm actively using the connection, not if I let it sit unused.
ISPs, software vendors and others are planning to turn off IPv4 connectivity on February 1st, 2030. IPv4 Flag Day. Are you ready?
I'm still pretty new to IOS-XR, but I'm looking to validate my thinking before I publish this change. Should this advertise out only 198.0.0.0/24 and 198.0.51.0/24? I'm receiving full tables, but I want to make sure that I'm not becoming a transit area as I'm peered with the same provider to multiple locations.
router bgp 65000 bgp log neighbor changes detail address-family ipv4 unicast network 198.0.0.0/24 network 198.0.51.0/24 ! address-family ipv6 unicast network 2002:0::/48 ! neighbor 10.32.0.1 remote-as 65999 address-family ipv4 unicast route-policy bgp-deny-inbound in route-policy bgp-allow-outbound-v4 out address-family ipv6 unicast route-policy bgp-allow-outbound-v6 out route-policy bgp-deny-inbound if orf in bgp-deny-private then drop endif end-policy route-policy bgp-allow-outbound-v4 if orf in bgp-outbound-list-v4 then pass else drop endif end-policy Using the napalm_install_config with replace_config set to true, I always get changes when running my playbook. The diff file from Napalm is saying:
!
!The following order-dependent line(s) were re-ordered
!boot-start-marker
!boot-end-marker
However, this is the order I have put them in my assembled configuration file.
Assembled config: https://pastebin.com/tXxkmbEH
Device config: https://pastebin.com/VndvQCqt
I followed the excellent guide on networklessons.com ( https://networklessons.com/uncategorized/ssh-public-key-authentication-cisco-ios ) for setting this up and it's working fine on a few 2960x switches we have running IOS 15. I'm working in my lab at home and one of my switches is a 3560 running 12.2 and the ip ssh pubkey-chain command does not exist. Is there a different method of accomplishing this if this command is missing?
im having some troubles with this code, and I dont know if it is an Ip. Can someone help me?
Reviewing a Cisco SmartNet renewal, and noticed this time there are two tabs on the Excel sheet - SmartNet, and ECMU.
On this ECMU Tab, they are charging about $600 per license, per switch, per year, for our Nexus 9000 licenses.
I questioned our CDW rep, who said all Cisco licenses are "subscriptions" and this is our renewal. When I sent the documentation showing our licenses are perpetual, he asked his Cisco guy, who said this is for "updates and support" on the licenses.
As you know, there is no such thing as a software update for a license. Licensed features get updated with NXOS, and I get those updates through SmartNet.
So my question is what is ECMU, and do you guys pay it?
Thanks in advance.
I found this interesting read, here is the abstract:
The COVID-19 pandemic dramatically changed the way of living of billions of people in a very short time frame. In this paper, we evaluate the impact on the Internet latency caused by the increased amount of human activities that are carried out on-line. The study focuses on Italy, which experienced significant restrictions imposed by local authorities, but results about Spain, France, Germany, Sweden, and the whole Europe are also included. The analysis of a large set of measurements shows that the impact on the network is significant, especially in terms of increased variability of latency. In Italy we observed that the standard deviation of the additional delay -- the additional time with respect to the minimum for a given path -- during lockdown is ~3-6 times as much as the value before the pandemic. Similarly, packet loss is ~1.4-7 times as much as before the pandemic. The impact is not negligible also for the other countries and for the whole Europe, but with different levels and distinct patterns.
The full paper can be found here: https://arxiv.org/abs/2005.06127
Our current Azure setup is such that all incoming traffic hits a public load balancer first, and then gets forwarded to one of two palo alto firewalls in the backend pool.
This is great from a resiliency standpoint since its easily scalable and makes it easier to do maintenance with no downtime...in theory.
The problem:
Unfortunately, we also have about a dozen VPN tunnels that terminate on one of the backend firewalls. In my mind, this single point of failure makes the setup more fragile than it should be, since any downtime on this particular firewall will necessarily cause a service disruption.
My hypothesis:
To fix this, I was thinking of moving the VPN peer IP from the firewall and onto the public load balancer. That way, remote sites will be able to establish tunnels to any firewall in the backend pool instead of just this one
My question:
Does this design even make sense? Is this the best way to solve this problem?
It seems reasonable to me, but I haven't been able to find any documentation on this kind of design. Frankly, I don't know what I don't know.
Hi there,
we started this week a discussion how ip- allocations actually works. Some said, that providers dont have enough ips to provide one for each customer and thats the reason why we have dynamic ips.
My opinion was different, cause i said the router from the customer is always connected, so they have to provide enough ips for their customers.
How is it actually working?
We have a customer who is complaining about slowness/timeouts when accessing application. After doing the usual checks, the application did not seem to be at fault. The cusotmer has multiple servers, with all of them talking to each other, running multiple applications. These are virtual servers on ESX.
So we asked for tcpdumps of the network, and found a few things - zero-window packets, duplicates, keep-alives, etc. I believe those are normal in busy networks.
But there was something interesting - there were multiple retranmissions, which continued until a timeout.
Now I do understand some retranmissions are normal, but these have a pattern:
It appears that whenever a connection is initiated by a server, it is being throttled/blocked or being silently dropped. And this isn't true for all requests - just for some of them.
I do not have much experience with troubleshooting networks, so wanted an opinion from the experts here. Is my conclusion correct, i.e., there is something throttling these requests? If so, have any of you faced this before, and would know what would cause it?
If I'm wrong, please let me know as well - I would like to learn more.
Apologies, I do not have details of the network architecture - all I know is that the servers on on ESX. But let me know if any more information is needed, and I may be able to help.
I am unable to find a clear an concise answer from CMTS device documentation, the toplogies I see are depicted as CMTS->CM, but that assumes the end point is not swapped out with another CMTS.
Dumb question but...
I understand 100m is the max length that a cat cable should be. Is this the max length per cable or total?
For instance if I have 15m cable running from the jack to my router and and 60m to my pc and another 60m to another pc, making the total length 135m which is more than 100m. Does it work like that or is it just per cable?
Hi everyone, I am a network engineer that recently came across this switch and would like to get it installed in my lab, its old but it has a lot of features i want to play around with. The problem is its on very old firmware and i cant seem to find newer firmware anywhere. If anyone could point me in the right direction it would be appreciated.
In a shop with two major data centers, one centered on a multi-VRF VXLAN EVPN fabric built in Nexus 9Ks, DC-A), the other currently using 7Ks to host SVIs for VLANs trumped down to 5Ks and 9Ks (DC-B). We’re gearing up to build a new VXLAN EVPN fabric on Arista gear in DC-B but it got me thinking: once we’ve migrated enough VLANs into the fabric to completely empty a 9K pair why not repurpose them as leaf pairs in the Arista-based fabric? Are there any gotchas (beyond configuration syntax being different for some of the same concepts) to be on the lookout for when attempting this?
We install ‘stations’ in areas available to guest/public. These stations are being labeled with all the IP info (address, mask, dg) and ip of server it belongs to. The reason is to make it easier to swap if one fails.
Is this a big no-no... or is this equivalent to hidden an ssid in a wireless network?
Not looking for ACI which requires a PhD to operate and half a million dollars to set up.
I’m looking for something cheap, reliable, and lightweight. Preferably something like SD-WAN/Meraki for the Datacenter. It should abstract as much configuration from the end user as possible and should feature drag and drop for vlan/server deployments. No knowledge of Routing to set up and maintain but should be able to flexibly scale to 100k+ VMs easily.
Edit: should also have built in UTM/AV at every layer, and full end to end encryption.
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.
Feel free to submit your blog post and as well a nice description to this thread.
Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.
The Modem got an option to plug in an external hard drive and to share it with the Network. i tried to set it up multiple times but couldnt get it to work.
The plugged in Device is a USB 3.0 Toshiba external Hard Drive with 1TB Space and its FAT 32 i think.
when i plug it in the modem sees the device and everything seems normal and working. (also tried with a 32GB USB Stick)
But when it comes to finding the Hard Drive, i cant. I checked the user manual multiple times and tried the steps over and over again and it didnt work.
i tried it with the name and the ip...
Having trouble getting the information through Broadcom support. I'm looking for what is the latest recommended version for the OS running on a PS400. 11.10.2.2 build 235775 is what is running on it now.
Thank you.
I just had an issue where we have a stack of two Cat 9300 switches. We monitor them via the OOB management interface. We only have the one on the top (master) switch connected.
Last night the master spontaneously rebooted leaving the stack working but the OOB management unreachable. It was connected and up but got no MAC address out if it.
Is this as designed? i.e. only the management interface of the master switch works no matter which one is connected?
Hello all,
It's been several years since the announcement of 2.5 GB/s and 5 GB/s ethernet that was promised to run over regular old CAT 5e and CAT 6 cables - basically upgrade your existing network without changing the cables. I know not everyone was super excited about this smallish speed bump when 10 GB was already available and not super expensive anymore, however there are folks like me where rerunning cables is downright impossible.
What happen to this technology path, can it be found anywhere I check out amazon and newegg, and stopped there assuming that if its not on a consume site the price is not reasonable.
Thoughts, suggestions, ideas?
Thanks so much for your time and comments!
Edit: I did fine one NBASE-T switch on Amazon https://www.amazon.com/TRENDnet-EdgeSmart-10GBASE-T-Protection-TEG-7080ES/dp/B07BV2VYVF/ref=sr_1_2?dchild=1&keywords=NBASE-T+switch&qid=1589470013&sr=8-2
Price seems pretty high though IMHO
Not sure if this is just network equipment, but this is generally the best group for answers.
So we are revamping our network.
We have a dozen or so sub-offices, a couple will have RODC, but the rest wont.
They are all domain joined, and WAN links are over MPLS or VPN.
I am wondering how to set it up so that if the Primary DNS server at head office fails, the sub-offices will still be able to connect to the internet.
I'm pretty sure the behavior of windows 10 DNS is that after a failover to the secondary, it will remain on that secondary until a reboot, or until the secondary fails. Either way, I have had a multitude of problems in the past by using the windows client secondary DNS pointing to anything other than a DC
Hi and thanks in advance. I'm relatively tech capable, but network hardware and software is a big blindspot for me. Long story short, I have a few "smart" air conditioners that are connected to my network with static local IPs. A ridiculously buggy and inconsistent app sends signals over IP to control them. I don't think the app will continue to work for long, so while it does, I'd like to use it to try to mimic it's normal operation signals so I can keep using it by sending the same data without the app. I can packet sniff with wire shark and see the data going to the AC. Is there some preferred method of copying and resending these data on command? I've googled around but I'm mostly finding hacking related preventing injection type articles! Can anyone point me in the right direction, or let me know if I'm mistaken that this is even a viable plan?
Hello all,
My company is moving out of a shared office into our first building as we've out grown the space. Wifi was provided as part of our lease. As the new space requires setting up a network, I've been tasked with building this new network.
I'm a junior network admin, and so far the only experience I have is with Palo Alto and Cisco products. So I'm not sure who offers the best experience for each piece I need.
Company growth wise I need it to support up to 65 users in approximately 4200 sq feet with at least a 5 year life cycle. Currently were 21 people moving into a ~1700 sq ft space. Figuring two wireless devices per user.
I've been allotted $7,250 for the budget.
So far I have:
Firewall / Router : PA-820/850
Switch: Need a 16-24-port PoE model, tempted to go with Cisco here unless Juniper or another vendor has a better product.
Wireless: I really don't know who to go with for this piece. I figure starting off with one-two APs initially and buying additional ones if needed for coverage.
In regards to wireless coverage, what wifi site mapping software and tools are worthwhile? While I probably won't buy any wifi tools it would be nice to know for the future.
Thanks.
We intend to replace our current 'core' switch. It has 12x SFP+ ports which are used to link to other switches and 2x physical servers (VMware ESXi hosts). We are currently at max capacity on it, and want to move away from a single point of failure (understandably...).
I say 'core' because I don't know a better word. That switch is definitely a SPOF currently, and concerning. All traffic must go though it to get to the servers (2x VMware ESXi hosts) and by extension the FortiGate VM. We're not really big enough to have real defined areas of the network as core, distribution and access. All 'access' switches are directly connecting to this current 'core' switch.
Currently using a 'router on a stick' type network with inter-VLAN routing being handled by a FortiGate VM on the VMware cluster. I would like to move to inter-VLAN routing being managed by L3 switches, but currently most of the 'access' switches are managed L2. Only the current 'core' switch - and 2x 'access' switches - are L3. The FortiGate's 'IPv4 Policy' also gives us a better control than L3 ACLs, although at a major throughput disadvantage compared to L3 routing.
The 2x 'access' switches that are L3 capable are Aruba 2930F-48G-740W-PoEP-4SFPP, and we intend to replace the rest of the 'access' switches with these, and hopefully go with full on Aruba AirWave for management.
We need a solution to replace the current 'core' switch, one that will handle at least 48 SFP+ connections, to allow for two links per switch and server, and for growth room.
Currently thinking about 2x Aruba 3810M 24SFP+ 250W Switch (JL430A), if that switch is suitable we'd probably run one link from each switch / server to each of the switches, then maybe 2x links from each 3810M to each ESXi server.
Another option is using just one switch, but 48x SFP+ ports on it and redundant internal controllers? IE firmware upgrades or 1x control module failure etc result in no network downtime. Then using link aggregation on that switch to the other devices.
I have used simple link aggregation before to connect switches to the current 'core' switch, and understand having an actually redundant path is a lot better, as with link aggregation you still have the SPOF by using 1 switch (unless it's dual controller).
I'm not a networking expert, but I'm well acquainted with VLANs, firewalls policies and routers etc. I haven't needed to modify spanning tree settings on any devices so far, so will definitely need to do some more learning on it before I start looking into changing this network to make it actually redundant. I've never worked with BGP, OSPF etc. I know there are far more complex protocols for managing networks with multiple paths, but what would you recommend I do in this scenario? No need to go overboard, but it needs improved from what it's at.
Much appreciated.
A question of curiosity...
How many of you out there have deployed Arista's PoE switch line that they came out with last year? Although I'm not currently looking for any switches at the current time, I haven't seen or heard of a lot of people talking about them since they came out with them.
Are they a strong product line for you? Too late to the game? I liked spec-wise what I saw when they debuted, with the exception of lack of stacking, but wonder how many have actually real-world deployed them and what your experience has been. I've deployed a lot of Cisco over the years, and I do like Arista's core products; I just wonder how that is translating to the access/distribution layer for them so far. I really liked that all their switches, no matter the model, run the same EOS image. Just looking for people's pros/cons and general experience so far from those who are using them.
Hi Folks, I'm representing a network solution architect team in huge country-wide organization with numerous (~1000) branch offices and reseller points. Yes, we going to migrate an old setup with newer approaches and tech in mind. Currently we have a mixture of IPsec/OpenVPN/ugly RA and site-to-site connections. We have redundant RASes distributed over few locations. The whole idea is to provide access to some Central services (hosted in AWS) and have access from HQ to particular IP-ready equipment in remote location. That's the baseline we have now.
The way this network operates now is less efficient you might think . There is numerous outages, fat finger mistakes, HW failures, long restoration time, and much manual config required on remote side (I meant both remote hands and central initiated provisioning).
We going to build new implementation which involves few new concepts (SDN), techniques (DCI, VXLAN) and technologies (OvS/WireGuard/EVPN) . In general we going to create an overlay on top of existing underlay backbone, and soon decommission old gateway hardware. We'll start with shipping appliances which will host kvm/docker images with preinstalled software which going to build up connection to out HQ. Then we will use this appliance as reverse-proxy for accessing remote resources and finally will switch on-premise to use appliance as main GW. Most remote locations has internet-routable ipv4 address, so appliance will serve also as NAT GW (needed bw is very small).
Here is summary of connect requirements we've defined: 1. automation provisioning of RA outbound tunnel (remote side is requester) 2. direct IP connectivity inside created overlay (branch to HQ and vice-versa) (VRouter functionality) 3. possibility to isolate and to grant spoke-to-spoke flows 4. ability to tunnel L2 to remote location 5. ability to tunnel trunk with 10 VID to remote location 6. appliance redundancy for SW components (HA inside host kvm) 7. cryptography to secure tunnel creation
So, finally a questions part: - what open-source software products you can suggest (OvS)? - what SDN controller to use (we looking at Tungsten Fabric, old OpenContrai from Juniper)? - what CI/CD stack to implement (ansible/terraform) - what proactive monitoring approach to use
Any kind of input from you will be very valuable for us. Understand me correctly, we now only in the phase of considering possible options. Grats!
Hello all,
I wanted to integrat skype with cisco CME so that when I make a call on skype, it will go through the CME. Is it possible? And how?
Thank you all.
Head there and see the links in the description of his video. Free courses on Linux, Python3, and open flow.
Link only good till Saturday I believe so jump on it.
Hello,
Recently I've been learning about QUIC protocol and considering its viability for multiplayer games. Currently, all multiplayer games use their own implementation of UDP-based protocol to achieve reliability and ordering. There are few more widely used implementations like raknet, but those implementations only aim to achieve single goal, making them fit only small set of projects. Using standardized protocol could benefit network programmers, making it so they don't need to create/learn new protocol for every new project they start.
QUIC might be that standard in the future, as it's performing those same functions (reliability and ordering) while staying fast. However, its focus on HTTP makes me wonder if it will stay flexible enough for other applications. I found a paper from 2015 considering its use in multiplayer games, but all it concluded was "it might be used for that, who knows."
I wanted to ask you guys for your thoughts on the matter.
As the title says, I am experimenting with a smooth shift from a legacy "traditional" network using routers into a fully functioning SDN network. I am using Riverbed Modeler. I have built an entire legacy network and ran a simulation. Then I build an SDN network with a controller (POX running and listening on a VM) and got the simulation running as well. Now the tricky part where I want to build a hybrid network. I want to make sure the controller can handle non-SDN switches on the network. So what I want to do is to work backwards on the fully SDN network and replace one of the SDN switches with a traditional router after programming its ports. But I don't know how the controller would handle it. I know that POX have different components within it and one may develop their own as well. But I'm not sure if an SDN component generally can handle non-SDN routers. Has anyone here worked on similar situations who can advise me?
Many thanks in advance.
Software I am using:
Riverbed Modeler v. 18.8
VirtualBOX 6.1 Running Ubuntu image
Python 2.7
POX (eel)
A federal judge in Washington, D.C. has ordered the White House to turn over 20 emails directly relating to President Donald Trump’s decision to withhold congressionally appropriated military aid from Ukraine. The administration has refused to produce the communications thus far, claiming the documents are protected from public release by executive privilege.
The order, issued by U.S. District Judge Amy Berman Jackson, stems from a Freedom of Information Act (FOIA) lawsuit filed by the New York Times which sought communications between Michael Duffey, Principal Associate Director for National Security Programs at the Office of Management and Budget (OMB), and Robert Blair, a senior advisor to then-Acting White House Chief of Staff, Mick Mulvaney.
In response to a court order to produce the requested records, the administration withheld 20 documents contending that they were covered by the Presidential Communications Privilege and were therefore exempted from public disclosure laws.
“Specifically, the documents in this category are emails that reflect communications by either the President, the Vice President, or the President’s immediate advisors regarding Presidential decision-making about the scope, duration, and purpose of the hold on military assistance to Ukraine,” OMB Deputy General Counsel Heather Walsh, the official in charge of overseeing the department’s FOIA request responses, previously stated of the decision. She reasoned that disclosing the communications could “risk harming the quality of the information and advice” available to the President.
The Times challenged the exempt classification of the documents, claiming the government failed to provide any evidence that the information fell within the privilege which requires “an actual advisory relationship between the President and the staffer as to that specific document.”
“[T]he Government relies principally on the presidential communications privilege to keep documents secret but has failed to justify invocation of the privilege, submitting a thread-bare declaration from an agency FOIA lawyer who traffics largely—and improperly—in hearsay evidence and then testifies about the operations of the White House’s national security apparatus, a topic about which she has no apparent foundational knowledge and, in fact, claims none,” the Times argued in its motion for summary judgement in the case.
In a rare move, Judge Jackson, the Barack Obama-appointed judge who presided over the Roger Stone trial, decided that instead of relying on the government’s assertion of the privilege, she needed to review the documents herself in her chambers, ordering the government to deliver them within one week.
“[I]n order to assist the Court in making responsible de novo determinations in this case, including any determination for purposes of the presidential communications privilege, concerning the nature and extent of the relationship between any particular communication and presidential decision-making, and, for purposes of the deliberative process privilege, whether a particular communication is both predecisional and deliberative, defendant [OMB] is directed to deliver copies of the documents that have been withheld pursuant to Exemption 5 to chambers for in camera inspection on or before May 20, 2020,” Jackson ordered Wednesday.
Another federal judge recently ordered the Department of Justice to hand over a copy of the unredacted Mueller Report for in camera review. U.S. District Judge Reggie Walton was quite clear about why he felt the need to review Attorney General William Barr’s work.
I live in a rural area in Canada where the only internet service is 1Mbps non LTE coverage. I was looking into getting fiber installed with my neighbors and the infrastructure is actually very cheap only $2000 per house if we install it ourselves. My question is should it be set up as a GPON 1GB single fiber network or 10GB full duplex 2 fiber? It is about 300m-500m between houses.
So I have a situation where I'd like to control both directions of a traffic flow *within my network* based on BGP communities. I've figured out that I can create route filters based on the community to control which path the routes are announced on to control inbound traffic, but I can't seem to figure out a way to also control which path the outbound traffic takes.
What I'm looking for is "if community 1234:5678 is on a prefix from peer C, announce it to peer A and also direct all outbound from that prefix traffic toward A, otherwise announce it to peer B and direct outbound traffic from that prefix towards B."
I'm using Aruba CX 8325 switches, but I'm curious if this is even possible with other vendors.
I was trying to make a Minecraft server and that step was an absolute last resort because I didn’t know what else to do. If the person I gave it to was a hacker, what would he be able to do with it?
I’m just curious on the difficulty of installing one of these into my works office system. I’ve always been intrigued with the whole networking and computer systems. I do have some knowledge of vpn and command. Pretty much my boss bought one for our office, and I volunteered to give it a shot. He didn’t know I was interested into computers/networking and now talks about sending me to school for it, so now I’m nervous about whether I’ll blow it or not. What are my chances of some success?
I could use a brain check/fresh minds on this. Any Cisco gurus up tonight?
I've got a Cisco ASA 5516-X that is sitting behind the gateway (NATted), trying to establish a VPN to a Sonicwall with a public IP address. The Cisco has a private IP on its GigE1/1 / outside interface, and a /30 used on GigE 1/8 / mgmt and the FirePOWER module. The purpose is to create a VPN back to a private network on which sits an FMC environment.
I've built a bunch of tunnels Cisco > Sonicwall where both sides have public IPs. So many that it's beyond routine - I have a template. The problem I'm having is with the Cisco initiating.
My normal processis to turn on keep-alive in the Sonicwall, since it's just a checkbox and main mode/IKEv1; it's simple and straightforward. In this case I need to get the Cisco to establish the tunnel, and on that point I'm stumped.
I have my ACL, transform-set, crypto-map, NAT exclusion - I think everything is there. I can ping the SW's WAN from the Cisco CLI. PCAP in the SW doesn't show any attempts to even start phase 1.
! interface GigabitEthernet1/1 nameif outside security-level 0 ip address 10.0.208.75 255.255.255.0 ! interface GigabitEthernet1/2 nameif inside security-level 100 ip address 10.250.0.1 255.255.255.0 ! /// ! interface GigabitEthernet1/8 nameif mgmt security-level 100 ip address 172.20.44.1 255.255.255.252 ! object network 172.20.44.0_30 subnet 172.20.44.0 255.255.255.252 object network 172.25.0.0_16 subnet 172.25.0.0 255.255.0.0 access-list 100 extended permit ip object 172.20.44.0_30 object 172.25.0.0_16 ! nat (mgmt,outside) source static 172.20.44.0_30 172.20.44.0_30 destination static 172.25.0.0_16 172.25.0.0_16 no-proxy-arp route-lookup ! route outside 0.0.0.0 0.0.0.0 10.0.208.1 1 ! /// crypto ipsec ikev1 transform-set WORKVPN-TSET esp-aes-256 esp-sha-hmac crypto ipsec security-association pmtu-aging infinite crypto map WORKVPN-CMAP 20 match address 100 crypto map WORKVPN-CMAP 20 set pfs crypto map WORKVPN-CMAP 20 set peer AAA.BBB.CCC.DDD crypto map WORKVPN-CMAP 20 set ikev1 transform-set WORKVPN-TSET crypto map WORKVPN-CMAP interface outside ! crypto ikev1 enable outside crypto ikev1 policy 1 authentication pre-share encryption aes-256 hash sha group 5 lifetime 86400 /// tunnel-group AAA.BBB.CCC.DDD type ipsec-l2l tunnel-group AAA.BBB.CCC.DDD ipsec-attributes ikev1 pre-shared-key ***** ! Anyone know the CLI command to convince the ASA to make the first move? I'm sure I can figure it out from there. TIA.
I should have asked this years ago. But it dawned on me I still play this out by ear. You have two or three vendors pitching you their latest wundertech. They've brought sandwiches (well before Covid), sharpened their pencils, brought in their most senior engineer who practically invented the dern thing. And now the big day comes and it's somebody else. What do you tell the losing party? What should you never tell the losing party?
Hi, not sure exactly where best to ask this. I bought a 3560 to play with and learn on (because it was extremely cheap) and I'm looking to build my own rack mount rails and such. Does anyone know where to find mechanical drawings / schematics of the Cisco Catalyst 3560?
Hopefully this makes sense.
Hopefully this is easy and I'm missing something obvious - I'm banging my head against trying to span/mirror/monitor a port on a 7150S, but for some reason Wireshark is showing only broadcast traffic for the port I'm interested in. I can swap to any other port on the system as the source and immediately traffic appears. Perhaps counter-intuitively, every port on the device is a trunk except for the one I want to capture - setting the access port as a source results in only broadcast traffic showing in wireshark.
Config on the source port is almost as simple as it can be. I don't know to what degree config on the destination port matters, but as I mentioned all traffic comes through fine if I use a different source. Promiscuous mode is checked in Wireshark. Multiple devices trying to capture produce the same result. What am I missing?
I was wondering -- for a company with a few remote offices in the same city -- all offices are using the same ISP connecting via fiber at each site. Traceroute shows the same external IP of ISP switch between all sites. Wanted to get thoughts if the recommended practice should be still paranoid and use best ciphers -- or can one be lax and use weaker ciphers to maximize on throughput?
Hello,
This is my homework and I hope this falls for displaying effort, i really can't find any solution to this and no, teacher doesn't provide any lessons to that, he just gives us exercises like that, that we're supposed to figure out ourselves.
How do i set up firewall on server in this network? The color blocks represent different departments, each of them should get different permissions for ftp, http and pinging the server while they're supposed to ping each other.
I thought I will have to just type in particular addresses and particular local ports but i guess it doesn't work like that? My guess is that in order for that to work i would need to set different ips on different departments, so for example yellow would be 20.0.0.0, blue 30.0.0.0 etc. and set rules for each particular network, but as far as i understand they wouldn't be able to ping each other. Other solution that i thought of is different subnet masks, and that with wildcard mask setting i should be able to differentiate those departments but it doesn't work.
What's the solution to this? I can't add/delete anything from the network. If you know any articles that might help me please link them!
I'm investigating a ticket and found an old ticket where someone said the customer would like a full FAR done if a RCA cannot be performed or provided. My google-fo has not helped me identify this acronym. I was thinking "Field Assessment Review".
Can someone talk me through their thoughts on the pros and cons of terminating an internet or mpls circuit on some catalyst 9300's vs terminating those same circuits on an ISR/ASR? It seems to be a pretty divided camp as ive seen both done out in the wild but i dont ever get really good reasons as to why either side has chosen their path. Im curious what this communities thoughts are on the subject.
From my perspective, a newer switching platform like a Cat9k w/ proper advantage licensing will do "full" BGP and while it may not have enough memory, though I would need to check, to consume a full internet routing table, it can certainly perform the same BGP functions as an ISR/ASR. Leaving out things like voice/multicast as I am not sure on the deficiencies the cat9k platform may have with those, what other reasons do folks terminate a circuit onto a switch? If we back out the SDWAN conversation then are we witnessing the slow death of the branch router as switching platforms today are more than capable of accomplishing the task?
hi guys! using the image provided, i have some questions
i have 2 questions: 1. what is the purpose of having two routers in a network (on different ends)? 2. what is the purpose of having the 4 hosts (PC10, PC13, PC16 & PC17) attached to the routers and outside the network, instead of attaching them to a switch?
any advice would be greatly appreciated!
Anyone run into this issue with the 9200's? We thought it may be CSCvq03753, but the issue doesn't follow the PS to other switches when swapped. A PSU working in another 9200 will present the same log messages when added to Switch 2 slot A.
I have been looking at starting to migrate our cisco switches to Aruba switches, and I have been seeing that some people have said to pair aruba with palo alto firewalls. I am now thinking about possibly looking at moving from cisco 5500 asa's to palo alto. Does palo alto have VPN systems? How are they in comparison to the 5516s and 5508s? Are they easy to configure? In terms of cost, cisco is very expensive as it relates to IPS, URL licensing, does PA operate the same way? Will PA be able to connect to cisco via site 2 site vpns for remote office access? Interested in hearing everyones thoughts.
Do you guys have specialized appliances or just a couple of locked down Linux VM's?
Traceback (most recent call last): File "C:\Users\<REMOVED>\PycharmProjects\test_project\venv\lib\site-packages\ntc_templates\parse.py", line 5, in <module> from textfsm import clitable File "C:\Users\<REMOVED>\PycharmProjects\test_project\venv\lib\site-packages\textfsm\clitable.py", line 41, in <module> from textfsm import texttable File "C:\Users\<REMOVED>\PycharmProjects\test_project\venv\lib\site-packages\textfsm\texttable.py", line 42, in <module> from textfsm import terminal File "C:\Users\<REMOVED>\PycharmProjects\test_project\venv\lib\site-packages\textfsm\terminal.py", line 25, in <module> import fcntl ModuleNotFoundError: No module named 'fcntl' During handling of the above exception, another exception occurred: Traceback (most recent call last): File "C:/Users/<REMOVED>/PycharmProjects/test_project/napalm_netmiko.py", line 1, in <module> import napalm File "C:\Users\<REMOVED>\PycharmProjects\test_project\venv\lib\site-packages\napalm\__init__.py", line 12, in <module> import napalm.junos File "C:\Users\<REMOVED>\PycharmProjects\test_project\venv\lib\site-packages\napalm\junos\__init__.py", line 18, in <module> from napalm.junos.junos import JunOSDriver # noqa File "C:\Users\<REMOVED>\PycharmProjects\test_project\venv\lib\site-packages\napalm\junos\junos.py", line 30, in <module> from jnpr.junos import Device File "C:\Users\<REMOVED>\PycharmProjects\test_project\venv\lib\site-packages\jnpr\junos\__init__.py", line 3, in <module> from jnpr.junos.factory.to_json import PyEzJSONEncoder File "C:\Users\<REMOVED>\PycharmProjects\test_project\venv\lib\site-packages\jnpr\junos\factory\__init__.py", line 4, in <module> from jnpr.junos.factory.factory_loader import FactoryLoader File "C:\Users\<REMOVED>\PycharmProjects\test_project\venv\lib\site-packages\jnpr\junos\factory\factory_loader.py", line 14, in <module> from jnpr.junos.factory.factory_cls import * File "C:\Users\<REMOVED>\PycharmProjects\test_project\venv\lib\site-packages\jnpr\junos\factory\factory_cls.py", line 7, in <module> from jnpr.junos.factory.cmdtable import CMDTable File "C:\Users\<REMOVED>\PycharmProjects\test_project\venv\lib\site-packages\jnpr\junos\factory\cmdtable.py", line 18, in <module> from ntc_templates import parse as ntc_parse File "C:\Users\<REMOVED>\PycharmProjects\test_project\venv\lib\site-packages\ntc_templates\parse.py", line 7, in <module> import clitable ModuleNotFoundError: No module named 'clitable' Process finished with exit code 1 Hi, i'm getting these errors above while attempting to load a script i've done, here is the script below:
driver = napalm.get_network_driver("ios") ssh_napalm = driver( hostname="10.1.1.1", username="admin", password="pass", optional_args={"secret": "pass123"} ) ssh_napalm.open() output = ssh_napalm.cli("show ip int bri") print(output) ssh_napalm.close() It's only a small one so i can start getting my hands dirty with napalm that's all
Hello everyone!
I'm currently on my first new server/rack deployment and I'm having some trouble. I'm trying to track down a budget friendly switch that has at least 4 10G and is stackable. I thought I had hit gold with a SG350X from Cisco only to realize the site I was looking at incorrectly listed the 48 ports as 10GBase-T when in actuality they were 1G :(
The problem I'm having (especially with cisco) is finding switches that are current. It feels like every time I find a model even on their site the switches are End of Sale and only a couple years away from end of service.
Is there any good 3rd party site to input the specs you are looking for that will output relevant models? Most Vendor and 3rd party site are meh, CDW's is pretty good but they are the ones who inaccurately listed the port specs so i'm kind of gun shy.
Or if anyone happens to know of a good solution for us that'd be welcome as well. We are trying to stay in the $1500 and under range as we are a non-profit organization, and are trying to put as much money as possible into our hypervisors. We have a demand for 40 ports (between both switches total) if they are non stacking switches and 38 ports if they are stacking. It's not a super demanding case so Forwarding rate and such do not need to be super high. Also need capability to create LAG groups
24 ports+ we’re going to have 36 connections going into the switches.
We do not need PoE
We are looking for the switches to be stackable
And preferably have 4 ports capable of 10Gig connection on each switch.
Preferably around the same price point (under 1300 per switch if at all possible including trancievers)
Hello. I searched this subreddit before posting but couldn't find my answer.
Currently there's no IT in the company, I just happen to have some ok knowledge with computers in general and trying to figure out the situation.
Usually, we have one PC at work where everyone (8 other PC) connect to access Excel files. If I have the Excel file open on my PC and another person try to access the file, Excel will tell them the file is being accessed on another PC at the moment.
Is it possible to connect my home PC to that LAN so that I can keep working the same way? The office PC is connected to the net.
Remote Access software is not a solution given that up to 8 people could try to connect to that PC at once.
I don't know either what exactly I need to search for. I would really appreciate some help.
This doesn't seem to make any sense to me, if you've got an AP capable of 300/800mbps Wi-Fi why would you stick a 100mbps port for uplink back to the switch?
We currently have two sites (each site has a HPE 8212zl J9091A) that are link to each other via a microwave link. Each site has an MPLS layer 2 link to our ISP where out firewall (Smoothwall) is located. Currently the two sites use OSPF between each other over the microwave link while the Smoothwall has static routes (only supports static or RIP) to the VLAN's on each site.
We would like to add a third layer 3 device (well fourth) that supports OSPF at our ISP colo so that we can have dynamic routes between our sites not only over the microwave link but also over the MPLS link between each site and the ISP colo.
We are looking at the JL693A and JL258A 2930f as this supports OSPF which we are currently using on our HPE 8212zl J9091A but the spec sheet lists it as "Access OSPF routing". Doing some searching I found this and for the most part everything that "Access OSPF routing" supports suits our limited needs.
Can anyone see any reason that the 2930f series would not be suitable for our needs? I am not sure what " Maximum of 8 OSPF interfaces supported for each OSPFv2 and OSPFv3" actually impacts, is this likely to be a problem for a fairly simple network? Is there something else we should consider? We currently use HPE/Aruba and have been very happy with them so would like to stay within the HPE/Aruba Procurve ecosystem.
Hi there, i work in theatrical lighting and in the time of covid im trying to set something up so both me and a partner can view the same instance of our program, EOS nomad, remotely over the internet.
Basically, eos can connect two different instances of the same program and keep them in sync as long as they're within the same subnet mask to each other. In theatre we use, say, 10.0.0.1 and 10.0.0.10 to connect these different instances, but they're over the same network or more likely physically connected over CAT5. I need to emulate this over wifi somehow with people hundreds of miles apart ... And i have no idea where to begin.
Any advice even where to start researching would be really appreciated! Thanks y'all!
So, I work for an MSP, who has a customer that uses charter as a secondary connection for 100+ locations through some type of broker, not sure of the deal.. We've been experiencing packet loss on a few of these connections ranging from 5-10%, and opened tickets on a couple of the more problematic ones where i saw what looked like layer 1 issues on the cable line. I got a surprising reply where they asked me to not access their "configuration" page (192.168.100.1) in the future.. Mind that it's a completely non password protected page that doesn't allow you to change anything.. I plan on going down the malicious compliance route and opening tickets on every minor blip I see asking then to check the line, but just wondering, is this a normal support response or is this broker just not wantIng to deal with us and figures if I can't see errors on the line, I won't bother them. My understanding was that the status page was there for the customer to check things before they went to support..
These are all fairly rural/small town locations, and in 7 days, I've seen interfaces bounce 92 times at 26 locations.. My opinion is that cable modems are inherently unstable (im a DC guy where if we see issues more than once every 6 months, I'm calling my AM to see what is going on).. and this is just how they act, but definitely interested in some professional opinions with more experience in branch type locations.
Hi.
I'm in the market for an NAC solution for a simple network setup.
Here's the overview:
- Flat network/subnet. Cannot be changed at this time.
- Switches are not capable for utilizing VLANs. Switches cannot be changed out at this time.
- DHCP Server is Windows-based.
Here is what we are hoping to achieve:
- Prevent unauthorized devices from getting accessing the network (essentially, no DHCP for unauthorized devices)
- Should work for both wired and wireless devices
- Allow connectivity for devices pre-registered by MAC address (aware that MAC addresses can be spoofed)
- Allow for BYOD with sign-in portal based on Active Directory login credentials
Currently looking at Aruba Clearpass, but unsure if possible to implement this on a flat network, unless the Clearpass (or another NAC solution) was capable of intercepting DHCP requests and forwarding them to the DHCP server once they were authenticated.
Hi,
I have two fibre links with two seperate /29 networks reserved for them. I have to setup BGP across both links. However, i have Cisco ASAs in Active/Standby setup. Fibres are terminated on Juniper switch and then that juniper switch have one physcial fibre each to Active and Standby ASA. How can I setup both BGP sessions on Active ASA in the event when Active ASA fails both will be established on the standby.
Say I am in a densely populated area, is it better to provide LTE service using large area macrocells or smaller cell sizes?
Hey guys. I got something I'd like to get running but not sure the correct path.
I use a capture one pro for work and am looking for a way to set up a remote web server.
In capture one, a photo editing and teathering program. There is an option to set up a web server so someone on the same network can view the images that are coming in as someone shoots into the program.
I would like someone who is not on set to be able to access the webserver remotely.
What is the best way to achieve this. VPN?
Basically I would like a secure way to access a remote server.
Without! Having to have admin access to the routers/switches/dashboard... On either side of the connection
Thanks!
I work at an MSP in California that focuses on setting up office networks and WiFi, over time we're expanded our services to help our customers choose an ISP for their office. We handle all the quoting and comparison of options and then have our customer sign with the ISP that makes the most compelling offer. After signing we handle project managing the installation of the connection, riser work, and then support the customer through any issues they may have over the life of the connection. Our customers love the service but our costs to provide it are scaling as our volume grows. We're looking to offset those costs by generating revenue either by transitioning to buying connectivity wholesale and reselling, or signing on with a master agent to earn residuals.
Enough ISPs in our market have agreed to let us wholesale that we can pursue that route, but we take on more risk financial holding those contracts in our name. The master agent route reduces our financial exposure but I'm not the most excited about introducing another party into the mix with our customer, the ISP and ourselves.
Has anyone made this decision before and have some feedback to share? Any veterans of the telco channel or agent game care to chime in?
One of the questions we've been trying to understand is if being successful as a subagent and driving a good volume of contracts will help help us get access to some of the better wholesale programs in the future if we decided switch to wholesale.
How many hops could a ping take using default routes? If I have 4 routers A through D, each with a default route pointed to the next; could a ping from A make it all the way to D? My thinking is that it should because it doesn't know where the ping wants to go but it knows to forward it to the next hop. I know there are IGPs and and BGP for more complex and specific routing.
It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.
There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!
Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.
Hello all,
I am having a weird issue that i am trying to fix for a couple of days.
Here goes:
My /23 subnet [1 Mikrotik Router(ccr1036)] [My Own Public AS ] ------ BGP ------- PROVIDER 1
------ BGP ------- PROVIDER 2
If i announce my network /23 to both providers some of my websites hosted on ip's from my /23 network wont load when accessing them via the browser (chrome,firefox).
The very weird thing is that traceroute, ping, telnet(80,443) works to the websites /23 ip's or fqdn but sites wont load in the browser.
If i announce my /23 to only 1 (either of them) of the providers everything works well and all my websites loads correctly.
If anyone can give me a hint will me much appreciated.
Tnx.
Hi everyone
We are a large healthcare facility. Our IT engineers demands to use personal laptops to access servers while they are inside the premises. So how do you handle BYOD on your network to meet such requirements securely.
We have Cisco Wireless deployment and now we are planning for Cisco ISE with BYOD and Device Posture compliance.
Any thoughts and suggestions ? How do you manage ?
I have a Verizon router that has a wired connection though the walls to a room where I have a netgear router setup as an access point. HTTP traffic works fine wirelessly and wired through that netgear router. However, I can't ssh to a remote server that way. But if I connect to the wired connection directly through the Verizon router, I can SSH out.
When it doesn't work, I get this after about 30 seconds
packet_write_wait: Connection to <IP> port 22: Broken pipe
The admin settings don't allow much. I have ACL turned off which is the default. Is it happening because it's an access point? I want the verizon router to hand out the IP's which is why I have it setup like this.
I have fully functional cisco Anyconnect VPN running on Cisco ASA5585-X and today i got requirement that there are some remote public sites we need to whitelist our VPN public IP to access them over VPN, so anyone over cisco anyconnect can access those remote sites.
my remote sites address is 222.222.222.222 and they have whitelisted my VPN outside interface IP 111.111.111.111 (which i am trying to access using anyconnect client from my home)
Cisco ASA version is asa964
same-security-traffic permit inter-interface same-security-traffic permit intra-interface ! ip local pool ANYCONNECT-VPN-POOL 10.5.250.10-10.5.250.254 mask 255.255.255.0 ! object-group network obj-NET-PRIVATE network-object 10.0.0.0 255.0.0.0 ! object network obj-ANYCONNECT-VPN-SUBNET subnet 10.5.250.0 255.255.255.0 ! group-policy GroupPolicy_ANYCONNECT-FOO internal group-policy GroupPolicy_ANYCONNECT-FOO attributes dns-server value 10.10.0.10 10.10.0.11 vpn-tunnel-protocol ssl-client split-tunnel-policy tunnelspecified split-tunnel-network-list value ANYCONNECT-ROUTES-FOO default-domain value foo.com ! access-list ANYCONNECT-ROUTES-FOO standard permit 10.0.0.0 255.0.0.0 access-list ANYCONNECT-ROUTES-FOO standard permit host 222.222.222.222 ! nat (any,outside) source static any any destination static obj-ANYCONNECT-VPN-SUBNET obj-ANYCONNECT-VPN-SUBNET no-proxy-arp route-lookup ! nat (any,outside) after-auto source dynamic obj-NET-PRIVATE interface What i am missing here, i can see 222.222.222.222 route getting injected to vpn client but i can't ping or access that ip.
Curious what best practices for installing a network into a medical office is, also curious where to find the exact code that covers this. I search local low voltage and fire code, we seem limited vs other states. So what are the best practices concerning EMT and Grounded ethernet at each workstation?
3 chair dental office, will have wall mounted stations, phones, cameras, data for equipment throughout the office.
On j-net forums there are unresolved topics both old from 2016 and new from last month about the newer jdhcp daemon config not supporting dhcp attribute settings in static bindings. For example, you can not tell a specific host to use a specific boot server or a different name-server, etc.. Only the host name and IP can be specified for a specific host. You can only specify other dhcp attributes for the entire pool.
That seems like a core feature of a dhcp server and I am trying to figure out what to make of it not being addressed by juniper in over 4 years.
In general, neither SRX dhcp implementation seems very complete and issues brought up on j-net are not addressed by juniper. The operational commands to monitor the leases/bindings are not very robust. You can not tell if a lease is a associated with a static binding. The newer jdhcp daemon does not support listing the static bindings at all until a client obtains a lease against it!
Do you think that most people that use SRX as a gateway use something else as the DHCP server? I am going against the grain by expecting an SRX to be a good DHCP server?
--BobG
If we consider a video of 720p, with the resolution we should have a total of 1280x720 pixels and each pixel should be an RGB value, and considering a frame rate of 30fps, we need a data transfer rate of 79.1MBps. Obviously, there is something wrong with this calculation. So can you point out where I am going wrong?
I plan to implement a small display and audio mirroring device and I realize that I need to get past this problem first to implement it. A detailed explanation in terms of protocol or algorithm will be appreciated. Thanks in advance
Edit: I understand there must be some sort of compression in place, so can you pinpoint the exact compression being used
Looking at one of these 4 in 1 NIC cards:
Does something like this support full 1 gigabit throughput at the same time?
Background info: I'm not an experienced windows server admin but know how to setup vlans on firewalls that run there own DHCP.
situation: i need to setup vlans in my new company since everything is on the same network. i want to setup 4 different vlans but they have a DHCP server that has one address pool which is a /22. so any device recieves a dhcp address from that pool. the vlans will have a /24 subnet.
Question: do i need to setup an address pool for each vlan on the DHCP server? if the vlans have a different subnet then the one currently setup, will i have to manually change all static ip's subnet mask?
Thanks: any information is helpful!
Hey everyone,
Currently doing a complete infrastructure overhaul for a small school. All of their switches, servers, AP's, etc. are getting pulled and replaced with brand new Aruba gear (access points, switches).
I'm curious if anyone knows of any enclosures for Aruba 303 Access points? They often have gym class indoors (kickball comes to mind), and the last thing I want is for some kid to yeet a ball right into the access point.
Much appreciated.
Hi there,
I can connect via VPN to a mapped drive using this procedure:
start and login to the VPN
Enter drive address
Login to my network space
(work)
Disconnect drive
Disconnect VPN
Now if I "forget" to disconnect the mapped drive in windows and close the VPN...whenever I try to save something, my computer will hang/slowdown because it's (I assume) looking for the "mapped drive" for like 10 sec or so. Just trying to disconnect the "mapped drive" also takes 10 s.
Is there a way to avoid this ?
Hi guys, for educational purposes I decide to implement a DNS server. I now encounter the problem of what should I do when the response for the query is larger than 64kb. DNS fragmentation is limited to ~4kb and DNS truncation (over TCP) is limited to 64kb.
How can a DNS server respond with an answer larger than 64kb?
Thanks :)
We have this extremely weird issue, one of our customers have a payment terminal (People put in their cards and pay). Its a very simple unit, its connected via RJ11 (in the terminal) to RJ45 into a switch, all it needs to work is internet, simple enough. Its configured with static IP (DHCP does not make it establish a link)
The problem is that its randomly stops working, and the issue is that the link to the switch goes down, i can move the terminal to ANY other port and nothing happens, if i plug in a PC in the same port it works instantly. Its almost as if the MAC is banned or something, but the switch is a very old HP and have no such feature that i know of.
Ive tried turning off STP and all other features on one port but i cant get it to establish a link, there is nothing in the logs (Because the switch is so old) that says anything about the port. Now for something even more weird, we get a new payment terminal sent to us because the old one wont establish a link to the switch, connect the new one and it works instantly (Probably because it has a new MAC), all is good for about a month and it stops working again.
I take the payment terminal, plug it into our switch at the office and it works instantly, take it back to the customer and it wont establish a link. I then take a dumb non-manageble HP switch not connected to anything, plug the terminal in and it works, take the cable out and put it back in a few times, and then the ports stop working one after one until i get to the 4th port, this one seem to work all the time.
I take this new small switch, plug it into the big switch, then the terminal into the small switch and it works... Until now, now no ports work in the small switch with this terminal, i can plug a PC into any of the ports and it works instantly..
What on earth could this be?
Hi everybody My name Yacine, i'm 32 and a father of two, i live in Paris suburbs area, France.
I have been a supply chain manager and a teacher for most of my career, but now i really want to change path for numerous reasons.
I've been interested in networking recently and read a lot of articles/watched videos about it. I understand that networking is demanding learning wise and that i will have to put the hours in to get good at my job, get my certifications and stay sharp with my skills my whole career.
My plan is to do a one year school training starting in September which will give me a professional title of "network and system administrator". Then get into the market and keep studying until i make it to engineer.
My questions are the following :
1- after you get an engineer position, how many hours a week do you have to study/tinker on average? I'm ok into puting 2/3 hours of technology watch every weekend to keep up with the industry. Would it be enough ?
2- is the work/life balance good ? I have some health problems (neurological/auto immune condition) and need time to take care of my health. If the job is 60+ hours a week each week AND stressful i will not be able to stay consistent on the long term i think.
Thanks a lot for your responses !
Hi, I'm trying to understand more about Diffie-Hellman Groups and which I should use or avoid.
At work we use Cisco ASA which supports 14, 19, 20, 21 and 24 (leaving 1-5 which I should avoid as far as I am aware of).
So far I've learned that I should also avoid 24.
Now we try to set up a tunnel with AWS but they only support 14, 15, 16, 17, 18, 22, 23, 24.
It seems as if besides 14 and 24 there's no value I can choose from. But is there a reason I should use these other groups that AWS offers? Are they more secure?
Can anyone offer a good source for knowledge on this topic? I've tried google a lot but so far I got more questions.
Thank you :-)
Hello, I am trying to host a minecraft server, I open ports on my router, I allow access in my firewall but the ports don't open. Any ideas?
Stupid question about Spanning tree per vlan: Couple of Nexus7k ( first is root bridge for vlan 10 and the other is secondary root Bridge)
In vPC there is connect a couple of Nexus5k
Each N5k has a single link to a switch in access on vlan 10
So loop could occur cause vlan 10 is between the N5k and down to the other switch.
Where vlan 10 will be block by spt? I think one down to the switch
I have a 5th generation 3TB Time Capsule (A1470), which I use as my primary router and also as my one and only network drive. I have slowly started running out of space, which has prompted me to start considering whether to:
My top priority when deciding is the speed wherewith I can read and write from and to the network hard drive. For example, I wanna be able to play 4k and 5k video seamlessly from the network drive. I am no expert when it comes to these things but I have read somewhere that when 2 or more hard drives are connected in RAID, the speed is much higher than one would get from a single hard drive.
I would appreciate any reasonable advice. Thank you in advance!
I was just thinking about this the other day. It seems like in legacy architecture, everything is behind a VPN/firewall and mostly contained within the corporate network / corporate physical hardware. So all the traffic isn’t actually hitting the internet.
As we transition to the cloud there is less reliance on servers on prem and now all in the cloud. As more and more business move to the cloud that is really moving more and more traffic over the public internet.
Especially during this time I’ve seen very inconsistent network results from my ISP (Ookla, iPERF, etc.) theoretically, do you guys think the current internet infrastructure could support all businesses really starting to use the cloud or do you think business and home ISP providers can’t handle this sort of massive increase in demand?
My understanding of MPLS LDP is that it allocates a label per destination prefix in the FIB. So, If I advertise the global internet table between routers connecting over LDP enabled interfaces, will I exceed a label limit or set fire to my router?
Some context; I have several routers iBGP peering with each other, enabled for the IPv4 and VPNv4 address families. The global table on these routers connects to the internet, learns a default route which is redistributed, all happy. There are several MPLS VRFs, VPNv4 routes being exchanged successfully, also happy. Several (virtual) devices act as gateways to their respective MPLS networks, eBGP peering with both their VRF and the global table - no issues.
Now rather than just a default route, I need to start ingesting the full internet table and redistributing it into my iBGP. My concern is that my router will try to allocate a label for every single global destination prefix, and exceed some capacity. I'm doing some reading on LDP merging but it sounds like it's only relevant for P routers.
So what's the solution? And if any of my understanding is incorrect please let me know. - Run MPLS VPNs and Internet tables on different hardware? - Different iBGP peering(s) for IPv4 and VPNv4, and keep IPv4 off LDP interfaces? - Run the internet table in it's own VRF so there are many fewer outer MPLS labels? Not even sure if this would work because there's still the inner label? - Maybe iBGP next-hop-self reduces the transport labels down to one per router?
What are some good resources to learn about Direct Sequence Spread Spectrum block diagram for transmitter and reciever? Explanations will be helpful obviously
I just bought Mikrotik's 4 port 10g switch for about $150. So far, I'm blown away by how many features this thing packs into a small and high performance chassis. I can't get over how inexpensive this thing was.
Am I missing something? Are these things horrifically insecure? Does it come with Chinese malware?
Hello all. I'm reaching out to see if anyone can help as I'm stuck.
I have inherited a small network in an office building which provides an internet connection for a Mitel PBX and a handful of Mitel VOIP phones. This network used to have a household Netgear router at its core and I have now upgraded to a Netgate SG-5100 running pfSense.
The issue I'm struggling with is that due to people working remotely we have the need for a few of these Mitel phones to work from the users' homes. This was functioning fine using the Netgear router configured by the previous IT admins but I'm having trouble with TFTP and pfSense.
I have gone as far as configuring a 1 to 1 NAT from a public IP to the PBX and allowing any and all traffic but the phones still fail to provision via TFTP. I have also enabled the "TFTP Proxy" available in pfSense on all cominations of the interfaces but I still cant get it to work.
If anyone has any ideas I would really appreciate the input.
Thanks.
I am a new and the only IT/Sys Admin person for my small company in a small rural town. We upgraded to fiber and in doing that had to switch to the other ISP provider in our area. The fiber hardware and circuit are installed and tested and we have the new IP block and subsequent network information. My question is, our current copper circuit is connected to our switch. We were given a hand off port on the new fiber modem, but I am not sure what to do with this, or how to connect the new fiber connection to our existing switch (hardware wise). We have a firewall and all other necessary hardware that is managed by vendors, I just need to figure out the physical switching of the patch cables to enable the fiber connection... Any help is appreciated.
We do have a media convert fiber to copper on our new fiber modem to allow us to use our current hardware.
Thanks!
Was wondering if you guys have any experience with Gigamon or Netscout? Or actually any "on the wire" TAP vendor dedicated to pure packet capture. I have used OPNET(now Riverbed ARX..was ok). It was only fed by SPAN though. Not against SPAN at all. Used it a lot over the years, but I want to look at a TAP with some SPAN type solution. Trying to look at different architectures. Anyway was just curious what folks here use.
I was just wondering, how long would we have internet on this planet, assuming some catastrophe (like a pandemic) prevents all maintenance for servers around the world?
Hello. I just tried to do my first lab from gns3. I got specified image and imported it as an .bin file (without decompressing it) but I still get The image xxxxxxxxxxx.bin is missing
Any solution?
And are there any other places similar to GNS3 vault?
Hi,
to begin with: I originally posted this in r/HomeNetworking but didn't get a single reply. I guess this was too advanced for them. I'm usually the guy that answers posts there but this is even for me too new.
I currently have 3 sites (connected via NanoStations), one EdgeRouter 4, and a bunch of VLANS. This ER4 is the single point for inter-VLAN-routing and internet access. I want to connect another Family and their business to our network so we can share internal traffic but their private/business traffic uses their ISP and not ours.
I have a good knowledge about VLAN and firewall rules but only basic knowledge about NAT rules and no L3 and static routing knowledge. I fear that I need to use the latter for this project though. I am an IT-Student and worked a little bit as a 2nd level support for MS networks but got laid off until covid disappears. I have very good computer knowledge and networking is my hobby. My "home lab" is my running config though so I can only do stuff in the night but I'm kinda nocturnal anyway.
(just to be clear, we're the same family, but operate different businesses. We get along but don't want to share everything)I belong to Family 1, so if you find words like "us, me, our" then they refer to Family 1."their" is Family 2.
Here's a simplified network diagram of the network: https://imgur.com/a/rkgwr2aThere's also a description on the picture which I have written before I wrote this post. Some information may be new but I try to include everything in more details here. The diagram does not depict every single device. Only network devices and important ones for this project.
If you believe I should clarify some points then please say so. I hope I haven't forgotten anything.
Mandatory: English is not my native language, you know how it works...
I will answer all questions. I know how hard it is to follow the description of a network that is not yours. If something is unclear, please let me know.
Thanks for reading this and hopefully I get some constructive ideas/solutions from you guys.