When configure trunk ports on a switch. Are you configuring trunks on the ports that the SFP go in? ideally the Fiber connections carrying the VLAN traffic. OR are you configuring trunks on say a regular port ex: Fa0/1 and connecting it to fa0/1 on the second switch to carry VLAN traffic.
OR
Can you do both in a sense creating redundancy?
I saw an interesting spike in traffic today, it maxed out around 15gbps then fell off back to normal (6-10gbps) after about 30 minutes... The interesting part is I see the spike on our data vlans that go to customers (layer3 internet traffic) but I also see the spike on some of our other vlans that shouldn't be inside the same broadcast domain (different vlans) AND shouldn't be affected by internet traffic spikes or ddos (because they are on a different vlan, different VRF, and have private ip's with no routes going to or dumping into the customer public ip space.. The question is how in the hell do you find the cause? I've got netflow going to an elastiflow stack, i've got librenms polling everything I can and syslogs going to nms etc (a lot of that I still have to review, if I find it i'll just reply "found it" without giving any further details on here.../s LOL)
Right now we have a core cisco 6500, and connected through our plant is 20 IE4010 switches. There are 2 switches in each cabinet. Total of 10 cabinets. They are connected via Gig interfaces and forms a ring from our core.
Surely it would be easier to get rid of the 6500 or even change this from a layer 2 to layer 3 networking solution? Any vendor ideas or best way to go about this?
Should i do L3 routing from our core and have routers replaced in each cabinet?
I just started working for a major enterprise in northern Washington, and when it comes to networking, I am what you would call "wet behind the ears." We are experiencing some weird latency/timeouts/packet loss from our edge router to the first hop to the ISP which shows up as a 10.x.x.x.... I know that 10.0.0.0/8 is a class A non-routable subnet, so how is it that the ISP can have that private IP scheme on the internet?
We run 802.1x on a single SSID and supplicants can auth using EAP-PEAP (password) from their mobile devices since its close to impossible to install certificates on guest devices. We are running into a counter-intuitive problem that requires users to bypass the “untrusted” certificate from our Cert Authority during the first time they have joined the SSID. This causes confusion because nowadays even the most casual users know to not accept untrusted certs.
We have tried to work through this but have reached the conclusion from various sources that devices don’t validate the certificate provided by 802.1x against the pre-installed directory of public root certificates. This means the only way to get rid of the untrusted certificate error is to deploy another convoluted onboarding system to install certificates. The onboarding system is more hassle than its worth so we end up having to tell users to ignore the warning.
Please tell me I’m missing something or this is going to change. This just seems moving backwards and bad for the industry in general especially trying to get users to practice good infosec.
Hello All,
I'm having some trouble with a Cisco 829 that I'm trying to get a cellular data connection. I can see the connection looks good to T-mobile, but I'm not getting an IP address. I can send SMS from my router to my other phones, proving that connection is there.
It's just that I'm not getting an IP address and I can't identify what I'm missing on the configs for my device.
https://github.com/Blackbird242010/C829-Config // Various outputs attached to provide insight.
TL/DR: Currently setting up a Cisco 829, trying to connect over T-Mobile's network and currently unable to get any data access only sms in a limited function.
Fiber to the home, Alcatel modem.
Internet passes from modem to rj45/Ethernet directly to pc. Passes 990+mbps
Connect to old router and it works like it’s is supposed to.
Just purchased tp-link ax1800 and it will not connect!!!
INET light solid orange.
to-link Does pull an IP address I’ve tried, default MAC, cloning my laptop while using web interface, and even custom entering my other working routers MAC
DNS is 8.8.8.8 and 8.8.4.4
I have taken the modem down and disconnected the battery back up, let it reset and still nothing.
I have no idea what I’m missing?!?!
Unless my ISP needs to reset my circuit and allow a new device?
(Fun fact I work for my ISP but on copper DSL side!)
So I'm just here for some help The modem is a SB6121 which four of my friends are using right now with Xfinity. I'm only going for 50Mbps down so it's not like it couldn't handle the speeds. I know it'll most likely be pointless to try to argue with them but I'm just annoyed they're like buy a new one or rent ours.
I have a client who fired a vendor who has begun the ClearPass (Aruba/HPE) implementation. They would like me to review the configuration and possibly complete it. From what I'm seeing, the push is towards HPE professional services rather than providing documentation.
Any guidance on this product would be helpful.
So I have spent a lot of time trying to fix this but I cannot figure out the issue.
So I have tried setting an USG Pro 4 up with Static IP. I have a remote Unifi Controller.
So first of all I discovered an issue with the USG not working with the ISPs DNS. So I tried changing the DNS with echo "nameserver 8.8.8.8" > /etc/resolv.conf this worked but only sometimes. During some resets the USG just would not take the DNS. But anyway that worked I could Adopt the router.
But then the IP issues started so the device would get my Static IP, Subnet ask but it would not save my Gateway. I cannot find any information about setting an static IP with ssh.
After several attempts, multiple resets. Random SSH commands I could not get nothing would work.
The only time I could get the router to connect with the controller was when I used DHCP with Google DNS over 4G...
Why does the USG Pro 4 not save my IP config??
Hello,
I'm on my 4th grade in my engineering circle this year, the 1st year was just overall basics, 2nd and 3rd I had decided to focus more on the Dev side (Web, mobile mostly), but after a few internships and some external work I decided that I liked Networking best.
Now since we have an upcoming internship, I wanted to go back to the basics quicky (last time I learned through CCNA).
Is there anything recommended for me? I want to go through the basics of networking again and learn more about security, should I stick to CCNA or is there anything else (I also watch some youtube videos to learn more about hardware, for exemple layer 3 switches and so on).
Thank you for your help and have a nice day
Hi, I am fairly new to networking. I am trying to set up 802.1x authentication with dACLs on GNS3. In other words, the ACLs must be received from the RADIUS server.
I have tried Cisco (vIOS L2) and CumulusVX, however they do not seem to support dACLs. Does anyone know if there is a GNS3 appliance that supports this feature?
Hi, We have Ruckus Wireless with CloudPath onboarding system. We have 100 user licenses but the system now has 110 users. Going through the CloudPath admin dashboard there are about 25 users who doesnt work with us. How can I delete these users to free up the licenses ?
There is a Data Cleanup option under Administration, however this option doesn't remove the inactive users. I have tried "Revoke All Enrolments" for the inactive users but that doesnt remove the user.
Any help on this will be much appreciated, thank you.
I've heard from multiple people that EVE-NG is like the best network emulation application of all and I tried to install it but I am stuck with the network connectivity and I was wondering if someone can help me out.
Network Topology (up-to-down)
So here is how it is implemented at the moment:
Internet > Laptop > Vmware 192.168.56.1/24> DG .2 > EVE-NG 192.168.56.227
Config EVE-NG
VM Network AdapterNAT + Connected + Connected at power on
Troubleshooting
It seems there is a routing issue between my laptop network and the vm network environment. Any idea to solve this?
I have an option between these two modems. I am after USB 3 which they both have, to use as a NAS. Which one should I get for VDSL Internet?
I have this topology & configs on below link.
https://i.imgur.com/31lUxNQ.png
vPC is up and ospf neighborship between both vPC switches are up. But i am not able to from ospf neighborship between asa & vPC. I troubleshoot a lot but unable to get this working. Could someone pls look and suggest. Thanks
NX-S1# sh ip ospf nei
OSPF Process ID ASA VRF default
Total number of neighbors: 1
Neighbor ID Pri State Up Time Address Interface
1.1.1.21 FULL/DR 00:43:12 10.1.1.2Vlan48
NX-S2# sh ip ospf nei
OSPF Process ID ASA VRF default
Total number of neighbors: 1
Neighbor ID Pri State Up Time Address Interface
1.1.1.11 FULL/BDR 00:43:33 10.1.1.1Vlan48
ciscoasa# sh ospf nei
ciscoasa#
NX-S1# sh run vpc
!Command: show running-config vpc
!Running configuration last done at: Sat Sep 5 06:23:21 2020
!Time: Sat Sep 5 07:09:03 2020
version 9.3(4) Bios:version
feature vpc
vpc domain 1
role priority 1
peer-keepalive destination 1.1.1.2 source 1.1.1.1 vrf peer-keepalive
peer-gateway
interface port-channel1
vpc peer-link
interface port-channel48
vpc 48
(Same vpc config on NX-S2)
I want to use it as a standalone WiFi router.
My university dorm room only gives me an ethernet port to access the Internet.
They have given me info for IPv4 configuration and proxy settings.
So I want to connect one of these to the ethernet port.
I found ads on craigs list and they are both on same price range (used).
Any recommendations?
From this design guide:
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/routed-ex.html#wp998203
“Of these, perhaps the most significant is the improvement in network convergence times possible when using a routed access design configured with EIGRP or OSPF as the routing protocol. Comparing the convergence times for an optimal Layer 2 access design (either with a spanning tree loop or without a loop) against that of the Layer 3 access design, you can obtain a four-fold improvement in convergence times, from 800-900msec for the Layer 2 design to less than 200 msec for the Layer 3 access. (See Figure 4.)”
In RSTP (802.1w) access networks Ive commissioned in the past, i have solid evidence demonstrating sub 30ms convergence times in most cases both for link and switch failures. Am I crazy? Is OSPF/BGP really faster? Even with BFD you usually dont get below 150ms, right? Anyone have a verifiable white paper on the topic comparing the two?
Hello Sysadmins!
I need your help with respect to Fortigate firewall, although I personally dont use Fortigate. So I have no clue.
I have a client who uses Fortigate firewall (He has not disclosed the model number but I believe information below should be sufficient).
I provide them squid proxy server which uses Fortigate as its gateway.
Here is a scenario:
The client has many office branches which use my squid proxy as a centralized proxy.
Everything works fine when we put just 2-3 branches on proxy. Fortigate firewall does not seem to be dropping packets. Ping response shows no packet drops.
The problem starts when we put all branch traffic on proxy, which in turn goes to Fortigate firewall, the Fortigate firewall starts dropping packets. (ping to 8.8.8.8 shows 50% packet loss).
Wireshark packet monitor on proxy shows that ping request is going out but only 50% ping response coming back in from Fortigate gateway.
When the packet drop issue occurs then their other IPs are able to ping fine i.e. other IPs can ping 8.8.8.8 just fine. So based on this my client puts blame on proxy that its my proxy server's issue, that other IPs can ping 8.8.8.8 but not proxy server.
The proxy server logs are not showing any burden on proxy. So I believe that somewhere Fortigate blocks too much traffic coming from proxy and starts dropping packets from proxy server by considering it as somekind of attack.
Can you please tell me what settings need to be done or checked on Fortigate, so that Fortigate doesn't drop packets from proxy server?
OR can it be that Fortigate is simply not able to handle too much traffic? How to find this?
I will be very grateful to you all for replies and help.
Thank you
PS: I do not have access to that Fortigate. So please give detailed answer or proper links. Which I can pass on to the client.
Thank you!
I'm sorry if this isn't the right place to ask this but a question popped into my head today that I can't find the answer for. I was streaming twitch on my phone and started browsing reddit at the same time on the same device. When I did this the twitch stream started buffering. Do phones and other internet-using devices have a limited amount of data that they can use at once? I know it isn't my wifi because I wasn't using anywhere near enough data to slow down my internet. I'm really just curious because I can't find any information on Google.
Chromecasts and Enterprise Network with Aruba Wireless at Higher Ed
Higher ed university and we have an issue where we have Aruba controllers with 4 in a cluster and mobility master on 8.5.0.3 code. We use clearpass and have airgroups on for registered devices. The issue I’m seeing is that users on our Media ssid with both their phone and the Google Home app are able to see a million other chromecasts on the network and often times not their own. I don’t recall this being the case prior years and it’s a problem. Does anyone know what would limit this from happening in the controller or did something change with Chromecasts?
All users on a /16 subnet and no major acls as it’s a walled off part of our network. Airgroups is one with all features utilized on the controller.
I’m a radar maintenance guy who deals with modems from time to time. So apologies for what little knowledge I actually have.
I have modems that are running communications through a 66 block to a telephone company circuit then on to a remote unit in the field. My equipment recently took a lightning strike which ran through the 66 block, to my RJ45, and then ultimately to my equipment modem and fried it. I need to add lightning protection so this doesn’t happen again. Is there a standard voltage/current modems use to push the signals through on lines they’re connected to? I currently have 7.5v 350 milliamp lightning protection to install, but I’m not sure if this is the proper rating for these types of lines. Is there a universal standard or is it depending upon the modems manufacturer?
I hope this is the right sub for this. If not, no worries. Thanks for the help.
Hey guys. Me and the MRS were staying in a hotel and I was explaining to her what a man in the middle attack was and what the untrusted TLS/SSL certificate notice is in Firefox. I was explaining how she’s accepting the risk of someone getting her credentials when she accepts that untrusted certificate. This is when she asked if her Instagram app would notify her if it used untrusted certificates. Can anyone make me look good in front of her and give me an actual answer? Thanks in advance lol.
So here’s my question not to sure if anyone can help but I figured I’d give it a shot. I’m running a home server for a game (specifically Minecraft) and before handing out my ip I’d like to setup a proxy that port forwards 25565 to my ip. I have no clue how to do this and when I went to amazons aws and made a ec2 I wasn’t able to edit some file with linux’s nano command (this was supposed to make the server listen to that port on said ip) anyway I’m just lost and trying to see if anyone has any ideas. Sorry if this is the wrong subreddit lol.
I work for a processing plant, and everything is segmented on l2. The problem is there are a lot of devices connected and barely any documentation.
Are there any programs that can help identify these devices or how I can map this out easier? Right now I'm just looking at the mac address table.
I am responsible for drawing out the end devices and am overwhelmed. Anyone got any tips/suggestions
I'm consulting for a big company where they renewed all their equipment (bladesystem and 3par) with new HPE gear based on synergy 12000 and primera storage.
The Synergy has 4 mellanox SH2200 switches with 40/100gb uplinks but they are turning out to be a nightmare for connecting to customer's core (RJ45 1Gb) HPE designed (In my country HPE is known for bad design ideas) HPE had to provide an Aruba switch with 4 sfp+ ports to connect the Mellanox to customer core switch, but connection has turned out to be very unreliable.
On fiber using transceivers from Mellanox and Aruba it was a no go. (No connection and link stayed down)
Using DACs with a HPE qsfp to sfp+ adapter on Mellanox side works, but sometimes after a reboot or test the links don't come up and stay down between Aruba and Mellanox. ( And only DACs from OEM tyco work, Teralux's OEM DACs just don't work)
We are hoping that a qsfp to quad sfp+ breakout cable will work better for we are not very confident on this, that's why I'm trying to investigate if we are the only ones that have trouble with Mellanox switches.
Have you ever seen anything like this?
If so, what you did to solve the problem?
Thanks.
I'm not really a networking person so sorry if this is overly simple, I'm just trying to troubleshoot an issue I've seen and trace the cause.
So I've got a PC talking to a PLC over a simple ethernet network interface. The problem I'm seeing is that occasionally response time is much slower every few requests (goes from 3ms to like 35ms). Traced it to this point and broke out wireshark and see that those long responses line up with the highlighted line, the TCP ack. 10.79 is the PLC, 10.71 is the PC.
Question: An ack like that, I'm assuming that means the receiving device (in this case the PLC) received the previous message (Job from PC) successfully? The seq number matches the ack number from the previous Job communication sent from the PC. The seq number of the following Ack_Data also matches.
Could that indicate some malformed response or problem in communication or is it more likely just the device (PLC) for some unknown reason took longer to send the Ack_Data back?
Thanks!
I have 2xHP Servers in a rack running each of their own OPNSense Virtual Machine within the 10.1.105.0/24 subnet which is a VLAN on a HP Procurve L2 switch. Idea is to have a HA Virtual Firewall on two different hypervisors that share the same local subnet.
Virtual Firewall #1 10.1.105.2
Virtual Firewall #2 10.1.105.3
Plan is to set up CARP with a virtual IP (x.x.x.1), but first I want to make sure I can reach the GUI on each of them through my VPN network (10.1.137.0/24) and avoid those damn trips to the DC. VPN is only configured on #2 right now. When connected through VPN #2 is pingable, but not #1.
Traceroute from my VPN client towards 10.1.105.3 hops directly to 10.1.105.3 with success
Traceroute from my VPN client towards 10.1.105.2 hops through 10.1.137.1 and fails to hop further
If I connect a VM or a rack cart on the VLAN with 10.1.105.123 as IP, I can reach everything. So guessing something needs to be configured differently in OPNSense (?) Any debug ideas would be awesome. Enjoy your weekend guys, and let me know if I can improve anything with this post.
# Routes on FW1 (10.1.105.1) Destination Gateway default 123.123.123.49 (WAN) 10.1.105.0/24 link#2 (LAN) 10.1.105.2 link#2 (LAN) 127.0.0.1 link#4 123.123.123.48/28 link#1 (WAN) 123.123.123.55 link#1 (WAN) # Routes on FW2 (10.1.105.3) Destination Gateway default 123.123.123.49 (WAN) 10.1.105.0/24 link#2 (LAN) 10.1.105.3 link#2 (LAN) 10.1.137.0/24 10.1.137.2 10.1.137.1 link#7 (VPN) 10.1.137.2 link#7 (VPN) 127.0.0.1 link#4 123.123.123.48/28 link#1 (WAN) 123.123.123.55 link#1 (WAN) I am currently testing switches(Cisco & HP). However, power turns off from time to time at these locations. I've been attempting to see if maybe there was a log command that allowed a user to look at when the network switch power cycled/rebooted. The closest command that I have been able to find is "uptime". But this only shows the uptime from the last boot instance.
Does anyone have a good explanation for why Azure continues to purchase Arista switches in particular (or any branded switches for that matter)? Seems logical they would follow similar practice at AWS and try to whitebox as much as possible and layer on your own internally developed OS (looks like they're doing that with Sonic?). But maybe I'm missing something and Arista has the secret sauce (more so than Cisco or Juniper) that can't just be developed internally. I assume there's less performance going at it alone but I'm sure the cost savings would offset that. Anyway, appreciate the help thinking through this!
My younger brother works for an ISP and on occasion he will get approached with side work from time to time. He recently was asked if he could help an organization setup wireless access points (Ubiquiti) to support 3 classrooms with about 60 kids. The classrooms will likely be temporary, but the organization wants help with ongoing support as they have zero IT presence at the moment. That's where I come in, I've done IT administration work for years. I have never setup an environment from scratch though, which is why I have a few questions.
So my questions are as follows:
At the minimum what would be required to provide the students with a safe and reliable internet experience? (firewall, wireless controller, etc.)
What would be the best way to monitor and manage the students internet usage?
Are there any other considerations to keep in mind when it comes to providing internet access for students?
Thank you for any suggestions.
Hey all, I'm looking around to figure out what configuration management options exist, which are good, bad, etc....
Thanks in advance!
I have a client who is outgrowing their Cisco SG-300 52P which which is handling their Layer 3 routing. Getting close to the maximum # of TCAM entries (462 on this one) and once that happens bad things will happen. It's been a bit of a trooper, causing minimal issues and shockingly is still getting firmware updates. But once you hit the TCAM limit, it's game over.
Almost all their other switches are UniFis, but given how new the UniFi layer 3 stuff is I doubt that's ready for prime time in a production environment. 4 or 5 VLANs, 150ish PCs, two buildings, quite a few servers. Ports and PoE doesn't matter, we can easily get another 48 port UniFi PoE to handle that part.
What's that next level up from the base SMB switches with layer 3? Or maybe the $1000-1500 layer 3 devices can now handle much larger loads than the ones of 5 years ago? These folks keep growing and they will spend money, so I would like a solution with realistic headroom to grow.
Any recommendations would be appreciated, thanks in advance.
If people dont use their Internet does it increase the spped of the others? And on which level does a regulation occur?
A new more effective quantum communication network has been demonstrated in the UK city of Bristol using fibre optics. It was published just Wednesday in Science Advances under the title A trusted node–free eight-user metropolitan quantum communication network [1].
The invention, revealed in the journal Science Advances, has the potential to serve millions of users, is understood to be the largest-ever quantum network of its kind, and could be used to secure people's online communication, particularly in these internet-led times accelerated by the COVID-19 pandemic [2].
The former method would need the number of users multiplied many times—in this case, for 8 users it would amount to having 56 receiver boxes [3]. As the user numbers grow, the logistics become increasingly unviable—for instance 100 users would take 9,900 receiver boxes (using the old method). However instead of making a physical connection, such as a glass fibre, between each and every user, the researchers created a scheme where every user only has a single glass fibre connected to a source of quantum entanglement [4]. To demonstrate its functionality across distance, the receiver boxes were connected to optical fibres via different locations across Bristol and the ability to transmit messages via quantum communication was tested using the city's existing optical fibre network.
Why should you care? This sort of research into quantum communication infrastructure paves the way towards a network of global satellite constellations delivering faster and more secure communications across cities, countries, and continents. And who doesn't want more a faster, cheaper, more secure, more reliable internet?
[4] Cosmos Magazine. (4th Sept 2020). Can entanglement make communication safer?
Written up for /r/lasercom
Hi!
I work for a small ISP and we are looking to switch up our Wan. We are looking in to connecting to an exchange. We would connect to AMS-IX or NL-IX so rather big exchanges with most of the big players connected to it.
Right now we are not connected to an exchange and just have 4 transit lines with different ISPs. My biggest question is if I connect to an exchange what kind of transit lines do I need to keep. We will of course keep at least 1 transit line in case something happens to the exchange or one of the players on it.
What percentile of traffic can we expect to run over the exchange?
Let's say I am connected to 1 exchange and I have 1 transit line, if there is an outage of the transit line can all traffic be routed over the exchange?
Why would I keep normal transit lines over just connecting to an exchange?
Sorry if these are noobie questions but I am kinda new to this side of networking.
Thanks!
Hi, I'm configuring a server chassis (Dell MX7000) with 2 MX9116n for ethernet networking. I have 4 MX740c inside, which runs ESXi 6.7.
The chassis is running in Fabric mode.
Last week I could communicate with the 4 ESXi but I have made changes on the uplinks ports since (not the internals ports !) and I don't know why but it wiped the partitions so I had to re-install ESXi.
Now I can ping from ESXi to ESXi but not from ESXi to MX9116n (and not from MX9116n to ESXi of course).
The internal ports are configured with no teaming, trunking all VLANs. I currently use the VLAN 1 to manage my switches, idrac, ... and for the ESXi. This VLAN is untagged. The compute sleds have a profile applied with the network configuration (vlan) explained just before.
Do you have any idea ? I'm pretty sure I configured correctly the network because it worked last week, and except the modifications to the uplink switches I didn't change anything.
Thank you!
I have a largish piece of land with some buildings 150m apart and others 1000m+ apart in a forested, high snowfall area. I wanted to run some fiber optic networking between the buildings that I could buy some tools for to terminate the connections myself.
I can see that a large number of different fiber types and SFP transceivers can work at these distances. What would be the simplest and most cost-effective type to use in terms of tooling and cable / termination costs?
We have a Linux system controlling multiple PTZ cameras on a large broadcast show and the TCP communication with the camera drops at some point, the camera doesn't answer, I noticed TCP timeouts for a minute. Then the Linux ARP table times out, a new ARP request is sent and all comes back for another hour or 2. The link is a single Cisco router with a VLAN.
Linux does send an ARP request every ~40s with some other machines with UDP traffic only. But with the Panasonic PTZ, we have TCP traffic and it seems like the ARP entry timer is reset with traffic as ARP requests to the camera are never sent. The router doesn't seem to do the same and hits its ARP timeout. I only had access to the Linux machine, I found out that the ARP cache had the right IP/MAC marked "reachable" when the problem appears. I now send an arping every 60s to the cameras and the problem disappeared.
2 questions I couldn't clear up myself:
why would the Cisco drop the connection after the ARP timeout instead of sending a new ARP request itself? Is there a setting for this? (I don't have access to that facility router myself)
is there a way (and should that be a good option) to tell Linux to not use TCP traffic for ARP refresh to still send ARP requests on a regular interval?
Thanks, David
I am having some trouble finding documentation for Cisco's Wireless streaming telemetry (WLC Webhook) feature. I have found the cisco live session linked below, but have not been able to locate any of the yang models referenced in the PowerPoint.
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2018/pdf/DEVNET-1801.pdf
I am specifically interested in knowing what the meaning of event-type, index, and reason-code values for the ap-events model are.
Does anyone know where I can find the models or some additional documentation?
I am using WLC 8540's running version 8.10.130.0
So my friend has a problem where he lives in Texas and wants to connect to FiveM EU Servers to play with his mates. However, his ping from any other EU server should be about 120 ping. Only when he connects to a FiveM EU Server that his ping is about 180-190. We figured out that any time we use tracert in cmd in any other EU server, it goes from Texas to Virginia to New Jersey before making the jump to EU.
However, when doing the tracert for the FiveM EU Server, for some reason, he goes from Texas to California AND THEN MAKING THE TREK to New Jersey before jumping the ocean to the EU which resulted in 180-190 ping.
Any ideas why his IP address would go to California, making a weird extra unnecessary step before going to the EU servers?
I'm trying to deploy a Unifi AP and have it reach my controller but I can't seem to get the AP to accept a DHCP address. I can see in my DHCP server that an address is offered and it can see the mac address and my switch updates it's ARP table to show the address for the MAC address attached to the correct port. However, I can never ping the AP and it can't be adopted by the controller. I decided to packet capture the interface to see what exactly was happening and it looks like after a DHCP Offer is sent the AP starts sending out ARP requests for the default gateway and it never resolves this. My switch continually replies back to the AP with the MAC address for the gateway but it just continues. The packet capture is below:
14:01:24.258194 Out IP 0.0.0.0 > 224.0.0.1: igmp query v2 14:01:24.260177 Out IP 0.0.0.0 > 224.0.0.1: igmp query v2 14:01:24.940126 Out STP 802.1w, Rapid STP, Flags [Proposal], bridge-id 8000.5c:5e:ab:70:e1:01.822d, length 36 14:01:26.259176 Out IP 0.0.0.0 > 224.0.0.1: igmp query v2 14:01:26.260903 Out IP 0.0.0.0 > 224.0.0.1: igmp query v2 14:01:26.879076 Out STP 802.1w, Rapid STP, Flags [Proposal], bridge-id 8000.5c:5e:ab:70:e1:01.822d, length 36 14:01:27.125544 In IP6 fe80::822a:a8ff:fe19:995b > ff02::2: ICMP6, router solicitation , length 16 14:01:28.847581 Out STP 802.1w, Rapid STP, Flags [Proposal], bridge-id 8000.5c:5e:ab:70:e1:01.822d, length 36 14:01:30.743371 Out STP 802.1w, Rapid STP, Flags [Proposal], bridge-id 8000.5c:5e:ab:70:e1:01.822d, length 36 14:01:31.134914 In IP6 fe80::822a:a8ff:fe19:995b > ff02::2: ICMP6, router solicitation , length 16 14:01:32.572936 Out STP 802.1w, Rapid STP, Flags [Proposal], bridge-id 8000.5c:5e:ab:70:e1:01.822d, length 36 14:01:34.448114 Out STP 802.1w, Rapid STP, Flags [Proposal], bridge-id 8000.5c:5e:ab:70:e1:01.822d, length 36 14:01:36.350146 Out STP 802.1w, Rapid STP, Flags [Proposal], bridge-id 8000.5c:5e:ab:70:e1:01.822d, length 36 14:01:36.735177 In IP truncated-ip - 321 bytes missing! 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request [|bootp] 14:01:36.757313 Out IP truncated-ip - 292 bytes missing! 10.4.51.1.bootps > 10.4.51.3.bootpc: BOOTP/DHCP, Reply, length 320 14:01:36.760229 In IP truncated-ip - 333 bytes missing! 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request [|bootp] 14:01:36.778264 Out IP truncated-ip - 292 bytes missing! 10.4.51.1.bootps > 10.4.51.3.bootpc: BOOTP/DHCP, Reply, length 320 14:01:36.890499 In arp who-has 10.4.51.1 tell 10.4.51.3 14:01:36.890852 Out arp reply 10.4.51.1 is-at 5c:5e:ab:70:e1:01 14:01:36.950167 In arp who-has 10.4.51.1 (Broadcast) tell 10.4.51.3 14:01:36.950485 Out arp reply 10.4.51.1 is-at 5c:5e:ab:70:e1:01 14:01:37.885160 In arp who-has 10.4.51.1 tell 10.4.51.3 14:01:37.885480 Out arp reply 10.4.51.1 is-at 5c:5e:ab:70:e1:01 14:01:37.956955 In arp who-has 10.4.51.1 (Broadcast) tell 10.4.51.3 14:01:37.957273 Out arp reply 10.4.51.1 is-at 5c:5e:ab:70:e1:01 14:01:38.334141 Out STP 802.1w, Rapid STP, Flags [Proposal], bridge-id 8000.5c:5e:ab:70:e1:01.822d, length 36 14:01:38.885160 In arp who-has 10.4.51.1 tell 10.4.51.3 14:01:38.885479 Out arp reply 10.4.51.1 is-at 5c:5e:ab:70:e1:01 14:01:39.086180 In arp who-has 10.4.51.1 (Broadcast) tell 10.4.51.3 14:01:39.086494 Out arp reply 10.4.51.1 is-at 5c:5e:ab:70:e1:01 14:01:40.094871 In arp who-has 10.4.51.1 (Broadcast) tell 10.4.51.3 14:01:40.095189 Out arp reply 10.4.51.1 is-at 5c:5e:ab:70:e1:01 14:01:40.154973 Out STP 802.1w, Rapid STP, Flags [Proposal], bridge-id 8000.5c:5e:ab:70:e1:01.822d, length 36 14:01:41.895235 In arp who-has 10.4.51.1 tell 10.4.51.3 14:01:41.895549 Out arp reply 10.4.51.1 is-at 5c:5e:ab:70:e1:01 14:01:42.143391 Out STP 802.1w, Rapid STP, Flags [Proposal], bridge-id 8000.5c:5e:ab:70:e1:01.822d, length 36 14:01:42.895251 In arp who-has 10.4.51.1 tell 10.4.51.3 14:01:42.895565 Out arp reply 10.4.51.1 is-at 5c:5e:ab:70:e1:01 14:01:43.895267 In arp who-has 10.4.51.1 tell 10.4.51.3 14:01:43.895579 Out arp reply 10.4.51.1 is-at 5c:5e:ab:70:e1:01 14:01:43.950828 Out STP 802.1w, Rapid STP, Flags [Proposal], bridge-id 8000.5c:5e:ab:70:e1:01.822d, length 36 14:01:45.758998 Out STP 802.1w, Rapid STP, Flags [Proposal], bridge-id 8000.5c:5e:ab:70:e1:01.822d, length 36 14:01:46.901051 In arp who-has 10.4.51.1 tell 10.4.51.3 14:01:46.901367 Out arp reply 10.4.51.1 is-at 5c:5e:ab:70:e1:01 14:01:47.708213 Out STP 802.1w, Rapid STP, Flags [Proposal], bridge-id 8000.5c:5e:ab:70:e1:01.822d, length 36 14:01:47.895276 In arp who-has 10.4.51.1 tell 10.4.51.3 14:01:47.895590 Out arp reply 10.4.51.1 is-at 5c:5e:ab:70:e1:01 14:01:48.896285 In arp who-has 10.4.51.1 tell 10.4.51.3 14:01:48.896597 Out arp reply 10.4.51.1 is-at 5c:5e:ab:70:e1:01 14:01:49.645686 Out STP 802.1w, Rapid STP, Flags [Proposal], bridge-id 8000.5c:5e:ab:70:e1:01.822d, length 36 I also am using dhcp-relay because my DHCP server is on a different VLAN.
Is there something else I have to configure on this switch for the AP to properly receive a DHCP address.
So my problem is that every time I open a certain program it completely cuts off my connection to WiFi until restart and before opening certain program it works just fine (and I also have full bars so range is not an issue)
Ok, so first off my office has some Spanning tree issues (I'm working on resolving them) But it's really bad and makes my life hell every so often as acceptable downtime is 0 (including for internal offices) ... 24/7 sucks.
So put that aside I've got a Livewire Edge omnipeek capture. It basically has a admin port, and 8 ports for capturing, (two which are passthrough)
Any case two weeks ago I plugged it in, and somehow I got a spanning tree issue.. Which stopped as soon as I unplugged it. I've got a hpe5406 running KB16 aruba os. At the moment I'm guessing I need to set admin-edge-port, and bpdu-protection..
But aside note what should be set for ports going to a capture device such as this?
Hey, Just wondering What everyone's set up for a caravan park would be. Site is 70 wired units. Plan to Have everything in the one building in the middle
Site is around 500x400m reception in the middle. Plan to run ethernet over fiber to each cluster of units and then from one unit in each cluster, running ethernet to the other units. From there each unit to have it's own wifi router.
Every unit will need 4 ethernet points inside, one for voip, internet, tv and spare. Needing the following features: -data limitations (voucher codes from reception to make more)
Thanks for any recommendations!
Bit too long for ethernet to run
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.
Feel free to submit your blog post and as well a nice description to this thread.
Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.
I'm afraid I've become too much of a 'unicorn'. I've been interviewing, and I have not found a place that offers enough fodder to feed this 'Unicorn'.
I currently work on a team of 3 (Manger, Architect (myself) and and engineer) our daily duties include DataCenter (Cisco ACI and Palo Alto) Campus (Juniper and Palo Alto) Branch Office (Juniper and Palo Alto) Cloud (Palo Alto (transit vnet and vpc), AWS, and Azure), retail locations Fortinet (Fortigate, FortiAP, FortiSwitch)
We manage this with Infrastructure as Code which is done through Python and Ansible.
I came up through Sysadmin track, I have a deep understanding of Systems and I've been to Defcon pretty much every year since 2006 got my OSCP (Think it's now Pen Testing with Back Tracks) in 2008, and have a deep understanding of security ( Our security team is more policy driven and Network Team implements) I started 2 years ago I got really into Python and Ansible ( I couldn't stand programming previously to this; I just hunkered down and got over the hump) The deepest I went on Networking was my CCIE written in 2012 (never went for a lab).
My current certs include JNCIA Dev Ops, CCNP R&S(Expires this month have not reviewed the new curriculum) , PCNSE, OSCP, MSCE.
As I'm interviewing I noticed myself saying this place does not have cloud infrastructure, that place does not have Cisco ACI or Juniper, Palo is handled by the security team and not Networking at this location; no automation. I find this a turn off. Have I just become too much of a 'unicorn' to the point where I'm jaded?
I need some way to test the fiber cables in the data center I service. I do not even know what to call the cabling we use so I'm uploading images.
https://drive.google.com/file/d/1yZ6ik6V69y4u0E3vO---0vNtCzwvYun0/view?usp=sharing
https://drive.google.com/file/d/1cAJbHD9LK0X6hak4Fvm7HkNDoyp9GJF5/view?usp=sharing
Can you send VLAN trunks over a UNI interface on a Cisco ME 3400? i have a Cisco ME 3400 12ts-s.
Hi folks,
Have any of you configured Cisco AnyConnect to work with Azure as an IDP? We have it working in production (our internal users love it) but when we create a domain account for contractors to complete some work on our network, they are getting Azure error AADSTS90072 because the AnyConnect embedded browser is automatically passing their company's credentials (not what we want). Screenshot edited below to remove sensitive data.
For example, once the contractor hits CONNECT in the AnyConnect app, JOHNSMITH@VENDOR.COM is being automatically logged in. Instead of the account we want him to login with, JSMITH.MYCOMPANY. The Cisco AnyConnect embedded browser gives us no way to log him out of JOHNSMITH@VENDOR.COM, and the Azure SAML page gives us no way to switch accounts.
Since I am god awful at explanations, here is a link to someone else having pretty much the same issue but with Pulse instead of Cisco AnyConnect:
I have tried clearing cache/cookies/browser settings on all browsers on the user's machine and the issue persists. It seems that the embedded AnyConnect browser operates on its own rules for some reason.
I reached out to Cisco TAC and they suggested the force re-authentication command on our Cisco ASA's SAML configuration, but that will require all our users to authenticate on every login attempt, not just the vendors. I asked if there was any way to get AnyConnect to open a default browser session rather than an embedded browser session, but that does not currently exist and would have to be an enhancement request.
Our sysadmin folks call it a limitation on the AnyConnect app, and Cisco TAC calls it a limitation on the Azure page. Truthfully, it seems to be a limitation on both, which leaves me stuck somewhere in the middle on this one.
How can I get this user--or any contractors who already have O365 accounts with their companies--logged in?
I have a 10Mbps connection which gives 30-40 on fast.com, google drive etc.
So I deduced that I have Amazon and Google peering. As fast.com is Netflix product and hosted on AWS.
So I tried hosting a file on my AWS Server and weirdly I'm getting 10Mbps only then I made a personal VPN on Amazon to proxy the traffic but still the same result ;_;
I'm confused what's going on :/
The issue is not the password. What I did was lock down the Web UI and Management policies to a singular Alias that contains two IPs. So I can set an interface as one of these 2 IPs and can physically connect to either active port (0 and 1) but neither IP assigned to those are in the same subnet. I believe I will need to set a static route which I have, but I'm missing something. Here is a very similar setup to the actual one I'm working on, i just made the IPs something simple to make it easier to communicate.
M300 watchguard
Port 0 192.168.1.1 /26
Port 1 172.16.0.1 /27
The two IPs allowed per the rules are
So either of these two IPs should be allowed to manage the firebox through either port on the Web UI or System manager.
I think what I'm really struggling with is:
When I set the static IP to either 100 or 60 address, what default gateway do I set (if any)?
After this, am I correct to assume I need to provide a static route? If so, do I point it at the IP of the interface I just set? Or do I set it to the IP I'm trying to connect to?
I just need to login this way once to add back the actual IP(s) that should also be allowed to manage the unit. I appreciate any help you all can provide. Thank you very much in advance.
We have about 10 FTD firewalls acting as the edge and backbone of our data centers and are getting concerned with the number of bugs we were hitting with these devices recently.
So far we have had a routine firmware upgrade completely corrupt the firewall and a format of the firewall was required, the devices get out of sync periodically which causes them to split the configs between the 2 devices in the HA pair (1 has the NATs and 1 has the ACLs) and stop passing traffic, continuous VPN disconnects occur due to a bug in the code which forced us to upgrade not only the firewall but also the FMC (14 hour process so far), and this is all on top of other issues including SIP calls not working correctly until you disable SIP inspection which we never had to do in our old ASAs.
Does anyone have any ideas as to why these FTDs are such hot garbage? Does anyone have any opinions on the FTDs in general? Would we be better off junking these in favor of another vendor?
So I'm just curious as to why Cisco's throughputs are so low as compared to others that have high numbers - i.e. FortiGate, even Mikrotik. I mean take the 2900's for example. How come they're so weak in pushing packets that can't even achieve >300Mbps despite them having much of a hardware yet the little MikroTik and FortiGate devices have much much higher - 490Mbps for MT Hex Lite and 3Gbps for the 90D? I've been working with Cisco devices all my 8 years in the industry and have now just started learning more on FortiGate, Juniper, and MikroTik, and this huge throughput performance gap with Cisco has kept me wondering why then businesses choose Cisco (aside from the familiarity in IOS and the reputation).
So I'm not allowed to tell you about YouTube channel apparently so I won't make any reference to the video or the name of the channel but as I was tearing apart a protectli firewall to the pull out the hard drive, I noticed that there's a Sim slot on the board so that you put in a cellular modem through the mpcie slot. It even has predrilled holes for the antennas.
Hi guys, I have a problem regarding internet bandwidth on my business firm switch, I'm not a network kind a guy, and need help in understanding where to look at.
Switch is HP V1810-48G J9660A.
Situation is that I have confirmed 100mbps coming from the ISP C 3400 router, on switch port which has configured Link speed AUTO, 1000MbpsFullDuplexCopper.
This port have vlan tag 2 - WAN network.
Bandwidth which comes out of the switch is in range of 20/20 approx (after Patch panel if it is important).
Tried also connecting another Ethernet cable on it directly, in port with same vlan tag, and result still the same.
I hope this approach of testing is ok, but would need recommendations where to look next. Any help is more than welcome!
I think my problem is very simple but I’m a philistine when it comes to advanced networking. I’ve done my google searches and all that, but I’m still having troubles and I have no idea where to go
I have
NAT type 3 Play Online services(final fantasy11)(mmorpg) Araknis 110w router
I’ve tried some port forwarding but that didn’t seem to do it, and I may have done it incorrectly.
I can log into play online services, but when retrieving “friends list data” it times out like its not going through(which I imagine has to do with NAT type 3)
Does anyone have any idea where I can start?
Looking to get our field techs some network testers. Existing techs have the Klein Tools VDV501-823, and it does the job, but of course we're always looking for something better. I know there are dozens of much more expensive (and obviously better options) but 90% of the time all the techs need is to test new cable runs. Also, we prefer to buy on Amazon so something from there is preferable. I looked at pocketethernet and netools.io but neither appear to be available on amazon. Thanks.
Getting these prepped for pickup and removal.
There are two more still in service, but we should have those in the pile in another week or so.
That was about $2M worth of hardware when it was new, and we replaced it with about $2M worth of Catalyst 9400+9500s.
Cat6500 was the most frustrating platform I've yet to work on, but also the most stable, once you get them dialed in just right.
So, fare thee well old friends, your watch has ended.
Hi,
I recently transferred from GNS3 to Eve-NG. I like it so far, but is it me or the nodes have to be turned off before we can connect them together ?
It's pretty annoying.
Hi. I'm setting up the architecture below. Essentially my goal is to do mitm between my iot device and its server.
iot device <--> ethernet to usb conv(eth1) <--> laptop(eth0, bridge between eth1 and eth0)<--> internet
- At first I'm setting up the rules below with iptables
iptables -t nat -I PREROUTING -p tcp --sport 80 -j REDIRECT --to-ports 8080
iptables -t nat -I PREROUTING -p tcp --sport 443 -j REDIRECT --to-ports 8080
iptables -t nat -I OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -I OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 8080
-Then I'm plugging in an 'ethernet to usb' converter between my pc and iot device. Setting up the bridge between my lan adapter and external usb lan adapter.
And iot device has internet when I sniff with wireshark over external adapter eth1. With the rules I set I'm able to do mitm from my browser etc. but i can not proxy the packets that comes from/to the external adapter. What am I missing?
Hi community,
As the title says, how do you deal with different monitoring platforms in your environment?
We use Solarwinds, Zabbix, Splunk and Loginsight/vSphere.
I'm looking for a product that could combine everything to 1 dashboard.
Preferably open source, or did you build something yourself?
At the moment I'm learning Python so if you can build something with it I see it as a learning project for myself.
Trying to to a simply QinQ interface on a QFX5100.
I've setup the below on the QFX interface but it's not working:
set interfaces ge-2/0/1 flexible-vlan-tagging
set interfaces ge-2/0/1 encapsulation flexible-ethernet-services
set interfaces ge-2/0/1 unit 200 vlan-tags outer 1000
set interfaces ge-2/0/1 unit 200 vlan-tags inner 200
set interfaces ge-2/0/1 unit 200 family inet address 1.2.3.4/30
I know the switching on the inside is fine as if I replace the Juniper with a Cisco with a similar config it works fine.
interface GigabitEthernet0/0.1000
encapsulation dot1Q 1000 second-dot1q 200
ip address 1.2.3.4 255.255.255.252
Am I missing something in my config?
Thanks
Hi there, I don't know if this is the right sub...
I'm in a student dorm that only allows us to connect through cable. I was given a personal IP address and therefore I think they must have been using only static IPs here. I want to be able to connect my phone and my laptop at the same time. I brought with me a wifi repeater that I managed to set up, also I crypted my DNS queries so the staff can't see them. When I connect to the wifi network I created I can only use that given IP, nothing else. I tried some other ones randomly, but none worked. What's the best approach here? Should I nmap the larger network looking for free IPs? (I'd prefer not to, don't want to raise any kind of suspect). Unfortunately my wifi repeater doesn't seem capable of working as a proper hotspot, with its own DHCP rules...
Good day everyone,
I'm looking for some information regarding the Dell networking associate exam "DEA-5TT1", I'm cisco CCNA certified so I already have a piece of good basic knowledge, I took the Dell practice exam and passed, I'm wondering if the real exam is going to be same as the practice one.
If anyone could point me for some study material or courses, the dell course is 800$ I think its way overpriced.
in case if you asking why I'm doing this cert, it's in my company contract requirements for applying to salary raise :/
and I'm sorry for my non-native English language
Hi, I need to connect to the server with 2fa, and seems f5fpc client (from 7.2.1 APM still don't support 2fa https://downloads.f5.com/esd/product.jsp?sw=BIG-IP&pro=APM_Clients). Maybe gui f5vpn from package 'linux_f5vpn.x86_64.deb' could help me? But, unfortunately, I don't know how to install it on the debian. Seems this package depends on a lot of unknown QT libs. Could you, please, help me with instruction or manual, how can I install gui f5vpn on debian or ubuntu.
Hello all, What exactly means the throughput in a network device???? I'm struggling with the fact that I saw throughout as low as 50mbps on a cisco router. How come if s network device has 1g ports,lets say 3 1Gb port, how come the throughput is only 50 mbps???? What's the while point of have 1gb interfaces if the device won't be able to handle more than 50mbps at a time?????? I'm getting something wrong here, any help?!?!?! Thanks in advance Also, I've notice some vendors refer to 64kb when testing, what does it mean????
I have a smoothwall and I created a vlan and tied it to an interface. I created a new subnet and I gave the vlan an ip.
I went to the dhcp server and added an entry for the new subnet and set up a dhcp scope. I set the vlan as tagged on my switch, but it just isnt leasing IPs. I keep getting an IP from the main subnet...
I can totally ping the gateway I setup for this new subnet. It should have just pushed down those addresses. Am missing a step? I figure someone can see what Im dumbly not thinking.
I'm trying to find out if the telephone cabling in my condo could support ethernet.
It was built in 1990.
Could you guys please help? Here is a picture:
https://ibb.co/FWnqt4z
Thanks.
Hi guys,
Not sure where else to post this but I could really do with some big brain power. Currently got a proxy server running. It works with both transparent and explicit proxy address.
Transparent works when you set the workstation gateway to the proxy server IP content gets filtered perfectly. However, I'd like to be able to force that network wide via pfSense if possible?
So far I've tried a rule similar to below. I've tried changing the Dest Address to WAN Net, WAN Address. Tried changing my NAT port for the proxy to the specified HTTP and HTTPS ports and I've tried the standard 80 and 443 port too. Just can't seem to get the traffic to go through the proxy.
Would greatly appreciate if anyone has any ideas?
Ohio, Michigan and a few others are having issues making outbound calls from the GotoConnect/Jive Voip system. Long distance and toll free seem to be working. According to Jive "They are working on the issue".
Hi All,
I have recently moved to a company that uses Exinda WAN optimising appliances for some customers.
I have discovered an issue with some of them where they no longer seem to be recognising Whatsapp traffic correctly and are not treating the traffic as per the Whatsapp application policy. The traffic seems to be hitting the Peer to Peer traffic rate limit we have in place instead.
Has anyone had any experience with an Exinda doing this before and if so did you resolve it ? I plan to engage Exinda regarding this but just thought I'd reach out on here too.
Hi I'm trying to segment a network with massive number of users, say 2000-3000 devices, I'm thinking of ciscos ise to do the network segmentation but i'm unclear, as to about my choice and various future proof options available. If someone could help me with this, it would be really helpful.
Anyone in South West US notice a small blip with CenturyLink 0240 MST / GMT -7 - 0245? Our external monitoring is not the best but the same public endpoints we monitor seemed to have gone down as did the ones from Sunday's issue. My guess is another brief routing issue or a peering issue with CenturyLink. I've ruled out internal infrastructure as much as I can. I don't see a full drop in traffic via internet during that time so it seems like only a subset of remote endpoints were inaccessible. Packets / sec dropped by 50% during that window as well as remotely monitored endpoints being inaccessible.
I have a windows CE device connected to a switch with multiple other PCs. Every time I set the ststic ip it stays online for few hours and then disconnects and goes back to DHCP.
When it goes to DHCP it assigns to a completely random ip with a random subnet mask with no access to local network. Only happens on this one device.
Any idea where to look, or is it network or device problem
Hello peeps! Is there any latest ccna exam dump reviewer/reference that i can use to review? Im too broke to even enroll myself to a review center.
Hi Everyone,
Controls engineer here. Not looking to get certified (Yet, anyway), but I was wondering if anyone had a source for old CCNA Industrial resources for cheap/free? Just looking to learn some things to make my job easier.
We currently use a TMG server for controlled access to the Internet, and want to replace it. There are no direct openings towards internet with a few exceptions.
Basicly, it has 2 roles -
1. is as an authenticating web proxy. Different Windows groups has different Internet access.
2. With the firewall client, redirects all non-LAN traffic to the TMG, which then, based on credentials, makes decisions to block or allow the traffic. Approx 5000 clients.
Squid can easily handle the web proxy role.
But what can replace the firewall client functionality ? I can not see one single component doing so. I could imagine running lots of split tunnel VPNs, with default route thru the tunnel, and split tunnel to LAN networks. But how would I determine what access the users would get ?
I could likely do something with creating 10 access rule sets, and have each client hit one of those sets. But then I would have to map our existing set of additive groups access to access rule sets, giving some people more access than they have today.
TMG is running on a 4 server cluster, with failover. We would like failover as well (Short lived DNS records and DNS round robin could do as a poor mans failover). Can we run 1500 VPN servers on servers without any issues ? How does VPN solutions scale ? We do not see more than 500Mbit/s bandwidth total among the 5000 clients (after eliminating forbidden traffic).
We also want always-on VPN from home, more or less same functionality. That one gets more difficult. Layering VPN channels is theoretical possible but too complicated. So 2 different always-on VPNs if possible ? Route LAN through one, Internet through another ? or a 3rd solution ?
I have a strange requirement to gather the number of people in a office (returning to work during CV19). Now, i streight away thought about pulling something from the access switches. I also an idea to pull something from the DHCP Scopes as they renew when they are in the office.
Anyone done any of this type of monitoring/reporting?
Hello!
I wanted to put this out there to see if anyone has setup anything similar!
I’m troubleshooting some network performance issues a very large WAN. I’ve done my usual tests but I haven’t found anything conclusive.
I’ve setup two CentOS Linux boxes as network probes one at a branch site and another at our data centre. I regularly run iperf to test performance but I’m really looking for something I could run constantly that wouldn’t take up bandwidth to troubleshoot connection issues.
Wondering if anyone had a similar setup could give me a few pointers of ways to approach this!
Looking forward to reading the responses thank you for your time!
I am posting here as I have no real clue what to make off this.
I have a ClearOS/CentOS Router and had a DLink 10/100 Router feeding my WAN side as a switch only.
It worked fine for ages but I started using VLC Player on my iPhone hooked up to my Wifi.
When I go to "Browse Network" in VLC, all the sudden the DLink appears to partially lockup and not let me access some of the nodes connected to it.
A power cycle and it's fine but does it again using VLC.
I am confused how just using VLC can "kill" a switch.
I have a homemade cable, it does not bring up a link.
Tested with multimeter. All connections fine 1.5-2 ohms. Tried replacing both connectors. No luck.
Any idea what can be the cause apart from vodoo and black magic ?
Been reading the different subs related to networking. While browsing I've noticed; from my perspective, a very high number of users running multiple VRFs in their networks. Please tell me why you're doing this. I hate them and think they're used as a crutch. I'm considering a move to an agency that uses them extensively and has consistent outages/network problems. Help me see it from your perspective.
Howdy,
I'm setting up radius authentication for my company's switches (mix of HP and Ruckus). All the HPs seem to work just fine with config entries like: "aaa authentication ssh login peap-mschapv2 local" On the Ruckus switches I have tried entries like (specifically an icx 7650 for testing): "aaa authentication login default radius local" only for my NPS radius server to come back and tell me that the switch is reaching out to my radius server via PAP: "Authentication Type: PAP The user attempted to use an authentication method that is not enabled on the matching network policy." After doing some digging through the fastiron security configuration guide, watching a couple of youtube videos, and trying a couple dozen different ways to search for icx switch radius config without getting results for Ruckus wireless, I haven't found a way to use PEAP. Am I correct in saying that the icx doesn't support PEAP? From my understanding the icx switches support radsec, is that my only option for secured authentication between my switches and my radius server? Apologies if this is a dumb question or if I'm chasing the wrong issue.
Thanks
Hi, previously I have tried to set up the VLAN tag, the internet is connected, but there is a problem in the voice ip. maybe something went wrong with my previous vlan tag.
i want to set a new ruckus switch with configuration like this :
vlan 88 (local) = eth 1/1/1-17
vlan 90 (voice) = eth 1/1/6, 1/1/10-14
vlan 81 (management) = eth 1/1/18,19
vlan 91 (DMZ) = eth 1/1/20,21
i have 5 ip phone polycon cisco, and i will use it in port eth 1/1/10-14
from the server switch, im using cisco that has already configured with all vlan trunk to port eth 1/1/22 on ruckus.
then, how to set up the tagged/untagged in order to work properly with the voice ip ?
thanks for all help !
I've been comparing some of the major players for a hardware refresh coming up and - am I reading this right - Arista only has a 1 year hardware warranty?! Aruba and Cisco both come with a limited lifetime warranty on hardware, which is 5 years past the EoL date. Am I missing something here? Does everyone just look past it because they like the hardware & software?
Is the pricing that much better to deal with the risk of only a 1 year warranty?
Some background, I passed my CCNA a year ago and I know what a static route is. I've heard of a floating static route, and understand it's purpose and configuration. But during my studies (Self) I never came across a Recursive Static Route. I have a friend who is getting ready to take Net+/CCNA and he has asked me for help with it.
Both of us understand...vaguely...what it is but neither of us understand the purpose of it. At best, it seems like it saves the Router a little bit of overhead by avoiding a second lookup? But what it saves seems minimal.
What are we missing here?
In the last three weeks I've started getting the following messages on two EX3300 stacks:
/dev/md18, mounted on: /var/rundb Storage size changed: 0B -> 117MB (/dev/md18, mounted on: /var/rundb)
/dev/da0s3d, mounted on: /var/tmp Storage size changed: 0B -> 368MB (/dev/da0s3d, mounted on: /var/tmp)
/dev/da0s4d, mounted on: /config Storage size changed: 0B -> 61.7MB (/dev/da0s4d, mounted on: /config)
/dev/da0s2a, mounted on: / Storage size changed: 0B -> 183MB (/dev/da0s2a, mounted on: /)
/dev/da0s2a, mounted on: / Storage size changed: 0B -> 183MB (/dev/da0s2a, mounted on: /)
Each stacks is made up of seven switches running version 12.3R12-S10. My google-fu has failed me in finding a resolution. Has anyone else seen this before?
Every time I log in to my work wifi router, it always stats on the left side "not secure." Is this something to be concerned about? I have all my connections on wifi password with the WPA security.
It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.
There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!
Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.
Hi all!
So recently I got to Thinking as it’s a topic that has come up very often at work. The idea of being a silo skilled engineer, or a jack of all trades. Now what I want to know is how many vendors do you think a good engineer should have a deep understanding to along with the technology space.I don’t just mean being able to push a policy, I mean being able to debug it deep dive. More so at times cross skilled across different technologies ( automation , AWS, Azure ). I’m still fairly new to networking and security (4 years) and at times I’m finding it hard to get certified on vendors as we support what I think is a lot for a single engineer to know (8 different vendors of firewalls +-) cloud based and on prem.
I have my preferences on vendors but I am more curious as to if I’m being a baby when it comes to how much I want to learn or if it is truly a case of too much? Also worth adding along with firewalls and azure there is still a good amount of routing and switching and wireless and some very limited VOIP..
Dear all,
I'm deploying a VOIP phone Cisco SPA 504G connected to Cisco 3750G which is coolnnected to mikrotik router. I have configured the phone by accessing the webpage. Now I want to create a VPN on my mikrotik routerboard 750G to avoid the port blocking by my ISP. I have successfully configured internet connection. But now I am stuck on this. I know there are site to site VPNs in mikrotik but how these pptp and others work as I have only one mikrotik and it will act as server.
Any link or help will be greatly appreciated. Thanks
We recently had a small ~3,000sq/ft office wired for data, CAT6a. I've found a few data drops that don't seem to work; devices won't communicate with the switch when using them (but using the same device and switchport, but over another drop works fine).
Confoundingly, the data cabling installers basic cable tester says the drops are fine, and my Fluke Intellitone Pro 200 also says that it's fine. Good contact on all pairs, but yet devices simply won't talk over these drops.
Is there some kind of higher quality network cabling testing device that I can buy/rent that will give more info? Something so that I can go back to my cabling vendor and be like "See? It's fucked. Fix your shit."
I'm rusty and I could be doing something wrong but I cannot figure this out =(. I have a setup of five switches
All of the switches can ping and ssh/telnet into the main switch. But when I put the mac-sticky command every port switchport port-security mac-address sticky.
It shows nothing when I do show mac-address table | in (insert last 4 of mac). I would really appreciate if if someone can tell me what I'm doing wrong.
Hi all, I am trying to find an open-source alternative to Tailscale that offers similar speed to Wireguard. Preface, I'm not much of a networking guru. I understand that a solution might just be to "set it up myself with wireguard" but am looking to simplify the process if possible.
I want to run kubernetes nodes on VM's that live on different networks, which are both NAT'ted and un-NAT'ted. I also need to be able to add and remove nodes from the network dynamically (static config would not work well in my case). I believe the best option here is a low-latency VPN. Tailscale makes this very easy. You install it and start it and it just works, UDP hole-punching included to get across NAT's and easily adding network nodes dynamically. However, Tailscale is freemium and closed source.
Nebula by slackhq does something similar. However, looking into it more closely, it runs at half the speed of wireguard. If it ran faster this would be perfect.
The best option would be some open-source solution that utilizes linux kernel wireguard, and can dynamically add nodes to the network while providing UDP hole-punching. I've been unable to find anything like this, so wondering if the community has found anything good for this.
Dear Rediteers, I need to develop a firewall rule to allow a certain application (https://www.saal-digital.eu/software-download/download/?ClientPlatformType=0). Wireshark & DNSQuerySniffer allowed me to narrow down that all communication happens through port 80&443, TCP, IPv4. The initial request is a DNS request but then my issue starts: the following requests are to wildly varying IPs. I tried Whois lookups for those domains and tried adding those neighboring IP ranges to also add all future variations. I did not manage to find the proper ASNs to that company.
So, long story short: how do you profile a 3rd party application to create your firewall rules?
In short, I am helping my completely IT illiterate brother in law setup a network for his small business. A while back he had an ex-employee login and mess with their stuff and is wanting more security. I am great with figuring out computer stuff, but personally I have never really been involved in enterprise networking. I have decided on a Ubiquiti DM, +8 switch, +2 or 3 AP's for hardware as it seems reasonable in price and pretty straight forward to setup (I don't mind opinions if you think there is something better/easier out there).
My main question and concern is, what will be the best way to get the best security from his ex-employees gaining access to their network? Typically in big office settings that I'm used to, everyone has a login, and access to VPN through a login (like fortinet). Is this possible with this setup and what would I need to do? I was thinking of a guest network and just changing the password once a week or something, but that seems like a lot of work for a guy that is computer illiterate. I tried searching for this answer, but either don't know how to narrow down searches, or don't know what its called to really get good answers. Any help or direction is greatly appreciated.
This is a throw away account.
I am/will/was a TAC engineer in cisco.
Before i start my rant. Here is my free advice for firepower customers:
If you are a customer and want to get the proper support for firepower cases, try to open a case in the time zone when Krakow (EMEA) / Bangalore (APAC) / US team (NASA) works. They have best engineers ( for firepower atleast )
All other teams are sub par when it comes to firepower cases.
There are so many internal TAC things apart from the product that i can't just tolerate anymore.
Now coming to BU. ( or engineering team )
It all depends on the contract that you have with cisco. If you are a big customer ( you have paid them big money ) , you will get the best support. You case will be FTS around the clock. Dedicated TAC team / engineering team will monitor your cases 24/7. The engineering team will be fast in fixing your software bugs. you just need the right contacts and some stern e-mails to right people.
If you are a small customer the situation is different for you. Even if the TAC engineers tries to push the case to BU / engineering , they are very slow in responding to any new bugs. It makes sense till one point . I get it , you want to prioritise customers who pay you more , but that doesn't mean that you should fully ignore the small customers.
I have seen bugs been moved around from Firepower team / unit to ASA team / unit and vice versa.
Since firepower uses ASA LINA , sometimes it is really hard to figure out which team should pick the bug. And sometimes engineers use this loop to keep delaying work.
The most bullshit reason that i have ever heard from BU team is : " TS file does not contain the required logs from that timeframe". getting an engineer from BU / engineering on a live TAC troubleshoot session is a huge pain. So many formalities , so many internal mails , its a mess.
The Entire Firepower product
The integration between Firepower / ASA / FXOS is really really bad.
Imagine you are building a car, you start like Toyota. ( ASA ) . the car is really good , it has gotten really good over the years.
Now a new car manufacturer comes in market ( BMW ) , it has really good interiors and up to date electronics.
If you take the engine from a Toyota and put it in a BWM body , would the car be good ?
BMW and Toyota are made for different use cases and different market segment. same goes for Firepower.
the product lineup and integration is so shitty. Firepower modules go on ASA , it can be a standalone device like FTD ( which is basically a combination of ASA + Firepower ) . On top of that , there is Firepower chassis , Firepower management center and what not. Compatibility issues everywhere.
Why cant the product line be stream lined as PALO ALTO firewall. For anyone reading this , please compare PALO ALTO with firepower before buying. Remember that their entire TAC team is in US , so you get the best support possible. They do not outsource their work to employees working in Noida , India
you can refer to firepower rant II post on reddit for more on this
Forget about production environment , FPR devices don't work properly in my lab environment.
Now coming to Fake CCIE certification
When a TAC engineer tells you that he is CCIE , you should not believe him outright. Cisco has internal program where they reward engineers for completing CCIE . Last time i checked it was about 1.5 times a month salary for all blue badge employees.
Candidates know the questions ( 'ccie dumps' as we call them in our lingo ) before hand ( both theory and lab ). They reach out to third party vendors and set up CCIE labs. The labs are exactly same ( topology wise ) to the CCIE labs. Candidates practice the same question over and over again on the devices. It becomes a part of their muscle memory. I have seen people writing down the CLI commands and learning the sequence of commands , not knowing what the command does. even the IP address / subnets are set as same.
Even I know all the questions that were being asked in lab exams last years( pre - covid time )
Now I don't know how do these third party vendors know the CCIE question beforehand, but something really fishy is going on here. It is simply impossible to study for 6 months and pass the certification.
Also , one major factor why people opt for CCIE examination is that they get off-queue in TAC for few days. ( it is basically few days of holidays ) . people have booked CCIE exams with no intention of passing the exam so that they can get some paid holidays.
So it is very possible that you might someone who is CCIE in security but while working on case he has no idea how / what is ARP.
Next time when you see a shiny linked post about ccie, or when an engineer mentions is CCIE ID in e-mail signature do not get fooled. He/she is just good at mugging up and donkey work , not actual troubleshooting or networking.
I did my CCIE last year. Honestly speaking , I did it for the money and off-queue. But I never mentioned to any customer ( nor added any CCIE number in my e-mail signature ). Deep down I know I just cheated on the exam. I have met some of the good experienced engineers who do not even have a ccna certification , but are far better than me.
Now the pressure that we have to deal with
Everyone is after us , eating our head at the same time. I have been on webex calls with people who have no idea what is going on the case. HTOM / account manager / duty managers / sales guy have interfered in the ongoing case so many times. well , if you want a case update why don't you go over the case notes. I just get fed up when some random person who has not even gone through the case notes pings me and asks Problem description and action plan.
Working in TAC is really stressful.
I once saw one of my fellow engineer crying on the call. Another engineer came over and took the call from there , but things like this really demotivate us on the floor.
TAC engineers work on weekends. they work on all holidays. Some of us are really hard working. we have to work in odd timings. Some teams go to work at 10 PM at night ( local time) , some teams go to work at 6 AM in the morning ( local time )
This all takes a toll on our works.
We are over worked. we have sometimes take 4-5 cases per day. Backlogs with over 40 -50 cases were pretty common in the pre - covid times. even right now , VPN + webex teams are getting a lot cases because of everyone working from home.
Now coming to Managers
Some managers are good , some are bad. Few managers really care about the team. Few are just sitting and only thinking about SLA misses and NPS scores. In all the team meetings i have to go through the same bull shit. same questions over and over again. Managers should understand that metrics ( such as NPS) are not everything.
I have gotten 0 NPS scores many times. I have also gotten 10 NPS scores a lot well. But the NPS scores are tied to the engineer's record when they close the case. Even if 10 different engineers worked on one case , the NPS scores get assigned to the person who closed the case.
My manager once sent a wrong e-mail to the customer. He was supposed to follow up for a different case with a different bug but ended up sending e-mail on the case i was working on. Another week of confusion , and back and worth webex / e-mail / phone call. If that happens one time , i can understand it , but such things have happened so many times .
Parity between blue badge and red badge engineers
When the cases come in queue it is assigned to an available engineer. Since red badge employees are on contract and are paid less than the blue badge employees they always have this attitude of ''' i am being paid less for the same work '''. That reflects in their work as well.
there was a recent incident where some red badge employees went on a call pretending to be either a tech lead or manager. they were fired . i am not sure what exactly happened , I just heard it in internal communication. it was a different team ( probably VPN ) and different shift
This is what cost cutting does. It degrades the work quality.
I have seen a lot of firepower TAC cases , and one thing I can say is nothing has improved in Firepower line of devices for the past few years. Yes , the engineering team keeps rolling out changes but core functionality is still very bad.
If you raise a case, and it is picked up by someone who is a really good TAC engineer , you will get the best support from cisco. you will get proper updates , proper hand-off / FTS and proper resolution of your issue.
But there are some really poor TAC engineers as well. They do not wanna do any Lab repro ( because lab repro is time consuming and tedious ), they don't know about the product ,and neither are they wiling to learn. Some engineers are really lazy to even add internal case notes and do proper hand off / requeue.
I have received requeued / hand off cases which makes no sense . Wrong bugs attached to wrong cases , missing logs , missing action plan , case notes pasted in another irrelevent case , I have seen them all. I have seen cases that are going on for 6 months or even more without any relevant internal case notes. Sometimes i have to start my troubleshooting again from beginning ( because the case notes give me no clue ) . I don't mind troubleshooting from scratch , but it gets annoying after some time. ( for customer and TAC engineer as well ) .
We have about 20 of these little machines at our corporation that we need to be able to use WOL on at random times. The included ethernet adapter does not support WOL, so waking the device when it is 100% off is not an option. There are no open PCI slots. However, when the computers are in sleep mode, a mouse or keyboard can wake it from sleep mode. I'm wondering if there is some sort of a USB device that could virtualize a mouse and wake the computer remotely?
EDIT, SOLUTION FOUND: Okay, as I'm typing this, a coworker found this repo using a raspberry pi zero (and presumably would work with a pi zero w). This answers my question but I figured I'd post it anyways so someone else that needs this will find a solution!
I work for a large enterprise. On our client access switches, the standard port config for a client connection looks something like:
description **Client Access Port*
switchport mode access
switchport access vlan x
switchport voice vlan y
Access ports usually contain end user devices such as PCs, printers, etc. while the voice vlan is dedicated to IP phones only. I notice that when a PC connects to a port with this config, it gets a DHCP address from the access vlan (our data vlan) and if I connect an IP phone to the same port it gets a DHCP address from the voice vlan. Recently, I have worked on a few projects where we have installed various "Cisco Webex SMART kit" specifically these devices:
When these tablets are connected to the network, they automatically get an IP address in the voice vlan. The person I am working with responsible for provisioning these devices tells me they need to be in the data vlan instead. This is fine, I can change the IP of the device no problem and it should still work on that port. I was just curious as to what the mechanism or logic was to how a device decides which subnet to request a DHCP address for when connected to a port with both an access and voice vlan associated to it. Any insight would be greatly appreciated.
We have a very secure but antiquated system that’s used by everyone in the company. It requires a computer’s current IP to match existing DNS records in order for a user to login to it. That presents a problem when you have a laptop on Wi-Fi with an IP on one VLAN (10.x.1.x). Then the laptop plugs into a dock that has an Ethernet connection. Then the laptop gets switched to another VLAN (10.x.2.x). The DNS record still shows the 10.x.1.x IP. The user tries to login to this system. They’re denied access because they have the wrong IP. We get a help desk call saying they can’t login. Nslookup shows the 10.x.1.x IP. We have to remote to their computer, run “ipconfig /registerdns” and hope it works fast. Most of the time they can login immediately.
I’ve been told by the vets at my company and by the software vendor the only way around this is to give everyone a static IP. That’s gonna be a no from me, dawg. There’s one vet from another company that used the same system and gave everyone static IPs. I’ve learned to take what others say with a grain of salt because I’ve often found better methods to issues other people have given up on.
I’m new to getting this much into the weeds in networking and backend systems. Can someone explain why this might be happening and if there’s anything that can be done to speed up the DNS update process?
Yeah.
Each door gets a small module that mounts above the ceiling tile. This module accepts input from the card reader, switches power on/off to the mag locks, etc. It is managed and powered over Ethernet. Each module has a NIC that only operates at 10 Half Duplex.
Most of our switches technically support it for now, but I worry about our next access switch refresh. I get the feeling we're going to end up buying a bunch of EOL or crappy Netgear 100MB switches to "convert" this connection.
I have a situation where a small business had to relocate to a home office, and the customer is claiming that the ISP won’t give them a static IP in their neighborhood.
Has anyone ever used a dynamic DNS service for a client SSL VPN before? If so, what have your experiences been like? AnyConnect will be used specifically.
A bit stumped on this. I've gotten this to work with VRF to VRF plenty of times, but in this scenario I'd like to do VRF to GRT. Does this config look right? This is IOS-XE (CSR1000v) in GNS3
This is all local to one router, all referenced interfaces are UP and the default route gateway is pingable (I have another router holding that IP that is connected)
ip vrf INTERNET_A rd 1:1 route-target export 1:1 export ipv4 unicast map DEFAULT_ONLY route-map DEFAULT_ONLY permit 10 match ip address prefix-list DEFAULT_ONLY ip prefix-list DEFAULT_ONLY seq 10 permit 0.0.0.0./0 ip route vrf INTERNET_A 0.0.0.0 0.0.0.0 12.45.78.90 router bgp 65001 address-family ipv4 vrf INTERNET_A redistribute static default-information originate exit address-family show ip route B* 0.0.0.0/0 [20/0] via 12.45.78.90, 00:05:00 show ip route vrf INTERNET_A S* 0.0.0.0/0 [1/0] via 12.45.78.90 ip nat inside source list acl-nat-out int gi6 vrf INTERNET_A overload ip access-list extended acl-nat-out 10 permit ip any any int gi6 ip vrf forwarding INTERNET_A ip address 12.45.78.89/30 ip nat outside int gi1 ip address 172.16.0.22/30 ip nat inside ping 12.45.78.90 (this is the next hop, so NAT should process) timeout show ip nat translations Total number of translations: 0 show ip nat translations vrf INTERNET_A Total number of translations: 0 We are planning for implementing the Server Farm Firewalls with the following points into consideration
In addition to the above, we are also looking for a Web Application Firewall (f5, Imperva) for web servers in DMZ.
The current design is collapsed core. Server Farm access switches are directly connected to Core. The core does inter-VLAN routing and has a default route to pair of Internet edge firewalls which terminate internet connections, VPN and DMZ
I'm looking for a validated design to deploy the solution.
Which firewall would best fit the above requirements Palo Alto, Fortinet, or FTD.
I was always under the impression that within a simple L2 network, an IGMP querier was there only to send periodic membership queries so switches can build tables of which port needs to send what and to who. That the querier is just an arbitrary node in the network which someone has decided will send querier messages.
But....
I've just taken some training which very clearly says that the physical network link to a querier needs to have sufficient bandwidth such for all multicast data traffic on the network, because all multicast data traffic will be sent to the querier, regardless of whether it has been requested by a listener or not. That's just not how I thought it worked and seems to go against the whole principle of intelligent multicast data routing / the reason for IGMP in the first place.
Note that my L2 network is not connected by a router to another at L3. In that case, I can see why someone might say 'dimension the link to the router such that it can handle all potential multicast streams' just in case a remote network asked for them. This is strictly a single L2 network using IGMP snooping - no PIM etc.
Who's correct? Me or the training?