Saturday, September 19, 2020

Easy Subnetting question

How many subnets can I create with four masked bits on a Class C address? It's 16, right?
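As an added check for the question above (example code written for this page, not part of the post), the split can be enumerated with Python's ipaddress module. The block is generic: it borrows any number of host bits from any IPv4 prefix and reports the count, new prefix length, usable hosts per subnet and the first and last subnet. The 192.168.1.0/24 block used in the demonstration stands in for "a Class C address" and is a constructed value.

```python
import ipaddress


def split_by_masked_bits(network, masked_bits):
    """Borrow masked_bits host bits from network; return the resulting subnets in order."""
    net = ipaddress.IPv4Network(network)
    # subnets() raises ValueError if more bits are borrowed than the prefix has host bits.
    return list(net.subnets(prefixlen_diff=masked_bits))


def describe(network, masked_bits):
    """Summarise the split: subnet count, new prefix length, usable hosts, first/last subnet."""
    subs = split_by_masked_bits(network, masked_bits)
    return {
        "subnets": len(subs),
        "prefix": subs[0].prefixlen,
        # Classic host count: network and broadcast addresses excluded.
        "usable_hosts": subs[0].num_addresses - 2,
        "first": str(subs[0]),
        "last": str(subs[-1]),
    }


if __name__ == "__main__":
    # A Class C-sized block with four masked bits, as in the question (constructed address).
    print(describe("192.168.1.0/24", 4))
```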



Hardware Recommendation

I'm looking for some high end hardware I can use for pfsense/opnsense. Cost isn't a concern, but it would be nice if it wasn't a full desktop PC size (but it doesn't need to be a small NUC either).

Requirements:

- 1 Gbps up and down with packet inspection

- Ideally 500-1000 Mbps VPN

- 3 network ports

Nice to have:

- 2 Gbps up/down with packet inspection

Any recommended hardware out there? Would prefer to not have to build something myself.



ISP Routed Handoff with SRX

I have a new AT&T ADI circuit being installed to replace a cable connection. At the same time I'm replacing a very ancient ASA with an SRX. The ASA has to stay in place past the day when the circuit is live.

I can do this with a switch between the circuit and both firewalls, but then I lose shaping ability. I am thinking of asking AT&T for a "routed handoff" and a /28, and using the SRX to split off half of the /28 for the ASA to use.

What I'm proposing is this topology. I can't see a reason why this shouldn't work, and I'm going to lab out what I can with spare equipment - but are there any gotchas I should look out for? It's only a 50Mb circuit so performance should not be an issue.



Load balancing a /24 BGP prefix?

Assuming you have a /24 of public IP assigned to you, and BGP peering to 2 different service providers, is it possible to somehow load balance incoming traffic?

I would say "split the subnet into 2 smaller subnets and advertise a longer AS path on each side", but I've heard that you can't advertise smaller than /24? Is this true? And if so, are there any other options?



Job prospects for a person with no IT experience

I am 30 years old and looking to make a career change. Networking seems very interesting to me, even though I have no experience in IT. I am already enrolled in Community College to get an Associate's degree that comes with a CCNA, before transferring to a Bachelor's in Networking, all while trying to get some initial certs (CompTIA A+, Net+, Sec+) on my own. I don't mind starting out from the bottom, but wanted to have the potential to move out of help desk quickly. Also, I'm determined to dabble in code and learn at least some Python. How realistic is it for me to land a first job in the US in a medium to large sized city with at least the A+ cert so I can at least get some experience while I knock out other certs/the BS degree? I just get really nervous with how much emphasis there is on experience in IT when I'm making the switch at 30. I'd like to make a comfortable income after a few years of experience (70k at least? I was making 60k as a teacher). Thanks!



Making my own network?

I wasn't sure if this is the right sub-reddit for this type of question or where it would be better at.

I also am not sure if making my own "network" is the correct terminology.

But so I am from a small city and the fastest internet I can get at my current location is 1.7 down, and 0.5 up. Yes I live in the USA, yes this is the fastest internet I can get I have called and talked to all providers... trust me.

So I already have a DSL cable run, and I was wondering what the price range would be for something like that, say if I could also provide internet to other households who also can't get fast speeds in the area. If anyone could point me in the right direction or provide me with the right resources for the info I am trying to get, that would be awesome.

TL;DR: Slow internet (can't game and barely stream videos; sometimes I can't even do that).

Interested in figuring out how I can get faster internet, whether that be starting my own internet service or something else; just looking for more info on something like this.



textfsm not working in expected way. Help me resolve it

I have CLI data:

interface gpon 0/0

MA5608T(config-if-gpon-0/0)#display ont info summary
{ portid<U><0,7> }:3

Command:
display ont info summary 3
Command is being executed. Please wait
------------------------------------------------------------------------------
In port 0/0/3, the total of ONTs are: 2, online: 2
------------------------------------------------------------------------------
ONT Run Last Last Last
ID State UpTime DownTime DownCause
------------------------------------------------------------------------------
2 online 2020-09-04 15:00:24 2020-09-04 14:59:15 dying-gasp
3 online 2020-09-17 16:46:07 2020-09-17 16:45:16 dying-gasp
------------------------------------------------------------------------------
ONT SN Type Distance Rx/Tx power Description
ID (m) (dBm)
------------------------------------------------------------------------------
2 SNAABBCCDDFF123B HG8546M 4239 -22.07/2.16 Fname_Sname_zone_Sec
3 SNAABBCCDDFF456B EG8141A5 3963 -12.47/2.26 Fname_Sector_5
------------------------------------------------------------------------------

MA5608T(config-if-gpon-0/0)#

textfsm template is:

Value ONT (\d+)
Value RUN (\w+)
Value UPTIME (\d{4}\S\d{2}\S\d{2}\s\d{2}\S\d{2}\S\d{2})
#Value UPTIME (\d{4})-(\d{2})-(\d{2})\s+(\d{2}):(\d{2}):(\d{2})
Value DOWNTIME (\d{4}\S\d{2}\S\d{2}\s\d{2}\S\d{2}\S\d{2})
Value CAUSE (\S+)
Value SN (\w+)
Value Distance (\d+)
Value Description (\w+)

Start
  ^\s\s+${ONT}\s\s\s\s+${RUN}\s\s+${UPTIME}\s+${DOWNTIME}\s+${CAUSE} -> Part

Part
  ^\s\s\d+\s\s\s+${SN}\s+\w+\s\s\s\s\s\s\s\s\s\s+${Distance}\s\s+\S+\s\s+${Description} -> Record Start

Output I'm getting:

['ONT', 'RUN', 'UPTIME', 'DOWNTIME', 'CAUSE', 'SN', 'Distance', 'Description']

['2', 'online', '2020-09-04 15:00:24', '2020-09-04 14:59:15', 'dying-gasp', 'SNAABBCCDDFF123B', '4239', 'Fname_Sname_zone_Sec']

Expected output is:

['ONT', 'RUN', 'UPTIME', 'DOWNTIME', 'CAUSE', 'SN', 'Distance', 'Description']

['2', 'online', '2020-09-04 15:00:24', '2020-09-04 14:59:15', 'dying-gasp', 'SNAABBCCDDFF123B', '4239', 'Fname_Sname_zone_Sec']

['3', 'online', '2020-09-17 16:46:07', '2020-09-17 16:45:16', 'dying-gasp', 'SNAABBCCDDFF456B', '3963', 'Fname_Sector_5']
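The template above yields one record because textfsm makes a single top-to-bottom pass over the output: after the Start rule matches ONT 2's run-state row and hands off to Part, ONT 3's run-state row arrives while Part is still waiting for a serial-number row, matches nothing and is discarded; by the time ONT 3's serial-number row appears the FSM is back in Start, which does not match that row either. Pairing the two tables therefore needs each table parsed on its own and the rows joined on ONT ID. The parser below is an added example written for this page, not the poster's code or anything from textfsm; it uses only the standard library, tracks which table it is in by the header line, and uses the CLI output quoted in the post as its constructed sample input.

```python
import re

# Sample input: the "display ont info summary 3" output quoted in the post,
# with the whitespace the forum collapsed (constructed sample for this example).
CLI_OUTPUT = """\
MA5608T(config-if-gpon-0/0)#display ont info summary
{ portid<U><0,7> }:3

Command:
display ont info summary 3
Command is being executed. Please wait
------------------------------------------------------------------------------
In port 0/0/3, the total of ONTs are: 2, online: 2
------------------------------------------------------------------------------
ONT Run Last Last Last
ID State UpTime DownTime DownCause
------------------------------------------------------------------------------
2 online 2020-09-04 15:00:24 2020-09-04 14:59:15 dying-gasp
3 online 2020-09-17 16:46:07 2020-09-17 16:45:16 dying-gasp
------------------------------------------------------------------------------
ONT SN Type Distance Rx/Tx power Description
ID (m) (dBm)
------------------------------------------------------------------------------
2 SNAABBCCDDFF123B HG8546M 4239 -22.07/2.16 Fname_Sname_zone_Sec
3 SNAABBCCDDFF456B EG8141A5 3963 -12.47/2.26 Fname_Sector_5
------------------------------------------------------------------------------

MA5608T(config-if-gpon-0/0)#
"""

HEADER = ["ONT", "RUN", "UPTIME", "DOWNTIME", "CAUSE", "SN", "Distance", "Description"]

# Timestamp as the OLT prints it; \s+ tolerates one or more spaces between date and time.
TS = r"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}"
# Row of the first table: ONT ID, run state, last up time, last down time, down cause.
RUN_ROW = re.compile(rf"^\s*(\d+)\s+(\w+)\s+({TS})\s+({TS})\s+(\S+)\s*$")
# Row of the second table: ONT ID, SN, type, distance, Rx/Tx power, description.
SN_ROW = re.compile(r"^\s*(\d+)\s+(\w+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_ont_summary(text):
    """Parse both tables of the command output and join them on ONT ID.

    Returns the header row followed by one row per ONT, in the order the
    first table lists them, matching the layout the post expects.
    """
    run_rows, sn_rows = {}, {}
    section = None
    for line in text.splitlines():
        if line.startswith("ONT"):
            # Table header: it decides which row regex applies to the lines below it.
            section = "run" if "Run" in line else "sn"
            continue
        if section == "run" and (m := RUN_ROW.match(line)):
            ont, run, up, down, cause = m.groups()
            run_rows[ont] = [ont, run, up, down, cause]
        elif section == "sn" and (m := SN_ROW.match(line)):
            ont, sn, _ont_type, distance, _power, desc = m.groups()
            sn_rows[ont] = [sn, distance, desc]
    rows = []
    for ont, run_fields in run_rows.items():
        # An ONT present in only one table is kept with blank fields rather than dropped.
        rows.append(run_fields + sn_rows.get(ont, ["", "", ""]))
    return [HEADER] + rows


if __name__ == "__main__":
    for row in parse_ont_summary(CLI_OUTPUT):
        print(row)
```

Dashed separators, the "ID (m) (dBm)" sub-header and the prompt lines match neither row pattern and are skipped, so the parser does not depend on exact column spacing the way the `\s\s\s\s+` runs in the template do.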



What would be a good hands on workshop to teach college students about networks?

I'm leading a student club centered around teaching students applicable, hands on skills used in the tech world that can help them find their calling/career path so to speak. Coming up next is our networks workshop. So I'm looking for something to dip everyone's toes in to get an idea of it. Many students have already taken their fundamental networking class, but there are the few that haven't.

I'm trying to find something that everyone can enjoy and get something out of. Something that says "this is what networking is, this is a hands on practice of what you'd be doing in a networking job". Off the top of my head, I'm thinking of a Wireshark lab, but I wanted to see if anyone else had any good ideas?

Edit: this would all be done over Teams since we're not allowed to meet. I'd do the hosting, which is on the uni network, and I can't set up servers or anything. Some students are on campus and some are remote. But the entire lab would be remote and online.



Access control in traditional hierarchical design

Hello

I've been lurking here for a while, learning tons of stuff - thanks to all the experts staying active :)

I have been pondering this challenge for a while, and I can't seem to find the right approach (at least I'm not sure).

I'm in the process of changing this network from flat to segmented. We're using the traditional hierarchical network design: Core -> Distribution -> Access layers, but I'm unsure how to control access between segments and servers.

We use the second octet in 10.0.0.0/8 space for host functions and the third for buildings, i.e. 10.2.1.0/24 would be users in building 1, 10.3.5.0/24 would be printers in building 5.

For now, I've been applying ACLs for each segment, denying access to other segments that shouldn't communicate.

ACL example:

ip access-list extended ACL_USERS_1_IN
 remark deny to other user segments
 deny ip any 10.2.0.0 0.0.255.255
 remark deny to printer segments
 deny ip any 10.3.0.0 0.0.255.255
 remark allow all others
 permit ip any any

I'm thinking about actually maintaining these ACLs in the future - it's gonna be a nightmare, especially since there are some exceptions to the rules, so I would think I have to create a unique ACL for each segment, unless I put all exceptions into the same ACL and be accurate about specific sources/destinations - this would create a very long ACL (probably ~1000-1500 entries) for all segments though - would that hurt performance noticeably?

Is this the right approach? How are you guys doing this? (Links to resources are appreciated!)

I've done a couple of Python scripts in the past, so I could write a script for maintaining these ACLs. I would just like to know if I'm doing it right before I go all the way :)

Any inputs on controlling access to servers? I've been thinking whether or not to have a firewall as distribution device in the server block (hierarchical model)?

I apologize if my question is low level :)

PS. We're an all-Cisco shop.
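The post's addressing scheme (10.function.building.0/24) is regular enough that the per-segment ACLs can be generated from data rather than hand-edited, which is the script the poster is considering. The block below is an added example written for this page, not the poster's script: it builds the ordered entries for one segment from the scheme, places specific exceptions ahead of the blanket denies so they win under first-match processing, renders the result in the IOS extended-ACL syntax quoted in the post, and includes a first-match evaluator so each exception can be tested offline before anything is pushed to a switch. The function-code table and the "users in building 1 may reach printers in building 1" exception are constructed for the demonstration.

```python
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Addressing scheme from the post: 10.<function>.<building>.0/24.
# The function codes and names here are constructed for the example.
FUNCTIONS = {2: "USERS", 3: "PRINTERS"}


def segment(function, building):
    """The /24 for one host function in one building."""
    return ipaddress.IPv4Network(f"10.{function}.{building}.0/24")


def function_block(function):
    """The /16 that covers one host function across every building."""
    return ipaddress.IPv4Network(f"10.{function}.0.0/16")


def build_acl(function, building, exceptions=()):
    """Return ordered (action, src, dst, remark) entries for one segment's inbound ACL.

    Exceptions are emitted first so they win under first-match evaluation,
    then the blanket denies to each function block, then the permit-any
    from the post.
    """
    src = segment(function, building)
    entries = [("permit", src, ipaddress.IPv4Network(dst), "exception")
               for dst in exceptions]
    for code, name in FUNCTIONS.items():
        entries.append(("deny", ANY, function_block(code),
                        f"deny to {name.lower()} segments"))
    entries.append(("permit", ANY, ANY, "allow all others"))
    return entries


def ios_address(net):
    """Render a network as IOS extended ACLs expect: any, host, or address + wildcard."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"  # hostmask is the inverted netmask


def render_ios(function, building, entries):
    """Render the entries as an IOS named extended ACL, one remark per entry."""
    name = f"ACL_{FUNCTIONS[function]}_{building}_IN"
    lines = [f"ip access-list extended {name}"]
    for action, src, dst, remark in entries:
        lines.append(f" remark {remark}")
        lines.append(f" {action} ip {ios_address(src)} {ios_address(dst)}")
    return "\n".join(lines)


def evaluate(entries, src_ip, dst_ip):
    """First-match evaluation of a flow; IOS denies anything no entry matches."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst, _ in entries:
        if s in src and d in dst:
            return action
    return "deny"


if __name__ == "__main__":
    # Users in building 1 may reach printers in building 1 only (constructed exception).
    acl = build_acl(2, 1, exceptions=["10.3.1.0/24"])
    print(render_ios(2, 1, acl))
    for dst in ("10.3.1.20", "10.3.5.20", "10.2.2.5", "8.8.8.8"):
        print(f"10.2.1.10 -> {dst}: {evaluate(acl, '10.2.1.10', dst)}")
```

Keeping the policy as data (segment scheme plus a list of exceptions per segment) and regenerating every ACL from it means an exception is added in one place and the evaluator can be run against a table of expected flows as a regression check whenever the data changes.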



Having issues with download/upload

I've recently upgraded my subscription from 50 Mbit download to 250 and upload from 5 Mbit to 25. While checking any speed test, I noticed that upload changed from 5 to 25, but download speed is still at 50-60, not going higher than that.

Any help is appreciated



Static route not redistributing into BGP

Hello everyone,

Topology and config:

https://i.imgur.com/XTlMEKk.png

My perimeter firewall has a BGP neighborship with Singtel-ISP. Also, per-fw is connected to internal routers (CORE-R1 & CORE-R2) and per-fw is configured with two default routes with different AD values (the default route to CORE-R2 having the highest AD value) and tracking is enabled, so when it loses reachability with CORE-R1, the default route towards CORE-R2 will be in the routing table.

Now I am not able to redistribute this default route to SINGTEL ISP, though the redistribute static command is configured under the bgp routing process.

I tried below config as well on per-fw.

prefix-list DEFAULT_ROUTE seq 5 permit 0.0.0.0/0
route-map DEFAULT_ONLY permit 10
 match ip address prefix-list DEFAULT_ROUTE
router bgp 100
 redistribute static route-map DEFAULT_ONLY
 default-information originate
exit

No luck.

Any suggestion would be helpful. Thank you



Why do we see 2 different IP addresses when we type ifconfig in Linux and search for our IP address online?

Well, I am a newbie in networking, and I couldn't figure out why we see two different IP addresses: one when we run ifconfig in the terminal, and another when we look for our IP address online. It would be great if you could help!



Fiber speed upgrade

This might sound like a dumb question but I can't find an answer on Google so I'll just ask here.

My ISP is Vodafone (Spain) and they offered me 600 Mbps fiber and unlimited data and calls on my phones. I currently have 50 Mbps fiber.

I was wondering if I would need to change the fiber installation/router in some way or if I get that offer, it will automatically change the speed of my internet without having to do anything.

My router is ISP provided Sercom H500s which is compatible with gigabit speeds so that shouldn't be a problem, right?

Sorry if this isn't the place to ask and thanks if you reply



Should I be traffic shaping the interface that is plugged into PE equipment to match the CIR?

Hi,

Title says it all.

Will I get better performance out of a circuit if I hard code the bandwidth to match the CIR we are paying for?

I.e., shape bandwidth to 50 Mb on a 50 Mb pipe?



Minimum cat6 length

In the past the minimum length was determined by talk back, and wave normalization (so I've heard). But I want your opinion on the shortest length without negative impact. I run my patches as short as 6 inches without interruption or degradation.



The future of data network engineering

We all keep hearing about and participating in automation discussions/designs and implementations, and I'm trying to get a grasp of where we might be in 5 years in the enterprise. Automation is becoming easier and more modular every single day, and the biggest front runners continue to show up more on job postings. My thought is that in five years we will have architects and automation engineers and that is it. The hardware installation is already extremely generic, and a high schooler can configure a router and switch by powering it on and connecting the mgmt interface for automated remote config via a cellular connected Opengear.

How do we position ourselves to be relevant in 5 to 10 years? I'd consider myself a route/switch/datacenter specialist and I'm just now starting to focus on automation tools like Ansible and Python. Is it a lost cause? Should I be looking for a new job 100% focused on automation even if I have to take a pay cut to do it? I'm worried those who are not automation experts won't make it unless you are an architect in your enterprise with the ability to focus on driving automation system development without low-level automation skills.

Other than python/ansible/git, what cloud systems should I be focusing in on?

https://gomindsight.com/insights/blog/what-automation-means-for-the-future-of-network-engineering/

https://www.bostonhelpdesk.com/is-the-simplification-of-networking-going-to-make-network-engineering-obsolete/

https://thinqtanklearning.com/blog/the-future-of-network-engineers/



Open source syslog server

Hi. I want to build a home open source SIEM, with a central syslog server. Any suggestion? Graylog? Syslog-ng? Elasticsearch? Kibana? Suricata? What's the logical sequence? Thanks!



Friday, September 18, 2020

Cheaper alternative to fluke network probe and tone

I have a pretty cheap probe and tone device which I actually like, but I know I can't use it when the cables could possibly be plugged into a PoE switch as it may damage it. I've been looking for a digital probe and tone device like some of the Fluke network equipment, but it seems pretty pricey, and I'm wondering if there is a cheaper alternative?



Is there something wrong with the Ethernet cable (Cat 6) and with the Ethernet connector?

It's a DIY Ethernet cable, is it okay? What are the proper parts for making an Ethernet cable?

My internet speed slows down when I plug in my Ethernet cable on my computer. What's the problem?

https://ibb.co/1QgGWrn https://ibb.co/Q62fdWg https://ibb.co/w7PjVYz https://ibb.co/X449M07



Does power line adapter work?

I am going to switch to a powerline adapter from WiFi because of occasional packet loss and ping spikes. Will a Cat 8 cable and a powerline adapter from TP-Link remove packet loss?



Advice - Where to Start?

I just got my CCNA last year and will be graduating with my Bachelor’s Degree in IT with a concentration in Networking Systems. I also have my Associate’s Degree in Computer Networking Systems.

What would be a good place to start, to either move my way up into a Networking job or start right off in the field?

I also have general IT experience from a co-op working at an MSP.



Looking for an all-in-one outdoor networked GPS receiver for NTP purposes

I'm looking for a networked GPS receiver with the following features:

  • Designed to be mounted outdoors on a pole/tower
  • Serves as Stratum 1 time source
  • Powered via PoE (I can give this one up, but it would be ideal)

Does such a device exist?

I know that Ubiquiti and MikroTik both make outdoor devices with GPS receivers, but it doesn't seem like you can use them as Stratum 1 time sources. (Ubiquiti just doesn't expose this functionality that I can find, and MikroTik says "maybe in RouterOS 7" which is not something I can deal with)

All suggestions appreciated.



Help understanding license enforcing (Ruggedcom, Sierra Wireless, Cradlepoint)

Hi,

I’m doing some research on multiple vendors before recommending a purchase. Does someone know how each of these vendors enforces their licenses for the HW and SW?

  1. Warnings of expiration (syslog, etc)
  2. Partial / limited access or limited config
  3. Limiting or throttling features in the hw
  4. Disable the hw

Thanks for your help...



Where do I start from building access lists from scratch?

I just got a new job as a network engineer. The company I'm working for had a non-networking guy set up everything.

Everything seems to be segmented with VLANs. They use SVIs depending on the subnet/network.

Anyway, I am trying to segment the network for security, as the firewall has a bunch of general ACLs with any any in the statement.

I want to use ACLs to better segment the traffic. What is the best approach for doing this? Should I use Packet Tracer? Install NetFlow and check where the traffic is going? All suggestions welcome.



Looking for a basic router to set up VPN L2TP to connect back to a Unifi system

I have a unifi system and I want to set up a VPN on a 2nd router (off site) and send the traffic from various IoT devices back to the main site.

I'd prefer to do this with a Unifi device, but I can't figure out how to set up a VLAN that would send all traffic back to the other site over VPN.

I assume Mikrotik has a lower priced unit that could do this but I'm not sure what would be best.

Thanks,

Bil



Outside wireless antenna interference

I work for a grocery store chain that also runs fuel stations at some of their stores. Most of these run a fiber connection to the store but there are a couple one off stores that connect via a wireless bridge/antenna.

One of these stores is in Montana where the smoke is pretty heavy due to the fires right now. The connection till now, while slow (with or without smoke), has been functional. On the night of 9/16 they did a network upgrade and replaced the basic Cisco bridge and Catalyst switch with a Meraki switch and similar bridge. The new bridge is an Aironet Antenna ANT2588 with an AP1562E outdoor AP. (I'm trying to find the model of the old one.)

The connection to the fuel station seemed OK for the first few hours and then dropped completely. Tons of packet loss, to the point that the Meraki switch in the fuel station showed no connection for a few hours. It then would bounce between connected and not connected. This started around 1pm MST and continued to around 10pm that night after the fuel station closed. Shortly after that, the connection seemed to stabilize and the register was able to finish booting up. I ran a ping test on the equipment overnight to monitor the speeds. They are around 200ms which, sadly, is the norm for this. I thought we were in the clear, but around 7am when the fuel station opened, ping times spiked to 900-1300ms with a fair amount of lost pings. The register functions but with massive delays in response.

Cisco believes the smoke in the air could be the issue due to all the particles in the air but it wasn't a problem on the old antenna. My boss is leaning towards it not being the smoke. I'm not sure on either right now. I find it odd that it stabilized once the fuel station closed (running the pumps on card transactions only) and then spiked again once it opened. Any thoughts on this either way?



What is the difference between sending data via a SOCKS proxy and SSH Tunneling?

What is the difference between sending data via a SOCKS proxy and SSH Tunneling



New Firewall won't take old IP Scheme

I am upgrading a Watchguard firewall for a customer and I can't get traffic through when I use their existing IP setup. The current DHCP scope is:

198.249.148.x

When I use this, I get no traffic to the network. If I use a standard 10.0.1.x traffic passes fine. I don't see any special setting in the old firewall that would cause this to work so I thought I could just copy over the settings from old to new. Is 198.249.148.x an invalid scheme? I am just confused because it works on the old firewall.



Fortigate Web SSL VPN - Bookmark times out after login screen

I just set up an SSL VPN and want to use Web Mode to provide remote access to a web-based service hosted on-site at one of our locations. I can reach the Fortinet SSL VPN login page, log in successfully, click on my bookmark, reach the login screen of our service, enter the credentials and click login - then the connection times out. This only happens when using the web mode - when connected to the same SSL VPN portal in FortiClient everything works perfectly.

Fortinet support seems stumped. I've talked to 3 different techs. Initially they wanted me to upgrade the firmware from 6.2.0 to 6.2.4, which I did and which did not resolve the issue. They've taken packet captures and could not locate the problem.

The last tech analyzed the HTTP header during the login process and saw a number of "NS_ERROR_NET_ON_WAITING_FOR" followed by "NS_ERROR_NET_ON_TRANSACTIONS_CLOSE" before the page timed out.

The tech mentioned there potentially being an issue with logon screens over the SSL Web VPN? Is there a workaround for that? I guess I'm just very frustrated with Fortinet support. Has anyone experienced an issue like this before?



ISP NID with Small Footprint

Just curious what other ISPs are using to hand off 1Gbps service to customers via direct fiber. So far we've looked into Accedian. Mainly just need remote management, VLAN support, copper hand-off, rate limiting.



Church assistance - HDMI over IP extenders

May not be the best place to ask, but looking for advice. I help out at my church for Tech support. Need to upgrade their S-Video from pc to projectors. So here is the setup I am thinking.

Network is already in place. Just looking for TX and RX equipment to be used over the network. PC in balcony > transmitter > Ubiquiti (managed switches) > Fiber > Main Ubiquiti switch > Fiber > 8 port Ubiquiti > Receiver > HDMI to Projectors.

So I am looking to get the PC signal to the projectors. Any help or assistance is appreciated. I’ve found Star Tech and gofanco but they say unmanaged switches. I am thinking if I just create a VLAN and put those on that.



CGN Deployment Advice

We're a small service provider that has been native dual stack since early 2014. However, we are now approaching IPv4 address exhaustion (a /19 and a /20 today).

Though we're contemplating purchasing an additional /22 - /20 to kick the can a little further down the road, in the long term, CGN seems unavoidable.

As a result I would be appreciative to hear from other service providers, universities, etc. that have already implemented CGN.

In particular what does it absolutely break, and can you provide any tips, tricks or configuration recommendations to make it less painful?

Presently I'm investigating configuring CGN directly on our CMTS (Cisco cBR-8 with SUP160s running IOS-XE). We would need to support about 10,000 subscribers, but as of this writing I am unsure if it's up to the task.

I haven't ruled out a dedicated CGN appliance if those have more horsepower or better features than letting our CMTS or an ASR do the job.

Once we ultimately deploy CGN we will still have native IPv6 and will offer a static IPv4 address to those that ABSOLUTELY need it.



SNMP not reaching my network monitoring. Anyone have any ideas?

I am just stuck here and looking for any suggestions. The configuration is right for the SNMP; I even tried v1 to see if my NMS would discover the device.

How can I check if the SNMP packets are making it to my NMS? My firewall is open so it's not blocked. It's going from Cisco switches to a VM hosting OpManager.



Is EVE-NG Community Edition only free for Personal use?

I went through the user agreement briefly on their site but I do not get a clear understanding on the Community Edition?

If anyone knows, the EVE-NG Community Edition is only free for personal/home use?



Dialing out to POTS device?

Hi,

We have to dial out to devices in the field that are only accessible via POTS. We currently do this with a real modem connected to a real server via a USB com port cable. The server is on its last leg and everything else we have are VMs.

I’d like to replace that setup with a device that plugs into a real phone line and presents itself as a network resource that can be used by software running on a VM. I’m not sure what you call such a device, modem over IP/Ethernet?

Does anyone know of such a device? How are large organizations doing dial out to field devices via POTS? I know there aren’t a ton of people doing this anymore, but there must be some.

Thanks!



Proxy configuration on router

Hello,

Some of my users have to access certain sites that are IP blocked in the country they are working from, and they also need to access those sites as if they were accessing them from different countries (sometimes as if they were accessing them from Germany, or Japan, or Finland, etc.).

Right now we are using a browser VPN (Tunnel Bear) to accomplish that but I'd like to switch to a configuration transparent to the user with proxies.

Would it be possible to configure a FortiGate Firewall (acting also as a router) so if destination is (for instance) specifically www.webpage32.com it sends the request to a specific proxy of our choosing?

Would it also be possible to make it so if the target site is fr.webpage32.com then the FW would send that request to a proxy server in France and if it is de.webpage32.com to a proxy server in Germany? Could fr. and de. be aliases configured in the Firewall for my purposes so it would know where to route that traffic? Could that be doable?

Thank you.



Connecting non-Cisco devices to TACACS on ISE Appliance

Hello everyone,

I'm trying to figure out how to connect non-Cisco devices to our ISE appliance for TACACS+ authentication and authorization. I believe I need to pass user attributes via a shell profile but I can't figure it out.

For specifics: I'm trying to connect a Raritan console server to TACACS+, I see my account passing authentication and authorization in the logs but I can't log in. If I remove the shell profile, I CAN login, but without access to anything. I'm trying to pass an attribute to say I'm part of the Admin group, but nothing I try seems to work.

Anyone have experience with this that could point me in the right direction?

Thanks in advance



Ont(coax) splits to a Verizon router and a switch(B). Verizon router has an Orbi plugged into it. Devices on both Orbi won’t see devices on switch(B)

This should be simple but I’m losing my mind.

Does Verizon router (g1100) need to be in bridge mode? Seems it is?

qq



Help me understand inter VLAN routing

Hello,

We are now in the process of segmenting our network into different VLANs as the first part of our Network Access Control journey. Today there are no restrictions and everything can be accessed as long as you're inside the LAN.

I work as an infosec advisor and rarely touch the network. We have contractors who will help us set this up, but we still need to give the directions. And I really want to understand this as well. It keeps itching in the back of my head.

So lets assume that these are the VLANs we're setting up.

  • VLAN 1 Servers
  • VLAN 2 Wireless
  • VLAN 3 Users
  • VLAN 4 Others/guest

We were going to use a firewall to segment our traffic based on ports, but had to opt out since the FW can't handle redundancy. We will use a layer 3 device (router) which will route between VLANs based on IP address, and give access to print servers etc. It's less safe than port-based routing, but we can't afford to upgrade the FW. I will start closing ports we're not using.

So to my questions:

  1. Is it possible to only allow VLAN 1 to initiate connections to other VLANs, while the other VLANs can't initiate connections, except to the allowed IPs? I use OpenVAS and would like it to still be able to scan the entire network for vulnerabilities.

  2. We will set up a jump host so IT admins can RDP/SSH to all servers safely. We will place the jump host in the DMZ. It will not face the internet, only internal. Would it be better to place it inside VLAN 1 instead? What are the benefits of placing it in the DMZ?

  3. Setting up a new service on VLAN 1, will require setting up a rule in the router that allows traffic to or from other VLANs, correct?

  4. VPN. All users who access our network through VPN are placed on a different VLAN. Is it possible to place all VPN connections inside VLAN 2? So kind of a bridge.

Thank you for the help.



Need Help : Cluster of local network with wireless internet

Devices :

  • Modem
  • Router for modem/internet
  • Router

I want to create my own network where routers connect each other with wire or wireless (required both) and share the resources on their LAN ports, or even the wirelessly connected resources.

I have an ISP issued router that connects to the modem and is the only one with local and public IP addresses. It has 4 LAN ports, all filled with local resources that have internet access.

My two personal routers connect with this router. One with wire, another in WAP mode. All of their LAN ports are occupied with devices like desktops or Raspberry Pis.

Now I want all of my resources available to any client that is connected to any of those 3 routers, either with wire or wireless. Here is where I failed badly, and sadly.

My approach is to disable the DHCP on client/local routers, and make them static router, with same IP range of the public/internet router. Since I need wireless and LAN capability on all of the routers, I can not make the LAN and WAN share the same IP Range. It has to be different - 192.168.0.XX, or 192.168.1.XX, so it is the beginning of problem.

Please help me.

Sample Network Structure:

https://i.redd.it/z41lcw3b1vn51.jpg



Thursday, September 17, 2020

2Gb traffic flow cap on single source-destination transfers on 10Gb line?

All,

I have never heard of such a limitation. Has anyone heard of this line below? It's a bit concerning to me since Cogent is offering a bunch of savings to us. Why I am skeptical is because I see single flows on my current Crown Castle line exceed 2Gbps. Any information is helpful here. Doing some more research.

"Cogent always provides the full CDR that our clients purchase, so if you have a VPLS or any other L2 port with us on a 10GE port, you would have the full 10Gb of throughput available across that line. We, like all Type-2 providers, do have a 2Gb traffic flow cap on single source-destination transfers, which is there to prevent hashing errors in the unlikely event of a fiber cut. This is due to the inherent way the chips in the network cards are built and not a limitation of Cogent specifically; we are just more cautious about it than other ISPs to ensure a quality connection to our clients.

Basically, this just means you can use a total of 10Gb across that circuit like 1Gb here plus 100Mb there (aggregated traffic), and they all add up to 10Gb. It is just the single TCP/IP session flows that exceed 2Gbps which possibly can be an issue. However, plenty of our customers do that all the time provided we have proper planning and capacity. With that in mind, if you do need flows larger than 2Gbps: how large are they and what frequency would you need them available?"



Hpe 1920 lacp trunking fun

Hey /r/networking

So I've been having a bit of fun with an HPE 1920 (not 1920s). When initially connecting the switch to the network it connects no problem and I can access the switch interface, but as soon as I introduce an LACP port group between it and my Aruba 5406R (2-port LACP group) everything stops. My router no longer sees the switch. Any thoughts or ideas? I can post my config if anyone can tell me what I'm doing wrong. (Note: the LACP trunk works from the Aruba to my server with no issues, but as soon as the switch goes in, connectivity screeches to a halt. Also, I can get my other VLANs to trunk with no issues but can no longer access the interface or connect to the switch at all.)



Zenbook doesn't detect any Wifi networks

Today my mother brought me her laptop, showing that it could not see any of the home or neighboring WiFi connections. I checked the device manager and saw that the network adapters had the Bluetooth Device (PEA) along with the WAN Miniport drivers. I have a feeling that she is probably missing a driver, as the troubleshooter did not detect any problems.

It is a Zenbook UX305F



Help with ACL

Hey guys,

I have an old FTOS 8.3 Dell switch. I need to isolate a workstation on that switch.

So the network is 192.168.255.0/24. The workstation is 192.168.255.35. The storage is 192.168.255.34. The firewall/router is 192.168.255.1.

There is a bunch of other stuff on the network. I want to block the workstation from everything except the storage and internet.

I can create a rule on the firewall to block the workstation from access to other systems but that’s only layer 3.

I guess an ACL is also layer 3 but works on the switch so it should prevent the workstation from seeing out, except to the storage and the router.

Would I use a standard ACL for this or an extended ACL?

Say for example the workstation is on gigabit Ethernet port 34. What would the command look like and would I apply it inbound or outbound?



Armored solid core STP cat6a vs armored simplex SMF for a church live stream setup

I am helping out a local church with their streaming setup. We want to run a 90m cable for the sake of reliability to replace the current WiFi AP being used. I had to drop the WiFi modulations down to 802.11g levels to stop packet loss on WiFi, although we don’t consider WiFi to be a good long term solution.

Initially, I wanted the cable run to use armored solid core STP cat6a terminated to keystone jacks with stranded twisted pair patch cables connecting the ends to equipment through the keystone jack, but I cannot find a cable that meets this description (although fs.com has a non-armored bulk cable that matches the other requirements). I wanted it to be armored for rodent resistance just in case because it is an old building. I wanted it to be solid core, shielded and cat6a to ensure signal integrity. I wanted the keystone jacks to ensure that there is minimal movement to prevent failures from metal fatigue.

After thinking about it, even if I could find a suitable cable, a high quality copper twisted pair cable is pricey and the budget is limited. I decided to suggest to the rest of the team that we run an armored simplex SMF, which is much cheaper. It is also the cheapest possible fiber configuration that I could find at fs.com:

It adds up to about $120. The others involved with the project are skeptical about the reliability of active components between the two endpoints, but I countered by saying that it is both immune to electrical interference and likely easier on the budget than a good copper cable.

I was under the impression that fiber optics are more reliable than copper over distances that are long for copper. What do others have to say about this?

Also, I did not want the signals being too strong, so I picked the lowest distance transceivers that I could find. Is there any risk of the cable needing optical attenuation given how short it is?

Lastly, I actually need a switch at the end where the streaming equipment is (which is a tough sell because of other team members' skepticism of active components), but the budget is limited. Would it be terrible if I used this MikroTik device? And given the limited budget, are there any cheaper options with good reliability?

https://www.amazon.com/MikroTik-Gigabit-Ethernet-Router-RB760iGS/dp/B07F7HDRKX



Methods to redirect a specific URL?

If someone wanted www.domain1.com/* redirected to www.domain2.com, with the web files hosted on one web host provider, but wanted a single directory such as www.domain1.com/virtualdirectory1 not to be redirected to domain2.com and instead resolved to a completely different web host while keeping the www.domain1.com URL, what are the most common methods available to accomplish this?

Can this be done with firewall rules or is there a better way to do this?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



SSL VPN: keep accessing internet while tunnel established

Issue: once the mobile VPN client (Cyberoam SSL client for me now, but I had the same issue with other VPN clients previously) is connected, internet access is lost. I share with you the fix that worked for me, on the computer:

  1. Modify the interface metrics to prioritize the WiFi interface over the RJ45 interface.
  2. Remove 2 routes on my computer, using PowerShell:

    remove-netroute -destinationprefix 128.0.0.0/1,0.0.0.0/1 -confirm:$false

As I have to run this command each time I connect the VPN client, I would be glad if you share any better way you use to keep simultaneous access to internet and ssl tunnel automatically once you connect your vpn client. Maybe something to add on the ssl configuration file.

I also wonder if this introduces any security issues?



ISE MAC Address Lookup Might Fail with Android 10 and Apple iOS 14

Well we knew this day would come! This field notice is out if anyone wants to have a read. I did a quick search and couldn’t find this posted already.

Field Notice: FN - 70610 - Cisco Identity Services Engine MAC Address Lookup Might Fail with Android 10 and Apple iOS 14 Devices Due to the Use of MAC Randomization on the Mobile Client Devices - Workaround Provided

https://www.cisco.com/c/en/us/support/docs/field-notices/706/fn70610.html



Enterprise networking becoming Vendor Proprietary?

As you all know companies like Cisco are pushing a lot of "SDN" solutions. The WAN is SD-WAN, the Campus is ACI/NSX, and the campus is SD-Access (at least they are trying to). I can see that eventually most if not all of the networking we do will be based on a vendor's solution, which to me makes it harder to make career shifts if you somehow get stuck supporting a solution that isn't the market's favorite.

It's made me lose a lot of interest in the enterprise and has made me move towards SP where a lot of the standard technologies are still in use (MPLS, EVPN, BGP). Is anyone else sharing the same sentiment?



Add a "super" password for Comware switches on Oxidized

Hello, I hope you're all doing great!

I'm using Oxidized + LibreNMS to monitor / backup all my switches.

Everything works fine on "regular" Comware switches but I have a few where I have to use the "super" command to have access to all the commands.

The issue is that Oxidized backs up those switches successfully but the config looks like this:

# HP Comware Platform Software
# Comware Software, Version 5.20.99, Release 2221P07
# Copyright (c) 2010-2014 Hewlett-Packard Development Company, L.P.
#
# HP A5120-24G-PoE+ EI Switch with 2 Interface Slots with 1 Processor
# 128M bytes SDRAM
# 16384K bytes Flash Memory
#
# Hardware Version is REV.B
# CPLD Version is 007
# Bootrom Version is 621
# [SubSlot 0] 24GE+4SFP+POE Plus Hardware Version is REV.B
#
# ^
# % Unrecognized command found at '^' position.
# ^
# % Unrecognized command found at '^' position.
^
% Unrecognized command found at '^' position.

I haven't found anything related to the "super" command in the comware.rb file. Is there a var that I can use to specify the super password ?

Thanks a lot for taking the time to read.

Have a nice day :)



Question about Switches

Okay so I have to upgrade my switch because it only supports 100 Mbps. I am looking to buy a switch that supports at least 250 per port. So my question is as follows: a switch that is described as having five ports supporting 10/100/1000, does that mean that all of the ports support 1000 or is it only one of them doing that? An example of a switch is the TP-Link TL-SG105.



Data center networks

Hope everyone is doing well!

I've been in IT support in networking for the last year. Can anyone tell me, if the server team needs to host a new VM server in the DC, what do they actually request from the network end? I've no idea about data center networking.

Thanks.



Spotty connection to my web host, but they say it's not them. Help?

I'm having the weirdest issue with my web host and I was wondering if anyone knows of a way I can test the connection to figure out the problem, because their Level 2 techs are unable to.

So at work, we have a website that is hosted on a web host. The ISP I'm using at work, is the same one at another location. At that location, it works flawlessly... never had an issue ever. At work for the last three months I would lose connection, and then it would magically start working again 5 minutes later. This all stopped two days ago, where now it only works for a few seconds and then stops. This does not happen at the second location (again, same ISP). We do have a firewall, but it's not blocking anything at all. If I switch our public IP address, the website starts working again magically for a few minutes... and then it stops again - sometimes for hours at a time. Switch IP? Works again for a few minutes. We have a FortiGate firewall.

My web host claims the problem is NOT on their end, and that they've whitelisted my IP. They don't know about my secondary IP address which I test with, but it has the same exact result.

My question is, how in the world can I figure out what's going on here? I've even asked them to migrate my site to another server which solved the problem for about 90 minutes, then it went back to its old self again. Are there tools that I can use to connect to a webserver and test connectivity? They have cPanel - is there something from within there that I can use to test? I want to make sure it is on their end, which I suspect it is.... but I don't know anymore.

To clarify, everything except for ICMP fails when I'm "blocked". FTP, Web, Email, you name it... I can't access it... but pinging works just fine.

Thanks!



Android phones obfuscating MAC address for DHCP

Spent a few hours trying to troubleshoot client identification in Meraki reporting. We were puzzled by a number of devices showing up that didn't match our phone deployment list (using MAC addresses).

Well, lo and behold, while looking at the DHCP table, none of our Android phones are actually reporting their physical MAC address, but rather a MAC address that doesn't even match a hardware vendor!

A bit of searching confirmed it:

https://utcc.utoronto.ca/~cks/space/blog/tech/Android9MACRandomization

So, a question for everyone: I'm pretty used to using MAC addresses during troubleshooting processes. What are we supposed to do now for either identification, adding reservations or tracking down problems? I understand the security thing, but this seems a bit extreme to me!



Does anyone use LISP (Location Id Separation Protocol)?

In the CCNP ENCOR, Cisco tries to sell us LISP. However I am struggling to find any decent use cases.

I have seen a YouTube video of someone migrating a datacenter from one physical place to another, who used LISP instead of an L2 overlay technology, with one of the reasons being to avoid spanning-tree calculations.

However, I struggle to find a good reason as to why someone would go to this trouble.

I mean, I know that there are 10 year old technologies for roaming in wireless networks and that seems to work with a click of a button, but does anyone really need to roam around with static wired IP addresses among campuses? Or am I missing the big picture here?



How does an ISP update HTTP requests between browser and server?

Have a few years of application development experience without a CS background, but have studied CompTIA and understand HTTP requests well enough.

Just observed that my ISP is embedding its own name in requests and responses to an HTTPS website and haven't found a good resource online which can explain that.



Aruba TAC refused to RMA AP-125 with brittle plastic casing

So we just submitted an RMA for a broken AP-125 that won't boot. Unlike the newer APs, the AP-125 has a plastic casing including the mounting. But since the unit was up for almost 10 years, the plastic became brittle and when we tried to remove it from the mount, the mounting mechanism on the unit broke. It's not the first time this has happened to us and we always got the replacement unit.

However, they refused to service our unit this time and kept saying that it's physical damage. But come on, the brittle plastic has nothing to do with the unit not booting up and it's clear that the unit hasn't been dropped or anything. Already escalated the case, but they still refused to service it. What should I do in this case?



Isolate servers into groups

Hello All,

Need to pick your brains on how things are done these days...

How do you segment/isolate servers into groups? The reason is, should one server become infected by malware etc., not to pass this down the chain.

We have 90 VM servers on 5 ESXi hosts; all have the same VLANs (15 in all). None have the Microsoft FW enabled; it became unmanageable so they dropped it. Looked into NSX; the company could not afford it. From a Cisco (100% used here) or another vendor point of view, what can be done?

Is it still ACLs between hosts (ACL between hosts on the same VLAN possible?) still the norm?

If ACLs, I would find it difficult to identify the traffic required (no visibility of internal traffic) and would likely block good traffic.

Open to other technologies or ways of doing things.

- ACL??

- Divide servers into groups based on what??

- Drop in a firewall: can it be used on a host-to-host basis??

Please could you help? Any info appreciated.

Jas



High availability and fault tolerance in SDN

How can SDN provide high availability, especially with its centralised control plane? Also, what if that central control plane fails for some reason, does it mean all of the devices fail? If this is true, why are we still considering SDN as the future? Sorry if it's an obvious question, still a noob in networking.



Field WiFi deployment - over 1km

Not sure if this is the appropriate sub, but this seems to comply with the rules...

TL;DR: solution that enables an Android tablet to be in the same network as a Windows Laptop over a 1km radius.

We have a customer that works with multiple DJI Matrice drones to map terrain on a pre-programmed path. There is some app on an Android tablet that connects to a service on a workstation laptop to retrieve and send data and REQUIRES to be on the same local subnet (we have tried via Public IP - no go). The client needs to connect from this tablet about 500m-1km away to the endpoint hosting the service (laptop) to control/monitor the drones.

There seem to be 3 options:

  1. Find an AP that has 1km omni-directional range - does such a thing exist?
  2. Find a point to point WiFi solution - the issue is that the second side has to be portable and be able to connect to the Android tablet
  3. Deploy a portable mesh wifi network - dropping mesh APs in the field (quite literally)

The first solution would be ideal, but I doubt the low powered Android tablet WiFi will be able to connect to such an antenna... I don't really have a good understanding of RF though...

Welcome to any suggestions.



IPv6 DNS

Hello. I plan to implement dual stack by default for our customers some day soon.

Our IPv6 routing is basically ready (in fact we already have some IPv6 customers happily routing along).

Our DNS is not. And since my DNS guy is an IPv6 sceptic I doubt it will be soon.

Can't I just give Google's or Cloudflare's IPv6 DNS addresses?

In fact, I can neither confirm nor deny that we are already giving that to our less important customers with IPv4.



Disaggregated Networking, Whitebox Switch, NOS

Dear community,

We are considering deploying the Edgecore AS5916-54XKS, which has 800G capacity with external TCAM; the use case we are considering is BGP peering.

I have 2 questions:

1- Does anyone have experience with whitebox for BGP peering? Which NOS (Network Operating System) is recommended for scale and performance? (There are many options: Arrcus, IPInfusion, Volta, Exaware, ...)

2- Any idea what the estimated price for the NOS license is? As stated, the NOS will be licensed for an 800G whitebox.

Thanks!

Dan



Catalyst 9500 Traffic Shaping on SVI

Hi Everyone,

Looking to limit bandwidth on a per-SVI basis. This was possible on the 6500s, but doesn't appear to be on the 9500s. It states in the white paper that it's only able to do this on a physical interface, unless we want to do nested policy maps on sub-interfaces.

Has anyone had any experience with configuring the nested policy maps on sub-interfaces? Are you aware of any implications on the dataplane/CPU should you require many of them?

Thanks



Wednesday, September 16, 2020

What's a blogging site/sites similar to Tumblr and Reddit?

I need help expanding my brand, Instagram is good and all. But it gets boring after a while. I was hoping to blog, have fun, and at the same time make a name for my brand.

I know Tumblr was very active from 2011-2016, now it's irrelevant last time I heard from friends. Getting followers here on Reddit is tough too, but possible.

Any links to subreddits that can give me advice on this would be great.



Drew VM Network for Class, Need Critical Review

https://imgur.com/L1edml1

I'm still confused. I'm sure this diagram is wrong.

But are all VMs going through NAT to connect to each other and then to the Hyper-V host?

I'm obviously missing lots of connections, but the line from ELK to HyperV is because Kibana GUI shows in the HyperV VM itself.

Just need people to tell me how I can make this diagram make more sense.



What is the bandwidth of a signal?

I am studying data communication and I can't figure out what bandwidth is and why it is the difference of the highest frequency and the lowest.

I'll be grateful if someone could help me :)



Shared Laptop Wi-Fi alternative

Hello!

I built a PC about a year ago now, but it does not have built-in wifi. With my graphics card, I cannot fit a PCIe wifi adapter and I've had terrible luck with latency using USB dongles. What I've been doing is using my MacBook Pro Mid-2010 as a bridge (I think that's the right networking label). Here is the sequence of how I'm connected to the internet on my PC.

PC > Ethernet > MacBook (with shared Wi-Fi on) > Wi-Fi > Router > Ethernet > Modem

I recently upgraded my Mac's RAM and got an SSD for it and I want to replace the battery soon. To try and preserve the new battery, I don't want to keep it plugged in all the time like I do now. I was looking up alternative devices to do the same setup but just replacing the MacBook in the sequence. I looked up using a Raspberry Pi 4 to do it, but it looks costly and I am not super comfortable with programming yet.

Does anyone have a suggestion for a replacement device?

I'd also like to know if there is a way to have the same setup, but have it configured like the PC is directly connected to the router while passing through another device. I ran into issues with trying to set up a server on my PC but couldn't figure out how to pass through the MacBook's Wi-Fi card.

Thanks in advance. :)



Corporate enterprise network with no routers, switches, or firewalls?

I am working on a concept to pitch to my CTO for a modern corporate enterprise network without any routers, switches, or firewalls.

The basic framework involves all client-based agents on the endpoints. Every endpoint would have an SSL forward proxy client, like Zscaler, a segmentation client like Illumio, as well as a traffic monitoring agent like ThousandEyes. These would be on top of whatever basic host-based security agents you'd typically see, like your AVs.

The majority of the workforce would be remote, working from home, in what I’m starting to think of as a Bring Your Own Network (BYON) configuration.

All corporate enterprise resources would be hosted in the cloud. Either Public Cloud or direct Hosted. No on-premise servers or resources allowed (or else we would need things like switches, routers, or firewalls!)

Now this may sound like a framework that would only fit certain business models. But what about business models that require real estate (corporate offices, retail outlets, campuses, etc.)? The simple solution here is to employ a carrier-managed 5G solution. Ideally all corporate real estate would have viable 5G coverage, and all user endpoints would be 5G-capable devices with a SIM card ready to rock.

I’m still working out a few kinks. Printers are a big issue. Corporate enterprise networks tend to use printers. Printers tend to require things like switches (and routers!) for connectivity. A solution like 5G-ready, cloud-based IoT printers is a bit too fringe. I’ve no doubt something is out there that fits the bill, but would it be affordable and scalable? An ideal work-around would be an all-digital business culture (no printers/scanners/faxing—its all email or secure web portal repository.)

There are other obstacles like the typical IoT and SCADA equipment we have on our networks—IP Cameras, Door Controllers, HVAC Controllers, etc. Any number of these devices necessitates the need for on-prem network infrastructure.

Basically the framework works only for certain business models right now, but it achieves infinite scale, zero trust architecture, I mean you basically don’t have a NETWORK. This goes even further beyond the CTO dream of not having a Data Center.

What do you guys (and gals!) think? Please feel free to share your comments, critiques, and opinions. Feel free to tell me I’m crazy or why this would be a bad idea, or a good one.

Thanks!



QSFP BiDi vs QSFP SR4

Is there a specific reason that makes people still choose QSFP SR4 (MPO12 connector) over QSFP BiDi (LC connector) in their deployment?

I heard that BiDi can basically reuse the current LC-LC cabling infrastructure. Just need to replace switches from 10/25 to 40/100.



Free Streaming AWS Flow Log Monitor on GitHub

Made a Free Streaming AWS Flow Log Monitor. Check it out on GitHub.

LIVE DEMO

Monitor and analyze Amazon AWS Flow Logs from EC2 network interfaces, VPC subnets or entire VPCs on a dedicated AWS cloud server streaming network traffic statistics in real-time to your browser via DUPI Streaming AWS Flow Log Monitor (DUPI = Deep-Universal-Protocol-Inspection).

An AWS lambda function exports all relevant flow data to a dedicated cloud server to enable observation of aggregate protocol statistics across multiple virtual sites to view network traffic in your business as a 'whole' or at individual sites.

Analyze your network traffic in real-time for deep visibility into actual traffic patterns. Define detailed alerting rules per specific protocol field on various metrics such as request rates, bps, pps, lengths, counts and geo-location info.

Explore network traffic at your sites easily and interactively from the comfort of your browser. Quickly switch protocols, fields, intervals and apply specific filter conditions in the web application for instant streaming results.



Multiple nics server 2019 same gateway

So I am trying to figure out a way to use a secondary NIC on a trunked port on 192.168.6.x and have a teamed 4-port NIC that is also on 192.168.6.x, but can't figure out how to get them both working. If I set them to DHCP they both get an IP and work correctly, but when I set them to static only 1 works. It appears to be a gateway issue, but setting the default gateway on both causes neither to work, and when I only set 1 and try to set a route for the other, that option doesn't work either.

Switch is a Meraki ms250

Tried mac reservations and had similar issues.

Anyone have any thoughts?



IPAM For Networks Reusing Same IP Space?

I manage multiple networks, some that just happen to share the same IP space. The current workaround is to assign those sites to a VRF in netbox, so those IP blocks don't get associated with each other. In reality, all the sites are in the default VRF. Well we are taking on a few more sites to manage and as luck would have it, they have VRFs.

While I can continue to make this work, I'd like to look into possible solutions to limit any conflict and confusion down the road.

Looking for suggestions to solve this issue without having to stand up multiple netbox instances.



NSX-T/Unifi Home LAB HTTPS Internet

So I built a home lab for NSX-T. Everything is set up and works fine except HTTPS out of my NSX-T segments 172.16.10.0/24 and 172.16.20.0/24. From these subnets I can do the following.

Ping anything on the internet.

Ping anything on my local network behind the UniFi USG on 192.168.0.0/24

I use test-netconnection from a machine and it can query google.com on 80 and 443 but I can't curl google.com, it just hangs.

http://msn.com and http://bing.com work fine but are super slow.

I'm lost as to why these machines can't access HTTPS.

https://imgur.com/a/Ba5fJRn



Welcome to Maven. Get Paid For Your Expertise,

Maven makes you smarter. We're the experts on expertise. Use Maven to connect, consult, and profit from your expertise and from the smart people you know.



Need to discover network for network monitoring tool on VM

We have a network in the 192.168.20.X range that we are trying to discover on our OpManager. They are all Cisco devices.

Our NMS (opmanager) is on a VM in the 10.1.1.X network.

We tried to plug a switch from the 192.168.20.X network to our firewall. It is an access port with VLAN 20.

Still unable to ping my 192.168.20.X network.

Should I do an IP route from our core to our firewall? Not really sure how I can reach this. What if I trunked a port on a switch in the 192.168.20.X network to our SonicWall? Will I be able to see the 10.1.1 network through the trunk?

TOPOLOGY https://postimg.cc/p5twqn98



Curious about how you guys would go about improving this network.

I support a network that is composed of multiple MPLS links all over the country.

Some of these links are radio since the locations are remote.

Most of the MPLS uses OSPF; the CPEs are Huawei.

The network has 2 internet links, a main one on the headquarters with a Checkpoint firewall, and a backup with a shitty router.

Default route is advertised only on the main circuit, backup is manual. On the headquarters, the L3 of the internal lans is on the switch.

Each of the remote sites has equipment used by different vendors that I would like to isolate from the internal network. These days this is achieved by ACLs on each CPE, which honestly is hard to manage.

The firewall solution is to be replaced soon.

Now this is how i would change the network.

Buy Palo Alto for the main link.

Take the Checkpoint firewall and place it on the backup.

Maybe replace OSPF with BGP. I'd like some thoughts on this.

Create VRFs for the third party vendors, maybe one for each or one for all vendors, and manage their access on the firewall only.

Extend dynamic routing to the firewalls instead of having static default routes. If not, at least use NQA.



Cisco Smart Licensing Satellite model is messed up

I work for a company that has multiple subsidiaries, the subsidiaries are on different subnets. We only have a single Cisco Enterprise Agreement when it comes to the phone system, but as Cisco may be unaware, each site runs its own CUCM and CUCNX clusters and hardware. One of the sites decided to run a Smart Licensing Satellite in their subnet since the phone network does not talk to the Internet. That's fine but now the Enterprise Agreement is tied to this only Satellite and we cannot issue tokens for any other Satellites from Cisco Smart Licensing to use for other sites. Now all the sites will need to be network routed to that specific site with the Satellite, which is a huge internal political issue. WTF Cisco? Anybody else encounter this?



Juniper EX4650 vs QFX5120-48Y?

I'm deploying a small 100G network, to be used for an HPC cluster, and I can't for the life of me figure out why I would recommend one switch over the other. The only difference I see is one is a "datacenter" switch, and the other is a "campus" switch. Everything else, including chassis and features seem identical.

I would ask my Juniper rep, but he will just recommend whatever is more expensive.

Anyone have any experience with these two models?



Wi-fi training

Hello!

What's the best training related to implementing wi-fi in a Cisco environment?

We will need to deploy C9800 WLCs and C9120AX APs in January. We will also use FlexConnect for remote branches. Next year DNA will be installed and we already have ISE up and running.

I'm the one who will take care of the wireless part. My company is willing to pay for a training (boot camp) for me. I saw the ENWLSI certification but it looks like it focuses more on PI instead of DNA.

Any ideas?

Thanks



HT vs VHT in re: signal quality.

Hello! Easy question of the day:

I’m going through our wireless network to optimize some settings and limit interference which is a problem here. We have so many APs in such a small area. Our APs on our network are broadcasting our SSIDs on dual band. However, the 5Ghz is broadcasting on HT20 which IIRC is 802.11n. I want to move this to VHT20 (802.11ac), but not modify the channel it’s on (yet). From what I’ve read, the difference in the two, as far as this setting is concerned, seems to be processing on the physical chip rather than frequency or power changes. So it shouldn’t change anything as far as interference is concerned. Right?



HP SFP Addon Module Cost Jump

Hello all. Is there an overall cost increase for fiber modules, or is this specific to HP going with different models of switches? Why have I found that the SFP add-on modules for the rear of my HP 2920 1Gb access switches, which were 1-200 dollars, are now almost 1000? I was hoping to add 10Gb uplinks utilizing newly laid OM3 and SM fiber, but now don't have the funds to get the modules. Shall I just get new switches instead? What a price jump! These are the HP J9731A modules.



Cisco Anyconnect VPN with Microsoft certificate services

Currently the VPN setup I have configured uses SSL encryption and for authenticating users the ASA uses the local AD accounts + local user certificates. These user certificates are generated by the ASA's local CA server. I'm trying to implement Cisco failover but this can't be done while the ASA has a local CA server enabled.

So I'm trying to find an alternative CA server that will allow me to configure user certificates so the user can authenticate using these certificates, while at the same time still authenticating with their AD account. I've decided to try and use Microsoft 2019 server CA function.

What I'm asking is whether it is even possible to do what my current ASA setup is doing (e.g. users have installed their unique user certificate and are presenting it to the firewall when connecting) but with Microsoft's CA server. I haven't found much information on the web on how to implement this with AnyConnect; the only guides I've found are about the use of SCEP. The users are pretty technical so manually installing certificates is no problem.

Any help will be greatly appreciated.



Backing up Mikrotik routers with Ansible - help needed

I am a long time sysadmin who in the past year has done more and more network admin work. I decided to start backing up Cisco Switch configs with Ansible last week and have that working, mostly because there is lots to google on the subject. My boss LOVES the project and would like me to do the same with Mikrotik routers. I enabled SSH to one router and am trying a host file and playbook that I have found online and cannot get any combination of values to work. Any help on the subject would be greatly appreciated. Below are the technical details I am working with.

Ansible VM Ubuntu Desktop 20

Hosts file I am working with (Cisco switches are backing up normally):

[Switches:vars]
ansible_python_interpreter=/bin/python3
ansible_connection=local
device_type=cisco_ios
ansible_user=user
ansible_password=password

[Switches]
Core2 ansible_host=xxx.xxx.xxx.xxx
Core3 ansible_host=xxx.xxx.xxx.xxx
Core ansible_host=xxx.xxx.xxx.xxx

[mikrotik:vars]
# ansible_connection=local made the raw module execute on the Ansible host
# itself, which is why /bin/sh reported "/system: not found". The raw command
# has to travel over SSH to the router; RouterOS has no Python, so no
# interpreter or ansible_network_os setting is needed for raw.
ansible_connection=ssh
# password login through the ssh connection needs sshpass on the Ansible host
ansible_user=user
ansible_password=password

[mikrotik]
Main ansible_host=xxx.xxx.xxx.xxx

Cisco playbook that works:

---
## Playbook to get system time and append it to backup files
- hosts: localhost
  tasks:
    - name: Get ansible date/time facts
      setup:
        filter: "ansible_date_time"
        gather_subset: "!all"

    - name: Store DTG as fact
      set_fact:
        # the template expression was lost when the post was pasted; assumed
        # from the comment above (a date stamp appended to the backup files)
        DTG: "{{ ansible_date_time.date }}"

    - name: Create Directory
      file:
        path: ~/etc/ansible/Backups/
        state: directory
      run_once: true

- hosts: Switches
  tasks:
    - name: Backup Catalyst Switch
      ios_config:
        backup: yes
        backup_options:
          # the host name and date stamp were lost when pasted (only "--" was
          # left behind); assumed from the playbook comment
          filename: "{{ inventory_hostname }}-{{ hostvars['localhost']['DTG'] }}-config.txt"
          dir_path: /etc/ansible/Backups/

I have tried to piece together a Mikrotik playbook, but get failures when running:

---
## Playbook to get system time and append it to backup files
- hosts: localhost
  tasks:
    - name: Get ansible date/time facts
      setup:
        filter: "ansible_date_time"
        gather_subset: "!all"

    - name: Store DTG as fact
      set_fact:
        # template expression lost when pasted; assumed from the comment above
        DTG: "{{ ansible_date_time.date }}"

    - name: Create Directory
      file:
        # note: this creates ~/etc/ansible/Backups/, while the tasks below
        # write to /etc/ansible/Backups/
        path: ~/etc/ansible/Backups/
        state: directory
      run_once: true

- hosts: mikrotik
  gather_facts: no
  tasks:
    - name: Performing backup of Mikrotik to local storage
      # runs on the router over SSH (ansible_connection=ssh); the .backup file
      # stays on the router's own storage. The name= value was lost when
      # pasted and is assumed here.
      raw: "/system backup save name={{ inventory_hostname }}-{{ hostvars['localhost']['DTG'] }}"

    - name: Exporting current configuration to text
      # file=/etc/ansible/Backups/ would name a file on the router, not on the
      # Ansible host; without file= the export is printed and can be captured
      raw: /export
      register: export_output

    - name: Save the exported configuration on the Ansible host
      copy:
        content: "{{ export_output.stdout }}"
        dest: "/etc/ansible/Backups/{{ inventory_hostname }}-{{ hostvars['localhost']['DTG'] }}-config.rsc"
      delegate_to: localhost

The error in Ansible is pasted below (without the device name):

fatal: [Main]: FAILED! => {"changed": true, "msg": "non-zero return code", "rc": 127, "stderr": "/bin/sh: 1: /system: not found\n", "stderr_lines": ["/bin/sh: 1: /system: not found"], "stdout": "", "stdout_lines": []}

Again, any help is greatly appreciated!
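Once the exports are sitting on the Ansible host, consecutive copies can be compared to catch configuration changes nobody announced. As an added example (not code from the original post, Ansible or MikroTik), the script below strips the volatile "#" header lines that every RouterOS /export carries and reports which configuration lines changed under which menu path; the two sample exports are constructed inline.

```python
"""Report configuration drift between two RouterOS '/export' snapshots.

Added example for the backups described above (not code from the original
post, Ansible or MikroTik). Every RouterOS export starts with '#' comment
lines carrying the export timestamp, software id, model and serial number,
so comparing raw files flags a change on every run; those lines are dropped
first. The two sample exports below are constructed for illustration.
"""
import difflib
from typing import Dict, List, Tuple

# Constructed sample: export taken on day one.
OLD_EXPORT = """\
# sep/14/2020 22:10:05 by RouterOS 6.47.4
# software id = ABCD-1234
#
# model = RB750Gr3
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=ether1
/ip service
set telnet disabled=yes
set ssh port=22
/user
add group=full name=admin
"""

# Constructed sample: export taken a day later; someone opened Winbox
# (tcp/8291) from the WAN interface and added a second full-rights user.
NEW_EXPORT = """\
# sep/15/2020 22:10:07 by RouterOS 6.47.4
# software id = ABCD-1234
#
# model = RB750Gr3
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=8291 in-interface=ether1 protocol=tcp
add action=drop chain=input in-interface=ether1
/ip service
set telnet disabled=yes
set ssh port=22
/user
add group=full name=admin
add group=full name=support
"""


def normalise_export(text: str) -> List[str]:
    """Keep only configuration lines: drop blank lines, '#' comment lines
    (the volatile header) and trailing whitespace."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def by_menu(lines: List[str]) -> Dict[str, List[str]]:
    """Group configuration lines under the menu path ('/ip service', ...)
    that precedes them, so a change can be reported with its menu."""
    grouped: Dict[str, List[str]] = {}
    menu = ""
    for line in lines:
        if line.startswith("/"):
            menu = line
            grouped.setdefault(menu, [])
        else:
            grouped.setdefault(menu, []).append(line)
    return grouped


def config_drift(old: str, new: str) -> List[Tuple[str, str, str]]:
    """Return (menu, '+' or '-', line) for each configuration line added to
    or removed from `old` to reach `new`, ignoring the export header."""
    old_menus = by_menu(normalise_export(old))
    new_menus = by_menu(normalise_export(new))
    drift: List[Tuple[str, str, str]] = []
    for menu in sorted(set(old_menus) | set(new_menus)):
        diff = difflib.unified_diff(old_menus.get(menu, []),
                                    new_menus.get(menu, []),
                                    lineterm="", n=0)
        for entry in diff:
            # skip the '---', '+++' and '@@' framing lines of the unified diff
            if entry.startswith(("---", "+++", "@@")):
                continue
            if entry[0] in "+-":
                drift.append((menu, entry[0], entry[1:]))
    return drift


if __name__ == "__main__":
    for menu, sign, line in config_drift(OLD_EXPORT, NEW_EXPORT):
        print(f"{sign} {menu}: {line}")
```

Run it against the two most recent -config.rsc files per router after each playbook run; an empty result means nothing but the header moved.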



Splitting geographically separated non-backbone OSPF areas?

I'm a network engineer for an air-gapped military network. We run a worldwide WAN in which we control the WAN routers; downstream are customer-owned Nexus switches that hang off our routers, which we do not control. Currently we have our own internal OSPF process, and we have static routes pointing downstream for the customer-owned IP space that we redistribute into OSPF to advertise the sites to each other. They just have a default route pointing to us because we are their only way out.

We've been mandated to integrate them into our OSPF process, which is fine, not a big deal. My question for the design: can we incorporate all of them into one non-area-0 area? Or should each site be in its own area? We have geographically separated sites spread out across the US, Europe, and Asia. I'm not sure if it's pertinent, but we are going to configure each site as a totally stubby area because we are their only way out and because we also need to advertise a default route down to them. I don't want to use default-information originate because each of our routers has its own individual default route to get out to its respective "internet" and I don't want one site learning another site's default route.

I was leaning towards putting each site in its own area because I don't want every device to have to rerun the SPF algorithm if the downstream link flaps or something, but my coworkers want to keep all the customer-facing interfaces in the same area for simplicity. Google tells me there is nothing inherently wrong with non-connected non-area-0 areas, but I can't seem to find anything definitive, especially with high-latency WAN links.

Shitty drawing: https://i.imgur.com/zHArBMc.jpeg

Thanks in advance for any help/insight.



CCNA to CCNP

A bit of context, so I'm trying to find a location in the south-east of England to do my CCNP, which I'm having a really hard time trying to do. I'm not looking for intensive 3-week training but a place that has labs and equipment to train on. The problem is the only places I've found locally are not hosting due to COVID or other issues till at least the 3rd quarter of 2021.

The question is: will passing the 1st module of a CCNP renew or hold my CCNA qualification, or will I have to redo the CCNA regardless of whether I've started a CCNP, even though I've not completed it?



Need help with port forwarding on a PPPoE connection.

I have a PPPoE connection and a TP-Link router. I wanted to do port forwarding, and in my router settings there is an option called "NAT Forwarding" where I have entered the IP address of my PC, which is connected to my router using an Ethernet cable. In external IP I have 3737 and in internal I also have 3737. So to test this I ran the Python http.server module and tried to connect from my mobile using mobile data, but it doesn't work; it says connection timed out. But when I connect from my mobile using my WiFi it works.

Please help.



Is mikrotik hAP ac² Router-AP appropriate for small business - alternatives ?

Hi all. We currently rent some space for a new startup business and there are some UTP sockets on the walls. You just plug in the cable and you get internet access. The thing is that we plan to increase the security and also create a local WiFi network. The main idea is to buy a MikroTik hAP ac² and then plug a switch into it to share the internet connection through wires. We can also create a WiFi. In this case I suppose that we can use the features of the MikroTik to set up a firewall, make the devices use specific DNS and stuff like that. In other words, to secure our network a little bit.

The reason I'm asking is that I understood that mikrotik runs on proprietary software and I was wondering if there is any other better solution or similar solutions that we can use that runs on open source.

Any ideas or comments are welcome.



Tuesday, September 15, 2020

Colocation ESXI Networking Sanity Check

I'm getting ready to send a small dev server (a NUC) off to a colocation facility in another state, and I was wanting a quick sanity check regarding the configuration.

The colo provider has assigned us a /29, and instructed us to configure the following IPs:

  • xxx.x.xx.202-206 host addresses
  • xxx.x.xx.201 gateway
  • 255.255.255.248 netmask.

Here is the configuration:

  1. Server is running ESXi, and has one physical NIC.
  2. ESXi vmk0 management interface is set to static, and I configured one of the IP addresses in the block with the above settings. Will lock it down using the ESXi firewall to only allow connections from my IP range; turned off everything but web management.
  3. There is a VM running pfSense, configured with a WAN adapter on vSwitch0 (uplinks to the NIC) and a LAN adapter on an internal vSwitch with no uplink.
  4. pfSense WAN interface set to static, /29 subnet, with the upstream gateway listed above. LAN interface will hand out private IPs to future VMs.
  5. The remaining public IP addresses are configured as Virtual IPs/IP Alias in pfSense.

I connected my laptop's ethernet to the NIC on the server, and set a static IP on the laptop that was in the subnet. Everything seems to be working as I would expect.

Am I missing anything?



Cisco configure replace vs startup (Cisco 9500)

Hey guys,

I have a situation where I have to build a 9500 config in the lab and will be uploading this config file to the flash: of a different 9500 in production.

Would it be best to use the “configure replace flash:new-config” feature with timers, or should I backup the running config on the production 9500 and then do a copy flash:new-config start-up and reload? I’m okay with an outage. Which method would you choose?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Core switch upgrade HP Stackable ?

G'day, I'm not a networking expert, but we are wanting to replace our HP J9575A 3800 2x stacked switches with 2x stacked HP switches with a minimum of 24 GbE ports, 10x 10GbE and 6x SFP per switch minimum. Any advice appreciated!

I've tried searching but can't find anything suitable. Wondering if anyone can assist with any info? Much appreciated.



Layer 2 or Layer 3 for multi-building LAN

Looking for some input on whether layer 2 or layer 3 would be a better design choice for a network that has 4 buildings connected by MM fiber runs and probably 500-600 phones, some analog but mostly IP phones. You know, it's not a massive site so I don't want to over-complicate it, but I also don't want tons of broadcasts to bring down the whole network. Is it feasible to use all layer 2 and use port channels to trunk the VLANs between the separate buildings? Or would you rather have a router per building running its own layer 3 network with OSPF to link them all up?



Need Some Assistance on Possible Router Upgrade

I'm an IT Admin that could use some assistance. We are a small company with about 50 users looking to update our router. We currently use a Dell SonicWall NSA 2600 with licensing for SSL VPN, Global VPN Client Enterprise, and Comprehensive/Advanced Gateway Security Suite with Content Filtering: Premium Edition (expired) and Analyzer. We only use our VPN access to connect to our security cameras.

Our MSP is quoting us a Cisco Meraki MX250 router with Advanced Security License and support for 13k.

I'm at a bit of a learning curve and trust my MSP, but this seems like a little much.

Do I need to upgrade my SonicWall, and if so, why would I need to?

Would I be better off going with an MX84 or MX100, or maybe even a smaller appliance?

Thank you in advance for any feedback.



Precision Time Protocol vs. Network Time Protocol

Hello Networking Community,

I am hearing and seeing a lot of buzz around the new Precision Time Protocol (PTP). Any experts out there in this area that can provide the documentation you use on this? I've come across a few helpful links, but I just don't know enough about PTP to put together a clean comparison.

https://timemachinescorp.com/2018/11/06/ntp-vs-ptp-whats-the-difference/

http://www.en4tel.com/pdfs/NTPandPTP-A-Brief-Comparison.pdf



Asus AC86U manual dhcp ip assignment not working

I got an Nvidia Shield which is connected via WiFi; I have mapped the network drive with the IP address ending in 19.

I then connected the Shield via Ethernet and disabled WiFi. It did give the Shield a new IP ending in 50; I checked the router and the Ethernet has a different MAC address than the wireless.

I gave the Ethernet MAC the IP of 19 and saved it, restarted the Shield, and it will not grab the 19 address. I disabled Ethernet and re-enabled it on the Shield and no change. I am able to assign a static IP in the Shield settings giving it the 19 address, but I want the router to do it and I don't know why it's not working.



Cabling getting more expensive?

Is it my imagination, or is cabling a lot more expensive right now? I've contacted a couple companies to do some cabling for me in SW Michigan, and wow, double to triple what I expected.



CenturyLink rebrands as Lumen Technologies



Unifi Cloudkey VLAN configuration

So I have a single Dell N2000p switch which has 5 VLANs configured for different areas of the network. The switch is on VLAN 100.

The Unifi Cloud Key and APs are in VLAN 101 and are all configured on trunk ports with the native VLAN being 101.

I have configured 2 SSIDs; these are VLAN 104/105 and tag their traffic on the AP.

102/103 are my client and VoIP VLANs, and all Ethernet switch ports are configured as a general port with PVID 102 and VoIP as 103.

Now the uplink from the switch goes to my firewall, where the VLANs are also configured. The firewall controls DHCP for each VLAN.

At the moment each VLAN can route to the others, so for example from the client VLAN (102) I can access the switch on VLAN 100.

My issue is that I cannot connect to the Unifi Cloud Key on VLAN 101 from any VLAN other than 101. Oddly, I can access the APs, which are also on VLAN 101.

Does this indicate a switch issue? I read that the cloud controller doesn't support a management VLAN, but I can't find anything official.



Firewall Design Suggestions

Hello Reddit mates,

Referring to my previous post on Reddit, I am reposting again;

I am working on implementing a data center firewall and F5 (WAF) with the following consideration:

  • To secure and control the access from the user (access layer) to server farm such as IPS, Access policies, AV
  • To secure Web Servers in DMZ
  • East-West traffic inside server farm for stopping malware propagation for critical servers.

Please comment on this design or any suggestions for improvement, if it is good

https://www.dropbox.com/s/r39z14byvia7kmw/architecture.png?dl=0



nbssh - netbox backed concurrent ssh runner

I've thrown together a NetBox specific SSH command line tool. Yes, I know, it's Yet Another SSH Runner, but I wanted a lightweight tool where I could leverage properties in NetBox as a query for target devices and in a quick/ad-hoc manner issue commands against all those devices. If this sounds like a useful tool for your toolbelt, check it out.

https://github.com/crutcha/nbssh



Cisco 9400 + Palo Alto 10GE DAC cable interop

Trying to get a Cisco 9410 to connect with a PA-5220 using Palo Alto DAC cables:

PAN-SFP-PLUS-CU-5M: SFP+ form factor, 10Gb direct attach twin-ax passive cable with 2 transceiver ends and 5m of cable permanently bonded as an assembly, IEEE 802.3ae 10GBASE-CR compliant

It's not coming up on the Palo end and comes up with a weird media type on the Cisco end.

Cisco IOS XE Software, Version 16.11.01
Line card model: C9400-LC-24XS

interface properties
Name : Te2/2/0/2
Administrative Speed: 10000
Administrative Duplex: full
Administrative Auto-MDIX: on
Administrative Power Inline: N/A
Operational Speed: 10000
Operational Duplex: full
Operational Auto-MDIX: on
Media Type: 1000BaseCX SFP

Any suggestions? Perhaps there's a hidden command. I've connected Cisco Nexus and servers with 3rd party DACs in the past, it's all passive stuff yet this time around no bueno.



OSPF EXT2 routes with OSPF internal (forward) metrics to BGP

Basically I have BGP and static routes coming into OSPF (on R1 and R2, from ) and I want to redistribute them to BGP (at R7 & R8) with proper metrics. What are my options? Preferably the solution should be as automated as possible - meaning we do not want to use any route-maps and the like to modify metrics, if possible.

Routing diagram of the network

All OSPF internal metrics are ignored for External Type 2 routes, when redistributing from OSPF to BGP.

The BGP endpoints (R9 & R10) will get the routes from two different routers (R7 and R8), so having the same metric is undesirable, since the endpoints would have no clue which route to prefer and would choose the oldest one.

Which means it can happen that R9 chooses a path of R9 -> R8 -> R2 -> R1 -> R3 -> R5, the path colored red on the diagram.

How to always consider the metrics of the E2 routes coming from the R5 and R6 (and also static routes from R1 and R2) and have the traffic go the most direct path in such a situation?

We can only modify heavily the configurations of R7 to R10. A solution that works, but is not preferable is to use AREA 0 OSPF for R7-R10.



How are you documenting your switch infrastructure, switch port mapping and vlans?

See title. I'm looking for a solution to document different vendors and models, with collaboration friendliness and dynamic changes without destroying your whole overview.

So far I tried the following and it's not really sufficient:

  • Excel sheets (easy to update, but also easy to destroy the layout)
  • Visio/draw.io (hard to update, not so easy to destroy the layout)

We have different-sized customers, so it should also be scalable in terms of the number of switches.

Any recommendations?

Thank you!



802.1x and IP Phones

Hi, noob question.

I'm looking into 802.1x and how we can use it with IP phones.

In Multi-Auth mode, the documentation states only one device is allowed in the voice domain.

Before reading this I set up an environment that had 3 IP phones in the voice domain on the same port. Am I missing something? Will the tagged traffic be affected?

Thanks



Cisco Firepower SSL reporting

Greetings, I'm looking for guidance on getting visibility on SSL decryption with Firepower 21xx. Goal is to get as much info on SSL traffic composition, connection rate and transaction size + encrypted vs unencrypted ratio + any errors around SSL. I realize that's a tall ask but is there any combination of built-in reports and cli commands to get this? Cheers.



User Access Control

I'm hoping this is the right place for this kind of help. I'm looking for a small-scale, per-user WiFi access control system for about 50 users that will change regularly. I've done some research and I've come across some subscription-based captive portals, but recurring costs aren't possible. I've also looked into WPA2-Enterprise authentication, but it's a little beyond my abilities at the moment; if there is somewhere I can learn how to implement this, I'm open to it.

I'd really appreciate any suggestions and ideas.



Anyone want to share their experience with ISSU on a ToR?

Does anyone have experience with using enhanced ISSU on Nexus 9300 or Arista 7050 that they trust in their production network? If Nexus spins up a standby SUP, why does it have any control plane downtime?



Is 10Gb possible 10GBASE-T SFP+ Transceivers?

Starting to upgrade more systems to ones that have 10Gb built in, in the form of 10GBASE-T. Most workstations I oversee have already been connected via short runs of CAT6a (~ 12-20m). The quick solution to hook them up, would be utilizing the 10Gb SFP+ ports on the Juniper QFX-5100-96S “core” stack in my facility.

I’ve tested a small handful of SFP+ to 10GBASE-T transceivers, but I can’t ever seem to get better throughput than 5Gb/s. I’m sure there are better ones out there. I’ve been eyeing the SmartOptics, since that’s normally what I use for the QFX. I would also like to utilize some of the SFP+ ports on a handful of Brocade Ruckus edge switches, for the small handful of systems that are too far away.

My question is, as in the title, is it even possible to get full 10Gb out of an active adapter like this? If so, what brands would one recommend? Thanks in advance.



Monday, September 14, 2020

C3850 switch software upgrade issue

I have a spare C3850 switch that I wanted to use and the code was version 3. I attempted to upgrade to the newest stable release but after the switch going into reboot, it has been stuck with the "SYST" light flashing for about more than an hour. Is this normal behavior or is something wrong? I don't remember it taking this long on another C3850 I was working with a couple weeks ago.



Wifi connectivity switch

How can I make my home internet connection turn off and on automatically at a particular time (children), without disturbing power to the router/access point or its software configuration? Any beginner materials?



Any feedback on Cisco trainer KB and his SDA Bootcamp

I am thinking about buying KB's SDA Bootcamp that starts next week. Has anybody here learned from him / have any suggestions about alternate courses I should explore?

Here's a link to the course — https://kbits.live/courses/sda

It seems comprehensive, and he seems to have a decent rep but I just wanted a quick sense check from the folks here.



Work has not set up ethernet internet for me in 18 months. I'm still working. Will plugging an ethernet switch do anything to the network?

Plugging an ethernet switch into a wall port and running 2 ethernet lines from it? For a coworker, one who has ethernet ready internet, and myself the hotspot user. Will anything weird happen if this is done?

So both of us would be running off the same wall port



ASR920 untagged BDI spanning tree?

Hi,

I'm relatively new to Cisco when it comes to BDI interfaces, port channeling and high availability.

We have problems with our Cisco ASR configuration and need some advice on how to fix that.

How do we prevent the customers from creating loops / blocking the second port?

Here is an example of what our infrastructure looks like:

https://imgur.com/a/ugUZQx2

We cannot get spanning tree / BPDU running.

If a customer bridges the 2 interfaces which we provide them, we get loops and that brings down both Ciscos and we lose the BGP session to our provider.

Here is a config snippet of our ASRs:

version 15.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime
service password-encryption
no platform punt-keepalive disable-kernel-core
platform bfd-debug-trace 1
platform xconnect load-balance-hash-algo mac-ip-instanceid
platform tcam-parity-error enable
platform tcam-threshold alarm-frequency 1
!
hostname Router-RZ01
!
boot-start-marker
boot system bootflash:asr920-universalk9_npe.03.18.08a.SP.156-2.SP8A-ext.bin
boot system flash asr920-universalk9_npe.03.18.08a.SP.156-2.SP8A-ext.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 32768
!
no aaa new-model
clock timezone MET 1 0
clock summer-time MST recurring last Sun Mar 2:00 last Sun Oct 3:00
facility-alarm critical exceed-action shutdown
port-channel load-balance-hash-algo src-dst-ip
!
!
!
multilink bundle-name authenticated
!
!
license boot level advancedmetroipaccess
!
!
spanning-tree mode mst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree mst 0 priority 0
sdm prefer default
!
redundancy
bridge-domain 1
bridge-domain 100
bridge-domain 101
!
transceiver type all
 monitoring
cdp run
!
!
!
bridge irb
!
!
interface Loopback0
 ip address XXX.XXX.XXX.XXX 255.255.255.255
!
interface Port-channel1
 no ip address
 spanning-tree portfast
 service instance 100 ethernet
  encapsulation dot1q 100
  rewrite ingress tag pop 1 symmetric
  bridge-domain 100
 !
 service instance 101 ethernet
  encapsulation dot1q 101
  rewrite ingress tag pop 1 symmetric
  bridge-domain 101
 !
!
interface GigabitEthernet0/0/0
 no ip address
 load-interval 30
 shutdown
 negotiation auto
!
!
interface GigabitEthernet0/0/19
 description Customer1
 no ip address
 load-interval 30
 negotiation auto
 cdp enable
 service instance 100 ethernet
  encapsulation untagged
  bridge-domain 100
 !
!
interface GigabitEthernet0/0/22
 description Customer2
 no ip address
 load-interval 30
 negotiation auto
 cdp enable
 service instance 101 ethernet
  encapsulation untagged
  bridge-domain 101
 !
!
interface TenGigabitEthernet0/0/24
 description PortChannel1
 no ip address
 spanning-tree portfast
 channel-group 1 mode active
!
interface TenGigabitEthernet0/0/25
 description PortChannel1
 no ip address
 no negotiation auto
 spanning-tree portfast
 channel-group 1 mode active
!
interface TenGigabitEthernet0/0/26
 no ip address
 shutdown
!
interface TenGigabitEthernet0/0/27
 description Uplink
 ip address XXX.XXX.XXX.XXX 255.255.255.252
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface BDI100
 description Customer1
 ip address XXX.XXX.XXX.2 255.255.255.248
 standby 0 ip XXX.XXX.XXX.1
 standby 0 priority 250
 standby 0 preempt
 standby 0 authentication md5 key-string 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
 load-interval 30
!
interface BDI101
 description Customer2
 ip address XXX.XXX.XXX.114 255.255.255.248
 standby 0 ip XXX.XXX.XXX113
 standby 0 priority 250
 standby 0 preempt
 standby 0 authentication md5 key-string 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
 load-interval 30
!
!
router ospf 100
 router-id XXX.XXX.XXX.254
 auto-cost reference-bandwidth 100000
 redistribute connected subnets
 redistribute static subnets
 network XXX.XXX.XXX.16 0.0.0.7 area 0
 default-information originate
!
router bgp XXXXX
 bgp log-neighbor-changes
 neighbor XXX.XXX.XXX.XXX remote-as XXXXX
 neighbor XXX.XXX.XXX.XXX description Link
 !
 address-family ipv4
  network XXX.XXX.XXX.0
  neighbor XXX.XXX.XXX.XXX activate
 exit-address-family
!
ip forward-protocol nd
!
ip bgp-community new-format
no ip ftp passive
!
!
control-plane


4x Core switches with two PSU each using 1 to 4 Power split???

Reddit,

Building a new MDF and going over the power requirements. Currently we have 4 Dell S4148 core switches that have two PSUs each, with C13 to C14 power cables.

Curious to know if this is smart or stupid. Since there are two redundant PSUs on each switch, and we have two circuits with two PDUs on each side of the rack, would the following one-to-four power cable be OK to use ONE slot on the PDU to feed 4 of the core switches?

The following Amazon link is what I'm considering purchasing, thoughts?

https://www.amazon.com/IEC320-Female-Socket-Splitter-Spliter/dp/B075D8FFFH/ref=sr_1_13?crid=2SAFM0S1EH4A7&dchild=1&dd=AMvNZzOQilBHeFMu1RGHuA%2C%2C&keywords=c13+to+c14+power+cord&qid=1600100527&refinements=p_85%3A2470955011%2Cp_90%3A8308921011&rnid=8308919011&rps=1&sprefix=c13+to+c14+power%2Caps%2C178&sr=8-13

I figured, nobody should be unplugging power cables anyway, this would allow the cables to look SUPER clean and labeling would be a breeze. The catch though... it's only one cable to four switches, however, it's also the same on the redundant side. Is it really that much of a concern? After all, that ONE PDU only has ONE cable going to the ceiling.

tl;dr - one to four C13 to C14 power cable smart or stupid for Core switches? and... really any 'pair' of devices?



IT documentation - logical system connection.

Hello.

I'm familiar with Visio and use MediaWiki to write some details. I don't need to document hardware on sites. I wonder what to use to document applications? OK, create in Visio, export to PNG and add to MediaWiki, but maybe there is something better, faster? It is easier to send someone from management a PNG in mail or a link to a PNG, not a Visio file (they probably will not open the attachment). App servers, DB servers, users from WAN and Internet, FW, LB etc. This kind of documentation/notes. Some tool that checks and reports to the creator in time that "in this documentation there were no changes since [DATE]" or e.g. 3 months. I wonder how to control change? Probably every one of us has documentation from the first run of an application, and then changes in hardware are made and not updated in the documentation. I need network information on the diagram: s2s name, maybe sysadmin department name or IP, or in the load balancer info about the pool (e.g. 3 servers in pool). Normal stuff to put in Visio.

Any suggestions? Or stay as it is and use Visio, upload to MediaWiki, and png as a thumbnail?



Brocade switches

Has anyone here had experience with Brocade switches? I found a good deal on an ICX6450-48P and just wanted to check and see if it was any good. Also, I saw that there are references to port licenses on Brocade's website. Is this something that I have to worry about?



Sample python scripts

Hello everyone,

Not sure if I have posted this before, but I want to get some ideas as to where a Python script can help in my day-to-day life in an enterprise network.

We have Cisco equipment, Solarwinds management server with NCM module installed and recently Cisco DNA.

The thing is, we don't do much in regards to config. Most of the stuff is being configured from the team in India, which leaves us room for project work.

However, I have never seen a need to automate anything with Python that our tools cannot do. Solarwinds NCM has good features in regards to identifying and reporting missing or excess lines of config, and if I need to configure an interface, it would be easier to do it myself.

So what are some good cases that you have used in production that made python worthwhile?