Saturday, September 26, 2020

GRE Tunnel to Docker Application (Home Hosted Game Server)

Hi, I tried setting up a GRE Tunnel to my home server using this guide: https://community.hetzner.com/tutorials/linux-setup-gre-tunnel

It works for things like https, but anything being run in the docker container does not go through the VPN and times out. I'm not sure what is causing the problem, but I know it has something to do with docker networking.



New Catalyst 9000 Deployment QoS Questions

I just took delivery of 2 Cat 9500-32c's for our core, 4 Cat 9500-48Y4C's for distribution, and just under 100 9300's for access layer switches to replace our network infrastructure. This is replacing a bunch of 3750/2960's and a Meraki MS425 core stack. I am using stackwise virtual between the core switches and the 2 pairs of distribution switches. I have 2 40G connections (LACP) between the distribution layer and core switches and will have 2 10G connections (LACP) between distribution and access. An HA pair of Palo Alto 5220's will connect to the core and handle our two redundant 10G internet connections. I am looking at QoS and the config on the 3850/9000 series is new to me. We have Cisco VoIP and quite a few staff doing a lot of Zoom meetings but nothing else to speak of. QoS is basically non existent in the environment. I have been reading and trying to wrap my head around it and have come up with this for a user facing port:

class-map match-any Voice
 match ip dscp ef
class-map match-any Zoom_Video
 match ip dscp cs5
class-map match-any Zoom_Audio
 match ip dscp cs7
policy-map ACCESS
 class Voice
  priority level 1
  police rate percent 1 conform-action transmit exceed-action drop
 class Zoom_Audio
  police rate percent 1 conform-action transmit exceed-action drop
 class Zoom_Video
  police rate percent 1 conform-action transmit exceed-action drop
 class class-default
  bandwidth remaining percent 100

The way I understand it, assuming a 1G connection to the client, this would ensure 10M of bandwidth for each of these classes. I don't know if I am going about this the right way at all, and I don't know what would be best to do on the uplinks between access and distribution and between distribution and core. Any advice is appreciated.



Helpdesk guy needing opinions from more experienced people than me on Network Architecture

Hello r/networking!!

Question:

What are your thoughts on a virtualized pfsense deployed on a production Server cluster for inter-VLAN/edge routing?

TLDR:

Discussions are taking place to remove a large part of our network infrastructure and move routing away from CoreSwitches/Edge Router to virtualized router on our production cluster. I think I need to be against this decision, and am looking for opinions as to whether I am right or wrong in my stance.

Context:

We are a 4 person IT team spread across 2 sites (1 helpdesk/1 Sysadmin at each site). I am the junior person at my site and overheard a conversation between the Sysadmins on replacing our firewalls and edge router and VPN concentrator that will be EOL next year.

I am a helpdesk technician with a BAS in Cybersecurity holding CCNA/Security+ certifications; while my role is helpdesk, I do assist a lot with higher level work at the network/server/security level, so I believe my input does have some influence.

The current school of thought is to implement a pfSense cluster (if this is possible?) to handle the edge routing/VPN. While the thought of placing our production cluster on the edge of our network is unappealing, I do understand this idea as it would mitigate capital costs of purchasing hardware.

However, I am not so onboard with migrating our inter-VLAN routing from Cisco 3850's to the same pfSense routers. The justification for this is that it will "segment our VLANs properly". We are a manufacturing facility with the critical infrastructure consisting of: HMI/PLCs that are offline, an IBM i instance used to support the manufacturing processes (used extensively by most departments), and file servers; so, I believe that there is no need for any network segmentation beyond what the 3850 can offer us.

Performance concerns:

Moving from ASIC routing for LAN traffic to OS routing is a bad move for us IMO; we have dual 10G fiber (not implemented as port channels as far as I know) running from each of our 2 ESXi hosts to the core 3850s which handle everything from iSCSI to backups, so I believe that adding not only every LAN packet, but all external/internal traffic would not be so good for throughput purposes.

Router on a stick would be a downgrade IMO from our current design.

Additionally, since we use iSCSI to the NAS, the loss of our (single) production NAS would be detrimental to our production network as we would have to rebuild the whole infrastructure from backups.

Security concerns:

While I have not found good knowledge about the risks of a virtualized edge router, I think that there is increased potential for compromise since the same hosts that will be running our Edge routers, will also be running our production environment/ VEEAM backup servers (pointed towards a different NAS). Also, there is the risk of human error if we accidentally put a VM on the Edge Vswitch/VLAN.

Additionally, Internet traffic will now be traveling across our Core switches which goes against my instincts. Unless we utilize our external switches and implement new NIC's in the servers (this has not been discussed)

Wrap it up already!!!

Am I wrong to have these concerns?

Should I just leave it to the System Administrators and keep my head down?

Long post I know, thank you if you read all of it; your input is greatly appreciated.



Need Help with my Network setup please.

Hi,

My plan is to create 2 routers. One for a VPN client (OpenVPN or WireGuard) and the other is for a pfSense firewall for my local network. I want to achieve it through virtualization. One VM running Ubuntu or some other Linux version for the VPN client, and the other VM should be for pfSense.

Problem is I only have one onboard NIC on my host machine. I have an L2/L3 switch though (TP-Link Jetstream 8 port). Is it possible to pass the networks of both VMs through the single NIC onto the switch and assign WAN and LAN ports to each VM on the switch? I know a quad port NIC would do the trick, but NIC cards are a little out of my budget now.

So please help me to put all this together.

PS: Both VMs should be on separate subnets.



Network Security Ops wants a single pane of glass for firewalls, engineering wants to separate cloud and on-prem.

Simplest way I can say. We have about 50 Fortigate 3400Es in our environment across 3 company-owned major datacenters, as of now they are managed via a Fortimanager, we rely heavily on change control, no undocumented changes, all pushes are at a documented time with validation of all changes and rules. Lately our org is expanding to Azure and we're standing up several Fortigate VMs, some that scale, some that don't but ultimately that has lead us to currently 3 Fortimanagers and a 4th one in the near future. They are saying they will 'eventually' consolidate down to one FMG in cloud and maintain the one fmg for on-prem. Currently we're running on newer code in the cloud and the on-prem FMG can't manage the newer version ones(but we just ran into a code bug for VPN which will require the FMG to upgrade to a newer version that CAN manage the cloud firewalls)

One of the hardware engineers is vehemently against having one FMG citing these reasons:

  1. dependency - don't want requirements in either on-prem/cloud to dictate code restrictions on the other - this is a valid concern, probably the only one, but a minor one
  2. features - we do not want to deploy potential features or code that could be leveraged and unique for either environment - he listed this as a reason, which I think actually goes against his convictions
  3. risk - risk of human error, performance, connectivity - which my counter point is a single pane of glass reduces errors, performance is negligible since if we lose access to cloud we lose access to the cloud FMG anyway, we're getting a 100 gig ExpressRoute redundant circuit set up, I'm very skeptical there will ever be a major connectivity issue. performance is the only valid concern but barely.
  4. elasticity - they state that on-prem FMG would not be useful for elastic firewalls yet the FMG code is the same regardless if it's hardware or not... fluff reason in my opinion.
  5. vdoms/adoms - on-prem we use ADOMs to separate VDOMs based on environment (prod/nonprod), we don't do that in Azure - stupid reason, makes no sense. salty response but I don't like dumb reasons.
  6. limitations - we face limitations with objects, latency, complexity, duplication, connecting cloud to on-prem increases these complications and limitations - back to risk, stupid response, more fluff work, not sure what's complex about deciding management in one datacenter or another.
  7. flexibility - we can adapt to increasing demands, changes, needs in the cloud quicker with having a separate environment - this in no way affects whichever method you're using, stupid response.
  8. deployment - deploying cloud firewalls has a native code version that may not align with on-prem, we do not want to spin up a firewall in cloud that isn't compatible with FortiManager - valid, but in a company environment where we strictly control changes and assess risk on every minute detail, we wouldn't just 'spin up' new equipment without research and preparation
  9. upgrades/downgrades - per previous conversations, when possible, we should avoid upgrading or downgrading firewall code to be in alignment with on-prem, we should leverage what is provided in cloud - references reason 1 just in a different way.

From the ops perspective, there's a growing demand with object control, group control, we're leveraging global objects and policies which will be spanning datacenters and into the cloud for Akamai purposes. Additionally, why would we want to support our central management of these firewalls being hosted elsewhere when we already have the infrastructure and opportunity to host it in a more secure environment, one that we control, not to mention a reduction in cost... it doesn't make sense to me.

To top all this off, they say Fortinet, the vendor, has given their blessing to separate management, which in my opinion is an extremely obvious case where a vendor is going to recommend any opportunity that generates more revenue for them... so on a partial level we shouldn't trust their recommendation on this.

I have previously worked in a major ISP that acted as an MSP for business customers using Fortigate equipment; we had multi-tenant devices and used VM FortiManagers as well as physical ones, and neither one had a problem managing physical or VM devices. I think the engineering team has a weak leg to stand on taking this stance, but I am willing to listen to reason if there are real legitimate concerns, yet I don't really see any. I'd love to hear from other experiences.



Tagged vs. Untagged VLANs

I apologize in advance if this question is too simple for the group, I just haven't had experience with this topic and am having trouble finding this exact situation with my Google-fu. I work for a consultancy where we usually send a small team to work at the customer's site. We bring our own network components and are usually isolated from the customer network. I got dubbed the "Network guy" just because I have been willing to take the task on, but it's not really my wheelhouse.

At the site where I am currently, the customer would like to connect our network to theirs to ease some analysis that we are doing. They are proposing that we connect our router to one of their larger switches. They have a ton of VLANs on that switch that segregates traffic for various different reasons and acts as a layer 2/3 device, routing between VLANs where it is necessary. They have given me a couple of snippets of their switch config (they don't want to share the whole thing, which is fine).

The snippets that they gave me are the definition of the configuration for the switch port and some of the VLAN definitions. They have established a /30 network on the port that will connect to our router and designated a router-interface on one of the VLANs that is configured on that interface. The plan is to make that switch port address the next hop for a set of static routes that I will set on my router that let me reach the networks on their side that we need to work with.

That's all fine and seems reasonable to me, but they also made the port a VLAN tagged interface for each of the VLANs that holds the networks that we need to reach. I think that's not right? Shouldn't that be an untagged interface, since it connects to a non-switch port on my router? I questioned them about it, and got a sort of gruff, "that's so you can get to our networks" type of response. I was just hoping for some feedback from the group before I go back to them since the customer rep is kinda difficult to work with.

Thanks!
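An added example, not the customer's configuration or anything from the post above, showing what the two port modes mean on the wire: a port that is "tagged" for a VLAN emits frames carrying a 4-byte 802.1Q tag (EtherType 0x8100 followed by the VLAN ID), while an "untagged" (access) port strips that tag before the frame reaches the attached device. The code below parses, adds and strips the tag; the sample frame is constructed, and the MAC addresses and payload are placeholders.

```python
"""Added example (not from the original post): what an 802.1Q tag looks like and
how a tagged frame differs from the untagged frame an access port would deliver."""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces a single 802.1Q tag
TPID_8021AD = 0x88A8  # 802.1ad (QinQ) outer tag, handled the same way here


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, VLAN ID/priority (None if untagged),
    the real EtherType of the payload, and the payload itself."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vlan = priority = None
    offset = 14
    if ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # Tag Control Information: 3 bits PCP, 1 bit DEI, 12 bits VLAN ID,
        # followed by the EtherType of the encapsulated payload.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13
        vlan = tci & 0x0FFF
        offset = 18
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlan": vlan,
        "pcp": priority,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


def add_tag(frame: bytes, vlan: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag into an untagged frame: what a switch does on egress
    from a port configured as tagged for `vlan`."""
    if parse_frame(frame)["vlan"] is not None:
        raise ValueError("frame already tagged")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    tci = (pcp << 13) | vlan
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag: what a switch does on egress from an untagged (access)
    port, so the attached host sees a plain frame."""
    if parse_frame(frame)["vlan"] is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: untagged IPv4 frame (EtherType 0x0800) with a dummy payload.
UNTAGGED = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\xde\xad\xbe\xef"
# The same frame as it leaves a port tagged for VLAN 100.
TAGGED = add_tag(UNTAGGED, 100)

if __name__ == "__main__":
    print("untagged:", parse_frame(UNTAGGED))
    print("tagged:  ", parse_frame(TAGGED))
    print("tag bytes:", TAGGED[12:16].hex())
```

A router interface with no VLAN configuration will only process the untagged form; to accept the tagged form it needs a sub-interface (or VLAN interface) bound to that VLAN ID, one per VLAN the switch port is tagged for.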



slightly confused

Gotta modem, Motorola MB8600 Docsis 3.1 and I'm using a tp-link ac1750. Things are good. I've established a connection via the router. How do I get rid of the modem connection under connections.

This is a windows machine, win7sp1, but I see it on my win10 laptop too. Thank you.



Connected to 2 networks but WAN not reachable?

I’m setting up a raspberry pi to connect to 2 networks via Ethernet and WiFi. Hosts on both networks are reachable but I am experiencing problems when trying to acces the outside network:

Let's say I connected the Pi to WLan#1 through WiFi and to Lan#1 through Ethernet. If the external gateway (the one which is connected to the WAN) is on WLan#1, I won't be able to reach external hosts from the Pi itself, since the device automatically uses the eth0 iface as the default one (so that is where it redirects all requests to unknown hosts).

Any ideas on how to overcome this issue? I just want the Pi to be able to access the outside network. Lan#1 does not need to reach the outside network, so no pass through/relay mechanism is needed on the raspberry pi. The raspberry pi uses dhcpcd.



Cisco remote access VPN

Hi,

Since the pandemic we’ve been relying on remote access vpn heavily but so far these haven’t been reliable. Using Barracuda in one location and Sophos UTM in another. I have calls on a daily basis that are VPN client related. I’m also looking to secure this with Duo MFA.

Is Cisco AnyConnect any more reliable than Barracuda and Sophos? I know it supports Duo but just looking for feedback on how good of a VPN solution this is.

Thanks.



Wi-fi coverage for a condominium complex.



Network upgrade time! What should I do? What would you do?

Hey folks,

I recently upgraded to 1gbps up and 1gbps down and my r7000 is having issues handling the amount of traffic I'm putting through it. Only about 1/3 of the bandwidth can be utilized and it's not a wiring issue and probably not a software issue.

I've been looking at upgrading to a big boy network and now seems like the best time to do so.

Currently the network is as follows:

vlan 1: internet

vlan 2: business network. (2 servers, 1 nas (possibly adding a flash storage nas in the next year), work laptop, work PC

vlan 3: home network. (phones, laptops, tablets)

vlan 4: IOT

vlan 5: guest.

I'm more so worried about the business end of the network and having 10gbps internally between the main PC, Servers and Nas.

My initial thinking was to get a pfsense box and a mikrotik switch and use the r7000 as an AP. This would allow me to get a switch with layer 2/3 features and enough SFP+ and RJ45 to likely handle everything.

Now I'm kind of leaning towards ubiquiti. The dream machine pro looks like a shockingly good product for it's price range, the AP setup seems simple and I could get the 16 port aggregation switch for high bandwidth connections to my PC/build/machine learning servers.

Budget should ideally come in under 3000 Canadian Ruples or $2250 USD.

I guess I'm just looking for verification in my plan and to see if it makes sense. I might hold off on the aggregation switch as I have a 4x SFP+ mikrotik switch to keep the costs down.

I also think I might be torn as I like the idea of using pfsense since it's open source and I like my current mikrotik switch but ubiquiti is just looking nice and easy and comes with the software.



LTE direct need help

I don’t know if this is the right place to post this, please tell me where else to post if not. I’m making an RC plane but can’t ask that subreddit as they don’t know about LTE Direct and complicated coding/networking. My question is how should I go about creating an LTE Direct connection between an iPhone 7 and a Windows computer to essentially form a private network, similar to a private WiFi network not connected to the internet. What hardware should I use, preferably on the cheap side? And what software? I don’t mind doing a bit of coding, I know how to code, just not very skilled on networking and cellular communications. Also, is it possible to establish an LTE Direct network between two phones without any hardware? To share things like sensor data, video and audio? I don’t want to connect my ground station and the plane to the cell towers and internet because the amount of data I want to transfer and the speeds I need could get quite expensive. But it’s free if I go device to device and I don’t need internet access anyway. Also, most phones use SIM cards to get information on how to connect and to get authentication. Is it possible to do this without SIM cards or would I have to make and program SIM cards? Also I’m not too worried about licensing laws and stuff, it’s going to be private and short range in an area where there aren’t many cell towers. It’s not going to bother anybody and I’m not going to get caught using these frequencies without a license. I’m sure there must be legal ways to do LTE Direct but pls do tell either way, hypothetically, how it would be done.



Tallahassee, FL - Where to locally buy cage nuts?

Sorry if this isn't applicable to this group, but I am in town for a job and am trying to find cage nuts for purchase, preferably 10-32 thread, but 10-24 or M6 will do if screws are also available. I can get them delivered to my hotel from Amazon Tuesday, but would like to get them this weekend or early Monday.



Looking for a specific networking handshake talk

I remember watching a very interesting and informative video a few years ago about (I think) TCP handshakes. It was a presentation / lecture style video, not one of these new-age fullstack certification / training videos. The most specific things I remember are that the speaker was a bald white guy and he went into detail about SYN/ACK diagrams and the RFCs that led to TCP.

Does this ring a bell to anyone? Would love to find this video again



TCP and overloaded networks

Is there a TCP function that helps with "fairness" when dealing with overloaded networks? Does that fall under congestion avoidance?
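An added example, not part of the post above: a round-by-round toy model of additive-increase/multiplicative-decrease (AIMD), the rule TCP congestion avoidance follows (grow the window by about one segment per RTT, halve it on loss). It shows two flows that start very unequal converging to an equal share of one bottleneck, and a constant-rate sender that ignores loss keeping its bandwidth while the AIMD flow backs off. Capacities and rates are arbitrary units; the model ignores RTT differences, slow start and queueing, which are assumptions of the example, not the protocol.

```python
"""Added example (not from the original post): two flows sharing one bottleneck
under AIMD, the rule behind TCP congestion avoidance, in a toy per-round model."""


def aimd_share(capacity, rates, rounds, inc=1.0, dec=0.5, responsive=None):
    """Return per-flow rates after `rounds` RTTs.

    Each round every responsive flow adds `inc` to its rate (additive increase).
    When the total exceeds `capacity` the bottleneck drops packets and every
    responsive flow multiplies its rate by `dec` (multiplicative decrease).
    Flows marked unresponsive (think a fixed-rate UDP sender) never adjust,
    so they never yield bandwidth to anyone else."""
    rates = list(rates)
    if responsive is None:
        responsive = [True] * len(rates)
    for _ in range(rounds):
        rates = [r + inc if ok else r for r, ok in zip(rates, responsive)]
        if sum(rates) > capacity:
            rates = [r * dec if ok else r for r, ok in zip(rates, responsive)]
    return rates


def fairness_index(rates):
    """Jain's fairness index: 1.0 when every flow gets the same rate,
    approaching 1/n when one of n flows takes everything."""
    n = len(rates)
    return sum(rates) ** 2 / (n * sum(r * r for r in rates))


if __name__ == "__main__":
    start = [90.0, 2.0]                       # one flow hogging the link at t=0
    end = aimd_share(100.0, start, rounds=200)
    print("start", start, round(fairness_index(start), 3))
    print("end  ", [round(r, 2) for r in end], round(fairness_index(end), 4))
    # an AIMD flow against a 60-unit constant-rate sender on a 100-unit link
    mixed = aimd_share(100.0, [10.0, 60.0], 200, inc=2.0, responsive=[True, False])
    print("mixed", [round(r, 2) for r in mixed], round(fairness_index(mixed), 3))
```

Why it converges: the additive step moves both flows by the same amount, so their difference is unchanged, while each multiplicative step halves the difference. Every loss event therefore pulls the flows closer together, which is the fairness property the question is asking about; it only holds among senders that actually react to loss.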



If you were buying a router today. What would it be?

If you guys were buying a mid grade or inexpensive router today, what would you buy?

There's so much out there and all you hear is bad wifi or disconnects or slow speeds or limited device connections.

What's an all around solid choice you'd make



which antenna should I buy

Hello there. I wanna buy an antenna for a p2p bridge over a 10 km distance. Which antenna should I buy, with how many dBi and what other details?



Best solution to get internet in garage which is far away from home

I have an outdoor 50m Ethernet cable, is there a device I can connect it to, to get WiFi there also?



eBGP routes not being advertised to iBGP peer - Recursive Routing - Mikrotik

Hi everyone,

I am seeking some help with what I believe is a recursive routing issue. I have checked with my Upstream IP Transit provider and they seem to think everything looks good on their end.

I am receiving a Full BGP table from my Upstream IP Transit provider on Router-01 fine. This Router-01 I am receiving the Full BGP table on is an iBGP peer with my other Router-02. The iBGP Router-02 peer is NOT receiving the Full BGP table from Router-01.

If I look at the Mikrotik Routing table for Router-01 I can see the Full BGP table (800k+). The issue is that all of the eBGP routes are marked as 'gateway-status=103.xxx.xxx.94 unreachable'. This doesn't make sense to me since I am able to ICMP/ARP ping the 103.xxx.xxx.94 fine and I can see a Directly Connected route for 103.xxx.xxx.94 via sfp-sfpplus3 in the routing table. There is also an entry in the ARP table for 103.xxx.xxx.94. The sfp-sfpplus3 interface is meant to be directly connected to 103.xxx.xxx.94 via a cross-connect. sfp-sfpplus3 is configured as 103.xxx.xxx.95/31, as you can see it is in the same subnet as the 103.xxx.xxx.94 gateway.

Here is where it gets even more strange. I have a default route to an alternative Internet path (this is how I am currently able to manage my equipment).

0 A S  dst-address=0.0.0.0/0 gateway=221.xxx.xxx.201
       gateway-status=221.xxx.xxx.201 reachable via ether1
       distance=240 scope=30 target-scope=10

If I enable BGP multihop with this eBGP peer I start to learn the 103.xxx.xxx.94 gateway recursively via 221.xxx.xxx.201. The strange thing is 103.xxx.xxx.94 is meant to be directly connected via sfp-sfpplus3 so this doesn't make any sense to me...

17 ADb  dst-address=1.0.133.0/24 gateway=103.xxx.xxx.94
        gateway-status=103.xxx.xxx.94 recursive via 221.xxx.xxx.201 ether1
        distance=20 scope=40 target-scope=30
        bgp-as-path="x,38040,23969" bgp-origin=incomplete
        bgp-communities=19996:19996,x:3,x:104,x:1400,x:11000,x:11001
        received-from=x-eBGP-peer
18 ADb  dst-address=1.0.134.0/24 gateway=103.xxx.xxx.94
        gateway-status=103.xxx.xxx.94 recursive via 221.xxx.xxx.201 ether1
        distance=20 scope=40 target-scope=30
        bgp-as-path="x,38040,23969" bgp-origin=incomplete
        bgp-communities=19996:19996,x:3,x:104,x:1400,x:11000,x:11001
        received-from=x-eBGP-peer

I'll be the first to admit I have a lot to learn when it comes to eBGP/iBGP. I tried adding all static routes I could think of with no luck. I also changed BGP settings (removed filters, Nexthop Choice, Multihop, Update Source) with no luck. The last things I can think of which requires me to visit the Data Centre is that I am not 100% certain the cross-connect sfp-sfpplus3 is plugged into is the correct one. We also purchased Layer 2 Aggregation from them and sfp-sfpplus3 potentially could be plugged into the Layer 2 Aggregation cross-connect. Maybe when I do the ICMP/ARP Ping to 103.xxx.xxx.94 it has been going via my alternative Internet route? The last thing is either the TX/RX need to be swapped around, but if this needed to be done I am not sure how the eBGP session is working fine over it. Also, we confirmed MAC addresses with the Upstream IP Transit provider so I think it should be the correct cross-connect.

If someone could help point me in the right direction that would be great.
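An added example, not from the post above and not a diagnosis of it: a small model of how RouterOS resolves a route's gateway, as the routing manual describes it. The gateway address is looked up with a longest-prefix match, but only routes whose scope is less than or equal to the resolving route's target-scope may be used; a gateway resolved through a connected route shows as "reachable", one resolved through another gateway shows as "recursive via", and a gateway with no qualifying route is "unreachable". The table is constructed, with RFC 5737 addresses standing in for the masked ones, and the interface names are reused from the post only as labels.

```python
"""Added example (not from the original post): RouterOS-style next-hop resolution
with scope/target-scope rules, over a constructed routing table."""
import ipaddress


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def lookup(table, addr, max_scope):
    """Longest-prefix match for addr among routes whose scope <= max_scope."""
    addr = ipaddress.ip_address(addr)
    best = None
    for r in table:
        net = _net(r["dst"])
        if addr in net and r["scope"] <= max_scope:
            if best is None or net.prefixlen > _net(best["dst"]).prefixlen:
                best = r
    return best


def resolve(table, route, max_depth=8):
    """Follow route['gateway'] until it lands on an interface.

    Each hop may only use routes with scope <= the *current* route's
    target-scope. Returns a dict mirroring RouterOS' gateway-status:
    reachable (via a connected route), recursive (via another gateway),
    or unreachable."""
    chain = []
    current = route
    for _ in range(max_depth):
        gw = current["gateway"]
        if not gw[0].isdigit():          # gateway is an interface name: resolved
            status = "reachable" if len(chain) <= 1 else "recursive"
            return {"status": status, "interface": gw, "via": chain}
        nh = lookup(table, gw, current["target_scope"])
        if nh is None:
            return {"status": "unreachable", "interface": None, "via": chain}
        chain.append(gw)
        current = nh
    return {"status": "unreachable", "interface": None, "via": chain}


# Constructed table. 203.0.113.94/31 plays the transit /31, 198.51.100.201 the
# alternate default; scope/target-scope values are the RouterOS defaults for
# connected (10/10), static (30/10) and BGP (40/30) routes.
TABLE = [
    {"dst": "203.0.113.94/31", "gateway": "sfp-sfpplus3", "scope": 10, "target_scope": 10},
    {"dst": "0.0.0.0/0", "gateway": "198.51.100.201", "scope": 30, "target_scope": 10},
    {"dst": "198.51.100.200/30", "gateway": "ether1", "scope": 10, "target_scope": 10},
]
BGP_ROUTE = {"dst": "1.0.133.0/24", "gateway": "203.0.113.94", "scope": 40, "target_scope": 30}
# A static route with the default target-scope of 10 pointing at the same gateway.
STATIC_TS10 = {"dst": "10.0.0.0/8", "gateway": "203.0.113.94", "scope": 30, "target_scope": 10}

if __name__ == "__main__":
    print("with connected /31 :", resolve(TABLE, BGP_ROUTE))
    print("without connected  :", resolve(TABLE[1:], BGP_ROUTE))
    print("static, ts=10      :", resolve(TABLE[1:], STATIC_TS10))
```

With the connected /31 present and active, the BGP gateway resolves directly to sfp-sfpplus3. Take that connected route out of the table and the same gateway resolves through the default route instead, which is exactly the "recursive via ... ether1" form; the static route with target-scope 10 cannot use the scope-30 default at all and goes unreachable. The model says nothing about why a connected route would be absent or inactive on a given router, only how the resolution behaves once it is.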



Dell S4048-ON

Hi!,

I've managed to get a hold of an old pair of S4048-ON switches which are running an old software version, 9.11.2.5p1 from 2017. I don't know a lot about these switches and I don't have a Force10 account and can't create one since they are out of service/warranty.

Does anyone have a link to the latest version 9.14.2.8 for these switches?

Also these switches seem to be able to run OS9 and OS10, are there any real benefits in upgrading?

Thanks!

Z



Friday, September 25, 2020

Can DNS Amplification attacks be performed on DoT or DoH servers?

Hey all.

I was wondering whether DNS Amplification DDoS attacks can happen with DoT or DoH servers. I understand DNS amplification attacks work by sending thousands of DNS requests over UDP with a spoofed IP (of the victim's open DNS resolver), which causes the upstream server to flood the victim's DNS server with replies, essentially DDoSing the victim. Can this spoofing also be done for a TCP connection with DNS-over-TLS (on port 853) or DNS-over-HTTPS (on port 443), and end up DDoSing the victim on those services? An extension of that question is do these attacks work with normal DNS over TCP too, or is this attack only valid over UDP?
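An added example, not part of the post above, modelling the reflection step in both transports. Over UDP the resolver answers whatever source address the query carried, so one small spoofed query yields a large response at the victim. Over TCP the server's first reply is a SYN-ACK carrying its initial sequence number, and that SYN-ACK goes to the spoofed address, not the attacker; without it the attacker cannot produce a valid ACK, the handshake never completes, and the DNS query (for DoT and DoH, even the TLS handshake) is never reached. The DNS messages and the handshake are constructed in memory; the SYN-ACK retransmit count used for the TCP reflection figure is an assumption (Linux defaults to tcp_synack_retries=5; other systems differ), and nothing here touches a network.

```python
"""Added example (not from the original post): why spoofed-source amplification
works against a UDP resolver but not against a DoT/DoH (TCP) listener."""
import random
import struct
from typing import Optional


def build_dns_query(name: str, qtype: int = 255) -> bytes:
    """Minimal DNS query: 12-byte header with RD set, one question. 255 = ANY."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_large_response(query: bytes, txt_records: int = 10, txt_len: int = 200) -> bytes:
    """Constructed answer: echo the question, append txt_records TXT RRs of
    txt_len bytes. Stands in for the big ANY/DNSSEC answers real reflectors give."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, txt_records, 0, 0)
    rdata = bytes([txt_len]) + b"A" * txt_len                      # one character-string
    rr = struct.pack("!HHHIH", 0xC00C, 16, 1, 3600, len(rdata)) + rdata  # ptr, TXT, IN
    return header + query[12:] + rr * txt_records


def udp_amplification(query: bytes, response: bytes) -> float:
    """Bytes landing on the spoofed source per byte the attacker sent: over UDP
    the whole response is delivered to whatever address the query claimed."""
    return len(response) / len(query)


class TcpListener:
    """Server side of a TCP handshake (DoT on 853 and DoH on 443 both start here)."""

    def __init__(self, isn: Optional[int] = None):
        self.isn = random.getrandbits(32) if isn is None else isn
        self.established = False

    def on_syn(self, client_isn: int) -> tuple:
        # SYN-ACK is sent to the SYN's source address: the victim, if spoofed.
        return ("SYN-ACK", self.isn, (client_isn + 1) & 0xFFFFFFFF)

    def on_ack(self, ack_num: int) -> bool:
        # Only an ACK of our ISN+1 completes the handshake; TLS and the DNS query
        # come after this, so a failed handshake never produces a DNS answer.
        self.established = ack_num == ((self.isn + 1) & 0xFFFFFFFF)
        return self.established


def legitimate_handshake(listener: TcpListener, client_isn: int = 1000) -> bool:
    """Real client: sees the SYN-ACK, so it knows the server ISN."""
    _, server_isn, _ = listener.on_syn(client_isn)
    return listener.on_ack((server_isn + 1) & 0xFFFFFFFF)


def spoofed_handshake(listener: TcpListener, guess: Optional[int] = None) -> bool:
    """Spoofing attacker: the SYN-ACK went to the victim, so the server ISN must
    be guessed (1 in 2**32 per attempt). A fixed guess keeps the demo deterministic."""
    listener.on_syn(1000)
    if guess is None:
        guess = random.getrandbits(32)
    return listener.on_ack((guess + 1) & 0xFFFFFFFF)


def syn_reflection_factor(syn_len: int = 60, synack_len: int = 60, synack_retries: int = 5) -> float:
    """What a spoofed SYN does cost the victim: one SYN-ACK plus its retransmits.
    synack_retries is an assumption (Linux default tcp_synack_retries=5)."""
    return (1 + synack_retries) * synack_len / syn_len


if __name__ == "__main__":
    q = build_dns_query("example.com")
    r = build_large_response(q)
    print(f"UDP: {len(q)}-byte query -> {len(r)}-byte answer, x{udp_amplification(q, r):.1f}")
    print("TCP legitimate handshake:", legitimate_handshake(TcpListener()))
    print("TCP spoofed handshake:   ", spoofed_handshake(TcpListener()))
    print(f"TCP SYN reflection: about x{syn_reflection_factor():.0f}, no DNS payload")
```

The TCP case is not free for the victim: it still receives the SYN-ACK retransmissions, which is a small, fixed reflection with no amplification from the DNS payload, and the same holds for plain DNS over TCP on port 53. The large-answer amplification the question describes needs the connectionless transport.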



Honest Question: CLI vs GUI and why?

I am a student learning the ways of CLI management and administration on Cisco stuff through their networking academy. I also buy cheaper/used stuff on the side for lab purposes to see what it's like using other networking stuff, as well as finding videos online for more expensive equipment. I've come to see that a lot of newer networking stuff uses predominantly GUI, such as Cisco WLCs and APs and switches and routers (though there are the usual options for CLI management as well, but their GUI has come very far), all variety of Netgear stuff (high and low end), Ubiquiti, Fortinet firewalls, HP and Dell, etc etc, the list goes on. So this makes me wonder, what do you, the people of r/networking, prefer and why? And which do you think will be more widely used in the future?



Is there any way to link them or fix the issues?

Network situation: I need to build a W12 server environment. In that I have to build an app, a "reporting system". Now the teachers demand that I work with SQL Server and Access. But I already worked with phpMyAdmin. Now I have to search for a way to link PHP with SQL on the same server. For Microsoft Access, I will just get an export of the database and then link it or so.

Also, right now I worked with XAMPP and in the Apache config I put the server IP. Now I try to access the app via a client but it doesn't work. When I change the localhost to an IP in the wp config, it won't open in the client. I can access the port and see the directory, but I can't open the folder with the app. I think the problem lies in the wp config but idk how to tackle that.

I worked with a VPN network from ZeroTier. And the client and server have communication (I pinged and got replies).

Any links/ideas?



Corning Unicam fiber terminating kits - what fiber to buy for these?

My work recently gave me some Corning Unicam kits for terminating fiber. (I think it's this kit)

We already have the test equipment (e.g. fiber scopes, OLTS, OTDRs etc.)

We are using single-mode UPC fiber, with duplex LC, and 10Gbase-LR and 100Gbase-LR4 for networking.

I read several other posts which seem to discourage terminating your own fiber, and just to hire a contractor.

Assuming we already have the kits and test equipment - is this still worth pursuing?

What fiber do I need to buy, in order to use with the Corning Unicam kits?

Sorry if this is a naive question - but I assume there's just some raw cable on a spool I can roll out, to cut and splice on these ends?



ISP Network Upgrade

I work for a small ISP with around 6000+ customers. We are planning to rebuild the infrastructure, you can say upgrade if you want to. The thing is, we want to provide 1Gbps for VPN/Internet connectivity per customer (the actual average per customer is 10Mbps), yeah, we want to take a pretty big step. But the budget is pretty limited. So it must be at the lowest cost possible. So, what gear do you recommend looking at? It could be used, refurbished, or even new, from any vendor worldwide.

It is a MPLS ring topology, so I think we'll need around 10+ switch/router 100Gb capable. For the customer side or CPE switch/router, any 1G/10G as cheap as possible.

I'll appreciate any advice.



Noob question about routing/DNS

I have Frontier FIOS and love it. It's been nothing but great and cheap but today I came home and noticed my network was up but no pages would load so I looked at my router's logs and noticed somewhere around ~10 hours ago things went wrong with their DNS servers so I hopped on my desktop to check and same problem even though I have it configured to use Cloudflare's 1.1.1.1 service (my laptop is set to use automatic, so Frontier's). Within a minute or less Frontier's servers went back online after that so this outage didn't really affect me but now I'm stuck wondering why my desktop couldn't resolve domain names. Does my router's settings trump any OS level config or what's going on here? Edit: I realize this is for enterprise networking so if there is a better sub fit for this question please redirect me. I appreciate the help!



Moxa - Disable SFP vendor lock-in

Hey there,

I'm evaluating a Moxa hardened switch (EDS-G512E).

Naturally, the manufacturer locks compatibility to optics with the right ID. -_-

Does anyone know of a command similar to 'service unsupported-transceiver' that works on these things? Worst case I buy a couple Moxa flashed optics.

Thank you kindly for any insights.



Tainted IP Address? New Leases? IP Bans? How does it work

Hello,

So I've been trying to look around on Google before deciding to ask for your help here.

I was wondering how IP bans work if most IPs are assigned dynamically anyway; if someone were to get IP banned on IP address A, would it be tainted for its new lease?

Or does every new IP address lease come as a clean slate? How do they keep track of this?

Side question, I heard that you could change your IP address by changing the MAC address of your modem or router? I'm not sure which it was, and then letting the DHCP lease renew. Is this accurate information?

Thanks in advance,

TechieWasteLAN



Packet loss troubleshooting

Hi, I'm not the most tech savvy person but I'm doing my best. I've noticed web pages loading slowly on all of my devices, but when I switch to a VPN or use mobile data I have no issues. After doing some pings I've figured out I'm having a lot of packet loss. What steps can I take to solve this issue? My ISP thinks it's my router, but if I'm using a VPN with zero issues it's still going through the same router, right? So would that really be the issue?



ASR 920 - Not reaching outside my VLAN.

I can ping the default gateway and vice versa, but when I try to ping from other VLANs I can't reach the ASR 920.

The network only uses Layer 2 capabilities, so I don't have IP addresses on the interfaces; I enabled BDI 10 for troubleshooting.

I have a switch with Cisco IOS and I can reach it without problem. Is the BDI interface the correct way to have an admin IP? Any suggestion?

Ex. PC1 can ping ASR 920 and Cisco ME.

PC2 can ping Cisco ME but no ASR 920

Config ASR:

interface GigabitEthernet0/0/1
 description to Core
 no ip address
 load-interval 30
 negotiation auto
 cdp enable
 service instance trunk 30 ethernet
  encapsulation dot1q 1,10,20
  rewrite ingress tag pop 1 symmetric
  l2protocol peer cdp stp udld
  bridge-domain from-encapsulation
!
interface BDI10
 description Interfaz para administracion
 ip address 10.0.1.10 255.255.255.0
 encapsulation dot1Q 10
!
ip default-gateway 10.0.1.1
ip forward-protocol nd

CISCO ME:

interface GigabitEthernet0/1
 port-type nni
 switchport mode trunk
 switchport trunk allowed vlan 10
 load-interval 30
!
interface Vlan10
 ip address 10.0.1.20 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.0.1.1



Fiber Loss

I have recently got a new ISP connection and I'm facing constant losses and complete network drops the whole day.

My ISP says things are fine from his end. So I started to dig up and found that my Rx Value is -23dBm which I guess is bit high but fine?

Is there by any chance a link between the high Rx and the loss? I have even read that inserting a paper between the PON input and the ONU can help reduce the Rx. Will this make my connection stable?



Radio Mesh and Client Traffic both on 5.8Ghz

I'm implementing a Cisco-based network for an industrial application. APs are going to be dual-band 2.4/5.8 GHz. The 2.4 GHz band needs to be reserved for some mission-critical automation communication. I need to implement a temporary battery-powered node in certain volatile areas, and plan to mesh-connect it to the last SFP hardwired node.

My question: can I mesh and transmit client traffic both on the 5.8 GHz frequency without causing issues? What kind of issues might I face? I have to assume interference will be one, especially because my application has extremely high signal reflection due to small enclosed spaces.



Cisco Prime Bandwidth Monitoring

I have 3 interfaces (from the same switch) in a port group with a monitoring policy applied. Seemingly at random, about a week ago Prime stopped recording utilization data for one of the 3 interfaces. Any thoughts on where to start troubleshooting?



Advice on splitting up an Office Network between multiple new locations / COLO

Long story short, our company is looking at moving our office to a building that makes more sense for our company size (we are greatly undersized for our current building). The logistics of the market dictate that we might not be able to find office and warehouse space in the same location, and that we might not be able to move both spaces at the same time.

This has led our IT team to decide that we are going to look at co-locating most of our network infrastructure at a hosted datacenter.

This excludes the obviously necessary gear for each of the new sites: firewall, router / layer 3 switches, wireless controller and APs, etc. We will be purchasing all new gear for both new site locations, as most of our internal infrastructure is old.

Currently our internal network addresses fall inside the 10.0.0.0/8 network.

Some equipment will go to either of the 2 new office locations, most will be in the COLO Datacenter.

Due to this split, obviously we would have overlap on subnets/IPs, which of course we could get around with NAT, but would a cleaner way be to simply re-IP the few devices going to the new office locations and carve out subnets for each, either in 172.16.0.0/12 or 192.168.0.0/16?

The only networking devices needed at each new site would be a physical domain controller / DNS / DHCP (single box), a wireless controller + APs, and some new switches.

We aren't looking into private circuits between locations due to cost, so we will be relying on a site-to-site tunnel between FortiGates at each location.

Has anyone been through a process similar to this and have advice / lessons learned on what to avoid during such an undertaking?

Thank you all!



Connecting multiple fiber connections between buildings on campus

Hi all,

I have to connect about 20 fiber connections between three buildings on our campus. I'll have the fiber terminated into patch panels, but I need to convert them to Ethernet. I'm wondering if you have recommendations on the hardware to do this.

I've used stand-alone transceivers in the past, but only for a couple of connections. Now that I have more connections, I'm thinking transceivers are not the best way to go.



Does a MUX need config

Started a new job at a company that has a lot of very legacy gear, particularly a Turin Networks "Wide Bank 28 DS3 Multiplexer", used for our VoIP solution. My question is as follows: does a MUX typically need configuration of any sort, or, since it's just multiple inputs and one output, does it just function based on which ports are plugged in, and where?

Never done anything like this before, happily. SIP trunks are the way to go, not a multitude of T1s as we're doing here.



Wireless Mesh Network WMN node, simply a repeater or a switch as well?

Does the WMN node itself switch and route data within a subnet (it doesn't have to return to a physical switch), or does it only relay data BACK to a switch which gives it instructions on where to send the packets? I.e., is it simply an advanced set of communicating repeaters, or is it intelligent and functions as a switch?



Recommendation for small VPN router with port security

Hello, I'm trying to set up a tunnel between a remote device that is not capable of VPN and the main office. I need the remote side (router/firewall) to have built-in port security (MAC filtering). I tried the RV160 from Cisco, but it only has 802.1X, which would require a RADIUS server on the remote end. I really only need 1 LAN port. The remote end would also have a dynamic IP and be behind a firewall.

The concern is that if the remote termination device (router/firewall) is stolen or lost, no one can just plug it in anywhere and have a connection back to the main office until something can be done to cut access.



Solar PTP or PTMP

Has anyone found any good solar-based PTP or PTMP radios? Or solar panels and NEMA setups for PTP/PTMP?

We have to install some IP cameras at a couple of locations between 400 and 1000 feet from the nearest switches, and we're looking into some UniFi stuff. BUT the locations have no power nearby.

Any suggestions?



Anyone seeing an increase in DNS traffic

We've seen a general increase in DNS traffic over the last week, probably about 10% up. Anyone else seeing the same?



Cisco Router to Unifi Dream Machine Pro via SFP(+)

My ISP (BT In the UK) has provided a Cisco 4400 Series router for their 1G FTTP Leased Line. This is managed by them.

I'd like to connect this to my Dream Machine Pro via SFP Port 10. This will then free up port 9 which will allow me to set up a WAN Failover.

At the minute I am connected from the Cisco to port 9 of the Dream Machine Pro via Ethernet and all is good.

I have a spare one of these cables that I used to connect to my UniFi 48 PoE switches; this all works well.

https://www.amazon.co.uk/gp/product/B01H6EOI2I/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1

I was thinking it might have worked between the Cisco and the Dream Machine Pro, but no luck.

What cables / modules do I need to do this, i.e., what will work with both?

Thanks



SMB working incredibly slow.

Hello, I made a post a few weeks ago - https://www.reddit.com/r/sysadmin/comments/ikihzj/bad_performance_of_software_after_upgrading_from/ - but the issue still exists.

Long story short: after updating desktops to Windows 10, a piece of software which communicates with the NTFS storage (clustered share) started performing really slowly (the PCs have okay hardware); nothing else was changed on the server, storage or network. A lot of things were tried in the process of troubleshooting the client: updating drivers, a fresh install of Windows 10, reinstalling the software, messing with the registry, trying other versions of SMB, etc.

As I monitor with Task Manager and Wireshark during the freeze, I've noticed a few things:

Any tips or ideas for resolving or troubleshooting this issue will be strongly appreciated, thanks!



Cloud PKI

Hey everyone.

I'm managing a project regarding certificate authentication to our networks using RADIUS, PKI and our Meraki. Still very new to certificates.

Getting a PKI seems crazy expensive; we're looking for 800 device certificates, and it seems to be impossible to get below 15.000 dollars. Anyone got any recommendations of any kind to reduce costs?



ASA being targeted

We have an ASA 5512 that seems to be under attack frequently. We monitor memory and CPU but see nothing out of the ordinary; it's just that from time to time the device is flooded with TCP packets from various sources.

The only thing we can do is reboot the device, which now happens every month; since it is located in a DC, we have to pay $250 for an engineer to do it for us.

I would like some pointers as to what to do. The device is used as a VPN concentrator and also as a FW in front of a file server (not published publicly, only accessible from our LAN segment).

I have looked online for DDoS protection settings, but I can only find TCP SYN settings, and they seem to protect servers that are published rather than the ASA itself:

class-map tcp_syn
 match port tcp eq 80
 exit
policy-map tcpmap
 class tcp_syn
  set connection conn-max 100
  set connection embryonic-conn-max 200
  set connection per-client-embryonic-max 10
  set connection per-client-max 5
  set connection random-sequence-number enable
  set connection timeout embryonic 0:0:45
  set connection timeout half-closed 0:25:0
  set connection timeout tcp 2:0:0
  exit
 exit
service-policy tcpmap global

Should we look at a Cloudflare type of service, or are there other first-response things we can do?



Struggling with learning the basics, need help with some static routing

Just need some pointers on static routing and what IOS commands to use.

Attached is an image of a question from a quiz with some network topology. I've been struggling to pick up the basics, so any tips would be greatly appreciated.

https://imgur.com/a/7U5JIbC



Thursday, September 24, 2020

Trying to connect to an IP Phone

If I bring my laptop to work and use it to study and do homework in the 7 hours of downtime I have, by connecting it to the access port on a Cisco cp7861, should I expect internet access? Should I just ask networking? I would definitely not be compromised. I would buy a fresh laptop and practice safe internet protocols.



Question about anycast addresses

My understanding of anycast is that it selects the topologically nearest node for connection.

I've heard others say it connects to the geographically nearest node...

Is there a difference between the words "topologically" and "geographically" when it comes to anycast addresses?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



I would like to learn fiber and ethernet cable installation

I am a network engineer with over 10 years of experience. I have always wanted to start my own company and of late, I have given it much thought. At my job, I hire a lot of cable installers as well as field hands and support folks for remote sites. I would like to enter the market but with enough understanding of cabling because that's where the money starts.

How do I learn the physical cabling? I am interested in fiber and ethernet pulls and splicing. I can do everything else networking.

I am targeting Austin metro area.

I appreciate your help.



Topology Discuss - GRE Tunnel Services - Layer2 and Layer3

Guys,

I provide GRE tunnel Layer 2 and Layer 3 services over the internet.

The basic topology is mostly star: a GRE tunnel concentrator device aggregates the customer-end tunnels into one broadcast domain (bridge).

I have added another concentrator in different AS to minimize BGP route flapping.

RSTP does elect a root port and an alternate port, so the Layer 2 topology would be like this - https://imgur.com/572YUI9 - so when there is route flapping there is minimal impact. But Spanning Tree does not handle packet loss, so I designed an algorithm to handle packet loss and disable tunnels based on what percentage of packets are lost.

In Layer 3 services, routes are transported between nodes via OSPF.
OSPF was not designed to do this; even though it "works", the OSPF domain gets LSAs from other entities through OSPF, which could lead to unexpected behavior.

An overview of the topology is here - https://imgur.com/qmLNeOq

Those projects were already implemented when I got into this company; I did some upgrades and am planning to

I'm studying to implement VPLS, Layer 2 and Layer 3. The only issue is I'm not sure about how MPLS handles more than one label switched path.

So the discussion is, what do you guys think would be a better topology/protocols?



Need to create a private vlan on an existing network. I have some questions.

I am currently managing an existing network with 3 vlans. We have about 25 nodes.

I need to create a private vlan with the following requirements:

  • None of the devices on the private vlan will need access to the internet.
  • The devices should only be able to talk to themselves. No other devices in any other vlan should be able to communicate with the private devices and vice versa.
  • This needs to be done using existing ports/fiber connections.

What I've done so far:

  • Created the private vlans on one of the switches. I created vlan 68 with the following config: private-vlan primary | private-vlan association 69.
  • Created the isolated private vlan 69 with the following config: private-vlan isolated
  • Configured one port with the following config: switchport private-vlan host-association 68 69 | switchport mode private-vlan host

My questions:

How do I set up the uplink port so that it works with our current vlans and the private-vlans? I've already done the following:

  • switchport trunk allowed vlan #,#,#
  • switchport private-vlan association mapping 68 69
  • switchport private-vlan mapping 68 69

When I try the following command (switchport mode private-vlan promiscuous) I lose connection to the switch. The log says there is a native VLAN mismatch.

I cannot find any workable command that specifies the native VLAN for that port. Our primary VLAN on our network for all machines is 3, but on each port the native VLAN is 1.

When I do a show interface *** switchport, it says the native VLAN is 1, just like the other ports.

What am I missing here?



Escaping from Cisco - Alternatives ?

So I bet this topic has been brought up many times, but I'd like to hear your opinion. I am architecting a network and, being as small as it is, it will have a Fortinet NGFW doing security and routing, being the gateway towards the ISP, and an L3 switch to have servers, backup, cameras, VMware cluster etc. segmented.

I went straight for a Cisco switch, but the latest models are kind of a pain in the arse when it comes to licensing costs and maintenance. Basically it's like once you buy a device you will never stop paying for it.

I've heard of alternatives like Aruba and others. Has anyone escaped the Cisco ties and had a wonderful experience? Please share!



Firepower 2140 ASA & Multi Context - Any Issues?

We bought two FP2140s over a year ago. Found out how much of a dumpster fire FP is (thank you r/networking!) and decided to implement PAN instead.

I am now reconfiguring these two boxes with ASA only. They will be our VPN endpoint and may replace our perimeter 5516-X in the future. We also have a small FW that serves as an endpoint for vendor IPSEC connections that I might integrate into this.

Has anyone had issues with FP2140s running ASA in multi-context mode? Especially with VPN? I remember VPN wasn't supported in multi-context in the past. Anything else they don't support?

I'm also trying to decide if it's even worth it to run separate contexts for the perimeter FW, the AnyConnect VPN endpoint and the IPsec VPN endpoints, or whether it is better to simply run all these functions in a single context with different interfaces (the 2140 isn't lacking in interfaces).

Multiple contexts can get complicated and be a management hassle. I don't know if separating these duties into different contexts will provide any extra security.

Who combines their perimeter & VPN into a single firewall cluster?

I'm also going to ask Cisco about this. It's good to have some real-world experiences to keep them honest.



Dell switching?

I'm wondering if anyone is using Dell switching and how your experience has been. I haven't been impressed with the price point for Cisco and Aruba campus switches. Insight into campus and core switching would be greatly appreciated.



Modem surge protection - RJ11 line-in or RJ45 line out?

Toasted!

For the 2nd time in a year, lightning burned our router, amongst other devices.

We know that nothing can stop lightning, but we want to protect our equipment as much as possible.

Lightning comes into the rack from the phone lines, as we have surge protectors on the electricity lines, plus multiple UPSs with stabilizers.

As we have multiple VDSL lines (100 Mb/s), we're wondering if it is better to protect the line-in to the modem (RJ11), risking signal degradation, or to go for an Ethernet RJ45 surge protector on the modem output.

Any brand/model suggestion? We need 5.



Dependent packet routing on Windows devices

Hi all,

We're using Check Point Endpoint Security as our VPN solution. Is there a way to do some configuration in Windows to route traffic from given applications / ports / to a given network address using a different adapter? Unfortunately, when connected to the VPN network, it's not possible to establish an RDP connection from a private network to that notebook.

Thanks



Eve-NG Google Cloud

Hi,

Has anyone been able to make a connection to the internet from their devices in an EVE-NG topology in Google Cloud?

My EVE-NG instance has a nic0 with an IP of 192.168.2.55/24 and a default gateway of .1. When I SSH into the instance I can ping the outside, no problem. Now when I create a lab and connect my device (G0/0) to Cloud0 in EVE-NG, I give G0/0 an IP address of 192.168.2.22/24 and ip route 0.0.0.0 0.0.0.0 192.168.2.1. I can ping my EVE-NG instance (.55) but I cannot ping the outside. I can also ping other devices in the same VPC (192.168.2.0/24).

I'm new to Google Cloud, but I guess the gateway (.1) has a 1-to-1 NAT rule for the 192.168.2.55 address, so it blocks everything else in that subnet. The packet arrives at the gateway with a source IP of 192.168.2.22, so it gets denied. That's just a guess; maybe it doesn't work like that. Like I said, I'm new to cloud stuff.

Any ideas?

Thx!



How do I configure Cisco IOS - DNAT static range to range mapping

Hi guys,

I'm required to move a FW VIP address range (Fortinet) that does a DNAT from one IP range to another.

For example: 10.10.10.5 - 230 mapped to 10.20.10.5 - 230. The mapping should be static (one to one, accordingly).

I've tried to figure out how I can make this work with Cisco, but I'm stuck.

Any help appreciated.



IP Design

First of all, sorry for bad English.

Currently, we have a "quick & dirty" network environment. I have the task to change it.

So, I want to split our network into several segments like:

Clients 192.168.10.0/24

Server 192.168.20.0/24

Backup 192.168.30.0/24

(..just as an example)

For each network a gateway will be configured on our Sophos XG. For some networks I need to create a VLAN.

Is this practical? Or is there a good IP address cookbook for IP segmentation?

I need some advice.



Dynamic VLANs Question

Hi there everyone!

Just hoping some of you wizards could assist me with a question regarding dynamic VLAN assignment on Juniper EX switches. If it helps, we would be using Cisco ISE as the Authentication Server.

I've been reading a deployment guide that states you must configure as follows... (I've cut out the set protocols dot1x and set access radius-server stuff to keep post brief)

  1. set interfaces ge-x/x/x unit 0 family ethernet-switching vlan members internal
  2. set ethernet-switching-options voip interface ge-x/x/x vlan voice
  3. set vlans internal vlan-id xxxx
  4. set vlans voice vlan-id xxxx

I was under the impression that the whole reason for dynamic VLANs was to analyse the device per a specific set of attributes (e.g. MAC, IP, etc.) and then assign a VLAN based on those; however, if you configure the interface with lines 1 and 2, surely this defeats the objective of examining those properties?

Can somebody help explain to me where my understanding is wrong on dynamic VLANs?

Unsure if this is just a Juniper-only thing, or whether the configuration follows suit across Cisco, Brocade, etc.

Ever grateful for your responses,

Thanks so much!



Question: Moving Cisco LWAP from one WLC to the other by CLI in bulk

I would like to move approx. 150 LWAPs from one WLC to the other (without Cisco Prime). I would prefer to do this by CLI and in bulk (I have a CSV with all 150 LWAP AP names).

As I see it, I have two options:

1) Copy paste "capwap ap primary-base <WLC-sysname> <IP-address>" 150 times.

2) Write an Ansible-Playbook.

Am I missing something? Is there an easy way to use the CLI with a csv or something like this?



bgp anycast and two act-act sites stretched cluster

Good morning, I am evaluating (and trying to wrap my head around) the pros and cons of having a generic application cluster (say DB, web server, whatever) with one node in site 1 and the second in site 2, internally connected to allow replication of local data/SAN, and on the WAN side each site is announcing a /24 with BGP voodoo to accept external requests.

In case the L2 goes down, will the two nodes be in split brain? Is this an application/middleware problem more than a possible networking solution?

I mean, is it better to think about it as two monolithic sites, each one with its own middleware, and try to sync them in some other way? For example, I think AWS suggests making the application site-fault resilient by deploying two different single nodes and then load balancing them with DNS?

Am I saying something terribly wrong? How do the big boys do this stuff?

thank you!



Wednesday, September 23, 2020

Random broadcast from UAP ports

I'm asking for tips & tricks to troubleshoot our customer's (senior high school) WiFi problem.

We are using Aruba 2540-48G-PoE switches and UniFi UAP-PRO/HD/SHD at our site. We have configured fault-finder broadcast-storm limit (warn & disable 600 pps 300) on our switches. During a normal school day one or two ports get closed randomly by fault-finder and broadcast-storm. And it's always the port where an access point is connected. So I'm suspecting that the device sending broadcasts could be a student's laptop or something else. This started happening last week, and we haven't made any changes to the network.

So I decided to mirror and monitor those AP ports with Wireshark. Now I have captured a few gigs of logs from them, and managed to get logs from the port where the broadcast storm was happening. So I'm asking for advice: what do I need to filter out from those logs to get closer to my suspected device?

If i forgot to mention something that needs to be said, please do tell me.
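An added example (not from the original post) of the kind of filtering asked for above, in Python: it counts broadcast frames per source MAC per one-second bucket in a tshark field export of the mirrored AP port and flags any source above the 600 pps figure the post mentions. The export format, the MAC addresses and the traffic are constructed assumptions, not real capture data.

```python
"""Find the source MAC behind a broadcast storm in a mirrored-port capture.

Added example, not part of the original post.  Assumed input: a tshark field
export of the mirrored AP port,
  tshark -r ap-port.pcap -T fields -e frame.time_epoch -e eth.src -e eth.dst
one "<epoch>\t<src mac>\t<dst mac>" line per frame.  Because the AP bridges,
eth.src on the wired side is the wireless client's own MAC, which is what we
want to identify.  The sample traffic built below is constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Counts = Dict[str, Dict[int, int]]   # src mac -> one-second bucket -> frames


def constructed_sample() -> List[str]:
    """Synthetic export: a printer at 3 broadcasts/s, unicast noise, one storm."""
    t0 = 1600000000.0
    lines: List[str] = []
    for i in range(30):                     # printer: 3 pps for 10 s (normal)
        lines.append(f"{t0 + i / 3:.6f}\t00:11:22:33:44:55\t{BROADCAST}")
    for i in range(50):                     # unicast traffic: must be ignored
        lines.append(f"{t0 + i / 5:.6f}\taa:bb:cc:dd:ee:01\t00:11:22:33:44:55")
    for i in range(800):                    # storm: 800 broadcasts in one second
        lines.append(f"{t0 + 4 + i / 800:.6f}\t66:77:88:99:aa:bb\t{BROADCAST}")
    return lines


def parse_line(line: str) -> Tuple[float, str, str]:
    """One export line -> (timestamp, src mac, dst mac)."""
    ts, src, dst = line.rstrip("\n").split("\t")[:3]
    return float(ts), src.lower(), dst.lower()


def broadcast_counts(lines: List[str], bucket_seconds: float = 1.0) -> Counts:
    """Broadcast frames per source MAC per time bucket; unicast is skipped."""
    counts: Counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst = parse_line(line)
        if dst == BROADCAST:
            counts[src][int(ts // bucket_seconds)] += 1
    return counts


def storm_sources(lines: List[str], threshold_pps: int = 600) -> List[Tuple[str, int, int]]:
    """(src mac, peak pps, bucket start) for every source above the threshold,
    busiest first.  The default mirrors the switch's fault-finder limit."""
    hits = []
    for src, buckets in broadcast_counts(lines).items():
        bucket, peak = max(buckets.items(), key=lambda kv: kv[1])
        if peak > threshold_pps:
            hits.append((src, peak, bucket))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def top_talkers(lines: List[str], n: int = 3) -> List[Tuple[str, int]]:
    """Total broadcast frames per source, largest first (useful below threshold)."""
    totals = {src: sum(b.values()) for src, b in broadcast_counts(lines).items()}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def wireshark_filter(src: str) -> str:
    """Display filter to pull that station's broadcasts out of the big capture."""
    return f"eth.src == {src} && eth.dst == {BROADCAST}"


if __name__ == "__main__":
    sample = constructed_sample()
    for src, peak, bucket in storm_sources(sample):
        print(f"{src}: {peak} broadcasts/s at {bucket}  filter: {wireshark_filter(src)}")
```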



DHCP handshake failure on certain VLANs. No IP address leased, thus no connectivity.

Hi:

Hope you guys/gals are doing fine. I'm here to seek some ideas from you... here is the situation:

Simplified network diagram - Note: I omitted a lot of other switches/aps/clients that are irrelevant for this question.

Simplified Network Diagram

Notes: All APs are broadcasting all VLANs (except voice). The SonicWALL is doing the routing.

Problem:

Devices trying to connect wirelessly (through the APs) to any network that is not the native one do not get a DHCP lease (DHCP handshake not happening).

This happens on AP1, AP2, AP3, and AP5. AP4 is fine. AP6 is fine.

Tests:

1) Switch 1 -> Wireless devices connect successfully to the Corp VLAN, but not to the rest. Changed the switchport to the MM VLAN, then used AP1 to connect a wireless device to all VLANs being broadcast. Connection happened successfully. Of course, I was getting IPs within the MM VLAN range (since the switchport was set to the MM VLAN only, for testing purposes). Here I'm thinking OK, the MM VLAN is reachable.

Repeated the same process, but changed the switchport to the Volunteer VLAN only. Wireless devices connect successfully but get an IP from within the Volunteer subnet. This is OK since I set the port to that particular subnet.

Conclusion: maybe this is a problem with the trunk? Checked the switch configuration and it was OK. All relevant ports were set to trunk.

2) Switch 1 -> Removed the AP from interface X4, and connected a laptop using a Cat cable. Everything works fine, no matter what VLAN I set the switchport to (trunk or non-trunk). I can reach all devices no matter which VLAN they reside on, which makes sense since the SonicWALL is routing my requests.

3) Switch 1 -> Set up an unused port as trunk, then connected AP1 to that port. Wireless devices are able to connect to ANY VLAN. This is the behavior that I'm expecting. I'm thinking that maybe the previous switchport was not behaving correctly.

4) Switch 1 -> Set up another unused port as trunk, then connected AP1 to that port. Same issue. Wireless devices can only connect to the Corp VLAN. All other broadcast VLANs can't get the DHCP handshake finished.

5) Took AP1 to SW3. Opened a port as trunk. Everything works fine.

All the APs on SW3 work fine, no problem.

AP4 lets devices that want to connect to the MM VLAN get an IP address. The only difference is that the switchport AP4 is connected to is set to MM, not to trunk.

The rest of my conclusions:

1) SW4 works OK. If it were not working OK, or there were a problem with the trunk, why did test number 3 work fine?

2) Not an issue of the APs, since I tested them plugged into SW3 and they work OK.

While using AP1 for running tests, I captured some traffic with Wireshark. It seems that when I try to connect a wireless device to any broadcast network other than Corp, I only get DHCP Discover messages.

DHCP handshake failure - Wireshark

If I run the same test but this time connect to the Corp network, I get the DHCP Discover, Request, and Acknowledge. Thus I get an IP address and everything works fine. In this test, I first tried to connect to MM, then to Corp, back and forth. That is why you see lots of Discovers, then Offers, then Discovers again, etc.

Another Wireshark capture

I apologize if I was not clear enough. Feel free to ask any questions. All switches are UniFi (I HATE them). APs are UniFi too.

I would appreciate any guidance you can give!
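As an added example (not part of the original post), the capture comparison described above done programmatically: group the DHCP frames of a tshark field export by VLAN tag and transaction id, then report per VLAN whether exchanges stop at Discover, stop at Offer, or complete with an ACK. The export fields and the sample frames are constructed assumptions; VLAN ids 10/20/30 stand in for the post's Corp/MM/Volunteer VLANs.

```python
"""Per-VLAN DHCP transaction state from a tshark field export.

Added example, not part of the original post.  Assumed export command:
  tshark -r ap-port.pcap -Y dhcp -T fields -e frame.time_epoch -e vlan.id \
      -e dhcp.option.dhcp -e dhcp.id -e eth.src
giving one tab-separated line per frame; vlan.id is empty for untagged frames.
SAMPLE_EXPORT below is constructed, not a real capture.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Option 53 (DHCP message type) values as tshark prints them
DHCP_TYPE = {"1": "DISCOVER", "2": "OFFER", "3": "REQUEST", "5": "ACK", "6": "NAK"}

# Constructed sample: VLAN 10 completes, VLAN 20 only ever sees Discover
# (the symptom in the post), VLAN 30 gets an Offer but never an ACK.
SAMPLE_EXPORT = (
    "1600000000.000000\t10\t1\t0x00001111\t3c:22:fb:aa:bb:01\n"
    "1600000000.004000\t10\t2\t0x00001111\t00:50:56:c0:00:08\n"
    "1600000000.006000\t10\t3\t0x00001111\t3c:22:fb:aa:bb:01\n"
    "1600000000.010000\t10\t5\t0x00001111\t00:50:56:c0:00:08\n"
    "1600000003.000000\t20\t1\t0x00002222\t3c:22:fb:aa:bb:02\n"
    "1600000004.000000\t20\t1\t0x00002222\t3c:22:fb:aa:bb:02\n"
    "1600000006.000000\t20\t1\t0x00002222\t3c:22:fb:aa:bb:02\n"
    "1600000010.000000\t20\t1\t0x00002222\t3c:22:fb:aa:bb:02\n"
    "1600000012.000000\t30\t1\t0x00003333\t3c:22:fb:aa:bb:03\n"
    "1600000012.004000\t30\t2\t0x00003333\t00:50:56:c0:00:08\n"
)

Frame = Tuple[float, str, str, str, str]   # ts, vlan, msg type, xid, src mac


def parse_export(text: str) -> List[Frame]:
    """Turn the tab-separated export into typed frame tuples."""
    frames: List[Frame] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, vlan, mtype, xid, src = (line.split("\t") + [""] * 5)[:5]   # pad short lines
        frames.append((float(ts), vlan or "untagged",
                       DHCP_TYPE.get(mtype, "OTHER"), xid, src.lower()))
    return frames


def transactions(frames: List[Frame]) -> Dict[Tuple[str, str], Set[str]]:
    """Group message types by (VLAN, transaction id): one DHCP exchange each.
    Retransmitted Discovers share the xid, so they collapse into one exchange."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for _, vlan, mtype, xid, _ in frames:
        seen[(vlan, xid)].add(mtype)
    return seen


def stage(types: Set[str]) -> str:
    """How far a single exchange got."""
    if "ACK" in types:
        return "complete"
    if "NAK" in types:
        return "nak"
    if "OFFER" in types:
        return "offer-no-ack"
    if "DISCOVER" in types:
        return "discover-only"
    return "unknown"


def per_vlan(frames: List[Frame]) -> Dict[str, Dict[str, int]]:
    """Count exchanges per VLAN by the stage they reached."""
    out: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for (vlan, _), types in transactions(frames).items():
        out[vlan][stage(types)] += 1
    return {vlan: dict(counts) for vlan, counts in out.items()}


def verdict(stages: Dict[str, int]) -> str:
    """Short diagnosis for one VLAN from its stage counts."""
    complete = stages.get("complete", 0)
    discover = stages.get("discover-only", 0)
    offered = stages.get("offer-no-ack", 0)
    if complete and not discover and not offered:
        return "ok"
    if discover and not complete and not offered:
        # Client broadcasts reach the wire but nothing answers on this tag:
        # look at trunk tagging / DHCP relay toward the server for this VLAN.
        return "no server reply: check trunk tagging or relay for this VLAN"
    if offered and not complete:
        return "server offers but lease never acknowledged: check return path or client"
    return "mixed: inspect transactions individually"


def report(text: str) -> Dict[str, str]:
    """VLAN -> verdict, for the whole export."""
    return {vlan: verdict(st) for vlan, st in per_vlan(parse_export(text)).items()}


if __name__ == "__main__":
    for vlan, result in report(SAMPLE_EXPORT).items():
        print(f"VLAN {vlan}: {result}")
```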



Singlewire Paging Gateway on remote network

So we have typically used multicast over GRE/IPsec, and we just got our first Paging GW. I know it does the unicast-to-multicast conversion. I have this thing all set up; it's registered/talking with our InformaCast paging server. The PGW device website shows hundreds of attempts, all successful, but I'm not sure what that means. It seems that from the server to the PGW, we are talking.

This device is sitting on the voice VLAN at this site. My understanding was that it would use the phone speaker config from the server to get the mcast info and it would propagate it onto the network. The switch has IGMP enabled. I figured that should be enough for paging to work.

I will say that I do have the PGW as the destination in the recipient group where the phones typically are, configured within InformaCast. The switch is a Meraki MS switch. Web is enabled on the phones. We have been paging for some time, just new to the GW. I saw web was enabled on the phones, not sure if that was a requirement or not.

I am curious as to what's going on exactly from the gateway to the phones. I am assuming that it's multicasting on its LAN. In that case, not sure what else to look at. I may try a packet capture on the Meraki net, listening for the mcast address as the host, during a paging test.



Multiple dynamic policies on ASA

Hey All,

I have an ASA that currently is using the DefaultL2LGroup for a dynamic VPN policy. I'm at a point where I actually need another dynamic policy with different interesting traffic; it appears you can't use multiple dynamic policies if you're using the DefaultL2LGroup. I'm just trying to get confirmation before I rip out what's already working and create multiple dynamic policies. I have attempted to create a new dynamic policy but I can never get the tunnels established.



Ubiquiti & LDP VPLS?

I see some threads in the community from 5 years ago with some members running LDP & VPLS on Ubiquiti's EdgeOS. Now 5 years have passed and not much can be found in terms of development or posts about it.

Is anyone still rocking it? Was it really that short-lived? If so, how has your experience been? I inquired in the Ubiquiti subreddit but received crickets.



Pay For The Last Man Standing

I'm looking for some community feedback on this one:

TL;DR: My entire IT team including my boss were fired this month. I'm the only one left and need to know what is fair pay for 10 years' experience, enough certs, and 24-hour support for 4 locations across 3 states.

So when COVID hit we had an IT team of 4, myself included. Together we provided all the sysadmin, network, hardware and dev support for a logistics company spanning 3 states, with four locations, ~100 end users, around 12 servers on three physical hosts, VoIP, IP cameras, mobile scanning systems, countless label printers and all the wired and wireless networking in the offices & warehouse to support it.

The first two were let go after a furlough, all the dev stuff got outsourced, and my boss just got fired yesterday. So now there's just me, for all of it, 24 hours a day, and they don't plan on hiring anyone. I'm supposed to be talking to the EVP about my new role on Friday and want to get some feedback from the community on what's fair for salary.

Let me know your thoughts and questions, appreciate any feedback!

Edit: OK, my last edit didn't save. The 24-hour period is not year round; it's 4 months out of the year. I am brushing up the resume and looking for new work, but I have the opportunity to make some extra pay until a better gig comes along. Any advice on a figure would be most helpful; I think we all agree this is not a sustainable situation.



Important IT job interview presentation help

I'm trying to get my dream job and have a good idea in mind of what to do, but thought I'd ask all of you. Here is the part of my interview where I present and come up with a topic. Here is what they sent me, listed below.

We would like to have a presentation that demonstrates your ability to teach, as a major part of this role is to not only help customers to resolve their issues, but teach them how to use their technology to the best of their ability. The team also spends a fair amount of time teaching each other in the department, so this could be applied in how they would teach a Tier 1 how to complete a task. So no, this is not so much about learning about you (though if you can cover a topic that does both that would be very interesting).

What all do you think I should present on and how should I present it?

Thanks in advance.



Can you use the network IP address as a host address?

I'm somewhat familiar with RFC 3021 (use of /31 for point to point links). I get why the broadcast IP address can't (shouldn't) be used as a host IP.

What is the purpose of not using the network IP address (let's say IP address 192.168.0.0 for 192.168.0.0/24)? If I set my host IP to that IP, would that not work?

What is the purpose of the network IP address? I was thinking it might have something to do with the routing table and routers storing the network IP address, but given any IP address and a netmask, the router should be able to determine the network.

I've tried pinging my network IP address and got interesting results. It seems my default gw responds, but also another device responds, resulting in (DUP!) packet messages.

The reason this has come up is that I'm trying to figure out why I can't access a new IP from a new location. I was given an IP from the provider. Though I can't ping that IP (confirmed default routes are set), I'm able to ping the network IP, gateway, and broadcast IP over the internet, which I thought was strange.

Thanks.



NIC capable of receiving Corrupt frames

I am working on a project which requires me to capture packets that don't pass the CRC 32 check. I did some digging and came across ethtool utility, using which we can change ethernet device parameters.

To allow the capture of packets, which do not pass the CRC 32 I need to use the following command:

ethtool -K DEVname rx-fcs on

ethtool -K DEVname rx-all on

However, for most NICs this option is fixed.

I need help finding cards that are capable of changing the -rx all option. Also, how can we check if a particular card has the option non-fixed before purchasing it, as I was unable to find documentation that explicitly specifies this. I am looking for cards that have open source wireless drivers such as the Atheros ath9k.

Thanks in advance.



BGP

Can someone help me understand how dispute wheels are built?



VRR problem (Cumulus Linux)

I'm having the following problem: I'm running two Cumulus Linux (Edgecore 5812-54X-O-AC-F) switches in a VRR setup, a couple of access switches (also CL) with dozens of clients (Windows, Linux, voip). In a few vlans/subnets I'm seeing the following issue.

A client sends out an arp request for its default gateway, gets a response and is able to ping to anything. Then after a few seconds no ping replies are received anymore and the VRR switches show a STALE entry on ip neigh show. One of the VRR switches will still respond to arp requests. Whenever the client reconnects the same behavior is shown. Does anyone have an idea what the underlying issue could be? The behavior is not apparent on all vlans/subnets and the clients affected seem to be at random.

I've seen the following behavior on the VRR switches regarding their ip neigh entries: DELAY, PROBE and then they go into STALE on both switches. Other, working, clients show a REACHABLE state. Any pointers are appreciated!



Remedy for an unfound solution?

Hello guys, I'm new to the community and would like to say hi to everyone who reads this...

I'm working on a project and I don't know how to build something. I didn't find solutions anywhere.

  1. I want to build a multihop VPN connection (without using a Virtual Machine or Router VPNs). I want the information to flow this way:

Me---> VPN Server 1 ---> VPN Server 2 ---> Destination

  • Which are the methods to do this?
  • With anonymity as a priority, which is the best one?
  2. I have to place the VPN Servers in networks that I don't have router access to, which means I can't port forward.
  • Do I have any other way to do this?
  • If yes, what are those ways, and which is the best one with the same priority in mind, anonymity?


Buying a Juniper switch from a non-approved vendor?

I'm looking to buy a new factory sealed Juniper switch, however, the switch is not from an approved Juniper vendor. I have a few questions below in regards to this.

- Is that ok? Will the switch still work properly?

- What are the downsides of buying a factory sealed switch from a non-approved vendor?

- When you buy a new switch from Juniper, and you unbox it, what are the steps needed to make the switch work? Does the switch need to be registered with Juniper after powering on the first time? Does a license need to be entered on the switch before it works?

- Will I be able to get future firmware updates for the switch?

Any help is greatly appreciated.



Cisco 9100 AP/9800 (EWC) + WPA3 + iPhone magic config cocktail ?

Hello,

I'm struggling to get this working. My setup for this test:

  • 9115AX AP - 17.3.1.9
  • EWC - 17.03.01.0.351
  • iPhone X - iOS 14

It seems like when I do mixed WPA2/3 is when I run into issues. The phone attempts to associate and finally gives up saying "unable to join this network". Seems to maybe have something to do with FT config as well. Of course FT is tied into WPA3/SAE so the options are limited there. When I kick back to WPA2 config, the phone joins with no issues. Also - when I have WPA2/3 configured other devices seem to be able to join just fine (Nintendo Wii U, Raspberry Pis, etc.).

At one point I had an 1832 AP running ME, and my phone was still on iOS 13.x. I was able to configure a WLAN as WPA2/3 and join my phone at that point (I had other issues with the 1832s though, another story...).

Anyone have this working or know what I might be missing ? I will likely post over at the Cisco Community forums as well but figured I'd try here first. Thanks.



Cisco 4431 bandwidth license question

I've just been looking at a slow speed issue on a Cisco 4431 which has the 1Gb license upgrade. The issue is it's getting below the 500mb mark.

I figured it's a carrier issue but I've just thought: if it's got a 1Gb license and is on a 1Gb link is it going to ever get that 1Gb on speedtests? If you have a laptop plugged in the LAN and you are downloading, then if the LAN is pushing 500Mb traffic to your laptop and the WAN is also downloading 500Mb then that's the 1Gb, right?

If you wanted to get the full 1Gb speeds on a speedtest you would need a 2Gb license? That doesn't sound right but I'm wondering if it's the case.

thanks



Bluecoat Proxy SG learning material

Hello all,

Could somebody advise some good budget Proxy SG materials please? I found some courses, however they are really expensive.



Certain apps don't work on wifi

Some apps on my phone (OnePlus 7 Pro) like Play Store, Snapchat and Twitter are not working on my wifi. Twitter won't load the new feed and Snapchat doesn't send or receive new snaps. YouTube is working fine on the other hand. On my laptop everything is fine. I tried to use a VPN and that seemed to work, but after a little while, no VPN can connect to a server anymore. Is there a way I can fix this problem? Thanks in advance!



DHCP flooding

I work in a K12 environment and recently was promoted from helpdesk to sysadmin. I have been trying to get an idea as to what our baseline network activity is and one thing that is causing me some confusion is the behavior of some random hosts. Usually they are Wireless, but occasionally they are IP phones.

In the span of 1-2 minutes, the host will flood the DHCP server with requests, which in turn generates about 2k-6k Renewal logs. Our DHCP lease is 8 hours, so if I understand correctly, they should only be renewing once every 4 hours or whenever they reconnect to the network. I have yet to be able to catch a device in the act, as it seems pretty random.

Curious if anyone has seen this type of behavior before and has any investigative tips. Some other notes:

Majority of the devices are on our guest network, which requires accepting a EULA. I thought maybe it might have something to do with this?

Most of the devices seem to be Apple products, iPad/iPhones. The occasional IP phones are Cisco.

There are a few chronic repeat offenders. However, sometimes it will happen with a random device and then it will not do it again.

There have been a couple IP phones as stated previously. After the flooding occurs, I was able to call one and it was a busy signal. I remotely rebooted the phone and it solved the problem. This leads me to believe that the wired culprits might be due to aging infrastructure/physical issue.

Bonus Photo of graph in graylog which shows spikes in DHCP renewals



QoS via AnyConnect?

Looking for some guidance. We are in the process of hiring more CSRs which will be using VoIP over AnyConnect. We've run into quality issues in the past, and we're looking to alleviate that nonsense ASAP so these new folks don't give us an earful.

Can we apply QoS specifically for VoIP to an AnyConnect profile/session? If so, does anyone have documentation that would be beneficial for it? Really looking for input into whether or not this is a good idea or even feasible, too.

Thanks.



Multipath (?) routing problem

This is setup on Linux... not sure if that matters.... I don't know if this is a 'multipath' question or not...... I am trying to setup a new gateway on my network.... the existing setup is something like:

Internet -> WAN -> gateway-box-0 -> LAN -> local network. (active)

Internet -> WAN -> gateway-box-1 -> LAN -> local network. (in test)

Currently... ALL Internet traffic comes and goes through: gateway-box-0 AND my 'local network' has public ip addresses but my public subnet is routed through gateway-box-0.

The 2nd gateway... gateway-box-1 is setup and sort of works. If I change the default route on one of my Lan boxes to be

route add default gw gateway-box-1

and delete the main/working route

route delete default gw gateway-box-0

I can ping out via gateway-box-1 but any tcp traffic where it comes in on gateway-box-0 and goes out on gateway-box-1 does not work.

wget https://google.com for instance does not work.. the initial tcp request goes out via gateway-box-1 and the response comes in via gateway-box-0.... the source address for the request will be the same ip address but the path will be tcp traffic out on gateway-box-1 and tcp traffic in on gateway-box-0.

both gateways boxes see the box that the traffic starts on:

XXX.234.67.5 ether 00:26:9E:58:67:76 C eth1

XXX.234.67.5 ether 00:26:9e:58:67:76 C enp1s7

I've setup routing before where a box is multi-homed and has eth0 and eth1 and traffic that comes in on eth0 has to go out eth0 and traffic that comes in on eth1 has to go out on eth1... but in this case... all of the local network boxes just have eth0 and eth0 can talk to both gateway-box-0 and gateway-box-1 on the same network.

Is there a simple TCP flag I can setup on the boxes in my local network that make them care less about multiple routes or is this something that just won't work?

- jack



Network Architecture - Questions from an apprentice

Hi all,

I am getting deeper on building networks and I am a bit confused about the following.

Let's put a use case of an office with 5 desktops used for internet services (email, cloud products like Microsoft 365 etc.).

Apart from the usual switch-router setup, a firewall should also be in place. Nowadays Next Gen FWs are the way forward but I'm confused on:

- Should I remove the router and let Cisco ASA to handle routing, VPN and security?

- Would it be better to have a router for routing and VPN and let a FW handle security (i.e. FortiGate NGFW)?

What would be the criteria to use here? Any guidance will be much appreciated, you beautiful minds.



Sanity check

I've been asked by my IT director to provide a price on providing seamless wifi in our student residences instead of having multiple setups (think your home ISP setup in each of the 274 rooms).

Because of only one cat5 cable in each room I'm looking at in-wall access points in the rooms from extreme networks (we use their ap's in the rest of campus) which also has 4 ports in the bottom for wired devices.

The solution has private pre-shared keys which allows each person to have their own unique network space isolated from others. Their APs also connect to Extreme's cloud IQ, which gives pretty detailed AI insight into device/system performance.

Incoming network is not an issue.. we have multiple 10 GB connections and also sit on an educational computing network with a lot of CDN peering..Microsoft, google, facebook.

The cost of the setup plus ongoing license is 1/4 of our current bill.

Oh, I'm the sole network guy at a university of about 2500 students...

I may get an additional helpdesk staff member to help with the support calls..

Am I nuts???



Firewall Security Review

I work for a small cyber security company and I've been tasked with writing a security review for a client's Palo Alto. I've gone through and reviewed security profiles, security policies, NAT policies, firmware, licensing, all that. My next step is writing a report and I'll be honest, I'm not good at report writing. Any recommendations for what you would want to see in a report? Any insight would be helpful.





CUCM Background Deployment (Custom Image Upload for IP Phones )

After upgrading CUCM 10.5 to 11.5 we are unable to push images to IP Phones.

1 Check Image resolution and size

2 Upload all images as .PNG and XML

3 Restart TFTP service

Now I can manually select an image as the background image. Now I have a question: we are unable to push images through a third party application (previously I used VOIP INTEGRATION-Background Deployment). Also checked AXL services and user settings but unable to push images. I have to push images to 100 IP phones at once.

I would really appreciate it if anyone could suggest a method or application to resolve this.



Tuesday, September 22, 2020

Experience with multiple gateways in DHCP

Does anyone here have experience with distributing multiple gateways in DHCP? (RFC 2132, 3.5)

I'm interested in how clients will handle it, such as Windows boxes but also things that might have less than optimal DHCP support (iDRACs, PDUs etc)



Portable Keyboard

Hey guys, I don't make a lot of posts..mainly just lurk but I have stumbled into a problem recently. I have an old IBM keyboard (quite small) that I have adapted to USB and I have a small USB wireless keyboard that works pretty good too, I think it came with some junk Kano kit that I bought on clearance for the Pi inside. Anyways, I really like to have a portable keyboard...wireless or not and on the CLI I have had issues with both of mine doing things like - & * / _ | ; or any of the other somewhat common CLI characters that aren't [A-Z]<<<I'm sure the [ and { don't work right either. Anyways, usually I can get around it by switching a lock or something but it really slows down the fun. Anybody have a portable keyboard they have for spontaneous projects or does everybody store a cheap USB keyboard in their trunk?

Not sure this is 100% networking but it seems a lot of folks would have something similar in their EDC or at least consider it!





Our Portland branch has had their MPLS down for 3 days.

Like the title says, it's been down for three days now. It's due to a break in the fiber the ISP claims. Usually our provider is pretty on the ball about getting fiber cuts repaired, so it was weird that this one was taking so long. Turns out an encampment below a bridge somehow lit the fiber on fire. After seeing this picture they sent us, I think their delay is justified.

https://i.imgur.com/k3r7Zfr.png



[Question] RSVP-TE ERO

For an ERO to take a specific hop by hop strict path through a network, does each hop have to be configured to go to the next hop? If not, how does it know which label to use? All of the configurations I’ve seen show the LER identifying all of the hops, but no changes on any of the transit devices. I don’t understand how a label shows up on a transit router and it knows which label to add to achieve a strict path.



Ciena TL1 Python automation connection

Hello,

This would be my first post. I apologize if I break any rules.

I have been working to automate certain functionality of a Ciena 6500 device (only runs TL1). I use Python for the automation and need to establish the initial connection object. I have been having issues with netmiko where it raises an exception while making the router SSH connection: "Timed out waiting for data".

Which packages would be the best to use?



I need help with a diagram about bandwidth for my networking class presentation

So I'm doing this presentation for my networking class. It's basically about video compression and the role of codecs in decreasing bandwidth consumption. I did a diagram in PowerPoint where there's a big cube representing data and a pipe representing bandwidth; before compression the cube can't pass through the pipe, while after compression it gets smaller and can eventually pass. I'm not sure how accurate this simplistic representation is, if anyone can approve or disagree.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Buying SC/APC <-> SFP transceiver

Hello, I need to buy an SC/APC <-> SFP transceiver for using Turris Omnia with a 1000 / 200 Mbit/s internet connection, but I don't know where to buy it and which manufacturer to choose.



If my router didn’t have built in DNS, could I still connect from system to system in my LAN by host name?

Or would I have to connect directly by IP?



add failover wan from other network sonicwall

Hi, I have 2 physical networks with 2 ISPs. I would like to add failover WAN from one to the other, is there a way to do this? The 2 networks can be connected with a physical connection. Basically, I want that when one ISP fails the other network should take over via VPN or another interface.

any help would be greatly appreciated



Tempesta TLS: up to 40-80% faster than Nginx/OpenSSL and up to x4 lower latency

This week the Netdev 0x14 conference has published our paper about high performance TLS handshakes: Tempesta TLS establishes 40-80% more handshakes per second than Nginx/OpenSSL and reaches up to x4 lower latency! The paper also discusses many performance and security aspects of modern TLS implementations and cryptography, e.g. TLS 1.3 vs 1.2 performance and side-channel attack vulnerabilities in modern commercial TLS implementations.

https://netdevconf.info/0x14/pub/papers/35/0x14-paper35-talk-paper.pdf



Hotel War Room

Hello r/networking,

I'm looking for a little guidance on a noob question. A potential client asked me to set up a War Room at a local hotel where attorneys can discuss the case on a secure network. My first inclination was to set up a VPN to their main office and have them work off USB printers, but they will require 3 networked printers. I thought about setting up a print server to accommodate this - would a VLAN be the way to go to achieve this?

Maybe the current IT for the hotel could assist in doing so?

I have Ubiquiti equipment to cover if necessary.

What the setup entails:

- 9 people working off a secure network of their own

- 3 Network printers

- potentially the ability to plug in directly to a wall jack to gain access to the secured network

Some hotels have removed ethernet jacks so that last option may not be worth the consideration.

What would you guys do in this situation?



wifi speed throttling for house network

Hello :)

I have a private house network to which about 5 devices are connected simultaneously, one of them using a wired connection directly to the router, and the other 4 using wifi.

I'd like to throttle the download rate for the devices using wifi, but I'm not sure how. I'm pretty sure my router is a Netgear N600, though a modified version my ISP made. Anyway, I tried looking inside the router settings for a throttle option but the one I found throttles all the connections, while I need to throttle only the wireless ones.

If someone knows some kind of software I can use, or a way to do it using my router settings I'll be glad to hear it.
I'd appreciate any help I can get!

Image of my router traffic settings: https://imgur.com/a/caMheWv



Excessive flaps on tracking applied on HSRP?

Hi All,

I'm currently facing an issue right now where excessive flaps on HSRP and the track going down are being detected, while from the IP SLA I'm able to see only 2-3 failures (1hr interval).

Device: ISR4331 v16.6.7

Configuration:

ip sla 1
 icmp-echo 192.168.1.1 source-interface GigabitEthernet0/0/0   <--- GATEWAY
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
interface Port-channel1.100
 encapsulation dot1Q 100
 ip address 10.1.1.2 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 1 ip 10.1.1.1
 standby 1 priority 115
 standby 1 preempt
 standby 1 track 1 decrement 20

LOG-1:

<cut>
Sep 22 11:51:52.427 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 2 state Speak -> Standby
Sep 22 11:57:30.471 GMT: %TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down
Sep 22 11:57:30.727 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 1 state Active -> Speak
Sep 22 11:57:35.472 GMT: %TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up
Sep 22 11:57:36.443 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 1 state Speak -> Active
Sep 22 12:17:15.552 GMT: %TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down
Sep 22 12:17:17.859 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 1 state Active -> Speak
Sep 22 12:17:20.553 GMT: %TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up
Sep 22 12:17:23.038 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 1 state Speak -> Active
Sep 22 12:19:40.564 GMT: %TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down
Sep 22 12:19:41.539 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 1 state Active -> Speak
Sep 22 12:19:45.564 GMT: %TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up
Sep 22 12:19:47.168 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 1 state Speak -> Active
Sep 22 12:20:50.569 GMT: %TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down
Sep 22 12:20:52.181 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 1 state Active -> Speak
Sep 22 12:20:55.569 GMT: %TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up
Sep 22 12:20:57.146 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 1 state Speak -> Active
Sep 22 12:31:26.357 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 2 state Standby -> Active
Sep 22 12:31:31.629 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 2 state Active -> Speak
Sep 22 12:31:40.617 GMT: %TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down
Sep 22 12:31:42.365 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 2 state Speak -> Standby
Sep 22 12:31:42.914 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 1 state Active -> Speak
Sep 22 12:31:48.005 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 1 state Speak -> Active

Detected as UP but HSRP states still change.

LOG-2:

Sep 22 11:03:30.277 GMT: %TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up
Sep 22 11:03:31.391 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 1 state Speak -> Active
Sep 22 11:25:51.346 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 2 state Standby -> Active
Sep 22 11:25:56.597 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 2 state Active -> Speak
Sep 22 11:26:06.966 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 2 state Speak -> Standby
Sep 22 11:27:15.240 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 2 state Standby -> Active

IP SLA STATS:

IPSLA operation id: 1
Type of operation: icmp-echo
Start Time Index: 12:12:46 GMT Tue Sep 22 2020
RTT Values
 Number Of RTT: 326 RTT Min/Avg/Max: 7/19/65 milliseconds
Number of successes: 326
Number of failures: 4 <-------------
Start Time Index: 11:12:46 GMT Tue Sep 22 2020
RTT Values
 Number Of RTT: 718 RTT Min/Avg/Max: 7/13/110 milliseconds
Number of successes: 718
Number of failures: 1 <-------------

From the above, the HSRP states change every 10-20 min and it affects the network connection since the active router changes every 10-20 min.

Note that verification on transport has been conducted and several circuit tests have been completed to fully verify the circuit.

Question:

  1. From IP SLA stats we are seeing 1 failure out of 718 and 4 failures out of 326... since the failure rate is very minimal/low, why is the router still detecting it as down or continuing to generate logs?
  2. From "LOG-2:" you can see that "1 ip sla 1 reachability Down -> Up" is now up but the HSRP states continue to change.
  3. What other verification should be conducted?

Thanks
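Added example, not part of the post above: a small parser for the %TRACK-6-STATE and %HSRP-5-STATECHANGE lines quoted in LOG-1 that pairs each tracked-object Up -> Down with its recovery and the HSRP reaction, so the outage length, the HSRP reaction lag and the spacing between flaps can be read as numbers rather than by eye. The sample lines are copied from the post's LOG-1; the year is assumed to be 2020 because IOS syslog timestamps carry none.

```python
"""Correlate IOS TRACK state changes with HSRP state changes from syslog text."""
import re
from datetime import datetime

# Constructed sample: a subset of the LOG-1 lines quoted in the post above.
SAMPLE_LOG = """\
Sep 22 11:57:30.471 GMT: %TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down
Sep 22 11:57:30.727 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 1 state Active -> Speak
Sep 22 11:57:35.472 GMT: %TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up
Sep 22 11:57:36.443 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 1 state Speak -> Active
Sep 22 12:17:15.552 GMT: %TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down
Sep 22 12:17:17.859 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 1 state Active -> Speak
Sep 22 12:17:20.553 GMT: %TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up
Sep 22 12:17:23.038 GMT: %HSRP-5-STATECHANGE: Port-channel1.100 Grp 1 state Speak -> Active
"""

TS = r"(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d\.\d{3}) GMT: "
TRACK_RE = re.compile(
    "^" + TS + r"%TRACK-6-STATE: (?P<obj>\d+) (?P<what>.+?) "
    r"(?P<old>Up|Down) -> (?P<new>Up|Down)$")
HSRP_RE = re.compile(
    "^" + TS + r"%HSRP-5-STATECHANGE: (?P<intf>\S+) Grp (?P<grp>\d+) "
    r"state (?P<old>\w+) -> (?P<new>\w+)$")

YEAR = 2020  # assumption: syslog lines carry no year; the post is dated Sep 2020


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S.%f")


def parse_line(line: str):
    """Return a dict for one TRACK or HSRP event, or None for any other line."""
    m = TRACK_RE.match(line)
    if m:
        return {"kind": "track", "ts": parse_ts(m["ts"]), "obj": int(m["obj"]),
                "old": m["old"], "new": m["new"]}
    m = HSRP_RE.match(line)
    if m:
        return {"kind": "hsrp", "ts": parse_ts(m["ts"]), "intf": m["intf"],
                "grp": int(m["grp"]), "old": m["old"], "new": m["new"]}
    return None


def analyze(text: str):
    """Pair each track Up->Down with the following Down->Up and the first HSRP
    'Active -> ...' transition that falls inside that window."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    outages, current = [], None
    for e in events:
        if e["kind"] == "track" and e["new"] == "Down":
            current = {"down_at": e["ts"], "outage_s": None,
                       "hsrp_reacted_after_s": None}
            outages.append(current)
        elif e["kind"] == "track" and e["new"] == "Up" and current:
            current["outage_s"] = (e["ts"] - current["down_at"]).total_seconds()
            current = None  # window closed; later HSRP lines are not attributed
        elif (e["kind"] == "hsrp" and e["old"] == "Active" and current
              and current["hsrp_reacted_after_s"] is None):
            current["hsrp_reacted_after_s"] = (
                e["ts"] - current["down_at"]).total_seconds()
    return outages


def gaps_between_downs(outages):
    """Seconds between consecutive track Down events (the flap interval)."""
    return [(b["down_at"] - a["down_at"]).total_seconds()
            for a, b in zip(outages, outages[1:])]


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for o in result:
        print(f"{o['down_at']:%H:%M:%S}  outage {o['outage_s']}s  "
              f"HSRP left Active after {o['hsrp_reacted_after_s']}s")
    print("seconds between flaps:", gaps_between_downs(result))
```

On the sample each outage lasts one probe interval (5 s, matching `frequency 5` in the post's config) and HSRP leaves Active within about 0.3-2.3 s of the track going down, which is what the default zero-delay tracking does with a single missed probe.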



Switchport goes hard down when SFP speed changed???

I upgraded some uplinks from 1G to 10G and was having issues with getting the link up. Realized that the C3850 brought down its port when the 1G SFP was swapped with the 10G and nothing would bring it back up besides inserting the original 1G.

Also during my troubleshooting, I swapped out a 10G SFP on a C9300 for a 1G SFP and that also brought the port hard down, shut no shut and reloads do not bring it up.

The only solution to this problem is to put the faster (or different) speed SFP into a totally unused port.

How do you use the same port with a different speed SFP?



An entire village lost its broadband at the same time every day for 18 months. Now we know why!

Got this from CNN - figured it could be very interesting to Network Engineers!!

(CNN) For 18 months, residents of a village in Wales have been mystified as to why their broadband internet crashed every morning.

Now engineers have finally identified the reason: A second-hand television that emitted a signal that interfered with the connection. A crack team of engineers-turned-detectives have become heroes in the village of Aberhosan after finally finding the source of the problem, according to a press release from Openreach, the company that runs the UK's digital network, published Tuesday. Staff had visited the village repeatedly and found no fault with the network. They even replaced cables in the area to try and solve the problem, but to no avail.

Then local engineer Michael Jones called in assistance from experts at the Openreach chief engineer team. After carrying out a plethora of tests, engineers had a theory that the problem could be caused by a phenomenon called single high-level impulse noise (SHINE), in which an appliance emits electrical interference that impacts broadband connectivity. Engineers used a device called a spectrum analyzer and walked up and down the village "in the torrential rain" at 6 a.m. to see if they could locate an electrical noise, Jones said in a statement. At 7 a.m. -- "like clockwork" -- the device "picked up a large burst of electrical interference in the village." "The source of the 'electrical noise' was traced to a property in the village. It turned out that at 7 a.m. every morning the occupant would switch on their old TV which would in-turn knock out broadband for the entire village."

Jones said the resident was "mortified" by the news and "immediately agreed to switch it off and not use again." Since the old TV was retired there have been no more problems with the connection, said Openreach. Suzanne Rutherford, the company's chief engineer's lead for Wales, said that this kind of problem is more common than people think. "Anything with electric components -- from outdoor lights to microwaves to CCTV cameras can potentially have an impact on your broadband connection," said Rutherford, who advised the public to check if their appliances are certified and meet current standards. Earlier this year, UK telecoms regulator Ofcom warned that microwaves could reduce Wi-Fi signals. Ofcom issued several tips on how to keep households connected as millions of people started working from home at the start of lockdown.



Upgrading from EPON to GPON in an ISP

So basically I do not work for the ISP in question.

However, the owner of the ISP has reached out to me for help.

Problem:

  1. They have approximately 3000+ customers on their existing EPON infrastructure
  2. At least 30% of said customers are equipped with an XPON ONU that supports both GPON and EPON, the rest are on EPON ONUs
  3. So this ISP wants to move everything and everyone to GPON
  4. But they do not know how to go about it without running around thousands of people's houses just to switch and configure the ONUs

So what do you guys think is the optimal solution to shift existing EPON customers to GPON without having to run around?