Saturday, October 3, 2020

What is the command to telnet Host with specific port in Versa OS 16.1R2?

From Cisco IOS we can run command "telnet <IP> <port>", but what is the similar command in Versa OS ?



Tyler Durden: "Now, as a question of etiquette"... iPXE dedicated VLAN, or mixed?

Out of curiosity, and function, those of you who run iPXE for installers, or RAM resident... do you run iPXE on a native VLAN and then have your O/S attach to a tagged VLAN, or do you run both iPXE and system mgmt in one VLAN? This question brought to you by: "WHY THE F*** WON'T YOU BOOT FROM USB!?!?!?!"



[OC]Firewall Log Geo-Analysis using ELK Stack


The blue markers on the Map show the geolocation of Public IPs and the connecting lines are the users connecting to the internet on our premises. Trying to find out a way to recognize DDoS and other types of attacks using the firewall logs. Constructive criticism is welcomed.

Tools: ELK Stack



Firefox WLC GUI certificate error

I had my 2106 WLC set up and was able to access it. I reset the config on the WLC and I am not able to access the GUI. I have redone the config a few times, each time with a different IP, and Firefox is preventing me from accessing it. This is the error Firefox is giving me:

"you are attempting to import a cert with the same issuer/serial"

Does anyone know of a fix for this? Thanks



Firefox error trying to access WLC GUI

I had my 2106 WLC set up and was able to access it. I redid the config on the WLC and I am not able to access the GUI. I have redone the config a few times, each time with a different IP, and Firefox is preventing me from accessing it. This is the error Firefox is giving me: "you are attempting to import a cert with the same issuer/serial"

Does anyone know of a fix for this? Thanks



Cisco AIR LAP1142N home lab

Can someone help me get these set up on my lab? I have a 2106WLC that is set up and I have accessed the GUI, but my two 1142s are not being discovered by the WLC. On start up I can see my router assigning the 1142s an IP via DHCP but the APs are showing me that the radio is disabled, there are some certificates failing as well. I can see this while consoled in, but I get no options to input any commands on the CLI. Can anyone offer some advice?



Looking for some rack mount ears for cisco sg350-28

Hi guys,

Story:

I purchased for a client 15 of the SG350 switches. Unfortunately one of the boxes was damaged and the ears disappeared.... I have the option of a discount on the damaged-box switch (switch tests fine and no damage itself) or waiting 5 weeks for a replacement (I am in Chile and this is the wait time for getting these from the distributor). Getting a replacement through Amazon or someone else would be very expensive due to the price discount we got from the distributor.

Need:

I am looking for a set of SG350-28 rack mount ears with their screws. These are not the same as sg300 ears (thanks Cisco) of which there are lots of places to get them. I have had no luck anywhere finding replacement ears so I am hoping someone recently replaced some SG350 and has them laying around. I will pay for them and all shipping.

Please let me know if you can help



Can someone see what websites I've visited using my IP address?

Ok, so I'm wondering if someone has my IP address can they see my search history or the websites I've visited, even when using a private browser. I know that my IP address can give out my location, but is there a way for someone to see what sites I visit? What other types of information can someone find with my IP? Thanks and sorry for my ignorance.



How are switches connected to the SDN controller?

While learning about SDN, I often come across this kind of diagram where the switches have some kind of virtual connection to the controller. But how does that translate in real life? Isn't there a bootstrapping issue for fully software-defined networks?

Consider the following network:
controller <-> switch1 <-> switch2 <-> switch3 <-> host

How will switch3 be able to receive instruction from the controller? Does someone manually configure within switch3's CLI what's the IP of the controller? Is there authentication?

I guess another way to ask the question would be "What are the steps to set up from the ground up a full SDN network?".



Extended 4G LTE WLAN network question: 2 routers (Huawei b525s - 23a)

Hi all,

A question to networking enthusiasts/pros and networking hardware SMEs.

Just to make it short I will describe the situation in the following format:

  • Objective: extending 4G LTE wifi network for better coverage.
  • Hardware: root AP is Huawei B525s-23a (Not flashed, no bridge/wds mode), repeater AP Huawei B525s-23a (Flashed, bridge/wds mode, v. 11.182.61.00.778).
  • Problem: when bridge mode is enabled on the repeater AP all configuration options are disabled to actually configure the router to act as a repeater.

So my questions are as follows:

  • Is it possible to extend 4G LTE Wifi network?
  • If so, is it possible to do it using two identical routers, in my case Huawei B525s-23a?
  • If yes, has someone done it successfully and could provide some guidance/tips?
  • Also, I have tried reaching my objective using a TL-WR841N router as the repeater AP, however I was unable to do so - I could connect root and repeater APs to a single LAN but the repeater would not connect to the internet (tried disabling authentication and/or firewall security, putting both on the same channel, mainly following https://www.tp-link.com/us/support/faq/227/ and other guides.)

Would someone be able to share their experience or any tips on how to achieve my objective?

Much appreciated!

Edit: apologies if the sub is not the right one for such question as the scale of the problem is not that of one in enterprise networks.



Is there a power line adapter I can use for my 2 plug outlet for gaming?

Moving/replacing the outlets is not an option.



Passive scanning, possible to get firmware and OS details from endpoints?

Hello. In the world of OT, actively scanning endpoints is not possible because it will more than likely crash them. Crashing the OT devices could cause big issues.

I've set up an RSPAN which is working and dumping everything. I'm wondering, is there a way at all to collect firmware versions etc. from this data?

I've gone through the pcap using Wireshark and can't see anything relating to the firmware; doing an active scan obviously you can get this info.

Any advice is appreciated

Thanks



Friday, October 2, 2020

If it isn't the same as 802.11(letters) what networking standard does cellular use?

I'm trying to figure out how different it is from WiFi and what RFC



Weird bandwidth cap on mGRE?

I have a mGRE tunnel at a datacenter on an ASR 1002-HX. There are over a dozen remotes connected with bandwidths varying up to over 100 Mbps for a remote. I implemented a couple of new remote sites via this hub tunnel but they couldn't go above 4-5 Mbps without their video streams breaking up. These remotes use ISR 1101s. Their ultimate destination is not the datacenter but another spoke (NHRP mGRE). Doesn't matter if it's direct spoke to spoke or via the hub, these specific remotes could not go above 4-5 Mbps. The egress at the remotes was indeed 8 Mbps (target bitrate) but by the time they got to a test box at the data center or destination spoke it was only 4-5 Mbps. If you drop the bitrate down to 4 Mbps, the stream works fine.

Now here's the kicker. I built a DMVPN directly between remotes and it works fine over that. So there is something at the data center ASR that is capping the mGRE tunnels for these specific remotes only. Very strange. Anyone seen this before or have some insight? Reading around it doesn't seem like I've hit some sort of licensing or capabilities issues on the ASR. There is no egress QoS on the sending remotes interface. I'm stumped.



How to troubleshoot network issues in industrial environments

Hi, I'm a PC programmer working in the automation industry.

Our software communicates with several devices (PLCs, labelers, scanners etc), eventually one of the devices might have connection problems...

This is where I begin to struggle because my knowledge of networking is kinda limited. I'm looking for tips and tricks on how to diagnose issues aside from using the classic ping command. I have Wireshark and TCPView installed but I use them in a very basic way.

Here are some problems that happened recently; what should I check?
1) Can't connect to the labeler socket from a NATted network but I can ping it. Socket connection works in a LAN.
2) Sometimes labeler socket communication drops and the only thing that fixes it is restarting the labeler.

I'm not looking for specific solutions for the above-mentioned problems, I just mentioned them so you have an idea of what I usually deal with. Any suggestion is appreciated.

Thanks



Question about PCIe NIC throughput

I am just wondering, why do some cards have options that confuse me?

For example:

there's a quad-port LAN card with an x1 interface that only has PCIe Rev. 1.1,

which means the max throughput it can get is 2.5GT/s (or roughly ~250MB/s).

With that being said, a quad-port LAN card can max out at 8Gbit/s (considering maxed-out full duplex per port (2x 1Gbps)/port) (or roughly ~1GB/s), therefore it would not get the full speed if all 4 of them are occupied and fully utilised.

Is it just marketing bogus, or is it more than I think it is?



Noob hardware question to get WiFi into my shipping container

Hello! I need help selecting hardware to get a WiFi signal from a Google Nest about 100 feet away and tunnel it into my shipping container tiny home.

The signal is strong outside the container but zero signal inside.

I want to pick up the signal with a device that will output to an ethernet cable. Then I can run the cable inside to a router and have WiFi in the container.

That at least is my hope. Is this called a bridge? I don't need a booster, just an antenna, right?

This device SEEMS to be close to what I'm looking for:

https://www.tp-link.com/us/business-networking/outdoor-radio/cpe210/

Is this overkill? It says it goes 7km, I only need 100 feet.

Thank you in advance r/networking!



Interface speed negotiation

If an interface on a switch is set to auto-detect, and the status shows 10Gbps, can I trust that it's actually operating at that speed?
Let's say I connect a 10Gbps SFP+ interface from 2 switches with a 60 meter long cat6 cable. Do the interfaces just advertise "Hey, I can handle 10Gbps" and both agree to use 10Gbps, showing that in the interface status? Or can they actually measure/detect that, even though they're capable of 10Gbps, they're actually only getting 1Gbps reliably so the status shows 1Gbps?



Whitepaper for wireless deployments in stadiums/arenas?

Does anyone know where I can find a good whitepaper or case study on a wifi deployment for a large stadium/arena, or generally any largely populated but densely packed area?



Calix B6/E7 SSH script

Does anyone know of any SSH scripts that are already written out for Calix B6 or E7 devices? I have these written out in powershell using the Posh-SSH module. That module isn't compiled in .NET Core so I'm not able to run it on linux - which is what I need to do now.

My plan is to re-write in python using netmiko since it specifically supports Calix B6. I feel like someone has already done this so I figured I would reach out first.

The goal of the SSH script would be to run commands and collect output.



Blocking torrent traffic on anyconnect

I have a Cisco ASA with an AnyConnect license and it's configured to use the outside interface to PAT. Is there any way I can block torrent traffic outbound? I have users torrenting movies and I need to stop them.



Multihoming with BGP to 2 providers

Hi all,

I'm kind of new to multihoming and BGP on the internet so apologies if some of these questions seem stupid. My company recently acquired a /24 from ARIN. Currently we have 1 ISP for which we have a router that we manage. There is a /30 WAN block and a /27 LAN block on it of ISP provided IP's currently. We are in the process of getting a second ISP and a public ASN and my eventual goal is to do multihoming using BGP with both advertising our new PI space in addition to using the IP space they provide. A couple of questions I had are:

Should we have the current ISP statically route it temporarily until we can get the 2nd ISP and public ASN so we can start using it?

Should we use secondary IP address for this new LAN block or sub-interfaces on the router?

In either case, should it be broken up into multiple smaller networks on the router (multiple secondary addresses/sub-interfaces) as that is how we intend to use it? For example a /29 for firewall Outside interfaces, a /28 for public DMZ etc.

Okay to use the same router for the second ISP or better to go with a new one and run some sort of iBGP between the 2? If it's the same router then do we put the routes and interfaces for each ISP in different VRFs?

Any help would be appreciated. Thank you.



Does anyone have any experience with rakwireless PLC boards or any other low voltage powerline communication systems?

I work for a company that installs internet-connected instruments underwater. Recently we started to work with power line communication to increase our potential range. However, we are seeing some odd behavior. We are able to get good communication between the modules when on the bench but get intermittent failure when using a longer cable. For example: we connected two units together with a 2 conductor, 16 gauge, 1000ft SOW cable rolled up on a spool. The units failed to communicate. So, we started to unroll by ~100 ft lengths, again and again, and retested each time. One of the guys in the shop is convinced the coil is the problem. The units wouldn't communicate until we got the whole cable off the spool. As an experiment we re-wrapped about 50ft on the spool and tested again; it didn't work. Slowly we removed the cable from the spool trying to prove it was the spool causing the problem and find the number of coils that cause failure. Well, even after we got the cable off the spool again the units still wouldn't communicate! To make things worse, we re-wrapped the whole cable and took the spool of cable and the two units to our engineer to show him the issue, and with the cable on the spool the two units communicate just fine... We bring everything back to the shop, hook it up again, and nothing...

We are running 48v through the SOW cable with the comms, and it powers up the unit on the other side so we know things are hooked up correctly (continuity wise). It's just inconsistent as to whether the two will start up the communication between the two units.

Any ideas on what we might be doing wrong? Is rakwireless hardware any good? I haven't been able to find any good guides or reviews for their stuff.

Thanks in advance!



Issues with Cradlepoint WiFi as WAN Feature - IBR600LPE Routers

I've assumed the IT responsibilities for the company where I work. It's not my primary role, but we don't have anyone else that can do it right now (very small workforce). We have 2 groups that work almost exclusively in the field. Our primary needs are reliable internet access and wireless printing capabilities. To accomplish this, we use Cradlepoint IBR600LPE routers. We first check to see if there are ethernet jacks in the room that we're working in. If so, these work about 80% of the time. In about 20% of the cases, we are unable to connect (maybe MAC address filtering or dead ports?). From there, we attempt to use the WiFi as WAN feature. This has been a major disappointment, as I find that it almost never works (maybe a 20% chance that it will connect). We're then stuck with using 4G which is a major hassle.

I was doing some testing with the Cradlepoint yesterday in our office. I added a WiFi as WAN profile, and it didn't appear to work. I kept checking, and the router was still on cellular. I got distracted with something else and realized that it had finally switched over to WiFi as WAN. I thought maybe it had something to do with the failback settings, but they seem to be okay. I'm not sure if changing the failback mode to "Time" would make a difference. Is it possible that I'm missing some configuration setting? When the Cradlepoint is on cellular and an ethernet cable is attached, it switches almost immediately (even seems to be faster than the failback settings). I have the WAN priority set as ethernet----Wifi as WAN----4G/Cellular.

I appreciate any help or advice.



Switch Question - 10Gb Arista and 1Gb Cisco

I've got a 12 port Cisco Catalyst with all 12 ports full at 1Gb and a 24 port Arista with only 4 ports used. 3 servers with 10Gb links for ISCSI and 1 uplink to the Catalyst. Both have only SFP ports.

Should I keep it this way or would it make better sense to put everything on the Arista?



Answer to "Why Are WAN File Copies Slow"

Hi All,

I handle mergers and acquisitions, and during that process we are responsible for transferring terabytes of data from one old company to the new company.

I wrote this "how to / guide" for the guys doing the remote office file copy to the data center.

Though this is for huge data, the limitations are the same for everyone who now can get large network WAN pipes for cheap money but doesn't understand why their file copies / data transfers are running slow. This post is designed for Network IT staff to point business users to for understanding as to why file copies are slow over giant WAN network circuits in "GENERAL".

** This post also contains solutions to beat the limitations - Do not do this stuff when on a shared network with lots of users who ALL depend on network performance. It could easily saturate the network and drop users from WAN file shares, applications, etc ..

Anyway, here are some of my recommendations / you will need to test which solution(s) work best – I am sure many of these you're using already. Hopefully a few of these are new and can help:

First a reference point: Network speed is in mbps (mega bits) and file size is in MB (mega bytes). Not that it is possible, but in theory to send a 100 MB file almost instantly you would need an 800 mbps / 1gig network (8 bits to a byte).

If I had a 1gig network, Why can't I actually send files instantly?

  1. File checking – Small files create a significant problem because Windows will check that the file does not exist first and then copy. This check on small files could take longer than actually copying the file.
  2. Network overhead – 100 MB of files is usually around 110MB of data once wrapped in network headers, etc
  3. Network latency – the further you are away from the destination the longer the systems WAIT for acknowledgements between each packet group sent.

a. Why are the systems waiting? Send 10 data packets – WAIT for a reply that the other side received the data then send 10 more – repeat – when you send Billions of packets, the WAITING is the killer in WAN transfers

b. Example - When systems are sending data but in WAIT state - no data is sent so it appears that the network utilization / transfer speeds are really low.

c. Not actual but examples to demonstrate my point

i. Houston Tx to Dallas Tx perceived network utilization average of 80mb of 100mb line (5ms latency)

ii. California to Dallas may look like file copy speed of 15mb of 100mb line (50ms latency)

iii. If I upgrade the WAN network from 100mb to 10gig monster circuit, California to Dallas is still 15mb copy speed because you did NOT change the network latency. The wait time is the killer.

iv. You cannot improve network latency as networks are mostly built on fiber optics (you're limited by the speed of light in long haul circuits).

Solutions:

  1. Multi-threaded RoboCopy using xxx threads where x=Site Network bandwidth / 5. – with high latency and fat network pipes – each thread should be able to grab a perceived 5mbps

a. Threads are like opening up a different window and running copy x times from different windows.

b. The improvement comes from using the WAIT window to burst a different set of data.

c. Example on how to calculate thread count – 150mbps WAN connection = 150mb/5mb = 30 threads

d. Change thread count based on actual tests from the site (max 128)

i. Run a test with 100mb files with x threads

ii. Run a test with 100mb files with Y threads

iii. Adjust as needed – Crazy high thread count may be worse as multiple reads hit different areas of a local hard drive and will create its own internal wait time issue.

e. https://pureinfotech.com/robocopy-multithreaded-file-copy-windows-10/

  1. Most USB drives can’t push 100mb, not even close. Copy the files to the local disk if you can before copying to the DC.

  2. Encrypted local drives also reduce performance

a. Faster CPU improves decryption / grab a new machine not an old one to do the file copy.

b. Test in the office laptop to laptop to determine laptop limitations

i. Use this to gauge how many laptops you need. (see below)

  1. Disk reads from a single disk are limited by drive spinning speed. SSD drive preferred but it still has limits. Remember it is not burst speed, it is sustained read speed that is important to copy files, which is a slower rating and not usually advertised.

  2. Desktops are FASTER across the board

a. Laptops are designed to be energy (battery) efficient.

b. Desktops use hardware, which is fast / not energy efficient.

c. RoboCopy is a program – uses CPU, etc .. you don’t want energy efficient

d. Network card drivers are a program – it uses CPU

e. Usually you get twice as many CPU cores on a desktop which helps off load other apps running at the same time as the copy

f. Disable any power saving features

  1. You should be able to obtain the same performance improvement or even better than aggressive multi-threading if you take the data set and spread it across multiple desktops or laptops with multi-threading robo-copy.

a. User home drives A to P on one laptop

b. Users Home drives P to Z on another

c. Department shares on another

d. etc.

  1. The best solution would be server to server where file data is striped across multiple drives and using high speed disk controllers and killer CPUs / OS designed for file transfers using multi-threaded robocopy.

  2. There are registry hacks that allow for WAIT window tweaking but my preference is for multi-threads / multi-copies as in theory the Windows operating system will adjust the WAIT window on its own based on response times.

  3. Don’t forget there is also a limitation to how fast data can be written to the Data Center storage solution. It isn’t just you writing data; thousands of people use it all the time during the day and there is backup job contention at night. If you're using laptop to laptop over a WAN, remember disk reads are usually twice as fast as disk writes. The writing could become the weakest link.

a. Don’t grab 50 laptops from an integration and saturate a 1gig WAN connection which in turn sends 1gig of data to one Storage Solution .. that will impact everyone using the file share or the backup process.

b. The receiving storage solution also has a preferred received thread count – more laptops and threads isn’t always better. Again – test with 100mb of data and determine what works best.

There is a sweet spot in the middle somewhere, just need to find it.

(Reminder - this is not written for network guys - this is summarized for business users where generalizations were used so no need to hate on parts that are not perfect)
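As an added illustration of the WAIT effect described in the post above (example code, not the author's): a small model in which one stream can send only one window per round trip, so latency rather than circuit size caps a single copy, and the post's "threads = bandwidth / 5, max 128" rule recovers the lost throughput. The 64 KiB window, the site latencies and the link sizes are assumed values for illustration.

```python
"""Illustrative model of why a single file copy stalls on a high-latency WAN
and how multi-threaded RoboCopy recovers throughput.

Added example, not part of the original post.  The 64 KiB window, the
latencies and the link sizes are assumed for illustration only.
"""

MEGABIT = 1_000_000
DEFAULT_WINDOW_BYTES = 64 * 1024  # assumed: a classic 64 KiB TCP window


def per_stream_mbps(link_mbps: float, rtt_ms: float,
                    window_bytes: int = DEFAULT_WINDOW_BYTES) -> float:
    """Throughput of ONE stream: the sender pushes one window, then WAITs one
    round trip for the acknowledgement, so rate = window / RTT, capped by the link."""
    if rtt_ms <= 0:
        return link_mbps
    window_limited = (window_bytes * 8) / (rtt_ms / 1000.0) / MEGABIT
    return min(link_mbps, window_limited)


def robocopy_threads(site_mbps: float, per_thread_mbps: float = 5.0,
                     max_threads: int = 128) -> int:
    """The post's rule: threads = site bandwidth / 5 Mbps, clamped to RoboCopy's max."""
    threads = int(site_mbps // per_thread_mbps)
    return max(1, min(threads, max_threads))


def aggregate_mbps(link_mbps: float, rtt_ms: float, threads: int,
                   window_bytes: int = DEFAULT_WINDOW_BYTES) -> float:
    """N independent streams each fill their own WAIT window; the total is still
    capped by the link, so the fat pipe only matters once there are enough streams."""
    return min(link_mbps, threads * per_stream_mbps(link_mbps, rtt_ms, window_bytes))


def scenario_table():
    """Walk the post's three scenarios (assumed latencies and link sizes).
    Each row: (label, link Mbps, rtt ms, single-stream Mbps, threads, aggregate Mbps)."""
    rows = []
    for label, link, rtt in [("Houston->Dallas 100M", 100, 5),
                             ("California->Dallas 100M", 100, 50),
                             ("California->Dallas 10G", 10_000, 50)]:
        threads = robocopy_threads(link)
        rows.append((label, link, rtt,
                     round(per_stream_mbps(link, rtt), 2),
                     threads,
                     round(aggregate_mbps(link, rtt, threads), 2)))
    return rows


if __name__ == "__main__":
    print(f"{'scenario':26} {'link':>6} {'rtt':>5} {'1 stream':>9} {'threads':>7} {'total':>9}")
    for label, link, rtt, single, threads, agg in scenario_table():
        print(f"{label:26} {link:>6} {rtt:>5} {single:>9} {threads:>7} {agg:>9}")
```

The third row shows the post's point: moving California to a 10G circuit leaves one stream at roughly 10 Mbps because the 50 ms wait did not change, while 128 threads lift the total past 1 Gbps.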



Windows Server NIC Teaming and bandwidth aggregation - what is the real expectation?

There seems to be some difference of opinion on the effect of NIC Teaming on bandwidth aggregation.

From my tests using dual 1GB teaming, I see up to 2GB throughput in or out, as long as that data is going to or from more than one other server (i.e. 1GB each to or from two other servers). Server-to-server I only see 1GB maximum bandwidth at any point, regardless of how many 1GB NICs are in their teams. This seems to match the conclusion I've come to from most of what I have read.

But then I come across the odd reference where it seems that bandwidth is aggregated as if it was the native speed of a single connection.

For example, in the last post on https://serverfault.com/questions/754502/windows-2012-r2-nic-teaming-does-not-aggregate-bandwidth, JJ Nace seems to imply that using Switch Independent mode with Dynamic load balancing does aggregate bandwidth in every sense in their setup.

Could someone provide a definitive answer (ideally with source) on whether bandwidth can be aggregated as if it were a single connection? If it is possible, what configuration is necessary?

Thanks.



IPs or IP Unnumbered on spine-leaf ?

Experts,

What do the majority of people prefer when it comes to deciding between IPs or IP unnumbered with a spine-leaf design? What are the advantages or disadvantages, and how do you overcome them when it comes to troubleshooting?



Help me you're my only hope

Hello all

I've been sent to an office site which has been having on and off phone issues for a while. I've found that when the phone system is connected to the network, all phones stop working. When the ethernet cable connecting to the LAN is pulled out, the phone system starts working again.

There's a handful of IP phones not working either; there are 3 that are plugged into the phone switch directly that work, but they reset when the phone switch connects to the LAN.

I can't find any network loops; there are no VLANs or any fancy networking settings. Just can't figure out the issue, any ideas?

If this sub doesn't allow help me posts, please remove.

Thanks,



Is there any way to check ISP traffic shaping?

All previously available tools such as Glasnost and ShaperProbe have been shut down. I'm sure that my ISP is shaping my traffic but I currently have no way to prove it. Are there any alternative tools to check for shaping?



Question regarding correct VLAN configuration

Hi guys,

I'm a sysadmin for an SMB and haven't done a lot of networking recently.

I have done some research and I think I know how to do it but I would really appreciate a second opinion.

At the moment we have a firewall (sophos xg) with 6 interfaces which are all in use.

We have configured VLANs on the switches but not on the firewall.

The connection firewall -> switch is for each VLAN an untagged port on the switch to the firewall port.

Now I need to create 3 additional VLANs and I'm not sure how to configure it.

I know I need to create the VLANs on the Firewall and attach them to a port.

But what about the port on the switch? I think it needs to stay untagged on the VLAN it already had and tagged with the additional VLANs. Is that correct?

Thanks in advance



vEdges are almost end-of-sale

What is everyone doing about it? ISR1100-4G is about 75% more expensive than vEdge 100b. Yes it can do way more IPSec throughput, but customers with 200 sites with 10Mbps WAN links don’t care.

This has really screwed our approach to SMB customers.

Anyway, that’s my vent done. What do you guys think?



Just checking out about access and hybrid ports.

Back before I joined we put all our CPE on access ports. Problem is, now we want to push our management VLAN onto the CPE (which we control), but we can't. My idea is to reconfigure those access ports into hybrid ports. I am fairly certain of the procedure, I just want confirmation from some other heads as it is never nice when customers go offline.

On one end I have a Cisco switch, on the other there is a Mikrotik CPE.

The Cisco port is configured as follows:
description CustomerXY
sw mode access
sw access vlan 200

The Mikrotik port on the other end is just a simple wan ethernet port with a static IP address.

Now step 1 that I would do is put the hybrid port configuration on the Cisco while the port is still in access mode:

description CustomerXY
sw mode access
sw access vlan 200
sw trunk encapsulation dot1q
sw trunk native vlan 200
sw trunk allowed vlan 200,420

Step 2 would be to turn the port into a hybrid trunk port and keep my fingers crossed it does not disconnect:

description CustomerXY
sw mode trunk
sw access vlan 200
sw trunk encapsulation dot1q
sw trunk native vlan 200
sw trunk allowed vlan 200,400

Step 3 if it does not disconnect and I am not in brown alert mode would be to just add the vlan subinterface on the Mikrotik side. The Mikrotiks from what I have read are clever enough to automatically do a hybrid port once put in a trunk.



Thursday, October 1, 2020

Single User VPN Issue

A user has started complaining, saying she's getting much slower download speeds through the VPN. She gets about 10Mbps normally but only 1.5Mbps when connected through our company's remote access VPN; everything seems slower when connected to the VPN, always lagging etc. on calls. Our company has a 200Mbps WAN link which barely ever reaches even 50% of its capacity, and 1Gbps LAN links that are also never anywhere near full capacity. Her VPN bandwidth is obviously reduced over our VPN, right? Because of the encryption overhead added to the packets? Does the VPN encryption really cause that much bandwidth to be lost? Ideally I'd like to do some calculations; I've never really thought about it before if I'm honest. When I'm at home without VPN I get 13-17Mbps download and 5-6 Mbps upload, then with the VPN I am getting a lower 11Mbps download but the same 5-6Mbps upload speeds. I don't know what else to tell the user other than to increase her home broadband speed.



Passing WAN through VLAN. Help.

I have a home lab and a network rack. The house connects to the network rack switch which is a Dell power connect 5524p and also holds my modem. My server rack contains a Dell power connect 5548 stacked with the other 5524p using HDMI. It also contains my router which is running Pfsense.

Network rack:
* Modem
* Dell 5524p switch

Server rack:
* Pfsense router
* Dell 5548

I currently have the modem directly plugged into the 5524p with the port tagged to VLAN 900. On the 5548 I have the tagged VLAN going into the WAN on the router. This gives me a really clean setup that only requires 3 cables between the rack and network rack: power and 2 HDMI.

PROBLEM: While this setup is working I noticed my speed test is showing 20/20 mbps. So I hooked a cable up direct from modem to router and boom it's back to 200/20 mbps that I should be getting. I checked all the cables and switches it is all connecting at gigabit speeds. I ensured nothing else is on VLAN 900. I am at a loss as to why I am seeing this behavior. I also checked qos is disabled. Does anyone have any ideas?

Thanks in advance!



CCIE Enterprise advise needed

Hi all,

My CCNP RnS will expire in January 2021. I am planning to take CCIE Enterprise in March 2021; kindly advise whether I should take (ENCOR) or (ENCOR & ENARSI) before the Lab to fulfill the requirements as per the new update from Cisco.

Thanks in advance.



Recommendation for quiet switch with multigigabit and SFP+

I have a team of 16 people which will be connecting to a NAS and working on it for photo and video editing. I want to give them a 10G connection, as it's become much more affordable. Not everyone in the team will need 10G, but I was hoping everyone could get at least 5G, as the adapters for those are a lot less inexpensive and there are multi-gig switches out there.

The switch will be in close proximity to them, and I don't want to pull a bunch of Cat6a cables to a closet because it's ugly and I'm lazy.

What I need:

- Quiet or fanless
- Desktop variant, as small a footprint as possible
- More than 8 ports; 16 would be ideal. RJ45 preferred
- Either all ports 2.5/5/10G or mixed (for instance 8x 2.5/5G ports on some and the rest 10G)
- No PoE is needed, as they will only connect their MacBooks to it.

I've done my homework and the closest I've found that matches what I need is:

Zyxel XS1930-10
https://www.zyxel.com/products_services/10-12-port-Multi-Gigabit-Smart-Managed-Switch-XS1930-Series/

Though it has only 10 ports, which is not as many as I'd like (maybe I could stack two of these on top of each other?).

Was hoping maybe someone here can share their thoughts.



NAS (Non Access Stratum) Question

Hey everyone, sorry if this is the wrong place, but I have a quick question regarding how NAS counts work. I am reading the 3GPP documentation and it states that the receiving device estimates the NAS count used by the sending device.

Just wondering if anyone here knows what method the MME or UE uses to estimate this count?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



2.125 Gbps SFP Transceiver?

I just got a transceiver in that looks like it supports a max data rate of 2.125 Gbps, but I can't for the life of me find an 802.3 standard for the 2.125 Gbps data rate... Someone with some tribal knowledge help me out here!



Post-Production Managed Switch - 10gb + 40gb connections

Hey All –

I thought this would be a good place to ask for some advice.

We are a small creative agency in Cleveland and have a fully unifi setup for our network. This includes a Unifi 16-XG switch which is run through a patch panel to our small network of workstations connected over CAT-6A. Right now we've been running a small set of servers, one of them connected to it through two 10Gbase-t connections that are LAG'd together through the unifi profile.

We're upgrading our server to an iXsystems M40-HA which features 40gb QSFP+ (I think it's +) ports on it. Right now we have our order in to split that connection into 4 x 10gb SFP+ connections, but I think it would be much better to purchase a new switch that has one of those ports on it that we can break out into our workstations. iXsystems agrees, but they don't seem to have a preference for a switch, only that it will work with nearly any managed switch and that eBay is a good source of cheap datacenter switches.

I'm curious if anyone can give me some guidance on this since a lot of the switches that are cheap scare me off a little bit because I've never worked with them before and something like a Juniper switch while nice, worries me because I'm not sure what kind of licensing issues I might run into with something like that.

As of now, we're only using half of the 16 ports on the unifi switch and are using transceivers to convert the copper to SFP+.



Dealing with Access-List bloat in a Service Provider environment?

I have been working at a healthcare managed services provider for a few months. We provide solutions and services to thousands of clients worldwide. In the team I work on, we have around 600 clients. They host in our data centers, but they still have devices on their own sites which need to connect back to our data center.

I was shocked to learn that we still use access control lists to define access rules for individual hosts. We use Cisco Security Manager and each firewall/router has hundreds of lines in their ACLs. What’s worse is that most of those lines are overlapping or redundant rules, and over the years apparently there has been no consistent policy in creating or managing changes done to these lists. New clients are provisioned with a default policy but then there are site specific additions and that’s where it gets extremely bloated.

Today I got a request from one of our clients to double-check access for about 15 servers and I can’t believe I have to sort through lines of individual hosts to double-check that they’re all there. And there are many redundant rules, rules with overlapping protocols, etc.

I’m relatively new to networking, but what kinds of solutions exist to replace ACLs? Especially in a service provider environment like ours. I’m not sure if it’s incompetence or what but again I can’t believe it was allowed to get this bad. Also should I feel compelled to try and fix this for each client or would it just be a wasted effort? I have read about using groups and subnets instead of individual hosts, but there are both in our ACLs and they’re still overlapping in a lot of policies. It’s just a nightmare.
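Sorting through overlapping and redundant host entries by hand, as the post describes, is exactly the kind of check that is cheap to automate. The following is an added example, not code from the post or from Cisco Security Manager: a small Python parser for extended-ACL-style lines (permit/deny, protocol, source and destination as `host`, `any`, or address plus wildcard mask, optional `eq` port) that flags entries already covered by an earlier entry in the same list. The ACL lines are constructed for illustration; the IPs and ports are made up. It handles only contiguous wildcard masks and single `eq` ports, which is enough to surface the duplicate-host and shadowed-by-subnet cases the post complains about.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample ACL (not from the post); addresses are documentation ranges.
SAMPLE_ACL = """\
permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10 eq 443
permit tcp host 10.1.5.7 host 192.0.2.10 eq 443
permit tcp host 10.1.5.7 host 192.0.2.10 eq 443
permit ip 10.1.5.0 0.0.0.255 host 192.0.2.20
permit tcp 10.1.5.0 0.0.0.255 host 192.0.2.20 eq 22
permit udp host 10.9.9.9 host 192.0.2.30 eq 53
"""


@dataclass
class AclEntry:
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None means any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A', or 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A Cisco wildcard mask is the bitwise inverse of a netmask (contiguous masks only).
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        t = raw.split()
        if not t or t[0] not in ("permit", "deny"):
            continue  # remarks, blank lines, anything we do not model
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(AclEntry(n, t[0], t[1], src, dst, port))
    return entries


def covers(a: AclEntry, b: AclEntry) -> bool:
    """True if every packet matched by b is also matched by a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    port_ok = a.port is None or a.port == b.port
    return proto_ok and port_ok and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)


def find_redundant(entries: List[AclEntry]) -> List[Tuple[int, int, str]]:
    """Return (later line, earlier line, kind) for each entry an earlier entry already covers.

    kind is 'duplicate' (identical match), 'shadowed' (same action, broader earlier rule)
    or 'unreachable' (earlier rule with the opposite action wins first-match evaluation).
    """
    findings = []
    for j, later in enumerate(entries):
        hits = [e for e in entries[:j] if covers(e, later)]
        if not hits:
            continue
        same = [e for e in hits if (e.proto, e.src, e.dst, e.port) ==
                (later.proto, later.src, later.dst, later.port)]
        earlier = same[0] if same else hits[0]
        if same:
            kind = "duplicate"
        elif earlier.action == later.action:
            kind = "shadowed"
        else:
            kind = "unreachable"
        findings.append((later.line, earlier.line, kind))
    return findings


if __name__ == "__main__":
    for later, earlier, kind in find_redundant(parse_acl(SAMPLE_ACL)):
        print(f"line {later} is {kind} by line {earlier}")
```

Run against the sample, the second line is shadowed by the /16 on line 1, the third is an exact duplicate, and the `tcp ... eq 22` rule on line 5 is shadowed by the `ip` rule on line 4. Run the same check per client against a pasted running ACL before consolidating; anything reported as "unreachable" deserves a look before it is deleted, because the earlier rule of the opposite action is the one actually in force.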



Failover Setup With VPLS

Hey All,

We are running into an issue that we... well, didn't plan properly for. We have a VPLS circuit connecting 2 data centers. We are using OTV and extending the VLANs to the 2nd datacenter because that is going to be our new primary DC. We are using this for data migration and host creation at the location.

The problem we are facing is, should that circuit drop, we have no redundancy. The obvious solution is to get another private circuit, however, that would prove difficult with out time frame that we would need it in. Obviously, the problem comes from extending the VLANs. IPSEC VPN tunnels are not really an option that I am aware of for this. Please correct me if I'm wrong.

We have DIA circuits in place, which is why I was hoping to be able to somehow use one of them for redundancy, but I cannot figure out how to pull that off.

Any help for this would be greatly appreciated.

Thanks!



TCP Socket Programming - should I wait until I get a response from server?

I'm new to network programming and I'm making an application that works with TCP sockets on Android. Currently I made it so that when a request is sent, I wait for an answer, then I update the UI, and after a set period of time I send the request again. If I get certain information back, I want to send a different request. I don't know if this is a good approach, but I can't seem to make it work unless I get some sort of answer before making the next request. One problem with this is that if the server doesn't respond I get stuck, which I could get around with a timeout.
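The "stuck if the server never answers" case is the one worth seeing in code. The following is an added example, not code from the post (which is Android; this is Python so it runs offline): a request/response client whose wait is bounded by a socket timeout, plus a tiny local server that stands in for the real one. `start_server`, `echo_upper` and `slow_handler` are test scaffolding invented here; the point is `request`, which returns `None` instead of hanging when no complete reply arrives in time.

```python
import socket
import threading
import time
from typing import Callable, Optional


def recv_line(sock: socket.socket, timeout: float) -> Optional[bytes]:
    """Read one newline-terminated message; None if the peer closes or stays silent."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while not buf.endswith(b"\n"):
            chunk = sock.recv(4096)
            if not chunk:            # peer closed the connection
                return None
            buf += chunk
    except socket.timeout:           # no complete reply within `timeout` seconds
        return None
    return buf[:-1]


def request(host: str, port: int, payload: bytes, timeout: float) -> Optional[bytes]:
    """Send one request and wait a bounded time for the reply instead of blocking forever."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload + b"\n")
        return recv_line(s, timeout)


def start_server(handler: Callable[[bytes], Optional[bytes]]) -> int:
    """Constructed stand-in server: one request per connection, in a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    srv.listen(5)

    def loop() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                data = recv_line(conn, timeout=5.0)
                reply = handler(data) if data is not None else None
                if reply is not None:
                    try:
                        conn.sendall(reply + b"\n")
                    except OSError:
                        pass         # client already timed out and closed

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def echo_upper(data: bytes) -> bytes:
    """Well-behaved server: answers immediately."""
    return data.upper()


def slow_handler(data: bytes, delay: float = 1.5) -> bytes:
    """Misbehaving server: answers later than the client is willing to wait."""
    time.sleep(delay)
    return b"late:" + data


if __name__ == "__main__":
    fast = start_server(echo_upper)
    print(request("127.0.0.1", fast, b"status", timeout=2.0))   # b'STATUS'
    slow = start_server(slow_handler)
    print(request("127.0.0.1", slow, b"status", timeout=0.5))   # None
```

The same shape carries over to a blocking socket on Android: set a read timeout on the socket, treat the timeout as a first-class result ("no answer this round") rather than an error that aborts the loop, and decide the next request from that result. Without the bound, a single silent server holds the polling loop indefinitely.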



AS1221 (Telstra) BGP hijacks 266 ASNs in 51 countries

Surprised no one is talking about this...

On Tuesday, September 29, 2020 AS1221 - Telstra announced 472 prefixes in a BGP hijack event that affected 266 other ASNs in 50 countries, with the most damage rendered to the U.S. and UK based networks. Worldwide it affected more than 1680 IPv4 prefixes, creating almost 2000 path challenge conflicts.

via https://radar.qrator.net/blog/as1221-hijacking-266asns

ProtonMail's thoughts on the matter: https://protonmail.com/blog/bgp-hijacking-september-2020/



What emerging technologies will impact networking most in the next five years?

In order to predict coming changes in networking practices it is necessary to understand which technologies will be most impactful in the near future. For those who work in the industry or have insights into transitions that will be occurring in the fields of networking: which technologies would you deem likely to be most impactful and why?



C3850 MPLS ip forwarding

In an interesting spot, have a c3850 that is configured to run vpnv4, but is not forwarding packets received to the requisite interface.

What I've done:
- BGP routes are being propagated for the VRF, and are showing correctly in the routing table
- mpls ip is enabled on the connecting interfaces; verified mpls ldp neighbor
- Done a capture on the MPLS interface and on the end device. Traffic coming from the MPLS network makes it to the interface, but isn't routed out the IP interface

When traffic originates from the ip side, it is shown on both captures, as ip and as mpls on the outbound interface.

I've dug through plenty of Cisco documentation, but am at a loss as to the next step. I'm on the mindset that it's something akin to the "ip routing" command

Thanks



VPN user monitoring from a networking perspective

I've been tasked with finding a solution that would allow a network admin to determine whether a VPN user has a good quality connection to our network through his local network (wired, wireless), through his ISP and past the VPN gateway. So far, I've found three options:
- ThousandEyes, but it's strictly a SaaS platform, so no-go
- Keysight Hawkeye, but it's way too expensive
- Aternity, but it doesn't give the expected KPIs

What I know the solution must have is a locally installed client on the monitored laptops, an on-prem, centrally managed server(s) and a bunch of KPIs such as ping, jitter, PL, maybe even throughput tests, that can be reported in case of incident. Ideally, I'd like to see the user's WiFi strength, first-hop latency, our VPN gateway's latency, and some other server's latencies within our network.

Is there such a tool available? If so, can anyone point me in the right direction? Thanks



Changing VPC Peer-Link Ports

I have a couple of N9Ks that are using a pair of 10G ports as their peer link, and I want to upgrade them to 100G ports.

In my config, the peer link is Po1. What would be the best way to move the peer link to a port channel using my 100g ports? I've thought of the following:

  1. Mirror the config of the Po1 member ports to the 100g interfaces, creating a port channel with four interfaces (two 10g, two 100g), then just remove the 10g ports from the channel group.

  2. Create a new port channel with the 100g interfaces and change the config to use the new port channel.

I think it's probably obvious that I'm trying to do this with the least amount of downtime and possible trouble. What I'm not sure of, is can I even create a port channel with interfaces of different speeds? I guess I've never tried that before...and will that work? It seems like the first option is the easiest and most straight forward, but I want to make sure I'm not overlooking something.

Thanks in advance.

Edit: Answer received. Thanks for the quick responses!



MicroSegmentation, intra-VLAN segmentation, DHCP Option netmask /32

Hello Guys,

I'm wondering what technology you guys are using to segment traffic **within** a given VLAN.

Here is the ultimate goal we want to achieve: for the user subnets, we would like to redirect ALL the traffic to the gateway (which in our case is a firewall), even traffic towards other computers in the same VLAN.

With Cisco WiFi, it's easy: you just have to check "Forward traffic to upstream" and it's done.

However, when it comes to switches (wired), it's another world.

Currently, we are kind of using a hack to handle this: we send by DHCP a netmask option with the value 255.255.255.255 (/32).

This was tested after observing how some cloud providers are doing it. We first tried it in a test subnet, and now, a few years later, we have 10k devices configured like that.

With this configuration, all the devices think that they are alone in their subnet and thus send all traffic to the gateway, even if behind the scenes the destination is in the same VLAN.

This actually works like a charm (at least with all major "user" OSes - Windows/Mac/Linux/BSD/Android/iOS).

I'm well aware that it only works for unicast; multicast and broadcast are still received, but still, there isn't any major risk with multicast/broadcast.

However, I have literally never seen anyone doing this and I found close to 0 information about it.

So here are my questions:

- What do you think about this? Do you see anything that could go wrong?

- What would be the "cleanest" way to achieve the same thing? Any other protocol/technology in mind?

We are using full C9k Cisco devices in Legacy mode (so no SDA Fabric).



Soft Robotics Podcast Hosts Jack Rhysider

Hello Guys,

I am going to host my favorite podcaster Jack Rhysider, the host of the amazing Darknet Diaries. I found his story inspiring: leaving his job after 10 years to follow his purpose in the storytelling of hacking stories, which inspired people to pursue a career in network security and even education. I find this the beauty of podcasting and how a voice can be life-changing beyond traditional education.

Please let me know if you have questions for Jack; I am curious to know what you think.



Aerohive/ExtremeWireless Bonjour Gateway

Hi Guys,

Just wondering if anyone knows how the Bonjour gateway works on Aerohive/Extreme. In my lab I have two VLANs, 10 and 20. I configured an AP as BDD master with priority 254, and I have configured my Bonjour gateway settings to scan VLANs 10 and 20 and allow various different services such as '._airplay._tcp.' and '._raop._tcp.' to 'any any' VLANs, but still I can only AirPlay to my TV at home from the VLAN the TV resides in. I think I just misunderstand the technology; wondering if someone could explain it to me. From my reading, it simply relays multicast info to other VLANs, such as relaying mDNS so devices on other VLANs can discover these Apple devices.



How often are VPNs used across leased lines?

Teacher explained today that Full Mesh VPN topology comes with an additional cost per connection. I then asked him "Why? Aren't VPNs used as an alternative to buying multiple leased lines?". He then told me that you'd still want to use a VPN across the leased line.

Thinking about it, I understand that this would add extra security, but how often is it really done? Is there any downside to this?



After enabling STP portfast, will bridge looping start?

If there are four switches interconnected to each other in a square topology.

And each switch is connected to a router on one of its port.

After enabling spanning tree portfast command, will bridge looping start?



How to troubleshoot a network that is having random issues?

I've been troubleshooting an issue with a client of mine but I can't seem to solve it.

Problem : internet will randomly disconnect.

What I've done so far:

* Found a bad RJ45 which caused disconnects.
* Found a Sonos with a bad Ethernet port that caused high latency in the network. Moved that one to WiFi; latency issue solved.
* Swapped a bad modem from the ISP. It wouldn't generate the correct speeds the customer was paying for. After swapping it for a new one, that issue was solved.
* Found an old 10/100 switch. Replaced that one.

What's left?

I'm about to replace a 24 port switch that's next to the Modem. But I'm not confident I'll locate the problem.

Is there any logging software that I can use to monitor the network so I can find this issue?



Is Cybrary CCNA course good for Hacking?

I've been doing the CCNA course on Cybrary and it feels like I am getting nowhere right now.

Wanted to ask if that's the right course to learn networking for hacking?

And please provide some informational resources too if possible.



Wednesday, September 30, 2020

Want to connect office to the data center

Hello,

I have devices in my office that need to appear as though they are coming from the data center WAN address. I was thinking of creating a site-to-site VPN, but I don't think the WAN address would appear as the data center WAN address. Any thoughts?



What's Austin like?

I am increasingly developing an interest in relocating to Austin, TX. I'm a CCNP with over 8 years on my hands with cloud + network security + a few more skills. I am in the Boston area pulling in a figure above 120k. Boston is getting expensive and I want to move down South.

How is it in Austin for senior network engineers? Is the pay good?



Palo Alto Best Practice Assessment vs CIS Benchmark for firewall configuration

Looking for some advice regarding Palo Alto hardening configurations.

My company has adopted Palo Alto as our perimeter firewall and has tasked me to decide on the specific hardening standards we should be adopting. I am looking at the Best Practice Assessment feature and also CIS benchmark for comparison.

It seems to me that the CIS benchmark is a subset of the Best Practice Assessment after checking the results. As we are using CIS benchmarks for servers, I would prefer to use the CIS benchmark as well. And given that the CIS benchmark seems to be a subset of the BPA, using it as the first step in setting up the internal benchmark seems to be a better idea.

What do you guys think?

P.S. I came from an IT audit background and tbh I don't have strong knowledge of networking, but I might be planning to get some in the near future. Need some professional advice from pros over here.



Cisco UCS C220/C240 M4 Firmware - 3.x or 4.x?

Hey folks,

I have a couple of C220 and C240 M4 UCS servers that are due for a firmware bump from 2.x to the latest and greatest, if for nothing else than to fix Field Notice FN - 70545 (SSD Will Fail at 40,000 Power-On Hours - BIOS/Firmware Upgrade Recommended) before I have a bad time.

Cisco's current starred releases for both models are 3.0(4r) & 4.1(2a). Has anyone got any particular reason to pick one version over the other, as it looks like both tracks have recent releases?

I'm going to ask TAC for their thoughts of course, but I wanted to see if there are any real-world experiences people can share.



How do I maximize throughput across multiple devices?

*Please feel free to remove this if this doesn't fit into the spirit of this subreddit

I work for a sensor company that normally communicates to a host PC using unmanaged 1Gb network switches (and to factory networks, etc.). We've recently made advances in sensor speed and multisensor stitching which is causing us to run into a bottleneck with our network throughput.

I've tuned the sensors to the bare minimum but I'm still at a (calculated) throughput of 600Mb. We've noted that when testing some low-end unmanaged switches we see packet collisions at around 200Mb and on some managed switches up to 550Mb before we note issues.

We've reduced the transmit rate of the sensors and that helps a little by transmitting larger chunks less often.

  1. Would I be looking at a switch with a large buffer (32MB is the max I believe) at 1Gb speeds to maximize throughput?
  2. Would using a 10Gb switch with a 10Gb PC/network and some SFP+ adapters be a better fit for this application?

If you have a resource to help me understand this, I'd love to read it.

Thanks!



VRF aware PBR on Nexus 9k

Anyone know if there is a way to achieve this? It rather happily will allow you to do PBR within the given vrf, but any commands along the lines of "set ip vrf <X>" or "set ip x.y.z.z vrf <X>" seem to be unavailable under route maps unlike some IOS based devices, even with the PBR feature set turned on.

No commentary on the merits of PBR itself requested or desired.



Is my boss an idiot?

I started my first IT-related job on Monday, having only an associate's degree. One of our networks is 192.170.30.0/24 (and no, we are NOT Hewlett-Packard, to whom this globally routable network is assigned). The boss believes that this, and all the rest of 192.x.x.x, is all valid private address space. The network has been running for years without issues. Isn't the RFC1918 range 192.168.0.0/16????? Not that it matters, since arguing with the boss on my first week is universally wrong even if I'm right...



Advice for my future

Hi all. I've been working with Networking (professionally) for 7 years now. I have a college degree in the field of Networking and IT-Security.

However, I feel just during these 7 years, that things have changed so drastically. From going from CLI to GUI. From going from MPLS to SD-WAN. From going from WiFi to 4G/5G. Work is being outsourced to India. Things are just so much more automated now.

Every day just feels like there is less and less need for a network engineer. I really can't see much of a future in this. In the meantime I really love what I do, but it's hard when you feel it's not worth it. I make quite good money.

I can't see myself buying an apartment etc. just because I feel my job is so... worthless in a sense, even though I support 100+ locations, a wireless network for 2000+ users etc. I've been responsible for migrations from on-prem Wi-Fi solutions to cloud, from MPLS to SD-WAN etc.

What do you guys feel is in store for us in the future? Should I try to go to an ISP and get a management role? Am I just in the wrong field? I can take changes, but when they change so quick and fast, it's just quite depressing to be honest. Does anyone agree?



Moving VMs from one data center to another while keeping the same IP addresses

Hello, we are reducing our data center footprint and have the following wish list. The reason we want to keep the same IPs (if possible) is that it will reduce the risk of application errors because IP addresses are hardcoded. I'm starting to gather information on whether the steps below will be possible, and the best approach given what's in play.

We plan to do the following (if we can make it work):

  • Convert physical servers to VMs in DC1, keeping the same IP
  • vMotion VMs one at a time to DC2, such that the same subnet would be active in both DCs at the same time.
  • When the step above is done, we'd remove the subnet from DC1.

Facts about our network

  • MPLS WAN between data centers. WAN routers use OSPF to advertise their subnets.
  • Core routers are firewalls in routed mode, also participating in OSPF.
    • This means no secondary IP address for servers from DC1 that will serve the same function as servers already in DC2.
  • We use VMware for virtualization.


Is there a better way to move a large file (image) from one network share to another?

I am trying to move a large image, 30GB atm (with more on the way), from one share to another. Both are on our company's network, maybe different servers.

I don't recall if me copy/pasting from one to the other adds a middle man to the time? It's going at like 1.5MB/s max atm and I was wondering if there was a way to remove myself from the middle (if it's even affecting anything).

I don't have any control over the network, but if it's caching or generally slowing down due to my method I'd like to know. I am working from home and VPNing in, so I know stuff sent from my machine to the network is this slow, but I don't think network to network should be this slow imo.

Thanks



Pulse Secure

After the update, the client defaults to putting the domain prefix before the username, which isn't how we have it setup to authenticate. Does anyone know what to edit after the fact so that the domainprefix\username is trimmed off?



IOS-XR Show Commands with Regex?

Hey all.

I have tried googling this and can't find an answer. And I refuse to believe you cannot do this with IOS-XR. So, if I wanted to pipe out any show command using the formal argument, and if the last number is a 0, 1 or 2, it will output EVERYTHING that has that number within the include portion. It's best if I show an example as it's hard to explain. If I did the following:

sh run formal | i TenGigE0/5/0/1

...and I JUST wanted to see everything configured for that interface (IGMP, multicast, etc.), it will spit out 0/5/0/1, 0/5/0/11, 0/5/0/12, 0/5/0/13, etc.

I've tried using a $ at the end of it. I tried wrapping it in quotes. I tried combining both of them. I CANNOT figure out how to output just the one interface without the OS spitting out all of the other ones that match that include statement.

This has to exist, right? Can someone let me know how to do this? Thanks
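The behaviour in the post is what any unanchored substring filter does: `TenGigE0/5/0/1` is a prefix of `TenGigE0/5/0/11`, so it matches too. The following is an added example, not from the post or from Cisco, that reproduces the problem in Python over constructed lines in the style of `show running-config formal` output and shows the anchoring that fixes it: the interface name must be followed by whitespace or end of line. A bare `$` anchor is not enough in formal output because the interface name is never the last token on the line. The interface names and addresses below are made up; whether a particular IOS-XR release passes a quoted pattern such as `"TenGigE0/5/0/1 "` to its include filter unchanged is an assumption this example does not verify.

```python
import re
from typing import List

# Constructed lines in the style of IOS-XR "show run formal" output (not a real capture).
FORMAL_OUTPUT = """\
interface TenGigE0/5/0/1 description core-uplink
interface TenGigE0/5/0/1 ipv4 address 192.0.2.1 255.255.255.252
interface TenGigE0/5/0/11 description server-a
interface TenGigE0/5/0/12 description server-b
interface TenGigE0/5/0/13 shutdown
router igmp interface TenGigE0/5/0/1 version 3
router igmp interface TenGigE0/5/0/13 version 3
""".splitlines()


def include_loose(lines: List[str], needle: str) -> List[str]:
    """Plain substring match: what an unanchored '| include' pattern does."""
    return [line for line in lines if needle in line]


def include_exact(lines: List[str], iface: str) -> List[str]:
    """Match the whole interface name only.

    The lookahead requires whitespace or end of line after the name, so
    'TenGigE0/5/0/1' no longer matches 'TenGigE0/5/0/11'. Because formal output
    puts more tokens after the name, a trailing '$' alone would match nothing.
    """
    pattern = re.compile(re.escape(iface) + r"(?=\s|$)")
    return [line for line in lines if pattern.search(line)]


if __name__ == "__main__":
    print(len(include_loose(FORMAL_OUTPUT, "TenGigE0/5/0/1")))   # 7: every 0/5/0/1x line too
    for line in include_exact(FORMAL_OUTPUT, "TenGigE0/5/0/1"):  # 3: only the real interface
        print(line)
```

The same anchoring idea applies to any platform whose `include` filter takes a regular expression: either quote the pattern so the trailing space survives, or use a word-boundary construct the platform's regex dialect supports.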



Issues pinging from VM to VM

I'm a student and very early in my education, so bear with me if I sound like a newbie. I have 2 clients on 2 different LANs connected through a WAN. I've configured my Cisco 1941 routers and switches, and everything seems to be working as expected; I'm able to ping and tracert without any issues. On each of my clients I have installed 2 VMs in Hyper-V, using virtual switches installed as external. I can ping from the LAN-1 VM to the physical LAN-2 client and vice versa just fine, but for some odd reason I can't ping from VM to VM; it tells me "destination host can't be reached" etc.

I've been trying to fix the issue by myself today for many hours, trying to reinstall Hyper-V and the virtual switches, upgrading one of the clients to a more recent Windows version, etc., with no fix so far.

Could anyone give me a few tips? Thanks



Connect dome camera with ethernet to existing WiFi network.

I have a dome ptz camera that comes with ethernet and internal PoE adapter. My question is can I connect to my existing WiFi network (tp-link plc) with an adapter from ethernet to WiFi?



Small business router recommendation

Hello guys, so I want a router that isn't wireless and that has no limit on port-forward rules, or at least allows 100+ rules to be added.
I saw this: Router MikroTik AL21400, but I'm not sure how many port-forward rules I can open. Thank you!



Watchguard IPSec VPN default parameter

Hi there,

I have a half-functional IPSec VPN between a Checkpoint (our side) and a WatchGuard FW (customer). Tunnels are up and traffic flows for one of the two customer-side subnets. However, nothing is going through the tunnel from the other customer subnet.

I suspect that the WatchGuard might be set to one tunnel per gateway, while it's one tunnel per subnet on our side. Unfortunately I can't get any info from the customer.

Does anyone here know if the default for a WatchGuard is one tunnel per gateway?



Question about monitoring fan inlet temperature on Cisco 3850.

My goal is to monitor the inlet temperature of a Cisco 3850 fan and have the switch notify me if the temperature goes over X degrees. I have many remote locations (50+) and would like to take advantage of the temperature monitoring already inside my Cisco gear.

It doesn’t appear that I can adjust the temperature thresholds for GREEN, YELLOW, and RED from the “show environment temp status” command. If I could then temperature alerts would show up in Solarwinds. Correct me if I am wrong, but I believe these values are hard set.

I think that there might be a way to do this with Cisco EEM (Embedded Event Manager), but I'm pretty new to this feature and I am not sure how to implement it. The fan inlet temperature seems to be what I should be watching.

Has anyone solved the problem of monitoring room temperature using the existing Cisco gear?
Is there another direction I should be looking?



Blown fuse on new 5700 Stratix switch?

Not sure what happened as I used an output 12V charging plug. I plugged positive and negative in the right spots in power supply A. Once I plugged it in, the wires sparked and the fuse blew.

I plugged into B with a power strip and it powered up fine. This is a new switch out of the box and it now has a burn mark on the faceplate.

I will RMA this. Can anyone good with electrical explain this? There's no reason why it should have sparked.



Remote desktop license confusion

Hi, I'm wondering if someone could help me. This is my first time building a remote desktop server for a small organisation, but it's about to run out of its free license. I understand there are two licenses to choose from: a CAL for a machine or for a user.

Can anyone tell me what one I need? We have one remote server that people remote into to use a virtual desktop.

Many thanks J



Recommendations...

I'm looking to replace my remote-site SonicWalls with something that offers central management and reporting. I really like Ubiquiti as I use their WiFi and switches, but many tell me to stay away as they're not enterprise gear. I know about Meraki, but it's too pricey; does pfSense offer something like UniFi perhaps? I really just need a VPN tunnel to my data center, QoS for phones and a separate LAN port for a public guest network that would use PBR to send the VPN traffic back to the data center for the LAN1 port, and everything else like phones and public access over the local WAN port. Suggestions?



How much time will it take?

Hello reddit!

I just wanna ask how much time it will take to configure about 60 devices (I'm gonna use DHCP), setting them up in one office with cables and raceways, and assembling about 5 wall-mounted racks. Will it take days, or is one day enough? If you guys also know of any research about this, I'm glad to read it all. It's just a personal project of mine this quarantine and I wanna learn more about planning networks.

Thank you!



VPN with Digital certificate enrollment question

Greetings everyone,

I am learning Digital certificates on the ASA.

My question would be: what's the difference between "enrollment self" and "enrollment terminal"?

Now obviously with "enrollment self" the ASA is generating its own self signed Certificate

I thought that if I entered "enrollment terminal" I would be able to import an existing certificate by pasting its "crypto ca certificate chain" into the console.

But as soon as I enter:

conf t

crypto ca trustpoint Our_New_CA
enrollment terminal
exit
!
crypto ca enroll Our_New_CA (With or without the "noconfirm" keyword)

what happens is that the ASA does not prompt me to paste an existing key chain; it just gives me the following text:

Certificate Request follows:

-----BEGIN CERTIFICATE REQUEST-----
MIICljCCAX4CAQAwGjEYMBYGCSqGSIb3DQEJAhYJUHJpbWFyeUZXMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjJgmV3GYrP21UJoQ2u0gOdD4H/fC0Q/Y
Q7vjg/8HT9CiVw9m0SN9RTVga8gnuqf1JjCQZIPRwtwowq1WImIFN6NMJPjlTNRM
jkMI0lrG31/iR5koBBx9m/+3a9tQRFThETpkTrIzYAJGLQ5zZHS1x6r37+EbC+ui
UoVH7SxETOj+0MYT4WjwpvNRlttcdXUin1sCJUKUrZIVCL3rYAaogoXhOPAb99is
ZNIa2566137OzLvEuqZu/G0EXtVtdWjyrcGpEnbfosU2EVA4ZJkHdHyTbFnsAuvI
jARmVzIkhCwreH47lIT1Q7Cw7ckVoOeBjf6d8u2pzwE8H6vUfT++jQIDAQABoDcw
NQYJKoZIhvcNAQkOMSgwJjAOBgNVHQ8BAf8EBAMCBaAwFAYDVR0RBA0wC4IJUHJp
bWFyeUZXMA0GCSqGSIb3DQEBBQUAA4IBAQA2RM2UlU2wyfC3dhPYmcUfiYLMHqYu
MKT05T12PzXNwxyt/yQ0XguOTA3x8bEBQnTQMJVgacUXMKkTjG5Wt9dSWabq2E/C
F8oKSAYYOh3+a/24SN+/DorLoqXwNz+Gfp48AKLJAOaouA1XG9wX5gczltnhA7eI
nHcCa0Ob4UPY8GVNQDodq3/uZvQA9beh1fFC2lyM3dXCNZhmgijJk49koQL9mW+6
X5utUAKV1xWIWoZmbMCxOJ1u0wtvJI31d/hSMF2nYYWuaR2EtkQFF++/n6L6s356
1s3cGL/KTzSjPUM6MkRL1vOR16ufCSkP7lddm4Rh8z4uTNCE5hTOkqtV
-----END CERTIFICATE REQUEST-----

Redisplay enrollment request? [yes/no]: no

What did I do wrong here?

Is this how it is intended to work?



Port forwarding limit bypass

Hello guys, so I have multiple Raspberries (40+) connected with Ethernet cables to my router. Each Raspberry needs to have 12 port forwards.

The router that I have now only allows 32 port-forward rules, which lets me port forward only 32 Raspberries using port-forward ranges.

Someone told me that I can daisy-chain another router and open a port-forward range to the second router, and then I will be able to port forward multiple Raspberries within the limit of the second router.

Do you have any idea of any other solutions that may work? The one that I have presented above should work, or at least it worked for the guy that provided me with that solution.



Question about DHCPOFFER through a Relay

Question for you...

Is the source IP address (in the IP header) of a relayed DHCPOFFER specified in any standard/RFC?

I have seen platforms where:

  • The source IP in the relayed DHCPOFFER is unchanged (i.e. the DHCP server's address)
  • The source IP in the relayed DHCPOFFER is exchanged for the relay agent's address (giaddr).

FZ



RackFoundry is literally a scam

I could go on and on about how awful they are. Nearly a year and they still hadn't finished deployment. Just a half baked cluster-f. Their CEO literally pretended to be one of their employees. It was unbelievable.

When it came time to pull the plug they just ceased all communication, they weren't even trying to pretend anymore. I'm happy to answer any and all questions you might have about their "company" and "services".

I just hope someone takes the time to reach out so they can avoid also being scammed to the tune of 100's of thousands of dollars.



Tuesday, September 29, 2020

Avant Communications - The State of SD-WAN and SASE

All,

If you're interested in SD-WAN and SASE, a colleague and I produced a podcast with Avant Communications on the state of the SD-WAN and SASE markets.

The podcast is called "Two Tech Tools". If interested, please check it out. We are available on iTunes, Spotify, and most major podcast hosts.

https://www.buzzsprout.com/510874

Thank you, the Two Tech Tools!



Does ARP suppression work without an SVI on Spine-Leaf?

Does ARP suppression work on Cisco Nexus switches if we don't have any SVI or anycast gateway on the leaf?



Wireless AP Density

The veeps decided they want to cover one of our warehouses with APs for a trial...

So it's about 5 acres. I detailed 40 to cover the area. I don't have any fancy Fluke software, just using the unifi maps. They are freaking out about the cost. The cost is about 20k which included the APs and all cat6 cabling.

Does this seem out of line at all? If anything to me it seems a little less than I should do.

If I used cisco APs it would be 100k+.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Do any of you have Altn/BLK in your production network?

Layer 3 fabrics have become all the rage, in both the DC and LAN environment.

Even older designs migrated a long time ago to things like VSS, MLAG, vPC, Stackwise with Multichassis Etherchannel, etc.

So, I’m really just casually wondering: do any of you actually have Altn/BLK in production right now? If so, what’s your story?



Network Design Tool for IP Flows

This is for all you IP designers who have had to design a secure system with a set of elements communicating over an IP network,

The elements each have multiple interfaces (management, others..) and each element resides in one of many security zones in one of many sites.

The only elements that span security zones are control points, which are usually firewalls. Any IP traffic traversing zones must be whitelisted in only the appropriate control points/firewalls.

An IP flow has a source subnet, port, protocol, host element ID and interface ID, destination host, interface ID and subnet. It also has a primary and secondary path, determined by rules defining which control points they must traverse to reach the destination security zone (which, yes, translates into next-hops ultimately). A flow may need to traverse multiple control points to reach its destination. A list of IP flows is often called a communications matrix.

I have many dozens of elements needing to talk to each other. It multiplies to many thousands of flows. But it's not a full mesh. Each element interface has a particular set of other elements and interfaces it has to reach, and be reached from, according to function (and other factors, like geographical placement).

I need to generate a list of firewall rules that are to be implemented into all the correct firewalls whenever an element is added or changed.

Listing every IP flow on a spreadsheet is unscalable. Prone to human error. I know this, my sheet is vast.

The spreadsheet could be a final artifact, but it needs to be generated by a tool upon which I can model these elements, their interfaces, their flow characteristics etc. Then when I add a new element to my model, I want to define the site, its name, interface subnets and far-end hosts I want it to be able to reach. I want the tool to generate the flows from that.

I have no such tool, and don't know of any. Tools abound to discover elements and flows once deployed, but I need a design tool to let me provide these flows before deployment commences.

Has anyone any advice, or knows of a network design tool with such capability?

Thanks for any & all help.
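As an added sketch of the kind of model the post above asks for (illustrative code, not an existing tool; every element, zone, subnet, firewall name and the POLICY table are made up), this script expands per-function reachability rules into the communications matrix, finds the primary path through the control points between security zones, and emits the whitelist entries each firewall needs. Secondary paths and multiple sites are left out to keep it short.

```python
"""Generate per-firewall whitelist rules from an element/zone model.
Added example, not an existing tool: every element, zone, subnet, firewall
name and policy entry below is made up for illustration."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, str, str, str, int]  # (src elem, src if, dst elem, dst if, proto, dport)
Rule = Tuple[str, str, str, int]            # (proto, src subnet, dst subnet, dport)

@dataclass(frozen=True)
class Interface:
    subnet: str                      # CIDR the interface lives on
    zone: str                        # security zone of that subnet

@dataclass
class Element:
    element_id: str
    site: str
    function: str                    # decides which flows it needs
    interfaces: Dict[str, Interface] # interface id -> Interface

@dataclass(frozen=True)
class ControlPoint:
    name: str                        # firewall name
    zones: Tuple[str, str]           # the two zones it joins

# Reachability by function: (src function, src if) -> [(dst function, dst if, proto, dport)]
POLICY = {
    ("app", "data"): [("db", "data", "tcp", 5432)],
    ("jumphost", "mgmt"): [("app", "mgmt", "tcp", 22), ("db", "mgmt", "tcp", 22)],
}

def expand_flows(elements: Dict[str, Element], policy=POLICY) -> List[Flow]:
    """Expand the per-function policy into the concrete communications matrix."""
    flows: List[Flow] = []
    for src in elements.values():
        for (fn, if_id), targets in policy.items():
            if src.function != fn or if_id not in src.interfaces:
                continue
            for dst_fn, dst_if, proto, port in targets:
                for dst in elements.values():
                    if dst is not src and dst.function == dst_fn and dst_if in dst.interfaces:
                        flows.append((src.element_id, if_id, dst.element_id, dst_if, proto, port))
    return flows

def zone_path(src_zone: str, dst_zone: str,
              cps: List[ControlPoint]) -> Optional[List[ControlPoint]]:
    """BFS over the zone graph: the control points a flow crosses (its primary path)."""
    adj: Dict[str, list] = {}
    for cp in cps:
        a, b = cp.zones
        adj.setdefault(a, []).append((b, cp))
        adj.setdefault(b, []).append((a, cp))
    prev = {src_zone: None}          # zone -> (zone we came from, firewall crossed)
    queue = deque([src_zone])
    while queue and dst_zone not in prev:
        z = queue.popleft()
        for nxt, cp in adj.get(z, []):
            if nxt not in prev:
                prev[nxt] = (z, cp)
                queue.append(nxt)
    if dst_zone not in prev:
        return None                  # zones not joined by any control point
    path, z = [], dst_zone
    while prev[z] is not None:
        z, cp = prev[z]
        path.append(cp)
    return path[::-1]

def generate_rules(elements: Dict[str, Element], cps: List[ControlPoint],
                   flows: List[Flow]) -> Dict[str, List[Rule]]:
    """Place each flow on every firewall along its path; an unroutable flow is an error."""
    rules: Dict[str, List[Rule]] = {cp.name: [] for cp in cps}
    for src_el, src_if, dst_el, dst_if, proto, dport in flows:
        s, d = elements[src_el].interfaces[src_if], elements[dst_el].interfaces[dst_if]
        path = zone_path(s.zone, d.zone, cps)
        if path is None:
            raise ValueError(f"no control-point path from {s.zone} to {d.zone} for {src_el}->{dst_el}")
        rule = (proto, s.subnet, d.subnet, dport)
        for cp in path:
            if rule not in rules[cp.name]:   # elements sharing a subnet collapse to one rule
                rules[cp.name].append(rule)
    return rules

# Constructed sample: one site, three zones, two firewalls, four elements.
CONTROL_POINTS = [ControlPoint("fw-edge", ("mgmt", "app")), ControlPoint("fw-core", ("app", "db"))]
ELEMENTS = {e.element_id: e for e in [
    Element("jump01", "site-a", "jumphost", {"mgmt": Interface("10.0.0.0/24", "mgmt")}),
    Element("app01", "site-a", "app", {"data": Interface("10.1.0.0/24", "app"), "mgmt": Interface("10.1.1.0/24", "app")}),
    Element("app02", "site-a", "app", {"data": Interface("10.1.0.0/24", "app"), "mgmt": Interface("10.1.1.0/24", "app")}),
    Element("db01", "site-a", "db", {"data": Interface("10.2.0.0/24", "db"), "mgmt": Interface("10.2.1.0/24", "db")}),
]}

if __name__ == "__main__":
    for fw, fw_rules in generate_rules(ELEMENTS, CONTROL_POINTS, expand_flows(ELEMENTS)).items():
        print(fw)
        for proto, src, dst, port in fw_rules:
            print(f"  permit {proto} {src} -> {dst} dport {port}")
```

Adding an element means adding one `Element` entry; the matrix and the per-firewall lists are regenerated from the policy, and a flow between zones with no control point path fails loudly instead of silently producing no rule. The spreadsheet the post mentions can then be a dump of `generate_rules` output rather than something maintained by hand.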



Overcomplicating Network design?

Reddit, I need some guidance. I work for a rapidly growing startup, and am in the process of redesigning their current Network infrastructure.

For all of the access switches, I am stacking several Dell N2048 in each IDF. For some context, there are three floors, with roughly three to four IDF per floor. There are also various 24 and 48 Port patch panels leading to various laboratories.

I want to know if I'm overcomplicating the following. Right now I have each switch stack with the next available IP, for example, ground floor, IDF A has three switches stacked, and they share the IP address of 192.168.10.10. IDF B switch stack is 192.168.10.11, and so on and so forth.

My goal was to change each floor to have its own set of IP addresses that correspond to its floor. For example all switches in IDF A, B, C, etc. on floor 1 would be 192.168.10.x, and 2nd floor IDFs would be 192.168.10.2x, 3rd floor, 192.168.10.3x.

My logic behind this: I figure if you're trying to hit one of the access switches on the second floor, for example, you can just simply hit 192.168.10.2x, and easily know where you are.

Since switches will be stacked in most cases, using up the entire floor IP shouldn't happen.

Or just tell me I'm crazy, and just label all of them one through 20ish and if they're labeled call it a day.



Trying to find a gigabit poe switch with a high temperature range but having trouble finding one

I'm having trouble finding a gigabit poe switch that can support temps up to 60/55c. I only need 3 ports on it but what i've found is the smaller ones can't support as high temperatures. Budget is up to 150$. Anyone have any recommendations?



Work From Home Post Covid

I'm curious if work from home as a perk will continue for many network engineers after Covid. I think it is reasonable to have 1-2 days a week work from home and the rest of the days in the office. Covid has taught businesses the importance of having an IT infrastructure that can be remotely managed. I am hoping that work from home will become a regular perk offered to network engineers. Many network engineer positions at top companies like Facebook are embracing a full remote work setup even after covid-19. Perhaps the roles that involve more automation and coding will lead the way for more work from home flexibility?

What are your thoughts?



Gel filled or not for outdoor ethernet?

I’m putting in a big order for supplies, and am just curious about people’s preferences.

Let me start by saying I’ve never had a cable failure, but I’ve purchased both gel-filled and dry outdoor/UV rated ethernet. The latter is a bit cheaper, and, perhaps more importantly, easier to work with than the gel one (although ez-RJ45s make it a bit easier to deal with the gel).

I’m basically out of both. Should I buy another one of each, or just gel-filled? I have done a fair amount of underground conduit stuff, some direct burial rated, some not.

What are your thoughts on this? I guess gel filled is the safer choice.



Basic Networking Help

I am in the process of replacing our aging equipment with new Aruba 6200, 6300, and 6400 series switches.

I'm having trouble getting the new switches communicating with the old switches.

Old switch (port14) ---- New Switch (port 1/1/42)

oldswitch

interface 14

name newswitch1

interface 23

name mdfswitch1

interface 24

name mdfswitch2

vlan5

name clients

untagged 1-20

vlan30

name management

ip address 10.10.30.35 /24

vlan 900

name interswitch

untagged 23-24

What I did for now was add port 14 to vlan 900 as an untagged port

vlan 900

name interswitch

untagged 14,23-24

I then set up a basic config on the 6200 series:

vlan 5
name Client
vlan 30
name management
vlan 900
name interswitch
interface mgmt
no shutdown
ip static 10.10.30.7/24
default-gateway 10.10.30.1
nameserver 10.10.18.16 10.10.18.15

It appears at this facility all the switches are connected to one another via vlan 900 and their ports are untagged.

Going from the older HP/Aruba series to the newer series, I thought I'd have to use the following commands:

int 1/1/42

no shutdown

vlan access 900

That did not work.

I then attempted to create a trunk on both devices

oldswitch

trunk 14 trk1 trunk

new switch

int 1/1/42

vlan trunk allowed all

I still wasn't able to ping the management interface or the default gateway

What am I missing?



Cisco Switch Stack Console Ports

I can't seem to find a way to do this. Is there a way to determine what physical piece of hardware you are connected on that is part of a Cisco switch stack? For example, I have an OpenGear OOB with 16-ports and a (5) Cisco WS-C3850-48F-S stack and my local guys look like they plugged in switch 1 which is my active to port 3 and who knows where the other 4 go. Is there a command I can run to show Port 1 = X serial number. Then I can direct them where to move the cables around so it represents my switch stack appropriately.



Church - Should I plan to upgrade my router (from Ubiquiti USG) or look into a better option

So, slowly but surely, I have been upgrading the church’s network that I help support. To get them into this century, I currently have a Ubiquiti USG, PoE switch for cameras and APs. I’m curious what others use? Not sure if I need to go more enterprise level router or not. Fortigate, Juniper, Meraki, many others out there that I have been reading on. I like Ubiquiti just for the fact I don’t have a yearly fee, so that’s a plus. I’m just wondering about security or other features that I may be missing. Or am I overthinking this and should move on...



Cisco n9k won’t let go of root bridge

I have a Cisco N9K in our core network at a DC, and we have a DF strand running to our new office space, where I have another N9K. I am trying to trunk 2 VLANs over the link, and STP is failing because the new N9K won’t let go of root bridge. I’ve tried changing the priority, but no matter what I do (or have done), it still makes itself the root bridge. The actual root bridge is the N9K in the DC, and as such it is blocking the port with Type listed as Dispute P2p. I feel like I’m missing something stupid easy here, any suggestions?

Both sides of the link are configured as:

switchport mode trunk
switchport trunk allowed vlan 98,899



How to achieve 10Gbit/s on small UDP packets?

Hey /r/networking

I have a unique problem that requires fast throughput of 9k packets over UDP. Currently, with my benchmarking I can only achieve 3-4Gbit/sec. I have increased the buffers to their max limits on Windows and also increased the MTU on my network cards to 9k. Is this an issue where the payload is too small to take advantage of the bandwidth?



Microscanner POE and CableIQ Information

Hello all!

I am interested in buying a new network tester (currently using the Noyafa NF-388), and was looking at getting one of those Fluke Network testers. I had some questions about them, and was wondering if anyone on this subreddit would have some experience with these tools. The two tools in particular I was looking at are the Microscanner POE and the CableIQ. Here are my questions.

  1. The Microscanner POE says it checks advertised speeds, but does this in any form confirm the speed? I.E. a 300ft Cat5 line could advertise 10g but not actually be able to perform even 100mb, right? I know it isn't reasonable to ask it to certify cable, but just wondering the value of the speed check feature.
  2. Does the CableIQ do POE checking, and if so, does it do it to the same standards as the Microscanner POE? I.E. 802.3bt?
  3. Is it possible for the CableIQ to check 10g cable? I know it checks 1g cable, and it isn't DSX or anything, but I feel the 1g check is a tad bit dated.
  4. This is a personal question, but would you recommend either the Microscanner POE or the CableIQ? I work in the AV industry, not the IT industry. I feel the Microscanner is more of a field tech's tool and that the CableIQ is a bit dated, but I could be wrong. I know other companies make testers too, but I am just at the moment interested in learning about these two tools.

Thank you, hopefully this all made sense!



Accessing a Server without Port Forwarding

In my area, the only high-speed internet option uses a shared IP, meaning I cannot use port forwarding (trust me, I have tried everything). I usually just use AWS but a local company wants their servers local. Does anyone know a way to launch an AWS instance where my server can attach to it (via VPN? I'm not sure the best way) and then create a virtual link to the outside world? I'm not sure what this would be called. Thank You!



Can 10GBase-T travel 100 meters?

We have a NAS that I'm attempting to locate in another building. We're using a Cisco SG350XG switch on one end and an Intel X540T1 on the other. I'm attempting to connect them with 300ft Cat 7 Ethernet. Before running the cable through the buildings I figured I would bench test everything. After plugging the things in, it auto negotiates to 1G instead of 10G. I grabbed a shorter cable, 8ft, it negotiates to 10g. The 300ft cable is still coiled, I rolled a couple feet of one end for bench testing. I got the specs off the Intel X540T1, the max reach is 300ft but I can't find the max reach on the switch. It just says 802.3an, which I'm taking as meeting the 100meter spec for ethernet. Also, I've turned off Short Reach & Energy Efficient Ethernet in the Cisco switch. Is this actually going to work, or are we going to need to install a fiber run?



vlan/dhcp issue

I am having an issue with a vlan getting ip addresses (sometimes). Here is the situation:

Unifi gen 2 controller

6 x Unifi 48 port switch.

Windows DC w/DHCP, DNS

Cisco ASA

There are 7 networks setup through the unifi controller.

Lets say we have:

.10.x setup as a LAN network, using vlan 10.

.50.x setup as a LAN network, using vlan 50.

.101.x setup as a LAN network, using vlan 101.

.2.x setup as a LAN network, using vlan 2.

.100.x setup as a LAN network, using vlan 100.

.1.x setup as a LAN network, not a vlan.

we have a trunk setup as vlan only, as vlan 12.

Everything works, sometimes. Every once in a while, like once every other day or so, I get a problem from a computer on vlan 2. The computer's network will just cycle as being not connected, to connected, over and over, very quickly. It will usually get an error about a duplicate IP address too. If they wait long enough, it just fixes itself, usually after an hour or so. It is not happening from a specific switch. If I change a port on a switch in the basement to vlan 2, it has had the same problem as a computer plugged into one of the other switches with a port on vlan 2. If I change the port to vlan all, it gets a .1.x address just fine. If I switch it back, it's a coin flip on if it will still have the network cycling problem.

In the controller, the computer will show an ip address, and it will show the same ip address in dhcp, but sometimes (not always), it will show a different ip address in dns. On the actual computer when I check, it shows no ip address like it is not plugged in at all.

We are a 24 hour shop, so it's not possible to just take down the network and go piece by piece.

Anyone have any ideas on what I could do to figure this out? I am not familiar with using wireshark but I was thinking I could run that somewhere to see where the traffic is stopping maybe?



AT&T Successfully Deploys dis-aggregated core routing platform.

Curious what you guys think about this blog post from AT&T's new supplier DriveNets... https://drivenets.com/news-and-events/press-release/att-deploys-drivenets-network-cloud-in-their-next-gen-core/

Seems like a pretty big shift where they are starting to run a lot of the routing functionality on x86 servers? Curious if this is a big deal or just a really good blog post out of the DriveNets marketing team? It doesn't say how the new core differs from the old, but I am assuming they were previously running hardware from a vendor like Cisco or Juniper and now they are running things on white-boxes and x86 servers?

I mostly only really followed the major cloud driven open compute projects like SONiC/SAI, so I am kind of surprised to see a telco like AT&T push something that seems similar in routing.



Arris SBG 10 - Suddenlink - High Uncorrectables?

Seeing multiple RCS Partial Service, then SYNC Timing Synchronization Failure.

Have no splitters in the lines. The ground is still good at the box. Happens with my neighbor as well, usually drop at the same time for 5-15 seconds. Wanted a good way to communicate that. Thanks for the help. Could it be a bad ground or bad node? I believe only myself and neighbor come from the same node.

Status (Down/Up) - Last 22 Hours.

https://imgur.com/c87g7zG



DHCP IP / Subnet change. Lose all DHCP / PXE functions

We had a DHCP server on 20.239 vlan 192. Worked fine, but we are migrating the network. Now it's on 28.248 vlan 28. Lost our PXE function. Have rebooted the server. Restarted the services. No luck. Are there things in the switches that need to be changed to pass the DHCP service? I can't find anything related to the old IP in the switch configs but I am not a network engineer so I am unsure if I am missing anything.

Any assistance is appreciated.



Small Business Mesh Network

I work for a small business and we will be moving into a 11,000sqft building that has offices through most of the building and we will have 600mbps internet service. We only have 8 people working at this location so we don't need a commercial network setup, I was looking at the Orbi RBK852 with two or three additional RBS850 satellites. At most we should have 20-25 wireless devices connected at a time along with 10-15 wired devices.

Has anyone used the Orbi to cover a larger area like this, if so how did it work? If this doesn't sound like a good setup does anyone have any other suggestions? We are open to suggestions for enterprise mesh setups as well. Thank you in advance.



Break sequence with Cisco devices

I am not able to send a break sequence from my HP ProBook laptop to a Cisco Nexus 9000 series switch over a USB adapter and Cisco console cable.

I tried every possible button combination.

I do not understand what is causing the problem. Is it my laptop vendor? Is it Windows 7? Is it SecureCRT or PuTTY? Is it the Cisco switch?



Malware from vm to network

I have this friend that had this program that triggers many AVs on VirusTotal, but he had it for years without ever experiencing anything suspicious.

I want to analyze it on a VM, which is easy enough to set up, however I'm not sure if the program is going to attack my network and so I want to know how to make it safe just in case, so that my other devices, host included, are safe.



GRE Issue

So I was wondering if people have had the same issue with GRE that I am currently having. We have GRE tunnels out to a 3rd party vendor that filters web traffic and I am getting this weird issue that whenever something goes over the tunnel quickly, like when I ping the destination router over the tunnel, 2 pings get through and the rest drop until it stops for 3-4 seconds. I've messed with MTU sizes, and I get the same thing whenever I try to do an extended ping to figure out a good size. I'm starting to wonder if there is something weird on the ISP's side blocking this. I have another tunnel using IPsec but that isn't having any issue at all. It's just the GRE tunnels. For reference the ISP is Comcast.

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.11
!!........
Success rate is 20 percent (2/10), round-trip min/avg/max = 24/28/32 ms



I guess CISA issued an emergency directive to federal government agencies, there's a critical elevation-of-privilege bug on windows server.

I don't ever post here because I'm just getting into my networking career, but I found this article quite interesting. Did anyone else know about this? It seems like a pretty serious vulnerability from what I've read here. Let me know your thoughts!



Monday, September 28, 2020

(Cisco) What happens if a host receives a router advertisement from 2 routers at the same time?

Hosts send out router solicitation ICMPs in order to get the necessary information to configure the prefix. When this message is sent out, all the routers within that subnet will respond with a router advertisement. What happens if 2 RA are received by one host at the same time? Is there a lowest cost decision that is carried out like with RSTP?



I get to pick our next vendor for our upgrade. Do I stay with Cisco? Go with juniper? Any other suggestions?

Well. Just got the task that I will be upgrading all the existing infrastructure as it's been 5 years. To be honest our current Cisco equipment does the job fine, but hey, they want new stuff so I will not argue.

We are using a catalyst 4500 for our core, IE 4010s and 2960s for distro, and IE 2000s for our access.

I was thinking of transitioning away from IE distro/access as any switch will do our l2 routing.

So what vendor should I go through? Should I diversify and get a different vendor for each layer?

I think the 4500 upgrade is the 9600.



DOCSIS CMTS Band Plan

I'm specifying a linear TV band plan this week and want to make sure it's as wide open for DOCSIS 3.1 as possible. Here's what I've gathered for a specification; how does it look to the Reddit hive mind?

  • Television service must avoid DOCSIS return path <45 MHz, frequencies lower than EIA 2 are reserved
  • Television service should avoid DOCSIS 3.1 mid-split return path <85 MHz, frequencies at or below EIA 6 are reserved
  • Television service should avoid DOCSIS 3.1 high-split return path <204 MHz, frequencies at or below EIA 22 are reserved
  • Television service ideally would start at EIA 23 and extend continuously until the channel lineup is full.
  • Television service ideally would end at EIA 61 (allowing for DOCSIS in EIA 62 and up and/or MoCA E & D bands).


DNS Infrastructure Question

The organization I work for is looking at renewing/upgrading our current internal DNS/DHCP infrastructure, and there has been a divide over a specific question. I would appreciate any feedback.

Should DNS be split to use more than one vendor and product? So DNS would have Server1 be Vendor A, Server2 would be Vendor B, and they would update each other.

One side says yes, so that a single bug/issue doesn't take down DNS.

One side says no, as it adds too much complexity for an isolated chance.



My router's WAN IP address

Just trying to make sure I understand this.

My router has WAN port configured as DHCP.

This then goes directly to my cable modem which has a private network address (RFC-1918).

So my router's WAN port gets the routable IP address from my ISP ... and not another private/ non-routable address?



Conntrack not deNATing return packet's source IP when DNAT destination IP is same subnet. Why?

My understanding is when a DNAT rule is applied to change the destination IP of an outgoing packet, conntrack automatically deNATs the reply packet's source IP back to the original destination. However, I've noticed this only works when the DNAT destination IP is not on the same subnet. Why is this happening?

Here's a worked example with tcpdump to demonstrate (br0 has subnet 192.168.1.0/24).

On my router, I've added a DNAT rule to forward any DNS requests from any IP on port 53 to another server like this.

iptables -t nat -A PREROUTING -i br0 ! -s 8.8.4.4 ! -d 8.8.4.4 -p udp --dport 53 -j DNAT --to 8.8.4.4 

Doing a DNS request to 1.1.1.1 ("dig @1.1.1.1 google.com") from a client connected to the router, and running a tcpdump on all interfaces on the router shows that the source IP of reply packets is changed back (client is 192.168.1.2, XXX.XXX.XXX.XXX is public IP):

12:23:36.603761 IP 192.168.1.2.56892 > 1.1.1.1.53: 28134+ [1au] A? google.com. (39)
12:23:36.603761 IP 192.168.1.2.56892 > 1.1.1.1.53: 28134+ [1au] A? google.com. (39)
12:23:36.603849 IP XXX.XXX.XXX.XXX.56892 > 8.8.4.4.53: 28134+ [1au] A? google.com. (39)
12:23:36.630553 IP 8.8.4.4.53 > XXX.XXX.XXX.XXX.56892: 28134 1/0/1 A 172.217.14.206 (55)
12:23:36.630613 IP 1.1.1.1.53 > 192.168.1.2.56892: 28134 1/0/1 A 172.217.14.206 (55)
12:23:36.630617 IP 1.1.1.1.53 > 192.168.1.2.56892: 28134 1/0/1 A 172.217.14.206 (55)

We can see above that the DNAT rule changed the destination from 1.1.1.1 to 8.8.4.4 correctly. Then when the packet came back from 8.8.4.4, the return packet's source IP was changed back to 1.1.1.1 before getting sent back to the client. Also looking at conntrack entries, we can see the entry:

udp 17 18 src=192.168.1.2 dst=1.1.1.1 sport=58664 dport=53 packets=1 bytes=67 src=8.8.4.4 dst=XXX.XXX.XXX.XXX sport=53 dport=58664 packets=1 bytes=83 mark=0 use=1 

This also works when I forward to another server on the same system as the router but in a different network namespace+subnet. Example with this rule (10.0.5.3 is the IP of a DNS server on the router that is in a separate net namespace and subnet than br0):

iptables -t nat -A PREROUTING -i br0 ! -s 10.0.5.3 ! -d 10.0.5.3 -p udp --dport 53 -j DNAT --to 10.0.5.3 

Doing a tcpdump test with a DNS request from a client, we see the source IP of reply packets gets changed back:

12:36:17.577910 IP 192.168.1.2.64194 > 1.1.1.1.53: 55319+ [1au] A? google.com. (39)
12:36:17.577910 IP 192.168.1.2.64194 > 1.1.1.1.53: 55319+ [1au] A? google.com. (39)
12:36:17.578019 IP 192.168.1.2.64194 > 10.0.5.3.53: 55319+ [1au] A? google.com. (39)
12:36:17.578022 IP 192.168.1.2.64194 > 10.0.5.3.53: 55319+ [1au] A? google.com. (39)
12:36:17.578829 IP 10.0.5.3.53 > 192.168.1.2.64194: 55319 1/0/1 A 172.217.14.206 (55)
12:36:17.578829 IP 10.0.5.3.53 > 192.168.1.2.64194: 55319 1/0/1 A 172.217.14.206 (55)
12:36:17.578895 IP 1.1.1.1.53 > 192.168.1.2.64194: 55319 1/0/1 A 172.217.14.206 (55)
12:36:17.578899 IP 1.1.1.1.53 > 192.168.1.2.64194: 55319 1/0/1 A 172.217.14.206 (55)

So again, the DNAT changed the destination to 10.0.5.3, which replies back, and then reply packets get deNATed correctly, changing their source IP back before sending it back to the client. Again, conntrack shows the entry

udp 17 26 src=192.168.1.2 dst=1.1.1.1 sport=64194 dport=53 packets=1 bytes=67 src=10.0.5.3 dst=192.168.1.2 sport=53 dport=64194 packets=1 bytes=83 mark=0 use=1 

Now, here's where the problem happens. If instead I choose to redirect to a server on the subnet of br0 (like 192.168.1.1, which is an external server connected to the router on br0), like so:

iptables -t nat -A PREROUTING -i br0 ! -s 192.168.1.1 ! -d 192.168.1.1 -p udp --dport 53 -j DNAT --to 192.168.1.1 

Now, doing a DNS request from a client results in a "reply from unexpected source 192.168.1.1" error, and tcpdump on the router shows that the source IP of the reply packets never gets translated back:

12:53:45.406527 IP 192.168.1.2.63500 > 1.1.1.1.53: 46258+ [1au] A? google.com. (39)
12:53:45.406527 IP 192.168.1.2.63500 > 1.1.1.1.53: 46258+ [1au] A? google.com. (39)
12:53:45.406647 IP 192.168.1.2.63500 > 192.168.1.1.53: 46258+ [1au] A? google.com. (39)
12:53:45.406651 IP 192.168.1.2.63500 > 192.168.1.1.53: 46258+ [1au] A? google.com. (39)
...
12:53:45.428014 IP 192.168.1.1.53 > 192.168.1.2.63500: 46258 1/0/1 A 172.217.14.206 (55)
12:53:45.428017 IP 192.168.1.1.53 > 192.168.1.2.63500: 46258 1/0/1 A 172.217.14.206 (55)
12:53:45.428014 IP 192.168.1.1.53 > 192.168.1.2.63500: 46258 1/0/1 A 172.217.14.206 (55)

We can see that the DNAT changed the destination IP correctly to 192.168.1.1, but then the reply packets from 192.168.1.1 never had their source IP changed back to 1.1.1.1. This results in the client (192.168.1.2) seeing the packet as coming from 192.168.1.1 instead of 1.1.1.1, and spits out the unexpected source error since it sent the request to 1.1.1.1. Looking at conntrack we see the following entry,

udp 17 23 src=192.168.1.2 dst=1.1.1.1 sport=63500 dport=53 packets=1 bytes=67 [UNREPLIED] src=192.168.1.1 dst=192.168.1.2 sport=53 dport=63500 packets=0 bytes=0 mark=0 use=1

Note how the above conntrack entry says UNREPLIED, while the other ones didn't. But the conntrack entry looks correct (the src/dst/port), so I don't understand why it's not deNATing the reply packets correctly and changing the source IP back like the other examples above.

Can anyone illuminate why the source IP is not changing back when the destination DNAT is on the same subnet, and why the conntrack entry shows UNREPLIED even though the src/dst/sport tuple matches the reply packet? Is there anything I can do to fix this so it works properly like for the first two examples with external IPs to the subnet?

Thank you!
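As an added illustration for the post above (my code, not the poster's): a small parser for `conntrack -L` style entries that flags DNAT entries whose translated destination sits on the same LAN segment as the client, which is exactly the third case above. The sample lines are constructed from the three entries quoted in the post; the redacted public address is replaced with a documentation-range placeholder, and the LAN prefix is assumed to be br0's 192.168.1.0/24.

```python
"""Flag DNAT conntrack entries whose replies bypass the router (added example).

Parses `conntrack -L` style lines like the ones quoted in the post and marks
entries where the rewritten destination shares the client's LAN segment, so
the server answers the client directly at layer 2 and the router's NAT tables
never see the reply to reverse the translation (left as [UNREPLIED]).
"""
import ipaddress
from typing import Any, Dict, List

# Constructed sample modelled on the three entries in the post; the public
# address is a documentation-range placeholder for the redacted XXX value.
SAMPLE_CONNTRACK = """\
udp 17 18 src=192.168.1.2 dst=1.1.1.1 sport=58664 dport=53 packets=1 bytes=67 src=8.8.4.4 dst=203.0.113.10 sport=53 dport=58664 packets=1 bytes=83 mark=0 use=1
udp 17 26 src=192.168.1.2 dst=1.1.1.1 sport=64194 dport=53 packets=1 bytes=67 src=10.0.5.3 dst=192.168.1.2 sport=53 dport=64194 packets=1 bytes=83 mark=0 use=1
udp 17 23 src=192.168.1.2 dst=1.1.1.1 sport=63500 dport=53 packets=1 bytes=67 [UNREPLIED] src=192.168.1.1 dst=192.168.1.2 sport=53 dport=63500 packets=0 bytes=0 mark=0 use=1
"""

TUPLE_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes"}


def parse_conntrack_line(line: str) -> Dict[str, Any]:
    """Split one conntrack line into original/reply tuples plus flags."""
    tokens = line.split()
    orig: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    flags: List[str] = []
    for tok in tokens[3:]:                 # skip proto name, proto number, timeout
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok.strip("[]"))
            continue
        key, _, val = tok.partition("=")
        if key not in TUPLE_KEYS:          # mark=, use=, ...
            continue
        # first occurrence of a key is the original direction, second the reply
        (reply if key in orig else orig)[key] = val
    return {"proto": tokens[0], "timeout": int(tokens[2]),
            "orig": orig, "reply": reply, "flags": flags}


def classify(entry: Dict[str, Any], lan_cidr: str) -> str:
    """'no-nat', 'ok' or 'hairpin-risk' for one parsed entry."""
    lan = ipaddress.ip_network(lan_cidr)
    orig, reply = entry["orig"], entry["reply"]
    client = ipaddress.ip_address(orig["src"])
    real_server = ipaddress.ip_address(reply["src"])
    if str(real_server) == orig["dst"]:
        return "no-nat"                    # destination was never rewritten
    # DNAT took place. When client and real server are both on the LAN
    # segment, the reply is switched between them and never routed, so
    # conntrack cannot rewrite its source back to the original destination.
    if client in lan and real_server in lan:
        return "hairpin-risk"
    return "ok"


def find_hairpin_risks(text: str, lan_cidr: str) -> List[Dict[str, Any]]:
    """Parsed entries from `text` that classify as hairpin-risk."""
    risks = []
    for line in text.splitlines():
        if line.strip():
            entry = parse_conntrack_line(line)
            if classify(entry, lan_cidr) == "hairpin-risk":
                risks.append(entry)
    return risks


if __name__ == "__main__":
    for line in SAMPLE_CONNTRACK.splitlines():
        e = parse_conntrack_line(line)
        print(f"{e['orig']['src']} -> {e['orig']['dst']} (real {e['reply']['src']}): "
              f"{classify(e, '192.168.1.0/24')} {e['flags']}")
```

Run over real `conntrack -L` output it lists the flows that will sit [UNREPLIED] because the real server answers the client over the bridge without the packet ever being routed by the box doing the NAT. A common way to handle that hairpin case, which the post does not discuss, is to also source-NAT the redirected packet to the router's own LAN address so the reply is addressed to the router and passes back through conntrack.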



Can an RJ45 ethernet cable Tester destroy equipment that was accidentally left plugged in?

I was testing an RJ45 cable with my Tester and accidentally left equipment plugged into the other side of the line while my Tester was on. Could having equipment on while the Tester is sending the electronic signals to each wire, harm the equipment?

This is my tester: https://www.amazon.com/iMBAPrice-Network-Cable-Tester-Phone/dp/B01M63EMBQ/ref=sr_1_4?dchild=1&keywords=ethernet%2Bline%2Btester&qid=1601316559&sr=8-4&th=1



What do you guys use for Out-Of-Band-Management console access?

As the title states, I'm curious to what solutions you guys use for out of band access. I have several remote sites with Cat4500 switches. I need to be able to reboot the switches and still have console access to the devices. I appreciate any suggestions!