Saturday, November 7, 2020

Aggregating 2 completely separate networks?!?

Stupid idea, but possible; I just can't figure it out. I have 2 locations with Ubiquiti routing and Windows Servers on each side. However, one location has 1gbps copper and the other has 50mbps fiber. I would like to aggregate these networks, but I don't know how. Is it possible to use port forwarding? Any other option?



Spectrum of an unstable network using ping

Before getting to the actual question I have, allow me to give a bit of context. I'm developing for my portfolio a series of Python scripts to probe a server (that is, to know the status of the connection). I won't get into the beef of the code, but a question has arisen and I'd like to know if you would be able to give me a hand with it.

I know that the greatest sign of an unstable connection is notable response speed differences across a huge number of packets (this last condition being just the statistical law of "the greater the sample, the closer to the full population"), and a friend of mine who specializes in this has recommended that I do streaks of at least 50 packets for this.

I have implemented in code the statistical functions needed for this task: the average and the standard deviation (on a sample), which allow me to get the range the response time moves in between.

Now, I know I said the word "notable" before, yet here lies our problem. As you can guess, I'm a newbie when it comes to networking (I decided to take on this project to have a bit of diversity and not just focus on a single thing), and I know barely the bare minimum.

Plus, I am not able to work that well with small quantities: were this happening in the 70's when response times were long as hell, there wouldn't be much of a problem, but now it's measured in milliseconds, which is too short a time for me to comprehend notable differences.

That's why I'm asking for an informed opinion on the matter: how much undulation should I take into account to consider a connection unstable? Thanks beforehand and excuse the inconvenience.
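The statistics the post describes (mean and sample standard deviation over a run of at least 50 replies), worked through on constructed RTT series. This is an added example, not the poster's script; the two series, the coefficient-of-variation check and the thresholds in classify() are assumptions to tune per link.

```python
"""Stability statistics over a run of ping round-trip times (RTTs).

Added example, not the poster's code.  The two RTT series are constructed
(50 samples each, the minimum the poster was advised to collect) and the
instability thresholds in classify() are assumptions to be tuned per link.
"""
from statistics import mean, stdev

# Constructed: a quiet link, RTT wandering between 21.0 and 21.6 ms.
STABLE_RTT_MS = [21.0 + 0.1 * (i % 7) for i in range(50)]
# Constructed: the same link with every fifth reply delayed to 120 ms.
SPIKY_RTT_MS = [120.0 if i % 5 == 0 else 21.0 for i in range(50)]


def rtt_stats(samples):
    """Mean, sample standard deviation, coefficient of variation (stdev/mean)
    and an RFC 3550-style smoothed jitter estimate for a list of RTTs in ms."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    m = mean(samples)
    sd = stdev(samples)          # sample (n-1) standard deviation, as in the post
    # RFC 3550 jitter estimator applied to consecutive RTTs:
    # J = J + (|D| - J) / 16, where D is the difference between neighbours.
    jitter = 0.0
    for prev, cur in zip(samples, samples[1:]):
        jitter += (abs(cur - prev) - jitter) / 16
    return {
        "n": len(samples),
        "mean_ms": m,
        "stdev_ms": sd,
        "cv": sd / m,
        "jitter_ms": jitter,
        "band_ms": (m - sd, m + sd),   # where most replies land
    }


def classify(stats, cv_limit=0.10, stdev_limit_ms=5.0):
    """Call the run unstable when the spread is large relative to the mean
    (coefficient of variation) OR large in absolute terms.  The relative
    test addresses the "small quantities" worry: a 2 ms swing matters on a
    5 ms link and is noise on a 200 ms one.  Both limits are assumptions."""
    if stats["cv"] > cv_limit or stats["stdev_ms"] > stdev_limit_ms:
        return "unstable"
    return "stable"


if __name__ == "__main__":
    for name, series in (("quiet", STABLE_RTT_MS), ("spiky", SPIKY_RTT_MS)):
        s = rtt_stats(series)
        print(f"{name}: mean={s['mean_ms']:.2f} ms stdev={s['stdev_ms']:.2f} ms "
              f"cv={s['cv']:.3f} jitter={s['jitter_ms']:.2f} ms -> {classify(s)}")
```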



Tcping help

I'm wondering what I need to type into the terminal to actually ping an IP. Whenever I put tcping (IP) 80 it just says port 80 is open. Can someone help pls



Vyos autoshutdown new neighbors missing?

In follow-up to my last post asking about Vyos, I'm now at the point where I'm configuring it like my production setup to see if I'm missing something (using the 1.3 rolling release).

At the moment I'm noticing 2 things.

  1. I'm missing the auto shutdown new neighbors option; has it moved somewhere else that I'm missing? I found the command still exists if I look it up in vtysh, but that doesn't seem to do anything if I try it.
  2. Network-import-check doesn't seem to be working; it was trying to re-announce a full table without a route-map in place because it went straight online after I created it.


OTV implementation with multi-homed data centers.

Has anyone ever implemented OTV? And if so were those geographically separated data centers multi-homed? So that each data center could route for the single VLAN? Or is that even possible?



Industrial networking resources? Who is the leading standard for OT learning from an IT perspective?

I just recently started working for a processing plant/OT network and would like to learn the foundations of it. There seems to be a convergence between the two happening as a current trend. I wanted to take the Cisco Industrial Networking Specialist cert but it has been retired.

I cannot find any training resources on this. For any IT administrators in the field of OT/SCADA, what are good resources for me? Is there a standard certification for OT learning from an IT perspective?

Thanks



RJ45 IP POE Cam issues

Does anyone know any obvious reason why a cat5 cable I have installed works when I connect via a cat5 faceplate and patch cable at both ends, but not when I connect my own RJ45 jacks which then go on an RJ45 directly into my NVR and camera? I have tried reterminating both ends over and over and believe the colour code is correct. It is for a Hikvision NVR and PoE camera.

The cable even works as a standard Ethernet cable in my PC, and I used method B. Attached picture; am I being stupid and done the RJ45 back to front or something?

I have tested for continuity etc.



Need some help diagnosing some issues WFH

So I will try to be as descriptive as possible but minimal to avoid releasing information. I WFH and have a ton of disconnections with Cisco Finesse. I am behind a Cisco Meraki firewall that the company has provided. But Finesse disconnects all the time! I am on a FiOS connection, but I don't use Frontier's hardware. I run my own hardware: an ER-X 5-Port from the ONT on CAT6 terminated by myself. No security, aside from what's in the company's hardware firewall. Since I really don't have much access to the Cisco server logs, is there anything I can do from my side using Wireshark to determine the cause of the issue?

Edit: Work cannot seem to identify the issue; they believe it's my ISP, but several of us are having the same issues, and they are on Spectrum as well.



What labelling scheme do you use to label workstations?

Hello,

Is it a good practice to label workstations? If so, what is an appropriate labelling scheme that each workstation should have?

All I can think of at the moment is something along the lines of W001, simply labelling each workstation numerically with a prefix of "W" for "workstation". Is there any additional information that I should add?

I thought about adding a location, but I would prefer to label each workstation with an integer and document the location in a separate document to avoid having to constantly change the label/workstation name if the workstation gets moved.

Thank you.



Network segmentation is required in 2020 ?

Since I started my career in networking, I always find myself in a difficult place to answer why I am going to great lengths to segment managed and non-managed end user devices and run them through a basic L4 inspection engine (this is not IDS/IPS, just basic SPI with permit and deny rules). Wondering how practical this type of architecture is these days when tons of OS-based IDS exist?



DMVPN routing headache

Hi,

I'm trying to set up a DMVPN topology but I ran into an issue and I couldn't find the root cause.

I have to say that I'm fairly new to DMVPN, even though I'm used to the underlying technologies (GRE, IPSec, ...).

Basically, here is my topology (simplified):

*************** LAN ********************//*********************WAN*********************

Server--------------(Cat6880)-----------------(Cat9500)--------(Internet)-------------(Telco NAT)-----------(ISR1111 LTE)

Server has public IP address.

Cat9500 is the Hub and has a Loopback with a public IP Address.

ISR1111 is the spoke and has a Private assigned IP from the provider, which is NATed at the provider side.

I've set up my tunnel between the Cat9500 Hub (from a Loopback with a public IP address) and the ISR1111 LTE spoke (from its physical Cellular interface, which is private and later NATed by the provider).

On both sides, I can see that ISAKMP (with the telco public NATed IP) and the IPSEC SA (with the telco private assigned IP) are UP; the GRE tunnel is also UP.

I have OSPF running everywhere, redistributing connected routes (except the Cellular one, to not face a chicken-and-egg tunnel issue).

OSPF neighborship is also doing great through the tunnel.

I checked the routing table everywhere, everything looks absolutely fine.

From the Hub to the Spoke (and vice versa), I can ping any IP of the destination router from any local IP, either the tunnel IP or any loopback, SVI, etc.

So it really looks like everything is fine.

However, when I try from the Spoke to reach something farther than the Hub (for example the Server), nothing works.

When I run an ICMP from the ISR1111 (Spoke) to the PublicIPServ, I can see on packet captures that it actually arrives at the server, and the reply leaves the server, but never arrives at the destination.

When running an MTR from the server to the Spoke, it stops at the Hub.

I've triple checked everything regarding routing, everything looks absolutely good.

Is there anything obvious that I'm missing? Or particular with DMVPN tunnels?



directly connected routes and OSPF crashes

Hi, I'm just double checking my understanding of OSPF.

When an interface in R1 with OSPF enabled (e.g. "network" statement on IOS) goes down, R1 sends an LS Update and its neighbors remove that route from the routing table. So far so good.

If we enable OSPF on the links between neighbors (say R1-R2, 10.0.0.1/30), that directly connected route will not disappear from R2 until that link is actually down. As that link goes down, the directly connected route disappears from R2, and R2 will update its OSPF neighbors accordingly. As a result, any of R2's neighbors (say R3) will remove the route to 10.0.0.1/30 from their routing tables.

Now, let's say the OSPF process on R1 crashes.

R1 cannot advertise anything. R2 realizes its neighbor is down and will update its neighbors accordingly. Therefore, any route that was previously advertised by R1 gets removed from the routing tables.

However, because the link R1-R2 is still up, R2 will still keep its directly connected route to R1.

In this case, when will R2 stop advertising the directly connected route? I think never, because that link is still up/up, but I'm not sure. Am I right?

Just to be clear, this is not homework (I'm past college...) and I tried finding an answer on RFC2328 but didn't find any (maybe I just missed that?). If there is indeed nothing in the RFC about this, is it a vendor-dependent behavior?



Opendaylight and mininet

Hey guys, anyone familiar with this error? I'm trying to access OpenFlow Manager via an SSH connection between mininet and the ODL controller. Error: cannot load topology data from controller, check connection settings in config



Netgear M4300-48x switch stacking

Hi, I have 2 Netgear M4300-48X switches and I'm looking to stack them. However, I'm concerned about the bandwidth between the two switches since there will be a lot of traffic between the two. My question is: does adding extra ports as stack interfaces increase the bandwidth linearly? Aka, if I use 8 10Gb ports between the two switches in the stack, will my bandwidth between the two be 80Gb?



Issue with Performance on VDSL connection

Hello, as the title says. Show controllers vdsl0/0/0 shows the attainable rate as 60+mbits.

However, looking at the Ethernet interface, it shows the bandwidth to be only in the order of 8mbits, not sure if this is a red herring.

Could someone let me know how these 'talk' and what I can check to look for issues.

I am getting about 11 megs on speedtest.net. With ISP router I get the full 60+

https://pastebin.com/u72BUyTL, Any help would be appreciated



Connectivity between data centers

With the increasing bandwidth requirements for video, etc. How are companies handling interconnects between their data centers? Let's say a company needed 400Gb between data centers. Do the telecom carriers provide 400Gb wavelength services in the real world? I find a lot of articles on theoreticals, or future technologies coming down the pike, but can't find much detail on what's happening now in the real world. I appreciate any insight!



How can I set an Adtran virtual lab so I can practice and improve my skills?

I don't think EVE-ng supports AOS, but it would be nice if I could play around with it in a multi-vendor topology. Any ideas?



Route table change tracking and diff'ing

I've run into a situation where I need to track route table changes on a few Cisco devices over time. I'm curious how others have approached this.

I have a running Rancid implementation which I think would be great if I could get it to additionally collect a 'show ip route' for specific devices and keep revisions for diffs like it currently does for configs.

It seems some others have been down this road before

Someone even wrote a patch for an older version of rancid to do this. Unfortunately I'm using rancid 3.11 and struggling to sort out how to get similar functionality with my version.

It seems I could define a new device type in rancid.types.conf, but that's not panning out for me either. Which in all honesty could be due to my ineptitude.

I did search around here too. Some others here have asked similar questions. Answers were provided to some degree, but they all essentially come down to "just run a script to get the tables and then diff 'em".

eg:

- Routing table change - monitoring.

- route table compare

For those unfamiliar, this is precisely what Rancid does (collect configs, save revisions for diffing) in an already well developed package.

I'm not particularly married to the idea of using rancid; I just keep mentioning it because it does seem like it would be viable for this use case.

Perhaps there are better tools for the job I'm missing, or someone who's more familiar with Rancid who could point me in the right direction?

I know with perl, expect, python... I thought it made sense to ask the experts here before I just end up crafting a NetMiko python script and cron'ing it to run periodically.

Thanks in advance for an awesome sub with great contributors.

Always enjoy reading what others are up to and solutions they come up with.



Anyone having used authentication-based Bluecoats in AWS, behind ELB, with by-pass of systems not supporting auth?

Ran into an issue associated with a recent attempt to leverage an on-prem solution, tactically, by duplicating the functionality in AWS (while in the process of migrating DC svcs into the cloud): the on-prem egress Internet access happens via Bluecoats, with authentication, behind F5, and by-pass (where auth is not possible) via X-Forwarded-For headers + whitelisting of IPs belonging to systems not supporting auth, on the Bluecoats.

The AWS solution leveraging ELB fails to provide the necessary functionality for X-Forwarded-For headers when servicing Bluecoats. Any similar experience / ideas on how to resolve this, short of standing up F5 in AWS?



Firepower 2130 running ASA

What software version are you all running? We are looking for a stable release. Cisco's recommended releases are all interim releases.

Our company is currently running 10 ASA 5510 across the globe and they are currently running great. But there's been a mandate from above to upgrade to Firepower 2130. So we already purchased 10 units to replace.

It's been a slow process because the first site we migrated has been a total nightmare. Dropping multicast packets, constant power cycling. Just recently we took it out of service to upgrade the firmware from 9.8.2 to 9.8.4.26. Then Cisco just recently came out with 9.8.4.29 and we decided to install that, but .29 seems to be buggy as well, so we rolled back to .26. I can't go into all the details of the bugs, but the major ones are the multicast module hanging, FXOS failing ftp/sftp/scp/tftp downloads at 85%, and random power cycling on the standby unit.

I'm wondering if any of you currently have Firepower 2130 running ASA, and what software version you are running. And is it stable? We already have 10 Firepowers purchased and it is too late to return them.

Thanks in advance.



Cool Emotional Intelligence Messaging Tool

Hi Everyone,

Like many of you, I am often busy with constant interviews, coffee chats, and work. I realized that I spend a non-trivial amount of time every day proofreading emails and Slack messages to make sure I come off the right way.

I wanted to share a tool called Kairos. Kairos tries to bring emotional intelligence into messaging. As part of its free beta, the team provides custom messages written by professional copywriters for FREE.

If you need help with your messages, just submit a request on the website, and a professional copywriter will generate a custom response for you in minutes.

Attached is the link to the website: https://trykairos.launchaco.com/

Thank you, and I hope you have a good day.



Need some help finishing this network

Hey all,

I am the IT dude for a midwest USA fire department. Our station is badly in need of good quality wifi that covers the entire station and doesn't drop out all the time. When I took over as IT it became one of my goals to work on, and I think I am about done; however, I am good enough with computers to get in trouble but I'm no network engineer. Our department is completely volunteer, but we are rather busy as volly depts go. We have a cadre of officers who regularly work from the station and a program where college kids live at the station as residents and respond to calls but also do lots of school (especially now with COVID) at the station and require a functional internet connection.

I started digging into the network and found some issues which, from what I have found, are causing most of the problems.

  1. The distance from the modem to the main comm room with the main router is well over 200 ft in Cat5E and runs through the bays where all the trucks and radios are (lots of interference)
  2. Access points are a linksys velop system, we have 6 APs strung around the building. They are decent but can't handle the number of devices (easily 50+) on the network at one time.
  3. The network controller is simply the velop base station... It isn't enough to run the station during larger events. (we often host classes and large events that could add an extra 50 devices to the network for the duration)

I have a few solutions to the problems listed above.

I recently discovered that when the station was built a fiber line was installed from the west room to the central comm room. I've had a local tech company terminate and install SFP ends on it. I want to get a UniFi Dream Machine Pro installed in the west room, then use the fiber line to the comm room where I will put a 48 port Ubiquiti switch. I am familiar with Ubiquiti; I use their stuff in my own home but it is obviously a lot less complicated.

In conjunction with using the Ubiquiti system, I plan on getting 6-7 APs to spread across the bays (2), the office areas (3), and the dorms/dayroom (1-2).

My questions are:

I know very little about fiber and working with it. Lots of youtube is helping that. The lines have been terminated to this connector (photo link). What module do I need to place in between these and the Ubiquiti appliances?

I can't make up my mind about the exact access points I will be using; finances are a concern but I have been given the green light to just get it working. I am going between a combination of Flex HDs, AP AC LRs, and AC Mesh APs. I have the plans in the Ubiquiti design center. If there is someone who would be willing to look at them, I can share screenshots.

For the time being, I want to get the appliances in; we will continue to use the Velop system for wifi, and near the beginning of the year (Government budgets...) I will be green-lighted again to upgrade all the station APs.



Friday, November 6, 2020

Dell s4810p cannot set the management-route

Using this command:

management route X.Y.Z.0 /24 A.B.C.1

In my flat network I use management route 10.0.0.0 /24 10.0.0.1 (default route).

I've also tried management route 10.0.0.0/24 managementethernet, which appears to take, but it doesn't show up when I run show run management-route.

With the first line it gives an error that the IP address is not on the same subnet as the management interface.

Management is set at 10.0.0.22/24.

Any help here would be appreciated.

Thank you



Manufacturing VLAN Question

VLAN newbie here. Currently I don't have any VLANs set up on my network.

I know I need to, but I need some tips or clarification on how and why this should be done.

Here is my scenario:

I have a few manufacturing devices that are running an Embedded Windows OS.

These devices need to communicate with a Windows Server VM that has a software called Ignition installed on it and our DC for Authentication. In turn that Ignition VM needs to communicate with our production SQL VM.

If I put the embedded device in a VLAN (to keep it off the production network) but use inter-VLAN routing to allow it to communicate with my production VMs... what good does that do?

If it gets infected, it will still infect the production VMs, right? What am I missing? In theory VLANs make sense, but when I try to put this into play, it just does not make any sense.

Is there a way to only allow certain types of traffic across the VLAN?



Alerting tool for ElasticSearch?

I have all my SNMP metrics, logs, and netflow going into Elasticsearch, and visualized with Kibana.

One problem with this approach is putting alerts for certain devices into "maintenance mode".

I believe Prometheus Alertmanager has a way to mute alerts based on a filter ("for alert X, mute if device=Denver*"). It doesn't look like Kibana has this option, just the option to mute an entire alert.

Is there an alerting platform that can create alerts based on Elasticsearch queries, and silence/mute based on an additional query filter?



IOS XE Log files do not have the username of a failed auth attempt

I posted this in /r/cisco as well, but I thought posting it here might improve my chances. If it doesn't belong here, I'll remove it.

I'm trying to finish setting up my syslog server and I'm noticing that my IOS XE switches do not log the username of the failed auth attempt. The log message reads "Login Failed [User:] [Source: 192.168.1.2] [LocalPort: 22] [Reason: Login Authentication Failed]"

Am I doing something wrong here? It's obviously getting logged, just not what username was attempted.
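A parser for the bracketed key/value format of the quoted log line, with a per-source failure count so a burst of username-less failures from one address is still visible on the syslog server. Added example, not from the post; the sample lines are constructed in the post's format and the alert threshold is an assumption.

```python
"""Parse IOS XE 'Login Failed' syslog lines and count failures per source IP.

Added example, not the poster's configuration.  SAMPLE_LOGS is constructed
in the bracketed [Key: value] format quoted in the post; the threshold used
by sources_over() is an assumption, not a vendor default.
"""
import re
from collections import Counter

# Constructed sample lines; note the empty [User:] field the post describes.
SAMPLE_LOGS = [
    "Login Failed [User:] [Source: 192.168.1.2] [LocalPort: 22] [Reason: Login Authentication Failed]",
    "Login Failed [User:] [Source: 192.168.1.2] [LocalPort: 22] [Reason: Login Authentication Failed]",
    "Login Failed [User:] [Source: 192.168.1.2] [LocalPort: 22] [Reason: Login Authentication Failed]",
    "Login Failed [User: admin] [Source: 10.0.0.7] [LocalPort: 22] [Reason: Login Authentication Failed]",
    "Interface GigabitEthernet1/0/1, changed state to up",   # unrelated line, must be skipped
]

# One bracketed field: "[Key: value]" or "[Key:]" (empty value).
FIELD_RE = re.compile(r"\[(\w+):\s*([^\]]*)\]")


def parse_login_failed(line):
    """Return the fields of a 'Login Failed' line as a dict, or None for other
    messages.  An empty [User:] field is returned as an empty string rather
    than dropped, so the event is still counted against its source."""
    if "Login Failed" not in line:
        return None
    fields = {key: value.strip() for key, value in FIELD_RE.findall(line)}
    port = fields.get("LocalPort", "")
    return {
        "user": fields.get("User", ""),
        "source": fields.get("Source", ""),
        "port": int(port) if port.isdigit() else None,
        "reason": fields.get("Reason", ""),
    }


def failures_by_source(lines):
    """Count failed logins per source address across a batch of log lines."""
    counts = Counter()
    for line in lines:
        event = parse_login_failed(line)
        if event is not None:
            counts[event["source"]] += 1
    return counts


def sources_over(lines, threshold=3):
    """Source addresses with at least `threshold` failures (threshold assumed)."""
    return sorted(src for src, n in failures_by_source(lines).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in failures_by_source(SAMPLE_LOGS).most_common():
        print(f"{src}: {n} failed login(s)")
    print("over threshold:", sources_over(SAMPLE_LOGS))
```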



Untagged VLAN in EVPN+VxLAN issue

I am dealing with a very strange issue but wanted to check with experts if I am doing anything stupid or not. I have a small EVPN+VxLAN Clos network (OSPF+iBGP+Multicast+ARP-suppression (no anycast gateway) in my setup), very standard configuration. My leafs are in vPC for redundancy. My leafs are connected to an HP c7000 bladecenter switch 6120XG.

Network Diagram: https://ibb.co/KzPXCQL

Problem: On the blade server I have two 10G NICs (nic1 connected to blade-switch-A and nic2 connected to blade-switch-B), so I have configured active-backup bonding because the 6120XG doesn't support MLAG. Everything is working great at this point. I have a Linux PXE kickstart server and I have dedicated VLAN 70 for PXE, which I have untagged on the 6120XG switch (because PXE doesn't support VLAN tagging). When I reboot the blade server and go to PXE boot to kickstart, I can see my PXE get an IP address from DHCP, but after that it stops pinging that IP and kickstart fails saying no network connection (in short, I can't ping that PXE IP).

I have all my VLANs/VNIs configured for arp-suppression. If I remove arp-suppression for the PXE VLAN/VNI then everything works; PXE is successfully able to kickstart all my servers, but as soon as I add arp-suppression it stops working. Any idea how EVPN+VxLAN handles untagged VLANs?

Leaf NVE1 interface config

interface nve1
  no shutdown
  description ** VTEP/NVE Interface **
  host-reachability protocol bgp
  source-interface loopback1
  member vni 10064
    suppress-arp
    mcast-group 239.1.1.1
  member vni 10065
    suppress-arp
    mcast-group 239.1.1.1
  member vni 10070
    suppress-arp          <---------- if I remove this, PXE works.
    mcast-group 239.1.1.1
  member vni 10100
    suppress-arp
    mcast-group 239.1.1.1
  member vni 10555 associate-vrf

Bladecenter switch untagged VLAN 70

vlan 70
  name "pxe"
  untagged 1-16
  tagged Trk1
  no ip address
  exit


resources for learning to use repositories for network configurations

I've realized that I need to learn how to properly use repositories like Git in order to better manage configurations of devices if I want to really get into network automation. I have no experience using them today, so I'm coming in from a beginner level. Does anyone have recommendations on good resources to start with, and perhaps stuff targeted more specifically at network infrastructure (routers, switches, firewalls, etc.) configuration management?



identifying what is actually using CDN traffic

We manage WAN and internet connectivity for a number of clients, and as I'm sure plenty on this forum have run into before, we see lots of traffic from CDN networks like Akamai. Whenever there is congestion on a link and we check netflow (we use SolarWinds), there's a pretty good chance there will be a good amount of traffic going to CDNs. We're well aware that CDNs are hosting all sorts of content. But ultimately, when there is high bandwidth usage and the flows are full of Akamai destinations, the clients start asking us to help identify what the traffic is. Unfortunately, I have yet to find a good way to really help clients identify the actual use of this traffic, such as being able to say "oh, that's Adobe updates" or "that's Facebook traffic" or whatever may be getting hosted by Akamai, since it's all encrypted and it all just shows up in netflow as whatever CDN.

The only thing I have really come across is Plixer having some sort of solution that claims to be able to analyze traffic to determine what it's actually for. Are there any other methods, tools or solutions out there for identifying the actual CDN traffic?



Proprietary Spectrum Modem / Router and Static IPs

Hey everyone,

I've been building out a new site, and I'm attempting to get a secondary tunnel established over a Spectrum Business connection. I've bought a /29 and have a few devices that will be in this subnet. Normally I would install an edge switch and have all of my public facing devices connected here as one would expect. However, as I've just discovered, Spectrum has done a whole revamp of Spectrum Business and has these new proprietary modems and routers that don't have the configuration available I would expect to see.

Before I ask my question, I've called into their Tech Support line twice now and they have no idea what I'm asking about, so I'm hoping someone here has run into this and can point me in the right direction on what I need to ask them for specifically.

If I have their Spectrum Router directly connected to the modem, it will receive an IP within the range I've purchased. However, if I put my switch inline between the modem and their router it receives a DHCP address within an entirely different subnet instead. My own devices connected to the switch are unable to reach the gateway of the subnet I've purchased, however as a test if I change their WAN ports to DHCP they do get an address and can route to the internet.

Has anyone run into this or a similar issue? I've asked them if their upstream device has a MAC ACL or something that dumps the static config if it doesn't detect their router directly connected to the modem, but they have no idea. I would put their router in bridge mode if I could, but that does not appear to be a configuration they provide with these proprietary devices.



Hosted EVE-NG vs GNS3 (EVPN VXLAN)

Our team wants to get some early hands-on in building our first EVPN/VXLAN fabric on Arista, Juniper and Cisco and rather than screw around trying to get an EVE-NG/GNS3 environment setup, came across the hosted option of cloudmylab.com.

Does anyone have experience in working with them? If possible, we'd like to be able to share configs, but give every engineer their own environment to play with. If money were no concern, would you pick GNS3 hosted, or EVE-NG hosted, or still build your own? Why?

Thank you!



Network router with firewall

I want to block all in- & outgoing traffic to my security cameras and other iot devices that do not need to talk to the outside world.

I am not a pro in networking, so I would ideally not want to set up segmentation and VLANs, because that would be way too big of a project for me to wrap my head around.

I am looking for a router or hardware firewall that can block all traffic in and out from specific local IPs. I hoped someone could help me find a suitable device that is able to do as I would like. I read that a TP-Link router would be able to do so with ACL, but that was a very old post and the router could only handle 120 mbps. So I instead bought a newer TP-Link router that said it had ACL, but this one could only block device mac addresses to not connect to the network at all, so that was a waste of money...

Hopefully someone here can help and I am asking at the right place.



Basic Routing question

Hello,

Is there a way to route between 2 layer 2 interfaces only via the VLAN interfaces?



QOS Shaping and queue | Class drops w/out congestion

Hi Guys,

I would like to ask what would be the cause of drops under a specific class (for example q-crit) even though there is no congestion happening. Most of the traffic being matched or used on this q-crit is TCP.

interface GigabitEthernet1/1
 service-policy output shaping-out
!
policy-map shaping-out
 class shape-v
  police 8000 conform-action drop exceed-action drop violate-action drop
 class shape-m
  police 8000 conform-action drop exceed-action drop violate-action drop
 class class-default
  shape average 10000000
  service-policy output-queue
!
policy-map output-queue
 class q-voip
  priority percent 35
 class q-vid
  bandwidth remaining percent 36
  random-detect dscp-based
 class q-crit
  bandwidth remaining percent 35
  random-detect dscp-based
 class q-sig
  bandwidth remaining percent 9
 class q-bulk
  bandwidth remaining percent 15
  random-detect dscp-based
 class q-sger
  bandwidth remaining percent 1
  random-detect dscp-based
 class class-default
  bandwidth remaining percent 4
  random-detect dscp-based

LOGS:

Class-map: class-default (match-any)
  281235753 packets, 169972732763 bytes
  1 minute offered rate 2672000 bps, drop rate 3000 bps
  Match: any
  Queueing
  queue limit 64 packets
  (queue depth/total drops/no-buffer drops) 0/2811876/0
  (pkts output/bytes output) 278376134/167782760950
  shape (average) cir 10000000, bc 40000, be 40000
  target shape rate 10000000
  Overhead Accounting Enabled
  Service-policy : output-queue
    queue stats for all priority classes:
      Queueing
      queue limit 512 packets
      (queue depth/total drops/no-buffer drops) 0/14/0
      (pkts output/bytes output) 6256268/1179379084

    Class-map: q-crit (match-any)
      124995944 packets, 116048365542 bytes
      1 minute offered rate 866000 bps, drop rate 0000 bps
      Match: ip dscp af31 (26) af32 (28) af33 (30)
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/132908/0   <-- Drops
      (pkts output/bytes output) 124863036/115877406581
      bandwidth remaining 35%
      Exp-weight-constant: 9 (1/512)
      Mean queue depth: 0 packets
      dscp   Transmitted             Random drop    Tail drop        Minimum  Maximum  Mark
             pkts/bytes              pkts/bytes     pkts/bytes       thresh   thresh   prob
      af31   15254083/2341204955     43/5686        676/78391        28       32       1/10
      af33   109608953/113536201626  4219/5874580   13456/18535019   20       32       1/10

    Class-map: q-crit (match-any)
      125203698 packets, 116222904682 bytes
      1 minute offered rate 921000 bps, drop rate 0000 bps
      Match: ip dscp af31 (26) af32 (28) af33 (30)
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/132918/0   <-- Drops
      (pkts output/bytes output) 125070780/116051933227
      bandwidth remaining 35%
      Exp-weight-constant: 9 (1/512)
      Mean queue depth: 0 packets
      dscp   Transmitted             Random drop    Tail drop        Minimum  Maximum  Mark
             pkts/bytes              pkts/bytes     pkts/bytes       thresh   thresh   prob
      af31   15278539/2344989282     43/5686        676/78391        28       32       1/10
      af33   109792241/113706943945  4229/5887074   13456/18535019   20       32       1/10   <--- DROPS INCREASING

Question:

  1. Please help me to understand the above "shaping-out" policy. So currently we are limiting approx. 10mb of data traffic and the queue policy is applied also... Then if congestion takes place in the outbound direction, I still have 36% of 10m and 35% of 10m that will be allocated to class vid and voip, for example, before dropping the packets? Is the below computation correct?

Computation:

q-crit 35% = 3.5m will be allocated for queuing / q-voip 36% = 3.6m will be allocated for queuing.

  2. Regarding the drops seen on q-crit: is this due to microbursts?

  3. How can we possibly eliminate the drops in the q-crit class and protect the data under this class?

  4. Should we adjust q-crit to properly tune this? What would be the advantages of it, and the effect on the other queue classes?

Thanks in advance and hoping you can shed some light regarding the QOS method.
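As an added example (not the poster's code), here is a small parser for the two q-crit snapshots quoted above that turns the counters into the figures the questions ask about: the class's share of the 10 Mbps shaper from "bandwidth remaining 35%", the lifetime drop ratio, and the change between the two snapshots. The sample text is constructed from the numbers in the post; computing the share against the full CIR is the same simplification the post makes (bandwidth-remaining is really a share of what is left after the priority queue).

```python
import re

# Constructed sample: two successive "show policy-map interface" snapshots of
# the q-crit class, with the figures taken from the output quoted in the post.
SAMPLE_1 = """\
Class-map: q-crit (match-any)
  124995944 packets, 116048365542 bytes
  1 minute offered rate 866000 bps, drop rate 0000 bps
  queue limit 64 packets
  (queue depth/total drops/no-buffer drops) 0/132908/0
  (pkts output/bytes output) 124863036/115877406581
  bandwidth remaining 35%
"""
SAMPLE_2 = """\
Class-map: q-crit (match-any)
  125203698 packets, 116222904682 bytes
  1 minute offered rate 921000 bps, drop rate 0000 bps
  queue limit 64 packets
  (queue depth/total drops/no-buffer drops) 0/132918/0
  (pkts output/bytes output) 125070780/116051933227
  bandwidth remaining 35%
"""

SHAPE_CIR_BPS = 10_000_000  # "shape (average) cir 10000000" on the parent class

_NAME = re.compile(r"Class-map:\s+(\S+)")
_DROPS = re.compile(r"total drops/no-buffer drops\)\s+(\d+)/(\d+)/(\d+)")
_OUT = re.compile(r"\(pkts output/bytes output\)\s+(\d+)/(\d+)")
_REM = re.compile(r"bandwidth remaining (\d+)%")
_OFFERED = re.compile(r"offered rate (\d+) bps")


def parse_class(text):
    """Pull the counters of one class-map block into a dict."""
    return {
        "name": _NAME.search(text).group(1),
        "total_drops": int(_DROPS.search(text).group(2)),
        "pkts_output": int(_OUT.search(text).group(1)),
        "bw_remaining_pct": int(_REM.search(text).group(1)),
        "offered_bps": int(_OFFERED.search(text).group(1)),
    }


def guaranteed_bps(cls, cir_bps=SHAPE_CIR_BPS):
    """Class share of the shaper computed against the full CIR, as the post
    does (assumption: ignores what the priority queue takes first)."""
    return cir_bps * cls["bw_remaining_pct"] // 100


def drop_ratio(cls):
    """Lifetime drops as a fraction of everything offered to the class."""
    return cls["total_drops"] / (cls["total_drops"] + cls["pkts_output"])


def delta(before, after):
    """Drops and packets added between two snapshots of the same class."""
    d = after["total_drops"] - before["total_drops"]
    p = after["pkts_output"] - before["pkts_output"]
    return {"new_drops": d, "new_pkts": p, "drop_ratio": d / p if p else 0.0}


if __name__ == "__main__":
    c1, c2 = parse_class(SAMPLE_1), parse_class(SAMPLE_2)
    print(c1["name"], "guaranteed bps:", guaranteed_bps(c1))
    print("lifetime drop ratio: %.6f" % drop_ratio(c1))
    print("between snapshots:", delta(c1, c2))
```

Run against the post's two samples it reports a 3.5 Mbps share, a lifetime drop ratio of about 0.1%, and only 10 new drops out of roughly 208k packets between the snapshots, which is the kind of figure worth trending before changing the policy.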



WAN & MAC router addresses

Hi! So I'm a student and I live in the university dorm. The person responsible for the campus's internet asked me for my router's WAN address. My question is: can he hack my devices if I gave it to him, and why would he need it in the first place? Because from what I know he might need the router's MAC address but not the WAN address. I don't actually know what they represent, tbh, but I tried to read some information about them on the internet and still didn't quite understand. Any help is appreciated, thanks!



ISC DHCP - Option 82 filtering

Hello,
I need help with option 82 parsing in ISC DHCP. We pushed the AVP "Framed-pool" from the Radius server to the BNG/DHCP relay. It successfully adds this suboption to the DHCP discover/request.
From the BNG, DHCP requests are relayed in this format:

DHCP options:

[82] Relay agent information: len = 45

[1] Circuit-id: ced-BNG|273|GRP-3921|pw-3921:0

[9] Vendor-Specific info: len = 11

Enterprise [6527] : len = 6

[13] dhcpPool: test

I need to use suboption 13 (dhcpPool) for pool selection/static reservation. But all my attempts failed.
Does anyone have experience with that? Thank you.
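As an added example (not the poster's config, and not ISC DHCP code), the option 82 value above can be decoded by hand to see exactly what a pool-selection rule has to match on: suboption 1 is a plain TLV (RFC 3046), and suboption 9 is the RFC 4243 vendor-specific layout, a 4-byte enterprise number, a 1-byte length, then its own TLVs. The bytes below are constructed from the dump in the post (Circuit-ID of 30 bytes plus the enterprise 6527 block gives the 45-byte total the relay reports); `select_pool` and the default pool name are illustrative.

```python
import struct

def _tlv(code, payload):
    """One code/length/value suboption."""
    return bytes([code, len(payload)]) + payload

# Constructed from the post's dump: [1] Circuit-id, then [9] Vendor-Specific
# carrying Enterprise 6527 with a single sub-suboption [13] dhcpPool = "test".
_CIRCUIT_ID = b"ced-BNG|273|GRP-3921|pw-3921:0"
_VENDOR_DATA = _tlv(13, b"test")
_VENDOR = struct.pack("!IB", 6527, len(_VENDOR_DATA)) + _VENDOR_DATA
OPTION_82 = _tlv(1, _CIRCUIT_ID) + _tlv(9, _VENDOR)   # len = 45


def parse_relay_agent_info(data):
    """Split an option 82 value into {suboption_code: bytes} (RFC 3046 TLVs).
    Raises ValueError on a length that runs past the end of the option."""
    subs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated suboption header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("suboption %d runs past end of option" % code)
        subs[code] = value
        i += 2 + length
    return subs


def parse_vendor_specific(value):
    """Decode suboption 9 (RFC 4243): [(enterprise, {subsub_code: bytes}), ...]."""
    out, i = [], 0
    while i < len(value):
        if i + 5 > len(value):
            raise ValueError("truncated enterprise header")
        enterprise, dlen = struct.unpack_from("!IB", value, i)
        i += 5
        chunk = value[i:i + dlen]
        if len(chunk) != dlen:
            raise ValueError("vendor data runs past end of suboption")
        out.append((enterprise, parse_relay_agent_info(chunk)))  # same TLV shape
        i += dlen
    return out


def is_well_formed(data):
    """True when every length field in the option is consistent."""
    try:
        for _, _ in parse_vendor_specific(parse_relay_agent_info(data).get(9, b"")):
            pass
        return True
    except ValueError:
        return False


def select_pool(option82, enterprise=6527, subsub=13, default="default-pool"):
    """Return the pool name from sub-suboption `subsub` of `enterprise`, or a
    default when it is absent (names here are illustrative, not ISC syntax)."""
    subs = parse_relay_agent_info(option82)
    for ent, fields in parse_vendor_specific(subs.get(9, b"")):
        if ent == enterprise and subsub in fields:
            return fields[subsub].decode("ascii", "replace")
    return default


if __name__ == "__main__":
    print(len(OPTION_82), parse_relay_agent_info(OPTION_82)[1].decode())
    print("pool:", select_pool(OPTION_82))
```

The point of decoding it this way is that the pool name sits two levels down: a rule that matches on the whole of suboption 9 as a string has to account for the 5-byte enterprise header and the inner code/length bytes in front of "test", and a relay that truncates the option should be rejected rather than matched on a partial value.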



SSH access to switch with VTY password

I would like to know how it's possible to log in with PuTTY (SSH) to a (Cisco) switch without having a user configured, but instead using the password set on the VTY line. I tried to Google it but didn't find many results, and I'm kind of new to networking, so I hope someone can help.



Radio Link Protocol (RLP)

Does anyone know an application that can play an RLP stream / read the rlp:// URI scheme?



Thursday, November 5, 2020

New NIST whitepaper on Zero Trust Architecture

I just discovered https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf which was released 8/2020. It's the (US) National Inst. of Standards & Tech whitepaper / introduction on Zero Trust Architecture. I thought it was useful and actually informative without being vendor sponsored.



What are you guys doing for users in China?

We recently expanded into China; our users currently connect via an always-on GlobalProtect client which utilizes split tunneling. Users are complaining about not being able to watch YouTube links. I can't find definitive info regarding whether backhauling internet to our home base in Canada breaks any Chinese laws. It makes sense to me that if we have employees working and living in China they would need to adhere to Chinese law; is this an issue?



Load balancing via the network - VRFs, route-leaking, PBR, and NAT

Hi everyone,

I'm in the early stages of network design for a new application which my team will be hosting. Due to the latency needs of the application we are opting to implement the application-specific load balancing (for lack of a better term) within the network infra itself rather than use a dedicated solution like an L7 load balancer (HAProxy, F5, etc). We have come up with a few ways to accomplish this, but I'm having a disagreement on which is the best solution to move forward. I'm hoping for some clarity on these design decisions as I am possibly missing something here.

For the network infrastructure we will be going with a spine/leaf architecture using eBGP between all switches and servers. Customers (and various service providers) will have cross connects with us onto a set of leaf switches (customer leaf) peering via BGP and the application servers will be connected to another set of leaf switches (application leaf) with routing on the host, peering via BGP using FRR.

The basic premise is that we want to have all of our customers connect to a single IP address, with the actual destination being spread out across a number of servers connected to the fabric. There is an element of network automation here which involves dynamically moving customers between application servers based on application configuration that may or may not be relevant to this conversation (I can expand upon this more if needed but don't think it matters for the design decisions). So far we have discussed 3 ways to accomplish this at the network level and are in disagreement on which is the best solution.

 

Solution 1: VRFs spanning the entire fabric with route leaking at customer leaf

The idea would be to have each customer peering in its own VRF (2x BGP sessions per VRF, likely with a couple hundred unique customers connecting at max) as well as each single application server peering in its own individual VRF (one BGP session for each, with these application servers being used as the destination of the "load balancing"; say 20 to start). The application servers themselves will all advertise the same IP address into the fabric using a dummy device, which will be isolated into its own VRF by the application leaf switches. We would then span these VRFs across the entire fabric using 802.1q on the links between the spine/leaf switches, with each VLAN being associated with a VRF.

At the customer leaf switch we would leak the appropriate routes between the customer VRF and the VRF belonging to the application server that we want them to actually connect to, and things would route cleanly through the fabric within that specific application server's VRF.

Pros:

  • Pure routing through the entire fabric
  • Setting ourselves up to easily deal with scenarios where peers that we connect to for other services wish to advertise the same networks to us on each BGP session (currently a pain in our infra)
  • I'm fairly certain this would have the lowest latency as it is simply BGP routing end to end

Cons:

  • Potential limitation with the number of VRFs that we can use, being tied to VLAN limitations
  • As I understand it, using lots of VRFs can lead to memory issues on your switches

Disclaimer: This is my solution and I am biased towards it as it's my own, so really pick it apart if I'm overlooking something obvious. I think that using pure routing through the entire infrastructure is elegant and a breath of fresh air compared to the years of NAT/PBR cruft that our current network has accumulated and turned into an administrative nightmare.

 

Solution 2: DNAT on ingress

The second solution would be to either scrap VRFs completely or to only use VRFs for our customers we peer with. Without using VRFs we would simply peer into the default table and then DNAT based on source IP address to the correct application server that we want the customer to connect to. If we wanted each customer in an isolated VRF we would leak the routes between the customer VRF and the default table at the customer leaf switches where the DNAT would then take place.

Pros:

  • Simpler configuration, as a single change only needs to be made on the customer leaf switch

Cons:

  • I'm really opposed to using NAT as I think it's ugly and always seems to make the network more complex than using pure routing (the NAT in our current infra is a huge mess)
  • Adding latency where the NAT translation takes place

Disclaimer: I really dislike NAT. I understand its importance and where it can be used, but I personally think it should only be used as an absolute last choice in any design decision. This bias may just be because of how much of a mess our current infra is, with hundreds of NAT rules on every firewall/router which always end up causing issues as people add new rules to make something work without consideration of how NAT rules are processed, breaking 10 rules after it. Unless I can come up with some compelling reasons on why this is a bad decision, this is the way I'm being pushed to go and I'm very unhappy about it. Maybe you guys can change my mind and lighten me up to this type of design.

 

Solution 3: VRFs only on leaf switches combined with PBR

This was the original solution we came up with, and I'm not even sure it is viable. The idea would be to only implement VRFs on the leaf switches and to leak routes between customer/application VRFs and the default table as needed, with things being routed through the infrastructure on the default table. Each application server would still be in its own VRF and would advertise the same IP address into the fabric. To get customer traffic to the correct server, we would use PBR on the application leaf switches to send traffic into the correct VRF. Thinking more about this now, I'm not even sure that this would work unless all application servers were connected to the same leaf switch, since the PBR is happening all the way at the edge and traffic from the spine could potentially arrive at an application leaf switch that doesn't contain the correct application VRF...

Pros:

  • Eliminating spanning the VRFs across the entire fabric reduces the complexity of the configuration between the spine/leaf switches

Cons:

  • I'm not sure how much (if any) latency mixing in PBR would add vs using pure BGP
  • As stated above, I don't even know if this is a viable design choice given that there would be multiple application leaf switches

 

I know that the above is a lot to take in and want to thank anyone who is still reading this far. Leaving aside all of the interesting automation considerations that we are looking at to tie the application mappings to network changes (which I can explain further if it helps understand what we are trying to accomplish), what are your thoughts on the above three designs? Am I being too biased towards my own design, hating too much on NAT where it may be a sensible option in this case, or do you guys see any glaring issues that I'm missing?

 

Thank you for any advice/help!



Huge head scratcher - Remote Desktop Protocol (RDP Client) Connectivity Issues

Hopefully this is the right subreddit....

Let me preface by saying this is a domain environment, with a Windows 2016 server, all client computers running Windows 10 Pro version 2004. I will also preface that NO changes have occurred lately on the network: no software changes, firmware changes, or network appliance changes. The environment was running perfectly fine, then all of a sudden BAM... all RDP client connections to the remote server are slow and disconnecting...

Users reported having issues with RDP client trying to access remote server. When the session starts, the session is slow, sluggish, typically unresponsive with keyboard or mouse input. Then all of a sudden the session ends and the user is dropped and kicked out of the session. There are no error messages or dialog boxes, just the session ending and disconnecting. At the top of the remote window where it shows the network/server address you are remoted into, to the left is the connection bar status symbol that shows only 1 out of 4 bars white, indicating low connectivity. Clicking on the connection status symbol, it says: "The quality of the connection to the remote computer is poor and UDP enabled."

Reboots of the computers and the local server (domain controller) have taken place. A reboot of the network switch, gateway/modem, and firewall appliance all took place, twice. Network cables were swapped out with different cables. Rather than plugging network cables into wall jacks, I ran a network cable straight from the computer's RJ-45 jack directly into the network switch. Ran a network speed test: it reports a solid connection of 120 Mbps download, average 30 Mbps upload. Disabled antivirus on the local computer(s). Reviewed firewall rules, allowing incoming connections for UDP and HTTP/TCP of Remote Desktop Services. Examined and did ping tests of the remote server, and tested the network connection on the server. This all just randomly happened today. No other changes have taken place.

Does anyone have any tips at all what might have gone haywire or what may be tripping everything up? Any advice or tips would be greatly appreciated.



Does Manual URL Filtering in Firepower support Full URL filtering ?

Hi everyone,

One of our biggest clients is seeing many attacks against one of their web servers targeting a specific path. Now, the client doesn't have a URL Filtering license on their device for me to be able to use URL Filtering based on reputation and categories; that's understandable. But I read on Cisco that you can use Manual URL filtering with no license, where you can create the URL object and just add it to the policy. My question is: does it support adding a full URL path like http://xx.com/qbc/abc/des.php so that it matches when it compares the HTTP request against it?

Or does the standard license not support that, and they need to purchase the URL filtering license? I am really trying to figure out a way that they can achieve the same thing if this won't work.

Thanks

Cisco link

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/url_filtering.html#ID-2189-0000027e



Eve-ng csr1000v nodes take too long to boot

Eve-ng csr1000v nodes take too long to boot. I've had to reinstall my lab and move to Proxmox. I've tried giving them more resources and it doesn't really make a difference, but this generally isn't needed.



Packet loss pattern - VDSL

Hi All,

Seeing a packet-loss pattern pinging across a private WAN for one connection in particular. The packet loss is roughly every 20 packets when any load at all (e.g. a speedtest from a directly connected laptop) is applied to the link.

Type escape sequence to abort.

Sending 1000, 100-byte ICMP Echos to 172.16.6.18, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!.!!

!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!

!!!!.!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!

!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!

!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!.!!!!!!!!

!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!

!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!

!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!

!!!!!.!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!

!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!

!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!.!!

!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!

!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!

!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!

!!!!!!!!!!!!!!!!!.!!

Success rate is 96 percent (961/1000), round-trip min/avg/max = 15/20/99 ms

To me it seems like a policer/shaper that the link is hitting. It is not configured on our CPE or our LNS (same profile and config at 400+ other sites), so it is potentially applied by the carrier.

I don't want to pre-empt any suggestions by giving too much info, but some basics are summarised below.
> Cisco CPE (same symptom across multiple models 887, 927)
> Cisco LNS (ASR1K)
> Australian NBN - FTTN/VDSL
> Attainable Rate: 142968 kbits/s 55949 kbits/s
> Subscription: 60/20Mbps

Anyone seen such a uniform packet loss pattern on a connection like this before?

Thanks
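The "every 20 packets" impression above can be checked rather than eyeballed. As an added example (not the poster's tooling), the function below takes a Cisco-style `!`/`.` ping transcript, finds the sequence numbers of the lost echoes, and reports the mean and spread of the gaps between them; a near-constant gap is the signature of a rate-based policer or shaper rather than random loss. The transcript embedded here is constructed to drop exactly one echo in every 20, and the 0.25 regularity threshold is a heuristic I chose for illustration, not a standard.

```python
import statistics

# Constructed transcript in Cisco "!" (reply) / "." (timeout) notation:
# one echo lost in every 20, the shape described in the post.
SAMPLE = ("!" * 19 + ".") * 10


def loss_positions(transcript):
    """Return (1-based sequence numbers of lost echoes, echoes sent).
    Whitespace and line breaks in pasted output are ignored."""
    marks = [c for c in transcript if c in "!."]
    return [i + 1 for i, c in enumerate(marks) if c == "."], len(marks)


def summarize(transcript):
    """Loss count, success rate and the gap statistics between losses."""
    lost, sent = loss_positions(transcript)
    gaps = [b - a for a, b in zip(lost, lost[1:])]
    mean = statistics.mean(gaps) if gaps else 0.0
    sd = statistics.pstdev(gaps) if len(gaps) > 1 else 0.0
    # "Regular" when there are enough losses to judge and the gaps barely
    # vary: coefficient of variation under 0.25 (illustrative threshold).
    regular = len(gaps) >= 5 and mean > 0 and sd / mean < 0.25
    return {
        "sent": sent,
        "lost": len(lost),
        "success_pct": round(100.0 * (sent - len(lost)) / sent, 1) if sent else 0.0,
        "mean_gap": mean,
        "gap_stdev": sd,
        "regular": regular,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Paste the rows from a real `ping` session (including the line breaks) as the transcript; if `regular` comes back true with a mean gap that stays the same across different load levels, the loss is being metered by packet count rather than by time, which points back to a policer somewhere on the path.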



Need recommendation for VPN software

We're looking to move our AWS workload behind private IP, instead of BeyondCorp-style HTTP gateway.

We have the following requirements for VPN that would allow user access:

  1. Our sibling company uses Pulse Secure, so this must not be Pulse Secure as some people would need to have 2 VPNs on at the same time. We have no control over the sibling company's networking.
  2. I believe we need to move our network to IPv6, as most private ranges are probably in use by the sibling company. So, the VPN software should be able to tunnel IPv6 traffic (but connect over IPv4).
  3. Support macOS, Linux and Android
  4. Group ACL that allow a user to be in multiple groups (eg. group A can access service i, j, but Mr. B in the group can also access service k)
  5. Authentication with Google Account, or Certificate/User account plus 2FA
  6. We might implement device trust in the future, so having that available or in their roadmap is a big plus
  7. Only carry private traffic, no DNS/TLS eavesdropping
  8. Cloud-based would be nice, otherwise must be AWS compatible

Management wouldn't approve the HTTP gateway-style like Cloudflare Access or Pomerium, only ones that would feel like a traditional VPN from the client side.

From the list I believe Zscaler Private Access fits most of it, but I'm not sure about IPv6 support, and Linux support is non-existent at this time.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Small business trying to upgrade, care to make suggestions for upgrading?

So I have 7-8 items hooked into the back of an old router and one switch coming off the router. After moving this to a new location my speeds fell greatly; Comcast suggested getting a new router. Since I'm not relying on WiFi that didn't seem right, but IDK.

My limited knowledge tells me to ditch the router, run out from my Comcast business modem into a new, bigger switch and install an access point. Assuming that's reasonable, what would you recommend I look into? Also, would replacing my current setup screw up my existing network?

If you decide to chime in, I thank you for your time, I'm grateful.



Juniper EX3400 stops a network loop, but still causes network to crash. Was able to fix, but want advice please.

Hi everyone! Tuesday morning we had our entire network go down. It took me about 3 hours but I was finally able to trace it to a single patch cable which then led me to the damn network loop that caused the outage. Someone plugged a small switch in their cube and then the other end went back to the wall...

Anyways, I thought STP was supposed to prevent this? I looked on my switch and found storm control was enabled on the ports. It looks like it did its job because I would get intermittent pings etc. and all the switches weren't completely locked up like I have experienced in the past with loops. The issue is though that even though it SEEMED to stop the loop, we still experienced about 50% packet loss throughout the company which really screwed up almost all connections etc. except for the most basic like web surfing which just slowed to a crawl.

I did some brief research but wasn't able to find anything concrete. I apologize if this is a dumb question, but isn't the entire point of storm control or STP or whatever to prevent this type of issue? Is there more to the configuration than I thought and maybe I just need to enable some more advanced features? I was hoping it would shut down the port completely and save us but I'm not sure if switches are smart enough to know where the loop is coming from.

Any insight is appreciated. I'm curious to see how professionals handle network loops in their environment, or I would just love to hear your "fun" story! I swear about 2 hours into it I was about to have a panic attack, but eventually I just started unplugging switches until I realized the issue. I am just a lonely sysadmin, so I'm not a network guru, but I'm in charge of the whole company's infrastructure. It's about ~175 users and like 8 Junipers scattered throughout the building.

Thanks!!



Changing OpenDaylight routing algorithm

Hello all,

I am running an experiment with SDN networks. Right now, I have a running simulation of SDN switches running OpenFlow v1.3 and some hosts. I am using OpenDaylight Oxygen as the controller. I have also installed OpenFlow Manager and I can get it to work smoothly (creating flows, dropping packets, etc.).

I have reached a point in my experiment where I want to change the routing algorithm of the ODL controller. I have the web client working and I installed the Yang and DLUX features, but I don't know where to find the routing algorithm code. Can anyone help?

thanks.

Software used:

Ubuntu

Mininet

OpenDayLight Oxygen

OpenFlow Manager



Moving from MPLS campus to EVPN/VXLAN campus

Our new DC is EVPN on top of VXLAN, and one of our newest buildings has EVPN/VXLAN capable access switches too. Our campus/rest of the core is done with MPLS capable switches. I'd like to see us transition to a full EVPN/VXLAN fabric, but the other networking guy who has something to say about this has a long ISP background, so he prefers MPLS. However we do not use any TE/FRR features and not many people know how to debug MPLS networks if we had any issues. So far we haven't had any that would have been related to the MPLS part, so it's quite hard to convince him that migrating to an EVPN/VXLAN fabric would make sense :)

So any other benefits of going towards EVPN/VXLAN in the LAN side too, besides just having one set of protocols and not both MPLS and EVPN/VXLAN there? Currently the switches we use for MPLS are cheaper than the ArubaOS-CX switches with same amount of ports so the price point isn't one reason.

On the EVPN/VXLAN downsides are there any issues running something like 1500-2000 switches in the same EVPN/VXLAN fabric? Or should we somehow try to split the fabric to smaller parts? Our current MPLS setup is just VLANs from the access switches to the "PE switch" which is part of the MPLS network and the access switches are just very simple switches. So the MPLS network does not have that many devices doing routing and MPLS.

Thanks for any ideas!



How do You segment your network?

Hello, I am curious how granularly other engineers segment their network.

My basic approach: internal and external infrastructure is separated like this:

Internal zones:

  • dns
  • dhcp
  • active directory
  • ad fs
  • app x front (if microsegmented, then integ and prod microsegmented)
  • app x back (database)
  • management (oob)
  • net services (tacacs, radius, syslog etc.)
  • monitoring
  • load balancing
  • wireless infra
  • clients with edr

External:

  • dns
  • dhcp (for guests and so on)
  • clients without edr (e.g. guests)
  • externally accessible apps frontend
  • load balancing
  • net services (radius for guests)

I'd like to read some feedback and some other approaches.



VMWare NSX and OVSDB hardware

We are currently looking at moving one of our two data centres to a cloud provider and deploying VMware NSX. We spoke to our network vendor recently and they discussed VXLAN and OVSDB, including using our data centre routing hardware to manage the VTEPs and bringing our physical routers under the control of NSX to manage from a single point. When we have spoken to VMware sales about NSX they weren't really interested in discussing OVSDB and physical networking hardware and just said NSX will handle everything in software, and all we as the network guys had to worry about was providing and maintaining a working L3 underlay network that can move traffic from one place to another. Reading online there is mention that hardware offers a performance benefit over virtualised networking as it is built for the purpose, but perhaps this is an outdated view? Should we look to involve ourselves in the overlay network, or just leave it all to the VMware/NSX stuff and worry about the underlay? The technical sales guys seemed to just be trying to tell us as the networking guys not to worry and that it was all easy (as they always do). The more I learn about this stuff the more complicated it seems, and the more questions than answers I have, but everyone else is buying the sales talk of simplicity.



Unusual Response During Circuit Outage

This is about a month old now, but I thought some of you might get a laugh out of this. We have a data center in Denver, CO which took a hit in late September when there was a fiber cut during some construction digging downtown.

Zayo, our layer1 provider for connecting two of our data centers, hastily determined root cause for the outage and promptly sent in a repair team. Everything was going well for a couple hours, when suddenly I get this message from them.

Zayo Customers At this time we are having to stop all activity in the vicinity of Clayton and Detroit st in Denver where our construction and splice crews have been working. Unfortunately, the vicinity of this area has become an active crime scene and our repair teams have been mandated to leave the area by the local authorities until further notice. We will continue to work with our local repair teams to obtain a time-frame when they will be allowed back into the area to complete the remaining repairs. We understand how impactful this is to your business and sincerely apologize for the delay.

Unfortunately, I could never get an answer from them on what happened, or maybe what they found while digging. However, this has to be the most interesting reason I've ever been given by a service provider on why they needed to stop repairs.

Does anyone else have interesting/funny reasons for either an outage or stoppage of work?



Question about Etherchannel

Hi

First of all sorry if this is a dumb question, but I couldn't find an answer online and even asked people at work but nobody answered...

I have my CCNA exam on Tuesday and I'm doing NetAcad labs to prepare myself.

However, I came across this task on a packet tracer exam and I don't understand it and why my answer was wrong.

Task: Create EtherChannels according to the EtherChannel Port Assignments Table. Use the Cisco LACP protocol. Both sides of the channel should form the channel without negotiation.

There's a couple things that confused me.

1st: LACP is open standard and not Cisco proprietary right?

2nd: If both sides of the channel don't negotiate, what is the point of LACP?

I set the channel-mode to 'on' because that's the only mode that creates an EtherChannel without negotiation and that was wrong on the assessment. If I configured passive on both sides, no channel will be made. And if I configured active on either side, the channel would be made WITH negotiation.

Any help is appreciated and thanks in advance!



Any HPNA gurus out there?

To make a long story short, it'll probably be easier for me to get an answer here than go through the steps of accessing vendor support right now, so hopefully someone can answer what I hope to be an easy question.

We have some devices configured to allow HPNA to log in and back up configs. A subset of these devices apparently work in a cluster mode where slaves/standbys will not respond to communication requests, so HPNA is reporting that it cannot take snapshots of these devices. Is it possible to create a group in HPNA where as long as HPNA can take a snapshot of one of the devices in the group then HPNA will consider that a success for all of the devices in that group?

I've already confirmed these devices are in HPNA using separate IP addresses; this is not a case of two different devices being put into HPNA using a floating VRRP address or something like that.



Is this Megabits or Megabytes dedicated bandwidth (1:1)?

https://prnt.sc/ve49g5

I just want to know if this is a mistake on the website or if they really are providing megabytes per second. I am very confused.

Edit: I contacted the TATA salesperson and asked him specifically whether they are providing bits or bytes, and he said that he will give 1 STM in which I will get 155 megabytes. I am really confused right now.



Switch Port QoS to WLC

We have a Catalyst L3 switch C9300-48P, GigabitEthernet1/0/9 connecting to a WLC AIR-CT5520-K9. We have lots of total output drops, in the millions over the last 3 weeks, but there are 0 output errors. The current queueing strategy is fifo. What would be the best queuing strategy for this port? Or should I just try an EtherChannel to increase the bandwidth between them?

GigabitEthernet1/0/9 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is d4ad.bd2d.4c09 (bia d4ad.bd2d.4c09)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 55/255, rxload 57/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is on, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 280748031
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 226549000 bits/sec, 46950 packets/sec
  5 minute output rate 217600000 bits/sec, 42123 packets/sec
     19713046898 packets input, 11814567797426 bytes, 0 no buffer
     Received 14286820 broadcasts (11317565 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 11317565 multicast, 0 pause input
     0 input packets with dribble condition detected
     16347560425 packets output, 11315695952318 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Thanks in advance.



Advice on moving to redundant, multiple uplink router strategy.

Here is how our network currently looks: https://imgur.com/a/LkEDJNT

We've basically got one Linux-based router, with a four-port NIC connected to four different switches, configured to bridge into one connection on the router. We've also got a set of switches that are for internal traffic that are not represented here (we also have far more servers than represented here, but the graph gets too messy).

We've got full BGP tables from two providers, and then the third is an exchange where we are peering with participants.

We are upgrading to a 10gbe link on one of the connections, and want to move to a redundant router setup. Our goals would be to eliminate SPOFs, have some ability to engineer traffic to balance the costs with different providers, make things easy to manage (we do not have a lot of routing knowledge, and the bus factor increases every time we add new complications to our routing setup), be relatively low cost (we are running linux routers), and finally we want to be able to build something that will not cause us problems when we need to scale.

There seem to be a few ways that we can go:

  1. each router is connected to each of the three providers. This would mean two connections to each provider. This doesn't scale well, and might be cost prohibitive (depending on what the transit providers would charge us for the additional connections).

  2. we divide the transit connections between the routers. We could simply just lose one, and the traffic would then go to the other. Can we do this without iBGP? Like configure two static routes on our servers to handle this?

  3. we do the same thing as #2, but with iBGP and a cross-connect between the routers. If I'm not mistaken, we'd need all of our servers to run some internal routing daemon. We'd also probably want our switches to be able to do L3 OSPF, which we currently do not have available (we have L3 RIP capability in the switches).

  4. we have a router on standby, with VRRP to fail-over if the hardware dies, moving the connections to the other router. This would only solve the SPOF for our hardware, and not for the links.

It seems like these are the options, can you suggest others?

From reading posts here, it seems like #3 is really the only viable way to go, but it introduces a lot of additional undesirable factors (switch replacement, complicating management with needing routing daemons on all of our servers, iBGP and OSPF cognitive load).



Cisco WLC mixing AP models for monitor mode

I have 2702 access points for serving clients but was curious if anyone had thoughts on using some of the old 3602 APs for monitor mode. Not sure if that makes sense since it’s not the same as what is serving clients... any input would be appreciated!



Routed-Design in Campus

Hi, I've been doing some research about Routed-Design, but what do we do about the server farm, where we normally ran some form of FHRP and could easily run 2 different Ethernet cables to the 2 different L2 switches? What is the solution to this in a Routed-Design?

Also, what do people do about wifi?



Different Subnets

Connection: PC A ---- SWITCH S ------ PC B

If PC A and PC B are in different subnets, say:

PC A: 10.10.10.1/24
PC B: 20.20.20.1/24

At what stage would the packet get dropped? Would the packet arrive at switch?

What difference would it make if SWITCH S is a layer 3 switch? Would the packet arrive at switch then?



Quick survey as part of research for my university

*university course

Hey guys,

If this isn't allowed please just go ahead and remove it. I have made a quick survey as part of my data collection for a research project at university. It is pretty simple and large areas may have already been covered. (we're just being marked on the data collection and report mainly). However it is along the networking sort of lines and I'd really appreciate if some of you guys could fill out this survey for me, it only takes a few minutes.

https://forms.gle/kd2ULk6AgNz9cgdG7

Thanks guys



2960X End of Sale & End of Life announcement



Netbox change validation

We are using Netbox to configure Arista devices through CVP (Arista CloudVision Platform), and the idea is that Netbox should be the only source of truth. Basically it's working, but the issue is that when a user makes a change in Netbox, the changes are written directly to the Netbox database and the source of truth changes at this point. This is OK for minor changes that are done by regular users, but for more challenging changes we would like to implement a workflow that would allow us to validate the change, for example by making a git commit and merge request. The problem now is that the instant we make the changes in Netbox, the source of truth has changed, but the running config on the devices has not changed until the change has been accepted, so the source of truth and the reality on the devices are in conflict. Is there a way to commit the changes into Netbox only after the changes have been approved, for example in git?

All help is appreciated.



Frame relay query.

I trust you are all well, community. I am preparing for my Network+ exam and I am really struggling to understand what frame relay really does. I have watched YouTube videos but I still could not understand. Can someone please explain it to me as if I am a total beginner, meaning in very, very simple terms?



Cisco SD-Access Experts, Need your inputs and thoughts

Hello everyone,

I'm currently working on a Cisco SD-Access presentation, and thought it would be helpful to have your thoughts and ideas about the benefits, pros and cons, and whether you have had the chance to compare it to other vendors / developers of SD-Access solutions.

In general, What are the technical aspects that make Cisco SD-Access better than those of other vendors, and what are the cons that make it less interesting ?

Have a nice day guys



Wednesday, November 4, 2020

Hi there - less tech and more sales(y)

Hey all - does anyone know a reliable buyer within the NYC area for CISCO/Meraki (unclaimed, new in box)? Company I was working with went under so we are selling some of the extras. This isn't my forte and the two numbers I received were to people who said they would definitely help - but aren't in the area and would require sending boxes to them first, etc, etc. Apologies as I know this isn't exactly what this subreddit is for, but was hoping to get any advice on a lead.



Azure Cisco ASA Tunnel routing

Hello Pro Colleagues

So here is my situation:

I have a Cisco ASA to Azure VPN tunnel configured using VTI and BGP, the reason being that we have point-to-site VPN users that come in through Azure and access on-prem resources. Accessing on-prem resources is fine. The issue I am having is the VPN clients accessing external sites that require the client to be sourced from the company IP address, since it's whitelisted on their end. I have a "route vti 10.10.0.0 255.255.0.0 207.47.x.x outside" statement on the ASA.... any thoughts or insights are highly appreciated....thanks



Stumped on this Meraki MX + strange ISP setup at a remote site with satellite broadband modem

Hello, bouncing from ISP support to Meraki support and banging my head against the wall with this.

The ISP has Juniper gear with a Hughes Net modem and have given x.x.x.84/30 to the setup. x.x.x.85 is the modem, x.x.x.86 is the usable IP for the firewall, x.x.x.87 is the broadcast.

The LAN port on the modem has DHCP, ip: x.x.x.86, Gateway: x.x.x.85, Mask: 255.255.255.252

The WAN port on the Meraki is configured as dynamic, but is showing some conflicting info: https://i.imgur.com/VaIrq9D.png . In one spot the WAN1 IP is showing as x.x.x.85, and also the DDNS hostname of the Meraki resolves to x.x.x.85, which is the modem or its default gateway. These should all be x.x.x.86

It does have connectivity, and I can reach its status page by IP x.x.x.86 if I add my own public IP to the allow list. However Meraki Client VPN is failing from any client. I've done some packet traces from my own Meraki, this Meraki and even did one with the ISP on the modem while trying to connect, the one thing they all show is that client reaches out on 500 and 4500, Meraki responds on 500 but 4500 is unreachable: https://i.imgur.com/8cSYTxq.png (the .120 is my own public IP). According to the ISP all ports are allowed/forwarded.

One other strange thing is the Meraki is doing ARP requests for its own IP with "tell 0.0.0.0": https://i.imgur.com/0gyCMUc.png which may have to do with the weird ISP setup.

I think all the pieces are here but some of this is just beyond me to figure out what specifically to tell the ISP. I'm fairly certain it has to do with their setup, we have dozens of Merakis including several at remote locations like this with satellite or LTE modems that have a dynamic WAN IP with a public address, but they are usually on /29 or /28, not /30. The ISP has not been helpful and at one point asked if we could change the IPSEC port to something else. Meraki support hasn't been great either, the support rep had literally never seen a dynamic port with a public IP and said they couldn't help unless we plugged a windows computer into the modem and showed them the IP it got.



Unlimited Wireless 4G LTE Providers

Does anyone have any recommendations for a wireless 4G LTE provider that I can get a mobile SIM from to run a primary internet connection. Specifically for AT&T.

I have a camp site that is in the middle of rural Wisconsin that only has a reliable internet connection through AT&T. It's the only service that is available out there for a good enough connection.

Does anyone know of true unlimited 4G LTE service that can be ordered to potentially get the sim and put in an existing modem?

Thanks for any suggestions/direction.



Recommendations for a low cost (or reasonably priced) Network certification tool that I can save results

I'm looking for a reasonably priced Fluke (or other recommended) network certification tool for my business. We install and service point of sale systems for restaurants. I have an upcoming project that requires us to certify CAT-5 (up to 40 lines) then save the results and share in a report to the customer. I have an old Fluke tester that still works, but I'd like to purchase at least 2-3 more to distribute to the team. Any tips and recs from the experts would be appreciated. Thanks for reading!



NCM Recommendations

Hey /r/networking/

Recently I started a new job, one of the first tasks I've been given is looking into a new NCM solution. I've worked previously with Rancid and SW NCM, but I'm curious if there is anything out there in production use by you that you'd recommend as well.

The company I work for isn't afraid to spend on a good solution, but something reasonable would be nice (I'm not sure what a reasonable limit is).

After doing some looking around, Oxidized, Unimus, and Kiwi CatTools came up as other options.

What would you recommend if you were going to deploy out a new toolset for network config backups? I'd prefer something with a decent search and diff viewing tool as well so we can track changes over time.

Thank you!



WAF-Cloud vs On-Premise

We are looking at deploying WAFs for our enterprise network and are trying to shortlist some vendors. We have web services & portals published that customers use over the internet.

We are leaning towards deploying Cloud based WAF.

Do any of you have good/bad experiences with cloud deployment that you would be willing to share? Is it a good option? Any pros & cons?

As of right now, the short list looks like F5 ASM & Imperva.

Appreciate any help



BGP Question

So this is my first time setting up BGP, but I wanted to run it by users that probably know better than myself. I was requested to set up BGP between an Azure instance and an on-prem environment. Now, these connections already have a site-to-site VPN tunnel; however, the on-prem location has a backup internet connection. So the client would like to set up a BGP route between the backup connection and the Azure instance. I see all the locations in which I need to configure BGP, but my confusion comes in with the neighboring / ASN.

From reading online, what I gathered is the ASN is given by the ISP, so my assumption is I need to reach out to an ISP to obtain this and that it can't just be made up like a PSK on a site-to-site VPN?

Second part is the neighboring. Where a client showed me a connection, it looked like their neighboring was using a private Class A address. I don't believe that would be the case here, since if the VPN broke how could it reach out, so it would have to point to a public IP.



Cisco ASA VTI tunnel into a Google Cloud eve-ng instance: anyone pull off getting eve-ng topology to talk outside without ugly NAT or custom routes?

Spent quite a bit of time last month revamping my homelab at https://kd9cpb.com/initial_setup to use a Cisco ASA VTI tunnel with BGP into an eve-ng instance running on GCP. Overall I'm happy with how it turned out, and help from posts like https://www.reddit.com/r/networking/comments/iyveoc/eveng_google_cloud/ really came in handy when troubleshooting! The only problem is I feel that I'm being sloppy when it comes to getting traffic in/out of the eve-ng topology and onto the VTI tunnel. I'm really curious if anyone has pulled off something cleaner than the following:

  1. Setup eve-ng instance in GCP (enabling ip forwarding both within GCP and on eve-ng), get simple VTI tunnel going into my on-site ASA

  2. Create a route to the RFC1918 address space I'll use within the eve-ng topology towards the eve-ng instance in VPC Routes

  3. Advertise custom BGP route on the VTI tunnel to this RFC1918 address space

  4. Pray that I didn't mistype anything in the manual labor involved during steps 2 and 3 so that I can pass traffic through the VTI tunnel

In my perfect world, I'd like to do something more dynamic than the manual custom route in step 3, or somehow trick GCP into letting me use the Cloud0 management interface bridge, eliminating the need for step 2's separate RFC1918 address space within eve-ng topology. I don't want to do ugly stuff with NAT, and after attempting some stupidity with static ARP entries & alias IP ranges, I'm just about ready to throw in the towel.

Maybe the custom VPC route and advertising a custom BGP route is actually the cleanest way to do this, even with hand-jamming this config into GCP console. Currently I'm too cheap to buy a static IP with my ISP, so I have to manually re-enter the custom BGP route every time my WAN IP changes, which is quite often as I turn off my noisy ASA 5512-x every night. Not the end of the world, someday I'd like to automate this manual labor away with cloud shell, but curious if any other eve-ng and/or GCP gurus out here have other thoughts on cleaner ways to do this GCP eve-ng topology outside world communication.

-



Can't access single website from ONLY this network

Hey all, I'm the network guy in the sense that I know when to stop and ask someone else... So this one is beyond me right now:

So, we can't access our company website (normal website, not an internal one.) from our network. Using cell phones' own data service will work fine, customers are purchasing orders, etc. I can ping the server IP from inside; but any attempt to load the site fails with a timeout. Ping and Traceroute from the gateway work fine.

I even went so far as to pull down the SDWAN that is managed by the ISP (No control AT ALL, and is just handing out DHCP for a single flat /24, I needed to go anyway) and replace it with a new Mikrotik router that I was configuring for another use.

We're stuck on Frontier, so getting them to look at this will be a nightmare, so I need to have any ammo I can to have them look into it. All machines can't access, and ONLY our machines; and ONLY this one site. I had our web team look at the logs, and they don't even see any access from our IP. Not sure where to go from here before I fight the good fight with our ISP. Any help with diagnostic advice would be appreciated!



Struggling to remember networking commands for switches/routers.

Hello,

Currently learning networking and I don't have 28127171 years + CCNA experience in this field and I'm still somewhat new. I'm struggling to remember the exact commands for such important protocols.

My question is how do people remember every exact command to do in switches/routers? do you have them saved for backup or is it just built in for muscle memory?

I'm trying to learn DHCP and have been studying it in practice labs, but honestly trying to remember the commands is the hardest part.

Anyone have any advice/struggled with same concept?



NMS that support distributed polling?

I'm looking for a SNMP polling solution that can scale horizontally. That is to say that I can just "add more pollers" without having to manually configure poller 1 to poll half the devices, and poller 2 to poll the other half.

It seems like LibreNMS supports this, and it also seems like SolarWinds supports this. Are there any others?

I looked into Telegraf+InfluxDB, or Logstash, but with both Telegraf and Logstash, I don't see an easy way to add more instances to spread the load out (the polling configuration is local to each instance).



VPN setup with 2FA

Hi everyone,

Recently, I've been tasked with setting up a VPN connection with 2FA for a customer with at least 50 users. They used to be just using SSL VPN, which was accomplished simply by setting up a VPN profile in a Cisco ASA 5520, and using Cisco Anyconnect client to establish the connection.

I don't have any experience with setting up 2FA, so I am kind of looking around for solutions.

Our first solution was to buy a Fortigate 101E, using the Forticlient VPN software, and buying Fortitokens for 2FA. Kind of fuss-free, but one of the most pricey solutions.

Second solution was to use an existing Cisco ASA, using Cisco AnyConnect, and setting up an Ubuntu server installed with FreeRADIUS, and using the Google Authenticator app for 2FA. Literally a free solution, but requires a lot more setup and research.

Third solution is to buy a Fortigate 101E, and consult with a third party vendor to assist with the 2FA setup. They have their own 2FA mobile app and radius server. Based on what they said, forticlient VPN is not able to use their mobile 2fa app, since it does not support Radius authentication. Will have to use OpenVPN instead. We will just have to import their config into our VPN server and client.

Any recommendations or things that I could have missed ? I am under the impression that Cisco Anyconnect can only connect to Cisco ASA, and Forticlient can only be connected to Fortigate VPN.



Any good cat8 qualification testers that won't break the bank? I don't need a certification tester (aka, expensive fluke dsx-8000). Anything under $500 or close to?

I will settle for a 10g-base qualification tester if the equipment is out of my price range.



15 second outage every 6 hours.....right on the dot.

This is not business grade so there's probably no real SLA on this, but I'm trying to solve some logs and help figure out which one of the devices is the chink in the chain. Do these timers look familiar? 15 second outage to all external WAN IPs 2 times a day, 6 hours apart, for 15 seconds. Using the cheap built-in mode and started my monitoring to Default Gateway, Spectrum PoP, Google DNS to determine if it is inside the network on the LAN. Does this look fairly normal to any service provider?

Net Uptime Monitor Failure Log (NetUptimeMonitor.com)

11/2/2020 4:23:04 PM Log Start

Failure Start            Length
11/2/2020 9:17:31 PM     0:00:12
11/3/2020 3:17:29 AM     0:00:17
11/3/2020 9:17:31 AM     0:00:15
11/3/2020 3:17:30 PM     0:00:17
11/3/2020 9:17:30 PM     0:00:16
11/4/2020 3:17:33 AM     0:00:14

11/4/2020 7:08:08 AM Log End

Monitor Duration 38:45:02

Failure Summary:
Count 6
Total Downtime 0:01:34
% Downtime 0.07
Minimum Length 0:00:12
Maximum Length 0:00:17
Average Length 0:00:15
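
The check a practitioner would want on a log like the one above is whether the failures are really on a fixed timer: the gap between successive failure starts, and how much it drifts. The following is an added example (not part of the original post) that parses lines in the Net Uptime Monitor format shown and reports the period and jitter; the sample lines are copied from the log above and embedded so it runs offline.

```python
from datetime import datetime
from statistics import mean, pstdev

# Net Uptime Monitor writes "M/D/YYYY h:mm:ss AM/PM h:mm:ss" per failure (as in the post).
LOG_FMT = "%m/%d/%Y %I:%M:%S %p"

# The failure rows from the post, embedded verbatim so the example runs offline.
SAMPLE_LOG = """
Failure Start            Length
11/2/2020 9:17:31 PM     0:00:12
11/3/2020 3:17:29 AM     0:00:17
11/3/2020 9:17:31 AM     0:00:15
11/3/2020 3:17:30 PM     0:00:17
11/3/2020 9:17:30 PM     0:00:16
11/4/2020 3:17:33 AM     0:00:14
""".strip().splitlines()


def parse_failures(lines):
    """Return [(start datetime, outage seconds)] for every row that matches the format;
    header and summary lines are skipped because they do not parse as a timestamp."""
    failures = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            start = datetime.strptime(" ".join(parts[:3]), LOG_FMT)
        except ValueError:
            continue
        h, m, s = (int(x) for x in parts[3].split(":"))
        failures.append((start, h * 3600 + m * 60 + s))
    return failures


def periodicity(failures):
    """Gaps between consecutive failure starts, their mean (the period), and the
    worst drift from that mean. A hardware/ISP timer shows near-zero drift."""
    starts = sorted(f[0] for f in failures)
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if not gaps:
        return None
    period = mean(gaps)
    return {
        "count": len(starts),
        "gaps_s": gaps,
        "period_s": period,
        "period_h": period / 3600,
        "jitter_s": pstdev(gaps),
        "max_drift_s": max(abs(g - period) for g in gaps),
        "mean_outage_s": mean(f[1] for f in failures),
    }


if __name__ == "__main__":
    stats = periodicity(parse_failures(SAMPLE_LOG))
    print("period %.2f h, max drift %.1f s, mean outage %.1f s"
          % (stats["period_h"], stats["max_drift_s"], stats["mean_outage_s"]))
```

Run it against the full log file with `periodicity(parse_failures(open("uptime.log")))`; a period that sits within a few seconds of a round number across many days points at a scheduled event rather than congestion.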



What do your syslog setups / configs look like?

I have a small network. 15 Cisco (IOS-XE) switches, a Cisco ASA and a couple of Cisco routers.

I’ve been tasked with setting up a syslog server. I have kiwi syslog set up (that’s what the company bought the license for, so that’s what I have) and I’m wondering what your syslog configs look like.

Currently I am disabling debug logging on everything, then setting the trap level to debug. This way, when I turn on debugging for something I don't have to change what is being sent to the syslog server, just enable/disable that debug.

I am enabling link status logging to keep an eye on port flapping.

I am using log facility local7, which I think is correct, but if someone wants to tell me why I’m wrong I’ll gladly listen.

One of the reasons I ask is because some of my switches are logging every command that I run on them, when some of them only log when I authenticate and disconnect and I’m not sure why.
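
Two things in the post above can be checked mechanically on the receiving side: what facility/severity each switch is actually stamping on its messages (the syslog PRI value encodes both), and which interfaces are flapping. The following is an added example, not part of the original post: a small parser for IOS-style messages as a syslog collector receives them, which decodes the PRI, counts link state changes per interface, and pulls out configuration-change records. It assumes the `<PRI>seq: timestamp: %COMPONENT-SEV-MNEMONIC: text` layout without an origin-id prefix; the sample lines are constructed for the example, and `%PARSER-5-CFGLOG_LOGGEDCMD` is the mnemonic IOS uses when configuration change logging is enabled.

```python
import re
from collections import Counter

# RFC 5424 facility and severity tables; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "clock"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>seq: *Mon dd hh:mm:ss.mmm: %COMPONENT-SEV-MNEMONIC: text  (assumed IOS layout)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:\d+: )?(?:\*?\S+ +\d+ [\d:.]+(?: \S+)?: )?"
    r"%(?P<component>[A-Z0-9_]+)-(?P<level>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
INTERFACE_RE = re.compile(r"Interface (\S+), changed state to (up|down)")

# Constructed sample lines, not a real capture.
SAMPLE = [
    "<187>45: *Nov  4 10:12:01.100: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to down",
    "<189>46: *Nov  4 10:12:01.101: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to down",
    "<187>47: *Nov  4 10:12:03.400: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up",
    "<187>48: *Nov  4 10:12:05.900: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to down",
    "<187>49: *Nov  4 10:12:08.200: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up",
    "<189>50: *Nov  4 10:15:22.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<189>51: *Nov  4 10:15:25.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet1/0/7",
    "<187>52: *Nov  4 10:20:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to down",
]


def decode_pri(pri: int):
    """Split the syslog PRI into (facility name, severity name)."""
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return {"facility": facility, "severity": severity, "component": m["component"],
            "level": int(m["level"]), "mnemonic": m["mnemonic"], "text": m["text"]}


def summarize(lines, flap_threshold: int = 4):
    """Facility mix, logged CLI commands, and interfaces whose physical link
    changed state at least `flap_threshold` times within this batch of lines."""
    parsed = [p for p in map(parse, lines) if p]
    facilities = Counter(p["facility"] for p in parsed)
    commands = [p["text"] for p in parsed if p["mnemonic"] == "CFGLOG_LOGGEDCMD"]
    changes = Counter()
    for p in parsed:
        # Count only %LINK (physical) so the paired %LINEPROTO message is not double-counted.
        if p["component"] == "LINK" and p["mnemonic"] == "UPDOWN":
            m = INTERFACE_RE.search(p["text"])
            if m:
                changes[m.group(1)] += 1
    flapping = sorted(i for i, n in changes.items() if n >= flap_threshold)
    return {"parsed": len(parsed), "facilities": dict(facilities),
            "logged_commands": commands, "flapping": flapping}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feed it one switch's messages at a time: if the facility that comes back is not the one you configured, the device is not applying the `logging facility` setting you expect, and a non-empty `logged_commands` list is the signature of a switch that has configuration-change logging turned on.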



Utility like jnettop to produce an aggregate report of local port, remote addr and total over a period of time?

So I want to monitor a network interface and produce a report over a period of time that lists the local port, the remote ip and the bytes transferred, in the simplest way possible.

This works in theory...

$ jnettop -i ens5 -n --display text -t 20 --remote-aggr port \
    --format '$src$:$srcport$ $dst$:$dstport$ $totalbytes$'
172.30.1.180:443 xxx.xxx.xxx.xxx:AGGR. 77491
172.30.1.180:123 xxx.xxx.xxx.xxx:AGGR. 180
172.30.1.180:443 xxx.xxx.xxx.xxx:AGGR. 6833
172.30.1.180:57096 xxx.xxx.xxx.xxx:AGGR. 6761
172.30.1.180:3306 xxx.xxx.xxx.xxx:AGGR. 948
172.30.1.180:51164 xxx.xxx.xxx.xxx:AGGR. 182

(xxx.xxx.xxx.xxx redacted)

But seems to not produce results reliably especially for time periods longer than a few seconds, either producing nothing or demonstrably not producing everything (traffic intentionally generated not recorded).

Can anybody suggest a better way to do this?
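
One dependable way to get the report described above is to let a capture tool emit one line per packet and do the aggregation yourself, so nothing is lost to a display refresh. The following is an added example, not from the original post: it consumes tab-separated per-packet fields and folds them into (protocol, local port, remote address) totals for both directions. It assumes the local address of `ens5` is 172.30.1.180 (as in the jnettop output above) and that the lines come from an invocation such as `tshark -i ens5 -a duration:20 -T fields -E separator=/t -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport -e frame.len`; the sample lines embedded here are constructed, not a real capture.

```python
from collections import defaultdict

LOCAL_IP = "172.30.1.180"  # assumed address of ens5

# Constructed sample in the assumed tshark field order:
# ip.src  ip.dst  tcp.srcport  tcp.dstport  udp.srcport  udp.dstport  frame.len
SAMPLE = [
    "203.0.113.5\t172.30.1.180\t51523\t443\t\t\t517",   # HTTPS client -> us
    "172.30.1.180\t203.0.113.5\t443\t51523\t\t\t4120",  # our response
    "172.30.1.180\t198.51.100.20\t\t\t123\t123\t90",    # NTP out
    "198.51.100.20\t172.30.1.180\t\t\t123\t123\t90",    # NTP back
    "172.30.1.180\t10.0.0.9\t51164\t3306\t\t\t182",     # us -> MySQL server
    "10.0.0.9\t172.30.1.180\t3306\t51164\t\t\t948",     # MySQL reply
    "172.30.1.180\t10.0.0.9\t\t\t\t\t60",               # ICMP: no ports, ignored
]


def parse_tshark_fields(lines):
    """Yield (src, dst, proto, sport, dport, frame_len) for each TCP/UDP line."""
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 7:
            continue
        src, dst, tsp, tdp, usp, udp, flen = parts
        sport, dport = (tsp or usp), (tdp or udp)
        if not (sport and dport):
            continue  # neither TCP nor UDP
        proto = "tcp" if tsp else "udp"
        yield src, dst, proto, int(sport), int(dport), int(flen)


def aggregate(records, local_ip=LOCAL_IP):
    """(proto, local_port, remote_ip) -> [bytes_in, bytes_out]."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, proto, sport, dport, flen in records:
        if src == local_ip:
            totals[(proto, sport, dst)][1] += flen
        elif dst == local_ip:
            totals[(proto, dport, src)][0] += flen
    return dict(totals)


def report(totals):
    """Plain-text table sorted by total bytes, busiest first."""
    rows = sorted(totals.items(), key=lambda kv: -(kv[1][0] + kv[1][1]))
    out = ["%-5s %-6s %-16s %10s %10s %10s" % ("proto", "lport", "remote", "in", "out", "total")]
    for (proto, lport, remote), (b_in, b_out) in rows:
        out.append("%-5s %-6d %-16s %10d %10d %10d" % (proto, lport, remote, b_in, b_out, b_in + b_out))
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE
    print(report(aggregate(parse_tshark_fields(lines))))
```

Pipe the tshark output into the script for a live interval, or run tshark with `-w` and re-read the pcap later with the same `-T fields` options; because every packet is accounted for once, the totals do not depend on how long the capture runs.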



How big would the servers in an isp that serve fibre connections for let's say a 100,000 people be?

I'm just curious.



Tuesday, November 3, 2020

Vlan Rewrite on Ubuntu 18.04

I am in need of some Linux bridging help on an Ubuntu 18.04 server. The server is connected to a trunk port and that trunk port has multiple VLANs on it. So far I have been able to create the bridge and VLANs using Netplan, but my packet captures show that the Ubuntu server is not removing VLAN tags at ingress and pushing VLAN tags on egress (tags are being maintained through the server). Does anyone know how to configure the Ubuntu server to push and pop VLAN tags in a bridge? Any links to documents would be appreciated as well.

Hopefully if this takes off there will be money to do it right and put a switch in front of the server that will do all this tag manipulation, but for now I am trying to get it working as a proof of concept.

Edit- I got it working for the server to talk to the remote devices. Remote devices can't talk to each other through the bridge on the server, but that communication isn't needed for this application. The application running on the server has to be restarted when you add or remove an interface to/from the bridge for traffic to flow correctly.



Probably in over my head.

Hey everyone! I don't post often on reddit, but I thought hey; what can it hurt.

Here's the short of it: bachelor's in Information Systems, no experience in business networks (college wasn't the best of teachers, and I wasn't the best of listeners, admittedly.)

I work for a multi-million dollar company that specializes in shipping product from an auction site. The problem? They run this company off of two computers. No network, nothing. All orders are printed out.

Well, we're growing rapidly. And they want to implement a POS system that integrates with the auction site. Time passes, we get the contract for the POS, and I'm the one in charge of installing and integrating the entire thing. I'm more than a little nervous about it! I believe in trial by fire, but I don't want to mess this up for them.

Basically, I have to set up the entire network (server, workstations, APs, etc.) Any good advice to give? I know I can do this, but... I can't shake the feeling I'm missing something and it's gonna kill me.

Thanks in advance everyone, from what I've read on the subreddit, y'all seem real cool.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



EIGRP Routing Manipulation - Bandwidth

Network Diagram

All switches are layer 3 switches.

Something I'm not understanding about EIGRP but if I'm running EIGRP processes, one of the main concepts of EIGRP is the minimum bandwidth of a link to a neighboring router/switch. If I leave in the defaults of 1000000Kb (1Gb) of bandwidth across the other interfaces but I modify the port connecting switch 2 and switch 3 to 300000Kb (300Mb), it doesn't make a change to the topology table in EIGRP.

One thing to note that I'm pondering as I'm typing this, is that between Switch 1 and Dist 1, the EIGRP process is running across a VLAN 'transit interface' for the routing between the two switches rather than at the physical interface. The same applies between switch 1 and switch 3. The routing process takes place across a VLAN 'transit interface' between Switch 1 and Switch 3 and not on physical interfaces. So layer 2 happens from switch 1 to switch 3 and then the neighbor relationship is formed.

Appreciate any insight you might have.
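
A worked computation of the classic EIGRP composite metric, added here as an example (not from the original post), shows what a bandwidth change on one link is expected to do: with the default K values the metric is 256 * (10^7 / minimum bandwidth on the path in kbit/s + sum of delays in tens of microseconds), with integer truncation. The topology below is constructed for the example and only loosely follows the post (two equal 1 Gbit/s paths, then one link lowered to 300 Mbit/s); interface delays are the 10 us default of a Gigabit interface.

```python
def eigrp_classic_metric(links, k1=1, k3=1):
    """Classic EIGRP metric with default K values (K1=K3=1, K2=K4=K5=0).

    links: [(bandwidth_kbps, delay_us), ...] for every interface on the path,
    i.e. the local outgoing interface plus what each neighbor advertised.
    The bandwidth term uses the SLOWEST link; the delay term is cumulative.
    """
    min_bw = min(bw for bw, _ in links)
    delay = sum(d // 10 for _, d in links)          # IOS counts delay in tens of us
    return 256 * (k1 * (10**7 // min_bw) + k3 * delay)


def best_path(paths):
    """paths: {name: [(bw, delay), ...]} -> (winner, {name: metric})."""
    metrics = {name: eigrp_classic_metric(links) for name, links in paths.items()}
    return min(metrics, key=metrics.get), metrics


# Constructed topology: Switch 3 reaching a prefix behind Dist 1 either through
# Switch 2 (sw3-sw2, sw2-dist1) or through Switch 1 (sw3-sw1, sw1-dist1).
GIG = (1_000_000, 10)          # 1 Gbit/s, 10 us delay (Gigabit interface defaults)
BEFORE = {"via sw2": [GIG, GIG], "via sw1": [GIG, GIG]}
AFTER = {"via sw2": [(300_000, 10), GIG], "via sw1": [GIG, GIG]}   # sw3-sw2 lowered to 300 Mbit/s


def compare(before, after):
    """Which paths changed metric, and which one wins after the change."""
    _, m_before = best_path(before)
    winner, m_after = best_path(after)
    changed = sorted(n for n in m_after if m_after[n] != m_before[n])
    return {"before": m_before, "after": m_after, "changed": changed, "winner": winner}


if __name__ == "__main__":
    print(compare(BEFORE, AFTER))
```

The metric only moves for the path that actually carries the modified interface; the bandwidth value EIGRP reads is the one on the interface the adjacency is formed over, so when the neighbor relationship runs across a VLAN transit interface rather than the physical port, the physical port's `bandwidth` does not enter the calculation.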



Can a QSFP28 to SFP28 breakout cable work in a QSFP and SFP+ ports? I know they are backwards compatible but just double checking.

We are trying to future-proof our cabling purchases and just want to verify with some of you that may have done this. We are trying to use QSFP28 to SFP28 breakout cables to connect, right now, NetApp equipment that as of now has QSFP ports on the switch end and SFP+ on the node end. Thanks for any comments and advice in advance!



Attenuator failure rate vs transceiver failure rate risk

Does anyone know if there has been a study of failure rate of fiber attenuators compared to transceivers that might run on the hot side that are still within specs?

For example, will adding an attenuator make sense when running at -1dB (while specs allow up to +2dB) to lower transceiver failure risk, compared to the extra risk of adding an attenuator that could fail?

My theory would be that if light levels are within specs, then the attenuator failure rate risk would be higher than just leaving it a little on the hotter side. I tried to do a Google search on that but found nothing useful.



DNS question - why using a recursive resolver (e.g. 1.1.1.1 or your ISP's) instead of running it locally and querying directly the DNS root servers?

I couldn't find an answer to this one. Netgate says in the pfSense docs that the resolver (unbound) that is installed and enabled by default ignores any recursive name servers set and instead queries the root servers directly, unless configured otherwise (https://docs.netgate.com/pfsense/en/latest/services/dns/resolver.html). So I was thinking, from a privacy point of view, why have an intermediate and send them all your browsing history? Cloudflare implements, for example, DNS over TLS, DNS over HTTPS and even encryption of SNI (so "your ISP can't really see the names you are querying"). But ISPs can see the IPs you are accessing and, therefore, can trace the IPs back to their corresponding names. It looks like a bogus sense of privacy only to convince the users to send them their DNS requests. Besides, running it locally could bypass censorship on the DNS level (yes, it happens sometimes in my country, very "democratic") and the local cache could not only speed things up but also really improve privacy by reducing the number of queries sent through the WAN (and, obviously, excluding intermediates). Idk, maybe I am misunderstanding the functionality of the DNS stack. Am I missing something? Could someone help elaborate? Thanks!



How do you go about troubleshooting latency?

Recently been having some issues with latency, mostly internal with images booting on thin clients. We use all cisco switches. I do the normal stuff like check logs and check counters. If I see errors, I will swap SFPs, clean fiber, swap with new fiber, etc. What are some other steps to take when troubleshooting latency? Our latency is usually pinpointed to one or 2 areas at a time. Not our entire network.



Rate Limiting and QoS

TL;DR: Conceptually, how are QoS and rate-limiting handled in carrier networks? Is there a way I can improve reliability for VoIP and video conferencing when actual bandwidth isn't the issue?

Context: We're a small reseller that provides internet service to some business and residential customers.

Our business customers have strands of fiber that interconnect directly with our head end, and terminate at a switch. We don't have a PON OLT (yet). Basically our fiber service is one big LAN.

Previously each business customer would get a 100Mb/s loop that would simply operate at line speed. We used to have a bunch of crappy 100Mb/s media converters jumbled into a switch but I've since replaced that with an SFP switch. Customers wanted an option to save cost when they didn't need 100Mb or 1Gb service. My solution was to configure rate limiting on the switch ports.

The problem I have now is that when demand is high, packets that exceed the rate limit are dropped. Customers experience some stutter and occasional drops during voice and video calls. This is particularly vexing given the current remote work and school situation.

I've been trying to wrap my head around QoS but when I do a packet capture on the inbound traffic, it all comes in with the same DSCP value. Is that typical?



BGP Prefix List for Odd and Even Routes in Juniper

Hi Team. I am looking for a way in JunOS to be able to filter odd and even routes in the 3rd octet of a subnet. For example:

  1. All even routes x.x.EVEN.x routes via RTR1.
  2. All odd routes x.x.ODD.x routes via RTR2.

I have done this before with Cisco Routers prefix-list, however in JunOS I am not sure what is the right way to do this. Thank you in advance.



How do you detect DOS and DDOS attacks?

Hi,

We run a really heterogeneous network (basically because we offer services to several thousand customers who host their infrastructure with us). We have our own DDoS detection and scrubbing system, which is mainly built for volumetric detection, and we also divert traffic via BGP announcement to an external provider for scrubbing of big attacks. Basically we have several taps on our network, and traffic is sniffed by machines running iptables with some high-performance rules that are able to detect attacks.

It's running quite well, but as it's basically designed to be a volumetric attack detection system, some small attacks are not really detected because they are under our detection threshold.

These small attacks should be theoretically handled by our customers directly, as they are so small their own infrastructure should not have problems handling them, but I'm trying to anyway improve our own system.

What I always found quite difficult is to find DOS or DDOS attack "definitions". I know for example there is malicious traffic which is quite easy to identify (UDP port 0 or similar) but I've never been able to find kind of "definitions" for DDOS attack detection. I would like to find some "definitions" with things like "hping3 SYNs have the ACK flag set" (unless -L 0 option is used) that would make really easy to write custom rules to detect and block this kind of traffic.

So I'm wondering, what do you use for DOS or DDOS attack detection? And also, is there any kind of definitions out there that could be used to identify most common attack traffic?

Thanks!
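
The "definitions" asked for above split into two kinds of rule: stateless signatures for packet shapes no real stack emits (UDP port 0, a TCP segment with no flags, SYN and FIN set together), and per-source rate rules that catch a flood which is small in bytes but abnormal for one address. The following is an added example, not part of the original post, with both kinds run over constructed packet records (documentation addresses); it is a reference implementation of the logic, not an iptables ruleset, and the thresholds are assumptions to tune per network.

```python
from collections import defaultdict, deque

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Stateless signatures: each is (rule name, predicate over one packet record).
SIGNATURES = (
    ("udp-port-0", lambda p: p["proto"] == "udp" and 0 in (p["sport"], p["dport"])),
    ("tcp-null", lambda p: p["proto"] == "tcp" and p["flags"] == 0),
    ("tcp-syn-fin", lambda p: p["proto"] == "tcp"
                    and (p["flags"] & (SYN | FIN)) == (SYN | FIN)),
)


class SynRateDetector:
    """Sliding-window count of pure SYNs per source address. Fires once when a
    source crosses `max_syn` connection attempts inside `window_s` seconds."""

    def __init__(self, window_s: float = 1.0, max_syn: int = 20):
        self.window_s = window_s
        self.max_syn = max_syn
        self.seen = defaultdict(deque)        # src -> timestamps of recent SYNs

    def observe(self, p):
        if p["proto"] != "tcp" or not (p["flags"] & SYN) or (p["flags"] & ACK):
            return None                       # only SYN without ACK = new connection attempt
        q = self.seen[p["src"]]
        q.append(p["ts"])
        while q and p["ts"] - q[0] > self.window_s:
            q.popleft()
        if len(q) == self.max_syn:            # equality: alert exactly once at the crossing
            return ("syn-rate", p["src"], "%d SYN in %.1fs" % (len(q), self.window_s))
        return None


def detect(packets, syn_detector=None):
    """Run every packet through the signatures and the rate detector; return alerts."""
    syn_detector = syn_detector or SynRateDetector()
    alerts = []
    for p in packets:
        for name, match in SIGNATURES:
            if match(p):
                alerts.append((name, p["src"], "%s:%d" % (p["dst"], p["dport"])))
        hit = syn_detector.observe(p)
        if hit:
            alerts.append(hit)
    return alerts


def sample_packets():
    """Constructed traffic, not a real capture: one normal handshake, three
    malformed packets from a scanner, and a low-volume SYN burst from one source."""
    def pkt(ts, src, dst, proto, sport, dport, flags=0):
        return dict(ts=ts, src=src, dst=dst, proto=proto, sport=sport, dport=dport, flags=flags)

    pkts = [
        pkt(0.00, "192.0.2.5", "198.51.100.10", "tcp", 51000, 443, SYN),
        pkt(0.05, "198.51.100.10", "192.0.2.5", "tcp", 443, 51000, SYN | ACK),
        pkt(0.10, "203.0.113.9", "198.51.100.10", "udp", 0, 53),
        pkt(0.20, "203.0.113.9", "198.51.100.10", "tcp", 40000, 80, SYN | FIN),
        pkt(0.30, "203.0.113.9", "198.51.100.10", "tcp", 40001, 80),
    ]
    # 25 SYNs in half a second: a few kilobytes in total, far under any volumetric line.
    pkts += [pkt(1.0 + i * 0.02, "203.0.113.77", "198.51.100.10", "tcp", 30000 + i, 443, SYN)
             for i in range(25)]
    return pkts


if __name__ == "__main__":
    for alert in detect(sample_packets()):
        print(alert)
```

The signature rules translate directly into match conditions on a tap box (flag combinations and port 0), while the rate rule is what the volumetric system misses: it keys on one source rather than on total bytes, so the window and threshold, not the link size, decide what it sees.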



Why would I still get ping replies when I set TTL to 2?

I am trying to build a traceroute program and started by testing pings with different ttl values.

Ping 8.8.8.8 with TTL 1, I get a TTL exceeded message from my gateway, as expected.

Ping with TTL 2, I get a response from 8.8.8.8.

Ping with TTL 3, I get another TTL exceeded message from an Internet router.

Why am I getting a response with TTL 2?
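
Whatever the path does with a given TTL, a traceroute loop has to tell two things apart for each probe it sends: an ICMP Time Exceeded from an intermediate hop, which quotes the original IP header and the first 8 bytes of the probe (so the probe's identifier and sequence can be matched), and an Echo Reply from the destination itself. The following is an added example, not from the original post: it builds the echo request with its checksum, constructs (for testing, without any network access) the datagrams a router and the destination would send back, and classifies them. Addresses are constructed documentation addresses; sending the probe for real needs a raw socket and is left out.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used for IPv4 and ICMP headers alike.
    Over a header whose checksum field is already filled in it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, icode: int, body: bytes) -> bytes:
    hdr = struct.pack("!BBH", itype, icode, 0)
    return struct.pack("!BBH", itype, icode, inet_checksum(hdr + body)) + body


def build_echo_request(ident: int, seq: int, payload: bytes = b"probe") -> bytes:
    return build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", ident, seq) + payload)


def build_echo_reply(ident: int, seq: int, payload: bytes = b"probe") -> bytes:
    return build_icmp(ICMP_ECHO_REPLY, 0, struct.pack("!HH", ident, seq) + payload)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options), used here only to construct test datagrams."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, src_b, dst_b]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def build_time_exceeded(router: str, probe_src: str, original: bytes) -> bytes:
    """What a router sends when the TTL of `original` reaches zero (RFC 792):
    4 unused bytes, then the offending IP header plus 8 bytes of its payload."""
    icmp = build_icmp(ICMP_TIME_EXCEEDED, 0, b"\x00" * 4 + original[:28])
    return build_ipv4(router, probe_src, IPPROTO_ICMP, icmp)


def classify_reply(datagram: bytes, ident: int) -> dict:
    """Decide whether an incoming IPv4 datagram is a hop report or the final reply
    to our probe; `ours` guards against unrelated ICMP arriving on the same socket."""
    ihl = (datagram[0] & 0x0F) * 4
    hop = ".".join(str(b) for b in datagram[12:16])
    icmp = datagram[ihl:]
    itype, icode = icmp[0], icmp[1]
    if itype == ICMP_ECHO_REPLY:
        rid, rseq = struct.unpack("!HH", icmp[4:8])
        return {"kind": "reply", "hop": hop, "ours": rid == ident, "seq": rseq}
    if itype == ICMP_TIME_EXCEEDED:
        inner = icmp[8:]                                   # quoted original datagram
        inner_ihl = (inner[0] & 0x0F) * 4
        oid, oseq = struct.unpack("!HH", inner[inner_ihl + 4:inner_ihl + 8])
        return {"kind": "time_exceeded", "hop": hop, "ours": oid == ident, "seq": oseq}
    return {"kind": "other", "hop": hop, "type": itype, "code": icode}


if __name__ == "__main__":
    probe = build_echo_request(0x1234, 2)
    original = build_ipv4("192.0.2.10", "8.8.8.8", IPPROTO_ICMP, probe, ttl=2)
    print(classify_reply(build_time_exceeded("203.0.113.1", "192.0.2.10", original), 0x1234))
    print(classify_reply(build_ipv4("8.8.8.8", "192.0.2.10", IPPROTO_ICMP,
                                    build_echo_reply(0x1234, 2)), 0x1234))
```

In a real loop the identifier is usually the process id and the sequence number is the TTL, so that a late or duplicated Time Exceeded can be attributed to the hop it came from, and any ICMP not carrying our identifier is ignored rather than counted as a hop.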



Help setting up network on Hyper-v VMs so that they can communicate with each other

I need to configure 3 VMs so that they can communicate with each other on the same network for my apprenticeship project.

The network address is 192.168.1.0/24.

All machines are using the same virtual switch in Hyper-V.

When I configured the TCP/IP settings I set the IP for one machine to 192.168.1.2 and the other to 192.168.1.3.

The subnet mask on both machines is set to 255.255.0.0.

When I try to ping the IP of one VM on another VM, the request just times out.

Is anyone able to help? I have no idea what I'm doing and I can't find much on Google for networking Hyper-V virtual machines.
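
The question in "Different Subnets" above (where a packet for another subnet is dropped, and whether the switch ever sees it) and the addressing in the Hyper-V post both come down to the decision a host makes before it builds a frame: is the destination on-link under my mask, and if not, do I have a gateway that is? The following is an added example, not part of either post, implementing that decision with longest-prefix match over a small routing table. It does not diagnose the Hyper-V timeout; it only shows what each host would do with the addresses given. The gateway addresses used are constructed.

```python
import ipaddress


def next_hop(host_ip: str, prefix_len: int, dst: str, routes=()):
    """Return what a host does with a packet for `dst`:
      ("on-link", dst)        deliver directly (ARP for dst, frame reaches the switch)
      ("via-gateway", gw)     longest-matching route; ARP for gw, frame reaches the switch
      ("unreachable", ...)    no usable route: dropped locally, no frame is ever sent
    `routes` is a sequence of (prefix, gateway) strings, e.g. ("0.0.0.0/0", "10.10.10.254")."""
    iface = ipaddress.ip_interface("%s/%d" % (host_ip, prefix_len))
    target = ipaddress.ip_address(dst)
    if target in iface.network:
        return ("on-link", dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return ("unreachable", None)
    gw = best[1]
    if ipaddress.ip_address(gw) not in iface.network:
        return ("unreachable", gw)        # a gateway must itself be on-link to be ARPed for
    return ("via-gateway", gw)


def walk(cases):
    """Evaluate a list of (host_ip, prefix_len, dst, routes) and return the decisions."""
    return [next_hop(*c) for c in cases]


# Constructed cases: the two posts' addresses, with and without a default gateway.
CASES = [
    ("10.10.10.1", 24, "20.20.20.1", ()),                                  # PC A, no gateway
    ("10.10.10.1", 24, "20.20.20.1", (("0.0.0.0/0", "10.10.10.254"),)),    # PC A with L3 hop
    ("10.10.10.1", 24, "20.20.20.1", (("0.0.0.0/0", "10.10.10.254"),
                                      ("20.20.0.0/16", "10.10.10.253"))),  # longest match wins
    ("10.10.10.1", 24, "20.20.20.1", (("0.0.0.0/0", "192.168.5.1"),)),     # off-link gateway
    ("192.168.1.2", 16, "192.168.1.3", ()),                                # Hyper-V VMs, /16
    ("192.168.1.2", 24, "192.168.1.3", ()),                                # same, with /24
]

if __name__ == "__main__":
    for case, decision in zip(CASES, walk(CASES)):
        print(case[:3], "->", decision)
```

With no route the sender drops the packet itself, so a plain L2 switch between the two PCs never receives a frame for it; a gateway (or a routed SVI on an L3 switch) is what turns the first case into the second. For the Hyper-V addresses both masks place the two VMs on-link, so the addressing alone does not stop the exchange.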