Saturday, December 5, 2020

Is it possible to be able to determine a route my internet takes to get to a server?

Hello everyone,

I'm a little new to this subreddit but I'm interested in tracing the routes that my packets take to go to a specific server, say an AWS server.

As far as I can tell, ISPs have control over the routes that packets need to take to get to a server.

Is it possible to bypass this and figure out your own route to a server?

Let me know if I'm not making sense.



VyOS NAT Reflection directing all HTTP/HTTPS traffic to internal server.

Hi, I'm using VyOS 1.3, eth0 is my WAN port, br0 is my LAN port. When I configure NAT reflection to reach my website from my LAN using my WAN IP it does work, but causes *all* websites to direct to the web server on my LAN.

This page perfectly describes the issue I see but I can't work out how to translate the netgate instructions there into VyOS config: https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-reflection.html

Here's my NAT config, it's basically what the docs say to do (https://docs.vyos.io/en/latest/nat.html#hairpin-nat-nat-reflection):

    destination {
        rule 10 {
            description "SSH to server"
            destination {
                port 22
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.0.3
            }
        }
        rule 11 {
            description "NAT Reflection SSH"
            destination {
                port 22
            }
            inbound-interface br0
            protocol tcp
            translation {
                address 192.168.0.3
            }
        }
        rule 20 {
            description "HTTP to server"
            destination {
                port 80
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.0.3
            }
        }
        rule 21 {
            description "NAT Reflection HTTP"
            destination {
                port 80
            }
            inbound-interface br0
            protocol tcp
            translation {
                address 192.168.0.3
            }
        }
        rule 30 {
            description "HTTPS to server"
            destination {
                port 443
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.0.3
            }
        }
        rule 31 {
            description "NAT Reflection HTTPS"
            destination {
                port 443
            }
            inbound-interface br0
            protocol tcp
            translation {
                address 192.168.0.3
            }
        }
    }
    source {
        rule 100 {
            outbound-interface eth0
            source {
                address 192.168.0.0/24
            }
            translation {
                address masquerade
            }
        }
    }

Is it possible to configure NAT Reflection without it translating all internal sourced traffic in VyOS?



BGP and NAT advertisement

Hi all. I'm working in Packet Tracer on double NATing two networks with the same subnets. I'm using 2 routers on each subnet to do the NAT and BGP. Both subnets are being translated to different subnets. Both routers are using different BGP AS numbers. I'm using EIGRP for the IGP. I used a null route on the translated address subnet and then advertised it out BGP. However, when one side attempts to traverse the network using the destination translated address it drops the packet due to the null route on the opposite side. Here is the topology https://i.imgur.com/USsnhrm.png. Do you have any tips to get this to work? I'm translating the subnets when they reach their respective routers and then advertising the translated addresses out BGP.



How far should one aggregate a route table? [Network aggregation / summarisation]

Hello fellow network rats, I have a question regarding how far one should summarise a network.

According to our lovely professor the following network:

10.0.4.192 / 255.255.255.192
10.0.0.128 / 255.255.255.128
10.0.0.0 / 255.255.255.128
10.0.1.0 / 255.255.255.0
10.0.5.0 / 255.255.255.0
10.0.6.0 / 255.255.255.0
10.0.4.0 / 255.255.255.0
10.0.10.0 / 255.255.255.0
10.0.2.0 / 255.255.254.0
10.0.8.0 / 255.255.254.0

Will be summarised to:

10.0.0.0 / 255.255.252.0
10.0.4.0 / 255.255.254.0
10.0.6.0 / 255.255.255.0
10.0.8.0 / 255.255.254.0
10.0.10.0 / 255.255.255.0

after maximal prefix aggregation. Couldn't it be summarised to just 10.0.0.0/21?

I have a course in internet protocols and our lovely professor isn't answering questions so this is my last resort. Also if by any chance my professor is reading this; u mom a hoe



Cannot ping to switch external interface

I am having an issue with an L3 Switch in my project. This switch is not running VLAN just yet. All PCs are on the same subnet.

IN_PC1 can ping the other PCs connected to the switch but it cannot ping the switch's e0/0 interface. Shouldn't the PC be able to ping that interface too?

Topology

https://www.imgpaste.net/image/ORnAe

Running config

https://pastebin.com/fCfqKPbx



Alternatives to static alert thresholds?

I work as a network engineer for a regional ISP. We use Solarwinds NPM for our network monitoring system. One disappointing limitation with this system is the inability to build alerts on anything other than a static threshold. For example:

If an interface with a description containing "Backbone" is at 80% utilization, send alert.

For obvious reasons, this sort of static alerting threshold doesn't scale well. I would love to implement an alerting system that uses something like a standard deviation from an expected utilization level, or some other method for anomaly detection.

I'm curious - what have been other people's experiences with using static thresholds? How have you grown beyond using them? What tools do you use for this purpose?
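An added example (not from the post) of the baseline-relative alerting the post asks about, in Python: the same polled utilisation series are judged by the static "80%" rule and by a z-score against a trailing baseline of normal samples. The two series, the window size and the thresholds are constructed values chosen for illustration, not NMS data.

```python
"""Static threshold vs. baseline (z-score) alerting on interface utilisation.

Added example, not from the post. The two utilisation series and all
thresholds below are constructed for illustration, not real NMS data.
"""
from statistics import fmean, pstdev
from typing import List

STATIC_THRESHOLD = 80.0   # the post's rule: "at 80% utilisation, send alert"
Z_THRESHOLD = 3.0         # std devs from baseline that count as anomalous (assumed)
MIN_SIGMA = 2.0           # floor in percentage points so a flat baseline does not alert on noise

# Constructed samples: one reading per poll, percent utilisation.
# A backbone link that normally runs hot: a static 80% rule alerts on every poll.
BACKBONE = [84, 86, 85, 87, 85, 86, 84, 85, 86, 85, 87, 86]
# An access link that normally runs ~40% and then nearly goes quiet (e.g. an
# upstream fault): a static 80% rule never notices.
ACCESS = [40, 42, 41, 43, 39, 41, 40, 42, 41, 40, 3, 2]


def static_alerts(samples: List[float], threshold: float = STATIC_THRESHOLD) -> List[int]:
    """Indices of polls at or above a fixed utilisation percentage."""
    return [i for i, v in enumerate(samples) if v >= threshold]


def zscore_alerts(samples: List[float], window: int,
                  z: float = Z_THRESHOLD, min_sigma: float = MIN_SIGMA) -> List[int]:
    """Indices of polls that deviate from the trailing baseline by z or more sigmas.

    The baseline is the mean and population std-dev of the last `window`
    samples that were themselves judged normal; anomalous samples are not
    fed back into it, so a sustained change keeps alerting instead of
    quietly becoming the new normal. No alert is possible until a full
    window of normal samples exists.
    """
    alerts: List[int] = []
    baseline: List[float] = []
    for i, value in enumerate(samples):
        if len(baseline) >= window:
            recent = baseline[-window:]
            mu = fmean(recent)
            sigma = max(pstdev(recent), min_sigma)
            if abs(value - mu) / sigma >= z:
                alerts.append(i)
                continue          # keep the anomaly out of the baseline
        baseline.append(value)
    return alerts


def compare(name: str, samples: List[float], window: int = 6) -> None:
    """Print which polls each method would have alerted on."""
    print(f"{name}: static -> {static_alerts(samples)}, "
          f"z-score(window={window}) -> {zscore_alerts(samples, window)}")


if __name__ == "__main__":
    compare("backbone", BACKBONE)   # static alerts on every poll, z-score on none
    compare("access", ACCESS)       # static never alerts, z-score flags polls 10 and 11
```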



Tool for network summary analysis

Does anyone know of a Linux command line tool that can take multiple subnets (in standard or slash notation) and provide a summary based on a requested output mask length? For example, let's say I wanted to summarize the following networks to the nearest /16:

    10.1.1.0 255.255.255.0
    10.1.10.0 255.255.254.0
    10.1.50.1 255.255.255.255
    10.2.1.10 255.255.252.0

I would want the tool to output 10.1.0.0 255.255.0.0 and 10.2.0.0 255.255.0.0.

Thanks!
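An added example (not from either post) that covers both this tool request and the summarisation question above, using only Python's standard library: the exact (maximal) aggregation of the ten prefixes the professor listed, a check of what a coarser summary such as 10.0.0.0/21 would advertise beyond the listed space, and the round-to-a-requested-mask summary this post asks a tool for. Function names are my own; the two input lists are the ones quoted in the posts.

```python
"""Prefix aggregation and mask-length summarisation with the standard library.

Added example, not from either post. Function names are my own; the two
input lists are the ones quoted in the posts.
"""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network

# The ten prefixes from the summarisation question, as written there.
PROFESSOR_LIST = [
    "10.0.4.192 / 255.255.255.192",
    "10.0.0.128 / 255.255.255.128",
    "10.0.0.0 / 255.255.255.128",
    "10.0.1.0 / 255.255.255.0",
    "10.0.5.0 / 255.255.255.0",
    "10.0.6.0 / 255.255.255.0",
    "10.0.4.0 / 255.255.255.0",
    "10.0.10.0 / 255.255.255.0",
    "10.0.2.0 / 255.255.254.0",
    "10.0.8.0 / 255.255.254.0",
]

# The four networks from the tool request (address followed by dotted mask).
TOOL_LIST = [
    "10.1.1.0 255.255.255.0",
    "10.1.10.0 255.255.254.0",
    "10.1.50.1 255.255.255.255",
    "10.2.1.10 255.255.252.0",
]


def parse_prefix(text: str) -> IPv4Net:
    """Accept 'a.b.c.d / mask', 'a.b.c.d mask', 'a.b.c.d/len' or a bare host.

    Host bits are zeroed (strict=False), so '10.2.1.10 255.255.252.0'
    becomes 10.2.0.0/22; a bare address becomes a /32.
    """
    parts = text.replace("/", " ").split()
    if len(parts) == 1:
        return ipaddress.ip_network(parts[0], strict=False)
    address, mask = parts
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def aggregate_exact(prefixes: Iterable[str]) -> List[IPv4Net]:
    """Maximal prefix aggregation: the fewest supernets covering exactly the
    same addresses as the inputs (nested prefixes are absorbed, adjacent
    equal-sized prefixes are merged, repeatedly)."""
    return list(ipaddress.collapse_addresses(parse_prefix(p) for p in prefixes))


def summarise_to(prefixes: Iterable[str], prefixlen: int) -> List[IPv4Net]:
    """Round every prefix up to its /prefixlen supernet and deduplicate.
    A prefix already shorter than /prefixlen is kept as it is."""
    out = set()
    for p in prefixes:
        net = parse_prefix(p)
        out.add(net.supernet(new_prefix=prefixlen) if net.prefixlen > prefixlen else net)
    return sorted(out)


def over_advertised(candidate: str, prefixes: Iterable[str]) -> List[IPv4Net]:
    """Address space a proposed summary would cover that is NOT in the inputs.

    An empty result means the candidate is a faithful summary; anything
    returned is space the router would attract traffic for without owning it."""
    remaining = [ipaddress.ip_network(candidate)]
    for net in aggregate_exact(prefixes):
        next_remaining = []
        for chunk in remaining:
            if net.subnet_of(chunk):
                next_remaining.extend(chunk.address_exclude(net))  # carve it out
            elif chunk.subnet_of(net):
                pass                                               # fully covered
            else:
                next_remaining.append(chunk)                       # untouched
        remaining = next_remaining
    return sorted(remaining)


if __name__ == "__main__":
    print("exact aggregation:", [str(n) for n in aggregate_exact(PROFESSOR_LIST)])
    print("10.0.0.0/21 would also cover:",
          [str(n) for n in over_advertised("10.0.0.0/21", PROFESSOR_LIST)])
    print("nearest /16:", [str(n) for n in summarise_to(TOOL_LIST, 16)])
```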



Reading Cisco Press / networking technical books

Hello all,

How do you guys stay concentrated while reading Cisco Press books? Do you read them like a novel cover to cover, do you read while taking notes, or do you use them periodically like a dictionary to get specific information?



Disable IGMP Snooping on a VLAN with VPC and HSRP Running

Hi all, We’ve purchased a new redundant NAS storage system and the vendor has asked that we configure as follows:

“Multicast must be permitted on Storage VLAN that the NAS servers communicate on. IGMP Snooping must be either disabled OR if enabled, must have a querier”

I'm running HSRP on this VLAN and also using VPC to connect between our two Nexus 93180YC-FX switches and the NAS servers.

If I disable IGMP snooping on just the storage VLAN, is this going to adversely affect HSRP or VPC?

Thanks all!



Avoiding Conflicts in a Mobile Environment

Our AV equipment gets moved to different venues and thus has different WAN networks it is plugged into for internet, hardly ever having a public IP. A Ubiquiti EdgeRouter acts as a firewall, DHCP server, WireGuard VPN, and allows routing between the internal subnets. The problem is when the WAN network (typically a convention center or university) conflicts with one of our internal networks, it wrecks the routing table as both networks are directly connected. Is there any way to avoid routing conflicts in these situations?

I've avoided common default networks (192.168.1.0, 10.0.0.0, etc.), but occasionally it does conflict. I'm currently using 192.168.10.0-192.168.40.0 (all /24), and that is usually good. I wanted to transition to 10.100.0.0-10.200.0.0 for other reasons, but those I've found are even more common.

One way could be to double nat with a consumer router upstream of the Edgerouter, but this is kludgey and confusing in most cases.



New router & old switches/VLANS. Previous router I could assign an IP to a port; not this one. Can I solve this with a static route?

Having trouble wrapping my brain around this.

Old setup:

Switch port1 on VLAN0 (data) for 192.168.0.xxx plugging in to router port1 defined as 192.168.0.1

Switch port2 on VLAN1 (voice) for 192.168.1.xxx plugging in to router port2 defined as 192.168.1.1

New setup:

Switch port1 on VLAN0 (data) for 192.168.0.xxx plugging in to Fios G3100 (This seems very residential for a small business device)

G3100 set as 192.168.0.1 and gateway for the network... no option to define its eth ports differently.

Switch port2 on VLAN1 (voice) for 192.168.1.xxx won't go anywhere on the G3100

The G3100 has an option for entering static routes. The switches do too (Dell PowerConnect 6248). I'm not sure what to do or where to do it.



HP 8G SFP+ compatible with Mikrotik 10G SFP+?

Hello,

I'm shopping for 10G SFP+ modules and I was trying to find cheap alternatives to go with.

I've found these: HP AJ718A 8Gbps SFP+ which cost almost nothing.

I've looked around and I think these are not compatible with 10G SFP+ modules, am I right?

I'm just hoping someone can let me know if I'm right or if there is a possibility of it working!

My Mikrotik switches are:

- CSS610-8G-2S+IN

- CRS328-24P-4S+RM

I'm very new to this SFP+ and fibre networking world so I'm hoping you can help me!

Thanks,

Have a great day!



CentOS as a VPN gateway

Anyone got a how-to link to setting up a CentOS server as a VPN (IPSec) gateway to the internet? (Strongswan or similar)

I need to make a CentOS server into a simple VPN gateway and connect to it with a router over IPSec.

I'm awesome at VPNs and Networks but not good at Linux.



Friday, December 4, 2020

RJ45 SFP+ Transceiver Brand Compatibility

As far as I know SFP+ is supposed to be a standard with compatibility within its form factor. But, from my research each brand codes theirs so that they are incompatible with other brands.

I've quite a few QSFP+ and SFP+ cards and I'm trying to figure out the best way to move forward with them.

I've quite a few HPE 779793-B21 546SFP+ network adapters and I'm trying to find a low-cost solution for getting 10GbE going.

Closest thing I found brand new was via FS with their HPE 813874-B21 Compatible 10GBASE-T SFP+ Copper RJ-45 30m Transceiver Module (https://www.fs.com/products/89562.html). Manufacturer direct is $625, which is crazy expensive. The cheapest I've found brand-new is $45, but it's via sfpcables.com and I'm not familiar with their quality.

I noticed that fiber modules are relatively inexpensive and seem to have a surplus while RJ45 are a bit pricey.

Anyone have insight into sourcing these modules?



Should I switch from SonicWall to FortiGate?

For more than a decade I have been working primarily with SonicWall so I know them very well. I also know their problems. We are coming up on a hardware refresh and are being pitched a FortiGate 201F from our preferred vendor. I have some issues with our current SonicWall, namely that the SSL VPN (Mobile Connect) is awful. NetExtender is fine but it routes internally whereas Mobile Connect goes public for split DNS (preferred). It also has horrible throughput when going across sub-interfaces (VLANs) and we go from about 130MB/s to 30.

Having no experience with FortiGate I am hesitant; I'm sure they have their issues just like SonicWall, so I'm looking for some feedback.



Initial configuration done on a bench, or fully deployed in-rack?

I'm curious what process folks use to deploy new hardware: Do you do all of the initial configuration via console on a lab bench while disconnected from the network, or do you prefer to rack and connect all of the physical layer first and THEN do the configuration? Or plug in one ethernet and then do all configuration via SSH?



Aruba S3500 IGMP Snooping Issues.

I realize this post may violate Rule #1 as it has to do with a network I use in my "home" but regardless I am posting as I hope this may eventually help someone else in a similar situation as I have been unable to find *any* information on this topic as it has to do with Aruba switches that are EOL/EOS.

I have a pair of switches, Aruba S2500 and S3500 connected via a LACP Port channel. Plugged into the S2500 is a TiVO DVR and into the S3500, is a pair of "TiVO MINI" boxes that rely on multicast to work properly it seems.

Anyway, to cut to the chase: The Aruba S2500 and S3500 seem to come with IGMP Snooping enabled by default on VLAN1. I've spent *hours* reading through crappy HP documentation for newer models of Aruba switch that does not match the commands for the S3500 or the S2500; since these are "end of support" devices, HPE no longer even has configuration PDFs available from what I can tell.

The issue is: If I disable IGMP Snooping v3 and then turn it back on, the TiVO Mini boxes connect, and they can pick up the stream from the main DVR on the 2500. However, after a short while, they stop streaming and it seems the only solution is to remove the IGMP VLAN Policy from VLAN 1 and then re-add it, and Bam, it starts working again for a short while.

Is there a way to completely disable IGMP Snooping? should I be configuring it differently? I'm sure I'm overlooking something simple, but it seems setting the policy to "no snooping" and "no snooping v3" turns it off, but again, the "Mini" boxes cannot connect until I turn it on and wait for the IGMP table to show data again.

Does anyone have documentation and/or a configuration guide on IGMP for the Aruba 2500/3500 series? or any info on how to work around this?

Thanks.

EDIT: In case this helps, here is the output of the current IGMP Membership:

    -----------------------------------------------------------------------------------------
    (ArubaS2500-1) #show igmp-snooping membership

    IGMP Snooping Multicast Membership
    ----------------------------------
    VLAN Group           Port     Expiry   UpTime
    ---- -----           ----     ------   ------
    0001 224.0.0.251     Pc1      00:00:00 12:02:22
    0001 224.0.0.252     Pc1      00:00:00 12:02:22
    0001 224.0.0.253     Pc1      00:00:00 12:02:23
    0001 233.89.188.1    Pc1      00:00:00 12:27:17
                         GE0/0/0  00:02:19 12:27:17
    0001 239.255.255.250 Pc0      00:03:52 12:27:17
                         Pc1      00:00:00 12:27:18
                         GE0/0/4  00:02:20 12:27:18
                         GE0/1/0  00:02:17 12:27:15
    0001 239.255.255.253 Pc0      00:02:19 12:27:17
                         Pc1      00:00:00 12:27:17
    -----------------------------------------------------------------------------------------
    (ArubaS3500-48T) #show igmp-snooping membership

    IGMP Snooping Multicast Membership
    ----------------------------------
    VLAN Group           Port     Expiry   UpTime
    ---- -----           ----     ------   ------
    0001 224.0.0.251     Pc0      00:00:00 11:57:38
    0001 239.255.255.250 GE0/0/36 00:03:29 12:26:09
                         GE0/0/45 00:02:59 12:26:08
                         GE0/1/1  00:03:35 12:26:04
                         Pc0      00:00:00 12:26:09
    0001 239.255.255.253 GE0/0/36 00:03:32 12:26:00
                         Pc0      00:00:00 12:26:00



How do you document all the things that need to be done when a new network is provisioned?

Title. We're trying to put better process around when we stand up a new internal IP range. The list seems endless and complex. Need to add it to any number of systems for scanning, AD Sites and Services, internal routing, DNS, DHCP, PAC file entries. Does it have a public gateway? Register it with X, Y, Z public providers as being part of our network.

This is just scratching the surface. We tend to always forget SOMETHING when provisioning a new network, and it is often found months after the network is in use and either tickets are re-routed eternally or users just deal with a bad experience for a while.

We'd like to work toward getting it right the first time. I think we can gather most/all of the THINGS that need to be done, but how do we put this data to use and make it effective to consume?

  • Wiki/KB documentation listing everything?
  • ServiceNow/ITIL workflow?
  • Something else?

How are other enterprises approaching "new network onboarding"?



Bizarre PSK Issue (Aruba)

Currently running Aruba Campus AP's and Switches. Dual Mobility Master in cluster with dual Mobility Controllers in cluster. Public School with 1-to-1 Apple iPads managed under MDM. Users have a WPA2-PSK pre-loaded on their device. Clients can connect and roam to majority of devices.

HOWEVER, some devices are not able to connect to certain AP's. Not that the AP's won't accept ANY clients. They have each decided to not accept certain clients.

For example Clients A, B, and C cannot connect to AP-1. But, they can connect to AP-2, AP-3, etc...

Clients D, E, and F cannot connect to AP-2. But, they can connect to AP-1, AP-3, etc...

And so on...

Not all clients experience the problem and not all AP's demonstrate the problem. No clear pattern between clients and AP's. Once the problem occurs, it persists indefinitely (weeks so far).

I have confirmed the PSK is correct. When failing to connect the client device reports that the PSK is incorrect and the AP reports PTK Challenge Failed. Initially the problem was only reported on iOS devices. iOS devices are the VAST majority of our Wifi clients. However, an Aruba (Cape Networks) UXI sensor is now showing the problem.

I have checked coverage, channels, and interference.

Offending AP's are running identical configurations and connected to the same controllers as the non-bugging AP's.

OKC, Validate PMKID, 802.11k/v/r have all been turned on/off in various combinations to no effect.

I created a new, different WPA3 SSID with a different PSK. Bug persists.

We have been using AP-515's but yesterday we had some of them changed out for AP-555's. Once provisioned, some, but not all, of the 555's are demonstrating the bug.

I have a ticket in with TAC, who seem stumped and have escalated the issue as a possible "future firmware patch." I've only been Tech Director since June, when does the internal screaming stop?



I wrote a comment up on macOS tools for neteng. Thread was locked. Here you go instead.

By the time I was done writing the comment, the post was locked. I hope these recommendations are helpful to someone. They reflect a small glimmer of years of careful tool crafting.

Generally, prefer learning standard UNIX tools over OS-specific ones unless there's a clear advantage.

macOS-specific tools:

  1. iTerm2 - much nicer than terminal. Learn its features
  2. Serial App - Great serial console. You can use screen or other CLI tools, but I so rarely need to use a serial console that having a GUI makes it a lot less mental burden.
  3. Homebrew - A package manager. Purists may want to use macport instead.
  4. Copy 'Em - A clipboard manager with paste history, search, and favorites. I have it set to always strip formatting when I paste.
  5. Magnet - A window tiling tool. Map it to easy-to-remember shortcuts and use it to position your windows different ways to use up all the screen.
  6. Not a piece of software, but remap the caps lock key to escape (no software required, it's in system preferences). You need to use the escape key in vim and lots of other places, but rarely benefit from caps lock. Even if they hadn't taken away the physical escape key, I would still do this.

UNIXy stuff:

  1. brew install vim arping coreutils fping git ssh-copy-id pwgen tcptraceroute telnet nmap watch mtr
  2. Learn to configure you ssh client and shell environment to make routine things easier
  3. Use zsh + oh-my-zsh
  4. Learn vim. Start configuring vim. Start using vim plugins.
  5. macOS has a builtin TFTP server. Plop files in /private/tftpboot and launch the server
  6. pbcopy and pbpaste are built in. Use them

    # traceroute with ASN lookup and pipe output to clipboard. BSD-only option for ASN.
    traceroute -A example.com | pbcopy

    # iterate over items in your clipboard (e.g., a list of hostnames
    # you copied from your NMS). -z only checks that the port opens,
    # so the loop does not sit waiting on stdin for each host.
    for host in $(pbpaste); do
        nc -vz "$host" 22 || echo "Can't connect to $host"
    done


Need help with a question about remote desktop gateway across a network

Ok so I am working on a project for school where my group is designing and implementing a solution for a made-up company. The network is almost entirely virtual in VMware and connects to the school's internet. Due to certain rules and requirements we are limited on certain actions. I will explain the problem I am trying to solve.

I have a virtual router connected to the school's network, which is where I work from (we NAT to this network and it is treated like the internet, but obviously it's not). The router connects to a physical network (which will be ignored for this problem), a group of subnets for host VMs and a services network. I have a Windows server with an RDP gateway as a possible way to allow users in the school network to remote into the host VMs, but I cannot get it to work. The problem is the cert (self-signed, which I was able to add to the trusted root certs on the client machine) does not match the gateway IP in the client computer, because I have to use the WAN IP to reach the server since the domain is private, so the FQDN won't work and the routes are also not advertised to the school's networks (it is treated like the internet basically).

My question is what is the best way that you know of to accomplish remote access to the host VMs? Can I make my private DNS advertise to this network somehow, or perhaps make the WAN IP port forward to it, so that either the RDP client can connect to the gateway without an issue or route the client DNS to my server? Maybe I can set up my router as a DNS and list it as the client's DNS? I have tried a lot of things and I keep running into solutions that would require either a direct server connection to the internet (not allowed), a public domain (not applicable), or 3rd-party certs (not really in the scope of the project, and they require a public domain).

Other notes: RDP works if I just port forward to an individual host.

I tried to edit the client hosts file but do not have permission.

I am not a professional but am a student so some obvious things may not be obvious to me.

Sorry if this is a bit jumbled but I am having more trouble than I thought I would and have gone a bit loopy after messing with this the past few days.

Any suggestions or ideas are welcome; thanks for your time and help.



Networking Career Question

Do Network Administrator or Engineering jobs require lots of standing and walking? I'm curious because I'm interested in entering this field but need a job that's mostly sitting down, as I have arthritic knees and gone through multiple surgeries the last few years.



Best network engineer tools for MacOs

Hello,

I just received my first new MacBook. Can you advise me on the best tools you are using in your networking job?

Thank you



Need Help with DNS

So here is my current setup:

I have a production server named Server A at 192.168.1.2. It currently has a CNAME of server.company.com associated with the A record.

All clients connect and use the CNAME for connectivity.

Here is what I want to do:

The server has a second NIC. I would like to assign the second NIC an IP address on a different VLAN. Both VLANS can talk to one another.

Can I assign the same CNAME of server.company.com to this second IP address?

Is it possible or is there a better solution?



Setting up a Proxy Gateway with 1 server that forwards requests to other servers?

Hello. So I'm not sure if what I'm about to describe is a "Virtual private network", but essentially what I would like to achieve is the following:

Let's say I need to set up microservices. We need 1 gateway that is public and is accessible to any other host that wants to make a request or connection to it; this would be the "proxy" that takes in requests. This proxy would or could have an authentication server set up so it'll check if the user is authenticated, or have them authenticate so that a session is created.

Every time they use our client (our frontend app or if they want to make a request to our API), we would check the credentials at the proxy level, and if it's valid we'd forward the request straight to our "microservices", which would be apps that sit behind a firewall or in the private network that is only accessible from the gateway server.

If this is so, is it a recommended way to set up your own microservice architecture? Is it a good idea to have 2 servers, one with a firewall that only allows HTTP(s) to the IP of the gateway, so that no one else can target it directly?



How to face a DNS poisoning problem?

Hi there,

My company has a domain that some DNS servers in the world can't resolve correctly. I thought that the pyramidal structure of DNS would cure itself after some time, but it didn't.

We have found some DNS servers that resolve our names wrongly, and we'll alert their owners... but we can't be sure that they will listen to us and can't be sure that they are the only poisoned DNS servers.

What can we do?

What I can say is that my on-premise DNS servers are OK and my authoritative DNS servers are OK too...



Cisco PoE Question - Not able to support PoE on all ports

Hi,

This may be a fairly well known thing...

Cisco 2960 16-port PoE switches have a total PoE capacity of 120W, so 120/15.4 = 7.79, which means a 16-port PoE switch can actually only support a maximum of 7 APs in this case?

The switch reports 15.4W per port being used by the AP, or is this a default reporting thing as the device has a max draw of 15.4W?

    Interface Admin  Oper  Power   Device              Class Max
                           (Watts)
    --------- ------ ----- ------- ------------------- ----- ----
    Gi0/1     auto   on    15.4    AIR-CAP2602I-E-K9   3     30.0
    Gi0/2     auto   on    15.4    AIR-CAP2602I-E-K9   3     30.0

TL;DR - Can I run more than 7 APs on one of these switches, as in the real world each AP won't actually draw the full 15.4W?



Is there a way to determine if tcp retransmissions originated in the wireless side or wired side?

Wireshark captured from a pc connected to a switch is showing tcp retransmission followed by RST for wireless clients.

I would like to know whether the retransmission is on the wireless side or the wired side.

Would I see wifi retransmissions from a wireshark capture taken while connected to a switch via an ethernet cable?

Thanks



Can you power on (WoL) machines at the office from behind the VPN?

Or are your users happy with laptops and do not need to connect to their office PCs remotely?
Users from our company for such a scenario are devs and finance gals. For energy saving and security reasons (fire risk), we do not want to leave their PCs on over the weekend or during the night.



Loop in the cross connect if nothing is connected to the port?

Hi all,

We came across some strange cases on our DC Cisco devices when nothing was connected to the port, but the interface was left in admin up state. There were signs of a network loop: we got MAC-move alerts on switches, and on routers the routing protocol got back its own system ID. These did not happen at once, but from time to time we face some strange behaviour, and it disappeared without any intervention.

Do you think that the DC provider is able to loop the lines if it is not connected to anything? Have you met anything similar?

I did not hear anything from the DC yet that could cause this and to be frank it is hard to put the whole thing in words and find the right question to ask.



Cisco Cat 9500 - Stackwise Virtual

Just looking to see if someone can confirm something, I have been looking over info about stackwise virtual and it only seems to mention between 2 switches.

Is that 2 switch stacks or just 2 singular switches?



Netpalm - Open Source ReST API broker for your dusty old network devices Updates

Hey networkers,

Thought I'd share some updates on a small open source networking project, netpalm.

https://github.com/tbotnz/netpalm

Haven't heard of Netpalm? It's an async ReST broker for most network devices ( supports telnet/ssh/rest/restconf/netconf/snmp southbound ). The goal of netpalm is to provide a flexible and scalable API layer between your network and systems.

Some of the new features are:

  • webhooks
  • service template nesting
  • SNMP Support
  • scheduling of any job ( act as a poller )
  • multi mastering of the controllers
  • included example webhooks for ServiceNow and ElasticSearch
  • admin ui also available

We also run a channel #netpalm on the networktocode Slack. Feel free to join us!



Cheap SFP+ 10Gbit switch

Hello,

As in the topic, I'm looking for a cheap SFP+ 10Gbit switch, 24 ports max (only a few of them will be used, but it will be future-proof).

I used a Cisco Small Business SG350X-24P switch; they're fairly cheap, but I had a lot of bugs & problems with this switch, so I'm looking for some alternative in a similar price range (maybe something from Extreme Networks or Ubiquiti, because I never had any possibility to work with them).



Thursday, December 3, 2020

Subnetting

Hey guys, I'm not sure if this has been answered before but I'm studying for my CCNA so go easy on me.

Is the sole purpose of a subnet mask to indicate the network and host part of an ip? My brain smol trying to understand this.

Also is the OSI model still relevant today even with the tcp/ip model being used?



Trying to rack my head over how to configure this topology properly. I'm attempting to create a wireless access point to connect devices in Packet Tracer, but running into issues with how DHCP assigns IPs to clients on the other side of the access point.

Topology: the red circle is the part of the network I'm having difficulties with. The random IoT devices are to demonstrate what I would be connecting wirelessly; the laptop is to troubleshoot DHCP through the AP.

This is me explaining what I'm doing/conceptualizing my thinking. A tl;dr is at the bottom for the main problem I'm facing. I need to use Packet Tracer though as a requirement (it's a class project) above all else.

I have a distribution layer of switches (3560's in a Port-Channel w/ LACP) which I was wanting to attach to a L2 switch to one of them via a trunk. The DLS switch is running DHCP for the access network, I (wrongfully) thought that the DHCP packets from my client devices would seamlessly pass through the light weight access point, but that was not the case and why I'm here.

My initial design idea was to have all my IOT wireless devices be in the 172.16.10.0/24 subnet on VLAN 10. This is me trying to isolate IOT devices from the rest of the network.

I tried to use the Home Gateway instead, but it wants to distribute a private class C network to clients and have 172.16.10.0 be the internet.

My ultimate goal is to have IoT devices in an isolated VLAN 10, while having the IoT server in the 209.10.11.1 network as a representation of an external network the IoT devices phone home to.

tl;dr: I have the configured wireless LAN controller, and the accompanying Light weight access point (LAP) is registered with my DHCP server. However, clients connecting to the LAP are not obtaining an IP from the DLS DHCP server, but the LAP does receive a DHCP address. Goal is to have IOT devices communicate with server in the 209.X.X.X network

Configs, DHCP server (DLS switch) and access switch:

    !
    hostname DLS2
    !
    ip dhcp excluded-address 172.16.10.1 172.16.10.10
    !
    ip dhcp pool IoT
     network 172.16.10.0 255.255.255.0
     default-router 172.16.10.6
     option 150 ip 172.16.10.8
    !
    ip routing
    !
    port-channel load-balance src-dst-mac
    spanning-tree mode rapid-pvst
    !
    interface Port-channel1
     switchport trunk native vlan 666
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport nonegotiate
    !
    interface FastEthernet0/1
     switchport trunk native vlan 666
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport nonegotiate
     channel-group 1 mode active
    !
    interface FastEthernet0/2
     switchport trunk native vlan 666
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport nonegotiate
     channel-group 1 mode active
    !
    interface FastEthernet0/3
     switchport trunk native vlan 666
     switchport trunk allowed vlan 10,20,40
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !
    interface Vlan1
     no ip address
     shutdown
    !
    interface Vlan10
     mac-address 0050.0f26.2701
     ip address 172.16.10.6 255.255.255.0
    !
    interface Vlan20
     mac-address 0050.0f26.2702
     ip address 172.16.20.6 255.255.255.0
    !
    interface Vlan40
     mac-address 0050.0f26.2703
     ip address 172.16.40.6 255.255.255.0
    !
    router ospf 1
     router-id 5.5.5.5
     log-adjacency-changes
    !
    ip classless
    !
    end

    !
    hostname ALS1
    !
    spanning-tree mode rapid-pvst
    spanning-tree extend system-id
    !
    interface FastEthernet0/1
     switchport trunk native vlan 666
     switchport trunk allowed vlan 10,20,40
     switchport mode trunk
     switchport nonegotiate
    !
    interface FastEthernet0/2
     switchport access vlan 10
     switchport mode access
    !
    interface FastEthernet0/3
     switchport access vlan 10
     switchport mode access
    !
    interface FastEthernet0/4
     switchport access vlan 10
     switchport mode access
    !
    interface Vlan1
     no ip address
     shutdown
    !
    interface Vlan10
     mac-address 00d0.bae7.5701
     ip address 172.16.10.7 255.255.255.0
    !
    interface Vlan20
     mac-address 00d0.bae7.5702
     ip address 172.16.20.7 255.255.255.0
    !
    interface Vlan40
     mac-address 00d0.bae7.5703
     ip address 172.16.40.7 255.255.255.0
    !
    ip default-gateway 172.16.10.6
    !
    end

Sorry for the imagebb link, imgur stopped working for me.

Here are the images of the WLC configs,



Fortinet Fortiwan replacement

Hi networking!

Can someone recommend an appliance that will replace my FortiWAN? This appliance load balances multiple ISPs together for our data center. It also is a split-brain DNS. We don't use too many of its features, so the new appliance can be pretty basic.



Starting to get burnt out in this field.

I don't know about you guys but I got my start in networking by getting certs and labbing out all night and then going to work for fun, and I'm pretty good at it and have learned a lot. I've only been in this engineering role for 10 years but I am honestly starting to get tired of this field and considering doing something else because I'm typically exhausted when I get off with all the hours. I feel like all those years of studying led to a high paying job that I'm still very successful at but at some point I might get out. These days I no longer even do anything IT related in my time off and do other stuff. I am just ranting lol. Always make sure you do other stuff in your free time. Today I just worked a 9 hour shift and have more work tonight for a maintenance. If I don't get out I might look for another shop that has a smaller network that's less intense with a more focused role. I do a variety of things such as manage the network, phone system, wireless and even some small firewall related tasks (we have a security team for that). How about you guys?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Geolocation issue

Hi folks!

We are working with GTT as a broker to provide DIAs for our offices, we recently purchased a circuit in the US. We're a Dutch based company.

I don't know how the order process works via a broker for new lines, but my colleagues using the line in the US are now geolocated in the Netherlands, hence receiving their Google search results in Dutch and getting geo-block restrictions on US based websites because they appear as European...

I have opened 3 tickets with GTT; they closed each ticket saying they fixed the problem in ARIN, but they couldn't tell which geolocation provider the network provider was using, and that it could take a week, a month or even never happen. I have escalated the issue but after a month it's going nowhere. To me it sounds like BS: they work with providers so they should try to contact them, so they can at least know which geo DB they are using and contact the DB folks to have them fix the issue. The US provider is L3.

Any tips?



Self study or guided network Automation with lab access

Self study network automation course with lab access. Anyone know of a place that provides self study and guided labs to play with network automation? I have no problem paying for it, I just want to dive into a sandbox environment to play with it.



Can we use newer D model transceivers on our older 5406zl v2 Aruba switches?

We are still rocking some 5406zl v2 switches at our core and are looking to add some 10G interfaces, however only the newer J9150D, J9151E, J9153D are for sale currently. Can we use the newer modules in our older Aruba switches?



How do you handle server security?

As the title suggests, how do you typically handle server security in your environment? Specifically in small/medium environments for customers who have the typical ISP > Firewall > L3 switch and an AD server and a file server. Typically I just put the servers on their own VLAN and restrict anyone on site from admin rights, but I've been wondering if I should be creating ACLs to limit only needed traffic (389/53/3389) instead of keeping things wide open.



What kind of routers run the internet?

Admin, if this is the wrong subreddit for this question please delete it.

I was wondering, what kind of routers does the internet run off of? What type of interface is the cabling? I assume it's not SFP. I tried googling but my search terms just brought back router ads.

Specifically I want to see the switches where all the routers for the backbone connections are.

If anyone can give specific info so I can google it, that'd be rad. Pictures even cooler.

Thanks in advance,

blu



Visio drawing with automatic device connections

Hi,

I have made a visio drawing with network devices and connected the ports using the connector tool.

Is it in any way possible to get visio to automatically make a table of all the connections?

On all stencils I have filled in the shape data with names and device model.

It would be nice if Visio supported automatically generating a cable map/table.



Setting up the net in the digital classroom of a school.

Hi there. I was handed the task of wiring the brand new computing classroom of an elementary school while the kids are away due to the pandemic, mostly because I am the only person known to them that knows the difference between wifi and carrier data. They are going to get 30 computers (31 counting the teacher's one) and want them all hooked up to the school's internet connection.

Right now the school only has the ISP-provided Nokia 7368 ISAM ONT G-240W-B router. According to the principal we can negotiate more bandwidth with the ISP if the case calls for it. Because the school does not need anything fancy (and has a limited budget), my idea is to bring an ethernet cable from that up to the computer classroom into an unmanaged 48-port network switch, like the TP-LINK SG1048.

I am also considering adding school-wide wifi support. Because, again, the school does not need anything fancy and expensive, I found in a local electronics brand this Steren COM-8200 2.4GHz repeater. Because it has a 19 meter range (at least according to the page) I found using the building blueprints that only 4 can cover the entire area. I was thinking to use one of the free remaining ports on the switch to give data to the first repeater, and then daisy-chain the rest, but I'm also considering hooking the first one wirelessly to the modem.

Here is a quick diagram of what I'm planning to do. let me know what do you think.



Ios-xe 16.12 - dot1x and still use ibns?

Hello dear network Enthusiasts

I would be curious if your dot1x deployment on ios-xe 16.12 still is done in ibns2.0 style?

I went over the config guide for dot1x and IBNS is not mentioned at all. And as far as I see there is no need anymore for IBNS styled config?



Short cable runs and NEXT

Just need confirmation that a short cable run could be causing NEXT and/or Return Loss.

Running out of ideas, I'm going to test it by pulling a 10m link in, anyone got any ideas.

Has been retermed multiple times

The run is 5.3m (cab link) going into Excel Cat6a cassettes



Help with Firewall rules of Oracle Instance.

Hi everyone. I'm trying to set up a proxy on a remote server (Oracle Free tier VM, Ubuntu Focal 20.04). I can't understand how to open a specific port to the VM. I already made an iptables rule on the VM (also the input default action is set to accept), I did add the port I want to open in the security list of the server, but if I run a port scanner, the port is shown as closed. Based on this diagram, it seems like I have all the requirements to make the server visible to the internet and the ping/SSH rules do work (by requirements I mean public subnet with a public IP address, internet gateway, security list and all that). Screenshot of the firewall tab: https://imgur.com/yzPRmA5 (apologies for the language).

Ps. i know there is an Oracle Cloud subreddit but it seems a bit dead.



Patch Labelling Printer

Morning guys,

Wondering what people’s recommendations are for label printers, looking for ones that could do a simple wrap around, I’ve been looking at the DYMO XTL 300 or the Panduit MP300E

Also what are your best practices with label formats? I was thinking having the below layout on our labels

End A To: sw1 gi 1/0/38 From: r2 gi 1/0/1 2m (length)

End B To: r2 gi 1/0/1 From: sw1 gi 1/0/38 2m (length)

Thanks in advance!!!



Wednesday, December 2, 2020

Pearson Network Simulator

Is the Pearson Network Simulator no longer available to the public or am I being premature? The new version is copyright 2021, but it's marked "Not for sale" - with copies available for media, instructors, etc. Another site had it available for "Instructors" and "Students" - both Pearson sites.

Does anyone have any information on this (or a similar, competing package with a lab and sim?). How about opinions on a text to buy with the best labs for the CCNA 200-301?

Thank you!



Nokia 7210 SAS-D Management Interface Configuration Question

Hey All,

I'm having a really hard time configuring a management interface on a few of my 7210 SAS-D (and Dx).

I have all my ports Op Up, and Admin Up'd, and have it set in the bof:

 primary-image cf1:\both.tim
 primary-config cf1:\config.cfg

uplinkA Port Settings:

 uplinkA-port 1/1/10
 uplinkA-autoneg
 uplinkA-duplex full
 uplinkA-speed 1000
 uplinkA-address 192.168.1.171/24
 uplinkA-vlan 0

System Settings:

 wait 3
 persist off
 console-speed 115200

no console-disabled

But, I cannot ping the MGMT interface from the same LAN. I've been reading over the Docs, but I seem to be missing something.. Any ideas? :-)



Guest Wifi on a different subnet?

It will be pretty hard to word things because I don't know the full picture, as I just barged in half way through, but I went to this company as an intern for study and the task is they want to set up a Wi-Fi guest network. They probably thought I'm a free Cisco expert for some reason who would solve their issues right away.

There's Cisco 350x (192.168.255.254) as the main switch (which has a backup stacked) and the Aruba AP (192.168.255.84) which distributes the Wi-Fi company workers use.

There are several VLANs:

192.168.55.0 through 192.168.175.0 are used as subnets for different divisions (planning, soft dev etc.)

192.168.255.0 is the main Wi-Fi network which workers use for their devices through Aruba's AP device.

192.168.200.0 (specifically 192.168.200.100 ~ 192.168.200.200) <--- is reserved for guest wifi network.

I've double checked the windows 2016 server and DHCP server. The scopes seem to be written correctly.

The cisco DHCP server isn't used and is relayed. The VLANs are configured in the cisco interface.

Every other VLAN, aside from 200, has devices listed under Dynamic Addresses in the MAC Addresses Table tab in the cisco GUI.

I don't have enough knowledge about the ports, trunked, tagged and such and no idea if it comes to play.

---The task is to configure a guest AP with the range of 192.168.200.100~200 (and is it even possible to begin with since its a different subnet?)

The problem is that the Windows DHCP server doesn't want to give out IP addresses for the 200.0 subnet since it's different from the 255.0 one and I can't seem to make it work. When I try to connect my phone via DHCP the IP for my phone is shown as 0.0.0.0 in the Aruba web interface.

If I set it to static and connect it, it manages to connect but it says internet isn't available and there's no connection.

I've tried to set up the Aruba DHCP server but it just gives me "ip-range is too small or mis-aligned and can not be used with client count 250".

p.s. I have access to the Cisco 350x via terminal but I can't reboot it since all the work in the office would be halted.



rConfig supported devices?

I went through several Google search pages but couldn't find any list of vendors that are supported by rConfig. I'm looking to implement a free configuration management application in my company. We've got Palo Alto, Checkpoint, Cisco Nexus and Cisco WLC mainly. Additionally, if it supports EMC storage and Brocade SAN switches it would be great, but at least networking equipment support is needed. Anyone here using rConfig to get config backups of the devices I mentioned?



ANSI TIA 568C cat 6 certification

How do I get a cable(cat6) manufactured by a company certified by TIA? What documents should I submit ? Thanks!



How am I getting 520 mbps PHY link from a single antenna with 802.11ac?

I'm trying to solve this mystery, maybe someone here can help.

I have an Intel 7260 card which has a 2x2 radio. I've only been getting 433 Mbps PHY link rate, which is the max for a single antenna on 802.11ac with an 80 MHz channel.

So one of my antennas is not getting good reception. Or maybe it's the extension cable. I'm trying to figure it out. So in troubleshooting, I disconnected it completely, including the pigtail cable that connects the SMA connector to the wireless card header. And then lo and behold, I'm getting 520 mbps with the remaining antenna.

That should be impossible. 520 mbps PHY link is a dual antenna configuration only in 802.11ac 80 MHz. And no, I am not using a 160 MHz channel.

This means that somehow both antennas scaled down to 64-QAM 2/3 and I'm getting 260 mbps from each. But there is no way the completely disconnected antenna is getting 260 mbps. Especially when it couldn't get that when it was fully connected.

So by disconnecting one of my antennas, I am getting a higher PHY link, and furthermore it's one that's impossible to get on a single antenna.

So I'm very confused. Hopefully that wasn't too complicated an explanation. Thoughts are welcome. Thank you for reading.



Anyone else feel this way when trying to grasp ACI..

How I see ACI structure:

https://imgur.com/a/milQsZ9

How I feel trying to process in my head:

https://imgur.com/gallery/R2NeZsq



Layer 3 to Layer 2 switch with VLANS?

Hey all. Buying a new home and want to drastically upgrade my networking setup.

I also want to VLAN my Cameras, Home Assistant/IoT setup, and have private networks for work, home, and guests.

My main office will hold the stack with the layer 3 switch. I’ll run a long patch cable to the other side of the house into a Layer 2. Will this work or will I need to have two Layer 3 switches? Are there any smaller than 24 PoE+ L3 managed switches?

Full setup idea: 2500 sq ft single story, wood framed. Cat6 for PoE+

Main office: - Ubiquiti USG into L3 PoE+ - This side will run 1-2 inside AC AP pros, 2-3 exterior AC AP pros, and 4-5 4K PoE Amcrest cameras. (Any switch recommendations for this would be great as the other side of the house is almost mirrored hardware wise)

Long run of Cat6 (less than 300ft) across the house to another PoE+ switch in my master bedroom closet.

Master Switch: - 1-2 inside AC AP pros, 2-3 outside AC AP pros, and another 4-5 4K Amcrest cameras.

*** I was thinking of stopping the long Cat6 run in the middle of the house (front door foyer), to have a middle switch for front door cameras and another AP AC pro to balance out the WiFi.

I live on 1.25 acres so I’m trying to do a few long runs outside with conduit to keep WiFi across my property but also have a few PoE cameras closer to my driveway entrance, inside my detached garage, over my pool/pond.

If you’ve read this far, I’m relatively new to all of this and am looking for insight to make sure my research is paying off.

Thanks!



What is the best vendor when looking at price per-port for layer 2 access switches?

We have Cisco catalysts every where. They are solid, and great switches. But every time they add some new cost, or dumb licensing requirement I start looking elsewhere. Right now, if you want to buy a current-gen Catalyst, you are required to purchase a minimum 3-year subscription to DNA, even if you aren't going to use it. Thus I'm looking again.

I'm always told that Cisco is the most expensive enterprise network hardware, but when I reach out to get quotes for Ruckus, Aruba, etc Cisco seems to be pretty much the same price.

What are you guys doing for enterprise switching?



Troubleshooting one way audio

Hey! Kind of a noob, so apologies. Is there any way to prove SIP ALG is enabled without accessing the firewall? One way audio; tried 3 different headsets, wired on all. Wired and wireless internet connection on others. Could very well be a NAT issue as sometimes the client can't hear the agent but the agent can hear the client. Thank you!



Fiber ISP CPE Options

We have a data center that also acts as an ISP (fiber only) in a few counties.

Currently we are getting fiber handoff from transport and taking customers back to the data center over L2 and thus we have no demarc.

For a number of reasons we’d like to start putting CPEs on site during install. Must support QnQ as we will only be allowed 1 VLAN back to our network from the transport provider.

I’ve looked around and Juniper seems to have a stronghold for sure in this arena. Who should we consider?



How to allow communication between a device with an IP address of 10.10.254.x and another device with an IP address of 192.168.1.x

Hi all,

I'm working on a project where one piece of equipment comes from the factory with an IP address of 10.10.254.x, where the rest of the network is 192.168.1.x; I'm new to the world of networking at this level, so I've been trying to figure this out but I'm a bit stuck and thought you might be able to help. Here's what I (think) I know so far:

  1. The first device has a "class A" IP address, second device has a "class C" IP address but classes don't really exist anymore because of CIDR.
  2. Point 1 being said, even if my 192.168.1.x device had a subnet mask bit 1, it still could only reach as low as 128.x.x.x so just subnetting doesn't seem to be the fix here.
  3. Seems like a layer 3 device is required to get this to work, correct? That would, so far as I understand, require a router versus a switch.
  4. A friend I was talking to suggested a network bridge, but after reading it seems a bridge is a layer 2 device so I'm not sure that would work.

So it seems I need to use a router between the two devices. I guess my question now is, how much work does it take to configure a router to make this work?

Thanks for any help!



Mac Flapping issue

Hi guys. There is an old Cisco Catalyst data center, designed very badly. There are four 6500s that form a square with several 3560s linked to them. There is also attached a couple of Nexus 7Ks (new DC) and a Juniper VC to aggregate the firewall and F5.

6500-1 is the root bridge for all VLANs.

Some of these VLANs are trunked to the Nexus and to the Juniper.

Problem: We have a lot of MAC flaps on Catalyst VLANs; when flaps occur the Nexus and Juniper are affected (MAC moves are present in logs) and we can see disconnections and issues everywhere.

It could be an L2 loop but we can't find the root cause. MACs that are flapping are from different VLANs and located on different switches.

I read that L2 autonegotiation protocols like DTP could be the cause. The Catalysts have autonegotiation, the Nexus and Juniper don't.

I read here about this ( https://serverfault.com/questions/790841/how-to-troubleshoot-a-mac-flapping-between-switch-ports-cisco )



DHCP Server behind DHCP Relay - requires route to subnet?

Hello everyone

We are in the process of setting up multiple VLANs at a customer and are wondering about a setting concerning DHCP relay.

We are using a switch to relay DHCP requests from different VLANs to our Sophos SG firewall, which has DHCP servers for the scopes and knows they are behind a relay. Between the firewall and the switch there is a transfer network just for internet and DHCP.

Now, we can see the DHCP discovery coming from the switch to the firewall in a packet trace, but the firewall is unable to answer it.

If we create the following static route on the firewall everything works fine:

Destination: Subnet in which we want DHCP | Gateway: Interface of DHCP Relay in VLAN between DHCP Relay and Server

Is this routing rule required, and should we create a route for all subnets that will receive an IP address via DHCP, or is there something wrong with our configuration?

Thanks in advance and best regards!

Florian
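As an added illustration of the mechanism behind this question (my example, not the poster's or Sophos's code): under RFC 2131 section 4.1 a server that receives a DISCOVER with a non-zero giaddr unicasts its reply to that giaddr, which is the relay's interface in the client VLAN, so the reply is ordinary unicast that needs a route like any other packet. The code builds a constructed relayed DISCOVER, reads giaddr from the BOOTP header, and resolves it against a toy firewall routing table with and without the static route. The addresses (10.99.0.0/30 transfer net, 10.20.0.0/24 client VLAN, 203.0.113.1 ISP next hop) are assumptions.

```python
import ipaddress
import struct

BOOTREQUEST, DHCPDISCOVER = 1, 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_relayed_discover(client_mac: bytes, giaddr: str, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER as it leaves the relay: hops=1 and giaddr set to the
    relay's own interface in the client VLAN (RFC 2131 section 4.1)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 1,                  # op, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                        # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,       # ciaddr, yiaddr, siaddr: zero in a DISCOVER
        ipaddress.IPv4Address(giaddr).packed,  # giaddr: where the server must send its reply
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = MAGIC_COOKIE + bytes([53, 1, DHCPDISCOVER]) + b"\xff"
    return header + options


def reply_destination(msg: bytes) -> str:
    """giaddr occupies bytes 24-27 of the BOOTP header. When it is non-zero the server
    unicasts OFFER/ACK to that address on UDP 67 instead of answering on the local link."""
    giaddr = ipaddress.IPv4Address(msg[24:28])
    if int(giaddr) == 0:
        raise ValueError("not relayed: the reply goes out the receiving interface")
    return str(giaddr)


def lookup(routes, dst: str):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing covers dst."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def reply_next_hop(routes, msg: bytes):
    """Where the server's reply actually goes: the route chosen for giaddr."""
    return lookup(routes, reply_destination(msg))


# Constructed topology (assumptions): firewall <-> switch over a /30 transfer network,
# client VLAN 10.20.0.0/24 behind the switch, and a default route towards the ISP.
TRANSFER_NET = ("10.99.0.0/30", "connected")
DEFAULT_ROUTE = ("0.0.0.0/0", "203.0.113.1")            # ISP next hop, documentation address
STATIC_TO_CLIENT_VLAN = ("10.20.0.0/24", "10.99.0.2")   # next hop = the switch on the transfer net

ROUTES_WITHOUT_STATIC = [TRANSFER_NET, DEFAULT_ROUTE]
ROUTES_WITH_STATIC = [TRANSFER_NET, DEFAULT_ROUTE, STATIC_TO_CLIENT_VLAN]

if __name__ == "__main__":
    msg = build_relayed_discover(bytes.fromhex("001122334455"), "10.20.0.1")
    print("reply goes to", reply_destination(msg))
    print("without static route, next hop:", reply_next_hop(ROUTES_WITHOUT_STATIC, msg))
    print("with static route, next hop:   ", reply_next_hop(ROUTES_WITH_STATIC, msg))
```

Without the static route the reply does not fail at the server; it follows the default route towards the ISP, which is the more common way this fault shows up in a packet trace. A route per relayed subnet (or one summary covering them) is therefore needed on whichever box hosts the DHCP server.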



network engineer

does a network engineer have the skills to hack?



USB-A powered device to just run 2-3 scripts, plugged to router

So here's the deal: I need to monitor the status of a home internet connection remotely (for a family member), and would like to have 2-3 shell scripts running from time to time to update a dynamic DNS name.

Even a Raspberry Pi Zero seems too much at this point. Is there any sort of super mini device that can run plugged into the USB-A port of a modem and that would just run scripts I put in it? Bonus if I can SSH into it.

I think I'm dreaming and Google didn't help, but maybe I missed something...

Thanks



L3 Switch ACL Losing Internet Connection On VLAN

I read through the ACL, not sure what I'm missing.

I'm applying this ACL to a VLAN which will apply to traffic from inside the VLAN to outside (Aruba 3810).

Outside to inside is currently not configured, so by default all is allowed, but as soon as I apply the ACL, computers in the VLAN lose access. I've permitted the VLAN to our firewall (Switch -> Firewall -> Internet) and DHCP/DNS/AD ports are all permitted, so I'm not sure what I'm missing :s

DC/DHCP/DNS = IP of the server

FIREWALL = IP of the firewall (its in the default VLAN of 1)

 10 permit ip DC/DHCP/DNS 0.0.0.255 172.25.61.0 0.0.0.255
 11 permit tcp PrintServer 0.0.0.255 172.25.61.0 0.0.0.255 eq 139
 12 permit tcp PrintServer 0.0.0.255 172.25.61.0 0.0.0.255 eq 445
 13 permit udp PrintServer 0.0.0.255 172.25.61.0 0.0.0.255 eq 138
 14 permit tcp 172.25.61.0 0.0.0.255 DC/DHCP/DNS 0.0.0.255 eq 464
 16 permit udp 172.25.61.0 0.0.0.255 DC/DHCP/DNS 0.0.0.255 eq 389
 17 permit tcp 172.25.61.0 0.0.0.255 DC/DHCP/DNS 0.0.0.255 eq 389
 18 permit tcp 172.25.61.0 0.0.0.255 DC/DHCP/DNS 0.0.0.255 eq 636
 19 permit tcp 172.25.61.0 0.0.0.255 DC/DHCP/DNS 0.0.0.255 eq 3268
 20 permit tcp 172.25.61.0 0.0.0.255 DC/DHCP/DNS 0.0.0.255 eq 3269
 21 permit tcp 172.25.61.0 0.0.0.255 DC/DHCP/DNS 0.0.0.255 eq 53
 22 permit udp 172.25.61.0 0.0.0.255 DC/DHCP/DNS 0.0.0.255 eq 53
 23 permit tcp 172.25.61.0 0.0.0.255 DC/DHCP/DNS 0.0.0.255 eq 88
 24 permit udp 172.25.61.0 0.0.0.255 DC/DHCP/DNS 0.0.0.255 eq 88
 25 permit tcp 172.25.61.0 0.0.0.255 DC/DHCP/DNS 0.0.0.255 eq 445
 26 permit udp 172.25.61.0 0.0.0.255 DC/DHCP/DNS 0.0.0.255 eq 445
 27 permit tcp 172.25.61.0 0.0.0.255 DC/DHCP/DNS 0.0.0.255 eq 67
 28 permit udp 172.25.61.0 0.0.0.255 DC/DHCP/DNS 0.0.0.255 eq 67
 29 permit tcp 172.25.61.0 0.0.0.255 DC/DHCP/DNS 0.0.0.255 eq 68
 30 permit udp 172.25.61.0 0.0.0.255 DC/DHCP/DNS 0.0.0.255 eq 68
 31 permit tcp 172.25.61.0 0.0.0.255 PrintServer 0.0.0.255 eq 445
 90 permit ip 172.25.61.0 0.0.0.255 IPCamera 0.0.0.255
 91 permit ip 172.25.61.0 0.0.0.255 FIREWALL 0.0.0.255
 100 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
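As an added example (my code, not the poster's or Aruba's), here is a small first-match evaluator for an ACL of this shape, so that a given flow can be traced to the entry that decides it. The placeholders are filled with constructed addresses (DC/DHCP/DNS = 172.25.1.10, PrintServer = 172.25.2.20, FIREWALL = 172.25.0.1, IPCamera = 172.25.50.0; all assumptions), and only a representative subset of the port-specific entries is reproduced since they all follow the same pattern. One thing such a check makes visible is that an ACL matches on the addresses in the packet header: a packet from the VLAN to an internet address is compared against its own destination, not against the firewall it will be routed through, so it only survives the final deny if an entry covers that destination.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses standing in for the placeholders in the post (assumptions).
DC_DHCP_DNS = "172.25.1.10"
PRINT_SERVER = "172.25.2.20"
FIREWALL = "172.25.0.1"
IP_CAMERA = "172.25.50.0"
CLIENT_VLAN = "172.25.61.0"
ANY = ("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: str
    src_wc: str                 # wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # "eq <port>" on the destination, if any


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def evaluate(acl, src, dst, proto, dport=None):
    """First match wins; None means no entry matched (implicit deny)."""
    for e in sorted(acl, key=lambda x: x.seq):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e
    return None


# Subset of the posted ACL, with the placeholders replaced by the constructed addresses.
ACL = [
    AclEntry(10, "permit", "ip", DC_DHCP_DNS, "0.0.0.255", CLIENT_VLAN, "0.0.0.255"),
    AclEntry(17, "permit", "tcp", CLIENT_VLAN, "0.0.0.255", DC_DHCP_DNS, "0.0.0.255", 389),
    AclEntry(21, "permit", "tcp", CLIENT_VLAN, "0.0.0.255", DC_DHCP_DNS, "0.0.0.255", 53),
    AclEntry(22, "permit", "udp", CLIENT_VLAN, "0.0.0.255", DC_DHCP_DNS, "0.0.0.255", 53),
    AclEntry(28, "permit", "udp", CLIENT_VLAN, "0.0.0.255", DC_DHCP_DNS, "0.0.0.255", 67),
    AclEntry(31, "permit", "tcp", CLIENT_VLAN, "0.0.0.255", PRINT_SERVER, "0.0.0.255", 445),
    AclEntry(90, "permit", "ip", CLIENT_VLAN, "0.0.0.255", IP_CAMERA, "0.0.0.255"),
    AclEntry(91, "permit", "ip", CLIENT_VLAN, "0.0.0.255", FIREWALL, "0.0.0.255"),
    AclEntry(100, "deny", "ip", *ANY, *ANY),
]


def decision(src, dst, proto, dport=None):
    """(sequence number, action) of the deciding entry; (None, 'deny') if nothing matched."""
    e = evaluate(ACL, src, dst, proto, dport)
    return (e.seq, e.action) if e else (None, "deny")


if __name__ == "__main__":
    for flow in [("172.25.61.20", DC_DHCP_DNS, "udp", 53),    # DNS to the DC
                 ("172.25.61.20", FIREWALL, "tcp", 443),       # management of the firewall itself
                 ("172.25.61.20", "8.8.8.8", "udp", 53),       # DNS to an internet resolver
                 ("172.25.61.20", "93.184.216.34", "tcp", 443)]:  # a web site through the firewall
        print(flow, "->", decision(*flow))
```

Note also that a wildcard of 0.0.0.255 behind a single host address permits that host's whole /24, which is as written in the post and is reproduced here unchanged.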



Setting up a Juniper (MX104) to assign IPv6 IA_NA addresses

I'm having difficulty getting a Juniper which is acting as an LNS to assign IPv6 addresses via IA_NA

I've setup multiple pools on the Juniper as described on the Juniper websites as follows:

 set access address-assignment neighbor-discovery-router-advertisement IAPD-PPPOA-POOL
 set access address-assignment pool delegated-pool family inet6 prefix 2a02:123:c05e::/56
 set access address-assignment pool delegated-pool family inet6 range d1 prefix-length 64
 set access address-assignment pool IAPD-PPPOA-POOL family inet6 prefix 2a02:123:c05d::/48
 set access address-assignment pool IAPD-PPPOA-POOL family inet6 range IAPD-RANGE low 2a02:123:c05d:1::/64
 set access address-assignment pool IAPD-PPPOA-POOL family inet6 range IAPD-RANGE high 2a02:123:c05d:ffff::/64
 set access address-assignment pool v6-ia-na-pool family inet6 prefix 2a02:123:c05f:1000:0000::/64
 set access address-assignment pool v6-ia-na-pool family inet6 range v6-range-0 low 2a02:123:c05f:1000::1/128
 set access address-assignment pool v6-ia-na-pool family inet6 range v6-range-0 high 2a02:123:c05f:1000::ffff:ffff/128

but no luck.

I think it's probably because I've defined the v6-ia-na-pool but there is no reference to it anywhere to use this pool for IA_NA assignment.

The thing is, if I look at the Juniper site it also doesn't have details of where it should be referenced. I'm obviously missing something here.

Juniper

Thanks



CoPP on 3750E and 3850 switches on management SVI.

Hi all,

I want to make sure how feasible it is to configure CoPP on the management SVI on a 3750E and 3850 with version 03.x.x code since the command "control-plane" does not exist.

A quick google search shows nothing about those modules and I want to ask if there is any workaround (something to the likes of policing anything that hits the device SVI).

Has anyone encountered this before?



Selfservice-portal for DHCP-reservations

Hi.

I wonder if anyone has implemented some kind of self-service portal to do reservations in the DHCP server? Our local IT staff currently installs printers and other stuff with static addresses and I would prefer them to use DHCP with reservations instead.
I'm not so keen to give them direct access to the DHCP server.

I'm thinking a portal where they can add (and remove) reservations themselves should be helpful. We already let these users add MAC addresses in a portal for MAB to our 802.1x solution.

The DHCP-servers are Windows.

If anyone has done something like this and have some learnings to share it would be great.

Our network is serving approx 12k endusers in 100 locations, 802.1x on (almost) every switchport, and one of the reasons I want to increase the use of DHCP is to prepare for more profiling in Cisco ISE.

BR



IPerf3 showing high TCP packet loss but no UDP?

Have two locations connected by ASE (ATT Circuit) with a 15Mg CIR. Customer is complaining about performance, speedtest consistently shows ~1Mg of throughput. When I run Iperf3 I'm seeing high packet loss for the TCP test but no packet loss for UDP:

UDP TEST (no packet loss)

 Tims-MacBook-Pro:Applications tpfannes$ iperf3 -c 10.208.37.226 -t 120 -i 10 -f m -b 10m -u
 Connecting to host 10.208.37.226, port 5201
 [ 5] local 10.175.9.82 port 59649 connected to 10.208.37.226 port 5201
 [ ID] Interval           Transfer     Bitrate         Total Datagrams
 [ 5]   0.00-10.00   sec  11.9 MBytes  10.0 Mbits/sec  8632
 ….
 [ 5] 110.00-120.00  sec  11.9 MBytes  10.0 Mbits/sec  8633
 - - - - - - - - - - - - - - - - - - - - - - - - -
 [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
 [ 5]   0.00-120.00  sec   143 MBytes  10.0 Mbits/sec  0.000 ms  0/103591 (0%)  sender
 [ 5]   0.00-120.00  sec   143 MBytes  10.0 Mbits/sec  1.137 ms  0/103591 (0%)  receiver

TCP (lotso packet loss)

 Tims-MacBook-Pro:Applications tpfannes$ iperf3 -c 10.208.37.226 -t 120 -i 10 -f m -b 10m
 Connecting to host 10.208.37.226, port 5201
 [ 5] local 10.175.9.82 port 56069 connected to 10.208.37.226 port 5201
 [ ID] Interval           Transfer     Bitrate
 [ 5]   0.00-10.00   sec  6.26 MBytes  5.25 Mbits/sec
 ….
 [ 5] 110.00-120.00  sec  4.28 MBytes  3.59 Mbits/sec
 - - - - - - - - - - - - - - - - - - - - - - - - -
 [ ID] Interval           Transfer     Bitrate
 [ 5]   0.00-120.00  sec  50.7 MBytes  3.54 Mbits/sec  sender
 [ 5]   0.00-120.00  sec  50.6 MBytes  3.54 Mbits/sec  receiver

Any suggestions as to why this may be happening? Recommendations for next step? Not sure where to go from here. Thanks!



Juniper 802.1x Wake on Lan ?

Currently looking into this for a client. They run Juniper switches, and in the Cisco world I would be looking at the "authentication control-direction in" port config, but I can't bring my google fu to bring me the same in Juniper language?

Anyone?



HPE/Aruba dhcp-snooping database

Hey,

Short question. I set up dhcp-snooping and arp-protection, so far no problem, everything as intended. In the past I never set up a remote dhcp-snooping database, but on this setup I want to store the DB every 5 minutes to a TFTP server. Also no problem here, set up everything, the file is written, works.

Now the point: If I look at the DHCP Snooping Info it says "Read at boot: no" how to change that? I mean why to store all the leases if they are not recovered?

 sh dhcp-snooping

  DHCP Snooping Information

   DHCP Snooping              : Yes
   Enabled VLANs              : 1 200 246
   Verify MAC address         : Yes
   Option 82 untrusted policy : replace
   Option 82 insertion        : Yes
   Option 82 remote-id        : mac

  Store lease database        : Yes
   URL                        : tftp://10.246.246.1/200.dhcp
   FT Port                    : 69
   Read at boot               : no
   Write delay                : 300
   Write timeout              : 60
   File status                : delaying
   Write attempts             : 10
   Write failures             : 0
   Last successful file update : Wed Dec 2 12:33:31 2020

  Authorized Servers
  ------------------
  10.200.0.1
  10.246.246.1
  172.16.100.1

                           Max       Current Bindings
  Port   Trust   Bindings   Static   Dynamic
  -----  -----   --------   ----------------
  A1     No      -          -        1
  A2     No      -          -        1
  A3     No      -          -        6
  A5     No      -          -        6
  B3     No      -          -        1
  B12    No      -          -        1
  Trk1   Yes     -          -        -

  Ports A4,A6-A24,B4-B11,B13-B24 are untrusted

Thanks!



Cisco VLAN address

Hello,

It's maybe an easy question, but I can't figure it out.

I've assigned a Switch a client vlan and a management vlan. The ports for the clients are correctly configured. I can ping from outside the client vlan and the clients but not the management vlan.
Do I need to assign the management vlan to a port?

Kind regards
glistal



802.1x on Switchports with phone and PC

Just curious how it actually works...

Usual setup: PCs are connected to the phones (Cisco IP phones) and phones are connected to the switch.

Are the phones doing the actual 802.1x negotiations with the switch with the credentials provided by the PC or how does it work? Port mode is single host.



tcpdump/tshark filter inside ERSPAN packet

Hello !

We're using ERSPAN on Catalyst 3k and Nexus 3k to mirror several VLANs traffic to a virtual monitoring appliance for voice analysis. This works great, as the monitoring application can natively decapsulate ERSPAN and look at the SIP or RTP original packet.

But we also sometimes need to start longer capture sessions, directly via the linux CLI using (until now) the tshark program, usually in a screen session to keep it running during hours or days.

Since we've switched to ERSPAN (we were using a SPAN session from a physical switch interface before, as the monitoring appliance was a physical server), we can't use source and/or destination IP as tshark filters, as the src/dst IPs are always those of the two devices on the ERSPAN session (the switch mirroring the traffic and the appliance receiving the mirrored traffic).

We would thus need a tcpdump or tshark filter to match the original IP headers inside the ERSPAN (GRE) packet. I've read many articles (ie. below), but I wasn't able to filter out the wanted traffic yet.

I've tried the ip[x:y] == hex/decimal value but no luck. I'm not sure why they use 40 as the starting byte for source IP in one article, and 54 in the other though..

And as they are not specifically talking about ERSPAN, I guess I could have a different overhead size too.

If this is something you have already done, I would gladly take any pointers you can give me ;)

Thanks !
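The byte offset that an `ip[x:y]` capture filter has to use is not a fixed number: it depends on the outer IP header length, on which GRE optional fields are present (ERSPAN Type II and III set the sequence flag, which adds 4 bytes), on the ERSPAN type (8-byte Type II header, 12-byte Type III header plus an optional 8-byte platform subheader), and on whether the mirrored frame kept its 802.1Q tag. As an added example (my code, not from the post or from tcpdump/Wireshark), the parser below walks those layers on a constructed ERSPAN Type II frame, extracts the inner source and destination addresses, and reports the offsets of those fields relative to the start of the outer IP header, which is what BPF's `ip[N]` indexes. A helper then turns that into a capture-filter expression. The sample frame and its addresses are constructed.

```python
import socket
import struct

ETH_P_IP, ETH_P_8021Q = 0x0800, 0x8100
GRE_PROTO_ERSPAN2, GRE_PROTO_ERSPAN3 = 0x88BE, 0x22EB
IPPROTO_GRE = 47


def parse_erspan(frame: bytes) -> dict:
    """Walk outer Ethernet -> IPv4 -> GRE -> ERSPAN (II or III) -> inner Ethernet -> inner IPv4.
    All offsets returned are relative to the start of the OUTER IPv4 header (BPF's ip[N])."""
    etype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    if etype == ETH_P_8021Q:                       # outer frame itself tagged
        etype = struct.unpack_from("!H", frame, 16)[0]
        off = 18
    if etype != ETH_P_IP:
        raise ValueError("outer frame is not IPv4")
    outer_ip = off
    if frame[off + 9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 payload is not GRE")
    off += (frame[off] & 0x0F) * 4                 # IHL, so IP options are handled too

    flags, gre_proto = struct.unpack_from("!HH", frame, off)
    off += 4
    if flags & 0x8000: off += 4                    # C: checksum + reserved
    if flags & 0x2000: off += 4                    # K: key
    if flags & 0x1000: off += 4                    # S: sequence number (ERSPAN sets this)

    if gre_proto == GRE_PROTO_ERSPAN2:
        ver_vlan, cos_en_t_sid = struct.unpack_from("!HH", frame, off)
        off += 8                                   # Type II header is 8 bytes
    elif gre_proto == GRE_PROTO_ERSPAN3:
        ver_vlan, cos_en_t_sid, _ts, _sgt, tail = struct.unpack_from("!HHIHH", frame, off)
        off += 12 + (8 if tail & 0x0001 else 0)    # O bit: optional platform-specific subheader
    else:
        raise ValueError("GRE payload is not ERSPAN")
    result = {"version": ver_vlan >> 12, "vlan": ver_vlan & 0x0FFF,
              "session_id": cos_en_t_sid & 0x03FF}

    inner_etype = struct.unpack_from("!H", frame, off + 12)[0]
    off += 14
    if inner_etype == ETH_P_8021Q:                 # mirrored frame kept its 802.1Q tag
        result["inner_tag"] = struct.unpack_from("!H", frame, off)[0] & 0x0FFF
        inner_etype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if inner_etype != ETH_P_IP:
        raise ValueError("mirrored frame is not IPv4")

    result.update(inner_src=socket.inet_ntoa(frame[off + 12:off + 16]),
                  inner_dst=socket.inet_ntoa(frame[off + 16:off + 20]),
                  inner_ip_offset=off - outer_ip,
                  src_offset=off - outer_ip + 12,
                  dst_offset=off - outer_ip + 16)
    return result


def inner_host_filter(frame: bytes, host: str) -> str:
    """Capture-filter expression matching `host` inside the mirrored packet, with offsets
    taken from one sample frame. Only valid while every frame on the session has the same
    encapsulation length (same GRE flags, ERSPAN type and inner tagging)."""
    r = parse_erspan(frame)
    h = int.from_bytes(socket.inet_aton(host), "big")
    return "ip proto 47 and (ip[%d:4] = 0x%08x or ip[%d:4] = 0x%08x)" % (
        r["src_offset"], h, r["dst_offset"], h)


def build_erspan2_frame(inner_src, inner_dst, session_id=1, inner_vlan=None, with_seq=True):
    """Constructed sample: ERSPAN Type II carrying an inner UDP packet (checksums left zero)."""
    payload = b"sample-rtp"
    inner_udp = struct.pack("!HHHH", 5004, 5004, 8 + len(payload), 0) + payload
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner_udp), 0, 0, 64, 17, 0,
                           socket.inet_aton(inner_src), socket.inet_aton(inner_dst)) + inner_udp
    inner_eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if inner_vlan is not None:
        inner_eth += struct.pack("!HH", ETH_P_8021Q, inner_vlan)
    inner_eth += struct.pack("!H", ETH_P_IP) + inner_ip
    erspan = struct.pack("!HHI", (1 << 12) | (inner_vlan or 0), session_id & 0x3FF, 0)
    gre = (struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN2, 1) if with_seq
           else struct.pack("!HH", 0, GRE_PROTO_ERSPAN2))
    body = gre + erspan + inner_eth
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, IPPROTO_GRE, 0,
                           socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")) + body
    return bytes.fromhex("aaaaaaaaaaaa") + bytes.fromhex("bbbbbbbbbbbb") + struct.pack("!H", ETH_P_IP) + outer_ip


if __name__ == "__main__":
    f = build_erspan2_frame("192.168.10.5", "192.168.20.9", session_id=7)
    print(parse_erspan(f))
    print(inner_host_filter(f, "192.168.10.5"))
```

For a plain Type II session with the GRE sequence number and an untagged inner frame the inner source address lands at `ip[62:4]` and the destination at `ip[66:4]`; with a tagged inner frame both move by 4, and without the sequence number both move back by 4, which is why the numbers in different write-ups disagree. The same expression works as a tshark `-f` capture filter. A tshark display filter (`-Y 'ip.addr == ...'`) would also match the inner header because Wireshark dissects ERSPAN, but it is applied after capture and does not reduce the load of a multi-day session the way a BPF capture filter does.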



Opening ports for devices and security

How secure is it to port forward to a specific IP of a device for things such as cloud key controllers that require additional ports forwarded from the internet?

To me it has always seemed a risk, but probably because I don't fully understand everything in networking yet.

Any guides or information articles on this would be appreciated. I know how to do it I'm more looking for info on security implications?



Tuesday, December 1, 2020

Tool/file cabinet for techs

What is the most practical and good looking tool/file cabinet for computer/network technician?



Woes with iperf v3 on Windows machines

Has anyone else experienced any significant inaccuracies with v3 using windows? We're seeing perfect TCP results on fibre links yet it has abysmal UDP results, with the same bandwidth (no other options changed). The opposite occurs on smaller LANs, where UDP is average, and the TCP is absolutely woeful. Trying to convince clients they need to try a unix box has been interesting...



BGP Flowspec Question

I am having a bit of an issue with announcing BGP flowspec rules.

I am trying to announce two different types of rules, but for some reason, when one rule is in place and I announce the 2nd rule, the initial rule is withdrawn.

For Ex:

1st rule announced: BGP Flowspec rate-limit to 100Mbps to 2.2.2.2/32

cisco_router#sh bgp flow-spec ipv4 destination 2.2.2.2/32 detail

BGP Flow Specification rules for VRF default

Router identifier 7.7.0.4, local AS number xxxx

BGP Flow Specification Matching Rule for 2.2.2.2/32;*;

Rule identifier: 140589008397264

Matching Rule:

Destination Prefix: 2.2.2.2/32

Source Prefix: *

Paths: 1 available

64512

from 10.252.152.188 (10.252.152.188)

Origin INCOMPLETE, metric -, localpref 100, weight 0, valid, external, best

Actions: Police: 10 kbps (1.25 kBps)

When I try to announce a Flowspec Redirect to Next Hop, the Flowspec Rate-Limit is replaced.

cisco_router#sh bgp flow-spec ipv4 destination 2.2.2.2/32 detail

BGP Flow Specification rules for VRF default

Router identifier 7.7.0.4, local AS number xxxx

BGP Flow Specification Matching Rule for 2.2.2.2/32;*;

Rule identifier: 140589008397264

Matching Rule:

Destination Prefix: 2.2.2.2/32

Source Prefix: *

Paths: 1 available

64512

from 10.252.152.188 (10.252.152.188)

Origin INCOMPLETE, metric -, localpref 100, weight 0, valid, external, best

Actions: Redirect IP: 1.1.1.1

When I withdraw the next-hop redirect rule, there are no longer any rules for the prefix, while the flowspec rate-limit rule is still being announced from its BGP peer.

Has anyone experienced this in the past, or can anyone explain why this is happening?

Also, I tested this with a more specific rule, like adding a protocol to the flowspec rate-limit, and this does NOT happen; it only happens with the less specific flowspec announcement, which is what I am looking to do. I am basically looking to limit all traffic to a destination prefix.



Abstract in IET Communications today on Best beam selection and PHY switching policy for hybrid FSO/RF inter-satellite communication link (1st Dec 2020)

Abstract

Free space optical (FSO) inter-satellite links could often be non-reliable due to the imperfect line of sight (LOS) links. To achieve more reliable communication, the authors propose hybrid inter-satellite links. However, this leads to new challenges like switching physical (PHY) layers at the satellite's transmitter. In this work, they propose a novel hybrid radio frequency-FSO (RF/FSO) satellite system. For it, they develop a novel best beam selection policy (BBSP) and switching of FSO and RF to improve the reliability of the inter-satellite links. To obtain more insights, they investigate the performance of BBSP by deriving expressions for the outage probability, average spectral efficiency, and average bit error rate of the BBSP. For the PHY switching, they compare the instantaneous error probabilities of RF and FSO links and find the signal-to-noise ratio threshold at which it is more efficient to switch to RF. They further improve this threshold by considering a satellite transmitting multiple beams and choosing the best source beam. To validate the analytical findings, they simulate the proposed model with CubeSat level parameters. They find that the BBSP delivers superior performance in terms of various performance measures, which shows its applicability in next-generation satellite systems.

Always fascinated to find out what's going on in the field of space-based lasercom. If there are any similar papers, drop them off onto /r/lasercom.

  • Best beam selection and PHY switching policy for hybrid FSO/RF inter-satellite communication link (IET Communications, 1st Dec 2020) DOI: 10.1049/iet-com.2020.0515


Being forced to support stateful apps over client VPN/consumer broadband connections?

Wondering if anyone else is in this boat due to COVID and more people working remotely who never had the ability to before. We're dealing with SAP right now; it drops the connection after retransmissions happen. Seems fundamentally impossible to avoid with consumer broadband connections, but we're unable to convince the SAP team it isn't something we can do anything about and that they should adjust their app (run it on VDI/XenApp or switch to the stateless HTML version).

Anyway, I was just looking to see if anyone else has been put in a similar situation due to the massive increase in remote users lately.



DMZ isolated via VLAN in virtualized environment (DMZ VMs and production VMs on same host)

Hi all, first time posting here.

I am working on reorganizing the network of the small company where I work (we are moving to a new location) and was thinking of separating the DMZ servers from the production network servers by using VLANs on the hypervisor. In the testing scenario, there are 2 virtual machines on the same hypervisor: one in the DMZ and the other in the production network.

The whole idea is implemented as follows:

- Firewall: defined 3 separated networks where one is for management (10.0.1.0/24 - VLAN id 100), one for internal servers (10.0.2.0/24 - VLAN id 200), and one for the DMZ (10.0.3.0/24 - VLAN id 300). There are explicit firewall rules blocking any traffic from the DMZ network (10.0.3.0/24) to all other internal networks and vice-versa. Also, firewall rules block traffic between the management and production network in both directions. Finally, NAT 1:1 from a public IP to the DMZ VM, with rules allowing inbound traffic to ports 80 and 443 only.

- Switch: configured as L2, plugged into the firewall. The port where the hypervisor server is plugged in allows VLANs 100, 200, 300. No native VLAN defined (only tagged traffic allowed).

- Hypervisor server: only one NIC in use. On top of the physical interface, one virtual interface on VLAN 100 (IP 10.0.1.10) and 2 bridges (one with a virtual interface on VLAN 200, the other with another virtual interface on VLAN 300; both interfaces without IPs). The production VM is connected to the bridge on VLAN 200 (IP 10.0.2.10) and the DMZ VM is plugged into the bridge on VLAN 300 (IP 10.0.3.10). The gateway for both VMs and the hypervisor is the firewall (10.0.1.1, 10.0.2.1, and 10.0.3.1).

Based on the tests I made, all communication between both internal VMs or from the hypervisor to the VMs always passes through the firewall (which is good and expected). With the rules in place, both VMs cannot reach the hypervisor management interface and the hypervisor cannot reach the VMs.

I know this approach relies solely on the software stack (hypervisor) and that physical separation for the DMZ is always better when possible; however, the approach above would be cheaper for us since it doesn't require buying more hardware.

Do you guys see big problems with this approach?

Thank you in advance for any opinion or thoughts.



Ethernet cable combs - 3d print ?

Hunting for some Ethernet cable combs to 3D print to make swap-outs easier; haven't had much luck on the googleBox.

Like this:

https://www.changerv.com/index.php?main_page=product_info&products_id=96554



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



EVPN/VXLAN scalability in campus environment

Our current campus design is "MPLS PE router" at every building and each PE router (well OK L3 switch) has several different VRFs and then in the DC the VRF is connected with /29 towards the FW cluster. All traffic between VRFs goes through the DC firewall cluster which advertises default to every VRF.

Now we're starting to implement Aruba AOS-CX switches that do not support MPLS but do support EVPN with VXLAN. So I'm wondering how well an EVPN kind of campus would scale in the future if we decided to go with that? Currently we still have our MPLS PEs at each building and the access will be AOS-CX switches, but I guess there is no point in running your own MPLS network if EVPN/VXLAN would do the same?

Not really that familiar with EVPN/VXLAN stuff, so I'm wondering if we can have the same situation where the building switches just advertise whole subnets, or do they need to advertise every IP/MAC address towards the DC? Can we have the /29 towards the FW or does the FW need to see all the IP/MACs?

Or any thoughts about how to configure the underlay network? Would it be too much to have something like 1500-2000 switches in the same OSPF area 0 and in the same AS BGP-wise? Fiber connectivity between switches is quite stable anyway. I think we're way past the 90's "max 50 OSPF routers in one area", but how well does it scale nowadays? Or should I just have eBGP between buildings and DCs and run separate OSPF area 0's at every building?



Sonic Wall 432E

Hey, so this AP is PoE powered and I was trying to use a Ubiquiti PoE injector and an RV320 router, and it did not seem to work. Has anyone ever worked with these and had experience with them that could help me out?

I swear I've tried every which way and it doesn't seem to want to work.

My suspicion is that it's just that a Ubiquiti device will only work with a Ubiquiti device.

Any kind of help would be helpful. Thank you!



Inside address cannot ping ASA outside address despite having a route in the routing table on the inside router and on the ASA. No ACLs are configured either.

Router 1 in the brown box (topology image) is unable to ping 209.10.10.2. At first I thought it was something wrong with my static routing; I'm admittedly always bad at remembering what my next-hop is. But Router1 neighbors with the ASA's G1/3 interface when I configure OSPF on both of them.

I'm not sure if there's something I'm missing about ASAs or if it's an issue with Packet Tracer.

ciscoasa#show route
Gateway of last resort is 209.10.10.1 to network 0.0.0.0

172.16.0.0/24 is subnetted, 2 subnets
C 172.16.0.0 255.255.255.0 is directly connected, inside, GigabitEthernet1/1
C 172.16.100.0 255.255.255.0 is directly connected, inside, GigabitEthernet1/1
209.10.10.0/30 is subnetted, 1 subnets
C 209.10.10.0 255.255.255.252 is directly connected, outside, GigabitEthernet1/3
S* 0.0.0.0/0 [1/0] via 209.10.10.1

ciscoasa#show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
ciscoasa#
ciscoasa#show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside-net interface
translate_hits = 0, untranslate_hits = 0

ciscoasa#show run
: Saved
:
ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
 nameif inside
 security-level 0
 ip address 172.16.100.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif outside
 security-level 0
 ip address 209.10.10.2 255.255.255.252
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
object network inside-net
 subnet 172.16.100.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 209.10.10.1 1
!
object network inside-net
 nat (inside,outside) dynamic interface
!
telnet timeout 5
ssh timeout 5
!
router ospf 1
 log-adjacency-changes
 router-id 3.3.3.3
 network 209.10.10.0 255.255.255.252 area 0
 network 172.16.100.0 255.255.255.0 area 0
 default-information originate
!

Router(config)#do show ip route
Gateway of last resort is not set

172.16.0.0/16 is variably subnetted, 4 subnets, 3 masks
C 172.16.80.0/30 is directly connected, GigabitEthernet0/1
L 172.16.80.2/32 is directly connected, GigabitEthernet0/1
C 172.16.100.0/24 is directly connected, GigabitEthernet0/0
L 172.16.100.2/32 is directly connected, GigabitEthernet0/0
209.10.10.0/30 is subnetted, 1 subnets
O 209.10.10.0/30 [110/2] via 172.16.100.1, 00:04:30, GigabitEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 172.16.100.1, 00:04:30, GigabitEthernet0/0

Router# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 1 FULL/DR 00:00:36 172.16.100.1 GigabitEthernet0/0


Cisco Anyconnect Message History logs

I have a case open with Cisco. And they're kinda demanding the AnyConnect message history logs for the time the issue occurred.

I'm not aware of any specific log location for Message History logs. Even looking at my own computer, I do not see them. Any advice on where these might be stored?



JunOS SSH best practises

Hello,

In our company we replaced our Cisco router with a couple of SRX 380s. Is there a best practice for SSH filtering? We have many public IPs and an OOB link for management, but SSH is open on all IPs by default.

The service company that did the configuration is no longer around, so I'd like to not block clients with a shitty rule on the routing engine.

Thanks !!



mac spoofing

Hi together!

I have been playing around with MAC spoofing lately and I noticed a strange behaviour depending on the way I change the MAC.

If I change the MAC like this:

nmcli radio wifi off

sudo macchanger -r wlan0

nmcli radio wifi on

everything is fine. The MAC is changed, I get a new IP address and I can connect to the internet.

If I use

sudo ip link set wlan0 down

sudo macchanger -r wlan0

sudo ip link set wlan0 up

I don't get a new IP address; my interface isn't even sending a request, and sometimes I can't connect to the internet because my ARP requests stay unanswered. So far I couldn't figure out when the ARP requests stay unanswered and when everything works fine.

The major thing I don't get is why the NIC does not request a new IP when using the second method. What is the difference between these two methods? The dmesg logs look the same to me.

Would be really glad if somebody could enlighten me. :)



Downgrading Firepower 2100 in FTD

Does anyone have any experience with downgrading an FTD 2100 series appliance running in FTD mode? I've scoured the Cisco documentation and there are plenty of notes on upgrades, but rolling back to a previous version is not obvious.

We're looking at pulling the trigger soon on an upgrade; the only problem is I don't see a clear procedure for downgrading if we hit an issue.

To be clear, we're moving from 6.2.3 up to 6.4. Is it just as simple as clicking install for 6.2.3 again, or is it a complete re-image of the box?



Budget modem for xfinity with voice

I just moved cross country, and am looking for a good but budget friendly (within $150 ideally) modem and router that is compatible with xfinity voice. Any help or recommendations would be greatly appreciated!



Trying to piece the puzzle - Network Reflective Flooding from 2 PCs

I am attempting to understand an issue we faced this morning with our network. My first call came in and people could not connect to several systems. After getting onsite, I was able to pull up Wireshark and begin troubleshooting.

Before I get into the details, my question is: I understand the principles behind a broadcast storm, and while we have multiple switches throughout our network, there are no redundant links, possible loops, STP issues, etc. The best thing I can come up with is that the original PC caused something on PC2 to flake out and it somehow reflected and regenerated the traffic using the same IP and MAC as PC1 (the original PC). But to me, this doesn't make sense. Has anyone run across anything like this?

We do not have any fancy tools and use a lot of poor-boy methods! Here is what I found.

  1. Flood of UDP traffic from one IP address (PC1) on a port that appears to be associated with Logitech ARX drivers. Looks like the driver/service flaked out.
  2. Disconnected PC1 from the network and the flood was still occurring from that IP address (it was a static assignment and I knew it was PC1). Why is it still flooding with PC1 disconnected? The flood was from this disconnected PC1 on UDP port 54915; Wireshark was also giving info on "54915 -> 54915 [BAD UDP LENGTH > PAYLOAD LENGTH]"
  3. Cycled the power on three switches; the problem still persisted (PC1 still unplugged).
  4. We isolated it to a single switch. Moved the laptop (w/ Wireshark) to that switch (which had been rebooted) and started pulling cables (to PCs and devices) to isolate the device. We discovered that when we disconnected PC2, the flood stopped. Connected it back, and the flood started again, showing the same IP and MAC as PC1.
  5. At this time, both PCs are disconnected and we reconnected the switch to the network. The network is stable now; devices/equipment (except for those two PCs) are back online.
  6. On PC2, we ran several different security and process scans. Nothing turned up. No wild processes, etc. We rebooted the machine, reconnected it to the network and everything was normal.
  7. On PC1, the source of the UDP flood, we found several references on the internet to the Logitech ARX LCore.exe on port 54915. In the Logitech drivers, we disabled the Mobile Service and Automatic Discovery. Restarted the program. I put PC1 on an isolated network with the laptop and did not see any more abnormal traffic. I rebooted PC1 and it's now back on the network. Everything is good.

Is it possible for PC2 to reflect the UDP broadcast traffic? I've never seen anything like this. I've seen where a single PC was the culprit, but nothing like this. I do not see any signs of compromise or breach. Just a driver that flaked out and caused a serious network glitch.

Anyone seen anything like this?
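The two signals in the write-up above (a malformed UDP length field and a flood to one port from one source) can be checked mechanically in a capture rather than eyeballed in Wireshark. The following is an added example, not code from the original post: it parses raw Ethernet/IPv4/UDP frames, flags datagrams whose UDP length field exceeds what the IP packet delivers (the "BAD UDP LENGTH > PAYLOAD LENGTH" condition), and counts datagrams to port 54915 per source MAC/IP; the frames are constructed here so it runs offline.

```python
"""Detect the two symptoms from the incident above in a capture: UDP datagrams
whose length field claims more bytes than the IP packet delivers (Wireshark's
"BAD UDP LENGTH > PAYLOAD LENGTH") and a flood to one UDP port from one
source.  Added example, not code from the original post; all frames are
constructed here so it runs offline."""
import struct
from collections import Counter

LOGITECH_PORT = 54915   # port seen in the post
ETH_LEN, UDP_HDR = 14, 8


def build_frame(src_mac, src_ip, dst_ip, sport, dport, payload, udp_len=None):
    """Constructed test helper: Ethernet/IPv4/UDP broadcast frame.  ``udp_len``
    overrides the UDP length field so a malformed datagram can be produced."""
    udp_len = UDP_HDR + len(payload) if udp_len is None else udp_len
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip_hdr + udp


def parse_udp(frame):
    """Return (src_mac, src_ip, dport, bad_length) or None if not IPv4/UDP."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if frame[ETH_LEN + 9] != 17 or len(frame) < ETH_LEN + ihl + UDP_HDR:
        return None
    ip_total = struct.unpack("!H", frame[ETH_LEN + 2:ETH_LEN + 4])[0]
    src_mac = frame[6:12].hex(":")
    src_ip = ".".join(str(b) for b in frame[ETH_LEN + 12:ETH_LEN + 16])
    udp = frame[ETH_LEN + ihl:]
    _, dport, udp_len = struct.unpack("!HHH", udp[:6])
    delivered = min(ip_total - ihl, len(udp))   # bytes the IP layer really hands up
    return src_mac, src_ip, dport, udp_len > delivered


def analyze(frames, port=LOGITECH_PORT, flood_threshold=100):
    """Per (src_mac, src_ip): count datagrams to ``port``; report sources over
    the threshold and how many of their datagrams were malformed."""
    per_source, malformed = Counter(), Counter()
    for frame in frames:
        parsed = parse_udp(frame)
        if parsed is None:
            continue
        src_mac, src_ip, dport, bad = parsed
        if dport == port:
            per_source[(src_mac, src_ip)] += 1
            if bad:
                malformed[(src_mac, src_ip)] += 1
    flooders = {k: n for k, n in per_source.items() if n >= flood_threshold}
    return flooders, dict(malformed)


def sample_capture():
    """Constructed capture: PC1 spraying 54915 with oversized length fields,
    plus ordinary DNS and mDNS chatter from another host."""
    pc1 = ("00:11:22:33:44:55", "192.168.1.50")
    frames = [build_frame(*pc1, "192.168.1.255", LOGITECH_PORT, LOGITECH_PORT,
                          b"\x00" * 10, udp_len=2000) for _ in range(150)]
    frames.append(build_frame("66:77:88:99:aa:bb", "192.168.1.60",
                              "192.168.1.1", 40000, 53, b"\x00" * 30))
    frames.append(build_frame("66:77:88:99:aa:bb", "192.168.1.60",
                              "224.0.0.251", 5353, 5353, b"\x00" * 30))
    return frames


if __name__ == "__main__":
    print(analyze(sample_capture()))
```

Keyed on source MAC and IP, a reflected copy such as PC2's is indistinguishable from PC1's own traffic in the capture; telling them apart still needs the switch's MAC address table or the per-port isolation used in step 4.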



NAT inside LAN Subnet to another inside LAN subnet before it goes over VPN on ASA

Hi All,

I have a branch location with an ASA 5505 (192.168.181.0/24). It has a site to site VPN to my data center. I need to reclaim the subnet of that branch location and allocate it to another location rather urgently (to make a /23 for a different site running out of IPs), but I can't do it properly (re-IP the branch site) due to Covid restrictions.

So I am wondering if, for now, there is a way I can NAT the LAN subnet (192.168.181.0/24) of that branch location to a different LAN subnet (e.g. 192.168.182.0/24) so that when it arrives at the data center over the VPN, it will be seen as 192.168.182.0/24 and not 192.168.181.0/24. I am willing to NAT on either side of the VPN to make this happen (branch or core). Any assistance is appreciated.



Show/Block which apps are being used on wireless network

SOHO here with a few employees, is there a way to:

A: Block traffic from a specific app? I don't want employees surfing FB or Instagram on my wireless. Are apps essentially web browsers managed via DNS?

B: Wireless router that plainly tells me what websites are being accessed by the URL vs IP address.

C: Is there a small home-use router that plainly shows which apps are using WiFi?



Monitoring network bandwidth per ip

All, I'm trying to monitor network bandwidth usage per IP. My initial thought was NetFlow, but I don't need all of that data (we are setting up to saturate a 10gb connection, so would that mean 10 gb going to the NetFlow collector as well?); all I'm trying to see is the bandwidth utilization.

SNMP was another option, but I believe it falls short if I'm looking at a per-IP option. It works off of interfaces.

Is NetFlow the only option, or is there something better?

We are using a Ubiquiti EdgeRouter, though we are switching to MikroTik.

If NetFlow is the best way, is there a solid open-source collector/analyzer that runs in a server architecture and not as a desktop app (SolarWinds programs seem to be desktop?). It looks like ntopng is the best option; perhaps a TICK stack would work too?



Please Suggest a Router/Switch Combo Box

Hi, everyone.

I'm currently looking to buy a combination router/switch box. I'm planning to plug the ISP's ONT (w/ a MOCA adapter) straight into this box. Please no Ubiquiti (personal choice).

Must have: 8 port, Gigabit, VLAN, Low powered, Quiet, Stable

Nice to have (but not necessary): QoS, Port Security, PoE, Port Mirroring

Does anyone have any recommendations? Thank you.



EVE-NG loses its management IP after reboot

I have a Dell R710 server with ESXI 6.5 on it. Server is connected to a switch. I have a laptop connected to the switch as well.

SW: 192.168.10.1

ESXI host: 192.168.10.2

EVE-NG: 192.168.10.3

LAPTOP: 192.168.10.4

I installed the free version of EVE-NG on a VM.

During the initial EVE-NG set up wizard, I assigned a static IP for the management network.

However, every time the VM is rebooted, it loses its IP address. The Linux console login prompt shows "Eve-NG (default root password is 'eve') No IP address on interface eth0"

Is there something I misconfigured in EVE-NG, or is it the ESXi VM that is misconfigured?



Catalyst 802.1x port auth state via SNMP

Hi there,

I'm trying to get the ports on our switches that are in the auth-failed state. However, with the CISCO-PAE-MIB I can only get the successfully authenticated users.

I tried cpaeAuthPaeState 1.3.6.1.4.1.9.9.220.1.10.1.8, which should give me the auth state for each port if I understood that correctly. However, on the Catalyst I tried, I get 'No Such Instance currently exists at this OID'. I'm not sure if that's due to our slightly outdated IOS image or if that OID doesn't give the port state.



Ubiquiti Access Point tips

Just got some Ubiquiti Access Points and remember reading articles on a few things I should do with them to get the best out of them. Here are the bits I think I remember, but am not sure on exactly, and an extra query:

  • Should I have each Access Point on a separate channel?
  • There was a setting to enable easy switching between Access Points?
  • How does the guest network keep users separated? It gives them an IP Address on the same LAN?


Cisco IOS : inside local - router choosing lower port

I've got an IOS router which for some reason is choosing port 5061 as the inside local port for an outbound SIP registration instead of a random higher port.

I've tried a new IOS, as I remember this being an issue on some IOS revisions, but no luck.

Usually this wouldn't be an issue, but as the router is choosing port 5061 it's opening it up for dodgy IPs to come back in on.

I've put an ACL on the router to close it down, but I also want to stop the router from choosing a common port for the NAT translation.

Is there a way to stop those ports from being used during the NAT translation?

thanks



Monday, November 30, 2020

GNS3 QEMU -enable-kvm: unsupported machine type pc-q35-4.2 Error..

Successfully installed GNS3, imported the CISCO IOS Layer V2 Switch template and everything is connected. But when I run the program I get the error mentioned in the heading. Please refer to the screenshots below to see the error.

Tested with both VMware Workstation Pro and VirtualBox. Used the latest version of GNS3, 2.2.16, and GNS3.VM.VirtualBox.2.2.16 or GNS3.VM.VMware.Workstation.2.2.16 for VirtualBox and VMware respectively. But both times I get the same error. GNS3 connected to the VMware GNS3 VM and the VirtualBox GNS3 VM successfully.

see below link for screenshots of error message

https://ibb.co/QmSbT6S

https://ibb.co/Y3VPKj7

https://ibb.co/4KCNHpX



Network Scripting/automation experience with various languages and tools

Hi

I'm familiar with network automation with Python (Ansible, Netmiko, Nornir, etc.).

Just wondering about the network automation support in other languages like Golang, PowerShell, etc.

It would be great if you guys could share your experiences and frustrations using other languages, frameworks and tools.



Simulating network devices for script/automation development

Hi,

What is the recommended way to simulate network devices to develop and test network automation?

I've installed the GNS3 VM (VMware Player) and started running Cisco IOS, but I'm not sure about the "how to interface it to localhost" part so that my network automation tools can connect to the IOS device for checking and updating its config.

Thanks In Advance



What is the difference between a segment, a datagram, and a packet?

I can't seem to figure it out. Segment is what a packet is called when it's on the transport layer, right? And it is called a "frame" when it's on the data link layer. But how does the datagram fit in all this?



Fiber network , what protocol to use ,after Dark fiber from ISP (or any fiber)

Hi Everyone:

I'm doing a project for my university and I'm stuck on this. I talk in the project about how fiber works and blah blah; now comes the network part (which I don't know too much about) and I need to decide how to create my own network after I get my fiber connection.

Let's say I want to haul fiber to a town with 100 people. It will be GPON; I'm still stuck on what L2 and L3 equipment I need (it's in progress), but now I want to focus on what protocol to use.

BGP? OSPF? EIGRP? Do I use MPLS? Do I need to think about the future in case I need to haul to another town with more customers? Does the ISP need something from me to connect to their network? Peering?

I know fiber is expensive (digging and all that), but it's been a fun project so far.

Thanks and regards to all the amazing network people on this sub!



Extracting Kerberos tickets from network traffic - BruteShark (v1.1.2) is now capable of extracting Kerberos tickets and convert them to Hashcat format

I would love to get your feedback!

Check it out! https://github.com/odedshimon/BruteShark

#Pcap #Cyber #Network #OpenSource



Looking for a device that can provide redundancy for dual ISP connections, prefer fanless

I can do this with an ISR pretty easily, but they are louder than this doctor's office wants. They have a very unreliable Comcast 500mbps to 1gbps connection. They'd like a solution to provide better uptime, since they lose their phones as well.

I was thinking of bringing in an AT&T run or doing a Cradlepoint. However, I need a router or device that can switch connections when one drops.