Saturday, January 9, 2021

Opengear ACM5004-G netflash upgrade fails

When I run the netflash command pointing to the new image, which has been mounted, it just drops out of the SSH session and nothing happens. Problem is I cannot access the web interface, so this is my only option.



Why do some users have multiple IP addresses

I am a little new to networking. I have a program where a user first contacts my web server and, using the IP address the user contacted my website from, I then allow that IP through my firewall so they can have access to and run a secondary service.

It was working fine for a while, but today I find out some users seem to have multiple IP addresses. When I TeamViewer into my users' PCs and visit 4-5 different "whatsmyip.org" sort of websites from their PCs, I get 2-3 different IPv4 addresses shown.

I have no idea what exactly this is called to try and even start solving the issue, and I would really appreciate if someone could tell me why this is happening, and if there's a name for this technique.

I am trying to see how I can detect a user with multiple IPs and let all those IPs through a firewall.

Thank you.



Network Admin vs Network Engineer

I jumped right into a network admin position out of college in 2018. It was a blessing to land the position to be honest because I had zero experience whatsoever except for networking classes.

The pay is very nice (overtime included) and the benefits are too. It is a smaller enterprise company with a nice culture. The management is lenient on a lot of things, and they embrace new technology. I've made some nice friends and learned exponentially more than when I was in school taking network-focused classes.

Since I've been there, they funded all of my certifications entirely and gave me time to study on the clock. The downside is that I'm now hitting a plateau, and there isn't an open position higher up and won't be for another couple of years, they say, even though my boss has told me that he sees me as a future engineer based on my learning ability. My skills have sharpened immensely, but I fear I will lose them if I'm not challenged to keep them sharp. I've been told that I have guaranteed job security with my current performance at the company and that the covid stuff is nothing for me to worry about, with job cuts being popular nowadays.

Network admin'ing for an enterprise company is fun at first, but being a tier 3 ticket guy with not many cool projects on the side gets monotonous sometimes, especially when there are engineers getting all of the cool new projects that I feel I could outperform.

Now after a small amount of job hunting and interviewing, I have been offered a Network Engineer job with a consulting company. This company works with bigger companies to help evolve their networks and troubleshoot any weird issues during a certain period of time after the evolution. I would be assigned one company at a time as a project, and move on to another once the project is finished. The position is also remote, so I wouldn't be bound to any location.

I'm facing a dilemma because, on one side, my heart is telling me that I'll be throwing away a secure, good paying job with decent co-workers. On the other hand, this is an opportunity to grow and learn. With the covid nonsense, job security is a huge deal, I feel. But I'm also young and super motivated and want to take advantage of that while I can. The pay at this new position would basically be a lateral step.

My question(s) to you guys:

In your experience, which position have you preferred as a networker? Admin or Engineer?

Is this too big of a risk to take given current world events? I know smooth seas never made a skilled sailor, but I've thought about this from many angles and am trying very hard to make a diligent decision.



I am looking to apply to an Amazon data center, but if that doesn't go well, what are other jobs that I could fall back on? Haven't been able to find many good jobs around me.

So I am currently 20, no college degree, and have been working at Geek Squad as an advanced repair agent. I usually spend all my free time studying and doing side projects; right now I am trying to set up a pfSense server, and just get into the networking side of tech.

I have been working here at Geek Squad for a little under a year and it's been a huge learning opportunity for me. I have worked on computers all my life and honestly my manager even comes to me when they don't know what to do. Not at all trying to brag or be egotistical, just saying I feel as if I should be good enough to go to the next step. If that makes sense.

Almost all people who work at Geek Squad move to Amazon after a couple of years just because it pays double what we make and it's basically a step up in how hard it is. But I'm excited to learn more.

So I have been working with a recruiter who has a 98% success rate, whom all my other friends at Geek Squad went through who are currently working there full time now. (Didn't impact $/hr.)

So if for some reason this doesn't work out, what are other places you guys would recommend for someone like me who is looking for just any sort of step up in difficulty? I am looking for a challenge and this is something that I just love. I could do this stuff all day, every day, 24/7.



Cisco 9600 admins, any things one should know before purchasing?

Hi Everyone,

I'm currently planning my datacenter and after extensive research I've chosen the Cisco 9600 series switch.

My configuration is: Cisco C9606R, Cisco C9600-SUP-1, Cisco C9600-SUP-1, Cisco C9600-LC-24C, Cisco C9600-LC-48YL, Cisco C9600-LC-48S.

My question is for anyone experienced with those switches: are there any hidden issues that one should know about?

I come from the 4506E era of networking techies; those were solid as a rock. Can I expect the same from the 9600?

Thanks in advance.



Remote access VPN to Azure, AWS and on prem via single logical VPN gateway

Hello, at my company we have resources in two major clouds (AWS and Azure), plus on prem.
Right now, RA VPN is terminated on an ASA HA pair on prem and tunneled to AWS and Azure via IPsec.

We are planning to terminate the VPN in the cloud, while retaining access to the aforementioned resources. The reason is, most of our users' traffic goes to the cloud and we want the user to access the closest regional VPN gateway. AnyConnect is preferable to reduce the administrative burden (namely, we have AnyConnect and would rather not have to migrate).

The Cisco proposed solution consists of several ASAv deployed in AWS and Azure, next to a dedicated HA pair on prem (https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-mobility/secure-remote-worker-design-guide.pdf page 16). While this would work, it appears to present a substantial management overhead. Additionally, connectivity is not via a single point of access: one GW for on prem, one for AWS, one for Azure. This requires the user to connect to the right GW based on destination.

What I envision:

  1. user connects via AnyConnect to vpn.mycompany.com, ends up on the closest gateway via geolocation
  2. user is authenticated (in our case via Azure AD)
  3. user is authorized: gets assigned Access Packages via Azure AD and is able to access only specific resources based on the access packages assigned (AWS only, AWS+on prem, etc.)
  4. user traffic is routed to Azure, AWS, on prem transparently (via IPsec or whatever from vpn.mycompany.com to the other VPCs)

I guess this can be done by setting up, say, an AWS cloud transit of some sort with multiple cloud gateways (ASAv), loosely based on Cisco's document above, and IPsec to on prem/Azure.
Is there a service doing this transparently? From my understanding, Zscaler with Private Access does, but it's more of a proxy and it would require all company clients to be provided different software.
I did expect Cisco Umbrella with SWG to offer exactly this, but I see no transparent bridging to AWS and Azure.

Feel free to tell me this is a silly idea or that I am totally missing the point. This is uncharted territory for me, being an old school on-prem vpn chap. Thanks!



Load balance ELAN's with Nexus 7K question

Hello,

First off, sorry for the length and how confusing this probably reads. I am linking a diagram that hopefully makes more sense. Though we use Nexuses in our DCs, some of the situations I get myself into confuse me a bit due to the paired nature of the cores.

https://imgur.com/a/nYC0kcF <--Diagram

I have run into a design issue that I am not sure how best to rectify. In each of our datacenters we have a pair of Nexus 7706s in vPC. We have a single point-to-point circuit between two of our datacenters (DC1 & DC2) which plugs directly into Core-A at each site. There is an IP placed directly on the interfaces and everything works fine. We use EIGRP internally for routing.

Recently, we purchased several new point-to-point links from other sites to our primary datacenter (DC1), as well as a redundant P2P between them. The way the ISP set it up, since so many new circuits were going to a single location, was to place an NNI at DC1, and all of the new circuits will traverse a single handoff separated by VLAN. That seemed simple enough to me. I just create an SVI at each site with the correlating VLAN and use the PE as a trunk. However, I am having an issue with EIGRP at the site that has two circuits connecting to each other. The new link plugs directly into core B.

Since the cores are vPC pairs, I create the SVI on both cores with their own IP and a shared HSRP IP. When the new link comes up, it establishes an adjacency with the SVI IP between the B cores, but it starts throwing the following reset errors for the core A SVI:

23:43:06.976 %EIGRP-5-NBRCHANGE_DUAL: eigrp-100 [9341] (default-base) IP-EIGRP(0) 100: Neighbor 172.31.90.20 (Vlan102) is down: retry limit exceeded

23:43:07.048 %EIGRP-5-NBRCHANGE_DUAL: eigrp-100 [9341] (default-base) IP-EIGRP(0) 100: Neighbor 172.31.90.20 (Vlan102) is up: new adjacency

My assumption is that the route tries to establish through core B, goes to core A through the vPC link, and then A sends it through its directly connected P2P link and it fails.

One of my thoughts to try to fix it is to change the first L3 P2P to VLAN 102 and put the two circuits into an ether-channel, but I am not sure that is the best play.



WireGuard or OpenVPN for remote access?

I have used OpenVPN for accessing remote computers for SSH access. Has anyone used WireGuard? If so, how does it stack up to other VPN protocols?



Something like the "Connect" tab on social media platforms, but one for all social media, and that works better?

I use the "Connect" on Twitter and "Discover People" on Instagram menus for networking and it works quite well, but not well enough. It will handpick certain people for you based on things you like or people you follow, which is awesome, but it often doesn't give me enough choices, and I also would prefer if I could pick to see options from different people I like and follow, if that makes sense. Instagram's version honestly kind of sucks, but Twitter's is decent.

Does anybody else use these features? They help me a lot. I also will often go to profiles of people I follow, look at their following list, and find people from there. People that I think would be good to network with in some way.

Does anyone know of a possible platform/app/feature that works the same way? I'm essentially just looking to find suggestions of people online, by what I like and who I follow, but a more in-depth version.

Thanks in advance



I can't find a good Wi-Fi analyzer for iOS. Can someone shoot me a recommendation?

I'm a field tech 1 for an ISP and would like to familiarize myself with a Wi-Fi analyzer. I've seen many techs use them and figure it would be a good way to optimize Wi-Fi setup.

I haven't been able to find a good free version to use on my iPhone. I'm willing to pay for it, I just want to make sure I pick the right one.

Thanks



MAC flapping issue across three fiber ports

Hello everyone, I'm new to the community but I have a strange problem that has been going on over the past couple of days that I cannot seem to find a fix for. At our central office we have one main campus with 2 remote buildings that are routed back to us by our ISP. Since around Wednesday morning I have noticed sporadic MAC flapping issues coming across our fiber ports, which all have one straight fiber connection from our data center switch to each building.

Each of the buildings has spanning tree configured with bpduguard set on all the access ports, and all unused ports are shut down. Our core Cisco 9300 stack is set as the root bridge with everything coming back to it, but no switch is sending any ports into an errdisable state. We have checked all the sites for physical loops and found nothing. MAC address tables on all the switches do not display any duplicate MAC addresses, nor does a Wireshark packet capture show any broadcast storms. Several other engineers who have a lot more experience than me and I have looked at the issue and we cannot find out what is going on. Our biggest issue is port Te2/1/8 on our switch, which has a link to our ISP Calix switch, which has all of our routing and VLANs for the schools; speaking with them, they really had no idea what to do, aside from saying the only traffic they saw coming out of their VLAN was STP. Would anyone have any ideas as to what could be going on? Because I've run out.



New APs for small business

Was told I should post here. Looking for recommendations, please.

Current access points are Cisco Aironet AIR-LAP1142N-E-K9 & AIR-CAP2702I-A-K9 (yes, old). Boss is not happy with the slow speeds.

Looking at TP-Link AX3600 for replacement in the new office, but very open to other managed solutions, and I've been made aware this may not be well suited for enterprise level. Just not wifi-only managed.

New hardware already includes an Extreme X440-G2-48P-10GE4 switch & a Fortigate 60F with 1 Gig up/down through the ISP. Budget for new APs is $300-400 USD per unit.

Needs to support 8-40 laptops at once, depending on workplace events, 8 TVs streaming promotional videos, 4 security cameras, 2 HVAC controllers & multiple handheld devices as needed. Office is 4,000 sq ft and has ethernet & a power source for up to 4 AP locations.

Any help is greatly appreciated, as I'm no IT expert, but I understand a little and am tasked with procurement.



Friday, January 8, 2021

Turning on office machines remotely

Anybody have a surefire way to remotely turn on machines without user intervention? I'm getting tired of reminding office clients to leave machines on so I can work on them after office hours. Often I'll forget to remind them, or they'll forget even after being reminded. Thanks in advance.



Advice to a dummy.

Hey guys, I am relocating the screen of my camera while keeping the NVR in its current place. Does it affect the IP assignments of the cameras if I play around with HDMI cables? Because I don't want to reconfigure anything if I mess it up.



Can access server locally but not externally

I have an MC server and website. Through my DDNS (through freedns.org), I can access all content locally, but not externally through the same URL or the public IP of my subnet.



Help with configuring a basic network

Hi,

I'm at the beginning of learning about Cisco switches. I'm asking for your assistance with a "home" project to help me get a better understanding of basic switching concepts.

I work in IT as a jack of all trades, so I have a pretty good understanding of how computers work.

So I am currently using a Cisco 3560G series switch in the default setup, where it's a layer 2 switch and everything is on VLAN 1 (192.168.1.x).

My router is a pfSense box with a 192.168.1.2 IP address.

I would like to create a VLAN "100" (192.168.100.x) that has access to the internet and my network printer (192.168.1.27) (use an ACL?).

So my steps are: create VLAN 100, assign a port to VLAN 100, enable DHCP on the VLAN, enable IP routing (a little fuzzy here) and save the configuration. After that part's done, I'll config an ACL to limit access to my network printer.

I think I'm missing some steps here. Create an interface for VLAN 100? Have 192.168.100.x with a gateway of 192.168.100.1 that will forward traffic to 192.168.1.2?

Thanks for your help with this. I really appreciate it!

RW



Enterprise Networking Career Change (Is it a good call for me?)

Let me know if this isn't allowed.

Residential

I work for a Fixed Wireless ISP (West Texas). I install and program Subscriber Modules, Dishes, and Routers (all Cambium equipment). I also install all sorts of mounts for said Dishes, Ground Blocks, and run CAT5E cabling. I troubleshoot and diagnose issues on service calls, and replace any faulty equipment or fix any programming errors.

Networking

I also sometimes have to fix programming issues on our Tower Mounted Access Points and Backhauls. I also climb the towers and diagnose issues/replace LMR jumpers, equipment, BCGs. I also troubleshoot our ground level tower equipment, including but not limited to UPS (SMX-1000), PDU, Cisco 3560G Series Switches, CTMs (CTM-2M), P-NET Card Racks.

I'm wondering if it would be beneficial for me to start working towards networking on my own over the next year or so. I'm not going to college because I'm 29 and can't take that much time off. I currently make 55K a year and will probably continue to get raises. Would it be beneficial for me to start working towards getting A+, Network+, CWNA, and CCNA? I really enjoy both sides, the Field Technician and the Networking, so it doesn't really come down to what I like more. It comes down to whether, in the long run, what I'm doing is going to be beneficial in 10+ years, or whether I should move into Networking. Also, could I get a good enough job to support my family in Networking without a degree? Any kind of career advice in general would be greatly appreciated. I don't have any friends or family that I can ask about this sort of thing.



Any BGP Ninjas out there? I really need some help troubleshooting an issue.

Hello guys. I would ask Cisco, but we are broke and I have no support on my gear. Imagine my pain.

I have two ISPs and two Transit routers (Cisco 7604s).

Currently I'm getting just a default route from ISP-A and a full table from ISP-B. Local pref is set higher for my ISP-B and I'm using BGP communities on my ISP-A to make the route to my AS via ISP-B more desirable. I've verified that inbound traffic is coming from my ISP-B and outbound traffic is also going out via my ISP-B. Of course I have iBGP between the two TRs.

Everything was great until this morning, when I asked my ISP-B to also send me JUST the default route. As soon as that happened, I started getting massive packet loss. From my ISP-B Transit router, I could ping out just fine sourcing from any public interface (I have a bunch). From my ISP-A Transit router, if I pinged outbound I would get like 30 to 50% packet loss. On my ISP-A Transit, I could see I had no route for, say, 8.8.8.8, and the default route was coming from the ISP-B TR. I could ping between the two Transit routers just fine. I shut off peering altogether with my ISP-A (neighbor shut) and I was still getting packet loss! I asked my ISP-B to roll back, and as soon as they sent me the full table, I was able to ping out without loss from my network! Can anyone shed any light here for me? I'm really confused as to why this would happen.

Thanks in advance.



What configurations would prevent one computer from reaching another one in a LAN?

Started a new job and I've been tasked with setting up Redmine for us to track bugs/issues. We have a LAN set up and one of the computers is a secure server with the master repo code. I can ping the secure server from another computer just fine. However, when I type the server's static IP address into a web browser, it can't connect. What configurations should I look at on the server with the master repo code? Firewall? Group Policy? I'm not familiar with modifying those, so what should I be trying to do with them? Is there some other configuration I should look at too?



Switch uplink ports

Hello, all. I am just getting started in the networking world. Our current network was installed by some contractors, and I have taken over responsibility for it now.

I have a distribution switch that has multiple uplink ports and no other available interfaces. Can I continue to use one of those ports to uplink and use one of the other uplink ports to "downlink" to another access switch?



Thinking about doing a Nexus spine/leaf config with just 4 switches...

Spines: 9332C, Leafs: 93180YC-FX

I am tired of users complaining and have been given a massive budget to fix our network issue. We will be doing 40 GB. SAN will feed into the leafs via 40 GB connections and then down to the servers via iSCSI. I am eyeing the Nexus line to make us ACI ready but am not going to go the ACI route. Am I off in my thinking here? Will a small spine/leaf help our east-to-west needs? Currently I am on 10 GB.

Granted, each server will connect to the same set of access/leaf switches, so the hop advantage isn't all there, but I am still of the opinion that this is probably the way to go. Would really appreciate anyone's experience here. A partner is suggesting we go with a 9500 chassis, meanwhile the Cisco team is telling us that a spine/leaf setup may be beneficial for our use case. Plus it is cheaper than the 2 9500s being proposed. They are also telling me that going the spine/leaf route allows us to upgrade our bandwidth capabilities with ease if the need arises by adding in more spines/leafs...



Enterprise/building automation recommendations?

We are planning our first large factory network as a BAS company. Most of our jobs are satisfied by 8-16 port unmanaged industrial switches. This time we will have 60+ connections, so I'm curious if that would warrant a managed switch? It doesn't need to be industrial grade given its environment, and our networking knowledge is enough to get by in the web portal or googling our way through the CLI, honestly.

I've understood managed for a network with VLANs, QoS, etc., but we will only have HVAC equipment and controllers, which will all be static IPs. Is there a reason to run a managed switch that I'm not seeing?

No DHCP, no VLANs, and there will be two PCs on the network with the equipment. There will be one link to the customer network, where their routers and firewalls will handle anything that needs to go out.

And then, since we don't do this a lot, would an HP, Dell or Ubiquiti etc. be adequate? (Learning the model numbers.) Would you have a recommendation? 2 48-port switches that are reliable for such an application?

Thanks!!!



The whole internet was down after one tiny little mistake

First of all, I'm using a throwaway account for this post. Something really weird happened and I just thought I would share the story with you guys.

I work for a major telecom provider in a country with a population of about 40 mil; we have around 15 mil clients (consumers and businesses).

Last week, an engineer in the maintenance/operations team was migrating some public /30 subnets (enterprise clients) configured in our global public internet vrf. He was migrating them from the PE router to a smaller aggregation router.

However, for one client (/30), when he configured the interface on the new router, he put /3 instead of /30.

As a result, thousands of public addresses on our network were duplicated and ended up blackholed, including our DNS servers.

So there was a nationwide outage for a few hours, before anyone could figure out what was going on.

The guy is still keeping his job by the way.

And to be honest, mistakes like these do happen, but I think we should implement something somewhere to keep mistakes like these from causing a huge outage like this one.

Has anything like this ever happened to you guys?
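One shape the "something somewhere" can take is a pre-push check on candidate configs. The block below is an added example, not the provider's tooling: it walks IOS-XR-style interface stanzas and flags any address whose prefix is shorter than a policy floor or that overlaps a protected prefix (the policy floor, the protected list and the sample config are all constructed for this illustration).

```python
"""Pre-push sanity check for interface prefix lengths (constructed example).

Reads a candidate config, and reports interface addresses whose prefix
length is shorter than a policy floor or that overlap infrastructure
prefixes that must never be shadowed by an interface route.
"""
import ipaddress
import re
from dataclasses import dataclass

# Policy floor: a customer hand-off on an aggregation router is never
# wider than /24 (assumption for this example; /30 and /31 are the norm).
MIN_PREFIXLEN = 24

# Constructed list of prefixes an interface route must never cover
# (documentation ranges standing in for resolver and loopback subnets).
PROTECTED = [
    ipaddress.ip_network("198.51.100.0/24"),  # "DNS resolvers" (constructed)
    ipaddress.ip_network("203.0.113.0/24"),   # "core loopbacks" (constructed)
]

_IFACE = re.compile(r"^interface\s+(\S+)")
# Accepts both "ip address A.B.C.D/N" and "ip[v4] address A.B.C.D M.M.M.M".
_ADDR = re.compile(
    r"^\s+ip(?:v4)? address\s+(\d+\.\d+\.\d+\.\d+(?:/\d+)?)"
    r"(?:\s+(\d+\.\d+\.\d+\.\d+))?"
)


@dataclass(frozen=True)
class Finding:
    interface: str
    address: str
    reason: str


def parse_interfaces(config):
    """Yield (interface_name, IPv4Interface) for each addressed interface."""
    current = None
    for line in config.splitlines():
        m = _IFACE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _ADDR.match(line)
        if m and current:
            addr, mask = m.group(1), m.group(2)
            # ip_interface understands both "a.b.c.d/N" and "a.b.c.d/m.m.m.m".
            spec = addr if mask is None else f"{addr}/{mask}"
            yield current, ipaddress.ip_interface(spec)


def check_config(config, min_prefixlen=MIN_PREFIXLEN, protected=PROTECTED):
    """Return a list of Findings; an empty list means the config passes."""
    findings = []
    for name, iface in parse_interfaces(config):
        net = iface.network
        if net.prefixlen < min_prefixlen:
            findings.append(Finding(
                name, str(iface),
                f"/{net.prefixlen} is shorter than the /{min_prefixlen} policy floor"))
        for p in protected:
            if net.overlaps(p):
                findings.append(Finding(name, str(iface), f"overlaps protected prefix {p}"))
    return findings


# Constructed candidate config: one correct /30 hand-off and one where
# the engineer typed /3 instead of /30, as in the story above.
CANDIDATE = """\
interface GigabitEthernet0/0/0/1.101
 description customer-A hand-off (constructed)
 ipv4 address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/0/0/1.102
 description customer-B hand-off, /3 typed instead of /30 (constructed)
 ipv4 address 192.0.2.5/3
!
"""

if __name__ == "__main__":
    for f in check_config(CANDIDATE):
        print(f"{f.interface}: {f.address}: {f.reason}")
```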



Lab Traffic Generators

What do you all use for lab traffic generation? In the past, a company I worked for used IXIA, but I believe there may be many lower cost software options that can run on Windows or Linux.



MPLS Common Practices

Have a few questions regarding MPLS infrastructure and encrypting traffic:

  1. When an enterprise is using MPLS, is it safe to assume they are using a service provider's infrastructure for such and not running their own? (enterprise the size of a university)
  2. I'm under the impression that when using a service provider's MPLS infrastructure, the traffic traversing it is essentially going 'over the internet' and thus you should encrypt it. Is this accurate?
    1. If yes, then why does one not encrypt traffic sent over a non-MPLS WAN link?

I hope these questions make sense. I appreciate references to read up on as well. Thanks!



SIEM - Primary Syslog Collector

Hi All

Just trying to get others opinions/experiences on this.

Our SIEM (currently QRadar) has basically become the god Syslog Collector in our environment, but from an operational side it's a bit of a mess. It's gotten hit with thousands of VMware debugs, junk logs and loads of events that aren't security related, which just create noise and impact the actual logs we care about. It's great as a security tool, but from an operational event perspective it's not really fit for purpose, so I'm looking at splitting it out for security monitoring and operational monitoring.

Do others use their SIEM as an operational monitor (by design or just chance, because it's a Syslog Collector that is there)? Or do you have a dedicated system for operational use?

Cheers!
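The split described above usually starts with a filtering relay in front of the SIEM. The block below is an added example, not QRadar's or any vendor's code: it decodes the RFC 3164 PRI header and routes each line to the SIEM, to an operational collector, or to the bin by facility, severity and content. The program lists, the keyword pattern and the sample lines are all constructed for the illustration.

```python
"""Route a syslog feed into security (SIEM) and operational streams (constructed example)."""
import re
from collections import defaultdict

SIEM, OPS, DROP = "siem", "ops", "drop"

# Facility and severity numbers from RFC 3164 / RFC 5424.
FAC_AUTH, FAC_AUTHPRIV = 4, 10
SEV_NOTICE, SEV_DEBUG = 5, 7

# Programs whose output is security telemetry regardless of severity (constructed list).
SECURITY_PROGRAMS = {"sshd", "sudo", "asa", "fortigate"}
# Message content that marks a security-relevant event (constructed pattern).
SECURITY_PATTERN = re.compile(
    r"\b(deny|denied|failed password|invalid user|auth\w*)\b", re.IGNORECASE)
# Chatty hypervisor daemons whose info/debug output is pure noise (constructed list).
NOISY_PROGRAMS = {"hostd", "vpxa", "vmkernel"}

_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# "sshd[2231]:" or "Hostd:"; Cisco "%LINK-3-UPDOWN:" style mnemonics do not match.
_PROG = re.compile(r"^(?P<prog>[A-Za-z][\w.-]*)(?:\[\d+\])?:")


def parse(line):
    """Return a dict with facility, severity, host, prog and msg, or None."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    p = _PROG.match(m.group("msg"))
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "host": m.group("host"),
        "prog": p.group("prog").lower() if p else "",
        "msg": m.group("msg"),
    }


def route(rec):
    """Decide where one parsed record goes; security wins over noise rules."""
    if (rec["facility"] in (FAC_AUTH, FAC_AUTHPRIV)
            or rec["prog"] in SECURITY_PROGRAMS
            or SECURITY_PATTERN.search(rec["msg"])):
        return SIEM
    if rec["prog"] in NOISY_PROGRAMS and rec["severity"] > SEV_NOTICE:
        return DROP
    if rec["severity"] >= SEV_DEBUG:
        return DROP
    return OPS


def triage(lines):
    """Bucket raw lines by destination; unparseable lines go to ops, never silently lost."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse(line)
        buckets[route(rec) if rec else OPS].append(line)
    return dict(buckets)


# Constructed sample feed: authpriv from a firewall, VMware hostd debug,
# a switch link-down, and a firewall deny at informational severity.
SAMPLE = [
    "<86>Jan  8 23:43:06 fw01 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 5100 ssh2",
    "<191>Jan  8 23:43:07 esx01 Hostd: verbose hostd[2099] [Originator@6876 sub=Vimsvc] task started",
    "<187>Jan  8 23:43:08 sw-dist1 %LINK-3-UPDOWN: Interface Te2/1/8, changed state to down",
    "<190>Jan  8 23:43:09 fw01 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/5100 to 192.0.2.10/443",
]

if __name__ == "__main__":
    for dest, lines in triage(SAMPLE).items():
        print(dest, len(lines))
```

Severity alone is not a safe filter: the ASA deny in the sample is informational (severity 6) and would be thrown away by a "drop everything above notice" rule, which is why the content and program checks run first.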



Question about switches to be used between WAN CARP and ISPs

Hello everyone,

I am setting up two Netgate XG-7100s to be used with High Availability, but I really don't know what kind (and even models or brands) of switches I should use for the WAN side for this purpose, and the issues that I could encounter.

I am looking for two desktop switches with 4 or 8 ports at maximum, and don't want to buy cheap (with possibly weak hardware...) managed switches for 30€, used at home or in small offices, to add into a system like this.

Thanks in advance!



Bit Confused on how tag popping works

Hey, I've been reading about this subject after I encountered it in my work. Right now my job is to configure interfaces for our customers, specifically for circuits where we need to buy transport from another provider to get to our network.

The configuration on interface is something like this on the interface we receive the traffic from:

service instance 200 ethernet

encapsulation dot1q 100 second-dot1q 200

rewrite ingress tag pop 1 symmetric

then, we create a pseudowire pointing to a loopback interface on the router that will deliver the traffic to the final operator and, create a cross connect to put together service instance and the pseudowire.

Then on the interface we deliver it to the operator, the configuration is the same minus the tag popping bit.

My understanding is that traffic arrives to us using VLAN 100, we pop the tag the moment the traffic enters our network and add our own tag to it (200), and then it travels through our network solely using the 200 tag; since this is the same VLAN the operator we deliver it to expects, that's it, no further configuration is needed.

However, in certain cases we do use VLAN translations, and the way we go about it is that at the point where we receive the traffic we pop both tags with the "rewrite ingress tag pop 2 symmetric" command, rather than just one, and on the interface where we deliver the traffic we configure the encapsulation with the VLAN the operator expects and a "rewrite ingress tag pop 1 symmetric" command.

My question is, when the packet gets to our network, it is composed of a customer VLAN (with a value of 1-4096 we don't know about nor really care about), then the operator that delivers the traffic to us adds its tag, then we add ours once it enters our network as we pop the one added by the previous operator.

However, when the VLAN is translated, we pop both, so that means the information will travel our network without any tag. So my question is, once it gets there, how does the destination router know which service instance that packet belongs to (after all, the tag for it was stripped the moment it entered our network) and how to retag it?

Does the router just see which VC ID it came from and thus is able to determine the interface service instance by looking at the cross connect the pseudowire belongs to, and once it sees the physical interface/service instance associated with it, knows what to do? Or does it do it in another way?

Thanks



Trying to connect to third party RDP but can't connect.

So I have an issue where our client signed up for a "cloud software" solution, which is that they run a VM on Windows with a Line of Business app and give you access through RemoteApp via RDP.

I am trying to connect to the third party RDP but it is constantly failing. Their support says that there is a problem with our network configuration. Which I find odd, since we are running their router/firewall in a pretty default state.

They say they need port 80/443 open so clients can connect over RDP to their hosted app. But no matter what I do, I can't get it to connect and I am running out of ideas.

What works:

1) I am able to add the url into RemoteApp and get it to connect.
2) It will accept the username/password when adding the RemoteApp URL
3) It shows the links to the RDP connections in the folder.
4) When I click on any of the links, it says that it can't connect and to contact the network administrator.

Things I have done so far:

1) Open ports on Windows firewall.
2) Used ping, Test-NetConnection to make sure computer can connect to their RDS server. Was able to successfully connect over ports 80/443.
3) Had them change the username and password on account.
4) Had the client set it up on a non-domain-joined machine at home (they got it to work) and bring it in to the office to test (as soon as they connected to the office network, it stopped working).
5) They have port 80/443 set to redirect from their WAN IP to their RDS/Anywhere Access server so they can remote into their work computers from home. Removed these rules and retested with same results.

I feel like our client's firewall is the main culprit over any server config. But I can't think of anything else to test, since the work computer is able to talk with the third party RDS servers over ports 80/443. Nor do I have access to the third party cloud provider's servers to review their logs.

Any help would be appreciated.



DHCP IP Helpers

Hi there,

I have a secondary location that was spun up with a new DHCP cluster. Each location has 2 DHCP servers acting in a load-balancing failover cluster. Currently, I have the two DHCP servers at the primary location as my helpers (ex: 10.0.1.1, 10.0.1.2) and will be needing to add the secondary location servers (ex: 10.0.2.1, 10.0.2.2). I read in this MS doc that if I use broadcast IPs, it would allow me to relay to all 4 servers. Would you all recommend this?

Solution?:

10.0.1.255

10.0.2.255

If you have a better solution overall, I'm def open to it.

Ref doc (section: relay agents): https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn338979(v=ws.11)



How would you isolate a device from its own VLAN?

I know this sounds stupid, and that the answer is "make another VLAN", but hear me out:

A client wants a machine in the DMZ to be accessible from the internet (web server), but not able to talk to other devices in the DMZ for what are basically political reasons.

A new DMZ VLAN means changes to the firewall, routing, and a few switches right before we're supposed to "lock down" configs for the season due to the nature of our work. It's a medium-sized project at a moment where there's no time to do it (and who wants a new VLAN for a single machine?).

An obvious answer is the machine's local firewall, but the client wants some network segmentation too.

Next I thought of Port ACLs, which I haven't used much before so excuse me if what follows is idiotic. I made one that was basically:

permit [gateway MAC] any
deny any any

With the reasoning that any L3 traffic would have to be sourced from the gateway (maybe I'm wrong about this).

The PACL did its job except it killed their outgoing internet too. Perhaps because broadcasts aren't getting through?

A last way I thought of was to put a small firewall between the hosts and the rest of the network. That also feels sloppy, though, but the client likes this idea for some reason.

Anyway I'm sure there's a better way to do this but I'm blanking. Any help would be appreciated, since I've never been asked to do something like this before.
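Added example (not from the post): a toy model of how a Cisco-style MAC port ACL is evaluated. Catalyst PACLs are applied to frames entering the switch port from the attached host, so the source MAC in every frame they see is the host's own, never the gateway's; the model runs the posted two-entry ACL and a host-to-gateway variant over constructed frames. The MAC addresses are assumptions, as is the constructed frame list. Note that this only models one direction: a peer's reply frames enter on the peer's port, so two-way isolation on a shared VLAN is normally done with a switch feature such as protected ports or a private VLAN on every port involved, which this model does not cover.

```python
"""Toy model of a Cisco-style MAC port ACL (PACL) evaluated on frames the
attached host sends into its switch port.  All MACs below are constructed."""
from dataclasses import dataclass

GW_MAC = "00:11:22:33:44:01"    # assumed gateway MAC (constructed)
HOST_MAC = "00:aa:bb:cc:dd:01"  # assumed web server MAC (constructed)
PEER_MAC = "00:aa:bb:cc:dd:02"  # assumed MAC of another DMZ host (constructed)
BCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    desc: str


def _match(pattern: str, mac: str) -> bool:
    """'any' matches every address; otherwise compare case-insensitively."""
    return pattern == "any" or pattern.lower() == mac.lower()


def evaluate(acl, frame: Frame) -> str:
    """First matching entry wins; an implicit deny follows the last entry."""
    for action, src, dst in acl:
        if _match(src, frame.src) and _match(dst, frame.dst):
            return action
    return "deny"


# The two entries from the post, as (action, source, destination) tuples.
POSTED_ACL = [
    ("permit", GW_MAC, "any"),
    ("deny", "any", "any"),
]

# Alternative that matches what the host actually sources: frames to the
# gateway (all off-subnet traffic) and broadcasts (ARP, DHCP), nothing else.
HOST_TO_GW_ACL = [
    ("permit", HOST_MAC, GW_MAC),
    ("permit", HOST_MAC, BCAST),
    ("deny", "any", "any"),
]

# Frames the web server sends *into* its port; PACLs are applied inbound,
# so the source MAC is always the host's own, never the gateway's.
INBOUND = [
    Frame(HOST_MAC, GW_MAC, "HTTP reply towards the Internet via the gateway"),
    Frame(HOST_MAC, BCAST, "ARP request for the gateway"),
    Frame(HOST_MAC, PEER_MAC, "SSH to another DMZ host"),
]


def decisions(acl) -> dict:
    """Map each inbound frame description to the ACL's verdict."""
    return {f.desc: evaluate(acl, f) for f in INBOUND}


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("host-to-gateway", HOST_TO_GW_ACL)):
        print(name)
        for desc, verdict in decisions(acl).items():
            print(f"  {verdict:6s} {desc}")
```

With the posted ACL every inbound frame hits the final deny, including the host's own replies to Internet clients; the host-to-gateway variant lets off-subnet traffic and broadcasts through and denies unicast to other DMZ hosts.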



Thinking about replacing our Cisco MX64 SD-WAN

Hello,

I am a recent graduate who got an IT job with a smaller manufacturing company which has no IT infrastructure other than what a previous company that was in our building left. Needless to say it is a mess, and I am the only IT guy for both this factory in the US and our headquarters in Canada. I have managed to get all of our devices online and replaced all the old switches with Cisco 2960s, which my company considers "new". I have run Cat 6E cable to most of our devices (some still running on Cat 5E from the previous company).

However, the one device I have yet to replace is our Meraki MX64. The device only supports 50 devices according to Cisco, and throughput is only 250 Mbps when we have a 1 Gbps connection. So, I have been looking at the Meraki MX100, but I feel it may be too expensive and I am trying to find other options. I am willing to separate the gateway and firewall if needed, as we currently use only the Meraki for both. If anyone could help point me in the right direction for this it would be much appreciated. I would like to note that being the only IT guy means I have to do networking along with security and sysadmin work, so I would prefer if the device(s) could be easier to config.

Thanks



SD-WAN replacement that is free?

We are getting rid of our SD-WAN appliances; the brand at this point doesn't really matter. We are no longer using the bulk of their capabilities due to some restructuring. However, the one thing we do use the SD-WAN appliances for is load balancing our two Internet connections and failover when one ISP has poor connectivity, etc.

I have done a bit of digging but haven't found much. I am looking for an open source project that can handle the basic tasks of load balancing / failover, etc., preferably with HA support too. I have looked at pfSense and it might be able to do some of those things, but I haven't used it enough to know for sure. We are also trying to avoid redesigning the firewall at this point, so this is why I am asking.

If anyone has any experience, please let me know, thanks!



HTB QoS for VoIP at sites with residential Internet connections that won't honour your markings

Do any of you guys implement HTB QoS for VoIP at your sites that have Internet feeds that aren't going to honour your markings?

Do you guys see any benefit in doing this, or is it just a waste of time since the ISP isn't going to honour the markings? I would be marking the VoIP traffic and then putting it in an HTB priority queue.

IMO I see it being useful in a scenario where the site's WAN upload is at 100% utilisation, in which case the VoIP packets will be sent out of the queue before everything else. I see it mainly being useful during 'bursts' of traffic not shown in SNMP polling intervals.

I would like to hear everyone else's thoughts on this.



Palo Alto VM - use virtual wire

hi,

We use a virtual Palo Alto firewall hosted on VMware. Do you have ideas for using the virtual wire feature?



Request fellow network engineers to share their troubleshooting notes/SOP

I am an L2 network engineer with R&S, security (ASA, Palo Alto) and wireless experience. Whenever I encounter a new issue and eventually solve it, I have always made it a point to note the troubleshooting steps, how a particular protocol works, etc. This is info that is not covered in certs and that one can learn only in real-world troubleshooting. This is how I solve many issues that I encounter, even after a long gap.

My hunch is many others might be keeping similar notes/SOPs. Can fellow network engineers share their troubleshooting notes/SOPs?

As there are some areas in networking where I am weak due to lack of adequate exposure, I could use a few reference materials. I don't mind sharing my notes (R&S, ASA, VPN) if someone has a similar need. Hope this is not an odd request :)



Dynamic data latency with CDN

I'm particularly interested in Cloudflare, but my question is probably more about CDNs in general. There is a website using Cloudflare whose dynamic content I want to access with as low latency as possible using a VPS. As far as I understand, all data to and from the website is routed through one of Cloudflare's CDN servers closest to the user. So in order to gain access to live data as fast as possible, do I need to somehow find a VPS location close to one of the CDN servers that is also closest to the origin web server? (Any ideas on how?)
Or should I just get a VPS near the geolocation of Cloudflare's IP address?

Another thing is about the ping value. Since pinging seems to return the latency to the assigned CDN server, am I understanding correctly that low ping doesn't represent low latency to live content, but on the other hand high ping does mean high latency? Or is that also not as simple as I think?



ISP & WAN Switching Question

Hi all, our company has recently had a new internet circuit installed in the main office building to replace the old ADSL circuit with a 1 Gbps circuit.

They have provided us with a Cisco C3560 and told us that only port Gi0/2 can be used - so they’ve only given us one interface. However, we have two firewalls - a primary and a backup just in case and we want to setup an interface on them both.

So I have used an unused Dell N1500 series switch to become our WAN switch so we can pass multiple interfaces (one coming in from the ISP, then two going out, one to each firewall). We have more than enough IPs on the circuit so we can configure static IPs on the firewall interfaces. I've configured a VLAN (100), and I just have two questions.

1) Do we need to configure the port coming from the ISP into the WAN switch on VLAN 100 as a switchport access or trunk port?

2) Do we need to configure the ports going from the WAN switch to the firewalls on VLAN 100 as switchport access or trunk ports?

Thanks in advance. This was the job of a previous employee but sadly they are no longer with us and it has been passed on to me. It's been over 10 years since I've done anything like this, as I'm now a Service Desk Manager, so any help is greatly appreciated.



CG-NAT A10 vs F5

I currently work at a smaller ISP, and we are getting low on IPv4 addresses like many ISPs around the world. We've been looking at deploying either the A10 4440 or the F5 i10600. We've gone through their sales presentations and listened to why they're better than their competition, but do not really have a clear winner in our mind and we do not have time to thoroughly test each platform.

Have any of you used these solutions specifically for CG-NAT and what are your experiences with either?



How do the RJ45 ports differ on the Cisco EPC3928S?

Hello,

I have an STB device which should use only ports 1 or 2 on this Cisco to have the rewind TV program option enabled. Is there something specific about these two ports?



Thursday, January 7, 2021

VLAN Tagging by MAC vendor ID Meraki

Hello,

Trying to find a straight answer to this. I was working with someone using a Meraki network with a few MXs and switches. He has many 3D printers for which he would like to do VLAN tagging by device MAC address (the first three octets of the MAC address), since they are plugged in all over the place on different switches and he doesn't want to tag them manually. He would like the printers on a different subnet.

I know how to do this with non-meraki Cisco devices but I'm not sure if this is possible in the Meraki world of networking.

Has anyone done this?

(Wired and Wireless)



Weird DNS issue with W10 VPN

Hey,

I have a Meraki VPN set up and configured on my laptop (W10).

I'm having a weird issue that no one else is. It seems to be random, but all of a sudden, when connected to the VPN, it'll stop resolving using the DNS server I set in the Meraki config.

If I do ipconfig /all - I can see the correct DNS set on the VPN client.

I.e.: connected to the VPN for about an hour, I can resolve internal resources (e.g. nslookup server).

After about an hour it starts failing and uses Google's DNS for resolution of internal resources. I do have 8.8.8.8 set as a DNS forwarder, but then this should also start happening to devices directly connected to the network, and it doesn't. This issue only occurs when connecting through the VPN and not on the network itself.



Does anyone use Ansible + AWX to manage network devices?

Probably one of the most time-saving projects I've worked on.

We have 50+ remote ASAs + Aruba switches... Man, what a time saver.

Vendor needs me to allow X port from inside to outside the network at all locations? No problem: write out the ASA commands in a YAML file, push it to git, import it into AWX, push it out to all the sites. Done within 5 minutes!

We're moving datacenters and I was dreading setting up 50+ new IPsec IKEv2 tunnels, but now I already have the template of the configuration ready and it's just a matter of pushing it out to all the firewalls. Stuff that would take me hours now takes about 20 minutes or less.

Best of all is that it's open source and free.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Believability of Speedtest websites

I'm having an issue with the network at my office. My main question is, how much stock do you put in websites that claim to tell you your Internet connection's speed?

For background, the network consists of 4 Windows 10 workstations, a Windows 2012 server (responsible for DNS/DHCP), a SonicWall TZ215 (I know it's old; I've replaced it temporarily, it made no difference in solving my issue), and an unmanaged 8-port Netgear gigabit switch (tried replacing this too, it made no difference).

I'm running speed tests (mainly from speedtest.net, but also Google's speed test, and a few other sites) and think there is an issue based on their results. I'm paying for a 200 x 10 connection from Spectrum. Upload speed is almost always around 10 Mbps in every scenario, no matter if I'm plugged directly into the modem, or if I am running through a router/switch/etc.

For download, Speedtest.net consistently tests around 40-60 Mbps on all the office PCs (maybe 80 on a good day) (note: this is when going from the modem, through the Sonicwall, to the switch, then to a PC).

I've tried plugging directly into the modem, so there is nothing to slow it down, and I've gotten 200 Mbps maybe 30-40% of the time, but also around 80 Mbps, and even as low as 30 Mbps. I called Spectrum; they said the modem appeared to be operating normally on their end, but they had a tech come out. He plugged into the modem, got 200 Mbps, and then took off without doing much else.

This has been happening since November, and the reason I tested the speed was because a virtual seminar I was on kept freezing, and my connection was slow on other sites, too. It has been okay over the last month or so, but I haven't done any more video conferences. This is an accounting office, and once our busy season hits in a few weeks, I don't want the network crawling once we're running at full capacity.

Thanks for reading.



Console server automation. Any brands to avoid?

Hey All,

I have a project coming up that will require the use of console servers to connect a large number of devices together so that they can be controlled in parallel. Are there any brands that I should avoid? I don't have enough experience beyond some manual use of a Perle box to know if any specific brand or brands will be problematic. Any gotchas I should know about?

Thanks in advance :)



Small Business Network Redesign with 2 DHCP Servers

I'm the only software developer and IT guy at our company, so bear with me as this is still new to me. We are a manufacturing shop with just under 50 employees.

We currently have a Windows Server VM handling our DC, DHCP (the only one currently), AD, and DNS. I am introducing a firewall to provide extra features to our network, including segregating our network (have a separate guest network, plan on having more).

I've created a quick diagram of what I want to accomplish: https://i.imgur.com/yVkzJMg.png

Since there will be 2 DHCP servers (the pfSense firewall and the Windows Server), how do I make sure that new machines in the same VLAN as the Windows Server will receive an IP address from the Windows Server DHCP and not from the firewall? Or how do I improve this design? I also want to make sure that both access points can be used to access different networks (the main one or the guest one).

Hopefully I provided you enough information and that you can lead me to a resource to better understand how to solve my problem. Thank you all!



Sierra Wireless RV50x - what speeds do people get?

We are trying to deploy a Sierra Wireless RV50X as a backup internet connection. It's fully 4G LTE capable. My phone, on Verizon, will get about 50 Mb/s down. In the same location, the RV50X will get about 20 Mb/s down (also Verizon). I feel like this little device is throttled somewhere. Anyone else experience this? We also have several Digi WR21s that seem to exhibit the same 'slower-than-my-cellphone' speeds. They get about 15 Mb/s on average.



DoublePulsar attack or false alarm

Today on my work computer I noticed that it blocked 2 DoublePulsar threats about 2 weeks ago. When I looked at the source, it was my desktop PC on the same network. I've run Avast Wi-Fi Inspector on the desktop that the threat supposedly came from, but it was a clean scan. Same goes for the malware scan. Are there any potential things that could cause my computer to try to communicate with another computer on the same network that isn't a DoublePulsar attack?



Tool Choices

Hey Everyone;

I'm looking for a couple of ideas on Networking Tools.

I need a good toner, something that goes more than 20 feet. I have like 5 toners at work and they only go like 5-25 feet. I'm willing to spend some money on this because time is money.

I'm also looking for a good ethernet tester- something that can test the speed of the cable rating. Anyone have any input?

Thanks,

Kyle



Credentials for Device Administration - Looking for Sec Best Practices

What's the best practice for credentials with regard to device administration? We currently utilize ISE & TACACS+ in conjunction with our domain credentials. Is this best practice? Would it be better to use accounts separate from what we log in to our machines with? I've looked for documentation on this but mostly just find how to use Windows credentials with TACACS+.



SSID with different capwap termination points

https://imgur.com/LBhaoNb

Currently we have a WLC in a central location that manages all our APs. All CAPWAP tunnels terminate at the WLC. Due to serious address overlap on a new SSID, I need to have that specific SSID's CAPWAP terminate at the 3650 at the remote site while the others would still terminate at the WLC.

I've been looking to see if this is possible and am having trouble finding documentation on how others have done this. Would love any info or suggestions.



EAP-TLS question

I have an employee BYOD Wi-fi net that lands in a guest VLAN and uses PEAP with employee creds for authentication/authorization. I also use EAP-TLS and PEAP auth internally for wired/wifi nets.

Right now I have an internal CA-signed EAP cert installed on the PSNs that works for PEAP/EAP-TLS on the internal nets, but obviously it's not trusted on the devices connecting to my employee BYOD network. Users bypass the cert warning and they're good, but I'd like to eliminate that since it does cause tickets. To do this, I'd like to purchase a SAN cert from GoDaddy and import it on each PSN.

I know that it will work for the PEAP authentications, but for EAP-TLS, does the client *and* server certificate have to be signed by the same CA or do they just have to trust each other's chains? In this case there would be a two way trust, but the client is being presented a GoDaddy certificate chain while the PSN is being presented with an Internal PKI certificate chain during EAP-TLS negotiation.



twin and five gig copper ports and half duplex

Anyone know if it's possible to set twin or five gig copper ports to half duplex? Cisco documentation says this:

"Gigabit Ethernet (10/100/1000-Mb/s) ports and multigigabit ethernet ports (2.5 Gb/s, 5Gb/s, 10 Gb/s) support all speed options and all duplex options (auto, half, and full). However, Gigabit Ethernet ports operating at 1000 Mb/s and above do not support half-duplex mode."

I figured that means if you set the speed to 100 on a five gig port you could then set the duplex to half. This is not the case in my testing however. We are running into problems where legacy equipment isn't compatible with the newer switches we are installing.

Any advice would be appreciated.



What's the correct subnet mask ?

Hi,

I don't know if this is the right place to ask this question: I'm still a student, studying networking.

I had a question in an exam : What's the correct network prefix adapted on this network ?

- Router A : 172.22.0.62 with Computer A : 172.22.0.37

- Router B : 172.22.0.94 with Computer B : 172.22.0.75

And I had multiple answer : /24 ; /16 ; /20 ; /27 ; /25 ; /28.

I chose none of them, but the answer is "/27".

So now I'm trying to understand why it's /27 -> 255.255.255.224. The IP is from Class B : 172.22.0.X...

Can you help me understand ?

Thanks
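Added example (not from the post): a check of each answer choice with Python's ipaddress module. The test a prefix has to pass is the one the question implies: each router must share a subnet with its own computer, the two subnets must be different, and none of the four addresses may be the subnet's network or broadcast address. Classful boundaries (172.22.x.x being "Class B") play no part once a prefix length is given. The only assumption is that reading of the question; the addresses and candidate prefixes are the ones in the post.

```python
"""Find the candidate prefix under which each router sits in the same subnet
as its own computer while the two LANs stay separate (added example)."""
import ipaddress

# Addresses from the exam question.
HOSTS = {
    "Router A": "172.22.0.62",
    "Computer A": "172.22.0.37",
    "Router B": "172.22.0.94",
    "Computer B": "172.22.0.75",
}
PAIRS = (("Router A", "Computer A"), ("Router B", "Computer B"))
CANDIDATES = (24, 16, 20, 27, 25, 28)   # the answer choices


def network_of(addr: str, prefix: int) -> ipaddress.IPv4Network:
    """The subnet that `addr` belongs to under a /prefix mask."""
    return ipaddress.ip_interface(f"{addr}/{prefix}").network


def is_usable_host(addr: str, prefix: int) -> bool:
    """Exclude the network and broadcast addresses of the subnet."""
    net = network_of(addr, prefix)
    ip = ipaddress.ip_address(addr)
    return ip != net.network_address and ip != net.broadcast_address


def prefix_fits(prefix: int) -> bool:
    """Router and computer share a subnet in each pair, and the pairs differ."""
    nets = []
    for router, pc in PAIRS:
        if not (is_usable_host(HOSTS[router], prefix)
                and is_usable_host(HOSTS[pc], prefix)):
            return False
        if network_of(HOSTS[router], prefix) != network_of(HOSTS[pc], prefix):
            return False  # the router could not reach its own computer directly
        nets.append(network_of(HOSTS[router], prefix))
    return nets[0] != nets[1]  # the two LANs must be separate subnets


def fitting_prefixes(candidates=CANDIDATES) -> list:
    return [p for p in candidates if prefix_fits(p)]


def last_octet_bits(addr: str, prefix: int) -> str:
    """Last octet in binary with '|' between network bits and host bits."""
    octet = int(addr.rsplit(".", 1)[1])
    bits = f"{octet:08b}"
    net_bits = max(0, prefix - 24)
    return bits[:net_bits] + "|" + bits[net_bits:]


if __name__ == "__main__":
    for p in CANDIDATES:
        verdict = "fits" if prefix_fits(p) else "does not fit"
        print(f"/{p}: {verdict}", {n: str(network_of(ip, p)) for n, ip in HOSTS.items()})
    for n, ip in HOSTS.items():
        print(f"{n:10s} {ip:14s} last octet under /27 -> {last_octet_bits(ip, 27)}")
```

Under /27 the last octet is split 3 network bits | 5 host bits: .62 and .37 both start 001 (subnet 172.22.0.32/27), .94 and .75 both start 010 (172.22.0.64/27). A /28 splits .62 (172.22.0.48/28) from .37 (172.22.0.32/28), and /25 and shorter put all four addresses in one subnet, so /27 is the only choice that fits.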



Site to Site VPN not working for remote VPN users

Hi,

I have a client which has 2 offices connected with OpenVPN. Users in each network have access to the servers of the other network; however, remote users (connecting from their homes to an office) cannot. For some users the configuration works; coincidentally those users were part of the Windows domain, but it might be a coincidence. Other users can't even ping the opposite network's servers.

The OpenVPN server is on a DrayTek router, so basically the config it has is the username and password for the users. This is my client's config file.

client
dev tun
proto tcp-client                 # TCP transport to the router
nobind
ping 10
remote [IP] 1194
resolv-retry infinite
#verb 5
cipher aes-256-cbc
auth sha256
auth-user-pass                   # username/password from the router's user database
dhcp-option DNS 192.168.10.10
ca oVPN.crt
cert OClient.crt
key OClient.key
#redirect-gateway autolocal def1 # commented out: split tunnel, only pushed routes use the VPN
persist-key
persist-tun
reneg-sec 3600
# no route directives here: any subnet reachable through the tunnel must be pushed by the server

The network was already configured; I just implemented the remote (home to office) VPN. Also, if there is any obvious fault in my OpenVPN client config, feel free to let me know. I have made a rough diagram of the network, here.

Thank you.



Cisco BGP Config help!

Hi all,

I'm trying to set up some BGP routing from my Cumulus leaf-spine network to a Cisco Nexus.

I can see the VLANs hosted on the Cumulus switches when I use 'show bgp all', but nothing in 'show routes' or 'show routes bgp'. On the Cumulus side, I can see my networks from the Nexus, but no traffic flows over.

This Nexus hosts some VLANs. It had no BGP set up before, so we enabled the feature and set up the config as follows:

router bgp 65001
  address-family ipv4 unicast
    network 172.16.0.0/16
    network 172.24.96.0/24
  neighbor fe80::9a03:9bff:fefb:4870 remote-as 65101
    address-family ipv4 unicast
      route-map RFC5549 out      ! route-map RFC5549 itself is not shown in the post
      soft-reconfiguration inbound
    address-family ipv6 unicast
  neighbor fe80::ba59:9fff:fe59:2b0 remote-as 65102
    address-family ipv4 unicast
      route-map RFC5549 out
      soft-reconfiguration inbound
    address-family ipv6 unicast

My understanding is this is route map related? Without routemaps is traffic blocked? Or should it all be allowed by default?

I've put the RFC5549 route-map in because I'm sending IPv4 routes over IPv6 links. I'm running BGP unnumbered on Cumulus and followed this connection/configuration guide for the links: https://support.cumulusnetworks.com/hc/en-us/articles/212561648-Configuring-BGP-Unnumbered-with-Cisco-IOS

Cisco is completely out of my area of expertise so if anyone knows what I'm missing that would be awesome.

Thanks in advance



Separate external/ISP switch?

So, let me preface this by saying that I'm old, and a layer 3/4/7 security guy these days, and have always been of the opinion that at minimum your external/untrusted/ISP connectivity should be on a separate physical switch, and ideally your DMZ on another, and then the LAN-side switching guys can do whatever they want (as they usually do).

However I haven't done any switching in over a decade, last ones I really touched in anger were Catalyst 6500s.

What's the prevailing opinion these days? Is it safe "enough" to use a single top-of-rack switch to provide all connectivity and then VLANs to logically separate?



Slow network speed on Cisco APs @ 5Ghz

Hi,

I just configured some Cisco Catalyst APs and all works fine, but I see that it only connects at 150-200 Mbps. Am I missing some WLAN configuration? I tried changing some radius configurations without luck. I'm very close to the AP and I think this is a very low speed. On my home router I get 700-900 Mbps easily.

Any tip to improve this? Thanks!



Tool to send large UDP packets and check PMTUD

Hi,

What tool do you use for PMTU discovery testing? It's easy for me to test with TCP, but I'm not sure what would be best for UDP. iperf seems to do TCP MSS lookup and only sends small packets; I can't seem to get iperf to cause ICMP 'fragmentation needed' packets at least, even by playing with the length parameter.



Do Cisco Mobility Express WiFi solutions use CAPWAP?

In the Cisco docs, they talk about "converting from CAPWAP to ME", so it sounds as if CAPWAP is a completely different thing. But a person on the internet claimed that ME also uses CAPWAP to connect the APs to the hosted WLC. Which is true? I can't find sources on that. If they don't use CAPWAP at all, how do the APs communicate with the hosted WLC?



Wednesday, January 6, 2021

What's the right topology for this use case?

Looking for more info on this, and it's hard to Google since different providers seem to call this service something else and results tend to pull up the provider-side topologies, which don't really matter for me.

We are looking to connect multiple branches to the main branch. There is already a service in place to do this through our ISP (they call it ELAN). It is a layer 2 connection between all of the branches. At the main site is our main connection out to the internet, and it has plenty of bandwidth to go around.

My question is, in this case, should we simply connect a trunk port to the service (each branch has one handoff) and use VLANs to break up the branches. The inter vlan routing being handled at the main site (either the firewall or a nice l3 switch).

Or does this call for each branch to have its own firewall and some routing protocol setup?

I inherited this setup so it was halfway done and while some sites were connected directly another had a brand new firewall which made me question the other setups. (Though the firewall had nothing in place yet)



UniFi APs and Controller Kicking Blink Sync Module

Hello Everyone,

I am running into an issue with Blink's Sync Module 2 that basically gets disassociated after being on the Wi-Fi for about 30 seconds. It's 100% repeatable on any UniFi system, using any Blink Sync Module (1 or 2).

A little background on me, I am a long time UniFi admin.

I am connecting a Blink Sync Module 2 to an SSID (configured as per below specs) on my UniFi Dream Machine or my Unifi FlexHD access points or both at home.

I also tested on my system at work which consists of 100+ nanoHD Access Points and a UniFi Controller.

The Blink Sync Module will only connect over 2.4 GHz and is named walnut (default name).

The SSID being tested was named IoTRoD (at home)

Security: WPA Personal

Wifi Band: 2.4 GHz

WPA Mode: WPA2 only, Encryption: AES/CCMP Only

Group Rekey Interval: Enable GTK rekeying every 3600 seconds

BSS Transition: Allow BSS Transition with WNM

Tried on UDM firmware 1.8.4 and 1.8.5

Tried on UAP-FlexHD version 5.43.19.12493 and 4.3.21 and 4.0.80

Tried building a new controller on version 6.0.43, 6.0.41 and 5.14.23 on Windows and Linux.

I also have a ticket open with Ubiquiti Support and they have suggested I try the following which I have with the same results and log output:

  1. Disable Auto-Optimize network (was already but I enabled and re-disabled)
  2. Disable Block LAN to WAN Multicast and Broadcast Data (was already but I enabled and re-disabled)
  3. Disable Fast Roaming (was already but I enabled and re-disabled)
  4. Disable High-performance devices (was already but I enabled and re-disabled)

All with the same results with the same message as below.

RADIUS is not enabled whatsoever, which is why it is so confusing as to why there are these RADIUS events. No other device triggers this to happen, and as stated, the exact same thing happens in my stable work environment.

Below is a snippet from the /var/log/messages file

# tail -f messages |grep a0:d0:dc:b1:37:XX
Dec 30 01:59:00 BasementAP daemon.info hostapd: ra1: STA a0:d0:dc:b1:37:XX IEEE 802.11: associated
Dec 30 01:59:00 BasementAP user.info wevent: wevent[17715]: wevent.ubnt_custom_event(): EVENT_STA_JOIN ra1: a0:d0:dc:b1:37:XX / 12
Dec 30 01:59:00 BasementAP daemon.info hostapd: ra1: STA a0:d0:dc:b1:37:XX WPA: pairwise key handshake completed (RSN)
Dec 30 01:59:00 BasementAP daemon.info dnsmasq-dhcp[2146]: DHCPDISCOVER(br0) a0:d0:dc:b1:37:XX
Dec 30 01:59:00 BasementAP daemon.info dnsmasq-dhcp[2146]: DHCPOFFER(br0) 172.XXX.XXX.171 a0:d0:dc:b1:37:XX
Dec 30 01:59:00 BasementAP daemon.info dnsmasq-dhcp[2146]: DHCPREQUEST(br0) 172.XXX.XXX.171 a0:d0:dc:b1:37:XX
Dec 30 01:59:00 BasementAP daemon.info dnsmasq-dhcp[2146]: DHCPACK(br0) 172.XXX.XXX.171 a0:d0:dc:b1:37:XX walnut
Dec 30 01:59:00 BasementAP user.info wevent: wevent[17715]: wevent.ubnt_custom_event(): EVENT_STA_IP ra1: a0:d0:dc:b1:37:XX / 172.XXX.XXX.171
Dec 30 01:59:10 BasementAP daemon.info hostapd: ra1: STA a0:d0:dc:b1:37:XX RADIUS: starting accounting session 562CB5429F4E6E9C
Dec 30 01:59:10 BasementAP user.info stahtd: stahtd[17719]: [STA-TRACKER].stahtd_dump_event(): {"message_type":"STA_ASSOC_TRACKER","mac":"a0:d0:dc:b1:37:XX","vap":"ra1","event_type":"success","assoc_status":"0","ip_delta":"300000","ip_assign_type":"dhcp","wpa_auth_delta":"40000","assoc_delta":"20000","auth_delta":"0","event_id":"1","auth_ts":"19573.719202","arp_reply_gw_seen":"yes"}
Dec 30 01:59:37 BasementAP daemon.info hostapd: ra1: STA a0:d0:dc:b1:37:XX IEEE 802.11: disassociated
Dec 30 01:59:37 BasementAP user.info wevent: wevent[17715]: wevent.ubnt_custom_event(): EVENT_STA_LEAVE ra1: a0:d0:dc:b1:37:XX / 12
Dec 30 01:59:37 BasementAP user.warn kernel: [19610.522673] ra1: AUTH - receive DE-AUTH(seq-28) from a0:d0:dc:b1:37:XX, reason=3
Dec 30 01:59:37 BasementAP user.warn kernel: [19610.522892] Can't find pEntry(a0:d0:dc:b1:37:XX) in ApStaDel
Dec 30 01:59:37 BasementAP user.info stahtd: stahtd[17719]: [STA-TRACKER].stahtd_dump_event(): {"message_type":"STA_ASSOC_TRACKER","mac":"a0:d0:dc:b1:37:XX","vap":"ra1","event_type":"sta_leave","assoc_status":"0","event_id":"1"}

Any ideas on how to fix or troubleshoot further would be greatly appreciated.
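Added example (not part of the post): a parser for the hostapd, dnsmasq and kernel lines quoted above that rebuilds the client's session timeline. It reports how long the module stayed associated, which side sent the deauthentication frame, and the 802.11 reason code with its meaning from the standard's reason-code table; the "receive DE-AUTH ... from <MAC>" line is the AP driver logging a frame it received from the client, which is what the parser keys on. The sample lines are the ones from the post (with the same masked MAC and IP), so the regexes accept 'X' as a masked hex digit; anything else is standard-library Python.

```python
"""Reconstruct a single STA's session from the UniFi AP log lines quoted in
the post: association, DHCP, RADIUS accounting, and who sent the deauth."""
import re
from datetime import datetime

# Reason codes from the IEEE 802.11 standard (deauthentication/disassociation).
REASON = {
    1: "unspecified",
    2: "previous authentication no longer valid",
    3: "deauthenticated because sending STA is leaving (or has left) IBSS or ESS",
    4: "disassociated due to inactivity",
    5: "disassociated because AP is unable to handle all currently associated STAs",
    6: "class 2 frame received from nonauthenticated STA",
    7: "class 3 frame received from nonassociated STA",
    8: "disassociated because sending STA is leaving (or has left) BSS",
}

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
# 'X' is accepted because the post masks the last octet of the MAC.
MAC = r"(?P<mac>[0-9a-fA-FxX]{2}(?::[0-9a-fA-FxX]{2}){5})"
PATTERNS = {
    "associated": re.compile(TS + r" .*hostapd: (?P<vap>\S+): STA " + MAC
                             + r" IEEE 802\.11: associated$"),
    "disassociated": re.compile(TS + r" .*hostapd: (?P<vap>\S+): STA " + MAC
                                + r" IEEE 802\.11: disassociated$"),
    "deauth_rx": re.compile(TS + r" .*kernel: .*receive DE-AUTH\(seq-(?P<seq>\d+)\) from "
                            + MAC + r", reason=(?P<reason>\d+)"),
    "radius_acct": re.compile(TS + r" .*hostapd: (?P<vap>\S+): STA " + MAC
                              + r" RADIUS: starting accounting session (?P<session>\w+)"),
    "dhcp_ack": re.compile(TS + r" .*DHCPACK\(\S+\) (?P<ip>\S+) " + MAC),
}

# Lines copied from the post (MAC and IP masked as in the original).
LOG_LINES = [
    "Dec 30 01:59:00 BasementAP daemon.info hostapd: ra1: STA a0:d0:dc:b1:37:XX IEEE 802.11: associated",
    "Dec 30 01:59:00 BasementAP daemon.info hostapd: ra1: STA a0:d0:dc:b1:37:XX WPA: pairwise key handshake completed (RSN)",
    "Dec 30 01:59:00 BasementAP daemon.info dnsmasq-dhcp[2146]: DHCPACK(br0) 172.XXX.XXX.171 a0:d0:dc:b1:37:XX walnut",
    "Dec 30 01:59:10 BasementAP daemon.info hostapd: ra1: STA a0:d0:dc:b1:37:XX RADIUS: starting accounting session 562CB5429F4E6E9C",
    "Dec 30 01:59:37 BasementAP daemon.info hostapd: ra1: STA a0:d0:dc:b1:37:XX IEEE 802.11: disassociated",
    "Dec 30 01:59:37 BasementAP user.warn kernel: [19610.522673] ra1: AUTH - receive DE-AUTH(seq-28) from a0:d0:dc:b1:37:XX, reason=3",
]


def parse_line(line: str):
    """Return an event dict for a recognised line, else None."""
    line = line.rstrip()
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            event = m.groupdict()
            event["kind"] = kind
            # No year in syslog timestamps; strptime defaults to 1900, fine for deltas.
            event["time"] = datetime.strptime(event.pop("ts"), "%b %d %H:%M:%S")
            return event
    return None


def summarize(lines) -> dict:
    """Session summary for the single STA present in the snippet."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_kind = {e["kind"]: e for e in events}
    out = {"mac": events[0]["mac"] if events else None,
           "radius_accounting_seen": "radius_acct" in by_kind}
    if "associated" in by_kind and "disassociated" in by_kind:
        delta = by_kind["disassociated"]["time"] - by_kind["associated"]["time"]
        out["session_seconds"] = int(delta.total_seconds())
    if "dhcp_ack" in by_kind:
        out["ip"] = by_kind["dhcp_ack"]["ip"]
    if "deauth_rx" in by_kind:
        code = int(by_kind["deauth_rx"]["reason"])
        # The driver logs 'receive DE-AUTH ... from <STA>': the frame came from the client.
        out["deauth_sent_by"] = "client"
        out["reason_code"] = code
        out["reason_text"] = REASON.get(code, "reserved/unknown")
    return out


if __name__ == "__main__":
    for k, v in summarize(LOG_LINES).items():
        print(f"{k:24s} {v}")
```

Run against the quoted lines it reports a 37-second session ending with a deauthentication frame the AP received from the module carrying reason code 3; a reason sent by the AP side would instead show up in hostapd's own deauth logging rather than in a "receive DE-AUTH from" line.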



S2S between Meraki MX & Azure VWAN

I'm trying to set up a test vpn connection between a Meraki MX and our azure infra virtual WAN.

All the documentation shows how to set one up using the normal VNet, VPN gateway, etc. rather than the Virtual WAN piece that we have on our subscription. This is supposed to make life easier with auto deployment, etc. (which works perfectly with our VeloCloud SD-WAN), but no matter what I try I cannot get the MX to connect to the newly created VPN site/connection.

Does anyone have any experience with this who might be able to push me in the right direction?



Cisco AMP experience -- are false positives common, or is it just me?

We have recently switched to Cisco AMP for device protection. I was given a new laptop, and the new laptop has Cisco AMP. In copying my files from years of work over from the old laptop, Cisco AMP has had hundreds if not thousands of detections that I'm pretty sure are all false positives. Among them include multiple detections of files in a proprietary archive format we use internally that are highly-compressed and not executable, and also Microsoft's PowerShell script for installing the Azure Artifacts credentials provider. Is this an expected experience? If this tool is detecting so many false positives, how can there be confidence in anything it is reporting?



Free open-source network OS to use as a virtual machine with VXLAN support for production

Does anyone know a free network OS that I can run as a virtual machine with VXLAN support?

Use case: I have 2 sites that I want to connect with VXLAN (Layer 2 over Layer 3).



Network board optimization and manipulation

Hi guys, hope you all had a nice holiday season!

I'm doing research on high-performance systems, but I have little knowledge of networking or TCP communication, so I don't know exactly where I'm supposed to look. Here is my situation in detail:

I have 3 servers with Intel Ethernet 10G 2P X520 cards, and there are 5 different (software and FPGA) applications connected to all three sending TCP messages. I'm trying to create two scenarios:

1 - in one application send a stream of messages optimized for that specific board and therefore processed faster than all the others

2 - in another application send a stream of messages that slows down the processing of the messages and therefore making it and all other applications underperform

I don’t know what configs I should be looking at to achieve that, so I’d appreciate some guidance!

Thanks in advance.



Lock a Cradlepoint hot spot to very specific URLs

We have a Cradlepoint, and it's configured as a hot spot, and currently (after authentication) it directs you to a web page we configured. But you are still able to surf the internet once you authenticate. Is there any way to lock down the access so it can only go to that page, the Apple store, and Google Play?



LAN Issue doing my nut in!

Hi All,

Odd one here:

Router = Draytek 2860 Port 1 no VLANs connected to HP 1920 Switch.

Switch 1 connected via fibre with 5 VLANs to Switch 2, another 1920. VLAN 1 untagged, VLANs 3-5 tagged; tagging matches at both ends.

WIFI Point to Point link connected to Switch 2 on VLAN ID 1 Untagged.

Remote End Point to Point AP connected to Switch 3 VLAN ID 1 Untagged.

Subnet Range is 192.168.2.0 with the router being 192.168.2.1 VLAN ID 1 untagged.

From the remote end beyond the WIFI link clients can ping 192.168.2.1 and the web management page is accessible.

From the remote end you cannot reliably ping any other hosts on the far side of the WIFI link other than the router. Lots of lost packets.

At the remote end you can ping all hosts on the local Switch 3 network.

From the local side you cannot reliably ping hosts on the remote end of the link again with lots of lost packets but you can ping hosts on the local network.

The odd part is the Draytek does seem able to reliably ping hosts on both parts of the network.

Currently tearing my hair out, any suggestions?



Network Assessment Tool

Hey All -

Looking for a new network assessment tool that can be used on various networks. One pain point is finding a license model that is portable, as it would not be a tool that sits forever on one network.

In the past we've used Netbrain 6.x and may look at the newer trains but I believe their new licensing model may be difficult for our use case.

I'd like to focus on:

  1. Topology Creation - having a solid topology is the key to having intelligent conversations about the network in my mind. Ideally it could generate L2 / L3 topologies.

  2. Device Information - I'd like to get easy reports on the device, modules, code versions, etc. Even sweeter if it could directly integrate with the vendor portals to provide EOS / EOL info right in the tool instead of having to export / import into the vendor tool.

  3. Configuration Dumps - The ability to view the configuration of all of the devices and ideally look at them in some "smart-view" way to glean insights easily. An example would be being able to easily identify that most switches are VTP transparent, but a few are in VTP server mode.

  4. Smart Insights - This is really a cherry on top. If it could make some smart recommendations for low hanging fruit that would save us engineering time by catching the most common things like lack of or mismatched NTP.

  5. Link Utilization - Another cherry on top would be the ability to look at WAN links and provide some basic utilization.

  6. Netflow Collector - Another cherry on top, the ability to glean what apps are on the network and if QOS is being respected.

Totally willing to pay for this tool as well. Any insight would be greatly appreciated.



Migrating Wi-Fi from extreme to cisco catalyst - mitel phone issues

We are migrating from an Extreme/Enterasys/IdentiFi wifi solution to a Cisco Catalyst 9800 wifi solution. In total we are replacing 4 Extreme controllers and 700 APs. Everything is working as it should, except our Mitel 5624 wifi phones. Both controller setups are central switching and are located in the same datacentres. The VoIP SSID on both solutions leaves the controllers on the same VLAN, with both the Extreme and Cisco solution having layer 2 connectivity on that VLAN.

For some strange reason, when a wifi phone is connected to the Cisco solution it can call a wifi phone connected to the Extreme solution, but there is no audio. All other calls to other phone systems on different VLANs work fine. There seems to be a networking issue somewhere which is preventing the calls from working from Extreme to Cisco and vice versa; these phones are in the same broadcast domain, just over different controllers.

Has anyone experienced anything similar?



Brother tape for wire wraps (PT-E550)

Hey guys

Just bought a Brother PT-E550 label maker. I am interested in buying the third party tapes, was just wondering which ones you guys have used for wire wrapping specifically that are durable and stay stuck on.

I read the Brother FlexibleID tapes are the best for that, but don’t think there’s much third party “flexible ID” tapes, only the regular ones.

Also recommendations for label widths? I’m mostly doing Cat6 or smaller.



DDoS Questions - Fortigate

So I'm 99.9% positive we had a DDoS attack today. I think this because the network utilization graph shot from 5 Mbps to 5 Gbps and stayed there for probably 5 or so minutes. By the time I figured out what had happened it had almost ended. I am in K12, so sometimes kids hire services to do this. From what I've seen, usually the free ones don't have the capabilities to fill a 5 Gb circuit. Any truth to this? Not that it matters, more just curious.

Second question: the Fortigate CPUs shot to 100%, so it took down our internal network. This was caused by the miglogd process, which I'm assuming was because it was bombarded by so many packets from so many sources? After it was over I tried to look at the log and couldn't really find much, nor was it responding well, most likely because of the magnitude of logs? Are there certain things to look for? Certain things to set up for logging that would give you more insight? I know a lot of that doesn't matter because the attack is distributed, just curious. The kids are remote so there's probably little chance of figuring out who started it. Mitigation services are far too expensive from what I've seen to be feasible. I've only seen 2 of these in 15 years and the last one was when we had a school on a cable modem. Just asking questions for my own skills and knowledge.



Is this setup overkill?

Dear people who know more than me on this subject.

We are planning to install a network infrastructure in a real-estate property with about 12 rooms. We got a suggestion from a networking firm with the following setup:

1 x Meraki MX84 Router

3x Meraki M5120-BLP 1G 8x GigE 67W Pow Switch

1x Meraki MR46 Wi-fi indoor AP

10x Meraki MR36 wi-fi 6 indoor AP

This would cost us about 8 647 dollars.

Is this too advanced for an infrastructure used mainly for the occasional surfing and, in the future, for a 20-person LAN?

Could you recommend a more suitable brand/setup?

We really would like to lower the price so we can buy other cool stuff but we also want a decent infrastructure.

All help would be appreciated.

Cheers.



Trying Out Nornir. Grabbing Current Inventory Methods?

Hey guys, this might be a quick answer for you, but I can't seem to find it on Google. I'm looking at Nornir for automation, but it says it needs a hosts file, and we have so many devices that manually adding each into a YAML file just doesn't make sense. What's the best way to grab all of these devices at once and create this file, if possible?

Thanks!



Checking backplane utilization Arista switch

I've been searching for the command to check the backplane utilization but cannot find it; Google is not being my friend either.

Anybody that can enlighten me with the correct set of commands?



Is it possible to track IP sessions with packets coming in different threads?

Hi everybody,

Is it possible to track IP sessions when packets are coming into different threads, meaning they could come in different order too?

The use case is the following: I have a very high throughput of network packets and, in order to handle them efficiently, I would like to run the process in multiple threads. So, if there are 4 packets coming to the process, the 1st packet might go to the 1st thread, the 2nd packet to the 2nd thread and so on... This might result in packets not being processed in the right order, so the 3rd packet might be processed before the 1st one. My knowledge tells me that it would be impossible to track IP sessions in that case, but what do you think? Is there any way to create an IP session context and somehow handle it when packets are not coming in the right order?

If this is not possible, I wonder how networking software handles high throughput efficiently?

Thanks!
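Two standard answers to the question above, as an added example that is not code from the original post: hash each packet's 5-tuple to a worker so every packet of one flow lands on the same thread (the idea behind NIC receive-side scaling), and inside that worker reassemble the TCP payload by sequence number so out-of-order or duplicated segments are still delivered in order. All addresses and packets below are constructed sample data.

```python
"""Flow-affine dispatch plus per-flow TCP reordering (stdlib only).

Added example for the "IP sessions across threads" question; not code from the
original post. (1) hash each packet's 5-tuple to a worker so a flow never spans
threads and no session state needs locking; (2) inside a worker, reassemble TCP
payload by sequence number so segments arriving out of order are delivered in order.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import zlib

FlowKey = Tuple[str, int, str, int, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int = 6          # 6 = TCP
    seq: int = 0            # sequence number of the first payload byte
    payload: bytes = b""
    syn: bool = False       # True for the SYN / SYN-ACK of the handshake


def flow_key(pkt: Packet) -> FlowKey:
    """Direction-independent key: request and reply hash to the same value."""
    lo, hi = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (lo[0], lo[1], hi[0], hi[1], pkt.proto)


def worker_for(key: FlowKey, n_workers: int) -> int:
    """Stable hash (crc32, not Python's randomised hash()) onto a worker index."""
    return zlib.crc32("|".join(map(str, key)).encode()) % n_workers


@dataclass
class TcpStream:
    """Reassembly state for one direction of one TCP flow."""
    next_seq: Optional[int] = None                  # unknown until the SYN is seen
    pending: Dict[int, bytes] = field(default_factory=dict)
    delivered: bytearray = field(default_factory=bytearray)

    def add(self, pkt: Packet) -> int:
        """Buffer a segment, deliver what is now contiguous; returns bytes delivered."""
        if pkt.syn:
            self.next_seq = pkt.seq + 1             # the SYN itself consumes one sequence number
        elif pkt.payload:
            self.pending[pkt.seq] = pkt.payload
        if self.next_seq is None:
            return 0                                # handshake not seen yet: keep buffering
        before = len(self.delivered)
        while self.pending:
            seq = min(self.pending)
            if seq > self.next_seq:
                break                               # gap: wait for the missing segment
            chunk = self.pending.pop(seq)
            skip = self.next_seq - seq              # >0 for a duplicate or overlapping retransmit
            if skip < len(chunk):
                self.delivered.extend(chunk[skip:])
                self.next_seq += len(chunk) - skip
        return len(self.delivered) - before


class Worker:
    """Private state of one thread; no locks needed because a flow never spans workers."""

    def __init__(self) -> None:
        self.streams: Dict[Tuple[FlowKey, str, int], TcpStream] = {}

    def handle(self, pkt: Packet) -> int:
        sid = (flow_key(pkt), pkt.src, pkt.sport)   # one reassembly buffer per direction
        return self.streams.setdefault(sid, TcpStream()).add(pkt)


def reassemble(packets: List[Packet], n_workers: int = 4) -> Dict[Tuple[str, int], bytes]:
    """Dispatch packets to workers by flow hash; return the in-order payload per sender."""
    workers = [Worker() for _ in range(n_workers)]
    for pkt in packets:
        workers[worker_for(flow_key(pkt), n_workers)].handle(pkt)
    result: Dict[Tuple[str, int], bytes] = {}
    for w in workers:
        for (_, src, sport), stream in w.streams.items():
            result[(src, sport)] = bytes(stream.delivered)
    return result


# Constructed sample: one HTTP request split into three segments, captured out of
# order with a duplicate, the client's SYN arriving last, plus the server's SYN-ACK.
CLIENT, SERVER = ("10.0.0.5", 51000), ("192.0.2.10", 80)
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
_c = dict(src=CLIENT[0], sport=CLIENT[1], dst=SERVER[0], dport=SERVER[1])
_SEG1 = Packet(**_c, seq=1001, payload=REQUEST[:10])
_SEG2 = Packet(**_c, seq=1011, payload=REQUEST[10:25])
_SEG3 = Packet(**_c, seq=1026, payload=REQUEST[25:])
SAMPLE_ARRIVAL: List[Packet] = [
    _SEG3,                                          # third segment arrives first
    _SEG1,
    Packet(src=SERVER[0], sport=SERVER[1], dst=CLIENT[0], dport=CLIENT[1], seq=7000, syn=True),
    _SEG2,
    _SEG1,                                          # duplicate retransmit
    Packet(**_c, seq=1000, syn=True),               # client SYN, arrives last
]
```

Because the dispatch is keyed on the flow, the result is identical whether one or eight workers are used; only the per-worker load changes.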



Weird 0.0.0.1 IP in BlueCoat access Logs

Hi,

I've a BlueCoat proxy running. I just checked the logs and found requests to the IP 0.0.0.1.

The IP is e.g. mentioned in the fields cs-host, URL. Does anyone know the purpose of the ip?

Thanks,



Internet Packet Loss - MTR

Hello! It seems like there should be a subreddit for this kind of thing, but I haven't found it yet. Apologies if you feel this is not appropriate for here, but I suppose it is something you folks deal with.

I'm getting occasional heavy packet loss between NYC HE and London NCUK, as observed between my VPS in Los Angeles and a pingbox tester in London:

       Host                            Loss%   Snt   Last    Avg   Best   Wrst  StDev
 1.|-- _gateway                         0.0%    60    0.4    0.5    0.3    1.5    0.2
 2.|-- unassigned.psychz.net            0.0%    60    0.9   10.4    0.7  172.6   32.5
 3.|-- [redacted]                       0.0%    60    0.7    1.2    0.5    7.2    1.5
 4.|-- v807.core1.lax2.he.net           0.0%    60    2.9    7.0    0.6   23.6    8.8
 5.|-- 100ge2-2.core1.lax1.he.net       0.0%    60    4.0   10.2    0.6   56.2   12.1
 6.|-- 100ge12-1.core1.ash1.he.net      0.0%    60   58.7   62.4   54.9   94.4   10.0
 7.|-- 100ge1-1.core1.nyc4.he.net       0.0%    60   60.4   62.2   60.3   74.9    2.9
 8.|-- 100ge7-1.core1.lon2.he.net      20.0%    60  140.9  141.8  140.5  151.8    2.3
 9.|-- ???                             100.0    60    0.0    0.0    0.0    0.0    0.0
10.|-- po11-13.bdr-rt3.thdo.ncuk.net   15.0%    60  218.5  163.5  162.1  218.5    7.9
11.|-- po4-31.core-rs4.thdo.ncuk.net   23.3%    60  165.1  166.6  165.1  179.6    2.7
12.|-- [redacted]                      30.0%    60  168.3  168.5  168.2  169.8    0.3

I have always been a bit confused by an MTR such as this. I do understand that packet loss at any one hop does not mean the packets are stopping there, for example if by hop 12 loss was back to 0% it wouldn't matter if the routers in between returned the pings themselves.

So in this case, is it a problem between hop 7 and hop 8 meaning HE is overloaded crossing the pond, or more likely is it the interconnection between HE and NCUK is overloaded and dropping packets and the 20% loss at lon2.he.net is not really a problem?

Then once I do know who to blame, are there any effective ways to report it?

(I can't get an MTR in the other direction because I don't control the London endpoint machine)

Thanks!
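The rule the post reaches for ("loss at one hop only matters if it is still there at the end") can be applied mechanically to the report quoted above; the following is an added example, not code from the original post, that parses those 12 hops and labels each one. The hop that answers nothing (??? at 100%) is treated as ICMP-silent rather than as loss, and a second, constructed report shows the opposite case of loss that disappears at later hops.

```python
"""Read an mtr report the way the post reasons about it (stdlib only).

Added example, not code from the original post. Loss at a hop is "persistent"
only if every later hop that answers at all also shows loss; loss that vanishes
downstream is a hop de-prioritising ICMP, not path loss. Hops that never answer
tell us nothing either way.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^\s*(?P<hop>\d+)\.\|--\s+(?P<host>\S+)\s+(?P<loss>[\d.]+)%?\s+(?P<snt>\d+)"
    r"\s+(?P<last>[\d.]+)\s+(?P<avg>[\d.]+)\s+(?P<best>[\d.]+)\s+(?P<wrst>[\d.]+)\s+(?P<stdev>[\d.]+)"
)

OK = "ok"
PERSISTENT = "persistent loss (carried through to the destination)"
ISOLATED = "isolated loss (probably ICMP rate-limiting at that hop)"
SILENT = "silent (never answers ICMP; not path loss)"


@dataclass
class Hop:
    hop: int
    host: str
    loss: float      # percent
    snt: int
    avg: float       # ms

    @property
    def silent(self) -> bool:
        return self.host == "???" and self.loss >= 100.0


def parse_mtr(report: str) -> List[Hop]:
    """Parse `mtr --report`-style lines; lines that do not match are ignored."""
    hops: List[Hop] = []
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if m:
            hops.append(Hop(int(m["hop"]), m["host"], float(m["loss"]), int(m["snt"]), float(m["avg"])))
    return hops


def classify(hops: List[Hop]) -> Dict[int, str]:
    """Walk back from the destination; loss stays 'persistent' until a clean hop is met."""
    labels: Dict[int, str] = {}
    persists = True
    for h in reversed(hops):
        if h.silent:
            labels[h.hop] = SILENT
        elif h.loss == 0.0:
            persists = False
            labels[h.hop] = OK
        else:
            labels[h.hop] = PERSISTENT if persists else ISOLATED
    return labels


def first_persistent_loss_hop(hops: List[Hop]) -> Optional[Hop]:
    """The earliest hop whose loss is carried through to the destination, if any."""
    labels = classify(hops)
    return next((h for h in hops if labels[h.hop] == PERSISTENT), None)


def end_to_end_loss(hops: List[Hop]) -> Optional[float]:
    """Loss at the last answering hop is the only number the far end actually feels."""
    answering = [h for h in hops if not h.silent]
    return answering[-1].loss if answering else None


# The report quoted in the post (values as posted).
SAMPLE_REPORT = """\
 1.|-- _gateway                         0.0%    60    0.4    0.5    0.3    1.5    0.2
 2.|-- unassigned.psychz.net            0.0%    60    0.9   10.4    0.7  172.6   32.5
 3.|-- [redacted]                       0.0%    60    0.7    1.2    0.5    7.2    1.5
 4.|-- v807.core1.lax2.he.net           0.0%    60    2.9    7.0    0.6   23.6    8.8
 5.|-- 100ge2-2.core1.lax1.he.net       0.0%    60    4.0   10.2    0.6   56.2   12.1
 6.|-- 100ge12-1.core1.ash1.he.net      0.0%    60   58.7   62.4   54.9   94.4   10.0
 7.|-- 100ge1-1.core1.nyc4.he.net       0.0%    60   60.4   62.2   60.3   74.9    2.9
 8.|-- 100ge7-1.core1.lon2.he.net      20.0%    60  140.9  141.8  140.5  151.8    2.3
 9.|-- ???                             100.0    60    0.0    0.0    0.0    0.0    0.0
10.|-- po11-13.bdr-rt3.thdo.ncuk.net   15.0%    60  218.5  163.5  162.1  218.5    7.9
11.|-- po4-31.core-rs4.thdo.ncuk.net   23.3%    60  165.1  166.6  165.1  179.6    2.7
12.|-- [redacted]                      30.0%    60  168.3  168.5  168.2  169.8    0.3
"""

# Constructed counter-example (RFC 5737 addresses): hop 2 drops probes but the
# destination is clean, so nothing is actually being lost on the path.
ISOLATED_EXAMPLE = """\
 1.|-- 192.0.2.1      0.0%    20    1.0    1.0    0.9    1.2    0.1
 2.|-- 198.51.100.1  45.0%    20    5.0    5.1    4.9    5.5    0.2
 3.|-- 203.0.113.9    0.0%    20    9.0    9.1    8.9    9.6    0.2
"""
```

For the posted report, loss first appears at hop 8 and is present at every answering hop through to hop 12, so the report is consistent with genuine loss starting on the link into lon2.he.net; it cannot by itself distinguish that from congestion on the HE/NCUK interconnect, which is why a reverse-direction trace is usually requested.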



HTB QoS - nbn ISP Network Design

Hi,

I am making this post to get feedback from fellow Network Engineers on my HTB QoS implementation for my nbn ISP in Australia.

One of the selling points of my ISP is that we QoS prioritise specific game traffic on our L2 nbn Aggregation, Backhaul, and IP Transit. I got into an argument with a software engineer on reddit who was saying this is pointless, which I disagree with from a technical POV. I understand that nbn and the IP Transit provider are not going to honour the QoS on their network. I also understand that HTB QoS will not take effect until the link is at 100% utilisation. IMO this doesn't mean it is pointless to QoS prioritise the game traffic on our ISP Routers. A good example of QoS being useful on our ISP Routers is if our links are at 100% utilisation due to Netflix, Youtube, etc then we will prioritise the game traffic to be sent out of the queue.

Am I correct or am I missing something? I have gotten technical stuff wrong in the past, but on this one I think I am correct? I am a Network Engineer by trade and I am always trying to learn and improve. Clarification from other Network Engineers on this will help me sleep at night.

My Network Design can be found here:

https://imgur.com/a/rsUmdPA

For anyone outside of Australia "nbn" is our Layer 2 wholesale access network here.



What you Like vs What you Hate in your current position

Hi Guys,

Thought I'd make this post to see what the job environments are like for different roles and companies of network engineers.

I will start:

Position: Project management in a service provider

What I like:
* Abundance of knowledge, technical exposure and support from vendor.
* Great work/life balance.
* Career Safety
* Professional environment (it is good to work only with Network Engineers and not have to deal with customers or people outside the industry)
* Micromanagement is there to a certain limit

What I hate:
* Low pay
* Scope limitation (basically for our department we don't even see routers or have access to them, there is dedicated team for each specific task)
* Painstakingly slow and long processes to do any task (it is really hard to show that you are working hard and trying to be committed to the ECDs. Basically delays are always there)
* No career development (3 years in the same role)
* No appreciation of effort (I am trying to work hard, but the company is too large for my efforts to be noticed)
* Management decisions that greatly affect project delivery. (this is the biggest pet peeve that I cannot go into detail for confidentiality, but basically I would say that this is the worst point in the whole list)

Let me know about your working environment; I am considering shifting career, but not sure if the grass is greener on the other side.



Tuesday, January 5, 2021

Cat9K MPLS Network - CE to CE traffic broken!

I've just recently lost connectivity between a couple of CEs on my MPLS network. The PE routers are spitting this out in the log, which I'm guessing is the problem, but I don't understand what it means or how to check the issue:

Jan 5 16:08:23.198 Hawaii: %FED_L3_ERRMSG-3-mpls_resume_create: Switch 1 R0/0: fed: Resuming create for MPLS LABEL ENTRY resource

Jan 5 16:08:23.199 Hawaii: %FED_L3_ERRMSG-3-mpls_pause_create: Switch 1 R0/0: fed: Critical limit reached for MPLS LABEL ENTRY resource. Create paused

Jan 5 16:08:23.200 Hawaii: %FED_L3_ERRMSG-3-mpls_out_of_resource: Switch 1 R0/0: fed: Out of resource for MPLS LABEL ENTRY. Failed to program local label:903 (2048/2048) in hardware

Anyone know how to troubleshoot this? I am running Catalyst 9300's on 16.9.4/5/6 and 16.12.4.



Does antenna angle/position make a difference?

Suppose you have a wireless router with some antennas; I assume these antennas are dipole and vertically polarized but not sure. Does it make a measurable difference in RSSI if then on the receiver device you position an antenna vertically as well to match the polarization of the transmitting router? I can't find any literature on this at all... I think it should make a difference but it's unclear how much.



Sending default route to iBGP Neighbor.

I have an edge network with 2 ISPs terminating on 2 separate routers. Both ISPs will peer BGP and we'll advertise some ARIN-assigned IP space to them. Both of the ISPs are sending us local+1 routes and a default route. Both of those routers connect to L3 switches downstream which are peered iBGP with the routers in a mesh fashion and will only accept the default route.

Our firewalls will sit downstream from the switches and will have links to both switches and use ECMP BGP (fortinet) through a VIP on the switches VRRP or HSRP staggered between 2 /30s to the 2 wan ports on the firewall.

Everything works but I can't figure out how to get the default route to flow through to the Fortinets; the switches aren't advertising them because they are learned through iBGP. I tried the neighbor default-originate command and no luck.

The only solution that seems to work is use a different AS number on the fortigates but they will advertise some public IP routes as well so that could be a problem with the ISP.

I'm sure this is something simple or my design is just terrible but I've hit a wall and figured I'd ask.

Mockup in GNS3 below... disregard the cloud thing attached.

https://imgur.com/a/fUqC7gi

The goal is for the fortigates to receive default routes but be able to advertise to BGP also routes originating.



iPerf for testing WAN/internet speed

I have a 250Mbps circuit from Comcast. However, when I conduct speed test using iPerf, I only get about 23Mbps. What could I be missing?

./iperf3 -c iperf.scottlinux.com -P 8 -t 30 -w 32768



What alternatives to Solar PuTTY are there for Mac?

Looking for alternatives to Solar PuTTY for Mac.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Help with my dissertation Internet traffic anomaly warning tool

Hi! I am starting to develop my master's thesis, and would like to ask you a simple question to help me understand the usefulness of my tool!

If that is okay, please comment one or more answers for the following question:

Would you consider using a plugin in your browser that warns you when your Internet traffic is showing suspicious behaviour which might indicate that it is being heard / diverted?

a) Yes, I have already searched for a tool like that

b) Yes I would try it

c) This risk does not concern me

d) I don't use plugins

e) I didn't know it was possible

f) I can't believe you can do that

Thank you so much for your time!

If you also want to answer my short questionnaire (2 minutes) to help me understand some of your priorities and help me with the implementation, I would be very grateful.

Link to questionnaire: https://forms.gle/BnGSuWoTV3XusodNA



Segmenting the network of a campus and need some tips

Hey r/

I'm in the process of designing the segmentation of the campus network and just want to confirm I'm on the right path.

The campus has currently over 1200 students and 300 teachers. All of them will be required to bring a notebook with them for class, since the school wants to introduce a BYOD policy. So I have around 1500 laptops and for argument sake, just as many smartphones. Guests arrive at the campus, fixed computers will be added to the campus, so basically a lot of devices.

I've read up on some best practices on VLANs and subnets, and there are some posts stating never to go below /22, since you never need that many devices in one subnet. In the end, we decided that since the campus has 12 buildings and we have 1500 people, a /22 would suffice, since the users are spread over the campus. I've read on reddit that one network engineer faced problems: students would gather at a building where they did not have classes and turn on their laptops, getting a DHCP IP from that network, which caused the pool to run out of free IP leases even with a 2-hour lease. So I was rather thinking of using a /20?

To keep it simple, I wanted to segment the networks as follows, and for argument's sake, let's keep the /22 for now.

  • Students - address block 10.1.0.0/16 with a subnetmask of /22
  • Management - address block 10.2.0.0/16 with a subnetmask of /22
  • Servers - address block 10.3.0.0/16 with a subnetmask of /22
  • Teachers - address block 10.4.0.0/16 with a subnetmask of /22
  • Guests - address block 10.5.0.0/16 with a subnetmask of /22
  • ...

This would mean that I would have 64 subnets of an address block and 1024 hosts per subnet.

I was looking into multiple DHCP pools / subnets per VLAN, and while it is possible, it is not recommended. I was also not sure on how to route the different subnets per vlan, so I'm assuming I need to go a level deeper in this?

Instead of assigning the address block VLAN 10, I want to assign each subnet a VLAN for easier management.

Since every VLAN has its own range, I need to define all these ranges in a Windows Server DHCP role, assign intervlan routing so that the entire "student" vlan range can talk to each other and printers.

Or should I just whip out a /16 and have huge broadcast domains since most devices and programs tend to go to multicasts rather than broadcasts?



802.1x - Design Understanding

Hey Everyone,

I may be walking the line between sysadmin/network subs but this seems to be an allowed topic here.

I'm designing an 802.1x implementation and am trying to wrap my head around everything. I'm hoping I can recite this back and y'all can nail me to the wall if my understanding is wrong. My intention is to make this process easily repeatable.

My Goal

Set up wired/wireless 802.1x (EAP-TTLS/PAP, so RADIUS 'server side' cert only with clear text wrapped up in TLS) between Windows 10 supplicants and FreeRADIUS 3.x with Active Directory group membership for authorization and using bind-as instead of Kerberos to handle authentication (to avoid using Samba).

First off, I realize EAP-TLS with client certs would be more secure but I am unable to bear the administrative overhead at this time.

Assuming the above can work securely, I understand the process as follows:

  • Supplicant initiates EAP-TTLS/PAP connection to Authenticator (the access point/switch) over EAPOL.
  • Authenticator forwards connection to radius server after stripping off EAPOL.
  • Radius Server responds in the existing flow back to workstation with TLS certificate bundle.
  • Supplicant verifies radius server certificate is trusted and continues EAP over TLS.
  • Radius server decrypts TLS (removes EAP-TTLS encapsulation) and processes the PAP (plain text) password.
  • Radius server binds to Active Directory over TLS (a separate certificate) using LDAPS with a service account to gather group membership info of user.
  • Radius server verifies user group membership against local policy and continues to authentication.
  • Radius server rebinds using the user's credentials (PAP, so clear text) over LDAPS (secure) to Active Directory.
  • Bind is successful so Radius knows authentication has succeeded.
  • Radius tells Authenticator Access-Accept
  • Network device/Authenticator enables port/allows association to continue.
  • Workstation gets IP address and is on network.

If anyone can shed some words of wisdom or "hey stop now because..." or maybe even a "yeah that should work well enough", I would much appreciate it. Thanks



US/India - Shipping Meraki and Cisco equipment

We are hoping to reuse some existing networking equipment from Cisco and Meraki for our new office (India). We need to ship from US to India.

Has anyone done this before? Any issues with customs or using this equipment from the US in India?



What has a bigger performance impact: Latency vs Fragmentation?

We have two data centers that used to have a layer 2 point-to-point with a 1518 MTU. There are servers at each site that do iSCSI replication back and forth. The interfaces on the servers set their MTUs to 1500. (I unfortunately don't have access to them and cannot tell yet whether Path MTU Discovery is enabled).

We have migrated to SD WAN and now the same circuit is used between our Silver Peak appliances at each data center. Now data-center interconnectivity is via 3 underlays: The original p2p, and 2 Internet connections. However with the encrypted tunnel overhead, the MTU is 1488 over the WAN.

So the replication used to occur over the layer 2 point to point with 1 ms latency and 1512 MTU.

Now it's going over the SD-WAN - specifically in an overlay tunnel that has 10 ms latency. The server admin has mentioned that the replication takes longer than it used to.

Hypothetically, if the servers are sending 1500-byte frames and don't have Path MTU Discovery, would they benefit more from switching to an overlay that has lower latency (sub 1 ms), or from enabling Path MTU Discovery and reducing the frame size?
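The two effects in the question can be separated numerically. The following added example (not code from the original post) fragments an IPv4 datagram the way RFC 791 requires and bounds TCP goodput by window/RTT, then runs the post's own numbers (1500-byte frames, 1488-byte overlay MTU, 1 ms versus 10 ms). The same window/RTT bound is what caps each stream in the earlier iperf3 question run with -w 32768. Assumptions: the quoted latencies are one-way (so RTT is double), and the 64 KiB window is a placeholder, not a value from either post.

```python
"""Fragmentation versus latency, worked with the post's numbers (stdlib only).

Added example, not code from the original post. fragment_ipv4 splits a datagram
per RFC 791 (every fragment re-carries the 20-byte IP header; offsets are 8-byte
multiples); window_bound_bps is the one-window-per-RTT ceiling on TCP goodput.
Assumed: one-way latency as quoted, so RTT = 2x; a placeholder 64 KiB window.
"""
from dataclasses import dataclass
from typing import Dict, List

IPV4_HEADER = 20
TCP_HEADER = 20


@dataclass(frozen=True)
class Fragment:
    offset: int      # payload offset in bytes (a multiple of 8, as the wire format requires)
    length: int      # total IP packet length including its header
    more: bool       # MF flag: another fragment follows


def fragment_ipv4(total_length: int, mtu: int) -> List[Fragment]:
    """Fragment a datagram of total_length bytes (header included) to fit mtu."""
    if total_length <= mtu:
        return [Fragment(0, total_length, False)]
    payload = total_length - IPV4_HEADER
    step = (mtu - IPV4_HEADER) // 8 * 8            # largest 8-byte multiple that fits
    frags: List[Fragment] = []
    offset = 0
    while offset < payload:
        chunk = min(step, payload - offset)
        frags.append(Fragment(offset, chunk + IPV4_HEADER, offset + chunk < payload))
        offset += chunk
    return frags


def window_bound_bps(window_bytes: int, rtt_s: float) -> float:
    """TCP cannot deliver more than one window of payload per round trip."""
    return window_bytes * 8 / rtt_s


def wire_efficiency(tcp_payload: int, mtu: int) -> float:
    """Payload bytes per byte actually put on the wire, after fragmentation."""
    frags = fragment_ipv4(IPV4_HEADER + TCP_HEADER + tcp_payload, mtu)
    return tcp_payload / sum(f.length for f in frags)


def scenario(window_bytes: int, one_way_ms: float, tcp_payload: int, mtu: int) -> Dict[str, float]:
    """Goodput ceiling, packet rate and fragment count for one replication path."""
    rtt_s = 2 * one_way_ms / 1000.0                # assumption: quoted latency is one-way
    goodput = window_bound_bps(window_bytes, rtt_s)
    frags = len(fragment_ipv4(IPV4_HEADER + TCP_HEADER + tcp_payload, mtu))
    return {
        "goodput_mbps": goodput / 1e6,
        "fragments_per_segment": frags,
        "packets_per_second": goodput / 8 / tcp_payload * frags,   # every segment becomes `frags` packets
        "wire_efficiency": wire_efficiency(tcp_payload, mtu),
    }


# The post's numbers: 1500-byte frames (1460 bytes of TCP payload) over the old
# 1 ms L2 link, versus the 1488-byte overlay at 10 ms, with and without PMTUD
# (PMTUD would shrink the payload to 1488 - 40 = 1448 bytes).
WINDOW = 64 * 1024                                 # placeholder window size, not from the post
SCENARIOS = {
    "old L2 p2p, 1500 MTU, 1 ms":          scenario(WINDOW, 1.0, 1460, 1500),
    "overlay, no PMTUD, 1488 MTU, 10 ms":  scenario(WINDOW, 10.0, 1460, 1488),
    "overlay, PMTUD on, 1488 MTU, 10 ms":  scenario(WINDOW, 10.0, 1448, 1488),
    "low-latency overlay, no PMTUD, 1 ms": scenario(WINDOW, 1.0, 1460, 1488),
}

if __name__ == "__main__":
    for name, s in SCENARIOS.items():
        print(f"{name:38s} {s['goodput_mbps']:8.1f} Mbit/s  {s['fragments_per_segment']} frag/seg"
              f"  {s['packets_per_second']:8.0f} pps  efficiency {s['wire_efficiency']:.3f}")
```

With a fixed window, ten times the RTT costs ten times the goodput, whereas a 1500-byte frame into a 1488-byte MTU costs one extra 36-byte packet per segment (about 1.3 % of wire bytes) but doubles the packet rate and means any single lost fragment discards the whole segment.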



Working around a faulty 10Gig SFP+ port on a 2960X - Is EtherChannel viable?

Sorry in advance for the amateur question, but here goes. I have a Cisco Catalyst 2960X-48FPD-L where one of the 10Gig SFP+ ports has gone bad after a power outage - it won't recognize any transceiver inserted into the port even after multiple swaps with known good ones (and the fiber tests fine), so it's definitely the port itself. Unfortunately that port is what linked this switch to another 2960X-48FPD-L on the other end of the building (and the second 10Gig interface on the switch links it back to our MDF, so I can't use that one). The ideal solution is "replace the switch", which doesn't make financial sense as we're scheduled to pull and replace all of these in a few months anyway. The fiber run is the only thing currently connecting those two physically distant switches together.

As a stopgap measure I found a mothballed 2960X-48FPD-L where half the Ethernet ports don't work (but the SFP+ ones do); I plugged the transceiver into that one and it works fine, but now I need the least goofy way to trunk it back to the switch with the bad SFP+ using the remaining functional Ethernet ports. Right now it's connected via a single sad Ethernet cable, which works as a temporary solution but will likely run into bandwidth issues seeing as there's a reason these were specced for 10Gig speeds in the first place.

Would this be a workable scenario for a temporary EtherChannel setup? Could I set aside (up to) 8 1Gig Ethernet ports on both switches and at least in theory get something between the current flimsy 1Gig and the original 10Gig connection between the two, or am I completely on the wrong path here and about to do something silly? I do realize that this switch will likely end up with more bad ports down the line, but I just need to keep the boat afloat until the new gear comes in.

Thank you in advance and apologies if the terminology here is off, I'm by no means an expert in this stuff but I'm learning!



Trying to add static IPv6 Address in PFSense and struggling to do so

Picture one here lists the current active lease and the corresponding address issued to my PiHole for IPv6. I'm trying to add this as a static one, even if it's not the original one that PiHole has (I can always change it), but I've been battering my head around this trying to understand IPv6 addressing, and I just can't figure out the format.

The UDID I get: it's a unique identifier that includes the MAC of the device, but I'm not sure how to use it to set a static address, or what the format looks like.

https://imgur.com/a/XoH6ejG

Would appreciate any help, thanks



OpenVPN create an interface per user. Trying to replicate a Mikrotik feature on Linux.

Hoping someone here has some good Linux network or OpenVPN experience. I'm decently versed in Linux networking but can't figure out a way to do this.

Mikrotik RouterOS has a pretty sweet feature where you can define an OpenVPN server interface that's tied to a particular user ID. So under `/interface ovpn-server add` if the interface name is ovpn99 and the user is set to jbrown, then every time jbrown connects, they are bound to ovpn99. This allows you to do things like, bridge that interface into a VLAN or bind it to a VRF that other users don't have access to.

I want to do this with OpenVPN on Linux, but I'm not really sure how they do it. Maybe they just maintain a fork of OpenVPN where they do the magic internally. I'm hoping to use it with tap interfaces and bridge each user into a particular VLAN.

Anyone have any ideas?



OSPF lsa type 4 confusion

I'm getting stuck into the finer details of LSAs. I understand why the LSA type 4 ASBR summary is needed, but I've a lingering question. If R1 is an ASBR in area 1, won't R2 in, say, area 2 know of R1's routes via the 'normal' route summarisation flooding between areas? So won't R2 know that the route to the ASBR is via the ABR joining area 0 with area 2? Why is an LSA type 4 needed?



Question about dns loadbalancing setup on aws/Route 53

So here goes,

I am essentially the sysadmin for a small nonprofit student org. We just received some AWS credits through one of our sponsors, so I've been looking to switch our infrastructure over from an Azure load balancer to something on AWS so I'm not paying for it out of my own pocket.

Our current setup:

Client ----DNS lookup---> (Cloudflare as DNS and Proxy) ----Cname record(alb generated domain)-----> (Azure Load Balancer)----IP----->(Origin server with Cloudflare CA)

I am a bit of an AWS and DNS novice, trying to learn as I go, so if this is completely wrong, just be brutally honest lol. What I am most unsure of is the DNS/certificate setup between Route 53 and CloudFront. I have been playing with this a bit today and I haven't gotten it working quite right, as CloudFront seems to be very picky with its certificates. If it's not clear from my diagrams, I would prefer HTTPS traffic all the way to the origin.

My Idea of what could happen on AWS:

Client ----DNS lookup (mywebsite.com)-----> (Cloudflare as DNS for mywebsite.com)-----Cname record(cloudfront autogenerated domain)---->(Cloudfront Distribution)---Cname like route.mywebsite.com---->(Route53 DNS on route.mywebsite.com with latency or geo routing)------IP----->(Origin servers with lets-encrypt cert for mywebsite.com)

Any ideas or suggestions would be greatly appreciated!



Diagnosing intermittent network issues?

I recently inherited a site with a dozen SFP fiber lines run out to dozens of various switches. The network keeps randomly going out altogether for 10-15 minutes, some wifi devices just stop being able to pull DHCP until they're rebooted, one switch simply can't pull DHCP at all but all static traffic works, just some weird random BS.

Anyone have some go-to tips to examine this traffic and see what's going on? My guess is a broadcast storm so I need to just sit at each end of the site and monitor wireshark, but I'm not too savvy in monitoring these things.

Any tools to help diagnose extremely odd network behavior before I just start yanking and recabling 11 acres of facility?



Port errors accumulating during network boot

I've noticed over the years of my career that when a server or a switch is in auto-provisioning mode (PXE/ZTP etc.) in its reboot loop, switchport errors will sometimes start incrementing. The number is very high, way higher than you'd expect from the number of packets being sent out during the network boot attempt.

Observations: It only happens sometimes. i.e. you can have two servers that are in network boot mode and one interface will increment errors, whereas a different one will not.

It doesn't matter if it's a server or a switch.

When the switch/server is finally provisioned the errors no longer increment and everything is fine.
I've only ever seen it on arista switches as the ToRs, but that is only because the companies I've worked at use Arista. No idea if it happens on others.

So the question is, what is causing those errors?

Note that this isn't a problem, but it does cause our port error monitoring to alert sometimes while we are provisioning new servers/switches and I'd like to have an explanation for whenever interested parties ask.



MST instance 0 question

Is it possible to prune MST instance 0 by explicitly saying what VLANs are on it? Or does it just default everything and you can only remove VLANs by adding them to other instances? Thanks



Allow PCs to use VPN to connect to Clients

A few of our clients want us to connect to their PCs and run reports. To do this they want us to install their VPN client on the user's PC and allow it to connect to their network and then RDP to a server. The problem I have with this is, if the client's network is compromised, we could also be compromised over the VPN connection, right? Is there a better solution?