Saturday, January 16, 2021

How do you get to the business side

I feel tired and bored of being an enterprise network engineer. I feel like I am ready to transition to the business side or closer to where the money is made. Have any of you made this transition, and if so, how easy was it, i.e. presales, technical project management, director/manager etc.?



Link between switchports and power consumption

Hey guys, I'm looking for some information on the link between the number of ports on a switch and the power consumption. Looking at 3560 series switches for use on my home lab collapsed core/distribution layer.

So I'm looking on eBay for some older layer 3 Cisco switches, but I couldn't really find any concrete information about the average power consumption of switch ports. I just had a few questions and figured you guys might know a thing or two about switches.

Does a 48 port switch consume a meaningful amount more power than a 24 port switch?

Does shutting down a switch port make it consume less power than an active switchport?



Failover LAG to firewall

Hi all,

Hoping somebody can point me in the right direction. I really only know a little networking, normally enough to get by, but I am having an issue with setting up a connection between a switch stack and 2x Sophos XG 310s.

We have 2 310s running in an active/passive setup. To connect these to my user stack (Dell N3000) I have created 2 LAGs in active mode.

Port TE 1 from switches 1 and 2 in the stack are in port-channel 10 and connect to 2 10Gb ports on the primary Sophos device. Port 2 on switches 1 and 2 are port-channel 11 and plug into the failover Sophos device.

LACP LAGs are also configured on the Sophos devices.

I thought this setup should work, but when everything is plugged in there seem to be packet drops all over the show.

Although the Sophos devices are in a failover setup, the way they run, the ports on the failover device never shut down.

Thanks in advance for any tips to point me in the correct direction.



Forcepoint - does anyone know this manufacturer?

Does anyone know this manufacturer or the product itself and can say something about it?

I do not know it and somehow I cannot classify this company.

It's not like Cisco, WatchGuard, Fortigate, Checkpoint or PF-/OPNsense where you work with it every day and even non-specialists know the name and what they do.



Cloud host refuses disabling ICMP

I'm moving my server from DigitalOcean to a local cloud host. On DO, I have inbound ICMP disabled to prevent a DDoS attack, because DO has transfer limits: enough network traffic will knock a prepaid server offline or incur high charges against a postpaid server.

My new host doesn't have a transfer limit, but they're refusing to disable inbound ICMP. I can't understand why, since I see no downside, and it seems suspicious to me. Is there any good justification for allowing inbound ICMP?



Friday, January 15, 2021

Strange NAT issue occurring on single VM, need some insights (tcpdump included)

This is now solved!

Hi everyone!

My server recently had a fit, and now one of my Ubuntu VMs is acting strangely. I am unable to make a NATed connection over a site-to-site VPN that worked just fine prior to this, and I hope someone can shed a light on where the problem might be.

Setup is as follows:

155.55.55.55 (fake) - Public IP of remote side on site-to-site LAN

10.20.0.1 - IP of router/default gateway on remote side of site-to-site VPN.

192.168.0.1 - IP of device setting up local bridging of site-to-site VPN.

10.20.0.203 - IP on site-to-site LAN

Prior to my server having a fit, I had a working forward from 155.55.55.55:80 to 10.20.0.203:80.

The forward would work as follows: Device (pfSense) with 155.55.55.55 on its WAN interface (10.20.0.1 on a LAN interface) is configured to forward port 80 to 10.20.0.203, which is an Ubuntu VM that resides in said LAN, but on the other side of the site-to-site VPN. The bridging to the remote side of the LAN is performed by a pfSense instance as well.

The bridge works just as expected, and is described so you have an idea of the setup.

The problem arises when I attempt to do a NAT from the remote public IP: 155.55.55.55 (80) -> 10.20.0.203 (80)

When I attempt to connect to the public IP on port 80, the forward works just fine towards 10.20.0.203 (80). The problem is that the Ubuntu VM doesn't ack the TCP connection, leading to timeouts. You can see an image showing this here: https://i.imgur.com/Ita4b60.png

This is a tcpdump performed on the Ubuntu VM that is the destination of the forward. It shows that a telnet connection attempt actually reaches the VM, which has netcat listening on port 80 (the big blue bar is my public IP that I am trying to access the forward from; you can see on the right it hits *.http, which is port 80). None of the SYNs are acked, and I do not understand why.

Here is another dump from a host on the remote side LAN (10.20.0.151) connecting with telnet successfully: https://i.imgur.com/p2Y0blq.png

I have ruled out the port forward as the issue, as it works just fine with another freshly installed, exact duplicate Ubuntu VM. Does anyone have some experience and can guide me on how I should go about diagnosing this?



CGNAT vs NAT

With IPv4s being expensive and hard to come by, I had some questions about carrier-grade NAT. I have tested an IPv6-only network and found several issues with using strictly IPv6 as an ISP: some web sites only being IPv4, routers with the IPv6 stack not enabled by default, routers not accepting certain prefix sizes, Roku with no IPv6 stack, etc. The only realistic way I can see based on what I have read is to run dual stack (IPv4 & IPv6) simultaneously. For IPv4, hand out private IPv4 addresses to customers. Several distributors sell CGNAT-capable equipment. What features and functionality do these CGNAT devices have over the normal NAT that you would find on a consumer-level router?



Dell ACL on VLAN Interface dropping VRRP traffic

Anyone seen traffic, specifically VRRP traffic, being thrown away by an ACL on a VLAN interface? I have attempted to allow multicast traffic, I specifically called out the multicast IP used by Dell VRRP, I even put in a permit any any rule, and VRRP continues to get blocked. I have even attempted IP 112, which I read was what VRRP talked on, but still nothing.

Dell support couldn't figure it out, so just wondering if anyone has seen this?



Transceiver Manufacturer Recs

I'm just about to start moving my network to Juniper from Cisco. I brought this on myself.

During the transition there will be a mixed environment with sfp on the cisco side, sfp+ on the juniper side, a mix of SM and MM fiber, twinax cables...

I was looking for a transceiver manufacturer that can supply all the new ones I'll need, both for the mixed environment and the final product. So far ProLabs looks like it has everything I need. Who has experience with them, or can give me some other leads?



Bridging SFP+ to RJ-45 10GbE on 2960X-48FPD-L

Hey all,

I have a Cisco WS-C2960X-48FPD-L switch that I'd like to connect to the 10 Gigabit Ethernet port on a Synology DS1817. My first inclination was to use an SFP+ copper RJ-45 transceiver, but after looking at the compatibility matrix for the switch and judging from some related forum posts, it sounds like it actually working is a "maybe, try it" situation, as those transceivers seem to be a bit of a novelty.

Before I throw $60 out of the window, has anyone tried using a similar transceiver on this model, and is there anything I need to keep in mind before ordering one and a Cat6a cable (aside from the 30 foot limit, which I'll be well below)?

Thanks in advance!



Incredibly slow upload speed?

I have a wired gigabit connection getting 800-900 Mbps download speed with 10 Mbps upload.

Google DNS

Stock Wave-provided router.

Cat5e Ethernet cable

Any ideas to speed it up, or is the provider limiting bandwidth?



Recommended Aruba Training?

Any recommended resources for learning Aruba AOS 8 and building a new multi-site deployment from scratch? I'm a Cisco CCNP who took over management of a 40+ site/600 AP Aruba 6.5 deployment (still Cisco on the wired side). We're looking at replacing the aging 6.5 gear with a new AOS 8 deployment, but that looks like building a new configuration from scratch (every rep I've spoken to doesn't recommend the migration tool, and this would be a chance to clean up old config garbage).

Any tips on YouTube playlists or other sites for learning AOS 8 (special focus on Mobility Master/child site configuration)? I may also be able to pay for professional training (was looking at the ACMA or ACMP courses) too. For paid training, any recommended authorized trainers?



Router Behind a Router - Good/Bad?

Hi guys. We have 2 Check Point firewalls with redundant ISP links in one of our offices and we are trying to find ways of routing traffic to local websites over a specific ISP link, rather than routing it via the default route.

Policy-based routing is not possible due to incompatibilities with features that we have enabled on the firewalls. My colleague has suggested adding a new router between the firewall and one of the existing ISP routers and forwarding traffic this way:

[All traffic] FW > New Router > Existing ISP router > internet

[Local traffic] FW > New Router > Other ISP router > internet

So, essentially, all traffic will be ultimately routed by the new router and not the firewall. To my knowledge this isn't a good idea due to double NAT in particular and it seems a bit much to do this to route traffic for a few websites.

Am I right or wrong? It's not something I've done before so I am keen on hearing what more experienced people have to say!



EVPN-VxLAN arp suppression disable on border-leaf

I have ARP suppression enabled on all my leaf switches, but because of a TCAM memory limitation I can't enable ARP suppression on the border-leaf switch (I don't have any server connection to the border-leaf).

Is it going to create any issue or misbehaviour in terms of traffic flow or silent host discovery?



[Packet Tracer] ASA 5506 NAT won't translate

Whenever I send an ICMP packet from a device with an IP address of 192.168.5.2 through the ASA 5506, it won't translate the packet's address to the outside interface's address. But if I send an ICMP packet from the router itself, it will translate it into the intended address. Why doesn't it translate the packet from the other device?

Worth mentioning:

I also connected a PC directly to the ASA. It sends an ARP message at first to the ASA, and once that is done it sends the ICMP packet, which translates successfully. Does the ARP message to the ASA somehow update its table and make it possible to translate?

Please take a look at the imgur images to get an understanding of how the network looks:

https://imgur.com/a/NHt43nN

Help would be appreciated!

ASA Configuration:

ASA Version 9.6(1)
!
hostname ASA
names
!
interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet1/2
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.252
!
interface GigabitEthernet1/3
 nameif DMZ
 security-level 50
 ip address 172.16.1.120 255.255.255.252
!
object network intranet
 subnet 192.168.1.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
!
object network intranet
 nat (inside,outside) dynamic interface
!
telnet timeout 5
ssh timeout 5
!



Advice needed: 2nd hand Dell S5148F-ON vs Arista DCS-7060CX-32S

Moin
Seeking experienced advice in an effort to make the most educated purchase.

We are a small IT consultancy upgrading our backbone to 25G, with the possibility to go 100GbE as soon as there is a nice deal. I aim at the used market mostly to get the best deal for the buck, but we want something that will at least get regular firmware updates in the near future. Easy access to firmware updates is important. Our nodes all have 25GbE Mellanox cards (ConnectX-4 and ConnectX-5). We will need to interconnect with some MikroTiks, so we need something that is not picky about the DAC brand.

I got a few sub-2k deals on eBay for 2nd hand 25G and 100G switches, and after much comparison the choice is now between the Dell S5148F (48x 25GbE + 6x 100GbE, Cavium) and the Arista DCS-7060CX-32S (32x 100GbE, Tomahawk), Arista being just a bit more expensive.

On port budget we fit into both, the Arista will even be almost empty, and cabling the Dell will likely cost us more (a DAC per port for the Dell, whereas for the Arista we will need much fewer QSFP28 splitters).

All in all I tend to favor the Arista more, partly because of the cheaper cabling, partly because Cavium has been killed, partly because I have had bad experiences with Dell switches in general (X-series). However, with the Arista I feel it may be overkill.

As for firmware, both are open questions for me: for Dell the open question is getting OS10 updates, for Arista the problem is getting EOS updates. Both seem to require some sort of registration and proof of contract, which I want to avoid; I am a bit afraid to buy non-updatable iron.

Does anyone favor one over the other? Is there a better option to look at, even if it costs slightly more? Appreciate any other advice.



Palo Alto Log Filter

Hi All,

Anyone know if there is a way to filter on the name category under the threat logs for a keyword and not the full string? I can't figure out the proper syntax and I have to believe they'd include that so we don't have to sift through pages and pages of junk to find what we're looking for. For example, I want to see every threat alert that came in with keyword "macro" in the name field, but when I try to build a filter, there is no contains, only equal or not equal.



Cisco ISR Blocking ICMP Timestamp/Port 22

Looking for some feedback to make sure what I am doing will accomplish what I need it to without causing undesirable behavior. Admittedly I've lost a lot of my network/Cisco skills over the years as my job roles took me more into sysadmin than networking; hoping to just get a "sanity check" before I do anything.

Long story short, our vulnerability scanner tagged our new router for listening on port 22 (even though SSH is disabled) and responding to ICMP timestamp requests. To fix this, I've come up with the below ACL I intend to apply to the interface where these are being detected.

access-list 100 deny icmp any any timestamp-request
access-list 100 deny icmp any any timestamp-reply
access-list 100 deny tcp any any eq 22
access-list 100 permit ip any any
int g0/0/0
 ip access-group 100 in

Does this make sense? Am I missing something obvious here? The plan is to first issue a reload in 30 before making any changes just in case it causes issues. Only after a successful implementation would I commit the changes to the startup config. Ideally, I won't have to rely on the reload but being risk-averse I tend to have some CYA.

If there's a better way to do what I need to do, I am all ears. For context, the router is an ISR4451 running Cisco IOS XE 16.06.04.



TCAM carving question for Cisco Nexus 9396PX

I have a Cisco Nexus 9396PX configured for IPv4 with an IPv4 RACL on an SVI to block some basic traffic. Now I have configured IPv6 and am trying to configure an access-list, but it's saying I don't have TCAM space, so I started looking around to see where I can borrow from, and this is what I have.

As per the document I may need a 512 slice for IPv6 double-width.

Question:

  1. Can I combine two 256 slices to create 512?
  2. What is IPV4 PACL? (I don't know who is using it and how to find out if someone is using it.)
  3. I am using BFD on this switch (does BFD use redirect TCAM space?)

# show hardware access-list tcam region | exclude 0
IPV4 PACL [ifacl] size = 512
IPV4 Port QoS [qos] size = 256
IPV4 RACL [racl] size = 512
Egress IPV4 RACL [e-racl] size = 256
Ingress System size = 256
Egress System size = 256
Ingress COPP [copp] size = 256
Redirect [redirect] size = 512
NS IPV4 Port QoS [ns-qos] size = 256
NS IPV4 VLAN QoS [ns-vqos] size = 256
NS IPV4 L3 QoS [ns-l3qos] size = 256
VPC Convergence/ES-Multi Home [vpc-convergence] size = 256
Ingress ARP-Ether ACL [arp-ether] size = 256
ranger+ IPV4 QoS [rp-qos] size = 256
ranger+ IPV6 QoS [rp-ipv6-qos] size = 256
ranger+ MAC QoS [rp-mac-qos] size = 256
sFlow ACL [sflow] size = 256

IPv6 has zero allocation

# show hardware access-list tcam region | grep IPV6
IPV6 PACL [ipv6-ifacl] size = 0
IPV6 Port QoS [ipv6-qos] size = 0
FEX IPV6 PACL [fex-ipv6-ifacl] size = 0
FEX IPV6 Port QoS [fex-ipv6-qos] size = 0
IPV6 VACL [ipv6-vacl] size = 0
IPV6 VLAN QoS [ipv6-vqos] size = 0
IPV6 RACL [ipv6-racl] size = 0
Egress IPV6 QoS [e-ipv6-qos] size = 0
Egress IPV6 VACL [ipv6-vacl] size = 0
Egress IPV6 RACL [e-ipv6-racl] size = 0
IPV6 L3 QoS [ipv6-l3qos] size = 0
NS IPV6 Port QoS [ns-ipv6-qos] size = 0
NS IPV6 VLAN QoS [ns-ipv6-vqos] size = 0
NS IPV6 L3 QoS [ns-ipv6-l3qos] size = 0
ranger+ IPV6 QoS [rp-ipv6-qos] size = 256

This is what my utilization table looks like (it's saying PACL used 3; does that mean I can't take that slice?)

ACL Hardware Resource Utilization (Mod 1)
----------------------------------------------------------
                             Used   Free   Percent Utilization
-------------------------------------------------------------------
Ingress IPv4 PACL            3      509    0.58
Ingress IPv4 Port QoS        4      252    1.56
Ingress IPv4 RACL            32     480    6.25
Egress IPv4 RACL             3      253    1.17
SUP COPP                     214    42     83.59
SUP COPP Reason Code TCAM    8      120    6.25
Redirect                     7      505    1.36
Ingress Ether ACL            15     241    5.85
VPC Convergence              1      255    0.39
sFlow Northstar ACL          0      256    0.00
LOU                          2      22     8.33
  Both LOU Operands          2
  Single LOU Operands        0
  LOU L4 src port:           1
  LOU L4 dst port:           1
  LOU L3 packet len:         0
  LOU IP tos:                0
  LOU IP dscp:               0
  LOU ip precedence:         0
  LOU ip TTL:                0
TCP Flags                    0      16     0.00
Protocol CAM                 2      244    0.81
Mac Etype/Proto CAM          0      14     0.00
L4 op labels, Tcam 0         0      1023   0.00
L4 op labels, Tcam 2         1      62     1.58
L4 op labels, Tcam 6         0      2047   0.00
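A small parser for the "show hardware access-list tcam region" output quoted in the post, plus a checker for a proposed re-carve, as an added example (not the poster's code and not a Cisco tool). The sample text is built from the region lines quoted above, with two of the zero-sized IPv6 regions appended. The re-carve rules the checker applies are assumptions stated in the code: deltas in whole slices of 256 entries, no region below zero, and a total that does not grow (space for a new region has to be taken from an existing one). It does not decide which region is safe to shrink; that is what the utilization table and the post's question about PACL are for.

```python
import re

# Constructed sample: the non-zero region lines quoted in the post, plus two
# zero-sized IPv6 regions from the grep output, in the same line format.
SAMPLE_REGIONS = """\
IPV4 PACL [ifacl] size = 512
IPV4 Port QoS [qos] size = 256
IPV4 RACL [racl] size = 512
Egress IPV4 RACL [e-racl] size = 256
Ingress System size = 256
Egress System size = 256
Ingress COPP [copp] size = 256
Redirect [redirect] size = 512
NS IPV4 Port QoS [ns-qos] size = 256
NS IPV4 VLAN QoS [ns-vqos] size = 256
NS IPV4 L3 QoS [ns-l3qos] size = 256
VPC Convergence/ES-Multi Home [vpc-convergence] size = 256
Ingress ARP-Ether ACL [arp-ether] size = 256
ranger+ IPV4 QoS [rp-qos] size = 256
ranger+ IPV6 QoS [rp-ipv6-qos] size = 256
ranger+ MAC QoS [rp-mac-qos] size = 256
sFlow ACL [sflow] size = 256
IPV6 RACL [ipv6-racl] size = 0
IPV6 PACL [ipv6-ifacl] size = 0
"""

# "<display name> [<key>] size = <n>"; the bracketed key is optional
# (e.g. "Ingress System size = 256" has none).
LINE_RE = re.compile(
    r"^(?P<name>.+?)\s*(?:\[(?P<key>[^\]]+)\])?\s+size\s*=\s*(?P<size>\d+)\s*$"
)


def parse_tcam_regions(text):
    """Return {region_key: size}. Regions without a bracketed key are
    stored under their display name. Lines that do not match are skipped."""
    regions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = m.group("key") or m.group("name")
        regions[key] = int(m.group("size"))
    return regions


def total_allocated(regions):
    return sum(regions.values())


def plan_rebalance(regions, changes, slice_size=256):
    """Apply {key: delta} to a copy of the allocation and validate it.
    Assumptions (mine, not from the post): every delta is a whole number of
    slice_size-entry slices, no region may go negative, and the total may not
    exceed the current total. Returns (ok, new_regions, problems)."""
    new = dict(regions)
    problems = []
    for key, delta in changes.items():
        if key not in new:
            problems.append(f"unknown region {key}")
            continue
        if delta % slice_size:
            problems.append(f"{key}: delta {delta} is not a multiple of {slice_size}")
        new[key] += delta
        if new[key] < 0:
            problems.append(f"{key}: would go negative")
    if total_allocated(new) > total_allocated(regions):
        problems.append("plan grows the total allocation")
    return (not problems), new, problems


if __name__ == "__main__":
    regs = parse_tcam_regions(SAMPLE_REGIONS)
    print(f"{len(regs)} regions, {total_allocated(regs)} entries allocated")
    # Hypothetical plan: free one 256 slice each from ifacl and redirect to
    # fund a 512-entry ipv6-racl region.
    ok, new, problems = plan_rebalance(
        regs, {"ifacl": -256, "redirect": -256, "ipv6-racl": 512}
    )
    print("plan ok" if ok else "plan rejected: " + "; ".join(problems))
    print("ipv6-racl would be", new["ipv6-racl"])
```

The plan in the `__main__` block is only an illustration of the arithmetic; whether a given region can actually give up a slice depends on what is using it, which is the point of the utilization table quoted above.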



SFP Switch

I'm in the process of upgrading our backbone. I've been looking around but can't find exactly what I'm looking for. To share our upgraded fiber out from our MDF to all of the IDFs, I was told there is such a thing as an SFP switch. I'm looking for just SFP ports. We use HP switches. Any ideas or specific terminology I should use in a search?

I should probably be looking at a modular switch?



DR site design and technologies

For 2021 we have been asked to configure one of our other sites as a DR site. I haven't looked at doing this for many years and was wondering what you all do for DR/business continuity. We are a Fortigate/VMware/Aruba switch shop with no current load balancer technology deployed.

In the past, many moons ago at a different company, our DR was pretty simple but required manual intervention, i.e. we kept a VMware instance replicated at site B and I simply changed the server VLAN at site B to reflect the subnet from site A and added that network to be advertised out via our dynamic routing protocol from site B.

The desire is to see what the viability/cost is to implement an active/active failover scenario.



Layer 2 circuit behind firewall or outside the firewall?

I'm building a Layer 2 connection between two locations through a 3rd party service provider for some specific traffic. Currently the traffic is serviced by a VPN, but the VPN can't keep up with the amount of data that needs to be sent. I'm fairly confident that putting the layer 2 circuit outside the firewall will be fine, but I want to make sure there is not some security issue in doing so that I'm just not thinking about.



CISCO DataBroker training?

Is there any Data Broker training anywhere? Preferably free, but paid is ok. I can't find any training videos. I can see the configuration guides, but like most Cisco configuration guides they are very clinical and not conducive to someone with no knowledge of DBs. I will be implementing a new DB setup replacing a Gigamon setup and am clueless at this point. Any suggestions welcome.



CISCO ISE Training and Labs

Hello!

I'm on a quest for additional resources about Cisco ISE. I've gotten a little collection of ISE training and practice material, but I'd just like to know what everyone is using to practice, read up on and/or lab up Cisco ISE. GNS3 has resources which I've downloaded. Just want to see if there are any hidden gems out there (books, labs, anything) that are musts that I have missed. Thanks!



Extending WiFi over 3 floors

I've got WiFi in a fifth floor unit of a commercial building. We've recently taken on a new unit on the second floor and are wondering if it would be possible to extend the WiFi from the fifth floor all the way down to the second.

The unit on the second floor isn't too far away from the unit on the fifth in that it's just 1 unit beside, 3 floors down.

Would a WiFi extender/repeater work? We do not have access to power points outside our unit.

Thanks in advance!

Edit: if I'm lucky, I am sometimes able to get 1 bar of WiFi reception when I'm in the second floor unit.

Edit 2: both units are small (approx. 190 sqft)



Thursday, January 14, 2021

Fibre to Ethernet Media Converter

Hey All,

I am about to upgrade my internet service, and my ISP uses an FTTC infrastructure. They have a direct LC fibre optic cable into an SFP router (provided by the ISP).

I would like to change the router out for a better, private unit.

My question is, considering there is a direct LC fibre cable and no modem to connect an Ethernet cable to, would I be able to use a media converter to connect the LC cable and then an Ethernet patch cable into my new router?

If so, is there a certain type of media converter I should.

Thanks in advance.



OSPF RID duplicate from itself

I recently had an issue where OSPF RID duplicate messages popped up on N9K switches.

Both N9K switches are interconnected with an L2 link and running HSRP.
They have 192.168.1.252 (SW#1) and .253 (SW#2) as their SVI IPs.

 %OSPF-4-DUPRID:  ospf-10 [1287] (default) Router 192.168.1.252 on interface Vlan100 is using our routerid, packet dropped 

This log was captured from SW#1. SW#2 also had the same log entry with the address of 192.168.1.253.

So it basically tells me that there was an OSPF RID conflict from itself.

What can cause this issue? Bridging Loop perhaps?



HPE OfficeConnect 1950 opinion

Greetings r/networking, I have not been posting much but have been doing a lot of reading and require input.

I've been tasked to revamp the office network, which comprises:
2x 3750X stacked as a core and HPE 1810-24G switches at the edge/access.

Due to 802.1x requirements and age, we've decided to replace the whole stack.

Core would be 2x 2930M stacked w/10G uplinks to each floor with HPE-1950-24G for edge access.

We've decided to go with the OfficeConnect 1950 as they're stackable for ease of management. The switches would only be configured to run in L2.

Could anyone advise if the reported 802.1X issue with the switches is resolved, based on the R3208P16 firmware release?

I haven't done any 802.1X deployments, but our required goal for the wired LAN is to deny any non-company-owned/non-domain-joined laptops from connecting to the wired network.

Authentication, I understand, would need to be by domain authentication via an NPS server.

My vendor claims that this setup doesn't work; is this true?

Any input is welcome.



Networking Tips

What are some of the best books or tips for learning about networking more efficiently?



Help with 802.1q and Vlan ID 0

So I have a device that transmits untagged and tagged frames. It's using 802.1Q to add an 802.1p PCP for class of service stuff on some of those frames. However, it's using a VLAN ID of 0 when doing this. The end goal is to propagate all traffic (tagged and untagged) from all the devices on the switch through a set of Ethernet radios to another switch. I'd like to retain the 802.1Q header until it reaches the far switch. The topology is like:

Device---ExtremeSwitchA--EthernetRadioA---EthernetRadioB---SwitchB(possible Aruba or Extreme).

In most of the trunking configs I have to explicitly state what VLAN ID I'm permitting across the trunk. ID 0 is not an option. However I've read that when switches receive a vlan ID of 0 in a 802.1q header they retag the header with the native VLAN ID i.e. which is the VLAN the trunk port is in.

I'm hoping to set up all the VLANs to an ID of 1 (for testing), enable trunking between the device, the switches and the Ethernet radios, and see what happens. I can set up a hybrid trunk port that takes tagged and untagged packets.

Has anyone had experience with trunking with a VLAN ID of 0?
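An added example, not from the post, that parses the 802.1Q tag the device in question is sending so the frames can be sorted into untagged, priority-tagged (VID 0) and VLAN-tagged before they hit the trunk. In 802.1Q a VID of 0 means the tag carries only the priority (PCP) and DEI bits and no VLAN membership, which is why trunk configurations offer no "VLAN 0" to permit; VID 4095 is reserved. The `build_frame` helper and the sample frames are constructed test data; the MAC addresses and payloads are placeholders.

```python
import struct

TPID_8021Q = 0x8100      # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Constructed test helper: an Ethernet II frame with an 802.1Q tag
    inserted after the source MAC when vid is given. TCI layout is
    PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def classify_vid(vid):
    """How a bridge should read the VID field (802.1Q semantics)."""
    if vid is None:
        return "untagged"
    if vid == 0:
        return "priority-tagged"   # PCP/DEI only, no VLAN membership
    if vid == 4095:
        return "reserved"
    return "vlan-tagged"


def parse_frame(frame):
    """Return dst/src, tag fields (None when untagged), the encapsulated
    EtherType, the classification and the payload length."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    info = {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]),
            "pcp": None, "dei": None, "vid": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13
        info["dei"] = (tci >> 12) & 0x1
        info["vid"] = tci & 0x0FFF
        offset = 18
    info["ethertype"] = ethertype
    info["kind"] = classify_vid(info["vid"])
    info["payload_len"] = len(frame) - offset
    return info


def summarize(frames):
    """Count frames per classification; handy as a capture-side check."""
    counts = {}
    for frame in frames:
        kind = parse_frame(frame)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed samples: a priority-tagged frame (VID 0, PCP 5) like the
# device in the post sends, one untagged frame and one tagged for VLAN 100.
PAYLOAD = b"\x45" + b"\x00" * 19   # placeholder IPv4 header bytes
SAMPLE_FRAMES = [
    build_frame("01:00:5e:00:00:fb", "00:11:22:33:44:55", ETHERTYPE_IPV4, PAYLOAD, vid=0, pcp=5),
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4, PAYLOAD),
    build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", ETHERTYPE_IPV4, PAYLOAD, vid=100, pcp=3, dei=1),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_frame(frame))
    print(summarize(SAMPLE_FRAMES))
```

On a real capture the same `parse_frame` can be run over each packet's raw bytes (for example from a pcap reader); anything reported as "priority-tagged" is a frame that will be placed into the ingress port's native/PVID VLAN rather than a VLAN named in the tag.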



Webex BW Consumption

Is the average BW used by a participant in a meeting specified by Cisco? I would like to know the minimum and maximum BW consumption for the cases below:

1-Users are Using just voice in the room.

2-The presenter is sharing content.



SSL/TLS VPN vs IPSec GlobalProtect: Odd

So my internet headend has the remote workers using GlobalProtect, and for some reason when I set it up years ago I never ticked the IPSec box for the tunnel.

Today I'm setting up another internet headend, and when I configured GlobalProtect I did tick the IPSec box.

I immediately noticed my connection was not laggy anymore. Using Google Maps as a benchmark when RDP'd into a computer, the SSL was laggy as hell, but on IPSec it was almost smooth.

Iperf shows the same speed, about 20Mb for both connections; on UDP the jitter is a bit less on IPSec.

So why am I seeing a huge RDP performance increase when using IPSec?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



NMS Evals

Hola-

We pulled the plug on SolarWinds for all the reasons, and we're undergoing NMS evals.

We keep coming back to LibreNMS as it meets reqs and is not trying to cure cancer on Mars.

What are the cool kids doing nowadays for node/interface monitoring/alerting?

Going way back, we were netsaint -> nagios -> opsview -> solarwinds -> ??????

Not a huge deployment, 1000 nodes, 3000 interfaces, and we need "API first" design.

Thanks!



Anyone have experience finding a new job in networking with a misdemeanor or criminal record?

In 2017 I was charged with domestic assault and 5th degree assault after a short scuffle with a roommate. I was offered a plea of disorderly conduct for the vulgar language I used and took it because I did not have $10k to fight the charges and prove it was in self defense. Even though I was only convicted of disorderly conduct, a non-violent offense, most companies see the charges (domestic assault and 5th degree assault) and immediately cut contact even though I have truthfully explained the situation. What's a guy to do to get a job again? It's been almost 5 years since this incident with no other problems, and it was a one-off situation in the first place. I have gone from $70k a year to lucky to get a job for $17 an hour. Does anyone have advice?



Network Diagram Help

Okay, so I am new to networking and I am managing my parents' business. With the pandemic we decided to expand part of our business to a home office.
I need the home office to be always connected to the main office (VLAN 1). I am planning to put our phone system on AWS with FreePBX + Asterisk (still learning how to implement this).
I have also recently bought a Synology NAS DS920+ that has 2 purposes. It will be serving as the main folder-sharing server on VLAN 1. Additionally it will be serving as a media server for the rest of the house on VLAN 4. There are 3 departments in Office 1 and the PCs cannot communicate. The printers ideally would be available in all VLANs; however, they are a bit old and I am not sure if it is possible.
I know I probably need to get new equipment for Office 1.
I am a bit overwhelmed and I probably need some help implementing this. Are there any courses that you recommend? Any tips on things I am overlooking or changes I should make (equipment or diagram wise)? I am studying computer engineering; however, this is a bit out of my comfort area.
Thank you for your help!

https://imgur.com/u5j0oze



Measuring latency/jitter/throughput/etc between multiple sites

Hi all,

Looking for a good approach to take measurements of these metrics between multiple sites (~20). Ideally something scalable with not a ton of manual triggering. So something that can just run in the background and take measurements periodically (once a day or something?) and record results.

I expect to have a host at every site that would be facilitating these tests/measurements.

And ideally it's something open source/free and simple and a bit turnkey. Obviously I can set up iperf at every site, icmp/ping sweeps at every site, etc, but that's going to be a huge slog to get measurements between each site if it's all manual.

Maybe there's some FOSS solution out there that does what I'm looking for? Again, not looking to buy some mega software for this if it can be avoided. Just looking for those few metrics to get a 'baseline' of network performance between all our sites, something that can run at regular intervals and record results.

Thanks!



Adding Expansion Module to Active/Standby Cisco ASA

Hello Everyone,

I need to add an expansion module to a pair of Cisco ASA 5585s in an Active/Standby failover configuration. My initial plan is below.

  1. Power down standby/secondary unit and install the module.
  2. Bring the standby unit online and promote the device to active.
  3. Repeat the steps for the primary/active unit.

My worry is that step 2 will cause a failure when the secondary tries to sync with the primary. This would be due to the fact that the devices will not match. If this is the case, what is the recommended procedure for doing this? Sadly, I do not have 5585s in my lab or else I could test this.

Thanks!



Question for those who are doing / have done Spine/Leaf DC configurations.....

My question pertains to the WAN, Firewall, and routing.

  • I assume you are terminating WAN Links into an HA pair for firewalls that then feed into the leafs?

  • Are you doing all of your routing (outside of VPNs) on the switches or on the firewalls?

The question is 2 fold I know. I am more curious about your WAN deployments in spine/leaf DC configs and why you chose to do it the way you did.



Cisco ASA w/firepower module failover

I've got two ASAs in an active/passive configuration. I have the inside and outside interfaces monitored, but not the management interface. My question is, should I be monitoring the Firepower Management interface? My gut tells me no, but I have that feeling in the back of my mind there's a reason it's enabled by default...

Thanks!



Policy Based Routing on Dell N3000 switch

I am migrating to a new firewall. I'd like to migrate with both the existing and new firewall active. I have a core N3048 switch that is connected to my existing firewall. I'd like to connect my new firewall to the core switch and route one of my VLANs to the new firewall.

I think I can accomplish this through Policy Based Routing. Is this correct? And if so, will configuring PBR for this VLAN affect any other VLANs or any other operations on the switch. I have 'IP Routing' configured on the switch and I plan on applying the PBR to one VLAN interface only. 



Recommendations for inline 10G copper switch

Hello all,

I have been tasked to find a 48-port switch that can do 10G copper without SFPs. I initially recommended 2 Cisco 9300UX and making a stack, since those don't come in 48-port models. I got a reply that those are too expensive and to look into other options. I'm sure anything Cisco will be too expensive (even after a massive discount), so I was wondering if anyone had any recommendations.

I looked at the Extreme Networks 5520-48T and am not sure about it, but I am not familiar with Dell, Juniper, HP, or others unfortunately.

Any input is greatly appreciated.



Open Port Monitoring

Hi Everyone,

I am hoping that someone can point me in the right direction. I am looking for free software that can help us monitor specific ports on our network. We have approximately 100 routers around the country that are connected to NVRs and Alarm Notification Systems. As these systems are remote and run on battery / solar mostly, we need to keep an eye on whether these systems go down, and we are currently doing it by manually port scanning 5 ports on our internal VPN network.

I am looking for some simple software that we can put our IP addresses in, define the ports we want it to watch and send an email alert if a port has been down for say longer than 10 minutes.

Does anyone have any specific recommendations?

Thanks in advance.
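A small watchdog along the lines the post asks for, written as an added example rather than any tool recommended in the thread: it probes each host:port, tracks how long a target has been unreachable, and raises one alert once the outage passes the 10-minute threshold. The target list, SMTP host and mail addresses are placeholders.

```python
"""Open-port watchdog: probe host:port targets, track downtime per target, and
alert once a target has been down longer than a threshold (10 min in the post).

Added example, not software from the original thread. Hosts, ports, SMTP
settings and the poll interval are placeholders/assumptions.
"""
import smtplib
import socket
import time
from datetime import datetime, timedelta
from email.message import EmailMessage

# Constructed target list: (name, host, port). Replace with the real NVR/alarm endpoints.
TARGETS = [
    ("nvr-site-01", "10.0.1.10", 554),     # RTSP on an NVR (placeholder address)
    ("alarm-site-01", "10.0.1.11", 4000),  # alarm panel TCP port (placeholder)
]


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class DowntimeTracker:
    """Per target, remember when it first went down and whether we already alerted.

    update() returns 'alert' exactly once per outage (when the down period crosses
    the threshold), 'recovered' once when it comes back after an alert, else None.
    Short blips below the threshold never alert.
    """

    def __init__(self, alert_after=timedelta(minutes=10)):
        self.alert_after = alert_after
        self.down_since = {}   # target -> first time seen down
        self.alerted = set()   # targets with an outstanding alert

    def update(self, target, is_up, now):
        if is_up:
            self.down_since.pop(target, None)
            if target in self.alerted:
                self.alerted.discard(target)
                return "recovered"
            return None
        first = self.down_since.setdefault(target, now)
        if target not in self.alerted and now - first >= self.alert_after:
            self.alerted.add(target)
            return "alert"
        return None


def send_email(subject, body, smtp_host="smtp.example.internal",
               sender="monitor@example.internal", to="noc@example.internal"):
    """Send a plain-text alert; SMTP host and addresses are placeholders."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = to
    msg.set_content(body)
    with smtplib.SMTP(smtp_host, timeout=10) as s:
        s.send_message(msg)


def poll_once(tracker, targets=TARGETS, now=None, probe=tcp_open):
    """Probe every target once; return [(name, event)] for state changes only."""
    now = now or datetime.now()
    events = []
    for name, host, port in targets:
        ev = tracker.update(name, probe(host, port), now)
        if ev:
            events.append((name, ev))
    return events


def run(interval_s=60):
    """Poll forever, mailing one alert per outage and one notice on recovery."""
    tracker = DowntimeTracker()
    while True:
        for name, ev in poll_once(tracker):
            if ev == "alert":
                send_email(f"[DOWN] {name}",
                           f"{name} unreachable for at least {tracker.alert_after}")
            elif ev == "recovered":
                send_email(f"[UP] {name}", f"{name} is reachable again")
        time.sleep(interval_s)


if __name__ == "__main__":
    run()
```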



Cisco courses worth?

Hey everyone, I hope you have a great day :). I'm a college student in computer and multimedia and I recently also started a CCNA course. I'm thinking of following Cisco security courses; what are your thoughts on this? Are they a waste of money? Also, are there any alternatives to get into networking? Thanks for reading.



SD-WAN Control and data planes

Greetings all

I have a question regarding separation of the control plane and data plane in SD-WAN terminology. What I cannot get is that some providers say they support separation, as against other vendors. What I cannot get is what the value of such a term is, and is it real that some vendors such as Velocloud cannot do this?

Thanks!



Tutorial - Developing NetBox plugin part 3 - search panel

I've published part 3 of my NetBox plugin tutorial where I show how to add search/filter functionality:

http://bit.ly/ttl255nbp3

There's also repository with the code used in the post:

https://github.com/progala/ttl255-netbox-plugin-bgppeering/tree/bgppeering-list-search

Hope you enjoy it and I'm happy to try and answer any questions you might have.



Dell force10 port-channel issue with spanning-tree edge ports

Noticed a weird issue of port-channel breakdown on VLT Dell switches while using the "spanning-tree rstp edge-port" command on port-channel edge ports. Without the edge-port command on physical ports, topology change events keep going down the entire RSTP domain, creating connection stability issues.

The main issue is that with that command ports begin to work independently and not within port-channel on switches. Tried various combinations of "spanning-tree rstp edge-port" command on physical ports as well as port-channel itself, however, the issue remained. Port-channels work fine without the command.

Has anyone ever encountered a similar situation where port-channels can't establish themselves normally on switch side while using something similar to "spanning-tree rstp edge-port" command?

Topology:

https://ibb.co/kBd1wLG

Switch model: S4048-ON
Dell EMC Application Software Version: 9.14(2.8) (same on both switches)

interface TenGigabitEthernet 1/1
 no ip address
 spanning-tree rstp edge-port
 !
 port-channel-protocol LACP
  port-channel 1 mode active
 no shutdown

interface Port-channel 1
 no ip address
 portmode hybrid
 switchport
 vlt-peer-lag port-channel 1
 no shutdown

#show interfaces status
Port    Description    Status    Speed         Duplex    Vlan
Te 1/1                 Up        10000 Mbit    Full

#show interfaces port-channel brief
Codes: L - LACP Port-channel
       O - OpenFlow Controller Port-channel
       A - Auto Port-channel
       I - Internally Lagged

  LAG    Mode    Status    Uptime      Ports
L 1      L2      down      00:00:00


Catalyst 2960 IOS 12 to 15 upgrade - ROMMON?

Hi there,

We still have some C2960 on IOS 12 and as they will still have to do for some unforeseeable time we decided to at least upgrade them to IOS 15.

Do you know if I need to upgrade the ROMMON?

They are currently on 12.2(55)SE5 and we want to upgrade to 152-2.E9.



More and more bugs on CISCO ..

Another one.. GG CISCO !

Model Number : C9500-24Y4C

Cisco IOS XE Software, Version 16.12.04

C9500(config)#int twentyFiveGigE 1/0/15
%ERROR: Standby doesn't support this command
                                            ^
% Invalid input detected at '^' marker.

A lot of bugs with N9K, C3850, C9000 etc etc and licence system is now ******** bull**** ...

The quality of the code is getting worse and worse !

Now we are afraid every time we have an upgrade or something to do !

What do you think about cisco ? It's time to switch to Aruba ? another ?



Out traffic interface is different than In traffic

Hi,

I have a question. I have seen in one hub-and-spoke network design that the default route is going through the DMVPN interface to the hub, and all replies from the internet are going to the branch through the MPLS interface.

So in other words, the request has a different interface than the reply. So is this normal, or could it cause unusual behavior in the future?



Wednesday, January 13, 2021

IP Routing but not all VLANs

Hey Everyone,

TLDR: I have VLANs A,B,C,D. How can I enable IP routing between VLANs A and B, C and D, but not A or B to C or D?

I do a lot of industrial networking as a consultant. The industrial world doesn't really do a TON of dynamic routing, this case everything will be static. I very frequently use a L3 Core switch to do IP routing between all my VLANs. Almost as frequently I use a Firewall as a Router between all VLANs.

(Overly simplified) I have a situation where I have 5 departments all connected to a core switch. Each dept has 25 VLANs within it. All depts share the same core/ distribution switches and there is no good way to change that.

Within a department I want to route all 25 VLANs on my L3 Core switch so they can talk freely but I want to route between different departments on the firewall for additional inspection. How can I make this work? ACL? Something else? I'm stumped but possibly missing an obvious solution.

This particular environment is all Cisco Catalyst.

Thanks!
aapitten
-CCNA Industrial



Automated network diagram software?

I am wondering if any of you use any automated network diagram software?

What worked well? What would you recommend staying away from?

New management has come in and is now willing to get us more into automation. We mainly are a cisco shop, but I know we are headed more to a vendor-agnostic approach. We have the money so I'm not too worried about the cost.



Cascading network issues, looking for a temporary solution

I've got a relatively unique network (for me) that I have to clean up. Made more complicated by two major hurricanes devastating the area this past year and the pandemic on top of that preventing me from travelling on site (I'm about 350 miles away).

We have 2 offices at a very large location. Our offices are tiny (2 people each) and the larger location is a separate company. So we're very limited when it comes to running new equipment or wires. The two offices are also separated by a few thousand feet.

This location is also very remote so internet options are extremely limited. We were able to get a fiber line but to get service it has to go through the main company's service closet which we do not have access to.

Setup is a Netscreen 5gt on static IP from fiber service feeding two fiber convertors, one convertor for each office. The termination point for the convertor near the offices is about 100 or so feet from the office.

The problem I'm having is that one office is having major printing issues to a network printer. The printer is only like 6 feet from the computer, but I suspect the signals are going up that long chain to the service closet and then back down causing some lag that the printer just can't handle.

So I thought what the hell, temporary solution let me send them a router and talk them through installing it, and essentially double nat their computers and printer to a smaller network inside their office. That's actually seemed to improve the printing situation as print jobs don't leave their room now, but I've run into a secondary issue.

The Netscreen for some weird reason has a 10 device limit on it. We were right at the 10 devices apparently. The 2 computers per office, 2 voip phones per office (I didn't double NAT those), and printer. So 5 devices per office. 10 total. The router is now triggering as an 11th device and causing 1 random device to get dropped.

This seems odd to me since I would think anything behind the second router would only appear as a single device, but the Netscreen logs are showing the devices inside the NAT in the device list even though they're on a completely separate subnet. Main network is 192.168.10.*, smaller double NAT is 192.168.50.*.

Ultimately I need to replace this Netscreen with something that isn't as limiting on devices, but being a high risk person and not able to get vaccine anytime soon I can't travel there to do the work so I'm trying to do what I can talk people through.

I tried working with the people at the other main company that owns the site, but they don't really want to deal with our network issues. So I'll need to be onsite to replace that main netscreen router.

Is there anything I can do to keep the double NAT devices appearing as a single device to the main router? If this first router worked out I was going to send a second one to the second office and do the same there (double NAT the PC's and printer, keep VOIP on original NAT)

Just trying to figure out how to put a patch on this situation until I can get there and put a more permanent solution into place. Any thoughts or suggestions are greatly appreciated.



Looking for network engineers for side work

I'm looking for network engineers that want to do contract side work. I have several jobs a month come in that I can use some extra staff. The work can be done remotely and after-hours. DM me if you are interested



Split DHCP on Subnet

I've got an unideal situation with a few options. The option that will likely be chosen is to expand the network from a /24 to a /23.

Lets say the network is currently 192.168.3.0/24 and is out of IPs. Static devices are assigned between 3.5-3.99. The DHCP scope is 3.100-253.

Expanding the network to a /23 makes the new range 192.168.2.1-192.168.3.254. Obviously this is not ideal considering the static devices are now in the middle of the range. The default gateway is also set to 192.168.3.3.

If we move the network to a /23 and set the DHCP scope to 192.168.2.1-254 this would leave the gateway as 192.168.3.3. Obviously not ideal but should still work at least in the interim until a full network update has been done.

Using a FortiGate firewall would we also be able to set a secondary DHCP scope in the 3.x range such as 192.168.3.150-250 to allow for additional devices?

Long term we would want to move all the static devices into the lower end of the range, but that will require quite a bit of reconfig for over 100 static devices, printer mappings, etc.

Alternatively a secondary DHCP network could be setup, such as 192.168.4.0/24 (which would allow for easily moving to /23 if needed in the future) and no existing static devices would need to be modified. I'm thinking this might actually be the easiest to do once I get vendors to update VPN tunnels.

Any suggestions or thoughts? The goal is to do it with the least amount of effort and cause as little downtime as possible. I'm not against doing a bunch of pre-work to make sure this goes smoothly, but if we can avoid having to update static devices that would be ideal.



Hamstrung by 40GbE yet CapEx-out!

Hey fellow enterprisers! Stuck on a 40GbE network of Mellanoxes and CX3 cards. All 40GbE QSFP+ interconnecting the 80 servers in the company. Firm has one of the new NVMe NAS boxes by QNAP, but that's SFP28. We want to maximize the pipes connecting the servers to the NAS. Is there any way to efficiently communicate with this NAS given our 40GbE network?

https://www.qnap.com/en-us/product/ts-h2490fu



Transit/Management VLAN Question

Heya,

Was wondering if anyone has advice for implementing transit VLANS.

Currently, we have a setup where each site has a L3 head switch and then has static routes back to our distro switch.

I am wanting to validate that best practices have the transit VLAN between the L3 Switch and Distro Switch look something like 192.168.1.0/30, giving me just the 2 usable in that network. To clarify the L3 Switch and Distro would share the Transit and the Management VLAN built out on the L3 Switch side would point to the transit for all traffic leaving the site?(as well as any other VLAN built out on the L3 Switch) ---- Please validate or correct ---

If you give examples it helps my brain!

Thanks in advance!



Question about Cisco QoS

I've never had to worry about QoS before, so I'm not really familiar with it. Default has always worked for us in the past. But we're now deploying a bunch of non-Cisco phones and I've been told I need to put new QoS policies on our switches to make Cisco trust their DSCP markings.

My question is, when I put these policies out and add them to the switch interfaces that have the non-Cisco devices attached, do I have to worry about anything in between that doesn't actually have the phones directly connected, but is just passing the traffic along? I'm assuming, possibly incorrectly, that once the traffic is trusted and prioritized on the interface connected to the device, the rest of the network will trust that classification when the traffic passes through.



Cisco IP/SLA configuration on cEdge devices

I know with Cisco SDWAN gear and with vManage you get some really nice stats. However, we're looking at reporting out of some older snmp-based network management systems while also working with newer NMS's.

On our older Cisco gear, we use Cisco IP/SLA Jitter probes to report on Jitter, packet loss and latency.

I had heard that if you configure IP/SLA probes on Cisco XE (used to be called cEdge) devices, you lose automation and go back to having to manually configure your cEdges.

Is this the case? Or can you set up CLI templates you can push to a group of cEdges, providing they are all talking to the same responder?

Anyone doing Cisco IP/SLA probes on their new gear so they can integrate them with existing snmp tools?



Loopback interface in my environment. Should it be assigned its own subnet?

My hardening process is asking to set an IP on my loopback interface. We currently aren't using routing protocols. Everything is statically assigned.

I need to bind the loopback as an AAA source interface, NTP and ip tftp source interface.

Our management VLAN is 10, 192.168.10.250. Our NCM is using 10.1.1.162 and uses TFTP. NTP server is on 192.168.20.66.

Will any privately assigned IP work in this instance or should it be in tune with the MGMT VLAN subnet(192.168.10.X)?



AnyConnect Certificate Authentication Failure

I am having a persistent Certificate Authentication Failure. How the heck do I troubleshoot this? I have a common CA which I used to build the trustpoint on the ASA.

Same CA created the private key, csr, and signed the cert for the Windows 10 machine. Added the certificate to the user store as well as adding the CA cert to the Trusted Certificate Authority store.

I built the VPN using the Configuration Wizard, enabling IPsec. I have a hunch that it has something to do with the FQDN. I used just the hostname "ASA", "Win10" instead of the full FQDN. Could that be why?

I have added the IP to the Windows host file and I am still getting these prompts:

Certificate does not match the server name.

Certificate is from an untrusted source.

And, I am not getting the Choose Certificate prompt on AnyConnect.



Networking is Cool

Working a little over 1.5 years as a network analyst, and I'm really enjoying my job. Got a new manager who is mad technical, getting projects thrown my way to actually do network related work and feel like I have some autonomy to make design decisions. Studying and actually enjoying learning instead of it feeling like a chore or pointless. I just feel super optimistic, lucky and wanted to share. This is such an awesome field.

Networking is cool.



Cisco VDC

If I had physical hosts plugged into a switch but I wanted to split half of those physical hosts (ESXi, bare metal, etc.) into a VDC with the same VLAN ID as the hosts in the other VDC, and we set up proper routing statements, would it be possible for those two VDCs to communicate with each other? Or in other words, for the hosts in each VDC to be able to communicate with each other. Could they even have overlapping IPs? Maybe there isn't enough info here. Let me know and I can help clarify.



Verizon Fios Business Static IPs

Random question...

Anyone aware of how Verizon Fios delivers Static IPs on the routers they deliver to customers? I’m walking into a situation totally blind... someone else ordered a block of 13 statics from Fios. Trying to plan ahead here for setup.

Are all 13 public static IP’s available to assign directly to my devices if I plug my devices into the LAN connections on the Fios router?

Any insight is greatly appreciated!

Thanks



Palo Alto Third Party Support - GoldSeal Support?

Has anyone ever used GoldSeal Support for their Palo Alto devices? Our VAR is pushing it and it's cheaper and seems to be better than going with directly to Palo Alto support services.

https://www.goldseal.support/paloalto.html

https://i.imgur.com/15ZRbz2.png



Fiber Connection/Adapter

Can anyone help to identify these exact connector types on this one Cisco 6500 switch?

https://1drv.ms/u/s!AmPyrdPKrQrcge9r4l6AxH8s200HFg?e=CVLgn6

https://1drv.ms/u/s!AmPyrdPKrQrcge9s0lJDDeje4DlfIA?e=WMl2FM

I need to move this connection into a new Juniper switch with different fiber connectors which I'm fairly confident are LC Duplex connectors.

https://1drv.ms/u/s!AmPyrdPKrQrcge9uw2YzY25Q4HXuPg?e=Fo7Azc

https://1drv.ms/u/s!AmPyrdPKrQrcge9tr1wTXBDocu7AxA?e=BWSB0c

Once I'm able to confidently identify these connectors I'll be looking for an adapter if it's possible.



PPP and VPN

Hi!

So I am having trouble understanding PPP and VPN.

As I first understood it, PPP is used to have a secure layer 2 connection between routers (a replacement for HDLC). If that's the case, I began to think of a scenario. Let's say that I have two sites, site A and site B. Would it be smart to use PPP over VPN to make the connection extra secure? Doing a Google search I got confusing answers. It seemed that PPP is used for connecting sites to (????), but VPN is the better alternative (????).

Right now I am really confused, so if someone can clarify a bit I would really appreciate it.



Question About Hard Resetting Modem w/Ubiquiti Access points on Office Network

First off, please delete if not allowed, but this is a question about our office network.

I have been in charge of our company's basic IT/Helpdesk duties for about a year, and I've been asked to do some work on our network in the vein of blacklisting timewasting sites etc. I have very basic networking knowledge, and have only ever worked on my home network prior to this (I have a PiHole on my home network and have set up SMB shares in the past, so I understand the basic terminology).

The office has an Arris DG1670A modem, and Ubiquiti access points. It seems to be a fairly simple network setup from what I can tell. We do not have any servers, and the only clients on the network are standard desktop users over ethernet and wifi for mobile devices. I cannot access the admin settings of the router, as the previous IT Director set up a different password and never told anyone. I know how to hard reset the router to reset it to the original credentials, and plan to do this soon. I understand that the Ubiquiti access points also serve a similar function to a wireless router.

My questions are as follows:

  1. If I am only hard resetting the modem, and the APs are wired to our switch by ethernet, will the APs continue to function as normal? Or is there something different about the setup and connection process that I will need to enable in the router settings?
  2. Being that I've never performed a reset like this on a network this large, are there any other settings I should make sure to review or enable/disable to make sure the network is optimized?

The network seems very simple and straightforward to me, but I wanted to bounce these questions off of folks with more experience. Screwing this up would obviously not look good for me so any help is appreciated!



Limited access over a VPN tunnel to and from AWS

Hi,

I've got a weird one. The short of it is, we have a VPN tunnel from our office to a demo environment in AWS. It's a pretty basic setup.

  • We've used the built-in utility on our SonicWALL to configure the VPN.
  • On the Amazon side of things, we have a public and private subnet.
  • Security groups are allowing all access from our LAN on both subnets.
  • Firewall rules are on the SonicWALL to allow all traffic from our AWS subnet.
  • In AWS, I can ping any service that should be pingable, like our firewall or a NAS device.
  • In AWS, I can verify open ports to any port that should be open, like 80 on a NAS or our management port on the SonicWALL.
  • On the LAN, I can ping any service that should be pingable, like the servers we've deployed.
  • On the LAN, I can't verify open ports to any port that should be open, like RDP.
  • In AWS, even though I can ping and test ports, if I try to browse to the management interface of a service (like the NAS), I get "connection reset". Likewise, I can't browse shares or join the domain.

I've tried:

  • Recreating the tunnel both manually and with the utility. Setting up AWS is a pretty common thing for us, so I have our base environment setup with Cloud Formation.
  • Disabling firewalls on Windows Servers (temporarily and even though basic services like the NAS don't work, either).
  • Creating a new instance in AWS without any of our stuff on it. Can't join the domain or browse to the NAS or management IP of the SonicWALL.
  • Verified ACLs and security groups in AWS are allowing things.
  • Disabling security services on the SonicWALL one-by-one (and re-enabled) to test.
  • Enlisted our firewall management company to take a look. They say there's no traffic coming into the SonicWALL except for my pings.
  • Turned on logging on my VPC to Cloud Watch. It's reporting these connections, like 3389, as being accepted in both directions.

It's also worth noting that this was working before Christmas. It's a demo environment, so no one's really been using it. I guess I just don't understand enough about networking to know how a port could be open, but just time out. It's like the second half of the TCP handshake is being blocked coming back to AWS, but there aren't any firewall rules to justify this behavior.

Thanks and sorry for the wall of text!



Network Administrator Day to Day Role

Hi, I'm currently working as a Net Admin at a WISP company, and my day-to-day role is that I monitor the network (obviously), check our backhauls for bad signal, check whether clients still have a stable connection, and part of my job is also configuring devices and some other stuff as well. After all of that, when there's nothing to monitor or configure, I'm free to do something else. I'm wondering what your day-to-day role as a net admin is. I know that a day in the life of a network admin is not repetitive, but could you guys at least share what you do in a day, because I want to know what you do after you monitor all of your network infrastructure. I'm only 19 and it's my first job, and I really want to grow and improve. I really want to know how you work in your job.



ASA MAC addresses collection

We are providing over 100 ASAs to our customer so our network can be connected to theirs. We will be configuring and managing these firewalls. A problem with this is that the customer requires the MAC address of the ASA so they can provide us an IP address from their network (idk if they are using the MAC to authenticate us or something). This will require me opening up, powering on, and collecting the MAC address of the interface we will be plugging into the customer's network as the box of the ASA only provides one MAC address and none of the interfaces match to this MAC (I'm assuming this is the MAC of the device itself).

Any recommended solutions for this? I was thinking I could assign a locally administered MAC address to the interface when it comes to building them so I can provide a list of MAC addresses to the customer straight away and there's no need to unbox them to get the MAC.



Do Net Engineers need to know Python in depth?

Do you actually need to be able to compile your own module?

Or can you get away with just knowing modules like Netmiko/NAPALM and how to create a basic script with them?



GNS3 or Cisco CML

Hi,

I'm looking to build a virtual lab to test scenarios/upgrades for our datacenter setup (3 FortiGate firewall stacks, 10 switch stacks Cisco/Arista/Mellanox/HP/Lenovo).
I have already started setting up a GNS server, when I discovered Cisco CML. I gave it a test drive and it seems pretty neat, and seems to have most features GNS has. So now I'm a bit undecided which route to go.

Is there any reason not to go for CML? CML seems a lot more user friendly than GNS, but I'm afraid it has limited support for non-cisco devices, especially stuff like Mellanox and Lenovo.

Thanks!



Tuesday, January 12, 2021

BAS Switch

We have a large BAS install where all devices will be static IP and we will need 2 48 port switches

We have narrowed it down to these three. We will have one spare switch in the rack, but functionally an unmanaged switch would work. The folks here convinced me we may as well go managed. With the budget these are the options I see; do you have a recommendation? We are not network admins. The web GUI will be used if we ever want to check in on them and not the console port (almost certainly). Beyond troubleshooting features we won't need to configure them much; it's a simple network with 60 or so devices.

  • Ubiquiti edge switch 48 lite
  • HP 1920s 48 port
  • Cisco SG220 48 port

Those are all around the same price - and we are leaning towards the HP



How to test UDP packet loss from Windows to VPN gateway

Users with Cisco AnyConnect connecting to the ASA via SSL VPN have connectivity issues. Only a few users in a particular country have the issue (not China). We have users connecting from all over Asia without any issue.

Now, because we use DTLS, I suspect that due to congestion/throttling, UDP is being dropped by the ISP. A simple ping test won't cut it. Can't have iperf. Is there anything we can ask the user to check so that we can see whether UDP is being dropped?

Installing 3rd party applications on the users laptop might not be approved.



Trying to help someone leverage two circuits for terrible uptimes in the area.

I have a family friend who is a plastic surgeon and the building they are in has extremely unreliable comcast. I am trying to pinpoint the root cause but the other professionals in that building also complain. My daughter split open her chin and the ER didn't do such a great job, he fixed it up and I paid nothing.

I am mostly Cisco so I need some help as the Cisco solutions to bring in 500Mbps to 1Gbps connections are going to be expensive and noisy.

My goal is an easy to setup head end that can use Comcast and possibly AT&T (I am open to cellular backups, but I worry about coverage within the building) and then some better WiFi device(s) than the Comcast all in one. I would like fanless devices if possible or those that are quiet.

The office is maybe 1500sq ft. about 5 exam rooms, the doctors office, lobby and a receptionist and imaging/record storage area.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



What are your essential Cisco commands on first run?

Surely most of us will do a no ip domain-lookup and a few basic others, but do you use a template?

Which commands do you consider essential after switches and routers first boot?



Fiber Optic Speed Over Distance

I'm new to the fiber thing so I'm looking for some general advice here.

I work at a location that is running 62.5/125 multimode fiber between data closets. We are budgeting an upgrade in internet from 1 to 5 Gb and not sure if we would need to budget running to fiber cable to go with the new transceivers.

Googling I've found that OM1 is good for 10 Gb up to 33 meters, but fall off to 1 Gb at 275 meters. Question is, how fast does the speed drop off? For example, is this as simple as adding both together and dividing by two to know where the 5 Gbps mark would be (i.e.: 33 + 275 = 308 / 2 = 154 meters)? Or is the drop off much faster similar to what we see with 5 GHz Wi-Fi networks?



What is considered a good foundation in networking knowledge?

I recently had a meeting at my job where my boss, his peers and their boss asked about future plans and how they can help us grow in the company and achieve our goals even if it's not with the company. I told them I was in school for networking but still had a ways to go before completing that. They let me know that they will eventually need more people in their IT department and as long as I have a good foundation to bring to the table they'd be willing to invest in me when that time comes.

Thing is, I don't think I want to get a degree. I hate school and I only took a class to get some understanding before studying for some certifications... But this is a really good opportunity for me to stick my foot in the IT door with a company I like and to gain that experience without school that I can take anywhere. However I also know more than a few people who work with me and either have minors or certifications already, who were also waiting for IT positions to open up...

What can I study or what certifications can I take that will give me and prove that I have that basic knowledge and foundation they're looking for? I already have the most recent ccna test books, did a little studying on cbt nuggets, and took an intro into networking class. I'll probably need my network+ but idk... I think my advantage above the others seeking IT positions is that I am already a part of leadership and they think that I do a good job. I just don't know where to start for that foundation without school... I think that it's rare a company actually cares and invests in their team like this, so I want to take advantage of the opportunity.



802 authentication with Windows NPS server

Hi all,

Just looking to see if I am correct with my assumptions of 802.1X auth with Microsoft NPS server.

I have set it up for certificates, but I can only see an option for user or computer cert, not user and computer, so it will only require one of the certificates, not both of them. Is this called EAP chaining?

I don't think this is doable with NPS server, but if we were to purchase a copy of Cisco ISE it would be?



Does PeeringDB have accurate information about all ISPs' points of presence within public and private facilities?

Should I rely on the information given in the website? Do ISPs actually use this website indefinitely?



Analog into switch ?

Hi, might be a dumb question but can I put an analog line into a network switch?



SMTP stateless or stateful

I'm currently wondering if SMTP is considered a stateless or a stateful protocol. I've found conflicting answers online. Most were saying that it's stateless though. Personally, I was inclined to believe it's a stateful protocol, at least in the scope of one session, because you first authenticate and then get an acknowledgement back. Afterwards, it goes back and forth for a bit before the message is sent. In that case I'd imagine that the server needs to somehow track the session details, making it a stateful protocol. I'm really curious which it is and I'd love to have an explanation for it, since the online sources I've found just mentioned it as either stateful or stateless without really going into detail why.



Random link flapping issues on some switch ports. How can I troubleshoot this mess?

Configuration:

  • 3 stacked HP Switches (MAIN)
  • 2 other HP Switches in the same network closet connected together with a trunk ethernet (PRODUCTION)
  • MAIN and PRODUCTION are connected through a fiber trunk link
  • STP is enabled

Issue:

A new machine has been installed and connected to one of the PRODUCTION switches; after a few days of tests the machine technician complained that our network does not seem really stable.

Investigation:

So we checked the logs of the HP switches and found out many "port status change" events with this kind of pattern:

I 01/11/21 13:08:02 00076 ports: ST1-CMDR: port 3/26 is now on-line
I 01/11/21 13:08:53 00077 ports: ST1-CMDR: port 3/26 is now off-line
I 01/11/21 13:08:57 00076 ports: ST1-CMDR: port 3/26 is now on-line
I 01/11/21 13:08:58 00077 ports: ST1-CMDR: port 3/26 is now off-line
I 01/11/21 13:09:01 00076 ports: ST1-CMDR: port 3/26 is now on-line
W 01/11/21 13:09:01 02672 FFI: ST1-CMDR: port 3/26-Excessive link state transitions

We collected all the logs in one Excel spreadsheet and realized that:

  • These events happen pretty randomly in all the switches
  • Some days we have hundreds of events like these and others we have only a few of them; also, when the company is not working we have none (surprise?)
  • Some ports are more affected than others, we even made a chart

Some of the affected hosts are Windows computers, so we tried to check for "link loss" events in Event Viewer, but what's weird is that most of the time there were no warnings, so the port on the switch turned off for a bit but for the computer the link was still OK.

So it seems like we have found out about this problem only now because we connected a device that is more sensitive to these kinds of issues.

How can we troubleshoot this?
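
One way to do the Excel step in code, as an added example that is not part of the original post: a parser for the "port X is now on-line/off-line" lines quoted above that counts transitions per port in a sliding window, measures how long each port actually stayed down (a few seconds or less is consistent with the attached host logging nothing), and buckets events by hour so the working-hours pattern can be checked. The sample log is constructed from the five lines in the post plus two made-up lines for port 3/27; the window and threshold values are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Layout of the HP switch lines quoted in the post (the FFI warning line uses a
# different layout and is deliberately left unmatched):
#   <sev> <MM/DD/YY> <HH:MM:SS> <event> ports: <member>: port <port> is now on-line|off-line
LINE_RE = re.compile(
    r"^(?P<sev>[IWE])\s+(?P<date>\d{2}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<event>\d{5})\s+ports:\s+(?P<member>[^:]+):\s+port\s+(?P<port>\S+)\s+"
    r"is now\s+(?P<state>on-line|off-line)\s*$"
)

# Constructed sample: the post's five lines for 3/26 plus two made-up lines for 3/27.
SAMPLE_LOG = """\
I 01/11/21 13:08:02 00076 ports: ST1-CMDR: port 3/26 is now on-line
I 01/11/21 13:08:53 00077 ports: ST1-CMDR: port 3/26 is now off-line
I 01/11/21 13:08:57 00076 ports: ST1-CMDR: port 3/26 is now on-line
I 01/11/21 13:08:58 00077 ports: ST1-CMDR: port 3/26 is now off-line
I 01/11/21 13:09:01 00076 ports: ST1-CMDR: port 3/26 is now on-line
W 01/11/21 13:09:01 02672 FFI: ST1-CMDR: port 3/26-Excessive link state transitions
I 01/11/21 14:30:00 00077 ports: ST1-CMDR: port 3/27 is now off-line
I 01/11/21 14:30:45 00076 ports: ST1-CMDR: port 3/27 is now on-line
"""


def parse_line(line):
    """Return a dict for a port state-change line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
    return {"ts": ts, "member": m["member"], "port": m["port"], "state": m["state"]}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flap_report(events, window=timedelta(minutes=5), threshold=4):
    """Per (member, port): total events, the most events seen in any window-sized
    span, and a flapping verdict. Window and threshold are assumed values."""
    stamps = defaultdict(list)
    for e in events:
        stamps[(e["member"], e["port"])].append(e["ts"])
    report = {}
    for key, ts in stamps.items():
        ts.sort()
        worst, start = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:  # slide the window's left edge
                start += 1
            worst = max(worst, end - start + 1)
        report[key] = {"total": len(ts), "worst_in_window": worst, "flapping": worst >= threshold}
    return report


def down_durations(events, member, port):
    """Seconds between each off-line event and the next on-line event for one port."""
    mine = sorted((e for e in events if (e["member"], e["port"]) == (member, port)),
                  key=lambda e: e["ts"])
    durations, down_since = [], None
    for e in mine:
        if e["state"] == "off-line":
            down_since = e["ts"]
        elif down_since is not None:
            durations.append((e["ts"] - down_since).total_seconds())
            down_since = None
    return durations


def events_per_hour(events):
    """Event count by hour of day, to compare against working hours."""
    return dict(Counter(e["ts"].hour for e in events))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, row in flap_report(evs).items():
        print(key, row, "down for", down_durations(evs, *key), "s")
    print("events per hour:", events_per_hour(evs))
```

Feeding the real exported log into parse_log instead of SAMPLE_LOG gives the same per-port table the spreadsheet did, and the down-duration list tells you whether the drops are short enough to be missed by the host's own link-loss logging.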



PTP Design for MPLS Network - Need Advice

Hey there, I was hoping some of you more knowledgeable people might have some suggestions on PTP designs for MPLS networks.

Background: 300 router network: Nokia 7750-SR7/7705 SAR platforms. Fiber(1gig, and cwdm/dwdm nokia 1830) and various microwave for backhaul. Utility with lots of TDM we still need to migrate.

Our timing is currently mixed with SyncE and BITS at key microwave sites as well as PTP. An ex-coworker somewhat implemented PTP by getting two grandmaster clocks at separate locations and setting one as a primary PTP source and one as a secondary PTP source. All the nodes have a PTP reference, but it is the secondary on a good number of routers (with SyncE or BITS being the main). Our clocks also keep shifting resolution between 100ns and 25ns, but that's a separate issue.

Does anyone have any tips or resources for PTP clocking design?

With the Nokia gear you can set a device up to be PTP source and then create slaves but this is very messy and would require us to have a number of sources based on location.

We need the timing setup so we can do our TDM over the mpls. As it sits now we have migrated very little due to timing issues.

We are in contact with Nokia to try and figure out the best way to move forward, but I was hoping someone could point to some resources or offer any first-hand experience.

Thanks!



Need help understanding how my Spectrum Business setup is working

Hi... first post in this sub; normally I'm in the Ubiquiti sub but this topic seems more relevant here.

I have a small office with Spectrum Business cable internet service. I recently upgraded to the 1Gbit service plan, and they replaced my single cable modem (a Hitron) with a "two-box solution" that consists of a modem and a router (the Sagemcom RAC2V2S). They told me the two boxes were needed since I have a static IP and was at the highest speed tier. They explained that the router had all of its Wi-Fi and routing disabled, so I expected it was basically in bridge mode.

Downstream of this I have a Ubiquiti Dream Machine Pro as my own router, with its WAN network set up with the static IP information I was given, and a cable from the UDMP WAN port to one of the 4 LAN ports on the Spectrum router.

I was curious how this was all working, so I plugged my laptop ethernet into one of the other LAN ports on the Spectrum router. Surprisingly, I got a DHCP IP in the 192.168.0.x range assigned, which is also the same range as I use on the UDMP. This was surprising since I expected the Spectrum router to be in bridge mode. Also surprised it was using the same subnet as I use on the UDMP, and wonder if that is cause for concern.

I was able to hit the router IP and login with admin/admin (haha... I later changed this password!)

I see that the Spectrum router has "Dynamic NAT" setup, which I guess is doing 1:1 NAT thru to my UDMP router? So does this mean I am not in double-NAT? I'm not familiar with Dynamic or Static NAT settings on routers, and have only loosely heard about 1:1 NAT.

Here are the Spectrum router configuration screens:

https://imgur.com/a/04kh5f2

(NOTE: I did change the default DHCP range from 192.168.0.x to 192.168.111.x to not conflict with what my own router does)

I guess I'm not sure why I can't just go direct to the Spectrum cable modem while defining the static IP setup in the UDMP's WAN settings. I tried connecting from the modem direct to the UDMP WAN port, but it never linked up.



ACI inter-bridge-domain communication

I'm looking for some reading on how to do this and seem to be finding issues.

Say I have two separate Application Groups, each with a different VLAN and each within different Bridge Domains that are in the same VRF. How can I get the hosts connected to the EPGs in different Application Groups to communicate with each other? In our normal switched environment we would have an OSPF instance within the VRF that could route between the different VLANs.



Xconnect vs bridge-domains

Hi,

As of last month I've started a job at an ISP that provides transport to other providers, and the first task they put me on was configuring services on our routers. We usually do it through xconnect with MPLS pseudowires when the router we collect traffic from and the one we deliver to are on different sites; however, when the two routers are inside the same data center the configuration obviously varies a bit.

What happens is that routers in the same data center have a l2 interlink between them. Said L2 interlink is always a member of a Port-channel even if its just one interface (for future scalability reasons I assume)

So, the way I go about this is to create the service instance under the two physical interfaces and then under the L2 Port-channel present on both routers. However, rather than using an xconnect to put together the service instance on the physical interface and the one on the Port-channel, the company mandates using bridge-domains. Both for scenarios like this, where the collecting and delivery interfaces are on two routers with an L2 interlink between them, and in cases where the interface we collect from and the one we deliver to are on the same router.

I've been doing some reading about it and I came across this post:

https://community.cisco.com/t5/xr-os-and-platforms/bridge-domain-vs-xconnect/m-p/2134948/highlight/true#M1417

So what I gather is that xconnect is a "dumb" solution: everything it receives, it passes on to the other end and that's it. Bridge domains however do their forwarding based on destination MAC address and are capable of learning them.

I think I see why we use bridge-domains in the scenario where the interfaces we collect and deliver traffic from are on the same router, since they would be learning external MAC addresses. However, I can't come up with a rationale as to why we're using bridge domains to bridge together the physical interface and the L2 Po in the scenarios where the two interfaces are on two interlinked routers. Wouldn't an xconnect in these circumstances work just as well?

I've tried to ask my supervisor but got no answers besides "That's just how we do it". Could anyone offer some more insight?

Thanks



Alternative to Meraki

Looking for suggestions on an alternative to a Meraki setup. Trying to get out from under the steep licensing cost.

Medium size nonprofit at a single location. Fiber internet. MX84 running the show, with Ubiquiti switches making up the bulk of network with a handful of unmanaged switches. Unifi APs providing public and private WiFi access throughout the campus. VoIP phone system as well as IPCams. Total of 8 APs and 14 managed switches. VLANs for LAN, VoIP, IPCams, and Guest WiFi.

We got a Ubiquiti Dream Machine Pro and I have been working with it for about a week. The UDM pro just does not seem stable enough yet to pull off what the Meraki setup does with ease. It especially struggles with our windows domain controller.

Just looking for other alternatives to save on costs.



Dock station (to USB C) with PTP support.

Does anyone know of a dock station with ethernet interface with PTP support?

I have an MSI laptop (GS63 Stealth 8RD) with a Thunderbolt (USB-C) port, and I need PTP support; I think maybe there could be a dock station with this feature that I could connect.

Do you know any product with this characteristic?



How to tap/mirror LACP

Hi!

I am using a Fortigate Firewall, that is connected with LACP to two Arista 7050s (MLAG).

Now, I want to mirror/tap the traffic to a network monitoring / IDS system.

How do you monitor LACP-interfaces? I can tap each of the physical members to the IDS, but is this enough? Is there any better solution to do this?

Thank you for your help!

ITStril



Please make sure your equipment's NAT or firewall implementation respects RFC5382‘s REQ-5

If you are running Carrier-grade NAT on your equipment, please make sure your TCP established connection idle-timeout isn't too short. Otherwise TCP keepalives will get dropped, killing open connections (e.g. SSH). Test if your NAT setup (or firewall) violates RFC5382's REQ-5 (2 hours 4 minutes) using this tool I wrote: https://github.com/AndersTrier/NAT-TCP-test.

I wrote a more thorough description of the issue here, and also described how it may kill idle SSH sessions.
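
The mechanics behind such a check, as an added example that is not the author's NAT-TCP-test tool and not taken from the post: open a TCP connection, leave it completely silent for a chosen period (no keepalives, so only the middlebox's idle timer is exercised), then send one byte and see whether the far end still answers. The echo server is a constructed local stand-in for the remote endpoint, so over loopback the probe always succeeds; pointed at a real host behind a NAT it reports when the mapping has been dropped. The keepalive helper uses the Linux socket option names and the RFC 5382 REQ-5 figure of 2 hours 4 minutes.

```python
import socket
import threading
import time

# RFC 5382 REQ-5: an idle, established TCP mapping must not expire in under 2 h 4 min.
REQ5_MIN_IDLE_S = 124 * 60


def enable_keepalive(sock, idle_s, interval_s, probes):
    """Turn on TCP keepalives with explicit timers. Option names are Linux's;
    on platforms that lack them the kernel defaults are kept silently."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", idle_s), ("TCP_KEEPINTVL", interval_s),
                        ("TCP_KEEPCNT", probes)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)


def keepalive_refreshes_mapping(nat_idle_timeout_s, keepalive_idle_s):
    """A keepalive only helps if a probe goes out before the NAT's idle timer fires."""
    return keepalive_idle_s < nat_idle_timeout_s


def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for the remote endpoint: echoes whatever each client sends."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                while True:
                    data = conn.recv(1024)
                    if not data:
                        break
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe_idle_connection(host, port, idle_s, reply_timeout_s=5.0):
    """Connect, stay silent for idle_s (keepalives off, so only the path's idle
    timer runs), then send one byte. True if the echo still comes back."""
    with socket.create_connection((host, port), timeout=reply_timeout_s) as s:
        time.sleep(idle_s)
        try:
            s.sendall(b"x")
            return s.recv(1) == b"x"
        except (socket.timeout, ConnectionError):
            return False


def find_idle_timeout(host, port, idle_steps_s):
    """Probe with increasing idle periods; return the first one that fails, or None
    if every probed period survived."""
    for idle in idle_steps_s:
        if not probe_idle_connection(host, port, idle):
            return idle
    return None


if __name__ == "__main__":
    p = start_echo_server()
    print("idle 1 s survives:", probe_idle_connection("127.0.0.1", p, 1.0))
    print("first failing idle:", find_idle_timeout("127.0.0.1", p, [0.2, 0.5]))
    print("7200 s keepalive vs REQ-5 minimum:",
          keepalive_refreshes_mapping(REQ5_MIN_IDLE_S, 7200))
```

Against a real endpoint the idle steps would be minutes to hours, and a failure before REQ5_MIN_IDLE_S is the violation the post describes. The last helper is the client-side reading of the same problem: Linux's default keepalive idle time of 7200 s sits under the REQ-5 minimum, so it keeps a compliant mapping alive, but it does nothing for a NAT that forgets connections after, say, ten minutes.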



Backbone capacity ISP

I am just trying to learn a bit more about networking, especially backbone networks for ISPs.

So in my country I know that the maximum capacity in the backbone of at least one ISP is 800Gs. However, I really have a hard time grasping how that is enough. I mean, I know that depending on where the signal goes from and to, it doesn't necessarily need to go through the entire backbone and take up capacity. But still, many 1G connections are available for e.g. regular consumers, and more for companies etc. And in my mind I find it kind of insane that, with the amount of available 1G connections, there aren't e.g. 800 users using the max bandwidth of their fiber or coax connections, which has to go through the backbone in order to get outside the country etc.

What am I missing here ?



Connection issues to devices on stacked Catalyst 9200L switches

Hi everyone,

A few days ago, I replaced two WS-C2960-24TT-L switches with two stacked Catalyst 9200L switches.

Ever since I made this change, I have noticed that every single device has a really slow connection: I'm losing pings to the devices, SSH is really slow, RDP is really slow, etc.

I have 2 uplinks: GigabitEthernet1/1/1 is to our CORE switch, GigabitEthernet2/1/4 is to another ACCESS switch.

I tried troubleshooting the switch/ports, but can't come up with an idea what could be the issue.

Here is the output of the 2 uplink ports:

GigabitEthernet1/1/1 is up, line protocol is up (connected)
     Hardware is Gigabit Ethernet, address is 3c13.cc5f.ec31 (bia 3c13.cc5f.ec31)
     MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
     Encapsulation ARPA, loopback not set
     Keepalive not set
     Full-duplex, 1000Mb/s, link type is auto, media type is 1000BaseSX SFP
     input flow-control is on, output flow-control is unsupported
     ARP type: ARPA, ARP Timeout 04:00:00
     Last input 00:00:00, output 00:00:08, output hang never
     Last clearing of "show interface" counters never
     Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 74
     Queueing strategy: fifo
     Output queue: 0/40 (size/max)
     5 minute input rate 3637000 bits/sec, 709 packets/sec
     5 minute output rate 1056000 bits/sec, 404 packets/sec
     95814614 packets input, 70190377800 bytes, 0 no buffer
     Received 11880694 broadcasts (8867720 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 8867720 multicast, 0 pause input
     0 input packets with dribble condition detected
     66824525 packets output, 12782824914 bytes, 0 underruns
     Output 4969609 broadcasts (0 multicasts)
     0 output errors, 0 collisions, 4 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

GigabitEthernet2/1/4 is up, line protocol is up (connected)
     Hardware is Gigabit Ethernet, address is 802d.bfed.8434 (bia 802d.bfed.8434)
     MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
     Encapsulation ARPA, loopback not set
     Keepalive not set
     Full-duplex, 1000Mb/s, link type is auto, media type is 1000BaseSX SFP
     input flow-control is on, output flow-control is unsupported
     ARP type: ARPA, ARP Timeout 04:00:00
     Last input 00:00:15, output 00:00:00, output hang never
     Last clearing of "show interface" counters never
     Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 7870
     Queueing strategy: fifo
     Output queue: 0/40 (size/max)
     5 minute input rate 103000 bits/sec, 65 packets/sec
     5 minute output rate 351000 bits/sec, 247 packets/sec
     30022847 packets input, 17905254827 bytes, 0 no buffer
     Received 7811898 broadcasts (3510541 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 3510541 multicast, 0 pause input
     0 input packets with dribble condition detected
     36110786 packets output, 14828748859 bytes, 0 underruns
     Output 3778534 broadcasts (0 multicasts)
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

I don't see any issues with the uplink ports, could there be an issue with the stacking configuration?

show switch
Switch/Stack Mac Address : 3c13.cc5f.ec00 - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W   Current
Switch#   Role     Mac Address     Priority Version  State
*1        Active   3c13.cc5f.ec00  15       V01      Ready
 2        Standby  802d.bfed.8400  14       V01      Ready

show switch stack-mode
Switch#   Role     Mac Address     Version  Mode  Configured  State
*1        Active   3c13.cc5f.ec00  V01      N+1   None        Ready
 2        Standby  802d.bfed.8400  V01      N+1   None        Ready

Since this is my first time stacking Catalyst 9200L switch, is the Active/Standby Role correct? Is the Mode N+1 correct?

ANY questions or help about this issue would be really appreciated; I will gladly help!

Regards



Monday, January 11, 2021

Double NAT and DNS Loopback

Hi all,

I'm setting up an EdgeRouter X with two WAN connections in front of a UDM Pro. I'm doing this setup to use the EdgeRouter to load-balance my connections.

I need some help with the setup of two functionalities:

  • In the EdgeRouter I set up two DDNS updaters, one for each WAN IP, but using the hostname generated by the DDNS I can't access my services inside the UDM Pro network. I think I need something like NAT Loopback, but how can I make this work with my Double NAT setup?
  • How can I totally bypass the EdgeRouter firewall (like a DMZ) to manage my port forwarding directly from my UDM Pro for both WANs and so make the EdgeRouter "invisible"?

Thanks



Can anyone vouch for whether Kirk Byers' paid Python course is worth it? Confused about how the course is structured..

Some background: network engineer (CCIE R&S) looking to get into automation; I have taken the Automate the Boring Stuff course on Udemy and feel like I've got a good grasp of the core Python concepts (loops, string methods, dictionaries, functions etc.).

Have automated some simple tasks at work which is great, but looking at taking the next step into networking automation, from the research I have done on reddit this course has received the most recommendations: https://pynet.twb-tech.com/class-pyauto.html

I was under the impression it was an on-demand video series like Udemy, but it looks like it has a start date and is done via email, so I just had a few questions before I pulled the trigger for $800:

1. Are the videos distributed in a live lesson format, or just a link to an on-demand page we can do in our own time?

2. Are you able to join a course halfway through, or stop for a certain period and pick it back up?

3. With my current knowledge level, is it still recommended that I take the free course first? The annoying thing is that it starts 2 months away, and I'm eager to get the ball rolling.

4. What's the time commitment required for each day?

Thanks in advance



Cisco 1142N lightweight to autonomous

So I was given a whole bunch of Air-LAP1142-N-K9 access points. They are in lightweight mode and I cannot access conf t commands. I am trying to set them up and I've spent about 6 hours now researching why I can't load a new image to them for autonomous mode.

So far I am able to connect the AP and hold MODE, and it brings me to the boot process where it attempts to grab c1140-k9w7-tar.default from my tftp folder. When it reaches my tftp folder I always get an error stating that it does not have permission to access the folders.

- My firewall is turned off

- I used tftpd64 and SolarWinds

- I used two separate machines to host the tftp server

- I have allowed the port to be forwarded on my router.

- The file has exactly the same name as the one that the AP tries to grab.

- I tried changing my IP to 10.0.0.2, but I'm not sure if this would even work in my network; that IP is in a different subnet, so idk.

I'm basically throwing in the towel at this point, but it's really annoying me that I can't get them to work, so you guys are my last hope. I'm not sure what permissions I can change as well; I messed around with a bunch of security settings but no luck.



Cisco switches on 03.03.04SE: which CIS standard should I refer to?

We have quite a few Cisco switches on 03.03.04SE and scan the current compliance level with Tenable; which CIS benchmark is more applicable for this case?



A few questions about Passive Optical Networks.

I don't currently work in IT. I'm a computer science student and I've always been fascinated by how the internet works, and I think I've got most of the basics down with how passive optical networks work, but I have a few questions. I previously posted in another subreddit, but they said that this one would be a better fit. Please excuse my ignorance.

I want to know more about upstream bandwidth allocation. What protocol(s) does the OLT use to tell the ONTs when to transmit upstream data? I suppose that each PON variation is different, so for this purpose, I’d like to know the protocols for DWDM-PON and GEPON. I think I’ve read somewhere that it’s got a gate, request, and acknowledge command, but I don’t know the name of it. Is it at OSI layer 3?

I live in a rural area and I doubt I’ll be starting an ISP, but would it be theoretically possible to split a fiber at each service drop instead of having the splitter at the central office or “stacked” splitters (please forgive me, the name of that configuration also escapes me)? Would that be horribly inefficient? Could an asymmetric splitter do such a thing and still have the network go 20+ km?

Why do optical amplifiers cost so much? What’s the best network configuration so that you don’t have to run so many miles of fiber (tree, ring, any others I don’t know about)?

And finally, is it possible to stack a passive optical network on top of a passive optical network? More precisely, is it possible/easy to configure (I assume probably not feasible) to have each ONU on one passive optical network feed into an OLT for a smaller passive optical network?

I apologize if these questions are too hypothetical, if these are basic questions, or if they’ve already been answered. I welcome all answers. Thank you.



Can only send a maximum of ~3mbps from our head office to site with a CentOS router either side. All other traffic to/from elsewhere saturates the link -- Any ideas?

Hi all,

Been looking at this loosely for a couple of months now. We can't send more than 3mbps/tcp to one of our sites from the head office, yet both can saturate their respective links up/down just fine for any other communications. For the nginx reverse proxy and the inter-site VPN (tcp OR udp) this has been a slow nightmare. For testing I've been using iperf3 with various window sizes and MTU changes, with no budging on this ~3mbps limit with direct tests.

Scope of problem

  • NBN FTTP 250/100 service
    • CentOS gateway (Public IP on onboard gbit interface) LAN behind it on different interface
    • Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [10ec:8168]
    • Driver: r8169
  • NBN Wireless 75/10 service
    • CentOS gateway (Public IP on onboard gbit interface) LAN behind it on different interface
    • Intel Corporation Ethernet Connection I217-LM [8086:153a]
    • Driver: e1000e

MTU is set to 1500 on each side, which has been appropriate for communicating to any other public host just fine, saturating connections as expected.

Both services (tested directly on the routers themselves) can saturate their respective up/downlinks to public iperf3 testing services and any on speedtest.net. As far as I'm concerned, the network connections are great and have been serving well beyond expectation, and the routers are doing a fine job.

  • Sending from the NBN Wireless service router to the FTTP service manages to saturate its 10mbps upload speed which is max, so that's good.

  • Sending from the FTTP service router to the NBN Wireless service seems to cap out at around 3mbps/tcp instead of getting anywhere near the NBN Wireless connection's max 75mbps downstream.

    • iperf3 shows zero retries for these tests, like the FTTP router isn't even trying.

Both routers are running the stock CentOS 7 sysctl window sizes and rmem/wmem window scaling. Playing with it in memory hasn't resulted in any change and they've been rebooted back to default since.

Both services' public IPs are in the same /22 subnet of the ISP and pass through their border network gateway (BNG02); however, this problem has been ongoing since before this change was made. Right now the two services have a beautiful symmetrical single-hop route between each other through BNG02.

This problem only seems to be present on direct communication from the FTTP router's public interface to the NBN Wireless router's public interface. The most important part for our infrastructure.. and to our only other office. The one place where these links matter.

Some gotchas I've noticed

  • Port forwarding the iperf3 port (5201/tcp) to an internal host and running the test through the FTTP gateway, via an internal CentOS 7 machine, successfully saturates the NBN Wireless connection's downstream (what we want to see from the FTTP router itself)

    • I tried applying all the same iptables rules (WAN interface name matches) and copied all the sysctl rules to this newly spawned VM... the next iperf3 it did from inside the FTTP LAN was still perfect to the NBN Wireless connection.

Plus, I temporarily live-booted the FTTP router itself from an Arch Linux USB stick, ran iperf3 again and was also able to max out the NBN Wireless link again.. this time on the router metal itself.

Plugging a little USB3 ethernet adapter into the FTTP router and changing the iptables rules to use that as the WAN, DHCP'ing on it (appeared as enp0s20u1) to make that the public-IP WAN interface? Perfect iperf tests again.

All of this seems to stem from the onboard Realtek [10ec:8168] Gigabit Ethernet Controller.. but I am not sure what exactly just yet.

Been completely mind-blown about this for a few months, and taking the occasional glance hasn't gotten me very far. Our ISP has been very helpful in trying everything in the toolbox to get some decent connectivity, but everything seems to point to something unique to the FTTP CentOS and maybe the driver? But port forwarding to an internal machine and iperf'ing to that is perfectly fine.. through the same WAN interface in the end. Or live-booting into a newer distro on the same interface, still good.



Pulse VPN Client Automatic Update

Enabling or Disabling Automatic Upgrades of the Pulse Secure Client Per the Pulse KB:

After you deploy Pulse Secure client software to endpoints, software updates occur automatically. If you upgrade the Pulse client configuration on your Pulse server, updated software components are pushed to a client the next time it connects.

https://docs.pulsesecure.net/WebHelp/PDC/9.0R1/Content/PDC_AdminGuide_9.0R1/Enabling_or_Disabling_Automatic.htm

Can anyone verify for me if this works on Windows Endpoints where the user is not a local admin?

Thanks...



Layer 2 ISP Loop Issue

Topology

I have a client that has two layer-2 circuits from two separate providers, one Cox and one AT&T. Recently it was discovered that one of the circuits was ordered incorrectly with a VLAN tag and they wanted it untagged, so we had them remove the tag, but now that both layer 2 circuits are untagged we have created a layer 2 loop.

Before we got to telling the customer to simply create a LAG to stop the loop, I found that on the Juniper switch I control into the Cox network, when both circuits were up, the access port facing his Dell switch would go into "BPDU error detected" and disable the port. I have to manually clear the error for the port to come back online, and it will go back into a disabled state within about 5-10 seconds if the AT&T circuit is up. If we disable the AT&T circuit/path and clear the BPDU error, the Cox circuit stays up just fine.

Details on the error:

"If L2PT-encapsulated packets are received on an access interface, the switch reacts as it does when there is a loop between the service provider network and the customer network and shuts down (disables) the access interface. Once an interface is disabled, you must explicitly reenable it using the clear ethernet-switching layer2-protocol-tunneling error command or else the interface will remain disabled."

xxx@xxx> clear ethernet-switching layer2-protocol-tunneling error interface ge-0/0/8
{master:0}
xxx@xxx> show ethernet-switching interfaces ge-0/0/8
Interface    State  VLAN members   Tag   Tagging   Blocking
ge-0/0/8.0   up     vxxx           xxx   untagged  unblocked
{master:0}
xxx@xxx> show ethernet-switching interfaces ge-0/0/8
Interface    State  VLAN members   Tag   Tagging   Blocking
ge-0/0/8.0   down   vxxx           xxx   untagged  Layer2 Protocol Tunneling - loop detected.

When we look at the interface on the Dell facing my switch and at the interface facing his Dell, we see that both of us are sending BPDUs but neither of us is receiving any.

The VLAN that we L2PT across the Cox service network is set to tunnel all protocols, so I don't quite get why we're not getting any BPDUs across the link.

Here is the configuration of the customer-facing interface and the service-provider-facing interface.

set groups xxxxx interfaces ge-0/0/8 mtu 9216
set groups xxxxx interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode access
set groups xxxxx interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members v1011
set groups xxxxx interfaces ae48 unit 0 family ethernet-switching vlan members v1011
set groups xxxxx vlans v1011 vlan-id 1011
set groups xxxxx vlans v1011 interface ge-0/0/8.0
set groups xxxxx vlans v1011 interface ae48.0
set groups xxxxx vlans v1011 dot1q-tunneling layer2-protocol-tunneling all
set interfaces ae48 mtu 9216
set interfaces ae48 aggregated-ether-options link-speed 10g
set interfaces ae48 unit 0 family ethernet-switching port-mode trunk

We'd like one of two things to work: either set up a LAG and basically eliminate the need for STP, or leave it with a loop in a properly blocking state, so if one fails the other comes up and takes over like STP should do.



How to increase the screen buffer size on a minicom session?

I am trying to see if there is way to increase the screen buffer size on a minicom session and I haven't been able to find a solution yet.

I am SSHing to a Linux machine and from there I'm running the command <minicom -b 115200> to access a Juniper router. The screen buffer is too small, and the moment I go beyond a screen size I lose everything on the previous screen. Appreciate the help!



Ubiquiti tells customers to change passwords after security breach

Just saw this elsewhere.

Turn on 2FA if you haven't already. At a minimum, change your password.

https://www.zdnet.com/article/ubiquiti-tells-customers-to-change-passwords-after-security-breach/



Completely at my wits' end trying to load an image to an AIRCAP-2702I wireless AP [x-post /r/cisco]

I am at a total loss right now and have tried every single thing I can imagine under the sun to get this image loaded but nothing works. Even if it's something stupidly simple that I missed at this point I don't care because I just want this Cisco nightmare to end.

Quick summary: I found a spare AIRCAP-2702I-A-K9 that I wanted to add to our network. Booted it up and it added itself to our WLC with no issues. I am wanting to use this AP in autonomous mode instead though, so I downloaded the correct firmware (not the lightweight one), renamed it correctly as a .default, placed it in the tftp directory, went through the MODE method and.... nada. I got an error for invalid argument, etc.

Well after several attempts, resets, power interruptions, etc. the booting of the AP became wonky. I reset everything and actually had to format the entire flash: directory as well.

Now when I do the MODE method it tries to open my tftp server but I instantly get hit with:

%Error opening tftp://255.255.255.255/filename.default (no such file or directory)

I have used this tftp server already through the GUI and elsewhere, so I know it works. Plus, I can see activity on the tftpd64 screen as the file is trying to send over, but it times out with a "TIMEOUT waiting for Ack block #1" message.

Here are the screenshots: https://imgur.com/a/LDHZKf9 I have spent hours on this trying every method suggested in the Cisco forums, but none of them proved useful.

Also note that I don't have any firewalls running when I try this, the AP is on the same subnet, I've set my computer to be within the suggested range, etc.

Any help is greatly appreciated!