Saturday, March 20, 2021

Ideas - 100 Days of Code Challenge

I’m looking at doing the 100 Days of Code Challenge to improve my Python skills as a network engineer.

I’m really bad at coming up with ideas, so I thought I would ask the community. What would you like to see scripted and automated in your workplace?



SD-WAN HA Licensing

Hi all

I am working with a customer validating different SD-WAN solutions, and one of the concerns for our end requester is the branch architecture (HA). I have read a lot about several solutions such as Cisco, Velocloud, Cloudgenix and so on.

What we have been discussing so far is: do we need a license for the HA pair, or should each device of the HA pair have its own license?

Example: Meraki has a license for HA pair devices; what about the others?

Any clue would be appreciated.



Switches in same Cab - Difference between Copper and Fiber?

This is probably an age-old debate, so what's the real truth regarding copper and fiber performance on a small run?

I'm talking two switches, in the same cab. I know that ultimately fiber will almost always perform better, but when the copper run is 0.5 metres, is there any noticeable difference at all if you were to connect these switches with copper instead of fiber?

Thanks



IP Tracking Threat

I had a GMB owner respond to a 2 star review that was left under a Google account after visiting the establishment of ZenSmiles in Frisco TX. The owner created a fake Gmail account under my name and threatened legal action for defamation and says that they can locate the IP address. Is this true? How would or could they do this? What information would present itself in the IP address? Is this even legal to do that? I feel like the owner is just using "threat" tactics in hopes that I will remove the authentic Google review.



BGP Route Maps, Prefix Lists, and Access Lists

I am currently diving deep into BGP and was hoping someone could help me find where I am going wrong with this please.

My current setup is 3 FRR routers in full mesh, all on the same switch. They neighbor together just fine and are sharing routes. In order for updates to be sent between the routers I need to have set up some filters because of RFC 8212 (ebgp-requires-policy). I spent a couple of days reading through FRR's documentation and researching filtering/route maps and was able to get all the routers to share their routes with happy pings all around. This was achieved by setting the default-map defined below as both the outgoing and incoming route map for each neighbor.

ip prefix-list no-default-route seq 10 deny 0.0.0.0/0
ip prefix-list ClassA seq 10 permit 10.0.0.0/8 le 32
ip prefix-list ClassB seq 10 permit 172.16.0.0/12 le 32
ip prefix-list ClassC seq 10 permit 192.168.0.0/16 le 32
!
route-map default-map permit 10
 match ip address prefix-list no-default-route
!
route-map default-map permit 20
 match ip address prefix-list ClassA
!
route-map default-map permit 30
 match ip address prefix-list ClassB
!
route-map default-map permit 40
 match ip address prefix-list ClassC

If I am understanding the documentation correctly, this route map would deny the advertisements of a default route and only accept routes to networks in the private IP space. When I had one of my routers advertise a 0.0.0.0/0 network, none of the other routers added it to their learned routes so I believed that I was on the right track.

However, I do not think I set up the filtering correctly. When I tried to dive a little deeper into route maps to help further confirm that what I was doing was correct, things stopped working as expected. I had Router 3 advertise out 10.50.50.0/24 and then used the following route map on Router 3 to try and change the weight and next-hop address when being advertised to Router 1 (neighbor 10.20.20.1 route-map change-dummy-network out).

access-list dummy-network seq 10 permit 10.50.50.0/24
!
route-map change-dummy-network permit 10
 match ip address dummy-network
 set ip next-hop 10.20.20.4
 set weight 30000
route-map change-dummy-network permit 20
 call default-map

I assumed that this change-dummy-network route map would first check if the network being advertised was 10.50.50.0/24 and if so change the next-hop to 10.20.20.4 (dummy address) and give it a weight of 30000. If the network was not 10.50.50.0/24 it would then send the network through the default-map and deny or permit accordingly. This is not what happened though as Router 1 never got the 10.50.50.0/24 network from Router 3.

(Note: This snippet is from after I had turned off FRR on Router 2 which was done to help reduce variables for troubleshooting)

Router 3:

R3(config-router-af)# do show bgp detail
BGP table version is 86, local router ID is 10.20.20.3, vrf id 0
Default local pref 100, local AS 65003
Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.1.0/24      10.20.20.1               0             0 65001 i
*> 10.0.3.0/24      0.0.0.0                  0         32768 i
   10.50.50.0/24    0.0.0.0                  0         32768 i
*> 172.16.1.0/24    10.20.20.1               0             0 65001 i
*> 192.168.1.0/24   10.20.20.1               0             0 65001 i

R3(config-router-af)# do show ip bgp update-groups advertised-routes
update group 19, subgroup 17
BGP table version is 86, local router ID is 10.20.20.3
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.1.0/24      0.0.0.0                  0               65001 i
*> 10.0.3.0/24      0.0.0.0                  0         32768 i
*> 172.16.1.0/24    0.0.0.0                  0               65001 i
*> 192.168.1.0/24   0.0.0.0                  0               65001 i

Total number of prefixes 4

R3(config-router-af)# do show route-map change-dummy-network
! took out zebra part
BGP:
route-map: change-dummy-network Invoked: 4 Optimization: enabled Processed Change: false
 permit, sequence 10 Invoked 0
  Match clauses:
    ip address dummy-network
  Set clauses:
    ip next-hop 10.20.20.4
    weight 30000
  Call clause:
  Action:
    Exit routemap
 permit, sequence 20 Invoked 0
  Match clauses:
  Set clauses:
  Call clause:
    Call default-map
  Action:
    Exit routemap

Router 1:

R1(config-router-af)# do show bgp detail
BGP table version is 67, local router ID is 10.20.20.1, vrf id 0
Default local pref 100, local AS 65001
Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0/0        0.0.0.0                  0         32768 i
*> 10.0.1.0/24      0.0.0.0                  0         32768 i
*> 10.0.3.0/24      10.20.20.3               0             0 65003 i
*> 172.16.1.0/24    0.0.0.0                  0         32768 i
*> 192.168.1.0/24   0.0.0.0                  0         32768 i

Displayed 5 routes and 5 total paths

R1(config-router-af)# do show ip bgp update-groups advertised-routes
update group 20, subgroup 18
BGP table version is 67, local router ID is 10.20.20.1
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.1.0/24      0.0.0.0                  0         32768 i
*> 10.0.3.0/24      0.0.0.0                  0               65003 i
*> 172.16.1.0/24    0.0.0.0                  0         32768 i
*> 192.168.1.0/24   0.0.0.0                  0         32768 i

Total number of prefixes 4

I did the usual troubleshooting of do clear ip bgp *, restarting the FRR service, rebooting the router, etc. If anyone would happen to know what I am doing wrong with my route maps, prefix list, and/or access lists I would greatly appreciate it.

Thanks!
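The post above reasons about how FRR walks a route-map and its prefix-lists. The following is an added example, not code from the post or from FRR, that models that walk in plain Python (first matching list line wins, implicit deny at the end of every list and every route-map, and a `call` whose target denies makes the calling stanza deny) and runs the post's own default-map and change-dummy-network policy over sample prefixes. It assumes IPv4 only and models the access-list as an exact-prefix match; one thing it makes visible is that a prefix-list whose only line is `deny 0.0.0.0/0` permits nothing, so sequence 10 of default-map never matches and the default route is dropped by the route-map's implicit deny instead.

```python
"""Toy model of FRR prefix-list / route-map evaluation for the policy in the post."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ListEntry:
    """One line of an ip prefix-list (or, with exact matching, an access-list)."""
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "10.0.0.0/8"
    ge: Optional[int] = None
    le: Optional[int] = None


@dataclass
class MapEntry:
    """One 'route-map NAME permit|deny SEQ' stanza."""
    seq: int
    action: str
    match: Optional[str] = None          # list name; None means match everything
    sets: dict = field(default_factory=dict)
    call: Optional[str] = None           # name of another route-map to call


def list_permits(entries, route):
    """First matching line wins; a list that matches nothing denies (implicit deny).
    With neither ge nor le the route length must equal the line's length exactly;
    'le N' widens that to lengths from the line's length up to N."""
    net = ipaddress.ip_network(route, strict=False)
    for e in entries:
        base = ipaddress.ip_network(e.prefix, strict=False)
        lo = e.ge if e.ge is not None else base.prefixlen
        hi = e.le if e.le is not None else (32 if e.ge is not None else base.prefixlen)
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return e.action == "permit"
    return False


# The policy from the post, transcribed into the model (constructed data, IPv4 only).
LISTS = {
    "no-default-route": [ListEntry("deny", "0.0.0.0/0")],
    "ClassA": [ListEntry("permit", "10.0.0.0/8", le=32)],
    "ClassB": [ListEntry("permit", "172.16.0.0/12", le=32)],
    "ClassC": [ListEntry("permit", "192.168.0.0/16", le=32)],
    # access-list dummy-network: modelled here as an exact-prefix match (assumption)
    "dummy-network": [ListEntry("permit", "10.50.50.0/24")],
}
ROUTE_MAPS = {
    "default-map": [
        MapEntry(10, "permit", match="no-default-route"),
        MapEntry(20, "permit", match="ClassA"),
        MapEntry(30, "permit", match="ClassB"),
        MapEntry(40, "permit", match="ClassC"),
    ],
    "change-dummy-network": [
        MapEntry(10, "permit", match="dummy-network",
                 sets={"next_hop": "10.20.20.4", "weight": 30000}),
        MapEntry(20, "permit", call="default-map"),
    ],
}


def evaluate(map_name, route, attrs=None):
    """Run ROUTE_MAPS[map_name] over `route`.
    Returns (permitted, attrs, seq); seq is the stanza that decided, None on implicit deny."""
    attrs = dict(attrs or {})
    for entry in ROUTE_MAPS[map_name]:
        if entry.match is not None and not list_permits(LISTS[entry.match], route):
            continue                     # this stanza does not match, try the next one
        if entry.call is not None:       # 'call': a deny from the called map denies here
            ok, attrs, _ = evaluate(entry.call, route, attrs)
            if not ok:
                return False, attrs, entry.seq
        if entry.action == "deny":
            return False, attrs, entry.seq
        attrs.update(entry.sets)         # permit: apply the set clauses and exit
        return True, attrs, entry.seq
    return False, attrs, None            # fell off the end: implicit deny


if __name__ == "__main__":
    for rm, pfx in [("default-map", "0.0.0.0/0"), ("default-map", "10.0.3.0/24"),
                    ("default-map", "8.8.8.0/24"),
                    ("change-dummy-network", "10.50.50.0/24"),
                    ("change-dummy-network", "172.16.1.0/24")]:
        print(f"{rm:22} {pfx:16} -> {evaluate(rm, pfx)}")
```

The model only covers policy evaluation; a path that is not valid and best in the local BGP table (no `*>` marker) is never handed to the outbound policy at all, so the route-map counters stay at zero for it.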



One way device discovery between VLANs on a C3560

Let me start this off by saying that in no way am I a professional or even up to snuff with networking. I'm currently a CS student who is starting to branch out into more networking / security learning paths. I'm currently an IT intern at a local library and our network specialist has tasked me with finding a way to allow devices on one VLAN to be discovered by another, but only in one direction.

Here is the scenario:

VLAN 10 - Staff VLAN

VLAN 20 - Public use computers and printers

We want to be able to manage hosts on VLAN 20 from within VLAN 10, but we don't want to allow hosts on VLAN 10 to be accessible from VLAN 20. From the research I've done, I thought we might be able to use a Reflexive ACL, however this is not supported by our hardware. I'm sure there is a good deal of information I've left out unknowingly. Any suggestions are greatly appreciated and I will try to clarify any details if there are questions.



Decrypting SSL/TLS data on an in-house device

I have a wired ethernet device on my LAN (part of my solar panel setup) and I'd like to know what it's doing. If I port-scan it there are no open ports at all, although it responds to pings. There USED to be a web server on port 1234 that gave some basic stats but this no longer works, so I presume that a firmware update has blocked it.

Using Wireshark I can see that the device is talking to a server that's in AWS's IP address range. But it won't talk to me directly, and the traffic I'm capturing is encrypted.

Purely as an academic exercise I'd like to be able to decrypt the captured packets. How easy is it to grab the necessary keys? Which tool should I google for first?

The device and my PC are both wired, btw. No wifi required. My switch allows port mirroring which is how I can see the device's traffic.



Encountering Weird HTTPS issue

My team has a fairly small lab environment at work. There is one Nexus 2K in that lab that acts as a ToR FEX. I have a fair amount of experience deploying Nexus 2Ks and, as far as I can tell, it is working. We have a handful of hosts connected to the N2K: cameras, laptops, and servers.

For our users to be able to remotely access the lab from their desks, they must connect to an OpenVPN server on our production network, which then provides access to that lab's VLAN (VLAN 14 - 192.168.14.0/24). Note that the desks and lab are in the same building, so no WAN.

I've installed the Dell servers in the lab's racks, connected the cameras, set up a few laptops, etc. These are all directly connected to the N2Ks via access ports (switchport access vlan 14). Pretty basic stuff. The users and myself can ping all of them from our desks. We can also access these devices via ssh and telnet. The cameras only support HTTP, and that works fine. The Dell iDRAC port is accessible via HTTPS. So far, so good.

About 2 weeks ago, I decide to install ESXi 6.7 on 2 of our Dell Servers. Again I've done this countless times, installation goes smoothly, I give it an address on the same subnet, I ping it from my desk, I ssh into it, and I access both ESXi's web UI via HTTPS.

When I come back the next day, I am no longer able to access ESXi via HTTPS. I can still ping it and SSH into it from my desk, however. So I physically go to the lab and try to access ESXi's web UI with one of the laptops - it works. I now go back to my desk and attempt to access the Dell server's iDRAC web UI via HTTPS - it works. So for whatever reason, I decide to re-install ESXi on these same Dell servers, but version 6.5 instead. Installation complete... both ESXi's web UI are again accessible via HTTPS. I come back the next day, ESXi are once again no longer accessible via HTTPS (from my desk) ... The FF browser loads endlessly with a message of "Waiting on TLS handshake...". When I curl the address, I get "301 - Moved Permanently".

This has been mindboggling and I am unsure how to proceed. I would very much appreciate any troubleshooting tips.

Cheers



Minimize downtime IIS Web server from VMWare to Azure Site Recovery failover

Hi,

First of all, we don't have any HA load balancer solution. After failing over the VMs, I want to fail over their IIS services to the Azure site ASAP.

What other methods are there to ensure that all traffic gets routed to the live server if one server goes down?

- DNS Failover

- Azure Traffic Manager

- Any other method?

Especially, I am wondering about the experiences of IT experts who have a similar environment. What are your DR plans for a web server failover scenario?

Kind regards,



Bridge the gap between NOC and implementation teams.

I have started a new position as a NOC engineer. The issue I face is that I troubleshoot complex issues related to hundreds of sites for different technologies; some sites are of course not similar in configuration and design. I have learnt a lot of stuff and I do learn new things every day; however, I always find that the implementation team members are more aware and can even troubleshoot better than me, because hard, complex cases are always referred to them and they fix them. I feel that they do so because they are much more aware of the solution, because they have built it, and they are likely to have more years of experience away from the NOC, plus they have the best talent engineers, I have to admit that. Is there any way to bridge or at least decrease this gap? Do other NOC engineers feel the same, or is it just me? Any tips and advice on how to become better at troubleshooting are more than welcome.



Solid networking background from uni, different career path from job

Hi, as stated, I received 9 modules of Cisco Networking, one semester with a bootcamp, took and passed the CCNA Certification exam, and even had a subject about Network Management. All these thanks to my university. However, I graduated during this time of pandemic, which pushed me to accept a job which is an Infrastructure Engineer.

I thought it was related at first. But going deeper into my role, I'm starting to realize that I'm slowly moving away from the network path (which I love, by the way), and leaning towards cloud. While I know that cloud and infrastructure is more advantageous, computer networks is what I really love.

Applying for a new job is too early since I haven't spent 6 months yet onto my first one, and the pandemic makes it more complicated since most Network Engineer jobs are on-site (I'm advised to stay since my current one is fully WFH). I cannot risk going out because the covid situation in our country is really not good (Philippines).

Since everything's clear, my main question boils down to: will I ever have the chance to go back to the career path that I wanted? Will it not be too late to shift from an Infrastructure Engr to a Network Engr after the pandemic?

I'm seriously worried since I might get left behind especially since I would be staying indefinitely with my current role. Thank you!



zScaler client connector with PAC file

Hi everyone.

I am trying to figure out the relationship between implementing a PAC file and the client connector.

If both are implemented, how does Zscaler determine which forwarding method to use? Does it use the PAC file when on a trusted network, then the connector while on an untrusted network? If yes, how does the browser determine not to use the PAC file while using the connector?

I hope this makes sense and thanks in advance.



Friday, March 19, 2021

Smart TV / Webcam

Not sure if this is the right group to ask this question and I apologize if it's not. We have a 70" LG Smart TV in our conference room. We want to hook up a webcam to it to use for video conferencing people in the conference room with remote users. Will any webcam work as long as it's plugged into the USB port of the TV? Also, once a meeting is started on the laptop (that's connected to the TV) using Zoom, GoTo, WebEx, etc., would we just need to choose the designated webcam connected to the TV?



Why aren't there WiFi-to-Ethernet adapters? They're all to USB...

I tried finding one, but couldn't. I'm sure there's a reason, just not readily apparent.



Looking for the best route to go

I'm a newbie in networking and looking to get into cybersecurity. I'm struggling to know which certifications to acquire. At the moment, I'm starting off with CCNA Routing and Switching and then doing CompTIA Security+. Is this the best way to get into cybersecurity? When I go through job descriptions, the requirements seem out of my grasp.



Help! Remote wireless access point solution?

Hey there!

I have a coffee shop about 20-30 meters from the beach. Inside my shop the WiFi is great, but I want to be able to provide those customers on the beach a good WiFi connection as well, so is there any wireless access point out there that is battery driven and doesn't need to connect to a wall socket? Or what are my options? Thank you 🙏



SNMP detecting only interfaces and not ips

I have an IP configured on interface gig0/0/2 and SNMP is detecting only interfaces, but not the IP.



why VM and My machine have different IP range

I'm just a noob trying to learn; my VM (Linux WSL) IP is 171.19.231.41/20 and my machine (Windows) IP is 192.63.2.0/24.

Isn't it the case that devices in the same network share a network ID and subnet mask?

Sorry for my bad English, btw.



Looking for resources on network scheduling

Hi all, I’m writing an essay on scheduling of non-cpu resources, and I’m struggling to find information that is useful and/or relevant. I was hoping you guys might be able to help? Any papers or articles written on the topic would be amazing. Thanks!



Cisco 2504 WLC: Running 7.6.120.0 - DTLS errors

After searching through I found the config ap cert-expiry-ignore command, but from my SSH session the command fails.

The 'config ap ?' doesn't display a 'cert-expiry-ignore' option. Am I missing something?



NTP server recommendations

Looking to replace a couple routers running as NTP masters. Any recommendations? Hardware or software based



Network Engineer looking for advice for Career shift to Network Reliability Engineer

Title explains most of what I'm asking - I'm a Network Transport Engineer in an ISP Environment, but I'm looking to speak with others who may be in a Network Reliability Engineering Role. (Or adjacent role.)

Recently there's been an opening locally with a competitor company that I'm applying to, I'm incredibly interested in the NRE role and even if I miss the opportunity here I'd like to seek other opportunities in the same vein.

The primary ask is: how can I be the most successful? Where should I fortify my skills? What advice would you give?

I'm incredibly skilled in the Networking aspect as far as: Layer 2, 3, routing protocols (IS-IS, OSPF, BGP, EIGRP), DWDM/Photonic Systems, MPLS/VPLS, etc

I've been trying to strengthen my Python scripting to fortify my ability to produce script generators for gear, I've also been working on my JSON abilities for REST-API programming within Postman. I'm also incredibly skilled when it comes to CFM/fault monitoring.

TL;DR - Network Engineer wants to transition to a NRE-type role, what advice could you provide to help me be the most successful and suited to the role? Thanks!



Is it impossible to get a cloud based NAS?!

Hi all, I'm new to this so please excuse my ignorance.

We're a small office of less than 10 people. We currently have a NAS on-site that isn't backed up anywhere. Recently we've been plagued with brownouts which have caused the NAS to reset and become unresponsive, nearly losing all of the data.

There's 1TB of business info on there, with 4-5 users accessing word docs/excel etc daily.

All I'm after is a simple solution where I can replicate this in the cloud and allow people to connect from the office and at home.

I've spoken to Microsoft Azure, but it seems you can't just buy an off the shelf online storage solution. You need to explain your "data requirements" to them, then their sales team call you back in 3-5 days with a proposal and price?

I've looked at our 365 accounts which seem to have 1TB of space with them, but don't allow a collaborative space.

Apparently our NAS (Buffalo LS-WXL26D) is too old to have cloud storage connected to it, for an off-site backup.

Is there not a simple solution of moving our local backup to the cloud, that people can work on collaboratively?



802.1x wireless authentication - server certificate confusion

Greetings,

I am working on an enterprise authentication system for my company. I've got an NPS (RADIUS) server configured to authenticate wireless clients using PEAP-MSCHAPv2. This method uses server certificates to verify the identity of the server the client is talking to.

The NPS, whose name is myNPS, is joined to my cloud domain (Microsoft's cloud version of Domain Services - Azure AD Domain Services); let's say the domain name is aadds.mycompany.com, so the FQDN for my NPS is myNPS.aadds.mycompany.com.

Use case #1: Android

When connecting to the Wi-Fi from Android, for the CA field, I can select the option to 'Don't validate' which doesn't check the server certificate at all. I can authenticate just fine but no server validation means someone can do damage using the evil twin method.

The option I want to use is the 'Use system certificates' option together with a public CA which comes preinstalled on Android. The cert I want to try out is from Let's Encrypt whose CA is DST Root CA x3, which is preinstalled on Android. This way I don't have to distribute any certificates to my end users.

This is where I get confused (which may stem from my bad understanding of certificates) - when I select the 'Use system certificates' option, I need to input a domain.

  1. What domain does this need to specify? aadds.mycompany.com? The FQDN?
  2. How does it provide the connection between the server certificate the NPS server provided upon connection and the public CA that signed the server certificate?

What I thought of doing is generating a Let's Encrypt certificate specifically for the NPS server (perhaps using the FQDN?), after which the user enters the FQDN in the domain field, which matches the FQDN in the cert, and the user successfully gets authenticated.

Am I approaching/thinking about this correctly? Would this work?

Use case #2: iOS

When connecting to the Wi-Fi from iOS devices, the device just displays the cert on the screen and asks the user if it wants to trust the server. I really am not a fan of this since expecting the users to manually check the domain name in the certificate (which is shown on the screen) introduces the factor of trust, where I trust (I don't) my end users to actually do that step every time.

For iOS I am baffled about what to do.

Any useful comments are very much appreciated!



Mesh Networks and issues with iOS devices

I have a D-Link Mesh router connected between my firewall (router connected to the firewall) and my network switch. Wi-Fi works reasonably well except with iOS devices (not sure about Android), which constantly drop out but still show as connected, which is a pain as I am constantly having to switch it off and on to get it back up, and it lingers as connected when I move out of range. It also shows on iOS devices as weak security. These are apparently known issues (at least the iOS security one, which if I had known I would not have bought it), as links from the D-Link US forum site (http://forums.dlink.com/index.php?topic=75849.0 and http://forums.dlink.com/index.phptopic=75867.msg308167) seem to indicate. Should I dump my Mesh network and get a proper Wi-Fi access point (am looking at the Linksys Business LAPAC1200C (https://www.linksys.com/au/p/P-LAPAC1200C/) as a replacement) or persist? And if persisting is the option, how could I fix these issues?



iperf server at or around Quebec, CA

Hello. Thanks in advance for your assistance and feedback.

Looking to test bandwidth around the Quebec area using iperf on a gig connection. Is anyone aware of a server that can be used in that area?

Thanks again



Cisco 2960x upgrading into older version even though boot statement says otherwise.

Hi Folks,

Wondering if anyone has ever seen this behaviour. I'm upgrading a bunch of Cisco 2960X, 3650 and 3850s. On one 2960X I'm going from c2960x-universalk9-mz.152-2.E7.bin to c2960x-universalk9-mz.152-7.E3.bin. So far they have been the most reliable, with very few issues. However, this switch is still reloading into the older version even though my boot statement says otherwise. Before I look at Cisco TAC, has anyone seen this before? Am I missing something obvious? The file size also matches, at 26714112.

switch#show boot
BOOT path-list      : flash:c2960x-universalk9-mz.152-7.E3.bin
Config file         : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break        : yes
Manual Boot         : no
Allow Dev Key       : yes
HELPER path-list    :
Auto upgrade        : yes
Auto upgrade path   :
NVRAM/Config file
      buffer size:   524288
Timeout for Config
          Download:    0 seconds
Config Download
       via DHCP:       disabled (next boot: disabled)

switch#show version | in .bin
System image file is "flash:/c2960x-universalk9-mz.152-2.E7.bin"

Directory of flash:/
    2  -rwx       18208  Mar 19 2021 11:24:49 +00:00  config.text
    3  -rwx         856  Mar 19 2021 11:29:44 +00:00  vlan.dat
    5  -rwx    21284864  Jun 12 2019 02:52:25 +01:00  c2960x-universalk9-mz.152-2.E7.bin
    6  -rwx        5489  Mar 19 2021 11:24:49 +00:00  private-config.text
    7  -rwx    26714112  Feb 17 2021 23:41:39 +00:00  c2960x-universalk9-mz.152-7.E3.bin
   10  -rwx        3096  Mar 19 2021 11:29:50 +00:00  multiple-fs
    8  drwx         512  Mar 13 2016 11:49:12 +00:00  dc_profile_dir

switch#verify /md5 flash:c2960x-universalk9-mz.152-7.E3.bin
..........Done!
verify /md5 (flash:c2960x-universalk9-mz.152-7.E3.bin) = 7ea76e3413f6ebe5d0644bdb419dcd73



Is "STIG'ing" switches overrated?

I understand our pals who work for certain agencies have regulatory requirements. But for the rest of us, it has become the norm to apply all these "STIG" and "NIST" configs to our switches.

The resultant configuration is like 50k lines long, using all kinds of obscure commands that are only talked about in an old white paper from 2005, and breaking all kinds of stuff that doesn't need to be broken.

The result is huge problems managing the device, and half the config becoming invalid when you update code on it.

Are attackers in 2021 really saying "Let's go after the switches!" Like really, if you just throw a management ACL on there, lock down net services to known server IPs, you should pretty much be golden.

Thoughts?



Need help to upgrade my network from 1Gb/s to 10Gb/s SFP+

Hi everyone ,

I'm working as an IT Manager and I manage around 70 machines.

I have some questions before doing the upgrade.

Is it necessary to have a router with an SFP+ slot, or can I work with my older one, which has a 1Gb/s SFP slot, and connect it to an SFP+ switch?

I will buy 6 switches. Do I need all ports to be SFP+, or can I transfer data at 10Gb/s over Cat6a?

Best regards,



VRF or VLANing traffic on Edge HA Firewalls

We have a pair of HA firewalls at the edge, connected to the core switch on a trunk port carrying all VLANs. Client and server VLANs have their default gateway on the core switch. The firewalls have enough capacity and throughput.

We want to segment some VLANs for servers, IoT, HVAC, CCTV and the access system, and terminate L3 on the firewalls, so inter-VLAN traffic for those VLANs will happen on the firewall.

I am wondering if that solution looks viable? Is it good to use Internet edge firewalls for that purpose?



How to predict fortinet cost of ownership

Hi everyone,

I'm considering buying a FortiGate 60F for my company, but I'm a bit lost about the licensing. What I want is to deploy a firewall with an IPS that can update its signature base and detect threats. Should I buy a bundle, or are the IPS and updates included with the device? It seems to me like they would not offer that without a subscription fee, but I'm not sure, as all bundles seem to include the IPS service.

Second thing, they talk about an antispam service; how does that work? All my SMTP/IMAP traffic is encrypted, so I'm at a loss as to how it could filter out spam/viruses. Is it an additional gateway where I have to redirect incoming SMTP traffic before delivery (our mail is hosted in the cloud)?

Thanks a lot =)



Juniper MX40 VRRP and a CLI question too

Hi, I've been working on Juniper equipment for over a year now, EX, QFX and SRX equipment mainly, but we also have a pair of active/active MX40s at one of the data centres that I've only ever had to go on about 3 times so far (I've come from a heavy Cisco background). The weird thing I've spotted is that if you do a traceroute to our website that is hosted at that particular data centre, it always goes to one of the outside physical interface IPs we have in the active/active pair, whereas it should be going to the VRRP IP. I have looked on both routers with a "show int terse", and on the outside irb interfaces the public physical IPs are obviously there, but on only ONE router is the VRRP VIP there too under the physical IP, so this obviously caused some suspicions... Doing a "show vrrp detail", everything looks alright for that group to be honest; master, backup, local and VIP are all what they should be...

We have other irb interfaces with VRRP as well, and both routers have both their own physical IPs and also the VIP under them too. Anybody any ideas as to what is going on here?

Oh, and as a side note... the "show services sessions" command shows up absolutely nothing on the CLI as well, which I found odd. Anyone any ideas there too?

Thanks everyone



Firewall Rule Not Working

Hi guys, I'm having a bit of a weird issue where machines in one of our subnets are unable to ping machines in another local subnet. I have configured a firewall rule allowing any service between the two subnets, but even then pings aren't working. I've been told it worked before, but I can't confirm that as nothing appears in the logs. Even when I ping, nothing comes up in the firewall (Check Point) logs.

The machine we're trying to ping is a Linux one managed by our external supplier. I have asked whether there are any iptables rules being applied that will drop the pings, but apart from that I've no idea where to start. Any advice would be hugely appreciated.



10G WAN Switches recommendation

Hi,

We are looking for new WAN switches as we plan to go for 10G ISP in the near future.

In our datacenter we use the Aruba CX series, but the price for 2 x (Aruba 6300M 24SFP+) seems a little steep for a switch where we will use 5-6 ports and only basic functionality.

The requirements are:

  1. Minimum 10 SFP+ ports
  2. Dual Power Supply
  3. VLAN support
  4. LACP support

I have found 2 options that fit my requirements and do not break the bank:

FS S5860-20SQ

https://www.fs.com/de-en/products/108710.html

MikroTik CRS326-24S+2Q+RM

https://mikrotik.com/product/crs326_24s_2q_rm

For me the specs seem fine on the above switches.

I have no experience with FS / MikroTik, so I would like to know if I should stay away from them or if they're good enough.

Any advice is appreciated.

Thanks



Thursday, March 18, 2021

Do you need a SIP trunk for inbound and another SIP trunk for outbound?

Do you need one SIP trunk for inbound calls and another SIP trunk for outbound calls?

Can I get one to cover inbound and outbound needs?



4G/5G modem wired to bluetooth to tablet (underwater)

Hi,

My boss has given me the mission of trying to figure out if it's possible to run a zoom class underwater, as in one person is underwater with an iPad. We have the underwater iPad housing, which works fine. Audio is an issue, and I think for running zoom through the iPad it's not going to be practical.

I know that wifi and bluetooth do not travel through water well at all. I gather from a bit of reading that you can get an okay bluetooth connection within a couple of cm in seawater. So the idea would be to have a bluetooth unit, in a small housing, stuck to the back of the iPad housing.

So how easy would it be to find a 4G modem that can be wired to a bluetooth unit that can provide the iPad with internet, where the modem sits on the surface and the wire runs underwater to the bluetooth unit, which is in a waterproof housing?

We're exploring other options like running video from a wired gopro or similar, and audio from a separate unit, and joining them on a computer on the surface, then streaming that, but it'd be nice to know whether running internet to a tablet is possible as well.

Thanks for any opinions



Advice for first time network deployment!

Hello r/networking peeps!

I am a fresh Systems Engineer grad, and I am planning to deploy a small-ish network for the company I work for. This is my first proper project outside of labs and schoolwork. I am not the most proficient in networking and I highly specialize in programming/software engineering, hence why I would like to ask for some advice! I have only been trained in Cisco and Mikrotik...

The building is relatively old and was formerly occupied by a not-for-profit organization. This organization left the building mostly intact and there is pre-existing cabling (looks like Cat5e? but I have not tested thoroughly). There is a data cabinet that contains 2 patch panels (?) and 1 NEC switch. Here is a link to the images I took of it:

https://imgur.com/a/hjvZ9DS

The network will be relatively small. Here is a quick rundown:

  • 2-3 Desktops (Wired)
  • 2-3 VoIp Phones
  • 10-30 approx. Laptops
  • 1 Printer/Copier/Scanner (enterprise type)
  • Random Mobile devices

Time allotted is 8 working days. Budget is all up in the air but the Boss is happy to spend on equipment that is necessary but manpower is not gonna be available (I might work with an electrician but it will mostly be me). What I want is a lean and mean approach. Something that I only ever need to configure once and I can just leave it be. Reason being is I am the only IT personnel and the buildings are located hours and hours apart from one another. I have to maintain much of it from the Central building and I do not want to drive all the way just to check up on the network every single time. Besides, I am also creating software singlehandedly for the company. I barely have enough time as it is.

My plan is to:

  • Replace the Patch Panel with a new one. Any advice regarding this? Model/brand? Approach?
  • Replace the cabling to Cat6 but... time is tricky and it will not be physically possible according to other networking peeps I have asked around. So realistically, will be using the existing cabling. Any advice on this approach?
  • Replace the current switch with something more current or industry standard... like a Cisco switch. Any advice on a model I should use?

My Network Topology Plans:

  • I have a network topology and here is a link of what it looks like:

https://imgur.com/a/XUnsizW

So, the ISP modem will be in bridged mode -> connecting to possibly a Cisco/Billion router with its own firewall? (DHCP will come from here, but I do not know if DNS should be set up on this router or the ISP modem.) This router will connect to the switch and the access points (I will be using Ubiquiti access points to handle all that traffic).

Anyway... pardon the long post. I would really appreciate any kind of feedback or advice. Thank you all and have a nice day!



Thoughts on Ciena in the last mile?

We are exploring the use of Ciena in our last-mile access network for aggregation and demarcation. We're exploring their layer 3 capable 5000 and 3000 family devices. Our core is all Juniper, and up until now we have been rolling Juniper for metro aggregation, but we are interested in deploying more capable boxes that support a richer OAM feature set. The ACX line, while great, doesn't seem to have the depth of the Ciena family of devices. I would love to hear people's thoughts and experiences with Ciena hardware, software (SAOS, MCP), support, etc. Their stuff isn't cheap, but it's also not the most expensive on the market (I'm looking at you Cisco). Thanks in advance! We would love to roll with a white box solution from Edgecore or UfiSpace, but the NMS and FCAPS solutions are not there yet and we don't have the development resources to build them ourselves and continue to maintain our existing functions. We are primarily exploring solutions from Adva and Ciena but would love to hear thoughts/ideas on anyone else we should be exploring. Thanks in advance.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



At work we are on a sub-network (192.x.x.x), but we'd like to get access to a SQL server on the main network (173.x.x.x)- can it be done?

At work, in our building, we are on a peer-to-peer 192.168.x.x network.

We gateway to the main network in a building near our building, which is on 173.44.x.x. We are connected physically to that network and get things like Internet access through it.

How would I go about getting the ability to access an SQL server sitting on the 173 network from my 192 network?



Netmiko and threading

I'm looking for a bit of assistance with Python. I wrote this script to log on to each device in my network and then ping all of the other devices. It can take a long time though, so I am looking to use threading to speed this up. My script iterates through a list of routers, then in each iteration/loop it pings all the other routers in the list. I have tried to look at various threading examples online, but they have been simple examples with one command, e.g. 'show run'. I'm struggling to incorporate that functionality into my current script because I need to pass in multiple variables and do a for loop etc. I also want to be able to specify the number of threads. (I have seen some examples where you can do this, and some seem to just try every device in the list at once.)

I have pasted my code below. Ignore everything to do with the csv file, I know I need to either move to a DB or use a Dataframe if I'm going to use threading but I can take care of that. I just want to know how I can have each iteration/for loop run separately. E.g. if I have 200 devices in the list, I want it to connect to the first 20 in the list and then ping all the other 199 routers.

Thank you very much

Edit: I removed the code and put it on Github gist as it looked horrible here.

https://gist.github.com/tars01/eaf9bb99b8002de7d4fd5037ee9e5c8e
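An added example of the pattern asked for above (not the poster's gist and not Netmiko's own code): one task per device that does its whole ping loop, fanned out over a ThreadPoolExecutor capped at a chosen number of threads, with per-device failures captured instead of aborting the run. The inventory, the reachability table and FakeConnection are constructed stand-ins so it runs offline; with Netmiko you would pass `lambda d: ConnectHandler(**d)` as `connect`.

```python
"""Bounded-thread fan-out of a per-device ping sweep (added example)."""
from concurrent.futures import ThreadPoolExecutor, as_completed
import re

# Constructed sample inventory; placeholder addresses, not real devices.
DEVICES = [
    {"host": "10.10.0.1", "device_type": "cisco_ios", "username": "ro", "password": "x"},
    {"host": "10.10.0.2", "device_type": "cisco_ios", "username": "ro", "password": "x"},
    {"host": "10.10.0.3", "device_type": "cisco_ios", "username": "ro", "password": "x"},
    {"host": "10.10.0.4", "device_type": "cisco_ios", "username": "ro", "password": "x"},
]

# Constructed (source, target) pairs the offline stand-in reports as unreachable.
UNREACHABLE = {("10.10.0.1", "10.10.0.3"), ("10.10.0.4", "10.10.0.2")}


class FakeConnection:
    """Offline stand-in for netmiko.ConnectHandler; mimics IOS 'ping' output."""

    def __init__(self, host):
        self.host = host

    def send_command(self, command):
        target = command.split()[-1]
        if (self.host, target) in UNREACHABLE:
            return "Success rate is 0 percent (0/5)"
        return "Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms"

    def disconnect(self):
        pass


def fake_connect(device):
    """Hypothetical connection factory; replace with ConnectHandler(**device)."""
    return FakeConnection(device["host"])


SUCCESS_RE = re.compile(r"Success rate is (\d+) percent")


def parse_ping(output):
    """True when IOS ping output reports at least one reply."""
    m = SUCCESS_RE.search(output)
    return bool(m) and int(m.group(1)) > 0


def ping_from(device, targets, connect=fake_connect):
    """One task = one device: log in once, ping every other router, return results."""
    results = {}
    conn = connect(device)
    try:
        for target in targets:
            if target == device["host"]:
                continue  # a router does not need to ping itself
            results[target] = parse_ping(conn.send_command(f"ping {target}"))
    finally:
        conn.disconnect()
    return results


def run_all(devices, max_workers=20, connect=fake_connect):
    """Fan the per-device tasks out over at most `max_workers` threads.

    Returns {source_host: {"ok": {target: bool}}} or {"error": repr(exc)} per
    device. Results are returned rather than written from the threads, so the
    caller can write its CSV/DB from the main thread without a shared-file race.
    """
    targets = [d["host"] for d in devices]
    summary = {}
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        # submit() passes as many arguments as the worker needs
        futures = {pool.submit(ping_from, d, targets, connect): d["host"] for d in devices}
        for fut in as_completed(futures):
            src = futures[fut]
            try:
                summary[src] = {"ok": fut.result()}
            except Exception as exc:  # e.g. a Netmiko timeout on a real run
                summary[src] = {"error": repr(exc)}
    return summary


def failed_pairs(summary):
    """Sorted (source, target) pairs that got no reply, for the final report."""
    return sorted(
        (src, dst)
        for src, res in summary.items()
        for dst, ok in res.get("ok", {}).items()
        if not ok
    )


if __name__ == "__main__":
    report = run_all(DEVICES, max_workers=2)
    for src, dst in failed_pairs(report):
        print(f"{src} -> {dst}: FAILED")
```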



BGP ISP question

I have a remote office in Europe where I've carved out a /24 out of my /22 and I'm advertising it out of that office. The ISP was SONY, so I had to make sure my origin AS is set to SONY's ASN in RADb. Everything was working fine. We changed ISPs and I updated my RADb. The problem is that using a looking glass I only see that /24 from 2 countries in Europe. Everywhere else they see the broader range (/22), and of course those regions can't reach my office. What gives??!?!



Any Benefits of Converting 2 Existing Physical Networks into VLANs ?

Hi guys, I recently inherited an environment that was set up with 2 physical networks that operate side by side, both on unmanaged switches. The primary network is for all domain-joined systems operating on the 192.168.1.1 network, and all the other devices are on the 192.168.2.1 network. This includes things like Wi-Fi APs, wired kiosks, and laptops. I plan on purchasing managed switches to create VLANs for the Wi-Fi, to be able to use some of those laptops to log in to our domain. I would create another 192.168.3.1 VLAN network and put the guest Wi-Fi on that. Would there be any benefit to adding the existing 2.1 wired network devices into, say, the 3.1, or maybe even creating another 4.1 VLAN for those devices?

I hope I'm painting a clear picture. I've never done a migration like this before, but I feel like with my understanding of VLANs it shouldn't be too bad. The only real benefit I see to combining the wired 2.1 devices would be having more information gathered by the managed switches.



2 separate switches mixing up IPs

I have 2 HP switches, each connected to a different network (one to network 192.168.10.0/24 and the other one to 192.168.20.0/24). My issue is that on one switch, on some ports, the PCs get an IP address from the opposite network (!?) and have no internet connection.

How is this possible? Is this a switching issue, or would it be the PC?

My switches are 'dumb' and not interconnected:

hostname "ProCurve Switch 2610-24/12PWR"
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-28
   ip address 192.168.10.0 255.255.255.0
   exit



Can't connect to SOME subnet addresses

My company uses OpenVPN to connect to some CenturyLink VMs. We have 4 VMs in total:

  • 10.120.95.12
  • 10.120.95.15
  • 10.120.220.36
  • 10.120.230.37

The two X.X.95.X addresses seem to connect just fine. I can PuTTY in like nothing's wrong!

The two X.X.220.X addresses have been giving us a whole hell of a lot of issues the last two mornings. Both days we've rolled into the office (or WFH like in my case) to find that we just can't get any connectivity at all!!

I'm not the network admin. Honestly you'll all probably hate me, given how little I understand, but I'm the only resource I've got at the moment with my boss (the network admin) on vacay this week.

Anyway, my gut said to run a tracert and see what comes up. Here are the results:

Traceroute to 10.120.95.12 (Working as far as we can determine)...

Tracing route to 10.120.95.12 over a maximum of 30 hops:

  1    29 ms    29 ms    29 ms  10.255.220.1
  2    30 ms    30 ms    30 ms  10.120.220.1
  3    30 ms    29 ms    30 ms  10.120.95.12

Trace complete.

Traceroute to 10.120.220.37

Tracing route to 10.120.220.37 over a maximum of 30 hops:

  1    29 ms    30 ms    30 ms  10.255.220.1
  2  10.120.220.230  reports: Destination host unreachable.

Trace complete.

So outside of speaking to a CenturyLink rep (they'll be calling back in a few hours), what can I do with this information? Does anyone have any crackpot theories? Am I unaware of a very useful troubleshooting step?

Seriously—any help would be super appreciated!



ISC Class Match Statement

Hello!

I have a client that has multiple cable modem termination systems that connect to one ISC server on CentOS Linux version 7. We do firmware upgrades for their modems. I'm looking into a way of only doing firmware upgrades for one specific CMTS and I cannot figure out the logic to get that done via my class match statement.

CMTS: 10.2.20.1

Class Match Statement:

class "CM820A" {
    match if pick-first-value(option modem_info.modnum, option modem_info.xmodnum) = "CM820A";

    if ( known and ( not ((modem-config = "noservices.cfg") or
         (pick-first-value(option modem_info.swver, option modem_info.xswver) = "9.1.103S5AR" )))) {
        filename = concat( catch-me, "/", "upgrade/820-upgrade.cfg" );
    }
}

Your help would be greatly appreciated!



VMWare - Azure Site Recovery networking question

Hi,

Hopefully someone here can point me in the right direction since I'm sure everything we want to do is possible, but I currently lack the knowledge on where to start.

In Azure, I have the following:

- Virtual network: 10.100.0.0/16(Azure-REAL-FAILOVER-VNET)

---- Associated subnets : 10.100.10.0/24 10.100.20.0/24 10.100.30.0/24 10.100.40.0/24 , associated with its own NSG

- Virtual network: 10.200.0.0/16(Azure-TEST-FAILOVER-VNET)

---- Associated subnets : 10.200.10.0/24 , associated with its own NSG

- Multi Site VPN between Azure and on-premise network (Azure-PROD-FAILOVER-VNET with virtual network can only have one VPN gateway)

- There is no peering between Azure-PROD-FAILOVER-VNET and Azure-TEST-FAILOVER-VNET

My question is :

- I will do DR failover for my customer. There are 20 VMs.

My DR plan :

- Disconnect the multisite VPN to simulate a real disaster recovery

- Start failover for all 20 VMs inside Azure Portal

After the failover, I want to connect to all VMs via RDP. How can we connect? P2S? Or anything else?

- Is it possible to connect via P2S with one VPN gateway?

If so, any advice on how to make this work?

Thank you to anyone with insights who is willing to take the time to respond!

Kind regards,



USB to USB RS232, will this work?

Hello all,

I was curious, I bought this cable a while ago for use on my current Dell server (for this one I bought the null modem version):

https://www.amazon.com/gp/product/B0769HDTS8/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1

Works great, but I was also curious about setting up a test box for simply updating configs and testing before running them on my main box (pfSense). Would this adapter work, since the only thing I have on my test box is USB? (For this one I bought the FTDI chip version, male to male):

https://www.amazon.com/gp/product/B0769HDTS8/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1

Thanks all!



Are WiFi 6E APs going to be expensive?

I was reading about the new Qualcomm 6E chipsets https://fonow.com/view/259675.html

... and that got me thinking about how new APs would be built. It looks like 2-4 new spatial streams will be added to each model, so the current dual-band 4x4:4 APs' 8 spatial streams will now grow to 12. Are we likely to see price jumps like going from a Cisco 9120 to a 9130 now? The Aruba equivalent would be the price jump from an AP-535 to an AP-555.



Virtual Router with socks 5 support

Hi people, do you know any virtual router that supports SOCKS5 with authentication?

Thanks in advance!



Wireless Access Point causing print problems

I experienced printer problems. Printing to my (wireless) printer resulted in 'printer offline' or 'busy' and no print resulted. Same from my MacBook, my wife's Windows laptop, another PC etc. Rebooting the printer released the queued print jobs but then the same offline problem again. A factory reset of the printer got me no further forward. Intermittently ping worked, then not.

Only after a restart of the (Unifi nanoHD) WAP did normal reliable printing begin again. Throughout this, all other wireless devices connected via the nanoHD (IP cameras, mobiles, video doorbell etc) worked perfectly. I'm at a loss to understand just what was going on in the nanoHD WAP to cause the printer problem. Can someone provide an explanation? Ta.



2-tier network with modular switches vs 3-tier network with stackable switches?

I am designing a school campus that needs to support about 1 000 users. It's a big building with three floors, some classrooms will be connected wired, others wireless. I am still a student and have almost finished the CCNAv6 course. I can configure a network if you tell me how to, but I seem to get stuck when someone tells me to design a network myself and select the right hardware.

When designing a hierarchical network, Cisco makes a distinction between a 3-tier network with a core, distribution and access layer, and a 2-tier network with only a core/distribution and access layer. Since schools often don't have that much of a budget, I was wondering: would it be better to implement a three tier network with stackable switches at the core and distribution layer, or could a company save money and simplify the network by collapsing the core and network layer and using a modular switch to have more ports on one layer?

3-tier could be:

  • DIST: 1 L3 switch like C9500 on each floor, maybe 10G ports
  • CORE: 2 L3 switches like C9500 for redundancy, maybe 25G ports

2-tier could be:

  • DIST/CORE: one C9600 on each floor, 10G ports to connect to access layer, and 40G ports to connect the modular switches to each other.

I find these design choices very difficult to make. Stackable seems to be the default choice for most SMEs, but when does one start using modular devices?



Can anyone provide some help with QinQ and Metro ethernet switch config

I am using a Cisco ME3600-X and following the config guide, but I am unable to get any traffic to pass. I'm just not sure if the switch is tagging packets outbound with the S-tag and stripping it off on the way back in. It is a hub-and-spoke topology with a few customer VLANs at the remote site, and those VLANs should be delivered at the hub with the outer S-tag.



Wednesday, March 17, 2021

What are the major pros of getting a PoE switch for WAPs vs just using power injectors?

I am going to add 2 WAPs to get 3 total and currently the one WAP is into our switch via power injector. Normally I would have a PoE capable switch but in this case I don't.

What are the compelling reasons to get a PoE switch and run the three WAPs off of that instead of just buying two more PoE injectors? I'm planning on using 802.1x on them.



ASA or Firepower for SSL VPN? Some thoughts and questions

Okay, I recently came across a post here on r/networking regarding this and I swear I can't find it so I figured I'd reach out to get some opinions.

Also, I realize that FTD/FMC experiences are mostly sour on here, and I can confirm most of them. Having been in networking for just shy of 4 years, the FTD/FMC was my first real experience of setting up a firewall from scratch. All other ASAs were just other people's work, and I thoroughly enjoy using the ASDM/CLI to learn.

We've had Firepower 2140s in HA (6.6.1 with vFMC) for about 3+ years now and they are our primary firewalls. They handle our internet traffic as well as our site-to-site VPNs and here recently due to the pandemic, remote access VPNs using SSL. To cut to the chase, the experience has been pretty subpar when it comes to RA-VPN on the firepower.

During COVID I've been getting rid of some older ASAs in our environment. One of them was handling our RA-VPN, and I believe it was either an ASA-5512 or 5510. The experience was actually really solid, and our group of users who were on the ASA and are now on the Firepower have told us personally it was better back on the ASA.

So fast forward, I'm about finished cleaning up older ASAs and I have 2 x ASA5585-X. For now we have just a few networks that sit behind it and they will be moving to the firepower shortly and my thought was to start from scratch on the ASA and use those in a HA pair and use them only for VPNs. Whether that's just the SSL VPN or eventually move the site to site back, I'd like to utilize what life I can out of them as we still have SmartNet on them. I'm aware of some licenses we would need to purchase but I think in the long run it would provide a better experience for our users.

As of now, I'll have users report disconnects once or maybe twice a day where AnyConnect completely disconnects and then eventually reconnects after about 15-20 seconds. I've been back and forth with TAC regarding the issue and we've tried a few things to improve the experience. Adjusting the MTUs on the Connection Profiles seem to work best, but I'm still not satisfied as I keep looking back during the ASA times.

I would say I'm about a month out before being able to reconfigure the ASAs. My question really is if this is a good idea or am I just wasting my time? I would place the ASA behind the FTDs so we can utilize the IPS/IDS functionality of the FTD at the same time. We are talking about 200 users altogether.

My thoughts are a bit all over the place and I apologize. I'm still going to engage TAC to see if I can essentially turn this frown upside down and see what I'm missing, but so far they've confirmed my configurations were solid.

Thank you all for your time today!



Anyone got the ova type of talari sd-wan from oracle?

Hello members, I would like to do some research on the Oracle SD-WAN, but I can't download the virtual appliance of the Oracle SD-WAN. Can anyone share the download link of the virtual appliance? Thanks.



How to add the yang model to the xml file for Cisco switch version 1741?

Hey guys, so I found a python script to add ports to an existing VLAN. However, I could not understand how to add the YANG models to the XML attribute xmlns. I provided a link to the model on GitHub and tried with and without the '.yang' file type. It just doesn't seem to work.

Any idea on how to include the correct YANG model, or if the URL is wrong?

The code is provided below and so too is the error.

Thank you so much.

'''import modules to code'''
from ncclient import manager
import xml.dom.minidom

'''XML encoded YANG data - YANG vlan data model and YANG interface data model for IOS XE version 16.9.3
<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
<vlan>
<vlan-list xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-vlan"><id>{vlan}</id><name>VLAN {vlan}</name></vlan-list>
</vlan>
</native>
'''

# xmlns must be the module namespace declared inside the .yang file (its
# "namespace" statement, e.g. http://cisco.com/ns/yang/Cisco-IOS-XE-native),
# not the URL of the file on GitHub; an edit-config whose elements sit in a
# namespace the device does not implement is rejected.
# The <name> leaf holds only "1/1" etc., without the "GigabitEthernet" prefix.
netconf_add_vlan_to_if = """
<config>
<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
<interface>
<GigabitEthernet>
<name>1/{number}</name>
<switchport>
<access xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-switch">
<vlan><vlan>{vlan}</vlan></vlan>
</access>
</switchport>
<description>Configured by NETCONF</description>
</GigabitEthernet>
</interface>
</native>
</config>"""

# open one NETCONF session and loop through five interfaces:
# Gi1/1-3 go into VLAN 20, Gi1/4-5 into VLAN 110
# (hostkey_verify=False disables SSH host-key checking of the switch)
with manager.connect(host="192.133.8.245", port=333, username="admin",
                     password="Cisco123", hostkey_verify=False) as m:
    for i in range(1, 6):
        vlan_id = 20 if i <= 3 else 110
        # use ncclient to push down config
        netconf_data = netconf_add_vlan_to_if.format(number=i, vlan=vlan_id)
        netconf_reply = m.edit_config(netconf_data, target='running')

        # print status
        print("The configuration payload sent over NETCONF.\n")
        print(netconf_data)
        print("Here is the raw XML data returned from the device.\n")
        print(xml.dom.minidom.parseString(netconf_reply.xml).toprettyxml())
        print("")
        print(str(i) + " OK")

Thank you.

[Running] python -u "c:\Users\blah\Documents\LinkedIn\Web Programming\Cisco\Switch\ncclient_vlans_netconf.py"

Traceback (most recent call last):
  File "c:\Users\zahid\Documents\LinkedIn\Web Programming\Cisco\Switch\ncclient_vlans_netconf.py", line 70, in <module>
    netconf_reply = m.edit_config(netconf_data, target = 'running')
  File "C:\Users\blah\anaconda3\envs\flask_trial\lib\site-packages\ncclient\manager.py", line 239, in execute
    return cls(self._session,
  File "C:\Users\blah\anaconda3\envs\flask_trial\lib\site-packages\ncclient\operations\edit.py", line 75, in request
    return self._request(node)
  File "C:\Users\blah\anaconda3\envs\flask_trial\lib\site-packages\ncclient\operations\rpc.py", line 367, in _request
    raise self._reply.error
ncclient.operations.rpc.RPCError: {'type': 'protocol', 'tag': 'unknown-element', 'app_tag': None, 'severity': 'error', 'info': '<?xml version="1.0" encoding="UTF-8"?><error-info xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"><bad-element>config</bad-element>\n</error-info>\n', 'path': '\n    /rpc/edit-config\n  ', 'message': None}

[Done] exited with code=1 in 1.663 seconds



For those of you who leverage MPLS as an SD-WAN transport type, what is your reasoning?

Just curious to know - is it due to existing contracts? Are there requirements for at least one transport type to have an end-to-end SLA? Are there concerns about the public internet being a shared failure domain?



DC Network Managed by different teams

Hi guys, a customer that is a group of different companies wants to implement a DC network (vPC based or Spine-Leaf with VXLAN EVPN/ACI; we are still defining which option to use). This network will integrate all the current networks of all the companies for synergy, but each company must be able to configure and manage only its tenants/VRFs/vDCs and so on. Which options do we have? I know ACI, with its security domains, allows for separate management of specific tenants; is it possible to do something similar with VXLAN EVPN or classic multi-tier vPC?

Thanks!



Is an ARP response mandatory in the context of plain Ethernet or a Virtual Private LAN Service if the node receiving the broadcast does not have the IP address?

My professor is steadfast in his statement that a reply is sent even if the address is not there.

That seems like a waste.



Terminal server security

If I have 10 computers on my network that need internet access and access to all the same programs, is it more secure to have them all just access a terminal server that has everything they need than to have each individual computer loaded with the programs and accessing the internet?



Wireless Bandwidth Throttling

Any particular reason why wireless devices may become severely bandwidth throttled, but not wired? I'm currently managing 25 Ruckus R510 11ac Wave 2 access points controlled by a ZoneDirector 1200, and randomly, sometimes, the internal connection speed on a wireless connection becomes severely degraded to about <1Mbps. I have carried out multiple iPerf tests on a wireless and a wired connection to our main DC, and hardwired it's fine, but on wireless it's not. It's temperamental and intermittent. Tested on multiple devices, and the issue seems to only pertain to wireless devices. For troubleshooting, I attached my laptop to an AP that connects into a Cisco SG350-28P, as well as hardwiring into the same port, and again, connected wirelessly it's severely degraded but hardwired it's not. I even connected my laptop into the passthrough port on the R510 and it was fine. I can't explain it. My only thought is possibly the wireless system struggling with encryption and decryption, so I was going to test this on an open network. My fallback option would be to factory reset it and rebuild it from the ground up. I can't imagine it being a physical issue, but maybe I'm wrong. It just seems like it's being throttled massively somewhere or by something. There are no network policies or configurations in place that should be causing this. Any troubleshooting ideas, steps or testing I may be able to carry out to identify what might be causing this would be very much appreciated.



How do you go about troubleshooting ping spikes?

Been on the line with Cisco TAC all day and still no fix. We're having trouble pinging internally. When we run a ping, it's consistently the third or fourth ping that jumps up to a couple hundred milliseconds and all the other ones are right around 1 ms.

Our setup is a collapsed core and above that is an ASA, a McAfee IDS, and then an ASR router. From the core to the firewall we have a 5 GB port channel. On that port channel we have sub-interfaces built out for all of our VLANs and that is where the routing is done between VLANs. Those sub-interfaces are the default gateways for all subnets.

Whenever we ping the default gateway of each subnet that is when we notice the ping spike. We also notice it in our server area between servers. And it seems to be causing issues with the servers and our Citrix image booting.

If this was your setup what would you do to troubleshoot the spike? We looked at firewall CPU utilization and that does not seem to be an issue. The utilization on all of the links is not getting maxed out either.

Could it come down to the actual physical connections needing to be cleaned? I know fiber sometimes can have issues when there is dirt on the connector. We are at a point that our network is crippled and have a huge event coming up so it needs to be fixed. Hoping TAC can get it figured out but for now we're still at a standstill, so figured I would reach out here and see if anyone has any ideas.

Again this is all internal so I believe the issue is firewall or below.



Mac OS networking issues. No internet connection over Wifi when connected to a second network over ethernet.

Hi all

Sorry if this is the wrong place to post this question but I was wondering if anyone could help.

I have a number of MacBook Pros connected to a FreeNAS server via a managed switch, all on static IPs. They can all connect to the server with no issue and there is no connection to the internet over this interface.

As these Macs need an internet connection as well, they are also connected to a Wi-Fi network which has internet access.

The issue I am having is that though the Macs connect to Wi-Fi they will not connect to the internet when the ethernet connection is present. The moment I disconnect a MacBook from the ethernet network the internet starts working. There are also some Windows-based machines being used in the same way which do not have this issue.

Has anyone here experienced this and know of a fix?

Thanks in advance! T



VPN Access to Double NAT site

I'm trying to gain remote access to a site that's set up using a cellular router. The cellular router does not have a public IP and is more than likely double NAT'ed.

The site is solar, so I don't have the resources to place a PC onsite for TeamViewer.

Could I possibly use a Raspberry Pi to tunnel out to a hosted VPS and somehow connect back into the site and see the LAN? My cellular router is a CBA850. In the past I would have used a MOFI for this but they are hit and miss sometimes.

Just looking for some options.



SMF to 1G copper media converters

I both hate myself and feel dirty asking, because I think Media converters are the spawn of Satan, but does anyone know of a good quality one? I have certainly seen lots of unreliable ones in the past. I have been so effective in avoiding them, I don't think I have used one in the last 12 years.

I have several devices that only have copper management ports, and I need to connect to that port over a larger distance than copper Ethernet allows. I also have some sites that the Internet provider only supplies a fibre handoff, and the small site firewalls are copper only. I would like to have it as small as is reasonable, as I don't want to waste an entire U on the MC, and in an ideal world the ability to connect to it and see the DOM stats of the fibre link.

Can anyone recommend a make and model they have had a good experience with?



SRX300 - Junos setup questions

Hi all! I am in way over my head. I am a software developer that was asked to take on the task of setting up a SRX300 in our office that will connect to our AWS cloud. Obviously networking is not my thing and I am needing assistance from people that have hopefully dealt with the Junos OS.

What I have done:

We already have an existing AWS VPC. I set up a Customer Gateway, Virtual Private Gateway and a S2S VPN Connection within AWS. This really isn't my issue...

What I need help with:

We already have a firewall/DNS/DHCP/etc. server. The purpose of getting the SRX was to be a VPN appliance to AWS. We plan on distributing these to our customers when we set up their AWS EC2, VPC, etc. I need to know how to set up the SRX so that I can keep it behind the firewall, but keep the existing switches hooked up to the firewall. Basically, I just want to plug the SRX into a port on the interior network switch, give it a static local IP (10.?.?.?), which is what our network uses (Class A). Then set it up so that it will be the gateway for the AWS network (Class B - 172.16.?.?). Basically, any time someone inside the network attempts to go to 172.16.?.? it will use the SRX as the gateway through the VPN to the AWS VPC. I know this sounds easy, but I have fought with this appliance for a few days now and I am beat. I am throwing in the towel and going to tell my boss that I am not a networking guru and never claimed to be.

I appreciate any guidance anyone can give.

For those not familiar with Junos, the initial setup makes me choose 1 of 3 methods to set up the appliance. There is standard, cluster (high availability) and passive mode. I am thinking that I want to use passive mode, but then I am told that I must make a choice of other components and I have to choose one. The choices are:

  • Universal Threat Management (requires license)
  • Intrusion Prevention System (requires license)
  • Sky ATP
  • Security Intelligence
  • User Firewall

Questions:

  1. Do I connect the cable from the switch that is connected to the firewall into the 0/0/0 port?
  2. Is that the only cable I need to connect?
  3. What settings do I need to enable/change for the appliance to know that there is already a DHCP/DNS server on the network?
  4. How do I tell the appliance to use the existing firewall as the gateway to get to the outside?
  5. How do I turn off DHCP/DNS for the appliance, so it doesn't interfere with the existing firewall?

Thanks!



Dell PowerConnect 5324 Console | Cables Required?

Hello,

I have a Dell PowerConnect 5324 in a business environment that I am attempting to find the IP address of so that I can make changes. Just as an FYI, this was all setup before I started my position and I don't really have the ability to just RESET the switch as it is the main switch for this department. I could come in on a Sunday and swap all the connections over to a different switch but I am trying to avoid that if I can. I also wouldn't mind learning something new in the process of trying to figure this out.

I have the MAC address and I have tried multiple scans/tools to find the MAC address, but it doesn't seem to be on our network anywhere. I have tried to map the ports on surrounding switches but that ended up not giving me any more information. My last effort before coming here was to hook up a switch with an LLDP Neighbor Discovery feature, but that only showed me the MAC address.

I believe my last resort aside from resetting the device is to use the console port to try and gain access. I was wondering if anyone could tell me what cables / adapters I would need to access the console port on a Dell PowerConnect 5324.

Thanks!



Using firewalld to NAT/port forward based on source IP?

Hello

I'm looking to NAT/port forward traffic based on source IP.

I thought this was enough:

firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"192.168.100.221\" forward-port port=\"514\" protocol=\"udp\" to-port=\"9200\""

But it doesn't seem to be working.

Running a traffic capture, I see the traffic arrive on 514 but I can't seem to find a way to see if the NAT/port forward happens.



ISPs: What are you using for customer handoff?

We've been able to do some much-needed upgrades to our network recently which has made improvements of leaps and bounds in our network performance and stability.

Our business customers have a direct fiber connection to our main office which terminates at an L3 switch. On the other end is a basic media converter which accepts the SC patch from our drop and converts it to copper for the customer handoff.

This is obviously a problem because I have no control at the customer PoP and no way to really monitor the connection. The next phase is to finally roll out some updated service packages to allow our business customers more bandwidth.

So, what do you use as a NID? What sort of things do you monitor?



Layer2 stretch between Cisco ACI and Juniper IP Fabric (QFX5110)

Hi Guys,

Just looking for a yes/no answer here initially so I know if I should pursue this or abandon it.

What I'm thinking of is an L2 stretch between Cisco ACI and Juniper IP Fabric for a customer. Both solutions support VXLAN, so in theory I could create a tunnel between Juniper and ACI? I've been looking into this:

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c07-732033.html#_Toc395143575

" The first option connects a remote switch that supports the VXLAN to the ACI fabric. The remote switch can be any VXLAN switch. Given that it doesn’t support the ACI fabric, the southbound API OpFlex APIC can’t manage this remote switch and the VXLAN-related configuration needs to be applied manually. With the remote VTEP in option 1, a user can extend an EPG or bridge domain similar to the one explained in the previous two sections. With remote VTEP, the ACI leaf identifies the incoming traffic with a VNID (instead of VLAN ID), and based on the configuration leaf switch, assign incoming traffic to an EPG and bridge domain."

So in theory the remote switch mentioned here could be a Juniper QFX 5110, for example. Has anyone done this before?

Thanks!



WireGuard / Netgate /pfSense Drama

I understand that this is a technical and professional subreddit, but I think this is appropriate to call attention to and discuss.

Short story: (thanks to /u/i_mormon_stuff for the summary)

Netgate, the maintainers of pfSense, paid a developer to create a WireGuard implementation that would be compatible with FreeBSD.

They then shipped this implementation in pfSense version 2.5.0 and at the same time submitted it to the FreeBSD project for inclusion in FreeBSD 13.0. FreeBSD is the base operating system that pfSense is built on top of.

The developer of WireGuard, a guy called Jason A. Donenfeld, looked at the submitted code Netgate had produced and felt that it was of poor quality. He then spoke with several people involved with the FreeBSD project and spent two weeks reworking Netgate's code in the hope it would be high enough quality to actually be included in FreeBSD 13.0, which is due to release soon.

This thread contains links to Jason's general outline of Netgate's submitted code and his perception of its quality, followed by a detailing of the efforts he and others put in to make it ready for FreeBSD 13.0; ultimately, though, they decided not to include it in 13.0 and will see if it can make it into the 13.1 release.

As you may be aware, pfSense 2.5.0 (which is based on FreeBSD 12.x) already launched with this custom WireGuard implementation, so it's already out there and being used by people in their firewalls, during which time serious doubt is being raised about its quality and safety by WireGuard's creator Jason A. Donenfeld.

Then, Ars Technica weighed in.

Then, approx. 12 hours ago as of the time of this post, Scott Long, the director of software engineering at Netgate, posted this um... blog post. It has since been taken down from Netgate's website but the full text is here. The blog post is extraordinary as it directly accuses Jason of being an "attacker" and conspiring with the FreeBSD maintainers to destroy Netgate's reputation.

I know we try to stay out of industry drama here, but since this could have potential security implications, I think it should have attention called to it to at least assess the situation.



Why is RG-6 Coaxial not approved by TIA/EIA for horizontal cabling?

I know it is not approved but I do not understand why. Can someone give me a brief explanation? Thanks



fttp wires only service compatible routers?

TLDR: I would like to know how FTTP wires-only works and what rack routers work with it.

Hello, so recently CityFibre has started installing FTTP down my road and I would like to find a rack-mounted router that is compatible with it. I also have a Cisco WS-C3750-48PS-E PoE switch that I would like to connect up to the router with fiber.

From my understanding (I might be wrong), you get fiber into your property and you connect that to the router; if I'm wrong please correct me.

One of my friends said that they might have a "wires only service where you bring your own termination and router".



Top MSP Challenges in 2021



How to add ports to an existing vlans using NETCONF and python in Cisco iosxe switches?

Hey guys, I am quite new to networking. I understand the overall picture of NETCONF/YANG/XML and the need for NETCONF and YANG data models and so on. I have configured my switch to use NETCONF and created VLANs using SSH.

However, I would like to add ports to an existing VLAN using Python. I found scripts to create a VLAN, but I would like to add ports to, and remove ports from, the VLAN using the Python module ncclient.

Any Python scripts or useful links or blog posts would be really helpful.

Thank you.
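As an added example (not from the thread and not Cisco's or ncclient's own sample code), the following Python puts a switchport into an access VLAN, or takes it back out, over NETCONF with ncclient. The payload builder is pure standard library so it can be inspected and tested without a switch; only the connect-and-apply function imports ncclient (pip install ncclient). It assumes an IOS-XE switch with NETCONF on port 830 that exposes the Cisco-IOS-XE-native model with the Cisco-IOS-XE-switch augmentation for switchport settings; confirm the element paths against the YANG models your device actually advertises, as they vary between releases. Host names, credentials and interface names are placeholders.

```python
"""Assign or remove an access VLAN on an IOS-XE switchport via NETCONF (added example)."""
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from xml.sax.saxutils import escape

NS_NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
NS_NATIVE = "http://cisco.com/ns/yang/Cisco-IOS-XE-native"   # assumed model namespace
NS_SWITCH = "http://cisco.com/ns/yang/Cisco-IOS-XE-switch"   # assumed augmentation namespace

# Interface list names accepted for the <interface> container (assumed; extend as needed).
IFTYPES = {"GigabitEthernet", "TenGigabitEthernet", "TwentyFiveGigE", "FortyGigabitEthernet"}


def build_access_vlan_payload(iftype: str, ifname: str, vlan_id: int, remove: bool = False) -> str:
    """Return the <config> document that sets (or deletes) one port's access VLAN.

    remove=True emits a NETCONF delete on the vlan container, which returns the
    port to the default VLAN without touching its switchport mode.
    """
    if iftype not in IFTYPES:
        raise ValueError(f"unsupported interface type {iftype!r}")
    if not re.fullmatch(r"[0-9]+(/[0-9]+)*", ifname):
        raise ValueError(f"bad interface number {ifname!r}")
    vlan_id = int(vlan_id)
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")

    if remove:
        switchport_body = f'<access xmlns="{NS_SWITCH}"><vlan nc:operation="delete"/></access>'
    else:
        switchport_body = (
            f'<mode xmlns="{NS_SWITCH}"><access/></mode>'
            f'<access xmlns="{NS_SWITCH}"><vlan><vlan>{vlan_id}</vlan></vlan></access>'
        )
    return (
        f'<config xmlns="{NS_NC}" xmlns:nc="{NS_NC}">'
        f'<native xmlns="{NS_NATIVE}"><interface><{iftype}>'
        f'<name>{escape(ifname)}</name>'
        f'<switchport>{switchport_body}</switchport>'
        f'</{iftype}></interface></native></config>'
    )


def summarize_payload(payload: str) -> Tuple[str, str, Optional[str], Optional[str]]:
    """Parse a payload back into (iftype, name, vlan id or None, nc operation or None)."""
    root = ET.fromstring(payload)
    iface = root.find(f"{{{NS_NATIVE}}}native/{{{NS_NATIVE}}}interface/*")
    iftype = iface.tag.split("}")[1]
    name = iface.findtext(f"{{{NS_NATIVE}}}name")
    vlan_container = iface.find(
        f"{{{NS_NATIVE}}}switchport/{{{NS_SWITCH}}}access/{{{NS_SWITCH}}}vlan")
    vlan = vlan_container.findtext(f"{{{NS_SWITCH}}}vlan")
    operation = vlan_container.get(f"{{{NS_NC}}}operation")
    return iftype, name, vlan, operation


def set_access_vlan(host: str, username: str, password: str,
                    iftype: str, ifname: str, vlan_id: int, remove: bool = False) -> bool:
    """Push the change to the running datastore; returns True on an <ok/> reply."""
    from ncclient import manager  # imported here so the builder is usable without ncclient

    payload = build_access_vlan_payload(iftype, ifname, vlan_id, remove)
    # hostkey_verify=True keeps SSH host-key checking on; seed known_hosts rather
    # than disabling it, since the session carries device credentials.
    with manager.connect(host=host, port=830, username=username, password=password,
                         hostkey_verify=True, device_params={"name": "iosxe"}) as m:
        reply = m.edit_config(target="running", config=payload)
        return reply.ok


if __name__ == "__main__":
    # Placeholder values; replace with your switch and credentials.
    print(build_access_vlan_payload("GigabitEthernet", "1/0/1", 10))
    # set_access_vlan("switch.example", "netconf-user", "secret", "GigabitEthernet", "1/0/1", 10)
    # set_access_vlan("switch.example", "netconf-user", "secret", "GigabitEthernet", "1/0/1", 10, remove=True)
```

The input validation is deliberate: the interface type comes from an allowlist and the port number from a strict pattern, so values that arrive from a ticket or a spreadsheet cannot inject extra XML into the edit. If your platform advertises the candidate datastore, target="candidate" followed by m.commit() gives you a chance to validate before the change takes effect.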



Is mapping out cable that you just pull worth it? If so whats a good software to use?

----------------------Intro/back story-------------------

Hello, still new to my first networking position. Only networking guy in our community college. Why do I bring up this topic? Well, you see, the previous people before me ran cable across, over vents, pipes, you name it! Maybe this is normal? I don't know, I'm still new, so maybe someone who has spent more time can let me know. However, as I pull cable for new classrooms and fix old worn-out ones, I thought about making it easier for me and future networking employees.

-----------------------The Point of my question----------------

I have been pulling cable, using velcro to keep it all together and using hooks against the walls above the ceiling (plenum space). I've labeled the wires at each end.

I have been wanting to use software that lets me have a 2D view of a map that I would create where I can draw out some classrooms and show where the cables pass through, where they take turns and are anchored. It would be amazing if I could upload pictures so that when I hover over certain areas of the map a picture that I took shows up. If anyone does this, let me know what software you are using; I'm not looking for a topology mapping deal where it just shows what switch is connected to what, but something where later on people can see where every cable runs through.



Tuesday, March 16, 2021

$180 Paid Project

Take part in this paid research! Do you troubleshoot network issues in the cloud? If so, we'd like to talk to you about your experience. Over 90-mins, we'll walk through network monitoring tools and the process of troubleshooting network issues. https://app.respondent.io/respondents/projects/view/60495bb5927afc0011ad9d74/do-you-troubleshoot-network-issues-in-the-cloud?referralCode=irinaudrescu-e421bcda0c1a



HSGMII and SFP+ switches

I would like to know where I can find information to better understand the options/configurations required to get an ONT for an ISP's GPON that uses HSGMII (syncing at 3.125Gbps) in a mini-GBIC form factor. While connecting the transceiver in a standard SFP or SFP+ cage is possible, and it can be used, its performance appears subpar when compared to the ISP's equipment.

I am mainly focusing on layers 1 and 2, but any info that helps proper sync to use the complete sync speed would be appreciated. Which equipment is capable, or what properties I need to look for, how it works... so the GPON side is in sync with the LAN side.

Hopefully my question makes sense to some. Cheers.



Accessing Router history logs

Hello, I have a NF18ACV router with NetComm Wireless. I've managed to access the router via the IP address but cannot see an option to see devices' search history and traffic. Is there any other way to access this information? Thanks heaps :)



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



How to confront a manager that he doesn't know how anything works

I work for an ISP and, as the title suggests, I'm dealing with a manager who has no idea about networking (not even what an IP/MAC is).

How did he get into his position? A friend of the owner.

Surely, he has no idea about any of the incoming requests (yet he'll keep nagging for them).

If someone mentions that today's latency to the internet is 1ms higher than yesterday he'll wear his detective hat and go into micro-management since he assumes it is a big deal.



Received $750k USD quote for 8km of new fiber installation - Accurate?

Hello,

I'm in the early stages of planning a FTTH ISP in a small city in Central Europe.

I was quoted $82 USD per meter (without tax) to lay fiber from their nearest POP, which comes out to be around $750k USD after taxes for about 8km.

There's only one major Tier 2 provider in my country, so the only other option would be to organize all the trenching, permits, etc, myself and bring the fiber to them, but that adds an enormous amount of overhead to a, currently, 2-person company.

I'm curious if this figure seems typical in the industry. I was expecting the price to be about half this, especially in Central Europe. I should add that 95% of the route between the POP and the suggested drop points is one public highway road, which I would assume simplifies this process a bit.

Thanks in advance.



3172 Password or clear config recovery

Someone put in a config where our user does not have admin privileges. I tried going through switch(#boot) to do admin-password (whatever) but it's not sticking. I went to loader > cmdline clear_config and loaded out NX-OS but it still didn't clear anything. Am I doing something wrong?



Why do 1RU Cisco switches ship without the power supply inserted?

Just like the title says. I've always wondered why 3750s, 3850s, 9200s, 9300s, etc. are shipped with the power supply in the top of the box instead of in the switch. Are they fragile? Are they worried the plastic tab might snap off? The fans ship inserted so what's the difference?

edit: is there any reason I shouldn't leave the PSU in the switch after I configure it when I ship it to its destination?



Odd behavior regarding link up/autonegotiation on fiber links

I am a network engineer at an ISP. I thought at the very least if I knew nothing else, I understood the concept of autonegotiation and up/up and up/down.

Then I got this job. And it was a paradigm shift, probably because up until this point I didn't have much experience with fiber connections (I figure meh, same concept as copper cables, just a different medium!)

So I'll cut to the chase. How in the flying f*** can you have a fiber connection from one switch to another, in which one switch shows up/up on the port and the other shows up/down, which is caused by an autonegotiation mismatch?

Do I simply not understand autoneg? Autonegotiate (as I understand it) means:

Switch A: "Hey I can do up to 1Gbps and Full, but I'm open to doing whatever you can"
Switch B: "I am open to negotiating too! I can only do 100Mbps but I can do Full"
Both switches: "Ok, it's agreed then that we'll do 100Mbps/Full" LINK UP!

Perhaps even more mind-blowing to me is just the general premise that Switch A can be up/up but Switch B can be up/down. Again, I've only ever seen this behavior on a fiber link.

HOW!? Is there some mystical dark magic with fiber that I don't understand? Do not be afraid of insulting my intelligence. I have no shame. I am dying to know what the reason is behind this.



Anyone move from Cisco ISE to Aruba Clearpass while still supporting Cisco APs?

Hey, all. We currently have a Cisco Aironet AP deployment, supported by a couple of Cisco 8510 WLCs and ISE for auth. We've moved towards Aruba for our access and core switching and it's looking like we may go to Aruba APs and Clearpass for wireless as well. However, with the size of our deployment, it wouldn't be a weekend gut-and-replace project, so we'd have to make the Cisco stuff play nice with Clearpass for some time.

I'm particularly looking into the migration experience from ISE to Clearpass pertaining to wireless dot1x and captive portal auth flows (that's all we're using ISE for, frankly) and what that would look like on the configuration side. Clearpass does seem somewhat a darling of this sub and I've liked the way Aruba has done other stuff, so I don't expect this to be a very uphill battle.

So...has anyone here migrated off of ISE and over to Clearpass? How is the multivendor support for Cisco APs on Clearpass? It's been a pain getting ISE to play nice with some Aruba stuff so far. Any gotchas, shortcomings, things to look out for? Any general wisdom and/or advice? Did you love the move? Hate it? Got any good resources to share in the meantime?

Thanks in advance for any shared knowledge!



Dell N2200 Switches

Hello,

Did some of you guys have any experience with Dell N2k series switches? I have big trouble with dot1x... I've tried many, many solutions from the web but no luck... The symptoms are like this: on the port there are auth attempts, but in the RADIUS statistics there were no attempts to connect to the RADIUS server; also on the RADIUS server there were no logs, and Wireshark shows there are no connections between the switch and the server.

The only message I can get is:

<189> Mar 15 18:00:33 _Stack-2 RADIUS[radius_task]: radius.c(2929) 2914919 %% NOTE RADIUS: Server Entry is Null or Could not allocate Radius Packet

Any ideas?



Palo Alto Secondary ISP Not able to ping Gateway

Hello,

I recently set up a PA-850 with a secondary ISP. I tested the ISP by plugging in to my PC and setting the IP, so I know that it is working. However on the PA I cannot ping out to the gateway, or any host through that interface.

Management profile has been set to allow ping. It's part of the ISP zone with the other ISP. ECMP and symmetric return are on.

I'm not sure what I could be missing.



Network Assistance - URGENT

Our school recently switched internet providers and they installed a new mini demarc box and NID. Connection ceaselessly fails. Has yet to work at all. Handoff locations below:

NETWORK HAND-OFF TO NID: RJ45 Port 1 auto-1000-full
CLIENT HAND-OFF FROM NID: RJ45 Port 3 auto-1000-full

When I connect an RJ45 to Port 3 and connect it into our Cisco 891 WAN port, nothing happens. The light remains red on Port 3 of the NID.

I have also used an Ethernet-to-USB adapter, connected it directly into my laptop, pinged the new IPs I was provided by the new company, and it times out every time.

I have been provided a LOGICAL INTERFACE #, IP address block, Internet company's IP address, and customer address. Also in the IP configuration email we received, they provided WAN IPv4, LAN IPv4, Customer Peer IPv4, and Internet Company's Peer IPv4.

The flow seems to go Demarc Box > NID > Router > Switch > Switch. We have the new demarc box, new NID, a Cisco 891 Integrated Services Router, ProCurve Switch 1400-24G, Cisco 3400 ME Switch, and what seems to be a Leviton patch panel.

I am brand new to network configurations, especially on a commercial scale and I need all the help I can get. If more information is needed, I'll give you what you need to help us resolve this issue.



Interesting LACP failure yesterday

Topology

The issue was reported as: "everything works normally except for one container (which had just been started) can't get a DHCP address"

Both DHCP relays and both DHCP servers seem to be operating normally. PCAP at the DHCP server shows DISCOVERs and OFFERs, but no REQUEST or ACK associated with this MAC.

PCAP at the server's bond0 shows the same thing: Only DISCOVERs and OFFERs. But there is one interesting peculiarity: the DISCOVERs seem to come in back-to-back pairs, with only about 0.1 - 0.2 ms between them. Could there be a loop?

The switch shows the container MAC is learned via the server-facing LACP-based aggregate, so that's okay.

The bridge in the server shows the container MAC is learned via the bond0 interface ... toward the switch ... What?

The switch is not logging MACFLAP messages.

Then I noticed that the aggregate is operating with only one link ... according to the switch. But two links according to the server.

On the switch side, Gi2/0/x is not aggregated, but rather operating as a standalone member of the VLAN.

On the server side, both links are participating in the bond (according to /proc/net/bonding/bond0).

Some more PCAPs to validate cabling (LLDP messages) prove the cables are all in the expected holes.

Then I noticed that in /proc/net/bonding/bond0, the problem link shows speed: unknown and duplex: unknown. So... That's interesting?

PCAPs show no LACP PDUs coming from the server on the problem link. The switch was right to pull it from the aggregation.

I bounced the problem link from the switch side. No change.

Ultimately, what seems to have happened here, is the bonding driver on the server failed, splitting the aggregation, but only on the switch side.

Normal (unicast) server/container traffic was relatively unaffected due to flow hashing on the server side: The various containers (each with unique MAC/IP) hashed to one link or the other on egress from the server, so the switch L2 table has learned them via either the aggregate or the problem link 2/0/x.

In the opposite direction, the bond interface doesn't care which leg is used by the switch.

The only problem case was the DHCP discover (a broadcast frame): Because the switch flooded that frame to all ports, the Linux bridge heard it return via the other leg of the split aggregation. The Linux bridge re-learned the container MAC via bond0, and dropped the (Ethernet unicast) DHCP OFFER on ingress because "that destination is reachable via the ingress interface".

I disabled the problem link and everything started operating normally. After an hour or so, I re-enabled it to gather some more data, and LACP brought it into the bundle immediately. The bond driver is working now, apparently. Hilarious.
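The failure above is visible in /proc/net/bonding/bond0 before anyone notices a container without a lease: a slave the server still counts as a bond member while it reports no speed/duplex and has learned no LACP partner. As an added example (not from the post), here is a small Python check that parses that file's format and flags exactly those conditions per slave, plus a slave whose aggregator ID differs from the active aggregator. The bond text is a constructed sample with placeholder MACs, modelled on the Linux bonding driver's output; it is not captured from the poster's system.

```python
"""Audit /proc/net/bonding/<bond> for 802.3ad members that are not really bundled (added example)."""
import re
from typing import Dict, List

# Constructed sample: eth0 is healthy, eth1 shows the symptoms described in the post.
SAMPLE_BOND0 = """\
Ethernet Channel Bonding Driver: v5.10.0

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer3+4 (1)
MII Status: up
MII Polling Interval (ms): 100

802.3ad info
LACP rate: fast
Min links: 0
Aggregator selection policy (ad_select): stable
System MAC address: 02:00:00:aa:00:01
Active Aggregator Info:
	Aggregator ID: 1
	Number of ports: 2

Slave Interface: eth0
MII Status: up
Speed: 10000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 02:00:00:aa:00:01
Aggregator ID: 1
details partner lacp pdu:
    system mac address: 02:00:00:bb:00:01
    oper key: 1
    port state: 61

Slave Interface: eth1
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 02:00:00:aa:00:02
Aggregator ID: 1
details partner lacp pdu:
    system mac address: 00:00:00:00:00:00
    oper key: 0
    port state: 1
"""

# LACP port-state bits (IEEE 802.3ad); a usable member has all three set.
SYNC, COLLECTING, DISTRIBUTING = 0x08, 0x10, 0x20
BUNDLED = SYNC | COLLECTING | DISTRIBUTING


def _field(block: str, key: str):
    """Value of the first 'key: value' line in block, or None."""
    m = re.search(rf"^\s*{re.escape(key)}:\s*(.+?)\s*$", block, re.M)
    return m.group(1) if m else None


def parse_bond(text: str) -> dict:
    """Split the bonding file into bond-level fields and one record per slave."""
    head, *slave_blocks = re.split(r"^Slave Interface:\s*", text, flags=re.M)
    bond = {"mode": _field(head, "Bonding Mode"),
            "active_agg": _field(head, "Aggregator ID"),  # from Active Aggregator Info
            "slaves": {}}
    for blk in slave_blocks:
        name, _, body = blk.partition("\n")
        actor, _, partner = body.partition("details partner lacp pdu:")
        bond["slaves"][name.strip()] = {
            "mii": _field(actor, "MII Status"),
            "speed": _field(actor, "Speed"),
            "duplex": _field(actor, "Duplex"),
            "agg_id": _field(actor, "Aggregator ID"),
            "partner_mac": _field(partner, "system mac address"),
            "partner_state": int(_field(partner, "port state") or 0),
        }
    return bond


def audit_bond(text: str) -> Dict[str, List[str]]:
    """Return a list of findings per slave; an empty list means the member looks bundled."""
    bond = parse_bond(text)
    findings: Dict[str, List[str]] = {}
    for name, s in bond["slaves"].items():
        problems = []
        if s["mii"] != "up":
            problems.append(f"MII status {s['mii']}")
        if (s["speed"] or "").lower().startswith("unknown") or (s["duplex"] or "").lower().startswith("unknown"):
            problems.append("speed/duplex unknown: driver lost the link parameters")
        if bond["active_agg"] and s["agg_id"] != bond["active_agg"]:
            problems.append(f"aggregator {s['agg_id']} is not the active aggregator {bond['active_agg']}")
        if s["partner_mac"] in (None, "00:00:00:00:00:00"):
            problems.append("no LACP partner learned on this link")
        if s["partner_state"] & BUNDLED != BUNDLED:
            problems.append(f"partner port state 0x{s['partner_state']:02x}: not sync/collecting/distributing")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    # Run against the live file on a server: audit_bond(open("/proc/net/bonding/bond0").read())
    for slave, problems in audit_bond(SAMPLE_BOND0).items():
        print(slave, "OK" if not problems else "; ".join(problems))
```

Because the switch and the server can disagree, as they did here, this check belongs on the server side where the bond driver's view is the only one available; the switch's own port-channel status (which correctly dropped the link) should be monitored separately, and a mismatch between the two is the alert condition.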



anyone versed in fiber?

My boss and I are looking to do a fiber lab. We purchased a rather inexpensive fiber termination kit, some LC connectors, SFP connectors, etc.

Here's the deal. We've watched some instructional videos, but can't seem to get our cleaver to work. It's an FC-6S clone by the looks of it. We are trying to cut some single mode ssf stuff.

What are we doing wrong?



What is the English name for this...

What is this thing called in English... it is a plastic thing that connects several spliced-together fiber optic cables; it usually goes into the ground into underground cable wells, and it contains splice cassettes.



Co-Location and Hypervisor Networking

Hi Guys,

I'm moving away from a VPS to a physical server which will be co-located at my local DC.

I intend to use Hyper-V Core (the free one) and a couple of Windows Server 2019 VMs, a Windows 10 Pro VM to run Windows Admin Center from, and perhaps the Hyper-V build of OpenVPN.

I'm really struggling to understand the concept of networking in this environment (perhaps I'm over-thinking it).

I'm going to be behind the CoLo's ASA, there is no NAT, and I've been told I will be provided with 8 IPs (5 are usable, so I presume the unusable 3 will be network address, default gateway and subnet mask).

Out of the 5 usable IPs, one will be for the iDRAC, which will be restricted by the ASA to my home static IP address to enable remote management of the physical server.

The web server VM will use one of the other IPs; it will host several web sites and the IIS native SMTP mail server to allow the websites to send emails.

The final IP that I will be using will be for the OpenVPN VM.

I should add that these IPs are all public IPs. And I would like the VMs to be able to communicate with each other locally.

So the part(s) that I'm struggling to understand are: at the hypervisor level, 2 physical NICs will be used, and I'm not entirely sure what IPs to assign at this level. Previously, I've been behind NAT and it was just a case of assigning a normal 192.168.1.x to these along with the default gateway, subnet mask and DNS.

Within the VMs I'd again assign another 192.168.1.x IP address to these virtual NICs, then port forward from the ISP router/modem and everything would just work!

Not sure how to deal with this situation when all that I have to play with are 5 public IPs.

Thank you kindly!