Saturday, April 24, 2021

Books on networking

What books and resources would you consider the best for getting into networking?



S3048-ON FTOS 9 primary/secondary/default boot images

I'm a software (Linux, virt, etc.) guy, not a networking guy. For my sins, I also manage my team's small lab, which uses a stack of Dell S3048-ON switches running FTOS 9. We'll be expanding the stack from 2 to 4 switches in a couple of weeks, and I'm taking the opportunity presented by having the new switches sitting around to research the details of how these things work and write some internal documentation.

Right now I'm working on the OS9 upgrade process. I've reached the point that I've got the updated OS written to the B: partition of both switches.

Dell#show boot system stack-unit all
Current system image information in the system:
===============================================
Type          Boot Type    A                    B
----------------------------------------------------------------------------------------------
stack-unit 1  FLASH BOOT   9.10(0.1P8)[boot]    9.14(2.9)
stack-unit 2  FLASH BOOT   9.10(0.1P8)[boot]    9.14(2.9)
stack-unit 3 is not present.
stack-unit 4 is not present.
stack-unit 5 is not present.
stack-unit 6 is not present.

I'm pretty sure that the next step is to use the boot system command to set both switches to boot from their B: partition, i.e.:

boot system stack-unit {1|2} {default|primary|secondary} system://B: 

I've been unable to figure out the meaning of default/primary/secondary in this context. Having a default would make sense; having a primary and a secondary would make sense. The combination, however, doesn't seem to make any sense at all, and (this being Dell) I've been unable to find anything that explains what these terms really mean.

Anyone know?



Where to find packet captures?

I'm trying to do some research on TLS handshake failures and use packet captures to find MITM attacks. Does anyone have any good sources for stuff like this, or could point me in the right direction?

Thanks



Port ACLs on Layer 2 Switches for Public Internet Connection

Hi all,

Like many others, we land our ISP connections into our layer 2 switches into their own VLANs in order to distribute public internet connections to more than one firewall/device.

Anyone using Port ACLs on their switches to lockdown devices that are sitting directly on the internet?

We have some specialized video gear that sits directly on public IPs with no firewall protecting it. Don't worry, the devices are secured properly with SSH keys, etc., but they do still get inbound attempts from the world trying to access them. To prevent this, I've been considering applying simple Layer 2 Port ACLs to filter public IP address ranges.

Anyone doing this? Any concerns with PACLs causing switch overhead? The switches we have are Cisco 2960Xs and XRs, so not the most powerful devices in the world, but I'm hoping they can handle this job of filtering inbound IPs.

Thanks!



Juniper VCF Licensing

Hello, everyone!

Could you please clarify the question about Juniper VCF licensing?

I've read in the documentation that only 2 licenses are required for VCF to work, one for the master spine and another for the backup. Does it mean that I don't need to purchase a new license for each new leaf switch?

The documentation I've read: https://www.juniper.net/documentation/us/en/software/junos/virtual-chassis-fabric/virtual-chassis-fabric.pdf (page 21)



Nexus vxlan/evpn multisite VTEP-PIP loopback delayed up after reboot

I have a vxlan/evpn multisite setup with VPC-BGWs (the legacy site DCI case) with nexus 9k3 (nxos 9.3.7). The setup works fine, with two nexus in VPC on one side and another two nexus in VPC on the other side.

When I reboot one of the nexus, traffic continues to flow fine, but when the nexus comes up again and restores the VPC port-channels, traffic stops flowing. I can see that the VTEP-PIP loopback is down (nve is up) and the BGW loopback is also down. When the VTEP-PIP loopback goes up, traffic starts flowing again, and after the "delay-restore time" the BGW is also up again.

The problem is that the VTEP-PIP loopback takes anything from 30 to 250 secs to go up, which means traffic stops for that period, which is bad, and I can't really understand why. Let me also note that while this happens and traffic is not passing through, all the IPs of VTEP PIP/BGW are reachable (they ping) from both nexus of the other site.

Any ideas why the VTEP-PIP loopback takes ages to go up after reboot and why traffic stops flowing?



Is it better to do inter vlan routing on a layer 3 switch or router?

I'm trying to figure out how I want to redesign a cluster of a network I inherited. VLANs all over the place with descriptions that don't match what they do. The majority of users are on the default VLAN, which is also the management VLAN. No pruning, etc...

I am wondering if it is better to do inter-VLAN routing on a layer 3 core or distribution layer rather than on the router. Correct me if I am wrong, but it seems like it would be faster and less congested.



Minutes before Trump left office, millions of the Pentagon’s dormant IP addresses sprang to life. -Washington Post

https://www.washingtonpost.com/technology/2021/04/24/pentagon-internet-address-mystery/

I'm not quite sure if this falls in the rules of the subreddit or if this is the right flair so mods please remove this if that is the case, but I do think it was relevant enough for a discussion.



EVPN VXLAN Spine/Leaf Fabric - Arista & Cisco comparison

I'm looking to do a POC with both Arista and Cisco 9ks for a small-medium Spine/Leaf DC fabric we are building. I haven't worked with Arista switches in the past, so I'm interested to hear some positives and negatives between their 7000 range and the Cisco 9ks (we're looking at the 9300-GX/2 series in NX-OS mode for 400G connectivity on the Cisco side). This is for a multi-tenanted environment with L2 & L3 services within the fabric, so I'm looking at MAC/IP/VRF scalability as well as each vendor's implementation of VXLAN EVPN, MLAG (I know EVPN + VPC can get complex on the 9k platform with a few gotchas and caveats), API completeness/automation capabilities, reliability and ease of operation.

I would be very appreciative to hear from those in the community who have worked on both platforms for building DC fabrics.



Juniper virtual router routing instance and L2 interfaces - Question.

OK, so I have a problem that I ran into at work late yesterday (Friday afternoon for me) and I got rather stuck on it, so I figured I'd turn to the hive mind here for some suggestions. I'm going to ask my colleagues on Monday morning, but it's bothering me enough that I wanted to post here.

Here's the situation: I have a set of SD-WAN appliances connected to my network. The uplinks on these appliances are trunk ports, with separate VLANs for LAN access, a secure network, and voice.

This is an all-juniper environment that these SD-WAN devices connect to.

From the switches that these SD-WAN devices connect to, the VLANs go up to their respective distribution switch, where they're Q-in-Q tagged back to the EX9200 routers.

On the 9200s, there's a routing instance for LAN traffic, and also a routing instance for voice traffic. The LAN routing instance is a virtual-switch, while the Voice is a virtual router.

For all other VLANs in the voice routing instance, the two 9200s are handling VRRP. However, the SD-WAN appliances should be handling VRRP for their voice routing instance interfaces.

In a perfect world, I would have layer 2 interfaces from the 9200s, tagged through the distribution layer, terminating on the access layer, and the routing and VRRP for those interfaces handled by the SD-WAN appliances. But I'm not sure how to do this in a virtual router routing instance.



[VyOS 1.3] Having WAN Load Balancing routing issues with inbound traffic

I recently enabled WAN Load Balancing on my VyOS installation since I have two ISPs providing DHCP. However, I've been having one hell of a time getting this configured correctly, specifically with inbound traffic. Traffic from LAN -> WAN seems to work fine; however, failover is either broken or routing everything through one interface, as soon as the primary interface goes down, everything goes down. For the time being, I've seemingly resolved the issue partially, with inbound traffic becoming stable, by setting static routes for 0.0.0.0/0 to each interface with a distance to determine which interface should have priority, but now my backup interface is unable to connect at all. Any advice on what to do would be appreciated.

View my configuration here

NOTE: I am aware of a WAN Load Balancing issue with VyOS when it comes to DHCP. However, the April 23rd rolling release has supposedly fixed this problem, and I updated to the release yesterday.



Stay for experience or leave for fulltime?

So, I have a dilemma concerning jobs. I have a job now where I'm on contract (so no PTO, no benefits of any kind), long commute, don't have to deal with end users, but the coworkers are super cool, it's laid back, and I'm learning a lot of invaluable hands-on stuff like configuring and putting equipment onto the network, working actual projects, in charge of some small ones, just really cool experience you don't get out of a book (my background is a couple of years NOC and afterwards a couple of years mostly on transport, break n fix). In fact, it helps to make sense of what I've learned from study and certification (I just passed my CCNA, and being able to actually get real-life experience is pretty cool).

The issue is I have this other job that I could accept. About the same money, full-time, benefits, PTO, about the same commute but they work remote right now, it does deal with end users (break n fix), they say I have plenty of opportunities in the company to move where I want (but we all know how that can go in reality at times), they are a somewhat national company and a really nice campus, it appears in the pictures (for what it's worth).

I feel like I should take the job to have a full-time (legit) job, but then I also feel like I should stay where I'm at, at least a few months more while I finish a couple more certs and continue getting this hands-on experience, because I feel it will be valuable to me down the road in my career. The flip side is, maybe I'll learn stuff too at the new job, it just won't be the config, putting my hands on the equipment, kind of thing. What would you guys do? I'm not expecting anyone to decide for me, but it would be nice to have input to help me make a decision. I keep bouncing back and forth.



BGP Conditional Community

Hello All,

I am sensing a very unique requirement (at least to me) in one of my project deployments.

I need to be able to track MPLS routes in a CE and if they are unavailable (link down or routes not received) then the CE should request an adjacent router, which also has a leg in MPLS topology, to start advertising its routes.

Meaning a backup path should trigger from CE2 if CE1 has its MPLS link failed and it flags (somehow) to CE2 that it can advertise CE1's routes present in the RIB to PE2. In normal conditions, when CE1 has MPLS up, CE2 can advertise CE1's routes everywhere 'except' PE2 (loop prevention).

I was thinking of BGP conditional advertisement and have been partially successful. Since I have no control over the MPLS domain, I can append a community to inbound routes. Then, via another route map, I match that community in the RIB and, if it exists, I advertise local CE1 routes with another community to CE2. CE2 filters that community from being advertised to PE2 and allows the rest.

That's all good, but the problem is that when MPLS is down, the advertisement to CE2 stops. CE1 should be able to advertise routes without the community in case MPLS is down, and with the community if MPLS is up.

Any help will be appreciated.

Thanks.



Removing admin vpn from a segregate admin/service infrastructure

Hi there! First post on the community, so criticism and advice are welcome ;)

Context: A few years ago, I landed in an infrastructure where administration access is physically (switches, fw, routers) and logically (VPN) separated from the service side. This means that each server (mail, phone, printers, etc.) has at least 2 interfaces: the admin one and the service one (which is the default route). Administrators use a specific dial-up VPN with their own admin account to reach servers through the administration interface. Today, I am trying to remove the admin VPN without suppressing the concept of segregation between service and administration.

If I remove the VPN, admins will reach servers from the same subnet as regular users. So servers will receive the admin connection request on their administration interface and answer on their service interface. This is the moment where the router says "no way".

Now the question: what could my options be in order to not screw up the routing side while removing the admin VPN? How would you address this situation?

  • Dedicated subnet for my admins?
  • Bastion, of course, but it's not in the roadmap yet
  • Routing trick on servers?
  • Some NAT?

I feel like I'm missing some obvious solution but can't see it.

Thanks for your answers fellows, any tips will be appreciated. I can clarify any points if needed.

Have a nice day



Friday, April 23, 2021

VoIP telephone and computer coexistence

Hi to the group. I am sorry if I am asking something that has already been discussed. Thanks for all the help in advance.

I am planning an upgrade regarding the structured cabling for a small business. My main concern is that I have included in the budget 300 IP plugs and 5000km of cable, calculating distinct plugs and cable routes to the walls for the IP phones. Can I have VoIP telephones connected to PCs and decrease the budget, since I will have fewer meters of cable, plugs, patch panels, switches? Or is this a bad practice?

The cable will be Cat 6a.

Thank you all!

Nikos



Internet bandwidth planning for small-mid sized company

Hello everyone,

I am an IT guy working for a small-mid sized company and would like to get some opinions regarding internet bandwidth planning.

Currently we have two internet lines coming into my router like below:

  1. Primary internet - 1Gbps best effort. Sometimes it has huge network congestion.
  2. Secondary internet - 100Mbps guaranteed bandwidth.

The problem that I would like to resolve here is the huge congestion on the primary internet.

Internet usage on the primary internet is normally 50Mbps - 80Mbps, but sometimes it goes over 100-200Mbps for about 15-30 mins once or twice a week due to some company-wide video calls (these video calls are sometimes important, sometimes not so much).

I was originally thinking about switching the primary internet and making the secondary internet the primary, but now that I see those 100-200Mbps spikes, I feel like upgrading the secondary internet bandwidth to accommodate the heavy traffic.

I think this is not much information to determine what is best to do here, but I would like to ask for your opinion on whether those 100-200Mbps spikes are a good reason to upgrade internet bandwidth.



For hands-on experience on Cisco, Check Point or Palo Alto or any popular firewalls

Hey everyone, I am learning networking and am very much curious about learning the workings of firewalls hands-on. I have VMware Workstation but no money to spend on labs or to pay for tuition. Do any of these companies offer a free firewall OVA for just getting to learn how they work? Kind of like the 60-90 day trial version of Windows offered by Microsoft. Any help or direction provided would be great, thank you.



If someone had my private IP would they be able to get my location?

Title



Am I being stubborn for wanting to run BGP? OSPF or another IGP the way to go? What are YOU running

Currently looking for a little advice. I was ideally looking to get some BGP running inside my network. Excuse the jank drawing: https://ibb.co/r6t5WG8

Original plan: iBGP peering between each colo's core and edge routers, then eBGP between all edges. I thought this would be a good scalable way to route internally (the network is much bigger and has more locations than shown, but that's the gist). However, our core gear uses the same ASN at each colo to peer with our provider for WAN. That kind of throws a wrench in the plans. Anyone have thoughts on whether this is a route worth pursuing? Are there any workarounds to this same ASN #? Maybe as-override or something similar? (I could go as far as having our provider change it at the locations, but that would be very painful.)

I also thought about running iBGP across the entire shindig and using the edge routers as reflectors. Never used reflectors, so I'm a little hesitant.

Am I just being stubborn and should go with OSPF? I'm just not a fan of how it functions on the particular hardware we have, and I like the granularity of control with BGP, but if OSPF seems more reasonable for this type of environment I suppose I'll cave.

Already running iBGP on leaf switches, so I've gotten familiar with it as well, but this wouldn't really tie into that.

Just wanted to get some input out of sheer curiosity. Are any of you running BGP internally? If so how?



Connecting a managed switch to a managed switch for additional capacity

I know this isn't an ideal situation, but can I safely connect a managed switch to another managed switch?

General idea: Core switch --(fiber)--> closet switch stacked (3) C9200 48port POE --(eth)--> C9200 24port POE

I work for a university and manage things at a small annex campus. We provide courses via distance-learning classrooms with a bunch of AV equipment. Our network closets are in different closets than the AV equipment. As time goes on, more and more AV components (controllers, audio amps, etc.) require network connectivity.

The current proposal is to replace some dumb switches we're currently using with C9200 24-port managed switches trunked via ethernet back to the main closet for that area of the building. This will provide more ports for the AV hardware without having to run all new cabling, etc. The Cisco Codecs will still be connected directly to the main closet switch, but we'd like to connect the rest of the AV hardware (mostly AV controllers, audio amps, etc) to the secondary switch in the AV closet. We'll also need to provide access to two VLANs.

Our core switch is at capacity for fiber uplinks, and we're not in a position to run new fiber to the AV closets and replace components on the core. Is this all functionally doable while not ideal?



Interconnect technologies: connecting two data centers

We have been working on building a second data center (DR) which is 10 miles away from the main data center. Installing our own physical fiber is not possible due to restrictions from local authorities.

What design and interconnect technologies can be considered?

I have been looking at options like Microwave and SD-WAN, purely out of curiosity but I am not sure if that's the correct and reliable way to do it...



Dell EMC VEP / SD-WAN

Hi All

Hope all is well.

I have a question related to some vendors (such as VeloCloud and Versa) adopting the Dell EMC VEP for SD-WAN deployment. These vendors already have a variety of edges to use, so what is the actual use of deploying SD-WAN on the Dell VEP?

Thanks



Need help with Netmiko for Arista EOS

Hello,

I am about to lose my mind, so please help :) Trying to configure VLANs on Arista EOS switches with Netmiko, but it hangs and times out. The exact same script works fine for Cisco but not Arista. Any ideas?

Thank You!

from netmiko import ConnectHandler

# Connection parameters for the two Arista switches (lab credentials).
EOS3 = {
    'device_type': 'arista_eos',
    'ip': '192.168.122.83',
    'username': 'cisco',
    'password': 'cisco'
}
EOS4 = {
    'device_type': 'arista_eos',
    'ip': '192.168.122.84',
    'username': 'cisco',
    'password': 'cisco'
}
Arista_devices = [EOS3, EOS4]

for device in Arista_devices:
    net_connect = ConnectHandler(**device)
    # Create VLANs 2 through 5 on this switch, one config set per VLAN.
    for n in range(2, 6):
        print("Creating VLAN " + str(n))
        config_commands = ['vlan ' + str(n), 'name Netmiko_VLAN_' + str(n)]
        output = net_connect.send_config_set(config_commands)
        print(output)
    # Close the SSH session before moving on to the next switch.
    net_connect.disconnect()



Can't Access EVE-NG Web

I installed EVE-NG and I am unable to access the web interface. I can ping the management address, I can log in via SSH, but the webpage will not load via HTTPS or HTTP. Any suggestions? I followed the tutorials that I found on their website but no luck. Also, I noticed some of the directories were missing where the tutorials asked me to fix permissions (did something change or was my install corrupted?):

/opt/unetlab/wrappers/unl_wrapper -a fixpermissions



What router to use with LTE AP?

Hi all!
I have a bit of a weird situation: I need 2-10 laptops to access a web application in a max. 100 metre radius, where a wired network is not available. My choice for the network source at the moment is the Mikrotik SXT LTE kit and I'm searching for a suitable router. A rather stable network is what I'm looking for; the range shouldn't exceed the 100 metres. Do you have any suggestions?
I'm definitely not an expert in networking so please excuse me if I got anything wrong.
Thanks in advance!



Juniper update for CVE-2021-0254

We have a Juniper SRX 345 that is running 15.1XD170, which is pretty old, and it needs to be updated for this CVE. Per the Juniper KB article we wouldn't be vulnerable, as the only way to get console access to this unit is physically (it's in a lab), but we just need to update it to remove all doubt, along with it being old.

So two questions:

  1. Can I go straight from 15.1XD170 to 15.1X49-D240, which resolves the issue? Or do I need to go through intermediate steps?
  2. I want the highest chance of no interoperability issues with this upgrade. So I assume staying on 15.1X49 would give me the best chances of that... but the Juniper download site gives a “High: please refer to Juniper TAC recommendation for Junos Software releases for particular products.” That says I should be on Junos 19.4R3-S1. Is this just a “recommended” version I should be on and not necessarily required? Our config isn’t complex and we aren’t really concerned with any additional functionality.

Any advice/suggestions before we do this?



Discussion: DC cabling

Hi all,

This is a rant/discussion.

I work for a huge company in their EMEA hub site (the second of the 3 major hub sites). Every bloody time I try to do anything in that DC something goes wrong!

From installing a new device to tracing a cable, everything I touch affects something else.

Cabling is as good as it can be for a site that has grown fairly over the last decade. I know it's not an AWS availability zone, but the cabling is not that bad. However, touching some cables can bring the service down.

Has anyone encountered this issue before? Is it because the DC is "too warm" and causes issues with cables? Or is it because the cables have been connected to the devices/switches/PDUs for so long that plastics become loosened? I am becoming "the guy who brings the network down" and I do not like it!



Help with arguments for Open Source/Freeware (like LibreNMS)

I'm having problems making a business case for using LibreNMS with Oxidized at my company. I'm also looking at Eve-NG for us.

I've installed and presented the application and its uses: its ease of integration with our environment, and I found it much easier to set up than SolarWinds or OpManager (which don't support our network switches by default). I set up a test environment and it is working wonderfully.

But I'm always met with the same questions:

  • Isn't opensource less secure?

  • Can we buy support?

  • Isn't freeware less reliable?

Even with examples like SolarWinds getting breached, they'd prefer to spend on a purchasable product as they are deemed more reliable and secure, going through RFP and RFQ processes to multiple vendors.

For the Support argument, they want to have professional support for any system or application so the accountability can be shifted in emergency. We've always found professional services very lacking, but still get them.

I can easily just do all of this work under the radar, and have full monitoring and configuration management with whatever utilities I want without anyone knowing (until I get audited), but I'd rather have the business know and approve.

I'm one guy servicing 500 switches and 200 wireless access points over a 10km campus, and I'm tired of doing everything manually without any visibility. I just need to make a good argument for tools I think would best help us.



HOW TO BECOME AN I.T. SUPPORT SPECIALIST

Good day, this is just a simple question. How do I become an I.T. Support Specialist? I am a graduate of Information Technology, but for the past 2 years my work was in creatives. Right now I want a fresh start in an I.T. career. Where can I learn I.T. Support aside from YouTube, GitHub, and Reddit? Is there any platform that can help me understand the I.T. industry well?

Thank you and More Power!



Best Way To Configure Network Failover For Two Separate Links

We have a warehouse across the parking lot from our office building with no network connectivity. Recently we wanted to get network connectivity into that warehouse. Eventually we'll hire a contractor to run proper ethernet or fiber if the budget ever gets approved. But for now I set up a wireless bridge with two wireless access points. The speed is poor but it's mostly reliable and works for what we need.

We recently discovered that a previous tenant must have run coax from the office building to the warehouse. I had a couple of coax to ethernet adapters in a drawer so I connected them on both ends and that also works. Speed is a little better, but those coax adapter devices stop working every once in a while and need to be rebooted.

What is the best way to configure an active/passive failover for these two links? If the coax adapters stop forwarding traffic we want the wireless bridge link to automatically take over. It can't just rely on layer 1 link status because the link lights stay on even when the adapter stops forwarding traffic, so it will have to monitor layer 3/4 as well. Something I can manage remotely is ideal since I travel often and work from home. I don't want to have to call my non-technical co-workers and ask them to move cables around.

From searching around it looks like HAProxy, nginx, or relayd might be good options. Is that the smartest way to go? Or is there another technology/solution that is more suited for what we're trying to do?

Thanks for any suggestions!



VXLAN Without Spine Switches

At work I got 5 N9k-C93108TC-FX; my boss wants to use 3 of those at our HQ and 2 at a remote office. The vendor sold him the Nexus switches but not the service for installation/configuration. I only have experience with Catalyst switches. After doing research, I figured out I need VXLAN EVPN to connect the 3 racks to the remote office for replication.

The problem is I've never played around with Nexus, only Catalyst, my WAN uses EIGRP, and I don't have spine switches, so I figured I'd break this project into two parts.

Part 1

Install the 3 nexus switches in HQ and extend the L2 domain on all three switches in order to have all servers on the same subnet.

Problem = I don't know how to do this without having a collapsed core design (1 root switch and 2 access switches). Can't use VPC since it only works with 2 switches. And I don't really like the idea of the collapsed core design, since only the core switch (middle ToR switch) will be connecting to the core WAN switch.

Part 2

Install the other 2 switches at the remote location and extend the layer 2 domain to the remote site. ONLY AFTER GETTING THE HQ UP AND RUNNING.

Problem = I don't know if I can do VXLAN/EVPN with only leaf switches.

Maybe I'm just overthinking this project, but I prefer taking my time and doing a good job rather than a sloppy fast job. I've read many white papers from Cisco, but they're all confusing. If anyone out there is willing to help me on this project and show me how to properly do it, I would really appreciate it.



Do many medium to large companies use mid-range to high-end SonicWall firewalls?

I just wanted to get some insight here, as I have very limited corporate IT exposure and experience. I'm sure it's common for small businesses to use a SonicWall TZ or something, but is it common for medium and larger companies to use the mid to high end SonicWalls at all? I'm just trying to get an idea of market share with regards to the bigger firewalls. I assume it's mostly stuff like Cisco, HP and PA.



[Update] to Comcast finger-pointing: Comcast has a show-stopping firmware bug in some of their co-ax gateways if you use static IPs

Super TL;DR: Static IP customer with daily outages had problem solved with new model of modem

I have been fighting this with Comcast for almost a month now and was about ready to scream at them over the phone. The sheer incompetence and utter idiocy present in their "business" support is enough to make you lose all hope in humanity.

Anyway, on with the technical details. You may remember this thread in which I was trying to prove it's Comcast's fault. Here's what the customer has:

  • Comcast "Business" Internet 150/20 (Real-world speeds 185/25)
  • Comcast Business Internet Gateway. Unfortunately, I no longer have the gateway so I don't know WHICH one it was, but it was one of model numbers DPC3939, DPC3941T, or TG1682G.
  • Gateway has a /29 of our static IPs provisioned on it. Five usable IPs for us
  • Gateway is NOT in bridge mode because Comcast does not support that with static IPs. It's in a hybrid passthrough mode that allows devices connected to it to use the public IP addresses
  • In this case, the gateway ran through a couple switches on a special VLAN to present itself to the firewalls, a pair of HA pfSense units

Much of the troubleshooting and technical details are in the linked thread above. However, there have been new developments.

After we continued to see regular drops and had to have the customer keep resetting the gateway, we hired an electrician to come inspect the cabling and make absolutely sure that everything was properly grounded. He tested the grounding thoroughly and said that it was correctly done, so it's not a grounding issue.

I plugged a laptop into the gateway directly and assigned its NIC one of our public IP addresses. I installed EMCO Ping Monitor on it and had it monitor two external IP addresses and the gateway public IP address. Meanwhile pfSense is logging gateway quality and availability. Whenever there is an outage (which is about every 12-24 hours or so, but inconsistent), the following happens:

  • T0 - The gateway IP address stops responding to pings
  • T0 - The external IP addresses stop responding to pings and Internet connectivity stops working
  • T+2 minutes - The gateway IP address begins responding to pings again
  • T+??? minutes - Anywhere between 2 and 6 hours later, the gateway suddenly begins passing traffic again. OR you can power cycle it and as soon as it reboots it begins working again

Meanwhile the customer is about ready to throw things since they keep losing their connection over and over again.

I got back on the phone with Comcast for what seems like the 100th time and explained about what was happening to the level 1 guys. Unhelpful as usual. "Sir please reboot your gateway" and all that. I politely demanded an escalation. They agreed. 4 hours later, "Level 2 troubleshooting" calls me back. I explain the whole situation again.

Level 2 troubleshooting says "Let's replace your modem again with the same model."

At this point, I simply declined that troubleshooting option. I told the tech that that's not an acceptable fix because we've already had two of this same model modem and we're not willing to eat another hourlong outage during the day to have a tech do the swapout.

Instead I ask if there is another model of modem that would work. He says there is, the gateway they use for Gigabit service. After pressing him on it, he agrees to schedule a tech to come onsite and swap it in. The only window they have is 8-10am during business day. Customer begrudgingly agrees.

Tech comes onsite. When he arrives, he calls me and tells me that he's going to check signal levels (oh great. Thanks. That's been done literally 6 times at this point) and that he CANNOT swap in the alternate modem. I almost fell out of my chair. He says that this modem is in short supply and they're only allowed to use it for gigabit customers. I try to explain the issues we've been having but he's not having it. I ask for a supervisor number. I then call the supervisor, who is surprisingly cool. I explain the whole situation to him, and he's actually pretty embarrassed. He authorizes the different modem.

Tech unplugs old modem then swaps in new one. The new modem is defective. Won't power up. Holy shit.

He goes to his truck and gets the ONLY other new modem in the city, apparently. Plugs it in. It boots. He spends about 30 minutes on the phone getting the static IP block transferred. Once he's done, it reboots a few times for firmware updates, then settles in. Customer has been down 2 hours and is pissed but what're you gonna do?

It has been 5 days since then. There have been 0 outages. We are showing 99.987% successful ping response.

It was never an issue with the cable plant. It was never an issue with the grounding. It was never an issue with VLANs, or switching, or fiber, or anything that we were doing wrong. There appears to be a catastrophic firmware flaw with static IP address blocks on the XB3-model modems. And Comcast would never own it, but it seems pretty clear that that is the case. I do not know if this issue is specific to our area, or actually network-wide for Comcast.

I hate Comcast coax service. I hate it with a passion. I yearn for the day that a decent fiber carrier arrives in the area willing to sell 1000/1000 for less than a mortgage payment. This customer is going to pay WELL over $1000 per month for 1000/1000 beginning in a couple months. We (MSP) burned literally dozens of hours and phone calls and site visits and equipment on this issue and it truly WAS their fault.



SSL Inspection - Thoughts? Best practices?

Hi All,

This is my first post to this sub so to start I want to give a huge thank you to this community!

This is more of a general question which isn't geared towards a specific vendor or a specific security device.

What are your thoughts on implementing SSL Inspection (not certificate inspection) and what are some best practices to follow or some Do's and Don'ts. When and where is it needed and where should it be avoided? For those of you that have implemented it, how was the implementation process and were there any gotchas or observations you'd like to share?



Meraki Fiber issue

I have an issue I would appreciate some insight on: troubleshooting some fiber connecting Meraki switches.

Backstory: A warehouse with 4 switches connecting A-B-C-D

They all have 2 connections from their uplink switch. Switch B-C technically will have 4 as they have downlinks to the other switches.

Multi mode OM3 fiber 12 strands terminating to a fiber patch panel.

All the same SFPs from Meraki directly (forget the exact model rn but can update later. It's the LR multi-mode rated for the type of fiber we were told is in use).

Switch A-B: No issues
Switch C-D: No issues

The problem...

Switch B-C

I get no link from either port no matter what I try.

I have swapped and tested with known good SFPs and patch cable (in fact I verified they weren't bad as well by putting them in a working port, and it came up with zero issues).

I tried this with both switches btw.

I have tried all strands of fiber no luck.

We had the cable vendor that installed it “test” it but they were kinda incompetent about the whole process and didn’t get test results printed.

I've tried explaining to the PM on this project that we can't just take their word for it, because their response was "we got light to go down it". I'm not super familiar with fiber testing, but I know at least the intensity of the light and signal strength is kinda important to actually getting usable fiber.

Unfortunately we don’t have the tools ourselves to validate this but I wanted to know if anyone had any insight on this and could offer something that maybe I missed or I’m on the right path and there is something wrong with the Fiber itself running from those switches. Luckily this warehouse has a barebones crew in there running off of wireless so an RMA process if needed wouldn’t be too painful but the longer this sits it could be an issue.

Thanks !



Guys what is this thing is someone stealing my internet?

Guys, I don't know what this thing is. I tried reading on the internet but didn't understand what it does. The highlighted one is my internet cable. Is someone stealing my internet? Any help will be appreciated!



Anyone know the sign on for Disney World WIFI ?

Trying to livestream inside rides with no lag, however, the guest WIFI is too slow....WLAN-TWDC & TWDC-CAST show as available with password!



Thursday, April 22, 2021

How I solved the weirdest speed bottleneck problem

I've been setting up a few routers in a router-on-a-stick configuration and I had the weirdest speed problem crop up that technically never should have happened. It all started when I daisy-chained an upstream router to a downstream switch + router which used SFP+ ports and VLANs to make a theoretically perfect 1-gigabit connection. Then, I noticed a BIG problem. When connecting directly to the upstream router, I could get a full 940/940 speed that's limited only by the 1000base-t standard. However, when connecting to the downstream router connected via SFP+ to a 10 gigabit switch, I could only get 800/60 Mbps at the most. At first, I thought it was a simple CPU problem, but it couldn't have been because it was capable of routing the full speed of the SFP+ port. I thought it was a switch offloading problem. VLANs can sometimes be tricky, so I made sure the switch chip handled everything, but it was. Fancy QoS queues can take a toll on processors, so I disabled that as well. I still couldn't get above a 60-megabit upload speed even though it should be 10 times that, so I knew it had to be a L1 problem. This gremlin persisted for days until it hit me. I realized that upstream, the router only had a plain old gigabit ethernet port. I was connecting to it via a 10Gbase-t SFP+ which kept auto-negotiating to the full 10G speed. What was happening is that the SFP+ kept sending 10G-encoded signals to a gigabit port that couldn't understand MOST of them, as obviously a few made it through and could be understood. However, the signals sent by that gigabit port were all somehow being understood by the SFP+. This shouldn't technically happen according to the wildly different standards for 1000base-t and 10Gbase-t, but it did. To make a quick fix, I disabled auto-negotiation and set the SFP+ to a normal 1 gigabit speed because it was listed in the switch as working at that speed. This made the problem worse as now NO packets could be sent at all.
My other SFP+ modules did support doing this, so maybe it was just a junk model that I got. I then tried swapping out for a plain-jane gigabit SFP and I suddenly got the full 940/940 speed downstream. What did I learn? Make sure your PHY rates make sense, and make sure your SFP+ twisted-pair modules support slower speeds.



Am I wrong?

I took a practice test for a CISSP exam and the question is:

You want to create multiple broadcast domains on your company's network. Which of the following devices would you install?

A. Router

B. Layer 2 Switch

C. Hub

D. Bridge

The answer given is A. Router and the rationale given is that layer 2 switches cannot create broadcast domains. The CISSP book says the same thing. However, everything I've studied in networking suggests both A and B are true, but you generally use a layer 2 switch to create broadcast domains and a layer 3 device such as a router to route between them. I would think this would be doubly true in a security exam, as using a layer 3 device as the only means to segment broadcasts would leave you more vulnerable to packet sniffers.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



How is Multiplex actually implemented?

Hello,

I am studying networks for class and I've read about Simplex, Half-Duplex, Duplex and Multiplex.

Now as far as Simplex, Half-Duplex and Duplex go, I see them as how two partners communicate. They're pretty easy to understand on their own.

Multiplex I would define as how to share a medium for communication like time-division multiplexing, space-division multiplexing and frequency-division multiplexing.

But I have a few examples in my head where I just cannot really make the connection, if there is any

  1. Radio: For radio to work the way I see it we would combine Simplex and Multiplex. My question: Wouldn't many listeners connecting to the same radio station over the same frequency cause problems? (Maybe I'm thinking too much from a wired perspective)

  2. Broadcasting-Pattern: The way I understand this, this is a case where we have Multiplexing and Half-Duplex. In a scenario where a participant in a LAN would want to resolve an IP to a MAC address, it would have to communicate via Broadcast, where it sends while every other participant listens. Now I see two ways to do this:

A: Every device is connected to every other device or B: The request would be sent to the Layer 2 switch which then communicates with every other member in the LAN.

This leads me to the next question: Using Switches as an example, is multiplex generally realized by using a parent-node (say a layer-2 switch) to connect one participant to multiple other participants at the same time?
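As an added example (not part of the post above), here is a small model of option B: a learning layer 2 switch acting as the single "parent node". An ARP request addressed to the broadcast MAC is flooded out every port except the one it arrived on, while the unicast reply is forwarded only to the port where the requester's MAC was learned. The MAC addresses, port numbers and ARP payload strings are constructed sample values.

```python
"""Added example (not from the post): a minimal learning L2 switch model.

It shows how one shared device lets every station reach every other one:
broadcasts (such as an ARP request) are flooded out every port except the
ingress port, while a unicast reply goes only to the port where the
destination MAC was learned. All MACs and port numbers are constructed.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    payload: str


@dataclass
class LearningSwitch:
    ports: int
    mac_table: dict = field(default_factory=dict)   # mac -> port

    def receive(self, ingress_port: int, frame: Frame) -> list:
        """Return the list of egress ports the frame is sent out of."""
        # Learn: the source MAC is reachable via the port it arrived on.
        self.mac_table[frame.src] = ingress_port
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Flood: every port except the one the frame came in on.
            return [p for p in range(self.ports) if p != ingress_port]
        # Known unicast: forward out exactly one port.
        return [self.mac_table[frame.dst]]


def arp_exchange(switch, requester_mac, requester_port, target_mac, target_port):
    """Simulate the request/reply pattern from the post; returns (flooded_to, reply_to)."""
    request = Frame(src=requester_mac, dst=BROADCAST, payload="who-has 10.0.0.2?")
    flooded_to = switch.receive(requester_port, request)
    reply = Frame(src=target_mac, dst=requester_mac, payload="10.0.0.2 is-at " + target_mac)
    reply_to = switch.receive(target_port, reply)
    return flooded_to, reply_to


if __name__ == "__main__":
    sw = LearningSwitch(ports=4)
    flooded, replied = arp_exchange(sw, "aa:aa:aa:00:00:01", 0, "aa:aa:aa:00:00:02", 2)
    print("ARP request flooded to ports:", flooded)   # [1, 2, 3]
    print("ARP reply sent only to port:", replied)     # [0]
```

Note that the flood rule also applies to a unicast frame whose destination has not been learned yet, which is why a freshly booted switch briefly behaves like a hub until its MAC table fills in.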



Cisco 9800 WLC running APs in local mode using multiple Vlans

Another question on configuring the C9800 Wireless controller vs the 5508. I've got my controller set up and configured for our first site, which was a Flex site, so that site's working great. Now I'm looking to configure my Primary site (where the controllers actually are). Since this site will be local mode, I've created the Policy to set it up in local mode, generated the tags, etc. The connection appears to authenticate and connect, and there the problem starts.

1) Computer does not pull a DHCP address. I may have messed this up, but I have the policy telling it to use Vlan 10. The interface the controller is connected on is in trunk mode with allowed vlans 10 and 99. DHCP helper address is configured on the SVI of the core switch.

2) Something's messed up with the networking. I set a static and I still cannot get anywhere.

What did I miss in the configuration for local mode that I set up for Flex mode?

Keep in mind my network structure is such that on the 5508 my AP management IP address is in Vlan1, and my client network is in Vlan 10. It's centrally switched, so the AP is connected to a switchport running in access mode on Vlan1.



Need to replace existing wireless solution, unifi

I need to replace existing unifi installs.

I am not against using a cisco product, but I'd like to keep it on the more cost friendly side of the scale vs full blown enterprise cisco.

If this product exists, great, if not, then I guess I'll keep searching.

I don't want to use amplifi/google mesh/etc, which will reduce speeds when more mesh points are added and a router is already in place.

100% of APs are hard wired from their mounting location to the main rack, even though unifi does allow meshing, it isn't used in our environment.

What I'm looking for

  • Fastest possible speeds with most wireless devices (I know this will be limited on the client side wlan radio)
  • Somewhat price friendly (I'm not looking for standard consumer gear pricing, but want to avoid enterprise pricing)
  • Wireless controller to manage all APs at a site
  • Future proof wifi standard AX should be available, if possible

Is there anything entry level/not full blown enterprise that someone could recommend? I've heard people mention cisco APs, in the past, but this was back when I wasn't having issues with wifi and I wasn't looking into other brands, at that time.

To be clear, I'm not replacing the unifi APs thinking that wireless speeds will improve with another brand, I'm simply getting more and more annoyed with the direction in which unifi is heading....bad support/no support, horrible firmware upgrades, removing features from the controller that users want, etc...

I know that no company is perfect, but unifi is all over the board.

Thanks.



Was given my first solo project. Building out offices in different locations. What else do I need?

So, I've been working in tech for about 2.5 years and in my current role my manager has given me an opportunity to grow by allowing me to put together a project of everything we will need to hook up anywhere from 11-20 computers to the network in each office using fiber with conduit (as some fiber will be exposed and run over asphalt). There will be multiples of these offices spread out over the campus. I'm really wanting to impress (or at least not come off like I need to go find another career). So far, I have listed a need for a 1-10Gbps backbone (haven't decided if we really need 10). I don't need the distance for single-mode fiber, so I think multi-mode would be okay, cross-connecting with LC connectors. I don't think I need a firewall since it's going to our existing network anyway. I'm considering using a 48 port switch per office. Do I need to include a patch panel per office? Some offices will have a closet for equipment storage, some won't. So, I know I will need a rack. This is my first project solo. I know I am probably missing a TON of stuff I'm just not thinking about since I've been up since 3am, but I welcome suggestions.



OSPF traffic engineering on Juniper

I'm a Cisco engineer for most of my career. I am in the Juniper space now in my new role and I am curious about how to do OSPF traffic engineering.

In the Cisco world, I can redistribute routes as either E1 or E2. Quick and easy way of selecting one path vs another. I notice that in the Juniper world there is no E1 or E2 to influence. I see that I can set it in a policy statement but it has no benefit to other Juniper devices. Is there something I am missing?

Also, once I set the metric-type as either 1 or 2 in a policy statement I don't see that attribute when I do a 'show route x.x.x.x detail'. So I have no way to validate if it's set correctly unless I jump over to a Cisco router.



Issue in synchronization between active directory and ISE

There's an issue that surfaced the last couple of days. We're using dot1x for wireless authentication. The issue is, when I create a new username in the active directory, the ISE doesn't know anything about that username until the next day. The user can't connect to the wifi using that username until 24 hours or so have passed. Synchronization used to happen instantly but now it doesn't. Can anyone help me with this?



Options for accessing multiple computers using the same port from an external network?

I would like to be able to access multiple machines that are using the same port - for instance, SSH - without forwarding independent ports for each of them. This may simply be impossible, however I am curious to see if there's a way to do it. Is there a way to pass along information through the local computer listening to port 21? I've had little success googling for an answer.



IGEL UD-3 LX42 thin client and OS 10

Does anyone have a pointer for me?

Customer runs IGEL OS 10 on a UD-3 LX42 thin client and wants to use jitsi in the local browser

Sloooow. We think it doesn't hw-accelerate ... according to

https://kb.igel.com/igelos-10.06.100/en/hardware-video-acceleration-on-igel-os-23509152.html

Any chance to improve that?

We have a license for that Multimedia Codec Pack, but it isn't noticeable in any way.

Can I check if it's active somehow?

We spent hours already ;-) thanks



Configuration advice for an absurd amount of SSID requests from vendor.

We are a mobile division that will be moving to a cellular solution involving routers in each vehicle. In our environment we have redundant Cisco WLCs that deploy our access points at the datacenter. At the moment we have just a few main SSIDs, "corp" and "guest". A vendor with wireless products is requesting each vehicle have its own individual SSID for its product, as in if you have "car10" the wifi would be "car10xVendor" and so on. Problem is we have hundreds of vehicles. What would be the best configuration to accommodate different SSIDs per vehicle without overloading the controller?



Basic network diagrams

What's everyone using to create floor plans & network diagrams, we've dabbled in PowerPoint & Sweet Home 3D, just need something simple to make basic floor plans with network switches, routers, servers, access points, etc.



SD WAN Solution and Service Provider in India

At NTT Global Data Center and Cloud Infrastructure, our SD-WAN solutions make your enterprise networks more agile, secure and robust with software-defined wide area network solutions.



TCP Black Hole

Recently I was trying to troubleshoot a Domain Controller at a branch office, with an IPSec S2S over ADSL connection refusing to replicate with a PDC Emulator at the Datacentre. Connectivity appeared good (I was RDP'd to it from the Datacentre DC), DNS appeared good. But still it refused. I spent ages scratching my head, going over and re-going over time, dns, ACLs, local firewalls, perimeter firewalls.

Then I started troubleshooting MTUs.

If I did a ping -l 1500 -f I got the expected "need to fragment" response. Same at 1490, 1480, 1470. Somewhere around 1450 I hit "request timed out", until I eventually dropped the test pings to 1410 when responses started coming back.

I dutifully set my problem DC MTU to 1438 bytes (1410+28), and it has now been replicating for 3 days solid.

What I'm trying to figure out though is, what would cause the "need to fragment" message to eventually be replaced by a "request timed out" before eventually finding the sweet spot of 1410?

My guess is that the "need to fragment" ICMP response is coming from my remote office router, and once I drop low enough to get past that it might be just getting dropped silently in our ISP's network?

Also, is 1410 an unusually low MTU?

I mean, I think I've fixed this issue, but I think I need to understand this better. I think this may be affecting multiple sites, so this may be something I need to fix, ideally a fix in one place rather than getting all users' laptops and desktops reset to a lower MTU (very few of our sites have domain controllers).
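As an added example (not part of the post above), the probe the poster ran can be reproduced against a constructed two-hop path: a branch router that honours the DF bit and sends ICMP "fragmentation needed" (modelled here with a 1492-byte PPPoE-style MTU, an assumption, since the post only says ADSL), followed by an ISP hop with a 1438-byte MTU that drops oversized packets silently, i.e. a PMTUD black hole. The 28 bytes added to each ping size are the 20-byte IPv4 header plus the 8-byte ICMP header, which is the arithmetic behind the post's 1410+28. The sweep reproduces the three responses seen in the post, and a binary search finds the largest payload that still gets a reply.

```python
"""Added example (not from the post): simulating 'ping -f -l <size>' across a
constructed path that contains a PMTUD black hole.

Hop 1 returns ICMP "need to fragment" for packets over its MTU; hop 2 has a
smaller MTU and silently drops oversized packets, so probes that clear hop 1
but not hop 2 simply time out. Both MTU values are constructed for the demo.
"""
IP_HDR = 20
ICMP_HDR = 8
HDR = IP_HDR + ICMP_HDR   # the "+28" added to the ping payload size

# Constructed path: (name, mtu, sends_icmp_frag_needed)
PATH = [
    ("branch-router-pppoe", 1492, True),    # assumption: PPPoE-sized link MTU
    ("isp-black-hole", 1438, False),        # drops silently: no ICMP back
]


def probe(payload: int, path=PATH) -> str:
    """Outcome of one DF-bit ping with the given ICMP payload size."""
    size = payload + HDR
    for _name, mtu, sends_icmp in path:
        if size > mtu:
            return "need to fragment" if sends_icmp else "request timed out"
    return "reply"


def sweep(sizes, path=PATH) -> dict:
    """Run the manual sweep the way the post did, one size at a time."""
    return {s: probe(s, path) for s in sizes}


def largest_working_payload(lo: int, hi: int, path=PATH) -> int:
    """Binary search for the largest payload in [lo, hi] that gets a reply."""
    assert probe(lo, path) == "reply", "lower bound must already work"
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid, path) == "reply":
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    for size, result in sweep([1500, 1470, 1450, 1410]).items():
        print(f"payload {size:4d} (packet {size + HDR}): {result}")
    best = largest_working_payload(500, 1472)
    print(f"largest working payload: {best} -> path MTU {best + HDR}")
```

The distinguishing signal is the transition from "need to fragment" to "request timed out": once a probe is small enough to clear the hop that still sends ICMP, the only thing left to report a too-large packet is a hop that does not, so the probe disappears. Any path that drops those ICMP messages (a filter that blocks ICMP type 3 entirely, for instance) produces the same black-hole symptom, which is why ICMP "fragmentation needed" is worth permitting through perimeter ACLs.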



How does P2P work?

It always fascinated me. How does torrent work? How do Blockchain nodes communicate?

Essentially what I'm struggling to understand is, how does a client find another client? How does it know which IP address is running the other node?
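As an added example (not part of the post above), here is a toy version of the mechanism BitTorrent's trackerless mode uses to answer exactly that question: a Kademlia-style distributed hash table. Every node has a random ID, the distance between two IDs is their XOR, and each node keeps only a few contacts per shared-prefix length (a "k-bucket"). To learn which address runs a given node ID, a client starts from one bootstrap contact and repeatedly asks the closest nodes it knows for even closer ones. The node IDs, addresses and overlay below are constructed; a real DHT uses 160-bit IDs and UDP messages between hosts.

```python
"""Added example (not from the post): a toy Kademlia-style DHT lookup.

Each node knows a handful of contacts per k-bucket (shared-prefix length).
An iterative FIND_NODE lookup converges on the node whose ID matches the
target and returns the address it is reachable at. Everything here is
constructed: 16-bit IDs, fake 10.0.x.y:6881 addresses, in-process "RPCs".
"""
import random

ID_BITS = 16
K = 3          # contacts kept per bucket and returned per query


def distance(a: int, b: int) -> int:
    return a ^ b


def shared_prefix(a: int, b: int) -> int:
    """Number of leading bits two IDs have in common (ID_BITS when equal)."""
    return ID_BITS - distance(a, b).bit_length()


class Node:
    def __init__(self, node_id: int, address: str):
        self.node_id = node_id
        self.address = address
        self.contacts = {}   # node_id -> "ip:port", the routing table

    def find_node(self, target: int):
        """The RPC a peer answers: the K contacts it knows closest to target."""
        ranked = sorted(self.contacts.items(), key=lambda kv: distance(kv[0], target))
        return ranked[:K]


def build_overlay(n: int, seed: int = 7) -> dict:
    """Constructed overlay: n nodes, each with up to K random contacts per bucket."""
    rng = random.Random(seed)
    ids = rng.sample(range(1 << ID_BITS), n)
    nodes = {i: Node(i, f"10.0.{i >> 8}.{i & 0xff}:6881") for i in ids}
    for node in nodes.values():
        buckets = {}
        for other in rng.sample(ids, n):          # random order fills buckets randomly
            if other == node.node_id:
                continue
            bucket = buckets.setdefault(shared_prefix(node.node_id, other), [])
            if len(bucket) < K:
                bucket.append(other)
        for members in buckets.values():
            for other in members:
                node.contacts[other] = nodes[other].address
    return nodes


def iterative_lookup(nodes: dict, bootstrap: int, target: int):
    """Return ((closest_id, address), rounds) after iterative FIND_NODE queries."""
    candidates = {bootstrap: nodes[bootstrap].address}
    queried = set()
    best, rounds = bootstrap, 0
    while best != target:
        # Ask the K closest nodes we know about but have not queried yet.
        todo = sorted((i for i in candidates if i not in queried),
                      key=lambda i: distance(i, target))[:K]
        if not todo:
            break
        rounds += 1
        for nid in todo:
            queried.add(nid)
            for cid, addr in nodes[nid].find_node(target):
                candidates.setdefault(cid, addr)
        new_best = min(candidates, key=lambda i: distance(i, target))
        if distance(new_best, target) >= distance(best, target):
            break                               # no progress this round: converged
        best = new_best
    return (best, candidates[best]), rounds


if __name__ == "__main__":
    net = build_overlay(200)
    ids = sorted(net)
    (found, addr), rounds = iterative_lookup(net, ids[0], ids[150])
    print(f"looked for {ids[150]:#06x}: found {found:#06x} at {addr} in {rounds} rounds")
```

Each round moves at least one bit closer in XOR distance, so a lookup finishes in at most ID_BITS rounds regardless of where it starts. The same structure is why such overlays are hard to take down but also why a node must treat every returned contact as untrusted input: a peer can hand back arbitrary addresses, so real clients rate-limit and validate what they receive before contacting it.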



MS-KMS & MSRPC-BASE flagged by Palo Alto

Hi guys,

Maybe you can assist with an issue that I'm currently experiencing.

I have two devices that have the two protocols flagged and blocked by the FW.

While in theory I understand what triggers the two protocols, I have no actual idea what to check that might be the issue, to see if there has been an actual breach or not.

The protocols are flagged trying continuously to target some IPs (probably servers?) that belong to private intranets.

I have checked on the Windows machines if there are any MS products that might need activating (for KMS) and found nothing.

Only issue for one user was that Teams apparently wasn't able to send messages for a short while yesterday, but has since been working.

Thanks for your help!



Will there be a default VDC configuration in Nexus devices?

'show vdc detail' from a Nexus device in our environment shows one entry as active.

As per the sysadmin in my organization, it's a default config in Nexus devices and is not configured to achieve any specific use.

The NCCM software that we are using is picking up this default vdc from this device and is showing a sub interface as a separate device.

Is this configuration there by default? How can I remove this configuration from the device to make sure that the interface is not shown as a separate device in the NCCM (Infoblox NetMRI)?

Thanks in advance.

Attaching the show vdc detail below:

show vdc detail

vdc id: 1
vdc name: sample
vdc state: active
vdc mac address: xx:xx:12:34:vc:bf
vdc ha policy: RELOAD
vdc dual-sup ha policy: SWITCHOVER
vdc boot Order: 1
vdc create time: Tue May 5 21:51:00 2020
vdc reload count: 0
vdc restart count: 0
vdc type: Ethernet
vdc supported linecards: None



Wednesday, April 21, 2021

How can I sniff traffic from a USB device in Android using adb and UsbPCap ?

I have a USB-C device. It is made for Android. It has a specific application made by their developers, and it only communicates with that. They don't provide a third party API, but I want to use that device's features for open source projects. Now I heard that I can debug any USB-C device with Wireshark, to be specific UsbPCap. But I don't have a USB-C port on my computer. So if I connect my Android over adb over WiFi and connect that application, can I then somehow sniff the data between Android and the USB-C device?



What are the differences between those?

Between a client and server regarding capture, echo, and playback?

https://imgur.com/a/gNTR6bp



Why are Versa SD-WANs virtually non-existent outside of the service provider realm?

I'm curious to know why Versa deployments seem to be, well, non-existent outside of the telecom/service provider realm. I rarely - if ever - see them mentioned here, but supposedly Gartner considers them a major player. Based on my research it seems to be the most full-featured out of all of the SD-WAN vendors (particularly surrounding security as well as core routing) and it's much cheaper than Silver Peak and Cisco. The biggest negative I can think of feature-wise is a lack of substantial WAN opt functionality, but from conversations with customers that doesn't seem to be important to many of them anyway.

I'm guessing that this has nothing to do with its code stability or performance. Is it due to management complexity? Support? I've had a chance to look at the controller GUI and, well, there is certainly a lot going on there... but I would assume that some environments would consider that to be an advantage. Or do you think it's purely due to poor marketing and sales strategies?



Looking for some validation...

I'm currently trying to help my workplace redesign their IT network. I have some background in this field so naturally I feel quite comfortable doing this. However, speaking with the hardware supplier is starting to make me doubt myself.

Please can someone help me reaffirm my plan isn't full of holes and I'm not suffering from ID10T!!

My first point of action is to split the network onto 2 L2 switches and I'm looking to breakup the network into VLANs as follows:

  1. 1 for workstations
  2. 1 for servers
  3. 1 for printers
  4. 1 for Guest WiFi
  5. 1 for management

I'll connect the 2 L2 switches via a trunk link and then connect both to a 2 LAN port firewall. This is the bit I'm most confused about. The hardware supplier is giving me a QNO Secure Router which has 4-5 WAN ports and 2 LAN ports. This is new to me as I'm more familiar with working on hardware with the opposite configs (1-2 WAN & 4-5 LAN). The QNO device is advertised as supporting port based VLAN. Since it's only got 2 LAN ports, my confusion is, will it still be able to handle the 5 VLANs I need or will I have to rethink the whole network?

FYI, the L2 switches I'm being supplied are Zyxel. These all have a web based GUI for setting them up so I don't need to worry about knowing how to configure them (like Cisco and Juniper). The downside is, I'm not so familiar with them as I've only ever handled Cisco R&S hardware.

All comments are appreciated and a massive thank you for your time to read this far!!



Have you ever lied on your resume?

Have you ever lied on your resume by adding additional responsibilities for a particular job? Especially technology you're familiar with? I can fully answer interview questions on the related technology, making it seem as if I in fact worked with it.



Anyone here have managed services through NTT? If so, what's your experience been like?

I'm curious to know if their managed services organization operates pretty similar to other telecom vendors (i.e. AT&T, Verizon), or if they're actually competent.



Single RTMP Ingestion Endpoint - How?

We run a small streaming business and one of our platform's biggest weaknesses is that we still have to set up unique custom RTMP ingest URLs for each client. The gold plated solution is obviously a single ingest URL, like YouTube uses, but I have searched high and low and just cannot seem to find any explanation of how it's done.

I'm guessing that there's some networking and DNS magic (Anycast?) involved, but there must also be some load-balancing done somewhere and if there is, how on earth do they scale load-balancers to handle the scale of multiple incoming streams? Is load-balancing load-balancers a thing??

I apologise if this is the wrong subreddit; if there's a more appropriate one, please let me know - I was thinking of posting in /r/webdev, but without more knowledge this feels like a networking challenge more than a software one.

Thanks!



MTU Explanation with VPNs

I have a question regarding how VPNs work in regards to MTU size and over something like the internet.

If I have my MTU set to 1500 bytes and I send a packet to a VPN device it then encapsulates the packet and it now exceeds 1500 bytes. It then has to transmit this packet to the other end of the VPN tunnel and it now has a non-standard packet size of > 1500 bytes. How can you do this over the public internet without all of the routers between VPN devices supporting jumbo frames?

Would it be smarter to shrink my source side MTU or could that adversely impact applications/operating systems that are expecting a 1500 byte minimum?

Lastly, how come sometimes when packets are too big they’re dropped and sometimes they’re just split up?

Thanks!



Native VLAN mismatch driving me crazy

I'm a bit of a newer network technician and am running into an issue that I've been working at for several hours now and it seems like a fairly simple fix but I just can't seem to "get" there. I have two directly connected switches via fiber (Cisco 6506 port Gi2/9 to Cisco SG550X Te1/0/5). The SG550X is brand new and it just replaced a Cisco 3508GXL. The config on the 6506 port has not changed at all and it was running fine with the 3508, but I'm now seeing this message every 5min on the SG550X:

%CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface te1/0/5.

6506 port Gi2/9 config:
switchport
switchport access vlan 23

SG550X port Te1/0/5 config:
no macro auto smartport

The old 3508GXL had no config at all on the connected uplink port to 6506, just the defaults (blank).

Connectivity between the devices fails if the SG550X Te1/0/5 is set to:

switchport access vlan 23
(Note: There are no vlans configured on the SG550X or downstream switches)

I get a Native VLAN mismatch on the SG550X if I set Te1/0/5:

switchport mode trunk
switchport trunk native vlan 23
OR
switchport mode trunk
OR
switchport mode access
switchport access vlan 1
OR
switchport mode access
OR
switchport mode access
switchport trunk native vlan 23

I realize some of these are just wrong, but I've been throwing everything at it and I know I'm missing something here. I don't want to change the 6506 port to a trunk port, I'd like to leave it as is. Many thanks to anyone who attempts to help this poor soul get a better understanding of what's happening. I thought I had a good understanding of tagged, untagged, native vlans, access and trunk ports, but I suppose not...



ASA redistributing OSPF

Hi, I am doing a site to site VPN and need the VPN-learnt networks to be redistributed into my LAN switches. I have created a route map on my ASA, and the routes are showing on the connecting switch (Juniper). The only issue is that when I do show ospf route, the VPN networks are held in Ext (exchange) state.

I am aware that MTU size can cause this, as different vendors use different sizes: Juniper uses 1504, ASA 1500. I've matched it to the one of the ASA.

However, once I do that, I no longer see the OSPF-learnt routes on the Juniper.

Any idea why this is happening ?



What do you do for syslog?

It seems like it’s best practice to log to the buffer at level 7, and perhaps to syslog servers at a lower level. I’m trying to decide what to do with the flexibility afforded by Cisco ASA firewalls. On the one hand, our logging buffer is full of logs for connections established and torn down, leaving everything important out of there. That information is not useful for troubleshooting, but could be helpful for forensics.

I’m wondering what most of you do when it comes to logging ACL hits and connections up/down on the buffer vs syslog servers. I’m thinking of using logging ACLs for the buffer and send everything informational to the syslog server.
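As an added example (not the poster's configuration), here is one ASA logging layout that implements the split the post describes: a named logging list limits the on-box buffer to ACL-hit messages, while the syslog collector receives everything at informational and above, which includes the connection built and teardown messages (302013/302014 for TCP) that are noise for troubleshooting but valuable for forensic reconstruction. The interface name, collector address and ACL name are constructed placeholders; 106100 is the message ID the ASA generates for ACL entries that carry the log keyword.

```cisco
logging enable
logging timestamp
logging list ACL-HITS message 106100
logging buffered ACL-HITS
logging trap informational
logging host inside 192.0.2.10
access-list OUTSIDE_IN extended deny ip any any log
```

Two design points worth keeping in mind with this layout: the buffer is lost on reload, so anything that matters for an investigation has to reach the collector anyway, and the collector is now the place where retention, integrity (timestamps, a reliable transport) and access control for those logs have to be handled.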



Adding NAT to school router

Hello

Here in Ireland primary schools get a router from the Dept of Education. The router is locked and only accessible by the tech guys behind the broadband helpdesk. The body that manages internet connections to schools has run out of IP addresses and as such they cannot increase the numbers allocated to schools. They suggested implementing NAT by attaching an external device to the Dept of Education supplied router. Although this router can support NAT, they chose not to support its implementation in order to have more IP addresses available. Can anyone point me in the right direction on how to set this up and what I should purchase? I suppose it would be a hardware firewall or a gateway of some sort. Any help will be greatly appreciated. Thanks in advance.



Senior Network Interview - Cloud topics

Hi folks

I have an interview for an upcoming Senior Network role that I am really interested in and it matches my skillset fairly well. Only thing is, it is looking for expert level in Cloud and hybrid cloud design. This is something that unfortunately I have no experience in but I am currently going through the Solution Architect AWS exam topics. I am not going to lie or BS the interviewers but I am looking for suggestions on topics that I could brush up on that I could speak to...Maybe a high level plan for how you would implement hybrid cloud architecture. What are the most real life ways of providing connectivity?

I know at my current company we have guys working with AT&T to provide direct cloud connections, but other than that I don't have much info...

Any suggestions would be appreciated



VPN Tunnel woes - ASA to ISR, return traffic coming from wrong IP

So I've been setting up a VPN tunnel from my ISR to a remote ASA.
We can get all the configs matching, pass traffic, but eventually it drops, maybe after hours, maybe after days. When it drops, I'm seeing packets encapsulate from the ISR, decaps on the ASA, then encaps again on the ASA, but they never arrive back on a return trip.

The ISR is receiving instead packets from the next hop router on the ASA side.
So if my ISR is Y.Y.Y.Y, ASA is X.X.X.Y, then I'm getting packets from X.X.X.Z.

Error on ISR: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=Y.Y.Y.Y, prot=##, spi=0x#######(#######), srcaddr=X.X.X.Z, input interface=GigabitEthernet0/0

Can't find anything that's causing this in routing on the remote side, these are obviously the responding packets from X.X.X.Y, but why are they sourced from the other IP?



2960C replacement?

Anyone know what if anything is filling this gap?



Anyone deal with elevator communication?

We have an elevator using a POTS line for emergency line access and are currently switching to a new telecom vendor who cannot service the old school POTS lines. I was told by the elevator repair tech that an ATA will work, but the telecom vendor says they do not support that. What other options do I have here? Is there a way to move an elevator to IP somehow?



nfsen vs fastnetmon for sFlow and DDoS monitoring

Just starting a discussion to see what the majority of people think about this. I have worked on nfsen and it does a really good job, but otherwise I'm hearing lots of goodness about FastNetMon, so I'm trying to understand what the difference is.

What are you guys using in your organization to detect and mitigate DDoS?



Service provider job advice

Hello everyone!

My goal is to go work for an ISP in the next 2-3 years. I should finish the CCNP ENARSI cert this summer. I'm very comfortable with Cisco IOS and I'm wondering what to learn next.

Should I give a shot at Juniper? I was thinking of doing the CCNP Service Provider after ENARSI but I read that Juniper was popular in the service provider realm.

I'm also a bit tired of Cisco stuff these days so might as well learn something else.

What do you think?

Thanks



Need some suggestions for warehouse Wifi

Hey guys, I got a 20k sqft warehouse we use for our business and need to take our internet connection to the next level. We’re currently using xfinity business and all their equipment but it’s been performing very poorly plus I’d like to have more granular control in configuring the router. So I’m looking for suggestions for the best possible setup; which would include router, modem and several range extenders/access points for better coverage. I’ve done this on the consumer level but not at this large scale. Any suggestions?



Can a Bullet M2 be used as an AP for TP-Link P2P bridges? Are they compatible?

Has anyone tried this setup? I have a TP-Link CPE510 that doesn't see the Bullet M2 AP. All other devices can connect or see it though. As network devices, they should be compatible right? I've tried manually entering the AP information but still no cigar. They are both in the 20MHz range and using WDS.

Any help is appreciated.



NAS systems

I work in a cabinet manufacturing facility and am looking for the fastest possible file storage system to host our jobs on. The only requirement is that you have to be able to map a network drive to the storage for our CAD software. Would an array of SS drives in a NAS device function better than the Dell server I am currently using for file storage? Everything on my network is Gigabit. It just seems like jobs are taking a long time to load and I was looking at ways to improve the speed. Any advice is appreciated; I am not as knowledgeable as you guys are, I just know enough to get things running.



CISA Releases Alert on Exploitation of Pulse Connect Secure Vulnerabilities

https://us-cert.cisa.gov/ncas/current-activity/2021/04/20/cisa-releases-alert-exploitation-pulse-connect-secure

Hopefully most folks running Pulse for remote access are aware of this by now



DC Power Distribution - what is required?

EDIT - Title refers to "Direct Current Power Distribution", not "Data Centre Power Distribution" :)

We are looking at purchasing some Juniper ACX710 routers, but one of the complications is that they only have DC power supplies. We've only ever dealt with AC PSUs before, so I've been trying to figure out how you go about building a DC power distribution within your cab, but I'm struggling to find anything definitive, so I was hoping someone with experience with this may be able to point me in the right direction. We'd be looking for something rated to approx. 1 kW to be installed in a 19" rack (600mm deep).

So far I've come to the conclusion that I'll need a rectifier to convert AC --> DC, and then some kind of fused distribution panel? Also, is this the kind of thing that should be installed by a qualified electrician or do they just come as ready-made units that you plug in to your AC feed?

We are based in the UK if anyone has any specific recommendations.

Thanks!



Question on load balancing two 1Gbps circuits from same carrier.

We thought the carrier was actually giving us a single 2Gbps handoff but it's actually two 1Gbps handoffs, two /28 blocks. We're going to be using a Fortigate 200f as our edge device. Do I need to think about setting up BGP or do anything else to prevent weird routing issues on this type of circuit?



Outdoor POE Surge Protector

Hello all, I am trying to find the proper way to connect an outdoor PoE Surge protector. I’ve read some things that say the outgoing connection to the injector should use shielded cable with shielded connector, and others say to use unshielded. What are everyone’s thoughts as the correct procedure and why? Thanks



Question for technical communication

If you could change one thing about technical communication (COM 210), what would it be? Explain your answer 


GRE tunnel still up/up despite keepalive

The network topology looks like this: Router 1 tunnel — ISP — Router 2 tunnel

The tunnel configuration for both ends of the tunnel are as follows:

```
ip address x.x.x.x
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf hello-interval 3
ip ospf cost x
keepalive 10 3
tunnel source x.x.x.x
tunnel destination x.x.x.x
```

Even when router 2 is down and inaccessible, the tunnel at router 1 is still showing up/up despite keepalive being configured.

Routers are Cisco devices.

Any ideas why this is so?



Vxlan/EVPN multisite connecting legacy DCs. Pseudo BGW config

Hi all,

I have two DCs that I want to connect with two pairs of nx9300 (9.3.7) (a pair on each site). I want to configure the Nexus as vPC-BGWs, but while it is clear that I must configure "evpn multisite dci-tracking" on my uplinks (the links connecting the DCs), it is not clear on what ports I should configure "evpn multisite fabric-tracking", because there are no spines in the design.

So, for the pseudo-BGWs I have, do I have to configure the "evpn multisite fabric-tracking" command, and on what interfaces should I configure it?



Tuesday, April 20, 2021

noob question...trying to understand VPN and the traffic thru them.

Let's say I'm signed into a website (Facebook, edX, eBay) over HTTPS, and while I'm perusing this website (signed in) I decide to open my VPN app and connect to a server from a different location, changing my IP address (I assume my identity or credentials).

Shouldn't my connection to this website (server) be compromised, I guess, in some way if I continued searching on that website?

Shouldn't I be signed out of the session and required to re-verify my credentials?



Juniper SRX book recommendations?

Do you guys have any good books to recommend for someone that has a bit of experience on the Cisco side - ASA, and routing/switching, to get their feet wet in the Juniper realm?



BGP neighbor question

I can't find anything on this on the web. Is there a particular reason why I would want to form neighbor relationship with non directly connected interfaces like loopbacks over directly connected interface ip? One reason that I can think of is the ease of identifying each peer. Any other?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Why is IPv6 neighbor solicitation only responding to solicited-node multicast and not unicast?

I have guest A on host A and guest B on host B. Let's say guest A has a global addr of 2600::A and guest B has an address of 2600::B.

When guest A attempts to ping guest B it ends up taking about 10 seconds to complete. After doing a packet capture, this is because guest A tries three times to do an NS for guest B and gets no response. It's only after the fourth attempt that an NS is sent to the solicited-node multicast address for guest B where it gets a response. It looks like this:

```
attempt 1: src: fe80::A  dst: 2600::B          (timeout)
attempt 2: src: fe80::A  dst: 2600::B          (timeout)
attempt 3: src: fe80::A  dst: 2600::B          (timeout)
attempt 4: src: 2600::A  dst: FF02::1::ff00:B  (success)
```

I thought this may have been firewall related, but I've flushed the rules and I'm still seeing this result. Why might this be the case?
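Added example, not from the original post: it derives the solicited-node group (RFC 4291) and its Ethernet multicast MAC (RFC 2464) for the target address, then classifies each NS destination from a capture like the one above; the (src, dst) pairs are constructed to mirror the post.

```python
# Added example, not from the original post: derive the solicited-node
# multicast group (RFC 4291) and the matching Ethernet multicast MAC
# (RFC 2464) for an IPv6 address, then classify NS destinations seen in a
# capture like the one above. Addresses below are constructed samples.
from __future__ import annotations

import ipaddress


def solicited_node_group(addr: str) -> str:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    # ff02:: prefix, then 0001:ff00:0000 in the low 48 bits, OR'd with low24
    group = ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24)
    return str(group)


def multicast_mac(group: str) -> str:
    """Ethernet MAC an IPv6 multicast group maps to: 33:33 + low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def classify_ns(target: str, dst: str) -> str:
    """Classify the destination of a Neighbor Solicitation for `target`.

    Address resolution for a not-yet-known neighbor is sent to the
    solicited-node group (RFC 4861 7.2.2); a unicast NS is the form used for
    Neighbor Unreachability Detection of an already-known neighbor (7.3).
    """
    dst_ip = ipaddress.IPv6Address(dst)
    if dst_ip == ipaddress.IPv6Address(solicited_node_group(target)):
        return "solicited-node"
    if dst_ip == ipaddress.IPv6Address(target):
        return "unicast"
    return "other"


# Constructed (src, dst) pairs mirroring the four attempts in the post.
SAMPLE_NS = [
    ("fe80::a", "2600::b"),
    ("fe80::a", "2600::b"),
    ("fe80::a", "2600::b"),
    ("2600::a", "ff02::1:ff00:b"),
]


def summarize(target: str, attempts: list[tuple[str, str]]) -> list[str]:
    """Return the classification of each NS destination, in capture order."""
    return [classify_ns(target, dst) for _src, dst in attempts]


if __name__ == "__main__":
    grp = solicited_node_group("2600::b")
    print("solicited-node group:", grp, "MAC:", multicast_mac(grp))
    for (src, dst), kind in zip(SAMPLE_NS, summarize("2600::b", SAMPLE_NS)):
        print(f"src={src} dst={dst} -> {kind}")
```

A capture filter on the printed MAC (or on the group address) shows whether the responding guest's NIC is actually joined to that group; if no frames for it are seen on the destination host, look at the virtual NIC's multicast filter rather than the firewall.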



Is there a configuration that lets me connect my Ubiquiti Bullet M2 to a TP-Link managed switch VLAN port to act as a guest network? Can P2P bridges also connect to the Bullet?

I'm still learning and building my test network before implementing it in a non-profit park in July. I've tried researching it but I can't find something specific to my problem with the Bullet. It receives an IP address on the VLAN port it's connected to but can't reach the WAN or distribute DHCP addresses to clients.

I have a Digital Forensics and Computer Science background so I'd like to learn networking to make me more versatile. Plus, I find it fascinating and fun! I just started studying for the Network+ then next is the CCNA.



Firewall Decisions

Hey guys/gals, just looking for some insight or suggestions on something. We are looking at new firewalls for our data center and I was wondering if anyone had any input on products they have used or would stay away from? Ease of use and configuring, etc. Right now we are looking at the Cisco Firepower 2140 ASA Appliance and the Palo Alto Networks PA-5220 security appliance. I have heard a lot about the headaches with the Firepower solution, so I am wary of it. We are currently outfitted with everything Cisco, but I am vendor agnostic at this new site. Thanks for any feedback you may have on this.

Also, we will be utilizing A LOT of VPN traffic, IPsec and OpenVPN. It will also be setup as HA pairs.



Serial server

Hi,

In our DC we have a bunch of network devices, which we have connected to a serial server (which is connected to an OOB network). The purpose is that in case of network issues we can still manage those devices remotely via a web interface.
We used to have an airconsole (https://www.get-console.com/shop/en/device-servers/98-airconsole-ts-8-port.html) but the micro USB connector broke. Since there seems to be little development at get-console.com and I'm not 100% confident in the quality, I was wondering if there is something better on the market. I know Moxa have the NPort devices which should do the trick (but they are rather expensive).
Thanks for any suggestions.



Trying to access data sent from device to computer over wifi. Where do I start?

I have a golf simulator that measures a dozen or so metrics from my golf swing, then sends the data it has collected over wifi to my computer, and I'd like to access that data live as it is received on my system.

I know this is a beginner question, and a specific one at that. I don't want a full tutorial, just a nudge in the right direction if possible.

I'm relatively computer-savvy but have spent most of my time building software without much networking overlap, so my knowledge in the field is minimal, and my attempts at googling my way to this data have led me to people with Arduinos and the like attempting to connect to a computer over wifi, a similar problem but not exactly what I'm looking for.

So, two questions I guess:

  1. What should I be studying to learn how to access this data?
  2. Is there a chance this data is encrypted in some way, and not accessible without help from the manufacturer?


EVE-NG and Tera Term

I'm trying to paste huge configs into a CSR from PuTTY, but it can't handle big pastes, so I can only do a few lines at a time, which will literally take me hours.

I installed Tera Term, but when I open PuTTY links with it in Firefox, it's just a blank window. Does anyone know what I need to do in Tera Term so I can open telnet links from Firefox?

Thanks!



Proxmox, VLAN's and ZeroTier - InterVLAN Bridging

Hey there. I've been stuck on this for a few days. I've got a few virtual machines with a provider, and they have set up a VLAN between them. I want all the associated VLANs on the other VMs to have access to the ZeroTier network and GRE network that I've got attached to a single one. I've got it in a normal Linux bridge, and while yes, they can communicate, they can only communicate directly with the VLAN'd IPs.

Anyway, some helpful guidance would be much appreciated. Yes, the interface names are different, but it's connected to the same VLAN, using Debian 10.

Here are configs;

Main Server;

```
# Ethernet
allow-hotplug ens192
iface ens192 inet dhcp

# VLAN
auto ens224
iface ens224 inet manual

# Bridge
auto br0
iface br0 inet manual
    bridge_stp off
    bridge_fd 0
    bridge_waitport 0
    bridge_ports ens224 ztyxaw4yqx ztr2qs4e5q
    up /bin/ip addr add 2407:xxxx:xx::xx:1/48 dev br0
    up /bin/ip addr add 172.xx.xx.1/16 dev br0
```

Connected VM #1

```
# Ethernet
allow-hotplug ens192
iface ens192 inet dhcp

iface ens192:0 inet6 static
    address 2a0a:xxx:xx::1
    netmask 48

# VLAN
auto ens161
iface ens161 inet static
    address 172.xx.xx.254
    netmask 255.255.0.0

iface ens161 inet6 static
    address 2407:xx:xx::xx:xx:54:1
    netmask 48
```

Pinging Main Server & Another server via my ZeroTier from Connected VM #1: https://www.screenimg.xyz/DhXUXEs1Mt.png

Pinging Connected VM #1 and Another server via Zerotier from Main Server: https://www.screenimg.xyz/ygGv6XD1mb.png

Main Server brctl: https://www.screenimg.xyz/bYeVKAeF4U.png



AWS to Data Center LISP Troubleshooting Help

Back Story

We had this thing up at some point but the senior manager in charge left the company and took both the AWS account with him and wiped the configuration for the Router in the data center because he owned the license and he was the one paying the AWS bill. Now another senior network guy is in charge of the project but gets laid off. He wipes the router on the data center (something about the license) and now a third senior network guy is in charge. He put in his two weeks’ yesterday and now I’m the sucker in charge and also the junior-most member in the entire team.

The problem

I have OSPF along with an IPSEC tunnel to transport LISP securely (per what little documentation was left and the example on AWS). The subnet is extended through the data center and AWS. I can see the host at each site (AWS and Datacenter) but I can’t ping them unless I use the source command “ping 10.10.15.101 source tunnel 2” and they can’t ping each other.

Everything was configured mostly following this guide here

The local router(c2900) and the AWS router are different models

Local Router Config (Redacted)

```
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
crypto isakmp key 6 secrekey address 22.255.255.22
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC
 set transform-set TS
!
!
!
!
!
!
!
interface Loopback1
 ip address 11.11.11.11 255.255.255.255
!
interface Tunnel2
 ip address 30.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 22.255.255.22
 tunnel protection ipsec profile IPSEC
!
interface LISP0
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.0.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.0.15.2 255.255.255.0
 duplex auto
 speed auto
 lisp mobility ISA nbr-proxy-reply requests 3
!
!
router lisp
 locator-set dmz
  11.11.11.11 priority 1 weight 100
  exit
 !
 eid-table default instance-id 0
  dynamic-eid ISA
   database-mapping 10.0.15.0/24 locator-set dmz
   map-notify-group 239.0.0.1
   exit
  !
  exit
 !
 site site1
  authentication-key 6 secrekey
  eid-prefix 10.0.0.0/16 accept-more-specifics
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 ipv4 itr map-resolver 11.11.11.11
 ipv4 itr
 ipv4 etr map-server 11.11.11.11 key 6 secrekey
 ipv4 etr
 exit
!
router ospf 11
 network 11.11.11.11 0.0.0.0 area 11
 network 30.0.0.1 0.0.0.0 area 11
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.0.2.200
ip ssh version 2
!
ip access-list extended VPN
 permit ip 10.10.15.0 0.0.0.255 192.168.15.0 0.0.0.255 log
!
!
!
control-plane
!
!
line con 0
 exec-timeout 60 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 180 0
 logging synchronous
 login local
 transport input ssh
line vty 5 15
 exec-timeout 180 0
 logging synchronous
 login local
 transport input ssh
```

AWS Router Config (redacted)

```
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 5
crypto isakmp key 6 secrekey address 44.255.255.44
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC
 set transform-set TS
 responder-only
!
!
!
!
!
!
!
!
!
!
interface Loopback1
 ip address 33.33.33.33 255.255.255.255
!
interface Tunnel2
 ip address 30.0.0.2 255.255.255.0
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 44.255.255.44
 tunnel protection ipsec profile IPSEC
!
interface LISP0
!
interface VirtualPortGroup0
 vrf forwarding GS
 ip address 192.168.135.10 255.255.255.0
 ip nat inside
 no mop enabled
 no mop sysid
!
interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address 10.10.15.192 255.255.255.0
 negotiation auto
 lisp mobility ISA nbr-proxy-reply requests 3
 no mop enabled
 no mop sysid
!
router lisp
 locator-set aws
  33.33.33.33 priority 1 weight 100
  exit-locator-set
 !
 service ipv4
  itr map-resolver 11.11.11.11
  itr
  etr map-server 11.11.11.11 key 6 gGGZDfQTTfHUF^aADFMENKQDReEAAB
  etr
  exit-service-ipv4
 !
 instance-id 0
  dynamic-eid ISA
   database-mapping 10.10.15.0/24 locator-set aws
   map-notify-group 239.0.0.1
   exit-dynamic-eid
  !
  service ipv4
   eid-table default
   exit-service-ipv4
  !
  exit-instance-id
 !
 exit-router-lisp
!
router ospf 11
 network 30.0.0.2 0.0.0.0 area 11
 network 33.33.33.33 0.0.0.0 area 11
!
iox
ip forward-protocol nd
ip tcp window-size 8192
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
ip ssh rsa keypair-name ssh-key
ip ssh version 2
!
ip access-list standard GS_NAT_ACL
 10 permit 192.168.135.10 0.0.0.255
!
ip access-list extended ISAVPN
 10 permit ip 10.10.15.0 0.0.0.255 10.10.15.0 0.0.0.255 log
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
line vty 5 20
 login local
 transport input ssh
```



Anyone have an example of a script with CiscoConfParse that will put together a list of IPs?

I want to use ciscoconfparse to scan a range of switch IPs, and on those switches, find specific ports that are in a certain VLAN and not being used. I want it to compile a list and then issue shutdown commands to those ports on each switch. For example, issue a shutdown command to ports in VLAN x that are not being used on switch IP xx.xx.xx.xx.

I know this is a two-step process, so right now I'm working on the first step of putting the list together.

I understand how apps like ansible and netmiko point to a host or device file. I am thinking I can do this with ciscoconfparse, but just curious what this list should look like, considering I also want port information like vlan and current status. Like is it just another host file with a list of IPs plus added port info?

If anyone has an example I would greatly appreciate it.
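Added example, not from the original post or from the ciscoconfparse project: it implements the first step described above with only the standard library (no ciscoconfparse), parsing per-switch "show interfaces status" output (a constructed sample embedded inline) into the inventory of access ports in a target VLAN that currently have no link, and rendering the shutdown commands for step two without sending them anywhere.

```python
# Added example (not from the original post): step 1 of the post, with the
# standard library rather than ciscoconfparse. Input is "show interfaces
# status" output keyed by switch management IP; the sample below is
# constructed. Output is the candidate inventory plus the IOS lines that
# would shut those ports. Nothing here connects to a device.
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample output, one text blob per switch (hypothetical IPs).
SAMPLE_STATUS = {
    "192.0.2.11": """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   uplink-to-core     connected    trunk      a-full  a-1000 10/100/1000BaseTX
Gi1/0/2                      notconnect   20         auto    auto  10/100/1000BaseTX
Gi1/0/3   printer-2f         notconnect   20         auto    auto  10/100/1000BaseTX
Gi1/0/4                      connected    20         a-full  a-100  10/100/1000BaseTX
Gi1/0/5                      disabled     20         auto    auto  10/100/1000BaseTX
Gi1/0/6                      notconnect   30         auto    auto  10/100/1000BaseTX
""",
    "192.0.2.12": """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   uplink-to-core     connected    trunk      a-full  a-1000 10/100/1000BaseTX
Gi1/0/2   free port          notconnect   20         auto    auto  10/100/1000BaseTX
Gi1/0/3                      err-disabled 20         auto    auto  10/100/1000BaseTX
""",
}

# Status keyword, then the Vlan column, then a Duplex value; anchoring on the
# Duplex column keeps a Name such as "not connected" from being mistaken for
# the Status column.
STATUS_RE = re.compile(
    r"\b(connected|notconnect|disabled|err-disabled|inactive)"
    r"\s+(\S+)\s+(?:a-)?(?:full|half|auto)\b"
)


@dataclass
class PortEntry:
    switch: str
    port: str
    name: str
    status: str
    vlan: str


def parse_interfaces_status(switch: str, text: str) -> list[PortEntry]:
    """Parse one switch's 'show interfaces status' output into PortEntry rows."""
    entries: list[PortEntry] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Port"):
            continue
        m = STATUS_RE.search(line)
        if not m:
            continue  # not a port row, or a format this parser does not know
        port = line.split()[0]
        name = line[len(port):m.start()].strip()  # Name may be blank or have spaces
        entries.append(PortEntry(switch, port, name, m.group(1), m.group(2)))
    return entries


def unused_ports_in_vlan(status_by_switch: dict[str, str], vlan: str) -> dict[str, list[str]]:
    """Step 1: per switch, the access ports in `vlan` that have no link.

    Only 'notconnect' counts as unused: 'disabled' ports are already shut,
    'err-disabled' ports need investigating first, and trunks are never
    candidates because their Vlan column reads 'trunk'.
    """
    inventory: dict[str, list[str]] = {}
    for switch, text in status_by_switch.items():
        ports = [e.port for e in parse_interfaces_status(switch, text)
                 if e.vlan == vlan and e.status == "notconnect"]
        if ports:
            inventory[switch] = ports
    return inventory


def shutdown_commands(inventory: dict[str, list[str]]) -> dict[str, list[str]]:
    """Step 2 rendered as IOS config lines per switch (not pushed by this code)."""
    commands: dict[str, list[str]] = {}
    for switch, ports in inventory.items():
        lines: list[str] = []
        for port in ports:
            lines.append(f"interface {port}")
            lines.append(" shutdown")
        commands[switch] = lines
    return commands


if __name__ == "__main__":
    inv = unused_ports_in_vlan(SAMPLE_STATUS, "20")
    for switch, lines in shutdown_commands(inv).items():
        print(f"--- {switch}")
        print("\n".join(lines))
```

A port showing notconnect only means there is no link right now, so before pushing the generated lines check the last-input counters of each candidate (a device that is only powered up occasionally looks identical), and feed the per-switch dict to whatever netmiko or Ansible inventory you already use for step two.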



What are some devices (routers or switches) that have a vmdk available and commands or setup that are similar to Cisco's?

I'm doing a college project right now where I have to set up non-Cisco devices in GNS3. The last project where I had to use non-Cisco devices, it was a real struggle to find which command does what, and it was like I was learning Cisco all over again. Some devices had me do a whole pre-configuration process just to get them ready to start being programmed. Which brand of devices could I upload to GNS3 that have commands easily available on the internet somewhere, which are easy to compare with the equivalent Cisco commands I already know? Routers are preferred, but I could route using switches and trunking too. Also, it has to be something free.

Also I know reddit is often a little weird when it comes to questions about a homework project. Idk what else to say but this isn't an easy question I can find on google.



Teltonika - RUT955 IPSec tunnel

Hi all, we have a Teltonika we need to switch to that will handle an IPsec VPN temporarily for one of our small offices.

This will be paired with a Palo at the other end, but I'd like to know what the throughput is for the IPsec VPN?

Any info would be greatly appreciated!

i can’t seem to find any specific info on any of their spec sheets



Networking project ideas

I am looking to learn networking from scratch. However, I have realized that studying networking books, and videos leave me dumb after some time with nothing to practice with.

Please suggest ideas for building networking tools that would help me grow my networking knowledge. They should range from basic to advanced.



Is it easier to block DDoS attacks to an HTTP service than a custom service on TCP/UDP?

I have a small game server that's getting DDoSed by an angry player, we managed to block it by moving over to OVH but the thing I found really weird is the fact there were so many free/low cost services to block DDoS attacks on HTTP based services but whenever you wanted to secure a service running on some arbitrary tcp/udp port it was always more expensive or wasn't even available.

Is there a reason for this?

I thought since HTTP runs on TCP the same DDoS mitigation techniques ISPs apply will work for any service running on any TCP port.



Can I create a complete virtual network in vsphere ?

Hey,

I currently have a vSphere cluster with 3 hosts, all of them have a 10g sfp+ nic that is hooked up to an sfp+ switch (mikrotik), which in turn is hooked up by sfp+ to my isp router.

I am trying to set up a Kubernetes cluster, but I seem to understand that to allow pods to communicate with each other, I need different IPv4 blocks.

Currently, I am running everything in my network on this block : 192.168.0.0/24

My ISP router does not allow me to manage vlans or assign anything to something other than this block.

Since most of my self-hosted services are running on static IPs and gateway, and a lot of time and effort went into reverse proxying these services so that they are available from the outside, changing the main router is not really an option.

I was thinking that maybe it would be possible to have a virtualized pfSense machine or something (I also have a ubiquiti edgerouter x for that matter but it's only 1gb eth so that would be a downer), and setup virtual switches in vSphere to manage new networks directly inside the vSphere cluster. Can it for example attach virtual NICs to virtual machines to connect them to another network ?

Now my networking knowledge is pretty basic, and I have never really played with vlans. Do you have any resources I could read through to do this ? Is it even doable ? I have no idea how I would go about configuring this in vSphere as I do not know how virtual switches work either, but I would be really thankful if some of you could point me towards the right direction :)

Thanks !



Cisco Collaboration - Unity Connection Exchange migration

Hey folks,

I'm currently using Exchange 2016 for my voicemail functionality with my CUCM cluster.

I want to migrate to Unity Connection and take the existing voicemails and greetings with me.

From my research I don't believe this is possible to do.

Does anyone have any experience and/or links on how to do this migration, if it's possible?

Thanks in advance.



What Tools Can't You Live Without?

Hey Network Engineers of reddit!

Just as a casual discussion, I'm wondering what kind of tools you all use! Personally, I use nmap, nping, and iPERF religiously. Are there any tools or software suites that you can't live without? Post them below!



Monday, April 19, 2021

Roaming on hotspot

Hello everyone,

I'm trying to implement roaming to give the best experience for my clients; from my experience, roaming comes with 802.11k/802.11v and 802.11r only. Anyone know how to implement this in an open-security Mikrotik Usermanager hotspot network?



HTTPS tunneling using CONNECT

Does the CONNECT method of http(s) tunneling work only for http/1.1 or does it work for http/2 as well ?

If it does work for http/2, is there any difference in the way it's implemented for http/2?



Circa 2000 website that taught networking concepts from the point of view of celebrities?

Does anyone remember a website that taught networking concepts in an accurate way but humorously through use of celebrity instructors?

Titles were like Mr. T explains BGP.



X520-DA2 EEPROM Dump Request

I bought an X520-DA2 but found that the EEPROM seems to have been modified, such that the device ID doesn't match the vendor id. Similar to this: https://serverfault.com/questions/818559/supermicro-aoc-stgn-i2s-labeled-coraid-cant-install-drivers-and-use-lan-card. The computer can see it but no drivers will work in both Linux and Windows. I was hoping someone with a working X520-DA2 could give me a dump of the EEPROM using Ethtool.

```
ethtool -e enp1s0f1   # (or whatever yours is called)
```

Much appreciated!



Call Home and Smart Licensing

Hey Guys,

So I purchased a Cisco FPR-1120 with ASA, and will be using it as an ASA. However, I need to apply the Strong Encryption license from the abomination that is Cisco Smart licensing.

Does anyone know if the default config on the ASA has call home already set up on it so all I would need to do is plug it into a generic internet port and run license smart register idtoken on the command line? Or do I need to search Google for a call home profile configuration that works to pull the licenses down from my inventory?



Walked into this network today for a new company today...thoughts?

https://ibb.co/jVttxKk

Is this pretty bad, or has anyone seen something similar to this? Said company is a financial provider that uses that same setup to connect multiple DCs. Firewalls handle most of the routing. The firewall on the right is used solely for datacenter interconnects, which are connected via the switches then trunked up the port channel via L2.

It seems like an entire set of devices (routers?) are missing here.

Current thoughts... Ditch the firewall on the right used for cross-datacenter connectivity. Get a set of routers. Run L3 uplinks from switches to said routers. A few things I'm not sure of: where to terminate cross-DC links? Is it reasonable to plug them directly into the "core" TOR switches and run a /29 p2p cross-DC, or is this maybe best connected at the router level? Also, how to replace the encryption performed by the "cross DC" firewalls? MACsec?

Be gentle please... I'm not really used to a network like this, and while it seems functional as per the staff, it seems to not be very scalable and also a nightmare to maintain. Am I incorrect in that assumption?

Any thoughts appreciated.



Config help - Juniper switches, Pelco VxPro system

Hi /r/networking

I need some help. For reference, here is topology: https://i.imgur.com/TFlWRPr.jpg

I have 3 EX3400's, passing vlan 604 via xe-0/2/2 on all back to a QFX5100 VCP, all ex3400's connect to re0. These xe interfaces are dedicated, no other vlans sharing the port, so they have 10GB carved out. Bandwidth seems to be about 250Mbps, so not much.

Connected to EX3400-1, there is a Pelco (Pelco logo on Dell) server connected to ge-0/0/21, camera in ge-0/0/33 (sorry for wrong port # in that drawing). Both ports are in vlan 604. No special config. It is the Pelco VxPro system.

Connected to EX3400-2 and EX3400-3 are also cameras, same vlan, vlan trunked along as you'd expect. Pelco server sees all cameras. Pelco server reporting significant packet loss albeit varying at times the amounts of it. It seems to be somewhat related to load but not a definite correlation. According to the Pelco client machine, it defines the packet loss as lost RTSP packets... sequence numbers missing.

I did see the Pelco guide (https://support.pelco.com/s/article/How-to-determine-UDP-packet-loss-of-IP-cameras-connected-to-Digital-Sentry-systems-1538586677120) to debug it further. I'll go do more of this when I am at the site next and have access to the test env.

The loss is present on EX3400-1 with camera, workstation, and server all in same subnet/vlan/switch. So obviously the fiber links are not the issue. I also verified on the ports on ex3400-1 to see:

[from ge-0/0/21]

```
dbh2@ex3400-1.site> show configuration interfaces ge-0/0/21 | display inheritance
unit 0 {
    family ethernet-switching {
        ##
        ## 'vlan' was expanded from interface-range 'ipcams'
        ##
        vlan {
            ##
            ## 'ipcams' was expanded from interface-range 'ipcams'
            ##
            members ipcams;
        }
        storm-control default;
    }
}

Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
Output errors:
    Carrier transitions: 63, Errors: 0, Drops: 144436, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
```

(…)

```
MAC statistics:                      Receive         Transmit
  Total octets                    7497489178    7082649693203
  Total packets                      9545704       5211644387
  Unicast packets                    7340055       2619945304
  Broadcast packets                     3977           150329
  Multicast packets                  2201672       2591548754
  CRC/Align errors                         0                0
  FIFO errors                              0                0
  MAC control frames                       0                0
  MAC pause frames                         0                0
  Oversized frames                         0
  Jabber frames                            0
  Fragment frames                          0
  VLAN tagged frames                       0
  Code violations                          0
```

[from ge-0/0/33]

```
dbh2@ex3400-1.site> show configuration interfaces ge-0/0/33 | display inheritance
unit 0 {
    family ethernet-switching {
        ##
        ## 'vlan' was expanded from interface-range 'ipcams'
        ##
        vlan {
            ##
            ## 'ipcams' was expanded from interface-range 'ipcams'
            ##
            members ipcams;
        }
        storm-control default;
    }
}

Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
Output errors:
    Carrier transitions: 29, Errors: 0, Drops: 20466306, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
```

(…)

```
MAC statistics:                      Receive         Transmit
  Total octets                 2553034989358    2309921829955
  Total packets                   1833105948       1710322394
  Unicast packets                 1832969984          3100238
  Broadcast packets                    96484            45774
  Multicast packets                    39480       1707176382
  CRC/Align errors                         0                0
  FIFO errors                              0                0
  MAC control frames                       0                0
  MAC pause frames                         0                0
  Oversized frames                         0
  Jabber frames                            0
  Fragment frames                          0
  VLAN tagged frames                       0
  Code violations                          0
```

Are there any config things I should know about IP cameras on Juniper? I'm semi-green and have no experience with IP cameras or the networks that back them up.