Saturday, May 29, 2021

Former Verizon engineers of /r/networking - is the grass ever greener, or are all telecom companies incompetent?

Soon-to-be-former Verizon SA here. In my time at Verizon, I have become worn down by our incompetence, inflexibility, half-baked "marketecture", and overall inability to build solutions that are actually good for the customer. I'm happy to be leaving the world of telecom to join a vendor, but as I walk away, I can't help but wonder if all of the major service providers are equally bad, or if Verizon is uniquely awful. So for those of you who've had a chance to work with other major telecoms (i.e. AT&T, Centurylink, BT, NTT, Orange), is the grass greener on the other side?



Moving from Software Engineer back to my networking/IT roots?

Hi!

I got laid off from my software engineer job and took some time to re-evaluate things. I've been a Software Engineer for the last ~4-5 years, but I'm not sure if I'm cut out for it. I got my start in IT as a network tech and always enjoyed my Cisco networking academy classes which helped me earn an AAS degree about a decade ago. I stayed in IT ops for a while, but ended up going the sysadmin route and eventually wound up going back to school and getting a SWE internship (and worked for Cisco after graduating, funnily enough).

But I'm just kind of burned out on SWE, I think. I don't really enjoy trying to keep up with the combinatorics of front-end/back-end languages, technologies, frameworks, testing libraries, dependencies, etc. I enjoy problem-solving and logic, but I really struggle with the abstract mathematical thinking required for data structures & algorithms, etc. I'm a reasonably talented programmer, but I'm best at scripting for performing/automating concrete tasks rather than designing/implementing new abstract features.

I'm hoping to get some feedback about what my options are. I want to be able to WFH 100% (even post-covid), so I'm thinking something cloud-based is probably going to be best. I had a Network+ cert that expired years ago, but could probably pass the CCNA after a quick update/refresher.

Cloud Network Engineer? DevOps? What's the reasonable play here?



How do you generally go about troubleshooting performance cases?

Hello, I've recently moved into the world of IT in the Network sector. I'm really enjoying what I do so far and I feel like I'm able to resolve most issues within my Tier 1 means. The one thing I'm getting clogged up on, filling my bins, are the dreaded "slowness" issues. I have the general questions down ("when did it start, who's affected, is it consistent times, random, or all day, etc."). I'm feeling like I'd much rather answer the phone to a system down than just general slowness. What are some good troubleshooting techniques you use for performance cases?



UCS FI vs direct termination to nexus

I have never done any major research into UCS FI, but to me it seems like just an alternative to just terminating server hosts and storage directly on a vPC pair. What is the benefit of using an FI over just configuring vPCs to hosts and storage?



How do we properly perform CGNAT on a MikroTik Router for customers?

MikroTik Subreddit thread of this: https://www.reddit.com/r/mikrotik/comments/nnne1e/how_do_we_properly_perform_cgnat_on_a_mikrotik/

So in the MikroTik wiki, they used action=src-nat as an example, whereas, on various MUM presentations, they used action=netmap.

Note: We are NOT doing or interested in deterministic NAT.

So basically this what we want:

  1. NAT multiple subnet slices out of the 100.64.0.0/8 to public/25
  2. And accordingly, allow incoming traffic destined towards public/25 + destined for only ports 1024-65535 to be dst-natted to the various subnet slices out of the 100.64.0.0/8 to allow customers to take advantage of port randomisation and get port forwarding to work correctly for P2P traffic etc.
  • What are the chances 100.64.0.0/8 customers would all use port 1024, for instance, for their BitTorrent clients, right? Zero.

This is an imperfect solution compared to IPv6, but we would like to give customers at least a better if not perfect P2P networking experience while IPv6 is being rolled out.

So this is what we've tried along with IPSec passthrough attribute:

```
# src-address-list=local; "local" is an address list containing multiple CGNAT subnets such as 100.64.0.0/24, 100.64.1.0/24, etc.
/ip firewall nat
add action=netmap chain=srcnat comment="Netmap for outbound TCP" ipsec-policy=out,none protocol=tcp src-address-list=local to-addresses=public/25 to-ports=1-65535
add action=netmap chain=srcnat comment="Netmap for outbound UDP" ipsec-policy=out,none protocol=udp src-address-list=local to-addresses=public/25 to-ports=1-65535
add action=netmap chain=srcnat comment="Netmap for outbound non TCP/UDP" ipsec-policy=out,none src-address-list=local to-addresses=public/25
# Example: we only want to allow port forwarding for 100.64.8.0/21 instead of everything inside src-address-list=local
add action=dst-nat chain=dstnat comment="For inbound port forwarding TCP" dst-address=public/25 dst-port=1024-65535 in-interface-list=WAN protocol=tcp to-addresses=100.64.8.0/21 to-ports=1024-65535
add action=dst-nat chain=dstnat comment="For inbound port forwarding UDP" dst-address=public/25 dst-port=1024-65535 in-interface-list=WAN protocol=udp to-addresses=100.64.8.0/21 to-ports=1024-65535
```

So the above rules sort of work... On the customer end, we were able to seed torrent traffic without any issues, but the ports are still "closed" for the public /25 mapped to the customer at the time of testing, which we checked with the port checker.

Is there a proper way of doing CGNAT to allow this to work correctly? I feel something is wrong with the rules themselves.

A different network operator was able to open up ports from the public for their CGNATted customers using MikroTik, we are not sure how they did it.



Networking Basics - Infographic

Hi sub,

This week I started creating a series of infographics supporting my way through CompTIA Network+ studies.

Some friends have the idea of a private study group and I'm the only one that knows a bit of Illustrator and Corel Draw so I'll be responsible to create those infographics that eventually will be printed to have as a quick reference.

I know there are a bunch of already existing infographics online that we could find useful but we decided to create our own as we go through each chapter/subject/area and we decided to make the infographics public as a small contribution from our side to those starting to learn networking as well.

-------------------------------------------------------------

The infographics that I've created so far are:

  1. OSI Model
  2. TCP/IP Model
  3. TCP/UDP Transport Protocols
  4. Network Topologies
  5. Ethernet Standards

-------------------------------------------------------------

You could access the library from here.

-------------------------------------------------------------

Any suggestions, ideas, fixes or anything that could be useful to improve the material are highly appreciated.

Thanks in advance!



VIPTELA SD-WAN

Hello all

I have a weird issue and I'm literally losing my mind. I want to try cloudexpress (cloud on ramp for IaaS) in my eve-ng lab.

All my vEdges can reach the internet. I have also turned app-visibility on, and I did some application policies and they worked fine.

But when I try to do the cloudexpress, the application stays red, even though when I open the same application in the browser it shows in the DPI, but not in the cloudexpress app.

I did suspect that it's a DNS issue, so I found that the vEdge doesn't resolve names through vpn 0, but it does resolve them on vpn 1. I did check everything but no luck.

Noting that my vManage doesn't access the internet; I don't know if this is relevant.

I hope anyone can help me with this because I'm losing my mind.

This is one of my vEdges' configuration:

```
system
 host-name vEdge1
 system-ip 2.1.1.1
 site-id 1
 admin-tech-on-failure
 no route-consistency-check
 organization-name network-lab
 vbond 10.10.100.2
 aaa
  auth-order local radius tacacs
  usergroup basic
   task system read write
   task interface read write
  !
  usergroup netadmin
  !
  usergroup operator
   task system read
   task interface read
   task policy read
   task routing read
   task security read
  !
  usergroup tenantadmin
  !
  user admin
   password $6$EGF05c24x.zG7IwK$qzGxsZX5z1ADe9EtL3oLwfkqxjn5TfYmxbgkj75c1h6V7NwnLPl92eCHHF2LdmBNn/eXk1ANZQD2SrN0uaE2S0
  !
 !
 logging
  disk
   enable
  !
 !
!
bfd app-route poll-interval 10000
omp
 no shutdown
 graceful-restart
 advertise connected
 advertise static
!
security
 ipsec
  authentication-type ah-sha1-hmac sha1-hmac
 !
!
vpn 0
 dns 1.1.1.1 primary
 router
  bgp 65005
   address-family ipv4-unicast
    network 172.16.2.0/30
   !
   neighbor 172.16.2.1
    no shutdown
    remote-as 1
    address-family ipv4-unicast
    !
   !
  !
 !
 interface ge0/0
  ip address 192.1.1.1/24
  nat
  !
  tunnel-interface
   encapsulation ipsec
   color public-internet restrict
   allow-service all
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown
 !
 interface ge0/1
  ip address 172.16.2.2/30
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   allow-service all
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown
 !
 ip route 0.0.0.0/0 192.1.1.254
!
vpn 1
 dns 1.1.1.1 primary
 cloudexpress
  node-type client
  allow-local-exit
  local-interface-list ge0/0
  applications google_apps
 !
 interface ge0/2
  ip address 192.1.21.1/24
  no shutdown
  policer 8K in
  vrrp 21
   priority 150
   track-omp
   ipv4 192.1.21.254
  !
  dhcp-server
   address-pool 192.1.21.0/24
   offer-time 600
   lease-time 86400
   admin-state up
   options
    default-gateway 192.1.21.254
    dns-servers 1.1.1.1
   !
  !
 !
 ip route 0.0.0.0/0 vpn 0
!
vpn 512
 interface eth0
  ip address 10.0.0.4/24
  no shutdown
 !
!
policy
 app-visibility
 policer 8K
  rate 1024000
  burst 15000
  exceed drop
 !
 lists
  data-prefix-list TELNET_BLOCK
   ip-prefix 16.16.16.16/32
  !
 !
 access-list TELNET_BLOCK
  sequence 1
   match
    destination-data-prefix-list TELNET_BLOCK
    destination-port 23
    protocol 6
   !
   action drop
    count TELNET-COUNT
   !
  !
  default-action accept
 !
!
```



Hi, I'm a networking student and am a little confused on DNS

1. If I change my primary DNS server, will my DNS requests go through my ISP's DNS server and then to the DNS I specified, or straight to the DNS I specified?

2. What's the point of using a third-party DNS server like Cloudflare? I heard it's faster, but how?



Amateur looking for my first networking course/reading.

Hi all, currently I'm working on mid-sized boats and some roles onboard are responsible for many systems aside from the usual ones of your role. In my case, aside from navigation I'm responsible for networking, VSAT and communication systems since I am the one with the most experience and "keen to do it" of the crew. I am a total amateur and I get to solve problems just by studying the diagrams and A LOT of trial and error. I am enjoying in general the amount I am learning and would like to improve on this subject. So, I was looking for a course or lecture or manual of basic networking that I can do or read with low bandwidth, since we are almost 90% of the time at sea hooked up to the satellite internet. Thanks all!



Can vpn routers work as dial-in VPN clients?

Good day all,

Full disclosure: I know nothing about how networks work and I don't know much about VPNs either.

I have a problem.

I remotely connect to my workplace via VPN to access corporate infrastructure. I have no control over the VPN server. I heard it's Cisco ASA 3000 that was catered to Windows users. It supports split tunneling.

Native Windows 10 VPN client can connect to the VPN with no issues via L2TP/IPSec with a pre-shared key. But NetworkManager on Linux has troubles. I don't want to go deep into why since it's a bit off topic.

I have a VPN router. TP Link TL-R605 that has support for IPSec, L2TP and can encrypt with 3des-sha1-df2 which is exactly the necessary conditions for a successful connection.

Can VPN routers in general, and TP-Link TL-R605 specifically be used as a sort of hardware VPN clients? Sitting in the middle between my workstation and my modem?



Mellanox ConnectX-5 EN with SFP28 BiDi Transceiver

Hi all

I need to terminate a 25 GbE WAN link. It's SMF with λ TX 1271nm and RX 1331nm. I'm currently looking at the NVIDIA Mellanox MCX4121A-ACAT ConnectX®-4 Lx EN and the NVIDIA Mellanox MCX512A-ACAT ConnectX®-5 EN. I already got Cisco-branded SFP28 BiDi transceivers with matching λ, but I can't find any Mellanox document stating compatibility with BiDi transceivers in general. Cisco itself lists the Mellanox as compatible with its 25G-LR-I/S modules, but those aren't simplex.

Any ideas if the Mellanox cards would work with those transceivers, or are they picky? What would you recommend?



What is this fibre cable? LC to SC?

Can anyone tell me if this cable in the screenshots (Fibre 50/125 OM3 cable) is LC to SC please? I need to get a replacement today as emergency out-of-hours work for a friend and don't have the cable handy to tell, only these low-quality images. I haven't done a lot with fibre cables before so I'm wanting to check.

It plugs from a Netgear Prosafe (1000Base-SX/LC) connector to the patch panel, so my guess is SC to LC like this link: OM3 50/125 LC-SC Multimode Fibre Patch Lead Duplex 2m (7ft) - Aqua - FS United Kingdom



Frustration with PA firewall

I am trying to configure a new PA firewall that will replace our ASA and I am running into problems just trying to get connectivity to the internet from our internal network. I feel like I am going crazy over not being able to make a simple configuration work on this firewall.

So I have (2) zones (trust/untrust). trust is assigned to L3 internal interface, untrust assigned to L3 outside interface (facing the ISP's equipment). Both interfaces are using static routing and I can ping different internal subnets as long as I specify the source as the internal interface and vice versa with the external interface. I have a security policy to allow traffic from trust zone going outbound to untrust zone. My NAT policy has trust set to source and destination set to untrust. Source translation is set to dynamic ip and port, with the interface set to the external facing interface and IP address. Obviously I want to add more granular rules to filter traffic properly but if I can't even get a basic configuration going, I can't move onto more complex configurations. I come from an ASA background so there seems to be a bit of a learning curve here.



Friday, May 28, 2021

Need your opinion: is this a good time to be joining Aruba?

I've received an offer to work as an SE at Aruba. I'm super excited about this opportunity, as working in pre-sales at a large networking vendor has always been a major career goal of mine. Originally I had been set on joining Cisco, but after seeing the mess they've become over the past couple years, they're no longer on the top of my list. Meanwhile, it seems like Aruba is headed in the right direction, and there's room for actual growth as well.

Since I'm assuming there are at least a few Aruba employees lurking around here, I thought I'd ask the question: do you think this is a good time for someone to join your company, especially in a pre-sales role? I've already heard the "pitch" from the hiring team, but I'd like to hear your unfiltered opinions. If you're not comfortable posting your opinions publically, please send me PM. Thanks! :)



Can WiMAX customer-premises equipment (CPE) communicate with each other just like a Wifi bridge?

My ISP terminated the WiMAX service altogether, as they did not have enough subscribers. Now me and many of my friends in the neighbourhood are left with this customer-side equipment. I was wondering if we could use those devices to communicate with each other or share a single fiber connection over WiMAX.



Which IPS/IDS has the best reporting UX?

What IDS/IPS either cloud or on-prem has a good user experience for admins to get insights from in terms of data coming out of reporting?

Cisco? Palo Alto Networks? Fortinet?



ERSPAN option missing from Catalyst 9500

Hi all, I'm trying to set up an ERSPAN session off our Cat 9500s and the "type" option is missing from the "monitor session" menu. I'm running IOS XE 16.12 and according to this: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-12/configuration_guide/nmgmt/b_1612_nmgmt_9500_cg/configuring_erspan.html#reference_bfq_1gt_vdb

it is fully supported... but it's just not there. The only options I have are "destination, filter, source".

Am I missing something obvious? Thank you!



Python for Network Engineers starts Tuesday, June 1 (free course)

About once every three months, we run a free course on Python for Network Engineers. Our next course starts on Tuesday, June 1.

You can sign-up here:

https://pynet.twb-tech.com/free-python-course.html

The syllabus is also available at the above link.

The course covers Python fundamentals from a network engineer's perspective. So it covers Python basics using examples and exercises that would be generally familiar to a network engineer. It is definitely a beginners course and doesn't assume any existing Python knowledge.

Towards the end of the course I segue a bit into applying Python to Network Engineering, but this is definitely a minor part of the course (relative to the Python fundamentals content).

The course format is a lesson a week for eight weeks. The lessons come out every Tuesday morning (U.S. Pacific time). The lessons consist of videos, exercises, and additional content.

A bit about myself: I am a long-time network engineer (CCIE emeritus in routing and switching). For the last several years, I have been really into network automation, particularly with Python and Ansible. I am the creator and maintainer of the Python Netmiko library and also do a reasonable amount of work on both the NAPALM project and on Nornir.

If you have any questions about this course, ask away.

Regards, Kirk



Migrating from Dual-homed to Single homed Nexus

Hey folks. So like a lot of people, I'm struggling with getting my Nexus 5600s upgraded because they were installed in a dual-homed fashion. I'd like to migrate to the single-homed architecture, as is recommended by pretty much everyone. We've got 10 FEXs; is it as simple as unplugging the uplink to parent switch A on FEXs 1-5, and then unplugging the uplinks to parent switch B on FEXs 6-10, or is there more to it than that?



Cisco OSPFv3 Carrying vrfs?

So I have a config I've put together for my new corporate network while segmenting with vrfs. I'm able to get default table routes no problem, but nothing carries over on my vrfs, all I get is local table. Am I misunderstanding the concept entirely or am I just missing some bit?

Going to post just the relevant VRF config and ospfv3 from both, don't believe I need anything besides that currently.

Sw1

```
vrf definition CAMERAS
 rd 6969:1503
 !
 address-family ipv4
  route-target export 6969:1503
  route-target import 6969:1500
  route-target import 6969:1504
 exit-address-family
 !
 address-family ipv6
  route-target export 6969:1503
  route-target import 6969:1500
  route-target import 6969:1504
 exit-address-family
!
!
interface Vlan150
 description Cameras
 vrf forwarding CAMERAS
 ip address 10.x.x.x 255.255.255.128
 ip verify unicast source reachable-via rx allow-default
 ipv6 enable
 ipv6 verify unicast source reachable-via rx allow-default
 ospfv3 6969 ipv4 area 123
 no autostate
!
router ospfv3 6969
 router-id 10.x.x.72
 log-adjacency-changes detail
 auto-cost reference-bandwidth 100000
 timers throttle spf 50 50 5000
 timers throttle lsa 0 20 5000
 timers lsa arrival 15
 timers pacing flood 15
 !
 address-family ipv4 unicast
  passive-interface default
  no passive-interface GigabitEthernet1/0/48
 exit-address-family
 !
 address-family ipv6 unicast
  passive-interface default
  no passive-interface GigabitEthernet1/0/48
 exit-address-family
 !
 address-family ipv4 unicast vrf CAMERAS
  redistribute connected
  passive-interface default
  capability vrf-lite
 exit-address-family
```

Sw2

```
vrf definition CAMERAS
 rd 6969:1504
 !
 address-family ipv4
  route-target export 6969:1504
  route-target import 6969:1500
  route-target import 6969:1503
 exit-address-family
 !
 address-family ipv6
  route-target export 6969:1504
  route-target import 6969:1500
  route-target import 6969:1503
 exit-address-family
!
!
interface Vlan150
 description Cameras
 vrf forwarding CAMERAS
 ip address 10.x.x.x 255.255.255.128
 ip verify unicast source reachable-via rx allow-default
 ipv6 enable
 ipv6 verify unicast source reachable-via rx allow-default
 ospfv3 6969 ipv4 area 123
 no autostate
!
router ospfv3 6969
 router-id 10.x.x.80
 log-adjacency-changes detail
 auto-cost reference-bandwidth 100000
 timers throttle spf 50 50 5000
 timers throttle lsa 0 20 5000
 timers lsa arrival 15
 timers pacing flood 15
 !
 address-family ipv4 unicast
  passive-interface default
  no passive-interface GigabitEthernet1/0/48
 exit-address-family
 !
 address-family ipv6 unicast
  passive-interface default
  no passive-interface GigabitEthernet1/0/48
 exit-address-family
 !
 address-family ipv4 unicast vrf CAMERAS
  redistribute connected
  passive-interface default
  capability vrf-lite
 exit-address-family
```


What does it mean when someone wants me to print a section of program code in C# and explain the tester program?

Please help asap, would be much appreciated.



SVI best practices

Hello Guys,

I'm going to help with DC modernization and I have a question regarding SVI implementation best practices. I have 2 core and 10 distribution switches working in redundancy (2 per rack). Is it good practice to assign SVI for each VLAN on each switch? Maybe better solution is to create SVIs only on the core layer? Appreciate your help.



Stumped over an unstable link

At one of my sites I have about 100 Windows 10 machines. Ubiquiti switches, gig ethernet, 200x200 fiber connection to the building Sonicwall NSA2600s

All users use parallels client to connect to a cloud app across a tunnel. Generally no problems.

I have a single user who has fraction of a second disconnects a dozen times a day or more. Just enough to cause the connection to drop and come back, but she loses everything she was working on on the remote machine.

I have tried literally everything I can think of: drivers, certified the cabling, even replaced the computer, nothing helps.

Wireshark shows nothing other than a single 004 RST packet at the time of the drop.

The third party insists that they are perfect, there is nothing wrong with their side of things -ever- and the issue must be on my end.

Is there anything that I am not looking at that should be getting my attention before I raise a bigger stink?



connecting layer 3 switches

I've seen this done two ways - first way is to create a VLAN with just one untagged port and an SVI with a /30 address. Do the same on the other switch and connect the access ports. The second way would be to just set the physical ports to route-only and directly assign the addressing to the ports. Just wondering if there is a best practice here or if it simply doesn't matter?



fastnetmon notify_about_attack.sh question

I am running fastnetmon and so far it's doing a great job and notifying me in time to take action. Currently we are not using any BGP auto-null routing, so I am planning to use some kind of script which will block an IP address on the core router using the IP address and the destination target port; that way not the whole target IP gets blocked, instead just the specific port.

This is what I am planning: the following script gives me detailed output and a sample of the attack, which I can use to extract the destination port so I can supply IP:DST_PORT info to my script to add an ACL on my core router. (The following script only provides IP info but not the port. Can someone explain how this script sends me a detailed email with all the packet information, and where it obtains that information from?)

notify_about_attack.sh https://github.com/pavel-odintsov/fastnetmon/blob/master/src/notify_about_attack.sh

I can see a "cat" command which feeds that info, but where is that info coming from, and how?



Moving from a single /24 to a divided /22; address space is running out and I want to compartmentalise. (E.g. move phones to their own subnet and VLAN). For inter-VLAN routing, what equipment should I use? A L3 switch? A NGFW?

First of all I consider myself a novice, so just bear that in mind.

It's a small business (40 ish users) but we're slowly expanding, the original /24 network with everything on it is running out of addresses. Rather than just move to a /23, I want to compartmentalise and introduce some security. So I was thinking something like:

  • 10.0.0.0/24 VLAN 10 (servers, switches, APs etc)
  • 10.0.1.0/24 VLAN 20 (workstations, laptops, printers)
  • 10.0.2.0/25 VLAN 30 (phones)
  • 10.0.2.128/25 VLAN 40 (DMZ)
  • 10.0.3.128/25 VLAN 50 (guest wifi)

I have thought about the address space here, and I am certain it's conservative enough. We're never going to become a huge company or acquired by another bigger one, we're just way too niche.

At the moment we have a Sonicwall TZ300 as our edge router/gateway. I was thinking it makes sense to let this just handle internet traffic, and not also use it in a router-on-a-stick config and have inter-vlan routing handled by something else.

We run a couple of DL380 G10s (both have 4x 1Gb NIC and 2x 10Gb) with ESXi on them for AD, WSUS, file server, 3CX etc. I'm wondering what the implications might be of running pfSense or VyOS on one of these servers? Bandwidth is sufficient, but I'm assuming I'd need two instances of pfSense running for redundancy.

  • I'm not a network professional but very much a jack-of-all-trades sysadmin, so (cost aside) would a dedicated bit of kit be more practical? I've not really used pfsense much.

  • The 3CX (phone) system potentially wants to be accessed from the outside so I am assuming that just a L3 switch would not be sufficient, and it really wants to be in the DMZ and firewalled from the rest of the LAN.

  • Should I opt for a L3 switch instead of routing with pfSense, and put 3CX behind a single virtualised pfSense instance? Do you think it's OK to use the TZ300 to isolate 3CX or does it want to be a separate (different brand?) firewall?

  • I want 10Gb between the servers - at the moment backups are throttled by 1Gb speed and not the disks, which are all SSD. (In case you're wondering, it's a small company with quite a lot of money, hence the overspec.) The 10Gb NICs are not used at all. All the networking equipment is 1Gb, at the moment.

Backups are on a separate on-site DL380 G8 server with a 10Gb NIC, then replicated to the cloud.

  • I'm assuming I can connect the servers together using a small 10Gb switch, and basically put these 10Gb NICs in their own little "backup network" so any Veeam backups or vMotioning that may take place is super fast. The other 4x 1Gb ports bonded on each G10 are more than sufficient for serving users.

I'm not entirely sure how I'd actually go about implementing what I just mentioned, however. I'm guessing I'd just have static IP addresses on the 10Gb NICs and put them in a /29 or something? I'm not sure how I'd tell Veeam/vMotion to work over the 10Gb link and not over the 1Gb link.

I may be asking the wrong questions, so feel free to point out any holes in anything I've said.

Thanks for your help.
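As an added example (not from the original post), here is a small Python check of an address plan like the one above, using only the standard-library `ipaddress` module: it verifies that every VLAN subnet fits inside the parent /22, that no two subnets overlap, and reports which ranges of the /22 are still unallocated. The parent prefix 10.0.0.0/22 and the VLAN/subnet pairs are taken from the post; the function itself works for any plan.

```python
import ipaddress
from typing import Dict, List, Tuple

# Address plan as listed in the post (a /22 carved into per-VLAN subnets).
PARENT = "10.0.0.0/22"
PLAN = [
    ("10.0.0.0/24",   10, "servers, switches, APs"),
    ("10.0.1.0/24",   20, "workstations, laptops, printers"),
    ("10.0.2.0/25",   30, "phones"),
    ("10.0.2.128/25", 40, "DMZ"),
    ("10.0.3.128/25", 50, "guest wifi"),
]


def check_plan(parent: str, plan: List[Tuple[str, int, str]]) -> Dict[str, list]:
    """Validate a VLAN address plan against its parent prefix.

    Returns a dict with three lists:
      outside  - subnets (as strings) not contained in the parent prefix
      overlaps - (vlan_a, vlan_b) pairs whose subnets overlap
      free     - unallocated prefixes (as strings) still left inside the parent
    """
    net = ipaddress.ip_network(parent, strict=True)
    subnets = [(ipaddress.ip_network(p, strict=True), vlan) for p, vlan, _ in plan]

    outside = [str(s) for s, _ in subnets if not s.subnet_of(net)]

    overlaps = []
    for i in range(len(subnets)):
        for j in range(i + 1, len(subnets)):
            a, va = subnets[i]
            b, vb = subnets[j]
            if a.overlaps(b):
                overlaps.append((va, vb))

    # Carve each allocated subnet out of the parent; what remains is free space.
    # CIDR blocks are either nested or disjoint, so only those two cases arise.
    free = [net]
    for s, _ in subnets:
        if not s.subnet_of(net):
            continue  # already reported in `outside`
        remaining = []
        for block in free:
            if s.subnet_of(block):
                remaining.extend(block.address_exclude(s))
            elif block.subnet_of(s):
                continue  # this free block is fully consumed by the subnet
            else:
                remaining.append(block)
        free = remaining
    free.sort()
    return {"outside": outside, "overlaps": overlaps, "free": [str(b) for b in free]}


def gateway_and_hosts(prefix: str) -> Tuple[str, int]:
    """First usable address (the conventional gateway) and usable host count."""
    n = ipaddress.ip_network(prefix, strict=True)
    hosts = list(n.hosts())
    return str(hosts[0]), len(hosts)


if __name__ == "__main__":
    result = check_plan(PARENT, PLAN)
    for prefix, vlan, purpose in PLAN:
        gw, count = gateway_and_hosts(prefix)
        print(f"VLAN {vlan:>3} {prefix:<16} gateway {gw:<12} {count:>4} hosts  ({purpose})")
    print("outside parent:", result["outside"] or "none")
    print("overlaps      :", result["overlaps"] or "none")
    print("unallocated   :", result["free"] or "none")
```

For the plan in the post the check reports no overlaps and a single unallocated block, 10.0.3.0/25, which is the gap left between VLAN 40 and VLAN 50.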



Recommended Network Equipment?

So we're currently running a mix of HPE Switches, NetGear and Zyxel, and they've been in quite a while.

About 100 users in the building.

Will be looking to move everything over to one manufacturer at some point to keep things simple.

I'm thinking Unifi Ubiquiti Switches? I've had some people advise Cisco Meraki (obviously) but they're £1K, that won't get approved. I'm also being told to stay away from Unifi Ubiquiti kit as well by a couple of people, I don't understand why though as I've never had any issues with it previously?

Prefer to move over to something which can be cloud based. Does anyone have any suggestions?



Isp failover

Hello, I have a question regarding ISP failover.

```
PC ----- ROUTER ----- ISP1 ------ INTERNET ------- Server
            \-------- ISP2 ------/
```

Here this router is connected to both ISPs. Now in this scenario, the PC is connecting to the server using RDP or any other application and it's working. Suddenly ISP1 goes down and the router fails over to ISP2. But the RDP connection won't reconnect. If we close the RDP connection completely and then connect it again, it will connect through ISP2.

My question is: what can we do on the server or router so that when this happens it won't stop the connection but allows it, and why does it happen?



Cisco switches and ssl decryption

I am working for a fairly large organization and all our internet traffic is ssl inspected. Essentially each endpoint needs to have a root certificate in each endpoint, and that will enable the device to get to HTTPS sites.

The management of our switch infrastructure is outsourced, and our outsourcer says that the Cisco switches need to communicate to Cisco over HTTPS to manage licensing. However they have said that they cannot install the cert in the switch, and so all of it has to be made an exception. I find that hard to believe and was wondering if any of you had any experience with this. Or any experience in setting up certs in Cisco switches. The alternative is to create exceptions for a whole host (thousands) of switches which is not the way I want to go down.

Thanks.



Question about inter-vlan comunication using SVI

Hi Everyone

Last time I posted a question everyone was really helpful. I'm trying to get better at networking and this forum is great, so thanks a bunch

My question is :

When you want switches to be accessible for management externally, you create a management VLAN on them and give that VLAN an IP address. With router on a stick, this vlan will be made accessible from the outside by giving it a default gateway that corresponds to the router subinterface created for it.
But what about when you use a L3 switch for inter-VLAN communication? You will have to give this management VLAN an IP as you would normally, but this would act as the default gateway for the other switches that need to be managed externally through the management VLAN. Will the L3 switch's management VLAN interface have an IP for default gateway functions for all the other devices on this VLAN, as well as another IP on the same VLAN for its own default gateway needs?

If I'm not making sense, my question in essence is: VLANs need a default gateway to communicate with each other. When the default gateway is external on a router, that's straightforward, but an L3 switch will already have an IP address for the management VLAN to act as the default gateway for everyone else on the VLAN, but what about its own need for a gateway to communicate with the outside?

Thanks!



Thursday, May 27, 2021

Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



QUIC RFCs are out



Smart Card Auth on Cisco Switches

I've looked around the internet and the closest thing I can find is the x509v3-ssh-rsa settings.

Has anyone ever configured Cisco switches to authenticate using smart card certificates? I have the PuTTY CAC client, but I'm not exactly sure how to configure the switch to do this, if it's even possible at all. I do have a trustpoint set up with my internal CA and can request a cert, as I did this to get a valid cert for the HTTP interface. This is currently the only thing holding back my IT department from being completely passwordless, as RADIUS auth still requires a username and password while everything else in our environment is now using smart card authentication.



Do Switches keep port config if a blade is replaced?

I have a 4507 and am doing a blade replacement to fix a bug.

I'm under the impression removing the old blade and putting the new blade in the same slot would carry over the old config to the new ports, but just wanted to double check with you smart people.

Will replacing a blade wipe the config for those ports or will it carry over?

Thank you.



Cisco Smart Licensing

Hey Guys,

So, I am new to everything regarding licensing of Cisco hardware in any way.

Currently I am facing following situation:

I do have some Cisco ISR4331 routers running ios-xe 16.09.X. These are not yet SMART licensed.
In the SMART Account I do have SL-4330-SEC-K9 licenses which are registered to the respective route processor serials of the devices.

By accident some of these licenses have been converted to SMART License and are now 'not in use', though the respective serial can still be found in the details of the license and the affected routers are still registered, since they do not communicate with the Cisco SMART Software Manager (CSSM).

Also I still have some PAK licenses lying around which are waiting to be converted to SMART License.

Multiple questions come to mind now:

  • When updating to ios-xe 16.12.x and activating smart licensing (which is required for ios-xe 16.10.x and later) does the router get the same license which has its route processor serial linked?
  • When setting up a new ISR4331 with ios-xe 16.12.x which was not yet licensed at all, will the licenses which have a serial linked be used to register the new device or will they be left untouched until I remove the device delegation or the correc?
  • In case the new router gets one of the previously assigned licenses, can I use one of the PAK licenses for the other routers which then will be upgraded so they can use SMART Licensing?

I would appreciate any help or reference to any documentation that could help me solve this.

Cheers



Palo Alto announces PA-5450 series and PA-400 series NGFWs

Here are the links to each of the datasheets:

PA-5450: https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/pa-5450-series

PA-400: https://www.paloaltonetworks.com/resources/datasheets/pa-400-series

I am going to be very interested in seeing the pricing for the 400 series. We have a couple of smaller locations that we would like to put PAs at, but need at least 1Gb IPsec throughput and could not justify the price of the PA-850.

I think the PA-5450 fills in the gaps between the 5200 and 7000 series. Sad to see the blue color scheme going away.



Access list number relevant?

Hello! Is the access list number relevant when defining an access list?

For example: access-list 1 permit any

Is the number '1' relevant in the command?



Will a partners traffic be in our firewall logs?

So we have a VPN set up to one of our business partners. The connection is active and they can route traffic to our site; let's call this site 1. They want to send traffic to another site, so we set up a rule to forward VPN traffic to our other VPN; let's call this site 2. They have an extremely locked-down network and only allow certain traffic inbound and outbound on a specific port to an IP, while we open our whole subnet to them.

They can't route anything to site 2 through this tunnel; however, we can send from site 2 to them. I've looked through the logs and there is nothing destined for site 2 coming into site 1's logs. They are adamant that their ruling is set up correctly, so I'm not sure where to go from here.

If I can't see any traffic in our logs on site 1's firewall would this be an issue on their side?

Simple stuff here, but I've been going crazy trying to fix it. They also don't allow ICMP traffic.

Thanks



2 WAN Connections with 1 ip?

Looking for some advice on this one...

We have 3 sites, 2 out of the 3 have a primary and failover connection.

Failover works just fine, but if one of the locations does fail over, its public IP changes, which means our user VPN and our site-to-site VPN to AWS do not work.

Is there any way for us to keep the same public IP (even if it's not one we have now)? I feel there has to be a solution out there for this that we just haven't had any experience with yet.

Thanks for looking!



Quick Network Refresher Course/Program?

Anyone have any recommendations on some courses or training programs that are pretty quick and good at refreshing networking skills?

I was a network engineer a few years back, been in a systems engineer role for a while now, but am going back into a network engineer role again. Just wanted something that can help me brush up on some networking skills before starting.

Thanks!



PoE

Just out of curiosity, what happens when you wrongly wire a UTP cable?

For example: I connect a PoE switch with a faulty UTP Cable (Power lines switched to data lines) to a Non PoE device.



Eve-ng - Interface issues with csr1000v

Hi Everyone,

I'm having interface issues with csr1000v (csr1000v-universalk9.16.09.06) on eve-ng. The installation itself is fine (followed this link https://www.eve-ng.net/index.php/documentation/howtos/howto-add-cisco-csrv1000-16-x-denali-everest-fuji/) and I can boot up the node no problem.

But when I unshut the interface, I get this error:

Router(config)#int gi1
Router(config-if)#ip add 10.1.1.1 255.255.255.0
Router(config-if)#no shut
[vmxnet3][WR][vmxnet3_get_command_status]: Received request for unknown command: cafe000f
Router(config-if)#

The interface does come up, but you won't be able to ping it. For example, I had two nodes connected point-to-point, both CSR1000v's, both having the same problems: both can ping themselves, but neither is able to ping the other side.

Here's what I have done thus far:

- I have tried deleting and adding back again.

- Also tried using different versions (csr1000v-universalk9.17.03.03, then csr1000v-universalk9.16.06.05) and still nothing.

- Tried changing the Qemu Nic setting from "tpl(vmxnet3)" to "vmxnet3"

I am running eve-ng in Workstation 16 Pro (16.1.0 build-17198959). All other nodes I have (Cisco IOL, Cisco NX-OSv 9K, Juniper vSRX) all seem to be working fine.

Thanks in advance on any advice you can give!



WiFi Calling Issues

So long story short the company I work for sold a wireless solution to our client, we have 24 datto AP's with 4 Aruba instant on 1930 switches. After the installation it came to light that the main reasoning behind the wireless solution was to use WiFi calling as the mobile signal in the area is extremely poor.

The customer are now ready to rip out the AP's as the WiFi calling isn't working as they might have hoped. Wireless coverage seems to be fine as far as normal internet usage, we also have made teams calls over the network fine. I'm wondering if anyone might have had any experience with improving WiFi calling on their network?



Need some carrier advice

Hello guys,

I have experience in Enterprise IP communication, routing, switching, wlan, firewall, etc (4-5 years) in vendor-specific environment (TAC).

I need some advice from you guys as to what would be a wise step up from a "classical" IP network. I'm trying to decide what to do next that will be helpful in the future, and to avoid wasting time learning some technology with a dead future; in other words, to consider the current market evolution. I am leaning toward SDN (Cisco ACI), or maybe automation (I also see data center positions, service provider, etc.), but I have a difficult time seeing the big picture and your input will be greatly appreciated. I want to use my previous experience in the best way possible (not start from scratch).

Some insight: I have worked in a TAC environment as an IP engineer for some years. The current position is mainly troubleshooting and is becoming more and more stressful, with urgent tasks and no time to analyze/prepare (bad management, communication, etc.). There are too many diverse networks (customers) and requests, so it is impossible to learn one network for long-term use. I am the kind of guy who likes to analyze deeper and prepare before I do anything, more quality than quantity, so this position does not fit me anymore.

Thanks!



VyOS Static Route setup

Hello Everyone

I hope this is the right sub for this; otherwise please point me in the right direction.

For a school project, we have to use the 1.3x VyOS CLI, and in one of the assignments we have to set up static routing for our subnets so that we can ping computers further down in the network.

Current setup is:

[Imgur](https://imgur.com/perpQ9J)

When we follow the guide on VyOS, we run into the issue of removing our default gateway, and every machine under the router is unable to connect/ping to the internet or other machines.

We use the command

set protocols static route ip next-hop ip

On one of our middle routers we set (we did this, but with different IPs for the different routers):

set protocols static route 10.0.0.10 next-hop 172.16.0.1

We have also tried

set protocols static route 172.16.0.1 next-hop 192.168.1.1

What are we doing wrong here?

-Thanks for your time



Help needed with chopping up a network, please!!

Hi all,

I'm having a brainfart moment today and it's not even the start of work where I am (coffee needed, lots)...

So, I'm tasked with redesigning the (small) company network and I'm planning to use VLANs, 4 in total. I'm looking for help with assigning IPs using the VLSM method, basically chopping up a network into various sizes for these VLANs.

I'm thinking to do the following:

VLAN1 - 172.16.0.254/24 (used only for VLAN1 and untagged traffic)

Mgmt VLAN - 172.16.0.0/29 (used for remotely controlling networking devices - IPs needed is approximately 5)

File/Print VLAN - 172.16.0.8/28 (as the naming convention states, this vlan is used for accessing data and printing - IPs needed is approx. 10)

Workstations VLAN - 172.16.0.48/27 (again, as the name says, this vlan is for staff pcs / laptops etc. - IPs needed is approx. 25)

The issue I'm having is I can't remember for the life of me if I can chop a network like this (as in setting up VLSM that isn't consecutive, or creating VLSM that doesn't follow on from the last network address allocation). I have set a DHCP range which is untagged and that's OK, but since I'm still in the setup stage, I want to make sure I'm not making too many stupid mistakes.

Thanks for any and all comments / help / tips!!
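An added worked example (not part of the post above) that checks the four prefixes proposed in it with Python's standard `ipaddress` module: for each entry it reports the network the prefix length actually implies, whether the address as written is the first address of that network, and which other entries the block overlaps. It then carves the same /24 largest-requirement-first, which is the usual way to get non-overlapping VLSM blocks that each start on their own boundary. Function names and the report layout are this example's own.

```python
"""Check a VLSM plan for alignment and overlap, then carve one properly.

Added example, not part of the forum post. PROPOSED_PLAN holds the four
prefixes exactly as the post proposes them; the function names, the report
layout and the allocator are this example's own.
"""
import ipaddress

PROPOSED_PLAN = {                      # constructed from the post's text
    "VLAN1": "172.16.0.254/24",
    "Mgmt": "172.16.0.0/29",
    "File/Print": "172.16.0.8/28",
    "Workstations": "172.16.0.48/27",
}


def check_plan(plan):
    """Per-VLAN report: the real network for the prefix length, whether the
    address written is that network's first address, the usable host count,
    and which other entries the block overlaps."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in plan.items()}
    report = {}
    for name, cidr in plan.items():
        net = nets[name]
        report[name] = {
            "network": str(net),
            "aligned": ipaddress.ip_interface(cidr).ip == net.network_address,
            "usable_hosts": net.num_addresses - 2,
            "overlaps": sorted(o for o, onet in nets.items() if o != name and net.overlaps(onet)),
        }
    return report


def allocate_vlsm(base_cidr, needs):
    """Carve base_cidr into non-overlapping blocks, largest requirement first,
    so every block starts on its own natural boundary. `needs` maps a name to
    the number of host addresses required (network/broadcast are added on top)."""
    base = ipaddress.ip_network(base_cidr)
    cursor, end = int(base.network_address), int(base.broadcast_address) + 1
    result = {}
    for name, hosts in sorted(needs.items(), key=lambda kv: (-kv[1], kv[0])):
        prefixlen = 32
        while 2 ** (32 - prefixlen) - 2 < hosts:      # smallest block with enough hosts
            prefixlen -= 1
        size = 2 ** (32 - prefixlen)
        cursor = (cursor + size - 1) // size * size   # align to the block size
        if cursor + size > end:
            raise ValueError(f"{base} cannot hold {name} as a /{prefixlen}")
        result[name] = ipaddress.ip_network(f"{ipaddress.IPv4Address(cursor)}/{prefixlen}")
        cursor += size
    return result


if __name__ == "__main__":
    for name, info in check_plan(PROPOSED_PLAN).items():
        print(f"{name:13} {info['network']:18} aligned={info['aligned']!s:5} "
              f"hosts={info['usable_hosts']:3} overlaps={info['overlaps']}")
    print(allocate_vlsm("172.16.0.0/24", {"Mgmt": 5, "File/Print": 10, "Workstations": 25}))
```

Running it shows that `172.16.0.8/28` and `172.16.0.48/27` are not network addresses for those prefix lengths (the blocks really start at `.0` and `.32`), that the /28 therefore lands on top of the /29, and that a /24 for VLAN1 covers every other block. The allocator gives one non-overlapping layout for the three stated requirements.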



Wednesday, May 26, 2021

3560-CX VLAN Setup

Configuring VLANs on two 3560-CXs that are connected via fiber and humming along fine. One is located in an easily accessible building while the other is a 10 minute drive and rickety elevator ride down into a tomb-like concrete shaft. I'm hoping to completely configure everything from the former location.

Is setting the fiber port to trunk mode something that terminates an SSH session? Am I fated to locking myself out and making the trek?



Someone got my ip and I'm scared they are gonna try something with it

Hello, so I'm not sure if this is the right subreddit to ask this, but yesterday I connected to my classmate's hotspot and he found out my IP address. I'm scared he's gonna do something because in the past he did... Is there anything I can do to change my IP or prevent anything from happening?



ASA AnyConnect with no documentation

I have a remote end user on macOS who had to make a new profile, so the old settings are blown out. This is a new customer that has almost no documentation on how to access anything on the network. We are trying to access a Cisco ASA with AnyConnect. Is there any way to bypass the OTP that the client is asking for? I know probably not, because it's a security feature, but thought I would throw it out there.



Design Recommendations

I’ve recently inherited a small-ish business that has two Cisco 3750 series stacks, two switches per stack. Just a single flat /24 network and a DMZ.

One stack of 3750X, wall mounted, that all of the forward-facing devices connect to: VoIP phones, laptops, desktops, credit card machines, TVs, etc. This stack also provides PoE.

The other stack of 3750G is set up in the rack providing bonded (2x 1G) connections to all the servers and other rack-mounted devices: VoIP stuff, SAN (separate physical switch), router, firewall, ISP gear, etc.

There’s also a bond between the two stacks. (2x 1Gig)

  1. Any recommendations on core design changes? I don’t have too much experience with stacked Cisco gear but it seems pretty solid.

  2. Each cube has two network cable drops, originally planned for one VoIP device and one workstation. Things have changed a bit and now there are a few locations with a need for 4+ connections (credit card terminals, docking stations, phone, desktop, etc.). The not-so-technical folks have installed random cheap D-Link switches to remedy this. I'm planning to replace these, as running new cable drops is not an option at the moment. PoE and 8-ish ports are the only requirements. I'll probably stick to Cisco gear as well from a consistency standpoint. Any recommendations?

Overall everything is working pretty well. No issues. I’m mostly just curious on others opinions of the setup. :)

Thanks!



Packet Sniffer

Looking for Packet Sniffer recommendations for use on a small network.

Have a single router, and want to be able to sniff packets from all machines and create custom daily or weekly reports.

Do you have any suggestions?



Spectrum Enterprise Fiber Internet Access is a Joke

I work at a service provider and am helping a client with a new office where they have a 10Gb Spectrum Enterprise fiber circuit. We have been troubleshooting with Spectrum for 3 weeks, and after 2 weeks, found an issue where the Spectrum policing is restricting outbound internet traffic to less than 2 Gbps per "flow".

However, after confirming the policing is causing outbound traffic issues, Spectrum has re-enabled the policing and now the client is affected again. Spectrum calls it Large Flow Policers and has said the policers are "needed" and that "LFP is implemented on the Spectrum network to protect our clients from link saturation". Neither I nor my client has ever heard of this from an internet provider, and it has effectively reduced a 10 Gb circuit to a 1-2 Gb circuit. Has anyone ever heard of Large Flow Policers (LFP)? I don't understand how this decision doesn't break every contract with Spectrum Enterprise by creating this disruption or failure of service. This sounds like some Mickey Mouse crap I might see in a residential setting, not an enterprise one. Especially for a client like mine that relies on the ability to upload large content on a continuous basis. We are constantly seeing discards on the edge next to the Spectrum ADVA where traffic is being refused.

None of this policing was discussed with the client prior to signing the contract with Spectrum Enterprise and at this point, I would never recommend them for any business.

Has anyone else run into this? How have you dealt with it?



Odd issue...

We have reports from users that they are unable to access https://id.vin.com/login/website-vin-members from our network. Through some troubleshooting it seems to be isolated to a specific VLAN, and through more troubleshooting (Wireshark) it seems as if the devices on this specific VLAN are getting reset flags (specifically connection reset (RST)) whereas all others are not. We've determined there are no rules on the firewall that appear to be causing the block, and have confirmed the same on the local core switches. Any ideas?



LTE enabled/Wi-Failover capable mobile solutions

Hey guys,

I'm hoping this is the right place for this. I am currently looking for a small device that is LTE enabled, but can failover to Wi-Fi if necessary. The device needs to be somewhat rugged as the deployment of it may be in mobile environments. CradlePoint seems to be a solid contender, along with Sierra Wireless. Please let me know your thoughts, thanks for any guidance you can provide.

Cost is a factor, including potential monthly subscription fees.



How does EVPN work with VxLAN?

I was tasked with installing and configuring EVPN-VxLAN on a small network. I have BGP and VxLAN configured, so now I only have EVPN. The thing is, I have no idea what EVPN does. Various documentations and sources are mostly confusing. It looks like it does exactly what VxLAN does. So why do I need it? What does it add to my network and why would I need it? I get connectivity fine between various VLANs in different WAN, so why would I need it? Sorry if this is a dumb question, I simply don't understand the purpose of EVPN.



OSPF6 not routing

Hello,

I have 10 pfSense routers within a VMware setup. OSPF over IPv4 works perfectly. OSPF6 is giving me a headache, as it is not routing at all. All 10 pfSense routers + PCs have a static ULA IPv6 address. Within the point-to-point connections, pinging is possible.

Could it be link-local addresses that are interfering with the static addresses? Or the same router ID on OSPF6 as on OSPF, or the area ID?

Anybody with OSPF6 experience, please give me input. Thanks



Cisco ACL Check

Hi all

I have been presented with the following ACL and I am just wondering, are the three denies and final permit even required?

ip access-list extended VOIP
 permit udp host ExternIP eq 5060 host PublicIP
 permit udp host ExternIP eq 5061 host PublicIP
 permit udp host ExternIP eq 5060 host PublicIP
 permit udp host ExternIP eq 5061 host PublicIP
 deny udp any any eq 5060
 deny udp any any eq 5061
 deny udp any any eq 35060
 permit ip any any

I can't quite wrap my head around it, as the initial permits are allowing a specific external IP in, and my assumption is there is an implicit deny anyway?

This is what's on the wan interface.

interface GigabitEthernet0/0
 ip address PublicIP Mask
 ip access-group VOIP in
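The ACL above evaluated the way IOS evaluates it: top-down, first match wins, and an implicit deny after the last entry. This is an added example, not the poster's or Cisco's code; it handles only the syntax the post uses (`host X` or `any` endpoints with an optional `eq PORT` after either one). ExternIP and PublicIP are the post's placeholders; OtherIP and the sample packets are constructed. Note two things it makes visible: the three explicit denies only change anything because `permit ip any any` follows them (without that last line the implicit deny already drops everything the first four entries do not permit), and in those four entries `eq 5060`/`eq 5061` sits after the source host, so it matches the source port, not the destination port.

```python
"""First-match evaluation of the posted extended ACL.

Added example, not from the post or Cisco. It handles the subset of Cisco
extended-ACL syntax the post uses (`host X` or `any` endpoints with an
optional `eq PORT` after either one) and evaluates packets top-down with the
implicit deny at the end. ExternIP and PublicIP are the post's placeholders;
OtherIP and the sample packets are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional

ACL_VOIP = """
permit udp host ExternIP eq 5060 host PublicIP
permit udp host ExternIP eq 5061 host PublicIP
permit udp host ExternIP eq 5060 host PublicIP
permit udp host ExternIP eq 5061 host PublicIP
deny udp any any eq 5060
deny udp any any eq 5061
deny udp any any eq 35060
permit ip any any
"""


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _endpoint(tokens):
    """Consume `host X` or `any`, then an optional `eq N`; return (addr, port, rest)."""
    if tokens[0] == "host":
        addr, tokens = tokens[1], tokens[2:]
    elif tokens[0] == "any":
        addr, tokens = "any", tokens[1:]
    else:
        raise ValueError(f"unsupported endpoint syntax: {' '.join(tokens)}")
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = int(tokens[1]), tokens[2:]
    return addr, port, tokens


def parse_acl(text):
    """Turn `permit|deny PROTO SRC [eq N] DST [eq N]` lines into Ace records."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, sport, rest = _endpoint(t[2:])
        dst, dport, rest = _endpoint(rest)
        if rest:
            raise ValueError(f"unsupported trailing tokens: {rest}")
        aces.append(Ace(t[0], t[1], src, sport, dst, dport))
    return aces


def matches(ace, pkt):
    """pkt = (proto, src, sport, dst, dport). `ip` in an ACE matches every protocol."""
    proto, src, sport, dst, dport = pkt
    return (ace.proto in ("ip", proto)
            and ace.src in ("any", src) and ace.dst in ("any", dst)
            and ace.sport in (None, sport) and ace.dport in (None, dport))


def evaluate(aces, pkt):
    """Return (action, entry index) of the first match; ("deny", None) is the implicit deny."""
    for i, ace in enumerate(aces):
        if matches(ace, pkt):
            return ace.action, i
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_VOIP)
    samples = [                                        # constructed packets
        ("udp", "ExternIP", 5060, "PublicIP", 5060),   # SIP from the trusted peer
        ("udp", "OtherIP", 5060, "PublicIP", 5060),    # SIP from anyone else
        ("udp", "ExternIP", 40000, "PublicIP", 5060),  # peer, but not from source port 5060
        ("tcp", "OtherIP", 51000, "PublicIP", 443),    # unrelated inbound traffic
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(acl, pkt), "| without final permit:", evaluate(acl[:-1], pkt))
```

The third sample is the one worth staring at: SIP from the trusted peer that does not originate from port 5060 falls through to the `deny udp any any eq 5060` entry, which is the practical effect of where `eq` is placed.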


Strange TCP behavior with Desktop PC and Universal Robot

Hi, thank you to anyone that can shed light on this issue I'm having.

I have a Dell Optiplex 7080, i7, 16 GB of RAM with an additional PCIe NIC (TP link, fairly cheap) used to communicate with a Universal Robot. I have an application that shows the robot's 3D position. The app was developed in a virtual machine, and works great.

However, when moving the app to the physical Dell machine, it will communicate with the robot for a short period of time (less than 20 sec), but the returned data is delayed by about 4 seconds. For example, when you physically move the robot, its position takes about 4 seconds to update in the app, and eventually all communications cease.

Wireshark shows full windows, followed by a zero window. It feels like the Rx buffer is filling up, but I can't be sure. I guess my question is: is there an obvious thing I'm missing that I could adjust, either with the NIC or something else?

I know this is very specific to my situation but didn't know if any of you folks could offer guidance. We have tried many troubleshooting steps and are at our wit's end.

Thanks in advance.



Large scale network closet audits- recommended data standardization software?

Hey all - we've got several large-scale network audit / assessment projects on the horizon and I'm looking for ways to update our data collection workflows. We have several teams that we leverage globally for the onsite work and each team has different ways that they collect and record the closet data... the data that they collect is good, but it'd be great if we could better standardize the data format and make sure nothing is missed. We need to capture images of closets, create elevation charts, capture serial information, models, all that good stuff that really requires an onsite visit. Ideally this form software should be able to run on an iPad.

I'm looking at Prontoforms or Fastfield. Has anyone here used programs like this successfully on similar projects? Any other programs that should be considered?



Can i configure two internal routing protocols in the same autonomous system?

Hello! Quick question: Can I configure two internal routing protocols in the same AS? (Cisco)



Fibre patch lead labelling

Hi guys

I work at a fairly large university and at the moment I'm the only network engineer (started just before the pandemic, been remote mostly). My predecessors didn't believe in labelling much, I've discovered. I'm getting pretty tired of looking at fibre patch leads going to panels/switches and having no idea what they're for or where they go on the other end, without having to manually trace the cores at each end, as it involves a half-mile walk across campus sometimes.

We're looking for a network officer/technician to help out with a fair bit of leg work that needs doing. I want to get a fibre audit of the campus put on their to do list. Part of that is going to involve labelling.

I'm wondering if anyone has recommendations for clips/labels, that can be hand written on, and attached to a fibre patch lead?

I used some years and years ago, where they just had two metal clips and a little piece of paper that just slotted in (similar to a key tag), but for the life of me I can't find any on Google.

Or any other recommendations?

Thanks



Finding a job

So for those with CWNP professional certifications or a CWNE, do you find it fairly easy finding wireless network engineer jobs? I know many jobs have become remote over the last year and that opens up a whole lot more positions for people, but didn't know if it was hard or not. I just knocked out my CWSP and am jumping right into the CWDP this week with the goal of my CWNE next year. I do have a number of years of network engineer experience at all levels at this point. Thanks in advance



Questions to ask at a new job

Hi all, I'm starting a new job as a technician installing Wireless and Satellite services in rural Australia and I want to eventually progress into a design or network engineer role.

Do you have any tips or advice on things I should look out for to learn the networking side, and questions I should ask to show my keenness and help me get a head start to learn this stuff?

Thanks in advance.



csma/cd computer science clarification

I have a dilemma on the CSMA/CD, more specifically the explanation I have been given in class.

The exercise/problem is as follows: using CSMA/CD, station A starts transmitting at time 0; when A reaches time 8, B starts transmitting. Total time to travel from A to B is 10. When will A and B know a collision happened?

After a bit of searching, my understanding is as follows: A is at 8, B is at 0 and starts. They both meet at time 9, where the collision occurs. At collision time 9 the signal is propagated in both directions informing A and B of the collision:

therefore B is informed at time 2 ( 10 - 9 = 1, 1 in one direction + coming back 1 == 2) A is informed at time 18 (time 9 at collision + 9 to travel back == 18)

Am I correct in my reasoning?

The explanation given was as follows: A is informed at 18 because A was at 8 + 10 to travel back; B is informed at 10 because it takes 10 to travel from B to A.

I am a bit unsure if the explanation given makes sense (to me). Aren't the frames discarded at collision, and a higher signal, because of the crash, propagated to both stations in both directions?
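An added worked example, not part of the post, that models the exercise's bus as one segment with a single end-to-end propagation delay. In CSMA/CD a station learns of the collision at the moment another station's transmission first reaches it while it is still sending; nothing is emitted back from the point on the cable where the two transmissions first overlap, although the code also reports that crossing time since it is the figure the post computes. Frames are assumed long enough that both stations are still transmitting when the other's signal arrives, the usual textbook assumption. The function name and result layout are this example's own.

```python
"""When each station on a CSMA/CD bus notices the collision.

Added example, not part of the post. The bus is a single segment with one
end-to-end propagation delay; a station detects the collision the instant
another station's transmission first reaches it, not via a signal sent back
from the point where the two transmissions meet. Frames are assumed long
enough that both stations are still sending when that happens. Time units
are the post's abstract units.
"""


def csma_cd_timing(starts, delay):
    """starts: {station: time it begins to transmit}; delay: propagation time
    between any two stations. Returns, per station, whether it collides, when
    it detects the collision, and when its leading edge first meets another's."""
    result = {}
    for s, ts in starts.items():
        detect, meet = None, None
        for o, to in starts.items():
            if o == s:
                continue
            # If one station's first bit reaches the other before that other
            # starts, carrier sense makes the latecomer defer: no collision.
            if abs(ts - to) >= delay:
                continue
            arrival = to + delay                 # o's first bit reaches s
            detect = arrival if detect is None else min(detect, arrival)
            crossing = (ts + to + delay) / 2     # leading edges cross on the bus
            meet = crossing if meet is None else min(meet, crossing)
        result[s] = {"collides": detect is not None,
                     "detects_at": detect,
                     "signals_meet_at": meet}
    return result


if __name__ == "__main__":
    # The exercise: A starts at 0, B at 8, A-to-B propagation 10.
    for station, info in csma_cd_timing({"A": 0, "B": 8}, 10).items():
        print(station, info)
    # Same bus, but B waits until after A's signal has reached it.
    print(csma_cd_timing({"A": 0, "B": 12}, 10)["B"])
```

For the exercise's numbers the leading edges cross at 9, B sees A's signal at 10 and A sees B's at 18. The second call shows the carrier-sense side of CSMA/CD: a station that would start at 12 already hears A on the wire and defers, so no collision occurs.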



Need advice on job interview as backbone engineer.

I work with ISP whose backbone is built on Junos.

As a NOC engineer I have been working on IP transit, MPLS, BGP, DIA, Ethernet, etc.

For the role of backbone engineer, what questions should I expect in the interview? I have been losing confidence due to the current pandemic situation and suffering from depression and anxiety, which has been hindering my career growth.

I am revising the concepts but it would be a confidence booster to hear all the awesome professionals here.



Tuesday, May 25, 2021

SSLVPN - am I nuts, or is this inferior to IPSEC NAT-T

Help, Reddit - I don't get SSLVPN.

Why would I want to pack N TCP sessions behind a single TCP session with a single window that could close and fuck performance at any point, when I could instead run IPSEC NAT-T which punches straight through firewalls owing to it being just port 4500 UDP, and has no such performance concern?

Can someone honestly tell me the benefit of SSLVPN, generally speaking? Is it a nice marketing gimmick so every vendor can just build their own nonstandard client and charge for it?



richard stevens' tcp ip illustrated volume 1: is the first edition of this book still a viable resource?

well is it? thx btw



(CCNA) Rest API for Network Automation

Hi y'all!! I am a CCNA newbie and I just couldn't understand, and it still doesn't sink in for me, how REST APIs are used in network automation. Is it like a northbound API, or something that communicates between the SDN controller and applications? Any response will be appreciated because this confuses me as hell. Have a good one y'all!



C9120AXI stuck on 20 MHz (5 GHz)

Resulting in a limited speed of 288 Mbps, rather than the supposed 866 Mbps on 80 MHz (.11ac).

I have tried disabling DCA and setting a custom channel at 80 MHz, but my devices can only get 20 MHz. Happens on various firmware from oldest to latest.

What's strange is that on the EWC dashboard it shows my laptop negotiated at 80 MHz, but on the laptop itself it's still 20 MHz.

Is this a bug or something I misconfigured?

sh run



Recommendations for 10GE port cisco router?

Nothing overkill. Need 2 ports for WAN, and at least 4 ports for switched LAN.

Also, what's the difference between an NCS and traditional router?



Nexus 2k and 5K image for EVE

Hi guys,

Does anyone have Nexus 2K and 5K images for EVE? Please kindly share with me. I appreciate that.



Getting Into Networking

Hey All,

Decided at the age of 39 to ditch being a nurse and start a career in networking. Just came here to ask: if you could give me one piece of advice as a new tech, what would it be?



Moving from unmanaged switch to managed switch kills network segment

I'm trying to sort out a networking issue that had me scratching my head this afternoon. I have two buildings in question, building A and B. Building A gets its internet connection from a nearby office via an ethernet drop. The switch in the office is a Ubiquiti 24 port unit. Building B gets its network from an ethernet drop from building A.

Office----Building A ----- Building B

Today I was at Building A doing some cleanup and upgrades in their small wall rack, which included switching out an old gigabit unmanaged switch for a UniFi USW-16-POE. Building B's ethernet drop goes into a cabinet that has a couple of SLC/SCADA items attached to a small switch that I believe is also managed, but I can't remember the name/brand of the unit; it does basic switching as expected.

Essentially what is happening is if I connect the drop that goes to Building B into the new Unifi Switch in Building A, both sides of the connection die. All AP's, anything wired with ethernet will go to a 169 IP. I disconnected everything that wasn't SCADA related in building B but nothing changed. After several confusing hours I decided to hook the old unmanaged switch back up in Building A and everything went back to working normally. I even connected the new unifi switch into the unmanaged switch and it all still worked.

I'm just trying to understand what's going on when I connect the drop to building B to cause everything in A and B to quit suddenly when it's connected to the new managed switch. I've left all the STP/RSTP settings to their default values on the new switch since I haven't had a problem before, and I don't know if it's a problem now. Any help would be greatly appreciated.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Fiber link not staying up on Cisco SG350X

I have a stack of two Cisco SG350X switches. There is an SFP interface, 1000BaseSX that suddenly won't stay up. We've moved SFP slots, changed the SFP, changed the patch cord, rebooted the stack, and the link comes up for about five seconds, and goes right back down. We've also swapped the optics at the far end, and switched to another fiber pair. I currently have a tech about to swap out for media converters, as a sanity test. Any other thoughts?

The onsite tech tells me that the link light for the port was flashing "faster than I've ever seen".

25-May-2021 12:13:31 %LINK-I-Up: te1/0/1
25-May-2021 12:13:32 %STP-W-PORTSTATUS: te1/0/1: STP status Forwarding
25-May-2021 12:13:35 %LINK-W-Down: te1/0/1


OSI Model Reference - What do you guys think? Any additions/corrections?

I'm studying networking to, eventually, chase the CompTIA Network+ cert. I'm reading Mike Meyers' All-in-One Network+ book, watching some videos on YouTube and looking for references online. With the information gathered I just created this reference graphic, and any complements/ideas/corrections on it are greatly appreciated.

Link: https://github.com/DelfinoRT/Networking-Study-Stuff/blob/main/OSI%20Model.png?raw=true

Thanks in advance!



Struggling to establish IPsec Ikev2 on GNS3 using Cisco ASAv

I have been through the process of setting up IPsec tunnels twice now and both times have failed. I am unsure what the issue is, as following tutorials online, they claim everything should work. I have also talked to a network engineer in my workplace who can't seem to find any issues with the config, and my university networking lecturer also can't find any issue as of yet. I've run a "sh crypto ipsec sa" which reveals no IPsec SAs, and a "sh crypto ipsec stats" which shows no active or previous tunnels, and all other outputs are zero. It's worth noting I'm trying to follow the NCSC's guidance for setting up an IPsec tunnel, so have been using their recommended encryption standards.

I have three networks, one on the 192.168.1.0 range (CS1), another on the 192.158.2.0 range (CS2), and one on the 192.168.3.0 range (RS - this has not yet been configured for IPsec and has been switched off for all testing/development so far). I'm using Cisco ASA firewalls on both ends of the tunnel. The firewalls can ping each other's outside interfaces (10.10.0.10 for CS1 and 10.10.0.20 for CS2) with no issues; however, the hosts and other devices on the CS1 and CS2 sites can't ping their firewalls' outside interface, yet can reach their local gateway. I have tried using an access list that permits everything on both ends and that doesn't seem to work either. The running config for each firewall is below (I've had to type it out as GNS3 doesn't allow exporting the ASA running configs, so I've removed sections of useless information). Apologies for the formatting in advance; any help would be hugely appreciated!

## CS1 Config ##

ASA Version 9.12(2)
!
hostname CS1-Firewall
no mac-address auto
!
interface GigabitEthernet0/0
 description Inside interface acting as gateway
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Outside interface within tunnel
 nameif Outside
 security-level 100
 ip address 10.10.0.10 255.255.255.0
!
access-list ACL-CS1 extended permit ip 192.168.1.0 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 10.10.0.20 1
route Outside 192.168.2.0 255.255.255.0 10.10.0.20
route Outside 192.168.3.0 255.255.255.0 10.10.0.30
!
crypto ipsec ikev2 ipsec-proposal P1
 protocol esp encryption aes-gcm-192
 protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map CS1-CS2 1 match address ACL-CS1
crypto map CS1-CS2 1 set peer 10.10.0.20
crypto map CS1-CS2 1 set ikev2 ipsec-proposal P1
crypto map CS1-CS2 interface Outside
crypto ikev2 policy 1
 encryption aes-gcm-192
 integrity null
 group 19
 prf sha256
 lifetime seconds 604800
crypto ikev2 enable Outside
!
tunnel-group 10.10.0.20 type ipsec-l2l
tunnel-group 10.10.0.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

## CS2 Config ##

ASA Version 9.12(2)
!
hostname CS2-Firewall
no mac-address auto
!
interface GigabitEthernet0/0
 description Inside interface acting as gateway
 nameif Inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Outside interface within tunnel
 nameif Outside
 security-level 100
 ip address 10.10.0.20 255.255.255.0
!
access-list ACL-CS2 extended permit ip 192.168.2.0 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 10.10.0.10 1
route Outside 192.168.1.0 255.255.255.0 10.10.0.10
route Outside 192.168.3.0 255.255.255.0 10.10.0.30
!
crypto ipsec ikev2 ipsec-proposal P1
 protocol esp encryption aes-gcm-192
 protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map CS1-CS2 1 match address ACL-CS2
crypto map CS1-CS2 1 set peer 10.10.0.10
crypto map CS1-CS2 1 set ikev2 ipsec-proposal P1
crypto map CS1-CS2 interface Outside
crypto ikev2 policy 1
 encryption aes-gcm-192
 integrity null
 group 19
 prf sha256
 lifetime seconds 604800
crypto ikev2 enable Outside
!
tunnel-group 10.10.0.10 type ipsec-l2l
tunnel-group 10.10.0.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
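
The checker below is an added example, not part of the post: it parses the crypto-relevant lines of an ASA IKEv2 site-to-site config and reports what has to agree between the two peers (peer address versus the far side's outside address, a tunnel-group named after the peer, matching IKEv2 policy and IPsec proposal, and a crypto ACL whose source/destination pair mirrors the other side's). sample_config() is a constructed, trimmed copy of the posted layout; the ACL name ACL and the optional destination argument are assumptions.

```python
def parse_asa_crypto(config):
    """Pull out the fields that must agree between two ASA IKEv2 L2L peers."""
    info = {"outside_ip": None, "peer": None, "tunnel_groups": set(),
            "acls": {}, "policy": {}, "proposal": {}, "ikev2_on": False}
    section = iface = None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            section, iface = "interface", None
        elif w[0] == "nameif":
            iface = w[1]
        elif w[:2] == ["ip", "address"] and iface == "Outside":
            info["outside_ip"] = w[2]
        elif w[0] == "access-list" and "permit" in w and "ip" in w:
            # extended permit ip SRC MASK DST MASK; a missing DST/MASK is a defect
            info["acls"].setdefault(w[1], []).append(tuple(w[w.index("ip") + 1:]))
        elif w[:3] == ["crypto", "ikev2", "policy"]:
            section = "policy"
        elif w[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
            section = "proposal"
        elif w[:3] == ["crypto", "ikev2", "enable"]:
            info["ikev2_on"] = True
        elif w[:2] == ["crypto", "map"] and "peer" in w:
            info["peer"] = w[-1]
        elif w[0] == "tunnel-group" and "ipsec-l2l" in w:
            info["tunnel_groups"].add(w[1])
        elif section == "policy" and w[0] in ("encryption", "integrity", "group", "prf"):
            info["policy"][w[0]] = w[1]
        elif section == "proposal" and w[:2] == ["protocol", "esp"]:
            info["proposal"][w[2]] = w[3]
    return info


def check_pair(cfg_a, cfg_b):
    """Return the mismatches between two sides; an empty list means they agree."""
    a, b = parse_asa_crypto(cfg_a), parse_asa_crypto(cfg_b)
    findings = []
    for side, mine, theirs in (("A", a, b), ("B", b, a)):
        # what my ACL entries must look like: the far side's entries with src/dst swapped
        mirror = [e[2:] + e[:2] for es in theirs["acls"].values() for e in es if len(e) == 4]
        if not mine["ikev2_on"]:
            findings.append(f"{side}: IKEv2 is not enabled on Outside")
        if mine["peer"] != theirs["outside_ip"]:
            findings.append(f"{side}: peer {mine['peer']} is not the other side's outside address")
        if mine["peer"] not in mine["tunnel_groups"]:
            findings.append(f"{side}: no ipsec-l2l tunnel-group named {mine['peer']}")
        for name, entries in mine["acls"].items():
            for e in entries:
                if len(e) != 4:
                    findings.append(f"{side}: {name} entry '{' '.join(e)}' has no destination network")
                elif e not in mirror:
                    findings.append(f"{side}: {name} entry '{' '.join(e)}' is not mirrored on the other side")
    if a["policy"] != b["policy"]:
        findings.append("IKEv2 policies differ")
    if a["proposal"] != b["proposal"]:
        findings.append("IPsec proposals differ")
    return findings


def sample_config(local_net, outside_ip, peer, acl_dst=None):
    """Constructed config trimmed to the lines the checker reads, laid out like the post."""
    acl = f"access-list ACL extended permit ip {local_net} 255.255.255.0"
    if acl_dst:
        acl += f" {acl_dst} 255.255.255.0"
    return "\n".join([
        "interface GigabitEthernet0/1", " nameif Outside",
        f" ip address {outside_ip} 255.255.255.0", "!", acl,
        "crypto ipsec ikev2 ipsec-proposal P1", " protocol esp encryption aes-gcm-192",
        " protocol esp integrity sha-256", "crypto map CS1-CS2 1 match address ACL",
        f"crypto map CS1-CS2 1 set peer {peer}", "crypto map CS1-CS2 interface Outside",
        "crypto ikev2 policy 1", " encryption aes-gcm-192", " integrity null",
        " group 19", " prf sha256", "crypto ikev2 enable Outside",
        f"tunnel-group {peer} type ipsec-l2l",
    ])


if __name__ == "__main__":
    as_posted = (sample_config("192.168.1.0", "10.10.0.10", "10.10.0.20"),
                 sample_config("192.168.2.0", "10.10.0.20", "10.10.0.10"))
    for finding in check_pair(*as_posted):
        print(finding)
```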



Cisco switch with Aruba APs

Hello all,

We acquired a Cisco 4510 with a company we purchased. They had old Cisco APs that were replaced with Aruba AP-515 models. Currently we have Juniper EX3300 devices as a temporary solution in place, but I am migrating everything back to the Cisco in just a very basic configuration for now. It's been a little over 15 years since I've been in a Cisco environment so my syntax is a little rusty.

On the Juniper ports with Aruba APs attached I have the following configured and it works fine:

unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members [ corp-wifi guest ];
        }
        native-vlan-id 80;
    }
}

corp-wifi is VLAN 90 and guest is VLAN 99. The management VLAN is 80.

I tried moving the AP to the Cisco and it would not come up. This is what I used on the port:

interface GigabitEthernet10/37
 switchport access vlan 90,99
 switchport trunk native vlan 80
 switchport mode trunk
 spanning-tree portfast edge

Am I missing some part of the config or is that just completely wrong?



netmiko Cisco ASR config replace

I want to upload a modified config to a Cisco ASR (IOS-XR) and do a 'config replace' to replace the whole running config. I have the config on the router but I need to run the config replace command with netmiko and wondering if someone has already figured out the relevant netmiko commands for this sequence so I can re-use them?

The manual process looks like this:

RP/0/RP0/CPU0:ASR-Router1#conf t
Tue May 25 05:18:59.211 UTC
RP/0/RP0/CPU0:ASR-Router1(config)#load disk0:modified-config
Loading.
2611 bytes parsed in 1 sec (2603)bytes/sec
RP/0/RP0/CPU0:ASR-Router1(config)#commit replace
Tue May 25 05:21:14.750 UTC
This commit will replace or remove the entire running configuration. This operation can be service affecting. Do you wish to proceed? [no]: y
RP/0/RP0/CPU0:ASR-Router1(config)#

Thanks
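
An added example, not the poster's script, of driving that exact sequence (conf t, load, commit replace, answer the prompt) over a netmiko-style connection, using netmiko's real config_mode(), send_command(expect_string=...) and exit_config_mode() calls. The confirmation 'y' is only sent after the load parsed cleanly and the device actually asked the question, which is the safety check this operation needs. ScriptedConnection is a constructed stand-in that replays the post's transcript so the block runs offline; with a real router you would pass ConnectHandler(device_type="cisco_xr", ...) instead.

```python
import re

# Output that means "do not proceed" (constructed pattern covering common IOS-XR error lines).
LOAD_ERROR = re.compile(r"^\s*(%|!!|ERROR|Failed)", re.MULTILINE)


def commit_replace(conn, source="disk0:modified-config"):
    """Replace the running config with `source`, mirroring the manual session.

    `conn` is a netmiko-style connection (config_mode / send_command / exit_config_mode).
    'y' is sent only when the load parsed cleanly and the 'Do you wish to proceed?'
    prompt really appeared, so a failed load never receives a blind confirmation.
    """
    transcript = conn.config_mode()
    load_out = conn.send_command(f"load {source}", expect_string=r"\(config\)#")
    transcript += load_out
    if LOAD_ERROR.search(load_out) or "parsed" not in load_out:
        conn.exit_config_mode()
        raise RuntimeError(f"load {source} did not parse cleanly:\n{load_out}")
    ask = conn.send_command("commit replace", expect_string=r"\[no\]:|\(config\)#")
    transcript += ask
    if "Do you wish to proceed" not in ask:
        conn.exit_config_mode()
        raise RuntimeError(f"commit replace did not ask for confirmation:\n{ask}")
    transcript += conn.send_command("y", expect_string=r"\(config\)#")
    conn.exit_config_mode()
    return transcript


class ScriptedConnection:
    """Constructed stand-in for netmiko's ConnectHandler that replays the post's transcript."""

    PROMPT = "RP/0/RP0/CPU0:ASR-Router1(config)#"

    def __init__(self, load_output=None):
        self.sent = []
        self.replies = {
            "load disk0:modified-config": load_output if load_output is not None
            else "Loading.\n2611 bytes parsed in 1 sec (2603)bytes/sec\n" + self.PROMPT,
            "commit replace": "This commit will replace or remove the entire running "
            "configuration. This operation can be service affecting. "
            "Do you wish to proceed? [no]:",
            "y": self.PROMPT,
        }

    def config_mode(self):
        self.sent.append("conf t")
        return self.PROMPT + "\n"

    def send_command(self, command, expect_string=None, **kwargs):
        self.sent.append(command)
        return self.replies.get(command, self.PROMPT) + "\n"

    def exit_config_mode(self):
        self.sent.append("end")
        return "RP/0/RP0/CPU0:ASR-Router1#\n"


if __name__ == "__main__":
    # Real device (not run here): from netmiko import ConnectHandler
    # conn = ConnectHandler(device_type="cisco_xr", host="...", username="...", password="...")
    print(commit_replace(ScriptedConnection()))
```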



Looking for recommendations for a high speed (at least gigabit) wireless bridge for use in Mexico.

Anyone have experience with high speed (gigabit or better) wireless bridges that can be configured for operation in Mexico? I need a range of about 1.5km.



What free tools or templates do you use to turn telecom data utilization export CSVs into useful data?

I don't do this very often, but I'm helping someone understand their Internet usage. The only data they have are the ugly DataUtilizationExports from their telco provider. In the past, I would work through a spreadsheet to put together trends based on business hours using 2-3 months of data. Honestly, while this works, it takes way too long and I was wondering if there was a better way for one-offs like this.



Dark Fiber Backup IPSEC design programming

Looking for a way to design a network that is currently dark fiber with 3 sites. Need to create a failover network using IPsec tunnels with 3 Fortigate firewalls in case the fiber goes down. Sites are currently using EIGRP and Cisco L3 switches. I would imagine this would need to be changed to OSPF?

All clients go to Site1 for internet/server access

Site 1 (Internet/Servers/Clients) (DHCP/DNS)

Site 2 (Clients)

Site 3 (Clients)

Drawings below of the current environment and the proposed environment. We have more VLANs but kept the drawings simple for simplicity's sake.

Looking for programming advice.

https://imgur.com/a/Ox4Afdg



New Aruba WiFi 6E APs announced, AP-635



Is being given a 255.255.255.250 netmask for a public IP normal?

I've been given a 255.255.255.250 netmask by an ISP and I've never seen this before.

I've read it a few times and no it's not .248 or .252.

Mikrotik configures its IPs in CIDR notation and it's not that either. Anyone have any ideas?



Can a server be the one contacting the client without the client making a request first?

It seems that for the TCP/IP protocol, the client needs to be the one sending a request to a server for the server to send a response.

1) I wonder, let's say the server knew every client's IP address. Would it be possible for the server to send data/response/content to clients without the clients making any request to that server first?

2) In other words, what makes the client different from a server? Why can a server receive any requests from any client, but a client cannot receive any requests from any servers?

3) And when a client does send a request to a server, is this request unique? For example, if the client sends a request to a server, can the server send thousands of responses instead of just one?

For you experts in networking, these are probably all dumb questions, but I'm so curious about it.
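
An added example (not from the poster) that exercises questions 1 and 3 on the loopback interface with plain TCP sockets: a listener answers one client request with a thousand messages on the same connection, and a connection attempt towards a host that is not listening is refused by the kernel. Port numbers are picked at runtime; nothing here is specific to any real host.

```python
import socket
import threading


def start_streaming_server(n_messages):
    """Listen on a free loopback port; after ONE client request, send n_messages replies.

    Returns the port. The listener never contacts anyone: it can only answer a peer
    that connected to it, but on that connection it may send as many messages as it likes.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)                      # the single client request
            for i in range(n_messages):
                conn.sendall(f"msg {i}\n".encode())
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def one_request_many_replies(port):
    """Client side: send a single request and count the replies received on the same TCP stream."""
    with socket.create_connection(("127.0.0.1", port)) as sock:
        sock.sendall(b"hello\n")
        received = b""
        while True:
            chunk = sock.recv(65536)
            if not chunk:                        # server closed the connection: end of stream
                break
            received += chunk
    return received.count(b"\n")


def reach_non_listening_host(port):
    """A 'server' trying to open a connection to a host with nothing in accept():
    the kernel refuses the SYN. Returns 'refused' or 'connected'."""
    try:
        socket.create_connection(("127.0.0.1", port), timeout=2).close()
        return "connected"
    except ConnectionRefusedError:
        return "refused"


def free_closed_port():
    """Pick a loopback port nobody is listening on (bind, read the number, close)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    print(one_request_many_replies(start_streaming_server(1000)))   # 1000
    print(reach_non_listening_host(free_closed_port()))             # refused
```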



Sharing my python script to automatically clear port security and reset err-disabled ports

A few people asked about this script in another post, so I thought I would share it in hopes it helps others. This script uses textfsm and scans Cisco IOS switches for ports in err-disabled mode, then selects those interfaces and does a "shut, clear port-security all, no shut". I know setting up err-disable recovery would avoid all this, but I am new to python and was looking to automate this with netmiko for learning purposes and to also have a baseline script to do anything I want with after making a few changes. For example, I also use this same script to shut down unused ports in specific VLANs just by making a few minor changes.

But anyways here it is, hopefully some people find it useful.

https://github.com/Alston518/Netmiko/commit/8432c1e535a88b395e2e67ad4ff4169db698979b

u/spaceman_sloth u/SlimLowJack

Also, thanks for all the people from r/networking that assisted me in getting this together by answering any questions I had when putting this script together. The support on the sub is amazing!



Help getting 5 static IPs into a layer 3 switch and distributed

Upgrading a school that currently has 15+ year old Dell PowerConnect switches and I have a question about how some static IPs are pulled in.

The building gets 5 static IPs over fiber. The ONT currently appears to plug into the current Dell switch. From there, it's sent to various other parts of the building using VLANs where other systems are plugged in (like HVAC gets one IP, the VOIP system gets one, and then another tenant gets another IP and has their own router and switches). They want the static IPs to be used so the networks are separated and if the HVAC system or VOIP system were breached, hacked, etc. it wouldn't contaminate their main data network. They also don't want the other tenant anywhere on their network. They give the tenant a port on the far side of the building IDF so they can feed and manage their own network.

Is this easy to do using UniFi Switch Pro 48 PoEs? (It's layer 3)

I've set up dozens of networks where one IP is brought into a router/firewall like the USG Pro 4 or UDMP, then distributed to a switch. I understand the basics of layer 3 switches but have not built up a network like the one I'm describing, feeding multiple tenants with different IPs. Any guidance to get my head around how to route raw internet WAN IPs through the switch would be helpful. Thank you for your guidance.



CISCO PACKET TRACER “INVALID IP ADDRESS”

Hi, I am still new and studying networks. I have here the 234.1.18.6/29 address and mask, but when I try it out in Packet Tracer it gives me an invalid IP address message. I cannot understand why this address is invalid.
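
An added check (not from either poster) for the two rejected values on this page, the 255.255.255.250 netmask asked about above and the 234.1.18.6/29 address asked about here: it uses the standard library's ipaddress module to say why a device would refuse a mask or a host address, and shows the two contiguous masks a non-contiguous one could have been meant as. All sample values are taken from the two posts or are RFC 5737 documentation addresses.

```python
import ipaddress


def check_host_assignment(address, mask):
    """Explain why a device may reject `address`/`mask` as a host address.

    `mask` may be dotted (255.255.255.248) or a prefix length (29). Returns a list of
    problems; an empty list means the pair is a sane unicast host assignment.
    """
    try:
        net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    except ValueError as exc:
        # ipaddress refuses non-contiguous masks such as 255.255.255.250 (...1111 1010)
        return [f"mask {mask} is not a valid netmask: {exc}"]
    host = ipaddress.ip_address(address)
    problems = []
    if host.is_multicast:
        problems.append(f"{address} is a multicast (class D, 224.0.0.0/4) address, not a host address")
    if net.prefixlen <= 30 and host == net.network_address:
        problems.append(f"{address} is the network address of {net}")
    if net.prefixlen <= 30 and host == net.broadcast_address:
        problems.append(f"{address} is the broadcast address of {net}")
    return problems


def contiguous_candidates(mask):
    """Two ways to read a non-contiguous mask, e.g. 255.255.255.250 (...1111 1010):
    keep only the leading run of ones (29 bits -> .248) or keep the total number of
    one-bits (30 bits -> .252). Returns (leading_run_mask, bit_count_mask)."""
    bits = f"{int(ipaddress.ip_address(mask)):032b}"
    leading = len(bits) - len(bits.lstrip("1"))
    total = bits.count("1")

    def as_mask(prefixlen):
        return str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").netmask)

    return as_mask(leading), as_mask(total)


if __name__ == "__main__":
    print(check_host_assignment("203.0.113.10", "255.255.255.250"))
    print(contiguous_candidates("255.255.255.250"))
    print(check_host_assignment("234.1.18.6", 29))
```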



Ansible - gather vlan facts, apply specific configuration base on facts

Hey guys,

I wanted to see if the below scenario would be something possible with Ansible, and if so what would be the approach for the playbook,

---

Basically I want to be able to have a playbook that will deploy a new VLAN based on an existing configuration, i.e. if the "base vlan" is tagged on ports 1-10 and on my uplink, I'd like the playbook to replicate the same configuration for the new VLAN that the playbook will push.

This is for an ICX environment.

I have a working script that does this using the old friend 'expect' and regex, but I want to have something more 'robust'.

Would dict2items be where to start looking in this case?

I believe that's doable but I'm not sure where to start.

happy networking!



1000fold speed decrease VPN

I am really desperate because I cannot find anything online about such an immense performance loss in internet speed.

How can it be that my internet connection is 50mbs and my VPN connection is anything from timeout to a few kilobytes? It literally takes half a minute to change a folder on a shared network drive in VPN (I see traffic max out at 50kbs).

Other configurations and VPN services work fine; the struggle is specifically with a built-in Windows 10 SSTP network via PEAP auth which is maintained by my organization. Can someone shed some light? I am lost.



Monday, May 24, 2021

Unable to configure VLAN for Netgear GS728TPv2

Hi all, networking newbie here and I was trying to configure a VLAN for the Netgear GS728TP switch for my company. I followed all the instructions here:

https://kb.netgear.com/31026/How-to-configure-a-VLAN-on-a-NETGEAR-managed-switch

I created a new VLAN, chose the correct ports to be added, removed the chosen ports from the default network and configured the PVID to match the VLAN. I have attached some screenshots to hopefully better illustrate my situation. Is there something I need to do on the VLAN section of the routing tab?  VLAN ID is 10. Thanks for all your help in advance!

https://i.imgur.com/zjoOwYt.png

https://imgur.com/UpebHuO

https://imgur.com/ZtQaI2m



Data center connectivity passing through two other sites

Hi all,

I have two data centers that I need to pass traffic between. There are two more data centers in-between these two sites that are basically acting as cross-connect facilities, but there are switches at every site. All fiber links are touching a switch at each site. Let’s say my locations are called: A-B-C-D.

My question:

Is it best practice to have all switches routing to one another (each switch will route to the next switch's SVI)? Meaning there would be SVIs set up on each and every switch?

Or is it acceptable to have switches B and C simply passing the traffic straight through at layer 2: trunks between all switches, with SVIs only set up on switch A and switch D? B and C would just be passing that traffic straight through on a dedicated VLAN.

Thanks!



ISO value 10G layer3 switch IPv6

Guys, experts, pros, friends...

...now that I've buttered you up!

I'm looking for a value 10G layer3 switch that can route IPv6 at wire speed. I use a lot of ubiquiti and mikrotik products and they really don't offer anything in this space. Mikrotik has a nice 10G switch ( CRS317-1G-16S+ ) for a fantastic price, but no hardware offloading of IPv6 at all including in their development version.

I don't need a ton of ports, but I want to be able to handle at least 3 10G connections and say 6 1G.

I don't need a ton of routes either; I've built a 1G native IPv6 network that only distributes its own routes, and then user traffic is tunneled across using GRE over IPv6. I would love to do VXLAN or SRv6 instead if the hardware supported it.

Alternatively, a multi-10G port router priced well. I can add a small switch to get the 1G ports I need.

Any suggestions?



How do I setup Multiple Public IP addresses through my TP-Link ER605 router? Possible?

I'm trying to set up a few servers that need their own static public (WAN) IPs and I'm not sure how to do it. I currently have a TP-Link ER605 router. I was told by my ISP that I have 5 static IPs available, but that I would either have to use a switch so that they could assign the public WAN IPs to certain ports on it, or I would have to put my router into bridge mode to do it if that was possible... I don't really understand why they can't just assign static public IPs to devices behind my router if I give them the MAC addresses of the devices... but apparently they can't... but a switch would allow this? How is that?

I'm doing all this because I'm trying to run a certain kind of software on multiple servers and they all must have their own public address.

Any help would be appreciated. Thanks



Juniper Exams

Has anyone else taken a Juniper exam and gotten an email after that their statistics show that you may have had access to an answer key? They still gave me the cert but what does that mean when I go to take my next exam? Do I need to go slower and take more time?



Multicasting data packets

I am trying to build an application that will multicast packets to IP 239.3.3.3.

It works as expected, as all the machines that are connected to Router A are able to read the data that has been multicast.

It also works as expected for machines connected to Router B: they are also able to read the multicast data.

Now, Router A and Router B are connected like this: Router A is connected to the modem and Router B is connected to Router A via a LAN cable.

The problem I face here is that machines on Router A are not able to listen to or read the data that has been multicast on the Router B network, and also vice versa.

Is this a technical limitation or am I doing anything wrong here?



Layer 2 VS Layer 3

Ok, so this is driving me up the wall, I have a great deal of trouble figuring out the difference between layer 2 and layer 3 in a large network. So hoping that someone can help explain this to me better.

I understand a layer 2 network to largely be based on MAC address, so a layer 2 switched environment would normally be a bunch of physical ports, the devices have IP addresses, they ARP and RARP back and forth to resolve station IDs and can send to each other using IPs or MACs which is fine and all that. You can have multiple vlans on the layer 2 switch, different physical ports tagged to vlans (in access mode on cisco?) i believe are all still layer 2.

Layer 3 comes into effect if you give the vlan itself an IP address or an interface on the hosting switch of the vlan to allow it to cross other networks.

Is that basically it? A Layer 2 can have IPs but becomes layer 3 if the vlan itself or the switching interfaces are given ips?

What's the difference between a layer 2 and a layer 3 trunk then? Since vlans can be l2 or l3, is it just adding an IP to the vlan on a switch makes it layer 3?



dog: An open source firewall management system for packs of firewalls (iptables)

https://relaypro-open.github.io/dog/

What is dog?

dog is a distributed firewall management system designed to manage hundreds+ of per-server firewalls.

dog is your network guard dog.

Why dog?

  • Need consistent network access rules across hundreds+ of servers in multiple regions on multiple providers?
  • Need defense-in-depth, beyond gateway firewalls?
  • Need blocklists with thousands of addresses distributed across many servers updated constantly?
  • Need to limit number of connections and/or bandwidth usage?
  • Sick of error-prone manual updates of per-server iptables rules?


Junos Juniper EX4550-32T-AFI 32-port never works with 10Gb

Hi guys,

I tried to connect my server to the EX4550 on a 10Gb port, but it never connects at 10Gb, only 1Gb.

When I set 10Gb manually like below

xe-0/0/9 {
    ether-options {
        speed {
            10g;
        }
    }
    unit 0 {
        family ethernet-switching;
    }
}

it just does not work. When I checked the link from the server, it says "Link detected: no".

I tested that my server can connect at 10Gb, and here is the ethtool result when connected at 1Gb to the switch:

Settings for enp1s0f0:
        Supported ports: [ TP ]
        Supported link modes:   100baseT/Full
                                1000baseT/Full
                                10000baseT/Full
        Supported pause frame use: Symmetric
        Supports auto-negotiation: Yes
        Supported FEC modes: Not reported
        Advertised link modes:  100baseT/Full
                                1000baseT/Full
                                10000baseT/Full
        Advertised pause frame use: Symmetric
        Advertised auto-negotiation: Yes
        Advertised FEC modes: Not reported
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: Unknown
        Supports Wake-on: umbg
        Wake-on: g
        Current message level: 0x00000007 (7)
                               drv probe link
        Link detected: yes

Thanks in advance



Network architects - frameworks, or just ccie?

A question to network architects.

Do you use frameworks like TOGAF or Zachman? Or any other? Do you have knowledge about enterprise architecture management? Requirements engineering?

Or is it just CCIE and years of experience?

I am thinking about going for a TOGAF certificate after I did my CCNP Enterprise with enterprise design. But I'm not sure if it is worth it.



How to block internet (only) access on a Windows 10 computer, password-protected, while allowing local network traffic?

Hello, I'm working with an unusual client who needs the ability to lock down all browser/internet traffic so internet is not accessible, but use of local network (printers, file sharing) works just fine. This must be locked via password, so only a network administrator can change these settings.

My initial thought was to install a firewall like TinyWall where rules can be established and enforced with password protection. However, TinyWall can be uninstalled without the password and thereby defeat the firewall rules that disallow internet access. I could then perhaps use something like My Lockbox to password-protect access to the TinyWall folder on the machine (and hence uninstallation), but this is starting to get clunky.

Can anyone think of a more elegant solution than my kludge above? Thanks!



How to make an IDF closet look nice

Hello all,

I am creating this out of frustration/desperation of our continuous, eventual decline of our IDF closet cable management and hoping to get some ideas as how to best cable manage our network closets.

Our IDF closets generally have a couple/few hundred ports, with anywhere from 2-4 stacked switches in them. We do not buy a device for every port, and use fixed length cables from typical vendors. Upon upgrades/clean outs I am generally happy with how the cable management is left after we are done; however, over time every one looks awful. Our IDF closets use wall mounted vertical racks for our gear (physically below the patch panels), while our patch panels are typically mounted in another wall mounted rack. Our cables typically plug into the switches, move to the left into the cable tray, and then up/over into the various patch panels.

Issues I am facing:

  1. Cable sag over time. This causes the cables to sag over switch ports and makes it difficult to physically get our fingers in there to move cable around when the persistent employee relocations occur.
  2. The general layout of our closets. I hate it, but just accept it as this was the space that was provided to us.
  3. Having many more patch panel ports (many wall plates per office, with let's say 4 terminations per wall plate, to allow desk/office customization) than switch ports causes the patch panel location to look... scraggly at best.
  4. Using fixed length cables causes a lot of slack at some points. I always measure and use the least amount of footage required, but within the cable tray (which does have a cover and pretty well hides the "mess") it can look scraggly as well. We use velcro wraps to tie our bundles together.
  5. Employee moves will cause us to pull/move a cable that was in (let's say) patch panel port 2, and move it to port 48. The extra length required causes us to pull the cable entirely, and put in a new one. As we have bundles already in place it is a huge hassle to undo the velcro at every wrap "point", add the cable, and retie it. Also, as the original cable was pulled and another added, it never rejoins the bundle as nicely as the previous cable did. The amount of "twisted" bundles we have over time makes it look like we never cared to begin with.

In an ideal world I'd like to have a switchport per patch panel port so I can never have to walk in there again and just shut/no shut ports down as needed after documentation between patch panel ports and switch ports are done. However we use Cisco and don't have money burning a hole in our pockets. I have looked at other vendors to save money and make this happen but those with the power to make it happen don't like the idea of so many "wasted" ports on the switches (I don't necessarily blame them, but it sucks).

I am praying some here have some ideas that I haven't thought of/discussed with my coworkers to potentially resolve our issues.



Diagramming software

Are people still hooked on Visio? I have been using dia for years, but I have had co-workers complain about it. With some effort I can get drawings into a scalable PDF, but it is a pain. I rarely use windose anymore, but Visio and the full Outlook client are two things that won't let me leave it completely. Wondering if anyone is using any other diagramming tools or if anyone would share what their experience is with sharing drawings. Thanks guys!



Help with an adapter

I ran into a bit of an issue just now, and I need help. My adapter (more specifically the TP-Link TL-WN722N) disconnected from my PC and I got a notification saying Windows did not recognize it. This had happened before, but it usually reconnected after a few seconds. I would love some assistance.



juniper ex2300 - route all traffic over firewall

Hi,

I recently purchased a few juniper ex2300s. I would like to route all the internal traffic of some/all vlans over our firewall, and thought about using VRFs for this. Turns out, the EX2300 series does not support VRF.
What would be the best way to achieve this on these switches?



L2TP over NAT through a Sonicwall, error 789

Trying to establish a L2TP connection from outside the network to a Win2012r2 RRAS server.

I have all the NAT rules set up on the firewall. I can see the packets flowing through the Sonicwall and also the certificate request/reply occurs over port 500 when I run wireshark on the host that I'm trying to connect with.

The connection then fails with error 789 on the host. I also don't see any logs on my RADIUS server that there was ever a connection attempt.

Alternately, when I'm inside the network the RRAS server picks up and connects fine, and the RADIUS server log shows the connection approval.

I found a forum post on Spiceworks which mentioned making a REG DWORD "AssumeUDPEncapsulationContextOnSendRule" registry entry and set it to "2" to no avail.

I must be missing a detail somewhere along the way that would have this working but am not certain what it is.

TIA!



Mobile Hotspot Static IP?

Good Morning,

I work for a credit union and we do these dealership days where we have auto loan specialists who sit at a dealership and crank out loans for customers.

They currently bring a mobile hotspot and a Microsoft Surface to these sites to process these loans. They must connect to a specific service hosted at our core site to complete these loans. We're running into an issue where the hotspots are dynamically assigning IPs and it's causing connection issues.

Does anyone here know if you can request static IPs with mobile hotspots, or a solution that can provide a static IP for us?