Hi all,
Helping out a friend, I’m not to familiar with Cisco IOS-XE and have a question regarding open udp ports.
I’ve run a port scan and can see the following open|filtered ports for UDP. All tcp ports are closed or filtered.
https://i.imgur.com/OZr95Mc.jpg
There are no acls on the wan ingress. I can see NAT-pnp open though, didn’t think IOS supported this?
TIA
I have a AIR-CAP3702I-A-K9 ap and no controller so I need the software for Autonomous Mode/Standalone Mode. I'm looking for the software to download without going through cisco since that requires a contract.
Hey All,
Thanks in advance for any responses to this post. This is seeking advice for our business. I'm a mechanical engineer for a metal 3D printing startup. We recently signed on for a lease of a 15,000 sq. ft. warehouse in south Florida. It's basically one giant 104ft by 148ft rectangle, with about 1000 sq. ft. of bare ones office in one corner. Our organization is currently 8 people, hoping to soon expand to around 15. On average, for each person in the office there's 2 computers and a cell phone, plus a few accessory devices like a dedicated conference room PC, and some smart TVs. So after some new hires we'd be close to 50 devices total spread across the warehouse and office. I'm fairly confident in my ability to handle set-up and install with one of my coworkers. The question here is, what kind of equipment should I be buying to handle the square footage here? From what I've seen at Ubiquiti most of their new wifi-6 APs can handle up to 300 devices, but I'm very unsure of what is involved in getting enough range. Ideally I'd like to just get all our equipment from Ubiquiti or Cisco, as we'll be in this space for at least 5 years and I have no intention of letting us rent equipment from our ISP unless that's something you'd actually recommend for our situation.
If there's any guides/videos/etc. you'd recommend please let me know.
Thanks again for any input.
I'm not looking for a book that explains how to administer a Linux network.
So far the book I found is called understanding Linux network internals by Christian Benvenuti. The only problem is that this book was released in 2005 and it might be out of date.
Can I still use this to understand this topic even though it's 16 years old? Back then the latest Linux version was 2.6.11. Today it's 5.12.12.
But if the theory was out of date then surely a new version would have been released?
Hi!
Anyone any experience on using dynamic vlan segmentation for 1 SSID, based on the authentication voucher used in the captive portal?
I’m looking into a solution for a “Guest WiFi” where I can assign the users in the proper VLAN. (To apply webblocker content restriction)
Clearpass should be able to do this I guess with the guest features.
Anyone some experience with this who wants to share his thoughts?
Would use an Aruba Controller / HP 830 Wireless Controller. Thanks!
Hello everyone! I have a nextcloud on my natwork which requires port 80 and 443 to run outside of my lan but I also want to run a website (and maybe more in the future) from the same ip. Also I want all of them to be https but it seems that https will only work on port 80. Is there a solution to have them run from my network?
http://catalog.owens.edu/preview_program.php?catoid=14&poid=4512
I have a year of experience working in a MSP environment. I do not work there anymore. Would this program help me be able to get a job in networking again?
My previous post was taken down by moids for some now obvious reasons, but I hope to elaborate more and keep the conversation going.
My intentions detailed in the last post are summarized here.
I would like to build:
I am currently past the point of splicing fiber and making patch cables. Most of my Sfp+ modules are compatible, but the original gear I purchased for taps and packet analysis is junk.
I acquired multiple Gigamon products (for a good price) that are near the end of life, but the software tools and licenses are unattainable. I now have a neat new office desk, once I weld the cases together!
I have looked into spinning up three google fiber connections for the wan, and the three roommates agreed to each signup. With a load balancer to tie them together, the price per month is nearly affordable.
The next steps are to try and find (enterprise or consumer if it exists) gear that has the ability to monitor around 100 gb/s of throughput.
I know I am not smart enough to figure out Fiber tapping hardware and at the low level required for speed (that software is probably nuts too. I definitely have to pick my battles. The goal is to piggyback off of the tapper, select packets that seem like outliers, and clear them for a good list. The ml training data will be, for a majority, good packets. For the list of bad, I hope to find packet captures online and create a few (running script kiddie code).
I can elaborate on the software more once I know more and I like constructive criticism, but I am in the hardware acquiring phase as of now. My questions are as follow:
Is there a solution for a gateway at multiple points in the network that can detect errors and anomalies that don't break the bank à la Gigiman?
What fiber taps does the collective hive mind recommend that are affordable (sub $500) and enable some form of user code or modification?
Am a headed down any wrong paths that you can see (traps for young players)?
I hope that I do not have to build a custom OPNsense or pfSense box while trying configuring everything from the ground up.
Thanks for the read and I hope to learn more so I can speak more adequately with you in the future.
P.s If you have time the TensorFlow toolbox for Quantum is some future! https://www.tensorflow.org/quantum/concepts
Hey team,
I've been playing with the free vm Kemp load balancer but was looking into purchasing used hardware instead since the VM is limited. I saw some boxes available on eBay and was wondering what limitations they would have if they did not come package with a license.
Anyone who's familiar with Kemp Loadbalancer, would you mind chiming if I were to buy these load balancer which of the following would happen?.
Hey guys,
I have 2 C2960X switches stacked and want to update them. I already got the right image and connected to them and read all about it and I did nearly the same as I did with the other switches that I updated yesterday (non stacked)...
But now one of the switches in the stack does not boot anymore. If I remove the connections that lead to the 2nd switch in the stack, then the switch boots normally.
Also the 2nd switch did not receive the update and still boots in the old SW-version. And if I try to copy tftp flash: the new image just as I did with the other switches, then the switch can't connect to my tftp server even tho I connected the switch to my tftp server via RJ45 patchcable...
Can anyone tell me what I did wrong and what I need to do to get them back to work as a stack again? Preferably on the new SW image...
I was looking at the configuration guide for Cisco Cat-9300 switch (Fuji 16.9.x release). I noticed that all the examples/configuration are for VxLAN BGP EVPN. Does any one know if data plane learning is supported on this platform?
In absence of anything in the configuration guide, I went ahead and tried it on cat-9300 to see if this really works or not. It did NOT worked, my VNI's stay in the "down" state. Here is gist of the configuration.
I ensured the connectivity for underlay (both unicast and multicast)
This is lab setup so just one spine and two leafs. (all three cat-9300 with DNA advantage license)
- Stitched VLAN and VNI through following config
vlan configuration 200
member vni 100200
- Define NVE interface
interface nve1
source-interface Loopback1
member vni 100200 mcast-group 239.0.0.200
With this I was hoping that when traffic sourced from a host in VLAN 200 should be able to reach the host on the second leaf switch but it did not.
leaf01#show nve vni
Interface VNI Multicast-group VNI state Mode VLAN cfg vrf
nve1 100200 239.0.0.202Down L2CP 202 CLI N/A
The above output shows that VNI are down and mode is L2CP. I am not sure why its picking mode L2CP, I want to experiment with data mode learning. Perhaps it is not supported or am I missing something? I have tested underlay unicast and multicast and it is working fine.
Hi there, I'm considering using Packetfence (a free NAC solution) on our network.
We tried Forescout few years ago but it's a little bit expensive.
So we plan to use the captive portal feature in first place to test the initial setup and a basic configuration (well I think it's a simple one), on a vxrail stack with the ZEN virtual appliance.
I faced some issues with the initial account configuration: you said 1/ passwords wasn't correctly set and I had to hard reset the root account in mariadb and reboot several times to get it clean.
2/ netplan was overwriting the interface configuration, took me a moment to find the trick and get a clean network configuration on the server
3/ to activate/deactivate services, there are switch buttons which act weirdly when you click on it (turning black and nothing happen). Plus, some services (pf-Ha-portal) get stuck in deactivate state and the only way to make it work again, is a reboot...
So, I feel like this piece of software is quite fragile and I'm wondering if I should continue with it
Feel free to share, thank you
Hello, curious I am. Unsure if how my company handles on-call compensation is fair or common out there. Located in US btw.
We currently have two employees in an on-call rotation - alternating every other week. They take pages from 6pm to 6am on weekdays and all weekend. Some days or even weeks are quiet with little amount of calls(0-5) which take less than a couple hours to resolve or band-aid until Monday or next day/morning. Most of the time, you would receive 0-3 calls every weeknight. Weekends are usually a similar story but multiplied by 2 or 3. We have a couple thousand sites we support on varying SLA's. We support wide variety of several different systems and carrier services.
On-call employees are compensated a flat weekly rate of about $350 after taxes. Nothing more and nothing less. How do other companies handle these?
I'm experiencing an issue on a virtual server where it will ping for about 5-10 minutes, then drop for a minute or two, then come back up. That pattern repeats indefinitely.
I'm not a network guy, but our network guy worked on it all day and was stumped; but I'm on call and have to resolve the issue.
The machine only drops from our office and remote home networks. It's not dropping connection from our data center (where the virtual hosts reside). We tried moving this machine to a different IP and it stopped dropping (unfortunately changing the IP isn't an option, we just did that for troubleshooting). When we made a new server using that IP, that didn't work, either.
So there appears to be something causing all computers on a particular network to drop connection to a particular IP. Our network guy checked to make sure another MAC wasn't trying to use that IP. He also tried setting some static routes. He said there was nothing particularly useful when he did a Wireshark capture. He said the server may have been on the wrong subnet mask, but when we changed it, that didn't help.
We are not aware of any changes that were made to cause this issue.
Any ideas at all would be much appreciated!
The more I try and move into the cloud, the more I hate these cloud services. Everything gets abstracted away into a black box that inevitably doesn't have any of the capabilities you'd expect, and sometimes not even the capabilities they advertise in their slick marketing pitches.
Latest frustration is trying to get Prisma integrated into our environment; we're kinda hybrid with some servers on-prem and some on our AWS VPC. Remote users need to access both. Prisma says it supports service connections to AWS, and that it supports BGP, should be great right?
Not so fast. Prisma doesn't support any kind of BGP Route filtering, or metric tuning, path prepend, anything that you'd actually expect for a service that claims to support BGP. You have to either send ALL of the routes in your Prisma route table to AWS, or nothing. Their excuse is to just do static routing on the other side . . . but AWS doesn't support static routes to individual connections (only to the Virtual Gateway).
So now I'm in this situation of Prisma saying “We don’t support BGP route filtering, use static routes” and AWS saying “We don’t support static routes, use BGP route filtering”.
internal screaming
Motherfucking fuckitty fuck I just want a router that will actually do router things.
I'm at the start of my career in the service provider space and know the generalised concept of the lower down the model, the greater the MTU requirement to support the higher layers, but what has always eluded me is knowing how to accurately calculate or configure MTU to take into account the upper layer requirements.
It seems there is such a wealth of combinations to consider in terms of the types of frames, packets and segments that could possibly be transmitted, especially when considering MPLS - how do others seemingly achieve this so easily? Particularly when looking at throughput and the effect of overhead. Is my way of thinking wrong or is there something I'm missing? What helped you all understand this better and are there any great resources available that cover this well?
Thanks.
Hi, I'd like to learn more about what tools a company would use to diagnose a remote employee experiencing slow speeds and choppy video calls. I'm familiar with questions to ask the employee like how far from the wifi router they are (RSSI, Noise, Tx Rate), or who their ISP is so I can check if the ISP is having an outage. But what tools would an employee on the network team use to diagnose this remotely?
This seems like like a silly question but I have a few USB serial adapters and one of most annoying things I have to check every time I plug it in I have to open up Device Manager to see what number the COM port is?
I know the easiest thing to do would be using the same COM port every time and making sure I use the same USB port but a I have a few adapters which I use depending on the situation I'm in and I'm looking for a quick to quickly find the number so I don't have to worry about it.
How do you all deal with this situation? Would love to hear your tips for such a silly problem! Haha.
I have a switch to manage (HPE OfficeConnect 1820 48G Switch (J9981A)) and I am kinda not succeding in doing what i wanted;I don't have much experience with enterprise hardware.
My idea was essentially to create four VLANs based on switch ports with the following table of accesibility between PCs in these VLANS
| 1 | 2 | 3 | 4 | |
|---|---|---|---|---|
| 1 - default | yes | no | no | no |
| 2 - PC with NAS | no | yes | yes | yes |
| 3 - group1 | no | yes | yes | no |
| 4 - group2 | no | yes | no | yes |
Basically i wanted to isolate 2 groups from others, but both should be able to acces one computer. All VLANs also need to have internet connection which comes from a router, where I am able (if needed) to connect a cable for each VLAN.
I was trying to make this happen with tagging, untagging, excluding ports and trunks. I had problems with PCs not being able to find eachother, if they were tagged in a VLAN. And for some reason in the default VLAN 1 untagged and taggged ports were able to comunicate.
First of all, I wanted to know, if this is even possible. If not, any alternative similar recomendations? If yes, short guide would be awesome!
Hi Friends. I have some EnGenius ENH201EXT wireless bridges (PTMP) installed. One of the 4 has fried and I cannot find a replacement. Can I mix and match models? Will a newer model work with this model? I am trying not to replace all four if not necessary.
I have not installed point to multipoint before so I dont know what is acceptable. As always any help is appreciated. My rep is out for the holiday and I need to get something in fast!
I have been googling and I can't for the the life of me find information regarding fs.com console cables. I have a S5860-20QS that needs work. Man even the factor reset calls using a console cable...thats not provided in the box nor specified what kind:
Its RJ45, so I assume DB9 to RJ45. And I have to buy something as onsite doesn't have anything but a Roller Over....so which one?
Can't believe this information is buried.
Can someone explain public subnetting to me? I am a software engineer and I have to process about a million IPs. Many of them are public facing and have a subnet associated with them. For example, there is ip 66.187.###.### with a subnet of 66.187.###.###/20 (# redacted for privacy) everything that I know about subnetting says that the first sequence of bits in the subnet must be 1s, but in the case of this subnet, 66 is 01000010, which starts with a 0. I have only ever seen an IP in CIDR notation, but in this case, the subnet is in CIDR notation. My knowledge level is CCNA and I never learned about this. Does anyone on this forum know about public facing subnetting and could explain the differences between private subnetting (NAT) and public subnetting?
As the title suggests, looking for an alternative to an ASR1001-X. It is literally providing simple 1:1 NAT. One interface in from an AT&T Ciena LAN range, one interface out to an internal Meraki MX100 which acts as its WAN. Throughput is <1gbps. I would prefer something with dual power supplies, but not a deal breaker.
The ASR is overkill for this situation, as was previously vendor provided but after upgrading circuit speed, we switch from one of ATTs subsidiaries to ATT direct, so the subsidiary would like their ASR back, which seems fair enough!
Vendor neutral site, we typically run Cisco Meraki and HPE/Aruba, but aren't tied to any vendor. Open to suggestions?
I have just been gifted several Dell 3024p and 3048p switches but most of the racks in my IDFs are two post and these switches are made to use rails and a four post rack. Does anyone have any experience with modifying the switch to add ears, or is there a product that will retrofit ears onto these switches?
Hello. I have some equipment with a simplistic web server. It is located in a remote location with only cellular internet. There is an Orbic RC400L (Verizon hot spot) available that includes wifi only. The equipment has an ethernet port. Wifi is not available on this machine. My first thought was to find a router with ddns capabilities and the option to use it as a wireless bridge to make the connection from the wireless hotspot to the web server. Any thoughts or suggestions on this complicated solution to a simple problem?
Hey Guys,
I'm configuring NAT on my Cisco FMC. What's the difference between them? can you guys give me some examples?
NAT Rules Before
Auto Nat
NAT Rules After
NAT Rules Before:
IPSEC tunnel and SSL NAT
Auto Nat
Access to the internet via interface
NAT Rules After:
NAT from outside to our internal servers ( servers that are accessible from outside)
is it correct ?
Lately, I've seen most vendors are offering their own solutions to automate and orchestrate their network kit. Usually cloud/portal based solutions that talk to the API on the devices. Sometimes requiring some kind of on-prem component, but more often than not totally cloud based.
My question is, I see a lot of chatter here all the time about how it's time to learn devops skills, and if you're planning to work in the field for another 20 years, you had better hop on that devops bandwaggon and become a coder, or you'll soon be out of work.
But... aren't these packaged and sold products for automation and orchestration going to most commonly solve all of the problems that automation solves, but require a much lower total cost of ownership?
At the end of the day, buying and using this product will offer all the same benefits of having a full time developer team maintaining open source products that have been modified to manage network kit.
Maybe I'm being incredibly short sighted, but I see the cost of that only making sense for "hyper scalers" which 99% of organizations don't fall into that category (far from it!)
Thoughts?
I port forwarded a port (4976) for my COD BO2 game, everything looks fine and dandy but when I check them on a port checker it says that the port is not open. How can I fix this?
Images of the issue:
I am quite deep in my IT career and I am embarrassed to admit I constantly struggle with troubleshooting networking issues between servers / docker containers / kubernetes pods etc
For example I am currently running Ubuntu for Windows, running a Kubernetes cluster using Minikube with a docker driver (so the one Kubernetes node is in a docker container) and have Jenkins deployed.
I have portforward jenkins 8080 to localhost:8080 but I get 'Unable to connect when going there in the browser.
The only command I can think of is 'telnet localhost 8080' which returns 'connection closed by foreign host.
What is your general workflow when troubleshooting these kinds of issues?
What are some tools you use to help you with this?
I am a really visual learner, what is a suitable way for me to improve at this?
I have a script that checks on our switches if the running config has been changed. For that I use SNMP with OIDs '.1.3.6.1.4.1.9.9.43.1.1.2' (last save) and '.1.3.6.1.4.1.9.9.43.1.1.1' (last change). This works fine with SNMP v2. Now we want to change to SNMP v3 but those OIDs no longer work (switch returns nothing).
Anyone know how this is done in SNMP v3?
I have taken over a client with a few Netgear GS110TP managed switch's and I have installed a new Netgear GS110TP V3 to replace a faulty one. Next step I am looking to upgrade firmware on the older switches and this is whats confused me a bit. The old switches don't say if they are version 1 or 2 in the web interface and there's no easy way to tell on netgears website by entering serial info either. I also cannot get to the switches currently due to location but will in a few days.
Is there an easy way to tell I am missing? The Netgear Smart Control Centre shows the switches and the new one it shows GS110TP v3 but the old ones just show GS100TP, so I would assume they are v1. But the bit thats got me confused they have firmware version 5.4.2.13 which netgear doesn't list for v1 only for v2.
Is there an easy way to tell?
I love my Juniper gear, but I need a switch with the following:
It doesn't need to do anything clever, just basic VLANS.
Unfortunately the "quite" requirement eliminated the Junipers as the dual power supply switches sound like the marvel helicarrier taking off!
I'm intrigued by the HP / Aruba switches, but the switch selector is broken for dual PSU and there's so many to choose from!
Hi, I'm in the process on setting up an SSL decrypt MITM proxy on Firepower and have read that Firepower doesnt support TLS 1.3. Does anyone know where I can disable TLS 1.3 or force clients to use 1.2?
Cheers everyone
I can't find definite figures for say E1 to IP conversion...
I get packetisation figures of 10 and 20ms which is just the sample size...
I'm talking about the processing delay of receiving the E1 audio and converting it into a packet and sending it on it's way... using say G. 711...
with a setup of: Analog - > E1 - > IP - > Analog
on a simple bench setup with a Cisco SBC, I'm seeing 1 way delay of circa 50 to 70 ms (using an external audio quality tool)
Hi there, I'm considering using Packetfence (the NAC open-source solution) but I would like some feedbacks on setup, everyday usage, etc Feel free to share ;)
I'm looking for recommendations on ways to automate "failover" of traffic between carrier-redundant internet circuits when the issue is further upstream in our primary ISP's network.
Our current setup: enterprise network with ASN and PI prefixes, two internet circuits on different carriers, all-BGP edge environment, "active/passive" design for path selection, using higher local preference internally on primary for outbound path selection, and BGP communities via outbound route maps with each carrier to influence their LPs for inbound path selection.
Today we had an issue with our primary carrier where our circuit and their metro area were all operational, but they had issue with interstate backbone that led to roughly 50% packet loss / 90% throughput reduction - a bad time for our users. But because BGP neighborship stayed up and default route still advertised to us, our routers were blind to the issue and so no rerouting to our secondary occurred. Because there was another ongoing unrelated incident tying up our on-call resources we were slow to notice the problem so by the time we identified what was happening and got traffic rerouted over to the other carrier we had enough users blowing a gasket to turn this into a Big Deal™. About 1hr from on-set to workaround (would have been faster if we had a pre-set runbook for manual reroute).
Are there any common, reliable (and ideally free but don't want to be a cb here) solutions to automatically identify upstream ISP issues like this and automatically adjust routing accordingly in order to more rapidly respond to incidents like this? We're running Cisco ASRs on our edge if that makes a difference.
Here's the situation. I have a device that supposedly uses Modbus TCP to communicate and I'm trying to write a python script to talk with it. I've been alternating between pymodbus and pymodbusTCP libraries. I'm able to make a connection to the device through python, but I can't get any data out of it as it doesn't seem to like my requests. The manufacturer gave me some of their own software to talk to said device, probably written by their engineers, and it works. I'm able to get live data from the device. So it must be that I'm doing something wrong.
Important things to note:
- Device's IP address is 192.168.2.250
- Device's port is 6601
- My laptop's IP address: 192.168.2.5
Ok so lets look at some wireshark data (today was the first time I've ever used it, so go easy on me). First thing I did was listen to the manufacturer's software talking to the device. My thoughts were that maybe I could see how the packets/frames were arranged and then compare them to my python script's frames that it sends out.
Manufacturer's Wireshark Data:
https://i.imgur.com/EN0Oz1q.png
What I'm noticing here, that may be irrelevant, is that it's always sending 8 bytes of data. And the arrangement doesn't really make much sense to me. I can't tell just by looking at the Data section where the unit ID is, or the function code. But, everything's happy and talking.
My Python Script's Wireshark Data and Script:
https://i.imgur.com/oW48ifO.png
Here I'm noticing that my data that I'm sending the device is in Modbus TCP format. It's clear where the Transaction and Protocol ID are, Unit ID, function code, etc. But for some reason the device won't give me a response. (Also note that I was messing around with random Unit ID's, from 0 to whatever). It sends 12 bytes of data, and really doesn't look similar at all to how to manufacturer's software arranges the data.
Something odd as well is that wireshark is telling me these frames are the TCP protocol. But I've seen screenshots where the protocol is displayed as Modbus TCP. So I'm wondering why it's not showing that for me.
And here is my python script
from pyModbusTCP.client import ModbusClient client = ModbusClient(host='192.168.2.250', port=6601, debug=True) print(client.open()) print(client.read_input_registers(9, 1)) client.close() I have my script printing what's returned after client.open() to make sure that it's connecting, and it is.
Really hoping some of you experts might be able to see something I'm doing wrong here, or overlooking. ANY help is greatly appreciated. Probably really simple.
I'm browsing my local second hand website for a POE switch and came across a Cisco Meraki MS220-8P. Seems great but it states I need a Meraki license to use the managed side of switch.
I looked at Meraki website and I guess its enterprise stuff only, no details on pricing. Now I don't necessarily needs a managed switch, can I just use it as an unmanaged switch without any license? I am pretty new to using a switch and only need the ports and POE.
Right so, almost pulling my hair out as to WHY Firepower here isn't logging to the Event Viewer, and yes, I do have logging enabled on my polices. But it seems to have globally stopped logging any traffic to be honest. The last log was from half an hour ago and obviously a lot of traffic has passed since then. What on earth is stopping this annoying apparatus from doing this! Holy cow it is pissing me off here!
Thanks in advance guys
Tried googling but no luck! Sorry if wrong sub.
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.
Feel free to submit your blog post and as well a nice description to this thread.
Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.
I need some help in sourcing an appliance to provide POE for some Primex clocks that are going into a new construction area. Does such a thing exist, even?
We have a construction project which has multiple Primex clocks going into the new area. These clocks are only powered by the network, and are kept synchronized via radio waves.
At the last count there were 65 of these devices to be connected to the network power, and because they don't use network traffic, it seemed a waste to use 9300 switches to just provide power.
edit: I've been suggested to look through Amazon for POE injectors. I guess I was overthinking the issue
A month or two ago I took a /24 block out of NY and started advertising it in London. Users in that block are still being treated as if they are coming from the US for sites like Netflix, Amazon, etc, etc. Eventually these Geolocation databases seem to catch up - but is there a way to be a bit more proactive about it?
Just looking into Layer 3 switches from a learning point of view and my understanding is they are a benefit on larger networks when you dont want devices goig back to the firewall to route traffic on the same switch.
When it comes to setting them up to use this functionality do you need to config static routes or any additional config??
I have a few cheap Netgear GS110TP switches and they are apparently Layer 3 but wasnt sure if L3 requires additional setup to work?? I have no need for Layer3 just trying to learn about it further.
Hey all.
I am just curious what steps everyone takes when troubleshooting latency on an all Cisco shop, with no 3rd party tools at their disposal. If you had to just use the IOS commands, and all you were given was a source and destination IP, and someone states that they believe there is latency within the path, what (logical) steps would you take in order to decipher if there is indeed latency within your network.
Basically, title. I had a pair of Patton 2888 linking an office with a remote site over T1, remote site got zapped, Patton is dead.
Looks like that model is EOL so I am looking for suggestions as to what people like for this kind of application. Thanks!
And, yes, going to add inline lightning protection to on the T1 when I do the replacement!
I'm trying to set up an (android) MLS iq1570 as a hotspot, but although the phone itself is connected to 4G, no one else who conects to the phone can access the internet.
I've tried all the possible settings, reset APNs, rebooted several times.
What else can it be?
Hello,
I've got question about qinq. Normally, when there's only one qinq L2 transmission we are configuring that kinda like that (Edge-corE switches conf):
#interface ethernet 1/1
#switchport dot1q-tunnel mode access
#switchport allowed vlan add 100
#switchport native vlan 100
#switchport alloved vlan remove 1
#interface ethernet 1/2
#switchport dot1q-tunnel mode uplink
#switchport allowed vlan add 100 tagged
But when we want to provide more than one L2 qinq transmission to the same client we have to use selective qinq:
#interface ethernet 1/2
#switchport allowed vlan add 100,200 tagged
#switchport dot1q-tunnel mode uplink
#interface ethernet 1/1
#switchport allowed vlan add 20,100 tagged
#switchport dot1q-tunnel mode access
#switchport dot1q-tunnel service 100 match cvid 20
#interface ethernet 1/3
#switchport allowed vlan add 30,200 tagged
#switchport dot1q-tunnel mode access
#switchport dot1q-tunnel service 200 match cvid 30
What if i don't want to do that selectively but just passthrough all the vlans in that qinq transmission? I just don't wanna know what vlans is my client use and have no impact to that (f.e. adding extra vlans in the future). I want to add that this qinq will go through Edge-CorE and TP-Link switch.
Hey guys. I've been asked to help figure out why users are having connection issues when dialing into a Babl call. They can connect to a call but straight away get disconnected.
I'm not familiar with webRTC so I've no idea on where to start. I was told that users were only having issues in the office but they're also having issues when outside the office.
They use Chrome as their browser. I was going to analyse for packet drops/WiFi connectivity issues within the office but after hearing about the issues out of the office it sounds like an external issue.
Where would you start with this?
I have a branch office switch learning some routes via BGP and OSPF (same routes on both). At the moment the BGP routes come over the primary WAN connection and the OSPF over secondary WAN.
This works fine as the lower AD BGP routes are preferred and OSPF routes only become active when the BGP WAN drops.
If I needed to reverse the behavior, i.e. prefer OSPF over BGP, what would be the simplest way to do this?
I've considered sending summary routes over BGP to make them less preferred but cant as the networks are not contiguous. Would my only option be to raise the AD of the specific BGP routes (above 110) via an ACL and the distance command? I guess I would have to do that at every router that currently receives the routes in question though?
Is there a way to change how the routes are advertised at source to make them less preferred (than ospf) across all other routers?
Hello everyone,
My CCNP is about to expire and I need to take an exam to keep it up to date (employer requirement). I took a CCNP specialist exam a couple months ago thinking that would renew/extended my certification's expiration date. I was wrong.
Are any of the exams easier than the others? Previously I would take the troubleshooting exam to recertify, but I don't know the new exams. I'm leaning towards the VPN exam (300-730) just because I work a lot with site-to-site vpns, but not the other types of vpns.
Any recommendations are greatly appreciated. Thanks in advance.
Hi guys - I was wondering if anyone knows how to (programmatically) generate a list of subnets from a list of discrete IP addresses?
We are currently receiving a looong list of IPs from an external provider which we need to input to one of our tools. Visually inspecting this list I can see that there are many common subnets, so rather than inputting each of these IPs individually we are exploring ways to process this list to determine a list of subnets which would cover all these IPs. Ideally the lowest common denominator so that we don't include anything that shouldn't be there.
After some googling, there seem to be a lot of resources out there to convert CIDR / IP & netmasks to IPs, but I'm struggling a bit with finding any good resources for going the other way. Has anyone come across this before and solved the problem, and if so, how did you go about doing it?
Edit: I've found this web utility but I'm looking to understand how this works so that we can implement it ourselves: https://ip2cidr.com/bulk-ip-to-cidr-converter.php
Hey folks,
In the last few weeks, I've been working in a lab to help me studying and testing new ideas.
The main requirements for me were to create a lab that was easy to deploy/destroy with one command so I would only pay for those resources while testing some ideas.
The Lab in the repo will help you to deploy and destroy a Global Network in AWS with only one command. It does require some initial setup but nothing too long or complicated.
Lab Features
- Isolation between Dev and Prod environments is achieved by using Transit Gateways Routing Tables.
- 4 Regions
- 2 x Dev VPCs + 2 x Prod VPCs per region
- Fully meshed TGW Peering for full redundancy
- You can access EC2s via SSH to test connectivity from region to region.
- Extra: Invoking an AWS Lambda from Terraform to tag the TGW Attachment Names. (Only used in cell0000 - eu-west-2)
While working in this lab, there were a few things I learned and noticed:
- The more I use Terraform, the more I like CDK. At some point, I'd love to migrate this deployment to CDK or Pulumi and see what challenges I find in the process.
- DRY code in Terraform is tough. There seem to be some ways to help with this problem, like Terragrunt or even using Terraform modules but my main focus was to build the lab and advance with my studies.
- Terraform does generally a great job at keeping the state and the dependencies of the resources, but sometimes you need to work around problems by using depends_on to tell Terraform to actually wait for other resources to be created.
- Prefix Lists in AWS: I could only use them for the TGW Peering Connections as the exit path would always go via the TGW Peering connection. However, I wish there was a way to create a prefix-list without a Next-hop. For example, a way to easily propagate all the Prod TGW Attachments by associating them with Prefix lists and then use that prefix-list to propagate routes into the Prod Transit Gateway Route Table. Similar to how you associate an ACL with a route-map and use that route-map to import routes into your routing table.
All in all, this has been a pretty fun experience. If you are learning about AWS, I'll leave you the repo so you can play with it and modify it to your liking.
https://github.com/danielmacuare/aws-net/tree/master/terraform/tgw-multi-region
what are your thoughts about this news from AT&T about placing all their mobile assets onto Azure cloud?
https://www.reuters.com/business/media-telecom/att-run-core-5g-network-microsofts-cloud-2021-06-30/
AT&T are not the first to do that. is this the end of the service providers world as we know it?
running the entire network in the cloud is doable but is it efficient? is it performing? is it reliable?
i have my doubts...
I have a phone lying around. I want to turn it to 4G proxy. How ?
Hi, I am looking for the following:
- Reliable gigabit managed access switch, 24 port PoE and non PoE models (not from used market), for small networks, 1 to 6 switches.
- Layer 2 (VLANs, basic security, LLDP, event logging, SNMP, ...)
I have had experience with Aruba 19xy, 2530, Cisco SG, Netgear. And had several problems: reset to factory defaults, freezes, not storing config changes, faulty leds and ports after 3 years, etc.
I have read of similar problems with other brands.
Should I lose hope ?
I am currently studying wireless networks and recently got a question wrong, but I cannot figure out why this is true for the life of me. I am trying to figure out if the question is wrong or if I misunderstand something.
"Your wireless network includes one centralized AP that you configure. This AP forwards the configurations to other APs in your wireless network. Which of the following BEST describes these APs?"
the correct answer is: The centralized AP is a fat AP, and it configures thin APs in your network
How on earth would a fat access point configure a thin access point? I was under the impression that thin/fit access points got their configurations from a wireless LAN controller. I started thinking maybe clustering could do this, but from my experience, this would only work with other fat access points.
(Before reading, please keep in mind that I am an idiot)
I work at a recording studio, and we're looking to upgrade our network setup.
Firstly, our digital audio is routed throughout the facility with Dante (audio-over-IP). We regularly have 60-100 channels flying over the network on any given day. The only other equipment on the same network are digital mixing desks (control data) and some PoE audio monitoring devices.
For the last 8 years, we've been using a Cisco SG200-26P switch with DHCP provided by an old D-Link consumer router (did I mention that I was an idiot?). To be honest, I can't believe it even worked for 8 years.
We also have a new Synology NAS with 2x10gbe ports for archiving recordings.
Ideal requirements for our new switch:
TLDR: need new switch. Reliable, DHCP, 24 ports, PoE, web interface, 10gbe maybe
Thanks!
Hi, what is the best way to go about upgrading the SFR module? Can it be done via FMC or is there a way of doing it via CLI? ASDM would be my last choice but what is the best way of going about it or if anyone could send any links to decent articles then hit me up, haha.
Thanks
Have domain with shares.
server 2016 - using AD.
2 sites
using dfs
site a users can access share, modify and delete.
site b users can access but not modify edit delete
same user - site a works fine - users can create - modify - delete
site b cannot modify edit or delete
when i goto direct share on server still same behavior from each site.
i have tried on different systems at each site using same user - site a allows full access
site b does not allow full access - though permissions should allow this. and its same share through domain.xxx
even if i have site b access site a share directly -- \\server\share - its read only.
if i have the same user on a site a workstation access site b via \\server\share it works as well.
its only if i am logged into a workstation from site b that i can not modify file on the share.
I have a customer that is in the process of moving to a new building 1km down the road. They would like to keep the network up and usable while they move things one piece/department at a time. They have Windows servers with the PCs joined to Active Directory and file shares.
They have a site-to-site ZyXEL VPN set up between the two locations, but to accomplish that, they created a new subnet for the new location. This is going to be a serious issue when they move the servers. Either the servers will need to be re-addressed making the move 10x more complicated, or we'll need to find a way to keep both sites on the original subnet across the VPN.
Is this possible? I found some articles about this, but they seemed to be related to point-to-site (mobile) VPNs rather than site-to-site.
The other option I thought of is a PTP wireless bridge, but there's a few trees and buildings nearby that might make this too expensive.
So I inherited an ipsec DMVPN config from the previous person in my position and it has a different configuration than I'm used to seeing. However I'm far from that experienced configuring ipsec on routers.
However, the config that I see that seems to be best practice would look something like:
--------------------------------------------
crypto isakmp policy 1
authentication pre-share
encryption ae 256
hash sha256
crypto isakmp key ciscokey address 0.0.0.0 0.0.0.0
!
crypto IPsec transform-set trans2 esp-des esp-md5-hmac
mode transport
!
crypto IPsec profile vpnprof
set transform-set trans2
------------------------------------------------
Now the config that I inherited is more like this
-----------------------------------------------------------------
crypto ikev2 keyring KEYRING
peer Next-Hop
identity address 0.0.0.0
pre-shared-key local 6 c\DQCHU]PDbPXEYVXJKFDJSLF9808FDLLJL
pre-shared-key remote 6 ]NPfeGHHfZEVT^BA]_O[hQhFD435464FGFGF
!
crypto ikev2 profile IKEV2-PROFILE
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
dpd 30 5 periodic
!
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile DMVPN-21
set transform-set TRANSFORM
set ikev2-profile IKEV2-PROFILE
-----------------------------------------------------------------
I don't see any cisco guides exactly suggestion to go with the way we have it, and I'm not really sure what the pros and cons are of each. Anyone have any ideas or can point me in the right direction?
I just re-configured our firewall(s) (HA pair) in one of our data centers to receive a default route from both of our internet routers via BGP. We're running a pair of ASA5545x's on 9.12(3)12. These connect to a set of switches that also connect to the two internet routers. There is only ONE outside interface, as it's able to see both routers over the same VLAN through the switch.
Everything is mostly working, except ECMP. In lab I had this working perfectly, but it looks like when I moved the config to production, the zone-member OUTSIDE command was not applied to the OUTSIDE interface. In ASDM, I'm not able to add this interface to a zone because it's associated with a crypto map for a S2S tunnel. Would this missing command be the reason that ECMP is not working? Both of our default BGP routes are being learned properly and both have the exact same AD, AS path length, etc, so they should both be eligible equal-cost default routes in the routing table. However, I am only seeing one at a time (if I drop the neighbor on the current "primary" circuit, it failed to the "secondary" as would be expected in an active/standby config).
If I do need to apply this command to get it to work, what does this mean for my S2S tunnel? And would such a change be traffic-affecting?
Kinda frustrating that the entire reason for me redesigning things this way was to get load-balancing (at least on outbound traffic). (To be fair, it was also to do away with HSRP between the routers, but load-balancing was the primary reason.)
If anyone has any advice, I'd really appreciate it! Also if you need a config snippet, I'd be happy to provide. Thanks!!
I'm standing up a network for a temporary event. We expect that we'll have a max of ~15k clients (90% smartphones) connected concurrently. I have been assigned a /27 from the ISP and am trying to determine how many IP addresses I need to devote to NAT. Are there any best practices as to how many clients you can NAT behind a single public IP?
Im looking to build a device that emits a signal to a very close antenna. Wanted to see if I need to register a license to use this tech or if it’s just open bandwidths. Everything I’ve seen so far show they’re unlicensed bandwidths except for the 5G wavelengths.
Yang is pretty cool. I've seen lots of videos and tutorials on the benefits of yang, but I'm having trouble figuring out how I can use it on the client side during configuration generation or configuration linting.
Ive noticed that it looks like if I get a config via rest/net conf, the Json response I get looks to be a mashing together of the device config with various yang models.
How exactly is that done server (router) side? Is it possible for me to combine a normal config with a yang model to generate that JSON extrapolation to validate a config before I push it to a device?
General questions:
How are you using the yang model in your environment?
Hi r/networking,
I am currently in conversations with some companies for a possible new job. Now i'm curious how most of you guys would handle this situation.
One of the companies stands out, but they are exclusively Citrix based. Also for their IT-stations. Personally, some time has passed since I last used it. But I dislike not having full control. Also some other software choices of this company bugs me. Their network is quite interesting and I genuinely see opportunities.
I feel like i'm overcomplicating things. But admins/engineers that are not in full control of their 'own' workstation could -potentially- stress me out. Of course i do not know all details. I do know byod is out of the question.
So basically the title. Curious how some of you might have handled this.
Hey everyone, hopefully an easy one.
I've been tasked with tidying up our DNS (yikes!) and I've been trying to figure out the following. So far Googling hasn't been successful.
Say there's an internal DNS server called dns.A.local with a forwarder to dns.B.local, which in turn forwards to dns.C.local (and you can see where this is going). What is the expected behaviour assuming the request was for an external request (like google.com)?
I'm assuming that:
Does that sound right or am I way off?
I had 2 exams that got converted to ENCOR and now looking to get one of the concentration ones
Im looking at 3 of the below, what is in demand at the moment or best to go for?
Im thinking sdwan or auto would look better on a CV than the oul routing that every other ccnp has as a result of the conversion
Implementing Cisco Enterprise Advanced Routing and Services (ENARSI)
Implementing Cisco SD-WAN Solutions (ENSDWI)
Implementing Automation for Cisco Enterprise Solutions (ENAUI)
What do you guys recon?
Howdy,
I'm on a remote job and trying to improve my internet connection.
I have physical access to my hotel's wifi router. The router is an HP MSM410. Currently I have "DSL" speed from the Wifi router. Good enough for most things, but its the 10 - 15 minutes a day when I need faster speed for work that are killing me.
Using CAT5 cable, can I make a hard wired connection from my laptop's RJ45 Port to the hotel's MSN410 Router's RJ45 Console port?
Would the connection screw-up anyting on my PC or on the hotel's network? I'm hoping it would be just like the old days back in the office when you just pluged into a corperate office port with cat5 cable. Hoping ... hoping ... hoping
Thanks in advance.
I'm currently running a medium business on pfSense. Been doing this for 5 years with zero issues. I have a decent budget now for security, so looking at seeing if it's money well spent going to an enterprise firewall. I currently have a 3rd party vendor with an appliance on-prem that has a port mirrored to my Internet VLAN to sniff any suspicious traffic. Also, my pfSense firewalls and AD servers send logs to the appliance (SIEM). I use DNS Redirector to filter DNS.
I'm using OpenVPN for 15 employees that connect and RDP into their computers.
I use Snort for IDS and auto blocking (scans, etc).
I don't use web content filtering since it doesn't work with HTTPS and I don't want to mess with certificates on all our devices.
I have failover with two WAN circuits. My primary connection is a 500Mbps fiber circuit. Backup is 20Mbps.
I have a pfSense VM for my main network, a pfSense VM for my Public WiFi network, and a pfSense VN for my secured WiFI network. I don't currently have WiFi on my main network, and will probably keep it this way for sometime. So, a total of 3 pfSense VMs on my VMware cluster.
Would the FortiGate give me better virus/malware protection by filtering traffic with full L7 awareness?
How's the content filtering? Can it inspect HTTPS for ALL devices, with no SSL cert errors or configs?
Can it do VPN with MFA easily?
Could one FortiGate be a firewall for my 3 segregated networks? Separate DHCP server for each one? Or just use it on my primary office network and keep pfSense for the WiFi networks?
Any recommendation on which model would work good for our 500Mbps fiber circuit? I don't see us going to 1GbE for another 5 years. We just upgraded to 500M from 200M a year ago and don't' use more than 50% of the pipe.
Any advice is appreciated as I mull over this big and expensive change. Not looking forward to learning a new device and working out all the issues, but also want to give us the best security.
Hi,I have two hosts and I install OVS on both of them.Now I want to run Vxlan between this two switches.
The commands I use for Vxlan tunnel on first switch:
ovs-vsctl add-br br0
ovs-vsctl add-port br0 vxlan0 -- set Interface vxlan0 type=vxlan \ options:remote_ip=172.30.0.103
ovs-vsctl add-port br0 vi0 -- set Interface vi0 type=internal
ip link set dev vi0 up
ip a add 10.11.12.13/24 dev vi0
and similarly for other switch:
ovs-vsctl add-br br0
ovs-vsctl add-port br0 vxlan0 -- set Interface vxlan0 type=vxlan\ options:remote_ip=172.30.201.61
ovs-vsctl add-port br0 vi0 -- set Interface vi0 type=internal
ip link set dev vi0 up
ip a add 10.11.12.14/24 dev vi0
And now i can ping 10.11.12.14 from the other side of the tunnel (with lower than 1ms latency) and everything works just fine.
The problem is low bandwidth on tunnel interface.
when on host1 (with ip 172.30.201.61) I iperf to hosts2(172.30.0.103), The output shows near 1Gbps. but when i use tunnel interfaces for iperf, The output shows near 100Kbps.
I have Googled around but had no luck finding any useful document. Does anyone have an idea why the bandwidth is too low?
BTW: I try this type of configuration too and get same results.
ovs-vsctl add-port br0 vxlan1 -- set interface vxlan1 type=vxlan options:remote_ip=172.30.201.61 options:key=43
Thanks!
I am a 24 yr old U.K. graduate with an unrelated bachelors degree.
I wish to retrain myself, and secure a career within networking.
I have limited knowledge of IT and am currently building up a roadmap of resources so I can self research and learn.
Just wanted to make sure I haven’t missed anything before I begin my new journey working towards the CCNA.
I plan to:
Read up a LOT. Will purchase “Network Warrior” by Gary Donahue, also “Networking for dummies”
Use ICND1 and ICND2 for dummies in addition to CBT nuggets to grasp the material as I have no formal IT background.
David Bombal and Neil Anderson video courses off Udemy
Packet Tracer for labs and Boson for mock exams
Am I missing any resources or additional bits that would be vital in achieving this?
Thanks, and I look forward to learning :-)
Cross Posted in smaller sub r/wirelessNetworking
Hello everyone. I am working on a building renovation. Some of the non-IT management are asking for a simple explanation about our 2 separate networks. The issue is: we have one Network that goes to the outside world and other facilities internet etc. We have another network that is totally contained inside the building for security reasons (Lab) The building renovation will need separate AP’s for each network. There is no survey in place. I am trying to explain to them in layman’s terms why we need to try to separate these AP’s and worry about channel overlapping etc. They will have 2 different wireless controllers, different switches etc.
What is the best way to explain how we need to set these up so the non-it management can understand it?
Thanks for any help you can provide.
Hi, a friend has asked me about setting up public Wi-Fi access for his food court business. He wants customers to have to login, which I understand requires the use of a RADIUS server.
I'm a software developer, and while I do have some understanding of networking, I've never done something like this before. Are there any guides on how to set up a RADIUS server (preferably using Linux) and use it to authenticate a wireless access point?
From what I have seen their products seem to be really well engineered and they have a lot of nice to have features. But the sales process with them has been so miserable I’m tempted to look elsewhere. Getting a quote for specifically what I ask for has been next to impossible. A good example is that I’m looking to purchase between 11 and 20 fortigates and for a FortiManager VM was quoted correctly on the initial licensing but on the renewal they quoted 100+ devices and they didn’t even quote me on FortiAnalyzer like I asked for… That and I don’t even think they can explain the difference between the cloud offerings with the 360 protection bundle and going with virtual machines on premise because every time I ask the same question about functionality I get a different answer and that answer usually is not correct per documentation I find after discussions with them…
I really do like the threat protection features I have seen and read about in the documentation but I’m open to other solutions if it’s going to be this difficult to actually get pricing so I can work on actually budgeting everything.
On another note what is everyone’s thoughts on their switches and access points and how they are integrated into the FortiGates? It looks interesting but I have a preference for Junipers switches and unifi seems much more cost effective for wireless. But if you don’t go with their entire product line are you really get your money’s worth with FortiManager?
Also is anyone able to explain the difference between their 360 protection bundle and going with FortiManager and Analyzer as a Virtual Machine?
I would really appreciate all of the help I can get with this.
Hi, I am in the middle of creating an SSL decryption policy and since I'm not sure how a TLS 1.3 site will behave yet on Firepower, I'm looking at enabling Ciscos, "TLS Server Identity Discovery" and use it to test access rules that trigger on "application" and URL's.
Currently we have 2 ASA's that are running Firepower 6.4.0.3-29 and 6.2.0.2-51...I have read that the TLS Server Discovery feature is only available on 6.7 and above, can I upgrade these modules to their latest (stable) image and enable this feature does anyone know?
Cheers
So I'm trying to do sort of a split tunneling idea here on a Cisco 1811.
Basically I have an wireless access point off a switch port of a 1811 router.
The outside interface with a public IP has a site to site vpn back to our core with GRE over ipsec.
I applied a NAT config to the internal svi on the router as the inside and the public interface as Outside.
The IPsec interesting traffic acl shouldn't apply to my WAP traffic as it's on a complete different subnet, and the interesting traffic acl applied to the NAT config should pick it up
Well, it didn't work.
After looking up Cisco's documentation on iOS order of operations I could see why it wouldn't work as Nat is clear down on 14 in priority. But the IPsec acl shouldn't apply to my WAP traffic and it should work right?
Anyways, when I remove the IPsec crypto map, Nat works, leaving me only to the conclusion that Nat and IPsec can't be applied to the same interface.
Or maybe I'm doing something wrong?
It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.
There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!
Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.
Can CUCM warn you/detect if your inbound/outbound calls aren’t working? Either on RTMT, snmp, etc. if not directly on cucm, maybe something on the voice gateway, etc. Or is this something only an end user can detect?
Thing is unfortunately we don’t have a NOC so that makes us a reactive shop. But nevertheless we should be able to get alerts for major outages like this. We’d still like to find out something is wrong before the end-users do.
My internet was being slow so I checked the app for my router & I seen a device called “thingschange_ce05” I don’t have any clue what it is & I couldn’t find anything online about it. I’m not sure if this is the right subreddit for this question but if anyone could help that would be great.
Not sure if anyone has encountered this, but I am curious if someone is using SD-WAN devices in a HITRUST (Healthcare) certified environment. Many SD-WAN vendors only provide stateful firewall capabilities in their edge devices, and they will say they that it denies any unauthenticated inbound connections. So this means that any (malicious) connection coming to the branch office from the internet will be dropped (with maybe the header information from the connection being logged and possibly sent to a SIEM depending on the SD-WAN vendor). However, HITRUST seems to require that an IDPS capability be in place at the perimeter network, which in this case would be the SD-WAN device at the branch. I'm not sure how an IDPS would be relevant if the firewall is dropping the packet before it would even reach the IDPS, but I would like to see if how anyone else may have satisfied this control when using SD-SWAN. Thanks !
Hey all Thats my first post here i want to capture the ip from who is iam talking with on Instagram by calling ( voice or video) Using wireshark or anything else Any suggestions ?!
Note : i succeed with Facebook by using wireshark by filtering packets but instagram no luck :((
Hi all,
In ASDM, I see a service column. Are access lists required to allow this traffic through the fw, or can it all be defined with in the NAT section in ASDM with the designated ports = any for original/translated packets with in the NAT rules? Basically, are two rules required, NAT and ACL, or is the NAT rule alone sufficient.
If ACL rules are required, in the CLI or ASDM, is there any way to reference a NAT rule and check if there are any relevant access lists associated with the NAT rule, and if so, what they are?
Thanks
Cloudflare is slower than Akamai and Limelight even though CF has peering agreement with my ISP and PoP here.
So I live in Iraq , and there's a couple of cache servers, without them people would march in ISPs' offices and kill all employees ... Slowly like the internet they provide 🤣🤣
CDN companies and cache servers here:
The ISPs' cache server for pirated movies, show and files etc ..(my downloading speed with this 1.6MBps-2.6MBps)
The Akamai CDN (700KBps-5MBps)
Limelight CDN (1MBps and off peak 6.8MBps)
Google global cache, YouTube and search, (1MBps-3MBps)
Facebook CDN, FNA (1MBps-4MBps)
Tiktok, 4 days ago it was CDN77.org now Akamai, (1.6MBps to 5MBps)
and
Cloudflare 250-300KBps (I don't think it's downloading from cache server here as this speed is for international downloading (not cached) ) and the weird thing they have peering agreements with my ISP Earthlink. And PoP in Baghdad, Iraq
It's been driving nuts, as there's a website that I really like and it uses CF. To make sure that it's not this site's fault. I've made my own website with CF and created cache everything rule and it's still the same download speed (250-300KBps)
i'm not being directed to the closest PoP, but this doesn't make sense, as I'm being redirected to US server . Not even a PoP, also there's probably a one or two PoP closer to me than US, like there's one that 100KM away form me,
I used glasswire to figure out servers' locations, and for most of these it's like this. https://www.glasswire.com/host/cds4.bgw.llnw.net for domain
and https://www.glasswire.com/host/37.238.255.230 for IP
but for Cloudflare
https://www.glasswire.com/host/d01-cf.put.io.cdn.cloudflare.net
https://www.glasswire.com/host/104.18.31.179
Hello,
Looking to do some segmentation in the DC. I am looking at clustering some FTD 4100 units and placing them in transparent mode between my core and distribution layers. Any recommendations? Is there a better way to go for segmentation/security?
I’ve searched high and low and can’t find a way to accomplish this. Has anyone found a to do this without writing a custom page? Other than this the page more or less fits the bill.
Are there any reasonable non-SDWAN alternatives to Cisco for <1Gbps (generally 200Mbps - 500Mbps) at the WAN edge? Looking for something similar in sizing/function to the ISR 43xx/ISR 44xx. Pretty basic requirements. 1Gbps Ethernet, IPSec, OSPF, BGP, etc. As far as I can see Juniper doesn't play in this sizing space any longer. Even open to software-based routers.
Looking for a comparison point if nothing else.
Thank you for any guidance that you can provide!
Hi guys, I don’t know if it’s the right place to ask, but I will try. We have to completely redesign a school infrastructure , and one of the point is to give at least 10 risks that could occur while deploying the new infrastructure. As I got no experience in the IT work I have been struggling with this, and can’t find much on internet. If some of you have experience in the field and can help me, I would be really grateful ! You can reach my by DM’S
Hello!
Currently running a SRX240 with multiple GRE over IPsec tunnels to some small industrial routers.
Topology is as follows:
SRX LAN --- SRX --- (ISP cloud #1) --- IndRouter --- IR LAN
SRX LAN --- SRX --- (ISP cloud #2) --- IndRouter --- IR LAN
(SRX and IR in both lines are the same devices, just connected via different ISPs. So both SRX and IR hosts 2 GRE over IPsec tunnels)
Traffic to IR LAN is routed via static routes with qualified-next-hops and different preference, smaller one for main tunnel, bigger one for backup. Tricky part is, IR can't do OSPF and BFD, only static routing. So I need a mechanism to failover from main tunnel to backup. And statics over GRE are always up, since the tunnel is always up as well, so failover never happens, even when IPsec / GRE pair is down.
The solution I came up with is services RPM probe directed at ISP interface of IR that manually injects are more preferred static route to IR LAN via backup gateway.
Config below:
set services rpm probe gre-failover test gre-failover probe-type icmp-ping set services rpm probe gre-failover test gre-failover target address <IR_ISP_ADDRESS> set services rpm probe gre-failover test gre-failover probe-count 5 set services rpm probe gre-failover test gre-failover probe-interval 5 set services rpm probe gre-failover test gre-failover test-interval 3 set services rpm probe gre-failover test gre-failover source-address <SRX_ISP_ADDRESS> set services rpm probe gre-failover test gre-failover thresholds successive-loss 3 set services rpm probe gre-failover test gre-failover thresholds total-loss 3 set services rpm probe gre-failover test gre-failover destination-interface reth0.251 set services rpm probe gre-failover test gre-failover hardware-timestamp set services ip-monitoring policy gre-failover match rpm-probe gre-failover set services ip-monitoring policy gre-failover then preferred-route route <IR_LAN> next-hop <BACKUP_GRE_PEER_ADDRESS> My question: what solution would you suggest for this routing scenario? I'm just curious and want to expand my knowledge and share experience with fellow network engineers.
Cheers!
hey guys, I'm trying to get my head around the asymmetric key concept.
So I know that if you encrypt using the public key of the receiver (my friend) then it provides CONFIDENTIALITY because only he can decrypt with his private key, and if you encrypt it using the private key of the sender (myself) then it provides origin AUTHENTICATION because he will use my public key to decrypt and verify it.
my question, can asymmetric keys only provide either confidentiality or authentication? or do they actually provide both in some way?
cheers,
appreciate any help, hope you all have a blessed day.
Thank you in advance for any help!
To set this up:
I have NPS servers for multiple sites setup for wireless authentication with a log forwarder for our aggregator that reads the local log file. I also have firewalls that can ingest the accounting messages for identity purposes on the firewall.
My question is:
If I forward accounting requests, does NPS continue to log to the local log file?
Hello all,
Im trying to get access from our office network to a remote jumphost. The jumphost is accessible over the internet, so the remote jumphost IP is, let say: 200.200.200.200. Im using a Cisco ASA for the configuration part. So the problem is that I have problem to access the remote jumphost from the office network.
Here is my configuration:
access-list ACL-OFFICE-TO-JUMPHOST extended permit ip 10.120.3.0 255.255.255.0 200.200.200.200
route (interface of the office network) 200.200.200.200 255.255.255.255 (outside IP, let say 209.209.209.209)
so it will be: route INSIDE 200.200.200.200 255.255.255.255 209.209.209.209
Here is the complete configuration (made it easier to read)
access-list ACL-OFFICE-TO-JUMPHOST extended permit ip object 10.120.3.0 255.255.255.0 200.200.200.200 255.255.255.255 route INSIDE 200.200.200.200 255.255.255.255 209.209.209.209 What Im trying to figure out is how the office net 10.120.3.0 will get access to the remote jumphost? Of course something is missing in my configuration part (probably the configuration is also not correct). Appreciate any help.
Hey All,
I'm trying to improve our standards on how we do new cabling (make it more efficient and cleaner). Currently we are working on a proposal for a client as they need a lot of new cabling and some cleaning up. I have 2 main questions:
1- How do you run and number new cables?
2- Where to run the cables?
The client currently has a couple of small network racks dispersed though the different parts of the stockroom which I'm not sure I'm a fan or not. The pro is that there is a clear small network rack per warehouse "room" which makes working in that specific room easy, but de-centralises the network equipment.
There will be a big (42u) network rack in the center of the warehouse which means that the furtest point of for cabling would be about 70 meters. It is perfectly doable to run all the cabling to the main rack. Only one smalle network rack would have to be completely re-done.
What is your oppinion on both how to do cabling? And should we keep the de-centralised setup there currently is or should we centralise?
Thanks upfront for the information, I'm looking to learn and grow!
edit: some styling
just wanted to do a mental check and see if others see anything wrong for what i am about to deploy
setting up a mail server but to find that my Static IP from my isp is under 2Block lists and contacted them about it and they said that you have to run it in the cloud
i want my mail server / data to be onsite
my diagram of how i think it should work
UI>CloudFlare>VPS>=wireguard vpn=>Mail server on Lan
main point of concern is the vpn part from Mail server being a client and the vps doing the port forwarding and routing of the mail / it being able to talk with the internet
We are rearrange and reconfiguring the switches and this time around we decide to move all non-client devices to a separate switch (like everyone does). To do that, I have to first find what devices are connected to what ports.
We have a few door access card terminals and those are going to be moved, but their port numbers were not documented when they were installed 10+ years ago. It is impossible to trace the cable as the terminals were permanently installed on the wall, it will take destructive means to remove it (security measures? idk, ask Admin).
We have the IP addresses of the devices. We can find their respective MAC addresses and IP addresses by doing a show arp. However, those devices never shows up when doing show mac address-table.
What can I do except resorting to tracing the cable?
I originally own a Netgear R6900 router but a few days ago my internet start experiencing blackouts and the internet won't come back until I erase the router settings completely. I could connect to the internet through the modem and the blackouts continued to occur after I reconnect it to the router. I then bought a new M60 Netgear mesh model but the same problems keep on occurring. Does anyone have any ideas about what is going on with my internet?
As far as I can tell I have configured frr correctly within pfsense doing everything as I can see it in the video and documentation (for ipv6 not 4) but it doesn't even seem to try and connect to my neighbour/peer just sitting at active. I have gone through everything several times but just cannot see where I am going wrong.
`
For address family: IPv6 Unicast Not part of any update group Community attribute sent to this neighbor(large) Default information originate, default not sent 0 accepted prefixes Connections established 0; dropped 0 Last reset 00:00:05, Waiting for NHT BGP Connect Retry Timer in Seconds: 120 Next connect timer due in 116 seconds Read thread: off Write thread: off FD used: -1 I've got a home lab set up with a pair of ASA 5510s in the middle splitting the lab up into WAN, LAN, and DMZ zones. I have each zone wide open for management via both SSH and ASDM/HTTPS. I can login using both methods from the WAN and LAN zones but only SSH is working from the DMZ.
When I try connecting with ASDM from the DMZ zone I immediately get the message "Unable to launch device manager from 10.10.2.253:8443"
Here's what I see in the log:
%ASA-6-302013: Built inbound TCP connection 4339 for DMZ:10.10.2.21/56135 (10.10.2.21/56135) to identity:10.10.2.253/8443 (10.10.2.253/8443) %ASA-6-725001: Starting SSL handshake with client DMZ:10.10.2.21/56135 for TLSv1 session. %ASA-7-725010: Device supports the following 4 cipher(s). %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA %ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA %ASA-7-725011: Cipher[3] : AES256-SHA %ASA-7-725011: Cipher[4] : AES128-SHA %ASA-7-725008: SSL client DMZ:10.10.2.21/56135 proposes the following 6 cipher(s). %ASA-7-725011: Cipher[1] : AES256-SHA %ASA-7-725011: Cipher[2] : DHE-RSA-AES256-SHA %ASA-7-725011: Cipher[3] : DHE-DSS-AES256-SHA %ASA-7-725011: Cipher[4] : AES128-SHA %ASA-7-725011: Cipher[5] : DHE-RSA-AES128-SHA %ASA-7-725011: Cipher[6] : DHE-DSS-AES128-SHA %ASA-7-725012: Device chooses cipher : DHE-RSA-AES256-SHA for the SSL session with client DMZ:10.10.2.21/56135 %ASA-7-725014: SSL lib error. Function: SSL3_GET_RECORD Reason: wrong version number %ASA-7-710005: TCP request discarded from 10.10.2.21/56135 to DMZ:10.10.2.253/8443 %ASA-7-710005: TCP request discarded from 10.10.2.21/56135 to DMZ:10.10.2.253/8443 %ASA-6-302014: Teardown TCP connection 4339 for DMZ:10.10.2.21/56135 to identity:10.10.2.253/8443 duration 0:00:00 bytes 937 TCP Reset by appliance It seems clear that the issue is some kind of SSL error but I have the SSL settings set to "Any" so I'm not sure why this is still happening.
The device I'm trying to log in from is a Windows 10 laptop with a fresh install.
I can provide more info if needed, I'd love some help.
So I've been investigating getting into CH1 via wave/circuit transport. So far I have pricing/planned:
First time dealing with a large datacenter operator, and first time looking at a datacenter connection further than 30 minutes away.
For xconnects, do you pay smarthands to install the cable from a patch? Part of the deal? Or do you pre-wire some of your patch panel to ports of your router?
Are there gonna be surprise gotchas, besides watching the power limit?
On the OSPF process of an ABR (in the case of Cisco), is it possible to specify multiple IP ranges for a single area? For example, if I'd like to summarize OSPF routes between the backbone area and a stub area, and the backbone consists of multiple IP ranges that aren't contiguous (e.g. 192.168.0.0/16 and 172.16.0.0/12), can I specify both ranges with two separate commands and receive a summarized route in the stub area for both ranges?
I'm looking around online to see if anyone else has done this with no luck. Thanks for any help in advanced.
Found this picture of #CLEUR2020 in the depths of our fileshare and was curious if anybody has an idea what kind of monitoring/dashboard software the NOC might have used? https://postimg.cc/K3KDyqh7
So I just started a new job. I've worked with Cisco switches before (very lightly), but not HP. I've never setup VLANs before, but I have a basic idea. I got my Network+ in December.
This small business I'm at has everything on one .255 subnet, which the IT guy there wants to push to .254. However, from my reading it seems smart to put different departments on different VLANs, even for a small business, am I right?
I've never actually had to setup a VLAN from scratch, or worked on one that wasn't on a Cisco switch.
There's only like, 4 areas really. Should I combine HR, which only has a couple people, with the front office? Then do a VLAN for the other areas that only have like, a 24 port switch to them.. and one area that has a 48 + 24 port switch? Should I do the VLANs according to the switch area, or by department?
I'm assuming I setup the VLAN on the main switch in the MDF?
Also, I don't know how large the place will grow. Right now they are tight on addresses since they are all on just one .255, so I'm wondering how many addresses I should give each VLAN if I do do this.
Sorry for the noob questions. I've been doing IT for 20 years, but networking I've never been able to dive in this deep before, but whatever I need to do I'll catch on/read on real quick.
Edit: I've started a network diagram in yworks. They didn't have one before. I've basically just been putting down the hardware and what they are connected to. I assume I should somehow include the VLANs in the diagram once I get them up?
Hey all, trying to figure out what my distro switchports are going into err-disabled (channel-misconfig error) when the access switch uplinks are plugged in.
I have 2 3750xs connected to the same 6506-E. Below are their configs.
3750x / po11 work great. The second switch with po12 won't make a solid connection. As soon as the uplink is no shut, the distro switchport goes into err-disabled.
What stands out to me is the po12 switch doesn't have "switchport nonegotiate" on it. Could that cause the issue? Thanks for any insight!
3750x - access switch that works
!
Interface Port-channel11
Switchport trunk encapsulation dot1q
Switchport mode trunk
Switchport nonegotiate
!
Gi1/1/1
Switchport trunk encapsulation dot1q
Switchport mode trunk
Switchport nonegotiate
Channel-group 21 mode on
!
3750x - access switch that doesn't work
Interface Port-channel12
Switchport trunk encapsulation dot1q
Switchport mode trunk
!
Gi1/1/2
Switchport trunk encapsulation dot1q
Switchport mode trunk
Channel-group 12 mode on
!
6506-E - distribution switch
!
Interface Port-channel11
Switchport
Switchport trunk encapsulation dot1q
Switchport mode trunk
Spanning-tree guard root
!
Interface Port-channel12
Switchport
Switchport trunk encapsulation dot1q
Switchport mode trunk
Spanning-tree guard root
!
Interface Gi1/1/1 (working)
!
Switchport
Switchport trunk encapsulation dot1q
Switchport mode trunk
Channel-group 11 mode on
Spanning-tree guard root
!
Interface Gi1/1/2 (err-disables)
!
Switchport
Switchport trunk encapsulation dot1q
Switchport mode trunk
Channel-group 12 mode on
Spanning-tree guard root
Hello Everyone,
Looking to make my solo racking experience a better one. Been debating on switching up the traditional screwdriver. I have come up with three alternatives that could do the job and was looking for opinions, what would any of you use?
Bosch Pocket Driver: Amazon
Dewalt Cordless Screwdriver: Amazon
Ryobi Screwdriver: Home Depot
Any thoughts would be appreciated. Thank you
I'm very new to networks and try to understand logging atm. Can someone explain to me what it means if "beginning" is disabled but "end" is enabled?
What exactly gets logged and what difference would it make if it was the other way around?
Logging Configuration
DC : Enabled
Beginning : Disabled
End : Enabled
Files : Disabled
Hi All,
I am looking for some help with my company's current network setup.
We have two offices, one located in Texas and one located in New York.
We currently have a FortiGate 90D in the Texas office and 60D in the New York office.
We have a site-to-site connection setup between the two that was setup prior to my arrival at the company. I am not super familiar with FortiGate and have most of my experience with Cisco and Juniper devices.
The issue we are having is all the devices in the TX office are able to reach devices in the New York office without issue, ping, RDP, etc. These devices are also able to connect out to our Azure environment and VMs that we have.
But on the other side in the New York office, the FortiGate is not able to even ping the Texas FortiGate or any other Texas devices, devices connected to our TX VPN, or any of our Azure devices (including our DNS servers).
As far as I can tell it looks like everything is configured correctly on both sides and routing table includes routes to our Azure and Texas environments and looks like the access list is configured correctly to allow traffic to pass through.
Is there any other policies or anything that may be in place that I could check? I am unsure of why I can ping from Texas -> New York but not the other way around.
Any thoughts or suggestions? Any help appreciated! Thanks!
I’ve been facing some problems at work lately and I would like some help. Sometimes a few users complain about not having internet access so when I checked the switchport that the pc is connected to, the interface was up and status was connected but when I did “sh mac address int x/x”, it was empty. Happened with a few other as well. The other problem I’m facing is, some users t even though everything looks fine and their pc has an ip address assigned etc can’t access the internet even though other users in the same subnet can access the internet normally. Our access switches are C3850. Any idea what could cause these 2 issues?
Been working on migrating DNS for our guest wireless from an internal Umbrella VA to Umbrella Public DNS. For the most part, it works. Issue is devices get a cert error when they hit a blocked page. I'm being told this will be the behavior unless we install the Cisco Root CA cert on devices - obviously not possible since this is just meant to be a guest network.
Any suggestions on another DNS/content filtering solution that could leverage our existing Cisco WLC/AP deployment?
I have a managed netgear switch (GS108PEv3) in a set up router->switch-> eero. The switch currently has port mirroring turned on and is mirroring to a different port. Over the past two days the eero's have lost connection to the internet two times while I can tell that the router still has the ability to connect devices to the web. Is there anything inherently wrong with this setup that could be causing this to happen.
Hello, please send me to the right place is I'm in the wrong one, I need some advice on reconfiguring an office network. We have a LAN, that is a labratory with many many different OS, microcontrollers, IOT devices, etc... I run a computer with DOS8, Win2000, XP, RHEL, Ubuntu, a few iPads, android devices and a lot of serial to IP gateway/device servers.
Our parent company has decided that we are a liability with so many old, unsupported and very unsecure devices.
I don't care if I have an connection to WAN from my lab network, but i need to transfer files (on the order of 10GB at a time) regularly to the main LAN on site (which is part of the company wide LAN and contains internet access and VPN to our other remote locations).
All my lab devices get time and lots of other updates from our on prem lab server as well as stream data from various test machines to a our central server. Our IT dept. claims there is no way this can be done. I feel like there must be a solution even if its not ideal. (and not hire an intern to run around our campus with an external hard drive)
Can anyone help me figure out what I should be searching for? Im out of my wheelhouse and I dont even know what i don't know. Security between the two LANs seems to be the penultimate requirement. I need to be able to transfer files from LAN to LAN but prevent all WAN from reaching the isolated LAN with old DOS machines etc. I hope that all makes sense, thanks for reading.