Saturday, July 10, 2021

Question About Subdomains

Hello. Is sub1.sub2.domain.com a subdomain of the subdomain sub2.domain.com, is it a second-level subdomain of domain.com, or is it both? And why? I haven't found any material on the Internet that cleared up this question of mine. Thanks in advance.
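As an added example (not part of the original post), the following Python shows the label-wise relation between DNS names that the question is about. A name is a list of labels read right to left, so `sub1.sub2.domain.com` sits under `sub2.domain.com`, which in turn sits under `domain.com`; "is a subdomain of" is transitive, so the answer to "which one?" is both. The last function also shows why a plain string-suffix test is the wrong way to implement this check in security code, since `evildomain.com` ends with `domain.com` but is not under it. The names used are only the ones from the post plus that one constructed counterexample.

```python
"""Added example: label-wise DNS name relations (not from the original post)."""
from typing import List, Optional


def labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot and empty labels."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def is_subdomain(name: str, parent: str, proper: bool = True) -> bool:
    """True if `name` lies in the subtree rooted at `parent`, compared label by label.

    With proper=True a name is not counted as a subdomain of itself.
    """
    n, p = labels(name), labels(parent)
    if len(n) < len(p) or (proper and len(n) == len(p)):
        return False
    return n[len(n) - len(p):] == p


def ancestors(name: str) -> List[str]:
    """Every name above `name` in the tree, nearest first (the root itself is omitted)."""
    n = labels(name)
    return [".".join(n[i:]) for i in range(1, len(n))]


def depth_below(name: str, parent: str) -> Optional[int]:
    """How many label levels `name` is below `parent`; None if unrelated.

    sub1.sub2.domain.com is 1 below sub2.domain.com and 2 below domain.com,
    i.e. a second-level subdomain of domain.com.
    """
    if not is_subdomain(name, parent, proper=False):
        return None
    return len(labels(name)) - len(labels(parent))


def naive_suffix_check(name: str, parent: str) -> bool:
    """The common bug: a string suffix test, which 'evildomain.com' passes for 'domain.com'."""
    return name.lower().endswith(parent.lower())


if __name__ == "__main__":
    target = "sub1.sub2.domain.com"
    for parent in ("sub2.domain.com", "domain.com"):
        print(f"{target} is {depth_below(target, parent)} level(s) below {parent}")
    print("ancestors:", ancestors(target))
    # Constructed counterexample: suffix match without being a subdomain.
    print("naive:", naive_suffix_check("evildomain.com", "domain.com"),
          "label-wise:", is_subdomain("evildomain.com", "domain.com"))
```

The label-wise comparison is the one to use wherever a "same site" or "allowed origin" decision is made; the suffix version is a recurring source of host-allowlist bypasses.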



Can I use a QSFP28 copper DAC to connect two QSFP+ ports for 40GbE?

I've been experimenting with different combinations of NICs between my PC and NAS to get the fastest possible connection. Because they're both running PCIe 3.0 x4, I know I can't get 50 or even 40Gbps, but I'd like to get as close as possible. I recently tried these Mellanox ConnectX-4 NICs, which use QSFP28, with a QSFP28 DAC. They established nominal 40GbE and 50GbE links, but both ran at only 25Gbps. Likewise, these have 2x25GbE ports, but they were limited to a combined throughput of 25Gbps. This therefore appears to be a chipset limitation: when running these x8 cards in an x4 slot, the maximum throughput is 25Gbps.

Next I'm going to try some older 40/56GbE ConnectX-3 NICs, which connect using QSFP+. Do I need a new DAC, or can I use the QSFP28 one? I know that a QSFP28 cable won't work for 100GbE on QSFP hardware, but will it work for 40GbE?



Why don't providers open all ports in a CGNAT?

Forgive my ignorance if this is a stupid question; I do not study CS, I'm just a curious person. But if every client has a NAT at their home, protecting them from unsolicited data, why not open every port in the CGNAT? This gives the user the option to open any port they want, getting the benefits of a unique public IP without risking other consumers.

Perhaps I'm misunderstanding something.

Thanks!



EIGRP: redistributing a static tracked route?

Hello,

I have the following route:

ip route 1.1.1.1 255.255.255.255 2.2.2.2 10
ip route 1.1.1.1 255.255.255.255 3.3.3.3 track 1

If I redistribute static via a route-map in EIGRP with the 1.1.1.1/32 prefix, am I in for any issues with multiple entries in the topology table, or will it just take the active route?

thanks



ESXi 6.7 appliance with 4G LTE support?

Trying to build a router/firewall virtual appliance with support for 4G LTE using the USB device assigned by the hypervisor. I have a Sophos XG appliance that sees the Huawei dongle but can't connect to it or see it from the web GUI. Tested with MikroTik CHR and OpenWrt as well, but no luck.

I'm hoping I can avoid deploying a physical appliance at each remote location and use the USB port of the ESXi host on a VM instead, but I'm not sure whether it is doable or not.



Hotel sending deauth packets on all channels, jamming Wifi hotspots

I stayed in a hotel last week in which my Wi-Fi router(s) didn't work (I bring a hotspot that bridges the hotel Wi-Fi for security and convenience). I got disconnects immediately after connection attempts. I checked for deauth packets using a simple sniffer, and there was indeed a high number of deauth packets across all channels. The hotel Wi-Fi could be connected to. When I took our router offsite to see if that resolved it, it indeed had no issues offsite. I think this hotel is illegally jamming Wi-Fi hotspots. Defective equipment would not selectively jam all hotspots besides the hotel's.

Thoughts?

https://www.fcc.gov/document/warning-wi-fi-blocking-prohibited
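The check the post describes, as an added example that is not part of the original post: count deauthentication/disassociation frames per claimed transmitter and per channel over a capture. Containment systems forge these frames in the name of the target network, so the transmitter address is not the jammer's own; the tell is your own hotspot's BSSID apparently sending broadcast deauths on every channel at a rate no idle AP would. The frames below are constructed inline (bare 802.11 management headers, no radiotap, no FCS) and the MAC addresses are assumed placeholders, so the code runs offline; a real run would feed it frames from a monitor-mode capture with the channel taken from the radiotap header.

```python
"""Added example: per-transmitter, per-channel deauth accounting (not from the original post)."""
import struct
from collections import Counter
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT = 0                                # 802.11 frame type 0 = management
BEACON, DISASSOC, DEAUTH = 8, 10, 12    # management subtypes

# Assumed addresses for the constructed capture (not from the post).
MY_HOTSPOT = "02:00:00:00:aa:01"   # the traveller's bridging hotspot
HOTEL_AP = "02:00:00:00:bb:01"     # one hotel AP
CLIENT = "02:00:00:00:cc:01"       # a phone associated to the hotel AP


def _mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _fmt(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mgmt_frame(subtype: int, da: str, sa: str, bssid: str, body: bytes = b"") -> bytes:
    """Build a bare 802.11 management frame: FC, duration, A1/A2/A3, sequence control, body."""
    fc = (subtype << 4) | (MGMT << 2)     # protocol version 0, no flags
    return (struct.pack("<HH", fc, 0) + _mac(da) + _mac(sa) + _mac(bssid)
            + struct.pack("<H", 0) + body)


def parse_mgmt(frame: bytes) -> Optional[dict]:
    """Decode subtype and addresses; None for anything that is not a management frame."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != MGMT:
        return None
    info = {"subtype": (fc >> 4) & 0xF, "da": _fmt(frame[4:10]),
            "sa": _fmt(frame[10:16]), "bssid": _fmt(frame[16:22])}
    if info["subtype"] in (DEAUTH, DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]   # reason code, little-endian
    return info


def deauth_report(capture: List[Tuple[int, bytes]]) -> Dict[str, dict]:
    """Per claimed transmitter: deauth/disassoc count, broadcast count, channels seen, reason codes."""
    report: Dict[str, dict] = {}
    for channel, frame in capture:
        p = parse_mgmt(frame)
        if not p or p["subtype"] not in (DEAUTH, DISASSOC):
            continue
        r = report.setdefault(p["sa"], {"count": 0, "broadcast": 0,
                                        "channels": set(), "reasons": Counter()})
        r["count"] += 1
        r["broadcast"] += int(p["da"] == BROADCAST)
        r["channels"].add(channel)
        r["reasons"][p.get("reason")] += 1
    return report


def suspected_containment(capture: List[Tuple[int, bytes]],
                          min_frames: int = 10, min_channels: int = 2) -> List[str]:
    """Transmitters whose deauth volume and channel spread look like containment, not AP housekeeping."""
    return sorted(sa for sa, r in deauth_report(capture).items()
                  if r["count"] >= min_frames and len(r["channels"]) >= min_channels)


def sample_capture() -> List[Tuple[int, bytes]]:
    """Constructed (channel, frame) list: beacons, one legitimate deauth, and a forged flood."""
    cap = [(ch, mgmt_frame(BEACON, BROADCAST, HOTEL_AP, HOTEL_AP)) for ch in (1, 6, 11)]
    # A real AP dropping one idle client on its own channel (reason 4: inactivity).
    cap.append((6, mgmt_frame(DEAUTH, CLIENT, HOTEL_AP, HOTEL_AP, struct.pack("<H", 4))))
    # Frames forged in the hotspot's name, to broadcast, repeated on every channel (reason 7).
    for ch in (1, 6, 11):
        cap += [(ch, mgmt_frame(DEAUTH, BROADCAST, MY_HOTSPOT, MY_HOTSPOT, struct.pack("<H", 7)))] * 5
    return cap


if __name__ == "__main__":
    for sa, r in deauth_report(sample_capture()).items():
        print(sa, r["count"], "deauths,", r["broadcast"], "to broadcast, channels", sorted(r["channels"]))
    print("suspected containment:", suspected_containment(sample_capture()))
```

The thresholds are arbitrary and should be tuned to the capture length; what matters for the argument in the post is the contrast between a single targeted deauth from the hotel AP on its own channel and dozens of broadcast deauths "from" the hotspot on channels it never transmits on.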



Is Cisco SG350-20 Fanless?

I can't find much information about the 20-port version. Does anyone know whether the non-PoE Cisco SG350-20 has a fan?

I'm concerned about the noise.



How Smart is Auto MDIX?

I'm finding this is a bit of a tough problem to Google, but it is a problem I can't currently troubleshoot because there won't be power to the facility with the installation for another few weeks. TLDR: Can Auto MDIX figure out miswired ethernet that is neither straight-through nor a regular crossover?

Essentially we have 50+ runs of shielded Cat6A from client to patch panel (link to exact patch panel), and on the punch down block there were color designations for T568A or T568B, of which T568B was chosen. Upon running each cable through an RJ-45 tester, it was discovered that each of the RJ-45 connections way down on the other end were not wired to either T568A or T568B standard. The actual pinout order of the wires is shown below (I've also included T-568A/B for quick reference):

Pin         T-568A         T-568B (@ Block)   Actual (@ RJ-45)
1 - TX+     White/Green    White/Orange       White/Orange
2 - TX-     Green          Orange             Orange
3 - RX+     White/Orange   White/Green        White/Green
4 - TRD2+   Blue           Blue               Green
5 - TRD2-   White/Blue     White/Blue         White/Brown
6 - RX-     Orange         Green              Brown
7 - TRD3+   White/Brown    White/Brown        White/Blue
8 - TRD3-   Brown          Brown              Blue

So now I am wondering ultimately if the cables will need to be re-crimped at the RJ-45 ends, or re-punched at the blocks. The switches we have everything hooked up to do indeed have Auto MDIX, hence the title of the post. Exact switch model link here: Cisco SG220-26 and Cisco SG220-48. So, with the pinouts shown in the above table, we are not sure if we will have to change anything. For further context, our requirements are less than 100Mbps, the important part of the application was the shielding because there will be a non-trivial amount of EMI. So we don't need a ton of throughput, it just needs to transmit packets.

Apologies if I sound like a newb, I am just beginning my journey into Networking :) Fantastic community here, I have been lurking quite a lot.

Thanks.
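As an added example (not part of the original post), the following Python applies the pinouts from the post's table to the question asked. Auto-MDIX negotiates which end transmits on the 1/2 pair and which on the 3/6 pair (and, for 1000BASE-T, likewise 4/5 versus 7/8), so it absorbs a straight-through versus crossover mismatch and nothing else: it cannot move a conductor to a different pin, and it cannot re-twist a pair whose two conductors now come from two different twisted pairs. The code therefore checks two things for each cable end: does every pin pair still carry one real twisted pair, and if so, is the resulting pin permutation one of the ones Auto-MDIX knows about. The colour lists are transcribed from the table; the pair definitions and the permutations are standard T568 facts.

```python
"""Added example: can Auto-MDIX rescue a miswired cable? (not from the original post)"""
from typing import Dict, List, Sequence, Tuple

# Wire colour per pin (1..8), transcribed from the post's table.
T568A = ["W/Gn", "Gn", "W/Or", "Bu", "W/Bu", "Or", "W/Br", "Br"]
T568B = ["W/Or", "Or", "W/Gn", "Bu", "W/Bu", "Gn", "W/Br", "Br"]   # at the punch-down block
ACTUAL = ["W/Or", "Or", "W/Gn", "Gn", "W/Br", "Br", "W/Bu", "Bu"]  # at the RJ-45 ends

# Each striped conductor is twisted with the solid conductor of the same colour.
TWISTED_WITH = {"W/Or": "Or", "W/Gn": "Gn", "W/Bu": "Bu", "W/Br": "Br"}
ALL_PAIRS = [(1, 2), (3, 6), (4, 5), (7, 8)]   # 1000BASE-T uses all four
FAST_ETHERNET_PAIRS = [(1, 2), (3, 6)]         # 10/100BASE-TX uses only these two

# Pin permutations an Auto-MDIX PHY can compensate for (identity = straight-through).
MDIX_OK = {
    "straight-through": {p: p for p in range(1, 9)},
    "10/100 crossover": {1: 3, 2: 6, 3: 1, 6: 2, 4: 4, 5: 5, 7: 7, 8: 8},
    "gigabit crossover": {1: 3, 2: 6, 3: 1, 6: 2, 4: 7, 5: 8, 7: 4, 8: 5},
}


def pin_map(near: Sequence[str], far: Sequence[str]) -> Dict[int, int]:
    """For each near-end pin, the far-end pin on which the same conductor lands."""
    far_pin = {colour: i + 1 for i, colour in enumerate(far)}
    return {i + 1: far_pin[colour] for i, colour in enumerate(near)}


def split_pairs(end: Sequence[str],
                pairs: Sequence[Tuple[int, int]] = ALL_PAIRS) -> List[Tuple[int, int]]:
    """Pin pairs at this end whose two conductors are NOT a single twisted pair."""
    def twisted(a: str, b: str) -> bool:
        return TWISTED_WITH.get(a) == b or TWISTED_WITH.get(b) == a
    return [(p, q) for p, q in pairs if not twisted(end[p - 1], end[q - 1])]


def classify(near: Sequence[str], far: Sequence[str],
             pairs: Sequence[Tuple[int, int]] = ALL_PAIRS) -> str:
    """What the link looks like to an Auto-MDIX PHY that uses `pairs`."""
    bad = sorted(set(split_pairs(near, pairs) + split_pairs(far, pairs)))
    if bad:
        return f"split pair on pins {bad}: Auto-MDIX cannot fix this, re-terminate one end"
    m = pin_map(near, far)
    pins = [p for pair in pairs for p in pair]
    for name, perm in MDIX_OK.items():
        if all(m[p] == perm[p] for p in pins):
            return f"{name}: Auto-MDIX handles this"
    return "pairs intact but permuted in a way Auto-MDIX does not negotiate: re-terminate"


if __name__ == "__main__":
    print("block pin -> RJ-45 pin:", pin_map(T568B, ACTUAL))
    print("split pairs at RJ-45 end:", split_pairs(ACTUAL))
    print("gigabit view :", classify(T568B, ACTUAL))
    print("10/100 view  :", classify(T568B, ACTUAL, FAST_ETHERNET_PAIRS))
    print("A-to-B cable :", classify(T568A, T568B))
```

For the table in the post, pins 1 to 3 land where they should, but green ends up on pin 4, so the 3/6 circuit at the RJ-45 end is white/green with brown: two conductors from different twisted pairs. That is a split pair on the receive pair even at 10/100, which Auto-MDIX cannot negotiate away, and it also forfeits the twist-based noise cancellation that the shielded cable was chosen for.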



Can anyone think of a GOOD use-case for this weird Mini PCI-E to Dual-SFP card?

Preface: https://reddit.com/r/homelab/comments/ohd38t/thought_i_found_a_case_i_could_chop_up_to_make_a


In that post I described some weird Mini PCI-E cards I'd found while browsing.

What I can't figure out is why anyone would actually NEED one of these.
https://www.amazon.com/HINYSENO-Ethernet-1000Mbps-Interface-Controller/dp/B08YXLSFKR

There seem to be 2 different cards. The 2x RJ45 one I can BARELY understand someone needing. Maybe.

But the 2x SFP one? Who needs to put two 1000-baseX fiber transceivers into a machine that ONLY has a Mini PCI-E port free THAT BAD?!



Friday, July 9, 2021

Misbehaving Dell PowerConnect 2848

Anyone have experience with the Dell PowerConnect 2848?

Got one here that's not showing the web interface in managed mode. The serial console shows the debug, helo and mcli commands and they all have the default passwords; the default IP of 192.168.2.1 is pingable from my PC, but there's no web interface, and "press Esc or Return for boot menu" just blanks out the serial console for a minute and then boots as if I never hit the button. So I can't reset it that way.

The PDF says it's not compatible with all browsers, so maybe that's the problem as well. Anyone know a compatible browser, or a way to flash firmware from debug? Or any other solution?

Cheers



EVE-NG Community vs EVE-NG Pro - what version do you use and why?

I'm looking through the feature list for EVE-NG Community vs Pro and I'm having a hard time deciding whether I can get by with Community or should fork over the cash for Pro.

Those of you who use EVE-NG regularly... which version do you use? What features of that version are the most useful for you? What features can you not really live without?

Any context you can share is useful. Thanks.



Stress Test a Network

What stress-test use cases are usually performed on routers and switches? What tools do you use? For firewalls, do you consider that a security audit is capable of covering the stress-test scope as well? If not, are there any specific tools that can stress test firewalls?



When/should one intervene in case of a power shortage?

I agree the question is dumb, but let me be precise:

assuming one has a server plugged into a UPS, and running applications writing to volumes formatted with a journaling filesystem,

should one step in (physically or remotely) if one gets an alert that a power shortage just occurred and one has, let's say, 30 minutes to save/cancel and get any valuable shit together?

I can't think of any application needing the user/admin to intervene... I heard about Photoshop or video editors, but I never used them, so I'm not sure. Any CAD software? I should try, but I think it performs periodic saves just as Microsoft Word does and is able to recover after a sudden shutdown. I can figure out even less about dockerized applications...



UPS remote monitoring

Hello, I never had to deal with uninterruptible power supplies, so I have questions:

  1. Are there LAN/"network"/USB UPSes able to periodically report the status of their internal battery to some server? Or do the smarts have to be within the ATX/flex PSU of the device plugged into the UPS?
  2. Is there dedicated software ("frontends"/"web UIs") showing the status of some/any UPS? Or frontends of hypervisors directly? Or is a power shortage recognized by any OS? (That is, the Linux/Windows kernel tells the window manager to display the charging icon in the taskbar of a desktop machine, and one has to cron-job that to emit some alerts, or I don't know.) How about voltage peaks in the latter case?
  3. UPSes often serve multiple devices (access point + server at least), but are there ATX/flex classical desktop machine PSUs that embed a Li-ion battery? For example for headless machines far away from an internet access point.
  4. What is used if one wants to cover every single wall socket of an infrastructure? Some massive UPS, or something with gasoline?


Waterproof canvas carry case for Cat6 cable?

Does anyone know if such a thing exists? I'm looking for a waterproof canvas zip-up container for a box of Cat5/6 etc. I'm a tech for a phone company and it gets tiring taking the box of Cat5 in and out of the back of my truck depending on the weather.



Is it possible to dual-home my company's internet connection to a single ISP circuit?

I am researching datacenter designs and cannot find any description of what I have in my head, but I don't understand why. Either it's not common or it's not possible. Maybe someone here can help me.

What I would like to do is have my single DIA circuit come in and hand it off to both of my routers. So both routers would peer with the same ISP circuit, but we would just prepend the BGP on the secondary router to prioritize the traffic from the primary router. But all scenarios and designs I have been able to find show either 1 local router to 2 ISP routers or 2 local to 2 ISP, not 2 local to 1 ISP. Am I missing something here?

Such as this link:
https://networklessons.com/cisco/ccna-routing-switching-icnd2-200-105/singledual-homed-and-multi-homed-designs



Impossible good Wi-Fi design, but I have to try. Ekahau and galvanized metal material

Afternoon,

I'm redesigning a building for one of our sites in Ekahau Pro. I received the building materials back from construction and, to my horror, it's all galvanized steel, including metal doors. The building is a dorm building, with hallways on the outside (APs are on the roof here) and rooms and doors facing the outside. Think of a motel-type design.

This is a big metal box and a shit show for RF. But I have to try. It's a remote site in the middle of the forest and the folks in the dorm building need Wi-Fi. Currently they have real shit connectivity; no shit, it's metal.

Well, they asked me to try, more APs etc. if possible. I'm going to model this in Ekahau but can't find the loss through a galvanized metal wall in terms of dBm.

Anyone have ideas on how they would approach this? My direct answer is that this is a lost cause, but I'm forced to try (upper mgmt).

In Ekahau Pro, the best case is that I'll use a custom wall type with a high dBm loss rating. Any other ideas?



Anyone willing to help? I'm sure I am missing something basic with static routes and NATting on an isolated network. Thank you!

Hello,

I have been trying to figure out an issue with a Cisco ASA 5515 on our isolated system. The topology is fairly simple in this network. We create a standalone network that does not connect to anything but similar systems through the Interop1, Interop2 and Handoff ports. In the topology, we have a FW at the boundary, whose sole purpose is facilitating communication when we connect one system (FW, switch, and hosts) to another (because they all have the same internal private IP scheme, and we need the FW to NAT those IPs so that they can transfer information). That FW is connected to a switch, and then the L3 switch takes care of the rest of the L2 and L3 traffic (along with a vSwitch in a virtual portion of the topology that is unaffected). The issue that I am having is that if I were to connect a laptop to my outside interface and configure it with an IP in that network, for some reason I can only ping into the 192.168.7.x network (the x.x.7.x being the NATted version of those IPs). But when I try to ping any of the other VLANs (10.0.7.x for example), I am unable to get a response. I am going to sanitize (at least as much as it matters; this is a private IP space used on a totally isolated system) and post our config file to give everyone a much better idea of what is going on than I currently have. I have tested a few different things that have not worked, like same-security-traffic permit inter- (and intra-) interface.

I have found some limited success in pinging each individual VLAN when changing the default route in the switch from 0.0.0.0 0.0.0.0 192.168.109.3 to any variation of 0.0.0.0 0.0.0.0 10.X.0.3, but then I can only ping the identified network from my "outside" laptop on Interop1, Interop2 or Handoff. If I try to create specific static routes for each network, they all stop working.

Any advice, education, or direction is welcome and appreciated.

hostname asa5515r
enable password $
fips enable
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module ips keepalive-timeout 4
service-module ips keepalive-counter 6
service-module cxsc keepalive-timeout 4
service-module cxsc keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
no mac-address auto
!
interface GigabitEthernet0/0
 no shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.100
 description subinterface for vlan 100
 vlan 100
 nameif inside100
 security-level 100
 ip address 10.0.0.3 255.255.255.128
 multicast boundary TN1XXXX
!
interface GigabitEthernet0/0.110
 description subinterface for vlan 110
 vlan 110
 nameif inside110
 security-level 100
 ip address 10.50.0.3 255.255.255.128
 multicast boundary TN1XXXX
!
interface GigabitEthernet0/0.200
 description subinterface for vlan 200
 vlan 200
 nameif inside200
 security-level 100
 ip address 10.10.0.3 255.255.255.128
 multicast boundary TN1XXXX
!
interface GigabitEthernet0/0.210
 description subinterface for vlan 210
 vlan 210
 nameif inside210
 security-level 100
 ip address 10.60.0.3 255.255.255.128
 multicast boundary TN1XXXX
!
interface GigabitEthernet0/0.700
 description subinterface for vlan 700
 vlan 700
 nameif inside700
 security-level 100
 ip address 10.80.0.3 255.255.255.224
!
interface GigabitEthernet0/0.960
 description subinterface for vlan 960
 vlan 960
 nameif inside960
 security-level 100
 ip address 192.168.109.3 255.255.255.0
!
interface GigabitEthernet0/0.963
 description subinterface for vlan 963
 vlan 963
 nameif inside963
 security-level 100
 ip address 192.168.108.3 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/3
 no shutdown
 description outside interface for interop1
 nameif Interop1
 security-level 0
 ip address 192.168.100.7 255.255.255.0
!
interface GigabitEthernet0/4
 no shutdown
 description outside interface for interop2
 nameif Interop2
 security-level 0
 ip address 192.168.150.7 255.255.255.0
!
interface GigabitEthernet0/5
 no shutdown
 description outside interface for inner communication for system
 nameif Handoff
 security-level 0
 ip address 192.168.250.7 255.255.255.0
!
interface Management0/0
 management-only
 shutdown
 no nameif
 security-level 0
 no ip address
!
banner login words words words
boot system disk0:/asa9-12-3-12-smp-k8.bin
no ftp mode passive
!------------------------------------------------------------------------------
! Description - NATing for Interop1
!
object network inside100-mapped-Interop1
 subnet 10.0.7.0 255.255.255.128
object network inside100-real-Interop1
 subnet 10.0.0.0 255.255.255.128
 nat (inside100,Interop1) static inside100-mapped-Interop1
object network inside110-mapped-Interop1
 subnet 10.50.7.0 255.255.255.128
object network inside110-real-Interop1
 subnet 10.50.0.0 255.255.255.128
 nat (inside110,Interop1) static inside110-mapped-Interop1
object network inside200-mapped-Interop1
 subnet 10.10.7.0 255.255.255.128
object network inside200-real-Interop1
 subnet 10.10.0.0 255.255.255.128
 nat (inside200,Interop1) static inside200-mapped-Interop1
object network inside210-mapped-Interop1
 subnet 10.60.7.0 255.255.255.128
object network inside210-real-Interop1
 subnet 10.60.0.0 255.255.255.128
 nat (inside210,Interop1) static inside210-mapped-Interop1
object network inside700-mapped-Interop1
 subnet 10.80.7.0 255.255.255.192
object network inside700-real-Interop1
 subnet 10.80.0.0 255.255.255.192
 nat (inside700,Interop1) static inside700-mapped-Interop1
object network inside960-mapped-Interop1
 subnet 192.168.7.0 255.255.255.0
object network inside960-real-Interop1
 subnet 192.168.109.0 255.255.255.0
 nat (inside960,Interop1) static inside960-mapped-Interop1
!------------------------------------------------------------------------------
! Description - NATing for Interop2
!
object network inside100-mapped-Interop2
 subnet 10.0.7.0 255.255.255.128
object network inside100-real-Interop2
 subnet 10.0.0.0 255.255.255.128
 nat (inside100,Interop2) static inside100-mapped-Interop2
object network inside110-mapped-Interop2
 subnet 10.50.7.0 255.255.255.128
object network inside110-real-Interop2
 subnet 10.50.0.0 255.255.255.128
 nat (inside110,Interop2) static inside110-mapped-Interop2
object network inside200-mapped-Interop2
 subnet 10.10.7.0 255.255.255.128
object network inside200-real-Interop2
 subnet 10.10.0.0 255.255.255.128
 nat (inside200,Interop2) static inside200-mapped-Interop2
object network inside210-mapped-Interop2
 subnet 10.60.7.0 255.255.255.128
object network inside210-real-Interop2
 subnet 10.60.0.0 255.255.255.128
 nat (inside210,Interop2) static inside210-mapped-Interop2
object network inside700-mapped-Interop2
 subnet 10.80.7.0 255.255.255.192
object network inside700-real-Interop2
 subnet 10.80.0.0 255.255.255.192
 nat (inside700,Interop2) static inside700-mapped-Interop2
object network inside960-mapped-Interop2
 subnet 192.168.7.0 255.255.255.0
object network inside960-real-Interop2
 subnet 192.168.109.0 255.255.255.0
 nat (inside960,Interop2) static inside960-mapped-Interop2
!------------------------------------------------------------------------------
! Description - NATing for Handoff
!
object network inside100-mapped-Handoff
 subnet 10.0.7.0 255.255.255.128
object network inside100-real-Handoff
 subnet 10.0.0.0 255.255.255.128
 nat (inside100,Handoff) static inside100-mapped-Handoff
object network inside110-mapped-Handoff
 subnet 10.50.7.0 255.255.255.128
object network inside110-real-Handoff
 subnet 10.50.0.0 255.255.255.128
 nat (inside110,Handoff) static inside110-mapped-Handoff
object network inside200-mapped-Handoff
 subnet 10.10.7.0 255.255.255.128
object network inside200-real-Handoff
 subnet 10.10.0.0 255.255.255.128
 nat (inside200,Handoff) static inside200-mapped-Handoff
object network inside210-mapped-Handoff
 subnet 10.60.7.0 255.255.255.128
object network inside210-real-Handoff
 subnet 10.60.0.0 255.255.255.128
 nat (inside210,Handoff) static inside210-mapped-Handoff
object network inside700-mapped-Handoff
 subnet 10.80.7.0 255.255.255.192
object network inside700-real-Handoff
 subnet 10.80.0.0 255.255.255.192
 nat (inside700,Handoff) static inside700-mapped-Handoff
object network inside960-mapped-Handoff
 subnet 192.168.7.0 255.255.255.0
object network inside960-real-Handoff
 subnet 192.168.109.0 255.255.255.0
 nat (inside960,Handoff) static inside960-mapped-Handoff
!
access-list TN1XXXX standard permit host 234.0.117.1
access-list TN1XXXX standard permit host 234.0.117.3
access-list TN1XXXX standard permit host 234.0.118.1
access-list TN1XXXX standard permit host 234.0.118.3
access-list TN1XXXX standard permit host 234.0.119.1
access-list TN1XXXX standard permit host 234.0.119.3
access-list TN1XXXX standard deny any4
access-list Interop1-In extended permit ip any any
access-list Interop2-In extended permit ip any any
access-list Handoff2inside extended permit ip any any
pager lines 46
logging enable
logging timestamp
logging buffer-size 16384
logging buffered warnings
logging trap notifications
logging host inside960 192.168.109.24 6/20514
mtu inside100 1500
mtu inside110 1500
mtu inside200 1500
mtu inside210 1500
mtu inside700 1500
mtu inside960 1500
mtu inside963 1500
mtu Interop1 1500
mtu Interop2 1500
mtu Handoff 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-openjre-7131-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
access-group Interop1-In in interface Interop1
access-group Interop2-In in interface Interop2
access-group Handoff2inside in interface Handoff
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 10
ssh version 2
ssh cipher encryption fips
ssh key-exchange group dh-group14-sha1
console timeout 10
vpn load-balancing
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.109.24
username SYSTEM911 password $sha512###
username SYSTEMadmin password $sha512###
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rtsp
  inspect rsh
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect sip
  inspect xdmcp
  inspect icmp
!
prompt hostname context
no call-home reporting anonymous



LACP LAG to Trunk

We are in the process of replacing our cores with Aruba 8320s. We have an Aruba 2540 as an edge switch that we want to be link-aggregated to our Aruba 8320 VSX pair. On the 8320 side I have it set up as a multi-chassis LAG, and on the 2540 side I have two ports set up as an LACP trunk. All the interfaces see each other and the LACP is up and sees the peer. The trunk is set up for all the VLANs, as is the LAG.

I can't ping from one device to the other, but again the MAC addresses and VLANs are coming through (sh mac-address-table).

Am I misunderstanding LACP? I know trunks and LAGs are different, but it was my understanding that a trunked LACP interface could communicate with a LAG. Well, and they are from a layer 2 standpoint... just not from a layer 3 standpoint.

I'm basically just wanting to ask whether what I'm doing is even possible, or I'm crazy and need to use an Aruba 6100 (LAG support) instead as the edge.



Warp 17/DPDK Help

Is anyone familiar with Warp 17/DPDK? I'm trying to create some tests using it and I don't fully understand how it utilizes system resources. I know it's vague....I can get more specific if there is anyone out there that is knowledgeable and wants to give me a hand :)

Thanks!



3 x Routers, 3 x BBand and 1 SSID?

Hello all,

In my office I'm taking over 3 routers that each have their own bband connection. They are spread out across a single but large office floor. Not really used for much now, but I am thinking of the future for IoT devices like TVs in meeting rooms and mobile phone connectivity. Nothing fancy with these, and I've got no finances or time to invest to upgrade or include new equipment, etc.

What I am trying to figure out is how well (or at all) would it work if each bband connection/router had the same SSID and a password?

Each router would be using the same DHCP IP address range (as set by default). So if my phone was connected and I roamed around the office, would I automatically switch to the router with the stronger/closer connection?

I am not worried about video streaming, for example, as I get that if I auto-switch between routers then my connection would switch to the bband line that router is connected to.

Is my idea an ok or bad one?

No biggy if I need to name each SSID differently just thinking would be smarter to have 1.



On-premise DDoS filtering for multiple 10G DIAs...

Hi,

We have 4 x 10G DIAs with different providers, and we also have a direct 10G loop to a scrubbing center in Europe (via a 10G wavelength).

We have a custom solution in place to divert inbound traffic to the scrubbing center when things get ugly, which works really, really well. We can also do some filtering locally, but we are trying to improve our on-premise filtering and divert less to the scrubbing center, as BGP convergence time is not ideal and we have better peering when using all our providers.

As we host VMs, we have a quite nice custom distributed filtering setup on our hypervisors (really custom stuff, built over time using iptables, scripts, etc.) and on our main firewalls. We are one of those companies that still uses huge Linux machines to route all traffic, and even to detect and filter DDoS attacks, as we have quite a bit of experience and understanding of the Linux network stack.

But it's really time consuming, as every time there is a new kind of attack we need to manually sample the attack, find out how to filter it (without affecting legitimate traffic), performance test the new rules, etc. And it consumes plenty of time.

So, we are considering other options, to reduce the human time required to manage all this.

What would you recommend to filter small DDoS attacks locally? And what's your experience with that solution? (And if you could give us a hint about the pricing, we would also appreciate it.)

Thanks!



Expanding a DHCP range

Hi,

I need to expand the IP range on our LAN handling user devices and I would like some input on whether I'm on the right track here. Currently the IP range is 192.168.40.0/24.

I was thinking that I could change the netmask to 192.168.40.0/23 in our router, which would give me the IP range of 192.168.40.1 to 192.168.41.254, and then change the DHCP scope to reflect this.

As I understand it, there is nothing else I need to do; is that correct? We are running 10 VLANs, but that should not matter in this case. There is some communication between some of the VLANs, but since firewall policies are based on VLAN and individual IP addresses, it should work without reconfiguring.

Since I don't want any disturbances, what do you think of the actual change? Could I change the router to 192.168.40.0/23, then over a couple of days change the servers to the new netmask, and then finally change the DHCP scope? Or will communication be lost once I make the change in the router?

E.g. will 192.168.40.1 255.255.254.0 be able to communicate with 192.168.40.20 255.255.255.0 ?

Of course 192.168.40.1 255.255.255.0 would not be able to reach 192.168.41.30 255.255.254.0

Also, this is not the case, but how would you expand/add to the IP range if the subnets 192.168.39.0/24 and 192.168.41.0/24 were already assigned to other VLANs?

Thanks for any reply and have a nice weekend.
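As an added example (not part of the original post), the following Python works through the two questions above with the standard library's `ipaddress` module: which host pairs can still talk directly while the mask is changed one device at a time, and whether the wider block is available at all when neighbouring /24s are in use. Two hosts exchange frames directly only when each one's own mask places the other on its link; if only one side agrees, that side sends directly while the other hands its reply to the gateway, which works only once the gateway already carries the wider mask. The addresses are the ones from the post.

```python
"""Added example: reachability during a /24 -> /23 widening (not from the original post)."""
import ipaddress
from typing import List, Tuple


def on_link(src: str, dst: str) -> bool:
    """Does `src` ("addr/prefix") consider the address in `dst` directly reachable?"""
    dst_addr = ipaddress.ip_interface(dst).ip
    return dst_addr in ipaddress.ip_interface(src).network


def can_talk_directly(a: str, b: str) -> bool:
    """Both directions must agree; a one-way match means one side's reply detours via the gateway."""
    return on_link(a, b) and on_link(b, a)


def transition_report(hosts: List[str]) -> List[Tuple[str, str, str]]:
    """Every host pair tagged 'direct', 'one-way' (asymmetric, relies on the gateway) or 'none'."""
    out = []
    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            ab, ba = on_link(a, b), on_link(b, a)
            state = "direct" if ab and ba else "one-way" if ab or ba else "none"
            out.append((a, b, state))
    return out


def usable_range(network: str) -> Tuple[str, str]:
    """First and last host address of a network (network and broadcast excluded)."""
    net = ipaddress.ip_network(network)
    return str(net[1]), str(net[-2])


def supernet_conflicts(current: str, new_prefix: int, in_use: List[str]) -> Tuple[str, List[str]]:
    """The aligned supernet `current` would grow into, and which in-use subnets it would swallow.

    A /23 must start on an even third octet, so 192.168.40.0/24 can only grow into
    192.168.40.0/23 (40 + 41); 192.168.39.0/24 belongs to 192.168.38.0/23 and is never
    a candidate partner.
    """
    net = ipaddress.ip_network(current)
    wider = net.supernet(new_prefix=new_prefix)
    clash = [str(n) for n in map(ipaddress.ip_network, in_use) if n != net and n.overlaps(wider)]
    return str(wider), clash


if __name__ == "__main__":
    print("usable:", usable_range("192.168.40.0/23"))
    mixed = ["192.168.40.1/23", "192.168.40.20/24", "192.168.41.30/23"]
    for a, b, state in transition_report(mixed):
        print(f"{a:>18} <-> {b:<18} {state}")
    print(supernet_conflicts("192.168.40.0/24", 23, ["192.168.39.0/24", "192.168.41.0/24"]))
```

The report shows the safe ordering: while masks are mixed, any two hosts inside the old 192.168.40.0/24 still reach each other directly whichever mask each has, because that /24 is contained in the /23; only addresses in 192.168.41.x are affected, so the DHCP scope should not hand those out until every static host and the gateway carry the /23. The conflict check says the same thing for the hypothetical case in the post: with 192.168.41.0/24 taken, the /23 is blocked and the only options are to move that VLAN or to renumber into a free, aligned block.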



Semiconductor Shortage

Has this global semiconductor shortage impacted only Cisco? I see Aruba, Fortinet and Juniper delivering items within the agreed timeline, while Cisco takes almost 3 months for a switch to be delivered.



AdTran NetVanta 3448 Peer VPN setup help

Hello all, I'm hoping to get some help in setting up a remote client VPN. I inherited this network and have never worked with AdTran routers before. There is an existing VPN client setup in place, so ideally I'd like to just figure out how to make that work.

Can I use the Win 10 VPN client built into Windows, or do I need to use an AdTran client? If I need client software, how and where do I download it? If I'm using Windows, how do I configure it to connect? Sorry if I'm missing necessary details. Let me know and I'll reply.

Thank you in advance for any assistance.



Secure network design

I am not a networking guy, but I am included on a project where we are tasked with designing a highly secure network segment. This network segment contains highly sensitive data and it bridges two networks. What are some ways we can control who can get access to this segment and control the devices that get access, while limiting and restricting all inbound and outbound traffic to only what's required? Are there other security considerations I might be missing?



Static and dynamic networks connected to the same network switch

Hi All,

I am having a problem configuring my office network. We have a static IP network that is used for our main server, which allows our shops to connect remotely via VPN (I excluded the outside portion from the drawing). Due to the slow speed of the static network (100Mbps), my company subscribed to a dynamic network that is 400Mbps.

I managed to hook up both networks onto a switch, which initially allowed office users to get high speeds (200-300Mbps) when connected to Router 2. However, the issue now is that, at random, the network users experience a drop to speeds of 5-20Mbps, which is the usual speed of the static network. This happens even though they are connected directly to Router 2, which is connected to the dynamic IP modem. One temporary fix I found was to use ipconfig /release and ipconfig /renew. However, the issue comes back again and I can't expect all the network users to use the command prompt.

I am not very experienced with IP addresses. After reading up, I believe the issue is probably an IP address conflict? However, after trying to configure the routers to have different IP address ranges, I have constantly run into issues and have been unable to solve the problem on my own.

I have drawn a picture to try to describe the setup I have done. Hoping someone with better knowledge on the subject of networks can help me out. The aim is for office users to connect to Router 2 which would provide network speeds of up to 400Mbps while still being able to print and access the file server and office printers.

https://imgur.com/a/rYlBYHx <--- Drawing of the Network Setup

Thanks in advance!

*PS: wasn't sure which flair tag to put on my post...



Thursday, July 8, 2021

Stress test unmanaged network switch

Hi - I have a 5-port unmanaged network switch that is going to be in a mission-critical application in awful environmental conditions (-30 to +70C). The switch is rated for these temperatures, but to prove this I'm going to put it in a thermal chamber and cycle it for quite a while.

During this test I would like to run maximum data through each of the five ports to see if any packets are dropped / a port fails intermittently.

Is there a tool that would let me test all ports simultaneously and monitor the traffic through them? How would you go about doing this?

Thanks for your help!



Subnet Size to accommodate Vulnerability Scanning

My company is onboarding a SOC as a service and part of this entails spinning up VMs to do internal vulnerability scanning. Their configuration does a full scan of the subnets you feed it whether the host responds to ping/discovery or not. So it takes somewhere between 12-16 hours to scan a /24 no matter how many active hosts there are. This is prohibitive, as they recommend no more than 1000-2000 IPs be assigned per VM, so 4-8 /24s. I have multiple sites with multiple VLANs per site, all with /24s attached. This will quickly get out of control.

So my thought was that, since many of these sites only have 10-30 users, I could scale all of the networks down to /25 or /26. I would ideally use the same mask for all of them for consistency's sake, and just keep /24s for the bigger sites. There are 30 sites averaging 2 /24s each; bigger sites have 4-8 depending on the infra in place. Any thoughts on how others might tackle this would be great.
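A worked sizing pass for the situation described above, added here as an example (not the poster's plan): it shrinks each VLAN to the smallest subnet that still fits its users with headroom, keeps /24s where the headcount needs them, and compares the scanner load before and after. The site list, the 2x headroom, the /26 floor and the 14 h per /24 scan rate (the midpoint of the post's 12-16 h figure) are all assumptions.

```python
"""Right-size site subnets and estimate scanner VM load (added example, not the poster's setup)."""
from __future__ import annotations

import ipaddress
import math

# Assumptions taken from the post: a /24 takes 12-16 h regardless of live
# hosts (use 14 h / 256 addresses per IP) and each scanner VM should be fed
# no more than 2000 IPs. HEADROOM and the /26 floor are my choices.
HOURS_PER_IP = 14 / 256
MAX_IPS_PER_VM = 2000
HEADROOM = 2.0
FLOOR_PREFIX = 26

# Constructed sample: site -> [(current subnet, expected hosts), ...]
SAMPLE_SITES = {
    "branch-a": [("10.1.10.0/24", 20), ("10.1.20.0/24", 15)],
    "branch-b": [("10.2.10.0/24", 30), ("10.2.20.0/24", 12)],
    "hq":       [("10.0.10.0/24", 180), ("10.0.20.0/24", 200)],
}


def right_size(network: str, hosts: int) -> ipaddress.IPv4Network:
    """Smallest subnet inside `network` that holds `hosts` with HEADROOM,
    never longer than /FLOOR_PREFIX and never larger than the original."""
    net = ipaddress.ip_network(network, strict=False)
    needed = math.ceil(hosts * HEADROOM) + 2          # + network and broadcast
    prefix = net.prefixlen
    while prefix < FLOOR_PREFIX and 2 ** (32 - (prefix + 1)) >= needed:
        prefix += 1
    if prefix == net.prefixlen:
        return net
    return next(net.subnets(new_prefix=prefix))       # keep the low end of the block


def plan(sites: dict[str, list[tuple[str, int]]]) -> dict:
    """Compare scanner load before and after shrinking every VLAN to its right size."""
    before = sum(ipaddress.ip_network(n, strict=False).num_addresses
                 for vlans in sites.values() for n, _ in vlans)
    resized = {site: [right_size(n, h) for n, h in vlans] for site, vlans in sites.items()}
    after = sum(n.num_addresses for vlans in resized.values() for n in vlans)
    return {
        "subnets": resized,
        "ips_before": before,
        "ips_after": after,
        "vms_before": math.ceil(before / MAX_IPS_PER_VM),
        "vms_after": math.ceil(after / MAX_IPS_PER_VM),
        "scan_hours_after": round(after * HOURS_PER_IP, 1),
    }


if __name__ == "__main__":
    result = plan(SAMPLE_SITES)
    for site, nets in result["subnets"].items():
        print(site, [str(n) for n in nets])
    print({k: v for k, v in result.items() if k != "subnets"})
```

With the constructed sites the address count falls from 1536 to 768. The point is that at roughly 3.3 minutes per address the scanner cost is set by the mask, not by how many hosts answer, so the mask is the lever; the two hq VLANs stay /24 because 180-200 hosts with headroom do not fit anything smaller.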



Cisco wifi replacement

Hey guys, my boss has a bug in him and he wants to straight up drop Cisco for our wireless infrastructure. Something about subscriptions and Prime Infrastructure going away and, you know, their new business model. Our closets are Cisco. Is anyone doing something else for wifi, and what are you finding to be a better or equal replacement?

Meeting with Aruba rep next Thursday Met with Arista already

Currently we are running 5520s, 1142s, 9120s, 3600s, etc.

Thanks



Weird Wireshark traffic - help clear my train of thought

Please educate me if I am way off, I have a PCAP that I have been analyzing for a few days now and am a little stumped by piecing the story together. The PCAP outlines a home device that is primarily used for emails and only emails, however, there are multiple outbound connections to banking websites and other sites that may contain sensitive information.

There are a few outbound connections that originate from the client, let's call him Client A, and are outbound to an FTP server (port 21 - command) running FreeBSD. There are a few data transfers from the FreeBSD server to Client A's machine. The outbound connection was requesting the FTP server with a login coming from the server IP itself using 'anonymous' and 'IEUser@' as the login and password. The outbound connections from Client A also list FreeBSD under certain sites/IP addresses when a session is made - I would like to assume that this is a classic man-in-the-middle attack, however I have been so wrapped up in my own thought I am turning a mole hill into a mountain.

If statements about Client A are true and it is only used for emails, can an FTP (port 21) connection from a FreeBSD push requests to other services and eavesdrop? I've primarily learned it in the past as a way to transfer files or data and to passively listen to ports when in 'PASV'.

The connections from Client A to the banking website are made a few thousand packets after the FTP connection (3 concurrent connections are made throughout the capture) however the total PCAP is around 8-9 minutes. The multiple connections from Client A span ports so for example:

1.1.1.1 (Client A) > 2.2.2.2 (banking - FreeBSD) port 123 -- TCP handshake started but no connections are officially closed out

1.1.1.1 (Client A) > 2.2.2.2 (banking - FreeBSD) port 456 -- TCP handshake started but no connections are officially closed out

and these continue until there are around 100+ connections from ports with no official closure to any individual TCP handshake. After the 100th or so connection, there is a massive flood of RST, ACK packets from the banking site, followed by more outbound connections to sites other than email (also with similar situations - more connections, no closure, etc).

Is it safe to assume that there may be a malicious program on the Client A system that is calling/beaconing out to the FTP server on startup allowing an external individual to log into the system, eavesdrop, and deploy requests on Client A's behalf?

I have attached some screenshots HERE -- for the PCAP please let me know if you are interested and willing to help me solve this.

I have used Wireshark, NetworkMiner, and Snort although I cannot seem to get it to write logs, there are no triggers alerted at all when I run it via cmd line.

I am not asking for answers, just simply to be educated, please CORRECT me if I am way off the deep end.
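Two of the observations in the post can be checked mechanically once the capture is reduced to flow records. The example below is added here (it is not the poster's tooling) and works on constructed packet records with documentation-range addresses rather than on the PCAP: it extracts clear-text USER/PASS pairs sent to port 21 and, per client/server pair, counts sessions that were opened but never closed with a FIN or reset. The threshold and the sample traffic are assumptions shaped like what the post describes.

```python
"""Spot two things from the post in a capture: an anonymous FTP login and a
client opening many TCP sessions to one server that never close.
Added example; pure Python over constructed packet records, no PCAP parsing."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Documentation-range addresses standing in for the post's 1.1.1.1 / 2.2.2.2
CLIENT, FTP_SERVER, BANK = "192.0.2.10", "198.51.100.21", "203.0.113.5"


@dataclass
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str           # TCP flags as letters, e.g. "S", "SA", "PA", "FA", "RA"
    payload: bytes = b""


@dataclass
class Flow:
    synack: bool = False        # server answered the handshake
    fin: bool = False           # either side sent FIN
    rst_from_server: bool = False


def summarize_flows(packets: list[Pkt]) -> dict[tuple, Flow]:
    """Key each flow by the side that sent the bare SYN, then track how it ended."""
    flows: dict[tuple, Flow] = {}
    for p in packets:
        if "S" in p.flags and "A" not in p.flags:          # new connection attempt
            flows.setdefault((p.src, p.sport, p.dst, p.dport), Flow())
            continue
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in flows:                                     # client -> server
            if "F" in p.flags:
                flows[fwd].fin = True
        elif rev in flows:                                   # server -> client
            f = flows[rev]
            if "S" in p.flags and "A" in p.flags:
                f.synack = True
            if "F" in p.flags:
                f.fin = True
            if "R" in p.flags:
                f.rst_from_server = True
    return flows


def fanout_report(packets: list[Pkt], threshold: int = 20) -> dict:
    """Per (client, server) pair: sessions opened, sessions never closed, sessions
    the server reset. Pairs with fewer than `threshold` sessions are dropped."""
    stats = defaultdict(lambda: {"flows": 0, "unclosed": 0, "rst_from_server": 0})
    for (cip, _, sip, _), f in summarize_flows(packets).items():
        s = stats[(cip, sip)]
        s["flows"] += 1
        if not f.fin and not f.rst_from_server:
            s["unclosed"] += 1
        if f.rst_from_server:
            s["rst_from_server"] += 1
    return {pair: s for pair, s in stats.items() if s["flows"] >= threshold}


def ftp_logins(packets: list[Pkt]) -> list[tuple]:
    """Clear-text USER/PASS pairs sent to port 21, as (client, server, user, password)."""
    creds: dict[tuple, dict] = {}
    for p in packets:
        if p.dport != 21 or not p.payload:
            continue
        line = p.payload.decode("ascii", "replace").strip()
        key = (p.src, p.sport, p.dst)
        if line.upper().startswith("USER "):
            creds.setdefault(key, {})["user"] = line[5:]
        elif line.upper().startswith("PASS "):
            creds.setdefault(key, {})["pass"] = line[5:]
    return [(c, s, v.get("user"), v.get("pass")) for (c, _, s), v in creds.items()]


def sample_capture() -> list[Pkt]:
    """Constructed traffic shaped like the post: one anonymous FTP login, then
    30 HTTPS sessions to the bank that are never closed, half of them later reset."""
    pk = [Pkt(0.00, CLIENT, 40001, FTP_SERVER, 21, "S"),
          Pkt(0.01, FTP_SERVER, 21, CLIENT, 40001, "SA"),
          Pkt(0.02, CLIENT, 40001, FTP_SERVER, 21, "A"),
          Pkt(0.10, CLIENT, 40001, FTP_SERVER, 21, "PA", b"USER anonymous\r\n"),
          Pkt(0.20, CLIENT, 40001, FTP_SERVER, 21, "PA", b"PASS IEUser@\r\n"),
          Pkt(5.00, CLIENT, 40001, FTP_SERVER, 21, "FA"),
          Pkt(5.01, FTP_SERVER, 21, CLIENT, 40001, "FA")]
    for i in range(30):
        t, sport = 10 + i * 0.05, 50000 + i
        pk += [Pkt(t, CLIENT, sport, BANK, 443, "S"),
               Pkt(t + 0.01, BANK, 443, CLIENT, sport, "SA"),
               Pkt(t + 0.02, CLIENT, sport, BANK, 443, "A")]
    pk += [Pkt(40 + i * 0.01, BANK, 443, CLIENT, 50000 + i, "RA") for i in range(1, 30, 2)]
    return pk


if __name__ == "__main__":
    cap = sample_capture()
    print(ftp_logins(cap))
    print(fanout_report(cap))
```

On the sample, ftp_logins returns the anonymous/IEUser@ pair and fanout_report shows 30 sessions to the bank with 15 never closed and 15 reset by the server. One caveat for the interpretation: 'IEUser@' is the anonymous password that Internet Explorer's built-in FTP client historically sent, so that login on its own is consistent with a stock Windows client fetching a file; the unclosed-session fan-out to one host is the stronger signal and is the thing to line up against what was running on Client A at the time.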



Comcast EPL Requirements

Does anyone know what the requirements are for the switching past the Comcast CPE?

We're in a pinch due to COVID and aren't going to get a 9300 series switch for another 2 months, but we have 2960-S and 2960-L series switches, I believe LAN or LAN Lite. Could we get by with these until we get the 9300-L? It's a 1 Gb line connecting to the campus 4500s; 7 sites, 20-30 VLANs, 5500 devices.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Firepower 9300/4100 Might Fail to Pass Traffic After 3.2 Years of Uptime due to SSD Firmware Bug

Due to a flaw in solid-state drive (SSD) firmware, the SSD that is internal to the FPR9300 Supervisor module and FPR4100 Series security appliances will no longer respond after approximately 3.2 years of cumulative operation. After the first unresponsive event occurs, every subsequent power-cycle allows the SSD to operate for approximately six weeks of cumulative operation before the SSD will no longer respond again.

Link to complete article



Issues with two devices unable to establish a two-way tunnel behind firewall. Cisco FMC (yay)

Kinda stumped on an issue right now with two devices and our firewall.

I have two devices that need to reach out and create a connection to a remote server. Apparently, they will be creating a tunnel between themselves.

I have created access rules to allow these internal devices outside which seems to work, but no connection comes back in. I created another access rule to allow these outside IPs access inside. Still no connection.

When I run a packet tracer (cisco FMC) I am getting an error related to NAT.

There is a general NAT/pat rule for user/server traffic outbound to the outside interface within this IP space.

I haven't run into an issue like this before so I am kind of stumped as to where to start. I am assuming somewhere in NAT but packet tracer isn't always the most reliable.



QLogic BCM57810 RJ45 10Gbit NIC (Dual port) shows 8 devices in Windows Device Manager?

So, I used this NIC on other computers with no problems at all. The two ports always show as just one. However, on my newest machine, it suddenly shows 8 devices in Windows Device Manager and I am unable to configure them to my unRAID server (directly connected with CAT6 cables, no switch or anything in between).

This always worked on all my other machines and I have no idea what is going on. Do I have to enter the firmware when booting the system (CTRL + S) ? How do I reset the card to just work as a normal NIC?

Thanks in advance for any help!

https://i.imgur.com/UzggSJS.png

https://i.imgur.com/rlG4W3r.png

https://i.imgur.com/IwpsQYz.png


PC Specs:

  • 2x Xeon E5-2690 V1

  • 32GB 1600MHz ECC DDR3

  • 2x GTX 1080 TI 2-Way SLI

  • QLogic BCM57810 10Gbit Dual Port RJ45

Server Specs:

  • 2x Xeon X5675

  • 72GB 1333Mhz ECC DDR3

  • QLogic BCM57810 10Gbit Dual Port RJ45



Layer 2 VXLAN w/EVPN on IOS-XE

Not sure if anyone has made this work? We have had a horrible time finding documentation about whether or not it is supported - or how to configure it.

It seems TAC is struggling to provide a clear answer - and they are shying away from getting involved, as this is more of a design question.

Multicast in underlay is not an option, so we had been planning on using BGP/EVPN as the control plane protocol for VXLAN.

We have ISR4ks now, but are considering ASR1001-X or the Newer Catalyst Edge 8000 series routers.
Our sales rep seemed to think L2 VXLAN w/EVPN would be supported on these platforms. Though this seems unclear also.

We are strongly considering going with OTV - but even Cisco said that VXLAN is the way of the future - and would like to use it if it does what we need.

Any insight would be much appreciated.

Project Requirements, for reference:

- Unicast-Based Control/Data Planes

- P2MP

- Edge Redundancy within a site

- Load Balancing of VLANs to be spanned across the Edge devices within a single site (this is more a nice to have)

- Some kind of address learning so that once MACs are learned, traffic is no longer flooded to all nodes on the P2MP instance - at least for unicast traffic.

- Ability to pass customer multicast-dependent traffic (e.g. HSRP/VRRP/STP) over the P2MP DCI



Network Gear Packaging

If I don't have the original box that network equipment came in and I need to ship something, I have always improvised together Amazon boxes, random bubble wrap found in the recycling and packaging tape. This always looks unprofessional and I know it doesn't set a good tone with whoever receives it on the opposite end. There have been a couple of times now when the equipment shows up damaged due to my incompetency with packaging.

Anyone have any recommendations on what to stock up on to professionally repackage 1-2U rack mountable gear so it can be sent out to branches across the globe? There has got to be some sort of semi universal box that will fit gear that varies in length.



Sanity check - is it OK to use giant subnets (i.e. /16) for public WiFi?

I am working on a temporary network to provide public wifi at a golf event.

We are working with Cisco who are providing approx 100 Meraki APs and a pair of wireless engineers to set them up. My org is responsible for providing the underlying network connectivity.

We expect we will see an absolute max of approx 15k clients connect concurrently - realistically I expect this number will probably be more like 5-8k.

The physical area we are covering is split across the golf course - there are about 6 large temporary tent structures set up on the golf course which will each have multiple APs. There is some separation between the areas (ranging from about 300' to 1500'). The entire golf course is very open and centralized, so you can see from one side to the other. We do expect that clients will move between areas, but don't expect that we will have people congregating between the main areas.

My original intent was to set up a VLAN / subnet for each tent, but the Meraki folks are advising us to create a smaller # of VLANs, or even to consider doing everything as a flat network because keeping client devices on the same subnet aids in a smooth roaming experience. Their advice was to limit each VLAN to about 10k devices.

I can certainly create 1 or 2 giant VLANs, but my kneejerk reaction is that is way, way too many hosts in a single broadcast domain. However, since these guys work for Cisco and do this sort of thing for a living, I am inclined to trust that they know what they're talking about. And admittedly, most of what I learned about subnetting and planning networks was learned 20 years ago, so maybe things have changed.

Still, it makes me nervous, so I am hoping the community can sanity check this for me.

All of the APs will be on a common Cisco wired network with redundant 10 Gb/s links between switches, in case that matters.

TIA!



SaaS Video Streaming Cameras Recommendation

Do any of you use a cloud video streaming product like ring but more commercial? Looking to broadcast to a portal where no logging in to view the camera is required.



Why can't you block someone by their MAC address if OSI layer 2 attaches the physical address to each packet?

I'm going through a textbook right now and I'm on OSI layers. For the second layer, Data Link, the book says

"Layer 2 Receives the packets and adds physical addressing by adding sender and receiver MAC addresses to each data packet. This information forms a unit called a frame."

But I also remember a while back I googled "can you block someone by their MAC address" and the answer was no you couldn't. So why can't a receiving user get the MAC address of the packet sent by the sender to block them?
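A toy model of what happens to the layer-2 header as a packet crosses routers, added here as an example (it is not from the post or from the textbook it quotes). Each forwarding device stamps the link with its own MAC addresses while leaving the IP header alone, so the receiving host only ever sees the MAC of the last router. The addresses and the two-router path are constructed.

```python
"""Why a far-end MAC cannot be used as a block key: each router rewrites the
layer-2 header, so only the first link ever carries the sender's MAC.
Added example (a toy model, not a protocol implementation)."""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int


@dataclass(frozen=True)
class Router:
    name: str
    ingress_mac: str     # MAC of the interface the frame arrives on
    egress_mac: str      # MAC the router stamps as source when it forwards


def deliver(frame: Frame, path: list[Router], receiver_mac: str) -> list[Frame]:
    """Return the frame as it appears on each link along `path`.
    An empty path means sender and receiver share one LAN (no rewrite)."""
    seen = [frame]
    cur = frame
    for i, hop in enumerate(path):
        if cur.dst_mac != hop.ingress_mac:
            raise ValueError(f"frame on link {i} is not addressed to {hop.name}")
        next_mac = path[i + 1].ingress_mac if i + 1 < len(path) else receiver_mac
        # Layer 3 header survives (TTL aside); layer 2 addresses are replaced per hop.
        cur = replace(cur, src_mac=hop.egress_mac, dst_mac=next_mac, ttl=cur.ttl - 1)
        seen.append(cur)
    return seen


# Constructed sample: sender -> home router -> ISP router -> receiver
SENDER_MAC, RECEIVER_MAC = "02:00:00:aa:aa:aa", "02:00:00:ee:ee:ee"
PATH = [Router("home", "02:00:00:b1:b1:b1", "02:00:00:b2:b2:b2"),
        Router("isp", "02:00:00:c1:c1:c1", "02:00:00:c2:c2:c2")]
FIRST_FRAME = Frame(SENDER_MAC, PATH[0].ingress_mac, "192.0.2.10", "198.51.100.7", 64)


def mac_seen_by_receiver(frame: Frame, path: list[Router], receiver_mac: str) -> str:
    """The source MAC the receiving host could act on."""
    return deliver(frame, path, receiver_mac)[-1].src_mac


if __name__ == "__main__":
    for f in deliver(FIRST_FRAME, PATH, RECEIVER_MAC):
        print(f"{f.src_mac} -> {f.dst_mac}   {f.src_ip} -> {f.dst_ip} ttl={f.ttl}")
```

The last frame's src_mac is the ISP router's egress MAC, not the sender's; with an empty path (same LAN) it is the sender's. That is the whole answer: a MAC address is usable as a block key only on the segment the sender is attached to (a switch port, an access point, the LAN side of a home router), which is exactly where MAC filtering features live.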



Help for monitoring AD trust with custom sensor on PRTG

Hello, I'm a junior network administrator and I have to monitor our AD trust with PRTG.

I have seen it's possible to do this with a custom sensor written in PowerShell. Has someone already done that? If yes, how?



ASA Teardown TCP connection SYN timeout

Hello all,

I posted yesterday about a similar topic and all the responses were awesome, very helpful, so thank you for that!

Anyway, I'm very curious and want to learn more about Cisco ASAs and the logs, so I have a question.

A customer wants access to a public IP on port 22 so that they can share files. They claim that they can't reach the IP (let's say 200.200.200.200). I asked them to confirm the source IP (10.230.150.36). Here is an output from the logs:

The ACL I configured:

access-list TRANSIT extended permit ip 10.230.150.36 255.255.240.0 host 200.200.200.200. I also see two hitcounts. The 10.230.150.36 is routed via the TRANSIT interface. The ACL is configured on IP and not on specific port. I know I should define a port (22 in this case) instead of just permitting on IP.

2021-07-08T09:10:02+02:00 10.230.130.25 %ASA-6-302013: Built outbound TCP connection 21416433 for OUTSIDE:200.200.200.200 (200.200.200.200) to CDN-TRANSIT:10.230.150.36/51536 (200.200.200.200/51536)

2021-07-08T09:10:21+02:00 10.230.130.25 %ASA-6-302013: Built outbound TCP connection 21419811 for OUTSIDE:200.200.200.200 (200.200.200.200) to CDN-TRANSIT:10.230.150.36/64416 (200.200.200.200/64416)

2021-07-08T09:10:32+02:00 10.230.130.25 %ASA-6-302014: Teardown TCP connection 21416433 for OUTSIDE:200.200.200.200 to CDN-TRANSIT:10.230.150.36/51536 duration 0:00:30 bytes 0 SYN Timeout

2021-07-08T09:10:51+02:00 10.230.130.25 %ASA-6-302014: Teardown TCP connection 21419811 for OUTSIDE:200.200.200.200 to CDN-TRANSIT:10.230.150.36/64416 duration 0:00:30 bytes 0 SYN Timeout

Here, as you can see, we have "Built outbound TCP connection", which is good; that is what I want to see. But then you can see "Teardown TCP connection ... bytes 0 SYN Timeout". What does that actually mean? I looked that up and apparently it means that the connection timed out because the remote end server did not give a reply to the attempt of the user to form the TCP connection. So what I understand from this is that it should be something on their end that is blocking the user from attempting to access 200.200.200.200, a firewall or an actual problem with the server maybe?

Thanks for all the help.



Where should the fibers be crossed ?

Hi folks,

I'm pretty new to the whole fiber thing. An installer ran new fibers that were not working at first. I then realized that the receiving and sending fibers were conflicting. So I crossed a patch cord cable and it worked!

My question is, where should this polarity inversion be made? On the patch? On every patch cord we have to use?

Thanks for your insight!



Wednesday, July 7, 2021

ARP table weirdness.

Good Day

I work for a small ISP in South Africa. I found on my MikroTik routers that the ARP table shows the whole subnet of IPs, but let's say only the first 100 IPs are used; the rest are just dynamically added.

But those IPs are not in use on any device, so I was thinking that it needs to be some service or device pinging or sending data to those IPs for them to be in the ARP table, but there is no MAC connected as the IPs are not in use.

Is there something I am missing? It's also happening at different places in different OSPF areas.



Campus VLAN Design

We have a single campus LAN.

This is what my topology currently looks like:

https://imgur.com/a/1ZrCXTG

The picture with the VLANs is just an example. The real network has much more VLANs than this of course. You can see that the two VLANs I've shown here are being spanned across the ENTIRE campus! That's an exception though, one that I'm trying to put right nonetheless, because most other VLANs only stretch from building A back to the core VSS pair, or from building B back to the core etc.

So currently all VLANs are directly connected subnets hanging off the core VSS pair. Some stretch right across the campus, some only down into particular buildings. I am already definitely thinking about pushing IP routing down into each building, away from the core, so that we can instead have these two main core VSS switches only performing IP routing between subnets, to ultimately minimize STP, and move away from the topology shown above to something new like this:

https://imgur.com/a/KjA2bxg

….or even this next one where the same VLAN is somehow tunnelled over VXLAN or something…

https://imgur.com/a/uDqrxAK

Bringing Layer 3 down to the distribution switches in each building isn't what I'm asking for help with here. Basically the reason why I've shown you all this, is because some of the VLANs here are in process of being re-classified as Operational Technology (OT) and we're in process of moving all our OT subnets behind a new firewall pair which I've already built. This FW pair is centrally positioned in the two server rooms, as you can see in the pics .

I'm just exploring the idea of having a VLAN per application/system that isn't limited by geography. Is this something VXLAN would help with?

As mentioned, some VLANs currently span further than a single building which is not ideal from a network engineering perspective. Some are spanning to multiple downstream buildings from the core. Ideally the VLANs should be localized as much as possible obviously, unless there's a reason to span them across campus; I don't think that's the case here btw. But at the same time, I think it would be better to have all the stuff for a particular app/system sat in its own subnet. For example... we have a building management system with outstations spread out across the entire campus, all in different subnets. This whole system needs to be put behind our new firewall. It would be easier to manage and more efficient if all these outstations and the management server for this building management system was all on its own subnet. But with it all currently spread out across multiple different subnets/VLANs across the campus, I'm wondering how I'd go about putting it all on one subnet. Is it possible?

Otherwise, for example, I'll just have to push down IP routing to the individual buildings and then create a dedicated VLAN and SVI in each building/area dedicated for just the outstations in that building/area only, but given the limited number of VLANs we can create on this new firewall we're putting it all behind, has me wondering if this is really a waste of VLANs. In the face of this, you'd likely just tell me to buy a beefier firewall with more VLAN capacity, but that's not an option. I'm not sure what the best thing to do is.



Airlink Rv50x Sierra Wireless

Hello Everyone,

I am running a Sierra Wireless Airlink Rv50x on Linux 3.14.62. I am having connection issues to this remote host. When I connect to it through SSH, I get terminal hang up on certain commands, forcing me to kill my connection and reconnect.

I have other systems running the same setup without issue.

Where should I start to diagnose? Did not see anything in /var/logs to indicate network issues.



ASA-AnyConnect - Possible RRI issue

Hello

I am trying to add some static routes in on my ASA to point to the other side of a P2P.

route p2p 10.1.0.0 255.255.248.0 1.1.1.1

It is erroring out for me saying the route is already in place and after checking the route table

I see the below

V 10.1.0.0 255.255.248.0 connected by VPN (advertised), outside

---

Doing my google digging here it looks like an RRI issue with our AnyConnect VPN as I see the same advertised for all of my VPN IPs in my route table (below)

V 10.2.0.50 255.255.255.255 connected by VPN (advertised), outside

V 10.2.0.51 255.255.255.255 connected by VPN (advertised), outside

V 10.2.0.57 255.255.255.255 connected by VPN (advertised), outside

V 10.2.0.61 255.255.255.255 connected by VPN (advertised), outside

V 10.2.0.66 255.255.255.255 connected by VPN (advertised), outside

V 10.2.0.68 255.255.255.255 connected by VPN (advertised), outside

We do split tunneling on our AnyConnect and is controlled by ACLs for each "VPN Group" a user connects to pulls that ACL.

Can anyone help me on how to get these routes out of the advertisement stage so that I can drop the required static in -- thanks in advance.



Cisco 4110 NGFW and Nexus 7K vPC question.

Say you have a 4110 HA connected to Nexus 7Ks via vPC. So FW A has two downlinks to each Nexus (A and B) vPC style. The LAN gateway goes to Nexus HSRP with active on Nexus A. Will the Nexus vPC send some traffic over to Nexus B to then be load balanced up to the active FW A? And will the FW A do the same back to Nexus B? If so, anyone have experience with this creating out of order packet issues? Issues with doing a failover for maintenance due to both Nexuses being utilized at the same time? Any other disadvantages to this setup?



What are the benefits of learning Linux as an engineer in a Windows environment?

I work in a NOC and we are mostly monitoring Solarwinds, Splunk, and doing layer 2 tickets. I want to learn Linux to expand my knowledge and eventually experiment with Ansible. Other than that, what else will I be able to do?



system bugs with DellEMC S4100-ON switches?

I received a voicemail claiming to be from Dell technical support today, listing off several of our network switch service tags and claiming we needed to call Dell back to resolve a 'potential system failure which will occur on or about July 27'. Has anybody heard about this bug, or is there a fix/patch/firmware update available?

..or has somebody leaked a Dell database and this is a really good phishing attempt? Dell has never initiated technical calls to us for anything besides our SAN device support. So I was immediately suspicious, and the fact they had accurate service tags actually made me MORE paranoid.



How do you recommend mastering the command line for networking?

I'm more of a hands-on learner. I passed my Network+ back in January, but the CCNA I am currently studying for goes a lot more in depth and I feel like I'm not gonna master networking unless I do more hands-on learning for myself. I was wondering what people might suggest for me to do to go more in depth with my networking skills.



I am currently looking to move out of help desk to a junior network admin or network engineer. Any points or tips.

I am currently working for IBM in a role where I fix computer hardware and software related issues. I have been wanting to move to a role that involves more networking and working with more networking hardware and software. I passed my Network+ and am currently working on my CCNA. I do have my A+ and Sec+ and an associate's in IT: Support & Services, as well as working on another associate's in cybersecurity. I was wondering what people might suggest in order to land a possible networking position where it would be a junior role at first but I can move my way up a bit more.



STP question: Should I disable STP on the uplink port to the new root?

Hello,

I'm planning the replacement of an old HP 5412zl which is acting as the core switch and STP root with priority 0.

New switches are a pair of Ubiquiti Switch Pro Aggregation and 3x Switch Pro 48.

The 2 Ubiquiti Aggregation are connected together and each Switch Pro 48 will be uplinked to both Aggregation forming a loop. For the moment, the loop doesn't exist. Only one uplink of the Switch Pro 48s is connected to the main Aggregation switch (no link to the second Aggregation).

One Ubiquiti Aggregation will be the new root, the second Aggregation will be the root backup.

I also have an uplink between the old HP 5412 and the Ubiquiti stack that I have to keep until the migration is finished.

But I don't want the old HP 5412 to interfere with BPDU frames while I am connecting the redundant uplinks between the Switch Pro 48s and the second Aggregation.

In fact, I would prefer to isolate the new Ubiquiti stack STP from the old STP.

That is why I'm thinking about disabling/discarding BPDU frames on the uplink port of the old HP switch that connects to the Ubiquiti stack.

What do you think?



Cisco ASR9K Cluster nVedge eve-ng

Hi there, does anyone know if it is possible to simulate a cluster with IOS XR (ASR9K) in EVE-NG?



Need help with Cisco

I need help on a project, does anybody have Cisco ASA experience?



QoS Question

Hi All,

I have seen the following config on a Cisco switchport for QoS. I understand how QoS works but can't seem to understand what these lines are actually doing to the port traffic:

! SRR shared weights for egress queues 1-4, served in the ratio 1:70:25:5
srr-queue bandwidth share 1 70 25 5
! Queue 1 is shaped to 1/30 of the port bandwidth; a weight of 0 leaves that queue in shared mode
srr-queue bandwidth shape 30 0 0 0
! Queue 1 becomes the strict-priority (expedite) queue and is drained first;
! the share and shape weights given for queue 1 above are not used while it is the expedite queue
priority-queue out
! Keep the DSCP value of incoming packets instead of rewriting it to 0
mls qos trust dscp

Would someone be able to explain what this does and how the numbers affect it?



New fiber run won't link

Due to some recent construction, we had to re-route some fiber. This is a 400ft section of 6-strand single mode. We have an HP 5400 with J9151A transceivers on each end. I have tried multiple known good transceivers and patch cables on each end. The other transceivers in both switches are working correctly. I have swapped transceivers to different ports in the module. The new fiber tests good with a meter. I've updated both switches to the latest firmware. The switch detects the transceiver hot swap according to the event log, but it never lights up once the LC connector is inserted. I have also reversed polarity on the SC connectors at the fiber patch panel. What am I missing here?



Struggling to find corporate networking jobs

Every time I look on Indeed, Dice, LinkedIn, or any other leading job boards, all I see are MSP positions. Not that I have anything against MSPs, but I would rather work in a corporate environment, at least for now. Do you see the same change? I have to say, since things started coming back to normal, I have never seen as many MSP jobs as I do now.

I really don't know what to do at this point, should I try an MSP gig? I just don't know if I feel comfortable going to an MSP just yet.

For those of you working at an MSP, can you provide some positives and negatives



Question about network outage reporting system

I work for a large university supporting plant researchers and they have a series of control systems in their greenhouses which send alarms when temperature readings (among other things) are out of range and notify an on-call staff member. The greenhouse director is leery of potential alarms coinciding with a network outage (not common but a few have happened in recent enough memory that everyone is still jumpy) where no one from her team would be notified causing possible loss of plant matter (in the event that temperatures were far enough outside the range that the plants would freeze). Some of this plant material cannot be replaced if lost, and losses could be in the scope of several million dollars.

I'm wondering if anyone is familiar with a product that would allow us to easily monitor this. I'm thinking something like a sensaphone which would connect to a switch on that network and call out over a cell network should the link go down for more than a given time period.



VXLAN or VRF

I'm wondering what the drawbacks are for going VXLAN or VRF. I'm trying to isolate legacy devices from the rest of the network. The thought occurred to me that maybe I should just use VXLAN to the firewall. What would be the limitations in the future?



iptables

Hello, I have been trying to start learning about iptables. I have a general understanding of the tables, chains and some commands. But what I can't understand is the benefits of dropping packets in the PREROUTING phase vs the INPUT phase. I looked at the flow chart and I see how it works. But I still can't see why it would be better to drop/accept packets in one phase or the other. For example, what's going to be the difference between these two commands? They seem like they would do the same thing:

# mangle PREROUTING: traversed by every packet arriving on any interface, before the
# routing decision, so forwarded traffic passes through it as well as traffic for this host
iptables -I PREROUTING -t mangle -d 198.18.0.12 -p udp --dport 1234 -j ACCEPT

# filter INPUT: traversed only by packets the routing decision delivers to this host;
# an ACCEPT in the mangle chain above ends that chain only and does not skip this one
iptables -I INPUT -t filter -d 198.18.0.12 -p udp --dport 1234 -j ACCEPT



Where is multicasting configured?

I'm using Arista's vEOS Routers and I'm trying to configure multicasting. I understand the big picture of multicasting and how it's similar to a subscription system, but I can't quite figure out how to configure it.

How does the router know what is meant to be a multicast? Are they statically defined, or is it supposed to dynamically learn it? I understand it has an mroute table, but I don't quite get how it can fill it up.

Does the sending host need any configuration? Or does it simply assume it's pinging a unicast address.

What is MLD's role? I see it a lot popping up in the documentation, but I've never seen it elsewhere. Do I need it for an IPv4 network or is it an optional configuration? The multicast domain is fairly small so I'm trying to weed out useless protocols as much as I can.



DHCP Relay or DHCP Within Subnet

I'm a novice when it comes to networking for my organization and have recently upgraded all our unmanaged switches to managed. And implemented a bunch of different VLANs for different services including one for public Wi-Fi. I just realized our firewall equipment does not support more than 256 leases (which we are already using 80% of, per our ISP). They gave me the option to setup a DHCP Relay using my own equipment or purchase new hardware from them. I figured I would just setup a DHCP server but since this will be serving a public Wi-Fi VLAN, I'm unsure if I should use a relay or keep that VLAN completely isolated to itself and configure the DHCP server just for that network?

I doubt I'll be doing much with this server once in place except keeping it patched. Which would be easier to do if I set it up as a relay on our management VLAN. We don't have a need for DHCP in any other VLAN at the moment but may down the road.



UBoot/MiniBoot Update (Alcatel Switch)

I'm upgrading this OmniSwitch 9702. I'm stuck on the uboot/miniboot upgrade. The process goes as follows:

  1. Transfer uboot.bin and miniboot.boot to /flash
  2. Execute command "update uboot-miniboot"
  3. When the update is complete, delete the uboot/miniboot files from /flash
  4. Execute "reload working no rollback-timeout"

Could someone provide insight as to why we must delete those files and reboot the switch after transferring them? This doesn't seem logical.



Cisco ASA Deny tcp (no connection)

Hello all,

A customer of ours has problems with accessing their server. Between our datacenter and our partner's datacenter, we have a VPN tunnel. The customer's IP is on subnet 192.168.50.0 and they are trying to access the server, which is 10.150.150.3. This server is on the other side of the VPN tunnel. I told our customer to generate some traffic to 10.150.150.3. I did some troubleshooting and I found this in the logs:

2021-07-02T16:42:33+02:00 10.120.130.17 %ASA-6-302013: Built outbound TCP connection 3713197788 for OUTSIDE:10.150.150.3/443 (10.150.150.3/443) to TRANSIT:192.168.50.5/38938 (192.168.50.5/38938)

2021-07-02T16:42:33+02:00 10.120.130.17 %ASA-6-302013: Built outbound TCP connection 3713197934 for OUTSIDE:10.150.150.3/443 (10.150.150.3/443) to TRANSIT:192.168.50.5/38940 (192.168.50.5/38940)

2021-07-02T16:42:33+02:00 10.120.130.17 %ASA-6-302014: Teardown TCP connection 3713197788 for OUTSIDE:10.150.150.3/443 to TRANSIT:192.168.50.5/38938 duration 0:00:00 bytes 6044 TCP Reset-O from OUTSIDE

2021-07-02T16:42:33+02:00 10.120.130.17 %ASA-6-106015: Deny TCP (no connection) from 10.150.150.3/443 to 192.168.50.5/38938 flags RST on interface OUTSIDE

2021-07-02T16:42:33+02:00 10.120.130.17 %ASA-6-302014: Teardown TCP connection 3713197934 for OUTSIDE:10.150.150.3/443 to TRANSIT:192.168.50.5/38940 duration 0:00:00 bytes 7424 TCP FINs from TRANSIT

2021-07-02T16:42:33+02:00 10.120.130.17 %ASA-6-106015: Deny TCP (no connection) from 10.150.150.3/443 to 192.168.50.5/38940 flags RST on interface OUTSIDE

From my understanding, this is a fault on our partner's side. The reason is that we get a deny TCP (no connection) from our partner's side. The customer IP is 192.168.50.5 and the IP 10.150.150.3 is located on our partner's side, which is where the server is located. The IP 10.150.150.3 "refuses" to do a TCP connection with 192.168.50.5. But still, I'm not sure if I understood this correctly.

It would be great if someone could explain this output for me.

Thanks.
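As an added illustration (not from the original post, and not Cisco's own tooling), here is a small parser that walks the six syslog lines quoted above and pairs each 106015 with the connection the ASA had already torn down. The message IDs are standard ASA syslog IDs: 302013 is "connection built", 302014 is "connection torn down" with its reason, and 106015 is a TCP packet dropped because no matching entry exists in the ASA's connection table. The direction-independent flow key and the "late RST" classification are this example's own conventions, not ASA terminology.

```python
import re
from collections import OrderedDict

# The six syslog lines quoted in the post above, embedded so the example runs offline.
ASA_LOG = """\
2021-07-02T16:42:33+02:00 10.120.130.17 %ASA-6-302013: Built outbound TCP connection 3713197788 for OUTSIDE:10.150.150.3/443 (10.150.150.3/443) to TRANSIT:192.168.50.5/38938 (192.168.50.5/38938)
2021-07-02T16:42:33+02:00 10.120.130.17 %ASA-6-302013: Built outbound TCP connection 3713197934 for OUTSIDE:10.150.150.3/443 (10.150.150.3/443) to TRANSIT:192.168.50.5/38940 (192.168.50.5/38940)
2021-07-02T16:42:33+02:00 10.120.130.17 %ASA-6-302014: Teardown TCP connection 3713197788 for OUTSIDE:10.150.150.3/443 to TRANSIT:192.168.50.5/38938 duration 0:00:00 bytes 6044 TCP Reset-O from OUTSIDE
2021-07-02T16:42:33+02:00 10.120.130.17 %ASA-6-106015: Deny TCP (no connection) from 10.150.150.3/443 to 192.168.50.5/38938 flags RST on interface OUTSIDE
2021-07-02T16:42:33+02:00 10.120.130.17 %ASA-6-302014: Teardown TCP connection 3713197934 for OUTSIDE:10.150.150.3/443 to TRANSIT:192.168.50.5/38940 duration 0:00:00 bytes 7424 TCP FINs from TRANSIT
2021-07-02T16:42:33+02:00 10.120.130.17 %ASA-6-106015: Deny TCP (no connection) from 10.150.150.3/443 to 192.168.50.5/38940 flags RST on interface OUTSIDE
"""

# Patterns for the three message IDs that appear in the post.
BUILT = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) \([^)]*\) "
    r"to (?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+)"
)
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) "
    r"to (?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)
DENY = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) "
    r"from (?P<ip_a>[\d.]+)/(?P<port_a>\d+) to (?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"flags (?P<flags>\S+) on interface (?P<iface>\w+)"
)


def flow_key(m):
    """Direction-independent key for a TCP flow: the set of its two ip/port endpoints."""
    return frozenset({f"{m['ip_a']}/{m['port_a']}", f"{m['ip_b']}/{m['port_b']}"})


def correlate(log_text):
    """Walk the log in order and attach each 106015 to the connection that preceded it.

    Returns (flows, orphans): flows maps connection id -> summary dict; orphans lists
    106015 events for which no connection on that 5-tuple was ever built or torn down.
    """
    flows = OrderedDict()   # connection id -> summary
    by_flow = {}            # flow key -> most recent connection id on that 5-tuple
    orphans = []
    for line in log_text.splitlines():
        if m := BUILT.search(line):
            flows[m["id"]] = {
                "for": f"{m['if_a']}:{m['ip_a']}/{m['port_a']}",
                "to": f"{m['if_b']}:{m['ip_b']}/{m['port_b']}",
                "torn_down": False, "reason": None, "bytes": 0, "late_rst": False,
            }
            by_flow[flow_key(m)] = m["id"]
        elif m := TEARDOWN.search(line):
            if (s := flows.get(m["id"])) is not None:
                s.update(torn_down=True, reason=m["reason"], bytes=int(m["bytes"]))
        elif m := DENY.search(line):
            cid = by_flow.get(flow_key(m))
            if cid is not None and flows[cid]["torn_down"] and m["flags"] == "RST":
                # The RST reached the ASA after it had already removed this connection,
                # so there was no state entry to match it against: a table miss, not an ACL hit.
                flows[cid]["late_rst"] = True
            else:
                orphans.append({"from": f"{m['ip_a']}/{m['port_a']}",
                                "to": f"{m['ip_b']}/{m['port_b']}",
                                "flags": m["flags"], "iface": m["iface"]})
    return flows, orphans


if __name__ == "__main__":
    flows, orphans = correlate(ASA_LOG)
    for cid, s in flows.items():
        print(f"{cid}: {s['for']} <-> {s['to']} bytes={s['bytes']} "
              f"reason={s['reason']!r} late_rst={s['late_rst']}")
    print("orphan 106015 events:", orphans)
```

Run against the quoted lines, both 106015 entries land on connections the ASA had already torn down a moment earlier, so the more informative fields are the teardown reasons and byte counts on the 302014 lines (a reset from the OUTSIDE side on the first connection, a normal FIN close from the TRANSIT side on the second, both after several kilobytes were exchanged). A 106015 with no preceding connection on the same 5-tuple would show up in the orphan list instead and deserves a different kind of investigation.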



Connecting an HP/Aruba 5400 zl2 to a Dell PowerEdge R630 at 10GbE

I have an HP Aruba 5412zl2 switch with a spare 10Gbe SFP+ port in it. I also have a Dell Poweredge R630 with 10Gbe RJ45 ports. I'd really like to connect those two at 10Gbe speeds as cheaply as can be done reliably.

As mentioned, the R630 has two 10GBase-T ports already on it. However, it appears that there is no 10GBase-T SFP+ transceiver that's compatible with the HP/Aruba 5412zl2, and a full 10GBase-T module is around $3k.

I have a 10Gbe Direct Attach Cable that's compatible with the 5412zl2 (part J9283B), but no SFP+ ports on the R630. It looks like I can cheaply order a compatible card with 10Gbe SFP+ ports on it (e.g. the Broadcom 57810 Dual Port SFP+), but I don't know if those things can talk to each other.

Is an HP/Aruba Direct Attach Cable generic enough to talk to any SFP+ port, or is it specific to HP/Aruba equipment? Are there other options to connect these two pieces of equipment? I'd really appreciate insight from any of you who have experience in this area. Thanks!



Re-thinking my core switch for a police department, looking for input

Our police department currently has a single Aruba 5400 series with dual mgmt modules and dual power supplies serving as the LAN core for the facility. I got some budget to replace it this year, and I am looking for some suggestions for a more redundant approach.

Most of our smaller city buildings have a single Aruba 3810M with dual power supplies and a 4-port SFP+ module serving as the core switch, with a 40gb trunk back to our WAN core. This is fine for most buildings, as our remote sites don't have any on-site infrastructure and really only handle distribution. There are a few obvious points of failure with these: the chassis, the fiber module, etc...

The PD is now one of our two critical datacenters where our virtual environment resides, and ideally I want no single-points-of-failure here. I'm wondering how others handle something like this and what you all would suggest I do here.

At this point I am leaning towards doing a stack for the core - maybe two 5400s. Is there a better way?

I realize this is a loaded question, here's some relevant information, but feel free to ask for any other info:

  • Our WAN is routed via BGP
  • The PD site has 4 fibers for the backhaul to our WAN core (single trunk)
  • We need Aruba hardware
  • We don't need a whole lot of ports on the core, really just fiber uplinks to a few distribution stacks and a fiber uplink to the top-of-rack switches for the VM hosts. So, stacking two 5400s feels like overkill in terms of ports/modules.
  • Something modular is ideal so we can replace them in production if needed
  • Want to avoid VRRP, would prefer to have a single router with stacking redundancy, but feel free to change my mind

How would you approach this?



Anyone else notice an uptick in issues with AS6939 (HE)

I work on a lot of different ASNs in any given week and see trends in the DFZ sometimes.

It seems like there has been an uptick in problems with HE (6939) lately (~60 days). Mainly I've seen an increased number of peering bounces and short routing loops (that resolve within a few minutes) in the last few weeks in different ASNs I've been working in that use 6939 for transit. Normally, HE is pretty solid. Granted, this isn't comprehensive data, just some observations at different peering points around the US. I've also seen some anecdotal info in other groups about similar issues with HE recently.

Makes me wonder if they are going through a major network migration like Lumen started last year to merge 3356 and 209. I checked the outages list https://puck.nether.net/ but haven't seen anything noteworthy

Anyone else seeing churn out of Hurricane Electric recently?



EVE-NG - Cannot start nodes

Hey guys,

My EVE-NG is installed on VMware ESXi and it was working OK till I tried to make PAN-OS 10.1 work. Now nothing is working except CSR & VPCs. Wondering what could be causing this error, as I cannot see any logs for it:

vIOS: Failed to start node (12).

Fortinet: Failed to start node (12).

I have deleted PAN-OS totally now and fixed the permissions, but still nothing. I have twice checked the VM settings, and hardware virtualisation is allowed there.

Can anyone please help me as I fear losing multiple labs.

Thanks.



ShixxNote network enabled sticky notes program and LAN messenger

ShixxNote is a multithreaded client/server network tool that lets you display notes on your desktop and send them through your local network (LAN) to others. ShixxNote is a network-enabled sticky notes program. Every computer where ShixxNote is installed and running has a network listener for new messages, which when found are presented to the user as colorful desktop sticky notes via which a reply can be sent instantly.

The problem started when Microsoft disabled the Windows Messaging service, and the program thread which is created just for scanning your local network now can't find any computer. Before, you would get the network neighborhood list of computers and just by clicking on it you were able to add any computer to the note recipient list. After adding recipients you just needed to click on the button "Send note". Instantly all computers in the recipient list would create a note on the desktop screen, exactly the same note as it was on the sender computer. Now I need to rewrite the code for scanning the network. My function for enumeration was written 15 years ago in C++ and it worked well on Windows 10 till last year. Now it works on Windows XP, Seven, 8 but not any more on Windows 10.

Check out Microsoft Store or visit program homepage www.shixxnote.com if you want to download 30-days trial version.

Regards to all,

Ozren Sirola



Taking SIM card out to mobile router

If I take my SIM card and put it in my mobile modem/router, will it work, and if so will it use my cellular data or hotspot data? Also, will I get in trouble with AT&T for changing my SIM card out multiple times? There's not many choices out here until Starlink hurries up lol



Tuesday, July 6, 2021

what to do with the silicon shortage situation?

I'm sure you all see it or hear about it. There is a shortage in silicon (integrated circuits, not the actual mineral), and there is one (at least) in every network box out there. It's the CPU, the GPU, the NPU, the NIC, the chip on your optical transceiver... it's the whole network, whether you build your own network or take your business to the cloud, fixed or mobile, open or locked, disaggregated or monolithic. Lead time for delivery looks bad. Rumor is that an order placed in Q4 of 2021 will be delivered in 2023 (yes, 2023).

So I am asking: are you feeling this already? What is being done about this situation? Are chip makers stockpiling inventory? Are system makers doing the same? Are operators doing the same? Is this a part of the 5G/COVID conspiracy? (I'm joking on this one...)
WDYT?



Design Virtual Network

I want to design a virtual network for at least 100 containers. This network MUST be as independent as possible.

I uploaded an image of my topology at this link:

Network Topology

Some notes about this diagram:

  1. There is L2 connectivity between OVS switches. (If there isn't, I can use VXLAN.)
  2. There is L3 connectivity between firewalls.
  3. The gateway of all VLANs in this network would be the firewall. (At least for simplicity; let's say for now the gateway of all VLANs would be the firewall, but in future we can define the gateway of some VLANs on the Open vSwitches of host B and host C and use VRRP between them.)
  4. There are two failover firewalls (HA in active/standby mode).
  5. The firewall will NAT outgoing traffic to its own public IP.

any thoughts about this design?

And one more question: I want this network to work with an SDN controller, so I use OVS, which supports the OpenFlow and OVSDB protocols.

But I haven't decided about the firewall yet. Which firewall should I use? (I need some sort of firewall with automation capabilities: a firewall with lots of APIs for everything that also has good documentation and a good community.)

Thanks a lot!



SFP and cable are good, but don't show connection. Loopback plug does somehow?

Hi,

I am currently troubleshooting an Arista 7050SX3-48YC8.

I do not have write privileges to the switch, or I could troubleshoot from there inside the switch.

We have tested the SFP in other switches, tested the fiber cable, tested the light levels. None of it is faulty or broken, and we replaced it anyway.

Somehow a loopback plug works.

What does this mean? My first thought is it's a configuration issue and the network engineer needs to fix it, but I have no idea.

This is both for my own information and learning as well as help.

Thank you!



[RANT] Juniper QFX5100 Switches

Hey, these are nice switches to use, the OS is cool, lots of ports, lots of speed.

BUT HOLY SMOKE did they go super super super cheap on the fixings (rails/screws/etc).

Start with the screws, the smallest things in the world they could possibly get away with.
16 screw holes on the switch itself to attach the rail with, but you only get 8 screws in total.
6 (with even smaller screws) screw holes to attach the bracket to the rail, but 3 of the 4 switches only came with 4 screws, not 6; 2 of the screws shredded themselves as soon as I tightened them slightly.

Next the rails: these are the softest, flimsiest things I've ever seen in my life. Bent 2 of them just sliding the switch into the rack (was a slightly awkward position at the top of a 42U rack, but still) even though I was doing it slowly.

grrr shakes fist



Goip and Smpp

Hello everyone. Couldn't find a more suitable sub to post my question; since GSM is a part of network infrastructure, I decided to post it here.

Is there no way to change the sender ID of an SMS message if it was sent from an SMPP server that is connected to a GoIP?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Question re terminating unused strands from GPON/XGSPON splitter.

We are deploying a hybrid GPON/XGSPON network. The splitters in the field are not connectorized but fusion spliced onto the cables, something like this.

I know that there are terminators available for unused connectorized fibers that are recommended to reduce the effects of reflections.

What if anything is needed to terminate the unused output strands on an unconnectorized splitter?



understanding forwarding tables

tl;dr: solution to textbook problem doesn't make sense to me, a router's forwarding table only has entries for its immediate neighboring subnets. How does the router know how to route packets to other subnets?

Hi kids,

I'm struggling with understanding the solution to a problem in the Kurose book and would appreciate some pointers. Not sure if this is the right sub, feel free to delete.

Problem 4.15 in the 8th edition asks to assign subnets to a simple network topology with 3 routers, and to write down the forwarding table for each router. Apparently I'm not allowed to post images in this sub, so I'll try my hand at an ASCII visualization:

              subnet A
                 |
              router R1
              /      \
        subnet D    subnet F
            /          \
     router R2 -------- router R3
        /      subnet E      \
    subnet C               subnet B

The problem is:

a. Assign network addresses to each of these six subnets, with the following constraints: All addresses must be allocated from 214.97.254/23; Subnet A should have enough addresses to support 250 interfaces; Subnet B should have enough addresses to support 120 interfaces; and Subnet C should have enough addresses to support 120 interfaces. Of course, subnets D, E and F should each be able to support two interfaces. For each subnet, the assignment should take the form a.b.c.d/x or a.b.c.d/x – e.f.g.h/y.

b. Using your answer to part (a), provide the forwarding tables (using longest prefix matching) for each of the three routers.

I have no problem with a), and I thought I had solved b), but when I looked up the solution online, the routing tables e.g. for router R1 only have entries for subnets A, D, and F. The full solution is:

From 214.97.254/23, possible assignments are:
Subnet A: 214.97.255/24 (256 addresses)
Subnet B: 214.97.254.0/25 - 214.97.254.0/29 (128-8 = 120 addresses)
Subnet C: 214.97.254.128/25 (128 addresses)
Subnet D: 214.97.254.0/31 (2 addresses)
Subnet E: 214.97.254.2/31 (2 addresses)
Subnet F: 214.97.254.4/30 (4 addresses)

To simplify the solution, assume that no datagrams have router interfaces as ultimate destinations.

Router 1

Longest Prefix Match Outgoing Interface
11010110 01100001 11111111 Subnet A
11010110 01100001 11111110 0000000 Subnet D
11010110 01100001 11111110 000001 Subnet F

Router 2

Longest Prefix Match Outgoing Interface
11010110 01100001 11111111 0000000 Subnet D
11010110 01100001 11111110 0 Subnet B
11010110 01100001 11111110 0000001 Subnet E

Router 3

Longest Prefix Match Outgoing Interface
11010110 01100001 11111111 000001 Subnet F
11010110 01100001 11111110 0000001 Subnet E
11010110 01100001 11111110 1 Subnet C

So my question is: assuming a host in subnet A wants to send data to a host in subnet B (necessarily via router 1), how does router 1 know how to route the packet, if subnet B is missing from its routing table?
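As an added worked example (not from the original post, the textbook, or its published solution), the following code turns the bit-string prefixes of router R1's table, exactly as quoted above, into real prefixes and performs longest-prefix-match lookups against them. It then goes one step beyond the quoted solution: the entries in R1_WITH_TRANSIT (summary routes for the address space behind R2 and R3, pointing at R1's interfaces on subnets D and F) are this example's own assumption about what R1 additionally needs, and the lookups show how longest-prefix matching lets those broader entries coexist with the /31 and /30 link prefixes without hijacking them.

```python
import ipaddress

# Router R1's table exactly as quoted in the solution above: bit-string prefix -> outgoing interface.
R1_TABLE = [
    ("11010110 01100001 11111111", "Subnet A"),
    ("11010110 01100001 11111110 0000000", "Subnet D"),
    ("11010110 01100001 11111110 000001", "Subnet F"),
]


def bits_to_network(bits):
    """Turn a bit-string prefix such as '11010110 01100001 11111110 000001' into 214.97.254.4/30."""
    b = bits.replace(" ", "")
    if not b or len(b) > 32 or set(b) - {"0", "1"}:
        raise ValueError(f"not an IPv4 bit-string prefix: {bits!r}")
    # Pad the prefix with zero host bits; the prefix length is the number of bits given.
    return ipaddress.IPv4Network((int(b.ljust(32, "0"), 2), len(b)))


def build_table(rows):
    """Convert a list of (bit-string, interface) rows into (IPv4Network, interface) entries."""
    return [(bits_to_network(bits), iface) for bits, iface in rows]


def longest_prefix_match(table, ip):
    """Return (network, interface) of the most specific matching entry, or None if nothing matches."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


R1 = build_table(R1_TABLE)

# Assumed additions, not part of the quoted solution: summary routes for what lies beyond R1's
# neighbours. 214.97.254.0/25 covers subnet B plus the D and E links and is sent toward R2 via
# the interface on subnet D; 214.97.254.128/25 covers subnet C and goes toward R3 via subnet F.
# The /31 for D and the /30 for F are longer prefixes, so they still win for their own addresses.
R1_WITH_TRANSIT = R1 + [
    (ipaddress.IPv4Network("214.97.254.0/25"), "Subnet D"),    # toward R2
    (ipaddress.IPv4Network("214.97.254.128/25"), "Subnet F"),  # toward R3
]


def route(table, ip):
    """Human-readable lookup result for the demonstration below."""
    hit = longest_prefix_match(table, ip)
    return f"{ip}: no route" if hit is None else f"{ip}: {hit[0]} -> {hit[1]}"


if __name__ == "__main__":
    for ip in ("214.97.255.7", "214.97.254.10", "214.97.254.200", "214.97.254.5"):
        print(route(R1, ip), "|", route(R1_WITH_TRANSIT, ip))
```

With only the three quoted entries, a lookup for a subnet B address such as 214.97.254.10 returns None on R1, which is exactly the gap the question describes; with the two assumed summary entries it resolves to the interface on subnet D, while 214.97.254.5 (a host on link F itself) still matches the /30 rather than the /25 because the longer prefix is preferred.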



TACACS and Radius Recommendations

Hi Folks,

Looking for recommendations for a TACACS and/or Radius product that meets the following requirements:

  • Installs on Windows (not Server, I know..)
  • Relatively easy to manage
  • Preferably Free/Cheap

Reason for the above is that we do not want to stand up a dedicated Linux Box for these requirements if we can help it, as if I would be, I'd use TAC_Plus. I would also prefer to keep my Radius separate from my current other accounts/LDAP/AD. Otherwise open to suggestions.

Thanks



Multicast routing assistance

Without jumping into tons of details and making this post super long, are there any gotchas to know about with multicast routing and an ASA? I think I've set it up correctly as I can stream from a receiver on the "inside" trusted network of the ASA without issue from a source "outside" on the untrusted network (the RP is also on the outside network of the ASA), but the reverse is not true. If the source is on the inside of the ASA, I can see multicast traffic on the client which is outside of the ASA, but nothing ever shows up on the screen. In other words, there's no audio/video, or maybe occasionally you'll hear a blip of sound. It seems the stream is being found, but the data isn't making it there correctly or something.

To be brief, we've set "ip pim sparse-mode" on all interfaces between client and server including the RP, multicast routing is set on all multilayer switches (Cisco), and multicast routing has been set on the ASA as well. The "pim rp-address" is set to the RP IP address on the outside of the ASA on all switches and the ASA itself.

PAT is used for the clients on the inside network of the ASA outbound, so private network addresses are not exposed outside, and the outside router does not have routes to the private IP space of the inside network, even though they do not overlap. The public PAT IP addresses are set as static routes pointing to the outside firewall interface from the next hop multilayer switch, so allows for the communication between the two networks.

Things I've tried so far - no-NATing the inside PIM router IP address destined for the RP and allowing PIM from this router IP address to the RP on the outside_access_out access list (it gets hit, but I don't know if it's a bidirectional communication, and if it is supposed to be, it's probably failing because of the lack of routes on the outside PIM router).

I'm not sure if NAT is screwing stuff up here somehow, but I don't know what would be needed to keep NAT from interfering with just the multicast traffic if so. I've noticed that if NAT is disabled, and routes are added between the outside switch to our internal networks, then multicast works in this direction, but it's not something possible in the real setup.

I'm sure I might be missing some helpful details, let me know and I'll try to fill in the missing detail.



Renewing CCNA using CE?

Hi,

I completed the exam for a course that gives me 32 Continuing Education credits, 2x credits above the 30 credits needed.

I have also redeemed this and it is appearing under my dashboard in ce.cisco.com portal. How long does it take for them to apply the extension and how do I use these credits to buy other courses (when I try to buy something on the store, it asks for a SO# which I do not have).

The Course I took: Cisco IOS XR Broadband Network Gateway Implementation and Verification (IOSXR304) v1.0 - The Cisco Learning Network Store



Pre-configured key

Hi! Can anyone explain to me what a WEP pre-configured key is? I'm a total beginner, so I won't understand many tech terms. Thanks



Why not use a router as an NTP server instead of an external NTP source or dedicated NTP server?

My noob reasoning is, NTP is just used to have all devices synchronized in time, right?

So, isn't using an external NTP source unintuitive because of the latency?

I know I am wrong but can't figure out why. I read in a Stack Overflow thread too that NTP isn't just about keeping times synchronized and that configuring a router as NTP master is never a good idea. But they didn't say why.

What's the real purpose of NTP?



New building design

I'm looking into a setup for my company for a new building and I'm looking at the switching.

My current setup is 2 "core" switches acting as the layer 3 gateway for all VLANs (odd number 3rd octets are primary on Core1 and evens are on Core2) but each access switch has one 1 connection to a core switch. I use Juniper wherever I can. Currently I have 2x EX4200 for the core switches and a mixture of 4200s and 2200s for the access layer.

I have no issues with bandwidth, but I'm concerned with resilience. Currently it's a massive pain to update the OS on either core switch as it takes out half the building (gateways fail over using VRRP, but as each access switch only has 1 connection I lose half my switches).

I could use spanning tree to go from the edges to both cores, but it feels like a dirty way of doing things.

Is there a way to run layer 3 to the access switches, but have layer 2 adjacency between different access switches? e.g. a port on Access1 can be in VLAN3 and a port on Access2 can be in VLAN3 and they can communicate as if they were on the same switch on the same subnet?

My initial reading brings up L2VPN with MPLS, but this feels overkill.

Is what I want to do a good idea? Is there a better way of achieving multiple uplinks to 2 core switches?



Toner probe responding to multiple lines?

Quick question as I'm relatively new to toner probes. I had to tone a cat5 line from across the building. At the patch panel, I found it, but also three other cables within a port or two away from it that the toner was clearly picking up the same signal from as well. Is this normal? Or is there cross-talk going on?



Any feedback on paloalto's pan-os "native sd-wan" ?

As the title says, I'm interested to hear if anyone has got to try or use this feature.

We are looking at moving the HQ site from MPLS to SD-WAN. We have been unable to get information on Palo's SD-WAN option, even from the reseller.

Since we are already using some PA devices at other sites, it would avoid the need for training on another brand. But since I was unable to find much information on it, I'm asking here before completely dropping the idea.



Equinix cloud connect - Has anyone ever used it?

Recently our management jumped on the train to get into Equinix Cloud Connect, but nobody really understands it. Doesn't seem to be a ton of info available on the web on how these work...

The main question is: how do they get away with charging only 500 dollars a month for a 10Gb path to Azure/AWS/GCI/etc? Do we buy their cloud exchange and then have to buy the ExpressRoute/Direct Connect on top of it and provision it to their system? Or do we get that bandwidth just from paying their monthly fee?

On top of that how is routing handled? Do we peer directly with the carriers or do we peer through the exchange like we would for a megaport?

Thanks for any info or experiences people have. Just a bit worried since management seems to be getting sold this but we can't really find any technical info on the routing or other connectivity requirements =/.



Alcatel OmniSwitch 9702; Stuck in Certified Mode

Trying to update the AOS on this OmniSwitch 9702. I've tftp'd the files onto the /flash/working/ directory and am now unable to copy those files from the working directory to the certified directory. I seem to be stuck in certified mode.

reload working no rollback-timeout
-With this command; the switch reboots but doesn't boot from the working directory.

copy working certified
-Command doesn't work since I am in stuck in certified mode
--"ERROR: Invalid request, CERTIFY requested while running on certified"

write memory
-Unable to use due to directory
--"ERROR: Write memory is not permitted when switch is running in certified mode"

Modify
-The only available syntax after this command is "boot parameters"

How do I switch the running directory to "working" rather than "certified"?

Unable to post configs but can provide as much info as needed:

Current AOS version: 6.4.3.520.R01
Upgrade to: 6.4.3.884.R01

show running-directory:
Running CMM: Primary
CMM Mode: Mono CMM
Current CMM Slot: A
Running configuration: Certified
Certify/Restore Status: Certify needed

So, the question is, how do I change the running configuration to Certified?



Looking for a network tester

Years ago I bought a RJ45 Network Connection Tester. It was a very basic tester that when you plugged it in, an LED lit up showing there was connectivity on either 10, 100, or 1000.

I have been unable to find another like it. It was just a plastic handle about 1-2 inches long with a RJ45 male connector.

Anyone know where that could be purchased? Every time I search, I keep getting results for the larger high-end testers.



Confusing port channel configurations

I recently started working at a new company and have started off by documenting their already existing network. I've discovered something I've never seen before and my google-fu is failing me. In several spots on the network, there are switches connected together by multiple physical connections. On switch-1, each interface is configured as an L3 interface with an IP and a significant amount of IP PIM configs for multicast addresses. On Switch-2, they are configured to be a part of a port-channel with incongruent IP addresses. (see linked picture for a visual example, I've changed the IP addresses for privacy)

https://i.imgur.com/DmhcVVy.png

I have a good grasp of how multicast works, but it isn't something that I have had a lot of practical experience with. However, this configuration just seems incorrect to me, and I can't for the life of me understand why it was done this way, or even how it is working correctly. If anyone has any ideas, I'd love to hear them.