Saturday, August 7, 2021

Firewall Sizing Guide/Tool

Good Day,
I am new here, but I have been in networking for the past 12 years, most of them as a consultant. One of the questions many people ask is "how do I size my firewall?" I created a sizing tool and provided some recommendations for choosing the right firewall. Let me know what you guys think about it. Would it add value to people? Would you have added any other considerations?
NGFW Firewall sizing guide - Awesome Networking



What way did you teach yourself to memorize the OSI model?

Mine was All People Seem To Need Data Processing

What was yours?



Career Doubt

Hey. At work, I've been given an option to upskill in SD-WAN and pick up SD-WAN work.

I'm interested in SD-WAN, but I'm more interested in traditional routing and switching.

I am relatively very early in my career. I want to take a step which will benefit me in future.

If going with SD-WAN will be beneficial for my career, I'll go with it.

Please put your thoughts and opinions forward.



TLS proxy: Pros and cons of SW based solution vs dedicated device.

Hi there,

I was not sure if I should post this in the cybersecurity group or here, as security is involved. I would be happy to read your advice about a setup.

Sorry if you think this is not the right place for this post.

We have a bunch of devices at the field level that will send data to the cloud by means of HTTPS connections with X.509 based authentication. Only outgoing communication from the field level firewalls to external networks is allowed.

Due to company regulations there cannot be a direct connection between the field level and internet, so we are going to send the data first to a DMZ, where a TLS proxy will forward the data to the cloud.

The thing is that we cannot decide yet which TLS proxy solution would be the cleanest in terms of performance and security.

On one hand we thought about a software-based TLS proxy installed on one of our servers, either as a native application or as a container. It is the cheapest option, but the proxy is only as secure from threats as the server is, and we don't know how adding more software will affect the stability of our server.

On the other hand, we have been offered one of these "IoT gateways". They act as a broker, being an HTTPS server on the side facing the field level and an HTTPS client on the side facing our internet firewall. The box has a simple, closed proprietary OS. The initial investment is higher, but it looks more secure, as it is a dedicated box and its hardening looks simpler.

I look forward to seeing your views about both options.
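Whichever box ends up in the DMZ, the two TLS policies it has to enforce are the same, and they are worth writing down before comparing products. The block below is an added example, not code from the post or from any vendor: it builds the two `ssl.SSLContext` objects a terminating proxy needs (the listener the field devices authenticate to with their X.509 certificates, and the outbound leg that verifies the cloud endpoint and presents the proxy's own client certificate), an `audit_context` check that flags the usual shortcuts, and a helper that picks the device identity out of the verified peer certificate so the proxy can forward it. File paths, hostnames and the sample certificate dict are placeholders. One design caveat the post does not mention: once the DMZ box terminates TLS, the cloud no longer sees the device's certificate, only the proxy's, so device identity has to be carried by the proxy (or you use a pure TCP/SNI passthrough and keep the TLS session end to end).

```python
"""Added example for the TLS-proxy question above; not code from the post.
Two ssl.SSLContext objects for a terminating proxy in the DMZ: one facing the
field devices (mutual TLS, device CA only) and one facing the cloud (verify the
cloud endpoint, present the proxy's own client certificate). File paths are
placeholders; nothing is loaded from disk unless a path is given."""
import ssl

# Assumed locations (placeholders, not from the post).
FIELD_DEVICE_CA = "/etc/tlsproxy/field-device-ca.pem"
PROXY_CLOUD_CERT = "/etc/tlsproxy/proxy-client.pem"
PROXY_CLOUD_KEY = "/etc/tlsproxy/proxy-client.key"


def field_side_context(ca_file=None, server_cert=None, server_key=None):
    """Listener towards the field network: the device must present a certificate
    chaining to the device CA; the system trust store is deliberately not used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # a server context defaults to CERT_NONE
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if server_cert:
        ctx.load_cert_chain(server_cert, server_key)
    return ctx


def cloud_side_context(client_cert=None, client_key=None):
    """Outbound leg to the cloud: default verification (system CA store plus
    hostname match), TLS 1.2 or newer, and the proxy's own client certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def insecure_cloud_context():
    """The shortcut that turns the proxy into an interception target; shown
    only so the audit below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx, role):
    """Return the policy problems in a context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(f"{role}: peer certificate not required")
    if role == "client" and not ctx.check_hostname:
        findings.append("client: hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"{role}: TLS older than 1.2 allowed")
    return findings


def device_identity(peer_cert):
    """Choose the identity to forward to the cloud from the dict that
    SSLSocket.getpeercert() returns: prefer a DNS SAN, fall back to the CN."""
    for kind, value in peer_cert.get("subjectAltName", ()):
        if kind == "DNS":
            return value
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


# Constructed peer-certificate dict in the shape getpeercert() returns.
SAMPLE_PEER_CERT = {
    "subject": ((("organizationName", "Example Field Ops"),),
                (("commonName", "sensor-0042"),)),
    "subjectAltName": (("DNS", "sensor-0042.field.example"),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
```

Run `audit_context` against whatever the vendor box or the software proxy actually negotiates (an `openssl s_client` against each leg gives you the same facts) before deciding which option is "more secure"; the hardening question is mostly whether these two policies hold and whether the device identity survives the hop.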



What protocol/software do ISPs use to enforce fair usage policies

I was just wondering how ISPs monitor how much bandwidth each customer uses and how they enforce fair usage policies, i.e. when a customer uses x amount of bandwidth, reduce his available bandwidth by 50%. Do they have SNMP running on the router they install, informing them of bandwidth utilisation?



Assignment of IP addresses - best practice

Hi everyone,

I'm just working on a networking assignment (I hope this question is OK). I've been given an IP address of 100.1.1.0/24. I've completed my subnetting and only have a layer 2 switch, 1 x PC and 1 x router to assign the addresses to.

I've asked my lecturer but he hasn't been responding to forum posts or emails. I was hoping someone may be able to point me in the right direction for the best practice of assigning the IP addresses. Do we assign the first IP address, second IP address and third IP address in that order, or would you assign the last and second-last assignable addresses to the switch and router, so that when you onboard more PCs they can have sequential IP addresses?

Thanks in advance!



Earn $170-$200 for quiz and packet tracer lab

I need a quiz and packet tracer lab done ASAP.

You will get paid:

Quiz (20 multiple choice questions) - $90

Cisco packet tracer lab - $80

Prices are negotiable but $200 is the limit.

To see if you’re legit, I will need to test your knowledge with 3-5 practice questions.

DM me if you're interested.



Friday, August 6, 2021

Multiple static IP routing and port forwarding them all to the same ports.

Hi y'all, I have 13 static IPs I purchased from my ISP (Spectrum Biz). I also have a switch, the Netgear Business GS108Tv3; I have verified that it is a layer 3 switch that is capable of IP routing. My ISP is Spectrum and I am using their provided router, which has all 13 IPs loaded up inside by the tech. I have my 4 devices plugged into the switch, which is plugged into a single Ethernet port on the back of the router.

Now I have port forwarded all my devices to the port, let's say "1248", and have assigned each external address section in the add-rule section a different static IP. So far I have assigned 4 different static IPs to 4 of my devices and port forwarded all of them. THE PROBLEM IS ports show open when I use a port checker, but my devices are not being affected accordingly. What could this be from? Any help would be greatly appreciated.



Network Architecture for a Manufacturing plant

There is this task given to me of designing the LAN of a location outside a city, to be connected over an MPLS cloud link.

  1. A Cisco 1900 series router is there for routing purposes.

Only LAN components are being changed.

I wanted to implement 2 L3 switches stacked as master/slave and then connect the L2 switches to them. Connectivity has to be provided to three other buildings from the main Admin building; we are planning OFC lines for them.

My question is: is there any advantage to implementing L3 switches at the location? There will be 180-200 data points all over the location. I am trying to implement 2 VLANs for the two floors of the Admin Building; all the other buildings will share the ground floor VLAN.

Can anyone provide insight on whether it is advantageous this way, or whether I should go with all L2 switches? Is there any better method to implement a location of this type?



How do multi-national ISPs break up their address space?

I'm curious to know how large, multi-national ISPs break up their address space between infrastructure subnets, loopbacks, and customer address space. I imagine they would have separate IP allocations for each region? (I.E. Different supernets for North America, South America, Europe, etc). How do they handle summarization, and where do they summarize at?



Are there two classes of CAT6A? Two distinct price points.

Hi everybody, I'm Dr. Nick!

I'm looking at a quote from a contractor to install, terminate, and certify a CAT6A installation and was flabbergasted by the price. While trying to determine the cost per hour billed and the markup on products, I found some very expensive cabling in there, which led me to discover that there are two distinct price ranges for CAT6A 1000' spools: the $500-ish range and the $1000-ish range (USD). Why is there such a discrepancy when the specs of the cables appear to be the same?

The Monoprice, Amazon, Cables Direct cable vs the Panduit, Commscope, General Cable brands.

Is this because I want each run certified to CAT6A standards, or because Graybar has outrageous pricing but integrates with quoting software/billing systems?



Capture specific bytes only using tcpdump?

Hi,

I am using the following command to capture UDP Packets being received

tcpdump -Xnpi eth0 port 16000

Which outputs something along the likes of this:

0x0000: 4500 0025 425e ..........

0x0010: 0000 0000 0000 ..........

0x0020: 0000 1111 0000 ..........

I ultimately want to log my payload to a CSV file. Let's say I want to log the 1111 to this CSV, which happens to be the 34th and 35th bytes. I am unsure whether it is possible to only look at these specific bytes. How do I focus on specific bytes to log, or view?
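The two-step version of what the post asks for, as an added example rather than code from the post: parse tcpdump's `-X` hex dump back into raw packets, then slice the bytes you care about, either at the absolute offset the post counts (34-35) or at the same position relative to the UDP payload so IP options cannot shift it, and write them to CSV. The capture text is constructed to match the layout in the post (IPv4 header at offset 0x0000, UDP to port 16000); the function names are mine.

```python
"""Extract specific bytes from "tcpdump -X" output and log them to CSV.
Added example, not from the original post. Assumes tcpdump's -X layout
("0x0020:  0000 1111 ...  ascii") with offset 0 at the IPv4 header."""
import csv
import io
import re

# Constructed sample of "tcpdump -Xnpi eth0 port 16000" output (two packets).
# Not a real capture; addresses are documentation addresses.
SAMPLE_DUMP = """\
12:00:00.000001 IP 192.0.2.10.40000 > 192.0.2.20.16000: UDP, length 9
\t0x0000:  4500 0025 425e 0000 4011 0000 c000 020a  E..%B^..@.......
\t0x0010:  c000 0214 9c40 3e80 0011 0000 0000 0000  .....@>.........
\t0x0020:  0000 1111 aa                             .....
12:00:00.000002 IP 192.0.2.10.40000 > 192.0.2.20.16000: UDP, length 9
\t0x0000:  4500 0025 425f 0000 4011 0000 c000 020a  E..%B_..@.......
\t0x0010:  c000 0214 9c40 3e80 0011 0000 0000 0000  .....@>.........
\t0x0020:  0000 2222 bb                             ..\"\".
"""

HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s+(.*)$")


def parse_hexdump(text):
    """Return one bytes object per packet from tcpdump -X text."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue                      # summary lines carry no hex
        offset = int(m.group(1), 16)
        if offset == 0 and current:       # a new 0x0000 line starts the next packet
            packets.append(bytes(current))
            current = bytearray()
        if offset != len(current):
            raise ValueError(f"gap in dump at offset {offset:#06x}")
        hex_part = m.group(2).split("  ")[0]   # hex groups end at the double space
        current += bytes.fromhex(hex_part.replace(" ", ""))
    if current:
        packets.append(bytes(current))
    return packets


def field_at(packet, start, length):
    """Absolute slice, e.g. field_at(p, 34, 2) for the post's bytes 34-35."""
    return packet[start:start + length]


def udp_payload(packet):
    """UDP payload of an IPv4 packet; honours IHL so IP options cannot shift it."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("not a UDP packet")
    udp_len = int.from_bytes(packet[ihl + 4:ihl + 6], "big")
    return packet[ihl + 8:ihl + udp_len]


def dump_to_csv(text, start, length):
    """One CSV row per packet: index, offset, the bytes as hex, and as a
    big-endian integer. Returns the CSV text."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["packet", "offset", "hex", "value"])
    for i, pkt in enumerate(parse_hexdump(text)):
        field = field_at(pkt, start, length)
        writer.writerow([i, start, field.hex(), int.from_bytes(field, "big")])
    return out.getvalue()
```

tcpdump can also do the selection itself with a byte-offset filter, for instance `tcpdump -Xnpi eth0 port 16000 and 'udp[14:2] = 0x1111'`: `udp[N:M]` counts from the start of the UDP header, so packet bytes 34-35 are `udp[14:2]` when the IP header has no options, and `ip[34:2]` addresses them from the IP header instead. That filters on the bytes; writing them out still needs something like the parser above.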



NEMT business start-up

Please help me to start a non-medical transportation business in Florida.



Network Diagrams

Can someone please share with me what they feel is the best way to represent a trunk port on a diagram of a network? I've been looking around and there seems to be no set standard or common industry practice other than obviously labeling it.



Software to create network documentation

Does anyone know of software that allows creating network diagrams with the following requisites?
- Support for routers, switches and tunnels
- Possibly interactive, to see which VLANs are on which port, and the IP addresses
- Open source
- Preferably based on text code instead of dragging things around



Do All Networking Jobs Require Standing?

Chronic knee issues are limiting me to desk jobs sitting in front of a computer but interested in pursuing a career in Networking.



Need the name of the Networking Cable label and management ebook.

I'm not sure if this is the right place to post this.

It was about 2-3 years ago that I went through an ebook with guides that show how to properly label and manage cables based on some standard. It was a good book. The sad news is that I don't remember the name of the ebook. The only thing I remember about the book is that whenever I open it in Adobe Reader, there are three to four cables animated on the first page. Please help me with the name of the ebook.



FCC Reimbursement Program

I keep seeing updates regarding the FCC reimbursement program for replacement of covered equipment from vendors such as Huawei and ZTE. But my question is.. do the majority of US operators still run equipment from these vendors? I feel like the majority of the operators I have spoken to have already replaced their hardware.



Migrating from Cisco ASA5515 to 5545, Checklist? Gotchas? Lessons learned?

Will be migrating this weekend from the ASA5515 to the ASA5545. The current setup is hub/spoke; the entire organization runs to our DC for INET THROUGH the FW, which is configured as an HA pair with a few IPSec tunnels, AnyConnect VPN and a DMZ.

The new setup will be identical. I have already pasted the config file to the new FW and configured the appropriate interfaces.

This will be our second attempt, since the first one failed and we reverted. On the first attempt the IPSec tunnels came up immediately; however, there were issues accessing through AnyConnect, as it was sporadic: when testers connected, some could not access applications on the DMZ, and when they could connect, accessibility to our intranet and corporate web page was sporadic, as it was to some applications. At first we thought it was a DNS issue; we use internal DNS servers, forwarding to Akamai. We changed the DNS IPs to an external DNS (Google DNS) and it was still not working.

I cleared the ARP cache of the downstream and upstream switches, but we could not get users to reliably access DMZ applications, which is strange because the config is identical to what's already working.

Is there a migration checklist that doesn't detail the obvious, like check that the OS is identical to before, the ASDM version should match, make sure your Firepower version is the same, etc.? Something like a list of 'gotchas' to be on the lookout for, like the ARP cache, or anything I haven't thought of? Or if anyone has gone through this, what 'lessons learned' did you experience?

   ISP1                ISP2
     |                   |
     |                   |
    R1-------HSRP-------R2
     |                   |
     |                   |
  FWSwitch           FWSwitch
     |                   |
     |                   |
    FW1--------HA-------FW2
     |                   |
     |                   |
  DMZSwitch          DMZSwitch



Fibre patching at the DC. Do we need to upgrade to OM5?

Hello,

I have suggested to my manager to budget for new OM5 fibres in our main DC because the current OM3 connectors cannot do more than 10G/pair. As far as my understanding goes, they can support up to 100G, but with the help of MPO connectors.

Our DC is around 15 racks and will be reduced to 10 by the end of the year. It was built over a decade ago, with both copper and fibre patching, most of it terminating in a "patch panel rack".

Since most of the copper connections are OoB management now, and 10G is the "new minimum requirement", is it worth running a new fibre patch panel between the core racks, or are there cheaper alternatives?



Need some help with Dual Wan setup

My buddy owns a local business and currently has a dual-ISP configuration, but he has to plug and unplug equipment when ISP1 is having issues to get ISP2 running, so we're trying to simplify things. The main setup is Xfinity modem -> router -> 24-port switch. We were going to implement a dual-WAN solution where ISP2 kicks in when ISP1 is down. I'm aware of how to set that up under settings, but I'm trying to get help with the wiring configuration. Is there a way to configure things so that both ISPs utilize the same wireless router, so there's no need to have a separate router for ISP2? Again, ISP2 is simply a failsafe and won't be used unless ISP1 is down. Thanks for any help.



How to prove Netmiko library is safe to use from security standpoint

Hi Guys,

The infosec team is nervous about me using the Netmiko Python library because they know nothing about it and are concerned from a security viewpoint, as it will be connecting to switches/firewalls to run Python scripts. I need to show them it is safe to use. Does anyone know how the Netmiko library is audited, and whether it has a stamp of approval from a well-known authority for use in live environments?

I need to demonstrate to them somehow that the library is safe to use, and that it's OK for me to connect to network devices with it and type my credentials into it, etc.

Thanks
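No "stamp of approval" substitutes for controlling which bytes you run, and the check an infosec team can actually verify is artifact pinning: install exactly the release you reviewed, by hash, in the format `pip install --require-hashes` enforces. The block below is an added example and is not Netmiko's code; it does not import Netmiko, and the version number, the package bytes and the digest are constructed so it runs offline. For a real release the digests come from `pip download netmiko==<version> --no-deps` followed by `pip hash <wheel>` (or the hashes published on PyPI), recorded once at review time.

```python
"""Added example, not from the post: hash-pinned requirements parsing and
artifact verification, the check pip performs with --require-hashes."""
import hashlib
import re

# Constructed stand-ins for a downloaded wheel and a tampered copy of it.
GOOD_ARTIFACT = b"netmiko-wheel-bytes (constructed sample, not a real wheel)\n"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\x00extra"

# Hash-pinned requirements text in pip's format. The sha256 is computed from the
# sample bytes above so the example is self-contained; version numbers are
# illustrative, not a recommendation.
PINNED_REQUIREMENTS = (
    "netmiko==4.2.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}\n"
    "paramiko==3.4.0   # no --hash: pip --require-hashes refuses this line\n"
)

REQUIREMENT = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\#]+)")
HASH_OPTION = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


def parse_pins(text):
    """{package: (version, {algorithm: {hexdigest, ...}})}, with backslash
    line continuations joined and comments stripped."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0]
        m = REQUIREMENT.match(line)
        if not m:
            continue
        hashes = {}
        for algo, digest in HASH_OPTION.findall(line):
            hashes.setdefault(algo, set()).add(digest.lower())
        pins[m.group(1).lower()] = (m.group(2), hashes)
    return pins


def verify_artifact(package, data, pins):
    """True only when the artifact's digest matches a pinned hash for that
    package. Unpinned packages and pins without hashes are refused, as pip does."""
    entry = pins.get(package.lower())
    if not entry or not entry[1]:
        return False
    _, hashes = entry
    return any(hashlib.new(algo, data).hexdigest() in digests
               for algo, digests in hashes.items())
```

Pinning proves you are running the reviewed artifact and nothing else; it says nothing about what that artifact does, so the review itself (reading the release, checking its transitive dependencies, and keeping device credentials out of the scripts and in a secrets store the library reads at run time) is still the part the infosec team has to sign off on.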



Regarding RADIUS/TACACS servers, do you lock down clients (i.e. routers and switches) by IP addressing and specific or shared keys?

Seeing this at my new job: every network device is configured with specific RADIUS servers for authentication/accounting; however, some devices have unique shared keys, and each switch or device has to be statically defined as a client in the NPS server. My previous job did that for wireless controllers, but for IOS devices they all just worked with the same templated config. How are other industries doing this? Ideally, I want to get to an automated config deployment, and while this can certainly be a variable, it just seems cumbersome to get another team involved in every switch addition/removal. I really can't even change RADIUS source interfaces if I needed to without a ticket to the NPS team. What would you consider best practice on this?
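The "it can be a variable" option, worked through as an added example (not code from the post): each device gets its own random RADIUS secret, an IOS stanza that pins the RADIUS source interface, and one row for the NPS client list keyed to that source address. NPS identifies a client by source IP before it checks the secret, so the per-device key is what limits a leaked switch config to that one switch. Hostnames, addresses and interface names are made up; the IOS commands are the standard `radius server` / `aaa group server radius` form from IOS 15.x.

```python
"""Added example, not from the post: per-device RADIUS secrets generated as
part of a templated deployment, plus the matching NPS client list."""
import csv
import io
import ipaddress
import secrets
import string

NPS_SERVERS = ["10.20.0.5", "10.20.0.6"]                 # assumed NPS addresses
SECRET_ALPHABET = string.ascii_letters + string.digits   # safe in IOS "key" and NPS

# Constructed inventory. mgmt_ip must be the address of source_if, because that
# is the source NPS will see and match the client entry against.
INVENTORY = [
    {"name": "sw-core-01", "mgmt_ip": "10.10.0.1", "source_if": "Loopback0"},
    {"name": "sw-access-07", "mgmt_ip": "10.10.7.2", "source_if": "Vlan10"},
]


def new_secret(length=32):
    """Cryptographically random per-device shared secret."""
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


def render_ios(device, secret, servers=NPS_SERVERS):
    """IOS RADIUS stanza with a per-device key and a fixed source interface."""
    ipaddress.ip_address(device["mgmt_ip"])  # fail early on a bad inventory row
    lines = [f"! {device['name']}", "aaa new-model"]
    for i, srv in enumerate(servers, 1):
        lines += [f"radius server NPS{i}",
                  f" address ipv4 {srv} auth-port 1812 acct-port 1813",
                  f" key {secret}"]
    lines.append("aaa group server radius NPS-GROUP")
    lines += [f" server name NPS{i}" for i in range(1, len(servers) + 1)]
    lines += [f"ip radius source-interface {device['source_if']}",
              "aaa authentication login default group NPS-GROUP local",
              "aaa authorization exec default group NPS-GROUP local",
              "aaa accounting exec default start-stop group NPS-GROUP"]
    return "\n".join(lines) + "\n"


def build(inventory=INVENTORY):
    """Return ({hostname: IOS config}, CSV text for the NPS client list)."""
    configs = {}
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["client_name", "address", "shared_secret"])
    for dev in inventory:
        secret = new_secret()
        configs[dev["name"]] = render_ios(dev, secret)
        writer.writerow([dev["name"], dev["mgmt_ip"], secret])
    return configs, out.getvalue()


def secrets_by_device(nps_csv):
    """Read the client list back, e.g. to diff against what NPS has loaded."""
    return {row["client_name"]: row["shared_secret"]
            for row in csv.DictReader(io.StringIO(nps_csv))}
```

The CSV is the hand-off to the NPS team (or the input to whatever scripts their side of the change), and the secret never appears anywhere except the device config and that list; the IOS side is what your automation pushes. A source-interface change then only requires updating the address column for that device, not a new key.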



Port 135 (Remote Procedure Call/RPC)

I have a question regarding port 135. I did a netstat scan on my laptop today and found this:

TCP 0.0.0.0:135 CTC2-###-#####:0 LISTENING

So I looked up this port "135" and I found that it is "used in client/server applications (might be on a single machine) such as Exchange clients, the recently exploited messenger service, as well as other Windows NT/2K/XP software."

But I'm kinda confused on what this means. What is the purpose and services this port is supposed to provide? Such as how SMTP is used for email services, HTTP is used for webpage services, and RTMP is used for streaming services. What is the service Remote Procedure Call (RPC) is trying to provide?



Is a /24 still the smallest you can advertise via BGP to ISPs? I'm hearing differently but always thought that was the rule of thumb.

Recently a VAR mentioned redundancy between sites by splitting our public /24 into two /25s and advertising them from one site while advertising the /24 from the other, instead of using AS prepending. I specifically remember being told by ISPs that they wouldn't accept anything smaller than a /24. Is this no longer the case?



Does anyone have any experience with setting up NAT64 and/or DNS64

At the place where I work, we want to deploy IPv6 onto our existing IPv4 network. Are there any gotchas or tips and tricks? Any advice would help.
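The mapping NAT64 and DNS64 rely on is small enough to write down, and doing so makes the usual gotchas concrete: DNS64 only synthesizes when a name has no real AAAA, the well-known prefix must not carry RFC 1918 addresses (so a site translating to private IPv4 needs its own /96), and the translator only touches traffic destined to the prefix. The block below is an added example, not from the post; it implements the RFC 6052 /96 embedding and the RFC 6147 synthesis rule with the standard library. The site-specific prefix is made up.

```python
"""Added example, not from the post: the address mapping behind NAT64/DNS64
(RFC 6052 /96 embedding, RFC 6147 synthesis rule)."""
import ipaddress

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")   # RFC 6052 WKP
SITE_PREFIX = ipaddress.IPv6Network("2001:db8:64::/96")      # constructed NSP
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in a /96 NAT64 prefix (RFC 6052 section 2.2)."""
    v4 = ipaddress.IPv4Address(ipv4)
    if prefix.prefixlen != 96:
        raise ValueError("this helper handles /96 prefixes only")
    if prefix == WELL_KNOWN_PREFIX and any(v4 in n for n in RFC1918):
        # RFC 6052 section 3.1: the WKP must not represent non-global IPv4.
        raise ValueError("use a network-specific prefix for RFC 1918 space")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Reverse mapping the translator performs; None if not inside the prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


def dns64_answer(a_records, aaaa_records, prefix=WELL_KNOWN_PREFIX):
    """DNS64 synthesizes only when the name has no real AAAA (RFC 6147)."""
    if aaaa_records:
        return [ipaddress.IPv6Address(a) for a in aaaa_records]
    return [synthesize_aaaa(a, prefix) for a in a_records]


def needs_nat64(dst_ipv6, prefix=WELL_KNOWN_PREFIX):
    """Translator decision: only traffic to the prefix is translated."""
    return ipaddress.IPv6Address(dst_ipv6) in prefix
```

Two consequences to plan for that follow directly from the code: a client that validates DNSSEC itself will reject synthesized AAAA records (the resolver is fabricating them), and anything that connects to an IPv4 literal never asks DNS and so never gets a prefix address; those hosts need 464XLAT or a dual-stack path rather than DNS64.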



Setting up LTE failover with D-Link DIR853 router

Hello, I currently have a D-Link DIR-853 router and 600 Mbps/100 Mbps fibre coming from my ISP. I was wondering if this router is capable of failover/fallback using an LTE modem. I know the LTE modem works when connected to the USB port on the router, but can it be set to auto failover/fallback as well?



STP topology change causing link outage

Hopefully this is within the rules, as this is my home setup. However, the people over at /r/homenetworking could not help, and suggested I post here.

I am fairly competent in networking, I like to think; however, I don't fully understand spanning tree, but I've never had a problem with it, until now.

My setup consists of a Dell X1052P (which honestly sucks), and then I have a 10G trunk over to my garage, which has a Cisco 2960S.

Recently I built a new box, and it has a Mellanox ConnectX-4 SFP28 25G NIC in it, which I'm running at 10G with an SFP+ transceiver. It's plugged into the Dell switch and has nothing to do with the Cisco switch.

When this system gets a link, it causes an STP topology change and the trunk port between the Dell switch and the Cisco switch goes down for 30-40 seconds. And when the link goes down, the same thing happens! It's irrelevant to TrueNAS; it happens during boot before TrueNAS even gets involved.

There are no other issues with connectivity on the Dell switch, which is odd to me.

I had to shut the box down to add a PSU, so I fired up Wireshark on my desktop just in case I saw anything. And all I can see is this. The MAC listed on that STP packet is, I believe, the second switch. 10.0.0.11 is the NAS with the NIC in question.

Does this seem to show that my second switch is for some reason grabbing the root bridge?

https://i.imgur.com/1SvmQm1.png

It's worth noting that the port config for the NAS is just an access port. Nothing fancy.

Any ideas? This has me completely stuck.
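The BPDUs in a capture like the one in the post answer the root-bridge question directly: every configuration/RST BPDU carries the root bridge ID the sender believes in and the sender's own bridge ID, and the sender is claiming root when the two are equal with a path cost of 0. A topology-change flag by itself only flushes MAC tables; a link that is unavailable for 30-40 seconds is the length of the listening and learning states (two forward-delay timers of 15 s), which points at a port role being recomputed rather than at the TC itself, and an access port that is not configured as an edge/PortFast port generates a topology change every time the host's link flaps. The decoder below is an added example, not from the post: it parses constructed BPDU bytes (the part after the 802.2 LLC header `42 42 03`; the MAC addresses are made up) and reports which advertised root would win.

```python
"""Added example, not from the post: decode 802.1D/802.1w BPDUs and compare
root claims. Input is the BPDU after the LLC header (42 42 03)."""
import struct

# Constructed sample BPDUs; MAC addresses are made up.
CONFIG_BPDU = bytes.fromhex(
    "0000" "00" "00" "01"          # protocol 0, version 0 (STP), type 0 (config), flags: TC
    "8000" "0011223344aa"          # root bridge ID: priority 32768, sys-id-ext 0, MAC
    "00000000"                     # root path cost
    "8000" "0011223344aa"          # sender bridge ID (equal to root: sender is root)
    "8001"                         # port ID
    "0000" "1400" "0200" "0f00"    # msg age 0, max age 20 s, hello 2 s, fwd delay 15 s
)
RST_BPDU = bytes.fromhex(
    "0000" "02" "02" "3c"          # version 2 (RSTP), type 2 (RST), flags: designated/learning/forwarding
    "8000" "00aabbccdd01" "00000000" "8000" "00aabbccdd01" "8003"
    "0000" "1400" "0200" "0f00"
    "00"                           # version 1 length (always 0 in an RST BPDU)
)
TCN_BPDU = bytes.fromhex("0000" "00" "80")   # legacy topology change notification


def parse_bridge_id(raw):
    """Split an 8-byte bridge ID into (priority, system-ID extension, MAC)."""
    field = int.from_bytes(raw[:2], "big")
    return field & 0xF000, field & 0x0FFF, ":".join(f"{b:02x}" for b in raw[2:8])


def parse_bpdu(data):
    proto, version, btype = struct.unpack_from("!HBB", data, 0)
    if proto != 0:
        raise ValueError("not an IEEE STP BPDU")
    if btype == 0x80:
        return {"type": "TCN", "version": version}
    if btype not in (0x00, 0x02) or len(data) < 35:
        raise ValueError(f"unsupported BPDU type {btype:#x} or truncated BPDU")
    flags = data[4]
    root_prio, root_ext, root_mac = parse_bridge_id(data[5:13])
    (cost,) = struct.unpack_from("!I", data, 13)
    br_prio, br_ext, br_mac = parse_bridge_id(data[17:25])
    port_id, msg_age, max_age, hello, fwd = struct.unpack_from("!HHHHH", data, 25)
    return {
        "type": "RST" if btype == 0x02 else "Config",
        "version": version,
        "tc": bool(flags & 0x01),                 # topology change
        "tca": bool(flags & 0x80),                # topology change acknowledgement
        "root_id": int.from_bytes(data[5:13], "big"),
        "root": (root_prio, root_ext, root_mac),
        "root_path_cost": cost,
        "bridge_id": int.from_bytes(data[17:25], "big"),
        "bridge": (br_prio, br_ext, br_mac),
        "sender_is_root": data[5:13] == data[17:25] and cost == 0,
        "port_id": port_id,
        "timers_s": {"message_age": msg_age / 256, "max_age": max_age / 256,
                     "hello": hello / 256, "forward_delay": fwd / 256},
    }


def winning_root(*bpdus):
    """Lowest advertised root bridge ID (priority, then MAC): the bridge that
    should end up root if every one of these BPDUs is heard."""
    return min(b["root_id"] for b in bpdus if b["type"] != "TCN")
```

Decode the BPDU from the screenshot the same way: if `bridge` on the Cisco's BPDUs equals `root` with cost 0 while the Dell advertises a different root, the two switches disagree and the trunk is being recomputed on every change. Whichever way that turns out, the NAS port should be an edge/PortFast port so that its link state stops generating topology changes, and the intended root should carry an explicitly lower priority on both switches' view of the world.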



Newbie here. Does a LAN IPv4 address change every once in a while, like the WAN address, or does it stay the same as long as you're connected to the same router?

Thanks in advance.



Thursday, August 5, 2021

HPE 5500 HI (JG542A) DHCP Server config

Comware Software, Version 5.20.99, Release 5501P36

Trying to configure the switch as a DHCP server for its VLANs. I have tried many things, but I can't seem to make it work. Here is what I have:

# note: no global "dhcp enable" (system view) appears in this excerpt; on Comware 5 the DHCP server does not answer until it is enabled
#
vlan 101
 name LAN 10e
#
vlan 102
 name VoIP-102
#
dhcp server ip-pool 101 extended
 network ip range 172.16.101.17 172.16.101.224
 network mask 255.255.255.0
 gateway-list 172.16.101.1
 dns-list 172.16.16.1
 domain-name ingt.local
 expired day 3
#
dhcp server ip-pool 102 extended
 network ip range 172.16.102.17 172.16.102.224
 network mask 255.255.255.0
 gateway-list 172.16.102.1
 dns-list 172.16.102.1
 domain-name ingt.local
 expired day 3
#
interface Vlan-interface101
 ip address 172.16.101.1 255.255.255.0
 dhcp server apply ip-pool 101
#
interface Vlan-interface102
 ip address 172.16.102.1 255.255.255.0
 dhcp server apply ip-pool 102
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 description User Port
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 101 to 102
 port trunk pvid vlan 101
 undo voice vlan mode auto
 voice vlan 102 enable
 broadcast-suppression pps 3000
 undo jumboframe enable
 poe enable
 stp edged-port enable
 lldp compliance admin-status cdp txrx
 qos trust dscp

Does somebody see something wrong in this? It is supposed to be easy; as this is my first config with Comware, I'm starting to get a bit frustrated (I have tried for the last 1.5 hours, RTFM'd, etc.)! I'm used to Cisco, RouterOS and HP (the old one). Any help would be greatly appreciated!



IPSec tunnel followed by static route

Hello everyone.

I'm exploring the infrastructure at a new job and have a question to which I didn't find an answer from my colleagues.

So we have a standard IPSec tunnel on the firewall, with the peer described in a crypto map and the LAN subnets described in the crypto ACL. But additionally there are two static routes for these subnets, and they point to different BGP providers with different metrics. Both IPSec and the static routes have a common outgoing interface, so the static routes won't interfere with the IPSec traffic.

I guess that it is made for redundancy in case of an ISP failure, but why would you do it on a firewall? Shouldn't it be implemented on the ASBR? Is there any other purpose for such a design?

And what will happen to the traffic if IPSec goes down? Will the data be transferred unencrypted because of the static route and be dropped somewhere? For example, it won't be dropped if the LAN subnets are from the public ("white") range, but it will be dropped if they are from a private range.



Need help with business internet configuration

Hi Everyone,

I'm looking for advice on finishing our new business internet configuration. We're changing providers and no one at our small business fully understands what exactly these questions mean. We could probably go with the defaults and be fine but I'm interested in what these mean. Thank you very much!

[LINK TO SCREENSHOT]



CAT5 Cabling RJ48c/x Termination

I'm at a site for work that was wired 15 years ago. The plugs weren't fitting well in the new switch I installed, and when looking closer I didn't recognize the colour pattern for how the wires were laid out in the building's existing wiring. After looking around I found that all the CAT5 in the building was terminated with RJ48c/x type keystones and plugs.

I have never encountered a setup like this before and was wondering if it is fine to use T568B from the wall to wired endpoints if PoE is involved.

Any help on this would be great.

Thanks!



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Network Switch that will actually do 1Gb speeds?

I did my friend's network and he has some issues. Currently he has an 8-port TP-Link switch that will just not do Gb speeds as needed. He is only using about half of the switch right now. This would be nice, as there are several devices and lots of cameras, so sometimes the network can be congested.

Any recommendations, or should I just get an average run-of-the-mill 16-port Netgear for a little extra overhead?

Does not need to be managed.

Network map:

Comcast 800 Mb service > self-owned DOCSIS 3.1 modem > EdgeRouter X > some APs > switch > computers and other random stuff.

Anything before the switch, i.e. plugged into the EdgeRouter or modem, is significantly faster.



Where is IOS .bin file on Cisco 9300?

Normally I do a sh flash: and there it is....

Here is the output, any help appreciated !

Switch#sh flash:
-#- --length-- ---------date/time--------- path
2 2097152 Aug 05 2021 21:35:38.0000000000 +00:00 nvram_config
3 2097152 Aug 05 2021 21:35:38.0000000000 +00:00 nvram_config_bkup
4 17392652 Jul 09 2021 05:26:30.0000000000 +00:00 cat9k-cc_srdriver.17.03.03.SPA.pkg
5 104428552 Jul 09 2021 05:26:30.0000000000 +00:00 cat9k-espbase.17.03.03.SPA.pkg
6 2262024 Jul 09 2021 05:26:30.0000000000 +00:00 cat9k-guestshell.17.03.03.SPA.pkg
7 5124 Jul 09 2021 05:26:30.0000000000 +00:00 cat9k-lni.17.03.03.SPA.pkg
8 595178500 Jul 09 2021 05:26:30.0000000000 +00:00 cat9k-rpbase.17.03.03.SPA.pkg
9 34792456 Jul 09 2021 05:26:30.0000000000 +00:00 cat9k-sipbase.17.03.03.SPA.pkg
10 57529348 Jul 09 2021 05:26:30.0000000000 +00:00 cat9k-sipspa.17.03.03.SPA.pkg
11 28738568 Jul 09 2021 05:26:30.0000000000 +00:00 cat9k-srdriver.17.03.03.SPA.pkg
12 14427140 Jul 09 2021 05:26:30.0000000000 +00:00 cat9k-webui.17.03.03.SPA.pkg
13 9220 Jul 09 2021 05:26:30.0000000000 +00:00 cat9k-wlc.17.03.03.SPA.pkg
14 6802 Jul 09 2021 05:26:30.0000000000 +00:00 packages.conf
15 47364227 Jul 09 2021 05:26:30.0000000000 +00:00 cat9k-rpboot.17.03.03.SPA.pkg
16 4096 Aug 05 2021 21:39:16.0000000000 +00:00 .installer
17 4096 Jul 09 2021 05:28:53.0000000000 +00:00 .installer/issu_crash
18 14 Aug 05 2021 21:35:01.0000000000 +00:00 .installer/watchlist
19 259 Aug 05 2021 21:34:11.0000000000 +00:00 bootloader_evt_handle.log
20 4096 Jul 09 2021 05:37:14.0000000000 +00:00 core
21 4096 Jul 09 2021 05:28:45.0000000000 +00:00 core/modules
22 1 Aug 05 2021 22:20:33.0000000000 +00:00 core/.callhome
23 4096 Aug 05 2021 19:35:10.0000000000 +00:00 .prst_sync
24 235 Aug 05 2021 21:34:14.0000000000 +00:00 .prst_sync/log
25 20 Aug 05 2021 21:35:35.0000000000 +00:00 .prst_sync/reload_history
26 4096 Jul 09 2021 05:28:45.0000000000 +00:00 .rollback_timer
27 4096 Jul 09 2021 05:28:52.0000000000 +00:00 gs_script
28 1024 Aug 05 2021 21:34:21.0000000000 +00:00 gs_script/sss
29 12288 Aug 05 2021 21:34:21.0000000000 +00:00 gs_script/sss/lost+found
30 5242880 Aug 05 2021 21:34:51.0000000000 +00:00 ssd
31 4096 Jul 09 2021 05:28:50.0000000000 +00:00 ss_disc
32 4096 Jul 09 2021 05:28:52.0000000000 +00:00 tech_support
33 15305 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/igmp-snooping.tcl
34 1612 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/igmpsn_dump.tcl
35 13515 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/mld-snooping.tcl
36 1612 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/mldsn_dump.tcl
37 15828 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/multicast.tcl
38 7367 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/multicast_dump.tcl
39 1330 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/pkt-drop-stats-dump.tcl
40 14047 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/pkt-drop-stats.tcl
41 1365 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/platform-fabric-iid-ethernet.tcl
42 2107 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/platform-fabric-iid-ipv4.tcl
43 2109 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/platform-fabric-iid-ipv6.tcl
44 2729 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/platform-fabric-vrf-ipv4.tcl
45 2757 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/platform-fabric-vrf-ipv6.tcl
46 52363 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/platform-fabric-vrf-source.tcl
47 612 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/platform-fabric.tcl
48 1548 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/platform_evpn_vxlan.tcl
49 26175 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/port.tcl
50 3215 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/port_dump.tcl
51 18827 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/port_interface.tcl
52 8171 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/port_utils.tcl
53 15655 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/stack.tcl
54 4937 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/stackwise-virtual.tcl
55 1496 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/tech-support-confidential.tcl
56 685 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/tech-support-dump.tcl
57 38541 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/unicast.tcl
58 12653 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/unicast_dump.tcl
59 5162 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/unicast_ipv6.tcl
60 2864 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/unicast_ipv6_dump.tcl
61 336 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/utils.tcl
62 1384 Aug 05 2021 21:34:21.0000000000 +00:00 tech_support/xfsu.tcl
63 4096 Aug 05 2021 21:34:21.0000000000 +00:00 dc_profile_dir
64 251645 Aug 05 2021 21:34:21.0000000000 +00:00 dc_profile_dir/dc_default_profiles.txt
65 251645 Aug 05 2021 19:05:19.0000000000 +00:00 dc_profile_dir/dc_default_profiles.txt.bkp
66 382 Aug 05 2021 21:34:22.0000000000 +00:00 boothelper.log
67 4096 Jul 09 2021 05:28:53.0000000000 +00:00 sys_report
68 4096 Jul 09 2021 05:29:06.0000000000 +00:00 .USWAP
69 4096 Jul 09 2021 05:29:01.0000000000 +00:00 .USWAP/rp
70 4096 Jul 09 2021 05:29:06.0000000000 +00:00 .USWAP/fp
71 4096 Jul 09 2021 05:29:01.0000000000 +00:00 .CRFT
72 134458 Aug 05 2021 21:34:35.0000000000 +00:00 memleak.tcl
73 2049 Aug 05 2021 21:34:35.0000000000 +00:00 svl_ipc.tcl
74 4096 Jul 09 2021 05:29:01.0000000000 +00:00 Tbot
75 117906 Aug 05 2021 21:34:35.0000000000 +00:00 Tbot/HealthCheckDebugInfra.py
76 265373 Aug 05 2021 21:34:35.0000000000 +00:00 Tbot/L3ParseOutputs.py
77 365279 Aug 05 2021 21:34:35.0000000000 +00:00 Tbot/L3DebugInfraAPIs.py
78 155706 Aug 05 2021 21:34:35.0000000000 +00:00 Tbot/L2DebugInfraAPIs.py
79 164575 Aug 05 2021 21:34:35.0000000000 +00:00 Tbot/L2ParseOutputs.py
80 155706 Aug 05 2021 21:34:35.0000000000 +00:00 Tbot/L2DebugInfraScript.py
81 4096 Jul 09 2021 05:52:20.0000000000 +00:00 .dbpersist
82 4096 Jul 09 2021 05:52:20.0000000000 +00:00 .dbpersist/history
83 4096 Jul 09 2021 05:52:20.0000000000 +00:00 .dbpersist/DMI_STATE_DB
84 412 Jul 09 2021 05:52:20.0000000000 +00:00 .dbpersist/stats
85 13 Jul 09 2021 05:29:08.0000000000 +00:00 NVRAM
86 4096 Jul 09 2021 05:36:54.0000000000 +00:00 onep
87 4096 Jul 09 2021 05:36:54.0000000000 +00:00 onep/apps-cli
88 4096 Jul 09 2021 05:36:54.0000000000 +00:00 pnp-info
89 16976 Aug 05 2021 21:35:30.0000000000 +00:00 rdope_out.txt
90 89 Aug 05 2021 21:35:28.0000000000 +00:00 rdope.log
91 4096 Jul 09 2021 05:36:57.0000000000 +00:00 guest-share
92 0 Aug 05 2021 21:35:30.0000000000 +00:00 dope_hist
93 4096 Aug 05 2021 21:35:56.0000000000 +00:00 pnp-tech
94 14132 Aug 05 2021 21:35:56.0000000000 +00:00 pnp-tech/pnp-tech-time
95 145316 Aug 05 2021 21:35:56.0000000000 +00:00 pnp-tech/pnp-tech-discovery-summary
96 4096 Aug 05 2021 19:03:48.0000000000 +00:00 .rommon_sync
97 363 Aug 05 2021 19:03:48.0000000000 +00:00 .rommon_sync/env_var
98 1440 Jul 09 2021 05:44:34.0000000000 +00:00 2021_07_09T05_44_32.304222.xml
9832636416 bytes available (943841280 bytes used)



Windows Server 2019/2020 @ 25Gbps?

We upgraded some equipment to 25 Gbps and our Linux boxes will hit 23 Gbps all day, no tweaks. Our Windows Servers (a mix of 2019 and 2022 for pre-testing) can't seem to break 15 Gbps.

The machines are all high clock-speed Epyc Rome 2 (equivalent of Ryzen Zen 2) as well as a Ryzen Zen 3 workstation. Mellanox CX4 cards. Fiber. Using iperf3 for testing.

I don't think it's a CPU issue, as running multiple streams in parallel doesn't improve throughput; each stream just decreases, so the cumulative is 13-14 Gbps.

Does anyone have any suggestions for improving performance on Windows? I went through this way back in the day with Server 2012/2016 and 10Gbps, but have largely forgotten everything I did.

edit: disabling virtual machine queues and setting the TCP windowing to "experimental" did the trick.



Firepower 2100 - FDM: configure AnyConnect VPN access from an internal network

As the title states, I'm trying to figure out how to set up the firewall through the FDM to allow the AnyConnect clients to connect to the VPN from an internal network. I figured it was some hairpin NAT rule that I'm missing, but I've been unable to figure out what the best path forward is to get this to work. Any help would be appreciated!



Advice request: router suggestions for small start up office

hi all,

I have a small office where I am trying to improve the Wi-Fi connectivity, in particular the ability of our network to support many devices at once (>25-30 802.11ac devices). The place is fairly small (about 1000 sq. ft with tall 20 ft ceilings) without any walls. Our router is in a "loft" location at about 16 ft, within line of sight of all devices. This is our current router (https://www.linksys.com/us/wireless-routers/mesh-routers/linksys-max-stream-mesh-wifi-6-router-mr7350/p/p-mr7350/), which replaced the Comcast gateway (which is now just used as a modem).

We have a 400/100 Mbps Comcast business line. While the Wi-Fi speeds are fine, once we have lots of devices on the network things start to get bogged down, with sites taking a while to load and network performance generally dropping. We don't have any connectivity issues and signal strength is fine in the office, which leads me to believe this is just an issue with the number of devices. In addition, speed tests during peak load seem fine, but actually getting to the speed test sites gets laggy.

We're looking to upgrade our router to something that can perhaps handle this peak load without choking up. The problem is that we don't have ANY Ethernet ports anywhere in the office, so whatever we end up with has to rely on wireless connectivity.

I thought about a mesh system, but my understanding is that they only help deliver Wi-Fi access to places with a weak signal, and we don't really have a weak signal problem; we just have issues with peak load. I could be wrong about this, however.

To provide some context on our staff: we have a pretty skeleton crew (we're a start-up), so we don't have dedicated IT, but we have fairly tech-savvy folks who should be able to figure out something a bit more complex than consumer-grade plug-and-play stuff. Having said that, obviously something that doesn't require days of tinkering and maintenance would be super helpful.

Thank you!



2 nics and 2 gateways only problems

Hi

Building out an AV-Lan at a customer location.

At the site we have a Dell server for remote access & remote monitoring.
The machine has two ethernet cards. The first NIC is connected to a Meraki for the VPN connection.
The second NIC is for accessing the AV-LAN.

Both cards are set up with static IPs.

Up until now everything has been working since the second NIC had no gateway specified.
The AV-LAN was configured as an L2 network with only VLAN 1.
I've started setting up VLANs on the AV-LAN with the core switch as a layer-3 switch for inter-VLAN routing.

I have issues with the Dell server not seeing all the hosts on the AV-LAN as long as there are two gateways. If I disable the ethernet NIC for the VPN connection the machine sees all hosts across VLANs.

Any way to get around this?



Juniper IPOE static shared VLAN.

Does anyone use IPOE on juniper with shared static vlan?

I'm trying a configuration more, only connects one user at a time.



GRE tunnel from a switch to a Linux server does not work.

Arista 7060CX-32S

I set up a GRE tunnel from an Arista 7060CX-32S to a Linux server (Ubuntu 18.04, running VPP).

My end is fully configured.

I tried GRE from a Linux server to a Linux server and traffic goes through and everything is working. It doesn't work for GRE from the Arista 7060CX-32S to my Linux server.

The strangest thing is that I can't ping the other end of the tunnel. For example, the Arista 7060CX-32S end is 10.0.0.1 and my end of the tunnel is 10.0.0.2.

I can only ping 10.0.0.1 once the Arista 7060CX-32S pings 10.0.0.2; a couple of hours after the Arista 7060CX-32S stops pinging my end 10.0.0.2, I can't ping 10.0.0.1 anymore.

So yeah, I've read multiple docs and I can't find a reason for this :(



Wednesday, August 4, 2021

Is there a format for a range of IPv6 addresses?

This Wikipedia page shows address ranges for IPv4, but not for IPv6: https://en.wikipedia.org/wiki/Reserved_IP_addresses

Would the format for an IPv6 range be ::0000-::1000?

Also, what's the valid range format for --to-destination when using this example command for IPv6?

sudo iptables -t nat -A PREROUTING -s 10.10.10.10 -j DNAT --to-destination 127.0.0.1-127.0.0.10

This seems like it would throw an error.

sudo iptables -t nat -A PREROUTING -s ::1010 -j DNAT --to-destination ::0000-::1000



Single or Multiple OSPF Areas for Vlans

I'm very new to OSPF routing, and I feel like I have a decent understanding, but something is tripping me up and I'm hoping someone can chime in here to help me understand some things.

I have multiple layer 3 switches, let's say S1 and S2, that will be connected to each other. I will be routing traffic between them using OSPF. Each switch will be connected by P1 and P2. Both P1 and P2 have different VLANs and the traffic shouldn't cross for any reason. Will I need to create multiple areas (one for each port/VLAN), or would I group them in a single area (area 0) and send the traffic that way?



MST or RPVST for Small Network?

What is the consensus on RPVST+ vs MST? We are doing a network refresh with two core switches in a hybrid collapsed core and distribution design. Original plan was to use HSRP on the core switches, create two MST instances, and load balance the VLANs across those instances & core switches.

Some info:

- Environment only has some 30 VLANs tops

- Upgrading to Catalyst 9300 & 9500s

- Currently running MST only using instance 0

- Not a lot of manpower on the network side - two admins (KISS very relevant)

- Might need to run a split HP & Cisco environment during a slow rollout (might upgrade access switches first)

- Access switches will use StackWise

Some concerns:

- MST & StackWise: apparently vPC and MST don't play nice when adding a new VLAN, so not sure if there are similar concerns with StackWise

- Needless complexity - ability to bring less experienced admins into some network troubleshooting is ideal. MST requires more manual administration - assigning VLANs to instances, manual revisions, concept of IST 0, regions, etc. What do we gain in our environment? We have no CPU concerns given low number of VLANs. We are still able to load balance RPVST+ via HSRP & core switches.

Any input greatly appreciated.



VLAN configuration on Cisco 4948 to Linux "server"

This is a homelab networking question... and I'm trying to figure out what best practice would/should be for this situation.

I'm currently using two separate physical LAN ports (built on the motherboard) to keep two VLANs separate.

Let's say the VLAN numbers are 6 and 8. 6 is the main VLAN that gets routed to the internet, and 8 is the VLAN I want to prevent any traffic from getting out to the internet.

I'm wanting to convert to using VLAN on eno1 for both 6 and 8... so would it be best practice to configure the port that machine is plugged into as a trunk, or simply leave the VLANs tagged? I've only (in my limited experience) ever set a port to trunk for connections between switches. I don't see a reason why it wouldn't work to a computer/server, but I thought I'd ask before I, literally, tear down my security system and rebuild it.

It's a simple question, I know - I'm looking for a much more experienced viewpoint.

Thanks in advance.



Cisco ISE NTP Keys - SHA256/SHA512

Has anyone been able to get Cisco ISE working with NTP keys other than MD5? I've been trying to get SHA256 or SHA512 keys working, but ISE never syncs when using those keys. I'm on ISE 2.7 and the upstream NTP box is a Microchip S650 on the latest version. I don't see any reason why it can't work. I'm guessing the issue is the version of the NTP daemon ISE uses just doesn't fully support it.

TAC has been less than helpful, but mainly because I can't do a Webex, which breaks their workflow and makes it impossible to get anything done with them.



DANOS Interface placed into vrf for management

I'm setting up a DANOS router to connect my AS to an IX platform. The rackspace is included with a public IP for OOB. I'm now trying to set up an interface on the machine in a VRF to allow management to be apart from the global routing table.

So far I came up with this, which gives me ping, but SSH for example is not yet working. What am I missing here?

set interfaces dataplane dp0o1 description OOBman
set interfaces dataplane dp0o1 address 93.xx.xx.xx/29
set routing routing-instance manvrf instance-type vrf
set routing routing-instance manvrf interface dp0o1
set routing routing-instance manvrf protocols static route 0.0.0.0/0 next-hop 93.xx.xx.xx


Strange network filtering I can't hunt down.

My experience:
I'm a Network+ certificate holder but NOT a CCNA certificate holder. So I'm not nearly as advanced as many here.

My issue:
https:// and http:// connections to "google.com" fail to connect while on my network. I get a timed-out error on any PC or browser.

My expected resolution:

To be able to browse to google.com and use it like a normal person.

It appears that only HTTP/HTTPS is blocked to google.com:

  • https://google.com fails on domain connected PCs in all browsers as well as smart phones on the corporate wifi using their built in browsers. However, the failure only seems to affect "google.com"
  • accounts.google.com , gmail.google.com, youtube.com and even google.ca work just fine in any web browser.
  • > ping google.com
    • works as expected
  • > nslookup google.com
    • works as expected
  • > tracert google.com
    • works as expected

Troubleshooting attempted:

  • I've checked the DNS on my firewall and switched it from my ISP to Google and to OpenDNS. None have fixed the issue.
    • I've of course flushed the DNS on my test machines after every test.
  • I've removed/disabled my IPS software system for testing and this did not correct the issue.
  • I've checked my firewall's filtering settings and couldn't find anything of note.
  • I've checked my Microsoft DC server for any filtering or DNS rules and couldn't find anything of note.
  • I've manually changed a client PC's DNS settings so it won't use my in-network DNS server/relay. This did not fix the issue.

Conclusion: There is some form of HTTP network traffic filter on my network that I cannot find for the life of me. My major culprits are my firewall and my Domain Controller. I have failed to identify the correct setting or feature that could be blocking this traffic.

If anyone has encountered this issue in your systems or knows a likely place to check I'm all ears.

My Network Architecture

This business uses a full Unifi network stack (Unifi Dream Machine Pro firewall, Unifi switches and Unifi access points). The domain controller is a standard Windows Server 2019 and all PCs on the network are bound to its domain. This is a small business with less than 40 employees and only one site (no multi-site domains or anything fancy).

DHCP is handled by the domain controller, not the Unifi Firewall.

Thanks in advance!



Thoughts on Aruba Clearpass?

Looking for an on-prem solution to get TACACS with LDAP running for our network devices (mostly Cisco routers/switches, and higher-ups don't want ISE. They had very bad experiences with it years back before I got here and they don't want it deployed ever again). Heard through googling and forums that Clearpass seems to be a popular choice.

Anyone able to share their experience with it, or know if they do trial evaluations? I reached out via their contact us page, still waiting to hear back.



Policy Compliance Checking - What tool do you recommend?

We use SolarWinds NCM for config management and policy compliance. For compliance I've never used anything else, but I am pretty sure I hate it, and I'm looking for alternatives.

What off-the-shelf policy compliance tools are you familiar with and are there any you would recommend? Looking for something capable of handling 15,000 devices and growing.

To be clear on the term "compliance" I mean that the device configurations are scanned to make sure specific settings exist, unexpected settings do not exist, and is version-aware. NCM does it with (for the most part) regular expressions and configuration blocks.

TIA!
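As an added example of the regex-plus-configuration-block style of compliance checking the post describes (constructed here, not SolarWinds NCM or any vendor's code), a small checker that evaluates required and forbidden patterns, scoped either globally or inside a configuration block, and skips rules below a minimum OS version. The sample config and rule set are made up.

```python
import re

# Constructed sample IOS-style config; not taken from any real device.
SAMPLE_CONFIG = """\
version 15.4
hostname branch-rtr-01
service password-encryption
ip ssh version 2
no ip http server
ip http secure-server
snmp-server community public RO
!
line vty 0 4
 transport input telnet ssh
 login local
!
"""

# Each rule: kind is "require" (pattern must exist) or "forbid" (must not exist);
# "block" restricts the search to child lines of matching top-level headers;
# "min_version" makes the rule version-aware (skipped on older images).
RULES = [
    {"name": "ssh-v2", "kind": "require", "pattern": r"^ip ssh version 2$",
     "min_version": (12, 0)},
    {"name": "no-http", "kind": "require", "pattern": r"^no ip http server$"},
    {"name": "pwd-encryption", "kind": "require",
     "pattern": r"^service password-encryption$"},
    {"name": "vty-no-telnet", "kind": "forbid", "block": r"^line vty",
     "pattern": r"^transport input .*\btelnet\b"},
    {"name": "snmp-default-community", "kind": "forbid",
     "pattern": r"^snmp-server community (public|private)\b"},
]


def parse_blocks(config_text):
    """Split an IOS-style config into (header, child_lines) pairs.

    Top-level lines become their own block; indented lines attach to the
    preceding top-level line. Comment lines ('!') and blanks are dropped.
    """
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def config_version(blocks):
    """Return the 'version X.Y' line as a comparable tuple, or None."""
    for header, _ in blocks:
        m = re.match(r"^version (\d+)\.(\d+)", header)
        if m:
            return (int(m[1]), int(m[2]))
    return None


def evaluate(config_text, rules):
    """Map each rule name to 'pass', 'fail' or 'skipped'."""
    blocks = parse_blocks(config_text)
    version = config_version(blocks)
    results = {}
    for rule in rules:
        min_v = rule.get("min_version")
        if min_v and (version is None or version < min_v):
            results[rule["name"]] = "skipped"
            continue
        pattern = re.compile(rule["pattern"])
        block_re = rule.get("block")
        if block_re:
            # Only lines inside matching blocks are candidates.
            hdr = re.compile(block_re)
            candidates = [line for h, kids in blocks if hdr.match(h) for line in kids]
        else:
            candidates = [h for h, _ in blocks]
        hit = any(pattern.search(line) for line in candidates)
        ok = hit if rule["kind"] == "require" else not hit
        results[rule["name"]] = "pass" if ok else "fail"
    return results


def failures(results):
    """Names of the rules that failed, for a summary report."""
    return sorted(name for name, status in results.items() if status == "fail")


if __name__ == "__main__":
    res = evaluate(SAMPLE_CONFIG, RULES)
    for name, status in res.items():
        print(f"{name:25s} {status}")
    print("failing rules:", failures(res))
```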



Shared vs dedicated internet

Our business (small trucking company) is in the design/plan stages for our new shop/headquarters in Spartanburg, SC. Our architect is going over what services we have available at the street as we need to plan how we want to do the utilities.
It appears Spectrum is the only business provider and they offer 3 plans: 200/10, 600/35 and 1000/35. The architect mentioned doing a dedicated line? I started doing some quick research and I'm not really too sure what advantages it has besides being expensive. I'll list so far the items we're going to have on the network:

- A PBX phone system
- A storage server
- A few computers (not sure on the number, less than 6)
- An NVR server
- 10 plus IP cameras
- Other misc network devices

I'm hoping someone can help point me in the direction of what to start researching so I can better understand and help make the right choice!



Centralized Network Management

I recently just started a Network Administrator job out of college. My company has put me in charge of updating a database with switch information (IP, MAC, Serial, Model) which would not be an issue but the company has well over 400 Cisco devices and they have let the database get behind making it a pain to update it. These devices are world wide connected using a WAN. They informed me they were going to use SolarWinds to manage this but since SolarWinds had security issues in the past we are no longer going to use it. Does anyone know of a solution to this to automatically pull this information and store it in a database?



How to authenticate IP Phone 7821 using 802.1x?

I installed ISE a few days ago and I want to authenticate the phones using 802.1x. Some phones authenticate using MAB and I want them to authenticate using 802.1x.



HP 1930 Vlans

Hello,

I purchased an HP 1930 and I want to connect it to my FortiGate.
On the FortiGate I configured an interface with an IP and a subinterface for VLAN 6 with an IP.
I would like to do a trunk on the 1930 with a native VLAN. I didn't understand how to do it.
I would need to configure on the 1930 VLAN 1 as the native VLAN and VLAN 6 as tagged.
How can I accomplish that?

Thanks



Route multiple WAN IP's through a L3 Switch

Five static IPs come into the MDF on fiber from the ISP. I would like one of the WAN IPs to appear on one switch port, and have another WAN IP appear on another switch port. Then those ports would be plugged into a router/gateway or plugged directly into a server and distributed through other ports of the switch. Or the raw internet could appear on select multiple ports and whatever is plugged into the port could pull its static WAN IP. Is it possible using an L3 managed switch?

I'm trying to understand how this was done at a current install. The network cable from the ISP is currently going directly into a Dell PowerConnect 2724 managed switch. From there, the building HVAC system is getting one of the WAN IP's though the switch, the client's router is plugged into another port and is getting another WAN IP, then distributing it back into the switch. A tenant on the other side of the building is getting another WAN IP and then handling routing from their IDF with their own router. Unfortunately the original network architect is unknown and the switch is password protected. But it's working as intended. Now we're getting ready to upgrade the switches.

How do I replicate this setup with a new switch? How do I get the raw internet feed including the 5 static IP's to appear on various switch ports on a L3 switch? Guessing it may involve LAG and VLANs but wanted to ask before I start trying to figure out how to get it to work. Thank you.



Technicolor CGA4131COM Comcast Modem Bridge Mode Question

Hello,

Does anyone who works for Comcast, or has worked with this device, know if putting the modem in bridge mode will mess with the phone lines? This device has 8 phone lines and 8 LAN ports. My understanding is that taking the router out of routed mode and placing it into bridge mode will in fact cause a problem with the phone lines, but I want to put a different router between it and the LAN without causing any problem with the onboard analog phone lines / TV services coming through the coax with the internet.



Quick question regarding ARIN RPKI

Looking into enabling RPKI for our ARIN organization ID and just curious if this will have any impact on existing advertisements/peering other than being more secure, trying to avoid outages.



Cisco nexus TCAM carving question

Currently I have the following TCAM regions enabled on a Cisco Nexus 9396PX switch:

# show run all | grep tcam | exclude 0
hardware access-list tcam region qos 256
hardware access-list tcam region racl 512
hardware access-list tcam region e-racl 256
hardware access-list tcam region copp 256
hardware access-list tcam region redirect 256
hardware access-list tcam region ns-qos 256
hardware access-list tcam region ns-vqos 256
hardware access-list tcam region ns-l3qos 256
hardware access-list tcam region rp-qos 256
hardware access-list tcam region rp-ipv6-qos 256
hardware access-list tcam region rp-mac-qos 256
hardware access-list tcam region ipv6-racl 512
hardware access-list tcam region arp-ether 256
hardware access-list tcam region sflow 256

This is a border leaf of an EVPN Clos fabric. I want to enable the SPAN feature, so I'm trying to free up some TCAM from another region, but I'm unsure whether I'd break something else.

Example:

I am using BFD so I need redirect 256; I am using ACLs v4 and v6 so I can't take that TCAM either; same with arp-ether for suppression; and sflow is used for the collector.

Now the question is QoS (I didn't configure any kind of QoS on this switch; I have just enabled jumbo frames).

I can take qos 256 and give it to span, but how do I confirm nobody is using QoS before I take that memory share?



Router settings?

First, I have a small office setup with about 15 workstations, printers, etc.

Second, I have moved everything over to a new router, but haven't removed the old one yet. (Internet comes in, old router, new router, everything else.)

The problem. I don't see the network name. I see network 1/2/3/4 on the workstations.

I'm trying to get file sharing off the ground.

Ip address and subnets seem to all be the same.

Edit: old router is Arris bgw210 new router is udm pro



Cisco ASA log message "SFR requested device to bypass further packet redirection and process TCP flow from.."

Hello all,

I'm trying to open port 443 between two servers and I can't make it work. I looked at the log messages and this is what I found:

Aug 04 2021 14:48:13: %ASA-6-434004: SFR requested device to bypass further packet redirection and process TCP flow from INTERFACE-A:10.150.150.10/443 to INTERFACE-B:10.40.10.10/49759 locally

Aug 04 2021 14:49:00: %ASA-6-106015: Deny TCP (no connection) from 10.40.10.10/49761 to 10.233.60.132/8080 flags RST on interface *******

Aug 04 2021 14:49:00: %ASA-6-106015: Deny TCP (no connection) from 10.233.60.132/8080 to 10.40.10.10/49760 flags ACK on interface *****-PROXY

Aug 04 2021 14:49:00: %ASA-6-106015: Deny TCP (no connection) from 10.233.60.132/8080 to 10.40.10.10/49761 flags ACK on interface *******-PROXY

I have an access rule that is permitting source IP 10.40.10.10 to destination 10.250.250.50 on port 443.

access-list ACL-PROD extended permit tcp host 10.40.10.10 host 10.250.250.50 eq https.

I can't see in the logs that the IP 10.40.10.10 is even trying to make a TCP connection with 10.250.250.50.

I have double checked that the ACL is applied to the right interface and we have routing.

Our Windows guys checked the proxy and they opened ports (just for now) to make some tests. They could see all 10.x IP addresses bypass in the proxy.

Could someone explain to me what the log message "SFR requested device to bypass further packet redirection and process TCP flow from..." means, and what could cause this problem?

Thanks!
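A parser for the four ASA syslog lines quoted in the post above, added here as an example (not from the original poster or from Cisco): it pulls the message ID and 5-tuple out of each line and lists which peers a given host actually appears with, which is the check the poster wants for 10.250.250.50. The interface names are kept as the poster masked them.

```python
import re
from collections import Counter

# Constructed sample: the four lines quoted in the post, verbatim apart from
# the interface names the poster had already masked with asterisks.
SAMPLE_LOGS = """\
Aug 04 2021 14:48:13: %ASA-6-434004: SFR requested device to bypass further packet redirection and process TCP flow from INTERFACE-A:10.150.150.10/443 to INTERFACE-B:10.40.10.10/49759 locally
Aug 04 2021 14:49:00: %ASA-6-106015: Deny TCP (no connection) from 10.40.10.10/49761 to 10.233.60.132/8080 flags RST on interface *******
Aug 04 2021 14:49:00: %ASA-6-106015: Deny TCP (no connection) from 10.233.60.132/8080 to 10.40.10.10/49760 flags ACK on interface *****-PROXY
Aug 04 2021 14:49:00: %ASA-6-106015: Deny TCP (no connection) from 10.233.60.132/8080 to 10.40.10.10/49761 flags ACK on interface *******-PROXY
"""

# Common ASA syslog header: timestamp, then %ASA-<severity>-<message id>.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
# 106015: a TCP segment arrived for which the ASA holds no connection entry
# (here a stray RST or ACK), so the ASA drops it instead of creating state.
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>\S+)"
)
# 434004: the SFR (Firepower) module told the ASA to stop redirecting this
# flow to it and to finish processing the flow on the ASA itself.
SFR_RE = re.compile(
    r"SFR requested device to bypass further packet redirection and process "
    r"(?P<proto>\w+) flow from (?P<sif>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) locally"
)


def parse_line(line):
    """Return a dict for one ASA log line, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "severity": int(m["sev"]), "msgid": m["msgid"]}
    text = m["text"]
    body = DENY_RE.match(text) or SFR_RE.match(text)
    if body:
        rec.update(body.groupdict())
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
    else:
        rec["text"] = text  # message type we do not decode further
    return rec


def parse_lines(text):
    """Parse every recognised line in a block of syslog text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def message_counts(records):
    """How many times each message ID occurred."""
    return dict(Counter(r["msgid"] for r in records))


def peers_of(records, host):
    """Sorted (peer_ip, peer_port) pairs that `host` was seen talking with.

    An empty list for the expected destination means no packet between the
    two hosts ever reached the firewall's logs, so the ACL is not the
    component to look at first.
    """
    peers = set()
    for r in records:
        if r.get("src") == host:
            peers.add((r["dst"], r["dport"]))
        elif r.get("dst") == host:
            peers.add((r["src"], r["sport"]))
    return sorted(peers)


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOGS)
    print("message counts:", message_counts(recs))
    print("peers of 10.40.10.10:", peers_of(recs, "10.40.10.10"))
    print("peers of 10.250.250.50:", peers_of(recs, "10.250.250.50"))
```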



Automate ping sweep

Is there a way to automate a ping sweep on my entire network (several subnets) that gives me a summary report with the count of hosts alive for each subnet? If it can track history, that would be a plus.



Extending cables over 100 meters using 4 port unmanaged switch

Greetings everyone!

We currently have ethernet cables running underground in pipes to each room in a beach resort.

Some of the cables exceed 100 m (190 m) and they require a switch in between. Would small unmanaged switches such as the IP-COM F1105P-4-63W or TP-Link TL-SG1005P renew and extend the cables properly, or do we need a managed switch such as the TP-Link TL-SG2210MP?

Also how accurate are the TP Link T1600G-28PS cable length and fault locations in web interface under device diagnostics ?



Looking to acquire and host IP blocks

Hi, I’ve been doing a lot of research about buying/leasing IP blocks to host on my own, but still have a few questions.

What are some of the most trusted IP brokers that people are using today? I see a lot of them online but I'm not quite sure which ones are the most reputable.

How difficult is it to get assigned IP blocks by ARIN? I have completed the process of registering on ARIN in order to get on the IP block waitlist, but am not sure how likely it is that my company will get approved.

Lastly, if using an IP broker, will I be able to specify which sites I need to make sure are able to be accessed by the IPs?

Thanks in advance for the help.



How are Link State Packets Sequence Numbered

I have a question regarding Link State Packets:

How are Link State Packets Sequence Numbered and why?



Policy-based routing question/setup

Hi All,

I'll keep this short (I hope). We're bringing a 2nd ISP into our environment for path diversity with a new IP range. I wanted to get some info on how I can implement policy-based routing to have these links work in tandem, but I am unsure where to start as we have a handful of subnets and site-to-site VPNs with some vendors using our current ISP.

The setup seems simple: we have Cisco Firepowers at our edge doing routing, so I was hoping to just plug the new ISP into the Firepower, create my ACLs and do the route-maps. But my question is, where do I start? Do I just do a few subnets at a time? Create a "test" subnet and use that first to make sure traffic flows correctly?

I am in a bit of a pickle due to the fact we're a 24/7 operation so scheduling this without testing could be problematic if something goes wrong.

I know i haven't given the bigger picture of our environment but just wanted to get an idea on how to plan and come up with the design.

Thank you!



Tuesday, August 3, 2021

Which application do you use to monitor each IP's traffic in the network?

Hi guys,

Our network was hit hard by DDoS yesterday, but it takes a long time for our ISP to find out which destination IP was under attack. To help us identify the attacked IP quicker in the near future, my idea is to mirror and capture the whole traffic by spanning it to another port.

If my idea was familiar, which application is able to achieve that goal? and if there is a tutorial you could link me to it, that would be great.

Thanks.

P/S: Apparently we will install a firewall appliance in the future, so the above question is for learning purposes.

Also, the ISP sent us the image below; could you identify which app they are using?

https://imgur.com/a/t0EiLq0



Cat6a unshielded UTP patch cables : Hard to find? Safe to go with shielded instead?

Hi,

We're going to run some new cables for IP cameras (about 10 runs). We ordered Cat6A unshielded UTP as the prices of the 1000ft rolls are quite affordable nowadays. And it future proofs that we'll be able to get 10 Gbps on 100 meters later.

I'm now shopping for the patch cables. Geez! Is it me or are they on the expensive side? Also it seems that shielded patch cables are more readily available than unshielded. Cheaper too.

I mean, one 3 ft unshielded Cat6a is $13. We can get five shielded Cat6a for $15. Go figure.

I'd go and buy the shielded one but I've read that when you go shielded, you must be shielded all the way, from the device to the switch... Or it could create more problems than benefits... That's why I'd rather go with unshielded.

Now, there's the so-called slim cables available in cat6A UTP for a reasonable price, but they're only 28AWG or 30AWG... The cat6a that we'll use for the cable runs are 23AWG.

So my questions would be:

  • Can the Slim cat6a patch cables (3 to 7ft) reliably transmit 10Gbps and POE?
  • Is it OK to use SFTP/SSTP shielded cat6a between the patch panel and switch, even if our cable runs and patch panel are unshielded? Can it cause any kind of problems?


Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



How do I get to the next level? Senior engineering, more responsibility, better pay etc

Yo networking vets and gurus, I’m in desperate need of some advice on how to advance in the field.

I’ve been in IT for 8 years now doing a variety of salaried and contract jobs ranging from SMB network administrator to NOC L1 to Wan engineer at a F500.

I'm a paper CCNP earned through nights and weekends with GNS3/EVE-NG, but unfortunately my real-world experience with most protocols has been limited. I was finally able to implement BGP and OSPF in my last job (contract) before being laid off due to rona.

I'm currently in a contract doing cyber security administration but I really wanna utilize my core skillset, which is network engineering.

The hard part is every position that pays a decent wage (100k+) is "senior", requiring years of MPLS, BGP, datacenter, VoIP and VPN/IPsec knowledge with cloud infrastructure/programming languages thrown in for good measure.

Many people say apply anyway, and I've made it to first round interviews, but talking about my GNS3 experience doesn't inspire confidence and I keep getting passed over for more upper echelon guys (20+ years in the game/military XP) because networking is such a mature field.

I'm at a loss y'all. Companies want everyone to hit the ground running and I've considered taking a pay cut to find a mid/junior engineering role so I can get more experience. I have a family now and 70k isn't gonna cut it anymore. I need the big bucks and my wife wants a big truck.

I'll post my resume as well; let me know what I can improve. Thanks for any and all advice.

https://docs.google.com/file/d/1Jhihm3IUQf6X3GHkNlo-3rVcO5GSLfGk/edit?usp=docslist_api&filetype=msword



Fyi: Givex VHub software update seems to have enabled a DHCP server on their "Internet" port. Make sure you have DHCP snooping and rogue DHCP server protection.

Title



Dynamic routed dual hub-spoke network configuration

So my network has grown a lot over the past couple years and I am unsure how to design my network going forward as in my reading a lot of the documentation says I should change how it works and gives examples that don't really match my network and we've started to see weird routing issues. There is definitely a learning curve going from a mid-size network to a truly enterprise fully redundant network that I am trying to create.

So for the back story about 2.5 years ago my network was a very traditional hub-and-spoke network. I had 14 remote locations all with 2 tunnels to our data center directly because our data center also has 2 separate internet providers. I ran OSPF between the data center and the remote sites with every router and subnet being in the same area and traffic flowed beautifully between everything and life was simple. 15 routers, 28 /30 routing subnets, and 17 /24 networks for devices.

Since then we have grown a lot. By next summer I am going to have 65+ locations as well as a second data center that is a part of a company we purchased. We want to use this new data center as a second hub and would like all of our sites to be actively connected to both data centers with automatic routing and failover.

Documentation on OSPF that I have found states that it is a bad idea to have 50+ routers in a single area. Additionally looking at the math there are going to be 260+ /30 routing subnets, and 70+ /24 networks for devices. This is a lot of growth and it is all happening very quickly so I haven't had time to sit down and make routing changes and create new areas but we have passed 55 sites and we are starting to notice weird routing issues having everything in one area that just miraculously fix themselves when we reboot remote routers which is not my preferred solution. As of right now I haven't set anything up in the new data center or integrated it into our network and am trying to figure out what design changes I should be making.

So I am looking for recommendations or even links to documentation on how to design a network like this and what should be done for routing. Do I need to stop using OSPF, if I continue using OSPF how do I set up the areas with which subnets going into which areas?

TL;DR: Looking for recommendations on configuring dynamic routing on a dual hub-and-spoke network that has two data centers that each have two ISPs.



Nokia 7210 SAS-D image load failed

At the ISP I work at I'm seeing other providers using interesting equipment I haven't yet worked with. One of those is the Nokia Alcatel-Lucent platform, which I'm eager to start labbing up alongside our preferred Cisco equipment.
To that end, I spun up a GNS3 7750 image, which is great, but since I love real hardware I also picked up a 7210 SAS-D, only to find this:

Skipping missing or bad config file 'cf1:/config.cfg'
Cannot find or access configuration file
TiMOS image load failed.
Hit a key within 51 seconds to change boot parameters...

Pretty sure I'm missing a firmware image (it was pointing to a remote server for this on the original boot config), do I have a brick on my hands?



Pros/Cons of Interface Templates on Cisco switches

We are starting switch replacements at several sites and I am considering using interface templates at the access layer. I wanted to see if anyone uses them and was looking for any positive/negative feedback.

Thanks,



Advice Needed: Best Method/Software for Network Config Template Management

Hey everyone,

I wanted to reach out to the community of networking professionals here on Reddit to see how others currently 'solve' this problem that I'm having at my current job.

I work for a Fortune 500, and the networking pillar of our I.T. Operations department is comprised of about 70 employees, and this truly and purely is just network engineers and their respective PMs.

Currently, there is no great system for creating a single source of truth for our network configuration templates. For example, we leverage Cisco ISR4331s for our current standard of branch router, and so we have a configuration standards document for this. However, it's just a dumb old Word document. What this means is that as standard interface configurations, ACLs, object-groups, etc. change through time, that document never gets updated. Over time, this has put my organization into a state of conflicting truth when it comes to what we should be using for design and configuration standards.

I don't know if this makes sense or not, but I'm also looking for a middle ground between the Word documents of yesteryear and the configuration-as-code of the future (think DNA, ACI, etc.). I thought GitHub could work, but I don't know if that would be too steep of a learning curve for a group of people with limited experience in that platform or code management.

I'm all ears to any opinion or suggestion, so if anything comes to mind, let me know.



Looking for suggestions

Can anyone suggest some study material (books/videos etc.) on ISIS, BGP, OSPF, EIGRP etc.? I want to shake the rust off a little and sharpen some knowledge and could use some direction. I primarily work with Cisco/Juniper platforms; any help is greatly appreciated.



Generate FCS errors using a Bad cable

Hi all,

I am trying to generate FCS errors for cable testing purposes. I have used some tools and was able to generate the necessary errors. Now I want to manually tamper with an Ethernet cable and generate the required errors so it resembles a real bad cable. Does anyone know any specific combinations of the internal wiring which can generate those errors? TIA



Firewall at Edge vs Core

Obviously I would think having a firewall at the Core switch is ideal, however sometimes this may not be possible, (depending where the ISP connection is).

My question is the following, is there a fundamental difference between having a firewall at the edge vs core? At the link below is a drawing of 2 scenarios,

Scenario # 1 the firewall is directly connected to the core switch.

Scenario # 2: the firewall is at the edge switch on its own VLAN, the SVI is on the core switch, and there is a trunk between the core and the edge.

In both scenarios, the static route is pointing to the firewall.

(Note) This is for a backup ISP connection and would only be used as such.

https://ibb.co/Sv8Zx8v

Thanks for any input.



Camouflaging outdoor access points and radio bridges

Hi all,

I'm helping overhaul the WiFi at a professional haunted house as a side project. The topology is very straightforward; I'm just carrying a VLAN or two to some Ubi WAPs on a few outbuildings via 5 GHz NanoStations.

I'd love to see if anyone has any thoughts regarding my approach to spooky camouflage for the gear. See, all of the buildings are black and/or textured, and white Ubiquiti equipment will stick out like a sore thumb and distract from the attractions onsite.

I come from a B+M retail background, and deal with similar aesthetic challenges on store frontage. Radio-transparent enclosures are a clean solve for this situation, but I'm seeing if we can find more 'organic,' fabric-based solutions for the nanostations we'll have up on pole masts.

I'm thinking of gently draping the radios with a light wicking fabric, like a burlap or black veil material, which can get damp in the rain but won't get soaked. (That's the chief concern: the camouflage material getting wet and muting the radio.)

I'll be testing out a few options this week but figured I'd also poll the audience to see if anyone has any thoughts/suggestions.

Thanks!



Moving Network from L2 to L3 Routed

We have a network wide refresh coming up, and I keep reading that the L2 demarc should be as close to the access layer as possible. This makes sense, there are multiple benefits like convergence, eliminating STP and other L2 chatter, etc. However, I'm having a hard time understanding a few things.

  • How are people connecting ESXi hosts, do vSwitches support L3?
  • We have a few VLANs that span across multiple floors of our building. Would this need to be redesigned so only one route for a network always has same next hop? Or can we create two routes to same destination with multiple next hops in some fashion?
  • Does L3 at the access layer assume VLANs are unique to each closet? Ex, that access switch is the sole next hop for whatever network exists in that closet.
  • We use a collapsed core design for the floor where our Core switch resides. For other floors, the core connects to distribution switches. Does this wipe out the possibility of going L3?
  • We use VLANs that are non-routed except by the firewall for certain things like guest network and an isolated network. These networks need no access to anything internal, so the Core simply sees them in L2 and passes them to the firewall. Like above, does this topology rule out the possibility of L3?

Appreciate any input.



Does a CAT cable contain uplink and downlink wires?

Hi!

I upgraded to 250/250 Mbps internet. I get a stable 240 Mbps down but my uplink never goes over 100 Mbps.

I just got off the phone with the ISP service technician and they say I must buy a new cable to test as they can verify my speed cap with them is set to 250/250 Mbps. I've never experienced any problems before. I was even maxing out the upload to my NAS (HDD not SSD)

Question is: Could it be that the cable contains wires for uplink that have been damaged? Cable must be 10 yrs and might have been run over by a chair sometimes during these years.



Is it just me or are contact centers for IT absolutely flooded with backlogs right now?

Is it just me or are customer contact centers being absolutely flooded since about April?

Real talk, I'm sure everyone in here works a variety of different technical roles in different industries. Has everyone else noticed how insanely batshit bonkers the sheer volume of customer inquiries has been since about April of this year? Like, I'm specifically in network security for a vendor of network security and our queue for support tickets is absolutely off the wall batshit crazy. I've read other forums of people in sales with customers flooding the phone lines about appliance back orders. Seems every customer contact center, whether it's a simple question or a technical question, is absolutely flooded right now. Is it just me or is anyone else seeing this?

For reference before covid we averaged maybe 100 to 120 tickets at end of day and we are going home with over 300+ tickets in our queue some nights and rarely dipping below 250



Two gateways/firewalls on a network in a transition period

Hi,

Company has a gateway with IP 192.168.1.1. This firewall has a lot of rules, nat and port forwarding.

Is it OK to have a second gateway/firewall on 192.168.1.2 that is placed on a separate/new WAN link in a transition period? If it's possible without any trouble, it will make it possible for me to configure and test some important rules and NAT before cutting off the 192.168.1.1 gateway.

Thanks



Routed Access design - vague Cisco's description

While reading Cisco's materials for CCNP ENT about campus architecture, I came across the following paragraph about switched vs routed access layer.

The Layer-2-only access design is a traditional, cheaper solution. However STP, while getting rid of loops, blocks half of the uplinks. Layer 3 design introduces the challenge of how to separate traffic—for example, guest traffic should stay separated from internal traffic. Layer 3 design also requires careful planning. A VLAN on one Layer 3 access device cannot also be on another access layer switch in a different part of your network. Each VLAN is local. With Layer 2, you can have the same VLAN on multiple access layer switches; however, that practice is not recommended.

I can't understand the bold sentence. Why can't the same VLAN be on other access switches? What is the problem with that? I think it is even what many companies do: the same VLAN, for example for voice, on all access switches. We only need different subnets, but it is not the VLAN that has to be different.

Can you please help me to understand this Cisco definition?



Monday, August 2, 2021

Newbie question... Why does this company run SD-WAN over MPLS?

I recently got hired as a contractor at a large corporation to do minor networking stuff. I am studying to become a Network Admin so I am still learning a lot. They have a bunch of branch offices that use ATT MPLS circuits. But they are in the process of converting to SDWAN. They are using 2 VCEs, one is using a broadband connection, and the other is using the same MPLS circuit. Why would they do this? I thought SD-WAN is supposed to just run over broadband internet... Wouldn't their goal be to get away from MPLS? I asked one of the full time engineers and he didn't really answer me... so I thought I would ask here.



AdminToolbox.Fortiwizard Automate FortiGate VPN Tunnels

I've recently built a PowerShell module that serves the purpose of generating configuration scripts for FortiGate Firewalls. While not limited to, the primary role being to generate VPN configuration scripts for different IPSec tunnel scenarios.

I am responsible for building many VPN tunnels and I got tired of the repetitive task of copying and pasting parameters into configuration scripts. I also am not a fan of the FortiGate VPN wizard, so this module just made sense.

As I continued to develop the function, I decided the ultimate goal would be to run a single PowerShell function and have that generate a VPN config from a VPN form. A VPN form can be sent to a 3rd party, and when returned with the required tunnel parameters such as Peer Address and remote hosts, you can immediately generate a tunnel. To take it a step further I generated Examples that use Posh-SSH to invoke the generated configuration script directly to the firewall without ever leaving PowerShell.

The amount of time this will save me is huge. Fork it, change it, contribute, critique it, or ignore it. I am pretty happy with this one, and hopefully it can be useful for some of you.

Here are some related links.

AdminToolbox.FortiWizard Github

Code Examples

Sample VPN Form

Demo Video



recommended book/video tutorials for learning Ansible for network engineers (for beginners)

Are there any books/videos I can invest in to further expand my knowledge? I wanted to buy Ansible: Up and Running (O'Reilly press) but the reviews I have seen online for that book aren't great.

What books/video series do you guys recommend that would take me from absolute beginner to expert

thanks



Split Tunnel JAMF on a Palo Alto

Has anyone successfully split tunneled JAMF on the Palo Alto Global Protect Client.

It seems that application paths need to be configured. I have the below items configured in the "Exclude Client Application Process Name" for split tunneling so far:

/Library/JSS/bin/jamf-pro
/usr/local/jamf/bin/jamf
/usr/local/jamf/bin/jamf policy

I can push a bash script to "sudo jamf recon" and "sudo jamf policy" and split tunneling works. But if I run those locally on the machine it does not work.

Any ideas or any successes out there?



IPS signatures for CVEs

Is there an API available for querying Cisco IPS/Snort protections against CVEs?



VLANs between Aruba and Netgear for VoIP

Here's the goal: Connect VoIP phones to their gateway by going through the existing Data network.

Here's the environment:

Most of the main building has network drops with 2 wall ports; 1 for the VoIP network (192.168.1.x/24) and 1 for the Data network (10.0.1.x/24). VoIP network is completely segregated. Clients (Polycom phones) plug into (a wall port -> patch panel ->) a Netgear Prosafe GS752TP (Switch 1) and then into an EdgeWater 4550/v2 gateway device (Gateway IP 192.168.1.1) and get their IP with DHCP.

However, we have one building (more of a trailer) that is connected only to the Data network. The switch out there is an Aruba HP 2530-24G Switch (J9776A) (Switch 2) which connects to the main building into another Prosafe GS752TP (Switch 3). Currently there is no routing or VLAN configuration, all ports on all switches are simple access ports, including the ports linking Switch 2 to Switch 3.

I need to put some phones in the other building. My plan was to (on Switch 2) create a VLAN for voice (we'll call it VLAN 25), tag specific ports on Switch 2 as VLAN 25 so anything plugged into them (phones) would be tagged as VLAN 25, and tag the link between Switch 2&3 with VLAN 25 to ensure network traversal. Then on Switch 3 create VLAN 25, then tag the link to Switch 2 with VLAN 25. Then I'd need to physically connect Switch 3 to the EdgeWater gateway, and tag that link with VLAN 25 so that only VoIP traffic will get routed to that gateway, and everything else will continue to the regular 10.0.1.1 gateway.

I've been at this for a few hours with various tweaks to configuration, all with no success. Any guidance would be greatly appreciated!

Edit: I put Routing flair, but that might not be the most appropriate. It kind of falls under Design and Troubleshooting as well



Contractor to Federal Employee?

I currently make about $160k per year as a federal contractor doing network engineering. There's a couple GG-13 positions opening up at my office that I have a really good chance of getting offered. The position would mostly be doing the same thing, just more of a design role. The only thing that is making me uncertain is it would be about a 20% decrease in salary depending on the step. I'm pushing 40 and looking for something more stable but the pay decrease is significant enough that it's making me uncertain. Have any of you made this transition? Any advice would be appreciated.



Is CRL checking required for wired 802.1x on Windows?

I'm running into sporadic issues with Windows clients failing to authenticate with wired 802.1x. We're using an internally signed certificate on our authentication server and it is trusted by the clients. The server certificate does have CRL/OCSP distribution points listed.

Logs from the machine do show that during authentication the client is failing to reach out to the CRL distribution point, which makes sense since we do not have a pre-auth ACL allowing that. However, it's not clear to me if that's actually causing the failure. Our Microsoft engineer states that it is the cause but cannot provide any documentation on the CRL requirement. I believe he's just assigning causality due to them both happening at nearly the same time.

Windows documentation states that the client does not require CRL checking of the server certificate when wireless 802.1x occurs. I can not find the same statement about wired 802.1x. Furthermore, our Cisco engineer has never seen this as a requirement for wired 802.1x.

To try and narrow it down I removed all cached CRLs/OCSP from a client and was able to authenticate successfully. This tells me that CRL verification is not required and goes against what the Microsoft engineer is stating.

Does anyone know if CRL checking is required during Windows 10 wired-802.1x authentication?



Dynamic DNS

Hello!

I have the following scenario and could use some help. I am planning a solution where there will be 3 active connections off of my firewall. 1st, 2nd and 3rd will of course each use a different IP address public facing, and we have port forwarding being used at the moment out of the primary ISP.

Port forwarding needs to remain intact and functional regardless of the IP address, therefore I was considering a Dynamic DNS service.

This way the IP would become irrelevant and I could issue out a URL to give to the users to access network services through the port forwards.

All insight is appreciated!

- TheHungryNetworker



Cisco ACI - new APIC version mismatch, need to downgrade

My google-fu is apparently really weak. I have some new APICs that I need to swap into my existing fabric and eventually replace all my current APICs. But the new ones are running 5.0 (no support for first-gen leaf/spine switches) so I need to downgrade them to my desired firmware.

I am completely lost on how to do this.

I've already decommissioned one existing APIC, and added the new one in its place by running through the wizard and connecting the fabric. I was hoping I could commission the new one and downgrade it inside the GUI. I got all the way to commissioning it, and now it seems to be stuck on Data Layer Partially Diverged.

Anyone know the right process for this?



App for drawing LAN diagrams

Hi,

I was wondering what apps do you guys use to draw LAN diagrams?

I'm currently using Creately's app and also tried Visual Paradigm's online web app, but I'm sure there are more/better ones out there.

I'm looking to draw simple diagrams, nothing fancy or complex.



ip a showing 2 IPs on one interface (Linux)

Recently I've been having some latency issues and packet loss (DUP errors), and today I realized that one of my interfaces is showing 2 IP addresses. This is on a Kubuntu/Linux PC.

Does anyone know why this is and how I can correct it? This PC is just hardwired and does not have an active wifi connection (disabled)



Virtual server question

Noob question. After recently switching out a router, we were having some issues with our virtual servers. We have a physical server with a virtual host and 3 VMs on it, but we could only ping one of the VMs; the host and other VMs were unreachable. I'm shadowing an analyst and it was determined that the issue was physical cabling which was misconfigured after the router switch. I'm curious about two things:

  1. How could one of the child VMs be reachable if the host was not able to be pinged, and
  2. How is physical cabling involved with VMs? I always assumed there was one Ethernet cable attached to the NIC on the back of the server and all switching done for the VMs was virtual.


How to: non-interactive login to devices that don't support pubkey auth

tl;dr: sshpass with some shell functions and ssh_config tweaking. scroll down for configs.

more of my job is shifting to python/ansible/NMS, but at the end of the day I'm still a cli jockey. I ssh into devices all the time, and most of the deployment I manage doesn't support pubkey auth (yet). so I get to type my ssh password over and over. until now I accepted that's just life until we get everything up to cat9k. but then something snapped, and I went on a mission to find a way to get (reasonably secure) non-interactive login, without rsa keys.

sshpass does exactly what I want. it allows passing a plaintext password to ssh, simulating non-interactive login. But I didn't want to store my password in plaintext on my machine, or have to type it in over and over. I want to type my password once per session, stored in memory only, and forgotten when I close bash.

It got tricky when looping the jumphost into the mix, which can use pubkey auth. In the end I got what I wanted by using sshpass's environment variable option (-e). Passwords are never stored on disk, won't show up in bash history or ps, but persist across a bash session until I close it (or actively deauth.)

relevant bits of ~/.ssh/config:

```
host jumphost
    IdentityFile ~/.ssh/id_rsa
    User austindcc
    Hostname jumphost.example.com
    Port 22
    ProxyCommand none
    PreferredAuthentications publickey
    # Also add `AcceptEnv SSHPASS` to jumphost's /etc/ssh/sshd_config
    SendEnv SSHPASS

host *
    ProxyCommand ssh -W %h:%p -q austindcc@jumphost
    PreferredAuthentications keyboard-interactive
    # We need to disable StrictHostKeyChecking because sshpass intercepts the new hostkey
    # confirmation, and returns nothing. Note: This does NOT suppress the key mismatch alarm,
    # only the initial connection prompt to a new device.
    # Also add this to the jumphost's /etc/ssh/sshd_config
    StrictHostKeyChecking no
```

~/.bash_profile:

```
function auth() {
    # prompt once per bash session; the password lives only in the SSHPASS variable
    read -sp 'Cisco password: ' pass
    export SSHPASS=$pass
    unset pass
}

function deauth() {
    export SSHPASS=''
}

function jump() {
    # calling jumphost with no arguments connects to jumphost directly
    if [ "$#" -eq 0 ]; then
        ssh jumphost
        return
    fi
    if [ -z "$SSHPASS" ]; then
        auth
    fi
    # -e makes sshpass read the password from the SSHPASS environment variable
    sshpass -e ssh "$@"
}
```

For extra frictionless logins, I added privilege 15 in my configs to drop into enable mode right after login. The cisco.ios.ios_user ansible module can roll this out easily.

Now after first login or manually calling auth, just type jump switch01 and drop straight into an enable-mode prompt. awesome!

Limitations:

  • All devices must use the same password, and I can't think of an easy way to overcome this, as sshpass doesn't let us specify a different environment variable
  • Doesn't try pubkey auth first. Could be done, but may add a few hundred ms to login times on non-pubkey-auth nodes. Irrelevant for me since we don't use pubkey on managed nodes yet

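An added example in POSIX shell, not the poster's code: the same auth/deauth/jump workflow, but the cached password is kept in an unexported shell variable and SSHPASS is placed only in the environment of the single sshpass process, so other programs started from the same shell never inherit it; a small hostname-to-credential-group map also lets different device classes use different passwords (the first limitation above). The hostname patterns and group names are constructed, and `jumphost` is the ssh_config alias from the post.

```shell
# Added example, not the poster's code. Works in dash and bash.
# Design: a password is cached per credential group in a plain (unexported)
# shell variable CRED_PASS_<group>; jump() exports SSHPASS only for the one
# sshpass invocation, so `ps`, history and other child processes never see it.

# cred_group TARGET -> prints the credential group for a host (an optional
# "user@" prefix is stripped). Patterns and group names are constructed.
cred_group() {
    case ${1#*@} in
        lab-*)           echo lab ;;       # lab gear shares one password
        switch*|rtr*)    echo ios ;;       # production IOS devices
        *)               echo default ;;   # everything else
    esac
}

# cred_var GROUP -> name of the shell variable caching GROUP's password.
# Only groups emitted by cred_group are used, so the name is always a valid
# identifier.
cred_var() { echo "CRED_PASS_$1"; }

# cred_set GROUP PASSWORD: cache a password in this shell's memory, unexported
cred_set() { eval "$(cred_var "$1")=\$2"; }

# cred_get GROUP -> prints the cached password, or nothing if none is cached
cred_get() { eval "printf '%s\n' \"\${$(cred_var "$1"):-}\""; }

# auth GROUP: prompt once with terminal echo off, then cache the password
auth() {
    printf "Password for group '%s': " "$1"
    stty -echo; read -r pass; stty echo; echo
    cred_set "$1" "$pass"
    unset pass
}

# deauth GROUP: forget the cached password for one group
deauth() { unset "$(cred_var "$1")"; }

# jump [ssh options...] TARGET: no arguments connects to the jumphost itself
jump() {
    [ $# -eq 0 ] && { ssh jumphost; return; }
    local target group
    eval "target=\${$#}"                 # last argument is the target host
    group=$(cred_group "$target")
    [ -n "$(cred_get "$group")" ] || auth "$group"
    # SSHPASS exists only in the environment of this one sshpass process.
    SSHPASS=$(cred_get "$group") sshpass -e ssh "$@"
}
```

Call `deauth ios` (or simply close the shell) to drop a cached password; a new shell starts with nothing cached.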

NX-OS Modify Distance for certain prefixes

It's well known that BGP backdoor isn't available on nx-os, but I can see a route-map set distance option to modify the distance for EBGP. Does anyone know if this works on received routes? I need to make the EIGRP path (if present) to be preferred.

If it does, it seems odd that there are many posts about this either suggesting alternatives or suggesting to modify the distance at the address-family level (e.g. here or here).

```
! N9k running 7.0.3i7x:
nx-os-switch(config)# route-map RM-BGP-IN permit 200
nx-os-switch (config-route-map)# set ?
  as-path             Prepend string for a BGP AS-path attribute
  comm-list           Set BGP community list (for deletion)
  community           Set BGP community attribute
  dampening           Set BGP route flap dampening parameters
  distance            Set the Administrative distance of route
  [...]
```


How to address a network closet shared with another tenant

Hey guys, we recently had a tenant move into one of our sites that has been vacant for some time since our users moved out.

Keep in mind, this tenant is completely separate from our organization so we are not required to provide any network services.

Upon their initial move-in, they asked if they'd be able to hop onto our network for internet access and we explained to them that our network/equipment is off-limits. We did allow them to use the 2nd-floor portion of the patch panel so that they could install their own equipment and be able to patch accordingly. They agreed to this and that was the end of that.

Over the weekend, our switch at this site dropped. Went in this morning and found that they had unplugged about 15 of our cables directly from our switch (not from the patch panel) and also must've unplugged our fiber uplink and then failed to reseat the SFP because the site was offline the entire weekend. This put a very bad taste in our mouths.

The point of this post is to ask the best way to address sharing a network closet with another tenant. Sure, we know that we need to install a network cabinet and physically secure our equipment from them but what else may you recommend we do? Any specific guidelines we should lay out with them in regards to not touching our equipment? What would you suggest the best way to address this situation be?

Thanks!!



10 pair phone cable termination

I am installing a regular 19" rack for all switches on a particular floor of a 4-story building. The thing is, the main PBX is on floor one and running from it are 10-pair cables to each floor cabinet. How do you terminate them in the rack cabinet? Are there any solutions like network patch panels and patch cables? How do you do it properly? Your input is highly appreciated.



Jumbo frames on DIA hand off.

I just recently received a 10gig DIA from our carrier and found out that they are handing over the circuit with Jumbo frames enabled.

Is this something that is normally done now with circuits this large?



Analyzing Netflow/SFlow to identify TopTalkers

Hi!

I want to have a better tool to identify top-talkers and details about that afterwards. Can you recommend me any software to:

- capture netflow

- be able to choose a time-frame

- get top-talkers of that timeframe and drill down, what they did (possibility to group by host, protocol, etc.)

What I am currently evaluating is:

- ntop - Does not really provide good historic data

- Scrutinizer - Has some problems, but seems to be quite good. Pricing seems steep

- ManageEngine Netflow Monitor - VERY limited

Is there anything, you can recommend?

Thank you and best wishes!

ITStril



Is there a device that can allow me to update videos remotely in my offices?

Hi there! Apologies in advance if this is not the correct sub - it seemed like the best fit after reading the rules, but if not it can be removed.

Part of my job is to create and update the videos that we play on our office waiting room televisions. Generally, these updates are monthly, and require me to drive around to our 3 local offices to plug in the fresh USB drives to the video players attached to each waiting room's TV. It's not too much of a hassle, since the offices are nearby and it takes me just an hour to do all three, but I figure that if I can save myself the time then I should!

Does anyone know of a network device that could potentially hook up to our office's/company's internet and allow me to update these videos remotely from the HQ office I work at? I figure that there has to be something like that out there, but Google is misunderstanding my searches and keeps giving me answers for streaming and casting, like screen-mirroring stuff.

Any help is appreciated. Thank you!



Remote job help

Hello everyone so I’m currently a cybersecurity student and I’m likely about to move to the outer banks because my girlfriend is getting a job there. I know the job market there isn’t great because it’s mostly seasonal but I need to get a job while I’m there but I’m still a student so I don’t have a bachelors at the moment. I have an associates degree and no professional experience so I’m worried about finding a job. I’m willing to start low on the totem pole at help desk as long as I get a job I’m just not sure anywhere would hire me remotely with no experience. I was wondering if anyone has some advice for me or could possibly help me out in finding a remote job. I also would be willing to have a mentor that can push me forward and so I can have someone I can ask questions. Any help would be great. Thanks everyone!



G4 Dome Anti-Theft Ideas?

Hey all,

I have a bit of an issue that I'm trying to find a solution for, and I just wanted to see if any of you have experienced a similar issue.

I'm outfitting a small office building with Unifi Protect. I'm putting 2 G4 Domes in the parking garage, but the parking garage has a low ceiling, making the G4's essentially accessible by hand.

Is there any way I can better secure the camera to the ceiling? Maybe a Junction box above the dome with a cable inside of it secured to the dome?

Thankfully I don't really live in a high-crime area, but there is still a risk of kids thinking it's funny to run away with the camera, and then I'm back to square one in this tech shortage we are all facing.

Any advice is much appreciated. Thanks!!



IT inventory tool?

Hi. I want to know what software do you recommend for IT Inventory (routers, printers, Apps, etc.). I would love to have a centralized view of my entire IT infrastructure, including physical and logical topology. Firmware version and stuff like that would be great. I have experience with ITSM by ITOP, but I am just wondering what other options could be beneficial too.

Thank you.



WAN Attacks is it just whack-a-mole?

I'm wondering if anyone could provide suggestions on best practice design or offer some practical advice on how to proceed with an issue I'm having.

We have a Cisco 5515 ASA as our WAN firewall; the entire enterprise, consisting of 20 or so satellite offices, connects to the INET over MetroE through our DC, and we have a few IPSec tunnels and a DMZ link as well.

The problem is we are constantly being DDoS attacked, which brings the performance of the 5515 to a crawl, impacting services to our internal networks. Our solution is to block those IPs on our edge routers by adding an ACL, which only then normalizes the FWs.

My question is: is this our only resort, to block the attackers via ACL on the edge router? Is this the best design for our enterprise? It just doesn't seem very efficient that we operate this way!

Any recommendation greatly appreciated!

```
      ISP1                   ISP2
       |                      |
       |                      |
       |                      |
   PublicIP/30            PublicIP/29
      R1----------HSRP--------R2
       |                      |
       |                      |
   PublicIP/30                |
      FW1---------HA----------FW2
```



Wireless bridge eating away frames

Hi folks,

I am having a weird issue with one network. A print server loses connection to the printer if it is over a wireless bridge. But if the server is running a constant ping to the printer, it works no problem. It looks like the following:

|Print-Server|-----|Switched-network|-----|AP| ))) |AP|-----|Switch|-----|Printer|

I mirrored the respective access ports on both ends and sniffed the traffic from the server and the printer. Somehow, the TCP packets leave the server but never arrive at the printer if the ping is not active (it also works for the first few seconds after we turn off the ping).

We have also tested it without the WLAN bridge and all the packets arrive fine. It is obviously something in the bridge causing the problem, but I have no idea what to look for. Other services/hosts connected to the remote switch do work without an issue. I would like to sniff the APs' ports as the next step, but haven't had the chance yet.

We are using UniFi switches and APs with some old Cisco switches that will be replaced soon. We are able to replicate the issue in a lab environment with just 2 switches and 2 APs. If we remove the APs, the problem goes away.

Do you guys have any idea what may be causing the problem? Or what I am actually looking at here?

Thank you very much in advance.



Access webadmin from different VLAN

Cisco SB200 managed switch is on a network with IP 192.168.1.2 and VLAN 1. It’s connected to a Ubiquiti dream machine pro which has a built in VPN server that assigns 192.168.3.x addresses for those users. It does routing between them. I can see every phone, printer, and pc on the network and fully access all the devices from my VPN connection EXCEPT the Cisco switch. It doesn’t respond at all unless I’m on the 1.x subnet. I see in the admin screen that it asks for a management VLAN and that is set to 1. Is there a way to allow an additional VLAN to login to it, or maybe ALL VLANs to login? It’s a small private company so I’m not worried about others gaining access. Just that I can’t gain access myself without utilizing one of the PCs through Remote Desktop.



Benefit of Azure training within the industry?

Hello all,

I hope this is not a violation of Rule 5. I'm a CCNA studying for the CCNP, working in a senior network admin position. An opportunity has presented itself to me via my company for free Microsoft-taught Azure training with certificate vouchers.

I'm wondering how beneficial this would be for me to invest time into? My location is definitely more than a few years behind on tech (DOD branch) so it has no utility at the moment.

Is the civilian side seeing a big pickup on Azure and other cloud networks?

Any opinions appreciated.