Saturday, August 21, 2021

Why can I access shared wifi with only 1 device?

So my setup is kinda weird. I have a router that has internet and another router that doesn't. I connected both routers with a LAN cable. Now when I connect with my phone I cannot connect a second device. My plan was to extend the range of the main router.



Advice about NetAnalyzer Pro

I'm new to the world of networking and I've been using the NetAnalyzer app for a while now, so I want to know if it's worth paying for the pro version of it.



Connecting two nexus pairs both in their own VPC domain....full mesh?

Hi all,

Just wanted to get everyone's thoughts here on the best way to go about this. We have recently added a new set of Nexuses (in a vPC) that are going to be used pretty much for 1 use case (large amounts of NFS storage). Only one network will live on this switch.

My current plan is to uplink these switches to our pair of 9ks used for core routing. I'm planning on running 4 100G QSFP28 links in order to fully mesh the two switch pairs and put all 4 links in the same port-channel. As it stands this new switch pair just has the storage VLAN on it (each storage node connects to the new 9k pair using a vPC) + the storage VLAN SVI. On the core there is another VLAN+SVI that is used for BGP peering with our core firewall... both of these SVIs/VLANs will be in their own VRF.

Just wanted to get others' thoughts on how they would handle the design of something like this. 400GB is not required and certainly overkill for the time being, but this will need to be very highly available NFS storage with the best throughput possible (multiple petabytes and growing).

Is full mesh between 9k vPC pairs needed or am I just wasting ports? Any things you would personally change about the design? I've considered ditching the SVI and doing it from the actual port but I'm not familiar with L3 "port channels". Just a bit of a network newb looking for opinions.



Looking for MSM460 cim.startup file J9590A

I bought a bunch of MSM460 APs on ebay and while trying to set them up in autonomous mode, I guess whoever used them last used them with a controller, so they no longer have the image required to set them up that way. I can't download them from HP because I don't have a license with them I guess and they like to lock their shit down... greedy bastards...

Anyway, I hope somebody on here has the firmware files for this.

Thanks.



Latency of SFP+ with 10G base-T module vs 10Gbase-T nic

Hello everyone

I am soon getting multi-gig fiber optic and I was shopping around for a NIC capable of handling the 2.5gbit connection in. The only issue is that the provider (Google Fiber) is requiring the use of their ONT. I was looking at getting either the Intel X550T2 (RJ-45) or X520-DA2/SR2 (SFP+) for a pfSense box. I was reading this article from fs.com about the difference in latency between RJ-45 and SFP+ DACs. I know that DACs provide the lowest latency, but I was wondering if there is a difference in latency with a NIC that has native RJ-45 ports vs getting an SFP+ 10GBase-T adapter. My guess is having an SFP+ 10GBase-T module for WAN in, then a DAC out to the core switch, would provide the lowest latency, but I wonder how much latency that adapter adds compared vs native RJ-45. Do you think it is comparable to the latency that a fiber optic SFP+ module adds?

Thanks for any input.



Help with subnetting for a beginner?

Hey guys! So I was recently given an assignment and I'm struggling greatly with it. There's a bunch of other info, but the only thing that's really giving me trouble is a part involving subnetting.

The assignment says to assign internal IP addresses from the range 10.1.0.0/16 among two internal networks. Now, I basically have no networking experience but I really want to understand, because my first thought is to try and subnet this IP into two different networks and assign the IPs from there, but the CIDR notation seems to indicate a class B address while the one listed is a class A.

I may be just completely misunderstanding the assignment from the get-go, but I'm trying hard to see if there is something here that I am just not getting right, and wondered if you guys could help. I'll answer any questions you have, and I appreciate the help.
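As an added example (not part of the post or its assignment), this splits the 10.1.0.0/16 range into two networks the CIDR way and also reports the old classful letter, to show that the first octet no longer decides the mask: the /16 prefix does.

```python
# Added example: CIDR split of 10.1.0.0/16 versus the classful letter of the address.
import ipaddress


def classful_class(address: str) -> str:
    """Pre-CIDR classful letter, decided purely by the first octet (historical only)."""
    first = int(address.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def split_network(cidr: str, count: int):
    """Return `count` equal-sized subnets carved out of `cidr`.

    The new prefix length is the smallest one that yields at least `count`
    pieces: 2 -> one extra bit (/16 becomes /17), 3 or 4 -> two extra bits (/18).
    The prefix length in the CIDR string is the mask; the first octet is irrelevant.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    extra_bits = (count - 1).bit_length()
    new_prefix = net.prefixlen + extra_bits
    if new_prefix > net.max_prefixlen:
        raise ValueError(f"cannot split {cidr} into {count} subnets")
    return list(net.subnets(new_prefix=new_prefix))[:count]


def describe(subnet: ipaddress.IPv4Network) -> dict:
    """The values a host on this subnet would actually be configured with."""
    usable = max(subnet.num_addresses - 2, 0)  # minus network and broadcast
    return {
        "network": str(subnet.network_address),
        "prefix": f"/{subnet.prefixlen}",
        "netmask": str(subnet.netmask),
        "first_host": str(subnet.network_address + 1),
        "last_host": str(subnet.broadcast_address - 1),
        "broadcast": str(subnet.broadcast_address),
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    assignment = "10.1.0.0/16"
    print(f"{assignment}: classful letter {classful_class(assignment)}, "
          f"but the mask is given by the prefix: {ipaddress.ip_network(assignment).netmask}")
    for sub in split_network(assignment, 2):
        print(describe(sub))
```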



Internet connection lost when using Windows SSL VPN

I usually access my university's VPN network with FortiClient VPN. Recently I used a laptop with no admin rights so I couldn't install FortiClient and I tried the built-in Windows 10 VPN client. I had to install FortiClient from the store (no admin rights needed) to add SSL functionality and it worked and I could access my university's resources. The only problem is I can't access the internet. I can ping 8.8.8.8 for example but I can't ping any domain name. I am assuming it is DNS related but I can't figure out what exactly is causing the problem.

I tried unchecking the 'Use default gateway on remote network' option in my IPv4 VPN networking settings.

I tried manually setting the DNS server to 8.8.8.8.

I also tried setting manual metrics for both the VPN network (lower metric value) and my WiFi network (higher metric value) with no luck.

I have been struggling for a while so any help is appreciated.



Trying to segment traffic for staff vs public

Hi.

I've created a Netgear Switch/AP network at a local non-profit. I've got 1 public SSID that is from the default configuration. As of today, all traffic is on that SSID (across many AP's and the several switches).

Given COVID, the staff now wants to do in-person and remote events at the same time (Zoom sharing the in-person events). But when people come to in-person, they use the public Wifi and are significantly impacting the wifi traffic ... slowing things down to a crawl.

We can't turn off the public wifi on those event days... and I was hoping there was a way to create a second wifi network that has a better QoS. So I went down the path of creating a VLAN that had a QoS of 7 and a dedicated WifiSSID. But then I see that ports on the switch can only have one VLAN ID configured at a time... which would be fine if I wanted to have more AP's.

But I can't.

So... is there a way to get what I'm after given the hardware we have? I had hoped there was a way to simply create a WifiSSID that had a higher QoS. But that doesn't seem to be.

Help? Thanks!



How does routing traffic between interfaces occur?

I wanted to understand how the traffic is routed between two interfaces if they are on the same IP subnet.

For instance, I've a Windows VM with two interfaces. The first interface is connected to a DC (virtual network, no internet) and the other to the internet (home router), and they both are on a 192.168.0.0/24 network.

How does the computer know which interface to use to send the traffic? I'm able to ping my DC and reddit successfully.



Creating a subnet on public wifi

Hey guys, currently going to college and want to use AirPlay/other casting features that are disabled on their network. My idea was to connect my laptop to their network then use the mobile hotspot function to AirPlay. This allowed me to connect my device to my tv with AirPlay, but I do not have any internet. Any ideas?



Can I use a router as a wired wifi repeater?

Is it possible to use a wifi router as a repeater by plugging the WAN port of one to the LAN port of another? I tried googling it but everyone is explaining it for a wireless setup.



Cambium Wifi - cnPilot Mesh functional as "cheap backhaul"?

I'm evaluating alternatives to Unifi. Cambium came up in a few posts here and I started taking a closer look.

Question in short:

Does using E505s as mesh bridges allow me to bridge two networks and keep using cnPilot and cnMatrix devices in both locations and managing them in one cnMaestro environment?

More context:

One feature I can't figure out from the docs: Unifi is happy to automatically establish AP to AP backhaul if needed and then bridge all the traffic behind this AP (switches, other APs) back to the central location. This helped me out a few times when someone cut a fibre in the building or when users pull out cables. \o/

I'm also looking into a setup where we want to do outdoor wireless and might want to connect a second building that's over the street and quite close. I wonder whether this needs the PTP equipment or whether a simple setup using E505 as a mesh bridge would be sufficient. It doesn't have to be super high performance – a 5GHz link with something like 500mbps in this situation should be more than ample.

In case anyone has Cambium experience with this: running a mesh bridge allows regular clients to connect to both Mesh-APs, right? I would expect this, but I'm so used to "surprises" that I'd rather ask ... :)

I haven't touched PTP stuff before and found the product overview a bit confusing, but that's maybe just me not having experience with it.



Is there a reasonable way to add CEs for CCNP (Enterprise)?

I see that there are three options to add CEs (test out, take courses, author questions), however if I only want to take a course they are like $1800. There has to be another way. Excuse me if this has been posted before, if so please direct me to that post.



MGRE tunnel bandwidth

I'm working an issue where an entire remote office is experiencing extremely slow internet. Users state this has been happening for a long time but now it's just difficult to get any work done from the office. Traceroute shows the latency kicking in after the traffic leaves the router. This is part of a hub-and-spoke topology. Didn't see anything that stuck out as an issue between the edge switch and the router. Checked tunnel configuration and remote site bandwidth is set to 1536 while other spoke tunnels are set to 10000. Could this be a cause for concern or am I looking in the wrong place? If so, and bandwidth is changed, do I need to shut/no shut the tunnel for the change to take effect? Any help is greatly appreciated 🙏🏾!



Dante audio over layer 3

Has anyone had any luck with a Dante audio network spanning multiple VLANS? I'm trying to go with a fully routed network design, but this causes issues because Dante is primarily layer 2 (even though technically it is layer 3, it won't natively route).

I know Dante Domain Manager can do this, but is there an alternative? I would think I would just have to do some PIM routing for the mDNS discovery and PTP clocking. Has anyone successfully done this? Or should I just try extending layer 2 over 3 with VxLAN?



Fluke testIQ reports failures at 10G

I hired a tester to narrow down where a cable fault was, which it did, but now I'm also finding that all the other working structured cabling is also failing at 10G with a cable length of just 15m.

How do I narrow down what the cause of the 10G failures is?

Cable is Cat6 https://www.comms-express.com/assets/specs/UTPS6.pdf



Help in understanding QoS (Cisco)

Hi all,

Beginner here. I've started studying QoS on Cisco routers very recently and below is what I've understood. Kindly correct any wrong statements and add more to further help my understanding.

  1. Tx traffic. Without WFQ or CBWFQ enabled, there will only be one queue (default class). Packets processed by the routing processor get placed on this queue. A queue is a set of memory locations in memory (RAM/dedicated IO memory?). If the Tx interface is congested (more packets to be transmitted than the physical interface can transmit in a given unit of time), packets get placed in the aforementioned queue. If there is no Tx congestion, packets will bypass the queue and will be directly serialized on the physical interface.
  2. Tx traffic. If CBWFQ is used, there will be a queue per class map (traffic class). A class can be assigned with a bandwidth value, which theoretically, all classes collectively, must add up to the total bandwidth value of the interface. The weight per class is calculated by the router using the previously assigned bandwidth value.
  3. Tx traffic. If CBWFQ is used and there is no congestion, packets will still be put into the queues by the scheduler.
  4. Tx traffic. If WFQ or CBWFQ is used and the Tx interface is congested, packets coming from the routing processor are sent to the respective queue using a scheduler (is this the case?). Therefore, WFQ and CBWFQ can be considered as a part or whole of the scheduling mechanism itself. The rate of distribution of packets into the queues is based on the weight of each class. When traffic exits the queue to be propagated on the physical interface, again the scheduler decides at which rate packets are serialized on the interface using the scheduler (is this the case?). Basically, does Tx scheduling happen between the routing processor and queue, between the queue and Tx ring or both?
  5. Tx traffic. Regardless of being queued or not, packets get placed on a dedicated Tx ring buffer (separate memory from RAM) before actually being propagated on the physical medium. Filling up the ring buffer is what truly means by 'congestion'. The ring buffer operates as FIFO and the mode can't be changed. Therefore, the only way to manipulate the rate at which certain classes of packets get propagated on the wire is through queuing.
  6. Tx traffic. The LLQ queue bypasses the scheduler and therefore has a possibility of 100% link utilization unless a maximum bandwidth is configured (policing).
  7. Tx traffic. When the ring buffer is full and WFQ or CBWFQ is present, a dropping algorithm (tail drop, WRED) drops packets in the queue. Does it drop packets from the ring buffer as well? If the ring buffer is full and WFQ or CBWFQ is not used, tail drop is used on the default queue (default class).
  8. Tx traffic. Shorter queue depths equate to less time spent in the queue but higher taxation on the routing processor. Why is that? What is the goal of changing the Tx ring buffer size if queue depths can be configured?
  9. QoS is usually implemented on egress traffic (I am yet to see configuration guides for ingress traffic).
  10. On a router, is traffic marking usually done on ingress LAN gateway interfaces (ingress policy map per interface) or on the egress interface going towards another router (single egress policy map)?
  11. Rx traffic. After a packet is received on a physical interface, it gets placed onto a dedicated Rx ring buffer (separate memory from RAM) using FIFO (which can't be configured). If an Rx buffer becomes full, it is known as congestion. If WFQ or CBWFQ is not configured and there is congestion for ingress traffic, packets will be placed in a default queue and will be tail dropped. If CBWFQ is configured, packets in the traffic classes will be dropped using tail drop or WRED. Is traffic from the Rx buffer dropped as well?
  12. Rx traffic. If CBWFQ is enabled and there is congestion on ingress traffic, packets will be sent from the Rx ring buffer to the queues using a scheduler based on class weight. Packets will also be sent from the queue to the routing processor based on the class weight.
  13. Rx traffic. If CBWFQ is enabled and there is no congestion on ingress traffic, still, packets will be sent from the Rx ring buffer to the queues using a scheduler based on class weight. Packets will also be sent from the queue to the routing processor based on the class weight. Basically, does Rx scheduling happen between the Rx ring buffer and queues, between queues and the routing processor, or both?
  14. Rx traffic. The LLQ queue bypasses the scheduler and therefore has a possibility of 100% link utilization unless a maximum bandwidth is configured (policing).
  15. I couldn't find the command to change the Rx buffer size. However, the queue depth for ingress traffic can be changed. Does the Rx ring buffer need to be adjusted?
  16. PQ and CQ aren't discussed since I still haven't touched them.

Sorry if this was too exhausting (I still have a list, probably for another day). There seems to be misinformation regarding the inner workings of QoS all over the web. I just want some clear answers.



Freeradius Detect Phone Clients

Hi,

I want to detect phone clients with freeradius and assign a different VLAN to them.

So far, I use this policy to assign a different VLAN based on NAS_IP (in the default file, section post-auth):

```
# unlang in sites-enabled/default, post-auth section:
# only clients authenticating through the NAS in 172.30.48.0/24 are affected
if (<ipv4prefix>&NAS-IP-Address < 172.30.48.254/24) {
    # only rewrite the pre-configured VLANs in the 200-207 range
    if (&reply:Tunnel-Private-Group-Id[0] <= "207" && &reply:Tunnel-Private-Group-Id[0] >= "200") {
        update reply {
            Tunnel-Private-Group-Id := 225
        }
    }
}
```

with this policy, I can change the pre-configured vlan for clients based on their locations.

Now what I want to do is somehow detect the clients whose operating system is Android or iOS.

Is there any way that I can do this with freeradius?

Is there any attribute like NAS_IP that I can use in order to detect the client operating system?



Routing connection?

Sorry in advance if this is the wrong place to ask!

Without using ExitLag I get ping spikes and consistent 5 to 20 percent packet loss; when I do use it I get about 40 ping with no packets lost. Is there any way I can route my connection (preferably free)? ExitLag seems like my only option but it's a bit pricey imo. Tia!



Friday, August 20, 2021

The UK's Public Switched Telephone Network will be switched off in 2025

No pun intended.

I read that the UK will switch off its PSTN (or POTS) in 2025. I don't know if it'll be the first country to do so, but that is quite a bold move that will hopefully pay off in the long run.

However, the copper telephone wiring will remain, so it can be used for DSL internet.

Maybe some Brits can chime in, but I thought the UK had already switched to all VOIP. I thought all telephone analog lines were basically plugged into the internet already, and using telecoms' IP networks.

So if I'm understanding this correctly, right now your home landline in the UK is basically like plugging a headset into your computer with a 3.5mm jack and then using it to talk on Skype with a virtual number. Except the cable is really long and plugged into a computer at the telephone exchange (CO). And you're limited to 8 KHz/8-bit 64 kbps with G.711.

And what they'll do in 2025 is unplug all of these "audio" cables (they'll keep them plugged into DSL equipment), and just make you use your own internet (e.g. the DSL service they sell you) to connect your "landline" to. So it's literally the same as plugging your headset into your computer and talking on Skype, except your headset looks like a telephone. And of course the software now has control over the codec and bandwidth, so you can get better audio. And hopefully ISPs will prioritize VOIP traffic if you use their dedicated service.

Am I getting this right?

And are there current plans for the US to do that or any other country? I can't find any information.



Thoughts on name brand vs off-brand SFP modules

I'm having a hard time wrapping my head around the cost difference between [off brand website] SFPs and (for example) Cisco's gear. If one was 10%, or even 50% higher, I could do some mental gymnastics and get it, but [off brand website] is like $20 for a 10GB SFP, and Cisco wants like $600 (SRP, so call it half that, on average.)

Which is your preferred option and why? Are the cheapies just fine as long as they work? I know SOME hardware won't let you use off-brand modules, but assuming that's not a problem, would you rock them? Why or why not? I know there's a "get what you pay for" sentiment here as well, but if they pass traffic, what's the difference? Failure rate comes to mind as one reason people might shy away, but I inherited a bunch of no-name SFPs in production and I haven't had to touch them any more or less than Cisco branded modules.

So then, cheap off-brand SFPs or hardcore OEM only?

Apologies if this violates any rules, I looked at the sidebar and I believe this post falls under enterprise design and/or best practices.



Network design recommendation 10GbE or not

Hello!

I need your expertise designing a small/medium branch.

- 250-300 devices
- North-South traffic mostly (our applications are hosted in our private data centers)
- Top business apps last 30 days:
  - microsoft.com
  - Office 365
  - SharePoint
  - YouTube
  - Windows file sharing
  - Teams
- 1Gbps Internet circuit + 40Mbps MPLS
- We will buy 9x PoE C9200L access switches for PCs, printers, cameras, APs, phones, etc. Main room will have a stack of 7, satellite will have a stack of 2. 3-4 VLANs probably
- We will also buy 2x Meraki firewalls in HA to integrate with our SD-WAN solution

Now I have a few questions concerning the architecture itself, whether we should go 10GbE or not. We will run fiber between the satellite and the main room.

Should we buy the MX95's and connect both stacks to them with 10GbE SFP+ ?

Or we can buy the MX85's and connect both stacks with 1GbE SFP.

Last option would be to connect the satellite stack to the main stack in a port channel (1 or 10GbE) and have a single egress point to the Meraki's.

I know that going from 10GbE to 1GbE can cause output drops but we can play with the buffers as per :

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9300-switch/216236-troubleshoot-output-drops-on-catalyst-90.html

If we decide to skip the 10GbE ports all around we will save money on the C9200 and on the firewalls.

Thoughts?

Thank you



Meraki Rogue AP detection question?

After having read this blog post: https://meraki.cisco.com/blog/2017/09/rogue-access-point/

I have got my head around it somewhat but still have some questions and some clarity needed on the subject, this is what I've summarised so far:

When Meraki AP's try and detect a rogue AP, they look for traffic that is “seen” on the LAN meaning that other legitimate AP's have received a broadcast frame from it via the Meraki AP VLAN and is broadcasting SSIDs that are visible to the APs that make up the corporate wireless infrastructure.

In order for a Meraki AP to classify an SSID and AP as rogue, the MAC addresses of frames on the wired side of the corporate APs are listened for in the enterprise VLAN the Meraki AP's are on. If the wired MAC and the broadcast BSSID MAC of the SSID from an AP match on the 3rd and 4th bytes of the MAC addresses and the rest of the bytes differ by 5 bits or less, then the AP is classified as rogue. This comparison is achieved by applying an XOR (comparing MAC addresses in binary) to both the wired MAC address and the BBSID MAC address from the AP.

After I read that, I think to myself, okay I get it, but why? I ask myself too. Why 5 bits or less? I would've thought the more bits (meaning the more different a MAC address) would've been more positive? Why is this criteria, when matched, classed as a rogue AP? Might seem stupid to ask but again, it's something that I'm currently thinking about after reading it.

"(typically wired and wireless MAC addresses are contiguous)": not too sure what this means when mentioned in the article?

Thanks for all the clarity and help here everyone.
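As an added example (not Meraki's code, and not from the post), here is the matching heuristic exactly as the post summarises it, run over constructed wired MACs and BSSIDs so you can see which pairs it flags and why a small bit distance is the signal.

```python
# Added example: the rogue-AP heuristic as described above (bytes 3 and 4 must match,
# the other four bytes may differ by at most 5 bits), with constructed sample data.


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' and return 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return raw


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance: XOR the two values and count the 1 bits."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def _outer_bytes(mac: bytes) -> bytes:
    """Bytes 1, 2, 5 and 6, i.e. everything except the two that must match exactly."""
    return mac[0:2] + mac[4:6]


def is_candidate_rogue(wired_mac: str, bssid: str, max_bits: int = 5) -> bool:
    """True when the BSSID looks like a radio belonging to the wired device.

    The 3rd and 4th bytes (indices 2 and 3) must be identical; the remaining
    four bytes may differ by at most `max_bits` bits in total.
    """
    w, b = mac_to_bytes(wired_mac), mac_to_bytes(bssid)
    if w[2:4] != b[2:4]:
        return False
    return differing_bits(_outer_bytes(w), _outer_bytes(b)) <= max_bits


def match_bssids(wired_macs, bssids, max_bits: int = 5):
    """Pair every BSSID heard over the air with any wired MAC it resembles.

    Returns a list of (bssid, wired_mac, bits_differing) for matches only.
    """
    matches = []
    for bssid in bssids:
        for wired in wired_macs:
            if is_candidate_rogue(wired, bssid, max_bits):
                w, b = mac_to_bytes(wired), mac_to_bytes(bssid)
                matches.append((bssid, wired, differing_bits(_outer_bytes(w), _outer_bytes(b))))
    return matches


# Constructed sample data (not real devices). Many APs derive their BSSIDs from the
# wired MAC by incrementing the low byte or flipping the locally-administered bit,
# which is what "contiguous" refers to: the wired and wireless addresses of one box
# are only a few bits apart, so a LARGE distance means a different device, not a
# stronger match.
WIRED_MACS = ["00:18:0a:12:34:50", "3c:a8:2a:77:88:10"]
SEEN_BSSIDS = [
    "00:18:0a:12:34:51",  # wired MAC + 1: 1 bit differs -> flagged
    "02:18:0a:12:34:50",  # locally-administered bit set: 1 bit -> flagged
    "00:18:0b:12:34:50",  # byte 3 differs -> never flagged, whatever the distance
    "ff:18:0a:12:34:50",  # 8 bits differ in byte 1 -> too far, not flagged
    "3c:a8:2a:77:88:1f",  # 0x10 vs 0x1f = 4 bits -> flagged
]

if __name__ == "__main__":
    for bssid, wired, bits in match_bssids(WIRED_MACS, SEEN_BSSIDS):
        print(f"BSSID {bssid} resembles wired {wired} ({bits} bit(s) apart)")
```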



Straight Through/Crossover

Straight-Through: Used for dissimilar devices.
e.g. Router to hub, computer to switch

Crossover: Used for similar devices.
e.g. Router to Router, Computer to computer.

Why does a computer to a router use a crossover cable? Aren't they dissimilar devices (theory only)?
In the real-world there will be Auto MDI-X/Auto translation going on.

TIA



How can a NIC (the network card in my PC) obtain an IP from the DHCP server in my router?

> I don't know if it's the right place to ask this.... Don't blame me, point me to a different subreddit if this is the wrong place

When the PC starts, my network card knows only its burned-in MAC address, right?

And has a physical cable attached to it.

Is the network card itself (a part of firmware in a chip) that asks for a DHCP [layer 1]?

Or is something software (driver, so tcp/ip stack, what else...) [layer 2/3] ?

I ask you because I am curious: the NIC doesn't know anything about the network.

What system does it use to ask for a DHCP?

Does it 'shoot out' in the cable something like "I need an IP!!!"?

If yes, what is the protocol?
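The message a host sends when it knows nothing but its MAC address is a DHCPDISCOVER (RFC 2131), built by the operating system's DHCP client rather than by the NIC's firmware (PXE boot firmware is the exception). As an added example, not from the post, this builds that broadcast payload and parses it back; the MAC and transaction id are constructed values.

```python
# Added example: the DHCPDISCOVER a client broadcasts, per the RFC 2131 layout,
# with a parser for the fixed header and TLV options.
import os
import struct

BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # 236 bytes: op .. file
DHCP_MAGIC = b"\x63\x82\x53\x63"              # marks the start of the options
OPT_PAD, OPT_MSG_TYPE, OPT_PARAM_REQ, OPT_END = 0, 53, 55, 255
DHCPDISCOVER = 1
# The frame carrying this goes to Ethernet ff:ff:ff:ff:ff:ff, from IP 0.0.0.0
# to 255.255.255.255, UDP port 68 -> 67: the client has no address yet, so the
# only thing it can do is shout on the segment and let a server answer.


def mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return raw


def build_discover(mac: str, xid=None) -> bytes:
    """Return the UDP payload of a DHCPDISCOVER for the given client MAC."""
    if xid is None:
        xid = int.from_bytes(os.urandom(4), "big")  # transaction id chosen by the client
    header = struct.pack(
        BOOTP_HEADER,
        1,                                 # op = BOOTREQUEST
        1,                                 # htype = Ethernet
        6,                                 # hlen = 6-byte hardware address
        0,                                 # hops
        xid,
        0,                                 # secs
        0x8000,                            # flags: BROADCAST, reply by broadcast too
        b"\0" * 4,                         # ciaddr: client has no IP yet
        b"\0" * 4,                         # yiaddr
        b"\0" * 4,                         # siaddr
        b"\0" * 4,                         # giaddr
        mac_bytes(mac).ljust(16, b"\0"),   # chaddr: the only identity the client has
        b"\0" * 64,                        # sname
        b"\0" * 128,                       # file
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
        + bytes([OPT_PARAM_REQ, 3, 1, 3, 6])   # please include subnet mask, router, DNS
        + bytes([OPT_END])
    )
    return header + DHCP_MAGIC + options


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed header and options of any DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    fields = struct.unpack(BOOTP_HEADER, payload[:236])
    op, _htype, hlen, _hops, xid, _secs, flags = fields[:7]
    chaddr = fields[11][:hlen]
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2 : i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "broadcast": bool(flags & 0x8000),
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "msg_type": options[OPT_MSG_TYPE][0] if OPT_MSG_TYPE in options else None,
        "options": options,
    }


if __name__ == "__main__":
    pkt = build_discover("00:11:22:33:44:55", xid=0x1234ABCD)  # constructed values
    print(len(pkt), "bytes:", pkt.hex())
    print(parse_dhcp(pkt))
```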



How are you guys managing switchport and VLAN settings from Ansible or similar orchestrators?

I've got around 200 IOS switches and routers that I'm managing through Ansible. At this point I've got almost all of the global settings managed. This includes TACACS, RADIUS, logging, domain name, NTP, SNMP, etc.

But what I can't figure out is how to manage the VLAN settings on individual switchports from Ansible in a way that is easier than just doing it on the switch itself.

The first thing that comes to mind is that I could have a host_vars file per switch stack with the VLAN IDs, a default VLAN ID for the "most used" VLAN, and a list of switch ports that need to get assigned to the other VLANs. But this just seems really cumbersome.

Also, our switchport assignments are completely random. So I can't say, as a policy, "all switchports 40-48 are for IoT" or something to that effect. The assignments are just all over the map from technicians at the various offices just plugging things into the first switchport they see.

So I'm wondering, for those of you that have gotten to the point where you manage your switches 100% from Ansible or something similar - how do you manage switchport VLAN assignments?



Cisco Transport Planner Internal Connections, how can I control the port configuration?

Hello, I am working on adding a new site in CTP and I've been lucky to have a very similar site to essentially copy config from in my file.

However, most of the options are set to auto on the similar site, so when I set the same options on my new site I'm getting inconsistencies with the config.

The Shelf should map:

TNC-E Card in Chassis 1 Slot 1 to SMR2-C in Chassis 1 Slot 2,

and

TNC-E Card in Chassis 1 Slot 8 to SMR2-C in Chassis 1 Slot 7.

But it's configured itself to have the TNC-E in Chassis 1 Slot 1 for both SMR's, even though there is a TNC-E installed in Slot 8.

I can't seem to find any options to edit this configuration, any help is appreciated.



Cisco Meraki switch stack startup?

Hi, I'm going to be doing a job later on today that will involve racking and booting up 2 Meraki switches and then putting them into a switch stack with uplinks to the distribution layer.

Everything on the Merakis has been pre-configured in terms of the DHCP reservation, access port VLANs, uplink ports both ends etc...

I'm just wondering about the process of what's best to get them on, on the dashboard and then in a stack. I have been thinking that I should put in the 2nd uplink after the first Meraki switch has come up, so do them separately, let them both pick up their DHCP addresses and then put in stacking cables. Maybe delete the port-channels as well both ends now and then once both switches have addresses, put in a stacking cable and create the port-channels again?

Thanks all, I come from a Cisco IOS background for the most part, with a splash of Juniper too, so I'm just wondering what the best way to go about this would be?



Intel vs Atto cards on windows

Hello,

For 25GbE performance, in your experience, is there a huge difference in the Atto cards vs Intel? Use case would be large file transfers between Windows 10 PCs. SFP+

Thank you!



Struggling with networking

Hi guys and girls :) I am at school, trying to learn networking and stuff. These days I am doing one of several hand-in assignments. No time limit, but at the end of the year I have to do a final test over 5 days. And if I pass, I will get a certificate of apprenticeship.

Anyway, I don't understand this. Either I am too stupid, or the teachers don't explain it well enough, or both. Therefore I chose to reach out to you guys. I have some questions that I hope you will answer. Thanks in advance :)

P.S: Sorry for my garbage English

Network setup
Click the link to see my setup, with explanation
https://ptpimg.me/f928q6.jpg

I have two LANs; LAN1 and LAN2. The reason why I did it like this was to be able to control access between networks. The backup PC on LAN 2 has only one purpose, keeping backups from the server. No other machines than the server should have access to this. The server will push updates to the backup machine.

The server and all the PCs of the employees of this fictitious company are on LAN 1. The server is accessible to the employees.

I am using pfSense on a laptop that is my router. I have 2 USB Ethernet adapters (in addition to the built-in one which is connected to "WAN") connected to it, each of them set up as a LAN.

There may be easier ways, e.g. using VLANs or something. But I am not there yet. Still learning :)

Questions:

  1. When setting up firewall rules, does EACH of the LANs have its own firewall? Or does pfSense just make it look that way? Do all the rules end up in ONE firewall, controlling separate accesses? It makes more sense, but my teacher says that EACH LAN has its own separate firewall.
  2. If each LAN has its own separate firewall, how do I configure access? Do I allow OUTBOUND traffic from LAN1 or INBOUND traffic into LAN2? Or BOTH??
  3. Is there a better way to do this? Am I doing it wrong?

I hope you guys can help me understand this.



Thursday, August 19, 2021

Calculating PDU Power Draw

Can someone please explain how they got this answer (5kVA) in the simplest terms possible? I am having a hard time understanding this video and watched several YouTube videos as well as searched all over Google, but could find nothing, or when I did I was still confused.

A server technician is procuring and installing a single-phase rack PDU that will meet the following requirements:

- Maximum line current per phase: 30A

- Rated current per phase: 24A

- Maximum current draw: 6 x 16A

- Nominal voltage: 208V

Based on these requirements, which of the following can be implied regarding load capacity?

A. Purchase a PDU with a minimum load capacity of 2kVA.

B. Purchase a PDU with a minimum load capacity of 3kVA.

C. Purchase a PDU with a minimum load capacity of 4kVA.

D. Purchase a PDU with a minimum load capacity of 5kVA.

Answer: D



Question regarding traceroute/tracert - denied traffic

I spent a good amount of time looking for the answer to this specific question but it was not clear to me. maybe someone can answer:

When using traceroute/tracert, if I am unable to reach my destination and it appears my traffic is being dropped/denied along the way, is the last IP address shown in the output the device that dropped/denied my traffic or the last device that let the traffic pass? I presume it is the latter as the device that drops/denies would not send a response (and not have its IP logged) but I just wanted to verify as that has different implications (the latter being much less useful).



Documentation stores

To pick your brains:

What're you all using for documentation / procedure storage & publication?

More to the point, what are you using that doesn't suck?

I'm coming into what is distressingly close to a greenfield situation, and the tools that exist at the moment are a SharePoint environment and a couple of different wikis.

What's awesome out there that I should be looking at?



I'm considering purchasing a CompTIA Network+ practice exam. Suggestions?

Greetings all. I found this resource for a practice exam I'm considering buying. Can anyone attest to the provider or the quality of the tests that Edusum provides?

If not, what are some other resources for practice exams that I should note? I am inclined to pay for full-fledged practice tests.

Currently, for the free method, I'm using ExamCompass to practice my knowledge, but I want to experience a full randomized test so that I can gauge where I'm at.

Thanks all.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



A fast way to migrate from Junos 12.x to 18.x

Hello,

I would like to know if any of you have a way, with a script or preferably with Ansible, of migrating full configs from 12.x to 18.x.

I have to replace a lot of EX3200s with EX3400s, and some of the syntax is different.

Maybe someone has done this many times and could share some info on this?

Thank you!



VyOS 10Gb+ performance?

Has anyone benchmarked VyOS at and beyond the 10Gb mark in the newer versions that implement XDP?

The results I see online suggest that xdp should make for some tremendous improvements, but I don't currently have any hardware to test this with.



Small sub-10 port managed switch with copper and SFP ports

I am looking for a small portable managed switch with at least 2 SFP ports and a few copper ports. It will mostly be used as an in-the-field tool for packet captures, as a switch and for general troubleshooting. My work is a mix of copper and multimode fiber, and being able to easily interface and directly capture packets on fiber and copper links will be helpful.

I was looking at something like the EdgeSwitch 10, but I'd like a little more of a true managed switch. Unfortunately it is the only smaller switch in the EdgeMax line that has 2 SFP ports, but it has the greatly reduced feature set compared to other EdgeMax products.

Something that is easy to use is also a benefit. I will be working with other colleagues who might not be comfortable in the CLI, so a nice GUI is a plus. That is one of the main reasons I am looking at the EdgeMax line vs something from a company like Mikrotik.

Any suggestions would be greatly appreciated.

For the right price a small router would be great too. I am looking to keep it under $250 if possible. Used is also fine. I'd love a small Cisco L3 switch with 2 SFP ports and a few copper ports.



Are there headers other than radiotap and ieee80211 involved in wireless packets?

I am in the process of building an ieee80211 interpreter/sniffer in C but I am missing something. I get a raw packet over raw sockets in Linux (on a wireless interface, so 100% wireless packets), interpret the first few bytes as radiotap and determine from the length field in the radiotap header where the 80211 header starts, but the results are wrong. I tried using text2pcap to see the Wireshark interpretation to see what I am missing, but Wireshark only shows me an "Ethernet II" header with 2 addresses and a Type. So I have two questions:

  1. How can I tell wireshark to interpret my packet as 80211 with radiotap?

  2. Are there headers in wireless packets other than radiotap and 80211 that I am missing and are causing my 80211 header to have the wrong offset? (only the datalink layer; I don't care about IP and above)
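Two facts bear on the questions above. Wireshark shows "Ethernet II" because text2pcap writes link-layer type 1 (Ethernet) unless told otherwise; `-l 127` selects DLT_IEEE802_11_RADIO, the radiotap-plus-802.11 encapsulation. And a Linux raw socket only delivers radiotap+802.11 frames when the interface is in monitor mode; on a managed-mode interface the kernel hands up Ethernet-framed packets, which also produces exactly the symptom described. The following is an added example in C, not code from the original post: it parses the radiotap fixed header (version 0, little-endian it_len) over a constructed sample frame, locates the 802.11 Frame Control field at that offset, and refuses truncated buffers instead of reading past them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed part of the radiotap header: it_version(1) it_pad(1) it_len(2) it_present(4).
   Every multi-byte radiotap field is little-endian regardless of host byte order. */
#define RADIOTAP_MIN_LEN 8
#define IEEE80211_FC_LEN 2

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns the offset of the 802.11 header (== it_len), or 0 if the capture is
   too short, the radiotap version is not 0, or it_len is inconsistent with n. */
size_t radiotap_header_len(const uint8_t *buf, size_t n) {
    if (buf == NULL || n < RADIOTAP_MIN_LEN || buf[0] != 0) return 0;
    size_t it_len = le16(buf + 2);
    if (it_len < RADIOTAP_MIN_LEN || it_len + IEEE80211_FC_LEN > n) return 0;
    return it_len;
}

/* Decodes the first 802.11 Frame Control byte found at the radiotap offset.
   Returns (type << 4) | subtype, or -1 on error (bad radiotap header or a
   non-zero 802.11 protocol version). Type 0 = management, 1 = control, 2 = data. */
int ieee80211_type_subtype(const uint8_t *buf, size_t n) {
    size_t off = radiotap_header_len(buf, n);
    if (off == 0) return -1;
    uint8_t fc0 = buf[off];
    if ((fc0 & 0x03) != 0) return -1;
    return (((fc0 >> 2) & 0x03) << 4) | ((fc0 >> 4) & 0x0f);
}

/* Constructed sample (not a real capture): a 14-byte radiotap header whose
   it_present has the Flags, Rate and Channel bits (1-3) set, followed by a
   24-byte 802.11 data frame header (FC 0x08 0x02: type Data, subtype 0, From-DS). */
static const uint8_t sample_frame[] = {
    0x00, 0x00, 0x0e, 0x00,             /* it_version=0, it_pad, it_len=14 (LE) */
    0x0e, 0x00, 0x00, 0x00,             /* it_present=0x0000000e (LE) */
    0x00,                               /* Flags */
    0x0c,                               /* Rate: 12 * 500 kb/s = 6 Mb/s */
    0x6c, 0x09, 0xa0, 0x00,             /* Channel: 2412 MHz, flags 2 GHz|CCK */
    0x08, 0x02, 0x00, 0x00,             /* 802.11 Frame Control + Duration */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* addr1 (receiver, broadcast) */
    0x02, 0x11, 0x22, 0x33, 0x44, 0x55, /* addr2 (transmitter, constructed) */
    0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, /* addr3 (BSSID, constructed) */
    0x10, 0x00,                         /* sequence control */
};

int main(void) {
    size_t n = sizeof sample_frame;
    size_t off = radiotap_header_len(sample_frame, n);
    int ts = ieee80211_type_subtype(sample_frame, n);
    printf("radiotap length %zu, 802.11 type %d subtype %d\n", off, ts >> 4, ts & 0x0f);
    /* A truncated read must be rejected, not parsed past the end of the buffer. */
    printf("truncated to 10 bytes: offset %zu\n", radiotap_header_len(sample_frame, 10));
    return 0;
}
```

The length check against `n` is the part that matters for a sniffer fed by untrusted air: it_len comes from the frame itself, so a parser that trusts it walks off the end of the receive buffer.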



Mikrotik 10GBase-T RJ45 Copper SFP+ Link speeds

Hey guys. I have a Dell PowerConnect 8024F 24 port SFP+ switch. Most of my clients are 10Gig fiber, a few are 10Gig copper, but I have these new little quirky 2.5Gig USB NICs that are goddamn dirt cheap and making me tempted to re-NIC all my existing 1Gbps NICs if it didn't require some special switch that supports NBASE-T. I would have thought Dell / Cisco / Netgear / etc. would have been able to just push out some small firmware upgrade that allows the SFP and 4x RJ45 ports to link at 2.5 & 5Gbps along with the existing 10/100/1000/10000Mbps. It's driving me nuts that a slower tech is going to make me have to purchase a special (possibly) unmanaged workgroup switch. Then I read some post online that said the Mikrotik 10GBase-T RJ45 transceivers can actually link up at 2.5/5Gbps. Lo and behold, on their website the v2 model of the transceiver mentions 2.5/5Gbps on a 10GBase-T SFP. So I'm wondering if this is a special kind of SFP that is different than all the rest of the overpriced 10GBase-T transceivers that only link at 1000/10000Mbps? Will my Dell PowerConnect switch even support the 2.5Gig SFP if it does support that link speed? I find this whole multi-gigabit / NBASE-T specification to be a bit of a fustercluck if you ask me. Some mfgs support 2.5 while others support 2.5/5. I'm personally a bit insulted and disappointed with Dell. The 8024F switch is not a workgroup switch or even a smart / web switch. It's an enterprise grade Layer 3 switch with FCoE and iSCSI capabilities along with the layer 3 switching. It's a bloody router! The signalling mechanisms aren't physically any different in 2.5/5Gbps AFAIK. It's the same hardware more or less... Just slightly different firmware to handle linking at those 2 speeds. No?

TL;DR: WILL this (https://mikrotik.com/product/s_rj10) Mikrotik S+RJ10 10GBase-T *6 SPEED RJ45 transceiver* work with my Dell PowerConnect 8024F SFP+ switch to support linking up at 2.5 (or 5) Gbps, which is a newer Ethernet specification than the 1000/10000Mbps PHY speeds that the switch was designed with? Can an SFP bring added 2.5/5Gig functionality to my managed switch without having to buy a whole separate RJ45 switch that is super expensive, where I would have to decide upon giving up managed functionality or not depending on the price point, just to get a few 2.5Gbps clients connected?

While researching the proper part # of the Mikrotik SFP I came across this Marvell SFP (https://www.marvell.com/content/dam/marvell/en/public-collateral/transceivers/marvell-phys-transcievers-alaska-x-88x33x0p-product-brief-2018-01.pdf). It almost looks like Mikrotik ripped Marvell off by using their chipset, so maybe I was wrong about the physical part being different. Same questions about this SFP as the Mikrotik? Can I use it in my switch to get 2.5/5Gbps speeds?

Thanks!



Connecting an unmanaged 2.5Gbps Netgear switch to my Dell PowerConnect 8024F 10Gbps SFP switch

So this is a separate question that sorta relates to another post I made about 2.5Gig networking. I have a PowerConnect 8024F SFP switch. I need to connect around 4-5x 2.5Gig Ethernet NICs to the network @ 2.5Gbps. Obviously I would like a managed solution but none of them are within any form of affordable, and at the prices I'm seeing I might as well get 10Gig copper or just go all 10Gig fiber. EXCEPT there are a few units out there, all unmanaged of course, that caught my eye. I can't remember if it's TRENDnet or Netgear but there is an 8 port and a 5 port 2.5Gbps unmanaged switch. I also saw a 10 port one with 2x 10Gig SFP+ uplinks. The one with the 2x SFP uplinks would be ideal if it was managed.. I think.. Do I really need managed switches for this? I use VLANs for my ESXi environment. I would be connecting 2 Mac minis with 2.5Gig USB NICs running ESXi to these switches so I would want VLANs to work, but do I need the switch to handle that or can my existing uplinked 10Gig Dell PowerConnect switch handle all that for me? Further, how does it work if I were to get, let's say, a Netgear managed or smart switch capable of VLANs and connect it to my Dell switch? The Dell switch is an enterprise grade piece of hardware with a full blown switching/routing OS unlike the rinky dink smart switches... but the rinky dink switches seem to offer all that I really need anyway, which is just basic VLAN functionality. From the 2.5Gig switch all I need is the 2.5Gig link speed and for it to not strip the VLAN tag info off the packets when they're switched, I think.. Will connecting an unmanaged 2.5Gig switch work with ESXi/VLANs since I'm not asking the switch to do any VLAN routing.. Dell and ESXi will handle that.

Thanks! Stay safe y'all.. cheers.



Fortigate: extending/mapping a VLAN from one VDOM to another VDOM?

Hi Guys,

I have encountered a setup in which tags from a client, which were forwarded to Fortigate VDOM X, are somehow being forwarded again to another VDOM Y, but it seems like the original client VLAN is mapped to a different VLAN on the other VDOM.

Is anyone aware of this design? Is this possible? And may I know what specific feature is being used and the purpose of this type of design?

Attached is the sample flow.

https://ibb.co/k48rCjw

Thank you



WAN Bonding Services

I am looking for a solution / service where we could have a single site that has two 50X10Mbps internet connections, from two different providers, and aggregate those connections so that if the client were to do a speedtest.net, they would see near 100X20Mbps on their results. If one of the links were to go down, the client would not notice anything, their VoIP would not drop, and they would just have reduced speeds until the second WAN came back up.

I think this requires an aggregation router at the client's side, and then a similar larger device at the datacenter/cloud/POP that has the capacity to receive these incoming tunnels and aggregate them.

Peplink's SpeedFusion Bonding seems to be what I am looking for, but I am trying to see who else is out there. Is VMware's VeloCloud an alternative? Ideally we would like something where we could host the boxes on both ends.



ISE: Using endpoint profiles to assign VLANs?

I can figure out how to create endpoint profiles and use things such as MACs or usernames to create certainty factors to assign devices to profiles, and I can create authorization profiles to assign VLANs, but I can't figure out how to connect the two.

How can I assign endpoint profiles to authorization profiles?



Are there any ways to give certain users with dynamic IP addresses access to a database behind a firewall?

Hi everyone,

I am a Postgres database developer and am currently working on a project for a client of mine. The database will have to sit behind a firewall, which will be set up by a third-party company.

Now there's the problem that I need certain web applications, which are hosted on AWS with dynamic IP-Addresses, to be able to connect to the database. There is no way to make these IP-Addresses static or even to determine a certain fixed range for them.

I don't know much about firewalls, but I assume that normal IP-Whitelisting will not work due to these circumstances.

My question is now: has any one of you come across such a situation, and how would you solve this? Are there any other ways to authenticate access from dynamic IP addresses?

Any help is much appreciated! Thanks!



Update Apache at Voicemail Pro

Hello,

I handle Retina on my system and get alerts on my system. How do I update to solve the problem?

Thank you



QoS Marking Questions

Hi Everyone,

By default, does marking my traffic with EF/AF automatically prioritize it? This means that I would just mark the traffic with the DSCP and let the default configuration take place. No policy-maps would be created to implement (police/shape) and no congestion avoidance/prioritization techniques.

Because by default, FIFO is currently the default queuing strategy. Also notice that there are certain protocols that have specific markings by default like OSPF (CS6). I know that it's still up to the administrator to define what markings/traffic will get priority treatment.



Aviatrix - SD-WAN

Greetings all

Hope all is well.

I have a concern regarding Aviatrix if anyone can assist.

I was talking to a partner who is considering deploying an SD-WAN solution and he informed me that Aviatrix is against! I cannot get the idea of Aviatrix being proposed for an SD-WAN solution. I am totally aware it is a multi-cloud network architecture and per the training they compensate for the features missed between the other cloud providers, but what about other features such as on-prem security, etc.?

Thanks!



Cisco Networking Refresher

Hey guys, hoping this is the right forum to drop this in. I'm starting a new job in the next two weeks and they require more Cisco than I have been using. I had my CCNA but it's been so many years since I've used the knowledge actively, so I was wondering if anyone has a good source for a refresher. I already took Cisco 1-4 in college but just want a brush-up. If anyone has some ideas I would appreciate it. I tried Google and could only come up with results on taking the test or practice tests, and also full online courses.



Wildcard Calculator

We often have to do policy-based routing but only for a very specific wildcard. For example, if I need to route for only every .1 within a /13, the network and wildcard mask example would be 10.0.0.1/255.248.0.255. I can find no calculators online that can help with this type of wildcard mask - are you aware of any?
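The mask in the post is a match mask, not an ACL wildcard: a bit set to 1 must agree between the candidate address and 10.0.0.1, a 0 bit is "don't care", and the Cisco-style wildcard is simply its bitwise inverse (0.7.255.0). Non-contiguous masks like this are easy to get wrong in policy-based routing, so the check worth having is one that lists exactly which addresses a rule selects. The following is an added example in C, not a tool from the original post or any vendor; it evaluates the match, derives the inverted wildcard, and counts how many addresses the mask covers, using the post's own 10.0.0.1 / 255.248.0.255 pair and a few constructed probe addresses.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Parse a dotted-quad IPv4 string into a host-order integer; 1 on success. */
static int parse_ipv4(const char *s, uint32_t *out) {
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* ACL/PBR match semantics: every bit that is 1 in the match mask must agree
   between addr and net; 0 bits are "don't care". The mask need not be
   contiguous, which is what lets 255.248.0.255 select "every .1 in a /13".
   Returns 1 for a match, 0 for no match, -1 if any argument fails to parse. */
int wildcard_match(const char *net, const char *mask, const char *addr) {
    uint32_t n, m, a;
    if (!parse_ipv4(net, &n) || !parse_ipv4(mask, &m) || !parse_ipv4(addr, &a)) return -1;
    return ((a & m) == (n & m)) ? 1 : 0;
}

/* The ACL-style wildcard is the bitwise inverse of the match mask
   (255.248.0.255 -> 0.7.255.0). Returns 0xffffffff if the mask does not parse. */
uint32_t wildcard_mask_bits(const char *mask) {
    uint32_t m;
    if (!parse_ipv4(mask, &m)) return 0xffffffffu;
    return ~m;
}

/* Number of addresses the mask admits: one per combination of its 0 bits.
   Returns 0 if the mask does not parse. */
uint64_t wildcard_match_count(const char *mask) {
    uint32_t m;
    if (!parse_ipv4(mask, &m)) return 0;
    unsigned zeros = 0;
    for (unsigned i = 0; i < 32; i++) if (!((m >> i) & 1)) zeros++;
    return (uint64_t)1 << zeros;
}

static void print_dotted(const char *label, uint32_t v) {
    printf("%s%u.%u.%u.%u\n", label, v >> 24, (v >> 16) & 0xff, (v >> 8) & 0xff, v & 0xff);
}

int main(void) {
    const char *net = "10.0.0.1", *mask = "255.248.0.255";
    /* Constructed probe addresses: two inside the /13 ending in .1, one outside
       the /13, one inside but not ending in .1. */
    const char *probes[] = {"10.3.200.1", "10.7.255.1", "10.8.0.1", "10.3.200.2"};
    print_dotted("ACL wildcard: ", wildcard_mask_bits(mask));
    printf("addresses matched: %llu\n", (unsigned long long)wildcard_match_count(mask));
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-12s %s\n", probes[i], wildcard_match(net, mask, probes[i]) == 1 ? "match" : "no match");
    return 0;
}
```

Run it against the addresses a route-map is supposed to catch and, just as importantly, a few it must not; with a non-contiguous mask the second list is where surprises live.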



FTDv vSphere Interface issues!

Hi guys,

Has anyone had issues with adding/removing interfaces with FTDv and FMC from within vSphere 7.0?

Brand new builds of FTDv and FMC built with VI .ovf files.

Management interface attached when VM created and that works great. Since initial creation of VM I can't add any other interfaces to the VM.

Under edit settings in VMware the OK button is greyed out.

I have the correct permissions as I can change all other VMs.

Any help appreciated!

Maybe my understanding of how this should work is wrong. Feel free to school me on the matter. I have been over the whitepapers and can't see anything that covers this.



DHCP (relay) help on an Aruba 6300F

Emergency inserted/added a 6300F on an Alcatel stack and somehow not getting DHCP. Basically trunked one interface between the two. On the Alcatels we use "ip helper addresses x.x.x.x" to get to the DHCP server (Infoblox). Routing is fine on the 6300; I can ping the DHCP server just fine from the switch. I can also SSH to the switch remotely. Pretty new to CX stuff here so I need some guidance. Switch is running 10.05. I'm hoping it's just a setting on the switch, MAYBE SOMETHING SUPER BASIC I'm missing here. Thanks in advance.

cx(config)# show dhcp-relay
DHCP Relay Agent : enabled
DHCP Request Hop Count Increment : enabled
L2VPN Clients : enabled
Option 82 : enabled
Source-Interface : disabled
Response Validation : enabled
Option 82 Handle Policy : replace
Remote ID : ip

DHCP Relay Statistics:
Valid Requests Dropped Requests Valid Responses Dropped Responses
-------------- ---------------- --------------- -----------------
36406 2 0 0

DHCP Relay Option 82 Statistics:
Valid Requests Dropped Requests Valid Responses Dropped Responses
-------------- ---------------- --------------- -----------------
494 0 0 0

interface 1/1/1 (this is the trunk to the other stack)
no shutdown
no routing
vlan trunk native 10
vlan trunk allowed 10,201,551,2021
exit

cx(config-if)# show run int 1/1/47 (currently have my laptop here. also tried it as access port and no go)
interface 1/1/47
no shutdown
no routing
vlan trunk native 10
vlan trunk allowed all
exit


Can I connect my laptop to an SFP?

Hey, I have a Cisco Nexus 9k switch, and have configured a SPAN port on a 100G interface. Was just wondering, are there any adapters, or something for me to be able to connect my laptop to the LC connector?



Printing across multiple vlans slow.

Ok, so an odd issue I'm having at 3 different clients. All 3 have multiple VLANs for everything: one for PCs, one for servers, one for printers, etc. Let's assume VLAN 1, 10, 20 for PC, printer, server respectively. Printing to a 2016 print server is slow, many minutes slow. Direct printing is fine. I've looked around but can't find anything, and this is only on 3 of 100ish clients. Any help from anyone would be appreciated.



OSPF Design Question(s)

Hi,
I am currently trying to set up a remote site that has a 1GB P2P connection along with a 100Mb backup internet connection with a VPN back to the primary site. OSPF is set up on all links as below:

Primary Site:-

CORE to remote site via P2P - Area 2 Stub no summary
CORE to local Firewall via LAN - AREA 0
Local Firewall to remote site Firewall via IPSEC VPN - Area 2 Stub no summary

Remote Site:-

CORE to primary site via P2P - Area 2 Stub no summary
CORE to local Firewall via LAN - Area 2 Stub no summary
Local Firewall to primary site firewall via IPSEC VPN - Area 2 Stub no summary

This is mostly working as expected. However we have some clients that also VPN in via the firewall at the primary site. The routes on this firewall are preferring the intra-area route for Area 2 to Area 2, as it should according to the standards for route selection. However the core at the remote site is using the P2P as its route back, again as it should. The firewall at the remote site is using the remote site's router to get back to the primary site. The issue arises when a client connected via VPN to the firewall at the primary site tries to access the secondary site: we end up with asymmetric routing, as the firewall at the primary site sends traffic over the VPN and the remote site only knows to respond over the P2P. Ideally it should send this traffic to the CORE at the primary site unless the P2P is down, in which case everything should use the VPN.

I hope this makes sense. I have drawn a diagram but I am not sure how to upload it here; it's a PDF but I can make it a JPG or anything.



Does P2P software have two separate sockets?

I'm trying to make a P2P chat program in C. For this I will use sockets with multithreading. Up to now I have designed only server/client applications, but now I want to design P2P systems.

I got the basics, what P2P is, etc. But I don't know how to implement it.

Question: Should I create two separate sockets for one peer to connect/listen? So when peer_1 tries to connect to peer_2, peer_1's client socket will connect to peer_2's server socket, and the same for peer_2 to peer_1.

Or is there another solution?
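The pattern asked about above, as an added example in C that is not code from the original post: each peer owns one listening socket (so other peers can reach it) and opens a separate outbound socket for every peer it dials; the descriptor returned by accept() is a third socket, the one that actually carries data, while the listener only hands out connections. Both "peers" live in one process here and use the loopback address with an ephemeral port (constructed for the demo); in a real program each peer is its own process or host, and a listener bound to a routable address should authenticate whoever connects before trusting anything it sends.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>

/* Listening side of a peer: bind to loopback on an ephemeral port so the demo
   never exposes anything off-host. Returns the listening fd, -1 on failure,
   and reports the chosen port through port_out. */
int peer_listen(uint16_t *port_out) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = 0;                                   /* kernel picks a free port */
    socklen_t len = sizeof a;
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 8) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(a.sin_port);
    return fd;
}

/* Dialing side of a peer: one fresh socket per remote peer. */
int peer_connect(uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = htons(port);
    if (connect(fd, (struct sockaddr *)&a, sizeof a) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Peer A listens, peer B dials A, A accepts, B sends a line, A echoes it back.
   Returns 1 when the echoed bytes match, 0 on any failure. */
int p2p_roundtrip(void) {
    uint16_t port = 0;
    int lfd = peer_listen(&port);
    if (lfd < 0) return 0;
    int bfd = peer_connect(port);          /* completes via the kernel backlog */
    if (bfd < 0) { close(lfd); return 0; }
    int afd = accept(lfd, NULL, NULL);     /* A's data socket for this one peer */
    if (afd < 0) { close(bfd); close(lfd); return 0; }

    static const char msg[] = "hello from B";   /* constructed payload */
    char seen[64] = {0}, back[64] = {0};
    int ok = 0;
    if (send(bfd, msg, sizeof msg, 0) == (ssize_t)sizeof msg &&
        recv(afd, seen, sizeof seen, 0) == (ssize_t)sizeof msg &&
        memcmp(seen, msg, sizeof msg) == 0 &&
        send(afd, seen, sizeof msg, 0) == (ssize_t)sizeof msg &&
        recv(bfd, back, sizeof back, 0) == (ssize_t)sizeof msg &&
        memcmp(back, msg, sizeof msg) == 0)
        ok = 1;

    close(afd);
    close(bfd);
    close(lfd);
    return ok;
}

int main(void) {
    printf("p2p round trip: %s\n", p2p_roundtrip() ? "ok" : "failed");
    return 0;
}
```

In a multithreaded peer the usual split is one thread blocked in accept() on the listening socket and one thread (or a poll loop) per data socket, whether that socket came from accept() or from connect(); the two kinds are indistinguishable once established.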



What's the advantage of tone dialing vs. pulse dialing other than speed?

I don't know if this is the right sub-reddit for this question, but I have a feeling people here will be knowledgeable on the subject. This is all sort of ancient technology by now, but I'm curious about tone dialing vs. pulse dialing and why the transition happened.

Most people would say tone dialing is more convenient because it uses buttons. But they definitely made pulse dialing phones with buttons. I remember in the 90s having such a phone, I would press the buttons and the phone would dial with pulses. If you pressed the buttons quickly, the pulses would queue up and it would take a few seconds for all the pulses to be transmitted.

Even my dial-up modem used pulses, though maybe that was because the telephone exchange at the time only supported pulse dialing where I lived... otherwise a mid-90s dial-up modem would have certainly supported tone dialing, right? I was a child at the time, so I don't remember how it was set up.

But my point was, why use audible tones instead of pulses? They could have made the pulses go quicker if speed was the issue.

And does tone vs. pulse dialing have *anything* to do with analog vs digital telephone systems? I think most people thought when tone dialing became a thing that that meant the system was digital now, but I don't think it had anything to do with that.



Dealing with dynamically changing IPv6 PD, other than ROAS or manually changing the ipv6 local pool, Cisco router.

Good day,

With the changing PD from the ISP, I have arrived at two solutions so far to keep up with the changing PD:

Bridged ONT ----- ISR1K ---- C9200

  1. Simplest: router on a stick, losing the inter-VLAN routing on the L3 switch
  2. Manually re-setting up the DHCPv6 server on the Cisco router every time the PD changes.

I would be grateful if anyone knows a better way of dealing with the changing PD, or a method to have the "ipv6 local pool" automatically updated every time a new PD is allocated by the ISP.

Router config:

interface Dialer0
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
zone-member security WAN
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
no cdp enable
ipv6 address autoconfig default
ipv6 enable
ipv6 mtu 1492
ipv6 tcp adjust-mss 1432
ipv6 dhcp client pd hint ::/56
ipv6 dhcp client pd STC
ipv6 dhcp client request vendor
ppp authentication chap callin
ppp chap hostname xxxxxxx
ppp chap password xxxxxxx
ppp ipcp route default

ipv6 local pool STC2 2001:16hh:hhhh:hhhh::/56 60

ipv6 dhcp pool DHCP6
prefix-delegation pool STC2 lifetime 84199 84199

interface GigabitEthernet0/0/0
ip address 192.168.0.1 255.255.255.252
ip nat inside
zone-member security LAN
negotiation auto
ipv6 address STC ::1:0:0:0:1/64
ipv6 dhcp server DHCP6



Cisco's SNMP Object Navigator -- does it still exist?

Because I'm developing and maintaining a network monitoring application, I was frequently using the SNMP Object Navigator tool on Cisco's website. But when I tried to find it recently I just couldn't. Does anyone know if it's still available?



Active/Active IPSec VPN tunnels up issue

Hi Guys,

Got a task to design and implement active/active IPsec VPN tunnels from on-prem Cisco Firepower to Azure network.

Below is a little bit of background information:

My local gateway device has two WAN uplinks, hence I am able to create two IPSec tunnels to the Azure end; the Azure gateway can have two public IP addresses when active/active mode is enabled.

Two WAN uplinks on the Firepower are configured in primary/backup mode (we have changed the administrative distance on the secondary WAN default route to achieve that), hence my concern is that when the IPSEC keep-alive SA travels, both tunnels' SAs would go out via the primary WAN interface, as there is only one active default route in the Firepower routing table. Therefore the secondary IPSEC keep-alive packets will have issues when they reach the Azure secondary public address, because when the Firepower sends those SA packets to Azure it won't use the secondary WAN interface; instead that traffic would go to the primary interface?

Once we have got these IPSec tunnels set up, we would add VTI tunnels and BGP on top of them to advertise the protected networks from both sides, but I think those are not relevant to my concerns, so I have put them at the end.

Any help or suggestions are much appreciated and hope you guys all have a good day.

Thanks,

Bill



Wednesday, August 18, 2021

Websites and apps hosted on Microsoft Azure not opening on wifi

Hi, some websites that are hosted on Microsoft Azure web services don't open on my wifi network, while everything else works perfectly fine. For example, Facebook, Instagram, Google, etc. work perfectly fine but websites like arXiv, GitHub, LinkedIn, Outlook, etc. don't open on my wifi; the page just keeps on loading infinitely. This problem occurs across all my devices, not just my laptop.

What I have tried to fix this:

  1. Resetting the router
  2. Flushing the DNS cache
  3. Setting DNS to 1.1.1.1
  4. Clearing the browser cache
  5. Using a VPN

Out of these, using a VPN worked. I ran a traceroute on some of the websites and I keep seeing '* * *' in multiple places. I really don't know what else to do. I tried contacting the ISP but they said that my router must be faulty. Can someone please tell me how I can fix this? I have tried everything but no luck.



Having troubles with Unifi Access Point

Hi !

I have been in charge of renewing the whole wifi setup in my company recently, and after some discussion we decided to switch from our old Cisco APs to Unifi ones.

Everything worked fine at first, but for several months we have been having wifi issues, people reporting short wifi outages and slow connections. After some research we decided to downgrade the APs' firmware version, going from 5.X.X to 4.X.X (quite unusual to me), which doubled connection speed. Still, people keep reporting network outages, and I cannot find any solution to this problem.

Have some of you experienced such an issue, and if so what did you do?



Any experience with Perimeter 81

My company is looking for a software-based VPN solution because of our work-from-home situation and the limited bandwidth (need to support up to 100 simultaneous users) at our datacentre. So we took a look at Perimeter 81. Their pitch was excellent and offered everything we wanted, though they were a bit expensive.

I just wonder if anyone has any experience with them and if the investment will be worthwhile. Also, are there any other SASE vendors who offer a service similar to these guys?



Managing Distributed Access Lists

I inherited a network that's a mess. One of the biggest issues I have right now that I don't see a clear way through is distributed access lists. That is, the access switches have access lists. Let's assume that's 1000 access switches. The "core" has a firewall in it, but some end devices talk to other end devices, and it was set up with ACLs to manage security for most things E-W. So 1000 switches, each with different ACLs applied based on long forgotten projects and not much documentation.

Is there any way to manage distributed ACLs from a central point? It will take a long time to untangle the mess, but in the meantime, I still have to manage it.



Ubiquiti Restock Discord

Hey all,

For those who are interested, there is a very active Discord server for tech-related restocks that I have been a part of for a few months, and I can easily say that the community is more than welcoming.

It is because of the admins, mods, bots and users involved that allow for accurate and timely restock notifications.

Although this may be read as a bland advertisement, I’m simply a user that has had a fantastic experience on this server, and have gotten the products I’ve been looking for because of it.

Whether you're a consumer or professional, this Discord is a great place to be for restocks.

Here’s the link if you’re interested!

https://discord.gg/GFFKWJCqq6



OSPF topology design

I'm having some difficulty sorting out how to implement areas in my OSPF network; I need areas for summarization. The physical topology looks like this: https://imgur.com/a/54hnXEe

If all routers were in area 0, no problem. But how to fix this? As per OSPF design, DC1 and DC2 must be area 0 for traffic to be able to travel from area X to Y, as it has to go via 0.

Leg1 as area 0 with a (backup) virtual-link over leg2?

Putting the different legs in separate areas will make area 0 (DC1 and DC2) non-contiguous, which will screw things up. That can be mitigated via virtual-links, but can you duct-tape area 0 together via multiple virtual-links over separate areas?

I really appreciate any ideas here. Most textbook stuff about virtual-links seems to cover simpler topologies.



send-community for bgp neighbors question

Hello all,

I am currently studying for my CCIE Data Center and something I have not had explained well is the difference between the following commands:

Neighbor 12.x.x.x remote-as xx
Update-source lo0
Address-family L2vpn evpn
Send-community
Send-community extended
Route-reflector client

and this:

Neighbor 12.x.x.x remote-as xx
Update-source Lo0
Address-family L2vpn evpn
Send-community both
Route-reflector client

The question: what is the difference between adding both commands "send-community" and "send-community extended" and just "send-community both"? Does this do the exact same thing?

Thank you in advance!



Best solution for Layer 2 over DMVPN?

(Posted this in r/cisco as well but figured I'd post here too)

We currently have a layer 2 ethernet circuit between our two data centers for replication. This circuit is inflexible because I can't re-route traffic elsewhere or add on a third spoke data center without ordering another layer 2 circuit. Because of this, we're trying to implement DMVPN across this layer 2 circuit in order to afford us the ability to add a third spoke when the time comes, as well as re-route traffic over other connections if need be.

My question is, what is currently the best method to implement layer 2 connectivity over DMVPN? I've done simple xconnect for other use cases and this is fine, but I need something that will be multipoint/mesh like the DMVPN network itself. The routers we are trying to use will be Catalyst 8300s, but I'm currently just taking shots in the dark in CML/VIRL with a CSR1000v to see what will work. Long term we will eventually be moving to VXLAN, but technology wise we just are not there quite yet. Our current Nexus/Nexii(?) aren't set up to support it just yet, and truthfully I don't have the knowledge to start down that road. I'm trying to stick with what I know and what works for now to come up with a more elegant solution than what we currently have, at least in the short term. I've looked at OTV, L2omGRE, VPLS, and VXLAN, and so far I can't tell in which direction I should go. Thanks for any advice!



Open optical networking

Is designing a network that is disaggregated a priority for most operators? Does a disaggregated solution provide operators the most flexibility for adopting new tech, or should one stick to a single vendor for simplicity? I see a push for open optical networking but doesn't that complicate networks?



Best free tool for switch bandwidth monitoring?

Hi all,

What does everyone recommend for switch bandwidth monitoring?

In the past, I have used MRTG (the old one) which is Perl based. It has never let me down; the only downside is that extracting information from the HTML reports can be a bit slow. I'm prepared to use this again, but I'm wondering if anybody can recommend any alternatives?

I just need something that can utilise SNMP and give me a breakdown of each switchport's bandwidth utilisation over a 24 hour period.

Cheers



SFTP Reverse Proxy to FTP Server

So I know this is not exactly networking related, though you could argue proxies are networking to an extent. If this type of question is not welcome here, feel free to delete the post.

I've got a customer that, for whatever reason, has to stick to his plain FTP servers and needs to have them public on the internet. Considering his stance on security I was amazed that he asked me how to publish them somewhat securely.

So my first idea was to have a proxy in front of them that does the SSH/SFTP negotiation and then forwards the data to the FTP server unencrypted. I know there are appliances and software that do this for FTP/S but I can't find a solution that would be able to do this for SFTP. Is this due to the fact that FTP over SSL is really just that, plain FTP over SSL, while SFTP is not really related to FTP itself but rather a completely different protocol tunneled in SSH?

Does anybody have some advice?



UDM-Pro or opnsense for small business (firewall, vpn, reverse proxy)

In my new company we have an MS Exchange and a Nextcloud. These are only protected by the router firewall.

In the future, our old switches will be replaced with manageable ones, so that we can have VLANs and PoE.

Because of the fact that we need new hardware and that we don't really have a person who takes care of the network, I thought about Ubiquiti products.

An advantage of opnsense is that I don't have to ask my boss for money.

I think both systems will be able to perform the required functions well, but a complete UniFi environment is more pleasant.

What is your opinion?

Thank you =)



Does anyone have any references or resources about Forward Error Correction(FEC) codes concerned with Free Space Optical (lasercom) networks with on-off keying modulation?

Are there any resources available other than the CCSDS standards? I am trying to design an error correction scheme for FSO communication and I am planning to use an LDPC architecture for its implementation. But I wanted to know if there are more resources available regarding this.

FSO links work differently with error correction codes compared to normal RF, and I want to know which one will be the most suitable for me.



Tuesday, August 17, 2021

network device backup solution for azure

Hey all,

Doing a design for a hybrid cloud deployment, I would like the on-prem devices (switches and firewalls) to be backed up into the cloud (Azure).
Looking at the Azure Backup offering, that is only for the on-prem solution (VMs / apps as offered through Azure).

What does everyone suggest for this job? It's a small-scale deployment, max 5 devices to be backed up, looking for low-cost solutions.

Thanks



Webex Notifications for Oxidized?

Hello

Has anyone set up a way for Oxidized to send Webex messages to a space when config is pushed/modified?

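One way to do what the post above asks, added here as an example and not the poster's or the Oxidized project's code: Oxidized's `exec` hook runs a command on events such as `post_store` (fired when a changed configuration has been written to the repository) and hands the node details to it as `OX_*` environment variables; the script below reads those and posts a one-line Markdown message to a Webex space through the Messages API. The room ID and bot token are read from the environment under assumed names (`WEBEX_ROOM_ID`, `WEBEX_TOKEN`) rather than written into the script, and the message is built from metadata only and never includes the configuration text, since the space may be wider than the people cleared to read device configs.

```python
#!/usr/bin/env python3
"""Oxidized exec hook that posts a one-line notice to a Webex space.

Oxidized side (hook options and OX_* variable names as documented for the exec hook):
    hooks:
      webex:
        type: exec
        events: [post_store, node_fail]
        cmd: '/usr/local/bin/oxidized-webex.py'
        async: true
        timeout: 30

WEBEX_ROOM_ID and WEBEX_TOKEN are assumed names, supplied through the Oxidized service's
environment (for example a systemd EnvironmentFile), not written into this script.
"""
import json
import os
import urllib.request

WEBEX_MESSAGES_URL = "https://webexapis.com/v1/messages"


def build_message(env):
    """Markdown text built only from Oxidized's OX_* metadata; the config itself stays out."""
    event = env.get("OX_EVENT", "unknown")
    node = env.get("OX_NODE_NAME", "?")
    group = env.get("OX_NODE_GROUP") or "default"
    model = env.get("OX_NODE_MODEL", "?")
    if event == "post_store":
        # post_store fires when a changed configuration has been written to the repo
        ref = env.get("OX_REPO_COMMITREF", "")[:12]
        body = f"configuration changed, stored as commit `{ref}` in {env.get('OX_REPO_NAME', '?')}"
    elif event == "node_fail":
        body = f"backup **failed**: {env.get('OX_ERR_TYPE', 'error')} {env.get('OX_ERR_REASON', '')}".rstrip()
    else:
        body = f"event {event}"
    return f"**Oxidized** [{group}] {node} ({model}): {body}"


def build_request(text, room_id, token):
    """POST to the Webex Messages API; the bot token travels only in the Authorization header."""
    payload = json.dumps({"roomId": room_id, "markdown": text}).encode()
    return urllib.request.Request(
        WEBEX_MESSAGES_URL,
        data=payload,
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


def main(env=os.environ):
    room_id, token = env.get("WEBEX_ROOM_ID"), env.get("WEBEX_TOKEN")
    if not (room_id and token):
        raise SystemExit("WEBEX_ROOM_ID and WEBEX_TOKEN must be set in the hook's environment")
    with urllib.request.urlopen(build_request(build_message(env), room_id, token), timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    main()
```

The hook inherits Oxidized's environment, so the token belongs in the service's environment file with restrictive permissions, not in the Oxidized config or in the script. Subscribing to `post_store` rather than `node_success` keeps the space quiet: a message arrives only when a config actually changed, which is also the event worth correlating against change tickets.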


STP, Blocking role/state, and transitioning

I'm currently learning about STP.

I have a more technical question that I haven't been able to find a direct answer for yet. For ports that are in the Blocking role, when do they decide to begin the blocking > listening > learning process? My current assumption is that since blocking ports can still receive/process BPDUs, they switch over after the MaxAge is reached.

Logically there is some mechanism; otherwise, if an interface that was previously on a network segment with another switch and in a blocking role/state was no longer connected to a switch, it would be blocked until someone manually unblocked it or reconnected it.

Also, is there any difference in using the terminology blocking role/state?

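The timer behaviour the post above asks about, as an added illustration that is not part of the original post: a small Python model of an 802.1D port that stays blocking because it keeps hearing superior BPDUs. The stored BPDU is aged; when `max_age` (20 s by default) passes without a refresh, the port assumes the bridge that kept it blocked is gone and moves to listening, then learning (one `forward_delay` of 15 s each), then forwarding. A superior BPDU arriving during listening or learning pushes the port back to blocking. The timer values and the one-second event loop are assumptions for the model; real bridges also re-run the root election on expiry, and RSTP replaces the timers with proposal/agreement.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 802.1D default timers in seconds (assumed for this model; they are tunable on real bridges).
MAX_AGE = 20
FORWARD_DELAY = 15


@dataclass(frozen=True)
class Bpdu:
    """The parts of a configuration BPDU that decide the election; lower is better."""
    root_id: int
    root_path_cost: int
    bridge_id: int

    def better_than(self, other: "Bpdu") -> bool:
        return (self.root_id, self.root_path_cost, self.bridge_id) < \
               (other.root_id, other.root_path_cost, other.bridge_id)


@dataclass
class Port:
    own: Bpdu                        # what this port would send if it were designated
    state: str = "blocking"
    stored: Optional[Bpdu] = None    # best BPDU heard on the attached segment
    age: float = 0.0                 # seconds since the stored BPDU was last refreshed
    timer: float = 0.0               # time spent so far in listening or learning

    def receive(self, bpdu: Bpdu) -> None:
        """A blocking port still processes BPDUs: equal or better information is stored
        and its age reset, and superior information pushes a transitioning port back."""
        if self.stored is None or not self.stored.better_than(bpdu):
            self.stored = bpdu
            self.age = 0.0
        if bpdu.better_than(self.own) and self.state != "blocking":
            self.state = "blocking"
            self.timer = 0.0

    def tick(self, dt: float = 1.0) -> None:
        """Advance the timers by dt seconds."""
        self.age += dt
        if self.state == "blocking":
            # Stored information expired without a refresh: the bridge that kept this port
            # blocked is assumed gone, so the port starts towards forwarding by itself.
            if self.stored is not None and self.age >= MAX_AGE:
                self.stored = None
                self.state = "listening"
                self.timer = 0.0
        elif self.state in ("listening", "learning"):
            self.timer += dt
            if self.timer >= FORWARD_DELAY:
                self.state = "learning" if self.state == "listening" else "forwarding"
                self.timer = 0.0


def run_scenario(hello_times, horizon: int = 60) -> List[Tuple[int, str]]:
    """A neighbour with a better bridge ID sends a BPDU at each second in hello_times.
    Return the (time, new_state) transitions seen over `horizon` seconds."""
    port = Port(own=Bpdu(root_id=32770, root_path_cost=0, bridge_id=32770))
    neighbour = Bpdu(root_id=32769, root_path_cost=0, bridge_id=32769)
    hellos = set(hello_times)
    transitions = []
    for t in range(horizon):
        before = port.state
        if t in hellos:
            port.receive(neighbour)
        port.tick(1.0)
        if port.state != before:
            transitions.append((t + 1, port.state))
    return transitions


if __name__ == "__main__":
    # Hellos every 2 s until t=10, then the neighbour goes dark.
    print(run_scenario(range(0, 11, 2)))
    # Same, but the neighbour reappears at t=40 while the port is still listening.
    print(run_scenario(list(range(0, 11, 2)) + [40]))
```

With the neighbour silent from t=10, the model reaches listening at t=30 (last hello plus MaxAge), learning at t=45 and forwarding at t=60, which is the 50-second worst case usually quoted for classic STP convergence. The second scenario shows why a blocked port keeps processing BPDUs rather than ignoring the segment: the late BPDU at t=40 returns it to blocking before it ever forwards.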


Help getting out of trouble...

Hello! I don't know if it's the right subreddit to ask this, but anyway.

One of my close relatives is currently taking a course called something like "systems and networks senior technician" (translations may be inaccurate, since I translated the names myself; I am French). He is desperate because his training center has many problems (lack of money and teachers, or lazy teachers doing nothing...). So there are many things that he does not know how to do, while being very late on the curriculum. He told me that he has to learn these things in order to pass the exam:

- implementing a routing protocol

- intervening in a Public Key Infrastructure

- administering VPN connections

- install and set up an image deployment service

- install and configure a WSUS server

- install and configure a thin client server

Since he can do nothing to improve the situation on the side of the training centre, I suggested that he try to learn all these things by himself to pass the exam. He told me he did not find any courses about those subjects online.

I'm hoping some of you on this sub could help regarding that. Could you provide any courses, links or help? Thank you so much.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



GCP VLAN Attachment /29 IP assignment - 3rd IP pingable

When creating GCP Interconnect connections, once the VLAN attachments are created in the GCP portal, GCP provides a /29 subnet for that connection, out of which the first usable IP is for the Cloud Router and the second IP is for the on-prem device. The third IP in this subnet is not to be used anywhere, but it's always pingable from the on-prem device. Any idea what this IP is used for inside GCP?



Do you find networking meaningful?

I want to save everyone from a wall of text so, tl;dr: do you find "doing networking" meaningful?

The long version is:

I like networking because it's technically challenging. However, I doubt whether the work I do makes the world a better place.

For example, the latest project I did was sending syslog into ELK instead of a proprietary logging system. The benefits of this are "huge": we have better alerting, we pay less in support costs, our logs are integrated with other systems, etc.

But ELK isn't going to change anyone's life. We're still going to have alerts go to people after hours. The cost savings will never go into the pockets of my team members. We might save some time here and there, but not much. Despite the banging on about "digital transformation", the company's line of business still runs as it always did before the system was implemented. It all ends in a big, "so what?".

I've had the same struggle with any professional development. Say I wanted to take my CCNP to a CCIE: besides bragging rights, what's the point? To work on a bigger, more complicated network? I don't really see myself as a better person, because I suddenly know how to use dual-hub with DMVPN instead of single-hub or because I can sell cDNA better internally, so why bother?

This is what I'm hoping you can help with, by sharing what you find meaningful in the networking you do, and how the networks you run impact the world.

Much appreciated.



10/100M link LED still up but not on 1000M when wire cut in Ethernet cable

To add a bit of context: this is about switches, and I was just wondering if someone has an explanation for why the LED indicating that a link is up stays on at both 10M and 100M when I cut a wire in an Ethernet cable. While I did this, I cut the solid green wire. Does this have anything to do with auto-negotiation not being so common on 10/100M (at least on 10M), whereas on 1000M it is? Now I know that 1000M uses all four pairs, compared to 10/100M which uses only two. What I'm really curious about is that this does not happen on 1000M. Why I cut a wire in the first place was just to see how each wire behaves individually. If anyone has an explanation for why this does not happen on 1000M, and maybe a workaround that prevents the link LED from going down on 1000M if possible, it would be highly appreciated. Thanks.



Ixia BreakingPoint FTPS and SSHv2 Superflows?

Hello, has anyone got any ideas on how to create a superflow in Ixia BreakingPoint for FTPS and separately for SSHv2?

If so, can you either export a completed one or give me a step-by-step on constructing them, as I have run out of ideas? I would rather avoid resorting to PCAP replays if I can, but if need be I will...

Any help is welcome, thank you!



Can't access Azure VMs using OpenVPN on pfSense that has IPsec to Azure VNet

I'm quite 'new' to networking, still learning stuff; I'll try to explain the situation as simply as I can.

We have a pfSense in the office acting as a router, with an IPsec connection to an Azure VNet that has a few VMs on it. Whenever I'm at the office, I have no trouble reaching machines in the Azure VNet (10.0.0.0/24).

We also have an OpenVPN server set up on the same pfSense, 10.0.8.0/24 (virtual network).
When I use it from home I can access the LANs specified in the server configuration page (IPv4 networks that will be accessible from the remote endpoint). When I use my VPN app from home I can access local machines on a 172.16.0.0/24 local network.

However...

If I run a tracert trying to reach 10.0.0.6 (one of the VMs) I get the following:

1 10 ms 17 ms 11 ms 10.0.8.1

2 * * * Request timed out.

I'm routing ALL traffic in my VPN app; I have the IP of the office and reach the LAN, and I'm trying to understand why the VPN tunnel would limit access. I know it might be a million things and I've probably not mentioned important things, but our setup isn't that complex. What might be the cause here?



How to use dynamic ip address for WAN on Juniper SRX220

Hey guys! I have a question that seems obvious, but I can't find the solution.

The ISP gives me a dynamic public IP address via DHCP on ge-0/0/0. I want to point a static default route at that dynamic address. I can't point it at the interface since it's not a P2P link, but I also can't point it at an IP address since I don't know what IP I'm going to get. How do I get around this?



Riverbed Steelhead WAN Capacity

Hey guys!

Maybe somebody here has some know-how to share.

According to the Riverbed Steelhead datasheet, there is not only an Optimization Limit, there is also a WAN Capacity Limit:

https://support.riverbed.com/bin/support/download?did=ngqugijcle5qshl7822q0s4e78

Does that mean the overall throughput in a physical in-path deployment is not line speed (e.g. 1G on a CX770) and is limited to just 100 Mbit? Or what else does that limit refer to?

We are planning to deploy Riverbed or a similar solution in some of our branch offices, but in an in-path deployment several other traffic flows will pass through it as well, and we are worried about creating a bottleneck.

Cheers and thanks



AppNeta Alternative?

Does anyone know the largest competitor to AppNeta?

If you don't know what AppNeta is: it's basically a network monitoring solution that focuses on resolving where issues are taking place, whether that be the ISP of a WFH employee, the SaaS product they're using, their corporate network, etc.

Anyone know what the largest competitor is?



Can we terminate Comcast business metro ethernet ourselves?

We currently have an office with Comcast metro ethernet, with a Ciena 3903 being used to terminate the fiber. All of our networking equipment except the 3903 is fanless, and the CEO wants to get rid of the 3903 for that reason. I was thinking I'd just get an appropriate SFP to put in our router and plug the fiber in directly, but I suspect there are reasons that won't work.

My networking knowledge is out of date and never involved metro ethernet to begin with, so I thought I'd ask here. Anyone have specific knowledge of whether this is possible?



Spamming inside network, public IP getting blocked

Looking after a large network where all users have a BYOD and their own subnet. As of late there has been spam and email blocking against the public WAN IP. Until the gremlin or gremlins are found, it will continue to cause endless blockings on spam lists.

What will be the best way to monitor SMTP traffic and stop and identify this happening again? I'm thinking of running a device with Wireshark and a port 25 display filter on the core switch. Will this be enough to capture SMTP traffic and the offending local IP? There are no funds to throw in a content filtering device, so it will have to be a manual, freeware process to find the infected device.

Any help is much appreciated

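A way to turn the capture idea in the post above into a repeatable check, added here as an example and not part of the original post: export only the first SYN of each outbound port 25 connection from the capture with tshark (the command is in the comment; the field names are tshark's), then count connection attempts and distinct destinations per internal source. A single infected BYOD machine spraying spam contacts many MX hosts directly on port 25, while a legitimate mail client talks to one submission server, normally on 587 or 465, and never appears in this export. The sample rows are constructed, and the allowed-sender address and thresholds are assumptions for a network where only the mail server should talk SMTP to the Internet.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Export from the capture box (real tshark syntax) before running this script:
#   tshark -r smtp.pcap -Y "tcp.dstport == 25 && tcp.flags.syn == 1 && tcp.flags.ack == 0" \
#          -T fields -e frame.time_epoch -e ip.src -e ip.dst -E separator=, > syns.csv
# Only the initial SYN of each connection is exported, so one row == one SMTP connection attempt.

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed: the only host that may legitimately relay mail to the Internet on port 25.
ALLOWED_SENDERS = {ipaddress.ip_address("10.20.1.10")}


def constructed_sample():
    """Constructed CSV rows in the export format above (not a real capture)."""
    rows = []
    t = 1629200000.0
    # suspected infected BYOD host spraying 30 different MX servers
    for i in range(1, 31):
        rows.append(f"{t + i:.1f},10.20.5.77,203.0.113.{i}")
    # legitimate mail server: many connections, but to a smaller set of peers
    for i in range(1, 51):
        rows.append(f"{t + 100 + i:.1f},10.20.1.10,198.51.100.{(i % 25) + 1}")
    # a laptop that only ever talks to one host
    rows.append(f"{t + 200:.1f},10.20.7.3,198.51.100.200")
    rows.append(f"{t + 201:.1f},10.20.7.3,198.51.100.200")
    # inbound SMTP from the Internet to our mail server: not ours to flag
    rows.append(f"{t + 300:.1f},192.0.2.5,10.20.1.10")
    # a malformed row, the way exports sometimes have them
    rows.append("garbage,,")
    return "\n".join(rows) + "\n"


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_syns(text):
    """Yield (epoch, src, dst) for well-formed rows with parseable addresses."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue
        try:
            yield float(row[0]), ipaddress.ip_address(row[1]), ipaddress.ip_address(row[2])
        except ValueError:
            continue


def summarize(text):
    """Per internal source: count of outbound port-25 SYNs and distinct destinations."""
    syns = defaultdict(int)
    dsts = defaultdict(set)
    for _, src, dst in parse_syns(text):
        if not is_internal(src) or is_internal(dst):
            continue                      # only internal -> Internet connection attempts
        syns[src] += 1
        dsts[src].add(dst)
    return {str(s): {"syns": syns[s], "distinct_dsts": len(dsts[s])} for s in syns}


def find_offenders(summary, min_syns=20, min_distinct_dsts=10):
    """Return [(src, stats)] for hosts that are not the allowed mail server and exceed
    either threshold, busiest first."""
    allowed = {str(a) for a in ALLOWED_SENDERS}
    hits = [(src, st) for src, st in summary.items()
            if src not in allowed
            and (st["syns"] >= min_syns or st["distinct_dsts"] >= min_distinct_dsts)]
    return sorted(hits, key=lambda item: item[1]["syns"], reverse=True)


if __name__ == "__main__":
    for src, st in find_offenders(summarize(constructed_sample())):
        print(f"{src}: {st['syns']} SMTP connection attempts to {st['distinct_dsts']} hosts")
```

On a network with a dedicated mail server, the simpler permanent fix is a firewall rule that permits outbound TCP/25 only from that server and logs the rest; the logged denies then give the offending local IP directly without a capture box, and the block also stops the public IP from being listed again while the device is being tracked down.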


FIPS and Wireless

I am in need of a small wireless solution (only 2 WAPs) that is FIPS compliant / validated. My question for you is: does such a solution exist in the "controllerless" world? I am trying to avoid using either a physical or virtual wireless controller for such a small setup.

Ruckus Unleashed appears not to support such a scenario. Cisco documentation on this topic is vast, but I can't 100% confirm that a FIPS-enabled controllerless setup is supported. Fortinet has pulled their application for validating a few of their WAPs. Aruba appears promising, as they have "Wireless Access Points with ArubaOS FIPS Firmware." What I can't find out about Aruba is whether the WAPs would need to be managed separately or whether the built-in wireless controller on the "master" WAP supports FIPS. My gut feeling says that it should, as long as I preload FIPS firmware on each WAP.

Any help appreciated.



Boston/New England pay for year 1 to year 2 in networking?

I'm wondering what the average pay is for someone early in their network career in this area.

I'm about to hit year 1 and my pay is super low. My plan is to wait at least 1 more year before job hunting, but man, it is brutal in the meantime.



Parsing Version Code on Arista Switches Using Nornir

Hello all.

I have a small Nornir script which runs against all of my Arista switches and basically does a show version. Nornir is new to me, while I have a little bit of Python experience. What I'm trying to do is pull only the version of code that is running on each device, and if it's not equal to the code that should be running on it, it will go out to an FTP site, download the correct version and install it.

I would be able to figure this out with Python, but I don't see how I could do this using Nornir. I tried using the splitlines method on my variable (below), but you can't use it on the run module apparently.

Any suggestions or direction would be much appreciated. Thank you.

My variable is as follows: result = Router.run(netmiko_send_command, command_string="show version")

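The parsing step in the post above, as an added example rather than the poster's script or Nornir's own code: Nornir's `run()` returns an AggregatedResult keyed by host, and each host's first result object carries the command output as a plain string in its `.result` attribute, which is what `splitlines()` or a regex can work on; the aggregate itself has no such method, which is the error the post describes. The EOS `show version` text below is constructed, the desired-version table is an assumption, and the download and install are left out; the SHA-512 comparison is the check to run on the downloaded image before installing it, since FTP provides no integrity guarantee and a tampered or truncated image would otherwise be pushed to every switch that "needs an upgrade".

```python
import hashlib
import re

# Constructed Arista EOS "show version" output in the layout EOS prints (not from a real switch).
SAMPLE_SHOW_VERSION = """\
Arista DCS-7050SX-64-R
Hardware version:    01.01
Serial number:       JPE00000000
System MAC address:  001c.7300.0000

Software image version: 4.25.4M
Architecture:           i386
Internal build version: 4.25.4M-22402993.4254M
Internal build ID:      00000000-0000-0000-0000-000000000000

Uptime:                 3 weeks, 2 days, 4 hours and 12 minutes
Total memory:           8051592 kB
Free memory:            5840248 kB
"""

# Assumed policy table: the image each hardware model should be running.
DESIRED = {"DCS-7050SX-64-R": "4.26.3M", "DCS-7280SR-48C6": "4.26.3M"}

MODEL_RE = re.compile(r"^Arista (\S+)\s*$", re.MULTILINE)
VERSION_RE = re.compile(r"^Software image version:\s+(\S+)", re.MULTILINE)
EOS_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)([A-Z]*)$")   # e.g. 4.26.3M, 4.21.1.1F


def parse_show_version(text):
    """Return (model, running_version) from raw 'show version' text."""
    model, version = MODEL_RE.search(text), VERSION_RE.search(text)
    if not (model and version):
        raise ValueError("output does not look like EOS 'show version'")
    return model.group(1), version.group(1)


def version_key(version):
    """Sort key for EOS versions: the numeric fields as a tuple, then the train letter."""
    m = EOS_VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable EOS version {version!r}")
    numbers, train = m.groups()
    return tuple(int(n) for n in numbers.split(".")), train


def plan(text, desired=DESIRED):
    """Decide what to do with one device from its 'show version' output."""
    model, running = parse_show_version(text)
    target = desired.get(model)
    if target is None:
        action = "no-policy"          # unknown model: do nothing rather than guess an image
    elif running == target:
        action = "ok"
    elif version_key(running) < version_key(target):
        action = "upgrade"
    else:
        action = "downgrade"          # newer than policy: report it, do not auto-install
    return {"model": model, "running": running, "target": target, "action": action}


def sha512_hex(data):
    return hashlib.sha512(data).hexdigest()


def image_matches(data, expected_sha512):
    """Compare a downloaded image with the digest published for that release before
    installing it; run this on the bytes fetched from the FTP site, every time."""
    return sha512_hex(data).lower() == expected_sha512.lower()


# How this plugs into Nornir (assumed wiring, not executed here): run() returns an
# AggregatedResult keyed by host; each value is a MultiResult whose first element's
# .result attribute is the command output string the functions above expect.
#
#   result = nr.run(task=netmiko_send_command, command_string="show version")
#   for host, multi in result.items():
#       if multi.failed:
#           continue
#       print(host, plan(multi[0].result))

if __name__ == "__main__":
    print(plan(SAMPLE_SHOW_VERSION))
```

Keeping the decision in `plan()` separate from the Nornir task makes it testable without switches, and treating "newer than policy" as a report rather than an automatic downgrade avoids a bad table entry rolling a fleet back.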


Cisco CUBE - simple call forwarding?

We have a Cisco CUBE (just a 2951 router) which our telco SIP trunks terminate on. It handles calls to/from our phone systems.

I don't do a lot with voice, but I've been known to go in and add a new dial peer for a new phone number from time to time, and route it inbound to the appropriate PBX's IP.

I'm dealing with a bit of an issue today, somehow a phone number which is supposed to be owned (RESPORG'd) by our cloud fax solution was ported back to our SIP trunk. I have tried routing that number to my phone system, then having that system forward the call back out to a local number. This works when I test from my cell phone (I hear fax tone) but when I actually send a fax to that number it says there was a communication error and I never see the fax come through.

My theory is that perhaps bouncing the call from CUBE to PBX, back out to the SIP trunk via the CUBE might just be hurting the call quality too much, and maybe if the CUBE could do it, it might work better. Again, just a theory.

Of course, the ball is rolling to port this number back to my fax service, but that may take a few days. In the meantime I'm wondering if I can cut out a step here and just have my CUBE forward this call back out to another phone number.

For example, let's say my non-working number is 888.888.8888. I have a working fax # in the cloud, 111.111.1111. I just want the CUBE to take any calls for 888.888.8888 and route them back out to 111.111.1111, without "bouncing" the call off my PBX first.

Possible?



GUI Switches vs CLI Switches

I have worked quite a bit with GUI-based switches, where they are just programmed through the web interface; I've done some more advanced networking such as VLANs through it as well. However, I just started working at the local school district and they have CLI switches.

My main question is, what would the advantage of CLI switches be? I'm still early on in my college career, being only in my 2nd semester. Are there any advantages of either that push people to use one over the other?

Thanks.



Is it possible to reference a different IP address for a URL at the router?

I'm wondering if it's possible to point a specific URL to a different IP address at my router or another network device, assuming my DNS entries are pointed to a global DNS server (8.8.8.8 for example).

We have production and DR instances on the Internet that have different URLs (and IP addresses), and I am thinking of workarounds for using the same URL (aside from typing it in, since users might get confused with two URLs).



Removing switches from Dell 5548 stack

I have a Dell 5548 switch stack with 8 'nodes?'

We are moving to a different switch vendor, but some of the switches on the Dell stack need to stay for a transition period.

The switches are #5 and #6, with ports labeled as such (5/0/1, 6/0/1), with config on them.

My question is, if I remove switches 1-4 and 7-8, how will the switch stack deal with the numbering?



In-rack cable labeling & TIA-606-C

Does anyone follow TIA-606-C standards for in-rack cabling, and if so, what do your labels look like?



BGP breaks Hulu and a lot of streaming websites

I just turned on BGP for the public IPs I announce. I'm assuming because I'm multi-homed most websites don't like the 2 possible paths back to my public IPs? I can't get any streaming site or PlayStation Network to work while both peers are connected. Should I use sticky on my BGP paths? Or what's the best way to fix it?

Any ideas are much appreciated!

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group BLOCKED_USERS {
            description "UCRM blocked Users"
        }
        address-group PublicIPs {
            address xxx.yyy.92.0/23
            address xxx.yyy.178.0/25
            address xxx.yyy.178.192/26
            address xxx.yyy.178.128/26
            address xxx.yyy.221.32/27
            address xxx.yyy.221.64/27
            address xxx.yyy.221.240/30
            address xxx.yyy.221.244/30
            address xxx.yyy.221.248/30
            address xxx.yyy.221.252/30
            address xxx.yyy.221.176/30
            address xxx.yyy.221.180/30
            address xxx.yyy.221.184/30
            address xxx.yyy.221.188/30
            address xxx.yyy.221.160/28
            address xxx.yyy.221.216/30
            address xxx.yyy.221.220/30
            address xxx.yyy.221.12/30
            address xxx.yyy.221.224/28
            address xxx.yyy.221.208/29
            description "Public IP block"
        }
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/16
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify MSS_CLAMP {
        rule 10 {
            action modify
            modify {
                tcp-mss 1440
            }
            protocol tcp
            tcp {
                flags SYN,!RST
            }
        }
    }
    name WAN_IN_ISP1 {
        default-action accept
        description "WAN to Internal"
        rule 2 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 3 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_IN_ISP2 {
        default-action accept
        description "WAN to Internal"
        rule 30 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL_ISP1 {
        default-action drop
        description ""
        rule 10 {
            action accept
            description "Allow icmp"
            log disable
            protocol icmp
        }
        rule 20 {
            action accept
            description "Allow GUI"
            destination {
                port 22,80,179,443
            }
            log disable
            protocol tcp_udp
        }
        rule 30 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL_ISP2 {
        default-action drop
        description ""
        rule 10 {
            action accept
            description "Allow icmp"
            log disable
            protocol icmp
        }
        rule 20 {
            action accept
            description "Allow GUI"
            destination {
                port 22,80,179,443
            }
            log enable
            protocol tcp_udp
        }
        rule 30 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 10.0.200.1/24
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address xxx.yyy.83.254/30
        description "WAN - ISP1"
        duplex auto
        firewall {
            in {
                name WAN_IN_ISP1
            }
            local {
                name WAN_LOCAL_ISP1
            }
            out {
                modify MSS_CLAMP
            }
        }
        mtu 1492
        speed auto
    }
    ethernet eth2 {
        address xxx.yyy.222.22/30
        description "WAN - ISP2"
        duplex auto
        firewall {
            in {
                name WAN_IN_ISP2
            }
            local {
                name WAN_LOCAL_ISP2
            }
            out {
                modify MSS_CLAMP
            }
        }
        mtu 1492
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        duplex auto
        speed auto
        vif 2 {
            address 10.0.2.1/30
            description ospf1-s
            ip {
                ospf {
                    dead-interval 40
                    hello-interval 10
                    network point-to-point
                    priority 1
                    retransmit-interval 5
                    transmit-delay 1
                }
            }
            mtu 1500
        }
        vif 3 {
            address 10.0.2.5/30
            description ospf2-s
            ip {
                ospf {
                    dead-interval 40
                    hello-interval 10
                    network point-to-point
                    priority 1
                    retransmit-interval 5
                    transmit-delay 1
                }
            }
            mtu 1500
        }
    }
    ethernet eth7 {
        duplex auto
        speed auto
        vif 4 {
            address 10.0.2.21/30
            description ospf1-a
            ip {
                ospf {
                    dead-interval 40
                    hello-interval 10
                    network point-to-point
                    priority 1
                    retransmit-interval 5
                    transmit-delay 1
                }
            }
            mtu 1500
        }
        vif 5 {
            address 10.0.2.25/30
            description ospf2-a
            ip {
                ospf {
                    dead-interval 40
                    hello-interval 10
                    network point-to-point
                    priority 1
                    retransmit-interval 5
                    transmit-delay 1
                }
            }
            mtu 1500
        }
        vif 32 {
            address 10.0.32.1/24
            description MManagement
            mtu 1500
        }
    }
    ethernet eth8 {
        address 10.0.1.1/24
        description "Local LAN"
        duplex auto
        speed auto
        vif 6 {
            address 10.0.2.37/30
            description ospf1-m
            ip {
                ospf {
                    dead-interval 40
                    hello-interval 10
                    priority 1
                    retransmit-interval 5
                    transmit-delay 1
                }
            }
            mtu 1500
        }
        vif 7 {
            address 10.0.2.41/30
            description ospf2-m
            ip {
                ospf {
                    dead-interval 40
                    hello-interval 10
                    priority 1
                    retransmit-interval 5
                    transmit-delay 1
                }
            }
            mtu 1500
        }
        vif 30 {
            address xxx.yyy.92.1/23
            description MCustomers
        }
        vif 34 {
            address xxx.yyy.221.225/28
            description Public
        }
        vif 166 {
            address xxx.yyy.221.217/30
            description "LOffice"
            mtu 1500
        }
        vif 209 {
            address xxx.yyy.221.209/29
            description Web
        }
    }
    loopback lo {
    }
}
policy {
    prefix-list BGP-ISP-From {
        rule 10 {
            action permit
            description "Default Only"
            le 24
            prefix 0.0.0.0/0
        }
    }
    prefix-list BGP-ISP-To {
        rule 10 {
            action permit
            description "BGP Announce"
            prefix xxx.yyy.178.0/24
        }
        rule 20 {
            action permit
            description "BGP Announce"
            prefix xxx.yyy.92.0/23
        }
        rule 30 {
            action permit
            description "BGP Announce"
            prefix xxx.yyy.221.0/24
        }
        rule 200 {
            action deny
            description "Do not Announce any other Route"
            prefix 0.0.0.0/0
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    wan-interface eth1
}
protocols {
    bgp XXX215 {
        neighbor xxx.yyy.50.111 {
            description "ISP2 Neighbor"
            ebgp-multihop 5
            password ****************
            prefix-list {
                export BGP-ISP-To
                import BGP-ISP-From
            }
            remote-as XXX92
            soft-reconfiguration {
                inbound
            }
            update-source xxx.yyy.222.22
        }
        neighbor xxx.yyy.50.211 {
            description "ISP2 neighbor 2"
            ebgp-multihop 5
            password ****************
            prefix-list {
                export BGP-ISP-To
                import BGP-ISP-From
            }
            remote-as XXX92
            soft-reconfiguration {
                inbound
            }
            update-source xxx.yyy.222.22
        }
        neighbor xxx.yyy.83.253 {
            description "ISP1 Nieghbor"
            prefix-list {
                export BGP-ISP-To
                import BGP-ISP-From
            }
            remote-as XXX10
            soft-reconfiguration {
                inbound
            }
            update-source xxx.yyy.83.254
        }
        network xxx.yyy.178.0/24 {
        }
        network xxx.yyy.92.0/23 {
        }
        network xxx.yyy.221.0/24 {
        }
        parameters {
            log-neighbor-changes
        }
    }
    ospf {
        area 0.0.0.0 {
            area-type {
                normal
            }
            network 10.0.2.0/30
            network 10.0.2.4/30
            network 10.0.2.20/30
            network 10.0.2.24/30
            network 10.0.2.36/30
            network 10.0.2.40/30
        }
        default-information {
            originate {
                metric-type 2
            }
        }
        parameters {
            abr-type cisco
            router-id 1.1.1.1
        }
        passive-interface default
        passive-interface-exclude eth6.2
        passive-interface-exclude eth6.3
        passive-interface-exclude eth7.4
        passive-interface-exclude eth7.5
        passive-interface-exclude eth8.6
        passive-interface-exclude eth8.7
        redistribute {
            connected {
                metric-type 2
            }
            static {
                metric-type 2
            }
        }
    }
    static {
        route xxx.yyy.50.111/32 {
            next-hop xxx.yyy.222.21 {
                description "ISP2 1 .111"
            }
        }
        route xxx.yyy.50.211/32 {
            next-hop xxx.yyy.222.21 {
                description "ISP2 2 .211"
            }
        }
        route xxx.yyy.178.0/24 {
            blackhole {
            }
        }
        route xxx.yyy.83.252/30 {
            next-hop xxx.yyy.83.254 {
                description "ISP1 Peer"
            }
        }
        route xxx.yyy.92.0/23 {
            blackhole {
            }
        }
        route xxx.yyy.221.0/24 {
            blackhole {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LOffice {
            authoritative disable
            subnet xxx.yyy.221.216/30 {
                default-router xxx.yyy.221.217
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start xxx.yyy.221.218 {
                    stop xxx.yyy.221.218
                }
            }
        }
        shared-network-name LPublic {
            authoritative disable
            subnet xxx.yyy.221.224/28 {
                default-router xxx.yyy.221.225
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start xxx.yyy.221.226 {
                    stop xxx.yyy.221.238
                }
            }
        }
        shared-network-name MCustomers {
            authoritative disable
            subnet xxx.yyy.92.0/23 {
                default-router xxx.yyy.92.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start xxx.yyy.92.2 {
                    stop xxx.yyy.93.254
                }
                static-mapping Home {
                    ip-address xxx.yyy.92.199
                    mac-address f4:92:bf:94:a9:0c
                }
            }
        }
        shared-network-name MManagement {
            authoritative disable
            subnet 10.0.32.0/24 {
                default-router 10.0.32.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 10.0.32.2 {
                    stop 10.0.32.254
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 1000
            listen-on eth0
            listen-on eth6
            listen-on eth7
            listen-on eth8
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description ucrm_forward_suspended
            destination {
                address !10.0.32.203
            }
            inbound-interface eth8.30
            inside-address {
                address 10.0.32.203
                port 81
            }
            log disable
            protocol tcp
            source {
                group {
                    address-group BLOCKED_USERS
                }
            }
            type destination
        }
        rule 5000 {
            description "masquerade for WAN"
            exclude
            log disable
            outbound-interface eth1
            protocol all
            source {
                group {
                    address-group PublicIPs
                }
            }
            type masquerade
        }
        rule 5001 {
            description "masquerade for WAN 2"
            exclude
            log disable
            outbound-interface eth2
            protocol all
            source {
                group {
                    address-group PublicIPs
                }
            }
            type masquerade
        }
        rule 5002 {
            description "S Clients NAT to Eth1"
            log disable
            outbound-interface eth1
            outside-address {
                address xxx.yyy.221.113-xxx.yyy.221.126
            }
            protocol all
            source {
                address 10.0.40.0/24
            }
            type source
        }
        rule 5003 {
            description "B Clients NAT to Eth1"
            log disable
            outbound-interface eth1
            outside-address {
                address xxx.yyy.221.129-xxx.yyy.221.142
            }
            protocol all
            source {
                address 10.0.50.0/24
            }
            type source
        }
        rule 5004 {
            description "M Clients NAT to Eth1"
            log disable
            outbound-interface eth1
            outside-address {
                address xxx.yyy.221.17-xxx.yyy.221.30
            }
            protocol all
            source {
                address 10.0.60.0/24
            }
            type source
        }
        rule 5005 {
            description "B Clients NAT to Eth1"
            log disable
            outbound-interface eth1
            outside-address {
                address xxx.yyy.221.145-xxx.yyy.221.158
            }
            protocol all
            source {
                address 10.0.70.0/24
            }
            type source
        }
        rule 5006 {
            description "S Clients NAT to Eth2"
            log disable
            outbound-interface eth2
            outside-address {
                address xxx.yyy.221.113-xxx.yyy.221.126
            }
            protocol all
            source {
                address 10.0.40.0/24
            }
            type source
        }
        rule 5007 {
            description "B Clients NAT to Eth2"
            log disable
            outbound-interface eth2
            outside-address {
                address xxx.yyy.221.129-xxx.yyy.221.142
            }
            protocol all
            source {
                address 10.0.50.0/24
            }
            type source
        }
        rule 5008 {
            description "M Clients NAT to Eth2"
            log disable
            outbound-interface eth2
            outside-address {
                address xxx.yyy.221.17-xxx.yyy.221.30
            }
            protocol all
            source {
                address 10.0.60.0/24
            }
            type source
        }
        rule 5009 {
            description "B Clients NAT to Eth2"
            log disable
            outbound-interface eth2
            outside-address {
                address xxx.yyy.221.145-xxx.yyy.221.158
            }
            protocol all
            source {
                address 10.0.70.0/24
            }
            type source
        }
        rule 5010 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth1
            protocol all
            source {
                group {
                }
            }
            type masquerade
        }
        rule 5011 {
            description "masquerade for WAN 2"
            log disable
            outbound-interface eth2
            protocol all
            source {
                group {
                }
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    suspend {
        allow-domain unms.website.com
        allow-ip
        redirect {
            url
        }
    }
    udapi-server unms {
        connection
    }
}
system {
    analytics-handler {
        send-analytics-report true
    }
    conntrack {
        expect-table-size 2048
        hash-size 32768
        table-size 262144
    }
    crash-handler {
        send-crash-report true
    }
    host-name CoreRouter-ER8-XG
    login {
        user user {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name ""
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
    }
    syslog {
    }
    time-zone America/Chicago
}
traffic-control {
    optimized-queue {
        policy global
        policy queues
    }
}


Cisco IOS XR, how to configure SPAN to mirror traffic from one sub-interface to another sub-interface?

Title says it all. When I configure the following:

monitor-session M1 ethernet
 destination interface HundredGigE0/0/0/0.40
exit
interface HundredGigE0/0/0/0.20
 ipv4 address 10.20.20.1 255.255.255.0
 ipv6 address fdd1:10:20:20::1/64
 encapsulation dot1q 20
 monitor-session M1 ethernet

And try to commit, I get this error:

interface HundredGigE0/0/0/0.20
 monitor-session M1 ethernet
!!% 'SPAN' detected the 'warning' condition 'The platform encountered an error processing a SPAN operation': Operation not supported

I tried changing the interface monitor-session command to include a direction, but nothing works. SPAN works when configuring physical interface to physical interface.

Note: adding "port-level" to the end of the monitor-session M1 ethernet command on the interface does not take (not recognized). Also, I'm running version 7.4.15.

How does one configure mirroring of one sub-interface to another sub-interface?



Wired and wireless devices not able to communicate

Greetings!

I'm trying to track down an issue at the school I work for, and thought maybe you all could help me pinpoint what the problem is, as I'm stumped.

Here's what I'm working with: a 10.0.0.x/23 subnet, a router, an AD server (serves DNS and DHCP requests), a couple of switches, and a Ruckus ZoneDirector 1100.

Here's the issue: wired and wireless clients cannot ping each other across mediums. Wired devices can ping and connect to any other wired device; wireless devices cannot ping any other device, but can access the ZoneDirector web configurator.

AFAIK this is a flat network, or should be. The switches don't seem to have been configured at all, which leads me to believe that this isn't a VLAN issue (I may be mistaken). Wireless devices can access the internet, but not the intranet. I cannot access the switches, router, or AD server when connected to wireless, but can over wired.

All help appreciated!



Aruba SD-WAN configuration

I am installing Aruba SD-WAN at the moment. We have a Branch GW set up with 3 different MPLS tails into our core, and the VPNC in the DC with a single 1G tail. However, for the overlay to work the uplinks need the same name, but a name can only be used once. How have others handled this in the past?



Public IP Subnet - UK

We co-locate a large amount of equipment in a UK DC, and the DC provider leases us a /26 IPv4 subnet. I have been looking into the possibility of getting our own IP space for a number of reasons:

- If we wanted to move DC providers, we would have to re-IP all equipment
- Some services would be next to impossible to migrate, for example 250+ SIP phones out in the field hard-programmed with the endpoint IP address (no way of using DNS, handset limitation)

Looking online, you can either purchase IP space (around $40 per IP for a /24) or be added to the RIPE waiting list (if your organization has never had an assignment before) and hope that over the next year or so someone releases IP space and RIPE allocates it to you.

As much as we'd love a /24, we only really need a /26. However, I believe a /24 is the smallest amount of IP space you can "own" due to BGP routes; is this correct?

In addition to acquiring the IP space (waiting or buying), am I right in thinking we would need to become a RIPE LIR member and pay their 2000 EUR fee for the first year, and then 1400 EUR per year thereafter?

Is there a cheaper way of going about having your own (small) block of IP space? I have looked into "renting" IP space and getting our current DC provider to announce this on their network (which they would be happy to do); however, it seems to be a minefield in terms of whether the IP space is clean and has a good reputation, etc.

Would value anyone's ideas.