Saturday, August 28, 2021

VPN router to connect to office from home

Hey, I have a dental clinic and I need to be able to access our network from time to time to access both our dental database and shared folders. I have a Cisco Rv091 router, but it's so complicated and it seems like all of the software for VPN is end of life. Does anybody have recommendations for a simple-to-set-up and easy-to-use VPN firewall/router that I could set up in my office, and that would be easy for both myself and staff members to connect to by just installing something on their computers? Also, performance is somewhat important, so I wouldn't want it to be too slow; right now when I connect to the Cisco via PPTP it's super slow, like 30 to 50 kb per second.



Failure 2000

Since I switched my DNS to Cloudflare's (both IPv4 & 6) I get failure #2000 on Twitch. Any help here?



Help with cloudflare

I used to just use Cloudflare on my PC, but since I got a new router I also changed the settings on my router. I wonder if I still have to use Cloudflare on my PC and phone, or if the router setting change is enough. I also want to know how I can make sure I set up my router's DNS settings correctly.



Why are these two routers not communicating? Packet tracer

Hi all, I've been stuck on this for a good two days, trying different things, but I feel I need a second set of eyes. I made a network in Packet Tracer to practice inter-VLAN communication. I got the inter-VLAN part to work, but I can't seem to get network access to another router which is acting as a "simulated" internet. I think it's an IP/subnet issue, but I'm not experienced enough to see it. The PKA is here



AFRINIC and the Stability of the Internet Number Registry System - Team ARIN

Not everyone may be aware, but AFRINIC is currently under litigation from a company named Cloud Innovation. Things are heating up, and it is showing that IRRs are vulnerable to such practices as IP number resources deplete. NANOG's latest digest shows that many network operators are concerned about this.

https://teamarin.net/2021/08/27/afrinic-and-the-stability-of-the-internet-number-registry-system/



How does level 1 support handle Wi-Fi issues?

Hi, I manage the Wi-Fi infrastructure for the organization I work for. Our level 1 support is outsourced to a local consulting firm where they take in calls from our customers to gather information and submit a ticket.

When it comes to the tickets we receive for any Wi-Fi problem, the information gathered is very, very basic even though we have solutions documented for them. Tickets such as "This person has been told that Wi-Fi was slow" (I kid you not, got that one this week, just as brief, nothing more, and not even the person affected had called).

My question is: Am I too out of the loop, or should basic information be gathered by level 1 support staff? Should I really have to call the client to gather what happened, error messages, times and IPs, etc., on every issue?

How is this managed elsewhere? Hope this fits the sub's rules.



Copper SFP

We just bought Syrotech Copper SFPs

(GOXS - C12 - 02) 1000Base - T Copper SFP 100M

21CFR (J) Class 1

So my question is: it has a small switch labelled (A and F). I don't know what the switch does.

Does anyone have any experience with this before?



please help

Does anyone know how to load balance internet coming from two SOCKS5 proxies?



Friday, August 27, 2021

Eigrp neighbor filtering help!

I'll try to keep this brief... explaining complicated detailed network issues in words is difficult for me without a whiteboard/visio drawing.

TLDR: I want to configure a router to only form neighbor relationships with one specific address, and not 10 other routers on the same broadcast domain.

I am configuring a stack of routers for a new DMVPN network (30 routers) in an enterprise environment. The NBMA addresses are on our default business network and the DMVPN is segregated on VRF X. Half of this network is layer 3 to the access layer, but the other half is a giant stretched layer 2 network (100 VLANs). Let's not get distracted on why you shouldn't have a giant stretched layer 2 network!!!! It actually runs really well, is well documented, and is curated tightly to avoid exposure. Anyways, not my call. Brownfield deployment. Can you guess which side my problem lies on?

On the layer 2 side we created vlan 666, with an SVI on the core *10.0.0.1/24*, and each router has an address in this subnet so it can communicate with the rest of the underlay and conveniently a source interface for us to manage the device on the default business network. Also, each router has a loopback0 that resides in the default global routing table that is used as the NBMA address of the DMVPN tunnel.

For anyone to reach this loopback0, I first tried advertising it with our standard default business network eigrp AS which DID work. The problem with this solution was that each router was forming 10 eigrp neighbor relationships, which seemed like a lot of overhead and potential weirdness/asynchronous routing/dmvpn confusion.

This left me with 2 choices that I could think of. Remove EIGRP completely and configure static routes on the core (of the layer 2 side) pointing to the loopback0 addresses of the spoke routers, and default routes on the spoke routers pointing to the SVI (10.0.0.1) on the core. Or configure unicast EIGRP neighbor relationships on both the core and the spokes. FUN FACT... the "eigrp neighbor 10.0.0.x g0/0/0" must be configured on BOTH sides of the link, not just the spoke side. The spoke sends unicast hellos to the core and stops listening for multicast 224.0.0.9, and the core is sending out hellos to multicast 224.0.0.9 and dropping unicast EIGRP hellos. Sure would be cool if that worked differently.

Our team is not all routing wizards (hence the layer 2 design), myself included, and we opted for the static route method to make it more "readable". And it does work great! Deployed 95% of the routers, DMVPN tunnels are up strong, reliable and squeaky clean.

Now I am down to the two final routers to configure and of course they are the oddballs. These will be installed in a portable comm shelter which frequently roams around from one side of the network to the other, sometimes fed by microwave, sometimes with fiber/copper. I would sure like to use a dynamic routing protocol on these 2 spoke routers rather than adding and removing static routes all the time.

So, my question is, can you filter EIGRP hello messages to specific neighbors? I thought I had it with the "distribute-list gateway <prefix-list name> in" under the EIGRP configuration, but I still formed a relationship with the second spoke router on the same VLAN.



Redesigning my SMB's Network

I work for an SMB. Recently got hired, for the sole purpose of having a CCNA and being the only one able to answer "how many IPs are in this subnet". The first day I got hired, the Internet was dropping hard, every 2-3 hours.

After some days, I traced it back to a surveillance server, that was overloading our network core (a DELL SonicWall firewall which can only process 200mbps), as this server was passing data between 2 LANs.

At this point, I am looking to put the Layer 3 switches we have in our company (currently configured as Layer 2 switches for some reason), and enable Inter-VLAN routing at the Layer 3 switch. This switch is a Ruckus ICX 7150 48 Ports. My boss wants to purchase new firewalls that are not SonicWalls (I recommended the FortiGate 60F or 80F non-wireless).

We are also running VoIP Phones, but ideally, I think we should setup QoS.
We have a lot of our calls drop. At times, the calls last for 10 seconds, and the call drops. We thought it had to do with our SIP provider, but that is not the case.

I'm a recent college graduate, but is there anything I am missing? Any other recommendations?



Business networking

Hi there, I’ll keep this short and concise to an extent (not sure if this is the appropriate sub). Anyway, I’m trying to run internet (WiFi) to a commercial building that’s relatively small, 700 feet long and probably 70 feet wide. The problem is: 1. Said building is in the sticks, so WiFi is limited and it’s difficult to find reasonable prices. But also, not everyone uses WiFi equally and the coverage isn’t very good. Any commercial recommendations?



What was used for long-distance communications before fiber-optic cables?

Before fiber-optic cables were widely deployed in the early 1980s, what was used for long-distance communications? At that time that would have been telephone signals and early digital networks like ARPANET.

I know TAT-1 and later transatlantic cables were coax and needed lots of repeaters; the ones that had bandwidth over ~300 kHz needed ~200+ repeaters despite having really thick conductors. That's why transatlantic calls were extremely expensive in the early days: very expensive infrastructure with very limited bandwidth.

But what about land connections? I don't imagine coax spanned continents, needing this much amplification. Was there any other way of carrying multiplexed telephone signals? I cannot find that information online, maybe I'm not searching for the right things.

I'm also sort of amazed at how affordable the Internet was in the late 90s when international phone calls were still so expensive with the 2 sharing the same undersea cables.



Junior Network Engineer Interview Tips

Background: Hands-on training on CCNA 200-301 Concepts. Current position: IT Service Desk Assistant (5 months and counting)

I would really appreciate tips on how I can demonstrate my experience. Basically, how can I tell a story?

How can I prepare myself for the role rather than just the interview?



Help to establish a connection to a workstation for a newbie

Hello everyone

I would like to establish a connection between the workstation and my computer. The workstation has been used to run a simulation program since its performance is outstanding. However, I need the connection to the workstation in order to start the simulation, observe the progress as well as transfer the results from the workstation to my computer. Both computers have Windows systems on them.

What is the best way to do something like this?



Need suggestions on re-cabling

Hello,

Need a little help on how to re-cable my server room; hopefully this is allowed since cabling subs don't really have a lot of members. I recently got some Aruba switches; they are racked and stacked and ready to go. Moving from an old Cisco 6913. The server room has been neglected for years and the wiring was done wrong in the first place when the Cisco was put in about 10 years ago (long before me, as I'm 3 years in). I'm not sure how to approach re-wiring, since everything that is there is in the path I want to take to get to the new switches. Should I just untie/un-Velcro everything, pull it down from lying on top of the racks and re-run it above with some trays? Any suggestions would be appreciated! The mess kills me and getting new switches is a perfect time to tidy up!

https://imgur.com/a/kQXL0jc

Thanks,



Tool to find which subnet an IP falls into

I'm trying to come up with a way to easily associate an IP address with one of a list of hundreds of subnets. The subnets map to locations, so this would make it easier for me to link an IP to a location. Does anyone have an idea of how to do that? The masks range from /8 to /30, etc.
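One way to do the lookup described above, as an added example that is not part of the original post: a longest-prefix match over a list of subnets kept as "prefix,location" lines (the list below is constructed). Subnets are grouped by prefix length so that, for an address, only one dictionary lookup per distinct length is needed, and the most specific subnet wins even when a /30 sits inside a /8.

```python
"""Map an IP address to the most specific of many subnets (longest-prefix match).

Added example, not code from the original post. It assumes the subnet list
is kept as 'prefix,location' lines; the data below is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample data. Overlapping prefixes (a /8, /16, /24 and /30 that
# nest inside each other) are deliberate: the lookup must return the most
# specific one, which is the behaviour that matters for a location table.
SUBNET_LIST = """\
10.0.0.0/8,Corporate default
10.20.0.0/16,Branch Denver
10.20.5.0/24,Branch Denver - Floor 2
10.20.5.8/30,Branch Denver - Router link
192.168.100.0/24,Lab
2001:db8:abcd::/48,Data center IPv6
"""


def load_subnets(text):
    """Parse 'prefix,location' lines into {(version, prefixlen): {network: location}}.

    Grouping by (IP version, prefix length) lets the lookup try the most
    specific lengths first and stop at the first hit. strict=False normalises
    host bits that creep into hand-maintained lists (10.20.5.9/30 is stored
    as 10.20.5.8/30); blank lines and '#' comments are skipped.
    """
    by_len = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cidr, location = (part.strip() for part in line.split(",", 1))
        net = ipaddress.ip_network(cidr, strict=False)
        by_len[(net.version, net.prefixlen)][net] = location
    return by_len


def find_location(by_len, ip_text):
    """Return (network, location) for the longest prefix containing ip_text.

    Returns (None, None) when no listed subnet contains the address.
    Raises ValueError (from ipaddress) if ip_text is not a valid address.
    """
    ip = ipaddress.ip_address(ip_text)
    # Only prefix lengths of the same IP family, longest first (/30 before /8).
    lengths = sorted((plen for ver, plen in by_len if ver == ip.version),
                     reverse=True)
    for plen in lengths:
        # The supernet of this address at length plen. If it is in the table,
        # it is the longest match, because longer lengths were tried already.
        candidate = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        table = by_len[(ip.version, plen)]
        if candidate in table:
            return candidate, table[candidate]
    return None, None


if __name__ == "__main__":
    subnets = load_subnets(SUBNET_LIST)
    for addr in ("10.20.5.9", "10.20.7.1", "10.99.0.1", "172.16.0.1",
                 "2001:db8:abcd::10"):
        net, where = find_location(subnets, addr)
        print(f"{addr:20} -> {net} ({where})")
```

To use it on a real list, read the file into `load_subnets` once and call `find_location` per address; an address outside every listed subnet comes back as `(None, None)` rather than being silently attached to the nearest location.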



Crazy discovery in Meraki dashboard

I was copy/pasting addresses into the device location on new devices in our Meraki networks, but had to take a call to locate a device in the middle. When I went back to Meraki, I pasted a MAC address OUI into the address box..

The map on the device summary jumped to the office building of the company that owns that OUI. That just blew my mind so much I had to share it.



Juniper Ex4300 reject problem

Hi there, I have a Juniper EX4300 with JUNOS 19.1R3-S5.3 and a CentOS cPanel server. I'm rejecting the IP addresses I've detected through cPHulk with this command: set routing-options static route ip/32 reject

There is no error on the switch, but when I check my server later on, I see the rejected IP addresses again in cPHulk. Can you help me? Am I doing something wrong?



Cisco AnyConnect Dynamic Split Tunneling

I’m looking to disable the “allow user to select connection profile on the login page” option for our Cisco AnyConnect environment and apply settings dynamically based on a user’s LDAP group membership. I’m able to dynamically apply an ACL to a specific user group via Dynamic Access Policies. However, I’d like to also dynamically apply split tunneling settings, including whether or not split tunneling is enabled, based on user group membership and there does not appear to be a way to set this using Dynamic Access Policies.

I attempted to make this work using an LDAP Attribute Map that maps a user group to a Group Policy, since the split tunnel settings are present in Group Policies. But the Dynamic Access Policies seem to override any LDAP Attribute Map that I create. For instance, if there is no matching Dynamic Access Policy for the user group that I’m testing with, the DfltAccessPolicy gets applied before the LDAP Attribute Map and terminates the VPN client session at logon.

Am I trying to do something impossible here? Will I have to keep allowing users to select a connection profile in order to only enable split tunneling for some users?



What could be causing STP compatibility mode flapping in Dell OS10

Hey everyone, we have a pair of Dell S-5212FON switches that keep flapping between STP and RSTP on a port-channel. They are both getting flooded with logs saying “%STP_COMPATIBILITY_MODE: STP:Compatibility mode change received for interface port-channel1.Interface operating mode is STP/RSTP for vlan 1.” I ran the command “show spanning-tree compatibility mode” and all of the other interfaces are running RSTP. For the port-channel, all of the VLANs except one are running plain 802.1D. Every time I run that compatibility command, it switches between STP and RSTP. I can’t seem to find any good documentation of this log message or this behavior. Is this potentially a firmware bug? I haven’t been notified of any issues; I just noticed it when doing some health checks on this customer's network. Sorry if this is a newbie question, I am just a young and new jr. network engineer with not much help.

Thanks!



Possible routing issues in a Vlan

Hey all. Hopefully I can get some assistance in here.

We have distribution switches that differ in model: one is a 6880 and the other is a stack of 2x 3750-24P. Some end user devices (including but not limited to virtualized desktop machines and VoIP phones) link into FEX switches that communicate with the 6880 distro, and other end user devices go into the access switches which communicate with the stack. The issue, since these virtual machines use one VLAN for services, is that half of the end devices have aging ARP and IP assignments but the other half does not. As a Level 1 network tech, I have yet to comprehend complex routing in areas like this, but I played around with the running-configs.

When I did my show run particularly on interface VlanXXX on the stack, I found this:

interface VlanXXX
ip address xxx.xxx.xxx.xxx / 26
ip helper xxx.xxx.xxx.xxx
ip helper xxx.xxx.xxx.xxx
no ip redirect
no ip proxy-arp
ip ospf xxxx area 0

The same command on the 6880 gave this:

interface VlanXXX
ip address xxx.xxx.xxx.xxx / 26
ip helper xxx.xxx.xxx.xxx
ip helper xxx.xxx.xxx.xxx

Out of curiosity, I copied the stack's running-config over to the 6880, gave a clear arp-cache interface VlanXXX command on both switches, and something good happened. Not only do the end devices' MAC addresses now correctly appear on their respective distribution switches, the end devices on the 3750 stack also had their IP assignments start aging, which tells me traffic passes and services are online.

But now, the half within the 6880 does not age.

I'm trying to end this issue by having all customers getting online. Wonder if redditors can help out. ...

Thank you.



CONFUSED ABOUT THE JOB

Hey all, I have a question related to a networking career. 2 years ago I got a job with Cisco TAC; it was not with Cisco but a different company handling Cisco TAC. I left it within 2 months due to my stupidity. I did not leave any notice or anything, just got up from my seat and came home, and never went back. Now I want to join networking again, as I have realised my mistake and want to pursue a career back in networking. If I try to join back, will I be able to? Will I face any issues in pursuing it as a career because of my mistake? Will I be able to join Cisco? PLEASE HELP, I AM IN A REAL DILEMMA...



IPsec over VTI vs standard S2S VPN question

My company has several site-to-site VPNs with different vendors. Every time we add a new tunnel, we have to exchange parameters for phase 1 and phase 2 in order to make sure they match on this side. One of the options is Main mode vs Aggressive mode.

This got me to thinking about our branch offices that have 2901 routers and use IPsec over VTI to connect back to another router at HQ. From my understanding, there is no Main or Aggressive mode with IPsec over VTI, but I don't have a solid understanding as to why IPsec over VTI doesn't use them, but standard site-to-site VPNs do.

Can someone explain to me why the typical site-to-site VPN, say between two businesses, uses either Main or Aggressive mode, and IPsec over VTI doesn't?

I feel like an idiot not knowing this because I've been doing Network Admin work for several years, and have a good amount of experience working with various types of VPNs. My thought is the site-to-site tunnels have to negotiate the parameters because the peers are each managed independently, and IPSec over VTI doesn't because they're statically configured on both peers and typically managed by the same party.

Am I on the right track here, or way off? Any insight would be greatly appreciated



ASR1002-X issue after upgrading

I have 4 ASR 1002-X routers acting as PPPoE servers.

I upgraded three of them to asr1002x-universalk9.16.09.07.SPA.bin and ROMMON to 16.7(1r) as recommended in

https://www.cisco.com/c/en/us/td/docs/routers/asr1000/rommon/asr1000-rommon-upg-guide.html#con_60840

but since the upgrade our PPPoE users have started suffering from sudden stops on some websites and apps for 1 minute or more, at random times, and then everything returns to normal.

This issue keeps happening throughout the day. The sites are reachable through ping and DNS resolves their domains normally; the issue happens only on two of these three routers.

If you have any clarification I would appreciate it.



How big of a difference is there between BIG-IP 11.6 (2016) and 16.1 (2021)?

If I master 11.6, will I be lost in 16.1?



Looking for LTE/5G small scale network vendor recommendations

Does anyone have experience with private LTE/5G network products? We're looking to deploy LTE at a mine site. I know there are multiple new vendors in the market; we'd like to save cost by using a product designed for smaller networks.

Thanks for your input!



Automation for Huawei VRP-based devices

Hi folks,

I started a new job earlier this year and now have to work with Huawei VRP-based devices (NE20, NE40, etc.)

I'm currently looking into doing some automation and stuff using Git and Ansible.

I can do some basic tasks (like issuing some commands) using Huawei's ce_collection.
But since those scripts were developed for CE devices, they seem to lack some functionality (mainly responding to prompts & stuff).

Are there any other tools/resources for managing/automating Huawei VRP devices you know of?

We've looked into Huawei's NCE but from what I've seen this doesn't quite do the job.



Thursday, August 26, 2021

Paid WiFi Network Deployment for Festival

I have an opportunity to deploy a WiFi network at a week-long event with poor cellular connectivity.

Details:

  1. Symmetric 1 Gbps fiber network connection on site.
  2. Some open fiber on-site for networking.
  3. Max 2000 clients, but more likely 1000.
  4. The demand is there, attendees complain each year.

Questions:

How would you deploy this in one day for an event in 10 days (need to order equipment) so that it works reasonably well? It's acceptable to limit access to X number of users per day.

Which network equipment? Router/Switches/AP

I've spoken with www.mywifinetworks.com and they seem to confirm their software will work for the paywall. I've seen Ubiquiti has built in options for Stripe, but seems the integration lacks a secure connectivity to the Stripe API.

Any ideas are welcomed.

If you're in Iowa and want to work on a side-hustle, that would be an option.



Manual or automatically change wifi channels?

Which is better in a crowded wifi environment?

Thank you for reading and hopefully answering. :)



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Are there sites for small contract networking jobs and consulting?

Just spoke with a friend and he asked if there were sites where I could find short term contract networking work outside of my main 9-5 job. Do any exist? I haven't been able to find any but thought I would at least ask?



Can we talk about a strange problem on my network?

So, I want to preface this issue with the understanding that I'm a reasonably capable sysadmin with a fair bit of experience in troubleshooting networking issues BUT, I'm not a "network guy."

Now, I've been thrown into a new environment with ZERO legacy knowledge and ZERO knowledge transfer from the last guy who left. Which is fine. Whatever. It just means there's a LOT of controls, routes and hardware that I'm unsure of. Unsure of exactly what all is in place, what all we're currently relying on and what all is there, quietly screwing stuff up, that has been mothballed but not decommissioned.

I have a good approximation but, nothing definitive.

ALL that said.....

So, yesterday, a specific website and all of its subdomains started timing out on us. No changes to the traffic rules or routes that anyone knows of (and, honestly, *I'd* have been the one making changes, ostensibly). I don't hear about this issue until this morning, around 1000 hours. So, we're 24 hours behind the trail and now it's a real problem because it's been broken for a whole day and nobody has fixed it.

I test the site, and it's not coming up. I test it from my phone and, boom, it's alive. I fire up a laptop and connect to the enterprise WIFI, no joy. Connect to a hotspot, it works (so it's not the OS doing it). I connect to VPN, it works. I google, but the results for "a website doesn't work from my corporate network" are a bit .... voluminous.

What I have is a site that works but, not if I'm connected to my regular production network. However, it's fine from the VPN interface on the ASA, which, naturally bypasses a lot of our corporate controls. (I do not know why)

Since it's *always* DNS, I start there. Our DNS is controlled through an Umbrella VA and it's running well, the VA dashboard assures me that not only is this domain intentionally whitelisted but, added to that, the traffic is being allowed, according to the logs.

On to the firewall! That's not the culprit, either. We ran traps at the interface and find the traffic is flowing with reckless abandon into the ether, we just aren't getting anything back.

Now I'm starting to feel stupid. I will happily and readily admit that networking isn't my strong suit. I'm "OK" at it, I have a deep understanding of protocols, ports, traffic and controls but, in practice, troubleshooting packets isn't what I'm good at.

I *can* say these things:

It doesn't *appear* to be DNS

It almost certainly isn't the firewall

It definitely isn't something on the desktop

I simply have no idea where to go from here.

I don't expect anyone to say "this is your problem, obviously" and offer me the magic ticket. I would greatly appreciate anyone chiming in with some ideas on where I might look for the "thing that fell over" so I can put it back where it was.



Best way to utilize transparent lan service between sites?

I'm a little stuck trying to plan some network changes for a business, mostly because while I'm pretty familiar with VLANs and such, I'm not super familiar with routing and service provider level networking.

Right now our head office has fibre internet. Instead of internet connections at our branch offices, the fibre provider also gives us transparent LAN service between head office and the branches at different buildings. It all goes through the same fibre connection, with different VLAN tags for the internet and each site. On the firewall (pfSense) at the head office, we've got several VLANs setup for each site, using QinQ to double tag the traffic heading to the branch offices. The branch offices just have a QinQ capable switch that adds/removes the service provider VLAN tags over top of the local VLANs and breaking it out into the different networks.

It works fine, but I feel like this isn't great for a couple of reasons:

  • All the broadcast traffic from the branch offices has to needlessly go over the transparent LAN service
  • Managing all the separate VLANs as we add more offices from that one pfSense box is getting a little cumbersome. It would be nice if each branch office had its own pfSense firewall and did most of the work there, with the head office one just sending the traffic to the appropriate VLAN at head office or to the internet.
  • I'd prefer that the site-to-site traffic be encrypted, so if the fibre provider screws something up, nobody is getting access to our internal VLANs. It's not an actual requirement though.

So what's the best way to setup a network where you have several branch offices connected by transparent lan service, each with several separate VLANs, and internet only at the head office?



Basic VLAN Question

If I have my APC Battery management cards and Network switches on a VLAN 500 and my workstation is on the default VLAN, how would I get access to manage those devices from my computer?

Or should I just leave those devices (APC Battery Management and Network Switches) in the default VLAN?



Gamechanger Ethernet Cable

Anyone have experience with Gamechanger Ethernet cable?

Gamechanger Cable

I had never heard of this before but our cable vendor is pushing it due to its better than spec performance.

Theoretically it is device agnostic and doesn’t use any kind of repeating. Just a higher gauge cat6 with some secret sauce build.

Probably more expensive but we do have a lot of longer than spec runs needed, so it could save us an IDF or two. Yeah



MSPs world

Hi all! I've just been promoted to product manager in the SASE company I'm working for.

I would like to better understand the market's needs and pains and would like to interview some MSPs and of course share some ideas regarding this world.

If you are interested please pm me :)

Great day!



What are your biggest frustrations with online training courses?

The state of the training world these days is online, self paced courses. The trend towards that started before Covid, but Covid certainly brought it about faster.

To that end...

What are your biggest frustrations with online training courses?

And just to keep it from being all negative...

Regarding the positive online course experiences you've had, what elements contributed to them being the best?



Networking question subnets

Hey, I am a student learning cybersecurity and networking. I was wondering: since we get our IP address from the ISP, can we set up our LANs with different IP addresses than what the ISP provided, and still connect to the internet through the router's default gateway, where the one interface would be "ip address dhcp" because we are getting our internet from the ISP?



The ONLY computer who can't access router page

Hello, I used to connect to my router page using 192.168.1.1, but suddenly it stopped working, and the thing is, it stopped working only for my PC, the other devices (even phones) can access it with no problem.

I obviously tried restarting it, I also tried setting a different IP address manually, I tried disabling my firewall, tried to put http or https before the number, tried different browsers.

Any idea how to fix this, and why is it even happening in the first place?



Cloudvision vs. DCNM/NAE/Insights/MSO

I'm wondering if anyone can provide real world examples of how DCNM/Insights or Arista's Cloudvision have either negatively or positively had an impact to how you run the Data Center.

We're presenting the two solutions to our executive sponsors and would like to be able to articulate pros/cons for both based on some real world feedback.



Windows Server 2019 and DHCP Range question

I'm new to networking.

Running a small business network of about 30 workstations.

1 windows 2019 server

1 Firewalla Gold firewall device.

This may seem really, really silly. I was having issues with the server having "unidentified network" or being connected to the domain but with no internet (even though it had internet): the "yellow exclamation mark".

Most of the times I would reset the network, and sometimes it would work and everything would go back to normal

I took a look at the firewall setting and noticed the range was from .2 to .200

The server is set to .249 (we access an ASP.NET app from the server).

So, I increased the range to .250

Restarted everything and everything seems normal.

Could that have been the issue?



Wednesday, August 25, 2021

Cs tutor

Hi! I know someone who is an IT major in university seriously struggling in the principles of networking class. If you can be of assistance or be a tutor we can discuss payment. It would mean the world to me. Thank you.



How many users behind a single public IP, before using PAT pool?

People who manage large enterprise networks, do you have a pre-defined number of users that you run behind a single public IP before you need to expand to a PAT pool?

I've seen situations before where it's been exhausted at peak utilization, and the obvious solution for this is to just expand to a PAT pool, but I'm curious about what experience others have had. Is there a spot that the line would normally be drawn, or do you normally just increase the PAT pool as required?



Thoughts on new dual router/dual gateway architecture

We are migrating from a single router/single internet GW to a dual router/dual gateway setup. We're aiming for chassis redundancy, with the accepted risk that we'll need smart hands to physically move the southern cloud connection in the event the eastern router fails. We would split our network announcements over BGP across both transit links for load balancing. Communities are available to AS path prepend so that the networks are advertised on both links, but half would only be preferred if the other link failed (hopefully that makes sense to you, my dear reader!). So in essence, network 2.2.2.0/24 is advertised on the west transit link, but with an AS prepend community so it won't become a real route unless the east path fails. We are currently only receiving a default route from our transit provider, so my question is, how can I route egress traffic from the bottom "cloud" out the appropriate path, so that 1.1.1.0/24 routes out west, and 2.2.2.0/24 routes out east? Our SE thinks we'll have to take full routes on our transit and use BGP to manipulate the routing to achieve this. This might also be possible with VRFs or EVPNs, but he thinks we would need two links towards the bottom cloud. With our current architecture, 1.1.1.0/24 would ingress on the western transit link, but egress on the eastern transit link due to the preferred default gateway (asymmetric routing). Multipath and a route map weighting the western default route the same as the eastern would result in asymmetric traffic as well, but traffic could flow out the east and west at least.

What should I look at implementing here, networkers of reddit?

https://imgur.com/a/3Sw0gc3



Multi user Jumpbox with firewalls? How do I build one?

Hi everyone. I was hoping someone else has done something similar. I'm trying to build a centralized jump box / jump station. A place where multiple users can log in and connect only to an approved list of IP addresses for that specific user. Is this a simple task? Any tutorials on it? Has anyone else built one?



Ubiquiti UNMS for 2000 devices

Anybody have recommended specs for a server that runs UNMS for 2000 device network. I can’t seem to find any information about how well it scales on the Ubiquiti documentation.

No limit on power or rack space.



TCP Connection timeout

Hi /r/networking

We have a Java Enterprise Application interfaced with SAP and we send data from the application over to SAP through an HTTPS SOAP web service. We seem to get a java.net.ConnectException: Connection timed out: no further information exception once every week for all our transactions being sent out to SAP, and apparently if we restart the JVM/application and send the transactions again they all go through perfectly fine. I am not a networking guy but wanted to understand what should be the basic steps for debugging this sort of issue.

Also when does a connection timeout happen? 1. The machine/server is not reachable? 2. Our application is able to connect to the SAP servers but SAP servers are slow to process the request which eventually results in a connection timeout?

Again forgive me if this is the wrong platform for asking such questions
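As an added illustration (not part of the post), a Python probe that tells the failure modes apart: a connect timeout means no SYN-ACK ever came back (host down, unreachable, or a firewall silently dropping the SYN), a refused connection means the host answered but nothing is listening, and a server that is reachable but slow shows up as a read timeout after the connection itself succeeded. The unresponsive listener used for the slow-server case is constructed locally.

```python
import socket

def probe(host, port, connect_timeout=2.0, read_timeout=1.0,
          request=b"GET / HTTP/1.0\r\n\r\n"):
    """Classify what happens when we open a TCP connection and wait for a reply.

    Returns one of:
      'connect_timeout' - no SYN-ACK within connect_timeout: host down,
                          unreachable, or a firewall silently dropping the SYN
      'refused'         - host answered with RST: reachable, nothing listening
      'unreachable'     - local/intermediate error (no route, network down)
      'read_timeout'    - TCP handshake completed, but the application did not
                          answer within read_timeout (the slow-server case)
      'closed_by_peer'  - peer closed without sending anything
      'ok'              - data came back
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.settimeout(connect_timeout)
        try:
            sock.connect((host, port))
        except socket.timeout:
            return "connect_timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError:
            return "unreachable"
        # The handshake is done by the kernel, so connect() succeeds even if
        # the application on the other side never gets around to reading.
        sock.settimeout(read_timeout)
        try:
            sock.sendall(request)
            data = sock.recv(1)
        except socket.timeout:
            return "read_timeout"
        except OSError:
            return "closed_by_peer"
        return "ok" if data else "closed_by_peer"
    finally:
        sock.close()

def silent_listener():
    """Constructed stand-in for a reachable but unresponsive application:
    the kernel completes handshakes into the backlog, but nobody accept()s."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

def free_port():
    """A loopback port that was just released, so nothing listens on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

if __name__ == "__main__":
    srv, port = silent_listener()
    print("slow application  ->", probe("127.0.0.1", port))        # read_timeout
    srv.close()
    print("nothing listening ->", probe("127.0.0.1", free_port()))  # refused
```

A weekly "Connection timed out" on connect therefore points at the handshake never completing (path, firewall state, or the peer host), not at SAP being slow to process a request it already accepted.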




AWS <-> Equinix Colo: any experience?

Hi all,

I have a VPC in AWS and a router in an Equinix rack. I need to be able to route IP traffic from AWS and through that router in Equinix for specific IPs (as well as the reverse path).

Does anyone have experience building out a similar network architecture? There is no compute happening in Equinix -- all compute happens in AWS and then on the other side of the router. I just need traffic to flow AWS <-> Equinix.

Would appreciate a response or PM if anyone has done something similar and knows the potential solutions to this. Thanks :)



Sending full routing table with prefix-list

Hi guys,

I am a fairly new network engineer with a small ISP. I am trying to create a route-map that sends the full routing table to customers. I am wondering if there is a way to match all the routes with a prefix list or do I have to manually type in all the prefixes?

I have already created one to send the default route and it looks like this:

ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0

My router is a Cisco ME360



Cisco Ncs 540 and licensing model

Hello community,

We are currently looking at some N540-28Z4C and we are having some trouble understanding the licensing model. The router has 28X10G and 4X100G.

When it comes to 10G ports, we would need to buy 1*RTU license + 1*Term license (3-5 years), both mandatory. What is not clear is what happens when the term is over. Would the ports just drop like this? Which would be a time bomb. Or are those licenses just honor based?

Also our Cisco AM told us that there is no license required for the 4x100G ports which doesn't really make sense when you read about 10G licensing model..

Does someone use one of those and can bring an honest opinion/clarification about the above?

thanks



Chromebook issues with Cisco WLC redirect splash page.

Hi guys, we have a customer that uses a guest network for their Chromebooks, and attached to this SSID is a splash page redirect showing terms of service for them to accept. The users can connect and browse successfully, but an issue arises where the Chromebook will sometimes re-ask the user to sign into the portal, and when the user clicks to go to the terms of service it bombs out saying it can't reach there. Turning off the laptop for some time and then restarting fixes it, but I am unsure why they are getting hung up on reconnecting to the splash page. Any help or ideas would be great.



Looking for the difference between Speed and Bandwidth

Hi, I’m a freshman in college wanting to go into networking. I’m having a little trouble grasping the concept of Speed vs. Bandwidth.

I understand that, say, a Gigabit internet plan has a speed of 1000 megabits per second, or 1000/8 megabytes per second.

Does this, also, then mean that the maximum amount of bandwidth is 1000/8 MB/s? Is there any reason to use anything other than a CAT5e ethernet cable, other than with switches?

Is there even a difference between the two? In my mind, it doesn’t quite make logical sense.



Determining topology --

Hey I'm studying IT Networking and I must say this is a very complex course. I sorta regret even getting into it :'(

But I'm doing a project and would appreciate your view on it.

I'm creating a topology for a business which operates a training center. This business needs storage for training videos, and currently it is being stored on one hard disk along with other data like the names of students and the courses being offered, etc. They are running a star topology.

The scenario being:

I need to design another topology that would keep the business running even when there is a single disk failure. The same videos should be able to run in multiple classrooms at the same time. They have to run smoothly. These vids are occupying the full hard disk and their library is expected to double, so I need to have a repository for storage of training videos, a NAS. The system should be only accessible by the staff.

I also have to use cat 5e cable for this

I'm so confused on what topology to even use in such a problem.



Tuesday, August 24, 2021

What’s your favorite TIA ISO Certifier?

I have used nothing but Flukes in the past and I am looking to purchase a new certifier. What do you like more than the Fluke stuff if anything?



Replies from the wrong IP address: When might this come up?

I was talking to a network scanner (think: nmap, but commercial) vendor recently. They said something like:

We keep track of multi-homed systems by encoding a unique payload in packets we send. If we send to one IP, and get that payload back in a reply from a different IP, then we know it's the same system.

The specific examples of payload they gave were:

  • ICMP echo-reply payload
  • TCP SYN probe initial sequence value

So, okay... I think I understand the technique. But I don't understand how it helps. Like, ever.

Under what circumstances might I send a ping (or TCP SYN) to address "A", and get a reply stamped with "B" in the source IP field?

The only examples I can think of are:

  • a contrived situation with asymmetric paths and NAT (not actually an example of multi-homing, but half-broken inline address swapping)
  • some terrible microcontroller IP stacks which don't validate fields in the IP header, will respond no matter what you call them (also not an example of multi-homing: you have to go out of your way to make this happen)

Anybody have an example that I might be able to reproduce?

Thanks!



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Networking question (ASA 5508 to Azure route based VPN tunnel)

Hi everyone, I am trying to understand why our ASA is not being picked up by Auvik (network monitoring tool), and after some troubleshooting, I learned that the server that the Auvik collector is installed on is not able to ping the ASA's inside interface at 192.168.75.254.

The Server is on 10.40.4.8/24 and there is a route based VPN tunnel between the ASA and Azure.

Now, I have other devices on 192.168.75.0/24 that the Server is able to see with no issues. It is only the inside interface of the ASA that it cannot reach.

I was testing using simple pings (ASA is accepting pings) and I ran some packet captures on the ASA, and I am seeing that ICMP requests are being dropped because they can't find a route to the host:

icmp: echo request Drop-reason: (no-route) No route to host

Can someone shed some light and point me towards the right direction? I have been trying to troubleshoot this for a while now.

So I know for a fact I can ping the ASA inside interface from within the 192.168.75.0/24 network. The Server at 10.40.4.8 can pretty much ping everything but the 192.168.75.254 (inside interface of the ASA)



Quoted $17,500 to upgrade our network

Hello Friends,

Let me start by saying while I am techy, can troubleshoot, etc. I am a little over my head right now. Currently our business network is on a 50mbps down / 10mbps up plan with our ISP. We are experiencing some delays when it comes to using our VOIP phones and when needing to do zoom meetings, etc. We were given the all clear from upper management to upgrade our plan to Gigabit. The issue with that is the current switch is limited to 100mbps up and down and therefore would need an upgrade too in order to handle the upgraded speeds.

The price we were quoted was $22,000 CAD (about $17,500 USD). This does not include any new cabling as the building has cat6 and cat5e network cables throughout. What it does include is:

  • Meraki MX105 Cloud Managed Security Appliance
  • Meraki MX105 Advanced Security License, 3 Years
  • Meraki 1 GbE SFP Copper Module
  • Meraki 10G Base SR Multi-Mode
  • Meraki MS120-48FP Switch L2 Cloud Managed 48PT GBE PoE
  • Meraki MS120-48FP Enterprise License, 3 Years
  • Meraki MS125-48FP L2 Stackable Cloud Managed 48X GigE
  • Meraki MS125-48FP Enterprise License, 3 Years
  • Meraki MS210-48FP 1G L2 Cloud Managed 48X GigE 740W PoE Switch
  • Meraki MS210-48FP Enterprise License, 3 Years
  • Meraki 10 Gb Twinax Cable with SFP+ Modules, 1 Meter
  • Meraki AC Power Cord for MX and MS (US Plug)

This just seems like a lot to get our 11 workstations better internet speeds. Could someone please advise if this is way over the top or if this is standard? Would there be a cheaper option that doesn't risk network security?

Edit to add: This quote was given to us by our outsourced IT guy who manages our network and its security.



Cisco ASA NAT (any,outside) question

I am having an IPsec site-to-site branch-1 to branch-2 routing issue and I have the following NAT rule. I read most people saying use nat (outside,outside), so the question is, does (any,outside) also mean (outside,outside), because any = any interface? Am I missing something here?

nat (any,outside) source static obj-NET-PRIVATE obj-NET-PRIVATE destination static obj-NET-FOO obj-NET-FOO 


Question Regarding a VPN Connection and Static Routes

Sorry if this is an amateur question, but I am an L1 tech (working on my NET+) and have been tasked with a networking dilemma.


Current Situation (A-B-C):

  • Location A - 10.0.0.0 network (Not managed by me)
  • Location B - 172.16.0.0 network (Managed by me)
  • Location C - 192.168.0.0 network (Managed by me)

Location A and B had an existing VPN connection between the two, with an important file server at location A. Location C was just opened up and I added a VPN connection between B and C. Because location A is not managed by my company we cannot access their networking equipment and connect A and C, however users at location C need to access to that file server at location A.

I was told it is possible to allow hosts at location C to connect to the file server at location A using static routes. I have not been able to set this up successfully yet, but I am trying to gain an understanding of exactly what I am doing. In this example, is adding static routes at the location B gateway, essentially saying if I am at location C trying to reach a host at location A, then by using static routes the traffic will flow from C to B using one VPN connection, be unencrypted or whatever, and then sent again over technically another VPN connection from B to A, as opposed to going directly from C to A?


Still being new to this I thought that simply connecting sites B and C would give site C access to A, but obviously I am wrong.

Thank you for your time and consideration.



CUCM - File browser or winscp or?

Just out of curiosity, tried Winscp. Nada.

What am I missing?

Cisco being special?



Hello guys, I really need a piece of advice about RDP

I want to get RDP for the first time and I found a bunch of them, but I need to know what I should understand before getting one. So if you have experience with that, can you recommend me some names? I will really appreciate your help.

thank you



Ping reply goes out, never received (internet)

We have several locations with a basic cable modem internet connection where we use DMVPN. Our NOC monitors the broadband with a ping to the static IP. We set up routing to ensure the response goes back out the internet connection instead of the tunnel. On a very small number of locations (Like <5 of 650+) we see the ping arrive on the remote router and response go out, but the response never arrives back at the DC where the monitoring servers are. Remote locations are running Cradlepoint routers.

So far we've been assuming that some device on the internet in the path is dropping ICMP and there's nothing that we or the ISPs can do about it, but is there something we could look at to deal with this situation?



Cisco SG300-52P no longer passing traffic, no console access

Hey all, I have a friend who runs a small non-profit and they're having problems with their SG300-52P. Unfortunately, their IT company is a single guy and he's away so they don't have anyone to help them in person until next week.

There were storms last week and they lost power long enough for the UPS to die. After power came back they powered on the UPS. Since then the switch hasn't worked. It powers on and lights are on on the ports but it won't provide PoE, pass traffic, and the management IP is inaccessible. Bypassing the switch and going straight to the router works fine.

They can't find the serial cable that came with the switch so I had them get a USB to serial adapter: https://www.amazon.com/dp/B0759HSLP1 and gender changer: https://www.amazon.com/dp/B00005111M. The docs seem to indicate a null modem isn't required, so we didn't get one. Attempts to connect to the console were unsuccessful. Tried multiple baud rates and don't get anything back.

Has anyone seen this happen with a Cisco switch before? Any suggestions on what we could try? Thinking about having them get a straight through serial cable as well as a null modem just to try both, but everything takes a day to get so trying to cover all bases.

Thanks in advance!



First major mistake

Hi guys

I started as a junior networking engineer. Everything was ok until I made a mistake one day, bringing the datacenter down for a few minutes. The mistake was easily fixed and coworkers said that it is not a problem and to be more careful next time.

The problem is I have this doubt now in my work; even when configuring a simple trunk with allowed VLANs, there is some fear. Before that I had no problems with L3 or L2, but because of the recent incident I have some sleepless nights...

I'm interested in your stories of mistakes, how you coped with them, etc.



Help to understand prefix-list

Hi, I am receiving the below routes from a BGP neighbor:

  • 10.240.6.0/24
  • 10.240.2.0/24
  • 10.240.0.0/23
  • 10.240.3.0/25

If I add the prefix list entries:

permit 10.240.0.0/19
deny 0.0.0.0/0 le 32

will I block the mentioned prefixes from the neighbor? Should I look at the first two octets to be 10.240.X.X/19? If there were, for example, 10.240.5.0/19, would there be a match? Thank you in advance
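An added example, not from either post: a small Python model of Cisco-style prefix-list matching (exact length unless ge/le widen the range, first match wins, implicit deny at the end), run against the routes and entries in this post and against the DEFAULT-ONLY list from the "Sending full routing table with prefix-list" post earlier on this page. The match-everything list and the "le 32" variant are constructed for comparison.

```python
from ipaddress import ip_network

# Model of Cisco-style prefix-list matching. An entry "permit A.B.C.D/N"
# with no ge/le matches ONLY routes of length exactly N whose first N bits
# equal the entry; "ge"/"le" widen the accepted length range.

def parse_entry(line):
    """Parse 'permit|deny <prefix> [ge N] [le M]' into (action, net, ge, le)."""
    tokens = line.split()
    action = tokens[0].lower()
    if action not in ("permit", "deny"):
        raise ValueError("entry must start with permit or deny: %r" % line)
    # strict=False clears host bits, e.g. 10.240.5.0/19 -> 10.240.0.0/19,
    # which is how a router stores the prefix as well.
    net = ip_network(tokens[1], strict=False)
    ge = le = None
    for key, value in zip(tokens[2::2], tokens[3::2]):
        if key == "ge":
            ge = int(value)
        elif key == "le":
            le = int(value)
        else:
            raise ValueError("unknown keyword %r in %r" % (key, line))
    return action, net, ge, le

def entry_matches(entry, route):
    """True if the route's first net.prefixlen bits agree with the entry
    and its length falls inside the entry's accepted range."""
    action, net, ge, le = entry
    if route.version != net.version:
        return False
    if not route.subnet_of(net):
        return False
    low = ge if ge is not None else net.prefixlen
    if le is not None:
        high = le
    elif ge is not None:
        high = route.max_prefixlen
    else:
        high = net.prefixlen  # no ge/le: exact length only
    return low <= route.prefixlen <= high

def evaluate_prefix_list(entries, prefix):
    """Walk the list in order; first matching entry decides, else deny."""
    route = ip_network(prefix, strict=False)
    for line in entries:
        entry = parse_entry(line)
        if entry_matches(entry, route):
            return entry[0]
    return "deny"  # implicit deny at the end of every prefix-list

def filter_routes(entries, prefixes):
    return {p: evaluate_prefix_list(entries, p) for p in prefixes}

# Entries and routes from the post above.
PREFIX_LIST = ["permit 10.240.0.0/19", "deny 0.0.0.0/0 le 32"]
RECEIVED = ["10.240.6.0/24", "10.240.2.0/24", "10.240.0.0/23", "10.240.3.0/25"]

# DEFAULT-ONLY from the full-routing-table post, plus a constructed
# match-everything variant for sending the full table.
DEFAULT_ONLY = ["permit 0.0.0.0/0"]
MATCH_ALL = ["permit 0.0.0.0/0 le 32"]

if __name__ == "__main__":
    # Exact-length permit: none of the four longer prefixes match it, so the
    # "deny ... le 32" entry catches all of them.
    for p, verdict in filter_routes(PREFIX_LIST, RECEIVED).items():
        print("%-16s -> %s" % (p, verdict))
    # Adding "le 32" to the permit accepts every prefix inside 10.240.0.0/19.
    print(filter_routes(["permit 10.240.0.0/19 le 32"], RECEIVED))
    print(filter_routes(DEFAULT_ONLY, ["0.0.0.0/0", "10.240.6.0/24"]))
    print(filter_routes(MATCH_ALL, ["0.0.0.0/0", "10.240.6.0/24"]))
```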



Route based vs Policy based VPN match on each side?

Hello all,

Today, I had a discussion with my colleague about VPNs. Last week, I set up a VPN tunnel and showed him my VPN configuration which is a route based VPN. He told me that it is important that both sides needs to match if it is route based or policy based. So if I configure route based on my side, the customer/partner needs also to configure route based on their side. Now me personally, I've never heard of this before. I know of course that phase 1/ phase 2 needs to match on both sides, but I never thought of that it is important that each side needs (or rather best practise) to match when going for route based or policy based.

He did not have much time to explain unfortunately. I tried to look it up but could not find any answer to this question. I would appreciate if someone could explain this to me. Also, a reference to this would be very appreciative!

Thanks.



Netgear m4100 dns question

So I have an internal server with a public ip.

I have a domain that points to this ip for a Nas.

I can access it outside the network just fine. But inside I can not reach it.

How can I set up my switch to point traffic from the domain to the public ip of the server?



Best Practice - Physical or Virtual 'Trunking'

I really hope I'm using the term trunking right here. I have a Sophos SG135 which utilizes only the LAN (eth0) and WAN (eth1) ports currently. The other ports are available (eth2 through eth7). I am going to start configuring VLANs on this device but am wondering if I should configure the VLANs on their own interface or configure them on eth0.

The reason I ask is because I'm given the option of using any port when going to create my VLANs. If there's a performance or security benefit to utilizing different physical interfaces, or not, I would love to know.



Anyone successfully automated switch upgrades?

Hi,

I am currently looking into automating the upgrade process for our switches, but it looks like it may be somewhat complicated.

I was thinking something along those lines:

  1. Use Ansible to ensure the desired image is uploaded to the switches for each model. As such, when ready to upgrade, the image would already be present.
  2. Using a script, execute the required commands on each switch (list of devices would be obtained dynamically from our inventory software), validate that the device is back up on the new version, and move on to the next one.

This shouldn't be too hard to implement for one model, but we have around 15 different switch models, spread across 4 different platforms.

Has anyone successfully implemented switch upgrade automation in the past? And if so, what was your preferred method?



Anymore Good Networking Message Boards

There used to be a lot more networking message boards going back 10-15 years ago, but it seems with sites like Reddit and Quora people's questions and concerns wind up there. Most of the board members go there when they're stuck and don't become daily posters. I came across networking-forums.com and techexams, the latter being on the Infosec Institute site now. Does anyone know of others? I'm already a member of Cisco's Learning Network.



Two or Four Firewalls Across Two DCs?

Just wondering what people do here? I’m a bit sceptical of only having two across two DC’s, mainly due to it introducing a single point of failure in a single DC. The network will be running VXLAN so we’ll be able to stretch the subnets, but I am worried about tromboning over the DCI as workloads are moved, and the potential disruption should a device fail, or if a DC is lost due to fire/flood.



Power-to-Byte Ratio Comparison Chart

I'd like to see a chart that compares wireless technologies at some distances from the antenna for analysis. Let's say:

-- all common WiFi protocols
-- 3G
-- 4G
-- 5G
-- Bluetooth
-- anything else?

Would also be good to show power output scaling for people. So if 5 devices, 50 devices or 500 devices are using a connection at that range. This is such basic information and it is strangely hard to find. Isn't that what supposed "educational institutions" are supposed to make easy for us to compare? Or at least the manufacturers to pitch us on the products...



Configure a HP Procurve 2910al-24g through DHCP

Hello all

I have acquired an old HP Procurve 2910al to build a small test lab in our company. It is just what we could scrape together so a storage, some servers and this switch. I know it's by no means the fastest or newest but it is enough (and the only one that we currently have on hand) to do the job.

However, I cannot configure it. Like, in the manual there are two possible ways, either via serial (for which we unfortunately don't have a machine here which still has a serial port, and no adapter on hand) or via DHCP. However, I configured one of the Windows servers with the DHCP and DNS roles, but the switch doesn't seem to want an IP from it. In fact, I can see on the interface that packets get sent from the server to the switch but no packets are received. Am I missing something? Is there something else that needs to be done?

I can see DHCP working because other devices get an IP in the configured range but not the switch strangely.

Thank you



Floating Static and Dynamic Routing

Having some oddness in a lab and can't seem to figure out this behavior. Please see the attached diagram: https://ibb.co/S0VpXZ0

-------------

1). Both sets of "CORE" switches are Nexus vPC pairs acting as a collapsed core

2). "VPN Pri" and "VPN Sec" are just vendor-managed VPN devices

  • these must be "active/passive"
  • We can only static route to them

3). Static routes are pointed from each vPC set to their respective VPN device

  • Site B has a route preference of 250 added to the static route so it prefers Site A's redistributed EIGRP route until it disappears from the table, then it uses the floater: (ip route x.x.x.x/24 x.x.x.x track 20 name VPN 250)
  • Site A has a default preference of 1: (ip route x.x.x.x/24 x.x.x.x track 20 name VPN)

Site B# show ip route 192.168.1.0/24
192.168.1.0/24, ubest/mbest: 1/0
    (Site A route) *via 10.0.0.1, Vlan10, [170/51968], 00:43:11, eigrp-100, external
    (Local floater) via 172.16.0.1, [250/0], 00:39:44, static

This works beautifully. When Site A's track goes down, this is what happens at Site B:

Site B# show ip route 192.168.1.0/24
192.168.1.0/24, ubest/mbest: 1/0
    (Site A route is deleted from RIB)
    via 172.16.0.1, [250/0], 00:39:44, static

However, when Site A's track comes back up and redistributes... I never see it get relearned by Site B again, and Site B continues to use its own local static (and consequently, it redistributes it to the WAN). I would EXPECT that Site B would just re-learn the Site A route again via EIGRP, but it doesn't until I force the track to go down at Site B (which removes the floater). At this point it re-learns the EIGRP route, and then when I bring the track back online, the floater gets put back in as a backup path.

In my mind, the floater shouldn't have to be removed/re-added just so Site B learns the dynamic route again from EIGRP. I'm thinking it could be a GNS3 bug but I'm curious if anyone knows whether or not this is indeed expected behavior? using N9Kv 9.3(1)



Looking for guidance with importing IPs into my netbox instance

I have setup a netbox instance at my company, and am liking it so far. We also have a solarwinds orion install, and that orion instance is dynamically tracking and aggregating IPs for our network. I would like to see if there is a way to dynamically set it up so that netbox is polling our orion instance so as to populate the netbox’s IPAM.

To do this, I assume some type of python scripting needs to be setup to do an API call against the orion install, but to be frank, I know nothing about python, and I’ve never set up an api call. Can anyone point me in the right direction to figure this out?

I learn best by taking something that is working, and then working backwards (and dissecting it) to understand how something works. So if someone just has a random python script that they use for netbox to pull any kind of data from orion, and a brief walkthrough on how to set that up, I can study that, reverse engineer how it works, and use that knowledge to learn how to get what I need for my custom api call.

Or if someone just has a “Post your question at this specific place”, that would be awesome too!

Thank you for your time!



No APs seen in Cisco Prime with WLC 9800L-F

I don’t see any APs under unified APs (Inventory/Device Management/Network devices). The only thing I see is the WLC itself, which is fully managed, so I’m not sure why I don’t see any of the APs. The AP discovery status has been stuck on "not yet completed" for a few days now. Cisco Prime version is 3.8.0.0.310, controller version is 17.3.3 and AP model is C9115AXI-I. Can anyone please help me with this?



Trouble Advertising same subnet across multiple MPLS, Multiple Data Centers

To keep it super simple, I have the following:

Two Data Centers that have a static path to a subnet through a private connection - that subnet is 10.80.0.0/16

Each data center attaches to two different MPLS Providers, each of those have a single router in the DCs. 4 DC MPLS Routers, two in each location...

Branch Office has one router from each MPLS router (two routers total).

I'm trying to steer this subnet - 10.80.0.0/16 through a particular data center, and BGP is automatically taking the unpreferred path (I know, it's probably taking the better path, but management wants certain offices to go through certain data centers)

I know a pre-pend would help if I had two different subnets, so I don't think that's the way.

I'm thinking I need to tell my Data Center BGP Routers in the preferred data center that the path to its router has a higher weight than the other routers. How can I go about doing that?

If that's not the right method to use, I'm truly stumped.



Aruba 501 Bridge Configuration

I posted previously about bridging our Wifi to an outbuilding and I thought it was working fine, but some wireless clients cannot stay connected.

The basic setup is:
`WAN -> (A) Aruba IAP-205 -> (B) Aruba 501 Bridge <--> (C) Aruba IAP-205`

ISSUE:

  1. The WAP (C) in the outbuilding does not join the WLAN Virtual Controller for the main building.

ASSUMPTIONS:

  1. Wireless clients probably cannot stay connected because they're trying to connect to the main building APs, which are too far away for the weaker antennas.
  2. The Aruba 501 bridge is NOT a Wifi Extender/Repeater/WAP.
  3. I only need 1 Station Profile set up on the 501 Bridge because it provides an upstream connection; it's not setting up a WAP.

POSSIBLE SOLUTIONS:

  1. Create a new SSID for the outbuilding and add this profile to all managed devices.
  2. Duplicate the main building's SSIDs and hope they don't conflict.
  3. Change hardware arrangement?


Computers randomly unable to join Wi-Fi network

Title is marginally vague so let me clarify. We have several hundred laptops, some domain joined and some not, that connect to our network daily. Earlier this year we introduced a RADIUS server for wireless authentication via a Windows 2019 Server with the NPS role. This server is based in azure to allow for both our students who only have azure accounts as well as our staff who have hybrid accounts to join the Wi-Fi. We have a UniFi system of APs and managed switches in place to handle all the internal networking with a FortiGate firewall as our gateway.

The problem is effectively this: The laptops on campus are typically able to connect but when they can't connect I find no reference of them even failing a connection on the RADIUS server. I've dug around our UniFi setup looking for something out of place that could be causing an issue and haven't found anything that stands out. The part that boggles my mind though is that at the same time as some of these laptops lose their ability to connect to the Wi-Fi, other laptops on the same campus, sometimes even in the same building on the same AP can connect just fine. There seems to be no rhyme or reason to it. The laptops that can't connect span all makes and models from Dell to Asus, from Windows to Chromebook. I can't find anything connecting all the ones with issues together. And they vary from day to day too. I thought maybe it was an issue with too much traffic but we have the same amount of people getting on the network generally around the same time every day and it doesn't happen every day. I'm stumped on what could be causing the problem. If any further info is needed to help troubleshoot I will provide what I can.



Asynchronous Routing

I am working with an IPSEC tunnel over GRE/OSPF between two hubs and two spokes. Our two hubs are redistributing routes over EIGRP to our enterprise network. Problem is, one of the hubs is pushing return GRE traffic out of the wrong interface and I can't seem to find out why. Someone had mentioned asynchronous routing to me but I'm a little hazy on the subject. Is this what could be going on here?



Anyone running a full Fortinet stack (FortiGates, switches, APs)?

Hey all,

We are planning an expansion of our infrastructure soon and are planning for rapid growth. Currently our stack is a jumbled mess of Ubiquiti and other prosumer junk. We have several remote sites that are pretty small footprint (probably requires 1-2 switches, 3-5 APs) and more on the way.

I currently run a Fortinet stack in my lab, and it gets the job done (although I do find the FortiLink interface to break after upgrades/reboots). One thing I love about Fortinet is that policy changes are instant (unlike Palo, Check Point) and generally seem to have a lower TCO (I could be wrong on this). I do know there is always a debate of which version of FortiOS you should be running in production and that their releases are sometimes considered to be more "beta" than production ready. (I'm currently running 7.0.1 in my lab.)

Does anyone have experience running a full Fortinet network stack in production? I'm talking the whole package - Fortigates, FortiSwitches, FortiAPs, and even their SD-WAN feature. I'd love to know your thoughts on it. Pros, Cons, Pain points, costs, upgradability, and any other things I should know.

Also, if anyone has experience with running Fortinet products in a more "infrastructure-as-code" manner, I'd love to know how that's going.



Can't run GNS3 on Ubuntu 21.04

When I run GNS3 as user (in admin group) on Ubuntu 21.04, I get this error message:

2021-08-24 12:16:54 INFO root:126 Log level: INFO
2021-08-24 12:16:54 INFO main:259 GNS3 GUI version 2.2.23
2021-08-24 12:16:54 INFO main:260 Copyright (c) 2007-2021 GNS3 Technologies Inc.
2021-08-24 12:16:54 INFO main:261 Application started with /usr/bin/gns3
/usr/share/gns3/gns3-gui/bin/python: symbol lookup error: /home/_________/.local/lib/python3.9/site-packages/PyQt5/Qt5/plugins/imageformats/libqsvg.so: undefined symbol: _ZdlPvm, version Qt_5

When I run it as root, it works as expected.

Any ideas?



How can we communicate from traditional network setup to Service VPN of Viptela?

Hi, I'm building a LAB and would like to know what option I should use to communicate from the Viptela Service VPN to a traditional network connected to MPLS. Refer to the topology.

Topology: https://ibb.co/p4nkxDb

I did try redistributing OMP route to VPN 0 however it is not allowed.

Aborted: 'vpn 0 router bgp 300 address-family ipv4-unicast redistribute omp' : configuring redistribute omp is not allowed in vpn 0

What is the usual approach on this? Do we really need to install a vEdge at the site?

I'm also checking other solutions, but if you can, please share some of the options that are being used in production.

Thank you



Monday, August 23, 2021

Mobility Express 2802E.... issues

I have a Cisco 2802E AP. It's been working great with no issues until about a week or two ago, when I noticed that new clients were not connecting, and apparently I forgot to record the username and password for the management interface. So I was forced to reset it.

After resetting it, I can get to the CiscoAirProvision SSID and connect, and it will load the web page. I enter all of the required information such as mgmt IP, subnet mask, and default gateway. I configure the "employee" SSID appropriately and then the access point restarts.

When I attempt to ping or access the web interface I get no response from the page, and ping fails.

I am completely stuck; I am clearly missing something. This is all on a Cisco 3850 switch with the following configuration:

!
interface GigabitEthernet1/0/9
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
end

VLAN 1 is also configured on this interface. I have also tried moving the AP to an access port on VLAN 1, 10 and 20, and on each move I have reset the AP and configured the mgmt interface in subnets that belong to these VLANs.

Please help I am completely lost.



Could a double-strand single mode trunk be replaced with a 1+1G link aggregate trunk using single-mode fiber SFPs?

So, my organization is planning on upgrading all of our network devices, and we plan on using EVPN in the new setup. Now, my very limited knowledge of EVPN does say that it greatly benefits from using link aggregation for load-balancing and redundancy. Our plan is to create fiber paths between our access nodes and our leaves to support this.

Our current infrastructure has two-strand single-mode fiber between the switches, and only ever one link. We don't use link aggregation at the moment. However, my idea is that when we replace these devices, we adapt both strands into individual, single-strand links. That way, we'd have a redundant, load-balanced 1+1G link aggregate as the trunks without having any new infrastructure!

I feel like this is a good idea, but part of me feels like it's too obvious to be effective. Like, there has to be some reason why we shouldn't do this, right? I dunno, maybe I'm just being paranoid.

Do you think it would work? Thanks in advance for the advice.



Does Ethernet to Lan exist?

I bought a wifi motherboard that doesn't have an Ethernet port but does have a LAN port. I can't buy a network adapter because the motherboard doesn't have mini PCIe.



Fortigate in transparent mode not sending SIP (UDP 5060) packets?

We have a setup in which a specific source IP communicates to destination IP via UDP-5060.

In the topology below, you can see that it is just a basic L2/L3 connection, although between the core and the WAN routers we have a Fortigate firewall which is in transparent mode and doing L2 bridging.

Diagram: https://ibb.co/mtJjg12

This worked before; however, we recently ran into an issue in which the UDP 5060 packets being sent from the core switch are not being received by any of the WAN routers. Refer to the diagram.

We did run a packet capture on all devices: the core, the FW and the WAN routers.

a. From the core I'm seeing that packets are being forwarded to the firewall (IPS).

b. From the firewall we can also see that the packet is accepted and forwarded; however, we are not able to receive it on two of the WAN routers.

:: logs from the firewall:

327.220024 port2 out 172.10.10.1.5060 -> 172.20.20.200.5060: udp 551
331.220890 port2 out 172.10.10.1.5060 -> 172.20.20.200.5060: udp 551
335.221877 port2 out 172.10.10.1.5060 -> 172.20.20.200.5060: udp 551
340.719565 port2 out 172.10.10.1.5060 -> 172.20.20.200.5060: udp 551
341.220287 port2 out 172.10.10.1.5060 -> 172.20.20.200.5060: udp 551
342.221032 port2 out 172.10.10.1.5060 -> 172.20.20.200.5060: udp 551

c. WAN routers - On the routers I ran a packet capture, verified the flow and added an ACL, and there is no visibility of UDP 5060.

From the above logs, does it 100% prove that the firewall is sending the UDP 5060 packets out to the WAN router? The WAN setup is active/standby, so I failed the traffic over from active to standby, but it is still the same.

Any ideas on this issue? And is there anything that needs to be checked on the FW IPS side?

Thank you



looking for someone familiar with data circuits/providers in Pakistan

Looking for someone who has experience dealing with Pakistani ISP/corporate internet providers. I suspect the language barrier is getting in the way of me getting better info.

I have a Montreal-based client who works with an office in Karachi. Long story short, the local internet connection is so bad that the RTT between locations is sometimes over 400 ms, affecting their remote desktop sessions (using Blast). We know the issue isn't the VDI system, as they have clients from all over North America using the system daily with no issues.

I'm trying to find someone who has knowledge of the Pakistani telco market, hoping to find either a better provider or a provider that isn't passing off bonded DSL pipes as "enterprise class connections".

Anyone?



CAT6 supports 250MHz and CAT5e supports 100MHz, but what's the relevance of that?

I've seen these specs thrown around before, but I don't understand how 100MHz/250MHz correlates to anything else in the networking field. CAT5e supports up to gigabit speeds, and CAT6 supports up to 10Gbps, but those speeds aren't proportional to their relative differences in frequency.



I have a problem with ping

Is a ping to google.com from cmd with minimum 27, max 32 normal? Is that a huge gap or no?



Inter-VRF routing for modern datacenters

Hi All

Just was curious if anything has evolved in the space of inter-VRF routing. Is it still the norm for a firewall to be the enforcement point where you need to route between VRFs, or, with BGP being able to filter routes with RTs and RDs, can we control the routing design that way? The only reason I'm not entirely convinced of using the firewall is that it's going to create additional overhead by requiring firewall policies to be managed, which can add unnecessary complexity to the design. Yes, I'm fully aware rules can be automated etc., but if the customer is also using NSX-T to control their own firewall rules (which is a completely separate team; we only provide the network piping), I would rather make them responsible for policy control than add more load to the firewall for processing traffic. Is anyone else using BGP for inter-VRF routing, or would you still recommend the firewall peer to multiple VRFs and then perform the enforcement to allow traffic between the different zones?

Thanks in advance.



Trying to run a pair of VPN connections on a macbook pro on my work device

Hello,

I work in a Mac environment locally, and on Linux/Windows VMs remotely. We have several cloud providers, the two most commonly connected to are Rackspace and AWS.

Our Rackspace VPN connects via the Cisco client software, and AWS via a home-grown OpenVPN connection.

When running an Ansible playbook intended to connect to the entire fleet, half the connections fail, and you have to disconnect from one to connect to the other.

I didn't set any of this up, but the guy who did says he has a workaround that he seems hesitant to talk about (he's working on a Linux device and is technically breaking workplace rules).

He says he's able to connect to both via Debian's network connector and VPNC. I've seen him successfully run Ansible playbooks to completion with no errors, so it does work.

Is there a way to do something similar on a Mac that I'm not thinking of?



Migrating L2VPN services from IOS XE to XR, LDP issues

Hi,

We're in the process of migrating from an IOS XE platform to an IOS XR one. In some cases, we're gonna collapse 2 XE routers onto a single XR one. Since we only have L2VPN services with MPLS pseudowires, I thought it would be enough to migrate the loopbacks we use for the pseudowire neighbor statements. Not the case.

Apparently, while IOS XE will bring up any circuit that has an MPLS pseudowire pointing to a reachable IP address, IOS XR will only bring up circuits that match its LDP router ID.

So, if I am migrating two routers onto one, only the circuits that point to the IP that is also the router LDP router ID will come up, others will not.

Since some of these PEs have in excess of 4k xconnects configured on them, I'd rather not modify the IP addresses. Is there a way to modify the XR behaviour to match XE, so that it will bring up an L2VPN instance as long as LDP can be routed towards the target IP?

Thanks.



Accessing Vigor 2830 in PPPoE pass through mode from another Vigor 2830?

Noob question here. At work we have two DSL lines coming in each to their own DrayTek Vigor 2830n. One Vigor is the router and load balancer and the other is essentially acting as a modem. The ISP login details for both DSL lines are handled by the Router. How do I set it up so I can access the Modem over LAN? Ideally I’d like to access it on 192.168.1.2. Thanks!



WebEx Voice - anyone using a good-sized install of it?

Looking to see what experiences folks have had with this product. We are wanting to bring about 70 locations and 2,000 users from two different platforms onto UCAAS. Roughly 30 locations migrating from Mitel on prem and 40 migrating from Cisco on prem. We have a call center and the need for call recording and reporting.



Cradlepoint: ARC CBA850 is not keeping ip settings

I have a Cradlepoint ARC CBA850; when I reboot the router it changes its WAN IP.

It's in passthrough mode. Does anybody know how to statically assign an IP to this device?



Grandstream WP810 wifi phone won't connect to wifi

My office uses grandstream phones and we're trying to get these portable 810s up for certain people but even though the network is configured correctly through the phone, it's provisioned to a user, and it's got the latest firmware (all from the one time it did connect), it just won't connect to the office wireless no matter what. Any suggestions?



Configuring SNMPv3 on NXOS

I am struggling with configuring SNMPv3 on a Nexus switch:

stoS01t(config)# snmp-server user **** auth sha ****** priv aes-128 ******
localized auth key should start with 0x[Hex Digits]

Why does it complain? I am not entering localized key, it's up to the switch to localize the passwords itself. The above command works just fine on an IOS switch (with a slightly different syntax).

And I also have another NXOS switch, that lets me add the same command as above, but doesn't actually create a new user. I also don't see any way to restrict access with ACL, create groups, use "match prefix" to allow specific contexts...

Oh, just found another NXOS switch (same hardware, but slightly different NXOS version) ... and there the above command works fine.



rapid-pvst and VLAN 1 question

Hi all,

I have a situation where at one site we have a port on a student wifi provider's switch that connects to our switch. This was done so the SALTO door locks we have around the student accommodation blocks can talk to the SALTO server that is hosted on our VMware infrastructure. The SALTO server has dual NICs, with one NIC on our network and another one on the student wifi provider's network.

I do not have a router or firewall currently at site that can help me.

My own switches run rapid-pvst.

This is my port config:
interface ethernet1/1/4
no shutdown
switchport access vlan 101
mtu 1532
flowcontrol receive off

SW-2-1(conf-if-eth1/1/4)#

If I show the STP config I get this:

SW-2-1# show spanning-tree

Spanning tree enabled protocol rapid-pvst with force-version rstp

VLAN 1

Executing IEEE compatible Spanning Tree Protocol

Root ID Priority 4096, Address d4c1.9e0a.6dc0

Root Bridge hello time 2, max age 20, forward delay 15

Bridge ID Priority 32769, Address 684f.64c3.b3d5

....

VLAN 101

Executing IEEE compatible Spanning Tree Protocol

Root ID Priority 4096, Address d4c1.9e0a.6dc0

Root Bridge hello time 2, max age 20, forward delay 15

Bridge ID Priority 32869, Address 684f.64c3.b3d5

Configured hello time 2, max age 20, forward delay 15

Flush Interval 200 centi-sec, Flush Invocations 4762

Flush Indication threshold 5

My actual question

I am aware that VLAN 1 is often the default, but in cases like mine, I do not want the student wifi provider's switch to be the root bridge for VLAN 1. I am happy for it to be root bridge for VLAN 101, which is their VLAN and the subnet range we hook in to.

What should I do about VLAN 1?



Ubiquiti UniFi multiple syslog servers

Hi! I've asked the same question in /r/Ubiquiti but didn't get the answer.

Is there a possibility to add one more syslog server on UniFi controller?

https://imgur.com/uU0z3M8



Python ipaddress module

I'm using the ipaddress module in Python to work with IPs. I can get a list of all of the usable hosts with:

addr4.hosts()

and I can get the subnet address and broadcast address with:

addr4.broadcast_address

addr4.network_address

I'm just wondering if there is a simple way to get the full list of IPs, including the broadcast and network address, with one call?

Has anybody done something similar?

Thanks
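The one-call answer to the question above is to iterate the network object itself rather than calling hosts(). This added example (not the poster's code; the post's addr4 is assumed to be an ipaddress.IPv4Network, built inline here from a prefix string) shows the full list, labels the network and broadcast entries, and handles the /31 and /32 case where there are no such addresses.

```python
import ipaddress

# Added example, not code from the original post. The post's "addr4" is
# assumed to be an ipaddress.IPv4Network; here prefixes are built inline.


def all_addresses(cidr: str) -> list:
    """Every address in the prefix, network and broadcast included.

    Iterating the network object is the one-call answer: it yields all
    net.num_addresses entries, whereas net.hosts() skips the first and
    last address of an IPv4 prefix (except /31 and /32).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return list(net)


def classify(cidr: str) -> dict:
    """Map each address in an IPv4 prefix to 'network', 'broadcast' or 'host'.

    A /31 (RFC 3021) or /32 has no separate network/broadcast address, so
    every address in such a prefix is labelled 'host'.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    point_to_point = net.prefixlen >= net.max_prefixlen - 1
    labels = {}
    for addr in net:
        if point_to_point:
            labels[str(addr)] = "host"
        elif addr == net.network_address:
            labels[str(addr)] = "network"
        elif addr == net.broadcast_address:
            labels[str(addr)] = "broadcast"
        else:
            labels[str(addr)] = "host"
    return labels


def host_count_check(cidr: str) -> bool:
    """Sanity check for IPv4: the full list minus hosts() is exactly the
    network and broadcast address (or nothing, for /31)."""
    net = ipaddress.ip_network(cidr, strict=False)
    extra = set(net) - set(net.hosts())
    return not extra or extra == {net.network_address, net.broadcast_address}


if __name__ == "__main__":
    for prefix in ("192.0.2.0/29", "192.0.2.0/31"):
        addrs = all_addresses(prefix)
        print(prefix, len(addrs), [str(a) for a in addrs])
        print(classify(prefix))
        print("hosts() consistent:", host_count_check(prefix))
```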



Is it possible to monitor an APN?

Hi engineers!

Is it possible to monitor an APN (via PING, other stuff, etc)?

My monitoring tool is SolarWinds and the provider is WIND.



Wrong value of OIDs of indexes for class-map

Hi

I have a policy-map

Policy Map BRNZ

Class CDN

police cir 4000000

conform-action transmit

exceed-action drop

I was using cbQosCMPostPolicyBitRate (1.3.6.1.4.1.9.9.166.1.15.1.1.11) to get the amount of traffic,

but when the traffic exceeds 4.3 Gbps the router starts sending a wrong value. I tested it with SNMP Tester, and

I already use PRTG,

so I decided to start using the 64-bit counter cbQosCMPostPolicyBitRate64 (1.3.6.1.4.1.9.9.166.1.15.1.1.29),

but I don't see any value for this OID on my router; the table ends with 1.3.6.1.4.1.9.9.166.1.15.1.1.27.



Sunday, August 22, 2021

What router would suit my needs?

Hi,

I don't have the best grasp of networking, so please bear with me here. I'm looking to start colocating all of my hardware and I need a router for my setup, and I'm on a very tight budget. I have a /24 and an ASN, so I'll be single-homed and the router will need BGP. It'd be preferable that it can handle 1 gigabit per second, since I'd like to be able to burst to that in extreme circumstances.

I've looked at the following

  • Juniper SRX320 (if I get this I'd probably get it refurb/used)
  • Mikrotik CCR1009-7G-1C-PC

I've only heard terrible things about Mikrotik, so I'm leaning towards the Juniper SRX320. Will either of these fit my needs?



Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.

Note: This post is created at 01:00 UTC. It may not be Monday where you are in the world, no need to comment on it.



Can electrical cause interference with Coaxial cable?

I'm going to drop 120V electrical outlet and RG6 Coaxial in a network closet and was just wondering if they can be placed side by side, in the same area, or if it would be better to place coax on one side of the rack and electrical on the other side? Not sure if there is the possibility of any interference?



Looking for a netflow monitoring solution

Hi all,

I am looking for a netflow monitoring solution, possibly open source, Linux based. Do you have any suggestions for it?

Thanks



How to remove CAT6 Dust Cover?

I accidentally put the dust cover on before any cables, and now I can’t get it off? https://imgur.com/a/0PYYkqw



VPLS

Hi All,

This is more just a curiosity question.. have you guys encountered many VPLS setups.. surely stretching L2 connectivity over the WAN creating one big broadcast domain is not ideal?

thanks



Some question about SDWAN?

Hi All.

I'm currently reviewing SDWAN and I have questions regarding how the technology works and is designed, especially the underlay and overlay.

Question:

a. We have a centralized monitoring server and remote server which are connected to MPLS (the traditional way).

  • Should all remote access and monitoring of the vEdge/controller be on VPN 512?
  • Traditionally we just announce the mgmt network to the MPLS network, or, for an internet router, we build a secure connection to a hub or headend device or access the router directly using its WAN public IP.

b. How does interconnection/communication between the traditional infrastructure and the SD-WAN infra work?

c. Common design in the data center for underlay and overlay. How is default routing implemented?

d. If multiple default routes are being used, does it mean the traffic is being load balanced? If yes, how can we verify the actual exit interface of the traffic (e.g. in traditional networks we have show ip cef)?

e. If we need to forward customer internet traffic directly to the internet at the site, we can achieve this by route leaking, right? If yes, another question: if we have multiple default routes in the transport VPN, how can we ensure that all data traffic will be forwarded only to the internet circuit and not onto MPLS?

Let me know your inputs. Thank you so much.



EVE-NG export of Linux hosts not working

It just says: "Linux: Export not supported (19)."

Exporting Cisco images is fine.

I want to upgrade the ready-to-use Ubuntu image and have it updated for future labs. Is there any way I can achieve this goal?

thanks in advance



Ways to quickly make a logical map?

I was hoping to see if anyone had a technique they use to get a basic/logical network topology when remotely troubleshooting network issues. I work for a small MSP with several small to medium sized clients (not SOHO networks though). Sadly, network maps aren't a thing for basically all of them, and when they call in for a network issue I have basically nothing to go off of. I was looking at nmap and other utilities, but it doesn't seem like it would be able to make a logical map. I don't need to see all online hosts, just the core network (switches and APs) and servers.

  • Which server/s are DNS and DHCP?
  • What switches are there and what APs are tied to those switches?


Wondering if this makes any sense? Port security as a workaround for not having a AAA server.

I work for a DoD agency and per the STIGs, we are to have a AAA server. Duh right? Why wouldn't you have one? Well we don't. It's coming in the next year or so, but for now we do zero AAA.

Our current workaround is to use port security on all access ports. We set the max number of MAC addresses to 3 and also use sticky MAC. When one of those trips, the port goes err-disabled.

This gets to be a pain because there have been numerous times that we get called in on days off because someone switched ports on the switch and caused their port to go disabled. Even on days when we are in the office, 9 times out of 10 when our help desk calls on the network team for help, it's because port security was tripped and needs a reset.

I was talking to my supervisor and asked why we can't just take it off, since nowhere in the STIGs does it say anything about port security or sticky MAC. He says it's because it's our workaround since we have no AAA server.

I can't seem to grasp how this makes any sense. Using a AAA server authenticates clients who are authorized to be on our network and blocks anyone else, among other things. Port security and sticky MAC do nothing to keep unauthorized users off the network. It basically just doesn't allow the same MAC to be on different ports and only allows so many MAC addresses on one port. We still manually check all users on the network and reference a list of approved clients that gets updated every so often. So I am having a hard time understanding how port security and sticky MAC are a temporary alternative for a AAA server. When we do our STIGs, we still mark these ones as open, even though this is our workaround.

Does this also not make sense to you guys, or am I just crazy? The funniest part about the whole thing is that when it trips, we just reset it, no questions asked. We actually have automated scripts running to clear port security and sticky MAC once a day so it's less we have to worry about.



SNMP Wrong Values

Hello guys,

I have an ASR-1002X and run different QoS policies on it to police users' traffic. I use PRTG to monitor each QoS service's total traffic, but the issue is that when the traffic exceeds 4.3G the router starts sending a wrong value. I see it in SNMP Tester, but inside the router itself I can see the right values.
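Both of the class-map readings above (the cbQosCMPostPolicyBitRate question and this ASR-1002X one) break at the same place: a 32-bit object holds at most 2**32 bps, about 4.29 Gbps. The added example below (not the posters' code or Cisco's) shows that ceiling and derives the rate from two samples of a 64-bit byte counter instead; the 32-bit object is assumed to wrap modulo 2**32, matching the reported symptom, and all counter samples are constructed.

```python
"""Why a 32-bit SNMP bit-rate object misbehaves above ~4.29 Gbps, and how to
get a trustworthy rate from 64-bit byte counters instead.

Added example, not from the original posts. The 32-bit object is modelled as
wrapping modulo 2**32 (an assumption that matches the 'wrong value above
4.3G' symptom); every counter sample below is constructed.
"""

GAUGE32_LIMIT = 2**32   # 4 294 967 296 bps ~= 4.29 Gbps: the 32-bit ceiling


def gauge32_reading(true_bps: int) -> int:
    """Model of a 32-bit bit-rate object fed a rate above its ceiling."""
    return true_bps % GAUGE32_LIMIT


def counter_delta(prev: int, curr: int, width: int) -> int:
    """Increment between two counter samples, tolerating at most one wrap."""
    return (curr - prev) % (2**width)


def bitrate_from_bytes(prev_bytes: int, curr_bytes: int, interval_s: int,
                       width: int = 64) -> int:
    """Average bps over the poll interval from two byte-counter samples,
    e.g. the 64-bit post-policy byte counter of the same class-map row."""
    return counter_delta(prev_bytes, curr_bytes, width) * 8 // interval_s


def seconds_to_wrap(bps: int, width: int) -> float:
    """How long a byte counter of the given width lasts before wrapping.

    A 32-bit byte counter at 4.5 Gbps wraps roughly every 7.6 s, so a 60 s
    poll cycle misses several wraps and any derived rate is garbage; the
    64-bit counter at the same rate lasts over a thousand years.
    """
    return (2**width) * 8 / bps


def combine_overflow(high32: int, low32: int) -> int:
    """Rebuild a 64-bit count from a high-32-bit 'Overflow' object and its
    32-bit counter, for agents that expose that pair but no 64-bit object."""
    return (high32 << 32) | low32


if __name__ == "__main__":
    rate = 4_500_000_000                     # 4.5 Gbps, above the 32-bit ceiling
    print("32-bit reading:", gauge32_reading(rate))   # 205 032 704, not 4.5 G
    b0 = 10**12                              # constructed 64-bit byte sample
    b1 = b0 + rate * 60 // 8                 # the same counter 60 s later
    print("64-bit derived bps:", bitrate_from_bytes(b0, b1, 60))
    print("32-bit byte counter wraps every %.1f s" % seconds_to_wrap(rate, 32))
```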



Spirent Equivalent product of Ixia IxANVL

Hi,
Does Spirent have any product like the Ixia IxANVL, which tests DUTs against standards and RFCs?
I have searched and seen some "conformance test bundle" documents for Spirent TestCenter virtual. But they seemed old to me and I couldn't find them on the website by browsing.