I'm looking for a solution that I can place a firewall between 2 vlans on
a BigIron router with L3 enabled.
For the moment there is one big vlan2 with an ip-route 0.0.0.0 0.0.0.0
123.123.123.123 and a router-interface ve2 with the IP of the router, the
address I use as gateway on the machines behind it.
The WAN port has the IP address used to communicate with the GW of the
carrier-router (123.123.123.122).
Because I want to let the BigIron do the routing, I was thinking of 2 vlans,
one for the lan-vlan and one for the wan-vlan, but this will be a problem
because I only have one IP-block that I can use.
So the situation must be as follows on the BigIron:
WAN => vlan2 => firewall => vlan3(lan)
Because of the fact that the firewall will be transparent, this should be
no problem to place it between the vlans. The actual problem is how to
manage this. In simple words, I should be able to replace the firewall
with a cross-cable and it should still work.
Cisco, for example, has an SVI solution for this, but I can't find such a
thing for a Foundry router.
We are having some problems with a Foundry Bigiron 4000.
The hardware config is as follows:
- Bigiron 4000 chassis
- 2x B8GMR3-A management (active + standby)
- 2x B24E
Once every couple of days now, we get the following error in syslog:
Code:
2009-10-05 20:40:00 User.Warning 8x.xx.50.1 Oct 5 20:39:59 gateway IP: IP: Duplicate IP address 8x.xx.38.1 detected sent from MAC address 0004.d3ea.e200 interface 3/13, 1 packets, first packet received at time 1 days 20 hours 41 minutes 37 seconds since bootup!
............
I've exhausted myself attempting to load a boot image onto the management blade for a project that I'm doing with a few friends.
I just bought this Foundry *off ebay of course* and whoever had it last removed the image! I mean I can't even get into the primary or secondary. I tried booting from tftp, but every time that happens, the switch just restarts and then doesn't boot up again. This is what I'm getting.
Code:
BOOT INFO: RESET ANY master arbitrate : become primary arbitrator.
BOOT INFO: Become active CPU module M2 BI Boot Code Version 06.05.00
Enter 'b' to go to boot monitor ...
BOOT INFO: load from primary copy
BOOT ERR: bad code image header
BOOT INFO: load from secondary copy
BOOT ERR: bad code image header
BOOT INFO: try to boot from bootp server
bootp timed out, bootp-tftp process aborted!
BOOT ERR: bootp failed
I currently have the B2R07601b.BIN image, I just don't know how to load the file onto the blade via tftp or any other method.
I know there's been discussion regarding Foundry BigIrons and their capabilities of running L3 and L2 at the same time.
I have a friend who is running a BigIron 8000 and only pushing just over 100 Megabits on it, however once every few hours he experiences a BGP flap and one of the CPUs maxes out. He is running both Layer 3 and Layer 2 on it.
When the issue occurs, new connections do not open, but currently opened connections continue to operate.
Is there a specific packet type that is causing this to happen? Does anyone have any insight? It is running the latest firmware.
I recently installed a Foundry BigIron 4000 with a B8MGR3 running version: 07.1.18T53
Whenever I tracert outbound using a unix box, it gives me an "ICMP checksum is wrong" error. Before I had this switch installed, I never had this issue! Could it be this version I am running?? And this ICMP error happens on all of my unix boxes.
The datacenter where my servers are located has a Cisco 3560G 48-port. It seems that we have a problem when we add a 5th subnet as secondary on a port: it hangs and not all the IPs work. The datacenter tech says that it can be a bug and that the 3560G doesn't support more than 4 subnets as secondary per port. Is this true? When we removed the 5th subnet, all the IPs worked fine.
I would like to find out from users how they designed and laid out their networks when it comes to subnets.
Currently we have 3 subnets of different sizes which house our network equipment such as switches, PDUs, log servers etc., but also on these same subnets are servers on which we provide web hosting and VPS services. We also have some clients on these subnets with dedicated servers.
I am curious about this network design. Is it acceptable to house our operational equipment such as switches, PDUs etc. on these same subnets which have client access servers, or should we obtain a small separate subnet to house this equipment for security and isolation reasons?
Is there a VPS provider that will sell me a VM, and put it up somewhere, and can make me another VM in the future, on the same VLAN as the original VM?
For example, pretend VM #1 has a NIC at 10.0.0.100
in the future, I want another VM with a nic at 10.0.0.101
I was looking at Go-Grid, but I'm not sure how their pricing works.
I need a basic L3 switch for maybe 25 mbps that will do hopefully up to 50 VLANs and which will not require me to hire someone to configure it.
As much as I like Cisco, that rules them out.
The reason I'd like a Layer 3 switch is so that I can run my backups and inter-server transfers without adding to my bandwidth bill. Also, VLANs are a critical requirement as I have a lot of customers with root on their managed servers.
So I am looking at HP [gasp] switches. How "easy" is the web-based configuration widget? [I'm an advanced unix admin but networking is a mystery to me.]
This is a starter switch and once I have a full cab of servers I'll be able to spend $7K on a pair of 3560s and hire someone to configure them for me ... but until then what can I get to meet my requirements?
I'm trying to implement VLANs on my network and can't get connectivity to host servers. Here's how the network is configured. Pardon the bad ascii diagram.
In this example my upstream is providing two subnets:
111.111.111.16/28 (I'm using an IP from this subnet to manage the 3550)
222.222.222.16/29
I am attempting to subdivide the /29 into two /30s in order to place a server into its own /30 subnet & VLAN ............
I'm not sure exactly how to phrase the question. But, I'm researching how to PXE boot a server without having a DHCP/PXE server in each vlan.
Scenario: Datacenter with dozens of servers. 1 VLAN per server. Cisco switches and routers. Each server has a serial console available for remote management (OS and BIOS are configured for serial console). If an admin wants to re-install OS, they should be able to reboot the server and tell the BIOS to initiate a PXE boot request. A central install server is available to provide the DHCP and PXE boot images.
Has anyone tried this? I have been reading about the 'ip helper-address' for Cisco to relay DHCP requests. Interested in hearing about real-world setups. Or is there a better way to accomplish remote OS installs?
I have two servers, both in the same vlan. Both can access the Internet and be accessed from the Internet. I set up the db server and web server internal IP each as follows:
I used ifconfig to check both statuses; both of them are up. Both of them can ping google, but when I try to ping each other through the internal IP, nothing returns.
I used the tracert command to follow, and found all packages were sent to the Internet rather than an internal IP.
My host tells me to do it by making NAT, but I have no idea about it. Can anyone help me out with how to do this with NAT?
Having a slight problem working with one of our Extreme Summit 48 (ugh) switches - I've figured out most of the basics, but I can't seem to find any way to add a secondary IP address to a VLAN! This, I would have thought, would be a pretty basic feature to have. Typing "config vlan [vlanname] ipaddress 1.2.3.4/24" works for setting the primary IP, but I can't figure out how to add any more - and doing the command again just overwrites the first one.
So... does anyone have any tricks up their sleeve, or is this something that Extreme neglected to add to this model switch?
We offer colocation & dedicated servers as well as shared & reseller hosting services.
Our colocation customers and dedicated server customers are definitely on their own VLANs for obvious reasons.
Up until now, we have been using separate VLANS and ip allocations for each of the servers in our shared & reseller server fleet. I'm starting to question this policy for many reasons:
1) We directly manage all of the servers and it is very rare that any servers are compromised to the point where they can steal an IP address.
2) We are wasting IP addresses - network, broadcast and gateway addresses are required for each vlan. Additionally, if a server needs 1 more IP address, we need to add a whole new block.
If all of the servers are under our direct management, does it make sense for us to use any vlans at all? It seems that it only serves to complicate things, waste ips and add management overhead.
I've read that all ethernet switches in an MST Region need the same Name, Revision number, and list of member vlans for each Instance. So what happens when you need to change the range of VLANs in an MSTI? Let's say that you need to add a range of vlans to an instance that spans 20 switches? How would you do that?
Can you make a recommendation for a switch-based L3 router which can
- hold a moderate number of routes (interface routes, a few hundred statics + default)
- OSPF and BGP
- MST
- 1024 layer-3 dot1q subinterfaces (or maybe VLAN interfaces) with
  + traffic policing in and out per subinterface/vlan
  + VRRP/HSRP/NSRP
- IPv4 & IPv6 native
- 2x GigE ports
- Not tip-over under 1gbps DDoS towards a VLAN interface.
I've been using 3560Gs, but they seem to lack the output traffic policing. I'd prefer to have subinterfaces which don't run spanning-tree, versus Vlan Interfaces to a trunk interface which runs spanning-tree. These switches sit at the L3 boundary between two L2 networks.
Cost is a big factor; but I also must carry vendor licenses & support contract, if the vendor asserts that not doing so is illegal in US.
I got 3 IP addresses I am trying to trace and I want to know where this person has sent me those from. Is it possible to get exact addresses/locations, where the person who sent me the emails is from, and info on which websites have been visited?
After trace route, what's the next thing to do? When my ISP dynamic IP address is something like and starts with 112.0.0.0, I cannot see all sites on the server. So what I did was run a tracert at the DOS prompt. After 9 hops it reached this IP 216.18.239.6, then everything timed out and it cannot reach my server.
I already tested several Internet accesses and they are reaching the server, except my home DSL with the IP 112. I also checked if the IP is blocked on the firewall but it's not present on the block list. I also mentioned this to my internet provider and am still waiting for notification.
What is needed is a dedicated server or colocation in which my portable IP space (a class c assigned to me in 1995) can be routed to in its entirety. We will then have a VPN back to our own site. This could be accomplished by the ISP BGP peering, or simply announcing the routes themselves. We've got clue in routing, both in OpenBSD and IOS.
The machine doesn't have to be too powerful, and needs little storage space, but the bandwidth provided has to be decent. This is for a hobbyist rather than commercial project, so price is an issue.
I recently moved a customer's site to a new server. Everything went smoothly except for the fact my customer cannot access the new site. When he pings it he gets the right IP address but it just times out.
The URL is regalfire.co.uk
I asked him to run a tracert command and it seems to find the right path but stops just short of finding the server. The last server he connects to is ge-5-2.the.uk.euroconnex.net [87.127.231.90] which is the same as me. The next step is the actual server but for him it just times out.
I can see the new site fine. His ISP is Virgin Media and I have asked several other customers with the same ISP and they can see the site OK.
He has flushed his DNS cache and the problem remains.
This works on my site. But for some reason I still get the occasional IPs through.
I looked at my Lighttpd server-status and I have 600 connections from 3 different IPs that come from China.
I typically use ./route add -host 222.221.81.3 reject as the way to block them, but it changes from time to time. The Chinese are using 90mbps of bandwidth and I want it to stop as they must be directly hotlinking my content.
How to null route large blocks from China? Please note I want to keep Hong Kong, Macau and Taiwan.
ssh is driving me CRAZY right now... On an almost stock CentOS 5.1 install (inside a Xen VPS, though), I changed sshd to listen on 2222 instead of 22 and restarted sshd.
All of a sudden:
Code:
matt@t60:~$ ssh -p2222 64.191.108.xxx
ssh: connect to host 64.191.108.xxx port 2226: No route to host
I should note that I'm actively logged into that IP in another window, and that it responds to ping. There most certainly is a route. Yes, I've quadruple-checked that I have the right IP. And I use the -p2222 daily to connect to another machine. This is a virgin CentOS install; I just changed the "Port 22" line to "Port 2222" and restarted sshd (/etc/init.d/sshd restart).
I am not behind any sort of firewall, unless CentOS installs one that I don't know about. (I own the physical hardware, not just the virtual machine.)
I figured it had to do with this error in /var/log/secure
Code:
May 31 19:18:39 relay120 sshd[23359]: Server listening on :: port 2222.
May 31 19:18:39 relay120 sshd[23359]: error: Bind to port 2222 on 0.0.0.0 failed : Address already in use.
So I changed (uncommented) the ListenAddress directive to:
Code:
ListenAddress 64.191.108.xxx
and restarted sshd again.