Saturday, December 23, 2017

ASR iVRF License... Why?

Why does this license model exist? Why do we need to license 8 VRFs per linecard?

I imagine most mainstream ISPs simply incorporate L2 stuff rather than L3 VPNs - eliminating the need for the license...

Just wondering why Cisco decided to deploy this model...



Multiple Cisco switches reverting back to old configs, losing vlan settings, etc.

So I'm pretty decent with Cisco gear. Been around it for a while, but this issue is downright perplexing to me.

We took over for another company who did some major changes this last summer. Unfortunately, we took over right after they made the changes so we don't know much of what they did, and they turned over zero documentation.

The issue is that randomly, it seems, the switches will suddenly be missing things like a route or a vlan access stmt on one of the trunk ports.

One thing we did find is that it appears they were backing up configs to a Solarwinds TFTP server, but all of that stopped after they did their reorg in July because all of the config files are dated June of 2017.

On top of that, it appears they had tried to execute a pwd recovery on several switches and renamed the config file as config.txt instead of config.text. They must have had everything running in system run config, and then when rebooted, the autoinstall found the tftp server and pulled down the configs.

Well now we have shutoff the tftp server and disabled the service, yet we are still seeing this behavior.

My only guesses are these switches are just now rebooting for the 1st time since the July changes occurred and have lost their config.

There is some other automated process that is overwriting the config.

Or, lastly, some asshole is playing a sick prank on us! ;-)

Anyone have any thoughts on this?



Using a Cat6 patch cable on an otherwise Cat6a network?

What are the expected losses from using a Cat6 patch cable on an otherwise Cat6a network?

The bandwidth is the same for such a short distance, but would the lower frequency bottleneck cause significant crosstalk due to essentially limiting the frequency in the downstream Cat6a cables?



Product connectivity question

Without going into too much detail about the product idea itself, I'm interested in learning more about the possibilities involved with being able to connect to a device from a remote location and being able to send commands from a mobile app to the device to perform a specific function.

For example, user is 10 miles away from home, opens up app on phone, presses button pertaining to specific command, and then the device performs command. If anyone has knowledge about this or if it's even possible I'd love to hear some info.



To what extent can my employer see my phone traffic?

Be gentle, folks, and if this post doesn't belong here, please redirect me.

I'm a teacher. During my precious downtime (but on school premises), I want to look at grown up material and order grown up things for grown ladies. I do not need my IT dept. seeing this activity, so I keep my work PC for work and keep my personal stuff on my phone. But even that makes me uncomfortable.

To what extent can my employer see my surfing behavior when I'm on my phone, connected to school wifi? Should I turn off wireless and just use data?



More hosts / subnet and less subnets, or less hosts per subnet and more subnets?

So I just learned about classful networks. Class A, B, C. Class A has very few subnets, but apparently has a ton of hosts per subnet. On the opposite end of the spectrum, Class C has a ton of subnets but not that many hosts per subnet.

What are the differences? In Enterprise networking, for instance, which one is more preferable?



Updated resources for getting smart on QoS?

I "learned" QoS a long time ago, which is to say I beat my head against my Cisco ONT book enough times I was able to pass the stupid exam sometime in 2008 or 2009.

Now I actually need to learn some of that knowledge, mostly in a service provider context.

In particular right now I'm looking for more resources on the theory side, since I'm living the heterogeneous network life, but there's plenty of cisco in the environment, so no harm with vendor-focused material either.

I'll be revisiting those chapters in the ONT book and Network Warrior, but I figured I should ask if there are more recent resources out there as well.

I've seen references to the Cisco End to End QoS. Is that any good?

Any other recommendations? I like getting stuff like this in print, but web stuff is of course welcome as well.

Also, I've got /u/VA_Network_Nerds "best of cisco live" links bookmarked, and several of them are directly pertinent to my question. Feel free to post the list again if you'd like, just didn't want to look like I didn't take that resource into account :)



Can't capture traffic on cisco 3560

Hello,

I'm using the embedded packet capture feature to capture traffic on a port to a file.

Here's a Cisco example on how to do it.

But when I do the show buff dump command I see nothing on the screen.

What am I missing here?



Question about data link layer

What kind of error detection algorithm is used in the data link layer? Thanks in advance



Around 10% packet loss when I ping inside a VRF but 0 loss when I ping in the global routing table

Hi,

Subject covers the issues but here is me pinging from a CE > PE and PE > CE. Thought it was an MTU issue but I still get the same amount of loss (around 10%) in the VRF whether MTU is default or 128 and 0 loss from the non-VRF P2P address range. Any advice?

CE-ROUTER1#ping vrf VRF113 172.31.255.14 r 100
Type escape sequence to abort.
Sending 100, 128-byte ICMP Echos to 172.31.255.14, timeout is 2 seconds:
!!!!!!!.!!!!!!!!.!!!!!!!!!!!!!.!!!!!.!!!!!!!!!!.!!!!!!!!!!!.!!!!!!!!!!
!!!.!!!!!!!!!!.!!!!!!!!!!!!.!!
Success rate is 91 percent (91/100), round-trip min/avg/max = 1/2/4 ms

CE-ROUTER1#ping vrf VRF113 172.31.255.14 r 100 df-bit size 128
Type escape sequence to abort.
Sending 100, 128-byte ICMP Echos to 172.31.255.14, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!!.!!!!!!!!!!!.!!!!!!!!!!!..!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!
!.!!!!!!!!!!!.!!!!!!!!!!!.!!!!
Success rate is 90 percent (90/100), round-trip min/avg/max = 1/1/4 ms

CE-ROUTER1#ping 10.255.255.253 r 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.255.255.253, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/2/4 ms
CE-ROUTER1#

------------------------------

PE-ROUTER1#ping vrf VRF113 192.168.100.1 r 100 df-bit size 128
Type escape sequence to abort.
Sending 100, 128-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!!!!!!.!!!!!!!!!!!.!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!.!!!!!!!!!!!!
.!!!!!!!!!!!.!!!!!!!!!!.!!!!!!
Success rate is 92 percent (92/100), round-trip min/avg/max = 1/2/4 ms

PE-ROUTER1#ping 10.255.255.254 r 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.255.255.254, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/2/4 ms
PE-ROUTER1#

Both routers are LDP speakers.

CE uplink:

interface GigabitEthernet0/0
 mtu 1524
 ip address 10.255.255.254 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1500
 ip ospf authentication
 ip ospf authentication-key 123
 ip ospf network point-to-point
 ip ospf dead-interval 5
 ip ospf hello-interval 2
 ip ospf mtu-ignore
 ip ospf cost 5000
 duplex auto
 speed auto
 mpls mtu 1500
 mpls label protocol ldp
 mpls ip
end

PE downlink:

interface GigabitEthernet0/0/0.104
 encapsulation dot1Q 104
 ip address 10.255.255.253 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1552
 ip ospf authentication
 ip ospf authentication-key 123
 ip ospf network point-to-point
 ip ospf dead-interval 5
 ip ospf hello-interval 2
 ip ospf mtu-ignore
 ip ospf cost 5000
 mpls mtu 1552
 mpls label protocol ldp
 mpls ip
end

NB: Actually using public IPs for the P2P; just changed to 10.255.255.x for obvious reasons.



Friday, December 22, 2017

"Oh Cisco Tree, Oh Cisco Tree..."

The office has been a little quiet over the last few weeks as we wrap up the year, so a few members of our team built our own network-themed Christmas Tree (inspired by /u/Suddenly_a_Mexican 's tree). We used old hardware that we had laying around - a Cisco 3602i (top), 14 3502i APs and a HP 5406zl switch as a power source.

The LED state on each AP is determined by which blade it's connected to on the switch. One provides only PoE and no link which produces a rapid red blink. One provides PoE and link but no DHCP which produces a rapid green blink. One provides PoE, link, and DHCP which produces a slower green/off/red/off blink. The 3602 was flashed to autonomous firmware and had the LED blink in perpetuity through a CLI command. Sadly you lose out on the blue LED in the pattern and only get a rapid red/green blink in autonomous vs CAPWAP. The lamp on top was graciously provided by one of my colleagues.

Merry Christmas and Happy Holidays to everyone!

Album



Netgear RADIUS user authentication

I successfully got a RADIUS server running on pfSense for auth and accounting. I can log in with a username that I configure in RADIUS on my Netgear switches. The users are read_only, however. How can I make them have READ_WRITE (admin) permissions?



SNMP on a Cisco 2950

I have a few older switches that I need to use SNMP v3 to monitor. However, when I enter the snmp user commands two odd things happen.

  1. Warning message: *Adding an snmpv3 user could cause a bootup delay, do you wish to continue? * I'm fairly sure this can be ignored.

  2. Things get weird here. This is the command I'm using: snmp-server user SNMPv3-USER snmpv3group v3 auth sha Password access 17 After entering this command and looking at the config, no SNMP user is there! However if I 'show snmp user' I can see the user name there.

However, if I enter this command the user line stays in the config: snmp-server user SNMPv3-USER snmpv3group v3 access 17 The auth and sha config options are all valid when I check with ?.

And no matter what SNMP v3 won't authenticate. Anyone encountered & solved this issue?



What are your network related achievements from 2017?

Based on the 2016 achievements thread from last year and the followup goals for 2017.

http://ift.tt/2BXG0JA

What did you do in 2017?



Unboxing Facebook's Backpack Chassis

http://ift.tt/2BzopYW

Full disclaimer - I'm a Cumulus Consultant.



How to setup VPN for router behind PTMP connection?

Hi! A new wireless ISP installed broadband for me yesterday, however due to my location, a relay was needed in order to point the signal down the hill to me. My neighbor also got in on this deal.

The hardware is: Internet - LTE receiving radio - Ubiquiti NSM5 (PTMP) - Ubiquiti NSM5 (my house)

Internet is working fine, however my client VPN setup on my meraki mx64 isn't connecting, as I can only assume due to double NAT, as it's showing the WAN ip as a 192.168 address.

I've read about port forwarding and etc, however there's no routers between my house and the LTE radio, just the bridge.

How can I make it work?



Improving inside security

I imagine many of you have faced this problem before, so I come to you for advice. I need suggestions on how to develop VLAN ACLs for a network that has no VLAN ACLs.

Unfortunately, the testing network also happens to be the production network.

At the current moment, the network has dual N5K cores with 50ish vlans segmenting traffic. Gateways are provided on the N5Ks via HSRP.

Public wireless is segmented off and lands on the firewall instead of the core, so no traffic is allowed from public wifi to internal resources.

Unfortunately, the previous admin never developed VLAN ACLs nor applied them to any interfaces.

How does one, in such an environment, develop VLAN ACLs without breaking everything under the sun?
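One way to approach this without breaking production, as an added example that is not part of the original post: inventory the flows that actually cross VLAN boundaries today, turn each observed (source VLAN, destination VLAN, protocol, port) combination into an explicit permit, and end the list with a logging catch-all so the first deployment records rather than drops anything the inventory missed. The VLAN plan, subnets and flow records below are constructed placeholders, and the output uses NX-OS style access-list syntax.

```python
"""Bootstrap per-VLAN ACLs from observed inter-VLAN flows (constructed data)."""

import ipaddress
from collections import defaultdict

# Constructed VLAN plan (placeholder subnets, not the poster's network).
VLANS = {
    20: ipaddress.ip_network("10.20.0.0/24"),   # workstations
    30: ipaddress.ip_network("10.30.0.0/24"),   # servers
    40: ipaddress.ip_network("10.40.0.0/24"),   # printers
}

# Constructed flow records, initiating direction only: (src, dst, proto, dst_port)
FLOWS = [
    ("10.20.0.15", "10.30.0.5", "tcp", 445),
    ("10.20.0.16", "10.30.0.5", "tcp", 445),
    ("10.20.0.15", "10.30.0.9", "tcp", 443),
    ("10.20.0.22", "10.40.0.3", "tcp", 9100),
    ("10.30.0.5", "10.30.0.9", "tcp", 1433),    # intra-VLAN: no boundary crossed
    ("10.30.0.7", "10.20.0.15", "udp", 161),
    ("10.99.0.1", "10.30.0.5", "tcp", 22),      # source outside the VLAN plan
]


def vlan_of(ip, vlans=VLANS):
    """Map an address to its VLAN id, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for vid, net in vlans.items():
        if addr in net:
            return vid
    return None


def inventory(flows, vlans=VLANS):
    """Count inter-VLAN flows: src VLAN -> {(dst VLAN, proto, port): hits}."""
    seen = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, port in flows:
        s, d = vlan_of(src, vlans), vlan_of(dst, vlans)
        if s is None or d is None or s == d:
            continue                       # unknown or intra-VLAN: not our concern here
        seen[s][(d, proto, port)] += 1
    return seen


def build_acls(flows, vlans=VLANS):
    """Return {src_vlan: [acl lines]} for the inbound direction on that VLAN's
    SVI, most frequently observed rules first, logging catch-all last."""
    acls = {}
    for s, rules in inventory(flows, vlans).items():
        lines = [f"ip access-list VLAN{s}-IN"]
        for (d, proto, port), hits in sorted(rules.items(), key=lambda kv: -kv[1]):
            lines.append(f"  remark {hits} flow(s) observed to VLAN {d}")
            lines.append(f"  permit {proto} {vlans[s]} {vlans[d]} eq {port}")
        lines.append("  permit ip any any log")   # audit phase: log, do not drop yet
        acls[s] = lines
    return acls


if __name__ == "__main__":
    for vid, lines in build_acls(FLOWS).items():
        print("\n".join(lines))
```

Once the logged catch-all stops recording new flows for a representative period, it can be tightened to a deny.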



What exactly is a 'virtual WiFi access point'?

Recently I've come across the notion of 'virtual WiFi AP'. For example contexts in which this notion came up, please refer to these pointers: [1],[2],[3] (references from Cisco, Aruba networks, etc.).

I'm a bit confused about what virtual APs actually are.

My questions are:

  • What exactly is a virtual AP?
  • Are there multiple ways of implementing a virtual WiFi AP? Which? What do they consist of?

For example, I suspect that one way to create virtual APs is configuring the WiFi daemon with multiple SSIDs (e.g. hostapd as explained in this guide).

Are there other ways, besides daemon configurations? E.g. based on virtualization, which would allow the state of an AP (e.g. current connections, crypto material like PMKs, etc.) to be 'migrated' between physical devices, like virtual machines?



iBGP over the Internet


I probably know the answer to this, but is it common to set up iBGP sessions over the Internet? If so, do you establish them over standard GRE tunnels, IPsec tunnels, or just over normal IP? I know BGP doesn't require neighbors to be directly connected, and I figured you can't always connect remote, geographically separated offices...so iBGP over the Internet must be the way to go.

Please see this diagram and the following details for clarification:

  • Site A and Site B are separated geographically, but connected to the Internet. They do not have an internal connection (e.g. WAN, dark fiber, etc) connecting them together
  • Each site is configured with BGP AS number 200
  • Prefix 172.16.0.0/24 is configured at Site A
  • Prefix 172.16.1.0/24 is configured at Site B

In this configuration, the two sites cannot talk to each other. The reason is that Site B will see its AS number in the AS path attribute from Site A updates, and therefore Site B will not accept the update and never learn how to get to Site A, and vice versa.

To fix this I created an iBGP session between Site A and Site B routers.

Thanks



Anyone ever deal with Dropbox's lan sync discovery protocol?

Was trying to figure out why the soft-phone on my workstation could not configure an IP so I decided to open up Wireshark to troubleshoot this further. What I saw was a number of broadcasts from Dropbox originating from a single user. Now I have been looking into how to limit or completely eliminate these broadcasts from Dropbox but not really finding much. Wondering if anyone here has ever dealt with this before.

EDIT: Did some more reading and found that LAN Sync requires access to UDP port 17500. So that is a good starting point but I need to make sure nothing else will be using this port internally. I am thinking that this can be blocked on endpoint firewall/IPS.
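As an added example (not from the original post), a small script that answers the "which host is doing this" question from a tcpdump text log: it counts UDP/17500 packets sent to the limited or directed broadcast address per source, ignoring unicast 17500 traffic, so the noisy workstation can be identified before deciding where to filter. The log lines are constructed in tcpdump's default output format and the addresses are placeholders.

```python
"""Find hosts flooding the LAN with Dropbox LAN sync discovery (UDP 17500)."""

import re
from collections import Counter

LAN_SYNC_PORT = 17500

# Constructed sample capture in tcpdump's default format (not real data).
SAMPLE_LOG = """\
12:00:01.000100 IP 10.1.1.25.17500 > 255.255.255.255.17500: UDP, length 210
12:00:01.000300 IP 10.1.1.25.17500 > 10.1.1.255.17500: UDP, length 210
12:00:04.120000 IP 10.1.1.25.17500 > 255.255.255.255.17500: UDP, length 210
12:00:05.500000 IP 10.1.1.40.5060 > 10.1.1.2.5060: SIP: REGISTER sip:pbx.example.test SIP/2.0
12:00:07.100000 IP 10.1.1.25.17500 > 255.255.255.255.17500: UDP, length 210
12:00:09.000000 IP 10.1.1.31.17500 > 10.1.1.255.17500: UDP, length 198
12:00:10.000000 IP 10.1.1.31.54321 > 10.1.1.25.17500: UDP, length 60
"""

UDP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def _seconds(ts):
    """hh:mm:ss.ffffff -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def lan_sync_broadcasts(log, subnet_broadcast):
    """Return {src: (count, seconds_spanned)} for UDP/17500 packets sent to the
    limited broadcast or the directed broadcast of the subnet. Unicast 17500
    traffic (the actual sync session) is not counted, only discovery chatter."""
    counts = Counter()
    first, last = {}, {}
    for line in log.splitlines():
        m = UDP_LINE.match(line)
        if not m:
            continue                                   # not a UDP line (e.g. the SIP line)
        if int(m["dport"]) != LAN_SYNC_PORT:
            continue
        if m["dst"] not in ("255.255.255.255", subnet_broadcast):
            continue                                   # unicast: not discovery
        src, t = m["src"], _seconds(m["ts"])
        counts[src] += 1
        first.setdefault(src, t)
        last[src] = t
    return {s: (counts[s], round(last[s] - first[s], 4)) for s in counts}


def noisiest(log, subnet_broadcast, min_packets=2):
    """Sources that sent at least `min_packets` discovery broadcasts, noisiest first."""
    stats = lan_sync_broadcasts(log, subnet_broadcast)
    return sorted((s for s in stats if stats[s][0] >= min_packets),
                  key=lambda s: -stats[s][0])


if __name__ == "__main__":
    print(lan_sync_broadcasts(SAMPLE_LOG, "10.1.1.255"))
    print(noisiest(SAMPLE_LOG, "10.1.1.255"))
```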



Problem with sharing files/folders on same private switch in Hyper-V

I have 2 VMs with the same private switch. They can ping each other without any issues, but when I try to share a folder I can't find the second VM to share with.. Any ideas?



to span or not to span - STP on Cisco3750 router

Hi all,

I'll get straight to the point: I have a moderately sized network with 2 stacked 3750s playing the role of router on a stick. Below that I have larger HP (xl,zl,yl) procurve switches, then at the edge, more HP procurve switches.

The HP Switch closest to the 3750 (which is doing all the routing) is currently the physical and STP root switch.

The 3750 is the default gateway for about 40 vlans.

Is there any need for STP on the cisco? It's not really working as a switch (as I see it). Can't I just disable it?

TIA. nx.



Issue with Dell PowerConnect pinging between VLANs \ Switches

I have a server on a 3048 Dell switch that's on my 4032's port #23 (core).

I have a workstation on a different 3048 Dell switch that's on my 4032's port #24 (core).

The issue I'm having, is that when I try to ping the server from the workstation, it won't reply... however when I try pinging the server from the core, it works. Below is part of my core's configuration:

configure
vlan 20,30
exit
vlan 20
name "Computers"
exit
vlan 30
name "Servers"
exit
ip routing
interface vlan 1
exit
interface vlan 20
ip address 192.168.2.2 255.255.255.0
exit
interface vlan 30
ip address 192.168.3.2 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
interface Te1/0/23
channel-group 10 mode active
description "Uplink to Server N3048"
no lldp tlv-select dcbxp ets-config
no lldp tlv-select dcbxp ets-recommend
no lldp tlv-select dcbxp pfc
no lldp tlv-select dcbxp application-priority
exit
!
interface Te1/0/24
channel-group 128 mode active
description "Uplink to Workstation N3048"
no lldp tlv-select dcbxp ets-config
no lldp tlv-select dcbxp ets-recommend
no lldp tlv-select dcbxp pfc
no lldp tlv-select dcbxp application-priority
exit
!
interface port-channel 1
switchport mode trunk
switchport trunk allowed vlan 1,20,30
exit
!
interface port-channel 10
switchport mode trunk
switchport trunk allowed vlan 1,20,30
exit
!
interface port-channel 128
switchport mode general
switchport general pvid 20
switchport general allowed vlan add 20
switchport general allowed vlan add 30 tagged
exit

And below here is my workstation's 3048's configuration (Workstation is plugged into Gi1/0/1, and core is plugged into Te1/0/1)

configure
vlan 20,30
exit
vlan 20
name "Computers"
exit
vlan 30
name "Servers"
exit
interface vlan 20
ip address 192.168.2.15 255.255.255.0
exit
interface vlan 30
ip address 192.168.3.15 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.2.2
!
interface Gi1/0/1
description "Workstation"
switchport access vlan 20
exit
!
interface Te1/0/1
channel-group 128 mode active
description "Uplink to 4032"
exit
!
interface port-channel 10
switchport mode trunk
switchport trunk allowed vlan 1,20,30
exit
!
interface port-channel 128
switchport mode general
switchport general pvid 20
switchport general allowed vlan add 20
switchport general allowed vlan add 30 tagged
switchport general allowed vlan add 1 tagged
exit
!

And below here, is my server's 3048's configuration: (Server is plugged into port Gi1/0/1, and core is plugged into port Te1/0/1)

configure
vlan 20,30
exit
vlan 20
name "Workstations"
exit
vlan 30
name "Servers"
exit
ip routing
interface vlan 1
exit
interface vlan 20
ip address 192.168.2.10 255.255.255.0
exit
interface vlan 30
ip address 192.168.3.10 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.2.2
spanning-tree priority 61440
!
interface Gi1/0/1
description "Server"
switchport mode trunk
switchport general allowed vlan add 20,30 tagged
switchport general allowed vlan add 1 tagged
switchport access vlan 20
exit
!
interface Te1/0/1
channel-group 10 mode active
description "Uplink to N4032"
exit
!
interface port-channel 10
switchport mode trunk
switchport trunk allowed vlan 1,20,30

I've tried several different configurations for the port-channel... this is just the latest one, it's probably not right... but i'm out of ideas.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Thursday, December 21, 2017

A question i got wrong on a test

Hey everyone, I'm studying for a communications technology degree online and I've got a question wrong on a test. The question is "under what circumstance may address resolution be bypassed?" My answer was if the client connects to the server using its IP address instead of its URL. The correct answer was if the client has connected to that server recently, which was my initial thought. Are both answers correct? I suspect it's because it says the correct answer verbatim in the textbook. Or I may be wrong entirely. Who knows player. Do you?

Thanks



How's everyone's eyesight?

After looking at a computer screen 8 hours a day, 40 hours a week, I imagine my eyes are not meant for this.

Senior network folks, after doing this job for 20, 30+ years, has your eyesight gone to shit? Do you wear glasses? Do you (or any of you) take precautions to protect your eyesight?



Wireless DPI/SSL Unrolling?

In our infrastructure we're already using DPI for our primary network. However, we have a decent wifi network that has roaming guests and I haven't quite wrapped my head around how DPI is expected to work in a configuration where you have no capability to deploy certificates to client devices.

Managed and deployed systems are one thing w/a PKI infrastructure in place. But w/everything from iOS, Android and mixed mobile devices (Chromebooks, PCs, etc.) how is DPI/SSL unrolling expected to function w/o throwing every browser alarm in the book?



Netgear GS724TPv2 Issue pinging devices? VLAN concern?

So the past week and a half I was at this job site configuring one of these for 2 separate VLANs. After reading some of the documentation and what I'm familiar with in terms of what will manage the VLAN and trunking and so forth, I still couldn't understand how this piece of equipment worked. The closest thing I came to a suitable understanding was that if you treat the ports similar to Cisco switching it'll be more understandable than "Tagging" and "Untagging" the ports. The description in the Netgear help manual reads as follows:

U, Untagged, means traffic is not tagged with the VLAN ID on Egress, when it exits the switch, to the next upstream or downstream device. T, for Tagged, means traffic is Tagged with that VLAN ID, and it will be preserved as it Egresses the switch. Blank, means that there is no participation for that VLAN, and that it will not Ingress, enter the switch, or Egress the switch at all, on that VLAN, from that port.

So at first I was a bit confused but as I said it was later and better explained to read it like "Trunking [T]" and "Access [U]".

Anyway, to get to the point, I set up 2 VLANs from a Fortigate 60D. I've been dealing with Fortinet equipment for a couple years now and thought I had it all set up. On the Netgear switch I had 5 ports dedicated to a different VLAN for this AV company's equipment (10.1.1.0/24); on the Netgear I established ports 14/16/18/20/22 as VLAN20 and on the web interface they were filled in as [U] ports while port 23 was tagged [T] to "Trunk" the VLAN over. After all was said and done I was able to ping my phone, my laptop, a couple of other devices both hardwired and wireless under that subnet. When it came to the AV equipment I couldn't ping their devices. They have this Crestron setup with 3 pieces of equipment that required static IPs. I assisted in setting that up with him and even ran some network testing, still no way of pinging those devices. Tested the ports in the room if they were getting internet and it resolved both a DHCP IP and using a static for my laptop. Both had access to the internet and you could ping my laptop both through the wifi and wired connections. Checked the DHCP of the firewall, the VLAN was handling it, and saw his devices with their MAC addresses come up but nothing still on the pinging efforts. Eventually I just took his connections to the switch and put it on the native VLAN and all of a sudden everything started connecting and pinging.

Just wondering if I may have missed something or wasn't aware of how these are set up? I haven't had an issue with other Cisco and FortiSwitch products but they were pretty straightforward in their setup. With the Netgear I'm not too familiar, but I figured I could apply the same idea as what I know with the previous products mentioned.



Nexus 92160 or alternative for small campus L3 core switch?

Looking at Nexus 92160 because of cost for small campus core switch.

Pairs of 9200s in datacenters would aggregate layer 2 Catalysts at 1/10G gig using vPC. The layer3 peer-router seems to address concerns with routing and vPC. Are there better approaches? Familiar with 5000, 7000 and 9300 - any gotchas with 92160?

The nexus 9200 pairs in centers would interconnect to each other at 10 or maybe 40 Gig. Is Fabricpath still preferable for campus vlans or would something else be better? Where possible, I would route and get rid of campus wide vlans but anticipate some need to maintain vlans - mostly point to point.

Campus seems too small to need a spine or core to aggregate the 9200s but interested in the pros-cons.



Core switches: HP Comware or Aruba ProCurve

Bit of background: we're a Cisco shop which does ProCurve as a secondary brand, and then mostly as access switches.

A customer wants to renew their current network infrastructure and wants to standardize on HP. Their current core is a Cisco 3750 stack and the infra is not that special. The new infra will include a dual core and has to have 10G links and the option for 40G links. Is the Aruba 5400-series an option or do we need to look into the Comware based switches? Personally, the 5400-series feels dated but we do not have any Comware experience in house. We have enough experience with ProCurve but that's mostly access related and I do not know if that's enough. The design will be a collapsed core design with cores linking servers and being the distribution for the access layer. What to choose?



What causes the overrun counter to increment on a Cisco switch?

I'm looking for a plain English explanation of the overrun counter.

We have a two member port-channel where this counter is incrementing. According to this page, overruns happen when "the receiver hardware was unable to hand received data to a hardware buffer because the input rate exceeded the receiver’s ability to handle the data." At first glance it seems like this would mean that the server is sending more traffic than the port can handle. Is this right? The server NICs are 1 gig and the switchports are 1 gig, how could they possibly be overloaded? Also, this port doesn't seem to have been getting much traffic.

Port-channel56 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is
  MTU 1500 bytes, BW 2000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is N/A
  input flow-control is off, output flow-control is unsupported
  Members in this channel: Gi1/8 Gi1/10
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 25w1d
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 1015
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 3052000 bits/sec, 799 packets/sec
  5 minute output rate 2943000 bits/sec, 959 packets/sec
     272699111701 packets input, 390034805628930 bytes, 0 no buffer
     Received 12946251 broadcasts (4202505 multicasts)
     0 runts, 0 giants, 0 throttles
     4 input errors, 4 CRC, 0 frame, 151834 overrun, 0 ignored
     0 input packets with dribble condition detected
     96397195674 packets output, 38669149614929 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out


Assistance with IGMP Snooping operation on ASR9K

Hey all. First time poster to this subreddit, so I apologize if I do something out of line.

Need a bit of assistance. Working a TAC Case with Cisco involving an issue with IGMP snooping. The Cisco engineer (who is a CCIE, and seems pretty knowledgeable) and I are in disagreement with the operation of IGMP Snooping. I wanted to verify that what is occurring is not intended operation.

Here's a quick drawup of the topology, although some inconsequential details are changed: http://ift.tt/2Bxa8Mf

Issue: A test Set-Top Box sends a leave-group message upstream. The upstream switch receives it, and continues to forward it upstream towards the ASR9000 switch. The problem is that there is another device, on another interface of the same switch, joined to the same group. I was of the understanding that IGMP Snooping would recognize that another interface has receiver(s) for the group, and would thus not forward the IGMP Leave-Group upstream.

So, to reference the drawing. Both STBs are joined to group 225.1.1.1, and are correctly receiving the stream. The source for this multicast group is not pictured, but is transported via PIM where it hands off to Layer 2 at the ASR9000 Router (pictured on the far right). We leave the group (flip the channel) on STB 192.168.1.10, and a leave group is sent upstream. The ASR9000 switch (pictured left) receives the leave, and prunes the interface Gi1. At no point does it prune interface Gi2, which still has an active receiver (confirmed via show commands). Regardless, the ASR9000 switch sends a leave-group message upstream, at which point the ASR9000 Router prunes the stream completely on the LAG, thus killing the stream for the STB that was still joined on the ASR9000 switch interface. The stream eventually comes back after the ASR9000 router sends a General Query.

So it seems to me that there are 2 problems here... One is that the ASR9000 switch is sending a leave-group message upstream when it shouldn't, and the other is that the ASR9000 router is not correctly performing the last-member-query, or that it is but is not receiving a reply.

My main concern is with the IGMP Leave being sent when it shouldn't, as the ASR9000 Router is on legacy software, and is being deprecated very soon.

Talking with the Cisco engineer, he believes this is intended operation. After I asked for clarification, he reached out to 2 colleagues who indicated the same. So, I'm starting to be of the mind that I'm not processing the flow here correctly, but wanted a 3rd party's take.

I looked in the ASR9000 documentation for snooping, and found the following line, which indirectly seems to back me up:

"If the leave message was from the only remaining port, IGMP snooping removes the group entry and generates an IGMP leave to the multicast routers."

With the above quote, I would think the reverse is true as well? i.e. If the leave message was received on a port that was NOT the last remaining one, IGMP snooping would NOT generate a leave to the multicast routers.

After even more digging, I found the following from Beau Williamson's 'Developing IP Multicast Networks Volume 1'. (the last sentence is the most significant)

"If another IGMP Report is received from a host connected to port 2 (where a last-member-query was just sent out of on an IGMP Snooping switch) then the CPU quietly discards the original Leave Group message from Host 1 (on port 2). If, on the other hand, no IGMP Report is received on this port, then the CPU deletes the port from the CAM table entry. Because other nonrouter ports are still in the CAM table entry, no (leave) message is sent to the router"

The IGMP Snooping RFC didn't seem to give a lot of direction on this specific case, but I could have just misread it.

This problem is consistent and reproducible.

I can include additional info if needed. Thanks!
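The leave handling the post quotes from the ASR9000 documentation and from Williamson, written out as an added toy model (this is example code, not the original post's and not Cisco's implementation; the port names and group are taken from the post, everything else is a simplifying assumption). It models what the quoted text describes: a Leave on one port triggers a group-specific (last-member) query on that port only, the port is pruned if no Report answers, and a Leave goes toward the router only when no member ports remain. It does not model whatever the ASR9000 actually does, which is the open question in the thread.

```python
"""Toy IGMPv2 snooping model for leave handling on a single switch.

Added example, not code from the post or from any Cisco product.
Port names ("Gi1", "Gi2") and group 225.1.1.1 come from the post;
timers are replaced by explicit query_timeout() calls.
"""
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    # group -> set of member ports learned from Reports
    members: dict = field(default_factory=dict)
    # messages the switch emitted: (type, port_or_"upstream", group)
    sent: list = field(default_factory=list)
    # (group, port) pairs with an outstanding last-member query
    pending: set = field(default_factory=set)

    def report(self, group: str, port: str) -> None:
        """Membership Report from a host on `port` joins it to `group`.

        A Report that answers a last-member query cancels the pending prune.
        """
        self.members.setdefault(group, set()).add(port)
        self.pending.discard((group, port))

    def leave(self, group: str, port: str) -> None:
        """Leave Group from a host on `port`.

        The switch does not prune yet: it sends a group-specific query on
        that port and waits for any remaining host there to re-report.
        """
        if port not in self.members.get(group, set()):
            return
        self.pending.add((group, port))
        self.sent.append(("last_member_query", port, group))

    def query_timeout(self, group: str, port: str) -> None:
        """No Report arrived on `port` within the last-member query interval."""
        if (group, port) not in self.pending:
            return
        self.pending.discard((group, port))
        self.members[group].discard(port)
        if not self.members[group]:
            # Only when the last member port is gone does the switch
            # generate a Leave toward the multicast router.
            del self.members[group]
            self.sent.append(("leave", "upstream", group))

    def sent_upstream_leave(self, group: str) -> bool:
        return ("leave", "upstream", group) in self.sent


def scenario_from_post() -> SnoopingSwitch:
    """STBs on Gi1 and Gi2 joined to 225.1.1.1; the STB on Gi1 leaves."""
    sw = SnoopingSwitch()
    sw.report("225.1.1.1", "Gi1")
    sw.report("225.1.1.1", "Gi2")
    sw.leave("225.1.1.1", "Gi1")
    sw.query_timeout("225.1.1.1", "Gi1")  # nothing else on Gi1 answers
    return sw


if __name__ == "__main__":
    sw = scenario_from_post()
    print(sw.members)  # {'225.1.1.1': {'Gi2'}}
    print(sw.sent)     # one last-member query on Gi1, no upstream leave
```

In this model the switch only tells the router about the group once Gi2 also leaves and its last-member query times out; a per-port fast-leave feature, if enabled, would skip the query but still not change the "last port" condition for the upstream Leave.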



Cisco ASA Clientless VPN issue with IIS 10/Server 2016 SSL Sites…Site Unavailable?

We are experiencing an issue where we cannot browse SSL IIS 10 websites on Server 2016 using Cisco's Clientless VPN.

We have a Cisco ASA 5510 firewall running firmware 9.1(7)20 and use ASDM 7.5(2). We have many web servers, but for this issue know we have some Server 2008 R2 6.1 (Build 7601 SP1) with IIS 7.5.7600.16385, Server 2012 R2 Datacenter (6.2 Build 9200) with IIS 8.5.9600.16384, and Server 2016 1607 (Build 14393.1770) with IIS 10.0.14393.0.

When we attempt to use the Clientless VPN through the firewall to access internal resources, we are unable to view SSL protected sites if they are hosted on Server 2016 with IIS 10. We are able to view both http and https sites through the VPN from Server 2008/IIS 7 and Server 2012/IIS 8, and are able to view http sites through the VPN from Server 2016/IIS 10. If we attempt to access an https site hosted on Server 2016/IIS 10 through the clientless VPN, we get a "URL unavailable" message from the firewall. We have confirmed this on 3 servers.

We get the same result if the site is secured with either a domain certificate OR a godaddy wildcard certificate. Both types of certificates work for secure resources on Server 2008/Server 2012.

We performed a Wireshark capture between a working 2012 web server and the firewall, as well as a non-working 2016 web server and the firewall. The traffic followed a similar pattern; however, on the 2016 Server after the certificate exchange there are no more acknowledgments from the server. At the recommendation of some articles we read, we enabled all ciphers on the firewall hoping to circumvent any incompatibility with encryption protocols, but this resulted in identical behavior. The certificate exchange and ciphers packet capture are identical for both the 2012 and 2016 servers. However, after the certificate exchange it looks like the firewall and the server are not encrypting/decrypting traffic correctly.

We're stuck...we're pretty sure the issue is a new configuration in IIS related to SSL, but we've searched the web and crawled through settings and found nothing. If anyone has made the Clientless VPN work with secure IIS 10 sites, or if anyone has any idea of a configuration in IIS 10 that could help us, we'd be extremely appreciative.



Equipment to create "colorized" DWDM signals from white light?

So I've a DWDM project that has some equipment in scope that doesn't support any DWDM transceivers, so I need a device that converts the white light to my channelized DWDM signal to push into my muxes.

I know Cisco has the ONS line that can do this but they're kind of pricey. What other options are out there to convert white light into channelized DWDM signals? Does anyone have a vendor or product they would recommend? Can I get standard 80km out of these?

I have a lot of enterprise/city campus WDM experience but I've always used single channel transceivers that plug directly into my equipment.



Velocloud WAN Circuit Aggregation

Hi guys,

For those of you who have deployed Velocloud, I was wondering if you could answer a few questions I have.

1) Does Velocloud actually aggregate Internet links? Example, if I had 2x50x10 Mbps underlays, then my total aggregated throughput should be 100x20. If I were to go to speedtest.net, would I see that combined speed, since I have read it's not flow or session based?

2) Does Velocloud automatically rate limit individual internet underlays to ensure optimal performance from a latency and jitter point of view?



Small business router recommendation

So I know this is really small time for all of you here at r/networking but I was hoping to get your input. I do some side work for a small tire/mechanic shop and they are currently looking to purchase a router. Their ISP refused to provide the credentials to the supplied router when called and said all they could do is put their device in bridged mode so we can use a third party router. I don't know how common this is but we decided to just purchase one so they had full control over it.

Anyway, the client has 2 workstations that RDP to a Server 2012 box running on consumer grade hardware. From there they run their software to print out receipts, among other things. The only other device on the network is a printer. Everything is wired directly to the ISP router. They don't spend a whole lot on tech and tend to run things until they die. One of the workstations is still running XP for no other reason besides it still works. This is despite many warnings from myself.

Anyhow, I was wondering what you folks would recommend for such a small setup?



Converting a ipv4 multicast to ipv6. Please help!!

How to convert 224.0.0.5 to ipv6:

Why does 224 convert to ff in ipv6?

My thinking is:

 224 0 0 5 

1110 0000 | 0000 0000 | 0000 0000 | 0000 0101

ff 02 0 5

So the answer is: ff02::5 but I don't understand why. When I break up the ff I do this: 1111 1111 - which gets me 255. The ff is referring to the 1st octet for this problem in ipv4 addressing? Why am I wrong?

Please explain in binary, I prefer to learn this way. Thank you.
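An added example (not from the post) that lays the two address formats out bit by bit, which is where the confusion sits: there is no arithmetic that turns 224 into ff. IPv4 class D fixes only the top 4 bits (1110), while an IPv6 multicast address fixes the top 8 bits (11111111) and then carries 4 flag bits, a 4-bit scope and a 112-bit group ID. 224.0.0.5 and ff02::5 are separately assigned well-known addresses that share group ID 5 by assignment (the same holds for ff02::1/224.0.0.1, ff02::2/224.0.0.2 and ff02::6/224.0.0.6); the "02" is the link-local scope, not anything derived from the IPv4 octets.

```python
"""Decode IPv4 and IPv6 multicast addresses into their bit fields.

Added example, not part of the original post. Uses only the standard
library; the field names follow RFC 4291 section 2.7.
"""
import ipaddress


def decode_ipv4_multicast(addr: str):
    """Return (prefix_bits, group_id) for a class D address.

    The class D prefix is the top 4 bits (1110); the other 28 bits
    are the group.
    """
    n = int(ipaddress.IPv4Address(addr))
    prefix = n >> 28
    if prefix != 0b1110:
        raise ValueError(f"{addr} is not an IPv4 multicast address")
    return format(prefix, "04b"), n & ((1 << 28) - 1)


def decode_ipv6_multicast(addr: str):
    """Return (prefix_bits, flags, scope, group_id) for an ff00::/8 address."""
    n = int(ipaddress.IPv6Address(addr))
    prefix = n >> 120              # top 8 bits, must be 11111111
    if prefix != 0xFF:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    flags = (n >> 116) & 0xF       # 0RPT; T=1 means transient (not IANA-assigned)
    scope = (n >> 112) & 0xF       # 1 interface-local, 2 link-local, 5 site, e global
    group_id = n & ((1 << 112) - 1)
    return format(prefix, "08b"), flags, scope, group_id


def ipv6_multicast(group_id: int, scope: int = 2, flags: int = 0) -> str:
    """Assemble an IPv6 multicast address from its fields.

    Defaults give a permanent (flags=0), link-local (scope=2) group,
    which is how ff02::5 is built: ff | 0 | 2 | ...0005.
    """
    n = (0xFF << 120) | (flags << 116) | (scope << 112) | group_id
    return str(ipaddress.IPv6Address(n))


if __name__ == "__main__":
    print(decode_ipv4_multicast("224.0.0.5"))   # ('1110', 5)
    print(decode_ipv6_multicast("ff02::5"))     # ('11111111', 0, 2, 5)
    print(ipv6_multicast(5))                     # ff02::5
    print(ipv6_multicast(5, scope=5))            # ff05::5 (site-local OSPF group would be a different, unassigned address)
```

Reading the output side by side: 224.0.0.5 is 1110 followed by 28 bits holding 5, and ff02::5 is 11111111, then 0000 (flags), then 0010 (scope 2), then 112 bits holding 5. Change the scope nibble and you get a different address in a different scope, which is why the scope is written explicitly rather than inherited from anything in IPv4.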



Palo Alto upgrade and RADIUS issues

We tried to upgrade a pair of HA Palo Alto firewalls over the weekend to a new code revision. After doing so, we found that RADIUS requests were being dropped by an authentication server. After downgrading to a lower version, everything began working again.

My thought now is that there's some change in RADIUS packet structure which is causing the server to drop the query. Has anyone run into this before, and if so, what did you do to fix it?



UCCX call forwarding

Got this CSQ in UCCX built for our help desk. Noticed today that one of the IT techs' phones wasn't working. We figured out the issue. When he forwards his DN to his cell, UCCX tries to follow the path of the call, although I don't think he gets the call on his cell. When we undo the forwarding, it works. I didn't think that UCCX would try to follow the path of what's done on the individual DN? I thought the idea was to keep the calls within the ACD group?



Connecting two sites (currently using team viewer).

Friends family business is looking to connect two sites and asked me for advice (been in IT for a long time) but I don’t know the cheapest most efficient way to set this up. They aren’t a big company with a lot of money.

They are pretty much looking to use their billing software from another location, right now they are just using team viewer to remote the computer that has the software.

I thought about recommending installing on a server and creating a VPN and just using RDP?



Network design (rack, ethernet, cctv) for new building (fire department in Europe)

Hello

I want to submit requirements from the networking/it perspective to the architect. Even if the architect does it on his own, I want to at least compare my requirements against what they suggest.

We currently have 3 pcs + 2 infoscreens which need internet over ethernet access. A lot of people work on mobile devices (may be their own). My main aspect is future proofing (at least the ducting has to be installed).

What I've got so far:

  • central 42U rack in a dry/dust-free room. Will probably only emit 500W of heat. (patch panel, switches, router+modem, QNAP NAS, DokuWiki server, phone system, speaker system for the building, UPS)

  • Cat7a, >=1000 MHz ethernet cables, might be used for PoE, maybe also for security cameras

  • WiFi for the complete building, dual ethernet cables per drop (probably Ubiquiti, guest and internal SSID)

  • cables, or at least ducting, for security cameras on the outside, parking lot, entries and hallway (terminates at the server rack)

  • double ethernet drop to every potential workplace

  • double ethernet drop to every room (minimum, more if the room is larger)

  • power and ethernet socket in the floor of our main assembly room (we do meetings here, will fit up to 60 people)

  • cables for a central phone system, controller should be in the rack

  • preparation for home automation and electrical lock system (at least one cable to every door and vehicle gate)

I need to get the requirements correct at the beginning, installing cables afterwards is possible but requires the ducting, which has to be installed in the building phase.

Are there any guidelines on how to calculate the required distribution of ethernet drops (or at least empty ducting)? Am I missing something obvious?



smoke ping and packet loss

I set up a smoke ping Tuesday night and last night noticed it stopped with packet loss. Can anyone give me any tips on what to do next to fix this problem. My knowledge on this is obviously limited. Thanks for any help.

http://ift.tt/2kUc5r5



http://ift.tt/2huCp8Y

IPv6 enabled Christmas Tree



Joint Comments of Internet Engineers, Pioneers, and Technologists on the Technical Flaws in the FCC’s Reclassification of Net Neutrality

I thought this was a great read. I am not posting this as a debate but more of a technical paper that is a great read.

http://ift.tt/2t9gA3J

If this doesn’t belong as a new thread let me know and I’ll post under the NN thread.



Recommendations with a new network for my small business

Have a team of 15 people working out of a small office in Nepal. We're moving to a new office next month so using it as an excuse to revamp our network. Currently running off of 2 x airport express and a consumer router (fritzbox).

Our new setup will involve two ISP fiber connections (one residential, one business) which we need to have in case one or the other goes down. There are power cuts in the country so I'm currently running the individual routers off of a solar / inverter setup. Needs to support Wake-on-LAN in case our server goes down due to power loss and we're out of the office.

Looking to completely change it up and am looking for suggestions for the following requirements:

  • Wifi support for 20 laptops across two floors + a lot of phones, hoping for minimal speed loss over wifi.

  • Individual LAN for 15 access points (1Gbps support but not loud (small office))

  • Networking monitoring (to see which clients are heavy users) and throttling

  • Seamless switchover from one ISP to another

I'm travelling to Europe this week so would be looking to pick up the equipment over there. Help me /r/networking. Thanks



Wednesday, December 20, 2017

How do I troubleshoot a tracert that dies from one site, but not another?

Specifically, I'm trying to tracert avivaavantage.ca, which has two A records, 192.230.81.161 & 199.83.132.161.

From one site, I can ping / tracert both, but from my 2nd site in Canada, I can only reach one IP, while the other one dies on a cogentco hop.

Does this mean that cogentco has an issue? Is there anything I can do about it or report it to someone? Naturally, the broken A record is the one my most important site resolves to.

...or am I missing something and the issue is really on my side?



Cisco IPSec over MPLS

Hiyo networking gurus of the reddits.

Just after some very basic info/help on getting this working.

A new client really wants some encryption over their newly provided MPLS VPN - i.e. they are not doing the MPLS but they run a hub/spoke network over their providers MPLS, so they see an interface per router with an IP.

Previously I've set this up using DMVPN or similar tech (I'm not usually on Cisco hardware), but what I thought would be handy would just be to encrypt traffic on the interfaces rather than create GRE tunnels over an already 'private' link.

How would one go about setting this up for hub/spoke network? Consider it 1 physical interface on the hub, 1 physical interface on each spoke, and just all traffic between those interfaces encrypted.

Thanks in advance for any help



Cannot ping 2 VMs in Hyper-V

Hello guys, I've made 2 VMs in my Hyper-V and made a virtual private switch for them. Then I tried to figure out if they can talk to each other by pinging them.

I've used Get-NetIPAddress in PowerShell to find what my IP is on both machines and then typed ping XXX.XXX.XXX.XX on both machines, but it said: "Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)". I restarted the machines and tried again and it said:

Pinging 169.254.167.19 with 32 bytes of data:
General failure.
General failure.
General failure.
General failure.

Ping statistics for 169.254.167.19: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

Then I tried again and it said:

Pinging 169.254.167.19 with 32 bytes of data:
General failure.
General failure.
Reply from 169.254.214.123: Destination host unreachable.
Reply from 169.254.214.123: Destination host unreachable.

Ping statistics for 169.254.167.19: Packets: Sent = 4, Received = 2, Lost = 2 (50% loss)

So I tried one last time:

Pinging 169.254.167.19 with 32 bytes of data:
Reply from 169.254.214.123: Destination host unreachable.
Reply from 169.254.214.123: Destination host unreachable.
Reply from 169.254.214.123: Destination host unreachable.
Reply from 169.254.214.123: Destination host unreachable.

Ping statistics for 169.254.167.19: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)

And boom, now I see that I've received these packets, but why does it say "Destination host unreachable"?

Did I do something wrong or is everything alright?



Are networking and SysAdmin synonymous with one another? If not, what are the major differences late career?

So I’ve been learning a lot about networking in the past few weeks, and also about server administration. I’ve heard from several system administrators that SysAdmin requires strong networking knowledge, so it’s very beneficial to have a CCNA. However, apparently there is a difference between a networking administrator and system administrator.

What are these associated differences?



SOHO - Site to Site VPN options

Looking at connecting two remote offices for a customer. I have experience using a Cisco ASA 5505 for S2S tunnels over the public internet, but due to not having deep pockets, what are some open source firewalls (pfSense) that can connect two remote sites?

Anyone have any luck using a online service that provides S2S connectivity?



Blocking unwanted devices on your network

We have a bit of a problem with having random unwanted devices plugged into our network at times. We have some tools to monitor it, but they kinda work retrospectively and we would prefer them to get blocked right away (for example by having an easily manageable whitelist of MAC addresses).

What setup do you guys use to achieve this? Which software and what exactly does it do?



Multiple Site-to-Site VPN Security Question

When setting up site-to-site VPNs out of a data center, is it best practice to just vary the pre-shared key between the different VPNs, or should you vary authentication, encryption, and DH groups too?



Wireless Networking Questions

I am a self-taught amateur eager to learn as much as possible about wireless technologies. Any answers to the following or other learning resource suggestions are greatly appreciated!

  1. What are the basic modulations of LTE, 802.11, & WiMax? I know all modulation is either AM, FM, or PM but I do not know which technology uses which. What are their respective coding techniques? For example, does 802.11 combine Phase Modulation with Quadrature-amplitude shift keying? Which combinations of encoding and keying are the 'best', ie result in the most efficient use of data transmission over physical medium?

  2. Do Wireless Intrusion Detection Systems exist for LTE microcells/picocells ? Do picocells broadcast beacon frames in the same fundamental way as 802.11 WAPs? In general, how does authentication differ between 802.11 and LTE? What is the LTE equivalent of an SSID?

  3. Are there commercial Access Points/picocells that have some sort of modular capability to support other frequencies and technologies (i.e., are there 802.11 WAPs that could easily support LTE bands?)

  4. Is there some table out there of current theoretical maximum data bandwidth to distance for each group of frequencies?

  5. Are there other factors besides coding and keying that significantly influence bandwidth performance, such as actual packet structure? How does an LTE packet compare to an 802.11 packet? Does one have a more efficient header than another, whatever that would mean?

  6. How do LTE, 802.11, and WiMax all compare with respect to QoS? I am referring specifically to prioritization handling of voice and video jitter.


And a few other completely unrelated networking questions that have been keeping me up at night:

  1. Is it possible to route between layer 2/layer 3 protocols and USB? How do USB hubs work, and can they do switching by providing some sort of addressing information? Is there any difference between a USB port and an IP port insofar as routing is done? In principle there is nothing specific about USB I am interested in, you could equally replace USB with serial/parallel ports. Basically I am wondering if there is some way to translate peripheral port technologies to layer 2/3 protocols and how that is handled. Also, is there a way to 'manage' USB traffic (ie drop, queue, log, etc).

Much thanks!



Layer 2 switch configuration

Hoping that someone may be able to point me in the right direction here. Please bear with me, I may not be up on all the proper terminology.

I have 2 separate networks that I'd like to use a wireless P2P link to give one of the outbuildings at my employer network access for various things. Now one network is for the PLCs and is on a different subnet, for security reasons I'd like to keep them from being able to communicate with each other, as the other network is connected to the outside world.

I was planning on using 2 layer 2 switches to do this. Will this work, and if so, would one of you be kind enough to point me in the right direction to change the necessary settings to make it work?

Imgur



Which ASR should I get?

Let me preface this with: I work in a Cisco shop and it would be a really hard sell to convince them to switch to something else.

Going to be upgrading a couple of MPLS circuits and a couple of Internet circuits each at 2 sites by like 10x. It'll be 1G for each MPLS and 500M for each Internet connection, so per site an aggregate bandwidth of around 3G. There's a very real possibility of those numbers at least doubling within 3 years, and I'd prefer not to have to keep telling management "We'll need all new hardware". There's also the possibility of adding additional circuits or dark fiber in the slightly longer term future.

My budget is enough for a single ASR1006-X (redundant 40G ESP and RP) for both sites, possibly with a little wiggle room.

Would you go with the 1006X or some other solution, like multiple ASR1001X?

All the traffic must be encrypted, so it has to be able to handle line-rate IPSEC tunnels over those circuits. Currently we use a ISR4000 series for each circuit and if a router goes down, we lose that link. We would prefer to make things a little more redundant. Bandwidth needs are likely to increase, possibly every year, however I have never gotten accurate projections from the business on bandwidth needs or circuits configurations.

I feel like the 1006 gives us a lot of room to grow, flexibility on circuit bandwidth, hardware redundancy (except the chassis), etc. However a few cheaper routers would probably be able to accomplish the same thing in the right configuration.

Any opinions and reasoning here would be much appreciated.



Fundamental networking question: Packets per second or bytes per second: which is the real limit?

With the rise of IOT and Kafka solutions, I have a question about how to design a load balancer for a large implementation. My service is going to be getting potentially millions of updates per hour, but they are small packets, generally 100 byte updates (800 bits).

The question is about fan out. Does having such a large number of small packets create enough overhead to constrain the total practical, usable, bandwidth?

I have been playing around with the bandwidth calculators, but all they do is compute single stream bandwidth delay products. If I have a hundred sessions, is it fair to add up the Bandwidth Delay Products?

I feel like if I sum up all the sessions and their associated BDP's I am missing an important component of overhead.

If I sum up the BDP's, then with a 100 concurrent session load I will be doing something like 3 million packets per second, and about 2.4 Gb/s.

By one reckoning a single 10 Gb adapter should be able to absorb all this workload, but again, I feel like there is a lot of overhead I am ignoring. My instincts say that no one NIC is really capable of sustaining 3 million packets per second for hours on end, day after day.

What is the practical limit of traffic on a 10Gb interface, assuming lots of small packets?
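The overhead the post suspects it is missing can be put in numbers. This is an added example, not part of the post: it counts what bandwidth-delay calculators ignore, namely that each 100-byte update also carries IPv4 and TCP headers, an Ethernet header and FCS, and 20 bytes of preamble, SFD and inter-frame gap that occupy the wire but never show up in any byte counter. The header sizes assume IPv4 without options and a 20-byte TCP header (no timestamps); those are assumptions, adjust the constants for your stack.

```python
"""Wire-rate arithmetic for small packets on an Ethernet link.

Added example, not part of the original post. Constants are the
standard Ethernet framing sizes; header sizes assume IPv4 without
options and TCP/UDP without options.
"""
ETH_HEADER_FCS = 14 + 4           # dst, src, ethertype + FCS
PREAMBLE_SFD_IFG = 7 + 1 + 12     # per-frame line overhead, never counted as bytes
MIN_FRAME = 64                    # short frames are padded up to 64 bytes
L3L4_HEADER = {"tcp": 20 + 20, "udp": 20 + 8}   # IPv4 + transport header


def frame_bytes(payload_bytes: int, transport: str = "tcp") -> int:
    """Size of the Ethernet frame (header through FCS) carrying one payload."""
    return max(MIN_FRAME, payload_bytes + L3L4_HEADER[transport] + ETH_HEADER_FCS)


def wire_bits_per_packet(payload_bytes: int, transport: str = "tcp") -> int:
    """Bits of link time one packet consumes, including preamble and gap."""
    return (frame_bytes(payload_bytes, transport) + PREAMBLE_SFD_IFG) * 8


def max_pps(link_bps: float, payload_bytes: int, transport: str = "tcp") -> float:
    """Packets per second the link can physically carry at this payload size."""
    return link_bps / wire_bits_per_packet(payload_bytes, transport)


def wire_utilisation(pps: float, payload_bytes: int, link_bps: float,
                     transport: str = "tcp") -> float:
    """Fraction of link capacity used by `pps` packets of this payload size."""
    return pps * wire_bits_per_packet(payload_bytes, transport) / link_bps


def payload_bps(pps: float, payload_bytes: int) -> float:
    """What the application sees: payload bits only (the post's 2.4 Gb/s)."""
    return pps * payload_bytes * 8


if __name__ == "__main__":
    ten_g = 10e9
    # 6-byte TCP payload rounds up to a 64-byte frame: the classic 14.88 Mpps.
    print(f"{max_pps(ten_g, 6) / 1e6:.2f} Mpps at minimum frame size")
    print(f"{max_pps(ten_g, 100) / 1e6:.2f} Mpps at 100-byte TCP payloads")
    print(f"payload {payload_bps(3e6, 100) / 1e9:.1f} Gb/s, "
          f"wire {wire_utilisation(3e6, 100, ten_g):.0%} of 10G")
```

For the post's numbers: 3 million 100-byte TCP packets per second is 2.4 Gb/s of payload but about 43% of a 10G link once headers, preamble and gap are counted, and the link itself tops out near 7 Mpps at that size. That is the physical ceiling; whether a single NIC, driver and receiving stack sustain 3 Mpps is a separate question about per-packet CPU cost and interrupt/queue handling, and is the number to measure on the actual hardware rather than compute.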



I need help with an ACL

Hi all,

I am trying to make an ACL on my layer 3 switches (in HSRP) that would allow a new VLAN on my network to be accessible via RDP and ICMP from all other user VLAN's. Also, the server VLAN needs to do ICMP as well as TCP and UDP 445 to this new VLAN. And the new VLAN needs to access the following on the server VLAN:

  • UDP port 88 for Kerberos authentication

  • UDP and TCP 135 for domain controller-to-domain controller and client-to-domain controller operations.

  • UDP 389 for LDAP to handle normal queries from client computers to the domain controllers.

  • TCP and UDP port 464 for Kerberos password change

  • TCP ports 3268 and 3269 for Global Catalog from client to domain controller.

  • TCP and UDP port 53 for DNS from client to domain controller and domain controller to domain controller.

  • TCP & UDP 49152-65535, the ephemeral ports, are required

  • ICMP (Echo)

The following are the VLAN IDs with the corresponding names:

  • vlan 20: Server VLAN

  • vlan 30-40: all regular user VLANs

  • vlan 184: new restricted VLAN

The following is what I have currently in my ACL but its not working properly:

ip access-list extended RESTRICT-VLAN184-IN
 remark Allow ICMP
 permit icmp any any echo-reply
 remark Allow RDP
 permit tcp any any eq 3389
 permit udp any any eq 3389
 remark Allow VLAN20
 permit tcp any 10.10.20.0 0.0.3.255 eq www
 permit tcp any 10.10.20.0 0.0.3.255 eq domain
 permit tcp any 10.10.20.0 0.0.3.255 eq 443
 permit tcp any 10.10.20.0 0.0.3.255 eq 52230
 permit tcp any 10.10.20.0 0.0.3.255 eq 135
 permit tcp any 10.10.20.0 0.0.3.255 eq 464
 permit tcp any 10.10.20.0 0.0.3.255 range 3268 3269
 permit tcp any 10.10.20.0 0.0.3.255 range 49152 65535
 permit udp any 10.10.20.0 0.0.3.255 eq domain
 permit udp any 10.10.20.0 0.0.3.255 eq 88
 permit udp any 10.10.20.0 0.0.3.255 eq 135
 permit udp any 10.10.20.0 0.0.3.255 eq 389
 permit udp any 10.10.20.0 0.0.3.255 eq 464
 permit udp any 10.10.20.0 0.0.3.255 range 49152 65535
 remark Deny all other VLANS
 deny ip any 10.10.0.0 0.0.255.255
 remark Allow internet
 permit ip any any

Applying the ACL inbound to the layer 3 vlan

interface vlan184
 ip access-group RESTRICT-VLAN184-IN in

If anyone can help with this, it would be very much appreciated. Thanks in advance.
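An added example (not from the post, and not Cisco code) that walks a few test flows through the posted ACL the way IOS evaluates an ACL: first matching entry wins, implicit deny at the end. The addressing is an assumption taken from the wildcard in the post: 10.10.20.0/22 for VLAN 20, 10.10.30.0/24 for one user VLAN and 10.10.184.0/24 for VLAN 184. What it makes visible is direction. `ip access-group ... in` on interface vlan184 filters packets sourced by VLAN 184 hosts, so an RDP session opened from a user VLAN is judged on its return packets, where 3389 is the TCP source port, not the destination; the same applies to 445 from the server VLAN and to ICMP echo from 184 to the servers.

```python
"""Evaluate sample flows against a simplified model of the posted IOS ACL.

Added example, not code from the post or from Cisco. Addresses for the
VLANs are assumptions (see lead-in); packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[str] = None  # "echo" or "echo-reply"


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip"
    src: str                         # CIDR; "0.0.0.0/0" is IOS `any`
    dst: str
    dport: Optional[range] = None    # IOS `eq`/`range` on the destination port
    sport: Optional[range] = None    # IOS `eq`/`range` on the source port
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and (self.dport is None or p.dport in self.dport)
            and (self.sport is None or p.sport in self.sport)
            and (self.icmp_type is None or p.icmp_type == self.icmp_type)
        )


def evaluate(acl, p: Packet) -> str:
    """First match wins; an ACL with no match denies (implicit deny ip any any)."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def eq(port: int) -> range:
    return range(port, port + 1)


ANY = "0.0.0.0/0"
VLAN20 = "10.10.20.0/22"             # the post's 10.10.20.0 0.0.3.255

# The posted ACL, reduced to the entries these flows can touch.
POSTED = [
    Ace("permit", "icmp", ANY, ANY, icmp_type="echo-reply"),
    Ace("permit", "tcp", ANY, ANY, dport=eq(3389)),
    Ace("permit", "udp", ANY, ANY, dport=eq(3389)),
    Ace("permit", "udp", ANY, VLAN20, dport=eq(88)),
    Ace("deny", "ip", ANY, "10.10.0.0/16"),
    Ace("permit", "ip", ANY, ANY),
]

# Same ACL with the VLAN 184 side of the sessions the post asks for inserted
# ahead of the catch-all deny; in IOS syntax: `permit tcp any eq 3389 any`,
# `permit tcp any eq 445 10.10.20.0 0.0.3.255`, and `permit icmp any
# 10.10.20.0 0.0.3.255 echo`.
FIXED = POSTED[:4] + [
    Ace("permit", "tcp", ANY, ANY, sport=eq(3389)),
    Ace("permit", "tcp", ANY, VLAN20, sport=eq(445)),
    Ace("permit", "udp", ANY, VLAN20, sport=eq(445)),
    Ace("permit", "icmp", ANY, VLAN20, icmp_type="echo"),
] + POSTED[4:]

# Constructed packets as the SVI sees them inbound, i.e. leaving a VLAN 184 host.
FLOWS = {
    "rdp_return_to_user":   Packet("tcp", "10.10.184.10", "10.10.30.5", sport=3389, dport=51000),
    "smb_return_to_server": Packet("tcp", "10.10.184.10", "10.10.20.7", sport=445, dport=52000),
    "kerberos_to_dc":       Packet("udp", "10.10.184.10", "10.10.20.7", sport=50000, dport=88),
    "ping_dc":              Packet("icmp", "10.10.184.10", "10.10.20.7", icmp_type="echo"),
    "rdp_opened_by_184":    Packet("tcp", "10.10.184.10", "10.10.30.5", sport=50001, dport=3389),
}


def verdicts(acl) -> dict:
    return {name: evaluate(acl, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    print("posted:", verdicts(POSTED))
    print("fixed: ", verdicts(FIXED))
```

Two things fall out of the run. The posted list denies the return half of every session opened toward VLAN 184 (RDP from users, SMB from servers) and denies 184's own pings to the server VLAN, because only echo-reply is permitted; those are the flows to permit by source port (or with `established`, which is narrower) before the `deny ip any 10.10.0.0 0.0.255.255` line. The second is that `permit tcp any any eq 3389` as written lets VLAN 184 hosts open RDP to every other VLAN, which reads as the opposite of a "restricted" VLAN; if that is unintended, drop it and keep only the source-port entries. Either way this stays a stateless ACL: a firewall or reflexive ACL is the stateful alternative if the port-based holes are too wide.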



Log into netextender with domain creds?

I configured LDAP and can successfully enumerate user info via sonicwalls built in test. I'm really unsure of the next steps...

What I would like to do is have an AD group I set up provision access to its members. I have imported the group, then mirrored the group, but cannot log into NetExtender with domain creds. Any help would be greatly appreciated.



Cisco Wireless Access Point connected to switchport speed 100

We are having wireless speed issues at my work and after checking the switch config I noticed that our Cisco APs were connected to switch ports set to speed 100. My questions are should these ports be set to 1000? Would this greatly improve our wireless performance?

Cisco switch 3650 Cisco AP 1200 series

Thanks!



To stack or not to stack distribution switches?

We have L2/L3 boundary at the distribution level, and usually we have two distribution switches for the building / larger department.

Some of our guys think that stacks are not a good idea, what do you think? I guess some of the issues were that the stacking cables were behind the switches so in a messy cabinet one member was difficult to change. In the newer switches we have the stack cables are in the front of the switch.

In a topology like this: http://ift.tt/2BRaNr6

I think we have two options: either do stacks and etherchannels, or use STP and have only one uplink active at a time?

Any thoughts? Thanks!



DHCP versus static: how do you choose?

In my networking textbook, it specifies that sometimes server administrators will pick different schemes related to DHCP and static network configurations. One of the setups is to use the lower end of the range as static and the upper end of the range as DHCP, mixing them together. Why bother making them at all? Isn't it better to have dynamically configured hosts? Minus servers, of course, because you want those to always have a static IP address, I've heard.



Juniper training suggestions?

We have a new customer whose network consists of Juniper EX8200/4200s for the cores and EX2200/3200s for distribution. I have my CCNP and am comfortable with routing/switching, but 10 minutes in the Juniper CLI and I was lost. Can someone recommend a class that will get me up to speed on this platform? I don't need help with the underlying technology, just the CLI/UI/GUI of Juniper.

As always, thanks r/networking.



[Q - X-post wrong sub] Any diff btw network/TCP-IP stack btw Windows OS workstation and server versions?

Symptoms: delayed response forcing app level "complaints" - RSTs in TCP, or UDP missed heartbeats - on a network showing no packet loss in capture of transactions, just showing that the server app system is not responsive at times.

Can't figure out why we're recording two orders of magnitude more problems, over the same network infrastructure, in a relatively high-speed, high-volume, small-transaction environment, with the server app installed on a Win 7 desktop, vs a server version of Windows running the same server app, installed as a VM in a hypervisor-based environment. Clients are the same. NIC characteristics, RAM, etc. are very close in specs in both environments.

Extra: what windows OS counters would you recommend monitoring, if to reveal $subj, or other problems in the network stack?



IP SLA

Is IP SLA still a good way to go for keeping track of WAN performance?

What other alternates to IP SLA are people using?



Icinga 2 - Monitoring Cisco

Hello,

I was wondering if any of you are using Icinga 2 as a monitoring tool for your Cisco environment. We have a test running for end-hosts and linux servers.

But a quick glance through the tool does not really show an SNMP polling kind of monitoring attached to it. There is an Agent Based Monitoring configuration guide to it:

http://ift.tt/2BF4apz

But in that guide it's clearly stated that the SNMP agent should be on a remote system. I am guessing for most Cisco Switches/Nexus that looks useless? As they are just sending their SNMP polls to a server configured in the start-up configuration.

Anyone with ideas?



Tuesday, December 19, 2017

who makes the *best* cat6 plugs?

I have been running and terminating wire for a very long time, but it's never been the main job I do. So I know some things but I'm coming from a place this isn't really in my wheelhouse necessarily.

  • I have a 4p/6p/8p terminator tool, so old any info printed on it has long since rubbed/scratched off it. I bet this is 10+ years old but has 'normal wear and tear' nothing is particularly broken. I realize this could be the whole root of the problem and am hoping to rule it out. It's probably older than the cat6 standard, but RJ45 is RJ45 on the outside. A new Klein is a trip away if it's needed but I'm not 'supposed' to just go buy myself a new tool to fix this.

  • I have been using Monoprice cat6 wire for years, our company buys boxes of it 10 at a time, usually have 2 or 3 colours on hand so I can pretty well say I could certainly have a bad box, or a bad internal cut on one pair within, but it's not 'bad wire' categorically.

  • We (well I, I don't go through supplies often so I usually just grab a handful of whatever our current stuff is) have the Monoprice cat6 ends with the inserts. I don't love these ends. They aren't the worst to work with, the wire through ones would be easier but these are the next easiest, but I don't know if that comes with caveats.

  • I'm getting a lot of crimps with 3 pair fine and one (usually green, everything we do is A spec) open or intermittent. I'm thinking because it's on the end its either the die isn't crimping it hard as the others, or the insert inside the plug isn't aligned quite right for everything to make contact.

  • I am hoping I can get a recommendation of the best cat6 ends, the best for the money, etc. and fix some of the existing bad crimps proving it's not the wire. If not it gives me pretty good footing to get new crimpers and hopefully for the whole crew. Lot less costly than having the crew come back and pull all these wires a second time.

Thanks in advance.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Meraki firewall on residential Comcast cable modem - does dynamic DNS updates work for you?

I have a Meraki MX64 firewall on a Comcast residential cable modem. A few months ago I had client VPN working with no problems. I used the dynamic DNS service Meraki provided, set up L2TP VPN through the macOS built-in client, no problem. Recently I upgraded my modem to DOCSIS 3.1 to take advantage of the 12 downstream channels that are now available in my area. Since then I have not been able to connect my MacBook (High Sierra) to my Meraki VPN firewall. From the logs it appears phase 1 happens with no problem, but when we move on to phase 2 we don't get a response. I've tried configuring and reconfiguring my client and firewall multiple times. The dynamic DNS for the firewall no longer responds to ping and comes back with no known host. Cisco did reply in response to that and it was quite interesting. But using the WAN IP of the firewall does not resolve the issue either. Here is Cisco's response..

"After looking at your device, it appears that this issue is being caused by Comcast redirecting the http request that we make to determine public IP address of the MX for dynamic DNS purposes. In order to resolve this, you need to contact Comcast and find out why they are redirecting your http traffic. You should also be able to get more information by accessing an http (not https) website from a client using that internet connection, so you can see the redirect page."

So right now I am just curious if anyone else has a Meraki firewall on a residential Comcast cable modem and if the service is working?
Here is the log file from the firewall for the failed VPN connection:

Dec 19 18:31:03 Non-Meraki / Client VPN negotiation msg: failed to begin ipsec sa negotiation.

Dec 19 18:31:03 Non-Meraki / Client VPN negotiation msg: no configuration found for 6.1.0.0.

Dec 19 18:31:02 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport 71.233.0.189[4500]->6.1.0.0[4500] spi=39098493(0x254987d)

Dec 19 18:31:02 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport 71.233.0.189[4500]->6.1.0.0[4500] spi=99050664(0x5e764a8)

Dec 19 18:31:01 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established 71.233.0.189[4500]-6.1.0.0[4500] spi:70f9223a4216f1b8:a614b6c2d51c4277

Dec 19 18:30:36 Non-Meraki / Client VPN negotiation msg: failed to begin ipsec sa negotiation.

Dec 19 18:30:36 Non-Meraki / Client VPN negotiation msg: no configuration found for 6.1.0.0.
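The log above is shown newest-first, which makes the sequence easy to misread. The following is an added example (not from the post, and not Meraki's tooling) that puts the quoted lines back into chronological order, labels each one as IKE phase 1 (ISAKMP-SA), phase 2 (IPsec-SA) or a failure message, and groups them into connection attempts. The year 2017 and the 10-second silence that separates attempts are assumptions; the `no configuration found for` line names the peer address the MX has no policy for, which is the value to compare against what the client actually presents after the modem change.

```python
import re
from datetime import datetime

# Constructed sample: the seven lines quoted in the post, in the newest-first
# order the Meraki dashboard shows them. The year is not in the log; 2017 is
# assumed from the page date.
SAMPLE_LOG = """\
Dec 19 18:31:03 Non-Meraki / Client VPN negotiation msg: failed to begin ipsec sa negotiation.
Dec 19 18:31:03 Non-Meraki / Client VPN negotiation msg: no configuration found for 6.1.0.0.
Dec 19 18:31:02 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport 71.233.0.189[4500]->6.1.0.0[4500] spi=39098493(0x254987d)
Dec 19 18:31:02 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport 71.233.0.189[4500]->6.1.0.0[4500] spi=99050664(0x5e764a8)
Dec 19 18:31:01 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established 71.233.0.189[4500]-6.1.0.0[4500] spi:70f9223a4216f1b8:a614b6c2d51c4277
Dec 19 18:30:36 Non-Meraki / Client VPN negotiation msg: failed to begin ipsec sa negotiation.
Dec 19 18:30:36 Non-Meraki / Client VPN negotiation msg: no configuration found for 6.1.0.0.
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) .*?msg: (?P<msg>.*)$")
PEER_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\[\d+\]->?(\d{1,3}(?:\.\d{1,3}){3})\[\d+\]")

# Substring -> stage label. ISAKMP-SA is IKE phase 1; IPsec-SA is the phase 2
# child SA (here the transport-mode SA that carries L2TP).
STAGES = [
    ("ISAKMP-SA established", "phase1_up"),
    ("IPsec-SA established", "phase2_up"),
    ("no configuration found", "no_config"),
    ("failed to begin ipsec sa negotiation", "phase2_failed"),
]


def parse(text, year=2017):
    """Return (timestamp, stage, (local, remote) or None) events in true chronological order."""
    events = []
    # The dashboard lists newest first; reverse before the stable sort so that
    # events sharing the same second keep their real relative order.
    for raw in reversed(text.splitlines()):
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        stage = next((label for needle, label in STAGES if needle in m["msg"]), "other")
        peer = PEER_RE.search(m["msg"])
        events.append((ts, stage, peer.groups() if peer else None))
    events.sort(key=lambda e: e[0])
    return events


def summarize(events, gap_seconds=10):
    """Split events into attempts (a silence longer than gap_seconds starts a new one)
    and report, per attempt, the ordered stages and the peer pair seen."""
    attempts, current = [], []
    for ev in events:
        if current and (ev[0] - current[-1][0]).total_seconds() > gap_seconds:
            attempts.append(current)
            current = []
        current.append(ev)
    if current:
        attempts.append(current)
    report = []
    for a in attempts:
        peers = {p for _, _, p in a if p}
        report.append({
            "start": a[0][0].isoformat(),
            "stages": [s for _, s, _ in a],
            "peer": next(iter(peers), None),
            "failed": any(s == "phase2_failed" for _, s, _ in a),
        })
    return report


if __name__ == "__main__":
    for attempt in summarize(parse(SAMPLE_LOG)):
        print(attempt)
```

Run against the quoted lines it reports two attempts: the first at 18:30:36 never gets past `no configuration found`, the second at 18:31:01 completes phase 1 and both directions of the phase 2 SA before hitting the same message, which is a different picture from "phase 2 gets no response" and narrows what to ask Comcast and Meraki about.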



A little nexus routing help please.

So I am looking at helping to convert the layer 3 functionality from a 6509 to some Nexus 9Ks, and I am a little confused about setting up the Nexus. There are about 10 static routes that need to be moved to do this. Do I need to add a VRF configuration, or is just moving the static routes and L3 interfaces sufficient?



ISE experts - can I configure a syslog or email alert anytime ISE sees traffic to a site with a self signed cert?

As the title says, I'm trying to get an alert configured so that I can log/track the self signed certs that are hit by my inside clients. I have a very basic SSL rule set up currently, that only looks at cert status, and is set to log to the event viewer, with an action of "Do not decrypt".

It's my understanding that anything that matches the rule should be logged to the event viewer, then sent on to the access control policy for action there. And in fact, I see the events in the connection events log, with an SSL status of "Do Not Decrypt", so it appears that part is working.

The issue I seem to be having is getting notified when this happens.

As I'm typing this, I wonder if I'm actually trying to go about this the wrong way. Would it be easier to just run a scheduled connection events report every 24 hours? If I can eliminate duplicate responder IPs, I think I might get something very useful.

Anyway, sorry if I'm rambling. If you have experience with ISE alerting and/or reporting, I'd really appreciate if you could chime in.



Virtual Lab Question: IOS-XRv, IOSv, or CSR1000v for CCNP

I was one of those people who got a VIRL subscription and found the interface too unforgiving for the precious amount of time I have per day to study. Luckily I now have all the images and a year of image updates. I spun up EVE-NG in Workstation Pro and I was shocked how intuitive it is. The rumors of a near-perfect sim/emu are true! Now I need to pick out which images to use.

I just started my studying for CCNP Route and I have these 3 images: IOS-XRv, IOSv, and CSR1000v. It appears that the CSR1000 is the most resource-heavy of the 3 [I might be wrong]. I'd like to know which image would be kindest on my host resources [Gen 7 i7/32gb of RAM/SSD] and I want to know if these images can do everything I need for CCNP ROUTE. It would be great if one image could do everything I need.

Can anyone give me some insight?



a new source for authoritative routing data in North American region: ARIN WHOIS

I'd like to share an update on some recent routing security activities. The process and use of ARIN WHOIS data as described in this NANOG posting, should make it easier for operators to signal to their peering and upstream providers which ASNs are allowed to originate what IP blocks. I'm open to questions!

http://ift.tt/2BNrVhq



NextGen Firewall Upgrades

I have a few aging ASA5520's that go end of support next year that I am looking at replacing. The 5520 is acting as stateful firewall and is also terminating client vpn connections. We are looking at options for replacement and adding some IDS capabilities as well. We are pretty much a Cisco shop. Would love some community recommendations on what you like to work with, IE PAN Vs Firepower Vs ASA with firepower bolt ons Vs whatever else.

I hear great stuff on Palo Alto's but have never used them. How is their support compared to Cisco TAC. I am just trying to decide a direction to start attacking this and would value people's real work production experiences. Thanks in advance.



Network orchestration

Redditors,

I am done with managing tons of devices with just CLI. It's maddening and very unforgiving. I have 100+ locations worldwide, with mostly Cisco Catalyst infrastructure (from 2940 to current). Is anyone using an orchestration platform out there that brings all configuration, compliance, reporting, and management into a single pane of glass? I'm really looking for a Meraki-esque touch and feel. Also, we are Cisco today, may not be tomorrow, so I'm open to any recommendations.

If I never have to touch the CLI again (for access layer items), I'll die a happy man.

TIA



How can two servers balance load by network?

We had an overload problem on a server and decided to use another old computer as a backup. They are both working on different IPs; now I was thinking of using NAT to balance traffic between the two, but it doesn't seem like the best way to do it.

What is the standard option to balance load between these two IPs? Or what do you use? I tried using Cisco SLB but my 6500 won't accept it.



Building my first medium sized office network. Want some tips on getting the most speed possible!

Hello, so I've been working in the IT field for about 4 years now, but it's mostly been working with individual computers and setting up a network with maybe 12 computers at most. This is my first large project, and while I understand the basics and some intermediate level stuff, I'd really like some tips on how to set up a 30 to 40 computer network with a NAS and about 10 printers.

Long story short I was given this project with the client full and well knowing I was going to be learning as I go. The network was poorly set up to begin with, done by the internet company on a shoe string budget.

First of all, here's a quick and dirty diagram of the network: http://ift.tt/2CGrPVS

There are 2 48-port Catalyst 3560 100 Mbps switches, one for data, the other for VoIP. The server is a Dell of some sort; it seems to be fast enough to not have issues. The router is a NETGEAR Nighthawk X6 AC3200 Tri-Band Gigabit WiFi Router (R8000).

The goal of this network is for everyone to be able to access their files (photos and PDFs mostly) from the server and run their software (it's called Abacus; it's law firm management software).

Now I know one of the biggest issues is the room with 12 computers in it that has only one ethernet wall outlet and several cheap 4 port switches daisy chained together. It has another ethernet output in there, maybe more, but it is not hooked up and many desks are in the way.

The main questions I have are as follows: Is the server room wired correctly? Does it matter where on the network the router is? What can be done about the room with 12 computers and only one or 2 Ethernet outlets? How much will upgrading to 1 Gbps switches help?

And any other information that would be helpful. Thank you so much in advance!



Supervisor desktop not showing teams

We have a new helpdesk queue we're creating. I've got the queue created and am trying to get the manager access to monitor. I created a team and added his name to the team. He's a supervisor but can't see any of the teams? Also, during the install of Supervisor Desktop it didn't ask me for the address of the UCCX server, so how does it know where to connect to?



ssh login-attempts won't take

Ok, Cisco 5548 running 7.0(6). "ssh login-attempts 3" then do a "sh run security all" and I get "no ssh login-attempts"

WTH? Will it stick only after a reload?



Does anyone use LLDP? Any caveats?

We are having a new phone system installed by a 3rd party and they're working with me to get switches and things configured (haven't started yet). We are setting up phones on their own VLAN and we're going to be using LLDP so that computers and phones get ports auto-configured for the correct VLAN.

I never heard of LLDP until recently, so I've begun reading my switch manuals. We have Dell PowerConnect 5500 and N3000 series switches.

So far it makes sense but I just wonder if there are any things I need to know to watch out for.



Network security experts: why are there so many layers of security, rather than a central method for securing all data end to end?

So I’m preparing for the CCNA exam and having fun learning about network security and all of these different security methods. A couple days ago though I heard about this encryption software called Veracrypt that is virtually uncrackable. The NSA hasn’t been able to even break it. It is basically used to encrypt hard disks.

But for networking, we apparently have so many different methods of securing network communications. SSL, WPA 2 AES, certificates to verify back and forth, and probably half a dozen other security methods for wireless networking.

Why not just have one central method using something like veracrypt to encrypt all communications from start to finish across wireless networks? Like, if you sent completely encrypted data with a safer distributed to the parties that are receiving the communications, much like a certificate, what would be the issue?



Using RRs with MPLS - Can't ping between two CEs

OSPF for IGP and all devices know about each other and can ping. The RR is learning routes off both CEs and both CEs are learning the routes from the RR (see "show ip route vrf" section in image) but I just can't ping from R1 to R3 in the VRF.

http://ift.tt/2yY2YdZ

Any advice?



What machine to direct bury cable that doesn't "cut up" the ground?

Hi all, more of a general question...

I'm looking to direct bury some cable. I know about a ditch witch, but I also have seen a machine that will, in one motion, slit a strip in the ground, insert wire, then push down the slit and cover the wire....this leaves the ground looking untouched.

What is that machine called?



Question about this fiber rack mount thing

I know very little about fiber, so I wanted to come here and get some help with this.

We have a couple 3rd party VPN T1 lines coming into our company. One of the vendors called and said they were going to upgrade our T1 to something like a "2.5 meg Ethernet connection". This was months ago and they gave me no details. Then the other day, a telecom company shows up to install fiber and runs a new line from the telecom poles outside all the way to our networking room.

I ended up getting pulled away all day with IT issues and they finished up and left without saying anything. I went into our networking room to check everything and saw that they had installed this in our rack. Now I am trying to figure out what this is.

I assume it is basically like a fiber patch panel that will allow more fiber connections in and out of the building, but I don't know how this works beyond that in both a technical and business sense. There is only one single white fiber line that comes into the building and connects into the back of this and so I am assuming that single line is being split up into 24 individual optic fibers. But does that mean other vendors can use this same line or is it typically limited to the company that owns it?

I guess I'm partially confused because I don't get why one company would install this for use with one single connection. We do have one other fiber connection for our primary ISP and that is a single line that connects to a little vendor-provided, 4 port Cisco switch that converts the fiber to a regular Ethernet cable..

I appreciate any help.



Wireless access point questions

So I have an Asus ac3100 series router and a Netgear ac1750 router.

I currently use the Asus router and it covers my home more than well enough. The problem is, I am using a Netgear USB wifi adapter on my desktop and it's maxing out at about 50mbs. I pay for 100mb down and 10 up.

Could I expect better speeds if I connect my Netgear router in as a wireless access point and hardwire my desktop into the wireless ap? I know that the main router and access point will still be communicating wirelessly which is only half duplex correct? So I'll still get slower speeds than wiring. But I can't run cabling through the house. Anyone have experience with this scenario?

I've tried power line adapters as well and it doesn't get any better than just using the wifi adapter.

Any help is appreciated!



Can someone clear up my ISR WAAS confusion?

Hey guys, My company has recently purchased some WAAS devices in order to improve the throughput on a very low bandwidth network of ours. More specifically, we have bought 2 WAVE594's along with components for ISR-WAAS (HW-upgrades and licenses for ISR4K).

The idea is to run the 2 WAVE594's as CM and WN (1 of each) on a central site with decent bandwidth, and run ISR-WAAS on branch ISR4K routers as the remote WAAS nodes.

However, we're having trouble with the setup. The ISR-WAAS are deployed by applying the EZconfig script, where they are autoconfigured to use AppNav as the interception method. The WAVE594 WAAS node, on the other hand, does not have an AppNav I/O module installed, and must therefore use WCCP (or PBR). After changing the interception method on the WAVE594, we lost connection to all the ISR-WAAS devices, and now I am wondering if it is even possible to have both interception methods used with the same Central Manager. Does anyone have any experience in this regard? Any insight would be much appreciated!



Does using a VPN inside a VM prevent the host traffic going through the VPN?

I've recently started working from home (software dev) and need to connect to my company's VPN so that I can Remote Desktop into my workstation at work. I stream music and download stuff in the day, so I don't want all of my traffic from home going through my company's VPN.

I've set up a VirtualBox VM on my home computer, inside which I connect to the VPN and then RDP into my work machine. Now if I stream music outside of my VM on my home computer, am I correct in thinking that will not go through my company's VPN?



ASR1002-F Question

Greetings all, sorry for my English. Are there any ASR1002-F users out there? I'm currently having some issues with one of the routers. When I plug in 4 SFPs (GLC-SX-MM), the SPA port LED does not show that the SFP is enabled. And I'm sure that the SFP is working, as it is taken from another working unit (ASR1002-F).

When I issue the command "show facility-alarm status", it shows the output below. When I plug in a fiber cable there is no LED, and when I issue the same command the description below still remains.

Source Severity Description [Index]


  • GigabitEthernet0/0/0 INFO Physical Port Administrative State Down [2]
  • GigabitEthernet0/0/1 INFO Physical Port Administrative State Down [2]
  • GigabitEthernet0/0/2 INFO Physical Port Administrative State Down [2]
  • GigabitEthernet0/0/3 INFO Physical Port Administrative State Down [2]

When i took it out

Source Severity Description [Index]


  • xcvr container 0/0/0 INFO Transceiver Missing [0]
  • xcvr container 0/0/1 INFO Transceiver Missing [0]
  • xcvr container 0/0/2 INFO Transceiver Missing [0]
  • xcvr container 0/0/3 INFO Transceiver Missing [0]

Is there a way to enable the SPA port or a command maybe?



SolarWinds - Conditional alerting

Hi all,

Anybody know of any resources or have any pointers as to how to configure solarwinds with conditional triggers of the type:

If latency on NODE is > 500ms more than 5 times in 24 hours an alert is triggered

The above is just an example, we'd be setting them up for things like packet loss too.

I know it's possible, but I'm stumped with regard to how to do it, feel like I'm missing something obvious.

Thanks in advance.



SIP. Why are you the way you are?

OK, it's a long shot posting this here, but I'll take what I can get at this point.

We're setting up a Cisco VCSe deployment that's running through a Palo Alto firewall.

There are two DMZ zones involved, and the basic flow is:

VCS (inside) > (VCSe (inside-DMZ) <-> VCSe (outside-DMZ)) > outside

The VCSe (inside-DMZ) and VCSe (outside-DMZ) interfaces live on the same host, so there's no traffic rules or inspection happening there, but the IPs live on different VLANs in different security zones.

There's a NAT for the outside public IP mapped to the VCSe (outside-DMZ) private IP, it's bidirectional.

There's an application override for SIP traffic to and from the VCSe (outside-DMZ) IP that stops layer 7 inspection on SIP.

The security rules have been totally bypassed for testing for some trusted public IPs. The firewall is basically a router at this point.

STILL! SIP calls fail. TCP handshake failure. Client hello goes out, server hello comes in, and then there's a bunch of retransmissions like the server hello didn't get acknowledged.

We're seeing what Palo Alto support is calling asynchronous traffic issues. VCS team says it's the firewall, firewall support says it's async routing somewhere. ISP says they don't mess with SIP. Would it matter if traffic was coming in on one ISP link and exiting another? I don't know that's happening, but it's been speculated that it could be.

I'm not sure what I think just yet. Anyone set one of these up with Palo Altos? Run into any bizarre trouble? Any thoughts?

I know there's probably not enough info to go off of, if you have any questions or suggestions, I'll be happy to respond and discuss.

Thanks for reading!



Help with small data center design

Hi,
We are mostly a Juniper shop. I am putting together a design for our new datacenter. The situation is it is going to be a multitenant datacenter.

I have high-end SRX in a active/passive cluster. EX4300 and QFX switches. The topology looks like this:

(Internet)----[FW]---[SW]---[SRX]--(datacenter cloud)

I currently have the SRX cluster reth1 trunked to the QFX in virtual-chassis which is the hub to the rest of the L2 domain. The current data center is multi-tenant but separated by VLANs.

The new network for the new data center will be bigger than my current one and needs to be separated from the current one. My plan is this :

  • A new route table for each organization
  • leak the default route and some services from the main route table to the new route tables
  • To reduce the downtime, instead of using virtual chassis, I would create a trunk link between the two ex4300 via the 40Gbps DAC cable. This is because for upgrading and rebooting the switch. The problem that I have is I don't know if I can create an ae interface on a active passive SRX.
  • Then the VMware hosts will have a redundant links to the ex4300

I would rather cluster the two ex4300, but not sure if I can reboot each member individually without getting a downtime for my tenants. I think I can, but could not test this because I don't have a test environment.

(Internet)----[FW]---[SW]---[SRX]--(datacenter cloud) {new rt}---[tenant 1] {new rt}---[tenant 2] 


Show CDP neighbors - confused from output

I'm really confused by the show cdp neighbors command. I was trying to find all the uplinks on our switches; unfortunately they are at a remote site so I can't just go and have a look. I have just started out and got the following output. I am totally confused as I am seeing tonnes of different devices for the same interfaces. It looks like a lot of our Mitel phones are listed. They are all showing as going into the same port though, which is also a port that is being shown as going into a SWITCH2. Any advice on why this is or what this is actually indicating would be really appreciated. I'm still early on in my network career and still trying to get up to speed with things.

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
f09e63c61d43     Gig 1/0/2         179           S I       SF302-08P fa4
ESW-540-8P       Gig 1/0/3         167          S I D      ESW-540-8 g9
CORE_STACK       Gig 1/0/26        124          R S I      WS-C3750G Gig 1/0/28
CORE_STACK       Gig 1/0/25        124          R S I      WS-C3750G Gig 1/0/27
SEP08000F3AA281  Gig 1/0/2         173           H P       Mitel 521 Port 1
SEP08000F151F9C  Gig 1/0/2         158           H P       Mitel 522 Port 1
SEP08000F63F9D4  Gig 1/0/2         145           H P       Mitel 531 Port 1
SEP08000F17C9B5  Gig 1/0/2         132           H P       Mitel 520 Port 1
SEP08000F2D9B53  Gig 1/0/2         129           H P       Mitel 521 Port 1
SEP08000F356F8C  Gig 1/0/2         170           H P       Mitel 521 Port 1
SEP08000F3B1D28  Gig 1/0/2         128           H P       Mitel 521 Port 1
SEP08000F17F9C5  Gig 1/0/3         133           H P       Mitel 520 Port 1
SEP08000F166CA3  Gig 1/0/2         118           H P       Mitel 520 Port 1
SEP08000F17E51F  Gig 1/0/2         150           H P       Mitel 520 Port 1
SEP08000F3A6C17  Gig 1/0/2         178           H P       Mitel 521 Port 1
SEP08000F17CA60  Gig 1/0/2         148           H P       Mitel 520 Port 1
SEP08000F1A88F4  Gig 1/0/2         164           H P       Mitel 522 Port 1
SEP08000F274C3E  Gig 1/0/2         151           H P       Mitel 520 Port 1
SEP08000F37CCBB  Gig 1/0/2         146           H P       Mitel 521 Port 1
SEP08000F17BCCA  Gig 1/0/2         154           H P       Mitel 520 Port 1
SEP08000F2C1AFB  Gig 1/0/3         139           H P       Mitel 520 Port 1
SEP08000F17FBBF  Gig 1/0/3         161           H P       Mitel 520 Port 1
SEP08000F17EB60  Gig 1/0/2         167           H P       Mitel 520 Port 1
SEP08000F2F3429  Gig 1/0/3         164           H P       Mitel 520 Port 1
SEP08000F28E755  Gig 1/0/2         155           H P       Mitel 521 Port 1
SEP08000F17F787  Gig 1/0/2         133           H P       Mitel 520 Port 1
SEP08000F4F6917  Gig 1/0/2         178           H P       Mitel 531 Port 1
SEP08000F273F58  Gig 1/0/2         159           H P       Mitel 521 Port 1
SWITCH9          Gig 1/0/6         155          R S I      WS-C3560- Fas 0/45
SEP08000F48F7FE  Gig 1/0/2         146           H P       Mitel 532 Port 1
SEP08000F26DB8E  Gig 1/0/2         174           H P       Mitel 521 Port 1
SEP08000F2F35AC  Gig 1/0/2         130           H P       Mitel 520 Port 1
SEP08000F35245D  Gig 1/0/2         124           H P       Mitel 521 Port 1
SEP08000F2C1983  Gig 1/0/2         116           H P       Mitel 520 Port 1
SEP08000F28749B  Gig 1/0/2         166           H P       Mitel 521 Port 1
SEP08000F17E606  Gig 1/0/2         126           H P       Mitel 520 Port 1
SEP08000F2CD6B2  Gig 1/0/2         137           H P       Mitel 520 Port 1
SEP08000F26DB6A  Gig 1/0/2         144           H P       Mitel 521 Port 1
SEP08000F2D0CA1  Gig 1/0/2         177           H P       Mitel 521 Port 1
SEP08000F2C16EE  Gig 1/0/2         137           H P       Mitel 520 Port 1
SWITCH2          Gig 1/0/3         134           S I       WS-C2960S Gig 1/0/3
SWITCH2          Gig 1/0/5         141           S I       WS-C2960S Gig 1/0/5
SWITCH2          Gig 1/0/2         134           S I       WS-C2960S Gig 1/0/2
SWITCH2          Gig 1/0/4         134           S I       WS-C2960S Gig 1/0/4
SWITCH2          Gig 1/0/1         129           S I       WS-C2960S Gig 1/0/1
SEP08000F1F35CE  Gig 1/0/3         147           H P       Mitel 521 Port 1
SEP08000F26DC5A  Gig 1/0/2         156           H P       Mitel 521 Port 1
SEP08000F61BEF1  Gig 1/0/2         122           H P       Mitel 532 Port 1
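Reading a table like that by eye is what causes the confusion. Below is an added example (not from the post, and not Cisco tooling) that parses `show cdp neighbors` output and groups the neighbours by local interface, so a port that reports one switch plus a pile of phones stands out from a clean uplink that reports a single switch or router. The sample rows are a constructed subset of the ones above; the list of port-ID prefixes and the token heuristic are assumptions that fit IOS output of this shape. The same report also tells you where CDP needs to stay on (infrastructure-facing ports) and where it is only advertising platform and management details to whatever gets plugged in.

```python
# Constructed sample: a subset of the rows from the post, laid out the way
# IOS prints "show cdp neighbors".
SAMPLE_CDP = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
f09e63c61d43     Gig 1/0/2         179           S I       SF302-08P fa4
ESW-540-8P       Gig 1/0/3         167          S I D      ESW-540-8 g9
CORE_STACK       Gig 1/0/26        124          R S I      WS-C3750G Gig 1/0/28
CORE_STACK       Gig 1/0/25        124          R S I      WS-C3750G Gig 1/0/27
SEP08000F3AA281  Gig 1/0/2         173           H P       Mitel 521 Port 1
SEP08000F17F9C5  Gig 1/0/3         133           H P       Mitel 520 Port 1
SWITCH9          Gig 1/0/6         155          R S I      WS-C3560- Fas 0/45
SWITCH2          Gig 1/0/3         134           S I       WS-C2960S Gig 1/0/3
SWITCH2          Gig 1/0/2         134           S I       WS-C2960S Gig 1/0/2
SEP08000F1F35CE  Gig 1/0/3         147           H P       Mitel 521 Port 1
"""

CAP_CODES = set("RTBSHIrPDCM")
# Port-ID prefixes that are followed by a separate number token ("Gig 1/0/28", "Port 1").
# Assumed list; extend it for other platforms' naming.
PORT_PREFIXES = {"Gig", "Fas", "Ten", "Eth", "Port", "Gi", "Fa", "Te"}


def parse_cdp(text):
    """Turn the neighbour table into a list of dicts (one per neighbour row)."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        t = line.split()
        device, local, hold = t[0], f"{t[1]} {t[2]}", int(t[3])
        i, caps = 4, []
        # Capability column is a run of single-letter codes.
        while i < len(t) and len(t[i]) == 1 and t[i] in CAP_CODES:
            caps.append(t[i])
            i += 1
        rest = t[i:]
        if len(rest) >= 2 and rest[-2] in PORT_PREFIXES:
            port, platform = " ".join(rest[-2:]), " ".join(rest[:-2])
        else:
            port, platform = rest[-1], " ".join(rest[:-1])
        rows.append({"device": device, "local": local, "holdtime": hold,
                     "caps": set(caps), "platform": platform, "port": port})
    return rows


def classify_ports(rows):
    """Group neighbours by local interface and label what the port looks like."""
    by_port = {}
    for r in rows:
        by_port.setdefault(r["local"], []).append(r)
    report = {}
    for local, nbrs in by_port.items():
        caps = set().union(*(n["caps"] for n in nbrs))
        infra = bool(caps & {"R", "S"})
        hosts = bool(caps & {"H", "P"})
        if infra and hosts:
            kind = "mixed"            # a switch and end devices behind the same port
        elif infra:
            kind = "infrastructure"   # a plain uplink or downlink to another switch/router
        else:
            kind = "end devices"
        report[local] = {"kind": kind, "count": len(nbrs),
                         "devices": sorted({n["device"] for n in nbrs})}
    return report


if __name__ == "__main__":
    for port, info in sorted(classify_ports(parse_cdp(SAMPLE_CDP)).items()):
        print(f"{port:12} {info['kind']:15} {info['count']:3}  {', '.join(info['devices'])}")
```

On the constructed subset, Gig 1/0/25, 1/0/26 and 1/0/6 come out as infrastructure with one neighbour each, while Gig 1/0/2 and 1/0/3 come out as mixed: a switch neighbour and phones on the same port, which is the pattern to investigate before treating either port as a simple uplink.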


Putting firewall behind another router firewall/router for VLANs

G'day,

I have a client who has a SonicWall NSA 4600. I thought they were going to bring in a new internet line, but it seems like they want to use their existing one.

I need VLAN access to at least 1024 IPs so I would use the Sonicwall to do that, but can I put the Sonicwall behind their office firewall/router, and give the Sonicwall WAN IP an internal IP from their office firewall?

I suppose another option would be to try and get their ISP to provide them with another public IP and then attach the Sonicwall directly to that assignment.

Any thoughts? Thanks for your help!



Checkpoint training resources

Dear Networkers, Do you know any fancy training resources for Checkpoints, I have tried to find something interesting but no success.



Monday, December 18, 2017

Upgrading SonicWALLs

Hi All,

Every time I go to upgrade from a SonicWALL to another the process goes something like this:

  • Check compatibility matrix to see if the two models are fully compatible. Pray. Sometimes they are sometimes they aren't. I'll even try a partial sometimes.

  • Upload config. Pray. Check nothing is lost in config conversion. Usually there is, so I go to the manual method.

  • Manually go through each GUI menu and copy config by hand, recreating every object, group, policy, etc. via GUI and hope I don't miss anything.

  • Swap firewalls and test.

I've even converted the .exp file to readable text, but the configuration text is close to impossible to be human readable and definitely wouldn't be easy to do a diff of two configs. Any sort of configuration analysis program I've found is either out of date or does not support many models.

Most of my experience is with Cisco configs which are very readable, both Catalyst and ASA. Even FortiGate has human readable configs and a decent CLI. SonicWALL has neither. Does anybody here deal with this or have a better method of upgrading SonicWALLs than having to go through page after page of GUI config?

I'm working in a Dell shop, so I'll have to deal with these for a while. At least their switches are close enough to Cisco to be usable. Ugh.

Thanks in advance!



Security concerns with voice vlan?

I am cleaning up our switch configs and was wondering if there is any security risk with adding the voice VLAN to every access port. Currently I only add it to ports with phones connected, but that creates troubleshooting work for my Help Desk when users move desks.

Here is the config I would use...

 switchport access vlan 500
 switchport voice vlan 400
 switchport mode access

If there is a better way to do it, I am all ears. I am still learning and working towards my CCNA.
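The risk worth naming here: an access port with a voice VLAN accepts 802.1Q frames tagged with that VLAN from whatever is plugged in, so with only the three lines above a PC can put itself into VLAN 400 by tagging its own frames. What keeps that in check is admission control on the port (port security or 802.1X in multi-domain mode) plus filtering between the voice and data VLANs, and BPDU guard so a hub or rogue switch on the desk cannot join spanning tree. The following is an added example (not from the post, not Cisco code) that audits a running-config for voice-enabled access ports missing those controls. The config excerpt is constructed; the set of checks is one reasonable baseline, not a complete standard.

```python
# Constructed running-config excerpt (not from the post): three voice-enabled
# access ports with different levels of hardening, plus an uplink to skip.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 500
 switchport voice vlan 400
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport access vlan 500
 switchport voice vlan 400
 switchport mode access
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 switchport access vlan 500
 switchport voice vlan 400
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
!
"""


def parse_interfaces(cfg):
    """Return {interface name: [stripped config lines]} from an IOS-style config."""
    stanzas, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            stanzas[name] = []
        elif name and line.startswith(" "):
            stanzas[name].append(line.strip())
        else:
            name = None  # "!" or any top-level line ends the stanza
    return stanzas


def audit_voice_ports(cfg):
    """Findings per access port that carries a voice VLAN (empty list = nothing flagged)."""
    findings = {}
    for name, lines in parse_interfaces(cfg).items():
        def has(prefix, lines=lines):
            return any(l.startswith(prefix) for l in lines)
        if not (has("switchport voice vlan") and has("switchport mode access")):
            continue
        f = []
        port_sec = has("switchport port-security")
        dot1x = has("authentication port-control auto")
        if not (port_sec or dot1x):
            # Nothing stops an arbitrary device from tagging into the voice VLAN.
            f.append("no_admission_control")
        if port_sec and not has("switchport port-security maximum"):
            # Default maximum is one secure MAC; a phone plus a PC behind it is two.
            f.append("port_security_default_maximum")
        if dot1x and not has("authentication host-mode multi-domain"):
            # Multi-domain is the 802.1X host mode meant for one phone plus one PC.
            f.append("dot1x_not_multi_domain")
        if not has("spanning-tree bpduguard enable"):
            f.append("no_bpduguard")
        findings[name] = f
    return findings


if __name__ == "__main__":
    for port, f in audit_voice_ports(SAMPLE_CONFIG).items():
        print(port, "OK" if not f else ", ".join(f))
```

With the voice VLAN on every port, a script like this is the compensating control: it makes the question "which ports let anything on the desk into VLAN 400" answerable from the config rather than from memory of where phones are.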



How does Cisco IP SLA work?

A customer I work with has two buildings. Both have their own networks, cores, ISPs, and ASAs. In each building we have IP SLA echo configured to reach out to something reachable at their ISP. If the IP SLA fails to get a response from whatever it is pinging, it will cause the core switch in that building to send its default traffic to the core of the other building, which will then send the traffic out its own ASA to its ISP.

Over the weekend we had both ISPs go down, which created a loop of building A sending traffic to building B and building B sending traffic to building A. I changed the weighted default route to send traffic from building A directly to the building B ASA instead of the core, and this ended the loop and brought everything back up.

Immediately when I made the change the loop stopped and both SLAs on both cores could reach their respective paths on their own ISP. The question is: regardless of the loop, shouldn't the SLA on each core switch from each building still be trying to get to its destination via the original default route to its own ASA and not via the weighted one to the other building? If it could, then the loop would have corrected itself... correct?
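The mechanism behind the question: an IP SLA echo probe is forwarded like any other packet, by whatever the routing table says at the time, so once the tracked default has fallen over to the other core the probe follows it too. The usual way to keep the probe on the path it is supposed to be testing is a /32 static route for the probe target via the site's own next hop, which the tracked default never overrides. The following is an added example (not from the post, not Cisco code) that models both buildings as next-hop lookups and traces where a probe goes under the original design, under the change described above, and with the probe target pinned. Node names, the single probe target per site and the "ISP reachable means delivered" simplification are all assumptions of the model.

```python
from dataclasses import dataclass


@dataclass
class State:
    isp_a_up: bool
    isp_b_up: bool
    track_a_up: bool   # what Core_A's tracked probe last reported; can lag the real ISP state
    track_b_up: bool


def build_tables(state, backup_via_other_asa, pin_probe):
    """Return {node: lookup(dst) -> next hop or None (drop)}.

    backup_via_other_asa=False: floating default points at the other core (original design).
    backup_via_other_asa=True : floating default points at the other site's ASA (the change made).
    pin_probe=True            : /32 route for the site's probe target via its own ASA, so the
                                probe ignores the tracked default (assumed remedy).
    """
    def core(site, other):
        own_asa, other_core, other_asa = f"ASA_{site}", f"Core_{other}", f"ASA_{other}"
        track_up = state.track_a_up if site == "A" else state.track_b_up

        def lookup(dst):
            if pin_probe and dst == f"probe_{site}":
                return own_asa                      # host route wins over the default
            if track_up:
                return own_asa                      # tracked primary default
            return other_asa if backup_via_other_asa else other_core  # floating default
        return lookup

    def asa(site):
        up = state.isp_a_up if site == "A" else state.isp_b_up
        return lambda dst: (f"ISP_{site}" if up else None)

    return {"Core_A": core("A", "B"), "Core_B": core("B", "A"),
            "ASA_A": asa("A"), "ASA_B": asa("B"),
            "ISP_A": lambda dst: "INTERNET", "ISP_B": lambda dst: "INTERNET"}


def trace(tables, src, dst, max_hops=8):
    """Follow next hops from src; returns (path, 'delivered' | 'dropped' | 'loop')."""
    path, node = [src], src
    while node in tables:
        nh = tables[node](dst)
        if nh is None:
            return path, "dropped"
        path.append(nh)
        if path.count(nh) > 1 or len(path) > max_hops:
            return path, "loop"
        node = nh
    return path, "delivered"


if __name__ == "__main__":
    both_down = State(isp_a_up=False, isp_b_up=False, track_a_up=False, track_b_up=False)
    a_restored = State(isp_a_up=True, isp_b_up=False, track_a_up=False, track_b_up=False)
    for label, st in [("both ISPs down", both_down), ("ISP A back, track still down", a_restored)]:
        for via_asa, pin in [(False, False), (True, False), (True, True)]:
            path, result = trace(build_tables(st, via_asa, pin), "Core_A", "probe_A")
            print(f"{label:30} backup_via_asa={via_asa!s:5} pin={pin!s:5} {result:9} {' > '.join(path)}")
```

Two things fall out of the traces. With both ISPs down, the original design loops Core_A > Core_B > Core_A while the change drops at ASA_B instead, which is why the loop stopped. But once ISP A comes back, neither design lets Core_A's probe see it: the original loops, the changed one sends the probe out ASA_B whose ISP is still down. Only the pinned /32 carries the probe via ASA_A, so the track can recover and the default can fail back on its own.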



Weird network issue - Please help

Howdy all,

This weekend, I moved our 3x ESXi servers and NAS from one building to another.

In that process, we ran into switch issues and ended up plugging all three hosts into a single, dumb Netgear switch (no redundant connections, for now).

Within each host, we have a single vSwitch with no VLAN settings.

Testing with 3 VMs has revealed some interesting issues. All three are running on the same vSwitch, in the same host, using DHCP.

Of these VMs, 2 cannot ping our firewall or one of our switches, and the third can ping everything no problem.

Anyone have any ideas of where I can begin to look?

Please and thank you!



Beware of Comcast Fiber - As if anyone didn't know.

2 clients wanted Comcast fiber. 4 total sites. Ordered 5 static IPs for all sites.

Service was brought into the wrong closet at 2/4 sites.

Comcast notified us of the site install 1/4 times.

3 weeks later and service only works at 1/4 installs.

Service was tested 1/4 installs. We know service wasn't even tested after install because the initial support contact confirmed all interfaces were disabled on the 3/4 Ciena delivery switches.

Blocks of 5 statics were only provisioned for 1/4 sites.

3 weeks after first support call and I'm still just trying to explain to them that the service doesn't work at all for most sites. I've spoken to 4 people and still have yet to get through to someone who understands what a WAN IP block is.



Link aggregation, diverse paths, and out of order frames

Are out-of-order frames really an issue on most LACP LAGs? Since most vendors use a hash on L2, L3, or both headers, any given flow would take the same physical link, correct? I have seen multiple service providers refuse to build LAGs on paths with unequal latency out of fear for this issue. As a result, they will avoid using diverse fiber routes (reducing redundancy.) If they have to use diverse paths, they will create multiple L3 links and use multipath or similar to balance traffic out. This seems like it could be worse for out-of-order frames since depending on the hardware, path selection might be more finicky.

So in that case, it seems using multiple L3 paths would either pose the same or greater risk of being out-of-order than if they were LACP, but never less. I imagine this would vary by vendor, but it seems you would always be safer just using a LAG as nearly everything uses some hashing on the headers.

Do you have policies about using diverse / unequal latency paths for LAGs? Has anyone ever actually seen problems with that kind of configuration?
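The reasoning in the post can be made concrete. Below is an added example (not from the post, not any vendor's code) that sends one flow's packets across a two-member LAG whose links differ in latency, once with per-flow hashing and once with per-packet spraying, and reports whether the packets arrive in order. SHA-256 over the 5-tuple stands in for whatever hash a given ASIC uses; the latencies, packet spacing and the "link fails mid-flow" case are constructed. That last case is the one a diverse-path LAG does expose: when a member drops and the hash moves the flow from the slow link to the fast one, packets already in flight on the slow link land after the ones sent later.

```python
import hashlib
from collections import namedtuple

Flow = namedtuple("Flow", "src dst sport dport proto")


def member_link(flow, n_links):
    """Pick a LAG member from a hash of the flow's L3/L4 headers.
    Real hardware uses its own hash; SHA-256 here just means 'deterministic per flow'."""
    key = f"{flow.src}|{flow.dst}|{flow.sport}|{flow.dport}|{flow.proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_links


def per_flow(flow, seq, n_links):
    return member_link(flow, n_links)


def per_packet(flow, seq, n_links):
    # Round-robin spraying: what an LACP LAG does NOT do, shown for contrast.
    return seq % n_links


def arrival_order(flow, n_packets, link_latency_ms, chooser, spacing_ms=0.1):
    """Send n_packets of one flow spacing_ms apart, each over the link chooser picks,
    and return their sequence numbers in arrival order."""
    arrivals = []
    for seq in range(n_packets):
        link = chooser(flow, seq, len(link_latency_ms))
        arrivals.append((seq * spacing_ms + link_latency_ms[link], seq))
    arrivals.sort()
    return [seq for _, seq in arrivals]


def in_order(seqs):
    return all(a < b for a, b in zip(seqs, seqs[1:]))


def links_used(flows, n_links):
    """Which members a set of flows lands on (shows the hash spreading across the LAG)."""
    return {member_link(f, n_links) for f in flows}


def slow_link_fails_after(k):
    """Chooser for the failure case: first k packets on the slow member, then it drops
    and the flow is re-hashed onto the fast member."""
    return lambda flow, seq, n_links: 1 if seq < k else 0


if __name__ == "__main__":
    f = Flow("10.0.0.1", "10.0.0.2", 40000, 443, 6)
    lat = [1.0, 5.0]  # ms: diverse paths, member 1 is the long way round
    print("per-flow hash   :", arrival_order(f, 10, lat, per_flow))
    print("per-packet spray:", arrival_order(f, 10, lat, per_packet))
    print("member 1 fails  :", arrival_order(f, 10, lat, slow_link_fails_after(5)))
```

Per-flow hashing keeps one flow on one member, so unequal latency across members never reorders it; spraying and a mid-flow member change do. Whether to accept diverse paths in a LAG therefore comes down to how much reordering you tolerate at the moment a member flaps, not to steady-state operation.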



Smaller-Scale Route Reflector Design Question

I am re-evaluating our datacenter interconnect and regarding iBGP I have some design questions on using route reflectors.

I currently am using static routing with tracked objects to automate IP failover between our sites. We have BGP edge routers in each site, with Firewalls that have synchronized configurations. If site A is to become unavailable, the tracked object for the Public IPs routed to the firewalls at Site A will point to Site B's firewall. While a good fit for the time when it was put together initially, as we have expanded it's becoming more cumbersome to add and track many static routes and I would like to have the Firewalls participate in iBGP to advertise their public subnets up to the edge routers.

Due to the rules of iBGP, it seems that I should have a Route Reflector cluster set up, so that routes from Site A are learned at Site B and vice-versa.

Would it be best practice to use a dedicated Router or VM at each site to operate as route reflectors, or would a better approach be to configure our edge routers themselves as route reflectors, saving the need for added complexity?

I've put a diagram together here: http://ift.tt/2BsWbf3 showing a generic view of our topology with the two options. Please let me know if I'm at least on the right track here or if I should even be looking at a different direction to help handle the failover.

Thanks!!



Aruba 0.0.0.0 IP Issue

Hi, I am trying to figure out how to get my bridged VLAN to pass client info to the controller, if it's even possible. They pull an IP fine and have internet access, so it's not that they aren't getting one. In the dashboard, however, they show as 0.0.0.0 for the bridged clients. In the end I will have it tunneled and set up correctly, but this is how I need to keep it for the migration process. This is at a school; the admin and academic networks used to be on an Instant setup where the academic was its own separate entity. The IPs showed fine on this setup. http://ift.tt/2CzmBel. They have since been connected to the main network with fiber and moved to a controller. http://ift.tt/2BtUM8g Now the bridged academic network will not show the IP of the client. I am not sure what I am missing. I have created rules on the FortiGate to allow traffic between the networks, allowing the academic 10.58.x.x to talk to both the controller and the APs' subnet, but it didn't help. Any ideas?



Network Performance Monitors

This is a X-Post of mine from r/sysadmin. I am looking for all the help I can get.

I have wandered into an interesting problem that could use some insight from more experienced hands.

Background: I am a network engineer for a Fortune 500 Company. We have a very large presence over the entirety of the lower 48. We are very short staffed.

Problem: We are currently trying to monitor uptime of our devices across the US via Solarwinds NPM. We are monitoring a large swath of devices that seems to be beyond what solarwinds can handle. We are monitoring 108,187 unique devices.

SolarWinds Physical: Seven servers. The primary has 8 threads of an Intel Xeon E5-2670 v3 and 32 GB of RAM; this server handles the primary poller, the web console, and config backups for a small portion of devices (about 1000). The six secondary pollers are running half the threads and RAM. All seven are VMs. We are on SolarWinds NPM 12.1 and NCM 7.6. They are being upgraded to 12.2 and 7.7 respectively today.

Problems with this setup: There is a two fold issue with our setup. First, the pollers are only designed to handle around 11,000 devices. Second, the collector service that aggregates the data from the pollers is only 32-bit.

Observations from the first problem: the vast majority of the data we collect with SolarWinds is ICMP and round trip times. As such, the pollers themselves are not stressed. However, they do poll quite a large number of devices, between 15,000 and 19,000 per poller.

Observations on the second problem: When the primary server goes to aggregate the data to push it to our SQL Database, the process that does so (which is 32-bit) runs itself up to 4gb of ram usage, hangs, then crashes.

I have been back and forth with SolarWinds Support on this for over a month now and we are currently looking for options.

Has anyone else experienced this issue and can provide insight? Alternatively, does anyone have any suggestions on programs that would be able to handle 108K devices on ICMP and Round Trip time?