Saturday, January 6, 2018

New CCNA Resume Advice from a completely different field with no experience in networking

I was looking for earlier posts in here about resume help. But most people had already had prior experience, so then I got confused.

I just got my CCNA, and am switching fields (I was pre-med and just graduated from undergrad with a biology major and related experiences, such as tutoring and volunteering in hospitals/medicine). So my resume was filled with things that are not networking related.

Since I have no prior experience working in this new field at all, how should I format my resume to send it out for job apps? For a skills section (if that is a section on the new resume), would you list the stuff learned from the exam blueprint (can configure/verify ___? etc.)?

Any help/advice would definitely help, thank you so much!



Rack Install Easily Deployable Shelf? Help?

I do nearly all installs by myself. Trying to balance a switch and mount it into a cabinet can be difficult depending on the patch panels and other gear in there. I was curious if anyone has seen, made, reworked something to basically be a quickly deployed shelf to throw the devices on to mount then detach?



Locating and finding information about Cisco hardware

With the new kernel side channel exploit I am trying to figure out if the CPUs used in our Catalyst and Nexus series switches and routers have the potential to be compromised. However, I'm having trouble finding information on what type of CPU is being used.

Where am I able to find this information?



[Question] Running long ethernet under door. Will this flat cable work or is interference an issue?

I may need to temporarily (few months) run an ethernet cable between two rooms that go under the doors. Was considering this ethernet cable since I don't want the door to kink the wire but heard that flat cables, especially at long runs, can introduce interference which I do not want. The cable I linked to is apparently an unshielded twisted patch cable with RJ45 connectors. Is this a bad idea and I should just go with a rounded cable or is the flat one fine?



Cisco 1252G WAP upgrade woes

Working with Cisco APs AIR-LAP1252G-A-K9 in LWAPP mode. They are currently running 7.3 and I updated the controller to 8.2... The issue comes down to the APs being stuck in "downloading" mode for more than 24 hours; I can't even pre-download the new image from the controller to the devices, nor apply the old 7.3 image as the backup (showing as none / 0). The strange part is that some of the APs that aren't that model, that were bought and converted to LWAPP, download the 8.2 image without issue and work within 5 minutes.

Luckily I can revert to the older version as the backup image on the controller, reversing the issue... but it would be nice to figure out if this has to do with the age of the APs or a strange bug. If it's a bug, is the only way to circumvent this to manually update the APs through TFTP? What's the best method to do so?



[Question] Besides the cost, what's the difference between the Fluke Pro3000 Tone Generator vs Fluke Intellitone 200?

I'm looking at purchasing a replacement Tone Generator for my kit, and I'm trying to figure out if there's a reason to buck-up for the Intellitone 200, or if they both effectively do the exact same thing.

This will be used primarily for CAT5e/6 data runs, with the potential for an occasional analog phone/PSTN line.

If I'm being dumb by going the Fluke route, I'd be happy to hear any recommendations for alternatives. This is intended for a permanent network kit with mostly Fluke equipment, so quality is important enough to not go with a bargain-bin $12 unit that will break after a month of light to moderate use.



Tool suggestions

Hopefully this is not too off topic for this group. I am looking to upgrade my punchdown tool to a rapid termination tool, but I have some questions.

Is there really only the JackRapid from Fluke and a Paladin one to choose from, besides the brand-specific tools? Which keystone jacks are popular enough to warrant a purchase of a head for them (how many people use Leviton vs CommScope)?

I am installing CAT6 jacks next week but will be installing 6A in the future. I am looking for products with the most versatility.



[HELP!] FastIron firmware

I accidentally deleted the primary and secondary firmware for the FastIron Edge Switch 2402-POE switch, and I can't find where to download the firmware online.



Issues with WiFi

Okay so, basically I had a wireless router in the middle of the house on the bottom floor where we live. My Shield TV box in the front of the house would disconnect from the wifi quite often, so I decided to move the router to the front of the room and plug ethernet into the Shield TV. That problem's fixed.

Now, our bedroom at the back of the house has no access to Ethernet or cable of any kind, so we rely on wifi there. Ever since I moved the router, the wifi disconnects sometimes or the signal gets very poor and Netflix buffers; we didn't have this issue at all before.

Now what I'm asking, without buying 50 feet of Ethernet cable and running it through the house, what are my best options? Buy a WiFi extender and plug it into somewhere in the bedroom?

If so which one should I get? Preferably under 50$.

Thanks a lot for the help!



Layer 2 & Layer 3 switches

I'm pretty new so please bear with me.

There was a situation that required certain ports to be configured into a specific vlan. (This occurs when there's a new setup with these machines in a different location, but they require a specific vlan to get an IP address; trying to be vague in order to not pinpoint where I work.) I usually use switchport access vlan (vlan name) and call it a day.

However, I noted that the vlan doesn't reside in that switch, and when searching for all vlans, it wasn't listed there. Usually I would attempt to trunk the port by checking cdp neighbors but wasn't too comfortable with it. I asked my co-worker to help, and our lead mentioned that it's a layer 2 switch and that vlan doesn't reside on that layer 2 network. After back and forth name calling and bashing from the other department who made that original request, they resolved the issue. (My assumption is that they plugged into the layer 3 switch instead.)

This is what I know for sure before this hoopla happened: I know that VLANs are layer 2. I know layer 3 has IP addressing.

The switches were: 3560a, and 3750xa

Do the layer 3 switches allow the VLANs to pass traffic across a trunk through routing, while the layer 2 switch can't do that?

I'm trying to understand this better so when I have to explain it, not only does it make sense to me but I can interpret my answer multiple different ways because not everyone can understand one way of answering a question.



Mac popularity vs Windows

Hey guys,

Just a question... how come so many network engineers seem to default towards a Mac for their engineering work versus a Windows machine? I'm not really a fan of Mac but I've probably never really given it a chance.

I've used Linux a bunch of times and sometimes use the Windows Ubuntu bash shell for a few things, but I'm curious to see why people use Mac so much, because it seems like half the time they are having to use VMware or Parallels to run a Windows machine for certain tasks!

Curious as to people's thoughts :)



Some questions about Juniper QFX5200-32C

We are looking at various solutions for 1-RU 100 Gig for a new DC project. Most of the vendors have a similar/identical model that compares, only Juniper's had some anomalies.

They list their system throughput the same as the other vendors do... but they list the packets per second forwarding rate as nearly half of the other three competitors. What does that mean?

They all list "up to" 6.4Tbps throughput, but for forwarding capacity the QFX lists up to 2.4bpps while three other vendors listed their switches up to 4.5bpps.

Can anyone explain what that means exactly? Is it accurate and truthful?

My other two questions: it also had a much, much lower list price... do you need a "basic license" to even turn the thing on? And when did that thing first come out? Can't find the date.

It's really hard to compare across vendors.
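A worked calculation, added here and not taken from the post or from any vendor's datasheet, showing how a throughput figure in Tbps and a forwarding rate in packets per second relate. It assumes that the 6.4 Tbps "system throughput" is quoted full duplex (32 × 100G × 2), that the pps figure is per direction, and that every frame costs 20 extra bytes on the wire for preamble, SFD and inter-frame gap. Under those assumptions it computes the packet rate needed to run 64-byte frames at line rate and the smallest frame size each listed forwarding rate can sustain at full throughput:

```python
# On-the-wire cost per Ethernet frame beyond the frame itself: 7-byte preamble,
# 1-byte SFD and 12-byte inter-frame gap. A 64-byte frame occupies 84 bytes.
WIRE_OVERHEAD_BYTES = 20


def per_direction_bps(system_throughput_tbps):
    """Assumption: the datasheet 'system throughput' is full duplex, so the
    per-direction figure (what a pps rate is compared against) is half of it."""
    return system_throughput_tbps * 1e12 / 2


def pps_for_line_rate(system_throughput_tbps, frame_bytes):
    """Packets per second needed to fill one direction at a given frame size."""
    wire_bits = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return per_direction_bps(system_throughput_tbps) / wire_bits


def min_line_rate_frame_bytes(system_throughput_tbps, forwarding_bpps):
    """Smallest frame size the stated forwarding rate can move at full
    throughput; below it the pps figure, not the Tbps figure, is the limit."""
    bits_per_packet = per_direction_bps(system_throughput_tbps) / (forwarding_bpps * 1e9)
    return bits_per_packet / 8 - WIRE_OVERHEAD_BYTES


def summarize(system_throughput_tbps, forwarding_bpps):
    """Put the two comparisons a buyer cares about side by side."""
    needed = pps_for_line_rate(system_throughput_tbps, 64)
    return {
        "pps_needed_at_64B": needed,
        "line_rate_at_64B": forwarding_bpps * 1e9 >= needed,
        "min_line_rate_frame_bytes": min_line_rate_frame_bytes(system_throughput_tbps, forwarding_bpps),
    }


if __name__ == "__main__":
    # Figures quoted in the post: 6.4 Tbps for everyone, 2.4 Bpps versus 4.5 Bpps.
    for label, bpps in (("QFX5200-32C listing", 2.4), ("other vendors' listing", 4.5)):
        s = summarize(6.4, bpps)
        print(f"{label}: 64B line rate needs {s['pps_needed_at_64B'] / 1e9:.2f} Bpps; "
              f"line rate from ~{s['min_line_rate_frame_bytes']:.0f}-byte frames upward")
```

Under these assumptions a 4.5 Bpps forwarding rate is within a few percent of 64-byte line rate (about 69-byte frames and up), while 2.4 Bpps only reaches line rate from roughly 147-byte frames upward; both boxes can fill the same 100G ports with large packets, which is why the Tbps figure looks identical.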



Question about Software Defined Networking? (SDN)

How would software defined networking integrate with an already established network along with any protocols that are being utilized? Or would software defined networking eclipse the current network?

Hardware:

  • Servers
  • Routers
  • Switches

Protocols:

  • SNMP
  • DHCP
  • FTP
  • TCP
  • POP
  • SFTP
  • SSL
  • etc.

Would SDN affect these protocols or possibly the version being used?

Network Example

  • Centrally controlled servers
  • Domains (Capable with new technology)
  • Active Directory
  • Routers
  • Switches

Network Policies

  • Access Control List

Would there be any changes in network policies?



Anybody using Dell x1018POE switches?

I've got a handful of these switches deployed and I'm getting frustrated at the lack of diagnostics/information available. I don't see where I can look at the interface statistics for individual interfaces to see if there are any errors, etc.

Can someone clue me in?



Bottlenecks on a network (best practices?)

Hello everyone,

I wanted to just clarify where bottlenecks occur on a network. Hypothetically, I have a router with a gig port, where all of the routing tables sit, and I have my backbone switch connected up to that port (with all of the other switches patched to that backbone switch). Does that mean I will only have 1 gig of transit between the disparate private subnets?

I assume the traffic HAS to pass through the router in order to pass packets to the other private subnets, even if it is on the same subnet? What is the best practice to achieve maximum local transit is more what I'm asking.



Capacity of 288 strand fiber single mode?

Exactly what the title says. I am having trouble finding out the practical capacity of a 288 strand single mode fiber line, like the ones for backbones and for rolling out to connect universities. I am looking to become more knowledgeable with this medium as I explore community broadband for my local town.

Thanks in advance.



Friday, January 5, 2018

Juniper playing hard-to-get on MXR-2

Hey all. I have an old Trapeze MXR-2 WLC that I’m trying to get a more recent firmware for. I can see the versions in Juniper’s download page, but my login doesn’t have access to them. I went through the normal steps of contacting our VAR, requesting a support agreement with Juniper, to find that they won’t provide one because the device is EOL and EOS. Tried to escalate with Juniper to be denied by a broken record manager.

How is one to update the firmware when the manufacturer locks out all options?



BGP prefix / AS monitoring for enterprise

I'm exploring the BGP monitoring options available for the enterprise and looking for real-world experience and suggestions. The initial goals are real-time and historical prefix and AS monitoring with alerts for unexpected changes based on a variety of user-defined metrics.

I've played with a free BGPMon account, and plan to look at Thousand Eyes. I've whipped up PoC scripts to query the REST interface for RIPEStat. I'm looking into the Isolario project.

What options have you all tried, and what are you happy with? Cost is a consideration, but we're not afraid to spend when we can demonstrate ROI.



Made a new tool to give Netbox's IPAM some state info - Looking for feedback

http://ift.tt/2COD1Ej

It's helpful for me today, and I was wondering if it might be helpful for anyone else considering Netbox for IPAM. It needs some obvious work, including handling some edge cases and performance is a real dog right now. Python and programming generally is not my strength, so if anyone wants to make a pull, feel free.

Advice, comments, vitriol... it's all welcome! Let me know your thoughts and have a great day, everyone!



Cellular modem/routers with Verizon SIMs. Each SIM has both a "Gateway IP" and an "IPv4" IP addresses (both are IPv4)

Trying to build a GRE tunnel between routers. Verizon gave us static IPs. Are these SIMs hard-coded to only talk to the SIM with the gateway IP?



Cisco Wireless issue w/ Network devices that aren't PCs.

I'm... not the most versed network admin... but I was handed the network and need to resolve it... and Google-fu has left me high and dry.

Essentially I have an ASA handing out 60 vlans, to a switch stack of Cisco C3650s and a few 1702I access points.

On the network, PCs work great, wifi and wired. However... wireless printers, Sonos, Google Home, Chromecast, any IoT device has issues. They don't see the cell phones on the network that control them, or the iPads.

I can't seem to narrow down what could be the cause, but it's across all the vlans... (This is a residential managed wifi deployment... it was from the person previously in this position; going forward we've been using Ruckus/Brocade systems w/o issue in this type of environment. I'm just... Cisco stupid.)



Running two firewall devices

A site at the moment has a bog standard fibre device from the ISP which has services such as DNS, DHCP, firewall etc. I am upgrading this to a full enterprise Draytek firewall so we can get all the above features with the added security and IPSec VPNs; however, I've never installed one from fresh, only configured existing ones.

My question is, is there a reason why I can't keep the existing device in place, disable the services on it so it just acts as a router, and then place the new firewall off that one?

So it'll go Fibre -->-- Old Device -->-- New Draytek -->-- Internal Network



Meraki AP SSID VLAN issue.

I'm having issues with VLANs per SSID. I can connect to an SSID that has no VLAN tag, and everything works. If I connect to an SSID that has a VLAN tag, the DHCP request does not make it to the FW. I can see the DHCP request leaving the AP with the correct VLAN tag, but I never see it hit the firewall.

Right now I am testing having a laptop connect to an SSID with VLAN 50. On a support call with Meraki they could see the Discover packet leave the AP with the VLAN 50 tag, but they couldn't see it reach the Meraki firewall.

Overview of the network: FW <> SW01 <> SW02 <> AP

I've copied the config for the ports below.

FW to SW01

LAN 1: enabled, trunk
Native VLAN: VLAN 10
Allowed VLANs: VLAN 10, VLAN 50, VLAN 60, VLAN 99, VLAN 230

SW01 to FW

interface GigabitEthernet0/2
 description TEMP UPLINK SHL_FW0001,DIRECT,Meraki-MX60
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,50,60,99
 switchport mode trunk
 spanning-tree portfast disable
 ip dhcp snooping trust
end

SW01 to SW02

interface GigabitEthernet1/1
 description SHL-NS0201,DIRECT,FIBER,UPLINK
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,50,60,99
 switchport mode trunk
 ip dhcp snooping trust
end

SW02 to SW01

interface GigabitEthernet1/1
 description SHL-NS0001,DIRECT,FIBER,UPLINK
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,50,60,99
 switchport mode trunk
 ip dhcp snooping trust
end

SW02 to AP

interface GigabitEthernet0/19
 description AP19
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,50,60,99
 switchport mode trunk
 spanning-tree portfast disable
end
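One way to check a path like FW <> SW01 <> SW02 <> AP mechanically, as an added example that is not part of the post and not a Meraki or Cisco tool: parse each trunk's native VLAN and allowed list (IOS `switchport trunk ...` lines or the Meraki dashboard's "Native VLAN ... Allowed VLANs" summary) and report which VLANs are allowed on every hop, which are allowed on only some hops, and whether the native VLAN agrees. The sample path below is constructed from the five configs in this post; the hop names are labels I chose.

```python
import re

# Constructed sample: the five trunks from this post, in path order FW -> AP.
# The FW entry is a Meraki dashboard summary; the rest are IOS interface lines.
PATH = [
    ("FW LAN 1", "Native VLAN: VLAN 10 Allowed VLANs: VLAN 10, VLAN 50, VLAN 60, VLAN 99, VLAN 230"),
    ("SW01 Gi0/2", "switchport trunk native vlan 10\n switchport trunk allowed vlan 10,50,60,99\n switchport mode trunk"),
    ("SW01 Gi1/1", "switchport trunk native vlan 10\n switchport trunk allowed vlan 10,50,60,99\n switchport mode trunk"),
    ("SW02 Gi1/1", "switchport trunk native vlan 10\n switchport trunk allowed vlan 10,50,60,99\n switchport mode trunk"),
    ("SW02 Gi0/19", "switchport trunk native vlan 10\n switchport trunk allowed vlan 10,50,60,99\n switchport mode trunk"),
]
ALL_VLANS = set(range(1, 4095))


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,50-52,99' (or 'all'/'none') into a set."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_trunk(text):
    """Return (native_vlan, allowed_vlans) from an IOS interface block or a
    Meraki-style 'Native VLAN: ... Allowed VLANs: ...' line."""
    m = re.search(r"(?:switchport trunk native vlan|Native VLAN:\s*VLAN)\s*(\d+)", text, re.I)
    native = int(m.group(1)) if m else None
    m = re.search(r"switchport trunk allowed vlan(?: add)?\s+(all|none|[\d,\-]+)", text, re.I)
    if m:
        allowed = expand_vlan_list(m.group(1))
    else:
        m = re.search(r"Allowed VLANs?:\s*(.+)", text, re.I)
        allowed = {int(v) for v in re.findall(r"\d+", m.group(1))} if m else set()
    return native, allowed


def path_report(path):
    """Compare every trunk on the path: native VLANs, VLANs allowed end to end,
    and VLANs allowed on some hops but not others (with the hops lacking them)."""
    natives = {name: parse_trunk(cfg)[0] for name, cfg in path}
    allowed = {name: parse_trunk(cfg)[1] for name, cfg in path}
    common = set.intersection(*allowed.values())
    union = set.union(*allowed.values())
    partial = {v: [n for n in allowed if v not in allowed[n]] for v in sorted(union - common)}
    return {"natives": natives, "end_to_end": common, "missing_on": partial}


def vlan_missing_on(path, vlan):
    """Hops on which a given VLAN is absent from the allowed list."""
    return [name for name, cfg in path if vlan not in parse_trunk(cfg)[1]]


if __name__ == "__main__":
    r = path_report(PATH)
    print("native VLANs:", r["natives"])
    print("allowed end to end:", sorted(r["end_to_end"]))
    for v, hops in r["missing_on"].items():
        print(f"VLAN {v} missing on: {', '.join(hops)}")
    print("VLAN 50 missing on:", vlan_missing_on(PATH, 50) or "no hop")
```

For the configs in this post the script reports VLAN 50 allowed on every hop and only VLAN 230 inconsistent (present on the MX side, absent on all four switch ports). What it cannot see is whether each switch actually has VLAN 50 created in its VLAN database: an allowed list may name a VLAN that does not exist locally, and frames for it are dropped on that switch, so `show vlan brief` on SW01 and SW02 is the next check when the trunk lists look clean.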


Questions about tuning IOS for iSCSI

I inherited this situation, I know it's wrong :)

Setup:

  • 2x ToRs, both Catalyst WS-C3560G-48TS-S running IOS 12.2(35)SE5 fc1 and 12.2(55)SE9 fc1
  • 4x ESXi 6.0 hosts, which split their NICs roughly 50/50 between ToRs
  • All ESX hosts allocate minimum 2x1GbE ports to iSCSI
  • 1x Nimble storage array, all NICs split 50/50 between ToRs
  • All iSCSI ports are on private vlan and directly connected to ToR switchports. No iSCSI traffic traverses trunks (at least as far as I can tell)

Problems/Symptoms:

  • Symptom reported: performance craters intermittently on certain high-I/O VMs.
  • Network-level issues observed: very high output drops (>600k total, >3k/hr) on iSCSI switchports. All other interface counters were zero or normal. These interfaces do not show high traffic/saturated in NMS.

I suspected microbursts per /u/VA_Network_Nerd's many excellent posts I found while searching. I also read about flow control, QoS, and a few other things.

What I did:

  1. Forklift upgraded the whole stack to 10Gb+ haha yeah right, this is K12 and e-rate isn't what it used to be
  2. Manually balanced high-I/O VMs across ESXi hosts to spread storage traffic across as many NICs as possible
  3. Gave the two "main" ESX hosts two more NICs each in their iSCSI vSwitch (4x1GbE total for each host)
  4. Set DRS to manual so VMs don't end up lopsided again
  5. Enabled Rx flowcontrol on all iSCSI switchports and verified vmnics now show it enabled

Current situation:
After all the above, I cleared counters and show fewer output drops on iSCSI interfaces; either zero or < 100/hr avg. Still waiting on end-users for VM performance feedback.

Questions:

  1. I understand output drops usually result from congestion. Is there a way to ensure they definitely are not coming from other sources like hardware fault or misconfiguration?
  2. Is there a generally acceptable rate of output drops for iSCSI traffic?
  3. As I understand it, QoS only helps when multiple types of traffic traverse a link, and provides a way to decide which of that traffic gets dropped when congested. In my case, would QoS provide any benefit?
  4. Based on VMware's defaults, and Nimble's deployment considerations, I enabled Rx flow control on all iSCSI interfaces. Is this still advisable?
  5. Might tuning buffers help?
  6. Any other suggestions for tuning iSCSI here, other than adding bandwidth?


Configure 3 SonicWALLs for MPLS Traffic

I've found lots of documents about how to set up two sites with SonicWALLs for MPLS, but haven't found any for setting up three sites.

All three MPLS IPs are on different subnets.

When adding, say X4 as the MPLS interface, what do I need to put for the gateway address on each of those? That's where I'm getting hung up. I know to make MPLS zone, make it trusted, and add routes between the locations, but what do I put as the gateway address for each?



Cisco Nexus MTU issue

Hi All,

Got a weird issue which I am after some help on. I have two Cisco N5K switches in location A, let's call them A1 and A2, connected to a Catalyst stack in location B (B1 and B2).

There is a single link connecting the two, from a trunk port on A2 to a trunk port on B2.

I created SVIs on each switch on the same vlan, testing ping connectivity between all the switches, and all is successful. However, if I increase the packet size above 250 bytes, I get some weird behaviour, here are the results:

  • Switch A1 to A2 (300 bytes+) - success
  • Switch A1 to B1 (300 bytes+) - failure
  • Switch A1 to B2 (300 bytes+) - failure
  • Switch A2 to B1 (300 bytes+) - success
  • Switch A2 to B2 (300 bytes+) - success

The thing that is baffling me is that for traffic to get from A1 to B1, it has to pass through A2, yet A2 is able to ping both A1 and B1 up to 1450 with no issues.

Pinging back the other way from the other side of the link I encounter the same issue. Everything is able to ping fine up to around 250 bytes, then after this point everything works fine except pings to A1, and any clients connected to A1.

I checked MTU sizes with a sh run all, and all interfaces are set at 1500.

I'm a bit stumped as to where to go from here, suggestions greatly appreciated.



working exploit released for CVE-2017-6737 - Cisco SNMP Remote Code Execution via SNMP readonly

FYI: if you still use telnet, or do not have ACLs on your SNMP interface, now is a good time to lock it down.

http://ift.tt/2AwPcje

Tested with an ISRg1 router, a 2811, with recent code.
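A small audit for the two hardening points the post raises (SNMP communities without an ACL, and vty lines that still accept telnet), added here as an example and not part of the post or any Cisco tooling. It scans a pasted IOS running-config; the configuration below is a constructed sample, and the community names, ACL names and addresses in it are made up.

```python
import re

# Constructed sample running-config fragment (not from the post or any real device).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community monitor RO 99
snmp-server community netops view cutdown RO SNMP-MGMT
access-list 99 permit 10.1.1.5
ip access-list standard SNMP-MGMT
 permit 10.1.1.0 0.0.0.255
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# snmp-server community <name> [view <view>] RO|RW [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)? (?P<mode>RO|RW)(?: (?P<acl>\S+))?\s*$",
    re.M,
)


def audit_snmp_communities(config):
    """Flag v1/v2c communities that carry no access list: any source that can
    reach UDP/161 on the device may use them."""
    findings = []
    for m in COMMUNITY_RE.finditer(config):
        if m.group("acl") is None:
            findings.append({"community": m.group("name"), "mode": m.group("mode"),
                             "issue": "no ACL restricting SNMP sources"})
    return findings


def audit_vty_transport(config):
    """Flag vty groups whose 'transport input' allows telnet (or 'all'), and
    groups with no explicit 'transport input', where the platform default
    applies and should be verified rather than assumed."""
    findings = []
    for block in re.split(r"^(?=line vty )", config, flags=re.M):
        if not block.startswith("line vty"):
            continue
        header = block.splitlines()[0]
        m = re.search(r"^\s*transport input (.+)$", block, re.M)
        if m is None:
            findings.append({"line": header, "issue": "no explicit transport input"})
        else:
            methods = m.group(1).split()
            if "telnet" in methods or "all" in methods:
                findings.append({"line": header, "issue": f"telnet allowed ({' '.join(methods)})"})
    return findings


def audit(config):
    """All findings for one config, SNMP first then vty."""
    return audit_snmp_communities(config) + audit_vty_transport(config)


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

On the sample this reports the `public` community (no ACL) and `line vty 0 4` (telnet permitted); `monitor` and `netops` pass because an ACL follows the mode keyword. The ACL regex only checks that something is referenced, not that the referenced list exists or is sane, so pair it with a look at the ACL bodies.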



Round explicit web robin proxy?

Currently we use explicit web proxy servers to handle browser traffic from our desktops. The proxy DNS name only returns a single IP when queried from DNS, and we use topology records to keep users resolving the closest proxy server. With rising traffic demands we are looking to add an additional proxy at one site. Has anyone experienced problems with DNS round robin for web proxy servers? I know the TCP session will stick to a proxy server until the session is torn down due to idle or other reasons, but the next TCP session may get a new IP resolution from DNS when the TTL expires. I don't think the Internet-facing IP of user sessions on these two proxy servers would be a huge concern for major websites.



server being shunned?

Good afternoon,

One of my servers is constantly getting shunned by our ASA. I have no idea why. I have run virus checks on it, I have checked to see what processes are running. It comes back clean and I see nothing dodgy running.

It's an old 2003 box. (A situation where the owner doesn't see the need to upgrade, it's painful.)

Anyway. I was thinking perhaps I could use Wireshark to see what traffic is causing this server to be shunned. The problem is, once I start a capture I am not really sure what I am looking for. Any hints?



Can't discover server at remote location

I am working with two physical locations connected via VPN.

From A I can ping everything at B by IP address and hostname.

From B I can ping everything at A by IP address and hostname.

I have a 2016 file server at B which is 100% accessible from A by IP, hostname, share name, everything.

The only thing I can't do is browse to the machine under Network (network discovery) from a machine at A - though I can browse to it from any machine at B.

I can browse to discovered machines at A from any machine at B, and I can browse to every machine at B from A except for this one.

All of the Network Discovery services are active and working (since I can discover this machine from any other machine at B), it is just this one machine which can't be discovered from A.



Packet Slicing - Length?

Greetings, I'm working on a project where I need to span all data from a vmware vds switch to a packet capture device. Since the capture appliance is a few hops away, I want to use ERSPAN. VMware VDS allows ERSPAN and also has the option to slice packets at a determined length (mirrored packet length). The default length is 60 bytes. If I'm only interested in source/destination IP address and source/destination port/protocol, how can I determine the lowest possible packet length? My goal is to minimize bandwidth usage and make this as efficient as possible. Thanks!
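The slice length needed for the 5-tuple follows from header layout: Ethernet is 14 bytes (18 with an 802.1Q tag), the IPv4 header is 20 bytes without options (its IHL field gives the real length), and the source and destination ports are the first 4 bytes of both TCP and UDP headers. The script below, an added example rather than anything from the post or from VMware, builds constructed IPv4/TCP frames with and without a VLAN tag and IP options, computes the minimum slice for each, and shows that the 5-tuple can still be read from the truncated frame. Addresses, ports and MACs in it are made up.

```python
import struct

ETH_HDR, VLAN_TAG = 14, 4
ETHERTYPE_VLAN, ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x8100, 0x0800, 0x86DD
PROTO_TCP, PROTO_UDP = 6, 17


def _l3_offset(frame):
    """Return (offset of the L3 header, ethertype), skipping a single 802.1Q tag."""
    etype = struct.unpack("!H", frame[12:14])[0]
    off = ETH_HDR
    if etype == ETHERTYPE_VLAN:
        etype = struct.unpack("!H", frame[16:18])[0]
        off += VLAN_TAG
    return off, etype


def _l4_offset(frame):
    """Return (offset of the L4 header, ip version, protocol). IPv6 extension
    headers are not followed; only a bare IPv6 header is handled."""
    off, etype = _l3_offset(frame)
    if etype == ETHERTYPE_IPV4:
        ihl = (frame[off] & 0x0F) * 4          # header length including options
        return off + ihl, 4, frame[off + 9]
    if etype == ETHERTYPE_IPV6:
        return off + 40, 6, frame[off + 6]      # fixed 40-byte header, next-header field
    raise ValueError("not an IP frame")


def min_slice_len(frame):
    """Bytes from the start of the frame that keep both IP addresses and both
    L4 ports; ports occupy the first 4 bytes of a TCP or UDP header."""
    l4, _, proto = _l4_offset(frame)
    if proto not in (PROTO_TCP, PROTO_UDP):
        raise ValueError("protocol without ports")
    return l4 + 4


def five_tuple(frame):
    """(src, dst, proto, sport, dport) from a full or sliced frame."""
    l4, version, proto = _l4_offset(frame)
    off, _ = _l3_offset(frame)
    if version == 4:
        src, dst = frame[off + 12:off + 16], frame[off + 16:off + 20]
    else:
        src, dst = frame[off + 8:off + 24], frame[off + 24:off + 40]
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return src.hex(), dst.hex(), proto, sport, dport


def build_ipv4_tcp_frame(vlan=None, options=b"", payload=b"x" * 100):
    """Constructed sample frame (not captured traffic): 10.0.0.1:40000 -> 10.0.0.2:443."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total = ihl * 4 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, PROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    for label, frame in (("untagged", build_ipv4_tcp_frame()),
                         ("802.1Q tagged", build_ipv4_tcp_frame(vlan=50)),
                         ("4 bytes of IP options", build_ipv4_tcp_frame(options=b"\x01" * 4))):
        n = min_slice_len(frame)
        print(f"{label}: slice to {n} bytes ->", five_tuple(frame[:n]))
```

So 38 bytes is the floor for untagged IPv4 with no options, 42 with a VLAN tag, and up to 78 if a sender uses the full 40 bytes of IP options; keeping the whole 20-byte TCP header (flags, for SYN/RST counting) needs 54 bytes untagged. Whatever slice you pick, the mirror port's traffic should be checked for tags and options before trusting the minimum.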



Communicate Between vLANs Without Impacting Primary Router

Let's say I want to get a little crazy and create a bunch of vLANs to segregate different types of equipment:

  • Printers
  • IoT devices
  • Mobile Devices
  • Servers
  • Desktops

Of course each of these segments should be able to communicate with other segments over specific ports. That means I need to use my router to manage all the routes and open ports between the segments. Because I'm sending a lot of ordinary LAN traffic (like print jobs) between vLAN segments, it means my router has to do a lot more work than it does now.

Is this really something to worry about?

I could use a secondary, internal router to route between vLAN segments, but I'd need a way to tell all the devices to route through that router for those destination networks (other than adding static routes to every device).

This is more of a theoretical question, so I'm intentionally not talking about specific equipment or network sizes. Assume under 250 total devices though.



Rack Comparison APC netshelter vs HPE enterprise

Has anyone been able to compare these 2 options in person? We currently have open freestanding 2 post racks in pretty much all IDF locations, for ease of cabling. These have 2-3 switches and about 300 cables in each. We're bringing up 5 new IDFs in a facility expansion and it's been requested that we spec enclosed racks for these. The suggestion was to use the HPE racks that we use for servers, but the idea of putting a lot of cables into those is tantamount to torture. I'm hoping the APC is better, as it seems to have a pretty good reputation around here and /r/sysadmin.

We would be racking about six 48 port patch panels, three 48 port switches, at least 1 (probably 2) rackmount UPSs, some analog PA equipment like an amplifier, etc, and possibly other equipment like a NAS or who knows what else. I'm sure that there's going to be a heat issue thanks to a 500w+ amplifier in each cabinet. Front side cable management is a must.

I'm trying to make a case for the APC, or something else besides the HP cabinets, and looking for recommendations for something that's more friendly to large amounts of cabling.

HP rack spec sheet - http://ift.tt/2EcIVvf

APC netshelter link - http://ift.tt/2b0evij

Thanks!



Will a new submarine cable significantly impact latency?

Hello :)

I'm from Uruguay, and right now two submarine cables connecting Uruguay to Brazil (Tannat) and Brazil to the U.S. (Monet) are active.

The cables are owned by Antel (Uruguayan ISP), Google and other ones I can't remember right now.

So, as far as I know, this will allow Antel and the other owners to not rely on any other submarine cables when connecting to Brazil and the U.S., because they can use their own cables, or even sell their bandwidth.

Well, supposedly the cables are now active, but I didn't notice any significant improvement. I know my internet speed wasn't supposed to change, but I expected a latency improvement.


So my question is:

  • When I'm trying to connect to a server that is in the U.S., how is the shortest/most efficient route calculated?
  • Who calculates it? Does it depend entirely on my ISP?
  • I assume the most efficient route is now through that cable... Am I wrong?
  • Even if the route changed, and now goes through the cable... Is it possible that my latency to that server stays pretty much the same, just for geographical reasons?

Sorry for bad English just in case :) Thanks for reading



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post along with a nice description to this thread.



Cannot view updates when I physically remove the interface from the router

I have an HP MSR series router. When I connect to the router via aux, I get updates when an interface goes down. But when I access the router via telnet, the router doesn't show live updates when an interface goes down. I hope there is a command to rectify this.



Thursday, January 4, 2018

Dealing with DNS spoofing in China

Started getting complaints from customers in China they can't access our website, or in some cases get redirected to Facebook. So I fired up a couple ThousandEyes mainland China cloud agents and see rather than the normal AWS elastic IPs, anything in one of our sub-domains is resolving to these IP blocks:

  • 31.13.65.0/24 (owned by Facebook...yep https://31.13.65.17/ even has a valid FB cert)
  • 173.252.96.0/19 (owned by Facebook)
  • 69.63.176.0/21 (owned by Facebook)
  • 199.16.156.0/22 (owned by Twitter)

Oddly, hostnames in our parent domain resolve just fine. So this is clearly a per-domain override they're doing. Hong Kong and Taiwan also are not affected, nor is anywhere else in Asia.

Anyone seen this and worked around it? I've suggested bribes but only have $45 cash in my wallet and don't speak Mandarin.
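A way to turn multi-vantage-point resolution data into an alert, added here as an example and not from the post or ThousandEyes: for each name, take the answer set most vantage points agree on, flag any vantage point that disagrees, and label the divergent answers against the prefixes this post lists. The observations and the "expected" prefix below are constructed (the documentation range 203.0.113.0/24 stands in for the real AWS elastic IP ranges, which are not on this page); only the four Facebook/Twitter blocks come from the post.

```python
import ipaddress
from collections import Counter

# Blocks the post saw answers land in, with the owner the post gives for each.
UNEXPECTED_BLOCKS = {
    "31.13.65.0/24": "Facebook",
    "173.252.96.0/19": "Facebook",
    "69.63.176.0/21": "Facebook",
    "199.16.156.0/22": "Twitter",
}
# Placeholder for where the records should resolve (constructed, not the real EIPs).
EXPECTED_PREFIXES = ["203.0.113.0/24"]

# Constructed observations: name -> vantage point -> list of A record answers.
OBSERVATIONS = {
    "app.sub.example.com": {
        "frankfurt": ["203.0.113.10"],
        "singapore": ["203.0.113.10"],
        "shanghai": ["31.13.65.17"],
        "beijing": ["199.16.156.40"],
    },
    "www.example.com": {
        "frankfurt": ["203.0.113.20"],
        "shanghai": ["203.0.113.20"],
    },
}


def label_answer(ip):
    """'expected', 'unexpected (<owner>)' for a listed block, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(p) for p in EXPECTED_PREFIXES):
        return "expected"
    for prefix, owner in UNEXPECTED_BLOCKS.items():
        if addr in ipaddress.ip_network(prefix):
            return f"unexpected ({owner})"
    return "unknown"


def consensus(answers_by_vp):
    """The answer set reported by the largest number of vantage points."""
    return Counter(frozenset(a) for a in answers_by_vp.values()).most_common(1)[0][0]


def spoofing_report(observations):
    """name -> {vantage point: [(answer, label), ...]} for vantage points whose
    answers differ from the consensus. Names with full agreement map to {}."""
    report = {}
    for name, by_vp in observations.items():
        base = consensus(by_vp)
        report[name] = {
            vp: [(a, label_answer(a)) for a in answers]
            for vp, answers in by_vp.items()
            if frozenset(answers) != base
        }
    return report


if __name__ == "__main__":
    for name, divergent in spoofing_report(OBSERVATIONS).items():
        print(name, "OK" if not divergent else divergent)
```

Consensus across vantage points is what separates a per-region override like the one described from a plain CDN or GeoDNS difference: a CDN returns different but expected addresses, whereas an override returns addresses in someone else's space. Checking the parent domain alongside the sub-domain, as the post does, is a cheap way to confirm the scope of the override.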



Does Cisco also release test reports of hardware/software?

I'm asking this question because our test team is saying that they want to test everything. Even when we go from 16.04 to 16.05 they do BGP testing, CDP, ISIS, HSRP etc etc. Can't imagine Cisco releasing software where you cannot create a BGP session or where plain CDP isn't working. Your thoughts? (Not talking about bugs inside features, but features as a whole.)



What type of bag are you using?

Following on from What's in your backpack?, what kind of bag/backpack are you using?

I'm still slinging an old HP laptop bag that weighs a ton and just doesn't want to break. But I've had a hard time getting a bag that holds up or is easy to transport.



How to best broadcast/stream rotating information to ~100 different TVs in different states

Hopefully this is the right place to ask this; if there's a better place please point me in the right direction.

I work for a mid-size retail company with ~100 stores in different states. Each store has a TV with the following specifications:

  1. HDMI or USB. Sometimes both
  2. None of the TVs are smart TVs
  3. Each TV currently hangs in the store displaying local channels

We'd like to:

  1. display a set of rotating promotions on each TV instead of the TV channels
  2. This set of promotions would be controlled from the home office.
  3. Ideally our marketing team would update one central file or interface and then have that update to each TV
  4. Wifi is available in each location

Something as simple as a PowerPoint being shown on each TV would meet the business needs. Is there any way to do this without spending an arm and a leg? For example, I thought of using a Raspberry Pi as a cheap mini-computer in conjunction with something like

www.rasplex.com



Level 3 issues?

Have you guys had any problems this afternoon? Our 3 offices that use L3 as a primary had problems routing to several services starting about 1:30 PST



Load-balancing over unequal bandwidth

I work with licensed microwave links which have different bandwidth capabilities depending on model, frequency, spectrum availability, etc. This makes load-balancing across multiple links more difficult, since most protocols want to assume they are all the same speed. The only protocol I know of that takes bandwidth into account is EIGRP, which is proprietary to Cisco equipment. Is there another way to do this besides EIGRP which will work with a wide variety of equipment and vendors?

Here is an example of one of the topologies I am currently working with: diagram In this situation, if I use OSPF or LACP to pass traffic over all 5 of these links, it will assume the traffic should be split evenly among them. This will cause issues once they all approach 250 mbps, since 2 of the possible paths will start dropping packets.

I was able to come up with a solution by assigning a proportional number of VLANs to each link. This diagram shows how they were split up using 50 mbps as a common denominator. I can run OSPF on each of the 36 VLANs, which will share the traffic roughly evenly between them, but more of those VLANs will pass over the links with higher capacity. The issue with this is a limitation on the number of ECMP routes allowed by some equipment. I currently have some Layer 3 switches that only allow 4 ECMP routes between the same endpoints. Others may have higher limits, but if I add an additional planned 600 mbps link between these devices, it will require 48 ECMP routes.

It seems like there should be another solution out there without having to be limited to a single vendor like EIGRP/Cisco. The current Layer 3 switch I am using between these sites is an HP/Aruba 3810M. I have been impressed with the price/performance/features of these switches so far, except for the limit of 4 ECMP routes. A solution which can work with these switches would be ideal. Thank you.
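The proportional-VLAN scheme the post describes is a small arithmetic problem, and it is worth seeing how quickly the ECMP count grows and what coarsening it costs. The script below is an added example, not the author's or HP/Aruba's code. The five link capacities are constructed to match the post's description (36 VLANs at a 50 Mbps unit, so 1800 Mbps total; a 600 Mbps link pushes it to 48), not the real links. `vlan_split` reproduces the gcd-based split; `coarsen` and `load_ratio` go beyond the post by searching for a larger unit that fits a platform's ECMP limit and reporting how much each link is over- or under-subscribed as a result.

```python
from functools import reduce
from math import gcd

# Constructed link capacities in Mbps; one set that fits the post's numbers.
LINKS = [250, 250, 300, 500, 500]


def vlan_split(link_mbps, unit=None):
    """VLANs (equal-cost paths) per link so traffic spreads in proportion to
    capacity. With unit=None the gcd of the capacities is used, which is the
    exact split with the fewest VLANs. Returns (unit, counts)."""
    if unit is None:
        unit = reduce(gcd, link_mbps)
        return unit, [c // unit for c in link_mbps]
    # A coarser unit: round half up and never give a link zero paths.
    return unit, [max(1, int(c / unit + 0.5)) for c in link_mbps]


def ecmp_routes_needed(link_mbps, unit=None):
    """Total equal-cost routes the split requires between the two endpoints."""
    return sum(vlan_split(link_mbps, unit)[1])


def load_ratio(link_mbps, counts):
    """Per link: offered load divided by capacity when total demand equals total
    capacity. 1.0 is exact; above 1.0 the split over-subscribes that link."""
    total_cap, total_cnt = sum(link_mbps), sum(counts)
    return [round((n / total_cnt) * total_cap / c, 3) for n, c in zip(counts, link_mbps)]


def coarsen(link_mbps, ecmp_limit):
    """Smallest unit (a multiple of the gcd) whose rounded split fits the ECMP
    limit, or None when even one VLAN per link already exceeds it.
    This search is an added heuristic, not something the post describes."""
    base = reduce(gcd, link_mbps)
    unit = base
    while unit <= max(link_mbps):
        u, counts = vlan_split(link_mbps, unit)
        if sum(counts) <= ecmp_limit:
            return u, counts
        unit += base
    return None


if __name__ == "__main__":
    unit, counts = vlan_split(LINKS)
    print(f"exact split: unit {unit} Mbps, VLANs per link {counts}, total {sum(counts)}")
    print("with a 600 Mbps link added:", ecmp_routes_needed(LINKS + [600]), "routes")
    for limit in (16, 4):
        result = coarsen(LINKS, limit)
        if result is None:
            print(f"ECMP limit {limit}: impossible, {len(LINKS)} links need at least one path each")
        else:
            u, c = result
            print(f"ECMP limit {limit}: unit {u} Mbps, VLANs {c}, load ratios {load_ratio(LINKS, c)}")
```

With these capacities an ECMP limit of 16 is reachable with a 150 Mbps unit (12 routes), at the price of sending the 250 Mbps links 20% more than their share; a limit of 4 cannot be met at all with five parallel links, since each needs at least one path. That is the arithmetic behind the post's complaint about the 4-route limit: below one route per link, no VLAN trick helps, and weighted ECMP or a bandwidth-aware protocol is the only way to keep all links in use.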



Ansible or Python for Network Automation

I'm pretty good at Python, and I have done some things with Netmiko, etc. I'm looking to automate config templates, config pushes, etc. I can do all this with Python and Jinja2 templates, but I'm wondering if Ansible is the way to go long term as no one else on my team really knows Python coding.

I'm just looking for new thoughts and opinions as we enter 2018.



Meltdown/Spectre Vulnerability Tracker

Hello All,

I'm putting together a list of vendors' responses to the Meltdown/Spectre vulnerabilities that were made known recently. If I missed a vendor, please feel free to add them here.

Public responses are preferred, but if you have to login to a support portal to find more details just mention it in your comments.

Vendor Responses:



FreeRADIUS/PacketFence or Aruba Clearpass?

Currently we have many different RADIUS servers for different uses, for example NPS for wireless 802.1x, FreeRADIUS for authenticating mobile users, another FreeRADIUS for device management, and then an OTP software that also has a built-in RADIUS server.

I'm thinking of consolidating these all to a single FreeRADIUS pair, but I guess I'd need PacketFence for 802.1x? We'd like to be able to do 802.1x in wired LAN also. With machine certificates stored in AD.

How do you manage such a cluster with many different uses? Every use case in a different FreeRADIUS virtual server? I tried playing around with FreeRADIUS + Active Directory, but it seems quite painful, as you need to add the server as an AD member (and we have a few different ADs I'd need to have the same server connected to).

Or should I just forget the open source idea and go with Aruba Clearpass?



Looking for vLan help. Novice networking, but long time as IT generalist. VM in nutanix not seeing

For reference:

Map: http://ift.tt/2CFk9qA

PasteBin: http://ift.tt/2lVwFaT

vSwitch Attempt: http://ift.tt/2CFLb14

(I create this post on the nutanix website. http://ift.tt/2lTLHhy)

Hi friends!

Learning networking, 20 years of IT.

I've set up a virtual bridge (bridge2) in Nutanix/Centos on nic 2 (eth1) which connects to a completely separate business router for demo/lab/test environments. It's to keep everything off production because of reasons (old software that will corrupt if sees it's own database on another network...).

I am able to ping the outside world & the router if I put the unmanaged switch (netgear) before the cisco and then over to the comcast router. If I use the vlan200 ports (12-19), it never sees the router.

My guess is it's a vlan issue where it's blocking traffic to the router because of level 2/3 maybe.

I've banged my head against it for 2 days and now need expert help. Going to post this before lunch so I can get my head away from it for a minute.

Any advice or clues would be great! Not looking for direct answer or something to solve for me (unless you're into that sort of thing), but trying to learn why vlan is blocking traffic.

I tried tagging vlan traffic 200 on nutanix/linux, but that didn't seem to help.

Thanks!



Creating a Interview Questions Sticky

Hi /r/networking my favorite sub. I was wondering if there would be any interest in creating a thread dedicated to interviewing? I can see through search history there are multiple threads on how to prepare or "ask me questions."

With many of you perhaps wanting a change of pace in 2018 and maybe starting to job hunt, I thought it would be a good idea to create an "Interview Questions Sticky" at various levels for us.

If you have a developer friend you know right now they use leet code to answer hundreds of questions to prepare for top tier tech companies. Similar idea.

With that, let's start hearing them. Once we have sufficient information and feedback, I'll pull the info together for a document. If this takes off and you have interest in helping me prepare the information, please let me know.

Please upvote good interview questions, and provide feedback if you feel questions submitted by other users aren't clear.



GNS3 users of /r/networking, how has the Intel CPU bug-patch affected performance?


Would you choose an Intel or Ryzen chip to be on your network after all this Intel vulnerability business?

Soooo....all Intel chips that fall into the affected categories will see a "3 - 28%" performance decrease post OS patch. Also, if you happened to be slightly compromised in some way then there's the potential for that patch to be lifted and be majorly compromised?? Yikes.

So I was going to order an i7 7700k. If you were in my shoes how many of you would go with the competing Ryzen chip instead??

Thanks for the thoughts on this on my upcoming build. Appreciate any insight and what else I can learn about this.



Help me with Juniper SRX 3400

Hi Guys,

I am a network engineer and I have touched firewalls in general, and in depth with Cisco ASA and Checkpoint.

But Juniper is a new beast to me; I have been digging a bit in a network that I need to master for a project. They use Juniper firewalls as external and internal firewalls.

I will probably have some seriously basic questions, but here I go. The design is that they have a cluster which spans 2 data centers. So the master is in DC1 and the slave is in DC2, and between them they have redundancy.

Am I correct in assuming the following: Redundancy Group 0 and 1 are for the control plane and data plane respectively? It's probably also 2 physical cables, spanned via a switch or an IP network between the 2 firewalls in the cluster?

We have VRRP running on our Cisco network if they need an SVI (layer 3 VLAN), but for a lot of VLANs the firewall is the layer 3 endpoint. So I have seen the following: for each VLAN you define an interface on the firewall (sub-interface), and you follow the VLAN naming convention as the interface naming convention. It's like running router-on-a-stick. I follow there, but the interface only has 1 IP.

So in HSRP or VRRP each interface on the device has an IP and they share a VIP. But in the Juniper firewall the IP is the same across the cluster, correct? Is the MAC also the same, or does the Juniper perform a gratuitous ARP during failover?

Is there a comprehensive guide to understand this fail-over scenario?

Thanks in advance.



GNS3 2.1.1 has been released.

Check out the announcement here and download your version here. Seems like a minor bug-fix release from 2.1, but if you're still on the older 1.x train, major new features of 2.1 include packet filters (packet loss, latency, jitter etc.) for links, node duplication and appliance templates can be installed from within the application.



Fiber channel switch - adding new servers?

Fiber channel switch newb here, no networking expertise or anyone who knows the FC switch.
I'm working with a qlogic sanbox 5800v and unfortunately I can't get GUI to work so I'm stuck to telnet/commands.
Anyone from experience know the basic steps for just adding servers so they can connect to the FC switch and the storage that's connected to the FC switch?
Am I supposed to create a "zone" for each HP server based on their server/host name, then add the WWN of each FC port that's on the HP server to the FC switch's "zone"?



How will the CPU news affect our networking devices?

go go go



Resources for learning some basic networking stuff?

First-year student here with an exam in a week's time on computer communications & networks. The exam will have 2-3 questions; an example of the type of question is as follows:

Two nodes A and B are connected by a store-and-forward switch, which is situated half-way between A and B. A wants to send a packet to B. If the packet size (or packet length) is L (bits), the transmission speed (or transmission rates) and the propagation speed on all the transmission links are R (bps) and S (m/s) respectively, the distance between A and B is D (m). Assuming that the processing delay and the queuing delay of the switch are dproc (s) and dq (s) respectively. Express the total end-to-end delay for A to transmit one packet to B in terms of L, R, d, dproc and dq. Indicate the units clearly.

Additionally, there are similar questions regarding transfer speeds, time taken eg

Following on from (a), if A wants to send a file of size F bytes to B, what is the total time taken for B to receive the complete file?

I AM NOT ASKING FOR ANSWERS!

I thought this might be the right place for some not-so-nooby individuals to help me find some great learning resources so I don't fail this test. Any help appreciated Reddit, thanks.



What's in your backpack?

Just wanted to see what y'all typically carry around with you in your backpack.

I get comments on the heft of my backpack often, which has all the goodies to complement my Pelican tool case.

Pictures here.

What essentials or oddball tools do y'all never leave home without?



Use ASA 5506 or core L3 switch as router

Hi,

I'm looking over the network at an industrial plant and have some questions. I'm quite inexperienced with this kind of stuff so please bear with me for being stupid.

Here's some background.

  • On the top, there's two core switches (HP 3800-48G-4SFP+).

  • Two (redundant) firewalls (Cisco ASA 5506-X) separate WAN from LAN. They are both connected to one (!) of the core switches.

  • Several L2-switches are connected as a star with the core switches in the middle. Hosts are connected either directly to the L2-switches or via other L2-switches. Some hosts are connected directly to the core switches as well.

In order to separate manufacturing traffic, I will create zones by means of VLAN. However, some traffic needs to pass between VLANs. The original thought was to use the ASA as default gateway and route between VLANs using access rules, where for example an office PC (e.g. 172.16.0.50, VLAN 10) needs to connect by RDP to a host in a certain manufacturing VLAN (e.g. 10.10.60.3, VLAN 60).

My questions:

  1. Would it be better to use an L3 switch, for instance one of the core switches, for routing?

  2. If so, how do you establish the connection between the hosts in the above example? Do you set up a static route in the switch from 172.16.0.50 to the ASA firewall, and in the firewall set up an access rule which permits RDP from 172.16.0.50 to 10.10.60.3? Of course with the VLANs properly set up in switch and firewall.

Thank you



Wednesday, January 3, 2018

What's the problem with having unmanaged switches hanging on your network?

I'm sure I'm asking for an ass-kicking with this question.. but I'm still learning.

I have several Dell N3048 switches on my company's LAN which servers and workstations connect to properly, etc. However, we have one building with a very tiny training room with 10 or so thin clients crammed together and very limited network jacks in this building... my solution (so far) is to use an unmanaged TP-Link gigabit ethernet switch to connect the thin clients to and then this switch also connects back to the building's managed switch.

Is this a problem at all? If so, can someone help educate me?



Websites for relevant IT news

Hi. I'm new to the networking/sysadmin industry and I was wondering if anyone could recommend interesting news websites about the subject or similar, so that I could have some good spare-time reading :) Thanks in advance.



HA Layer 3 Switches

Hey guys I'm wondering about something. How would I go about setting up HA for a set of layer 3 switches? Cisco preferably. I've never done it just curious about it.



Performance impact of x86 / intel CPU issues once PTI enabled on network hardware.

I expect a lot of you have heard about this fun little issue which now has a logo and webpage - http://ift.tt/2EOJNax

I'm interested in how the mitigation being put in place of page table isolation (PTI) is going to impact our network workloads - especially for those of us using NFV and virtual networking and firewalling. Could be enough of a performance hit to require some significant rework in the case of packet filtering and load balancing. Anyone aware of decent network benchmarks post PTI?



Things a network administrator can do with a programmable mouse

I was gifted this programmable mouse and I do not do any computer gaming. I am, however, interested in using the programmable keys as some network admin tool at work.

Any ideas on how this can be utilized? All I have come up with in the few hours I have had it is a copy button, paste button, and Show run | for my Cisco ASA work.

From my understanding, almost any macro or command can be programmed into each key. And don't just say "macro your passwords" ;-)



Hold my hand through some PAN-OS concepts?

A Palo Alto deployment project has fallen into my lap. I'm in unfamiliar territory, need my assumptions checked.

The basic topology looks like this:

HQ site

  • Single PA 820
  • Two "small business" style ISPs, each with a handful of static IPs (no BGP)
  • NAT traffic outbound with failover between ISPs
  • An IP SLA style scheme to validate ISP health, facilitate NAT failover
  • Speak OSPF with internal L3 devices
  • L2 firewall features to protect Internet-facing devices with IPs in the same subnet as the PA 820
  • GRE-in-IPSec to remote sites, one tunnel over each ISP
  • Speak eBGP to remote sites for tunnel selection
  • Speak sparse mode PIM on LAN and Tunnel interfaces

Remote sites

  • Single PA 220
  • Single "small business" style ISP with handful of static IPs (no BGP)
  • Two GRE-in-IPSec tunnels to PA 820 at HQ, one via each ISP at HQ.
  • Outbound NAT for internal users.
  • Handful of subnets/VLANs for internal users.
  • 802.1Q trunks to L2-only access switches.
  • L2 firewall features to protect Internet-facing devices with IPs in the same subnet as the PA 220

If I were building this GRE/IPSec scheme with Cisco routers, I'd probably do this:

  • Put each external interface on the HQ box into a dedicated VRF (ISP-A and ISP-B)
  • Use the tunnel vrf directive on the GRE interfaces so they'll be transported by the appropriate ISP.
  • Leak the default route from the external VRFs to the global table with IP SLA facilitating some twiddling of the admin distance.
  • Configure interface-based overload NAT on each ISP-facing interface.

I'm primarily interested in exploring the redundant ISPs, and NAT functions right now, since those are important foundations for the rest of the config.

What's the PAN-OS way of handling the two ISPs, GRE tunnels and NAT failover?

I really like the VRF (Virtual Router?) approach to handling the two ISPs at the HQ site; I would rather do that than fail a default route back and forth between providers.

It looks like I might wind up BGP peering between three virtual routers: an "internal" instance talking to one instantiated for each ISP. Is that the right approach? Is there something else I should consider?

Does my desire for L2 firewall features on the external interface change things? It'll probably be the last thing I configure, don't want to shoot myself in the foot with an early decision.



Best method to access remote office pc

We have a remote site that sometimes has issues with their PCs, like a laptop falling off the domain, and there is little I can do other than verbally talk the user through fixing it.

I am wondering if there was a good solution to have more physical connection to the machine ( KVM? ) where they could plug in the inputs for the laptop and I can have more direct control over the machine without relying on software.



[LPT] When interviewing for a networking job, if asked what is "ABC" -- where ABC is a common networking acronym -- do not respond with merely what it stands for.

If you are asked "What is ARP?", do not respond with "Address Resolution Protocol." Interviewers won't care that you know acronyms, they want to know whether you know what the protocol does, when it would be used, and its significance in the industry.



IPV6 /64 router crash?

I think this used to be an issue, but can you still crash a Cisco router that had a /64 on it? All you had to do was a syn/ping/etc. to all 18 trillion addresses and it would eat up the memory and eventually crash.

Is this still an issue?



How much should I charge these dingbats?

I’ve posted here before. I installed an IP/PoE 10-camera system for a small hotel/casino in the Caribbean. Later I returned to install a POS system for their restaurant. 2 months later the whole island was destroyed by hurricane Irma. The config was simple: LTE modem, Netgear router, 2 unmanaged switches. Someone knocked the switch off its shelf onto the floor and then the hotel flooded with 9 inches of water. The switch was submerged. After a couple of weeks they plugged everything in again and tried to get the POS to work. They couldn’t get anything to connect to the router WiFi. The password wouldn’t work, despite it being entered correctly.

All of the components were shipped back to me in the US and I couldn’t find a thing wrong, even with the flooded switch. I was planning to buy duplicate equipment and head down there to troubleshoot the whole system. They are on limited power and backup generators. I just found out the owner doesn’t want to send me down; instead he is sending his ‘smart enough to be very dangerous’ brother. I will assist him remotely to get the whole thing up and running again.

My concern is manifold. I don’t know if any of my cabling is damaged; is the power quality sufficient? The brother is the only guy down there and every call is interrupted by some ‘other business’ that comes up. “I’ll call you back in five minutes” is his response. This becomes twenty or thirty minutes, all with me waiting by my computer. We can only work at 6am, because the traffic capacity is so limited and saturated by 8am. I’ve tried to remote in, but the connections only last about 45 seconds.

If I was down there, I’d have the whole thing tested, fixed and figured out in a half a day or less. I hate working like this. If you were me, how much would you charge these guys for fixing this remotely? Also are there other tests I should be doing on the flooded switch? I just plugged my laptop into all the ports.



Gateway or Router

Can anyone recommend a good gateway router for a SMB? Just running 2 switches full internet access to all nodes, pbx and in the future VPN and branch connection between us and our other location (bidirectional antenna)



Dumb Question About ACL Ports

Hey,

I'm trying to lock down my Backup Server VLAN by only allowing the ports that Veeam Backup & Replication needs.

http://ift.tt/2h6usJ3

I'm not a network-savvy guy, so I have a question.

If the backup server to the hyper-v needs TCP 6160 will both the backup server and hyper-v server need to have TCP 6160 allowed?

EG in my switch the ACL is like this:

Source: 10.240.50.13 (backup server)

Destination: 10.240.80.0 (Server VLAN)

Source Port: 6160

Destination: 6160

Will both the source and destination be listening on 6160? Or would it be source 6160 and destination any?
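As an added illustration (not from the post), a small Python model of a stateless ACL that answers the question above: the entry as posted (source port 6160 and destination port 6160) never matches the real connection, because the backup server opens it from an ephemeral source port; only the destination port is fixed, and replies are covered by a separate "established" entry. The /24 on the server VLAN and the host 10.240.80.20 are assumptions; the post gives only 10.240.80.0.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Ace:
    """One access-control entry. A port of None means 'any'. 'established'
    matches only packets with ACK set, i.e. replies inside a connection that
    was opened from the other side (the usual Cisco ACL semantics)."""
    action: str
    src_net: str
    sport: Optional[int]
    dst_net: str
    dport: Optional[int]
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and not pkt.ack:
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


BACKUP = "10.240.50.13/32"      # backup server from the post
SERVER_VLAN = "10.240.80.0/24"  # mask is an assumption; the post gives only 10.240.80.0

# The ACL as described in the post: both source and destination port 6160.
ACL_AS_POSTED = [Ace("permit", BACKUP, 6160, SERVER_VLAN, 6160)]

# What the flow actually needs: the backup server picks an ephemeral source
# port, so only the destination port is pinned. Return traffic comes from
# port 6160 and is matched by 'established', so hosts in the server VLAN
# cannot open their own sessions towards the backup server.
ACL_FIXED = [
    Ace("permit", BACKUP, None, SERVER_VLAN, 6160),
    Ace("permit", SERVER_VLAN, 6160, BACKUP, None, established=True),
]

# Constructed packets for one TCP handshake between the backup server and a host.
SYN = Packet("10.240.50.13", 51234, "10.240.80.20", 6160, syn=True)
SYN_ACK = Packet("10.240.80.20", 6160, "10.240.50.13", 51234, syn=True, ack=True)
# A host in the server VLAN trying to open its own session to the backup server.
ROGUE_SYN = Packet("10.240.80.20", 6160, "10.240.50.13", 445, syn=True)


if __name__ == "__main__":
    for name, pkt in [("SYN", SYN), ("SYN/ACK", SYN_ACK), ("rogue SYN", ROGUE_SYN)]:
        print(f"{name:10s} as posted: {evaluate(ACL_AS_POSTED, pkt):6s} "
              f"fixed: {evaluate(ACL_FIXED, pkt)}")
```

On a stateful firewall only the first entry of ACL_FIXED is needed; on a switch ACL the two entries are applied in opposite directions, one per VLAN interface.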



1RU Front to Back Horizontal Cable Management for Cabinet

I have been looking at products like this one from APC http://ift.tt/2lOIMr7

That one may work fine but I was hoping to have something that went all the way from front to back to support the cables inside the rack. I have looked at other products from leviton and mid atlantic but nothing too different from the one I linked unfortunately.

Hopefully some of you datacenter gurus have something I haven't seen yet. It needs to be 1RU horizontal and used for front-to-back cable management in a cabinet. Obviously it needs to be able to fit in the cabinet with the doors closed. Thank you in advance.



RANCID on HP/Aruba SW

Hey r/networking,

This question seems to be asked quite a bit; I've been looking through other posts to try and find an answer to this but haven't yet. Figured I'd make my own post.

Has anyone successfully gotten RANCID to work on HP/Aruba switches, and how'd you do it?

I'm running RANCID 3.3.0 on Ubuntu 16.04. My router.db file looks like this:

switch;hp;up

My clogin file looks like this:

add autoenable * 1

add method * ssh

add username * user

add password * somepassword

I have CVS Web setup, the object for my switch shows up in there but the config is blank. When I check the logs I see this:

Getting missed routers: round 4.

switch: missed cmd(s): all commands

switch clogin error: Error: TIMEOUT reached

switch: End of run not found

When I manually run clogin against the switch it works, logs in successfully and I can run commands like show run, show version, etc. Not sure why rancid-run is failing to run the commands. Any thoughts or ideas are appreciated. Thanks!



Is there an open source firmware that is capable of meshing?

I’m looking into mesh routers. I wanted to know if I can buy several regular routers and install an open source firmware to manage them as a mesh network.



Do the new Catalyst 9k switches support ip tcp adjust-mss?

Hi everyone,

On my 3850s I see that ip tcp adjust-mss doesn't exist, which makes it a hard sell for use as a client side GRE termination solution, even though that's how they are marketed.

Online I've seen mention of the 3850 not supporting adjust-mss, however I haven't see any such mention of the Catalyst 9k switches.

I was wondering if anyone tried running "ip tcp adjust-mss" on their subinterfaces/Tunnels within a 9k switch? If so, I'd be happy to know whether or not it is supported.

Thanks!



McAfee S4016 cluster logs

Hi, I'm trying to find all past logs of cluster status, going back to the first time the cluster broke last year. Where do the logs get written to?



ISP recommendation for Santa Monica

We are planning to open a small (<10 users) branch office in Santa Monica (90017 area) later this year and the local design team have recommended Spectrum as the preferred telco/isp for the area.

We intend to add this site to our dual hub DMVPN network and will need a basic DIA (around 20Mb+) circuit with a /29 static IP allocation.

Any opinions on Spectrum or is there a better provider I should be considering in this area?



Expect Script for collecting info and logs (fails when logs are too long)

Hi there,

I'm writing an expect script to speed up collecting vital info for troubleshooting purposes whenever a fault occurs.

Basically it's going to consist of show logging, show interface status, show ip interface brief and other commonly used commands for tshooting common and basic device faults, saving the time and effort of logging in manually and checking things one by one.

I've run into a problem, though: if the "show logging" buffer comes out longer than a certain extent, my script fails to continue and just hangs at the next prompt. Occasionally it will manage to execute one more command but then hangs there. I've tried adding sleep or wait but it doesn't seem to help.

Below is my script, maybe you guys can see something I can't:

#!/usr/bin/expect
# Receive Variables
#~~~~~~~~~~~~~~~~~~~
set ipaddress [lindex $argv 0]
# set username [lindex $argv 1]
# set rsapin [lindex $argv 2]
# set enable [lindex $argv 3]
# set configfile [lindex $argv 4]
set timeout 10
set outputfile [open expectlog.log a]
set username "<username>"
set rsapin "<PIN>"
set enable "<enable>"

#~~~~~~~~~~~~~~~~~~~~~~~~
# PROC Gather Information
#~~~~~~~~~~~~~~~~~~~~~~~~
proc getinfo {} {
    send "terminal length 0\r"
    # One CR per command: a second CR produces an extra prompt that the next
    # expect matches early, so the script runs ahead of the device's output.
    expect "*#$" {send "show version | inc uptime\r"}
    expect "*#$" {send "show log\r"}
    # The global 'set timeout 10' bounds the whole expect command, not the gap
    # between output chunks, so a long log buffer needs its own longer limit.
    expect -timeout 120 "*#$" {}
    expect {
        "*rt0?#$" {
            send_user "Device type - Router"
            expect "*rt0?#$" {send "show ip interf brief\r"}
            expect "*rt0?#$" {send "show interf desc\r"}
            expect "*rt0?#$" {send "show dmvpn\r"}
        }
        "*sw0?#$" {
            send_user "Device type - Switch"
            expect "*sw0?#$" {send "show interf status\r"}
            expect "*sw0?#$" {send "show interf desc\r"}
        }
        default {
            send_user "Unable to determine prompt, check getinfo{} proc"
        }
    }
}

# Create Log file
#~~~~~~~~~~~~~~~~~
log_file -a expect.log

# Begin SSH
#~~~~~~~~~~~
sleep 2
send_user "\n"
send_user "Attempting SSH >> $ipaddress @ [exec date]\n"
puts -nonewline $outputfile $ipaddress
spawn ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $username@$ipaddress
expect {
    timeout {
        send_user "\nTimeout Exceeded\n"
        puts $outputfile " - Timeout Exceeded (10)"
        exit 10
    }
    eof {
        send_user "\nConnection Failed\n"
        puts $outputfile " - Connection Failed (20)"
        exit 20
    }
    "*" {}
}

# User Access Verification and Enable Password
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#expect "?sername: $" {send "$username\r"}
expect {
    "Enter PASSCODE: $" {send "$rsapin"}
    "username@*'s password: $" {send "$rsapin"}
}

# Acquire Token key from user
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interact -o "\r" return

# Verify authenticated, Enable Password
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
expect {
    default {
        send_user "\nTimeout or connection lost.\n"
        puts $outputfile " - Timeout or connectivity lost (11)"
        exit 11
    }
    "*failed" {
        send_user "\nAccess failed, possible authentication issue.\nIf problem persists please try again later.\n"
        puts $outputfile " - Authentication Failure (1)"
        exit 1
    }
    "*denied" {
        send_user "\nPlease check username/password\n"
        puts $outputfile " - Authentication Failure (2)"
        exit 2
    }
    "*>$" {
        send "enable\n"
        # The action must be braced, otherwise expect reads "send" as the
        # action and "$enable\n" as a second pattern.
        expect "?assword: $" {send "$enable\n"}
        expect "*#$"
    }
    "*#$" {}
}

getinfo
expect -timeout 5 "*#$" {send "exit\n"}
puts $outputfile " - Done, quitting without error (0)"
close $outputfile
exit 0


Devices per AP

Hello,

I'm currently busy with research for replacing our current WLAN for the local government, and I'm having some trouble knowing how many devices the access points can handle. I'm looking at the Aruba (HPE) 315 and it says 256 supported devices, but in the "unique benefits" section it says this:

"•Supports up to 1,733Mbps in the 5GHz band (with 4SS/VHT80 or 2SS/VHT160 clients) and up to 300Mbps in the 2.4 GHz band (with 2SS/HT40 clients). "

What are VHT clients? I'm trying to do my own research, but it's just really hard for me to find an explanation of what it really is.

I hope my story is a little bit clear; I'm not a native English speaker and have a hard time explaining this.

Thanks in advance for your answer,

zero_poison

TL;DR: What do the 2SS/VHT160 clients mean?

EDIT: word correction and more words/info



Cisco TRUNK connecting to Brocade Tag? Do I need the 802.1Q on the Cisco to connect to Brocade?

On a Cisco switch, let's say FastEthernet 1/49 is a trunk port that I want to connect to a Brocade switch.

My question is, do I not need to put in the 802.1q command on the Cisco?

On the Cisco side you'll put in

Cisco01# interface TenGigabitEthernet 1/49

Cisco01 (config-if)# description Trunk to Brocade ICX 7450

Cisco01 (config-if)# switchport mode trunk

Cisco01 (config-if)# switchport trunk allowed vlan 2

on the BROCADE side I put in:

Brocade01(config)#vlan 2 name Fiber128 by port

Brocade01(config-vlan-2)#tagged ethernet 1/2/1 to 1/2/3

Brocade01(config-vlan-2)#untagged ethernet 1/1/2 to 1/1/48

Brocade01(config-vlan-2)#end

Brocade01(config)#interface ethernet 1/2/1

Brocade01(config-if-e1000-1/2/1)#port-name This is a Trunk to Cisco4948

Brocade01(config)#interface ethernet 1/1/23

Brocade01(config-if-e1000-1/1/23)#port-name CONNECT A WORKSTATION HERE



Tuesday, January 2, 2018

Infiniband FDR switch Mellanox and Arista

Does anybody use 56G DAC cables to connect Arista DCS-7050QX-32 and Mellanox MCX314A-BCBT? Should I configure the Arista switch?



Can I please get some help

A network profile has become attached to my main 2.4 channel. It kills my speed. I try to forget the profile and disable auto-connect but it keeps coming back and automatically connecting to it. I don't know what to do.



[AMA Request] Any engineers that "improperly" use RFC 6598 in their enterprise network

  1. What are you using it for?
  2. Have you run into any technical issues while using it?
  3. If you had to sell using it to someone else, what were your arguments?
  4. Did you tell your SP that you were going to use it? If so, what did they say?
  5. Any other comments on it?

EDIT: Disclaimer - This is for educational purposes only.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



2 routers on one switch

Hi guys need some help.

I currently have one router (MS TMG) and one switch (some old unmanaged switch) with one subnet (192.168.2.0/24). Now I have to replace the old router with a new one. Configuring the new device will take some time and I want to test everything properly, so I connected the new router to the switch and use a new subnet (192.168.1.0/24). This works fine, but devices from the different subnets don't see each other. The question is: can I just create a new static route on both routers pointing to the other subnet/gateway, or is there something else I need to do?

Thanks



Acronym pronunciation

My coworkers and I have a silly little disagreement on the pronunciation of VRF. I spell it out "vee-are-eff", but most of them say "verf." How do you pronounce it?

I find that usually these things end up being different from organization to organization, so in that sense it really doesn't matter as long as you understand each other. At the same time, I used to work with a guy who would pronounce MPLS as "mipples," which would aggravate me to no end.

To make this a more general topic, are there any networking acronyms that you see a lot of disagreement on, or wish more people would pronounce your way (i.e. "the right way"?) Any good stories of times a customer insisted on a certain pronunciation and you had to just roll with it?



FTP over TLS ports

Does anyone have a definitive listing of ports used for FTP over TLS?

Late last year I blocked everything but "essential" protocols for lan to wan and have been unblocking things on an as needed basis.

I added port 990 for "IT", which fixed the FTP/TLS negotiation but I see in pcaps that once it negotiates TLS it then switches to an apparently random port between 50000-56000.

Does anyone have some experience with FTP over TLS? Anything to narrow this range or force a different behavior would be great.
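As an added illustration (not from the post), a Python parser for the FTP passive-mode replies that pick the data port: PASV (227) encodes it as two bytes, EPSV (229) sends it as a number. Under FTP over TLS these replies travel inside the encrypted control channel, so a firewall cannot read them to open pinholes; the only way to narrow the range is to pin it on the server and allow that range explicitly. The transcript and the 50000-56000 range are constructed from what the post observed.

```python
import re
from typing import List, Optional, Tuple

# Reply formats from RFC 959 (PASV, code 227) and RFC 2428 (EPSV, code 229).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line: str) -> Optional[Tuple[Optional[str], int]]:
    """Return (host, port) for a 227 reply, (None, port) for a 229 reply,
    or None for any other line. PASV carries the port as p1*256 + p2."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))
    return None


def audit_passive_ports(control_replies: List[str],
                        allowed: Tuple[int, int]) -> List[Tuple[int, bool]]:
    """For every passive-mode reply in a control-channel transcript, report
    the data port and whether it lies inside the firewall's allowed range.
    After AUTH TLS the on-wire copy of these replies is ciphertext, so this
    check can only be done on the server side (or in a lab decrypt), not on
    the firewall; the server's passive range must be fixed to the allowed one."""
    result = []
    for line in control_replies:
        parsed = parse_passive_reply(line)
        if parsed is not None:
            port = parsed[1]
            result.append((port, allowed[0] <= port <= allowed[1]))
    return result


# Constructed transcript of the server side of an FTPS control session, as the
# client's TLS layer sees it. On the wire only the first two lines are plaintext.
SERVER_REPLIES = [
    "220 FTP server ready.",
    "234 Proceed with negotiation.",           # reply to AUTH TLS
    "200 PBSZ set to 0.",
    "200 PROT now Private.",
    "227 Entering Passive Mode (192,0,2,10,195,88).",
    "229 Entering Extended Passive Mode (|||57001|).",
]

# The range the post's firewall was opened for.
FIREWALL_RANGE = (50000, 56000)


if __name__ == "__main__":
    for port, ok in audit_passive_ports(SERVER_REPLIES, FIREWALL_RANGE):
        print(f"data port {port}: {'inside' if ok else 'OUTSIDE'} {FIREWALL_RANGE}")
```

Pin the server's passive range to the one you allow (for example vsftpd's pasv_min_port and pasv_max_port) so the second reply above cannot happen; a connection to an out-of-range port is then a misconfiguration signal rather than a reason to widen the rule.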



AnyConnect Password Management and NPS?

So this has been bothering me for a few days now. I want to have password management set up for AnyConnect so that users can reset their passwords inline. The problem is that the VPN client will tell me that the password is not meeting complexity requirements upon trying to reset the user's password. This is a strange error message because I'm giving the user a fairly lengthy involved password. Has anyone else run into something similar? I can send configs as needed. My users are authenticating via a Microsoft NPS RADIUS server.



I Don't recognize this wiring diagram. HELP

So I have a small office that has 10 ports that ran to a single switch in the next space. I don't have access to the space before. I think they were attached at that end using patch panels. I opened up the port housing and looked at the wiring diagram to see if it matched a typical 568-B/568-A. The diagram I saw was close but had the white green and white blue switched. I was wondering how much this matters and if I can just match that diagram and be okay.

http://ift.tt/2lHQ3Z1 whiteorange/orange/whiteblue/blue/whitegreen/green/whitebrown/brown.

I just want to make sure that this order is okay and I can work with it. thank you



What are some examples of stateless and stateful protocols (e.g. HTTP and HTTPS)? I know the difference but I can't imagine some examples!

What are some examples of stateless and stateful protocols (e.g. HTTP and HTTPS)? I know the difference but I can't imagine some examples!



Cisco Unity # for company directory

We have a company we're taking over and going to move them to our Call Manager. We're going to redo their auto-attendant greetings as well. On their current greeting one of the prompts is to press 6 to access the company directory. I don't think there's a way to limit the company directory to just this one business unit without creating a second partition in Unity?



RADIUS and local auth. on Aruba switches

Hey everyone,

I'm attempting to set up RADIUS authentication as primary and local authentication as secondary on an HP/Aruba switch. I have the RADIUS authentication working properly, but when RADIUS is applied and working, local authentication doesn't work. Once I remove RADIUS, the local authentication works again. When I do a 'show authentication', it shows RADIUS for Login Primary and Local for Login Secondary, so that appears to be correct. Has anyone dealt with this before?

Thanks!



Advice on backup routes

I've tried to look this up, but I could use some clarification.

I'm working on some backup connections for my sites. What it looks like now is MPLS primary and a VPN over internet as backup. I'm redistributing the routes via EIGRP from the MPLS and they're coming in with an administrative distance of 170.

My assumption was that I could set up a static route for my VPN with an AD of 180 and that would take care of that. However, what I'm seeing is that it works well when the MPLS goes down, but when it comes back up my router won't give up on that static route with the higher AD.

Would someone be able to tell me why this acts this way and if there's a better way to do it?

Also: My routing gear is Cisco but my firewalls which host the VPNs are not. Is going to OSPF across the board the ultimate answer to this?



PoE Switch Request

I'm sorry to even bother this sub with such a simple request, and I'm happy to post somewhere else if it's more appropriate, but I'm looking for an unmanaged HP (if possible) 24-port PoE gigabit switch. I've found things like the JH019A, but only 12 of the 24-ports are PoE. This is just to run a group of 20 or so PoE cameras, so I really don't need anything fancy. Any ideas?



AS Border Router and Core Router Separation Required?

Hi, I am learning about small ISP network operation and I have a question regarding basic AS BGP operation.

A lot of example AS network topologies I see online have Border Routers (ASBR) and Core Routers (CR). ASBRs are connected to IP transit providers or AS peers (or an IX). On the other hand, Core Routers are connected to ASBRs and servers/clients.

My question is, why do we need to separate ASBRs and Core Routers? For example, if we have a basic network with 2 IP transit uplinks, we could have 2 routers with IP transit connected to each router to have fault tolerance. So why should we have 4 routers (2 ASBRs and 2 CRs)?



Automating a captive portal

Hello,

I am new to networking and IT in general. My only experience with computer networks is setting up my home network. My university has a captive portal which is used to login and attain internet access. I have a server in my university which hosts a bunch of stuff on the university network. It is also always connected to a VPN server which I run at my home.

Every 24 hours, I get logged out of the captive portal and lose internet connection and also connection to the VPN. I have to log back in manually to access the internet. What would be an elegant solution to automate the login when I get disconnected?
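One way to automate the re-login described above, as an added example that is not code from the original post: a small watchdog probes a plain-HTTP URL, treats a redirect or a replaced page as a portal intercept, and only then submits the login form. PROBE_URL, PROBE_BODY, PORTAL_LOGIN_URL and the form field names are placeholder assumptions to adapt to the university's portal; credentials are read from environment variables rather than hard-coded.

```python
"""Captive-portal watchdog: probe connectivity and re-authenticate when the
portal has logged the host out (added example, not from the original post).
Assumptions: PROBE_URL serves a tiny static file whose body is PROBE_BODY; the
portal accepts a form POST at PORTAL_LOGIN_URL with fields 'username' and
'password'; credentials come from PORTAL_USER / PORTAL_PASS in the environment."""
import os
import time
import urllib.error
import urllib.parse
import urllib.request

PROBE_URL = "http://probe.example.net/ok.txt"          # placeholder; plain HTTP on purpose
PROBE_BODY = b"ok"                                     # constructed expected body
PORTAL_LOGIN_URL = "https://portal.example.edu/login"  # placeholder
CHECK_INTERVAL_S = 60
TIMEOUT_S = 5


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers as HTTPError instead of following them: a redirect
    away from the probe URL is the classic captive-portal signature."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, body):
    """Map a probe result to 'online', 'captive' or 'down'.

    200 with exactly the expected body means real internet access. Any 3xx, or
    a 200 whose body was replaced (the portal's login page), means the portal
    intercepted the request. Anything else (timeouts, 5xx) is a link problem,
    and posting credentials there would achieve nothing."""
    if status == 200 and body == PROBE_BODY:
        return "online"
    if status == 200 or 300 <= status < 400:
        return "captive"
    return "down"


def probe():
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(PROBE_URL, timeout=TIMEOUT_S) as resp:
            return classify(resp.status, resp.read(len(PROBE_BODY) + 1))
    except urllib.error.HTTPError as err:        # 3xx/4xx/5xx land here
        return classify(err.code, b"")
    except (urllib.error.URLError, OSError):     # DNS failure, timeout, no link
        return classify(0, b"")


def login():
    user, password = os.environ.get("PORTAL_USER"), os.environ.get("PORTAL_PASS")
    if not user or not password:
        raise RuntimeError("PORTAL_USER / PORTAL_PASS not set")
    data = urllib.parse.urlencode({"username": user, "password": password}).encode()
    req = urllib.request.Request(PORTAL_LOGIN_URL, data=data, method="POST")
    # HTTPS with default certificate verification, so the password is not
    # handed to whoever answers on the wire.
    with urllib.request.urlopen(req, timeout=TIMEOUT_S) as resp:
        return resp.status


def watch():
    while True:
        if probe() == "captive":
            print("portal intercept detected, re-authenticating")  # never log the password
            login()
        time.sleep(CHECK_INTERVAL_S)


if __name__ == "__main__":
    watch()
```

Run it under a supervisor (systemd, cron) on the server so it also survives the VPN dropping; the VPN client will reconnect on its own once the probe reports "online" again.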



VPN reconnected after software being removed.

Hello,

I've a question regarding some VPN software.

First I will explain the situation I came into. Type of VPN: IPsec, L2TP, PPTP (first came across this matter with IPsec)

A couple of weeks ago I was at a customer (Customer A) when I received a call from another customer (Customer B) with some network issues. Both of those customers appear to have a 10.0.0.x LAN network.

Normally when I'm at a customer site I have my laptop with me to create a VPN and help Customer B, who is calling. On this occasion I did not have my laptop with me, but I used a PC in Customer A's network to set up a VPN connection to Customer B. To create this VPN I need Administrator rights, and I was able to set up a VPN.

After creating the VPN I closed the VPN software by Task Manager -> End Process (I know it's not the most beautiful way). After I'd ended the process I deleted the software from the PC by Control Panel. I left Customer A and went home after I assisted Customer B.

Now the day after I received a call from Customer A that he could not use his printer anymore, but just from one PC in the network. I've called in to the PC and tried to reach some network devices but nothing was responding. After a reboot still nothing was responding. I told Customer A that I would come to his site to check it out.

When I got to Customer A I used Advanced IP Scanner to check the network devices it could reach, and it appears that I saw network devices that do not exist in his network... I saw devices of the network I had a VPN connection with the day before. I tried to connect to their Windows Server and it worked...

In my opinion this is very strange: after deleting the software from the PC at Customer A and at least 2 reboots, I still have a connection with the Customer B network.

Solution:
- Reinstall the VPN software at Customer A
- Establish a VPN connection
- Disconnect the VPN connection (now I was able to print again)
- Delete the software

Problem solved for Customer A.

I've been able to reproduce this with IPsec, L2TP and PPTP. I've been able to keep a VPN active for hours while not having the software on my PC, with multiple reboots. It's easy to reproduce.

My questions in this matter:
1. Should I be able to remain connected with VPN software when the software is deleted?
2. Is this a bug or just normal for all VPN tools?
3. Considering the software requires Admin permissions, shouldn't it break the connection when the software is not active?

(I've sent a ticket to the VPN company and they said nothing is wrong, it's normal behaviour. I do not know if it's normal.)

Just looking for information, not wanting to call out the VPN provider. I just doubt it's normal.



Frameworks, libraries and best practices when scripting?

Hello Reddit.

So now we're all SDN'ing, creating scripts and writing spaghetti code that applies changes to a ton of devices instantly. With this increased productivity we now also have the possibility to screw up much more efficiently than ever before.

Does anyone know of any frameworks that structure the code in a way that helps prevent us from messing up a ton of things and makes the code easier to maintain? I'm thinking of a framework which assists in structuring the code and/or forces one to also verify that the change was correctly implemented and everything is working before continuing.

When doing web development the code is often structured using a framework like Laravel, which will split the code into Model View Controller (MVC), where the models will communicate with the database, the view will only handle what the user sees and the controller will do all the logic. This really helps force the coder to write better code and ensures a lot fewer bugs.

There's also test-driven development (like Jasmin.js), where you write a test first and then write the code to pass the test. Has anyone tried using something like that for SDN? I imagine it could work rather well for SDN as one could write a bunch of connectivity tests which are run after each change to the network.

Also are there any good libraries out there? :)



Problem with MPLS (EIGRP into BGP)

Hi guys,

I'm doing some homework for a project that is coming up shortly for one of my customers and this has involved me learning MPLS from the ground up (terrible oversight on my part).

Now I've managed to get a few things working, but I've just embarked on my own kind of 'mini project' and I've fallen at almost the first hurdle.

Can anyone assist at all? I'll add the configs and the relevant portion of the diagram. I fully anticipate this to be an easily fixed issue, but I'm stumped!

Oh, I basically can't ping between CE1 and CE2 which should be in the same VRF.

http://ift.tt/2A6HIDo http://ift.tt/2CqruLn



Facebook on work network

Hello.

I'm a junior consultant at an IT company. Today, the Facebook page seems to be inaccessible inside our network. I've checked the Fortinet firewall. The rules are the same. I've allowed some blocked content temporarily to test if there is a problem. I've added Facebook as an exception.

What could be going on?



Monday, January 1, 2018

Proper use of bind() for multicast receive on Linux

I'm trying to use a socket to receive multicast packets from a specific multicast group sent to a specific port and would like to clarify the correct address to use for bind(). The man pages typically discuss bind() in the context of unicast but not so much for the special case of multicast.

I understand that because multiple processes can listen on the same port for multicast, the use of SO_REUSEADDR is usually prescribed. For bind(), I think it's clear that the port to use is the destination port. However, what's not so clear is the address. I see in multiple examples the use of INADDR_ANY for bind. (e.g. http://ift.tt/1aUfY8V & http://ift.tt/1LWOxwq)

However, my experience has been that this way of calling bind() results in receiving unwanted packets, but if I use the multicast group address for bind(), the problem goes away. I have another process concurrently listening to other multicast groups on the same port and I think the current process gets them too because of the indiscriminate use of INADDR_ANY.

So, I would like to confirm whether the multicast group address is the correct address to bind() in my case, like this:

    // Don't do this:
    // bindaddr.sin_addr.s_addr = htonl(INADDR_ANY);

    // Do this instead:
    bindaddr.sin_addr = mcastGroupAddr;

    // Then bind().
    if (bind(sockFd, reinterpret_cast<sockaddr*>(&bindaddr), sizeof(bindaddr)))
        return -1;

If this is not the correct address to bind(), what should I use?
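A complete receiver built the way the post proposes, as an added example that is not code from the original post and goes one step beyond it: on Linux the socket is bound to the group address rather than INADDR_ANY, and it also asks the kernel for each datagram's destination via IP_PKTINFO so a datagram for some other group can still be recognised and dropped in user space. The group, port and interface values are constructed samples; binding to a multicast address is assumed to be accepted by the platform (true on Linux, not on Windows).

```python
"""Receive only one multicast group's datagrams on a shared port
(added example, not from the original post). Assumes Linux, where a UDP
socket may be bound directly to a multicast group address."""
import ipaddress
import socket
import struct

# Linux value of IP_PKTINFO; Python exposes it on Linux, fall back for other builds.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
PKTINFO_LEN = 12  # struct in_pktinfo: int ipi_ifindex; in_addr ipi_spec_dst; in_addr ipi_addr


def bind_address_for(group, port):
    """Return the (address, port) pair to pass to bind() for one group.

    Binding to the group address instead of INADDR_ANY makes the kernel deliver
    only datagrams whose destination is that group, so other groups that another
    process receives on the same port (via SO_REUSEADDR) are filtered out."""
    if not ipaddress.IPv4Address(group).is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    if not 0 < port < 65536:
        raise ValueError(f"port {port} out of range")
    return (group, port)


def open_receiver(group, port, iface="0.0.0.0"):
    """Create the socket, bind it to the group, join the group on `iface`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(bind_address_for(group, port))  # group address, not INADDR_ANY
    mreq = struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton(iface))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    # Belt and braces: have the kernel report each datagram's destination address
    # so a stray datagram is visible even on a platform that ignores the bind filter.
    sock.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    return sock


def destination_from_ancdata(ancdata):
    """Extract the packet's destination IPv4 address from recvmsg() ancillary data,
    or None when no IP_PKTINFO control message is present."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO and len(data) >= PKTINFO_LEN:
            _ifindex, _spec_dst, dst = struct.unpack("i4s4s", data[:PKTINFO_LEN])
            return socket.inet_ntoa(dst)
    return None


def recv_for_group(sock, group, bufsize=65535):
    """Return (payload, sender) for the next datagram addressed to `group`,
    or None if the kernel handed us a datagram meant for another destination."""
    payload, ancdata, _flags, sender = sock.recvmsg(bufsize, socket.CMSG_SPACE(PKTINFO_LEN))
    dst = destination_from_ancdata(ancdata)
    if dst is not None and dst != group:
        return None  # drop, do not let a foreign group's data reach the parser
    return payload, sender


if __name__ == "__main__":
    # Constructed sample group and port; run with a sender on the same LAN.
    receiver = open_receiver("239.255.42.7", 5007)
    while True:
        result = recv_for_group(receiver, "239.255.42.7")
        if result is not None:
            print(len(result[0]), "bytes from", result[1])
```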



Network is slowing down in one room when multiple computers connected.

First of all, I am incredibly new to networking, and IT in general (currently studying for a diploma). I got this job as an Assistant Technician to get experience, but the Technician quit a week after I joined, so now I have to do his job as well. I have managed so far, but I can't solve this issue. Basically we have this room, with sixteen computers connected via a switch to the network. (So, server --> MainSwitch --> RoomSwitch --> PCs). When I connected a couple of PCs (four to be exact), the network ran just fine, but whenever the fifth (and more) PC is connected the whole network slows to a crawl.

With 4 PC: http://ift.tt/2DMxaLN

With > 4 PC: http://ift.tt/2EwyQdr

The switch in use is an Allied Telesis AT-Fs750/24 Websmart switch. http://ift.tt/2DM31Mz

And this is how it's connected: http://ift.tt/2EANoJm

Please let me know what else I need to provide for you to help me fix this issue. Thanks for any and all replies to this :)

(PS: Sorry for bad pictures. Took them in a hurry since office was almost closing)



Access port receiving tagged frames: some Cisco content and books say it's okay, although the IOSvL2 image lab doesn't work.

I've read some book content and some articles online stating that an access port should accept a frame if it's an access port for the VLAN that is in the .1q header. Yes, run-on sentence, I know.

Example: untagged vlan 1 port receives 802.1q frame for vlan 1

To drop or not?

This discussion at Cisco forums seems to think that it works...

http://ift.tt/2lCOlb6

How do I know what platforms it will and will not work on? My testing with VIRL images says it doesn't work.



Extending wifi with Apple airport express

Hi there

I just moved into a new apartment and my landlord provides the internet. The wifi signal in the house overall is pretty good except in the back of the house. I have an AirPort Express and was wondering if I can use it to extend the wifi. I read that you can only extend a wifi network that is using an Apple router. I also read that maybe you can extend if you buy 2 Apple routers. I would like to avoid spending money on this if possible. Any ideas?



What is the best way of establishing a connection between 2 distant points?

I've checked the rules on the sidebar etc, and hopefully this doesn't violate them, but let me know if it does and I'll amend/remove this post. Hopefully this homework question is detailed and specific enough. Not asking for a whole lot, just a few suggestions or pointers in the right direction would be appreciated.

In a scenario where a network already exists (Manchester) with a VDSL2 modem with 802.11n capability, what is the best way of extending this network (WAN) to create links to a new network which will be created in a new location? This new location already has a VDSL2 box ready to use, just not currently connected to a router.

I was already planning on discussing the use of a VPN as a solution (unless this is a stupid idea), what other options are available? Would adding another wireless access point be simple enough, and if so what measures would have to be put into place in order to keep the data sent around the network secure?



Home network slow, I'm stumped, please help...

Have WOW internet 50MB service. Using a separate DOCSIS 3.0 cable modem (TPLink TC-7620) that is connected to a router (TPLink TRW-841N).

So I recently found that my service is slow. Called WOW and they had me direct hook the cable modem to a laptop, bypassing the router, and the speed test proved that the full 50MB service was coming through.

The issue is, when I connect a router (I have tried above and two other models including a brand new one) I am only getting between 3 and 10MB. And that is via direct wired connection to the router. Wifi speeds are similarly slow of course.

I have tried isolating the cable between the router and the cable modem and it is fine (that same cable delivered 50MB when directly connected to the computer).

I have tweaked the DHCP settings on the router to no avail.

I have tried multiple routers and different ports on the router.

A new cable modem is on the way but I am not convinced that will solve the issue.

Any ideas???



Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.



Sunday, December 31, 2017

Trouble with simple VLAN on Watchguard Firebox+AP and HP switch.

I'm a system admin with some network experience and recently became the top/main tech at my small MSP so now I'll need to know and do it all, and VLANs have been a weak area for me since we have so few clients that require them. Trying to VLAN the guest wireless straight out to the internet but it's not passing traffic to the router/firewall and not getting DHCP. Everything else on the main network works fine so far. This is about as simple as it should get as far as VLANs go, but it has me stumped and I couldn't even get a resolution from my thread over on Spiceworks.


This client is set up with a Watchguard M200 router/firewall, Watchguard AP300 access point, and an HPE 1920-48G-PoE+ switch. The goal here was to have the default VLAN1 = corp/lan, and VLAN10 = guest wifi. The AP is plugged in to port 45 of the switch, and port 1 of the switch is plugged in to the watchguard.


On the Watchguard I have VLAN1 set as trusted and untagged on interfaces 1-7 and DHCP Server enabled, VLAN10 set as optional and tagged on interfaces 1-7 and DHCP server enabled, Any-Optional removed from all firewall policies except Outbound and Gateway Wireless Controller, Corp SSID VLAN Tagging not enabled(should use VLAN1 by default), Guest SSID VLAN Tagging enabled for VLAN10.


On the switch I have Port 1 set as 1U/10T/PVID1/Trunk and Port 45 set as 1U/10T/PVID1/Hybrid. I have also tried Port 1 as hybrid, and Port 45 untagged for 10, same issue of no traffic or DHCP on guest wireless. Can't get a valid IP configuration when connected to guest SSID and no traffic gets back to the M200. Also noticed that if you're connected to Corp SSID you don't see the guest SSID until you disconnect from corp first or you disable VLAN tagging on guest SSID...not really a problem, but found it odd.


I've searched Google, asked on Spiceworks, etc. and don't have any solution yet. I've even had several of the higher level engineers at Watchguard look over the M200 and AP300 settings and they say it must be the switch. Unfortunately they don't know switches, so they had little advice for me there.


Any ideas? I'd very much like to better understand what's happening here and why so I can learn from it.



Nortel/Avaya ERS 5500 Routing License

Is there any way to obtain a routing license for these now, aside from finding a used one that already had a license installed? Was mainly looking for ospf, smlt and ecmp functionality out of a pair of 5530s.

I got a quote for a couple grand for this license at one point a few years ago but figured with the line being sold off that there's no way to obtain a new one.

Thanks



Some info about the Setup at #34c3

Hi Folks,

I have been helping out on the NOC at the 34th Chaos Communication Camp, mostly on the access layer deployment. I guess some of the readers here have been attending too...

Uplinks were 4x 100G to diverse Upstreams/IXP and I guess the Setup is pretty impressive either way: Slides from the presentation:

http://ift.tt/2lykpNz

Talk: http://ift.tt/2lsBPM4

Neither the presentation nor the core network was from me ;) But some of the cables that linked the colo to other places were also run by people like me; we ran around the dungeons a lot...

Who else here from this community was around? I forgot to check if there is a reddit meetup :)



Trying to install ntopng 3.2.0 on Linux Mint 18.3

I want to use ntopng 3.2.0 ( http://ift.tt/2lrJWsz ) on Linux Mint 18.3

I can't install the last version found here : http://ift.tt/2amoejh

dpkg: error processing archive apt-ntop.deb (--install):
 trying to overwrite '/etc/nbox/ntop-apt.key', which is also in package apt-ntop-stable 2.6-899
abort-install
Errors were encountered while processing:
 apt-ntop.deb

The version that works for now is

v.2.3.160415, which works well (installed it like this: sudo apt-get install ntopng)

JF

Tks !!



Is networking becoming cool again?

Thought this article summed up some of the ideas that I've seen raised here in the last year or so, about networking moving towards DevOps concepts.