Saturday, January 27, 2018

IBNS 2.0?

Has anyone here deployed 802.1x using Cisco's IBNS 2.0? Are there any benefits that outweigh the seemingly additional complexity that it introduces?

We will be doing a large-scale 802.1x deployment in the near future. I'm getting mixed messages on whether we should use the traditional 802.1x configuration or the newer IBNS 2.0 model. Cisco is obviously pushing the new configuration, but the re-seller we use is telling us to stick with the traditional method (I get the feeling that none of their SEs are familiar with IBNS 2.0 which is probably contributing).

Beyond future functionality, the only real benefits of using IBNS 2.0 that I can see are simultaneous authentication methods and smaller config files.



Why aren't you going to heaven?

We all always do our absolute best all the time (right?). But sometimes budgets, timelines, lazy co-workers, management and apathy prevent us doing A+ work. Share your stories of how you have made more of a mess than you should have (or made it worse than before you were there).



If you had a choice to choose between an Asus RT-AC56R and a Netgear R7000, which would you pick and why?


Thanks Malwarebytes

Their fiasco of a dat update hit just as I was in the middle of my datacenter/FW vendor migration, specifically just after I fixed an asymmetric routing issue. 30 mins of network troubleshooting followed by an hour on the phone with the systems engineer and then manually rebooting half of the 300 PCs because they were blocked from our server networks. By far the worst timing of my IT career.



[Help] Experience With SF 85 Tier 1 Security Clearance?

I don't know where else to ask this, but I just got my first job with a local government contractor doing IT and they had me fill out the SF 85 non-sensitive clearance form. What I'm worried about is I had one job at a fast food restaurant that I stopped going to and I'm uncertain whether or not they registered me as fired or that I quit. It directly asks if you've been fired from any job in The Last 5 Years.

What I'm worried about is that if I list that I quit and that I was not fired, I'll be denied security clearance.

Lastly, how often do people fail these tier one background checks? From what I read it's only a 1% denial rate.

TL;DR

Will I be denied my tier one security clearance for not knowing whether or not I was registered as fired or quit from a fast food job?



Can someone explain what the Fa0 interface on a Cisco switch is?

I just started at a new company and I'm trying to get a feel for the (poorly) documented environment here. I'm a CCNA studying for my CCNP, so . . . I know enough to get myself in trouble.

Running the show cdp nei command on a switch gives this output, and I'm confused about what the Fa0 interface is, because I'm damn sure this switch isn't connected to those other switches.

IDF2-AS-2-new#show cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID               Local Intrfce   Holdtme   Capability   Platform    Port ID
MDF-DS-1.company.blob   Fas 0           126       S I          WS-C2960X   Fas 0
MDF-DS-2.company.blob   Fas 0           174       S I          WS-C2960X   Fas 0
IDF2-AS-2.company.blob  Fas 0           139       S I          WS-C2960X   Fas 0
IDF2-AS-1.company.blob  Fas 0           125       S I          WS-C2960X   Fas 0

Total cdp entries displayed : 4

Can someone explain to me exactly what this means? Google hasn't been any help so far.



"Well Rounded" Network Engineer...?

Recently I had several conversations with peers and seniors in the industry, and most defined a well-rounded engineer as someone who knows his/her way around networking, some scripting, automation, nix/Windows knowledge, etc.

But the thing I'm curious about is that almost nobody mentioned anything about being well-rounded in the networking field itself. R&S aside, there are so many appliances out there (VPN boxes, firewalls, proxies, packet shapers, load balancers, WAN accelerators, wireless, IPAM, etc.). What are the average engineer's skills and experience across the networking spectrum like?



COMCAST changed the privacy policy.... again! OPT OUT OF TARGETED ADS HERE! http://ift.tt/2Gmq2I6


How do you block a smart tv from other devices on the network

Someone in my house has a smart TV, and since it's obviously on the network, every device has the option to stream to it. How do I block it from MY devices? I have firewalls on my phone and Windows machine; can I block the local address?



Found a rack of networking components hidden away in our basement. Junk? Gold? Paperweights?

Hello all, I was cleaning out a shared basement for my apartment building and found all of this networking gear. We're a small building and it doesn't belong to any of the owners or tenants, and we think it was left after somebody moved out.

Is any of this worth selling or giving away? Or is it antiquated junk?

I’m located in Brooklyn, NY if anybody wants it.

PICS BELOW

https://imgur.com/a/L5gPc



Trying to figure out a dual-homed bgp setup, getting writers block

So I'm doing some design work for our updated enterprise... we're going to get a dual-homed (single ISP) setup, where we'll get two circuits, and terminate them to two routers.

I've set something similar to this up at a different job before. It was really simple. We did iBGP between our two edge routers, and on the "primary circuit" we set any route learned from the ISP as a higher local preference, and on the "backup circuit" we set any route we advertised to the ISP to be prepended 4 times.

This led to the primary circuit being the path all ingress and egress traffic took into and out of our network. It also led to the backup circuit being more or less completely unused, but it would kick in and be the best path both into and out of our network if the primary circuit died.

Then LAN side we just did VRRP between the edge routers and had the firewalls point a static route to the VIP.

That was simple, easy to understand, and I could set it up easily today.

There's one small problem. We are kinda wanting to use the two different circuits for two different things.

That would require certain traffic to always go out and come in on "Path B," while the rest of the traffic always goes out and comes in on "Path A."

I'm trying to figure out in this case: do I even do iBGP between the edge routers? After all if I do iBGP between them, and the ISP only advertises a default route, my entire autonomous system will pick only ONE path out of my network. Right? So that throws out the whole "use the two circuits for two different things."

So if I split the edge routers up so they aren't doing iBGP anymore, then I can do "different things" on both circuits, but then I kinda lose redundancy, right? i.e. if Path B fails, how do I make sure that traffic fails over to Path A without anyone having to touch anything? They still very much want this stuff to be able to fail over.

I'm starting to realize this configuration is actually going to be a little more complex than I originally thought it would be. I'm not sure how it will look on the firewalls either.

Anyone got any advice? By all means I'm not asking you to hold my hand and configure the whole design for me, maybe just some hints or pointers. Making things a little more difficult is our ISP, which has a very cookie-cutter approach to peering and doesn't set up anything it would deem "custom" for us.
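The "primary/backup" design the post describes (iBGP between the two edges, higher local preference on routes learned over the primary circuit, 4x AS-path prepend on routes advertised over the backup circuit, VRRP toward the firewalls) written out as IOS configuration. This is an added example, not the poster's configuration or the ISP's template; the AS numbers (64496 for the ISP, 64512 for the enterprise), the 203.0.113.x link addresses, the 198.51.100.0/24 customer prefix, the 10.0.0.0/24 LAN segment and the interface names are all constructed placeholders.

```cisco
! ===== Edge1: primary circuit =====
! (constructed example; ASNs, addresses and interface names are placeholders)
ip prefix-list OUR-PREFIX seq 5 permit 198.51.100.0/24
! Anchor route so the 'network' statement below has a matching RIB entry
ip route 198.51.100.0 255.255.255.0 Null0 250
!
! Only ever advertise our own prefix; never re-announce what the ISP sent us
route-map OUR-PREFIX-OUT permit 10
 match ip address prefix-list OUR-PREFIX
!
! Routes learned on the primary circuit win inside our AS (default LP is 100)
route-map PRIMARY-IN permit 10
 set local-preference 200
!
router bgp 64512
 bgp log-neighbor-changes
 network 198.51.100.0 mask 255.255.255.0
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 description ISP - primary circuit
 neighbor 203.0.113.1 route-map PRIMARY-IN in
 neighbor 203.0.113.1 route-map OUR-PREFIX-OUT out
 neighbor 10.0.0.2 remote-as 64512
 neighbor 10.0.0.2 description iBGP to Edge2
 neighbor 10.0.0.2 next-hop-self
!
interface GigabitEthernet0/1
 description LAN toward firewalls
 ip address 10.0.0.1 255.255.255.0
 vrrp 1 ip 10.0.0.254
 vrrp 1 priority 110
!
! ===== Edge2: backup circuit =====
ip prefix-list OUR-PREFIX seq 5 permit 198.51.100.0/24
ip route 198.51.100.0 255.255.255.0 Null0 250
!
! Routes learned on the backup circuit keep the default local preference
route-map BACKUP-IN permit 10
 set local-preference 100
!
! Prepend our own ASN four times so the Internet prefers the primary path in
route-map BACKUP-OUT permit 10
 match ip address prefix-list OUR-PREFIX
 set as-path prepend 64512 64512 64512 64512
!
router bgp 64512
 bgp log-neighbor-changes
 network 198.51.100.0 mask 255.255.255.0
 neighbor 203.0.113.5 remote-as 64496
 neighbor 203.0.113.5 description ISP - backup circuit
 neighbor 203.0.113.5 route-map BACKUP-IN in
 neighbor 203.0.113.5 route-map BACKUP-OUT out
 neighbor 10.0.0.1 remote-as 64512
 neighbor 10.0.0.1 description iBGP to Edge1
 neighbor 10.0.0.1 next-hop-self
!
interface GigabitEthernet0/1
 description LAN toward firewalls
 ip address 10.0.0.2 255.255.255.0
 vrrp 1 ip 10.0.0.254
 vrrp 1 priority 100
```

Two things worth checking on any config in this shape: the outbound route-map must be a prefix-list match (not an empty permit), otherwise an iBGP-learned ISP route could be re-advertised out the other circuit and turn the enterprise into a transit AS; and because the ISP sends only a default, local preference on that single 0.0.0.0/0 is what makes the whole AS exit via Edge1, which is exactly the "one path out" behaviour the post notes. Splitting traffic per circuit therefore needs something on top of this (per-prefix policy or policy-based routing from the firewalls), not a change to these route-maps.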



two wifi adapters, two networks?

okay. i am messing around in my network lab today and i am trying to see if i can get two wireless adapters to connect to two different APs. currently, i have my onboard wifi and my wired connexion working this way; each connected to a separate network. i'd like to do the same with the onboard wifi and my usb wifi stick. i think it should be doable since the basic concept is sound and currently functioning, but Win10 (aka: Fail10) is being difficult and Ubuntu is... well... i'm not sure what's happening there right now; still early days...

at any rate, as i am bashing away here, i thought i'd post this and see if anyone has some light to shed so i'm not reinventing the wheel.

NOTE: i'm looking for HOW to do it, not a bazillion reasons it can't be done. so if you're full of nope, please just move on.

thanks all! :)



Free ways to detect WiFi channel of surrounding networks?

I'm attempting to get rid of some WiFi interference. I believe that since I live in a trailer park I may be having some channel interference. We only have one internet provider for this area and well, I'm sure you guys get the issue lol. So I'm looking for a free website or app that I can use this one time to scan the area for WiFi channels so I can configure my R8000 router for the least-used channel.



Failed my CompTia A+ 901 exam

Somehow it didn't work out even after putting countless hours into studying. They put some really stupid unrelated questions on this thing.



NETGEAR GS110TP or HP 1820 8g

At the same price, which one is better? The Netgear model has PoE and fiber, but that's not something I plan to use. Can you find some other reason why to choose one over the other?

EDIT: I can buy as well the GS108PE

Thanks in advance.



How to isolate network throughput issue

I'm running into a network issue I've isolated away from the systems to the core, which consists of an N3k and a C2960S. iperf3 is reporting consistent 10G connectivity between both NICs on both systems in storage; however, when transferring data it initiates at over 400MB/s and then trickles down to 20M. I've tested this using a RAM disk to hosts connected to the 2960 and to the N3k, and get the same behavior, however the 2960 connection initiates at 100MB/s. Here's a quick screen capture of the behavior; this happens when copying disk to disk within the RAM disk or flash storage only over the network, local on the storage system is fast. https://streamable.com/yy7s3 The upper limit here even when reading/writing to RAM is telling me it's a network issue (CPU is idle during this test), but I don't have the vocabulary to describe what could be happening.

If this helps, the connections related to the storage nodes are simply two 10G, with individual IPs to the N3K, 1 1Gb connected to the 2960S, and the 2960S connects over LACP to the N3K. This issue happened before the 1Gb connections; they were added when upgrading the NX-OS on the N3K recently, during the reboot.

Something tells me this is a loop, but I'm not sure where to start testing there. This issue happened whether the devices were in a bond0 or on separate IPs. Any pointer in the right direction on a description, and I'll investigate further, will be appreciated.



Abnormal issue... Checkpoint

Ok, here's the setup:

User vlan------>Checkpoint------->Server Vlan

User vlan------ 10.10.1.0/24 Server Vlan------ 192.168.3.0/24

The problem is intermittent...

From time to time, ping from user 10.10.1.4 to server 192.168.3.3 goes to 200-300 ms, while at the same time ping from the same user to the internet (8.8.8.8) is <1 ms. At the same time when ping goes high for user 10.10.1.4, ping from user 10.10.1.110 to 192.168.3.3 is normal...

I checked switch ports, I checked if Checkpoint is doing some kind of traffic scanning, I disabled antivirus on the station PC...

In my view, if there was a physical problem, like a switch port or cable, traffic would have dropped to the internet as well, not only to the server 192.168.3.3; or if there was a problem with the server connection, the problem would manifest for all the users, not only 10.10.1.4.

Do you guys have any idea what to troubleshoot next?

Thanks in advance...



BGP or VRRP on routers connecting to firewalls?

We have this kind of setup with two firewalls in an active/passive cluster:

https://snag.gy/1BoCny.jpg

FWs are connected to a L2 DC switch so the clustering would work correctly. There are multiple VRFs on the routers.

From the routers I can do a static route towards the virtual IP on the firewall, but how about the other direction? I was thinking of doing two BGP sessions to the routers so I could easily take one router down for maintenance and traffic would flow through the other one. Or if some link went down, BGP would advertise the routes from the second router.

Do you see any problems with this kind of setup? Or should I do VRRP on the routers instead? I'm not a big fan of it though... I'm afraid I'll end up in a situation where the link towards the core network is down but the VRRP virtual IP still stays on the router and traffic from the FW gets blackholed.

Thanks!



Issue with VTI on Cisco router

Hello,

I set up a simple lab environment in GNS3 and found an interesting problem. I used the setup from https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1080079 (Configuration Examples for IPsec Virtual Tunnel Interface). So in this simple setup the tunnel interface is UP, and from the router I can ping everything, but from the servers on the left and right side I can't ping the tunnel endpoint or the LAN IP of the other router. I have no idea why; it's totally illogical, the servers are using the LAN IP as default gateway.



EIGRP

 10.15.0.0/16 --Routed Link-- Core1 ---vpc---- Core2 | | | | Dist1 ---vpc--- Dist2 v1015 v1016 | | | | | | R1 ________________R2 | 10.16.0.0/16 

Hi all, most likely a very stupid EIGRP question for you. I have a setup like above with two metro-E lines between my office (R1 and R2) and my datacenter (Core1-2 and Dist1-2).

I create a VLAN for each, call them 1015 and 1016, then I create the SVI on the Core. It's at this point that my brain shuts down and I need help. If I create an SVI on only one core so that, for instance, R1 and Core1 can become EIGRP neighbors, I get a vPC status check failure because the SVIs on the two cores don't match up. If I create the SVI on both of the cores then the two cores will also form an EIGRP relationship on that interface; when I do that for v1015 and v1016 I have two neighbor relationships between the cores on top of the routed link that I built specifically for the peering.

Would you suggest configuring a static neighbor or is that going to bite me in the ass down the road? It's my thought process that the ideal end state would be R1 has Core1 and Core2 as neighbors R2 has Core 1 and Core2 as neighbors and R1 and R2 are neighbors. Then in the event of a core failure I still get the use of both my 1GB lines and in the event of a line failure traffic will flow over the link. Am I overthinking this?



Need advice on whether or not to upgrade our Ubiquiti APs or switch to something else

We currently have 3 Ubiquiti UAP APs with about 30 people spread out over our office. They have been great as far as throughput goes, but we're experiencing some lag when it comes to people accessing our POS server. I'm wondering if we should upgrade to a newer UAP-AC-PRO or maybe a Ruckus R700 or Aruba 205. Would any of these devices do better than what we have now?



Accelerate 18!

http://ift.tt/2neJmz0

Do you 'mirror' your ACLs?

I feel like this is probably a stupid question, but I'm keen to hear what others are doing. Let's keep it simple and say you have two VLANs, A and B. A web server on VLAN A should be able to make a TCP 1433 connection to an SQL Server on VLAN B. Again, keeping things simple, let's say you're using ACLs on the switch to enforce these rules.

Do you have an inbound ACL on VLAN A to only permit the web server to access the SQL server over TCP 1433? I'm guessing most would tick this one.

Do you then have an outbound ACL on VLAN A to only permit traffic from the SQL server with a source port of TCP 1433 to the IP of the Webserver? If you leave this one out the SQL Server (or anyone else) can send unsolicited traffic into VLAN A, though a TCP connection would never establish due to the first rule (unless of course it's sourced from the SQL server from TCP 1433). Do you care?

Do you have any rules on VLAN B, ie, an inbound rule to only permit the SQL server to send traffic to the web server over TCP 1433?

The 'most secure' method would be to have 4 ACLs (In/Out on VLAN A and B), but that becomes a management clusterfuck and you're probably more likely to get something wrong. The benefit though is if you do get something wrong, the worst case is that things don't work as the other ACLs will still cover you. Getting something wrong with the single ACL on VLAN A could mean you permit traffic you shouldn't.

What's the right balance?
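The four-ACL ("mirrored") layout the post describes, as an added IOS example that is not from the post or its replies. The addresses are constructed: web server 10.1.10.10 on VLAN 10 (VLAN A, SVI 10.1.10.1) and SQL server 10.1.20.20 on VLAN 20 (VLAN B, SVI 10.1.20.1). The point it demonstrates is the one raised in the post: the return-direction ACLs only let the SQL server reply to an existing connection, so a mistake in any single ACL is still caught by its mirror.

```cisco
! Direction is relative to the L3 switch: 'in' = entering from hosts on that
! VLAN, 'out' = leaving the switch toward hosts on that VLAN.
! (constructed example; addresses and VLAN numbers are placeholders)
ip access-list extended VLAN-A-IN
 remark Web server may open SQL sessions to the SQL server, nothing else
 permit tcp host 10.1.10.10 host 10.1.20.20 eq 1433
 deny   ip any any log
!
ip access-list extended VLAN-A-OUT
 remark Only replies from the SQL listener may come back to the web server.
 remark 'established' matches segments with ACK or RST set, so a fresh SYN
 remark sourced from port 1433 (unsolicited traffic into VLAN A) is denied.
 permit tcp host 10.1.20.20 eq 1433 host 10.1.10.10 established
 deny   ip any any log
!
ip access-list extended VLAN-B-IN
 remark Mirror of VLAN-A-OUT: the SQL server may only answer the web server
 permit tcp host 10.1.20.20 eq 1433 host 10.1.10.10 established
 deny   ip any any log
!
ip access-list extended VLAN-B-OUT
 remark Mirror of VLAN-A-IN: only the web server may reach the SQL listener
 permit tcp host 10.1.10.10 host 10.1.20.20 eq 1433
 deny   ip any any log
!
interface Vlan10
 description VLAN A - web tier
 ip address 10.1.10.1 255.255.255.0
 ip access-group VLAN-A-IN in
 ip access-group VLAN-A-OUT out
!
interface Vlan20
 description VLAN B - database tier
 ip address 10.1.20.1 255.255.255.0
 ip access-group VLAN-B-IN in
 ip access-group VLAN-B-OUT out
```

Two caveats for anyone copying this shape: `established` is a flag check, not connection tracking, so it does not stop ACK-flagged scans or spoofed replies the way a stateful firewall would, and SVI ACLs never see traffic switched between two hosts on the same VLAN (that needs a VACL or port ACL). The `log` keyword on the final deny is useful while validating the rule set but punts matching packets to the CPU, so rate-limit or drop it once the rules are proven.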



Dental Clinic Setup

Hello I'm sure this subreddit gets lots of requests for help, but after searching I couldn't find someone asking for this setup before.

Looking at setting up a dental clinic. Planning to have a computer + Roku 4k (just for the remote headphone feature; don't plan on streaming 4k) in about 10 rooms. May need to upgrade to 15 rooms in the future. In addition, the reception area will have several computers, as will my office, so let's add an additional 6 computers. There will also be a 3D printer, 3D scanner, and an extraoral X-ray machine + computer. So I'm looking at at least 30 systems that will be hard wired in, with possible expansion up to 40. A server hosting the practice management libraries and radiograph images will have to be in place as well.

I would like to have a guest wifi for patients while they're in the office. In addition some surveillance system setup for entrance/reception area would be great.

From what I understand Ubiquiti products seem to have a great reputation and likely could meet my needs.

Anyway I would appreciate any insight on this. I'll be hiring this job out to a local IT guy as my computer skills in regards to networking are complete ignorance. However I would love to have a basic grasp on things in order to convey my plans effectively.



Friday, January 26, 2018

Only some SNMP MIBs available on Dell N1548 switch? Trying and failing to do file copy

http://ift.tt/2BwsLek

Assistance with FC, MXL and Intel x520 NIC

Hi there,

We have an M1000e chassis and several Dell PowerEdge M630 blades running ESXi 6.5. There are four MXL switches, in slots A1, A2, B1 and B2. Each blade has an Intel x520 LOM for Fabric A and an Intel x520 mezzanine in Fabric B. There is a FlexIO FC module in both MXLs in B1 and B2. There is a 4-port SFP module in both MXLs in A1 and A2.

My question is whether there is any way to get the x520 in Fabric B to communicate with the FC traffic that will hit the FlexIO in B1 and B2. I am not a networking guy, and am trying to get a handle on this setup and a view on some options. My research has come up with the possibilities below:

  • The MXL or the x520 is capable of translating the FC into Ethernet and on to the blade OS? Possibly via DCB?
  • The x520 needs to come out and be replaced by a FC capable NIC
  • FCoE or iSCSI is implemented on the network, both of which are supported by the x520

The last two will be difficult to achieve and ideally I want to retain the hardware we have and achieve the connection from blade to the DotHill SAN without changing kit. Is it possible?

Apologies in advance for any omissions or incorrect assumptions - I should not have skipped networking classes at school :-)



Can someone do an ELI5 for Cisco AAA and crypto pki trustpoint?

I'm reviewing our config that we have in place for our VPN network (I'm a tech, I didn't create the config), and I came across these lines and am confused on what they actually do.

aaa new-model 

I know this is "Authentication, authorization, and accounting," but does this line just globally "turn on" aaa? So, aaa basically is just the Cisco standard for tracking, controlling, and allowing certain users to login/make changes?

aaa authentication login default local 

Does this allow anyone to login if you know the local username and password stored in the router database?

aaa authorization exec default local 

Same thing but allows anyone who logs in to change anything?

So, authentication determines who is allowed to login, and authorization determines what certain users can do?

aaa session-id common

Cisco says this "To specify whether the same session ID will be used for each aaa"... what does that mean?

crypto pki trustpoint TP-self-signed-3860224465 

Something about defining an object to be a trustpoint? What exactly is a trustpoint?

 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3860224465
 revocation-check none
 rsakeypair TP-self-signed-3860224465
crypto pki trustpoint TP-self-signed-1675739775
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1675739775
 revocation-check none
 rsakeypair TP-self-signed-1675739775
crypto pki certificate chain TP-self-signed-3860224465
crypto pki certificate chain TP-self-signed-1675739775

No idea what these do.

Any help would be greatly appreciated!
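An added, annotated IOS example (not the poster's config and not a Cisco document) showing how the pieces asked about fit together: `aaa new-model` switches the box from the old line passwords to method lists; each `aaa authentication login` / `aaa authorization exec` line names a method list (`default` or a custom name) and the ordered sources it tries; the list is then attached to a line. The RADIUS group, the 192.0.2.10 server address, the `CONSOLE` list name and the trustpoint name `TP-self-signed-EXAMPLE` are constructed placeholders; `<RADIUS-SHARED-SECRET>` and `<LOCAL-ADMIN-SECRET>` stand in for real secrets.

```cisco
! (constructed example; server address, names and secrets are placeholders)
aaa new-model
!
radius server CORP-RADIUS-01
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>
!
aaa group server radius CORP-RADIUS
 server name CORP-RADIUS-01
!
! Authentication = who you are. Try RADIUS first; 'local' is consulted only
! when no RADIUS server answers, not when a server rejects the login.
aaa authentication login default group CORP-RADIUS local
! Console uses a separate named list so a RADIUS outage can't lock you out
aaa authentication login CONSOLE local
! Authorization = what you may do after logging in (here: which exec/privilege
! level you land in). Same ordering and same fallback rule.
aaa authorization exec default group CORP-RADIUS local
! Accounting = the audit trail; start-stop records each exec session
aaa accounting exec default start-stop group CORP-RADIUS
! One session ID shared by the authentication, authorization and accounting
! records of a login, so they can be correlated on the RADIUS server
aaa session-id common
!
! Local fallback account used by the 'local' method above
username admin privilege 15 secret <LOCAL-ADMIN-SECRET>
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
!
! A trustpoint is a named bundle: how to obtain a certificate (enrollment),
! its subject, how to check revocation, and which RSA key pair it uses.
! 'enrollment selfsigned' means the router signs its own certificate, which
! is what IOS generates automatically (as TP-self-signed-<id>) when
! 'ip http secure-server' is turned on with no other certificate present.
! 'revocation-check none' is required here because no CA exists to ask.
crypto pki trustpoint TP-self-signed-EXAMPLE
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-EXAMPLE
 revocation-check none
 rsakeypair TP-self-signed-EXAMPLE
!
ip http secure-server
ip http secure-trustpoint TP-self-signed-EXAMPLE
```

A self-signed trustpoint proves only that the device holds the matching private key; browsers and clients have no way to validate it, so its presence in a config usually just means HTTPS management was enabled at some point. If the web UI is not used, `no ip http secure-server` (and `no ip http server`) removes that listener; if it is used, enrolling the trustpoint with the organisation's CA instead of `selfsigned` is what makes the certificate verifiable.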



Patch panel/connector identification

I've been in dozens of small business network closets for the last 10 years but I ran into something I've never seen before. The cables are standard CAT5E. The wall port side of the cable runs are RJ45.

I'm likely going to rip this out and replace with RJ45, but I'm interested to know what it is.

Thanks!

https://imgur.com/a/wX4S4



Best way to design/configure this network?

This isn't a homework question, I feel that I need to state that from the start because it certainly reads like one.

I would also like to state that I walked into this network, many years ago, and as the network grew it was not a possibility to make the necessary changes. I'm not saying it will always be like that, but many decisions were made by electrical contractors as this site never had primary IT support. I have no problem admitting that, even though the above is true, I'm still a bit green in networking, which is why I am making this post.

Without getting into complex design talk about the current setup, I'll start with a few obvious facts about this network (for this theoretical example)

10.10.100.0/24 - IP Camera Network
10.10.105.0/24 - Printer Network
10.10.110.0/24 - LAN Network
192.168.100.0/24 - Server Network

Here is the question...

What is the best way to wire up 6 remote buildings (all on the same plot of land, all connected with at least 6 strands of fiber) while having each network device/network live in its respective building? Meaning, each building has 2 IP cameras that need to live on the 10.10.100.0 network, each building has 2 printers that need to live on 10.10.105.0, etc.

Today, I have trunk links from each building (all are home runs to the main office) and each trunk link carries all the VLANs over the trunk link. This works, but I feel that it isn't the best solution. For example, a broadcast storm on the LAN network in building 5 will cause issues in the remaining buildings due to being on the same broadcast network.

This isn't an excuse, but there were some fiber links that were not done by me and were already in place when I started working here. I feel that a better design would be each building having its own router, with static routes on the routers or some type of routing protocol, but I can't get further than that. I think it would be easier, for me, if the respective IPs/networks didn't have to all exist in each building.

Hopefully that is enough information to try to explain the question I'm asking.



FQDNs and Firewall Rules

I've been asked to deploy Microsoft updates to Windows workstations at a customer site. WSUS has been selected as the tool for the job. The problem is that the customer has a firewall with default-deny policy, and the firewall does not support FQDNs in the ruleset.

Microsoft lists the FQDNs below that need to be permitted through a firewall in order to download updates locally. They don't offer a list of IP addresses that I can find. I've been trying to think of the best way to do this and I can't believe it's this difficult. All I can think to do is throw together a script to run dig on each FQDN to get the IP address and add those to the firewall rules, but there are a few problems with this. First, each FQDN has multiple IP addresses but I don't have a way to get all of them. Even if I query multiple public DNS servers I still wouldn't get all of them. Second, the IPs will change in the future as Microsoft's CDNs shift around as they always do. Third, there's no easy way to enumerate all the subdomains of those wildcard addresses (*.update.microsoft.com, etc).

Am I missing something here? Is there an easier way to do this that I'm not seeing? I'm hoping that there's a good way to handle this and I just don't know about it due to my inexperience.

Thanks for any advice you can send my way! I'll probably post to /r/networking too as it seems like an appropriate question for that audience.

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://test.stats.update.microsoft.com
http://ntservicepack.microsoft.com
http://wustat.windows.com
http://go.microsoft.com



Using hostnames for RADIUS servers on Cisco switches?

Please forgive my dumb. I need to specify RADIUS server names based on hostnames, not IPs.

I've used aaa group server radius to create a group, and server company-radius-01 to put the servers in the group. However, the switches just seem to resolve my entry to the IP address and put the IP address into the running config instead of the hostname.

I've used the server name command, but that doesn't seem to work. It enters into the running config fine, but I can't log in via my domain creds (and it does work if I specify the IP of the radius server via the prior commands). DNS resolution does seem to work, when I'm in the switches I can ping the RADIUS servers via the hostname and they resolve and respond.

What am I missing here?



802.11ax is no longer on the horizon. It is just around the corner



Best way of conveying that VPN tunnels are not circuits?

Morning (or afternoon, or evening depending on where you are) /r/networking.

The title says the gist of it. I have run into this more times than I can count over the years, but I have decided that I need a new strategy, because nothing I have done in the past has worked. And I guess as I get older I have grown more cranky and do not want to say something I will regret. I just need some feedback from others to expound on some methods used to explain to non-technical people, or those with a limited networking background, that a VPN tunnel going down for a few seconds once a week is not a huge deal, and will happen regardless of hardware or configuration. That if you need absolute connectivity you need a circuit.

Thanks in advance.



Any layer 3 switches with stateful firewall?

Are there any layer 3 switches on the market with stateful firewall features? The switches I've worked with don't seem to have them, so I'm always stuck using ACLs to control traffic between VLANs.

So are there any? If not, why? Is there a technical limitation or other reason why it would be undesirable?



EAP-TLS Win 10 client prompted for certificate every time they connect

Currently running 802.1x certificate-based authentication in our infrastructure alongside PEAP; our users are prompted to select a certificate each time they connect to our wireless if they are in the EAP-TLS group. Everything works fine, it is just a nuisance. Apparently it was seen in Win 7 and there was a hotfix, as seen here:

Prompted to select a certificate when you connect to a wireless network in Windows 7

And doing a search on that exact phrase for Win 10 only returns this

I have simple cert selection on as well as certificate selection on to only trust our Root CA. We are running SfB in our environment as well. Anyone seen this and gotten rid of it?



Need assistance with eBGP path selection for this example Design.

I'm going to try to be as detailed as possible. We have two areas, so to speak: the internet and the datacenter. I will refer to the routers and FWs as i for the internet side and d for the datacenter side.

The datacenter spans ALL of the continental US for arguments sake.

There are 3 peering points between internet and DC, ebgp, each with a firewall. Here is the layout and locations:

New York iRouter <-> eBGP <-> dRouter

Philadelphia iRouter <-> eBGP <-> dRouter

Denver iRouter <-> eBGP <-> dRouter

I would like to design this scenario so that the datacenter advertises the 10.10.0.0/14 network out all 3 peers, and when traffic either enters or leaves, it's 100% symmetrical.

The iNet would advertise a default route down all 3 peers as well.

So in essence, if one peer were to go down, or even two, the entire DC still can get out. At the same time, we cannot have asymmetrical routing. I'm thinking routing would be based on location, both for gear talking out to the internet, or whatever gear in the internet would have to talk to the DC.

What is the best BGP algorithm to have this happen and are there any pitfalls in this design?

Thanks all.



Downgrading an AP

We have a couple of APs on one controller that aren't compatible with the 8.5 firmware I want to go to. We have another 5508 controller that has lower firmware. If I move these 2 APs to the other controller, will it automatically downgrade the firmware? They are 1042 APs.

Just curious, because with Cisco phones, if you have a phone with higher firmware than Call Manager it won't downgrade the firmware on the phones. I didn't know if the same principle applies to the controller, where it will only upgrade the APs to the WLC firmware but not downgrade?



Sidebar suggestion: Asciiflow for describing scenarios

I always see people post scenarios on here and the descriptions are sometimes tedious to read without some type of simple diagram. Could we possibly add a recommendation to the sidebar to, if feasible, diagram on asciiflow.com? Paste the result into the comment box, highlight all and indent as code. The result is very practical and looks great!

+---------------+ ae0 +---------------+ | +-----------+ | | Switch #1 +-----------+ Switch #2 | | | | | +---------------+ +---------------+ |ge-0/0/0 |ge-0/0/0 | | | | | | | | | | | +----------------+ | | | | | +-----+ Switch #3 +----+ f0/0 | |f0/1 +----------------+ 


Mobile/portable AP for internet access for non-profit active in emergency and disaster support

Hello together,

while my education did teach me some foundations on networking and I like to dabble a bit in R&S, I am no networking professional. This is why I am hoping you could provide me some hints. (And please excuse my language mistakes, English obviously isn't my native tongue.)

The chief of a growing regional non-profit in Germany that provides psycho-social support to survivors of emergency situations recently discussed with me their plans to expand their ability to respond to situations of mass casualties, disasters and catastrophes. They work closely together with government institutions tasked with emergency response.

For legal reasons they don't have access to government radio and communication channels for emergency response, but have been recommended to try using commercial mobile networks for the time being. Securing internet access even in remote locations (for a densely populated country like Germany) would fulfill a key need to organise their operations.

While they do have qualified technicians in their organisation, creating an ad-hoc mini-WISP on the go in some tent, impromptu-building or random public building for their senior staff creates some difficulty for them.

Many of these places do not have the ability to provide, say, usual ethernet infrastructure immediately, and, as stated, the government emergency management networks are not directly accessible to them. They plan to acquire portable UPS devices, so power should be there for an initial period.

I told the chief that I would have a look and try to find out about internet for their core lead staff, amounting to 5-10 people, working together with and coordinating the actions of potentially several dozen other team members. Their organisation is growing, and their work is appreciated by the government agencies and offices tasked with emergency response, with whom they work together closely. But as stated, for legal reasons they can't use the government channels.

Apart from voice and e-mail, access to the org's internal web apps would be considered key for making their operations more efficient and responsive.

Two-Way-Satellite-Internet has been on the table, but is seen as very expensive in hardware, subscription and data (especially up). (Are there cheaper ways to realise this?) Most of the area the non-profit operates in should be covered by at least one of the three German mobile network providers, Deutsche Telekom, Vodafone Germany, and Telefonica Germany/o2.

I am superficially aware of products by Icomera used by the German national railway company (Deutsche Bahn) and the long-distance bus Flixbus that use all available mobile networks to provide on-board wi-fi. I tried online window-shopping for any APs that provide such capabilities, but my google-fu failed me due to my lack of terminology and certainly foundations in wireless networking. Are there commercially available "multi-homed" mobile internet products affordable for a non-profit?

If there is no way to realise something like that at a reasonable price (let's say, less than a few thousand €) and me rushing to learn BGP, is there a preferred way to use three provider-specific mobile APs together, or should they consider a combination of "satellite down, pigeons up" and eat up the latency issues?

Thank you.

TL;DR: Non-profit wants to have internet access on short call in new / remote places, but can't afford a reverse, "fiber-planting", backhoe (send the backhoe in, and fiber grows immediately in the earth). What can they do?



CCNP / CCIE lab guides

Hey guys -

Do you know where I can find some labs that are very... scenario based? I like things that take real world examples to make you implement the technology.

IE they give you a base topology and say "we need increased throughput on this uplink. Use LACP to create a 3 member port-channel". "Load balancing is not ideal on this port-channel, change the hashing"

The INE workbooks are so... dry. I'm totally willing to pay. I'd prefer the labs to be in VIRL or hosted... but I'm open to anything.

Does Cisco have an official offering for this kind of thing?



Quick juniper question

Setting up a mx240 for the first time, (last time I was in a juniper was pre .com crash days) it's a new regional fiber rollout with no design plan or infrastructure to speak of so to speed things along, I built dns,syslog,dhcp,etc servers on a cluster in another building and used some vlans to get to the juniper to at least get the base setup. Now I'm to the point that I can separate the "isp" from the existing network, but I will need connectivity to the servers for a bit more.

Can I use the single Ethernet management port for that for now? It will eventually be solely for out of band management but I don't want to stop the momentum we have built up with this rollout because it only has 1 copper Ethernet port.. from what I've read it is not recommended, but it doesn't say it isn't possible...



Disabling NAT on E4200v2 doesn't allow internally assigned IP addresses to be public facing.

I've assigned a private IP range for my internal network. I disabled NAT and have the DHCP configured for the public IP range I intend to use. When I perform a public IP check on a client though, the IP is still the WAN IP, instead of their internal public IP address. On top of that, a whois on the IP doesn't point to me.

Is there something I'm missing here? I did the change yesterday. Is this like DNS where it just takes time for the systems to catch up?

Thanks!



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Static or Dynamic IP?

Hi all,

We have a bunch of equipment here on the network (all of various Windows flavours), and I know for a fact that some of them are set with a static IP, and some are on dynamic/DHCP-assigned IP addresses. Short of walking to (or remoting into) each one of them one by one, is there a way to determine which of those have static IP numbers?

thanks!
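One network-side way to answer this, as an added example that is not part of the post: compare the gateway's ARP table with the DHCP server's lease list. A host that is live in ARP, sits inside the DHCP scope and has no lease (or whose lease MAC disagrees with ARP) is almost certainly statically addressed. The ARP format is Cisco IOS `show ip arp`; the lease export format (ip,mac,hostname per line) and both sample tables are constructed assumptions.

```python
# Added example (not from the post): infer which hosts on a subnet are not
# using DHCP by comparing the default gateway's ARP table with the DHCP
# server's lease list. An address that is live in ARP, lies inside the scope
# and has no matching lease is a static (or unknown) assignment.
# Both tables below are constructed sample data in assumed export formats.
import ipaddress
import re

# Cisco IOS `show ip arp` rows: Internet  <ip>  <age|->  <hhhh.hhhh.hhhh>  ARPA  <intf>
ARP_RE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+([0-9a-fA-F.]{14})\s")

# Assumed lease export: one "ip,mac,hostname" row per line.
LEASE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+),([0-9a-fA-F:.-]+),")


def normalise_mac(mac: str) -> str:
    """Render any common MAC notation as aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text: str) -> dict:
    """{ip: mac} for learned entries; rows with age '-' are the switch's own."""
    entries = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m and m.group(2) != "-":
            entries[m.group(1)] = normalise_mac(m.group(3))
    return entries


def parse_leases(text: str) -> dict:
    """{ip: mac} from the assumed lease export."""
    leases = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            leases[m.group(1)] = normalise_mac(m.group(2))
    return leases


def find_static_hosts(arp_text: str, lease_text: str, scope: str) -> list:
    """Return [(ip, mac, reason)] for live hosts in `scope` that have no
    matching lease, ordered by address."""
    net = ipaddress.ip_network(scope)
    leases = parse_leases(lease_text)
    found = []
    for ip, mac in parse_arp(arp_text).items():
        if ipaddress.ip_address(ip) not in net:
            continue
        if ip not in leases:
            found.append((ip, mac, "no lease"))
        elif leases[ip] != mac:
            found.append((ip, mac, "lease MAC mismatch"))
    return sorted(found, key=lambda r: ipaddress.ip_address(r[0]))


# Constructed sample output of `show ip arp` on the gateway switch.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.1            -   0000.0c9f.f001  ARPA   Vlan10
Internet  192.168.10.20           5   0011.2233.4455  ARPA   Vlan10
Internet  192.168.10.21           2   0011.2233.4466  ARPA   Vlan10
Internet  192.168.10.200          0   0011.2233.4499  ARPA   Vlan10
Internet  10.0.0.5                1   0011.2233.4400  ARPA   Vlan20
"""

# Constructed sample lease export from the DHCP server.
SAMPLE_LEASES = """\
192.168.10.20,00-11-22-33-44-55,pc-20
192.168.10.21,00-11-22-33-44-77,pc-21
"""

if __name__ == "__main__":
    for row in find_static_hosts(SAMPLE_ARP, SAMPLE_LEASES, "192.168.10.0/24"):
        print(*row)
```

The "lease MAC mismatch" case is worth keeping: it catches a box that was once on DHCP, had its address hard-coded, and is now colliding with a lease handed to someone else.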



Looking for teaming/link aggregation switch

I have an EnGenius wireless bridge set linking two sets of computers with internet on one side. It would go down every few months so I decided to throw up a Ubiquiti LiteBeam AC2 as a backup link. I figure I might as well have them aggregate since the connection isn't that great, like 10-50 Mbps. I need something that can do about a dozen computers on both sides. Do I need to buy 2 new switches to do the link aggregation? What unmanaged switches do you guys recommend? Looking not to spend too much. Thanks!



Trying to set up DDoS scrub server

So I colo in Chicago and run a small sized hosting company. I want to start getting into DDoS attack mitigation and I have some of the infrastructure to get started.

I have a Juniper EX4300. It's older and has limited functionality. The firewall sucks. This router is on a 10G backbone.

I have a dedicated server in this same LAN on a 10G link with some insane specs that I want to use to scrub incoming DDoS traffic with firewall rules then pass it back to the core router.

How would I do this? I already got traffic to the dedicated server via iBGP and via static routes, but how do I go about routing back the clean traffic after I've worked it on the dedicated server?



Thursday, January 25, 2018

best heat map software

Started a new job; I have a campus with 4 buildings and a little more than 100 APs. I want to put all the APs on their Meraki map, but I don't have a good way to know where all the APs are.

One thing I thought I could do is grab the MAC of the strongest SSID and then have that AP flash its lights to confirm, but I don't know of any good tools that will show me that info.

I've also started looking at NetSpot but want to see what else is out there. Thanks!



CRC errors only seen on one side of the connection, from Cisco 3560 to Adtran 3458

Greetings!

I am stumped on an issue (along with Windstream). We have a dedicated fiber connection from Windstream. Windstream's IAD is an Adtran NetVanta 3458. From their Eth0/2, it connects to my Layer 3 switch, a Cisco 3560 (12.2(25r)SEE4).

On my Cisco port, I see occasional input errors and CRC. It's slow incrementing, but we have seen some packet loss on it. We have tried the following:

  • Make sure both ports are set to Auto
  • Changed cables, tried straight-through and crossover
  • Changed ports on the 3560 (I've tried 3 different ones)
  • Set ports on both ends back to 100/full (Adtran Eth interfaces are 100 only)

On the Adtran, Windstream sees no CRC or input errors at all. On my 3560, I've seen no other CRC errors on any other port. I've always thought if you see CRC errors on one side they should appear on the other as well.

What else can I try?



Telepresence & Voice VLANs

On your networks, do you put TP units into their own VLANs, or do they use the Voice VLAN? I've seen it done both ways, and from my perspective, dedicated Video/Telepresence VLANs seem to be more trouble than they're worth (in terms of the administrative changes required). But then again, I'm sure there are other ways to look at this (which is why I'm asking you guys for your thoughts).



Cisco Hospitality APs and Wired port authentication

I've got a few 1810w access points from Cisco. These are "hospitality" APs designed to mount to a wall box and they expose wired ports in addition to wireless. I'm wondering if anyone has gotten port security working on the wired ports?

We've got a third party NAC solution that the WLC is already set up to connect to via RADIUS. We also do our user access ports on each building's Layer 2 devices so that devices authenticate to RADIUS via MAB. In each instance, whether wired or wireless, clients should get redirected on non-SSL web requests over to the NAC solution where they can sign in and get cleared for network access.

I'd like to do the same on the 1810w network ports. A Remote LAN seems to support RADIUS server communication and Mac Filtering but it seems to be missing the option that, on a WLAN, would redirect clients... think it's called NAC State.



Capturing Intra-Switch traffic?

Curious how others capture Intra Switch traffic? If a single physical switch has many servers connected to it and most intra-server communication never leaves that physical switch, is there any other way to capture the traffic between the servers other than SPAN?

Network Taps would not catch Intra switch traffic, only traffic traversing the uplinks. Host based agents are a possibility I guess, but difficult to deploy/manage if you have a mix of Windows, Linux/Unix servers. NetFlow is an option, but some switches do not support NetFlow. Am I missing any other options?



Issue with Cisco console

Hey guys,

We are having an issue consoling into one of our Cisco devices and I was wondering if anyone has had anything similar to this. Basically we will console in, everything works great, but after a while the console goes haywire and starts spamming G and H. This appears to only happen on one of our devices.

We are consoling in via a machine running Fedora 27 using minicom and the screen command. We were able to replicate this issue on a machine running Ubuntu 16.04 as well.

The Cisco switch is running IOS 15.2 and model is WS-C2960X-24TS-L.

Any ideas would be greatly appreciated!



New version of Python for Network Engineers free course.

I am going to be running a new version of my Python for Network Engineers course. The course lessons are delivered via email and consist of videos, exercises, and additional content.

The new course focuses more on Python3 (than my earlier course). It also has more content related to applying Python to Network Engineering use cases (SSH to devices, Jinja2 templating).

That being said, the course still is about Python fundamentals.

High-level course syllabus is:

  • Week1 - Why Python, the Python Interpreter Shell, and Strings
  • Week2 - Numbers, Files, Lists, and Linters
  • Week3 - Conditionals and Loops
  • Week4 - Dictionaries, Exceptions, and Regular Expressions
  • Week5 - Functions and the Python Debugger
  • Week6 - Netmiko Basics
  • Week7 - Jinja2 Basics, Introduction to YAML and JSON, Complex Data Structures
  • Week8 - Libraries, Package Installation, and Virtual Environments

You can sign-up here: https://pynet.twb-tech.com/email-signup.html



Network Administrators: What are your thoughts on server side ad blockers like PiHole?

I attend a small college in New England, USA and have noticed that all of the computers across campus have ads on them. I understand that installing an ad blocker on each individual client could be a nightmare, but why are there no network or server side ad blockers in place? Is this just something my school chooses not to do? Are there any companies/schools that have server side ad blocking? Thanks!



Nebraska Network Operators Group

Any networking professionals in Nebraska? I've created a slack workspace specifically for Nebraska Network Operators.

PM me for the invite. Thanks!



How large of WiFi VLAN before broadcasts are too much?

My building currently has about 12 Cisco 3702 WAPs on each floor, controlled by a Cisco 5520 WLC. I have each floor's wifi in its own /23 VLAN, but I am finding that it doesn't seem to be enough anymore. I am thinking about expanding the VLANs but my concern is with broadcast traffic bogging down things if the network gets too large.

Should I split the building in half and have two /23 networks per floor? Or would I be ok doing a /22? Option A wouldn't be much more work than just expanding the VLANs, but would it even be necessary? Plus, if someone walks to the other side of the building for a meeting, they would need a new IP when joining a new AP group.



Need help trying to figure out network drops

Hello! I'm a medium knowledge level sysadmin working for a small company of about 30 users or so. After coming on board, the company already had some devices in place and I've also installed some devices. At this time, we're experiencing network drops, and I'm trying to understand why they're happening and what I can do to fix them.

To give some background on the network infrastructure: Modem -> Sophos XG 430 Firewall ->

LGS124P Switch (Unmanaged) -> Domain Controller (DNS server as well)

LGS124P Switch (Unmanaged) -> Sophos 100C Access point

LGS124P Switch (Unmanaged) -> Netgear Ac1700 Router (acting as an access point)

The Netgear router is acting as an AP because we originally had two 100C access points and one of them died, and I had to make a quick fix, and used that to give the second half of the office wifi.

Onto information on the actual issue. Periodically, throughout the day, the network will go down. The drops happen for about 45 seconds then everything is fine. I've noticed this before so from the Domain Controller, I have 5 ping tests writing to text files to show me what is going on. I have:

  • Ping to Firewall
  • Ping to Access Point (Sophos AP)
  • Ping to Router acting as AP
  • Ping to self
  • Ping to 8.8.8.8

During the last "outage", the ping to Firewall returned "Request timed out". The ping to AP was fine, no dropped packets. The ping to router acting as AP returned "Reply from 192.168.254.3: Destination host unreachable.". Ping to 8.8.8.8 returned "Reply from 192.168.254.3: Destination host unreachable." (192.168.254.3 is IP of DC/DNS server).

So my first question is: what better tools are there for figuring out what the hell is happening? One problem I'm having is that ping doesn't leave a timestamp, so I can't properly determine if these are actually happening at the same time.

Second: My best guess as to what's happening right now is that the AC1700 is being overloaded or is dropping connections. But I'm not sure because when these "blips" happen, the whole office is affected.

Any help at this point would be appreciated. Thank you.
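The timestamp problem described above can be solved without any extra tooling. The following is an added example, not part of the post: a small logger that pings several targets in parallel and writes one timestamped line per reply, plus a correlator that reads those lines back and reports the windows in which more than one target failed at the same time. Which targets to ping, the log format and the sample log lines are all my assumptions; the addresses follow the post's 192.168.254.0/24.

```python
# Added example (not the poster's setup): one logger that pings several
# targets with a timestamp on every line, plus a correlator that finds the
# windows where more than one target failed at once. The log lines near the
# bottom are constructed sample data.
import datetime as dt
import platform
import re
import subprocess
import threading
from collections import defaultdict

# Log line format written by ping_logger: "<ISO timestamp> <target> <ok|fail>"
LOG_RE = re.compile(r"^(\S+) (\S+) (ok|fail)$")


def classify_ping_line(raw: str) -> str:
    """Map one line of ping output to ok / fail / other (headers, stats)."""
    low = raw.lower()
    if "ttl=" in low:
        return "ok"
    if "timed out" in low or "unreachable" in low:
        return "fail"
    return "other"


def ping_logger(target: str, count: int, logfile: str) -> None:
    """Ping `target` `count` times and append one timestamped line per reply."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    proc = subprocess.Popen(["ping", count_flag, str(count), target],
                            stdout=subprocess.PIPE, text=True)
    with open(logfile, "a") as fh:
        for raw in proc.stdout:
            status = classify_ping_line(raw)
            if status != "other":
                stamp = dt.datetime.now().isoformat(timespec="seconds")
                fh.write(f"{stamp} {target} {status}\n")
                fh.flush()
    proc.wait()


def ping_all(targets, count, logfile):
    """Run one logger thread per target so the timestamps are comparable."""
    threads = [threading.Thread(target=ping_logger, args=(t, count, logfile))
               for t in targets]
    for th in threads:
        th.start()
    for th in threads:
        th.join()


def correlate_failures(lines, min_targets=2, window_s=5):
    """Bucket failures into `window_s`-second windows and return the windows
    in which at least `min_targets` distinct targets failed, as
    [(window_start_iso, [targets...])]."""
    failed = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        stamp, target, status = m.groups()
        if status != "fail":
            continue
        t = dt.datetime.fromisoformat(stamp).replace(microsecond=0)
        start = t - dt.timedelta(seconds=t.second % window_s)
        failed[start.isoformat()].add(target)
    return sorted((w, sorted(ts)) for w, ts in failed.items()
                  if len(ts) >= min_targets)


# Constructed sample log: gateway and 8.8.8.8 fail together, a later single
# failure of 8.8.8.8 alone is not reported.
SAMPLE_LOG = """\
2018-01-25T10:00:01 192.168.254.1 fail
2018-01-25T10:00:01 192.168.254.10 ok
2018-01-25T10:00:02 8.8.8.8 fail
2018-01-25T10:00:02 192.168.254.3 ok
2018-01-25T10:00:31 8.8.8.8 fail
""".splitlines()

if __name__ == "__main__":
    # To collect real data: ping_all(["192.168.254.1", "8.8.8.8"], 600, "pings.log")
    print(correlate_failures(SAMPLE_LOG))
```

When the firewall and 8.8.8.8 fail in the same window while the LAN hosts answer, the fault is between the DC and the firewall; when everything including the on-LAN AP fails together, look at the switch or the DC's own NIC instead.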



10 Gig Core switch in home lab

This might not be a normal request but I'm running out of 10G interfaces at my home "lab"

My current core switch (Juniper EX3300) that does most L3 termination (I have one EX2300 as well) only has 4x10GE uplink ports. Currently two ESXi hosts have allocated half of those, one NAS has the third and the fourth goes to the EX2300.

I'd like to introduce another EX2300 for my backup NAS (to move away from L2 and LACP agg)

However I'm not sure what would be the best topology and to what cost. Another EX3300 would make the most sense, running Core+Access and do L3 in Access and let the core forward traffic to my vSRX firewall if needed (traffic between routing-instances and security zones). All routing is done with OSPF in core + a few BGP sessions in the vSRX to the outside world.

I'm also thinking about letting the EX3300 be the core switch and using three EX2300s as access switches; however they do not support routing-instances (what a bummer) and I'd like to do L3 in the access layer. Also they only have 2x10GE uplinks, not really meant for access ports, meaning my ESXi hosts would not be able to connect to the same switch.

There are a lot of 10GE switches out there (With SFP+) but as this is home I'd like them to be quiet and not consume a load of power :)

Another option is to do L2 aggregation with cheaper switches, but most of them only offer copper ports (not really an option here).

What would you do?



Nexus VPC question

Hello!

First time I'm posting here so I hope I don't break any rules!

I'm setting up a virtualization environment and using Nexus switches for the first time!

I have two Nexus 9ks connected with 2x 10g twinax cables for peer link and a separate 10g cable for the keep alive. I've configured 2x10g connections as a VPC for the connection back to the core switch and it works perfectly, removing one of the connections doesn't cause any interruptions!

I did a DR experiment today of powering one Nexus off. As expected, everything remains stable :)

I then turned the other nexus off. As expected, VMware becomes inaccessible. I then turned only ONE nexus back on.

And this is where my question comes! Because each Nexus is independent (there's no StackWise like with Catalyst), the VPC doesn't come back online, so VMware is inaccessible and, worse, the virtual servers inside VMware have no network access.

So in an event where say a power cut results in one of the 2 nexus switches being hosed (say, the motherboard is fried), the VMware environment is completely dead, even if the other nexus is fine.

How do you guys deal with this scenario?

Many thanks for reading and for your time.



JuniOS, can you show the output interface of BGP routes learned from a route reflector?

Unsure if it's possible. If we do "show route table inet.0 output interface ae0" it only shows ISIS/Direct routes, no BGP routes learned from a RR. https://i.imgur.com/Wkfh9GT.png

We'd like to catch indirect routes only related to an interface.

Any ideas?

Edit: was a little too impatient before posting, figured it out. Loopback of the next hop. Like a doofus I was searching next physical hop. Doing an extensive show showed me the protocol next hop, which would tie to that specific interface. Sorry about that, thanks



Speed Differences - LAN vs. WIFI to a single HOST

I have a puzzling issue that I could use some insight with.

I have a remote site connected via MPLS 10mb. The site has an L3 switch, an MPLS router, a Firewall for internet, and a single WIFI access point (Ubiquiti UniFi UAP-PRO running 2 bands).

In the MPLS cloud, many sites are connected, but there are (2) specific sites that have resources used by all sites.

  • Site 1 has a CRM app

  • Site 2 has all Windows resource apps

When this site connects to the CRM app via LAN, everything is perfect, fast, and without issues.

When this site connects to the CRM app via WIFI, the app connects but it's very slow and sluggish. All Window resources are OK and perfectly fast, and internet access is fine as well.

Flip the client back to LAN and the CRM app speeds up perfectly.

The LAN switch is a Cisco 3560 with ip routing enabled. This is the default gateway for LAN and WIFI clients. WIFI clients get DHCP on the same LAN subnet, not a separate VLAN. Debug shows no issues, no arp pollution, nothing strange at all.

Can anyone offer any insight as to how to figure this out? I'm out of ideas.

Thanks!



HPE 5940 - IRF configuration help

Hello,

Preface: Not worked a ton with HPE products in the past, just looking for some help on configuring IRF. Link between switches won't come up after IRF configuration.

We have recently got 3x HPE FF 5940 48SFP+ 6QSFP28 switches.

They are connected in a ring topology with 40G QSFP DAC. See here: https://i.imgur.com/y0blCWj.png

All switches are running the same software (HPE Comware Software, Version 7.1.070, Release 2509P02).

Factory default configuration out of the box all interfaces are LINK UP.

After configuring IRF on all three switches the link between them won't come up and IRF won't form.

Not sure if I'm missing something? I'm following this guide https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c05212296

I've tried both with the "easy-irf" command and manually configuring the switches.

Here's sample configuration from one of the switches:

Any help would be appreciated.

[HPE]display current-configuration
#
 version 7.1.070, Release 2509P02
#
 sysname HPE
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 30
 irf member 1 description SW1
#
 lldp global enable
#
 system-working-mode standard
 hardware-resource vxlan l3gw16k
 password-recovery enable
#
vlan 1
#
irf-port 1/1
 port group interface HundredGigE1/0/49
 port group interface HundredGigE1/0/50
#
irf-port 1/2
 port group interface HundredGigE1/0/51
 port group interface HundredGigE1/0/52
#
 stp global enable
#
interface NULL0
#
interface HundredGigE1/0/53
 port link-mode bridge
#
interface HundredGigE1/0/54
 port link-mode bridge
#
interface HundredGigE1/0/49
#
interface HundredGigE1/0/50
#
interface HundredGigE1/0/51
#
interface HundredGigE1/0/52
#
(Cutting out some Tengig Interfaces here, no config on them)
#
 scheduler logfile size 16
#
line class aux
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line vty 0 63
 user-role network-operator
#
 snmp-agent
 snmp-agent local-engineid 800063A28040B93C406FA400000001
 snmp-agent sys-info version v3
#
radius scheme system
 user-name-format without-domain
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
return

[HPE]show irf
MemberID    Role    Priority  CPU-Mac         Description
 *+1        Master  30        00e0-fc0f-8c02  SW1
--------------------------------------------------
 * indicates the device is the master.
 + indicates the device through which the user logs in.

 The bridge MAC of the IRF is: 40b9-3c40-6fa0
 Auto upgrade                : yes
 Mac persistent              : 6 min
 Domain ID                   : 0

[HPE]show irf link
Member 1
 IRF Port  Interface           Status
 1         HundredGigE1/0/49   DOWN
           HundredGigE1/0/50   DOWN
 2         HundredGigE1/0/51   DOWN
           HundredGigE1/0/52   DOWN

[HPE]show irf topology
                             Topology Info
-------------------------------------------------------------------------
               IRF-Port1                IRF-Port2
 MemberID    Link       neighbor      Link       neighbor    Belong To
 1           DOWN       ---           DOWN       ---         00e0-fc0f-8c02


Just purchased a 5506-X for home

Just as the title says, I bought a firewall. My current home lab consists of the newly added 5506, a 2921 ISR, two C3750Gs, and a Dell R610.

Currently I’ve been running NAT overload on the 2921 with my single, static, public address which then connects to the stacked 3750s which do L3 internal vlan routing, and the hosts/clients connect via wired patch ins to the switches.

My question is, how would I best introduce the 5506 into this equation? I would like for the 2921 to continue performing NAT, otherwise it will have nothing to do. The 5506 was purchased mainly for a hardware accelerated VPN solution but also to play around with towards CCNA security.

I only have one static IP and I’m assuming the 2921 would want to be at the edge if it’s going to perform NAT. If anyone could lead me in the right direction, it would be greatly appreciated.

Thanks, Chris



PolyCom Phone not getting correct DHCP Address / Can't connect to Skype 4 Business

I pulled a packet capture from my switch that connects this phone to the network. From what I can tell it is receiving a DHCP request/ack but it is missing some of the server options that connect it to Skype for Business. Should I see all of the DHCP options in Wireshark on the acknowledgement? I am missing MSUCClient options 1, 2, 3, 4, 5 and Option 120 (URL for UC). Any advice?
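To check a capture like this without relying on Wireshark's dissector, here is an added example (not part of the post) that parses the options field of a DHCP message and reports what the phone would find. Option 120 (SIP servers) is decoded per RFC 3361; treating the "MSUCClient options 1-5" as vendor sub-options 1-5 inside option 43 is an assumption taken from the post's wording, and the packet bytes are constructed, not a real capture.

```python
# Added example (not from the post): parse the options field of a DHCP ACK
# and report what a Skype for Business phone expects. Option 120 (SIP
# servers, RFC 3361) is standard; treating vendor sub-options 1-5 inside
# option 43 as the "MSUCClient" options is an assumption taken from the post.
# The packet bytes below are constructed, not a real capture.
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_tlvs(data: bytes, start: int = 0) -> dict:
    """Decode code/length/value triples until 255. Code 0 is a pad byte.
    Repeated codes are concatenated (RFC 3396 long options)."""
    opts, i = {}, start
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(data):
            raise ValueError(f"truncated header for option {code}")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past end of packet")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def parse_dhcp_options(data: bytes) -> dict:
    """Options field of a DHCP message: magic cookie followed by TLVs."""
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie")
    return parse_tlvs(data, 4)


def decode_option120(value: bytes) -> list:
    """RFC 3361: enc 0 = DNS names in wire format, enc 1 = IPv4 addresses."""
    if not value:
        return []
    enc, body = value[0], value[1:]
    if enc == 1:
        return [".".join(str(b) for b in body[i:i + 4])
                for i in range(0, len(body), 4)]
    names, labels, i = [], [], 0
    while i < len(body):
        n = body[i]
        i += 1
        if n == 0:
            names.append(".".join(labels))
            labels = []
        else:
            labels.append(body[i:i + n].decode("ascii"))
            i += n
    return names


def check_sfb_options(options_field: bytes) -> dict:
    """What the phone would find (or miss) in this ACK."""
    opts = parse_dhcp_options(options_field)
    subs = parse_tlvs(opts[43]) if 43 in opts else {}
    return {
        "sip_servers": decode_option120(opts.get(120, b"")),
        "missing_vendor_subopts": [n for n in range(1, 6) if n not in subs],
    }


def _name(s: str) -> bytes:
    """DNS wire-format encoding of a dotted name (used to build the sample)."""
    return b"".join(bytes([len(p)]) + p.encode() for p in s.split(".")) + b"\x00"


# Constructed ACK that carries option 120 but only two of the vendor sub-options.
SAMPLE_ACK_OPTIONS = (
    MAGIC_COOKIE
    + b"\x35\x01\x05"                      # 53: DHCPACK
    + b"\x36\x04\xc0\xa8\x01\x01"          # 54: server id 192.168.1.1
    + b"\x78" + bytes([1 + len(_name("sip.example.com"))]) + b"\x00"
    + _name("sip.example.com")             # 120: SIP server, enc 0
    + b"\x2b\x0c\x01\x04MSUC\x02\x04http"  # 43: sub-options 1 and 2 only
    + b"\xff"
)

# Constructed ACK with neither option: the symptom described in the post.
SAMPLE_ACK_BARE = MAGIC_COOKIE + b"\x35\x01\x05" + b"\x36\x04\xc0\xa8\x01\x01" + b"\xff"
```

Feed it the bytes from the ACK's options field (Wireshark: "Export Packet Bytes" on the Options node) and the `missing_vendor_subopts` list tells you directly which sub-options the server never sent, which is the usual cause when the scope or server-level options were defined for the old DHCP server only.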



Looking for ideas on how to upgrade IOS on a fleet of ~450 devices

The situation:

  • In my 2nd year as a k12 jr. neteng
  • ~450 Cisco devices under my supervision, as an MSP-level netadmin, for various local school districts
  • The bit of research I've done so far suggests the number of devices requiring IOS updates approaches 100%
  • Almost all devices are of the 3750/3560 vintage. A few 2800 routers here and there, and yes, a few even older than those.

Side-note: I understand these are ancient devices, and the Best Solution(R) is to refresh them. This is on my radar, and I'm working with the resources I have to make this happen. For now, I need help upgrading IOS. If you have constructive advice, I'm all ears! If all you have to offer is something about how old these devices are, please feel free to not reply.

Tools I have:

  • SolarWinds Orion NMS in production
  • Decent python/napalm/netmiko skills—I've done more than one useful thing with them
  • Very, very basic ansible skills—just did my first PoC recently, nothing serious
  • A supportive manager
  • A reasonable budget for more tools if needed
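Whatever drives the upgrade (netmiko, napalm or Ansible), the checks that save you from a bricked 3560 at 2 a.m. are the same: confirm the model maps to a planned image, confirm flash has room before copying, and confirm the on-box MD5 matches the hash published for that image before you touch the boot variable. The following is an added example, not the poster's code: it keeps those checks in plain functions that take any `send_command` callable (netmiko's `ConnectHandler.send_command` fits) and exercises them against a constructed fake device, so it runs offline. Image names, sizes and MD5 values are placeholders.

```python
# Added example (not the poster's code): offline-testable pre-flight checks
# for a bulk IOS upgrade. `send_command` is any callable that returns the
# text of a show command (netmiko's ConnectHandler.send_command fits); a
# fake device is used below so it runs without hardware. Image names, sizes
# and MD5 values are placeholders and must be replaced with the values from
# Cisco's download page for the real image.
import re

# Assumed plan: model -> (image file, published MD5, size in bytes).
TARGET_IMAGES = {
    "WS-C3560-48PS": ("c3560-ipbasek9-mz.EXAMPLE.bin", "a" * 32, 10_000_000),
    "WS-C3750-48PS": ("c3750-ipbasek9-mz.EXAMPLE.bin", "b" * 32, 11_000_000),
}


def parse_model(show_version: str) -> str:
    """Model from the 'Model number : ...' line of `show version`."""
    m = re.search(r"^Model number\s*:\s*(\S+)", show_version, re.M)
    if not m:
        raise ValueError("no 'Model number' line in show version")
    return m.group(1)


def parse_flash_free(dir_flash: str) -> int:
    """Free bytes from the `dir flash:` trailer: '... bytes total (N bytes free)'."""
    m = re.search(r"\((\d+) bytes free\)", dir_flash)
    if not m:
        raise ValueError("no free-space line in dir output")
    return int(m.group(1))


def parse_verify_md5(verify_output: str) -> str:
    """Hash from `verify /md5 flash:<file>` ('... = <32 hex digits>')."""
    m = re.search(r"=\s*([0-9a-fA-F]{32})\s*$", verify_output, re.M)
    if not m:
        raise ValueError("no MD5 in verify output")
    return m.group(1).lower()


def plan_for(send_command):
    """Resolve which image this device should get; None if not in the plan."""
    model = parse_model(send_command("show version"))
    return model, TARGET_IMAGES.get(model)


def can_stage(send_command):
    """Before copying: is the model known and is there room on flash?"""
    model, plan = plan_for(send_command)
    if plan is None:
        return False, f"{model}: no target image defined"
    image, _, size = plan
    free = parse_flash_free(send_command("dir flash:"))
    if free < size:
        return False, f"{model}: {free} bytes free, {size} needed for {image}"
    return True, f"{model}: ok to copy {image}"


def image_verified(send_command):
    """After copying: does the on-box MD5 match the published one?"""
    model, plan = plan_for(send_command)
    if plan is None:
        return False, f"{model}: no target image defined"
    image, want, _ = plan
    got = parse_verify_md5(send_command(f"verify /md5 flash:{image}"))
    if got != want:
        return False, f"{model}: MD5 mismatch for {image} ({got} != {want})"
    return True, f"{model}: {image} verified"


class FakeDevice:
    """Constructed stand-in for one switch; maps commands to canned output."""
    def __init__(self, outputs):
        self.outputs = outputs

    def send_command(self, cmd):
        return self.outputs[cmd]


GOOD_3560 = FakeDevice({
    "show version": "Cisco IOS Software, C3560 ...\n"
                    "Model number                    : WS-C3560-48PS\n",
    "dir flash:": "Directory of flash:/\n...\n"
                  "32514048 bytes total (12000000 bytes free)\n",
    "verify /md5 flash:c3560-ipbasek9-mz.EXAMPLE.bin":
        "verify /md5 (flash:c3560-ipbasek9-mz.EXAMPLE.bin) = " + "a" * 32 + "\n",
})

# Same switch with a nearly full flash: staging must be refused.
FULL_3560 = FakeDevice({**GOOD_3560.outputs,
                        "dir flash:": "32514048 bytes total (4000000 bytes free)\n"})
```

The MD5 gate matters for supply-chain reasons as much as for corruption: a file that passed through a TFTP server or a jump host should still be checked against the hash you read off Cisco's site, not against a hash computed locally on the same box that could have been tampered with.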


JunOS IPv6

Hi,

Quick question about IPv6 on JunOS. Are you guys statically setting up your link-local address or you let it generate itself?
What is the best practice for link-local address?

Also, I noticed that for reth interfaces, it does not use the fffe on the host part of the link-local. Which make sense if you have multiple reth interfaces. But how does the JunOS generate its host address for the link-local?

Last, for your static routes, do you point your static route to the next-hop global address or to link-local of the next-hop router?
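For readers wondering where the "fffe" in the post comes from: it is the marker of the modified EUI-64 method (RFC 4291) for turning a 48-bit MAC into a 64-bit interface identifier, which most stacks use for autoconfigured link-local addresses. The following added example, not from the post, computes it, checks an address on the wire for the marker and reverses the derivation; it makes no claim about how Junos builds the identifier on reth interfaces.

```python
# Added example (not from the post): the modified EUI-64 derivation that
# produces the ff:fe bytes mentioned above. It is the standard RFC 4291
# method for building an interface identifier from a 48-bit MAC; whether a
# particular Junos reth interface uses it is not claimed here.
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """8-byte modified EUI-64 identifier for a MAC given as aa:bb:cc:dd:ee:ff
    or aa-bb-cc-dd-ee-ff."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # OUI | ff fe | device part, then flip the universal/local bit (0x02).
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 with the EUI-64 identifier in the low 64 bits."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_interface_id(mac))


def is_eui64_derived(addr: str) -> bool:
    """True if the identifier half carries the ff:fe marker at bytes 11-12."""
    return ipaddress.IPv6Address(addr).packed[11:13] == b"\xff\xfe"


def mac_from_link_local(addr: str) -> Optional[str]:
    """Reverse the derivation; None when the address is not EUI-64 based
    (for example a manually chosen fe80::1)."""
    if not is_eui64_derived(addr):
        return None
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])
```

The reverse function is the reason some sites prefer static link-locals such as fe80::1 on routed interfaces: an EUI-64 address leaks the interface MAC (and thus the vendor OUI) to anything on the segment, and changes whenever the hardware is swapped, which breaks static routes that point at it.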



HP/Aruba Procurves and TFTP

So I've got an environment with over 60 switches and was working towards scripting at least the image downloads to the secondary flash memory on groups of them. I set up a CentOS TFTP server, tested get and push commands on it, no problems. I can even back up the switch config files to the TFTP server without errors.

When trying to download the image file, I receive "Corrupted download file." every time. I've tried several versions of images and have now tried several switches. I'm not having luck finding anyone with similar issues. I did test via the GUI in HTTP and it will save and verify the image file to the secondary flash location. Any help would be great so I don't have to GUI-manage this update.



Trouble connecting Cisco 1933 routers to Aruba 2930F

I have a client that has two Cisco 1933 routers, managed by a 3rd party vendor, that are currently connected to an old Cisco switch that we are trying to replace with an Aruba 2930F. I have no access to the Cisco routers and am dependent on the 3rd party vendor to provide me with their configuration.

Currently, the routers are connected via GE0/0 to ports 47 and 48 on the existing switch which are configured as trunk ports. They are able to SSH into the first router over the WAN and then connect to the second across the trunk. When I plug it into the ports on the new 2930F switch they are unable to communicate between the two routers.

I've configured ports 47 & 48 on the new switch to VLAN 1 (untagged) and VLANs 75 & 100 tagged. Encapsulation has been confirmed as 802.1Q. The routers' GE0/0 interfaces are on the same subnet.

For troubleshooting, if I plug the 1933's into a dumb unmanaged switch they can communicate but when I connect to the 2930F they can't. This confirms to me that there is a layer 2 issue.

This is the configuration information I've been given by the 3rd party vendor (device names and IPs changed):

Current configuration : 117 bytes
!
interface GigabitEthernet0/0
 description trunk port
 no ip address
 no ip redirects
 duplex auto
 speed auto
end

Router1#sh run int GigabitEthernet0/0.75
Building configuration...

Current configuration : 308 bytes
!
interface GigabitEthernet0/0.75
 description Management VLAN
 encapsulation dot1Q 75
 ip address ###.###.###.### 255.255.255.224
 no ip redirects
 ip nat inside
 no ip virtual-reassembly in
end

Router1#
==============================================================================
Router2#sh run int GigabitEthernet0/0
Building configuration...

Current configuration : 117 bytes
!
interface GigabitEthernet0/0
 description trunk port
 no ip address
 no ip redirects
 duplex auto
 speed auto
end

Router2#sh run int GigabitEthernet0/0.75
Building configuration...

Current configuration : 308 bytes
!
interface GigabitEthernet0/0.75
 description Management VLAN
 encapsulation dot1Q 75
 ip address ###.###.###.### 255.255.255.224
 no ip redirects
 ip nat inside
 no ip virtual-reassembly in
end

Router2#

Is there something obvious that I'm missing here? I have very little Cisco experience, I mostly use HP/Aruba gear, however when I read this configuration I can't see why these devices can't communicate.



Meraki MR42 | Unable to obtain IP address

Hi Guys,

I'm setting up a new MR42 but users are unable to obtain an IP address. Do we need to manually set the DHCP on the AP itself? Because the existing AP is currently working and it's all good.

SSID authentication is via a RADIUS server; I already added the AP as a RADIUS client (so we are now able to connect and authenticate).

But the problem is the DHCP

New and old AP have the same settings (not sure about manually tweaking DHCP settings), same firewall rules, same switchport settings. But the thing is, the OLD AP can provide an IP address but the newly installed one cannot.

Note: I'm not the one who installed the old AP which is working. And it's working if using a static IP, meaning no problem with authentication.

Seeking your assistance if I missed out something.

Thank you and Regards,



Network issues Once VPN connection is made

I have 2 offices that I used to connect through Hamachi. One is the main office and the other is a small post. When that office opened I used the same IP range as the home office (192.168.0.x). Both offices are a workgroup. Hamachi connected the offices and was functional. We were approved to purchase and install a Sophos XG210 into the main office. I would've liked to have setup more XG devices for site-to-site, but unfortunately, the approval was only for the main office. The post has 3 users and is run with a residential router like a Linksys. When they connect through the VPN client there are now issues with things like network printers at the post. I'm pretty positive that it's because of the IP ranges matching. I'm going to try to change the post's router to a different IP and handout a different range. Does this sound like it is my issue?

I'm thinking about using 192.168.1.x with a 255.255.252.0 subnet at the post. Is there a better range that I should use?

Thanks!



Next hop to VPC pair

I ran into a situation where there is a VSS switch stack acting as one switch fiber connected to a Nexus 5K pair using VPC. Each Nexus has its own IP address. How would I route an address block to the Nexus switch in active/active config? I set up two routes on the VSS switch with the next hop as each of the VPC member IPs? Is this the correct way to do this? I see additional options such as track and permanent are available for these routes.



Europe: routing problems with GTT via Telia

Hi,

Is anyone else experiencing problems with routes that are coming from GTT (AS3257) through Telia (AS1299)? We're an ISP and have received numerous customer complaints. We have preferred AS3257 through another transit provider, but notice that other ISPs are also experiencing problems.



Configuring disassociated APs

I have put 30 access points in storage and now I want to change the AP group and location on the WLC to match the new location. I have tried to change the values using the WLC web GUI, Prime and the WLC CLI. But apparently I cannot change the configuration on a disassociated AP.

So please tell me there is another way than unboxing 30 accesspoints a third time, connecting to a switch to bringing them online to configure them..



Network device configuration testing

Hi all, I've had a Google but nothing came up so thought I'd pick your brains.

I've got a system where I'm generating network device configuration files using Ansible, .j2 templates and pulling the information from our DCIM (NexBox). The generated network device configs end up in a directory, simply saved as txt files, and are not initially applied to the devices.

Is there any tool that you know of that is designed for testing the configuration files? Or is there a good method for testing the network after the configs have been applied?

Would be good to know what you all use.
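
One kind of pre-push test that can run on the rendered .txt files before anything touches a device is a lint pass over the configuration text. The script below is an added example, not a tool from the post, Ansible or NexBox; the sample config it checks is constructed here, and the rules are a few IOS-style settings a security reviewer would flag (cleartext enable password, password encryption disabled, plain-HTTP management, default SNMP community, telnet on a vty line) plus a structural rule that every interface stanza carries a description.

```python
"""Pre-deployment lint for rendered IOS-style configuration files.

Added example, not a tool from the post, NexBox or Ansible.  It reads a
rendered config (here a constructed sample standing in for one of the
generated .txt files) and reports settings a reviewer would want changed
before the file is pushed to a device.
"""
import re

# Constructed sample, as a hypothetical .j2 template might render it.
SAMPLE_CONFIG = """\
hostname branch-sw01
enable password cisco123
no service password-encryption
ip http server
snmp-server community public RO
!
interface GigabitEthernet1/0/1
 description Uplink to core
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
!
line vty 0 4
 transport input telnet ssh
!
"""

# (regex anchored at line start, finding text); a leading space marks sub-mode lines.
LINE_RULES = [
    (r"^enable password ", "cleartext 'enable password'; use 'enable secret'"),
    (r"^no service password-encryption", "service password-encryption is disabled"),
    (r"^ip http server$", "plain-HTTP management interface is enabled"),
    (r"^snmp-server community (public|private)\b", "default SNMP community string"),
    (r"^ transport input .*\btelnet\b", "telnet accepted on a vty line"),
]


def undescribed_interfaces(text):
    """Return (lineno, 'interface ...') for every interface stanza without a description."""
    missing, current, has_desc = [], None, False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("interface "):
            if current and not has_desc:
                missing.append(current)
            current, has_desc = (lineno, line), False
        elif line.startswith(" "):
            if current and line.strip().startswith("description "):
                has_desc = True
        else:  # '!' or any other top-level command closes the stanza
            if current and not has_desc:
                missing.append(current)
            current = None
    if current and not has_desc:
        missing.append(current)
    return missing


def lint_config(text):
    """Return sorted (lineno, finding) tuples; an empty list means no findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, message in LINE_RULES:
            if re.match(pattern, line):
                findings.append((lineno, message))
    for lineno, header in undescribed_interfaces(text):
        findings.append((lineno, f"{header}: missing description"))
    return sorted(findings)


def lint_files(paths):
    """Lint every rendered file in the output directory; returns {path: findings}."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            results[path] = lint_config(fh.read())
    return results


if __name__ == "__main__":
    for lineno, msg in lint_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {msg}")
```

Run it as a step in the same pipeline that renders the templates and fail the job when any file returns findings; the rule table is deliberately plain regexes so the team owning the templates can extend it without a parser.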



Back up router/switch configs through console ports

Is there any way to create config backups without using a TFTP server, mainly through a console port?



Can Cisco AnyConnect Disable Wi-Fi?

Hi

I am currently configuring Cisco AnyConnect and using the Network Access Module so that I can have my Wi-Fi clients auto-connect to corporate wireless.

However, if I connect to wired it disconnects the VPN and I am then on the local LAN. Can the Network Access Module disable the Wi-Fi adapter automatically, and re-enable it once a physical cable is unplugged?



Auto Negotiation - Half/10Mbps on a Gig Link

Hi,

I have a Cisco 1921 (Router A) connected to a Fortigate Firewall (Router B).

The Cisco and the Fortigate are both using GigabitEthernet and Auto Negotiation.

The Fortigate is reporting 1000Mbps/Full (Perfect!) The Cisco is reporting 10Mbps/Half (Oh dear..)

I have tried manually setting the Cisco to 1000Mbps/Full to match the Fortigate, however this brings the link down.

As far as I was aware a failure in auto-neg should result in Half/100Mbps and not Half/10Mbps?

Has anyone seen this before? The cable has been swapped. I am starting to suspect a faulty port.

Thanks in advance



Different routing for guest network

Redditers,

I have 150+ sites in the US with all kinds of connectivity back to my data center. Here are the main categories they fall in:

  • MPLS + 4G (4G only for failover)

  • MPLS + Broadband with firewall (internet egresses out of broadband)

When a site gets broadband they are allowed to have guest wireless.

Today my MPLS is mostly single T1s. This year we'll be migrating to a new MPLS carrier and every site will get a minimum of 5M Ethernet. In the new design, no sites will have broadband. All internet traffic will traverse back to my data center.

With this upgrade, all sites will get guest wireless.
I would like to have the guest internet use a completely separate route for their internet access. So my corporate internet traffic will leave from NY, and my guest traffic leaves from California.

How can I have a separate route for this? I'll be doing bgp with my MPLS provider and will receive my default route from it (back to my DC). We use Cisco routers.

Ask any questions you need. Thanks in advance.



Fortinet Switches

Hey y'all,

I wanted to know if anyone had any experience with FortiSwitches and if so what is your opinion/experience?

Background is we are replacing switching at 4 branch offices all sub 100 users. We have very basic needs. Just need to be able to do vlans (one voice) and maybe some very simple ACLs. We are a non-profit so price is very important for us and the Fortinet Switches are coming in several thousand less than anything else.

Also, this will be the first time I'm building branch LANs from the ground up and would like some feedback on my plan. We have an ISP-provided MPLS network between sites. I would like to use layer 3 switches at each site to terminate our VLANs. Right now we have a router-on-a-stick setup which I believe is an old way of doing things. Also, because the ISP manages these routers I feel like terminating on the switches gives us more control and flexibility.

I'd appreciate any feedback on either the switches or my plan.

Thanks.



Wednesday, January 24, 2018

Network Monitoring Devices

I had recently stumbled upon an advertisement for a device that is not yet released called monitor-io. From what I have observed on their website, it looks like an interesting product for home and small business. Do you have or know of any small business network monitoring systems similar to this one? Let me know what you think of this device and which device you prefer.

Here's the link.



More "enterprisey" wireless bridge similar to Ubiquiti NanoBeam AC?

I just put in a pair of Nano Beam ACs, and wow, I'm impressed by the capabilities, performance, and cost. But, I find their admin features lacking.

Are there wireless bridges that are similar to the Nano Beam AC in capability and performance, but with better admin features like SNMP version 2c, multiple local admin accounts, and Radius (or LDAP) admin authentication?



VLAN Looping, not sure why

I have another post, but I feel as this is a complete separate issue.

This Is my network structure + the ports they connect to.

Starting from the Cisco router (RV320), port 4 goes to the camera NVR. Port 4 is set up untagged to go to VLAN 30 and it's tagged at port 2 (which is untagged for VLAN 1). The NVR has a static IP of 192.168.30.xxx and the link is live and works, however my Windows 2012 R2 server is not assigning that IP for some reason. In my server I created a new scope, 192.168.30.0, that points to router 192.168.30.1. So this is problem 1: why isn't my static IP being assigned a lease in my server?

Going forward, the Cisco router from port 2 goes to my Cisco switch, SG300-28PP. That switch setup is the following: VLAN 1 - forbidden on port 1, tagged port 2, untagged 3-28. VLAN 30 - forbidden port 1, untagged port 2, tagged 3-28. Shouldn't this mean anything connected to port 2 will automatically be on VLAN 30?

Going forward, the HP switch is set up for VLAN 30, IP address 192.168.30.1 with tagged port 26.

The new Cisco switch I put in for the cameras is set up to boot on VLAN 30, however, it's not being assigned an IP so I cannot access it.. And this is where it gets confusing... If I ping an IP that is not assigned on VLAN 1, it comes back destination host unreachable. If I ping an IP not assigned on VLAN 30, it comes back TTL expired in transit. When I tracert the same IP on VLAN 1, it comes back again, unreachable. When I tracert the same IP on VLAN 30, it loops between the HP switch and the Cisco router...

I'm 100% completely out of ideas on how to fix this... If anyone has any input it'd be greatly appreciated



Multicast packet question

Short version - I'm looking for something that diagrams what a multicast packet looks like as it flows through the tree. I can't find the magic phrase for Google to spit out what I need.

Long version - We have an app that's acting up and it's now a network problem, shocker. We have 4 sites, each with a server that keeps data up to date between them via multicast. One server isn't receiving anything. Straight unicast works fine. My guess is that something is hung in the app. Whatever. I just need to show them that the packet is getting to the server, or at least the wire to the server. The issue is there are also normal UDP streams between the servers. I can't for the life of me find something that shows me the source address I should be seeing for multicast traffic. Is it the true source, or the multicast group address? I'm guessing from the last-hop router it will be the true source and the true destination IPs.
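
The following is an added example, not part of the post. It builds a constructed IPv4/UDP datagram from a hypothetical sender 10.1.1.5 to a hypothetical group 239.1.2.3 and decodes what a capture on the receiving server would show: the source address is the sending server's unicast address, only the destination carries the group, and the frame's destination MAC is derived from the group per RFC 1112 (so 32 groups share one MAC, which matters when you filter by MAC instead of IP). It also produces the tcpdump filter to use on that server. Checksums are left at zero; the bytes are for decoding, not for sending.

```python
"""Decode the addressing of a multicast UDP datagram.

Added example, not from the post.  Builds a constructed IPv4/UDP datagram
as a sender at 10.1.1.5 (hypothetical) would emit it towards group
239.1.2.3 (hypothetical) and decodes the fields a capture would show.
"""
import ipaddress
import socket
import struct

# version/IHL, TOS, total length, ID, flags/frag, TTL, proto, csum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"
# source port, destination port, length, csum
UDP_HDR = "!HHHH"


def build_ipv4_udp(src, dst, sport, dport, payload, ttl=16):
    """Constructed datagram: 20-byte IPv4 header + 8-byte UDP header + payload."""
    udp = struct.pack(UDP_HDR, sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(udp), 0x1234, 0, ttl, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def group_to_mac(group):
    """RFC 1112 mapping: 01:00:5e followed by the low-order 23 bits of the group."""
    o = ipaddress.IPv4Address(group).packed
    return "01:00:5e:%02x:%02x:%02x" % (o[1] & 0x7F, o[2], o[3])


def describe(packet):
    """Return the fields a capture filter or firewall log would key on."""
    fields = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (fields[0] & 0x0F) * 4
    ttl, proto = fields[5], fields[6]
    src, dst = socket.inet_ntoa(fields[8]), socket.inet_ntoa(fields[9])
    info = {
        "src": src, "dst": dst, "ttl": ttl, "proto": proto,
        "src_is_group": ipaddress.IPv4Address(src).is_multicast,
        "dst_is_group": ipaddress.IPv4Address(dst).is_multicast,
    }
    bpf = f"dst host {dst}"
    if proto == 17:  # UDP: pull the ports from the transport header
        sport, dport, _, _ = struct.unpack(UDP_HDR, packet[ihl:ihl + 8])
        info["sport"], info["dport"] = sport, dport
        bpf += f" and udp dst port {dport}"
    if info["dst_is_group"]:
        info["dst_mac"] = group_to_mac(dst)
    info["bpf"] = bpf  # tcpdump/BPF filter for the receiving host
    return info


if __name__ == "__main__":
    pkt = build_ipv4_udp("10.1.1.5", "239.1.2.3", 5000, 6000, b"sync")
    for key, value in describe(pkt).items():
        print(f"{key:13} {value}")
```

The TTL field is the other thing worth reading off the capture: routers decrement it per hop, so comparing the TTL seen at the silent server with the TTL the sender uses tells you how many hops the copy actually traversed, and a sender TTL of 1 would explain a packet that never leaves its own subnet.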



Troubleshooting a Cisco ASA5525 & an ACL for syslog traffic.

OK so this is a weird one.

I have an ASA5525 with two interfaces (LAN & WAN). I have an ACL from the LAN to the WAN to pass syslog traffic on udp/514.

On the LAN side I have a vRealize Log Insight VM as the source of the syslog traffic which is correctly configured to send syslog traffic to a server on the WAN via the ASA over udp/514.

In the logs on the ASA I do NOT see any syslog traffic from vRealize (& yes it is sending traffic) however if I hit the test button in vRealize I see test traffic in the ASA logs and the test traffic passes through the ACL correctly.

If that wasn't odd enough... if I change vRealize to send syslog on udp/1234 I see tons of syslog traffic at the ASA being blocked by the ACL rule for udp/514... nothing wrong there working as expected... so if I now change the ACL to allow udp/1234 the traffic immediately stops and nothing is seen in the ASA logs!!! weird huh... if I now send a test from vRealize on udp/1234 I see it in the ASA logs as the ACL passes the test traffic...!!!!

You may need to re-read that to understand my problem... so anyone EVER seen anything like this behavior??

tldr: when I align my ASA ACL syslog (LAN to WAN) rule with the incoming syslog LAN traffic the ASA logs report no traffic seen.... however if I misalign the port (between the traffic and the ACL) I see traffic in the ASA logs albeit blocked by the misaligned ACL???



Network Computing Dissertation

Hi all,

I'm a university student in the UK, currently studying towards a BSc in Network Computing. Currently out on a placement year working in a sys admin type role for a massive motor manufacturing company.

I'm starting to think of some ideas for what I can study for my dissertation work which I will be starting in September - here are some of the general ideas I've come up with so far (although I'm struggling to think of how I could go really in-depth in them):

  • IoT devices - security analysis

  • IPv6 and IPv4 comparison

  • Wireless security (maybe focusing on the recently revealed WPA2 vulnerability)

  • SDN vs traditional networks comparison (a comparison of convergence times/protocols/performance impacts)

  • BGP security

  • Hybrid cloud analysis

My problem is that all of these are quite general so I'm struggling to really find a topic which stands out. I'm leaning more towards something related to either security or software defined networks. I did initially want to tie in with something I currently do on my placement, but quickly realised it's hard to write a dissertation on something server related or SAN related and how this affects the manufacturing side of the business!

I appreciate any help or advice you can give me.



Want to get started with the NetConfig tool that was posted here, but I have ZERO *nix experience. Where to even start?

In trying to be less terrible at my job I want to try dipping my toes into this automation thing so I don't get stuck as a dinosaur CLI monkey. The NetConfig tool that /u/v1tal3 posted looks amazing and a brilliant place to start, but the entirety of my *nix experience is checking my e-mail on a linux box ten years ago.

I'm reading through the installation guides for it and it's all completely greek. I'm sure I can type them in just fine, but I've got no idea what any of it means.

Is this too much for a first project? Is there someplace else I should start?



Flying with network equipment

Hello /r/networking

I'm going to travel to a remote office next week to activate a circuit on a Cisco 4331 router. Can I bring the router on board as a carry-on? Has anyone done this? I checked TSA guidelines but nothing is explicitly expressed other than TVs and Xboxes, which are allowed as carry-on but with advice to check with the airline to ensure the item will fit in the overhead bin or underneath the seat of the airplane.



Would there be any difference between these setups?

Given specs being equal and similar configurations. Would there be a speed difference inside the network?

Multiple 1 gig wireless devices connected to 1gig access point connected to a 1gig switch ( hardwired to router)

Vs

Multiple 1 gig wireless devices connected to 1 gig wireless router



Best books and links for completely understanding marking/coloring traffic?

This is one area that I REALLY need to get a grasp of. I've read a lot of material on the subject, but it's just not sinking in fully. I am the type to read from as many different authors as possible as everyone has a different way of explaining things, and thus, one will eventually click.

Just wanted to see if anyone has any links that easily explain QoS and DSCP, marking traffic, etc. Books would help too. Any help would be appreciated. Thanks.



Is anyone really using SSL inspection?

I've seen different advertisements on vendors' sites promoting their SSL inspection capabilities. I thought SSL inspection breaks everything using HSTS, for example google.com to start with? Have I understood something incorrectly?



Cisco ISR 4300 alternative?

We're coming up on EoL on a few of our 2900s and are looking at alternatives to Cisco. Our newer sites are using Cisco 4300s, which we are reasonably happy with, but we'd still like to avoid Cisco in the future.

From some google searches it looks like the Juniper SRX series is a potential, but it looks like they're marketed as firewalls. Are they suitable for branch router deployments too? We're also looking into a few SD-WAN solutions that can terminate our circuits directly.

Anything else that people are into these days for branch connectivity?



Service Providers, what access switches (if any) do you provide to your fiber customers?

We started using cisco me3400s, then juniper ex2200-c. Those are getting harder to get so we've begun using ex2300-c.



Just moved to Fort Worth Texas.

Aiming for my CCENT. Been here for about 3 months and I’ve been watching several YouTube videos but I really would like to learn from an actual instructor. Is there anyone out here that can vouch for a school? Thanks.



What are your thoughts on using 10GBase-T SFP+ modules?

I've never used one before. But now we have a need to move some SFP+ ports that are currently connected using twinax cables over to some copper 10G ports. So we're looking into buying 8 10GBase-T SFP+ transceivers and getting rid of the SFP+ twinax cables, and connecting these ports over CAT6 into a 10GBase-T switch. Basically we have 4 SFP+ ports in an expansion module on our 10GBase-T switches, and we need to replace those expansion modules with 40GbE QSFP modules, so we need to figure out a way to get rid of those SFP+ ports without having to buy a brand new switch. So we figure this is our best option.

Are there any risks with this? Any concerns? Could it introduce any additional latency, which is very important in this setup as these will be linking a blade array into the SAN fabric? I've never used these types of transceivers before, so I'm just a little wary.



SD-WAN on FortiGate 200E/300E as MPLS replacement? [x-post /r/fortinet]

We are in the process of replacing our Cisco ASAs and are considering the FortiGate 200E and 300Es for our 7 various offices across the US.

We currently have an MPLS connection between each office to provide communication across each office. We'd like to be able to get rid of this MPLS and switch to an SD-WAN to save money as the MPLS is expensive.

After reading up on the FortiGate SD-WAN, it seems that the feature is more of a load balancer for dual internet connections than a function that would allow us to create a virtual connection to each of our offices.

Obviously we could do site-to-site VPNs to each office, but the new buzzword of SD-WAN means most of the new products will manage all of that networking easier than creating 7 VPNs on 7 different devices.

Has anyone used the FortiGate SD-WAN feature for this purpose or is it merely an intelligent Internet routing function?



Encrypt 40G cross country connection?

We need to encrypt the connection we use to send all our data to a DR site 2,000 miles away. It's layer 2 over an MPLS network. We need at least 10Gbps of ACTUAL throughput. Has anyone done this? We know a hardware solution will be necessary. Horror stories welcome.



Azure ExpressRoute MPLS and ASA with DialIn Remote nodes

Hi,

I have ASA 5516-X with latest firmware and we are running MPLS to Azure over XO network (ExpressRoute). 2nd Interface on the ASA we have Cogent ISP and several sites that are not part of the MPLS network. They have DialIn (IKEv1) VPN (policy based) that connects them with this central ASA. Remote devices are Cisco 1900 routers, ASA 5506-X, CradlePoint 4g routers. Obviously I want those remote sites to be able to access Azure network over MPLS which is running BGP among nodes of MPLS network so I need to inject all those dialin subnets into BGP.

From the variety of devices used, I am not sure what is the best way to get this going. Maybe set up OSPF on the ASA (single area) and all dial-in nodes and redistribute OSPF into BGP. Can I even do that when I have policy-based VPN, since GRE is not an option here?



First time at Cisco Live, planned my seminars, what now?

I think this post is according to the guidelines, if not, admins feel free to remove it.

Next week I am going to Cisco Live for the first time in my life. I have wanted to go there since I was young. Now it is finally happening. I have already planned the seminars and a CCNP cert exam.

For the folks that have been there before:

  • Have I forgotten something during my preparation? What do I need to do?

  • What is your advice when you are there?

  • Could you share your stories for when you went there the first time? Would be fun to read ;)



Another master's post: value of a Security & Network Engineering M.Sc.?

Hi all, some good discussion in the master's post from yesterday, but mostly about an MBA. What does this sub think about a technical master's? E.g.: https://www.os3.nl/

The theses are impressive, but is there an advantage to having a research degree in networking if you're looking primarily at a non-academic career? It seems like the program has nice relationships with education and research networks (https://www.glif.is/participants/), which seems like it could be an interesting space to work in.



Help: OSPF Routed Access in Campus LAN Routed Access Design.

Hi,

We are refreshing our devices to Cat9000 series switches. The Access switches are 9300 with Network Essentials license while our Core will be 9500 with Network Advantage license. NE license is capable of "OSPF Routed Access" while NA is capable of "Full OSPF".

The LAN will be 2-tier collapsed core design and we are heavily considering Routed Access. We plan to put the Access Layer switches in Stub Area. The core is in Area 0 (with WAN routers) and acts as the ABR.

The OSPF Routed Access' limitation is 200 dynamic routes. Our challenge is that we will receive 8K routes from our WAN link (unfortunately out of my control to summarize from the source).

Question:

  • How will the ABR summarize the 8K routes that will be advertised to the Stub Area?

To make things more complicated, one particular switch block will be three-tier, Core<-->Fortigate Firewall<-->Access Stack. Fortigate will act as the distribution and also participate in OSPF.

Question:

  • Can Fortigate support Totally Stub Area?

  • How to configure an Area to be Totally Stub Area? Is it correct that the "no-summary" command should only be configured in the ABR?

Info: As of this writing, the 9500-40X (10G) series are not yet capable of StackWise Virtual (i.e. VSS). So a Layer 2 network that heavily relies on STP and HSRP will put an uplink into a blocking state instead. Besides, the NE license already supports "OSPF Routed Access" so there is no additional cost, NE being the lowest license we can get for the Cat9k series.

Thank you!

EDIT1: Specified Core model.



Dual BGP connections advertising the same subnets

Hi,

I have two BGP connections (A & B) handed off, from a 3rd party, to my two Cisco Nexus switches (X & Y). The problem is they advertise the same subnets. Basic Diagram.

Question 1 -

How do I advertise these BGP routes to the rest of the WAN? (How do I redistribute them into OSPF)

Question 2 -

How do I prioritise A on the X side switch, and B on the Y side one, but still have both A and B available on both, for redundancy?



Tuesday, January 23, 2018

Can I use any protocol with dispatch proxy?

I'm not totally clear what SOCKS 5 really does. If I want to broadcast video with RTMP over dispatch proxy will it work? Does the server need to be configured in any special way or will it just receive the RTMP stream as if dispatch proxy wasn't there?



Cisco Prime Infrastructure - templates and compliance

So I have been working on a few things with PI recently, and was hoping to see what others have been doing in this area... possibly if there is interest I could post some of what I have done!

We use PI for configuration pushes now, and are about to start ramping up on our use of the compliance module. So first, how do you structure your compliance policies and profiles? I am in 2 minds, as to whether to break it out with a policy for each configlet like in the templates and use the profiles in a similar way to composite templates, or just build a single policy for each device type/role.

Second, any good tips for either config templates (Apache VTL) or compliance policies? Things that are not immediately obvious, but worked well for a specific problem?

And third, I have a few (very basic and likely bug ridden) python scripts that can take a configuration template and turn it in to a policy that can be imported in Prime. If there is interest in that, I'd be happy to clean it up and share it with the community. It has some caveats, but broadly works well enough for most templates we have created.



IP summarization design

So I never quite grasped this. I skimmed some books and tried my Google fu but I couldn't quite get the answer I was looking for.

If you are trying to design a new IP space for a 100 branch office site where do you start?

Also in general when designing IP spaces (Data center, campus, Wan, branch , remote workers) where do you start? How do you lay it out?

Say you want to make a 'cookie cutter' site. 6 /24s for users, phones, servers, etc. 6 /30s for various transit networks, some /29s for slightly larger transit networks... a management network, etc.

How would you go about figuring this out....

If I try to work through this I need

  • 7 /24 (one for mgmt)

  • 6 /29 transit space

  • 6 /30 transit space

Now I understand there may be more or less, but lets run with it for this example.

First I would need to determine the aggregate route. I'm not sure if this is right, but I think we would need to basically add up all the IP space from our composite routes (not sure if usable or count Bcast / network). (255x6)+(8x6)+(8x4) = 1610. Now looking on the binary scale that would be... 2048 so a /21.

Cool now we know each site gets a /21. And we need 100 branches (assuming no growth) meaning a /11 would summarize all the branches... right?

Okay so now we have to divvy up the /21. Here is where I'm not sure how to slice it up. Do we start with the /30s first and work our way up? How do we do this part?
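
The sizing exercise above, worked through in code as an added example (not the post's own method or numbers): the per-site plan of 7 /24s, 6 /29s and 6 /30s and the 10.0.0.0/8 base block are constructed for illustration. The functions size one site from the plan, derive the summary prefix that covers all branches, and then carve a site block by allocating the largest subnets first, which is the order that keeps every later, smaller subnet aligned on its own boundary (the opposite order leaves gaps and mis-aligned blocks).

```python
"""Worked version of the post's sizing exercise.

Added example, not the post's own numbers or method.  The per-site plan and
the 10.0.0.0/8 base block are constructed for illustration.
"""
import ipaddress
import math

# Constructed per-site plan: (prefix length, how many of them).
SITE_PLAN = [(24, 7), (29, 6), (30, 6)]


def site_prefix_length(plan):
    """Shortest prefix whose size covers the whole plan.  The network and
    broadcast addresses of each subnet count, since they consume space."""
    total = sum(2 ** (32 - plen) * count for plen, count in plan)
    return 32 - math.ceil(math.log2(total))


def summary_prefix_length(site_plen, n_sites):
    """Prefix that covers n_sites blocks of /site_plen each."""
    return site_plen - math.ceil(math.log2(n_sites))


def carve_site(site_block, plan):
    """Return (subnets, spare_addresses).  Allocating from the largest subnet
    down keeps the cursor a multiple of every later subnet size, so no
    subnet ever straddles its own boundary."""
    net = ipaddress.ip_network(site_block)
    cursor = int(net.network_address)
    end = int(net.broadcast_address) + 1
    subnets = []
    for plen, count in sorted(plan):  # ascending prefix length = descending size
        size = 2 ** (32 - plen)
        for _ in range(count):
            if cursor + size > end:
                raise ValueError(f"/{plen} does not fit in {net}")
            subnets.append(ipaddress.ip_network((cursor, plen)))
            cursor += size
    return subnets, end - cursor


def plan_branches(base_block, n_sites, plan):
    """Return (summary_block, per-site blocks) carved out of base_block."""
    site_plen = site_prefix_length(plan)
    summary_plen = summary_prefix_length(site_plen, n_sites)
    base = ipaddress.ip_network(base_block)
    if base.prefixlen > summary_plen:
        raise ValueError(f"{base} is too small for {n_sites} sites of /{site_plen}")
    summary = next(base.subnets(new_prefix=summary_plen))
    sites = list(summary.subnets(new_prefix=site_plen))[:n_sites]
    return summary, sites


if __name__ == "__main__":
    summary, sites = plan_branches("10.0.0.0/8", 100, SITE_PLAN)
    print(f"summary {summary}: first site {sites[0]}, last site {sites[-1]}")
    for subnet in carve_site(sites[0], SITE_PLAN)[0]:
        print(subnet)
```

Because the summary is rounded up to a power of two, the block that covers 100 sites has room for 128, and the spare addresses inside each site block are left at the end, where a later addition of another /24 or transit link can be placed without renumbering.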



Dell Networking 2018

Hi all,

So we're currently looking to revamp our relatively modest VM infrastructure so that it will be able to handle a more demanding workload. We've decided that we want to go the 10G ethernet route, but we're trying to balance our wants and needs with our credit card limit. :)

The switches will be used exclusively for ISCSI traffic between the storage array and the VM hosts. No routing or anything fancy. The most we would do is set up VLANs to segregate the MPIO traffic.

We were originally looking at the Cisco SG550XG-24F because everything I've read indicates that they're considered relatively solid devices and attractively priced. (Unfortunately we can't quite justify dropping $10k+ per switch, so the higher end Ciscos, Brocades, etc, are out)

Our rep is really trying to push us towards using Dell N4032F's instead, and based on datasheet specs, it's definitely a nicer option albeit more expensive.

But when I do a bunch of googling I see opinions ranging from "ok" to "OMFG Stay away" with long lists of bugs people have run into. I thought Force10 based hardware was supposed to be solid, but there appears to be a surprising amount of debate as to whether the N series even is F10-based gear.

So my question is, is that still the case, or has time and firmware updates solved the problems people have run into? The most recent stuff I found was still over a year old, so I don't know if the opinions are still accurate.
Can I reasonably justify choosing an N4000 switch over the SG550XG?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Juniper SRX Remote Access VPN Using NCP VPN Client

Hello everyone, I need your help. I am trying to configure remote access VPN on a Juniper SRX300, doesn't matter if it's SSL or IPsec, but the VPN client I will be using is NCP Secure Client. There are configuration guides available online, but those guides are using a RADIUS server as the authentication method. Is there a way we can configure it without using a RADIUS server and use the SRX local user database instead? If yes, do you have a sample configuration that I could use please?

This is the guide I am currently using (Radius): https://www.ncp-e.com/fileadmin/pdf/exclusive/Juniper_Config_Guide_IKEv2_EAP_MD5.pdf

Thank you in advance.



Quick stupid question about D-link WAP

So my boss handed me a D-Link WAP and said "Set this up for our support center." So I went into the SonicWall router and found the sub-interface for the public WiFi at our support center, and the IP address for the sub-interface was X.X.1.137/29. Then I put X.X.1.138 on the WAP, and allowed the WAP to give out X.X.1.139 - X.X.1.239.

I cannot test as I'm not on-site and don't really have a solid lab here for SonicWalls. Should this work properly? Am I missing something?

Edit: X.X. are all the same first two octets.
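
An added check, not part of the post, for exactly this kind of remote change: it verifies that a DHCP pool lies inside the usable host range of the interface it serves and does not overlap the gateway or the access point, and reports the largest pool that would fit. The values are the ones the post describes, with 192.0.2.x (TEST-NET-1) standing in for the X.X.1.x placeholders.

```python
"""Sanity-check a DHCP pool against the interface it serves.

Added example, not from the post.  192.0.2.x (TEST-NET-1) stands in for the
post's X.X.1.x placeholders; the prefix, WAP address and pool bounds are the
values the post describes.
"""
import ipaddress


def _longest_free_run(hosts, reserved):
    """Largest contiguous run of usable hosts that avoids the reserved set."""
    best, run = [], []
    for host in hosts:
        if host in reserved:
            best, run = (run if len(run) > len(best) else best), []
        else:
            run.append(host)
    best = run if len(run) > len(best) else best
    return (str(best[0]), str(best[-1])) if best else None


def check_dhcp_pool(gateway_cidr, wap_ip, pool_start, pool_end):
    """Return ok, the list of problems, the usable host count and the
    largest pool that fits once the gateway and WAP are reserved."""
    iface = ipaddress.ip_interface(gateway_cidr)
    net, gateway = iface.network, iface.ip
    wap = ipaddress.ip_address(wap_ip)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    problems = []
    if wap not in hosts:
        problems.append(f"WAP address {wap} is not a usable host in {net}")
    elif wap == gateway:
        problems.append("WAP address collides with the gateway")
    for label, addr in (("pool start", start), ("pool end", end)):
        if addr not in hosts:
            problems.append(f"{label} {addr} is not a usable host in {net}")
    if start > end:
        problems.append("pool start is after pool end")
    for label, addr in (("gateway", gateway), ("WAP", wap)):
        if start <= addr <= end:
            problems.append(f"pool hands out the {label} address {addr}")
    reserved = {gateway, wap}
    usable = [h for h in hosts if h not in reserved]
    return {
        "ok": not problems,
        "problems": problems,
        "usable_hosts": len(usable),
        "largest_pool": _longest_free_run(hosts, reserved),
    }


if __name__ == "__main__":
    # Constructed stand-in for the post's X.X.1.137/29 sub-interface.
    result = check_dhcp_pool("192.0.2.137/29", "192.0.2.138", "192.0.2.139", "192.0.2.239")
    for line in result["problems"] or ["pool fits"]:
        print(line)
    print("usable hosts:", result["usable_hosts"], "largest pool:", result["largest_pool"])
```

A /29 leaves six usable addresses, so the number of clients the pool can serve is worth comparing against the expected head count at the support center before the WAP is sent out.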



Single ASA redundant connections to a Active / Standby ASA Pair

So we have an active/standby pair of ASA firewalls, and they each have a connection to a single ASA which is set up as a redundant connection. On the active ASA it sees this connection as normal (waiting) (under failover status); on the standby it sees this connection as failed (waiting).

The reason I think this is the case is that the single ASA will be looking for the standby IP interface but the active/standby pair is only ever sending the active IP interface on both links. Is there any way we can configure either side of these connections to resolve our failover scenario?



SD-WAN - End of CCNP, RTEs?

What are your thoughts on this? Does it mean the end of Cisco routing? Will it totally phase out ISRs, ASRs!? A year from now, will it be worth still getting your CCNP?

Can't believe that a cloud service will eliminate Cisco gear and network admin/engineer titles/jobs. All they'll need is a helpdesk tech.



Network adapter no longer running, the capture has stopped.

http://ift.tt/2GaXKR0

ISPs of the future

I'm curious to see what everyone thinks. What will ISPs of the future look like? We use an ISP in Australia that has a decent portfolio offering on-demand circuits. Basically, you have a single physical cable, but can set up virtual connections with other entities. These are ordered and configured within minutes via a portal or script.



WLC 5508 upgrade

Planning on upgrading our WLC to version 8.5.110.0. Our current version is 8.2.x. From the release notes it looks like I can't do a direct upgrade? From the release notes:

Upgrade Path to 8.5.110.0 Software

  • 8.3.x.0: You can upgrade directly to Release 8.5.110.0

  • 8.4.100.0: You can upgrade directly to Release 8.5.110.0

Maybe I should just try anyway? Would it give me an error message? If I have to upgrade to version 8.3 and then to 8.5, would I also let the APs upgrade to version 8.3 as well and then reboot the controller on version 8.3 and start the process all over for 8.5?



Is it possible to send Radius accounting info to two different servers Cisco WLC?

I am trying to figure out a way to send Radius info from my Cisco 8500 WLC to two different accounting servers. One is the NAC the other is the content filter.

I found this article that describes how to set up AAA broadcast server groups but it only applies to the 5700 series WLC. Anyone know if this is possible with an 8500 WLC?



Cheap 100Gbps Switching

I work for a public university in a very poor state, so we don't have the largest budget available to us. Thus we tend to do things on the cheap. Currently we have 2 10Gbps links providing us connectivity to the outside world. This is monitored by a Bro IDS cluster that is fed from a Pluribus switch that is doing load balancing off of the 2 tapped links. Well, the heavens have opened up and the powers that be have allowed the state to award an ISP the opportunity to provide all of the universities in the state with 2x100Gbps links. Well now that poses a problem to our Bro cluster. How do we catch the 4x100Gbps links that you get from tapping 2x100Gbps links? Since this would be out of our budget and not the magic fairy budget providing the Internet connectivity, we need to keep things as cheap as possible. Now to my question: what recommendations do any of y'all have for cheap 100Gbps switches? Needs a minimum of 4 ports to catch the taps. Thanks!



Ubiquiti EdgeRouter Lite - OpenWRT w/ WiFiDog offering slow load times for splash page redirect on venue.

Have 300mb fiber incoming from ISP, Google Firebase and WiFiDog handling our captive portal / redirects. The load times are so slow that we're losing a lot of our users and I'm wondering if there's a bottleneck anywhere in our setup or if WiFiDog is the problem here. We maintain about 500-1000 users/day with ~100 users/hour average.

ISP -> ERLite -> Multiple Nanostation Loco M2/M5 Antennae 10.x subnet. Sorry, I'm mainly a developer and not the strongest in networking but trying to learn.



Historical data on Cisco wifi controller

We're running a Cisco 5500 series wifi controller with 51 active APs.

Is there a way to pull historical info from the controller?

Nothing too fancy, we can see how many users are presently connected but we want to know what our peak # of users connected has been. Specifically on our open-access wifi.



Monitoring IPSEC Throughput

Has anyone found a way to monitor VPN bandwidth historically using Solarwinds or SNMP? I'm trying to prove we're hitting the 300 Mbps IPSEC throughput limit of our ASA 5525.

I know every time a VPN reconnects it gets a different OID, making it difficult to monitor individual tunnels. I don't care so much about individual tunnels, just IPSEC usage as a whole.

I have found VPNTTG but would like to know if anyone else has a solution using our existing Solarwinds infrastructure.



Network Diagram Software

I know this may be a noob question, but I was tasked with designing a small business network for a retailer's branch. I was successful in designing using a 3-level approach and all cable runs and server configurations are almost finished. The only thing that's left is the network diagram. I've actually never diagrammed a network before so I don't know where to start.

Can anyone recommend open source software, but not limiting myself to that? Also maybe a combo monitoring software with mapping features.

I have:

  • 6 switches (Cisco SG300)

  • 1 server (Dell)

  • 87 clients (users, cameras, WAPs)

Thanks!