Saturday, February 24, 2018

Layer 2 or 3 for the access layer?

Hi

I'm currently designing a network and so far have a Juniper MX240 as the edge (layer 3), 2 x Arista DCS-7050S-64 as redundant aggregation (layer 3) and a single Juniper EX4200 TOR (access layer) per cabinet which are connected to each of the aggregation switches.

The network will use a VLAN per server being defined at the aggregation layer and trunked down to the TOR switches.

I am debating over whether it would be best to use layer 2 or 3 on the TOR switches. I believe one advantage of using layer 3 would be the failover and redundancy capabilities.

Does anyone have any view on whether using layer 3 would be a significant advantage over layer 2 for the TOR switches? What is the best way to manage the redundancy of the TOR switches to the aggregation?

Thanks



Routing through Palo Alto

So I have a Palo Alto VM and two standard Ubuntu servers hosted on one subnet in OpenStack. I'm trying to get the Ubuntu servers to be able to connect to each other through the Palo Alto VM while still having internet. I've set the default gateways of the Ubuntu servers to point to the Palo Alto VM, but no luck. I can't find anything online about this - any advice would be greatly appreciated. Thanks!



Pointers on a networking side hustle/business?

Hey everyone,

I'm curious to know how those of you who have some sort of side business approach the startup, finding business, day-to-day tasks, staffing, etc. Also looking for opinions and any input. The essential dos and don'ts of consulting.

I've worked with a few individuals and small business owners on basic network infrastructure type of work. Firewall, wireless, and LAN setup. All maintenance is billed time and materials, since I do not have the time nor do I want to deal with the managed services aspects. Most of it has been based on previous relationships and word of mouth.



Local Network Traffic Monitoring?

Is there any way to check my local network traffic?

Moreover, is there any way to know if somehow the router is shrinking the local network speed?



DNS cached name

Hi, after doing a DNS benchmark I noticed that a DNS has no cached name, what does it mean?



Juniper vs Cisco

Hi everybody

Which Cisco router is the potential competitor of the Juniper MX 80, 40, 10? Thanks

Andrea



Campus Network Troubleshooting

Hey guys, I'm messing around in Packet Tracer. I'm building out a campus network with a main core switch and then the distribution layer and access layer. I'm passing traffic with static routes from the distribution layer to the core layer. The switches can ping each other, the router and the ISP gateway. But the hosts on the access layer in their VLANs cannot make it past their distribution switch. I have made sure ip routing is enabled with ip route set to the correct gateway. I have checked the router to make sure I have it set up correctly. I know I'm missing something. When I enable OSPF it all works fine, so I know it's a routing issue in the distribution layer or core layer. I know it's not my routes in the router because I don't enable OSPF there and it works fine. Here is an image of the layout and config. https://imgur.com/a/wRTls Thanks in advance!



Save Windows Server state in GNS3

I guess this can go for any qemu VM but I want to be able to change the default state of the VM when I add it to a new project. I don't want to have to install AD DS, DNS, etc each time I start a new project. How do I make this happen?



NX-OS routing service not enabled

I have several Cisco 5Ks working fine. Pulled one from our lab to insert into our network. Simple configuration, a couple of VLANs. Enabled the interface-vlan feature so I should be able to do some routing. Waiting for a license to do OSPF, so in the meantime just going with static routes. Problem is, once configured I do a "sh ip route" and the state of all the routes is pending. The command "sh forward route" comes back with "Service not enabled". I do have an L3 module installed. Any ideas? I thought I did not need any special license to do static routing. I know in IOS on layer 3 switches you need to enable routing, but on Nexus I thought you just need the interface-vlan feature. Any special license for the L3 module?

Has to be something really simple I missed, just banging my head against the wall!

thanks for the help!!



InfoSec professionals of /r/networking, is it really the worst thing in the world to run an IGP on a Firewall?


How does the SMTP standard guarantee that all email sent from an address originated from the same address?


Can I insert AC and DC power supplies into a Huawei S5700 switch simultaneously?


How should I setup the network access points in a small business located in a basement with thick concrete walls?

Hi all, I've recently been tasked with trying to improve a small business's Internet. The business office is downstairs in a basement littered with thick brick walls. Currently they have one router (very old, only supports 108 Mbps) located in a central room, but it does not output a strong signal beyond the area near the room.

First off, this business will be upgrading their data plan from a measly 15 Mb/s down (yes, it is that low) to a modern 300 Mb/s.

To give a layout of the basement, there are four employee offices, in pairs. So, two of the employees directly neighbor each other in one section of the basement, and a little further away, the other two employees neighbor each other.

The way I had thought of doing it would be to place three routers in total in the basement. Put one in each pair of offices, so the pairs would share wireless signal. Then place the third router on the farther side of the basement away from the offices for use in that part of the building.

Now I'm no genius, but I have been tasked with this, so I want to give the best opinions and knowledge I can. So I'd like any input I can get. Should they use just one router and place WiFi repeaters throughout the basement? Or should they use multiple routers instead?

Thank you all. Any recommendations, layout, devices, etc. are very appreciated!



Getting a job in a different state

Hello, I'm planning to relocate to a different state and have begun the process of applying for jobs. I have over 10 years in network support and desktop support roles. This seems like a daunting task at the moment. So I'm reaching out to anyone who has gone through this process before. What worked for you to land a job? Any tips will be very much appreciated.

Thanks



Friday, February 23, 2018

How does User Equipment support LTE aggregation?

If I am using WiFi and LTE at the same time on a single logical network, am I just having stuff sent to two IP addresses from the same NIC?

Does UE in general support aggregation technologies, or is it only specific applications (e.g., Siri using Multipath TCP)? How does UE supportability vary by aggregation technology (e.g., do all legacy clients automatically work with LWA, LAA, etc., or how does that work)?

Most of my knowledge of aggregation interworking is very limited, and mainly about interworking at the radio access network layer. I don't know too much about User Equipment. Thanks in advance!



"Transparent" but manageable NID for visibility behind 3rd party DIA circuits?

Every now and then, my company sells a 3rd party DIA circuit to a customer (usually as part of a larger packaged solution, otherwise this makes no sense at all) where we are playing no role in the customer's layer 3 termination. It's literally just a 3rd party DIA circuit that we have no visibility to, which hands off to a customer-owned firewall or WAN appliance.

The challenge with these circuits is that while we don't have any visibility to them, we still need to do our best to provide active monitoring and be in a position to help facilitate troubleshooting should the client have an issue. In the past, we've tried to accomplish this in a number of ways I am opposed to. For example, we've ordered a /29 from the carrier (even though the client only needs a single IP) and thrown our own firewall-capable switch in-line between the client's CPE and the carrier. This works, but it's bulky, and a waste of precious IPv4 space. Other times, we've ordered a routed /30 to go along with the p2p subnet, then placed our own firewall in-line, doing no stateful inspection or NATing with the client's subnet; just acting as transparent as possible. This, again, is a waste of IP space, and I am strongly opposed to placing a firewall in front of the client's firewall for a number of reasons. It just opens up the door to possible problems that are only going to frustrate both the end user and our support teams.

I am on a quest to see if there is a device out there which might provide a less bulky solution for monitoring in cases like this. I want to find a manageable box that can provide basic monitoring connectivity in-line between the carrier hand-off and the client, without the need for additional IP space, and without the exposure and cost of a full firewall. I am envisioning a box that is basically doing IP passthrough or bridging, while at the same time listening only on one or two specific obscure ports (ACL-protected) for SSH and ICMP traffic. Doesn't even need to talk SNMP as far as I'm concerned.

Does such a box exist? Or is there a more obvious solution that eludes me?



PXE over multiple subnets TFTP access error

Hey guys, first post in this subreddit! So hopefully I can submit a little troubleshooting post and not get banned.

Okay, I've been trying to get this working all week. I set up a WDS/MDT server for imaging new computers on subnet 10.10.1.0/24 and it works. If I connect a computer on that subnet in that physical location, it PXE boots and voilà, I get a freshly imaged computer.

Now, we have a second physical location connected via fiber. I want to be able to PXE boot and image computers over at that location without standing up another WDS/MDT server.

Everything I read points to the fact that people do this and it is possible with IP helpers and/or DHCP options. So at the second location I create subnet 10.10.2.0/24 and add DHCP options in Meraki.

PXE booting doesn't work. It gets to a point where the TFTP times out, or PXE-T04 Access violation then PXE-E36 TFTP server error. So I try removing the DHCP options and use the boot server options. Similar error.

I tried booting into Windows to do a little Wireshark troubleshooting. I enabled the TFTP client on Windows 10 and requested the boot file. 2 packets. The request and the response. So I know they're talking. Again Access Violation. I've changed all the security settings on the remote share I can think of but still keep getting the same issue.

Any thoughts? Where do I add IP Helpers in the Meraki Dashboard?? I feel like I'm close..



Campus Vlans Distribution Layer Issue

Hey guys, I'm playing around with Packet Tracer and I decided to do a simple campus network design. I've got a router, L3 core, L3 distribution, and L2 access. I can get my switches on the distribution layer to ping back and forth to the router with default routes. But my hosts won't in their VLANs. They can only ping VLANs on the same distribution switch. Can't even hit the router from the hosts. It's like it's not routing the host traffic back to the core. If I enable OSPF it all works fine, so I know I have a routing issue; just trying to understand the issue. I've set ip route 0.0.0.0 0.0.0.0 10.10.0.1 and I also made sure ip routing is enabled. Thanks in advance.



BFD Multihop on an ASR1k?

Any idea if/when a 1001 is going to get multihop BFD?

We've got some use cases for it internally and this one ASR to our MPLS provider is the only thing that doesn't support it.



Carrier BUM restrictions and OSPF question

Has anyone had any problems with OSPF across a carrier network and the broadcast/unknown unicast/multicast restrictions causing communication problems? It seems to me that in certain scenarios it could be possible to exceed the limits. If so what kind of work around did you do?



Can Cisco ISE be configured for guest wireless with FIPS mode enabled?

I'm trying to research this and can't find anything that tells me explicitly whether I can have guest wireless (outside/general public devices) configured and active on a FIPS enabled ISE deployment. If so, what Auth process is used? I assume we need to get an acceptable cert on to the devices. I'm just having a little trouble understanding what would be appropriate in this case.



Service vs Location as Second Octet

I'm sure this has been posted before, but my google-fu is failing me.

I'm working on our IPv4 addressing scheme at the small startup where I work. We had a contractor do most of the network work, but they are not being super responsive and didn't know how to do a couple of things.

I'm an SRE, so this is totally within my domain and I have some experience running more complicated (but small!) networks. I'm also trying to improve my network chops, and I'm not totally out of my depth, so I jumped in. That being said, my experience is with very small nets, and designing for orders of magnitude growth with multiple sites is new territory for me.

We currently have only one location, but a number of remote workers.

Are there any significant advantages or disadvantages to associating service as the second octet of a class A network, and location as 3rd octet or breaking it down into smaller blocks from there?

The main advantage I can think of is remote workers... Break off a /16 for BYOD and dole out small blocks for each remote person. That would appear to allow you to set up routing and monitoring rules per-employee more easily. Though I suppose you could just as easily allocate a /16 for remote workers and do something similar.

The main disadvantage I can think of is larger routing tables... But how much larger would they be, really? I don't really know how to set up the equation for this. Shot in the dark is services × locations, where the first octet is just locations, so worst case is 254 vs 254²? If your router is using a balanced B-tree internally, that should be 2x lookup time, right?

By the time we've got more than 254 services or sites we'll have full time network engineers to refactor this so I'm not super concerned about scalability above that point.

Things like "this requires a manual change for every new hire or fire" don't faze me; I'll just add it to our onboarding / offboarding automation, etc.



Having weird issues with Angry IP Scanner.

Hello, I really did not know where to turn with this issue/question. I was looking at subreddits and thought this was my best shot.

So, when scanning on Angry IP, at first I am able to do the default scan normally, scanning only ping, ports and hostname. At first it works just like it should, at least to my eyes.

But as soon as I add web detect to the scan, it stops working. By that I mean: ports, web detect, ping, EVERYTHING but hostname is n/a (in the same IP range, right after my first scan). And it says all hosts are dead. After I've once scanned with web detect, even the normal scan fails.

Is this some kind of a security protocol on the network? If I try to do a web detect scan it blocks me totally? Or is it just Angry IP itself messing up? Sorry if this is a no-brainer here, but I seriously do not know what's going on.

Edit after 15 mins: I managed to do a scan with web detect on, on a different network/whatever it is; it shows a few hosts alive, and one with ports. But still not what I think it's supposed to look like.

Thank you for answers if I get any!

I'll be very pissed if my post gets "removed", as it took me nearly an hour to write all this.



Two Data Centers, one flat network. Moving to collapsed core? Can the current switches handle this?

Greetings. I've started at a new place and the first red flag is their data center design. https://imgur.com/a/gqYwa . The network is completely flat across VLAN 1; all the hosts have their gateway set to one of the HSRP addresses that live on the routers. As you can imagine, the 1G link between the switches and the router is being oversubscribed. Also the network cannot survive an outage of the trunk.

My plan is to split the data centers into two networks and use L3 routing across the P2P. In the new model the 3850 will act as the "Core/Distribution" and I will be moving the gateways there. My question to the sub is, will the 3850s be able to handle this duty? There are only about 30 VMs in each data center. Previously I've used Nexus in this role with FEX switches for access.



SFP28 10 Gb Compatibility

We're currently looking at a Dell 5148 25 Gb SFP28 switch to replace our current 10 Gb switches and I'm trying to determine if the ports will be backward compatible with our existing 10 Gb gear and downlink at 10 Gb. Does anyone have any existing experience with SFP28 ports linking to 10 Gb gear?



Anyone use Telegraf for SNMP monitoring?

I'm trying to set up Telegraf with the SNMP plugin to monitor our network devices, but I can't for the life of me figure it out.

The first device I'm trying to look at is a Fortigate 600D on 5.4.X. I downloaded the MIB from support and opened it using the Paessler MIB Importer to get the OID numbers. Here's my Telegraf config:

  [[inputs.snmp]]
  agents = [ "192.168.1.1:161" ]
  version = 2
  community = "public"
  name = "system"
  [[inputs.snmp.field]]
  name = "fg sys cpu usage"
  oid = "1.3.6.1.4.1.12356.101.4.1.3.0"
  [[inputs.snmp.field]]
  name = "fg sys mem usage"
  oid = "1.3.6.1.4.1.12356.101.4.1.4.0"
  [[inputs.snmp.field]]
  name = "fg sys disk usage"
  oid = "1.3.6.1.4.1.12356.101.4.1.6.0"
  [[inputs.snmp.field]]
  name = "fg sys ses count"
  oid = "1.3.6.1.4.1.12356.101.4.1.8.0"
  [[inputs.snmp.field]]
  name = "fg ips intrusions detected"
  oid = "1.3.6.1.4.1.12356.101.9.2.1.1.1"
  [[inputs.snmp.field]]
  name = "fg ips intrusions blocked"
  oid = "1.3.6.1.4.1.12356.101.9.2.1.1.2"
  [[inputs.snmp.field]]
  name = "fg ips anomaly detections"
  oid = "1.3.6.1.4.1.12356.101.9.2.1.1.9"
  [[inputs.snmp.field]]
  name = "fg ip sess number"
  oid = "1.3.6.1.4.1.12356.101.11.2.2.1.1"
  [[inputs.snmp.field]]
  name = 'if in ucast pkts'
  oid = "1.3.6.1.2.1.2.2.1.11"
  [[inputs.snmp.field]]
  name = 'if out ucast pkts'
  oid = "1.3.6.1.2.1.2.2.1.17"
  [[inputs.snmp.field]]
  name = 'if in errors'
  oid = "1.3.6.1.2.1.2.2.1.14"
  [[inputs.snmp.field]]
  name = 'if out errors'
  oid = "1.3.6.1.2.1.2.2.1.20"

The names starting with fg, and their OID numbers, are taken straight from the MIB. The names starting with if were taken from another generic RFC 1918 MIB that I found, since I can't seem to find interface stats in the Fortigate MIB.

The only stats I see in Grafana/InfluxDB are the first 4: CPU, Memory, Disk, Sessions. I don't see any IPS stats or interface stats. We use IPS/IDS heavily on our FG units.

Any ideas on how I can get these stats?

Edit: Some additional info. I experience similar symptoms when trying to monitor Cisco devices. Another question: if I do an SNMP Walk against my devices, I get a massive list of OIDs. How do I know what these OIDs represent?
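Added example, not the poster's configuration: the same Telegraf input rearranged so that the FortiGate scalars (the OIDs ending in .0, which a single GET can fetch) stay as plain fields, while the IF-MIB counters and the IPS counters, whose OIDs are table columns with no instance index, are walked through [[inputs.snmp.table]] sections with the interface name as a tag. The agent address, community string and the SNMPv3 credentials at the bottom are assumptions.

```toml
# Added example (not from the original post). Assumes the agent at 192.168.1.1.
[[inputs.snmp]]
  agents = ["192.168.1.1:161"]
  version = 2
  community = "public"   # v2c puts the community string on the wire in cleartext; see v3 note below

  # Scalar OIDs end in ".0"; one GET per OID is enough, so a plain field works for these.
  [[inputs.snmp.field]]
    name = "hostname"
    oid = "1.3.6.1.2.1.1.5.0"   # sysName.0, used as a tag so every series from this box joins up
    is_tag = true
  [[inputs.snmp.field]]
    name = "fg_sys_cpu_usage"
    oid = "1.3.6.1.4.1.12356.101.4.1.3.0"
  [[inputs.snmp.field]]
    name = "fg_sys_mem_usage"
    oid = "1.3.6.1.4.1.12356.101.4.1.4.0"
  [[inputs.snmp.field]]
    name = "fg_sys_disk_usage"
    oid = "1.3.6.1.4.1.12356.101.4.1.6.0"
  [[inputs.snmp.field]]
    name = "fg_sys_ses_count"
    oid = "1.3.6.1.4.1.12356.101.4.1.8.0"

  # The IF-MIB OIDs are columns of ifTable, one row per interface. A GET on the bare column
  # OID has no instance to return, so these are walked as a table and split per ifDescr.
  [[inputs.snmp.table]]
    name = "interface"
    inherit_tags = ["hostname"]
    [[inputs.snmp.table.field]]
      name = "ifDescr"
      oid = "1.3.6.1.2.1.2.2.1.2"   # interface name becomes the tag that keys each row
      is_tag = true
    [[inputs.snmp.table.field]]
      name = "ifInUcastPkts"
      oid = "1.3.6.1.2.1.2.2.1.11"
    [[inputs.snmp.table.field]]
      name = "ifOutUcastPkts"
      oid = "1.3.6.1.2.1.2.2.1.17"
    [[inputs.snmp.table.field]]
      name = "ifInErrors"
      oid = "1.3.6.1.2.1.2.2.1.14"
    [[inputs.snmp.table.field]]
      name = "ifOutErrors"
      oid = "1.3.6.1.2.1.2.2.1.20"

  # The IPS OIDs from the post also carry no instance suffix, so they are walked the same way;
  # the row index (the virtual domain on a FortiGate) is kept as a tag.
  [[inputs.snmp.table]]
    name = "fg_ips"
    inherit_tags = ["hostname"]
    index_as_tag = true
    [[inputs.snmp.table.field]]
      name = "intrusions_detected"
      oid = "1.3.6.1.4.1.12356.101.9.2.1.1.1"
    [[inputs.snmp.table.field]]
      name = "intrusions_blocked"
      oid = "1.3.6.1.4.1.12356.101.9.2.1.1.2"
    [[inputs.snmp.table.field]]
      name = "anomaly_detections"
      oid = "1.3.6.1.4.1.12356.101.9.2.1.1.9"

# Hardened alternative (assumed credentials): swap "version = 2" and "community" above for
# SNMPv3 authPriv so polls are authenticated and encrypted rather than readable by anyone
# who can see the management segment.
#   version = 3
#   sec_name = "telegraf"
#   sec_level = "authPriv"
#   auth_protocol = "SHA"
#   auth_password = "CHANGE-ME"
#   priv_protocol = "AES"
#   priv_password = "CHANGE-ME"
```

Running `telegraf --config <file> --test` prints one line per interface row and one per IPS row, which is the quickest way to confirm the table walks return data before pointing the output at InfluxDB.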



DC toolbox essentials

Hey guys,

Been meaning to make a toolbox to keep inside our rack @ DC. The following come to mind:

  • Screwdrivers
  • Pliers
  • UTP connectors
  • Patch cord jointers
  • Attenuators
  • Cable ties
  • Cable cutters
  • Screws
  • Nuts
  • Pen
  • Spare SFP/SFP+
  • UTP cable tester?

I'm sure there are a tonne of things to keep, but what essentials are mandatory?



Can't use delete key in CLI of Cisco SG300

Hey fellow /r networkers..

I have a bunch of new Cisco Small Business SG300-52 and -28 switches that we are rolling out at my organization. I noticed I am having an issue where I cannot use the delete key within the CLI. Normally these are set at a default baud rate of 115200, but I updated the default to 9600 and still no dice. I know my copy of PuTTY is fine because the delete key works on other Catalyst devices I console into, but this IOS is a little bit different than the Catalyst. Any idea what gives? Probably am overlooking something easy... thanks in advance!



Firepower Management Center HA

I'm setting up two new 2500 FMCs. Never touched Firepower before. I've got both boxes with 1 cable in eth0, connected together at layer 2. I want to set up active/standby on them, and I want to make sure I set these up in the best way. The documentation seems to just say that you set up 1 interface on both boxes with a management IP, then run through the HA wizard. Just wondering if this is literally the only cable you use to set these boxes up (i.e. one cable into both boxes)? I was expecting that you'd have a couple of ports for HA, and then maybe a separate interface for downloading patches (like a WAN interface).



Palo Alto redistribution logic

I'm trying to redistribute a static default route into the BGP RIB on a Palo Alto box.

The redistribution works, but it's taking unwanted routes along with it.

The config looks like:

  set network virtual-router VR_A protocol redist-profile VR_A_DEF2BGP filter type static
  set network virtual-router VR_A protocol redist-profile VR_A_DEF2BGP filter destination 0.0.0.0/0
  set network virtual-router VR_A protocol redist-profile VR_A_DEF2BGP priority 100
  set network virtual-router VR_A protocol redist-profile VR_A_DEF2BGP action redist
  set network virtual-router VR_A protocol bgp redist-rules VR_A_DEF2BGP address-family-identifier ipv4
  set network virtual-router VR_A protocol bgp redist-rules VR_A_DEF2BGP route-table unicast
  set network virtual-router VR_A protocol bgp redist-rules VR_A_DEF2BGP enable yes
  set network virtual-router VR_A protocol bgp redist-rules VR_A_DEF2BGP set-origin incomplete
  set network virtual-router VR_A protocol bgp allow-redist-default-route yes

I'm starting to suspect that the filter destination 0.0.0.0/0 isn't a specific match for the default route, but rather is catching all routes, allowing anything to be redistributed.

I can kill the unwanted routes by intercepting them with a higher priority (numerically lower) redist-profile configured with action no-redist, but I don't want to enumerate every possible route that I don't want.

Maybe there's a filter exact-match keyword or something? What's the right way to do this?



Need to get PDU power draw into Grafana, what's my go-between?

We use Statseeker for SNMP monitoring. I was told I would have to use something else or script it myself. Just need the average load for the DC in Grafana.



What do you use for IOS Baseline

Hey everyone,

I just came into a lead role for a company. One of the issues that I've been tasked with is identifying what baseline to follow for what versions of IOS/JUNOS/PANOS to maintain on the network.

How do you guys keep up with your IOS versions?



Collecting module/component serial number details with Ansible - what does the output look like?

Is anyone able to provide an example of the level of detail provided when you run the ios_facts module?

Specifically, I'm trying to find out what the returns from the ansible_net_serialnum looks like.

I'm trying to figure out if the output approximates the "show mod" or "show inventory" commands on the CLI, providing the serial numbers of all the individual components of a switch or router.

The eventual goal is to (hopefully) use Ansible to collect facts like this, in addition to Product ID/SKUs and SW version info, stash that info in a Redis database (or any other useful way to store the data), then use that captured info to query the Cisco Support APIs.

EDIT:

Assuming that the responses I've gotten so far are correct, is anyone aware of or has experience with an open source tool that would be useful in collecting general HW inventory info for Cisco networks, specifically serial numbers, PIDs/SKUs, and software versions?



rugged portable cart to haul equipment around

So we have destroyed half a dozen of these carts:

https://www.harborfreight.com/24-in-x-36-in-folding-platform-truck-68894.html

hauling around all our equipment. Anyone using a better option? Like, you would hurt the person who takes your cart, aka My Precious!

We usually haul around 1U switches that go over asphalt and bumpy sidewalks before getting to the nice flat floors in buildings. The carts have ended up with handles coming off due to the nuts vibrating loose (fixed those with nyloc nuts), the wheels get chewed up, and the whole frame eventually bending too much to be good anymore.



GLBP

Hello,

I am looking to move from HSRP to GLBP on my EDGE. I have two 1G circuits with different carriers. I want to go to GLBP so we can load balance between the two. Only thing is I have never seen GLBP used before and wasn't sure if it actually load balances like it says. Thanks for your input; any caveats or knowledge from your implementations would be appreciated.



I'm just becoming a master of break/fix. Can't see the forest for the trees at the moment.

Being in support for most of my career, I'm starting to get a little worried that my skill set is swaying more towards the side of break/fix. Most of the work I perform is troubleshooting and I rarely set up or design anything from scratch. I'm just wondering what things I could do to progress myself to a well-rounded engineer who isn't only a one-trick pony and just knows a bunch of quick-fix tricks.

  1. Follow certification paths like the CCNP->CCIE or CCDx series and hope experience comes?
  2. Build out common topologies in GNS3/Homelab environments?


Looking for a good CCNP-W Online training Resource?

Hey Gang,

I've been deploying wireless networks for ~10 years, and am extremely fluent in Cisco R/S as well as the CWUN portfolio.

I am currently running down my CWNE and work needs me to grab a Cisco cert as well. I loved the way the INE CCNA-W course looks, but I can't find the same kinda package for the CCNP-W.

Anyone out there know of anything like this?

Edit: Holy Shit - my old R/S CCNA is expired. This means I have to do my CCENT-->CCNA-W again. Pretty sure I could go cold sit for the CCENT (since it's required for CCNA now), no?



Centralised Backups??

Anyone know of a way of backing up configs of all networking equipment from multiple vendors to one centralised location? Need to be able to then pull that backup from the network and store it in a centralised location.

Saw that RANCID could solve the issue but would still need a way of pulling that backup to somewhere else, could possibly be done through VPN tunnels and SSH.

Thanks in advance.



Teach colleagues the basics of troubleshooting

I have been given the opportunity to hold a short presentation to members of the dept to teach the basics of network/connectivity troubleshooting. The idea behind this is to reduce the number of pointless tickets that come through to the network desk.

A lot of people who work in IT will know ping, traceroute etc., but not necessarily know how to interpret the results to give them an idea of the issue.

I am planning on explaining the basics of ping and traceroute and what they actually can tell you (similar to the NANOG traceroute presentation).

I was wondering if anyone else has done something similar and to share what you would teach if you had the opportunity?



Small business LAN upgrade question

I have a graphic arts business. We run our entire LAN off an old D-Link 24-port gigabit switch (DGS-1024D). We're moving large files around all day and have a video surveillance system on the LAN. I think our network could be speedier. Would upgrading the switch to something like a Ubiquiti US-24 UniFi switch appreciably improve network performance?



Ethernet repeaters

Any good recommendations? I will be setting up a temporary network in a big convention center. I was told repeaters were used in the past at this site and they may need a refresh in equipment. Just looking for some good suggestions.



Nortel SFPs in Avaya switches?

I know some manufacturers lock down their switches and SFPs so that they're not compatible with anything else... -cough-Cisco-Cough-

Will Nortel SFPs work in Avaya switches? Nortel is under Avaya.

These are older Business Ethernet Switches, Nortel Model BES 120-24T-PWR and Avaya model "Baystack" 5520-48T-PWR.

SFPs are Part Number AA1419013, Gigabit SX



OTV Multicast Transport and IGMP

Before I implement OTV at a customer site, I wanted to ask if someone could clarify the following concept for me. The AED device, N7K VDC in the planned implementation, uses the site VLAN to create dual adjacencies with the other edge devices in the site and remote site over the join interface so that the control plane can flood the information pertaining to MAC reachability. In order to facilitate this we all know the edge devices use any source group to facilitate this communication using IGMPv3. What confuses me is

  1. Why is IGMPv3 required, as it seemingly is explicitly listed in all the documentation I read?
  2. Which device facilitates the IGMP querier role, which manages the membership report database, in this overlay network? Is it the AEDs or is it every edge device in the overlay network?


Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Thursday, February 22, 2018

Difficulty With Small Business Network

Hello All,

I work for a small nonprofit and we are attempting to upgrade our wireless network. We are locked out of our old router (a Linksys EA6350) because no one knows the credentials, and the coverage could use an improvement. I purchased a Netgear Orbi system to replace it.

The network configuration is:

  Internet > Firewall > 40-port switch

The switch has both our server (running Windows Server; I do not have access to it) and our wireless router (not in AP mode) plugged into it.

Devices connected via wifi (192.168.1.xxx) are able to access the server (172.17.88.xxx) with the current configuration but I cannot seem to be able to make that possible with the new router without having it in AP mode (which is to be avoided as the organization wants all devices to have static IPs).

Is there something I am missing? It must be possible because it works now but I can't seem to make it work. Even setting the DNS to the internal server manually doesn't seem to make a difference.

Thanks in advance.




Gaming devices and NAT issues in higher education residential areas

Hello there folks!

I am an entry level network administrator at a public university. I am assigned to work with the students who live on campus and assist them with any issues they have (wired or wireless). I have a fair amount of knowledge with many technologies, but little depth in most of them. Jack of all trades, master of none type of deal.

One of my most common requests is to help students play online games such as Call of Duty or Rainbow 6: Siege with the same solid connectivity they are familiar with from when they lived at home. However, users rarely understand that an enterprise network is very different than a home network.

We currently have a solution for these students in place, but we certainly have the understanding that this is FAR from best practice and it requires a ton of manual labor. I will describe my process as well as I can to include the types of network devices we use at this university.

To resolve a student's online gaming woes, we ask that they connect to our wireless gaming SSID (Cisco 3502 APs, Cisco 5508 controllers). This SSID is secured by PSK with the key posted on the university intranet website; certainly not secure, but we didn't feel comfortable with an open SSID. The users then submit their MAC and IP address through an online form on our website. Once we receive the MAC and IP, I go through four basic steps:

1) Create a DHCP reservation for the user on our Windows NPS, verifying that the information they sent us is correct by just double checking the IP lease to make sure the MAC they gave us is the MAC we see. I then add the ticket number in the description of the DHCP reservation.

2) Create a 1 to 1 NAT on our Palo Alto firewall, giving the user a public IP address from a pool of available addresses.

3) Add the user's IP address to an address group that belongs to a security rule allowing common inbound game ports that are listed on different sites (3074 for Xbox, 6112 for Blizzard, etc)

4) Contact user to verify connection is working.

Honestly, each request doesn't take that much time but in the world of networking I know fully well that a more experienced administrator would have this as a solved problem and an afterthought. I have processed over 300 of these requests this year, and I imagine I am just now approaching the threshold where if I spent every bit of that time working on a way to automate this, I would be breaking even.

A few notes:

  • The current process we are following is a suggested resolution posted on the Palo Alto forums from other folks dealing with the same issues. To me, it just seems like a band-aid fix and not really a solution.

  • We have considered just handing out public IPs to these folks, but our gaming SSID with PSK currently has 2100 devices connected to it (needless to say these are NOT all gaming devices, since users get cheeky and start punching the PSK into devices that have 802.1x capability). Since we have a /19, we technically have the room to accommodate all these users but with the subnets we have remaining available we will be cutting it too close for comfort.

  • A colleague has suggested IPv6 as a solution, but I have a huge knowledge gap I need to overcome to get there. I have not been able to figure out if this solution is worth pursuit and would absolutely appreciate input on that.

At the end of the day, we have two challenges at hand:

1) How do we balance security and convenience for these users to get their non 802.1x devices onto the network? PSK just kind of sucks for this use-case, as we've found.

2) How can we efficiently ensure that game servers can initiate inbound connections to our students' devices without going through all the trouble of assigning each device a public IP one at a time?

Thank you for your time!



Why might WebSocket connections be dropping across all my different clients?

I manage our network for our small company, and I'm trying to troubleshoot what I suspect are some network issues.

We use Slack for internal messaging, and we're finding that the WebSocket connections for Slack drop pretty regularly.

The Slack engineers believe it's some sort of networking problem, but I'm not even really sure where to start.

The modem from Comcast is connected to an old HP ProCurve Switch 1810G Series (I have no idea how old it is). It was here when we moved into our office space years ago. I reset it to factory defaults a couple weeks ago, and that did seem to clear up the issues for a couple days or so, but then the WebSocket drops started recurring within a couple of days.

3-5 wired workstations are connected directly to the ProCurve switch via Cat5e in the wall and drop ceiling. We also have connected, via different Cat5e runs, three different Airport Extremes: two 6th generation, and one 5th generation, in an almost equilateral triangle, each maybe 60 to 75 feet apart from each other. These just act as wireless access points. Anywhere from 20-30 wireless devices altogether tend to be connected to the three AirPorts during peak usage during the workday. 802.11b and 802.11g devices are prohibited from connecting to the AirPort Extremes. Only 802.11n and faster are allowed to connect to the network, as per each AirPort's settings.

Each AirPort Extreme is set up just as a wireless access point, so they each have the same SSID and WPA2 password.

These WebSocket drops happen on the wired and wireless workstations similarly, so my initial hunch is that something's going on with the ProCurve switch.

I'm looking for any kind of guidance to diagnose the problem so I know what to replace, repair, or reconfigure. My initial hunch was to swap the ProCurve for something newer and/or swap the 5th gen AirPort Extreme with a 6th gen AirPort Extreme. Beyond that, I'm clueless. Any ideas?



IOS upgrades

Any ideas for upgrading ISR4300 IOS at 150 sites that are connected via DMVPN? Pushing the image over the tunnel takes about a day. I've got 150 locations 😂



What are your thoughts on SolarWinds' IPAM? How does it compare to other tools (such as InfoBlox)?


Traffic going through backup IPsec tunnel even when primary tunnel is up?

Ok so weird situation. I'm also a noob when it comes to this so bear with me.

I work with a company that maintains a dual-hub DMVPN network. We have just around 300 different remote sites that connect back to ours via site-to-site vpn. At each location we have a single static IP from the ISP (different depending on location), with the ISP's modem in bridge mode. Nothing special with the modem/connection from the ISP. It's just like buying a modem off the shelf and plugging it in at home, only difference being we have a single static IP. We use VRF routing, with Tunnel0 being the main WAN Tunnel and Tunnel1 being the backup tunnel through the cellular interface. The configuration with this router is the same as every other site we manage.

Here's where it gets weird. I first noticed this issue when trying to ping devices behind the router. With every other site, any device I ping will have a consistent reply anywhere from 33-43 ms. With the problem site, the times are anywhere from 57-365.

So I start looking into it. I do a traceroute from my local computer to devices at other sites, and I can see the traffic is going through Tunnel0. At the problem site I can see traffic going through Tunnel1.

This is the part I really don't understand:

Pinging Tunnel0 from within another site's router. (Notice the ping times)

> Sending 5, 100-byte ICMP Echos to Tunnel0_IP, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 44/47/52 ms

Pinging Tunnel0 from within the problem site's router. (Notice the ping times)

> Sending 5, 100-byte ICMP Echos to Tunnel0_IP, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

When I do a traceroute from another site's router to Tunnel0:

> Tracing the route to Tunnel0_IP
> VRF info: (vrf in name/id, vrf out name/id)
> 1 X.X.1.1 24 msec 24 msec 24 msec
> 2 Tunnel0_IP 48 msec * 44 msec

But when I do a traceroute from the problem site's router to Tunnel0 (it completely bypasses the first hop):

> Tracing the route to Tunnel0_IP
> VRF info: (vrf in name/id, vrf out name/id)
> 1 Tunnel0_IP 0 msec * 0 msec

And finally, a show ip route in another router:

Gateway of last resort is Tunnel0_IP to network 0.0.0.0

But with the problem router:

Gateway of last resort is Tunnel1_IP to network 0.0.0.0

I've checked the config for the problem router multiple times and everything is the same as other routers. What could be causing this?



What is the most ludicrous feature/product/widget where a vendor said "Sorry, there is a license you need to buy for that"


What do you guys use to physically label your ports/cables?

I'm about to move a decent sized environment from an HP stack (8x24port copper) to Cisco switches, and before I go unplugging everything I want to know what cable goes where.

Most of my googling is turning up how to logically label a port, which is not what I'm looking for.



Cat 9300 multigig?

Can I terminate 4 x 1G SMF and 4 x 10G SMF on a Cat 9300? The rest just copper? I ask because I have some older 2960 access switches that don't do 10G and some newer ones that do.

C9300-24UX or C9300-48UXM??



[Non-Technical] Enterprise & Business Networking question

Friends,

For the sake of accuracy, is it safe to say all enterprise gear requires a contract for software support? The only exception to this rule being open source gear or consumer grade?



Looking for advice with DHCP and MAC reservations

Hello,

I work in an environment that employs DHCP MAC address reservations. Traditionally this was handled by Linux DHCP servers operating on each subnet, but I've recently migrated several subnets to Active Directory integrated DHCP.

I've now discovered that with AD DHCP I no longer have the ability to configure multiple MAC addresses to use a single IP address. This was a capability I had when DHCP was hosted on Linux; I simply had to define a new host with a different name, desired IP and MAC. Now I find myself having to assign multiple IP addresses and an alternate hostname in DNS.

The common example lately: newer Dell laptops are no longer compatible with the old "port replicator" docking stations; everything appears to be moving in the direction of USB-C docking stations. These USB docking stations appear as a new network interface in the OS. In this situation, I'd really like to be able to create two DHCP reservations and assign the built-in/LOM MAC address and the docking station MAC address to the same IP.

I'm not crazy about the idea of moving DHCP back to a Linux system but I'm keeping that in mind as a last resort. Any advice/assistance would be appreciated.

Thank you!



Question on RADIUS auth for Cisco switches

I've got a bunch of 2960Xs running 15.2(2)E3.

When looking in their configs related to setting up RADIUS authentication for administrative logins, I see servers specified at two places in the config and I'm confused as to how they relate to each other. Can someone explain how a RADIUS server group, which is specified near the top of the config with

aaa group server radius <name> <ip1> <ip2> <ip3>

relates to the entries at the bottom of the config, where I've got

radius-server host <ip1> key 7 *hash1*
radius-server host <ip2>
radius-server host <ip3> key 7 *hash2*
radius-server key 7 *hash2*

I appreciate any insight people can give.



Riverbed Modelling FTP Traffic

I've run into an issue with Riverbed Modeller, in which FTP download response times are half the time of upload response times in a switched network. The interesting issue is, the data sent in bytes is exactly the same for uploading and downloading, but the packets sent are twice as many as the received packets. How can this be when the data for sending and receiving is identical in bytes?



What are the best areas/cities for Networking?

Where are the best cities or areas in general to get jobs as a Network Administrator/Engineer? Anecdotes welcome!



loopback communication over chained switches

I have a limited understanding of layer 2 technologies but wanted to know the following.

I want to use a layer 3 loopback as a management port but I am unsure how that loopback can be used to communicate to upstream devices.

My initial thought was to put the loopback into a VLAN and some physical interfaces in the same VLAN, but my understanding is that in order for that VLAN to communicate to the next device that VLAN would need to be passed through a trunk. Is that accurate?

Could I simply assign both physical interfaces into, for example, VLAN 10 and expect it to work, or do I need a trunk that passes that data through either side allowing the loopbacks to communicate?



How are you locking down your AWS environment?

I work at a smaller startup and currently we have 2FA, IAS and disabled root credentials for our AWS environment. We also have IP restrictions so you can only connect via office internet or VPN. Currently if our office went down we would not be able to access our AWS environment (without making emergency changes within AWS), so I was asked to implement a redundant VPN line.

I guess my question is: how mandatory does /r/networking think IP restrictions on accessing AWS resources are? Is this a standard in the tech industry?



New to the industry... what should I be doing at work?

I was hired as an intern by this company last summer. My boss had me work on a bunch of low-level IT stuff, both for him and for the rest of the Network Operations team.

Said boss retired over Christmas, and the company hired me back part-time to help ease the transition and lighten the team's load. But now nobody's telling me what to do, and I'm unsure how to take the initiative. People only come to me when there's a problem with the software that only my boss used. Like 90% of the time I'm just doing homework or trolling about on reddit.

I don't want to be the slack-off employee who only works when someone's looking over his shoulder, but right now I'm at a loss for direction. How can I take an active role in improving our network operations?



Setting up a server for an agency network

Hey /r/networking!

Happy to find a subreddit for this kind of topic and get some advice on this. I'm a web programmer in a small company of designers so I'm not exactly a specialist in networking, but being the most computer-savvy person at work they nominated me as the dude to set up a better solution to what we have now.

Basically, we work with Macs and currently we share our work files via a Mac Mini complete with Apple Server bought via the App Store. Everything mostly works and has served us well for many years – with TimeMachine we got a good backup system going with backup hard drives that we switch out every week.

However, our designers (who work with InDesign and large video/photo files primarily) would love to get more performance out of the server, which struggles to keep up and frequently bottlenecks our productivity. We believe that switching to a RAID might be a much better solution (we were looking at a G-Tech Raid 16 TB) but we admittedly know very little about how those work and as I'm not a specialist I can't make a judgement call on it at the moment so I'm researching what options we have. I think that replacing our Mac Mini with e.g. a Mac Pro might possibly vastly improve performance but we're not a big enough agency to justify spending that cash if there's other options. What do you guys think?

(Our Mac Mini is a 2.5 GHz Intel Core i5, 4 GB 1600 MHz DDR3 RAM)



Unknown unicast storm control

Hi.

I've been having a play with unknown unicast storm control in an admin area and am quite surprised by the rate which I am needing to set it to stop alerting.

Should this be set much higher than the broadcast rate? What are you setting yours at?

I'm using 2% of interface speed successfully for broadcast but still getting the odd alert for 10% on unknowns. This seems excessive?

Thanks.



Cisco 4500 Layer 3 Issue

I have a Cisco 4500 switch that is giving me some issues. Hosts in the same VLAN on the same blade cannot ping one another. They resolve layer 2 just fine. After the pings fail, each host shows up in the other's ARP table. There are a few VLANs that work just fine but a majority of them do not. For example VLANs 100-160 work perfectly. Those VLANs pull DHCP and get on the network with no issues. Most of the other VLANs will not pull DHCP. Even with static IP addresses they cannot get on our network nor can they ping one another. Cisco TAC seems to think it is the Supervisor engine.

Any ideas what could be causing this issue?



UCS Fabric Interconnect Licensing

I am reviewing our UCS configuration and am reminded that we are using all of our port licenses on the interconnects, so when it's time to expand with another storage array, it looks like we get to pay thousands of dollars to use additional ports on the equipment we already paid for. Why is this a thing? How can a switch be sold with the expectation that you can only use a fraction of the ports and then have to pay a lot of money to use more ports?

Is anyone else sharing the same irritation? I noticed FS.com has some pretty inexpensive high-throughput switches that might work well if we decide to move toward hyper-converged infrastructure and begin transitioning away from traditional converged infrastructure. Does anyone have any thoughts/experiences they could share regarding the hyper-converged strategy?

Not that I'm itching to get away from vSphere, but Microsoft's new S2D with Hyper-V looks interesting - like they have finally come full circle and fixed the issues of the pre-virtualization days so that we are back to stacking pizza boxes in the rack. I saw a demo a while back where they were pushing 1 million IOPS using 4 Dell R730's with NVMe and RDMA NICs while running VMFleet. Those numbers sound absurd, but if true, wow! Has anyone lab'd that up? Any shops running Microsoft's baked-in hyperconvergence?



Seeing Unexpected OSPF Next Hop Entries

I hope this is the right place to post this, but please let me know if it isn't.

I have a Cisco 6500 that runs both EIGRP and OSPF: EIGRP for all of our Cisco gear and OSPF to our FortiGate device. Today, while moving L3 interfaces from some distributed switches to our core 6500, we saw our FortiGate introduce its mgmt interface as a possible next hop, causing some of the networks behind the FortiGate device to be unavailable to networks on the 6500.

My question is can I filter out that particular next hop on the 6500 via a route map?



What API would you choose to represent your network?

So,

I've arrived at a point where I got tired of the massive amount of different vendors the company I work in is using and decided it's time to automate everything I could possibly think of.

Great idea, right? Problem is all these different vendors use different CLI syntax or only possess a GUI interface, so creating an automation for each one would take a lifetime.

Which led me to the grand solution of setting up a 'proxy machine' which would accept a universal syntax on one end, and GET/POST this as commands to the infinera/cisco/juniper/ciena/extreme/microsens/nextone/alcatel and whatever other crap I've got here. Basically it takes some API commands on input, then turns them into syntax which the device recognizes in its shell/GUI. End game is to keep the automation apps in check whenever they need to read/write something on the network.

Thing that keeps me up at night is what API to choose for the front end of my server. Should it be REST? Should I have something customized? Feel free to destroy my idea at will.



Fortigate mgmt Interface Advertising Routes

Hi all. We have a pair of Fortigate 600D firewalls in an HA cluster. The Fortigates are configured to advertise OSPF routes to our 6509 core switch, which is directly connected to the Fortigate via the Inside interface.

On our core, we're seeing OSPF routes to the Inside interface of the Fortigate, but we're also seeing OSPF routes to the mgmt1 interface of the Fortigate. This is creating duplicate routes and causing issues. I've been told by Fortinet that the mgmt interface is not a routable interface, but this doesn't seem to be true.

Is there any way that I can prevent the mgmt interface from participating in any routing?



Connecting two buildings 900 ft away from eachother

Hey, I have a house and a barn (which has an apartment in it) that are about 900ft away from each other. I talked to my service provider about dropping a second line but they said they wouldn't service my barn because it was too far away.

So my plan was to just share my internet with the barn apartment. I have 250mbps so it shouldn't be an issue to add 1 more computer. Now I am having trouble coming up with how to send the signal 900 ft. I'd like to not spend too much money but I want it done right and hopefully have it last long.

I have 1500ft of cat5e cable lying around. I have power sources at both ends. I live in the SE US, so lightning is a large concern for me.

Any suggestions on how to bridge these two buildings?



Wireless controller and Local Authentication

Howdy, I'm working on a Cisco 5508 Wireless controller. I have a RADIUS server which authenticates domain members to access the wireless LAN. However, if the RADIUS client (the controller) is enabled, users are able to authenticate, but I'm unable to log in to the controller (local or domain creds). If I disable RADIUS, I can log in locally to the controller, but then domain members can't authenticate and join the WLAN. From reading forums, there's no way to use local authentication if the RADIUS server is reachable. Is there a way to force local creds on the controller in the presence of a RADIUS server? I have to wait until the end of the day to log in to the WLC or else I break the wireless for the company.



Made a small utility to easily convert the format of MAC addresses

Something I wrote a while ago to quickly convert MAC addresses. (aabbcc001122, aa:bb:cc:00:11:22, aabb.cc00.1122, AA-BB-CC-00-11-22 etc..) while I was doing a python tutorial.

It actually came in really handy in my day to day job in a multi-vendor environment.

Formac



Intervlan routing on Cisco SG500

I have replaced an old Catalyst 3500 with an SG500 and I'm struggling to get intervlan routing to work properly.

I've configured the SG500 in L3 mode, set the firewall as the default gateway, added IPs to both data and voice VLANs, and all ports are trunked. If I give a PC the data VLAN IP as its gateway, routing works as expected and I get internet access; however, I can't ping anything in the voice VLAN?

On the 3500 setting this up was easy, but the web GUI on the SG500 is horrible and the CLI appears to have slightly different commands than the usual ones.

Can anyone point me in the right direction? Can paste configs if needed



"Dr. Transport"? Where can I find more information about this, whatever it is?

I've been offered my first networking position and an item on the job description is Dr. Transport. Maybe I just suck at googling, but I can't seem to find what Dr Transport even is. I'm assuming it's a networking tool of some kind. Is anyone here familiar with "Dr. Transport?"

I'm sorry if this is the wrong sub. I considered all others in the side bar before posting here.



HP Procurve MSTP / Spanning Tree Help

Hi.

We use MSTP spanning tree in our business and never seem to achieve 24 hours free of spanning-tree topology changes.

My question is: what causes "time since change"?

Is this bad?

If it is, how do I identify and fix it?

Thanks



[RANT] How much am I worth?

I have been working at a major hosting provider in Network Security, directly involved in the implementation of the most complex environments for the most well-paying customers. I've only been doing network security implementation for a few years, but I started writing automation a while ago to do my job, because no one else was going to do it.

The automation isn't done but it is partly functional and doing wonders. No one asked me to do it, so no one feels like I need to get paid more to keep doing it. It's to the point that I have a title vastly different from the work I do and the work I am getting involved in. The pay is also vastly different.

Instead of guessing where I work, or who I am, how about you tell everyone how much someone like me is worth in your locale. I know automation, Python, Ruby, Golang, and while I only have a CCNA R/S, I don't get paid enough to afford the CCNP R/S I should have.



Routing issue - LAN can ping gw, gw can ping outside, LAN can't ping outside.

Here's the route table on our gateway

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - ISIS, B - BGP, > - selected route, * - FIB route

S>* 0.0.0.0/0 [1/0] via 203.188.221.97, eth2

C>* 127.0.0.0/8 is directly connected, lo

C>* 169.254.32.196/30 is directly connected, vti0

C>* 169.254.34.212/30 is directly connected, vti1

B>* 172.16.0.0/20 [20/100] via 169.254.34.213, vti1, 1d19h35m

C>* 172.16.32.0/22 is directly connected, eth0

C>* 203.188.221.96/27 is directly connected, eth2

I am able to resolve (uncached) addresses, so DNS is working... I guess that makes sense as the requests are going to the gateway first, not direct to an external DNS server.

Any ideas?

172.16.32.1 - Unifi USG Gateway

172.16.32.2 - Cloudkey

172.16.32.3 - Unifi AP

172.16.32.4 - Unifi AP



As Network engrs/professionals/admins/techs, what work related websites (for instance, networkworld.com) do you subscribe to?

thanks



I wrote a scripty-poo to document the interface configuration and status of Procurve switches

We're ripping out the old Procurves, and putting in some new hotness.

But before we do this we need to know about the network, and our customer doesn't know about their network.

It's a bit of a pickle, considering we're working on just under a hundred switches that are fairly remote. So completely remote that we want to get this right the first time so nobody has to go back.

Here's the script: https://github.com/thewozza/HP_Procurve_Interface_Documentator

It drives into an HP procurve and grabs the interfaces to note the current up/down status and the duplex. Of course in our case, it does this about 100 times so I don't have to.

Then it scans the VLAN config and figures out what VLANs are associated with a particular port, and whether or not they're tagged.

THEN it wanders through the switch logs looking for up/down events which could indicate that a port that is off at the time of the scan was UP at some point, in which case we care about it.

Lastly through some python magic that I don't understand it barfs all this out into an excel spreadsheet ready for human consumption.

The intention is that we can use this excel spreadsheet (print it out maybe?) when we're deploying the new switches. It will help us understand what ports are actually important, and what ports can be just thrown together in the usual VLAN.

It also helps us understand more completely what all of you know, that we're using fewer switch ports every year and those closets that required 4 switches 10 years ago only need two now.

So maybe this will help you in your search for data, or maybe you can tear apart my spaghetti code and make it into something that is actually useful. Good luck!



SSL based site to site VPN

Does any firewall support SSL based site to site VPN on default 443 port? Sophos does it but on port 8443.



Reset FMC Pass

How do you reset the SSH password for the FirePOWER Management Center? I have full physical access to the device, just don't know how to do it.



Wednesday, February 21, 2018

Need a slight crash course on Data Center networking and data center components as a whole, what can I review over a weekend?

So, anything to do with racking, power distribution, CRACs and information about them, anything to do with planning, cabling, etc.



Small Business Design - ubiquiti?

Hello,

I was asked by a relative for advice on upgrading their small network infrastructure in a single office. This is a very rural area so any local professional service of this type is extremely poor, as I've seen firsthand as my parents run a large garage operation in the same area. I've been out of this type of work for quite some time (currently working in the defense industry); I saw it as an opportunity to have some fun and get them some decent products.

If this belongs in homenetworking I apologize in advance as this is a very simple network but is a business.

Network consists of:

  • 12 workstations
  • 2 servers
  • 15 IP cameras - large warehouse area
  • multiple mobile devices

Everything is running on typical "home" consumer gear right now and after a little research I like the looks of Ubiquiti's products. I first looked at Cisco's line of SMB products but I had problems in the past supporting multiple RV120's and it doesn't look like (based on reviews) that things are much better now.

  • WiFi: 2 x UniFi AP AC Lite
  • Router: UniFi Security Gateway
  • Switch: 24-port Ubiquiti UniFi Switch

Some of these managed features will likely go unused for such a small environment but there is added value with VLANs for IP cameras and VPN access on the Gateway, as he once inquired about having one set up. The GUI menus also look very user friendly, which will be beneficial as this individual will be the one primarily managing these devices. He worked in IT at a young age and has always managed the network and computers within the office.

If anyone has any advice regarding these products or design I would appreciate it.

Also if there's another vendor I should be focused on please let me know.



I tricked a company into paying me too much for a job I'm barely qualified for and now they're treating me like I'm competent and I don't know how long I can keep faking my way through this.

I accepted an interview for a Network Engineer position that was quite a reach, and somehow managed to nail it. What was supposed to be a 1-hour interview turned into a 4-hour interview and they made me an offer the next week. I expressed hesitancy, so they came back with a second offer that was 30% higher than their first offer, doubled the PTO, and slapped a "Senior" in front of the title. I accepted it because even their baseline offer was more than I thought I was worth, and their second offer was just too bonkers to turn down.

But now I'm a couple months in here and I'm getting overwhelmed really really fast. The few outages and major problems that came my way I was able to resolve only through dumb luck and guessing, and most of my day is now spent trying to hide how little I actually know from my boss. I get tasked with something, cheerfully say "Okay sure, no problem!" and then spend the next two days frantically googling and digging through Cisco's config docs to try and figure out how to pull this off.

So I'm trying my best to be less terrible at my job to justify this idiotic salary but fuck there's just so much. I've started studying for my CCNP Switch exam and that's its own deluge of info to try and absorb, but I also keep reading that being a CLI monkey is a dead end these days so in the evenings I'm slowly plowing through Learning Python the Hard Way.

But on top of the nuts-and-bolts networking I've also got to start figuring out this never ending stream of ancillary services, like I'm using SolarWinds for the first time and trying to understand why most of our alerts aren't sending emails even though it looks like they're being triggered, while I'm also living inside our Palo Alto firewalls for four hours a day trying to un-fuck the prior (now fired) outside security consultant's half-aborted attempt to implement segmentation with the firewalls at the network core, oh and also they paid a bunch of money for a Splunk server at some point which has its own unique programming language that I need to sort out (Hey Splunk, when your "cheat sheet" is a dozen pages long, it's not a cheat sheet) so management can get the pretty graphs that drive their world, but I also need to learn Microsoft's NPS/RADIUS server because that's the only thing we have for network access control and the policies are convoluted and completely undocumented and I'm terrified to touch it at all because it's a house of cards that will probably fall over the instant the wind blows the wrong way, and I'm keeping up with the daily VoIP management stuff on this expensive cloud provider they have (which is actually a small blessing because it's pretty straightforward compared to the CUCM clusters I'm accustomed to), oh and I'm sorting out Meraki for the first time too which has its own quirks (how the heck do you limit an SSID just to a specified Access Point?!).

And on top of this they're considering a company expansion in the next few months which would necessitate a near-complete re-architecture of the network with new Core/Distro switches to actually get 10gig fiber to all the access layer stacks, and new firewalls with much greater filtering capacity, and I've nodded and taken polite notes through meetings about these things and after I did some scary math and talked to VARs and finally went back to management and was like "Guys, this is going to cost like half a million dollars" and they all nodded and said "Okay, that sounds about right, let's start seeing some high-level designs" and I nod and smile while in my head I'm screaming WHAT THE FUCK I BARELY GOT MY CCNA WHY AM I HERE.

How the hell do you guys put up with this long term? How can you possibly handle this never-ending firehose of stuff you're supposed to know, and be competent in? How do you come in every day knowing that you're just one unplanned outage away from everyone knowing just how bad you are at this job?



DHCP-relay on a QFX3500 completely lost

Hello,

I have a QFX3500 that is the router for all my L3 VLANs (IRBs on this device) and I'm trying to set up dhcp-relay to work with our PXE server. I have this exact config on a QFX5100 working without issue. However, on this device it just doesn't seem to work. The original setup was

 

3500 config

set forwarding-options storm-control-profiles default all
set forwarding-options helpers traceoptions file dhcp_helper
set forwarding-options helpers traceoptions level all
set forwarding-options helpers traceoptions flag bootp
set forwarding-options helpers traceoptions flag all
set forwarding-options dhcp-relay server-group dhcpserver 185.221.134.35
set forwarding-options dhcp-relay group dhcprelay interface irb.217
set forwarding-options dhcp-relay group dhcprelay interface irb.219

Here's how it was originally laid out

QFX3500 <===trunk===>EX4200<===trunk===>Cisco 3560 

Then both the PXE server (which also handles DHCP, via noc-ps) and the client were connected to this. To eliminate the issue of the Cisco switch I connected them directly to the EX4200, so now the setup looks like this.

 

QFX3500 <===trunk===>EX4200 <== both clients connected directly to EX4200 

This made some improvements, as now instead of seeing no DHCP offers received I'm getting this message on the client.

https://i.imgur.com/UTtsmdy.png

 

irb.219 = client / ge-0/0/43

irb.215 = pxe/dhcp server - ge-0/0/45

 

All VLANs are trunked correctly; I've verified reachability between the 2 devices.

 

I've attached monitor traffic logs for both the IRB interfaces and the physical interfaces they are attached to. Also the traceoptions "all" file for the QFX3500.

 

Another note to add: I had an issue like this before on an EX4200 and the solution was adding firewall rules to allow the traffic through, because the traffic passes through the loopback. I have the exact rules from the working QFX5100 on the 3500, and for testing purposes I've also removed the ACL completely from the loopback.

 

logs

EX4200 Ge-0/0/45 https://pastebin.com/BEZKdkmt

EX4200 Ge-0/0/45 https://pastebin.com/M3Xbw1zU

3500 irb.219 https://pastebin.com/auYyzgnt

3500 irb.215 https://pastebin.com/TvCs17rg

Traceoptions all https://pastebin.com/HttKeFpV



WAN block level data sync suggestion

I'm currently using HP VMExplorer to replicate recurring full backups from one data center to another. The trouble is it's taking forever to complete and almost always has failures due to time outs. The problem is that it sends all of the data across even though most of the data between full backups hasn't changed. I'm wondering if anyone knows of a block level syncing tool that will:

  1. compare data to existing data at the block level in other (selected) folders
  2. delete data that has been deleted from the originating system
  3. work on Windows
  4. report failures
  5. encryption would be nice, but it will be running over a VPN

Thanks



RANCID with Enterasys devices

Hey all - I'm in the midst of trying out RANCID as a way of tracking changes to device configurations. I've got it working pretty well with Cisco and HP equipment in my test network, but my Enterasys gear is proving to be a bit more of a challenge.

I've been Google-fu-ing this problem for a few days and I've not found a whole lot of useful info on getting Enterasys devices to work with RANCID. I've seen some references to using rivlogin and rivrancid for Enterasys gear, but not a whole lot else.

I've got N3, B3 and C5 switches to work with in my test environment. My production environment uses those devices as well as other Enterasys gear.

If anyone has any experience setting up RANCID to work with Enterasys gear, I'd appreciate any tips and suggestions.



Who is your least favourite service provider to deal with?

It seems like everyone has something bad to say about AT&T, but after having to deal with Bell Canada on an almost daily basis, I have a newfound appreciation...

What about you; which telcos have you had the worst experiences with?



Scripts or free tools for automatic provisioning of Cisco IP phones, DNs and/or Unity mailboxes?

I would like to incorporate provisioning of Cisco IP phones and Directory Numbers within CUCM, and mailboxes within Unity Connection, for new/former employees. Rather than attempting to re-invent the wheel I am looking for suggestions on scripts and/or tools being actively used in the field. Thanks in advance.



Hey guys! Ip address to irl address (Help!)

So, it's been a mess lately in my high school, and people were looking forward to finding someone who created an Instagram account against it. A friend of mine and I made a pretty well made plan in order to get to that person's IP Address, and it worked, and we thought that if we have the IP Address it would be extremely easy to find the irl address and find who actually created the account, but it seems like I can't find anywhere a precise GPS Longitude // Latitude GPS online and all that stuff, so I'm asking you guys for help. How can I find someone's identity or at least address through IP?



[Q] How to simulate conditional slow network connections in Windows 10

I was wondering if anyone is able to point me in the right direction here. I am trying to find a way to run a background process in Windows 10 that will simulate a slow network connection only for certain domain names. My initial research hasn't really turned up any solutions so far unfortunately.



Looking for a Juniper Edge Router suggestion

Hello fellow redditors,

Currently I'm shopping for an Edge Router for a small DC. This router needs mainly to:

  • Receive 2 full BGP feeds (v4 and v6), eventually we'll need to receive a third one.
  • Process around 4 Gbps concurrent traffic (in + out), roughly 250k pps
  • Provide visibility through netflow/sflow
  • Connect back to 5 iBGP peers and get around 100 additional local routes
  • OSPF single area
  • Connect via eBGP to a scrubbing center via GRE tunnels (no encryption)
  • QoS for our critical traffic mainly (not for controlling usage by tenants)
  • Around 3 VRFs
  • 2 - 4 1GE ports
  • 2 - 4 10GE ports

For fun a small history of why I'm looking for this

Basically we're a Cisco + MikroTik shop, life was all good with our setup (roughly 6000 VMs distributed over 150 servers) 24/7 no issues at all for the past 2 years, we use Cisco at the Core and Access layer and MikroTiks at the Edge layer.

Well we had 2 events that are making us change the MikroTiks at the Edge, basically we were DDoSed (not the first time, but the first time the DDoS crippled our routers), this attack was a Low BW one (less than 250 mbps) and low PPS (less than 200k pps), the attack made our routers go to 100% CPU usage making them behave really bad, since those are software based routers the CPU spiking like this locks them almost 100%. The attack itself wasn't targeted directly to the routers but to one of our servers.

They didn't reboot and we managed to get them back online with help from the upstreams but we don't want this to happen again.

We were victims in the past of 6 Gbps/500k pps DDoS attacks and the routers didn't sweat at all (CCR1036 for those who may want to know), so at first we got confused as to why this "smallish" attack made the router go like this, but upon further investigation we found out that the router's network process goes crazy if every single packet of those 200k pps comes with a randomized source or destination port, as in, every packet is treated as a different new connection.

We knew this was a possibility if we made the routers use a lot of services, but we basically deployed these with:

  • Conntrack disabled
  • Only firewall rules to protect access to it
  • Only netflow operational (which I know will stress the router a lot in such a situation, but we need it like this)

We don't hate those routers, we actually love those, 2 years working non-stop with no issues at all getting full BGP feeds from v4/v6 and using netflow, surviving "normal" DDoS, etc. But guess it's just a normal limitation of software based routers...

So here I am, currently looking for a router that's hardware (ASIC) based.

End of the history

Anyway we could go with Cisco's ASR1000X line for this, but we'd like to try and test Juniper, I've toyed with these before and I do LOVE the CLI but I have to admit I am a bit confused about their MX line, that seems to be the one that fits us, they pack the datasheets for all the line with not all the information I'd like to have.

Any Juniper operator here that could provide some suggestion as to what hardware we should take a look into?

Thank you very much in advance.



Can anyone explain the minimum mtu size of 576 bytes and max 1500 bytes?


DHCP Superscope not handing out a whole subnet/pool

We have a superscope of 3 subnets/pools: 192.168.200.0/24, 192.168.201.0/24, and 192.168.202.0/24. The 200 and 201 subnets are handing out fine. However, our 202 subnet doesn't hand out anything. This is all facilitated on one server, so I shouldn't need to authorize the server or something. Our server has a 200 and 201 address on its LAN interface. Would I need to assign a 202 address to it as well, or should it not need an IP in that LAN to hand stuff out? Thanks.



What Libraries did you find helpful to you after learning Python?

Right now I'm still learning to use Paramiko, Netmiko, sys, and socket. Curious if anyone uses any libraries in specific that have helped them make cool tools or something like that. Just trying to find more ways to put my skills to the test and find some cool new libraries to get familiar with.



ML Applications to Computer Networks

Hi there! I'm a Brazilian undergrad student and I am currently picking a theme for my course conclusion work. Through the last year I've been working with handover algorithms in wireless heterogeneous networks, but for my conclusion work I'd like to implement something towards a personal interest: Machine Learning. Do you guys know some possible applications to ML in networking? I've seen some works where it's used for intrusion detection or Quality of Experience Prediction, but I'd like to hear more from you guys.



Secondary IP's and HSRP

We have a client request that involves moving VDIs to a new network. The desire is to add the new IP range to the existing VLAN interface. While I know how to add an "IP Secondary" to a standard VLAN interface, I am not sure if this is possible to do on an interface that is set up with HSRP. Of course my desire is to simply use a new VLAN, but there is push back.



Best practice on a L3 Switch and VLAN tagging/Interface IP...

I am configuring an L3 in our office to handle DHCP and internal routing.

Last night I had each interface configured for its respective VLAN and had inter-VLAN routing working with different test PCs I have plugged into said switch.

After presenting the results, my boss wants me to instead give the VLANs the IP address as opposed to the ports handling the VLAN.

I am running into a problem with this (partially because the Cisco ADSM/WebGUI is terrible) and getting the ports I am tagging with the VLAN that has the IP to dish out DHCP.

Does it make more sense to give each interface an IP with its respective VLAN IP (I guess this would be a sub-interface IP) and tag the VLANs I want those interfaces to allow, or should I keep digging until I fix the issue with the VLAN IP and tagging it for the ports using that VLAN?

I hope this makes sense.



VPN software to connect multiple Zyxel USG 20s to a cloud based IPsec VPN?

I currently have Zyxel USG20s all over the world connected to a Zywall 110 which is connected to a server running Squid web proxy. I’m trying to replace the server with AWS or any other cloud services and the Zywall 110 with a VPN software.

I’ve looked into AWS and I’m able to set up squid web proxy and run from that. However I’m not sure how I am able to replace the Zywall 110 with a VPN software. I’ve looked into using OpenVPN software but it does not support IPsec.

Are there any VPN software which would work well with AWS and work over IPsec?



Unable to Authenticate on ASA5525 via ASDM after IOS update

Hello,

I recently updated my ASA from 9.1(2) to 9.4(4)17.

Before the update, I was able to get to the ASDM login just fine. However after, it now rejects my credentials. I can ssh to it just fine with the same credentials I have been using (AAA to active directory)

I can launch the Java Web Start and get to the login screen. However, when I type my credentials in now, it rejects them. This is the case on my old ASDM image and the new one (asdm-716.bin and asdm-762-150.bin).

I updated the ASDM because the 716 version is not compatible with the new IOS that I updated my ASA to.

Any thoughts or if you need more info, let me know and I can paste them here.



What technical requirements are usually used when choosing network equipment?

We are rebuilding our network infrastructure, and we would like to choose the right equipment.

Question: What technical requirements are usually used when choosing network equipment?



Use audio recording during a VoIP phone call

Hey!

So I was wondering if there is a VoIP softphone/Software that allows you to use an audio recording (wav, MP3 etc) during a phone call?

This would obv replace me speaking into the mic every phone call I make. The reason I ask is that this would be beneficial for my dissertation project.

I have searched online and asked my supervisor for my dissertation project and have been unsuccessful to date to see such a softphone or software that enables it.

Would be very appreciated if anyone can recommend a softphone or software capable of this.

Thanks.



Issue with a NetMiko script

Hello all.

I'm going through a Udemy course regarding automation tools and I'm stuck on a NetMiko script. I don't understand the output of the error, so I'm hoping someone can help. I posted my issue on GitHub here: https://github.com/ktbyers/netmiko/issues/721

Essentially, the script will run and either fail right after trying to connect to the first host, or it will connect to a host and then fail on the second, etc. It's not an STP issue, as I statically configured S1 to be the primary for all VLANs.

Any help would be appreciated. Here is the script along with the error:

#!/usr/bin/env python

from netmiko import ConnectHandler

# One connection dictionary per IOSv-L2 switch in the lab.
iosv_l2_s1 = {'device_type': 'cisco_ios', 'ip': '192.168.122.71', 'username': 'michael', 'password': 'cisco'}

iosv_l2_s2 = {'device_type': 'cisco_ios', 'ip': '192.168.122.72', 'username': 'michael', 'password': 'cisco'}

iosv_l2_s3 = {'device_type': 'cisco_ios', 'ip': '192.168.122.73', 'username': 'michael', 'password': 'cisco'}

iosv_l2_s4 = {'device_type': 'cisco_ios', 'ip': '192.168.122.74', 'username': 'michael', 'password': 'cisco'}

iosv_l2_s5 = {'device_type': 'cisco_ios', 'ip': '192.168.122.75', 'username': 'michael', 'password': 'cisco'}

# Read the configuration commands to push, one command per line.
with open('iosv_l2_config') as f:
    lines = f.read().splitlines()
print(lines)

all_devices = [iosv_l2_s5, iosv_l2_s4, iosv_l2_s3, iosv_l2_s2, iosv_l2_s1]

for device in all_devices:
    net_connect = ConnectHandler(**device)
    # Try delay_factor=2 and if that doesn't work 4
    output = net_connect.send_config_set(lines, delay_factor=5)
    print(output)
    # Close the SSH session before moving on to the next switch.
    net_connect.disconnect()


Traceback (most recent call last):
  File "netmiko3", line 51, in <module>
    output = net_connect.send_config_set(lines, delay_factor=5)
  File "/usr/local/lib/python2.7/dist-packages/netmiko/base_connection.py", line 1131, in send_config_set
    output += self.exit_config_mode()
  File "/usr/local/lib/python2.7/dist-packages/netmiko/cisco_base_connection.py", line 51, in exit_config_mode
    pattern=pattern)
  File "/usr/local/lib/python2.7/dist-packages/netmiko/base_connection.py", line 1081, in exit_config_mode
    if self.check_config_mode():
  File "/usr/local/lib/python2.7/dist-packages/netmiko/cisco_base_connection.py", line 33, in check_config_mode
    pattern=pattern)
  File "/usr/local/lib/python2.7/dist-packages/netmiko/base_connection.py", line 1065, in check_config_mode
    output = self.read_until_pattern(pattern=pattern)
  File "/usr/local/lib/python2.7/dist-packages/netmiko/base_connection.py", line 449, in read_until_pattern
    return self._read_channel_expect(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/netmiko/base_connection.py", line 384, in _read_channel_expect
    raise NetMikoTimeoutException("Timed-out reading channel, data not available.")
netmiko.ssh_exception.NetMikoTimeoutException: Timed-out reading channel, data not available.



Multiple DMVPN spokes behind same global NAT address

Hi all -

We have a few spoke routers at a large jobsite that requires us to use their campus internet access. They are NAT'ing all traffic with the same single IP address. I'm having trouble trying to get more than 1 spoke up and running since it can't differentiate them on the dual hub end.

We have asked the campus IT if they can NAT us out different IPs, that's a no-go. As a temporary workaround, we have the additional routers using ezvpn remote to an ASA.

Any ideas would be greatly appreciated.



Best video course material with subtitles for CCNP studies?

I'm looking to supplement my CCNP R&S studies, and I've been shopping around for some video courses for CCNP with subtitles/transcripts.

I'm hearing impaired, so suffice to say INE.com has been disappointing. I tried contacting their CS for transcripts but it's only a very small portion of their videos that has subtitles/transcripts.



Check VPN Phase 1 and 2 of ASA

Hi Everyone,

I'm not very experienced on the ASAs, but I need to get a colleague to send me the details of site-to-site tunnels he has ongoing. He sent me the running config, but I'm not able to figure it out. I mostly need the following, but if there is a command that shows all details, the better:

Phase 1 and 2:
-Encryption
-Hash
-DH group
-Lifetime

Will show vpn-sessiondb detail l2l get me all this info? I also need to know if it is IKEv1 or v2.

Thanks!



Small Business router to firewall configuration advice

Howdy,

I am working on setting up a small business with a WatchGuard firewall behind their Comcast modem. I had Comcast give us static IPs, but my boss and I argue about how to set up the modem. I believe the Comcast modem should be set up in passover mode (DHCP & NAT turned off), and he wants to place the firewall in a DMZ and set the external interface of the firewall to the modem's internal IP range.

*The office will use VPNs and a BOVPN connection with their firewall and not much else.

Any advice would be greatly appreciated.

Thanks!



ASA Multi-context, AnyConnect, and Hostscan

I'm testing AnyConnect on an ASA 5585-X in multi-context mode. I've got it working, but hostscan isn't supported. However, it still directs you to the Hostscan feature when you're configuring DAPs, but it doesn't exist. If no Hostscan, then no posture assessment, so what's the purpose of DAPs in MC mode, other than use with ACLs? Not sure if Hostscan will be supported in the future, but it sort of makes DAPs less useful.

Has anyone else experimented with this, or implemented it?



Open source network documentation tool?

What tools do you use for documentation and monitoring? I was looking into Netdot, but it seems that it hasn't been updated since 2016 and I ran into some errors when installing it.



Cisco IOS XRv 9000

Hey all. I'm curious if anyone is running this in production? I'm thinking of leveraging my VMware infrastructure in my datacenter to replace some old routers. Thanks.



Tuesday, February 20, 2018

Weird Mac issue, can only SSH after pinging to SSHer unless layer 3

http://ift.tt/2C7EdCd

Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Slow Traffic Over IPsec VPNs

Hey guys,

I'd first like to say that I'm a younger guy who got hired at a company with only one other guy who has any general sense of networking. I've yet to be thrown in a scenario like this, and it's causing a bit of stress because our end users are directly affected by this. I don't quite know the depths of networking that well, but am learning what I feel to be rapidly.

I got hired at a company that has the need to send insane amounts of data to remote sites over IPsec VPNs. These remote sites have substantial bandwidth that I'm 100% sure is not the problem. 1 Gbps Fiber Up/Down on both ends (best case scenario that is still experiencing slowness).

We're tapping into 50-60 mbps, TOPS, to these remote sites.

The core issue is that these connections are sending at such ridiculous speeds once we hit our IPsec VPNs over the WAN. My core theory is packet fragmentation, and I believe Wireshark confirms this. All I see is reassembled packets retransmitting at an alarming rate. I haven't had to sniff packets at all before, so I'm not sure if what I'm seeing is normal.

From what I understand, a standard MTU is 1500 which I confirmed our Fortigate 200D firewall is set to. A standard TCP MSS is 1460?

1500 - 20 IP header - 20 TCP header = 1460 bytes for data? Max Segment Size?

This does not account for the VPN header, which from what I understand, could be anywhere from 60-100 bytes (We use 3DES and SHA1). We're sending fragmented packets all the time...

This led me to a lot of research that people have had success dropping MTU to 1400 and clamping the TCP MSS to 1350-1300.

Can someone please point me in the right direction in the slightest bit? Is my thinking, at all correct? I don't quite know where to turn as I feel we've got a serious networking issue, but am not quite knowledgeable enough to act upon a concrete theory.

Any and all help would be GREATLY appreciated.
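To put numbers on the MTU/MSS arithmetic in the post above, here is an added example (not code from the original post) that models ESP tunnel-mode overhead for CBC ciphers with HMAC integrity, which is the layout 3DES + SHA1 uses, and finds the largest TCP MSS that still fits a 1500-byte path. The NAT-T and AES cases go beyond the post's specific 3DES/SHA1 question.

```python
"""
IPsec ESP overhead and TCP MSS clamp calculator.

Added example, not code from the original post. It models ESP in tunnel
mode over IPv4 (outer IP header, ESP header, IV, padding, trailer, ICV)
for CBC ciphers with HMAC integrity, which is what 3DES + SHA1 uses.
"""

IPV4_HEADER = 20
TCP_HEADER = 20
ESP_HEADER = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2       # pad length (1 byte) + next header (1 byte)
NAT_T_UDP = 8         # extra UDP/4500 header when NAT traversal is active

# CBC ciphers: (IV length, cipher block size) in bytes
CIPHERS = {"3des": (8, 8), "aes-cbc": (16, 16)}
# HMAC integrity algorithms: truncated ICV length in bytes
INTEGRITY = {"md5": 12, "sha1": 12, "sha256": 16}


def esp_overhead(inner_len, cipher="3des", integrity="sha1", nat_t=False):
    """Bytes added when an inner IPv4 packet of inner_len bytes is tunnelled."""
    iv, block = CIPHERS[cipher]
    icv = INTEGRITY[integrity]
    # Inner packet + padding + trailer must be a multiple of the block size.
    padding = (-(inner_len + ESP_TRAILER)) % block
    return (IPV4_HEADER + ESP_HEADER + iv + padding + ESP_TRAILER + icv
            + (NAT_T_UDP if nat_t else 0))


def fits(mss, path_mtu=1500, cipher="3des", integrity="sha1", nat_t=False):
    """True if a full-size TCP segment with this MSS survives the tunnel unfragmented."""
    inner = IPV4_HEADER + TCP_HEADER + mss
    return inner + esp_overhead(inner, cipher, integrity, nat_t) <= path_mtu


def max_mss(path_mtu=1500, cipher="3des", integrity="sha1", nat_t=False):
    """Largest MSS that fits. Walks down from the plain-Ethernet 1460 because
    block padding makes the overhead jump in steps rather than grow smoothly."""
    mss = path_mtu - IPV4_HEADER - TCP_HEADER
    while mss > 0 and not fits(mss, path_mtu, cipher, integrity, nat_t):
        mss -= 1
    return mss


if __name__ == "__main__":
    for mss in (1460, 1406, 1350):
        print(mss, "fits" if fits(mss) else "fragments")
    print("3DES/SHA1 max MSS:", max_mss())
    print("3DES/SHA1 behind NAT-T max MSS:", max_mss(nat_t=True))
    print("AES-CBC/SHA256 max MSS:", max_mss(cipher="aes-cbc", integrity="sha256"))
```

With 3DES/SHA1 a 1460-byte MSS turns into a 1552-byte tunnel packet, so it fragments, while anything at or below 1406 fits; the 1350-1300 clamps people report leave headroom for NAT-T and for any extra encapsulation on the path.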



Migrating Brocade SAN switches to Cisco

Has anyone here done this? I might be getting into this, and have some questions - probably some that I don't even know I have yet.

I understand that Cisco has a tool in Prime DCNM that will convert the Brocade configs to configs that are usable for the MDS switches. Does it work (well)? Are there other tools or methods for this, or is this the only feasible way to perform this migration in a production environment?

Did you do a rip and replace, cap and grow, inter-operate, or what? What issues did you run into?

If you've had even similar experiences, PLEASE comment. Any and all advice is welcomed!



Comcast MetroE Fiber and SonicWall VPN

Hey Reddit,

Trying to wrap my head around configuring Comcast EDI Fiber (or MetroE Fiber) on SonicWall to use site-to-site VPN. Any assistance is much appreciated. So onto the details.

Topology: Currently our main site is using Level 3 for the WAN connection, 76.x.x.160/28 on a SonicWall NSA2600. LAN is your run-of-the-mill 192.168.1.0/23. We are having 3 remote sites coming online by summer, with 1 already online. All sites will be connected with site-to-site VPN using an NSA2600 at each site. To that end we purchased the Comcast MetroE Fiber 200mb u/d just for the VPN connections. The idea is that regular users' internet will continue to use the Level 3 while Comcast is dedicated for VPN.

Comcast MetroE is assigned with 2 subnets, a WAN block of 50.x.x.56/30 and a consumer block of 50.x.x.48/29 in my case. Currently the site that is already online I am using the only IP available on the WAN block, 50.x.x.58 as the remote gateway and everything is working fine. But ideally I want the 3 remote sites to use the consumer usable IPs of x.49 - x.54 as remote gateways. This is where I'm not sure about.

Consensus from reading online is to use another layer 3 device in front of the SonicWall, but there are also articles on how to set this up without, either by using static ARP or DMZ. None of them is regarding VPN though.

Thanks in advance.



Does anyone sell ready-made network triage kits? If not, how do you suggest I assemble one with an eye toward saving time?

I need to overhaul mine, but if possible, I'd like to save time on research/purchasing.

Stuff I'd much rather buy off-the-shelf instead of building by hand:

  • Clear plastic container of assorted rack nuts, screws, etc.
  • A collection of varying sizes/types of fiber jumpers (SM and MM in varying lengths and connector combinations)
  • The most appropriate container for the kit that will allow good organization, easy transport, quick access to all components. I'm thinking some kind of larger travel suitcase on wheels type of thing? Would need to be pretty big.
  • Clear plastic container for organizing spare modules

I'm looking for as-ready-made-as-possible, but I appreciate any input on building a triage kit.



Anyone using Arista as WAN router?

Any of you guys using Arista as a WAN router? If so what are your thoughts on it?

  1. Are you doing MPLS? If so any issues?
  2. Are you peering with any Cisco devices? If so any issues?
  3. Are you taking in the full route table? Again, any issues?
  4. Any other thoughts?


Copper in a SFP+ device

Hi. I'm thinking about buying a 24xSFP+ device for my small hosting environment. But I still use copper for IPMI and such small things.

The question I got, is it standard that every device can handle SFP copper modules? Or would I need a separate switch for that? I'd like to keep the amount of devices to a minimal because of power usage in my rack.

Thank you in advance!



V380 IP camera RTSP stream issue

Hi,

Working on a project for a customer; he wanted a server for his IP cameras. The original 4 he had are working great, but the last 2 that he just got off Wish (cheap and Chinese) are refusing to work with Ivideon, and I can't even pull the stream in VLC.

Important info:

  • Model: v380
  • OS: Lubuntu
  • Software: Ivideon and VLC
  • Internal URL: rstp://admin@ip/live/ch00_1
  • Admin, no password
  • Port 8899

If I use any other settings than those I get authentication issues, but even with those settings they don't stream.

Any ideas??



Tool for checking flash directory of Cisco device

I'm getting ready to update the software for around 1,000 Cisco switches. I'm wondering if anyone knows if a tool already exists that does / can do the following:

1) Log into the device

2) Check if the software exists, if not download via scp/sftp, if yes report back ready to go.

I've been trying to push the software via SolarWinds NCM but it seems to be failing on half the devices for some reason and now I'm in a state where I'm not sure which switches have the software and which don't.

Sorry if this is a noob question but I'm still new to working in an environment where we have more than a thousand network devices with a team of 3 people.
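The two-step check described above (log in, then decide whether the image is already there) needs a reliable parser on the device side of the conversation. Here is an added example, not code from the original post or from SolarWinds NCM, that works offline on constructed `dir flash:` and `verify /md5` output and goes a step beyond the post by also checking free space and the vendor hash before declaring a switch ready; the image name, size, hash and output formats are assumptions to confirm against your platform.

```python
"""
Decide whether a Cisco IOS switch already holds the target image.

Added example, not from the original post. It works offline on the text
of 'dir flash:' and 'verify /md5 flash:<file> <md5>' as IOS prints them
(formats as assumed here; confirm against your platform). The image name,
size, hash and sample outputs below are constructed placeholders.
"""
import re

# "    2  -rwx    20240084   Mar 1 1993 00:19:51 +00:00  name.bin"
DIR_LINE = re.compile(r"^\s*\d+\s+[-d][rwx-]{3}\s+(?P<size>\d+)\s+.*\s(?P<name>\S+)\s*$")
FREE_LINE = re.compile(r"\((?P<free>\d+) bytes free\)")
VERIFIED_LINE = re.compile(r"Verified \((?P<path>\S+)\) = (?P<md5>[0-9a-fA-F]{32})")


def find_image(dir_output, image_name):
    """Size in bytes of image_name in the 'dir flash:' listing, or None if absent."""
    for line in dir_output.splitlines():
        m = DIR_LINE.match(line)
        if m and m.group("name") == image_name:
            return int(m.group("size"))
    return None


def free_bytes(dir_output):
    """Free flash space reported in the listing's summary line (0 if not found)."""
    m = FREE_LINE.search(dir_output)
    return int(m.group("free")) if m else 0


def md5_matches(verify_output, expected_md5):
    """True only if IOS printed a 'Verified (...) = <md5>' line with the vendor hash."""
    m = VERIFIED_LINE.search(verify_output)
    return bool(m) and m.group("md5").lower() == expected_md5.lower()


def plan_for_switch(dir_output, verify_output, image_name, expected_size, expected_md5):
    """Return the action for one switch:
    'ready'                     image present, right size, hash verified
    'download'                  image absent and there is room for it
    'no-space'                  image absent and flash cannot hold it
    'redownload-size-mismatch'  truncated or different file with the same name
    'redownload-hash-mismatch'  right size but content differs from the vendor hash
    """
    size = find_image(dir_output, image_name)
    if size is None:
        return "download" if free_bytes(dir_output) >= expected_size else "no-space"
    if size != expected_size:
        return "redownload-size-mismatch"
    if not md5_matches(verify_output, expected_md5):
        return "redownload-hash-mismatch"
    return "ready"


# Constructed sample outputs (placeholders, not real images or hashes).
IMAGE = "EXAMPLE-ios-image.bin"
SIZE = 20240084
MD5 = "0123456789abcdef0123456789abcdef"

DIR_WITH_IMAGE = """Directory of flash:/

    2  -rwx    20240084   Mar 1 1993 00:19:51 +00:00  EXAMPLE-ios-image.bin
    3  -rwx        5344   Mar 1 1993 00:07:44 +00:00  config.text

122185728 bytes total (98234368 bytes free)
"""
DIR_WITHOUT_IMAGE = """Directory of flash:/

    3  -rwx        5344   Mar 1 1993 00:07:44 +00:00  config.text

122185728 bytes total (98234368 bytes free)
"""
DIR_FULL = DIR_WITHOUT_IMAGE.replace("98234368", "8234368")      # not enough room
DIR_TRUNCATED = DIR_WITH_IMAGE.replace("20240084", "11000000")   # partial transfer
VERIFY_OK = "Verified (flash:EXAMPLE-ios-image.bin) = 0123456789abcdef0123456789abcdef\n"
VERIFY_BAD = "%Error verifying flash:EXAMPLE-ios-image.bin\n"

if __name__ == "__main__":
    samples = [("s1", DIR_WITH_IMAGE, VERIFY_OK), ("s2", DIR_WITHOUT_IMAGE, ""),
               ("s3", DIR_FULL, ""), ("s4", DIR_TRUNCATED, ""), ("s5", DIR_WITH_IMAGE, VERIFY_BAD)]
    for label, d, v in samples:
        print(label, plan_for_switch(d, v, IMAGE, SIZE, MD5))
```

In a real run the two strings come from `send_command("dir flash:")` and `send_command("verify /md5 ...")` over a Netmiko session, and only switches that come back "ready" should be scheduled to reload.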



SG300 trunk issue

I have 2 SG300 switches in my network. Both have a configured IP address on VLAN 1, which is the sole VLAN on both switches. Current topology is:

              SG300-10
             /        \
    SG300-28(F1)    SG300-28(F2)
         |               |
       HOST1           HOST2

Host 1 and 2 can ping both switches and the switches can ping their respective hosts. But HOST1 and HOST2 cannot ping each other.

Configuration on both SG300-28

int range gi1-25
 switchport mode access
 switchport access vlan 1

int range gi25-28
 switchport mode trunk
 switchport trunk native vlan 1

int range gi1-24
 mdix auto   (SG300 1F)
 mdix on     (SG300 2F)



Recommendations on server lift trolley thing.

I know they exist but I've never seen one in person. Anyone have recommendations on what kind to get? They seem to range in price from $5,000 to $600.

I just about killed myself racking a heavy ass 2U device by myself. I'm not a weak dude, but holding something that weighs 50 pounds with one hand while trying to keep it level enough to screw in gets really tiring. My back isn't in great shape and I'd hate to actually hurt myself.



Windstream MPLS random packet loss (every 4-5 hours)

Yesterday at 9:00PM we received a ton of alerts that our MPLS was having packet loss and latency issues going from our main site to our 5 remote sites. It cleared itself up after about 20 minutes. I did my own ping tests and could see about 25% of the pings failing; after it cleared up we were stable at near 100%.

This happened again at 2:30AM, 7:00AM, and now once again at 11:00AM. We have been in contact with Windstream who says everything looks fine. I don't understand what would cause this to happen at intervals like this and then resolve itself. Not sure where to even start looking as this has been relatively rock solid for months and months.



Is Substratum Going To Be The New Internet?

Hey guys,

Cryptos are really hot right now and now blockchain technology is being used for many more things than just currencies. The other day I was browsing some projects and I encountered something that looked interesting.

It is a project called substratum and it wants to create a decentralized web: https://substratum.net/

I thought the way it worked was pretty interesting, but what do you think, could this be the new way for us to communicate? I would love to hear your thoughts :D



New Building Construction - Emerging Technologies?

We have quite a few new buildings spinning up over the next couple of years, some smaller, some multi story buildings and I'm curious what other network/technology people are seeing out there.

Typically when a building comes online we are obviously very involved with the layout of network jacks, MDF and IDF closets throughout the building, the fiber used, if there's a datacenter we're involved in the electrical side of things.

As more and more devices are becoming IP and server based we are getting more involved in other aspects of the building such as HVAC deployment, smart lighting and access control.

In access control, for example, for decades people have been using 'banana cables' to supply power and copper wiring for communication to the end points. I'm curious if there are any emerging technologies that any of you have been seeing in new construction where they're just PoE devices and don't have the big security boxes mounted in the MDF/IDF closets on plywood on the wall. Would be a lot simpler to just run a Cat 6 cable to the end points and let them get their power/communication from a network switch.

How about smart lighting ballasts? Anyone starting to utilize these with Cat 6 cabling going directly into the ballasts yet?

Just curious what others might be looking at for future construction.



Meraki MX400 virtual IP, load balancing, HA?

Apologies if this is not the right sub but my question deals primarily with the networking aspect of supporting an ADFS HA setup. Help is appreciated.

My org uses an MX400 to do NAT, and I am setting up ADFS such that we have two ADFS proxy servers (off the domain) behind the firewall. Those are joined to a pair of ADFS servers which point to our AD.

My question is, for Meraki can I use 1:many NATting to load balance between the two proxy servers such that if one of the proxy servers or ADFS servers goes down, it will default to the other pair? How would the Meraki know to do that? Is this even the right implementation?

I'm not that good on meraki so help is appreciated.



[Q] How does Viptela tunnel work with ISP CoS?

Can't see this clearly (definitely missing something) - looking at the Viptela solution, I see that they build tunnels over any connection type, which makes me wonder about how they would address today's "direct" CE-PE with QoS on the customer side and CoS on the ISP side. If tunneled, how do I guarantee the prioritization in the MPLS provider's network?



Cisco Nexus 9k 1U and 2U chassis LEDs post boot

Can anyone confirm for me the LEDs that are normally lit on post boot of a blank 9k? I can't seem to find the information anywhere.



Trunk from V1910-24G-PoE to Dell T30 Server

If I get a PCI NIC for the server with 4 ports, would it be possible to set up a trunk (Cisco: EtherChannel) to the server? If so, which NIC would you recommend?