Saturday, March 10, 2018

Cisco Interface0/1(LAN) is not sending traffic out Interface0/0(WAN)

Got a question that's a bit rough. So currently we have this setup ( https://i.imgur.com/wedBAO2.jpg ) where we are not using the OVS (openvswitch) connection anymore, aka the triangle. We made an actual interface on the server to bypass this, but that's not the issue. Palo is a VM and Cisco is a physical 2811 router; Palo is connected to Interface0/1 and can successfully ping it, but cannot get out, whereas the Cisco router itself can ping out to 8.8.8.8 on Interface0/0.

Our Cisco config is:

Current configuration : 959 bytes
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Srd4$FruvokoxY9bb7jJiYMoHJ/ (it's just password, literally)
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
ip cef
!
interface FastEthernet0/0
 ip address 10.254.0.41 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
!
router rip
 version 2
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip default-gateway 10.254.0.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.254.0.1
!
ip http server
!
control-plane
!
banner motd C How are you today C
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
!
end

I can ping the LAN IP from Palo, and the WAN IP from Palo; I cannot, however, hit the router on the other side of the Cisco router.

Any advice would help.

Thanks.
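A check worth running on a config like the one above, added here as an example (my code, not the poster's): parse the interfaces, RIP networks and default route out of the IOS config and report, for every non-WAN subnet, whether the box translates it or whether the upstream gateway has to carry a route back to it. The config excerpt is reduced to the lines the check needs; the `NAT_VARIANT` block is a constructed comparison that adds `ip nat inside`/`ip nat outside` roles so the report flips, and is not a claim about the poster's network.

```python
import ipaddress
import re

# Constructed excerpt of the IOS config shown in the post above (the parts that
# matter for the check: interfaces, RIP and the default route).
POSTED_CONFIG = """\
interface FastEthernet0/0
 ip address 10.254.0.41 255.255.255.0
!
interface FastEthernet0/1
 ip address 172.16.2.1 255.255.255.0
!
router rip
 version 2
 network 10.0.0.0
 network 172.16.0.0
!
ip route 0.0.0.0 0.0.0.0 10.254.0.1
"""

# Hypothetical variant with interface NAT roles added, to show the check flipping.
# Constructed for the example, not taken from the post.
NAT_VARIANT = POSTED_CONFIG.replace(
    " ip address 10.254.0.41 255.255.255.0\n",
    " ip address 10.254.0.41 255.255.255.0\n ip nat outside\n",
).replace(
    " ip address 172.16.2.1 255.255.255.0\n",
    " ip address 172.16.2.1 255.255.255.0\n ip nat inside\n",
)


def parse_config(config):
    """Walk the config block by block (a block ends at '!') and collect interface
    addresses, per-interface NAT roles, RIP networks and the default route."""
    ifaces, nat_roles, rip_nets, default_gw = {}, {}, [], None
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "router rip":
            current = "router rip"
        elif current == "router rip" and line.startswith("network "):
            rip_nets.append(line.split()[1])
        elif current and line.startswith("ip address "):
            _, _, addr, mask = line.split()
            ifaces[current] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif current and line.startswith("ip nat "):
            nat_roles[current] = line.split()[2]  # 'inside' or 'outside'
        elif re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", line):
            default_gw = ipaddress.ip_address(line.split()[4])
    return {"ifaces": ifaces, "nat_roles": nat_roles,
            "rip_nets": rip_nets, "default_gw": default_gw}


def return_path_report(config):
    """For each non-WAN subnet, replies from beyond the default gateway can only
    come back if the router translates it (inside+outside NAT roles present) or
    the upstream holds a route for it. RIP advertisements only help if the
    upstream actually runs RIP, so they are listed, not trusted."""
    cfg = parse_config(config)
    gw = cfg["default_gw"]
    wan = next((n for n, i in cfg["ifaces"].items() if gw and gw in i.network), None)
    nat_on = {"inside", "outside"} <= set(cfg["nat_roles"].values())
    needs_route = [str(i.network) for n, i in cfg["ifaces"].items()
                   if n != wan and not nat_on]
    return {
        "wan_interface": wan,
        "default_gateway": str(gw) if gw else None,
        "nat_configured": nat_on,
        "rip_advertised": cfg["rip_nets"],
        "upstream_needs_route_to": needs_route,
    }


if __name__ == "__main__":
    print("as posted :", return_path_report(POSTED_CONFIG))
    print("with NAT  :", return_path_report(NAT_VARIANT))
```

The report says nothing about whether the upstream actually has such a route; it only tells you which subnets you need to verify on the far side (or on the Palo, which needs a route for 10.254.0.0/24 and beyond via 172.16.2.1).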



Why are these pings going through?

In the picture, I am connected to SW1. Only SW1 is configured with an IP address and is in 'connected' status. I don't understand why pings are going through to SW2 on the other side. Maybe it's a Cisco error...

https://imgur.com/BB9771P

EDIT: first ping is going to R2, second ping is to SW2



BGP route-policies / prefix-list best practices?

After a merger we have a somewhat large corporate network soon to run MPLS & BGP all the way through the company (so far I've just done a quick & dirty eBGP between a couple of our networks to add the other half of our new company). We have some overlapping networks; however, I don't think they're that critical as they're usually some old local LAN networks that mostly need to talk to local servers, or we can NAT them.

But what I'd like to ask you guys is how would you do route-policies in this kind of a network? Would you manually enter all the networks each site has and then add them to your IPAM as you go (the other company only has Excel sheets for their networks...), then permit the networks you've gone through that don't overlap and that you want to allow into the core network? Or just allow anything and then figure it out later if something breaks?

Larger sites currently have something like 500 routes, and then there are smaller sites that have only a few. On our side we also have firewalls doing BGP; we try to avoid manually entering static routes anywhere. The FWs don't, however, do much policing or anything advanced, as that's not their main purpose.

Thanks!
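The "go through the networks and permit the ones that don't overlap" approach from the question, as an added example (my code, not anything from the thread): feed it the per-site prefix lists from the IPAM or the Excel sheets, let it find cross-site overlaps, and render an IOS-style prefix-list of the clean prefixes per site. The site names and prefixes below are constructed sample data.

```python
import ipaddress

# Constructed sample: prefixes each site will advertise (not real company data).
SITES = {
    "company-a-hq": ["10.10.0.0/16", "10.20.0.0/24", "192.168.1.0/24"],
    "company-b-plant": ["10.10.5.0/24", "10.30.0.0/16", "192.168.1.0/24"],
    "company-b-office": ["10.40.0.0/22", "172.16.0.0/12"],
}


def find_overlaps(sites):
    """Every pair (site1, prefix1, site2, prefix2) where prefixes from two different
    sites overlap; an exact duplicate counts as an overlap too."""
    entries = [(site, ipaddress.ip_network(p)) for site, ps in sites.items() for p in ps]
    overlaps = []
    for i, (s1, n1) in enumerate(entries):
        for s2, n2 in entries[i + 1:]:
            if s1 != s2 and n1.overlaps(n2):
                overlaps.append((s1, str(n1), s2, str(n2)))
    return overlaps


def clean_prefixes(sites):
    """Per site, the prefixes that collide with nothing elsewhere, i.e. the ones
    that are safe to permit towards the core without NAT or renumbering."""
    conflicting = set()
    for s1, p1, s2, p2 in find_overlaps(sites):
        conflicting.add((s1, p1))
        conflicting.add((s2, p2))
    return {site: [p for p in ps if (site, p) not in conflicting]
            for site, ps in sites.items()}


def ios_prefix_list(name, prefixes, le=None):
    """Render an IOS-style ip prefix-list. Without 'le' each entry matches only
    that exact prefix length, so a site advertising more-specifics of its block
    needs 'le' set; the closing deny is explicit for readability (IOS denies by
    default at the end anyway)."""
    lines, seq = [], 10
    for p in prefixes:
        suffix = f" le {le}" if le else ""
        lines.append(f"ip prefix-list {name} seq {seq} permit {p}{suffix}")
        seq += 10
    lines.append(f"ip prefix-list {name} seq {seq} deny 0.0.0.0/0 le 32")
    return "\n".join(lines)


if __name__ == "__main__":
    for hit in find_overlaps(SITES):
        print("overlap:", hit)
    for site, ps in clean_prefixes(SITES).items():
        print(ios_prefix_list(f"PL-{site.upper()}-IN", ps, le=24))
        print()
```

Overlapping prefixes are deliberately left out of the generated lists rather than silently permitted, so the decision about NAT or renumbering stays a human one per site.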



Visual AWS VPC flow logs



Coax tracing

I'm trying to get my MoCA adapter to work because the house has coax I'm not going to use for anything else (Yay fiber!). I bought a tone tracer and put the one end by where the router is and tested every connection in the box outside, but got no tone. Does that mean there's a short someplace, or is there a connection I'm not aware of?

Any ideas?

Thanks in advance



L3 Switch routing to WAN router

I have a Cisco 3850 providing inter-vlan routing between four VLANs: 10, 20, 30, and 40. Interface g0/1 of the 3850 connects back to the LAN interface of a router.

To accomplish the inter-vlan routing, the hosts all have their default gateway set back to the interface IP of the 3850 on their respective VLANs. However, I'm now trying to figure out how to properly route internet bound packets correctly.

The easiest method is to have the router implement router-on-a-stick but I specifically want to keep the 3850 as the inter-vlan routing device for performance reasons.

Do I need to put a static route into the 3850 to forward internet bound packets out g0/1? If so, how would I still have internal access to the router? Just have it implement an SVI on one of the VLANs and make g0/1 an access port?

Any feedback is appreciated.



Guest Wifi over IPSEC

So, I'm looking to see if anyone has any knowledge or an in-place design to implement a guest network at remote branches/facilities. I already have established IPSec tunnels to these branches with a mix of DHCP relays and DHCP services provided by the router. However, I would like to consolidate DHCP and DNS requests to traverse the VPN tunnel for the guest hotspot portal I have enabled to access the TOS and possibly Facebook check-in or paid vouchers... The equipment I have for this idea is 1 5506-X, 1 5505, and 2 Ubiquiti APs. The controller resides at the facility with the 5506-X. Any help would be appreciated. Ask me for more information if needed.



Verifying PXE Boot (Error: "PXE-M0F: Exiting Intel Boot Agent") is/isn't the network causing it to fail?

Desktop team is trying to PXE-Boot to their WDS server from within the same subnet as that server. Typically the boot file path ends in .com from what I see set on other subnets, but they gave me a path ending in a .iso. Does this make any difference? I wouldn't think so since it's the path on the server itself.

I've set up the subnet DHCP configuration options (66/67) to include the Next Server & Boot file name (w/ path) and verified that the DHCP helpers are present in the VLAN configuration for the subnet.

I've done a packet capture and can see the Next Server is there, but I get "Boot file name not given" which I think is because I was using my laptop which isn't going to request it. Is my only option to mirror their port during their PXE Boot attempt?

Other questions: 1. How do you typically verify PXE Boot from the network perspective? 2. Is there a cli tool to verify/request options received by DHCP Servers so that I can properly run a packet capture w/out having to perform a PXE boot?

I've been going through documentation trying to get more familiar w/ this.
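For the "verify from the network perspective" question: what the capture has to show is a DHCPOFFER/DHCPACK whose next-server and boot file name are actually populated, and they can live in two places (the `siaddr`/`file` header fields, or options 66/67). The parser below is an added example (my code, not the poster's or WDS's) that takes the raw UDP payload of a DHCP reply, decodes the RFC 2131 header and option TLVs, and reports what a PXE client would get. It builds its own sample offers inline with documentation-range addresses and a made-up boot file path, so it runs without a capture; the precedence it applies (option first, header field as fallback) is a simplification of what real PXE firmware does.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header, 236 bytes


def build_offer(yiaddr, siaddr, bootfile, options):
    """Construct a DHCPOFFER for offline testing (a sample, not a capture).
    `options` is a list of (code, bytes) in wire order."""
    hdr = struct.pack(
        HDR,
        2, 1, 6, 0,                  # BOOTREPLY, Ethernet, hlen 6, hops 0
        0x3903F326, 0, 0x8000,       # xid, secs, broadcast flag
        b"\0" * 4,                   # ciaddr
        ipaddress.ip_address(yiaddr).packed,
        ipaddress.ip_address(siaddr).packed,        # siaddr = "next server"
        b"\0" * 4,                   # giaddr
        bytes.fromhex("001122334455").ljust(16, b"\0"),
        b"\0" * 64,                  # sname
        bootfile.encode().ljust(128, b"\0"),        # legacy boot file field
    )
    body = b"".join(struct.pack("!BB", code, len(v)) + v for code, v in options)
    return hdr + MAGIC + body + b"\xff"


def parse_dhcp(pkt):
    """Decode header fields and option TLVs; ValueError on a non-DHCP payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    f = struct.unpack(HDR, pkt[:236])
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:                # pad
            i += 1
            continue
        if code == 255:              # end
            break
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    cstr = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    return {"op": f[0],
            "yiaddr": str(ipaddress.ip_address(f[8])),
            "siaddr": str(ipaddress.ip_address(f[9])),
            "sname": cstr(f[12]), "file": cstr(f[13]), "options": opts}


def pxe_check(msg):
    """What a PXE client needs from the reply. Options 66/67 are read first and the
    siaddr/file header fields used as fallback (simplification); a trailing NUL on
    option 67, which some servers send, is tolerated."""
    o = msg["options"]
    cstr = lambda b: b.decode("ascii", "replace").rstrip("\0")
    next_server = cstr(o[66]) if 66 in o else msg["siaddr"]
    bootfile = cstr(o[67]) if 67 in o else msg["file"]
    return {
        "message_type": o[53][0] if 53 in o else None,    # 2 = DHCPOFFER, 5 = DHCPACK
        "next_server": None if next_server in ("", "0.0.0.0") else next_server,
        "bootfile": bootfile or None,
        "pxe_vendor_class": o.get(60, b"").startswith(b"PXEClient"),
    }


# Constructed samples; addresses from the 192.0.2.0/24 documentation range and a
# made-up NBP path. OFFER_NO_BOOT mirrors a reply with nothing for PXE in it.
OFFER_OK = build_offer("192.0.2.50", "192.0.2.10", "", [
    (53, b"\x02"),
    (54, ipaddress.ip_address("192.0.2.1").packed),
    (60, b"PXEClient"),
    (66, b"192.0.2.10"),
    (67, rb"boot\x64\example-nbp.com" + b"\0"),
])
OFFER_NO_BOOT = build_offer("192.0.2.51", "0.0.0.0", "", [
    (53, b"\x02"),
    (54, ipaddress.ip_address("192.0.2.1").packed),
])

if __name__ == "__main__":
    print(pxe_check(parse_dhcp(OFFER_OK)))
    print(pxe_check(parse_dhcp(OFFER_NO_BOOT)))
```

Feed `parse_dhcp` the UDP payload of the server's reply from your capture (bootps/bootpc traffic on the client's VLAN, or a mirror of the client port). A reply that decodes like `OFFER_NO_BOOT` is the "Boot file name not given" case from the post: the server answered, but nothing in it tells the firmware where to fetch the NBP, which points at the server-side option scope rather than at the helper addresses.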



Source for 2500 series chassis emblem?

So I have 3 2500 series routers that are missing the Cisco emblems on the chassis... is there a good source to replace them?
I checked eBay with no luck.
I know this seems dumb but it bugs me to see the blank area and the holes where the emblem should go.

picture



VOIP without dedicated VLAN - experiences?

Hi,

our org is planning to move away from "good" old semi-analog phones to VOIP this year. I've been reading quite a bit about the requirements for VOIP over the last few days, and the general consensus is that VOIP devices should be on a dedicated VLAN and subnet. However, unfortunately many of our access switches do not support 802.1Q, so it looks like all phones will have to share their network with the standard endpoint VLAN.

We have enough bandwidth on most of the sites so we don't really have to worry about doing QoS and so on, which seems to be the main reason for separating phones from the rest of the network. Are there other reasons for separating VOIP from other data traffic? Have you deployed VOIP without separation before?

If it is necessary to separate VOIP from other traffic, we'll have a hard time implementing VOIP in the near future.

Thanks for your help.



BGP route-map placement/basic route question

Summary: Where best to place route maps from this diagram? Core needs static routes to reach external?

https://imgur.com/a/LLiur

Currently following this guide: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html#anc15

Load Sharing When Multihomed to Two ISPs Through Multiple Local Routers

edit-1: Feeling that if I deny traffic/configure route maps on the Edge, packets will start to get dropped, as the traffic would have already left the Core-1 router.

Currently have a BGP network as seen below; the CORE-1 needs default routes currently to both edge loopbacks, 10.10.12.5 and 10.10.12.6, so that full connectivity works. Although these can be changed from default to specific routes, I would like to keep them as default routes, with route maps deciding which way specific traffic goes.

Also for your information the core router is just running OSPF and not BGP.

Thank you very much, I can provide more details if required. Hopefully I was clear enough!



Switching vs Routing performance

I'm trying to understand the difference in performance between those two types of traffic pushing. AFAIK if routing is performed in hardware using TCAM memory, routing and switching should have more or less the same forwarding performance (both for throughput and pps), but I was recently told that this might not be the case. If your hardware has enough TCAM for your needs, would there be any performance differences between those two approaches?

In the case of similar network designs, one based on switching, the second on routing, if the main requirement is forwarding performance, what would be the preferable solution? I'm thinking that to save TCAM (and use it for some other purpose, e.g. ACLs), switching should be chosen.



How is your experience with Ubiquiti's RMA / warranty department?

Hi

I've been using Ubiquiti UniFi APs for a couple of years and in different locations, where so far (knowing and understanding their limitations, that is) they've been pretty much "good enough" in a lot of cases in Education and SMB. Their APs are cheap enough to keep spares on site and they are also quickly replaced in case of failure. However, Ubiquiti hasn't always been able to keep steady stock levels (thus keeping spares on site...).

I've been looking a bit into their Edge Switches, and since a switch failure potentially causes more disruption than a single Access Point, I'm questioning how quickly and hassle-free their RMA department works for customers (in my case) within Europe. Anyone who can share their experience with Ubiquiti's RMA department?

I've had good experiences with both HPE/Aruba and (yes, don't crucify me) Netgear with their managed switches in terms of RMA replacements. Thus I'm curious, since the use case I have rarely allows the budget for Cisco equipment.



Where can I learn?

Hey everyone. I'm a senior software engineering student who's really interested in Enterprise level networking. I'd like to learn and work in that field too.

What I really wonder is, however, where can I learn starting with the basics? Are there any sources you can suggest other than YouTube?

Thank you all in advance.



Switch vs Router?

Now, I don't need an explanation of what they are, but way way back a family friend told me, that if I want a better connection, always be connected directly to the router. Now, this was ten years ago, and I have never faulted from this "way of internets". Now, where I'm at now, it would make so much sense to be connected with a switch, since we have everything centralized in the house, but here I am needing to be directly connected.

So, is this way of thinking just plain stupid? I guess I have gone down this path that if I am connected to the router I'll get our full speeds, but if I'm on a switch I'll be basically sharing a connection with everyone connected to the switch.

Someone set me straight.



Friday, March 9, 2018

Working for a VAR/Vendor

I see a lot of the network engineers here end up working at VARs/vendors and I'm wondering how you guys go about landing these gigs. I've heard working for a VAR is one of the best things you can do since you'll get to deploy new equipment and see a bunch of different customer networks, but every time I go job hunting I never see these positions pop up on Indeed.

Do you guys get hired through word of mouth, or are you finding these positions online? I'm very interested in getting into this line of work. I've been doing networking for an enterprise and it's one of the most boring things I've done.



Can someone explain how internet bandwidth is distributed in an office environment?

Hello,

If my office (80 users total) purchased 300 Mbps of data from our ISP, why is it that when I check each user's network adapter status, on Wi-Fi it shows 400 Mbps and on Ethernet it shows 1000 Mbps? Are those numbers just showing theoretically what that device could potentially get if available?

And when I run a speed test on some users' computers, it only shows about 120 Mbps.

I think I understand bandwidth in the sense of the number of lanes on a highway, but all these numbers don't make sense to me.

And I've heard ISP and other IT people mention..."You could get up to speeds of blah blah...." Is there not a minimum or maximum guarantee of the amount of data we're paying for? Is it just what's available that day or hour in that area?

Could someone explain it to me, thanks!



Ouvis' P2P Connectivity Feature for remote and local camera access - how does it work?

I have put some IP cameras in my house recently and I've got a few APs with multiple SSIDs and VLAN-capable managed switches, and I live out in the sticks. I have a backup generator and primary internet is high-speed cable, but I have satellite backup too. This past weekend we had a big storm that knocked out power, the cable modem, and even covered my dish in too much snow to get signal. Now I'm trying to fix all the things that didn't survive on their own, and part of that includes Ouvis security cameras with a "P2P" feature for remote and local LAN access. Their documentation sucks, and before I go taking pcaps to reverse engineer how their P2P feature lets you connect to the cameras, I'm wondering if anyone else has any knowledge of this protocol and/or how I can make it work when I'm offline; perhaps special local DNS entries, etc.



Getting an Intern for the summer

Hey everyone!

I’m currently working in a Tier 3 Networking Engineering role. We have an intern with a software development background who is interested in networking.

I really want it to be worth it for him to get the most out of this summer, so I'm looking for recommendations on different tasks or projects we can give him.

Any recommendations are appreciated!



Proxmox LACP Help

http://ift.tt/2oXP60Z

Feeding my connection from router to better router

So I am reasonably techie but not so much in the networking dept. I would prefer to get some advice from a pro. I have two Xbox Ones that I would like to both have a permanently open NAT type. Unfortunately this can only be done through a router that allows UPnP, and the 'Pace 5268AC FXN' supplied by AT&T absolutely sucks and doesn't allow this. The DMZ and just all-around router settings are awful.

So I am going to buy a good D-Link router that allows more functionality in the settings, specifically UPnP and easier port forwarding. Can I switch it out for the default router my ISP provided, or do I have to 'feed' the connection from the gateway router to the new router in order to be able to do what I'm trying to do?

Any advice would be appreciated and any info on peripherals I also might need to do this would be great.

Thanks!



Setting up home network, need some advice

Hey guys, so my fiancée and I just bought a house and are closing on the 14th. Cox is the only provider in my area with higher speeds, so we went with them.

I'm going with 100 Mbps and did not want to rent their equipment, so I'm purchasing my own.

My question is: is a separate modem and router better in terms of performance and security than a modem/router all-in-one?

Also, I see I need a DOCSIS 3 modem. While browsing Amazon I see some that have higher and lower channel bonding, for instance one was 8x4, another 16x4. Is higher better in this instance? I googled it but didn't really understand it.

I do a lot of online gaming and school work for reference.

Thanks for any advice



Cisco ASA remote VPN access to tunneled network

So I thought I had this all figured out. Everything is working beautifully except that the remote VPN network can't access the networks at the ends of either configured tunnel. Networks behind the inside interface have no issue accessing "dr" and "office-s". When I remote into colo1 and get an address in 10.16.94.0/23, I can't access "dr" or "office-s". Packet-tracer tells me it is failing due to NAT, so I've tried a variety of NAT rules to remedy this with no effect. My google-fu is failing me as well...

What have I got configured wrong?

colo1-sgf.png

ASA Version 9.1(7)23 ! hostname colo1-asa5510 domain-name domain.com xlate per-session deny tcp any4 any4 xlate per-session deny tcp any4 any6 xlate per-session deny tcp any6 any4 xlate per-session deny tcp any6 any6 xlate per-session deny udp any4 any4 eq domain xlate per-session deny udp any4 any6 eq domain xlate per-session deny udp any6 any4 eq domain xlate per-session deny udp any6 any6 eq domain names dns-guard ip local pool ipool1-mfa-vpn 10.16.94.5-10.16.94.254 mask 255.255.254.0 ip local pool ipool2-mfa-vpn 10.16.95.2-10.16.95.249 mask 255.255.254.0 ! interface Ethernet0/0 nameif outside security-level 0 ip address i.s.p.133 255.255.255.248 standby i.s.p.134 ! interface Ethernet0/1 description inside no nameif no security-level no ip address ! interface Ethernet0/1.201 vlan 201 nameif inside-vlan201 security-level 100 ip address 10.16.64.254 255.255.255.0 standby 10.16.64.253 ! interface Ethernet0/2 description dmz no nameif no security-level no ip address ! interface Ethernet0/2.208 vlan 208 nameif dmz-vlan208 security-level 50 ip address 10.16.70.1 255.255.255.0 standby 10.16.70.2 ! interface Ethernet0/3 description LAN/STATE Failover Interface ! interface Management0/0 description ##OPEN shutdown no nameif no security-level no ip address ! 
boot system disk0:/asa917-23-k8.bin ftp mode passive dns domain-lookup inside-vlan201 dns server-group DefaultDNS name-server 10.6.5.10 name-server 10.6.5.11 domain-name domain.com same-security-traffic permit intra-interface object network on-mfa-vpn subnet 10.16.94.0 255.255.254.0 object network on-dmz-10.16.70.0 subnet 10.16.70.0 255.255.255.0 object network on-inside-10.16.64.0 subnet 10.16.64.0 255.255.255.0 object network on-10.50.2.0-24 subnet 10.50.2.0 255.255.255.0 object-group network ogn-office-b network-object 10.6.4.0 255.255.255.0 network-object 10.6.6.0 255.255.255.0 network-object 10.6.7.0 255.255.255.0 network-object 10.6.22.0 255.255.254.0 network-object 10.6.24.0 255.255.254.0 network-object 10.6.26.0 255.255.255.0 network-object 10.6.48.0 255.255.255.0 network-object 10.6.49.0 255.255.255.0 network-object 10.6.51.0 255.255.255.0 network-object 10.6.57.0 255.255.255.0 network-object 10.6.99.0 255.255.255.0 network-object 10.6.245.0 255.255.255.0 network-object 10.6.252.0 255.255.255.0 network-object 172.29.2.0 255.255.255.0 network-object 172.29.8.0 255.255.255.0 network-object 172.29.14.0 255.255.255.0 network-object 172.29.15.0 255.255.255.0 network-object 172.29.16.0 255.255.255.0 network-object 172.29.23.0 255.255.255.0 network-object 10.6.144.0 255.255.254.0 object-group network ogn-colo1 network-object 10.6.3.0 255.255.255.0 network-object 10.6.5.0 255.255.255.0 network-object 10.16.64.0 255.255.224.0 network-object 172.29.2.0 255.255.255.0 network-object 172.29.4.0 255.255.255.0 network-object 172.29.6.0 255.255.255.0 network-object 172.29.7.0 255.255.255.0 network-object 172.29.9.0 255.255.255.0 network-object 172.29.10.0 255.255.255.0 network-object 172.29.11.0 255.255.255.0 network-object 172.29.21.0 255.255.255.0 object-group network ogn-office-d network-object 10.2.0.0 255.255.0.0 network-object 10.5.0.0 255.255.0.0 network-object 10.8.0.0 255.255.0.0 network-object 10.11.0.0 255.255.0.0 network-object 10.33.0.0 255.255.0.0 
network-object 10.50.6.0 255.255.255.0 network-object 10.50.7.0 255.255.255.0 network-object 10.64.70.0 255.255.255.0 network-object 10.64.78.0 255.255.255.0 network-object 192.168.200.0 255.255.255.0 object-group network ogn-office-e network-object 10.50.13.0 255.255.255.0 network-object 10.50.15.0 255.255.255.0 object-group network ogn-office-h network-object 10.4.0.0 255.255.0.0 object-group network ogn-sas network-object 10.16.70.92 255.255.255.255 network-object 10.16.70.93 255.255.255.255 object-group network ogn-office-n network-object 10.1.0.0 255.255.0.0 object-group network ogn-office-s network-object 10.50.2.0 255.255.255.0 object-group network ogn-office-t network-object 10.50.6.0 255.255.255.0 network-object 10.50.7.0 255.255.255.0 object-group network ogn-cloud1 network-object 10.36.0.0 255.255.0.0 object-group network ogn-dr network-object 10.6.151.0 255.255.255.0 network-object 10.6.205.0 255.255.255.0 network-object 10.6.248.0 255.255.255.0 network-object 10.6.250.0 255.255.255.0 network-object 172.29.206.0 255.255.255.0 network-object 172.29.214.0 255.255.255.0 network-object 172.29.215.0 255.255.255.0 object-group network ogn-mfa-vpn-split group-object ogn-office-b group-object ogn-office-d group-object ogn-office-e group-object ogn-office-h group-object ogn-office-n group-object ogn-office-s group-object ogn-office-t group-object ogn-cloud1 group-object ogn-dr group-object ogn-colo1 object-group network ogn-rfc1918 network-object 192.168.0.0 255.255.0.0 network-object 172.16.0.0 255.240.0.0 network-object 10.0.0.0 255.0.0.0 object-group network ogn-pbx network-object 10.6.6.124 255.255.255.255 network-object 10.16.64.59 255.255.255.255 network-object 10.16.64.61 255.255.255.255 network-object 10.16.64.62 255.255.255.255 network-object 10.16.64.63 255.255.255.255 network-object 10.16.64.64 255.255.255.255 network-object 10.16.64.65 255.255.255.255 network-object 10.16.64.66 255.255.255.255 network-object 10.16.64.67 255.255.255.255 network-object 
10.16.64.68 255.255.255.255 network-object 10.16.64.122 255.255.255.255 network-object 10.16.64.123 255.255.255.255 object-group network ogn-colo1-to-dr-remote network-object 10.6.151.0 255.255.255.0 network-object 10.6.205.0 255.255.255.0 network-object 10.6.248.0 255.255.255.0 network-object 10.6.250.0 255.255.255.0 network-object 172.29.206.0 255.255.255.0 network-object 172.29.214.0 255.255.255.0 network-object 172.29.215.0 255.255.255.0 object-group network ogn-colo1-to-dr-local network-object 10.6.3.0 255.255.255.0 network-object 10.6.5.0 255.255.255.0 network-object 10.16.64.0 255.255.224.0 network-object 172.29.6.0 255.255.255.0 network-object 172.29.10.0 255.255.255.0 network-object 172.29.21.0 255.255.255.0 object-group network ogn-colo1-office-s-local network-object object on-mfa-vpn object-group network ogn-colo1-office-s-remote network-object object on-10.50.2.0-24 access-list acl-mfa-vpn-split extended permit ip object-group ogn-mfa-vpn-split object on-mfa-vpn access-list acl-colo1-to-dr extended permit ip object-group ogn-colo1-to-dr-local object-group ogn-colo1-to-dr-remote access-list acl-dmz-inside-vlan201 extended permit ip object-group ogn-sas object-group ogn-pbx access-list acl-dmz-inside-vlan201 extended deny ip any4 object-group ogn-rfc1918 access-list acl-dmz-inside-vlan201 extended permit ip any4 any4 access-list acl-colo1-office-s extended permit ip object-group ogn-colo1-office-s-local object-group ogn-colo1-office-s-remote access-list cap extended permit ip any4 any4 pager lines 24 logging enable logging monitor debugging logging asdm informational mtu outside 1500 mtu inside-vlan201 1500 mtu dmz-vlan208 1500 failover failover lan unit secondary failover lan interface fo-link Ethernet0/3 failover key *** failover timeout -1 failover link fo-link Ethernet0/3 failover interface ip fo-link 10.255.255.100 255.255.255.0 standby 10.255.255.200 monitor-interface inside-vlan201 icmp unreachable rate-limit 1 burst-size 1 icmp permit any outside 
icmp permit any inside-vlan201 asdm image disk0:/asdm-791.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (inside-vlan201,any) source static ogn-colo1-to-dr-local ogn-colo1-to-dr-local destination static ogn-colo1-to-dr-remote ogn-colo1-to-dr-remote no-proxy-arp route-lookup nat (inside-vlan201,outside) source dynamic ogn-rfc1918 interface nat (outside,outside) source dynamic on-mfa-vpn interface nat (outside,inside-vlan201) source static on-mfa-vpn on-mfa-vpn nat (dmz-vlan208,outside) source dynamic on-dmz-10.16.70.0 interface access-group acl-dmz-inside-vlan201 in interface dmz-vlan208 route outside 0.0.0.0 0.0.0.0 i.s.p.129 1 route inside-vlan201 10.6.0.0 255.255.0.0 10.16.64.1 1 route outside 10.6.151.0 255.255.255.0 i.s.p.129 1 route outside 10.6.205.0 255.255.255.0 i.s.p.129 1 route outside 10.6.248.0 255.255.255.0 i.s.p.129 1 route outside 10.6.250.0 255.255.255.0 i.s.p.129 1 route inside-vlan201 10.16.0.0 255.255.0.0 10.16.64.1 1 route inside-vlan201 10.36.0.0 255.255.0.0 10.16.64.1 1 route inside-vlan201 172.29.0.0 255.255.0.0 10.16.64.1 1 route outside 172.29.206.0 255.255.255.0 i.s.p.129 1 route outside 172.29.214.0 255.255.255.0 i.s.p.129 1 route outside 172.29.215.0 255.255.255.0 i.s.p.129 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy aaa-server aaa-mfa-vpn protocol radius aaa-server aaa-mfa-vpn (inside-vlan201) host 10.16.64.6 key *** no mschapv2-capable aaa-server aaa-mfa-vpn (inside-vlan201) host 10.6.6.6 key *** no mschapv2-capable user-identity default-domain LOCAL aaa authentication http console LOCAL aaa authentication ssh 
console LOCAL aaa authorization command LOCAL crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec security-association pmtu-aging infinite crypto dynamic-map outside_dynmap 65535 set ikev1 transform-set ESP-AES-256-SHA crypto dynamic-map outside_dynmap 65535 set ikev2 ipsec-proposal AES256 AES192 AES crypto map outside_map 10 match address acl-colo1-to-dr crypto map outside_map 10 set pfs crypto map outside_map 10 set peer dr.36 crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA crypto map outside_map 10 set security-association lifetime seconds 2147483640 crypto map outside_map 10 set security-association lifetime kilobytes 2147483646 crypto map outside_map 20 match address acl-colo1-office-s crypto map outside_map 20 set pfs group5 crypto map outside_map 20 set peer office-s.130 crypto map outside_map 20 set ikev1 transform-set ESP-AES-128-SHA crypto map outside_map 20 set security-association lifetime seconds 28800 crypto map outside_map 20 set security-association lifetime kilobytes 4608000 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dynmap crypto map outside_map interface outside crypto ca trustpoint ASDM_TrustPoint0 enrollment terminal fqdn fqdnvpn.com subject-name 
CN=fqdnvpn.com,O=office-b,C=office-b,St=office-b,L=office-b
 keypair fqdnvpn.com
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate ***
 quit
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside-vlan201
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.6.3.1 source inside-vlan201 prefer
ssl encryption aes256-sha1 aes128-sha1 rc4-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05160-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
group-policy gp-mfa-vpn internal
group-policy gp-mfa-vpn attributes
 wins-server none
 dns-server value 10.6.5.10 10.6.5.11
 vpn-idle-timeout 60
 vpn-session-timeout 600
 vpn-tunnel-protocol ikev1 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-mfa-vpn-split
 default-domain value domain.com
 split-dns value domain.com
 webvpn
  anyconnect keep-installer installed
  anyconnect ask none default anyconnect
tunnel-group mfa-VPN type remote-access
tunnel-group mfa-VPN general-attributes
 address-pool ipool1-mfa-vpn
 address-pool ipool2-mfa-vpn
 authentication-server-group aaa-mfa-vpn
 default-group-policy gp-mfa-vpn
tunnel-group mfa-VPN webvpn-attributes
 group-alias mfa-VPN enable
tunnel-group mfa-VPN ipsec-attributes
 ikev1 pre-shared-key d3w0FMTN
tunnel-group dr.36 type ipsec-l2l
tunnel-group dr.36 ipsec-attributes
 ikev1 pre-shared-key 3baaGvIzF%tg#6^K
tunnel-group office-s.130 type ipsec-l2l
tunnel-group office-s.130 ipsec-attributes
 ikev1 pre-shared-key ahNg9Aev"u7uigah
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect rsh
  inspect sunrpc
  inspect xdmcp
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 5 mode exec command more
privilege cmd level 5 mode exec command dir
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege cmd level 5 mode exec command export
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command service-policy
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command aaa-server
prompt hostname priority state
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable


EdgeRouter VS UTM (Meraki, Sonicwall, Fortigate, Sophos)

Small business (10-15 local users) currently running on a consumer-grade router/firewall. Upgrading to a fiber optic connection in the near future and adding VoIP phones to the mix. Current infrastructure is dated and needs to be upgraded.

I have experience with Unifi AC PRO access points and I am considering the full lineup (EdgeRouter/USG + Switch + AC PRO). However, my understanding is that the EdgeRouter/USG is not a true UTM because of some key features it lacks.

Would something like Meraki MX64 / MX64W or comparable SonicWall/Fortigate/Sophos device be justified in this situation? Or would an EdgeRouter with OpenDNS and endpoint AV be sufficient in this situation?

Also, would the throughput limitation on the MX64 (250Mbps) be a concern for VoIP traffic?



Analysing Netflow with overlapping subnets

How do you guys providing netflow services solve the problem where two companies have the same netflow sources on the subnet?

Company A: 10.1.1.0/24

Company B: 10.1.1.0/24

Solarwinds' solution is to basically create a separate instance per customer. This means purchasing additional licenses. This doesn't seem very scalable.

Anyone faced and conquered this problem? How did you do it?



Having exchange disconnects often. Cannot find an inactivity timeout setting on Meraki switches.

After extensive research, I would like to find what the timeout setting is on my Meraki switches between my Citrix app servers and my on-prem exchange servers, as well as my workstations and on-prem exchange servers. I have previously adjusted this setting on SonicWALL hardware in the past, but do not see the appropriate setting in the Meraki switches.

TL;DR: Cannot find any sort of connection inactivity timeout setting on Meraki switch hardware to mitigate my Exchange event 26 issues.



3850 vlan?

I got a brand new 3850 running 16.3.5b and one port just won't take a vlan to it. Never shows in 'show vlan' no matter what I do. Never seen this before. I have HA PANs upstream and failover wasn't working and I couldn't figure out why. Port 45 would come up but wouldn't pass any traffic. I configured another port (gi1/0/37) in vlan20 and moved the PA to it and it works now.

Has anyone seen this before?

20   fw-and-stuff   active   Gi1/0/29, Gi1/0/30, Gi1/0/37, Gi1/0/39, Gi1/0/40, Gi1/0/43, Gi1/0/46

interface GigabitEthernet1/0/45
 description ###firewalls and stuff###
 switchport access vlan 20
 switchport mode access
end


What is the most asshole interview question?

These are questions that are lazily constructed and/or tedious, lengthy or just impossible to answer sufficiently! I'll start:

"Name and describe all of the OSPF link-state advertisement types."



DHCP relay to NAT-ed server

Is this even possible? See the attached diagram.

https://imgur.com/a/6UauW



Show etherchannel summary doesn't show the created channel?

Hi All,

Client used a C2900 with Version 15.0(1r)M16, RELEASE SOFTWARE. The issue is that after creating an L3 etherchannel we cannot view the status of the etherchannel using "show etherchannel summary": there is no output showing the group. But the etherchannel itself works fine.

Will try to upgrade one of our spare routers for testing. I'm just checking if you've encountered this issue before. :)

Thanks..peaceout :)



Recommend APs for meeting space? Looking at Ubiquity but which ones?

I am setting up a network in a 4,000 sq ft conference space. It normally has a few people there in offices. A few times a week there will be 50 - 125 people. We need to set up a network that provides public wifi but also protects our bandwidth for streaming the presentation to YouTube.

I have set up home and small office networks (ok, only a couple) with Ubiquiti hardware so I am comfortable with that but I don't know which APs to get for this size room and this many users. (All indoor. Only drywall to get through.)

Here are my questions:

  • Will the Traffic Bandwidth Limits in UniFi allow a USG to limit how much bandwidth goes to the guest wifi network?
  • Which APs should I go with?
  • How many APs should I get?

I don't have illusions of giving everyone great bandwidth. But we want to protect what we need for production.

Thanks

Suggestions?



Assistance with Juniper SRX Firewall Config

Hello folks. I'm having some trouble with getting a new firewall in place. We are replacing our Cisco ASA with a Juniper SRX. IP addresses are not changing from the ASA to the Juniper. I believe we have mirrored the config from the ASA to the SRX pretty spot on.

What seems to be happening is that no traffic is being routed to the firewall.

Here is a link to the configs.

https://drive.google.com/drive/folders/15lOTrEVffoOeDa8GiHumS72aoC7UB_zi?usp=sharing

Any help would be appreciated!



Simple EEM script regarding dot1x and DMVPN

Hopefully this simple command set helps someone. Since it's the first EEM script I've actually had need to write, I'm posting it here on the chance someone will get something out of it.

Problem.

My DMVPN spokes (890s) are all running dot1x port auth on their switchports. However, when a user power cycles the router the switchports all come up and attempt to authenticate long before the tunnels are established. I initially worked with dot1x timers and retries, but nothing seemed to work. So, I've come up with this tiny script to force re-auth once the DMVPN session is really UP.

Here I'm establishing object tracking that goes Up or Down depending on whether a default route has been put into the global routing table. For my design, this is done via BGP and signals that the tunnels are UP and BGP adjacencies are made.

track 1 ip route 0.0.0.0 0.0.0.0 reachability

Running "show track 1" with no connectivity shows the following:

IP route 0.0.0.0 0.0.0.0 reachability
  Reachability is Down (no ip route)
    1 change, last change 00:01:26
  First-hop interface is unknown
  Tracked by:
    EEM applet clearDot1x

Once the default route is in the routing table, it will appear as below. You can see the object tracking knows about my default route via BGP.

IP route 0.0.0.0 0.0.0.0 reachability
  Reachability is Up (BGP)
    2 changes, last change 00:03:04
  First-hop interface is Tunnel1
  Tracked by:
    EEM applet clearDot1x

Now the EEM script. Here I'm simply resetting the dot1x sessions on the switchports one by one. I wish the command would allow a range, but this is my best solution.

event manager applet clearDot1x
 event track 1 state up
 action 1.0 cli command "enable"
 action 1.5 syslog msg "Clearing Dot1x on all Interfaces"
 action 2.0 cli command "clear authentication sessions interface gigabitEthernet 0"
 action 2.1 cli command "clear authentication sessions interface gigabitEthernet 1"
 action 2.2 cli command "clear authentication sessions interface gigabitEthernet 2"
 action 2.3 cli command "clear authentication sessions interface gigabitEthernet 3"
 action 2.4 cli command "clear authentication sessions interface gigabitEthernet 4"
 action 2.5 cli command "clear authentication sessions interface gigabitEthernet 5"
 action 2.6 cli command "clear authentication sessions interface gigabitEthernet 6"
 action 2.7 cli command "clear authentication sessions interface gigabitEthernet 7"

At this point whenever the default route is added to the routing table (for me a few minutes after boot), the switchports restart their auth process and now can be properly authed with my radius servers.



Where to Buy Bulk Cat6?

I have to do some new Cat6 runs for the first time, and I'm not sure where to grab the bulk cables. This is going in a plenum space, so I'm going to need plenum rated, but does anyone have any favorite places online to grab the cable? Don't want to overpay or underbuy, if that's even possible.



How to identify which IPs are

I have a pair of Nexus 5Ks at a branch office that carry a stretched VLAN from corporate to the internal network. The gateway for the network is back at corporate. I need to find a way to identify which IPs on that VLAN are coming from the branch office. Should be simple, but I'm having a hard time with it. Any suggestions?



Redirecting traffic on an Etherchannel

Hey Guys, was wondering if you could assist.

We currently have a layer 3 port channel which is configured to load-balance traffic across two separate ports. This is configured to distribute traffic via MPLS.

If we were to add a static route (ip route x.x.x.x x.x.x.x exit-interface next-hop), would we be able to cheat the algorithm in use and manually redirect the traffic over the other port?

Cheers, Benanater



DHCP-Relay and NAT

PacketTracer File

imgur

I want PC_A to get an IP on Network A from Server_C.

But while I own Server_C, I don't own Router_C/Switch_C (managed services), and they don't want to add a route for 192.168.107.0/24.

As far as I know, there are only two solutions, but these are not doable in the short term:

  • Merge Network A into Network B
  • Set up a DHCP server on Network B

Do you know any other solution?

Thanks!



Cisco IOS-XE , Embedded PacketCapture

Hello Guys,

I'm having a bit of trouble getting an embedded packet-capture running on a Cisco IOS-XE. This is running on a Cloud Router from Cisco. I've followed the guide, which is described on the Cisco Webpage.

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html

But it's not really working. However, I've noted that I am not really after capturing true L3 packets. The interface is not L3 defined; it's an interface connected to a trunk with bridge domains active on it. Also, it's a software router running on VMware. Could this be the culprit?

Should I be looking at the VMware level?



Autonomous access point Software for Cisco 1140 series

Our service contract expired so I can't get it through the official website. Any ideas where I can find this software?



ISPs blocking VPNs?

We have a remote site that used to form tunnels just fine, but suddenly stopped. After troubleshooting for a bit, I eventually switched out from esp to nat-t mode. Boom, tunnels came up. Great.

Fast forward two days later, and they’re down again.

tcpdump on both sides show the remote node’s packets never reach our data center.

I called the ISP to complain and they gave me the whole “we don’t block anything by default, I can’t confirm whether or not I see the traffic.” (It’s residential grade broadband.)

Finally we tried modified NAT-T with a custom port number. Boom, tunnels came up. Few days later they went down again. What is going on?



Can anyone identify these dishes or their usage?

Sorry if this isn't the right place to ask this question. I couldn't find answers elsewhere. This shipment of weapons was intercepted by the Syrian Army. It was destined to a group of besieged rebels. What stood out to me were these two dishes. Do they look like satellite dishes or point to point wifi links?

Pic 1

Pic 2

Sorry if this isn't the right place. And thank you in advance.

Edit: thank you for the insight!



Cisco 3850 ip access-list not cooperating

We recently set up OSPF on our new aggregation switch stack and set up some access lists to deny access to private IP ranges. The customer IP ranges are set up on specific VLANs and mgmt IPs in the 10.x range are set up on other VLANs. I made an access list to allow ip and icmp from the 10.0.0.0/8 range and then deny any any, but the customers can still ping the 10.x address assigned to the switch on the other VLANs. Config:

ip access-list extended NO_CUST_IN
 permit ip 10.0.0.0 0.255.255.255 any
 deny ip any any
 permit icmp 10.0.0.0 0.255.255.255 any
 deny icmp any any

interface Vlan3014
 description mgmt
 ip address 10.1.1.1 255.255.0.0
 ip access-group NO_CUST_IN in
 ip access-group NO_CUST_IN out

Why can the customers on the public ips still ping the private ip addresses on the switch? These rules are blocking access to downstream 10.x ips, but not the switch's ip on the 10.x range.
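To separate what the access list itself decides from where it is applied, here is an added example (not code from the post) that parses the NO_CUST_IN rules exactly as written, evaluates constructed packets against them with IOS first-match semantics, and reports entries that an earlier rule makes unreachable. The customer source address 203.0.113.10 is a constructed placeholder from the RFC 5737 documentation range.

```python
"""Evaluate the NO_CUST_IN access list from the post under IOS first-match semantics.

Added example, not code from the post. It parses the rules exactly as written, tests
a few constructed packets against them, and reports entries that can never match.
"""
import ipaddress

# Rules exactly as written in the post (reflowed one statement per line).
ACL_TEXT = """
ip access-list extended NO_CUST_IN
 permit ip 10.0.0.0 0.255.255.255 any
 deny ip any any
 permit icmp 10.0.0.0 0.255.255.255 any
 deny icmp any any
"""

ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens):
    """Consume one address spec: 'any' -> None, or 'A.B.C.D wildcard' -> (base, wildcard)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wildcard), tokens[2:]


def parse_acl(text):
    """Return a list of (action, protocol, src_spec, dst_spec) in configured order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended ...' header
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_addr(tokens[2:])
        dst, _ = _parse_addr(rest)
        rules.append((action, proto, src, dst))
    return rules


def _match_addr(spec, addr):
    """Cisco wildcard semantics: 1 bits in the wildcard are 'don't care'."""
    if spec is None:
        return True
    base, wildcard = spec
    care = ~wildcard & ALL_ONES
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def evaluate(rules, proto, src, dst):
    """First matching rule wins; the implicit deny at the end is reported with index None."""
    for idx, (action, rproto, rsrc, rdst) in enumerate(rules):
        if rproto not in ("ip", proto):
            continue
        if _match_addr(rsrc, src) and _match_addr(rdst, dst):
            return action, idx
    return "deny", None


def _covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer is None:
        return True
    if inner is None:
        return False
    obase, owc = outer
    ibase, iwc = inner
    care = ~owc & ALL_ONES
    # every bit outer cares about must be fixed by inner too, to the same value
    return (care & iwc) == 0 and (obase & care) == (ibase & care)


def shadowed_rules(rules):
    """Map each rule that can never be reached to the earlier rule that shadows it."""
    shadowed = {}
    for j, (_, jproto, jsrc, jdst) in enumerate(rules):
        for i, (_, iproto, isrc, idst) in enumerate(rules[:j]):
            if iproto in ("ip", jproto) and _covers(isrc, jsrc) and _covers(idst, jdst):
                shadowed[j] = i
                break
    return shadowed


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    # 203.0.113.10 is a constructed "customer public IP" (TEST-NET-3, RFC 5737).
    for proto, src, dst in [("icmp", "203.0.113.10", "10.1.1.1"),
                            ("icmp", "10.2.3.4", "10.1.1.1"),
                            ("tcp", "203.0.113.10", "10.1.1.1")]:
        print(proto, src, "->", dst, evaluate(rules, proto, src, dst))
    print("unreachable entries:", shadowed_rules(rules))
```

A non-10/8 source to 10.1.1.1 hits the "deny ip any any" entry, and the two icmp entries are shadowed by the ip entries above them, so the rule list is not where the permitted ping comes from.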



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Best practices of UTM & Helpdesk Services For A Global Consumer Electronics Brand

There are many approaches to protect an organization's data, network and critical assets from outside intruders and threats. Yet, many organizations continue to be challenged by managing network security in-house due to operational complexities and rising resource costs.

Here is a case study on how a large global consumer electronics brand benefited by adopting a fully managed solution by InKnowTech.

https://inknowtech.com/casestudy/unified-threat-management-helpdesk-services/



Thursday, March 8, 2018

Question about IT career

Just because someone introduces you to IT, does that mean they're responsible for your career, meaning "you wouldn't be nothing without me"?



[Discussion] What are some tips on setting up a home network that you would give to newbies?

This would include anything from certain commonly overlooked settings to a link on making your own antenna boosters (these I really want to see; how far have they progressed since I last saw them?). I currently have an Archer C7 v.2 and an Archer C7 v.2. Any suggestions would be great, thanks! Any custom firmware etc. Thanks!



Aftermath of a fire at a Netflix / CommCorp colo in Brazil

https://twitter.com/dtemkin/status/971550320999374850?s=19

https://twitter.com/tiagosetti/status/971796338177437697?s=19

Apparently the fire suppression went off but it doesn't look like it had much effect.



Unrecognized IPs on my network.

I have IPs on my network that I don't recognize. Should I be posting this elsewhere?

What are they?

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\e>arp -a

Interface: 192.168.1.164 --- 0xb
  Internet Address      Physical Address      Type
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  239.255.255.253       01-00-5e-7f-ff-fd     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

C:\Users\e>
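As an added example (not from the post), the following script classifies the entries of the pasted "arp -a" table: it reproduces the RFC 1112 mapping of an IPv4 multicast group to its 01-00-5e MAC address and verifies each entry against it, so that only unicast entries are reported as other hosts. The table is re-typed from the post; the protocol names are the IANA assignments for those well-known groups.

```python
"""Classify the 'arp -a' entries pasted in the post (added example, not code from the post).

IPv4 multicast groups (224.0.0.0/4) map to the 01-00-5e MAC prefix plus the low 23 bits
of the group address (RFC 1112); 255.255.255.255 is the limited broadcast address.
Such entries are the host's own group memberships, not other devices on the LAN.
"""
import ipaddress

# Re-typed from the output in the post (IPs and MACs exactly as shown there).
ARP_TABLE = """
Internet Address       Physical Address      Type
224.0.0.22             01-00-5e-00-00-16     static
224.0.0.251            01-00-5e-00-00-fb     static
224.0.0.252            01-00-5e-00-00-fc     static
239.255.255.250        01-00-5e-7f-ff-fa     static
239.255.255.253        01-00-5e-7f-ff-fd     static
255.255.255.255        ff-ff-ff-ff-ff-ff     static
"""

# IANA well-known group assignments for the groups that appear in the post.
KNOWN_GROUPS = {
    "224.0.0.22": "IGMPv3 membership reports",
    "224.0.0.251": "mDNS",
    "224.0.0.252": "LLMNR",
    "239.255.255.250": "SSDP / UPnP discovery",
    "239.255.255.253": "SLP (administratively scoped)",
}

BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def multicast_mac(group):
    """RFC 1112: 01-00-5e followed by the low 23 bits of the group address.

    Because only 23 of the 28 group bits are used, 32 distinct groups share one MAC.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    low23 = int(addr) & 0x7FFFFF
    octets = [0x01, 0x00, 0x5E, (low23 >> 16) & 0x7F, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return "-".join(f"{o:02x}" for o in octets)


def classify(ip, mac):
    """Return (kind, mac_consistent, note) for one ARP entry."""
    addr = ipaddress.IPv4Address(ip)
    if addr == BROADCAST:
        return "broadcast", mac.lower() == "ff-ff-ff-ff-ff-ff", "limited broadcast"
    if addr.is_multicast:
        note = KNOWN_GROUPS.get(ip, "multicast group")
        return "multicast", mac.lower() == multicast_mac(ip), note
    # A unicast entry is the only kind that corresponds to another host.
    return "unicast", True, "neighbour"


def parse_arp(text):
    """Parse the three-column table into (ip, mac, type) tuples, skipping the header."""
    entries = []
    for line in text.strip().splitlines()[1:]:
        ip, mac, typ = line.split()
        entries.append((ip, mac, typ))
    return entries


def real_neighbours(text):
    """IPs in the table that belong to other hosts (unicast), in table order."""
    return [ip for ip, mac, _ in parse_arp(text) if classify(ip, mac)[0] == "unicast"]


if __name__ == "__main__":
    for ip, mac, typ in parse_arp(ARP_TABLE):
        kind, ok, note = classify(ip, mac)
        print(f"{ip:<16} {mac}  {kind:<10} mac-ok={ok}  {note}")
    print("other hosts:", real_neighbours(ARP_TABLE))
```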



Learning and have specific questions I can't find online

I'm currently in a college program for networking, and when we do labs we use private IPs between routers. I'm wondering if this is common practice in the real world for corporate/small business networks: only the interfaces interconnecting WANs have public IPs and everything inside uses private addresses?



PAN-OS: Loopback interface address not being advertised to iBGP neighbors

I've got a /32 IPv4 address assigned to a loopback interface on a PAN-OS box. I used redistribution "approach 1" from here (no network statements in PAN-OS apparently?) to get that address into the BGP loc-rib.

The problem is that this prefix isn't being sent to my iBGP neighbors (virtual routers running on the same box).

I haven't configured any sort of outbound filter, and I'm confident that the route isn't being advertised (as opposed to advertised but rejected by the peer) because of the Outgoing Prefix counter visible with show routing protocol bgp peer peer-name <blah>.

I haven't yet found the PAN-OS version of show ip bgp neighbor <blah> [advertised|received|received-routes]. If somebody can steer me toward that, it'd be helpful.

Ideas about why my neighbors aren't seeing the missing prefix? It's happening in both directions.



Idle wattage? Cisco WS-C2960S-48LPS-L

Hi,

I am looking to add a Cisco WS-C2960S-48LPS-L to my network. I am trying to find out the idle wattage of the unit without anything plugged in.

My CE500 idles at around 60 W. Where does the C2960S fit in?

Thanks, Rich



SonicWALL trying to exclude IP range from Block.

So what's going on is I've been trying to exclude a range of IP addresses from a block under App Control. I have SIG IDs 5, 7, 63, and 66 that need to be unblocked for a user who needs to stream to YouTube for promotional purposes during events.

I enable the block and exclude the IP-ADD range group object from all the SIDs I listed above, and it won't work. His devices are within this range and I've set him statically by MAC on our DHCP to get reserved IP addresses in that range.

When I disable blocking for all on these SID's he's able to stream. When I disable blocking for ALL except his range it still blocks him.

How is it that it's happy to block him when he's excluded from the allow, but not happy to allow him when he's excluded from the block?



L2TP / IPSEC NAT-T: Troubleshooting

Hi guys,

I'd like to know your troubleshooting steps, or even a fix, for a problem that isn't mine but my co-worker's; I want to help him but I don't know the solution either.

My co-worker set up an L2TP / IPsec server with NAT-T (basically allowing UDP port 4500) at company A. When a person from company B connects to company A through the VPN, it's good. When a second person from company B connects to company A through the VPN, it lasts only for a while and then the second connected user kicks off the first connected user. Only one connection can last. So we connected too and we could stay connected. We weren't connecting from company B but from another location.

From the description you can see one thing: two people from company B have the same public IP (NAT), so that's the problem. I'm asking... why? The same IP shouldn't be a problem because we have ports. Could the problem be on their firewall or on the server side?

As I told you, the first user can be there as long as others connect from the same company.

Please, consider everything.

Thank you :)

EDIT: The server is made on a MikroTik router. It seems like an issue associated with the brand.



Why would a 3560CX reboot EXACTLY every 6 hours?

I've got a 3560CX-12PD which has the peculiar habit of rebooting every 6 hours. EXACTLY every 6 hours.

Last configuration change at 06:28:09 EST Wed Mar 7 2018
Last configuration change at 12:28:13 EST Wed Mar 7 2018
Last configuration change at 18:28:10 EST Wed Mar 7 2018
Last configuration change at 00:28:09 EST Thu Mar 8 2018
Last configuration change at 06:28:08 EST Thu Mar 8 2018
Last configuration change at 12:28:07 EST Thu Mar 8 2018

It's not in a high-use area, so there aren't any complaints, but I noticed it because I started logging config changes and every 6 hours I'm getting a new config dump and the only thing that has changed is the "Last configuration change at..." line.

If I look at the current uptime then that plus the "last config change" time almost perfectly equals the current time.

The last reload reason is "power-on". I've had devices with bad power supplies that have randomly rebooted but never in 6 hours intervals.

Any thoughts?



Jitter in broadband connection

I switched from an ADSL connection to an optical fiber one. Problem is, despite being an optical connection, the jitter is worse compared to my old ADSL connection. Here are the PingPlotter results for the two connections. The one above is Airtel ADSL 2Mbps up / 0.5 Mbps down and the one below is Vnet fiber 10 Mbps up and 10 Mbps down. https://imgur.com/a/bf8Fj . I'm trying to explain this issue to my new ISP but they refuse to accept it as a problem. But I'm pretty sure that this is the culprit of the inconsistent download and upload speeds that we are getting. Can someone please tell me possible reason(s) for this problem?

PS: Vnet is a small ISP in my city and does not have a whole lot of users (currently less than 20) We all use single shared IP and connect using PPPoE.



Weird results on PingPlotter, would like some feedback

Hey.
I have been having some weird issues playing online games.
I have downloaded PingPlotter and it seems like I have spikes and packet loss on a few nodes.
The packet loss on my router, I assume, is just a bug and isn't real, right?
Here are the results to a German IP:
https://i.imgur.com/VWVtYNG.png
Would appreciate any input.
Thank you.



What's the size of your company

Just curious how large (or small) is your company? If you're in a large environment (plus 50k), do you find you exist in more of a silo? or have opportunities to learn as well as support multiple technologies?

My current company is about a thousand employees. My previous one grew to about 10k and we had 3 network engineers. Just curious at what point the organization gets too big to allow growth.



What are you using for Radius authentication for wired 802.1x that isn't NPS or ISE?

We are looking to turn on 802.1x authentication on network switch ports. For ports with domain PCs attached this is simple - computer certificates (automatically pushed via group policy) and Radius to NPS servers.

The problem is how to accommodate things that aren't domain PCs like printers and phones. MAC address bypass (MAB) seems like the answer, but with NPS as the authentication agent, that would require creating a user object in AD for every MAC address and setting the password to the MAC address. Not exactly an appealing option.

ISE is an option, but seems to be very much overkill for such a simple task.

So, what are you folks using for 802.1x other than ISE or NPS?

I'm thinking I'd point my switches to a local NPS server. The NPS servers would have a proxy policy such that authentication requests that consisted of MAC addresses would be forwarded off to another Radius server which would contain the MAC address of all our phones and printers.

But what Radius server? Bonus points if it runs under windows.



VLAN config problems

Hello,

I'm having some issues understanding why a VLAN isn't working... we use a /20 (172.16.1.0) block for our network and I'm trying to create a /24 (172.16.10.0) VLAN inside the /20. I've created the interface in the router and assigned it to the VLAN with a gateway of 172.16.10.254. In the core switch, I've created VLAN 10 and tagged port 20 for VLAN 10 (this is the port connected to the router/fw). At this point, I should be able to ping the VLAN gateway from the switch, no? It just times out. If I completely change the network address to something like 192.168.10.0/24 I can ping and everything seems to be fine.
I'm sure I'm overlooking something but why can't I use a network range inside the /20 for the VLAN?

Thanks.



BGP loopback wrong route pinging issue

Hi, I am trying to configure EBGP between an Enterprise, an ISP and a Customer.

So far I have all neighbours up, with the ISP-1 able to ping the Site A and the Customer.

The issue I am having is that the Customer has a route learned which goes via ISP-1's loop back which can't ping site A. I was wondering what I have done wrong in my configuration.

     192.168.12.0/32 is subnetted, 1 subnets
B       192.168.12.1 [20/0] via 10.10.100.5, 00:00:44

Diagram: https://imgur.com/a/nCMkn

Customer

router bgp 400
 no synchronization
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.255
 network 2.2.2.2 mask 255.255.255.255
 neighbor 10.10.100.5 remote-as 200
 neighbor 10.10.100.5 ebgp-multihop 2
 neighbor 10.10.100.5 update-source Loopback0
 no auto-summary

ISP

router bgp 200
 no synchronization
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 400
 neighbor 1.1.1.1 ebgp-multihop 2
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 10.10.12.5 remote-as 100
 neighbor 10.10.12.5 ebgp-multihop 2
 neighbor 10.10.12.5 update-source Loopback0
 no auto-summary

Edge-1

Can't ping 1.1.1.1 or 2.2.2.2

show ip route bgp
     1.0.0.0/32 is subnetted, 1 subnets
B       1.1.1.1 [20/0] via 10.10.100.5, 00:02:44
     2.0.0.0/32 is subnetted, 1 subnets
B       2.2.2.2 [20/0] via 10.10.100.5, 00:02:44

router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 192.168.12.1 mask 255.255.255.255
 neighbor 10.10.12.6 remote-as 100
 neighbor 10.10.12.6 update-source Loopback0
 neighbor 10.10.12.6 next-hop-self
 neighbor 10.10.100.5 remote-as 200
 neighbor 10.10.100.5 ebgp-multihop 2
 neighbor 10.10.100.5 update-source Loopback0
 no auto-summary

Edge 1 - can ping ISP-1's loopback
Customer A - can ping ISP-1's loopback
ISP-1 loopback cannot ping 192.168.12.1 - Issue

Many thanks

Edit: Formatting



Too much networking lingo

When a network engineer talks, you may think his network is out of this world. But in reality most enterprise networks are just as average as any other.. you hear too much DMVPN, VRF, MSTP, VSS, MRC, MPLS, SNAT with a Dyno pool, GRE over this, BEACONING, to mention but a few.

I see us confusing the average Joe making our work seem so out of this world yet it's not as tough as going down a sewer tunnel.

justcrossedmymind



radius/tacacs replacement for ACS

I work for an MSP; we operate hundreds of discrete networks in North America and we use Cisco ACS for admin access to everything. That ACS is old, creaky and out of maintenance (no patch for the current vuln). Is there any product out there that can serve both RADIUS and TACACS clients but has a unified GUI? I know FreeRADIUS and tac_plus, but my install and support teams don't and would likely screw them up in no time, so a single GUI for both is ideal. ISE is not an option (too much NAC crud). Anything new on the scene since this topic came up 4 years ago?



HP 5900 switch enable http/https

Hi, we have a couple of HP 5900 switches, and I want to enable the web GUI. Reading forums about the issue, I know the commands are supposed to be "ip http enable" and "ip https enable", but "ip" does not have those options. I am running the command from system-view. Any pointers to what I might be doing wrong would be greatly appreciated :)



Adding zone to existing zoneset - Nexus 5k

I've inherited a Nexus 5k FCoE SAN configuration and need to add a new zone to an existing zoneset. My experience has been limited to iSCSI for the past decade (my last foray in FC was with an old Hitachi SAN that used traditional FC zones). Anyhow, I've created the new device alias and added the members to a new zone.

New device-alias: SERVER13_HBA01

Existing storage device alias: SAN01_CTRL1

New zone: SERVER13_HBA01_to_SAN01_CTRL1

The current active zoneset is "ZonesetA_May012017" in vsan 5 so would the following command be correct?

zoneset name ZonesetA_May012017 vsan 5
 member SERVER13_HBA01_to_SAN01_CTRL1
 exit
zoneset activate name ZonesetA_May012017 vsan 5

Also, will this cause the existing connections to drop during the activation?



How much should I charge?

I work in the wireless industry, but the brother of a long time customer of mine, came to me seeking help with his home internet service.

His previous DSL setup was only receiving 1.3 Mbps, while he was paying $150/month for 3 Mbps & home telephone. His lot is very large & his historic house is 4,500 sq ft. (A $2.4 million home in a community with an average home price of $160k. )

A competitor of his current ISP quoted $6,000 for “last mile” construction because he was 120-180 ft too far from their node. That was before the cost of the utility pole and was expected to take 9 months.

I decided to get creative. I suggested & negotiated an agreement between my client and his neighbor (acquaintances for 50 years) which meant the ISP running a secondary connection to the neighbor’s. I was there for the duration of the install.

Tomorrow, I will trench and bury about 300 ft of cable to move the modem and we’re hoping to achieve close to 100 Mbps after about a month and a half of researching and back and forth trying to work with ISP’s.

I’ll then either be installing a PoE to distribute WiFi or a mesh system once all the work outdoors is done..

Both my client & his brother own several successful businesses and are definitely multimillionaires. I really believe he’d write me a check for 8 or 10 grand if I asked , but I’m not looking to take advantage just because he’s loaded.

What’s fair here? I’m in my mid-twenties and could damn sure use the money, but I definitely value long term relationships over shortsighted profit. Any insight would be greatly appreciated!



Juniper EX4200 switch and BGP sessions.

Hello gents,

I'm just posting this to find the answer to a rather basic question that I, for the life of me, cannot find the answer to on Google. I currently plan on operating a rather botchy network setup where I use a Juniper EX4200 switch that supports BGP sessions with my network provider.

My question is, does anyone know if the EX4200 is capable of supporting more than one upstream BGP session? If not, how would I go about configuring another switch to work with the upstream BGP session of the original switch? (We need to use two separate ASNs.)

Cheers!



EPC from RSPAN?

I'm curious to know if the following is possible and if someone has experience setting it up.

I have a pair of remote Cat 4500s. One, in the mdf, has ip base. The other, in an idf, has lan base.

I need to do an Embedded Packet Capture from a device connected to the IDF switch. However, since it has LAN Base it doesn't appear to support EPC. So I was going to set up an RSPAN from the IDF switch to the MDF switch, then set up the EPC on the MDF switch, save it locally and grab the file.

Can this actually work? I'm having difficulty figuring out the syntax on the EPC to get the traffic from the RSPAN vlan.

Thoughts or suggestions?

Thanks for your time



Wednesday, March 7, 2018

Need to convert from rapid-pvst to mstp

I have a network with a Cisco 6509 sitting at the core and fiber connections from there to 25ish IDFs that contain a mix of 3560s and 2960s. This whole setup is running in rapid-pvst. The 6509 is configured as the spanning tree root. The 6509 is going to be replaced with a stack of Meraki 425s and the edge switches will be replaced with MS350s shortly after that. Since Meraki cannot be the STP root on a Cisco network running rapid-pvst I need to convert to MSTP. I have done this on a test switch connected to the Meraki and it worked. I didn't do any VLAN to instance mapping, just changed the spanning tree mode. Is there really anything else I need to do in my case? In the test, before switching to MSTP the 425s were not root even though they are configured to always be root. Once I changed the mode to MSTP, it put VLANs 1-4096 into the default (MST0) instance and the Cisco switch showed that the Meraki was root over that instance. I know I have to convert starting at the core (and need to set priority at the core) and then work my way out from there. It seems pretty easy so I think I must be missing something.



Need help setting up VPN tunnel

I am trying to help my uncle set up a VPN tunnel to connect his two office computers together (located physically at two separate offices on 2 different networks). Both machines are running Windows 7 SP1. I need to be able to access the shared folders on PC2 from PC1 over the internet. The ISP at both locations is Comcast and it's Business Class Internet Service. Both locations are using their Wireless Gateways. We are looking for a software based solution. I'm trying to make it so he can connect and work in his QuickBooks program from both locations in multi-user mode with the main company file being in sync. Any advice is appreciated. I had some success using the Windows built-in VPN, but it was too slow and had issues with the connection. Am currently experimenting with Hamachi VPN from LogMeIn. Seems to be slow too and unstable.



Wireless Multicast: joining group

Hi guys, I'm rather new to all of this but I'm trying to debug an issue with my wireless network. I am running three Fedora 19 machines in a wireless network with one acting as an access point. I'm trying to figure out how to get my client machines to listen on specific multicast channels, essentially joining a group. I've tried using smcroute to join a group but to no avail. Any suggestions?
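For the "joining a group" part of the question, here is an added example (not code from the original post) of what a receiving host actually has to do: open a UDP socket, bind the port, and issue an IP_ADD_MEMBERSHIP so the kernel sends an IGMP membership report and starts accepting frames for that group. The group address 239.1.2.3 and port 5000 are assumptions chosen for illustration; the receive loop is only run when the file is executed directly, so importing the module does no network I/O.

```python
import ipaddress
import socket
import struct


def is_multicast(addr: str) -> bool:
    """True for 224.0.0.0/4; joining anything else is rejected by the kernel anyway."""
    return ipaddress.ip_address(addr).is_multicast


def multicast_mreq(group: str, iface: str = "0.0.0.0") -> bytes:
    """Build the `struct ip_mreq` (group address, local interface address) that
    IP_ADD_MEMBERSHIP expects. iface 0.0.0.0 lets the kernel pick the interface."""
    if not is_multicast(group):
        raise ValueError(f"{group} is not a multicast group address")
    return socket.inet_aton(group) + socket.inet_aton(iface)


def join_group(group: str, port: int, iface: str = "0.0.0.0") -> socket.socket:
    """Return a UDP socket that is a member of `group` and bound to `port`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    # Several receivers on one host can share the same group/port.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # Binding to the group address itself (rather than "") filters out unicast
    # and other groups arriving on the same port; Linux accepts this.
    sock.bind((group, port))
    # This is the actual join: the kernel emits an IGMP report for the group.
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, multicast_mreq(group, iface))
    return sock


def leave_group(sock: socket.socket, group: str, iface: str = "0.0.0.0") -> None:
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_DROP_MEMBERSHIP, multicast_mreq(group, iface))


if __name__ == "__main__":
    # Assumed group/port for demonstration; the sender would use the same pair.
    GROUP, PORT = "239.1.2.3", 5000
    s = join_group(GROUP, PORT)
    print(f"joined {GROUP}:{PORT}; waiting for one datagram")
    data, src = s.recvfrom(2048)
    print(f"{src[0]}:{src[1]} -> {data!r}")
    leave_group(s, GROUP)
    s.close()
```

On the access-point machine nothing extra is needed for receivers on the same wireless segment, since IGMP joins are link-local; a multicast routing daemon such as smcroute only matters once traffic has to cross from one subnet to another.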



Best way to find open ports cisco switch

I usually use "show int status | i notconnect|disabled" and look for something that has not been used in 6 weeks, but one switch I have is showing "last input never" and "last output never" on just about every notconnected port. Should I trust this information or is the switch lying to me?



Question: What would be the best way to get signal throughout a football field?

So I am trying to help a friend setup a small event on their football field.

On each corner of the football field there will be a computer. 4 computers in total. They will be sharing text files, nothing heavy like music or videos.

What would be the best way to get all 4 computers to talk to each other without running so many cables?

What would be the best equipment for the job?

My budget is about $300 to $600.

The signal doesn't need to reach the stands or the stadium. Just the center of the football field.

Any advice/plans would be wonderful.

Thank You for reading.



Redundant Core - Spanning Tree Design Questions

I recently moved into a networking position managing a large existing network. I'm more than a little fuzzy on spanning tree, and the organization has had major problems in the past that were attributed to it, so everyone is afraid of it and doesn't know anything about it besides: don't touch it.

We have redundant core switches with over a hundred buildings connected to both. The core switches also serve as our core routers, but that seems to be working fine for now. In my poking around I've discovered that Core A has had its priority set so that it is the root bridge, which seems normal. However, Core B seems to have a priority that's made it even lower in the tree than most, but not all, of the head end switches. This results in many of the Core B ports being in the blocking state, rather than the designated state.

This doesn't make sense to me. It seems to me that I'd want B to be right behind A in terms of priority, so that if A falls over then B becomes the new root. That would mean each headend would be responsible for putting one of its uplinks into the blocking state. Additionally, there doesn't seem to be an L2 connection between A and B, so B has to get to A via one of the building headends, and that building has all the VLANs tagged across it.

I've got a diagram of what things look like now: https://i.imgur.com/05sFd3w.png

My question is... what should this look like? Should I modify the priority on B so that its ports are in the designated state instead of blocking? Should I stand up a new L2 link between A and B for all the VLANs so B can get directly to A?

Thanks! -ljb2of3
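The root election the post describes is purely a comparison of bridge IDs (configured priority, then MAC address as tie-breaker; lowest wins). Here is an added example, not part of the original post, that models the two situations: the "as found" layout where Core B sits behind most head ends, and the proposed one where Core B is second-best so it inherits root if Core A fails. All switch names, MAC addresses and priority values are constructed for illustration; the only real constraints encoded are that Catalyst priorities are multiples of 4096 between 0 and 61440, with 32768 as the default.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int  # configured bridge priority: 0..61440 in steps of 4096
    mac: str       # base MAC, the tie-breaker when priorities are equal

    def bridge_id(self) -> tuple[int, int]:
        """(priority, mac) in the order STP compares them; lower is better.
        On the wire Rapid-PVST adds the VLAN ID to the priority (extended
        system ID), which is the same for every bridge in a VLAN, so comparing
        the configured value alone gives the same ordering."""
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError(f"{self.name}: priority must be a multiple of 4096 up to 61440")
        return (self.priority, int(self.mac.replace(":", ""), 16))


def elect_root(bridges: list[Bridge]) -> Bridge:
    """The bridge every other bridge would agree on as root."""
    return min(bridges, key=Bridge.bridge_id)


def failover_order(bridges: list[Bridge]) -> list[str]:
    """Who becomes root as each better bridge drops out, best first."""
    return [b.name for b in sorted(bridges, key=Bridge.bridge_id)]


# Constructed topology: two cores plus a handful of building head ends at the
# 32768 default. MACs are made up; only their relative order matters.
HEADENDS = [
    Bridge("bldg-01", 32768, "00:1a:00:00:00:01"),
    Bridge("bldg-02", 32768, "00:1a:00:00:00:02"),
    Bridge("bldg-03", 32768, "00:1a:00:00:00:03"),
    Bridge("bldg-04", 32768, "00:1a:ff:00:00:04"),  # happens to sort after core-b
]
CORE_A = Bridge("core-a", 4096, "00:1b:00:00:00:0a")

# As found: Core B left at the default with a MAC that loses to most head ends.
AS_FOUND = [CORE_A, Bridge("core-b", 32768, "00:1a:f0:00:00:0b")] + HEADENDS

# Proposed: Core B one notch behind Core A, so it is the designated successor.
PROPOSED = [CORE_A, Bridge("core-b", 8192, "00:1a:f0:00:00:0b")] + HEADENDS


def root_without(bridges: list[Bridge], failed: str) -> str:
    """Simulate the loss of one bridge and report the new root."""
    return elect_root([b for b in bridges if b.name != failed]).name


if __name__ == "__main__":
    for label, topo in (("as found", AS_FOUND), ("proposed", PROPOSED)):
        print(f"{label:9}: root={elect_root(topo).name:8} "
              f"if core-a fails -> {root_without(topo, 'core-a'):8} "
              f"order={failover_order(topo)}")
```

The ordering also explains the blocked ports: with Core B ranking behind a head end, that head end's port toward Core B is the designated port on the shared segment and Core B's side is the one that has to block.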



I'm installing netbox!

Now what do you use for the rest of the fucking owl?

I've been helping build a regional fiber network, and since January I've created about 10 servers, 15 VLANs, learned Junos, and figured out the Calix gear and their hella bad GUI thing.

I have NMS set up (monitoring, not alerting yet) and servers with Let's Encrypt/SNMP/intrusion detection. I've done preliminary vulnerability scans and that has been ok. My issue is documentation is sprawling (hence NetBox). I'm basically the only one that understands how the DNS/DHCP/NTP/FTP servers work or how to update and troubleshoot them (I'm trying to teach as I go, but there isn't much time). I'm hoping NetBox will let me condense everything I've been putting in Visio/Notepad/Excel into one place.

But I'm missing some type of config management, preferably open source. (Right now I have the devices that support it sending a copy of the config to my office server on commit, and server backups doing the same.) But sometimes I catch the other guys doing things they don't fully understand (I've found a few config files with /example/example copied directly from the configuration guide). Don't get me wrong, they are learning a ton and great to work with, but there are so many moving parts it's hard to keep track of it all. I have a syslog server set up and everything is dumping logs there too, so I can go back and see what people changed and fix it. I have a small pfSense instance with Snort set up, but have been thinking about expanding that. This is a community/rural environment so budget is a concern (I thought they were going to choke when a networking company wanted $170/hr to do some configuration work... LOL).

There was really no plan as far as I can tell from layer 2 up. Layer 1 was well planned and engineered, but they didn't even have a single server set up for DHCP/DNS when I started in January. There are VLANs going all over the place for VoIP/TV/etc. (I hope NetBox will help there too). I've been working so much I actually just found where I set up a g2032 ring and barely remember doing it, much less documenting it in my crappy spreadsheet. We have strong passwords for everything, I showed them how to gen random ones and never use the same one twice, but that is becoming an issue too (does NetBox securely store that? or do I need to just break down and get KeePass or set up OpenLDAP or something?)

I've been out of the ISP side for probably 10 years so I'm rusty as hell. None of the vendors have been much help. Everyone that told them to buy Juniper, when we asked for help, said "oh we don't have it yet, we can get professional services to help in 6-8 weeks" /facedesk. Overall it has been really fun but exhausting. I see the guys getting excited when we turned up the first customer and it reminded me of building the first ISP I started when I was 20. We have plenty of drive, but there are only 3 of them and 1 of me. If you made it this far thanks for reading, and if you have ideas on config management and password/API/keys, those are the 2 big things I know I'm missing.

TLDR: Jumped in head first building a regional fiber network with 3 electrical engineers and have come a long way in 3 months, but I'm losing track of all the moving parts. Need something to pull it all together.



Cisco ACS Unauthenticated Java Deserialization Vulnerability

Vulnerability could allow an unauthenticated remote user to execute commands with root privilege, and affects all versions prior to 5.8 update 9 (so, pretty much every version).

Link to advisory

Edit: 5.8 u7 and 8 at least require authentication to exploit it

"ACS systems running release 5.8 Patch 7 or Patch 8, require authentication in order to exploit this vulnerability"



Is Cisco DNA still in its infancy?

I have been through a lot of Cisco meetings and events about their DNA SD-WAN but I have not been sold for a second. The way they explain it sounds so smooth and sleek. Cloud this, cloud that, but then again I get told that we need on-prem beefy appliances. Is it me who is not getting it or is it actually a pain to set up and manage? And how well does it hold up in a multivendor environment?

Anyone feel the same



Looking for Manual/Info on ConSentry LANShield CS4048X Switches

Hi all,

I've inherited three of these old ConSentry switches at work, and need to find a way to do some kind of factory reset on them. I've been digging around and all I've come up with is datasheets on them. Potentially pertinent information:
* We are unable to locate the controller these switches went with.
* I am able to interrupt the startup process. Looks like it may be running some variety of *nix, but who knows.
* If I'm unable to get these things reset, we'll just destroy them. Not the end of the world, but I'd like to avoid that if possible.

I'd greatly appreciate any help anyone can provide. Thanks!



wireshark from command line

Running Wireshark using dumpcap, specifying the interface, and writing it to a file from 5 different command line boxes (5 interfaces being captured at one time) produces little to no results.

But when using the Wireshark GUI, multi-selecting all interfaces gives me what I need, but it's all jumbled in the one capture, so I have no idea of the flow.

I need to do 5 captures from different points in the network at the same time to catch the flow. I thought I could get a single Wireshark box hooked up to 5 different points in my DC, and run the command line to capture to 5 different files at once. This doesn't seem possible. Has anyone tried to do this before?



I need some help with my Home Network.

Hi there,

I've some issues with my Network at home.

Situation: We have bought a Devolo dLAN 550+ pack last week. The intention was/is to connect everyone in the house (5 places) on cable internet. We have got a 80mbit down and 30mbit up line at home, which will be upgraded soon to 200mbit down and 200mbit up. I've got a Netgear Nighthawk 7000 for the wifi, and a Experiabox V9 modem (which is from KPN)

Problem: The problem is that at times the Devolo power plugs conflict and don't have a working network connection. I already know that the Devolos won't work with a different power plug next to them (like a laptop or phone charger), so we have already reserved the electrical outlets for only the Devolo power plugs.

Now we still have some problems at random times. Is it because my network is currently too slow (80 down, 30 up)? Or is Devolo unable to work correctly with more than 2 or 3 Devolo power plugs?

My brother uses it for his playstation. My dad uses it for calling, browsing and mail. My mom also uses it for browsing and mail. I use it for downloading and watching youtube.

Can someone help me with this, we are already struggling with this for a while.



Cisco SG350-28 trunk with 3560

Hello,

Anyone here have experience with the new Cisco switches? I've configured tons of the now older Cisco switches, but these new ones with the web GUI are a pain in the ass. The trunk simply does not want to work. On the 3560 side I have:

    switchport trunk encapsulation dot1q
    switchport mode trunk



Pretty granular and specific question here. PBR on FEX ports coming off an N9k. Some suggest it isn't possible.

To give the run down we have two types of servers. Server Group A and Server Group B, which must have their external traffic routed to respective firewalls. Group A will route to Firewall A and Group B to Firewall B.

We currently use PBR to do this with a next hop of A or B if it matches an ACL.

We are moving these said servers to FEX ports off an N9K.

This link here says

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/unicast/configuration/guide/l3_cli_nxos/l3pbr.html

"Policy-based routing is not supported with inbound traffic on FEX ports."

Given this sounds straightforward for traffic destined TO hosts on FEX ports, I wanted to be extra sure.

Thoughts?



Subnet question

I'm trying to break down a /16 into multiple subnets. I would like to use a /23 for our physical servers for the first range (172.26.0.1-172.26.1.254) and a /20 next (172.26.2.1-172.26.17.254). Is this possible? Every time I use a subnet calculator, it keeps telling me my network will be 172.26.0.0. Why can I not start with .2 in the third octet? I went further and tried with 172.26.18.1 and it says my network will be 172.26.16.0. Can someone explain why this is? Thanks.

Edit: My first range is a /23 not /21



Cisco CSP (Cloud Service Platform) Experiences

Hi, the search turned up nada so I figured I would quiz the group on their past experiences with Cisco's CSPs. Cisco is pushing them hard on us and they appear interesting enough but, without having got my hands on one yet, it is hard to be anything but skeptical.

The tl;dr of what they are, they are a consolidated device that basically lets you virtualize a bunch of platforms. You have a remote site and want a router and ASA, place a single CSP box and run both virtually. You are supposed to be able to run other virtualized options on it so you could throw a server of your choice on it as well.

The CSP was also pitched as part of their Agile Exchange SDN offering.

So, stay away, proceed cautiously, or, SPEND SPEND SPEND?

TIA!



Network device sends two identical ping requests in same subnet.

I have a linux network device with only one interface. When I attempt to ping another network device in the same subnet on the same VLAN I get (DUP!) responses. I can see with tcpdump that the device is sending two ICMP ping requests at the same time with the same sequence number before receiving any replies. The network device that I'm pinging responds to both ICMP ping requests as well. The ARP cache has only one entry for the network device that I'm pinging. I can't think of any reason why it'd want to send two identical ping requests at a time. Anyone?



Paid service for on-call forwarding?

Anyone using one? Just want something that I can get US DIDs and easily update to forward to whomever is on call that week. Need to support domestic (US) > international forwarding as well. Right now using CUCM on-prem but that is going away and our voice vendor can do it for us but its painful at best.



TIL: about the RFC 1149 - what seems to me to be the ultimate protocol that combines both features of TCP and UDP.

If only the throughput could be increased, we'd be combining the reliability of TCP with the low overhead of UDP. Here's the link to the specifications: Shame about the low throughput. Any ideas on improvements?



Any benefit to using Route 53 instead of DynDNS?

We have six domain names we want to point to websites hosted on AWS servers. We are trying to decide whether to put the name servers for those domains at AWS or put them at DynDNS, redirecting from Dyn to those AWS servers. We already use DynDNS extensively.

Is there any benefit to putting our name servers at AWS instead of Dyn? Is there a cost associated with that?



Trying to get machine auth working on wireless using Anyconnect NAM. Is it possible?

Hey folks. I've been working on ISE for the better part of a year now, and I've made a lot of progress thanks to many of you.

What I'm dealing with presently is, the machine+user auth is currently working on wired dot1x, but I can't find any way to make it work with wireless.

I've got policy sets created, with one specifically for wifi. We're using Meraki cloud controller, with MR32 APs, if that helps



Meraki and MPLS - Interop Issues?

Hi Guys,

Throwing this one out there as i'm having a real mare with it.

We have a customer who has many UK MPLS sites; these all route to an MPLS core site (UK Site A). At the core site (UK Site A) we have a WAN switch which delivers the MPLS primary and secondary connections as well as a connection into a Meraki MX100. This Meraki then has SD-WAN set up to many international locations, which routes via a non-MPLS internet circuit.

The issue we have is that if I'm sat at a non-core site, say UK Site B, I get packet loss to every Meraki international site. This traffic goes via the MPLS, through the WAN switch, to the Meraki LAN interface, out of the Meraki WAN interface and into the switch, then out via the 3rd party internet.

If I’m sat in any international site I get no data loss over the SD WAN to any other international site, so Meraki looks to be good.

If I’m sat in any international site I get data loss to any UK Site apart from (UK SITE A).

If I’m sat in UK SITE A I get NO data loss to any international Meraki site.

All UK MPLS sites have 0 data loss to each other.

I believe the carrier route at UK SITE A is the cause, I have tried to get the carriers best engineers but they seem stumped. We have tried MTU size changes, resetting interfaces, router and NTU upgrades, Meraki upgrades, Repatching ports. You name it

I’ve tried it!

Any ideas at all?

Diagram:

http://oi67.tinypic.com/oqyddl.jpg

Alex



How does MTR learn MPLS labels on distant hops?

When running MTR towards a remote site's IP, I was surprised to see the ISP MPLS labels in the output.

How does my machine know these labels given that the first (local) MPLS router is a few hops away from me? I assumed the labels should be stripped off there.

Tip: In Linux, if your MTR doesn't show these labels, press "e" while the trace is running.

Edit: Cool, there's a web-based, Internet version here: http://mtr.guru/?www.airkoryo.com.kp
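The labels are not learned from the first MPLS hop: the router where the probe's TTL expires attaches its own incoming label stack to the ICMP Time Exceeded it sends back, using the ICMP extension structure of RFC 4884 with the MPLS Label Stack object of RFC 4950, and mtr's "e" toggle simply decodes that object. The following is an added example, not part of the original post or of mtr, that builds such an ICMP message from a constructed original datagram and constructed label values (24001 and 16 are arbitrary) and then parses the labels back out, including the extension checksum check a careful decoder should do.

```python
import struct

ICMP_TIME_EXCEEDED = 11
EXT_VERSION = 2                 # RFC 4884 ICMP extension structure version
CLASS_MPLS_LABEL_STACK = 1      # RFC 4950 object class
CTYPE_INCOMING_LABEL_STACK = 1  # RFC 4950 object C-Type


def _internet_checksum(data: bytes) -> int:
    """RFC 1071 one's complement checksum; returns 0 for a correctly checksummed buffer."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_time_exceeded(original: bytes, labels: list[tuple[int, int, int, int]]) -> bytes:
    """Constructed ICMP Time Exceeded carrying an MPLS Label Stack extension.
    labels are (label, exp, bottom_of_stack, ttl) tuples, outermost first.
    The outer ICMP checksum is left at zero because this message is only parsed, never sent."""
    # RFC 4884: original datagram is zero-padded to at least 128 octets and a
    # multiple of 4; its length in 32-bit words goes into the ICMP "length" byte.
    padded = original.ljust(128, b"\x00")
    padded += b"\x00" * (-len(padded) % 4)
    entries = b"".join(
        struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)
        for label, exp, bos, ttl in labels
    )
    obj = struct.pack("!HBB", 4 + len(entries), CLASS_MPLS_LABEL_STACK,
                      CTYPE_INCOMING_LABEL_STACK) + entries
    ext_hdr = struct.pack("!BBH", EXT_VERSION << 4, 0, 0)
    checksum = _internet_checksum(ext_hdr + obj)
    ext = struct.pack("!BBH", EXT_VERSION << 4, 0, checksum) + obj
    icmp_hdr = struct.pack("!BBHBBH", ICMP_TIME_EXCEEDED, 0, 0, 0, len(padded) // 4, 0)
    return icmp_hdr + padded + ext


def parse_mpls_labels(icmp: bytes) -> list[tuple[int, int, int, int]]:
    """Return (label, exp, bottom_of_stack, ttl) entries found in an ICMP
    Time Exceeded message, or [] when the router attached no extension."""
    typ, _code, _chk, _unused, length, _unused2 = struct.unpack("!BBHBBH", icmp[:8])
    if typ != ICMP_TIME_EXCEEDED or length == 0:
        return []  # length 0 means no RFC 4884 extension is present
    ext = icmp[8 + length * 4:]
    if len(ext) < 4:
        raise ValueError("truncated extension header")
    if ext[0] >> 4 != EXT_VERSION:
        raise ValueError(f"unsupported extension version {ext[0] >> 4}")
    if _internet_checksum(ext) != 0:
        raise ValueError("extension checksum mismatch")
    labels = []
    pos = 4
    while pos + 4 <= len(ext):
        obj_len, cls, ctype = struct.unpack("!HBB", ext[pos:pos + 4])
        if obj_len < 4 or pos + obj_len > len(ext):
            raise ValueError("malformed extension object")
        body = ext[pos + 4:pos + obj_len]
        if cls == CLASS_MPLS_LABEL_STACK and ctype == CTYPE_INCOMING_LABEL_STACK:
            for i in range(0, len(body) - len(body) % 4, 4):
                (entry,) = struct.unpack("!I", body[i:i + 4])
                labels.append((entry >> 12, (entry >> 9) & 0x7, (entry >> 8) & 0x1, entry & 0xFF))
        pos += obj_len
    return labels


# Constructed sample: a minimal IPv4 header start standing in for the expired probe,
# and a two-label stack as an LSR in the middle of an LSP would report it.
SAMPLE_ORIGINAL = b"\x45\x00\x00\x3c" + bytes(24)
SAMPLE_LABELS = [(24001, 0, 0, 1), (16, 0, 1, 1)]
SAMPLE_MESSAGE = build_time_exceeded(SAMPLE_ORIGINAL, SAMPLE_LABELS)

if __name__ == "__main__":
    for label, exp, bos, ttl in parse_mpls_labels(SAMPLE_MESSAGE):
        print(f"label={label} exp={exp} S={bos} ttl={ttl}")
```

Whether you see labels for a given hop therefore depends on that hop's router being configured to attach them; a provider that strips the extension, or one whose LSRs hide the path by tunnelling the ICMP to the LSP egress, will show plain hops.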



Using a serial to USB adapter without Admin privileges/drivers

Hello,

I am looking for a usb to serial adapter where I don't need Admin rights to install the drivers or even a driver.

Is there anything on the market? Are there maybe adapters with drivers where no Admin privileges are needed to install them?

-Thanks



Cisco 5508-x ASA with FirePower

Hello, is there any way for me to find out the uptime of the device after I rebooted it? Is it in the backup config? Startup config? Or anywhere! I accidentally reloaded the device during maintenance but I need to find out how many days it was up prior to that. Any way to figure this out? Thanks!



Layer 3 switch or Router?

I have an edge router ---> switches ---> end users (about 200 users). I want to segregate my network (VLANs) and create some access lists to prevent users reaching some resources. I don't want to use the edge router to do VLAN routing because of the overhead. What is the best practice/solution? Is router on a stick reliable? Or do I need layer 3 switches? If I need L3 switches, how many? Will one switch work as a router to route between VLANs?

Any suggestion, please feel free to ask any questions.



VLAN interfering with another VLAN on same switch

Hi r/networking,

I am trying to set up a switch (cisco sg300 series) to carry two different subnets (.10 and .20), with each on their own VLAN to avoid any contact between the two. Each subnet is being carried in on its own ethernet cable, to ports 11 and 12, respectively, and the subnets already exist independent of this switch and I can communicate with machines on either one that don't come through it.

I want to isolate the two of them, as they're being used for different purposes (communication/control on one, data transfer on the other) and having one be able to talk to the other has caused headaches in previous iterations.

Individually, each VLAN works as intended - I can communicate with machines on the .10 or .20 subnets individually, but if I have both plugged in at the same time the .20 subnet stops working and I can no longer ping any machines connected to it via the switch. If I remove the cable bringing in the .10 subnet or turn its port off, .20 becomes available.

What I want is a setup like the following (minimal) example:

    VLAN   ports    use
    1      13       switch management
    2      11, 23   11 comes in from external switch, 23 connects to a computer
    3      12, 24   12 from external switch, 24 connects to a computer

Is there any way to set up the configurations on the switch such that I can use both subnets simultaneously?

Thanks in advance.



Netgear Introduces 96-Port Modular 10G Switch

https://www.netgear.com/about/press-releases/2018/M4300-96X.aspx

Now I know many of you here are dying to deploy this in your 24/7 mission critical datacenters but it's only scheduled for availability in April. Wonder how raw that launch firmware is gonna be?

Pricing and Availability

The NETGEAR M4300-96X Stackable 10G and 40G Modular Managed Switch (XSM4396K0-empty version) will be available in April 2018 worldwide through authorized NETGEAR partners and other reseller channels and ecommerce sites. It has a suggested price (MSRP) starting at just $100 per port, or $9,600 (USD) for the 96-port 10G SFP+ fully populated version.

The M4300-96X Managed Switch is also available as a 48xSFP+ Starter Kit with a 600W Power Supply Unit. Consult the website for details on additional PoE Power Supply Units and port card variation



Cisco 2960X stacking question

Hi, this question is probably so stupid it's the reason why I can't find help on Google, but can I stack different models of the 2960X series of switches (for example: a 2960X-24PD-L and a 2960X-48LPD-L)?

We have a design with 24PD-L x 2 stacks per building (for the SFP+ uplinks), but I want to add 24 more ports and the consultant wants to add another 24PD-L to the stack when it seems easier to me to change one of the 24PD-L's with a 48LPD-L.

Sorry for the dummy question.

Research: Google and Cisco.com. Found this Whitepaper <Stacking on Cisco Catalyst 2960-X and 2960-XR: FlexStack-Plus and FlexStack-Extended White Paper>: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-x-series-switches/white-paper-c11-739615.html

No explicit mention that I can or can't, which I would assume to mean I can but would like to confirm.



Tuesday, March 6, 2018

Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



FTTH P2P. Really?

Hi guys,

I just bought a new ISP service and a pro fiber FTTH P2P (point to point) line.

But when I check the network I am able to see 5 MAC addresses on the network.

FTTH P2P means that I have to be alone on the fiber, no?!



How would a company achieve in the PSTN network what a company does with BGP and prefixes? Is it practical for a company to "advertise" their own block of telephone numbers through multiple providers?

If the subject is not clear please let me know how I can further clarify. If even remotely possible we would like to be able to be provider independent on inbound calls in case of outages.



Listing of Circuit ID formats to providers?

Does anybody around here have a listing of CID format mapping to the provider it comes from? I'm dealing with a private circuit from Rectums (sorry, Spectrum / former TWC area) that comes from them at one end, but they do not service the remote end. They call these "Type 2" circuits, and they normally seem to contract to GTT to handle everything past some midpoint.

Since I'm not customer of record with GTT, I have no standing to call GTT directly and ask for circuit details. Spectrum does often have a Circuit ID that comes from GTT's end though, so this corresponds to whoever the last-mile carrier is (be it a telco LEC or some other local ISP). I'm often trying to turn these circuits up using a remote-hands contractor, so the more detail I can give them about what equipment they should physically connect to, the more smoothly the process goes.

I'm just wondering if anybody has a list of circuit ID formats and what providers they tend to correspond to. For example, I've found that Spectrum in my area uses periods as separators, and ends everything with "..TWCC". I have Comcast private circuits in other locations, and those are also period-separated and end in "..CBCL.." (with double-dots on both sides). I know that ATT seems to enjoy using slashes instead of periods as separators, but I'm not sure why, and I think I've seen circuits with dots from them as well.

The particular pair of sites I'm trying to deal with today (Spectrum via GTT via ???) are dot-separated, and are both "##.KEGS.######..CV". I've never seen a circuit ending in "CV" so I'm not sure who might be carrying these at the end. If it had been "CL" I would think CenturyLink, but I'm at a loss with "CV." These circuits are both ending in VA, one near Mechanicsville and the other near Chesapeake, if that helps at all.



(Small Bus.) Different users randomly get "no internet" wired&wifi

Hello, I handle the tech for a small business in a rural town and I need some help on where to start troubleshooting.

Quite frequently, random computers will stay connected to the network but show "no internet, secured." This happens with both hardwired & WiFi devices.

Info on network:
* Spectrum Business "Technicolor" modem/router feeds into a Cisco Small Business switch
* 3 computers are hardwired and sometimes another 2-3 are connected via WiFi
* 3 of the computers feed through Polycom VoIP phones
* Don't ever have an issue with speed
* All computers are running Windows 10 Pro

Where should I start on this? I appreciate the help.



Troubleshooting - PA-3050 HA Failover Test - VPN Fails

We are building a new data center that has this as the stack in front of the PA-3050. This is still in building/testing and nothing is being stored/built here yet. Unfortunately for this, I only have access into the PA's and only remotely.

Cisco ISR > Cisco 5516x (for VPN) > PA-3050 - All have two devices for HA.

I am 95% sure my configuration is correct in the PA (my first implementation for a Palo Alto FW). However, when I did my first failover test, I couldn't access either Firewall but the VPN was still up. I had to reboot the FW's to get the A side to take back over and then both Firewalls were available, which was strange. Since then, I made some changes in the config that put me at 95% certainty that the PA config is good. When I went to test my failover again, the Firewalls are apparently correct in their LED indicators but the VPN is completely down with the error that The AnyConnect package on the secure gateway could not be located. I've researched this issue and found that it is quite common however no solution really fit my scenario. My thought is that the 2nd (B side) of the 5516x's does not have AnyConnect configured or configured correctly with either a mismatch in the AC package version or the 5516x is not prepared for HA failover.

Has anyone run into this issue? What did you find the problem to be? What information (remember, only from the PA's) would help you solve this?

Thank you!!



Help please

Hi I’m looking at attending my local community college and going for a two year program and getting an associate degree in Networking. The program is designed to get entry level job. What are some jobs you can get with this degree?



Which network emulator do you use and why?

Hi,

I installed today EVE-NG.

It doesn't look bad at all. Should I start learning on it or switch to GNS3? I wanna avoid future problems.

I wanna know which environment you use and why. There are actually lots of emulators. I didn't expect that many.



How would you handle this situation (Update)

https://www.reddit.com/r/networking/comments/7wpw1j/how_would_you_handle_this_situation/

So I documented the other things this guy was doing to me. I sent this to the best "HR" person in the business.

I officially reported the harassment yesterday; along with other complaints of the place.

I got fired today.



Question on how to properly configure a l3 port for HA.

I am doing HA on 1 L3 port, and I am adding 2 additional L3 ports that will be set up for HA. So in total it will be 3 HA L3 ports.

1 port is already configured with the config below. Would HSRP be the best way to configure the ports? Two of the ports are going to be connected to HA firewalls, and one port will be going to the ISR.

here is the config of the port going to the isr

    interface GigabitEthernet1/48
     description TO_ISR
     no switchport
     ip address 10.50.255.0 255.255.255.254
     ip access-group QOS out
     no ip redirects
     no ip proxy-arp
     ip ospf message-digest-key 1 md5 7 xxxxxxxxxxxxxxxxxxx
     ip ospf network point-to-point
     ip ospf 100 area xxxxxxxxxxxxxx


Quick question about NTP best practice: Local vs External

Hello again Reddit!

I am working on connecting devices on a very small network to NTP in order to get accurate time. It seems like setting up a local NTP server that then connects to external time servers is the preferred way to do it.

What is the motivation for setting up a local server instead of pointing each device on the network to the same one or two external NTP servers, specifically with regard to security? (I understand it is more considerate to the public NTP hosts, but this is a very small network.)



Smarter networking people of reddit, i have a geo-ip question

Hey,

My macro knowledge of how the Internet works is admittedly limited to the basics, but I understand VPN services, basic layers of networking, and the like. My question is this:

With all the drama certain countries cause for our Internet and governments in the West in general, why is geo-IP filtering not a commonly deployed tactic of anti-cyber-warfare, to the extent that we could macro-block entire countries in the same way lots of businesses currently do? Is this tactic already employed on a large scale in gov orgs? The diplomatic situation behind this kind of thing aside, could it be done feasibly on an ISP scale? Would it break everything? Do we depend on a country like Russia or Eastern European countries for some services we couldn't live without?

This question is purely academic please don't bring politics into it, thank you.