Saturday, March 31, 2018

Issues with passive DWDM setup when adding channels

We have a 50km DF run between two sites that we are using in a passive DWDM setup with colored optics. For the past couple of years we have had 10x10g channels active and everything was working fine. Recently we tried adding two more channels, however, when we did that we started seeing CRC errors on some of the existing ports. The basic layout is as follows

+-------+                          +-------+
|       |---->EDFA---------------->|       |
|  MUX  |                          |  MUX  |
|       |<----------------EDFA<----|       |
+-------+                          +-------+

My knowledge of optical networking is extremely limited and I am kind of at a loss of what to look at to troubleshoot this issue. One thing I considered was that we could be running into issues with dispersion and I was wondering if adding a DCM to the mix might help. Has anyone run into a similar situation or do you have any suggestions of things I should be looking at? Also, if anyone has any recommendations for good reading material covering optical networks to get me up to speed I would appreciate it.



What's the easiest way to block all internet access to a pc whilst keeping it on the network so I can access drive shares on my other pc?


sfp+ networking/cabling but layer 3 connectivity?

We are upgrading our small business network and adding a small SAN/NAS device using freenas to have shared high speed storage. I'm looking at upgrading the networking as the 1gbps network is already maxing with the number of file transfers and vm's we have on the network.

I've done a lot of research and it appears that if we get a sfp+ switch, cards and cables then the layer 2 is taken care of but I can't seem to find how the IP network (layer 3) is setup to work on top of that. Can anyone point me at resources to understand more how I can get that rolling?

Also, I've read that RDMA direct memory access helps greatly for VM's and I wonder what direction I can take to make this part of what we are setting up for the networking. Budget is about $30k and there are 6 physical servers and about 50ish virtuals doing various functions.

Any suggestions for network design would be greatly appreciated on this. More info: this is a 100% internal network used for dev/qa, sql server, exchange, filestorage, etc. Our production network is AWS/cloud so it doesn't really figure in this. We use sonicwalls for our outbound network but will probably have to upgrade those soon as the business is growing quickly.



Anybody using Enterprise OpenDNS?

Please keep this to enterprise only, I know they have a free service for home support. Is it worth the cost? Has it protected you? Anybody doing it better in the DNS Firewall space?



Advertising leaked routes between two PE devices.

Hey guys,

I'm busy labbing out a scenario that looks like this.

As can be seen:

  • Two separate customers have their own VRFs (Blue and Red)

  • These two customers each have a site connected to the main PE device, MAIN:PE.

  • There is another PE connected to the main PE, SECONDARY:PE, where VRF Blue has another site.

I have leaked the route for 10.88.0.0/24 (VRF Green) into both of the other VRFs, Blue and Red.

I've accomplished this by importing and exporting the relevant extcommunities on MAIN:PE

I've then added VRF Blue to SECONDARY:PE and added a site there. I noticed that the route leaked on MAIN:PE is not advertised to this Secondary PE.

I know if I make the default gateway point towards MAIN:PE from SECONDARY:PE I will be able to reach the leaked route. But is there a way to propagate that leaked route throughout a VRF?

edit** I could also create VRF Green on the secondary PE and then leak again, but my question of the ability to advertise the leaked route within the VRF still stands.



C3850-12XS as MPLS P switch

Hello Redditors,

I've got a question related to the C3850-12XS. Now that these devices have MPLS support, I was thinking about building a small MPLS core (4x P routers connected at 10GE) using these devices.

They seem to fit. They would only be used as MPLS P (LSR) devices, not PE, so the routing table would be quite small (probably less than 100 routes); they wouldn't participate in BGP, only single-area OSPF, and there's also no need for MPLS-TE. This is basically to build a (cheap) solution to provide L3VPN and VPLS services between 2 locations.

This is for a small project, and traffic stats are going to be small as well (we don't expect to go above 20 Gbps in a single direction in the next 2 years at least).

So, the question is: has anyone tried this, or is doing this in a production environment? How stable has it been for you? We mainly considered the model because it has the features we need for a 10GE P core device at the scale we work with, at a good price.



Trouble with ethernet connection, but multimeter says its hot.

In my apartment, I have a non powered ethernet splitter that feeds to ports in other rooms. If I plug a cable into one of the jacks in another room and test the pins, I get a signal with a multimeter. If I unplug my router from the splitter, I don't get the signal anymore. So it appears that the connection is indeed reaching my router. But if I plug a device into that same jack, I cannot get an ip nor can I ping my router.

Any thoughts for what else might be happening? I'm a little sketched out by the non-powered splitter....

Edit: Sounds like it is indeed the splitter. Thanks for the help.



In the OSI model, at which layer is the data handled: the physical layer or the transport layer?

I'm preparing for CCNA certification. Can anyone please give me some clarity about how the communication flow happens?



IPSec tunnel not coming up

I have an ASA 5510 configured for policy based routing and an ASR configured for route based. Both are configured for IKEv1. The tunnel seems to not want to come up. We've verified the IKE phase 1 and 2 match and we have basic connectivity. I can ping the public interface. Am I missing something?



Need advice/recommendation on small portable LAN/WAN

I work with a team of highly qualified individuals but they have very little network skill. We are deployed in groups that may be 1-10 miles apart from each other and all gear has to be lightweight, low power, portable and pre-configured. Here is our basic setup:

Team 1 (First arriving team, “Recon”, small group 5-15)

ERX router (192.168.1.X)

Port 1 Primary WAN, not used until broadband available via Nano Beam to Team 2

Port 2 Secondary WAN, failsafe to Port 1, used by cellular or small sat until Primary WAN is available

Port 3 LAN Printer

Port 4 LAN AP

Port 5 LAN 8 port switch (if needed)

Team 2 (Second arriving team, “BoO”, large group 35-80):

ERX router (192.168.2.X)

Port 1 Primary WAN large sat or other broadband

Port 2 Nano Beam to Team 1 (192.168.1.X)

Port 3 Nano Beam to Team 3 (192.168.3.X)

Port 4 LAN AP

Port 5 LAN 16 port switch for PCs, Main Printer, NAS, VOIP

Team 3 (detached mission, “Search”, small group 4-6)

ERX router (192.168.3.X)

Port 1 Primary WAN, not used until broadband available via Nano Beam to Team 2

Port 2 Secondary WAN, failsafe to Port 1, used by cellular or small sat until Primary WAN is available

Port 3 LAN Printer

Port 4 LAN AP

Port 5 LAN 8 port switch (if needed)

I separated the teams IP addresses so as to keep network traffic over the microwave links low and improve performance. However, a new request has been made that any team can print to any printer. Do you think it is wise to put everyone on one big subnet? How else could I get everyone to print to every printer? I am by default the network guy but it is not my everyday job. Just looking for some guidance from people that do this stuff every day. Thanks.



DNS filtering service for Service Providers?

I work for a smallish ISP. We've built our own internal DNS filtering service which we offer as a service to our customers (blocking security threats/content filtering etc.). We're really happy with it and we've spent quite a lot of time building it and creating all the infrastructure around it to pull in from content lists/security threats quickly. We find it's a good added service for customers who don't want a fully managed firewall (for which we use Fortigate).

We were discussing yesterday whether what we've built could be useful for other ISPs. I know there are services out there like DNSFilter/SafeDNS, but our service is definitely tailored to our own ISP/MSP use case. With some tweaks we could create an "on-prem" style product that providers could run inside their own networks, where it pulls its lists from a managed central service. We could also offer it as a hosted product which may be useful for smaller ISPs.

Anyway, it's just an idea - we're happy with what we have but would like to know if this is of interest to anyone. Thanks in advance!



Do Linksys E1200 and E2500 have an Ethernet wan port?

Title says it all.



Configuring Cisco DHCP pool for iPXE booting clients

I'm trying to configure a DHCP pool on my 3560G switch to load SmartOS via iPXE. My TFTP server has undionly.kpxe and menu.ipxe, which tells the client what to boot. I get the client to boot the undionly.kpxe file, but I'm not sure how to get it to boot menu.ipxe. My TFTP server is 10.50.3.191. Here is the current config.

    ip dhcp pool DHCPPOOL
     network 10.50.3.0 255.255.255.0
     bootfile undionly.kpxe
     next-server 10.50.3.191
     default-router 10.50.3.3
     domain-name example.com
     dns-server 8.8.8.8 8.8.4.4

What do I need to add to get it to load menu.ipxe?



High ping on aws server?

I live in Brazil, and I have almost the same ping to the Sao Paulo server that I have to the us-east server. Does someone know what is going on? How do I fix it?

https://imgur.com/a/nCBXQ

edit: I don't know how to do this but I will try (traceroute): https://imgur.com/a/Prg3K



Cisco Nexus 5k, wake on lan possible?

We have a patching server on our Nexus environment and we want to try out WOL to patch computers that have been turned off during our regular patching.

We're using Nexus 5k, with HA. 5696Q 7.3(2)N1(1). Cisco 6509.

Layout.

Nexus as a Layer 3 switch for our data center, going to our core. Nexus hosts our WOL server. The 6509 also connects to our core. Our users connect to the layer 2 switches, then to the 6509.

The reason why I was asking if it's possible is because of the lack of commands on NX-OS. I gathered information online and figured I'd use the following commands.

Cisco 6509 - user PC LAN / remote PC VLAN:

    interface Vlan100
     ip helper-address 10.12.12.5    ! WOL server
     ip directed-broadcast 101

    access-list 101 permit udp host 10.12.12.5 any eq 7

On the Nexus I thought I could use:

    ip forward-protocol udp 7

WOL VLAN interface:

    interface Vlan40
     ip helper-address 10.10.10.255    ! remote PC VLAN directed broadcast

Now on the Nexus there is no ip helper under the interface. What I found was to use the ip dhcp relay command. From what I read online this is only for DHCP ports, not port 7 that our server uses. So that's where I'm stuck. How can I get my WOL magic packet sent out of my WOL VLAN to my 6509?



Cisco 3650/3850 3.6.7 exposes stupid mistake

S***post about something that happened at work. I sometimes dump frustrating or stupid things that happened on here so I can remember why I hate my career field.

Every network admin knows to not put access ports in the native VLAN. It opens up the threat vector for double-tagged frames. IOS XE will not stop you from doing it however and I have a neat trick to figure out if you have any such misconfigurations in your network. Upgrade to 3.6.7e.

How it came to me: I have a switch configured this way* that I have just now upgraded to IOS XE 3.6.7e to get around one of the numerous bugs in 3.6.2ae. Users on the access ports are not passing traffic. GD. IP device tracking, the DHCP server itself, ARP cache, all confirm nobody is getting an IP. Netflow or interface statistics would have shown it more easily during a busy time of day. I don't remember if the SVI for the mgmt IP was in the native VLAN or not but I could SSH in. Easy fix; 3.6.6e does not exhibit this behavior. 3.6.8e is out now but I haven't tested it for this.

*I help manage a ~5000 switch/router wide network so please allow me to put the blame squarely on "whatever idiot" configured it this way.



Friday, March 30, 2018

INE Is Getting Just As Bad As Solarwinds

We spent some $$$ for an AAP for multiple team members and a good chunk on tokens and now I'm being spammed to death. https://imgur.com/dTPXi4Z starting to feel just as bad as Solarwinds.



DHCP Issue stumping me

Hello friends,

I have been working with a colleague to try and figure out this issue but have run into some confusion which will probably seem completely academic to you.

We have a device in question which is a hardware controller (http://www.wiznet.io/product-item/wiz550io) . This controller is set to allow for dhcp, and has a default IP of 192.168.1.2.

In our main office, which has DHCP running on a windows 2012r2 server, it is able to connect properly and go through the standard handshake process.

When I take the same device to our other office down the street, which has DHCP running off of our firewall (fortigate 60e), it fails. Port mirroring and wireshark shows the device constantly sending out the discovery broadcast but never receiving a response. Other devices can get addresses just fine on this same port.

The wireshark capture shows that the source is the 192.168.1.2 (default address) and destination is the broadcast address 255.255.255.255. I wagered that this was probably the issue but was stumped by how it was then able to work in our other location with a Windows DHCP server. Note that we do not have a 192.168.1.0/x subnet in either location.

Before submitting this post, my colleague confirmed that once he set the default IP to 0.0.0.0 it was able to successfully obtain an address in our remote office.



Cisco 3750G flash/nvram free space and filesystem geometry

I'm trying to copy a file to a 3750G's nvram: that is smaller in bytes than the filesystem's listed free space in bytes. However, the transfer aborts with:

    %Error writing nvram:blah (No space left on device)

I assume this is because the free space does not indicate unallocated free space, just filesystem capacity minus straight used space (so if it's a 524288 byte filesystem with 2k blocks, and I have two 100-byte files, it would show 524088 bytes free but I couldn't actually put anything larger than 520192 bytes).

Is there a way to find more details on the flash/nvram filesystems in these switches? Either through Cisco documentation or a CLI command to show filesystem geometry? Something that could show me actual usable space would be fantastic.

FYI right now the nvram: filesystem has two files of 0 bytes, is showing a capacity of 524288 bytes, with 524236 bytes free.



Server to host video streaming for nationwide company

Hi all,

I work for a company that has stores nationwide. In each store we have a Samsung TV that we use to stream information pertaining to the job. I've been with this company for a year now and recently have been in charge of maintaining the TVs in each location as a side project to my normal networking tasks.

We host our playlists on a separate server that we pay for, but I've been wanting to find a way to host these TVs' playlists and maintain them on a server of our own so we don't have to pay for the licenses through a third party company. The only issue being I have never attempted something like this before.

Does anybody here have any insight or previous knowledge/know how on this kind of thing and could point me in the right direction to get started? I really feel like this could save my company thousands of dollars every year if I could pull this off.

Thank you for reading!



Cisco Firepower email alerts

I'm trying to more effectively monitor a Cisco Firewall on my cell phone.

Can you help me configure alerts so they don't come as attachments to email, but are inserted in the body of the email instead?

Connection oriented alerts come as plain text in the body of the email titled "Auto Generated Email" [yay, this is helpful],

but the vast majority of my other alerts are titled "Emailed Report" and require downloading and opening a text file [e.g. JobSFMail-20180330163002.e276abec-e0f2-11e3-8169-6d9ed49b625f.txt] before I can see the message. [boo, this prevents me from seeing at a glance on my phone if the alert is important or not].



Using “public IPs” on private networks

I have a question I've wondered about for a few weeks. Is there anything stopping anyone from using public IP ranges within their own LAN? For example, can I make my DHCP range for WiFi 78.78.78.1 - 78.78.78.255? We can assume this is a typical setup from an ISP where they provide you a public IP gateway.



Cloudflare Announcing 1.1.1.1 & 1.0.0.1 DNS Resolvers

A heads up since I know a lot of people like to treat 1.0.0.0/8 like private space - it seems like Cloudflare and APNIC teamed up to start offering DNS service on 1.1.1.1 and 1.0.0.1. The announcement isn't "official" yet but the service is already running.

On the plus side the resolver is fast as lightning (probably because nobody is using it yet). The IPv6 addresses are 2001:2001:: and 2001:2001:2001::



Cisco WLC Question... trying to improve 2.4ghz on my campus

Greetings all,

Still working on trying to improve our wireless on our campus. I've gone through multiple rounds with VARs and Cisco Wireless Experts and we've made quite a few adjustments for our residence halls in particular but I'm still getting complaints. I think some of this is simply due to interferers... in some areas I'm seeing 80%+ channel utilization with less than 5% tx and rx on the AP and its neighbors and with a number of unknown interferers in the area with unknown effect and duty cycles. We won't know for sure until this summer when we can go in with a spectrum analyzer and disable our radios for a clean survey of the air space. Since most of our residence hall APs are in a hallway covering rooms on both sides (not great, I know, but this can't be changed anytime soon), they can see each other as neighbors fairly easily.

We don't support 802.11b anymore and that helped, particularly with roaming. A lot of complaints in the residence halls don't really involve a roaming situation though. Our engagements with the experts have indicated the following data rates for 2.4ghz:

    Data Rate   Support
    1 Mbps      Disabled
    2 Mbps      Disabled
    5.5 Mbps    Disabled
    6 Mbps      Disabled
    9 Mbps      Disabled
    11 Mbps     Supported
    12 Mbps     Mandatory
    18 Mbps     Supported
    24 Mbps     Supported
    36 Mbps     Mandatory
    48 Mbps     Supported
    54 Mbps     Supported

Recent attempts to improve the situation have involved reducing the 2.4ghz cell size by modifying the RRM Power Threshold v2 trigger and Maximum Power Level Assignment. I believe, judging by feedback, this had a small positive effect but it wasn't enough yet. We also enabled a 5ghz only SSID but I've already gotten a complaint about that network as well.

My second attempt involved adjusting those settings again, this time to increase 2.4ghz cell size, and disable the 2.4ghz radio on every other AP (staggering between floors). We're in the process of seeing how this one plays out although RRM is still keeping the radios power level down so I started looking in to other possibilities.

I'd like to disable the 11 Mbps data rate... advice we got previously was to leave it on so clients could drop down to it if necessary but I'm wondering if this isn't part of the issue since, as I've read, this could be causing a larger cell size for AP neighbor detection. I did try to disable it on one RF profile but got an error saying "Failed to update 11b data rate as 802.11b network is operational"... do I need to disable this data rate in Wireless->802.11b/g/n->Network first?

This is a BYOD environment so I have to support as much as possible, within reason (#sorrynotsorry802.11b). When I look up device info in Prime Infrastructure on some of the tickets I've gotten, connectivity/data rates/SNR/etc usually looks pretty good for the most part. Anyone have any similar experiences or thoughts on this?

edit Update to include some additional information... all of our residence halls are utilizing a main SSID broadcasting both 2.4ghz and 5ghz with Band Select enabled (the two residence halls I'm using to test are also broadcasting the second 5ghz only SSID I mentioned above). AP units consist of Cisco 2702i APs and some 702w/1801w deployed where we had to.



Port Security

Ok, so to preface this question, I am new to networking. I understand the basics and am working towards my CCNA, but I definitely have to consult Google every single day still. I tried googling this question, and asking my coworkers, but no one had an answer.

So I'm bringing a new VoIP phone online for a customer. We use port security and sticky MAC-addresses for the network, so I SSH into the switch to clear the port and make sure the interface has the right vlans. However, I can't clear port security. I type in clear port-sec ? and it only shows dynamic as the next choice. Normally, I type clear port-sec sticky interface interface. But all, configured, and sticky don't show up as logical next steps when I use the ?. Ultimately I just removed the configuration for port security and added it back, but I was curious as to why clear port-sec sticky wouldn't work.



VLAN Question

I'll start off saying I'm new to VLANing. I have a SonicWall TZ400 and an HP OfficeConnect 1920S. I have VLAN ID 3 configured on SonicWall X0:V3 and VLAN ID 3 configured for the POS system on the switch. I have Port 5 on the switch that will be the end user device (DHCP preferably). On the switch:

I currently have Port 5 (End user) configured to include and tag VLAN ID 3. I also have VLAN ID 1 exclude and untagged.

I have Port configured as a trunk (TRK1) on the switch which plugs into X0 on the SonicWall. TRK1 is currently untagged and include in VLAN 1 & 3.

My goal is to have Port 5 (POS end user) go out to the internet without any communication to the rest of the network with VLAN 3.

As I said, I am very new to VLANs and still learning, so I am sorry if I seem confused at first and have questions.

Thank you for your help in advance.



NAT and RDC/ SSH question

I have a couple questions involving networking:

*I understand that when a request is made using NAT, it is recorded in the NAT table from the respective computer so that the router knows who to route the response to. But how does this work if two computers on the network make identical requests at the same time?

*With SSH/ Remote Desktop Connection, how does the protocol/ application know which private IP address to route the connection to on the network if the private ip can change from DHCP?
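
The first question is answered by port address translation (PAT, which is what home and office routers actually do): the table is keyed on the whole 5-tuple and the router rewrites the source port, so two hosts sending identical requests still get distinct entries, and the reply's destination port picks the right one. The second comes down to unsolicited inbound traffic having no table entry at all: remote SSH/RDP needs a static forward, which pins an inside address, which is why that host needs a DHCP reservation or a static IP. The Python below is an added example, not from the post; the addresses and ports are constructed (RFC 5737 documentation ranges on the public side).

```python
"""Port address translation (PAT): one public address, many inside hosts,
even when two of them send byte-for-byte identical requests.

Added example, not from the post. Addresses and ports are constructed
(RFC 5737 documentation ranges for the public side)."""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTable:
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self._out = {}      # (proto, inside ip, inside port, dst ip, dst port) -> public port
        self._in = {}       # (proto, public port, remote ip, remote port) -> inside (ip, port)
        self._static = {}   # (proto, public port) -> inside (ip, port), i.e. a port forward

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite the source of an inside->outside packet. Identical requests from
        two hosts differ only in src_ip, so they get distinct public ports; that
        port, plus the remote ip:port, is what disambiguates the replies."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._out.get(key)
        if port is None:
            port = next(self._next_port)
            self._out[key] = port
            self._in[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def add_static(self, proto: str, public_port: int, inside_ip: str, inside_port: int):
        """A port forward: the only way an unsolicited inbound SSH/RDP connection
        reaches an inside host. It pins an inside address, so that host needs a
        DHCP reservation or static IP, or the forward silently points at whoever
        gets the lease next."""
        self._static[(proto, public_port)] = (inside_ip, inside_port)

    def translate_in(self, pkt: Packet):
        """Rewrite the destination of an outside->inside packet, or None to drop it."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self._in.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            inside = self._static.get((pkt.proto, pkt.dst_port))
        if inside is None:
            return None            # no state and no forward: unsolicited traffic is dropped
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside[0], inside[1])


def demo():
    nat = PatTable("203.0.113.5")
    # Two inside hosts, same source port, same destination: "identical" requests.
    a = nat.translate_out(Packet("tcp", "192.168.1.10", 40000, "198.51.100.7", 443))
    b = nat.translate_out(Packet("tcp", "192.168.1.11", 40000, "198.51.100.7", 443))
    # The server answers b's translated port; only .11 gets it.
    reply_to_b = nat.translate_in(Packet("tcp", "198.51.100.7", 443, "203.0.113.5", b.src_port))
    # Inbound SSH only works because of an explicit forward to a fixed inside IP.
    nat.add_static("tcp", 22, "192.168.1.50", 22)
    ssh_in = nat.translate_in(Packet("tcp", "198.51.100.99", 51515, "203.0.113.5", 22))
    # Unsolicited RDP with no forward is dropped.
    stray = nat.translate_in(Packet("tcp", "198.51.100.99", 51515, "203.0.113.5", 3389))
    return a, b, reply_to_b, ssh_in, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Real NAT devices also age entries out, match on TCP state and randomise the translated port rather than counting up; the counter here is deliberately simple so that the two distinct ports are easy to see.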



Using VLAN to separate traffic from different WiFi networks?

I'm hoping someone has an idea of how to help me understand/implement this. We have a good number of guests in and out of our office. We want them to be able to connect to our WiFi in the building and get to the Internet, but:

  • We don't want them to be "on the same network" as our employee servers where they could get into our staff drives or communicate directly with any of our machines, and

  • We don't want connections coming in from the guest WiFi to get DPI-SSL through our firewall, because if you don't have a special certificate installed on your machine, you're not able to get to any secure websites. This is fine for our machines because we push the certificate out, but for guests it's a pain to download and install the certificate every time, and often they're not really OK with us installing stuff on their personal computers to begin with.

My boss has this idea that we can use VLANs and tagging to set it up so that guests get DHCP from the wifi routers and are placed on a separate VLAN with a different IP range, and we can then apply different rules to that range using the firewall. The problem is, there are only 3 of us in the department (including boss) and none of us has any experience with VLAN and we're collectively banging our heads against the wall trying to get our minds around this problem.

In an ideal world, this is how the setup would function:

  1. The (Aruba) wifi access points have 2 networks broadcasting: Internal and Guest. When you connect to Guest, you get DHCP and it assigns you an IP in a range that's different from the one we use internally.

  2. The Aruba is configured to add VLAN tags to traffic packets on both networks. For example, let's say it tags traffic on the Internal wifi as 10 and the Guest wifi as 20.

  3. The packets are passed on to a (Netgear GS748T) smart switch, which is configured to separate the traffic onto the 2 VLANs and then pass the packets on to the firewall with the tags left intact.

  4. The firewall (SonicWall NSA 2650) is configured to apply different rules to packets with different VLAN tags. It receives the tagged packets and applies DPI-SSL to packets tagged 10/Internal and does not apply DPI-SSL to packets tagged 20/Guest.

I haven't been able to find any documentation in the switch manual or online about how to potentially set this up, or whether it's even possible in that configuration. If there are any VLAN gurus around here who want to help me work through this problem, or can even send me some links to good resources to help me sink my teeth into VLAN as a topic, I'd be eternally grateful.
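
Both the tagging plan in this post (guest traffic tagged 20, internal 10, carried over trunks to the firewall) and the double-tagged-frame hazard mentioned in the 3650/3850 post above (access ports in the trunk's native VLAN) come down to how a switch pushes and pops 802.1Q tags. The Python below is an added example, not code from either post and not Aruba, Netgear or SonicWall configuration; it models the push/pop rules in a few lines and runs both scenarios. The VIDs, the made-up MAC addresses and the unused native VLAN 99 are assumptions for the demo.

```python
"""802.1Q tagging as a switch handles it: push/pop tags, classify a frame by
its outer VID, and show how a trunk whose native VLAN is also an access VLAN
lets a double-tagged frame hop into another VLAN.

Added example; not code from either post. VIDs and MAC addresses below are
made up for illustration."""
import struct

ETH_P_8021Q = 0x8100   # TPID of an 802.1Q tag
ETH_P_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, payload: bytes, vids=()) -> bytes:
    """Ethernet frame carrying zero or more 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ETH_P_IPV4) + payload


def vlan_tags(frame: bytes) -> list:
    """VIDs present on the frame, outermost first (empty list if untagged)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def push_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Strip the outermost tag; the caller checks that there is one."""
    return frame[:12] + frame[16:]


def access_ingress(frame: bytes, access_vid: int):
    """Access port: untagged frames join the port VLAN; a frame tagged with the
    port VLAN is accepted as-is (any inner tag is just payload to this switch);
    a frame tagged for another VLAN is dropped (None)."""
    vids = vlan_tags(frame)
    if not vids:
        return push_tag(frame, access_vid)
    return frame if vids[0] == access_vid else None


def trunk_egress(frame: bytes, native_vid: int, allowed: set):
    """Trunk: the native VLAN leaves untagged, other allowed VLANs keep their tag."""
    vids = vlan_tags(frame)
    if not vids or vids[0] not in allowed:
        return None
    return pop_tag(frame) if vids[0] == native_vid else frame


def trunk_ingress(frame: bytes, native_vid: int) -> bytes:
    """Trunk: an untagged frame is classified into the native VLAN."""
    return frame if vlan_tags(frame) else push_tag(frame, native_vid)


def deliver_vlan(frame: bytes):
    """VLAN the receiving switch or firewall files the frame under: the outer VID."""
    vids = vlan_tags(frame)
    return vids[0] if vids else None


# --- Scenario 1: guest/internal separation up to the firewall trunk ----------
ZONES = {10: "internal (DPI-SSL on)", 20: "guest (DPI-SSL off)"}
CLIENT = bytes.fromhex("02aabbccdd01")    # constructed MACs
GATEWAY = bytes.fromhex("02aabbccdd02")


def firewall_zone(frame: bytes) -> str:
    return ZONES.get(deliver_vlan(frame), "drop: unknown VLAN")


def guest_path() -> str:
    """AP tags guest traffic 20 -> switch trunk keeps the tag -> firewall zone."""
    f = build_frame(GATEWAY, CLIENT, b"GET / HTTP/1.1", vids=[20])
    f = trunk_egress(f, native_vid=99, allowed={10, 20, 99})   # 99: unused native VLAN
    return firewall_zone(trunk_ingress(f, native_vid=99))


# --- Scenario 2: double tagging across a trunk --------------------------------
def vlan_hop(attacker_port_vid, native_vid):
    """Attacker on an access port sends outer tag = its own VLAN, inner tag = 20.
    Returns the VLAN the second switch delivers into, or None if it never arrives."""
    f = build_frame(GATEWAY, CLIENT, b"evil", vids=[attacker_port_vid, 20])
    f = access_ingress(f, attacker_port_vid)
    if f is None:
        return None
    f = trunk_egress(f, native_vid, allowed={1, 10, 20, 99})
    if f is None:
        return None
    return deliver_vlan(trunk_ingress(f, native_vid))


if __name__ == "__main__":
    print(guest_path())                  # guest (DPI-SSL off)
    print(vlan_hop(1, native_vid=1))     # 20  <- hopped: access VLAN == native VLAN
    print(vlan_hop(10, native_vid=99))   # 10  <- stays put: native VLAN unused
```

The second scenario is the whole of the native VLAN warning: `vlan_hop(1, native_vid=1)` returns 20 because the first switch pops the attacker's outer tag (it equals the native VLAN, so the frame goes out untagged) and the second switch then honours the inner tag; with the native VLAN set to an unused ID the same frame stays in the attacker's own VLAN. The usual mitigation on Cisco-style switches is a dedicated, unused native VLAN on every trunk (`switchport trunk native vlan <unused>`) and tagging the native VLAN where the platform supports it (`vlan dot1q tag native`); on the Netgear and Aruba gear in this post the equivalent is to keep VLAN 1 (or whatever is untagged on the trunk) off every access port and SSID.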



WLC Krack - Stable Versions of Code

Anybody get this stable yet? Finally got all my legacy APs out of the environment and will probably pull the trigger.



Troubleshooting Cloud Application - Bandwidth Being Blamed

I have a client that uses a cloud application and the users are complaining about sporadic performance problems during certain operations within the program. Using all the bandwidth and network traffic monitoring that we have in place there are no obvious issues with the Internet connection. In fact, it appears they aren’t using anywhere close to all the bandwidth, especially in this application. The cloud provider has a speed test that can be run to test the connection between us and their data center. When the users are experiencing the performance issues, I have them run the speedtest. The results the users are getting back are showing a very healthy connection; always 25ms or less of latency and greater than 50Mbps upload and download. In addition to this, I have made packet captures of the cloud application (during times where no performance issues are noticed) and I have seen that these operations involve very little data transfer. In most cases it is less than 3MB in total data for an operation that when the performance problem is present is taking as long as 5 minutes to complete. In many cases the users are even having to “end task” on the cloud application because, from what they tell me, it looks as if the application is locked up.

Currently we seem to be stuck in finger pointing mode in that the cloud provider (and some users) are just blaming our “bandwidth” as the problem. I feel like the results that the users are getting from the speedtests they are running while the problem is occurring are conclusive proof that there isn’t an issue with bandwidth/connectivity but I am still struggling to get traction with the cloud provider.

Does anyone else have any suggestions on what I can do to isolate the problem and/or make real progress on getting the issue worked on properly by the cloud provider?

Any suggestions are greatly appreciated and please let me know if you need more info from me on this.



Cisco router for 350Mbps Internet?

Hi all, need some advice please!

We recently upgraded our VirginMedia service from 152Mbps to 350Mbps (with static IPs and SLA). We go through a Cisco 892 ISR, so we can use WAN failover (to an old ADSL line) and other features. I used to get 152Mbps fine with our old connection, but since the upgrade it's actually slower (100Mbps max download on speed-tests). When I connect directly to the Virgin router I get nearly 400Mbps, so clearly the problem is with our Cisco configuration. I found that by removing IPS from the WAN interface, it now maxes out at about 180Mbps, so nearly a 100% increase. I've determined that the general issue is that I'm maxing out the capability of the CPU on the Cisco router. Doing a "show processes cpu history" command in the CLI confirms that it is indeed struggling.

A few questions:

  1. Why is the relatively-expensive Cisco892 router so much slower than the relatively-cheap Virgin router? I assume this is because the Cisco box is doing everything through the processor and offering more services/inspection at the cost of performance?

  2. Is there a quick-fire solution to improving this speed, i.e. anything else I can disable on the router? The only things I'm using now that could be using CPU is the general firewall (access-group in) and the SLA for failover so I don't think there is...

  3. What would be a good upgrade for my situation? I want to stick with Cisco preferably. Something that's going to do 400Mbps without killing the CPU, but not too overkill!

Many thanks in advance!



AS Path Filter list contains ^$

Just want to confirm what this means. Here is the config output

ROUTER#show ip as-path-access-list 10

AS path access list 10

 permit ^$ 
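
As an added example (not from the post), here is the matching rule evaluated in Python so the `^$` entry can be checked against real paths. It translates IOS's `_` metacharacter, which plain regex engines do not know, and applies an ordered permit/deny list with the implicit deny at the end. A path is the string `show ip bgp` prints; a locally originated prefix has an empty path, which is the only thing `^$` matches, so access list 10 permits locally originated routes and nothing else.

```python
"""Evaluate IOS-style AS-path regular expressions, including the '^$' entry in
the post. Added example, not from the post. Only '_' needs translating: in IOS
it matches the start or end of the path, a space, a comma, or a brace or
parenthesis (the delimiters of AS sets and confederations); the rest is
ordinary regex syntax that Python's re module understands."""
import re

_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_as_path_regex(pattern: str):
    return re.compile(pattern.replace("_", _UNDERSCORE))


def as_path_matches(pattern: str, as_path: str) -> bool:
    """as_path is the path as 'show ip bgp' prints it, e.g. '65001 65002'.
    A locally originated route has an empty path, which is all '^$' matches."""
    return ios_as_path_regex(pattern).search(as_path) is not None


def apply_as_path_acl(entries, as_path: str) -> str:
    """entries: ordered list of (action, pattern); first match wins, with the
    implicit deny at the end, like an ip as-path access-list."""
    for action, pattern in entries:
        if as_path_matches(pattern, as_path):
            return action
    return "deny"


# The access list from the post: permit only locally originated routes.
ACL_10 = [("permit", "^$")]

if __name__ == "__main__":
    for path in ("", "65001", "65001 65002"):
        print(repr(path), apply_as_path_acl(ACL_10, path))   # '' permit; the other two deny
```

Applied outbound to an eBGP neighbour, such a list is a simple way to make sure you only announce what you originate yourself and never become a transit AS by accident; `_65001_` style entries are the other common shape, and the translation above shows why `_` and not a space is the right delimiter (it also matches the first and last AS in the path).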


Looking for a specific Media converter

So a while back, in one of the media converter posts, someone had an SFP to copper converter that they said was comparable in price to an FS.com one, but was wall mountable and had space inside a cover to coil the patch cord. It was white in color.

I can't seem to find the post. Anyone have any ideas?



Differences in bridge domain interface and subinterface?

I have a trunk from an ASR 920 to an ASR 1002 HX which I am using for a border router. I can configure it either with subinterfaces or service instances and BDIs. I don't really see any practical differences other than I can save VLANs on the router by using service instances and stripping the tags. I don't really foresee that being an issue, but if there is no reason I shouldn't use a BDI then I think I should be consistent with the ASR 920s.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Thursday, March 29, 2018

Bizarre Default Gateway Behavior, clients ignoring default gateway

I came across something today I've never seen in 15 years, and I'm having a tough time figuring out how this is even possible.

Our current corp LAN is 192.168.100.0/24. The router/gateway is 192.168.100.1. However, I'm testing a new router/firewall, so I have it setup at 192.168.100.7 on its LAN interface. It's using an unused WAN IP. I was planning on testing rules etc. by setting a client's default gateway to the new device at .7 (have done this many times before in the past for testing).

So here's where it gets weird. I set a laptop to use a gateway of 192.168.100.7. If I plug the laptop directly in to the LAN port on the router, the laptop correctly uses that as its gateway, and I can see traffic flowing through that new router.

However, if I plug the laptop into the switch (still statically set the gateway as .7), the laptop seems to "ignore" the .7 gateway, and somehow finds and uses the existing .1 gateway. Windows 7, 10, and some iOS devices all behave this same way. Traceroutes confirm it's going through .1 (which it shouldn't be), and it's going out the WAN address of the .1 router.

So I'm scratching my head here -- why (and how) are clients seemingly ignoring the .7 default gateway which has been statically set? How are they able to auto-magically find the .1 gateway? A route print on the windows clients makes no reference to the .1 gateway and shows the 0.0.0.0 route as 192.168.100.7. But for some reason the clients are basically ignoring that second GW.

Ideas?
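
One documented mechanism by which a host sends traffic to a router other than its configured default gateway is an ICMP Redirect (RFC 792, type 5): the gateway the host was told to use answers "send that via this other router instead", and the host caches the new next hop per destination rather than changing its configured route, which is why a route print can still show .7 while packets go to .1. Whether that is what happened in this post is an assumption; a capture on the laptop filtered on ICMP type 5 would confirm or rule it out. The decoder below is an added example, not from the post or any vendor; the router addresses match the post, while the sample client (192.168.100.50) and destination (203.0.113.10) are constructed.

```javascript
// Added example, not from the original post: decode an IPv4 packet and
// report whether it is an ICMP Redirect (RFC 792, type 5). The sample packet
// is constructed here, not captured from the poster's network.

function ipv4ToString(buf, off) {
  return `${buf[off]}.${buf[off + 1]}.${buf[off + 2]}.${buf[off + 3]}`;
}

// Internet checksum (RFC 1071): one's-complement sum of 16-bit words.
function inetChecksum(buf) {
  let sum = 0;
  for (let i = 0; i + 1 < buf.length; i += 2) sum += buf.readUInt16BE(i);
  if (buf.length % 2 === 1) sum += buf[buf.length - 1] << 8;
  while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
  return ~sum & 0xffff;
}

// Returns null for anything that is not a well-formed ICMP Redirect, otherwise
// the fields that matter when a host starts using an unexpected gateway.
function parseIcmpRedirect(pkt) {
  if (pkt.length < 20 || pkt[0] >> 4 !== 4) return null;          // not IPv4
  const ihl = (pkt[0] & 0x0f) * 4;
  const totalLen = pkt.readUInt16BE(2);
  if (pkt[9] !== 1 || totalLen > pkt.length || ihl < 20) return null; // not ICMP / truncated
  const icmp = pkt.subarray(ihl, totalLen);
  if (icmp.length < 8 + 20 + 8 || icmp[0] !== 5) return null;      // need inner IP header + 8 bytes
  if (inetChecksum(icmp) !== 0) return null;                      // damaged; don't trust it
  const inner = icmp.subarray(8);
  const innerIhl = (inner[0] & 0x0f) * 4;
  if (innerIhl < 20 || inner.length < innerIhl) return null;
  const codes = ['network', 'host', 'tos-and-network', 'tos-and-host'];
  return {
    from: ipv4ToString(pkt, 12),          // the router that issued the redirect
    to: ipv4ToString(pkt, 16),            // the host being redirected
    code: codes[icmp[1]] || `unknown(${icmp[1]})`,
    newGateway: ipv4ToString(icmp, 4),    // where matching traffic will go from now on
    originalDst: ipv4ToString(inner, 16), // destination of the datagram that triggered it
  };
}

function ipv4Header(src, dst, payloadLen) {
  const h = Buffer.alloc(20);
  h[0] = 0x45;                          // version 4, IHL 5
  h.writeUInt16BE(20 + payloadLen, 2);  // total length
  h[8] = 64;                            // TTL
  h[9] = 1;                             // protocol: ICMP
  Buffer.from(src).copy(h, 12);
  Buffer.from(dst).copy(h, 16);
  h.writeUInt16BE(inetChecksum(h), 10);
  return h;
}

// Constructed sample: 192.168.100.7 telling 192.168.100.50 that traffic for
// 203.0.113.10 (a documentation address) should go via 192.168.100.1.
function buildSampleRedirect() {
  const originalStart = Buffer.concat([
    ipv4Header([192, 168, 100, 50], [203, 0, 113, 10], 8),
    Buffer.from([8, 0, 0, 0, 0, 1, 0, 1]), // first 8 bytes of the original datagram (an echo request)
  ]);
  // type 5 (Redirect), code 1 (redirect for host), checksum placeholder, gateway address
  const icmp = Buffer.concat([Buffer.from([5, 1, 0, 0, 192, 168, 100, 1]), originalStart]);
  icmp.writeUInt16BE(inetChecksum(icmp), 2);
  return Buffer.concat([ipv4Header([192, 168, 100, 7], [192, 168, 100, 50], icmp.length), icmp]);
}
```

If redirects like this do show up in a capture, the usual fixes are on the router side (turn off redirect generation on the test router's LAN interface) or on the host side (ignore redirects), and the behaviour goes away without touching the client's static gateway.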



Mikrotik Based Botnet Doing the Rounds

Heads up to any fellow net nerds running outdated Tik FW. Some nasty exploitable code is doing the rounds.

Abstract from Radware

A newly discovered botnet targets TCP port 8291 and vulnerable Mikrotik RouterOS-based devices. MikroTik, a Latvian hardware manufacturer, has products that are used around the world and are now the target of a new propagating botnet exploiting vulnerabilities in their RouterOS operating system, allowing attackers to remotely execute code on the device. Such devices have been making unaccounted outbound winbox connections. Radware's Emergency Response Team (ERT) has spotted an increase in malicious activity following Kaspersky's publication about the Slingshot APT malware that infected Mikrotik routers. It is believed this botnet is part of the Hajime botnet. Radware is witnessing the spreading mechanism going beyond port 8291 into others and rapidly infecting devices other than MikroTik (such as AirOS/Ubiquiti). The concern is that this new botnet will be leveraged to launch DDoS attacks.

https://www.bleepingcomputer.com/news/security/hajime-botnet-makes-a-comeback-with-massive-scan-for-mikrotik-routers/

https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/mikrotik-botnet/



Confused on how to handle rendezvous point in PIM sparse.

I am working to add more support for multicast traffic. I am looking at adding PIM sparse mode but am confused about how I should set up the rendezvous point, and also about how to handle it if the rendezvous point goes down. My network topology looks like this and is composed of Dell S class, Dell N class and Dell PowerConnect switches. My S class switches are set up in a VLT configuration.

What I have tried:

  • Set up loopback 0 on the S class with IP 10.11.0.1/32 and 10.11.0.2/32 (on its VLT member switch)
  • Set up ip pim rp-candidate loopback 0 on both switches
  • Set up ip pim bsr-candidate loopback 0 on both switches
  • I can show ip pim neighbor and see the other switch there

My questions:

  • Confused as to how to configure the RP. Do I manually have to specify my RP to point at itself?
  • Should I just enable ip igmp snooping on edge switches? (We don't have a distribution layer, just running as a collapsed core)


Does using an IP routing protocol make sense in every situation?

First time poster here,

I’m curious to know if anyone has worked with networks free of any routing protocols and if it makes sense to not use one in my situation.

In our current setup we have a layer 3 core switch (Cisco 6500) that has all network VLANs up and running locally on the switch; there are around 55 VLANs. Every VLAN is assigned an IP address on the core switch. The IP routing table on the core switch shows all subnets as directly connected via each VLAN respectively.

Every server at our location is connected directly to the core switch with the default gateway set to the IP address of one of the core switch VLANS. For example, all servers on VLAN 5 have their gateway set to the IP address of VLAN 5 on the core switch. These servers communicate with workstations and various network devices through the core switch.

The workstations are connected to layer 2 workgroup switches that connect to the core switch, so not much in terms of IP routing. Just a trunk link with necessary VLANS between the two. The workstations and workgroup switches have their default gateways set to the VLAN IP address on the core switch just like the servers.

Everything outside the server room is connected via fiber and our network is broken into zones based on the physical location. About half of the zones have a managed layer 3 switch, typically a 24-port switch that connects directly to the core switch via the fiber run. The links from layer 3 to the core switch are trunked and they carry only the VLANs needed for that zone. This is the only place I could see any real routing protocols being used. We have about 35 layer 3 switches connected to the core switch, each on their own fiber link.

Each 24-port is then connected to a handful of 8-port layer 2 switches. Those layer two switches connect to all the network equipment. The network equipment default gateway is then set to the IP of the VLAN on the core switch just like every other end device. The network equipment generally consists of IP cameras, sensors, traffic controllers, and monitors all on separate VLANS. The network equipment communicates mostly with the servers.

The default gateway and default route of every switch is also set to the IP of VLAN 10 on the core switch so all traffic will be forwarded to core switch where it will then decide which route to use based on the directly connected subnets.

The other half of the zones are connected via another variety of layer 2 switches that are daisy chained to work with the pre-existing copper network, so we can disregard any IP routing here.

Although there doesn’t seem to be any noticeable performance issues with the way things are currently, I’m always looking on ways to make things better. It also feels strange not using a routing protocol. I would like to get some feedback and opinions on not using a routing protocol.



Ruckus APs not getting DHCP - but only certain units

I had a project to deploy Ruckus APs with a virtual controller on a network recently. The APs and their clients are on their own VLAN and get DHCP via Windows domain controllers on a separate VLAN.

I started setting things up, half of the APs got DHCP in the correct VLAN, but the other half got nothing at all. Wireshark shows no broadcast packets from the other APs arriving at the domain controller. The problematic APs DO get DHCP if we set up an isolated network with DHCP handed out by the switch.

We verified that the VLANs are all set up the same and working normally (a laptop plugged into the same ports gets DHCP as expected) and the scope is not out of addresses, and as far as I can tell there are no MAC conflicts.

What really boggles my mind is that the 'broken' APs consistently don't get DHCP, but the 'working' APs consistently did get DHCP from the same switches and switch ports. Even factory resetting a working unit would result in the same unit working again, but resetting the 'broken' ones wouldn't.

The domain controllers are in a Hyper-V failover cluster with several switches between them and the APs. All other clients on various VLANs and networks work perfectly. We're using all Brocade/Ruckus switches.

Ultimately we ran out of time to troubleshoot this today and I gave up and configured them with static IPs to get things rolling, but I'm curious if anyone has any ideas on where to look to figure out why this happened? All I can think is that there's some oddity like a misconfigured netmask somewhere but I couldn't find anything.



NPS double authenticating?

As the only network engineer on staff, I'm finally getting around to configuring NPS as a RADIUS server for our network devices so we can finally be rid of local-auth passwords and I'm running into a strange issue where NPS simultaneously fails and authorizes logins via SSH.

We are using Netgear Prosafe switches and AAA is configured correctly. I have a Connection Request and Network Policy configured. The setup so far is fairly basic, owing in part to my complete inexperience with NPS and reading endless blog posts, docs, and trying to fill in the blanks in between.

The Connection Request Policy:

  • Looks for RADIUS Clients containing the friendly name "Switch_" (we'll be setting up WPA2-Enterprise authentication on our WAPs next, so this seems like the right way to differentiate policies).
  • Authentication is set to "Authenticate requests on this server".

And that's it.

The Network Policy:

  • Also looks for the friendly name "Switch_"
  • Authenticates users in the user group "[DOMAIN]\NetEng"
  • The correct Authentication Method is selected (PAP, SPAP)
  • "Do not allow Multilink connections" is disabled under Multilink and BAP, which stopped an error that was being generated in syslog.
  • Service-Type = Administrative is enabled, since logging into the GUI will drop me into Operator mode otherwise.

And it works! Sort of. When I log into the GUI everything works fine. Huzzah.

When I log in via SSH, it also works BUT the NPS generates an error at the Connection Request Policy level after I enter my username:

Reason Code: 16 Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

...but after I type in my password, I authenticate successfully. So NPS is trying to verify my username after I hit return, fails, but still passes the request to the Network Policy which finds my username/password combination in the AD group, and authenticates no problem. While it WORKS, I'd obviously love for syslog and the NPS logs not to flood with false "authentication failure" messages. I've fumbled with the Connection Request Policy but I'm not sure what changes I need to make, and it seems like any other changes I have made causes authentication requests to ignore the policy altogether and then drop.

Initially I thought it was a switch AAA config issue, but I ran Wireshark on the NPS and saw the same thing: enter username, hit return: access-request made, followed by access-reject - then enter my password - access-request made, access-accept. So it's probably related to how I have the CRP set up, but I'm not sure what else I should be doing there. Any suggestions? Thanks, all!



Linux for Networking

Hi everyone, what are the best resources to learn Linux for networking? Anything will work: books, tutorials, videos. Where should one start, considering one has CCNA-level knowledge?

P.S. Also, do share some of the advantages of learning Linux. Where in the production world can we use Linux? Thanks.



QoS marking Site-to-Site VPN on L2 Switch, useful?

Hi, I have a site-to-site VPN tunnel and L2 switches. Our main offices have MPLS and are marked with QoS for some phone and Skype applications. Is there a purpose to marking QoS on the L2 switches at those site-to-site sites? Will it make the phone traffic not drop during bandwidth hogging?



Specific details on PCI Compliance in relation to NetSecurity

Hey networking friends,

I was hired into a position to increase network security and the main focus is to become PCI compliant. I've been doing a lot of research on it as a whole, but it seems a lot of the information I'm seeing is more high-level, without much to do with specific cases. Do I have to speak with a QSA/security/compliance consultant to get my specific questions answered?

My main question is regarding the scope of PCI compliance. The way we take all payments (and "saved" credit card info) is outsourced ENTIRELY to a third-party company, who is PCI compliant themselves. What does this mean for our requirements? The way it works is that a token is created (well, three over the course of the transaction) and sent to the vendor, who matches it with their token, and they send it off to a token that matches another and completes the transaction. Since we don't truly handle actual credit card numbers, are we really in the scope of needing to be PCI compliant? If we still are, would the requirements be lower?

Any resources/forums/articles/case studies would be appreciated :) Or even PCI Consulting services.

Thanks!



Changing phone line to ethernet

So I was just checking to see what cord my house has for phone lines, and I noticed it has two cords connected to one adapter. Since two phone lines have 8 cords total, would I be able to use it with an ethernet adapter?



Mobile Hotspots inside hotel/convention centers. What do you use?

Hi, I am working with our marketing department, who are asking for a solution for mobile hotspots so they can avoid paying the $500 for 1mb connections that most trade shows offer.

We have many At&t hotspots that we use and hand out which I was planning on starting with adding an external antenna and adding that to the highest point of the booth as my first attempt.

I am also investigating signal amplifiers such as this netgear one in the event that I do not have much luck with the first option.

Does anyone else have experience going down this path? Any tricks or suggestions that anyone else in this situation has found to work well in these environments?



Remote work position changing to report in..

Hey All,

Disgruntled employee here. I have been at my current employer for going on 2 years now. When I was interviewed, this position was advertised as a 100% remote position, and up to now it has been. I have an upcoming meeting with my boss next week about a new initiative where they want people within 20 miles to start reporting in to work a couple of times per week.

When I accepted this job I sold my fuel efficient vehicle so now I will need to carpool or use public transportation to get there, additionally none of my coworkers will even be at that office, they are based all around the country. To add insult to injury, I believe I am being singled out as everyone else lives further than 20 miles from an office.

What can I do here? What should I prepare to say during the meeting? I am very unhappy and the fact is that I will be looking for a new job due to this change in policy.

Thanks, Max



Question about a CISCO Access Point.

I'm setting up a Cisco AIR-CAP 37021-E-K9 AP.

I connected it to the network for the first time to make the initial settings, in a WiFi-dedicated VLAN. After half an hour, the equipment keeps blinking green.

What does it mean? Is it ready? What more do I need to do?



Example PaloConfigs Wanted

Hey all, a long time ago I wrote a set of scripts for working with Palo Alto, specifically for PCI compliance. The biggest is panexport.py, which makes an API request and creates an Excel file of the combined rulebase from Panorama or the device (whichever exists).

I want to continue to maintain the code for the community but the code is lacking proper tests of some core functionality and that is where I need some help.

I'm trying to get example palo alto configs from the API to see if anything has changed across versions and ingest these into tests.

I'm not looking for 500 rulebase configs just any sanitized lab style few dozen rulebases.

The API endpoints I'm pulling are:

Device Rulebase: <show><config><running></running></config></show>

and

Panorama Rulebase: <show><config><pushed-shared-policy></pushed-shared-policy></config></show>

If anyone wishes to contribute feel free to touch base on github https://github.com/shepherdjay/pan-os-scripts/issues/27



CDP shows 2 different IP's on my Nexus switches

When I do a 'show cdp neighbor detail' on my nexus switches that connect to other nexus switches, the output shows:

Interface address(es):
    IPv4 Address: x.x.x.225
...
Mgmt address(es):
    IPv4 Address: x.x.x.201

So if I am trying to build a network topology of my data center in Visio, which IP would I use on each device and why? What is the difference between these two IP's?



Help with multicast in my environment...

We have a few VLANs dedicated to video traffic via multicast. I'm looking at the configuration of the Cisco 3750 stack, and ip multicast-routing is not in the running config, nor in any other router configs. As far as I can tell our multicast is basically just isolated VLANs, but I'm super green with multicast.

Although I see a few PIM commands, my hunch is they aren't being used at all.

.....
interface Vlan1205
 ip address 10.120.58.1 255.255.255.0
 ip pim sparse-dense-mode
 no ip route-cache cef
 no ip route-cache
 ip igmp version 3
 no ip mroute-cache
!
!
ip pim ssm default
.....

Please guide me! If I dropped every command above (except the actual VLAN interface), would my traffic change?



Different Proxy Settings When On/Off VPN?

Hi all! I'm running into a bit of an architectural challenge at work and I'm wondering if other engineers have faced similar issues. Like most large organizations, we use a proxy for internet traffic (we use Cisco Ironport appliances specifically). Our deployment is not completely standard, however. Instead of using a proxy PAC in our browsers to actively redirect browser traffic to a proxy, we intercept all HTTP/HTTPS traffic as it's heading to our internet firewall with a policy-based route (like the one below) and then send all the 80/443 traffic to the proxy and everything else around it. The key is this doesn't discriminate between web browsing in IE/Chrome/Firefox and cloud apps' HTTP/HTTPS traffic like Office 365.

route-map Proxy deny 5
 match ip address no-pbr
route-map Proxy permit 10
 match ip address web-traffic
 set ip next-hop 10.10.10.10

10.10.10.10 is the proxy in this case. The access list "web-traffic" is just

10 permit tcp any any eq www
20 permit tcp any any eq 443

This worked fine for years, but now as we are using more and more cloud-based applications like Office 365 that do not work well with a proxy, we've had to begin maintaining an absurdly large bypass list (access list no-pbr in this example) that is becoming unwieldy (and beginning to fill the TCAM on our core routers which is another story).

The reason we don't just use a proxy PAC is because to authenticate people before connecting to VPN, we allow them to go to a website where they get a secure code after putting in some credentials that they then enter into AnyConnect. So according to our security team, we can't just use a proxy PAC because it will be too difficult for users to turn it off when they get their VPN code.

I realize this may be more of a Windows question but does anyone know if there is a way to selectively use a proxy PAC so users could go to the authenticate.mycompany.com website to get their VPN auth code, but then use a browser-configured proxy for everything else so we don't have to worry about ridiculous bypass lists. In my opinion the PBR is a bad solution to this problem and there must be an application-level way to securely get people authenticated to VPN while still maintaining a proxy PAC.

Thanks!
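
A PAC file answers the question in the post directly: the browser calls FindProxyForURL for every request, and the function can return DIRECT for the VPN pre-auth host and PROXY for everything else, so nobody has to switch anything off to fetch their code. The file below is an added example, not the poster's or Cisco's; 10.10.10.10 and authenticate.mycompany.com come from the post, while the proxy port, the Office 365 bypass list and the RFC 1918 check are assumptions for illustration.

```javascript
// Added example, not from the post: a proxy auto-config (PAC) file. Returning
// "DIRECT" bypasses the proxy; "PROXY host:port" sends the request there. A
// list separated by ";" is tried in order, so "...; DIRECT" falls back to a
// direct connection when the proxy does not answer (e.g. a laptop off-net,
// before it has connected to VPN).

var PROXY = "PROXY 10.10.10.10:8080; DIRECT";   // 10.10.10.10 from the post; port 8080 assumed

// Hosts that must never go through the proxy. The VPN pre-auth site sits here
// so a user can fetch their code with the PAC still in place.
var DIRECT_HOSTS = ["authenticate.mycompany.com"];

// Domain suffixes to bypass: the PBR "no-pbr" list expressed once here
// instead of in router TCAM. These entries are assumptions for illustration.
var DIRECT_SUFFIXES = [
  ".office365.com", ".office.com", ".outlook.com",
  ".microsoftonline.com", ".sharepoint.com"
];

// True when host equals the bare domain or ends with ".domain".
function hostMatches(host, suffix) {
  return host === suffix.slice(1) || host.slice(-suffix.length) === suffix;
}

// isPlainHostName is a PAC built-in; a minimal version is defined here so the
// file also runs under plain Node for testing.
function isPlainHostName(host) { return host.indexOf(".") === -1; }

// RFC 1918 literal addresses stay local rather than going through the proxy.
function isRfc1918(host) {
  var m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host === "localhost" || isPlainHostName(host) || isRfc1918(host)) return "DIRECT";
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (host === DIRECT_HOSTS[i]) return "DIRECT";
  }
  for (var j = 0; j < DIRECT_SUFFIXES.length; j++) {
    if (hostMatches(host, DIRECT_SUFFIXES[j])) return "DIRECT";
  }
  // Only http/https go to the proxy; other schemes are left alone.
  if (url.substring(0, 5) === "http:" || url.substring(0, 6) === "https:") return PROXY;
  return "DIRECT";
}
```

Because the PAC is code the browser executes for every URL, serve it from a host you control (a GPO-pushed URL or a WPAD record you own), never from a location users or untrusted DHCP/DNS answers can influence; whoever controls the PAC chooses where every browser session goes.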



Horizontal Cabling Management?

Hi everyone,

I am a sysadmin at a large multifunctional stadium with a network of around 2500 wall jacks spread throughout 50 racks in different locations on the campus. We redid the whole network a couple of years ago using a traditional CDA model, monomode fiber all over the place for vertical cabling, etc. In the process we have used Racktables with the Link Management extension for keeping track of the fiber cabling, and it has done a fantastic job for us.

Our current struggle in maintaining the network is with the horizontal cabling. We are constantly expanding our network to include new wall jacks in many places, and we have been through many projects where entire office sections have been demolished to build new ones. Keeping track of all these changes is not impossible, but difficult. We used to have a consultant which would get us floorplans from the construction department, annotate the plans in Visio with the wall outlets using proper labeling (all the cables and wall jacks have the proper riser and cable ID labeled on them) and export them to PDF for us to browse. We also used to have an Excel spreadsheet accompanying the floorplans but we lost control of it over time.

Has anyone here been in a similar scenario, and if so, what tools or procedures did you put in place to keep control over the constant changes happening on the horizontal cabling? I've done much research on Google these past few years for something of a database system that ties wall jacks, risers and floorplans together, and it seems like it is a niche market with absurdly expensive products. So far it looks like developing an in-house solution is the best option for us.

Thanks in advance!



What is your favorite/essential free software?

No text found

Cisco 3650 Static routing

Hi guys,

Does anybody know what is the maximum amount of static routes I can use on a 3650 using IP Base?

We seem to have a limit on ours of 15. When trying to add more routes, it accepts the command and doesn’t give any errors, but when showing the route table it hasn’t added it.

I’m hoping this is a software bug and can be fixed with an update, but can’t find any information on this online or in documentation.



LAN to LAN IPSec dropping every 3mins (Draytek)

Hi All.

We have a customer with a Draytek 3900 at their HQ.

It dials out to 14 Draytek 2860 routers at remote sites and establishes 2x IPSec VPNs to each, separated by VLANs: one for data, one for voice.

All sites are identical in setup - apart from remote IPs.

On 3 of the sites, the data VPN drops every 3mins (almost to the second!) the voice VPN stays solid.

I've been concentrating on one site and have had a ping going from a server behind the Draytek 3900 to a PC at the remote site. It drops 1, maybe 2 pings each time the VPN drops and reconnects; it reconnects that quickly.

All routers are on the latest firmware.

I've created new VPN profiles for the one site and have changed just about every timeout/delay feature I can, added 'ping to keep alive', DPD on and off.

They are pretty much set as default settings: IKEv1 protocol, PSK auth, ESP security protocol. The only change on the advanced tab is to enable RIP via VPN. Settings on the proposal tab are:

  • IKE phase 1 proposal: DES G1
  • IKE phase 1 auth: ALL
  • IKE phase 2 proposal: 3DES with auth
  • IKE phase 2 auth: ALL
  • Accepted proposal: acceptall

If both VPNs were dropping this way, I'd be straight on to the ISP, but the voice one is solid....

Does anyone have any ideas?

On a personal note, I've only been in this job a week, so to fix this would be cool!!

I have logged a ticket with Draytek support - but its been 48hrs without any update so far!

Many thanks Bryan

EDIT: Just created a PPTP LAN to LAN VPN and it stays up fine - so really can't be the ISP.....



Using a POE Injector to refresh UTP max distance?

Hello guys!
I have to set up one access point at a location that sadly exceeds the 100m, so I was wondering, instead of putting in a dumb switch to refresh the signal (I know it sucks), can I use a PoE injector to refresh it? Has anyone had a similar problem with another solution?
Thanks!



IPSec tunnel showing down

I'm trying to configure an IPSec tunnel between an ASA and an ASR. The tunnel is down. I noticed the ASA has NAT-T enabled and the ASR was not configured for it. I've verified the ISAKMP and IPSec parameters matched. Is there a way around this without the ASA disabling NAT-T?



HELP! DNS Request spam from router Gateway... Router does not do any DNS forwarding or have a DNS daemon.

I have been trying to find the source of this DNS query spam for over 2 weeks now. We have a SonicWall SOHO edition gateway at 10.1.5.65, 10.1.20.65, and 10.1.1.250 (1 subnet per interface).

--The DNS server lives at 10.1.5.75

--The Spam comes from 10.1.5.65

--The Query is for vjiojveofijvwk.net & 2hpujkw6ypybyaz.net

- Any other requests made are all logged with the proper source and destination, aside from the spam I am trying to diagnose.

(ex: query[A] win10.ipv6.microsoft.com from 10.1.1.25)

(ex: me forcing the same query from the 10.1.20.x subnet: "query[A] 2hpujkw6ypybyaz.net from 10.1.20.68")

(ex: me forcing the same query from the 10.1.5.x subnet: "query[A] 2hpujkw6ypybyaz.net from 10.1.5.70")

(ex: me forcing the same query from the 10.1.1.x subnet: "query[A] 2hpujkw6ypybyaz.net from 10.1.1.25")

-The DHCP servers are all configured to provide 10.1.5.75 as the DNS server and nothing else.

- When I try dig @10.1.5.75 google.com I get a reply; if I dig @(ANY GATEWAY) the reply fails.

-The sonic-wall does no forwarding and has no DNS server/daemon running.

I am going crazy; I cannot figure this out. Even the packet captures I run all show the source as the gateway. Why in the world is any DNS traffic coming from the source IP of the SonicWall gateway? We do not allow requests from the outside and there is no NAT between the subnets. At this point all I can think of is that the SonicWall somehow got infected, or something is spoofing its source IP to be the gateway.

I have tried googling numerous things and I am honestly surprised I cannot find something along the lines of:

"Routers Gateway IP spamming DNS requests"

"Malicious DNS request coming from gateway"

"Router running no DNS forwarding or daemon is making queries from its ip"

"Express VPN strange DNS queries"

https://www.reddit.com/r/pihole/comments/7yx9zt/strange_dns_queries/

There is a single comment here ^ that shows someone "has seen ExpressVPN make weird queries" but no other information. The internet search engines have failed me countless times on this; I don't know where else to turn but posts at this point.

The DNS requests (after much digging) seem to be related to ExpressVPN, but VirusTotal shows them to be malicious domains/IPs/files that came from them.

The DNS spam is for the 2 domains below, and it happens literally every 1 second.

query[A] vjiojveofijvwk.net from 10.1.5.65
query[A] 2hpujkw6ypybyaz.net from 10.1.5.65

https://www.virustotal.com/#/domain/vjiojveofijvwk.net
https://www.virustotal.com/#/domain/2hpujkw6ypybyaz.net
https://www.virustotal.com/#/ip-address/107.6.159.114 <-- This one in particular: "expressvpn_6.7.3.4009apk.apk"
https://www.virustotal.com/#/ip-address/198.143.153.42
https://www.virustotal.com/#/url/006ec4fca4b25ac9729d73259bd18c973ad3b9d6441ff2f508a71829a240fd73/detection

I am not super worried at the moment as I am DNS sinkholing the requests. But it is generating a lot of unnecessary traffic.

If anyone can figure this out, or has heard of this, or knows how the router IP could possibly be the source IP & MAC of the request, I would really like to know before I go crazy and start ripping nodes off this network one by one until the traffic stops.

Edit: Apologies, I am not used to Reddit formatting at all.
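
The two things the poster's log already gives away, a gateway address as the query source and a once-per-second cadence, are exactly what a resolver-log check should flag, so here is one as an added example (not from the post, and not tied to any SonicWall feature). It reads dnsmasq-style "query[A] name from ip" lines, reports every source/name pair whose source is a gateway address, and separately reports pairs that repeat at a steady short interval, which is the beaconing shape regardless of who the source turns out to be. The log lines are constructed; the three gateway addresses and the two domains are the ones in the post.

```javascript
// Added example, not from the post: parse dnsmasq-style query lines and flag
// (a) lookups whose source address is a gateway, and (b) source/name pairs
// that repeat at a steady short interval. Sample lines are constructed; the
// gateway addresses and the two domains are the ones in the post.

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };
const QUERY_RE = /^(\w{3})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d) \S+ dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$/;

// Returns { ts (unix seconds), qtype, name, src } or null for non-query lines.
// syslog timestamps carry no year, so the caller supplies one.
function parseQueryLine(line, year = 2018) {
  const m = QUERY_RE.exec(line);
  if (!m || !(m[1] in MONTHS)) return null;
  const ts = Date.UTC(year, MONTHS[m[1]], +m[2], +m[3], +m[4], +m[5]) / 1000;
  return { ts, qtype: m[6], name: m[7].toLowerCase().replace(/\.$/, ''), src: m[8] };
}

function analyzeQueries(lines, gatewayIps, { minCount = 10, maxGapSeconds = 2 } = {}) {
  const gateways = new Set(gatewayIps);
  const groups = new Map();                   // "src name" -> [timestamps]
  for (const line of lines) {
    const q = parseQueryLine(line);
    if (!q) continue;
    const key = `${q.src} ${q.name}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(q.ts);
  }
  const fromGateway = [], periodic = [];
  for (const [key, stamps] of groups) {
    const [src, name] = key.split(' ');
    stamps.sort((a, b) => a - b);
    const entry = { src, name, count: stamps.length };
    if (gateways.has(src)) fromGateway.push(entry);
    // "Periodic" = enough repeats and no gap wider than maxGapSeconds, i.e. a
    // steady beacon rather than a burst followed by silence.
    if (stamps.length >= minCount) {
      let widest = 0;
      for (let i = 1; i < stamps.length; i++) widest = Math.max(widest, stamps[i] - stamps[i - 1]);
      if (widest <= maxGapSeconds) periodic.push({ ...entry, widestGapSeconds: widest });
    }
  }
  return { fromGateway, periodic };
}

// Constructed log: both names once per second from the gateway for 12 s,
// plus a couple of ordinary client lookups and one non-query line.
function sampleLog() {
  const lines = [];
  for (let s = 0; s < 12; s++) {
    const t = `Mar 29 10:00:${String(s).padStart(2, '0')} dns dnsmasq[1234]:`;
    lines.push(`${t} query[A] vjiojveofijvwk.net from 10.1.5.65`);
    lines.push(`${t} query[A] 2hpujkw6ypybyaz.net from 10.1.5.65`);
  }
  lines.push('Mar 29 10:00:03 dns dnsmasq[1234]: query[A] win10.ipv6.microsoft.com from 10.1.1.25');
  lines.push('Mar 29 10:00:07 dns dnsmasq[1234]: query[A] 2hpujkw6ypybyaz.net from 10.1.20.68');
  lines.push('Mar 29 10:00:07 dns dnsmasq[1234]: reply 2hpujkw6ypybyaz.net is NXDOMAIN');
  return lines;
}

const GATEWAYS = ['10.1.5.65', '10.1.20.65', '10.1.1.250'];   // interface addresses from the post
```

The resolver log cannot settle the one question that matters, whether the firewall itself originates these packets or another host is spoofing its address: that comes from the source MAC on the captured frames and the switch port that MAC was learned on. If both are the SonicWall's, the lookups are being generated on the firewall; if not, the port tells you which node to pull.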



Is enabling jumbo frames on N7K with FEX disruptive?

Has anyone tried enabling jumbo frames on an N7K with FEX? I'm not quite sure if it would impact traffic or not.



Cisco Event Response: March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication

The link is here



Wednesday, March 28, 2018

Refresh Cycles?

How often are you guys refreshing gear? Different refresh cycles for different sets of gear? Security (firewalls/IPS), switches, packet brokers, etc.?

I ask because we found some 4-year-old equipment in our environment. I was then tasked to put together a refresh plan.



Critical - Cisco IOS XE Software Static Credential Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xesc

Workarounds To address this vulnerability, administrators may remove the default account by using the no username cisco command in the device configuration. Administrators may also address this vulnerability by logging in to the device and changing the password for this account.

LOL WAT???



Alternatives to Cradlpoint for in-vehicle Captive portal router?

Found out after we bought two IBR1100s (and from their tech support) that the Cradlepoint captive portal doesn't work on mobile devices (at all), and they don't know when it will be fixed. We have a couple >10 vans we want to place these in, but a huge requirement is the captive portal & URL redirect. Does anyone have one they have in play with those features? I've come across a lot of police equipment and mobile hotspot tech in my searches, but none designed for car use with captive portal/redirects.



Mini-NOC?

I have two TVs and a SFF Lenovo just sitting here at my new job. I’ve used Nagios in the past but they have Meraki here and already have stats and info out the wazoo. I work for a small school district with heavy BYOD. The 8 windows servers we have now will be decommissioned in a month and replaced by two. Can you think of anything that I could put on this screen to monitor other than Reddit?



VLans

Hello people. I want to split my internet connection in two so I can have 2 gaming computers running at the same time without high ping on both.

My question is, should I buy a switch with VLAN support? If I have to buy one, what do you recommend?

Thanks!

Edit: I only need 2 ethernet ports, so I don't need a big one.



Cisco 4500 series IOS Upgrade

We currently have a few Cisco 4500 (4507r) series switches throughout our environment, but after implementing a VOIP system, we find the current QoS configuration options lacking with the current IOS version (12.2r25) and SupervisorEngine IV, I have tried updating the IOS to 12.2(r31),12.2(r52) and 15.2(r1), but still do not have the option for configuring CBQoS or IP SLA. Does anyone know if this is a hardware limitation, IOS version limitation or Supervisor Limitation?

Any help would be most appreciated.



New Gear

My company (hospital management system) is looking to replace their old Cisco gear in the corp HQ (2950s era). We won't go with Cisco gear due to monetary limitations, and as such we have been looking at Aruba and Juniper. Our NAC vendor has warned us about some interoperability issues with Juniper and we are still working on getting references. Anyone work with Aruba gear? Are they solid? Are they re-branded HPs or are they actually Aruba? We have VoIP phones and a Cisco WLC. Our needs beyond that aren't too great.
Any other vendors we should consider?



Why Cisco?

(Sorry for the click bait-like title.) Not looking to start a war, e.g. Coke vs Pepsi / Mac vs Windows, but while I've been studying for my CCENT I got to wondering: why Cisco? I had one IT job in the past where they used to use Cisco switches but later (not sure if it was because the staff didn't understand them or it was a cost issue) switched to HP when they went from 10/100 to 1000. Fast forward years later, at a different job all they used was Cisco. But then again this is a much bigger company, 600 versus 250 employees. I guess the question I'm asking is, when would you need or prefer Cisco equipment over, say, HP or Microtek?



VRF/ip assignment via radius

Hi all,

So currently I'm trying to set up a VRF to be used by lines configured by a virtual template via PPPoE & RADIUS.

However, once I apply the (Cisco) vrf-id tag via RADIUS, the framed-ip-address is being dropped by the ASR 1k2... I've made sure that the IP is sent after the VRF.

Any ideas?

Thanks :)



Host to Switchport Mapping

I've got this feature request from our CIO that I'm starting to grasp at straws to try to find a solution for. Maybe you all have heard of something.

Management wants to have some software where they click on a switch and see what desktops are connected to it. This kind of functionality exactly. I've looked at Solarwinds' Orion UDT plugin, but UDT does not support our Aruba/HPE switches. HP IMC has the functionality of doing real-time location and even historical tracking, but you cannot just click on a switch and see what's connected. You need to know the IP/MAC you're looking for.

Meraki has this functionality! Yay! right? "No, that's expensive Skirek, keep looking". Management is good to me. I want to do this for them. We're getting ready to do a refresh on switches in the next year so if I had to swap vendors, it's not out of the question. Just Meraki, because $$$. Our Layer 2 network isn't complicated so I don't really care what vendor we use.

I could move to different vendor of switch and use UDT, I suppose. Or maybe I brush up on my Python and build my own webapp, whiskey and bourbon. I don't like hookers.



Looking for ideas for a Network Engineer practical test

I'm conducting interviews for a network engineer and I want to give them a practical exam such as terminating a network cable, configuring a switch, etc but I'm not coming up with a lot of great ideas. I have a bunch of equipment I can use to setup a test lab including a router, several switches, WLAN controller, and a few other nodes. Can anyone suggest good test ideas?

Thanks



Wanting to get a CCNA

Hello,

I am a 22 year old without a college degree, I have about 4 years of working experience in IT and am wishing to get a better salary, so I thought getting a CCNA might be my best option without going to school.

What I was wondering is, is this the best option I have? Are there different tests I should also look into? And is there anywhere I can get free practice tests and study guides, as I could not seem to find anything. And on Cisco's website each section is like $750.00, which I do not have the money for.

Any help is greatly appreciated, I am so sick of working as IT support, and need a new job as soon as possible.



Speed test websites

I'm thinking of looking into blocking the well known ones. I'm getting too many

"Hey network guy, speedtest.net shows I'm only getting so and so speeds"

It's not like the speeds are bad, they're pretty good, but as soon as someone feels that the network is slow, I get a screenshot of some speed test site.

I dunno, just kicking the idea around. What are your thoughts on this?

Hehe, maybe even redirect the traffic to a page on an internal web server.

"Your speedtest results are: It's all good." Lol.



Cisco Network Automation Githubs?

Hey

I was wondering how many of y'all who do Python Cisco network automation (REST/SSH/NETCONF/etc.) have GitHubs out there. I do somewhat, but I don't really have anyone to talk to about it. Mainly I just want code to look at to try and get to the next level.

Here is my github: https://github.com/GoreNetwork

I have a few things on there that might be useful. A network mapper, finding non-802.1X ports, automated IOS upgrades, normalizing interface names, changing between CIDR/snm/wcm (assuming wcm isn't discontiguous), etc.

If you would post your GitHub so I can ogle it :-)

Thanks



Going back to school for CIS, what are some certifications I should get along the way?

Pursuing a computer information systems degree that should take about a year to complete. Have heard/read that it's a good idea to get certifications alongside the degree. Can someone lend some insight on how I can go about doing so?



Question about TCP, does it work differently between VLANS/Subnets?

Hello all,

I have an interesting issue that I would like some assistance with. We have a printer that was wireless and communicates with the intranet server in order to print. The intranet server is on a different VLAN and subnet. We noticed that if you send so many jobs to that printer, let's say 100, only 21 would come out.

I took Wireshark and captured the communication between that printer and the intranet server and found that there were a lot of TCP Window Full messages from the intranet server to the wireless printer.

We then put it on a wired LAN on a different VLAN and subnet and everything seems to be working and I am seeing TCP Keep Alive messages so I know the connection is still present and it continues to print out as it should. I printed out 100 and got 100 out.

My question is, why is the TCP process totally different and why is the intranet server no longer stating that the TCP Window is full when the window size did not change from when it was not working to when it was?

More information can be provided if needed.

Thank you!



Cisco XRv 9000 tagged port

Hello reddit!

My google skills are failing me on this one. I have to create a trunk port between the Cisco IOS XRv and a Juniper MX80, but what I found out is that XRv actually does not support data-plane L2VPNs (yet) and consequently cannot form trunk switch ports.

A quick description of problem/status:

For a project we are evaluating the Cisco IOS XRv 9000. We have the 6.2.25 version. I installed the VM on a CentOS 7 host (running on an HP DL20 G9 server). I have created bridges which control individual host Ethernet ports. Then I create a NIC in VMM using network source: Bridge <bridge name>: host device eth1. Using this configuration I gained connectivity from host to guest VM (Cisco XRv) and also from Cisco XRv to the LAN (including the host). Of course I added the IP address on the server port and on the XRv port.

The port is now directly connected to an access switch and from there gives me WAN access. Next step was/is to create something similar to the diagram from this picture and here things start to complicate:

Connection-Diagram

So in short the VLAN 100 will be my VLAN through which I can have WAN connectivity. Juniper has already configured uplink port for WAN access and trunk port on eth1. Over the same link additional VLANS are planned, but are not yet defined.

Since I cannot configure the XRv for L2 services (I can configure it, but as I said, data-plane is not working), my plan here was to give the eth1 interface on XRv two or more addresses from different LANs (depending on needs) and configure trunk interface only between Host and Juniper MX. Or to add additional vNIC to XRv and then bridge them to the correct trunk interface.

What I am missing / lacking is how to configure the split between host ports and VM ports. Or if this solution would even work? I have found this tutorial:

kvm-brctl-in-linux

Can someone confirm this solution to work with XRv? I think this is for CentOS 6, is there a similar procedure for CentOS 7?

Thank you!



Limited mirror (span) groups

I have a client with a stack of two Aruba/HP 2920 48-port switches as their top-of-rack/core switches. They've recently decided to implement multiple disparate network security systems, one of which is physical and one is a virtual appliance. Both need to have 'internal traffic going to or from the internet' mirrored to them.

My first problem is that the 2920 only supports a single mirror group, so I can have one physical port with the monitored traffic. This means I can't channel the mirrored traffic to both appliances.

My second problem is that the virtual appliance is on a VMware cluster of three hosts, two of which are already at max capacity of NICs. So I'll have to put it exclusively on the third host and add a NIC.

I've come to the conclusion that the right answer is to connect the one mirror port to the physical security appliance through a network tap, and have the tap duplicate the traffic to the NIC on the host with the virtual security appliance.

This feels 'kludgy'. I'd much rather have multiple mirror groups, but from what I can see only the 3500yl or 5400zl series switches support that. Both of those are expensive solutions, especially compared to buying a network tap.

Is there a particular brand of network tap anyone would recommend? Does one exist with multiple tap ports? I've only ever worked with "Network General" brand, but it was 10/100.



Is there a way to tell if there is an active phone call on a 3850 access port?

I'm cleaning IDFs. We have 130 stacks and around 400 switches.

I'm authorized to disconnect user ports briefly. I would rather not hang up someone's phone call but idgaf about their Pandora stream or whatever.

Is there a convenient way to check? I don't have access to anything other than the switch.



Using all Fortinet vs some Ubiquiti for Small Business Network Upgrade

So we are about to start a much needed network upgrade for our small business and I just wanted to get people's thoughts on going entirely with Fortinet for everything (firewall, routing, switches, APs) vs only using them for the firewall and then going with Ubiquiti for everything else. The price difference is not massive, but I've heard nothing but good things about Ubiquiti's networking equipment for the price.

I am basically trying to determine how valuable controlling everything from one portal would be if we went with all Fortinet. Anybody have any thoughts or experiences with this?

Thanks!



Anyone who understands Cisco Smart Software Licensing and Cat9k?

I think I am going mad! I have acquired two Catalyst 9300s with Network Advantage and DNA Advantage. The license envelopes that came along referred me to Cisco Smart Software Licensing -- no PAKs. If I log in to Cisco Smart Licensing I can see my license, but how the hell am I supposed to connect the switches to Cisco Smart Software Licensing -- magic? I thought I was supposed to run the command "license smart enable" but that doesn't exist in IOS XE 16.6. I want to be able to see the license consumption and in the future use Cisco Smart Software Licensing Satellite with the Cat 9k series.

What I have found is something called right-to-use license... f*ck is that? I have now given up on life and all my Google searches redirect me to shitty Cisco documents explaining the "smart" smart license. I need ELI5 answers cause I'm retarded regarding licenses and that stuff....

All I want is my switches up and running so I can try netconf on them :(



I need suggestions for a router that is easy to set up with DHCP for a business.

Preferably one that isn't very expensive just would like to hear your opinions.



Altice (Lightpath) major outage in Tri-state

Seeing a lot of down circuits from lightpath



New Cisco 9500 Series

Yesterday, it seems Cisco updated their 9500 line, and added a couple new models. The C9500-16X stands out.

So, we want a Cisco switch that supports MPLS. We were looking at the C3850 as the ASR920 had too few 10G ports at only 4 or 6 max. We need more 10G fiber ports.

There are a couple of models of the C3850 that had 12 and 24 10G fiber ports. Everyone says the 9300 is the replacement for the C3650 and C3850, but the 9300 doesn't have any models with lots of 10G fiber ports. That's the 9500.

Can anyone tell me how licensing works on these models? I think we would need Network Advantage over Network Essentials, as Network Advantage supports MPLS. Is this an honor-based system, or do they actually disable the features available in Network Advantage if you were to buy a Network Essentials switch, for example? Does it throw error codes or what?

Then what is all this DNA stuff, and what if I don't want it? I think you are forced to buy it, so what's the cheapest option?

Can anyone explain in simple terms how SMARTNET works on these devices? The Cisco Catalyst 9500 Series Switches come with an enhanced limited lifetime warranty (E-LLW) that includes next-business-day (NBD) delivery of replacement hardware where available and 90 days of 8x5 Cisco Technical Assistance Center (TAC) support. So after 90 days I assume you have to pay for SMARTNET for TAC support, right? But no need for hardware-replacement SMARTNET as it's included in the warranty? If we don't want SMARTNET can we still download the latest software? Lifetime warranty with HPE and Extreme means everything is free forever, like support, NBD hardware replacement, and software, but I doubt Cisco does this.



Looking for help with VPN issues on Win 10

Hi all,

Apologies if this isn't the right place, I'll explain the setup a bit.

At work I have my own virtual server which I do my development work on, this is run on my work Mac. From home I VPN in to the office where I can SSH in to my Mac and my Virtual Server.

The website on this virtual server is set up so that anyone can view it via the domain name. I can view it from home without using the VPN, but as soon as I use the VPN I can no longer access this site.

However I can still SSH in to it, ping it and everything else. Now here is the kicker, on my laptop at home I can access the site via both the VPN and without the VPN. So this leads me to think that the issue is windows related, any suggestions? Thanks!

Edit: I found the issue, it's to do with the DNS on the VPN. Changing the hosts file to look at the virtual server allows me to view it on the VPN (just not off it, which isn't an issue). Strange how it doesn't affect the Mac though!



Got women? WINS application for SC18

The application deadline has been extended for the WINS program for SC18. This is a great program for women to apply to, but there are also links to information about the network that is built for the supercomputing conference, for anyone.

http://women-in-networking.net/apply-to-wins/



Changing out core L3 switch stack

Hoping someone can sanity check me here - I'm not a network guy by trade, but it's one of my hats at this job. We have an older Juniper EX4500 stack that is being decommissioned and replaced with QFX5100s. I've already moved over all the physical connections and have a trunk between the switches for all the VLANs.

The only thing left to do (and it's a big thing) is to get the routing interfaces (IRBs/RVIs in Juniper parlance) moved over to the new stack. We have 33 VLANs with gateways provided by the Juniper (172.16.1.1, 10.10.1.1, etc. etc.). All the actual physical connections are on the new switches, but the network interfaces for those IP addresses are on the old switch stack, so any routed communication has to traverse the trunk back and forth. There are just a few manual static routes, no dynamic routing.

My plan was to add the IRBs and routes to the new switch and then commit the changes at the same time that I unplug the old switch. I tried that early this morning, gave it about 6 minutes, and had to roll back when nothing was coming up. I was connected to one of the VLANs on a Win10 box and couldn't ping its default router anymore. We are a 24/7 business with critical public safety systems, so I couldn't sit and tinker around with it.

Assuming I didn't muck up the config and everything was correct, what's your next best guess for why this didn't work out? Was it a terrible plan from the start? ARP refresh timer is at the default 300s, but I assumed when the new switches got the routing interfaces, they would broadcast a gratuitous ARP and everything would pretty quickly update.



Watchguard -- SNMP

Does anyone have experience with SNMP and Watchguard? I'm trying to get information from our Watchguard via SNMP. So far I'm able to see whether an interface is up or down. But now I would like to see when a Feature Key is about to expire. Is there an OID that would get the expiration date?

Any help would be greatly appreciated.

Thanks.



Visualization of the wavelength assignment algorithm in optical networks

I created a project to visualize the optimal allocation of wavelengths in optical networks. You can find the code and the algorithms on GitHub and an example on the BBN Planet backbone in the US.

Some context: wavelength multiplexing (WDM) is used in optical networks so that a fiber can carry several wavelengths at once. If we consider a traffic request going from a source A to a destination B, and if there is no transponder in the optical network, i.e. no electronic conversion of the optical signal, the wavelength used to carry the traffic must stay the same from A to B. This means that any other traffic request whose path shares at least one fiber with the first one must use a different wavelength. So the question is: given a set of traffic requests (and the path they take), how can we find the minimum number of wavelengths required in the optical network to satisfy all requests? (This is NP-complete.)

That's basically what this project is all about. I solve the problem in Python with two different algorithms, and use JavaScript to display the result on a map.

2 steps:

  • click on routing: this will find the shortest path (with linear programming, not Dijkstra) for all traffic links (the pink ones). Blue links are optical fibers.

  • click on transform graph and choose a method to color the graph, then close the window to visualize the wavelengths.
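The "transform graph and color it" step above is the standard reduction: each routed request becomes a vertex, two vertices are joined when the requests share a fiber, and a wavelength assignment is a proper coloring of that conflict graph. The following is an added example, not the project's code from the GitHub repository mentioned above: it builds the conflict graph from a small constructed set of requests (each given as the fibers its path uses), colors it greedily in highest-degree-first order, checks the result, and computes the trivial lower bound (the most requests sharing any single fiber). Since the exact problem is NP-complete, the greedy pass is a heuristic that always produces a valid assignment but not necessarily the minimum; comparing it with the lower bound shows when it happens to be optimal. The topology, request names and ordering rule are assumptions.

```python
from itertools import combinations

# Constructed sample (not the poster's data): fibers A-B-C-D-E in a chain plus
# a separate fiber E-F, and five already-routed requests listed as the fibers
# their paths traverse.
REQUESTS = {
    "r1": [("A", "B"), ("B", "C")],
    "r2": [("B", "C"), ("C", "D")],
    "r3": [("C", "D"), ("D", "E")],
    "r4": [("A", "B")],
    "r5": [("E", "F")],
}


def _fiber(link):
    # Fibers are undirected: (A, B) and (B, A) name the same fiber.
    return tuple(sorted(link))


def conflict_graph(requests):
    """Two requests conflict (need different wavelengths) when their paths
    share at least one fiber. Returns an adjacency dict of sets."""
    fibers = {r: {_fiber(l) for l in path} for r, path in requests.items()}
    adj = {r: set() for r in requests}
    for a, b in combinations(requests, 2):
        if fibers[a] & fibers[b]:
            adj[a].add(b)
            adj[b].add(a)
    return adj


def lower_bound(requests):
    """A fiber carrying k requests forces at least k distinct wavelengths."""
    load = {}
    for path in requests.values():
        for f in {_fiber(l) for l in path}:
            load[f] = load.get(f, 0) + 1
    return max(load.values(), default=0)


def assign_wavelengths(requests):
    """Greedy coloring, highest-degree request first (Welsh-Powell order),
    giving each request the lowest wavelength index not used by a neighbor."""
    adj = conflict_graph(requests)
    order = sorted(adj, key=lambda r: (-len(adj[r]), r))
    wavelength = {}
    for r in order:
        taken = {wavelength[n] for n in adj[r] if n in wavelength}
        w = 0
        while w in taken:
            w += 1
        wavelength[r] = w
    return wavelength


def is_valid(requests, wavelength):
    """True when no two conflicting requests share a wavelength."""
    adj = conflict_graph(requests)
    return all(wavelength[a] != wavelength[b] for a in adj for b in adj[a])


def wavelength_count(wavelength):
    return len(set(wavelength.values()))


if __name__ == "__main__":
    w = assign_wavelengths(REQUESTS)
    print("assignment:", w)
    print("wavelengths used:", wavelength_count(w), "lower bound:", lower_bound(REQUESTS))
```

On this sample the greedy pass uses two wavelengths and the lower bound is also two, so the result is optimal; on larger backbones the two numbers can diverge, which is exactly where the second, exact method in a project like this earns its keep.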



Tuesday, March 27, 2018

Cisco Cat9400

Hi guys, looking to use a Cat9400 over a Nexus as the cost is better and the port density is higher. I want to be sure the Cat9400 can do VXLAN. Can anyone help confirm this please?



Cisco is officially disaggregating IOS-XE, IOS-XR, and NX-OS from their hardware

http://www.futuriom.com/articles/news/cisco-unbundles-ios-after-at-t-goes-full-whitebox/2018/03

We've been wondering if/when this was going to happen. But as time goes on, it feels less important. Other than some of the niche features and protocols, most of what Cisco can do in software, many others can do as well. It's just a matter of learning different syntax. As always, if you know how the protocols really work, it's not that big of a deal to transition.

I think the real questions that are going to come out of this are regarding support models for enterprises who require hand-holding (which I believe is most of them).

Thanks to Tom Hollingsworth for the link.



LTE - Band 14 FirstNet

Hey so this might be a little out of the scope of this sub but has anyone worked with LTE Band 14 (public safety) much? I've been using Cradle Point for the majority of deployments but am curious, "What else is out there?" I'd love the feature set of having band 14 in a Fortigate but I haven't seen many modems out there.



LACP to a single host

Hello guys, if I have a switch with two ports, gi1 and gi2, forming a LACP bundle po1 connected to an ESXi server, and I want to perform a test, like if I disconnect the cables from the LACP bundle and connect a laptop to, let's say, gi1 to test, does the link come up or does the LACP protocol prevent the link from coming up because it cannot detect a LACP negotiator at the other side, logically because the laptop only has a single NIC and cannot negotiate LACP?

My simple question is, does the gi1 link come up and forward traffic, or will I need to remove the port from the LACP bundle first for this to work???

Tnx in advance for help.



Activating custom profile on Cisco C1111

We have a custom APN on BELL to have our cell connections drop into the fiber MPLS.

I've created a custom profile and used the cli to activate and set it as default data profile, but it won't activate.

I can see it has a good signal and shows connections to cell towers, etc.

I have disabled the LTE firmware auto-sim and manually set it with "cellular 0/2/0 lte firmware-activate 2". Firmware 2 is Bell.

Profile Information
Profile 1 = INACTIVE* **
PDP Type = IPv4v6
Access Point Name (APN) = inet.bell.ca
Authentication = None

Profile 2 = INACTIVE

Profile 10 = INACTIVE
PDP Type = IPv4
Access Point Name (APN) = CUSTOM.APN.NAME.HERE
Authentication = None



Network diagrams combined with live status monitoring through snmp?

noobie, not really in networking but this feels like place to ask

I use yEd for network diagrams, and I recently started to play with LibreNMS.

Is there something that puts these two things together and allows me to draw a network diagram and then show the status of the devices on the network inside the diagram?



NX 9000v mac address table weirdness?

I'm working on a 9000v, default config, VLAN 1 all ports.

I have 2 docker hosts on e1/1 and 1/2 respectively and can ping between the ports no problem.

show mac address on the 9000v:

switch# sho mac address-table interface e1/1
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False, C - ControlPlane MAC
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
switch# sho mac address-table interface e1/2
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False, C - ControlPlane MAC
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
switch# sho mac address-table vlan 1
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False, C - ControlPlane MAC
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------

It's like it's just forwarding everything and not learning at all?

Am I missing something stupid, or is this normal behavior for the 9000v in GNS3?

Thanks.



I created a patch cable tracking webApp you may find useful.

I'm a network engineer who got tired of spending too much time studying outdated Visio diagrams and tugging on patch cables whenever I needed to trace out a cable path.

I created a webApp to manage patch cables. It uses uniquely identifiable cable ends to track cable inventory and view/plan cable paths.

Check it out here (no cost).



Adding networks to advertise BGP confused with an older config

Hi here is the output of our config with a device to amazon.

I need to add 4 networks to be advertised through BGP. I am not sure if it's done through this network statement or a prefix list that's referenced. Any help would be appreciated.

router bgp 65005
 bgp log-neighbor-changes
 neighbor 10.2.20.102 remote-as 65005
 neighbor 169.254.255.1 remote-as 7224
 neighbor 169.254.255.1 timers 10 30 30
 neighbor 169.254.255.5 remote-as 7224
 neighbor 169.254.255.5 timers 10 30 30
 !
 address-family ipv4
  network 0.0.0.0
  network 10.0.2.0 mask 255.255.255.0
  network 10.0.20.0 mask 255.255.255.0
  network 10.1.0.0 mask 255.255.0.0
  network 10.2.0.0 mask 255.255.0.0
  network 10.2.52.0 mask 255.255.252.0
  network 10.4.0.0 mask 255.255.0.0
  network 10.6.0.0 mask 255.255.0.0
  network 10.20.0.0 mask 255.255.0.0
  network 10.23.0.0 mask 255.255.0.0
  network 10.30.0.0 mask 255.255.0.0
  neighbor 10.2.20.102 activate
  neighbor 10.2.20.102 next-hop-self
  neighbor 169.254.255.1 activate
  neighbor 169.254.255.1 default-originate
  neighbor 169.254.255.1 soft-reconfiguration inbound
  neighbor 169.254.255.1 prefix-list aws2ccc in
  neighbor 169.254.255.1 prefix-list ccc2aws out
  neighbor 169.254.255.5 activate
  neighbor 169.254.255.5 default-originate
  neighbor 169.254.255.5 soft-reconfiguration inbound
  neighbor 169.254.255.5 prefix-list aws2ccc in
  neighbor 169.254.255.5 prefix-list ccc2aws out
 exit-address-family

ip prefix-list ccc2aws: 11 entries
   seq 10 permit 10.1.0.0/16
   seq 11 permit 10.6.0.0/16
   seq 12 permit 10.4.0.0/16
   seq 13 permit 10.23.0.0/16
   seq 14 permit 172.16.7.0/24
   seq 15 permit 10.0.2.0/24
   seq 17 permit 10.30.0.0/16
   seq 20 permit 10.20.0.0/16
   seq 25 permit 10.2.52.0/22
   seq 30 permit 10.2.0.0/16
   seq 35 permit 10.0.20.0/24
ip prefix-list aws2ccc: 3 entries
   seq 5 permit 10.40.0.0/16
   seq 10 permit 10.10.0.0/16
   seq 15 permit 10.41.0.0/16
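In a configuration shaped like the one above, a prefix only reaches the neighbor when both halves agree: the `network` statement (with a matching route in the RIB) injects it into BGP, and the outbound prefix-list the `neighbor ... prefix-list ... out` line references has to permit it, or the implicit deny at the end of the list drops it. The following added example (my code, not from the poster's router or from Cisco) audits that agreement: it parses a constructed config in IOS running-config syntax, evaluates each network statement against the named outbound list with IOS prefix-list semantics (exact length match unless `ge`/`le` is given, first matching entry wins), and reports statements the list would block and entries no statement uses. Note that the poster pasted `show ip prefix-list` output, whose layout differs from the `ip prefix-list NAME seq N permit ...` lines the regex expects; the sample config, neighbor and list names are assumptions.

```python
import re
from ipaddress import ip_network

# Constructed sample in IOS running-config syntax (not the poster's config):
# 10.99.0.0/16 has a network statement but no prefix-list entry, while
# entries seq 30 and 40 match no network statement.
SAMPLE_CONFIG = """\
router bgp 65005
 address-family ipv4
  network 0.0.0.0
  network 10.1.0.0 mask 255.255.0.0
  network 10.2.52.0 mask 255.255.252.0
  network 10.99.0.0 mask 255.255.0.0
  neighbor 169.254.255.1 prefix-list ccc2aws out
 exit-address-family
!
ip prefix-list ccc2aws seq 10 permit 10.1.0.0/16
ip prefix-list ccc2aws seq 20 permit 10.2.52.0/22
ip prefix-list ccc2aws seq 30 permit 172.16.7.0/24
ip prefix-list ccc2aws seq 40 permit 10.50.0.0/16 le 24
"""

NETWORK_RE = re.compile(
    r"^\s*network\s+(\d+\.\d+\.\d+\.\d+)(?:\s+mask\s+(\d+\.\d+\.\d+\.\d+))?\s*$")
PLIST_RE = re.compile(
    r"^ip prefix-list\s+(\S+)\s+seq\s+(\d+)\s+(permit|deny)\s+(\S+)"
    r"(?:\s+ge\s+(\d+))?(?:\s+le\s+(\d+))?\s*$")


def _classful_len(addr):
    # A maskless "network" statement is classful on IOS; 0.0.0.0 is the default.
    if addr == "0.0.0.0":
        return 0
    first = int(addr.split(".")[0])
    return 8 if first < 128 else 16 if first < 192 else 24


def parse_networks(cfg):
    """All 'network A.B.C.D [mask M]' statements as IPv4Network objects."""
    nets = []
    for line in cfg.splitlines():
        m = NETWORK_RE.match(line)
        if m:
            addr, mask = m.groups()
            suffix = mask if mask else str(_classful_len(addr))
            nets.append(ip_network(f"{addr}/{suffix}", strict=False))
    return nets


def parse_prefix_list(cfg, name):
    """Entries of the named prefix-list, ordered by sequence number."""
    entries = []
    for line in cfg.splitlines():
        m = PLIST_RE.match(line)
        if m and m.group(1) == name:
            _, seq, action, prefix, ge, le = m.groups()
            entries.append({"seq": int(seq), "action": action,
                            "net": ip_network(prefix, strict=False),
                            "ge": int(ge) if ge else None,
                            "le": int(le) if le else None})
    return sorted(entries, key=lambda e: e["seq"])


def entry_matches(entry, prefix):
    """IOS semantics: the prefix must sit inside the entry's network; with no
    ge/le the length must match exactly, otherwise it must lie in
    [ge or the network length, le or 32]."""
    net = entry["net"]
    if not prefix.subnet_of(net):
        return False
    if entry["ge"] is None and entry["le"] is None:
        return prefix.prefixlen == net.prefixlen
    lo = entry["ge"] if entry["ge"] is not None else net.prefixlen
    hi = entry["le"] if entry["le"] is not None else 32
    return lo <= prefix.prefixlen <= hi


def first_match(prefix, entries):
    return next((e for e in entries if entry_matches(e, prefix)), None)


def prefix_permitted(prefix, entries):
    # Sequential evaluation; no match means the implicit deny applies.
    e = first_match(prefix, entries)
    return e is not None and e["action"] == "permit"


def check_prefix(cfg, plist_name, prefix):
    """Would the given prefix string pass the named list in this config?"""
    return prefix_permitted(ip_network(prefix, strict=False),
                            parse_prefix_list(cfg, plist_name))


def audit_outbound(cfg, plist_name):
    """Network statements the outbound list drops, and list entries that no
    network statement reaches (stale or waiting for a statement)."""
    nets = parse_networks(cfg)
    entries = parse_prefix_list(cfg, plist_name)
    matches = [first_match(n, entries) for n in nets]
    blocked = [str(n) for n, e in zip(nets, matches)
               if e is None or e["action"] != "permit"]
    used = {e["seq"] for e in matches if e}
    unused = [e["seq"] for e in entries if e["seq"] not in used]
    return {"networks_blocked": blocked, "entries_unused": unused}


if __name__ == "__main__":
    print(audit_outbound(SAMPLE_CONFIG, "ccc2aws"))
```

Run against a real running-config, the `networks_blocked` list is the answer to "why is my new network not showing up at the peer", and `entries_unused` is the cleanup list; 0.0.0.0/0 appearing as blocked is expected here because the default is not carried by the network statement path in this sample but is generated per neighbor.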



Can you help a small migrants' rights non-profit figure out this networking issue? (Flowchart and effort included!)

Hi everyone,

I work as an assistant at a small non-profit and everything is my job.

My job today is to fix my boss' internet before she comes back. We set up an almond router as an access point because the wifi signal in her office/conference room is weak. She often experiences slower speeds and disconnecting calls, and she has suggested that I buy a new router. I think there may be another issue in our labyrinth of a network that may be causing it. I believe I have daisy chained the two routers together correctly.

Here is a flowchart of our network: https://imgur.com/a/9mYwk

Here are my questions:

1) Do you think we simply need faster internet?
2) Should I get another router to replace the almond? I would prefer a dedicated wireless access point like Ubiquiti etc. but I'm unsure whether I can plug the VOIP hardphone into those via ethernet.

I'm sorry if these questions are juvenile or if it doesn't seem like I did enough homework. I would really appreciate any help that you may have to offer.

Thanks so much!



Leasing external IPs back to the IANA

The organization that I work for is almost done with the process of switching their 2,000 endpoints from an external IP range to an internal range. For the near future, there will be a handful of endpoints that use the external range and the servers always will. The external IPs will not be leased back to the IANA. Why is this the case? If a large external IPv4 block is purchased by an enterprise, can some of the addresses be resold to the IANA, if they aren't in use anymore?

I'm a desktop technician and my supervisors aren't familiar enough with networking either, to answer this question.



Routing Paths and Subnetting help

Hi All!

I’m reviewing material for understanding routing paths and subnetting better, however I’m falling hard on the material. I don’t feel like it’s sticking. Does anyone have any videos that have helped them understand it better? Any help would be appreciated.



Do iBGP speakers advertise their update source to neighbors?

I've got some iBGP speakers peering with one another using loopback interfaces.

Each router has introduced its own loopback IP to its local BGP RIB.

None of these routers are advertising that loopback IP to their iBGP neighbors. There's no route-map / filter issue, the rest of the local RIB goes fine. Just this one prefix doesn't escape.

Now, of course I understand that each neighbor device already has reachability to the peer's loopback interface... Without it BGP wouldn't come up. But I want this /32 prefix in BGP so it gets advertised to other places, either via iBGP route reflectors or to eBGP neighbors. With the relevant prefix sitting only in the owner's BGP RIB, it's not escaping the local AS.

What say you?

Is there some BGP rule which says we shouldn't advertise the prefix we're using to originate sessions with peers?

Final fun fact: I'm in PAN-OS town. I don't see this behavior on IOS.



Favorite brand of 3rd party SFP optics?

Looking to get some Cisco SFP-10G-LR compatible optics for our closet uplinks, can't avoid the cost savings of 3rd party. We originally were looking at FS.com but they process outside of the US and our credit card blocked it.

Anyone have a particular vendor they've had good experience with in the past?



what is the best way to connect four campuses?

Hello everyone, I have a networking homework assignment which describes a school as follows: "we have four campuses that are within city limits with access to city services but are located far apart from each other. We have four campuses that are roughly located in north, east, south and west of the city center. Each campus is about five kilometers away from the other two to the left and right of it (it looks like they each take up a corner of giant square with the city center in the middle in map). One cannot see any of the other campuses from a campus but they all see a couple of skyscrapers that are in downtown."

I have some questions that I can't find an answer to via searching: can I use airFiber to connect these four campuses? They want to minimize intercampus traffic; should I get a connection from an ISP for each campus?



Plantronics Headsets with Cisco 7811 IP phones ? NEED HELP !

Hi,

First of all I'm sorry for posting this here if it's not appropriate, but I didn't find any solution for this.

Has anyone of you guys successfully replaced the handset with a headset on the 7811 IP phones? It seems that simply connecting the headsets to the RJ11 port won't make it work. Should I enable an option somewhere in CUCM? I tried to look around here on Reddit and the Cisco forums without any success, and tested 4 different headsets with the same brand/model Cisco phones, with no success.

the headsets : Plantronics HW520 & 26716-01 Cable U10

Thanks in advance



Managed to land myself a Network Analyst I job

I have been wanting to get into networks for a while now, studied some of my CCNA but couldn't afford the rest of the course. Got in with an IT company as an Operations Technician and a Network Analyst job came up. Found out I got it last week. I want to really push myself and learn as much as I can quickly. How did you guys and girls get into networking and what's best to study etc? Thanks



Any injuries from networking?

Dropped a Cisco 3802i AP from on top of a rack onto my foot and it's nice and swollen.

Couldn't go for a run tonight.

Anyone else injured themselves in an attempt to move packets?



ISP BGP QUESTION

Hello everyone. We are planning to decommission our two old BGP routers and replace them with a Fortinet firewall. We have two internet service providers to which we are advertising a /24 prefix using those two BGP routers.

My question is, is it possible that our two internet service providers can advertise our /24 prefix on our behalf using our own company AS numbers? Then the two ISP will just route the /24 back to us using a static route?

My networking knowledge tells me that this is not possible because of the following: but still, I wanted to confirm with you guys.

  1. Those two ISP cannot advertise the /24 prefix for you using your own AS number. It has to be their own AS.
  2. The /24 prefix cannot source from two different AS from the two internet service providers.
  3. Failover is not guaranteed to work, or will not totally work.
  4. Asking an ISP to advertise a prefix for you to the Internet is ok, if we have just one ISP.... but since on this case we have two ISP, this is not possible.

Please let me know if this is correct, if not, please explain why.

Thank you so much!



oddity with computer in closed network getting an IP

I have a DHCP server connected to a network switch, and a computer on the other side that, upon running dhclient -v, shows a DHCPACK: bound <IP> message that makes me feel like it should have acquired <IP> as an address, but it retains 0.0.0.0. What could cause this? Please let me know if I can be more helpful with details



Stopping a loop behind an IP phone

Hi, All

I had an issue the other day where someone plugged in a small 5-port Netgear switch behind a Mitel phone and caused a loop. It wasn’t enough traffic to prevent management access, so I was able to locate and shut down the offending port ahead of the phone pretty easily.

The network is all ProCurve switches, multiple VLANs and a layer 3 switch as the core. The port was a trunk and had the voice VLAN tagged and the data VLAN untagged. Spanning tree was on with bpdu-protection enabled to shut the port if it receives a BPDU, since it is essentially an access port, but the port stayed open. I am assuming that since the phone was between the small switch with the loop and my switch, BPDUs don’t get beyond the phone to be included in the looped traffic. I could be wrong but that was my best guess.

Is there something more I should be setting with spanning tree that could have shut the port when this happens? I tried enabling the HP loop-protect feature with transmit-interval of 1 but that didn’t stop it when I introduced the same scenario on a lab switch.

What am I missing? TIA!