Saturday, May 12, 2018

Double NAT and static IP

Ok. So I am on a network with a static IP for my work, and we have a Linksys WRT 32X gaming wireless router.

When the modem is set to modem only, no wireless, basically I have one Ethernet port that gets internet.

When I have it set for all functions, I get internet on all the ports, but when I connect my Xbox, I get a double NAT type.

Outside of reprogramming the thing through the command prompt, is there any way for me to use this router to do what I want, or did I just buy an expensive router just to look pretty?



Cellular router to pick up weak signal?

Hey everyone,

I'm going to spend some time in a place with very weak cellular signal. What can I do about it? Any device that I can put a sim card in and it will create wifi? A signal booster? I'm trying to keep costs low, it's not going to be a long time.

Thanks for all the help.

Edit: I live in Europe, if it makes any difference.



Failover to another DC: BGP on a VM or updating DNS?

We currently have L2 DCI with routers running VRRP, vMotion and our storage mirrors all the VMs over the link to another DC, so failover is quite fast & easy. However, we'd like to explore other options for doing failover after a disaster / manually migrating VMs to another DC (because of all the problems related to L2 DCI...)

What's the consensus today, should we run BGP on the Linux/Windows servers to advertise loopback address so we could failover the single IP address? Services are for our enterprise's internal use so it doesn't matter that much how the address block is advertised towards the internet.

Or should we have different IP networks in each DC and then update the DNS records when the host migrates? In this case, should we have load balancers to do this? We have F5 BIG-IPs but I would like to explore the open source world too, can for example nginx/haproxy do this?

This is also an 'it depends' question, but how do you see the correct way to run two DCs and be able to fail VMs over to the other, either after a disaster or manually before maintenance? It's not a single issue I'm trying to fix; rather, I want to get ideas on how to do this correctly in the future. The software we run is not in containers; I guess that would open more opportunities for this.

Thanks!



Why do Network Engineers need to learn Linux?

Curious how this falls into y'all's day-to-day.



Donate bandwidth?

I now have unlimited data at my home and a ton of upload bandwidth that never gets used. Is there any way I can use this upload for good? I don't like to 'waste' it at all. Any servers or ways to donate my bandwidth to help a cause?



Structured Cabling Terminology

I think everyone agrees that the cables between the patch panel and the Ethernet switch would be called "patch cabling", and that the copper run terminating on the patch panel would be called "horizontal cabling"; but what do people call the portion of cabling that goes between the wall plate and the end device? I've been calling it "station cabling", but I'm not sure if that is correct.



Network segmentation with ISE

Is anyone using dynamic ACLs or SGTs to segment traffic with ISE? Heading down the ISE rabbit hole but don't have a solid plan for which technology we're going to use for segmentation. Overhauling our network with MPLS or VRFs doesn't seem like a feasible option, and I'm not currently interested in being a beta tester for an overlay like Cisco DNA. What are others doing?



Fiber Cables

Hi all, I am a network engineer and I usually don’t have anything to do with cabling. My customer is building a few buildings and they want them interconnected via 10Gb fiber with the possibility to upgrade to 40Gb with just changing the (switch and) sfp. I have seen that the same connectors can be used. The buildings are not far apart (400 feet max). So that should give enough possibilities.

What would be best to use? My customer asked me to review the contractor's quote. We just make designs and configure them when all is in place. This is a bit out of my comfort zone, but I don't want to leave him hanging either.

Are there any specific elements I need to take into consideration?

Thanks!



Friday, May 11, 2018

Biodegradable Fibers sheets

Looking for the company that makes/produces the organic biodegradable fiber pads that >California Scents, Abro, and others use for their products.< The companies I mentioned make the "spill proof" air fresheners. They soak them in fragrance oil. I wanna find out where the companies purchase the blocks. Who manufactures the organic blocks? I'm having a tough time finding the company! Link to the photo added if you're confused. Please shoot me an inbox if you find out the company's website(s). It would mean the world to me! Thanks in advance 💕💕💕 http://www.abro.com/images/as-560%20organic%20af%20pads.jpg?crc=522667186



Fiber options - SM or MM?

I'm building out a new network room that is about 350 feet away from the main network room and cannot decide if I should go with single or multi mode (OM3) fiber. I know the big one is distance capability of SM, which doesn't enter in this equation, but are there any other reasons to go with one over the other? Cost of the optics or cable is not a concern, and I don't want to run both.

Thanks all!



BGP vs SD-WAN

Please excuse my ignorance on this. My company advertises a /24 network using a single multihomed connection to two ISPs, with our router receiving full tables. It seems to work great, except if one of the circuits goes down or has problems, then it takes several minutes for the routes to reconverge. I didn't design this myself as that would be a bit above my abilities, but now I am the one managing it.

Recently, my manager saw an SD-WAN demonstration where a phone call was going across WAN1 and was nearly seamlessly moved to WAN2 after WAN1 was degraded. He now wants me to explore putting SD-WAN on our outgoing circuits. From what I know about SD-WAN, this will replace our "best path" design with a load-share design, but it will eliminate the time required for a reconvergence.

Am I understanding this correctly? Should I explore SD-WAN for my primary circuit or should I just stick to BGP routing? Is there some hybrid solution that I should learn about?



What internet package should I get for my Business?

I've been trying to optimize my internet package. They are offering me: Business Cable 25/5 Static for $160, Business Cable 75/15 Static for $200, Business Cable 150/20 Static for $270, 3MB Ethernet ESA for $385, 5MB Ethernet ESA for $552.

My question is why is 5MB so much more than Business cable? It seems like all the Business cable options are cheaper and faster.



Trying to share drives between two PCs. Hitting permission problem?

Hi /r/networking,

We have two workstation PCs running Windows 10 Pro that we're using for video editing, both with 8TB hard drives in addition to their SSDs. We're on a secure network on an R7800 router, connected wirelessly.

We want to make each PC able to access the other's 8TB hard drive so we can transfer footage and stuff between the two computers, and we're most of the way there but can't quite figure out the rest. We're hitting a permissions error.

https://i.imgur.com/jLYOvDK.jpg

Not sure what to do from here! If anyone can assist that'd be great. Networking isn't really my forte...

Thanks!



Problem with Track not being recognized by EEM (Event Manager Applet)

Key pieces of "show run":

!
track 2 ip sla 2
 delay down 5
!
::::
!
ip sla 2
 icmp-echo 24.XXX.XXX.1 source-interface GigabitEthernet0/0
 threshold 500
 timeout 1000
 frequency 1
ip sla schedule 2 life forever start-time now
!
::::
!
event manager environment _email_to XXXXX@gmail.com
event manager environment _syslog_msg
event manager environment _email_from XXXXX@earthlink.net
event manager environment _email_server :XXXXX@smtpauth.earthlink.net 587
event manager applet ISP_change
 event track 2 state any
 action 0.5 cli command "enable"
 action 1.0 cli command "clear ip nat trans *"
 action 1.5 wait 10
 action 2.0 mail server "$_email_from$_email_server" to "$_email_to" from "$_email_from" subject "On SAT / Cable Down Change - $_event_pub_time" body "Event ID: $_event_type /// Cable is now: $_track_state." source-interface GigabitEthernet0/1
 action 2.5 end
!
end

(EOF)

I am using 2 tracks, one for IP routing and this track 2 for notifications....

Now when I run "show track 1", I get the "Tracked by" section, as it should be, but for this track 2 I get nothing:

router#
router#show track 2
Track 2
  IP SLA 2 state
  State is Up
    2 changes, last change 16:16:27
  Delay down 5 secs
  Latest operation return code: OK
  Latest RTT (millisecs) 8
router#
router#

router#

I am not sure why my "show track 2" isn't showing the applet that should be tracking it. Any guidance appreciated... I've tried newer code - it's a C3945 with latest MR software on it but happened with some older IOS too.
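An EEM applet only fires if the chain "applet -> event track N -> track N ip sla M -> scheduled ip sla M" is intact, and a missing link anywhere in it produces exactly the silent behaviour described above. The following lint script is an added example (not code from the post or from Cisco) that walks that chain over a constructed "show run" excerpt modelled on the one above; addresses are documentation ranges and the broken track 3 / applet ORPHAN are deliberate.

```python
"""Cross-check IOS EEM applets against the track and IP SLA objects they
depend on.  Added example, not code from the post."""
import re

# Constructed sample modelled on the post's excerpt; track 3 has an
# unscheduled SLA and applet ORPHAN points at a track that does not exist.
SAMPLE_CONFIG = """\
track 1 ip sla 1
 delay down 5
track 2 ip sla 2
 delay down 5
track 3 ip sla 3
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 threshold 500
 timeout 1000
 frequency 1
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 203.0.113.2 source-interface GigabitEthernet0/0
event manager applet ISP_change
 event track 2 state any
 action 0.5 cli command "enable"
 action 1.0 cli command "clear ip nat trans *"
 action 2.5 end
event manager applet ORPHAN
 event track 4 state down
 action 1.0 syslog msg "track 4 down"
"""

TRACK_RE = re.compile(r"^track (\d+) ip sla (\d+)", re.M)
SLA_RE = re.compile(r"^ip sla (\d+)[ \t]*$", re.M)
SCHED_RE = re.compile(r"^ip sla schedule (\d+)\b", re.M)
ROUTE_TRACK_RE = re.compile(r"^ip route .*\btrack (\d+)", re.M)
APPLET_RE = re.compile(r"^event manager applet (\S+)", re.M)
EVENT_TRACK_RE = re.compile(r"^\s*event track (\d+)\b", re.M)


def parse(config):
    """Collect tracks, SLAs, schedules, route trackers and applet triggers."""
    tracks = {int(t): int(s) for t, s in TRACK_RE.findall(config)}
    slas = {int(s) for s in SLA_RE.findall(config)}
    scheduled = {int(s) for s in SCHED_RE.findall(config)}
    route_tracks = {int(t) for t in ROUTE_TRACK_RE.findall(config)}
    # re.split with a capturing group yields [prefix, name1, body1, name2, ...]
    parts = APPLET_RE.split(config)
    applets = {name: {int(t) for t in EVENT_TRACK_RE.findall(body)}
               for name, body in zip(parts[1::2], parts[2::2])}
    return tracks, slas, scheduled, route_tracks, applets


def lint(config):
    """Return human-readable findings; an empty list means the chain is intact."""
    tracks, slas, scheduled, route_tracks, applets = parse(config)
    findings = []
    for name, used in sorted(applets.items()):
        for t in sorted(used - set(tracks)):
            findings.append(f"applet {name}: event track {t} refers to an undefined track")
    referenced = route_tracks.union(*applets.values())
    for t, s in sorted(tracks.items()):
        if s not in slas:
            findings.append(f"track {t}: ip sla {s} is not defined")
        elif s not in scheduled:
            findings.append(f"track {t}: ip sla {s} is never scheduled, so it never runs")
        if t not in referenced:
            findings.append(f"track {t}: not referenced by any EEM applet or static route")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the real "show run" text (redacted as above) and an empty result means the applet is at least wired up correctly; it does not prove the track will show "Tracked by", which is a question for the IOS image itself.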



Anyway to increase density on MMF? BiDi? Muxing? I'm concerned about core-diameter.

So, let me start by saying, yes, it should have been SMF. I have been preaching that since the start of the project, everyone was on board, then the subs pulled in some OM4.

le sigh.

So, we have 2 core rooms and 30 some-odd riser rooms. Maximum cable distance is ~ 380 meters.

At most, to get from any core switch to any riser switch would be 3 patch cables and 2 structured fiber runs.

We have 6 strand fiber pulled in (again, I know, I wanted 24 strand OS2).

We have 3 different switches going in to each riser (different networks) and I'd like to double-connect each riser switch to each core switch at 1Gbps.

Can I run 1GBase-BiDi transceivers on OM4 up to 380 meters?

My concern is I'm not familiar with the impact of the launch diameter of the transceivers in relation to the core diameter of the fiber.

Should I use mode conditioning launch cables? Or just stick with LC UPC / LC UPC OM4 patch cables straight into the transceivers?

Is there any kind of DWDM transceivers or CWDM transceivers and mux/demux equipment that would operate across OM4?

I'm really wishing I could just get them to replace the 6 strand OM4 with some 24 strand OS2, but I got shot down on that budget request. "single connected 1G is enough... these devices don't even need a 10th of that"...

Yes, I know they don't even need 100Mbps connectivity; it's that I want the redundancy of double connections, preferably with DC-LACP to the two core switches.

So, is there any way for me to make 4-6x 1GBase fiber connections on 6 strands of OM4?

Switches are Aruba 5406R ZL2 (core), Cisco 2960-X (access 1), TP-Link TL-SL2218, and Netgear GS418TPP.

If I can't get more than 3x1G connections to the closet, I might have to simply go to a 5-switch-ring topology for each access closet and set up STP to block between Access 2 and Access 3.

God, why couldn't we just get OS2?

Core Switch 1------- Access Switch 1
     |                     |
     |                     |
     |               Access Switch 2
     |                     |
     |                     |   <--- STP blocking here.
Core Switch 2------- Access Switch 3


Management routing on ASA 9.9

Hi! So as you know the newer ASA code has a separate routing table for management traffic only.

I'd like the 10.10.10.0/24 subnet to exist in both routing tables so I can use it for management along with routing normal data. Is the ASA intelligent enough to know which traffic is management and which is data? Or will this break routing to this subnet?

In other words I want it to use the management interface and mgmt-only routing table when I'm SSHing to it, and the inside interface in all other cases.



Help

My cable modem worked fine. After a recent visit from the ISP to change the cable head to a new one, it kept working fine. It worked fine until that day; since then it keeps shutting off at random times. No reset or anything will get it back. Sometimes the signal / internet connection comes back for 5 - 10 seconds but gets lost again. I honestly don't know what is happening.



FINALLY!! Kubernetes, powered by Tungsten Fabric on AWS

Not sure if any of you have ever followed the OpenContrail project - but recently it's been moved to the Linux Foundation under the new name, Tungsten Fabric. Essentially it is open source SDN - logically centralized, physically distributed controller and "vRouters" that live everywhere your workloads live (VMware, OpenStack, Kubernetes, OpenShift, Any public cloud.)

Until recently there hasn't been an easy way to consume the upstream code. Luckily the community has just built some Amazon AMIs and a tutorial that will help you deploy a lab-grade Kubernetes cluster, powered by Tungsten Fabric on AWS.

Here is the blog post: https://keepingitclassless.net/2018/05/up-running-kubernetes-tungsten-fabric/



Access Point donations for summer camp.

Hello,

This is to ask if anyone has old access points they would donate to help get WiFi access in to a building in time for a summer camp. The camp will be in Canada but I have Canadian and US shipping addresses.

I am looking for up to 5 APs, but even one or two would be a help. APs with the following would be super helpful:

  • Support for VLANs (2 SSIDs)
  • 802.11n

I know this is a long shot. Mods, I will take no offense if this post is removed for being inappropriate for this sub. I know the Cisco 1140 series APs are going End of Support at the end of September. I thought if a company had replaced a bunch of them and had some lying around, this could be a good fit for them. An old PoE switch or controller would be icing on the cake, but totally not required to make this project work.

Thanks for your consideration!



DD-WRT router behind ISP modem/router (dmz)

So we recently switched ISP, and they both have the same modem; however, our new ISP's firmware is terrible... way fewer options, and stuff like forwarding just isn't working. And best of all, they won't even help because they just plain don't support forwarding or DMZ. So now we are trying to set up our own router that's running dd-wrt behind it.

The ISP router is a ZTE 369a and our own router is a TL-WDR3600 (running dd-wrt).

What I did so far: give our own router its own IP, set up DMZ in the modem with that same IP and assign the public IP to the MAC address of our own router. Now whenever going to 192.168.1.1 I'm seeing the dd-wrt interface and no longer the ISP modem interface, so that's success, right?

However, I have no idea how to set up the router. I set the WAN IP to the same IP as the device (192.168.2.1) and the same for the local IP. I've set up DNS (Google DNS for now) and after rebooting both devices, nothing... My PC has a network connection, just no internet (because the router doesn't have an internet connection). I'm lost at this point... what am I doing wrong?



Creating a "closed network" for Media Production

We have a requirement to set up a new closed network which will contain about 20 machines: servers/PCs/Macs. We were initially thinking of domain joining the servers/PCs and using ACLs for access, but we're not sure whether that is the correct way for this type of network. Really looking for any advice on this type of setup.

Thanks



How non-stop is your NSR/NSB/GRES?

https://ift.tt/2rCrRdk

Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Thursday, May 10, 2018

Problems with Tp-Link T1600G-28PS Duplex Mode

Guys, give me a hand please. I have some TP-Link T1600G-28PS around here, and they keep losing the SFP ports' duplex configs; take a look: https://imgur.com/a/qH2ejdl . When they start, the default state is "FULL" in the duplex mode, but the port will not transmit anything in that state. As soon as I set it to "AUTO" it will start working, but that will only last until the next reboot, even after saving the configuration... So I must be doing something really dumb; does anyone know how I can fix that?



First fiber run over 10km

Getting ready to connect a site that is roughly 13 km away with a direct fiber run. Our standard GBICs only run to 10 km, so I was looking into a new model. Our main lines to all sites run Cisco switches (this will be connecting two Cisco 3850s) and we have always used Cisco GBICs, but $1300 for a GLC-LH-SMD seems rough, especially when fs.com has theirs for $14 https://www.fs.com/products/20358.html. We have never used FS, but I hear great things on Reddit all the time. Thinking about grabbing some just to try out, but wanted to check if I am just missing something completely between these, or if anyone has had experience with them vs the Cisco branded ones. Extra stress point: only one side of these will be in a controlled environment, where the new location is exposed to temps sub freezing and over 120° F. We have had Cisco 2960s and Cisco GBICs in these conditions for over 15 years now without a failure.

Also, I have never come across this statement before on a GBIC: "A 5 dB optical attenuator should be inserted between the fiber-optic cable and the receiving port on the SFP at each end of the link for back-to-back connectivity." Is this a standard statement for any run length with these transceivers, and if so, why not just make the laser 5 dB less powerful to begin with? I assume since I would only be using 13 km of a 40 km possible run the light would be a bit overbearing, but my lack of knowledge in this area makes me not want to just go for it without questioning first.



Need some help with a Cisco SG300

I have a SG300-52 in layer 3 mode that's primarily used to route traffic to another site. Originally I just wanted layer 2 but needed the routing due to our Sophos firewall.

Anyway, I'm not a big networking person, just making it work, but I recently found I can no longer access the iDRAC console from the admin workstation. After checking some ports it seems I can't access the iDRACs on port 23. I'm relatively sure the Cisco is blocking this after the admin PC is connected to it, but how can I go about confirming this, or allowing it?



[Troubleshooting] Network Traffic bogs on SQL pulls only

(crossposted to sysadmin)

Dentist's office, Line-of-Business app is all SQL-based. We got a new server (2008 old, 2016 new), and all new computers. Old server was almost a dumb box with SQL Express running, and no Microsoft management. New server is an actual server with Hyper-V, one virtual for Active Directory and actual domain stuff, etc. The other virtual is strictly for the LOB app and SQL Express 2017. Files for the LOB app are shared from this VM. File transfers are quick, but anytime the LOB app pulls SQL data, the entire program hangs. Pingtimes spike during this period.

The first day we had everything running with just one workstation, and the speed was fine. Second day, everything slowed to a crawl with just one workstation, and all that were added. Nothing changed physically on the network, or in software configurations.

Current physical network:
-Crappy SOHO Netgear Router (will be replaced soon)
---Server plugged in here
--Netgear ProSafe JGS524E (I don't think any management is enabled, but again, even if there is, I didn't change anything)
---All workstations plugged in here.

I haven't done anything with Wireshark, because although I know what to do in theory, I don't have enough in-depth knowledge to know what I'm really looking for.



Configuring Linux Firewall to Allow Upload Only

I have something of an interesting use case. I want Splunk clients to be able to upload data for processing to my Splunk server over port 8089 (the Splunk REST API port) with SSL. It needs to be lightweight on client endpoints, so using a universal forwarder is not viable.

This can be accomplished by using the Splunk REST API, but it creates a security issue. Splunk authentication/permissions do not allow for uploading that data without also allowing downloading of data on that server using the same credentials. For security purposes, that is unacceptable.

Given the limitations in Splunk, I'm attempting a workaround using a Linux firewall on the Splunk server. My thought was I could use iptables to drop all output except that which is explicitly necessary to negotiate the SSL connection and acknowledge receipt of uploaded data. But I don't have the expertise to know how to do that most effectively.

Setting up a DROP policy on OUTPUT is easy enough. But the only progress I have made on filtering the communication is to set up a rule that limits the length of OUTPUT packets that are allowed out. This feels clunky and brittle though.

Does anyone have any insight into how to do that most effectively or if there is some other solution I'm overlooking that would make more sense? Thanks.



Batch multiple "show" commands (Cisco)

Hello r/Networking!

Trying to figure out how to batch or PowerShell multiple "show" commands in Cisco 3750 & 4500 switches.

I've tried using this in PS:

$password = "password"
$switchip = "ip-goes-here"
C:\Users\username\putty.exe -2 username@$switchip -pw $password -m "C:\Users\username\commands.txt"

With the following being in commands.txt:

show config
show vlan
show logging

But it just closes the connection after the "show config".

I've also tried copying and pasting all the commands at once on separate lines, but that doesn't work either. Finally, I've tried putting a semicolon between each command (i.e. "show config;show vlan;show logging"), but it doesn't work like that either.

My tools are pretty much limited to PowerShell and PuTTY (I cannot install additional software).

Any advice would be greatly appreciated.



SSL Certificate

Hi all,

Our company has a bespoke CRM system hosted with a cloud developer, but it turns out it's not secure and they have confirmed they can't secure their systems with SSL... very concerning for a cloud developer, right!?

How can I encrypt this with a certificate from my end? The company has given me a static IP address for the login, but I'm not sure what to do!

Thanks



Experiences with backup infrastructure

Hello! I'm working on deploying a new backup system after discovering that the one we had in place has not been working much at all. I'm looking for experiences from people who manage backup systems that cover 20+ machines including quite large fileservers. Some details of my environment:

Systems: ~30 hosts, all running Linux (Ubuntu 16.04-18.04, CentOS 7, and Fedora)

One Synology NAS box with approx 200TB of data stored.

2 additional storage servers running CentOS 7 (much better than the synos; they have RAID cards and a capacity of ~100 TB each).

FreeIPA domain is available and configured.

10GBASE-T and 10GBASE-SR are available.

Note that all the storage servers are running btrfs, but the Synology boxes don't interoperate with any other system running btrfs because Syno made changes to the btrfs parts of the kernel.

Given this I think my requirements are:

Incremental

Compression must be either none (I would use btrfs zstd compression) or something like lz4 or zstd; no gzip.

I would love a system tied into Kerberos as well.

Tape support is probably a plus as well. We may have a library available if I pester the right fellow.

I've tried btrfs send-recv, which does not work because the synos changed btrfs too much.

I've tried borg, which is OK but has trouble with large numbers of files.

I'm considering bacula and would love to know if anyone has any experience with it.



Question for any network consultants

How did you guys start? Is it better to have a CCNA cert before you start consulting? How do you balance consulting and a regular IT job?



Best Way to Monitor East/West Traffic

What would be the most effective way to monitor East/West traffic within a datacenter? Going N/S and crossing security zones is easier because it goes through a firewall, however, the server to server (E/W) traffic is difficult to monitor and therefore troubleshoot. Ideas?



Cisco IOS automatic DHCP reservation creation?

I have a need for a solution where I need to create a DHCP reservation on a Cisco router automatically based on a MAC address seen on a specific port/VLAN. The parameters of the reservation would be standardized except for the MAC address. Unfortunately, the MAC isn't known beforehand. Has anyone ever achieved something like this with EEM or some other technology?
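Whatever triggers it (EEM, a syslog hook, or a script polling the MAC table), the piece that has to be right every time is turning a MAC address into a valid IOS per-host pool. The following is an added example (not code from the post or from Cisco) that renders that pool; the pool naming, the address range it allocates from, and the router/DNS values are assumptions.

```python
"""Render a Cisco IOS DHCP reservation for a newly seen MAC address.
Added example, not code from the post; pool naming and address range are
assumptions."""
import ipaddress
import re

HEX12_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or bare
    hex and return 12 lowercase hex digits; reject anything else."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not HEX12_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def dotted_hex(digits):
    """IOS prints hex identifiers in dotted groups of four: 0100.1122.3344.55"""
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def client_identifier(mac):
    """IOS matches Ethernet clients on the DHCP client-identifier, which is
    hardware type 01 followed by the MAC (14 hex digits in total)."""
    return dotted_hex("01" + normalize_mac(mac))


def next_free_host(network, in_use, first_host=100):
    """Pick the lowest unused address at or above host number first_host
    (the 'standardised' range is an assumption for the example)."""
    net = ipaddress.ip_network(network)
    used = {ipaddress.ip_address(a) for a in in_use}
    for addr in net.hosts():
        if int(addr) - int(net.network_address) < first_host:
            continue
        if addr not in used:
            return str(addr)
    raise RuntimeError(f"no free host address in {network}")


def reservation(mac, ip, network, default_router, dns_servers=()):
    """Render the per-host pool with the standardised parameters."""
    net = ipaddress.ip_network(network)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {network}")
    digits = normalize_mac(mac)
    lines = [
        f"ip dhcp pool HOST-{digits.upper()}",
        f" host {addr} {net.netmask}",
        f" client-identifier {client_identifier(digits)}",
        f" default-router {default_router}",
    ]
    if dns_servers:
        lines.append(f" dns-server {' '.join(dns_servers)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input: a MAC just learned on the VLAN and the addresses
    # already reserved there.
    ip = next_free_host("10.1.1.0/24", ["10.1.1.100", "10.1.1.101"])
    print(reservation("00:11:22:33:44:55", ip, "10.1.1.0/24",
                      "10.1.1.1", ("10.1.1.5",)))
```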



ASA route-based VPN without tunnel IPs

I've recently been asked to build a route-based VPN using an ASA.

The other end of the VPN is a business partner who hands out a sheet with phase1/2 details all filled out. They've done this before, plenty of times.

They tell me it's a route-based (as opposed to policy-based) configuration, but didn't supply IP addressing info for the tunnel interfaces. So, I guess I have to run that VTI as unnumbered?

Now we're getting into weird territory for me. The ASA's route command doesn't allow me to specify only an interface. It requires a next-hop address.

So, what do you think? Is it possible to create an unnumbered route-based VPN on an ASA? I'm beginning to think this is actually supposed to be a policy-based VPN.



Wi-Fi woes

So I am stuck again. I am doing a project at work with mobility anchors. For the testing, I am being asked to have all test machines for the MA network use the WLC's internal DHCP server, which currently serves our guest SSID. What I am finding is that none of the machines on the MA network will grab an IP address. My theory is that only 1 SSID is allowed per DHCP entry; can anyone confirm this?

Thanks as usual.



Recommended Cisco Router for SMB/1Gbps WAN ?

Hey guys. I have a client here (about 120 users) and we just upgraded our coax connection to 1Gbps. We've got a little Cisco RV325 which has been great but I can't squeeze more than 800Mbps out of it per speedtests on speedtest.net and fast.com. I set the WAN1 port on it to High Priority through the GUI but that didn't make any difference.



New equipment configuration

Hello! I have a question for you wonderful people. I am putting in new network equipment. Ideally, I'd like to keep the same IP scheme and public IP info for our VPN tunnels. Should there be any issues with putting the current public IP address onto the new device and creating all of the tunnels on the new device with the same peer IP address and PSK that the old device had? Would there be any issues if I had to put the old gear back in for any reason with those tunnels? For reference, moving from Cisco ASA 5505 to Meraki MX84.



Question about HP switch selection for a lab

I am trying to get a cheap layer 3 HP switch for a lab I am building that is as close to the 2910al as possible in terms of layer 3. According to this wiki I am looking at either a 2800 series or a 2610 for layer 3 from HP. I honestly don't know much of anything about HP switches and was wondering if anyone could give me some insight.



Network IP Range Lingo Question

I'm a network engineer, have been for 3 years. I had a conversation with a coworker and we were discussing IP ranges. We have a /16. I said when reworking our IP range we wouldn't use the top half (thinking 145.138.255.254 instead of like the lower half 145.138.10.5). He then said yeah we don't want to use the bottom half, to which he thinks means the higher half of the /16 range such as 145.138.128 on up. Isn't that the top or higher half of the IP range?



How do you get PTR records added for public IPs?

Sorry if this is a stupid question..

We have several /24 subnets that we own and advertise via BGP to several ISPs. Our Sysadmins are requiring public PTR records for some of these public IPs. How is this normally done?



High Throughput VPN recommendation

Hi to all!

I always read this sub but I never post.

I'm looking for recommendations; I'm on a project that needs a high-throughput VPN (more than 2 Gbit).

I know a few Fortigate models that support this (Fortigate 300E and 500E), but I need an equivalent from another vendor like Cisco or Juniper.

Do any of you know a Cisco/Juniper model?

Thank you!



Fail-to-wire Firepower 4K: Does LACP work?

I've seen conflicting reports that suggest that LACP might not work on an inline set on FP 4K. The topology is fairly straightforward: FP sits in between two devices that are connected by a port channel. Does this actually work with inline sets / IPS-only mode (e.g. "transparent" IPS)? Are there any caveats?



ScreenOS, Multicasting, and IP Spoof Detection

Alright, so I'm working with a Juniper ScreenOS device, one of the 550Ms on the latest revision, and I've run into an issue with alerts being generated by multicast traffic. I'd like to start off by saying that while I've read a little bit on multicasting, my actual understanding of all the elements involved isn't as up to snuff as I'd like; in fact it's embarrassingly little compared to where it should probably be at.

There's a service running in one of the zones, let's call it Test Zone A, with, let's assume, an interface of 192.0.2.1/25. Behind this is a couple of machines running Ganglia in its default configuration, which apparently makes use of multicasting in order to monitor the devices within.

Ganglia fires off to a consistent address on a consistent port, easy enough, right, but the address is out in the multicast IPv4 range (239.2.11.71). ScreenOS throws an unholy bitchfit about this with an alert like this about every second:

IP spoofing! From 192.0.2.25:32818 to 239.2.11.71:8649, proto UDP (zone Test-Zone-A, int ethernet0/0). Occurred 4 times.

Which is wonderful and all, except I have these alerts dumping to an inbox for monitoring and now I basically have an inbox filled with false positives. Now, everything I've read from the ScreenOS community is basically that ScreenOS is too old and dumb to figure this out: turn off IP spoofing on that zone. However, given that ScreenOS very clearly has multicast routers and rulesets, I choose to believe that this couldn't possibly be the only option. I figure I just need to know what multicast elements I need to set up to tell it that this traffic is expected and allowed.

So is it just as simple as establishing an M-Cast on an intrazone policy with the MGroup address being the one I'm seeing over and over again, or are there more complications? I started trying to dig into IGMP / PIM / etc. but got a little lost along the way.

So I guess my questions are:

1.) Is this even possible with ScreenOS? Can it be taught that multicasting is not IP spoofing, thus eliminating the alert? I'd like, if at all possible, to leave IP spoofing detection intact but properly account for the multicast traffic.

2.) Does anyone know a good resource on multicasting, and if ScreenOS can deal with this traffic properly, a resource on it and multicasting?
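Until the firewall itself is taught about the group, the inbox problem can be handled on the receiving side: parse each "IP spoofing!" line and separate the known Ganglia group from everything else, so real spoofing alerts stay visible. The script below is an added example (not from the post or from Juniper); the sample alerts are constructed in the format quoted above, and the allow-listed group, port and zone subnet are assumptions taken from the post.

```python
"""Triage ScreenOS "IP spoofing!" alerts so expected multicast traffic stops
drowning the monitoring inbox.  Added example, not code from the post."""
import ipaddress
import re

# Constructed sample alerts in the format quoted in the post (documentation
# and multicast addresses; none of these lines came from a real device).
SAMPLE_ALERTS = [
    "IP spoofing! From 192.0.2.25:32818 to 239.2.11.71:8649, proto UDP "
    "(zone Test-Zone-A, int ethernet0/0). Occurred 4 times.",
    "IP spoofing! From 192.0.2.26:32818 to 239.2.11.71:8649, proto UDP "
    "(zone Test-Zone-A, int ethernet0/0). Occurred 2 times.",
    "IP spoofing! From 192.0.2.30:5353 to 224.0.0.251:5353, proto UDP "
    "(zone Test-Zone-A, int ethernet0/0). Occurred 7 times.",
    "IP spoofing! From 10.9.8.7:44321 to 192.0.2.10:22, proto TCP "
    "(zone Test-Zone-A, int ethernet0/0). Occurred 1 times.",
]

ALERT_RE = re.compile(
    r"IP spoofing! From (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), proto (?P<proto>\w+) "
    r"\(zone (?P<zone>[^,]+), int (?P<intf>[^)]+)\)\. "
    r"Occurred (?P<count>\d+) times?\."
)

# Assumed allow-list: the Ganglia group/port reported in the post and the
# subnet the post gives for the zone.  Extend per zone as needed.
EXPECTED_GROUPS = {("239.2.11.71", 8649, "UDP")}
ZONE_NETS = {"Test-Zone-A": ipaddress.ip_network("192.0.2.0/25")}


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport", "count"):
        fields[key] = int(fields[key])
    return fields


def classify(alert):
    """Label one parsed alert.

    expected-multicast: allow-listed group from a host inside the zone's
                        subnet (the Ganglia false positive in the post)
    other-multicast:    a multicast group not on the allow-list, review it
    spoof-candidate:    source address not in the zone's subnet, keep it
    unicast:            anything else
    """
    src = ipaddress.ip_address(alert["src"])
    dst = ipaddress.ip_address(alert["dst"])
    zone_net = ZONE_NETS.get(alert["zone"])
    inside = zone_net is not None and src in zone_net
    if dst.is_multicast:
        key = (alert["dst"], alert["dport"], alert["proto"])
        if inside and key in EXPECTED_GROUPS:
            return "expected-multicast"
        return "other-multicast"
    if not inside:
        return "spoof-candidate"
    return "unicast"


def triage(lines):
    """Group alerts by label and total their 'Occurred N times' counters."""
    buckets = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        bucket = buckets.setdefault(classify(alert), {"alerts": [], "occurrences": 0})
        bucket["alerts"].append(alert)
        bucket["occurrences"] += alert["count"]
    return buckets


if __name__ == "__main__":
    for label, bucket in triage(SAMPLE_ALERTS).items():
        print(f"{label}: {len(bucket['alerts'])} alerts, "
              f"{bucket['occurrences']} occurrences")
```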



BGP flowspec carriers

Hello fellow netadmins. Anyone heard of BGP flowspec carriers anywhere? In Europe, I seem to be unable to find any despite the tech being almost 10 years old...



Cisco MR33'S not reaching top speed

We've just moved into a new office (pre-wired by the previous tenants) and I have a mesh of MR33s managed by Meraki. We have a gigabit FTTC but I'm only getting a max of 340mb over wireless (900 over the LAN). Could this just be the wiring, or have I missed something? All hops to the core switch are either fibre or the minimum length possible.

It's been a busy move and I'm very tired so be gentle!



Wednesday, May 9, 2018

[Stupid Question, expect downvotes] Is there a concept map of protocols that work together for networking engineering?

I expect the answer to be no, I wanted to create one as a hobby but it seems like a massive undertaking, and don't even know how to go about doing it.

Almost like a flow chart of sorts, but just showing, for example, what interacts with DNS, etc...



Get Public IP with CLI (TelnetMyIP.com)

Started this service a few months ago. Hopefully it helps some people out. Works with TELNET, SSH, and HTTP (curl or wget).

Usage:

telnet telnetmyip.com
ssh telnetmyip.com
curl telnetmyip.com
wget -qO- telnetmyip.com

It always returns a JSON formatted response that is easy to read but can be picked up with a JSON library if you want to use it programmatically.

The service works for IPv4 and IPv6 so it is up to your client to decide if it likes the A or AAAA DNS record returned. If you want to test a specific stack, then you can use ipv4.telnetmyip.com or ipv6.telnetmyip.com.

sshmyip.com also contains all the same DNS records so you can use that if it is easier to remember.

Code can be found at the GitHub Page



SRX as route reflector, am I crazy?

Have the need for two route reflectors to handle IBGP peering in our environment. Going to be a total of ~15 peers, maybe 100 prefixes.
Looks to me that the most inexpensive solution would be a couple of SRX 300's, which support BGP with base licensing.
Anyone have any experience with the SRX line performing just routing or route reflection?
Any better low cost alternatives?



automation for network devices?

I am trying to come up with a framework for devops-style managing a broad range of network devices: cisco, juniper, arista etc.

We are looking at Ansible, NSO, or a combination of both. Also open to scripting parts of the process with bash/python as needed.

There are thousands of routers/switches.

Has anyone been through this exercise, what did you explore and end up with and why? And how is your set up running?

FYI, I'm from a DevOps background.



Ruckus AP Deployment Best Practices

I am about to deploy a bunch of Ruckus R720 AP's with a SmartZone 100 controller and Cloudpath. I am looking for some best practice type advice here. We currently have old Cisco gear installed. Our facility consists of around 20 buildings. Each building has its own separate vlan for wired devices but the AP's are all in one flat vlan that spans all buildings. All the wireless traffic is tunneled back to the Cisco controller. My questions relate to vlans mainly. I believe I am going to have 4 wireless networks: one for institution owned devices, one for staff personal devices, one for student personal devices, and a guest network. All users will have to authenticate in some way (staff and students have AD accounts). My thought is that the AP's would go on a trunk port and I would trunk the vlan for each wireless network and for management to the AP. Then the AP would tag their network traffic with the correct vlan based on how they have authenticated, is that correct? Should the vlans for the wireless networks span across each building or will each building need a specific vlan for each wifi network? What about the AP management vlan? Hope this makes some sense.



ISE and managing Domain and Guest devices Dot1x/MAB how do you do it?

So I am beginning to roll out our ISE deployment to some test groups and I am wondering if there is a better way to do a few things. So far we ended up going with AnyConnect as the endpoint agent for domain machines.

We have the NAM profile for the corp network set to check for both Machine Auth and User Auth by cert

AD is currently pushing a machine cert for ISE for any machine added to the domain and an ISE user cert for domain user logging on.

Dot1x Auth checks these and then goes to our rules setup to check against our internal identity groups for various permissions.

For MAB we have exceptions for printers, IP phones, cameras etc. TAC also helped me set up a catch rule since CDP/LLDP profiling can be slower than the auth process; this helped catch some devices that weren't getting profiled properly.

Then the rest of MAB devices get sent into the guest self registration portal. Domain users and Contractors can register their devices and get guest dACLs from the portal.

This all works great.. mostly... but I've run into some fringe circumstances that I'm wondering how to solve and if there's a better way to do our initial Dot1x auth.

So two scenarios that I have run into: Freshly imaged machines, they get added to the domain during imaging and get their certs, but until a user logs in they will not have a user cert to check. Similarly, a normal domain machine sitting on the network with no user currently logged in will fall into the MAB auth session until someone logs in. Normally a user doesn't notice as it will re-auth as they are logging in, find their cert, and auth as Dot1x, but remote workers trying to remote to that desktop won't be able to since it's in a guest portal sequence with a redirect ACL on its port.

So here's where I'm a little unsure which direction to go. I think I can do some work-arounds. I am thinking I can put in a catch authentication rule for just having the machine cert, but I can't do this in the Dot1x sequence as it will fail since it's set in the NAM profile to look for both machine and user certs. I think I can put it at the beginning of the MAB sequence and put them with a dACL that has the necessary access for domain/RDP/AD etc.

The other idea was to remove the user auth from the NAM profile and just try to add an AD user rule to the Dot1x policy set but this seems to defeat the purpose of having our user cert.

I could use some insight on how this is typically handled for others. I'm also a little torn on how to fully handle BYOD vs true guest. Any help is appreciated.



Anyone using Chef to automate device config & mgmt?

I hear sysadmins sing about chef like it's incredible. I know napalm already looks like it does what chef does, but with already looks like it has recipes for networking gear. Does Chef?



What software do you use for Cisco configuration management?

My organization is looking to invest in software for configuration management. So far SolarWinds Network Configuration Manager is high on the list, it’s just a bit expensive. We also ran a demo of Cisco Prime Infrastructure which had most of the features we were looking for. What do all of you use? Thank you!



Software for mapping fiber optic networks?

Hello folks. I am looking to map out all of our dark fiber that spreads among 30 buildings or so (college campus). I have looked at using GIMP, Google Earth, and some free CAD software, but nothing is really working that well. Is there something you recommend for a task like this?

I am hoping to use a satellite view as the base layer.



BGP - prefix advertising question

Hi, our current situation: we have a /22 subnet, which we are advertising from a DC in city A to the internet. We also have a DC in city B, which is just connected by dedicated fiber to city A.

We are using 2x/24 in DC A and 2x/24 in DC B from our /22 subnet.

Right now we are in the process of ordering a new internet connection for DC B (a different ISP from DC A).

My plan is to advertise 4x /24 from DC A and 4x /24 from DC B and set "as prepend" on both DCs for the prefixes which are used in the other DC. In this way, traffic for a /24 used in DC A should go directly to DC A, and only if our upstream at DC A fails will it go to DC B and via our connection between the cities to DC A, which is the desired state.

Is it valid thinking? Never advertised one prefix from multiple sources :) Thanks!



Cisco Firepower 2110 HA config

Hi,

Does anyone have any experience with these firewalls? I'm trying to configure HA between 2 of them but the interfaces do not come online.

I have the following config on the primary (and secondary, with secondary specified):

interface Ethernet1/3
 no shut

failover
failover lan unit primary
failover lan interface state-link Ethernet1/3
failover replication http
failover link state-link Ethernet1/3
failover interface ip state-link 192.168.254.1 255.255.255.252 standby 192.168.254.2

I fear that I am missing something that is different between these firewalls and the previous ASAs I've configured. Can you point me in the right direction?

Thanks.



Having trouble finding a job as an intermediate level engineer

Has anyone else had this issue?

I have been in networking now for about 3 years and in the IT industry for around 12. I started as a junior network engineer but was made redundant after a year and a half.

After that I got a job as the sole network admin in a smaller company, which was great for me at first, but now I don't feel as if my career is progressing.

I have gotten my JNCIA and CCNA R&S but I am getting the same two responses for every job I apply for:

  1. You are over qualified for the role
  2. You are under qualified for the role

I get told that I haven't got enough real world experience, but how am I supposed to get this without someone giving me a chance? I understand people don't want to let you loose on a production environment, but I am really trying to get somewhere in this industry and despite my efforts just keep getting knocked back.

I want to do my CCNP next but I'm worried I'm just going to keep getting the same responses.

Is it just the case of waiting for someone else to give you a chance, as I really feel like I'm stuck in limbo at the moment!

Any advice would be appreciated



Line card configuration - Nexus 7000

Hi Guys,

Just checking up on a command set I have to push on a Nexus 7000.

So we have a Nexus 7000 10 slot chassis with a mix of F1 and M1 cards in there with 2 sups. We have run out of 10g ports and there has been a new card in the chassis for some time. It's an F2E card and according to Cisco's compatibility matrix it should work perfectly with all the other F1 and M1 cards.

The only thing I have to do is add the card to our 2 VDCs. We have a VDC for production traffic and one for the backup traffic; it's a 48 port card so I want to split the card across both VDCs.

The configuration I need is: limit-resource module-type m1 m1xl f2e (have to add that one)

This needs to be done on both VDCs and then I can assign ports from that card. Now a couple of questions arise that I couldn't find in the documentation:

  • I have to re-paste the whole command with f2e added to the string to ensure I'm allowing all older cards too. If I only add f2e I have the fear that I will only allow f2e and all older cards will be removed.

  • Say for a weird reason the switch goes haywire and I lose configuration. Can I just reboot the Nexus 7K? As long as I don't commit the configuration to startup I should be fine rebooting it and it should come back like before.

Any pointers or suggestions?



GLC-LH-SM LX optics for less than 1m distance?

Hi,

Dumb question, but our MSP has asked us to hook a supplied ME3400 switch to a BT EAD ADVA box using SMF.

The distance is less than a meter away and they've supplied a 1m OS2 SMF cable.

They've also supplied a GLC-LH-SM optic for the ME3400 and the ADVA box has an unbranded LX optic in it.

My question is, is it appropriate to run LX optics this close together without an attenuator?

The EAD circuit is 1Gbps and the ADVA box can terminate copper RJ45 as well as SFP modules. We mentioned this at the time but the MSP is adamant that their CPE and the BT ADVA box be connected together using LX optics on SMF.

Should I suggest the use of a different medium such as copper or MMF optics or an attenuator or is it me that's got my wires crossed? :)



Tuesday, May 8, 2018

usb to serial adapter issues

I recently purchased a USB to serial (DB9) adapter so I could configure my Dell 5448 switch via the command line. I have tried to connect to the switch using PuTTY, of course after installing the proper drivers, but when I clicked connect, it opened a window, but no text loaded, and I couldn't type. I can't get into the switch I guess. Any help would be great, thanks.



Policy NAT in ASA 9.2+

I have an ASA that I'm leveraging as my VPN Device for L2L Tunnels as well as my internet gateway for user browsing. I need to NAT a particular IP address to a different IP address when going over the VPN tunnel to a particular partner. Also that partner will need to initiate connections to me, so essentially the NAT will need to work both ways.

I'm thinking back in the pre 8.4 days I remember doing this with a policy NAT via an ACL, but I'm not sure if that would have worked when connections are initiated from the outside.

How can I NAT an IP address to a particular IP when going over a L2L tunnel while maintaining the "overload" NAT when going out to the internet?

Edit: I think I came up with a config solution. What do you guys think?

// Local host on my inside
object network LOCAL
 host 10.1.1.1

// Local IP I will be NATing my local host to
object network XLATED-LOCAL
 host 192.168.1.1

// Host on the other end of the tunnel
object network XLATED-REMOTE
 host 172.16.1.1

nat (inside,outside) source static LOCAL XLATED-LOCAL destination static XLATED-REMOTE XLATED-REMOTE



Any source for IPv4 statistics on home/personal use vs. business use of addresses?

I've been searching the web for a while and can't come up with any quality source for a breakdown of how IPv4 addresses are allocated (broadly). I know a portion of them are reserved (RFC-1918, RFC-3927, RFC-3330/5737/TEST-NET-[1-3], RFC-5735, and 0.0.0.0/8), some are allocated to businesses, and some are allocated to individuals or home use.

Is there a good source for getting a rough estimate of how the IPv4 address-space falls into each of those buckets?

Thanks!

(cross-posted from /r/Network as recommended there)



Question about WiFi encryption

Hey,

I'm studying for an IT certification, and just went through a Network+ course/book, but since it's an online course and I don't really have anyone to actually talk to, I had some unanswered questions about WiFi encryption.

So, I know AES is a symmetric encryption method, meaning the same key is used to encrypt and decrypt messages. In the context of a wireless network, is the key in question different for each client? I assume it would have to be, otherwise wouldn't it be possible for someone else authenticated on the same network to decrypt your transmissions?

My other question was: with WiFi encryption, messages are encrypted by my device, and decrypted by the router, right? So if someone authenticates to the same wireless network I'm on, could they potentially intercept my messages after they've been decrypted by the router?
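An added illustration for the first question above (this is example code, not anything from the poster): under WPA2-Personal every client derives the same PMK from the passphrase and SSID, but the per-client pairwise key comes from the PMK plus both MAC addresses and the two handshake nonces, so two clients on the same PSK end up with different unicast keys. The passphrase/SSID pair is the IEEE 802.11i Annex H test vector; the MACs and nonces are constructed.

```python
"""Added example, not from the poster: why clients that share one WPA2
passphrase still end up with different per-client keys. The passphrase/SSID
pair is the IEEE 802.11i Annex H test vector; MACs and nonces are constructed."""
import hashlib
import hmac
from typing import Dict, NamedTuple


class PTK(NamedTuple):
    kck: bytes  # key confirmation key: MICs over the 4-way handshake messages
    kek: bytes  # key encryption key: wraps the group key sent in message 3
    tk: bytes   # temporal key: encrypts this client's unicast frames (CCMP)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).

    On a WPA2-Personal network every client derives this same value, so the
    PMK alone cannot separate one client's traffic from another's. In
    enterprise mode (802.1X) each client instead gets its own PMK.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):  # 20-byte SHA-1 output blocks
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> PTK:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of MACs and nonces).

    The nonces are fresh random values exchanged in the 4-way handshake, so
    each association yields a different PTK even though the PMK is shared.
    Broadcast/multicast frames use a separate group key (GTK) that the AP
    hands to every client, which is why they are readable by all of them.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    raw = prf(pmk, b"Pairwise key expansion", data, 48)
    return PTK(raw[:16], raw[16:32], raw[32:48])


def unicast_keys_for(pmk: bytes, ap_mac: bytes, anonce: bytes,
                     clients: Dict[bytes, bytes]) -> Dict[bytes, bytes]:
    """Map client MAC -> its temporal key; `clients` maps MAC -> that client's SNonce."""
    return {mac: derive_ptk(pmk, ap_mac, mac, anonce, snonce).tk
            for mac, snonce in clients.items()}


if __name__ == "__main__":
    # Constructed sample values: one AP and two stations on the same PSK.
    pmk = derive_pmk("password", "IEEE")
    ap = bytes.fromhex("020000000001")
    anonce = bytes(range(32))
    stations = {bytes.fromhex("020000000002"): bytes(range(32, 64)),
                bytes.fromhex("020000000003"): bytes(range(64, 96))}
    for mac, tk in unicast_keys_for(pmk, ap, anonce, stations).items():
        print(mac.hex(":"), "TK =", tk.hex())
```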



Where to store Site-to-Site VPN tunnel configs, PSK, etc ?

Hi Guys,

What do you guys recommend to store all Site-to-Site VPN configs, PSKs, etc. so the information is easily accessible when required? I get that you can back up the configs and even get the PSKs depending on how you save them, but is that the only/best solution?

I'm talking about 100+ tunnels spread through different devices.

Thanks for your help!



Security cameras losing connectivity

Need help with security cameras intermittently going out. They are mostly Axis brand cameras connected to either Cisco 2960Xs or Alcatel P-6850Es. Both have PoE capabilities. My first thought is lack of power on the 2960s: too many cameras connected to one switch that's pulling too much power. I've separated them into 3 separate switches. There are no special configs on the ports. The 'fix' has always been restarting the problem switch, which is getting old since we operate on different campuses.

Are there any best practice settings/configs/etc. that I'm missing out here? TIA



Is it normal for root CA to change the date on their certificate?

I recently came across two root CA certificates (same hash) and the not before and not after dates were different. They are both valid certs. Is this normal?

If it's normal, can you tell me why a CA does this?



What switch for mGig WiFi?

Long story short, we are getting our hands on some 802.11ax equipment later this year and are planning a huge overhaul of our wireless completely onto the new (currently unreleased) standard.

I am told it's imperative that we get the most out of these access points, and we need to get multi-gig at the access level, and it has to be copper with PoE, so new switches are required that can both provide PoE, and supply faster connectivity than 1gbps per port. So far I am not having any luck finding anything that fits that bill perfectly.

I am not fussed about the vendor, but would like to avoid Netgear as have had issues in the past (management decision, not mine).



Looking for some advice on intentionally creating congestion

I'm trying to congest a trunk link between two Cisco IE4000 switches to conduct some tests that require a congested network with high latency. (This is for graduate school research). My general idea was to use a server I have with 4 network ports (Dell R610) to create four Ubuntu VMs, each running Ostinato network traffic generator. Then I am planning to send max bandwidth traffic through the network across the trunk port, two on each side sending to the other side. (So 2Gbps being input on each side of the 1Gbps trunk). I don't need the switches themselves to be congested (as I imagine I won't be able to generate the amount of bandwidth that they are designed to handle), just any communication from one switch to the other.

I'm not very familiar with Cisco switches in general, but I was wondering if anyone had any advice or any insight if this would be an effective way to generate high latency on the small test network for my tests.



We want to change the hardware of our default gateway, will a hardware change cause an issue if IP stays the same?

Sorry for the strange wording. Essentially, say all of our clients have a default gateway of 1.1.1.1. We decided that 1.1.1.1 isn't the device we want to do our routing on, so 1.1.1.1 just forwards everything to 2.2.2.2. Now it makes sense to just have all clients go to 2.2.2.2 instead and have 2.2.2.2 set as the default gateway, but we have many devices with hard coded default gateways which can make this a challenge.

Could we just swap the IP addresses of the devices without causing an issue? In this example, if I were to change the IP address of 2.2.2.2 to 1.1.1.1, clients will be going to a new device, but we won't have to go in and change these hard coded default gateways. We are concerned there could be some strangeness with ARP or something else weird. In theory it should work, but what should my concerns be?



Question about Blockchains and IP networks

Hello,

I have a paper to do with this subject : The use of Blockchains in IP networks.

(IP as the protocol and not "intellectual property")

The problem I face is that I have difficulties finding information and papers on this; most papers with the "IP" keyword speak about "intellectual property". So I'm a bit confused about what I'm supposed to find.

The questions I have might sound lame or stupid but I want to be sure I understand what I have to do (and I never studied IP networks so I don't know much about it)

Do you think I have to explain how a Blockchain works inside an IP network? Or is it something else?

Do you know any paper on this subject that might be able to help me do my paper?

I should add that I have a very good knowledge of how a blockchain works.

Thanks in advance for your replies :)



Issue with Multiple Networks talking to a Single Remote Location

We have a hardware system setup at multiple locations, with each location having its own network. Our hardware is on its own subnet on that site's network. When a change is made on the hardware, we have an indicator that is connected via ethernet that signals the change. How can I setup a way to have an indicator connected at my office that can remotely communicate with these network? Ideally, through a singular device. Can a managed switch connect to a vpn on a port by port basis? Any help is appreciated and I apologize if there is an obvious answer. I am newer to this side of IT.



HP 2920 Switch Stacking

I currently have 1 HP 2920 but due to growth we're needing to add extra ports. I read the white paper many times on switch stacking but still have questions.

1) Can I add a new switch to the stack but have it be a member and not standby? The documents all indicate it'll auto assign as standby and then the 3rd switch added will be a member. Can I not have 2 switches; Commander and Member and call it a day and if so can someone help me out with what I need to do?

2) It would appear that the member in the stack uses the primary VLAN. I am to assume this is just to manage the member and I can still assign ports on the member to other VLANS?

3) When a member is set up will it show up in the web based management tool?



Dual receive SFPs

Hi. Looking to add some more SFPs to a Cubro Packet Broker (https://www.cubro.com/packetmaster-ex32.html) that we're using to span network traffic from a fiber tap. Currently we've used standard SFPs (https://www.fs.com/products/11589.html) in the packet broker, which means we require 2 for each fiber pair that we are spanning as we only use the receive side of each SFP.
Does anyone know if/where we can buy dual receive SFPs without any transmit capability so that we are able to make full use of each slot?



Intermittent response from Azure server when connected via AnyConnect VPN

Currently working with a client who is moving a software licencing server to Azure. The software lives on the desktop and needs to reach a licencing server and get a response before it will run.

When at a client location it works with no issues, but when accessed from a laptop connected via AnyConnect VPN this very often does not work and when it does the response is very slow when it should be more or less instant.

Any advice on troubleshooting this? I'm inclined to think it's MTU related, but pcaps I have received from the client machine do not show any signs of fragmentation (if I would be expected to see them from there).

Note, I have no access to the Azure side of things at all.



(iptables) routing connections from external client coming to public interface to another external host

I know that the topic of iptables is nothing special, but searching for a solution didn't give a result. Please finish reading the post before offering VPNs, Squid, etc. =)

For my setup I need to deploy a kind of transparent proxy (without any client device settings), but for forwarding not only HTTP and HTTPS, but any remote clients' requests to specific TCP/UDP ports (RDP, SIP, etc.) of the host's public IP to other external hosts, depending on the incoming connection port. If it's possible also to masquerade the client's IP, it would be super cool.

|remote client|public ip|> <-SIP, RDP, HTTPS-> <|public ip|proxy|public ip|> <-SIP, RDP, HTTPS-> <|public ip|target servers (RDP, SIP, VPN etc.)|

So, I want to "hide" the servers' (SIP, RDP, Mail etc.) public IPs to make the network more secure, but I can't use a regular NAT from a public to a private network. My network is decentralized (I'm using VPSs and dedicated servers from different providers in different locations, and some of my own hardware). That's why I can't use the virtual networks offered by hosting providers and just deploy NAT on the border of this virtual network.

The second scenario I thought about was creating VPN between all my hosts and to NAT incoming traffic to these hosts. But this is also a bad solution due to my network specific (VPN realisations support, latencies, UDP mode problems in combining with HTTP proxies).

The third scenario is some kind of reverse proxy (but this is for Web servers as I suggest) or Transparent proxies. But all the information I found about these variants made me understand, that this scenario is used for TCP connections.

So, I'm trying to solve this task using a Debian VPS and iptables. All the ready-to-use solutions I found don't work for me. Most of them offered to use just several rules:

  1. Turning on ip_forward
  2. PREROUTING DNAT
  3. POSTROUTING SNAT

My current iptables rules allow any incoming, outgoing and forwarded connections. There are no other rules. As I understood from the iptables documentation, I need to use these tables and chains:

PREROUTING:
  1) Connection Tracking - to not forward reply packets
  2) DNAT

POSTROUTING: change the client's IP (with SNAT or mangle?)

I hope somebody can help me. I would be thankful not only for a simple solution, but for any relevant info to google. Should the chosen scenario work with UDP? How do you think it performs in terms of latency?

Thanks.



Captive/Guest Portal Help Please

Hello, We run a small business and have been using some Ubiquiti Unifi AP-LR's for a while now with the guest portal included in the Unifi Controller. We'd now like to ask users to input their email address before signing on to our Wi-Fi, however it doesn't seem like something we can include on the built in guest portal. We'd like to know what the easiest way of having a simple guest portal that asks for a user to input an email address and accept some T's&C's before connecting for free. I'm not familiar with PHP/Apache/mySQL or anything like that really, so if the easy route did involve any of this then a guide would be much appreciated.

Many thanks!



Monday, May 7, 2018

Cisco ASA Config Cleanup Tool

Wrote a tool a while back to help find unused configuration items in an ASA config. It can find unused items in the config as well as find unused ACE's in each ACL.

Compiled binaries available for Windows and Mac.

Available on its GitHub page



Best practice for determining new software versions on networking devices

Hello Everyone,

I have a general question on choosing new software versions for networking devices such as routers, switches and firewalls. I work mainly with Cisco and Juniper gear. Part of my job responsibility is reviewing gear that is on older software and/or gear that is affected by vulnerabilities and determining the fix or upgrade to a new software version.

Cisco's software page has a "starred" release on some of their releases. What other things should I be looking at before determining which specific software to use? I like to validate that features will be supported.

Any tips that you guys have?

Thanks!



Multicast, Broadcast.. how do they understand it?

Hello everyone, I am learning about networking, and I understand the Unicast, Multicast and Broadcast methods, but one thing that I just can't understand is how a router or switch knows how to deal with IP addresses. Given the network 192.168.56.0/24, the broadcast is 192.168.56.255, but how does the router know this address is for broadcast, i.e. that the message will be transferred to all the computers in the network? How does it understand that? Is it inside the IOS of the router? Or some flag inside the IP packet? Or a standard implemented inside the router? Thank you
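For this question, and for the earlier ScreenOS post asking whether a repeatedly seen MGroup address is legitimate multicast: an added example (not from either poster) showing that nothing in the IP header marks broadcast or multicast; a host, switch or router decides purely from the destination address bits and its own configured prefix, and a multicast group is mapped onto an Ethernet MAC per RFC 1112. The addresses used are constructed sample values.

```python
"""Added example, not from either poster: how a node decides that an IPv4
destination is a broadcast or a multicast from the address bits alone (there is
no flag in the IP header), and how a multicast group maps onto an Ethernet
destination MAC per RFC 1112. All addresses below are constructed samples."""
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
LINK_LOCAL_MCAST = ipaddress.IPv4Network("224.0.0.0/24")  # OSPF, VRRP, mDNS...


def classify_ipv4_destination(dst: str, interface_addr: str) -> str:
    """Return how a node whose interface is ``interface_addr`` treats ``dst``.

    ``interface_addr`` is the address/prefix configured on the interface,
    e.g. "192.168.56.1/24"; the directed-broadcast address is derived from it,
    which is the only way the node "knows" 192.168.56.255 is special.
    """
    addr = ipaddress.IPv4Address(dst)
    net = ipaddress.IPv4Network(interface_addr, strict=False)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"        # every host on this link; never routed
    if addr.is_multicast:                 # 224.0.0.0/4: the top four bits are 1110
        if addr in LINK_LOCAL_MCAST:
            return "multicast-link-local"  # stays on the segment regardless of TTL
        return "multicast-routable"       # leaves the LAN only via an IGMP/PIM tree
    if net.prefixlen < 31 and addr == net.broadcast_address:
        return "directed-broadcast"       # host bits all ones for this prefix
    if addr in net:
        return "unicast-local"            # resolve with ARP and deliver directly
    return "unicast-remote"               # hand to the default gateway


def multicast_mac(group: str) -> str:
    """Ethernet MAC for an IPv4 group: 01:00:5e + the low 23 bits of the address.

    Only 23 of the 28 group bits survive, so 32 groups share each MAC; the NIC
    filters on the MAC and the IP layer does the final check on the full group.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    low23 = int(addr) & 0x7FFFFF
    octets = [0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    for dst in ("192.168.56.10", "192.168.56.255", "255.255.255.255",
                "224.0.0.5", "239.1.1.1", "203.0.113.5"):
        print(f"{dst:16} -> {classify_ipv4_destination(dst, '192.168.56.1/24')}")
    print("239.1.1.1 ->", multicast_mac("239.1.1.1"))
```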



Spectrum Analyzer opinions (iPad based ideally)

What are your experiences and opinions on spec-ans for smaller orgs with mostly basic wi-fi needs? I've used AirMagnet before at a larger company, but the place I'm at now doesn't have that kind of budget.

I'd used Chanalyzer before and found it to be okay, but being tied to a Windows device was a pain. We use iOS for all our mobile stuff so something that I can throw into an iPad would be great.

I've looked at https://www.oscium.com/spectrum-analyzers/wipry-5x, has anyone used it? Or something similar?



Allowing admin access to only create VPN profiles within Cisco ASA

Hey Guys,

Hopefully this is a simple question, but basically I'm trying to give my jr admins the ability to only be able to create and delete VPN profiles for users. The rest of the ASA would be off limits. Is there a quick way of integrating this? We have about 10 sites and offloading this onto a few jr admins would be helpful to our senior guys.



Ruckus Wireless question

I need to replace a slow wireless bridge and I'm thinking about using two Ruckus wireless access points. (not Ruckus bridge devices) I would want to set them both up and allow the far out AP to mesh with the AP in the main office. The additional challenge is that I need to hang a switch from the far out AP. I basically want to use the two APs as a bridge and also to provide wifi access around the far out office.

I thought about using one of the wireless radios to bridge the two offices as the two APs mesh, and use the other wireless radio for regular wifi. Are the APs capable of forwarding packets from a switch from different VLANs?



Need some help

I have a client that wants to have a clean internet line that can be used to program networks that will be going out to their clients' homes. The issue is they have a pre-existing network that is split into two networks, one running their office wifi and the other a server. Is there a way to create another feed off that is a straight shot to the internet, as if it were plugged into a completely different modem? They have a Comcast business modem with all 4 ports full and in bridge mode.



Cisco WiFi newbie: Can I rename an SSID from the IOS CLI?

I've got a reasonable handle on some Cisco WiFi concepts (controllers, capwap tunnels, mobility anchors) but have never actually worked with it.

Somebody's just asked me to re-name an SSID on a modest system consisting of a single 3850 running IOS-XE 03.07.04E and a small handful of APs.

I've reviewed the configuration from the switch CLI, found stanzas of the form:

wlan <profile> <id> <ssid>
 client vlan <vlan>
 no exclusionlist
 ip dhcp server <whatever>
 no security wpa akm dot1x
 security wpa akm psk set-key ascii <key>
 session-timeout 1800
 no shutdown

  1. Is changing the SSID as simple as removing this stanza and replacing it with another one? I'm worried that there's a whole universe of WiFi configuration that I'm not seeing from the switch CLI.
  2. The profile string in this configuration is the same as the ssid string, and doesn't appear anywhere else in the configuration (that I can see from the switch CLI). Is the profile string possibly referenced elsewhere, and therefore is it critical that I preserve it? Putting it another way, should I change from wlan foo 1 foo to wlan foo 1 bar (changing only the SSID) or to wlan bar 1 bar (changing both the SSID and the profile)?

Thanks!



Stupid Cisco SSH ACL question!

https://ift.tt/2rmlKtE

iPhones don't get internet access when connected to WiFi

At work, we have a Cisco RV345 Dual WAN Gigabit VPN Router/Firewall. We just switched all LAN's and WAN's to use this firewall. We use UniFi wifi Access Points for our WiFi. The issue we're having is that all iPhones can connect to the WiFi but can't load anything. I can't think of anything that we don't have configured correctly. Any help would be greatly appreciated.



Juniper ipsec tunnel on metro ethernet

We have an issue wherein a juniper mx480 NPU1 is not coming up on an ipsec tunnel using ikev2 on a Metro ethernet circuit, spoke router is a Cisco 3945.

Can bring up the ikev2 tunnel using a Direct internet circuit (DIA), wondering what the issue could be, any pointers would be appreciated



ICMP policy for IPv6 (ISPs)

Hello all,

I have a brief question about policy for IPv6. We are working on research project to understand the adoption of IPv6.

Part of the paper tries to discover home users. I have around 130 IPv6 addresses in multiple ASes. However, only 8 addresses respond to ICMP messages.

Is there a policy or best practice to disable ICMP for IPv6? Or am I just unlucky with the collected addresses?

Thank you in advance for any guidance or direction in this regard.



Reliable P2P wireless link gear?

My org is out of space at our HQ office and is about to sign a lease for another office space directly across the street as a temporary (i.e. probably 12-24 mos) solution. They're both single story buildings, but there's not really much between them except for road, and as such there is pretty good line of sight. On Google Earth, a straight line between them indicates a distance of about 1200 feet.

Rather than bringing in connectivity at the 2nd location, I'm tempted to see if we can get by with a wireless link. There will only be about 25 people at that location, so the bandwidth needs shouldn't be extreme. I'd like a few hundred Mb/s, but realistically if I could get 100 Mb/s that would probably work. The key is that it needs to be reliable; it doesn't do me any good otherwise.

The use case is that everyone across the street would use the wireless link for everything - Internet access, access to our local LAN resources (i.e. file server, print server, etc). Everyone there will also have Cisco IP phones, so I need to make sure that any solution I implement doesn't have latency spikes under load.

The good news is that we're in a relatively undeveloped area, so there shouldn't be any interference from other networks to worry about.

Anybody have suggestions on 1) whether what I'm trying to accomplish is even feasible, 2) what radios I might want to look at, and 3) is this something I can handle myself or do I need to bring in a VAR? Budget is largely a non-issue since I'd probably pay $20k+ for 2 years of metro ethernet between the locations, so even if I have to pay $5-10k for some enterprise bridges that isn't a deal breaker.



Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.



Software for Cisco DMP 4310G Media Player

I have a test DMP 4310G that I've got my hands on for a while to see functionality, but I've learnt that I need the software (DMPDM) firmware release 5.2.2 to set it up to use etc., but I didn't realise I need a valid Cisco service contract to make it all work. Could someone please gratefully share the software for this device? (bit.ly/2HSEX14)



I have an OSN 1500B configured with two Q5CXLL16 (L-16.1, LC) cards. Does this mean that the OSN can support a total of 32 STM-1 / 8x STM-4? This is assuming that the box has the ability to support 8 STM-4 interfaces.



Fully secure/isolated WiFi guest network configuration.

I have several customers that need secure guest networks - I am looking for a simple device that I can pre-configure and connect to the network to provide this, but I've been unable to find a fully secure solution.

I've tried several different routers, different firmwares including custom open-source, and I cannot get the wired devices fully isolated from the wireless connection. I have tried configuring with VLANs, and guest/hotspot options, but none of them stop me being able to ping the local wired devices.

I've spent a lot of time on this and can't seem to find any solution that is 100% isolated - can anyone provide any insight for me? I'm no engineer/expert...



Switching bandwidth / forwarding performance in Mpps

Hey all,

I'm in the process of working out which switches will fit our requirements, and seem to be having a derp moment.

I want to confirm that all 48 1Gbps ports on a 2960-X (Lan-Base) + 2 10Gbps uplinks can operate at line rate.

I believe I've confirmed this by confirming the switching bandwidth of 216Gbps.

(Data sheet: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-x-series-switches/data_sheet_c78-728232.html)

I've confirmed that 2Gbps (full duplex 1Gbps) * 48 (Ports) = 96Gbps, and with the two 10Gbps uplinks = 136Gbps, plus stack of 80Gbps full duplex = 216Gbps which matches the switching bandwidth. That makes sense.

Where I'm having issues is when looking at the Mpps table.

It says 130.9 Mpps is possible on the Cisco Catalyst 2960X-48FPD-L model with 64-byte packets.

I'm getting confused relating the Mpps to the switching bandwidth. How can I calculate how many Mpps at various packets sizes? How can I find the maximum Mpps for the switch? Does this relate to the Switching Bandwidth at all?
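An added example, not from the post or from Cisco's datasheet, that does the Mpps arithmetic the question asks for: every Ethernet frame occupies 20 extra bytes on the wire (8-byte preamble/SFD plus the 12-byte inter-frame gap), so frames per second is one-way bandwidth divided by (frame size + 20) x 8 bits. The 48 x 1G + 2 x 10G port mix is constructed from the model named above, and the inverse function shows what one-way rate a quoted Mpps figure implies under this formula.

```python
"""Line-rate packets-per-second calculator (added example, not from the post)."""

PREAMBLE_SFD_BYTES = 8   # 7-byte preamble + 1-byte start-of-frame delimiter
IFG_BYTES = 12           # minimum inter-frame gap
WIRE_OVERHEAD_BYTES = PREAMBLE_SFD_BYTES + IFG_BYTES  # 20 bytes on every frame


def pps_for_link(bits_per_second: float, frame_bytes: int) -> float:
    """Maximum frames per second one direction of a link can carry."""
    if frame_bytes < 64:
        raise ValueError("minimum Ethernet frame is 64 bytes")
    bits_on_wire = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return bits_per_second / bits_on_wire


def pps_for_switch(port_speeds_bps, frame_bytes: int) -> float:
    """Aggregate forwarding rate needed for every port to run at line rate.

    Forwarding rate counts each frame once (on ingress), so sum the one-way
    speed of every port rather than the full-duplex figure that the
    'switching bandwidth' number is built from.
    """
    return sum(pps_for_link(speed, frame_bytes) for speed in port_speeds_bps)


def bandwidth_for_pps(pps: float, frame_bytes: int) -> float:
    """Inverse: what one-way bandwidth (bit/s) does a quoted pps figure imply?"""
    return pps * (frame_bytes + WIRE_OVERHEAD_BYTES) * 8


GIG = 1_000_000_000
# Constructed port mix matching a 48 x 1G + 2 x 10G access switch.
PORTS_48G_2X10G = [GIG] * 48 + [10 * GIG] * 2

if __name__ == "__main__":
    for size in (64, 128, 256, 512, 1024, 1518):
        per_port = pps_for_link(GIG, size) / 1e6
        whole = pps_for_switch(PORTS_48G_2X10G, size) / 1e6
        print(f"{size:5d}-byte frames: {per_port:6.3f} Mpps per 1G port, "
              f"{whole:7.2f} Mpps for 48x1G + 2x10G")
    # Under this formula a 64-byte rate of 130.9 Mpps corresponds to about
    # 88 Gbps of one-way frame traffic, i.e. more than the 68 Gbps of
    # front-panel ports alone.
    gbps = bandwidth_for_pps(130.9e6, 64) / 1e9
    print(f"130.9 Mpps at 64 bytes implies {gbps:.1f} Gbps one-way")
```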



Multicast monitoring

G'day guys, apologies if this is already in here. I've gone through the search and haven't been able to find what I'm after (I'm sure it is just my wording).

I'm trying to come up with a solution to keep track of when my multicast traffic is coming in or not. I don't care about the data itself, I just need to be able to pinpoint if and when I am receiving the traffic. Are you guys doing anything similar? If so what do/would you use?

Thanks
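One way to get that "is the feed arriving, and since when" signal without looking at the data, as an added example that is not from the post: join the group, wait for datagrams with a timeout, and log only the transitions between receiving and silent. The group, port and 5-second silence threshold are constructed placeholders.

```python
import socket
import struct
import time

SILENCE_SECONDS = 5.0  # constructed threshold: 5 s without a packet == feed down


class FlowTracker:
    """State machine: feed it (timestamp, packet_seen); get an event or None."""

    def __init__(self, silence_seconds=SILENCE_SECONDS):
        self.silence = silence_seconds
        self.last_seen = None
        self.up = False

    def observe(self, now, packet_seen):
        if packet_seen:
            self.last_seen = now
            if not self.up:
                self.up = True
                return ("UP", now)
        elif self.up and now - self.last_seen >= self.silence:
            self.up = False
            return ("DOWN", self.last_seen)  # outage started after the last packet
        return None


def join_group(group, port, iface="0.0.0.0"):
    # UDP socket bound to the group's port with an IGMP join sent on iface.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    mreq = struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton(iface))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return sock


def monitor(group, port, poll_seconds=1.0):
    sock = join_group(group, port)
    sock.settimeout(poll_seconds)
    tracker = FlowTracker()
    while True:
        try:
            sock.recv(65535)  # payload discarded; only its arrival matters
            seen = True
        except socket.timeout:
            seen = False
        event = tracker.observe(time.time(), seen)
        if event:
            stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(event[1]))
            print(stamp, group, event[0])


if __name__ == "__main__":
    monitor("239.1.1.1", 5004)  # constructed group and port; use the real feed's
```

The DOWN line is stamped with the last packet's arrival time rather than the detection time, so the log pinpoints when the stream actually stopped.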



Sunday, May 6, 2018

I was traveling through SEATAC a few days ago, and was very impressed that in a very crowded terminal, their WiFi speed was quite high, 50 Mbps or more. So I am curious: what is required to provide good WiFi to an airport terminal that is large in size and large in users?

What's your "best" fiber outage root cause? How's "the island is leaking"?

I've seen fiber cuts due to backhoes, drivers hitting telephone poles, data closets getting flooded, rodents chewing through wires, etc.

I just saw this image on the front page: http://i.dailymail.co.uk/i/newpix/2018/05/06/03/4BE7272900000578-5695425-image-a-37_1525574205390.jpg

What's your "best" root cause item for an outage?



Automated Network Diagram; mnet v0.10 released

A couple of years ago I released a tool on GitHub and Reddit (thread) to automatically discover and diagram your network. Give this Python script the IP address of a root node and SNMP read-only credentials, and it will do the rest.

Version v0.10 is now on GitHub.

Change Log

v0.10 - 5/5/2018
- Ported to Python 3
- Cleaned up and refactored code
- Improved discovery
- Improved discovery console output
- Fixed VSS chassis detection; now finds correct serial# and platform
- All output referencing node IP now uses best IP instead of first found
- Try all known IPs for a node until one works; no longer fails on unreachable IPs (eg, VRFs/ACL blocks/etc)
- Default depth is now 100
- Added runtime to stdout
- Renamed 'graph' to 'diagram'
- Cisco ACL-style node matching (replaced config subnets/exclude with discover)
- Added 'leaf' option to stop discovery beyond a matching node
- Added 'include' option to stop discovery at a matching node
- Config option diagram/node_text replaces the below:
  - include_svi
  - include_lo
  - include_serials
diagram
- Changed -f option to -o
- If a LAG spans multiple devices (eg, Nexus) override expand_lag for that device
- Output can create multiple files. Ex: -o "file.{svg|png}" will create file.svg and file.png

Example

# ./mnet.py diagram -r 10.75.0.1 -o .\network.svg

Will generate this diagram.



Best router for under £100/$135

So I'm upgrading my home network and I need some advice on a router. I've had a look at TP-Link and Netgear but can't find anything specific.

So I turn to you, the Internet, for advice.

I mainly use it for streaming HD films from my PC to my 2 Raspberry Pis, but I don't mind doing this wired if needed. I play PS4 online and just general day-to-day stuff on my phones/tablet and laptop, stuff like YouTube and general web browsing.

Can anyone help me with options to achieve this?



Redundant BGP Route Reflectors: cluster-IDs

Consider the following topology:

https://imgur.com/a/3bN9fpC

Would it make more sense to use the same or different cluster-IDs? My understanding as of right now is different cluster IDs.

Current config of RR1:

RR1#show run | s bgp
router bgp 2
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 2
 neighbor 4.4.4.4 update-source Loopback0
 neighbor 4.4.4.4 route-reflector-client
 neighbor 5.5.5.5 remote-as 2
 neighbor 5.5.5.5 update-source Loopback0
 neighbor 5.5.5.5 route-reflector-client
 neighbor 6.6.6.6 remote-as 2
 neighbor 6.6.6.6 update-source Loopback0
 neighbor 6.6.6.6 route-reflector-client
 neighbor 7.7.7.7 remote-as 2
 neighbor 7.7.7.7 update-source Loopback0
 neighbor 7.7.7.7 route-reflector-client
 neighbor 12.12.12.12 remote-as 2
 neighbor 12.12.12.12 update-source Loopback0

Each client has 1 peering to each RR.



We don't make enough money

The Big Lie ISPs Are Spreading in State Legislatures is That They Don't Make Enough Money

https://search.app.goo.gl/dS5uF

Don't know about most of you, but we aren't making money... But I'm not Comcast or AT&T...



SFP+ modules - I learned something today

Of course you can plug an SFP into an SFP+ port; everyone knows that. Today I learned you can plug (maybe only under certain circumstances?) a 10Gbit SFP+ into a 10Gbit SFP+ port, OR into a 1Gbit SFP port. You can even force the speed of a 10Gbit SFP+ port to 1Gbit, and link up with a 1Gbit SFP.

Sorry if this is old news; it got me out of a bind today and I didn't know it was possible. I'm used to optics being capable of only one speed.



Changing jobs from Fiber Field Engineer to Coax. Would I pick it up easily?

My current job is greatly underpaying me, so I decided to switch jobs and I found a position with a higher negotiable salary. I've been working with optical fiber for around 2 years now and have great experience with all the processes involved to get the fiber connected in the exchange.

The new job I found works with hybrid fiber-coax in metro areas and in apartment buildings. I haven't ever seen the process involved to get that running, but I have sometimes seen the active hybrid fiber equipment in the field.

Would I pick up the work easily? I'm worried that it's going to take me a while, but since I've been working with fiber for so long, they assume I'm a professional. Is there anything I should know before starting the job?

(I've already negotiated my salary so I don't want to disappoint them)

*edit: grammar



Is it better to have router and modem separate?

Recently I've been experiencing some problems with my wifi and decided to buy a new router. However, it didn't work as expected, so I've decided to return it, and this time I've ordered a router and a modem separately. Does it make a difference?



Media Converters Suck

Media converters suck. I have a lot of networks with over 100 meters between routers/MDFs and IDFs, and my engineering team seems to love employing these god-awful devices that break at an ungodly hour multiple times a week. At this point the number of media converters we have deployed is just an asinine and unsustainable amount. I am curious if there are better options for converting between fiber and copper than these devices that we could start deploying in an attempt to phase out media converters and make our networks more reliable. I am fairly new to the infrastructure side of networking, but have suggested using SFPs as opposed to media converters, and my engineering team shot that down, so I am curious if there are any other devices/methods that could be employed (some sites have upwards of 50 to 100 media converters).

I am relatively new to the infrastructure side of networking, but it seems the common consensus is that media converters are the devil, and having to send out an on-call employee to swap them at 3 am is not cost effective.



Wireshark Question: Why are the filter semantics different in the first filter box before you capture, vs the filter after you capture packets?


Managers Asking About Incompetent Co-Worker

Hi,

I've been working at this company for a year now and I have a very, very bad co-worker, let's call him Bob, who should've been fired a long time ago, but due to corporate structure (our main office and managers are across the country), a lack of accountability, an organizational split where our old boss was going to fire him but dumped him onto someone else, and me picking up his slack, he's managed to survive for the past year.

Bob has been a junior engineer for over 10 years when he should probably be a technician. He is the least technical member of our group, and actively avoids work, which means I've been doing a lot of his job for him for the past year. I'm convinced if it weren't for me, he finally might have gotten noticed and fired. From November to Feb of this past year, he had a habit of coming in two hours late and only two days a week (he would "work" from home), which he got away with because we didn't have any supervision. Bob and I work in operations and oftentimes we are the only ones on shift. However, Bob lets me do all the work by actively ignoring requests or doing a piss-poor job addressing alerts. Oftentimes he leaves the room when shit breaks and it's something he doesn't know how to handle, which leaves me with the bulk of the work while he watches YouTube for 5-6 hours during his 8-hour shift. I've never actively confronted Bob on his work ethic or behaviors, but I've encouraged him to be more proactive and to investigate issues deeper before writing them off. I've also done my best to answer any questions he has had and have never withheld any knowledge or information from him regarding our job. I know people exaggerate when talking about bad co-workers, but I'm not exaggerating here.

Bob and I also don't get along. I think he's a shitty person and quite frankly, a bitch. He probably thinks I'm a hard ass who takes my job too seriously.

I was fine ignoring him, picking up his slack when needed, and never complained to management about him because I wanted to be the bigger person, and sometimes complaining does you no good. Having said that, in the past two months, our manager has asked me questions about him, and the VP of our department has started asking me questions about him and his work ethic. I didn't really let on what was going on, but mentioned we might need more leadership in our office, and when our VP, who is the kind of guy who has zero tolerance for bullshit, asked me questions about him, I did my best to say good things about him because, as much as I hate him and don't like working with him, I don't want to jeopardize another man's livelihood.

Should I tell my managers the truth?



[Question] Looking for a dual WAN router for my office. Looking at the Cisco RV345

Hi all. I'm searching for a router that supports dual WAN balancing with VPN and firewall features.

What I was able to find is the Cisco RV345, which has all those features, but I'd like one that also has a WiFi connection.

My company has about 20 employees and we depend on having a reliable internet connection, that's why I want the dual WAN thing.

Does anybody here have experience with this router or know an alternative that's good and reliable? How about one with these features and also WiFi?

Thanks!



What router should I buy?

I have a 500 Mbps plan and a 20 Mbps router and I want to buy something that is better.

Budget: $50-$70