Saturday, May 19, 2018

VM-Series High Availability on ESXi?

Hi there, I am really new to network virtualization. I want to ask about high availability in Palo Alto VM-Series. We are going to buy two VM-200 (1 for Internal, 1 for External) and will install them on ESXi. I want to ask for your advice.

  1. Should I buy another two VM-200 for the redundancy?
  2. Or let vSphere (HA or FT, I don't know which one I should use) handle the failover?
  3. ... your advice ...

What do you think?



Do routers use ARP to find next hop mac?

Sorry if this has been answered I tried to research first.

From what information I can find ARP is usually a broadcast, but broadcasts stay within the LAN.

How do routers determine the MAC of the next hop on an external network? Do they somehow use ARP?

If they do use ARP, how does it function when querying the MAC when not in the same LAN?

Thanks in advance to anyone kind enough to help me understand this topic.



Netmiko: Device_Type options

I've been working on a script at home for work and I've come to the point where I'd like to start testing it out on devices besides my ancient CAT switches, and some of the testing devices we have are NX-OS. The issue is when I'm declaring the devices, in (Device_type : <ios>) I cannot seem to find a list of the various arguments for the OSes. I'm guessing it is something akin to "cisco-nxos" but I can't find anything definitive.

Before you say it, I've already google-fu'ed this to death, and looked in the docs for netmiko; they describe how the commands work, but not the arguments that I'm looking for. Hope I didn't miss anything obvious, and any help is appreciated. Thanks,

P.S. the lab script, if you're interested: https://pastebin.com/wp76LFEL



Server Network Down Monitoring Tool (Free)

Anyone have any suggestions? I will have to use it for my new job, for the purpose of monitoring server network outages or disk warning alerts. Anything free would be good advice. PS: Windows Server & Linux

Many Thanks & Good day!



Public BGP Peering using GRE/IPSEC

Hi, I'm trying to figure out if there are any services available that would allow me to peer with them, or for that matter buy transit, without being physically connected.

This is for our lab and I'd like to avoid getting fibre towards an IX. It's mainly for learning purposes for our networking teams.



Learning path for ops manager with datacenter responsibilities

I ended up moving from software development to being an ops manager maybe 18 months ago. It's an interesting shift because it is a bit of a mid-career direction change (I'm 14 years past my BS/MS in Computer Engineering, did hardware design for 9 years, software development for 3ish, and now this). Most of the equipment I care about is in one of two datacenters with on the order of a dozen racks of equipment each. We use Cisco ASRs, Catalysts, and a bunch of Nexus boxes for our core networking equipment, with Palo Alto firewalls and F5 load balancers as well.

I'm finally at the point where I know the basics of my job and I can start digging in to what we are doing in the datacenter instead of just working off the pattern that was set by the person before me. I am pretty strong in managing Linux servers (as is my team) and we have no dedicated network resources (corporate IT loans us people as needed) so I went ahead and got a CCNA R&S cert so I'd know the basics. I'm trying to figure out my next steps.

On the Cisco/networking path, I'm looking at CCNA Data Center (both for NX-OS skills and general datacenter background), CCNA Security (mostly because we have a number of IPSec tunnels we manage with partners), and CCNP R&S (just going further down the general networking rabbit hole). I have some interest in SDN and/or using tools like NAPALM for network management, due to my software background. I also feel like I'm out of my depth in general datacenter discussions -- I didn't know twinax was a thing until I had to order some cables, I'm never sure when I order rack power or network connectivity if I'm getting the right thing, etc.

What education would be of the most value for someone in my position? It doesn't have to be certification-focused, though I like that certs give me a way to measure if I actually learned what I read/watched/heard. I'm leaning towards CCNA Data Center just because it covers some of the basic datacenter stuff I am missing and would get me up to speed on NX-OS, but I'd love to know if there are other good paths to take.

Because I'm trying to learn as I work, I don't want to spend too long on things that aren't useful. I did most of my CCNA R&S studying in about 4 months outside of work hours, but I had a decent network background for someone who has never officially worked in networking. I'm guessing the extra CCNAs would be similar in time, but I really don't know.

Really, any suggestions would be appreciated! I've seen a ton of advice for people getting certs to move into networking, but I'm basically already in the job and want to find ways to get better at what I do, especially having come in as a lateral move...



What are the benefits of flashing a wifi router?


MOP management with GIT

Anyone here have a good system of managing MOP reviews/approvals? I want to implement a way for an engineer to submit a MOP with Git and have it reviewed/approved (using Ansible maybe? or some other tool) by another engineer. Any recommendations? Thanks!



It's tough to find good networking jokes, but I just saw a trailer for a Call of Duty Game

And let me tell you, those black ops fellows have some fancy ip addressing mechanisms.

let me know if any of you can resolve 125.625.192.986



Trying to wrap my head around firewall design

The current network I work on is a collapsed core, with L2 spanning the campus. We have TRUST security zone VLANs terminated on the core, and other security zones (WWW, DMZ, DB etc) terminated on our edge firewall. We are planning out a campus network refresh with the plan of going L3 down to the Access Layer (https://www.cisco.com/c/dam/en/us/td/i/100001-200000/110001-120000/119001-120000/119801.ps/_jcr_content/renditions/119801.jpg?zoom=2)

The one problem I have is wrapping my head around security zones, if the only FW we have is at the internet edge (it is a 40Gb Palo 5250). We will have DMZ servers in the Datacenter block. In my mind creating a virtual router that spans the network would be the fix (VR_WWW, VR_DMZ, VR_DB). Then the edge firewall would do the inter-VR routing, and we can place security zone policies there.

Also in the same breath I think this is stupid, since let's say you have a WWW server sending traffic from the Data Center block to the firewall on the Internet block, routed from VR_WWW to VR_DB and sent back to the Data Center block. Maybe this is the only solution until budgeting is available for a firewall on the Data Center block.



WAN Failover and VRRP/VPN

I'm interested in how you would build a WAN with failover both at the hardware and networking level between two sites. I have some basic networking knowledge but would like others' opinions. How would you go about implementing a solution using two edge routers for redundancy?

  • 2x EDGE routers using VRRP where one router is the master and the other is passive.

  • Is it also possible to provide redundancy in this scenario using an additional ISP to connect to the edge routers so we can switch over if one of the links fails? If so, how would this be implemented, and how would we ensure VPN connections are reconnected if one of the links fails? I'm thinking of something like edge routers with dual WAN ports.

  • Is there any way OSPF could play into this scenario and how would it be implemented?



2950 Voodoo

Hi, I'm having issues removing an old 2950 (standard image). Currently I have a 3850 with a SVI routing to an access port on VLAN 916. It goes via the 2950 and then to a Cisco WAVE appliance and then to a Cisco ASR 1001. The WAVE has inline interfaces configured to listen on all VLANs, and the ASR encapsulates on VLAN 3. No VLANs are configured on the WAVE.

I have RW access to the 3850, no access to the 2950 and RO access to the WAVE and ASR.

I thought the 2950 couldn't do any VLAN routing or any layer 3 features so my mind is blown.

Do any of you have any idea of what could be going on before I take the WAN offline and password reset the 2950?

I manage the 3850, the rest is covered by an outside organisation. I want to remove the 2950 because it is 15 years old. Getting the other company to do any work is like trying to herd cats. Swapping to VLAN 3 on my side is an option, but requires a bit of extra work.



How do I block two hosts from each other using ACL of Cisco Catalyst switch?

I was using the following to block a specific host to a whole VLAN:

access-list 101 deny ip host 10.10.10.75 192.168.0.0 0.0.0.255

But how do I make a block only between the two hosts instead of one host to a whole VLAN?
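As an added illustration (not part of the post or any Cisco material), here is a small first-match evaluator for the `access-list 101 ... ip ...` syntax used above. It exists to make two things visible: every Cisco ACL ends in an implicit deny, so the single line from the post, applied on its own, blocks every packet that does not match it; and a host-to-host block needs a `host` keyword on both sides, an entry for each direction, and an explicit `permit ip any any` afterwards. The second host address (192.168.0.50) and the other test addresses are made up for the example.

```python
"""Added example: first-match evaluation of Cisco-style extended ACL entries.
Not code from the original post. The second host (192.168.0.50) is invented."""
import ipaddress


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert Cisco 'address wildcard' notation to a network object.
    Wildcard bits are the inverse of a subnet mask (0.0.0.255 -> /24).
    Assumes a contiguous wildcard; a discontiguous one raises ValueError."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_ace(line: str):
    """Parse 'access-list <n> {permit|deny} ip <src> <dst>' where <src>/<dst> is
    'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'. Returns (action, src_net, dst_net)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    action = tok[2]
    nets, i = [], 4
    for _ in range(2):
        if tok[i] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
            i += 1
        elif tok[i] == "host":
            nets.append(ipaddress.IPv4Network(tok[i + 1] + "/32"))
            i += 2
        else:
            nets.append(_wildcard_to_network(tok[i], tok[i + 1]))
            i += 2
    return action, nets[0], nets[1]


def evaluate(acl_lines, src: str, dst: str) -> str:
    """First matching entry wins. No match at all means the packet is dropped
    by the implicit deny that terminates every IOS ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for line in acl_lines:
        action, src_net, dst_net = parse_ace(line)
        if s in src_net and d in dst_net:
            return action
    return "deny (implicit)"


# The single entry quoted in the post: one host to the whole 192.168.0.0/24.
ORIGINAL = ["access-list 101 deny ip host 10.10.10.75 192.168.0.0 0.0.0.255"]

# Host-to-host block: 'host' on both sides, one entry per direction, and an
# explicit permit so the implicit deny does not swallow everything else.
HOST_TO_HOST = [
    "access-list 101 deny ip host 10.10.10.75 host 192.168.0.50",
    "access-list 101 deny ip host 192.168.0.50 host 10.10.10.75",
    "access-list 101 permit ip any any",
]
```

The ACL only takes effect once it is applied to an interface or SVI with `ip access-group 101 in` (or `out`); if the two hosts sit in different VLANs on the same switch, applying it inbound on both SVIs covers both directions with the same list.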



Question about ip phone numbers.

First off I'll say this is a school project, but it is for an actual network.

In the topology(screenshot link below): https://imgur.com/a/aqNrUIi

Ignore the red zone. The server provides DHCP for all devices. I have labeled:

vlan 20 ADMIN port 2-9 default gateway 172.16.20.1 /24

vlan 25 Library port 10-18 " 172.16.25.1 /24

vlan 10 Voice " 172.16.10.1 /24

So let's say the physical layout is Switch -> patch panel -> wall plate -> IP phone -> PC

I would like to know if there was a way to specify what number each phone gets. For example, I want the phone in ADMIN to get 1101 and the phone in Library to get 1201.

I know if it was separate LANs you could just specify the numbers in the separate routers in the ephone#-dn command, and auto-assign x-x would dish out phone numbers. In this case it's one big LAN with many subnets. I don't want to use the auto-assign command.

But what if I wanted that phone in ADMIN connected to fa0/2 on Switch1 to always get the 1101 number and the one connected to fa0/10 to always get the 1201 number so there can be a system? I came up short on Google. I would appreciate some guidance.

Thanks.



Friday, May 18, 2018

Replay edited packets using tcpreplay, tcpedit...?

So I've captured a string of packets of a host logging into a network. I'd like to edit the source/destination. Does anyone know how you can edit a pcap (say, change the IP address of a source or destination), then replay that capture? I am having some trouble with the syntax I think. Just a little guidance would be helpful, thanks.

And yes, this is on my own network.
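The tool that edits the capture is tcprewrite (tcpedit is the library behind it); tcpreplay only sends. The usual pair of commands is `tcprewrite --srcipmap=10.0.0.5/32:10.0.0.99/32 --infile=in.pcap --outfile=out.pcap` followed by `tcpreplay --intf1=eth0 out.pcap`. The part people trip over is that changing an address also changes the IP header checksum and the TCP/UDP checksum (the pseudo-header covers both addresses), so a byte-patched capture is silently dropped by the receiving stack. The following is an added example, not from the post or from the tcpreplay project: a pure-Python rewrite of a one-packet pcap that does the same address mapping and fixes both checksums. The frame, addresses and ports inside it are constructed for the example.

```python
"""Added example: remap an IPv4 address in a pcap and recompute IP + TCP
checksums, the way tcprewrite --srcipmap/--dstipmap does. The packet and
every address in it are constructed; nothing here comes from the post."""
import struct
import ipaddress

LINKTYPE_ETHERNET = 1


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 when the data already
    contains a valid checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP frame with correct checksums (constructed sample)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return eth + ip + tcp


def write_pcap(frames) -> bytes:
    """Little-endian classic pcap: 24-byte global header, 16-byte record headers."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return hdr + recs


def frames_of(pcap: bytes):
    """Yield each frame of a pcap written by write_pcap."""
    off = 24
    while off < len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl


def rewrite_pcap(pcap: bytes, ipmap: dict) -> bytes:
    """Replace src/dst IPv4 addresses per ipmap {old: new}, then recompute the IP
    header checksum and (for TCP) the transport checksum. Handles Ethernet/IPv4
    frames only; non-IPv4 and non-TCP frames are copied unchanged."""
    out = bytearray(pcap[:24])
    off = 24
    while off < len(pcap):
        ts_sec, ts_usec, incl, orig_len = struct.unpack("<IIII", pcap[off:off + 16])
        frame = bytearray(pcap[off + 16:off + 16 + incl])
        off += 16 + incl
        if frame[12:14] == b"\x08\x00" and (frame[14] >> 4) == 4:
            ip0 = 14
            ihl = (frame[ip0] & 0x0F) * 4
            l4_0 = ip0 + ihl
            for fld in (12, 16):  # src at +12, dst at +16 inside the IP header
                old = str(ipaddress.IPv4Address(bytes(frame[ip0 + fld:ip0 + fld + 4])))
                if old in ipmap:
                    frame[ip0 + fld:ip0 + fld + 4] = ipaddress.IPv4Address(ipmap[old]).packed
            frame[ip0 + 10:ip0 + 12] = b"\x00\x00"
            frame[ip0 + 10:ip0 + 12] = struct.pack("!H", checksum(bytes(frame[ip0:l4_0])))
            total_len = struct.unpack("!H", bytes(frame[ip0 + 2:ip0 + 4]))[0]
            if frame[ip0 + 9] == 6:  # TCP: checksum covers a pseudo-header with both IPs
                l4 = frame[l4_0:ip0 + total_len]
                l4[16:18] = b"\x00\x00"
                pseudo = bytes(frame[ip0 + 12:ip0 + 20]) + struct.pack("!BBH", 0, 6, len(l4))
                l4[16:18] = struct.pack("!H", checksum(pseudo + bytes(l4)))
                frame[l4_0:ip0 + total_len] = l4
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig_len) + frame
    return bytes(out)


def verify_checksums(frame: bytes) -> bool:
    """True when both the IP header checksum and the TCP checksum verify to zero."""
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if checksum(ip) != 0:
        return False
    total_len = struct.unpack("!H", ip[2:4])[0]
    l4 = frame[14 + ihl:14 + total_len]
    return checksum(ip[12:20] + struct.pack("!BBH", 0, ip[9], len(l4)) + l4) == 0


def src_dst(frame: bytes):
    """(src, dst) dotted-quad strings of an Ethernet/IPv4 frame."""
    return (str(ipaddress.IPv4Address(frame[26:30])), str(ipaddress.IPv4Address(frame[30:34])))
```

Replaying a rewritten login capture only gets the first packet or two onto the wire; the real server answers with its own sequence numbers and the captured reply stream no longer matches, which is why tcpreplay is a load and IDS-testing tool rather than a way to re-run a session.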



How can I be sure that an application is on right send/rcv flow?

Let's suppose the following (egress) flow:

[app (nginx)]-->[send_buffer(tcp_wmem)]-->(qdisc txqueuelen)-->[tx_ring]<--(dma)-->[nic]

For the tx_ring buffer I can use the driver script to ensure the affinity, and for the qdisc I can use fq_codel, but for the application (nginx) I do have cpu_worker_affinity; how can I make sure that the nginx worker N on CPU/core X is on the same (network) flow of X?

Does the nginx worker N running on X always get the send/rcv buffer of X? (Ensured by the kernel?)



ASA 8.2 to ASA 9.X migration tool?

Hi,

Does anyone know if there's a utility out there, Cisco provided or not, that will convert ASA 8.2 configs to the newer 9.X config format?

I'm coming up blank in my searches other than a simple utility on tunnelsup.com that attempts to convert NAT, statics, and globals for you.

Thanks



Is a gigabit fiber media converter able to support a 100 meg ethernet device?

Hi, so we are connecting a sign to our network and using 1000 Mbps gigabit SM fiber ethernet media converters on both ends. On one end it connects to a 1000 Mbps gig switch port and on the other end it's connected to a 10/100 Mb sign ethernet port. Are the media converters able to allow the sign to communicate over them even though it is a 100 Mb device? Right now I can only see the switch port as connected at 1000 Mbps but can't talk to the sign.



Question for service providers, with Juniper cores, who offer ethernet transport.

I'm working on an overhaul to our ethernet transport offerings and I'm curious how other ISPs handle core traversal of their ethernet transport links. Right now, we're using simple tags to whatever endpoint the customer requested but I feel like this is inefficient versus what we could be using.

I looked into setting up L2Circuit/Pseudowires (essentially ethernet over MPLS) but the core equipment we run on doesn't support that feature for our PE-edge interface configuration.

Thoughts on how you would approach this?



Cisco ASA Failover and out of band management

I have an ASA5515 that I'm adding a second device to in HA. When I configure failover, the secondary device takes the IP from the out-of-band management interface on the first one.

Is there a way to have two separate management IPs for the primary and secondary when failover is in use? Or do I just do away with out-of-band and hit it on the outside interface?



Device profiles Aruba/HPE switches: single ports/ APs as exception?

Is there a way to set an AP or port in the device profile of an HPE Aruba switch as an exception? I have 25 APs on one switch. 2 APs must be isolated. These are to be integrated into an extra VLAN. If I temporarily deactivate the device profile, all WLAN VLANs are directly set to the default (natural VLAN). Because I work remotely and the company produces 24/7, I cannot deactivate the profile or simply dismount the AP.

The switch is a VSF stack of Aruba 2530 with firmware YA.16.05.x. The APs are IAPs 334, 305 and 304.

My profile configuration is very simple:

    device-profile name "aruba"
       untagged-vlan 30
       tagged-vlan 31-32
       exit
    device-profile type "aruba-ap"
       associate "aruba"
       enable
       exit

I am happy to receive any information



Watchguard - Firewall - Yahoo Login Page Header Oversize

So, I have multiple clients, all running on WatchGuard firewalls. We have them running through your usual HTTP/HTTPS proxies. When they try to log in to Yahoo, after putting in the username and pressing Next, it will bomb out, give a Header Oversize message, and deny the traffic.

When you look at the header you see "google.com" repeated over and over to an indeterminate amount.

Any ideas? Or is anyone else seeing this in their environments?



cloud based internet issues

We recently had an issue where our tunnelled AWS traffic started running dirty with a lot of packet loss. When tracking it down you could see the hop in the middle of the path where the latency spiked and all the packet loss started happening. Maybe it was a peering issue, bad equipment, congestion, whatever.

How do you guys deal with this when some random provider in your path that you do not have a relationship with is breaking your stuff? In this case it cleared up eventually but I am just trying to figure out what others do that I may be able to add to my playbook.



Why should I learn Python/Ansible for network automation?

I find the idea for network automation highly intriguing. The problem is that I'm lacking motivation to start getting involved and putting the time in to learn it all. We use Solarwinds in our environment and it seems like it does a pretty good job of automating tasks. Maybe I'm not fully understanding the full capabilities of what can be accomplished using Python and Ansible. Can anyone fill me in on why I should start cracking the books and videos? I would love to hear examples of how you use it in your environment!



Draytek router hacked

Where would be the best place to post about a possible flaw in the security of Draytek Routers so fellow Redditors are aware ?



OCTET 8291 Public network serving local user

Hi all,

I would like to request your help in understanding a disconnect cause that I'm currently melting my brain on.

Scenario: A# is calling B# and I get the disconnect cause as "userbusy" in my trace.

Actually, the customer says that this is not a one-time issue and it happens quite often even though he has coverage and is available to receive calls.

I've been studying this for some time and this is the conclusion I have reached:

I receive information that the B# is busy.

    busyCause: 8291
        .... 0010 = Cause location: Public network serving the local user (LN) (2)
        .00. .... = Coding standard: ITU-T standardized coding (0x0)
        1... .... = Extension indicator: last octet
        .001 0001 = Cause indicator: User busy (17)
        1... .... = Extension indicator: last octet

I've checked the octets, 8291 and:

82 gives me the general location of the disconnect (82 is Public network serving local user).

91 gives me the cause (91 is Transit network does not exist).

Looking into what "Transit network does not exist" means, I see that in Cisco troubleshooting I get the following info:

"No route to specified transit network (national use) Indicates that the gateway is asked to route the call through an unrecognized intermediate network.".

So currently I'm at a dead end since I can't assume where this disconnect event is coming from. Is it from the RAN or from the Core?

PS: I work on an MVNO and I'm quite a noob. :)

Many thanks guys!



Thursday, May 17, 2018

RFC 6349 WAN testing

Has anyone found a good way to run RFC 6349 tests over WAN links in an overall solution that scales easily? We have 100+ sites and really could use a server-based solution, something that we could deploy fairly easily.



Access control list aka acl

Hey guys and girls,

Now, under normal circumstances everybody would use a firewall, before their edge router connects to the internet and all drops and permits would go on the firewall.

Under regular circumstances, I do not have a firewall in place and I have 2 sets of ACL that sit on the upstream(s) interfaces. One inbound and other is outbound.

Thing is, you can make it as complicated as you want, dropping all the nitty gritty and then permitting, or you could permit and drop everything else. As it stands, Cisco reads line by line, and the more lines you have, the more computation and higher CPU.

What I want to know from people working at ISPs/SPs who are also transit providers: how would you go about doing it? Keep it simple with as few lines as possible, or would you have 200 lines for each ACL? What is the common practice in your case and why?

I mean, yes, drop bogons, drop your own IP coming in, drop DNS, BGP, NTP, uPnP, SMTP and maybe even drop ICMP, and then would you go ahead and proceed to do more?

I am not even going to try and stop DDoS using ACLs because I can't; doesn't matter what hardware I have, I can't. I don't know what a firewall could do, not going to be finding out soon.

My biggest worry after DDoS is having my IP blacklisted; it's usually spam over SMTP or somebody who has just watched The Matrix trying to log into the IRS dBASE too many times. Either way, whitelisting is a bitch and worse when money is required and clients don't want to pay and switch providers; no law to prosecute the sob.

Cheers



Cisco 6807-XL Quad VSS Packet Loss

For interest: has anyone experienced packet loss on a Quad VSS setup? Notably with ARP traffic; as a side effect the problem exposes itself as /some/ clients not having an entry for the gateway.

Interestingly, the problem dissipates if a host is moved to a switch that is etherchanneled to both chassis.

Latest firmware and TAC have been slow getting to the bottom of this one.



Installing EVE-NG pro on metal using the ISO from their website.

I'm trying to install EVE-NG Pro on a bare metal server using the ISO file provided on their website. My assumption was that it would be equivalent to the OVA file -- i.e. the actual lab software installs automatically via a post-install script -- but after installing it, it just looks like a normal Ubuntu server. All of the tutorials I've seen online tell you to install Ubuntu first and then do a bunch of weird stuff like changing the interface name to get EVE-NG running on top of it. If this is the case then why do they provide an ISO themselves if it's just vanilla Ubuntu?



ASA5508-X with Firepower: do I need FMC?

Hi

I just got this device and I have never used this FDM web GUI before. I need to set up PBR and security contexts but I can't find how to configure this.

All I have found is that I need FMC? Seems weird to me. I thought I could configure the device via ASDM but it doesn't seem possible.

So is FMC my only option to unblock these settings?



EVE-NG: Terminal with multiple tabs

Hi,

I'm sorry for asking but I can't find a solution to use another terminal than PuTTY. I like PuTTY but it doesn't support multiple tabs so I wanna use SuperPuTTY. It drives me crazy when you're using many routers and you need to swap between many PuTTY terminals. I can't stand it and don't wanna leave EVE-NG because of it.

I know it can be done because on an official EVE-NG YouTube channel I saw an instructor using another Terminal with the mentioned support.

Here is an example: https://youtu.be/82M9vpx5UAU?t=11m58s

Thanks in advance.



My router was confiscated from my dorm room on account of it running a rogue DHCP server on the WAN end

Hello Reddit,

This may not be a technical networking question, but I need some help here. I do have a basic understanding of how computer networks work, but nothing more than that. I will reply to your responses if I don't understand something, so please be patient with me.

Last month, my college campus' IT team confiscated my router, which I have been keeping in my dorm room for almost a year, saying that it was running a rogue DHCP server working on the WAN end. The representative explained to me that my router had assigned IP addresses to other devices trying to connect to the campus network and hence they had not been able to access the network resources or connect to the internet.

The router runs OpenWRT. I have been using this router for almost a year and there have been no issues. The IT representative told me that they have been monitoring my router and said that the rogue DHCP server has been detected very recently (A week before the confiscation). I have made no changes to the default configuration that OpenWRT comes with when installed.

I have two questions. Firstly, can a router/firmware (OpenWRT) malfunction like that suddenly? Is it a heard-of issue? And second, I know that all switches used in the network are Cisco switches; don't they come with DHCP snooping?

They have landed me with a hefty fine and taken other disciplinary actions - they have basically flagged me as someone who has actively tried to disrupt the network.
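What the switches' DHCP snooping feature does is the check below, reduced to its core. This is an added example, not from the post and not Cisco code: it parses a BOOTP/DHCP message, reads option 53 (message type) and option 54 (server identifier), and drops any server-side message (OFFER, ACK, NAK) that arrives on a port not marked trusted. Client messages pass. The two sample messages, their addresses and MACs are constructed for the example. A second point worth knowing in this situation: a stock OpenWrt build runs its DHCP server on the LAN bridge, not on the WAN port, so the most common way such a box ends up handing out leases to a campus is a LAN port, rather than the WAN port, being cabled to the wall jack.

```python
"""Added example: the decision a DHCP-snooping switch makes per message.
Not from the post or from any vendor. Sample messages are constructed."""
import struct

MAGIC = b"\x63\x82\x53\x63"                      # RFC 2131 magic cookie
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MSGS = {2, 5, 6}                          # only a server may send these


def build_dhcp(op: int, msg_type: int, yiaddr: str, server_id: str = None,
               client_mac: bytes = b"\xaa" * 6) -> bytes:
    """Construct a BOOTP/DHCP payload with just the options this check needs."""
    yi = bytes(int(o) for o in yiaddr.split("."))
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                      b"\0" * 4, yi, b"\0" * 4, b"\0" * 4,
                      client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + bytes(int(o) for o in server_id.split("."))
    return hdr + MAGIC + opts + b"\xff"


def parse_dhcp(payload: bytes) -> dict:
    """Return op, yiaddr and the two options the snooping check relies on."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    info = {"op": payload[0],
            "yiaddr": ".".join(str(b) for b in payload[16:20]),
            "msg_type": None, "server_id": None}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                          # end option
            break
        if code == 0:                            # pad
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        i += 2 + length
        if code == 53:
            info["msg_type"] = value[0]
        elif code == 54:
            info["server_id"] = ".".join(str(b) for b in value)
    return info


def snoop(payload: bytes, ingress_port: str, trusted_ports: set) -> str:
    """Server-side messages are only accepted from trusted ports (uplinks, the
    port facing the real DHCP server); client messages are always forwarded."""
    info = parse_dhcp(payload)
    name = MSG_NAMES.get(info["msg_type"], "UNKNOWN")
    if info["msg_type"] in SERVER_MSGS and ingress_port not in trusted_ports:
        return f"DROP rogue {name} from {info['server_id']} on {ingress_port}"
    return f"FORWARD {name} on {ingress_port}"
```

On Cisco IOS the equivalent is `ip dhcp snooping`, `ip dhcp snooping vlan <n>`, and `ip dhcp snooping trust` on the uplink and server-facing ports; everything else is untrusted by default. The same feature builds the binding table that a campus uses to name which port, and so which room, an offending lease came from.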



Most stable QFX5100 virtual chassis >14

Can anyone recommend QFX5100 code above 14 that is stable with virtual chassis? It would be nice to have a version of Junos that matches all our other gear, but Juniper is still recommending 14.



Cisco Shares down 4% on Memory concern

DRAM memory pricing continues to be a headwind, say Cisco executives. They guided down gross margins on this. Appears to be an industry-wide trend. Good to be in the memory business these days; Micron investors (MU) are loving it.



Have you heard from Dell about the Intel component failures?

We're 15 months into the clock signal issue.

Dell's advisory promises proactive replacement of affected devices starting about 6 months ago.

Anybody heard from them yet?



Link in LAG group failed, could still access switch but DHCP fails. Why?

So I have a switch LAGed (2 links) to the main switch. The switch provides PoE to a bunch of access points that are on trunk ports with a native VLAN. The other day, when all of those APs went offline, it was pretty clear that the issue was with that single switch or at least its line of communication back to our core switches. I could SSH into the switch and could ping around internally and externally, and saw in 'show cdp neighbors detail' that the APs weren't getting IP addresses. At some point I saw that one of the two links in the LAG group was dark, but the assumption that the LAG group was meant to continue operating if a link failed led me to look elsewhere. After some amount of dead-end troubleshooting, I decided to just fix the dead link in the LAG group and voila, all the access points received DHCP and all was well. Can someone explain this to me?



Mikrotik['noob'] - Is there a way to block a specific device from accessing my LAN using their MAC address?

Hi,

I have some Mikrotik switches, with some wireless access points. I've noticed that there is an unknown device attached to the network. I would like to block that device from accessing the network. Is this possible and if so, how is it done?

Everything I've come across seems to be about restricting devices from accessing the internet. When I tried a filter out, I blocked all devices from the network. Oops!

I know that the ideal scenario would be to change the wireless password, but I would also like to block the device specifically too. I know how to easily do this on a domestic router, but a commercial router like this seems to have me stumped a little.

The device I'm attempting to apply the filter/block on is an RB750Gr2 which controls the access points and is the gateway device to the internet.



Junos Space Push Massive Configuration Changes

Anyone use Device Templates on Space to push config changes to multiple switches? Have a Juniper customer that used local authentication, no NTP, default SNMP, no syslog, etc... on all their switches. Basically I want to push a change in password, set up authentication and other best practices on all the edge EX switches. Any links, videos, advice for utilizing Space for this function? I've never used the product before but the customer has it up and running with most of their switches discovered.
Thanks as always!



How do sales engineers prepare for a discovery meeting?

How do you prepare for a discovery meeting? What tools do you use?



Is the pricing of scalable corporate wifi so unreasonable or what am I missing?

So the CEO decided to "move forward" (sic.) and asked us for a draft on how we plan to implement an extensive WiFi coverage in our main building.

Right now we're limited to a single Cisco WAP AP in our meeting rooms, VLAN encapsulation and a captive portal on a CentOS server. It's a no-brainer to see we can't really scale that without shooting ourselves in the foot, so I went and asked around... and I kinda didn't expect what I saw.

Picture this: you can buy a single AP from Cisco (WAP series) for about 100€ - you're quite limited to a single point but those things are sturdy, reliable, have a good range and support separate VLANs on different SSIDs.

The game gets rigged when you try to add a couple more and you fancy some features like scalability and roaming...

I fell in love with Fortinet lately, they even integrate a WiFi controller in each of their appliances, so I went and took a look at their product matrix: you can't pick something too little, as the lower products (sub 1000€) just support up to 4/6 APs, so you're bound to invest at least 2000€. Fine. And then you ought to dig MUCH DEEPER in your pocket because the APs are 450€ each (of course if you're prepared to give up on 802.11ac - because that's at least 650€)

Fancy and all, but how do you justify a 400%+ price increase for basically the same features? (nope, Sonicwall etc. are not much cheaper)

I'm not even talking about heatmaps, placement, routing or even basic planning... I'm talking about having to shelve 10k at the very least to cover a couple key rooms, we're talking 20-30k on hardware alone for the whole building.

TBH I didn't expect it to be so expensive...am I missing something?



When are 169.254.x.x addresses assigned

Had a printer that was getting a 169.254.x.x address. This post

https://superuser.com/questions/840388/i-am-using-windows-7-and-i-get-a-169-254-x-x-ip-address

implies that the Ethernet link has to be up/up before a 169.254.x.x address will be assigned, i.e. layer 2 has to be up but no DHCP server is responding. Is this strictly true, or can layer 2 be down and the printer will still get a 169.254.x.x address?

Edit : should be addresses not addressees



Reallife experience from per-packet loadbalancing?

When you set up ECMP and/or a LAG, the packets can (usually) be load-balanced either by flow (aka per-flow, such as the combo of srcip+dstip+srcport+dstport so a specific TCP session will only use a single path) or per packet (aka per-packet, where packet1 goes path1, packet2 goes path2, packet3 goes path1 and so on).

Traditionally, using per-flow load balancing is considered more "safe" because packet order within a flow is maintained; however, more and more equipment today supports per-packet (and even starts to default to that), which will better utilize available links.

Imagine you have 10G hosts but only 1G links in between. With per-flow the max speed for a single file transfer will be 1G, but with per-packet, if you have let's say 8 links, the max speed is now 8G for a single file transfer.

Another situation is if you are unlucky and two flows are selected to use the same physical path, so instead of host11 getting 1G to host21 and host12 getting 1G to host22, they both get 0.5G.

Anyhow, the worry with using per-packet is the possibility of out-of-order packets, but how is this a problem (if ever) in real life if you use up-to-date Linux and/or Windows clients/servers?

I can imagine there might exist some use cases like VoIP which need to have the packets within the decoding window (like 10-30ms), where any late packets are just discarded, but other than that?

Anyone experienced any problems in reality when using per-packet load balancing over ECMP/LAG links, and if so, any fixes to mitigate this (I would assume increasing some buffer in the TCP stack settings on the Linux/Windows boxes)?



Wednesday, May 16, 2018

Transport Circuit to Hawaii

Anyone here had success buying a L2 transport circuit to Hawaii? 1Gbps or 10Gbps depending on price. Could also be L3VPN if necessary. Head end would be well-lit colos in Phoenix or Vegas. Was just told by a broker that no one bid on L2VPN due to distance, but I find that odd considering both ends are on-net for several tier 1s.

I’ve just asked for a quote from HE which would drop them into a Phoenix colo that we’re not in, so I’d have to get a second circuit. Just wondering if anyone’s had success doing this and could point me in the right direction.



Need help. I'm flooding my school with mail requests and need to block it on my end.

I talked to my school's security guy and he told me that my home's external IP address is showing up as sending way too many requests to their mail server. I believed it was my new Galaxy Note 8 because its mail settings were set to auto, so I tried to limit it by setting it to manual. I also want to block the mail server on my firewall/router; I have a FortiGate 60C at my house. I have a policy that says all internal traffic is allowed to go to WAN1 (policy 9). But above that I have a policy that says deny all traffic from internal that is going to the two mail server IP addresses at my campus (policy 8).

Am I doing something wrong? Shouldn't policy 8 block all data from going to those IP addresses? I did it by making firewall objects and putting them in policy 8 as a deny-all-traffic policy.

Any and all help would be appreciated; my campus has put a global block on my home external IP until this gets figured out because apparently it is a dangerous amount of traffic and they think my equipment is compromised... It all started when I got my new phone, and I have tracked the usage in my logs to my new phone.



A question of subnet mask....

I had a question asked of me today that I thought I knew the answer to, but, after thinking about it I wanted to get the thoughts of this sub...

So, Let's assume we have two devices.

Device "A" has an IP address of 10.192.193.40 with a mask of 255.255.0.0

Device "B" has an IP address of 10.192.192.40 with a mask of 255.255.255.0

I have an IPsec VPN set up between two sites that routes the full /24 of 10.192.192 to 10.192.193, and the full /24 of 10.192.193 to 10.192.192

My answer would normally be that in this case the IPsec rules are explicit, and only allow /24 traffic across - but the point was made that masking shouldn't matter here, and I was asked why the device "A" couldn't talk to device "B"

As I understand it, Device "A" should be able to talk to anything from 10.192.0.1 to 10.192.255.254, and as I understand it Device "B" should be able to talk to anything from 10.192.192.0 to 10.192.192.254

So - why couldn't Device A talk to Device B?
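As an added illustration (not part of the original post), the check below uses Python's `ipaddress` module to work out how each device forwards a packet to the other and whether the IPsec selectors would carry it. The addresses, masks and the two /24 selectors are taken from the post; the conclusion it shows is that the selectors do match both directions, but device A's /16 makes it treat B as directly connected, so A ARPs on its own segment instead of handing the packet to the gateway that fronts the tunnel.

```python
import ipaddress

# Addresses and masks from the post; the selectors are the two /24s the IPsec
# policy carries, as described there.
DEVICE_A = ("10.192.193.40", "255.255.0.0")
DEVICE_B = ("10.192.192.40", "255.255.255.0")
IPSEC_SELECTORS = [
    ("10.192.192.0/24", "10.192.193.0/24"),
    ("10.192.193.0/24", "10.192.192.0/24"),
]


def on_link(host_ip: str, mask: str, peer_ip: str) -> bool:
    """True if a host configured with host_ip/mask treats peer_ip as directly
    connected, i.e. it ARPs for the peer instead of sending to its gateway."""
    local_net = ipaddress.ip_interface(f"{host_ip}/{mask}").network
    return ipaddress.ip_address(peer_ip) in local_net


def in_selector(src_ip: str, dst_ip: str, selectors) -> bool:
    """True if a src->dst packet matches one of the IPsec traffic selectors."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return any(
        src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
        for s, d in selectors
    )


def analyse(a, b, selectors) -> dict:
    """Compare how each end forwards a packet to the other and whether the
    IPsec policy would carry it. a and b are (ip, mask) tuples."""
    a_ip, a_mask = a
    b_ip, b_mask = b
    return {
        "a_sends_to_b_via_gateway": not on_link(a_ip, a_mask, b_ip),
        "b_sends_to_a_via_gateway": not on_link(b_ip, b_mask, a_ip),
        "a_to_b_matches_ipsec": in_selector(a_ip, b_ip, selectors),
        "b_to_a_matches_ipsec": in_selector(b_ip, a_ip, selectors),
    }


if __name__ == "__main__":
    for key, value in analyse(DEVICE_A, DEVICE_B, IPSEC_SELECTORS).items():
        print(f"{key}: {value}")
```

The asymmetry is the point: B would reach its gateway and the tunnel, but A's requests never leave A's LAN unless something on that LAN answers ARP for 10.192.192.40 (proxy ARP on A's gateway would mask the problem, which is worth checking before declaring the mask irrelevant).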



VLAN Setup (Procurve Switch)

So I've been banging my head lately against a wall with a Unifi AP as it's been having some weird VLAN issues, and I figured I would start at the switch and move forward and hope to eventually get to the problem.

Side Note: I am coming into this with previous System Admins setting things up and not sure if it was done right and trying to improve.

Here is a diagram of our current switch layout https://i.imgur.com/N2BoEyU.png which from what I've read and seen should be correct.

The problem I am having with the Unifi AP is that any time I specify a VLAN to use it immediately breaks the AP assigned to it.

So I am coming to you guys to see if you can see something wrong with the switch layout!

It's an HP ProCurve 48p, FYI.



Migrating policy from ASA to Firepower

https://ift.tt/2IpJmEY

Simple Corporate VPN with easy management and fast speeds?

(Apologies up front if this is not the correct subreddit, but I think it's OK...) Our company has employees and clients all over the place and we have used NeoRouter in the past to create two VPN subnets so that employees can access our servers (droplets, databases, anything we put on the VPN for them) and clients can access a narrower selection of the same things.

We are migrating from a baremetal host of yesteryear to DigitalOcean and I ran a speed test after setting up a simple OpenVPN server from my office in Central TX. OpenVPN was about 175-225 megabits; NeoRouter was 15-20 (I think due to the driver they use).

I spent all day delving into OpenVPN config files to figure out how to set up what I needed and while it's manageable, it's frankly a pain in the arse and I went looking for free or freemium solutions that would give me a GUI to say "issue a cert to this guy and give him access to this subnet but not that one" as well as see things like who is logged in right now. OpenVPN-AS is too expensive for us. I am a competent amateur in that I've been running our company's fairly simple networks for 15 years but it takes me a while to shift gears to work on this stuff and I'd prefer to eliminate it as something I have to spend a ton of time on (so yes, I know OpenVPN out of the box will do everything I want...dumb it down for me!)

I don't care about anonymity or routing all my traffic through our VPN. I just want to create a virtual network accessible to our company and some of our clients. Something that runs out of a Docker image like Google's Outline seems like it would fit the bill, but it's intended for journalists and people who want to route all their traffic through it. I just want routes for our subnets.

What's the best bet here? A dedicated pfSense/OPNsense droplet? It doesn't have to be free, but I'd rather pay up front than a per-user-per-month model.

Thank you!



Determine why phones failed over to primary subscriber and then returned to primary subscriber - Call manager

Our phones failed over to our subscriber at our DR site, and then they failed back. Trying to determine the root cause. I was looking through the Real Time Monitoring Tool and looking at some traces. I don't know which one I would select in real time to show this. Is there a way to see how long a phone has been registered to a certain call manager? Where would I look to determine the cause of the failover? I've looked at the routing at both datacenters and don't see any route changes.

Any help in pointing me in the right direction would be much appreciated. Thanks



Purple.ai via 4g Routers?

Hi,

Has anyone set up purple.ai through 4g?

We have a fleet of cars with 4G routers and would love to use this.

What I am thinking is my solution is a wireless access point that can connect to a hidden SSID and broadcast another SSID that has this enabled.

We are using the Teltonika RUT850 because it has GPS tracking, but it does not feature a category cable to link to an access point that can use purple.ai.

If not, I am looking at Facebook Wifi, if someone has a solution for that.



Studying for CCENT/CCNA - Need Help

I'm terrible at studying. In all my 28 years I generally study and do terribly on tests, especially when studying from a textbook. However I know the only good way to study for this exam is via a textbook so I got the official books for this exam.

I've managed to go through and take notes on a few chapters so far while I could during my last semester. I have some extra time this semester as my load is a bit lighter so I was hoping to study more for the exam I just don't know how to go about doing it. There's so much information in the book that I'm not sure what's important to memorize, or what's important to just understand the concept of.

If anyone has had to study for this before from a textbook, could you please share any study tips you may have for studying for this exam? What should I be taking notes on to study later and what should I just be reading to understand?



If you were opening a new small office, what networking equipment would you buy to ensure the best quality for VoIP traffic?

Sorry for the non-enterprise question, but this sub seems to have the most expertise in ensuring that VoIP traffic is properly managed.

I'm opening a new small office for a friend (about 10 people) and the staff will need reliable phone service. He's in a Cogent building so he'll use them for an ISP but everything else is on the table.

Thank you in advance for any help.



Help debugging extremely strange situation.

Hey folks. I have a weird situation and I'm not even sure how to begin debugging.

I have an Asus AC-5300 running Merlin. It's wired through the house. In my office I have a little gigabit switch connected to the wall. When I plug ethernet into my Raspberry Pi, my wireless becomes extremely unstable. I can get the Windows boxes in the house to connect to it, although intermittently. The Android devices error out instantly.

As soon as I remove the cable from the pi, everything instantly works again. My only thought is it has something to do with the 100 megabit ethernet port on the pi. I have no idea. Any thoughts would be welcome. I've reset the router to factory defaults, as well as an android device. They exhibit the same behavior.



Advice on Network Upgrade

Hey everyone,

I'm having to redesign our topology and could really use your advice on a few areas. Currently our network is flat with no vlans, it spans 4 buildings which are physically close and connected with fiber, we have about 850 users with a little over 1k devices.

So my first question is would you do vlans based on locations or category? I see the value in each but I'd love to know if one performs better over the other.

My second question is which brand to go with when we buy new equipment. Right now we are looking at Aruba or Ubiquiti. We don't have a huge budget and the Aruba would seriously be pushing the limit and would need to be purchased over 2 years, while we could get all the Ubiquiti switches in one go.

And lastly, would all the switches need to be layer 3 for interVLAN routing?

Sorry if these questions are a little lower level than the norm here. I've tried hiring a consultant to help set everything up right, but my request was denied.



Routing VPN traffic between Meraki MX84 and ASA 5505

Hello everyone! My head has been spinning at this issue ever since we put in new Meraki appliances. There turned out to be a limitation where we cannot just send specific IP addresses over a VPN tunnel. The whole subnet has to be sent instead. We have a partner company who has very many VPN tunnels set up, and they couldn't accept our entire 10.0.10.0/24 subnet over the Site to Site VPN because they have other clients within that same private subnet range. After learning this, I had to get creative, and that's why I'm here. We have some Cisco ASA 5505 devices laying around. Is there a way to have that VPN connection terminate on the ASA with an internal subnet of 10.0.5.0/24 and route the traffic from the VPN tunnel to the Meraki MX84? How can I get the traffic destined for the partner company's network to then route from the MX84 to the ASA and out of the ASA VPN tunnel? The ASA will have its own public IP address as well.

Any help would be appreciated!



Configuring APIC into ACI

I've run the setup for the first APIC into the Fabric and that worked.

I set the cluster size to 3 for 3 servers and selected controller ID 1 for the first one.

I do the same config (except for controller 2), but it didn't ask me for the admin password to change it; after the IP info it went straight to the login prompt and I can't log in with the admin user I made.



Low cost console servers

Hi r/networking

I work for an SMB, and I’m looking for some low cost ways to add some out of band access to my branch offices. Most all of them only have a router and 2 access switches. (Some have more, a few only have one).

I’m looking to add some OOB access to the console ports on the gear. Unfortunately I won’t be able to have a secondary internet connection, but I do have access to POTS lines at each site. My intention would be to use the primary internet circuit for console access to the switches, and if need be the POTS line for access to the router’s console. I do see there is a lot of these devices that offer LTE, but I’m not sure that it’s something I could swing management on at this time, but the option to add it later would be nice.

Does anyone have any recommendations in this space? As always cost is a big constraint, but on the flip side, I didn’t want to go try to find a low cost product and end up regretting it later either.



What is the cheapest WiFi router that could support Radius MAC Authentication and Accounting?

I'm looking for users to avoid entering username/password and also to measure the data usage for each user on their devices.



Best Campus VLAN Theory?

Just curious on folks' thoughts about a multi-building environment... Do you enable routing at each building and have a VLAN mostly for that building, with a route to a core router? Or do you all layer-2 the entire thing and just segment stuff by type (i.e. cameras, staff computers, door controllers, etc.)?

I've always done the former, but with the reality of IoT I'm wondering if it's any better or worse than just doing it all layer-2.



Fiber ONT questions

So i was curious about our newly installed Fiber ONT box.

We just had Centurylink out to install a brand new fiber 1g/1g connection and they installed this Calix 716GE-I Fiber ONT switch. Then they media converted the Ethernet to fiber to our switch.

Do they make a Fiber ONT that has fiber in and fiber out? They also used Cat5E for the media converters.....

https://imgur.com/dY2Ha8e



How to convince system guys that you dont have to span vlan everywhere?

Hi everyone, I'm a long time reader here but I'm never posting anything because I'm not very good with English. Sorry about that first.

I just changed my job (about a month ago) and am now responsible for designing, implementing, and operating the network part of a new data center and campus network project for the government sector.

The problem is I can't convince the server guys here not to span VLANs everywhere from the data center to the campus part. I tried to explain why L3 is better and easier to manage, but they told me they already have too many VLANs (they have less than 50) and managing the hybrid-mode next-gen firewall is easy enough because of the GUI.

And last time we spoke, they want to span vlan from switches to NSX domain. They told me I dont have anything to concern because NSX is their job. How do you guys approach this situations or am I wrong that I want to segment the network at layer 3?

Thank you.



Best upgrade path for ASA 5512X HA pair from 9.4.4 to 9.8.2

Currently running an ASA 5512X HA pair on 9.4(4)16, want to upgrade to the latest recommended release, 9.8(2)33. Would prefer to do a zero downtime upgrade as business runs 24-hours so out of hours is not really possible.

From my knowledge I have a few options:

  1. Upgrade from 9.4(4)16 > 9.4(4)33 > 9.5(3)9 > 9.6(4)8 > 9.7(1)4 > 9.8(2)33 over the course of 5 days, one upgrade per day (zero downtime).

  2. Upgrade from 9.4(4)16 > 9.4(4)33 > 9.5(3)9 > 9.6(4)8 > 9.7(1)4 > 9.8(2)33 in one session (zero downtime).

  3. Upgrade from 9.4(4)16 > 9.4(4)33 > 9.8(2)33 (downtime).

Option 3 is not preferred due to downtime. I prefer option 2 as it will be quicker and the risk is the same as option 1, but CAB is concerned about the "big bang" approach and would prefer a step-by-step upgrade path.

Firstly, are all the upgrade paths correct? I believe they follow Cisco's guidelines. Secondly, which option would you choose and why (pros/cons)?



Anyone using SFP+ 10GBASE-T on DELL EMC VNXe SAN?

I don't think it's considered a supported solution, but I know the people on this sub are resourceful. Has anyone connected an EMC VNXe SAN to 10G Copper using SFP+ modules. I know they support Twinax cables, but have a situation where we'd like to use an SFP+ 10GBASE-T to connect to a Cat6 patch cable.



GLBP equivalent / non-cisco proprietary protocol

I'm working on a project and I was wondering if I could find routers with a non-proprietary protocol which work like GLBP.

Here is the diagram.

I understand that now most of the routers come with VRRP but I've had hard times finding routers that have VRRP and load balancing services.

I'm looking for any idea which would avoid the excessive Cisco pricing.

EDIT R1 and R2 are gateways



How to put two destinations in one monitor-session?

I am using Cisco ASR9000 series and I need to put two destination interfaces on this. Any alternative to it?



calculating correct burst values?

I'm studying the CCNP SP track.

In the study guide for the Core exam I am going over token bucket policing it states:

When you define custom burst sizes, for optimum performance use this formula to determine the burst value:

Bc = CIR (bps) * (1 byte / 8 bits) * 1.5 seconds

There are also posts on the Cisco Support forums saying similar things.

https://learningnetwork.cisco.com/thread/53215

What I don't understand is the purpose of the 1.5 seconds and where it comes from, because at first it seemed to me that the Bc would exceed the actual interface speed.
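As an added example (not from the study guide or the original post), the simulation below implements a single-rate token bucket policer and applies the guide's formula for Bc. It does not justify the 1.5 s factor, which is the guide's own guidance; what it shows is what that figure means in practice: Bc is a bucket depth in bytes (1.5 s worth of traffic at CIR), not a rate, so it cannot "exceed the interface speed". A line-rate burst larger than Bc is policed after Bc bytes, a stream at exactly CIR always conforms, and an idle period refills the bucket. The CIR and packet train are constructed values.

```python
def recommended_bc(cir_bps: int, seconds: float = 1.5) -> int:
    """Bc in bytes from the guide's formula: CIR (bit/s) * (1 byte / 8 bit) * seconds."""
    return int(cir_bps / 8 * seconds)


class SingleRatePolicer:
    """Single-rate, single-bucket token bucket policer.

    Tokens are bytes. The bucket refills continuously at CIR and is capped at
    Bc; a packet conforms if its size fits in the bucket at its arrival time.
    """

    def __init__(self, cir_bps: int, bc_bytes: int):
        self.cir_bytes_per_s = cir_bps / 8
        self.bc_bytes = bc_bytes
        self.tokens = float(bc_bytes)  # bucket starts full
        self.last_t = 0.0

    def offer(self, t: float, size: int) -> str:
        # Credit tokens for the time elapsed since the previous packet, capped at Bc
        refill = (t - self.last_t) * self.cir_bytes_per_s
        self.tokens = min(self.bc_bytes, self.tokens + refill)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"


def police(cir_bps: int, bc_bytes: int, packets) -> list:
    """packets: iterable of (arrival_time_s, size_bytes) with non-decreasing times.
    Returns the per-packet verdicts in order."""
    policer = SingleRatePolicer(cir_bps, bc_bytes)
    return [policer.offer(t, size) for t, size in packets]


if __name__ == "__main__":
    cir = 1_000_000                      # constructed: 1 Mbit/s CIR
    bc = recommended_bc(cir)             # 187500 bytes = 1.5 s at CIR
    # Constructed traffic: 130 x 1500 B arriving at line rate (effectively t=0,
    # 195 kB total), then a single packet two seconds later.
    burst = [(0.0, 1500)] * 130 + [(2.0, 1500)]
    verdicts = police(cir, bc, burst)
    print(f"Bc={bc} B, conform={verdicts.count('conform')}, exceed={verdicts.count('exceed')}")
```

With these numbers the first 125 packets (exactly 187500 bytes) conform, the next five exceed, and the packet at t=2.0 conforms again because the bucket has refilled; a train of 1500-byte packets every 12 ms (precisely 1 Mbit/s) never exceeds.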



Tuesday, May 15, 2018

Cisco AnyConnect VPN vs. Windows 10 Always-On VPN

We're currently a Cisco shop utilizing the AnyConnect SSL VPN client and it's been great for many years. We're expanding our VPN to be 'always-on' and automatically connect whenever a machine is off the corporate network.

Can anyone provide any input comparing/contrasting Cisco's AnyConnect with Always-On vs. Microsoft's newer Always-On VPN (Not Direct Access)?



stock firmware Linksys 1900ac switched to openwrt..

Yesterday electricity went off in the neighbourhood, and after getting it back I wasn't able to connect back to my Linksys 1900. Today I finally decided to look into it and upon connecting via HTTP I was greeted by the unfamiliar interface of OpenWrt Chaos Calmer 15.05.1. Just in case, I did the back-button factory reset, yet the OpenWrt remained.

Any idea what happened? I assumed perhaps I was hacked and the router got its firmware flashed or whatever, but that seems too complex... Any insights please?



VPN Login Failures

https://ift.tt/2wE6pKO

ARP time outs on 2960x - troubleshooting.

I'm experiencing a strange issue. Some devices on a specific VLAN drop off after a period of time for no apparent reason. The server won't see the device until you SSH into one of the MDF switches, ping the culprit, and it brings it back online. There's only a few things I can think of - either the device isn't smart enough to bring itself back online after the dead timer, or there's a bug in the code on the switches I'm using. Has anyone ever ran into this issue?



Cisco Nexus 3K C3048TP SFP+ transceivers...

Hey all - I have a Nexus 3k 3048 that I am trying to use the 10GbE interfaces (1/49-1/52) on. I picked up "Cisco compatible" transceivers from fs.com and although they've been helpful so far, they're still not working. I am running NX-OS 7.0(3)I4(7) with no other issues. The transceivers show up when I do "show inventory all":

NAME: Ethernet1/49, DESCR: Fiberstore

PID: 10Gbase-SR , VID: SFP-10GSR-85 , SN: D87B1426211

NAME: Ethernet1/50, DESCR: Fiberstore

PID: 10Gbase-SR , VID: SFP-10GSR-85 , SN: D87B1426210

NAME: Ethernet1/51, DESCR: Fiberstore

PID: 10Gbase-SR , VID: SFP-10GSR-85 , SN: D87B1426212

However, when I show the interface status I see:

Eth1/49 KCLOUD1ESX1 10GbE notconnec trunk full 10G 10Gbase-SR

Eth1/50 KCLOUD1ESX2 10GbE notconnec trunk full 10G 10Gbase-SR

Eth1/51 DESKTOP 10GbE notconnec 1 full 10G 10Gbase-SR

I have forced the speed to 10000 and full duplex but cannot get the interfaces to come up. On the other end of the interfaces are ESXi hosts using Mellanox ConnectX NICs with Finisar transceivers which work no problem going into a Dell PowerConnect 5548 (with Finisar transceivers). The FS.com part that I ordered is this one https://www.fs.com/products/11552.html . I tried to run a command about unsupported transceivers disable or similar, but no real change - port still won't come up. Also tried auto negotiate/force negotiate on the ESXi side as well.

Any thoughts?



Alternatives to Cisco Umbrella?

Apologies if this is the wrong place, but I'm doing some homework and looking for some input.

We've been using Cisco Umbrella (the paid version of OpenDNS), and our contract is coming up. We're looking to explore what options are out there, in the basis of cost, ease of use, and functionality/speed.

Does anyone out here have any suggestions or recommendations for any of these products that we can look into?



40G multimode module with LC-connectors - impossible match?

Most 40G multimode modules out there use MTP/MPO as the physical connector for obvious reasons (because a 40G SR4 signal is actually a 4x10G signal and multimode cables are usually a bad choice if you want to wavelength multiplex stuff).

This means that if you need to go to a different rack in the DC and there are only LC patch panels available, you will need to use an MTP/MPO to LC patch cable which will "eat" 4 pairs of LC at this patch panel.

Looking at fs.com (and other vendors for that matter), are there any 40GBASE-SR4 optics that can use a single multimode cable (pair) with LC connectors?

Or well, it doesn't have to be SR4 on the fiber end of the module, just that it will identify as such to the device the QSFP+ is fitted into, and the cable (patch panel) I have available is multimode LC.

If I had the choice to use singlemode cables then this wouldn't have been an issue, obviously...

Or am I missing something here?



RADIUS Issue (Windows NPS with Single DSL connection)

Hi all, encountering a strange problem at the moment.

A typical site for us has a leased line with DSL backup. Certain sites only have DSL while we wait for digging to be done.

On a DSL only site, I cannot get RADIUS to work with our Meraki WiFi. If I enter valid AD credentials, the request never seems to hit the server and the connection fails.

If I enter some random characters then the request connects to the server but fails due to the fact it’s not a valid account.

As above, this is only on a Single DSL connection. It works perfectly on a Leased Line. My initial thoughts were MTU but I’ve had this changed by the ISP to no avail.

Any feedback would be greatly appreciated!



Managed wireless services

I'm a 31 year old Network Engineer with 7 years experience at a University with mostly a Route/Switch and Firewall background but I have working knowledge of wireless as well.

I've just been offered a position at a regional ISP as a Network Engineer in their Managed Services group. I would be managing their wireless services that they sell to customers, such as apartment buildings, dorms, businesses, etc.

Having never worked in wireless day to day or at an MSP, I'm looking for opinions of those who have... or any advice/comments in general really. This is a fairly new offering from the ISP (2 years?) so one of my concerns is that my responsibilities aren't as clearly laid out as I would like. I tried to get an idea from the interviewer (would be my direct supervisor) about how responsibilities would be shared between Engineers and Field Techs. He gave me a general idea but I think I'm going to need to press for a more concrete idea of what it entails. Then again, responsibilities weren't clearly laid out when I took my current job at the University either, but I was also just breaking into the industry at that time so it was a step up regardless. They currently have one other Engineer managing the wireless. I did not get a chance to meet him but that is another thing on my list.

I do have an acquaintance that I connected with on LinkedIn who used to work at this ISP and spent 17 years there and was happy there. He only left because he got an offer he couldn't refuse. By his account, my would-be manager is "pretty easy to work with". The culture of the company seems great. The University I currently work at does purchase bandwidth from this ISP and we are generally happy with their services. I also have their services at my home and am quite happy.

I would be receiving a 40% raise + 7.5% bonus. They actually beat my desired salary by 5% on the first offer, which still has my mind blown. I'm "over the moon" at the financial offer and I have always wanted to work at an ISP at some point in my career. I always wanted to work at a University too and I've done that now, so I feel like I should move on.

If I were to take the position, I would like to someday transition from the Managed Services group over to the Core Networking group doing Route/Switch, at least that's my thoughts today. Maybe I'll be happy with wireless and stay there, who knows. Within a ISP, is it difficult to move from the Managed Services group to the IT/Core Networking group? Depends on the company, I know.

With my current position here at the University, raises are flat, we have gotten 1% total over the last 3 years. I have this network running like a well oiled machine and am not reaping the rewards from it. I suspect we will get a menial 3-5% next year which doesn't make up for the goose eggs before. Potential for raises is definitely better at the new position as well. My University position does have a very laid back environment though and of course, the job security is there.

Any advice is appreciated.



VTP with Nexus 7k core switches

Hey, only asking here after having googled around and not finding what I'm looking for.

Just a general design question, how is VTP typically setup when you have two Nexus 7k switches with a vpc peer link as your core switches? (In this case also a collapsed core)

I'm most familiar with a stack of switches acting as the core (and primary VTP server) and all downstream switches being clients. With two Nexus 7k switches, they don't operate in unison like a pair of stacked 3850s.

Is one node typically assigned Server and the other Client or Transparent? Is VTP server handled by another device in the network in this situation?



Localhost being Forwarded

I'm on a server running apache tomcat with no knowledge of how it was actually configured. If when I enter localhost in the address bar it forwards me to a xxx.yyyy.com webpage, would it be safe to assume that was just the name of the website being hosted on that machine or is it possible to forward localhost to an external DNS?

The hosts file is not altered.



10 Tips for Building a Failsafe SD-WAN Network

I just came across this free eBook on Talari's website that has some great tips for optimizing your business' SD-WAN network: https://www.talari.com/white_paper/10-tips-for-building-a-failsafe-network/



MPLS-TE Advice Needed

I am working on designing an MPLS network for an enterprise customer. It will be used for L3VPN and L2VPN. They are wanting more control over path decisions than what the IGP provides. I have read some docs, watched some Cisco Live videos, etc. and there are lots of options to consider. Relative to other SP networks, this is a very small network (10 PE routers).

I need a little help understanding what people are actually deploying with success, and what features should I stay away from? Or maybe some of these are overkill for the size of the network, like auto-tunnel mesh groups.

Features I'm considering using:

  1. Auto-tunnel mesh groups
  2. Auto-bandwidth
  3. Per-service tunnel selection using service path preference
  4. FRR with link or node protection
  5. Use TE metric to route based on latency instead of other factors

Requirements:

  1. Different traffic types (within a VRF) can take different paths based on policy (i.e. - replication traffic, voice, normal data)
  2. Keeping traffic intra-continent unless there is no on-continent path available.
  3. Very fast failure detection and re-convergence.


Old enough to drink

/u/thesauceinator recently reminded me of this post where I shared with you all the story of an amazing little router that had over 20 years of continuous uptime. Well, it's been yet another year and said router is now officially old enough to drink. I shall accept your gifts of Scotch on its behalf should you feel so inclined. Happy belated birthday, good ole orl-sn2.



DNS server on localhost

Hello! I am currently learning networking, and I am testing BIND. My setup is that there are two computers, one is the DNS server (A), and another that connects to it (B). I configure it so it uses (A) as its DNS server. So far this works. However, if I use the computer hosting the DNS server, and configure it to use itself, it wouldn't resolve and says "unknown host".

What am I doing wrong?



Cisco to Ruckus Wireless Review

We are looking for any feedback from anyone who has migrated off Cisco to Ruckus gear. Having a tough time finding a reference that has done this.

Our current layout is a 5520 controller and a mix of 1142 and 3602 APs running FlexConnect.

Ruckus has scoped out Virtual Smartzone controller and R710 AP's. They are selling us on the idea of needing half as many AP's as a Cisco deployment.



Need to break out 1 QSFP28 port into 4 x 10Gb ports on a Cisco N3K (C36180YC-R)

Hello:

I have a C36180YC-R that's going to use 4 of its QSFP28 ports for the vPC peer link. I'd like to break out the remaining two QSFP28 ports into 4 x 10G ports. Questions below.

  • Can I break out only two ports? If this is not possible, I have to scrap this approach.
  • If yes, what do I plug into the QSFP28 ports to break them out? I haven't seen official Cisco documentation indicating what is allowed (for example, a QSFP+ breakout cable or something like that).


TCP Port Security Best Practices

Hey guys,

I'm working on a pet project of mine, looking for some help determining my approach.

We have an app that was developed in-house for use with some of our remote locations. Currently we host application servers at each remote location which are then replicated to a central DB. I'm in the process of learning AWS more in-depth, and thought it would be a good opportunity to try and centralize/streamline this app a little bit.

My question is with regards to port security: the app requires two TCP ports be open to allow it to transmit. I can change the ports, but two need to remain open. What is the best way for me to control/restrict traffic across these ports to only this application?
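An added example, not from the original post: since the remote locations are fixed sites, the first control on two exposed TCP ports in AWS is a security group that admits them only from those sites' egress prefixes. The audit below walks ingress rules in the shape boto3 returns for a security group's `IpPermissions` (`IpProtocol`, `FromPort`, `ToPort`, `IpRanges[].CidrIp`) and flags any rule that exposes an application port to a source outside the allowed prefixes, and it builds the tightened replacement rules. The port numbers, site prefixes and sample rules are hypothetical and constructed inline so it runs offline; nothing here calls AWS.

```python
from ipaddress import ip_network

# Hypothetical values for illustration (not from the post): the two application
# ports and the public prefixes the remote locations egress from.
APP_PORTS = {7001, 7002}
REMOTE_SITE_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed ingress rules in the IpPermissions shape described in the lead-in.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 7001, "ToPort": 7002,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # open to the world: finding
    {"IpProtocol": "tcp", "FromPort": 7001, "ToPort": 7002,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},      # one site only: fine
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # not an app port: out of scope here
]


def _port_range(perm: dict):
    """Port span a rule covers; an IpProtocol of "-1" means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_ingress(ip_permissions, app_ports, allowed_cidrs) -> list:
    """One finding per IPv4 source range that exposes an app port beyond the
    allowed site prefixes. An empty list means the app ports are reachable only
    from those prefixes."""
    allowed = [ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in ip_permissions:
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        lo, hi = _port_range(perm)
        exposed = sorted(p for p in app_ports if lo <= p <= hi)
        if not exposed:
            continue
        for rng in perm.get("IpRanges", []):
            src = ip_network(rng["CidrIp"])
            # A source is acceptable only if it sits entirely inside an allowed prefix
            if not any(src.subnet_of(a) for a in allowed):
                findings.append(f"ports {exposed} reachable from {src}")
    return findings


def restricted_rules(app_ports, allowed_cidrs) -> list:
    """Replacement ingress: one TCP rule per app port, limited to the allowed
    prefixes, in the same IpPermissions shape."""
    return [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "IpRanges": [{"CidrIp": c} for c in allowed_cidrs]}
        for p in sorted(app_ports)
    ]


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_INGRESS, APP_PORTS, REMOTE_SITE_CIDRS):
        print("FINDING:", finding)
    fixed = restricted_rules(APP_PORTS, REMOTE_SITE_CIDRS)
    print("tightened rules clean:", audit_ingress(fixed, APP_PORTS, REMOTE_SITE_CIDRS) == [])
```

A source-prefix restriction limits who can reach the ports; it does not authenticate the application, so the listener should still require TLS with client certificates or application-level auth, and sites with dynamic addresses are better brought in over a site-to-site VPN than by widening the prefix list.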

Thanks in advance!



"Anycast" NetFlow

Hello Redditors,

Lately I've been thinking about an idea to provide HA to our Netflow setup without adding more work to routers/switches, basically I want to anycast the netflow collectors, our setup has two things:

  • Elasticsearch Cluster
  • ElastiFlow machines (the actual collectors)

Basically what I want to do is to make the ElastiFlow machines publish via BGP or OSPF the same /32 IP; this way NetFlow traffic gets routed to the nearest NetFlow collector, and in case there's an issue, it'll find and use another of the available collectors. This will make for some load balancing of the NetFlow traffic so collectors don't get overloaded.

This way I also remove the need to have 2 feeds going to two (or more) different collectors in parallel per SW or Router, ElastiFlow doesn't do any analysis on its own, it's just there to collect flows and enrich the data (using Geo/ASN information for instance), the analysis of the data is done by other systems interacting directly with Elasticsearch.

Has anyone done this? do you see any possible issue here with my approach? thank you!



Monday, May 14, 2018

Quad Cisco WLC 8540s and HA

Looking to see if there is a way to get my four 8540s to HA together so if we have a site fail that has two of the controllers we can have the APs move to the 3rd or 4th box. I looked up and it seems that most WLCs require a direct redundancy link but it seems like there was a way to setup three boxes on the 5508s however I can not find a setup guide. Any help is appreciated.



High Ping Times Macbook Pro

Hi everyone, I'm just trying to figure out why my machine's ping is so much higher compared to windows machines on my network. My Macbook Pro 2017 is pinging my gateway at 32-61 ms.



Qos Queues on HPE 2920 series Switches

We are using 2920 series switches dedicated to iSCSI traffic (we use the 10Gb SFP+ uplinks for the traffic), e.g. J9728A. As the switches are dedicated to iSCSI and because there is only one IP subnet per physical switch, there is no need for VLANs. So all traffic is running over what is, in HPE parlance, the Default VLAN (ID 1). There are also no QoS rules configured because all of the iSCSI traffic is (in networking terms) equally urgent. Although the packet buffer on these switches is not huge when compared with some of the more upmarket alternatives, it is OK and seems decent enough for our iSCSI requirements.

However, as we are about to expand our storage using a second array, I wanted to take the opportunity to check about the QoS queues and see if it is possible to apply any tweaks for maximum potential performance. My understanding is that these 2920 switches can be configured to use 2, 4 or 8 QoS queues, and that the factory-default setting is 4.

First question: since the buffer size will remain constant, will reducing the number of queues increase the maximum depth of each queue? If I reconfigure the switches to use 2 queues instead of 4, will the available buffer resources be divided into halves instead of quarters? Or does it simply not work that way? I like the idea of deeper queues because presumably, all other things being equal, we are less likely to see packets dropped.

If it does work this way, then I have a second question: will modifying the number of queues actually make any difference when there are no QoS rules in place? Are these queues utilised with the switch in its factory-default state vis-à-vis QoS?

If it doesn't work this way, can anyone offer up some tips as to how it does work, and in what circumstances one would want to configure a higher or lower quantity of queues?



Router or antenna (ubi type)with hotspot mode by default

Hello to everyone, nice meeting you. Basically I know I can do this easily with DD-WRT, but since I need a hotspot with a splash and social media login page, I want a router or antenna that has a wireless hotspot mode by default. Due to price, because we are talking about 2 rooms, I want something simple (no MikroTiks etc).



Transitioning from a T1 to a VPN over the Internet GLBA compliant?

We have a bank customer who has a branch in an area where we can't get any point-to-point connections from local ISPs. I won't go into detail but basically, there is a conflict with a local exchange carrier so new connections are impossible to get and the old T1 product is going away. I am wondering if anyone has put in VPNs to transmit either virtual desktop rdp connections or actual customer information for GLBA compliant entities. If so, have you had to deal with Auditors having issues with that?



Cisco IOS switch (Allen-Bradley Stratix) pummeling vlan with ARP traffic for **my** computer's IP, dest MAC is all 0s. why?

I have a switch with a management SVI on the same VLAN as one of my workstations. I noticed today while pcapping something unrelated that the switch is just hammering the VLAN with ARP traffic for my workstation's IP: https://i.imgur.com/T5ztqfi.png

Just some clarification on the switch: it isn't a Cisco-branded switch, but rather an Allen-Bradley Stratix switch running Cisco IOS. For anyone unfamiliar, it behaves just like a Cisco switch from the CLI.

The destination MAC is all 0s. As I understand it this is used for gratuitous ARP, but these packets don't appear to be GARP. My computer is replying with its MAC and the ARP

I've checked the config on the switch and there are no references to my IP that it's ARPing for. I've also tried issuing the no ip proxy-arp command on the SVI but it's made no difference. This switch is strictly doing L2 and the devices connected to it aren't experiencing any problems.

I've just consoled into the switch and shut the SVI sending the ARPs, but they're still being sent... I confirmed it's the same MAC too.

Has anyone ever seen this before and/or have any advice? I'd love to just reboot the switch, but unfortunately I don't know when I'll get a maintenance window to do so.



Best swag item from a network vendor?

What cool stuff have you gotten from networking vendors? I’m thinking about two categories:

1) Totally free stuff, like a trade show give-away. T-shirts, pens, notebooks, socks(!), novelty items, etc.

2) Nicer stuff, as a “thank you” from a sales rep, or trade show raffle. I’ve seen polo shirts, Marmot jackets, Bose headphones, R/C drones, etc.



Could Radius server measure how much data a device used from some specific WiFi routers?

Assuming I have many APs connected to a single FreeRADIUS server, can we measure how much data a device, say a smartphone, consumes from specific APs, assuming the device moves from AP to AP?



NOC Monitoring Setup

How are people setting up their monitoring systems in NOC rooms? We don't have a large team, but we are growing, and it's about time we throw some TVs in our working areas with monitoring systems casting live information.

I don't know where to start except for configuring a PC with multiple video outputs and having someone log in each morning and then log in to each system. What are recommended hardware/software setups that make NOC monitoring easy and efficient?



Only person at my school with internet access-

-- internet's been down all day at the school but I managed to circumvent it. I connected to my mobile data and established a connection to my OpenVPN server. Then I went over to the school wifi and turned off the data, and when I do that the tunnel still works. Any idea why this happens? I think there might be some kind of ISP routing issue I'm circumventing.



In the event of power failure, can POE be automatically turned off?

C3850 switches and mixed APC ups

I'm not comfortable with how overloaded our UPSes are. My personal threshold for mandatory upgrade on most things is 70% and we are close to that.

Our battery backup requirement is that users need to be able to save to the cloud and then gtfo.

When the UPS activates I'd like the following commands to run:

    conf t
    interface range giX/0/Y - A/0/B
    no power inline
    end

This should vastly increase my uptime at no cost to my department! If they don't reload and I forget to turn PoE back on, no big deal. Out of hundreds, only a few employees will stay and more than likely they will be VIP enough to have my cell number.

Thanks in advance! This will get me positive recognition at work <3
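The procedure above, scripted, as an added example that is not part of the post: it builds the `interface range` / `no power inline` lines for a stack member's port block while splitting the range around ports that must keep power (the hypothetical `keep` list, e.g. the few phones that stay up), and the same builder produces the `power inline auto` lines for restoring service. Pushing the lines uses netmiko's `ConnectHandler` and `send_config_set` (assumed installed; `send_config_set` wraps the lines in `conf t` / `end` itself); the hostnames and credentials are placeholders.

```python
import re

# Matches names like gi1/0/24 or GigabitEthernet2/0/1 (prefix, stack, module, port).
INTERFACE_RE = re.compile(r"^([A-Za-z]+)(\d+)/(\d+)/(\d+)$")


def _split(name):
    m = INTERFACE_RE.match(name)
    if not m:
        raise ValueError(f"unsupported interface name: {name}")
    prefix, stack, module, port = m.groups()
    return prefix, int(stack), int(module), int(port)


def poe_commands(first, last, keep=(), action="no power inline"):
    """Config lines applying `action` to every port from `first` to `last`
    (same stack member and module), skipping any port listed in `keep`.
    Exclusions split the block so one 'interface range' never touches them."""
    prefix, stack, module, lo = _split(first)
    if _split(last)[:3] != (prefix, stack, module) or _split(last)[3] < lo:
        raise ValueError("first/last must be on the same stack member and module")
    hi = _split(last)[3]
    keep_ports = {_split(k)[3] for k in keep if _split(k)[:3] == (prefix, stack, module)}
    base = f"{prefix}{stack}/{module}/"
    commands, start = [], None
    for port in range(lo, hi + 2):  # hi + 1 is a sentinel that closes the last run
        if port <= hi and port not in keep_ports:
            if start is None:
                start = port
        elif start is not None:
            rng = f"{base}{start}" if start == port - 1 else f"{base}{start} - {port - 1}"
            commands += [f"interface range {rng}", f" {action}"]
            start = None
    return commands


def apply_poe(host, username, password, first, last, keep=(), restore=False):
    """Push the generated lines over SSH with netmiko (hypothetical wrapper;
    called by whatever the UPS software runs on its on-battery / on-line events)."""
    from netmiko import ConnectHandler  # assumed installed, real API
    action = "power inline auto" if restore else "no power inline"
    cmds = poe_commands(first, last, keep, action)
    conn = ConnectHandler(device_type="cisco_ios", host=host,
                          username=username, password=password)
    try:
        return conn.send_config_set(cmds)  # netmiko adds 'conf t' and 'end'
    finally:
        conn.disconnect()


if __name__ == "__main__":
    # Dry run on constructed values: 48-port member, keep two phone ports powered.
    for line in poe_commands("gi1/0/1", "gi1/0/48", keep=["gi1/0/5", "gi1/0/20"]):
        print(line)
```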



How to use pfSense for cloud plumbing (detecting new instances) in an AWS VPC

Hi all,

I created a VPC inside AWS and I have put pfSense as a software router inside it. I get that normally (outside the AWS environment) pfSense works with the DNS and DHCP protocols when it detects a new machine inside the subnet, to give and get the IP address of that new machine.

Instead, in AWS the DHCP is done automatically by Amazon. So my question is: how can pfSense detect a new instance inside a VPC?

Thanks very much for your answers!



Cisco Aironet 1815I Mobility Express Multiple SSID not working

Hello

I want to have two SSIDs for our network, one for our users and one for our guests. I've set it up so that one AP is for the users VLAN and one is for the guests VLAN, on the switch running on trunk ports. I also put each AP in its own AP Group in the GUI so that the APs will only broadcast their own SSIDs.

Here is where I am experiencing problems: with one SSID I can connect and get an address no problem. But when I create the next SSID for our guests, sometimes I can connect to it and won't get an address, sometimes I get an address, and sometimes I can't connect to that specific SSID at all. After a reboot of that AP I could however connect, but why does this problem occur and how do I fix it?

I have two Cisco Aironet 1815I APs connected to a 2960 switch. Running the latest version available from Cisco.



Upgrade path from ASR1K series of routers for 40Gb/100Gb

Looking at potential upgrades when going from the ASR1K (specifically the ASR1002+). Starting to get close to the 10Gb bandwidth limitation and the route limitation of the ASR1K so wanted to look at what the natural upgrade would be for Cisco.

Looks like there are two choices:
ASR9001
ASR9006

The ASR9001 is much cheaper but it only supports 1 x 40Gb interface.

The ASR9006 has way more throughput and supports lots of 100Gb but it doesn't look like it supports 40Gb ports? Then of course there is the huge price difference.

Any thoughts on either of these? The ASR9001 seems almost like an interim upgrade, but the ASR9006, although way more 'future proof', is VERY expensive due to having to jump in at the 100Gb port mark.

Thanks



Seemingly Random Network Deaths on an Industrial Single Board Computer

Not sure if this is the right place to ask but I'm at my wits end.

We have a device running Windows XP Embedded SP3 on a Single Board Computer (SBC) which randomly maybe once a week just half-heartedly drops off the network. The network is pretty simple it's just 5 or 6 devices connected via an unmanaged switch on a 192.168.1.0/24 subnet with no other connectivity. When this happens everything else on the network still works but just can't talk to the SBC.

When it dies I can still see broadcast traffic leaving the interface (NBNS mostly) but all active connections die and I can't see Windows logging anything to the event log to explain why. When it goes down running 'arp -a' at the command line shows no MAC entries. Tracing the ARPs in Wireshark from another device on the network shows the SBC sending ARPs and other devices responding to them but nothing happens on the SBC and nothing gets added to its ARP table. If we try to open a TCP connection to another device we can see the ARP go out, a reply come back but then no handshake, nothing.

Fixing it temporarily is as simple as disabling the ethernet adapter and enabling it again. It's happening on most of the SBCs we have of the same model but we can't recreate it because it's so sporadic. I'm leaning towards a driver issue, but we've reached out to the manufacturer and so far they've got nothing, and I have no idea how to go about troubleshooting it any further.



Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.



Dismantled VPC - ports not coming up - any workarounds apart from disabling VPC on the port channel?

We are in the process of splitting our VPC in half.

It was 2 x 5K and now there is 1 x 5K. The 5K still thinks it is part of a VPC, because we haven't converted it back to Spanning Tree (yet).

Are there any commands to bring up individual ports, so it ignores the consistency-check on that port, or do I need to disable vpc 120 on portchannel120 to get these ports working? This takes the entire FEX down for approx 80 seconds (in testing).

VPC status on 5k:

    5k-1# show vpc
    Legend:
                    (*) - local vPC is down, forwarding via vPC peer-link

    vPC domain id                     : 1
    Peer status                       : peer link is down
    vPC keep-alive status             : peer is not reachable through peer-keepalive

Example of a connected FEX port channel:

    interface port-channel120
      switchport mode fex-fabric
      fex associate 120
      vpc 120

Trying to bring up a new port is coming up as below:

    5k-1# show int e120/1/18
    Ethernet120/1/18 is down (vpc peerlink is down)

Because:

    5k-1# show vpc consistency-parameters interface e120/1/18

        Legend:
            Type 1 : vPC will be suspended in case of mismatch

    Name                        Type  Local Value             Peer Value
    -------------               ----  ----------------------  -----------------------
    Speed                       1     10 Gb/s                 -
    Duplex                      1     full                    -
    Port Mode                   1     access                  -
    MTU                         1     1500                    -
    Admin port mode             1     -
    Shut Lan                    1     No                      -
    Allowed VLANs               -     1
    Local suspended VLANs       -     -                       -


Help me clear out some confusion about OSPF config

So when I learned about OSPF during my internship, I learned that it was best practice to configure it on a specific interface using 0.0.0.0 as the wildcard bits, rather than configuring it on a whole network. However, when I got back to class, the teacher said that we should calculate and use the reverse mask (for example, if your network is a /30, your wildcard bits would be 0.0.0.3), so I'm confused... what is the best practice when configuring routing protocols that use these wildcard bits?
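An added example (not from the post) that shows what each style of `network` statement actually does: IOS compares only the address bits where the wildcard bit is 0, so the per-interface form (`0.0.0.0`) matches exactly one address, the inverse-mask form (`0.0.0.3` for a /30) matches the whole subnet, and a loose wildcard can silently enable OSPF on an interface you never meant to run it on, such as a provider-facing one. The interface table is constructed for the example.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefixlen):
    """Inverse (wildcard) mask for a prefix length: /30 -> 0.0.0.3, /24 -> 0.0.0.255."""
    mask = (ALL_ONES << (32 - prefixlen)) & ALL_ONES
    return str(ipaddress.IPv4Address(mask ^ ALL_ONES))


def matches(network, wildcard, address):
    """True if `address` is covered by 'network <network> <wildcard>'.
    A 1 bit in the wildcard means 'don't care'; only the 0 bits must be equal."""
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(address))
    care = ~w & ALL_ONES
    return (n & care) == (a & care)


def ospf_enabled_interfaces(network_statements, interfaces):
    """Names of the interfaces that the given (network, wildcard) statements
    would put into the OSPF process, given {name: 'a.b.c.d/len'}."""
    enabled = set()
    for name, cidr in interfaces.items():
        address = cidr.split("/")[0]
        if any(matches(net, wc, address) for net, wc in network_statements):
            enabled.add(name)
    return sorted(enabled)


# Constructed router: a /30 to a neighbour, a LAN and an ISP-facing interface.
INTERFACES = {
    "Gi0/0": "10.0.0.1/30",        # point-to-point link to the other OSPF router
    "Gi0/1": "10.0.1.1/24",        # internal LAN
    "Gi0/2": "203.0.113.10/29",    # ISP-facing: should never speak OSPF
}

# Interface-specific: only the one address matches.
PER_INTERFACE = [("10.0.0.1", "0.0.0.0")]
# Inverse mask of the /30: matches the whole link subnet.
PER_SUBNET = [("10.0.0.0", wildcard_from_prefix(30))]
# Loose wildcard: matches everything, including the ISP-facing port.
TOO_BROAD = [("0.0.0.0", "255.255.255.255")]

if __name__ == "__main__":
    for label, stmts in [("per-interface", PER_INTERFACE),
                         ("per-subnet", PER_SUBNET), ("too broad", TOO_BROAD)]:
        print(f"{label:14s} -> {ospf_enabled_interfaces(stmts, INTERFACES)}")
```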



Switch stack uplink connectivity best practice

I have some questions about uplink cabling from stacked switches to upstream devices. In this scenario the stack switches are Catalyst 9300s and the upstream devices are Nexus 7Ks in a VPC.

Say the requirement is to have 4x10G uplinks per stack. Each stack can be either 5, 6 or 7 switches. What is the best practice to distribute the uplinks per stack?

For the example I have created below (stack of 6 switches) I have the uplinks distributed across 4 switches, with two uplinks to N7K A and another two to N7K B, and master and slave set to the remaining two switches which do not have any uplinks. Would this be the best way?

https://imgur.com/a/kX7avp1



Sunday, May 13, 2018

Anyone used VXLAN outside of the data centre?

Every time I read up on VXLAN it always mentions data centres and nothing outside of it.

I just got a piece of work to do as part of a bigger project to provide layer 2 connectivity between two locations. At first I was looking at L2TPv3 but have had a number of issues setting it up; I then decided to use VXLAN since it's a simple point-to-point link, and it works a treat! All MAC addresses learned, can reach other layer 3 networks etc. So it got me thinking there are more use-case scenarios for VXLAN outside of the data centre.

To give you an idea of the set up I have done and tested.

Using Huawei AR routers, both routers connect to the MPLS network.

Created a VXLAN tunnel with IPSec for security between the routers and connected them to the access switches.

Do some pings between the sites and all is good.

Has anyone else done similar setups and if so any problems you've come across?



Cell Tower Connection Sharing

A bit of a shot in the dark, but I’m wondering if anyone has any experience with this.

We have a location that is pretty awful when it comes to business internet connectivity - the best (and really only) option is 100 Mbit Comcast Business.

However, we have a T-Mobile tower that leases our roof and a portion of an electrical closet. I’m not familiar with cell tower uplinks, but I am assuming they must have something pretty robust to provide good 4G service.

Has anyone ever approached a cell phone company about directly accessing their network in a situation like this? I don’t know if this is ever done, or who at T-Mobile you would even approach with a question like this.

Our facility manager handles the lease, but I think T-Mobile's presence predates our ownership of the building and so he is very hands-off on any technical aspects.



Where do you learn best practices?

I recently got a new job and realized that not everything I've learned is best practice, be it learned from Cisco or previous jobs. Even when I sit down to learn from various resources they rarely tell me what the best practices are for certain scenarios and such.



Printers/Cisco IP Phones VLANs

Is it best practice to put all printers/IP phones in a network in a separate VLAN? What are the advantages and disadvantages of doing so as opposed to, let's say, putting the printers/IP phones of the Accounting department in the Accounting VLAN?

Any help would be greatly appreciated. Thank you.



IPv6 with Cisco ISR 4331 and Comcast Business

Hey guys,

I have been struggling with this for the past week and need some advice.

Sorry, I am not at work and can't pull the configs at this moment, but I can post them Monday if needed.

So we recently moved offices and had to drop our Cogent dedicated fiber line and switch to using our backup internet as our primary (Comcast).

Now I don't know if you guys have much experience with Comcast but it's a nightmare; for me at least there is no way to put the Comcast modem in bridge mode, instead you need to use it as a gateway (which I don't know how they think a 500 MHz processor with even less RAM can handle anything more than 5-6 users, let alone a business/enterprise network).

I have had IPv4 working great and without issue for years now, and only recently decided to try and make a push for IPv6. Now Comcast has given me a /56 prefix, and in my experience with setting up IPv4 with them I had to set the default route / route of last resort to Comcast's public IPv4 address (different than the static IPs I was assigned).

For IPv6 it's a little weird. I have tried every setup I can think of, from assigning an IP to both Gi0/0/0 and Gi0/0/1 to leaving them link-local only. No matter the setup, ND + CEF can see all the neighbors and even set up the next hop on the WAN to the Comcast modem's link-local address; I can also ping the internet from the console on the ISR, but if I configure a ::/0 route then everything dies. Also, I can ping the router's link-local address from any computer within the LAN and I can ping the global addresses as well, just can't go past that point.

Any traceroutes or tracepaths always end at my routers LAN link-local.

Now I know my setup isn't that large, but my company is super cheap and I had to fight tooth and nail for the equipment I got, despite the fact that everything I have ordered has resolved all the pre-existing issues that came before me (massive packet drops, horrible latency issues, horrible wifi latency, etc).

Before I came, all they had was the Comcast modem & a Meraki MR18 for a minimum of 40-50 users and peaking at 70. I switched them to enterprise-grade equipment, minus a few business-class dumb switches, and now instead of no security, I have secured the shit out of it.

Another issue I am having is that the IDS I have created works great and does support DPI, but unfortunately none of my switches support mirroring and they are too cheap to drop the $200 to get something decent. I am exploring building a tap, but since you can't reliably tap gigabit+ lines without dropping some serious money (most tap designs I see max out at around 500 Mbit/s), I have no interest in bottlenecking the network. I also briefly explored building a pfSense router/firewall, but that really doesn't seem like a viable solution for our setup, and I was wondering if it was possible to enable spanning (port mirroring) on the Cisco ISR LAN port and output it to the management port, but I don't really have high expectations of that working as the Mgmt port is on its own special VLAN that cannot be changed.

Any help would be greatly appreciated on both the IPv6 issue and on how to do DPI locally without having to rely on cloudshark.

Thanks



iperf enhanced reports for UDP Latency

This is a pretty specific question, I hope no one minds. Given this is a very common tool, I thought I'd check with the gurus.

iperf 2.0.9+ supports additional information on UDP latency with the --enhancedreports or -e option.

Minimum example commands:

    [Server] iperf -s -u -e -i 1
    [Client] iperf -c 192.168.1.1 -u -e -i 1

This information appears on the target, i.e. server side of the test:

    ------------------------------------------------------------
    Server listening on UDP port 5001 with pid 5167
    Receiving 1470 byte datagrams
    UDP buffer size:  208 KByte (default)
    ------------------------------------------------------------
    [  3] local 192.168.1.1 port 5001 connected with 192.168.1.1 port 59592
    [ ID] Interval        Transfer     Bandwidth        Jitter   Lost/Total   Latency avg/min/max/stdev  PPS
    [  3] 0.00-1.00 sec   122 KBytes  1.00 Mbits/sec   0.063 ms    0/ 6254 (0%)  659.932/659.882/660.502/ 8.345 ms  6252 pps
    [  3] 1.00-2.00 sec   122 KBytes  1.00 Mbits/sec   0.020 ms    0/ 6250 (0%)  660.080/659.919/666.878/ 0.110 ms  6250 pps
    [  3] 2.00-3.00 sec   122 KBytes  1.00 Mbits/sec   0.020 ms    0/ 6250 (0%)  660.113/659.955/660.672/ 0.047 ms  6250 pps
    [  3] 3.00-4.00 sec   122 KBytes  1.00 Mbits/sec   0.022 ms    0/ 6250 (0%)  660.153/659.994/660.693/ 0.047 ms  6250 pps
    [  3] 4.00-5.00 sec   122 KBytes  1.00 Mbits/sec   0.021 ms    0/ 6250 (0%)  660.192/660.034/660.617/ 0.049 ms  6250 pps

I can find no documentation anywhere about the exact meaning of the Latency columns.

The values are also strange because,

  1. the default UDP bandwidth limit is 1 Mbit/s, which means the latency cannot be measured in hundreds of milliseconds (ms) on a normally functioning network, only lower
  2. the first set of digits, e.g. "659.", seems to increase monotonically, i.e. "659.", "660.", "661.", "662." as the test progresses
  3. those first sets of digits even keep increasing with subsequent tests! So, if it ended on "699.", then running the client command again to start a new test, the result will start from "700."

I even briefly checked the source code and it only mentions "transit time".

Note. I like iperf rather than iperf3 for UDP testing. It seems far more reliable, with no spurious packet loss under ideal test conditions or default packet and buffer size issues in older versions. It is just not as convenient as iperf3 because it does not traverse NAT with a single port combination if you test in both directions.



problem with dorm network

So I didn't know where to post this, but I have a problem with the network at my dorm.

Internet seems to work on the router when connected to LAN. But laptops and PCs show a triangle at the network icon and show no internet.

I already checked everything, LAN cable working. Then some PC techie said an asshole on the network doesn't know how to connect a LAN cable to a router. How can a badly connected LAN cable mess with the whole network? Also how can I fix this problem next time?



Question

https://i.imgur.com/DVWIZfw.png

Can someone explain why there's a spam of arp requests on my network?
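For this post and the Stratix post above, an added example (not from either poster) of how a defender would confirm an ARP request flood from a capture rather than eyeballing it: it takes tab-separated lines of the kind `tshark -T fields` emits (epoch time, eth.src, eth.dst, ARP sender IP, ARP target IP, opcode), groups requests by sender MAC and target IP, finds the peak request count in any one-second sliding window, and notes whether the frames were sent to an all-zero destination MAC, as described in the Stratix post, instead of the broadcast address. The capture lines here are constructed.

```python
from collections import defaultdict

ZERO_MAC = "00:00:00:00:00:00"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def constructed_capture():
    """Constructed sample: one device fires 40 ARP requests for the same IP
    inside one second, all to an all-zero destination MAC, plus normal traffic."""
    lines = []
    for i in range(40):
        lines.append(f"1526300000.{i * 25:03d}\t00:1d:9c:aa:bb:cc\t{ZERO_MAC}"
                     f"\t192.168.10.1\t192.168.10.50\t1")
    lines.append(f"1526300000.100\t3c:97:0e:11:22:33\t{BROADCAST_MAC}\t192.168.10.77\t192.168.10.1\t1")
    lines.append("1526300000.101\t00:1d:9c:aa:bb:cc\t3c:97:0e:11:22:33\t192.168.10.1\t192.168.10.77\t2")
    lines.append(f"1526300000.500\t3c:97:0e:11:22:33\t{BROADCAST_MAC}\t192.168.10.77\t192.168.10.50\t1")
    return "\n".join(lines)


def parse_arp_fields(text):
    """Parse 'epoch\\tsrc_mac\\tdst_mac\\tsender_ip\\ttarget_ip\\topcode' lines."""
    rows = []
    for line in text.strip().splitlines():
        t, src, dst, sender_ip, target_ip, opcode = line.split("\t")
        rows.append({"time": float(t), "src": src.lower(), "dst": dst.lower(),
                     "sender_ip": sender_ip, "target_ip": target_ip, "opcode": int(opcode)})
    return rows


def find_arp_floods(rows, threshold=10, window=1.0):
    """Flag (sender MAC, target IP) pairs whose ARP requests (opcode 1) exceed
    `threshold` inside any `window`-second sliding window."""
    by_pair = defaultdict(list)
    for r in rows:
        if r["opcode"] == 1:
            by_pair[(r["src"], r["target_ip"])].append(r)
    floods = []
    for (src, target_ip), reqs in by_pair.items():
        times = sorted(r["time"] for r in reqs)
        peak, j = 0, 0
        for i in range(len(times)):          # two-pointer sliding window
            while times[i] - times[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak > threshold:
            floods.append({
                "src": src, "target_ip": target_ip, "peak_per_window": peak,
                "zero_dst": all(r["dst"] == ZERO_MAC for r in reqs),
                "broadcast_dst": all(r["dst"] == BROADCAST_MAC for r in reqs),
            })
    return sorted(floods, key=lambda f: -f["peak_per_window"])


if __name__ == "__main__":
    for f in find_arp_floods(parse_arp_fields(constructed_capture())):
        print(f"{f['src']} asks for {f['target_ip']} up to {f['peak_per_window']}x/s "
              f"(all-zero dst MAC: {f['zero_dst']})")
```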



IP Route Aggregation

Hey all. Sorry if this isn't allowed but I'm stuck.

I’m in school currently and trying to figure out route aggregation.

I have the range 170.40.63.100 to 170.41.41.40 (no masks provided)

I understand how to get everything below in the green square. However once the mask starts increasing is where I get confused.

routes

I’ve looked in a bunch of places online but have yet to find an actual step by step.

Could anyone provide some insight into this for me?
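An added worked example (not from the post) that carries the range in the question through the standard step-by-step method: starting at the first address, take the largest CIDR block that is aligned there and does not run past the last address, then continue from the address after that block; the block sizes grow while the start address gains trailing zero bits and shrink again near the end, which is the point where the prefix lengths start increasing. It also computes the single (over-covering) summary route for the same range, and checks the result against Python's `ipaddress.summarize_address_range`.

```python
import ipaddress

MAX_BLOCK = 1 << 32


def summarize_range(first, last):
    """Minimal list of CIDR blocks that exactly cover first..last (inclusive)."""
    start, end = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("first address must not be after last")
    blocks = []
    while start <= end:
        # Largest block aligned at `start`: its size is start's lowest set bit.
        size = (start & -start) if start else MAX_BLOCK
        # Halve it until the block ends on or before `end`.
        while start + size - 1 > end:
            size >>= 1
        prefixlen = 33 - size.bit_length()            # size 4 -> /30, size 1 -> /32
        blocks.append(ipaddress.IPv4Network((start, prefixlen)))
        start += size
    return blocks


def single_summary(first, last):
    """One prefix covering the whole range: keep only the leading bits the two
    endpoints share (this over-covers unless the range is block-aligned)."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    differing_bits = (a ^ b).bit_length()
    prefixlen = 32 - differing_bits
    mask = ((1 << 32) - 1) ^ ((1 << differing_bits) - 1)
    return ipaddress.IPv4Network((a & mask, prefixlen))


def as_strings(first, last):
    return [str(n) for n in summarize_range(first, last)]


if __name__ == "__main__":
    # The range from the question; no masks were given so endpoints are taken as-is.
    first, last = "170.40.63.100", "170.41.41.40"
    for net in summarize_range(first, last):
        print(f"{str(net):20s} {net.num_addresses:>6} addresses")
    print("single summary:", single_summary(first, last))
```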



Redistributing internal OSPF into BGP

Hey guys, I was wondering if anyone could shed some light on this topic for a networking beginner.

I am attempting to build a network in Packet Tracer for educational purposes. The topology is that there are 3 offices, each office routes internally with OSPF. Each office has a boundary router. These boundary routers then connect to a single router "hub" that is to act as an ISP.

Currently OSPF is working in each office, and the three external routers and the ISP router communicate using BGP fine.

What isn't working is communication out of an office, past the external router.

This is a very badly drawn diagram which shows OSPF process numbers for each office and ASN/BGP numbers for each office and the ISP.

Diagram



Ordering a Cisco controller..

Do I need the PSU or is it included?

Also the AP mounting kits. Is one included in the box?