Saturday, May 26, 2018

Confused to take CCNA or CCIE Security

Hello, I am a fresher from India who has 6 months of intern experience as an IT Security Analyst. But as I was interested in security and networking, I started to learn and came upon an institute that would help me learn up to the CCIE Security level. The institute teaches from CCNA, CCNA Security, CCNP, CCNP Security and up to CCIE Security. Now I am at the level of CCIE Security training. But I am confused whether I should write the CCIE Security exam or the CCNA R&S exam, because I am a fresher, and what the right path is for me as a fresher. This topic has been with me for so many days; I wish to understand, so if some experienced people would kindly help me it would be really great.



Old Telecom Professionals, how are homes wired so that a single POTS line can deliver dialtone to multiple phones?


Does AWS create PTR records for their Ipv6 addresses?

NOPE



Resources to learn Networking from basics.

Firstly, I am not sure if this is the right place to ask (If not please direct me to the right place) and also if I am breaking any rules. Please bear with me.

I am looking for resources - tutorials, courses, books, blogs et cetera - to learn about networking from the start.

I have always found networking a very intriguing topic but have never really looked into it... I want to learn in detail about how SSH works, how to make secure proxies, how to benchmark a network, how to set up a stable connection between two remotely located computers... things like this... I have experience with some of the topics, but it is just enough to get me through whatever I was doing.

I have used proxy software to chain proxies and bypass my university's network blocking (they have blocked torrents), but I don't really understand how proxy chaining works.

I hope you get the idea. Any help is highly appreciated and sorry if this feels like ranting.

Edit: Spelling, added one line.



Two iSCSI targets

Would two iSCSI servers on the same LAN cause intolerably slow load times and access for the initiators?



What software do you use to collect and visualize telemetry (MDT) from Cisco?

Hi engineers! I am currently using snmp to collect statistics from Nexus 3/9k and ASR 1/9k, but would like to replace it with gRPC Dial-Out. What open source software do you use to collect and visualize telemetry (MDT) from Cisco?



Friday, May 25, 2018

Can someone point me in the direction of video(S) that help with advanced routing?

I know there is Khan Academy, and I know some colleges have free lecture videos. Has anyone self-taught themselves this stuff? I prefer videos over reading.

Looking for info on things like SSL certs, PBR routing, VLANs, more of a broad overview. I have a DD-WRT router flashed and have no idea what half the features do. I have bought a full setup of Ubiquiti stuff and am hesitant to set it up.

Thanks!



Cisco Nexus 7010 Upgrade

We have a Cisco Nexus 7010 in production that was one of the first models released. It is a Cisco Nexus 7010 (N7K-C7010) with Supervisor Module-1X (N7K-SUP1) and Fabric card module (N7K-C7010-FAB-1). The N7K-SUP1 is EoS/EoL on 8/31/2019, and we have just decommissioned a Cisco Nexus (N7K-C7010) with Supervisor Module-2 (N7K-SUP2) and Fabric card module (N7K-C7010-FAB-2) in a Data Center consolidation project. Has anyone here upgraded their N7K-C7010 from N7K-SUP1 to N7K-SUP2 and N7K-C7010-FAB-1 to N7K-C7010-FAB-2? Is this just as simple as moving cards and applying the config? Any gotchas?



Visio examples to download?? L1,L2, L3

My current employer has very little documentation. We have a new project that will last a few months to document the network and major applications communicating across it.

I was told to create a Logical drawing for the app/server path and then L1-L3 designs for the infrastructure itself. We have Cisco, VMware NSX and various server models.

Is there a place I can download some good examples to get ideas from and to jumpstart this process? Maybe someone wants to upload an example? I'm using Visio 2016.

Thank you, Jay



What is the maximum amount of connected devices that a Nanostation loco m2 as AP can manage?

As stated in the question, I installed 2 NanoStation loco M2s as APs in my company because I needed to cover 2 hallways, each hallway with 15 rooms side by side. We have WiFi projectors and clients; on a peak day we can have almost 400 clients, and I want the internet to work well for my clients and my projectors.

sorry for bad grammar.



SonicWall APs

Anyone have any experience with SonicWall APs? I've used Cisco, Aruba, Meraki, and Ruckus. However, I have a consultant that is recommending that we go with SonicWall firewalls and APs. I know nothing about SonicWall, other than they just separated from Dell (maybe that's a good thing?). Just looking for any experience with them. We will be utilizing the firewalls for site-to-site VPNs too.



Unifi Comparable to Ruckus P300

Good morning

We use Ruckus P300 in most wireless bridge deployments and it is ROCK solid but they are 2k a pair which is a bit steep for one of our clients, especially considering we need two sets currently.

I am looking for a comparable Unifi setup with 1gbps throughput ideally, but depending on price we might consider 450+ mbps.

Distance is a couple hundred feet, clear line of sight, no obstructions whatsoever.

I need two pairs or one pair that does point to multipoint. Also I am really not sure we need external antennas for a 300 foot throw, but they all seem to require antennas of some sort.

There are so many models, AirFiber, Airmax etc.

Does anyone have any recommendations?

Thanks



what are the things that I have to know to distribute free wifi in my business?

I want to start giving WiFi to my clients. What are the things I have to keep in mind for a good installation?



No audio on Cisco phone via VPN

Hi!

My problem is that others I call from a specific Cisco phone can't hear me. If they call me, after a few seconds I can hear them speaking.

Infrastructure:

  • Main floor - Mikrotik router (acting as a VPN server), 192.168.88.1 - many devices attached to this one: servers, phones, PCs, and machines via VPN from distant places.
  • Reception - TP-Link router with DD-WRT connecting to a provider via PPPoE for security camera feeds and internet access - 192.168.15.1 - VPN passthrough is enabled.
  • Reception - Netgear router attached to the TP-Link router, connecting to the Mikrotik router via a PPTP VPN connection, using the Mikrotik router's public IP address. The Cisco phone in question is attached to this router.

We need the TP-Link router for internet access and the camera feed, and we tried connecting through this PPPoE connection with the built-in DD-WRT VPN client, but it won't work; on the forums people say it never worked, and that's why we included the Netgear router.

The connection between the phone and the FreePBX server is fine, all lights are green, phone gets an IP address via DHCP, and can start and receive calls, but if I call someone, they can't hear me.

We have another Cisco phone connecting from another distant place via VPN with a Linksys router with DDWRT (via direct PPTP connection), and it's working fine. Both phones have the same settings except specific settings.

We had the same problem before the camera feeds, when the TP-Link router was connected to the Mikrotik router directly with a static PPTP connection, but before using the FreePBX server, we had an Asterisk server, and the phone was working.

What could be the problem? Because the Netgear router doesn't make any difference, I guess it must be the TP-Link one with DD-WRT, or the server itself.

Any help would be appreciated, thanks in advance!



BGP issues

Hi Fellow Network engineers,

I have a strange issue with BGP and I would like some advice.

We have a customer that reboots their router. When the router comes back online, BGP does not re-establish, even though we can ping the remote end and telnet to the CPE from the PE. In order for us to bring the sessions back online and learn routes, we have to hard clear the BGP session with "clear ip bgp *". Can you think of any reason why this would be happening?

Cheers,



IOS XR 6.1.4 and SNMPv3 traps

Hi! Since I haven't found a possible solution for my problem I hope somebody from you guys can help me with this :)

I have an ASR 9k with IOS XR 6.1.4 running and need to send SNMPv3 traps (not informs) to a certain destination using a VRF. These are the commands I have used: "snmp-server vrf Management host 192.168.0.30 traps version 3 priv clear User2018"

What I can't understand is that the type of the notification is inform and not trap. Here is the output: "RP/0/RSP1/CPU0:ios(config-snmp-vrf)#do show snmp host Notification host: 192.168.0.30 udp-port: 162-Management type: inform user: User2018 security model: v3 priv"

Anyone experienced such an issue? What can I do to force the router to use traps instead of informs? SNMPv2c is working without problems.



How does WiFi hotspot monetization work?

How are the ads injected into the network? Is it a JavaScript file injection?



Fibre Optic safety wrt wavelength

Afternoon,

We have lots of fibre links on our local sites using 850nm and 1300/1310nm and they've always been deemed as 'safe', i.e. won't be blinded/damaged if accidentally shone in an eye. Is this assumption correct? Would this be the same if we jumped up to using longer wavelengths e.g. 1550nm. Common sense and basic training says don't stare down fibres anyway but are there special requirements needed when using longer wavelength/long distance SFPs? e.g. PPE, locking cabinets/fibre trays, signage etc.

When googling for this, I get info about the hazards of splicing, which isn't what I'm after.

Regards,

Kris.



Using 2 fibre lines with flat VLAN

Hi guys,

Need some advice on a new network setup for a small company I sorry. Currently, they have a fibre line going into a router with a 10.0.0.254 range. This goes into a stack of switches, which all the PCs and IP phones go into, along with the server which handles DHCP for the PCs and IP phones.

They have just installed a 2nd fibre line and want to separate their traffic so VoIP goes down the old fibre line and all other data goes down the new line. Will this be possible using only a flat VLAN setup? My manager is adamant he doesn't want to go down the multi-VLAN route. We have a Sophos SG that we can use as a router for the 2nd line. They have 52 IP phones, which we can set to use DHCP or static IPs, and about 50-ish PCs.

Here is a diagram I drew of the setup: http://imgur.com/gallery/W4iJEas

Any help would be greatly appreciated.



Thursday, May 24, 2018

Whitelisting IP addresses please help me understand

If someone said "please whitelist 172.45.7.16/33", what IPs would you be whitelisting, and how do you work it out?
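The question above is exactly the check a whitelist change request should go through before anything is applied. The following Python script is an added example, not something from the original post: it uses the standard-library ipaddress module to work out which addresses a CIDR entry covers, rejects entries whose prefix length is impossible for the address family (an IPv4 prefix longer than /32, such as the /33 in the question), and separately flags entries whose host bits are non-zero, since those are usually a sign the requester meant either the single host or the whole block. The sample entries below are constructed; the function and field names are this example's own.

```python
import ipaddress


def parse_whitelist_entry(entry):
    """Work out which addresses a CIDR whitelist entry actually covers.

    Returns a dict. ok=False means the entry cannot be applied and must go
    back to the requester (e.g. an IPv4 /33). host_bits_set=True means the
    prefix is legal but the address is not the start of the block, so the
    requester should confirm whether they meant the host or the block.
    """
    entry = entry.strip()
    try:
        net = ipaddress.ip_network(entry, strict=True)
        host_bits_set = False
    except ValueError:
        # ip_network raises ValueError both for an impossible prefix and for
        # a legal prefix with non-zero host bits; retry non-strictly to tell
        # the two cases apart.
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return {
                "ok": False,
                "entry": entry,
                "error": "not a valid IPv4/IPv6 network (check the prefix length)",
            }
        host_bits_set = True
    return {
        "ok": True,
        "entry": entry,
        "network": str(net),       # the block that would really be opened
        "first": str(net[0]),
        "last": str(net[-1]),
        "count": net.num_addresses,
        "host_bits_set": host_bits_set,
    }


def review_whitelist(entries):
    """Sort a batch of requested entries into accepted / clarify / rejected."""
    result = {"accepted": [], "clarify": [], "rejected": []}
    for entry in entries:
        parsed = parse_whitelist_entry(entry)
        if not parsed["ok"]:
            result["rejected"].append(parsed)
        elif parsed["host_bits_set"]:
            result["clarify"].append(parsed)
        else:
            result["accepted"].append(parsed)
    return result


if __name__ == "__main__":
    # Constructed sample request: the entry from the post plus variants of it.
    requested = ["172.45.7.16/33", "172.45.7.16/32", "172.45.7.16/28",
                 "172.45.7.16/24", "2001:db8::/129"]
    for bucket, items in review_whitelist(requested).items():
        for item in items:
            print(bucket, item)
```

The same code handles IPv6 entries unchanged, because ip_network tries both address families; a /129 on an IPv6 address is rejected the same way a /33 is on IPv4.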



corporate team building

Trust falls are nice and everything, but there is a new way to foster teamwork in your office while having some actual fun. Right now, all team-building events at the Manhattan Comedy School include free tickets for all to Gotham Comedy Club! Today is the perfect day to sign up your office for one of our events where you can creatively boost teamwork, have a blast, and get a free comedy show :D https://manhattancomedyschool.com/corporate-training/



My morning Cisco Bug Email

...Facepalm.....

For the record, we're on 3.6.8, but I've had internal pressure to go to 16.3.5 based on comments my SE has made.

Known Bugs - Catalyst 3850-12S-E Switch

CSCvj49476

Console, Telnet/SSH Sessions Hang/Become unavailable at execution of "show run"

Symptom:
Console, Telnet/SSH sessions to the switch hang up and the condition does not clear until a reload is done.

May 4 12:12:27.154: %PARSER-6-WMLRETRY: Write memory lock currently held by pid '485', automatic retry. -Process= "SSH Process", ipl= 0, pid= 487
May 4 12:12:41.205: %PARSER-6-WMLRETRY: Write memory lock currently held by pid '485', automatic retry. -Process= "SSH Process", ipl= 0, pid= 488
May 4 12:12:45.757: %PARSER-6-WMLRETRY: Write memory lock currently held by pid '485', automatic retry. -Process= "Exec", ipl= 0, pid= 486

Conditions:
Vlan configuration change/add/delete events executed at the time ARP hits the CPU ( DHCP snooping/ARP inspection)
Switch freezes, drops end user traffic and also stops executing.
Show run/ Show tech-support command is executed.
Affects 16.6.3, 16.3.5, 16.3.5b, 16.3.6. across all platforms. Code versions earlier to each of the mentioned releases are not impacted

Workaround:
The switch will not be recoverable once the condition is hit. Switch will have to be reloaded.
Run the following steps to avoid running into the issue,
Option 1:
1) Disable IP DHCP snooping
No ip dhcp snooping vlan 2-4094
No ip dhcp snooping
2) Disable IPDT/ SISF policy if applied on the interfaces.
Int <>
no device-tracking attach-policy
3) Make all the desired VLAN config changes, then restore the CLIs removed in steps 1) and 2) above.

Option 2 (Intrusive Method, not recommended):
- Enable MAC ACL to temporarily block ARP packets.
- Apply the ACL on all the ports on the switch or modify the respective CoPP policy.
- Make the VLAN changes.
- Remove the MAC ACL from the interface, restore CoPP policy if copp is modified.

Option 3 (Intrusive Method):
- Shut down all interfaces
- Make VLAN Changes
- Unshut all the interfaces
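The three syslog lines quoted in the bug report are the early symptom: sessions blocked behind a write-memory lock that one process never releases. As an added example (not part of the bug report or the original post), the Python script below parses %PARSER-6-WMLRETRY messages and raises an alert when the same holder pid is seen across several retries spanning more than a few seconds, which is the point at which, per the report, the only recovery is a reload. The log input is the three lines from the report plus two constructed lines (a benign single retry and an unrelated CONFIG_I message); the thresholds of 3 retries and 10 seconds are assumptions of this example, not values from Cisco.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the %PARSER-6-WMLRETRY format shown in the bug report.
WMLRETRY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%PARSER-6-WMLRETRY: Write memory lock currently held by pid '(?P<holder>\d+)', "
    r"automatic retry\. -Process= \"(?P<process>[^\"]*)\", ipl= (?P<ipl>\d+), "
    r"pid= (?P<waiter>\d+)\s*$"
)

# Three lines from the bug report, plus two constructed lines for contrast.
SAMPLE_LOG = [
    'May 4 12:12:27.154: %PARSER-6-WMLRETRY: Write memory lock currently held by pid \'485\', automatic retry. -Process= "SSH Process", ipl= 0, pid= 487',
    'May 4 12:12:41.205: %PARSER-6-WMLRETRY: Write memory lock currently held by pid \'485\', automatic retry. -Process= "SSH Process", ipl= 0, pid= 488',
    'May 4 12:12:45.757: %PARSER-6-WMLRETRY: Write memory lock currently held by pid \'485\', automatic retry. -Process= "Exec", ipl= 0, pid= 486',
    # constructed: one isolated retry against a different holder, normal contention
    'May 4 12:20:00.000: %PARSER-6-WMLRETRY: Write memory lock currently held by pid \'210\', automatic retry. -Process= "Exec", ipl= 0, pid= 211',
    # constructed: unrelated message that must be ignored by the parser
    'May 4 12:21:02.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0',
]


def parse_wmlretry(lines):
    """Return one event dict per WMLRETRY line; other lines are skipped."""
    events = []
    for line in lines:
        m = WMLRETRY_RE.match(line.strip())
        if not m:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only differences between timestamps are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
        events.append({
            "ts": ts,
            "holder": m.group("holder"),
            "process": m.group("process"),
            "waiter": m.group("waiter"),
        })
    return events


def detect_stuck_lock(lines, min_retries=3, min_span_seconds=10.0):
    """Alert when one holder pid keeps the write-memory lock across repeated
    retries from other sessions for at least min_span_seconds."""
    by_holder = defaultdict(list)
    for ev in parse_wmlretry(lines):
        by_holder[ev["holder"]].append(ev)

    alerts = []
    for holder, evs in by_holder.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        if len(evs) >= min_retries and span >= min_span_seconds:
            alerts.append({
                "holder": holder,
                "retries": len(evs),
                "span_seconds": span,
                "waiters": sorted({e["waiter"] for e in evs}),
                "processes": sorted({e["process"] for e in evs}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_stuck_lock(SAMPLE_LOG):
        print("write-memory lock held by pid %s for %.1fs; %d sessions blocked (%s)"
              % (alert["holder"], alert["span_seconds"], alert["retries"],
                 ", ".join(alert["processes"])))
```

Fed from a syslog collector, an alert of this shape is the cue to stop making VLAN changes on the affected switch and schedule the reload the report says is unavoidable, rather than discovering the hang when the next "show run" never returns.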



Playing around with firewall packet timeouts. Do's and don'ts?

I have a situation where a connection is over saturated, and unfortunately it takes a while before the upgrade is in place.

Users are getting timeouts and have to re-load connections, which is the biggest annoyance.

Before I start playing with these settings, are there some good reads on do's and don'ts regarding this?

I am currently looking at a Mikrotik RB3011 router with these settings: https://imgur.com/a/n4EayfJ



Is it bad VLAN configuration or not?

Hi,

look at the 2 pictures, please.
https://imgur.com/a/0lfgv9v

You can see that Gig12 is an access port and has native VLAN 10, but Gig13 is a trunk with VLAN 10 tagged. I'm definitely sure that it must be an example of how not to do it. I just wanna make sure that if one VLAN is used as native, then it should stay native no matter what.

Btw, this is config of my supervisor and if something happens it's my bad...



Can't find if Huawei equipment supports SFP 1000Base-ZX

Hi, I'm making a project for an optical fibre link which will be 50 km long. My requirements are not high (in terms of switching capacity and throughput), so I'm considering the Huawei S1720-10GW-2P. I saw Huawei SFPs which support distances up to 80 km, but I can't see anywhere whether these are compatible with this switch.

I don't know if I can use this switch or if I have to jump to a higher line of Huawei.



Need some help with a Switch -> Router Problem

Greetings,

I currently have a 2901 Router running EIGRP with two interfaces, 10.100.10.0/24 and 192.168.2.1/24. 192 is the Metro E, 10 is the local LAN.

Router 10.100.10.254 --> 10.100.10.253 Switch

The switch currently has 2 VLANs: Vlan2 Data 10.100.10.253, Vlan3 Voice 10.100.11.253

The Voice Server is on the Metro E, so I have to advertise 10.100.11 into EIGRP. It is currently working with a static route that I redistributed. I would like to know if there is another way to configure the current devices so I do not have to add static routes.



Whose job is it to physically install switches and routers?

Still new and learning everything, just wondering what the job title is for the people who physically install all of the switches and routers for a commercial project. Keep getting different answers when I search so I figured I'd ask you guys, thanks!



Cisco CCNA, RHCSA, and VSphere Path

Hello everyone! I'm here today to ask you all a question. I am wanting to become a system/network administrator. I know they're slightly different but share some of the basic fundamentals. I like Linux and am currently using minicom to remote into my Cisco 2800 routers. I'm also studying for my RHCSA so I can use Linux to do such tasks. I haven't delved too deeply into vSphere yet, but will soon.

Do you guys think this is a good way of getting potentially good work experience? I'm about to do more with making a Linux based home network with 5 computers, 3 desktops and 2 laptops with wireless connection. I'm also trying to make a print server access. What do you guys think? Is it a good way to not only study certs but get enough practical knowledge to become an administrator?



Cisco FTD/FDM RA-VPN restrict users/DHCP

Hi!

I'm currently configuring an ASA firewall with Firepower Module and I'm managing this device with FDM. I'm trying to setup Remote-VPN for our users to access our internal networks. I want to have two VPN pools, one for admin managing our devices and one for employees that need to access one server on the network. I'm having a bit of a problem trying to set this up.

I followed the Configuration Wizard in the FDM and added an Identity Realm that's connected to AD. I've created two test users, one called vpnadmin and one vpnemployee. Both can connect, but they still have access to everything. I thought I could make it so that vpnadmin connects to VLAN 10 and vpnemployee connects to VLAN 20, and they receive their addresses from the respective DHCP pool, but this doesn't seem to be the case. I could only configure 1 pool of VPN addresses.

So I tried using the identity policy and added the respective user to each policy but they can still access each others stuff. It's very hard to find any configuration guides for this on the Internet.

Any help would be greatly appreciated



What switches should I buy to replace our Cisco ones? [x-post /r/juniper]

I'm tasked with coming up with a plan to age a few aging Cisco switches in some of our branch offices.

Currently we are running 2 x 48 port PoE Cisco Catalyst 2960-s. We run them with a router on a stick design for inter-vlan routing and routing over our MPLS.

We are planning on getting rid of our MPLS in favor of an SD-WAN(really S2S VPN) solution, so we want to get rid of the routers to simplify our network design. So I am going to be doing some simple L3 routing on the switch I decide to purchase.

Most of the branches these will be going in are between 15 and 25 users. We have printers, video conference rooms, and other local networked devices as well.

At least 3/4 of the users in these offices work on CAD drawings, so they frequently open/save files that are anywhere from 20MB to 500MB or more, depending on the size of the project. We also have people opening Photoshop/Indesign files that can be 200-300MB each.

We also have WAPs that service a max of probably 30 devices in each office. We have a Cisco IP Phone system currently, but are looking into cloud based PBX options. I assume that the Cisco IP Phones will work just fine with these switches.

We also have some light infrastructure in each office: a VMWare host with a domain controller and a terminal service. We also have a NAS that the users pull their files off of.

Since we're currently using 2960s without any issues, I'm considering the Juniper EX2300-48P, as it specs out about 3 times faster than the Ciscos we're using. If we don't have any issues with those, I don't think we need to go overboard.

I also looked at the Juniper EX3400-48P but it doesn't seem like I get that much more and I think it may be overkill for these small offices.

I'm going to configure the switch as the default gateway for each VLAN and then just use a few static routes to get traffic from the switch to the firewall and router for actual routing.

Will the EX2300 be sufficient in handling the traffic and light routing it'll be doing or should I look at sizing up a bit?

Thanks!



Do you have any tips for the folks transitioning from an Enterprise to a data center engineer?

I am coming from an Enterprise and switching to data center. Do you have any advice for someone like myself?



EEM Scripting with Dynamic Input

Hi,

So I've got a bit of a weird corner case I'm trying to work around here, due to a stupid bug Cisco seems to have introduced with IOS-XE 16 and bridge-domain processing, which has broken a solution we had working quite well for a long time in 3.16 (long and short: the bridge-domain has a VFI member and a port-channel member, but the bridge-domain does not go up if only the VFI is up; it only goes up after removing and re-adding the VFI or an admin down / admin up of the bridge-domain construct).

What I want to do is write a script that parses through a number range of bridge-domains, sees if there is a valid bridge-domain in that number range, and if there is, runs a 'shutdown / no shutdown' on it when the interfaces go down on the local PE or on reload.

I know I can set those 'triggers', but I'm looking for good examples of programmatically doing something like this with TCL or EEM.

Does anyone know if this is possible and can point me in the right direction of any resources for doing this?

Essentially the logic is as follows:

  • Active firewall on PE1 has interfaces up
  • Standby firewall on PE2 has interfaces down
  • Standby firewall on PE2 becomes active and interfaces go up
  • Active firewall on PE1 becomes standby and interfaces go down
  • When interfaces go down (trigger), run through list of bridge-domains xxxx to xxxx and then shut / no shut
  • When system has rebooted (trigger), run through list of bridge-domains xxxx to xxxx and then shut / no shut


working on a book that covers open networking

Hi,

Is anyone interested in working on a book that covers topics like:

  • Network Operating System types.
  • Classic vs Open Networking.
  • Open Networking and SDN.
  • Forwarding Chips.
  • The new stack.
  • Disaggregation.
  • Automation.
  • Telemetry.

I'm thinking of covering the reasons why disaggregation was delayed with networking, what the advantages and disadvantages of that approach are, the new stack on new platforms, etc.

The goal of the book is to educate and not to promote one vendor over the other, but I'd prefer providing examples using Cumulus Linux VX, Open Networking Linux, SONiC.

Direct message me if interested to talk more.

Thanks,
Marcus



Dirty Switch Advice

Hello /r/networking!

Currently in our data center we have 2 ISPs that each connect to their own dirty switch before going to our firewall. I am upgrading these switches this year. My plan was to put the new switches in a stack and feed both connections into the stack. Recommended idea or not?



L2 mpls vpn study resources

Greetings,

I have recently joined the Service Provider world! As a newbie, I started learning BGP & MPLS (MPLS Fundamentals book, IRA, etc.); my main focus area is L2 VPN services and EDI.

What I found so far:

RFC 2547

Designing and implementing IP/MPLS- based

Ethernet layer 2 VPN services

Juniper docs/Cisco white papers

The books go in depth & I plan to read more , although my supervisor told me to not go in depth since it's quite broad for the beginning! And rather focus on the docs/white papers for now.

So I am wondering, what other resources would you guys recommend?



Good tutorials for troubleshooting network problems

What is a good tutorial (written/video/audio) that focuses on troubleshooting common TCP/IP performance problems? I'm talking about in-depth analysis of things like sequence number analysis, dup ACKs, retransmissions, sliding window issues, congestion etc., where they narrow down the actual root cause. So rather than just ending by saying "this happens because of congestion" or "the network has packet loss", they show where it is likely occurring, based on e.g. Wireshark analysis.



Wednesday, May 23, 2018

Input on VLAN layout for K12

County-level MSP managing many local districts/schools, looking to standardize our VLAN layout as we overhaul sites moving forward.

I know L3 to the closet is the new hotness, and we have the equipment to do it, but I suspect that kind of shift in overall process/structure might be too much for my team—but I'm definitely interested in hearing about any successes you've had doing that in K12.

Here's what I came up with for each school site:

  • Management - Any managed L2/L3 network device (switch/router/AP)
  • Voice - VOIP and/or intercom
  • Cameras - IP security cameras ideally with dedicated trunks back to NVR
  • IoT - Catch-all for any IP device that doesn't have a user in front of it (and isn't a phone/camera). Think HVAC, sensors, bell system, maybe even printers.
  • Staff - All devices used by district staff members.
  • Student - All devices used by enrolled students.
  • Guest - All devices used by anyone not employed by or enrolled in the district.

Thanks for any input!



Cisco FTD firewall best practice between sites

Hi All, we are in the process of deploying two Cisco FTD firewalls at two new datacenters. One is in Virginia and one is in Texas. I'd like to set these up as an active/passive pair for failover. Would latency between the sites affect the firewall performance? Any other considerations to be aware of? We have an L2 connection between both sites at 10 Gbps, maybe 30 ms latency? I don't know 100% what the latency will be.

Appreciate the help!



Looking into managing WFH user's wireless with a UniFi USG. Is what I'm wanting to do possible?

Hello!

I am looking into giving a few of our users who always work from home a USG paired with a UniFi AP, so that we can make sure the router they're connecting to us with is secure.

I'd be setting up an IPSEC tunnel to our network.

Here's the kicker: only company issued devices. So only their laptop would be able to connect.

So the idea would be that we would have the USG give them two separate networks, so that they can have a company wireless and a home wireless that use one AP but are separate SSIDs and can't talk to each other.

Is what I'm thinking doable, or am I going to need more than just the USG + UAP?

Thanks! :)



Network planning software

Anyone know of some software I can use to map out our network? It's really confusing at the moment as to which switch is going where.



Outdoor Mesh Wifi

I'm looking into wireless mesh options to serve wireless to our stadium. Politics have made fiber to this location very difficult, and the building that could have been an option to terminate is less than ideal to begin with. Wireless is really what I'm left with at this point. Line of sight is clear from building to stadium at roughly 100 m.

I have a call with Aruba tomorrow for a pair of instant 275's

I need to review the Cisco 1562I's in more depth

I know Ubiquiti has some options that may be overkill for mesh / point to point. But I still need an AP to serve after that. Least complication is ideal.

Is there anything else around 3K that can get the job done? I can't believe between both of the two models suggested, almost nothing comes up online for documented installs. Also is there any way to do a free site survey for non wifi 2.4 and 5ghz interference.



Netvanta 5660 Bypass

We recently had Centurylink business fiber installed and we were curious if it was possible to bypass the netvanta 5660 and just plug the fiber directly into our router with vlan tagging?



How to? - active/active with MS AD/DNS - Internal

Hello,

What are you guys doing for your Active-Active DC designs when it comes to the internal AD infrastructure. I have one site and am ramping up my other one. I don't know if I should:

1) create a separate AD infrastructure at the second site, or just a VXLAN tunnel to sync up AD at the second site (ex: site1.company.com and site2.company.com). Thoughts?

2) Really just trying to understand best option for AD/DNS design/sync. Still looking at vxlan for communication but may be a physical dedicated circuit as well.

Any ideas/feedback are very much appreciated.

Thank you, Jay



Ruckus Wireless Problems

Here’s my recap of the wireless issues I have been having with Ruckus. It’s been a crazy adventure to say the least.

Hardware:

  • 2 Zone Director 3000’s. One is our failover which sits on our separate campus
  • Roughly 70 R500 APs with a few R700s and T300s for outside coverage.
  • ZD running 10.0.1.0 build 61 but the issue was still happening on 9.x

Areas Affected:

  • Humanities (HUM)
  • World Languages (WL)
  • IS Office (IS)
  • The HUM and WL buildings are near each other physically but are on 2 separate switches that don’t intersect. IS is on a completely different side of campus.

Issue:

  • At random times our users in the 3 separate areas of the school lose internet access for roughly 10 to 15 minute intervals. The client stays authenticated with the AP, but all traffic is slow or doesn't work at all. Pinging from the client to the AP, default gateway, core switch, ZD, or outside to a website is intermittent. Many dropped pings happen during this time. All wired traffic works perfectly fine. Also, pinging the AP from a wired client works with no dropped packets. The issue is between client and AP. This occurs at very random times, is not reproducible manually, and happens at least once or twice a day to the various areas. The issue seems to only happen to clients on the 5GHz connection. All 2.4GHz traffic seems to pass through fine. This includes devices of all types, including Apple, Windows, Android, etc... I've been working with Ruckus engineers both on the phone and onsite to help with the issues.

Troubleshooting:

  • Wireless analysis determining if there’s noise on 2.4 & 5GHz both while the issue is happening and while it’s not with no considerable changes or red flags.
  • Turned off different 5GHz channels the clients were connected to eliminate channel issues.
  • Test multiple SSID WLANS and the issue occurs on all of them.
  • Set BSS Min Rate to 12.00mbps
  • Enabled ProxyARP
  • Turned on DFS channels
  • Turned off tunneling
  • Enabled performance mode on ZD
  • Created an entirely new network VLAN that doesn't have internet access and put both the ZD and APs on it to isolate the devices from any random traffic that could be hitting the en0 port.
  • Ruckus engineers have taken many different Wireshark captures and system info files and have compared them to times the issue is happening and when it does not.
  • Performance logs of individual APs while the issue is happening and when it's not.
  • Today we physically replaced our APs in various areas with ones that Ruckus has loaned us, which are all R500s. (Keeping my fingers crossed)

We've clearly done a ton of troubleshooting. After our testing it would be hard to believe that this is a network or RF issue at this point. I'm convinced it's a software/firmware issue on their end. They claim they "have never seen this issue before", but the issue has been going on for 5-6 months.

Any insight or tips would be super helpful! Thank you very much!



VLAN Setup Clarification

I'm hoping you all can help. I'm still trying to grasp the concept of VLANs and am having a mental block.

We have 5 UniFi APs, several switches, and a DHCP server. We want to set up a new SSID on its own subnet and VLAN so clients can't access anything but the internet, but still get an IP from DHCP. Let's say it'll be VLAN #30.

So, in its simplest terms, any port switches that the VLAN passes through to get to the DHCP need to be tagged with VLAN #30, correct?

So, say it's something like this:

  • AP is configured with new SSID associated with VLAN #30

  • AP connected to Switch 1 Port 10

  • Switch 1 Port 20 connected to Switch 2 Port 30

  • Switch 2 Port 40 to DHCP Server

So, switch 1 port 10, switch 1 port 20, switch 2 port 30, and switch 3 port 40 all need to be tagged with VLAN #30.

Is that right or am I way off base?



Using Cisco 3750 as Router

So the quick and dirty is, I'm limited to what I have available as stock for routers. I've been searching around and found I can use a 3750 as a router.

I applied some basic command lines to my Gi ports, and was hoping someone here can confirm this will work.

I'm not going full out programming this, as I have some new trainees that I have to get up to speed on switches and routers.

My entire shop is full of switches not in use, but all our routers are live, so I can't have trainees touching live routers.

Thanks.

Building configuration...

Current configuration : 1922 bytes
!
!
Last configuration change at 00:18:17 UTC Mon Mar 1 1993
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
switch 1 provision ws-c3750-24fs
system mtu routing 1500
ip routing
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet1/0/1
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface GigabitEthernet1/0/1
 description TRUNK
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/2
 description TRUNK2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk
 spanning-tree link-type point-to-point
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 1 in
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip access-group 1 in
!
no ip http server
no ip http secure-server
!
!
logging esm config
access-list 1 permit any
!
!
line con 0
line vty 5 15
!
end


VPNFilter malware targets 100,000s of networking devices worldwide

https://blog.talosintelligence.com/2018/05/VPNFilter.html

https://www.us-cert.gov/ncas/current-activity/2018/05/23/VPNFilter-Destructive-Malware

Mikrotik, Linksys, Netgear, TP-Link and QNAP devices targeted.

Excerpt:

For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor's widespread use of a sophisticated modular malware system we call "VPNFilter."

We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves. In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine.

While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country.



Recommendations for used enterprise Cisco hardware buyers/resellers (UCS blades and switches primarily)?

Greetings,

I'm the junior network admin at a medium sized corporation and I've been tasked with selling about ~10 Cisco UCS blades and various Cisco gigabit+ switches. I've found a few companies that specialize in buying and reselling enterprise hardware via Google (P3Online looks like a pretty reputable one), but I'm wondering if any of you have had good success with specific companies and/or have recommendations? Thanks!



How do you access an old Draytek via https (SSL_ERROR_UNSUPPORTED_VERSION)

Hi guys, how are you accessing your Drayteks now that Firefox doesn't work with SSLv3? We've got a couple of old clients that use them and, due to poor maintenance, they've not been upgraded for a long time... It's therefore my job to unfuck it...

Unable to Connect Securely
Firefox cannot guarantee the safety of your data on 195.62.204.24:8443 because it uses SSLv3, a broken security protocol.
Advanced info: SSL_ERROR_UNSUPPORTED_VERSION


need some troubleshooting suggestions

I have a simple 10M layer-2 ethernet metro link with a problem. I can ping across the transit addresses, but can't establish OSPF nor connect over SSH. It's been working fine for months and there have been no recent changes. I checked the MTU and verified that I can ping with a 1500 byte packet with the df-bit set.

Any ideas?



Dot1x global setting on Dell N series switches

If I enable the dot1x setting globally, does this make it so all ports have to be authorised or does this just turn on the functionality and then for dot1x configuration, you'd do this per switch port?



Network engineer in the house on Jeopardy!



The end of WHOIS with GDPR taking effect?

I wanted to hear what the networking community's view is on the way GDPR will impact the WHOIS database. Link1 Link2



Mobile phone WiFi calling function blocked on WiFi unless the phone is with O2

Hi all,

Here is what I believe to be a very difficult one, but maybe you'll prove me wrong. We have various different WiFi networks being broadcast around our organisation, e.g. Guest, Corporate.

When connected to any of the WiFi networks, the WiFi calling feature on the mobiles fails to kick in unless that phone's cellular provider is O2 (UK cellular provider).

I have checked our firewall and can see no reason for this function to be blocked, especially seeing as the traffic would be initiated from inside to out and therefore permitted back in due to packet inspection.

We also run firepower and I have also ruled that out as the cause for the function not working.

The external IP these networks are routed outbound on is a Houston IP address; however, the internal subnets are based in the UK. Could this function be failing to work for all UK cellular providers bar one due to the external IP address being US-based?

Thanks in advance



Network security considerations for a new office

Maybe not strictly in the vein of this sub but I had this question in an interview a while back.

Company is opening a new remote site, users want to access the internet, what infrastructure and processes would you put in place to secure the network?



Our country is implementing a centralized data center for routing/filtering all traffic. What data security concerns should we have and how should we respond?

Not much is known yet about what the country's implementation will be. And I assume that to some degree what we are doing is already being monitored.

But, I want to do some due diligence to begin researching this issue and some potential solutions.

We are an international company with multiple locations, but our tech demand is rather low. Salesforce, Quickbooks online, cloud file storage, email, etc...

We will be replacing all of our site networking equipment with Unifi solutions over the next year. USG’s and USG Pros.

What should our primary concerns be? DNS and traffic “sniffing”? Potential blocked sites and services?

And what are some potential solutions? Encrypted DNS? Forcing HTTPS? VPN at the network's edge?

I’m sure my question and details are too broad, but I’m hoping for some guided resources to help me know what is best to research. Thanks!



Tuesday, May 22, 2018

MPLS Multipath Issues

I am labbing up an MPLS network in GNS3 and cannot figure out why BGP multipath is not working as expected. I don't even think it is a BGP issue at this point, but I am not sure. I am using all ASR9k, btw.

There are two PE routers at each site, and I am using BGP additional-paths on the route-reflectors to reflect all paths to a given VPNv4 prefix. Then the PE routers are configured with multipath ibgp 2 unequal-cost.

From site A, PE-A, vrf RED, I am trying to reach site B, vrf RED, prefix 192.168.11.0/24.

Site A, PE-A router's BGP tables shows this.

Site A, PE-A router's RIB shows this and this.

Site A, PE-A router's CEF table shows this.

When I traceroute, or attach a docker container behind the router at Site A and use MTR, I cannot get it to actually push real traffic via both site-B PE routers. It always routes via 1.1.1.2 (site B, PE-B). BGP has already decided to put both BGP routes in the RIB, and each RIB entry's next-hop is PE-A and PE-B at site B. So I would think that standard ECMP would take hold based on both BGP RIB entries, and CEF. But it doesn't seem to be.

Any help is greatly appreciated.



Simple hardware client VPN for remote users?

Looking for a way to issue my remote users a small hardware device they could plug into their home networks, then plug in or wifi to the device to have direct access to our corporate networks. I know Meraki APs have the Teleworker VPN capability that does pretty much exactly what I want, but $600+ per user for the APs plus yearly licenses fees is a little steep. Are there any alternatives (besides roll-my-own)?



Looking for a completely silent network switch.

I am putting wired networking throughout my house and have one room that has to have a network switch in it, as it has two devices. I also sleep in this room and would like the switch to not make a noise. The devices (which are soundless) may be on while I am sleeping. I have heard that switches can have high-pitched beeps or a whine to them.

I have also heard of fan-less switches; will these work, or will they still make sound? Are there any suggestions for a network switch which someone can say is really quiet? Only need a couple of ports (5-8).



Problems with NAT

I am attempting to NAT an internal IP address to an external IP address. The problem that I am running into is that the IP address on the inside that I am trying to get to will not take the external address. I can apply the NAT to another IP address in that VLAN with no issue, but it will not work with the one I need it to.

Essentially, the connection is MDF -- Meraki -- Rocket -- C3560X -- Topcon unit. If I NAT the VLAN IP address on the C3560X it works just fine; if I use the IP on the Topcon, same VLAN, it does not work.



Take a demotion for a possible better future career?

Currently I work as a network tech. First IT job and I've been here about a year and a half. The job is good, no complaints really, and I'm getting hands-on Cisco/networking experience. However, the pay is dirt and there's 0 opportunity to rise in rank (admin, engineering, etc.)

My friend works at a very large (within the top 50 of the Fortune 500 list) company and encouraged me to apply for an IT position there. I didn't get called for an interview for that position but I did get an email from an internal recruiter to set up an interview for another position there. I talked with the recruiter and she mentioned the job is basically "tier 2" desktop support. The pay is a little better than what I'm making now but it's hourly (I'm salaried) and the hours are Tuesday-Saturday 8-5PM. (There were 2 other times available: Sunday-Thursday and Wednesday-Sunday 7PM-3AM.) She sent my resume off to the hiring manager and he wants to set up a face-to-face interview for this position. However, I'd have to take a day off work since the location is 2 hours away each way.

So I guess my question(s) are: if I do get the job offer, should I take it? My friend says the company hires a lot of internal workers and the opportunity for promotion is pretty high (within his department anyway).

I'm looking to eventually move into administration/engineering but I don't know if this role would allow me to do that. (Would I be breaking any rules if I named the company? I guess if anyone wants to know just PM me and I'll tell.) Also, would it be rude/look bad to ask for a "pre-interview" phone interview to see if the position is something I would want to do and inquire about moving up within the company, instead of driving 2 hours and wasting a day of work and finding out it's nothing I want to do?



Cisco 3750x: twinax configuration

Hi,

I was hoping someone could help me out with the configuration of a twinax cable into my network.

Just got a new EMC Unity 300 and want to utilise its 10GbE connection, so the solution I have is to use an active/passive twinax configuration.

What I am unsure about is the configuration for the 10GbE ports on the switch. Currently on the standard 1GbE port I just simply set the trunk and encapsulation and it's up and running; is this the same for the 10GbE ports?



3850 dropped packets

Over the weekend, we replaced 2 4948Es in the core with 2 3850-24XS switches running IOS 16.3.5b. We have a 4x1G port-channel going to one of the core ASAs pushing around 400Mbps (176232 pps) and were dropping enough packets to be production impacting. During our call with Cisco, we changed the hashing to spread out the load a bit, as well as adjusting the buffer with "qos queue-softmax-multiplier 1200". Both helped, but not enough. Any suggestions? It may be possible to return the 3850s and replace them if there's a better solution to this. We also saw CPU at around 85%, which may or may not be related to the dropped packets - I'm currently leaning towards not being related, since our changes didn't affect CPU at all.



Converting fiber with an adapter

Curious if it is possible to convert these two ends of fiber to work together without a media converter or would it be smarter to just run another line of fiber through the building?

https://imgur.com/a/jFe5Q7j

I am guessing one is SC Male Single Mode and the other is LC Male Single Mode?

Thanks!!!



WAN latency, packet loss and bandwidth emulator for SD-WAN solutions testing

I have not looked at WAN emulators in a long while, so the last one I was familiar with was the WANem product. I am not even sure if this link points to the true (latest) code source site - I just googled for it and pasted it here.

Has anyone used anything, lately, from the open source / freeware space, to simulate particular conditions under which SD-WAN products could be tested, to show their "behavior", under specific [multi]circuit conditions?



4-post shelf for 4-post 19" telecom racks?

I have a 2-post telecom rack (19" 10/32 threaded round-hole rack) with a 4-post add-on kit turning it into a 4-post round-hole rack.

I'm looking for a 4-post shelf with adjustable depth that will attach to round-hole racks with 10/32 screws...

I need to mount 2x tower servers... don't ask.

Thoughts?



Linksys Velop Question

Hello everyone, and I’m sorry if this has been answered before. I’m going to visit my parents in the Middle East during the summer and the only thing available, and what they have, is DSL provided by a TP-Link modem/router combo. If I purchase a Linksys Velop here in the States and bring it with me, will that work with their setup? I want to try to extend the range of what they have. Any advice would be much appreciated.



Job Searching

So I don't know if this is a good place to post. I'm currently ready to get out of the place that I'm working. I had bad experiences with job search sites in the past and what got me into my current role was contract to eventual hire. I attempted to apply to some internal jobs but I wasn't considered for them. Any help in the right direction would be great.



[Cisco] I wrote a script that will take an IP address and return the edge switch and port to which it's connected

Hey everyone,

After finding myself manually going through the process of taking an IP, getting its MAC, then checking MAC tables to find what switch and port the device is connected to, I wrote a Python script to automate the process.

https://github.com/routetehpacketz/cisco-ip-trace

Here's an excerpt from the README that explains its usage:

  • Open a command prompt/terminal and run cisco_ip_trace.py

  • Fill out the following prompts:

    Enter the IP address of the core router/switch that can ARP for the IP address to scan:
    Enter IP address to trace:
    Username:
    Password:

  • Press Enter

The script will then use a series of show commands and regexes against the outputs to identify the port the associated MAC address is learned on, determine if there is another Cisco switch connected via CDP, and continue the trace until it reaches a port where no switch is detected. It will then print its findings like this:

10.1.10.10,000.abcd.ef12,SwitchA,Gi1/0/1

Currently this script is only designed to work on Cisco devices, but I intend to continuously find ways of improving it and hope to provide support for other platforms. Please see the GitHub page for a more complete list of requirements and known issues.

I greatly appreciate any feedback, positive or negative, and I hope this script is useful to at least one person on here. Please let me know what you think! Thanks!
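To make the ARP, MAC-table and CDP hop-by-hop flow concrete, here is an added offline re-creation of that trace (not the cisco-ip-trace script itself): the `show` outputs, hostnames and addresses of the two-switch lab are constructed, and `run_show` stands in for the SSH session the real script would open.

```python
"""Offline re-creation of the IP-to-edge-port trace described in the post."""
import re
from typing import Dict, Optional, Tuple

# Constructed `show` outputs for a two-switch lab; hostnames and addresses are made up.
LAB: Dict[str, dict] = {
    "10.0.0.1": {
        "hostname": "Core",
        "show ip arp": (
            "Protocol  Address          Age (min)  Hardware Addr   Type   Interface\n"
            "Internet  10.1.10.10             12   0000.abcd.ef12  ARPA   Vlan10\n"
            "Internet  10.1.10.1               -   0000.0c07.ac0a  ARPA   Vlan10\n"
        ),
        "show mac address-table": (
            "Vlan    Mac Address       Type        Ports\n"
            "----    -----------       --------    -----\n"
            "  10    0000.abcd.ef12    DYNAMIC     Gi1/0/24\n"
        ),
        # keyed by local port, as `show cdp neighbors <port> detail` would be run
        "show cdp neighbors detail": {
            "Gi1/0/24": (
                "Device ID: SwitchA\n"
                "Entry address(es):\n"
                "  IP address: 10.0.0.2\n"
                "Platform: cisco WS-C3750X-48,  Capabilities: Switch IGMP\n"
            ),
        },
    },
    "10.0.0.2": {
        "hostname": "SwitchA",
        "show ip arp": "",
        "show mac address-table": (
            "Vlan    Mac Address       Type        Ports\n"
            "  10    0000.abcd.ef12    DYNAMIC     Gi1/0/1\n"
        ),
        "show cdp neighbors detail": {},  # Gi1/0/1 is an edge port: no CDP neighbor
    },
}

MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"


def run_show(device_ip: str, command: str):
    """Stand-in for an SSH session: returns the canned output for a lab device."""
    return LAB[device_ip][command]


def arp_lookup(arp_output: str, ip: str) -> Optional[str]:
    """Pull the MAC for an exact IP out of `show ip arp` output."""
    m = re.search(rf"Internet\s+{re.escape(ip)}\s+\S+\s+({MAC_RE})", arp_output)
    return m.group(1) if m else None


def mac_port(mac_table: str, mac: str) -> Optional[str]:
    """Port on which a MAC is learned, from `show mac address-table` output."""
    m = re.search(rf"{re.escape(mac)}\s+\S+\s+(\S+)", mac_table)
    return m.group(1) if m else None


def cdp_neighbor_ip(cdp_detail: str) -> Optional[str]:
    """Management IP of the CDP neighbor, from `show cdp neighbors ... detail`."""
    m = re.search(r"IP address:\s+(\d{1,3}(?:\.\d{1,3}){3})", cdp_detail)
    return m.group(1) if m else None


def trace_ip(core_ip: str, target_ip: str) -> Tuple[str, str, str, str]:
    """Follow the MAC from the core, switch to switch via CDP, to the edge port."""
    mac = arp_lookup(run_show(core_ip, "show ip arp"), target_ip)
    if mac is None:
        raise LookupError(f"{core_ip} has no ARP entry for {target_ip}")
    device_ip, visited = core_ip, set()
    while True:
        if device_ip in visited:  # guard against a CDP loop
            raise RuntimeError(f"already visited {device_ip}")
        visited.add(device_ip)
        port = mac_port(run_show(device_ip, "show mac address-table"), mac)
        if port is None:
            raise LookupError(f"{device_ip} has not learned {mac}")
        neighbor = run_show(device_ip, "show cdp neighbors detail").get(port)
        next_hop = cdp_neighbor_ip(neighbor) if neighbor else None
        if next_hop is None:  # no switch behind this port: this is the edge
            return target_ip, mac, LAB[device_ip]["hostname"], port
        device_ip = next_hop


def format_result(result: Tuple[str, str, str, str]) -> str:
    """Same comma-separated layout as the README example."""
    return ",".join(result)


if __name__ == "__main__":
    print(format_result(trace_ip("10.0.0.1", "10.1.10.10")))
```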



ANSI, TIA, BICSI, etc.: what are the relations?

Note: I'm talking about structured cabling.

I'm a little bit confused between all these organizations. I know that ANSI is the American standards body. And I know that TIA has standards for structured cabling and other things. And I also know that BICSI provides training, has the IT experts and provides best practices and guidelines for the same.

But what I'm confused about (for TIA, BICSI) is:

1) Are they providing standards, or only best practices, training, etc.?

2) Are they contributors with ANSI, or what? Since I see, for example, ANSI/BICSI 00x standards. What does that mean? Does that mean ANSI had an agreement with BICSI to make standards?

3) How many communication standards organizations are there in the USA? Only ANSI?

4) What is ANSI doing for communication standards? Are they the ones who write their own communication standards? Since for 99% of the SCS I see ANSI/TIA/EIA, not ANSI alone.

5) What does ANSI/TIA/EIA XXX or ANSI XXX mean?

Thanks a lot and sorry for my bad English :)

Kindly fill the gap for me..



FMC and 4150 Failover - And Making Changes

Hi All,

I have an HA pair of FMC 2500s, and an HA pair (act/stby) of 4150s. These are hosted inside two DCs so either datacenter can go down, and I will still have a working 2500 and 4150.

I have an upcoming power outage in one datacenter, and I want to use this window to make a standard bunch of policy & object changes on the 2500 and 4150 that are still alive in the other datacenter. My understanding is that when the other DC gets its power back, my config changes would be synced back across to the non-live devices. However, when there's been an outage I've never actually changed config before restoring the HA problem. So I am wondering if this will work.



Cisco 3560 appears to have reloaded itself and cleared its configuration

Hi All,

I have just seen something strange occur on an access switch and was wondering if anyone else had seen the same thing before.

The Switch is a Cisco 3560 running firmware c3560-ipbasek9-mz.122-55.SE4.bin

The switch appears to have reloaded itself and wiped its configuration. The configuration that was running on the switch had been saved many times, so it was not a case of the switch being powered off and the running configuration never having been copied to startup.

I tried looking for a crashinfo file to maybe tell me what had happened but I do not see one.

Anyone got any idea what might have happened?

Thanks in advance

SW



SecurityMetrics Vision

Anyone using Security Metrics Vision appliance for their internal PCI scanning? We have been using Tenable.IO for a number of years and while very happy with it the Vision product is coming in at almost half the price.



Transceiver model for Nexus 9396

Hi,

Are there any 100Mb Single Mode Fiber transceivers available for Nexus 9396?

Always had issues picking the right one...



Radius Request from SSID without AAA Server

Hello

I have migrated to a new ISE server. On the old one I still get one RADIUS Access-Request from a MAC which is on an SSID with no configured AAA servers.

So does anyone know how the hell the request gets to the old ISE server?



Palo Alto Radius Authentication Server off non-management port?

Labbing this up in prep for new role.

I've configured a Palo Alto VM to authenticate via a RADIUS server; the RADIUS server is not located off the management port, rather it's what I've designated as "inside".

RADIUS authentication is failing and upon checking a pcap I can see that the Palo is looking for the RADIUS server off its management port, even though the subnet is off a different interface.

Am I misunderstanding something with this? Should the RADIUS server be located off the management server instead?

Also I have noticed that if I do not specify a source when pinging anything on the inside LAN from the FW, it will send the ARP requests down the management interface as well. Is this to be expected?



Netflow Analysis: is this data wrong or am I under attack?

Hi gents,

I'm recently on the "Elasticsearch log analysis" mood.

I've just set up a collector for my Netflow logs coming from about 20 devices across Europe.

Everything seems fine; I have consistent data about flow directions and TCP/UDP byte usage. But regarding other protocols (e.g. ICMP, HOPOPT and so on) I'm getting these huge values under bytes (flow export related to 1 hour):

https://ibb.co/jEVuqo

e.g. HOPOPT 1.6 TB of bytes and 5k flows in the last hour? Seems a bad reading or conversion, right?



(Network Simulator) Configuring iptables firewall for a business network question

Hey everyone,

I'm setting up a business network in a network simulator but there's one thing I don't understand. I want to allow traffic only from the internal network and it works well when I allow access to specific subnets but how can I allow access to the whole network in the same command?

E.g. iptables -A FORWARD -i eth0 -p http -s 112.143.98.0/24 --destination-port 80 -j ACCEPT

So when I replace -s with 112.143.0.0/24 it doesn't work anymore. And I tried 112.143.00.0/24 with the same result. But everything I've found on Google says to do it this way.

Am I missing something? Any help is much appreciated.



Monday, May 21, 2018

What traffic is illegal to decrypt and why?

At a Cisco conference the keynote speaker mentioned it was illegal to decrypt bank traffic. In my efforts to find out if we are doing that I was forwarded to legal, who are asking me what I am talking about. Sadly I can't find this online easily. Anyone know what laws the Cisco guy was talking about?



Recommendation for mid-range hotspot?

I'm planning on installing a hotspot to give free internet access to the patients at a children's hospital.

Given that I have a house with great line of sight visibility to one of the walls of the hospital, what would y'all recommend for equipment? The house is 30-40m away from the hospital.

Also, I understand that this is not a very good solution and potentially a significant percentage of the building won't get very good reception, but these are the parameters I have to work with...



Low-Voltage / Network Specialist

I've been challenged to come up with a job role/description of an individual who would interface with groups like a facilities and/or contractor group needing to perform work in the telecom rooms. The role specifically is to be a liaison between the facilities/contractors and IT. They would need to have basic skills in both layer 1 technologies as well as basic skills in networking, as they would essentially be helping with ensuring governance and compliance of telecommunication standards across the board. Typically, this is just a regular old engineer job, but in my case, we are very thin and aren't able to meet with contractors, etc., on a regular basis to ensure their work is going into the right locations, with the right parts, etc.

Having said that, have any of you found you had a similar need for a lower tier team member with layer 1 and networking understanding? How did you write your job role/description? Does such a person exist?



Managed IPphone company recommending switch upgrade/replacement prior to VoIP rollout; sales pitch or necessary?

Hello all, new to posting on here, so I apologize in advance if I'm not following some specific format/guideline for asking this question. I will also mention up front that I am not a networking hardware expert, but I understand the basics.

Basically the title says it all. We are moving to a cloud-based IP phone system managed by our phone company and from what I've gathered, they pretty much told us we had to upgrade our switches early on in the process, but when an engineer came out for a site survey, they seemed pretty confident that our current setup would suffice (I was also brought into the project after the decision/recommendation for new switches was brought up). We are pretty standardized on Dell N3048 (core/MDF), N2048P and N2024P (IDF) switches throughout our environment. I'm trying to wrap my head around why they're pushing for new switches without stirring up too much drama with the phone company itself. I'm not 100% clear on the PoE functionality of the N3048, although it appears to have some, which could be part of the reason they originally pushed for updated hardware?

We currently have a hodgepodge of digital/IP phones, some of which are already functioning just fine on the switches using PoE, although it does seem like power may be an issue on these switches for higher-powered phones?

We aren't against upgrading our hardware, we just want to understand why it would make sense.

TL;DR Does it make sense to upgrade/replace your Dell N3048 (Core/MDF) and N2048P/N2024P (IDF) switches if you wanted to move to PoE/VoIP managed phones, or would that hardware handle it just fine as is or with some upgrading?

We have approximately 100 employees/phones spread out over 4 physical buildings (in an office park) with fiber connecting most of the IDFs.



Same old ISP NAT problem

Hi, I'm dealing with this problem for a long time now and i'm out of solutions.

I'm a simple man who wants to access, from outside the local network, my Raspberry Pi running Transmission on a random port. The problem is always the same: my ISP's NAT. I know that this is a well-known situation and I've read a lot about it, unfortunately without any result. A public IP and ISP port forwarding are not an option in my case.

From the internet it seems that the only solutions are:

1. Reverse SSH: I did not try this in person but, from what I understand, it simply uses a VPS as an intermediary router to allow an SSH connection from outside the network to my Raspberry Pi. The problem is that I want to access a web panel, hosted on http://localraspiIP:serviceport and, from what I can understand, this method can't allow me this.

2. VPN: This is the choice I tried initially, with strange results. My idea was simple. If I set up an OpenVPN server on a VPS, then I can connect both my Raspberry and my phone to this new network, obtaining "local" IP addresses. I managed to create this. My Raspi was connected with a new interface tun0 and a new IP address like 10.x.x.x. The same was true for my phone and all seemed correct. Ping from one device to another with the new class A IP worked and the VPN was doing its job. But, even in this situation, trying to access the Transmission control panel from my phone using http://10.x.x.x:transmissionport led me to another fail.

Now, with my bad English, I'm asking if someone has a suggestion. I really want this working; all these problems are driving me crazy.

Thanks to everyone who has the patience to read all my post.



Sonicwall TZ Soho series vs TZ300 for small dentist office

Dentist office with about 13 workstations. 6 of them only do intranet tasks. 4 others do mostly intranet with occasional email and basic web. 2 are servers and rarely do anything internet related. The remaining one, the doctor's PC, does both intranet and moderate internet including online shopping, streaming audio and video, etc.



How do you make your network scalable?

I'm studying for my CCNA and came across this aspect of a network: scalability. Now, I understand that the network should be scalable (obviously, and especially, for enterprise networks). But, isn't this aspect already implemented when you purchase modern networking equipment? Like, isn't scalability already included in the up-to-date models of the equipment?

What would a network engineer have to do to ensure a network is scalable, apart from purchasing updated equipment when the network is initially installed?

I may not be in the right spot, so forgive me.



Does anyone know of some sample networking logs?

Hey everyone, I'm designing an incident response training event for a group of high school kids. For that, I'm looking for some true-to-life noise to populate the scenario. I don't need or want any real data, but I am looking for something that looks and smells like the logging that a mid-size building would enable, specifically:

  • Firewall
  • Incoming VPN connections

Once I have these logs in hand, I plan to hack them up so that they suit the scenario and the audience.

Does anyone know of a resource that has a set of dummy logs for this kind of thing? Maybe a dummy set that you can use to test/integrate into a monitoring platform?



Anybody know if a Cisco 40G->10G breakout cable will step down to 1G?

Hello,

It looks like I will need to connect a 1G-only device (fiber) to a Cisco 9236c switch which has QSFP ports only.

I know that CVR-QSFP-SFP10G will work for this, but I don't have them in stock.

So my question is - do I need to rush order this adapter, or do you know if 40G QSFP with breakout cable would be able to work at 1G with the end device?

Thanks!



Weird routing issue with Ubiquiti nanobeam 5AC Gen 2 antennas (x-post from r/Ubiquiti)

I posted this on r/Ubiquiti, nothing but crickets, so here we go.

[Here's the current topography](https://imgur.com/a/oV2gXjh)

I know this might not be the most efficient setup, and I will most likely be making some changes before there are actual users at the branch site. That said...

The issue I have here is that no device on the 1.0 subnet can ping ANT1 at the 1.90 LAN address. It seems like any static routes actually overrule directly connected hosts.

Current facts:

  • Subnet 2.0 (branch office) has total access to everything: all internal LANs and WAN.

  • ANT1 can be reached via the 10.0.0.1 IP as expected, from any subnet.

  • The ASA is the only device in the 1.0 subnet that can ping 1.90.

  • Any device can reach ANT1 via 1.90 IF I add a static route for them on ANT1.

One caveat that confused me was that the "WAN" interface only seems to be able to be present on the WLAN side, which makes the default gateway a little confusing since it's pointing the wrong way. Nothing from the 2.0 subnet could ping anything from the 1.0 subnet until I added the 192.168.1.0/24 --> 192.168.1.90 static so the ASA could hairpin route the traffic back on the same interface. Now everything works, except 1.0 devices can't ping 1.90; they have to ping 10.0.0.1.

Is this normal behavior for Ubiquiti, to have a static route overrule directly connected subnets with correct subnet masks?

Again, I know there are different, more efficient topologies. But even so, shouldn't the antenna still reply to pings on the same subnet?



Bind IP to hardware box in ASA active/standby cluster

Hi all,

In an active/passive ASA cluster you have a primary unit and a secondary unit - let's call this a role. Each unit also has a state which is either active or standby. When you define the ip on an interface the syntax is: "ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2". This means that the IP address is bound to the state, not the role of the interface. I've always found this confusing, when doing a failover you can end up on the other box without even realizing it.

Is there any possibility to bind one of the interfaces to the actual hardware box, such that in the case of a failover, when the states of the boxes change, the address remains bound to the same hardware?

I would be tempted to say that if I just enter "ip address 192.168.1.1 255.255.255.0" without the standby part, then this would work, but then the ASA will replicate this to the standby unit and I will end up with a duplicate IP situation, I suppose.

To summarize - supposing I have an active/standby ASA cluster with one box in datacenter A and one box in datacenter B, can I configure an IP address in such a way that it will always take me to the box in datacenter A, regardless of the state of that box at that time?

Is this possible in multiple context mode?

Otherwise I guess the only way to achieve what I want is via a console router, or worse, going into the DC and putting a console cable into the ASA.

Regards,

Paul



Your Monday can always be worse (x-post: Bomb in the server room?)



eNMS v2: a web-based app to automate your network graphically with netmiko/napalm/ansible workflows

A few months ago, I shared here the first version of eNMS. In case you've missed it, the idea was to implement a web-based GUI for the most commonly used libraries for network automation, namely Netmiko (both for pulling data and configuring a device), and NAPALM (data retrieval with NAPALM getters, and configuration management with NAPALM load/commit/rollback functions).

I've been working on it actively for the past few months and I'm glad to release a new version: eNMS 2.0 (github)

The most significant changes are:

  • eNMS now supports sending Ansible playbooks.

  • The introduction of workflows. Scripts (netmiko, napalm or ansible scripts) can be combined together to form a "graph of scripts". Rather than a long explanation, here are two examples (double-click on a script to find out what it does): a workflow using Netmiko configuration and file transfer functions to perform an OS upgrade, and another workflow combining NAPALM and Netmiko to commit a configuration, run some checks afterwards and rollback if the state of the device is not what's expected.

  • Before, network visualization (display the network on a world map or via a force-directed drawing algorithm) and network automation (scheduling netmiko/napalm scripts) were independent features. Now, all the automation is done graphically, i.e. you can schedule a script/workflow by selecting the target devices directly from the graphical view (from the world map, or the force-based graph drawing).

  • A task can be scheduled to run a command periodically and store the outputs of a command in the database. eNMS then creates a line-by-line diff of the outputs between any two versions. You all know network configuration backup tools like Rancid and Oxidized: eNMS can do the same thing, but for virtually any command.

Check out the github readme where I provide a step-by-step explanation of the process (network creation, visualization, script and workflow creation, and graphical scheduling) with a video for each step. At each step, the readme also links to the online demo where you can try everything I've described by yourself.

Note: Works for any OS (Windows/Linux/Mac), any version of Python from 2.7 to 3.6. Contributions are most welcome! We are on the networktocode Slack, channel #enms, if you have questions, requests, want to contribute or simply discuss the project.

Other useful links: Online demo, Documentation



Upgraded switches, can't ping, https or SNMP monitor

OK, I changed out three sg500 52 port poe switches (stacked) with three sg500x 48 port (stacked) switches and, unless it's from the same subnet, I can't ping, connect to gui or monitor SNMP with them. The old switches were L2 only and, except for that, the IP and system config were basically the same. The 500x's are L2/L3. Do I need to add IPv4 routes to remote monitor and manage them?

I can provide configs if requested but thought I would start with this first to see if it was just something stupidly obvious that I'm overlooking.

Be gentle, thanks!

Edit: the new ones are POE as well.



Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.



what tools do you use to analyse very verbose logs example - show log on cisco devices

What is an efficient way of analysing walls of text? Currently, I am using notepad++ but are there better tools?

Is python effective?
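Since the question is whether Python is effective for this, here is an added example (not from the thread) that parses constructed "show logging" lines from an IOS device into facility/severity/mnemonic records, counts them, filters by severity, and pulls out the interfaces that flap. The sample lines and the interface-name pattern are constructed for the example, not taken from any real device.

```python
"""Summarise a Cisco 'show logging' dump: parse each %FACILITY-SEVERITY-MNEMONIC
message, count by tag, filter by severity and find flapping interfaces.
Added example, not from the original thread; the log lines are constructed."""
import re
from collections import Counter

# Constructed sample of what 'show logging' prints on IOS (not real device output)
SAMPLE_LOG = """\
*May 21 08:01:12.345: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down
*May 21 08:01:13.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/7, changed state to down
*May 21 08:01:20.770: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
*May 21 08:01:21.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/7, changed state to up
*May 21 08:03:45.118: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.55] [localport: 22] [Reason: Login Authentication Failed] at 08:03:45 UTC Mon May 21 2018
*May 21 08:03:49.210: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.55] [localport: 22] [Reason: Login Authentication Failed] at 08:03:49 UTC Mon May 21 2018
*May 21 08:04:02.500: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 198.51.100.9] [localport: 22] at 08:04:02 UTC Mon May 21 2018
*May 21 08:10:00.000: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (198.51.100.9)
*May 21 08:12:30.333: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/12, putting Gi1/0/12 in err-disable state
"""

# The %FAC-SEV-MNEMONIC tag is the stable part of every IOS syslog message
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
# Interface names in long or short form (constructed list of common prefixes)
IFACE_RE = re.compile(
    r"\b(?:GigabitEthernet|Gi|TenGigabitEthernet|Te|FastEthernet|Fa)\d+(?:/\d+)+\b"
)


def parse_log(text):
    """Return one dict per syslog message; lines without a %FAC-SEV-MNEMONIC tag
    (banners, wrapped continuation text) are skipped."""
    records = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["severity"] = int(rec["severity"])
        rec["interfaces"] = IFACE_RE.findall(rec["text"])
        records.append(rec)
    return records


def count_by_mnemonic(records):
    """Counter keyed by the full FACILITY-SEV-MNEMONIC tag."""
    return Counter(f"{r['facility']}-{r['severity']}-{r['mnemonic']}" for r in records)


def flapping_interfaces(records, min_events=3):
    """Interfaces named in at least `min_events` LINK/LINEPROTO UPDOWN messages."""
    c = Counter()
    for r in records:
        if r["mnemonic"] == "UPDOWN":
            for iface in r["interfaces"]:
                c[iface] += 1
    return {iface: n for iface, n in c.items() if n >= min_events}


def at_or_above(records, severity):
    """Messages at the given severity or more urgent (lower number = more urgent)."""
    return [r for r in records if r["severity"] <= severity]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for tag, n in count_by_mnemonic(recs).most_common():
        print(f"{n:4d}  {tag}")
    print("flapping:", flapping_interfaces(recs))
    print("warning or worse:", [r["mnemonic"] for r in at_or_above(recs, 4)])
```

To use it on a real device, paste the saved "show logging" output in place of SAMPLE_LOG (or read it from a file). The tag regex is what makes this more reliable than searching in Notepad++: the facility and mnemonic are fixed strings across IOS releases, so counting by tag and filtering with at_or_above(recs, 4) surfaces the login failures and the port-security err-disable event without reading every line.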



Nexus 93180YC-EX - 2348UPQ FEX Problem.

I have a problem when configuring a FEX on an N9K 93180YC-EX with a 2348UPQ. I connect one 40G port on the 93180 to one 40G port on the 2348UPQ using the SFP QSFP-40G-SR-BD. My NX-OS: nxos.7.0.3.I7.3.

When I configure the FEX on the 93180, it doesn't discover the 2348. The LED of the 40G port on the 2348 turns off.



Is it possible to use 802.1x in a Cisco Catalyst switch without an external RADIUS server?

I have a use case where 802.1x is wanted but the switch the clients connect to will not be able to reach an external RADIUS server for authentication of the clients.

Is it somehow possible to configure a local "RADIUS server" in a modern Cisco Catalyst switch, or is there some other trick available to use 802.1x along with a guest VLAN which is then switched into a prod VLAN once the client is authenticated?

The authentication in this case is fine if it's just based on MAC address (I will still apply port-security so not just any box will be able to be plugged into these switches), but something like EAP-MD5 would be fine too because I'm not expecting to be able to do cert-based authentication at this point (unless there is a method for this available without an external RADIUS server?).

This deployment guide mentions MAB (MAC Authentication Bypass) but that still seems to require an external RADIUS server; however the below is mentioned, so I'm hoping somebody in here might already have experimented with this and can point to some example configs or such?

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html

2.4.6 Inaccessible RADIUS Server

When the RADIUS server is unavailable, MAB will fail and, by default, all endpoints will be denied access. In a highly available enterprise campus environment, it is reasonable to expect that a switch will always be able to communicate with the RADIUS server, so the default behavior may be acceptable. However, there may be some use cases (for example, a branch office with occasional WAN outages) in which the switch cannot reach the RADIUS server, but endpoints should be allowed access to the network.

If the switch already knows that the RADIUS server has failed (either through periodic probes or as the result of a previous authentication attempt), a port can be deployed in a configurable VLAN (sometimes called the critical VLAN) as soon as the link comes up. Because the switch has multiple mechanisms for learning that the RADIUS server has failed, this outcome is the most likely. If the switch determines that the RADIUS server has failed during a MAB authentication attempt (for example, if this is the first endpoint to connect to the switch after connectivity to the RADIUS server has been lost), then the port will be moved to the critical VLAN after the authentication times out. Previously authenticated endpoints will not be affected in any way; if a reauthentication timer expires when the RADIUS server is down, the reauthentication will be deferred until the switch determines that the RADIUS server has returned.

When the RADIUS server returns, the switch can be configured to reinitialize any endpoints in the critical VLAN. This behavior poses a potential problem for a MAB endpoint. When the MAB endpoint originally plugged in and the RADIUS server was unavailable, the endpoint received an IP address in the critical VLAN. Because the MAB endpoint is agentless, it has no knowledge of when the RADIUS server has returned or when it has been reinitialized. If the device is assigned a different VLAN as a result of the reinitialization, it will continue to use the old IP address, an IP address that is now invalid on the new VLAN.

There are several ways to work around the reinitialization problem. You can disable reinitialization, in which case, critical authorized endpoints will stay in the critical VLAN until they unplug and plug back in. You also can set the critical VLAN to the data VLAN (essentially a fail-open operation) so that the MAB endpoints maintain a valid IP address across reinitialization. If neither of those options is feasible, consider setting the DHCP lease time in the critical VLAN scope to a short time (for example, 5 minutes) so that a MAB endpoint will have an invalid address for a relatively short amount of time.

Would, for example, this be a doable workaround for such a use case as described in https://services.geant.net/sites/cbp/Knowledge_Base/Security/Documents/gn3-na3-ufs_133.pdf ?

    authentication event fail action authorize vlan <vlan-nr>
    authentication event server dead action authorize vlan <vlan-nr>
    authentication event no-response action authorize vlan <vlan-nr>

along with lowered timers:

    dot1x timeout quiet-period <sec>    ! default value 60
    dot1x timeout tx-period <sec>       ! default value 60
    dot1x timeout supp-timeout <sec>    ! default value 60


Cisco - Port security for 500+ Devices?

Hi and thanks for reading.

I'm an IT manager/sysadmin at a site trying to figure out how to deal with an operational problem. CCNA, but by no means a networking expert.

It's a hotel, and we have 500+ TVs running on CAT6. Due to PCI, we need port security on the LAN ports that TVs are plugging into. The original "solution" was to set the ports to sticky-MAC. This sort of works; however, when the maintenance guys replace a broken TV, it locks the port because it sees a different MAC address. This creates an operational issue and guest complaints because our networking is outsourced, and the SLA for a downed port is 4 hours. This is a long time for a guest TV to be out of service....

I'd like to create a huge whitelist of all our current TVs, plus all the backups we have sitting in the storage room and use that for port security. I'm not sure if this is possible with this many devices.

Any other suggestions?

Thanks in advance...
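One way to build that whitelist without typing 500 entries by hand, as an added example that is not from the thread: a Python script that turns an inventory CSV into per-port port-security config. Each port is allowed its own TV's MAC plus every spare sitting in the storage room, MACs are normalised to Cisco's dotted form, and malformed or duplicate entries are rejected before anything reaches a switch. The inventory rows, interface names, VLAN number and CSV columns are constructed assumptions for the example.

```python
"""Generate per-port 'switchport port-security' whitelists from an inventory CSV.
Added example, not from the original thread; inventory rows, interface names and
the VLAN number are constructed for illustration."""
import csv
import io
import re

# Constructed inventory: one row per TV in a room, plus spares with no port yet.
INVENTORY_CSV = """\
room,interface,mac
101,GigabitEthernet1/0/1,AA:BB:CC:00:01:01
102,GigabitEthernet1/0/2,aa-bb-cc-00-01-02
103,GigabitEthernet1/0/3,aabb.cc00.0103
104,GigabitEthernet1/0/4,AA:BB:CC:00:01:04
spare,,AA:BB:CC:00:FF:01
spare,,AA:BB:CC:00:FF:02
bad,GigabitEthernet1/0/9,AA:BB:CC:00:ZZ:09
"""

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Accept colon, dash or dotted input; return Cisco dotted form, or None if invalid."""
    hexchars = re.sub(r"[.:\-]", "", raw.strip().lower())
    if not HEX12.match(hexchars):
        return None
    return f"{hexchars[0:4]}.{hexchars[4:8]}.{hexchars[8:12]}"


def load_inventory(csv_text):
    """Return (assigned, spares, rejected):
    assigned maps interface -> [macs], spares is a list of MACs with no port,
    rejected lists (room, raw_mac, reason) for rows that must be fixed by hand."""
    assigned, spares, rejected = {}, [], []
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = normalize_mac(row["mac"])
        if mac is None:
            rejected.append((row["room"], row["mac"], "malformed MAC"))
            continue
        if mac in seen:
            rejected.append((row["room"], row["mac"], "duplicate MAC"))
            continue
        seen.add(mac)
        if row["interface"]:
            assigned.setdefault(row["interface"], []).append(mac)
        else:
            spares.append(mac)
    return assigned, spares, rejected


def render_config(assigned, spares, access_vlan=100):
    """Emit IOS port-security config. Every port allows its own TV plus all spares,
    so swapping in a spare does not trip the violation; 'restrict' drops and logs
    unknown sources instead of err-disabling the port."""
    lines = []
    for intf in sorted(assigned):
        macs = assigned[intf] + spares
        lines += [
            f"interface {intf}",
            " switchport mode access",
            f" switchport access vlan {access_vlan}",
            " switchport port-security",
            f" switchport port-security maximum {len(macs)}",
            " switchport port-security violation restrict",
        ]
        lines += [f" switchport port-security mac-address {m}" for m in macs]
        lines.append("!")
    return "\n".join(lines)


if __name__ == "__main__":
    assigned, spares, rejected = load_inventory(INVENTORY_CSV)
    print(render_config(assigned, spares))
    for room, mac, why in rejected:
        print(f"# skipped room {room}: {mac} ({why})")
```

Two things to check before pushing the output: the per-port limit on secure MAC addresses differs by platform, so confirm the count of spares plus one fits on your switches, and "violation restrict" still raises a syslog/SNMP notification for an unknown source, which is the event your monitoring should alert on. A MAC whitelist only ever identifies the address a device presents, not the device, so where PCI scoping calls for device authentication it belongs next to 802.1X/MAB rather than in place of it.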



Speed test results slow but tests confirm speed

We just lit up gigabit Hurricane Electric via dark fiber to one of our buildings, and tests from HE on their side and using iperf from the inside out show speeds approaching 700Mbps, which is great. All the APs are Aruba and gigabit, and there doesn't seem to be channel interference anywhere, but online speed tests on WiFi are showing anywhere from 60 Mbps to maybe 150 Mbps.

Wired speeds are in the 200Mbps range according to those speed tests, but I'm wondering why I'm not seeing faster speeds like I am on my server hardwired into the network running iperf.



[Cisco IOS XE] iBGP vpnv4 neighbors only installing best routes from neighbors, working as intended?

TL;DR: iBGP only cares about and installs the best eBGP route within an AS into the BGP table when configured in AF vpnv4, but not in af ipv4 vrf RED. Working as intended or have I borked something?

Hiya, friends! Happy Monday to you all.

Simplified diagram: https://i.imgur.com/FA0KxAi.png

There are 2 links (DMVPN tunnels) between the spoke and each hub. I don't run MPLS between the hubs.

I have a couple more vrfs out to other spokes than the one specified here, they behave exactly the same. If I specify the iBGP neighbor session between my hubs within "address-family vpnv4" then BGP behaves differently than if I have the iBGP neighbor statements in each ipv4 unicast address family (vrf lite style).

With the neighbor statements in AF vpnv4, the only route that gets spread is the best way out (Local pref 2000) in HubB, HubA's BGP table is completely unchanged:

    HubA#sh run | sec ip vrf RED
    ip vrf RED
     rd 1:3
     route-target export 65001:3
     route-target import 65001:3
    HubA#sh run | sec vpnv4
     address-family vpnv4
      neighbor HubB activate
      neighbor HubB send-community both
      neighbor HubB next-hop-self
    HubA#sh ip bgp vpnv4 vrf RED
    BGP table version is 5, local router ID is 10.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed, t secondary path,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found

         Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 1:3 (default for vrf RED)
     *>  10.10.10.0/24    10.20.10.4               0   2000      0 65002 i
     *                    10.20.12.4               0    200      0 65002 i

    HubB#sh run | sec ip vrf RED
    ip vrf RED
     rd 2:3
     route-target export 65001:3
     route-target import 65001:3
    HubB#sh run | sec vpnv4
     address-family vpnv4
      neighbor HubA activate
      neighbor HubA send-community both
      neighbor HubA next-hop-self
    HubB#sh ip bgp vpnv4 vrf RED
    BGP table version is 5, local router ID is 10.1.1.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed, t secondary path,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found

         Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 2:3 (default for vrf RED)
         0.0.0.0          0.0.0.0                  0                    i
     *   10.10.10.0/24    10.20.10.4               0   1000      0 65002 i
     *>i                  10.1.1.1                 0   2000      0 65002 i
     *                    10.20.12.4               0    100      0 65002 i

If I, on the other hand, specify the iBGP neighborship per VRF (within address-family ipv4 vrf RED), all 4 ways to the LAN behind the spoke are visible in both hub routers.

Is this working as intended? Does it even matter if I see all the possible ways out or not? I tried killing the primary tunnel to the spoke (the one that gets marked with LP 2000), resulting in the LP 1000 tunnel being the primary way out from HubA too.
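To show why HubA's table stays "completely unchanged", here is an added example (not the poster's configuration and not Cisco's implementation) that models two plain iBGP rules with the local-preference values from the tables above: a speaker advertises only its best path to a peer, and it does not re-advertise to an iBGP peer a path it learned from iBGP (no route reflector, no add-path, no MPLS). The prefix, next hops, router IDs and AS number come from the post; the model is a simplification and does not cover the per-VRF neighbor case.

```python
"""Toy model of iBGP path advertisement between two hubs that both learn the
same prefix from a spoke in AS 65002 over eBGP. Added example, not the poster's
config and not a BGP implementation; local-prefs and addresses are from the post."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str
    local_pref: int
    as_path: tuple
    source: str  # "ebgp" for paths from the spoke, else the iBGP peer's name


@dataclass
class Router:
    name: str
    router_id: str
    rib: list = field(default_factory=list)

    def best(self, prefix):
        """Abridged best-path selection: highest LOCAL_PREF, then shortest AS_PATH,
        then eBGP over iBGP, then lowest next hop as a final tie-break."""
        cands = [p for p in self.rib if p.prefix == prefix]
        if not cands:
            return None
        return min(cands, key=lambda p: (-p.local_pref, len(p.as_path),
                                         p.source != "ebgp", p.next_hop))

    def advertise_to_ibgp(self):
        """What this router sends an iBGP peer: only best paths, and only those it
        learned over eBGP itself. next-hop-self rewrites the next hop to the router ID."""
        out = []
        for prefix in sorted({p.prefix for p in self.rib}):
            b = self.best(prefix)
            if b.source == "ebgp":
                out.append(Path(b.prefix, self.router_id, b.local_pref, b.as_path, self.name))
        return out

    def receive(self, peer, paths):
        """Adj-RIB-In semantics: replace everything previously learned from `peer`;
        a path missing from the new update has effectively been withdrawn."""
        kept = [p for p in self.rib if p.source != peer]
        new = kept + list(paths)
        changed = set(new) != set(self.rib)
        self.rib = new
        return changed


def build_hubs():
    """Two DMVPN tunnels per hub toward the spoke, local-prefs as in the post."""
    hub_a = Router("HubA", "10.1.1.1", [
        Path("10.10.10.0/24", "10.20.10.4", 2000, (65002,), "ebgp"),
        Path("10.10.10.0/24", "10.20.12.4", 200, (65002,), "ebgp"),
    ])
    hub_b = Router("HubB", "10.1.1.2", [
        Path("10.10.10.0/24", "10.20.10.4", 1000, (65002,), "ebgp"),
        Path("10.10.10.0/24", "10.20.12.4", 100, (65002,), "ebgp"),
    ])
    return hub_a, hub_b


def converge(hub_a, hub_b, max_rounds=10):
    """Exchange updates until neither RIB changes; return the two RIB sizes."""
    for _ in range(max_rounds):
        a_out, b_out = hub_a.advertise_to_ibgp(), hub_b.advertise_to_ibgp()
        changed = hub_b.receive(hub_a.name, a_out)
        changed = hub_a.receive(hub_b.name, b_out) or changed
        if not changed:
            break
    return len(hub_a.rib), len(hub_b.rib)


def failover(hub_a, hub_b):
    """Kill HubA's LP 2000 tunnel and reconverge; return each hub's new best path."""
    hub_a.rib = [p for p in hub_a.rib if p.next_hop != "10.20.10.4"]
    converge(hub_a, hub_b)
    return hub_a.best("10.10.10.0/24"), hub_b.best("10.10.10.0/24")


if __name__ == "__main__":
    a, b = build_hubs()
    print(converge(a, b))            # HubA keeps 2 paths, HubB ends with 3
    print(b.best("10.10.10.0/24"))   # HubB's best is the iBGP path via 10.1.1.1
    print(failover(a, b))            # HubA now prefers HubB's LP 1000 path
```

Running converge() reproduces the two tables in the post: HubA keeps its two eBGP paths and HubB gains one iBGP path, which becomes its best. Because HubB's best path is now one it learned from HubA, HubB has nothing to send back, so HubA never sees HubB's LP 1000 or LP 100 paths. failover() drops HubA's LP 2000 tunnel and ends with HubA preferring the LP 1000 path through HubB, which matches what the tunnel test showed. The model can only ever carry one path per prefix from a peer; whatever makes all four paths appear in the per-VRF case is outside what the post shows, and the model does not attempt it.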



Recommendation for Switches for RDMA and RoCE

Hi,

I wonder if anyone has recommendations for RDMA switches. We've been using Mellanox 100 Gbps plus switches. They are great but they are quite pricey. On the other hand, at the low end, Netgear switches (M4300 series) tend to support Priority Flow Control. I am still trying to figure out if RDMA is supported on those switches since I am not getting a clear answer. Does anyone have any recommendations for low-end enterprise switches that can support RDMA? Running a converged solution over regular switches is just too slow.

Thanks.



Sunday, May 20, 2018

How to block unknown devices from connecting to the network?

I want to create a whitelist of devices that can connect to the network, both wired and wireless.

I was thinking of filtering based on MAC addresses, but I now realise that spoofing a MAC address is trivial and so is sniffing out a whitelisted MAC address.

Is there a way to block unknown devices without harassing the user to verify themselves each and every time they connect to the network?



NX-OS debug to syslog

My Google-fu seems to be weak because I cannot find a way to send debug output on console or term mon to syslog. Any chance someone could point me in the right direction? I’d really appreciate it!



Any providers offering BGP to the public?

Are there any providers that would allow me to establish a BGP session with them (multihop or via a tunnel) without actually passing them any traffic or announcing any prefixes?

What I would like to achieve is to have a live view of all the prefixes announced and their corresponding AS paths (from one location is good enough).

I've been using HE's LG servers for this purpose and periodically exported the whole routing table, but it takes a long time and is not really reliable, so I would prefer to have a live BGP session.

Bonus points for IPv6 and if it would be doable with a private ASN, as I don't have access to a public one.



Looking for reference material recommendations (Extreme)

The MSP I'm currently working for has decided to add Extreme devices to our inventory. Until now, I've been working primarily with Cisco Meraki gear. Are there any command guides or reference guides out there for Extreme? My Google-fu has only returned a 3k+ page pdf of commands.

I'm looking for something dead-tree that I can keep on my desk.



Free Windows syslog server that can execute a script

hi,

Any knowledge of a free Windows-based syslog application that can execute a script or do an action?



Comcast or RingCentral VOIP for small business??? Suggestions please

Our phone system was fried after a lovely Miami lightning strike and we now have to switch rather quickly to VOIP. Comcast appears to be the fastest to switch to but not sure if it has the features and quality of RingCentral or others. Any pros/cons will help as we are completely new to this. We are a Windows oriented office with 10 phones. Thank you!



People who took the N007, or the previous networking plus test. What were some of the questions like and what areas should I really focus on?

So I just got my A+ about 15 days ago and I've been studying for the network plus 007 since then. Along with my current study resources I'm looking to get a good idea on what to maybe dial in a little bit more, so if anyone has any suggestions from their previous experience taking the test let me know. I'm also curious to hear how long it took you guys to study for the test as well, from what it looks like it should take me a month in total of studying. I'm fairly new to networking, so it's all a lot of new stuff for me.



spiceworks vs lansweeper

hey all

I'm considering helping out a nonprofit 30-student school near me. They're having networking issues.

The most concerning issue is they're "getting kicked out" of the network a few times per day. I'm not sure if they're getting kicked offline, or if they're just getting kicked out of the domain (or both).

To complicate things more, I'm a Windows guy. They're all using Mac minis. Not sure what their server is yet.

I'm leaning towards Spiceworks; Lansweeper's site says nothing that seems to suggest that it's good for checking network health / finding issues.

thanks in advance



A question about the ISDN?

I've read that "the telephone system is so tightly intertwined with (wide area) computer networks". I've also read briefly about the ISDN (Integrated Services Digital Network). Describe the architecture of VOIP internet call apps/websites, phone call spoofing/ prank call apps/websites, and internet SMS apps (For example. Twilio). Please elaborate greatly in somewhat layman's terms as I intend on building a similar application from scratch. Thanks in advance.