Saturday, June 30, 2018

Switch with SFP+ Combo ports

Does anyone know if any brand of switches comes with this kind of configuration? One of my clients is asking for a switch with SFP+ combo ports, but I already checked Cisco, Dell and HP and I could only find SFP combo ports.

Maybe another brand has this kind of port (Brocade, Extreme)?

Thank you



[question] about dial up modems

What protocol was used on the old telephone lines back in the day? Was it SLIP?



Is it possible to maintain a record of all the devices that connect to my router?

Total noob in networking here.

I want to make sure I know who logs onto my router (and preferably when), and save it to a file, for security reasons. I know I can look at the MAC addresses of the currently connected devices in the router menu, but is there a way to automatically collect this data and maintain a record of it? With some program, maybe?

Sorry if I violated sub's rules.
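As an added example (not part of the post above, and not any router vendor's tool): a small Python script that turns periodic snapshots of the router's neighbour table into an append-only log of new and moved devices. It assumes you can pull `ip neigh show` output from the router (many home routers run Linux and allow SSH, or export a "connected devices" list in a similar shape); the two snapshots below are constructed sample data. A MAC address can be spoofed, so treat this log as an inventory aid rather than proof of who connected; DHCP lease logs or 802.1X give stronger evidence.

```python
"""Append-only log of devices seen on a router, built from neighbour-table snapshots.

Added example, not code from the post. Assumes the router exposes `ip neigh show`
(Linux) output; the two snapshots are constructed sample data.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample snapshots, taken a few minutes apart.
SNAPSHOT_1 = """\
192.168.1.10 dev br0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.11 dev br0 lladdr aa:bb:cc:dd:ee:02 STALE
"""
SNAPSHOT_2 = """\
192.168.1.10 dev br0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.11 dev br0 lladdr AA:BB:CC:DD:EE:02 DELAY
192.168.1.42 dev br0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.43 dev br0  FAILED
"""

# One `ip neigh` line: "<ip> dev <ifname> lladdr <mac> <state>". FAILED lines carry no MAC.
# Extra flags (e.g. "router" on IPv6 entries) are not handled by this simple pattern.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17}) (?P<state>\S+)$"
)
# States in which the kernel has not actually confirmed the neighbour.
UNCONFIRMED = {"FAILED", "INCOMPLETE"}


def parse_neigh(text):
    """Return {mac: ip} for confirmed entries; MACs are normalised to lowercase."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group("state") not in UNCONFIRMED:
            seen[m.group("mac").lower()] = m.group("ip")
    return seen


def diff_snapshot(known, current, now):
    """Compare a new snapshot against the devices known so far.

    Returns (events, updated_known). Each event is one JSON line, so the log can be
    grepped or shipped to a SIEM later.
    """
    events = []
    for mac, ip in current.items():
        if mac not in known:
            kind = "NEW"
        elif known[mac] != ip:
            kind = "MOVED"
        else:
            continue
        events.append(json.dumps({"ts": now.isoformat(), "event": kind, "mac": mac,
                                  "ip": ip, "prev_ip": known.get(mac)}))
    updated = dict(known)
    updated.update(current)
    return events, updated


def run_example():
    """Process the two constructed snapshots in order and return all events."""
    t0 = datetime(2018, 6, 30, 12, 0, tzinfo=timezone.utc)
    known = {}
    log = []
    for i, snap in enumerate((SNAPSHOT_1, SNAPSHOT_2)):
        events, known = diff_snapshot(known, parse_neigh(snap), t0.replace(minute=5 * i))
        log.extend(events)
    return log


if __name__ == "__main__":
    # In production: run on a timer (cron) and append to a file, e.g. open("devices.log", "a").
    for line in run_example():
        print(line)
```

The script only records devices the router has actually talked to at layer 2, so a device that is connected but silent can be missed between snapshots; shortening the polling interval, or reading the DHCP lease file instead, closes that gap.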



In our tests Docker only lags 5% in performance, while pairing it with HAProxy makes our bidders 50% slower. Any clue why?

https://github.com/venediktov/vanilla-rtb/tree/master/docker_swarm

More details besides the README on GitHub. Our bidders use persistent connections; we configured HAProxy to use http-keep-alive, and without http-keep-alive it runs even slower. We disabled Docker mesh routing and added HAProxy because the mesh was dropping connections to our bidders. Btw, the Traefik proxy runs even slower than HAProxy. Here are the numbers on my machine:

  • 22K QPS single bidder response outside of Docker

  • 20K QPS single bidder response in Docker

  • 5K QPS with HAProxy + 1 bidder in Docker; HAProxy is part of the swarm but mesh routing to HAProxy is disabled

  • 2.5K QPS with Traefik proxy with 1 bidder behind the proxy; swarm mesh is disabled, sticky session in Traefik enabled

Tested HAProxy outside of Docker talking directly to a bidder also running outside of Docker: 7K QPS

QPS - Queries Per Second



Noob question

Can you explain like I'm 5 what a "commodity Internet" and Internet 2 are?

I am familiar with NIPRNet, and to me Internet2 sounds like another restricted backbone network. Am I right to compare it to NIPRNet?

Is the commodity Internet the same thing?



DHCP Relay Assistance Please

Imagine the topology of my network as this:

hosts --> layer 2 --> core switch --Layer3--> firepower box --Layer3--- > DHCP server. 

Originally the Firepower box was a pair of 5580s, and I've migrated them to Firepower firewalls. Works fine. However, I was reviewing my config tonight (3 weeks after my migration) and I realised I had forgotten to put the DHCP relay config on the Firepower boxes. YET, the DHCP service is issuing new IPs without issue. This has just defied my logic of how DHCP relay works. Currently the core switches have a DHCP relay configured to point at the DHCP server, but the Firepower box has zero DHCP relay config. I thought all layer 3 devices in the transit path towards the DHCP server required a relay agent. Is this not the case? What magic is happening here?
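The behaviour described above is expected, and the following added Python model (not from the post, no real sockets) shows why: the first layer 3 hop that has a relay configured fills in giaddr (bytes 24 to 27 of the BOOTP header, RFC 2131) and unicasts the request to the server; every hop after that, including a Firepower box with no relay config, is only routing a unicast UDP/67 datagram. The server addresses its reply to giaddr, so the answer comes back to the core switch, which then delivers it on the client VLAN. All addresses and the MAC below are constructed.

```python
"""Why only the first L3 hop needs a DHCP relay: a wire-format model (added example).

Builds real RFC 2131 packets with struct, but nothing is sent; the three "hops"
are plain functions. IPs and the client MAC are constructed for the example.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPDISCOVER, DHCPOFFER = 1, 2
ZERO_IP = ipaddress.IPv4Address("0.0.0.0")


def build_discover(chaddr: bytes, xid: int = 0x1234) -> bytes:
    """DHCPDISCOVER as the client broadcasts it: giaddr = 0.0.0.0, hops = 0."""
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0, xid, secs, flags (broadcast bit)
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    fixed += b"\x00" * 16                      # ciaddr, yiaddr, siaddr, giaddr (offsets 12..27)
    fixed += chaddr.ljust(16, b"\x00")         # chaddr (16 bytes)
    fixed += b"\x00" * 64 + b"\x00" * 128      # sname, file
    options = MAGIC_COOKIE + bytes([53, 1, DHCPDISCOVER]) + b"\xff"
    return fixed + options


def giaddr(pkt: bytes) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(pkt[24:28])


def hops(pkt: bytes) -> int:
    return pkt[3]


def relay_agent(pkt: bytes, relay_ip: str, server_ip: str) -> dict:
    """The core switch SVI with `ip helper-address <server>` (RFC 1542 relay behaviour)."""
    if giaddr(pkt) == ZERO_IP:                 # first relay fills giaddr with its own address
        pkt = pkt[:24] + ipaddress.IPv4Address(relay_ip).packed + pkt[28:]
    pkt = pkt[:3] + bytes([pkt[3] + 1]) + pkt[4:]   # every relay bumps hops
    # The broadcast is now a routed unicast datagram: src = relay, dst = server, UDP 67 -> 67
    return {"src": relay_ip, "dst": server_ip, "sport": 67, "dport": 67, "payload": pkt}


def transit_router(datagram: dict) -> dict:
    """A Firepower/any L3 hop with NO relay config: routes on dst, payload untouched."""
    assert datagram["dst"] != "255.255.255.255", "a transit router would not forward a broadcast"
    return datagram


def dhcp_server(datagram: dict, server_ip: str, offered_ip: str) -> dict:
    """Builds a DHCPOFFER and sends it to giaddr (unicast), because giaddr != 0."""
    req = datagram["payload"]
    reply_to = giaddr(req)
    offer = (b"\x02" + req[1:16]                          # op=2 BOOTREPLY; copy htype..ciaddr
             + ipaddress.IPv4Address(offered_ip).packed   # yiaddr: the lease being offered
             + req[20:236]                                # siaddr, giaddr, chaddr, sname, file unchanged
             + MAGIC_COOKIE + bytes([53, 1, DHCPOFFER]) + b"\xff")
    return {"src": server_ip, "dst": str(reply_to), "sport": 67, "dport": 67, "payload": offer}


def walk_topology() -> dict:
    """hosts -> core switch (relay) -> firepower (no relay) -> DHCP server, and back."""
    discover = build_discover(bytes.fromhex("aabbccddee01"))
    to_server = relay_agent(discover, relay_ip="10.10.30.1", server_ip="10.10.250.5")
    to_server = transit_router(to_server)         # the Firepower box: nothing to do
    offer = dhcp_server(to_server, server_ip="10.10.250.5", offered_ip="10.10.30.77")
    offer = transit_router(offer)                 # the reply routes back the same way
    return {
        "giaddr_after_relay": str(giaddr(to_server["payload"])),
        "hops_after_relay": hops(to_server["payload"]),
        "offer_dst": offer["dst"],
        "offered_ip": str(ipaddress.IPv4Address(offer["payload"][16:20])),
    }


if __name__ == "__main__":
    print(walk_topology())
```

The model stops at the relay receiving the OFFER; on a real switch the relay then re-broadcasts (or unicasts, depending on the client's broadcast flag) the reply onto the VLAN identified by giaddr. A relay on the second hop is only needed when the first hop does not have one, and a hop that does see a request with giaddr already set leaves giaddr alone and only increments hops.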



Using Bluecoat with ICAP to OPSWAT and Download Speed Drop to ZERO

OKAY..So I am not getting anywhere with this, might as well add it here.

We use bluecoat proxies with ICAP to OPSWAT AV scanning, adding to it, we have packet brokers inline which transfer everything to the Cisco IPS.

Recently we upgraded from OPSWAT v3 to v4, and now, out of nowhere, when downloading files in the 1GB+ range we notice the speed starts fluctuating, reaching 0 and then coming back up.

This happens multiple times, and eventually if it doesn't come up, the download simply dies with a "Network error" in the browser.

At times though even with fluctuation it makes it and the download completes.

Thoughts please..



Avaya VSP7254 default MTU 9216??

Hi,

I was looking more into the use of jumbo frames, and it's pretty obvious it should only be used with internal storage.

Now, I also read that all the devices in your LAN should support jumbo frames before you enable it anywhere, because when it is enabled on your router but disabled on your L2 switches you could have lots of issues with retransmissions etc. Is this information correct?

Secondly, why does an Avaya VSP7254 (for example) have the MTU set to 9216 by default? Shouldn't it be set to ~1500 to avoid decreasing network performance?

Thanks for the information.



Why can't I VPN/RDP to this PC?

Hello,

Okay, so I've only been at this new site for a few months. This cubicle has like 3 computers and two users. One day I was trying to set up a new intern on the unoccupied desktop and I couldn't sign in with my credentials. I figured this PC had a bad network configuration, so I called someone who knew the credentials to the local admin account.

The computer was in fact on a separate VLAN (.30) from everyone else (.10). However, we didn't know why, since it shouldn't have been. We have all the PCs going to Cisco switches and then to a Cisco ASA. After simply turning the NIC off and on, it got onto the right VLAN.

I don't have the credentials to the switch. The PC I am currently having issues with is in that cubicle and on the wrong VLAN, and we cannot RDP to it when we use the VPN. I can VPN in, RDP to a different PC, and from there RDP to that PC.

It's kind of strange; I don't see why I can't RDP to this PC. I can assume that it's a firewall issue, but what configuration is doing this?



Network Certifications

Hi all,

I'm a tier 3 Linux admin at heart, but I've been with the current company since it was 23 employees. Since then we have grown to almost 200 in the past 1.5 years. I have been self-teaching the entire way through: implementing QoS (still having a hard time here), teaching myself how to set up VLANs, etc.

Right now (because of me) we have a lot of Ubiquiti EdgeRouters and EdgeSwitches across a few sites that I have linked to an OpenVPN server in "the cloud" (or the butt?).

I need to get some network certifications under my belt due to projected expansion.

My issue is that I could go for CCNA then CCNP, but these are Cisco certifications, so I am unsure how beneficial they would be in this situation as we do not currently use any Cisco gear.

What would be the non-Cisco equivalent of the CCNA and CCNP? Should I do CCNA and CCNP anyway?



802.1X on virtual machines

Is it possible to lab 802.1X authentication using virtual machines? For example, to create a virtual WLAN, or use something like OVS to connect virtual machines and try "wired 802.1X"? I saw an Aruba ClearPass workshop video where the instructor used virtual machines on ESX, and it got me wondering.

Using a passthrough USB WLAN dongle would probably work, but you'd still need a physical AP for that.



Is there an SSL cert serial number database?

I've come across a suspicious SSL certificate which I suspect is backdated. Is there a database of all issued certificates which I can search using the serial number to figure out when it was issued?

I've heard that after the whole WoSign controversy, key players created a database which CAs have to update daily or something.

If that's true, can you point me in the right direction?

Thank you!



Friday, June 29, 2018

Quick question about sessions.

From time to time at my job I have to investigate some security events on a firewall. I was discussing session DoS attacks with a colleague when he stated that you only need one packet, in one direction, to establish a session with an edge device, thus overwhelming a device with a large number of sessions is easy. I figured the edge device has to acknowledge it somehow. I am now curious about the requirements for starting a session and how a device decides to close them. Just session timers, or is there more to it? Is he even right? I did some digging but could not find anything this specific online. Anyone care to chime in? Thanks!
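As an added illustration (not part of the post, and a deliberate simplification of any real firewall): a toy session table in Python that behaves like a stateful edge device. One inbound SYN is enough to create a half-open ("embryonic") entry, so a flood of single packets does consume session slots; what keeps that survivable is the short embryonic timeout, a cap on half-open entries and, on real products, SYN cookies or TCP intercept. Entries leave the table on FIN/RST or when their idle timer expires. The timeouts, the limit and the addresses below are constructed values.

```python
"""Toy stateful session table for the "one packet opens a session" discussion.

Added example, not from the post. Timeouts, limits and addresses are constructed.
Flow key = (src_ip, src_port, dst_ip, dst_port); flags = set of TCP flag names.
"""
from dataclasses import dataclass

EMBRYONIC_TIMEOUT = 30        # seconds a half-open entry lives without a completed handshake
ESTABLISHED_TIMEOUT = 3600    # idle timeout once the handshake completed
MAX_EMBRYONIC = 1000          # cap on half-open entries (like an embryonic-connection limit)


@dataclass
class Session:
    state: str       # "EMBRYONIC" or "ESTABLISHED"
    expires: float   # absolute time at which the entry is garbage-collected


class SessionTable:
    def __init__(self, max_embryonic: int = MAX_EMBRYONIC):
        self.sessions: dict = {}
        self.max_embryonic = max_embryonic
        self.dropped = 0

    def embryonic_count(self) -> int:
        return sum(1 for s in self.sessions.values() if s.state == "EMBRYONIC")

    def expire(self, now: float) -> None:
        """Timer-based removal: the only way a silent half-open entry ever leaves."""
        for key in [k for k, s in self.sessions.items() if s.expires <= now]:
            del self.sessions[key]

    def packet(self, key: tuple, flags: set, now: float) -> str:
        self.expire(now)
        sess = self.sessions.get(key)
        if sess is None:
            # No state yet: only a bare SYN may create it. One packet, one direction, is enough.
            if "SYN" in flags and "ACK" not in flags:
                if self.embryonic_count() >= self.max_embryonic:
                    self.dropped += 1          # the cap is what stops the flood filling the table
                    return "DROP"
                self.sessions[key] = Session("EMBRYONIC", now + EMBRYONIC_TIMEOUT)
                return "NEW"
            return "DROP"                      # mid-stream packet with no matching state
        if "FIN" in flags or "RST" in flags:
            del self.sessions[key]             # explicit teardown
            return "CLOSED"
        if sess.state == "EMBRYONIC" and "ACK" in flags and "SYN" not in flags:
            sess.state = "ESTABLISHED"         # client's third handshake packet seen
        timeout = ESTABLISHED_TIMEOUT if sess.state == "ESTABLISHED" else EMBRYONIC_TIMEOUT
        sess.expires = now + timeout           # every matching packet refreshes the idle timer
        return sess.state


def syn_flood(table: SessionTable, count: int, now: float = 0.0) -> tuple:
    """Send `count` bare SYNs from distinct 5-tuples; returns (half_open, dropped)."""
    for i in range(count):
        key = (f"203.0.113.{i % 250 + 1}", 1024 + i, "192.0.2.10", 443)
        table.packet(key, {"SYN"}, now)
    return table.embryonic_count(), table.dropped


def legitimate_handshake(table: SessionTable, now: float = 0.0) -> list:
    """SYN, then ACK, then FIN from one client; returns the state after each packet."""
    key = ("198.51.100.7", 40000, "192.0.2.10", 443)
    return [table.packet(key, {"SYN"}, now),
            table.packet(key, {"ACK"}, now + 0.1),
            table.packet(key, {"FIN", "ACK"}, now + 5)]


if __name__ == "__main__":
    t = SessionTable(max_embryonic=100)
    print("flood:", syn_flood(t, 150))      # 100 half-open entries, 50 dropped
    t.expire(now=31)                        # embryonic timer fires, the table drains
    print("after timeout:", t.embryonic_count())
    print("handshake:", legitimate_handshake(SessionTable()))
```

The model only tracks the client-to-server direction; a real device also watches the server's SYN/ACK and sequence numbers, and UDP or ICMP "sessions" are created on the first packet too, with their own (usually shorter) idle timers. That is why edge devices expose per-protocol timeouts and embryonic limits as tuning knobs rather than a single session timer.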



DHCP help (Portable setup)

I hope this is the appropriate place for this. Feel free to send me elsewhere if not.

Basically I'm building a case for SAR usage that has an SFF PC, screen, radio gear and a router in it. The basic idea is I can put it on a table and start working. We don't generally have internet or networking gear initially (we might be based in a woodshed or rugby clubrooms), but as resources arrive we get better infrastructure, or on the odd occasion we operate from somewhere with existing networking infrastructure. The logging software we use is all networked to a database server on one of the computers so it can run without internet; however, internet is preferable.

Because of the maybe/maybe-not aspect of being connected to external networks, I'd like to have the DHCP server enabled on the router in my case, but I don't want to run the risk of DHCP foul-ups when externally connected.

Has anyone got any bright ideas? Set my case to a different subnet with DHCP and use the gateway address of the other router for internet? Plug the other router into the WAN port of my router? I know just enough to be dangerous here!!

Thanks



Anyone get a "Confirm your Cisco Account" email recently?

I got an email today with the text "Due to Cisco’s security policy, we must ask you to confirm your Cisco Account information every year. Otherwise, you may not be able to obtain Cisco services.". I've had a Cisco account for nearly 20 years and this is the first email like this I've ever seen. Seems like a phishing attempt. Confirm?



Brainstorming on a possible PBX/PRI problem and could use some help...

Hey everyone! I'm not really looking for solutions on this, I just want to make sure my troubleshooting....thought process...is correct.

So we have an old Toshiba CTX100 at one of our remote sites. The phone system has been having significant problems lately and I am completely out of ideas as to what else to try. I am not a VoIP person at all, BTW. The phones in the office can find the PBX and connect to it without a problem. They are on their own VLAN with QoS. The network is very simple... two VLANs: voice and data... a Gigabit Ethernet Cisco 2960 switch with PoE. The switch is working fine. No changes have been made to the network or the PBX at all.

Here is the issue...

  • Phone calls randomly drop. The call is not disconnected; just the audio drops.
  • Also, when you hang up on the outside, the phone does not terminate the call (not a big deal).

Here is what I know so far...

  • Can ping PBX
  • Can ping phone
  • PBX sees phone
  • Phone sees PBX
  • Phone and PBX both see the VM server on a separate subnet/VLAN (so I know the ACLs are fine)
  • Phone has dial tone, can dial out local and limited long distance
  • Can dial from outside to the phone with no issue
  • I was able to call in from my cell and maintain a connection for at least 20 minutes (I had a timer and just let it keep going while I was reading about the PBX)
  • I was also able to do the opposite, and maintained a call for the same amount of time
  • I did experience random dropouts though, but I do not think they are the provider's fault
  • We have a PRI line, but like I said I think the line is fine
  • We have a school next door with the exact same setup and no issues, with the same provider (though not on the same phone circuit, same WAN circuit)
  • I checked the cabling and it was fine
  • I checked for known service outages and there were none

My suspicion is that the line cards in the PBX are failing. It is an older system... I think 10+ years old, so we are not too crazy about supporting it. The office will be vacant in a month, so we are trying to build a case to forget about it.

Is there anything I am missing though? I hate VoIP with a passion, unless it is Allworx, Avaya, or Cisco. I can handle those...



How much do you charge for side work?

tl;dr - How much do you guys charge, and how do you structure it? Hourly, flat-rate?

I've got a good gig working 9-5 as a network engineer, but have gotten some opportunities for side work doing a small office setup (~70 users with simple needs; basically they just need good wifi to get to G Suite). I've done the gun-for-hire thing before when I was younger in my PC tech days, so I'm familiar with the risks and pitfalls of baby-MSP stuff. But it's extra money and I like money.

About me: CCNA, a few years' experience in government/enterprise and a couple of years with a smaller company in the private sector. Conversational in switching, weak on routing, reasonably familiar with Palo Alto firewalls, very comfortable with Ubiquiti wifi and Cisco WLCs.

I'm in the SF Bay area, for what it's worth.



Lightning to Cisco serial cable

I have read what I think to be all the do-it-yourself builds for making an iDevice to Cisco console cable. There are a few commercial products out there for $70+ that do the trick, but also some dated how-tos for under $10. Has anyone had any luck creating an updated Lightning to Cisco console cable?

A Mini RS232 to TTL converter module board adapter (MAX3232) looks to be the main item needed, along with the Lightning and rollover cables, and possibly a single resistor. Let me know! I would like to give it a shot. Also, I can't determine whether the iDevice needs to be jailbroken or not. If it does, how do the commercial versions of this solution get around that?



Cisco meraki

I've recently bought 1 Cisco Meraki switch and 4 access points. I can't register them on my account because the serial numbers are all still in use. Is there anything I can do?



🎵Old MAC donald had a route. E I G R P🎵


Migrating to cloud-based VOIP

We are migrating from an on-prem PBX system to a cloud-based VoIP system, and we are hesitant to do a number port initially as we are concerned there could be issues and we want the ability to roll back easily. Assuming everything goes well and there are no issues, we would port our numbers over weeks later. We have around 500 DIDs, most of which are assigned to user stations.

What creative options might there be to accomplish this?



Multicast /Unicast device

We have a device that needs to communicate with its other peers via multicast at Bldg A; they are all on the same Cisco 4500 blade on the same VLAN. This same device also needs to communicate via unicast/TCP with a server on a different VLAN in Bldg B.

With this setup in mind I did not enable multicast on the interface VLAN at Bldg A, because they are all on the same VLAN. The vendor confirmed they could all talk to each other. We came back to Bldg B to set up the server, and it and the primary device at Bldg A could not communicate via unicast. I tested from Bldg B and could not ping the devices at A. I logged into the switch in Bldg A that they are directly connected to and was able to ping the devices. Once I did that, they were reachable from Bldg B for about a minute, then they would stop replying again.

This was the case every time I pinged local to the devices. Finally I enabled PIM sparse-dense-mode on the interface VLAN these multicast devices share at Bldg A, and they were pingable and the server could communicate with its unicast TCP traffic.

WTF? Multicast configuration should have no bearing on ICMP or unicast traffic. Why did this make a difference?



Cisco 4451 Crashes and High Memory Usage

Hi all,

I've got a bit of an issue with my routers. Every few days lately, the routers will reboot. I was SSH'd into one that was acting up and the CLI was very slow and unresponsive. I sent a show command, and it crashed. When it came back the CLI was behaving normally. For all I can gather, I think this is memory related, but I'm not sure what is using all of the memory.

show platform software status control-processor brief shows that Committed memory is at 94% right after boot and it stays there.

Any ideas?



Openvpn Bridge - can connect but no LAN or WAN

Hello,

I have had a routed OpenVPN server running for some time. I am trying to set up a bridged connection so that my VPN will be on the same subnet.

I have the following config file for the server. When I try to connect, it succeeds, but I have no internet connection and no local VPN connection. I also cannot ping the VPN server.

Could I please have a hand?! What else do you need to see?

VPN IP: 10.0.1.4
Subnet: 255.255.254.0
Gateway: 10.0.0.1

dev tap0
tls-server
proto tcp
port 443
port-share 127.0.0.1 444
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh4096.pem
topology subnet
user nobody
group nogroup
server-bridge 10.0.1.4 255.255.254.0 10.0.1.60 10.0.1.70
mssfix
persist-key
persist-tun
#log /var/log/openvpn
status /var/log/openvpn-status.log
verb 4
client-to-client
keepalive 10 120
mute 50
#set the dns servers
push "dhcp-option DNS 10.0.1.2"
#For windows, to make the network recognized
push "route 0.0.0.0 0.0.0.0 10.0.1.4"
cipher AES-256-CBC
auth SHA512
log-append /var/log/openvpn
comp-lzo



Possible fiber cut on the east coast?

https://imgur.com/a/kupWgtc

We're getting a lot of outage reports all over. Seems to be a big one.

Edit:

Comcast is reporting a nationwide service outage



Cisco Switch Access Limiting

I work at a large company with a small IT shop (surprise, surprise). I have fellow non-networking team members who need the ability to clear port-security sticky MACs and also shut/no shut interfaces. I am not seeing an easy way of setting this up. I do not want to give them access to change any configs at all. This is purely for clearing port-security. I have researched but am unable to find a Cisco or 3rd-party solution. Thanks for the help!



Cisco ASA L2L VPN - Phase 1 and 2 up with encaps/encrypts. No decaps or decrypts.

New VPN setup where we are running into an issue: the phase 1 and phase 2 tunnels come up, but no traffic flows through in either direction. This is between an ASA5505 and an Azure VPN Gateway. I have tried checking some crypto debugs and checking the logs, but nothing stands out as an issue. It shows phase 1 and phase 2 coming up without a problem.

Here is a show crypto ipsec sa

https://i.imgur.com/u4liShp.png

Here are the relevant crypto config commands

crypto map VPNCRYPTOMAP 1 match address azure-vpn-acl2
crypto map VPNCRYPTOMAP 1 set peer x.x.x.x
crypto map VPNCRYPTOMAP 1 set ikev1 transform-set azure-ipsec-proposal-set
crypto map VPNCRYPTOMAP 1 set security-association lifetime seconds 3600
crypto map VPNCRYPTOMAP 1 set security-association lifetime kilobytes 102400000
crypto map VPNCRYPTOMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VPNCRYPTOMAP interface ATT_OUTSIDE
!
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
!
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
access-list azure-vpn-acl2 extended permit ip 10.24.0.0 255.255.255.0 10.50.0.0 255.255.0.0
!
nat (INSIDE_LAN,ATT_OUTSIDE) source static onprem-networks onprem-networks destination static azure-networks azure-networks no-proxy-arp route-lookup
!
object-group network azure-networks
 description *** Azure-Virtual-Network ***
 network-object 10.50.0.0 255.255.0.0
!
object-group network onprem-networks
 description *** On-premises Networks ***
 network-object 10.24.0.0 255.255.255.0

I will note this was up and running. AnyConnect was set up with the ASDM wizard on this ASA5505, and it was verified that the IPsec VPN was still up and running without issue and AnyConnect access was working as expected. Some time after this it seems to have stopped working.

What I have verified:

  • Phase 1 and Phase 2 tunnels come up
  • Route for VPN peer and remote subnet out the specific interface we want
  • Ran capture and verified I'm seeing IPsec traffic to and from the public IPs of the VPN peers

Any thoughts?



Sub for DC-type questions?

Sorry for the off-topic post here, but I'm curious if there is a sub on reddit that covers questions for racks, power, and datacenter equipment.

thanks in advance!



Something is printing to a particular IP on my network - need help tracking it down

https://ift.tt/2tQFYwH

Setting up a virtual network using VirtualBox

Hello,

I am looking for advice on how to properly set up a virtual testing environment to practice with Windows Server 2016 in VirtualBox. My limited experience with VirtualBox consists of installing Red Hat Linux for a class at school via a bridged connection. In addition, I have installed and messed around with Kali on my own just for fun, also with a bridged connection. However, the goal now is to set up a Windows environment with Windows Server 2016 and two or three Windows 10 workstations. I want them all to be able to connect to the same network in order to practice setting up GPOs and mainly just to get more familiar with the server. From the tutorials I have watched online it looks as if I am supposed to set up Server 2016 and the workstations with a NAT connection, but I have not been able to get them to connect. Any advice would be much appreciated.

If it matters the local laptop I have VirtualBox installed on is using WiFi.



Silverpeak: “Boost this traffic” for VoIP?

We have it unchecked for our VoIP overlay; wondering if we should check that box, if it works for VoIP and can optimize the traffic more.

Also can anyone share your Shaper config?

Thanks, fellow Silverpeak users!



Mikrotik MPLS Sanity Check

Could we get a sanity check on our config? We have our core router, a CCR1072, with a 10Gb uplink to the internet (sfp-sfpplus1, VLAN 803). We have a 1Gb fiber connection from the core router (sfp-sfpplus3, VLAN 3000) to SW1, a CRS112 (ether1, VLAN 3000). We then have a wireless Ubiquiti Rocket AC Lite link between SW1 (ether2) and SW2, a CRS112 (ether1). The fiber link has a max MTU of 8900. The wireless link has a max MTU of 2024. We set the different interfaces on the Mikrotik router and switches to the max MTU supported by that link.

Download speeds before the MPLS configuration were around 500Mb down at SW1 and 200Mb at SW2. After MPLS they dropped to 90Mb at both SW1 and SW2. We eventually want to set up redundant wireless links and expand MPLS out to our other towers. We are not seeing any errors on any devices.

We did try disabling MPLS on SW1 and the core with no improvement in download speed. Also, using a VPLS tunnel instead of an EoIP tunnel resulted in slower speeds.

Upon further research, it looks like the tutorial I read that recommended changing the MTU to the max supported by the backhauls may not have been correct. Or at least it should not have had me set all the MTUs the same. Could this be the issue?

Core1

/interface bridge
add fast-forward=no name=LoopBack
add name=PIP protocol-mode=none
/interface ethernet
set [ find default-name=sfp-sfpplus3 ] l2mtu=8900 mtu=8900
/interface eoip
add !keepalive mac-address=02:1C:12:38:E8:41 name=Core1-to-SW2 remote-address=10.200.0.3 tunnel-id=1
add !keepalive mac-address=02:8D:48:7D:E2:7D name=Core1-to-SW1 remote-address=10.200.0.2 tunnel-id=0
/interface vlan
add comment="MPLS" interface=sfp-sfpplus3 name="vlan3000" vlan-id=3000
add interface=sfp-sfpplus1 name=vlan803 vlan-id=803
/routing ospf instance
set [ find default=yes ] distribute-default=always-as-type-1 mpls-te-area=backbone mpls-te-router-id=LoopBack redistribute-other-ospf=as-type-1 router-id=10.200.0.1
/interface bridge port
add bridge=PIP interface=Core1-to-SW1
add bridge=PIP interface=Core1-to-SW2
/ip address
add address=10.255.0.2/30 interface=vlan803 network=10.255.0.0
add address=10.20.0.1/22 interface=PIP network=10.20.0.0
add address=10.0.0.1/30 interface="LanLink - vlan3000" network=10.0.0.0
/ip firewall nat
add action=src-nat chain=srcnat out-interface=vlan803 src-address=10.20.0.0/22 to-addresses=x.x.157.1
/ip route
add distance=1 gateway=10.255.0.1
/mpls interface
set [ find default=yes ] mpls-mtu=8900
/mpls ldp
set enabled=yes lsr-id=10.200.0.1 transport-address=10.200.0.1
/mpls ldp interface
add interface="vlan3000"
/routing ospf interface
add interface="LanLink - vlan3000" network-type=point-to-point use-bfd=yes
/routing ospf network
add area=backbone network=10.200.0.1/32
add area=backbone network=10.0.0.0/30
/system identity
set name=Core1

SW1

/interface bridge
add fast-forward=no name=LoopBack
add name=PIP protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] l2mtu=8900 mtu=8900
set [ find default-name=ether2 ] l2mtu=2024 mtu=2024
/interface eoip
add !keepalive mac-address=02:A3:ED:52:A3:C9 name=Core-to-SW1 remote-address=10.200.0.1 tunnel-id=0
/interface vlan
add interface=ether1 name=vlan3000 vlan-id=3000
/routing ospf instance
set [ find default=yes ] mpls-te-area=backbone mpls-te-router-id=LoopBack redistribute-other-ospf=as-type-1 router-id=10.200.0.2
/interface bridge port
add bridge=PIP interface=Core1-to-SW1
add bridge=PIP interface=ether3
add bridge=PIP interface=ether4
add bridge=PIP interface=ether5
add bridge=PIP interface=ether6
add bridge=PIP interface=ether2
/ip address
add address=10.0.0.2/30 interface=vlan3000 network=10.0.0.0
add address=10.200.0.2 interface=LoopBack network=10.200.0.2
add address=10.100.0.1/29 interface=ether2 network=10.100.0.0
/mpls interface
set [ find default=yes ] mpls-mtu=2024
/mpls ldp
set enabled=yes lsr-id=10.200.0.2 transport-address=10.200.0.2
/mpls ldp interface
add interface=vlan3000
add interface=ether2
/routing ospf interface
add interface=vlan3000 network-type=point-to-point use-bfd=yes
add interface=ether2 network-type=point-to-point use-bfd=yes
/routing ospf network
add area=backbone network=10.200.0.2/32
add area=backbone network=10.0.0.0/30
add area=backbone network=10.100.0.0/29
/system identity
set name=SW1

SW2

/interface bridge
add fast-forward=no name=LoopBack
add name=PIP protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] l2mtu=2024 mtu=2024
set [ find default-name=ether3 ]
set [ find default-name=ether4 ] l2mtu=2024 mtu=2024
set [ find default-name=ether5 ]
/interface eoip
add !keepalive mac-address=02:3C:BA:67:20:97 name=Core1-to-SW2 remote-address=10.200.0.1 tunnel-id=1
/routing ospf instance
set [ find default=yes ] mpls-te-area=backbone mpls-te-router-id=LoopBack redistribute-other-ospf=as-type-1 router-id=10.200.0.3
/interface bridge port
add bridge=PIP interface=Core1-to-SW2
add bridge=PIP interface=ether3
add bridge=PIP interface=ether4
add bridge=PIP interface=ether5
/ip address
add address=10.100.0.4/29 interface=ether2 network=10.100.0.0
add address=10.200.0.3 interface=LoopBack network=10.200.0.3
/mpls interface
set [ find default=yes ] mpls-mtu=2024
/mpls ldp
set enabled=yes lsr-id=10.200.0.3 transport-address=10.200.0.3
/mpls ldp interface
add interface=ether2
/routing ospf interface
add interface=ether2 network-type=point-to-point use-bfd=yes
/routing ospf network
add area=backbone network=10.200.0.3/32
add area=backbone network=10.100.0.0/29
/system identity
set name=SW2


DevOps: To CI/CD, or not to CI/CD?

I'm setting up a virtual machine to do some management/monitoring tasks, and I'm using Docker to containerize everything, so extensibility is preserved. When it's all said and done, I'll have extra resources I can put to use.

Which leads me to the question of DevOps: should I implement a CI/CD system for our network? (About 300 devices in a handful of locations, all within a few miles of one another.) I've heard good things about Travis, and I'm considering self-hosted GitLab as well. I don't think either will integrate with LibreNMS or Oxidized, so that question is moot.

If I'm already using LibreNMS with Oxidized, is it worth it to implement a DevOps-style CI/CD system into the mix? Would that be duplicating or conflicting with those two applications I mentioned, or with DNA Center? Would it still be worth it as a resume builder?

What's your take more broadly on the DevOps movement as it relates to networking? Where do you see this all going, and why?



Help with ASA ACL

I'm working on a migration from an ASA to a FortiGate 60E. Currently moving the ACLs.

If there is an ACL like this:

access-list HACK_access_in extended permit object-group DM_INLINE_PROTOCOL_5 X.X.X.X 255.255.255.0 any4

And if I look at the assigned interfaces:

access-group outside_access in interface outside

access-group LAN_access_in in interface LAN

access-group PRIV_access_in in interface PRIV

access-group CloudMgmt_access_in in interface CloudMgmt

access-group CloudExt_access_in in interface CloudExt

access-group dev_network_access_in in interface DevNetwork

access-group dev_network_access_out out interface DevNetwork

access-group Visitor_access_in in interface Visitor

access-group global_access global

It isn't there, so does that mean the ACL is not in use? I understand that if you want to apply an ACL to all inbound connections you use global ACLs, but this isn't one, right? I'm probably having a massive brain fart right now, but I just can't remember this.
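As an added example (not from the post): a small Python audit that separates ASA access-lists that are applied with access-group from those that are defined but never bound. An access-list only filters interface traffic once an access-group references it, but the same name can still be in use elsewhere (a crypto map's match address, a VPN filter, a class-map), so those are reported separately rather than being called unused. The config below is constructed: the post's access-group lines plus filler ACEs, a made-up crypto map line and documentation-range addresses.

```python
"""Audit Cisco ASA access-lists: defined vs. actually applied (added example, not from the post).

Only an access-group binding makes an ACL filter traffic on an interface, but an ACL
can still be in use elsewhere (crypto map, VPN filter, class-map), so those are
reported separately instead of being called unused. ASA_CONFIG is constructed.
"""
import re

ASA_CONFIG = """\
access-list HACK_access_in extended permit object-group DM_INLINE_PROTOCOL_5 192.0.2.0 255.255.255.0 any4
access-list outside_access extended permit tcp any4 host 192.0.2.10 eq https
access-list LAN_access_in extended permit ip 10.0.0.0 255.255.255.0 any4
access-list Visitor_access_in extended deny ip any4 10.0.0.0 255.255.255.0
access-list Visitor_access_in extended permit ip any4 any4
access-list global_access extended permit icmp any4 any4
access-list VPN_TRAFFIC extended permit ip 10.0.0.0 255.255.255.0 10.50.0.0 255.255.0.0
access-group outside_access in interface outside
access-group LAN_access_in in interface LAN
access-group Visitor_access_in in interface Visitor
access-group CloudMgmt_access_in in interface CloudMgmt
access-group global_access global
crypto map VPNCRYPTOMAP 1 match address VPN_TRAFFIC
"""

ACL_RE = re.compile(r"^access-list (\S+) ")
# access-group <acl> in|out interface <ifname>   or   access-group <acl> global
GROUP_RE = re.compile(r"^access-group (\S+) (?:(in|out) interface (\S+)|(global))$")
# Other places an ACL name shows up on an ASA; extend this as your config requires.
OTHER_REF_RE = re.compile(r"(?:^|\s)(?:match address|match access-list|vpn-filter value) (\S+)$")


def parse(config: str):
    """Return (defined, bound, other): ACL name -> ACE count / bindings / other references."""
    defined, bound, other = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            defined[m.group(1)] = defined.get(m.group(1), 0) + 1
            continue
        m = GROUP_RE.match(line)
        if m:
            acl, direction, ifname, glob = m.groups()
            bound.setdefault(acl, []).append("global" if glob else f"{direction} {ifname}")
            continue
        m = OTHER_REF_RE.search(line)
        if m:
            other.setdefault(m.group(1), []).append(line)
    return defined, bound, other


def audit(config: str) -> dict:
    """Three lists worth reviewing before a migration."""
    defined, bound, other = parse(config)
    return {
        # defined, not bound anywhere, not referenced anywhere: safe to leave behind
        "unused": sorted(n for n in defined if n not in bound and n not in other),
        # not bound to an interface, but still doing a job somewhere else
        "referenced_elsewhere": sorted(n for n in defined if n not in bound and n in other),
        # bound to an interface, but the ACL has no ACEs at all: the binding matches nothing
        "dangling_access_group": sorted(n for n in bound if n not in defined),
    }


if __name__ == "__main__":
    for category, names in audit(ASA_CONFIG).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Run it against `show running-config` output; names listed under `unused` are candidates to drop from the migration, while anything under `referenced_elsewhere` still needs a FortiGate equivalent (an address object or policy rather than an interface ACL).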



Power supply of IE4000 needed?

Hi Guys,

I have some queries in relation to the Cisco IE 4000 switch.

At the moment we are ordering the following units: IE-4000-4GC4GP4G-E switches.

Along with the PWR-IE170W-PC-DC= power supply.

Current spec HERE

These units are being deployed underground.

My question is this.

The power supply's function seems to be to take between 12 and 54 VDC and convert it to 54VDC/3.15A.

Is it possible that, if the electricians can supply the switch directly with 54VDC, we could simply not need the power supply? This would be a saving of about $1300 a cabinet.

Do these power supplies provide more than just converting the input to the required output? Do they do any power smoothing or other functions I might be missing?

We do require the full PoE budget, as it is foreseeable that cameras and APs will be utilising these switches at some point.

 

 

I also have a question about the current setup, since it's been installed.

We have both power connections from the switch, A & B, going to the same power supply.

Is this the correct setup? Or is it designed so that the A/B switch connections are fed from completely separate power supplies/circuits? See photo.

Mounted in cabinet HERE

Thanks for reading



Thursday, June 28, 2018

Unique setup: Windows ICS, want a VM on the internal network...

Using a long-range wifi connection for WAN access... 192.168....

I have an internal network that is 172.16.0.0/24, created by sharing my wifi connection via ICS out of an Ethernet port...

I cannot access my router from the Windows machine with ICS; this is fine... I would love to keep my networking setup the way it is as much as possible, but spawn a VM on the 172 network so that my wireless devices can hit the VM...

What are some ideas on getting this to work... I guess I can let my VM live on the 192 network and add a route on the 172 network router... but let's see what y'all think...



My boss just offered to pay for a conference. Since Cisco Live has already passed, which conference do you recommend I attend?

The conference has to be in the US. It has to be related somehow to networking of course.



Google DNS IPv6 Design

Edit: In my limited understanding of anycast services, I would assume prefixes longer than /48 could exist inside service provider networks where Google potentially has DNS servers set up.

Given the two Google IPv6 DNS addresses:

2001:4860:4860::8888

2001:4860:4860::8844

It seems odd to me that what should (?) be operationally distinct addresses are in the same /48 (and ultimately the same /32, /48, /64, etc.), which I understand to be the longest prefix that is globally routable. Given that the two DNS addresses are in the same /64, both of their services will at least partially go down with one /48 prefix hijack, correct?

redacted#sh ipv6 route vrf redacted 2001:4860:4860::8888
Routing entry for 2001:4860::/32
  Known via "bgp redacted", distance 20, metric 0, type external
  Route count is 1/1, share count 0
  Routing paths:
    FE80::214:F600:2B4:65F4, GigabitEthernet0/0/0
      MPLS label: nolabel
      Last updated 5d19h ago

redacted#sh ipv6 route vrf redacted 2001:4860:4860::8844
Routing entry for 2001:4860::/32
  Known via "bgp redacted", distance 20, metric 0, type external
  Route count is 1/1, share count 0
  Routing paths:
    FE80::214:F600:2B4:65F4, GigabitEthernet0/0/0
      MPLS label: nolabel
      Last updated 5d19h ago



Hyper-V & Dell R710 NIC (Mis)Labeling

Weird question, although I have never run into this problem before:

I have a Dell R710 running Server 2016 Hyper-V. Within the server manager on the host, the NIC labeling doesn't match up with the physical NIC label on the rear of the server. For example, eth0 in server manager matches up to eth3 on the back of the server. Is there a quick remedy to this other than masking tape and a sharpie?? :)



Question Regarding Layer 2 vs Layer 3 Switch

Hey,

We currently have an ASA 5506 doing all the routing at our locations + ACLs.

I'm looking to deploy a managed switch just because we will be adding a lot more devices.

From my understanding Layer 2 operates via MAC addresses via ARP table and Layer 3 operates via IP and does routing.

Since our ASA 5506 acts as the DHCP/Routing/ACL control etc... should I just purchase a Layer 2 switch? Or should I spend the extra cash and get Layer 3 and use Layer 2 mode for future proofing?



IPSec Site to Site Issues (PFSense/Cisco Meraki)

Hey All,

Recently started a company and decided to integrate some dedicated servers on the web into our network through a site to site VPN - Please see crude diagram:

https://imgur.com/6WAuG9M

First problem I encountered and inherited was this organisation is using a combination of Cisco Meraki MX60, MX64 and MX64Ws which suck. These firewalls are interconnected through a mesh VPN network – a connection into one allows them all to connect (from what I understand). I have successfully managed to connect the mesh VPN to the PFSense virtual firewall via an IPSec site to site VPN which is working. Current Rules:

PFSense:

• 500 UDP to Remote Office 1
• 4500 UDP to Remote Office 1

Meraki:

• 500 UDP to PFSense FW
• 4500 UDP to PFSense FW

IPSec Config on PFSense

10.0.0.0/8 172.16.0.0/24 ◄ Inbound ESP Remote Office 1 -> PFSense FW
172.16.0.0/24 10.0.0.0/8 ► Outbound ESP PFSense FW -> Remote Office 1

Unfortunately I cannot seem to ping or reach any hosts on either side of the tunnel and I’m unsure of what else I can try – I was hoping you’d be able to give me some pointers, stern words or things to investigate/think about.

There are other site-to-site VPNs connected to this mesh VPN to connect other servers to this network, which appear to have worked without too much issue. I understand this may be a little more tricky than this however.

Would be grateful for any help you can give.



Static NAT (port forwarding) Cisco ASA

So, I have an outside interface with an IP of 66.57.3.20 (made up). I have a server on the inside interface with an IP of 172.16.1.100, listening on port 443. I want to set up a static NAT statement on the ASA to allow traffic hitting 66.57.3.20 on 443 to be forwarded to 172.16.1.100, 443, then allow the return traffic. I am running ASA code 9.1(2).

66.57.3.20 is object-name (outside-ip)

172.16.1.100 is object-name (inside-ip)

443 is service-name (https)

I am used to this, but it's not working:

nat (outside,intf2) source static any OBJ-66.57.3.20 destination static video-172.16.1.100 video-inside-ssl service https https



ASA 5520 throughput

If I am wanting to use a 5520 as my WAN gateway in a satellite office, am I reading correctly that the total throughput of the device is 450 Mbps? If I connect directly to a 1Gb ONT, it won't handle that full speed when routing? Or is this just VPN total throughput?



Ping not working (2PC directly connected)

Hi, I'm trying to connect 2 PCs using a cable via a USB/Gigabit interface.

This is the scenario:

Desktop PC:

-ethernet0: connected to the switch (DHCP enabled - main connection to internet)

-ethernet1 (usb/Gigabit): 192.168.2.1 /24 - cable directly connected to ethernet1 on laptop

Laptop:

-ethernet0: connected to the switch (DHCP enabled - main connection to internet)

-ethernet1 (usb/Gigabit): 192.168.2.2 /24 - cable directly connected to ethernet1 on Desktop

ethernet1 interfaces are connected using a DIRECT CAT6 cable + crossover adapter (only on one side).

Desktop PC:

"ping 192.168.2.2" --> PING OK

Laptop:

"ping 192.168.2.1" ---> UNREACHABLE

OS: Windows10 (both), FW disabled on both (windows defender), domain: WORKGROUP (both).



Error Rate Monitoring

I'm trying to figure out a way to monitor discards and errors on our Juniper routers using the SNMP IF-MIB. I notice that there are OIDs for ifInDiscards, ifInErrors, ifOutDiscards and ifOutErrors, but how can I turn that data into an error rate or percentage of total packets that have errors? I don't want to send alerts on the very existence of an error or discard on a port, especially if it's 1 error over the course of 5 million packets or 30 days or something. Just looking to monitor the percentage of packets having errors (i.e. 1% or higher).

If it helps we are using a modified TICK stack, we use Grafana for graphing, Influx for storage, Prometheus for alerting, and Telegraf for collection.

Thoughts? Thanks guys.
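One way to turn the IF-MIB counters from the post above into the percentage the poster wants, as an added example that is not part of the original post: it takes two consecutive polls of one interface (as a Telegraf snmp input would deliver them), handles a Counter32 wrap, uses the RFC 2863 definition of which packet counters already include errored packets, and only alerts when the interval carried enough packets for the ratio to mean anything. The counter values are constructed; the assumed extra objects polled are ifHCInUcastPkts and ifHCOutUcastPkts.

```python
"""Turn IF-MIB error and discard counters into a per-interval percentage.

Added example, not code from the original post. Assumes two consecutive SNMP
polls of one interface and that the packet counters (ifHCInUcastPkts,
ifHCOutUcastPkts) are polled alongside the error counters. All values below
are constructed.
"""
from dataclasses import dataclass

COUNTER32_MAX = 2 ** 32  # ifInErrors/ifInDiscards/ifOutErrors/ifOutDiscards are Counter32
COUNTER64_MAX = 2 ** 64  # ifHCInUcastPkts/ifHCOutUcastPkts are Counter64


def counter_delta(prev: int, curr: int, width: int = COUNTER32_MAX) -> int:
    """Increase between two readings, assuming at most one wrap in the interval."""
    if curr >= prev:
        return curr - prev
    return (width - prev) + curr


@dataclass(frozen=True)
class IfSample:
    """One poll of the IF-MIB objects needed for one interface."""
    in_pkts: int       # ifHCInUcastPkts (add ifHCInMulticastPkts/ifHCInBroadcastPkts if polled)
    out_pkts: int      # ifHCOutUcastPkts (likewise for multicast/broadcast)
    in_errors: int     # ifInErrors
    in_discards: int   # ifInDiscards
    out_errors: int    # ifOutErrors
    out_discards: int  # ifOutDiscards


def bad_packet_pct(prev: IfSample, curr: IfSample) -> dict:
    """Percentage of packets errored or discarded in each direction over the interval.

    RFC 2863 counts an inbound packet in ifInUcastPkts only if it was delivered
    upward, so inbound errors and discards must be added back to get the offered
    total. Outbound ifOutUcastPkts already includes packets that were later
    discarded or errored, so it is the outbound total on its own.
    """
    in_good = counter_delta(prev.in_pkts, curr.in_pkts, COUNTER64_MAX)
    in_bad = (counter_delta(prev.in_errors, curr.in_errors)
              + counter_delta(prev.in_discards, curr.in_discards))
    out_total = counter_delta(prev.out_pkts, curr.out_pkts, COUNTER64_MAX)
    out_bad = (counter_delta(prev.out_errors, curr.out_errors)
               + counter_delta(prev.out_discards, curr.out_discards))
    in_total = in_good + in_bad

    def pct(bad: int, total: int) -> float:
        # An idle interval has no packets to be wrong; report 0 rather than divide by zero.
        return 0.0 if total == 0 else 100.0 * bad / total

    return {
        "in_total": in_total, "in_bad": in_bad, "in_pct": pct(in_bad, in_total),
        "out_total": out_total, "out_bad": out_bad, "out_pct": pct(out_bad, out_total),
    }


def should_alert(stats: dict, threshold_pct: float = 1.0, min_packets: int = 1000) -> bool:
    """Alert only when the ratio is high and the interval carried enough packets to matter."""
    return any(
        stats[f"{d}_pct"] >= threshold_pct and stats[f"{d}_total"] >= min_packets
        for d in ("in", "out")
    )


# Constructed samples: the inbound error counter wraps at 2^32 between the two polls.
PREV = IfSample(in_pkts=1_000_000, out_pkts=2_000_000,
                in_errors=COUNTER32_MAX - 6, in_discards=0, out_errors=0, out_discards=10)
CURR = IfSample(in_pkts=1_000_990, out_pkts=2_001_000,
                in_errors=4, in_discards=0, out_errors=0, out_discards=10)

if __name__ == "__main__":
    stats = bad_packet_pct(PREV, CURR)
    print(stats)                # in_bad=10 of in_total=1000 -> in_pct=1.0
    print(should_alert(stats))  # True: 1% inbound over 1000 packets
```

The same arithmetic can be expressed as an InfluxQL/Flux query over the stored counters; the point of the min_packets guard is that a single error in a five-packet interval is 20% but not worth a page.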



Ipv6 handoff question - can't route from internal subnet

I am being assigned a /48 from my ISP, but we are having some trouble with it. I've been assigned a /48, with an address block similar to this (not my actual address) - 2001:abcd:aaaa::/48 . They've assigned their network interface (their handoff on their router) as something like 2001:abcd:aaaa::1/48.

Now, I need to break up this /48, so I made the external interface a /64 and assigned my router's wan port to be 2001:abcd:aaaa::2/64 . I can ping the ipv6 internet through this address.

For my internal interface I used 2001:abcd:aaaa:1111::1/64 . However, this internal subnet has no internet connectivity. I believe my cisco config has been set up right (ipv6 unicast-routing, ::/0 default route set to 2001:abcd:aaaa::1 , etc).

Now, I'm thinking the problem is that their handoff interface is configured as a /48. Their router thinks the entire /48 subnet is directly connected, and will never try to route any packets through my router. Instead, packet captures seem to indicate it is trying to use neighbor discovery to find addresses like 2001:abcd:aaaa:1111:1 (which is being used internally).

The ISP is telling me it should work fine. This is how they should be doing the handoff, and their interface has to be a /48. I'm telling them it should really be a /64.

Then again, I'm not an IPv6 expert. A sanity check here is appreciated.



Favorite CLI config typos

Just wanted to add some humor to the sub; add your favorite typos when at the CLI.

My top two are:

no shit

int rage



Anycast NTP on Nexus Cores

Hi,

I read a bit about anycast implementations and I'm trying one on two Nexus switches in a vPC pair. I've created the same loopback address on both, and source my NTP from it. They both connect as clients to time.nist.gov, and peer with each other on another set of unique loopbacks (.1 and .2). All four loopbacks are being injected into their EIGRP AS. As things stand, though, only one of the two cores is synced externally. I'm assuming this is because only one can truly receive NTP updates, because the firewall cannot differentiate the return path to the anycast loopback. What am I misinterpreting here?

core 1:

ntp peer 2.2.2.2 ###core 2 lo0
ntp server 132.163.96.3 prefer ###time.nist.gov
ntp source-interface loopback1 ###anycast address
ntp authenticate
ntp authentication-key 1 md5 Qa1bgrfTfwsru 7
ntp trusted-key 1
ntp logging
ntp master 6
ntp allow private

core 2:

ntp peer 1.1.1.1 ###core 1 lo0
ntp server 132.163.96.3 prefer ###time.nist.gov
ntp source-interface loopback1 ####anycast address
ntp authenticate
ntp authentication-key 1 md5 Qa1bgrfTfwsru 7
ntp trusted-key 1
ntp logging
ntp master 6
ntp access-group match-all
ntp allow private

show status:

CORE-1# show ntp peer-status
Total peers : 3
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
  remote            local            st   poll   reach   delay     vrf
-----------------------------------------------------------------------
 +2.2.2.2           10.240.251.0     16   64     0       0.00000   default
 =127.127.1.0       10.240.251.0     6    64     0       0.00000
 *132.163.96.3      10.240.251.0     1    64     0       0.04498   default

CORE-2# show ntp peer-status
Total peers : 3
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
  remote            local            st   poll   reach   delay     vrf
-----------------------------------------------------------------------
 +1.1.1.1           10.240.251.0     16   64     0       0.00000   default
 *127.127.1.0       10.240.251.0     6    64     377     0.00000
 =132.163.96.3      10.240.251.0     16   64     0       0.00000   default

Is this correct? Shouldn't I see a valid stratum from at least my peer or time.nist.gov? Any help is appreciated.



Access list question

I need to block traffic from the following subnets on my network:

* 172.30.201.0
* 172.30.203.0
* 172.30.204.0
* 172.30.205.0
* 172.30.206.0
* 172.30.207.0
* 172.30.209.0
* 172.30.210.0

On my core layer 3 switch (to which the above 8 subnets are directly connected through a layer 2 network with my ISP), the access list is as follows:

access-list 10 remark Allow VTY Access
access-list 10 permit xxx.xxx.xxx.2
access-list 10 permit xxx.xxx.xxx.18
access-list 10 permit 207.xxx.xxx.0 0.0.0.255
access-list 10 permit 172.30.0.0 0.0.255.255
access-list 10 permit 172.20.20.0 0.0.0.255

Do I just add a deny statement to the 8 subnets I need to block AFTER or BEFORE my permit 172.30.0.0 statement?

OR should I do a deny host for say 172.30.201.1?

Or maybe there's a better way to block traffic coming from those subnets?
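The order question above is decided by how IOS walks a standard ACL: top to bottom, first match wins, implicit deny at the end. The following added example (not part of the original post) simulates that evaluation over a constructed copy of ACL 10, with the post's masked hosts replaced by RFC 5737 documentation addresses, and shows that a deny placed after `permit 172.30.0.0 0.0.255.255` is never reached while the same deny placed before it takes effect.

```python
"""Evaluate a Cisco standard ACL the way IOS does: top to bottom, first match
wins, implicit deny when nothing matches.

Added example, not code from the original post. The ACL text is constructed
from the post's structure; the xxx hosts are replaced with documentation
addresses, so it only demonstrates ordering, not the poster's real policy.
"""
import ipaddress
import re

BLOCKED_SUBNETS = [
    "172.30.201.0", "172.30.203.0", "172.30.204.0", "172.30.205.0",
    "172.30.206.0", "172.30.207.0", "172.30.209.0", "172.30.210.0",
]

LINE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny|remark)\s*(.*)$")


def build_acl(deny_before_permit: bool) -> str:
    """Constructed ACL 10: the eight deny lines go before or after the broad permit."""
    denies = [f"access-list 10 deny {s} 0.0.0.255" for s in BLOCKED_SUBNETS]
    head = [
        "access-list 10 remark Allow VTY Access",
        "access-list 10 permit 192.0.2.2",                # placeholder for xxx.xxx.xxx.2
        "access-list 10 permit 192.0.2.18",               # placeholder for xxx.xxx.xxx.18
        "access-list 10 permit 198.51.100.0 0.0.0.255",   # placeholder for 207.xxx.xxx.0
    ]
    broad = [
        "access-list 10 permit 172.30.0.0 0.0.255.255",
        "access-list 10 permit 172.20.20.0 0.0.0.255",
    ]
    lines = head + denies + broad if deny_before_permit else head + broad + denies
    return "\n".join(lines)


def parse_standard_acl(text: str) -> list:
    """Return (action, address, wildcard) tuples; remarks are skipped, as IOS does."""
    entries = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"not a standard ACL line: {raw!r}")
        _, action, rest = m.groups()
        if action == "remark":
            continue
        parts = rest.split()
        if parts[0] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif parts[0] == "host":
            addr, wild = parts[1], "0.0.0.0"
        elif len(parts) == 1:            # bare address is a host match
            addr, wild = parts[0], "0.0.0.0"
        else:
            addr, wild = parts[0], parts[1]
        entries.append((action,
                        int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wild))))
    return entries


def matches(entry: tuple, ip: int) -> bool:
    """Wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    _, addr, wild = entry
    care = 0xFFFFFFFF ^ wild
    return (ip & care) == (addr & care)


def evaluate(entries: list, source: str) -> tuple:
    """First matching entry decides: (action, index). Index None means implicit deny."""
    ip = int(ipaddress.IPv4Address(source))
    for idx, entry in enumerate(entries):
        if matches(entry, ip):
            return entry[0], idx
    return "deny", None


if __name__ == "__main__":
    after = parse_standard_acl(build_acl(deny_before_permit=False))
    before = parse_standard_acl(build_acl(deny_before_permit=True))
    print(evaluate(after, "172.30.201.5"))   # ('permit', 3): broad permit shadows the deny
    print(evaluate(before, "172.30.201.5"))  # ('deny', 3): deny is now seen first
    print(evaluate(before, "172.30.202.5"))  # ('permit', 11): not a blocked subnet
    print(evaluate(before, "10.1.1.1"))      # ('deny', None): implicit deny
```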



Help with network design/routing

We have 2 sites (labeled SITE #1 and SITE #2 on the diagram). These 2 sites are connected together via a 1G link. We are partnering with 2 remote sites (labeled REMOTE #1 and REMOTE #2 on the diagram). These remote sites manage their own networks and firewalls.

  • Site #1 connects to remote #1 via a 50m evpl
  • Site #1 connects to remote #2 via VPN

We have a need for an interpreting service from all 4 locations. The MPLS connection from us to them will be from SITE #2, and all 4 sites should be able to access the interpreter service through this site. Devices at any of the locations should be able to register their ipads/phones etc. using the interpreter service app and an IP provided by them. These devices should be able to access any IP in the 10.140.x.x range at the interpreter service location(s).

For Site 1, Site 2, and Remote 1, this will not be an issue because there is no network overlap. For Remote #2, they already use 10.140.x.x, which is what the interpreter service uses. We are looking for a way to have Remote 2 be able to access the interpreter service while also limiting the NAT configuration on the SITE 1 side. Since we do not manage these remote locations, we'd prefer any additional config for this be on their end, but I fear this may not be completely possible.

What are my options for allowing remote #2 access to the interpreter service applications (10.140.x.x) when they already use those addresses on their local network?

https://imgur.com/a/pDPWJ74



I need some advice.

I'm new to this, so I was doing some tcpdump experiments, and I came across something like this:

11:25:09.753455 IP {My linux box IP.}.jamlink > 122.221.45.236.23433: Flags [.], ack 6745, win 85, options [nop,nop,sack 1 {6744:6745}], length 0

I want to clarify a few areas:

  1. What is .jamlink?
  2. What is this unknown IP that appears with a port, 122.221.45.236.23433, when I call my Couchbase using IP and port?

My testing scenario: I've hosted a Couchbase server on my Linux box, and I'm trying to access it through a normal Windows machine that has a different IP.



ASR9001 : MPLS LDP missing?

I have installed the A9K-9001-AIP-LIC license and I'm using the Cisco IOS XR IP/MPLS Core software but for some reason I cannot seem to enable 'MPLS LDP'.

If I type 'MPLS ?' then I get the below options but not MPLS LDP:
ip-ttl-propagate
ipv4
ipv6
label
lsd
static

I'm obviously missing something and I'm hoping it's not another license. New to IOS XR so it may be that I'm doing something silly. Actually more likely to be this :)

Thanks



Inter-VLAN Routing

I know it sounds like a basic question, but I think I may be over-complicating things. I'm working in a test environment doing some learning with a Fortigate and an Aruba switch. For a small environment with half a dozen VLANs or so, do you do the inter-VLAN routing on the router, or flip the switch to L3 and do the inter-VLAN routing on the switch?

What is usually best case scenario for this, and what dictates one or the other?? Thanks!



Wednesday, June 27, 2018

Read-Only with TACACS+

I have recently spun up a TACACS+ server and got it configured in a test environment before we go live. I have been able to get mostly everything configured with the exception of a Read-Only user. I am using TacasGUI with MAVIS LDAP. The LDAP is working perfectly and the groups are working as they are supposed to. I am just unable to have any AAA-authenticated user actually show up as a Read-Only user. If I set an AD group in Tacacs to privilege level 15 they will get SU privileges, and any other level including 5 shows as Port-Config when doing a #show who command to check SSH connections. If I change Read-Only to use privilege level 15 it will then log in as an SU, so I know the groups are working and using the config in Tacacs. Below is a small snippet of my configs; maybe I am missing something obvious.

I have 3 AD groups Admins, Read-Only, and Ports-Only

Snippet from a test switch config (let me know if you need to see more)

Current configuration:
!
ver 08.0.30mbT311
!
stack unit 1
  module 1 icx6430c-12-port-management-module
  module 2 icx6430c-copper-2port-2g-module
  module 3 icx6430c-fiber-2port-2g-module

aaa authentication login default local tacacs+
aaa authentication login privilege-mode
aaa authorization exec default tacacs+ none
aaa accounting commands 0 default start-stop tacacs+
hostname Tacacs_Test
ip address 0.0.0.0 255.255.255.0

This is a snippet from my Tacacs config as well.

group = Admins {
  default service = permit
  service = shell {
    default cmd = permit
    set priv-lvl = 15
  }
} #END OF Admins

group = Read-Only {
  default service = permit
  service = shell {
    default cmd = permit
    set priv-lvl = 5
  }
} #END OF Read-Only

group = Ports-Only {
  default service = permit
  service = shell {
    default cmd = permit
    set priv-lvl = 4
  }
} #END OF Ports-Only

This is the #show who output while all 3 users (one in each group) are logged in.

 1      established, client ip address 0.0.0.0, server hostkey DSA, user is test13784, privilege port-config
        using vrf default-vrf.
        32 second(s) in idle
 2      established, client ip address 0.0.0.0, server hostkey DSA, user is curtinr, privilege super-user
        using vrf default-vrf.
        you are connecting to this session
        56 second(s) in idle
 3      established, client ip address 0.0.0.0, server hostkey DSA, user is test12689, privilege port-config
        using vrf default-vrf.
        5 second(s) in idle

So as you can see, even though Read-Only is set to 5 and Ports-Only is set to 4, both users appear to have Port-Config privileges. I have tested level 5 on a local user and it shows as having true level 5 Read-Only privileges, just not when using AAA. My account curtinr is in the Admins group, Test13784 is in the Read-Only group, and Test12689 is in the Port-Only group.



how to connect to my home surveillance camera when my phone is not connected to the wi-fi connection of my house

Hello,

This is the situation for which I need to find a solution. Some time ago I bought a surveillance camera that I want to use to monitor my home. I can see the video produced by the camera with an Android app. The problem is that it works only when I'm inside my home and my phone is connected to the wifi network. When I'm not inside and I'm connected only through the 4G connection of my phone, I can't connect to the video captured by the camera. I'm pretty sure that I can find a solution to fix this problem. The easiest one could be to use my computer to make some kind of bounce, but I don't want to keep the PC on only to achieve this goal. So, I would like to know if there is a lighter solution. I don't know, maybe an Android app that can re-route the signal?



Set up my own ONT on fiber network

Like title says, I want to learn how I would setup my own ONT on a fiber network in an apartment with fttp. I don't want to break the law (or any community posting rules), but I'm interested in learning more about networking in general. Dr. Google hasn't gotten me very far, so can anyone point me in the direction of another website, forum, or other source of information where I can learn about how this might be accomplished? Thanks!



Fiber and SFP Questions - What type of Fiber is this? (Pics included)

Hey guys,

Our company has recently purchased a facility off another company, but apparently as a part of the deal they get the networking switchgear back. Our current standard is Cisco SG200 and SG500 stuff at most of our sites (extremely simplistic networking).

I've been out of the networking game for over 10 years so I need some assistance regarding what type of SFPs I might need. My apologies if this is too simplistic of a question.

The site essentially has two trailers connected with underground fiber. See the second picture in this link -- this is LC fiber - correct?

Second question -- in the first picture from the link above, I'm at a bit of a loss. Why would a normal Cat5e cable be going into the slot here? On the other end it's just plugged in to one of the normal switchports... Maybe it's a 10/100 switch, and the module is Gig? That's the only reason I can think of why a module would be used there...



Condo has ethernet ports in wall, how to connect them to my single home network?

I just got a Steam Link and want to play it with a wired connection to my network. Right now I have my router connected to the ethernet port in the wall, and that gives me internet for my home PC and wireless network.

I have another wall socket in the bedroom (where the steam link is). I'd like to connect this to the same network so that I can stream games. I have a second router available to me, but I can't access the network closet for the building.

Is it possible to achieve what I want?



Cisco 4431 can ping Layer 3 Nexus 9k's but can't ping past it

So I have a 4431 router connected to an HP 5412 switch(Layer 2 only), and the HP is connected to a pair of Nexus 9k via a port channel. The 4431 can ping the Nexus, and has a default route going through the Nexus IP address. Other devices on the same subnet as the 4431 work perfectly.

The 4431 can also ping other IP addresses on the Nexuses that aren't on the same subnet, but can't ping devices on those subnets.

Any ideas on what could be causing this? This was all working yesterday, and no changes were made.

This almost feels like the router is sending all traffic out with a TTL of 1. But again, no changes were made, and there is no TTL command. Is there an easy way to test this TTL theory, or any other angles I should troubleshoot this from?



How to get captive portal to appear when accessing apps

Does captive portal behave differently on apps on different Android version? When I use an app and if my login radius session times out, I get a no Internet message. How could I get the cp login to pop up?



Cisco VLAN - no internet connection for guests via wlan access points

Maybe an easy-to-solve problem. I have 2 Cisco WLAN access points connected to a Cisco switch, and this switch is connected to a Cisco small business router on one of the 4 LAN ports. The router itself connects to the internet via its first WAN port. I have the 3 default VLANs 1, 25 and 100 but only want to use 1 and 25. I want to put the internal WLAN access into VLAN 1 and the guest WLAN into VLAN 25. So I chose VLAN 25 in the setup of the access points for the guest network. Now if I try to connect as a guest, it gets an IP from the DHCP service on the router, says it's connected, and after some seconds shows "no internet connection".

I assume the packets that come back as answers from outside aren't routed correctly. Is this more a problem with tagging the packets, or with routing them differently, or do I need to set up some additional firewall rules?

Thanks in advance :)



Brocade-Networkswitch - SNMP-Monitoring-Problem

Hello Networking-Community!

I have a kind of a special problem and I think I need your help with it. I hope the r/networking subreddit is the right location to post a question like this.

Short-story:

We use PRTG to monitor our environment and have a Brocade VDX with NOS v2.0.1a (old version, I know). This VDX is used to connect our Unisphere storage to the ESX hosts. We had some performance issues recently and want to find the cause, so we decided to monitor the bandwidth of the ports of our datastore switch.

My problem:

Okay, no problem (I thought): I added SNMP bandwidth sensors for each port, but there is no bandwidth shown (stays at 0 kb/s)... Last but not least, I figured out how to get values with an SNMP browser, added the index of an interface I want to monitor, and found the following:

INTERFACE: 1/0/15, 10GBe, SNMP-Index: 403636238, Descr.: DATA-ESX05

- ifSpeed: OID:1.3.6.1.2.1.2.2.1.5.403636238 value: 4,294,967,295

- ifHighSpeed: OID:1.3.6.1.2.31.1.1.1.15.403636238 value: 10000

Manual - page 20 and page 35

http://jp.fujitsu.com/platform/server/primergy/products/note/other/NOS_MIB_v300.pdf

Analysis:

ifHighSpeed returns the right value. We have a 10GbE interface behind the index and everything is okay. If I try to get the bandwidth with SSH (show interface tengigabitethernet 1/0/15) I get information about the interface and something like this:

Rate info (interval 299 seconds):

Input 14.505856 Mbits/sec, 501 packets/sec, 0.15% of line-rate

Output 10.931722 Mbits/sec, 427 packets/sec, 0.11% of line-rate

ifSpeed definition from the manual (link above):

"An estimate (in bits per second) of the current bandwidth of the interface. For interfaces that do not vary in bandwidth or interfaces for which no accurate estimation can be made, this object must contain the nominal bandwidth. If the bandwidth of the interface is greater than the maximum value reportable by this object then this object must report its maximum value (4,294,967,295) and ifHighSpeed must be used to report the interface speed. For a sub-layer which has no concept of bandwidth, this object must be zero."

I want to get this info with SNMP to monitor it with PRTG, but PRTG doesn't get this info and my SNMP value seems to be at the maximum (per the documentation). I'm out of ideas at the moment. Do you guys have any tips on how to get the right value?

Thank you very much!



EVC

Hi, this link discusses the process/operation of EVC and I just want to clarify a few things.

https://supportforums.cisco.com/t5/network-infrastructure-documents/understanding-ethernet-virtual-circuits-evc/tac-p/3406382#M5476

The "Order of operation" section mentions that, for example, once we have already categorized the received frame, the next action will be "pop" and forward the untagged frame to the BDI.

What if we are using the EFP as a trunk?

interface GigabitEthernet0/1/2    (Pointing to Customer/Partner)
 service instance trunk 1 ethernet
  encapsulation dot1q 30-40
  rewrite ingress tag pop 1 symmetric
  bridge-domain from-encapsulation    (Derives BDI from encapsulation)

When a V30 frame (ingress) comes in, it will be categorized and mapped to SI1, which will then "pop" the first tag, which is V30, and forward to BDI 30 or 40.

Q:

  1. Now my question is: since we pop the first tag, how can we know what outer tag will be used (30-40), and how can the ASR know which BDI the untagged frame will be forwarded to, since it is already untagged?

  2. What is the equivalent config of these IOS commands in XR?

    In IOS:

---VLAN CREATION
vlan 1
 name test
vlan 2
 name test2

---Access port
interface FastEthernet0/3/2
 switchport access vlan 1

---TRUNK MODE
interface FastEthernet0/3/1
 switchport mode trunk
 switchport trunk allowed vlan add vlan1, vlan2, vlan3

Thank you



IPSEC tunnel connection to another organization

Kind of an odd scenario here. I currently have IPsec tunnels to my VPN concentrator that act as failover connections in the event that the primary connection fails, but I need to point them to another organization's concentrator (Meraki firewall). If I point those tunnels to their destination address and the tunnels come up, will we experience any routing issues once those tunnels are established? As I said, these tunnels are not being used when the primary connection is up. I'm looking to do this because the other organization is taking over a few offices at EoB, and we will be disconnecting these offices from their primary connection, thus taking them off our network and allowing the other organization to gain access to these devices over the VPN tunnels. I'm trying to avoid having to change things after hours and having to be consoled in to make the changes once the connection to our network has been severed.



Business Idea

So I am currently taking a level 3 Networking and Cyber Security course at college, looking to go for another year and possibly university. I have had the idea of, in the near future, setting up a business to help support home networks with general stuff like house coverage and configuring them correctly, then further on from that setting up office networks, but to start with, mostly home networking. I've looked at the Ubiquiti courses and probably will be taking them, as I would be using mostly Ubiquiti as my preferred hardware (and software). What I was wondering is if there are any other courses I should take or anything important to know. I'd say I have a pretty good understanding so far of setting things up, but is there anything else I would need? If so, what would you recommend? Thanks.



Middle of network packet sniffer tools [Advice needed]

Hi Guys,

We have a few Sonicwall NSA 3600 firewalls which we use to monitor traffic from IP to IP, to see which ports are getting dropped and open ports as needed.

Moving forward, I was wondering what we can do to do this without using the firewall's packet monitor, e.g. something like Wireshark, but in the middle of the network, to monitor packets between a specific source IP and a specific destination IP. We currently do this by installing Wireshark on the desired source/destination machine and filtering by the source/destination; surely there is a better way to do this without having to install Wireshark on every server?

Hope this makes sense



If you leased bandwidth from an upstream supplier, what kit (specifics welcome) would you need to be an ISP provider for a few hundred people?

Just curious really, we're all sick of the customer service we get and I'd like to know what would actually be required. I assume you'd need a router/switches/server. Could you do anything with a clever implementation of IPtables? Would it be within reach of someone who's starting from scratch but happy to learn and is comfortable in a linux environment?



New SLX9640 1RU router by Extreme Networks was revealed at the Interop Tokyo 2018

Here is the official press release in Japanese:

https://jp.extremenetworks.com/blog/news_20180612/

TL;DR

  • 12 x 100 GbE with breakout to 25 & 40 GbE
  • 24 x 10GbE
  • 6 GB deep packet buffers
  • MPLS, BGP, ...
  • Support for 4 million IPv4 routes, 800k IPv6 routes


Tuesday, June 26, 2018

Saturating WAN links

I have a lab setup spanning across a couple of cities for testing and sales demos and what not. Lately it has been used mainly for SDWAN stuff. Each city has a Spirent traffic generator and it's been handy for testing use cases over real WAN links and then congesting them, seeing how everything behaves, etc.

The issue I've come across now is that my company wants to add another city into the mix but we don't have the budget for another Spirent box. I tried iPerf to load up the WAN connections but only achieved about 12 Mbps on a 50 Mbps circuit.

Can iPerf do what I want it to do, or should I be looking at something else?



Dumb juniper routing question.

The setup is basically 5 VLANs that are private subnets, all with either an IRB or VRF as the gateway on the Juniper, and 1 VLAN that has public addresses with the gateway also being the Juniper. I do not want the public addresses to be able to route to the private addresses, but they can. Would it be best practice to firewall those off inside the Juniper, or null route those subnets on the public VLAN's IRB? I've never set up a router that would allow this setup as "the default"; I didn't tell it to route the publics to the privates or to allow that traffic, but it is...



DNS Server continues to get a bad entry

I keep deleting an entry in our Windows Server 2016 DNS server and it keeps reappearing. I have deleted it out of all 3 of our DNS servers and within an hour it's back. Any way to tell what's adding it back in the logs? The Active Directory server is acting as DNS authority, which then propagates to a second AD and a third non-AD DNS server.



Cisco ISE

Sorry for the vague question, but I wanted to hear everyone's input on Cisco ISE. Is it worth it?



BGP Aggregate route vs Summarizing a route

Hey Guys, got a quick question we are a little confused on.

Background: We are using Azure cloud and we advertise our satellite sites under our BGP statement at our Data Center so that Azure knows to come to our Data Center to reach our satellite sites. These satellite sites are connected to the data center via MPLS or VPN. Keeping that in mind, our BGP list of networks is huge and we have to manually input them under BGP. We had 2 ideas given to us by an engineer at Cisco Live.

  1. Use an aggregate route which essentially would summarize all of our routes, say 192.168.X.X/16

  2. Or using a summary route as 192.168.X.X/16

Our question is what's the difference between summarizing a network vs using an aggregate address? Or do you guys have a better idea so that we don't have to manually add a statement under BGP every time a new site comes up?



Questions/Advice Concerning BGP

Hello all,

First of all, small introduction: I'm a system and network admin working for a small company (150).

I am in charge of our internal network and some clients' infrastructures hosted in datacenters.

My questions concern one of these infrastructures, where I was tasked with replacing the firewalls with newer Cisco ASAs running 9.9 ASA firmware. Up to this point, no problems that couldn't be handled.

Here is a link to a representation of it

As you can see, pretty simple setup and easy to maintain:

Site 1 is production site

Site 2 is the backup site

Both sites are connected to two ISPs: one Internet and the other a 'private network', a VPN/MPLS for clients (to be honest I don't know what is behind it).

Site-to-Site VPN is UP between the two sites through Internet.

We don't have any control over the routers; they're not under our control.

On a daily basis, apps and flows go to site 1, and if site 1 is down, only traffic from the 'private network' should be automatically redirected to site 2.

As of today, no automatic failover is in place, client-side apps have to manually change IPs to connect to site 2.

I am not going to detail system wise, but a replication is in place between the two sites across a dedicated link connected directly to the datacenters.

Alright, the problem now is to be able to make incoming flows from the private network to site 1 redirected to site 2 if site 1 is down (all of it, even network equipment).

So multiple ways of doing that right? DNS, loadbalancers.

But, clients want BGP..

And that is where I ask for some help understanding all of this. I am not new to networking, and can handle myself pretty well but BGP is way out..

This private network is an AS but not under our control, that gives us a few IPs that we want to advertise, for example: if x.x.x.x is not available, redirect to y.y.y.y. Clients saw BGP as simple as that, but I know it isn't.

As I understand BGP, it is a routing protocol that advertises IP routes, that can be used either internally to an AS or to advertise IP routes to other ASes. As far as I also understand, the BGP protocol is used by ISPs or big network owners, and for small networks, to advertise default routes for outgoing traffic.

I tried to study BGP, study examples on forums, but I am hitting a wall

I know that BGP can be used, I have to doubt, but as far as I understand, BGP should be implemented by the private network ISP to redirect the IPs itself.

These IPs are not even configured on the firewalls.. but on the routers..

What I want to know, is: is it possible to implement BGP myself between the two firewalls (BGP capable) or do I need something from the ISP?

I don't know if I have been clear enough

Many Thanks



Microsoft AS8075 looking glass availability?

Hi,

I am wondering is there any public routeserver/looking glass available for Microsoft AS8075?

I have been having trouble reaching some AS8075 IP space for about a week (Xbox Live related) through one upstream ISP/T1 carrier. (Others work OK, from the same router, same IP space (I announce my IP space via BGP), so this excludes hardware related problems or being blacklisted, just a different outgoing ISP/T1 carrier).

The problematic AS8075 IP space is not even reachable via the PtP /30 address provided by this particular upstream carrier for eBGP neighbour connectivity. So this excludes problems with my own IP space/BGP configuration.

A single traceroute from AS8075 or "show ip bgp" command to one of my ip addresses would solve the mystery since the carrier claims everything is fine.

I tried sending a mail to [ioc@microsoft.com](mailto:ioc@microsoft.com) for a traceroute request but no response at all for over a week.



BGP in DC - Do you use route reflectors or confederation?

Hello networking

We run BGP / MPLS L3 VPN in the datacenter with a relatively small number of peers. However, we are going to be increasing the number of BGP routers as we replace old equipment that was previously in a "legacy" part of the network. The full mesh iBGP configuration is getting longer and bothersome. I am looking at using route reflectors for scaling, but I am going back and forth between which routers in the topology to use for it. I am somewhat knowledgeable of the rules/limitations of RR in regards to path advertisements and selections, but I'm afraid I'll be negatively surprised by something along the road. The RR would be either a pair of NX7706 or ASR9901, where the NX is in the core and the ASR is outside the dataplane of 90% of the traffic it'd be RR for.

We also run BGP DMVPN with "internal" EBGP design, so we'd not be strangers to using a design such as an AS number for each rack.

I know this post doesn't contain a lot of detail and there are a ton of things to consider, but the implementation is a way down the road. So I'm looking for some general advice or pitfalls that someone has experienced implementing scalable BGP solutions in the datacenter.



Ping Standby ASA IP

Recently taken over an ASA pair running active/standby. I did a failover test but noticed that the primary IP did not follow to the secondary unit when I failed over from the primary.

Primary IP - x.53

Secondary IP - x.54

When I failed over to secondary, I thought the x.53 IP should have followed it over? Instead I had to access them via .54.

Am I missing something or just being silly?

If I run the following on the primary unit:

#failover exec standby show interface

then the management interface on the standby unit shows:

Interface Management1/1 "MGMT", is down, line protocol is down

EDIT:

Think I've found the reason:

Management Port Configuration Changes

The ASA 5500-X Series introduced a shared management port for firewall and IPS services. There are certain caveats to follow during migration from the ASA 5500 Series.

• The shared management port cannot be used as a data port. All through-the-box traffic arriving at the management port will be dropped implicitly. This cannot be disabled.

• The shared management port cannot be used as a part of a high availability configuration.



how closely can frames be spaced on a 10G line?

Hi guys, I was doing some research on how I can avoid queuing at my NICs and was looking at texts that answer the following, but got no conclusive answer. In theory, how closely can frames be spaced on a 10G line, or what is the minimum possible time gap between 2 frames on a 10G line? Would appreciate any inputs. I have looked at 9.6 ns of interframe gap, but I am observing the limit is higher, ~74 ns. What's the explanation?
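A worked calculation of the numbers in the question, added here as an example and not part of the post: the 9.6 ns figure is the 96-bit inter-frame gap alone, which only bounds the distance between the end of one frame and the start of the next; the closest two frame starts can be also includes the preamble/SFD and the frame itself, so it depends on frame size.

```python
# IEEE 802.3 per-frame wire overhead, in bytes.
PREAMBLE_SFD = 8   # 7 bytes preamble + 1 byte start-frame delimiter
IFG = 12           # minimum inter-frame gap, 96 bit times
MIN_FRAME = 64     # minimum frame size including the 4-byte FCS
MAX_FRAME = 1518   # standard maximum without a VLAN tag

TEN_GIG = 10e9     # bits per second


def gap_ns(rate_bps):
    """Duration of the inter-frame gap alone at the given line rate."""
    return IFG * 8 / rate_bps * 1e9


def frame_spacing_ns(frame_bytes, rate_bps):
    """Minimum start-of-frame to start-of-frame spacing.

    Back-to-back frames on the wire are preamble + frame + IFG, so the
    next frame cannot begin until all three have been clocked out.
    """
    wire_bits = (PREAMBLE_SFD + frame_bytes + IFG) * 8
    return wire_bits / rate_bps * 1e9


def max_fps(frame_bytes, rate_bps):
    """Line-rate frames per second for back-to-back frames of this size."""
    wire_bits = (PREAMBLE_SFD + frame_bytes + IFG) * 8
    return rate_bps / wire_bits


def spacing_table(rate_bps, sizes=(MIN_FRAME, 128, 512, MAX_FRAME)):
    """Frame size -> (start-to-start ns, max frames/s) for a quick look."""
    return {s: (frame_spacing_ns(s, rate_bps), max_fps(s, rate_bps))
            for s in sizes}


if __name__ == "__main__":
    print(f"IFG alone at 10G: {gap_ns(TEN_GIG):.1f} ns")
    for size, (ns, fps) in spacing_table(TEN_GIG).items():
        print(f"{size:5d}-byte frames: {ns:8.1f} ns apart, {fps:12,.0f} frames/s")
```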



Monday, June 25, 2018

Issue with STP Root

From what I understand of STP root, I should be setting the switch I want as the root STP switch with the lowest priority. For some reason I have the same model switches not recognizing the MDF switch as root. I have uploaded screenshots to show the issue.

https://imgur.com/a/6cocmHr
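How the root election actually compares switches, as an added example with constructed switch data (not the poster's switches): the bridge ID is priority (with the VLAN folded in on per-VLAN spanning tree) followed by the MAC address, and the numerically lowest ID wins, so equal priorities fall through to the MAC.

```python
# Constructed example of STP root bridge election. Per-VLAN spanning tree
# (PVST+/Rapid-PVST) packs the VLAN ID into the low 12 bits of the priority
# field, so a configured priority must be a multiple of 4096 and is per VLAN.

def bridge_id(priority, vlan, mac):
    """8-byte bridge ID as an int: 16-bit (priority + vlan) then 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    mac_int = int(mac.replace(":", "").replace(".", ""), 16)
    return ((priority + vlan) << 48) | mac_int


def elect_root(switches, vlan):
    """switches: {name: (priority, mac)}. Returns the root for this VLAN."""
    return min(switches,
               key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


# All three at the factory default priority of 32768 (constructed MACs).
DEFAULTS = {
    "MDF":  (32768, "00:1a:2b:3c:4d:ff"),   # the switch we *want* as root
    "IDF1": (32768, "00:1a:2b:3c:4d:01"),   # lowest MAC, so it wins on a tie
    "IDF2": (32768, "00:1a:2b:3c:4d:80"),
}

# Same topology after lowering only the MDF priority for this VLAN.
MDF_LOWERED = dict(DEFAULTS, MDF=(4096, "00:1a:2b:3c:4d:ff"))


if __name__ == "__main__":
    print("root with default priorities:", elect_root(DEFAULTS, 10))
    print("root with MDF at 4096:       ", elect_root(MDF_LOWERED, 10))
```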



Any around with Brocade ADX Load Balancer experience?

We're troubleshooting an issue with our LoadBalancers where they don't seem to be load balancing properly.

Our load balancing algorithm is set to 'least connections' so it should be sending traffic to whichever webserver has the least number of active connections.

But what we are seeing is that all connections being made to the service from our WAN IP are going to the same webserver.

Does the load balancing algorithm only take our source IP into consideration when load balancing? Or does it see the source port so it knows requests are coming from multiple different machines behind a NATed IP?



Handling slowness issues

We have a radiology application that gets reported being slowed all the time and I always show that the wan link is clean and not the cause of the slowness. Is there a good way to prove that the application is being slow using packet capture or some other means? How do you all usually handle slowness reports.
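One way to make the capture tell the story, as an added example (not the poster's data or tooling): compare the network round trip seen in the TCP handshake with how long the server takes to ACK a request versus how long it takes to send the first byte of the answer. The packet records below are constructed for one request/response as seen at the client; a real capture's equivalent fields can be exported from a pcap with tshark.

```python
from collections import namedtuple

# Constructed packet records: timestamp (s), src, dst, TCP flags, payload bytes.
Pkt = namedtuple("Pkt", "ts src dst flags payload")

CLIENT, SERVER = "10.1.1.50", "10.2.2.10"   # hypothetical workstation / PACS server

CAPTURE = [
    Pkt(0.000, CLIENT, SERVER, "S",  0),     # SYN
    Pkt(0.041, SERVER, CLIENT, "SA", 0),     # SYN/ACK: 41 ms WAN round trip
    Pkt(0.041, CLIENT, SERVER, "A",  0),
    Pkt(0.100, CLIENT, SERVER, "PA", 512),   # client sends the study request
    Pkt(0.141, SERVER, CLIENT, "A",  0),     # server's stack ACKs it after one RTT
    Pkt(3.350, SERVER, CLIENT, "PA", 1400),  # first response byte, 3.25 s later
    Pkt(3.352, SERVER, CLIENT, "PA", 1400),
]


def handshake_rtt(pkts):
    """Network round trip: SYN out to SYN/ACK back, no application involved."""
    syn = next(p for p in pkts if p.flags == "S")
    synack = next(p for p in pkts if p.flags == "SA" and p.ts >= syn.ts)
    return synack.ts - syn.ts


def request_timing(pkts, client, server):
    """(delay until the server ACKs the request, delay until first response byte)."""
    req = next(p for p in pkts if p.src == client and p.payload > 0)
    ack = next(p for p in pkts
               if p.src == server and p.ts > req.ts and p.payload == 0)
    data = next(p for p in pkts
                if p.src == server and p.ts > req.ts and p.payload > 0)
    return ack.ts - req.ts, data.ts - req.ts


def classify(pkts, client, server, tolerance=2.0):
    """'network' if even the kernel-level ACK is slow compared with the handshake
    RTT; 'application' if the ACK is prompt but the data is late; else 'ok'."""
    rtt = handshake_rtt(pkts)
    ack_delay, first_byte = request_timing(pkts, client, server)
    if ack_delay > tolerance * rtt:
        return "network"
    if first_byte > tolerance * rtt:
        return "application"
    return "ok"


if __name__ == "__main__":
    rtt = handshake_rtt(CAPTURE)
    ack_delay, first_byte = request_timing(CAPTURE, CLIENT, SERVER)
    print(f"RTT {rtt*1000:.0f} ms, ACK after {ack_delay*1000:.0f} ms, "
          f"first byte after {first_byte*1000:.0f} ms -> "
          f"{classify(CAPTURE, CLIENT, SERVER)}")
```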



I think I have the fastest RMA approval in history.

I had an issue with a Cisco 3750X. I submitted the TAC case, and got the confirmation email at 1:10 PM. At 1:18 PM, I received an email from the TAC engineer, asking for shipment details to send out a new switch.

Eight minutes. For them to approve an RMA. No asking me to upgrade firmware, no troubleshooting, nothing.

If you're curious, I think this is what made it go so quick:

000127: Jun 14 15:22:03.761 EDT: PSECURE: Assert failure: psecure_sb->info.num_addrs <= psecure_sb->max_addrs: ../switch/psecure/psecure_utils.c: 165: psecure_update_address_counts (c3750x-xxxxxxxxxxxx-2) 

(For reference, an "Assert" error message is a message put in by the software developer to error out in case something happens that should never happen. In this particular case, it includes the source code file, line number, and function name so the developers can go look at their code. This is beyond a normal bug!)


What was your fastest RMA approval?



Opengear: World Sim Card

I currently have 3 Opengear devices deployed in 3 different countries, each with their own SIM card, from 3 different providers.

I just started to do some digging on a 'world wide SIM card' possibility. I thought I'd ask here:

Has anyone used a world wide SIM card for M2M? More specifically, with an Opengear device?

I'm looking for the convenience of having one company to work through issues with and to be able to configure the SIM cards in the US and ship to different countries and still have them work properly.



Opengear Community

Let's start an Opengear Community

r/opengearhelp



Network Certs, Degrees and their relevance

Hey guys: New to this Reddit community but it seemed an appropriate place to put these thoughts. I am currently a senior graduating with an Information Technology Infrastructure B.A.S with a Networking/DevOps emphasis hoping to get into either field. I am currently weighing the pros and cons of getting a Network+, CCENT, CCNA and/or other relevant certifications to the industry. I am wondering if these things are really useful in helping secure jobs and if the knowledge I gain will add to my knowledge from my degree. I know the Network+ is more generalized whereas the CC stuff is Cisco oriented.



L2xconnect (PW) Issue

Hi, I do have a neighbor peer passing thru "Option B - MPLS NNI" and my PW cannot establish. Also, there is no route path detected, same with the remote label?

Local interface: Gi0/3/7.300 up, line protocol up, Eth VLAN 300 down

Destination address: 185.1.11.1, VC ID: 882, VC status: down

Last error: Local access circuit is not ready for label advertise <-----

Output interface: none, imposed label stack {} <-----

Preferred path: not configured <-----

Default path: no route <-----

No adjacency

Create time: 00:37:44, last status change time: 6w1d

Last label FSM state change time: 00:00:03

Signaling protocol: LDP, peer unknown <-----

Targeted Hello: 63.223.14.8(LDP Id) -> c, LDP is DOWN, no binding <-----

MPLS VC labels: local 9330, remote unassigned <-----

Group ID: local 16, remote unknown

MTU: local 1618, remote unknown

Remote interface description:

Sequencing: receive disabled, send disabled

Control Word: On (configured: autosense)

SSO Descriptor: 185.1.11.1/882, local label: 9330 <-----

Thank you



Sunday, June 24, 2018

Cisco ISR or Ubiquiti EdgeRouter Pro

Hello,

Note: This is for my homelab | Current ISP plan is 300/300

As I'm upgrading from a 10/100 Cisco 1841, I'm in the search for a new router. I can't decide between a newer ISR or a Ubiquiti. The Ubiquiti one is a lot cheaper than it would be for me to carry out a Cisco for over $XXXX.

I do prefer command line, but I am not shy of using the wonderful UI that Ubiquiti provides. As I might have future plans to upgrade to the APs that they provide.

I have a few friends (other SysAdmins) who are referring me to go Ubiquiti due to its ease of setup as well as being future proof.

TLDR; Does anyone here have experience with either? Possibly give a bit of an insight on which might be better?

Much Appreciated.



My last few days on CenturyLink, any ideas?

 3 341 ms 314 ms 259 ms eugn-dsl-gw26.eugn.qwest.net [67.42.192.26]
 4 285 ms 329 ms 327 ms eugn-agw1.inet.qwest.net [67.42.193.201]
 5 314 ms 275 ms 260 ms sea-edge-12.inet.qwest.net [67.14.41.62]
 6 256 ms 298 ms 274 ms 63-158-222-114.dia.static.qwest.net [63.158.222.114]
 7 321 ms 328 ms 315 ms 108.170.245.107
 8 261 ms 286 ms 302 ms 72.14.233.116
 9 266 ms 302 ms 300 ms 216.239.46.126
10 410 ms 399 ms 388 ms 216.239.59.1
11 485 ms 456 ms 385 ms 216.239.42.91
12 * 478 ms 445 ms 216.239.51.118
13 434 ms 456 ms * 72.14.238.255
14 309 ms 430 ms 471 ms 216.239.47.207
15 491 ms 499 ms 485 ms 209.85.253.29
16 * 479 ms 502 ms 209.85.241.228
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 197 ms 197 ms 197 ms lu-in-f106.1e100.net [74.125.131.106]
Trace complete.


Hey Guys, Does This Sound like a Good Idea?

Hello,

Thanks for reading my post. Sorry for the generic headline, but I don't really want to go into specifics on my current awful job situation because it would be almost a freaking novel. I really need some feedback and will try to keep this as brief as possible.

So here's my situation. My employers forced me into a job role where I am now the assistant to the network admin. This is completely new to me, and he has given me zero guidance or showed a willingness to help me in this role. Well, the guy trashed me on my evaluation. His big complaint is that I haven't tried to take on new job roles. So that has left me trying to brainstorm ideas to improve the IT department. Currently I think the IT director is running the department in a manner that could be disastrous. He has put his complete faith in one guy to run the whole network and this guy is really the only person who knows everything. Nothing is documented. Nothing about the servers, network schemas, really only an inventory database which is done in Access.

One idea that came to me is to create a kind of weekly state of the union IT document that will be stored and archived. The document will cover things like network status, current drive space, any errors or changes made. That way if something bad did happen, we have a complete history of when and what was done.

What do you guys think? Does this sound like a good idea? Since I know very little about network administration, maybe things are done a different way. Does your organization do something similar?



Downside of routing between SVIs instead of routed interfaces?

I have worked on multiple campus LANs over the last few years that are entirely VLAN based even for routed traffic going between SVIs over a routing VLAN with the trunks passing both layer 2 and 3 traffic. I’ve never seen it recommended or even much talked about in textbooks. Do any of you work with a design like this or if you’ve moved away from it, how did you convince them that it’s better to separate the two layers fully? Are there any major disadvantages?



Just want to be great.

No right or wrong opinion to this post, I'm just curious to your thoughts and would love some advice. I have been in the networking field for about 6 years now, between the Army and now as a DOD contractor.. I'll be pursuing a CCIE Routing and Switching next year.

My question is... in other fields you have doctors and researchers etc. that write papers on innovations in their industry that help them stand out and show expertise.

In networking, do these same opportunities present themselves for me to do? I have a passion for routing and switching, but what can I write about spanning tree protocol or EIGRP that hasn't already been said? Just trying to see if there is any room for innovation or creativity..



USB WiFi adapter for packet capture

Does anyone have a current recommendation for a USB WiFi adapter that supports multiple radios with all current bands, and can run promiscuous mode in all bands on all radios?

I remember a few years back I had two identically looking Linksys USB adapters, same model but different revisions, one could run promiscuous, one could not. That one only went up to G band... what is the latest set, (a/b/g/n/ac), or are there new ones ?

TIA!



What is "good enough" security in your mind when designing a network?

I realize that this is a pretty nebulous and open ended question. There are definitely many needs/requirements for networks (PCI being one of them), and of course not all networks are the same in their needs for security. I just felt that maybe it would be good to have a discussion about this just to see where we all kinda are in this oft heated topic.

However from what you guys/gals have seen, where do you feel is a good point of compromise of security for most use cases, and how have you/your company/your group achieved it?

Thank you :)



Requesting some advice from my fellow network admins

Dear fellow network geeks,

I have been lurking this subreddit for a while and decided to make this post.

First off a small introduction: I'm a 29 y/o network engineer and I work for a private cloud based company in the Netherlands. We are currently making little baby steps into Azure. We basically host Citrix environments for our customers in a shared environment.

After working as a system administrator for 5 years, I made the decision (3 years ago) that I wanted to pursue a career in network administration. My company signed me up for a CCNA fast track course and ever since I have been working on our network devices. In the last years the colleagues that I used to work with left the company and now I am one of the few remaining network engineers at my company.

We are running FortiGates, HPE Comware switches, 2x Juniper MX routers, 2x Juniper SRX routers and a few Cisco IOS Routers/Switches. We also run Netscaler virtual appliances.

Now let me start by saying that in terms of network administration, everything we did until now was based on incident management (solving issues) and we never really "managed" the network. A little while ago my company decided that it was time my focus changed from solving problems to proactively managing our network (Yay!).

I decided that the first items I need to look at are:

- Network monitoring

- Device backups

- Device firmware

- Network automation

As of now I only have 3 years of experience in network administration, so I am kind of looking for advice on the topics...

Network monitoring

I have decided to setup Zabbix and do basic monitoring of all my network devices in Zabbix. This is working fine for now. We have a base network monitoring and if we need more in-depth monitoring in the future we are always able to expand with a different tool if needed.

Device backups

We are now backing up all our devices using Kiwi CatTools. Do you guys have any recommendations/advice on this? Are there better tools around for the job?

Device firmware

I honestly don't know how to start here. Right now we do not keep track of firmware levels at all. How do you guys keep track of firmware updates for different vendors and how do you decide if you want to upgrade your devices or not?

Network automation

I am looking into automating simple tasks using Ansible. (Right now everything is done by hand which seems a bit silly to me) I am not really sure if it will fit my needs. How do you guys automate tasks on your network devices? Most solutions will only work for specific vendors, but I kinda need an all-in-one solution and Ansible seemed to be the best place to start..

I am not asking you guys to do my job for me, but maybe you are able to provide me with some sort of advice or start some discussion on the above topics. For me the above are the basics that need to be in place first before anything else, but if you have any advice on that then please let me know as well.. :-)

If these kinds of topics are not welcome in this subreddit then let me know!