Saturday, August 18, 2018

[RANT] When your internet's out at your apartment for days due to a layer 2 issue ...

Wall jack stopped working. More than that, the WAN port on my firewall is suspiciously fried ...

Happened Thursday, soonest availability Sunday morning. For something I could fix myself in 5 minutes with the network closet key (even if it meant unplugging someone to use a different switch / port) ..

Yeah. Doesn't help the guys I called don't know what a fucking cable tester is or what a cable tester not listing off link speeds means and are asking if "I have a triangle." Even putting it in terms of no light on a port using a real PC didn't satisfy 'em. Gotta have the triangle. Gotta try going to google ... speed test ...

I'm drunk and high key want to strangle someone. Move the damn patch cable to another switch port already. They don't even have any kind of layer 2 isolation set up that would prevent one from doing this .... Bet anything none of it's labeled and I'll end up toning the damn thing with my tester since apparently these chucklefucks haven't seen the Fluke logo before.

So not only do I have a few $$$ in ESD damage (going to be running network through my UPS from now on ... replaced a working one w/ one that has a gigabit CAT6 protection circuit instead of downgrading the run to 100mbps) but they can't even pull off a 5 minute fix. Nope. Gotta see the jack. Even though the tester sees all 8 strands and reports well over 100 feet of distance ...



How does the payment card system work?

I don't know if this is the right sub for this question, but if it isn't I don't know what is.

If someone could answer a few key things that would be greatly appreciated.

What protocols do credit/debit card transactions use (i.e. I use my card at McDonalds, how is cost info sent to my bank)?

What does a transaction look like on a network? Packet layout, data structure, that sort of thing.

Is any part of this system open source/ have public information available?

I've googled this many times and all of the articles I've found just explain how banks work on a broad scale and don't discuss the means by which it actually happens.

Thanks in advance.



Any Wireless Engineers out there

Just checking in to see if there are any wireless engineers on this sub-reddit... I was wondering if you could share with me your experience on day to day jobs (consulting).. and if that part of networking has any growth or job opportunities. I got volunteered for a lot of wireless projects so I was planning on pursuing some certifications along that route (Cisco and possibly CWNA/CWNP)... any recommendations?

Only reason I want to pursue it hard is because everyone in my team knows R&S and such.. so I wanted to branch out a bit and cover Wireless or DC technologies... (Couple guys have security covered)



Work VPN Slowing Home Network

Hey everyone,

New here.

Here is a basic rundown.

I have Centurylink 20mbps down 2mbps up.

I am a web developer and work from home. My wife is also working from home as a nurse and was set up with a Cisco box, some type of gateway or something that connects directly to our modem; then her phone connects to that along with her laptop.

We are always getting 16ms of ping and 20mbps down, no issue.

Randomly, on Saturdays or early on Mondays, it will jump to 400ms and 0.5mbps making it impossible for her to work.

As soon as she shuts off her machine, the internet is back to 16ms and 20mbps down.

She is logging into a VPN and we talked with the tech support and they said there is nothing going on at all on their end but if we cut power directly to this box, the net is fixed.

Any ideas?



I need to place my router in ISP's DMZ

My networking skills are marginal at best and I do apologize if any of you find this hard to read. Here is my situation.

I live in a rural area and my only option outside of satellite internet and dial up is a local ISP that I've been with since moving to my home 7 years ago. The ISP has come a long way from when it first started but the last year has been really terrible in terms of online gaming while paying outrageous amounts for speeds you would laugh at. I recently realized that I had a double NAT situation going on, which I was able to resolve by placing my home router in bridge mode. I connect to the internet via a line of sight PPPoE connection. I have no issue streaming or downloading things but maintaining a connection to any online game (WoW, Rocket League, Overwatch, anything) results in huge rubber banding and disconnections. I have no ability to open ports, assign IPs etc as that is controlled on my ISP side.

What I would like to do is use 2 physical routers to remove any port blocking my ISP has. I would like to place the first physical router into the ISP's DMZ (they provided me the IP address), and then connect another router to that which would be connected to the rest of my home network. My hope is that I can open ports or make adjustments that would allow for better connectivity to the various online games I play.

Again, I apologize if anything is unclear here.



I need a console adapter for a Force 10 S50

I picked up some force 10 switches to set up a lab for a project (Pre Dell). These have a proprietary DB9 to RJ45 adapter I guess. Plus since the switches are reset, I can't do a thing with them without a console cable.

  1. Performed some searches for one for sale - ebay, google, etc. No luck.
  2. Bought one to pin out myself and schematics are not available or make no sense whatsoever.

Does anyone know where I can get my hands on one of these?



Arbor DDOS

Hey guys, I am about to embark on a journey and deploy Peakflow, TMS. What kind of configuration is needed to onramp all the dirty traffic and offramp it into the clean VRF on a Cisco/Juniper or even an ALU environment?

Read online that a route leak between the dirty VRF and the GRT is needed. Any advice, gents?



Double NAT

Hey guys, I’m new to Reddit and also a new networking technician at a small wireless internet company. We are running into an issue with double NAT when it comes to using Ubiquiti wireless equipment. Only people on Xbox are having this issue. We have customers who are using PS4 and PC, they are fine. We have Ubiquiti Sectors and Omnis and are using PowerBeams for the customer equipment. Any ideas on how to manage this? If I turned NAT off on the home equipment would that help with the issues?



Does my ISP see what games I play?

For example if I am at work and want to play something on Steam, or Fortnite. Can they track that? I completely understand that they can see my browser history, but what about other data, even such as passwords?



[HELP] I can't make AP work with PoE

Hi all. I have a Cisco RV345 and just bought a Ubiquiti AP AC Pro.

The switch says that ports 1 through 4 and 9 through 12 are PoE.

I tried connecting the AP to those ports but it doesn't turn on. Used both Cat 5 and Cat 6 UTP cables.

What am I doing wrong?

Please help me!



Low Speed on TV

I have a 100Mbps broadband plan. But when I'm streaming 4K video on YouTube (5GHz WiFi with 100% signal strength) it says 40Mbps in the Stats for Nerds section. I don't think something is wrong with the ISP since my PS4 gives 10-12 MB/s download speeds. What could be the reason behind the low speed and how do I increase it?



PAN-OS 8.1.2 upgrade broke my OSPF (release notes say it's fixed in PAN-OS 8.1.3)

Just a warning here, my upgrade to 8.1.2 (from 8.1.1) broke my internal OSPF peering on my PAN. Looks like the peering was now going through the firewall and since I didn't have a default Trusted/Trusted allow rule in play the firewall passed it down to the deny all rule and it was blocked. Since I was trying to figure out why I wasn't getting traffic back I put a static route in the firewall back inside and it fixed it for the night.

The next day I finally noticed the 2000 any any denies which is way above normal and looked and I'll be damned, OSPF was being blocked. This apparently is addressed in the 8.1.3 upgrade looking at the release notes. Just a warning out there.
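The step that actually surfaced the problem in this post, noticing an abnormal pile of deny-all hits and then looking at what protocol they were, is worth automating so it does not wait for a next-day glance at the counters. The following is an added example, not code from the original post and not Palo Alto's own log format: the log lines are constructed, the simplified key=value layout stands in for a traffic log export, and the rule and zone names (deny-all, trust, untrust) are assumptions. It counts denies per rule and protocol, flags any routing or first-hop protocol that lands on a deny rule, and compares the deny volume against a baseline.

```python
"""Flagging routing-protocol traffic that lands on a catch-all deny rule."""
import re
from collections import Counter

# Constructed sample log, not PAN-OS's real traffic-log schema: one simplified
# key=value record per session with only the fields this check needs.
SAMPLE_LOG = """\
2018-08-16T02:10:01 action=deny rule=deny-all src=10.0.1.2 dst=224.0.0.5 proto=89 app=ospf from=trust to=trust
2018-08-16T02:10:11 action=deny rule=deny-all src=10.0.1.3 dst=224.0.0.5 proto=89 app=ospf from=trust to=trust
2018-08-16T02:10:12 action=allow rule=trust-out src=10.0.1.50 dst=203.0.113.10 proto=6 app=web-browsing from=trust to=untrust
2018-08-16T02:10:21 action=deny rule=deny-all src=10.0.1.2 dst=224.0.0.5 proto=89 app=ospf from=trust to=trust
2018-08-16T02:10:30 action=deny rule=deny-all src=198.51.100.7 dst=10.0.1.50 proto=6 app=ssh from=untrust to=trust
2018-08-16T02:10:31 action=deny rule=deny-all src=10.0.1.3 dst=224.0.0.5 proto=89 app=ospf from=trust to=trust
"""

# IP protocol numbers of control-plane protocols that have no business hitting
# a catch-all deny between trusted zones: OSPF, EIGRP, PIM, VRRP.
INFRA_PROTOCOLS = {"89": "ospf", "88": "eigrp", "103": "pim", "112": "vrrp"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one record into a dict; the leading timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(FIELD_RE.findall(rest))
    rec["ts"] = ts
    return rec


def parse_log(text: str) -> list:
    """Parse every non-empty line of the log."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def denies_by_rule_and_proto(text: str) -> Counter:
    """Deny hits per (rule, protocol number, app): the view that makes a rule
    with an unusual hit count stand out."""
    counts = Counter()
    for rec in parse_log(text):
        if rec.get("action") == "deny":
            counts[(rec["rule"], rec["proto"], rec["app"])] += 1
    return counts


def infra_protocol_denies(text: str) -> dict:
    """Deny hits whose protocol is a routing/first-hop protocol, keyed by
    (rule, protocol name, from-zone, to-zone). A non-empty result means the
    policy is now in the path of traffic it was never written for."""
    found = Counter()
    for rec in parse_log(text):
        if rec.get("action") == "deny" and rec.get("proto") in INFRA_PROTOCOLS:
            key = (rec["rule"], INFRA_PROTOCOLS[rec["proto"]], rec["from"], rec["to"])
            found[key] += 1
    return dict(found)


def total_denies(text: str) -> int:
    """Number of deny records in the log."""
    return sum(1 for rec in parse_log(text) if rec.get("action") == "deny")


def findings(text: str, baseline_denies: int) -> list:
    """Human-readable alerts: deny volume above the expected baseline, plus any
    infrastructure protocol caught by a deny rule."""
    out = []
    n = total_denies(text)
    if n > baseline_denies:
        out.append(f"deny volume {n} exceeds baseline {baseline_denies}")
    for (rule, proto, src_zone, dst_zone), count in sorted(infra_protocol_denies(text).items()):
        out.append(f"rule '{rule}' dropped {count} {proto} packets {src_zone}->{dst_zone}")
    return out


if __name__ == "__main__":
    for alert in findings(SAMPLE_LOG, baseline_denies=3):
        print(alert)
```

Run against the constructed sample it reports two things: the deny volume is above the baseline, and the deny-all rule dropped OSPF between the trust zone and itself. The second finding is the one that matters after an upgrade, because intra-zone routing traffic should not be reaching the policy at all; wiring a check like this to whatever exports the firewall's traffic log turns a next-morning surprise into an alert within the maintenance window.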



What cache, if any, do you good folks use?

Top of the night folks.

I am not referring to fna, ggc, akamai or Netflix (these are the ones I'm aware of), I'm talking about http, p2p and the likes.

People in the industry have told me about the following: Cache mara, Extreme peering, Blue coat.

I myself have used Bluecoat and CacheFlow (CacheFlow turned into Bluecoat). That too, fifteen years ago.

Apart from these, is anybody using anything else? What kind of savings are you seeing? Is your target the savings or the accelerated performance some of these software/hardware products provide?

Thanks



Wanted: passive CWDM multiplexer

Hello,

Yesterday I set up a new dark fiber (9.8km) and enabled the first optics (Fibre Store CWDM-SFP10G-20SP, 1330nm, 20km), which was recommended by fibrestore support based on the attenuation information I sent them about both fibers, which was given to me by the ISP.

The connection worked immediately when I put the optic into the switch, no errors nothing. Tonight, link flapping started. Now the link went offline.

  • On switch A:

display transceiver diagnosis interface gives:

transceiver diagnostic information:
  Current diagnostic parameters:
  Temp.(°C)  Voltage(V)  Bias(mA)  RX power(dBm)  TX power(dBm)
  35         3.24        33.21     -19.71         1.11
  Alarm thresholds:
  Temp.(°C)  Voltage(V)  Bias(mA)  RX power(dBm)  TX power(dBm)
  High  90   3.80        100.00    0.00           6.00
  Low   -5   2.70        0.00      -16.99         -7.00

There are some errors on this interface:

 Peak input rate: 204 bytes/sec, at 2018-08-17 17:10:41
 Peak output rate: 376 bytes/sec, at 2018-08-17 21:09:05
 Last 300 second input: 0 packets/sec 0 bytes/sec -%
 Last 300 second output: 0 packets/sec 0 bytes/sec -%
 Input (total): 68540 packets, 6552135 bytes
  41 unicasts, 104 broadcasts, 68284 multicasts, 0 pauses
 Input (normal): 68429 packets, - bytes
  41 unicasts, 104 broadcasts, 68284 multicasts, 0 pauses
 Input: 106 input errors, 0 runts, 0 giants, 0 throttles
  104 CRC, 0 frame, - overruns, 2 aborts
  - ignored, - parity errors
 Output (total): 124626 packets, 10398046 bytes
  50 unicasts, 1426 broadcasts, 123150 multicasts, 0 pauses
 Output (normal): 124626 packets, - bytes
  50 unicasts, 1426 broadcasts, 123150 multicasts, 0 pauses
 Output: 0 output errors, - underruns, - buffer failures
  0 aborts, 0 deferred, 0 collisions, 0 late collisions
  0 lost carrier, - no carrier

  • On switch B:

display transceiver diagnosis interface gives:

transceiver diagnostic information:
  Current diagnostic parameters:
  Temp.(°C)  Voltage(V)  Bias(mA)  RX power(dBm)  TX power(dBm)
  56         3.20        43.38     -11.59         1.02

No errors on the interface on switch B:

 Peak value of input: 242 bytes/sec, at 2018-08-17 20:13:48
 Peak value of output: 440 bytes/sec, at 2018-08-18 03:23:23
 Last 300 seconds input: 0 packets/sec 0 bytes/sec -%
 Last 300 seconds output: 0 packets/sec 4 bytes/sec -%
 Input (total): 68628 packets, 5831800 bytes
  32 unicasts, 767 broadcasts, 67829 multicasts, 0 pauses
 Input (normal): 68628 packets, - bytes
  32 unicasts, 767 broadcasts, 67829 multicasts, 0 pauses
 Input: 0 input errors, 0 runts, 0 giants, 0 throttles
  0 CRC, 0 frame, - overruns, 0 aborts
  - ignored, - parity errors
 Output (total): 50717 packets, 6105567 bytes
  28 unicasts, 810 broadcasts, 49879 multicasts, 0 pauses
 Output (normal): 50717 packets, - bytes
  28 unicasts, 810 broadcasts, 49879 multicasts, 0 pauses
 Output: 0 output errors, - underruns, - buffer failures
  0 aborts, 0 deferred, 0 collisions, 0 late collisions
  0 lost carrier, - no carrier

So, what would you recommend:

a) Put in optics with more "power" on one site?

b) Change the passive multiplexer for one with less insertion loss. Vendor Pan Dacom says its "SPEED-CWDM-81E" (MUX + DEMUX) is max. 3,85 dB. What passive multiplexer would you recommend?

For a) I would need optics with higher costs for all channels. So I'll try b). What is your opinion?

Update: I am asking myself whether that single optic from FS is actually bad...
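The two transceiver readouts above carry enough numbers to do the link budget per direction, which is the check that tells the two options apart. The following is an added example, not code from the original post: the TX/RX powers, the switch A low RX alarm (-16.99 dBm), the 9.8 km span and the 3.85 dB figure for the Pan Dacom mux are taken from the post; the fibre attenuation per km, the connector loss, the reading of 3.85 dB as a per-pass figure (MUX at one end, DEMUX at the other) and the reuse of switch A's alarm threshold for switch B (whose thresholds the post does not show) are assumptions made here.

```python
"""Link-budget arithmetic for the 9.8 km CWDM span discussed above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Direction:
    """One direction of the link: TX power at the sending optic, RX power at the receiving one."""
    name: str
    tx_power_dbm: float
    rx_power_dbm: float
    rx_low_alarm_dbm: float  # receiver's "Low" RX power alarm threshold


# Readings quoted from the two switches in the post.
B_TO_A = Direction("B -> A", tx_power_dbm=1.02, rx_power_dbm=-19.71, rx_low_alarm_dbm=-16.99)
# Assumption: switch B's thresholds are not shown in the post; the same optic
# model sits at both ends, so switch A's -16.99 dBm low alarm is reused here.
A_TO_B = Direction("A -> B", tx_power_dbm=1.11, rx_power_dbm=-11.59, rx_low_alarm_dbm=-16.99)

SPAN_KM = 9.8                # dark fibre length, from the post
MUX_LOSS_DB = 3.85           # Pan Dacom SPEED-CWDM-81E max insertion loss, from the post
MUX_PASSES = 2               # assumption: one MUX pass and one DEMUX pass per direction
FIBER_LOSS_DB_PER_KM = 0.35  # assumption: typical single-mode attenuation around 1310 nm
CONNECTOR_LOSS_DB = 0.5      # assumption: a couple of patch-panel connectors


def path_loss_db(d: Direction) -> float:
    """Measured end-to-end loss: what the sender launched minus what the receiver sees."""
    return round(d.tx_power_dbm - d.rx_power_dbm, 2)


def rx_margin_db(d: Direction) -> float:
    """Headroom above the receiver's low alarm; negative means the receiver is already alarming."""
    return round(d.rx_power_dbm - d.rx_low_alarm_dbm, 2)


def expected_loss_db() -> float:
    """Loss the known passive components should account for: fibre, mux passes, connectors."""
    return round(SPAN_KM * FIBER_LOSS_DB_PER_KM + MUX_PASSES * MUX_LOSS_DB + CONNECTOR_LOSS_DB, 2)


def unexplained_loss_db(d: Direction) -> float:
    """Measured loss minus the budgeted loss: roughly what a bad splice, connector or optic adds."""
    return round(path_loss_db(d) - expected_loss_db(), 2)


def gain_needed_db(d: Direction, target_margin_db: float = 3.0) -> float:
    """How many dB the RX power must rise to sit target_margin_db above the low alarm."""
    return round(max(0.0, target_margin_db - rx_margin_db(d)), 2)


def rx_after_change(d: Direction, extra_tx_db: float = 0.0, mux_saving_db: float = 0.0) -> float:
    """RX power if TX rises by extra_tx_db (option a) and/or the mux pair sheds mux_saving_db (option b)."""
    return round(d.rx_power_dbm + extra_tx_db + mux_saving_db, 2)


def report(d: Direction) -> dict:
    """All figures for one direction in one place, for printing or asserting."""
    return {
        "direction": d.name,
        "path_loss_db": path_loss_db(d),
        "rx_margin_db": rx_margin_db(d),
        "unexplained_loss_db": unexplained_loss_db(d),
        "gain_needed_db": gain_needed_db(d),
    }


if __name__ == "__main__":
    print(f"budgeted loss for the span: {expected_loss_db()} dB")
    for direction in (A_TO_B, B_TO_A):
        print(report(direction))
```

Under those assumptions the budget for the span comes to about 11.6 dB. The A to B direction measures 12.7 dB of loss, which is within a dB of that, while the B to A direction measures 20.7 dB, roughly 9 dB more than the passive components explain, and leaves the receiver at A 2.7 dB below its low alarm. The asymmetry is the useful part: a multiplexer with lower insertion loss would help both directions by a similar amount, so it cannot account for a gap that exists in only one of them, and the receiver at A would need about 5.7 dB more to sit 3 dB above its alarm, more than a mux swap within the quoted 3.85 dB figure can return. A fault on the one fibre, connector or optic in the B to A path fits the numbers better, which is consistent with the update's suspicion about that single optic.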



Limit internet speed, but still get full speed for internal connection ?

How can I limit the internet speed from my ISP but still get full speed for internal connections, like transferring data from a PC to a NAS or something?

If it's possible, how can I do that?

If I need more hardware, what kind of hardware do I need to buy (router / switch)?



Recommended number of users per IP(NAT)

I’m in the middle of a project to push all remote site internet traffic through a Palo Alto HA cluster in our DC instead of having direct internet breakout.

At present I have completed one site of about 50 users, and by the end of the project there will be roughly 200 users internet traffic going through it.

They are currently being NATed with the public IP address on the internet interface of the Palo Alto.

At what number of users would it be recommended or necessary to start using a nat pool instead of a single IP?

Is there a volume of source IPs at which it’s required to move to a NAT pool rather than interface NAT?



L3VPN Local-AS

When peering via eBGP sessions is it a requirement to set local-as either via the routing-instance config or the routing-instance BGP group config?

I’ve been having issues when dual homing back to customers from the MPLS we host - PEs were not seeing each other’s routes if I configured a local-as. Upon checking the logs it showed the routes were not present due to an AS loop. Fair enough I thought.

I then labbed it up and removed the local-as config, meaning the peers were using our global AS number within the BGP session. This caused the AS loop prevention to not kick in and both PEs were able to see each other’s routes.

It seems the local-as specified gets appended to the AS-path but the global does not.

I’ve read plenty of MPLS setup guides and none state to use a local-as within the specific routing-instance BGP settings, but for some reason that is what my company has historically been doing.

Should I be using a local-as per routing-instance or is it unnecessary as I’m beginning to suspect?



RJ45 - DB9 & RS232 to USB?

Will that work? Aren’t the DB9 / RS232 exactly the same? Because it looks like that, and they need to connect in each other?



Friday, August 17, 2018

Remote connect externally to ESXi hosts

So I have some servers, both running ESXi 6.5, as well as one running a vCenter VCSA, and I need to access them remotely from outside my local network. So I can access one server, as long as I forward ports 902 and 443 to the local IPv4 address of that server. But what if you have more than one server that you need to connect to? Well, there's my problem. I've tried OpenVPN AS to try and allow a VPN connection to the network, allowing me to monitor the servers, but it never really worked. So my question remains, how do I connect to these hosts externally? Thanks.



Mesh network question

Hi guys, quick question: is it possible for me to make any set of routers into a mesh network? I don't know if there are multiple meanings to a mesh network, but I am looking to join all of my routers into one SSID, where a device will be shifted to the router with the strongest connection automatically. I know ASUS has a feature called AiMesh for some of their routers (which is why I have a feeling it could be possible for all routers since it is software). The only requirement for this to work should be tri-band routers. That is, one antenna for 5GHz, another for 2.4GHz, and another (5GHz I think) for communicating with the other routers with the SSID thing I was talking about. I have three routers from three different companies, and all of them are tri-band. Is this possible, and if so, any way that I can do it? Thanks!



Configuring Dell X1026P Switch

First off, I’m not a networking pro by trade. I have configured switches in the past, firewalls and done troubleshooting on networks. However, this is my first attempt at configuring a smart switch with multiple VLANS and for the life of me, I can’t get it.

I have a Dell X1026P and I basically need to split this thing into two switches. One VLAN for PCs with an uplink to a firewall, and another VLAN for VOIP with a different uplink over to a Clarity device (firewall).

Is there a way that I can do this? When I try to add a second IPv4 addressing interface, it tells me that I can’t do it in the current mode. This is a layer two switch, so I’m not sure if it’s possible.

Can someone help me out please?

TIA.



Palo Alto Firewalls

I am planning on getting a firewall for my home network as I don't have one currently. I am considering a Palo Alto unit but I am unsure as to what model to get and the differences between them. I was looking to get a rack mountable one used off of eBay or the like. I am mainly seeing model 2020s, 2050s, 200s and 500s.



We all need to thank Aretha Franklin for inspiring the Internet in 1967

"R-E-S-P-E-C-T. Find out what it means to me. R-E-S-P-E-C-T. TCP/IP. Socket to me, socket to me, socket to me..."



Hackathon on Open-source Network Experimentation Testbeds in Budapest

Hi all, I posted this in the /r/budapest subreddit but I think it's also relevant here.

Next week (August 25) we are organizing a hackathon in collaboration with NOKIA, ACM and NETFLIX in Budapest, and we'd like to invite people from local communities on open-source software and computer network enthusiasts/operators to participate. Participation is free and we'll provide food and drinks throughout the day. The link below has more information on the event:

https://conferences.sigcomm.org/sigcomm/2018/hackathon.html

The event will be attended by students and researchers from over 10 different universities around the world and we'd like to connect them with the local open-source and networking scene.

Do you have any suggestions on which communities to contact? I've already contacted the Budapest Hackerspace but since I'm not from Budapest I don't know if there are other prominent communities that may be interested. I checked if there is a local NOG (Network Operating Group) but I didn't find anything.



Linking VLAN across a router

Hi,

I'm trying to create a few tiny networks, linked using a PPTP VLAN to each other.

I have an Ubuntu server in the cloud running a PPTP server, and am using a load of small GL-AR150 routers which are configured to connect to the VLAN server. This part seems to work. The clients can all speak to the server, and the clients can load each other's router web-portals.

E.g. Server is 10.10.10.1 and it gives the VPN clients 10.10.10.100 to 10.10.10.110. The computers behind each GL-AR150 can load other GL-AR160 pages by browsing to 10.10.10.101 from the router configured to 10.10.10.100.

Each of these routers has a few computers, currently receiving addresses via DHCP e.g. 10.10.100.1 and the computer gets 10.10.100.2.

How do I configure the AR150 to forward traffic between these subnets?

I want a computer that is 10.10.100.2 (connected to the router that has VPN IP 10.10.10.100) to be able to talk to 10.10.101.2 (connected to the router that has VPN IP 10.10.10.101) and vice-versa.

I have tried setting up static routes, fiddling with the firewall etc, but seem to be missing something. What static routes would I need to set up and how would I set up iptables to allow this?

Cheers



NX-OS Schedule Rollback

Is there any way to schedule a rollback on NX-OS?

The config guide only shows manually rolling back to a checkpoint, not scheduling it to automatically occur after x minutes have passed.

Thank you.



Dual-homed BGP, ISPs in different cities

Sorry, lots of stuff in the pic but it's a complicated question I think...

In short, how to avoid asymmetric routing on firewalls: https://i.snag.gy/chzf04.jpg

We have two ISPs connected to our network in two cities separated by a few hundred kilometers. 1Gbps, full BGP table each. We have two /24s we can advertise (those are documentation blocks, IRL we have larger blocks we can split). Some of our servers are on public IPs, some on private (we have private peerings with private IP addresses to some of our customers).

Currently we have single homed internet connectivity, and we'd like to make it dual-homed. However routing traffic back via the right firewall cluster seems to be the problem here. We wouldn't like to have asymmetric routing. We have 2 firewalls in each city towards ISPs, making it 2 fw clusters.

Simple solution here is to NAT everything coming to firewall 1 to a source IP from 198.51.100.0/24 block so the return traffic would get to the right firewall. And everything coming to firewall 2 would get NAT'd to something from 203.0.113.0/24. In that way no matter what link/fw is broken, there wouldn't be asymmetric routing as that block would only be originated from a single firewall. And towards ISPs, we could AS prepend the networks so that 198 would be preferred via ISP1 and 203 via ISP2.

Routers on the right would have to somehow decide which default route to use, or we could just leave it for the OSPF/BGP to decide... though as it's only a VRF called "core" between those, all the routers on the left are 1 hop away so every router on the right would choose the same router for the default route.

Not sure if this would be a problem at all, but it would be nice to have networks in the south to use the ISP in the south :)

Without the NAT hack how would we achieve this? I'm thinking of using communities, and on the right hand side routers tagging every route with either "prefer ISP1" or "prefer ISP2" depending on the location and then left hand side routers/firewalls doing local pref tuning based on communities. Our firewalls talk BGP.

OK it wasn't short but hopefully there are people who don't have anything better to do on Friday evenings :)



Recommend an ethernet toolkit?

I have been working with a hand-me-down 'toolkit' since starting my current job ~1.5yrs ago. My crimper is a half-broken StarTech piece. I'm down to two RJ-45 connectors, and my 'cable stripper' (or whatever you call it) is barely functional.

I see many different kits online with brand names I don't recognize, and they all seem to be of poor quality.

I could buy these things piecemeal, but right now I would prefer to get a new kit. Budget is ~$75 (US).

What are some good recommendations?

Thanks!!



Issue with Dynamic ARP Inspection and Cisco APs

https://ift.tt/2Bi2HZR

Using /31 DMZ subnets

I was toying with an idea of doing /31 subnets for our DMZ servers, just with VLANs now but later maybe with VXLANs. Then lots of interfaces on the Fortigate firewall and everything under a DMZ zone.

We don't have more than a hundred servers where we'd like to allow access from the internet. All the access to those would come via F5 BIG-IP load balancers, and the BIG-IPs would have the public IPs. Those /31 subnets would be with private IPs.

Reasoning that then I could allow access between two DMZ servers if needed, and via firewall. If using private VLANs I couldn't route the traffic through the Fortigate I think?

Though the firewall doesn't do anything advanced, maybe I could just use the firewall on the BIG-IP and have it do all those WAF thingies etc. Usually the rule would just be "anything from the internet, allow to port 443 on server". BIG-IP can also sustain more sessions and everything than our firewalls.

Any thoughts?



Basics of Network Switching

What is the best source to read the basics of Network Switching and Routing?

Short, concise. CCNA is too vast.



Cisco Catalyst 9300 Hardening

This switch has a bunch of new features that I am not totally familiar with at this point. Things like PNP and DNA that I know about, and probably other stuff that I don't. I'm open to testing these new features, but I'd like to make sure that we don't have our pants down while I am figuring things out.

I've always followed the catalyst switch hardening guides, but they don't address these new features. Have you folks got any advice on what I should watch out for?



interface commands for 5585 asa

Hello, I see so many connections on the 5585-X that go to different switches. Is there a way to view these connections such as a "show interface g0/x" like in Cisco IOS? I'm wondering if there is a similar command... or the ASAs just don't work that way.

thank you



Setting up switch help

In general I don’t know what to do. I need to set a VLAN and IPv4 address for the switch, the subnet and the gateway. But after I’ve done that, I can’t connect to that IPv4 address I’ve set.

I just need a basic start to go ahead with:

  1. Connecting through the web interface or SSH
  2. Port that handles WAN
  3. Setting up a VLAN to use as the main network and adding different devices (so they are connected to the internet)

In general, what are steps to take to get it done? Like what ip, and how to allow WAN into that VLAN.



Network monitoring

Anyone know a good network traffic monitoring software for a Cisco 1841 router?



Single machine unable to load web GUI

So long story short, I have a desktop that I use for my daily admin machine. Found the other day that a web gui for a firewall did not load when accessing the LAN IP and port. I can ping the device, I can access the GUI via the WAN IP and port (it's a remote site firewall), I can telnet to the port and it connects, I can SSH to the device from this machine, I can tracert and see it's taking the appropriate route, and 3 other machines (including a non-domain joined machine) load the GUI just fine from behind the same switch on my desk. I've tested Chrome, Firefox, IE and even the lovely Edge browser and they all act like the site times out. Even looking at the Wireshark capture on the machine it acts like a TCP timeout. I'm kind of out of ideas at this point. I even rebooted the remote firewall over night as well as my desktop and still have the issue.



Do the Ubiquiti AP pros with Unifi still have the limitation of not providing DHCP leases?

I know that as of a few years ago you couldn't use the unifi controller to serve DHCP addresses to a guest-specific LAN, but is that still the case?

I set up a separate guest network and it looks like it's configured to serve up addresses in 192.168.100.1/24, "DHCP Server" is set as the mode, but when users connect they are getting an IP address from the main server instead of something from this range.



HPE cuts lifetime warranty for networking switches?

https://ift.tt/2OKsU56

Guys, my router is a bit hungry...

I need a syn ack for it



Cisco 819 Router with Verizon interface resets every few seconds

This is very strange and could be a config issue, or could be because I am using a dynamic IP. I am going to reach out to Verizon for a static IP to test, but wondering if anyone here can assist as well.

I want to take in Verizon LTE and use it as the ethernet uplink for a Meraki MX.

So far I have the router config'd and the interface is constantly bouncing and shows interface resets in the "show int cell 0". I can occasionally ping out to 8.8.8.8 when the connection is up, and I get an IP, but then it resets again and I lose it until it connects and bounces repeatedly. Past that, nothing downstream can get out at all, even when the int is up and pinging through the router, I think this is a NAT config issue below, as routing should be covered with the 0 0 cell0 rule I would think.

Here is my config:

Building configuration...

Current configuration : 6531 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ethernet lmi ce
!
crypto pki trustpoint TP-self-signed-1840704989
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1840704989
 revocation-check none
 rsakeypair TP-self-signed-1840704989
!
crypto pki certificate chain TP-self-signed-1840704989
 certificate self-signed 01
  XXXXX
  quit
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.128
 default-router 10.10.10.1
 lease 0 2
!
no ip domain lookup
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
license udi pid C819HG-LTE-MNA-K9 sn FTX2137Z05V
!
username admin privilege 15 secret 5 *******************
!
redundancy
!
controller Cellular 0
 lte sim data-profile 1 attach-profile 1 slot 0
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
no cdp run
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer idle-timeout 0
 dialer enable-timeout 8
 dialer string lte
 dialer watch-group 1
 async mode interactive
!
interface Cellular1
 no ip address
 encapsulation slip
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 description $ETH_LAN$
 ip address 10.10.10.1 255.255.255.128
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static 10.10.10.3 100.69.6.199
ip route 0.0.0.0 0.0.0.0 Cellular0
!
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
ipv6 ioam timestamp
!
route-map NAT permit 10
 match ip address 199
 match interface Cellular0
!
access-list 23 permit 10.10.10.0 0.0.0.127
access-list 199 permit ip any any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 login local
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line 3
 script dialer lte
 modem InOut
 no exec
 rxspeed 100000000
 txspeed 50000000
line 8
 no exec
 rxspeed 100000000
 txspeed 50000000
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end



IPv6

If you use an IPv6 address from your /64 range to connect to another computer over the internet and they are malicious / want to DDoS you, can they guess the rest of your range? Can you just blacklist that one IP with the ISP if you have a static IP and then be free from harm?

I don't know a lot about networking so if I am completely off base, my bad.



Wireless deployment with no internet access

Hello

I've just had a very interesting question from one of our sales guys and I wanted to see if anyone here had experience with it.

His potential customer runs some sort of warehouse with automated drone robots that pick the equipment from the shelves. When working out the quote my colleague was trying to sell an internet circuit with it, and the customer was pretty adamant about not needing one, since all he needs his drones to communicate with is a server that's on site. I'm assuming this has some connection to the internet but that's not information I'm privy to.

He wants to deploy a Cisco WLAN with an on-site controller but no outside connectivity, theoretically I can't see any reasons why it isn't possible but it isn't something I've ever encountered before and googling "wireless with no internet" just brings up stacks of people complaining about their wifi not working properly.

Has anybody here ever seen something like this?

Thanks



How would you implement an overlay network?...

If your base network is RFC 1149 compliant?



cost effective 1G BGP Router?

Hi, we are currently researching our options for BGP routers. Currently our PI address space (/24) is routed by our ISP (Cisco 3925 @ 100 Mbit line), but we would like to change that (own ASN with multihoming and dual stack with a gigabit line).

we also got quotes from our distributor about various juniper models. The cheapest is a pair of used Juniper MX80 incl. Xcare Advanced for ~22k€ (Germany)

I'm not sure if we need a such expensive router pair. Our requirements are not that special:

  • max. 1 Gigabit throughput (Currently usage sitting at 6 Mbit avg, peak 90)
  • SFP interfaces
  • No IPsec or IDS/IPS

IDS and VPN are handled by our edge-Firewalls (PA-820). Is there any recommendation for a cost effective router?



Huawei, where to start?

Hey guys. I'm working for a company that makes routers in the backhaul area for telco providers (MPLS 4 life yo). I have experience and certifications (R&S) from Cisco so I'm familiar with their products, CLI and that stuff. I've recently become interested in Huawei's product line but I'm very unfamiliar with their stuff, so to speak. Routing is routing, but is Huawei that different, configuration-wise? If one was to begin 'studying' Huawei, where is a recommended starting point?



hp rookie - qos tagging of citrix traffic

A little out of my daily element on this one.. so please don't bash me :)

I'm working on a project that implements MPLS circuits at a customer. I've been tasked with also implementing QoS to prioritize their Citrix traffic..

From my understanding the Citrix guys need to do multi-stream ICA traffic flows. My thought was to have them put print-related stuff into one group and have that use one specific TCP port. Then have the rest of the Citrix-related traffic in a different group and use a different port.. makes sense?

I'm working on getting my config right for the switches in each location.. trying to tag voice with EF class and the Citrix with AF31 class.

config would be:

!

qos tcp-port ipv4 2598 dscp af31

qos tcp-port ipv4 1494 dscp af31

qos type-of-service diff-services

!

vlan 100

name "Voice"

qos dscp ef

!

Am I totally off?



What console servers are you all using?

There are many options for Console servers. Curious what you all are using?

We deploy OpenGear for the most part. What else is popular?



Thursday, August 16, 2018

Opengear Lighthouse on GCE

Greetings. I am posting this as I believe /r/networking is the most appropriate audience. Apologies if someone feels this is better suited to another sub.

We finally pulled the trigger on a few Opengear boxes for OOB. We planned to deploy the Lighthouse central management software on a server in a colo outside of our own network. However, now that we're getting around to the initial deployment Lighthouse is now supported on the Google Compute Engine platform. We haven't been successful with the deployment as the image file from Opengear's FTP seems to be corrupt.

The question: has anyone here deployed on GCE? Is it working as expected, or would you still go the on-prem route?



Cisco WLC problems, really need some advice here.

Tonight I was supposed to swap in our replacement/upgrade WLC. We are upgrading from a 2504 to a 3504, and this week I was able to mirror the configs (minus the few newer feature differences and the mgmt IP).

So I get here, I powered down the old, power up the new using the old controller's mgmt and LAN cables from the switch. After an hour only 6 of the 19 APs showed associated. Now I did verify beforehand that all of our AP models were in the compatibility list.

So after reading where it's typical to connect the new or second WLC to the network on a new IP, then set its IP as the primary controller under the HA tab in each AP, I thought I'd give that a go.

So I bring back up the old WLC, and after 20 minutes it has zero APs associated. I'm at a complete loss as to what to do now. We were not using the LWAPP or CAPWAP DNS entries before.. I've added those (CISCO-LWAPP-CONTROLLER and CISCO-CAPWAP-CONTROLLER) and rebooted them both. But the results are the same.. 6 on the new and 0 on the old.

I could really use some reddit love tonight.. I have no one to call for assistance on this.

Thanks



Routing to firewall from core switch

Hi everyone - I currently have an Aruba core switch at 10.1.0.1 and a hardware firewall (pfsense) at 10.0.0.1, plugged in to port 1. I am having trouble forwarding networking traffic from the LAN to the firewall. My switch can ping the firewall, but my devices on the network cannot. Everything I’ve researched has gotten me to here, but I’ve hit a wall. Any help would be greatly appreciated. Below is the running-config:

hostname "Aruba-2930F-24G-PoEP-4SFP"
module 1 type jl261a
timesync ntp
time timezone -360
ip default-gateway 10.0.0.1
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip routing
snmp-server community "public" unrestricted
router rip
   redistribute connected
   restrict 10.0.0.0 255.0.0.0
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1
   untagged 2-28
   ip address 10.1.0.1 255.255.0.0
   ip helper-address 10.1.0.2
   exit
vlan 10
   name "FIREWALL"
   untagged 1
   tagged 2-28
   ip address 10.0.0.2 255.255.0.0
   exit
spanning-tree
password manager



Is Cisco DNA Centre compatible with MSE?

For a greenfield deployment I want to use DNAC, but MSE is a requirement, so if it isn't compatible then I need to stay with Prime Infrastructure which would be sad.

I'll keep searching the docs but I haven't found any reference to MSE yet either way



AP Discover Packet over VTI Site to Site VPN

We have APs connected via FlexConnect to a controller in another office. When the circuit goes down the APs go into standalone mode and then issue their discover broadcast packets to the controller. The packets are not traversing the site-to-site VPN however. Has anyone else run into this, and what did you do to fix it?



wireless PTP recommendations

I was wondering what you guys recommend for a cheaper PTP wireless bridge solution. I have used Cambium and Redline in the past but this is just to provide connectivity for one AP in a shed; I think those would be overkill. Distance 300 ft, give or take 50 ft.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Unable to delete files on shared network drives

Ever since I've introduced Active Directory to our network there have been some issues regarding specific files created on some of our network drives that state that the file is in use.

As a temporary fix I've had users contact me with files that need to be removed and I could force close the files on the server through computer management but obviously this is not a solution.

The file type that seems to be the problem is a .JT, a 3D model file.

The users will work on it, save the file, and close the program. View open files on the server it still shows the users has it open.

I want to be able to blame the program and file type but since this only started up since the introduction to Active Directory I'm wondering if there is any potential relation or if it's just pure coincidence.

What I've done is turned off thumbnails for network drives and applied the policies. The users have the correct permissions as they can manage other file types without issue and I can't delete the problem files unless I force close the files.

Are there any other policies that may potentially keep these files open in the program (Teamcenter Visualization Mockup 11.3) that are caused by Active Directory, or does anyone have knowledge of the program and file extension and know a solution to it?



Best used switches to get some exposure

Hi Networking,

I pretty much only work with Cisco network equipment with the exception of some very old dell powerconnect switches. I'd like to check out HP/Juniper networking gear to see how the OS's work and just get a feel for them. I'm a homelab, I like to touch it kinda guy, so I started looking on Ebay for some used equipment I can play with. A lot of the stuff I came across seemed somewhat old. From the old Dell/HP equipment I've dealt with the CLI is very different from what I would get on a new switch so I want to make sure I get something that would have or could be upgraded to a somewhat current CLI.

Can someone help me out on some models that would meet that goal? Also not looking to spend a huge amount of money on this.

Thanks in advance.



3850

We have two 3850 stacks each with two WS-C3850-24P-E switches. A couple of weeks ago we upgraded the firmware from 3.7.4E to 3.6.8E, as specifically advised by Cisco TAC, to resolve a bug with interface output counters (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb65304).

After reloading we noticed a couple of problems:

  1. sap pmk mode-list only allowed "no-encap" and not "gcm-encrypt" (MACSec).
  2. The SFP interfaces were down and couldn't be brought back up. Saw the below errors in the logs:

%PLATFORM_PM-6-MODULE_ERRDISABLE: The inserted SFP module with interface name Te1/1/4 is not supported
%PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/4, putting Te1/1/4 in err-disable state

The Cisco TAC engineer on WebEx at the time suggested the below, which didn't make any difference:

  1. 3850(config)# no errdisable detect cause gbic-invalid
  2. 3850(config)# service unsupported-transceiver
  3. Remove SFP module, shutdown/no shutdown the port, insert back the SFP module.

Despite explaining at the time and in many emails since that these errors were occurring AFTER reloading (to the same engineer that was on the WebEx), they keep referring to a bug (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCud82475) which is specifically about seeing errors DURING the switch reload. After two weeks I've just asked for the SR to be escalated to another TAC engineer.

This upgrade was at the end of two 18-hour days and two days of network issues so we didn't have the time to read any release notes etc (which I'm struggling to find for the specific version anyway). The actual issue ended up being a bug with offloading on our PA-3220s, but we still want to update to a 3850 firmware that doesn't have the output errors bug and something more recent.

Questions for r/networking:

  1. Has anyone had any experience with the invalid/unsupported SFP issue on 3850s on 3.6.4? (I couldn't find anything online specific to that version that didn't look like a different issue).
  2. What is everybody's thoughts on the Denali 16.x train? Should we be looking at upgrading to it? I've read somewhere that the future is 16.x.
  3. Have I just been unlucky with Cisco TAC support on this case or is this a usual occurrence? We raised another TAC case and got really good, immediate support.

Edit: Posting from work while everyone wants to talk to me, please excuse poor title and any lack of details/poor questions :)



PIM-SM (junos) - Need help configuring

Take a look at the following quickly drawn diagram

I am trying to achieve that the "multicast receiver" (on vlan51) with IP address 10.3.0.2/24 can subscribe to mcast group 239.250.0.1.

I have successfully initiated PIM-SM between R1 and R2 on my Juniper switches and they see each other as neighbors.

In this diagram, who is the RP? I believe the RP should be R1 in this case (but correct me if I am wrong). Which IP address should I use for the RP? The multicast-sender facing interface or the R2 facing interface?



I'm stumped. What does this prefix-list accomplish?

Applied to a Cisco ASR 1004.

12.44.44.44 is our internet provider. We have four internet-facing routers and they all have the same prefix-list applied. Can't figure out what it actually does.

ip prefix-list CLASSA-ONLY seq 5 permit 0.0.0.0/0 le 8

ip prefix-list CLASSA-ONLY seq 10 permit 0.0.0.0/0 le 12

ip prefix-list CLASSA-ONLY seq 20 permit 0.0.0.0/0 le 14

router bgp 65000

address-family ipv4

neighbor 12.44.44.44 prefix-list CLASSA-ONLY in
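Added example, not part of the post above or any reply: a small evaluator that applies Cisco prefix-list semantics (first match wins, implicit deny at the end; `le N` alone matches lengths from the entry's own length up to N, `ge N` alone matches N up to 32, both together match the `ge`..`le` range, neither means exact length) to the three posted entries, so the effect of the list can be read off against constructed candidate prefixes. It also reports entries that are redundant, which for the posted list is the interesting part: `0.0.0.0/0 le 8` and `0.0.0.0/0 le 12` are both subsets of `0.0.0.0/0 le 14`, so seq 5 and 10 change nothing, and because the length range starts at 0 the list also admits a default route from the neighbor.

```python
"""Evaluate Cisco-style 'ip prefix-list' entries the way the router does."""
import ipaddress
import re

# The list as posted; candidate prefixes used below are constructed.
POSTED = """
ip prefix-list CLASSA-ONLY seq 5 permit 0.0.0.0/0 le 8
ip prefix-list CLASSA-ONLY seq 10 permit 0.0.0.0/0 le 12
ip prefix-list CLASSA-ONLY seq 20 permit 0.0.0.0/0 le 14
"""

ENTRY_RX = re.compile(
    r"^ip(?:v6)? prefix-list (\S+) seq (\d+) (permit|deny) (\S+)"
    r"(?: ge (\d+))?(?: le (\d+))?$")


def parse_prefix_list(config_text, name):
    """Entries of prefix-list `name` as (seq, action, network, min_len, max_len), seq order."""
    entries = []
    for line in config_text.splitlines():
        m = ENTRY_RX.match(line.strip())
        if not m or m.group(1) != name:
            continue
        net = ipaddress.ip_network(m.group(4), strict=False)
        ge, le = m.group(5), m.group(6)
        min_len = int(ge) if ge else net.prefixlen
        if le:
            max_len = int(le)
        elif ge:
            max_len = net.max_prefixlen      # 'ge' alone runs up to the host length
        else:
            max_len = net.prefixlen          # neither: exact-length match only
        entries.append((int(m.group(2)), m.group(3), net, min_len, max_len))
    return sorted(entries)


def evaluate(entries, prefix):
    """(action, seq) of the first matching entry, or ('deny', None) for the implicit deny."""
    p = ipaddress.ip_network(prefix, strict=False)
    for seq, action, net, min_len, max_len in entries:
        if p.version == net.version and p.subnet_of(net) and min_len <= p.prefixlen <= max_len:
            return action, seq
    return "deny", None


def _covers(a, b):
    """True if entry `a` matches every prefix that entry `b` matches."""
    return (a[2].version == b[2].version and b[2].subnet_of(a[2])
            and a[3] <= b[3] and b[4] <= a[4])


def _intersects(a, b):
    """True if some prefix matches both entries."""
    return (a[2].version == b[2].version and a[2].overlaps(b[2])
            and max(a[3], b[3]) <= min(a[4], b[4]))


def redundant_entries(entries):
    """Seq numbers whose removal changes no verdict: the entry is covered by another
    entry with the same action and no entry between the two, with the opposite
    action, intersects it. Of two identical entries the later one is reported."""
    redundant = []
    for i, e in enumerate(entries):
        for j, other in enumerate(entries):
            if i == j or other[1] != e[1] or not _covers(other, e):
                continue
            if _covers(e, other) and e[0] < other[0]:
                continue                     # identical pair: keep the earlier one
            lo, hi = sorted((i, j))
            if any(entries[k][1] != e[1] and _intersects(entries[k], e)
                   for k in range(lo + 1, hi)):
                continue
            redundant.append(e[0])
            break
    return redundant


if __name__ == "__main__":
    entries = parse_prefix_list(POSTED, "CLASSA-ONLY")
    for candidate in ("0.0.0.0/0", "10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12",
                      "198.18.0.0/15", "203.0.113.0/24"):
        print(f"{candidate:>16} -> {evaluate(entries, candidate)}")
    print("redundant seq numbers:", redundant_entries(entries))
```

Run it and the posted list turns out to be "permit anything /14 or shorter, including a default route, deny everything longer"; whether accepting a default from this neighbor is intended is the question to take back to whoever wrote it.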



Data center networking

I have one high-level question that's bugging me, apart from that I would like recommendations of a good resource on DC architecture.

How is internet connectivity in a DC provided? A loose understanding I have is the DC provides you with the IP space you purchase and connectivity to their equipment which is multi-homed to several ISPs. Most of my experience is enterprise campus, where we either peer directly with an ISP(s) or have standard business circuits or leased lines.



How to take down your whole network...

Okay so I made a little mistake today. I was ending off a network cable to go from a switch in our server room to one switch at the other end of the building. We have a stack of 3 layer 3 Cisco switches in the server room. I changed port 3 on switch 1 to a trunk port but me being me plugged the layer 2 switch at the other end of the building into switch 2 which was only set up as an access port. This wiped out almost every switch on the network (apart from the Cisco Meraki ones).

Am I right in thinking I caused a network/switching loop?



Struggling to get structured XML output from network devices

I have been working with NETCONF for most of the day, and despite my most sincere efforts I cannot seem to get a simple show command to work. I have started working with ncclient which is a python library for NETCONF.

I have been trying to connect to a Cisco CMTS (cBR-8) running IOS-XE, which unfortunately does not seem to support the newest iteration of Cisco's API, just the old NETCONF. (Frustrating!)

>>> m = manager.connect(host='10.0.0.1', port=22, username='admin', password='admin', hostkey_verify=False, device_params={'name':'iosxe'})
>>> for c in m.server_capabilities:
...     print c
...
urn:ietf:params:netconf:capability:url:1.0
urn:cisco:params:netconf:capability:pi-data-model:1.0
urn:ietf:params:netconf:base:1.0
urn:ietf:params:netconf:capability:startup:1.0
urn:cisco:params:netconf:capability:notification:1.0
urn:ietf:params:netconf:capability:writeable-running:1.0
>>> c = m.dispatch('show inventory')
Traceback (most recent call last):
<removed for brevity>
ValueError: Invalid tag name u'show inventory'

I am not sure what I should be doing here I have been googling for an hour and I am just not putting it together.

Do you guys have any better strategies for this? I am determined not to resort to screen scrapes and ugly regex in 2018. 'tis the era of the API surely there is something better!!
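Added example, not part of the post above or any reply: the ValueError comes from ncclient's dispatch() expecting an XML element, not a string, and on the classic Cisco NETCONF the device advertises (urn:cisco:params:netconf:capability:pi-data-model:1.0) a show command is not an RPC of its own anyway. As far as I remember Cisco's documentation of that capability, it is a `<get>` whose filter carries `<oper-data-format-text-cmd><text-filter>COMMAND</text-filter>`, and the reply returns the CLI text inside `<cli-oper><text>`; both the element names and the reply layout are reproduced from memory and should be checked against the release notes for your IOS-XE train. The code builds that request with the standard library, parses a constructed reply, and keeps the live connection (which needs ncclient and a device) in a separate function.

```python
"""Run a show command over classic Cisco IOS/IOS-XE NETCONF (pi-data-model)."""
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"


def _q(tag):
    """Qualify `tag` with the NETCONF base namespace."""
    return f"{{{NC_NS}}}{tag}"


def _local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def build_show_rpc(command):
    """XML string of the <get> body for `command`. ncclient's dispatch() wraps it in
    <rpc> and adds the message-id. Needs Python 3.8+ for default_namespace."""
    get = ET.Element(_q("get"))
    flt = ET.SubElement(get, _q("filter"))
    # Cisco-specific filter (assumption: element names as recalled from Cisco docs).
    cmd = ET.SubElement(flt, _q("oper-data-format-text-cmd"))
    ET.SubElement(cmd, _q("text-filter")).text = command
    return ET.tostring(get, encoding="unicode", default_namespace=NC_NS)


def extract_cli_text(reply_xml):
    """[(command, output)] for every <cli-oper> block in an <rpc-reply>,
    namespace-agnostic so it survives a device that omits or changes the xmlns."""
    root = ET.fromstring(reply_xml)
    results = []
    for node in root.iter():
        if _local(node.tag) != "cli-oper":
            continue
        op = next((c.text for c in node if _local(c.tag) == "operation"), None)
        text = next((c.text for c in node if _local(c.tag) == "text"), "") or ""
        results.append((op, text.strip()))
    return results


def run_show(host, username, password, command):
    """Live version; needs `pip install ncclient` and a reachable device, so it is
    not exercised offline. hostkey_verify=False is kept from the post for parity;
    in production load a known_hosts file instead, otherwise anyone who can
    redirect the TCP session can pose as the router and collect the credentials."""
    from ncclient import manager
    from ncclient.xml_ import to_ele
    with manager.connect(host=host, port=22, username=username, password=password,
                         hostkey_verify=False, device_params={"name": "iosxe"}) as m:
        reply = m.dispatch(to_ele(build_show_rpc(command)))
        return extract_cli_text(reply.xml)


# Constructed reply in the recalled shape; the inventory text is made up.
SAMPLE_REPLY = f"""<rpc-reply message-id="urn:uuid:1" xmlns="{NC_NS}">
  <data>
    <cli-oper>
      <operation>show inventory</operation>
      <text>NAME: "Chassis", DESCR: "constructed inventory line"
PID: EXAMPLE-PID, VID: V01, SN: FXS0000000X</text>
    </cli-oper>
  </data>
</rpc-reply>"""

if __name__ == "__main__":
    print(build_show_rpc("show inventory"))
    for op, text in extract_cli_text(SAMPLE_REPLY):
        print(f"--- {op} ---\n{text}")
```

The text that comes back is still CLI output, so this only removes the transport side of screen scraping; structured data for a cBR-8 means a release whose NETCONF advertises YANG model capabilities, which the capability list in the post does not show.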



Some tips for a networking student?

Hi, I am currently enrolled in a Cisco networking online school which I get to do for 50$ a semester because I go to an IT secondary school of some sorts. What should I do after I finish secondary school, and the +1 technical year? Should I go to university or should I go to work to get experience? Also, apart from learning the Cisco modules, how can I practice networking? We use Packet Tracer at school, should I practice with that? English isn't my native language so excuse me :D



Template for escalations to your team?

Hey /r/networking -

Our company is working on putting escalation / ticket transfer procedures in place (bout ... F'ing ... time...). We've been tasked with putting together a template that our internal help desk needs to fill out before sending tickets our way.

I wanted to see some input from others out there if you'd be willing to share, so I can tailor one for our company. Anyone that uses this have any examples they'd be able to share?



DHCP Relay through ASA Subinterface with multiple VLANs

Hello, I can't quite figure this one out. I have to enable DHCP on a VLAN, we will call it VLAN 20. It is on an access switch, going to our fabric/leaf node, which trunks everything to an internal ASA. DHCP relay is configured on the internal ASA, and it has a subinterface, 2.20, that takes all connections from the leaf node. The problem is that the trunk connection has multiple VLANs on it, and I don't want all traffic in there to be using the DHCP relay. Is that possible? Thanks.



ELI5 -- GVRP

Ok, maybe not really ELI5. I have a pretty good understanding of networking, but limited to smallish businesses. I work for an MSP, and one of my customers has an "IT guy" that tries to fix things himself before calling us pretty often. I've tried to talk to them about this practice, but to no avail. They keep paying us to fix stuff "IT guy" breaks, so it's all good.

Long story short, internal network is default VLAN 1, and Guest WiFi is VLAN 20. IT guy decides to turn on STP on all switches (HP/Aruba, if that's relevant), then later calls in a ticket that the guest wifi doesn't work. STP apparently enabled GVRP on VLAN 20 and overwrote the existing VLAN config. I have never worked with GVRP before, so my best solution at the time was to disable GVRP and statically assign VLAN 20 to the AP switch ports to restore service as it was before.

Is GVRP useful at all in a scenario like this? I briefly read up on it, but it doesn't sound like I'd ever need it in a SMB environment. Honestly I've never even had much use for spanning tree other than enabling redundant paths in a couple environments.



Juniper Optimal Route Reflection

Hello,

We're trying to evaluate the Juniper Virtual Route Reflector and make use of the new features that Optimal Route Reflection affords, however as configured by Junipers examples, the router is not adjusting the metric to factor in the IGP cost as expected. Curious if this is something others have seen, or if ORR is not quite there yet in general.

EDIT: since theres going to be that one guy that somehow thinks its configured wrong, here is an example:

group iBGPv4 {
    type internal;
    local-address 10.10.172.4;
    cluster 0.0.0.4;
    optimal-route-reflection {
        igp-primary 10.91.14.253;
    }
    neighbor 10.91.14.253;
}

james@rr1> show route 10.91.14.253

inet.0: 573624 destinations, 1615236 routes (573623 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

10.91.14.253/32    *[OSPF/10] 15:15:15, metric 221
                    > to 10.60.155.235 via em1.0

## This is another router in the iBGP mesh, separate peer group with ORR settings but same cluster.
james@rr1> show route advertising-protocol bgp 10.78.31.254 4.0.0.0/9

  Prefix  Nexthop  MED  Lclpref  AS path
* 4.0.0.0/9  X.X.42.41  50  1299 3356 I

I would think MED would be 221 or..something thats not 0 :)

-James



Can I push a native 100G DWDM wave through a passive multiplexer?

We're currently feeding some smaller sites with 4-channel passive multiplexers since we haven't deployed active ROADM everywhere yet. Presently, these sites are fed with 3x10G DWDM waves over these 4-channel muxes. We'd like to upgrade to native 100G but we may be limited to what the mux can do. Ideally, we'd stand up the 100G wave alongside the existing 3x10G before tearing them down. My question is, if I shoot a 100G DWDM optic over that 4th channel, will it work? Will there be too much insertion loss with the existing 3 channels?
Thanks!



Contract work for someone whos never done any

Looking for a new job. I'm getting tons of hits on contract work of various lengths and contract-to-hire, but very few full-time hits. So I'm starting to think of taking something on.

What gotchas and things should I know, so I don't make a critical error and screw myself over?



Creating a mDNS Gateway / Bonjour Gateway


We have a standard campus network; L3 SVIs sit on the dists for each site. Currently we have our WLC sitting on Dist1. Each Dist has separate VLANs. On Dist1 we have VLAN 10 (wireless devices) and VLAN 354 (Apple TVs). Our problem is we are putting Apple TVs on Dist2 and 3 and are unable to trunk those VLANs to the Cisco WLC to allow them to be in the mDNS "gateway/domain", which would allow wireless devices to use screen mirroring with them. Is there something we can configure on our Cisco core as a gateway inside the SVI or globally? We are all Cisco BTW.

Core -->L3--> Dist1-->L2--> ACCESS --> apple TV or other screen share devices

| | --->L2--> CISCO WLC (currently using as mDNS(bonjour Gateway)

|------->L3--> Dist2-->L2-->ACCESS --> apple TV or other screen share devices



Connecting remote sites with VPLS or L2 VPN from ISP?

I'm thinking of connecting our remote sites to our 2 DCs with an ISPs VPLS service. I'm thinking of getting the same VPLS service to all our remote locations (30 or so), in this way the remote site's router could run OSPF with each other and the DC routers. Any downsides to this? Comparing to L2VPNs where I would have a MPLS connection to the remote site with two VLANs, one to each DC

VPLS service supports VLAN tags too so I could divide the service to smaller blocks or even go down to 2 hosts per VLAN.

Thanks for any ideas!



What does AWS use for NAT?

might be a noob question here but what does AWS (and others at their scale) use for NAT?

E.g. i deploy a VM on AWS and it comes with a private IP on eth0

But i can SSH to my VM using a public IP that AWS provides.... so what are they using to do that NATing? I'm assuming they have some "secret sauce" devices to handle their scale... anyone know?



Anyone know how to reset the Cisco Catalyst 3750 back to factory settings? I want to use it as a PoE switch

Turning here as I'm out of ideas and referred over here. I can't even log in to the thing. I got it in a lot of other equipment I bought and want to use it to handle PoE to 12 cameras. Thanks!



Quick question about BGP

I've never had to use BGP (mostly work on LAN stuff in medium businesses) but I am curious about it.

Suppose a client has 2 internet connections from 2 isp's. Each isp assigns a /28 block of addresses.

Assuming the isp's let the client pair with them (I think that's the term in this case) via BGP would the client advertise all public ip's to both isp's?

If this is the case does that mean that if one of the isp's assigns an ip of 1.2.3.4 (lets just say it's TWC) and it goes down could that ip still be reachable through the other isp since it also has the route via BGP of the other WAN link that is still up?



Outdoor Wireless AP

Looking for a Wireless AP for use in a performance venue like a rehearsal hall/proscenium theatre. Budget would be under $100. Only use would be connecting up to 3 devices to control a device with an app. Range would maybe be 500' maximum.



Hitachi GPON assist?

Good morning Networkers! Have an aging Hitachi GPON FTTH setup out in the field that I would like some help on.

We're working on the voice side of these things, currently H248, and looking at going to SIP. When the SIP profile is engaged, with all settings looking correct, the ONT emits zero SIP packets; data still flows OK, but it does not generate /any/ SIP packets at all, or at least that we can detect.

Anybody out there have some Hitachi ONT experience? It's a longshot, I know -- we're trying to get AMN1220s to do our bidding and it isn't going quite as planned. Please post here or DM, either way is great! Thanks in advance!



I've asked on r/ssh but no one answered, so I'll try here

So I have an SSH server running on my computer and I wanted to be able to log in to it without having to be on the same network, can you guys help?



Aryaka wanop + dual L2 network

Anyone ever use Aryaka? I'm looking at it for replacing my Riverbeds on my global network, but they have an entire private network in place as well. They say they can replace my MPLS and still give me QoS and stable latency.



Lack of routing

This has been driving me nuts, because I can't work out what the problem is

Symptoms:

Router will stop passing traffic to the WAN apparently at random. Sometimes when it's busy, sometimes when it's quiet. A reload of the router will get it back up and running. Pings to 8.8.8.8 from the router stop working - no traffic passes through out to the internet. LAN side is fine and behaves normally

Diagnosis so far

The original router was an 881 - and I thought it was falling over because of too many NAT sessions etc. It was under specced - so has been replaced with a 1921 ((C1900-UNIVERSALK9-M), Version 15.6(2)T1, REL ).

The drop in WAN connection is less often now but still happening.

We have another way to reach the router when the WAN is down. I checked earlier today and it shows the GE0/0 as being administratively and physically up even though I can't reach my next hop. (the .93 ip address)

The config (redacted) is here: https://pastebin.com/nS0dS2Kv

Public IP addresses: have had the first three octets amended - but the subnets are still valid.

Routing table (redacted) is here: https://pastebin.com/taSVKu33

So - I think it's one of four things

a. the not-managed-by-us next hop (the Juniper) is wobbling, but seeing the interface go down and come back up when we reboot the Cisco is getting it to behave.

b. There's something inherently poor in the way I've built my config that is placing undue load onto the Cisco and causing it to fail.

c. The variably subnetted (/30 and /32) element to reach my next hop is causing an issue that isn't consistent.

d. Something else

Suggestions very welcome...



EIGRP distribute-list & Topology Table

I haven't been able to find the answer to this with some googling and looking in my old CCNP route book. Trying to use a prefix list with the distribute list command to only redistribute the default route from EIGRP into the neighboring L3 switches. I want to make sure I know what's going out before I form the neighborship and there doesn't seem to be any command equal to the show bgp advertised routes command. So, here are my questions:

Is there any EIGRP command that shows you what routes will be advertised to a neighbor? I haven't found it so it doesn't look like there is.

If I apply a distribute list with a prefix list inbound, will the routes that are supposed to be filtered out show up in the topology table of that device? I'd assume they shouldn't.

Same question but now outbound. I'd think these might show up in the topology table but be filtered once they hit the interface outbound.

I'm doing "redistribute static" but then applying a prefix list to permit 0.0.0.0/0 & the implicit deny at the end. I've tried applying both inbound and outbound but the static routes show up in the topology table either way.



XR | XC Local Switching

HI Guys,

Just want to ask your input about this: is it required to match the same MTU for local switching in XR?

I configured the scenario below and it's currently up and working even though the MTUs don't match. Example:

XR-R1# interface g0/0
 mtu 9000

XR-R1# interface g0/0.10
 mtu 9014
 l2transport
 encapsulation dot1q 100
 rewrite ingress tag pop 1 symmetric

XR-R1# interface g1/1
 l2transport
 mtu 9014

Verification:

#sh l2vpn xcon

----------------------------------------------------------------------------------------

Test LocalSW UP Gi0/0.19 UP Gi1/1 UP

----------------------------------------------------------------------------------------

Details:

AC: GigabitEthernet0/0.10, state is up

Type VLAN; Num Ranges: 1

VLAN ranges: [100, 100]

MTU 8996; XC ID 0x80009; interworking none

AC: GigabitEthernet1/1, state is up

Type Ethernet

MTU 9000; XC ID 0x80008; interworking none

XC shows that it is up.

For g0/0.10 it will subtract 14 bytes for the L2 MTU and 4 bytes for the tag, which equals 8996. While on g1/1 it will only subtract the L2 MTU because there is no encapsulation.

So if a packet arrives on G0/0.12 the allowed MTU will be 8896, and the MTU that will be transmitted into G1/1 is the same, 8996.

Thank you for your inputs.



Networking Scripting Mentoring

I'd like to find someone who can provide insight on writing networking-specific Python code that others can maintain. Maybe it sounds easy, but as someone who's been writing "scripts" and not "software", I have no experience with stuff like object-oriented programming (not just using objects, but writing them and creating them) or other software development best practices. I'd love to find someone who's had to tackle these challenges and can talk about their experiences.

Advance edit: I'm going to be going to bed in the next hour or so, so don't be offended if I don't upvote or reply to your comment immediately. I have to sleep some time.



BGP Communities to influence default route selection

Has anyone done multiple default route advertisement via BGP using extended BGP communities to influence where each remote site routes? Reason being we have a couple of DC sites with internet connections that we want to route certain sites to each (dependent on location).

The MPLS provider has said we could use an extended community for each site and then advertise out each community with the default route from each DC, and fail over if the other isn't available.

Just trying to work out what that would look like from a config perspective? Want to advertise each main DC's subnets out in addition to influencing the default route for remote WAN sites.

ISP Router

router bgp 65500
 address-family ipv4 vrf ft-160
  network 172.29.0.64 mask 255.255.255.248
  neighbor 172.29.0.68 remote-as 65510
  neighbor 172.29.0.68 description Y00x
  neighbor 172.29.0.68 activate
  neighbor 172.29.0.68 send-community both
  neighbor 172.29.0.68 timers 10 30
  neighbor 172.29.0.68 maximum-prefix 1000 90 restart 5

Local Router

interface Loopback1
 ip address 172.29.0.68 255.255.255.255

router bgp 65510
 network 172.29.0.64 mask 255.255.255.248
 neighbor 172.29.0.65 remote-as 65500
 neighbor 172.29.0.65 timers 10 30
 neighbor 172.29.0.65 send-community both



Wednesday, August 15, 2018

Gigabit Ethernet Pinout

What is the pinout (RX/TX) for Gigabit Ethernet? Gigabit Ethernet uses all four pairs. If this is not the right place to ask, where do I ask? Thanks



Have you (recently) seen RIPv1 in the wild? If so, why?

I'm learning about VLSM and I'm just curious... How common is it nowadays?



Question about asymmetric routing

I have two Windows 2016 servers across a WAN. just for a visualization of the problem the tracert -d (combined) looks like a figure 8 from both servers.

The first server 10.0.40.40 goes to 10.0.30.1 then to the mpls then to 10.10.30.21 then to 10.10.40.40

The reverse 10.10.40.40 goes to 10.10.30.1 to the MPLS then to 10.0.30.21 to 10.0.40.40.

I drew this out in Visio to visualize it and it looks like a figure 8. My question is: is the above setup going to cause an asymmetric route? I am not able to touch the networking equipment because I am not on the networking team. If I ping, tracert, and RDP over 3389 everything seems to be working fine.

I am told by the networking team that it is "wide" open but we have a tool that is not working. It is a tracert style network mapping tool that builds a view.

If I can answer any additional questions please let me know.



Weird wiring for Ethernet.

I have a new bike house and all the Ethernet jacks look like the photo below. The other end in the basement is just cut so I’ll need to add some connectors. Problem is that I don’t know what wiring to use based on what’s in the jacks. It doesn’t look like either 568a or 568b. Any help would be appreciated!

Ethernet wiring



Tool to detect unused route-maps, prefix-lists, ACLs, etc on IOS/NX-OS?

Does anyone know of a tool that can be fed a Cisco config and detect any route-maps, policy-maps, prefix-lists or ACLs that are configured but not actually applied?

I guess the logic could be a bit difficult based on the variety of ways some of these things could be applied.

I have a vague memory of using a tool with this feature that was along the lines of Cisco's CLI analyzer. I haven't found anything within the Solarwinds suite.

And yes I may be asking because I accidentally removed an important prefix-list during a clean-up change task.....
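Since no off-the-shelf tool is named in the thread, here is an added example (not from the poster, and not Cisco's CLI Analyzer) of the logic such a tool needs. It parses an IOS-style config into stanzas, records which named objects each stanza defines, and then walks references from the places that actually apply things (interfaces, router processes, snmp-server, line vty) through route-maps into the prefix-lists and ACLs they match on. The walk is transitive, so a prefix-list that is only referenced by a route-map nobody applies is reported as well, which is exactly the dependency that a clean-up change can miss. The sample config is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample IOS config (not from the post). PL-OLD is only referenced by
# RM-UNUSED, which nothing applies, so both should be reported; all else is applied.
SAMPLE_CONFIG = """\
ip prefix-list PL-CUSTOMER seq 5 permit 10.0.0.0/8 le 24
ip prefix-list PL-OLD seq 5 permit 192.0.2.0/24
!
ip access-list extended ACL-MGMT
 permit tcp 10.1.0.0 0.0.255.255 any eq 22
!
ip access-list standard ACL-SNMP
 permit 10.1.2.0 0.0.0.255
!
route-map RM-OUT permit 10
 match ip address prefix-list PL-CUSTOMER
!
route-map RM-UNUSED permit 10
 match ip address prefix-list PL-OLD
!
interface GigabitEthernet0/1
 ip access-group ACL-MGMT in
!
router bgp 65000
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 route-map RM-OUT out
!
snmp-server community s3cret RO ACL-SNMP
"""

ROOT = ("root", "")   # pseudo-owner for stanzas that apply objects rather than define them

# Stanza headers that define an object: (kind, regex capturing the object's name).
DEFINERS = [
    ("prefix-list", re.compile(r"^(?:ip|ipv6) prefix-list (\S+)")),
    ("access-list", re.compile(r"^(?:ip|ipv6) access-list (?:standard |extended )?(\S+)")),
    ("access-list", re.compile(r"^access-list (\d+)")),
    ("route-map",   re.compile(r"^route-map (\S+)")),
    ("policy-map",  re.compile(r"^policy-map (?:type \S+ )?(\S+)")),
    ("class-map",   re.compile(r"^class-map (?:type \S+ )?(?:match-\S+ )?(\S+)")),
]

def stanzas(config):
    """Yield (header, body_lines): indented lines belong to the preceding unindented header."""
    header, body = None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            if header is not None:
                body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = line, []
    if header is not None:
        yield header, body

def definition(header):
    """Return (kind, name) if this stanza header defines an object, else None."""
    for kind, rx in DEFINERS:
        m = rx.match(header)
        if m:
            return (kind, m.group(1))
    return None

def find_unapplied(config):
    """Return sorted (kind, name) pairs that are defined but not reachable from any applying stanza."""
    blocks = list(stanzas(config))
    by_name = defaultdict(set)          # name -> {(kind, name)}; an ACL and a prefix-list may share a name
    for header, _ in blocks:
        d = definition(header)
        if d:
            by_name[d[1]].add(d)
    refs = defaultdict(set)             # owner -> objects its lines mention (whole-token match)
    for header, body in blocks:
        owner = definition(header) or ROOT
        for line in [header] + body:
            for tok in line.split():
                for target in by_name.get(tok, ()):
                    if target != owner:
                        refs[owner].add(target)
    reached, stack = set(), [ROOT]      # depth-first walk from the applying stanzas
    while stack:
        for nxt in refs.get(stack.pop(), ()):
            if nxt not in reached:
                reached.add(nxt)
                stack.append(nxt)
    every = {obj for objs in by_name.values() for obj in objs}
    return sorted(every - reached)

if __name__ == "__main__":
    for kind, name in find_unapplied(SAMPLE_CONFIG):
        print(f"defined but never applied: {kind} {name}")
```

Treat the output as candidates, not proof: references are found by whole-token match, so a numbered ACL such as `access-list 10` will look "used" by any stray `10` token (route-map sequence numbers, `seq 10`), and an object whose name is also an ordinary keyword can collide. Grep the config for each reported name before removing it, and remember that `show route-map` and `show ip access-lists` do not tell you where an object is applied.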



Job offer incoming from VAR tomorrow. Any last minute advice?

Have a call with a VAR tomorrow to discuss their formal offer for a wireless engineer position. I've been employed in both the ISP and enterprise space but never on the VAR side so not sure if there are any gotchas I should be looking for in an offer.

We discussed their pay structure (base and variable aspects) already but this will be the first hard number I'll get for the base part.

Any insights would be much appreciated!



Palo Alto Firewall advice

Just basically got thrust into a new role for the unforeseen future of managing 3 clients' Palo Alto firewalls. So essentially I need to gain 2 years' experience in two months' time. Which I understand is impossible; any tips on where to start or things to look at? Any tip will be appreciated. Gotta love management.



Anyone have experience with AVI networks?

Does anyone have experience with AVI networks? How do they compare to F5?



Cisco WLC 3504.. LAG on internal ports?

So we are setting up a new 3504, I was able to basically mirror the config from the 2504 it's replacing. However I'm wondering, to get the most performance out of it would there be any benefit to setting up a LAG group with the ports that comprise the Internal interface?



Best Practices for IP camera VMS/NVR network setup?

Hi,

I am working with a client who has 30+ IP cameras & was looking to find out if the IP cameras were 'phoning home'. With some advice from another subreddit, I installed Pi-Hole and am able to see that some of the cameras are in fact sending web requests to a few domains.

Before reporting back to the customer, what is the best way to move this forward / lock it down?

They have a PFsense router, a few Cisco layer 2 switches, some IP phones etc.

Everything is setup on a single network (192.168.1.X)

Roughly:

  • 30+ various IP cameras
  • 25+ Cisco IP Phones
  • 20 Workstations/Laptops
  • ? Devices on wifi

They do have a guest Vlan for wifi traffic (not in this list).

Everything else is all on one IP Range.

Any advice on moving this project forward without over complicating things?

Do I just block (how) the range of IP cameras from internet access (Range 192.168.1.200-192.168.1.235).

Thanks, Rich
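As an added example (not part of Rich's post, and not a pfSense export), here is the shape of the policy that answers the "do I just block the camera range" question: cameras may talk to the NVR and to a local DNS/NTP host, and everything else that leaves the LAN is logged and dropped, with the block rule last so the explicit allows win. The 192.168.1.200-235 range is summarised into the four CIDR blocks a pfSense alias needs, a small first-match evaluator lets you test the rule order before touching the firewall, and the same rules are rendered as the pf.conf lines pfSense compiles GUI rules into. The NVR address, the Pi-hole address, the LAN interface name and the camera-to-NVR ports are assumptions.

```python
import ipaddress

# From the post: one flat 192.168.1.0/24 with cameras at .200-.235.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
CAMERAS = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("192.168.1.200"), ipaddress.ip_address("192.168.1.235")))
# Assumed, not in the post: the VMS/NVR host, the Pi-hole (DNS/NTP) host, the pfSense LAN interface.
NVR = ipaddress.ip_network("192.168.1.50/32")
PIHOLE = ipaddress.ip_network("192.168.1.2/32")
LAN_IF = "igb1"

# First-match rule list, in the order pfSense evaluates LAN rules:
# (action, proto, src nets, dst net, negate dst?, dst ports, log?).
# Camera -> NVR ports are assumed (HTTP/ONVIF 80, RTSP 554). NVR-initiated pulls are
# allowed by state tracking, so they need no camera-side rule.
RULES = [
    ("pass",  "tcp", CAMERAS, NVR,     False, {80, 554}, False),
    ("pass",  "udp", CAMERAS, PIHOLE,  False, {53, 123}, False),
    ("block", None,  CAMERAS, LAN_NET, True,  None,      True),   # anything leaving the LAN
]

def _in(addr, nets):
    return any(addr in n for n in nets)

def decide(src, dst, proto, dport):
    """Evaluate RULES first-match (pf 'quick' semantics). Returns 'pass', 'block', or
    'default' when no camera rule matched and the ordinary LAN rules decide."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, srcs, dnet, negate, ports, _log in RULES:
        if rproto is not None and rproto != proto:
            continue
        if not _in(s, srcs):
            continue
        if (d in dnet) == negate:        # negate=True means "destination NOT in dnet"
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "default"

def render_pf():
    """Render the same policy as pf.conf lines."""
    lines = ["table <cameras> { " + ", ".join(map(str, CAMERAS)) + " }"]
    for action, proto, _srcs, dnet, negate, ports, log in RULES:
        parts = [action, "in"] + (["log"] if log else []) + ["quick", "on", LAN_IF, "inet"]
        if proto:
            parts += ["proto", proto]
        dst = str(dnet.network_address) if dnet.prefixlen == 32 else str(dnet)
        parts += ["from", "<cameras>", "to", ("! " if negate else "") + dst]
        if ports:
            parts += ["port", "{ " + ", ".join(str(p) for p in sorted(ports)) + " }"]
        lines.append(" ".join(parts))
    return lines

if __name__ == "__main__":
    print("\n".join(render_pf()))
    print(decide("192.168.1.210", "93.184.216.34", "tcp", 443))   # camera to the internet: block
```

Addresses are a weak control on a flat network: a camera that changes its IP, or any DHCP client that lands in the range, moves in or out of the policy. The durable version is a cameras VLAN on the Cisco switches with this policy on its pfSense interface. Either way, verify after the change that the Pi-hole query log goes quiet for those clients and that the block rule's counters in `pfctl -vvsr` are climbing, and disable any cloud/P2P feature in the cameras' own settings, since that is usually what was phoning home.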



IOS XE Fuji-16.8.1a or Fuji-16.9.1?

I've got a pair of C9500-48Y4C-A switches in front of me and it seems that 16.8.1a and 16.9.1 are my only two options for firmware. Both are marked as ED and neither has a gold star.

Which would you pick? I haven't gone past 16.6.x on any of my gear yet...

EDIT: They shipped with 16.8.1a, but I don't think that means anything because they were ordered before 16.9.1 was released, they just took the better part of a month to get here.

EDIT: Also, why are these both called Fuji? I don’t understand the naming scheme at all. NM, I found a post explaining it. It’s stupid, but at least I get it now.



Issues with OpenBGP [ x-post from /r/pfsense ]

I'm currently using PFSense VM (KVM on Linux) to act as a border router for a virtual environment. The grand idea is to have different servers announce their service IP address via BGP through a route reflector to the PFSense box.

I'm currently using OpenBGP on the PFSense box, GoBGP on the route reflector server*, and Quagga on the server to announce the route. Everything connects up just fine and the routes are passed from the server, through the GoBGP server to the PFSense box. The issue is that the routes aren't being installed in the FIB on the PFSense box.

    flags destination     gateway        lpref med aspath origin
    I     76.8.56.26/32   172.18.129.8   100   1          ?        <-- This one

If I establish a direct peering between the PFSense box and the server, the routes appear in the FIB.

    flags destination     gateway        lpref med aspath origin
    I*>   76.8.56.26/32   172.18.129.8   100   1          ?        <-- From server directly
    I     76.8.56.26/32   172.18.129.8   100   1          ?        <-- From GoBGP server

Looking at the output of bgpctl show rib detail for those routes, there appears to be nothing different about them:

    BGP routing table entry for 76.8.56.26/32
        Nexthop 172.18.129.8 (via 172.18.129.8) from NIMI01 (172.18.129.8)
        Origin incomplete, metric 1, localpref 100, weight 0, internal, valid, best
        Last update: 00:02:33 ago
        Originator Id: 172.18.129.8
        Cluster ID List: 172.18.129.1

    BGP routing table entry for 76.8.56.26/32
        Nexthop 172.18.129.8 (via 172.18.129.8) from COLO-BGP-V4 (172.18.129.2)
        Origin incomplete, metric 1, localpref 100, weight 0, internal
        Last update: 00:02:29 ago
        Originator Id: 172.18.129.8
        Cluster ID List: 172.18.129.1

The OpenBGP config for these two neighbors is:

    group "colo-bgp" {
        remote-as 65301
        route-reflector 172.18.129.1
        neighbor 172.18.129.2 {
            announce none
            descr COLO-BGP-V4
            local-address 172.18.129.1
        }
    }
    group "nimi01" {
        remote-as 65301
        neighbor 172.18.129.8 {
            announce none
            descr NIMI01
            local-address 172.18.129.1
        }
    }

Normally I do all of this on Junipers, and they are pretty good at telling you why it doesn't install the route. I was curious if anyone had any insight into this.

* I'm using GoBGP for the servers to directly connect to as it allows me to define neighbors by the subnet allowing my automation to work a heck of a lot smoother without.



What entry level jobs are most in demand at Amazon?

What courses would one have to take? Can one take only a years worth of courses and apply for networking related jobs?



Remote access using SNMP?

Hi, has anyone here configured or used SNMP to remote into their network devices? Is this possible? Could you share your config and how we can remote into the device?

Ex:

R1(Target Remote host)

#snmp-server community test RO

R2# telnet r1 snmp# <---is this how we can access the device?

Thank you



WARNING: New Spectrum BGP "Standards"

Just got off the phone with Spectrum/Charter/TWC/Brighthouse/Whatever they are now. Our BGP with them went down Tuesday at precisely 1AM. Sounds fishy? While you would prefer perfectly stable connections, it's pretty standard (in my experience) to have middle of the night random drops as providers perform maintenances without sending notifications. How professional! The exact timing is a dead giveaway.

My colleague (he wants me to refer to him here as Chuck Finley) opened a ticket, and was immediately told it was a fiber cut. Great! Update us as it gets fixed.

No updates throughout the day, and Chuck calls back. Now he's told it was an equipment migration. Super, fix it.

We start escalating with account managers and breathing fire. Chuck finds this in the logs:

%BGP-3-NOTIFICATION: sent to neighbor 192.0.2.1 active 2/2 (peer in wrong AS) 2 bytes 4E21

Yup, they botched their config.

He gets on the phone with them and gets them to fix this. BGP neighborship comes up, we get our default route, but our outbound advertisements are still not being preferred over our backup that we prepend 6 freakin times. Still escalating with account managers, who basically say "we're going home for the night, good luck!"

This morning Chuck finds that we are no longer even receiving the default route, 0 prefixes received. le sigh.

Calls them up yet again, and is told somehow they stopped giving us default and gave us Full Routes. We filter everything but default inbound. They put it back to default and we're up and running for outbound traffic, but route advertisements to them are still borked. Chuck goes through all the config and asks me to hop on a conference call and double check. I confirm the config is good on our end.

The Spectrum engineer says he's getting our routes prepended 3 times with 100 local preference. That's odd, since our route-map to him just matches on our prefixes and doesn't set anything. The only route-map that prepends 3 times also sets the local preference lower via communities. Our config hasn't changed since the BGP relationship bounced multiple times, so it's not like some latent config is stuck in the works. Just to humor him, I hard reset the BGP peering, and he claims the prepends went away. OK fine, still has nothing to do with not preferring that route over a 6x prepend that goes through 2 other ASes. While talking about that 6x prepend route he lets slip that the local pref on that route is 101.

WHAT?

It clicks that our local pref is only 100. I pull up my 'Charter BGP guide' (probably old/legacy, but most providers are relatively consistent with local preference communities). 120 is default for customer routes, 100 for peers, 80 for transit. He starts explaining about the new config standard they are pushing blah blah blah. He even gets someone from the Standards team on the line. I start questioning about why they are defaulting us to 100 and why, since local pref is significant within the AS, they are assigning our routes from transits to 101. Blah blah new standards. I ask for their new BGP guide. They have none, he's going to bring it up to the team and see if they can write something. Gotta wait 2 weeks and ask my account manager. He asks if either we can set 120 local pref via communities or he can have it hard coded. I'm happy to set it and do, then soft reset. Symptoms go away. Now I get to wait and bring it up over and over again until they actually fix their broken standards.

TLDR:

Once you're on the 'new standards' Spectrum will now by default prefer ANY OTHER PATH to your routes, even if it goes from Slovakia to China to Russia to South Africa, then back to you over 92 AS hops rather than going over your direct fiber link with them. Maybe I'm overreacting, but I feel like they just broke basic BGP.
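To make the TL;DR concrete, here is an added example (not the poster's or Spectrum's configuration) of why a 101 local preference on the backup path beats a direct link no matter how much the customer prepends: a minimal BGP best-path selector in Python that applies the decision steps in order and reports which step decided. The ASNs are placeholders from the private range, the backup path carries two other ASes plus the customer AS prepended six times as in the post, and the "fix" is the 120 local preference the post ends up setting via community.

```python
from dataclasses import dataclass, replace
from typing import Tuple

# Placeholder ASNs (private range), not the post's real numbers.
CUSTOMER, TRANSIT_A, TRANSIT_B = 64496, 64500, 64501

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

@dataclass(frozen=True)
class Path:
    name: str
    local_pref: int
    as_path: Tuple[int, ...]
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    router_id: str = "0.0.0.0"

# Decision steps in the order a router applies them (Cisco's vendor-specific 'weight'
# omitted). Each key is "lower wins"; the first step that leaves one candidate decides.
STEPS = [
    ("local_pref",     lambda p: -p.local_pref),
    ("as_path_length", lambda p: len(p.as_path)),
    ("origin",         lambda p: ORIGIN_RANK[p.origin]),
    ("med",            lambda p: p.med),   # simplification: routers compare MED only among paths from the same neighbouring AS
    ("ebgp_over_ibgp", lambda p: 0 if p.ebgp else 1),
    ("igp_metric",     lambda p: p.igp_metric),
    ("router_id",      lambda p: tuple(int(o) for o in p.router_id.split("."))),
]

def best_path(paths):
    """Narrow the candidates step by step; return (winner, name of the deciding step)."""
    candidates = list(paths)
    for step, key in STEPS:
        low = min(key(p) for p in candidates)
        candidates = [p for p in candidates if key(p) == low]
        if len(candidates) == 1:
            return candidates[0], step
    return candidates[0], "router_id"

def prepend(asn, times):
    """The origin AS once, plus `times` extra copies, as an AS-path prepend produces."""
    return (asn,) * (times + 1)

# The two paths the provider sees for the customer's prefix, as described in the post.
DIRECT = Path("direct fiber link", local_pref=100, as_path=(CUSTOMER,))
VIA_TRANSIT = Path("backup via two other ASes, prepended 6x", local_pref=101,
                   as_path=(TRANSIT_A, TRANSIT_B) + prepend(CUSTOMER, 6))

if __name__ == "__main__":
    winner, step = best_path([DIRECT, VIA_TRANSIT])
    print(f"new standard: {winner.name!r} wins at step {step}")
    fixed = replace(DIRECT, local_pref=120)   # what setting the customer local-pref community does
    winner, step = best_path([fixed, VIA_TRANSIT])
    print(f"with lp 120:  {winner.name!r} wins at step {step}")
```

Local preference is compared before AS-path length, so the nine-hop path wins at the first step and the six prepends are never even looked at; the only lever the customer has against a provider-side default is the community that sets local preference, which is why setting 120 made the symptoms disappear. When a provider changes its defaults like this, the check is `show ip bgp <your prefix>` on their looking glass, reading the localpref column rather than counting prepends.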



How much does crowd strike endpoint protection cost?

I realize the cost will probably vary wildly depending on deployment size but approximately how much does it cost per license? I don't want to get inundated with sales calls and am curious if it's applicable to a small network of about 25 clients that I support.



Full mesh diagram

Anyone have an example of a way to diagram a full mesh topology of over two dozen nodes without it looking like a bowl of spaghetti?



What magic keywords am I looking for? When I search for fiber transceivers for Ubiquiti US-48s, Amazon says that there are only 3 models that exist. That can't be right.

Per the title. I'm looking for LC fiber transceivers on Amazon to go along with my US-48 switches but either 10Gtek and 6com are the only manufacturers on the planet or the search terms "LC transceiver ubiquiti us-48" are too restrictive.



Seeking guidance to master BGP

https://ift.tt/2KSIJUN

Ubiquiti for small non-profit offices question: USG? With or without a UTM?

Greetings!

I work with a non-profit with several small offices around the world in developing nations. We're trying to "unify" things, and the UniFi line is what meets our needs and our budget.

I’m trying to balance ease of remote management (from a time/efficiency and usability perspective) with security and future room for growth. I know the USG is limited in terms of its feature set verses most UTMs (Sophos, Meraki, SonicWall), and the hardware wasn’t designed with IDS/IPS and DPI in mind.

BUT, we don’t need a lot of the advanced features of most UTMs. We have machine level content filtering, AV, and phishing. Buuuut, for a better layered approach, I know a UTM would be best. But, is this overkill for an office of 15 staff with only workstations?

Any thoughts? USG only? UTM only? Both?



Conveyancer and VPN?

One of my clients wants to install Conveyancer on his computers, which requires the computers to be connected to the central server to access the databases.

I'm assuming the best way is to either - Enable VPN for the server, allowing all computers to connect. - Purchase a Remote application, but will require a dedicated workstation for each laptop that connects remotely.

If I am using VPN, is Windows Server Essentials satisfactory? I'll need to purchase a Server - is Dell OK? Or should I use VPN built into the router? Is that ok for 4-10 workstations?

I'm still new to this so any help is appreciated.



WCCP not working

Currently trying to upgrade our WCCP router and it is weird: I copy the config over to the new device and it refuses to pass any interesting traffic to try and establish the WCCP tunnel at all. I cannot find out whether it is a feature to turn on or a license.

I put the config for WCCP2 on its new router and that one came up almost instantly. Both new routers are ISR4451-X. Much stumpage.



IPv6 Public vs Private

I am aware that you need to finish paperwork to request a public IPv6 subnet and pay the associated annual fee, while private does not require this.

I am also aware that public IPv6 addresses can be advertised or used on the public Internet, while private cannot.

So besides these two differences between private and public IPv6, are there any other items I should be aware of when deciding which to use?



Where do I place Wireshark?

Long story, I received a PCAP file to analyze the traffic of our web based firewall (zscaler). I was wondering, if this is web based firewall, where would wireshark be placed at?



NETGEAR Orbi vs Google WiFi for home speed and coverage?

Which would you all recommend? Our house is about 3600 sqft. Ideally I want the router in the upstairs corner of our house, which is my home office, because I want my pc to be hardwired. Doing that obviously creates some dead spots in other areas of the house. I'm fairly certain that I want to do a mesh system and I've narrowed it down to these 2. Just need a little help determining which would better suit my needs, which are coverage, then speed. I also need the coverage to extend outside to the backyard to some extent. Any help is much appreciated!



Any of you ever work with CFM provisioning in Cisco's EPNM?

Hey all - first time poster, long time lurker.

My company is looking into moving into Cisco's EPNM. I've been tasked with setting up automated CFM provisioning. Have any of you ever worked with this? If so, do you have any insights on setting up CFM through their interface? Specifically, we're looking into Y.1731 and TWAMP.

Any help is appreciated. Thanks!



Cisco ISE and iPhones

For some reason, iPhones just dont like operating in enterprise environments, or at least it seems that way to me.

Currently we are deploying guest access/captive portal via ISE on our campus. Everything is working as intended except for iPhones.

Whenever a user tries to connect to the SSID thats connected to the ISE captive portal, immediately a "unable to connect" box appears, if the user quickly tries again they will connect.

This only happens with iPhones, and only on the SSID tied to the captive portal, all other situations work with no issues.

Has anyone else run into this issue? Thanks



Managing Multiple DDNS'

TL;DR - Do any of the big DDNS hosts offer managed DDNS accounts, 1 admin account, multiple users for DDNS?

Hey, I've been given a problem that I can't figure out, just making sure that I'm not crazy. We have a lot of remote users with routers and they require accessing their devices off their network remotely. Currently, we have DDNS addresses assigned to their routers but they utilize the single admin account from DynDns. The company has grown to the point that this can pose an issue if we continue gaining clientele that require remote access without a static IP for their site. Do any of the big DDNS hosts offer managed DDNS accounts, 1 admin account, multiple users for DDNS?



Very odd behavior - gateway unreachable from client until ping FROM gateway is run to client

A quick history; client has a network with about 100-150 devices at any given time, had an old HP Procurve stack that had a failure in PoE and a fan failure so we had to replace it. All new UBNT switches, connectivity in the stack is with 1gb fiber sfp and local communication seems to be no problem.

Since the replacement, we have users (both wired and wireless) that will get an IP from DHCP with no problem, can communicate with the servers and other network resources but have no internet access. Some of them can ping the gateway (Watchguard firewall) but still have no access and others can't ping it at all. My own laptop had this behavior when I got here this morning tracert times out, ping would go through but I couldn't get to the internet and I couldn't access the management interface on the gateway (both web and System Manager). Logging into a server that has working access let me connect to the firewall without issue. When I ping from the firewall diagnostic tool to MY local IP, the first packet fails, the subsequent ones go through and all of a sudden I can get to the internet and manage the firewall.

Now, this is my first day dealing with this as I just came back from holidays, but my boss has been looking into this essentially since I left. My thoughts are that somehow there is an issue with ARP finding the gateway via the switches until the gateway establishes a path TO the client at which point the stack knows how to get back to the gateway. Am I losing my mind here or does anyone else have some insight as to what might be the issue?



L3 portchannel single TCP stream performance

Hello colleagues,

I'm facing a strange issue. There is an L3 port-channel (2x1G) in my network (ME-C3750-24TE vs. CISCO7604). I have a test device (100 Mbps NIC) on the far end (behind the ME). A single TCP stream BW test is oscillating around 50 Mbps. When I start a multiple TCP stream test, everything works fine and I get 92 Mbps results. End to end delay between those nodes is 10 ms. None of the links is saturated during the test. Balancing is working all right (half/half).

Config:

ME:

    interface Port-channel1
     description x
     no switchport
     ip address x
     ip router isis
     load-interval 30
     mpls label protocol ldp
     mpls ip
     max-reserved-bandwidth 100
    end

C7604:

    interface Port-channel2
     description x
     mtu 1536
     ip address x
     ip router isis
     load-interval 30
     mpls ip
     mpls label protocol ldp
     mpls traffic-eng tunnels
     mpls traffic-eng administrative-weight 1020
     mls qos trust dscp
     hold-queue 4096 in
     hold-queue 4096 out
    end

Any advices are welcome.



Have you found a stable Cisco 3850 code?

Does it exist? Will it exist? Maybe 16.10.1 Gibraltar? Please share as I haven't found one!

Thanks.



Tuesday, August 14, 2018

Can virtual router infect my PC

I’m considering using a virtual router program on my PC to allow a family member to connect their device to our network. I was wondering if my PC could in any way be affected by what they do on their device while connected to the virtual router on my PC.

They are not exactly tech savvy and they tend to download suspicious files/programs or anything that pops up on their screen. Would my PC store any data or get infected from what they are doing over the network?



Watchguard XTM25 upgrade firmware without feature key?

Bought an XTM25 off eBay for cheap, found out it was retired as part of a trade-up and can therefore not get a feature key for it. Seller refunded me when I asked to return it and he said keep it, not worth the trouble, so figured I may as well try to use it as best I can.

It was on 10.9 and I kept getting stopped by the device telling me I need a feature key, but then I found out if I upgrade incrementally one version to the next I was able to progressively work my way to higher firmwares. At least until 11.10.7 update 1; after that I couldn't upgrade to 11.11, which according to WatchGuard's website is directly after 11.10.7 U1. Am I SOL or am I missing a firmware?



What don't you carry cisco smartnet on?

Well folks its that time of year, time to renew smartnet! We don't carry smartnet on phones, wireless access points, and ucs blades. I was wondering what reddit does?



Do good but inexpensive cable testers/certifiers exist?

If so, where might I find one of these unicorns? (I know the difference between tester and certifier :)

Oftentimes I'm called to troubleshoot a customer WLAN. On occasion, the line running to the AP in question is in an... interesting state. I'd like to be able to plug into both ends and test the cable with a known good piece of equipment.

Fluke's DSX and EOL'ed DTX testers are the gold standard, but I also don't have a down payment on a house to spend on this device. If I were a telecom technician installing CAT6 cable for a living, it's a different discussion.

Any ideas?



Monitoring user traffic via router.

I manage a small office in China and there is little IT infrastructure to speak of aside from a Synology DiskStation and a Netgear Nighthawk router that I installed. Ideally I need to monitor traffic through the router.

The problem is that people in the office use commercial VPN applications and I'm sure this is going to create a problem in detecting what people are viewing during work hours.

What are my options here? Do I need to install software on the user laptops in order to obtain a definitive list of what they are browsing and the time spent on each website? Would also be good if I could obtain the amount of data sent over the network for each user as I know one is regularly gaming! 

Thanks. 



ISE + IPv6 Support

I'm struggling to find documentation on this. Does ISE 2.3+ support IPv6 dACLs?



MPLS VPN Internal Routing Input. RFC6368/4456?

Have a customer with about 100 sites on an AT&T full-mesh layer 3 MPLS.

The routing is a mess, lots of RIP/OSPF redistribution into the BGP and back, tons of unnecessary static routes. They want some better redundancy and traffic planning as well as have a SDWAN transition plan, so Phase 1 is getting rid of AT&T cisco managed routers onsite they're unnecessarily paying a ton for and connect their CPEs direct to the MPLS. All devices are modern Fortinet CPEs.

Looking for input on the MPLS internal routing, I've typically either done an eBGP private AS per site or done a single eBGP AS with AllowAS-in, however I've recently been reading RFC6368 and RFC4456 (iBGP with route reflection) and it seems like a great solution. The equipment is compatible so does anyone have any comments or feedback, or maybe another style that I haven't thought of?

Also aware of potentially doing an SDWAN overlay with the Fortinets but that comes down the road a bit, they have the heebie-jeebies about it after being burned in a pilot implementation by another vendor even though it works fine.



Do you give management interfaces an (r)DNS entry?

If so, how do you manage/update them?

I've hacked a bit of python which reads directly from our NMS, uses netmiko to determine the management interface, and spits out resource records for the zone file like so:

    ExampleIDF1           CNAME  exampleidf1-v-10
    exampleidf1-v-10      A      10.155.166.4
    ExampleEdge           CNAME  exampleedge-ge-1-1-1
    exampleedge-ge-1-1-1  A      10.250.21.86

It then reloads bind for the zone and away we go. Is there an easier way?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



What is the significance of crosstalk in ethernet cabling? What effect does it have?

What exactly is bad about crosstalk? Does it just lower your speeds and that's it? Or can it mess up the data itself or some other harmful effect?



#OldSchool How long were bridges actually used in association with hubs?

Every network class I've sat in covers Hubs, then bridges, then switches.

In this context how long were companies using bridges before switches replaced Hubs?



Security Camera Software

Not sure if this is the right place, provide alternates if not. I'm the network admin for a few school districts and one of them needs to get new software for their security cameras. Price is the issue. We use Exacqvision at another district but it came back a little too pricey. I'm looking for something that doesn't require additional equipment and can run off a VM with the ability to support 30+ cameras. If you have any suggestions they are greatly appreciated. Thanks



How do you politely request a new TAC engineer from Cisco support?

Working on a case where my switch is policy routing traffic it has EIGRP routes for. It is set for "set ip default next-hop" so it shouldn't do this.

The TAC engineer had 3 days to look over the config.

It took over an hour on the phone for him to finally agree that it shouldn't policy route traffic it has routes for. I had to SHOW HIM CISCO DOCUMENTATION for him to finally agree. Before that he insisted on topology diagrams and lots of info which seemed completely unnecessary for such a basic issue.

Have you ever requested a new engineer? How does that go?



100/10 switch for 100Mbps down/10Mbps up connection or gigabit?

I need the fastest switch.



Quick way to test web DNAT to proxy?

Hello, just got a hint of a mandate that all traffic on X Vlan needs to go to a cloud hosted proxy that does not exist yet. I want to get my configuration ready so when they give me an hour to turn over the traffic I am ready. I need to test to see if my DNAT is properly configured, is there a "trustworthy" proxy out there that will actually forward traffic once I have DNAT'd to it? I see the flow on the firewall showing that my destination is being changed to whichever IP I configure, but I need to test to make sure things are flowing properly. Not sure if I am properly explaining things.

edit: the devices would be non-corporate owned so we cannot just push proxy config to them. Thanks!



Other Use case for PC Engine apu2c4

I am currently running pfSense on a PC Engines apu2c4. It works great, never a problem. However, I have been budgeting and saving for a Ubiquiti USG Pro along with their UniFi products. Regardless of which route I may go, can anyone share with me another use case for the PC Engines apu2c4 if I decide to go with a different firewall?



Cisco 3850 pings timeout unless I add a static route

I had an issue with two Cisco switch stacks today that stumped me. Network diagram and CLI output at the end.

A client is retiring their MPLS in favor of site to site VPNs. VPNs between the firewalls have been setup but when I tried to ping from the SC switch to the OH switch the pings time out. OH to SC has the same result. Doing a packet capture on the local SC firewall, I see the ICMP request leave *and* the OH's reply come back. The firewall says it forwards the reply to the local SC switch, and has the switch's MAC address as the destination. But the switch says it never received a reply and that the request timed out.

See the CLI output, the switch at 10.10.60.1 is set to send traffic to the default gateway of 10.10.60.254, the firewall. If I add a static route to OH via the default gateway 10.10.60.254 the pings start working. If I remove the DG the pings stop working. I've verified neither firewall has any routes pointing to the old MPLS router. Things I tried:

  • Rebooting the firewalls and switches at both sides (no effect)
  • Adding a /24 route to the OH side (pings still failed in both directions)
  • Pinging the SC server at 10.10.60.10 from OH (pings were successful)
  • Pinging an OH Cisco router at 10.20.36.15 from the SC server (pings were successful)
  • Manually sourcing all pings from the respective interface (SC 10.10.60.1 and OH 10.10.36.1) (made no difference)

The switches were sold to the client by their phone vendor and the client has not updated them since install, I noted the firmware dates in the network diagram. Any ideas why adding a seemingly unnecessary static route to the SC allowed pings in both directions to complete successfully?

Network diagram and CLI output