Saturday, September 1, 2018

vlan question

Hi all, I'm quite new to Cisco and advanced networking. I would like to ask for any ideas on having a VLAN in my network.

On the Ruckus AP, I created another SSID and assigned VLAN 99, then set the Ethernet ports to trunk port from the default access port. (It's a Ruckus 7363 Multimedia Hotzone Wireless AP, to be exact.)

On my Cisco switch, I already set the smartport of the AP to Cisco Access Point, and I see it is now a "trunk port". (Catalyst 3560 Series, to be exact.)

On the pfSense firewall I already created VLAN 99 and a DHCP server, and added a rule on the guest interface to allow * on * just to test things.

lan subnet is 192.168.0.0/20

guest (vlan99) 192.168.50/25

Problem: clients can't get a DHCP IP from the firewall (nothing yet works on the new VLAN).

Any idea what I am doing wrong? Any steps I missed? I do not have any networking certification or training, btw. Any comments appreciated. Thanks.
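As an added illustration of the trunk configuration the steps above describe (this is not the poster's configuration and not the output of the smartport macro; the interface names Gi0/1 for the AP and Gi0/24 for the uplink to pfSense, and VLAN 1 as the untagged LAN VLAN, are assumptions), here is a minimal Catalyst 3560 IOS configuration that carries VLAN 99 tagged from the AP through to the firewall:

```cisco
! Added example, not from the original post. Assumes a Catalyst 3560 running IOS,
! the Ruckus AP on Gi0/1 (assumed), the uplink to the pfSense firewall on Gi0/24
! (assumed), VLAN 1 untagged (native) for the existing LAN SSID and VLAN 99
! tagged for the guest SSID.
vlan 99
 name GUEST
!
interface GigabitEthernet0/1
 description Ruckus 7363 AP (trunk: native VLAN 1, tagged VLAN 99)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,99
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!
interface GigabitEthernet0/24
 description Uplink to pfSense (parent interface of the VLAN 99 sub-interface)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,99
 switchport mode trunk
 switchport nonegotiate
!
! Verification commands:
!   show vlan brief          - VLAN 99 must exist and be "active"
!   show interfaces trunk    - both ports must show "trunking" and list 99 under
!                              "Vlans allowed and active in management domain"
```

The DHCP discover from a guest client leaves the AP tagged with VLAN 99, so every hop between the AP and pfSense has to carry that tag: the AP port, the switch's VLAN database, and the uplink. If `show interfaces trunk` does not list VLAN 99 as allowed and active on both ports, the request never reaches the firewall. On the pfSense side the VLAN 99 interface must sit on the parent interface that faces this switch, and the DHCP server must be enabled on that VLAN interface, not on the LAN interface.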



DNS proxy on Juniper SRX 210

I recently purchased a SRX 210 to play with at home (learning Junos). I wanted to set it as a dns proxy but I'm not finding any settings for it. Supposedly it's under system -> dns but there is no such entry. The only thing that starts with "d" is dhcp.

I also looked under the built in help docs and it didn't show any commands related to dns other than setting the dns servers for the firewall and dhcp options.

The docs say the 210 supports this but I don't see it. Any ideas?

I posted here instead of the juniper sub because there is more traffic here.



[MPLS Beginner] Please, someone explain route distribution protocols for MPLS

After quite a while of googling, I've managed to figure out that MP-BGP has some sort of support for MPLS, LDP is a protocol for "distributing labels" (where they actually come from, I have no clue), meanwhile RSVP-TE and OSPF MPLS-TE exist with some relation to the topic.

I don't know if I'm searching for the wrong terms, but the best I've been able to come across are various Cisco articles giving particular setups without much explanation of what the various protocols do and how they interact.

Thanks in advance...

PS: Also, for bonus points, possible direction to achieve a lab with only linux-based routers?



BGP real world

What is the process of getting into BGP? I'm not asking how the BGP protocol works. What is the step-by-step process of getting the peering with the provider or with a university? Is there a yearly fee?



Standalone Firewall vs Firewall built into router/gateway?

I am currently planning the network setup for my new house and I was wondering about getting a standalone firewall. I know my FiOS Quantum gateway has an internal firewall, but is there any benefit to using a standalone firewall? My network setup is a work in progress, but right now I am planning to run 2 Cat6a outlets to every bedroom, plus several other outlets around the house, and 4-6 to both my den and home theater for the TVs' accessories. So I know I'm going to need a rack-mounted patch panel (24 port) and a managed switch. Plus I'll have home automation with Samsung SmartThings using 1-2 Connect Home hubs (that I can use as routers) and Arlo surveillance cameras. So right now I'm trying to decide between using a Geekpub Wanbox with pfSense, using the WAN cord from the FiOS ONT as the source, or using the FiOS Gateway as the source? Or can I use both?



VOIP Service.

A voice over Internet Protocol (VoIP) service provider offers VoIP Internet telephony solutions to residential and commercial customers. Also known as an Internet phone service provider, a VoIP service provider generally provides the VoIP hardware and services to subscribers at a monthly rate, although hosted VoIP services are also quite common.



Access edge standardization and best practices - what does yours look like?

I think it would be an interesting conversation to discuss what a properly defined network edge would look like. Specifically the access switch edge, not internet edge.

For the sake of the conversation, let’s assume a few things about this fictitious network. All cisco devices, in a core/distribution/access 3 tier fashion.

Core is layer3 to the distribution, over these layer3 links, ospf is used to send routing information to the cores. Distribution has layer 3 svi’s configured that are trunked to the access switches. In most but not all cases distribution can be a single distribution switch with l3 uplinks to corea and coreb.

Distribution1 is set with stp rapid-pvst, and has a priority of 8192. It has an etherchannel to distB with all vlans allowed. Distribution2 is set with stp rapid-pvst, and has a priority of 16384. They use HSRP and each supports all client vlans in a deterministic fashion, making distribution1 the primary for layer 2 and layer 3. Trunks from the distribution all have explicit vlan allow statements towards the access switches. Rootguard is configured on distribution ports facing the access ports.

The edge has uplinks to dist1 and dist2. The edge has vlans defined that are used on the switch. Ideally each access switch has its own defined vlan; however, some things are trunked to multiple access switches. Access switches have portfast default and portfast bpduguard default enabled. Access switches have rapid port vlan stp priority set to 20480.

Ok, so with that out of the way – how do you protect your edge?

Port security? What do you care about? What thresholds do you use?

Do you filter at the edge? acl’s vacls? What and why?

Does anyone care about voice vlans anymore?

Anyone still use private-vlans? Why?

802.1x ? dynamic vlan assignments? How do you get it to scale to thousands of switches?

Anyone looked at clearpass

Do you force non-trunking (dtp off)

vtp transparent?

Do not ever use vlan 1

Do you still use a dummy vlan or shutdown unused ports?

Dhcp snooping/ip sourceguard / dynamic arp inspection?

Storm control? What parameters?

How do you manage Qos across a huge variety of switches, and in some cases against a huge number of families of line cards per switch platform? Is it even worth it ?

I am genuinely curious what other enterprise network folks are doing with their setups and how they find it working out in the real world where users come and go and requirements change quickly. On some level the expectation is the network should just work and should enable the business to do useful work without getting in the way. The other hand is that the network should be generally protected – where is the trade off? What do you wish you were doing that you are not – what do you hate the way you are doing now and wish you could change?
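As an added example, not the poster's configuration and not any vendor's published baseline, here is how the edge described above (rapid-pvst priorities, root guard on the distribution downlinks, portfast with BPDU guard on the access switch) can be expressed in Catalyst IOS, together with the other controls the questions list: DTP off, VTP transparent, unused ports parked, DHCP snooping, IP source guard, dynamic ARP inspection, port security and storm control. Interface numbers, VLAN 10 (data), VLAN 110 (voice) and VLAN 999 (parking) are constructed for the example, and the thresholds are starting points to tune, not values taken from the thread.

```cisco
! Added example, not from the original post. Assumes Catalyst switches running IOS,
! data VLAN 10 and voice VLAN 110 (constructed), access switch uplinks on Gi1/0/49-50,
! user ports Gi1/0/1-39, unused ports Gi1/0/40-48, and a DHCP server that is reached
! only through the uplinks (so only the uplinks are "trusted" for snooping/DAI).
!
! ---- Distribution switch: ports facing the access layer ----
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 8192
!
interface range GigabitEthernet1/0/1 - 48
 description Downlink to access switch
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,110
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
!
! ---- Access switch: global settings ----
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 20480
spanning-tree portfast default
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
vtp mode transparent
!
ip dhcp snooping
ip dhcp snooping vlan 10,110
no ip dhcp snooping information option
ip arp inspection vlan 10,110
!
vlan 999
 name UNUSED_PARKING
!
! ---- Access switch: uplinks (trusted for DHCP snooping and DAI) ----
interface range GigabitEthernet1/0/49 - 50
 description Uplink to distribution
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,110
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! ---- Access switch: user ports ----
interface range GigabitEthernet1/0/1 - 39
 description User port (data VLAN 10, voice VLAN 110)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ip verify source
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
!
! ---- Access switch: unused ports parked and shut ----
interface range GigabitEthernet1/0/40 - 48
 description Unused - parked
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
```

Two operational points follow from this layout. `ip verify source` and `ip arp inspection` both consult the DHCP snooping binding table (`show ip dhcp snooping binding`), so a host with a static address on a user port is dropped until an `ip source binding` entry is added for it; that is the usual source of "the printer stopped working" tickets after enabling these features. Ports taken down by BPDU guard or port security show up in `show interfaces status err-disabled`, and the `errdisable recovery` lines above bring them back automatically after the interval so a desk-side visit is not needed for every event.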



Nexus use cases for mid-sized companies

I'm new to Nexus. Web searches related to NX-OS reveal mountains of white papers and marketing pizzazz, but I'm struggling to understand (in practical terms) what benefits NX-OS would provide outside of a data center environment, given that it seems to be quite similar to IOS. Is it simply a matter of SDN compatibility and bandwidth capacity?

I hope I didn't make your eyes roll. I'm an IOS guy interviewing for a job that includes a bit of NX-OS, and I would like to have a basic understanding of the above.

Thanks!



First Job Search in 25 Years - What Network Specific Advice Do You Have?

Someone close to me worked over 25 years at one company before being laid off due to a merger. They asked him to stay on until the very end, as he was needed for the transition. He had worked his way up from technician to mid/upper level management over 7 engineers; he designed, implemented, and troubleshot telephony networks. Now he's looking for a job, but it's been so long, where to start?

I'm in a completely different field, so I just don't know how to help him. He is telephony/communication/networks. He has an updated resume and LinkedIn.

Technology changed, and he kept up as the company changed, but he started out with little formal education. Now, these jobs require degrees. Will his experience make up for that? It doesn't make a ton of sense for him to spend 2 years taking classes on things he learned in the field. When looking at job postings, he has experience in all the programs they list...

Are there specific recruiters you recommend for this field? Or specific job boards (not just Monster or Indeed) for the industry?



Single tier firewall

Is there anything called a single-tier firewall? I'm aware of 2-tier and 3-tier. Is it an obsolete term?



Testout Sim

I'm studying for CCENT and eventually CCNA and further. For my data comm and networking class in college they made us buy this thing called Testout; supposedly it prepares you for Network+. Has anyone heard of it?

Will it help me with the CCNA stuff at all? I plan on using packet tracer the sim that came with the Odom cert guide and hands on stuff for that anyway. I guess obviously I have to get Cisco specific knowledge through that stuff



Inventory management system

Hi, I am looking for some kind of inventory management system for keeping a record of network equipment in stock. We periodically receive a lot of devices at several locations and need to keep track of what we have in stock, instead of using internal mailing lists to ask for a specific device/component.

The system should be:

  • web-based
  • run on premise
  • keep track of inventory at separate locations



10gb rj to SFP+

Hey

Does anyone know if they exist? I have some SFP+ to RJ 1Gb converters, but I want to get 10Gb RJ to SFP+; can that be done? Most of the network runs on SFP+, but we have a workstation with RJ 10Gb, so it's a bit of an issue.

TIA



Please, sanity-check this branch network

Hello all,

I've been tasked to redesign a cost-aware small branch (they call it a branch but it's more of a SOHO) network while adding in a firewall and some dedicated wired connections. The goal is improved security, visibility and speed.

I would like to run the setup I have in mind with you experts, as to double check if everything makes sense and that there are no bottlenecks or completely useless and convoluted contraptions..

Below a diagram, the first block being the firewall (thinking of getting a pfsense box, specifically the SG-3100) and the second block is a managed switch.

Few points I've been pondering over:

  • The big heavy loads will happen on the switch on VLAN_Y (multiple PCs talking to NAS).
  • I want to manage centrally the L2 firewalling and to strictly control what VLAN_XYZ do in relation to each other and towards WAN
  • I want to protect and gather visibility on the WAN so I was thinking to run Suricata and/or pfBlockerNG on the WAN port (so IDS/IPS). I don't think (questionable) I need to run any of those on the other interfaces?
  • The reason for the LAG between Switch and Router is to allow VLAN_X to fully talk to VLAN_Y without pestering VLAN_Y trying to talk to WAN
  • Bottlenecks... If I should fully utilize the 1Gbps from the WIFI and go to the VLAN_Y (like accessing the NAS), and the VLAN_Y should send at full speed to WAN..(it has nowhere else to go) it would still be 1Gbps+100Mbps .. so there should be no issues ?
  • For clarity, I'm assuming that the firewall will be the gateway for VLAN_X, _Y and _Z; no static routing will happen in the switch. And I assume that when I need to go from VLAN_X to VLAN_Y, I'm actually sending traffic to the SOC? This bit I'm not sure about.. Still, if that happens I have 2.5Gbps to the SOC and that could be 1Gbps VLAN_X in + 1Gbps VLAN_X out + 100Mbps VLAN_Y to WAN .. 2.1Gbps.
  • The firewall is not super-beefed .. however I'm starting to think it's more than enough for the setup (and I would hate spending twice as much and not utilize the investment). Although I'd run Gb speeds to it for L2 routing, the heavy stuff should run only for the WAN (?) which is low speed.. (100Mbps is even an exaggeration; they currently have a 10/1 connection, but I'm considering room for improvement).

So what do you think? Any conceptual mistake here? Anything different you would make?

On a different note do you think the SG-3100 is enough for this task and leaves some room for adding complexity for the future?

Firewall (first block, SOC):

  • 1Gbe PORT <-> WAN, cumulative up/down 100Mbps
  • 1Gbe PORT <-> OPT for non-traffic-generating stuff, isolated
  • 2.5Gbe link from the SOC to the built-in switch ports (PORTSW):
      • 1Gbe PORTSW <-> 1Gbe PORT WIFI AP (2.4-5GHz) VLAN_X
      • 1Gbe PORTSW <-> first member of the 2Gbe LAG to the Managed Switch, VLAN_Y, VLAN_Z
      • 1Gbe PORTSW <-> second member of the 2Gbe LAG to the Managed Switch, VLAN_Y, VLAN_Z

Managed switch (second block):

  • 1Gbe to Router (LAG) VLAN_Y, VLAN_Z
  • 1Gbe to Router (LAG) VLAN_Y, VLAN_Z
  • 1Gbe to NAS VLAN_Y
  • 1Gbe to NAS VLAN_Y
  • 1Gbe to PC1 VLAN_Y
  • 1Gbe ...... VLAN_Y
  • 1Gbe to PCn VLAN_Y
  • 10Mb to non-traffic-generating stuff VLAN_Z

Thanks a lot for your invaluable feedback!



Bridging ethernet to Wi-Fi in attempts to boost it on Ubuntu Server

I have a PC running Ubuntu Server (connected via Ethernet) and I have a Wi-Fi card capable of being an access point, is there any way of bridging the Ethernet connection to the Wi-Fi card in attempts to boost the network range, while being able to still use the Ethernet connection - all through the command line? This is a long shot but we don't have money but are in dire need of a solution. Any help would be massively appreciated, thanks in advance :)



Friday, August 31, 2018

Juniper EX v6 RA and loopback filter

Hi all

I seem to be having a strange issue with some EX's and their loopback firewall that I can't seem to figure out.

I have a EX4600 virtual chassis and multiple EX4300 virtual chassis which are connected to the EX4600's.

I have some VLAN's that have their layer 3 handled by the EX4600's. The EX4300's are only layer 2 for those networks - they do not have any irb interface in them at all.

For the VLAN's in question, the EX4600's have router advertisements configured. I confirmed they are working (from a capture on the device itself as well as from a server attached). On the EX4300's I have a v6 filter attached to the loopback interface. For testing purposes the firewall simply has one rule - allow all traffic. With the filter attached to the loopback interface no clients connected to the EX4300 see any router advertisements. Solicits also fail - I don't see the counter incrementing on the EX4600's.

I then removed the loopback filter on the EX4300's and router advertisements work as expected. I don't understand why that is - the filter simply has an allow all rule.

Has anyone run into a similar issue?



Virtual Network Tap recommendation

Anyone have hands-on with virtual taps from Ixia, Gigamon or Apcon? Looking for a Virtual Tap that will work on ESXi standalone w/standard switch as well as vcenter w/VDS. Seems Apcon Virtual Tap will only work with vcenter. Would also like the ability to send tap output directly to monitoring tool via ERSPAN. I know this is not optimal, but smaller environments cannot always afford a physical packet broker. Thx!



IPv6 BGP routing with three carriers and OSPFv3 for core routing issues.

If I ping an IPv6 address from a BGP router and it wants to go out a different carrier, it will send it out, but it keeps routing back to the first BGP router. For OSPF on my edge I am using the command ospf originate default always. I do this with IPv4 and do not have any problems. What do I need to do differently with IPv6 so that the OSPF default route does not try to route right back to the original edge router?



Telnet into towel.blinkenlights.nl to watch ASCII Star Wars

towel.blinkenlights.nl



BGP Route with multiple AS_PATH Origins

Hello Redditors,

A request has come to my desk that I find quite odd, but they want it done. Basically I have the prefix 192.168.0.0/24; this prefix is currently being originated by AS 1000 (the company I work for) and propagated via 3 upstreams. The owner of this prefix acquired his own AS (call it 2000), and now wants the origin to be his AS, using us as transit (so the AS_PATH goes 1000 2000). So far nothing odd/weird.

However out of the 3 transits, 1 won't accept our broadcasts unless the origin is our own AS (it's an internal policy they have). So they asked for us to peer with them and broadcast the prefix over all the providers but doing an AS_Overwrite when sending to the third one. All in all the world would see this:

192.168.0.0/24

AS_PATH_1: Provider1 1000 2000

AS_PATH_2: Provider2 1000 2000

AS_PATH_3: Provider3 1000 1000 (we'd prepend as well)

Aside from the length of the AS_PATH, although technically this is doable, have any of you experienced a problem by doing this (if you ever did)? I mean, those prefixes will get out there as long as our upstreams accept these, but I'm afraid of potential issues with this over the internet.



OC3 circuit L1/L2 Protection means?

Hi, I just want to ask if anyone is familiar here with Circuit protection? Is it with cisco devices/module? or for OC3 circuit? Thanks



My Town is fed by a Single Microwave Link Tower. I have questions about the upgrades they're doing and how they're doing it, if anyone knows larger-scale network infrastructures. (Pictures Included)

Lets begin with the basics.

Our Internet is by Shaw (cable Internet through the town) but brought in via microwave link, or as I like to call it, a drum on a tiny tower. Shaw has been oversaturated for almost 3 years now. We are talking about 500ms+ ping with 1/1mbps and less at peak hours. But it's not just the saturation but the random packet loss that really kills things. It stops images from fully downloading, makes downloads go from 1mbps to 10kbps and not climb back up, or even error and stall. Pretty much our entire town is broken Internet-wise.

So Shaw is finally going to resolve this this year. It was supposed to be done in the spring, then summer; now it's fall and they're actually outside doing something.

The plan is to bring a line almost 1km down the road to another tower owned by Bell Canada. Bell used to provide DSL; they still do, for like 5/0.5, but only to existing customers. No one can get this DSL now, and it works flawlessly assuming there is next to no saturation. Shaw is planning on using the Shaw tower, and here at first I thought it was going to be Shaw putting their own microwave link up, but I'm not sure now, honestly...

The Map: https://i.imgur.com/E3GpRiV.png

(Bell is the left side red marker shaw is the right side white marker)

This is the Shaw Tower Site (Right of Map):

https://cdn.discordapp.com/attachments/443593135659024394/477998114041495572/unknown.png

Bell Tower Site (Left of Map):

https://i.imgur.com/3o6DtFh.png

You can see it does not seem that the tower has room for another microwave link?

Today they added some massive, I assume, transformer on Shaw's tower site... Remember, Shaw is not adding a new tower or adding a new microwave link from what we understand, nor does their current tower look like it can support, say, a bigger microwave link. But this transformer looks like a beast. I assume large microwave links do require higher power, but what the heck would they need this for if they don't plan on powering a new microwave link on the site?

https://cdn.discordapp.com/attachments/443593135659024394/485123092499136513/P_20180831_101854_vHDR_Auto.jpg

You can't see it from the picture, but I saw them pour concrete there months ago. There were PCB pipes coming from the ground for a while in the concrete. Honestly, they had cut out 4 grooves on the corners; I had assumed at first they were building a new tower, even though it seems most towers are 3-groove cut...

Here is a older picture without the transformer:

https://cdn.discordapp.com/attachments/443593135659024394/477998457433358336/unknown.png

So on the way from Shaw to Bell, workers were putting in junctions? The plastic sort of containers in the ground. Here is some PCB? sticking out of the ground:

https://i.imgur.com/wxVf5Wq.png

Example of the Plastic Junctions? they are installing between the towers:

https://i.imgur.com/MkOMUGU.png - Workers with one exposed half way between the towers:

https://i.imgur.com/Jp8nwbv.png - At the bell Tower

https://i.imgur.com/jDhIvGh.png - At the end of the road of the bell tower with sticking out PCB

So I'm trying to figure out what their plan is; they refuse to tell people, haha, so I have come to ask the Internet for educated guesses. Honestly, even with 1 more microwave link up and running, it's not going to just fix it that easily. Can these microwave links be upgraded via just more power? That could make a bit of sense for what they're doing at the Shaw site, but besides that, what is the massive transformer-looking thing?



Routes advertised from VPNv4 Peer Metric.

Hi,

I have BGP VPNv4 peer routers; the 1st is the Edge RTR and the 2nd the Route Reflector.

TOPOLOGY: CUSTOMER ====(multiple path)====RR-----------EDGE RTR

We are using an IGP underneath. Now, I receive routes from the Route Reflector and install them into the Edge RTR's VRF, but when I look at the BGP table, the metric is changed to the IGP metric. BGP inherited the IGP metric.

EGDE RTR#sh bgp vpnv4 unicast vrf test 10.22.23.0/24
Paths: (2 available, best #1, table test)
  Not advertised to any peer
  (65 64 651) 655 650 354 1, imported path from xxxx:10.122.203.0/24
    13.21.22.7 (metric 65) from 3.3.3.11 (3.3.3.11)   <<<--------
      Origin IGP, metric 0, localpref 100, valid, confed-internal, best
      Extended Community: xxxxxx
      mpls labels in/out nolabel/2408
  (65 64 651) 655 1 1 1, imported path from xxxxxxx
    13.16.4.11 (metric 70) from 3.3.3.11 (3.3.3.11)   <<<-------- I want to prefer this route
      Origin IGP, metric 0, localpref 100, valid, confed-internal
      Extended Community: xxxxxxx
      mpls labels in/out nolabel/10066

What is the best solution for this? It would be better if the changes are made on the EDGE RTR.

Thanks



I passed network+ 006 today (expiration day) with a 729, AMA


Cisco 5520 WLC CIMC and SP Port Confusion

I've been researching and looking into deployment guides, but I still cannot find out what the recommended use of the CIMC or SP port is. Should the CIMC be used for out of band management or the SP port? Is there a certain way that each port should be configured?



Is there any reliable place to sell a CAT6A Bundle?

I work as an assistant in my work's IT department when I'm not running one of their print presses. They cleaned out their storage closet and they let me take a bundle of Superior Essex Cat 6A Plenum Cable that was shipped to them by mistake. The shipping company would not take it back, and the production manager did not want us to hold on to it.

My question is: other than just listing it on Craigslist or eBay, is there any reliable place that would buy this sort of thing? Would it be wise to ask a local business? I apologize if this isn't the appropriate subreddit to ask this kind of question, but I'm not sure where else to inquire about this.



Ipv6 problem

Today I opened my browser (Vivaldi) and it can't load any website. I tried changing the IPv4 DNS preferred server to 8.8.8.8 and the alternate to 8.8.4.4 and then connecting to google.com, but still no response; it keeps loading forever. Then I tried the same thing with Google Chrome and still the same result. After that I opened cmd as an administrator and typed ipconfig /all; it shows Media State: Media disconnected. Then I reset IPv6, flushed the DNS, disabled the IP Helper service, and it's still the same. This is happening on my Windows 7 PC, but all my Wi-Fi connected devices are working properly. Please help.



Regarding leaving current position early for another position within the company.

I have networking experience, currently I have an IT job but it's not networking. I haven't been here very long.

I'm on an enterprise team and I deploy computers, the company is always encouraging us if there are better positions to apply.

So I was curious and decided to look, and I found a job posting for the network team but it's a NOC role.

I guess what I'm asking is, do you think it would look bad to apply for this position?

How do you think the network team would look at it?

Is it a bad move to leave my current position for a position I want, which would be networking? Should I just do my year and then hope for another opportunity later in the future?



Aruba 3810M switch will not give directly connected Mitel Phones IP Addresses

I have one location where I am replacing several Cisco switches with several HP devices. I have one Layer 3 device that is an HP/Aruba 3810M and three Layer 2 devices that are HP/Aruba 2530-24Gs. These switches are in a hub and spoke configuration and all of the 2530s are directly downstream of the 3810. Our Mitel phones that are connected to the downstream 2530s are pulling IP addresses and functioning properly, meaning that I can make and receive any internal or external phone calls. On the 3810, however, the Mitel phones are failing to receive an IP address. I found this reply on a different web forum:

If your switch supports vlans, and can be configured with a tagged and untagged vlan on an interface, it should be compatible with most or all IP Phones.

Typically, the phone will either be configured manually to use the voice vlan, or will receive (initially on the data vlan) an option from DHCP that will let it know what vlan it should start tagging things with. Once it starts tagging things with the voice vlan, the switch only needs to support vlan tagging.

One gotcha that I've found with Aruba switches is that by default when you enable LLDP the lldp tlv "network_policy" will be enabled. With that TLV enabled, and a "voice" vlan configured, a lot of phones will ignore what they get from DHCP in favor of what they get from there. That works fine, if you have configured it to hand out what they need, but if you prefer to use dhcp, make sure and use "no lldp config <port-range> medTlvEnable network_policy" (assuming that doesn't interfere with anything else)

but I am uncertain if this is my issue. I know LLDP to some degree is enabled by default on HP switches, but I have not enabled anything beyond the default. I am not able to test this out immediately, but I am hoping for a little more feedback first, anyway. Other things I have considered are adding an IP Helper address, but if that were the problem, I would think the downstream Layer 2 switches would exhibit the problem as well.

Any help is greatly appreciated.



QOS Question

Hi Guys,

I would like to ask: if on the PE we are just matching the default value and on the CE they're using Gold and Default, do you think this will affect or degrade the assigned bandwidth?

Topology: R1 -----Local Looop----- R2

Issue: R2 can't reach the assigned bandwidth of 1.5M; on the graph it's stuck at 1.2, which makes me think the local loop provider limits the incoming traffic from R1 to R2 (and vice versa)?

Do you think below QOS affect the BW?

###### R1 #########

    Class-map: class-default (match-any)
      498442231 packets, 285894640418 bytes
      30 second offered rate 70000 bps, drop rate 0000 bps
      Match: any
      police:
          cir 1500000 bps, bc 46875 bytes
        conformed 498442231 packets, 285894640418 bytes; actions:
          set-mpls-exp-imposition-transmit 5
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 70000 bps, exceeded 0000 bps

###### R2 #########

    #sh policy-map int gi0/0
     GigabitEthernet0/0

      Service-policy output: G0/0_OUT

        Class-map: class-default (match-any)
          1393735 packets, 483608471 bytes
          30 second offered rate 171000 bps, drop rate 0000 bps
          Match: any
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/158/0
          (pkts output/bytes output) 1428782/534908617
          shape (average) cir 1500000, bc 6000, be 6000
          target shape rate 1500000

          Service-policy : G0/0_CHILD_OUT

            Class-map: GOLD (match-any)
              230899 packets, 45327523 bytes
              30 second offered rate 12000 bps, drop rate 0000 bps
              Match: ip precedence 5
                0 packets, 0 bytes
                30 second rate 0 bps
              Match: ip dscp ef (46)
                0 packets, 0 bytes
                30 second rate 0 bps
              Match: dscp ef (46)
                0 packets, 0 bytes
                30 second rate 0 bps
              Match: access-group name ACL_Class_2A_AF11
                143066 packets, 19484082 bytes
                30 second rate 5000 bps
              Match: access-group name ACL_Class_2A_AF12
                68838 packets, 21418191 bytes
                30 second rate 7000 bps
              Match: access-group name ACL_Class_2A_AF13
                17550 packets, 4004811 bytes
                30 second rate 0 bps
              Match: access-group name ACL_Class_2B_AF21
                1445 packets, 420439 bytes
                30 second rate 0 bps
              Match: access-group name ACL_Class_2B_AF23
                0 packets, 0 bytes
                30 second rate 0 bps
              police:
                  cir 1500000 bps, bc 46875 bytes
                conformed 230876 packets, 45292701 bytes; actions:
                  set-prec-transmit 5
                exceeded 23 packets, 34822 bytes; actions:
                  drop
                conformed 12000 bps, exceeded 0000 bps

            Class-map: class-default (match-any)
              1162836 packets, 438280948 bytes
              30 second offered rate 158000 bps, drop rate 0000 bps
              Match: any
              Queueing
              queue limit 64 packets
              (queue depth/total drops/no-buffer drops/flowdrops) 0/158/0/0
              (pkts output/bytes output) 1428782/534908617
              Fair-queue: per-flow queue limit 16 packets
              Exp-weight-constant: 9 (1/512)
              Mean queue depth: 0 packets
              class  Transmitted         Random drop   Tail/Flow drop  Minimum  Maximum  Mark
                     pkts/bytes          pkts/bytes    pkts/bytes      thresh   thresh   prob
              0      1196087/489420957   47/14330      108/5832        20       40       1/10
              1      0/0                 0/0           0/0             22       40       1/10
              2      0/0                 0/0           0/0             24       40       1/10
              3      0/0                 0/0           0/0             26       40       1/10
              4      0/0                 0/0           0/0             28       40       1/10
              5      230873/45292447     0/0           3/254           30       40       1/10
              6      1822/195213         0/0           0/0             32       40       1/10
              7      0/0                 0/0           0/0             34       40       1/10

Thank you



Has anyone used Peplink products? Pros and cons vs other brands?

Anyone have any opinion on Peplink products and how these products fare in terms of quality and pricing vs other products?



strategy for as needed wall jacks?

So we have new management that doesn't like that we are wasting money by having all ports wired up. It makes closets beautiful and easy to manage as each patch panel matches a switch perfectly.

Has anyone developed a scheme to connect as needed ports without making a mess?



Pre-owned Catalyst 4506 questions

Hello /r/networking, I have stumbled upon this pre-owned machine at my local computer store (see pictures). I am a noob who recently started an online course in networking on Udemy and I wanted to know what it is. The store owner has no idea what it is or what it's worth, he said he got it with some bulk purchase.

From what I have found online it seems to be a managed switch called Cisco Catalyst 4506, within the 4500 series. There is no End-of-Sale date announced on the Cisco website, so I assume this machine should be up to date. There are a lot of different options within the 4500 series and I have no idea what this machine is worth. I tried looking on Ebay but prices vary so much that this information does not provide accuracy. Just one power supply alone could be worth $400.

I hope this community can help me figure out:

  • Does this machine use CatOS (as Wikipedia suggests) or Cisco IOS (as the Cisco webpage suggests)?
  • Why does this machine not have RJ-45 ports (aside from the 'entry') and what are these kind of ports called?
  • What is this machine worth? Should I buy it if the shop owner offers me a good deal, or is this machine too old?

Thanks so much,

a noob



Wireless Point to Point solutions ~1km

Well, reddit, I fucked up and I could use your help. I run the network at a fairly affluent private college. There is a field on campus where they frequently pitch tents for events, parties, etc. They want wifi there. I looked at point-to-point bridges and found the ever-popular Ubiquiti AirFiber system. We also thought it would be good to get one to experiment with wireless backhaul in case of fiber cuts, DR, redundancy, etc. The price was good, so I bought an Airfiber 5 kit with two units. I didn't look at the size. Holy crap, this thing is 3ft tall and 35 lbs. Mounting is going to be a nightmare. Plus, we'll be shooting to the middle of the field to a cart and people will see this massive antenna array and start to wonder how much cancer they're going to get from it. Plus, with how they worry about building aesthetics here, I wonder if they would even let me hang this off a building at all. I have enough problems with my little outdoor WAPs. I wonder if I should just return it.

So I may need a different solution or to argue that this is the only one feasible. Requirements are here:

  • Will connect a half mile away at at least 150 MB/s throughput.
  • Small, discreet antenna. I think I can get away with something the size of an Aruba outdoor AP because I have before. Those are about dinner plate size.
  • PoE powered.
  • Directional antenna. If it is point-to-point I want to minimize the broadcast area. This will send a private vlan that only connects AP's to the controller, nothing else, so it won't be useful to anything else.
  • No 2.4GHz. I don't trust it. Too much noise, and I don't want to make more.

Any thoughts? Should I look into using Aruba gear with a Yagi or dish antenna? Thanks in advance.



Unable to route with an IP in AWS

we are hosting a php forum in AWS EC2... we have a public ip of 52.xx.xx.xx

it works outside our network but not internally...

we have a Windows server 2016 DC with DNS pointing to the correct IP...

also we have an entry in Cloudflare for external users.

when I try to access in our network via IP I get a 403 forbidden

but here is the kicker that I don't understand... when I go to C:\Windows\System32\drivers\etc\hosts

and put my 53.xx.xx.xx forums.mysite.com

it then works internally... why?

what should I change or look at? I am lost



Urgent VLAN Question from a new IT guy

Hello! I've inherited the IT throne of my small business and have been learning quickly but am unclear on several things. Right now I just need to set up 2 Wi-Fi networks, one for guests and one for administration, segregated by VLANs. I have a router that supports VLANs, and I understand the purpose of VLANs and tagging, but their implementation mystifies me. I want to daisy chain a few wireless APs together and have them broadcast 2 SSIDs, one for each VLAN, as shown here : https://imgur.com/a/7w9pDZz . It seems simple but I haven't found anything useful online. Does anyone have a hint?



Help with Oversize packets

Hi guys, just looking to see if I am on the right track here.

I have 16 blade servers running a 1GB network on some Dell PCM6348's

Before Wednesday night, all my servers had no VLAN tagging. On the switches I configured each port manually to tag them on VLAN 100 as this was the only VLAN we used.

On Wednesday I configured more VLANs for blades 12-16, these were set on the server so I have a Virtual Switch with a VLAN of 100 and another Virtual Switch with a VLAN of 106. I didn't see any issues and things seemed to work.

Cue Thursday morning, I come in to work and all hell is breaking loose. We have 2 applications that are crashing left and right and users are complaining it's taking ages to save files to the network compared to normal.

I moved all the data to different blades I hadn't changed and it all started to work normally again now. Looking into it, under the port statistics for blades 12-16 I am getting millions of "Oversize Packets". Upon further reading I believe this is because the MTU is set to the default of 1518 and the VLAN tag adds 4 bytes making it 1522 which is too large.

Does this sound right? Do I need to just globally up my MTU packets to 1522 and then change it at the port level also?

Maybe I'm on the completely wrong path, however any help would be greatly appreciated! I am not really a network guy as we only have a couple of switches.



Cisco EEM Scripting Help

I've been trying to see if EEM scripting could be used for dynamic port configurations for Access Points.

Fortunately, a script that configures a port based on CDP add event works great. Now I'm attempting to implement a script that resets a port configuration to "standard" if the AP is removed. However I'm running into a fun little issue.

When APs are installing new code (or for other reasons I'm not aware of) the AP's CDP relationship gets wonky. The AP of course could reboot (which registers as a CDP delete) and the port is put back as standard. Then CDP add hits the port and the switch should be configured back to the AP config. But somewhere along the way, the add/delete process gets kind of messed up and I end up with an AP with a non-AP port config.

Here's the script in question

event manager applet port-reset authorization bypass
 description "Reset configuration of port when AP is removed"
 event neighbor-discovery interface regexp <regex for port range> cdp delete
 action 1 cli "commands for configuring the port"

My thoughts are I need to make the script wait for a number of minutes, then check the port CDP a second time (after the initial CDP event) to validate whether there's an AP on the port. Of course if an AP is detected, exit the script with no action, but if there isn't a CDP entry, change the port configuration.

Does anyone know if this is possible in EEM?



Small Enterprise Network Design Questions

Hi all,

I'm hoping to get some help and feedback on how to best design (redesign?) my enterprise's network. I'm not aware of all the technologies available in our field - some I'm aware of but don't know well enough to be designing an enterprise network. I'm a recent college grad with my CCNA. I started recently at this organization and the network design seems off. Don't get me wrong, it's been working this way for years but I think we can do better. Where I struggle is wrapping my head around what to do in an attempt to fix it. I'll do my best to explain the current state and end goals clearly. Any thoughts/comments/feedback/suggestions/etc are much appreciated.

Current state:

  • Static routing everywhere with the exception being if a branch office ISP goes down, the VPN goes down and appropriate devices remove that VPN route out of its routing table
  • Full mesh, site to site VPN (primary)
  • Hub and spoke VPN (backup)
  • Two ISPs in branch offices
  • Here's a diagram of the current state: https://imgur.com/zQfxvbo It's not pretty but it gets the job done for now. I put some small firewall symbols on some routers because we use our firewalls for routers in some places

IP Addressing Scheme:

  • All /24
  • .0 - .69 located in HQ
  • .128 - .133 located in Colo
  • .135 - .136 located in Colo
  • .138 - .139 located in Colo
  • .151 - .153 located in Colo
  • Anything >= .70 excluding mentioned colo subnets are branch offices

Notes:

  • Site to Site VPN was implemented 5 years ago by current Sr. Net Eng specifically for VoIP traffic. This improved VoIP quality immensely according to him
  • No CoS or QoS used
  • DMZ/PCI at HQ and Colo
  • Currently working on BGP for HQ. Two routers with VRRP and iBGP between them, eBGP with the two ISPs, then a FHRP - the "usual" BGP setup
  • HQ services ALL DNS/DHCP requests
  • HQ is where 98% of resources live
  • Also working on separating sensitive/Datacenter subnets from the rest of the enterprise. We'd likely do this with a new core for routing, then connect said core to the current switch fabric and implement ECMP routing
  • Here's a diagram of some initial thoughts on topology changes to accommodate for all the things I'm asking about in this post: https://imgur.com/tKLrPtN
  • Currently use Fortinet firewalls. They're almost 5 years old now so in the near future we'll be evaluating a different solution

End Goals:

  • Have a logically laid out IP addressing scheme (I don't think our current scheme is that great)
  • Interested in dynamic routing but not sure how to implement, specifically because of branch offices
  • Implement North-South firewalling
  • Branch offices need to have seamless failover (if primary ISP fails, backup connections kicks in and routes properly)

Questions:

  • What's the best way to implement a dynamic routing protocol, whether it's OSPF, iBGP, etc in the enterprise?
  • Is there a need for a full mesh and hub and spoke if SD WAN is implemented properly?
  • How would SD WAN be implemented properly?
  • To achieve logical, simple routing, we may need to re-IP some subnets?
  • Where is the best place to terminate the MetroEthernet?
  • Is the network not as bad as I think it is? Should we keep doing what we're doing with only minor changes?

I'm sure I've forgotten things that would help you all respond but hoping that questions will come up and I'll be able to edit the post to include more info. What I really want to get out of this post is to understand how dynamic routing can work in our environment. I mentioned all the other stuff just to make everyone aware of some other initiatives. In the end, it all needs to work together - which is where I'm struggling. Thanks for any help - it's much appreciated.

Edit 00: Oh my gosh this formatting is horrendous. I apologize, trying to fix it currently.

Edit 01: I SUCK at Reddit formatting. Also adding IP addressing - I forgot to put it in and realized it'd be helpful for some of the questions I have.

Edit 02: I figured out that there is a new way to format on Reddit. It looks somewhat acceptable now. Sorry about that.



New ISP link gradually getting faster?

I am seeing some pretty odd behavior on a new internet link and was wondering if other people have seen something similar in the past. Topology: 2x Juniper MX routers, one internet peer each (Charter 2 Gbps, ATT 500 Mbps). We have local pref in place to push all outbound traffic that isn't destined for ATT networks to go over the Charter link. We have 4 prepends in place on the ATT peer link so incoming traffic should prefer the Charter link. Both MXs are iBGP peers. The Charter link just went live a few days ago. Day One: 13/200 Mbps when doing a basic speedtest via speedtest.net. Day Two: 35/400 Mbps. Day Three: 213/836 Mbps. On day one we thought it might have been a bad cable or a faulty optic, but that didn't seem to change anything. The DL speed I could maybe guess as other AS routing tables slowly updating to prefer the Charter path, but I would have expected upload traffic to have immediately preferred the Charter link. Any ideas as to what we might be seeing?



False Linux ping command results

I'm sorry if this is not the right subreddit to post this question but I couldn't think of a better place.

I have a Python script that pings an array of IPv4 addresses. It uses the Linux ping command to do so. This script is called by a cronjob on a fixed interval. It usually works, but every now and then the script falsely reports that a host is unreachable when I know for a fact that it's not. I also have a Node.js script that does the same and it has the same problem. I've tried running the scripts on different machines in different countries and the problem still persists.

When the script fails to ping a particular host, it retries 2 times, for a total of 3 attempts. If the 3rd attempt fails then it reports that the host cannot be reached.

At first the scripts pinged 5 hosts asynchronously at a time but I've tried lowering that number down to 1.

The two ping commands I've tried are "ping -c 5 <ip_address>" and "ping -A -n -c 4 -w 2 <ip_address>".

I've run out of ideas. Does anyone have any suggestions as to what the problem could be? I'm desperate.
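As an added example (not the poster's script), here is a Python reachability check that decides from ping's own statistics line rather than from its exit status. The iputils ping man page documents that when a count (-c) and a deadline (-w) are both given, ping exits 1 if fewer than count replies arrive before the deadline, so the second command above reports failure on a host that answered three of four probes in a busy two-second window; a cron job that only inspects the exit code then raises a false "unreachable". The sample outputs, the 192.0.2.x hosts and the runner hook used to exercise the logic offline are constructed for this example.

```python
"""Reachability check that reads ping's statistics line instead of trusting
its exit status.  Added example; not the poster's script.  The runner hook,
the sample outputs and the 192.0.2.x hosts are constructed for the example."""
import re
import subprocess
import time
from typing import Callable, Tuple

# iputils (and BSD) ping print a summary such as
#   4 packets transmitted, 3 received, 25% packet loss, time 3004ms
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")

# Constructed sample output: one of four probes lost.  With "-c 4 -w 2" ping
# would exit 1 here even though the host clearly answered.
SAMPLE_PARTIAL_LOSS = """PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=64 time=0.421 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=64 time=0.398 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=64 time=0.402 ms

--- 192.0.2.10 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.398/0.407/0.421/0.010 ms
"""

# Constructed sample output: nothing came back at all.
SAMPLE_NO_REPLY = """PING 192.0.2.11 (192.0.2.11) 56(84) bytes of data.

--- 192.0.2.11 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3077ms
"""


def parse_ping_summary(output: str) -> Tuple[int, int]:
    """Return (transmitted, received) from ping's output; (0, 0) if no summary line."""
    m = SUMMARY_RE.search(output)
    if not m:
        return (0, 0)
    return (int(m.group(1)), int(m.group(2)))


def replies_seen(output: str) -> bool:
    """True if at least one echo reply arrived, whatever ping's exit status was."""
    return parse_ping_summary(output)[1] > 0


def run_ping(host: str, count: int = 4, timeout_s: int = 15) -> Tuple[int, str]:
    """Run the Linux ping binary.  No -w deadline, so the count alone bounds the
    run; the subprocess timeout is the safety net.  Returns (exit_code, stdout)."""
    proc = subprocess.run(["ping", "-n", "-c", str(count), host],
                          capture_output=True, text=True, timeout=timeout_s)
    return proc.returncode, proc.stdout


def host_reachable(host: str, attempts: int = 3, backoff_s: float = 2.0,
                   runner: Callable[[str], Tuple[int, str]] = run_ping) -> bool:
    """Retry with a growing pause between attempts; the host counts as reachable
    as soon as any attempt shows a reply.  'runner' is a hypothetical hook so the
    decision logic can be exercised without sending packets."""
    for attempt in range(attempts):
        _code, out = runner(host)
        if replies_seen(out):
            return True
        if attempt < attempts - 1:
            time.sleep(backoff_s * (attempt + 1))
    return False


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(parse_ping_summary(SAMPLE_PARTIAL_LOSS), replies_seen(SAMPLE_PARTIAL_LOSS))
    print(parse_ping_summary(SAMPLE_NO_REPLY), replies_seen(SAMPLE_NO_REPLY))
```

The design choice is to separate "did anything answer" from "did every probe answer": the first is the liveness question a cron check should ask, the second is a loss metric worth logging but not worth paging on. Keeping the attempts spaced out (rather than firing the retries back to back) also gives a transient queue or rate limiter time to clear before the host is declared down.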



3850-48XS with 4x10G Breakout Cable

I've got the all SFP 3850-48XS running IOS-XE 16.3.6.

In my application I wish to use one of these, a Cisco compatible QSFP-4X10G-AOCxM breakout cable:

https://www.fs.com/products/30907.html

The QSFP end will go in an available QSFP port in the 3850 and uplink to various access switches.

So, I have the cable and the 3850 recognizes the cable successfully:

Fo1/1/3 notconnect 1 full 10G QSFP H40G AOCxM SFP

I plugged the SFP+ port labeled #1 into a 2960X and it too successfully recognized the transceiver.

The problem I'm having is configuring the 3850-48XS to use the 10G breakout interfaces TenG1/1/1 - 1/1/16

I tried issuing the following command:

hw-module breakout module 1 port X switch 1

While the switch took this command it didn't seem to make a difference.

I still only see the native TenG ports (1/0/1 - 1/0/48) and the FortyGig ports when checking interface status.

I also see the following error after issuing the "hw-module" command:

*Aug 31 12:16:31.908: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Fo1/1/3 removed
*Aug 31 12:16:34.604: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Fo1/1/3
*Aug 31 12:16:34.606: %PLATFORM_PM-6-DIFFERENT_MODULE_INSERTED: Warning: SFP module inserted in to the interface Fo1/1/3 differs from the previously inserted one. The port's speed configuration will be set to the default.

Does anyone know what the trick is to making this cable work in this switch?



Proposal/agreement and Designated-Discarding (RSTP)

Can anyone tell me, according to the standard, should all the Designated non-edge ports on a bridge go into sync (Discarding) when an Alternate port goes up? An explanation would be appreciated, too.

I've been trying to understand the standard, but I just can't comprehend it.



Thursday, August 30, 2018

MDS Switching

For anyone that configures MDS switches what was your primary source for learning the cli? Cisco documentation? A book? Thanks.



Sales emails via ARIN contact info?

I just got a sales email asking if I was in charge of ASXXXXX and if I was interested in using XXX service. First time for me. Anyone else get these?



When to use a layer 2 ACL vs a layer 3 ACL?

My main question is what circumstances would one use a MAC ACL vs an IP ACL?

A few immediate thoughts:

-Just like an IP ACL, in L2 I need a source and destination MAC to filter over, and my immediate thought is 'how would I ever know what undesirable destination MACs are?'

-There will be a MAC address for every NIC on a device, so potentially my storage space for an ACL file is greatly reduced, and similarly the work required to make one is increased as compared to a single IP range that doesn't care about every NIC associated to that IP.

-Otherwise why would I ever want a L3 ACL, for security reasons? Since it is harder to spoof a MAC address. Understood I could potentially use both but if I had to pick one or the other, what would I be losing out on?

Separate question: Why can't I have an ACL that applies between several layers, for example why can't I make a rule that denies a certain IP range to a certain MAC address?



Routing is yesterday switching is tomorrow

Tech giants such as Google and Facebook demand so much traffic that they build their own undersea cables. These cables essentially connect their data center switches. Nexus 9000 and QFX are the most important products of their respective vendors.

Innovations are happening in the data center - virtualization, cloud, bhah bhah bhah as a service etc. Even VXLAN and EVPN are gearing towards supporting a switched network platform.

That's why someone has come up with the title of the post. Is this the case?



Cisco Prime monitoring Switches DELL

I want to know if I can monitor my Dell switches using MIBs as a custom device or using SNMP v2.

Found this guide

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/117707-config-ngwc-00.html#anc4

But I have read that even using open standards, sometimes Cisco Prime couldn't recognise the device.

Any experience with Dell switches?



Building new OPNsense router - just remembered my ASA is too slow

So I just remembered that my ASA 5506-X caps at 500Mb and Spectrum is installing my 940x35 on Saturday, which will make my Plex streaming WAY better than the current 200x10 allows. Of course, I'd love to get this up before Saturday morning, but there won't be enough time, so I can at least take my time and plan it out without worrying about a deadline.

I'm planning on using a spare R210ii with a Pentium G850, 20GB RAM and a spare 256GB SSD (overkill, I know, but it's spare and sitting in storage). I'm planning on installing OPNsense, but I've never used it before. I have a background in Cisco and VMWare, so I don't think it's going to confuse me too much. Is the G850 strong enough? The clock speed is far above the "Recommended" requirements, but those requirements also only state "multi-core CPU" and don't say if dual core is good or if a quad core is better.

My L3 core switch just routes everything up to my ASA now, and I haven't found any threads detailing any actual problems with OPNsense, but coming from ASA-land are there any terminology "gotchas" that I need to keep in mind when I'm setting it up?



Using LAGs between switches with multiple LANs

Greetings Internet brain. Pardon the ignorance, but I need some advice from someone who understands this stuff better than I do - breaking this stuff down in layman's terms would be helpful to me.

I am trying to recreate a network with several managed switches that use multiple VLANs. I need VLAN 1 on Switch 1 to communicate with VLAN 1 on Switch 2 and VLAN 2 on Switch 1 to communicate with VLAN 2 on Switch 2 and so on. I have the impression that connecting VLAN 1 and VLAN 2 between the two switches will not work because of a network loop and that my best option is to use a LAG. I can tell my predecessor used a LAG for this purpose because Switch 1 is still configured from the previous time this network was created, however I don't have a proper understanding of how a LAG works or how to configure one.

I assume LAG Port 1 on Switch 1 (1-1) connects to LAG Port 1 on Switch 2 (2-1) and 1-2 to 2-2. I can tell from the existing configuration that 1-1 and 1-2 were both on VLAN 3. Does that mean 2-1 and 2-2 need to be on VLAN 3? If so, how does VLAN 1 and 2 travel between the switches? I feel like I'm not fully understanding the concept of a LAG. Do I need to assign VLANs to the LAG (if so, how?)? Does it matter which VLAN the LAG ports are assigned to? A lesser concern is making sure that only VLAN 3 can access the switches.

Switch 1 is Netgear GS2728TPP and Switch 2 is Netgear GS108T. I'd love to learn more about the concepts behind making this work beyond just finding a solution.

Thank you so much. I hope there's someone out there who's enthusiastic about sharing this knowledge.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts

Feel free to submit your blog post and as well a nice description to this thread.



Junos IPSEC Tunnel to Azure & TCP-MSS

I am configuring a Juniper SRX 300 Series to establish an IPSEC tunnel to Azure.

The Azure Vnet range is 192.168.10.0/23

The local range is 10.49.236.0/24.

The configuration: (relevant bits with sensitive parts replaced with $PART)

security {
    ike {
        proposal ike-proposal-azure {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ike-policy-azure {
            mode main;
            proposals ike-proposal-azure;
            pre-shared-key ascii-text "$PSK";
        }
        gateway ike-gate-azure {
            ike-policy ike-policy-azure;
            address $AZUREGWPUBLICIP;
            external-interface ge-0/0/0.0;
            version v2-only;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 10;
            threshold 10;
        }
        proposal ipsec-proposal-azure {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 27000;
        }
        policy ipsec-policy-azure {
            proposals ipsec-proposal-azure;
        }
        vpn ipsec-vpn-azure {
            bind-interface st0.0;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway ike-gate-azure;
                ipsec-policy ipsec-policy-azure;
            }
            establish-tunnels immediately;
        }
    }
    flow {
        tcp-mss {
            all-tcp {
                mss 1350;
            }
            ipsec-vpn {
                mss 1350;
            }
        }
    }
}

There are also security rules/policies to allow traffic to/from the VPN and a route for 192.168.10.0/23 pointing to st0.0.

The Problem:

PS C:\windows\system32> ping -l 1500 192.168.10.20

Pinging 192.168.10.20 with 1500 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.10.20:
    Packets: Sent = 4 Received = 0, Lost = 4 (100% loss),
Control-C
PS C:\windows\system32> ping -l 1400 192.168.10.20

Pinging 192.168.10.20 with 1400 bytes of data:
Reply from 192.168.10.20: bytes=1400 time=8ms TTL=127
Reply from 192.168.10.20: bytes=1400 time=7ms TTL=127

Ping statistics for 192.168.10.20:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 7ms, Maximum = 8ms, Average = 7ms

SMB traffic to Azure hosts is also affected.

When running Wireshark on the Azure host I see a bunch of fragments and fragment reassembly time exceeded.

https://i.imgur.com/3c2c6uE.png
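The flow tcp-mss stanza in the configuration above clamps only TCP, so it has no effect on the ICMP tests, and "ping -l 1500" on Windows sends 1500 bytes of data inside a 1528-byte IPv4 packet, which already exceeds a 1500-byte Ethernet MTU before any tunnel overhead is added. As an added example (not part of the poster's configuration or of Juniper's documentation), the following Python calculator applies the RFC 4303 ESP tunnel-mode framing to the sizes in this post, using the 3des-cbc and hmac-sha1-96 parameters from the ipsec proposal; the NAT-T and AES/SHA-256 variants in the comments and usage note are assumptions about other deployments, not something on the page.

```python
"""ESP tunnel-mode size calculator (RFC 4303 framing).  Added example; not part
of the poster's configuration.  Defaults follow the post's ipsec proposal:
3des-cbc (8-byte block and IV) with hmac-sha1-96 (12-byte ICV)."""

IPV4_HDR = 20
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
ICMP_HDR = 8
TCP_IPV4_HDRS = 40  # minimal IPv4 + TCP headers, the part an MSS value excludes
NAT_T_UDP = 8       # add to outer_hdr when ESP is UDP-encapsulated (NAT traversal)


def esp_tunnel_size(inner_len, block=8, iv_len=8, icv_len=12, outer_hdr=IPV4_HDR):
    """Bytes on the wire for one inner IPv4 packet of inner_len bytes.
    The payload plus the 2-byte trailer is padded up to the cipher block size."""
    padded = ((inner_len + ESP_TRAILER + block - 1) // block) * block
    return outer_hdr + ESP_HDR + iv_len + padded + icv_len


def fits(inner_len, outer_mtu=1500, **kw):
    """True if the encapsulated packet crosses an outer_mtu link unfragmented."""
    return esp_tunnel_size(inner_len, **kw) <= outer_mtu


def max_inner_len(outer_mtu=1500, **kw):
    """Largest inner packet that still fits; esp_tunnel_size is monotonic, so a
    downward scan from the MTU is enough."""
    n = outer_mtu
    while n > 0 and not fits(n, outer_mtu, **kw):
        n -= 1
    return n


def windows_ping_inner_len(payload):
    """IPv4 packet size for 'ping -l <payload>': IP (20) + ICMP (8) + data."""
    return IPV4_HDR + ICMP_HDR + payload


def tcp_inner_len_for_mss(mss):
    """Largest TCP segment a clamped MSS allows, as an inner IPv4 packet."""
    return mss + TCP_IPV4_HDRS


if __name__ == "__main__":
    probes = [("ping -l 1400", windows_ping_inner_len(1400)),
              ("ping -l 1500", windows_ping_inner_len(1500)),
              ("TCP under mss 1350", tcp_inner_len_for_mss(1350))]
    for label, n in probes:
        print(f"{label}: inner {n} -> outer {esp_tunnel_size(n)} bytes, "
              f"{'fits' if fits(n) else 'exceeds'} a 1500-byte outer MTU")
    print("largest inner packet for a 1500-byte outer MTU:", max_inner_len())
```

Run as a script it shows the 1400-byte ping (1428-byte inner packet) encapsulating to 1480 bytes and fitting, TCP under the 1350 MSS clamp encapsulating to 1440 bytes, and the largest inner packet that fits a 1500-byte outer MTU being 1446 bytes. The 1528-byte packet from "ping -l 1500" is fragmented by the sending host before it reaches the SRX, and its 1500-byte first fragment encapsulates to 1552 bytes, so it cannot cross a 1500-byte outer link without being fragmented again, which matches the fragment reassembly failures seen in the capture. For a proposal using aes-256-cbc with hmac-sha-256-128 the same functions apply with block=16, iv_len=16, icv_len=16.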



Hey guys need some help with isolating IP addresses(noob)

I recently got a business internet with 5 static IP addresses, from my knowledge the only way to isolate the static IP address is to buy a switcher (don't know which kind, managed/unmanaged) and from there I need 5 routers to connect to the switcher so each router gives off a different IP through the configuration.

This is the end goal of what I am trying to do: 5 routers giving 5 different IPs. If there is another way can someone explain it to me? Did I get this right or am I in the wrong here? Some help would be appreciated.

Edit: IP addresses are attained online through their software they said by assigning mac addresses to different ports or routers not sure. I need to make a call again and record it.



48 Port Access Switch with POE with Fan PSU to IO

I've been searching for 4 access 48 port switches with POE with fans PSU to IO.

I've checked with Dell but they say they don't have any with PSU to IO.

I'm waiting for Cisco's response but they're taking longer than usual.

Any idea?



What is the difference between a BVI interface and a bundle-Ether interface?



The vFlow v0.6.5 has been released!

https://github.com/VerizonDigital/vflow

High-performance, scalable and reliable IPFIX, sFlow and Netflow collector (written in pure Golang).

Features

  • IPFIX RFC7011 collector
  • sFlow v5 raw header / counters collector
  • Netflow v9 collector
  • Decoding sFlow raw header L2/L3/L4
  • Produce to Apache Kafka, NSQ, NATS
  • Replicate IPFIX to 3rd party collector
  • Supports IPv4 and IPv6
  • Monitoring with InfluxDB and OpenTSDB backend

https://github.com/VerizonDigital/vflow/releases/download/v0.6.5/vflow-0.6.5-x86_64.deb

https://github.com/VerizonDigital/vflow/releases/download/v0.6.5/vflow-0.6.5-x86_64.rpm



Anyone use GTT Communication for fiber?

Anyone use GTT Communication for fiber? We are looking to switch from Comcast to GTT for a 500mb circuit in San Jose. I've heard some good things and some bad things.



HP qinq enable and qinq transparent-vlan vlan-id questions

Hello,

I have some questions about Q-in-Q in HP switches

In the following config

int gig 1/0/5
 description# NNI_XXX
 port link-type trunk
 port trunk permit vlan 1404 1406 1413 3879
 qinq enable
 qinq transparent-vlan 3879

So what is the difference between vlan 3879 and the other vlans

I mean in Cisco when you are doing Q-in-Q you have an S-tag (VLAN in access mode and "switchport mode dot1q-tunnel" on the edge interface), but in this case I have several VLANs and am doing Q-in-Q? How is that working?

I read a lot in HP forums but it is still unclear for me...



Paloalto Auth Profile

We want people to be able to sign into captive portal with user@domain.com or just user. We've tried all sorts of combinations with the modifiers and domain, but haven't had it work both ways. We've had it work with one setup where it let them log in both ways, but would only see the user's AD groups if they signed in as user@domain.com. When they signed in as just user, it let them in but didn't see their AD groups. Anyone here have this working this way? LDAP



Unable to access Juniper Jweb from fxp0, but can on ge-0/0/0?

I'm new to Juniper and trying to configure J-Web access on a vSRX.

I've enabled fxp0 and assigned it an IP and enabled HTTP web-management. The IP is on the same subnet as the rest of the IPs on my network. (No security zone assignment as that is not possible on fxp0.)

I tried to load the J-Web page via Internet Explorer but it won't come up.

When I tried to assign the IP address to interface ge-0/0/0 and put that interface in the trust zone and assigned it the web management IP, I can successfully load the Internet Explorer page.

Why won't fxp0 load J-Web but ge-0/0/0 will?



Cisco 819 seemingly blocking random services

I have a Cisco 819 with a Verizon SIM card in it and have it set up to be transparent to hand off to a Meraki network. We seem to have a connection to the site and I am able to VPN in but some web pages are not working, and external services, like Slack and socket comms, seem to be not working.

For instance, I can go to bing.com and search and that works, but can't go to some URLs like yahoo.com. I am able to ping yahoo.com, get DNS resolution, and then I tried to use that IP and the site still times out. Doesn't appear to be a DNS issue. Wondering if anyone here can help me out and check over my config to see if maybe it's something in here doing it? The only thing that changed at this site was moving over to this box instead of using a USB stick modem in the MX.

Thanks

Current configuration : 8936 bytes
!
! Last configuration change at 17:54:40 UTC Thu Aug 30 2018 by admin
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
ethernet lmi ce
!
crypto pki trustpoint TP-self-signed-1840704989
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1840704989
 revocation-check none
 rsakeypair TP-self-signed-1840704989
!
!
crypto pki certificate chain TP-self-signed-1840704989
 certificate self-signed 01
  #####
  quit
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.10.10.1
 lease 0 2
!
!
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
parameter-map type inspect global
 max-incomplete low 18000
 max-incomplete high 20000
 nbar-classify
!
!
!
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!
!
!
!
license udi pid C819HG-LTE-MNA-K9 sn FTX2137Z05V
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
 any
!
object-group network Others_src_net
 any
!
object-group service Others_svc
 ip
!
object-group network Web_dst_net
 any
!
object-group network Web_src_net
 any
!
object-group service Web_svc
 ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
 any
!
object-group network vpn_remote_subnets
 any
!
username admin privilege 15 secret 5 password
!
redundancy
 notification-timer 120000
!
!
!
!
!
controller Cellular 0
 lte sim data-profile 1 attach-profile 1 slot 0
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
no cdp run
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
 match protocol msnmsgr
 match protocol ymsgr
class-map type inspect match-any Others_app
 match protocol https
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol sip
 match protocol ftp
 match protocol dns
 match protocol icmp
class-map type inspect match-any Web_app
 match protocol http
class-map type inspect match-all Others
 match class-map Others_app
 match access-group name Others_acl
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
 class type inspect Web
  inspect
 class type inspect Others
  inspect
 class type inspect INTERNAL_DOMAIN_FILTER
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
!
!
!
!
!
!
!
!
!
!
!
interface Loopback1
 description ### always-on interface ###
 ip address 1.2.3.9 255.255.255.255
 ip nat inside
 ip virtual-reassembly in
!
interface Cellular0
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 load-interval 30
 dialer in-band
 dialer idle-timeout 0
 dialer string lte
 dialer string ltescript
 dialer watch-group 1
 async mode interactive
!
interface Cellular1
 no ip address
 encapsulation slip
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 description $ETH_LAN$
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static 10.0.0.2 interface Cellular0
ip route 0.0.0.0 0.0.0.0 Cellular0
!
ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended Others_acl
 permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
 permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
!
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
access-list 23 permit 10.10.10.0 0.0.0.127
access-list 23 permit 10.0.0.0 0.0.0.255
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
 login local
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line 3
 script dialer lte
 no exec
 rxspeed 100000000
 txspeed 50000000
line 8
 no exec
 rxspeed 100000000
 txspeed 50000000
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
!
!
!
!
!
end



Update on Cybrary Customer Service Issue (I Was Wrong)

Okay, admitting you are wrong on the internet feels lousy but it is the right thing to do even if this doesn't get a lot of views. I posted about Cybrary having "predatory" business practices when it came to cancellation of their Insider Pro Program. I admit this was a pretty big exaggeration fueled by frustration more than anything else. The practices were not predatory but rather that they were unclear.

I received this email today from Trevor, the president of Cybrary:

I regularly review the conversations occurring between our customer success team and our customers and wanted to send along my apologies for the interaction with the team.

As you alluded to in the conversation, we do like to speak with our customers who are deciding to cancel as it is very helpful feedback to improving the product experience. We have received many insights from customers we were completely blind to; and those have led to significant improvements to the platform. Chatting with us to cancel should not be a laborious process for the customer and I have since sat with them to review the process and ensure it is much more customer-friendly.

Again, I apologize for the poor experience and hope Cybrary continues to be a valuable resource to developing your career in the industry, even if that exists in a non-paying capacity.

Please feel free to reach out to me at any time with any additional questions or concerns.

After reading this it is pretty clear that the way I interpreted the initial conversation I had was off and I was a bit quick to jump to conclusions. It's nice seeing the president of a company give such great attention to a customer service issue and stay on the front lines as well. That earns my respect.

It also appears that whatever miscommunication happened probably won't happen again. Please don't discredit Cybrary because of my misleading previous post. Thank you.



Is it possible to damage switch by connecting non-poe device to passive poe port?

I accidentally connected an old X200 laptop to a passive 24V PoE-enabled port on a 16-port UniFi switch for ~1 minute. The laptop's NIC is probably fried; I didn't check it yet, but I was unable to connect it to the network. My question is whether I could have damaged the switch too.



Higher learning Question

I'm a sysadmin but wanted to brush up on my switching and routing skills. We're an HP shop and I can't get my head around properly VLANing and routing with the switches. The location my employer provides for classes is New Horizons. Does anyone have any recommended classes to take? They mainly offer Cisco, and the commands don't seem that far off. Either that, or any good book suggestions?



LAN Switching Issue

Hello,

I am facing an issue where a few of my Dell switches and one Adtran switch are losing management connectivity. The management IP stops pinging and only a reboot revives it. However, the strange part is that the switches continue to work and pass traffic; it just appears to be the management IP on the switch. I am going to update firmware later this week to see if that fixes it.

I find it odd that it's multiple switches, though, and different vendors. It used to be just the old Adtran switch, but now it's spread to the Dell switches. I thought maybe it would be a duplicate IP on the network being detected, but I have not looked into that yet.

Any thoughts or suggestions, or do you need more information?



How can I make a vlan ACL on a ProCurve 3500?

Hi all, it's been many moons since my Cisco classes and I haven't had to deal with router configs in a bit...

Our core ProCurve 3500 is an L3 switch that routes all production traffic out to the internet, as well as between VLANs. It knows of 3 VLANs (VLAN 10, 20, 30). I am wanting to add a guest wireless network that will go out a separate connection (it will leave via a Comcast modem, not through this L3 device and our primary broadband).

I'm thinking I need to add something like VLAN 222 (random number) to all necessary switches (and tag the uplinks) as well as this core 3500. I'd set the gateway of VLAN 222 to point to the Comcast router.

But what do I need to enter to deny ALL traffic on VLAN 222 to VLANs 10, 20, 30, as well as vice versa? I want this guest VLAN to be completely separate technically from the production network.

I know that an out of band wiring scheme would be best, but due to the complexity of my building, that may be more labor and $ than allowed.
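One way to enforce the isolation on the 3500 itself, as an added example that is not part of the post above: two ProCurve extended ACLs applied as inbound VLAN ACLs, one on the guest VLAN and one on each production VLAN. The addressing (10.0.10.0/24, 10.0.20.0/24, 10.0.30.0/24 for VLANs 10/20/30 and 10.0.222.0/24 for VLAN 222) is assumed; substitute the real subnets.

```text
; Added example, not from the post. Subnets below are assumed placeholders.
; Inbound on VLAN 222: guests may reach anything except the production subnets.
ip access-list extended "GUEST-OUT"
   deny ip 10.0.222.0 0.0.0.255 10.0.10.0 0.0.0.255
   deny ip 10.0.222.0 0.0.0.255 10.0.20.0 0.0.0.255
   deny ip 10.0.222.0 0.0.0.255 10.0.30.0 0.0.0.255
   permit ip any any
   exit
; Inbound on VLANs 10/20/30: production hosts may reach anything except the guest subnet.
; ProCurve ACLs end in an implicit deny, so the explicit permit is required.
ip access-list extended "PROD-TO-GUEST"
   deny ip any 10.0.222.0 0.0.0.255
   permit ip any any
   exit
vlan 222
   ip access-group "GUEST-OUT" in
   exit
vlan 10
   ip access-group "PROD-TO-GUEST" in
   exit
vlan 20
   ip access-group "PROD-TO-GUEST" in
   exit
vlan 30
   ip access-group "PROD-TO-GUEST" in
   exit
write memory
```

If the 3500 carries no IP address on VLAN 222 (the guest gateway being the Comcast router), there is no L3 path between 222 and 10/20/30 on this switch to begin with, and the ACLs only guard against someone later adding an SVI here or a route on the Comcast side; confirm with show ip and show access-list vlan 222. These ACLs filter IPv4 only, so if IPv6 routing is ever enabled on the switch the same rules need a separate ipv6 access-list.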



Dell N series Switches CLI vs GUI

I was checking the settings in the CLI and I don't see the settings for the stack ports, but when I use show switch stack-ports, it shows the stack ports. I checked in the GUI and the ports are set to stack ports. Isn't it supposed to have some lines about the stack ports?



redundant links between stack, layer 2 loops

So I have a 3750G stack pair acting as core, with 4 stack pairs of 3750-48PS as aggregate stack pairs. Can I run two layer 2 trunk links between each switch of the core stack and the agg stacks?

So my setup will look like:

Core stack SW 1 Gig1/0/1 <- Layer 2 trunk -> Agg stack SW 1 Gig1/0/1

Core stack SW 2 Gig2/0/1 <- Layer 2 trunk -> Agg stack SW 2 Gig2/0/1

Will this setup cause layer 2 issues? Thanks.
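Added example, not from the post: rather than leaving the two trunks as separate links (where spanning tree blocks one of them), bundle them into a cross-stack EtherChannel on the core stack and mirror it on each agg stack with its own member ports. Port numbers follow the post; LACP active mode is used because cross-stack bundles on 3750 stacks are supported with LACP and "on" mode.

```text
! Added example, not from the post. Configure on the core stack; repeat on
! each agg stack with its own Gi1/0/1 and Gi2/0/1 as members.
interface Port-channel1
 description Trunk to agg stack (cross-stack LACP bundle)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 description Member of Po1 (stack member 1)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet2/0/1
 description Member of Po1 (stack member 2)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
```

Both links then forward, and losing a stack member or one fibre degrades the bundle to one member instead of triggering an STP reconvergence. Verify with show etherchannel summary (Po1 should show SU with both ports flagged P) and show spanning-tree interface port-channel 1. Keep spanning tree enabled on the port-channel: it remains the safety net if someone later patches a third link outside the bundle. Member ports must have identical switchport configuration or they will be suspended from the bundle.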



Seeking advice on Cisco IOS update

Hello, today I got a couple of switches and now I'm looking to update them, but I got confused.

From SW1 i got: System image file is "flash:/c3750-advipservicesk9-mz.122-46.SE/c3750-advipservicesk9-mz.122-46.SE.bin"

From SW2 i got: System image file is "flash:/c3750-advipservicesk9-mz.122-46.SE/c3750-advipservicesk9-mz.122-46.SE.bin"

But on the Cisco site there is no "Advanced IP Services" version under the latest firmware. Am I missing something?



Noob Query about Fibre to Ethernet media converter.

Needing to convert fibre to Ethernet (well, forced to for various reasons). I've been given one of these TP-Link boxes by the cabling guys as standard and am wondering exactly whether there are any caveats/gotchas I need to be wary of.

https://www.tp-link.com/us/products/details/cat-43_MC100CM.html

I'm assuming these things have no logic at all and it's just a straight what-comes-in-goes-out-the-other-end. Specifically in terms of VLANs, but I assume in general it's just what comes in goes out the other end?



Hi guys (Noob query ports)

Hi guys, I've been working as a DC engineer for the past year and am currently doing my CCNA with aspirations to go into a 3rd line networking position, just to give a bit of context.

Are there common ports to unblock to allow network functionality that are always part of your procedure when configuring an ASA/firewall? I'm trying to get good habits in now in the sims before real-world application.

Much Appreciated and Thanks for the help.



How do people QoS/throttling guest wireless?

I'm having trouble finding the best way to QoS/throttle our public wireless. We're a school district in a hub and spoke topology and are Cisco based for switching/routing and Fortinet for wireless. Each site has a Catalyst 3850 core stack that feeds back to our central 9410R core at the primary site. We pipe our outbound traffic through a bridged content filter (for CIPA compliance) into an edge 3850 switch with an ASA 5525X sitting between outbound and inbound VLANs on it.

I've wasted countless hours trying to get the QoS rules on my Fortinet wireless controllers to work and have given up at this point (don't buy Fortinet wireless, the OS is a dumpster fire.) Now I have to decide where I want to try to police my connection: on my switches or ASA. Each site has its own subnet and our guest wireless is always on 10.XXX.224.0/19. I'm thinking about throttling guest connections down to 10mbps max. My gut is to do it on our ASA but I don't know how to achieve it since I'm not super well versed with ASA service policies.
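An added example of policing the guest range on the ASA with a class-map/policy-map, not part of the post above. It assumes one site's guest block is 10.0.224.0/19 (the post's 10.XXX.224.0/19 with a placeholder second octet) and that guest traffic reaches the ASA on the interface named inside.

```text
! Added example, not from the post. 10.0.224.0/19 and the interface name "inside"
! are placeholders; add one class per site if each site's /19 needs its own cap.
access-list GUEST-TRAFFIC extended permit ip 10.0.224.0 255.255.224.0 any
access-list GUEST-TRAFFIC extended permit ip any 10.0.224.0 255.255.224.0
!
class-map GUEST-CLASS
 match access-list GUEST-TRAFFIC
!
policy-map GUEST-POLICY
 class GUEST-CLASS
  ! 10 Mbps conform rate, 187500-byte burst, in each direction on this interface
  police input 10000000 187500
  police output 10000000 187500
!
! police is only honoured in an interface service policy, not the global one
service-policy GUEST-POLICY interface inside
```

Two caveats a practitioner needs before relying on this. First, the policer caps the traffic matching the class on that interface as an aggregate: this is a 10 Mbps ceiling for everything in 10.0.224.0/19 at once, per direction, not a per-client limit, so per-user caps still have to come from the wireless side. Second, an interface accepts exactly one service-policy; if inside already has one, add GUEST-CLASS to that existing policy-map instead of attaching a second policy. Check the result with show service-policy interface inside police, which reports conformed and exceeded byte counts per direction.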



skipping Internet providers

Does anyone know if it's possible to skip internet providers and somehow connect to the Internet directly? I have a feeling that it's possible but probably pricey and complicated, right?



Nat on asa

NAT on ASA is not my strongest suit. I have an ASA 5510. If I want to allow a whole bunch of public IPs from different ranges to a single inside host, I would need an inbound ACL and NAT, correct? If I have, let's say, 10 IPs to allow, would I need 10 NAT statements? Also, these would be restricted inbound to particular port numbers.
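An added example of the one-NAT-plus-one-ACL pattern, not part of the post above, in ASA 8.3+ object NAT syntax: a single static NAT publishes the inside host, and the inbound ACL carries the list of allowed public sources and ports. Every address, object name and port here is a placeholder. On pre-8.3 code the same thing is written with static (inside,outside) and an ACL that references the public address rather than the real one.

```text
! Added example, not from the post; ASA 8.3+ syntax; all addresses are placeholders.
! One static NAT for the inside host ...
object network SRV-INSIDE
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
!
! ... and one object-group listing every allowed public source. Adding an
! eleventh partner means one more line here, not another NAT statement.
object-group network PARTNER-SRC
 network-object host 198.51.100.5
 network-object host 198.51.100.6
 network-object 192.0.2.64 255.255.255.240
!
object-group service PARTNER-PORTS tcp
 port-object eq 443
 port-object eq 8443
!
! Post-8.3 ACLs match on the real (inside) address, not the public one.
access-list OUTSIDE-IN extended permit tcp object-group PARTNER-SRC object SRV-INSIDE object-group PARTNER-PORTS
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

If the host should only ever be reachable on those ports, prefer per-port static PAT (nat (inside,outside) static 203.0.113.10 service tcp 443 443, one line per port) over the 1:1 static, so that nothing else is translated even if the ACL is loosened later. Verify with packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443, which should end in ALLOW and show the NAT phase, and repeat from an address outside PARTNER-SRC, which should end in DROP at the ACL phase.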



Let say your network is segmented

If your network is segmented and you notice the main DHCP server for your building is on the native VLAN, can this cause broadcast issues at specific times of day?



Assign VPN Pool From ISE

I have a 2130 Firepower box, and I have 3 local IP pools (staff, student, admin) for AnyConnect. When a user authenticates, I want the ISE server to determine the name of the local pool to be used, depending on the AD group of the user. This then sends a RADIUS message to the ASA with instructions on what pool of IP addresses the client should be allocated an IP address from, based on the pool name (determined by ISE).

The ISE server is set up to get this working already, just with ASAs. The RADIUS attribute in ISE is set to "Radius-Cisco VPN 3000/ASA/PIX7.x" to get it working. An example of what I'm talking about is shown in a forum post by another user below, from when ACS was the main product before ISE.

https://community.cisco.com/t5/policy-and-access/question-how-to-assign-vpn-ip-to-vpn-client-user-using-acs-5-4/td-p/2227147

However, how do I configure the Firepower side for this, and is this RADIUS attribute still the same one I need to configure on the ISE server for the Firepower boxes to work?



Strange issue

Hello fellow engineers,

I have a strange issue. We manage a Cisco 6807-XL that for some reason has stopped forwarding traffic to specific destinations from specific sources. If I do a trace from the router directly, I can reach the destination, and from some sources further downstream I can get to the destination as well, but from others I can't.

Analysing the CEF table with "exact-route", I can see there are entries for the working source/dest and also the non-working source/dest, but the latter doesn't work; it just seems to drop the traffic.

Just wondering if any of you have encountered a similar issue before?

Cheers,



Wednesday, August 29, 2018

DarkTrace together with Firepower?

Hello networking,

I'm going to a meeting today where Darktrace will tell us more about their product. My customer today is running Firepower. Will it even make sense to run both products? Is Darktrace a product any of you guys have experience with? What is it like?

/Have a great day at work :).



Cisco Meraki Increase Throughput on new MX Products

Satisfying customers with growing demands for more cloud applications, mobile devices and the latest types of connectivity is the main goal of the new Cisco Meraki MX and Z branch-office security devices.

Cisco Meraki's MX family supports everything from SD-WAN and Wi-Fi features to next-generation firewall and intrusion prevention in a single package.

According to the Cisco Meraki blog, they announced brand new additions to their MX and Z products. The MX family adds six new models to the highly successful [..]



Learning other technologies/trends while studying towards a goal(CCIE)

As many of you probably already know, studying for a certification such as the CCIE is no joke when it comes to time management. It's not uncommon to see people putting 20-30 hours' worth of study time a week towards the cert. I'm soon heading down this track as well, since I want a deep understanding of how all the core network protocols work and also to obtain that number. That being said, I realize networking isn't just routing and switching anymore. There are a lot of other technologies that have become, or are becoming, a requirement for a network engineer to know in order to stay competitive in this field, such as AWS, NGFW, load balancers, Python, and SDN.

My question is, how do you learn all these other technologies while also studying for a difficult goal such as the CCIE? Should I put those other things on pause? Or should I stop studying for my CCIE and learn those other technologies first? Maybe I should try learning them all at once?



Good Router with bandwidth quota Control

Hi, I'm looking for a good router for a small office with bandwidth quota control for each device or MAC address (like 10 GB per month per device). Any suggestions?



Director of IT applauded after ransomware encryption. Wuh?

My small company (250 employees) was recently taken down by ransomware that encrypted all our mission critical data. I’m down the hierarchy but know that we’ve been completely immobilized and they’re bringing in an outside firm to help salvage our business. Our CEO had all employees stand and applaud the Director of IT for all the work being done to fix it. Shouldn’t he be accountable for our lack of data redundancy plan and overall network security?



Synology | WD Gold Drive - Bonded Gigabit vs SFP+?

Hey everyone, I am looking at creating datastores via iSCSI LUNs on my Synology server, which is furnished with five 4TB WD Gold drives that have 128 MB of cache built in.

From what I have read [I think I am correct], these drives have a sustained read/write of 249MBps (https://www.storagereview.com/wd_gold_hdd_review_8tb). With that being said, SHOULD I upgrade my Synology's available PCI-e slot with a 10GbE SFP+ adapter, or would my bonded Cat6 cables suffice?

Given the gigabit speeds being only 128Mbps, I believe I should upgrade to SFP+ (even though it would be overkill, it would place the bottleneck back on the spinning drive instead of my Ethernet). Just asking for confirmation.

Thank you for your help!


Sidenote: I know the bonded 4 ethernet cables will not increase my speed, just allows more concurrent connections without bottlenecking. Just seeing what you guys think.



WLAN and VLAN by department

Hello.

What are the best practices for implementation of a WLAN with VLANs by department, with the same SSID?

I think the only options are multiple WLANs or a RADIUS implementation, both with the same SSID, but I need to confirm.



Question about BPDUs

So, I don't know how to ask this question properly, so I'll kind of just wing it and see what I can get out of y'all.

Why is there a default setting of 6 BPDUs being sent under one hello time interval? Why 6 of them with the same message? I don't understand. Or are they the same message?



SBC for 10k+ calls

Apart from the Sonus 5200s, what other SBCs can I look at which can handle 10k calls and higher?

Moving away from ASRs and need to price up an SBC solution.



Vendor blames DOCSIS

We support a few work from home employees, and a few have DOCSIS 3.1 modems.

All locations are having performance issues, and they decide to blame the 3.1 modems.

Am I correct in that, for the most part, other than things like MTU, it should not matter what protocol?

I understand maybe a specific modem has bad firmware, etc., but an entire spec? That seems like a scapegoat to me.

Thoughts?

Ref

https://emstatuscenter.elliemae.com/

See bottom Right side panel.

"We have been made aware that the new generation of modems being deployed by the Internet Service Provider may be causing freezing and poor usability of Encompass. We have pinpointed an issue with DOCSIS 3.1 protocol. SYMPTOMS OF ISSUE THAT HAVE BEEN IDENTIFIED: The typical behavior being reported is during an active Encompass session, or after an undetermined amount of time of Encompass being left idle, the user finds the application has become unresponsive or frozen and no longer accepts input from the user. Some users may receive a server disconnection message. This results in the user having to close the Encompass application via Windows Task Manager and start a new session. ACTION CUSTOMER NEEDS TO TAKE: If you are experiencing issues relating to this device. Please have your Network IT team contact your Internet Service Provider to report the issue and inquire about reverting the hardware, settings, or possibly the firmware version related to DOCSIS 3.1 protocol back to DOCSIS 3.0. ACTION BEING TAKEN BY ELLIE MAE: It has been determined that this is caused by hardware on the client side, related to DOCSIS 3.1 protocol. As Ellie Mae does not support customer on premise hardware nor do we make recommendations on hardware they have onsite, the customers will need to work directly with their vendor supporting that hardware. As a part of our technical review we have confirmation from multiple clients that swapping the hardware back to their previous setup resolves the issues with Encompass latency and disconnects. We continue to monitor and troubleshoot incoming cases. LINKS/PHONE NUMBERS THAT ARE HELPFUL: Here is the Comcast web-page outlining the new class of xFi hardware in question: https://www.xfinity.com/support/articles/wireless-gateway-compare Please refer to your local ISP."



Cisco ise to authenticate with Microsoft azure mfa

Been trying to get this to work. I'm running Cisco ISE 2.3, which currently authenticates with AD. Boss wants to have MFA working with it. I can't find literature or research of this being done before. The Cisco TAC agent said my configs are OK on the ISE machine. But I still get authentication failure and RADIUS token drops. Any help would be great.



Palo Alto - Mirroring all traffic to external DLP product?

Hi Everyone,

I'm trying to get mirroring to a Symantec DLP product working. So far, I have the SSL decrypt mirror working fine, and the DLP product sees all of the test traffic and flags it as expected. However, the problem I find is that it does not mirror EVERYTHING to the port, just encrypted traffic that has been decrypted by the Palo. It completely misses unencrypted generic HTTP, FTP, etc. traffic because it's not sending it.

What I have done to get around this is to SPAN the outside interface and the decrypt mirror interface of the Palo using a switch, and aggregate that to a single monitor port on the DLP product. But now the DLP sees the encrypted traffic 2x, once encrypted, once decrypted, and it's doubling up the processing time.

I've already engaged PA tech support and product support people, but they say it's not on their radar of features to implement, which I think is pretty stupid, since if someone knew they could send social security numbers, credit card info, etc. over generic HTTP, our DLP product wouldn't catch it unless it was employed with the workaround I did.

Anyone get all traffic mirrored without needing an external switch? I've heard talks of a L2 V-wire, but that would double up the processing on the Palo itself. Just wondering if there were better alternatives.



Options for site to site VPN

We have two facilities across the country we are needing to setup a site to site VPN between. One site has a 10Gig drop (not sure who supplies it) the other is a 1Gig drop from ATT. Realistically I know that we probably won’t come close to sustaining 1Gbps between the sites since it’s cross country but would like to minimize any bottlenecks if possible.

We currently have a Juniper SRX 300 but that’s only good for 250Mbps over IPsec. We were looking at the SRX1500 which is advertised to do 2Gbps IPSec.

Are there any other options suggestions for hardware that could do this that would be clearly better than these juniper systems?



Advice on what to expect with new router.

Hi all, I'm new to networking so go easy on me! I'm getting a new internet connection which will provide me with 5 static ip's, but AFTER I'd signed the contract they told me that the router they'll supply isn't capable of doing this and will need to be put into modem only mode and attached to another device. I want to run pfsense on a box I've got running proxmox, and if I could do some of the setup in advance that would help. What address would I use for the pfsense wan setup though? Do I use the public IP address, or would it be the new router's gateway address? Sorry if I haven't been clear!



High memory utilization on new FPR-2140 devices

I'm in the process of setting up a pair of new Cisco FPR-2140 boxes. They are running FXOS 2.3(1.111) and ASA 9.9.2.18. However, ASA is not currently set up and in production at this time. This is a new base install with no traffic passing to/from/through it.

I'm seeing on both devices that memory utilization for FXOS is averaging 80-95% at any given time. Each box has 64GB available. Is this normal behavior for these devices? I can't seem to find any sort of documentation that describes the memory allocation and how it may work between the limited FXOS OS and the ASA platform on top. I can do a show proc memory and the stationary ASA is using everything but 1.8 - 2 GB of memory.

I know in Palo Altos, they optimize and use the available memory. Is that the same case here?



Security Object Syncing between Vendors

I wrote a Java application this past week that keeps ASA, FTD, SonicWall, and Fortigate objects in sync with each other.

So for example, let's say each site has outbound rules bound to group objects and service object groups. As long as the firewall rule exists on the above platforms, it keeps the objects synced together. So I can have a group called "whitelisted_destination_addresses", add it to a master location, and it will sync it out regardless of the vendor. It also runs validation to ensure that designated groups have the same object representation. So a rogue Fortigate will notify if a group object is different.

I was wondering if there would be an interest in a show and tell on it.



Creating a Host only Network VM to VM help

So my first VM is a Kali Linux OS; within that VM, I downloaded VirtualBox and created another VM (OWASP_Broken_Web_Apps_VM.ova -> it's a type of web server OS environment which is purposefully vulnerable) ... so I'm trying to create a host-only network between those two.

First off, can a host-only network be created this way? Or do I have to actually create a guest addition in the host Kali Linux VM?

But to continue with the problem...

For the initial host-only network setup, I opened a host-only adapter on the Kali Linux VM and set a static IP of 192.168.56.1, with the mask 255.255.255.0, and I opened a host-only adapter in the OWASP VM and set the static IP to 192.168.56.101 with mask 255.255.255.0.

From the host Kali Linux OS, whenever I ping the OWASP VM, all the packets are shown as being transmitted perfectly, but when I enter the command ifconfig, the eth0 adapter for the Kali Linux OS is not showing any TX packets being sent out; only the loopback adapter's TX packets are going up.

Now from the OWASP VM, whenever I ping the host Kali Linux VM, I get a Destination Host Unreachable, and when I enter the ifconfig command from the OWASP VM, the eth0 TX and the loopback TX packets of the OWASP VM are going up... also, when I enter the ifconfig command on the host Kali Linux VM, I can see the vboxnet0 adapter (which is linked to the OWASP VM) TX packets going up.

So I believe there is some type of connection between the two; I just don't know to what degree and how to fix it so they both can send and receive packets from one another. Thank you.



DO NOT purchase Cybrary's Insider Pro Edition (Predatory Business Practices)

So I decided to try cybrary.it Insider Pro trial to see how their virtual labs and practice exams were and if the $400/6mo price tag was worth it. The webpage at purchase emphasized that you won't be charged until the trial is over, you can cancel at any time, but you do have to provide payment info to get into the trial. Okay, that's pretty typical, let's give this a shot.

I tried out the trial and the VLabs were alright, the practice exams were lackluster though and had a limit of two downloadable offline exams. I would rather pay for the practice exams and get a full product imo, so I decide to cancel within the same day that I got the trial. I sent a request to cancel on their website chat, with the advertisement "usually responds within minutes!"

30 minutes pass... I ping the chat again: "Hello?". Still nothing an hour later. So I email their support line support@cybrary.it with my order ID and request for cancellation.

24 hours later, I get the following emails back and forth (name is spoofed):

Support (Susan):

Hey there,

Would you like to pause your subscription instead to resume at a later date?

In addition, would you mind me asking where you feel the program is falling short of your expectations?

Looking forward to hearing back from you.

Thanks.

Me:

Hi,

No, please cancel the subscription.

I do not think the value of the material provided justifies a $67/mo. price tag paid in full up front.

Thank you,

Support (Susan):

What price point do you think should be charged for our Insider Pro resources? In addition, what other resources do you think should be included to make Insider Pro a more valuable subscription to you?

Me:

$150 - $200 per year would be acceptable. Maybe pushing $250.

Downloadable practice exams (more than 2) need to be included if you are to keep the price as high as it is.

Support (Susan):

What makes downloadable practice exams a better asset than the practice exams that we offer now?

Me:

Hi Susan,

I understand Cybrary wants user input before cancellation, but this should be a voluntary process. Please cancel my subscription.

Thank you,

Then a few minutes later I get a message from the cybrary website because I had been refreshing my customer portal to see if the cancellation went through with Susan saying:

We had processed your request when you first sent it. We had scheduled your account to cancel when your trial is over, which is in 6 days.

I responded:

Thank you. That should be communicated in the initial email requesting feedback.

I mean seriously, what crap is that? Not only are cancellation requests not an automated web service, but the person I interact with takes over 24 hours to respond, doesn't communicate clearly, and avoids my request for cancellation in lieu of asking for user feedback? It's honestly a joke and I am no longer supporting Cybrary. That is a crazy way to run a business, especially when you are asking for a $400 payment.



Budget-friendly disk-based cloud storage

I used to have a dropbox 1TB, and I want to replace it with something like a Synology or QNAP devices where I can create my own cloud. Here's what I want it to do/have:

1- Access it remotely from any computer (upload and download)

2- Preferably a phone app to upload pics and vids directly

3- Share links with others to download files (is this even possible in this case?)

4- I don't care about playing media from it.

5- 2 bays minimum, though I was thinking 4 bays for future proofing.

I came across Synology (418j, 416, ...), QNAP and other brands. I don't want overkill for my needs, which are mainly backup for my data, redundancy, online accessibility and sharing with others without giving them access to the whole drive.

Any recommendation is appreciated. Thank you



Does anyone else ______?

Yes, there's a subreddit for that but it's also a pretty common question in the r/networking realm. When there's an issue, we want to know how many other people have had the same problem. When making a choice about infrastructure, configurations, or application usage, we want to know how many other people are doing the same thing.

We (Nyansa) have access to more data than most, so we made a public dashboard that looks at anonymized data from over 9 million devices on enterprise networks. It's an effort to democratize data for public analysis and commentary.

Charts you would like to see? Metrics that would be interesting? Leave a comment and we'll try to integrate them into the next update.

You can find the dashboard here: https://voyance-live.nyansa.com/