Saturday, October 13, 2018

Why don't we see ISP-level ad blocking, since advertising is a substantial amount of bandwidth?

Surely ISPs would benefit from doing so, especially small ISPs.



Big-IP LTM VE on AWS. Anyone using clone pools to send Bidirectional traffic to IDS instance in same AWS VPC?

r/f5networks is pretty dead and the AWS subreddits are fractured, so I am asking here.

Has anyone tried using clone pools on the LTM VE? I'm looking for an alternative to agent-based packet capture (like Gigamon's vTap). Not interested in flowlogs. Naturally I'm ok with the LTM being in line. IDS resides in a separate Linux instance "X" but same VPC. If my tcpdump on "X" sees full payload in real-time without dropping packets the test is successful. Assume bursts up to 1gbit.



Let's settle the Nexus VPC Routing and OSPF discussion

For the VPC and Routing experts out there. I am doing a DC migration to some Nexus switches. Right now we have a temporary stretched L2 for migration over two pairs of dark fiber running passive DWDM for 8 ports per pair. Once completed we intend to break the L2 VPC/PO and convert over to L3 Links.

We have 4500-X VSS on one side and two Nexus 93180s on the other side. The original plan was to convert the VPC/PO to two L3 links using OSPF on top and let it ECMP. We weren't going to use SVIs, just pure "no switchport" on physical interfaces per switch. We then would bring up HSRP on the Nexus and create two additional regular L3 links between the two Nexus switches that are entirely outside of the VPC VLANs, avoiding VPC blackholing, the TTL issue, and orphan ports.

Now it's come to my attention that the newer releases of NX-OS and the 9Ks now support a command "layer3 peer-router" that allows using VPC for L3. So instead of creating an entirely new set of L3 links everywhere that is separate, I configure a VPC interface as no switchport or use SVIs between the 4500-X and the Nexuses. Now before many people say "why run your L3 over an L2", we have a scenario which I feel is a genuine use case. I hope I don't have to put flame pants on.

Supported Topologies for Routing over VPC

I wanted input from people who have done this, and thoughts from everyone.



Looking for small switches, VLAN capable, POE, programmable with (text) config file

For deployment in a travelling network (think conference, two weeks running), I am looking for small VLAN-capable programmable switches. Currently I am using Cisco SMB type switches (SF302-08, SG300-52), but I need some new ones with POE capability. Currently testing a Netgear GS108PE, which would be fine, but although you can save and restore the config, it is not as text, so presumably not remotely programmable.

Any suggestions for hardware? Someone who knows how to make Netgear switch configs, other than through web interface?



Nexus upgrade wiped config from all fex interfaces

Yeah, so I did some 5548 upgrades today and the config from all the FEX interfaces was blank when they rebooted. Anyone had this before?



Can the Iranian government cut the internet access, completely, from its people?

The Iranian government is scared shitless of the internet. Every mudslime despot is. In 2009 people revolted with the aid of Twitter. They blocked it. The following year it was WeChat. They blocked it. In 2018 it was Telegram. They blocked it... But this time, they failed. See, technology is not kind to mudslimes. Telegram is open-source, and some Telegram clients have built-in proxy. Plus, most people, like me, have VPN, sometimes, with static IPs.

My question is, if they fail to cut off people's access to the more problematic parts of the internet, can they block it completely, after 20 years of infrastructure built around it and everything done with the internet, and more than 70% of people using the internet daily?

Thanks for your answer, and please, if they block it, will the US government do something? Like, free satellite internet?



Cat 6 not working

I'm trying to fix a monitor at a restaurant. The wire that goes into the monitor is Cat 6, but when I wired a new jack, it won't work. I tried wiring the jack for both residential and commercial but it's not working. I think the wiring is different. Can someone check the image and let me know if the old jack is wired differently than standard commercial jack wiring please. https://imgur.com/a/FS4yN8C



New Job - Panic Ensuing

I've been recently offered a new job with a city as network admin. This is my first admin position and I will be "it" as far as the network is involved. My last position was a network technician which is another way of describing help desk w/ added infrastructure responsibilities.

Needless to say, I am panicking and feel like I am going to drown at the new job. I have a decent amount of experience with Cisco networking (which is what they use) in terms of configuring and troubleshooting switches, but not so much with routers, wireless and voice equipment. In terms of firewalls and security appliances, I am relatively new with them, but I understand the basic maintenance and configuration of setting one up as I have done this before.

Would anyone here have some hints/pointers for me as to how city network jobs are in terms of workload, expectations, and the like? I just want to make sure I am not going up to my eyeballs in problems with no way out.



How is DNS over TLS supposed to work? (Using Cloudflare's 1.1.1.1)

I just configured Cloudflare's DNS servers [1.1.1.1 and 1.0.0.1], yet when I type some random URL in the browser I'm still catching unencrypted DNS queries.

On their page, they talk about how important DNS over TLS is, and how simple it is to set up their DNS resolvers, but nothing about how to configure it to use DNS over TLS.

I'm wondering what fundamental part of the equation I'm missing.

ninja edit: tested on all browsers



How does Netbox actually get its information?

Read some docs about NetBox and at some point I didn't understand how this tool gets all the IP and networking information. Like which protocol is used (SNMP, CDP, LLDP) and which configuration on routers/switches is also necessary?

Or am I supposed to fill this tool with information on my own?

Furthermore: do you have experience with NetBox? Is it worth implementing, or are there better IP address management tools?



Networking Troubleshooting Labs that aren't Cisco?

Hey r/networking!

I'm working at a helpdesk job and we somewhat frequently have to troubleshoot connection issues with various vendors, users, vpn tunnels, etc, and I don't have very much in the way of guidance from a more experienced network admin. I spend quite a bit of time doing my due diligence and map everything out, but in a production environment, it doesn't always work out and I tend to get frustrated. I don't have someone that can tell me what small thing I may be missing, so I want to try to buff up myself by doing some networking troubleshooting labs, particularly ones that are not Cisco, because we don't have clients that use them. Nothing against Cisco, I just don't have much exposure.

Can anyone recommend some vendor-neutral networking troubleshooting simulations or labs that I can dig into? Preferably troubleshooting scenarios where you are trying to resolve connection issues using firewall rules, policies, zones, etc.

Thank you!



Can I set the IP address, gateway and subnet mask via ipmitool in one shot?

Can I set the IP address, gateway and subnet mask via ipmitool in one shot? Trying to configure some iDRACs here.



Friday, October 12, 2018

New tech tips?

So I'm a store manager that managed to find his way into being a tech, and my first job is to clean up the networks at my company's various stores. Some sites are 20+ years old, and I'm finding OLD ass stuff, like RJ11 switches that are just left under registers, not going to anything, etc. Mostly I'm just seeking any advice anyone can think of to make things smoother and easier, stuff to save me time, etc. I've learned to tape the levers on ethernet cables whenever I have to run them, etc., and to tape them to cables that are already in awkward spots when I have to run them through somewhere. Using a cable tester to see which cable is which from one part of the store to the other. I've put together a tool belt that includes different colored tape to help follow different cables, i.e. ones that are all blue and going through the same spot in the wall, etc. I'm pinning cables to walls and such to keep them sorted, and using velcro straps to bundle cables that are too long, or ones that need to be grouped together. I'm labeling each end with what connects to what, and I'm making a topology for when I'm done.

That's about what I've got so far.



Basic policy NAT question - ASA 8.2.5(59)

I think this is probably a dumb question. I want an IP to be NATted to one IP when it goes out the internet interface, and another IP when it goes out a different interface. I have two policy NAT access lists like so (made-up IPs):

access-list NAT3 extended permit ip host 172.17.10.10 any

That's for traffic to the internet and it gets NATted to a dedicated public IP.

access-list NAT4 extended permit ip host 172.17.10.10 188.188.188.0 255.255.255.0

That's for the other interface and it gets translated to a different IP.

The NAT3 access list grabs all traffic and shoves it out to the internet as you might expect, so nothing ever goes through the other interface even when IPs match.

Just wondering what's the best way to do this. No lectures about the version please, I know.



Any good way to lab VXLAN + EVPN?

It’s become apparent to me that I don’t have the opportunity to get my hands on VXLAN + EVPN in production. The people I work with aren’t interested in trying it out, even though all our gear supports it. We’re a smaller shop, so there are no spares in stock that I can use to lab it up.

I’ve read about VXLAN/EVPN, I’ve watched videos on it. I understand what it is, why it’s used, and how it works. But I have never configured it, and never gotten to monitor it in an operational capacity. I’m more of a hands-on learner. I need this exposure.

Enterprise gear that can do VXLAN/EVPN would cost a fortune, even bargain bin used stuff most likely. So it seems like buying hardware is out of the question.

But I’ve heard it may not be easy to lab this in a virtual environment. Is there any way to lab this in GNS3? I know GNS3 doesn’t tend to play well with layer 2, and you have to configure stuff all funky to get SVIs.

Maybe something with Linux/VM’s? Any advice would be greatly appreciated!



SRX Cluster - 1G SFP interface UP/DOWN

Hi all,

Looking for some input on what seems like a peculiar issue I am facing with the above.

I have an SRX cluster to which I am trying to add a dual ISP setup using local interfaces, each ISP split across the nodes in the cluster.

I have tested one of the provisioned ISP circuits on a Cisco 7604 using a 1000Base-ZX optic. The service was verified and signed off with the carrier etc. I have since moved the LC tail from the C7604 to the SRX cluster, but the interface refuses to reach the UP/UP state.

The 1000Base-ZX optic is documented at operating on 1550nm, so we employed equivalent optics on the SRX. When the service did not initialise correctly, we got the light measured on the LC tail from the carrier which was confirmed to be on the 1301nm wavelength. So with the appropriate 1310nm optic in the SRX, we re-patched the LC tail, but still the port remains UP/DOWN.

Both optics register in the SRX and we can see the Tx/Rx dBm. I have set and removed the auto-negotiation feature also, but with no change.

I am sure there must be something simple that I am missing but I just can't see it...



iPhone Wifi calling... I can't believe I have to post this.

So, I've been going back and forth with Apple for 2 days about this. I have a company-owned iPhone 6s on Verizon. I was using Wi-Fi calling happily until iOS 12. Wi-Fi calling stopped working immediately after that update. I opted into the beta track, and was up to the most recent 12.1 Beta 3 (public) yesterday. I did a factory restore to go to 12.0.1 (stable). I have a coworker that is on iOS 11; his Wi-Fi calling works fine. We use a Palo Alto 5020 and are on PAN-OS 8.1.3. I'm on a VLAN that isn't being filtered for content, so literally everything goes through. We aren't doing DPI. What's weird is that it works fine for me at home.

For a while, I thought maybe it was something to do with the wireless side, but that seems unlikely: it doesn't work on 2 different models of Aerohive APs, and I tried the Golden and most recent firmware on the newer of those APs. Also tried on a Ubiquiti UAP-AC-HD on the newest firmware. I also tried setting up a WPA2 Personal SSID to rule out anything to do with authentication, since we normally use WPA Enterprise. None of that fixed the issue. The traffic seems to be going through. I feel like this has to be a bug with Palo Alto and/or Apple's iOS. It works fine at home. I've mirrored the port my AP on my desk is on and captured packets, but the guy with the iOS 11 phone is out of the office for the day, so I have nothing to compare to.

Anyone have any ideas?



Brocade/Ruckus ICX 802.1x Wired 15Sec Delay AAA_Accept Msg

Anybody have an idea where this 15 sec delay could originate from (18:51:41 - 18:51:56)?

- the RADIUS accept msg leaves the RADIUS server 14 seconds earlier

- no problem or 15 sec delay with non-ICX switches

Debug: Oct 11 18:51:41 [T:748473649] [EVENTS] (1/1/7) dot1x_add_new_mac_session: new MAC session - original_vlanid 0 - mac session b8ae.ed75.95f9 vlan 10 index 32768

Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) : 802.1X: authenticator state for port 1/1/7: [b8aeed75:95f9] is INITIALIZE

Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) : 802.1X: backend state for port 1/1/7:[b8aeed75,95f9] is INITIALIZE

Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] Tx EAPOL Pkt at DISCONNECTED State of Auth PA ESM with EAP Code: 0x04 (Failure), EAP Id: 0

Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) : 802.1X: authenticator state for port 1/1/7:[b8aeed75,95f9] is DISCONNECTED

Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] Tx EAPOL Pkt at CONNECTING State of Auth PAE SM with EAP Code: 0x01 (Request), EAP Id: 1, EAP Type: 0x01 (Identity)

Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) : 802.1X: authenticator state for port 1/1/7:[b8aeed75,95f9] is CONNECTING

Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) : 802.1X: backend state for port 1/1/7:[b8aeed75,95f9] is IDLE

Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] Tx EAPOL Pkt at CONNECTING State of Auth PAE SM with EAP Code: 0x01 (Request), EAP Id: 1, EAP Type: 0x01 (Identity)

Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) : 802.1X: authenticator state for port 1/1/7:[b8aeed75,95f9] is CONNECTING

Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) : 802.1X: port 1/1/7 Rx EAPOL_START

Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] Tx EAPOL Pkt at CONNECTING State of Auth PAE SM with EAP Code: 0x01 (Request), EAP Id: 1, EAP Type: 0x01 (Identity)

Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) : 802.1X: authenticator state for port 1/1/7:[b8aeed75,95f9] is CONNECTING

Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) : 802.1X: port 1/1/7 Rx EAPOL Pkt with EAP Code: 0x02 (Response), EAP Id: 1, EAP Type: 0x01 (Indentity)

Debug: Oct 11 18:51:41 [T:748473650] [TIMER] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] sets aWhile timer to 0 seconds in the RESPONSE state of backend state machine

Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) GRIDIRON DEBUG: Sending packet to AAA

Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) : 802.1X: backend state for port 1/1/7:[b8aeed75,95f9] is RESPONSE

Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) : 802.1X: authenticator state for port 1/1/7:[b8aeed75,95f9] is AUTHENTICATING

Debug: Oct 11 18:51:41 [T:748473651] [EVENTS] (1/1/7) : 802.1X: port 1/1/7 Rx EAPOL Pkt with EAP Code: 0x02 (Response), EAP Id: 1, EAP Type: 0x01 (Indentity)

Debug: Oct 11 18:51:41 [T:748473651] [EVENTS] (1/1/7) 802.1X: Port 1/1/7 UP

Debug: Oct 11 18:51:41 [T:748473651] [EVENTS] (1/1/7) Port is up

Debug: Oct 11 18:51:41 [T:748473651] [EVENTS] (1/1/7) : 802.1X: Rx AAA_INTERACTIVE for port 1/1/7:b8ae.ed75.95f9 from authentication server

Debug: Oct 11 18:51:41 [T:748473651] [EVENTS] (1/1/7) : 802.1X Pass-through from auth server: port 1/1/7 Rx EAPOL Pkt with EAP Code: 13,Id: 2, len: 6, type : 13

Debug: Oct 11 18:51:41 [T:748473651] [EVENTS] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] Tx EAP-Packet (EAP Req) received from RADIUS Server to Supplicant at REQUEST State of Backend Auth SM with EAP Id: 2

Debug: Oct 11 18:51:41 [T:748473651] [TIMER] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] sets aWhile timer to 30 seconds in the REQUEST state of backend state machine

Debug: Oct 11 18:51:41 [T:748473651] [EVENTS] (1/1/7) : 802.1X: backend state for port 1/1/7:[b8aeed75,95f9] is REQUEST

Debug: Oct 11 18:51:41 [T:748473652] [EVENTS] (1/1/7) : 802.1X Pass-through: port 1/1/7 Rx EAPOL Pkt with EAP Code: 13,Id: 2, len: 184, type : 13

Debug: Oct 11 18:51:41 [T:748473652] [TIMER] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] sets aWhile timer to 0 seconds in the RESPONSE state of backend state machine

Debug: Oct 11 18:51:41 [T:748473652] [EVENTS] (1/1/7) GRIDIRON DEBUG: Sending packet to AAA

Debug: Oct 11 18:51:41 [T:748473652] [EVENTS] (1/1/7) : 802.1X: backend state for port 1/1/7:[b8aeed75,95f9] is RESPONSE

Debug: Oct 11 18:51:41 [T:748473652] [EVENTS] (1/1/7) : 802.1X: Rx AAA_INTERACTIVE for port 1/1/7:b8ae.ed75.95f9 from authentication server

Debug: Oct 11 18:51:41 [T:748473652] [EVENTS] (1/1/7) : 802.1X Pass-through from auth server: port 1/1/7 Rx EAPOL Pkt with EAP Code: 13,Id: 3, len: 1024, type : 13

Debug: Oct 11 18:51:41 [T:748473652] [EVENTS] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] Tx EAP-Packet (EAP Req) received from RADIUS Server to Supplicant at REQUEST State of Backend Auth SM with EAP Id: 3

Debug: Oct 11 18:51:41 [T:748473652] [TIMER] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] sets aWhile timer to 30 seconds in the REQUEST state of backend state machine

Debug: Oct 11 18:51:41 [T:748473652] [EVENTS] (1/1/7) : 802.1X: backend state for port 1/1/7:[b8aeed75,95f9] is REQUEST

Debug: Oct 11 18:51:41 [T:748473653] [EVENTS] (1/1/7) : 802.1X Pass-through: port 1/1/7 Rx EAPOL Pkt with EAP Code: 13,Id: 3, len: 6, type: 13

Debug: Oct 11 18:51:41 [T:748473653] [TIMER] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] sets aWhile timer to 0 seconds in the RESPONSE state of backend state machine

Debug: Oct 11 18:51:41 [T:748473653] [EVENTS] (1/1/7) GRIDIRON DEBUG: Sending packet to AAA

Debug: Oct 11 18:51:41 [T:748473653] [EVENTS] (1/1/7) : 802.1X: backend state for port 1/1/7:[b8aeed75,95f9] is RESPONSE

Debug: Oct 11 18:51:41 [T:748473653] [EVENTS] (1/1/7) : 802.1X: Rx AAA_INTERACTIVE for port 1/1/7:b8ae.ed75.95f9 from authentication server

Debug: Oct 11 18:51:41 [T:748473653] [EVENTS] (1/1/7) : 802.1X Pass-through from auth server: port 1/1/7 Rx EAPOL Pkt with EAP Code: 13,Id: 4, len: 249, type : 13

Debug: Oct 11 18:51:41 [T:748473653] [EVENTS] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] Tx EAP-Packet (EAP Req) received from RADIUS Server to Supplicant at REQUEST State of Backend Auth SM with EAP Id: 4

Debug: Oct 11 18:51:41 [T:748473653] [TIMER] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] sets aWhile timer to 30 seconds in the REQUEST state of backend state machine

Debug: Oct 11 18:51:41 [T:748473653] [EVENTS] (1/1/7) : 802.1X: backend state for port 1/1/7:[b8aeed75,95f9] is REQUEST

Debug: Oct 11 18:51:41 [T:748473653] [EVENTS] (1/1/7) : 802.1X Pass-through: port 1/1/7 Rx EAPOL Pkt with EAP Code: 13,Id: 4, len: 1492, type : 13

Debug: Oct 11 18:51:41 [T:748473653] [TIMER] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] sets aWhile timer to 0 seconds in the RESPONSE state of backend state machine

Debug: Oct 11 18:51:41 [T:748473653] [EVENTS] (1/1/7) GRIDIRON DEBUG: Sending packet to AAA

Debug: Oct 11 18:51:41 [T:748473653] [EVENTS] (1/1/7) : 802.1X: backend state for port 1/1/7:[b8aeed75,95f9] is RESPONSE

Debug: Oct 11 18:51:41 [T:748473653] [EVENTS] (1/1/7) : 802.1X: Rx AAA_INTERACTIVE for port 1/1/7:b8ae.ed75.95f9 from authentication server

Debug: Oct 11 18:51:41 [T:748473653] [EVENTS] (1/1/7) : 802.1X Pass-through from auth server: port 1/1/7 Rx EAPOL Pkt with EAP Code: 13,Id: 5, len: 6, type : 13

Debug: Oct 11 18:51:41 [T:748473653] [EVENTS] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] Tx EAP-Packet (EAP Req) received from RADIUS Server to Supplicant at REQUEST State of Backend Auth SM with EAP Id: 5

Debug: Oct 11 18:51:41 [T:748473653] [TIMER] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] sets aWhile timer to 30 seconds in the REQUEST state of backend state machine

Debug: Oct 11 18:51:41 [T:748473653] [EVENTS] (1/1/7) : 802.1X: backend state for port 1/1/7:[b8aeed75,95f9] is REQUEST

Debug: Oct 11 18:51:41 [T:748473654] [EVENTS] (1/1/7) : 802.1X Pass-through: port 1/1/7 Rx EAPOL Pkt with EAP Code: 13,Id: 5, len: 56, type : 13

Debug: Oct 11 18:51:41 [T:748473654] [TIMER] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] sets aWhile timer to 0 seconds in the RESPONSE state of backend state machine

Debug: Oct 11 18:51:41 [T:748473654] [EVENTS] (1/1/7) GRIDIRON DEBUG: Sending packet to AAA

Debug: Oct 11 18:51:41 [T:748473654] [EVENTS] (1/1/7) : 802.1X: backend state for port 1/1/7:[b8aeed75,95f9] is RESPONSE

Debug: Oct 11 18:51:41 [T:748473654] [EVENTS] (1/1/7) : 802.1X: Rx AAA_INTERACTIVE for port 1/1/7:b8ae.ed75.95f9 from authentication server

Debug: Oct 11 18:51:41 [T:748473654] [EVENTS] (1/1/7) : 802.1X Pass-through from auth server: port 1/1/7 Rx EAPOL Pkt with EAP Code: 13,Id: 6, len: 69, type : 13

Debug: Oct 11 18:51:41 [T:748473654] [EVENTS] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] Tx EAP-Packet (EAP Req) received from RADIUS Server to Supplicant at REQUEST State of Backend Auth SM with EAP Id: 6

Debug: Oct 11 18:51:41 [T:748473654] [TIMER] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] sets aWhile timer to 30 seconds in the REQUEST state of backend state machine

Debug: Oct 11 18:51:41 [T:748473654] [EVENTS] (1/1/7) : 802.1X: backend state for port 1/1/7:[b8aeed75,95f9] is REQUEST

Debug: Oct 11 18:51:41 [T:748473654] [EVENTS] (1/1/7) : 802.1X Pass-through: port 1/1/7 Rx EAPOL Pkt with EAP Code: 13,Id: 6, len: 6, type: 13

Debug: Oct 11 18:51:41 [T:748473654] [TIMER] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] sets aWhile timer to 0 seconds in the RESPONSE state of backend state machine

Debug: Oct 11 18:51:41 [T:748473654] [EVENTS] (1/1/7) GRIDIRON DEBUG: Sending packet to AAA

Debug: Oct 11 18:51:41 [T:748473654] [EVENTS] (1/1/7) : 802.1X: backend state for port 1/1/7:[b8aeed75,95f9] is RESPONSE

Debug: Oct 11 18:51:56 [T:748473804] [EVENTS] (1/1/7) : 802.1X: Rx AAA_ACCEPT for port 1/1/7:b8ae.ed75.95f9 from authentication server

Debug: Oct 11 18:51:56 [T:748473804] [EVENTS] (1/1/7) : 802.1X: port 1/1/7:[b8aeed75,95f9] is passed the info of Tunnel-Type=13; Tunnel_Medium_Type=6

Debug: Oct 11 18:51:56 [T:748473804] [EVENTS] (1/1/7) ; Tunnel_Private_Group_ID=10

Debug: Oct 11 18:51:56 [T:748473804] [EVENTS] (1/1/7) txCannedSuccessDelayed: Enter a4161cc6/1

Debug: Oct 11 18:51:56 [T:748473804] [EVENTS] (1/1/7) txCannedSuccessDelayed: a4161cc6/1 setting timer

Debug: Oct 11 18:51:56 [T:748473804] [EVENTS] (1/1/7) : 802.1X: backend state for port 1/1/7:[b8aeed75,95f9] is SUCCESS

Debug: Oct 11 18:51:56 [T:748473804] [EVENTS] (1/1/7) : 802.1X: authenticator state for port 1/1/7:[b8aeed75,95f9] is AUTHENTICATED

Debug: Oct 11 18:51:56 [T:748473804] [EVENTS] (1/1/7) : 802.1X: backend state for port 1/1/7:[b8aeed75,95f9] is IDLE
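One way to quantify the gap the post describes, as an added example rather than anything from the original post: a small Python parser over the ICX debug lines that pairs each outbound RADIUS request ("Sending packet to AAA") with the next reply the switch logs and reports how long each wait took. The embedded log is a constructed subset of the lines above, and the year is assumed because the switch log omits it.

```python
"""Pair RADIUS requests with replies in Brocade/Ruckus ICX 802.1X debug output.

Added example, not the poster's code. It parses the 'Debug:' lines, tracks the
last 'GRIDIRON DEBUG: Sending packet to AAA' per port, and measures the wait
until the next 'Rx AAA_*' event on that port, so a 15 s stall before
AAA_ACCEPT shows up as a single slow round trip instead of a wall of text.
"""
import re
from datetime import datetime

# Constructed excerpt of the debug lines quoted in the post.
SAMPLE_LOG = """\
Debug: Oct 11 18:51:41 [T:748473649] [EVENTS] (1/1/7) dot1x_add_new_mac_session: new MAC session - original_vlanid 0 - mac session b8ae.ed75.95f9 vlan 10 index 32768
Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) : 802.1X: port 1/1/7 Rx EAPOL_START
Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) GRIDIRON DEBUG: Sending packet to AAA
Debug: Oct 11 18:51:41 [T:748473651] [EVENTS] (1/1/7) : 802.1X: Rx AAA_INTERACTIVE for port 1/1/7:b8ae.ed75.95f9 from authentication server
Debug: Oct 11 18:51:41 [T:748473654] [EVENTS] (1/1/7) GRIDIRON DEBUG: Sending packet to AAA
Debug: Oct 11 18:51:41 [T:748473654] [EVENTS] (1/1/7) : 802.1X: backend state for port 1/1/7:[b8aeed75,95f9] is RESPONSE
Debug: Oct 11 18:51:56 [T:748473804] [EVENTS] (1/1/7) : 802.1X: Rx AAA_ACCEPT for port 1/1/7:b8ae.ed75.95f9 from authentication server
Debug: Oct 11 18:51:56 [T:748473804] [EVENTS] (1/1/7) : 802.1X: authenticator state for port 1/1/7:[b8aeed75,95f9] is AUTHENTICATED
"""

# "Debug: Oct 11 18:51:41 [T:748473650] [EVENTS] (1/1/7) <message>"
LINE_RE = re.compile(
    r"^Debug: (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\[T:(?P<tick>\d+)\] \[(?P<cat>\w+)\] \((?P<port>[\d/]+)\) ?(?P<msg>.*)$"
)


def parse_line(line, year=2018):
    """Return a dict for one debug line, or None if it is not a debug line.
    The year is an assumption: the switch does not log it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "tick": int(m["tick"]), "category": m["cat"],
            "port": m["port"], "msg": m["msg"].strip()}


def parse_log(text, year=2018):
    return [e for e in (parse_line(l, year) for l in text.splitlines()) if e]


def aaa_round_trips(events):
    """Pair each request the switch sends to the RADIUS server with the next
    AAA reply logged on the same port, and record how long the switch waited,
    both in wall-clock seconds and in the switch's own T: counter units."""
    trips = []
    pending = {}  # port -> request event still waiting for a reply
    for ev in events:
        if "Sending packet to AAA" in ev["msg"]:
            pending[ev["port"]] = ev
        elif "Rx AAA_" in ev["msg"] and ev["port"] in pending:
            req = pending.pop(ev["port"])
            reply = ev["msg"].split("Rx ")[1].split()[0]  # AAA_INTERACTIVE, AAA_ACCEPT, ...
            trips.append({"port": ev["port"], "request_at": req["ts"], "reply": reply,
                          "seconds": (ev["ts"] - req["ts"]).total_seconds(),
                          "ticks": ev["tick"] - req["tick"]})
    return trips


def accept_delay(events):
    """Seconds between the last request sent before AAA_ACCEPT and the accept
    itself; None if the log never reaches an accept."""
    for t in aaa_round_trips(events):
        if t["reply"] == "AAA_ACCEPT":
            return t["seconds"]
    return None


def slow_round_trips(events, threshold_s=5.0):
    """Round trips that waited at least threshold_s seconds; the ones worth
    correlating with the RADIUS server's own send timestamps."""
    return [t for t in aaa_round_trips(events) if t["seconds"] >= threshold_s]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for t in aaa_round_trips(evs):
        print(f"{t['port']} {t['request_at']:%H:%M:%S} -> {t['reply']:<16} "
              f"waited {t['seconds']:>5.1f}s ({t['ticks']} ticks)")
    print("delay before accept:", accept_delay(evs), "s")
```

On the post's full log the same pairing yields five near-zero AAA_INTERACTIVE round trips and one 15 s wait before AAA_ACCEPT, which is the gap to compare against the server-side timestamp.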



Some help please!

I had an issue with the flash not loading on a switch. I ended up having to use HyperTerminal to load in a new flash. It seems that the switch is still trying to load the old flash, fails, then tries the new flash. Here is what is happening:

*Mar 1 00:10:53.673: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.

Using driver version 1 for media type 1

Base ethernet MAC Address:

Xmodem file system is available.

The password-recovery mechanism is enabled.

Initializing Flash...

mifs[2]: 0 files, 1 directories

mifs[2]: Total bytes : 3870720

mifs[2]: Bytes used : 1024

mifs[2]: Bytes available : 3869696

mifs[2]: mifs fsck took 0 seconds.

mifs[3]: 5 files, 1 directories

mifs[3]: Total bytes : 27998208

mifs[3]: Bytes used : 20568064

mifs[3]: Bytes available : 7430144

mifs[3]: mifs fsck took 9 seconds.

...done Initializing Flash.

done.

Loading "flash:/c2960-lanlitek9-mz.122-55.SE7/c2960-lanlitek9-mz.122-55.SE7.bin"...flash:/c2960-lanlitek9-mz.122-55.SE7/c2960-lanlitek9-mz.122-55.SE7.bin: no such file or directory

Error loading "flash:/c2960-lanlitek9-mz.122-55.SE7/c2960-lanlitek9-mz.122-55.SE7.bin"

Interrupt within 5 seconds to abort boot process.

Loading "flash:/c2960-lanlitek9-mz.150-2se11.bin"...@@@@@@@@@@@@@@@@@@@@@@@@ [load progress indicator truncated]

File "flash:/c2960-lanlitek9-mz.150-2se11.bin" uncompressed and installed, entry point: 0x3000

executing...

Then load the new flash. What do?



Edgerouter Infinity ER-8-XG loud fan replacement

Hi,

I have recently bought an ER-8-XG, and I must admit, I wasn't hoping that it was going to get loud.

So, I started digging into how I can lower the noise of the 3 fans that are spinning at ~10,000 RPM when the router is not even under load.

I found that someone has already changed the fans on his EdgeRouter PRO 8.

You can find the thread at this link.

So my question remains: can I swap all 3 fans on my ER-8-XG for these lower-noise fans?

I am confused because my fans are spinning at ~10-11k RPM, and those only go up to 2-3k RPM.

Thanks in advance.

EDIT: I have already asked this question on the Ubiquiti forums at this link.



Is there an AP that can be set up to change the key every day (for a retail establishment)?

I have a client that has an urgent care. They want to have Wi-Fi access for their patients in the waiting room (mostly for kids that have tablets without cell data). Right now, the Wi-Fi has a password that is posted in the waiting room. The problem is that right next door is a large apartment complex. I am sure that with a directional antenna the tenants of the apartments could see our network, and then if they visit the waiting room once, bam, they have the Wi-Fi password and are set.

I want to be able to either a) load a list of passwords depending on the day of the year, so the staff can give the correct password for the day, or b) have a screen, an LCD display (run by a Raspberry Pi, Arduino, etc.), that displays the current Wi-Fi password to patients or staff.

Any AP out there that is capable of this? I know someone was doing something similar years ago with a 3rd-party router firmware (Tomato, etc.), but it was more for home use.

Bonus points if the AP can be programmed with the hours of the business and shut down after hours.



How Are You Configuring End User Ports Today?

This is something I’ve been struggling with since I took over at a smallish organization several months ago. All of the end user/device ports are manually configured (roughly 1,000 ports). I’ve read up on auto smart port config, but it seems limited in the ability to profile devices. With the amount of device churn that goes on inside an org, how do you keep up with simple things like VLAN assignments and security for access ports?



Which standards allow for dual band Wi-Fi?

I'm looking for a wireless network adapter and I'm not sure which 802.11 standards allow for both 2.4 GHz and 5 GHz bands with a speed of at least 100 Mb/s. I'm trying to look it up but it's still not clear to me.



SecureCRT + Aruba weirdness

When I console in to an Aruba switch I have to scroll up to get to the login screen. It also scrolls to the very bottom, past the text, when I hit enter. I know there are scrolling options in SecureCRT when you go to session options. Right now the scrolling options are unchecked. When I console in to a different switch (Alcatel) it functions normally. Does anyone know how I can fix this?



IPv6 client behavior in a mixed dual-stack / ipv4 campus environment

I originally posted this in /r/ipv6 :

I have a school campus network with dual-stack IPv6 deployed in a few, but not all, of the buildings, as we're currently doing a pilot.

I'm seeing something on our Wi-Fi when looking at clients (we use Meraki in bridged mode) where clients are showing up in the reports as having IPv6 addresses, despite those addresses having originated somewhere else, when they are on an IPv4-only network segment.

For example, I see clients having mostly addresses from other buildings on our campus, but I am also seeing IP addresses that were likely assigned by home routers, from AT&T, Spectrum, etc.

Is there something I should be doing, at least on our interfaces, to force a lifetime onto our addresses as a best practice?

Here's an example of how a typical SVI is configured: (we use Cisco)

!
interface Vlan136
 ip address 10.155.136.1 255.255.252.0
 ip helper-address 10.xxx.1.6
 ip helper-address 10.xxx.1.66
 ip helper-address 10.xxx.1.25
 ipv6 address 2607:xxxx:yyy:9B88::1/64
 ipv6 nd ra lifetime 300
 ipv6 eigrp 7600
end

I don't believe that clients having an IPv6 address (from the wrong subnet) on an IPv4 network would cause any problems, due to Happy Eyeballs, but our CTO is concerned, and I want to make sure I'm following best practices to ensure that as devices roam about campus, they get new addresses and drop their old ones.

Thanks!



Should I finish getting my Bachelors?

I've been working Desktop support for a little over 3 years, but have been wanting to get into network engineering. I had been unable to get a network engineering job and decided to start a Bachelor's program at WGU (Network Operations and Security) to see if that would help, however, recently a network engineer position opened at my workplace and I am set to be transferred there soon.

I have another year left on my Bachelor's (maybe a bit less if I really accelerate) but I've already done the main courses (CCNA, CCNA sec) and all I have left are a bunch of filler like Sec+, ITIL, etc. Time spent doing these courses is less time spent studying for things at my job. I could do it, but it would take time away from studying relevant things. Additionally, I know that experience + certs tend to matter more than degrees in IT.

Yet, I know that a degree might be something of a tie-breaker for a position if I'm competing with someone with similar qualifications, and if I get it, I get a 5% raise at my current job (though I don't plan on being in this position for any longer than 2 1/2 years). Any advice?

Edited: meant to say experience and certs matter more



2 access ports connected together with different VLANs?

Still fairly new to networking, and I'm just trying to figure something out, but any time I ask people here I basically get "idk that's just how it's always been setup."

So we have switches connected together via access ports, with a different access vlan on each side. So say SW1 g1/1 vlan X connect to SW2 g1/1 vlan Y.

My question is, how exactly do these interact? As data passes from sw1 to sw2, does it change FROM vlan X TO vlan Y? I haven't seen (or tested) ports setup this way.



Where to go from here professionally?

I have been working about 6 years in a small non-profit firm (<100 users). I was hired as a specialist and now I'm a network admin. I basically do everything in this office that is related to tech. However, the past few years COL has been vastly outpacing my raises, and despite being happy here I really have to move on if I want to keep pace. I make about 70K plus great benefits. I don't have any formal tech training or certs. I'm currently working on getting a Network+ cert (higher-ups insisted on it), but most of what I'm learning is completely useless IMO/IME. Most of what I do these days is focused on network monitoring/upgrades/security, including our servers. I have two people under me who do more of the desktop support side that I used to do.

I'm definitely looking to switch jobs the next year to someplace larger where I can learn more and hopefully move up in the next 5 years to a salary/position where I can afford to own a home and maybe have kids, which would require being in the low six figures. For my next job I'm hoping to start at about 10-20% more than my current salary.

I was thinking I should try to focus on a security track to build towards this goal, and move into a professional position that would allow me to work remotely so I could live outside a major urban area.

However I'm not sure what kind of organization I should aim towards? I scored a lot of interviews at colleges/universities in the past, as my background is in academia (I have a masters in a humanities field, and spent most of my 20s pursuing a PhD). I'm kind of tempted to go that way, and maybe get a free masters, but I'm not sure if that would limit me professionally?

I would also disclaim that I'm not 'into' tech. It's not my passion, it's just something I'm good at, but generally outside the office I avoid it at all costs. I don't have a lab, and all my devices are 3+ years old. This is a contrast I notice between myself and other IT professionals I've met over the years. It's definitely caused some small conflicts between myself and my bosses, as they kind of take the 'more is better' approach, where I am a little more focused on keeping costs down and reliability high by avoiding the bells and whistles. (Biggest conflict recently was a push to 10Gig switches... which my workplace does not need, and probably won't for another 10+ years.)

Any opinions or perspective are appreciated. Thanks!



Purchasing a new UPS Backup

Hello all,

We are purchasing a new UPS for the company's network and I am looking for some advice. From the research I have done, it looks like I need to find the volt-amps (Volts x Amps) of each device that will be connected to it. After that I have learned that it is smart to add them all together and multiply that number by 1.2 in order to leave room for growth.

My question to you is, am I supposed to use the AC or DC Voltage in the equation Voltage x amperage? I originally used the AC math and it ended up being a much higher volt amp than I anticipated.

This link is where I received my original advice from https://www.tripplite.com/products/ups-sizing

Any advice would be much appreciated.



Useful data analysis

I am building a piece of software for an A level project, a network activity monitor and analyser.

In theory the sniffer will detect traffic per day and record it in a file. The data from that file will be displayed on a web-page using d3.js and I am planning on using pattern recognition of that data to detect trends and patterns in comparison with each day and week.

The network traffic I will be using is from my school network. Each student has some kind of internet device, and in total there are perhaps roughly 1000 devices connected to the network in use all day, be it students, administration or teachers.

My question is, what is actually useful information to network engineers? I want to use this question to create success criteria. What types of graphs and trends would be especially useful to networking professionals who want to make the network faster, or just monitor it? It wouldn't be a problem if software like this already exists and you find it useful, as this only strengthens my project by comparing it to software that already exists.

Thank you for your help



Dynamic Network Design

Hello Reddit,

I have been tasked with building a multi-level network design, in which devices on the network get assigned addresses based on where they are plugged into the network. Ideally, only the top level of the network will require any sort of configuration.

Level 1 will contain the primary application servers and databases. It will also deal with connecting to outside networks. Let's assume it has an address range of 10.0.0.0/24.

Level 2 will be the second tier of the network. There could be 8 instances of the 2nd level in our design. I am thinking the network here will have an address range of 10.x.0.0/24, where x is equal to the id of the level (1-8). This level will have a few supervisory devices and applications running on it. Devices on this level will be assigned addresses from this level's DHCP server, in the 10.x.0.0/24 subnet.

Level 3 is where most of our devices are. There could be up to 24 instances of this level for every instance of the level 2 network. The address range of devices in this level could follow 10.x.y.0/24, where x is its parent level 2 id and y is the level 3 id. Devices on this level will discover their peer addresses either through multicast networking, or through an app server in this level.

My question is, is this even possible? To have this type of network, where devices in the level 2 and level 3 require no configuration? They only receive their addresses through DHCP? Would IPv6 be a better option to approach this? Can I get some recommendations as to what network devices I would need to accomplish this? We can place switches and routers between each layer as required.



Can't detect MAC address on specific Bridge-domain?

Hi Guys,

I just want to ask, what could be the reason if a specific BD on a trunk EFP can't detect any MAC address?

Scenario:

VLAN10/VLAN20RTR ----- (SWTRUNK) ----- RTRVLAN10/VLAN20

Let's say that the VLAN tagging is correct on both RTRs. For comparison, I can detect MACs on SW BD10, but no MAC is detected on Bridge-domain 20?

Thanks



Learning ELK Stack

We're looking into building an ELK Stack for network monitoring and analytics but we aren't really familiar with the tooling and looking for some education. Can anyone recommend an educational source for these and share your experience with it?

I see a bunch of Udemy courses but I'm not really sure if they're any good or if there is a better resource out there.



Cisco ACLs and dealing with sites with no static IP

I have a question that has been bugging me for a week now. We have a subnet on our core switch that can only access a few specific websites. The teachers want to add more but the sites they want to add are AWS sites that don't have static IP addresses. How do you guys get around sites like this when trying to set up ACLs on Cisco devices?



IOS recommendations and options on 2960X

I have two questions about IOS on 2960X:

  1. Does anyone have a field tested, tried-and-true IOS recommendation for 2960-X? Cisco's documentation seems a bit inconsistent, and the recommended release, as well as most other releases in the download center have a customer rating of 2 or fewer stars.
  2. I've been happy with 15.2(2)E4 or E7, but it seems the switches we buy that come with a later release do not seem to be able to downgrade to this version. Is there a way around this?

Many thanks in advance.



100 Mbps line requirements

Hi, I recently subscribed to a 100 mega network contract. They gave me 30 mega for 1 month with the promise to change it to 100 mega after the month, but I still have 30 mega. I've called them and they said that I have 100 Mbps active. Now I have the small ethernet cable (phone-like) with 8 connectors/wires connected to the modem; it's also wider than the classic one with 2 wires. The cable that comes from outside (that the technician installed) instead has only 2 wires, white and red. Now my question is, are those 2 wires enough for a 100 mega connection, or did I need another type of cable and the technician was wrong?



Cisco firepower - fmc user identity - citrix useres

I've been trying to figure out if this is possible somehow.. - spoiler. I'm not very good at Windows AD related stuff, but do have some backing in the org I'm in.

Has anyone successfully deployed user identity for users using a Citrix desktop? I'm guessing the User Agent won't cut it since that's done via the user and IP address..

I haven't reached out to TAC yet; experience just tells me I'll be spending a few weeks doing that :/



Is there any indicator that shows that a web page is fully loaded?

I am writing a small program to monitor web responses and measure the time it takes for a page to be fully loaded. How do servers tell the browser that a page is fully loaded? Is there a specific http response or something? I am looking for a parameter that I can use to mark the end of the page loading process. Any input is welcome.



EoMPLS fragmentation

Hi

My understanding is that a MPLS-core will not fragment packets containing EoMPLS.

Is there any way to circumvent this? For example:

Lower the MTU on the customer-facing interface on the PE which has the xconnect, so that a packet is fragmented before MPLS tags are added?

Creating a GRE tunnel over the low-mtu part of the network so that the GRE-tunnel packets with the new IP-header which hide the underlying IP packet and MPLS-tags get fragmented and reassembled?

Any other way?

We will implement ip tcp adjust-mss, so the majority of packets will be small enough to avoid fragmentation, but want to support up to 1500 for the customer networks.

Kind regards



Data Center Firewall considerations

Hi,

We are currently evaluating a new data center firewall and there is one fundamental topic which I would like to resolve upfront.

At the moment, we have a dedicated forward proxy farm (approx 20k users) and one option is to get a big data center firewall and run a proxy blade on it instead of the dedicated proxy farm. We have had enough problems with our firewalls even without a huge proxy farm running on it as well.

What are your opinions?

1 - One big firewall which handles everything (Firewalling, Proxy, IPS, Application Control, VPN, ...)

or

2 - a slightly smaller box and dedicated services (the classical approach).

or

3 - Or maybe something between, e.g. IPS as blade, but dedicated proxy farm.

thanks,

max



RRAS NAT with PPPoE

OS: Windows Server 2016

I'm trying to use RRAS's demand-dial feature for NAT, so that computers on the LAN are routed through a PPPoE connection. When using the wizard, it asks for the credentials for the PPPoE, including username, domain, and password. What is this "domain" field for? I've tried leaving it blank, but get an error about "credentials invalid or protocol not supported". If I create a PPPoE adapter in the "Network Connections" panel (general Windows connections, unrelated to RRAS) using the same username/password (it doesn't ask for "domain"), it connects just fine. Any ideas of why it would work fine there, but not in the RRAS NAT?

EDIT: For clarification, I know what a domain is, but I'm not sure which domain it's referring to here.



What do you guys think of Cisco Meraki?


Thursday, October 11, 2018

Extreme Networks price increase due to China import tariffs



Understanding Juniper VCF

I'm looking at building a Juniper VCF. I'm trying to understand about what components are required and what I can do vs what I can't do. Our network is 50 or so ESX hosts that need 10gbps. Then a large set of devices of 100 to 200 devices that need only 1gbps. These are spread across 5 racks.

I have 2 x QFX5100-48S already that were purchased for another project. I want to use these as Spines. Then purchase another 2 x QFX5100-48S to use as leafs. Then I'd purchase 10 x EX4300-48T to use as leafs, top of rack (2 per rack). So I want to connect half the ESX hosts to the 2 x QFX5100-48S leaf switches and the other half, connected to the 2 x QFX5100-48S spine switches. We are honestly pushing 50 - 100mbps average and 2gbps at some of the peaks through most of this gear. It's not heavily used.

These switches would all be used solely for Layer 2. They would not be doing any Layer 3.

We then have a few SRXs that are connected to the QFX5100-48S spine switches that I plan on using for Layer 3 routing.

Firstly, do I even need a VCF? I'm mostly looking at getting the single point of configuration out of it.

Secondly, can I plug ESX hosts into the Spine switches?

Thirdly, how do EX4300s connect into the Spine switches? This diagram (https://www.juniper.net/documentation/en_US/release-independent/junos/topics/reference/specifications/cable-ex4300-virtual-chassis-fabric.html) shows the spine connections going into the back of the switch, but another article I found, said the QSFP ports are used for spine. Which is it?



NeXt UI alternatives - seeking suggestions!

Hi all,

I've spent far too long now trying to learn my way around NeXt UI (basically a Javascript library) and now that I'm actually trying to pull data from Netbox to draw my maps, things are not going well. My browsers (Firefox and Chromium in Ubuntu 18.04) are barfing on the number of devices in my charts; simply lowering the number causes my error to go away. Further, the error is "Uncaught RangeError: Maximum call stack size exceeded" which cursory searching suggests is indeed some pretty basic Javascript resource exhaustion. The trouble is that we're only really talking about 50 or so devices, so that's obviously not especially workable.

Does anyone know of any alternatives that specifically support interaction? I really, really liked the fact that I could dynamically blow out/collapse my sites/closets, but no other library that I've found supports that nice level of interaction... I was hoping to use it to both impress the C-suite and keep some auditors off my back.

Ones I've looked at so far:

go.drawthe.net - Looks awesome for what it is, but no interactivity.

netdraw.it - No interactivity; not sure it'd take my structured output, either.

draw.io - Not really network, nor does it appear interactive.

asciiflow.com - Not really network, nor does it appear interactive.

textik.com - Not really network, nor does it appear interactive.

netmapper.io - Love this thing, but not interactive. (Thank you, /u/LA33R!)

Any direction/suggestions/encouragement/thoughts are much appreciated. Have a great day, everyone, and happy Friday!



newbie here. VPN and internet sharing troubleshooting. Servers are able to see both router and gateway. I just want the servers to see the gateway.

So before, I guess my modem+router hybrid did this automatically, but now I have a new modem with a new router that are separate and it does not set up the same. Before, when I pinged servers, they would only see my data coming from the VPN, but now when I ping servers, they can see the total distance my data goes. So right now I get 110 ping going from my home to London to a London server even though I have a London IP address. Before I would generally get 5-20 ping.

P.s. I know that my ping isn't getting lowered. I use vpns to troubleshoot other things and this is interfering with that + I feel like my data isn't being hidden from my ISP.

I googled around and it said something about setting your router to an access point. I do not know if this is the solution for me because I use that router for other things other than being an access point.

Right now my setup is: modem (netgear CM500)-> router (netgear WNDR4300) -> multiple LAN connections, 2 Wireless connections. 1 of the wireless connections is a computer on Windows 7. My VPN is setup on that computer then I use the built in internet sharing through an ethernet cable to other devices to give them internet access on the VPN (these devices do not support any VPN software). VPN location's change constantly and I do not have the ability to modify any VPN.

Is there any way to make it so servers only see my data/packets coming from the VPN without getting any new equipment? I'll take solutions with extra equipment, but again would prefer not to.



10Gtek QSA (QSFP to SFP Adapter)



Strat-1 timing using other than GPS?

STL technology is a new technology using Iridium rather than GPS. The higher power signal is available indoors or other GPS denied environments. Pretty cool stuff, but would this still be considered Strat-1?

http://www.gnss.ca/spectracom/246-stl-option



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Cisco CSR 1000v questions about throughput

Hello all!

I've been trying to get a straight answer from Cisco for a while now, and it really does depend on who you speak to! LOL.

I have a couple of CSR1000v connected to a 10Gb switch, with the license:

Feature: appx_5G

Now, that 5Gb: is it the sum of all interfaces?

Is it per interface?

*edit

These are my iperf results

[SUM] 0.00-30.00 sec 12.0 GBytes 3.42 Gbits/sec 1074 sender

[SUM] 0.00-30.00 sec 11.9 GBytes 3.42 Gbits/sec receiver

Can anyone shed some light on this please, thx!



CUCM: Robocalls racking up long distance charges

We are having an issue with robocallers calling into our auto attendant and sitting in the queue for long periods of time, racking up enormous long distance bills every month. Any recommendations on how to deal with this? I've added call timeouts on no selection but we are getting so many that even with a couple minute timeout the bill is 70% robocaller charges.

I'm using CUCM 10.x and using Unity Call handlers for Autoattendant.



Redback lab

Anybody have information on setting up an older redback for a lab? I can’t find any information anywhere.



Handling multiple HTTPS servers behind one firewall

Running into a bit of a conundrum here with multiple HTTPS sites on separate servers behind a SonicWall.

Currently Exchange is taking up port 443 with OWA and ECP. I'm beginning a new RDS instance on Server 2016 and would really prefer if end users didn't have to specify a port number in requests, for ease of use and configuration.

I've set up and used WAP and ADFS in the sandbox and would love to go that route. The issue is the domain controller is 2012 R2, so I would need to purchase another 2012 R2 license for the sole purpose of running ADFS. I've searched for other solutions and apart from firewalls like Palo Alto and WatchGuard I don't see another good way of accomplishing this.

Do I go against best practice and install ADFS on the PDC? Bite the bullet and purchase another 2012R2 license and then install WAP on the RD Gateway? Or do I make end users get used to specifying the port number? What would you guys do in this situation?

Thanks



OSPF over Dell s4810 tunnels - not possible?

Hello,

This is a bit of a follow-up to my previous post; please refer to it for a little background.

We're trying to run OSPF (or other dynamic routing) between our two locations. We are hoping to avoid having to exchange routing directly with the MPLS provider (requiring protocol redistribution) by running a tunnel between the layer 3 switches at the two sites.

The Layer3 switches are Dell S4810 at Site A, and S4048 at Site B. They are running FTOS 9.10 and 9.11, respectively.

I was able to get the tunnel working between the two devices (pinging works), but cannot run OSPF on the tunnel. Nothing appears in the CLI, and "show ip ospf" seems to ignore it completely. I checked the logging, and I find this error:

Oct 11 16:55:29 %STKUNIT2-S:CP %IFMGR-5-TNLIP_OSPFV2_CONFLICT: OSPFv2 is not usable on tunnel 5120 with IPv4 outer header
Oct 11 16:55:29 %STKUNIT1-M:CP %IFMGR-5-TNLIP_OSPFV2_CONFLICT: OSPFv2 is not usable on tunnel 5120 with IPv4 outer header

I have been unable to find anything helpful via Google that matches any portion of this error.
Does this mean it has to run IPv6? We do not currently have IPv6 anywhere on our network, and that seems a bit of a hassle.
Is this an MTU or encryption issue? Default MTU is 1554 on both ends.

CONFIG SNIPS

SITE A:

!
interface Tunnel 10
 ip address 10.10.1.1/30
 tunnel destination 10.25.192.1
 tunnel source 10.66.127.201
 tunnel mode ipip
 shutdown
!
router ospf 1
 network 192.168.100.0/24 area 0
 network 10.10.1.0/30 area 0

#sho int tunnel
Tunnel 10 is up, line protocol is up
Hardware is Tunnel
Tunnel mode ipip
Tunnel source 10.66.127.201, Tunnel destination 10.25.192.1
Tunnel dscp mapped
Tunnel flow-label 0
Tunnel hop-limit 64
Tunnel keepalive destination 10.10.1.2 interval 6 attempts 4
Tunnel keepalive state up, time since last change: 00:30:49
Address is e4:f0:04:3f:58:17, Current address is e4:f0:04:3f:58:17
Interface index is 1224741888
Internet address is 10.10.1.1/30
Mode of IPv4 Address Assignment : MANUAL
DHCP Client-ID(61): e4f0043f5817
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:40:46
Queueing strategy: fifo
Input Statistics:
 6010 packets, 814626 bytes
Output Statistics:
 6013 packets, 592732 bytes
Time since last interface status change: 00:30:49

#sho ip ospf
Routing Process ospf 1 with ID 192.168.100.10
Virtual router default
Supports only single TOS (TOS0) routes
It is Flooding according to RFC 2328
SPF schedule delay 5000 msecs, Hold time between two SPFs 10000 msecs
Convergence Level 0
Min LSA origination 0 msec, Min LSA arrival 1000 msec
Min LSA hold time 5000 msec, Max LSA wait time 5000 msec
Number of area in this router is 1, normal 1 stub 0 nssa 0
 Area BACKBONE (0)
  Number of interface in this area is 1
  SPF algorithm executed 49 times
  Area ranges are

#sho ip ospf interface
TenGigabitEthernet 1/10 is up, line protocol is down
 Internet Address 192.168.100.10/24, Area 0
 Process ID 1, Router ID 192.168.100.10, Network Type BROADCAST, Cost: 1
 Transmit Delay is 1 sec, State DOWN, Priority 1
 Designated Router (ID) 0.0.0.0, Interface address 0.0.0.0
 Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.0
 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
 Neighbor Count is 0, Adjacent neighbor count is 0

#sho ip route
Codes: C - connected, S - static, R - RIP,
       B - BGP, IN - internal BGP, EX - external BGP, LO - Locally Originated,
       O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
       E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1,
       L2 - IS-IS level-2, IA - IS-IS inter area,
       * - candidate default, > - non-active route, + - summary route
<SNIP>
 Destination        Gateway          Dist/Metric   Last Change
 -----------        -------          -----------   -----------
<SNIP>
 C    10.10.1.0/30  Direct, Tu 10    0/0           03:14:40

#ping 10.10.1.2
Type Ctrl-C to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100.0 percent (5/5), round-trip min/avg/max = 0/8/20 (ms)

SITE B:

!
interface Tunnel 10
 ip address 10.10.1.2/30
 tunnel destination 10.66.127.201
 tunnel source 10.25.192.1
 tunnel keepalive 10.10.1.1 attempts 4 interval 6
 tunnel mode ipip
 no shutdown
!
router ospf 10
 network 10.25.192.0/23 area 2
 network 10.25.195.0/24 area 2
 network 10.10.1.1/30 area 0
 passive-interface Vlan 2
 passive-interface Vlan 4
 passive-interface Vlan 40
 passive-interface Vlan 41

#sho int tunnel
Tunnel 10 is up, line protocol is up
Hardware is Tunnel
Tunnel mode ipip
Tunnel source 10.25.192.1, Tunnel destination 10.66.127.201
Tunnel dscp mapped
Tunnel flow-label 0
Tunnel hop-limit 64
Tunnel keepalive destination 10.10.1.1 interval 6 attempts 4
Tunnel keepalive state up, time since last change: 00:00:47
Address is f4:8e:38:0c:d6:bb, Current address is f4:8e:38:0c:d6:bb
Interface index is 1224741888
Internet address is 10.10.1.2/30
Mode of IPv4 Address Assignment : MANUAL
DHCP Client-ID(61): f48e380cd6bb
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:48:35
Queueing strategy: fifo
Input Statistics:
 22 packets, 2716 bytes
Output Statistics:
 29 packets, 2608 bytes
Time since last interface status change: 00:01:04

#sho ip ospf interface
Vlan 1 is up, line protocol is up
 Internet Address 10.25.192.1/23, Area 2
 Process ID 10, Router ID 192.168.2.1, Network Type BROADCAST, Cost: 1
 Transmit Delay is 1 sec, State BDR, Priority 1
 Designated Router (ID) 192.168.2.2, Interface address 10.25.192.2
 Backup Designated Router (ID) 192.168.2.1, Interface address 10.25.192.1
 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
 Neighbor Count is 1, Adjacent neighbor count is 1
 Adjacent with neighbor 192.168.2.2 (Designated Router)
Vlan 6 is up, line protocol is up
 Internet Address 10.25.195.1/24, Area 2
 Process ID 10, Router ID 192.168.2.1, Network Type BROADCAST, Cost: 1
 Transmit Delay is 1 sec, State BDR, Priority 1
 Designated Router (ID) 192.168.2.2, Interface address 10.25.195.2
 Backup Designated Router (ID) 192.168.2.1, Interface address 10.25.195.1
 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
 Neighbor Count is 1, Adjacent neighbor count is 1
 Adjacent with neighbor 192.168.2.2 (Designated Router)

#show ip route
Codes: C - connected, S - static, R - RIP,
       B - BGP, IN - internal BGP, EX - external BGP, LO - Locally Originated,
       O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
       E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1,
       L2 - IS-IS level-2, IA - IS-IS inter area,
       * - candidate default, > - non-active route, + - summary route
<SNIP>
 Destination        Gateway          Dist/Metric   Last Change
 -----------        -------          -----------   -----------
<SNIP>
 C    10.10.1.0/30  Direct, Tu 10    0/0           03:13:36

#ping 10.10.1.1
Type Ctrl-C to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100.0 percent (5/5), round-trip min/avg/max = 0/8/20 (ms)



Do Lantern bugs eat fiber cables?

Assisting a client today who had one of their IDFs go down. Single switch with multi-mode fiber running to this closet. Spent all day swapping SFPs, patch cables, and eventually the entire switch. I could not get any link light whatsoever. Decided to try another pair on the fiber, and pulled the tray out to figure out which color pair I'd be tracing on the other side. I look at the back and I see 2 dead Lantern bugs and 2 of the 6 pairs of fiber chewed off. Luckily I had one available and switched over to it, and everything came back up.

TLDR - Post title....



Does GSM use a combination of TDMA and FDMA or TDMA signaling over FDD carriers?

I am not sure if this is the right place to ask this question, but it is the most relevant subreddit I found. In most places I read that GSM is using a combination of TDMA and FDMA techniques, like here. But on etsi.org it says "Time Division Multiple Access (TDMA) signalling over Frequency Division Duplex (FDD) carriers". So which one is it?



Verizon and Spectrum Issues

We're seeing issues with Verizon Wireless customers calling our Spectrum PRIs. Patients get a fast busy when calling.

Only inbound calling is affected - we can call Verizon customers from our Spectrum PRI.

There's a master ticket at Spectrum, for anyone interested.



How do you keep up with the standards, packet formats, state machines, etc to do your job?

I have huge problems keeping, in my head, all the information I need to do my job. On a single day I might work with container networking interfaces, TCP packets, OVS flow tables, firewall configurations, BGP routing tables. I spend a lot of my time debugging wire problems like TCP state machines that aren't behaving the way they should, packet formats (spent all day on VXLAN debugging yesterday) and generally doing research into things that are new or changing. I have notes but I keep having to relearn stuff I learnt. How do you guys deal with this information overload?



What is your go-to cable?

Looking for some good outdoor rated Cat5e. What is your go-to brand or specific type of cable?



Catalyst 3850: output drops, and SVI vs. routed port performance

My NMS just lit up with 7M output drops on a 1Gbps L2 physical interface, on a WS-C3850-24XS running Denali 16.3.6.

Netflow shows a spike on egress traffic for sure. But it's a very brief spike to/from a single source/dest. Netflow also shows minimal traffic egressing that physical interface, aside from this one conversation.

7M drops seems ridiculous when there's nearly all of 1Gbps ASIC-driven L2 bandwidth, end-to-end, between these two endpoints.

Then I realized the endpoints are on different vlans. They are routing through an SVI on the 3850, even though the SVI reports no issues.

The datasheet shows 454Mpps forwarding capacity for the WS-C3850-24XS and NMS confirms we are several orders of magnitude lower than that across the data plane. Sure, it is passing a bunch of traffic, but best I can tell it's well within spec.

Got me wondering if SVIs are routed in software vs. ASIC?

Couldn't find anything definitive online, at least for Catalyst. Found this for ISR, but not sure if that applies here.



DHCP relay in ACI

What is the DHCP server that is working for you?

Is the relay configured inside the bridge domain of the tenant to which your DHCP clients are connected? Or do you just define a DHCP relay label from the common tenant DHCP policies inside the BD of the tenant of your choice?

Looking at the Cisco website, option 82 seems unavoidable; what are the recommended ways to define your DHCP scope when you have your circuit ID and remote ID?

If you have this working in your environment I would like to hear your experience with this. Currently my DHCP server is outside the fabric.

We have come a long way since just using an IP helper address.



How to transition to EVPN / VXLAN?

I'm leading a project to transition an existing, very old, network into something a bit more modern.

The current design is a mix of Cisco / Juniper switches and it's pretty simple

2x Cisco 3850-48XS devices act as the "core"

Every rack has a single switch which uplinks to both cores.

Running MSTP

All gateways live on the Cisco devices, of which there are around 30 different VLANs

The cores take a default route only to the internet - no requirements for full tables.

So yeah, nothing really special going on here, very simple flat layer 2 network. No security requirements for the VLANs either

There are some "decent" traffic requirements... some racks are pushing up to 20-30Gb/s. Not huge, but something to keep in mind.

The reason for the rebuild is the core is basically out of ports, and we need to add more racks. Also all the switches are now 6-7 years old with no support and old software.

So this is what we have to play with for the new build. This section is set in stone (e.g. we have already purchased)

2x QFX10002-72Q for core

2x QFX5100-48S for all rack switches (20 racks)

So the old school network engineer in me is saying, to basically just build it the way it exists now, keep it simple.

This would be that all gateways (IRB) live on the QFX10K, simple L2 down to the racks, but I'd do away with STP and just use MC-LAG to eliminate loops. Super simple and easy. This would 100% work and do what we need.

On the other hand... I kinda wanna do something different, so I was thinking I could jump on the EVPN/VXLAN bandwagon.

I'm pretty sure it would all work well running distributed gateway on all the rack switch pairs and having the QFX10K handle the inter-VXLAN routing. But there will be a transitional period where both the old and new network will need to co-exist. We'd basically move VLANs over to the new network one or two at a time, but would still need to maintain full connectivity to the old network. And there might be cases where I have servers in the same VLAN existing in both the new and old, so I'm not sure if that is a thing I can make work.

Thoughts?



DHCP client list (static + dynamic)

I am trying to get a list of all clients that are active on my dhcp server. Googling revealed that the following file contains all the dhcp dynamic assignments with their relevant lease begin and expiration times:
/var/lib/dhcpd/dhcpd.leases

But what about static IP assignments that are active?
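The dynamic assignments live in the leases file the post names, but fixed-address hosts never appear there; they are declared in dhcpd.conf. This is an added example, not from the post, that parses constructed samples of both files (the ISC dhcpd formats) and merges them into one client list; it cannot tell whether a reserved host is actually online, only that the reservation exists.

```python
import re
from datetime import datetime, timezone

# Constructed sample of /var/lib/dhcpd/dhcpd.leases.  dhcpd appends a new
# record every time a lease changes, so the same IP can appear several times;
# the last record for an IP is the current one.  Times are UTC.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  starts 4 2018/10/11 08:00:00;
  ends 4 2018/10/11 20:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-a";
}
lease 192.168.1.51 {
  starts 4 2018/10/11 08:05:00;
  ends 4 2018/10/11 08:10:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.50 {
  starts 4 2018/10/11 20:00:00;
  ends 5 2018/10/12 08:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-a";
}
"""

# Constructed sample of the host declarations from /etc/dhcp/dhcpd.conf.
# Fixed-address hosts never show up in dhcpd.leases.
SAMPLE_CONF = """\
host printer1 {
  hardware ethernet aa:bb:cc:dd:ee:01;
  fixed-address 192.168.1.10;
}
host nas { hardware ethernet aa:bb:cc:dd:ee:02; fixed-address 192.168.1.11; }
"""

LEASE_RE = re.compile(r"\blease\s+(\S+)\s*\{(.*?)\}", re.S)
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{(.*?)\}", re.S)


def _field(body, key):
    """Value of 'key value;' inside a braces block, or None if absent."""
    m = re.search(r"(?<!\S)" + re.escape(key) + r"\s+(.+?);", body)
    return m.group(1).strip().strip('"') if m else None


def parse_dhcpd_time(text):
    """Parse dhcpd's 'W YYYY/MM/DD HH:MM:SS' (UTC) lease timestamp."""
    _weekday, date, clock = text.split()
    return datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def active_leases(leases_text, now):
    """Map IP -> record for dynamic leases that are active and unexpired at `now`."""
    result = {}
    for ip, body in LEASE_RE.findall(leases_text):
        ends_raw = _field(body, "ends")
        ends = None if ends_raw in (None, "never") else parse_dhcpd_time(ends_raw)
        is_active = _field(body, "binding state") == "active" and (ends is None or ends > now)
        if is_active:
            result[ip] = {"kind": "dynamic", "mac": _field(body, "hardware ethernet"),
                          "hostname": _field(body, "client-hostname"), "ends": ends}
        else:
            # A later record for the same IP supersedes the earlier one.
            result.pop(ip, None)
    return result


def static_hosts(conf_text):
    """Map IP -> record for every fixed-address host reservation."""
    return {
        _field(body, "fixed-address"): {"kind": "static", "mac": _field(body, "hardware ethernet"),
                                        "hostname": name, "ends": None}
        for name, body in HOST_RE.findall(conf_text)
    }


def client_list(leases_text, conf_text, now):
    """Combined view: static reservations plus active dynamic leases.
    A dynamic lease for an IP that is also reserved overrides the reservation."""
    clients = static_hosts(conf_text)
    clients.update(active_leases(leases_text, now))
    return clients


if __name__ == "__main__":
    # In production read the real files:
    #   open("/var/lib/dhcpd/dhcpd.leases").read() and open("/etc/dhcp/dhcpd.conf").read()
    # and pass datetime.now(timezone.utc); a fixed time is used to match the sample.
    now = parse_dhcpd_time("4 2018/10/11 22:00:00")
    for ip, rec in sorted(client_list(SAMPLE_LEASES, SAMPLE_CONF, now).items()):
        print(f"{ip:15} {rec['kind']:7} {rec['mac']}  {rec['hostname'] or '-'}  ends {rec['ends'] or 'never'}")
```

To know whether a reserved host is actually live, cross-check its MAC against the server's neighbour table (`ip neigh` on Linux), which dhcpd itself does not track.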



Azure Ipsec VPN to Cisco asa on prem can only be initiated from on-prem side

I've created an IPSEC tunnel between our ASA and Azure. The tunnel works; however it can only be initiated from the Cisco (on-prem side). Once initiated it works in both directions. Some sites suggested the IKE timers which I've modified to 28800. It's set up policy-based vpn using IKEV1.



Who blew up Manchester Teledata?

Anybody know what's going on?

Updates from those in the know would be appreciated...



IPSEC tunnel still established, but stops passing traffic eventually

We have a bit of an odd issue with our IPSEC tunnel. The issue is the tunnel connects just fine, and all traffic works as expected. Then randomly, and this can range from a few hours to multiple weeks before showing any issues, traffic just stops being passed altogether. The tunnel still says it's established, but disconnecting and reconnecting it fixes the issue immediately.

We believe we have tracked down where the issue is occurring, but aren't sure why it's behaving in this manner. Let's say these are the IP's involved:

  • WAN IP: 210.50.50.51
  • pfsense Static IP: 150.30.30.41
  • Remote IP: 140.20.20.31

When we run ipsec statusall on the pfsense appliance, we see the following line:

Security Associations (1 up, 0 connecting): con1000[16]: ESTABLISHED 2 hours ago, 150.30.30.41[150.30.30.41]...140.20.20.31[140.20.20.31] 

That's what it looks like when everyone is working just fine. However, when the tunnel is failing to pass traffic, we notice it is instead using/seeing the WAN IP as the Local IP:

Security Associations (1 up, 0 connecting): con1000[16]: ESTABLISHED 2 hours ago, 210.50.50.51[150.30.30.41]...140.20.20.31[140.20.20.31] 

If we disconnect, and reconnect the tunnel, it changes back to 150.30.30.41[150.30.30.41] as expected.

Is there something we are missing that can prevent this behavior? In the IPSEC configuration, we have the 'My Identifier' field set to IP Address, and manually entered 150.30.30.41, but that doesn't seem to help.

This is on pfSense 2.4.3-RELEASE-p1, strongSwan 5.6.2, FreeBSD 11.1-RELEASE-p10, amd64
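A way to catch the state described above before users notice, as an added example that is not part of the original post: parse the Security Associations lines of `ipsec statusall` (the two lines quoted in the post are used as constructed samples) and flag an ESTABLISHED SA whose local address is not the expected static IP. The expected address is a parameter; the address values are the post's own.

```python
import re

# Constructed from the two status lines quoted in the post: the healthy case
# and the failing case where the SA is bound to the WAN IP.
HEALTHY = """\
Security Associations (1 up, 0 connecting):
     con1000[16]: ESTABLISHED 2 hours ago, 150.30.30.41[150.30.30.41]...140.20.20.31[140.20.20.31]
"""
REBOUND = """\
Security Associations (1 up, 0 connecting):
     con1000[16]: ESTABLISHED 2 hours ago, 210.50.50.51[150.30.30.41]...140.20.20.31[140.20.20.31]
"""

# <name>[<unique id>]: <STATE> <age>, <local addr>[<local id>]...<remote addr>[<remote id>]
SA_RE = re.compile(
    r"(?P<conn>[\w-]+)\[(?P<uid>\d+)\]:\s+(?P<state>[A-Z]+)\s+(?P<age>[^,]*),\s+"
    r"(?P<laddr>[0-9A-Fa-f.:]+)\[(?P<lid>[^\]]+)\]\.\.\."
    r"(?P<raddr>[0-9A-Fa-f.:]+)\[(?P<rid>[^\]]+)\]"
)


def parse_ike_sas(status_text):
    """Return one dict per IKE SA line found in `ipsec statusall` output."""
    return [m.groupdict() for m in SA_RE.finditer(status_text)]


def find_rebound_sas(status_text, expected_local):
    """Describe every ESTABLISHED SA whose local address is not `expected_local`.

    This is the post's symptom: the identity in brackets stays 150.30.30.41
    while the address in front of it silently becomes the WAN IP, and the SA
    still reports ESTABLISHED, so a plain up/down check never fires."""
    problems = []
    for sa in parse_ike_sas(status_text):
        if sa["state"] != "ESTABLISHED":
            continue
        if sa["laddr"] != expected_local:
            problems.append(
                f"{sa['conn']}[{sa['uid']}]: local address {sa['laddr']} "
                f"(identity {sa['lid']}) differs from expected {expected_local}"
            )
    return problems


def main(expected_local="150.30.30.41"):
    # In production feed in the live output instead of the constructed samples:
    #   subprocess.run(["ipsec", "statusall"], capture_output=True, text=True).stdout
    for label, text in (("healthy", HEALTHY), ("rebound", REBOUND)):
        print(label, find_rebound_sas(text, expected_local) or "ok")


if __name__ == "__main__":
    main()
```

Run from cron, a non-empty result is the trigger for the disconnect/reconnect the post already does by hand, and for a log entry with the timestamp so the rekey or interface event that preceded it can be found.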



Question about Cisco ISE

Hey All,

I'm currently learning Cisco ISE and Cisco Prime, I'm stumped on this one and hopefully someone with experience can point me in the right direction.

We have a wireless guest network set up with a captive portal and TOS. The captive portal is signed with a certificate, but on many devices the certificate is invalid due to the device not being able to communicate out to verify the cert. Anyone have any guidance on how to allow network traffic via the guest network to the certificate provider's CRL? Any way I can whitelist the IP or something?

Thanks!



10 gig budget switch

I realize that asking for a reliable, 10gb budget switch is a contradiction in terms. But we all know nothing is ever easy. We're trying to start upgrading our network at a colo to 10gb, starting first with our NAS stuff and then outwards. Of course the boss doesn't want to pay for 10gb switches, but we're hoping a proof of concept will convince him.

What would be a good recommended, budget switch that has management (we'll need to be able to show graphs obviously and not fake ones). Right now everything is cat5e but we're assuming we can run cat6 and it should be ok. Fiber is out of the question except aggregating between cabinets (which we would prefer but not bound to it). Prefer to have at least 8 ports or above, but again I realize budget isn't going to be that most likely.

Thanks



Cisco ENC and NFVIS - Anyone using it?

I'm beginning to look at the ENCS platform that Cisco provides, as we have Fortinet firewalls but Cisco for pretty much everything else. We are at the deployment stage of iWAN but want the flexibility to be able to pivot to Viptela or whatever that evolves into over the next year or so.


Like everyone is doing, also looking for some potential cost savings while gaining or preserving redundancy where possible.


Is anyone out there using their ENCS product line? How do you like NFVIS? Are you running any non-Cisco virtual servers on there and how are they performing?



A full flat network and lots of headaches

Good Day - This is my 1st post here so forgive me if this is considered low quality or not normal.

I just started my job as #2 in a 2 man IT department. Currently we are on a flat 255 address network. We are rapidly expanding and are going to be doing a network upgrade within the next month. We are fast running out of IP addresses!

In the interim I've noticed some devices with static IPs have been randomly dropping off the network, from wireless APs to desktops with static IP addresses. Sometimes new deployments don't pick up a DHCP address and I have to manually assign a static IP. Then a week later it will randomly lose connectivity.

My question is this - would having a "full network" with almost no free addresses cause devices to randomly drop off the network?



A few questions on low-level engineering of networks

Hi guys, I'm a CS student and finally got to take an "upper level" networking class, and am loving it, but there's one thing I still can't quite get down clearly. I have a great book but it doesn't detail these doubts as clearly as I'd like. I have a few questions I'm hoping can be cleared up:

  1. How does circuit switching/packet switching actually transmit bits? Say it is running on a wired connection, how does the cable actually transmit binary from one host to another? What clearly differentiates the two?
  2. What does "switching" actually mean? I don't understand it in this context, does it just mean the transfer of information?
  3. What is the reason we prefer packets over a steady stream of bits? Is it because packets include header information that allows the end destination to more efficiently/quickly build back up the entire data, instead of piecing it together without context? (As well as more easily identify data loss)
  4. In the context of 3., how does an end host know when to start/allocate space for a packet and then end (wrap up packet and move to next) - are these just signals that are asserted?

Thank you so much, and apologies for the low-level questions, but I'd feel much better about my knowledge if I understood these things, they're really bugging me. Any suggested reading is also highly appreciated!
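Question 4 above is really about framing: a receiver watching a raw bit stream has no "signal" telling it a packet starts, it looks for a delimiter, reads a length field to know how much to buffer, and checks a CRC to know the packet arrived whole. This is an added toy example, not from the post or the book it mentions; the preamble, delimiter and field sizes are assumptions loosely modelled on Ethernet, not any real wire format.

```python
import zlib

# Assumed toy constants (modelled on Ethernet, not any real wire format).
PREAMBLE = "10101010" * 2   # alternating bits let the receiver lock its clock
SFD = "10101011"            # start-frame delimiter: "the next bit begins a frame"
LEN_BITS = 16               # payload length field, in bytes
CRC_BITS = 32               # CRC-32 trailer


def to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def from_bits(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def encode_frame(payload: bytes) -> str:
    """Sender side: preamble + SFD + length + payload + CRC, as a bit string."""
    if len(payload) >= 1 << LEN_BITS:
        raise ValueError("payload too large for the length field")
    crc = zlib.crc32(payload).to_bytes(4, "big")
    return PREAMBLE + SFD + f"{len(payload):0{LEN_BITS}b}" + to_bits(payload) + to_bits(crc)


def decode_stream(bits: str):
    """Receiver side: walk a raw bit stream and return [(payload, crc_ok), ...].

    Nothing is 'asserted': the receiver looks for the delimiter, reads the
    length to know how many bits to buffer, and uses the CRC to decide whether
    what it buffered arrived intact.  Bits between frames (idle line, noise)
    are skipped; a frame cut off by the end of the stream is not delivered."""
    frames = []
    marker = PREAMBLE + SFD
    pos = 0
    while True:
        start = bits.find(marker, pos)
        if start < 0:
            break
        p = start + len(marker)
        if p + LEN_BITS > len(bits):
            break                                    # length field not yet complete
        n_bytes = int(bits[p:p + LEN_BITS], 2)
        p += LEN_BITS
        end = p + 8 * n_bytes + CRC_BITS
        if end > len(bits):
            break                                    # truncated frame: wait for more bits
        payload = from_bits(bits[p:p + 8 * n_bytes])
        crc_ok = zlib.crc32(payload) == int(bits[end - CRC_BITS:end], 2)
        frames.append((payload, crc_ok))
        pos = end                                    # resume the search after this frame
    return frames


def flip_bit(bits: str, index: int) -> str:
    """Simulate line noise by inverting one bit."""
    return bits[:index] + ("1" if bits[index] == "0" else "0") + bits[index + 1:]


def demo():
    """Two good frames with idle bits around them, and one frame hit by noise."""
    stream = "0" * 5 + encode_frame(b"hello") + "1" * 3 + encode_frame(b"world")
    noisy = flip_bit(encode_frame(b"hello"), len(PREAMBLE + SFD) + LEN_BITS + 3)  # inside payload
    return decode_stream(stream), decode_stream(noisy)


if __name__ == "__main__":
    good, damaged = demo()
    print("clean stream :", good)
    print("noisy frame  :", damaged)
```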



Windows Server 2016 : How to automatically ADD a new DNS record when a host get a DHCP lease

Hello everyone,

I have a Windows server 2016 VM which runs DHCP & DNS services.

I set up a DHCP scope and created an IP reservation for one specific host (which is the only DHCP client at the moment).

This part works great, my client gets its IP / GW / DNS server.

My problem is the following:

I would like to automatically ADD its IP address into my DNS server and make a record based on its hostname, but for the moment not a single A record has been created even though I checked the options on my DHCP server (Scope properties -> DNS tab): all options to "dynamically update DNS" are ticked.

Questions:

Do I have to create a new A record first and then it will update automatically?

Or is it supposed to dynamically add new DNS entries when a new IP is given by my DHCP?



DIY - LAN Cable Tester With or Without Arduino

There is nothing worse than running your drops only to realize that you have a fault in one of the cable runs. The best approach is to get it right in the first place by using a "LAN Cable Tester." Sometimes, cables can also tear because of poor material quality or bad installation, or sometimes they get gnawed by animals. In this project...

https://create.arduino.cc/projecthub/tarantula3/diy-lan-cable-tester-with-or-without-arduino-3c41d7



Help with shared web hosting for Nextcloud

I can't figure out this problem and would really like some input. I want to provide Nextcloud (kind of like Dropbox but hosted locally) to our clients. Right now I have an ESXi VMware server set up and my goal is to have maybe ten or twenty Ubuntu Server VMs running, each with a Nextcloud server running in it.

If I only have one external IP, is it possible for people from different clients to access this server but be directed to the correct VM hosting their data?



Alternatives for 120km+ 100G / 200G transport gear?

Greetings! I'm in search of a solution to push 100G or 200G between two of my sites that are about 120km fiber-length from each other. So far the most promising product I've come across is PacketLight's PL-2000M muxponder which is a bookend solution giving you 200G bandwidth between two sites that can be broken out as any mix of 100G / 40G / 10G clients. Pricing is in the low sixties for a complete setup.

Can anyone recommend a product with similar capabilities and pricing? I'd like to see what else is worth looking at before I make a decision on the PacketLight gear.



Cisco C9500-32C or Cisco NCS-5011 as P-routers

Hey fellow networkers!

We are going to replace our old ASR9000 which is our P-layer core network.

Our CORE network is connected with 8 P-routers via dark fiber and wavelengths (point-to-point, no ISP in between).

So I have been looking into buying some new equipment, and at the moment I am looking at either the new high-performance 9500, which has 32 100Gbit ports, or the NCS-5011, which also has 32 100Gbit ports.

The NCS-5011 is placed as a WAN-agg router and the 9500 more, as far as I know, as a (campus) layer 3 switch? But it also has a "CORE template".

Today our P-routers are only handling these functions: OSPF v2 (IPv4), MPLS LDP, multicast routing, PIM, BFD.

In the future we will use the same functions as above, but probably with NetFlow, SGT, OSPF v3 or IS-IS for IPv6 (no SD-WAN etc.).

I have read and compared the data sheets and I can't find any limitations in IPv4, IPv6, multicast, SGT table, NetFlow tables.

Is there something else I should watch out for? What do you think?



Who uses certificates for IPSEC VPN peer authentication ?

Who uses certificates for IPSEC VPN peer authentication ?

I'm actually curious. I've been in networking for quite a while now and seen my fair share of topologies and deployments; however, all IPsec VPNs have been deployed with PSK auth. Have any of you seen authentication done with certificates? If so, what challenges did it bring?

Thanks



Fan less switch 5 or 8 ports fully managed

Hello

I'm looking for a 5 or 8 port switch. The most important thing is fanless and fully managed by SNMP/CLI.

SNMP v1/v2x/v3; RMON; Radius; DHCP; 802.1q; 802.1x; 802.1p; 802.1d; 802.1s; 802.1w; 802.3ad; 802.1ab; NTP.

So far I have found:

D-Link 12p DGS-1210-10 (10x100/1000Mbit, 2xCombo/SFP) DGS-1210-10P

TP-Link 8p T1500G-8T (8x10/100/1000Mbit, 1xPoE-PD) T1500G-8T

TP-Link 10p T2500G-10TS (8x10/100/1000Mb/s 2xSFP) T2500G-10TS

Any additional suggestions? What else do you know to use with the same or similar configuration? Something from HP, Mikrotik, Juniper etc.



switchport trunk allowed vlan 200 vs switchport access vlan 200

Hello folks,

I've been looking at our Cisco config for the past day (2960X) and I was curious about something that someone in our team added.

What's the actual difference between using switchport trunk allowed vlan 210 and switchport access vlan 210?

interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 210
 switchport mode trunk
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end

interface GigabitEthernet1/0/2
 description esx-1
 switchport access vlan 210
 switchport mode access
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end

I don't really see the difference between the two, except that one is trunked and restricted to only VLAN 210, and the other one is just an access port limited to VLAN 210?

Could that possibly be a mistake, or just some trivial stuff that doesn't matter?

What's the point of having a trunk port but restricted, instead of an access port?



Newbie practicing ASA VPN on PT

Hello, /networking

Newbie here practicing on PT.

So here's the scenario: I've got a remote network that I want to connect to the HQ via VPN. On my remote network I'm using a router as the edge, and HQ is an ASA 5505. So I've tried checking the connection from my HQ (VLAN 10 192.168.1.10) to the remote network (192.168.8.0) without the VPN and it works. But when I'm testing ICMP from a VLAN that is mapped to the VPN ACL, my packets get stuck at the ASA. Below is my config for my ASA and remote router. I have not set up any NAT for this, as per my understanding I should only do NAT if my networks overlap. Correct me if I'm wrong.

REMOTE#sh run
Building configuration...
Current configuration : 1549 bytes
!
version 15.3
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname REMOTE
!
boot system flash c1900-universalk9-mz.SPA.155-3.M4a.bin
!
ip cef
no ipv6 cef
!
license udi pid CISCO1941/K9 sn FTX15241TIS
license boot module c1900 technology-package FoundationSuiteK9
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key cisco12345 address 209.165.200.230
!
crypto ipsec transform-set VPN_SET esp-aes esp-sha-hmac
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 209.165.200.230
 set transform-set VPN_SET
 match address VPN_ACL
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.0.0.0
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.8.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 209.165.200.226 255.255.255.252
 crypto map VPN_MAP
!
interface Serial0/0/1
 no ip address
 clock rate 2000000
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.200.225
!
ip flow-export version 9
!
ip access-list extended VPN_ACL
 permit ip 0.0.0.0 255.255.255.0 192.168.1.0 0.0.0.255
 permit ip 0.0.0.0 255.255.255.0 192.168.2.0 0.0.0.255
 permit ip 0.0.0.0 255.255.255.0 192.168.3.0 0.0.0.255
 permit ip 0.0.0.0 255.255.255.0 192.168.4.0 0.0.0.255
 permit ip 0.0.0.0 255.255.255.0 192.168.5.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

..

ciscoasa#sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 3
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif inside
 security-level 0
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan3
 nameif outside
 security-level 0
 ip address 209.165.200.230 255.255.255.252
!
object network NET_REMOTE
 subnet 192.168.8.0 255.255.255.0
object network NET_VLAN10
 subnet 192.168.1.0 255.255.255.0
object network NET_VLAN20
 subnet 192.168.2.0 255.255.255.0
object network NET_VLAN30
 subnet 192.168.3.0 255.255.255.0
object network NET_VLAN40
 subnet 192.168.4.0 255.255.255.0
object network NET_VLAN50
 subnet 192.168.5.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 209.165.200.229 1
route inside 192.168.1.0 255.255.255.0 192.168.5.2 1
route inside 192.168.2.0 255.255.255.0 192.168.5.2 1
route inside 192.168.3.0 255.255.255.0 192.168.5.2 1
route inside 192.168.4.0 255.255.255.0 192.168.5.2 1
!
access-list VPN_ACL extended permit ip object NET_VLAN20 object NET_REMOTE
access-list VPN_ACL extended permit ip object NET_VLAN30 object NET_REMOTE
access-list VPN_ACL extended permit ip object NET_VLAN40 object NET_REMOTE
access-list VPN_ACL extended permit ip object NET_VLAN50 object NET_REMOTE
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable
!
crypto ipsec ikev1 transform-set VPN_SET esp-aes esp-sha-hmac
!
crypto map VPN_MAP 10 match address VPN_ACL
crypto map VPN_MAP 10 set peer 209.165.200.226
crypto map VPN_MAP 10 set ikev1 transform-set VPN_SET
crypto map VPN_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 209.165.200.226 type ipsec-l2l
tunnel-group 209.165.200.226 ipsec-attributes
 ikev1 pre-shared-key cisco12345
!
ciscoasa#sh cry
ciscoasa#sh crypto ipsec sa
There are no ipsec sas
ciscoasa#sh cry
ciscoasa#sh crypto isa
ciscoasa#sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
ciscoasa#

Did I mess up the configuration? Or is it just a newbie mistake of forgetting some configuration?

PS. I've set the security level of the inside and outside interfaces of the ASA so I can test the VPN connections first.



Wednesday, October 10, 2018

Why do IoT devices use Telnet? Is it CPUs?

The Mirai attacks in 2016/17 were largely successful because of the over-reliance of IoT devices on Telnet for remote admin. I'm writing an essay for uni which touches on this topic, and I'm wondering if it would be accurate for me to say that IoT devices' use of Telnet is because of the CPU load which would be required to use an encrypted protocol such as SSH.

If not, what is the reason for using such an outdated protocol? Sheer incompetence?



Calculating uptime

We are trying to set goals and standards for next year. One of the goals I would like to set is at least three-nines uptime for network availability.

We have a single data center with 13 remote locations that connect back to the data center.

What is the best way to calculate network uptime across these locations as it is often only 1 site that goes down?
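The number depends on how the 13 sites are weighted, and the two usual choices can disagree on whether the target was met. This added example (not from the post) computes both from a constructed outage list over one 30-day window: per-site availability, a site-minute weighted aggregate, and the worst site; the outages, site names and the rule that a data centre outage counts against every remote are assumptions.

```python
from datetime import datetime

# Constructed sample data: one data centre and 13 remote sites (as in the post),
# a 30-day reporting window, and three outages.
SITES = ["DC"] + [f"site{i:02d}" for i in range(1, 14)]
WINDOW_START, WINDOW_END = datetime(2018, 9, 1), datetime(2018, 10, 1)
OUTAGES = [  # (site, start, end); a "DC" outage takes every remote site down too
    ("site03", datetime(2018, 9, 4, 10, 0), datetime(2018, 9, 4, 12, 30)),
    ("site07", datetime(2018, 9, 12, 1, 0), datetime(2018, 9, 12, 1, 20)),
    ("DC", datetime(2018, 9, 20, 3, 0), datetime(2018, 9, 20, 3, 15)),
]


def downtime_minutes(outages, window_start, window_end, sites=SITES):
    """Minutes of downtime per site inside the window.  Assumes outages for
    the same site do not overlap (overlaps would be double counted)."""
    down = {s: 0.0 for s in sites}
    for site, start, end in outages:
        start, end = max(start, window_start), min(end, window_end)
        if end <= start:
            continue
        minutes = (end - start).total_seconds() / 60
        for s in (sites if site == "DC" else [site]):
            down[s] += minutes
    return down


def nines_target(nines):
    """Availability fraction for 'N nines': 3 -> 0.999."""
    return 1 - 10 ** (-nines)


def allowed_downtime_minutes(nines, window_start, window_end):
    """Downtime budget for the window at N nines (3 nines over 30 days = 43.2 min)."""
    return (window_end - window_start).total_seconds() / 60 * 10 ** (-nines)


def availability_report(outages=OUTAGES, window_start=WINDOW_START,
                        window_end=WINDOW_END, nines=3):
    total = (window_end - window_start).total_seconds() / 60
    down = downtime_minutes(outages, window_start, window_end)
    per_site = {s: 1 - d / total for s, d in down.items()}
    # Site-minute weighting: one small site down for hours barely moves this number.
    site_minutes = 1 - sum(down.values()) / (total * len(down))
    # Worst site: what a user at the unluckiest site actually experienced.
    worst_site = min(per_site, key=per_site.get)
    return {
        "downtime": down,
        "per_site": per_site,
        "site_minutes": site_minutes,
        "worst_site": worst_site,
        "meets_target": {s: a >= nines_target(nines) for s, a in per_site.items()},
        "site_minutes_meets_target": site_minutes >= nines_target(nines),
    }


if __name__ == "__main__":
    r = availability_report()
    print(f"site-minute availability: {r['site_minutes']:.5%}  "
          f"(3 nines: {r['site_minutes_meets_target']})")
    print(f"worst site: {r['worst_site']} at {r['per_site'][r['worst_site']]:.5%}")
    for s in SITES:
        print(f"  {s:7} down {r['downtime'][s]:6.1f} min  "
              f"avail {r['per_site'][s]:.5%}  ok={r['meets_target'][s]}")
```

With this data the site-minute aggregate passes three nines while site03 alone fails it, which is why a goal should state which of the two figures it is measured on.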



True or false: an Ethernet interface with no learned MAC addresses will egress zero unicast traffic.

I want to say that's always true, or are there exceptions?
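The mechanism the question turns on is how a transparent bridge handles a unicast frame whose destination it has not learned. This added example (not from the post) models a learning switch with constructed ports and RFC 7042 documentation MAC addresses, and records what a port that has never learned anything actually transmits.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Minimal model of a transparent bridge's forwarding decision."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}                          # MAC -> port, learned from *source* addresses
        self.egress = {p: [] for p in self.ports}    # frames each port has transmitted

    def receive(self, in_port, src, dst):
        """Process one frame; return (action, list of egress ports)."""
        self.mac_table[src] = in_port                # learn: src is reachable via in_port
        if dst == BROADCAST or dst not in self.mac_table:
            # Unknown unicast (or broadcast): flood out every port except the ingress.
            action, out = "flood", [p for p in self.ports if p != in_port]
        elif self.mac_table[dst] == in_port:
            action, out = "filter", []                 # destination sits on the ingress port
        else:
            action, out = "forward", [self.mac_table[dst]]
        for p in out:
            self.egress[p].append((src, dst))
        return action, out

    def learned_on(self, port):
        return sorted(m for m, p in self.mac_table.items() if p == port)

    def unicast_egress_count(self, port):
        return sum(1 for _, dst in self.egress[port] if dst != BROADCAST)


def demo():
    """Constructed scenario: hosts A (port 1) and B (port 2); port 3 has no hosts."""
    sw = LearningSwitch([1, 2, 3])
    A, B = "00:00:5e:00:53:01", "00:00:5e:00:53:02"   # documentation MACs (RFC 7042)
    steps = [
        sw.receive(1, A, B),   # B unknown: unknown-unicast flood, port 3 transmits a unicast frame
        sw.receive(2, B, A),   # A known: forwarded to port 1 only; B is now learned on port 2
        sw.receive(1, A, B),   # both known: forwarded to port 2 only
    ]
    return sw, steps


if __name__ == "__main__":
    sw, steps = demo()
    for i, (action, out) in enumerate(steps, 1):
        print(f"frame {i}: {action} -> ports {out}")
    print("MACs learned on port 3:", sw.learned_on(3))
    print("unicast frames sent out port 3:", sw.unicast_egress_count(3))
```

The same flood happens again after a learned entry ages out, so "no learned MACs" and "no unicast egress" are different conditions.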



Cisco SMB Hardware Recommendations

Hi all,

EDIT: Not necessarily from their SMB line, for a company of let's say 100 users.

Currently we operate 2 locations, each with 1x SG350X-48MP doing DHCP. One location is an office which has an RV345 above the switch; the other location has an 892FSP above the switch. I really like the SG350X and haven't had any issues, other than one dying the other day... not sure what happened but that's for another post. Anyhow, soon the second (HQ) building will be completed and the locations will be combining into a 2-building campus with fiber between. I will move the 892FSP to the main building as well as installing about 160-170 ports; I was planning on doing this with 4 stacked SG350X-48MP switches. However, I believe I would need all the SFP+ ports to stack them. Once the two buildings are connected there will be around 50 computing users between the two, 80 or so employees total with associated personal wireless devices.

We are also using WAP581 access points. Also super happy with them, blazing fast. However, the Single Point Setup functionality only supports I believe up to 16 WAPs in a cluster. We will have a third building up in a year or so and will definitely be above 16 so I don't want to switch then, I'd rather switch now, since we may end up going above 16 anyways with just this second building.

  1. What would be the best way to connect fiber between the two buildings - switch to 4 switch stack?
  2. Would you recommend a different Cisco switch that is 48 Ports of at least PoE+ in the same price range (~$1700)?
  3. What Cisco WAP would you recommend? The WAP581 is only about $320, don't want to go too far above that.

TIA.



Certificate management?

Hello, /networking.

How do you all manage your SSL certificates so that you have them all in one place, know when they expire, protect the keys, etc.?

I really don’t want to mess with Excel spreadsheets. Surely there’s some great app/service that handles all that.

Any good recs?



Faxing problems. SIP trunks, shoretel, and a Multitech faxfinder

We currently cannot send or receive faxes. We have a Multitech FaxFinder-240IP-2 fax server appliance paired with a ShoreTel phone system (v. 14.2). Here is what we know:

  • When an incoming fax arrives, our provider sends it to our SIParator device, which routes it to our ShoreTel PBX.
  • Once it's handed to ShoreTel, it's routed over a vtrunk via "off system extension" to the FaxFinder appliance.
  • It reaches the FaxFinder appliance correctly, but gets hung up at "negotiating" and the call/fax fails to complete.

The error descriptions in the logs are generic and provide little to no detail on a possible solution. I'm happy to provide Wireshark packet captures that we've gathered while troubleshooting. Any help would be greatly appreciated.



Cisco Nexus 9000 QSFP to SFP+ 1470nm

We are buying a 10Gbit wavelength from our ISP and want to connect that to our existing Nexus 9000-series switch. We have some QSFP ports on the Nexus switch that we wanna use. Is there any adapter SFP module that enables us to run 10G?

The ISP is giving us 1470nm 40km on one side and 1310nm 20km on the other side. The speed is 10G.



Small Office Network. Netgear VLAN, HPE 1950-12XGT-4SFP+

I've recently joined a small-ish company and now have the pleasure of also being partly responsible for our network, which is a pure Layer 2 network. We have a few servers running the usual services (SMB, email, VoIP) but also provide 2 even smaller subcompanies with network infrastructure too (some shared services). The current network consists of mostly Netgear switches, which work reasonably well in this simple configuration, besides the occasional resets needed every few weeks/months.

I've been toying with the idea of improving our infrastructure to improve network availability and add some much-needed separation. Am I correct in the assumption that it would be best to add separate VLANs for the services and look for a layer 2+/3 switch as our main switch for intra-VLAN routing?

If we have a shared voice VLAN, does this mean I have to hand over a VLAN trunk to their switch? We're also responsible for those, but it has happened in the past that people fiddled with them, so I'd like to make sure our internal network can no longer be easily influenced by any changes in the network topology at their end. Thinking about rogue DHCP servers, loop detection, etc. Any recommendations?

We have a Netgear GS724Tv4 which appears to support VLAN routing as an L3 feature. I know we should probably be looking for a more enterprise-grade solution, but does anyone have experience with Netgear VLAN routing, any known problems with those (I vaguely remember reading about performance issues)?

As an alternative, I'm also considering the HPE 1950-12XGT-4SFP+ as a main switch, which piqued my interest because of its 10G RJ45 capabilities for future upgrades (bandwidth increase to file server and access switches). Does anyone have one of those running in a similar configuration?

I also remember reading that 10Gbit can be run over Cat 5e/6 for shorter runs; any opinions or experiences in that department?



CiscoASA5505 - New WAN IP - Windows SBS DNS not working

Hello:

Today I had to install a new ISP into a Cisco 5505 for a remote office of ours...

Tunnel is up, passing Phase 1 and Phase 2. I can SSH into the new external IP; all looks good from a networking standpoint, I believe.

However, DNS from a Windows SBS server is not working. It was not touched before this cutover, so the only change was to the WAN IP on the 5505. We can ping 8.8.8.8 from the users' PCs but are unable to hit google.com etc. We cannot ping 8.8.8.8 from the SBS server.

The SBS was set up with the DNS pointing to itself inside its NIC, and the forwarders were blank in the admin controls. Again, nothing was changed other than the WAN IP on the firewall.

Any help or guidance would be greatly appreciated.



Cradlepoint AER1600 LP6 module - does anyone have one they can rent to me for a week?

Got screwed over by a Cradlepoint vendor who shipped wrong item, then refused to replace in a timely manner. Have an out of town job for a week and I need the LP4 to LP6 upgrade module. PM me if you can help, thanks.



Cisco FirePower - High unmanaged disk usage

FMC is saying that one Firepower device has "High unmanaged disk usage on /Volume".

I've googled around but haven't found anything particularly useful about the message. Most places tell you to check and clean out various directories on the drive, but I've done that and it is nowhere close to full. I thought maybe disk usage might refer to disk activity, but I don't think it is.

I know it was a bug in 6.2.2 and below but I'm running 6.2.3 so in theory that shouldn't be the problem. I could upgrade it further but I don't have 5 years to spare right now.

One other thing, the device was unable to talk to FMC for a couple of weeks so maybe that has something to do with it. I thought maybe it buffered all its info in that period of time and it needs to be manually removed, but I can't find anything significant to remove.

Anyone dealt with this before?



HPE switch VLAN understanding help!!

Coming from a Cisco world with switch ports in access and trunk mode, in my new job I now find it very difficult and struggle with the HPE OfficeConnect 1910 and 1920 switches. I have read a lot of guides but I can't understand the options tagged, untagged, access, hybrid, trunk, include, exclude per interface and the per-VLAN options!! For example, I have 3 VLANs (1-native, 5-voice, 10-data), a router connected to port 1 of the switch, and ports 2-9 will be access ports only for data with only PCs connected; 10-15 are for IP phones with a PC connected behind them, so access for both VLANs. Of course for the uplink (trunk)?? I also need all the VLANs to be passed to the switch!!! Some ideas?? Thank you!!!



@Risk Technologies

Hello fellow IT people,

I was curious if anyone has any experience with using @Risk Tech for network monitoring. I work for a transit authority, and as part of our greater risk pool they want us to implement this device to monitor traffic and send reports back. It takes north/south and east/west NetFlow traffic, having a few legs into the network.

We have Palo Alto 3020s in place as our FW and don't really see much of an added benefit to using this. Although we might be forced to use it for insurance reasons, I just wanted to see if anyone on here has any experience with them specifically.



Multiple Juniper security advisories

The whole list is here.

Happy upgrading!



Switch Cost Differences

I'm looking at different options for a new network stack for an SMB currently built on Cisco SG300s.

I'm a long time SMB admin, did some time at an MSP and have only ever really dealt with businesses between the 50-100 user mark. As such, I've seen a lot of lower end gear, and only at one larger client do I recall seeing something like a stack of Catalyst switches.

I've long made do with the small-business-grade equipment, and haven't really ever seen a need to upgrade.

Now at my current gig, I'm looking at implementing 10gig for our virtualization hosts and revisiting our whole stack. We don't have a lot of feature needs (at least I don't think we do).

In any case, I've been looking at every different vendor, from Ubiquiti to Aruba to Cisco..

My question: What is so much better about a $3000 switch than a $300 switch? How do businesses justify such a large expense?

I'm asking from a position of ignorance.. I honestly don't know.