Saturday, February 9, 2019

Networking w/ Python

I have started the Codecademy Learn Python 3 course, and as I go through it I am having a hard time connecting it to how Python can help me with day-to-day networking.

So I ask of you:

  1. What was your first Python program? What did it do and why did you need it?
  2. Where do you run your programs? From what I can tell, they can be run directly on the IOS-XE devices.
  3. What real life problems have Python programs solved for you or how did they make you more efficient?
  4. Any links to must have programs? Like scripts you think everyone could benefit from.
  5. How did you transition from CLI to Python/API?
  6. Useful tools.
  7. Courses/Books you used.

Thanks!



5520 ASDM

Hello.

Trying to get a 5520 ready and running into issues getting ASDM to function.

I have a laptop connected both by console and by Ethernet cable to the mgmt0/0 port.

ASA Version is 8.2(1)

ASDM is old, asdm-621.bin

    hostname halcyon
    domain-name halcyon.local
    interface management0/0
     nameif management
     security-level 90
     ip address 172.31.1.250 255.255.255.0
    asdm image disk0:/asdm-621.bin   ! I have an update that I am having a hard time getting in there.
    asdm history enable
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    ssh version 2
    http server enable
    http 172.31.1.0 255.255.255.0 management
    ssh 172.31.1.0 255.255.255.0 management
    username admin password ^!)&^*^%)!#%!#% encrypted

Scratching my head here...

I can SSH into the ASA through the management port, but still no go on asdm.

I have tried both 172.31.1.250 and 172.31.1.250:443 to no avail (443 is the default).

I have tried to get through from multiple browsers. Nada.

Trying to get new files in here from multiple angles; I have tried just plugging a USB stick into the back, but it is not recognized.

If I use SecureFX I keep getting "host specified port 22 matched several entries", then a userauth failure, then it authenticates as user admin, says "no entries for host contained matching key", and repeats.

I changed the ASA to:

no ftp mode passive

Additionally, I have formatted a USB stick to FAT and loaded all of the updates onto it. I cannot get the thumb drive to be recognized.

Seems like all avenues are failing here...
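An added example, not from the post above: given a pasted ASA running-config, it checks whether a client address is permitted by the `http`/`ssh` access lines, whether that address actually sits on the subnet of the interface the entry is bound to, and whether `http server enable` and `asdm image` are present. The config text is constructed from the lines posted (password line omitted) and the two laptop addresses are assumptions.

```python
"""Config-side ASDM/SSH reachability check for an ASA, from a pasted running-config.
Added example; not from the post.  ASA_CONFIG is constructed from the poster's
lines (password line left out); the client addresses below are assumptions."""
import ipaddress
import re

# Constructed from the post: only the lines relevant to management access.
ASA_CONFIG = """\
hostname halcyon
domain-name halcyon.local
interface management0/0
 nameif management
 security-level 90
 ip address 172.31.1.250 255.255.255.0
asdm image disk0:/asdm-621.bin
asdm history enable
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
ssh version 2
http server enable
http 172.31.1.0 255.255.255.0 management
ssh 172.31.1.0 255.255.255.0 management
"""

# "http <net> <mask> <nameif>" / "ssh <net> <mask> <nameif>": who may connect, and on which interface.
ACCESS_RE = re.compile(
    r"^(http|ssh)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$"
)


def parse_asa(config):
    """Extract interface subnets (by nameif), the ASDM image, the 'http server
    enable' flag and the per-service management-access entries."""
    parsed = {"nameifs": {}, "asdm_image": None, "http_server": False,
              "access": {"http": [], "ssh": []}}
    iface = None  # the interface stanza we are inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith("interface "):
            iface = {"name": None, "net": None}
            continue
        if raw.startswith(" ") and iface is not None:
            # Interface sub-commands are indented; collect nameif and subnet.
            if line.startswith("nameif "):
                iface["name"] = line.split()[1]
            elif line.startswith("ip address "):
                addr, mask = line.split()[2:4]
                iface["net"] = ipaddress.ip_interface(f"{addr}/{mask}").network
            if iface["name"] and iface["net"]:
                parsed["nameifs"][iface["name"]] = iface["net"]
            continue
        iface = None  # back at global configuration mode
        if line == "http server enable":
            parsed["http_server"] = True
        elif line.startswith("asdm image "):
            parsed["asdm_image"] = line.split()[2]
        else:
            m = ACCESS_RE.match(line)
            if m:
                service, addr, mask, nameif = m.groups()
                parsed["access"][service].append(
                    (ipaddress.ip_network(f"{addr}/{mask}"), nameif))
    return parsed


def management_access(parsed, client_ip, service):
    """Name of the interface whose http/ssh entry permits client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    for net, nameif in parsed["access"][service]:
        if ip in net:
            return nameif
    return None


def asdm_prerequisites(parsed, client_ip):
    """Config-side reasons ASDM could not be reached from client_ip (empty = none)."""
    problems = []
    if not parsed["http_server"]:
        problems.append("'http server enable' missing")
    if parsed["asdm_image"] is None:
        problems.append("'asdm image' not set")
    nameif = management_access(parsed, client_ip, "http")
    if nameif is None:
        problems.append(f"no 'http' line permits {client_ip}")
    elif nameif not in parsed["nameifs"]:
        problems.append(f"'http' line names unknown interface {nameif}")
    elif ipaddress.ip_address(client_ip) not in parsed["nameifs"][nameif]:
        # Permitted by the entry, but the client is not on that interface's
        # subnet, so its connection will not arrive on the interface named.
        problems.append(f"{client_ip} is off the {nameif} subnet {parsed['nameifs'][nameif]}")
    return problems


if __name__ == "__main__":
    cfg = parse_asa(ASA_CONFIG)
    for client in ("172.31.1.10", "10.0.0.5"):   # assumed laptop addresses
        print(client, "ssh via", management_access(cfg, client, "ssh"),
              "| asdm problems:", asdm_prerequisites(cfg, client) or "none")
```

For the posted config both checks come back clean for a laptop on 172.31.1.0/24, which is consistent with SSH working. That leaves the ASDM launcher on the client side (the browser and Java combination that this ASDM build expects) and the image on flash itself (`dir disk0:` confirms the file is really there) as the places to look next.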



Asus RT-AC87U privacy withdraw consent, how to do it?

Hiya,

I see the following on the Asus RT-AC87U under Administration > Privacy:

" Administration - ASUS NOTICE( for privacy)

Please note that users are required to agree to share information before using DDNS, Remote Connection (ASUS Router APP、Lyra APP、AiCloud、AiDisk), AiProtection, Traffic analyzer, Apps analyzer, Adaptive QoS, Game Boost/Game IPS and Web history. At any time, users can search for the contents of the terms at this page or stop sharing the information with other parties by choosing Withdraw. "

Where is the Withdraw option? It's not in the original firmware anywhere.

Thanks



Packet Loss to Router

Hey all,

I'm in the process of setting up a home lab and so far I've got an EdgeRouter X and a Cisco SG300. The ERX is doing the VLANs, or so I believe, but I feel there may be some conflict with the switch.

I'm seeing about 5% packet loss to my first hop when running WinMTR, and weird disconnects in some games I play, because of this I believe. Same result if I plug directly from the testing device into the ERX on a different Ethernet port/subnet, bypassing the switch completely.

I've updated the firmware on both devices, changed cables, etc. I'm thinking it must be some issue with the VLANs on the switch and the packets possibly flooding the ERX? Here are my configs; I would appreciate any pointers. Thanks in advance!

ERX: https://pastebin.com/Jc0Hddxt
Switch: https://pastebin.com/kgLHskyX



Use Azure (and ExpressRoute) as your Internet gateway

Is anyone using Azure as their internet endpoint as opposed to getting one from your ISP? Interested in hearing about your experience, especially costs, which I assume may not be cheap.

On-premises --> ExpressRoute link --> Azure --> Internet



Frequently asked networking questions for SRE /DevOps

Hey guys,

I have an interview coming Tuesday and I want a quick refresh on the networking part.

Any resources will be highly valuable for my preparation.

Thanks in advance.



Change DNS on Alcatel LinkHub HH40 modem / router

Can't figure this out: the WAN section fields are disabled. How do I set Cloudflare 1.1.1.1 or any other DNS on the Alcatel HH40 modem/router?

The help file is not much help.



How do I close port 3389 on a remote computer and open another port on the remote computer for RDP connections?

I want to close port 3389 on a remotely accessed computer and open a different port to remotely access the computer.

eg.

Currently: My computer > RDP > port:3389 (open)/remote computer

What I want to do: My computer > RDP > port:3389 (closed), port: XXXX (open)/remote computer.

Any ideas how I can achieve that?



Solutions for LTE failover WAN

Maintaining a large home in a rural environment that's using an LTE service called VTEL Wireless (Vermont Telephone). It works well when it works, which is most of the time. We can have a failover to DSL for $80+ a month, which is not ideal. Anyone have a good solution for short-term failover? Looking at LTE modems set up as failover. Verizon has good service in the area. AT&T would probably work.

What do you all use in the enterprise world?



How do I connect the switchport module on my Cisco 1811 series router to a FastEthernet port in IOS?

So I have a Cisco 1811 series router and I want to create a virtual link between a port or ports on the switchport module and the FastEthernet port; see the photo here for the two ports I'm talking about: https://imgur.com/gallery/sDs8X9w. Is there any way to do this in IOS? I've been trying for a while now.



Can someone recommend the best server books and certs, please?

Hello networkers, I am a network administrator and help desk guy, and all day we deal with servers,
different servers, so I really want to get hands-on with all our servers and get as much information on servers as possible from different books. So I need your help, guys: can someone recommend the best server books or certs?

Thanks



Linksys EA9500 vs WRT3200ACM vs Ubiquiti Edgerouter 4

I am not super experienced when it comes to networks, but have quite the project to manage. I need a router that can handle 200+ wireless devices as well as all home/office needs (gaming, streaming, etc.). I am using cheap wireless access points placed throughout the house (Xiaomi Mi Router 3) that seem to be working well so far, but I am looking to upgrade my main router (MikroTik RouterBOARD). Of the 3 routers listed in the title, which would be most likely to best suit my needs? Is the EA9500 overkill? Thanks in advance for any advice you can give me!



Campus network restructuring, some advice?

Hi guys,

We are facing a network migration and I'd like to get some advice or ideas from other members of this community.

First of all, I know it's 2019 and there are new technologies that could solve my problems but, as usual, there are some "business needs" to fulfil:

1) Re-use as much of the current network hardware as you can (limited budget)

2) Make the network more stable

3) Permissions based on network client roles within the enterprise

4) Flexibility to support new requirements (for example, new roles)

Second, some technical details to give you some background about the current state of the wired network:

  • Campus of 20 buildings all connected with fiber

  • All HP switches forming a 3-tier network

    • 2 x switches Layer 3 at Core (CORE)
    • 2 x switches Layer 3 on each Aggregation/Distribution (AGG)
    • n x switches Layer 2 at Access (ACC)
  • We are using HP IRF (sort of stacking) in CORE and AGG

  • All ACC switches are dual-homed to AGG switches

  • All AGG switches are dual-homed to CORE switches

  • Layer 2 from ACC to CORE

  • CORE holds all VLAN interfaces

Third, for various reasons, and as you may expect from an L2 "flat" network, we are experiencing network loops and broadcast storms. Also, network access is uncontrolled, with no security in mind. So the idea is to propose to management a couple of alternatives that could solve or, at least, minimize these issues.

That said, here you have a couple of ideas I have in mind to start off:

  • Move layer 2 boundary from CORE to AGG

    • Convert CORE-AGG to routed ports
    • Create VLAN interfaces on each AGG
  • Re-address the network maintaining an ordered IP addressing scheme (summarizing each AGG)

  • Routing would be OSPF

So far, we are fulfilling requirements number 1 (no new hardware is required) and number 2 (loops and broadcasts contained to the building; not perfection, but better than nothing).

My problems begin with client roles :(. To keep it simple, we are thinking about the following:

  • 3 types of users with different permissions:
    • CORP: normal corporate user, full access
    • PARTNER: business partners living among us, restricted access
    • GUEST: no internal access, just internet
  • We have some use cases for DMZ-style subnets in buildings, examples:
    • Servers/devices reachable from the internet, video conferencing devices, etc.
    • We called this role simply "DMZ"
    • Permissions should be: permit LAN->DMZ, deny DMZ->LAN, permit DMZ->INET and open only some ports for INET->DMZ
  • A subnet providing tight control to allow hosts to communicate with only certain servers, example:
    • Printers (talk only to print servers), IP cameras (talk only to DVRs), others
    • somewhat static permissions, just minor changes required from time to time
    • We called this role "SERVICES"
  • A VOICE subnet for IP phones (full access, no problem)
  • Finally, we have our network-management subnet (MGMT) (full access, no problem)

So, every building should have a VLAN and subnet for each of these roles.

Well, let's talk how to deal with role permissions.

For GUEST and SERVICES we are thinking of using ACLs, that is, one ACL on the VLAN GUEST interface (deny all RFC1918 addresses) and another ACL on the VLAN SERVICES interface. Let's say we feel comfortable with this solution (it is not elegant at all, I know).

On the other side, how would you solve DMZ and PARTNER permissions?

Key points to consider before answering:

  • Hardware is not MPLS capable (I wish it was :( such a pity)

  • VRF-Lite is a possibility but links between CORE-AGG should be layer 2 (no support for subinterfaces) and I don't like the idea (we are trying to avoid layer 2 as much as possible, right?)

  • Hardware is not even capable of doing GRE tunnels "to glue" those subnets with a centralized firewall (too bad again)

  • ACLs are stateless packet filters, incapable of fulfilling the DMZ and PARTNER policies

  • Adding one firewall per building is not feasible (nor a good idea from my perspective), mainly due to budget constraints

That's all. I'm sorry to have made this text so long, but I wanted to give you the whole picture.

Thanks in advance for your help. Regards.
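An added example, not from the post above, that makes the GUEST/DMZ point concrete. It models a first-match, implicit-deny ACL the way a switch applies one, builds the "deny RFC1918" GUEST ACL and a best-effort DMZ ACL, and runs constructed packets through both. The rule model, the 10.0.0.0/8 campus range, the `established` semantics (TCP with the ACK bit set, as on IOS and Comware) and the host addresses are assumptions.

```python
"""Stateless ACL evaluation for the GUEST and DMZ roles above.  Added example,
not from the post: the rule model, the 10.0.0.0/8 campus range and the sample
packets are assumptions.  It shows why a plain ACL can express "GUEST: deny
RFC1918" but only approximates "permit LAN->DMZ, deny DMZ->LAN"."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("10.0.0.0/8")          # assumed campus range
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    dport: int
    ack: bool = False       # TCP ACK bit; clear only on the first SYN of a flow


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"
    dport: Optional[int] = None
    established: bool = False   # like IOS/Comware 'established': TCP with ACK set


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches on addresses, protocol, port and flags of this one packet;
    it has no memory of earlier packets."""
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First match wins; implicit deny at the end, as on a switch ACL."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Inbound on the GUEST SVI (packets sent by guests): no RFC1918, then anything.
GUEST_IN = [Rule("deny", ANY, n) for n in RFC1918] + [Rule("permit", ANY, ANY)]

# Inbound on the DMZ SVI (packets sent by DMZ hosts).  The 'established' rule is
# the only stateless way to let replies to LAN-initiated TCP sessions through.
DMZ_IN = [
    Rule("permit", ANY, LAN, proto="tcp", established=True),
    Rule("deny", ANY, LAN),
    Rule("permit", ANY, ANY),           # DMZ -> Internet
]


def dmz_policy_gaps() -> dict:
    """Two cases the DMZ ACL gets right and the two it cannot get right."""
    lan_host, dmz_host = "10.1.1.10", "10.60.1.5"     # assumed addresses
    return {
        # DMZ host opening a session toward the LAN: correctly denied.
        "dmz_new_tcp_to_lan": evaluate(DMZ_IN, Packet(dmz_host, lan_host, "tcp", 3389)),
        # Reply segment of a LAN-initiated TCP session: correctly permitted.
        "dmz_tcp_reply_to_lan": evaluate(DMZ_IN, Packet(dmz_host, lan_host, "tcp", 51000, ack=True)),
        # Reply to a LAN-initiated UDP exchange (e.g. DNS): wrongly denied.
        "dmz_udp_reply_to_lan": evaluate(DMZ_IN, Packet(dmz_host, lan_host, "udp", 51001)),
        # Attacker on the DMZ sending ACK-only segments (an ACK scan): wrongly permitted.
        "dmz_ack_scan_to_lan": evaluate(DMZ_IN, Packet(dmz_host, lan_host, "tcp", 445, ack=True)),
    }
```

The last two results are the poster's point in code: `established` only keys on a flag the sender controls, so UDP return traffic has no equivalent and a DMZ host that sets ACK on its own segments walks through the "deny DMZ->LAN" line. Expressing the DMZ and PARTNER policies correctly needs something that tracks sessions, not a per-packet filter.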



Incredibly bad ping spikes

I've been having incredibly bad ping spikes. Upload and download speeds are fine, but every so often it will shoot up and make any online game disconnect; the spike lasts for 1-5 min. I tried buying a new Ethernet cable but this did not fix the problem. It is incredibly frustrating. Does anyone have any ideas what's happening?



Global Enterprises: How do you break down your IP addressing?

So I know everyone here is a fan of the cutesy 10.location.vlan.host scheme, but this only works when you have fewer than 256 sites. I'm curious to know about the ways global organizations, with hundreds of sites and multiple data centers, design their IP addressing scheme. Do you divide each geographic region into summaries? Do you break down IP address blocks by function (for less complex FW rules) or by location (for greater summarization)? A mix of both perhaps?



Remote Access VPN Logon Banners - Best practices for placing a banner for remote users.

Wanting to add a logon banner to my company's remote VPN services for the end users. I have seen some examples online, but does anyone else have some links or verbiage that is generic yet satisfies the legal department in the event a user account is compromised? I have searched in this NIST article but honestly couldn't find anything on logon banners; perhaps I missed it.

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf



Multiple Student accommodation setup

Hi all,

I've just visited a building that a friend owns, as he asked me to check out all things IT.

Whilst on site I noticed that all the rooms are on the same LAN! I can't confirm the config until he gets me login details from a previous supplier.

They have a Cisco Meraki firewall, some cheap smart managed TP-Link switches and UniFi Wi-Fi that appears to be in guest isolation with a voucher system.

My immediate thought is that I should split these rooms up into their own VLANs as a minimum.

Just wondering how people tend to handle the networking / monitoring for these kind of shared accommodation buildings?



Hello, does anyone know why my internet keeps jumping up like this?

Every time I play a game my ping keeps jumping up and spiking.

https://imgur.com/IPLj4eE



Assigning 1 IP on a different number

Howdy! I'm working to resolve an issue with a conflicting IP. I am running a script that sends a signal to an IP camera; that camera uses 192.168.1.20, but my internet is also on 192.168.1.1, so if I'm on the internet it shows the camera is not connected, but when I disconnect it works. What I'm trying to figure out is, on a basic router setup, can I assign just one computer a specific IP, i.e. 192.168.10.###, so that my computer can still get internet and the camera will work?



Configuring a Route Reflector (Cisco)

Hey, r/networking!

I am configuring an iBGP topology and already have full connectivity.

I am not using a full-mesh topology: https://imgur.com/a/KXHkqqc

and I want to use Hub1 and Hub2 as route reflectors (for redundancy).

I have 2 questions:

  1. Not all of the routers are directly connected to the hubs. Is this going to cause a problem? Can I make a route reflector a client of another route reflector (so Internet 1 can be an RR, but a client of Hub1, and the same for I2 and Hub2)?
  2. What is the best practical way to achieve the dual RR?

Thanks in advance!



Making E1 take priority over O.

OK, so we're in the process of switching our sites to a new ISP and moving our current Layer 2 MPLS connections to Layer 3. Our ISP is setting our MPLS connections as E1 and our current routes for the VPN are O. How do I make E1 take priority over the O VPN connection? At some point in the past someone changed the AD on our OSPF to 19, and I was thinking that if I set this above 110, which is what E1 is, then maybe this would take priority? But as I started thinking about it more today I'm not sure this will work. Any ideas?



Looking for SMEs for content development

Mods, apologies if this isn't the correct sub, but no one browses those job subreddits.

We at INE.com are seeking Subject Matter Experts (SMEs) to develop and deliver video training content.

This is a x-post from /r/ccie, but those of you browsing /r/networking on a Saturday are likely the ones that I want to find as well, as many of you are likely already SMEs in other industry specializations.

Technology domains I’m looking for SMEs in include:

  • Virtualization (ESXi, Hyper-V, KVM)
  • Wireless
  • Service Provider (transport, ops, etc.)
  • Sysadmin (Linux, DNS, DHCP, AD, etc.)
  • Juniper JunOS
  • Palo Alto Networks Security
  • Network Security
  • Pen testing (OSCP)
  • Microsoft
  • Storage (netapp, emc, Dell, etc.)
  • Network & Systems Automation (python, ansible, orchestration tools, etc.)

Feel free to post here, PM me, or email me at bmcgahan at INE dot com.

Brian McGahan, Director of Content - Networking, www.INE.com



WAN network management for zero dollars

So I just started a new job. I have ten sites with two bonded T1s at each site. They are oversubscribed at each site. No one can tell me if the provider manages the routing or we do. No usernames or passwords were kept for the routers or switches.

I get complaints of slowness on the network, and they have 5-7 year old servers.

How do I get a better handle on traffic management in the short term with a zero dollar budget?

Where do I start in rebuilding this network?



PCI Compliance class/Certification?

I've been getting more restaurants/catering halls that I manage/install networks for that run POS systems, specifically Micros POS. To keep their POS machines and server separate I normally create a separate LAN with firewall rules in between to drop packets. On one of my recent installs the POS was connected to an ISP-supplied router/modem and I double-NATed to keep the POS on the ISP router and the STAFF/GUEST Wi-Fi network on mine, to keep them separated. Since I've been getting more customers with this kind of setup that fall under PCI rules/scans, I was curious if there are any certifications/classes that I could take so I can offer my customers the best security.

Thanks!



Example templates for three-tier campus LAN records at your enterprise

Hi everyone. My name is Darwin and I have a question about using templates to define records that are easy to read.

I'm working on a high-density campus LAN as a junior network engineer. For reasons outside the scope of this post I must make records of the entire network throughout the enterprise. Yes, the enterprise has a lot of records, but they are outdated (a lot of them). As I said, the reasons are outside the scope of this post.

Most important is whether you all can help me by showing me the templates you use at your enterprise (obviously only if you can). If you want to send them in private messages, that is all right as well.

I've been making some templates but it is still confusing to me. For instance, the following is a dummy network which has:

1 ) Excel records

2 ) diagram

3) Running config (saved via FTP for disaster recovery)

1 ) Excel records :

https://ibb.co/QpBkrQT

2 ) diagram (obviously the diagram is not made in PQ; I would use Microsoft Visio. Or could you recommend some free diagram software?)

https://ibb.co/61kSCJR

3 ) Running config:

    Switch#sh run
    Building configuration...

    Current configuration : 1936 bytes
    !
    version 16.3.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname Switch
    !
    no ip cef
    no ipv6 cef
    !
    spanning-tree mode pvst
    !
    interface GigabitEthernet1/0/1
     switchport access vlan 10
     switchport mode access
     switchport nonegotiate
    !
    interface GigabitEthernet1/0/2
     switchport access vlan 10
     switchport mode access
     switchport nonegotiate
    !
    interface GigabitEthernet1/0/3
     switchport access vlan 20
     switchport mode access
     switchport nonegotiate
    !
    interface GigabitEthernet1/0/4
     switchport access vlan 20
     switchport mode access
     switchport nonegotiate
    !
    interface GigabitEthernet1/0/5
    !
    interface GigabitEthernet1/0/6
    !
    interface GigabitEthernet1/0/7
    !
    interface GigabitEthernet1/0/8
    !
    interface GigabitEthernet1/0/9
    !
    interface GigabitEthernet1/0/10
    !
    interface GigabitEthernet1/0/11
    !
    interface GigabitEthernet1/0/12
    !
    interface GigabitEthernet1/0/13
    !
    interface GigabitEthernet1/0/14
    !
    interface GigabitEthernet1/0/15
    !
    interface GigabitEthernet1/0/16
    !
    interface GigabitEthernet1/0/17
    !
    interface GigabitEthernet1/0/18
    !
    interface GigabitEthernet1/0/19
    !
    interface GigabitEthernet1/0/20
    !
    interface GigabitEthernet1/0/21
    !
    interface GigabitEthernet1/0/22
    !
    interface GigabitEthernet1/0/23
    !
    interface GigabitEthernet1/0/24
     no switchport
     ip address 10.0.0.1 255.0.0.0
     duplex auto
     speed auto
    !
    interface GigabitEthernet1/1/1
    !
    interface GigabitEthernet1/1/2
    !
    interface GigabitEthernet1/1/3
    !
    interface GigabitEthernet1/1/4
    !
    interface Vlan1
     no ip address
     shutdown
    !
    interface Vlan10
     mac-address 0001.6449.4b01
     ip address 192.168.10.1 255.255.255.0
     ip helper-address 10.0.0.2
    !
    interface Vlan20
     mac-address 0001.6449.4b02
     ip address 172.168.50.1 255.255.0.0
     ip helper-address 10.0.0.2
    !
    ip classless
    !
    ip flow-export version 9
    !
    line con 0
    !
    line aux 0
    !
    line vty 0 4
     login
    !
    end

Greetings.

Best Regards to all.
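An added example, not from the post above: it turns a running-config of the kind posted into per-interface records (the raw material for the Excel sheet) and attaches the findings a record set should carry alongside the inventory. The config text is a trimmed copy of the posted one, re-indented the way IOS prints it because the paste lost its line breaks; the record fields and finding wording are my own.

```python
"""IOS running-config -> per-interface records plus audit findings.  Added
example, not from the post; RUNNING_CONFIG is a trimmed copy of the posted
config, re-indented as IOS prints it (the paste above lost its line breaks)."""
import ipaddress

RUNNING_CONFIG = """\
hostname Switch
!
no service password-encryption
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/24
 no switchport
 ip address 10.0.0.1 255.0.0.0
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 10.0.0.2
!
line con 0
!
line vty 0 4
 login
!
end
"""


def parse_stanzas(config):
    """Map every top-level line to its indented sub-commands (empty for plain
    globals such as 'hostname').  Insertion order follows the config."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            stanzas[current] = []
    return stanzas


def interface_records(stanzas):
    """One record per interface: role, access VLAN, address, admin state."""
    records = []
    for header, subs in stanzas.items():
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        rec = {"interface": name,
               "mode": "svi" if name.startswith("Vlan") else "unconfigured",
               "vlan": None, "ip": None, "shutdown": "shutdown" in subs}
        for s in subs:
            if s == "switchport mode access":
                rec["mode"] = "access"
            elif s == "switchport mode trunk":
                rec["mode"] = "trunk"
            elif s == "no switchport":
                rec["mode"] = "routed"
            elif s.startswith("switchport access vlan "):
                rec["vlan"] = int(s.split()[-1])
            elif s.startswith("ip address "):
                addr, mask = s.split()[2:4]
                rec["ip"] = str(ipaddress.ip_interface(f"{addr}/{mask}"))  # CIDR form
        records.append(rec)
    return records


def audit(stanzas, records):
    """Findings worth recording next to the inventory, from the config alone."""
    findings = []
    if "no service password-encryption" in stanzas:
        findings.append("password encryption disabled: any line/enable passwords sit in clear text")
    for header, subs in stanzas.items():
        if header.startswith("line vty"):
            if "login" in subs and not any(s.startswith("password") for s in subs):
                findings.append(f"{header}: 'login' but no password, so remote logins are refused")
            if not any(s.startswith("transport input") for s in subs):
                findings.append(f"{header}: no 'transport input ssh', Telnet may be accepted")
    idle = [r["interface"] for r in records if r["mode"] == "unconfigured" and not r["shutdown"]]
    if idle:
        findings.append("unused ports left up: " + ", ".join(idle))
    return findings


if __name__ == "__main__":
    stanzas = parse_stanzas(RUNNING_CONFIG)
    recs = interface_records(stanzas)
    for r in recs:
        print(r)
    for f in audit(stanzas, recs):
        print("finding:", f)
```

Feeding the real configs through something like this keeps the spreadsheet in step with what is actually deployed, and the audit column is where the outdated-records problem usually shows first.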



How outdated would a book published in 2009 be?

Hi everyone,

I've been checking out my local library for books with in-depth information on networking concepts and also exercises. I found quite a few books but they're generally published around 2008-2009. Is it bad practice to study these books, as the information might be outdated? I got my CCENT a few months ago and so I have been hoping to build up on my knowledge.



bgp output question

Hello,

Please explain to me:

    alpha-st# show ip bgp 10.0.0.0/24 bestpath
    BGP routing table entry for 10.0.0.0/24, version 292989359
    Paths: (3 available, best #1, table default)
      Multipath: eBGP
      Advertised to update-groups:
         806 809 851 855 1467 1617 1715
         1739 1773 1785 1793 1802 1807
      Refresh Epoch 8
      xx yyy, (received & used)
        20.0.0.1 (metric 101) from 20.0.0.1 (30.0.0.1)

I need an explanation for every address in the following row:

    20.0.0.1 (metric 101) from 20.0.0.1 (30.0.0.1)



BGP received route without network mask

Hello,

Why do I not see the network mask (even though 'show ip bgp <prefix>' shows it as a /24)?

    router#show ip bgp neighbors x.x.x.x routes
    Network Next Hop Metric LocPrf Weight Path
    *> 10.0.0.0 x.x.x.x 200 0 48011 205203 i
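An added example serving both BGP posts above (not from either post): a parser for the per-path detail line of `show ip bgp <prefix>` and for the Network/Next Hop table. In the detail line the fields are, in order, the next hop traffic is forwarded to, the IGP metric to reach that next hop, the neighbour address the UPDATE was received from, and that neighbour's BGP router ID in parentheses. In the table, IOS prints a bare network when the prefix length equals the classful mask, so the parser normalises `10.0.0.0` to `10.0.0.0/8`. The table sample is constructed with IOS-style column alignment and the addresses are mine; the column positions are read from the header, which is why a whitespace-collapsed paste like the one in the post cannot be parsed unambiguously.

```python
"""Parsers for the two 'show ip bgp' forms in the posts above.  Added example,
not from the posts; SAMPLE_TABLE is constructed with IOS-style alignment."""
import re

# Detail form: <next hop> [(metric N | inaccessible)] from <peer address> (<peer router ID>)
PATH_LINE_RE = re.compile(
    r"^\s*(?P<next_hop>\S+)(?:\s+\((?P<nh_info>[^)]*)\))?\s+from\s+(?P<peer>\S+)\s+\((?P<router_id>\S+)\)"
)


def parse_path_line(line):
    """next_hop: address packets are forwarded to; igp_metric: IGP cost to reach it;
    learned_from: neighbour the UPDATE came from; peer_router_id: that neighbour's
    BGP router ID.  next_hop and learned_from differ when the next hop was left
    unchanged by an intermediate speaker."""
    m = PATH_LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a BGP path line: {line!r}")
    nh_info = m["nh_info"] or ""
    info = nh_info.split()
    metric = int(info[1]) if len(info) == 2 and info[0] == "metric" else None
    return {"next_hop": m["next_hop"], "igp_metric": metric,
            "reachable": nh_info != "inaccessible",
            "learned_from": m["peer"], "peer_router_id": m["router_id"]}


def normalize_prefix(network):
    """The table prints a bare network when the length equals the classful mask,
    so '10.0.0.0' means 10.0.0.0/8; a non-classful length is printed explicitly."""
    if "/" in network:
        return network
    first = int(network.split(".")[0])
    length = 8 if first < 128 else 16 if first < 192 else 24
    return f"{network}/{length}"


# Constructed sample with the column layout IOS uses (positions come from the header).
SAMPLE_TABLE = """\
     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.0.0.0         192.0.2.1              200             0 48011 205203 i
 *>i 203.0.113.0/25   192.0.2.2                0    100      0 64496 i
"""


def parse_table(text):
    """Parse a column-aligned 'show ip bgp' table.  Metric and LocPrf are blank
    when absent, so a whitespace-collapsed paste cannot be parsed unambiguously;
    the header line is required to locate the columns."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = next((l for l in lines if "Network" in l and "Next Hop" in l), None)
    if header is None:
        raise ValueError("need the 'Network ... Next Hop ... Path' header; paste the aligned output")
    net_start = header.index("Network")
    ends = {name: header.index(name) + len(name) for name in ("Metric", "LocPrf", "Weight")}
    rows = []
    for line in lines[lines.index(header) + 1:]:
        tokens = [t for t in re.finditer(r"\S+", line) if t.start() >= net_start]
        if len(tokens) < 4:
            continue  # not a route row
        row = {"status": line[:net_start].strip(),
               "network": normalize_prefix(tokens[0].group()),
               "next_hop": tokens[1].group(),
               "metric": None, "locprf": None, "weight": None, "as_path": []}
        for t in tokens[2:]:
            # Numeric columns are right-aligned under their header word: a token
            # belongs to the first column whose right edge it does not pass.
            if t.end() <= ends["Metric"] + 1:
                row["metric"] = int(t.group())
            elif t.end() <= ends["LocPrf"] + 1:
                row["locprf"] = int(t.group())
            elif t.end() <= ends["Weight"] + 1:
                row["weight"] = int(t.group())
            else:
                row["as_path"].append(t.group())
        row["origin"] = row["as_path"].pop() if row["as_path"] else None  # i / e / ? is last
        rows.append(row)
    return rows
```

When the output has been pasted with collapsed whitespace, as in the post, `parse_table` refuses rather than guess which of the numeric columns a lone `200` belongs to; re-run the command with the terminal width set so nothing wraps, and keep the header.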



IP/Name resolution issues

So I’m not the network guy, but he doesn’t research “this is broke” things to fix them, he only fixes things you’ve already researched a solution for him...

Anyway, we are having issues that I've assumed were DNS, but I'm really not sure. Our Nessus scans on some devices will report a vulnerability with a different DNS name and NetBIOS name, and sometimes different DNS names with the same IP.

We have issues remoting into devices using the host’s name and sometimes IP as well, which makes less sense to me.

It’s mostly on devices using the VPN, but not always.

So today we came across a device we couldn’t remote into by name or IP.

I pinged Name1 and got IP1. I did a ping -a IP1 and got Name2. Did a ping Name2 and got IP2. ping -a IP2 gave Name3. Ping Name3 and got timed-out responses.

Anyone know what could be causing this and what a possible fix to these issues could be?



Friday, February 8, 2019

G.INP / G.998.4 and routers/modems (ISP)

Hey everyone and anyone that works at the ISP level or deals with modems/routers. I've run into what I think is going to be a huge issue for us, and I'm needing confirmation of my theory, or at least, I hope, proof that I'm wrong and out to lunch, about what seems to be happening with our connections.

So we're a tier 3 ISP, a last-mile provider doing PPPoE over the local telco's lines. We have the following equipment deployed within the telco's service area for our clients to provide either dedicated circuits for voice, or data, or both:

  • Cisco 1841, or 1921 with either ADSL or VDSL2 WIC/HWICs
  • Cisco 1841, or 1921 connected to a Zyxel router/modem
  • ZyXEL 1432, or 3925

These circuits have been running without issue for anywhere from 4 years to a month, and in the last 4 months we've run into the exact same issue twice: the PPPoE PADI goes out, but nothing ever comes back. This is confirmed by the telco, and our servers show no logs of the PPPoE connection being attempted. After too many hours troubleshooting and fighting with the telco, who of course is insisting it's our equipment, even though we've had zero issues with it anywhere and tried swapping out routers/modems with no success, we came to the exact same solution both times.

Starting back in October, the telco started rolling out upgrades to their circuits with the G.INP / G.998.4 standard to, well, do exactly what that standard does: improve SNR on DSL circuits so you can bump up the speeds and distances some, because it lowers the amount of noise induced on the lines.

So now my theory, at least until I can get exact model numbers off the VDSL cards: from what I have found in the docs for Cisco ADSL and VDSL2 WICs, they don't support G.INP / G.998.4, and our ZyXEL 1432s don't seem to either. But the ZyXEL 3925s do explicitly state support for it.

The fix was putting in a new (new to us; we just started deploying them in the last 6 months) ZyXEL 3925 in bridge mode, then plugging our Cisco into it, and everything was good to go again.

So either I'm not googling the right terms for what I'm looking for, or the people who know enough about this standard already know what the issue is and haven't posted about it online. So here I am: am I way off on this? If so, please point me in the right direction.

Thanks in advance!



Junos sflow config check

I'm trying to send sFlow to a collector from a Juniper VC. Does anything look wrong with my config?

    {master:0}[edit protocols]
    username@vcname# show sflow
    polling-interval 10;
    sample-rate {
        ingress 500;
        egress 500;
    }
    collector <ip address of collector> {
        udp-port 6343;
    }
    interfaces ge-0/0/7.0;
    interfaces xe-0/2/0.0;
    interfaces xe-1/2/0.0;

    {master:0}[edit protocols]



File explorer search is very slow and we will do anything to fix it, any budget.

So we manage a network for a franchise medical practice, and their billing department is centralized with 11 people that do nothing but search client names and email the bill using Excel. It is incredibly frustrating that they use Excel and the Windows search on a mapped drive to search client names. They open it in Excel after the search, and then create a new bill to mail off, but they refuse to change to an application-specific system.

So we have upgraded the server to the latest i7, with a Samsung 860 Pro SSD (SATA, not M.2), we have a 96-port gigabit switch, we have had them organize the folders alphabetically to help with indexing, but it's still slow. I'm wondering if we can just throw enough hardware at it to fix the problem, or if File Explorer will always be our bottleneck? I read that there are limits and it's not what it was designed for. We are reaching the end of our rope here and hoping someone out there has advice. Thank you for any responses!!!!



My employer offered to pay for me to attend any I.T conference in the US | Which ones do you recommend?

**Cross posted**

In my 7 years in IT, I have never had a chance to attend an IT-related conference. I have been to a few meetups but that's it. I got a new job at the beginning of this year and my new employer told me that the IT department has some money in the budget for me to attend any conference that is IT related.

**ANY conference**. I am the network admin/server admin/security admin (infrastructure engineer) so most conferences are interesting to me. Here is my current top 3:

1)Defcon

2)Cisco Live (I work a lot with cisco and have 3 CCNAs and a CCNP)

3)Blackhat

Does the community have some cool infosec/networking summits/conferences that you have heard of/attended that you recommend?

I know attending conferences can help my career (and my employer's), and I want to make sure I take advantage of this opportunity this year and in years to come, so this list is not just for this year.

Thanks



Product specialist role (Router)

Hi, I'm a network engineer and a company wants to interview me for a product specialist (router) position. With networking in mind, I'm trying to understand what type of questions are usually asked for roles like these. I'm not looking for any exact questions, just to get an idea of what to expect, because if it's networking I kind of know what questions are usually asked, but for a product specialist I have no idea. Anything will help. TIA.



Best way to test Cat5e POE+ for drops caused by the power draw

So I have some long Cat5 cable runs a customer installed and am trying to determine if they are an issue. The runs are between 35 and 200 feet and carry PoE+ (48 W) devices. I don't get drops if I just plug a laptop in, and the drops in total are very low, but still a problem due to some high-speed devices on the network.

What is the best way to test if I'm getting interference from the PoE+ power over that long a line? Hooking a computer or tester up won't do much good if the issue isn't with the Cat5 cable itself but is being caused by the high power draw over a long distance interfering. Anyone have a good way to test to determine that this is what is causing the drops? I can't tell the customer to replace all the cabling without some sort of data to back it up, even if it seems incredibly likely that this is the issue.

I'm going to measure the cable runs on Monday and will have more data about precise lengths and the total number of drops. I don't know why the hell they installed Cat5 for a critical application. They didn't bring me in until after they had some issues.



Establish a static IP Virtual lan

This may be an incredibly basic question for you guys, and I apologize if it's been asked before in any way.

I'm attempting to establish a mostly remote-work-based business and want to create some sort of online LAN which collaborators can connect to and access an intranet. I would also need a static IP address for this VLAN and use it to access internal services at other companies (some companies, like Sony, need to whitelist a static IPv4 address so we can access sensitive data).

What exactly is it I should look for? Would a VPN service with a static IP option work? Ideally this would be cheap (we don't have a reliable source of income yet) and cloud based, as I am travelling and relocating relatively often.



DHCPv6 clients reusing expired leases

During the course of troubleshooting abandoned leases clogging up our DHCPv6 pool, I noticed that my Linux laptop will reuse old expired leases unless the DHCP server has marked that address as abandoned. This appears to create abandoned leases. Has anyone else observed behavior like this?



Connecting firewall to GNS3

Aloha,

I have been attempting to deploy a Cisco firewall in my GNS3 environment. I currently have an Oracle VirtualBox machine deployed on my laptop. I tried pointing my GNS3 to the VirtualBox VM and deploying the ASA in GNS3 using a real ASA image, but that doesn't work. Is there a way to deploy a Cisco ASA firewall in GNS3 using VirtualBox on the laptop that I use to run GNS3, or do I have to use a standalone ESXi host as my virtual server?



Why do base stations and the base station controller need to be synced?

I have some theoretical knowledge of what mobile backhaul is and what SyncE/1588 is. I also understand why two radio devices (or any TDD-based devices, for that matter) need to be synced. What I don't understand, and can't find by googling, is why I need to sync the BS and the BSC.

Thanks.



Recommended resources for IDS and maybe IDS in IoT? (Books, Papers, Articles, blogs)

I realize that this might not be 100% relevant to this subreddit, but I'm looking into doing some reading on IDS (maybe looking a bit at their implementation in IoT), and as well as looking online I figured I should ask if any of you have any good books/blogs/practical tutorials to recommend on the subject, or significant papers that made advancements in the area.

This is for a uni project, so also any project ideas that maybe you have to suggest are welcome!

If this post is against the subreddit's rules I'll be happy to delete it, I'm just trying to get into that part of networking atm and could use a starting point.



Loopback interfaces on L3 Switches

Disclaimer: I should know this, but I never really use loopback interfaces, so bear with me. If I have 2 switches connected via a trunk port and I want to create a loopback interface on each switch in the same subnet, will it use the native untagged VLAN to pass that traffic from switch to switch? What if the native VLAN is VLAN 1 and is already used? :(

Thanks in advance.



Load balancer in front of every server

We decided to use LB (or ADC nowadays) in front of every service we publish to internet even if there's only single server. Idea being that we can use WAF and have greater visibility to the services.

I'm wondering whether we could extend the idea to every service we run from DC (except maybe for AD etc.). For the same reasons, to get better visibility to the traffic and see whether it's the network or the server that is slow.

Anyone done this kind of setup, or any ideas?

Thanks!



2FA solution that server guys would like too

Looking for a 2FA solution mainly for VPN (FortiGate/F5 SSL VPN) and Citrix VDI access, currently using SMS passcode but only for sending SMS. I'd like to have an mobile app too, and I'm not a big fan of smspasscode.

I know the server guys have been wondering about 2FA also, I'm guessing for O365/Azure mainly. Would be nice to find a solution that everyone could use instead of installing multiple authentication systems. We use Clearpass but it doesn't really do 2FA.

Any suggestions?



Switch becoming unreachable when issuing switchport mode trunk

A port on an upstream switch connected to a downstream switch is set to an access port. The port on the downstream switch was left at its defaults. When issuing switchport mode trunk on the downstream switch, I can no longer ping the downstream switch. I issued the commands below on the upstream switch right after configuring the downstream switch as a trunk port and still can't ping the downstream switch. Before making changes to the downstream switch I issue the reload in 5 command, to wipe out any changes that cause loss of access. Both switches use VLAN 1 as the native VLAN. Does anyone think that deleting the vlan.dat file on the downstream switch would help? Has anyone encountered this situation before?

The only error messages that the switches give are a mismatched native VLAN on ports g1/0/12 (525) and g1/1/1 (1).

interface GigabitEthernet1/0/12 - G1/1/1
switchport trunk allowed vlan 11,220,525
switchport mode trunk
switchport trunk encapsulation dot1q
spanning-tree bpduguard disable
service-policy output 2P6Q3T
end

The working configs are as follows:

Upstream switch:

interface GigabitEthernet1/0/12
description to Downstream switch G1/1/1
switchport access vlan 525
switchport mode access
switchport nonegotiate
no logging event link-status
storm-control broadcast level 5.00
spanning-tree bpduguard disable
service-policy input IPPHONE+PC-DATA
end

Downstream switch:

interface GigabitEthernet1/1/1
switchport trunk allowed vlan 1,525
spanning-tree portfast disable
spanning-tree bpduguard disable
end



Configure Audiocodes 440HD to work with 2 or more SIP providers

I have 10 440HD's in use. I want to set up a second line on them using a provider different from the first line. However, it seems that the SIP Proxy and registrar settings cannot be changed on a per line basis on the phone's web interface. Am I mistaken? Is there another way do to it?

I am on the latest firmware: 2.2.16.142.12



WAN handoff - fiber or copper?

I recall hearing that copper handoffs have some loss at Gigabit speed over normal Ethernet. I have a site going from 200 Megabits to 1 Gigabit, is it worth switching the handoff to 1G multimode from copper?



Juniper ScreenOS to FMC

Trying to migrate a customer's Juniper ScreenOS firewalls to FTD ASAs joined to an FMC deployment. I know Cisco has a ScreenOS to ASA migration tool; was wondering if they had produced any new tools for Firepower yet? Any help is appreciated.



Question about ARP broadcasts and VLANs

So I am making a small lab to demonstrate voice VLANs for work, to show the advantage of it over running 2 cables for every workstation. I am using a Cisco 2961-S switch. My current setup is a Mitel 3300 gateway plugged into Gi1/0/1, then 2 Mitel 5330 IP phones plugged into Gi1/0/2 and Gi1/0/3. The phones then have a computer hooked into the PC port. The phones were able to connect to the gateway and call each other, and I could see requests from one computer on the other.

My question is that when I ran Wireshark on one of the PCs hooked into a phone I was able to see ARP requests from the Mitel gateway on it even though it is on a different VLAN than the computers. I turned on sticky port-security and ensured the computers were on the data VLAN, but am unsure why they could see the ARP request from the gateway. Port settings are below. I apologize if I missed something stupid, but I'm still learning networking (working on CCNA, so this is also a learning experience for me).

vlan 5 data
vlan 6 voice

Gi1/0/1
switchport access vlan 6
switchport mode access

Gi1/0/2 & Gi1/0/3
switchport access vlan 5
switchport mode access
switchport voice vlan 6



Best practice for securing internet facing DMVPN/SSL VPN hub?

Any best practices for securing a CSR1000v that acts as a DMVPN hub and the headend for Anyconnect SSL connections? Wondering if its possible to pass these connections through a Palo Alto VM?



Does someone sell a 24 patch cable set to match a single row patch panel to 24 port switch?

I spent a lot of time making ~14 patch cables of near exact lengths to cleanly meet a patch panel to switch. See images.. https://imgur.com/a/UUhuVQ2

If I ever needed to do that again or continue on my current setup.. is there a pack of cables designed for this purpose with the correct lengths? Making them by hand is quite a bit of work and probably results in high risk for error/durability issues. Bringing them to the side seems messy/excessive and using 6" and 12" cables won't satisfy OCD. I'll take any critiques on my setup in the pics too..



Point to point antenna routine maintenance?

Do point to point links need to be serviced at any regular intervals? Should, say after a set amount of time, alignment be inspected? External wiring inspected? What would one look for in a routine maintenance schedule? What are common issues that may occur?

Thanks!



One ISP Handoff - 2 WAN devices

All,

I know you are going to rip me apart for this - I haven't done a whole lot of networking in the past year or two and am extremely rusty and can't wrap my head around it with everything else at the moment.

Here is the scenario - I have a new site coming online next Friday. I typically have the Fiber directly terminated on the site firewall without any other internet facing devices.

I was just informed this morning for this new site that our phone guys need a WAN connection for an Edgemarc device. I do not want to NAT this through our firewall. I have a /29 block from the ISP on one subnet, which includes their gateway so, 5 usable IPs.

I believe I can just terminate the ISP on a switch and then our firewall and edgemarc device off of that - but I am lost on the configuration of it. Should it just be a layer 2 switch? if I put all 3 devices on one vlan - what else do I need to do(minus hardening and management)? Do I need routes on the switch?

The last time something similar came up - it was a layer 3 switch which needed multiple wan subnets, which I do not have here. and the timeline isn't going to allow a change order to the ISP.

I know this is basic math - Go easy.. or take your shots with a bit of an answer. :)



AnyConnect + FIPS

Anyone running this? If so good bad ugly? I read the cisco document and for it to work you have to enable FIPS on the client side and I am curious if that will cause issues without non-FIPS applications in the wild?



Suite-B-GCM-256 on a Cisco ASA 5506-X

Hi all. Can anyone please confirm the config required to set up a VPN that complies with Suite-B-GCM-256 on a Cisco ASA 5506-X? I have the following so far, need to check if I'm missing something.

crypto ipsec ikev2 ipsec-proposal AES-GCM-256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto map X.X.X.X 1 match address Y.Y.Y.Y
crypto map X.X.X.X 1 set pfs group 20
crypto map X.X.X.X 1 set peer X.X.X.X
crypto map X.X.X.X 1 set ikev2 ipsec-proposal AES-GCM-256
crypto map X.X.X.X interface outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha384
 group 20
 prf sha384
 lifetime seconds 86400
crypto ikev2 enable outside

I'm not 100% sure about "encryption aes-256", the RFC states AES-256 in CBC mode, but CBC isn't mentioned on the ASA. Is CBC implied in AES-256 on the ASA 5506-X?

Cheers!



Can I ping hostname of device behind a NAT?

This is an industrial environment, where a Windows XP machine has one sole wired connection to a managed switch, and is given a static 172.x.x.x address. In order to upload data to our network, we use a NAT to translate the 172 address to our standard 120.x.x.x address

I can remote in and ping the 120 address all fine and good, but I would like to be able to ping and connect by hostname because it's easier to remember by our naming convention.

Is this possible?



Free Virtual Appliance Web Filter

Hello all. I am in need of a web filter, appliance that is free that is a virtual machine inside of hyper-v. I am open to all solutions that are free forever. I just need it to be local on my network and come with a gui. Thanks in advance.



SP Network Engineer - What am I worth?

I apologize ahead of time if this isn't the correct place for this type of post, this isn't early career advice so I believe this fits in. I think I could be doing better and I'm considering a change of scenery. I'd wholly appreciate some career advice from people within the same realm.

My Background:
* BS Computer Science
* No Certs (I'd probably get my NP to boost my resume before going on market)
* Official Job Title: Backbone Engineer
* With the company for 11 years on and off
* Started as a Tier-1 helpdesk rep, worked up through the ranks and have done internships through college
* Interned with: Tier-2 helpdesk, Ops Techs (in-field), Sales Engineering
* Landed full time position with the top core engineering group after college
* 5 years in current position

Company Background:
* Medium-sized Tier-2 regional service provider
* 400K Total Customers
* Provide dedicated services to commercial entities, upstream services to cable providers
* $25-50M revenue a year
* 200 Employees
* Comparable Market: Akron, OH
* Median market income: 60K

Team Background:
* My group is the highest-level (non-management) technology department in the company
* I am one of four engineers
* Cisco shop
* Standard Salaried 8-5, Rotate On-call shifts, Twice weekly overnight change windows as needed
* Off-hours availability expected

Day-to-day:
* Design and deploy new network segments, augment existing ones
* Upgrade legacy equipment
* Co-ordinate our ops team in the field for deployments
* Research and development
* Deploy and configure active DWDM equipment and deploy waves for internal and customer use
* Configure and deploy core and PE equipment (Core Routers, PE Routers, PE Metro Ethernet Switches)
* Work heavily with IOS-XR/IOS-XE/IOS
* Work with vendors frequently
* Manage IGP operations, route reflection, and core traffic manipulation
* Manage peering at IX borders (Transit/PNI/IX Mesh) and analyze netflow for ingress traffic manipulation
* Configure and troubleshoot customer-facing services (DIA/BGP/L2VPN/L3VPN/Wave) for sales engineers
* Stood up/configured/deployed/manage our core DDoS mitigation system
* Design and manage management networks
* Be an escalation point for our Tier-2 helpdesk and troubleshoot issues
* Work with servers/unix systems/vms occasionally, being fluent is a requirement
* Work with Software Engineers on NMS and automation

Personal Accolades:
* Favorable quarterly and annual reviews
* Unofficially considered the "lead engineer" of our team by management
* Go-to guy for anything BGP-related (I love BGP)

My Salary: Just shy of 55k/year

Our environment is very sales-driven. Sales people in our company are typically driving the direction my department takes and what projects we work on. I'd like to move far and away from that, I'd probably look toward enterprise. My real passion is management, I love working with my co-workers and generally helping other people. I feel like I have a lot of ideas from a management perspective and I've been told it's something I should pursue. Unfortunately, a management position in this company wouldn't open for another 10-15 years. I would love to hear any thoughts on my current situation and suggestions moving forward!



Best TR-069 Server Software/Server? (ISP)

Hey Guys,

We are looking into cutting OpEx cost (We pay around $70k year for a managed ACS) and wanted to move it to open source / or paid and saved. The features we would be looking for is being able to mass upgrade/send scripts to the devices like change local password, SSID/Password, etc.



Reliable open source application that can receive and send data via TCP

Can anyone recommend an open source application that would allow me to test my applications ability to send and receive data via a TCP connection? I plan to install it on a separate PC from my application I'm testing.

Preferably an application I can run on Windows but can also use Linux.



Are Most NOC Jobs Monitoring and Keeping SaaS Cloud Apps Up ?

I'm studying for my CCNA Routing & Switching certification and was expecting to get a NOC job where I would be supporting network infrastructure devices like routers and switches. It seems like a lot of the NOC jobs out there now are simply keeping SaaS cloud apps up and working with a lot of server maintenance and API work.

Can someone clue me in on the current state of things?



Meraki assigning multiple public ips to internal routers

So we're going to have one fibre line into our building leading into an mx250.

Currently working out how to assign the public ip addresses we have through that line to the various businesses in the building.

Each business should have its own public ip address assigned to their own router.

Rudimentary map here: https://i.imgur.com/cI6dSWg.jpg

Had a look into NAT but not sure that's the right solution.

I'm a bit of a networking newbie, so any pointers into the right protocol to be using that would be highly appreciated.



ADSL Telephone line wiring help needed.

I don't know if this is the correct subreddit first of all, but I am trying to attach a telephone extension downstairs. This is the socket I have that goes into another socket that has the main cables in it. Now the main cables are good since the internet is working, but I need some help to know in which way to attach the wires for the telephone line extension. The imgur link below has what socket I have and what wiring I had in the extension, everything labeled. Also one of the cables was 100% never connected to anything.

Side notes: Other side of the extension is good because it was untouched. I live in Malta which I think we use UK standard if that helps.

Pictures of what I have: https://imgur.com/a/b9Qkq0Y



Campus Style 'Anycast Gateway' - Sanity Check

Hi Guys,

Looking at re-designing our head office network (collapsed core) and want to go Routed at the access layer, to stop BUM traffic traversing the core and have some nice ECMP going off - and all the other nice features that go with this architecture.

We have Juniper Ex2300's in the access layer in a VC config at the moment with the standard feature set. These were only recently put in as a like for like replacement of the old access layer so these will have to stay.

We currently have vlans that span between 2 wiring closets via the core. so for example, vlan 10 exists on both access switches and the SVI/IRB for this vlan is on the core switches.

With the routed access layer, we don't want to re-ip if possible but we still want the flexibility to have these vlans exist on any switch - this is solved via a simple L2 trunk between the access switches (yes I know we should be using fancy overlay technologies but we are cost prohibited atm)

My question is to do with default gateways for the VLANs - now these will sit on the access layer, but the vlans will span both access layer switches - I was originally thinking VRRP between the access layer switches via the L2 trunk. however this is a licence based feature on Juniper 2300's (lol wut?) - So I was thinking about some sort of anycast gateway setup (if possible, and would this work?) - I could configure the same IRB on each access switch but change the mac address to the same value on each IRB per switch using the 'set mac' command - allowing an active/active gateway setup

would the above pose any issues? I am looking to lab this out but I would be interested to know if anyone has done anything like this before?

Thanks



Branch office connectivity

Hello!

I inherited a network, with two offices, one located in a different city. Linking the offices are 2 MPLS tunnels offered by different ISPs on 2 different routers. If the main link goes down, we have to manually add/remove static routes on servers and clients and do the reverse when it comes back up. I know there has to be a better way of dealing with this. Kindly help out, any suggestions are welcome



GSM to SIP gateway suggestions for failover in the UK, Mitel PBX

Hello,

I need to sort out the possibility of GSM failover in the UK for Mitel PBXs in hospitality. I'd like failover available for inbound on our SIP lines. Where the SIP fails, it will hunt on to a couple of mobile numbers. Possibly allow a dial prefix to dial out over them when there is an issue, or use the expensive route warning option on the mitel routes.

I've started looking and not reached out to anyone yet. Seen sites like https://www.voip-info.org/voip-gsm-gateways/ with tons of products to look at.

Does anyone have any experiences to share? Or products to recommend before I dive into this seriously and invest time?

Any advice on devices that support good monitoring as well would be appreciated. SNMP I guess would be the preferred method here.

Thanks in advance.



Draytek Vigor 2830n woes

Hi, not sure if this is allowed here and apologies if not!

Our office has just added a Draytek Vigor 2830n (old router but better than our previous). We mainly use Macs and every Apple device we have connected to the WiFi has access to the internet and local network. All perfect! However, any other device we've tried to connect - a Windows 10 laptop, a Chromebook, an Amazon Echo, will all connect to the WiFi but have no internet access.

Has anyone experienced this before?



Great Firewall of China blocking my Website

Hi guys,

How do you deal with the GFW of China blocking your website? This is happening to me for over a week now. They seem to block it in different ways, but in all of them, TCP establishes but SSL does not, either because they reset it or because they try to reduce the cryptography to really low levels (e.g. use SSLv3), which causes us to drop it. Seems like it's based on the FQDN, but changing names all the time to avoid it is not feasible :(

How do you guys deal with it for a fix that doesn't involve hosting your website in China or recommending customers to use VPN? Any CDN Provider capable of Tunneling it out of China?

Thanks



Question on APIPA

What reason would a network printer set to DHCP have an APIPA address even if you power cycle the printer?



Need clarification on image upgradation for cisco stacked switches

I am planning to upgrade IOS in stacked 3560 and 2960 switches. Cisco doesn't have any documentation of the steps for upgrading the image in these switch models; however, it does have a document for upgrading the image in a 3750 stacked switch (link below). I have 2 questions:

  1. Can I follow these steps exactly as they are for upgrading the 3560 and 2960 switch models as well?
  2. Is there any potential problem or bug that I need to be aware of when upgrading stacked switches that is not mentioned in Cisco documentation?

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/64898-upgrade-3750-stack.html



Packet Loss on Wired Connection

So for the past 3 years living in on-campus apartments, I have never had any packet loss issues. In November I noticed huge packet loss issues ranging anywhere from 2-25% packet loss. On average, it hovers around 2-5%. I have asked to get this checked when the coordinator came in to check on it, he asked me to run the program I've been using to monitor the packet loss (PingPlotter) and to run some games in the game I play that is able to show real time packet loss (Fortnite).

So there I am in my apartment playing Fortnite while he watches the packet loss on the top left corner of the screen. It fluctuates from 3-7% and he says that it's normal due to network congestion. This back-and-forth I have with the IT department here about my packet loss is getting really annoying. I've lived in the same place for the past 3 years and I have never experienced packet loss at all and then all of a sudden it's considered normal.

I am on a wired connection. I was just wondering if it is really normal because when it does spike up to 10-20% I do experience low connection speeds even when trying to open up pages or when I'm trying to submit assignments. I have looked online and many people have stated that packet loss over 1% is considered bad already.

I was wondering if this is in fact normal.



Type-C to Ethernet adapter

I am looking for a good Type-C to Ethernet adapter that supports promiscuous mode. I have tried two so far (not an official one), but they all only capture my computer's traffic, not whole network.

Can anyone recommend an adapter, which supports promiscuous mode?



WiFi USB Adapter/PCIe WiFi card purchase advise

First of all, sorry for bad formatting, I'm on mobile.

So my recently purchased TP-Link Archer T9UH AC1900 WiFi adapter broke yesterday and I'm looking for a replacement.

I'm not sure what the benefits/disadvantages of WiFi adapters/PCIe WiFi cards are, so I don't know which type of product I should go for.

My requirements on the product are the following:

I want to be able to fully access my bandwidth, which is 300Mbit down and 30Mbit up. (Which was no problem with the TP-Link Archer.)

Should have all modern standards (5Ghz, etc)

Distance between my PC and my Router (Connect Box from UPC/Unitymedia) is about 8m going through 1 plasterboard wall.

Cost should be 70-80€ max.

Thx in Advance for any advice!



Catalyst 9500 and 9200

I have a network project and my provider offers me one stack of 2 Cat 9500s for L3 and 10 Cat 9200 48-port switches for L2. Thank you for advising me: are these new switch models stable, and is DNA licensing necessary? And if I buy 4500X with 2960, do I risk finding them end of life next year?



Packet loss or disruption?

In an enterprise, when you have 2 internet lines(both of which are used) terminating in 2 different Data Centers, what happens when you shut down one of the internet line on the gateway (Internet) router? Assume 30% of the traffic uses this line. iBGP runs between the 2 enterprise gateway routers.

I am specifically interested in how Skype, VPN, applications and, let's say, a file upload/download to the DMZ, for example, will get affected. Will the Skype/VPN user get disconnected, or just freeze and reconnect? What about file transfers?

Will this be considered as packet loss or disruption?



Thursday, February 7, 2019

Logging into Cisco routed ASA from a device for which it's the default gateway

Hello, I have an ASA firewall in routed mode acting as the default gateway for several subnets. After looking through the running-config I found that it allows certain subnets to SSH into the FW, but my tests show that any given device can only SSH to the ASA only when using the ASA IP address in that same subnet (sample topology).

In the sample topology, 10.0.0.100 can only SSH into the ASA using 10.0.0.1, not 10.1.1.1. Also, the ASA has a management interface configured (not shown), but neither computer can log into it. The ASA has inbound ACLs allowing any host to SSH to any host from any interface, so I'm not sure what I'm missing.

I'd like to log into the ASA using the same IP address (preferably the mgmt interface) no matter where I'm starting from. Does anybody know what I'm missing here?



Quick noob question no upboat pls

In an enterprise environment, if there is a bunch of workstations connected to a Catalyst switch with a transceiver in between, and one particular switchport shows up/up with 2-3 packets input and 10+ output, no errors on the interface, but can't ping the workstation IP, is it possible that the workstation is turned off?

I had thought if the workstation was turned off the port would show down/down (notconnect), but then I thought maybe if it's going to a transceiver first it would show up/up. Even if the switchport is plugged into a workstation that's turned off, isn't there still electricity/frames/anything constantly transmitting across the wire?

If the switchport is up/up and passing traffic but the workstation cannot be pinged the only other thing I can think of is bad DHCP pool because ISE/ip helper checks out



BGP route-reflector and BFD?

I'm trying to configure BFD for our BGP on our MPLS network. I've configured it already for EIGRP, which we use as our interior routing protocol, and it's pretty straightforward: just both sides of each directly connected interface. But for BGP in a route-reflector setup, what interfaces is BFD configured on? We have loopbacks that we use to peer up to the route-reflectors. Do the BFD configs go on there?



How Are You Managing Smart Licensing Internet Access Requirements On Your Network Kit?

Since smart licensing is just a new annoying thing I have to take care of, and I am wondering how you guys are managing internet access for all your kit so that it can reach the smart license servers? It seems very annoying that I need my kit to "speak to the internet" in order to use my licensing. I'd rather my management access of my kit did not have internet access, but now I've got no choice. I am therefore wondering how you guys are managing this BS internet-access requirement for your switches/routers/fws? So far I'm basically just using a NAT overload to give it internet access. I'm wondering if there is some proxy, or more elegant method of keeping your kit in contact with the smart-license servers?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Virtualization at the edge -approach, issues and concerns

Hi guys

How do you deal with virtualization at the edge or in hub sites? Today I had an interesting discussion with my colleagues about this. The conclusion (theirs) was that we do not virtualize at the edge because the support model is going to be a nightmare. More exactly, we will have a Cisco UCS that can run virtual appliances for us, but the host OS will not be supported by our team and then there will be issues around that (each support team pointing to each other).
Another concern was who does the backup for these devices and any other support activities that require hands and eyes in the remote locations (hub sites or edge).

To be honest I think that this is a non-issue, but since I have no experience with these I thought I would ask around to see what others think. Please share your opinion and experience.



Lab-network Need 1000+ IP addresses on same subnet (DHCP) easiest way possible..

I have an AT&T router (Uverse internet) and some switches, access to computer hardware, wiring etc. My issue is that I immediately ran out of IPs since the 192.1.x.x/255.255.255.0 network that the router leases from only allows 190 or so. How can I get 1000+ (500+ needed) on the same subnet with minimal effort (disregard throughput etc.)?

My 'idea' so far is to simply leave the router as default, and use a Netgear FVS318 ProSafe VPN Firewall and simply wire it to the router with 176.16.x.x / 255/255/252/0 network settings for the DHCP to hand out IP's to the rest of the lab. Seem reasonable?

Ideally I'd like to be able to cross access devices from the 192 network (router) to the 176 network but not sure if it's wise.

I believe this is the router if that changes anything?

https://www.newegg.com/Product/Product.aspx?Item=9SIAJ7W8HJ3141
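The sizing question above (how many usable addresses a given mask leaves, and what the smallest prefix is that fits 500 or 1000 hosts) is easy to get wrong by hand, so here is a small planning helper. This is an added example, not code from the original post; the network strings and host counts it is called with are constructed, and the RFC 1918 check uses the standard library's own private-range knowledge. It also flags whether a candidate range is actually a private block, since a lab network on a non-private range can collide with real Internet destinations.

```python
import ipaddress
import math


def usable_hosts(network: str) -> int:
    """Usable host addresses in an IPv4 network (network and broadcast excluded)."""
    net = ipaddress.ip_network(network, strict=False)
    return max(net.num_addresses - 2, 0)


def smallest_prefix_for_hosts(hosts_needed: int) -> int:
    """Longest (smallest) IPv4 prefix that still leaves hosts_needed usable addresses.

    Two addresses per block go to the network and broadcast address, so we size
    the block for hosts_needed + 2 and round up to the next power of two.
    """
    host_bits = math.ceil(math.log2(hosts_needed + 2))
    return 32 - host_bits


def plan(network: str, hosts_needed: int) -> dict:
    """Report whether `network` fits `hosts_needed`, and which prefix would.

    `private` is True only for RFC 1918-style ranges as known to the stdlib
    (10/8, 172.16/12, 192.168/16 and a few others), which is the check a lab
    address plan should pass before it is handed to a DHCP server.
    """
    net = ipaddress.ip_network(network, strict=False)
    usable = max(net.num_addresses - 2, 0)
    suggested = smallest_prefix_for_hosts(hosts_needed)
    # Re-anchor the suggested prefix on the same base address for comparison.
    candidate = ipaddress.ip_network(f"{net.network_address}/{suggested}", strict=False)
    return {
        "network": str(net),
        "usable": usable,
        "fits": usable >= hosts_needed,
        "private": net.is_private,
        "suggested_prefix": suggested,
        "suggested_network": str(candidate),
    }


if __name__ == "__main__":
    # Constructed inputs: the current /24, and two /22 candidates.
    for candidate_net in ("192.168.1.0/24", "172.16.0.0/22", "176.16.0.0/22"):
        print(plan(candidate_net, 1000))
```

A /24 leaves 254 usable addresses, which is why the pool runs dry; a /22 (255.255.252.0) leaves 1022 and is the smallest block that covers 1000 hosts, and a /23 covers the 500 minimum. The `private` field is the one to watch when choosing the second range: `172.16.0.0/12` is the private block, while `176.16.0.0/22` is public address space that belongs to someone else.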



Cisco ISE 2.3 -> 2.4 Upgrade Experiences

With the recent End of Maintenance and Support announcements for ISE 2.3, we need to start planning an upgrade to 2.4. Wondering if anyone here has already gone through this upgrade and what their experiences were.

The upgrade process looks like a hell of an awful time (3-4+ hour upgrade time per node, changing Guest OS settings in VMware, etc.), and there are some things in the 2.4 release notes that don't give me warm fuzzy feelings about having a smooth transition.



Deactivating SSID on specific Aruba (Instant) APs in the night / SSID only on some APs

I recently started work as a sysadmin for a small hospital. The network infrastructure is quite okay and consists mostly of HP Procurve and Aruba-branded-HPE stuff. While proper wifi controllers are to be implemented in reasonable time, at the moment Aruba Instant is in use.

The hospital does not want certain external visitors (they see as sketchy) to populate the entrance hall to use the wifi so we are told to shut it down in the evening.

No problem from a technical point of view, even if it's solving human problems with IT. Except, the area around to the A&E/emergency room uses the same SSID - and there are no such problems with sketchy people as there is enough hospital staff, so people would like to keep wifi active there.

Is there any way in Aruba Instant implementations to stop selected APs from broadcasting the SSID in certain timeslots (without manually removing patch cables) or is the only scriptable solution to shutdown the APs switch ports through some external job? Thank you for your help.



ASR as a b2bua

I've been chucked into the deep end with a project that's completely new to me. Been tasked with building a voip solution utilising Cisco ASR as a sort of SBC via inbound and outbound dial peers.

I understand how dial peers work, they match on a pattern and then define a session target. Correct?

This is where I'm not 100% sure..... Say we have a number of different voice carriers coming into our network, and we've been asked to provide them with 2 x /27 subnets, one which we will target, and one which they will target. If I'm correct in thinking, the IP addressing behind our leg of the ASR/SBC is actually irrelevant. As long as they hit the ASR/SBC, then the dial peers will ascertain what the other leg of the call actually goes to?

Can anyone help fill in the gaps of my knowledge?



Controller interface vs Serial interface

I have a Cisco 2900 voice gateway router, and I'm trying to eliminate some unneeded PRIs and shut some T1 interfaces to make sure there are no issues with voice calls. Looking at the config, does, for example, Controller T1 0/0/0 represent interface Serial0/0/0? And is Controller T1 0/0/1 the same physical interface as Serial0/0/1?



Anyone have any experience with a CXR Larus Tiempo bits clock? Trying to get NTP out of it.

I work for a telco. We have a CXR Larus Tiempo 6400A for a bits source for our voice switch. I am trying to use it as an NTP source for our network but am having trouble getting time info out of the NTP network port.

I noticed that under General Settings there is a System Operation Mode with 3 options, one of them being Clock Distributor. It's currently set to BITS.

Am I thinking correctly that for NTP to work I would have to set the system mode to Clock Distributor? I can't do BITS and NTP out of one unit?

I have not been able to find any documentation about this device and emailed the manufacturer with no reply.

Anyone have any experience with this?



Cable planning

Hey, I'm regularly doing networks for events. To plan the cabling beforehand, I currently draw a network plan fitted to the location, basically where the switches should be deployed and where the cables will run. In addition to switches we have some access points and printers.

To determine the length of the cables I currently measure manually in a PDF with measurement tools and write it down in an Excel sheet.

Is there any affordable software solution to help with that scenario? I know there are some big solutions, mainly for data center planning. They are too specific and most of the time cost huge monthly license fees.

Thanks for suggestions, if there might be any.



Difference between socket and port from software side.

Just wanted to know the difference between a socket and a port from software perspective. From what I have understood, a socket is the interface the transport layer uses to provide services to the upper layers, while a port is used to identify the service or protocol like HTTP or SMTP. Please correct me if I am wrong.
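The distinction asked about above, shown in working code as an added example (not the poster's code): a port is just a 16-bit number, while a socket is the endpoint the OS identifies by protocol, local address/port and remote address/port, so several distinct sockets can share one port number. The script only uses the loopback interface and lets the OS pick a free port.

```python
import socket


def endpoint(sock):
    """Describe a socket by the tuple the OS uses to tell it apart from
    every other socket: (protocol, local address, remote address)."""
    proto = "tcp" if sock.type == socket.SOCK_STREAM else "udp"
    local = sock.getsockname()
    try:
        remote = sock.getpeername()
    except OSError:  # a listening or unconnected socket has no peer yet
        remote = None
    return (proto, local, remote)


def demonstrate_socket_vs_port():
    """Create several sockets that all share one local port number and
    return (port, [endpoint descriptions]). Constructed example on loopback."""
    # One listening TCP socket; port 0 asks the OS for any free port.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(2)
    port = listener.getsockname()[1]

    # Two independent clients connect to the same port number.  Each accept()
    # yields a *new* socket on the server side, still bound to that same port;
    # they differ only in the remote (client) address/port.
    clients = [socket.create_connection(("127.0.0.1", port)) for _ in range(2)]
    accepted = [listener.accept()[0] for _ in range(2)]

    # A UDP socket may bind the very same port number at the same time: the
    # protocol is part of a socket's identity, so there is no conflict.
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", port))

    server_side = [listener, *accepted, udp]
    described = [endpoint(s) for s in server_side]

    for s in server_side + clients:
        s.close()
    return port, described


if __name__ == "__main__":
    port, entries = demonstrate_socket_vs_port()
    print(f"four distinct sockets, all on local port {port}:")
    for e in entries:
        print("  ", e)
```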



LoRa and Xbee pro900MHz

I created a post before about wirelessly transferring messages from sensor to gateway that would be at most 2km apart from each other. The message would go through gateway to local server. I would be working with 40 endpoints (that are present in field) sending messages to the local server. Just to recap my requirements:

  1. I am currently working with 40 nodes that wake up every 1 minute. So I would like to have battery life of at least 3-5 years.

  2. I would like to have 95% accuracy from the node.

  3. A fully bi-directional messaging feature is the goal.

I did try several tests with LoRa and I started getting the results that I need. However, I noticed LoRa's packet drop starts increasing over time. Since I am in no rush to push the changes, I am looking into proprietary products where development efforts could be eased. I recently came across Xbee pro 900MHz (https://www.digi.com/products/embedded-systems/rf-modules/sub-1-ghz-modules/xbee-pro-900hp). Digi offers a complete solution as far as I know and I like the range the product offers. Before ordering the module, I would like to know what you guys think about Xbee pro 900MHz usage compared to LoRa. Please keep in mind that power or price is not a concern to me.



Beginner MPLS Resources

I thought I would ask this here, as I know many of you work on large campuses or in the SP space.

I currently have a network that uses VRF-Lite to keep tenants and departments separate on a campus network. It's getting to the point where I would like to use MPLS for more expandability, and to reduce the number of VLANs on trunk ports. Are there any resources or starting points that you've found particularly useful? We're a Cisco shop, so it can be vendor specific, if you want.



1G Network Saturated - 10G advised?

Have a network with a few servers saturating the switches, totaling roughly 800 Mbps daily.

What can I gain from adding 10G cards into the servers, connected to 10G switch, then aggregating some 2-4g connections to my other switches? The other users are nowhere near using the 1GB bandwidth. Can I expect to clear up the perceived network congestion and see improvement in the main application (db webapp)? Worth the cost?



Need help with finding a good Pentesting Firm/Individual

Any good pointers when evaluating pen-testing firms?

Is it normal for them to ask to install appliances to grab network information?

How would you evaluate a company or individual for pen testing?



Nexus 5k L1/L2 ports?

I can't seem to find any documentation on what the L1 & L2 ports do on the Nexus 5k.

Right now we have 2 5ks as VPC peers, using the mgmt ports for vpc keepalive. I'm building an OOBM network, so in researching using the mgmt interfaces for actual management, I'm trying to figure out what exactly L1 & L2 can be used for. Can I use them for vpc keepalive? Or something similar to how Fabric Interconnects use L1 & L2 to cluster?



What do you use for OOB Switches?

I'm just curious what others are using for OOB switches? I'm spec'ing out a hub & spoke topology for OOB at a hospital. The spoke switches really only need a couple of ports - just curious what equipment everyone else was using.



Cisco 2960L problem resetting to "factory default"

Background

I have a number of 2960L's (cisco WS-C2960L-8PS-LL, running Version 15.2(6)E to be exact). So far they've been working fine (mostly).

My application is very primitive. I am using these in manufacturing test stations to power up and configure some PoE-based devices that we are manufacturing. I am literally just using them as power sources, DHCP servers and LAN for a factory workcell (no routing to outside network). The "network" consists of just the 2960L switch, a PC with a patch cable going into one of the switch ports and the other ports get plugged in whenever we configure devices at the factory.

I had been successfully configuring the switches by following the "Easy Setup Guide". Basically you take it out of the box, power it up, connect an ethernet cable to a laptop configured to get its IP address from DHCP and follow directions using the web interface provided by the switch at its default IP (10.0.0.1).

Problem

Unfortunately, while configuring the last one, I got dragged into something and had to leave it for several days. When I came back I figured I could "reset to factory default" following directions in the Easy Setup Guide and start over. That's where the problems started. The setup guide has instructions for performing a "factory reset", so I got a USB cable, launched a terminal emulator and did the following:

mySwitch>enable
Password: *****
mySwitch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
mySwitch>reload

At this point I removed the USB cable, waited for the LEDs to indicate full boot, and then tried to connect my laptop as before. Unfortunately, the switch isn't giving my laptop an IP address like it did before and so I can't use the instructions in the Easy Setup Guide. So, I reconnected the USB cable, and saw that there was this on the console:

Would you like to enter the initial configuration dialog? [yes/no]: no
Would you like to terminate autoinstall? [yes]: yes

I really really don't want to get lost in the CLI of this thing, so I terminated the "autoinstall" hoping that it would just be like it was when I first took it out of the box (that's what "factory reset" means, right?). Unfortunately... that didn't work either, it did not give my laptop an IP address, and worse, when I went back into the CLI and did an "sh run" I saw that it didn't even have the factory default IP address 10.0.0.1 (it had none, "no ip address" for vlan1).

If there's no way to get this thing back to actual factory default, I would really like to do the following without going insane:

  • Assign an IP address and netmask.
  • Make it become a DHCP server, so when I plug in my laptop, it will give my laptop an IP address.

If I can do this, I think I can get back to the web interface of this switch and finish my configuration.

As I said, I have a very primitive setup: I don't care about VLANs other than vlan1, I just want to connect a PC to one of the ethernet ports and use the thing for DHCP, power and communication with devices on the other ports. Any advice would be much appreciated as I am stuck!



Would seeing this output cause you concern?

So, I had an intermittent problem where I would lose my connection to a host. I would run a ping for a couple of minutes and eventually pings would stop coming back for a minute or 2. Not being in Ops anymore but still having my access to the hardware, I decided to have a look, as it feels like a layer 2 problem. So I do a sh mac add add xxxx.yyyy.zzzz while pings are dropping. Here is the output:

sh mac add add xxxx.yyyy.zzzz
 vlan   mac address       type     learn   age   ports
------+----------------+--------+-----+----------+--------------------------
switch 1 Module 4:
*    2  xxxx.yyyy.zzzz    dynamic  Yes       0   g1/1/3

Ops is dicking me around: We can't reproduce the problem, so no problem. G1/1/3 is not on module 4 and it is the FAST-HELLO port for the VSS.



Protocol vs Interface vs Service

I have been confused by these terms for quite some time, particularly between Protocol and Interface. From what I have understood, a protocol is how a layer communicates with the corresponding layer (OSI Model) and provides a service to the layer above it, and the medium through which it does so is the interface. So does that mean that the protocol contains services and interfaces?

Please correct me if I am wrong. Thank You!

I put in effort this time. Sorry for not doing so the last time!

Cheers!



I need help with creating a network diagram

So I'm fairly new in the industry and we are a rather small IT company. Now one of my tasks as a beginner is to create a network diagram. I have no idea how I should approach it and what exactly I should do and wanted to ask you guys for tips. Are there any tutorials etc.?



Cisco ISE Guest Identification

ISE Version: 2.3

Portal Type: Self-Registration

Issue: Would like a way to tie MAC address to Guest Usernames

I'm failing here. I have a user I need to track down but I cannot find them in any of the ISE Reports I have searched. Either the identity field shows up blank or has the MAC address as the username. I cannot find who this MAC address is registered to. As for the AUP Acceptance Status: although we require an AUP at the time of registering an account, it has never shown a username if the user went through the self-registration portal. I have also checked Radius Accounting, Authentications, and everything under Guest reports. It seems like the username will pop up at random when they authenticate to the guest wireless network. I very well realize this may not have been set up correctly.

I wish there was a way to see what ISE knows; which devices are tied to which Guest account since there is a limit of concurrent device connections per guest user.



NSX multi sites question

Hi,

Let's say you have Data Center A and B and you stretched a subnet in NSX across both sites. These two DC are connected with high bandwidth links (let's say dark fibers).

Now these two sites are also connected to several remote sites (desktop users) through a WAN.

Now you have a server on that stretched subnet that can move between DC A and B.

If a user on a remote site wants to connect to this server and it's currently located in DC B, how do you make sure the traffic from this remote site takes a direct path to DC B and does not go to DC A first and then through the dark fiber links to DC B?

thanks



Protocols vs Interfaces vs Services

Could someone please tell me the difference between these 3? What I have understood so far is that the protocol operates within each layer and provides the interfaces and services.



Cisco 2960-XR w/ IP Base: mgmt port not on VRF?

Hi all,

Just got a C2960-XR-24PD-I switch, where I am doing static routing between VLANs. I configured the "Fa0" port with an IP on my management network, and then set up the needed VLANs and their SVIs, which got their requisite IPs.

In reviewing the resulting routing table however, I see that the management network is being added to the same default routing table that the SVIs are on; due to the topology of the networks, however, I do not want the management net to route to the SVI networks... It should just be a means to access the switch’s management plane. How can I separate out the management port from the SVIs?



Cisco 9500 Stackwise Virtual

Hi,

Has anyone deployed this on their networks? It's been out for a while now and wondered how people are getting on with it. Has the software been reliable? I am considering using it on a 9500-40x where it would be useful to have multi chassis etherchannel.

Thanks.



Which is the better job: NOC Technician or Network Technician?

I'm pursuing a career as a network engineer. I was recently offered two jobs. I'm trying to figure out which job would be better for achieving my goal of becoming a Network Engineer. I have a 4 year degree and CompTIA Network+ and Security+ certifications. I should have my Cisco CCNA (R&S) by this summer. I have about 3-4 years of mostly Tier 1 support type experience.

Which one do you think is the better job? Which one will offer the better path towards becoming a Network Engineer?

1. The first job is working for a SaaS in the Healthcare industry. Its official title is NOC Engineer. Its salary is about 10K more than the other job below. Here is the job description:

The NOC technician position is a great opportunity to work with fellow engineers, gain experience in a variety of technologies and explore other roles within the company.

Who will love this job

  • Problem Solving: You will monitor and troubleshoot the server, network and operating systems and the internal production systems in a data center environment. We strive to resolve issues while maintaining a 99.9% uptime rate for all systems.
  • Learning: You are a lifelong learner; you will have the opportunity to gain knowledge of how our infrastructure works in relationship to our customers and end users
  • Communicating: You will work with internal teams to report or resolve system related or network issues and communicate them to the rest of the team
  • Delivering: You will be responsible for monitoring, maintaining and troubleshooting 250+ servers and 150+ network devices located at more than five locations and resolving issues in a timely and efficient manner
  • Graduate degree or Undergraduate degree in engineering or Computer Science
  • Two to three (2-3) years of experience with network and server hardware and the ability to diagnose and troubleshoot basic problems
  • Must be able to work in a 24x7 rotating shift environment on either the Swing or Graveyard shift
  • Knowledge of basic TCP/IP and other Internet protocols as well as experience with tools such as Ping, Traceroute, NS Lookup, DIG, MTR, Netstat, Netsh, etc.
  • Working knowledge of operating systems; Windows OS, Linux OS
  • Ability to troubleshoot Cisco network devices, routers and switches and other network related hardware
  • Knowledge and experience with Zabbix and other open source monitoring management systems (a plus)
  • CCNA, MCSE, Network+ or Linux+ certification is a plus
  • Experience with XML (a plus)
  • Scripting experience (Python, Ruby, Perl) (a plus)
  • Knowledge of relational databases and experience with ADO.Net with SQL and Oracle databases (a plus)
  • Experience with server-side languages such as PHP, Python, Ruby, Java, JavaScript and .Net (a plus)
  • Database technologies such as MySQL, Oracle, PostgreSQL and Mongo DB (a plus)
  • 90% Desk/phone work
  • 10% Standing/moving throughout the office

We offer comprehensive benefits to keep you healthy as you grow in your life and career. Your merit-based compensation will reflect the impact your work has on the company and our customers.

2. The second job is for a large federal government agency working as a contractor. The official title is Network Technician. This job will pay about 10K less than the job above. Here is the job description:

Job Summary

XYZ Company is seeking a Network Technician to assist in the development and maintenance of network communications. Knowledge of LAN/WAN systems to install and administer internal and external networks. Test and evaluate networks. Has knowledge of commonly used concepts and practices and relies on experience and judgement to perform the functions of the job. Can work under general supervision.

Minimum Requirements

Bachelor’s Degree plus 0-2 years of relevant experience

Must be able to obtain Government Suitability clearance

Preferred Qualifications

Previous Government system experience is preferred

Clearance Required: Yes



Question: Is it possible to block a website/services at state/provincial level

I've been doing research on website filtering as part of my cyber-security research paper for my Networking class.

While browsing, I've stumbled upon an article regarding Pennsylvania's attempt to block pornography sites back in 2003/2004. At first, I didn't know blocking websites at state level was possible since the US' network infrastructure is highly centralized (especially ISPs with a national footprint). This was considered unconstitutional and thus was not implemented.

However, I also found an article about Quebec's plan to block gambling websites but that was also struck down due to communications being a responsibility of the Canadian federal government.

Speaking of Quebec, I've also read an article about retailers blocking traffic from Quebec since they did not have a French version of their site. What baffles me is that geolocation data for IP addresses is sometimes incomplete (no state/city/etc.) and/or ISPs would borrow IP addresses intended for another locality to make up for the shortage.

Which leads me to this question: can websites/services be blocked at a state/provincial level? I don't exactly know how ISP infrastructures are set up in the US. Actually, I'm not familiar with how ISPs set up their networks, although I believe it should be the same as how internal corporate networks are set up, but at a larger scale. For the opposite (websites blocking certain states), I think it's possible, but the inaccuracy of IP geolocation pretty much defeats the point in my opinion.



IPSec Ikev2 test server

I'm trying to set up a local IPSec server to test our equipment before we release it to customers. I have a Cisco ASA 5505 firewall, but I've never used Cisco equipment before.

Do you guys have any tips for an easy way to test the IPSec setup locally? The equipment uses Ikev2 with only PSK.



Favorite L2 FTTH metro switch

(Probably only relevant to FTTH or other service provider operators) First time poster, long time listener.

I'm interested to hear what folks prefer for FTTH L2 switches (typical deployment is in MDU settings, such as commercial office buildings or apartment complexes). Ultimately I'm mostly focused on just breaking out unique port-based VLANs and a sane CLI. These are generally uplinked to an MPLS environment with a head-end L3 BNG router, so again, not looking for a bunch of fancy functionality on the L2 access side.

My own experience is limited to Alcatel & Juniper switches; they certainly have trade-offs. The ALU stuff is fairly cheap, but the OS has memory leaks which eventually drop SNMP/SSH/telnet access but still forward packets (the most recent Dec '18 firmware appears to resolve this issue). Juniper EX is stable but a bit expensive and is clearly a campus product line. A quick breakdown of desired functionality:

Required...

  • SFP/SFP+ with DDM exposure (have optics, can program to match any vendor DRM silliness)
  • ZTP - unattended firmware & configuration fetching
  • Q-in-Q (double stacking of VLAN tags)
  • RSTP
  • LLDP

Nice to have...

  • ERPS / G.8032 "ring" support
  • modern SSH (v2 w/ key support)
  • stacking support (mainly to make field tech install work easier)
  • OAM
  • Private VLAN (hide mgmt network for CPEs)
  • RADIUS
  • IPv6 mgmt (SSH, SNMP, NTP)
  • IGMP snooping
  • NETCONF/RESTCONF or any idempotent mechanism for deploying configuration changes

A couple of models compared... these vary from metro ethernet / service provider focused, to WISP, and even SMB/enterprise geared products:

Vendor / Model                        Street $USD   Specs (latest firmware release)
Alcatel-Lucent OS6450-U24X            $1,650        22 SFP-X, 2 SFP+, w/ stacking module (Dec '18)
Mikrotik CRS328-4C-20S-4S+RM          $350          20 SFP-X, 4 SFP+ (Feb '19)
Dell 8024F                            $1,000        24 SFP+ (Dec '18)
Planet Technology MGSW-28240F         $1,000        24 SFP-X, 4 SFP+ (Nov '16)
Cisco (Small Business) SG350XG-24F    $2,200        24 SFP+ (Nov '18)
Juniper EX4300-32F                    $2,200        32 SFP-X, 4 SFP+, 2 QSFP+ (Dec '18)

Much appreciate feedback, thank you!



Considering Fortinet FortiGate-60E for homelab - what are the subscriptions/costs

I'm a student and I'm considering a Fortinet FortiGate-60E for my homelab.

I've played with pfSense, Untangle and Sophos on my Chinese Core i5 Qotom. I don't know if I had a counterfeit chip, but I was never able to get more than 100 Mbps on my 300 Mbps line with AV, HTTPS etc. sniffing, so I'm considering an appliance such as the FortiGate-60E.

A few questions:

- How much does a full subscription cost for NGFW, AV, Web Filtering + Antispam Services for home/students?

- How much throughput should I expect to get?

- Is there anything else I should consider?



Wednesday, February 6, 2019

What is it like to be in pre-sales at a large ISP, as opposed to a VAR or vendor?

I've read a lot of discussions about the life of a pre-sales engineer at a VAR, and then some regarding life at a vendor, but I cannot remember a time I've ever heard anything about being in pre-sales at an ISP specifically.

So... for those of you out there who currently work or have once worked in pre-sales at an ISP, what is/was your life like? And how does it differ from the VAR environment?



When should I start doing Cisco Labs and/or GNS3

First post, bear with me..

Alright so a little backstory on me

I am in the AF and have just graduated tech school for Cyber Transport Systems (basically networking/sys adm/computer security) 6 weeks ago, got my Sec + cert and am currently looking at furthering my knowledge about networking on my own time.

While at tech school we got to play around with simulations similar to what I assume GNS3 and Cisco labs provide. But after looking at some of the labs I feel as if there are a bunch of things that weren't taught to me that I feel like I should know. I know basic routing and switching, VLANs, BGP and such, but don't know a thing about how to analyze packets or how to even read a log.

My question is this, should I go ahead and start with the labs anyway having the basic routing/switching knowledge that I do have and try and learn hands on how to setup a network and connect it myself? Or do you think there are specific classes online that I should be looking at first before I attempt to do any labs?



Edimax Switches

Hello Network gurus,

Does anyone here have experience with Edimax switches? One of our clients today had a user lose internet connection. Went to site and traced it back to the Edimax switch. They were the only user on the Edimax switch and in the end I just patched them through to a Cisco switch (which the rest of the office used). Just thinking now I might have to go back and try and diagnose what’s wrong with the Edimax and after googling my heart out I have found nothing. Any tips?



Interviewers, what questions do you like to get from the interviewee? / Interviewees, what questions do you like to ask the interviewer?

As the interviewer, what questions do you like to get from the person who you are interviewing?

As the interviewee, what questions do you like to ask the person(s) interviewing you?



Hey All! Today I came across a design that struck me as odd. It consists of two L2 switches plugged directly into their own separate ISP (multi-homed) uplinks. Each ASA in the pair sat behind its own ISP switch and both switches were trunked and port-channeled together. Is this secure/common?

I’m used to the idea of L3 devices like routers or firewalls being the termination point into the network. This kind of threw me off but I’m glad to have come across the design. I’m just wondering if it’s secure to have internet traffic ingress on a L2 connection and trunk data across the internal network.



Patching Switches?

We've had a risk assessor come through as part of our annual security assessment. We've been told we need to keep switches at the most current firmware in order to be in line with best practice from a security perspective. I've spoken with some of my local peers and the collective response has been that switches are patched only if there is a problem or a new feature set. So my question is: what's your practice?



After trying to help an affiliate engineer set up an IPSec tunnel for several hours...

...I literally wrote his config for him in Notepad and attached it to an email. What are some of your experiences with gross incompetence within the field?



line issue cleared during diagnostics - que ?

Hi,

"line issue cleared during diagnostics" is this some sort of cop-out from the ISP, in lieu of actual RCA, or does some magic really happen when they run a particular line test? I couldn't find anything on the net about it, but I do seem to recall from previous life working with carriers, that this kind of explanation was provided every now and then.

Would anyone know in more technical detail how that is possible, for constant prolonged packet loss to be cured by a given kind of diagnostics?

Cheers



Crazy Fiber question

I had fiber between two Juniper EX3300-48P switches working. It stopped and I found the fiber had been cut. I ended up pulling new fiber since the other one was very old. It's multimode fiber and the GBICs are for multimode. Plugged in the fiber today and no link. Tried switching ends of the fiber on one end and still no link. It does flash quickly a few times then stops. Any ideas?

Thanks for the help in advance



3rd Opinion: OM1 to OM 3

Got into a heated discussion with my boss regarding the purchase of OM3 patch cables (2 meters). Our entire backbone is OM1 and so is almost every other fiber run. He also knows that OM1 and OM3 are not really compatible, but went ahead and purchased OM3 cable and argued that, because the OM3 patch cable is fairly short, it shouldn't cause a significant loss of signal, and he wanted to future-proof this install. Admittedly, I get a little hard-headed about this stuff and I can't really fathom why you would do this intentionally. Is mixing MMF standards okay for short distances? Or is it a recipe for headaches down the line?



Why do we complicate networking?

The end goal of a network engineer is to move packets from point A to point B smoothly with integrity. When I go to groups with my colleagues, they talk too much jargon and technologies but their networks are not any special. Why do some network engineers want to sound cool and knowledgeable?



Honoring XFF header through Cisco ASA

Recently I found out that Cisco ASAs are removing XFF from the HTTP header. Is there an option to not strip it off when traffic passes the Firewall?



Zscaler issues

Any Zscaler users out there? I'm having intermittent performance issues in all the ZENs we terminate into (SF, LA, Denver, Dallas). Not really getting anywhere with TAC after 2 days.

If anybody else is experiencing similar let me know, thanks!



Company Doing a Vulnerability Scan Wants VPN Access

We have a security assessment coming up and I was told they need VPN access into our internal network to do a vulnerability scan and I'm not sure what to set up. I was thinking about a Clientless SSL VPN connection but I'm not sure. The company emailed me and said they just need remote access and will be connecting to an Ubuntu server to run the vuln scan.

Any tips on what to do? They didn't really give me much information.

My company firewall: ASA 5510 using ASDM 7.2

Edit: So I was informed that a Site-Site might be the way to go. This is what I have right now.

IPsec Site-Site

Peer IP Address: 123.123.123.123 (company's public IP)

Connection Name: 123.123.123.123 (company's public IP)

Interface: Outside

Protected Networks

Local Network: Not sure what to put here. I'm used to putting a certain IP but I assume a vuln scan needs the entire network

Remote network: 123.123.123.123 (company's public IP)

IPsec Enabling

Group Policy Name: DefaultGrpPolicy

[x] Enable IPsec

IKE Authentication

PSK: ******

Device Certificate: None

Encryption Algorithms

IKE Policy:

IPsec Proposal: 3des-sha



SonicWall TZ300 vs Cisco ISR 921

Good afternoon my fellow Engineers.

I manage about 170 locations that all have SonicWall TZ300s with about 5-10 employees at each location. I recently ran across the Cisco ISR 900 series routers, specifically the 921. It appears they're similar in price, and the 921s may possibly be cheaper. I need to confirm with our Cisco rep. However, before I do all of that, I'm curious if anyone has experience with SonicWall and Cisco SMB gear and if they prefer one over the other and why. I have about 20ish locations that I'm going to be rolling out new gear to, so I'm tossing around the idea of trying out the ISR 921s.

Obviously I'm aware that in general, Cisco is better than SonicWall, and all SMB gear is meh, but still looking for opinions.

Thanks