Saturday, March 2, 2019

What would three Cisco certified techs (CCNA) argue about?

Sounds like the start of a joke but my company won't let me hire any network people for my team and we can only use vendors. They say it is because the network engineers in the past have always argued and called each other morons and said they are configuring equipment wrong.

We have a fairly simple network with 15 offices across three states using AT&T MPLS. 1 Cisco ISR 4321 & 1 Cisco Catalyst 2960 at each location.

So my question is what could they have been arguing about that is worth calling each other morons? My assumption is that it is just what VLAN numbers to use or if we should administratively disable ports or use port security?

I am just curious if I could convince my management that they were arguing just to cause office drama and we can trust Cisco certified techs. They are all trained to a best practices standard.

Any help is greatly appreciated. If this post is not allowed please remove it.



A question from the sweet old days, I live in Syria and I am having a strange problem with my DSL phone line, I need some help please

Hi, I have a 4Mbps ADSL2+ line in my home (which is a big deal depending on where I live), a 300Mbps D-Link router and a 60 meter (65 yard) cable from the phone cabin to where the router is. Up until 2 weeks ago everything was OK: attenuation downstream was 30 and upstream was 25, and the SNR margin for downstream was 17 when the electric power was off and 10 when it was on (we are used to getting more noise when power is on, it's everywhere). Recently, though, the line has been having some issues. The router connects as usual, and then after a couple of hours the SNR margin starts to drop till it gets to 6 or 5 and then it disconnects. When it reconnects it gives me 3Mbps (which is still OK), but it keeps disconnecting and giving me slower speeds until it becomes somewhat stable somewhere around 1.5Mbps (sometimes less than 1Mbps), with an SNR margin of 6 for both up and down.

When I pick up the phone (which is connected through a filter) I hear a lot of noise when the speed is at its worst, and I get attenuation downstream around 40 and upstream around 32 then.

Keep in mind that I have an aluminum wire that connects the cabin to the router, and it is now a year old, and we have had rainy weather these days, but the noise isn't related to the rain or the wind; sometimes I get a noisy line without rain or wind.

here is what I have tried so far:

1- Examined the wire where I can examine it, and repaired some of the damage that has happened because of friction against some walls over the past year.

2- connected the line to the router directly without any filters or phones.

3- tried different routers.

If the problem is from the wire, then why does it give me good speeds sometimes all of a sudden?

And since I can replace the wire with a proper copper one (but it does cost me some money), should I consider that? Or should I try something else?

Any help is appreciated, this thing has been driving me crazy. By the way, I am a medical doctor so I don't really know if any of the above makes sense :D, but that is why I am here asking you guys what I should do.

And sorry for my English, it is my second language.

Thanks



Out of Order Packets

So with a recent post on the Fortnite subreddit, they've brought to light that the UE4 engine has had some problems with out-of-order packets, meaning the packets arrive in a different order than they were sent. These packets were originally dropped and now it appears as though they're reordering them inside of a buffer; I'm assuming this also means that the buffer can still only hold so many packets before it will once again dump the packets if they arrive too late.

https://www.reddit.com/r/FortNiteBR/comments/awagpo/packet_reordering_technical_post/

Essentially this is packet loss, even though the game does not alert the user of the issue (packet loss indicator) and there is no way to diagnose this problem as of right now.

Packet loss or extensive out-of-order packets would result in degraded simulation accuracy and make it very difficult for people to predict where people are going, register shots, and otherwise participate in a real-time fashion. This doesn't just affect Fortnite, it affects all games, and how extensively depends on the engine and the netcode. I did not know this was a huge issue, but apparently it is.

Currently there does not seem to be any sort of way of diagnosing this. I assume this isn't just the game, rather your connection, so ideally you could test this outside of a game setting. I also assume this would affect something like VoIP calls. Too big of a buffer and it introduces input delay which desyncs the conversation; too little and essentially you get packet loss and a garbled conversation.

There are tools for jitter, bufferbloat, latency, and bandwidth. Is there one for testing the severity of reordered packets or practical packet loss? I.e. depending on the size of the buffer it counts late packets as packet loss.

As mentioned earlier, I believe this wouldn't just be applicable to helping diagnose problems with games, but also VoIP.
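
The "late packets count as loss" idea in the post above, as an added example that is not part of the original post and not code from UE4 or Fortnite. It models a bounded reorder buffer in front of a consumer that needs packets in sequence: out-of-order packets are held up to a capacity, and when the buffer overflows the consumer abandons the gap and moves on, so the missing sequence numbers become holes (what the application sees as loss) and the packets that finally show up are discarded as late. The buffer sizes and the arrival order are constructed; the same function can be fed the counter values from any sequence-numbered probe stream.

```python
"""Bounded reorder buffer: counts abandoned gaps as effective packet loss.

Added illustration; the capacities and the arrival order below are
constructed, not measurements from any game engine.  Feed it the
sequence numbers of a UDP probe stream in arrival order to measure how
much reordering a given buffer size turns into loss.
"""

from typing import Dict, Iterable, List


def simulate_reorder_buffer(arrivals: Iterable[int], capacity: int) -> Dict[str, object]:
    """Push packets (by sequence number, in arrival order) through a buffer
    that holds at most `capacity` out-of-order packets while waiting for
    the next expected sequence number.

    When the buffer overflows the consumer gives up on the gap and resumes
    from the lowest packet it holds: the skipped numbers become holes, and
    if those packets arrive afterwards they are late and discarded.
    """
    expected = 0                     # next sequence number the consumer wants
    pending: Dict[int, None] = {}    # out-of-order packets held in the buffer
    delivered: List[int] = []
    late = 0                         # arrived after the consumer skipped past them
    holes = 0                        # sequence numbers abandoned (effective loss)
    max_distance = 0                 # worst reorder distance seen (seq - expected)

    def drain() -> None:
        nonlocal expected
        while expected in pending:   # hand over everything that is now contiguous
            pending.pop(expected)
            delivered.append(expected)
            expected += 1

    for seq in arrivals:
        if seq < expected:
            late += 1                # too late: the consumer already moved on
            continue
        max_distance = max(max_distance, seq - expected)
        pending[seq] = None
        drain()
        if len(pending) > capacity:
            # Buffer full and the gap still open: abandon the missing numbers
            # and resume from the lowest packet actually held.
            lowest = min(pending)
            holes += lowest - expected
            expected = lowest
            drain()

    return {
        "delivered": delivered,
        "late": late,
        "holes": holes,
        "max_distance": max_distance,
        "effective_loss": holes / expected if expected else 0.0,
    }


# Constructed arrival order: packet 2 arrives two slots late and packet 6
# five slots late.  Nothing was dropped by the 'network'.
SAMPLE_ARRIVALS = [0, 1, 3, 4, 2, 5, 7, 8, 9, 10, 6, 11]

if __name__ == "__main__":
    for cap in (3, 5):
        stats = simulate_reorder_buffer(SAMPLE_ARRIVALS, capacity=cap)
        print(f"capacity={cap}: holes={stats['holes']} late={stats['late']} "
              f"max_distance={stats['max_distance']} "
              f"effective_loss={stats['effective_loss']:.1%}")
```

With a capacity of 3 the sample stream produces one hole (packet 6 is abandoned and then discarded as late) even though every packet eventually arrived; with a capacity of 5 the same stream is delivered intact. That difference is the trade-off the post describes: a larger buffer hides reordering at the price of delay, a smaller one converts reordering into loss.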



IPv6 question

I'm looking at beginning to roll out IPv6 at work.
A router will announce prefix with O flag.
On servers I will manually configure their IPv6 addresses.
Clients will be able to get DNS information through stateless DHCPv6.
Some clients however need a static IPv6 address as well.
What is the best way of handling this in a way so that I don't need to use stateful DHCPv6 for all clients?

DHCP server is running on Windows Server 2019.
Network is not split into different VLANs.



Quick question regarding drops

So I have a question, it doesn't really need an in-depth answer.

I was wondering how most people deal with purely glass-wall presentation rooms. As in, can you have a drop in the floor? Do you just run cables in there? Just trying to get ideas on what's generally accepted.

Thanks in advance



Wendell Odom's OCG and TCP Retransmission logic

I've grabbed Wendell Odom's CCNA book set to begin studying for the CCNA and I'm a bit confused about how he explains how the TCP retransmission system works.

"Figure 1-7 shows web server Larry sending a web page to web browser Bob, using three separate messages. Note that this figure shows the same HTTP headers as Figure 1-6, but it also shows a TCP header. The TCP header shows a sequence number (SEQ) with each message. In this example, the network has a problem, and the network fails to deliver the TCP message (called a segment) with sequence number 2. When Bob receives messages with sequence numbers 1 and 3, but does not receive a message with sequence number 2, Bob realizes that message 2 was lost. That realization by Bob's TCP logic causes Bob to send a TCP segment back to Larry, asking Larry to send message 2 again."

First of all he lists the sequence numbers as sequential integers, but I'm guessing he's doing that to simplify things since it's so early in the book? Because it's my understanding that TCP sequence numbers don't work that way at all. But my real confusion comes in where he explains that the client notices it gets segment 3 before it gets segment 2, and the client explicitly requests the specific segment it thinks it's missing. Isn't TCP retransmission logic all based on the sender's side, based on ack timeout? And wouldn't receiving segments out of order happen naturally occasionally anyway?

This book comes highly recommended practically everywhere, so is there just something I'm missing here? I've looked around to find a case where TCP works the way he explains it, but all I can find is to the contrary. This is the newest edition of this book, which was released after they updated the CCNA.
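
The duplicate-ACK mechanism behind the book's description, as an added example that is not part of the post and not code from the book. In TCP (RFC 5681) the receiver acknowledges the next in-order byte it expects; when a segment arrives beyond a hole it is buffered and the receiver repeats the same ACK number, and the sender retransmits the segment starting at that byte after the third such duplicate ACK, without waiting for the retransmission timer. So the decision to retransmit is the sender's, but the receiver's ACKs tell it exactly which byte is missing. The initial sequence number, segment size and "segment 2 is lost" scenario below are constructed.

```python
"""Duplicate ACKs and fast retransmit, modelled on RFC 5681.

Added illustration; the initial sequence number, the segment size and
the lost-segment scenario are constructed.  Sequence numbers count
bytes, so each 1000-byte segment advances the ACK number by 1000.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

DUP_ACK_THRESHOLD = 3   # RFC 5681 section 3.2: third duplicate ACK triggers fast retransmit


@dataclass
class Segment:
    seq: int        # sequence number of the first byte carried
    length: int


@dataclass
class Receiver:
    rcv_nxt: int                                               # next in-order byte expected
    out_of_order: Dict[int, int] = field(default_factory=dict)  # seq -> length, held not dropped
    acks_sent: List[int] = field(default_factory=list)

    def receive(self, seg: Segment) -> int:
        """Process one segment and return the cumulative ACK number sent back."""
        if seg.seq == self.rcv_nxt:
            self.rcv_nxt += seg.length
            # a hole just closed: consume buffered segments that are now contiguous
            while self.rcv_nxt in self.out_of_order:
                self.rcv_nxt += self.out_of_order.pop(self.rcv_nxt)
        elif seg.seq > self.rcv_nxt:
            self.out_of_order[seg.seq] = seg.length
        # Every segment is acknowledged; for an out-of-order one the ACK number
        # does not move, which is what makes it a duplicate ACK.
        self.acks_sent.append(self.rcv_nxt)
        return self.rcv_nxt


@dataclass
class Sender:
    unacked: Dict[int, Segment]          # seq -> segment still in flight
    last_ack: int
    dup_acks: int = 0
    retransmitted: List[int] = field(default_factory=list)

    def on_ack(self, ack: int) -> Optional[Segment]:
        """Apply an ACK; return a segment to retransmit now, or None."""
        if ack > self.last_ack:
            # cumulative ACK: everything ending at or before `ack` is delivered
            for seq in [s for s, seg in self.unacked.items() if s + seg.length <= ack]:
                del self.unacked[seq]
            self.last_ack = ack
            self.dup_acks = 0
            return None
        self.dup_acks += 1
        if self.dup_acks == DUP_ACK_THRESHOLD:
            # Fast retransmit: the repeated ACK number is the missing byte, so
            # the sender knows which segment to resend before any timeout.
            self.retransmitted.append(ack)
            return self.unacked.get(ack)
        return None


def run_scenario(isn: int = 4_000_000, mss: int = 1000, drop_index: int = 1,
                 segments: int = 5) -> Dict[str, object]:
    """Send `segments` MSS-sized segments; the network loses the one at drop_index."""
    segs = [Segment(isn + i * mss, mss) for i in range(segments)]
    sender = Sender(unacked={s.seq: s for s in segs}, last_ack=isn)
    receiver = Receiver(rcv_nxt=isn)
    for i, seg in enumerate(segs):
        if i == drop_index:
            continue                                   # lost in the network
        rtx = sender.on_ack(receiver.receive(seg))
        if rtx is not None:
            sender.on_ack(receiver.receive(rtx))       # retransmission fills the hole
    return {
        "acks": receiver.acks_sent,
        "retransmitted": sender.retransmitted,
        "rcv_nxt": receiver.rcv_nxt,
        "unacked": sorted(sender.unacked),
    }


if __name__ == "__main__":
    print(run_scenario())
```

With the second segment lost, the receiver answers segments 3, 4 and 5 with the same ACK number (4001000), the third repeat makes the sender resend that segment, and the next ACK jumps to 4005000 because the buffered segments were never discarded. Dropping the last segment instead (drop_index=4) generates no duplicate ACKs, so nothing is fast-retransmitted and the segment stays unacknowledged until the retransmission timer fires; that timeout path is the one the example leaves to the sender's RTO.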



Cisco 2821 Router

Is $60 + $30 shipping too much to pay for a used Cisco 2821 Router (256MB RAM, 64MB Flash) off eBay? I'm setting up a home lab to study for the CCNA.



Python Automation for Dual-Stack Routed Access Design

Hey, folks! I've got a small YouTube channel where I demo network configurations, and most recently I've been documenting my progress in deploying Python scripts, using Ansible, etc. I posted my last video here and was given good feedback, so I thought I'd post this one too. Disclaimer: I consider myself a total beginner to network automation, so if there are issues with the script, then you have my apologies haha.

The script is there for anyone to play around with or use and improve in any way they want.

My latest video is deploying a dual-stack configuration over a routed access design. The script connects over IPv6 to make IPv4 changes, and IPv4 to make IPv6 changes, so temporary drops in adjacencies do not affect reachability. The script starts with a basic EIGRP config to bootstrap general connectivity (I liken it to scaffolding), which is stripped away at the end when the final configs are applied.

If you just want to see the script in action skip to around 31 min 30 seconds!

https://www.youtube.com/watch?v=-W_6_-y6Upo

Thanks!



Bulk Domain WHOIS data

Does anyone know how one can go about obtaining Whois data in bulk? I know there exist paid services (see links below), which offer exactly what I'm looking for, but I find it frustrating that there doesn't appear to be a legitimate way to go about grabbing this data. The reason I find it frustrating, is because the data itself is open and free.

I've thought about automating and parsing the results from running a command line whois but this goes against the disclaimers listed at the bottom of the command result output. I've also reached out to IANA and the best they could do is provide me with zone files. I've additionally reached out to PIR who manages the .org domain who also pointed me towards their DNS zone files. I'd appreciate any feedback or guidance into areas I can further research.

https://domainnamestat.com/ and https://www.whoisxmlapi.com/



Slow connection made with mellanox connect x2 and x3

Using the latest build (1809) of Windows 10. From startup my connection sometimes takes a couple of minutes to connect. I had read about issues like this from other users of the X2 and they said they fixed it by going with the X3. So I upgraded and still have the delay. I looked for drivers from Mellanox but am not exactly seeing one that stands out to me. The transceivers I'm using are 10Gtek for Mellanox, with 20' fiber to an Aruba S2500, and the router is a pfSense build running on an i5 4590.

Does anyone know of drivers I'm supposed to download or any tweaks to Windows I can make so I have a connection by the time I'm at the desktop?



Office networking build help

Hello folks,

I will be starting my web development company soon and have just rented an office that I need to set up so I and 3 other employees can work optimally. I have come to you today because I need help designing my office network. I have talked with my ISP and will have a fiber optic cable running into my office and to the "server" rack, but from there on it's all me and I'm not a networking guy, so I need your help (please).

I am thinking to start with a 9-15U wall-mount cabinet to put a 16/24 port managed switch in it, a NAS and a super-fast WiFi router on top. There will not be more than 4 workstations plus a printer and security camera DVR, a projector and idk maybe 2 other wired internet connections, so I should not need more than 16 ports, but just in case I grow in size I'm thinking to get a 24 port switch. So far it seems easy (except I don't know what brands I should pick, so if you could help me with a specific model name that would be great). The thing is that since we're doing a lot of web development I will most likely need to access the network remotely more than a couple of times, so I'm wondering, do I need a firewall? And how should I set up the network so I will have only one computer (let's say the one hosting a few web servers) be accessible from outside the network and not the personal workstations?

What do you think and do you know any good articles I could read on this topic? Thanks

Edit: I am in a little town in Romania, not USA



Opinions needed on re-wiring a small office network

My current project is replacing my office's existing SOHO-grade network with proper business-quality hardware. The existing network was built in two parts as the building was renovated to add more office space at some point. Currently there is a closet on the main floor containing our modem, router, switch, and a patch panel with all of the runs to the back half of the building. There's a second closet upstairs with a switch and a patch panel with runs for the front half of the building. There's a single gigabit uplink between them.

My gut is telling me that I'd rather have all the runs terminated in one location along with all of the network hardware, but I'm having trouble coming up with a concrete reason WHY it would be better to pitch to management. I know that rewiring half of the building is not in the budget currently, so my proposed solution is to run 24 lines from the upstairs patch panel to the downstairs one. The cost to do that wouldn't be nearly as much as running brand new lines, but it's still a lot of cost if there's no real benefit.

The easier (and cheaper) option would be to keep the layout as it is and install a new switch in each closet. If I were doing that, I would either install a second uplink and LACP them, or look at replacing it with a 10Gb uplink instead.

Any input/opinions would be appreciated!



Can anyone tell me what this is doing?

I'm trying to install this application on my laptop, but it tells me to do the following:

  1. Press Win+R and enter the command "hdwwiz.exe"
  2. Select "Install the hardware that I manually select from a list"
  3. Select type of hardware: "Network adapter"
  4. Choose "Microsoft" adapter - "Microsoft loopback adapter"
  5. Wait until install is finished and click
  6. We have installed the adapter, now we need to adjust it a little. To do this, go to "control panel, network and internet, network and sharing center, change adapter settings". There should be a connection for the adapter we installed:
  7. Go to the properties of this adapter, right click on "IPv4" and go to properties

It then tells me to enter various IP addresses in the IPv4 advanced window.

Is this a scam/backdoor of some sort? If not, what does this do? Can anyone help me out?



SIP / VoIP Phone in loud workshop environment.

Just installed a new phone system (Sangoma FreePBX; it's pretty good). 2 of the Sangoma phones / extensions are in a loud environment / machine shop. The new phones don't have as loud a ringer as the old phones. No one can hear them.

There are loud ringers for SIP systems but they're pretty expensive at around £250 / £300 each.

I was thinking of using something like this, a VoIP to analogue adapter: https://www.voipon.co.uk/fanvil-g100s-analog-adapter-ata-gateway-p-7924.html

Then this, a loud ringer for a traditional analogue system: https://www.discountcommunications.co.uk/acatalog/BT-Loud-Indoor-Telephone-Bell-877905-DC9814341.html?gclid=CjwKCAiA8OjjBRB4EiwAMZe6y85yqiDwItHsEmM3O7CzM1osciyxTeiwS9aTrHNDMld_kvqevLcosxoCaiIQAvD_BwE

Then I was gonna give the adapter / ringer its own extension, then set it in a ring group so it rings along with the handset extension.

Would this work?



Residential advice request, UK : House full of people, all need connection

We have a situation where the house contains multiple adults and children all streaming, playing, generally living digital lives. Throughout the day and night, and often with a peak when everyone is online at once.

Our house has BT Broadband, which keeps cutting out. They talk us through fixes, but every day it starts the orange flashing again. The Sky TV box and the extender to a more distant room also keep dropping and requiring a reboot/reset on a daily basis.

So we are thinking big picture, take a step back and consider the best solution from the ground up.

What we need to think about is:

Broadband supplier - If we have multiple users, what should we look for in our supplier? Would we be better off considering a 'business' line or would cost be prohibitive? Would it even help, what with it just coming through the same landline?

Do we just need our own router as the main incoming device and put the supplied BT hub out to pasture?

Internal networking - presumably we need cat5 where possible instead of relying on wifi, but is there a good guide on residential rigging? Types of routers, repeaters, etc?

Have I missed any points here? Any advice would help us out.



Leviton Quickports or Monoprice Keystone help

I am having a hard time deciding whether to use Leviton Cat6 QuickPorts or Monoprice keystone jacks.

I previously installed 12 Cat5e Leviton QuickPorts in 6 of my rooms with Leviton wallplates, and then 6 in my patch panels (2x12 ports) 3 years ago.

I am in the process of installing 14 runs of Cat6 cable, so I'm going to need 28 QuickPorts/keystone jacks.

Part of me wants to keep everything consistent with my existing Leviton infrastructure, since I already have the Leviton QuickPort patch panel.

When I price the Leviton build-out I'm going to end up spending ~$150 just for 28 QuickPorts, and the Monoprice build-out with all new keystone wallplates, 40 keystone jacks (10 Cat5e, 24 Cat6) and new patch panels will be ~$70.

I feel like I'm falling victim to the sunk cost fallacy, since I want to keep it all Leviton. Mainly due to how the Leviton wall plates are aesthetically nicer to me, the QuickPort patch panel is lower profile, and the 30-year warranty (but I'm not sure that even applies since I'm not a Leviton certified contractor).

Any input would be great. Right now I wish I would have used the Monoprice when I initially setup the cat5e jacks to make this decision easier.



Friday, March 1, 2019

Cisco TAC a la carte pricing

Does anyone know how much Cisco TAC per-case pricing is? If you call in without SmartNet can you pay for support? The reason I ask is because I have a million dollar support contract and every case I open ends up being a bug or some issue that is their fault. Feels like I am a sucker for paying for support.



Router supporting 4in6 MAP-E and PoE?

I am looking for a wired router supporting both MAP-E 4in6 encapsulation and PoE for less than 100 $. Any recommendations?



Strange loopback reachability issue

I am running into a very strange problem that I've been pulling my hair out for the past few hours over. I operate an ISP running the following architecture. Every link in this diagram is using IS-IS for loopback reachability, then running LDP on top of that for MPLS label distribution.

We distribute only transit (link) subnets and loopbacks into the IGP.

We are having a strange issue where a specific loopback address (10.30.1.74) is having reachability issues from one of our core routers (Core-02). Core-01 can ping 10.30.1.74 just fine, however, Core-02 cannot reach it.

To try to figure out what is going on, I have done the following:

Traceroute from Core-01 to 10.30.1.74:

root@Core-01> traceroute 10.30.1.74
traceroute to 10.30.1.74 (10.30.1.74), 30 hops max, 52 byte packets
1 172.16.15.2 (172.16.15.2) 15.830 ms 21.660 ms 21.762 ms
2 172.16.15.14 (172.16.15.14) 14.914 ms 21.869 ms 27.982 ms
3 172.16.20.177 (172.16.20.177) 19.808 ms 21.863 ms 22.025 ms
4 172.16.22.220 (172.16.22.220) 0.943 ms 0.857 ms 0.814 ms
5 10.30.1.74 (10.30.1.74) 1.059 ms 0.858 ms 0.803 ms

Perfect, this is working fine.

Now let's try that from Core-02:

root@Core-02> traceroute 10.30.1.74
traceroute to 10.30.1.74 (10.30.1.74), 30 hops max, 52 byte packets
1 172.16.15.6 (172.16.15.6) 8.094 ms 21.316 ms 22.125 ms
2 172.16.15.22 (172.16.15.22) 40.049 ms 32.727 ms 35.296 ms
3 172.16.20.177 (172.16.20.177) 40.850 ms 42.099 ms 32.925 ms
4 172.16.22.220 (172.16.22.220) 18.017 ms 21.872 ms 21.895 ms
5 * * *
6 * * *

Ok, that's not good, it seems to be "getting stuck" between PE-02 and PE-03.

So, as a sanity check, let's traceroute from PE-03 to Core-02:

root@PE-03> traceroute 10.10.0.21
traceroute to 10.10.0.21 (10.10.0.21), 30 hops max, 40 byte packets
1 172.16.32.17 (172.16.32.17) 1.051 ms 1.111 ms 0.817 ms
2 172.16.22.217 (172.16.22.217) 15.297 ms 18.195 ms 21.619 ms
3 172.16.20.180 (172.16.20.180) 16.360 ms 18.245 ms 21.903 ms
4 172.16.15.21 (172.16.15.21) 18.458 ms 20.179 ms 19.407 ms
5 10.10.0.21 (10.10.0.21) 1.007 ms 1.078 ms 0.906 ms

Weird, that seems to work fine.

Now it gets even weirder. Let's change the loopback address of PE-03 from 10.30.1.74 to 10.30.1.80.

Once I do this, no issues with reachability between any routers. Both Core-01 and Core-02 can reach 10.30.1.80 without issue.

10.30.1.74 is not used anywhere else on my network. If I take PE-03 offline, 10.30.1.74 does not appear in the IS-IS database or LDP database whatsoever, so this is not an issue caused by duplicate routes.

Any troubleshooting ideas on what I should try next? Sure, I can just throw away 10.30.1.74 and never use it again, but I really would like to know what's going on here, it could be a symptom of a larger issue.

Also, please let me know if you would like me to post any additional command outputs from the routers!



Cisco Buckets vs VLAN

Is this a fancy way to say VLANs and sell more crap to us?

Buckets don't talk to other buckets, ok. Buckets need a "fusion router" to talk to each other, ok.

What's the difference between buckets and VLANs?



Power across the world and Cisco switches

Fun one at work that I am having thrown at me now: build a box that has a router and a switch that we can take anywhere in the world and use. Trying to figure out if anyone here has experience with power in Japan. I have searched; some say parts of Japan use US power standards and other parts use EU power. Is there any truth to it?



Does anyone use tac_plus to authenticate Cisco devices?

Hello:

My company uses tac_plus to authenticate network devices against it. This seems to work fine on IOS and ASA, but I tested it against NX-OS and it didn't work. I already started doing some digging but am not finding any good explanation for why that is. I know in some implementations of ACS/ISE you have to manually add new devices, but that doesn't seem to be the issue here. Has anyone run into the same issue?



Public IPv4 assignment and routing

So we are getting into the colocation business and are looking to distribute public IPv4 addresses to our clients. We have been given a set of transit IPv4, 24.x.x.x/30, and another addressable block, 35.x.x.x/29. Currently we have the 24.x.x.x/30 set on the WAN interface eth0 and have 35.x.x.x/29 assigned to eth1.

We want all the 35.x.x.x/29 addresses reachable from the internet. How would one accomplish this without using NAT?

The router we are using is a Ubiquiti ERPro-8.



What's the proper way to handle DMZs & Internet Peering in a multi-DC deployment?

Ex: Would you announce the same prefixes & have backdoor links between each of the sites for iBGP peering? Or would you advertise different prefixes at each site, use "allow-as in", and use other methods to ensure high availability/load-sharing for public facing services? (If so, what would those methods be?)



What kind of patch cords do y'all use?

I work in a company of about 600 employees spread over 5 offices globally. I came from a very large enterprise environment where things like patch cords weren't an object that got pored over financially, so we exclusively used Panduit for both copper and fiber. I feel we're in this gray area between a really small startup, where you use any patch cords you can get your hands on, and an enterprise, where you need reliable, quality patch cords.

Curious to hear what people are using in their environments!



Showerthought: Defining and enforcing the organizational standards upon which automation depends is more challenging than implementing automation itself.

When I started down the automation path, I saw it as a purely technical challenge. I now see it as a meta-challenge involving political/diplomatic aspects, at least as challenging as the technical ones. What's your take?



Business expanding to neighboring building in same parking lot - fiber or wireless bridge?

I'm tempted to suggest the business owner run fiber between the buildings. I know it would be a better link than wireless bridging, but I don't have any idea on the cost. The buildings are approximately 100-150 ft. apart, separated by an asphalt parking lot.

Google Map of the 2 buildings

Not crazy far.

I've looked at AirFiber, and Nanostations, and will happily consider those.

My plan with a fiber setup would be to share internet and DHCP from the main building, so there was only one router. The fiber link would go into a switch on the other side, and would simply be an extension of the current network. It would be a full 1Gbps link (possibly XG in the future). With AirFiber/Nanostation, can I still have DHCP come from the main building? Can I have the two buildings be on the same subnet? Or do I need a router to route traffic between two separate networks?

My experience would lead me to want to have one large network rather than 2 smaller networks linked together.

In the main building, they have a Ubiquiti UniFi setup with a USG, 3 AP-AC-Pros, and a 48-port PoE gigabit switch. Comcast business cable internet. In the new building, I'd plan on having a UniFi PoE switch, and at least one more AP-AC-Pro. In the main building, there are probably 20 computers. In the new building, probably 10 more. All told, there are probably 50-60 total devices (including a couple of cameras and guest wifi users).

If we did a wifi bridge, would it need to be roof-mounted?

This is a street-level view of the 2 buildings.

Thanks for your advice, reddit.

EDIT: Wanted to ask what others have spent running fiber in a similar setup. I would expect between $10k-20k to cross a paved parking lot, but that's just my imagination.



Network related job interview questions

Hello, so I just earned my CCNA and I've been applying to get my first networking job. I've gathered that sometimes interviewers will ask questions like "What is your favorite routing protocol and why", or other networking related questions during an interview. I'm hoping you all could share some of the questions you've been asked (or that you have asked) so I can better prepare myself. That way I can avoid looking totally stupid.

Btw...I'm still trying to figure out how I would answer that question haha. I don't really have enough experience with routing protocols to form an opinion.



LLDP-MED and IP phones

I have this recurring problem that's been happening in our environment for some time now regarding IP phones (specifically, ShoreTel phones) and LLDP-MED with Netgear ProSAFE M4300 switches.

Basic config looks like this:

vlan 100 "Phones"
vlan 200 "LAN"
!
voice vlan
!
int 1/0/1
desc "Phone/PC"
voice vlan 100
switchport mode access
switchport access vlan 200

LLDP-MED is enabled by default on all switchports. The phones tag themselves for VLAN 100 as soon as they come up thanks to LLDP magic, they DHCP on VLAN 100, including scope option 156 (ftpservers=x.x.x.x, layer2tagging=1, vlanid=100), they download their config from Director, and everything works great!

...until it doesn't. At some point, LLDP just stops working altogether. This means the phones will drop into the LAN for DHCP instead.

I have possible workarounds to this issue (primarily adding Option 156 to the LAN so the phones can at least FTP the conf files they need, and adding the LAN subnet to the site config so they can at least make calls), so I'm not concerned about that. My concern is that LLDP just stops working until the stack is rebooted. I had this issue with two different sites today, and both switches only have an uptime of 18 days.

Switch firmware is 12.0.7.10 and the switches are in a stack config (usually with a couple of M4300-12X12F). I haven't seen this issue on our standalone switches. Or at least, I haven't noticed it yet.

My primary question is: does anyone know WHY LLDP suddenly stops working? Has anyone experienced this issue with other vendors?



WIFI and commercial oven

Hello

I am looking for a WIFI antenna (for VoIP) that can withstand continuous heat up to 400 degrees F (205 degrees C). It will be placed in a commercial oven, a place where we work and where our old analog phone worked. Do you know a model or an alternative? The oven is insulated steel with 6 inch walls ...

Thank you!

EDIT: Anything that can be wired to the outside of the oven suits me, but I do not know the right component! So I called it a WIFI antenna, it may be another therm that I should have used ...



Community network

I've been curious about starting a network where I live. I've looked into a few things but can't seem to figure the best way to get started. I'd like to have as strong and fast a connection as possible. Can someone help me get started with this or if it's even realistic?



Cisco Catalyst 9300 IOS-XE Image

Hi All,

I have to deploy ~50 Cisco Cat 9300 48U-E switches in the next couple of weeks and am trying to select a stable IOS-XE version. Does anyone have any issues with Fuji 16.9.2 or Everest 16.6.5? I know that there were some horrible bugs with DHCP snooping in some versions. Has this been resolved?

Thanks



Ear protection?

So I just learned that a data center can get up to 85 dB and that is well above the dB level that can damage your hearing. I just started a job and it's the first job where I actually go to physical devices (previous work was always remote), so them offering ear plugs was kind of weird to me. But after searching I've decided to use some protection.

However, anything that's in-ear always hurts my ears. I struggle to find ear buds that don't hurt or don't just fall out all the time. So I've been shopping around for something not in-ear. I'm getting a little confused about the measurements and what I need for a room full of servers, switches, and routers. Is there anything you suggest? What level of protection should I look for?

I know this isn't necessarily networking, but it is something us networking admins/engineers/analysts need to think about, so hopefully this thread can help someone else as well.



Has anyone noticed their Wireshark no longer decrypting?

I work with the wireless infrastructure at a hospital and I have been using wireshark to capture an issue we are having with a device. Normally I have no issues with getting my captures decrypted (having placed our key in the decryption key field). However it is no longer working and nothing has changed with the WLAN.

Any thoughts?



Upcoming Sox Compliance...

Company is working towards SOX compliance. As a network engineer, what are the pitfalls or gotchas that I have to look out for? There is a lot of info on the web and it's making the noggin spin right now.



Juniper vSRX NAT match on HTTPS URL

Does Juniper vSRX have the capability of matching on an HTTPS URL among other things and performing a destination NAT action?



SFP-10G-SR cable length

I am trying to run a short 1m connection between devices using two SFP-10G-SR. Cisco says that the SFP does 26m but does not say "up to". Can I run 1m optics without issues?



Dumb Question About Routing Firewall and Switch

Firewall: Cisco ASA 5512-X

Switch: Aruba 3810M (L3)

Switch IP: 10.240.1.254

Firewall IP: 10.240.1.1

DHCP Server (Win): 10.240.1.253

Setup from inside to outside

Switch -> Firewall -> ISP Fortigate Firewall -> ISP Modem -> Internet

I have a question about routing that I'm trying to understand.

Take one of my VLANs for example: 10.240.10.0/24 (Corporate)

In the firewall the routing is set

route inside 10.240.10.0 255.255.255.0 10.240.1.254

VLAN is configured on the switch

IP addressing is assigned by DHCP server

On the Switch the default route is set to the firewall

ip default-gateway 10.240.1.1

ip route 0.0.0.0 0.0.0.0 10.240.1.1

ip routing

So our switch is sending all our inside traffic to the firewall to reach the internet

but now the firewall also has a route command inside sending inside traffic to the switch.

I'm a little confused on this setup and how it's working. I assume the route on the firewall I can get rid of?



About BGP Session

Does BGP need a /32 neighbor IP to establish a session, either in iBGP or eBGP?



USB to serial Windows 10 recommendation

Hi guys,

Anyone know a good USB-to-serial adapter with Windows 10 support (without a bluescreen every 5 minutes)?

Thanks!



L2TP/IPsec VPN not working on one network through Windows 10 built-in client.

So I created my own L2TP/IPsec VPN server with SoftEther on my Windows Server 2012 R2 VPS. It works perfectly fine through the Windows built-in client on my laptop on my home internet. However, when I am at school and try to connect to the VPN, it says: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."

I can, however, connect to my VPN from my phone on the school internet. A friend of mine also has an L2TP/IPsec VPN and his works through the Windows built-in client on the school internet. But he didn't configure it himself, so he can't help me out either.

Does someone have an idea how to fix this problem?



CCNA/CCENT or Computer Networking A Top-Down Approach - By Kurose & Ross?

I'm currently looking to learn about networking, and was wondering which of the two mentioned in the title would be a good place to start? I'm a complete noob to networking, but my preliminary researching/googling has brought me to the point of picking between these two. Any help is much appreciated! Thanks in advance!



Looking recommended (free) in depth wifi monitoring tools?

Edit: yes, I noticed I butchered the title. What I get for typing late on mobile.

Hey guys, so our base networking shop just got tasked with testing the dorm commercial WiFi for official reasons why the internet is so horrible (it has gotten better after an upgrade, but still not on par with any college or apartment wifi that can be compared to their setup). I am one of the only two dorm residents left in our shop ATM, so it's my problem to help get solved (finally, after complaining all the way up the chain). People have been complaining for months, maybe years. If we can have enough data collected across the multiple dorm buildings of any and every legitimate issue, we have a chance to force a contract renegotiation with either our current ISP or get a new one (subsidized is being mentioned).

The dorms currently have ISP owned routers spread out every couple of rooms to cover the entire buildings. Each resident has to pay for access to the wifi. I want to not only take speed tests from a large number of residents in a way where the data can't be prioritized, along with sticking a old computer or two (which I can install any needed OS) in each building for a few days or a week at a time.

I am perfectly fine paying for a cheap Vps to run speed tests to, to avoid prioritization.

Some of the things I'm hoping I can set the computers to monitor and log for:

• Any time the PC temporarily disconnects from the wifi
• Any time the PC is connected to the wifi, but loses internet access
• Any time the network has high latency
• Constant speed tests, with highlights of the lowest speed results

I have done some research, but haven't found a free/affordable program that does what I'm looking for. Brownie points if anyone knows of a user-friendly program on windows that we can have our more technically inclined residents install and run. It would be easier than scrounging through my hoarded collection of spare parts to put a few rigs together.



Thursday, February 28, 2019

Double NAT Help

Hi all. I need help. So I'm with a mobile ISP. They provide me with LTE. I play PlayStation 4 a lot but I can't ever play with friends unless they have an open NAT type. I want to somehow give myself an open or moderate NAT type as I'm sitting on a strict NAT type all the time. My ISP has got a double NAT in place. So even if I port forward my side it won't work. Is there a workaround? Please help, as I'll greatly appreciate all the help.



Sanity Check -- about to buy SD-WAN (Versa) for 50 sites

We are about to buy a co-managed SD-WAN solution from CenturyLink which would use Versa's SD-WAN product. The hardware is an Intel C2558 based x86 box that Centurylink brands as its "medium" sized box. The large box is last gen Xeon D. Centurylink wants a pretty hefty monthly license fee for the boxes which includes the support and management cost.

The hardware isn't very impressive -- single PSU, last gen CPUs, etc.

A few questions:

  1. Does anyone have Versa from Centurylink? How is performance? How is the service?
  2. Can Versa be deployed as a VM or hardware install on other hardware? Have you done this? It appears it does require Intel QuickAssist (which is on Xeon D and C3000 CPUs in the current gen).
  3. Anything else I should know before I pull the trigger on this?


BGP Path Selection Unwanted Results

Some of my networks are traversing a path that isn't the shortest path from what I can tell using multiple looking glass servers. Typically traffic is balanced across both of our BGP routers via prepending certain networks. Recently, I noticed that a handful of networks were no longer obeying what I deem is the shortest path. The BGP routers we peer with are different vendors, so the only explanation I can think of is that the traffic that is not obeying, ~500 Mbps, is coming from our peer's directly connected network where, when traffic is sent to the peer, the local route is used. I have attached a network diagram in hopes of illustrating the issue better. How can I force traffic to use the other path?

Network Diagram



Wireless troubleshooting for the Masses

Hey guys, I'm looking for a wireless troubleshooting solution for 30+ field techs and trying to decide if I need to buy hardware or would a good software solution help with my issue. I need to read the spectrum and determine what is causing the interference. I am not using any particular appliance to provide WiFi as we have several devices out in the field and techs will also troubleshoot customer bought wireless equipment. Most of the techs are residential installers.

What's the main difference between a hardware-based RF analyzer like the Oscium WiPry 5x and a software-based analyzer like NetSpot?

I understand the Oscium does have software that comes with the USB RF analyzer but would you get the same results with Netspotapp and just using a phone with 2.4/5GHz chipset built into it?



Where to start on the network automation journey?

My company is starting to put focus around network automation. The problem is, automation seems to mean something different to everyone. For some it means cranking out configs by inputting a few variables, others want to see automatic network remediation, while others (like myself) have written some Python scripts to save time by automating mundane tasks and want a place to share with others. I just started on this team and I have a solid networking background (CCNP) and some Python scripting skills. I'm wanting to get opinions from others working in a large corporation on exactly how they got started down this automation path. A few things I'm interested in feedback on:

• Is there a specific platform that helped (Ansible, Puppet, a Linux server to launch scripts from, etc.)?
• What are good resources to reference? (Products/consultants/online resources/training recommendations/anything)
• What were the biggest challenges to the network automation journey and how did you overcome them?
• What are good use-cases to start with when trying to automate?

Thanks for any and all input! I really want this to be a success just need some help on how to get started.



Design consideration for MetroE network. Would you place Layer3 switches for the connection points?

Hello, I have a client that is installing a Metro E network and wants to use Layer 3 switches (Arista) as the backbone for the sites. How common is that?

Maybe I'm old, but I always separate switching from routing, so I would only consider a traditional router for each site's connection point with an L3 switch as the next hop inside. Is my perspective too old-fashioned or rigid?



Excessive Transmitted / Received Pause Frames on Procurve Switch

Been looking at the switches in my organisation, and can't help but notice that some switches are throwing up "Received Pause Frames" and some "Transmitted Pause Frames". We're using HP ProCurve 1810-24G switches at the edge and Cisco 3750X stacked at the core. The switches are linked to the 3750X by a single cable as a trunk. I'm not sure whether this is the cause.

Here's a screenshot - https://i.imgur.com/MIFUqar.png

As the "systems / infra guy" is "afraid" to let me touch just about anything (it's political; he even threatened to ask me to sign a resignation drafted by him after I uncovered his security lapses/practices), I can only check and take note until I'm given the authority by the management to rectify this.



Manage Public IP’s with Solarwinds?

I am looking for a way to manage the public IPs that we own with our existing SolarWinds system.

Ideally, I would want to script it to do a DNS Lookup, ARIN / APNIC / RIPE check and details import, and basic up / down response.

Anyone know of a way to do this? Or if not, does anyone have recommendations on tools that can do this?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



How to get past the Helpdesk gate keepers?

I have a problem with being randomly disconnected from my work’s network and I’m hoping someone might have some insight on the best way to approach this.

I work for a company completely remotely. I'm not even in the same state as their call centers. They have VPN connection points in several different cities across the US and I'm completely dependent on connecting to one of their VPN connections for everything I do at the company. I've worked there for 5 years now and I've never had any trouble connecting or staying connected. I'm using an EdgeRouter X with a fiber connection via Frontier FiOS, 100 Mbps up/down.

We use a specific proprietary software at this company for doing the job I do. Which is working with customers over the phone. Recently the software has been freezing in the middle of my contacts and dropping calls. Which makes it look like I’m hanging up on customers. As you can imagine, that looks really bad to management.

When this happens, I never lose connection to the VPN, but their IT department has been running ping tests from my work computer to Google while connected to the VPN, and those tests have shown dropped packets. When I disconnect from their VPN, I don't see any dropped packets on the work computer, and I've used ping tests on other computers in my network to test the connection and haven't found any dropped packets, even when the work computer is showing dropped packets at the same time while connected via the VPN. From what I've heard from the other people that work at this company, this is common behavior for the VPN. I also have more evidence that leads me to believe the VPN is the problem, but I don't want to make this post too long.

I’ve contacted their Helpdesk about this multiple times, they do the same thing every time, they point to the dropped packets while connected to the VPN, blame my network, then refer to my ISP. They refuse to troubleshoot the VPN past that. They then tell my manager that it’s my network. Which makes it look even worse and at some point my manager will have to tell me to switch ISPs and possibly even fire me, if it gets worse.

So that’s the overall situation that I’m trying to solve. I like my position there and I want to stay within good standings but the issue is both making me look bad and making it much harder to do my job.

I've become good at switching to a different VPN connection point when the VPN starts to lag, but that doesn't stop the calls from dropping before switching, and sometimes all the VPNs are lagging. I'm in the process of setting up a script in my router that pings their VPN and pings Google, then emails the results to my email, in order to time stamp the connections. I could probably use that information to go above the Helpdesk, but that's going to burn a lot of bridges really fast, and in my mind there's no guarantee they won't still blame the router/ISP or say the script wasn't approved, so the results can't be trusted.

I'm wondering if anyone else has any other ideas?
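The kind of evidence the poster is describing, written out as an added example that is not part of the original post: probe the VPN endpoint and an unrelated control host on the same schedule, timestamp every result, and then report only the minutes in which the VPN target lost packets while the control did not. Loss that shows up on the VPN path but not on the control path in the same minute is loss the local connection cannot explain. The target names are placeholders, the ping flags assume the iputils ping found on Linux hosts, and the sample records are constructed rather than real measurements.

```python
import subprocess
import time
from collections import defaultdict

# Placeholders (assumption): the employer's VPN concentrators and a public
# control host. Replace with the real endpoints before running the probe loop.
CONTROL = "8.8.8.8"
VPN_TARGETS = ["vpn-east.example.com", "vpn-west.example.com"]


def ping_once(target: str, timeout_s: int = 1) -> bool:
    """One ICMP echo with iputils ping (-c count, -W reply timeout in seconds).
    Returns True if a reply arrived. Assumes ping is on PATH and may be run."""
    rc = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), target],
                        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
    return rc == 0


def probe(targets, interval_s=5, count=None):
    """Yield (epoch_seconds, target, ok) tuples, forever or for `count` rounds.
    All targets are probed in the same round so their results share a timestamp."""
    rounds = 0
    while count is None or rounds < count:
        now = time.time()
        for t in targets:
            yield (now, t, ping_once(t))
        rounds += 1
        time.sleep(interval_s)


def loss_by_minute(records):
    """Aggregate (ts, target, ok) records into {(minute_epoch, target): loss_fraction}."""
    buckets = defaultdict(lambda: [0, 0])  # sent, lost
    for ts, target, ok in records:
        b = buckets[(int(ts) // 60 * 60, target)]
        b[0] += 1
        if not ok:
            b[1] += 1
    return {k: v[1] / v[0] for k, v in buckets.items()}


def suspect_windows(loss, control=CONTROL, threshold=0.05):
    """Minutes where a VPN target lost more than `threshold` of its probes while
    the control target did not: loss specific to the VPN path rather than to
    the local connection. Returns sorted (minute, target, vpn_loss, control_loss)."""
    out = []
    for (minute, target), frac in loss.items():
        if target == control:
            continue
        ctl = loss.get((minute, control), 0.0)
        if frac > threshold and ctl <= threshold:
            out.append((minute, target, round(frac, 2), round(ctl, 2)))
    return sorted(out)


def sample_records():
    """Constructed data (not real measurements): 12 probes per minute per target
    over three minutes starting 2019-03-01T00:00:00Z; in the second minute the
    VPN target loses 4 of 12 replies while the control loses none."""
    recs = []
    base = 1551398400
    for minute in range(3):
        for i in range(12):
            ts = base + minute * 60 + i * 5
            recs.append((ts, CONTROL, True))
            vpn_ok = not (minute == 1 and i % 3 == 0)  # i = 0, 3, 6, 9 are lost
            recs.append((ts, "vpn-east.example.com", vpn_ok))
    return recs


if __name__ == "__main__":
    # Offline demonstration on the constructed records:
    for row in suspect_windows(loss_by_minute(sample_records())):
        print("minute=%d target=%s vpn_loss=%.2f control_loss=%.2f" % row)
    # Live use (uncomment): collect a few rounds and evaluate the same way.
    # live = list(probe(VPN_TARGETS + [CONTROL], interval_s=5, count=24))
    # print(suspect_windows(loss_by_minute(live)))
```

Writing the raw (timestamp, target, ok) records to a file rather than only the summary is what makes the data defensible later: anyone can recompute the per-minute loss from them, and the control target's clean minutes answer the "it's your ISP" reply on the same timeline.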



ATT Midwest Area wide outage

Who all is experiencing issues with any of ATT's WAN services? Trying to identify if this is larger than just a single MPLS Cloud.



Configuring a Static Route over a VLAN (nxos)

hi,

Apologies in advance, I need some assistance with putting static routes on SVIs on a Nexus switch.

The intention is to have some inter-VLAN routing for a handful of VLANs, but traffic involving VMs on the DMZ routed on a SonicWall. All the VM hosts are connected only to the Nexus.

At the moment I have a router-on-a-stick setup with the Nexus acting purely as a switch for DMZ traffic. It looks OK: VMs connected to the switch, on different DMZ VLANs, can ping each other.

I'd like now to have static routes on the (non-DMZ) SVI VLANs so they pass VM traffic destined for the DMZ and beyond to the router, and I'm not even certain that is possible, or if instead I should be physically connecting the VM hosts to the SonicWall as well as the Nexus, and present DMZ VLANs from the SonicWall and the internal VLANs from the Nexus.

anyway, looking at this document:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/unicast/configuration/guide/l3_cli_nxos/l3_route.html#pgfId-1102964

gives me this example:

switch# configure terminal
switch(config)# feature interface-vlan
switch(config)# interface vlan 10
switch(config-if)# ip address 192.0.2.1/8
switch(config-if)# ip route 209.165.200.224/27 vlan 10   <=== 209.165.200.224 is the IP address of the interface that is configured on the interface that is directly connected to the switch.

with this explanation:

"Adds an interface static route without a next hop on the switch virtual interface (SVI).

The IP address is the address that is configured on the interface that is connected to the switch"

Does this mean the IP address/mask in the last command is that of the router's interface to the switch, with the router interface to the switch (or one of its sub-interfaces) being 209.165.200.224/27?



NETSH Trace is not returning actual data

I'm trying to capture some traffic using netsh but I'm not getting the data I'm looking for, so I hope someone can help me out. Unfortunately, I can NOT add programs to any of the systems I'm working with, and I don't have access to Message Analyzer. I have used the following commands:

netsh trace start capture=yes ipv4.address=x.x.x.x tracefile=filename.etl

netsh trace start capture=yes provider=Microsoft-Windows-NDIS-PacketCapture level=5 tracefile=filname.etl

The captures run fine. I attempted to look at them several ways. I converted to a CSV with netsh dump, and I imported the data into PowerShell with Get-WinEvent. The data is very vague and doesn't have information like destination IP, just messages like "Packet fragment (54 bytes)". All examples I see online have actual data like IPs and ports. What am I doing wrong?



Building Layout for Access Points

I have some building plans and I know the model of APs we are going to use for this new building. I am trying to design a flow for where the APs should be, but I cannot seem to find any programs to map it out. Does anyone know of one? Preferably free. The only ones I can find are designed for existing wifi network mapping and coverage.



Weird traffic cutouts after connection added to a site

Hey guys. Got a confusing mystery here and just wanted to bounce it off you experienced people for some ideas or insight.

The Layout

So there's a small school district that consists of a few schools. The schools connect back to one "main" school via a gigabit ELAN provided by an ISP. The main school has a L3 switch which handles all the routing. For Internet, a connection goes through the ELAN to a county office. It's not ideal, but things work fine. Or at least they did...

One day a charter school is added to the mix. They work out an arrangement to connect into the district network via Ubiquiti wireless units and piggyback back to the county for Internet access. They get their own VLAN from their site all the way back to county, where they get Internet access as well as VPN access to their other charter schools.

Here's a bad diagram.

Ever since that happened, some subtle but nonetheless weird things occur on the district network. In particular, monitoring software that periodically pings district equipment will alert periodically over switches, cameras, and other monitored networked equipment as being offline. This seems to only happen during peak working hours and when the networks are being used. It does not happen on weekends or weeks that schools are not in session. The charter school network's equipment doesn't appear to be affected at all.

One day a storm knocked out the charter wireless for a couple of days. The issue went away. When that link was repaired, the issue came back.

Summary of Troubleshooting

  1. The monitoring server is at School1 which is where the routing switch is. I packet traced the ELAN-facing port here and I packet traced the ELAN-facing port at School3. I could see the pings get sent from School1. I could see the pings at School3. I then see the ping replies come back through School3. But then I don't see the replies come back to School1.

  2. Networking equipment within School1 doesn't exhibit this behavior (pings here never have to traverse the ELAN).

  3. This behavior tends to clear up within 10 minutes, but then a different switch(es) or camera(s) at a different school(s) will exhibit the same behavior.

  4. Manually pinging a "down" switch during one of these episodes is met with no reply. Telnet, etc., doesn't work.

  5. Surprisingly haven't heard complaints about phone calls or web videos mysteriously stopping?

  6. I thought maybe STP might be in conflict somewhere so I filtered bpdus on links between the different networks (district/charter, district/county). Didn't change anything.

  7. I also monitored the port utilization on the ELAN port at School1 and School3 thinking maybe they were congested but School3 is rarely above 100Mb/s and School1 is rarely above 300Mb/s.

Any ideas or explanation that could be causing this weird behavior? Part of me wants to just say it's the ISP's (ELAN) fault because I can see the ping replies disappearing in it. But I really don't get why it only happens when the charter connection is up?



Understanding a NAT Translation

Hi,

Just had a quick question about a NAT statement in my environment that I am inheriting, can you please explain what exactly it is defining. I have changed some of the IP information for privacy:

R1(config)# ip nat inside source route-map RMAP_1 interface Dialer0 overload
R1(config)# ip nat inside source static tcp 10.120.100.25 8080 142.23.24.132 62701 route-map RMAP_1 extendable
R1(config)# ip nat inside source static tcp 10.120.100.25 443 142.23.24.132 63701 route-map RMAP_1 extendable

- I understand that the first line is PAT; it is basically saying the inside source is a route-map, and it should translate to the IP address on the Dialer0 interface (this is PPPoE), and overload so it uses PAT.

-To add some context the route-map is matching pools of addresses in an extended ACL called traffic_for_nat

- The next two lines are static NAT, right? From what I understand, it is stating that the inside source is 10.120.100.25 to the outside of 142.23.24.132. Extendable is needed because I am making translations to the same external IP, correct?

-So what is the route-map doing in those static statements?

Any help is appreciated!



STEM Expo advice

I was asked to run a small STEM Expo exhibit for grades 5-8 that relates to networking. Any thoughts as to what activities I could run that wouldn't be difficult for young kids and still have a little bit of a wow factor?



PBX server and port 53 question

Hello everyone,

I have recently received access to our firewall. I had to open up ports for remote access. After locking down most ports and whitelisting the correct IP address, everything seems to be running smoothly. Except for the fact that 4.2.2.2 (a well-known Level 3 DNS server) keeps hitting my firewall on port 53 (the DNS port) every 5 seconds or so, multiple times, on lots of different high-numbered ports (30000+). Now I do not have access to our PBX server, but we do not use 4.2.2.2 in our environment for DNS, although I am not able to see the settings on the server so I cannot confirm. They are all UDP outbound connections. It just seems really excessive, as 8.8.8.8 (Google DNS) only hits once in a while. Is this normal or am I somehow getting hacked? DNS spoofing?
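A first triage step for this kind of log entry, added here as an example and not part of the original post: summarise the firewall's port-53 flows by source, destination and destination port so that the direction is unambiguous, and look at which side carries the high-numbered ports. An inside host sending to 4.2.2.2:53 from a different ephemeral source port each time is the shape of an ordinary DNS client querying that resolver; unsolicited inbound packets from a resolver's port 53 are a different question. The log line format, the inside address standing in for the PBX and the firewall's outside address are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the original post) in a generic
# "timestamp action proto src:sport -> dst:dport" format. 10.0.0.5 stands in
# for the PBX and 198.51.100.2 for the firewall's outside address.
SAMPLE_LOG = """\
2019-03-01 09:00:00 allow udp 10.0.0.5:30117 -> 4.2.2.2:53
2019-03-01 09:00:05 allow udp 10.0.0.5:30842 -> 4.2.2.2:53
2019-03-01 09:00:10 allow udp 10.0.0.5:31005 -> 4.2.2.2:53
2019-03-01 09:00:15 allow udp 10.0.0.5:32211 -> 4.2.2.2:53
2019-03-01 09:00:20 allow udp 10.0.0.5:33490 -> 4.2.2.2:53
2019-03-01 09:00:25 allow udp 10.0.0.5:34002 -> 4.2.2.2:53
2019-03-01 09:00:30 allow udp 10.0.0.5:35120 -> 8.8.8.8:53
2019-03-01 09:00:31 deny udp 203.0.113.9:53 -> 198.51.100.2:40000
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(lines):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def classify(src, sport, dport, inside):
    """Name the shape of a port-53 flow from its direction and port layout."""
    if dport == 53 and src.startswith(inside) and sport >= 1024:
        return "dns_query_from_inside"   # an inside host asking this resolver
    if sport == 53 and not src.startswith(inside):
        return "inbound_from_port_53"    # replies, or unsolicited traffic, from a resolver
    return "other"


def summarize(records, inside="10.0.0."):
    """Group records by (src, dst, dport) and report count, source-port spread,
    firewall actions and the flow shape. `inside` is the prefix of our own
    address space (constructed for the example)."""
    flows = defaultdict(lambda: {"count": 0, "sports": set(), "actions": set()})
    for r in records:
        f = flows[(r["src"], r["dst"], r["dport"])]
        f["count"] += 1
        f["sports"].add(r["sport"])
        f["actions"].add(r["action"])
    result = {}
    for (src, dst, dport), f in flows.items():
        result[(src, dst, dport)] = {
            "count": f["count"],
            "distinct_sports": len(f["sports"]),
            "sport_min": min(f["sports"]),
            "sport_max": max(f["sports"]),
            "actions": sorted(f["actions"]),
            "shape": classify(src, min(f["sports"]), dport, inside),
        }
    return result


if __name__ == "__main__":
    for key, info in sorted(summarize(parse(SAMPLE_LOG.splitlines())).items()):
        print("%s:%d -> %s:%d" % (key[0], info["sport_min"], key[1], key[2]),
              "count=%d distinct_sports=%d shape=%s actions=%s" % (
                  info["count"], info["distinct_sports"], info["shape"], info["actions"]))
```

If the summary shows the flows as outbound queries from the PBX, the firewall has already told you everything it can: the next check is the resolver configuration on that host, since the firewall only shows which server the host is asking, not why it asks so often.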



Dealing with PLC equipment that uses the same IP addressing

I work in a manufacturing environment which has a lot of equipment using PLC networking.

- We have an Electronics Manager who is in the midst of an effort to connect all of this equipment to a central server running a PLC control and monitoring interface.

- We have Cisco networking - 3750X Layer 3 switches at the core, and 2960 layer 2 switching at remote closets (where the PLC device would connect).

We have encountered a scenario where a vendor has installed their equipment on 2 lines, same equipment in each line, and both lines have the same IP addresses for each part.

- In this case, there is one primary interface for each line, and both use the same IP - let's say 10.1.1.1

- The goal is that our PLC server needs to be able to monitor both lines without conflict.

- The vendor advised us to use NAT translation for the ports where the two devices will be connected so that each one would appear as a different IP.

My question is... Can a Cisco 2960 switch perform this kind of NAT translation on a port to port basis?

Otherwise we are planning to put two small routers in front of each device to perform the NAT function for us.

I don't know that I'm in love with this plan, although I'm still somewhat new to the world of PLC networking, and maybe that's normal?

Was curious to see how someone else would approach it.



Can't find a legitimate ISP.

Hope this is the right sub. If not, lemme know.

Back story: my company bought a building about 2 years ago and we haven't been able to get a legitimate ISP to provide us with a workable internet connection. Currently we have a 15/1 Mbps connection from a wireless modem from Verizon. We're around 30-40 employees on any given day, and most are using some kind of streaming service at any given point.

Our physical location is in New Bedford, which is one of the biggest cities in Massachusetts. And we're right in the middle of the city. But we're also on a wharf, which has been the problem. I guess putting in telephone poles or digging through the concrete is too much of an expensive hassle for ISPs. Here's what I've tried or considered so far...

• Comcast wants us to pay ~$17k to have them install the infrastructure for cable internet, and even more for fiber. I asked about petitioning other businesses on the wharf to agree to sign up with Comcast, if they would waive that fee. But what they said was that it would cost them even more per building, so it's not worth it.

• Verizon is more or less the same as Comcast.

• Business class satellite internet has a cap on GB per month, maxes out at around 35 Mbps, and doesn't like weather.

• I've talked to a couple other fiber providers, who want almost twice as much as Comcast.

• We could add a second and third line of 15/1 from Verizon, but that would only help so much.

• What's interesting is that the company that was in this building before us was a large health insurance company, and they got their internet through Light Tower (now Crown Castle Fiber), which is a fiber network. I reached out to them and they're telling me that in order to connect to the building, they have to lease a conduit through the local power company, which would end up costing us over $2k per month.

What's frustrating is that the hotel that is literally across the street has internet. I'm completely out of ideas. Any help would be amazing.



Static w/ SLA vs BGP for redundant VPN setup

I have 2 hub locations with a dozen remote sites over VPNs. Each remote site has a VPN to each hub. Hubs are ASAs and remote sites are Juniper SRX devices.

What's the best way to implement failover in the event connectivity is lost at a hub?

I've never configured BGP before, and I was thinking static routes to each hub with lower metric route tied to SLA to drop it from table in the event it can't be reached.

Thoughts?



Network mapping software

I am looking for software that can be relatively easily deployed, that can produce network maps that cover the following primarily:

Layer 3 Map

Layer 2 Map

Trunk/Port Channel connection map

Not going to complain if it also includes individual ports on a deeper level (like clicking on a switch stack). It would be amazing if the map could show a global view that has like, concentric circles or something that shows where "vlan 50" is on everything, where it connects to (like which trunks it runs across sort of thing.)

We have LibreNMS already, and it only shows single physical connections (not even port channels). Yes, it's a useful tool, sometimes, but I'm looking for something more granular.



Any other service providers feel the pain from this morning's Fortnite update?

My transit links and Akamai caching boxes got some good exercise for four-ish hours this morning thanks to Fortnite v8.00 dropping. Things are settling down now but that's probably the largest surge of early morning traffic I've seen since I took over this network a few years ago. The sustained load out to our customers held steady at just under 50 Gbps at its peak.



xpost - Meraki MX Users - how do you like the client VPN?

I've seen some mixed reviews mostly based on it not having an actual client. I am considering deploying this for a small remote facility that will host a handful of servers.

The primary users that would connect to this network via VPN are not the most tech savvy. Ideally this would be a solution that's easy for them to connect to



Workplace network Help!

Hi all, I’m hoping someone can help me with an office networking problem. I’ll preface by saying I’m a Veterinarian and while I feel I’m good at medicine, networking is not a strong suit. I do have moderate computer experience (have done a few builds, can replace motherboard capacitors etc), but I’ve been pounding my head against what I assume is a basic oversight at work for a couple of days.

Scenario: Our veterinary clinic was built in the early 90s and has a dozen workstations or so. We have a wired network for the workstations to access our practice management software and printer off a central workstation. This has never been connected to the internet, mostly to avoid any chance of compromising our client data and out of paranoia that we would be more likely to experience crashes with the workstation from employees using/downloading things without knowing what was "safe".

In the last few years we've found the need to add internet access to individual workstations to access email and help clients place online orders at our front desk. I've run Ethernet cables to our separate wireless modem (not connected to the offline network) and allowed access individually to the workstations that need it. I'm trying to do the same thing with a workstation at our front desk and having issues. To start, the computer (running Windows XP Professional) only has 1 Ethernet port, which is occupied by our offline network Cat5. I've had this issue once before, and purchased a USB-to-Cat5 adapter and that worked no problem (newer workstation running Windows 10).

I installed the drivers and connected the 2nd Ethernet cable via the adapter. If both networks are enabled only the first one to connect works... If I enable the one connected to our internet, and then enable the offline network connection I will have internet access but am unable to load our software from the central “server” computer. If I enable the offline network and then internet the opposite happens, can access software but not internet.

Each connection works totally fine when enabled by itself, but not together. I changed the IP ranges for one of the routers to avoid any overlap, but that didn't help.

I’m totally stumped and lost here, and guessing I’m overlooking something fairly simple or not understanding a concept all together. If anyone is willing to give me some advice I would be very grateful. I’d also be happy to offer you back companion animal pet advice in return!

Some other specifics- the offline network is connected together via a Cisco router with internet disabled, and just used to assign IP addresses to the computers and printers.

The online network uses an Apple airport router and switch to allow multiple computers to access internet (we have our lab equipment, radiology suite etc all hard wired in).



I Made a Boo-Boo

Long post, so I'll start with the TL;DR: This week I learned FortiSwitches come with spanning tree disabled out of the box. Fun times were had.

I'm not exactly sure what happened in my brain this week, but everything that could go wrong, did go wrong, and everything was because of stressful former weeks, too much work and bad planning.

I had earlier (a couple of months ago) designed a new proposal for an upgrade for a customer. My boss was a bit eager to try out a couple of new solutions for this customer and not just go for a standard Cisco setup on the layer 2 segment. As my company and our customers widely use FortiGates as their primary firewalls, we started checking out other hardware products besides FortiWLC, and landed on FortiSwitches. Fortinet's Security Fabric structure is pretty cool, and we went for a couple of 248s. At first we ordered a FW cluster and a 248 to test at the customer site. This was working quite well, and the customer ordered two additional 248s to replace their stone-age 2950, some old HP switches and an Allied Telesis stack.

The week before, all my planning went to shit, as I was side-tracked by more pressing issues. I wrote up a quick plan, but forgot essentials as creating a change, getting this change accepted in CAB and preparing some more details around a roll-back plan and overall plan for the migration to new equipment, as well as much needed essential research on Fortiswitches.

Migration day came, and I prepared two possible configurations: one where I set aside dedicated Virtual Switch Link interfaces for the FortiSwitches directly to the FortiGate, and one where we daisy-chained the FortiSwitches. The first topology worked fine for all the equipment, but you can't view the switches on the FortiGates, which was one of my main goals to make configuration easier. I rolled back and went for a daisy-chained topology. All switches showed up in the FortiGate management view, and I started configuring all the necessary trunk ports and access ports. The last two cables remained, and the job would be done within the agreed-upon billable time.

The last two cables, however, were attached to another old HP switch, which was a dedicated AP and WLC switch. This switch hadn't had any LAG config, but two cables were connected to the Allied Telesis stack nonetheless; one port was of course in blocking state and the other one was forwarding. As I was interested in getting the job done, I didn't give this much thought, and hooked the cables up to the Fortiswitches.

Big mistake.

Apparently STP isn't enabled on Fortiswitches out of the box; however, everything seemed to be working fine and I got the good ol' pat on the back and thanks. One and a half hours later, our monitoring guys are calling frantically: the WHOLE site is down, nothing is working as it should. From our device database we're able to reach the servers at the site, but devices on the same VLANs aren't able to reach each other. Luckily, but alas to no help in resolving the issue, I was able to reach the Fortigates over the loopback interface, and lo and behold: topology changes and duplicate OSPF router IDs everywhere. I quickly disabled all interfaces I knew were connected to other bridges, and set the Fortiswitch directly connected to the Fortigate as root bridge, and the topology changes stopped. However, this didn't help at all, and devices on the same VLANs, or with policies in place, were unable to reach each other.

After 16 hours of troubleshooting, and completely messing up the whole environment, and using my poor colleagues time on troubleshooting with me; we rolled back everything to the old equipment, and everything, except for the poor vcenter, came up and worked again.

This sucked so bad, as well as I'm stuck with the worst conscience for my colleagues who also had to help get everything up. I'm now in a re-planning phase, and setting up an identical lab to the proposed solution for the customer, to really cover all aspects and doing everything from scratch. A hard lesson was learned this week.



FlexVPN design .. where to firewall hub site?

Hi all

I'm currently designing a deployment with FlexVPN.

For reference I'm using a lot of iWAN documents, as they're more comprehensive than anything about FlexVPN, and the differences between FlexVPN and DMVPN don't mean much for topology anyway.

I've seen quite a few designs with this kind of setup for the hub routers in the hub site (in my case it is the corporate head office)

https://i.imgur.com/cBCghgJ.jpg

The "outside" of the hub routers is NAT'ed to public IPs which the spokes create tunnels to, and the traffic to them is managed by a firewall, which is fine. But wouldn't this mean that the tunnels terminate on the "inside" LAN, bypassing the hub site's firewall? That seems like a security risk to me... I'm not sure I trust my branch offices that much.

Thanks in advance



Network issues from cold boot

At one of the classrooms of one of our schools we have a very specific but unknown issue.

The whole classroom is equipped with HP Z-series (mini) workstations.

On a cold boot they all show the yellow network error icon on the Windows lock screen and are unable to log in. After a reboot (warm reboot) the issues are gone.

Did anyone hear of these issues before and how to further troubleshoot this?

All the workstations which have issues are on the two similar switches (Cisco 2960).



Filter based forwarding / Policy based routing OR static routing?

Servers in their own VRF need to access routes in multiple other VRFs. Instead of route leaking I decided to use filter based forwarding to match on destination address and forward using a next-hop in a different VRF. Alternatively I could create around 20 static routes and specify a next-hop table for each. Are there any advantages / disadvantages to either approach? *Route leaking is not an option as I'm working with around 50k routes*



GRE with HSRP

Hello together.

I have a question about routing in a network.

The network looks like this: https://imgur.com/a/Y6rNuur

So R1 and R2 are configured with HSRP. The outside IP address is 10.0.0.1.

The outside address of the other router is 20.0.0.1.

Now I have configured GRE-Tunnels on R1, R2 and R3 with the IPs from Subnet 172.16.1.0/24

How should the multilayer switch be configured so that the routers know each other's tunnel address and can reach their VPN destination (10.0.0.1 and 20.0.0.1)?



Wednesday, February 27, 2019

Baselining throughput over an ISP

What method do you rely on to baseline the throughput of an ISP circuit, for instance a L3VPN over metro ethernet circuit?

I usually see one of these used:

  • RFC2544
  • Y.1564/EtherSAM
  • iPerf
  • Speedtest website
  • File transfer (FTP, SCP, FileZilla, etc.)
  • RFC6349



Private to Public VPN help

Hey guys!

So I have a scenario here. I am used to building IPsec VPNs over the Internet between two Cisco routers using static IP addressing.

I have never done a scenario where one side has a static IP address and the other end does not.

Both sides will use Cisco 1921’s

Side A: static public IP address using a normal ISP

Side B: private address using a 4G modem with internet connection

Has anyone done this in the past? I’m kind of lost right now



FortiGate Network Connections

We are using an FG60E for a specific set of traffic we are routing out of one of our remote locations. We don't want this traffic to route back over our Corporate WAN. This is working with no problems.

We broadcast an SSID with a particular VLAN. This traffic is sent to the FG60E and sent out through the WAN port to the internet. This is done using LAN1 for the internal traffic and sent out over WAN1.

Internally we have a Solarwinds server that receives netflow data from all of our routers. We would like to report on the traffic going out of this firewall to validate and track use, capacity plan, etc. For this my thought was to use another LAN port that we allow onto our network. LAN4. LAN4 will be receiving a DHCP reservation from the onsite DHCP server and thus be on our network. Netflow stats will be sent to our netflow server through this port.

Here is where we get issues. Netflow works just fine. When LAN4 gets connected to the network I can connect to the FG60E over the IP of LAN4. However, traffic going over the SSID VLAN loses its connection to the internet once that connection is made.

I've been beating my head against a desk trying to figure out why this won't work. Out of blind luck we had it working for a few weeks then it all of a sudden stopped. I have been thinking it is a policy issue on how traffic is routing. I've tried every variation I can think of to make it work though.

I'd be grateful for any suggestions or thoughts on what I might check.



Ubiquiti p2p interfering itself?

My company has a couple Ubiquiti p2p links. On the dashboard, I keep coming across where it shows that its current channel is over crowded. I'll move it, but then 30 minutes later, the new spot turns red and says it is over crowded. Is this bugged? Am I being targeted?

https://i.imgur.com/fdKV71q.png

Anyone have experience with this?



Help Choosing New Fiber Optic Modem

For background I am a college student in charge of my fraternity's internet system. I've turned a collection of switches into a functioning network with UNIFI APs and a UNIFI Security Gateway acting as the network's router.

I noticed however that although our internet connection is rated for 125/25, the Gateway is only receiving a 100 Full Duplex connection to the modem.

The modem, according to our ISP (Metronet), is not supplied by them, although I find no information about the modem when I try to research its model number.

I suspect the weak link in the network is the modem, which receives a fiber line from the wall.

I was wondering if anybody could suggest a new modem that could support faster 1 Gbps throughput, especially if we were to upgrade our service plan.

Additionally, would this be a plug and play installation, or would I need to set up the modem? If so, what would that entail?



I'm at work, trying to direct certain IPs to LAN and everything else to WiFi. Would love some help!

I read this comment and this article but apparently I'm still doing something wrong.

Here's my scenario. I have my routing table set to send everything over Wi-Fi by default (172.16.134.13) because I deleted the default entry for Ethernet. (I could have also put Wi-Fi at a higher priority.) I have this list of IP addresses for various services that need to go over Ethernet (interface 130.210.194.179, gateway 130.210.194.192, subnet mask 255.255.255.192). Here are a few, where *** is a wildcard and XXX is just a redacted number:

  • 130.210.92.**
  • 130.210.92.***
  • 130.210.93.**
  • 130.210.93.***
  • etc
  • 131.253.80.**
  • 131.253.80.***
  • etc
  • 128.XXX.XXX.XXX
  • 166.XXX.XXX.XXX
  • 52.114.XXX.XXX
  • 52.109.XXX.XXX

Now, I know which ones are class A or B or C, and I know what the "default" subnet mask is for each. But I don't know what entries to make to force these ranges of IPs (like the 13X.* ones, are those on my subnet?) or specific IPs (like the class A addresses at the bottom of my list) over the Ethernet interface. I tried this to get the first set working, to no avail (on Windows):

(destination, subnet mask, gateway, Ethernet interface index):

  route add -p 130.210.80.0 mask 255.255.255.192 130.210.194.192 metric 266 if 3

What am I doing wrong? I know the destination field matches addresses by which is most specific. Where would the IP 130.210.88.1 be routed to? Would this not match the entry above, given the rest of my routing table?
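As an added example (not from the original post), the longest-prefix rule the post asks about, worked over a route table constructed from the addresses in the post; the metrics on the first two entries and the On-link entry for the Ethernet subnet are assumptions:

```python
"""Longest-prefix lookup over a Windows-style route table."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network  # destination + subnet mask
    gateway: str                    # next hop, or "On-link" for a directly connected subnet
    interface: str                  # Wi-Fi or Ethernet
    metric: int


def route_add(dest: str, mask: str, gateway: str, interface: str, metric: int) -> Route:
    """Same fields as `route add -p <dest> mask <mask> <gateway> metric <m> if <n>`."""
    return Route(ipaddress.IPv4Network((dest, mask)), gateway, interface, metric)


def lookup(table: List[Route], ip: str) -> Optional[Route]:
    """Most specific (longest) prefix wins; equal prefixes are decided by the lower metric."""
    addr = ipaddress.IPv4Address(ip)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def covering_routes(first: str, last: str) -> List[str]:
    """Smallest set of dest/mask pairs covering a range such as 130.210.92.0 to 130.210.93.255."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [f"{n.network_address} mask {n.netmask}"
            for n in ipaddress.summarize_address_range(start, end)]


def on_link(ip: str, iface_ip: str, iface_mask: str) -> bool:
    """True if `ip` lies in the interface's own subnet, i.e. is reachable without a gateway."""
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Interface(f"{iface_ip}/{iface_mask}").network


# Constructed table: the post's default via Wi-Fi, the Ethernet on-link subnet
# (130.210.194.179 with mask 255.255.255.192 lies in 130.210.194.128/26) and the
# attempted route add. Metrics on the first two entries are assumptions.
TABLE = [
    route_add("0.0.0.0", "0.0.0.0", "172.16.134.13", "Wi-Fi", 50),
    route_add("130.210.194.128", "255.255.255.192", "On-link", "Ethernet", 266),
    route_add("130.210.80.0", "255.255.255.192", "130.210.194.192", "Ethernet", 266),
]

if __name__ == "__main__":
    for ip in ("130.210.80.5", "130.210.88.1", "130.210.92.10"):
        r = lookup(TABLE, ip)
        print(f"{ip:>14} -> {r.interface} via {r.gateway}" if r else f"{ip}: no route")
    print("130.210.92.10 on the Ethernet subnet?",
          on_link("130.210.92.10", "130.210.194.179", "255.255.255.192"))
    print("gateway 130.210.194.192 on the Ethernet subnet?",
          on_link("130.210.194.192", "130.210.194.179", "255.255.255.192"))
    print("routes covering 130.210.92.* and 130.210.93.*:",
          covering_routes("130.210.92.0", "130.210.93.255"))
```

The /26 entry only spans 130.210.80.0 to 130.210.80.63, so 130.210.88.1 falls through to the Wi-Fi default; the helper shows the mask that actually covers the listed ranges.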



Who manages your industrial/SCADA network?

It seems like in many organizations, the industrial/plant/SCADA networks aren't managed by the IT department, they are managed by the "operations" group.

How common is that? Being a networking guy it drives me nuts. It seems like they try to put serial stuff everywhere and giant L2 domains anywhere that serial won't work.

In my organization we've had pretty good luck having the IT department manage most of that, and so it's smaller L2 domains and Ethernet over serial wherever possible, but it was a big battle.



DIR / DIR Bootflash Not displaying any files

Odd problem I ran across. Doing a DIR or dir bootflash: command shows no files, even though there ARE files, most importantly the IOS. You can even see show run calling for it in the output below. I also ran dir all-filesystems and cannot find the IOS in the output at all. Thoughts?

router#
router##dir bootflash:
Directory of bootflash:/
No files in directory
7113240576 bytes total (5711249408 bytes free)
router##show run | i isr
boot system flash bootflash:isr4300-universalk9.16.06.05.SPA.bin
router#



Connecting two Cisco switches via Access Ports

Hello All,

I know there are many forum posts on this topic; I'm just hoping someone can point me in the right direction. I have a topology in which my switch is being connected to a client's switch. Both sides of the link are access ports but configured on different VLANs.

We have a computer in a remote building connected to their switching infrastructure and we are hoping it will grab an IP from DHCP from our router. I made a quick and dirty diagram of what is going on.

When traffic enters my switch on the port configured as access for VLAN5, is the port tagging that traffic as VLAN5, so that it should hopefully grab a DHCP address from the appropriate scope, the same way as any other client would if it were directly connected to my switch on a port configured as access for VLAN5?

https://imgur.com/YKmFy6W



Automated Cisco network crawler

Hey

I have in the past had people ask me about my network crawler and it was really complex and not good for normal people to run as it was complex. I did some work with docker and fixed that.

Here is a demo of the setup and how to run it if any of you care. Works with Nexus and IOS stuff. Currently it doesn't do EIGRP.

https://www.youtube.com/watch?v=koJc_LmFpAI I suggest watching at double speed



I need a simple reverse web proxy - suggestions?

I need a simple web reverse proxy. The requirements:

  • Listen for http/https requests on one interface.

  • Terminate ssl connections using wildcard certificate.

  • Proxy the http or decrypted https requests to a backend server IP address based on an exact match to the original http request header. No wildcards needed.

  • Runs under windows

That's it. It doesn't need to be high performance. It doesn't need to cache. It doesn't need to load balance. It doesn't need to check on backend server health.

Anything fit this bill?



Attempting to understand Cisco site2site VPN. Need some help.

EDIT: Upon further reading, it looks like everyone with this Pace 5268 gateway has problems passing VPN traffic, so they all switched to the Arris NVG599, put it in passthrough mode and the problem disappeared.

Forgive me, I am not a networking guy. I am attempting to set up a Cisco site2site VPN from my house to my office.

I purchased two Cisco RV130 routers.

At my house I was able to turn my Comcast modem/gateway into pass through mode so that the RV130 works as the main router.

But at my office we have AT&T, and the Pace 5268 gateway doesn't have any passthrough or bridge modes. The best it can do is "DMZ+" mode.

The way I understand it is that I need to tell my Office RV130 what my Home RV130 WAN address is, and vice versa, so that they can connect to each other.

The problem I see is that when I program the Home RV130 and provide it with my Office WAN address, it's actually pointing to the Pace 5268 and not the RV130 at the Office.

Am I going to need a gateway at the office that offers true passthrough mode to make this work? Or is it possible to get it working with this DMZ+ mode? Or maybe I am an idiot and just misunderstanding things...



Looking to switch to network automation role this summer

Appreciate any pointers in how some folks made the transition in recent times.

I've been spending quite some time every day these days on RESTCONF, YANG, NETCONF, Python etc.



VRF Help

I posted this question a few months ago: Multiple IPs in the same subnet

I've decided the best route is to use VRFs with the overlapping IPs. I have setup two routers with the IPs configured and the ip routes in the VRFs.

If I do:

interface GigabitEthernet1/0.1
 description VRF1
 encapsulation dot1Q 1 native
 ip vrf forwarding VRF1
 ip address xxx.xxx.xxx.xxx 255.255.255.240
interface GigabitEthernet1/0.2
 description VRF2
 encapsulation dot1Q 2
 ip vrf forwarding VRF2
 ip address xxx.xxx.xxx.xxx 255.255.255.240

I can ping the other side router (which would be another provider) from VRF1, but not from VRF2.

Ultimately, I can only ping from whatever subinterface has encapsulation set to vlan 1.

Does anyone have an idea why this isn't working for me?

Edit:

Here is a drawing: https://imgur.com/a/yfWuthK

Some background: we run IPSec tunnels to each provider. Currently, one provider VPN tunnel terminates on the ISR I have, the second provider terminates on an ASA. I want them both to terminate on the ISR. Both with public IP addresses. Both providers have some odd reasons for not changing the peer IDs, so I'm trying to figure out how to point each provider at the public IP that was assigned to them during the initial setup. One solution, since they have different routing tables, is to use VRFs. But, I can only ping the provider that has the VRF encapsulation set to vlan 1. If there is another way, I would be interested in it.



HPE/Comware IRF Mis-configuration (loop?)

Good day, folks.

Got a question regarding HPE/Comware & IRF configuration. I've fallen in the standard trope of being immersed in the Cisco-verse and now assisting in managing an HPE environment.

I've read through both the Configuration Reference and Command Reference guides and in doing so, believe I've discovered an issue with the IRF/stack configuration in addition to a severe bottleneck between the ESXi hosts and SAN; all installed and configured by a previous MSP.

Topology and sanitized IRF related outputs. You will see the hosts are on a separate stack than the SAN, but interconnected and bottlenecked by a single 1Gb link between an intermediate switch and the SAN stack. Additionally, I believe the IRF configuration on the SAN switch is incorrect and causing a loop.

The configuration guide states:

"This loop elimination mechanism will drop a large number of broadcast packets on the IRF physical interfaces."

I recently stood up LibreNMS and see that 3 of the 4 40G interfaces used in the SAN IRF stack are indicating high levels of discards, which appears consistent with this statement:

  • 1/0/41
  • 1/0/42
  • 2/0/41
  • 2/0/42

I believe correcting this would require the SAN stack IRF ports to be as shown below, per the configuration guide:

  • IRF-port 1 members are 1/0/41 & 1/0/42
  • IRF-port 2 members are 2/0/41 & 2/0/42

When you connect two neighboring IRF members, connect the physical interfaces of IRF-port 1 on one member to the physical interfaces of IRF-port 2 on the other.

I suppose after all of this, I'm just looking for confirmation. Am I seeing this correctly or missing some crucial bit of information?



What routing protocol would you choose to last for the next 5 years?

We all know the IPv6 shenanigans. So, I think OSPFv3, what do you guys think? I want to know your opinions.



POE powered switch. Help

I purchased a Ubiquiti NanoSwitch passthrough, but this is passive PoE and always outputs passive PoE. I need a switch powered by active PoE that does not output passive PoE. 4 to 8 port, unmanaged.

Long of it: I have a location where getting AC power would be unnecessarily complex but need an unmanaged switch with at least 4 ports. Purchased a NanoSwitch, but this passes the passive PoE out to all ports, which would damage devices connected to it. I've been looking online, but when you search for "PoE powered switch" you get switches that output PoE and take AC power in. It's fine if the switch can output PoE so long as it's not passive PoE.



Best company to buy refurbished Cisco ASR from?

Looking to purchase an ASR1001-X, the 10Gb licenses, and SmartNet for under 15k CAD. I've gone through some Cisco partners looking for quotes and the licensing is killer.

While the unit price was fine ($8200), the licensing to enable the 10Gb ports, support for the chassis, the IP Base license and support on the 10Gb port license totaled $20,000! This is madness.

How can Cisco even offer a 2.5Gb default licensed option but not have the 10Gb ports enabled. Ridiculous.

Anyone have any advice on buying grey / refurb? I've been on ebay and just random places on the internet and they all sell the router for about the same price as I was getting from the Cisco partners so I don't see the advantage.



Change control will only allow L2 switch install after hours. Really? What's your experience?

Does anyone have tips on dealing with Change advisory boards who deny change requests for simple items like this and demand it be performed afterhours?

In the context of this request: this is a brand new switch, non-stackable, that will have a single link extended to it from an existing stack of switches upstream. I've already accounted for STP priority and set it to a value higher than the upstream switch, no VTP, and only 10 VLANs.

Who is in the wrong here? I see it as change control not understanding the technology or the words on the paper I've written, so they just default to a "better do it on the weekend just in case" mindset.

But a printer has just as much ability to flood a segment with BPDUs as a switch could possibly have. Does that mean you save printers until after hours as well?

I guess my rant here is about people who lack understanding of technology and create roadblocks in your career or work/life balance. What's the most effective way to push back on ignorance like this? Or am I the one who is ignorant here?



EigrpV3 Routing Help.

I am currently a networking student working on implementing EIGRPv3 across three different routers. From my understanding, EIGRPv3 seems fairly simple to implement: you just enter your AS number and router ID, then you enable it on the interface. For some reason, I cannot get router 1 to form an adjacency with router 2. However, router 2 will form an adjacency with router 3, and I'm at a loss. Here is the config I'm testing in Packet Tracer. Could someone tell me what I'm doing wrong?

hostname R1
!
no ip cef
ipv6 unicast-routing
!
no ipv6 cef
!
license udi pid CISCO1941/K9 sn FTX1524R4L6-
!
no ip domain-lookup
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 209.165.201.1 255.255.255.252
 duplex auto
 speed auto
 ipv6 address FE80::1 link-local
 ipv6 address 2001:DB8:ACAD:2::1/64
 ipv6 eigrp 1
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 ipv6 address FE80::1 link-local
 ipv6 address 2001:DB8:ACAD:1::1/64
 ipv6 eigrp 1
!
interface Serial0/1/0
 ip address 209.165.200.225 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 ipv6 address FE80::1 link-local
 ipv6 address 2001:DB8:ACAD:A::1/64
 ipv6 eigrp 1
!
interface Serial0/1/1
 no ip address
 clock rate 2000000
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ipv6 router eigrp 1
 eigrp router-id 1.1.1.1
 no shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
ip flow-export version 9

hostname Router 2
!
no ip cef
ipv6 unicast-routing
!
no ipv6 cef
!
license udi pid CISCO1941/K9 sn FTX1524A21O-
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/1/0
 ip address 209.165.200.226 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 ipv6 address FE80::2 link-local
 ipv6 address 2001:DB8:ACAD:A::2/64
 ipv6 eigrp 1
 ipv6 enable
 clock rate 2000000
!
interface Serial0/1/1
 ip address 209.165.200.230 255.255.255.252
 ipv6 address FE80::2 link-local
 ipv6 address 2001:DB8:ACAD:B::2/64
 ipv6 eigrp 1
!
interface Vlan1
 no ip address
 shutdown
!
ipv6 router eigrp 1
 eigrp router-id 2.2.2.2
 no shutdown
!
ip classless
!
ip flow-export version 9
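As an added example (not the poster's config or a Cisco tool), a small checker that parses both sides of the R1 to R2 serial link above and compares the prerequisites the post lists: the same AS under `ipv6 eigrp`, a router-id, and an enabled process, plus a shared /64 and matching PPP CHAP. The R2 copy is derived here from the post's values and the broken variant is constructed; for the lines shown it reports nothing, which points the search at configuration not in the post (for example the CHAP usernames and passwords).

```python
"""Adjacency pre-check for two IOS EIGRPv6 configs: parse, pair the link, compare."""
import ipaddress
from typing import Dict, List

# Trimmed copy of the poster's R1 Serial0/1/0 and process config.
R1 = """hostname R1
interface Serial0/1/0
 encapsulation ppp
 ppp authentication chap
 ipv6 address FE80::1 link-local
 ipv6 address 2001:DB8:ACAD:A::1/64
 ipv6 eigrp 1
!
ipv6 router eigrp 1
 eigrp router-id 1.1.1.1
 no shutdown
"""
# R2's side of the same link, derived from R1 with the post's R2 values substituted.
R2 = (R1.replace("hostname R1", "hostname R2").replace("FE80::1", "FE80::2")
        .replace("A::1/64", "A::2/64").replace("1.1.1.1", "2.2.2.2"))
# Constructed fault: the interface-level 'ipv6 eigrp 1' left off R2.
R2_NO_EIGRP = R2.replace(" ipv6 eigrp 1\n", "")


def parse(config: str) -> Dict:
    """Collect hostname, interface blocks and 'ipv6 router eigrp' processes from an IOS config."""
    out = {"hostname": "?", "interfaces": {}, "process": {}}
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("hostname "):
            out["hostname"] = line.split(None, 1)[1]
        elif line.startswith("interface "):
            section = out["interfaces"][line.split()[1]] = {
                "prefixes": set(), "eigrp": None, "chap": False, "shutdown": False}
        elif line.startswith("ipv6 router eigrp "):
            section = out["process"][line.split()[3]] = {"router_id": None, "shutdown": False}
        elif section is None:
            continue
        elif line.startswith("ipv6 address ") and "link-local" not in line and "prefixes" in section:
            section["prefixes"].add(ipaddress.IPv6Interface(line.split()[2]).network)
        elif line.startswith("ipv6 eigrp ") and "eigrp" in section:
            section["eigrp"] = line.split()[2]
        elif line == "ppp authentication chap" and "chap" in section:
            section["chap"] = True
        elif line.startswith("eigrp router-id ") and "router_id" in section:
            section["router_id"] = line.split()[2]
        elif line in ("shutdown", "no shutdown"):
            section["shutdown"] = line == "shutdown"
    return out


def check_adjacency(a: Dict, b: Dict) -> List[str]:
    """Mismatches that would keep a and b from becoming neighbours; [] means the shown lines agree."""
    issues = []
    pairs = [(ia, ib) for ia, da in a["interfaces"].items()
             for ib, db in b["interfaces"].items() if da["prefixes"] & db["prefixes"]]
    if not pairs:
        issues.append("no interfaces share an IPv6 prefix")
    for ia, ib in pairs:
        da, db = a["interfaces"][ia], b["interfaces"][ib]
        if da["eigrp"] is None or da["eigrp"] != db["eigrp"]:
            issues.append(f"{ia}/{ib}: 'ipv6 eigrp' AS missing or different ({da['eigrp']} vs {db['eigrp']})")
        if da["chap"] != db["chap"]:
            issues.append(f"{ia}/{ib}: PPP CHAP configured on one side only")
        if da["shutdown"] or db["shutdown"]:
            issues.append(f"{ia}/{ib}: interface is shut down")
        for cfg in (a, b):
            proc = cfg["process"].get(da["eigrp"])
            if proc is None or proc["router_id"] is None or proc["shutdown"]:
                issues.append(f"{cfg['hostname']}: process {da['eigrp']} missing, shut down or without router-id")
    return issues


if __name__ == "__main__":
    print(check_adjacency(parse(R1), parse(R2)))           # []
    print(check_adjacency(parse(R1), parse(R2_NO_EIGRP)))  # one AS mismatch line
```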



I'm in a little over my head and need some help.

Good afternoon guys. I landed a sweet internship while I'm in college. First off, I work for a company that has 9 buildings and 5 IT guys including myself. As soon as I started working my boss gave me a huge job that I'm kinda in over my head with.

So every switch the company owns is pretty much on out-of-the-box default settings. Some had IPs set for management and nothing else was touched. I was tasked to figure out where every switch is and set them up. I took a few classes in college where my teacher actually taught CCNA and various other certification courses, which probably helped me land this job. My boss and I are the only ones that know much about how to set up switches, and the other three coworkers don't know much.

Question one: We have a mix of Cisco and HP/Aruba switches scattered through the company. Is there a way to figure out what is physically connected to a port? They have zero documentation and this is part of my job. Eventually they want to VLAN stuff out, but if I don't know what is plugged into which port I can't effectively VLAN anything.

Question two: Is there some documentation out there on best practices for how to properly set up switches? Most of them have default settings and I'm making my way through them and setting things up slowly. I'm just doing the simple stuff such as setting up console passwords, disabling telnet and enabling SSH, and setting up other passwords. In this day and age security matters and I would like some guidelines on how to secure these things the best way possible.

If this is the wrong place to ask these questions let me know. Thanks guys for any help!