Saturday, March 16, 2019

For those of you who have worked in pre-sales at one of the big telecoms...

... what was your experience there, and would you recommend it to a fellow engineer? I'm expecting an offer from one of the big guys and I'm trying to decide whether or not I will accept it (assuming that the salary or benefits are right... I haven't gotten an offer letter yet but I've been told by the hiring manager that the job is mine).

I've wanted to get into pre-sales for a long time, and I think that getting an architect title on my resume would be very valuable for my long term career prospects, but, I want to do legitimate solution design and I'm just not sure how much of my job would be that vs parroting marketing material.

I'm also anticipating CCIE R&S certification by the end of the year, and I'm not sure if by accepting an offer now, I'll be selling myself short. I'm pretty light on years of experience, you see, and it isn't clear whether I'd actually be able to get your average "CCIE-level" position.

Note: When I say "big telecoms", I'm referring to companies like AT&T, Verizon, Centurylink/L3, BT - not a local or regional carrier.



Need help trying to set up a static IP address

https://ift.tt/2XZn6u1

[WORKS BUT SHOULDN'T] Why can a router take the same public IP address of the parent router without issue?

Fellow network administrators, I've got a weird issue to talk about today. I have a router (router A) that is assigned an automatic, public, routable IP address from our ISP via Ethernet (which then goes directly to a fiber media converter, etc.). This Router A is configured for dynamic IP addressing and therefore it receives its IP address automatically from the ISP, which happens to be a static IP address FWIW. All is fine and dandy with this... devices connected to it successfully receive DHCP, DNS, Internet access, and other services as expected by this router.

Underneath this router, one of the devices is another router (Router B; connected via Router A's LAN port to Router B's WAN port). All sounds normal, less the potential double NAT, right? Unfortunately, this is where it gets funky. Router B's WAN port is set to a static configuration that matches Router A's configuration that it automatically receives from the ISP. Devices connected to Router B's LAN work perfectly fine, too.

Obviously, if our ISP were to change our IP address or other settings this configuration would break immediately. These are the facts and then my questions:

  • This configuration, while it doesn't seem as though it should work, works.
  • Nothing appears degraded or slow in the network as a result of this.
  • Devices in Router B's LAN can access the Router A LAN (specifically, the router web administration page).
  • Router A's DHCP service does not appear to be assigning Router B an IP address.
  • Router B is not [in] the DMZ of Router A. Router A, from its configuration pages, does not appear to know that Router B even exists.
  • Router B is successfully doing port forwarding without the same ports being opened through Router A. What even? 😂
  • Router A/B are confirmed to be in a double NAT environment, per the issue that this post is addressing.
  • Router A was provided by the ISP.
  • Router A and Router B have different DHCP ranges, scopes, but potentially the same subnet mask for their LAN's.
  • There are normally no other devices other than Router B on Router A's LAN ports, but they have been known to coexist without issue for short amounts of time... I can recall a particular situation where the router needed to be restarted before Internet access could be restored, shortly following devices being connected and used on Router A's LAN; unsure if this was a coincidence though.

So onwards to the question! How does this even work properly and what exactly is happening? How is traffic even routing properly back into Router B if Router A doesn't know to route the traffic in its direction? Am I confusing myself or something?

Cheers!



IPV6 and drinking

So I’m in school and every time our text for reading says hexadecimal I take a shot (not literally every time but enough). Tis in honor of St Patty’s day and the fact I am terrified of memorizing IPV6 notation.



HSRP Isolation between VPC Pairs

I'm tearing (what's left of) my hair out over trying to use this recommendation for HSRP Isolation of Dual L2/L3 Pod - https://www.cisco.com/c/en/us/support/docs/switches/nexus-7000-series-switches/118934-configure-nx7k-00.html#anc7

I'm labbing it on eve-ng using the Nexus 9000v and will be looking to roll that onto Nexus 92160.

NB. while that doco is for N7 it has a caveat saying that it'll work for N9 too.

VPC pairs are up and running. The PACL is configured and applied to the VPC DCI, but it just isn't blocking the HSRP hellos. Mucked around with TCAM carving just in case.

I saw a recommendation for just changing the HSRP authentication password on the VPC pairs and disabling gratuitous arp hsrp duplicate. This appears to work but I can't let it go that I've failed on the PACL front.

The Cisco feature navigator seems to imply that the 9000v (and the 92160s) don't actually support PACLs.

Can anyone either put me out of my misery or further into it by confirming/denying that the PACL option is not going to work?



QoS is disabled in WRT300N on Packet Tracer

So I'm trying to show the QoS settings on the Access Point in Packet Tracer but it's grayed out and I'm unable to select it. Any idea?

Note: I know I could do QoS settings differently via CLI but I need the GUI.



BGP AS traffic Monitoring

Hi guys. I am looking for a tool which can graph traffic based on AS number. More and more ISPs have started to inquire about traffic level toward their AS, when we ask for peering connection. Network Core = Juniper MX204. Any open source tool recommendations? Thanks.



Wireguard + OSPF

Hello,

I want to share some OSPF routes through a wireguard tunnel. Both ends have Linux machines with quagga installed.

They only send each other OSPFv2 hello packets - and nothing more.

I've set both interfaces to non-broadcast and configured each machine as neighbour of the other.

Has anybody got a working OSPF setup over a wireguard tunnel and is able to give me some hints on what I'm missing here?

Thanks.



Securing SIP over the internet. Best practices?

Hello,

My company offers SIP services over the public internet and I was asked if there are any best practices to make the network more secure.

Apart from using TLS authentication in SIP, is there any way for the firewall to inspect SIP in L7? I am referring to a traditional firewall and not a NGFW.

The current policy is to allow from all on the SIP ports (5060-1 and some random high ports).



ALFA AWUS036ACH Disconnects While Using Virtual Box.

Hey all!!

This is my first time ever setting up and having some experience with Virtual Box. I'm in the Army at JBLM in the barracks so I have Comcast as my provider (150mb).

I bought this Wi Fi adapter to learn the fundamentals of hacking and what I notice when I try to "ifconfig" my interface is that wlan0 does not have an ether. Would that cause me problems later on in my journey?

Also, because I am using Windows 10 as my host system (poor me) my USB Wifi adapter disconnects every time I try to run Virtual Box.

I also try plugging in the adapter after I launch my terminal in Kali Linux only hearing that it disconnected yet again. I look at my WiFi settings and the network options go from multiple user names to just my user name.

When I begin to run "airodump-ng" it kicks my connection off and I have no MAC address, or stations when executing the command. I only understand that is just for deauthenticating a client, but I am frustrated it will ruin my learning experience as well.

I installed all the latest updates and upgrades for the distributions, checked the USB device and Network settings only for my device to keep kicking me off.

If anyone has any solutions, I would very much appreciate all the tips.

Once again, thank you all!



QOS / Police - inbound from internet

I have a remote office, which has 100mb fibre internet, with a bunch of vpns back to our various data centres.

The VOIP solution there is an onsite PBX in the style of a 3cx server, with a sip trunk coming in over the internet connection.

During busy periods they can often max out their internet connection which causes voice quality issues.

What is the best way to try and ensure that there is always bandwidth available for voice?

Would I have to police on the internet link on ingress to our router or egress from the router to our LAN?

I was thinking I could use class-map, match VoIP ip addresses in one class and do nothing, and match all in another class and police to 90mb.

Would that solve my issue and should I police on outside interface lan-bound or inside interface lan-bound?



Peer-to-Peer TLS certificate verification

I am working on a peer-to-peer networking application. Each node in the network can both receive and transmit data to other nodes in the network. The data being sent through the network is sensitive, so we are using SSL encryption on both ends.

Usually, a trusted Certificate Authority would issue a digital certificate to a web server. This certificate verifies the identity of the web server and its public key. In our case, however, there is no centralized web server. Each node in the network would need to have their own self-signed digital certificate and public/private keys. Each one of those self-signed digital certificates should be trusted amongst all the users.

How would we go about trusting those self-signed certificates with as little user impact as possible? (Preferably, all work should be done automatically in our application and shouldn't require any manual installation/trusting of digital certificates).
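An added example (not from the original post; all node ids and certificate bytes below are constructed) of one way to trust self-signed peer certificates without installing anything into the operating system's certificate store: the application keeps its own store of pinned certificate fingerprints, learned from a bootstrap/invite message or on first contact (trust on first use), and checks the DER bytes of the certificate a peer presents (in Python, `ssl.SSLSocket.getpeercert(binary_form=True)`) against that store. Only the pin logic is exercised here; wiring it into the TLS handshake is the application's job.

```python
import hashlib
import json

# Constructed stand-ins for DER-encoded certificates. A real node would pass
# the bytes returned by ssl.SSLSocket.getpeercert(binary_form=True).
NODE_A_CERT_DER = b"constructed-der-bytes-for-node-A"
NODE_B_CERT_DER = b"constructed-der-bytes-for-node-B"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes: the usual 'pin' for a certificate."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Maps node id -> pinned certificate fingerprint.

    Pins are learned out of band (from an invite or bootstrap message) or,
    when allow_tofu is set, on first contact. Either way, a later presentation
    of a *different* certificate for the same node id is rejected, which is
    what protects an established peer relationship.
    """

    def __init__(self, pins=None, allow_tofu=False):
        self.pins = dict(pins or {})
        self.allow_tofu = allow_tofu

    def verify(self, node_id: str, cert_der: bytes) -> bool:
        """True if the presented certificate matches the pin for node_id."""
        seen = fingerprint(cert_der)
        pinned = self.pins.get(node_id)
        if pinned is None:
            if not self.allow_tofu:
                return False           # unknown node and no bootstrap pin
            self.pins[node_id] = seen  # first contact: remember this cert
            return True
        return pinned == seen          # changed cert for a known node -> reject

    def dump(self) -> str:
        """Serialise the pins so the application can persist them itself."""
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def load(cls, data: str, allow_tofu=False):
        return cls(json.loads(data), allow_tofu)


if __name__ == "__main__":
    # Pin for node A arrived in the invite; node B is met for the first time.
    store = PinStore({"node-a": fingerprint(NODE_A_CERT_DER)}, allow_tofu=True)
    print(store.verify("node-a", NODE_A_CERT_DER))   # True: matches the pin
    print(store.verify("node-a", NODE_B_CERT_DER))   # False: wrong cert for A
    print(store.verify("node-b", NODE_B_CERT_DER))   # True: learned on first use
    print(store.verify("node-b", NODE_A_CERT_DER))   # False: B's cert changed
```

Because the pins live in application data, no user has to import anything into an OS trust store. Trust on first use only closes the window after the first contact; shipping the pin inside the invite closes it entirely, so prefer that where the invite channel already exists.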



To Flow Control or not to Flow Control

I have been trying to get to the bottom of the paused frames that appear after we switched to 10GB on two servers, and it appears that it’s more than likely due to one server running off SSDs trying to move files over to platter drives on the other, which is causing some kind of caching issue, and Flow Control was the protocol generating these pauses.

Having said that, I have been reading conflicting information on Flow Control and whether it is good or bad. Windows now seems to enable it on both RX/TX by default but I am not sure if we should be disabling that. Does anyone know anything on the pros and cons of flow control?



Suggestions regarding 10gb network for video editing

Hey everyone, sorry for the incompetence but I’m a networking newbie and need a pointer in the right direction.

I’m trying to create a network to edit videos off of a FreeNAS. There are currently 12 editors that would be working off the system. I have the building wired with Cat 6 and a fiber line running from the server room to the editing room.

I’m at a loss on where to start. If anyone could give me suggestions or maybe even a build guide I would really appreciate it.



Quick question for Dynamic VLAN port assignment

Let's say I have a Wired and Wireless LAN config and I want to dynamically assign users a VLAN with radius. Dot1x on the interfaces facing users, APs are configured for dynamic VLAN...

Let's say I have 500 users. Do I need to create something like VLANs 100-600 for user VLANs across all switches and do they need to be tagged facing every access port? Or does Dot1x and Radius somehow properly tunnel the VLANs back to the default VLAN?



Is there a way to migrate back from ACI to CLI/DCNM managed Spine and Leaf?

Hi guys

I am looking at ACI and I am wondering if this is possible: let's say you have implemented ACI and you either consider that you do not need it anymore (consider it was used to manage the fabric only and less for policing)

I just started reading these topics and I was wondering if there is a way back from ACI once you are all in.

regards
MM



Backup/Save ports forwarded

I know this is probably not possible, but can you save/backup your ports forwarded in Windows 10?



Metal Cabinet

Hello,

I am purchasing a steel cabinet to put my networking equipment in and was wondering if the steel material will cause any issues with the wifi network being broadcast from the router in the cabinet? Also, will the cabinet affect the Ethernet cables at all?

Thanks



Trying to replace Brocade MLX routers - VyOS maybe?

We have multiple Brocade MLX8 and 16 and since these boxes are out of warranty and contracts, we are planning to replace them with something we can upgrade and get some kind of support.

The rest of the network devices are Juniper MX480 routers. We are on a 10GbE network, but I think the MLX8 and MLX16 are way too overkill for what we need. Therefore, we are not looking for routers with exact specs.

The topology is full-mesh and each circuit is done via VLAN, so each router has a single physical connection (10GbE) to the WAN and each circuit (we are paying 10Gbps for each one) was done via VLAN tagging. To give an idea, here is a topology of a single site https://imgur.com/a/7u4V1PS

We got some quotes from Juniper and Cisco and the prices are way too expensive. We are talking about $300K range. I remember VyOS recently started their subscription model. The one I am not sure of is if VyOS would meet our use case.

We are running IS-IS but this can be changed to OSPF if need be.

We are running BGP

We are going to deploy IPv6 very soon

About the hardware, I am looking at the following :

|2x[SUPERMICRO SYS-5018A-FTN4](https://www.amazon.com/SUPERMICRO-SYS-5018A-FTN4-SuperServer-5018A-FTN4-Server/dp/B00I7Z1QL2/ref=sr_1_10?crid=3F5ASNXHBU0AJ&keywords=supermicro+c2758&qid=1552748836&s=gateway&sprefix=supermicro+c27%2Caps%2C145&sr=8-10)|**$1200.00**|
|:--|:-:|
|2x[Supermicro 8GB DDR3 SDRAM](https://www.amazon.com/dp/B00J4TJG94/?coliid=I8ZUBX55OYKT7&colid=18Q3UNGWJO66E&psc=0&ref_=lv_ov_lig_dp_it)|$128.98|
|2x[Samsung 860 PRO 256GB 2.5 Inch SATA III](https://www.amazon.com/Samsung-512GB-V-NAND-Solid-MZ-76P512BW/dp/B07864XMTK/ref=sr_1_3?keywords=samsung%2Bssd%2Bpro&qid=1552749099&s=electronics&sr=1-3&th=1)|$160.00|
|VyOS Subscriptions|???|

Can I pass traffic close to the line rate with VyOS using the hardware above?

Should I look into Xeon-D boards instead of Atom?

What 10GbE card should I use?

If I turn-on the zone base firewall with the same hardware, how much throughput are we talking about with this hardware?

If you are running VyOS in production, what is the box you are using?



With virtualisation and automation more prominent, why are we still stuck with written exams

This is a conversation I've had with a few colleagues, general consensus is the current certification format isn't all that great for NA/NP tracks etc. Also due to brain dumps, exams are now starting to have very obscure questions and things that may not actually be used in the real world.

To date all major vendors now have their kit in a virtual form, you can spin up a virtual SRX, Cisco etc in a matter of minutes. Throw in some automation into the mix and voila you've just setup a basic network in under an hour. So this got us talking how vendors could use virtual labs to actually test our skills, pretty much the same way as CCIE lab exam but at NA/NP level. I know there are simulations in some exams, but you're limited to the capabilities of the simulator.

To me it makes much more sense, you'd need to do some serious studying to know how to setup BGP, OSPF etc memorising answers won't really work in this sort of situation.

From my experience in a previous role, I know McAfee's professional services certification follow a similar approach. You present to them a project you worked on for a customer and they'll assess if you gain a certification or not. This type of certification method would also be good, but I'm guessing it'll cost a lot more and time.

Do fellow networkers think that the certification format is due for an overhaul?

edit: word



nslookup for some sites doesn't work

Guys, I just started to learn networks (I'm 8 yo btw) and in this video [ https://youtu.be/i5-o7mlfjBM ] the 'nslookup' terminal command is suggested to see how translation from a web site name into an IP address works. It is working fine for many cases but for some it doesn't.

Here are the examples that don't work:

```
~ $ nslookup snn.com
Server:                2600:4040:400f:3700::1
Address:        2600:4040:400f:3700::1#53

Non-authoritative answer:
Name:        snn.com
Address: 192.254.190.68
```

when I paste 192.254.190.68 into web browser I see:

```
Sorry, this page doesn't exist.
Please check the URL or go back a page.
404 Error. Page Not Found.
```

another example:

```
~ $ nslookup sonos.com
Server:                2600:4040:400f:3700::1
Address:        2600:4040:400f:3700::1#53

Non-authoritative answer:
Name:        sonos.com
Address: 23.203.23.170
```

returns:

```
Invalid URL
The requested URL "[no URL]", is invalid.
Reference #9.5395fea5.1552736383.1ca25ed
```

It doesn't work for youtube.com either.

Can you explain what is wrong, please?
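A common reason a name resolves fine while its bare IP returns a "page doesn't exist" or "Invalid URL" page is name-based virtual hosting: many sites share one address, and the web server picks the site from the HTTP Host header, which a browser fills with whatever was typed in the address bar. The following added example (not part of the original post; the two site names are constructed) runs a tiny local web server that serves two names from one address and shows that a request carrying the raw IP as Host gets the 404 page even though the address is exactly what nslookup returned.

```python
import http.client
import http.server
import threading

# Constructed site table: hostname -> page body. It stands in for the many
# sites that can share one IP address behind a shared host or CDN.
SITES = {
    "example-a.test": b"<h1>Site A</h1>",
    "example-b.test": b"<h1>Site B</h1>",
}
NOT_FOUND = b"Sorry, this page doesn't exist."


class VirtualHostHandler(http.server.BaseHTTPRequestHandler):
    """Pick the site from the Host header; unknown names get a 404 page."""

    def do_GET(self):
        # Browsers send "Host: <what was typed in the address bar>", so a
        # request made by IP carries the IP, not a site name.
        host = self.headers.get("Host", "")
        name = host.split(":", 1)[0].lower()  # drop any :port suffix
        body = SITES.get(name)
        if body is None:
            body = NOT_FOUND
            self.send_response(404)
        else:
            self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


def start_server():
    """Start the server on a free loopback port and return it."""
    server = http.server.HTTPServer(("127.0.0.1", 0), VirtualHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_status(port, host_header):
    """GET / on the local server with an explicit Host header."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def demo():
    """Status codes for: site A by name, site B by name, and the bare IP."""
    server = start_server()
    port = server.server_address[1]
    try:
        return (
            fetch_status(port, "example-a.test"),
            fetch_status(port, "example-b.test"),
            fetch_status(port, "127.0.0.1"),  # what "pasting the IP" does
        )
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())  # (200, 200, 404)
```

The same resolution step nslookup performs is still correct here; the server simply has no site registered under the name the browser sent. Sites behind a CDN answer the same way, and the "Reference #" line in the second error is such an edge node reporting that no hostname matched.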



Meraki 802.11ax (WiFi 6) APs are out now, MR55 8x8:8

https://meraki.cisco.com/products/wireless#models

MR45 and MR55 are now out. Can’t wait to see how the 8x8:8 model performs.



How to check vulnerability on FortiGate Firmware?

Hi people.

I want to be sure that my firmware doesn't have any vulnerability. What is the best practice to check it?

My firmware version is v5.6.4 build1575.



Extend Meraki Free Personal License

Hey Guys,

as part of a Meraki Training I received an MS220-8P as well as a MX64 and an AP with a free 3 year license for personal use as a way to keep up to date with the Meraki products.

Now the license is coming close to an end and I'm not willing to buy a license for my homelab.

Has anyone of you tried to get the license extended for free and what were your results?

What else can I do once the license runs out, I don't want to throw away perfectly fine hardware - I guess OpenWRT would be an option at least for the AP, though I don't think the MX64 is supported



Distribution Layer

I'm reading through the Campus Network for High Availability design guide by Cisco and came across a cable representation I haven't seen before. It's basically 2 cables with a circle around them; could someone tell me what that represents? It's used in Figure 2.

Source: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/HA_campus_DG/hacampusdg.html



What is your favourite "hack" in networking?

I will list some here:

- /31 masks

- On Cisco routers, change SSH using NAT as per the example below:

```
interface loopback 1
 ip address 169.254.255.255 255.255.255.255
 ip nat inside
!
interface Gi0/0
 desc [outside interface]
 ip address a.b.c.d 255.255.255.y
 ip nat outside
!
ip nat inside source static tcp 169.254.255.255 22 interface Gi0/0 54321
```



Connecting both wifi and ethernet

Hey guys, two computers at home, one is ethernet and one is wifi - I need to get both of those on the same network so I can RDP between the two on a lan, among other things. They both go to the same router...am I missing something here ?



Where are the most active Networking communities?

While this Subreddit has nearly 160 000 subs, what other online communities do you browse to talk networking?



Friday, March 15, 2019

Question about changing switch stack# in a production environment with already configured ports.

We installed a new stack at one of our locations. The stack from top to bottom is going 1, 3, 2, 4. We had no knowledge of this until later on, when we already had configuration on the ports for switch 3 and 2 (traced MAC addresses to find the ports, you know the drill, etc.) ((We are remote)).

The question is, when we change switch 2 to switch 3 and switch 3 to switch 2, will the config for each switch hold on to the number? Or change with each switch?

Example: 2/0/35 is currently configured with switchport access VLAN 10, when we swap switch 2 so that it is now switch 3 will the configuration now have 3/0/35 on VL10? Or will it stay 2/0/35 on VL10?

Any help is greatly appreciated.

Edit; Switches are Cisco Catalyst 2960X-48FPS-L



[Humor] Me explaining to my wife what I do for a living...

So watching YouTube this morning in bed with my wife when a Linus Tech Tips video came on (the video in question) and she starts asking what I do for a living (I'm a senior network engineer).

Wife: "So you like move cables around for a living?"

Me: "No, generally there are cable techs who work all that out before I show up on site and leave the cable either dangling in front of the gear, or plug it in for me"

Wife: "So what do you do?"

Me: "I configure the networking equipment to do what the customer needs it to do"

Wife: "So you do a whole bunch of complicated stuff that a Best Buy switch can do out of the box?"

Me: "Uhh, well it's not usually that simple"

Wife: "How so?"

Me: "Well I might have to configure a VLAN"

Wife: "Is that hard?"

Me: "Uh, well no"

Wife: "So what's difficult about it?"

Me: "Doing it at scale"

Wife: "So you configure a thousand VLANs?"

Me: "Well uh, very rarely that many"

Wife: "So what's at scale?"

Me: "The VLANs can be, sometimes the firewall rules, and sometimes I need to reboot things"

Wife: "Right...So what is it you really do again?"

Me: "ugh I mostly do what Linus does between 8:20 and 8:35 in that video"

Thanks hun, way to take the wind out of my sails regarding my 10+ year long career.

(Joke post btw, my wife is actually really understanding but this was a funny convo).



How can I replace a coaxial input router, provided by mi ISP, with a Fortigate 100D working as a router and firewall?

I have a network with 40 users and we are surviving now with a 20mbps bandwidth. Here in Peru we can choose an asymmetric network service that uses a coaxial entry to a really bad router, and I want to replace this device with a Fortigate 100D that I have.

I know that I can put the Fortigate behind the router of my ISP, but I want to put the Fortigate first above all, so I was looking for some adapter but I couldn't find any alternative that gives me some kind of guide about my specific requirement.

I would be very grateful if you can help me to find a solution for it.

Thanks in advance.



Best Practice regarding routing traffic to HSRP router ?

Hi,

First, sorry for my English AND I'm far from a pro in networking; this is mostly for educational purposes, so sorry if I say something stupid ... trying to improve myself :)

I got a question about the "best way" to forward traffic to 2 physical routers configured as HSRP.

Here is a graph :

https://imgur.com/vglgr6n

and here is more info :

Endpoint's GW are on SW03

SW03 got multiple VLAN configured with each their own subnet + SVI

Endpoint are on multiple VLAN

As far as I know about HSRP (and believe me that's not much, I discovered it yesterday ...) it NEEDS to have a "leg" in each subnet.

It means there is a need for 3 IPs (2 physical + 1 virtual) in each VLAN for it to work.

My question/problem is:

In this case, the LAN routing is done by SW03. Is there a possibility to make a route from SW03 to VRRP WITHOUT the need to assign 3 IPs in each subnet AND configure all IP/VLAN/subnet on the router(s)?

And obviously keeping the high availability of HSRP.

Well, writing this post I realised that there is still a need for 2 connections from SW03 (2 physical routers), hence the "graph" is false, so now I'm thinking this post is useless xD

Regardless, here is the rough idea I HAD before, while I was writing this post:

SW03:

```
interface gig1/0/24
 no switchport
 ip address 192.168.100.2 255.255.255.0
 ! mask not given in the post; /24 assumed
!
ip route 0.0.0.0 0.0.0.0 192.168.100.1
```

Router(s):

```
interface G0/0
 ip address 192.168.100.1 255.255.255.0
 ! mask not given in the post; /24 assumed
!
ip route 0.0.0.0 0.0.0.0 192.168.100.2
```

If anyone can confirm there is no other way than 3 IPs/VLAN to maintain HSRP, that would still be a mini win ;)

If there is another way ... I'd be glad to hear it! :)

Thanks in advance



Coaxial to Ethernet Bridge

Is there anything that can be bought to extend a coaxial connection across a switched network?

For example: coax A --> Ethernet Switch VLAN 10 --> Coax B

I'd like to see if I can extend a coax connection across a VPLS network for shiggles.



FirePower Appliance

My current employer is looking to upgrade their current aging firewall infrastructure. We run mostly ASA 5510s.

We were looking at upgrading to ASA 55XX-Xs but have taken notice of the Firepower appliance series also. They offer better throughput for the money. They also have a much larger port selection on them compared to the ASAs. We want to run ASA code on the appliance and not the FTD stuff. Is this doable, and will we get the appropriate throughput that's advertised if we run it on ASA code? Or does it not make sense since we won't be taking advantage of all the NGFW stuff?



I need a recommendation on a high port count networking switch.

Hey guys,

So long story short, I have two computer labs at one of the schools I manage. One has 35 PCs and a teacher PC, and the neighboring lab has 20 PCs... for a grand total of 56 PCs.

Right now, they are all Dell Optiplex 7000 series computers, connected via cat 6 to a 1gigabit switch. I want to put a 10Gbe NIC into the teacher PC.

So I'm looking for a port that will allow me to connect one computer via 10Gbe, and still be able to connect all of the other pc's via their 1 Gigabit nic's.

Any recommendations?

Reason: The teacher PC runs a monitoring/control software that can be quite bandwidth intensive. So my train of thought is, if I give her 10 gigabits of networking throughput, she will be able to handle the multiple simultaneous connections to all of the PCs (bear in mind, the lab PCs aren't experiencing any networking/bandwidth bottlenecking; it's only the teacher PC when she tries to connect to 30+ PCs at one time).

Thanks!



External Thunderbolt QSFP NIC?

Is there such a beast as an external QSFP-compatible NIC that would work on a Mac/PC? I realize that Thunderbolt 3 maxes out at 40Gbps so am not concerned about bandwidth, but wanted something that could at least let me read the DOM and get a link to run LLDP, etc. talking to a 40G/100G host on the other side.



How can I connect an ISP modem that gives me a coaxial using a Fortigate as the entry of my network?

I have a network with 40 users and we are surviving now with a 20mbps bandwidth. Here in Peru we can choose an asymmetric network service that uses a coaxial entry to a really bad router, and I want to replace this device with a Fortigate 100D that I have.

I know that I can put the Fortigate behind the router of my ISP, but I want to put the Fortigate first above all, so I was looking for some adapter but I couldn't find any alternative that gives me some kind of guide about my specific requirement.

I would be very grateful if you can help me to find a solution for it.

Thanks in advance.



Single hand off or LACP from carrier?

We are in the process of re-configuring our network topology. We are working on creating a hub/spoke design over a city wide dark fiber to 5 of our offices. The dark fiber hand off to each of our offices is a Cisco 2960L switch. (We do not get access to these Cisco switches but we can ask for them to be configured any way we please.) Our in house switches will vary a little but most of them are Dell N4032F switches as our top of rack equipment. My question is: Would you have your provider configure the Cisco 2960L with just a single 10G SFP+ port connecting back to your equipment? Or would you rather have a 2x 10G LACP connection just as a cable redundancy in case of cable failure? We will be using short copper Twinaxial DAC cables as the cross connect cabling.



Greenfield Deployment

Howdy networking,

I have a new deployment that we are putting the final touches on and want to get some ideas on best practice here with a new server and switch cluster going in.

Short story, we have an access control system that is considered business critical so we are going to run a single VM on top of two ESXi boxes and use HA to keep her running. We have a new Dell SCv3020 SAN going in to support the two VMs as well as two physical (I know) Active Directory servers, and one "management" machine. The management machine will handle Veeam backups for the VM as well as run the client application for the access control.

Coming in from the field we have controllers with redundant NICs (previously one NIC and one modem) coming back on separate fiber paths, one existing and one new.

I am thinking my best bet for the production side of the network is 10GbE from the ESXi hosts to my "core" switches (Aruba 2930M with 4 port 10GbE module) which are separate at the moment, but I will have a 10GbE port available on them so I can tie them together. I wanted to avoid doing them as a stack so if one dies it doesn't take the other with it, not necessarily from a physical failure but from a mis-configuration point too.

I am planning on teaming the NICs on my AD and management servers, and uplinking them to both of the core switches. Originally I was going to have two isolated segments running on the main and backup network, but this seems like it would become a DNS nightmare for the single-homed machines trying to resolve a hostname if it got the IP from the backup network. This network is on an island and there is no routing being proposed.

I am not thrilled about the MikroTik as the SAN switches, but they originally called for HPE OfficeConnect 10GbE switches and that just seemed, cheap. At least the MikroTik have redundant power supplies....

Here is a diagram I put together, it doesn't show the tie between the two core switches or redundancy from my fiber aggregation switches, but I am thinking this can all be a flat network and let RSTP do its job.

https://imgur.com/a/qPUiL1e

Any suggestions for improvement would be appreciated!

Thanks



Alleged RF interference between router and vehicle key fob.

I have the following in car video components installed in a Ford Explorer:

  • WiFi connected cameras (5GHz)
  • Cradlepoint router (5GHz radios only, 2.4 GHz disabled)

Apparently since the installation of these components, the keyfobs for Dodge Chargers and Jeep Cherokees parked nearby work intermittently.

I can't see how it's possible for my components to be leaking into the 300-500 MHz range... and the people on site are having trouble reproducing it consistently enough to do any kind of effective elimination.

The only constant is the Explorer being parked nearby.

I figure getting out there with a spectrum analyzer with the full range of frequencies is really all that can be done at this point.

Just curious if anyone else has seen something funny like this with Dodge/Chrysler key fobs.



PCAP Report/Dashboard

Hi there,

Today I was doing my biz with some PCAP files, Bro and was wondering “Man there’s gotta be a better way to do my report”. I’m a consultant, so I’m looking for something to pop on my laptop or hosted in the cloud somewhere.

I know I should invest in something like a ProfiShark, but I can do my captures just fine.

What are you guys using for my use case?

PS: I saw something using Kibana, but I don’t know, never tried it https://www.elastic.co/blog/analyzing-network-packets-with-wireshark-elasticsearch-and-kibana

EDIT: a better explanation below.

  • You tap into a network and you end up with a bunch of packet captures
  • I want to feed these PCAP files to a tool that would create a dashboard, graphs, etc... of the captured traffic

Question: what do you use for your report for your analysis/dashboard? Or do you do everything manually?



Cisco PVRSTP changing 1 vlan instance with multiple running

Hello,

Was wondering if anyone had ran into this. I have a configuration 4500 Cisco switches running per vlan rapid stp. I need to alter 1 VLANs spanning tree instance however we've hard coded all vlans 1-4094 to a fixed priority of 4096.

If I wanted to change just one VLAN's spanning tree, do I need to re-input all of the other VLANs (e.g. 1-238 priority 4096, 240-4094 priority 4096, and set the VLAN I want to the priority I need), or would just setting the single VLAN to a different priority be sufficient? I can't lab this unfortunately; GNS3 IOU isn't behaving.

Thanks



ASA 8.2 Double Nat

Hi all,

I'm not familiar with pre-8.3 ASA code. I have a site-to-site VPN I need to set up and I have to double NAT it. My inside LAN is 10.0.0.0/24; I need to translate that to 192.168.192.144/28 to go through a VPN to a remote network at 192.168.192.128/28.

Any help on that syntax?



Acquire certifications via college or self teach?

I am currently in college for networking, but they don't give me my certifications (CCNA, CompTIA A+, and MCSA); I have to take these tests on my own. My college has also done a poor job of making sure I know everything I need to take my tests, due to the college trying to keep up their high passing rate. So my question is: if I decide to not go through the college and instead self-teach and get my certifications, will I be able to get a job? Will employers really care?

Tl;dr Self-teach and get my certifications (CCNA, CompTIA A+, and MCSA) or go through a college, and will it make it harder to get a job?



SD-WAN circuit choices : DIA vs Broadband

Hello all,

Looking to learn from others' experiences here with enterprise SD-WAN implementations: what kind of performance was seen with these circuit types?

  1. Two broadband Internet circuits
  2. One Broadband , one DIA

Traffic profiles mostly voice calls, O365, web browsing, file sharing, web meetings, limited video conferencing etc.
Basically trying to determine if two diverse broadband/non-DIA Internet circuits can be used to achieve the same level of service as a single DIA or MPLS.

Thanks in advance.



[q]Refreshing on networking information

I had a networking background in university, but when I graduated I worked in a different section of the IT team. It has been some time, and I want to refresh my networking skills. The problem is that the resources I found discuss it as if for someone who has never read anything related to networking, and something that needs five pages to discuss is spread across thirty pages. It's frustrating. Is there a resource where I can refresh on concepts, protocols and design elements quickly and without necessarily looking at the Cisco CLI?



What is software defined networking? | Opensource.com


Help With A APC 1000XL UPS

So, long story short, I bought a server cabinet off eBay as I needed to expand my current server setup. The guy I bought the cabinet from also had an old UPS. He wanted to sell it for £20; I thought, screw it, and said sure. The worst that could happen was that it would not work and I'd have wasted £20.

So to the part where I need help. When I got home I pressed the test button and the UPS powered up for a second, beeped, and then shut down. I had originally assumed this was because the UPS battery had no power and it therefore shut down. However, when I plugged the UPS into the wall and then tried to turn it back on, nothing happened: no lights and no beeps. I thought this might have been because there was no load, so nothing was going to happen. So I plugged an old computer into it and then retried, however still no luck.

The UPS is an APC 1000XL. If anyone knows why the UPS won't power up, or if the UPS is just dead, any help would be greatly appreciated.

Thanks, Guys

edit: Ok, so I've just found a smart plug with power monitoring that I had lying around and connected the UPS to that to see if it was pulling any power from the wall. Currently, it doesn't seem to be drawing any power. I know the cable that is plugged into the UPS is good. Any ideas?



Armored vs Normal OM3 Fiber Patch Cable

I just purchased Armored patch cables from Fiber Store and thought I would share the difference between it and a normal patch cable.

https://i.imgur.com/etZqISi.jpg

Here is their blurb about them:

Armored fiber optic cable with built-in metal armor can provide stronger protection of the optical fibers than standard fiber optic cables.

They definitely seem a lot sturdier.



Distribution of internet using micro hydro?

Is there any possibility that we can distribute an internet connection to a whole village using electric lines? I'm thinking of this as having great potential for rural development. Is it possible? Please suggest.

Edit: This is for Bajura, Nepal.



1815I-E-K9 APs not picking up global config from controller

I noticed an issue recently whereby I tried to SSH to a remote 1815I that I sent out to a branch office and I couldn't. After exhausting all other options I noticed on the controller that the AP didn't pick up the global config, and when I tried to make it AP-specific and enable it, it said the default credentials were enabled. We have around 60 APs, mostly 702Ws and a few 3702Is, and it only seems to be affecting this model.

I have a test one in my office which has the same issue, and I've tried to reset the config to factory and moved it over to our backup WLC, but that didn't work. Our WLC version is 8.8.111.0, which is listed as compatible with 1815Is.

I'm not really sure what else to try. Any wireless gurus out there know why this might be the case or can guide me to troubleshoot this?



Fiber Transceivers

I have some existing fiber cables at SFP+. Are all fiber transceivers in this class detachable? I have a tap I am going to be installing and the other half would need to use the optical connector. I am not sure if I need to order more cables for my project as I do not want to disconnect the organization just to have a look 👀

Thanks!



netool.io or PockEthernet?

Anyone used both of these and able to give a recommendation?

Its first use is going to be in a couple of our offices so I can find which wall ports are connected to which switchports (CDP), but obviously other features will be used in the future.

I saw that netool.io can do pcaps to your mobile, which is pretty cool.



What’s the benefit of PAM4 optics?

Hey, reading up on the new(ish) PAM4 QSFP28 optics and I don’t quite understand the benefits of them.

So, right now I can buy a QSFP28-LR which is good for 10 km or a QSFP28-ER which is good for 30 km. This is at 100G. There are 40G and 10G options that can get 40 km and 80 km respectively.

So reading about PAM4 (https://www.smartoptics.com/article/100g-dwdm-pluggable-transceivers-pam-4-coherent/)

It seems that: “it needs amplification to get out of the blocks and dispersion compensation to go beyond 5-6km. A separate DWDM multiplexer with an amplification system and dispersion compensation is therefore required to connect data centers together”

Soooo, why would I go with a PAM4 optic if I need the additional amp and DCM even before it gets to LR and ER distances?



OpenGear Console Server - Failover Interface

Hi All,

First time using an Opengear console server. I have purchased a CM7132-2-DAC (4.3.1 firmware) to provide OOB access to our networking devices. Everything is working great except for the failover interface. I have plugged NET1 and NET2 into our upstream switches; both ports are in the same VLAN on the switch side.

From RTFMing I believe I should be able to configure a single IP address which will be active on Net1. If Net1 fails / the probe address fails, this IP should fail over to Net2.

I've configured the Network interface with a static IP and set the failover interface to be the Management LAN interface (Net2) as well as the probe IPs: https://imgur.com/MmOoXRp
I've then tried to configure the Management LAN interface: https://imgur.com/scSg2Ad

If I try to use the same IP as I set on Net1 I receive an error saying it's already been used on Net1. If I leave this blank and try to shut down Net1, nothing happens.

Am I misunderstanding how this works, and Net2 needs its own unique IP, meaning our operators would need to access this via the second IP in the event of failover? The manual isn't clear on this.



Thursday, March 14, 2019

Correct way to wire Ethernet

Hello everyone! First time posting here, not sure if this goes here but feel free to move the post to the correct list.

Today we had to wire one of our offices and my coworker said that this is the professional way to attach the cable to the wall. To me it seems really unprofessional and not up to standards. Is this the correct way to wire Ethernet cable?

https://i.imgur.com/xThKThT.jpg



Restructures

Hey gang,

Not sure if this is the right place to post but just looking for some advice.

I work as an engineer for an MSP. Today the company told us that they’re going through a “restructure”, you know the drill. Luckily my branch was unscathed by the job losses, but everyone else was hit pretty hard. I’m not sure how long my job will be there for. My question is this: should I jump ship now? Or hang in there and hope I don’t get cut?

At the moment I’m thinking I should just cert up and hope for the best.

Thanks for any advice



Subnetting for beginners

I’m taking a basic class on networking and they’re teaching subnetting, but my instructor teaches too fast so I can’t really grasp subnetting. Can someone explain exactly what it’s for and how to do it? Maybe link a YouTube video to help, but I’ve already watched a couple of videos.



Help with Pause Frames

We are receiving pause frames on one of our servers. Passing data from one server to the other results in a hefty amount of these pause frames logged on the switch. I’m not even entirely sure what’s going on, as I have never seen this before. This is over 10Gb copper, two Win10 servers and a Cisco SG250X-24. Can anyone shed some light on what’s happening and how to address it?



POTS -> FXO gateway -> Switch -> IP-PBX?

https://ift.tt/2CnSMQy

TCP Reset flag

Hi All,

I am analyzing some firewall logs in a SIEM. I am totally new to this domain; I just want to know the concept of the TCP reset flag.

As far as my understanding goes, the TCP reset flag will be set if the connection got interrupted in between, or the server is unable to process the client request, or a duplicate request is received from the client by the server.

Also, in my payload I can see "TCP reset -I" and "TCP reset -O". Can anyone explain what they mean? Do I need to pay much attention to TCP reset -I and TCP reset -O?



Connecting a SAN using MPO breakout cables

I did plenty of research about MPO breakout cables, but I never found anything that suggested this as a possible use case. I am trying to connect a SAN that is on a different floor from my switches (Nexus 5672UP) using four 12-fiber, OM3, 5 meter MPO breakout cables with 6 LC connectors (that are labeled 1-12). The SAN has two shelves with six 10Gb SFP+ interfaces each, and the optics are the Cisco-branded SFP-10G-SR. The breakout cable is similar to this, except type B (I have four of them): https://www.fs.com/products/74323.html. We have an MPO panel with 72 strands of MM fiber run between floors. There were 24 strands of unused, MPO-terminated fiber, so I thought I would try and make this work. Has anyone else done this before? I'm not able to get a link up on any of the switch ports. Re-seated the cables and SFPs, reversed the connectors, still nothing. Is this even a possible use case? Everything I have seen with MPO cables is splitting a 40Gb QSFP into four 10Gb ports.



Choosing the correct network equipment in a cisco world?

What is the best approach when looking for a specific Cisco router/switch for an enterprise/campus environment, in terms of horsepower to handle the environment?

Do you use certain tools or software (free or paid) to measure your current performance on a chassis, or, if you're doing a new install, do you know which equipment to pick with confidence? In reality, you need a piece of equipment that can handle current and future demands, but when you look at the chassis specs, with throughput ranging from the lowest end 300 Gb to the highest 2 TB+, you can read for ages the features, specs and technologies that just throw you off.

Example: there are three different models under the 6800 series switch/router. I'm like, well, 150-250 users with 2-3 servers, VoIP, internet, wireless and a camera system should work with a 6832 switch as the core and maybe 4500/9400 as the access switch; anything above that to me sounds like overkill.

I will greatly appreciate it if there are free tools, capacity planning or something I don't know about on the Cisco site that can make it easy to select the right equipment.



Weird ARP Attacks

We are having a weird problem with ARP on a particular VLAN

  • Many MacBooks on the network keep broadcasting themselves as the gateway MAC, which causes other Windows clients on the network to lose network access.

  • So far, only Windows clients have received the bad ARP.

  • On the network, we do have DHCP snooping set up (Meraki at both layer 2 and layer 3).

  • I have checked the MacBooks that broadcast the ARP, but could not find anything special on them.

  • This is a wireless network with client isolation setup.

https://i.imgur.com/PKW0KX6.png

https://i.imgur.com/LJPArlJ.png

Do you have any recommendations or ideas ?

Thanks !
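Added example for the ARP problem described above (not the poster's code): given ARP packets reduced to simple records, it lists every MAC that announced the gateway IP while not being the known gateway, separates gratuitous broadcasts from replies, and flags any IP claimed by more than one MAC. The gateway addresses, record format and sample records are constructed for illustration.

```python
"""Detect hosts that announce themselves as the default gateway in ARP.

Added example; it assumes ARP packets have already been reduced to
simple records (for instance from a capture on the affected VLAN).
The gateway addresses and the sample records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpRecord:
    ts: float          # capture timestamp, seconds
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str    # hardware address the sender claims to own
    sender_ip: str     # protocol address the sender claims to own
    target_ip: str     # protocol address the packet is aimed at


def normalise_mac(mac):
    return mac.lower().replace("-", ":")


def is_gratuitous(rec):
    """Gratuitous ARP: the sender announces its own IP (sender == target).
    Hosts broadcast these unsolicited, which is how a stale or forged
    gateway MAC lands in every listening client's neighbour cache."""
    return rec.sender_ip == rec.target_ip


def ip_to_macs(records):
    """Every MAC seen claiming each IP, kept only where more than one MAC
    claimed it. An IP with several MACs is an ARP conflict worth a look
    whatever the cause (misconfiguration, proxy ARP, or spoofing)."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec.sender_ip].add(normalise_mac(rec.sender_mac))
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def gateway_impersonators(records, gateway_ip, gateway_mac):
    """{mac: [timestamps]} for each MAC other than the real gateway that
    announced gateway_ip. Requests count too: a request whose sender is
    the gateway IP updates neighbour caches just like a reply."""
    offenders = defaultdict(list)
    real = normalise_mac(gateway_mac)
    for rec in records:
        if rec.sender_ip != gateway_ip:
            continue
        mac = normalise_mac(rec.sender_mac)
        if mac != real:
            offenders[mac].append(rec.ts)
    return dict(offenders)


# Constructed sample: the real gateway, two MacBooks claiming its IP, and
# one normal reply from a MacBook for its own address.
GATEWAY_IP = "10.10.0.1"
GATEWAY_MAC = "AA:BB:CC:00:00:01"
SAMPLE = [
    ArpRecord(0.0, 1, "aa:bb:cc:00:00:01", "10.10.0.1", "10.10.0.57"),  # gateway asks
    ArpRecord(0.1, 2, "aa:bb:cc:00:00:01", "10.10.0.1", "10.10.0.57"),  # genuine reply
    ArpRecord(1.5, 2, "de:ad:be:ef:00:10", "10.10.0.1", "10.10.0.57"),  # MacBook A as gw
    ArpRecord(1.6, 1, "de:ad:be:ef:00:10", "10.10.0.1", "10.10.0.1"),   # gratuitous, as gw
    ArpRecord(2.0, 2, "de:ad:be:ef:00:11", "10.10.0.1", "10.10.0.88"),  # MacBook B as gw
    ArpRecord(2.5, 2, "de:ad:be:ef:00:10", "10.10.0.23", "10.10.0.1"),  # A for its own IP
]


def report(records=SAMPLE, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Per offending MAC: how often it claimed the gateway IP and how many
    of those were gratuitous broadcasts (the ones that poison caches
    without anyone asking)."""
    offenders = gateway_impersonators(records, gateway_ip, gateway_mac)
    grat = defaultdict(int)
    for rec in records:
        if is_gratuitous(rec) and rec.sender_ip == gateway_ip:
            grat[normalise_mac(rec.sender_mac)] += 1
    return {mac: {"announcements": len(ts), "gratuitous": grat.get(mac, 0)}
            for mac, ts in offenders.items()}


if __name__ == "__main__":
    for mac, info in report().items():
        print(f"{mac} claimed {GATEWAY_IP}: {info}")
    print("conflicting IPs:", ip_to_macs(SAMPLE))
```

Once the offending MACs are known, the Meraki client list maps them back to the specific MacBooks, which is where the DHCP snooping binding table and a Dynamic ARP Inspection equivalent would stop the forged announcements at the access layer.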



network device inventory & discovery

Does anybody have a program or script that can query a given subnet, or find devices from CDP accessible with a given set of credentials, and dump them to a file? Text format, CSV, JSON, YAML, I don't care, as long as I can input the list into Python.



Tool for tracking network equipment additions or removals?

Does anyone have a good way to keep track of when networking equipment is added and then eventually removed (decommissioned) from the network?

Obviously this could be manually tracked via a spreadsheet, but anything else would be better.

Currently stuck without a good way to do this, so doing spreadsheet comparisons is what my team is stuck doing.

Thanks!



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Guest network on same network as corporate?

Is there anything wrong with having a dedicated guest network inside the same IP scope as your private network? What's best practice - same scope or entirely separate scope?

For example, your company uses 10.1.0.0/16. 10.1.0.0 to 10.1.199.255 is on the LAN zone and 10.1.200.0-10.1.255.255 is on the guest DMZ zone. Is there anything wrong with placing guests inside the same /16 scope? They are obviously in a different zone (LAN vs DMZ) and also different VLANs. There are no firewall rules to allow LAN to DMZ or DMZ to LAN and the default policy is DENY ALL.

Or do you guys prefer to use 172.16.x.x or 192.168.x.x?
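As an added worked example serving both the subnetting question earlier on this page and the guest-network layout just described (not code from either poster), the following uses Python's standard ipaddress module to carve the post's 10.1.0.0/16 into its LAN range (10.1.0.0-10.1.199.255) and guest range (10.1.200.0-10.1.255.255), show why a range that is not power-of-two aligned needs several prefixes, and check that the two zones never overlap. The ranges are the post's; the function names are my own.

```python
"""Carve 10.1.0.0/16 into the LAN and guest zones from the post and check
the split. Added example; the ranges are the post's own, the helper
names are assumptions.
"""
import ipaddress


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive.
    A range that does not start and end on a power-of-two boundary
    (like 10.1.200.0-10.1.255.255) cannot be one prefix, which is the
    part of subnetting most beginners trip over."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def describe(cidr):
    """The facts a subnetting exercise asks for about one block."""
    net = ipaddress.ip_network(cidr)
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {"network": str(net.network_address),
            "broadcast": str(net.broadcast_address),
            "mask": str(net.netmask),
            "usable_hosts": usable}


LAN_BLOCKS = range_to_cidrs("10.1.0.0", "10.1.199.255")
GUEST_BLOCKS = range_to_cidrs("10.1.200.0", "10.1.255.255")
ZONES = {"lan": LAN_BLOCKS, "guest": GUEST_BLOCKS}


def zone_for(ip, zones=ZONES):
    """Which zone an address belongs to, or None if it is in neither.
    This is the lookup the LAN/DMZ policy effectively makes for every
    packet, so the two zones must never overlap."""
    addr = ipaddress.ip_address(ip)
    hits = [name for name, blocks in zones.items()
            if any(addr in b for b in blocks)]
    if len(hits) > 1:
        raise ValueError(f"{ip} falls in more than one zone: {hits}")
    return hits[0] if hits else None


def check_plan(parent="10.1.0.0/16", zones=ZONES):
    """Sanity checks for the address plan: every block sits inside the
    parent, no two zones overlap, and the parent is fully allocated."""
    parent = ipaddress.ip_network(parent)
    blocks = [b for bs in zones.values() for b in bs]
    names = list(zones)
    overlap = any(a.overlaps(b)
                  for i, x in enumerate(names) for y in names[i + 1:]
                  for a in zones[x] for b in zones[y])
    return {
        "blocks": {n: [str(b) for b in bs] for n, bs in zones.items()},
        "all_inside_parent": all(b.subnet_of(parent) for b in blocks),
        "zones_overlap": overlap,
        "fully_allocated": sum(b.num_addresses for b in blocks) == parent.num_addresses,
    }


if __name__ == "__main__":
    print(check_plan())
    for b in GUEST_BLOCKS:
        print(b, describe(b))
```

The split passes every check, which is the point of the post: sharing one /16 is fine as long as the VLAN and firewall zone boundary, not the address range, is what separates guests from the LAN; a separate RFC 1918 range such as 172.16.x.x only makes that boundary easier to see in logs and rules.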



Help with physical layer of parallel bridge network

Say I have a node that needs to communicate over a 5.8 GHz wireless p2p bridge and a 915 MHz wireless p2p bridge via Ethernet. Could I use an Ethernet switch with two WAN ports to connect the node to each bridge? What is the smallest and lightest possible configuration here?



Books / training resources for small DC network design?

I'm tasked with redesigning a DC network for a 3-node ESX stack. I spend most of my time managing access networks, so I'd like to build a better foundation. If it matters, we're a Cisco/Dell/VMware/Nimble shop.



Can you help me understand how secure this network setup is?

I've got a bit of a disagreement with a person I work with. I say all devices must be password-protected. He says I don't need to worry too much about an unsecured device on a private network that is only accessible via a VPN. I'm learning about networking and it would be helpful if you could explain the security risks (or not) with this setup:

A user wants to access a device with a private network IP (for example 172.XXX.XXX.XXX) from the internet (From outside the LAN).

The user must log in to a VPN client with two-factor authentication before inputting that IP address in their browser.

There is a firewall that only permits three different IP addresses through to the private network, the VPN being one of them. If the user is not logged in to the VPN there is no access.

What is the possibility of a network intrusion to this device? What sort of attack(s) should I watch out for? Am I right for being worried a device is not password-protected behind these layers of security?

Thank you for your help!



Limiting Load on Servers

Hi All!

I recently started a job where an engineer who has been responsible for the network in our 300-strong office for the past number of years told me the following. I'm pretty sure it's not correct, but I just wanted to run it past you ladies and gents for clarity.

He has explained to me that a Network Design Engineer from HPE advised him a number of years ago that the best design for our office was to limit all desktop ports to 100Mbps even though the desktops and switch ports are capable of 1000Mbps.

Apparently the reason for this was to "Limit" the load on any in-house servers we have. We are only using the switches for Layer 2 with the firewalls providing Layer 3 (Router on a stick). To me this sounds bogus but I find I'm slightly doubting myself on this one.

Can you guys shed any light on this? I'd be happy to answer any questions about the rest of the network within reason.

Thanks!



Firepower 6.2.3.11 and User Agent

If you use the User Agent, you may want to hold off on rolling out the 6.2.3.11 FMC upgrade. Despite just being a minor patch, it upgrades the MySQL version, swaps release trains (enterprise commercial to community), oh, and is no longer built against OpenSSL; in fact it just breaks SSL on startup because it can't initialize ciphers, meaning none of your user agents will be able to connect.

Preemptively paging /u/ciscofirepowersucks because why not.



Cisco ASA FQDN issue

I'm using an ASA device as a gateway for an app server. The app server needs HTTPS access to a URL. I created an FQDN access rule and it's working 9 out of 10 times. I can see the IP for that URL changes every minute. What can I do to make it work 10 out of 10? I have the firewall and app server pointed to the domain controller for DNS. I assume the domain controller is just pointed to Google.



I got a quote, I think it's high - setting up a 4 floor new office network infra

Hello all!

My company just leased a new office in London. We are setting up our internet infrastructure for our office. We have contacted a network infrastructure company called 'CloudSwitched'. https://www.cloudswitched.com

The office is 6 floors (we lease it all; we sublease 2 floors to 2 different tenants). 6 floors in total + a rooftop.

We plan to have 30-50 people in this office in the next 5 years, starting off with 10-20 (on our 4 floors + rooftop).

They gave us a quote of approx $10,000 to install this through all 6 floors:

Image of Quote:

https://i.imgur.com/N3IfirH.png

https://i.imgur.com/Gz84IBK.png

----

I feel that this is high for all 6 floors and 3 VLANs. I know a lot about technology and computers, but not a lot about networking. IMO we simply need some network switches, with a router, and a few wireless access points. I can set that up in my house for:

$400 - Nighthawk Router or something

$300 - 64 port network switch

$1000 - 4x $250 Wireless access points.

That is $1500; let's say $2500 with labor.

----

What do you guys suggest? I'm really not a pro on this. Am I under-killing it? Or is the quote over-killing it?



Mixed network - Issue with all Cisco switches dropping

So I have a mixed environment of switches:

-3 x 3 stacks of Dell N1548 rapid-pvst, rstp, mst

-2xDell 4048 rstp, pvst, mst

-15 Cisco C2960L-16ts-LL rapid-pvst, pvst+, mst

The issue I'm having is that if there is a change to one of the Cisco's configs, all the Cisco switches will blip and drop for 1-2 minutes. For example, setting a port on the Cisco to trunk to the main network, changing the default VLAN, etc. I'm not really sure what is causing this. My only hunch is it has something to do with spanning-tree, but I could be really far off base.

Anyone ever see this type of behavior before? Any suggestions would be greatly appreciated.



A10 Load Balancers - Aflex to inspect payload

Hey everyone,

I'm reading through the A10 AFlex guide right now and have done the normal items of redirecting 80 to 443 and some URI redirection. What I am thinking about doing is having the A10 inspect the payload for a certain string.

We terminate SSL connections on the front side of the A10 and then decrypt it from the A10 to the web servers from the inside interface. So I would ideally be able to put this on the inside interface.

I have a certain user agent string that I am looking to identify in our traffic and attempting to sniff it out with a non network grade sniffer has been difficult.

Has anyone ever done anything like this before? I know the load of this might put some stress on the A10 but this is likely my best bet.



Double NAT issue

Might be more suited for r/HomeNetworking, but I figure I'll ask it here. My apartment complex has internet included. I do not have access to their router for port forwarding. I have a router in my apartment for my own private network. Is there any way I can use an AWS instance (or someone else) to give me a public IP? My thought is to have my router VPN somewhere and have the VPN forward traffic. I'd like to be able to port forward, but that may require a site-to-site VPN.

Any suggestions?



Need help with Aruba/HP_Procurve python script - Give Platinum

Guys,

I am struggling to make a python3 script work with my Aruba/HP_Procurve switches. I have taken it down to a basic format but still no luck. It works fine for most "show" commands except if I use "sh time" or "sh up time". If one of those commands is used, the output runs a bit together. I'm happy to give a Platinum award for the correct script (1 month of reddit prem).

Here is an example of the output where I run the "sh version" command then the "show time" command (running 16.0x firmware version on switches):

Boot ROM Version: KA.15.10
Active Boot ROM: Primary <--- End of "show version" command
ed Mar 13 15:06:09 2019 <--- Begin "sh time. Should say Wed, not ed, and no newline
Script complete.

Code snippet (imports, credential placeholders and the 'host' key, which the post left out, were added so it runs; netmiko is the library the ConnectHandler call comes from):

    from getpass import getpass
    from netmiko import ConnectHandler

    username = "admin"            # placeholder, not from the post
    p = getpass("Password: ")     # the post's 'p'

    aruba = {
        'device_type': 'hp_procurve',
        'host': 'switch.example',   # placeholder: netmiko needs a host or ip
        'username': username,
        'password': p,
        # 'global_delay_factor': 2,
    }

    net_connect = ConnectHandler(**aruba)

    output = net_connect.send_command("show ver")

    # separate the two outputs; the post concatenated them directly
    output += "\n" + net_connect.send_command("show time")

    print(output)



Android Clients "No Internet" on WiFi

Hello. I have been banging my head against this for a few weeks now. I am working at a location that has Arista Networks Wireless (formerly Mojo Networks). PCs on the WiFi and iPhones work just fine, but Android clients not so much. All Android clients show "No Internet". They have a valid IP but think there is no internet and use their cell connection for internet access. When I look at an AP I see the phones. They appear to be connected fine. I can ping them. But they think they have no internet. I am baffled by this. What is it about Android that is causing this to happen? Anyone got any ideas of what I should be looking at?



ESXi ISCSi dual 10GbE weird con issues

Hey,

Maybe someone can help me out of my cursed black hole. I puzzled around with it nearly the whole day today.

Test setup is simple:

https://files.planetlan.de/getp-1cOQMRSAIy05

My Problem:

As soon as I try to connect to my LUN over vmk1 (192.168.246.10) I only receive timeouts:

2019-03-14T16:39:40Z iscsid: Login Target: iqn.2004-04.com.qnap:tvs-873:iscsi.qnap1mdf.0ee550 if=default addr=192.168.246.10:3260 (TPGT:65536 ISID:0x1)
2019-03-14T16:39:40Z iscsid: Notice: Assigned (H66 T0 C0 session=d, target=1/1)
2019-03-14T16:39:40Z iscsid: DISCOVERY: transport_name=iscsi_vmk Pending=1 Failed=0
2019-03-14T16:39:41Z iscsid: DISCOVERY: transport_name=iscsi_vmk Pending=1 Failed=0
2019-03-14T16:39:42Z iscsid: DISCOVERY: transport_name=iscsi_vmk Pending=1 Failed=0
2019-03-14T16:39:43Z iscsid: DISCOVERY: transport_name=iscsi_vmk Pending=1 Failed=0
2019-03-14T16:39:44Z iscsid: DISCOVERY: transport_name=iscsi_vmk Pending=1 Failed=0
2019-03-14T16:39:45Z iscsid: DISCOVERY: transport_name=iscsi_vmk Pending=1 Failed=0
2019-03-14T16:39:46Z iscsid: DISCOVERY: transport_name=iscsi_vmk Pending=1 Failed=0
2019-03-14T16:39:47Z iscsid: DISCOVERY: transport_name=iscsi_vmk Pending=1 Failed=0
2019-03-14T16:39:48Z iscsid: DISCOVERY: transport_name=iscsi_vmk Pending=1 Failed=0
2019-03-14T16:39:49Z iscsid: DISCOVERY: transport_name=iscsi_vmk Pending=1 Failed=0
2019-03-14T16:39:50Z iscsid: DISCOVERY: transport_name=iscsi_vmk Pending=1 Failed=0
2019-03-14T16:39:51Z iscsid: DISCOVERY: transport_name=iscsi_vmk Pending=1 Failed=0
2019-03-14T16:39:52Z iscsid: DISCOVERY: transport_name=iscsi_vmk Pending=1 Failed=0
2019-03-14T16:39:53Z iscsid: DISCOVERY: transport_name=iscsi_vmk Pending=1 Failed=0
2019-03-14T16:39:54Z iscsid: DISCOVERY: transport_name=iscsi_vmk Pending=1 Failed=0
2019-03-14T16:39:55Z iscsid: Login Failed: iqn.2004-04.com.qnap:tvs-873:iscsi.qnap1mdf.0ee550 if=default addr=192.168.246.10:3260 (TPGT:65536 ISID:0x1) Reason: 00080000 Initiator Error: (0x0008 Connection timed out.)
2019-03-14T16:39:55Z iscsid: Notice: Reclaimed Channel (H66 T0 C0 oid=1)
2019-03-14T16:39:55Z iscsid: Notice: Reclaimed Target (H66 T0 oid=1)
2019-03-14T16:39:55Z iscsid: DISCOVERY: transport_name=iscsi_vmk Pending=0 Failed=1

Weird thing is: if I try to connect the "long way" over vmk0 at 172.16.13.8 everything works instantly, the LUN is there and connected ;(

To be sure, in testing I removed all firewall rules on the iSCSI server; the service is listening correctly:

tcp 0 0 192.168.246.10:3260 0.0.0.0:* LISTEN -
tcp 0 0 172.16.13.8:3260 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3260 0.0.0.0:* LISTEN -

Routing Table of the ESXi:

VMkernel Routes:
Network        Netmask          Gateway        Interface
172.16.13.0    255.255.255.0    Local Subnet   vmk0
192.168.246.0  255.255.255.0    Local Subnet   vmk1
default        0.0.0.0          172.16.13.1    vmk0

And ping is fine too:

vmkping -I vmk1 192.168.246.10
PING 192.168.246.10 (192.168.246.10): 56 data bytes
64 bytes from 192.168.246.10: icmp_seq=0 ttl=64 time=0.164 ms
64 bytes from 192.168.246.10: icmp_seq=1 ttl=64 time=0.325 ms
64 bytes from 192.168.246.10: icmp_seq=2 ttl=64 time=0.211 ms

--- 192.168.246.10 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.164/0.233/0.325 ms

On the iSCSI server there is no log, no connection attempt, nothing. It doesn't matter if I configure ESXi with port bindings or without.

There are currently no VLANs involved; also, the ESXi is actually a newly installed factory-default installation, with these changes:

- added Vswitch + Portgroup

- added vmk (https://files.planetlan.de/getp-1qFYGeVRwYXN)

No CHAP or further authentication involved. iSCSI server set to R/W for all.

Any thought impulse would be appreciated; I need to confess I'm stuck :(

Thank you in Advance.



What happens if a Cisco trunk mode port has an access VLAN and a native VLAN that are different?

Ignorant question here, but I'm coming from the HP and Brocade world. I'm looking at a Cisco port. It's in trunk mode with a set of VLANs allowed on the trunk. The Access Mode VLAN is 1, and the Trunking Native Mode VLAN is 99.

Does the Trunking Native Mode VLAN setting take precedence for untagged traffic since the port is in trunking mode, and the access VLAN setting doesn't get used at all? Otherwise this looks like two untagged VLANs at the same time.



Opensource ERSPAN server

Hi, I need to mirror traffic from multiple POPs to central POPs hosting expensive telco analyzer servers. Problem is, POPs are separated by L3, and AFAIK our Juniper QFX51xx and EX4300 can't do ERSPAN. Do you know any free software on a server that could get SPAN traffic on an input interface and do ERSPAN (mirror over GRE/UDP/whatever)?



Port Flapping On Trunk

I retired a couple of old switches yesterday and replaced them with HP 1920s switches. They are on separate sides of a building. There are 2 Ethernet runs between these switches. I have ports 47 and 48 on each configured as below. The problem I'm having is that port 47 is going up and down and I can't figure out why; it didn't do this with the old switches. Is it likely the configuration, or more likely a loose connection somehow?

The cable run didn't change. It's the same runs that were in place with the old switches.

If I take one end of the cable and plug it into a dumb unmanaged 5 port switch the link light stays solid like it's supposed to. That's what makes me think it might be a config issue, but I can't see that either. It's a simple config and I've used it in several other places.

interface 47
addport TRK 1
exit

interface 48
addport TRK 1
exit

interface TRK 1
no port-channel static
spanning-tree port mode
vlan participation include 10,20,30,40,50
vlan tagging 10,20,30,40,50
exit



JunOS policy + logging?

Inherited an srx240h2 and need some help with finding some bad traffic. Abuse complaints from the outbound NAT IP, but I am having a hell of a time finding out what the actual source IP is behind the FW. I set up a policy to deny the busiest hosts and that broke something, so I had to remove it. I then created a policy locked down to the busiest host and known good destination IPs. However, when looking at the logs I still see traffic to IPs not in the 'destination address' group. So how do I set up a policy locked down to destination IP? None of the destination IPs in the logging screenshot are specified in the policy, so they should be dropped, but I am simply not seeing it.

And if someone can tell me an easy way to identify bad traffic with no destination IP and no knowledge of what is behind it, that would be super helpful. Assume I have no access to anything behind the firewall outside of a list of IPs.

https://imgur.com/a/BmqZD7P



Any advantage to putting VoIP phones on their own LAN vs VLAN?

We have an office rewiring and they want to know if there is any advantage to having the VoIP phones on their own physical network vs a VLAN. Right now the phone acts as a switch to the PC. If we did this there would be a dedicated switch just for phones that would get its own LAN configuration and port on the router, which is a USG Pro. I've asked our VoIP provider and they said it's not necessary, but IDK, I feel like I need a few more opinions.

Thanks



Looking for a VPN router, but not the "normal" kind. Not even sure of the correct terminology for what I need.

Sorry in advance for the wall of text, but I don't know how better to explain what I'm looking for than to explain how and why I need it.

I work for an HVAC controls and building automation company. We install and maintain control systems in commercial and industrial buildings. In order to support these systems, we need to remotely access our controllers, and that means opening ports. As you can imagine, the IT departments in these buildings are pushing back harder and harder against this. I understand why they don't want to do it, and they're not wrong, but their bosses and my bosses still expect me to do my job, and that requires access. In a perfect world, they would get a separate internet connection for our controllers so we don't have to deal with their network security at all, but the world isn't perfect and management usually doesn't want to pay for a separate connection.

Teamviewer is helpful to get around some of the issues. As long as we have a PC on their network that has internet access (some of our installations require a windows machine as a server anyway), we can remote in and do some of what we need to do. But sometimes we need direct access to the individual controllers, and teamviewer only gets us into the PC. Plus, not every site has one of "our" computers as part of the installation where we can install teamviewer.

This seems like the perfect situation for a VPN router, but not the sort you find when you google "VPN router".

I need to separate out our equipment onto a separate network, and be able to connect to that network remotely without having to beg/bribe/threaten network administrators to open any ports. I know TeamViewer can do this (to establish a VPN connection to the PC, at least), so there must be an actual router that does it. I believe it's called tunneling. As far as the building's network is concerned, all it would see is our router sending regular old encrypted web traffic on normal web ports. I assume the router would have to connect to some sort of server to be told when to allow incoming connections, since without any open ports, I wouldn't be able to initiate a connection remotely.

What is this sort of setup even called? Are there any off-the-shelf routers/services that do this in a relatively plug-and-play fashion, or will it need to be hacked together? Is any of this even plausible, or should I just give up and go back to wrestling with IT admins?

For those that slogged through all that, thank you.



Can't Find Cisco SG200 and Netgear ProSafe JGS524E IP Addresses

Hi All,

Still new to this :) We have four switches in our environment, but I can't find the IP addresses for the two in the title so I can log in via the browser.

Yesterday, I couldn't find the Netgear IP address, and this morning we had a power outage that caused everything to power down, and now the IP address we had reserved for the Cisco in our DHCP via Windows Server isn't accessible.

I've run ARP on the command line, and the Cisco unit still has the reserved IP address, and it shows the same IP address in our server's DHCP address leases. However, I ran Advanced IP Scanner, and the IP address reserved for the Cisco is pointing to a Microsoft device.

For the Netgear, I have the MAC address, but I can't find it in our ARP table, DHCP server, or Advanced IP Scanner.

Any suggestion on how to find the IP addresses for these units? Also, any thoughts on why the IP addresses are conflicting even though the DHCP server has the MAC address for the Cisco switch on reserve for the specific IP address?

The setup is Arris Surfboard SBG6950AC2 > Netgear ProSafe JGS524E > NetVanta 1550 (Mitel phones connected) + Dell R320 Server + Cisco SG200 (PCs connected) > Mitel 250 Controller + NetVanta 1531 (Mitel phones and printer connected).

Thanks in advance!



UniFi Cloud Controller Question

Okay, so I think I may be having a brain fart as I can't get my head round this...

So essentially I am setting up a UniFi controller for use with remote clients that can't have it installed on site.

If the client has a firewall on site with say 2 vlans for wireless. Example 10 & 20.

When I adopt the UniFi AP remotely onto our controller and set up an SSID for them, e.g. testwifi and testwifi2, and add the appropriate VLAN to each in the controller like so:

testwifi / vlan 10

testwifi2 / vlan 20

How is my controller going to know where to send this traffic? As the firewall my UniFi controller is behind has no knowledge of these VLANs. Does it need these same VLANs configured here?

Or will it just pass through to the UniFi dish and then the firewall/switch at site will understand what to do with this information?

I'm sure this is an obvious answer but I'm tired and just can't get my head round this.

Any help much appreciated



Anyone ever have to do some type of lab in an interview to prove your skills? What did you have to do?


ASA LDAPS not working after upgrade from 2012R2DC to Server 2016

Recently upgraded to 2016 Domain Controllers and now the VPN will not work via LDAPS. I've verified that LDAPS works on our client machines and, using the LDP.exe tool, I can establish a connection. Below is the error when performing a test on the ASA.

"Connect to LDAP server failed"

"Unable to read rootDSE"

Not sure if this is an ASA or Domain Controller (2016) issue. I ran Wireshark, which shows an "RST flag" from the ASA. I also came across this thread, but the URL the user posted seemed to show a different problem: https://www.reddit.com/r/networking/comments/7ey59e/asa_ldaps_issues_after_updating_dcs_from_2008r2/



Skype for Business via VPN/MPLS: How to get it working?

Skype for Business uses Interactive Connectivity Establishment (ICE) to determine available media paths for its sessions. We are facing connectivity and quality issues when Skype sessions are being held by people of the same organization in different countries. Via the Skype/Teams Admin Center we see that the Skype clients establish a direct connection (via the rather slow MPLS) instead of using the internet and routing the session through Microsoft GN. Now, I've found no information whatsoever on how we can affect this session establishment in order to improve this. Does somebody have similar problems?



OpenVPN Alternative / SD-WAN / Viptela

We are using OpenVPN between different sites over the world; speed/latency are big issues, and we are looking at Viptela/SD-WAN to replace OpenVPN. Are any of you using Viptela? Can you share your experience?

Are any of you using any SD-WAN solution? How is it performing?

Or any other recommendation/solution that can help?

If you are using OpenVPN, how do you deal with speed issues?



Route All Branch Office Traffic through HQ ISP IPSEC VPN

Hello,

I am trying to figure out routing to get all the traffic from my branch office to exit out of my HQ ISP connection.

Currently I have a site-to-site vpn tunneling traffic to my HQ through an ASA at the branch to my FTD at HQ.

I don't quite understand how to route all traffic through the S2S VPN. Here is my topology. Public IPs changed for privacy.

Branch ASA:

inside: 192.168.62.0/24

Outside: 208.110.221.170

Gateway: 208.110.221.169

HQ FTD:

Inside: 192.168.64.0/20

Outside: 69.200.85.82

Gateway: 69.200.85.1

Thank you for any help!



Traceroute inspect with Cisco ASA

This may be a really dumb question, so forgive me in advance. I'm very new with Cisco ASA and stateful firewalls in general.

I want to allow pings and traceroute from my "trusted" zone (security level 100) out my "untrusted" zone (security level 0). I am familiar with the fact that I need to set the global policy to inspect icmp traffic for it to be stateful and that allows pings to work fine, but traceroute just gives me *

Can someone explain this to me?



Network Diagnostic Tool

Does anyone know of any point-in-time network diagnostic tools? I am looking for something to use on a reactive basis when we suspect there is a problem, rather than full time monitoring.

My organization provides technical support for applications which move large amounts of data across the network. We often encounter issues with our customers' environments which prevent data transfers or cause performance issues with them. We need a way to prove or disprove that it is a network issue and to identify the issue so we can point the customer in the right direction to fix it.

We currently have a tool which is a standalone executable that runs on Windows or Linux command lines. The user inputs an IP address of a remote host and the tool automatically runs diagnostics between the two hosts, outputting a nice report with its findings. It checks things like packet loss, jitter, link congestion/bandwidth capacity, latency, MTU and RTT for each hop. Unfortunately, this is a legacy application which no longer receives updates or support and is quickly becoming unable to support new operating systems and technologies.

I have done some research but it appears that most network diagnostic software has moved to a full time monitoring solution and many are cloud based. We do not want to provide full time monitoring to our customers, but we do want to be able to help them get our applications working if they encounter network issues.

I know that most of this can be checked with standard OS or other free utilities, but we would like to provide a tool which requires little effort and knowledge for our customers to use.

I'm hoping someone may know of a tool that could meet our needs.



Amazon Proxy/VPN Flag on new IP Block

Has anyone had recent success contacting Amazon to remove a proxy flag for a newly purchased IP block? I'm not certain if they are maintaining their own database to track known proxies and VPNs or if they are using an outside resource, but any time I attempt to request they remove a flag, they appear to not have the ability to, or at least not know how to, at whatever tier of tech support I'm reaching. My real question here is: does anyone have a reliable method for removing the Proxy/VPN flag that Amazon displays when using newly purchased IP blocks? I've tried using the contact info listed on ARIN but I never receive a response to any emails sent, and going through their customer service has created weeks of frustration and no progress. It seems like a straightforward request, but no matter how detailed I am, it appears my attempts aren't reaching the right people, and escalations still don't make it to the right people. Any info would be greatly appreciated, thanks in advance.



Does your HR dept. have their own VLAN?

Do you VLAN HR into their own section or are they sharing with someone else?



How can we troubleshoot a DNS server if my PC has connectivity and is able to access YouTube.com but not Facebook.com?

What would have been the quickest way to Dx the Google DNS problems last night, and what would be the best configuration to resolve and prevent this?

Got a call around 0400 UTC claiming every computer in the building is completely down! There is no internet anywhere! A quick remote in to my servers, my desktops later and I determine that the claims are exaggerated. But there are symptoms:

I have two facilities, A and B, about 45 minutes apart as the crow flies. Both are running 24/7 with overnight having only a skeleton crew so no on-site IT.

Buildings A and B both have an in-house DNS server that keeps local records and forwards other requests to the 8.8.8.8 and 8.8.4.4 servers.

I remote into a couple of machines at building B, no problems whatsoever.

Building A can connect to some sites but not others, usually receiving timeout errors, but there was an occasional weird message I've never seen about a protocol not being added to the host. Websites that were loading were either perfectly fine or possibly running very slow. FQDNs that allowed ping could ping without problem. Traceroutes didn't give any indication as to what may be wrong. At the time, downdetector wasn't indicating any problems with the big sites (ebay and google, which loaded, netflix and reddit which didn't). Double checked from my home, so no problems.

Since even when the problem isn't DNS it is always DNS, I use nslookup and query google servers directly and have no problems resolving anything.

Checked the firewall, no problems. Rebooted it for kicks and giggles just in case something weird was going on, still having problems.

Call up my fiber provider to check the circuit. They see nothing wrong with the link, but they have a note saying that there are a lot of reports of problems with google's DNS. The tech sets his own DNS servers to point to google and replicates the problems. He remotes into a box off premise somewhere, switches to the google DNS and replicates the problems there as well. Problem found, I update my DHCP servers at A (but not B since they aren't having any problems) to point to the ISP's DNS servers, everything working normally again.

What steps should I have taken to diagnose the DNS servers as being at fault sooner? From the tests I ran it was resolving hostnames, but the performance was really slow. I wasn't seeing excessive ping times, just failed page loads or really slow performance on some websites but not others. What should I have been looking for to spot that the problem was with Google?

Also, are the google DNS servers not as reliable and good, amazingly awesome as I have been led to believe over the years? What would be a better configuration for me to use to prevent this from happening again?



Cisco catalyst replacements / future roadmap suggestion

Hi everyone.

I'm in the middle of creating a roadmap and got stuck, need some input.

We are a Cisco shop like many others and most of our sites (30+) need a refresh of the L2 switch segment today or "soon".

The new Cisco 9X00 models are the "future" but I'm getting tired of how hard they are pushing their DNA solutions down our throats... We don't have ISE and we probably never will (no need/roadmap). Implementing Cisco DNA / ISE for our sites/factories will cost way more than just the price tag of the switch + license.

The whole DNA "solution" looks good, but we really don't need it. What are the options? We have mixed wireless at each site (Aruba, Huawei, Cisco, Ruckus) and Cisco ASA / Fortigates / Palo Altos (we buy companies, so it's a large legacy network).

The Cisco rep is really, really trying to get in the DNA Advantage license and is just giving the switches away. But next time we refresh the licenses we are going to have a very expensive bill to pay, for something we really don't need.

Replacing Cisco for another brand will be very very hard due to the ease of getting external help (cisco TAC, consultants etc)

I just need a stable L2 switch with PoE/PoE+ and good QoS support with 4P Uplinks (1G/10Gb) for the next 5++ years to come..

HP -> NO

Juniper?

Arista?

Whitebox and do our own orchestration?

Thanks



Windows Always On VPN vs firewall vendor solutions?

In my company we currently use Palo Alto GlobalProtect always-on VPN. We have recently gone through a merger and the other half of the company use a manual Windows VPN connection.

At some point this year the domain will be updated to Server 2016 and the infrastructure guys have suggested rolling out the new Windows Always On VPN solution for the newly enlarged company, rather than adding the new users onto the Palo Alto solution.

Anyone have experience of Windows Always On VPN vs a firewall vendor solution and able to share their experiences?

I'm open minded, it's less work for me at the end of the day if the vpn is pushed down to the server guys!



Spanning traffic from Watchguard Firebox M4xx series

Hello!

As the name suggests, I need to mirror traffic from a WatchGuard firewall, but it appears not to be possible, as per their user documentation.

Three questions.

  1. Their documentation was from 2016, so it might be outdated. Does anyone have any experience with port mirroring on a WatchGuard Firebox M4xx series FW? Is it possible?

Before the firewall, there are a number of unmanaged switches. There is an unmanaged switch per area of the business, plugging directly into the firewall.

Port mirroring is what I'd usually do, but it's not possible from the switches or firewall and I want to use the least intrusive method.

Network tap is the next method I'm considering, but I've never actually used one.

  2. Say there are 10 ports I need to mirror, how many ports need to be on the tap? Sorry if this is a dense question, I've checked around but can't actually understand how they work.

  3. By that I mean, do they copy all Tx and Rx traffic they receive from a device they're plugged into? Or just from a particular port?

I appreciate anyone's help.

Please and thank you!



Does anyone recognise this optical connector?

I just found on a remote site some optical fiber with connectors that I'm not able to identify. It does look a bit like MTRJ, but I don't think it is. Anyone familiar with that?

https://i.imgur.com/Cj8SjhC.png

https://i.imgur.com/f2I3nXJ.png

https://i.imgur.com/Cb9W6f3.png



Study material for 802.11?

Hello guys, what study material should I refer to for Wireless LAN (802.11)?

Any recommendations(textbook, videos) would be appreciated, thanks!



I have never used a 3rd party firewall before, always used Windows Firewall

Is there any benefit at all to using something else that Windows would not offer? I have a decent understanding of networking and how firewalls work. It seems like such a basic utility that I can't possibly imagine what an alternative would offer.



Wednesday, March 13, 2019

Bought public IP addresses. Now what?

I'll soon have our organization set up with a couple large Internet connections at two different locations across our city (the primary datacenter will have a 40Gb/s connection and the DR site will have a 5Gb/s connection). Different Internet providers for each connection for redundancy. The end result is to have the DR site be the backup Internet for the primary if the primary Internet connection goes down. We have a 10G WAN circuit between the two sites.

I've registered an ASN for our organization and we have our own IP address blocks that were recently purchased. We're currently using our ISP's IP addresses for all our public addresses. In brief, what are the next steps to start using our own IP blocks? I assume I need to let our current ISPs know to advertise them for us, but I'm not sure where or who exactly to start with that. We'll be using Palo Alto firewalls on the borders at each site if anyone has any specific advice for them.

Thanks!



Receive DHCP Lease But Can't ARP Gateway

What would be the cause of someone being able to receive a DHCP lease from a DHCP server/router, but then not being able to ping the gateway or surf the internet? Basically DHCP seems to be working, but nothing else is. Can't ping the gateway, nothing in ARP, etc. In the DHCP server, I can see the MAC of the computer, the IP it has, etc.

There is a layer 2+ switch between the router/dhcp server and the client's computer. Doing tagged VLANs to the router and untagged access ports to the computers.

Someone said it's because DHCP broadcast is layer 2, and actual DHCP is layer 7?



Throughput licensing on the Cisco ASR is bullshit

It's fucking up my design. The simplest design I can think of is get 3 ASRs, plug them all into a switch, and run iBGP between them all. But then I need to think about what happens to the traffic once it sees the BGP table. Normally? No worries, it just routes it to the best exit, just design pathways that are redundant with enough throughput. With Cisco ASRs? You burn licensed bandwidth routing within your AS. So now I need to make sure I don't do that, which means I'm adding another layer of routing behind the ASRs, which means those also need the BGP table, meaning I need an ASR there too for the same reasons I bought an ASR in the first place.

I know I can make it work with limited tables and additional routers that are cheaper (e.g. a cat 9300 running BGP). I don't need full tables, I want full tables. It makes routing more straightforward to understand. There's also a non-zero political impact. This is a rare instance where bragging about my badass triple homed BGP network that can handle 30Gig+ and takes full tables from everyone happens to be justifiable in business terms. Do you have full tables, multiple partial peerings, enterprise-class routers configured for optimal routing, and a class B to work with? I want people to be jealous, and I think I have the budget to do it.

When I close my eyes I imagine 3x 48 port 10gig SFP+ switches that can run full tables. I plug them all together in a full mesh, plug all sorts of stuff into the other ports, and it spits it out where it needs to go. I shouldn't need to license double throughput for "suboptimal" flows as routers route traffic within my AS.

Please think to include alternatives as you roast me, maybe I'll spot a gem I can work with. As far as I can tell a bunch of the Ubiquiti Infinity routers would do the job just fine and let me route everything how I'd like to, but they don't offer a line item for warm fuzzies, and I need at least 20 warm fuzzies.



Is it worth upgrading Asus AC66U to AC88U?

Saw the AC88U on sale on a Chinese site. I'm looking for 8 ports and link aggregation, but besides these two things are there any other differences between the 66U and 88U?



Is BGP EVPN VXLAN overkill for a small MSP that needs multi-tenancy support...?

As the title suggests, I work for a small MSP with about 100 customers. Our current network is very old and has end of life network gear.

As we look to upgrade the network, our manager wants us to explore the idea of a Layer 3 network and eliminate Layer 2 from the network core. A good idea indeed, however, is it worth the added complexity ?

We have VMware hosts and some standalone bare metal servers too. I don't think we can afford NSX, so the multi-tenancy has to be taken care of in the network. In our current design, we have a firewall pair that acts as a GW for all VLANs. Each customer gets their set of VLANs, which have the GW on the FW and connect to it via VLAN extension through the network.

So, as I explore the idea, I think I have 3 options:

  1. Listen to the vendors and look into EVPN + VXLAN. Is it worth it? (Also we don't have money for NSX.)

  2. Replace customer-specific VLANs with VRFs on an L3 network.

  3. Buy new gear, but keep it L2, just like we have now.

Any suggestions would be welcome..



Why route-tagging was implemented to fix mutual redistribution between BGP/EIGRP

Sorry for this long post folks, but this is just something I don't understand and might require someone with higher routing skills.

I had a strange issue that was resolved with route-tagging a while ago, but I could never figure out why this problem even happened in the first place. Picture of topology added.

https://imgur.com/a/83UNU2N

Our IGP is EIGRP within the datacenters and we connect to our branches via BGP (ISP MPLS network).

Before the problem:

We have 2 datacenters that both have WAN routers (MPLS routers that do BGP to the branches). All our branches connect to the DC1 MPLS router, but if we flip the default-information originate (failover) command to the 2nd DC, we can make all the branches go that way. This was also the way that our 2 DCs would talk to each other... they would just go right through their WAN routers to get to each other's DCs.

Both WAN routers would do full mutual redistribution without any filters... so any routes in DC1, DC2 and any branches would get advertised right into each other. Kind of a mess, but it worked.

What started the problem:

One day someone decided to add a 10gig metro-E circuit between our 2 DCs core-to-core (blue line in picture). Now the DCs have a new way to talk to each other, because the metrics for going through the 10gig are better than going through the MPLS.

Life was all better now because of faster speeds and less latency between DC-to-DC talk... BUT... a new problem emerged:

The problem was that when a branch fell off the network and came back up (whether power outage or circuit outage), all of a sudden the branch's subnet in the core's routing table would not go directly down to the RTR and to the branch... it would instead traverse the 10gig link to the other DC and down to the WAN router and to the branch. This was only for the return traffic from the branch's perspective.

Example just to make sure i'm clear:

Let's say there is a user in the branch that wants to ping a user off core 1 in DC1. The user sends a ping and it goes up to RTR1 then to core1, but the return traffic for the ping would go to Core2 in DC2 and down to RTR2 to the.. so this would essentially be asymmetric routing. This would ONLY happen when a branch lost connectivity and came back up and had to be learned on the network again. It was not a problem that was discovered right away when they implemented the 10gig circuit.

So I know this problem was for sure caused by mutual redistribution, so the higher-ups implemented route tagging at both RTR1 and RTR2 to filter routes learned at RTR1 so they are not redistributed back into RTR2 again.

Here's the part I don't understand... why would the return traffic be going to the other DC?? There is something here I'm missing that I don't understand.

But I did receive a very brief response from the guy who fixed it. I asked why this happened and he said the following:

"Locally the router has the route in BGP from 2 directions, one is local (from redistribution) and the other is through MPLS, on the BGP RIB the AD is not used to decide the best path, in this case is considering that the Local BGP route is the best way to reach the destination, so is not even considering the MPLS one, and that's why it is taking the EIGRP path, the TAGS will fix the issue."

Can anyone decipher in more plain words what he is attempting to say here?
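The mechanism the colleague is describing is the first step of Cisco's BGP best-path selection: a route that BGP sources locally (here, by redistributing it out of EIGRP) gets weight 32768, and weight is compared before anything else, so the eBGP path from the MPLS provider never gets a chance to win even though it is the one that should. The tag-based fix stops the branch prefix from ever being re-sourced into BGP on the second WAN router. The configuration below is an added example, not the poster's or their colleague's configuration; the AS numbers (BGP 65000, EIGRP 100), the tag value, the community value and the neighbor address are assumptions chosen for illustration. The same block goes on both RTR1 and RTR2.

```cisco
! Added example, not the original poster's configuration.
! Assumptions: BGP AS 65000, EIGRP AS 100, route tag 1 = "this prefix came
! into EIGRP from BGP", community 65000:100 = "this prefix came into BGP
! from EIGRP", ISP PE neighbor 192.0.2.1 (documentation address).

ip community-list standard FROM-EIGRP permit 65000:100

! EIGRP -> BGP: never re-source a prefix that EIGRP only knows because BGP
! injected it on the other WAN router. This is the direction that produced
! the loop in the post: the branch prefix arrived via BGP on one WAN
! router, crossed the 10G core-to-core link inside EIGRP, and was
! redistributed into BGP again on the other WAN router with weight 32768.
route-map EIGRP-TO-BGP deny 10
 match tag 1
route-map EIGRP-TO-BGP permit 20
 set community 65000:100

! BGP -> EIGRP: stamp every prefix handed to EIGRP so the other router can
! recognise it, and refuse prefixes that left this AS as EIGRP routes.
! The community check only helps if the provider passes communities
! through; if it does not, the tag check above is still what breaks the
! loop the post describes.
route-map BGP-TO-EIGRP deny 10
 match community FROM-EIGRP
route-map BGP-TO-EIGRP permit 20
 set tag 1

router eigrp 100
 redistribute bgp 65000 metric 10000 100 255 1 1500 route-map BGP-TO-EIGRP

router bgp 65000
 redistribute eigrp 100 route-map EIGRP-TO-BGP
 neighbor 192.0.2.1 send-community

! Verify on the core: "show ip route <branch prefix>" should display
! "Route tag 1" for prefixes that entered via the WAN routers.
! Verify on the WAN router: "show ip bgp <branch prefix>" should no longer
! list a locally sourced path (weight 32768) for a branch prefix; only the
! path learned from the MPLS neighbor should remain.
```

Tagging at both redistribution points is what makes this symmetric: whichever WAN router first learns a branch prefix from the provider marks it before handing it to EIGRP, so the other WAN router sees the mark and refuses to turn it back into a BGP route.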



Pitfalls of just throwing a switch at it?

SysAdmin trying to further my networking knowledge. I've got an office that I need to add a workstation to, the 2 current workstations and the MFP are all wired directly to the server room. It's about 300 ft of multiple floors & twists & turns, I really don't want to run another cable just for a new workstation. Is there a huge con to me just throwing a Smart Switch in the room and having all the devices go to that? If I reproduce this type of setup throughout the labyrinthine building, will it bite me in the ass? Is there a best practice where this is fine for a room that has 4 or more devices, but not less?



Looking for Cisco NPE-G2 card

Dear /r/networking denizens. This is probably a long shot, but.... I'm trying to track down a hand-me-down Cisco NPE-G2 supervisor that someone might be throwing away. I am trying to conduct a science experiment with a 7200VXR router, but the NPE-G1 supervisor that I have right now isn't up to the job.



Virtual Firewall as the Edge (x-post from /r/Sysadmin)

Hey all,

I posted this in /r/sysadmin as well and would love your input.

I'm curious if anyone is using a virtual firewall/router as their edge gateway for an on-premise datacenter.

I've been looking at new firewalls and have been chewing on the thought of virtualized firewalls as the edge, handling both internal (east-west) traffic and external internet (north-south) traffic.

It seems risky, but at the same time, seems like there could be advantage:

Failover - architected the right way, the firewall VM would failover to a different host if the main host craps out, and you might get a hiccup. Additionally, it seems like most VMs will also run in an active-passive so even if the VM itself fails you can have your passive takeover.

Cost - It's more OpEx than CapEx. For example, at CDW I see a Palo Alto VM-100 license with all the addons (ThreatPrev, URL Filtering) is ~$3500 for the first year, and each subsequent year is only renewal for the security services. The VM-100 is capable of 2Gbps throughput. A comparable hardware model, the PA-850, is running you ~$12k without any of the addon services.

Flexibility - If we end up needing more than 2Gbps throughput, I don't need to buy new hardware. I just buy a license for the upgraded VM and I don't even have to go into my datacenter to perform the upgrade (provided I have a proper HA pair).

I think the major concern would be security and putting one of our critical services (internet connectivity) on shared infrastructure with everything else. Now a failed cluster doesn't just mean internal services are down, but so too is our access to SaaS and cloud workloads.

Seems like one of those things where you won't be a hero if it all goes well, but you will 100% get fired if it goes south.

Curious what everyone else is thinking about this..



ASA 5510 Replacement?

We currently use a 5510 as a VPN/EDGE firewall for a directly attached site. It is EOL. The Cisco website shows the next replacement as a 5512-X but I'm seeing that as EOL in 2021. Is there something that I can replace this 5510 with that doesn't have such a close EOL date and won't force me into a FMP?

EDIT: The VPN I am referring to is a single L2L for failover, no Cisco AnyConnect. How are the FTD 2210s if I'm just using an ASA image?



Need advice on a PAT pool overflow

I've recently taken over the border of a multibillion dollar company. They were a small company that has gone gangbusters, nearly doubling in size in the last 10 years. We're now at the point where we are starting to overrun our primary PAT pool for traffic.

Ultimately I know the answer is that I need to split traffic between multiple public IP addresses, but part of the issue with a company growing this much is that documentation of network needs has not been great. We have no idea who has a third party that has whitelisted our current public IP and even the app and server teams have no idea who they have.

How would you handle this challenge in your network? Any advice for someone taking over the firewall and security infrastructure for a company going through these growing pains?