Saturday, May 11, 2019

HIGH AVAILABILITY + STACK Config SETUP

Hi guys, in line with my post from weeks ago: https://www.reddit.com/r/networking/comments/bbjw5s/need_advise_for_this_setup/

I've decided to finalize the network upgrade with this setup. Thanks to /u/golle, I will run a stack on the two switches instead.

See topology below.

https://imgur.com/a/20HDcpQ

Now I'm still unsure if I understand the stack concept properly.

I assume stacking is the same as HA in Fortinet, with both devices as active-active? So if, for example, I use SW1-TG1 for a specific config, SW2-TG1 will adopt the same config and role as SW1-TG1, so it can't be used anymore in a different role?

And also, since I'm planning to run a port channel on the access SW connecting to the STACK-SW with only 2 physical links, can I do it this way? (refer to diagram)

Notes:

Since the WS-C3850-24T does not support 4+ 10G modules, we're planning to get 2 WS-C3850-24XS instead.

Thank you very much,



DNS Latency Impact on IPv6

Backstory: ISP with all customers running Dual-Stack, 10% of customer traffic is IPv6

Currently we have our customer DHCPv4 pool set up to use our DNS resolvers but do not have our DHCPv6 pools pointed to us; they are pointing to Google's. The latency delta between the two is around 10ms.

I know that not all of the customers' devices are using IPv6 (smart TVs or older hardware), but has anyone tested out the latency impact on the preferential treatment of IPv6 based on DNS alone?

I’m working to move the v6 pools over to our own DNS anyways, but this has me wondering if this will help to shift the load?

For those who say “who cares”, these customers are CGNAT’d



PCI Compliance - Physical Security Requirements

Good afternoon all,

I recently started at a very small shop, however, they are required to become "more" PCI compliant. I believe our existing level is ~6% overall... which is incredibly scary.

I'm using this to my advantage to make things suck less... for example, one switching closet does not have a door...or a roof (open concept layout). It is just an open room accessible to staff and the public freely, with a switch connected to our (currently) flat network, with male ends on every cable plugged directly into the switch. They are old and beginning to fall off, so simply moving anything drops multiple connections. Fun times.

With PCI compliance -- I know part of the basics is physical security to the gear. If I were to put a patch panel in, and wall mount both it and the switch -- would I be able to simply put a 4U wallmount rack for the gear and add a door to the room, and be good to go? Or, because there is no ceiling, does that make the door a moot point?

Option #B is forget the door, get a locking cabinet, and be done with it.

Thanks in advance!



Spanning Tree Question

Just wondering if someone could clear up a spanning tree question we have.

Say you have the following Layer 2 network, we will assume only a single VLAN is used throughout...

```
Switch1——-Switch2
   |         |
Switch3——-Switch4
```

Assuming all switches are managed (say Cisco), if you only enable Spanning Tree on Switch 1 (root bridge) and Switch 2 but not on Switch 3 and Switch 4, do the BPDUs just "pass through" Switch 3 and Switch 4 without being processed, or is disabling spanning tree similar to a deny ACL for BPDUs?

If the BPDUs are just passed through, is it safe to assume that Switch1/2 will detect the loop and shut down the uplink to either Switch 3 or Switch 4?



FortiGate for IPSec? Are they really that fast?

We're quickly approaching the IPSec throughput limits of our PA-3020. We're currently at roughly 60% sustained dataplane CPU utilization with the majority of it attributed to IPSec tunnels and we're adding more and more tunnels every month. We do much more than IPSec on the PaloAlto. Upgrading to a higher end PaloAlto is cost-prohibitive for us so I started to research some other solutions to offload the IPSec.

FortiGate seems to have massive amounts of IPSec throughput per dollar compared to Cisco or PaloAlto. Seems like a great fit for us but before I engaged our VAR for demos/licensing?/pricing I wanted to make sure I wasn't missing anything.

Do FortiGate firewalls typically reach the throughput advertised? We're just going to be using these for IPSec tunnels with BGP routing over the tunnels. All content filtering/blocking/inspection/IPS/IDS/etc will still be managed by our PaloAlto so we're not interested in the Firewall/IPS/NGFW/Threat Protection throughput of the device.



PON ONU/ONT all-in SFP options

I'm aware of the Lantiq (such as Zyxel PMG3000-D20B) based models, which I believe have a small MIPS16 processor running a (specific?) OpenWRT build on 'em, as well as HiSilicon chipset-based models. I think there is a third, but regardless...I can't find any real information on 'em!

Can anyone here speak to any direct experience using any kind of ONU/ONT SFP (GPON, EPON, any PON!)? Short of some lengthy threads on the MikroTik and Ubiquiti forums that are sparse on technical details (lots of folks trying to flash firmware edited from someone's blog, and generally not succeeding), nothing out there is super helpful.

Ideally I'd buy one of each out there to try -- but I can only find the one FS.com sells, and they explicitly state it has only worked with ZTE and Huawei gear, in their experience (which is strange/weird...)

Anyway -- you got one? Is it working? What ISP are you connected to? What is it plugged into? And more importantly -- what is the management/configuration interface like?

Thanks



Basic traffic separation problem for ESXi 6.7 inside Virtual Connect to Nexus to NAS

http://bit.ly/2E4p183

Need some help

I just bought a physical firewall and need help setting it up, but I would also like visibility to it when I'm not home. So is the setup supposed to be MODEM > FIREWALL > WIFI ROUTER (EERO) > SWITCH, or MODEM > ROUTER (EERO) > FIREWALL > SWITCH? As it stands I have it set up the first way; however, not everything is showing up in my router manager, and since I like to cast, it seems like some stuff is connected to the internet but not connected to my network. I'm using a FortiGate if that helps any.

Thanks in advance



Education of Kiddos: "Old Credentials" left on school server

https://www.whec.com/news/gates-chili-csd-students-gain-unauthorized-computer-access-to-privileged-portions-of-districts-network/5348914/?cat=565

I... this hits close to home.

I made a mistake in college. A big one. But a kindly professor took a shine to me and helped me survive some bad outcomes. I've since done much mentoring in various communities. I turned out pretty OK, I think.

Given most of the kids I work with now are in the 'hackerspace', just how do I help them see the difference between good whitehat/blackhat? They're not going to learn if they don't poke.

Those creds should have been removed immediately. The accounts should have been locked down. All of this is a case study in what NOT to do for account/network security. Yet the kid makes the front page.

I'm thinking of the next project where we tear apart an old camera... and what to do.

edit: (And this may not be the right forum. I'm hoping more from a security professional point, but then we'd get "don't do that ever" and never find any problems...)



Tips, tricks, techniques to remove LC fiber connections.

What are some of your tips to remove LC fiber connectors from crowded bulkheads and other equipment? I find they are sometimes difficult to remove due to being in recessed areas and other jumpers restricting access.



Cisco ACI - any recommendations for training myself?

So my company is putting in some ACI infrastructure and I wanted to get some self-teaching going to learn more about how to configure it, as it's a bit of a shift away from traditional Cisco config with the GUI, tenants, policies, etc.

Can anyone recommend some online (free) training or lab setup guides etc. to get my feet wet here?

As per usual, there will be very little training from my company itself. So I need to do a fair bit of it on my own here.

Thanks



What kind of information goes out of a corporate network to the world?

I'm trying to do some self study on security and networking integration and it occurred to me: in an environment where you run, say, a Bluecoat ProxySG that intercepts all web traffic, what other traffic would go out an external gateway (that may require ASG services on a firewall)?

I can think of VPN and encrypted tunnels for data transfer/replication. FTP maybe, if that's not counted as regular web traffic through a proxy. Streaming services and conference/telephony connections. Is there anything else I'm just not thinking of?

I know SAN replications stay internal, they'd never (or very rarely) go out to the world.



BGP or OSPF for MPLS PE-CE routing?

Having an internal discussion at present with my boss. We have an MPLS core with our corporate VRF running an L3VPN. We have a bunch of new offices and data centres coming online this year and we are working out how we connect these back to the MPLS.

His preference is to go with OSPF between the MPLS and data centre/office. I prefer BGP.

He's had experience of OSPF in large environments, but to me it seems like a massive PITA, with added risks, and not much benefit. As a trial we connected a new switch stack up as a DC core to our MPLS and instantly I had to fudge my way around it. First enabling capability vrf-lite, as we run VRFs within the DC. This then caused a loop (obviously), which meant I had to filter routes on the PE devices. His feedback though is it was worth it for faster failure recovery.

I want to go with BGP. It doesn't come with these DN-bit caveats. It has loop prevention due to AS-path. And it is just easier to work with.

Anyone else had experience in the same? For a bit of extra information, each new site/DC will have 2 uplinks back to different PEs.



Friday, May 10, 2019

Dumping Nexus 7Ks what to replace with?

We’ve got a pair of Nexus 7009s with dual sups in each running the core of a small DC. Each has 2 x 48 port 1/10G cards and still have a lot of room open across both switches. All of the compute is virtualized on UCS blades with an all flash storage SAN.

With a licensing renewal coming up it's close to 50K just for SmartNet for these 2 switches. I was looking at reducing the footprint down to a 4 slot chassis or something smaller since the 7009s are overkill. I do want to maintain the ability to dual home everything and continue doing maintenance or upgrades in the middle of the day if necessary.

I started looking at some of the newer Nexus 9Ks but was looking for some feedback on whether that's the way to go or to evaluate others such as Arista. Thanks for the feedback!



For the sake of the window I am about to throw my PC through, please help! NAT Issues are driving me insane!

I installed a PC game (COD WWII via Steam) after not playing it for a long time. I have a completely different PC and router since the last time I played, and I cannot connect to servers for the life of me! I have tried everything I can find and nothing is working. The game says my NAT type is either Moderate or Strict and it randomly changes, causing me to not be able to connect to any servers.

What I have tried:

  • Disabled anti-virus AND windows firewall
  • Enabled UPnP
  • Found the needed TCP/UDP ports for COD PC and setup the port forwarding

Nothing seems to help. I just keep getting the "searching", "expanding", "narrowing" process over and over again when trying to find servers to join.

https://imgur.com/a/p9dGGQJ



Cisco SD-WAN and flow based load balancing

Hey there. Quick question for you guys. I usually read the posts around SD-WAN in this sub. And one thing that kinda surprises me is that most people recommend Cisco SD-WAN / Viptela.

Yes they are around for some time, are one of the leaders and have a mature product.

But if I got that right their load balancing across the WAN links is still flow based? And if I’m not mistaken, this impacts major features such as failover times and also prevents the utilization of multiple WAN links for a single session and per packet link monitoring and bandwidth detection?

Doesn’t that mean that it is impossible to get MPLS-like quality across multiple cheap internet links with them?

Other vendors such as VeloCloud, Talari or Citrix all use packet based load balancing and monitoring.

Any thoughts? Maybe I’m simply overestimating the importance of packet based routing, but for me flow based sounds like a huge disadvantage?

Happy weekend



Coding prep for interviews

Hi Fellow Networking people!

I have been in the networking field for 6+ years now. I have a very diverse background and work for a global company. Things seem good but I am trying to level up and interview at companies like Google/Facebook/Netflix where automation and writing code is a must-have skill.

I do some coding at my current job but it's laborious and takes a while to figure out. I am not able to perform as well as I would like in coding interviews as a result, since those are time bound.

I am also facing issues in trying to figure out what type of questions to prep for, as there is so much scope interviewers can cover. This means I end up focusing on non-relevant coding skills through sites like LeetCode.

Can someone with prior experience with interviewing at google/facebook/netflix recommend what I should focus on? I am not asking for sharing interview questions but just some high level advice on what topics and study material I should be concentrating on, specifically relevant to network engineering.

Thanks!



ASA WCCP doesn't accept network objects

I have a Sophos web filter appliance that is causing issues with higher security web traffic, banking sites mostly. I am trying to direct that traffic around the web filter using a WCCP ACL, but the sites are load balanced so I can't just enter a few static IPs. Anyone know of a way to either dynamically pull and load those IPs as they come in or otherwise shape that specific traffic around the web filter?

(I am working with Sophos as well but they just keep telling me to whitelist more things when all the applicable URLs are exempt from scanning)



SecureCRT scripts to make life easier

Hi All,

I've been using SecureCRT for years and have written many scripts to make life a little easier for myself. I wanted to share a few of them with you, and create a place for others to do the same. To that end, I created /r/SecureCRT. Remember, I'm not a programmer, I'm a network engineer that does some scripting to make life easier, so be nice and don't talk too much smack about my "code". Feel free to share anything that you've written!

Obviously, as you'll see, I prefer PERL, but that's just because I'm old. If y'all don't like the sub or don't find it useful, let me know and I'll delete it.



Segregating a public internet over our corp network

I'm guessing this is totally achievable, just looking for ideas on the best implementation. So a little background first:

Headquarters: We have a Sonicwall NSA 2650 with 200mb symmetrical from our ISP. Cisco 3750E as our core switch

CoLocation (down the street): Cisco 3750-X (core) They connect back to us over a comcast business EPL circuit

Diagram here: https://imgur.com/a/rJy7LNk

The public internet we have at the remote office is currently off a different ISP, segmented from our CORP network. People just use it to stream music, surf the web on lunch, etc. It's only 3MB down though, and we can't get anything else into the building. So since we have a 200MB pipe going between both sites, we want to use that maybe. Obviously there's a security issue since it would ride on the corp network.

I'm looking for ways on how to set this up from a network perspective. My initial thought was to keep the UniFi on the same VLAN I have it on now, but give it an SVI since it doesn't have one. I could make it 10.18.2.0 or something. Then I'd have to build that VLAN at headquarters too and on the SonicWall. Then I'd make another SVI (VLAN 91) and route the traffic over that VLAN? Then I'd have to do some SonicWall magic to block traffic to and from that network. Any ideas?



IP of a device set to 255.255.255.0, how can I recover?

Hey!

Long story short I had a device get configured to where its static ip is 255.255.255.0. I had concerns that it happened but just had it confirmed via wireshark.

It's a small Linux computer that I have no way to communicate with outside of across Ethernet. I need to be able to PuTTY in to the device and reconfigure it so that it's on a normal IP. Is there any way to communicate with a device whose IP is 255.255.255.0 outside of a console cable?

Thanks.



Help setting up network switch and wireless.

Hello,

I'm an intern at a technology company. My degree is not in any tech field, and I'm generally not given any technical tasks.

My dad also works at this company, and they are giving him a Cisco Catalyst 3560 series PoE-48 switch, a Linksys E1000 router, and a Cisco Aironet access point. This will be set up at my dad's new church building.

The equipment listed was dropped on my desk, with the switch apparently pre-configured. I still have no idea how to set up the router and access point. I have an ethernet to USB cable, power cables, a single ethernet cable, and my laptop.

If anyone could give me an overview or tell me what software I need, or anything to point me in the right direction, I would be very grateful.



I need to find an answer to this please.

Hello everyone, hope you are enjoying your day. I need to ask a question, does anybody know if a 3G USB dongle has built in GPS or the ability to access GPS?



NATing vs Security Policy

I was reading a thread on here the other day and someone had mentioned, in regards to external vulnerability of a firewall, that you should not rely on NATing to replace security policy.

This confused me a bit because for example, if I NAT port 443 of a specific web server to be exposed to the public internet (Destination NAT), then NAT has essentially created a specific small hole through my firewall. The fact of doing this also "blocks" all other ports from being exposed by default (to said web server).

On our specific firewalls, I can configure this NAT rule to only NAT based on a specific source IP or region. If source doesn't match, traffic won't get forwarded to the web server.

What more can a Security Policy add to this?

I know nextgen firewalls can perform vulnerability and malware scanning on these security rules but I'm asking from just a networking vulnerability standpoint.

Thanks all!



Best Way to Filter Malicious IPs?

We've got some internet facing services. These obviously require unfettered access from anywhere. In doing so, this opens us up to potential attacks, people constantly scanning the open ports, and then trying various exploits on the port. If I notice a recurring source IP, I add it to our inbound filter list. Obviously a tedious task and not exactly the most effective.

I know this is quite a common post on here, so I've been doing some reading about RTBH, BGP FlowSpec, and ExaBGP. I'm still not 100 percent sure that this is the solution I'm looking for, as it is not really DDoS mitigation we are worried about.

Anyone have any other ideas or solutions? Am I missing something obvious?

Let me know if you need more information.
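The post above describes adding recurring source IPs to an inbound filter by hand. The following added example (not from the post or any vendor) shows the detection half of that job automated in Python: it parses constructed firewall deny-log lines, flags sources that sweep several distinct destination ports within a short window, and emits block-list entries that expire instead of living forever. The log format, IPs, thresholds and the 24-hour TTL are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample log lines in a hypothetical "deny" format (not real data).
SAMPLE_LOG = """\
2019-05-10T01:00:01Z deny src=203.0.113.7 dst=198.51.100.10 dport=22 proto=tcp
2019-05-10T01:00:02Z deny src=203.0.113.7 dst=198.51.100.10 dport=23 proto=tcp
2019-05-10T01:00:03Z deny src=203.0.113.7 dst=198.51.100.10 dport=3389 proto=tcp
2019-05-10T01:00:04Z deny src=203.0.113.7 dst=198.51.100.10 dport=445 proto=tcp
2019-05-10T01:00:05Z deny src=203.0.113.7 dst=198.51.100.10 dport=8080 proto=tcp
2019-05-10T01:00:09Z deny src=192.0.2.55 dst=198.51.100.10 dport=443 proto=tcp
2019-05-10T01:30:00Z deny src=192.0.2.55 dst=198.51.100.10 dport=443 proto=tcp
2019-05-10T02:15:00Z deny src=198.51.100.77 dst=198.51.100.10 dport=22 proto=tcp
2019-05-10T02:15:01Z deny src=198.51.100.77 dst=198.51.100.10 dport=25 proto=tcp
2019-05-10T03:00:00Z deny src=198.51.100.77 dst=198.51.100.10 dport=80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) deny src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+) proto=\S+$"
)


def parse_lines(text):
    """Yield (timestamp, source IP, destination port) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that does not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, ip_address(m["src"]), int(m["dport"])


def find_scanners(text, window=timedelta(minutes=5), min_ports=4):
    """Return {source_ip: all_ports_it_touched} for every source that hit at
    least `min_ports` distinct destination ports inside a sliding `window`.
    Distinct ports, not raw hit count, is the signal: a legitimate client
    retrying one port looks nothing like a port sweep."""
    events = defaultdict(list)
    for ts, src, dport in parse_lines(text):
        events[src].append((ts, dport))
    scanners = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            if len({p for _, p in hits[start:end + 1]}) >= min_ports:
                scanners[src] = {p for _, p in hits}
                break
    return scanners


def block_entries(scanners, seen_at, ttl=timedelta(hours=24)):
    """Turn flagged sources into (ip, expiry) pairs; expiry keeps a one-off
    scanner from sitting in the filter forever like a hand-maintained list."""
    return [(str(src), (seen_at + ttl).isoformat())
            for src in sorted(scanners, key=str)]


def example_blocklist():
    """Run the whole pipeline over the constructed sample log."""
    return block_entries(find_scanners(SAMPLE_LOG), datetime(2019, 5, 10, 1, 0, 5))


if __name__ == "__main__":
    for ip, expiry in example_blocklist():
        print(f"block {ip} until {expiry}")
```

Only 203.0.113.7 is flagged: it touched five ports in four seconds, while 198.51.100.77 touched three ports spread over 45 minutes and 192.0.2.55 only retried 443. Deny logs only show what the firewall already rejected, so this list is a convenience for trimming noise, not a substitute for the exposed services themselves being patched; keep your own prefixes on an allow-list before feeding such entries into an ACL or RTBH trigger.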



MTU/Jumbo Frames Question

Hey!

I’m just trying to get my head around MTU and Jumbo Frames....

I was wondering if anyone could help?

  1. Why would you change the MTU to anything lower than 1500? What does this accomplish?

  2. In what scenario would you use Jumbo Frames? I’ve read in some cases that the performance increase isn’t that noticeable?

Thanks!



MTU mismatch. which is right

In my network I am running a Catalyst 4900 as my core that has my FW and L2 switches connected. The MTU is set to 9216. On my Nexus 9K (connected to the 4900) the MTU is 1500. Hanging off my 9K is a Force10 switch on a blade chassis; its MTU is 12K. I have ESXi hosts in the blade chassis with MTU at 1500. My question is: if the VMs and the host only transmit at 1500 (and it's basic web traffic, no images or video), does the 12K MTU matter, or for that matter should I increase the MTU on the Nexus 9K to match at least the 4900's?
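To make the two MTU posts above concrete (the "why jumbo frames" questions and the 9216/1500/12K mismatch), here is an added Python example, not from either post, that models RFC 791 IPv4 fragmentation: how a datagram is cut to fit a link MTU, what the offsets and more-fragments flags look like, and how much header overhead the extra pieces cost. It assumes a 20-byte IPv4 header with no options; the payload sizes are constructed.

```python
IPV4_HEADER = 20  # bytes; assumes no IP options


def fragment(payload_len, mtu, dont_fragment=False, header=IPV4_HEADER):
    """Split a datagram carrying `payload_len` bytes after the IP header so
    each piece fits `mtu`. Returns [(offset_in_8_byte_units, payload_bytes,
    more_fragments)]. Every fragment but the last carries a multiple of
    8 bytes, because the offset field counts in 8-byte units."""
    if payload_len + header <= mtu:
        return [(0, payload_len, False)]  # fits: no fragmentation needed
    if dont_fragment:
        # A router would drop the packet and send ICMP "fragmentation needed";
        # this is what a silently filtered ICMP turns into a PMTUD black hole.
        raise ValueError("DF set and datagram exceeds MTU")
    chunk = (mtu - header) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any payload")
    frags, offset = [], 0
    while offset < payload_len:
        size = min(chunk, payload_len - offset)
        more = offset + size < payload_len
        frags.append((offset // 8, size, more))
        offset += size
    return frags


def wire_bytes(payload_len, mtu, **kw):
    """Bytes actually sent, counting one IP header per fragment."""
    return sum(IPV4_HEADER + size for _, size, _ in fragment(payload_len, mtu, **kw))


def overhead_ratio(payload_len, mtu, **kw):
    """Header bytes per payload byte: shows what jumbo frames buy you."""
    return (wire_bytes(payload_len, mtu, **kw) - payload_len) / payload_len


if __name__ == "__main__":
    for mtu in (1500, 9000):
        print(mtu, fragment(4000, mtu), wire_bytes(4000, mtu))
```

Two things the model makes visible. First, fragmentation is a layer-3 action performed by a router (or the sending host); a switch port whose MTU is smaller than an arriving frame simply discards it, so on an all-1500 host population the 9216 and 12K switch MTUs are never exercised, and raising the Nexus MTU to match the 4900 only matters once something actually emits frames larger than 1500. Second, the overhead saving of jumbo frames is real but modest (roughly 1.3% of header bytes at 1500 versus 0.2% at 9000 for a 4000-byte payload), which is why the performance gain is often unnoticeable for ordinary web traffic and matters mainly for storage and replication flows.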



Suggestions for 10GB switches for secondary datacenter for small/med business?

Budget is low on this (for a school), but looking for recommendations for a pair of budget-friendly 10Gb switches that could be used in a DR or failover secondary rack.

Thanks



How can I know if our cabling was certified? Can we do it after already installed?

Hi all,

TL;DR below.

When we moved into this new building 2 years ago I was just the on-call IT guy for the company so I had some input but not a lot. I gave references for cabling installers but I guess it was "too expensive" so they picked some ISP guys that did it on their own time (after hours). It appears they did a good job and the cabling is very neat and labeled, however, as we've doubled in size to 100 employees and use web apps, VoIP, network shares, you know all the regular stuff, I can't help but wonder if our occasional network problems are due to the cabling or outside factors (QoS, network gear, etc).

That's a longer topic so keeping it centered on cabling, when I ask my boss if our cabling was certified, what would I ask for? He might say, "what would it (the document) look like?" Also, could I contact a company and have them come in and do a certification after the fact? Like what things would they test for and could they give me recommendations on how to improve our network?

Lastly, for our most recent cabling additions as we've expanded into more of the building, management has decided the handyman can do it because he's inexpensive. If he's just using a basic tester/toner (I don't know what gear he owns), how would I know if the cabling is bad, since I don't have an expensive tester? Also on this new side, from what I can tell, he did not terminate the cables; they just go straight from the patch panel in the back to the user's PC.

A couple follow-up questions would be. On the original side where everything is properly terminated, the handyman made his own cabling to run to the cubes which vary from about 8ft - 15ft depending on how far the cube is from the wall. Should I replace all these with patch cables? Granted in the 2 years here I've only had to replace at most 6 ends because they were loose.

Next, what is an inexpensive toner for under $100? I bought a cheap $20 one last year and it's junk. I ask this because partly I feel that management expects me to do all this cabling since I'm the sysadmin. However, my expertise is in server and desktop support; I mean I did cabling for very small mom and pop shops early in my career but stopped because I didn't want to mislead people on quality. I think it should be done properly. Should a need arise though, I would like to be able to tone and find cabling.

TL;DR

Cabling was done 2 years ago and appears to be done well, but I don't know if it's certified.

  1. How do I check and/or should I have a company come in to certify?
  2. What do they test for and what recommendations do they offer?
  3. Should I replace handmade cables with factory patch cables?
  4. Inexpensive cable toner?


Unbricking a UniFi AP

I just bought a few APs off eBay and ran into a bunch of issues getting them to work. I have created a walkthrough on Medium about how to unbrick/reflash an AP, as I found the information hard to find.

I go over TFTP and how to use a USB to Serial TTL adapter to flash firmware to the AP. You can probably use these directions to flash custom firmware as well.



What kind of wifi antenna connector is this?

I'm looking to replace a wifi antenna but unsure what connector type this is. Anyone have any suggestions?

https://i.imgur.com/35cGNww.png



Configuring source IP addresses for IGMP messages on HP Switches

I am trying to figure out how to correctly configure IGMP snooping/querying on HP 5130 series switches (HP 5130-24G-PoE+-4SFP+ EI). We are using IP video transmitters and receivers from Crestron (DM-NVX-350/532). It is one of our first times implementing it on a larger scale (12 transmitters & receivers, up to 6 transmitters at a time). We have our own private network and we were provided switches by the school IT department and they configured them initially. We really wanted them to purchase "approved" switches with the easy configuration guides Crestron provides. Apparently you just enable igmp snooping querier and voting on Cisco switches, but this HP does not support that, I don't think. Unless PIM snooping has to do with it, but I don't think so.

This is the reference I am going off of (namely pages 30-32). Multicast command reference for these switches - https://support.hpe.com/hpsc/doc/public/display?docId=c04771722

There is one central switch with 2 switches attached on 10Gbps fiber SFPs. Currently we cannot send a multicast stream created by a transmitter to devices on 2 switches at the same time. Crestron has their own management box for routing stream subscriptions. They require that IGMP querying be enabled on all switches.

Current configuration for the vlan/10G SFP/every regular port on the switch.

```
#
vlan 60
 name hicapvideo
 igmp-snooping enable
 pim-snooping enable
 igmp-snooping querier
#
interface Ten-GigabitEthernet1/0/27
 port access vlan 60
 undo stp enable
#
interface GigabitEthernet1/0/1
 port access vlan 60
 stp edged-port
 poe enable
```

Another page talking about what the title says (Configuring source IP addresses for IGMP messages) - http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/5130ei/5200-3944_ip-multi_cg/content/483573774.htm

By default, the source IP address of IGMP group-specific queries is one of the following:

  • The source address of IGMP group-specific queries, if the IGMP snooping querier of the VLAN has received IGMP general queries.
  • The IP address of the current VLAN interface, if the IGMP snooping querier does not receive an IGMP general query.
  • 0.0.0.0, if the IGMP snooping querier does not receive an IGMP general query and the current VLAN interface does not have an IP address.

I don't completely understand the part above, and here are my questions: Does the VLAN on the switch need an IP address when setting this parameter? Or is it the source from the subnet of querying devices?

`igmp-snooping special-query source-ip ip-address`

From what I have read, it seems like if the source IP is 0.0.0.0 it does not do anything to help with routing streams to the receivers that want them. That's if the IP is 0.0.0.0 and it does not receive an IGMP general query. But isn't the source IP address whoever is sending the stream? Basically I don't understand what group-specific queries and general queries are, if those matter. I just want to set it up properly because I believe this is the problem. Also, does the source IP address only need to be set on the "master" switch between the 2 other ones?

As stated above, the problem I am trying to fix ultimately is: one multicast stream cannot be subscribed to on more than one out of the 3 switches. E.g. sending from one "branch" switch to the other branch switch works, until I subscribe a device on the same switch or the other branch switch. It will move to the latest subscribed device and drop off of the other. I believe properly configuring IGMP querying on all 3 switches will fix this.

Thank you for your help and if you need clarification on something let me know.

Edit: I should also say we have tried reaching out to the IT administrators but they are not of much help/hard to contact. He said we can get into the switches and do what we need to do. All they did was enable IGMP snooping on all of them initially when we asked about meeting the requirements of these devices. Currently for a couple events we will probably just have to use a 2nd transmitter to make a different copy of the stream to send to the other switch's devices.



Huawei compatibility with Cisco in China.

I am working on sourcing a new L3 Cisco switch (most likely a 3850 stack) for our China location, to replace their Huawei S5700 that is now their L3 core.

I did some digging and it looks like with LACP on the Huawei, I can do VLAN trunking to the IDFs that are there (S2700). It seems a lot like HP/Cisco trunking.

So, here is the problem that I stumbled on. The SFPs in the S5700 and the S2700 are MXPD-243S: 1310nm, 1.25Gb, dual LC, SM.

Obviously the 1000Base-SX (850nm) adapters won't work, but from what I can tell, it looks like the 243S is compatible with 1000Base-LX.

Before I go ahead with this project, will the LX SFPs work? Is it worth my time, or should I just swap out the S2700s now along with the core? Will the fibers used with the 243S be compatible with the SX? Or should I just stick with the LX since that seems to be the compatible one with the fiber they have there?

I'm waiting to hear back from them, but it's the weekend now, to get a P/N off the fibers to the IDFs.



What to code in networking?

Hi, I'm studying networking (IP, TCP, UDP, ports, routers, etc.) theory and would like to have some practice. Could you please toss out a few ideas of what to code in Python (or another programming language) to practice the concepts? Something more interesting than a ping-pong server :)

Thanks!
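One practice project of the kind asked for above, added here as an example and not part of the post: decode a raw IPv4 header with `struct` and verify its checksum. Writing the RFC 1071 one's-complement sum yourself is a good way to internalise what the header fields mean and how a corrupted packet is detected. The sample bytes are a constructed 20-byte header (UDP from 192.168.0.1 to 192.168.0.199, DF set, TTL 64) whose correct checksum is 0xb861.

```python
import struct
from ipaddress import IPv4Address


def checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then invert."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet):
    """Decode the fixed part of an IPv4 header and check its integrity.
    A valid header sums to zero when the checksum field is included."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (vihl, tos, total_len, ident, flags_frag, ttl, proto, hdr_csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "checksum": hdr_csum,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "checksum_ok": checksum(packet[:ihl]) == 0,
    }


# Constructed sample header (not captured traffic).
SAMPLE = bytes.fromhex("4500 0073 0000 4000 4011 b861 c0a8 0001 c0a8 00c7")

if __name__ == "__main__":
    for k, v in parse_ipv4_header(SAMPLE).items():
        print(f"{k:>13}: {v}")
```

Natural follow-ups in the same spirit: parse the UDP or TCP header that follows (protocol 17 or 6), compute the transport checksum with its pseudo-header, or read frames from a pcap file and feed each one through the parser.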



Backup way to login to Network equipment via Mobile network

Hi!

I am looking for a device, or an idea, so that I will have a device with internet over a 4G SIM card.

The device will run a backup Nagios to send alerts in case the whole IT equipment is down, or a couple of critical ones. Also I can log in to this device remotely and connect to it in case the main internet line is down.

Anyone knows such device or suggest something?

Thanks



What's in your tool-belt

You have a long night re-configuring, commissioning and decommissioning kit in the Data Center. Aside from your trusty baby-blue cable, what else do you have on your belt?



General - How much Information does a Routing table need to hold?

If we are talking about a router on the edge of the network, it's easy for me to understand that with a default route and one or two other routes in the routing table there should not be a problem getting packets in the right direction to reach the destination address.

But I just can't find an answer to the question of how many routes a more central router needs to contain to decide which way a packet should be sent. If there are, for example, 4 directions a packet can be forwarded by a router and it only knows the destination IP address, doesn't that mean that it would need an entry for every possible IP address on the network and the next hop to reach it?

If it doesn't, how should it know what the right path is to pass the packet on? I wasn't able to find that information. I would be grateful for an explanation. No problem for me to read some article about it; I was just not able to find the answer for myself.

Cheers and thanks in advance.
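The question above (does a central router need an entry for every address?) is answered by longest-prefix matching: a table holds prefixes, the most specific matching prefix wins, and a default route catches the rest. This added Python example, not from the post, builds a small table with four "directions" and shows that five entries are enough to forward traffic for every possible IPv4 destination. The prefixes and next-hop names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network


class RoutingTable:
    """Minimal forwarding table doing longest-prefix match (LPM)."""

    def __init__(self):
        self.routes = []  # (network, next_hop), kept most-specific first

    def add(self, prefix, next_hop):
        self.routes.append((ip_network(prefix), next_hop))
        # Longest prefix first, so the first containing prefix is the best match.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def match(self, dst):
        """Return (prefix, next_hop) of the best route, or None if no route."""
        dst = ip_address(dst)
        for net, next_hop in self.routes:
            if dst in net:
                return net, next_hop
        return None  # no route and no default: the packet is dropped

    def lookup(self, dst):
        found = self.match(dst)
        return found[1] if found else None

    def __len__(self):
        return len(self.routes)


def build_core_table():
    """Constructed example: a 'central' router with four ways out."""
    rt = RoutingTable()
    rt.add("10.0.0.0/8", "to-east")          # the whole campus range
    rt.add("10.1.0.0/16", "to-north")        # one site carved out of it
    rt.add("10.1.200.0/24", "to-north-fw")   # a still more specific subnet
    rt.add("192.168.0.0/16", "to-west")
    rt.add("0.0.0.0/0", "to-isp")            # default: everything else
    return rt


if __name__ == "__main__":
    rt = build_core_table()
    for dst in ("10.1.200.5", "10.1.3.4", "10.7.7.7", "192.168.5.5", "8.8.8.8"):
        net, nh = rt.match(dst)
        print(f"{dst:>13} -> {nh:<12} (matched {net})")
```

Real routers do the same thing with a trie or TCAM so that the match is constant-time rather than a linear scan, but the information content is identical: one entry per aggregate, not per host. The security-relevant corollary is that a more specific prefix always wins, which is why an unexpected /24 appearing in the table (from a misconfigured peer or a hijack) silently redirects that traffic even though the legitimate /16 is still present; route filters on what neighbours may announce exist for exactly that reason.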



Router internet connection issue

Hey guys,

The past days I am experiencing a weird problem. I have a Mi Router 3G acting as a wired repeater connected to my modem-router via the WAN port and I have devices connected to it both via ethernet and wifi. While the modem-router recognizes the router, there is no communication between the modem-router and the router except for some kbps of data which I see in the router's admin panel.

When my smartphone is connected to the router via wifi, it says "Connected, no internet".

When my PC is connected to the router via ethernet, it cannot load pages at all.

When I put the ethernet cable which is connected to the ethernet port of the modem-router to my PC directly, my PC has internet connection.

I have tried: rebooting the modem-router, rebooting the router, changing operation mode of the router to act like an access point instead of a repeater, turning the router's firewall off.

Any help would be appreciated.

P.S.: I know that the 1st rule of this sub is to not post about home networking, but I couldn't find help anywhere else.



Custom captive portal for Ruckus vSZ-E

Hello,

I'm currently deploying a virtual controller, Ruckus vSZ-E ver. 3.5.1.0.862, and I have some problems with setting up guest Wi-Fi with SMS authentication.

My concept can be described with the following situation: when a guest tries to connect to the network, he will be redirected to a captive portal where he has to enter his first name, last name and phone number. After submitting this form he will receive a password on his mobile phone.

I tried to use the captive portal provided by the controller, but it only consists of one textbox for the password, and I didn't find any information about customization or any options to do that.

Do you know if there are any customization options for this version of the controller? Maybe version 5 of vSZ-E has such options? Or is the only option connecting vSZ-E with another solution, for example PacketFence?



Thursday, May 9, 2019

META: TIL there are two networking subs

/r/network /r/networking

Any history/reason that anyone is aware of?



pfSense behind USG routing

So I have an idea I've been wanting to plan out and I'd like some input.

I have a few sites with a pfSense firewall (Unifi equipment) and a few with a USG for a firewall. While I would much rather prefer pfSense for the power it has and its ability to handle many things much better (Snort, pfBlocker, other utilities), I also like the USG's DPI abilities with traffic statistics and the ability to have client traffic statistics.

There's been much talk about a passthrough feature for the USG to be able to get the DPI data and nice graphs, but I've had another method in mind that I haven't tried out and am trying to think through. I'll explain some of my network as best as possible and give some reasons and thoughts I've had.

At one site I have a 10G network, Unifi 48 port with a 16 XG core, like 60 devices in all, 30 switches and 30 APs spanning 110k sq ft, with a few hundred devices every day. I have it set up with the pfSense as the router, which has a 20G LAGG to the core Unifi 16XG but only a 1G ethernet uplink to the fibre GPON. I like having the more powerful pfSense, a Netgate 2600xd or something like that (it has an 8 core 2.4 Atom or something but was discontinued about a year ago; it still works and receives official support), as the core to do the routing, IPS, and a few other things.
I have several VLANs on my network and some externally available devices/services.

I've been thinking about putting the pfSense router behind the USG, for the following reasons and thinking:

  • I would like the overall traffic stats
  • Better monitoring of traffic per client
  • Application Usage stats
  • Usage over time
  • Possibly better features in the future for IPS than available on pfSense(cough... maybe... at least a prettier dashboard)

I know that's not a whole lot and maybe I could do something similar with an ELK stack or something like that, but I haven't really gotten that far (yet), which is the reason for my post.

Steps I would take:

  • Turn off NAT on the pfSense and make the wan(with vlans) have addresses of x.x.x.2 for each subnet(vlan)
  • Make the Unifi connect to the WAN and have LAN(vlan) addresses of x.x.x.1
  • set a static route on the pfSense, or up stream gateway, for the internet to x.x.x.1 interface on the USG
  • Set the gateway address in the DHCP servers to x.x.x.2 for the pfsense to do the internal routing

Doing this should, I think, use the pfSense for all internal routing, cross-VLAN and such, and if traffic is bound for the internet, send it to the USG with the original client's information so the USG can keep track of the traffic, do the statistics and make the connections. My internal routing would only traverse the pfSense and have good throughput (remember 10 GIG), while any internet-bound connections would have another hop, pfSense => USG, that would still be the 1G copper connection I have to the internet.

I know it could cause a little latency in the internet connections, but I'm not thinking it would be that bad, and I would get the benefit of having a single dashboard for my entire network.

If any of this makes sense or you have any questions or suggestions, I'm all ears.

If you've tried this, know this won't work, think there's other software I would benefit more from, or know a better way, please let me know.

.... I don't think I've earned junior admin....



HPE equivalent of Cisco "flexlink"?

I've found that Cisco flexlink is a useful feature to get around the slow reconvergence times of spanning-tree. It's particularly useful between the access and distribution layer, but I don't think it would be wise to use in the core. I need to use this with an HPE switch, but I can't find any equivalent feature in HP. Does anyone know of any?

Unfortunately I cannot get around using HP for this setup :(



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



SD-Wan (viptela, silverpeak, velocloud, or Cloudgenix)

For those of you that have already been in the SD-WAN market, who would you recommend? We are small, so pricing will play heavily. 9 sites total:

Headquarters and DR have dual 1 gig links; the 7 remaining sites have redundant 50-100 Mb circuits (fiber and broadband). All sites will have LTE backup as well.



VOIP : Trunking 2 BRI interfaces

Hello /r/networking

Not sure if it's appropriate to post here such question, trying my luck anyway

I have 2 BRI interfaces connected to the telco equipment, which provides a single number and 4 possible simultaneous calls (2 per BRI interface). My problem appears when I call that number from the outside: I have "2 incoming calls" displayed on the IP phone instead of just one, and to avoid this I always need to unplug the cable from one interface to receive only 1 incoming call.
I created a trunk group for the BRI interfaces and tried to enable different algorithms without success. Here's the trunk config:

trunk group group1
  max-retry 4
  voice-class cause-code 34
  hunt-scheme round-robin both down

Any ideas, guys?



Discontinuous wildcards to discontinuous subnet masks ??

Hey guys, ran into a weird one today and I'm having a hard time wrapping my head around it. I am trying to convert a big list of extended ACLs from Cisco over to new Aruba 8400 switches running ArubaOS-CX. Apparently, ArubaOS-CX does not support wildcards in ACLs. The problem is that there are quite a few wildcards that are discontinuous, so converting to a standard mask would be rather ugly. After reaching out to Aruba they stated that ArubaOS-CX does support discontinuous netmasks and I should be able to mirror what they have by leveraging this. Not being familiar with discontinuous masks I did a bit of research, but there is unsurprisingly a lack of content around this.

Wondering if I just invert everything, like this?

Extended IP access list Example-out
  10 permit tcp any 10.0.224.0 0.255.15.255  =>  10 permit tcp any 10.0.224.0 255.0.240.0
  20 permit ip 10.0.0.0 0.255.255.3           =>  20 permit ip 10.0.0.0 255.0.0.252
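The inversion in the post is the right idea: a Cisco wildcard bit of 1 means "don't care", so the equivalent netmask is the bitwise complement, and a discontinuous mask is applied with an ordinary bitwise AND just like a contiguous one. The following is an added example (not code from the post, Cisco or Aruba) that performs the conversion and then checks that the two matching rules agree on every address that differs from the base in a single bit, which exercises each fixed and each don't-care bit once. The two ACL entries are the post's; all other addresses are constructed.

```python
"""Cisco wildcard masks -> (possibly discontinuous) netmasks, with a check
that matching is unchanged.

Added example, not code from the original post, Cisco or Aruba.  The two
ACL entries quoted in the post are used as input; other addresses are
constructed for the tests.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_to_mask(wildcard):
    """0.255.15.255 -> 255.0.240.0 ; 0.255.255.3 -> 255.0.0.252 (bitwise complement)."""
    return to_dotted(~to_int(wildcard) & ALL_ONES)


def is_contiguous(mask):
    """True for a classic prefix mask (a run of 1s then 0s), e.g. 255.255.255.0."""
    m = to_int(mask)
    return m == 0 or (m | (m - 1)) == ALL_ONES


def matches_wildcard(addr, base, wildcard):
    """Cisco semantics: every bit where the wildcard is 0 must equal the base."""
    return ((to_int(addr) ^ to_int(base)) & ~to_int(wildcard) & ALL_ONES) == 0


def matches_mask(addr, base, mask):
    """Netmask semantics: AND both sides with the mask and compare."""
    m = to_int(mask)
    return (to_int(addr) & m) == (to_int(base) & m)


def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def convert_ace(line):
    """Rewrite one ACL entry, replacing each 'A.B.C.D wildcard' pair with
    'A.B.C.D netmask'.  'any' and 'host X' are passed through unchanged."""
    tokens = line.split()
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        pair = (_is_ipv4(tok) and i + 1 < len(tokens)
                and _is_ipv4(tokens[i + 1]) and tokens[i - 1] != "host")
        if pair:
            out += [tok, wildcard_to_mask(tokens[i + 1])]
            i += 2
        else:
            out.append(tok)
            i += 1
    return " ".join(out)


def single_bit_neighbours(base):
    """base plus the 32 addresses differing from it in exactly one bit."""
    b = to_int(base)
    return [to_dotted(b ^ (1 << i)) for i in range(32)] + [base]


def same_decision(base, wildcard):
    """True when wildcard matching and converted-mask matching agree on every
    single-bit neighbour of base (i.e. on every mask bit individually)."""
    mask = wildcard_to_mask(wildcard)
    return all(matches_wildcard(a, base, wildcard) == matches_mask(a, base, mask)
               for a in single_bit_neighbours(base))


if __name__ == "__main__":
    for ace in ("10 permit tcp any 10.0.224.0 0.255.15.255",
                "20 permit ip 10.0.0.0 0.255.255.3"):
        print(f"{ace}  =>  {convert_ace(ace)}")
```

Because a discontinuous mask is still just an AND, `matches_mask` does not need to know whether the mask is contiguous; `is_contiguous` is there only so a migration script can report which converted entries would not be expressible as a plain prefix length on a platform that lacks discontinuous-mask support.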



Procurve 3400CL L3 Switch routing with Public IPs

Currently I have space in a datacenter (DC) where the DC supplies a copper cross-connect. The cross-connect is attached to a Procurve 3400CL Layer 3 switch. The switch is feeding 5 firewalls. I manage the switch via a private management vlan, the cross connect is on a separate vlan with the firewalls. There is no IP address assigned to the public vlan. Simple.

We are moving locations in the DC, and our network configuration is changing. In the new config the DC will allocate us a /30 network, via a fiber cross-connect. Our existing IP range will sit behind the /30. So we will need some very simple routing to make this work.

Is it safe to harden the config on the switch and use its layer 3 capabilities to handle this setup? My main concern is assigning a public IP address to the switch. Putting a public IP on a switch feels wrong, but maybe it is okay? Using this equipment would be preferable to adding a new router or firewall to handle this traffic.

Any thoughts or experience with this?

Any better hardware suggestions?

We are not a huge organization, budget is a factor.



VPLS Mesh Network Design Ideas

I have 5 sites interconnected by a service provider on top of a VPLS full mesh network. They are providing an ethernet hand-off at each location, no CE gear required for VPLS. Three of the sites will have two 500Mbps hand-offs (path diversification) on the VPLS mesh network, the remaining two sites will have 1 hand-off on the VPLS mesh (500Mbps) and another for the DIA drain (1Gbps). Because of the size of each location, a router needs to be placed at each location and should use ECMP for routing over the hand-offs. All equipment has to be redundant and the sites with the DIA drain need to have a firewall. Will also need QoS for real-time applications (VoIP). Any design recommendations?



Migrating core from Cisco 3750Gs to Nexus 3Ks

Hello

We will be migrating a customer's core from a stacked pair of 3750Gs to a pair of Nexus 3172Ps and would like to get some feedback on our migration plan.

Their network consists of 3 Dell switch stack pairs connected to the core. A pair of redundant F5s, a pair of redundant Cisco ASAs and the WAN links also connect to the core.

We plan on connecting a temporary Layer 2 trunk between the existing 3750Gs and new Nexus and migrating vlans one by one. Here's the proposed configuration:

!! Enable features !!
feature interface-vlan
feature dhcp
feature pbr
feature privilege
!feature telnet
feature vrrp
feature tacacs+
cfs ipv4 distribute
cfs eth distribute
feature hsrp
feature lacp
feature vpc
feature vtp
!feature sla sender
!feature sla responder
!feature sflow

!! Enable DHCP !!
service dhcp
ip dhcp relay
!ipv6 dhcp relay

!! Create vPC domain (Reverse the IPs on the secondary N3K) !!
vpc domain 1
  role priority 100
  peer-keepalive destination 172.19.42.26 source 172.19.42.25
  peer-gateway
  auto-recovery
  ip arp synchronize

!! configure port-channel and VPC for peer-link !!
interface port-channel47
  description vPC peer-link channel-group
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

!! Configure physical interfaces for peer-link !!
interface Ethernet1/47
  description vPC peer-link
  switchport mode trunk
  spanning-tree port type network
  channel-group 47 mode active
interface Ethernet1/48
  description vPC peer-link
  switchport mode trunk
  spanning-tree port type network
  channel-group 47 mode active

!! set default route !!
ip route 0.0.0.0 0.0.0.0 <firewall internal IP>

!! set NTP servers to local DCs !!
ntp server 172.19.34.7 prefer
ntp server 172.19.34.10

___________________________________

!! create test vlan !!
vlan 32
  name Test

!! Configure temporary L2 link to 3750s !!
interface Ethernet 1/x
  description L2 to 3750s
  switchport mode trunk
  switchport trunk allowed vlan 32
  spanning-tree port type network

!! configure test vlan - CURRENTLY L3 IS ON 3750s. TEST L2 FIRST !!
!interface Vlan32
!  description Test
!  no shutdown
!  no ip redirects
!  ip address 172.19.x.x/x
!  no ipv6 redirects
!  !hsrp with switch 2

___________________________________

!! configure port-channels & VPCs to downstream switches !!
interface port-channel101
  description VPC to SEA1C1R1DS0 sw1
  switchport mode trunk
  vpc 101
  shutdown
interface port-channel102
  description VPC to SEA1C1R1DS0 sw2
  switchport mode trunk
  vpc 102
  shutdown
interface port-channel103
  description VPC to SEA1C1R2DS0 sw1
  switchport mode trunk
  vpc 103
  shutdown
interface port-channel104
  description VPC to SEA1C1R2DS0 sw2
  switchport mode trunk
  vpc 104
  shutdown
interface port-channel105
  description VPC to SEA1C1R3DS1 sw1
  switchport mode trunk
  vpc 105
  shutdown
interface port-channel106
  description VPC to SEA1C1R3DS1 sw2
  switchport mode trunk
  vpc 106
  shutdown

!! configure physical interfaces to downstream switches !!
!!(Need speed/duplex?)
interface Ethernet1/1
  description VPC to SEA1C1R1DS0 sw1
  switchport mode trunk
  !! speed 10000
  !! duplex full
  channel-group 101 mode active
  shutdown
interface Ethernet1/2
  description VPC to SEA1C1R1DS0 sw2
  switchport mode trunk
  channel-group 102 mode active
  shutdown
interface Ethernet1/3
  description VPC to SEA1C1R2DS0 sw1
  switchport mode trunk
  channel-group 103 mode active
  shutdown
interface Ethernet1/4
  description VPC to SEA1C1R2DS0 sw2
  switchport mode trunk
  channel-group 104 mode active
  shutdown
interface Ethernet1/5
  description VPC to SEA1C1R3DS1 sw1
  switchport mode trunk
  channel-group 105 mode active
  shutdown
interface Ethernet1/6
  description VPC to SEA1C1R3DS1 sw2
  switchport mode trunk
  channel-group 106 mode active
  shutdown

_____

And here is the migration plan:

- Configure vPC peer-link between the N3Ks

- Connect temporary L2 trunk between N3ks and 3750s

- Create L2 vlan 32 on N3Ks and add to trunk port between N3Ks and 3750Gs. (Only allow vlan 32)

- Connect laptop to an N3K port in vlan 32, assign an available IP and test connectivity for the laptop

- Connect and configure N3K 10G ports, port-channel and vPCs to rack 3 Dell switches and only allow vlan 32 on trunk

- Configure Dell switch side uplink to only allow vlan 32

- Remove vlan 32 from 3750 port-channel to Dell switch and enable port-channel between rack 3 Dell switches and N3K

- Connect laptop to rack 3 Dell switch on vlan 32 and test connectivity

- Move vlan 32 SVI from 3750s to N3ks and test connectivity

- Repeat for other rack switches

- Repeat for other vlans

- Once no more traffic is going over 1G links from 3750s to rack switches, shut the ports down from the 3750 side

- Connect F5s to N3Ks and configure ports, port-channels and vpc

- Move external facing links over

- Move ASAs over

______

Any feedback/suggestions would be very much appreciated. We're trying to minimize downtime and break down the steps as much as possible to simplify troubleshooting and in case we need to backout. We also have some PBR so I imagine we'll need to have that in place on the Nexus before moving the SVIs over. Please let me know what further info you need, I can post the existing 3750 config if that's helpful.

Thanks

AK



Cisco AnyConnect VPN keeps reconnecting on Mac

Hello

We just spun up a new Cisco AnyConnect VPN environment for a customer and they are currently piloting the service. It is mostly working fine but there is one Mac machine that can't keep a stable connection. Every few minutes it loses connection and reconnects. We've tested other machines on the same network and they are stable. Also tested another Mac and it is also stable. Anyone come across this before? We are using AnyConnect client version 4.6.

Thanks

AK



Solarwinds User Device Tracking

Hi All, I think this is exactly what we need to monitor what is plugged into our switches: https://thwack.solarwinds.com/docs/DOC-173597 Has anyone here worked with this product and could give me some feedback on their experience? Thanks



Cisco nexus spanning-tree logging to syslog

I am trying to configure logging on a Cisco Nexus so it sends all spanning-tree event logs to syslog, but it looks like it's working.

I can see all other logs in syslog but nothing related to STP.

# sh run | grep logg
logging level spanning-tree 7
logging server 172.29.0.91 5 use-vrf management
logging origin-id hostname

What am I missing here?



Camera VLAN ACL

I am working on this very large network and I just want to double check my work.

I have a camera server on 192.168.19.77 that is on vlan 19.

I have a camera on 10.254.254.11 that is on vlan 500.

I want the server 192.168.19.77 to be able to talk to the camera vlan (10.254.254.0/24) and the camera vlan to talk only to the server.

I have this ACL

ip access-list extended SecCameraIN_ACL
  permit ip any host 192.168.19.77
ip access-list extended SecCamerasOUT_ACL
  permit ip 192.168.19.0 0.0.0.255 any

There are many other VLANs that are present in the network and I don't want them to have access to the physical camera on the 10.254.254.0/24 network, but I don't want to change any existing ACLs (this isn't my network).

Thanks for the help!
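One way to double-check an ACL like this before touching a production network is to evaluate it against a handful of sample flows. The following is an added example (not code from the post or from Cisco): a small evaluator for the two ACLs as posted, with first-match semantics and the implicit deny at the end. It assumes the IN ACL is applied to traffic arriving from the cameras and the OUT ACL to traffic headed towards them; the server and camera addresses are the post's, the "other VLAN" host 192.168.50.5 and the second VLAN 19 host 192.168.19.50 are constructed. The last flow shows that the outbound entry, as written, admits any source in 192.168.19.0/24 rather than only the server; `host 192.168.19.77` would match the stated intent more tightly.

```python
"""Evaluate the two camera ACLs from the post against sample flows.

Added example; not code from the original post or from Cisco.  The ACL
text is the post's; the extra hosts and the flow labels are constructed.
Only the address matching of plain 'ip' entries is modelled, which is all
the post's entries use.
"""
import ipaddress

SEC_CAMERA_IN = """
ip access-list extended SecCameraIN_ACL
 permit ip any host 192.168.19.77
"""
SEC_CAMERAS_OUT = """
ip access-list extended SecCamerasOUT_ACL
 permit ip 192.168.19.0 0.0.0.255 any
"""
ALL_ONES = 0xFFFFFFFF


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _take_spec(tokens):
    """Pop one address spec: 'any' | 'host A' | 'A wildcard'; return (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, ALL_ONES
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))


def parse_acl(text):
    """Return [(action, proto, (src_base, src_wild), (dst_base, dst_wild)), ...]."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # header line, blank line, remark
        action, proto = tokens[0], tokens[1]
        rest = tokens[2:]
        src = _take_spec(rest)
        dst = _take_spec(rest)
        aces.append((action, proto, src, dst))
    return aces


def _matches(addr, spec):
    """Cisco wildcard semantics: bits where the wildcard is 0 must equal the base."""
    base, wild = spec
    return ((addr ^ base) & ~wild & ALL_ONES) == 0


def evaluate(aces, src, dst, proto="ip"):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, p, src_spec, dst_spec in aces:
        if p in ("ip", proto) and _matches(s, src_spec) and _matches(d, dst_spec):
            return action
    return "deny"


SERVER = "192.168.19.77"        # VLAN 19, from the post
CAMERA = "10.254.254.11"        # VLAN 500, from the post
VLAN19_OTHER = "192.168.19.50"  # constructed: another host on VLAN 19
OTHER_VLAN = "192.168.50.5"     # constructed: a host on an unrelated VLAN


def camera_policy():
    """Decision for each sample flow.  Assumption: traffic from cameras is
    checked against the IN ACL, traffic towards cameras against the OUT ACL."""
    acl_in = parse_acl(SEC_CAMERA_IN)
    acl_out = parse_acl(SEC_CAMERAS_OUT)
    return {
        "camera -> server":      evaluate(acl_in, CAMERA, SERVER),
        "camera -> other VLAN":  evaluate(acl_in, CAMERA, OTHER_VLAN),
        "server -> camera":      evaluate(acl_out, SERVER, CAMERA),
        "other VLAN -> camera":  evaluate(acl_out, OTHER_VLAN, CAMERA),
        "VLAN19 host -> camera": evaluate(acl_out, VLAN19_OTHER, CAMERA),
    }


if __name__ == "__main__":
    for flow, verdict in camera_policy().items():
        print(f"{flow:<24} {verdict}")
```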



Over-utilizing a 10g link by almost a factor of 3x

I've run into a peculiar situation where we have a 10gig link on a FEX N2K-C2348TQ-10GE that's homed on an NX-7710.
I was looking into some highly utilized interfaces from our monitoring tools and I stumbled upon this. I'm in the process of gathering flow data as well, to get a traffic summary, but has anyone ever seen anything remotely like this?
** This is a simple access port, no Po/vPC config or anything crazy.

Ethernet106/1/23 is up
admin state is up, Dedicated Interface
  Hardware: 100/1000/10000 Ethernet, address: --------------------
  Description: <redacted>
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec
  reliability 255/255, txload 255/255, rxload 255/255
  Encapsulation ARPA, medium is broadcast
  Port mode is access
  full-duplex, 10 Gb/s
  Beacon is turned off
  Auto-Negotiation is turned on
  Input flow-control is off, output flow-control is on
  Auto-mdix is turned off
  Switchport monitor is off
  EtherType is 0x8100
  Last link flapped 6d01h
  Last clearing of "show interface" counters never
  52 interface resets
  Load-Interval #1: 30 seconds
    30 seconds input rate 30027256248 bits/sec, 8777016 packets/sec
    30 seconds output rate 27749913728 bits/sec, 9823523 packets/sec
    input rate 30.03 Gbps, 8.78 Mpps; output rate 27.75 Gbps, 9.82 Mpps
  Load-Interval #2: 5 minute (300 seconds)
    300 seconds input rate 30034653080 bits/sec, 8778763 packets/sec
    300 seconds output rate 27756727008 bits/sec, 9825391 packets/sec
    input rate 30.03 Gbps, 8.78 Mpps; output rate 27.76 Gbps, 9.82 Mpps
  RX
    40527132025436559 unicast packets  12322847223540 multicast packets  5547494535 broadcast packets
    40539459804483238 input packets  18170409363119202701 bytes
    0 jumbo packets  0 storm suppression packets
    0 runts  0 giants  0 CRC/FCS  0 no buffer
    0 input error  0 short frame  0 overrun  0 underrun  0 ignored
    0 watchdog  0 bad etype drop  0 bad proto drop  0 if down drop
    0 input with dribble  0 input discard
    0 Rx pause
  TX
    40256512917375743 unicast packets  23028410478238 multicast packets  3139573021494095 broadcast packets
    43419103815088140 output packets  743404020901669 bytes
    0 jumbo packets
    0 output error  0 collision  0 deferred  0 late collision
    0 lost carrier  0 no carrier  0 babble  0 output discard
    0 Tx pause
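A rate of 30 Gb/s on a 10 Gb/s port cannot be traffic, so the first thing to establish is which counters are inconsistent with the physics of the link before chasing a capacity problem. The following is an added example (not code from the post or from Cisco) that parses the BW and rate lines reproduced from the output above and flags any interval whose bit rate exceeds 100% of the link or whose packet rate exceeds the line-rate ceiling for minimum-size frames (84 bytes on the wire, so about 14.88 Mpps at 10 Gb/s). Here the bit rates are impossible while the packet rates are not, which points at the byte/bit counters (wrap, snapshot mismatch or a platform defect) rather than at real load.

```python
"""Sanity-check interface rate counters against the link's nominal bandwidth.

Added example; not code from the original post or from Cisco.  SAMPLE
reproduces the BW and rate lines from the show interface output above so
the parser runs offline.
"""
import re

SAMPLE = """\
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec
  Load-Interval #1: 30 seconds
    30 seconds input rate 30027256248 bits/sec, 8777016 packets/sec
    30 seconds output rate 27749913728 bits/sec, 9823523 packets/sec
  Load-Interval #2: 5 minute (300 seconds)
    300 seconds input rate 30034653080 bits/sec, 8778763 packets/sec
    300 seconds output rate 27756727008 bits/sec, 9825391 packets/sec
"""

BW_RE = re.compile(r"BW (\d+) Kbit")
RATE_RE = re.compile(
    r"(\d+) seconds (input|output) rate (\d+) bits/sec, (\d+) packets/sec")

# Smallest Ethernet frame on the wire: 64 B frame + 8 B preamble/SFD +
# 12 B inter-frame gap = 84 B, so 10 Gb/s carries at most ~14.88 Mpps.
MIN_WIRE_BYTES = 64 + 8 + 12


def max_pps(link_bps):
    """Upper bound on packets/sec the link can physically carry."""
    return link_bps // (8 * MIN_WIRE_BYTES)


def parse_rates(text):
    """Return (link_bps, rows); each row carries the parsed rate, its
    utilization in percent and the implied average frame size."""
    bw_kbit = int(BW_RE.search(text).group(1))
    link_bps = bw_kbit * 1000
    rows = []
    for interval, direction, bps, pps in RATE_RE.findall(text):
        bps, pps = int(bps), int(pps)
        rows.append({
            "interval_s": int(interval),
            "direction": direction,
            "bps": bps,
            "pps": pps,
            "utilization_pct": bps * 100 / link_bps,
            "avg_frame_bytes": bps / 8 / pps if pps else None,
        })
    return link_bps, rows


def implausible(link_bps, rows):
    """Rows whose bit rate or packet rate exceeds what the link can carry.

    Such a value cannot be real traffic; it indicates a counter problem
    (wrap, polling/snapshot mismatch, platform bug) to investigate before
    treating the link as saturated.
    """
    ceiling_pps = max_pps(link_bps)
    return [r for r in rows
            if r["utilization_pct"] > 100.0 or r["pps"] > ceiling_pps]


if __name__ == "__main__":
    link, rows = parse_rates(SAMPLE)
    bad = implausible(link, rows)
    for r in rows:
        flag = "!!" if r in bad else "ok"
        print(f"{flag} {r['interval_s']:>4}s {r['direction']:<6} "
              f"{r['utilization_pct']:7.2f}% of {link // 10**9} Gb/s, "
              f"{r['pps'] / 1e6:.2f} Mpps "
              f"(avg {r['avg_frame_bytes']:.0f} B/frame)")
```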



Cisco Nexus HSRP + Dynamic routing

I'm working on deploying a pair of Nexus 3k Switches to act as the layer 3 core of our network. They are replacing an existing stack of layer 3 Dell switches. But I'm having some trouble wrapping my head around how to get dynamic routing to work.

Topology is:

Edge Switches (layer 2) > Old Dell / new Nexus Pair (Layer 3) > Fortigate Firewall > Internet/MPLS

https://imgur.com/a/cqtlcj6

The Fortigates terminate our MPLS and Internet. All of our LAN VLANs terminate on the Dell stack. There is a dedicated /24 transit network in between the Fortigates and the Layer 3 switches. The Dell stack and the Fortigates share routing updates using RIP.

Because the Nexus switches don't stack I'm running HSRP and VPCs for layer 3 redundancy for our LAN VLAN interfaces.

I can add the transit VLAN to the Nexus switches so that they can send traffic to the Fortigates.

But I assume I can't run HSRP on the transit VLAN and use the virtual IP for the routing protocol?

If I put an interface IP on each Nexus and use that for routing updates, how do I configure the Nexus switches so that the Fortigates know which switch is active and which is passive? Or do I care?



Since Friday have experienced multiple power/network failures. 95% back, can't get *some* Macbooks onto Wireless

Hi all -

Really strange one here that has me starting to pull my hair out. A disclaimer, I am not a network admin but I am in contact with our network admins so I can relay things back and forth with them.

The short story is Friday we had two unexpected power downs when our UPS was down for maintenance. We lost all power to networking/server gear. I had to replace one Cisco 3750 in a 4 port Stackwise stack but that was the only piece of gear we lost.

Sunday we had a building wide power outage, but everything failed over to UPS, then generator as it was supposed to.

Tuesday we had a switching loop develop on one of the floors that somehow took our network down completely.

It's been a bad week.

The one outlying issue that has occurred since the initial outages on Friday (which was happening on Monday, before the entire network dropped on Tuesday) is that I have a group of Macbooks that are unable to receive any addresses from the floor we had to replace the switch on. It is only Macbooks and one iPhone that appears to be affected. We have the 2015 MBP and the 2018 MBP w/Touchbar for models and the iPhone that's affected is the iPhone 7s I think.

Edit: This has only been an issue since the outage. These Macbooks always were able to connect to wireless properly prior to the outage

The Macbooks themselves return a 169.x.x.x address but I don't think DHCP is the culprit because these Macbooks ALL connect on other floors, where the exact same infrastructure is in place. Additionally I manually set an IP address and confirmed I had network connectivity where I sit, but as soon as I go to the floor with an issue, I lose all connectivity.

Our infrastructure is Meraki for our APs, with majority of our switches being Cisco.

The troubleshooting I have done has spanned the last 3 days. I am at my limit for testing and am making no headway.

Here's the list I've done (and I'm probably forgetting some steps):

  • Tested across multiple Mac OS versions (Mojave and High Sierra)
  • Removed the network list and apple airport .PLIST files from the system configuration on the Macbook.
  • Ran multiple Wirecaps. If I filter by bootp references, I see when I initially connect to the network, nothing but DHCP Discover messages on the faulty floor but when I move to the other floors, the entire DHCP process flows properly.
  • Tested with a Windows PC - unable to replicate the issue, connects just fine
  • Removed any network management that we had in place by Jamf from the Macbooks having issues
  • Deleted and re-added the RADIUS server certificates

It appears that the RADIUS servers are authenticating the connection because in the network connection control panel, I see that the 802.1x is authenticated, it's immediately after that they seem to lose all traffic and connectivity and return the 169.x.x.x address.

I feel like this issue is like a black hole. I can observe the effects, I can run all the tests in the world to confirm it is there, but I. Can. Not. find the root cause of it.

I'm out of things to test, because I think the things I need to look at are things I don't even know about. Please help save my sanity.

Edit: one other thing of note. We serve 3 SSIDs from the WAPs and two of them get DHCP from Windows DHCP servers and one is served from another location.



Why on earth would you use errdisable recovery cause bpduguard

So this command has bitten us on the ass big time, which was implemented by an old team who are no longer here

errdisable recovery cause bpduguard

Someone caused a physical loop which took the network down and BPDU guard did its thing to shutdown the port and stop the loop, but thanks to aforementioned command the port kept coming back up every 30 seconds causing the network to be really unstable.

I'm trying to figure out why recovering a port with bpduguard is even allowed. If BPDU guard kicks in we want that port shut, and manual intervention should be the only way to fix it, in my opinion.

In what sort of situation is the command useful?



IGMP Querier/PIM confusion

Hello

I'm a bit confused regarding IGMP Querier on an L3 switch. I have a network with 2 VLANs, A and B, routed by an L3 switch.

On VLAN A I have hosts that need to receive a multicast stream. On VLAN B I only have a streamer, but its IP is not reachable. Basically, from A I can ping the B SVI but nothing more.

I've enabled PIM sparse-dense on both SVIs but multicast traffic is not being forwarded. If, on the B SVI, I manually join the group (ip igmp join-group X.X.X.X), it is.

I've figured that I need a querier on VLAN B to subscribe to the multicast group (on behalf of my hosts from VLAN A), but I can't enable IGMP Querier on an interface that is running PIM.

So I'm a bit lost. How can you route multicast traffic if the source is not reachable from your other subnets? Or maybe I've got it all wrong; in that case I need your lights :D



Wireless AP - Which vendor is this?

Hello,

I recently noticed there are two wireless APs forming a wireless bridge to facilitate a single security camera (I knew of the camera, not the APs -- nor did the admin who facilitated the install, but whatever).

Anywho -- I don't recognize this logo, and the company who installed it simply said "we plugged it in with all defaults and it just worked" -- so, not much help.

Side note, starting to do some PCI compliance stuff, and something about not knowing anything about key networking gear with defaults used likely isn't kosher.

If you can assist with what make/model it is, I would be greatly appreciative.

Thank-you!

Image link: https://imgur.com/a/Ft3gJ5t

Edit: Doing a reverse image search returns IKEA furniture. So. That's neat.



Total noob, need straightening out

My friends,

Help me understand public IP address assignment. I've run into an environment where each publicly accessible server has its own dedicated public IP. They are in a DMZ but their NICs are all using private addressing. Where are the public IPs for those services assigned?

My understanding was you could preserve public address allocation by using port forwarding, i.e.:

  • 1.1.1.1:443 ---> 192.168.1.1
  • 1.1.1.1:3389 --> 192.168.1.2
  • 1.1.1.1:5345 --> 192.168.1.3

What are the limitations of this? Where is the address "1.1.1.1" actually assigned within your environment in this configuration? Is it a WAN port on your firewall? What if I have 15 public IPs and want them all configured this way? Do I need 15 WAN ports or interfaces on my firewall?

Alternatively, can I directly assign public IPs to my web-facing servers and stick them in a DMZ?

What are the limitations of this? I understand you run out of IPs quicker than you would with the previous method, but are there any other limitations?

Appreciate it and thanks for your patience with a total novice!



Cisco switches for an acidic environment.

*edit: 3 recommendations for a sealed cabinet with a DIN mounted switch. Thanks everyone! I will recommend this route be taken.

I am comparing the Cisco options for a switch in an airborne acidic environment. I am comparing the 2000 and 3200 series. The specific questions are based around:

  1. Conformal coating
  2. SD Card requirements

I am sure 1 and 3 can be answered by our VAR. I am really hoping for people's experience on question 2.

  1. As mentioned, the switch will be in an airborne acidic environment. I see that the IE-2000 series has a few models that come with conformal coating. Today is my first time dealing with installing gear in acidic environments. For anyone that has, do you opt for the models with conformal coating? Do you find it makes a big difference over time? It is only the larger models that offer this.
  2. The 3200 series explicitly says that the SD card is optional. On the Accessories list for the IE-2000, it says the SD card must be ordered as it does not come by default. I assume the SD card is optional for all models (as a local backup for easy switch swapping by non-technical people). Can anyone confirm?

Other than the acidic environment, the rest of the requirements are quite low. 4 copper ports (100 or 1000), 1 SFP port (1000), Cisco IOS based. We will pick up the 19" rack mount accessory and a power supply to match.



Credentials showings

how do you guys have your credentials next to your username? IE: username CCNA



Tips on deploying IPv6 at scale?

Hello /r/networking,

I'm really curious to see how everyone else is doing IPv6 deployments at an enterprise scale (if at all).

My questions are:

  1. How are you assigning/tracking addresses throughout your environment?
  2. How are you handling security without NAT? What kind of ACLs are you applying at the edge?
  3. Any other gotchas doing this at scale?


Remote Site Setup and Security

I have been tasked with setting up remote access to our network from a moving vehicle. These trucks will have 2+ CCTV cameras, laptop access, and various vehicle sensors returning data. The IR829 looked like a good match, so I ordered one, grabbed our spare ASR and an old 3850, and set up a stand-alone test site. I have never set up remote site access, let alone a mobile one. Because ultimately there will be multiple trucks running something like this, I made a pool for a GRE IPSec tunnel, run BGP across the tunnel, and used EIGRP for internal. Everything connected, and then I unplugged it all because I am concerned I do not have enough security for the public-facing devices. Is there anything else I should be adding for security purposes? Should I have traveled down another path altogether?

Test Site Layout

https://imgur.com/a/QAQdp3G

BaseTest Run File

https://pastebin.com/Nw2Faszi

RemoteTest Run File

https://pastebin.com/z01Exj7K



OSPF Routing on Firewall

Hi all

I'm looking for pros/cons of enabling the firewall to participate in OSPF and any real world experiences you have seen with it.



24p switch under $500 with at least 1 10gbase-t port

Hey there,

Long story short, the 1G connection on my QNAP NAS is not enough anymore, but it comes with a 10GBASE-T connection (TVS-672XT).

My switch needs replacement anyway (I only have 12 ports and I need 21 now), so I was thinking of killing 2 birds with one stone by getting a 24-port switch with a 10GBASE-T port on it to solve my NAS bandwidth issue as well as my current 21-port requirement.

So I need at least 1 10GBASE-T port for my NAS; any additional SFP+ is always nice to have for future expansion and stacking.

Big criterion: I don't want a CLI-managed switch, I'm too old and lazy for that.

I have considered SFP+ switches, but then I would need:

- a new NIC in my NAS (+$200)

- new cables, as I already have a Cat6a to my NAS (about 20ft away)

- I am not convinced by SFP+ to RJ45 transceivers (unless someone can convince me otherwise, the power consumption issue seems like a showstopper)

I am also trying to stay under the $500 mark while still getting a switch with room for expansion.

So looking at used switches, I found:

- HPE 1950 around $400; does anyone know if the 10GBASE-T ports on that one are for stacking purposes only?

- Arista DCS-7050T, still under $500, but CLI only

- Mikrotik CSS326: $140 + $65 for the transceiver; only 2 SFP+ ports and fewer capabilities compared to the HPE 1950

Any other brilliant ideas? A cheap Cisco? A switch with an expansion slot that allows 10GBASE-T?



Nexus / NX-OS Book Recommendations.

Hey, y'all. I'm looking for a good book on NX-OS (Cisco Nexus), specifically on the troubleshooting/application side. I'm about to finish up my NP and as I deal with Nexus boxes a lot in my day to day job I was just looking for some more in depth knowledge.

I looked on Amazon and Google, but they both came back with the same book (Troubleshooting Cisco Nexus Switches and NX-OS (Networking Technology)). Maybe this is the only good book, I don't know, but I thought I would ask here.

Thanks.



Triggering the usage of MU-MIMO with 802.11ac devices

I don't know if this is allowed here or more suitable for /r/homenetworking; in any case it may still be relevant for enterprise & business settings.

Objective: Trigger MU-MIMO in a setup with 1 AP and 2 WiFi clients, all 802.11ac MU-MIMO capable. I'm particularly interested in capturing the exchange of sounding frames (sent by the AP) and management frames containing feedback matrices (sent by the clients).

Problem: Recently I have gained access to a few TP-Link Talon AD7200 routers, which are equipped with 802.11ac radios. To test their MIMO capabilities, I have followed the method described below to trigger the use of MU-MIMO.

However, after running iperf3 tests and analyzing packet captures, I can't find any sounding frames or frames containing feedback matrices, which suggests MU-MIMO isn't being triggered.

My questions:

  • In general, how does an AP 'decide' to use MU-MIMO? What conditions must be satisfied?
  • Can you suggest a good method to trigger MU-MIMO with the hardware I have?
  • Can you spot something fundamentally wrong with my method and setup?

My Setup (w/ diagram):

  • AP :
    • TP-Link Talon AD7200
    • OS: OpenWRT LEDE (v17.01)
    • WiFi: 802.11ac, freq. 5170–5250, 80 MHz channel bandwidth
  • Clients : TP-Link Talon AD7200, running OpenWRT LEDE (v17.01)
  • For convenience and SSH access, all nodes are accessible via a wired LAN, in a different subnet from that used in the WiFi network.

    [Network diagram (ASCII art flattened during extraction): the gateway (eth0 192.168.1.1) and the eth0 ports of the AP (192.168.1.v), client 1 (192.168.1.z) and client 2 (192.168.1.w) sit on the wired 192.168.1.0 management LAN; the AP's wlan0 is 192.168.10.1, and client 1 (wlan0 192.168.10.x) and client 2 (wlan0 192.168.10.y) associate to it on the 192.168.10.0 WiFi network.]

Methodology: As a first step, I tried to understand the exact 802.11ac capabilities of the routers, and confirmed they are MU-beamformer/ee capable:

Then, I've set one of the TP-Links as AP, and two TP-Links as clients, located 1 to 2 meters from the AP, in diametrically opposed directions. All of the nodes are at the same height.

I start an iperf3 server at the AP - iperf3 -s - and run iperf3 in reverse mode (i.e., with the -R option) at both clients to generate downlink TCP traffic (i.e., from the AP to the clients). iperf3 reports throughputs between 300 and 500 Mbps, in both clients.
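The capability check in the post ("MU-beamformer/ee capable") comes from the VHT Capabilities word that `iw phy <phyX> info` prints as "VHT Capabilities (0x........)". The following is an added example, not the poster's commands or output: it decodes that 32-bit field by the 802.11ac bit layout and checks the role pairing downlink MU-MIMO needs (an AP advertising MU Beamformer and at least two clients advertising MU Beamformee). The hex values in the test are constructed, not read from a Talon AD7200.

```python
# Added example (not from the original post): decode the 32-bit VHT
# Capabilities Info field that `iw phy <phyX> info` prints as
# "VHT Capabilities (0x........)" and check the MU-MIMO role pairing an AP
# and its clients must advertise.  Bit positions follow the 802.11ac VHT
# Capabilities Info field; any hex values used with it are constructed.
import re

VHT_FLAG_BITS = {
    "rx_ldpc": 4,
    "short_gi_80": 5,
    "short_gi_160": 6,
    "tx_stbc": 7,
    "su_beamformer": 11,
    "su_beamformee": 12,
    "mu_beamformer": 19,   # AP side of MU-MIMO
    "mu_beamformee": 20,   # client side of MU-MIMO
    "vht_txop_ps": 21,
    "htc_vht": 22,
}
MAX_MPDU_LEN = {0: 3895, 1: 7991, 2: 11454}


def decode_vht_caps(value):
    """Split the VHT Capabilities Info word into named fields."""
    caps = {name: bool((value >> bit) & 1) for name, bit in VHT_FLAG_BITS.items()}
    caps["max_mpdu_len"] = MAX_MPDU_LEN.get(value & 0x3)        # B0-1
    caps["chan_width_set"] = (value >> 2) & 0x3                 # B2-3: 0 = 80 MHz only
    caps["rx_stbc_streams"] = (value >> 8) & 0x7                # B8-10
    caps["beamformee_sts"] = ((value >> 13) & 0x7) + 1          # B13-15: max STS the beamformee accepts
    caps["sounding_dimensions"] = ((value >> 16) & 0x7) + 1     # B16-18: max sounding dimensions
    caps["max_ampdu_len_exp"] = (value >> 23) & 0x7             # B23-25
    return caps


def vht_caps_from_iw(iw_text):
    """Pull every 'VHT Capabilities (0x...)' word out of `iw phy` output (one per band)."""
    return [int(h, 16) for h in re.findall(r"VHT Capabilities \((0x[0-9a-fA-F]+)\)", iw_text)]


def mu_mimo_possible(ap_caps, client_caps):
    """Downlink MU-MIMO needs an AP advertising MU Beamformer with >= 2 sounding
    dimensions and at least two associated clients advertising MU Beamformee."""
    if not ap_caps["mu_beamformer"]:
        return False, "AP does not advertise MU Beamformer"
    if ap_caps["sounding_dimensions"] < 2:
        return False, "AP advertises a single sounding dimension"
    eligible = [c for c in client_caps if c["mu_beamformee"]]
    if len(eligible) < 2:
        return False, f"only {len(eligible)} MU Beamformee capable client(s)"
    return True, "capabilities line up; whether MU groups actually get scheduled is up to the AP firmware"
```

A passing capability check only says the hardware may sound and group clients; the AP driver still decides per TXOP, so an empty capture of NDP Announcement / compressed-beamforming frames is not contradicted by this check.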



Palo Alto - determining cause of going over ISP circuit limit?

Basic “failover” admin here who gets to babysit the small environment's PA 3020. Basically, from what I have discovered with our ISP, we’re going over our 500Mb circuit cap, which means packet loss and slowness for us, apparently.
Is there a way within PA 3020 to get useful information to help determine what’s putting us over that? I checked traffic and I see certain users with amount of data usage, and that HTTPS SSL is like 90% of all traffic.
Or is the ISP supposed to provide a report that would show what I’m looking for?



Corning Clear Curve Video - How was it made?

Hi everyone,

I have been thinking about this a lot, and since I'm getting into the fiber area and I discovered this video from Corning, I wanted to know if any of you have any idea how they made this "small network", with which intermediates, technology, etc.

https://www.youtube.com/watch?v=UBt00CVvMBA&t=1s

I would really appreciate the help because I want to do a test like this!

Best Regards



What used 10gb sfp switch would you recommended for a deployment?

Need probably 50 switches for business deployment, 10gb sfp would be overkill but gives the sites plenty of headroom and consistency.

Cisco fabric was recommended but I don't know if licensing is an issue... And my limited information has me a bit lost on how easy or hard fabric is to configure.



How would you design this network?

Hey guys,

Just wondering if someone can help me with this network design I gotta do. One of our remote offices in Europe is moving to a new location which is a serviced office. This new office has its own IT team and will not let us install any NTU or move any of our services across. They do not let us install access points or DHCP either. All we can get is dedicated internet bandwidth.

Current office, we have MPLS and ISDN but we're not going to have any of these in the new office.

Now what would you do in this situation to connect that office to the head office? We only have a few staff in that office, so I was thinking of either establishing a GRE tunnel to our head office or using a VPN app on the users' PCs. Then I'm not quite sure what to do with voice, as ISDN is not available either.

I'd appreciate any feedback on this, thanks!



Wednesday, May 8, 2019

Summer Research Suggestions

So I was accepted into a summer research program at my university, and will be working with my professor that taught my intro to networking class. I’m new to the networking world and need to come up with a research project. I want to research something meaningful that could help me get a job when I graduate.

My current areas of interest are security, traffic / data analysis, maybe 5g. I just don’t know where to start and don’t want to get in over my head, but want to research something interesting.

Any thoughts / suggestions? Thanks!



I was able to access a skyscraper's roof-top restaurant's Wi-Fi from more than half a mile away (from another rooftop).

Kinda cool.

My laptop remembered the network from when I had been to this restaurant (on my phone, but keychains are linked).

It only could connect from my laptop (large antenna), and only when the antenna was pretty much perpendicular to the building.



[Question] Can my university see my P2P shared file, will I get in trouble?

I forgot my USB cable so I used Resilio Sync (https://www.resilio.com) to copy a video and some PDFs I needed to my phone. The app uses P2P over the uni wifi and I got to wondering:

If I moved a pirated movie from my laptop to my phone over the uni wifi, can they see the file name and/or access the file somehow? For this hypothetical, the uni policy is a strict no-no to sharing of copyrighted and illegal content and the movie was pirated off the uni system (didn't use their internet but my own to get the movie).

I won't get in trouble for the assignment video and PDFs needed to study today, I was just thinking about stuff I do at home that I haven't done (yet?) at uni.

Thanks



Best tool for internal proxy? Details inside.

I am looking to setup an internal proxy that would forward all traffic received to an external haproxy server with the exception of any traffic with a specific destination IP I specify. So basically I want this internal proxy to send traffic with a specific destination IP direct, while sending all other traffic to an external haproxy server. What tool would work best for this? Thank you!



Procurve Switch - MAC address plugged into ports

Hello, we have ProCurve and Aruba Switches. We use a monitoring product called PRTG. I would like to know if there is a way using a MIB to detect port changes, specifically, to keep track of MAC addresses plugged into ports and have alerts when changes are detected. It wouldn't need to be in exact real-time. Is there a way to do this? Thank You!



SSH Monitoring question

Anyone know a simple solution for monitoring data downloads via SSH? For example, Sys Admin 1 has access to Server A (a file repository, MySQL or MongoDB). They connect to the server via SSH and at some point download data. I just need to know data was downloaded and by whom. I don't need to stop the download.

Other info: All servers are Linux, and all servers are accessed via SSH. I'm aware that someone with networking skills could likely work around anything put in place.

Thanks!
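One low-effort way to get "who pulled what" for the SFTP part of this is OpenSSH's own sftp-server logging: with `Subsystem sftp internal-sftp -l INFO` in sshd_config, each session logs a "session opened for local user ... from [...]" line and every file close logs "close "<path>" bytes read N written M". The parser below is an added example, not from the post or from OpenSSH; the log lines in it are constructed to mirror that format, and the sshd_config setting is an assumption about the server. It ties each close line back to the user and source address via the sftp-server PID and reports reads as downloads.

```python
# Added example (not from the original post): extract "who downloaded what"
# from OpenSSH sftp-server logs.  Assumes sshd_config has
#     Subsystem sftp internal-sftp -l INFO
# so session open/close and per-file close lines (with byte counts) are logged.
# The log text below is constructed; copies done through a shell (scp, cat over
# ssh) do not show up here and need auditd or similar.
import re

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
SESSION_RE = re.compile(r"^session opened for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]$")
CLOSE_RE = re.compile(r'^close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)$')

SAMPLE_LOG = """\
May  8 09:12:01 servera sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:constructed
May  8 09:12:01 servera sftp-server[2233]: session opened for local user alice from [10.0.0.5]
May  8 09:12:03 servera sftp-server[2233]: open "/srv/data/customers.csv" flags READ mode 0666
May  8 09:12:04 servera sftp-server[2233]: close "/srv/data/customers.csv" bytes read 5242880 written 0
May  8 09:12:10 servera sftp-server[2233]: open "/srv/data/upload.bin" flags WRITE,CREATE,TRUNCATE mode 0644
May  8 09:12:11 servera sftp-server[2233]: close "/srv/data/upload.bin" bytes read 0 written 1024
May  8 09:13:00 servera sftp-server[2240]: session opened for local user bob from [10.0.0.9]
May  8 09:13:05 servera sftp-server[2240]: close "/srv/data/dump.sql" bytes read 42 written 0
May  8 09:13:20 servera sftp-server[2233]: session closed for local user alice from [10.0.0.5]
"""


def extract_downloads(log_text, min_bytes=1):
    """Return (timestamp, user, source_ip, path, bytes_read) for every file read via sftp.

    Sessions are keyed by the sftp-server PID so a later close line can be
    attributed to the user and address that opened the session.  Uploads
    (bytes read 0) are ignored; min_bytes filters out trivial reads.
    """
    sessions = {}
    downloads = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or not m.group("prog").startswith("sftp-server"):
            continue
        pid, msg = m.group("pid"), m.group("msg")
        s = SESSION_RE.match(msg)
        if s:
            sessions[pid] = (s.group("user"), s.group("ip"))
            continue
        c = CLOSE_RE.match(msg)
        if c and int(c.group("read")) >= min_bytes:
            user, ip = sessions.get(pid, ("?", "?"))
            downloads.append((m.group("ts"), user, ip, c.group("path"), int(c.group("read"))))
    return downloads


if __name__ == "__main__":
    for ts, user, ip, path, nbytes in extract_downloads(SAMPLE_LOG):
        print(f"{ts} {user}@{ip} read {nbytes} bytes from {path}")
```

Ship the logs to a central host first: a user who can read the file repository can usually also edit the local log, which is the work-around the post already anticipates.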



Simple switch config query - pinging a vlan interface.

Really quick query here and apologies for it being such a basic one but just wanted a definitive answer.

I have a switch with multiple VLANS and each VLAN has an IP ADDRESS configured on it. Is it normal that I can only ping the VLAN IP ADDRESS when there is something active on the VLAN? For example a port tagged with the VLAN in question has a device connected to it? I've rarely configured a switch from scratch before and this is something that seems to be the case but I just wanted some confirmation as it may just be the switch I'm working on has a weird idiosyncrasy. Aruba 2930.



Small ISP, many service blocks. What to do?

Hi all,

I work for a small FTTP ISP. We recently purchased some new IPv4 blocks, notably some from the less popular parts of Europe. We had many customers complain that their IP was showing up as being part of those unfavourable countries, and thus they couldn't access many UK services such as BBC iPlayer, or even websites like nectar.com.

I have already made a significant effort to correct as much of this with big fraud database providers as possible, such as MaxMind and a few others, however this has not done much for us.

If you were in a situation where a handful per hundred of customers in a small customer base were being affected by such a problem, how would you look to deal with it?

As far as I am able to see, all of our IP blocks are properly set up in RIPE with the UK as our country, and MaxMind and a few others are returning the correct country.

Thanks.



Network alerting

Hello Redditors,

I'm new to networking. Is there any software/device that can alert me when a computer/device is connected to my LAN? Some users are connecting their laptops to my work network, and I'm not comfortable with that; I thought maybe someone could sniff the LAN.

Thanks in advance
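Both the ProCurve/PRTG question above (track which MAC sits behind which port and alert on changes) and this one (alert when an unknown device appears) can be answered from the same data: the switch's bridge forwarding table, BRIDGE-MIB::dot1dTpFdbPort (1.3.6.1.2.1.17.4.3.1.2), indexed by the MAC address as six decimal octets. The script below is an added example, not from either post or from any vendor: it diffs two walks of that table and reports new, moved and vanished MACs, flagging new ones that are not in an inventory. The walk text is constructed in `snmpwalk -On` style, and the inventory is made up.

```python
# Added example (not from the original posts): detect MAC/port changes on a
# switch by diffing two walks of BRIDGE-MIB::dot1dTpFdbPort (the bridge
# forwarding table, indexed by MAC as six decimal octets).  The walk text is
# constructed in `snmpwalk -On` style, not captured from a real switch; the
# inventory of expected MACs is likewise made up.
import re

DOT1D_TP_FDB_PORT = ".1.3.6.1.2.1.17.4.3.1.2"
WALK_LINE_RE = re.compile(r"^(?P<oid>\.[\d.]+)\s*=\s*INTEGER:\s*(?P<port>\d+)\s*$")

WALK_T0 = """\
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 12
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.86 = INTEGER: 13
.1.3.6.1.2.1.17.4.3.1.2.172.222.72.0.17.34 = INTEGER: 24
"""
WALK_T1 = """\
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 12
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.86 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.2.184.39.235.1.2.3 = INTEGER: 5
"""
INVENTORY = {"00:11:22:33:44:55", "00:11:22:33:44:56", "ac:de:48:00:11:22"}


def parse_fdb_walk(text):
    """Map 'aa:bb:cc:dd:ee:ff' -> bridge port number from walk output."""
    table = {}
    prefix = DOT1D_TP_FDB_PORT + "."
    for line in text.splitlines():
        m = WALK_LINE_RE.match(line.strip())
        if not m or not m.group("oid").startswith(prefix):
            continue
        octets = m.group("oid")[len(prefix):].split(".")
        if len(octets) != 6:
            continue                      # not a MAC-indexed row
        mac = ":".join(f"{int(o):02x}" for o in octets)
        table[mac] = int(m.group("port"))
    return table


def diff_fdb(old, new, inventory=None):
    """Return (event, mac, detail) tuples for new, moved and vanished entries.

    'new' entries outside the inventory are the "unknown device plugged in"
    alert; 'moved' entries catch a device being re-patched, or the same MAC
    suddenly being learned on a different port (a classic spoofing sign).
    """
    events = []
    for mac in sorted(new):
        port = new[mac]
        if mac not in old:
            detail = f"port {port}"
            if inventory is not None and mac not in inventory:
                detail += " (not in inventory)"
            events.append(("new", mac, detail))
        elif old[mac] != port:
            events.append(("moved", mac, f"port {old[mac]} -> {port}"))
    for mac in sorted(old):
        if mac not in new:
            events.append(("gone", mac, f"was port {old[mac]}"))
    return events


if __name__ == "__main__":
    for event, mac, detail in diff_fdb(parse_fdb_walk(WALK_T0), parse_fdb_walk(WALK_T1), INVENTORY):
        print(f"{event:5s} {mac} {detail}")
```

Two caveats when running this against a real switch: the value is a bridge port number, not an ifIndex (dot1dBasePortIfIndex maps between them), and on VLAN-aware switches the per-VLAN table lives in Q-BRIDGE-MIB (dot1qTpFdbPort) instead. Entries also age out of the table when a host goes quiet, so "gone" means "not learned recently", not "unplugged". PRTG can run something like this as a script sensor on a polling interval of a few minutes.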



Scheme in servername for httpd respected?

I’ve tried searching to find out the following, but didn’t find a definitive answer / example

I’m looking to see if a web socket request to ws://www.fun.com with the following vhost configuration would work or be discarded

    <VirtualHost 192.168.0.1:80>
        ServerName http://www.fun.com
        ...
    </VirtualHost>

Apache docs indicate the scheme is an optional parameter in the servername and most examples I find online don’t have the scheme and add rules and mods to deal with ws or http traffic separately.

I was wondering if the above vhost would work with ws traffic or if I’d need to add another vhost setting with the ws scheme (or better I think just dropping the http scheme and dealing with it all within one vhost config.



Any impact of using switchport block unicast feature

Is there any impact of using the "switchport block unicast" command on a switchport connected to a host? Is it going to limit my legit traffic or impact any regular traffic?

We are seeing unicast flooding when spanning-tree changes and are trying to protect my servers from the flood.

Current configuration of my switch ports connected to servers:

    interface Ethernet1/32
      description ostack-compute
      switchport mode trunk
      switchport trunk native vlan 40
      switchport trunk allowed vlan 10-11,20-21,28-31,40,50,100,200
      spanning-tree port type edge trunk
      spanning-tree bpduguard enable



Routing issue inside Viawest / Flexential network

Hello all, I am having an issue where traffic from a specific IP is getting dropped inside the Viawest network (now it's Flexential, I guess).

I reached out to them, but never got a response. As an ISP, what is the best way to get issues like this resolved when you cannot get a response from the party that seems to be dropping your traffic? Anyone know their NOC contact information???



Zayo Being Acquired by PE, Going Private

https://www.bloomberg.com/news/articles/2019-05-08/eqt-digital-colony-agree-to-buy-zayo-for-14-3-billion

Also got this email today (we're a customer):

Today, Zayo announced that the company has entered into a definitive agreement to be acquired by two private equity firms: Digital Colony and EQT Infrastructure. When it is closed, the transaction will result in Zayo transitioning from a public company to a private company. Otherwise, Zayo will remain focused on providing mission-critical bandwidth to the world’s most innovative companies.

Over the past two quarters, the possibility of Zayo being acquired was the topic of much chatter. The message I heard from our customers was “please don’t change what you do or how you do it.” Our customers emphasized their desire that we continue to focus on infrastructure, lean into investments and provide exceptional solutions and service. Most importantly, our customers wanted assurance that we would retain the talent and passion of the Zayo team. Under the proposed new ownership, the Zayo team will continue this journey.

EQT and Digital Colony share our vision that Zayo’s Fiber Fuels Global Innovation. Both are experienced global investors in the Communications Infrastructure space. They are investing in Zayo because they appreciate our extraordinary fiber infrastructure assets, our highly talented team and our marquee customer base. We are confident this partnership will allow Zayo to accelerate its growth and strengthen its industry leadership.

Our top priority is providing our customers with innovative solutions and excellent service over our 130,000-mile fiber network, tier one IP backbone and 51 data centers. Please reach out to us via email [here](mailto:tranzact@zayo.com) or at 866.364.6033 if you need assistance with your existing services or if you are interested in additional solutions. This proposed ownership change will not affect contracts, service levels, billing or pricing.

The transaction is expected to close during the first half of 2020, following a shareholder vote and customary regulatory approvals. Until this happens, Zayo will continue to operate independently and as a public company.

Zayo has an exceptional track record, strong balance sheet and consistent, positive cash flow. This transaction is about making a strong business even better -- we will continue to focus on ways we can improve our customer experience and our effectiveness and efficiency.

Please don’t hesitate to reach out to your account team or anyone on the executive team if you have questions.

From everyone at Zayo, thank you for supporting Zayo over the 12 years since our inception in 2007 and for trusting us with your mission critical business.

Best regards,

Annette Murphy, CCO, Zayo Group



Strange RDP packet path behavior

Hi everyone, I ran into an issue last night that has me questioning everything I think I know about packet forwarding.

I'm starting to wonder if there's something about forwarding UDP packets I don't know...

Network diagram (simplified for ease of discussion):

https://imgur.com/a/bPRvTXI

For background, this is for an FM radio transmitter sitting on top of a mountain.

I have a core switch at headquarters (Cisco Cat 4510R+E with Sup8e supervisor cards). Connected to it is an audio sending server. It sends high quality UDP audio packets to an audio receiving server connected to a remote switch (Cisco Cat 3650, running ipbase) sitting on top of a mountain. That receiving server feeds audio to an FM transmitter so you can have your drive-time FM entertainment while you're stuck in Los Angeles traffic.

The audio sending server at headquarters is on VLAN 1, and VLAN 1 is extended over a T1, where the remote switch is connected. So on VLAN 1, the server is 10.1.1.100, the core switch is 10.1.1.1, and the remote switch is 10.1.1.254. The server is set to use 10.1.1.1 as its gateway. The audio receiving server is at 10.200.1.100 (VLAN 200 off the remote switch).

Up until now, a simple static route has been in place on the core switch:

ip route 10.200.1.0 255.255.255.0 10.1.1.254

So last night, we fired up a new 100 meg layer 2 microwave link from headquarters to the mountain top. I also configured OSPF between the core switch and the remote switch. Removed the static routes, and made sure the RIB updated.

show ip route

on both switches showed me exactly what I wanted to see. The new microwave link is now the path on both sides.

Now, when I checked the port statistics, I was still seeing a bunch of packets going over the T1, and not as many as I would expect to be going over the microwave. I expected to see some traffic over the T1 because we use LAN extenders, so regular broadcast (ARP, DHCP requests, etc) traffic.

I did a remote packet capture on the remote switch - the port connected to the LAN extender. To my surprise, UDP audio traffic from the sending server to the receiving server was still taking the T1!

But TCP traffic (http, etc) was properly taking the microwave link (as verified by another packet capture).

In order to get UDP to take the correct path, we ended up rebooting both audio servers.

For the life of me, I can't figure out why updating the RIB, by enabling OSPF and removing the static route, didn't affect the path the UDP packets were taking.

Is there something different about UDP traffic vs. TCP traffic as related to forwarding?

Maybe some sort of forwarding cache that needed to be cleared that I'm not aware of? Something deep in the TCP/IP stack I'm unaware of?

One other clue... A couple of months ago, we had the same issue with an audio receiving server at another transmitter site that's connected by a Meraki MX. In that case, the audio receiving server is getting UDP packets from the same audio sending server at headquarters, but instead of a LAN extender or microwave, those packets go through an ASA, into a Meraki MX, over the Internet, to a Meraki at the transmitter site. The Meraki at the transmitter site has a local Internet provider and a cellular modem as a backup.

When we tried to move that remote Meraki to use the cellular modem, the UDP packets from the audio sending server continued to flow over the local internet provider - Until we rebooted the audio sending server. At the time we thought it was just a Meraki bug.

Now I don't know what to think.

Anybody got any good insight?

Thanks!



[questions] fringe cases regarding: untagged trunk port, a computer with vlan aware nic

These are faulty configurations I am encountering right now. The question is not about how to make things right, but more like "how could this mess have worked..?"

[1] What comes out of an untagged trunk port? Does the port strip all tagging and just dump all VLANs and the native VLAN together to the end device?

[2] If a computer has a NIC that is made VLAN aware, it can see all the VLANs. Can this computer somehow see the trunk line's native VLAN as well?

in my particular case:

vlan1 == native vlan, and there is vlan2, and vlan3.

A rogue IP packet with a VLAN 2 IP address and subnet, and intended for VLAN 2, was put on the native VLAN (VLAN 1).

A computer that has the NIC configured to see VLAN 2 and VLAN 3 ONLY (Intel Advanced Network Services Protocol) somehow sees the rogue IP packet, and Wireshark on this computer sees the rogue IP packet on its VLAN 2.
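To make the two questions concrete, here is an added example (not from the post, and not a description of the Intel ANS driver) of what an 802.1Q frame looks like on the wire and how a conventional host-side VLAN filter classifies it: a tagged frame carries a 4-byte tag (TPID 0x8100 + TCI, VLAN ID in the low 12 bits) after the source MAC, a native-VLAN frame from a trunk carries no tag at all, and the IP addresses inside play no part in the decision. The NIC model (tagged sub-interfaces plus an optional interface for untagged frames) and all frames below are constructed assumptions.

```python
# Added example (not from the original post): how a conventional 802.1Q
# host-side VLAN filter classifies frames arriving from a trunk.  The NIC model
# (tagged sub-interfaces plus an optional untagged interface) and every frame
# here are constructed assumptions, not a description of Intel ANS behaviour.
import socket
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_ipv4(src_ip, dst_ip, payload=b""):
    """Minimal IPv4 header (no options, zero checksum) so the frame carries real addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr + payload


def build_frame(dst_mac, src_mac, payload, vlan_id=None, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame; with vlan_id, a 4-byte 802.1Q tag (TPID + TCI) is inserted."""
    hdr = dst_mac + src_mac
    if vlan_id is not None:
        hdr += struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id & 0x0FFF, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Return dst, src, vlan (None if untagged), ethertype and, for IPv4, the inner addresses."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "vlan": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"] = tci & 0x0FFF          # low 12 bits of the TCI; PCP/DEI are the top 4
        offset = 18
    info["ethertype"] = ethertype
    payload = frame[offset:]
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        info["ip_src"] = socket.inet_ntoa(payload[12:16])
        info["ip_dst"] = socket.inet_ntoa(payload[16:20])
    return info


def classify(frame, tagged_vlans, untagged_vlan=None):
    """Which host interface a standard 802.1Q filter delivers the frame to (None = dropped).

    tagged_vlans:  VLAN IDs the NIC has tagged sub-interfaces for, e.g. {2, 3}.
    untagged_vlan: VLAN ID the host assigns to untagged frames, or None if it has
                   no interface for untagged traffic.
    Only the tag is consulted; the IP addresses inside never influence the decision.
    """
    vlan = parse_frame(frame)["vlan"]
    if vlan is None:
        return untagged_vlan
    return vlan if vlan in tagged_vlans else None


def demo():
    """Constructed scenario: VLAN 2 addressing sent once tagged and once untagged."""
    host = b"\x00\x11\x22\x33\x44\x55"
    srv = b"\x00\x11\x22\x33\x44\x66"
    ip = build_ipv4("192.168.2.10", "192.168.2.20")      # addresses that "belong" to VLAN 2
    tagged2 = build_frame(host, srv, ip, vlan_id=2)
    rogue_untagged = build_frame(host, srv, ip)           # same addresses, no tag
    return {
        "tagged_vlan2": classify(tagged2, {2, 3}),
        "rogue_untagged": classify(rogue_untagged, {2, 3}),
        "rogue_untagged_with_native_if": classify(rogue_untagged, {2, 3}, untagged_vlan=1),
    }
```

The point the demo makes is that VLAN membership is decided purely by the tag: an untagged frame is only visible to whatever interface the host maps untagged traffic to, regardless of which subnet its IP header claims. If a capture shows such a frame on a tagged-only VLAN 2 interface, the place to look is the capture point (a raw-NIC capture sees frames before the driver's VLAN demux) and the driver's handling of untagged frames, not the IP addresses.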



Aruba Mobility Master in the cloud (Google Cloud, or AWS)?

I'm trying to setup some labs to play with some Aruba APs (AP-325 and AP-225).

I have a physical Aruba Mobility Controller, but I'd like to setup a virtualised Mobility Master, ideally in Google Cloud, or AWS.

Has anybody had any experience doing this?



Community Experience with Cisco WAAS and Riverbed Failing To Wire (Failing Open)

What is the community's experience with Cisco WAAS and Riverbed appliances failing to wire (failing open)? I'm having a conversation about Cisco WAAS and WCCP vs Inline with some co-workers.



Cisco vWLC and 2600aps Mesh Backhaul issues

I am running a Cisco vWLC and a few 2602i access points in a mesh setup. It’s working as intended except for 5ghz. The backhaul is using the 5ghz fine and client access is enabled on backhaul but no clients can connect to it. I have turned off the second radio on the root ap to do a test and shut down the MAPs and the SSID shows but the client can’t connect.

AP shows access is enabled on the backhaul radio.

I have also put the AP into flexconnect mode to test and then clients can access 5ghz.

Any one have some insight into this? Perhaps it’s something terribly simple or maybe the 2602s just don’t support it?

Any debug commands I can run on the controller or AP to see why the client isn’t able to connect to 5ghz?

Thanks.



TACACSGUI?

Just wondering if anyone has used this along with the high availability feature?

I deployed it today and already have AD integration along with all my LAN devices configured to authenticate against it. So much easier than editing an XML file.

Anyway, I'm particularly looking for information on the high availability feature. In the GUI I can't see any option or way to enable HA.



Crazy Issue with Cisco ASA 5505

So I'll do my best to explain this issue and I was hoping maybe someone else has seen this before.

I have a Cisco ASA 5505 with 2 VLANS 192.168.1.0 and 192.168.2.0. Both VLANS have DHCP running on their respective interfaces on the ASA. On the 192.168.2.0 there are 4 POS machines (windows 10). On one of the POS machines there is a software client to run credit cards in which the other 3 machines talk to the one with the client. The device with the client is 192.168.2.104.

Here's where things get weird....

None of the other 3 machines can run cards through that client UNLESS there is a continuous ping running in the background to the 192.168.2.102 device. If you stop the ping the machines cannot talk through the CC Client (NETePay)

Has anyone seen anything like this before? It's worth mentioning that this didn't happen until the ASA was installed. Cisco TAC has logged into the device and verified the configuration and claim they see no issues.



Is it possible to make it so everytime I browse to a certain site it changes a certain part of the url? Examples inside

The reason I want to do this is for reddit. I hate the new design and sometimes I just want to type: reddit.com/r/insert whatever here.
But can I use anything that will always change reddit.com or www.reddit.com to old.reddit.com, but only change those two parts and always keep any /r/subreddit part of the URL untouched?
I know how to redirect if I'm ONLY typing reddit.com, but was hoping you guys could help with a solution for this.

Solved thanks /u/BaconEatingChamp I'm dumb!

Thanks!



Budget Home lab recommendations

Hey guys,

So I'm slowly building out a home lab for me to tinker with in my down time and I'm currently shopping around for network devices to use. I want to use enterprise grade stuff but I also don't want to break the bank.

I'm only looking for a few basic things like a CLI interface, PoE, and VLANs. Nothing fancy, but more than what I can get away with using just a home router. Does anyone have any suggestions as to what I should buy? I've heard Ubiquiti makes good stuff, but I've only ever worked in Cisco/Brocade environments before.



Confusing VPN/VLAN issue, would like some outside opinions

I have two locations, each with a Meraki firewall, that are configured with site-to-site VPNs on specific VLANS. The VLANS carry security camera traffic from our remote location to the main office where it’s stored on the server.

I have about 10 cameras in total at the remote location. 3 of those cameras can not communicate over the VPN for some mysterious reason. The other 7 cameras are working as expected.

I have set the cameras all up to have identical settings, other than IP addresses.

The switch ports they are connected to have identical settings.

I opened a ticket with Meraki support to go over my VPN settings and they said there is no issue with the VPN.

I opened a ticket with the camera vendor, and they said all the settings look correct.

I can’t for the life of me figure out what the issue is. One thing that makes it more annoying is that the local firewall can ping the remote cameras by IP – so the VPN is alive and working. But the camera server can’t ping them for some reason. I have disabled Windows Firewall on the server. No ports that the cameras use are blocked. The server can communicate with the rest of the remote cameras and network just fine.

Any ideas where to look next to work out what’s going on?

Things I’ve already tried:

Disabling the VPN altogether, re-enabling the VPN leaves me in the same situation as before.

Re-IPing the cameras to new IPs.

Trying DHCP instead of Static.

Rebooting all devices in the chain (cameras, switch, firewalls, server)

Factory defaulted one of the problem cameras, still same issue



VPN taking up "dynamic bandwidth" Question

Does using a VPN truly create a "dedicated tunnel" that takes up space from dynamic traffic? I'm trying to resolve why only so many users can use a single hotspot while connected to VPN, but more users can use it if not connected to VPN. Is the VPN doing something with that shared bandwidth that "locks" or "binds" pieces of it for each tunnel? That is what one of the techs in my team is suggesting.

My understanding was that the "tunnel" is really just the same data but encrypted and therefore has added overhead. But not that the tunnel is consuming bandwidth that is then unusable by anyone else until the tunnel is turned off.

edit: extra stuff



port 80 trapping?

While doing research for my bachelor's thesis I came across a mention of "port 80 trapping" as a possible explanation for an observed difference in RTT between IPv6 and IPv4 traffic. However I can't find any explanation online what port 80 trapping actually is, let alone how it would affect RTT differently for IPv4 and IPv6 traffic.

Can someone here give me a hand? A little explanation or some pointing in the right direction of where I could find an explanation?



How to protect against L3 Targetted DDoS?

Suppose I have two 1Gb internet links from two different ISPs. The IP addresses (which are made up) are 11.0.0.1/25 and 12.0.0.1/25. Somebody decides to DDoS both of these ranges and our ISPs can offer no protection. We can't redirect the attacks to a cloud scrubbing centre with DNS, because the attackers are specifically blasting our IP space.

How do we fix/engineer our way out of the situation? Open to all ideas, apart from buying bigger pipes.



What do you call your Ops Improvement teams?

I'm looking for a fancy set of words to call an operational improvement team at my company. I like OI, but am looking for something that is even better and portrays huge change. Ideas?



Is IPSEC a bottleneck for individual data-stream bandwidth?

I've been talking with a co-worker about an IPsec tunnel performance issue we've been seeing. VPN on x86 hardware appears to be limited to about 1Gbps of performance regardless of the network available. This looks to be due to the fact that IPsec has to be processed by a single CPU thread and is limited by that even though we have many more cores available. Now he's saying this is an inherent limit of IPsec VPNs and any system would have that type of limit. I was thinking hardware firewalls would use their IPsec ASICs to overcome that issue, but while looking into it I found that Fortinet at least is still pinning multiple IPsec processes to different CPUs. So I don't know if their advertised 40+ Gbps of IPsec bandwidth would be possible on a single stream or if that's an aggregate max for all tunnels on a device.

What is the maximum throughput you have seen on VPNs and on what hardware?



Cable Tester and/or Network Tester

We are in need of an Ethernet cable tester / network tester. We are installing low voltage structured cabling for homes and small business customers. No one has really asked for certification, which something like a $10,000+ Fluke would cost, and if we did get a high end job that required certification I assume we would just rent one for a week. However, we need something!

Some people recommend the Pocket Ethernet or Netool.io device. Those seem cool, but not commercial enough for the rugged jobsites. I love the cost, don't get me wrong.

On the low end, I am thinking something like a NETSCOUT LinkSprinter 300 that costs $368 new on Amazon https://www.amazon.com/NETSCOUT-LinkSprinter-Network-Tester/dp/B00I7KSTYO . I like that it has cloud reports that can be analyzed by others remotely. It looks like it does support Open/Short/Length cable tests, but it does not have a wiremap and toner. I would think a wiremap and toner would be useful. They advertise this device as usually testing with a switch at the other end, and the question I have is: in new installs, where we don't have a switch yet connected to the other end, is this device pointless?

The next step up seems to be the NETSCOUT LRAT-1000 LinkRunner AT Copper Ethernet Network Tester for around $1060.00. It has everything the LinkSprinter 300 does from what I can tell, plus adds a screen, wiremap and toner, and I am sure other things?

Then step up from there is the LRAT-2000 for around $1600. LinkRunner AT is available in two models: LRAT-2000 and LRAT-1000. LinkRunner AT 2000 adds the following exclusive* features:

  • Fiber support
  • TruePower™ PoE loading
  • IPv6 support
  • Reflector support
  • More reports: 50 instead of 10

* These exclusive features cannot be added to the LinkRunner AT 1000.

I am not sure if these features are worth the increase in cost. Over time I can see IPv6 support being required. Fiber support sounds nice. What is Reflector support?

Besides NETSCOUT, I have been told that the Fluke Networks CIQ-100 Cable Tester for $1224 is a great machine. It seems to have the most true cable tests, but it lacks cloud reporting/management from what I can tell.

I really like/want cloud reporting or remote management. We will have low end low wage techs working some of these testers, so easy to use while have a more advanced tech/manager being able to look at results online is a real plus in my opinion.

Any other brands or models I should look at?