Saturday, June 8, 2019

Anyone at CLUS this year?

I'm looking to meet people smarter than I am. You know, maybe start that conversation that opens doors or just to say hello.



Old router with ATT in-laws

My father-in-law has a slow b/g router from ATT. He also has basic internet (5 Mbps). How do I work through getting him upgraded internet and a modem/router without a bill increase? I believe that his plan and modem/router are significantly out-of-date. What's your advice?



Proper way to secure plywood to metal stud wall which will hold a wall mounted rack?

http://bit.ly/2Wn5aaB

Firepower High unmanaged disk usage on /ngfw

I need help. I've been trying to figure out why a Cisco Firepower 2110 shows the error "High unmanaged disk usage on /ngfw" after being on for a couple of weeks. It has over 50% free disk, yet I still get the error. Rebooting frees up a couple of GB and the error goes away for a couple of weeks. I've opened two cases with TAC and they provided no help after poking around in the command line for 30 minutes or so each time. I've also checked around the internet and none of the usual fixes of emptying certain folders seem to help. Anyone else have this problem?



Experience with Lenovo RackSwitches?

Has anyone got experience with Lenovo RackSwitches? Lenovo bought the RackSwitches from IBM, along with the x86 servers. Back then I didn't give them much thought because they were just some random third-party OS on Trident silicon.

Apparently they didn't die off, Lenovo has even listed new 100G products (NE10032) with the "ThinkSystem" brand on their website, they're listed in the Gartner Magic Quadrant (unremarkable position on the quadrant, but at least they're "important enough" for Gartner to include them?), yet I don't know anyone who actually uses them.

Are they actually bought and used in any data centers? Pricing-wise they seem to be quite a bit cheaper than the "usual suspects" (Cisco, Arista, HPE, Juniper), so if they were any good I'd assume this would propagate through word-of-mouth.

Has anybody not only heard of them, but can provide firsthand experience?



Outdoor rated patch cable that is in white color? Thank you

Hello!

Do you guys know where to find outdoor rated patch cable?
I think the rating is called CMX/CMR.

Thank you very much!
I am located in Sweden, so inside europe is OK =)



How can I monitor that VMs are running and connected to the internet? Linux-based VMs with Proxmox.

I have a few VMs that need to access the internet. Occasionally a VM is running but the network seems to have disconnected and I need to reboot the VM. Is there a way to monitor within Linux that the outbound connection is working and get notifications if it stops? The main line on Proxmox never has an issue, just the connection within the Linux VM.



Arista launches campus PoE switches

Anyone else been keeping an eye on this with great interest?

My only concern is their proposed alternative to stacking in the white paper appears to utilise the 8 mGig ports on the front at L2 to get a total of 10 access switches, with 2 in an MLAG configuration having uplinks to the distribution/spine. The other alternative would be to have groups of 5 utilising 25Gb ports between switches and 25Gb to the spine/distribution. This, of course, assumes you do not have sufficient fibre/capacity to dual home each switch back. What are your thoughts on this design?

https://www.arista.com/en/products/720xp-series



Can anyone chime in on what it’s like being a network engineer? I’m trying to figure out what’s true and what’s misinformation


Mega basic VLAN question that I can't seem to solve.

Hi,

Really need a bit of advice to fix this scenario.

Mega basic config, but can't seem to get this working.

Basically, I have a Cisco switch with DHCP enabled for voice (I don't have access to this), connected to a Dell fibre distribution switch (PowerConnect 6024F), where I then have to pass traffic across to a 3560 and down to a VoIP telephone.

I want to tag the packets when they leave the Cisco voice, so they can be passed across the Dell, to the 3560, to the phone.

Current theoretical config that doesn't seem to work:

Cisco (voice/DHCP) - Dell (port 16, configured as access on VLAN 999)

Dell - Cisco 3560 (already configured as a trunk, added VLAN 999)

Cisco 3560 trunk (already configured, has "trunking VLANs Enabled: ALL" in the config, so assuming that it'll accept my VLAN 999)

Cisco 3560 - test VoIP telephone - Access port on 999

Reaching out and would really appreciate some pointers on where the config doesn't look correct.

Can post configs if required.

Thanks,

/storr84



Weird Virtual WLC issue

I have a small lab and got given some older Cisco APs. To run them, I figured I would try the trial of the virtual WLC OVA running in VMware Player on Ubuntu on an old NUC, but I am running into this weird bug.

Once I get the initial config up, the management interface is not responding on either SSH or WLC. It responds to ping, but when I go in through the console, it can't ping out. The weird thing is, if I reinstall, the initial config screen is available over HTTP, but not once the management interface is configured. What am I missing?

All I do before I lose it is configure the management interface, the service-port interface (on a different subnet, e.g. mgmt is 10.0.0.0/24, service is 192.168.1.0/24) and the initial WLAN stuff.



Can a L2 2960X mark DSCP based on the source IP addr?

Hello

I've read the article about QoS on this platform, but somehow I'm still confused about the possibilities.

I know I can mark the DSCP field based on the ingress interface (on a per-port basis), but can you match the source address if the switch is not L3?

Basically, what I want is to create a policy map that matches a subnet and sets DSCP to AF41. Is it possible?

From a more general standpoint, is it worth marking DSCP on a layer 2 switch? I heard that QoS was almost only needed at L3.

Thanks!!



Routing versus Streaming throughput using FreeBSD at 10Gbps and over.

On the one hand you have Chelsio publishing benchmarks showing a FreeBSD-based router with over 40 Mpps NetMap throughput using its T580-CR adapter here (published in 2015). Next there is a different benchmark here using a T580-LP-CR adapter, also a 40Gbps adapter (this one is dated 2014). And here we have a Chelsio T62100-LP-CR which features an almost total offload at 100Gbps (published in 2016). The T580-CR seems to have a current cost of around $600 new, but you can find them cheaper. Then there is Netflix showing a machine pushing almost 90Gbps of TLS traffic here (from 2017). Oh, I forgot, Netflix also likes Chelsio adapters too.

On the other hand I have seen more than one posting here (within the last year and a half) saying that FreeBSD as a router would be lucky to push enough packets/traffic to need more than a 10Gbps adapter. Now mind you, one of those comparison posts also used NetMap. All of these posts are newer than any of the above. I am not posting these as I may have misinterpreted what I read, i.e. I'm covering my ass... :)

I can't believe that a firewall/routing workload is so much more demanding compared to a TLS streaming workload that it would destroy enough of the performance to bring down network utilization by what, 60% or 70%?

What am I missing? They both can't be right unless I have catastrophically misread one side or the other.



Friday, June 7, 2019

New access switch breaking phone system. Help..

I have a head scratcher here. I am hoping it's something super simple that I've overlooked. We recently purchased new Cisco 9200 switches to replace aging equipment. We put a stack into an IDF, with a fairly simple config with basic interface VLAN and voice VLAN configs. We have 2 fiber lines running from the core to this switch in a port group. All good, everything plain and simple. Once I moved over my devices, my phone system's IP PAD interface ports on my core went down. These are the only affected ports of the whole site. It's become super noticeable because the phones drop outside calls.

STP was checked, trunk checked. We removed the port group to make sure it's not a loop. Once the switch is disconnected from the core, all is well. Moved the devices back to the old switch and it's working correctly. I need some ideas!



Surface Pro or iPad

Strictly from a tablet perspective. Which tablet makes your job as a Network Engineer more efficient? Best tablet apps you use?



Getting a new upstream ISP--they asked if we'd like the MTU to be 1500 or 9000. Why would one want the higher MTU for an Internet connection?


SonicWall SSL VPN user login report

I use a SonicWall NSA 3600 for SSL VPN access. I need to view a log or report of all the SSL VPN logins by a specific user and the associated source IPs. I can't seem to find this information. Can anyone point me in the right direction?



Looking for a cheap LTE console server

Title says most of it. I am looking for a cheap LTE console server for remote access. Does anyone have any recommendations? LTE access from an external IP is required and I only need about 4 ports max.



OrionToolkit: A PowerShell module for interacting with the SolarWinds NPM API

Background

Over the years, I've cobbled together PS scripts for doing this and that with Orion's API.

Recently, I needed some advanced syslog filtering. Rather than write another hack-job, I decided to do it right (or at least, better).

Then I thought, why not do the same for my other tools?

A few days of refactoring and OrionToolkit was born.

While in early development, I'll leave it on GitHub. I plan to post to the PS Gallery once it reaches a certain level of completeness.

Contributions welcome.

Implemented cmdlets

  • Add-OrionNodes - Add one or more nodes, and their interfaces, to NPM
  • Get-OrionNodes - Query and filter nodes based on many properties, including wildcards
  • Get-OrionSyslog - Query syslog messages with advanced inclusion/exclusion filtering

Example usage

Add a single node, including all interfaces with descriptions containing the string "LINK", and add custom properties for DeviceClass and DeviceType:

    PS C:\Users\austindcc> Add-OrionNodes -NodeIP "10.100.20.40" -SNMPv3CredentialName "access" -CustomProperties @{'DeviceClass' = 'Network'; 'DeviceType' = 'Network_SwitchAccess'} -IncludeInterfaces "*LINK*"

    NodeName       NodeID IPAddress    Interfaces
    --------       ------ ---------    ----------
    Switch-Example 2200   10.100.20.40 {PscxDynamicType69}

Get all Cisco nodes with average polling response times greater than 100ms, or polling packet loss greater than 1%:

    PS C:\Users\austindcc> Get-OrionNodes -Vendor Cisco | ? { $_.AvgResponseTime -gt 100 -or $_.PercentLoss -gt 1} | ft nodename, avgresponsetime, percentloss

    NodeName   AvgResponseTime PercentLoss
    --------   --------------- -----------
    Switch0001 13              10
    Switch0002 13              20

Get syslog messages from all Cisco devices for the past hour:

    PS C:\Users\austindcc> Get-OrionSyslog -IncludeVendor Cisco | ft datetime, nodename, message

    DateTime             NodeName   Message
    --------             --------   -------
    6/7/2019 10:21:10 AM Router-01  Te1/0/5: Rx power low warning; Operating value: -22.5 dBm, Threshold value: -19.0 dBm.
    6/7/2019 10:16:31 AM Router-02  Gi0/1: Rx power high warning; Operating value: -2.1 dBm, Threshold value: -3.0 dBm.
    6/7/2019 10:07:08 AM Router-03  Duplicate address 10.51.182.1 on Vlan50, sourced by ec9b.8b07.6793
    6/7/2019 10:06:42 AM Switch-02  Faulty fan detected
    6/7/2019 10:06:42 AM Switch-02  Abnormal temperature detected
    6/7/2019 10:06:41 AM Switch-02  Fan Failure
    6/7/2019 10:04:06 AM Router-03  Duplicate address 10.51.184.1 on Vlan60, sourced by 943f.c25f.4627
    6/7/2019 10:03:36 AM Router-03  Duplicate address 10.51.184.1 on Vlan60, sourced by ec9b.8b07.679d
    6/7/2019 9:49:11 AM  Switch-01  FRU Power Supply is not responding
    6/7/2019 9:43:30 AM  CoreAgg-01 Snooping Querier received a non-matching query interval (125000 msec),

GitHub



Having trouble with ACLs between vlans using an ASA and Netgear M4300 Layer 3 switch

So, at work we are moving from a flat network to a segmented one and I'm having trouble with the ACLs on the layer 3 switch. As of now I have traffic coming in through the ASA, then it gets pushed through the Firepower module, back to the ASA, then down to the switch. The switch holds the VLANs, which are 10 LAN, 20 DMZ, 30 TEST, and 99 Management. Then traffic goes to Nutanix hosts where all the VMs live.

The problem I'm having is getting ACLs on the switch to work in only one direction. For example, I want the domain controllers in 10 to be accessible from the test VMs in 30, but I don't want servers in 30 to be able to talk to anything else in 10, since 30 will be used to test new things. Here is what I have:

    access-list 130 permit ip host 10.10.10.12 10.10.30.0 0.0.0.255
    access-list 130 permit ip host 10.10.10.11 10.10.30.0 0.0.0.255
    access-list 130 deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
    access-list 130 deny ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255
    access-list 130 deny ip 10.10.99.0 0.0.0.255 10.10.30.0 0.0.0.255
    access-list 130 permit ip any any

    ip access-group 130 vlan 30 out 1

And I've tried every combo of putting it on the inbound and outbound of VLAN 30 and 10. Just can't seem to get it right. It either allows everything or nothing.
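To see what the posted ACL actually does per packet, here is an added Python model (not from the post or the switch vendor) that parses ACL 130 exactly as written, evaluates it first-match with the implicit deny, and then walks a request/reply pair through it as a stateless ACL bound "out" on VLAN 30 would see it. ACL 131 is a hypothetical inbound counterpart added here for comparison; the addresses 10.10.30.5 and 10.10.10.50 are constructed sample hosts.

```python
import ipaddress

# ACL 130 exactly as posted: bound "out" on VLAN 30 (packets leaving the switch into VLAN 30).
ACL_130_OUT = """
access-list 130 permit ip host 10.10.10.12 10.10.30.0 0.0.0.255
access-list 130 permit ip host 10.10.10.11 10.10.30.0 0.0.0.255
access-list 130 deny ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
access-list 130 deny ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255
access-list 130 deny ip 10.10.99.0 0.0.0.255 10.10.30.0 0.0.0.255
access-list 130 permit ip any any
"""

# Hypothetical inbound counterpart (NOT from the post): filters packets entering the switch
# from VLAN 30, i.e. the direction in which the test VMs initiate traffic.
ACL_131_IN = """
access-list 131 permit ip 10.10.30.0 0.0.0.255 host 10.10.10.12
access-list 131 permit ip 10.10.30.0 0.0.0.255 host 10.10.10.11
access-list 131 deny ip 10.10.30.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 131 deny ip 10.10.30.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 131 deny ip 10.10.30.0 0.0.0.255 10.10.99.0 0.0.0.255
access-list 131 permit ip any any
"""

VLAN30 = ipaddress.ip_network("10.10.30.0/24")
ALL_ONES = int(ipaddress.IPv4Address("255.255.255.255"))


def _operand(tokens):
    """Consume one address operand (any | host A | A wildcard); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Cisco-style wildcard mask: the bitwise inverse of the subnet mask.
    netmask = ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src_net, dst_net)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, rest = _operand(t[4:])
        dst, _ = _operand(rest)
        rules.append((t[2], src, dst))
    return rules


def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins; an ACL with no match ends in an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def session(rules, direction, client_ip, server_ip):
    """Verdicts for the request packet and the reply packet of one client->server session.

    A stateless ACL bound to VLAN 30 only sees packets in its bound direction:
      'out' -> packets whose destination is in VLAN 30
      'in'  -> packets whose source is in VLAN 30
    Any other packet crosses the VLAN boundary unfiltered ('-').
    """
    def check(src, dst):
        hit = ipaddress.ip_address(dst if direction == "out" else src) in VLAN30
        return evaluate(rules, src, dst) if hit else "-"
    return check(client_ip, server_ip), check(server_ip, client_ip)


if __name__ == "__main__":
    for name, text, direction in (("130 out", ACL_130_OUT, "out"), ("131 in", ACL_131_IN, "in")):
        rules = parse_acl(text)
        print(f"ACL {name}:")
        for client, server in (("10.10.30.5", "10.10.10.12"),   # test VM -> DC
                               ("10.10.30.5", "10.10.10.50"),   # test VM -> other LAN server
                               ("10.10.10.50", "10.10.30.5")):  # LAN server -> test VM
            print(f"  {client} -> {server}: request/reply = {session(rules, direction, client, server)}")
```

The output shows the limit of a stateless ACL: bound outbound, 130 lets a test VM's first packet reach any LAN server and only drops the reply; bound inbound, 131 blocks the test VM's request but also drops the reply to a LAN-initiated session, so neither expresses "sessions initiated from 30 only" without a stateful or established-match construct.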



Observium sysLocation string

Hello, I'm having a problem while trying to change the sysLocation string of my devices in Observium. I have to make location changes on the equipment map and I would like to create groups inside Observium where, when placing a device, it would automatically take the geolocation of that group. However, I can't make any changes to the sysLocation string; the most I managed was to change the default latitude and longitude for new devices. Does anyone know how I can check something related, or whether this is possible?
Thank you in advance for your help.



Mac based VLANs

Hi!

Anyone familiar with configuring a network for MAC-based VLANs vs port-based? Specifically for a VoIP VLAN. Running a SonicWall TZ400 to a Dell N3048 stack. Any help is very much appreciated! I've already scoured Dell support to no avail.



Senior Project

So I’m going into my final semester of college as a networking major. I have to take a senior project class and was wondering if anyone had any ideas on what I can do. Preferably something with a raspberry pi.



PE to P Routing Redundancy

We have numerous PE routers coming back to one of our POPs with two ASR9K P routers. These PE routers are all single-threaded fiber back to the POP, so they can only land physically on one device at a time. We are planning to add a pair of Nexus 9Ks in front of the ASR9Ks for port aggregation. The N9Ks are fully meshed with the ASR9Ks for redundancy. I am now sorting out a clean method for establishing routing redundancy from the PE routers to each of the two P routers. The Nexus are L2 only and our IGP is OSPF. Below are the current options we have come up with, but it feels like there should be a simpler method.

  1. Convert the PE-P links from /31 to /29 and set up multipoint/broadcast OSPF to each P router. Con: wastes lots of IPs.
  2. Create two VLANs on the PE routers with one VLAN going to each P router. /31s on both interfaces with OSPF. Con: fewer wasted IPs, but more complex and potential for loops.
  3. HSRP on the P routers. Build OSPF from the PE routers to the HSRP primary IP on the P router. Con: one P router will always be primary and it is difficult to load balance.
  4. Make the Nexus L3 and bring up OSPF to the PE routers directly and OSPF up to the P routers. Con: don't really want to add more hops in the path, but may be the simplest solution.

Any thoughts or ideas would be appreciated!



Bad Archive

Hey, I'm transferring a software upgrade onto an ADVA 206. I'm unable to access the device via CLI, so I have to connect via Telnet Relay. Every time the transfer reaches 96% it fails with the message "File Services Status Bad Archive". Is this an issue with the software or the device?



I made a Python script to change VLANs based on the vendor MAC addresses [Cisco]

Hi All,

I have a lot of printers that are being installed in the next few months, so I made a script to change VLANs based on the vendor MAC address of the devices. I've also used this to quickly put computer labs or APs in the same networks.

If you think you could use this, please feel free to check it out here: github.com/robschn/mac-change-vlan

Usage

  1. Enter the vendor MAC of the devices. This is the first 6 hex digits of a MAC address and must be in Cisco format, HHHH.HH.
  2. Enter what VLAN you want all the devices to be in.
  3. Enter the IP of the switch the devices are connected to.

    Vendor MAC for the devices. Must be HHHH.HH format: 0000.0c
    VLAN would you like the devices to be in: 10
    IP of the switch the devices connect to: 192.168.1.1

Once you log in, the script will run a search for devices containing the vendor MAC. If a device is already in the VLAN you specified, it will not be added to the list.

    Username: cisco
    Password:
    Logging in now...
    Searching for MAC address...
    Found these interfaces: ['Gi1/0/3', 'Gi1/0/5', 'Gi1/0/9', 'Gi1/0/11']

If the interface is a trunk:

    Gi1/0/3 Skipping, port is a trunk.

Else:

    Gi1/0/5 Modifying, please wait... Done!
    Gi1/0/9 Modifying, please wait... Done!
    Gi1/0/11 Modifying, please wait... Done!

After the interfaces are done, it will write memory and exit:

    Writing to memory, please wait...
    VLAN changes completed!
    Exiting program...
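The selection step the script describes (find ports carrying a given vendor OUI, skip ports already in the target VLAN, skip trunks) can be reproduced offline from show-command output. The Python below is an added example, not the code from the linked repository: it assumes constructed "show mac address-table" and "show interfaces trunk" output, detects trunks from the latter (the post does not say how the script does it), accepts the OUI in the post's HHHH.HH form or with other separators, and renders the IOS commands rather than pushing them to a switch.

```python
import re

# Constructed sample of Cisco IOS "show mac address-table" output (not from the post).
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0000.0c12.3456    DYNAMIC     Gi1/0/3
   1    0000.0c9a.bcde    DYNAMIC     Gi1/0/5
   1    0000.0c11.2233    DYNAMIC     Gi1/0/9
   1    0000.0caa.bbcc    DYNAMIC     Gi1/0/11
  10    0000.0cde.adbe    DYNAMIC     Gi1/0/13
   1    a4b2.3c44.5566    DYNAMIC     Gi1/0/7
Total Mac Addresses for this criterion: 6
"""

# Constructed sample of "show interfaces trunk" output: Gi1/0/3 is an uplink.
TRUNK_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/3     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/3     1-4094
"""

MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)


def _port_key(port):
    """Natural sort key so Gi1/0/5 sorts before Gi1/0/11."""
    return [int(x) if x.isdigit() else x for x in re.split(r"(\d+)", port)]


def normalize_oui(vendor_mac):
    """Accept the post's Cisco-style 'HHHH.HH' (or 00:00:0c, 00-00-0c, ...) -> 6 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-f]", "", vendor_mac.lower())
    if len(digits) != 6:
        raise ValueError(f"vendor MAC must contain exactly 6 hex digits: {vendor_mac!r}")
    return digits


def parse_mac_table(text):
    """Yield (vlan, mac, port) rows from 'show mac address-table'; header/footer lines are ignored."""
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            yield int(m.group(1)), m.group(2).lower(), m.group(3)


def parse_trunk_ports(text):
    """Return the set of ports whose Status column in 'show interfaces trunk' is 'trunking'."""
    ports = set()
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 4 and t[3] == "trunking":
            ports.add(t[0])
    return ports


def select_interfaces(mac_table, trunk_output, vendor_mac, target_vlan):
    """Ports with a matching OUI that are not already in target_vlan, split into
    (ports_to_modify, skipped_trunks); both lists are naturally sorted."""
    oui = normalize_oui(vendor_mac)
    trunks = parse_trunk_ports(trunk_output)
    candidates = set()
    for vlan, mac, port in parse_mac_table(mac_table):
        if mac.replace(".", "").startswith(oui) and vlan != target_vlan:
            candidates.add(port)
    return sorted(candidates - trunks, key=_port_key), sorted(candidates & trunks, key=_port_key)


def render_config(ports, vlan):
    """Build the IOS commands the script would push; review these before applying them."""
    lines = ["configure terminal"]
    for p in ports:
        lines += [f"interface {p}", f" switchport access vlan {vlan}", " exit"]
    lines += ["end", "write memory"]
    return lines


if __name__ == "__main__":
    modify, skipped = select_interfaces(MAC_TABLE, TRUNK_OUTPUT, "0000.0c", 10)
    for p in skipped:
        print(f"{p} Skipping, port is a trunk.")
    print("\n".join(render_config(modify, 10)))
```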


Allow Android to get time but block internet access

Hello everyone, I'm a bit stuck: I want to let my users use our Android devices without access to the internet while having NTP enabled. Indeed, we found that Android seems to make some check against Google over HTTP to verify the integrity of NTP answers. And sadly I can't root my devices :/

Do you have any idea how I could achieve this?

Thank you in advance, best regards, ssoflashy



Office has Slow WiFi. Please help

Posting for a friend of mine.

My friend's small business has been having issues with WiFi speed and telephone systems. Comcast is telling him the incoming line is adequate and the problems persist with their networking equipment. The networking company points the finger at Comcast, saying the incoming speeds are slow and the lines need to be replaced. My friend is paying for the single access point "Business 150 Plan" but is left wanting more from the performance of their network speeds.

So finally my friend had a survey done on the WiFi and received the final test reports back. Being a layman, I'm not 100% sure how to proceed, so I figured I would ask some professionals here on Reddit for advice on how he should proceed. Below is a link to the network test reports. I really appreciate any and all help with this.

https://i.imgur.com/sNo5u0w.jpg



how to ping from PC of VLAN to local IP inside DMZ

Hi all, I'm using a FortiGate 100E with the configuration below:

- VLAN1 (IP 10.123.10.20) goes through WAN1
- VLAN2 (IP 10.123.20.20) and DMZ (default gateway 192.168.100.1) go through WAN2

I have set up a DMZ local IP for a PC as 192.168.100.20 and any PC in VLAN2 can ping this IP. But I can't ping from any PC in VLAN1 to the IP 192.168.100.20, even though I have set up the route policy from VLAN1 to DMZ the same as from VLAN2 to DMZ. However, I can still ping from VLAN1 to the default gateway 192.168.100.1.

Can you guys please help me with this case? Many thanks.



Get two VLANS to communicate with one.

If I have three VLANs on a Cisco layer 3 switch, let's just say 1, 10, and 20, and I want data to be able to move from 10<->1 and 20<->1, but not 10<->20, how would I go about this?

Here's a visual diagram: https://imgur.com/a/8PQm1wn



Large European Routing Leak Sends Traffic Through China Telecom

Just had this read: https://blog.apnic.net/2019/06/07/large-european-routing-leak-sends-traffic-through-china-telecom/

"Yesterday (6 June 2019), Swiss data centre co-location company Safe Host (AS21217) leaked over 70,000 routes to China Telecom (AS4134) in Frankfurt, Germany, some for over two hours.

China Telecom then announced these routes onto the global Internet redirecting large amounts of Internet traffic destined for some of the largest European mobile networks through China Telecom’s network. Some of the most impacted European networks included Swisscom (AS3303) of Switzerland, KPN (AS1130) of the Netherlands, and Bouygues Telecom (AS5410) and Numericable-SFR (AS21502) of France."

What are your guys' thoughts about this?

Is it really the case that China Telecom could have done something against this?



Possible Routing Issue

GM Reddit,

Hoping someone could give me some next-step ideas on an issue I am facing. I currently have a router/firewall-on-a-stick topology for my network. I have a WatchGuard M440 running the show. My network is pretty much all flat with about 5 VLANs. All VLANs plug into a port on the WatchGuard and each port has its configured IP as the gateway for the network.

The gateway IPs configured on all the interfaces on the WatchGuard end in .254. No static routes on the WatchGuard or on any of the switches.

192.168.10.x

192.168.20.x

192.168.30.x

192.168.40.x

192.168.50.x

I have added a SonicWall to my network going out a different WAN connection. My plan is to move some of the networks off the WatchGuard and over to the SonicWall. I want to leave my infrastructure subnets (servers, network equipment) on the WatchGuard for now. Let's say server infrastructure is 192.168.10.x and network infrastructure is 192.168.20.x. I added an interface to the SonicWall for the server infrastructure and network infrastructure networks that are on the same subnets as the WatchGuard.

SonicWall interface 1: 192.168.10.1

WatchGuard interface 1: 192.168.10.254

SonicWall interface 2: 192.168.20.1

WatchGuard interface 2: 192.168.20.254

On the SonicWall, it is physically connected the same way: flat VLANs directly from the switch to the corresponding interfaces.

When I change my personal laptop's gateway to 192.168.20.1 from 192.168.20.254 (because I want to go out this specific WAN pipe (SonicWall)) I am no longer able to communicate with the server infrastructure subnet (192.168.10.x). I have internet connectivity, but can't ping or RDP to any of my servers. Of course, if I add a second default gateway to my laptop pointing to the WatchGuard again, I can then communicate, but I'd like to get it working without this method.

The weird part is my DNS settings point to the servers on the server subnet and I can still resolve public domains on the internet. So it appears DNS is still working, but I can't ping, RDP, or manage my servers.

Hopefully this is enough information to start a conversation. Thanks!



Issues with Aruba Instant AP's (x-post sysadmin)

Hello dear Redditors,

I need help with our Aruba Instant APs, 'cause I'm really losing my mind.

We are having a couple of issues with a small-scale Aruba Instant AP network, most (if not all) of which are Aruba AP-92.

The main issue is that the access points frequently “kick” clients off the network, sometimes the Wi-Fi networks also go down / invisible, sometimes the network won’t let the users connect to anything (no internet, no local devices).

Another minor issue is that when they work, they’re unusually slow, in quite an odd way.

One way data transfer is fine. But everything else isn’t.

RDP is very slow. Server connections take a long time, and running reports on our ERP take much longer than on wired network.

This is our configuration:

  • We have two Wi-Fi networks, one for workers and one for guests (although the previous admin configured that as a workers network as well, don't ask).
  • These networks are being broadcasted from multiple AP’s distributed in 3 different buildings all connected through a high speed radio link.
  • All the AP users complain about being “kicked” off the network – Wired users don’t have any issue.
  • I haven’t seen a VC in the network.
  • No master AP has been configured.
  • The configuration has been the same for about four years or more, but the issue has been ongoing for about four months.

The master AP is usually assigned to a location that’s not where our main server is.

Last month I tried configuring one AP that was near our server as a master, but another admin reverted the change, rambling about me misconfiguring the AP, despite the fact that I've thoroughly followed the manuals.

I could provide some logs but they may have company info inside 'em, so I'll give them in chunks on request.

I’ve been “kicked” off the network like six times typing this, and a couple more times earlier this morning.

Log File #1

I could throw in some golds to the people who will contribute positively.



tkined error !

Good evening all, I'm wondering if someone here has used tkined for network mapping. I finally installed the application after all, but I can find the ip-tracking tool. What am I doing wrong? Or can you tell me some good programs for network mapping? Thank you all.



Thursday, June 6, 2019

Request: What questions do you ask candidates to try to understand their grasp of network design?

I'm sure more than a few of you saw my post this week about how to handle interviews, but in the process of giving a few this week, I realized I'd like to refine the scenario I present when interviewing about design.

To clarify, I'm trying to determine the candidate's ability to approach a given scenario and talk about one or more of the following:

  • How would you organize addressing?
  • How would you provide reachability in the provided topology? What routing protocols would you use? How would you handle internal and external connectivity?
  • As the network grows, what are some potential issues with the responses you've given? How might you change your answer if scalability and/or reliability are paramount?
  • What are the caveats to your proposals? Are there any tradeoffs I should be aware of?

Unfortunately I only have about 45 minutes to get insight into how candidates approach design. That means I have to try to strike a balance of depth vs. time. I feel like I've been able to do that well in the other areas where I normally conduct technical interviews, but so far I've been a little frustrated at how much time gets eaten up clarifying things when talking about design. I want to make sure a given candidate can talk about why they're proposing a specific solution, because there's almost never just one "right" way to do things, but I only have a limited amount of time to spend working with them on a given scenario.

I have a feeling my current scenario is too open ended. I'm providing candidates with a couple of small "data centers" (where services are hosted) that each have their own internet connection. I provide a L2 link between sites (to try to keep things simple) and have asked candidates how they would go about designing such a network in terms of the points mentioned above. I feel like I need to put more "rails" on the question, either by providing more initial assumptions/constraints or by making the initial scale of the question smaller.

Have any of y'all asked questions like this in interviews? I'd love to hear about approaches/typologies, and how they worked out (successful or not).



Fortigate Transit VPC vs AWS Transit Gateway

Hello there,

How are you? We are a healthcare company looking to move to AWS. Due to HIPAA compliance, we need extreme security at the edge of AWS. May I please hear from those who have deployed both solutions about the pros and cons? We are leaning more towards a FortiGate VPC setup.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.



"Skinny" cables

Looking at cables like these (https://www.fs.com/products/72229.html) in misc lengths for in-rack 10GBASE-T storage traffic. I can't find any reviews or reasoning to say that these would not work just fine. Is there something I am missing? I love how skinny these are and easy to work with. I use them for switch uplinks already.



How to monitor metrics for Azure ExpressRoute quote?

We are looking for numbers to estimate our bandwidth for O365 traffic in order to get a good idea of what kind of package we'll need for Azure ExpressRoute. Could I just monitor traffic to *.office365.com? Would this give me a good idea of what to quote?



Cisco AP Firmware

Hey,

Is there any way to get the autonomous mode/Mobility Express firmware for Cisco APs without the needed contract?
In my case it's the Aironet 2800 Series.

Regards!



OpenDNS flagging any new instance of Wordpress install as malware - Why?

Purchased a new domain + hosting (GoDaddy), site is able to be accessed fine at the home directory. Any new sub-directory that I install Wordpress on (from cPanel - fairly straightforward process) causes that subdomain to be blocked by OpenDNS for "malware". Any idea how or why this is? I've deleted and re-created the entire contents of the site (it's brand new, nothing of importance is on it yet) and I can't get around this issue.

Thanks



MPLS failover over VPN in a bad network design

Hi gents,

I'm working to find a solution on this topic, trying to keep the complexity as low as possible:

This is the layout:

https://imgur.com/a/3OJh9ph

I have a branch office provided with internet and MPLS connectivity and I need to fail over to an Internet VPN if the MPLS link goes down.

The remote branch office LAN needs to reach all the HQ subnets.

On the branch firewall I have the default route pointing to the MPLS router, tracked with an IP SLA that removes all its associated routes if the link goes down; at this point the VPN kicks in and traffic now flows into the VPN tunnel.

The problem comes in getting the traffic back from the VPN to the branch, because some of the subnets (VLANs 8 and 20) use the core switch as default gateway, which has a static route for the branch subnet pointing to the MPLS router.

The VPN instead terminates on an ASA firewall, which can route the traffic back for its connected subnet (e.g. VLAN 153, because of the lower AD) but not for VLANs 8 and 20; those get routed to the MPLS router in any case, because of the static route.

Any suggestion to accomplish the desired configuration?

My best idea right now is to start an IP SLA on the core switch that removes the default route to the branch in case of failure (pinging the branch firewall through MPLS) and let the ASA announce the routes learned from the VPN via OSPF.

Otherwise I can decide to overload all traffic coming from the branch to an unused NAT IP when coming from the VPN, but in that case I get a big management overhead (ACLs and so on) and a big loss in accounting, besides making the network design filthier.

Also, I can't do VTI with BGP and IP SLA directly on the ASA firewall, because of multicontext.

Any suggestion would be appreciated,

If something is missing or unclear please ask, I've tried to keep the explanation brief.

Edit: schema revision



Selfhosted smart/dynamic routing between linux POPs?

I have two POPs (A and B) which need to communicate with one another with as low latency as possible. A and B's default routing is extremely unreliable and slow. Negotiating better routes between A and B is unfeasible for several reasons.

I have two different POPs (C and D) with much more reliable links to both A and B. I would like to set up a redundant/smart reverse proxy which redundantly routes traffic from A to B through C and D depending on latency/packet loss.

I'm currently running a non-redundant reverse proxy through A<->C<->B which seems to do the job, but has an obvious single point of failure.

Does anyone know if there's any self-hosted solution similar to Cloudflare's Argo? Has anyone done anything similar? Layer 4 or layer 7 solutions are both welcome.



10Gb DC Grade switches with RJ45?

I'm having trouble finding a DC-grade switch with 10Gb RJ45 ports. Most of them (Cisco/SF/HP) all go with SFP+.

All of our servers come with RJ45 10Gb ports.

Is RJ45 viewed as unreliable for 10Gb?



Massive RE-IP effort. Curious to see others input on how to start.

So, I'll try to make this as short as possible while giving as many details as I can.

We are in the process of starting a large re-IP effort for both v4 and v6 blocks. I won't get into the whys, but unfortunately it has to be done. I'm going to use one block as an example. This is one v6 block out of about 50, and v4 is not quite as large but still large. We had our first discussions of how we will tackle this as a team yesterday, but I want to get a jump on it and wanted to get some input from all of Reddit land.

Let's say we have a v6 block of 2001:1:2:3:4:5::/96. These are used for all loopback addresses. Obviously, not every IP is in use. We have an IPAM app that is used to allocate IPs from a documentation point of view. It should be about 99% accurate. The thing is, our manager is asking for the following info (again, we have different block types, so not just loopbacks):

1) What devices it lives on

2) Interface description

3) Block size

My initial thought is to write a script. I wouldn't even know where to start though. I should break this down into manageable tasks, but it's still a bit overwhelming. Using the example, my first thought would be to do a ping sweep on that block. That's a boatload of v6 /128's.

I'm a bit lost. Any direction or recommendations would be appreciated.
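As an added example that is not part of the original post: rather than ping-sweeping a /96, one way to answer the three questions (device, interface description, block size) is to parse the device config backups, or an IPAM export, and report every interface whose configured address falls inside the block. The Python below is mine, written for this thread; the device names, descriptions and addresses in SAMPLE_CONFIGS are constructed, and the IOS-style stanza format is an assumption about what the config backups look like. It also covers the v4 blocks the post mentions, since the same code handles either family.

```python
"""Inventory the devices, interfaces and prefix lengths that use addresses
inside a block about to be re-IPed. Added example; the configs below are
constructed IOS-style snippets, not real devices."""
import ipaddress
import re
from typing import Dict, Iterator, List, NamedTuple, Tuple

# Constructed sample: device name -> running-config excerpt (made up).
SAMPLE_CONFIGS: Dict[str, str] = {
    "rtr-core-01": """
interface Loopback0
 description CORE-01 router-id / iBGP source
 ip address 10.255.0.1 255.255.255.255
 ipv6 address 2001:1:2:3:4:5::1/128
!
interface GigabitEthernet0/0/0
 description Uplink to ISP (outside the block)
 ipv6 address 2001:db8:ffff::2/64
""",
    "rtr-edge-07": """
interface Loopback0
 description EDGE-07 loopback
 ipv6 address 2001:1:2:3:4:5::7/128
!
interface Loopback1
 description EDGE-07 mgmt loopback, /127 for a legacy tool
 ipv6 address 2001:1:2:3:4:5:0:1000/127
""",
    "sw-access-12": """
interface Vlan10
 description Users (outside the block)
 ipv6 address 2001:db8:10::1/64
""",
}


class Hit(NamedTuple):
    device: str
    interface: str
    description: str
    address: str     # address/prefixlen as configured
    block_size: int  # prefix length of the configured address


INTF_RE = re.compile(r"^interface\s+(\S+)")
DESC_RE = re.compile(r"^\s+description\s+(.*)$")
V6_RE = re.compile(r"^\s+ipv6 address\s+([0-9a-fA-F:]+/\d+)")
V4_RE = re.compile(r"^\s+ip address\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")


def parse_interfaces(config: str) -> Iterator[Tuple[str, str, list]]:
    """Yield (interface, description, [ip_interface, ...]) for each stanza."""
    name, desc, addrs = None, "", []
    for line in config.splitlines():
        m = INTF_RE.match(line)
        if m:
            if name is not None:
                yield name, desc, addrs
            name, desc, addrs = m.group(1), "", []
            continue
        if name is None:
            continue
        if m := DESC_RE.match(line):
            desc = m.group(1).strip()
        elif m := V6_RE.match(line):
            addrs.append(ipaddress.ip_interface(m.group(1)))
        elif m := V4_RE.match(line):
            # IOS writes IPv4 as address + dotted mask; ip_interface accepts that form.
            addrs.append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
    if name is not None:
        yield name, desc, addrs


def find_block_users(configs: Dict[str, str], block: str) -> List[Hit]:
    """Return every interface whose configured address lies inside `block`,
    sorted by address. Works for a v4 or v6 block; addresses of the other
    family are skipped rather than compared."""
    net = ipaddress.ip_network(block, strict=False)
    hits = []
    for device, cfg in configs.items():
        for intf, desc, addrs in parse_interfaces(cfg):
            for a in addrs:
                if a.version == net.version and a.ip in net:
                    hits.append(Hit(device, intf, desc, a.with_prefixlen, a.network.prefixlen))
    return sorted(hits, key=lambda h: ipaddress.ip_interface(h.address).ip)


def report(hits: List[Hit]) -> str:
    """Plain-text table with the three columns the post asks for, plus the address."""
    lines = [f"{'device':<14}{'interface':<22}{'block':<7}{'address':<30}description"]
    for h in hits:
        lines.append(f"{h.device:<14}{h.interface:<22}/{h.block_size:<6}{h.address:<30}{h.description}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_block_users(SAMPLE_CONFIGS, "2001:1:2:3:4:5::/96")))
```

Feeding it real backups is a matter of replacing SAMPLE_CONFIGS with a dict built from the files on disk; the IPAM export can then be diffed against the result to find the 1% the documentation missed.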



TP-Link Managed Switch VLAN Issues

Hi all. So I've got a TP-Link SG3210 and I'm trying to set up VLAN networks. I'm having an issue with the switch where every time I select port 1 to be a trunked port, the switch basically locks up.

I've remoted into the console port about a dozen times and done a factory reset so that I can get the switch back to a state where I can actually IP back in and start configuring it, but every time I simply select "Trunk" for the port type on port 1, it locks up again.

Anyone have any insight on this? Is this just a software glitch or am I doing something wrong? Thanks!



Help in setting up mitmproxy

I was trying to set up mitmproxy on my Windows 10 laptop. I was able to install the mitmui and mitmdump but can't get past that. I set the proxy settings to 127.0.0.1 and port 8081, which were the defaults, in the browser. But I can't seem to access mitm.it for the further steps, and I am also not able to locate the certificate installed when the mitmproxy interface runs for the first time so that I can install it manually. Any help in the right direction would be useful, as I couldn't gather much from the documentation and other guides on this.



Advice: SFP+ to 10G-BaseT transceivers

Hi folks,

We run Aruba ProCurve switches (mostly 2540s and 3810s) and I was wondering if anyone has had any experience with SFP+ to RJ45 copper 10G-BaseT transceivers. The switch and the server are in the same rack, so no distance issues with 10G over copper.

Thanks.



Multi-vendor network management software

I'm after some recommendations on easy-to-use network management software/tools for a multi-vendor environment where there are Cisco routers, HP/Cisco/Dell switches, etc. The software needs to be easy to use to save network admins time and also give general sysadmins access to troubleshoot network-related problems, such as sysadmins who don't know the command line. Does something like this exist?



DNS across VLANs in IPv6?

I made a post on Super User but no one replied, so I'll try it here as well.

I have a small experimental IPv6 network, which looks like this:

https://imgur.com/a/p6zOrNw

With 2 clients connected to an L2 switch, and the L2 switch and an AD/DNS server connected to an L3 switch.

Now, I had the server connected to the L2 switch before, and with SLAAC + stateless DHCPv6 the DNS requests were all going fine and everything was working. Now I moved the server to its own L3 port and put both ports into different VLANs. Here's the problem: while the clients and the server can still ping each other, and IP autoconfig still works on the clients (the server has a static IP), DNS does not work anymore. I already changed the DNS server's IP in the L3 switch's config, but nothing I tried and looked up solved the issue. The server is on Windows Server 2012 R2, the clients on Windows 10 Pro, the L2 switch is a Netgear GS105E and the L3 switch a Cisco Catalyst 3560. Sorry for bad English, hope someone has an idea!



405 Error - Handling CONNECT requests with GCP Load Balancer

I'm rather new to networking so please go easy on me ;)

I'm having a problem getting a load balancer to forward CONNECT requests to an instance group in GCP.

Overview:

I set up instances in an instance group which act as a proxy server. They're running and individually operational (using their own IP addresses, what I expect to happen works perfectly)

However when trying to use the instance group with a load balancer (have tried TCP, HTTP2, HTTP and Network group resources) I get a 405 "The method CONNECT is inappropriate for this URL" for all of them.

Is there something I'm missing? I configured the firewall to accept all traffic (yes, I know this is dumb), set up affinity to route Client IP traffic to a known VM to keep sockets open, etc.

Thanks!



Calling all VAR Engineers

Hello all!

I’ve found myself curious as to the experience of others before in the VAR post-sales side. Would you all mind terribly answering the following:

  • Does your company have standardized design, implementation planning, meeting documentation?
  • Does your company utilize baseline engineering practice standards or is it up to the lead engy and “best practice”?
  • Are you rotated in/out of a billing status?
  • Is there a global knowledge archive for all customer engagement, product info, “gotchas”?
  • Your most common customer type?
  • What are some pain points YOU have in your project process or customer engagement process?
  • Your company size (statewide, regional, national, global, etc)


NX-OS and EEM Scripts - Use Cases?

So I've run into EEM scripting once or twice, first via TAC and then through some additional reading of my own. I find it interesting (at least in theory as the TAC guy couldn't get it to work right).

I was wondering if anyone had any good use cases where they have seen them deployed and what they were trying to do with them. I'm always up for suggesting new things to my management in an effort to reduce workload, provide better information, etc...

Thanks!



How to connect Ryu SDN controller to Alcatel Lucent OS6860E

Hello,

As in the title, I want to connect the Python-based Ryu controller to this switch with OpenFlow 1.3, and it is possible because it once worked, but I don't know why. Here's what I am doing (the VLAN already exists, there is regular connectivity between the machines, etc.):

On the switch:

- openflow logical-switch vswitch mode api version 1.3.1

- openflow logical-switch vswitch controller IP:PORT

On the controller:

- ryu-manager ryu.app.simple_switch_13

Ryu starts OK, but there is no connection between switch and controller. I've tried to search the internet for the answer, but almost all tutorials use Mininet, not a regular switch.



DevOps in Networking - Automation in your workplace

Is anybody currently using any automation within their network infrastructure? Is your company taking the step towards automation and DevOps?

I ask as I've been put on some training for AWS and Automation. Would love to see if anyone out there is currently going through the same change and how they are implementing it.



ASR920 and Nexus 7k port-channel

Hey all,

We're recently moving from a ME3400e to an ASR920 for our edge. We normally have two layer 2 links running in a port-channel to our core from the ME3400. The core is two Nexus 7010's running VPC.

Current configuration with ME3400e is below;

interface Port-channel1
 description [Global] LACP link to Core
 port-type nni
 switchport trunk allowed vlan <customer vlans>
 switchport mode trunk
 spanning-tree portfast trunk
end
!
interface GigabitEthernet0/1
 description [Global] Uplink to Core01
 port-type nni
 switchport trunk allowed vlan <customer vlans>
 switchport mode trunk
 udld port
 channel-group 1 mode active
 service-policy input PMAP-QoS-IN
end
!
interface GigabitEthernet0/2
 description [Global] Uplink to Core02
 port-type nni
 switchport trunk allowed vlan <customer vlans>
 switchport mode trunk
 udld port
 channel-group 1 mode active
 service-policy input PMAP-QoS-IN

As we can see with the following output, layer 2 port channel is up on me3400;

Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi0/1(P)    Gi0/2(P)

Current configuration with Nexus core is below;

interface port-channel60
  description vPC link to Edge
  switchport
  switchport mode trunk
  switchport trunk allowed vlan <customer vlans>
  spanning-tree port type normal
  spanning-tree guard root
  no lacp graceful-convergence
  vpc 60
!
interface Ethernet2/6
  description vPC 60 link to Edge
  switchport
  switchport mode trunk
  switchport trunk allowed vlan <customer vlans>
  udld enable
  channel-group 60 mode active
  no shutdown

As we can see with the following output layer 2 port channel is up on Core01 (core02 is the exact same config);

Flags:  D - Down        P - Up in port-channel (members)
        I - Individual  H - Hot-standby (LACP only)
        s - Suspended   r - Module-removed
        S - Switched    R - Routed
        U - Up (port-channel)
        M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port-       Type     Protocol  Member Ports
      Channel
--------------------------------------------------------------------------------
60    Po60(SU)    Eth      LACP      Eth2/6(P)

Now we move to the new ASR920 and Nexus Core configuration, first the ASR920;

interface Port-channel1
 description [Global] LACP link to Core
 no ip address
 spanning-tree portfast trunk
 service instance trunk 1 ethernet
  encapsulation dot1q <customer vlans>
  rewrite ingress tag pop 1 symmetric
  service-policy input PMAP-QoS-IN
  bridge-domain from-encapsulation
!
interface TenGigabitEthernet0/0/24
 description [Global] Uplink to Core01
 no ip address
 udld port
 ethernet dot1ad nni
 channel-group 1 mode active
end
!
interface TenGigabitEthernet0/0/25
 description [Global] Uplink to Core02
 no ip address
 udld port
 ethernet dot1ad nni
 channel-group 1 mode active
end

From below output we can see that the port-channel is up as Layer 3, not layer 2 on the ASR920;

Flags:  D - down        P/bndl - bundled in port-channel
        I - stand-alone s/susp - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(RU)         LACP      Te0/0/24(bndl) Te0/0/25(D)

RU - L3 port-channel UP State
SU - L2 port-channel UP state
P/bndl -  Bundled
S/susp  - Suspended

The Nexus core config is exactly the same for the ASR920, just a different interface, so I won't post that again, but the port-channel for the ASR920 on the Nexus side is up at Layer 2. So the issue I am having here is that the link appears to be going down, because one side is Layer 3 and the other Layer 2. Wondering if anyone has any insights into what's going on here?



Newbie question

Hey guys. Right now I am learning Linux and programming. So I am dipping my toes into all of this and it is really fun. Due to my future career (probably, at least) it would be really good for me to know networking and how all of this really works. I couldn't find a course which would teach me everything about networking from the ground up. Since I am a newbie, I began looking up more and more, which left me more confused than anything. Do you guys have any good sources/courses as a recommendation? Or any recommendation really. Thanks in advance.

EDIT: I wanna learn how networks work, how the internet works from the basics.



Wednesday, June 5, 2019

RDP into PC on a shared Ethernet port from servers second NIC

So basically I have a Dell r710 and I'm too cheap to buy a Gigabit switch so I hooked my second machine that I wanted to use into one of the remaining ports on the dell and turned on shared ethernet in windows. It works great! It was super quick and easy but I have one problem.

I can't figure out how to RDP into the machine plugged into the Dell. It's basically on its own LAN, I see, but I was wondering if there was a way to get to the second machine from my main desktop that's completely separate from this setup.

The desktop is on the same LAN as the Dell server but not as the second machine?

Sorry if this doesn't make any sense, but thanks for any help you all can offer!



How to add 2VLAN connection to a Port in a Managed Switch?

Model: T2600G-52TS (TL-SG3452)
Hardware Version: V3
Firmware Version:

Hi, 

So we have 1 managed switch to Bldg. B, and a UniFi UAP-AC-PRO set up with VLAN30 and VLAN40 options.

Our Local LAN is 10.10.6.x 

VLAN 30 is 192.168.30.x

VLAN 40 is 192.168.40.x

We do have 2 internet connections

Default Gateway 1 is 10.10.6.10

Default Gateway 2 is 10.10.6.9

We added the 2 default gateways  and set an IP of 10.10.6.245 for the Managed Switch.

I can ping the Access Point but no internet

Maybe adding VLAN30 and VLAN40 to the port where the access point is plugged in can solve the problem... but can you add 2 VLANs to a port?

Any tips on setting this up? Thank you



Has anyone successfully replaced MPLS lines with SDWAN+Multiple Broadbands?

I recently got a new boss come in and he just about hit the ceiling when he saw we were spending $1,000 a month per MPLS line in the business. We explained that we used it for latency-sensitive traffic like PCoIP and VoIP, but he's very dead set on reducing cost by using cheap SD-WAN boxes and getting two or three plain (read: cheap) broadband lines.

So far we've done this in three sites and all three are worse than they were to start. Average latency spiked from 40ms internally to 100ms or more. Citrix says it isn't their SDWAN box (it's never Citrix, right?), Juniper says it isn't their SRX/EX devices, and the ISPs are plugging their ears. We've overhauled the QOS rules and path balancing (duplicating traffic, marking paths bad if above X utilization or latency), still nothing.

A part of me just wonders if it can't be done.

Has anyone successfully cut out MPLS?



Fiction Research Request: Will wired networks always be more secure than wireless and creating a private internet

Thanks for any insights.

This story takes place in 2065 and the two characters (minor criminals) are members of a guild. They need to converse securely, and to do so, they enter a dream-like state that's something like technologically assisted lucid dreaming with networking. So, to be clear, they aren't in the same room when they do this.

My question is, how feasible would it be (as near as you can guess, given this is decades into the future) for this guild to basically create its own private Internet so that they don't have to use "the Internet" to send secret communications? A sort of dark web that others cannot access but that is supported by an infrastructure of physical cables within the city? I'm assuming they would not want to use wireless communications.

Or, if they had their own satellite in orbit, might that then make it safe for them to do this wirelessly? (keeping in mind that anything can be hacked with enough will and time...I'm assuming).

Quantum computing exists in this world, which I imagine makes a difference, but I'm no expert.



Firewall, switch and access points. How to setup a guest and private network?

For a small building, a small Cisco switch and Cisco firewall and a couple of access points. How would I go about programming a guest network and an internal network?



Database with dhcp leases over the last 5 years from a public wifi network. 70m+ What to do?

I'm in the process of shutting down my App Engine app that was logging all leases on one of my public networks. Over 70 million records total, which include private IP, MAC address, timestamp, and a boolean for whether the lease bound successfully. If I had all the time in the world I'd try to use this to find traffic patterns, busiest spots, repeat devices, etc. But I don't have time. Is it OK to give this out to the world for big data to use as example data? Or would that violate some privacy laws? There is no redirect/accept-terms page when connecting to the wifi.
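As an added example that is not the poster's code: the MAC address is the direct identifier in a dataset like this, so the usual step before sharing it is to replace each MAC with a keyed hash (so repeat devices stay linkable but nobody without the key can map a token back to hardware) and to coarsen the timestamps. The Python below is mine; the records in SAMPLE_LEASES are constructed in the shape the post describes, and the field names are assumptions. Whether this is enough depends on what else about the venue is public, which is the usual re-identification caveat.

```python
"""Pseudonymize a DHCP-lease export before it leaves the data owner. Added
example; the lease records are constructed, not from the poster's app."""
import hashlib
import hmac
import secrets
from datetime import datetime
from typing import Dict, List

# Constructed sample records in the shape the post describes:
# private IP, MAC, timestamp, and whether the lease bound successfully.
SAMPLE_LEASES: List[Dict] = [
    {"ip": "10.20.1.15", "mac": "a4:5e:60:12:34:56", "ts": "2019-06-01T08:12:33Z", "bound": True},
    {"ip": "10.20.1.16", "mac": "3c:22:fb:ab:cd:ef", "ts": "2019-06-01T08:13:02Z", "bound": True},
    {"ip": "10.20.1.15", "mac": "a4:5e:60:12:34:56", "ts": "2019-06-01T17:40:10Z", "bound": False},
    {"ip": "10.20.1.17", "mac": "A4-5E-60-12-34-56", "ts": "2019-06-02T09:01:44Z", "bound": True},
]


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon-separated form, so one device gets one token
    regardless of how the logger wrote it (A4-5E-.. vs a4:5e:..)."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def pseudonymize_mac(mac: str, key: bytes) -> str:
    """HMAC-SHA256 of the MAC under a secret key, truncated to 64 bits.
    A plain unkeyed hash would not do: the 48-bit MAC space (far less once the
    vendor OUI is guessed) is cheap to enumerate, so anyone could invert it.
    With the key kept by the data owner, tokens stay linkable within the
    dataset but cannot be mapped back to a hardware address."""
    tag = hmac.new(key, normalize_mac(mac).encode(), hashlib.sha256).hexdigest()
    return tag[:16]


def bucket_timestamp(ts: str, minutes: int = 60) -> str:
    """Floor an ISO-8601 UTC timestamp to the start of its bucket so exact
    arrival and departure times are not released."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    total = dt.hour * 60 + dt.minute
    floored = total - total % minutes
    dt = dt.replace(hour=floored // 60, minute=floored % 60, second=0)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def pseudonymize_leases(leases: List[Dict], key: bytes, bucket_minutes: int = 60) -> List[Dict]:
    """Return a shareable copy: MAC replaced by a keyed token, timestamps
    bucketed, the raw MAC dropped. The private IP is kept because it only
    identifies a pool or AP inside the owner's own network, which is what
    busy-spot analysis needs."""
    return [
        {
            "device": pseudonymize_mac(rec["mac"], key),
            "ip": rec["ip"],
            "ts": bucket_timestamp(rec["ts"], bucket_minutes),
            "bound": rec["bound"],
        }
        for rec in leases
    ]


if __name__ == "__main__":
    # Fresh random key. Store it apart from the released data, or discard it
    # if you will never need to link new records to the old tokens.
    key = secrets.token_bytes(32)
    for row in pseudonymize_leases(SAMPLE_LEASES, key):
        print(row)
```

The same device appears under one token across all its leases, so "repeat devices" analysis still works on the released copy, while the hourly buckets and the missing key are what stop anyone from turning a token and a time back into a person.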



Disable diffie-hellman-group1-sha1 on older hp switches

Hi

I am trying to change the key-exchange diffie-hellman-group1-sha1 to diffie-hellman-group14-sha1 on a bunch of varying models of HP switch.

They don't seem to offer a command to change the key-exchange. My googling ability isn't working so well here, does anyone have any thoughts or do I just need to have the company replace the switches before this can be addressed?

The majority of the switches are ProCurve 2910/2920

Some other models:

J8697A

J9148A

J9729A

J4899B

J9088A

J9729A



Nexus 9K - NX-OS vs ACI

All,

I have done some reading on various threads here as well as checked out some videos and articles to get a feel for it. However, with that and some meetings with my VAR and SE, I still feel confused on the direction to take here. I'd appreciate input as well as suggestions on what resources to look at.

My background: 6 years of campus LAN/WAN (L2 and L3 to the access), ASA/PAN, ISE, some wireless, etc. For the Data Center, I have done Nexus 5K with 2K in vPC/HSRP, but I was more administering that (not engineering) and getting used to NX-OS as well as the UCS and FIs. Looking back, I'm lucky to not have broken much. I have been in the new environment for 2.5 months and getting up to speed with things. There's some knowledge gap as the long-term engineer/architect of 20+ years is no longer with us unfortunately (hence the position opening).

Current Situation:

-Data Center with non-Cisco core setup in that vendor's vPC equivalent. 2 chassis in the cores + 17 or so ToR switches. It's stable but aging and nearing complete EoL.

-The downstream switches where the servers plug into are connected to each core over that 'vPC' trunk. The SVIs live on the core, but each stack (1-5 switches) has unique VLANs.

-The WAN connections land on Catalyst switches, several routers are the BGP peers with these SPs, and there is a full-mesh iBGP configuration internally

-The firewalls plug into various DMZ switches (non-Cisco)

-Some servers plug directly into the core

-We have a second DR DC, but most of the storage/compute is rented during scale-up for testing. There's some switching there in an isolated environment that contains the same Layer 2 and Layer 3 VLANs and subnets, but it requires shuffling of cabling and other configuration modifications. We do not expect to have Active/Active DC due to the lack of infrastructure, but it would be nice to streamline the DR testing.

-Our team does not touch the storage/compute gear. It's not UCS and it is not part of this project, so it is being left alone

Design Considerations:

-Looking at pure Spine/Leaf with the N9Ks looks good, but I feel like we'll struggle with the L2 to L3 struggle due to the sprawl of the VLANs. How do we overcome this? We're talking 200+ port density for a single VLAN. Each Leaf appears to be its own L3 segment, so it seems like a similar issue to bringing routed access to the IDFs

-My VAR tried to tell me most people stick with L2 in the DC, but this seems wrong to me. He kept bringing up vPC, but that would be L2 and not L3 routed, which although would make this migration easier, would not be future-proofing

-ACI keeps coming up - My team does not have much Nexus experience, and he made it seem like going ACI is a learning curve with or without that experience, so it was a non-issue. However, having the two DCs and not expecting Active/Active seemed like it would double me up on APICs. I'm also concerned because the concepts of Bridge Domain, EPG, IS-IS, are foreign at the current moment.

-Potential ACI Benefits

- There is a desire to have more visibility and micro-segmentation of DC traffic (user to server as well as server-to-server). ACI seems to lend itself nicely to achieving that, albeit with some additional bolt-ons and a greater understanding of the server environment than I currently have. Also, the orchestration and automation aspects may be time-saving, given our team consists of two to three people supporting around 1500.

I'm currently going through CCNA Data Center material and trying to get up the speed. At the end of the day, I'm finding the DC networking to be a little overwhelming. I just haven't used the overlays like VXLAN in the past and a lot of other things come up which are new concepts to me. I have VIRL and dCloud access for virtual NX-OSv configuration as well as CBTNuggets, but I feel ill-prepared to make any decisions yet.



Is that possible to set vpn routing in my situation?

We have 2 sites (Site A and B; Site A is 192.168.4/24 and B is 192.168.5./24, both with a VPN router and a real Internet IP) with a card access system. Site A is the one that has the card access server storing all user information. We have a Site B where we want to install a card access device. The card access server uses port 1740 to call the card access device and the card access device uses port 1750 to call the card access server. On both sides we have real Internet IPs. The saddest thing is that the card access server software has no VPN routing function inside.

I read some things about VPN routing on the Internet. Usually it is set on one side's VPN router with a true IP. Then the remote program can point to that true IP and it works. But our server software doesn't have such a function; it can only do a broadcast on port 1740 to find the devices, and we must work out everything at the network level.

Thanks for any advice.



DHCP web interface alternatives to webmin

Hello, I'm installing a DHCP server on CentOS 7 and I'm looking for an alternative web interface (tried Webmin but very unsatisfied so far...). Does anyone have any suggestions? Thanks in advance.



Cisco WLC + 802.1x + LDAP - Without RADIUS

Hey all, wondering if anyone could lend some knowledge here.

We are moving from WPA2 on our Cisco WLC 3504 and towards 802.1x. The head of the Engineering team wants EAP-TLS to be used in conjunction with LDAP for auth against our DCs.

I have set up the WLC side of things with instructions found here, but as we are not using a RADIUS server, I can't find any great instruction sets to set up the certificate side of things.

All endpoint machines are MacBooks and I will distribute the certs via Jamf, but wondering how generation of the certificates occurs.

Any help would be greatly appreciated.



Best practice for IP SLA convergence with BGP?

Hello, we're in a remote area, fairly isolated on an island. We occasionally experience outages downlink on our ISPs who each have their own infrastructure. Neither will support BFD although it's not really a solution for this problem.

I'm looking to track 5 SLAs with 20/80 thresholds and then use the EEM to alter the route.

Since I'm not actually down between me and the neighbor (ISP), what would be the best approach? Should it be something in BGP router config? Like removing the neighbor remote maps? Or would it be a good idea to change path prepend and local preference on outbound and inbound route-maps for the primary ISP?

Or maybe I could have a route-map for backup ISP with lower permit that has no prefix-list filter, and the EEM inserts/removes the prefix-list?

Primary ISP is much faster, and backup ISP is only used in cases of failover so currently the local preference is lower on the backup ISP, and backup ISP is also path prepended 3 times, and all traffic is going through primary ISP.



Cisco ASA: Service-policy on a Tunnel Interface?

Is it possible to do something like below:

service-policy tcp_bypass_policy Tunnel2

service-policy tcp_bypass_policy inside

The service-policy on a physical interface works fine, but when I want to apply this to a Tunnel interface the option is not available. Not sure if it's a bug, or a known "does not work".

The reasoning behind this is that we want to have dual vpn tunnels from an ASA to Azure (active-active vpn's to minimise downtime), but struggling to get this working over VTI's. With physical interfaces we could group interfaces into "zones" but you cannot do that with VTI's, so was hoping to achieve the same by using tcp_bypass



Yealink T41P + SLM224P, Voice works, no data (vlan question)

I used to configure switches in another life, and tried to pick this up for my current employer. I think everything has been set up properly, but the phone company (who don't configure switches) seems to be stonewalling me with "It works on our end, it's your problem". I was wondering if someone could help me look at my port assignment and maybe see something obvious going wrong on my end.

https://i.imgur.com/5kh8RQV.png is my noted-down VLAN assignment (tagged, untagged, excluded).

There are 3 VLANs (1, default - 10 data - 20 voice); voice works, but connecting a PC to the phone will give it a 169..... IP address. Phones are configured in the web interface with VLAN 10 as data for the PC. All the data-only ports are working fine, but the combined ones (1 through 6) are the issue for me.

Port configuration -> https://i.imgur.com/7sIEfDQ.png, should I be switching PVID to 10, and make them untagged on the VLAN assignment maybe?

I've read the rules and I don't think it's infringing; if it is, maybe you could suggest a different subreddit before deleting the post!

My last conclusion would be that the RouterBoard (maintained by the phone company) has port security enabled, disabling double MAC addresses (but I don't know if that is still a thing?)

Thanks!



Show cli command history Cisco ACE

Hi guys,

Does any of you know how to show the CLI command history on a Cisco ACE load balancer? :)



Can anyone recommend decent cloud guest wifi onboarding provider?

hi folks.

I hope this is in the right spot.

Need a decent guest wifi onboarding cloud provider for a couple of use cases. Will not be anything big, just in case I need a bit more than our regular setup provides.

There are so many (purple.ai, volare splash, etc.) out there, but none of them have really caught my eye. Does anyone have good experience with some and can recommend?

needs:

a) EZ as possible captive splash page design; would prefer to give access to the end customer to design it themselves. Multi-tenancy would be awesome ofc, so I can give different users different access to their own sites.

b) compatibility with major social logins, SMS and E-mail registration

c) some analytics would be nice, but deep stuff not important. marketing/campaign crap is out. Again, EZ is priority, would give access to customer themselves.

d) works okay with Aruba Instant wifi gear

e) API functionality in case someone needs to integrate with some PMS etc

Doesn't need to be free, paid option is very much okay if reasonable.



Urgggghhhh Phones Not Respecting DSCP😵🔫

Yealink Phones configured with DSCP 46/EF, a wireshark trace shows phones are sending 0/BE in the tag. A day in the life of a network engineer ! 😂🤷‍♂️ I love my job really, it’s the moments like these when the cause of an ongoing issue is found, corrected and customer is super happy 👌👌



Private Isolated VLAN & non-PVLAN Trunk ports

Here is my issue: I am trying to stop client A from talking to client B. I have Guest Isolation enabled on my UniFi APs and it works, BUT only when two clients are on the same AP. If I have clients connected to two different APs they can talk to each other. I want to set up PVLAN isolation on my switch to prevent the 2 clients from talking while on different WAPs.

The issue I run into is getting my non-private VLAN 99 traffic untagged on those wireless AP uplinks. Once I change those ports (GE1/15, 16 or 17) from “Trunk” to “Private VLAN – Host” I am unable to add VLAN 99 as anything other than a community VLAN. Not sure what I am doing wrong here. Seems like a common setup, but I just can’t get it working 100%.

I essentially need to convert my LAG (GE1/15 & 1/16) & GE1/17 to a type of port which contains tagged traffic from my Private VLAN400/Isolated VLAN410, but also is configured so that any untagged traffic is VLAN99.

Hope this makes sense, thanks in advance!

PS…. The gear I have in place is the gear I have in place. I can’t change the switch, APs or firewall. I also know this isn’t a catalyst switch and might be limited but to limit this specific functionality doesn’t seem right.

Here is my horrible network diagram: https://snag.gy/iNeqyP.jpg

Here are my VLAN descriptions:

· VLAN 10 – Default VLAN, connected to X0 on SonicWALL

· VLAN 99 – Wireless Access Point Management VLAN, connected to sub interface on X0. This VLAN needs to allow devices on it to communicate with each other and need to be able to connect to the internet.

· VLAN 100 – Network Management VLAN, connected to sub interface on X0. This VLAN needs to allow devices on it to communicate with each other and need to be able to connect to the internet.

· VLAN 400 – Primary Private VLAN for my isolated VLAN 410

· VLAN 410 – Private Isolated VLAN - Guest Wireless VLAN, connected to X2 on my SonicWALL. Devices on this VLAN need access to the internet only, they should not be able to talk to any device on their own VLAN or any other VLAN. Essentially, I would just like these devices to access the X2 SonicWALL Gateway IP

· VLAN 500 - Primary Private VLAN for my isolated VLAN 510

· VLAN 510- Private Isolated VLAN - Guest Wired VLAN, connected to X3 on my SonicWALL. Devices on this VLAN need access to the internet only, they should not be able to talk to any device on their own VLAN or any other VLAN. Essentially, I would just like these devices to access the X3 SonicWALL Gateway IP

Here are my switch port descriptions on my Cisco SMB SG350 switch:

· GE1/3 – Uplink to SonicWALL X0 interface & 2 x SonicWALL Virtual Interface VI:99 & VI:100. Trunk port, VLAN 10 UnTagged, VLANs 99/100 Tagged

· GE1/4- Uplink to SonicWALL X2 interface – Private VLAN Promiscuous port, Primary PVLAN 400, Isolated VLAN 410

· GE1/5- Uplink to SonicWALL X3 interface – Private VLAN Promiscuous port, Primary PVLAN 500, Isolated VLAN 510

· GE1/15 – Uplink to UniFi HD wireless access point – member of LACP LAG#1. This is a port I am having issues with. I need VLAN 99 (a non-private VLAN) to be the untagged VLAN of this LAG BUT I also need the Primary PVLAN 400 & Isolated VLAN 410 tagged on this port. My AP’s will tag client traffic as VLAN 410

· GE1/16 – Uplink to UniFi HD wireless access point – member of LACP LAG#1. This is a port I am having issues with. I need VLAN 99 (a non-private VLAN) to be the untagged VLAN of this LAG BUT I also need the Primary PVLAN 400 & Isolated VLAN 410 tagged on this port. My AP’s will tag client traffic as VLAN 410

· GE1/17 – Uplink to UniFi AP Pro wireless access point. This is a port I am having issues with. I need VLAN 99 (a non-private VLAN) to be the untagged VLAN of this LAG BUT I also need the Primary PVLAN 400 & Isolated VLAN 410 tagged on this port. My AP’s will tag client traffic as VLAN 410

Much thanks in advance!!!



Taken on a network that's flat

Hello, I've taken on a network in a school that's flat apart from a VLAN for the phones.

I have no real skill in networking at all, but I know enough to know that I don't know enough to sort this :). The switches are all HP 2920s and the core switch is an HP 5412.

From what I've read, it'd be great to have servers, printers, physical security devices (gates, doors) all in their own VLANs (or one other VLAN) - can someone offer their opinion on this?

My other question is, what would be the best route to have someone come and sort this - is there a place to find network consultants/freelancers, or would it be best contacting an MSP? Or is it worth me picking up a book and learning it all?

Thanks



Tuesday, June 4, 2019

cisco IOS XE autoqos trust dscp -- what is it doing? :)

When I apply auto qos trust dscp to our wan interface, the switch applies an input policy:

policy-map AutoQos-4.0-Trust-Dscp-Input-Policy
 class class-default
  set dscp dscp table AutoQos-4.0-Trust-Dscp-Table

We noticed this policy seems to be remarking some qos packets marked with EF down to CS5. Does anyone know what is happening here?



Networking for big cloud provider?

Does anyone work for a big cloud provider on their network team? What is your day to day like? What hardware vendors do you use? What skills do you value that are different from traditional network engineers?



What are the advantages/disadvantages of using a spine-leaf networking design?

What are the advantages/disadvantages of a spine/leaf topology, and when and where should I use it?

I can surely Google it, but I would like to know what other folks think of it.



IPv6 Deployment Security vs IPv4?

So I've been working as an ISP, getting IPv6 implemented on my edge (been up 40 days now!), and now getting it into my lab access network. Before I start building out further, I was curious what I should do differently from IPv4 to be mindful of security for my equipment and services.

I was going to basically just finish building, put the vpnv6 out there, and then build out some ranges to get my DNS servers turned up to resolve from. But turning this up on my firewalls and all, I can't imagine it's any different strategy-wise?

Thoughts/input/concerns would be appreciated. After a world of IPv4, I want to get IPv6 up and going as an alternative to CGNAT for people finally.



Connecting Aux port to NGFW console.

I need a few bits of info if anyone can provide it. I am attempting to connect to an NGFW console port from a Cisco r4300 aux port and I am unable to do so properly. When I connect I'm just getting ÿÿÿÿÿÿÿÿÿÿÿÿ from any input I give it.

Here are my settings.

   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
*    1    1 AUX 115200/115200- inout     -    -    -   116      1     0/0    -

Line 1, Location: "", Type: "xterm"
Length: 54 lines, Width: 230 columns
Baud rate (TX/RX) is 115200/115200, no parity, 1 stopbits, 8 databits
Status: Ready, Connected, Active, Modem Signals Polled
Capabilities: EXEC Suppressed, Modem Callout, Modem RI is CD
Modem state: Ready
Modem hardware state: noCTS noDSR DTR RTS
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -      none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               00:15:00        never                        none     not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Modem type is unknown.
Session limit is not set.
Time since activation: 00:03:09
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are pad telnet rlogin ssh.
Allowed output transports are pad telnet rlogin ssh.
Preferred transport is telnet.
Shell: enabled
Shell trace: off
No output characters are padded
No special data dispatching characters



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Zyxel SBG3300

Hello.

Has anyone had any problems with the Zyxel SBG3300?

Router seems to randomly drop the network, including Ethernet and WiFi. DSL will stay up but all LAN is dropped for around 15 seconds at a time.

Seems to happen once every few days. I'm starting to think I need to RMA the device. I've factory reset a few times and set up my VLANs again, but it still continues. Also unable to ping the device during the strange event. Wondering if it is an overheating issue, but the device is out of direct sunlight etc.

Thanks!



DNS choices

Is it better to use individual DNS servers? Thinking about using Level 3 for primary and Google for secondary



Anyone have experience decoding "show cpu profile dump" from an ASA?

Just curious to see what methods can be used.

Specifically I am looking to figure out which DATAPATH feature is hogging CPU.



EPC Architecture

Sorry if this is the wrong sub to ask this question. I am curious to learn more about the specific hardware used in modern EPC architecture. I am an intro radio hobbyist and am specifically curious about what type of hardware/vendor makes base station antennas/etc. I did some research and it seems like ASR-5Ks are the preference inside the EPC for things like the PDN-Gateway and Serving Gateway.

Would appreciate any resources or insight from any ISP folks.

Thanks!



Cisco ASA, RSA Token Authentication & Server 2012 LDAP issues

Alright so .. I am in the middle of implementing RSA Token for VPN access. We have a SOC who I am working with and were able to set up the AnyConnect client as well as authentication between the ASA and our DC. The issue I am having now is when I try to log in with an AD account on the VPN, the ASA can successfully authenticate and pass the request to our Server 2012 DC, but the server terminates the response back. I've run Wireshark and changed the logging reg key for LDAP and I'm seeing TCP resets, but I am hitting a dead end. Any suggestions? We do have a Forcepoint Web Filter, but we have a policy that allows the servers unrestricted access, nothing being filtered. Logs in there show nothing.



I need to configure a Ubiquiti radio to work as a bridge in router mode

Setup looks like this: MikroTik router -> Ubiquiti AP (bridge mode) -> Ubiquiti client radio (bridge mode) -> customer supplied router.

I want to use my MikroTik (DHCP server enabled) to shape traffic to the customer's router. Our provisioning software (Sonar.software) uses address lists and Mangle Queues to limit bandwidth and it works great. However, I can't rely on the MAC of the customer's router to stay the same, as they can replace it at any time. I have been able to shape traffic with the client radio in router mode as it has an IP in that mode. However, I need to eliminate that layer of NAT, as many users have issues with gaming systems, etc., with double and triple NAT. I would like to configure the CPE radio (airOS firmware version current) in router mode but functioning as closely to a bridge as possible. Again, the primary focus here is eliminating NAT from the radio's configuration.

I've seen a post talking about using DHCP relay and a static route but it is a bit over my head.

I worked on getting DHCP option 82 working correctly as this is a typical solution to this provisioning issue but from everything I've read and experienced, this feature is SUPER beta on airOS at this time. I'm skipping it.

Any input is much appreciated.



Saw at a customers today - I can’t make this shit up

Was doing an AP upgrade for a local customer of mine (I do freelance IT services on the side). So I was checking the drops and the switch ports to make sure everything would go smoothly.

Something didn’t seem right, so I went to the attic, and here they have a cable run with 10 network cables coming from each of the UniFi APs going to 2 Netgear dumb switches instead of just fucking running them to the MDF with the core switching infrastructure. If that wasn’t bad enough, these switches were sitting RIGHT NEXT to the heating ducts, their entire heating system etc.

IMO it was only a matter of time before something caught fire. Anybody have a bottle of gin I can “borrow”?



Netmiko copy tftp script not working

from netmiko import ConnectHandler
from getpass import getpass
import ipaddress
import time
from ipaddress import IPv4Address, IPv4Network
from datetime import datetime

# Connection parameters for the router (lab credentials as posted)
rtr1 = {
    'device_type': 'cisco_ios',
    'ip': '172.28.1.1',
    'username': 'test',
    'password': 'test',
    'secret': 'test',
}

net_connect = ConnectHandler(**rtr1)
net_connect.enable()

# The trailing "\n" is meant to answer the "Destination filename" prompt
output = net_connect.send_command('copy tftp://172.28.1.26/new_99_rtr.txt flash' + "\n")

print(output)

Hello folks, no matter wtf I do, I just can't get this script to copy a file from the TFTP server to the router. I think it's all because of that 2nd enter/return I need to push to copy the file. No matter how I modify the "\n", I can't get it to work. When I go into the router and type "show history all", it shows that it inputs the command and presses enter, but can never press enter the 2nd time to get it to copy the file, such as this:

RT001#copy tftp://172.28.1.26/new_99_rtr.txt flash

Destination filename [new_99_rtr.txt]? Press enter once......

Accessing tftp://172.28.1.26/new_99_rtr.txt...Press enter twice........

Loading new_99_rtr.txt from 172.28.1.26 (via Serial0/1/0:0): !

[OK - 9469 bytes]

Works just fine when I do it from the router, yet in the script, the script just sits there and thinks all day... I've tried adding more \n\n\n; no matter what, it just does not work. Really annoying issue, I hope someone knows of a really dumb mistake I'm making here.
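The reason a trailing "\n" in send_command() does nothing useful is that the copy command is a multi-step dialog: the router stops at each question and waits, and send_command() waits for the exec prompt that never comes. The pattern that works is to read the channel, match each prompt as it arrives, and answer it, then stop when the exec prompt reappears. Netmiko already ships that behaviour as send_command_timing() and as send_command(..., expect_string=...); the added example below, which is not the poster's script or netmiko's code, implements the same loop generically so the whole exchange can be run offline. It assumes only an object with write_channel() and read_channel() methods (netmiko connections have both), and the FakeIosCopyDialog class is a constructed stand-in for the router that follows the two-Enter sequence described in the post; the exact prompt text on a real platform may differ, so the regexes are assumptions to adjust.

```python
import re
import time


class FakeIosCopyDialog:
    """Constructed stand-in for the router side of a 'copy tftp: flash' dialog.

    It mimics what IOS prints after each line the script sends, following the
    two-Enter sequence described in the post, so the prompt handling below can
    be exercised offline. A netmiko connection object exposes the same two
    methods (write_channel/read_channel) and can be passed in its place.
    """

    def __init__(self):
        self.sent = []      # every string the script wrote, kept for inspection
        self._buf = ""      # text the "router" has printed but not yet been read
        self._stage = 0

    def write_channel(self, data):
        self.sent.append(data)
        if self._stage == 0 and data.startswith("copy tftp://"):
            # command echo, then the first question
            self._buf += data + "Destination filename [new_99_rtr.txt]? "
            self._stage = 1
        elif self._stage == 1 and data == "\n":
            # empty answer accepts the default name; the router waits once more
            self._buf += "\nAccessing tftp://172.28.1.26/new_99_rtr.txt..."
            self._stage = 2
        elif self._stage == 2 and data == "\n":
            self._buf += ("\nLoading new_99_rtr.txt from 172.28.1.26 (via Serial0/1/0:0): !\n"
                          "[OK - 9469 bytes]\n\nRT001#")
            self._stage = 3

    def read_channel(self):
        out, self._buf = self._buf, ""
        return out


def run_interactive_command(conn, command, prompt_answers,
                            final_prompt=r"\S+#\s*$", timeout=5.0, poll=0.02):
    """Send `command`, answer each expected prompt in order, return all output.

    prompt_answers is a list of (regex, reply) pairs. Each regex is searched only
    in output that arrived after the previous reply, so a prompt is never answered
    twice. The call returns as soon as the exec prompt (final_prompt) shows up in
    fresh output, and raises TimeoutError if the device goes quiet while waiting
    for an answer that was not scripted, which is the "sits there all day" case.
    """
    conn.write_channel(command + "\n")
    output = ""
    scan_from = 0                    # offset of the first unanswered output
    pending = list(prompt_answers)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        chunk = conn.read_channel()
        if chunk:
            output += chunk
            deadline = time.monotonic() + timeout
        fresh = output[scan_from:]
        if re.search(final_prompt, fresh):
            return output
        if pending and re.search(pending[0][0], fresh):
            _, reply = pending.pop(0)
            conn.write_channel(reply)
            scan_from = len(output)
            continue
        time.sleep(poll)
    raise TimeoutError("no exec prompt after %.1fs; device last printed: %r"
                       % (timeout, output[-60:]))


# Prompt/answer script for the poster's copy command: Enter to accept the default
# destination name, then Enter again when the router pauses at "Accessing tftp://...".
# Assumed dialog; adjust the regexes to what your platform actually prints.
COPY_PROMPTS = [
    (r"Destination filename \[[^\]]*\]\?", "\n"),
    (r"Accessing tftp://\S+\.\.\.", "\n"),
]


def copy_from_tftp(conn, url="tftp://172.28.1.26/new_99_rtr.txt", dest="flash"):
    """Run the copy and return True only if IOS reported the transfer as OK."""
    out = run_interactive_command(conn, "copy %s %s" % (url, dest), COPY_PROMPTS)
    return "[OK" in out


if __name__ == "__main__":
    router = FakeIosCopyDialog()
    print("transfer ok:", copy_from_tftp(router))
    print("lines written to the router:", router.sent)
```

Checking for "[OK" rather than treating a returned prompt as success matters because a failed TFTP fetch also returns to the exec prompt; a script that only waits for the prompt will happily report a file that never arrived. Since TFTP has no integrity protection, it is also worth following a successful copy with an on-box hash check (for example IOS's verify /md5 flash:filename) against the hash of the file on the server before the new file is used for anything.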



Help with radiusdesk radius server

Hey guys, so I'm trying to use RADIUSdesk as an authentication server for a UniFi access point using WPA2-Enterprise. I have added the UniFi AP as a NAS device using the IP of the network that the AP is on. I have also pointed the UniFi AP to the RADIUSdesk server with the shared secret.

But when I try to log in to the network on my smartphone, I don't know which EAP method I am supposed to choose. I have tried the PEAP method, and since I don't have any certificates on my smartphone, I chose the "don't validate" option and tried to connect, and nothing happens.

Any ideas where I did something wrong?



FortiGate CPU issue causing latency and packet loss.

Just trying to see if anyone else has had this problem. We have two FortiGate 1240B firewalls that have CPU0 constantly pegged at 100%. CPUs 1-3 are no higher than 45%. The miglogd service is generally at 99.9% usage, and if we kill the service it just pops back up at 99.9% usage. If the A side is failed over to the B side, the problem goes away for about 10-15 seconds before resuming on the other side. We’ve tried rebooting each side individually, and we’ve shut both sides down at the same time and brought them back up. SolarWinds shows total throughput at under 6 Gbps and none of the links have over 40% utilization, with most under 5%. We’ve turned off application monitoring as well. This problem started about a week ago one morning and continues to plague us. We’re on code version 5.2.7 and upgrading would take quite a bit for us to get done at the moment.

Has anyone run across this before? Fortinet support hasn’t been the greatest so far and there is practically nothing in Google University about this issue.



ShoreTel telephony woes...

Hi,

I have a Cisco 250 series switch (8 port), and it basically sits on my desk, connected into an access switch, and the port it's connected to is configured as a trunk port. It contains VLAN 45 (data), VLAN 61 (Voice), and VLAN 30 (Mgmt - also required because the management IP is on VLAN 30).

Initially I thought "Oh I can just enable switchport voice vlan 61" and be done with it, but it appears you can't actually do that on this switch... I then messed about with the cables, and found that the phone said "vlan hopping to option 156 vlan" ...

I then looked here:

https://community.spiceworks.com/topic/387718-using-shoretel-phones-on-dhcp-and-vlan

This looked promising except for the fact that you can't enable dot1q ports in the "normal" Cisco way. I configured ports as "general" ports, which appear to give a similar feature.

Now what I have is essentially three ports for voice, and four for data, with one as the uplink. This isn't ideal as really we'd like to use the ShoreTel phones (IP 420, and IP 420) and free up a port too given that they too have their own network ports... What I'd like to do is make ALL ports useful for voice/data really...

If I changed the vlan autostate triggered event then the switch completely crashes..

My config is as follows:

sh run
config-file-header
redacted
v2.4.0.94 / RTESLA2.4_930_181_045
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
spanning-tree loopback-guard
vlan database
vlan 30,45,61
exit
voice vlan id 61
voice vlan state disabled
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 001049 Mitel_phone_____________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
loopback-detection enable
green-ethernet energy-detect
green-ethernet short-reach
ip dhcp relay enable
bonjour interface range vlan 1
ip access-list extended "IT-Infrastructure Access"
exit
hostname redacted
ip ssh server
clock timezone UTC 0 minutes 0
clock summer-time BST recurring last sun mar 02:00 last sun oct 02:00
sntp server 172.16.30.41
sntp server 172.16.30.42
sntp server 172.16.100.43
ip domain name redacted
!
interface vlan 1
 no ip address dhcp
!
interface vlan 30
 name Management
 ip address 172.16.108.52 255.255.255.0
!
interface vlan 45
 name "IT Infrastructure"
!
interface vlan 61
 name "Voice VLAN"
 ip dhcp relay enable
!
interface GigabitEthernet1
 spanning-tree portfast
 spanning-tree port-priority 240
 switchport mode general
 switchport general allowed vlan add 45,61 tagged
 green-ethernet energy-detect
!
interface GigabitEthernet2
 spanning-tree portfast
 spanning-tree port-priority 240
 switchport mode general
 switchport general allowed vlan add 45,61 tagged
 green-ethernet energy-detect
!
interface GigabitEthernet3
 spanning-tree portfast
 spanning-tree port-priority 240
 switchport mode general
 switchport general allowed vlan add 45,61 tagged
 green-ethernet energy-detect
!
interface GigabitEthernet4
 spanning-tree portfast
 spanning-tree port-priority 240
 switchport access vlan 45
 green-ethernet energy-detect
!
interface GigabitEthernet5
 spanning-tree portfast
 spanning-tree port-priority 240
 switchport access vlan 45
 green-ethernet energy-detect
!
interface GigabitEthernet6
 spanning-tree portfast
 spanning-tree port-priority 240
 switchport access vlan 45
 green-ethernet energy-detect
!
interface GigabitEthernet7
 spanning-tree portfast
 spanning-tree port-priority 240
 switchport access vlan 45
 green-ethernet energy-detect
!
interface GigabitEthernet8
 switchport mode trunk
 switchport access vlan 30
 switchport trunk native vlan 30
 switchport trunk allowed vlan remove 1
!
interface Port-Channel1
 shutdown
 switchport access vlan 45
!
interface Port-Channel2
 shutdown
 switchport access vlan 45
!
interface Port-Channel3
 shutdown
 switchport access vlan 45
!
interface Port-Channel4
 shutdown
 switchport access vlan 45
!
exit
banner login ^C
******************************************************************************
* WARNING *
IF YOU ARE NOT AUTHORISED TO ACCESS THIS SYSTEM EXIT IMMEDIATELY
Unauthorised users are subject to criminal and civil penalties as well as company initiated disciplinary proceedings.
By entry into this system you acknowledge that you are authorised to access it and have the level of privilege at which you subsequently operate on this system.
You consent by entry into this system to the monitoring of your activities.
******************************************************************************
Access to this device is centrally managed. All access and changes to this device are logged.
^C
banner exec ^C
##############################################################################
This is a private system.
If you have not been specifically authorised to access this system you must disconnect immediately.
^C
macro auto built-in parameters desktop $max_hosts 10 $native_vlan 45
macro auto built-in parameters host $max_hosts 10 $native_vlan 45
macro auto built-in parameters ip_phone $max_hosts 10 $native_vlan 61
macro auto built-in parameters ip_phone_desktop $max_hosts 10 $native_vlan 61
ip default-gateway 172.16.108.254


Cisco Live 2019 San Diego Thread

Just wanted to start a thread for CLUS 2019. Meetups, activities, places to go, things to see, vendor events, etc.

I'm traveling in on Saturday to have a free day to explore. I've done a ton of browsing and my day will be:

Balboa Park

Tacos El Gordo

Ocean Yoga

Sunset Cliffs

Sushi 2

I also plan to attend a Reddit meetup and the Welcome event.

Enjoy your visit!



Firewall replacement recommendations?

I have an SRX 1400 to replace. It was running full enterprise subscriptions, so I need a box with the same candy. I'd rather not go with another SRX, as I hated having to use the Junos Space server to manage all the IDP/AV/malware/etc. policies.

In the past we've used PAs, but their pricing model started to suck when we needed 10 Gb interfaces for some of our DMZs to keep backups from running into business hours. (I need at least 3 10GE SFP+ interfaces, more would be better.)

Our PA rep says they have better pricing now. Also considering FortiGate (2000E?), but I know a lot of you guys have more experience in this arena than I do. Looking for opinions.



Anyone running Extreme Switches - and happy?

My current role has these throughout the org at both core and edge. They seem to perform well enough and the few times I've engaged TAC, they've been good.

My concern is the switches themselves seem to have a mortality issue. I haven't even been here a year and have already seen several go "tatsoop" (out of a total of less than 50). These are all PoE switches, so it's entirely possible there are issues in the wiring plant contributing to that.

Meanwhile, the support renewal is coming up and I'm getting Aruba quotes. All we use these for are segmentation - certainly no need for a lot of high-end features.

Edit: One of those failures is loss of poe on an entire block of ports on a vc member at a remote location. I'm *really* not looking forward to that replacement trip.



how to prevent random WAP connecting to WLC?

I might be misunderstanding the process of how a WAP connects to a WLC. I am trying to figure out how a WLC authenticates a WAP. I understood the WLC discovery and establishing CAPWAP tunnel part.
Let's say someone plugged in a WAP in one of the wall Ethernet ports in my office. That WAP does not belong to my company. A few questions:
Does that WAP get IP addresses using DHCP? I am assuming yes.
Does that WAP show on the WLC?
Does that WAP get the latest configuration from the WLC and start broadcasting SSIDs?
How do I prevent such 'not-owned-by-my-company' WAPs from connecting to the WLC?



Suggestions to tool that can scan for security issues

Hi everyone

I have a multi-vendor network, and am looking for a tool that can create an easy overview of what's going on.

Devices: Cisco, HP, Riverbed, ISE

I'm thinking stuff like CVEs, patch versions, field notices, security advisories.

Freeware is always easier to suggest to managers 😛



Why does youtube do this?

Hi, I am new to the entire networking scenario. I have got a hands-on project where I need to separately capture YouTube data from mixed traffic data. I tried using Wireshark's capture filter "host www.youtube.com", but I have no way of knowing whether it is capturing all the data from the YouTube browsing that is being done, or not. Please help me out! Also I noticed that in between the data transfer another port is being connected to. So that makes two ports active at the same time for data transfer, source IP and port being the same. Why does this happen?



Aruba router issue, what is going on?

ST2-CMDR: Port 1/A1 self test failure ERR:

ST2-CMDR: Port 2/A1 self test failure ERR:

We have a pair of Aruba 3810m switches in a stack.

After a reboot, the first port of the first fiber module went dark.

Exhausted all troubleshooting.

--Wiped the switch, firmware upgrade

--RMA the first switch in a stack.

--Replaced transceivers.

Still the issue remains

One thing I noticed is that when the router is booting up, the port LEDs flash green and it moves on until it reaches that faulty port, where it flashes amber a couple of times; then all other ports come up green except for that port, which went dark (LED).

Strongly think this is some boot/firmware bug, but wanted to ask whether anyone has encountered a similar issue?



Help installing TFTP client package on a Cumulus box.

I've been tasked with creating a script that copies Cumulus configs to a TFTP server that we have running on a Linux box. I can get TFTP no problem on an Ubuntu Server distro, but I am having a world of problems installing TFTP onto Cumulus. Any advice on which repo is needed in order to install the TFTP client for my script?



Monday, June 3, 2019

Where does a VPLS WAN connection connect

I have some confusion regarding where an ISP-controlled VPLS WAN connection between remote sites would connect in a network topology. For example, would the connection go into a core layer 3 switch behind the firewall, or would it go into an external interface on a firewall like any other ISP connection with a VPN tunnel between sites? My lack of understanding partly comes from having only used layer 3 IPsec VPNs before.

Thanks!



Router/Modem Help

Moved to a new house recently and have my gaming PC in the basement. Using Comcast atm and, before you say anything, I cannot run an Ethernet cable down here unfortunately; had new floors installed and don't want to go through that hassle. Currently using the router/modem combo through Comcast, and instead of paying the "rental fee" I would like to buy a modem and router and probably a wifi extender to help with connectivity in the basement. I have been doing some research for a week now and the favorites that I can see are ASUS, Ubiquiti or Netgear Nighthawks.

My question is, which one should I get? Are there any bundles out there for all 3 items? Not trying to spend 500 for these expensive routers that I see, and with my knowledge of PCs, I know nothing of networks. My main issue is getting wifi in the basement, which as we stand now isn't horrible, but I believe a wifi extender/repeater would help immensely. Sorry for the inexperienced questions, I just have no idea what to get and what would help me best with the PC being in the basement.

Thank you,

From a network newb



Sanity check about 1 GbE and 10 GbE connectivity

Running into a strange issue.

Have a 10 GbE network working mostly fine on a Netgear ProSafe M7100-24x.

Setting up a new HP Z8, I’m seeing that for one port, when Cat 7 is connected to the 10 GbE NIC, I get no LED: no amber, no green, nothing. Windows says a cable is unplugged. In BIOS, there’s a function to flash the LED to identify which port is which, and even that doesn’t work when the Cat 7 is connected.

The Z8’s 10 GbE NIC works fine when I either: (1) connect to a different drop with Cat 7, or (2) use a Cat 5e in the problem drop to connect and set it to 1 GbE speed.

Similarly, when I connect a MacBook Pro with a 10GbE adapter and a Cat 7 cable on the problem drop, I get no connection when using any Cat 7 cable. However, just like the Z8, I can connect fine with Cat 5e.

So for two different workstations, why might a 10 GbE NIC totally fail to get a connection with different Cat 7 cables but work fine with Cat 5e?

Tried lots of different Cat 7 cables that I know are good.

Is something screwed up with the cabling in the wall? Crimped wrong or something?

I’m having a tech come out to check the cable but I just wanted a sanity check that I’ve actually isolated the issue.



Nokia (Alcatel Lucent) MPLS Certifications - Are they worth it?

I have been working on a new project of designing a new private MPLS infrastructure utilizing Nokia (legacy Alcatel Lucent) equipment. We recently completed our design phase for the first 300 sites or so and just kicked off some basic training about the SR-OS platform and their NSP management platform. The training has been hit or miss for the level of detail around MPLS that I am looking for and has been lacking in many other important areas such as QoS. All of our classes thus far have had a mixed audience with a few network engineers but mostly telecom technicians that run our SONET and TDM transport equipment. Have any of you gone through their SRC courses or training? Is it worth taking the SRC (certification) level courses compared to taking some of the standalone courses that are not “SRC” courses?

Thanks for any and all input!



Expressgateway security

My work is looking at putting encryption across our HQ to MPLS to expressgateway to Azure tenant network link.

MS says encryption isn't necessary, that it is inherently secure/private, yet they are working on providing an encrypted expressgateway in the future.

We do not secure any other facility to facility WAN links, using MPLS.

Is expressgateway as "secure" as MPLS, knowing MPLS is more private than secure? Are there any security concerns with expressgateway? (I Google search and get mostly marketing crap.)

Thanks in advance for your assistance.



What's the job market like in your city?

I work in Boston and the market is booming, but the high cost of rent to own an old, noisy apartment has me thinking about moving to another area. Need to make six figures in order to own anywhere cool, and you aren't getting much.

I'm looking for an area large enough to have a demand for senior network engineers but with a reasonable cost of living.



Passing link state in L2 topology

Hey everyone, looking for some advice regarding an L2 customer aggregation project we’re working on. We recently bought some NCS 5001s to use in Satellite mode with our ASR 9Ks for the sole purpose of 1G customer aggregation. The ASR9K would be all 10G ports, the NCS all 1G, with a bundle between the two. 10G customers would peer (BGP) directly to the ASR, 1G customers to the NCS in satellite mode (managed by the ASR). Turns out the NCS in satellite mode forces auto-negotiation, and Cisco's solution is to "tell customers they must use auto-negotiation", which is not a viable solution for us. So now we have NCS 5001s that we are trying not to have to RMA. Using the NCS as a standalone L3 device would be simple enough, although buying the licenses for this would be pretty expensive, as well as more work from a management/provisioning perspective. As such we are trying to come up with an L2 solution.

Where we keep getting stuck is how to pass link state from the NCS to the ASR, so that we can have BGP on the ASR shut down due to the NCS port going down, vs needing to wait for the BGP hold-down timer to expire. The few things we've looked into (l2vpn w/ l2transport propagate remote-status, Static L2TPv3 Pseudowire, and q-in-q) all boil down to having the same problem of not being able to shut the sub-interface on the ASR side of the trunk when the remote side goes down. This could also be solved by using 1-1 port mapping between the ASR and 5001, but that would defeat the purpose of this port aggregation switch.

I am almost certain a technology is out there that will accomplish what we need, I just do not have enough experience to have run across this in the past. Wondering how you guys would tackle this problem if faced with the same situation. Let me know if I can clear anything up, thanks!



Fiber adapter options

Hi,

I'm pretty sure I'm going to have to replace a switch which is housing connections for about 12 SC OM1 duplex multimode fiber lines.

The replacement switch's SFP modules use LC and I want to reuse the existing runs. Is there a better way to do this aside from getting a ton of individual SC -> LC adapters and LC patch cables?

I guess I'm looking for some kind of block adapter? I think I've seen them before, where there is a whole bunch of connectors for adapting a large number of fiber lines from one connection type to another, but I'm not sure what they are called and I'm having a hard time finding one because of it.



What is a 'flash: ' directory ? I am using a jumpStation

So I am an intern at a company that writes python scripts to automate the testing of networking devices. I learned something new today and I was wondering if anyone can clarify this for me.

Today I was to test a switch and log in to it using PuTTY (SSH). So, within PuTTY, I can access the Python console. When you are in the Python console, you can run any script you want as long as it's in your current directory. I had trouble running a script today because my Python files were in the C drive on the local directory of the jump station. However, Python was saying there is no file with a certain name in this directory. So I typed commands to tell me what directory PuTTY/Python is in currently:

>>> import os
>>> os.getcwd()

and the output was:

'flash: ' 

What is this directory? A coworker told me it is RAM, but I'm a little confused here. Keep in mind this is a terminal for a switch. Can anyone describe to me what a 'flash: ' directory is? Thanks for the help!