Saturday, June 29, 2019

How can I set up my network to allow for a request of Port 80 but show the domain name at the URL?

Hi!

I have a website that currently has a main page <Domain.com> that points to a web server (running Ubuntu Server) on port 80. I have a Synology server that runs on port 5000 (http) and 5002 (https).

I'm trying to get synology.<domain>.com to point to <public IP>:5002 and display synology.<domain>.com in the URL bar, but it just changes to <public IP>:5002.

I'm also trying to get CertBot to certify that subdomain, but because of this issue that I'm unsure how to solve, it won't work.

Right now I'm using a URL Redirect in the DNS (I'm using namecheap)



GTT Communications down?

https://bgp.he.net/AS3257

One of my servers at Chicago VPS can't connect to our data center in Charlotte which has 8 connections. It appears to stop at GTT's network.

traceroute to xxx.xxx.xxx.xxx, 30 hops max, 60 byte packets

1 host.colocrossing.com (198.46.150.130) 0.044 ms 0.017 ms 0.018 ms

2 10.4.1.133 (10.4.1.133) 0.705 ms 0.674 ms 10.4.1.189 (10.4.1.189) 0.533 ms

3 ae7-1107.cr2-atl1.ip4.gtt.net (69.31.135.93) 0.302 ms !N 0.277 ms !N 0.257 ms !N



Anyone ever come across “TheRouter”?

Looks like an interesting project, software-based router built on top of DPDK:

http://therouter.net/

Not sure if any have experience with it?



Our VAR is proposing 2960Ls for L2 replacements. Are these any good?

I am working on a project to replace a ton of EoL switches in our network (2960s) and I was pushing for 9200s w/ PoE and SFP+ ports. They came back with a quote for what appears to be mostly 2960L switches and a few 9200s. I noticed that the 2960L is a “smart managed” switch, which seems kind of off to me and makes me feel like I am getting something similar to Meraki or UniFi with a Cisco label on it. Am I wrong to be concerned? The only reason they are pushing the 2960L is because of Cisco’s July discounts, but I am not a fan of going from CLI with more granular features to a GUI-managed switch. We’re also a budget-conscious customer based on our previous purchases with them, but I’d rather make the extra investment to build for tomorrow instead of today.



When did you stop job hopping?

I’m early in my career - only been at it for 3 years. Currently on my 2nd IT job and about to take a promotion to my first true networking role.

I feel the constant pull to move up and on to the next level and I’m wondering - does that feeling ever go away? When did you stop looking to the next opportunity and settle in for the long haul?



Fiber-Optic Cable Types and Compatibility

Does it matter what network specifications Fibre-Optic cables and modules have when using them with 10Gb equipment? I'm considering the following, but there are some issues that I can see:

Will there be any issues with compatibility between the 2, or will they work fine when used together?

Also, sorry for all of the questions I've been asking recently. I'm a newb when it comes to networking, so I'm still learning things in the industry.



Should I make notes?

I'm planning on studying on the comptia network+ from cybrary. I won't be giving the exam right now but I just want to gain knowledge from it. So while studying should I be making notes? Or should I try to understand so good that I'll remember it later as well?



Security+ worth getting?

Looking to transition from a network Technician to focus solely on network security.. I have 6 years exp. Is the security+ worth getting or should I get a different cert?



Setting up VLAN trunks for new metro-ethernet provider

Hi,

My company just switched metro-ethernet providers, and naturally once we switched our equipment to their CPE's nothing worked and I have the weekend to figure it out. Our networking guy isn't with us anymore so it falls on me and while I can get by sometimes, VLAN's are something I'm still weak on.

We're on a hub and spoke metro-ethernet network with about 15 satellite sites and a hub site, which apparently was all flat before with no VLANs. The provider sent me a list of VLANs for each circuit so I can set up VLAN trunking, but I'm hitting a wall.

Here's our setup: Each satellite site has a router (Ubiquiti edgerouter lites) doing NAT, connected directly to the CPE. The WAN address for each site is the address for its gateway set up in the router at the hub site (PFSense). At the hub site, the CPE plugs into a switch (Ubiquiti Edgeswitch), which the router is also plugged into.

What I've done is create the VLANs on the switch and tag them on the ports the CPE and router are plugged into. I've created the VLANs in the router as well and assigned them to the LAN interface, and I've also tried creating VLANs on the satellite routers for their WAN interface with the appropriate VLAN ID, but all the sites are still showing as down. What am I missing / screwing up?

Hopefully this doesn't violate any rules - any help is much appreciated.



Cisco Unified Communications Upgrade Woes

I know I'm probably preaching to the choir here when it comes to this, but why can't Cisco UC upgrades just be straightforward? We are going through an upgrade of everything UC related (UCCX, CUC, CUCM, IM&P, CER). This weekend I had a maintenance window to upgrade our UCCX pair and although the new software successfully installed on the inactive partition, the switch version failed due to database issues. At this point, my maintenance window is getting close to ending so I do not have much time to troubleshoot. As a result, I decide to stop and wait for another maintenance window. Fast forward a few hours later and I'm getting calls saying that our help desk customers are sitting on hold indefinitely even though there are agents available. Upon investigating, something occurred when I rolled back the upgrade that caused some sort of internal system issue (and mind you, I rolled back following Cisco's documentation to the letter). I debugged my scripts and all was working as intended. It seemed like UCCX was having issues maintaining state information for agents and CSQs. Although the fix for this was simply a reboot of the primary and secondary nodes, it is still infuriating that something as simple as a direct software upgrade and backing out of said upgrade is anything but straightforward and almost always involves TAC since none of us really have access to the internals of these applications. I mean, I had to get TAC to obtain root access once just so they can run a script as a workaround so I could get a secondary node to properly install.

My coworker who manages our ISE deployment has also had his share of problems when it comes to performing upgrades on ISE.

/endrant

EDIT: Sorry if my post seems like a mess, still haven't gotten any sleep.



What kind of practice of routing service is this

In the past, all of my trace routes and looking glasses have looked "normal". Generally fell into a few categories. Transit, direct peering, or regional IX peering.

Somewhat recently, nearly all routes have suddenly started to look artificial and I can't figure out what exactly the ISP is doing. Nearly all of my trace routes look like some variation of this through most of the USA.

Trace route to Looking glass service

1 <1 ms <1 ms <1 ms 192.168.0.1

2 1 ms 2 ms 2 ms ISP's local CO

3 7 ms 6 ms 7 ms ISP's remote datacenter

4 10 ms 10 ms 10 ms ISP's peering/transit POP

5 38 ms 39 ms 38 ms nyiix.gi3-6.cr1.nyc1.choopa.net [198.32.160.157]

6 37 ms 45 ms 49 ms vl42-br2.pnj1.choopa.net [108.61.2.89]

7 * * * Request timed out.

8 118 ms 50 ms 38 ms 172-245-40-49-host.colocrossing.com [172.245.40.49]

View from Looking Glass service

1 192.168.106.2 (192.168.106.2) 1.150 ms 1.106 ms 1.077 ms

2 172-245-40-49-host.colocrossing.com (172.245.40.49) 9.466 ms 10.437 ms 11.307 ms

3 10.3.1.253 (10.3.1.253) 1.832 ms 10.3.1.229 (10.3.1.229) 1.801 ms 1.773 ms

4 vl201-br2.pnj1.choopa.net (108.61.16.85) 16.378 ms 16.297 ms vl202-br1.pnj1.choopa.net (108.61.16.81) 32.560 ms

5 vl42-er1-q8.pnj1.choopa.net (108.61.2.90) 2.058 ms 2.029 ms 10.64.0.26 (10.64.0.26) 1.544 ms

6 ISP's peering/transit POP 29.464 ms 31.163 ms 29.953 ms

7 ISP's remote datacenter 32.409 ms 31.071 ms 32.354 ms

8 ISP's local CO 37.640 ms 37.613 ms 37.584 ms

9 Me 37.555 ms 37.530 ms *

New York City is over 1000 miles away, yet the ISP is announcing at several NYC IXs. This also applies to Oregon, California, Texas, and Illinois. All major IX locations.

A small local ISP, about 30,000 customers state wide. They have an unbundled $40 non-intro zero-fees symmetric 70Mb package. I can't see them making huge amounts of net profit. I assume that whatever practice they're doing is relatively affordable and therefore common.



VLAN Tagging on EdgeRouter Infinity

How easy is it to set up VLAN Tagging on the Ubiquiti EdgeRouter Infinity? I recently purchased Gigabit FTTH from my ISP (Bell Canada) and would like to bypass their HH3K router completely, but to my understanding I would need to remove the SFP module from the HH3K, place it in an SFP port on the EdgeRouter, tag that port with VLAN 35 and log-in with my Bell PPPoE credentials in order for the internet to work. If possible, could somebody please tell me the process on how to set up the EdgeRouter to work properly with this configuration, and whether the steps I mentioned are correct?

Note that I haven't purchased the EdgeRouter yet, but it was recommended to me by someone in the r/homelab subreddit. The Gigabit FTTH internet is the only service I have with Bell Canada, so no other VLANs would need to be tagged.



netmiko question: How to send CTRL+C to Cisco device to interrupt/cancel command

I'm using netmiko to run traceroute through a Cisco device and set the expect_string='[0-9]{1,3} \* \* \*'. This successfully returns the output once the traceroute stops getting a response, but I can't run the next command until the traceroute finishes trying all 30 hops. I tried to send \x003, but that didn't work.

How can I interrupt the traceroute command through netmiko?
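Added example (not the poster's code) of what the interrupt has to look like on the wire. Cisco IOS aborts a running ping/traceroute with its escape sequence Ctrl+Shift+6 (ASCII RS, 0x1e) rather than Ctrl+C (ASCII ETX, 0x03), and the Python literal "\x003" is neither: it is NUL followed by the digit 3. The code assumes netmiko's write_channel()/read_channel() methods on a ConnectHandler; host and credentials are placeholders.

```python
import re
import time

# Control characters as Python string literals. "\x003" is NOT Ctrl+C:
# Python reads it as "\x00" (NUL) followed by the digit "3".
CTRL_C = "\x03"       # ASCII ETX, what a terminal sends for Ctrl+C
IOS_ESCAPE = "\x1e"   # ASCII RS, what a terminal sends for Ctrl+Shift+6,
                      # the IOS escape sequence that aborts ping/traceroute


def control_char(key):
    """Control character for a letter: control_char('C') == '\\x03'."""
    return chr(ord(key.upper()) - ord("@"))


def interrupt_and_drain(conn, sequence=IOS_ESCAPE,
                        prompt_re=r"[\w\-.]+[#>]\s*$", timeout=10.0, poll=0.2):
    """Send the abort sequence, then read the channel until the prompt is back.

    `conn` is any object exposing netmiko's write_channel()/read_channel()
    (a netmiko ConnectHandler in real use). The remaining traceroute output
    is returned so the caller can still inspect it; netmiko's send_command()
    will not block on leftover output afterwards because it has been drained.
    """
    conn.write_channel(sequence)
    deadline = time.monotonic() + timeout
    buf = ""
    while time.monotonic() < deadline:
        chunk = conn.read_channel()
        if chunk:
            buf += chunk
            # Stop as soon as a line ends in the exec prompt ("Router#").
            if re.search(prompt_re, buf, re.MULTILINE):
                return buf
        else:
            time.sleep(poll)
    raise TimeoutError("prompt did not return after interrupt")


if __name__ == "__main__":
    # Real use only (needs netmiko and a reachable device); values are placeholders.
    from netmiko import ConnectHandler
    conn = ConnectHandler(device_type="cisco_ios", host="192.0.2.1",
                          username="USERNAME", password="PASSWORD")
    # Return as soon as a hop shows three timeouts, as in the post...
    print(conn.send_command("traceroute 198.51.100.9",
                            expect_string=r"[0-9]{1,3} \* \* \*"))
    # ...then abort the rest of the 30 hops and drain what it printed.
    print(interrupt_and_drain(conn))
    conn.disconnect()
```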



Meraki please ship switches with power cords

This is a stupid situation. Flew into NY to set up a new network for our new office in Manhattan. I didn't order power cords for Meraki MS switches, thinking they come in the box. Boy, I was wrong. The whole project is on hold since I can't find the C15 type cord anywhere within a 10 mile radius in Manhattan. Ended up ordering online but it's getting delivered on Sunday. This is unacceptable from Meraki's side.



Anyone using FS access switches for enterprise?

Looking at alternatives to Cat9K for a new campus- not too excited about adding a big pile of complexity to access switching which was basically a solved problem 15 years ago. Anyone have a large deployment of FS or other white box switches that they're happy with, works reliably, and hopefully can be controlled via Ansible?



Voice/UC using Viptela?

I'm currently looking at converting my routers to Cisco's SDWAN solution.

One thing that is unclear to me is how voice/Unified Communications is handled. Currently I have branch routers connected to either SIP trunks or PRI.

I can't really see anything in the documentation about voice licensing or implementation on SDWAN routers.

Is it supported or at least on the roadmap?



What could be wrong? Suddenly slow speed on wired connection.

Deleted



3850 Stack - Upgrade to Everest or Downgrade to Denali

We recently purchased 3 WS-C3850-48F-S switches that we are planning on stacking. Two of the switches came with 16.03.07 (Denali 16.3.7) installed while the third switch is on 16.06.05 (Everest 16.6.5).

In order to have all 3 switches in the stack running the same IOS image, should we downgrade the third switch from Everest to Denali, or upgrade the other two switches to Everest?



Zero config and Net Browsers

Network computers all run Bonjour, which is necessary for company software. But company computers are advertised in Finder/Network Browsers for Macs and PCs on the network. Is there a workaround to allow these computers to use mDNS while not showing up in network browsers? Managers do not want employees to have visibility of these clients.



Friday, June 28, 2019

Need Networking Consultant. Video Over IP NewTek NDI , 135 Cameras over IP. CHICAGO / LA

I am looking for assistance / consult on building out a large 10GB / LC Fiber network for a permanent install in Chicago. I am a video engineer by trade that has a good amount of networking experience, just not enough..

130+ BirdDog NDI boxes (HDMI to NDI)

LC Fiber connections / 10GB CAT7 runs / CAT6 1GB connections

All Ubiquiti hardware preferred

I have a V1 diagram drawn up for reference.

DROPBOX LINK TO DIAGRAM

https://www.dropbox.com/s/hna7hh0yox6yut6/Inhance%20Digital%20Chicago%20Diagrams%20Film%20Play%2006.28.19%20V1.pdf?dl=0

Thank you.



Bridging Firewall

Does anyone know of a firewall that can reasonably protect things in a bridging environment?

I'm faced with a situation where I am forced to deal with a (vertical market) system that requires Layer 2 adjacency (no way to route across a router), and simultaneously am required to put a firewall in place so that only authorized traffic can cross between the two portions of the network. Also, there's a strong desire for the equipment to be suitable for an industrial (IEC-60495 type) environment.

Bandwidth requirements aren't that high (100mbps total throughput) and the system is isolated from the internet. Also, something that's COTS is strongly preferred, otherwise I'd just whip up something with linux and ebtables.

I've looked at the Checkpoint 1200R, but it doesn't seem to have the ability to filter between the bridge ports. I haven't tried to lab up the rugged Cisco ASA, but from the documentation I'm not convinced either.

TL;DR: I'm in need of a firewall that can work between two bridged ports. I don't think they exist.



IOS XE 16.9.2 or Catalyst 9K's nuking crypto/SSH access on reboot?

Has anyone experienced this happening with their Cat9K's? I've experienced it on both the 9300 and 9500.16X platforms so far. After experiencing power outages and taking a reboot the devices come up with their crypto portion having vanished. Along with it goes SSH access. Everything else seems to be okay.



SD-LAN Thoughts?

Anyone got any experience in the software defined LAN space?

We currently have SDWAN (Velocloud) and Wireless (Aerohive) which are both centralised orchestrated management and deployment. Having these (especially SDWAN) has spoilt us and made us realise how clunky traditional switch deployment and then ongoing management really is, especially at the branch level.

Looking at Cisco DNA Centre with the 9k range. Also open to other vendors, off the top of my head Meraki, Aerohive Switching. Also open to going from another angle and maybe using Ansible, but it feels like we're papering over the cracks a little with something like that.

Any thoughts?



Spanning Tree, LACP, and possible EIGRP reconvergence issues I am unable to track down

So this last week or two I have been running into some really strange issues in our environment.

We have been upgrading the code on our IE3000 switches. The method is this: One of our employees fires up his LAB IE3000 with updated code, matches the config to the production IE3000, then replaces the flashcard. This has been a fairly standard process for a while, but recently whenever one of these IE3000 switches is rebooted I see the following log in the distribution switch:

__________________________________________________________________________

Jun 27 2019 08:46:56.954 PDT: %LACP-SW1-4-MULTIPLE_NEIGHBORS: Multiple neighbors detected on Gi1/8/35: new neighbor(sys-mac-id: ****.****.8800, port: 0x102), old neighbor(sys-mac-id: ****.****.8800, port: 0x103)

Jun 27 2019 08:46:56.958 PDT: %LACP-SW1-4-MULTIPLE_NEIGHBORS: Multiple neighbors detected on Gi2/8/35: new neighbor(sys-mac-id: ****.****.8800, port: 0x103), old neighbor(sys-mac-id: ****.****.8800, port: 0x102)

__________________________________________________________________________

Now the next logs below are from a different day, but checking syslogs and talking to the employees, we had some IE3000s upgraded this morning; shortly after those IE3000 switches rebooted, EIGRP reconverged, causing issues with our network. I have a feeling this is related, I am just too new to understand the underlying issue.

__________________________________________________________________________

Jun 28 2019 06:19:00.355 PDT: %SYS-SW1-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (78/74),process = LTL MGR.-Traceback= 0x99C03DCz 0x99B3390z 0x97DB034z 0x97D5690z 0x97C19E0z 0x9AB276Cz 0x9AB2A48z 0x9AB4CE4z 0x9AB6BE8z 0x9AB7044z 0x9AB7D14z 0x9AB904Cz 0x5124844z 0x51382A4z 0x5144AA8z 0x5499280z

Jun 28 2019 06:32:29.731 PDT: %SYS-SW1-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (3/3),process = LTL MGR.-Traceback= 0x97D58F0z 0x97D5928z 0x9AB2800z 0x9AB2A48z 0x9AB2D5Cz 0x9AB7E38z 0x9AB904Cz 0x5124844z 0x51382A4z 0x5144AA8z 0x5499280z 0x5493654z

Jun 28 2019 06:36:35.733 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor ******* (Vlan2301) is down: holding time expired

Jun 28 2019 06:36:36.861 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 210: Neighbor ******* (Vlan3322) is down: holding time expired

Jun 28 2019 06:36:39.637 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 220: Neighbor ******* (Vlan3311) is down: holding time expired

Jun 28 2019 06:36:39.637 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 220: Neighbor ******* (Vlan3312) is down: holding time expired

Jun 28 2019 06:36:39.637 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor ******* (Vlan2302) is down: holding time expired

Jun 28 2019 06:36:40.185 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor ******* (Vlan2301) is up: new adjacency

Jun 28 2019 06:36:40.881 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 210: Neighbor ******* (Vlan3321) is down: holding time expired

Jun 28 2019 06:36:41.377 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 210: Neighbor ******* (Vlan3322) is up: new adjacency

Jun 28 2019 06:36:42.457 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor ******* (Vlan2302) is up: new adjacency

Jun 28 2019 06:36:42.693 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 210: Neighbor ******* (Vlan3321) is up: new adjacency

Jun 28 2019 06:36:42.853 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 220: Neighbor ******* (Vlan3312) is up: new adjacency

Jun 28 2019 06:36:43.053 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 220: Neighbor ******* (Vlan3311) is up: new adjacency

__________________________________________________________________________

Lightweight topology:

• Nexus 7K Core --> VSS Catalyst 6509 Distribution --> IE 3000 Access

• Redundant links running from the VSS paired 6509 to the IE 3000

• We use LACP for the etherchannel bundles.

6509 Distribution Port Channel Config:

interface Port-channel180
 switchport
 switchport mode trunk
!
interface GigabitEthernet2/3/32
 switchport
 switchport mode trunk
 channel-protocol lacp
 channel-group 180 mode active
!
interface GigabitEthernet1/3/32
 switchport
 switchport mode trunk
 channel-protocol lacp
 channel-group 180 mode active

IE3000 Port Channel Config:

interface Port-channel1
 switchport mode trunk
!
interface GigabitEthernet1/1
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
!
interface GigabitEthernet1/2
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active

I have never seen an IE3000 cause an EIGRP reconvergence in my very long 2 years as a network engineer. I am leaning towards a spanning tree issue. Unfortunately, STP is something I have not really had to deal with yet. So I am having a fun time running the spanning-tree summary and detail commands with a blank face.

edit: forgot how to format.
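Added example, not part of the original post: a small parser for the Cisco syslog lines quoted above that measures how long each EIGRP adjacency stayed down and lists warning-or-worse events (here the CPUHOG) in the minutes before the first neighbor drop, which is the correlation question the post is asking. The sample lines are copied from the post (neighbor addresses are masked there as *******; the CPUHOG tracebacks are cut short).

```python
import re
from datetime import datetime

# Lines taken from the post above; tracebacks truncated, neighbors masked as in the post.
SAMPLE = """\
Jun 27 2019 08:46:56.954 PDT: %LACP-SW1-4-MULTIPLE_NEIGHBORS: Multiple neighbors detected on Gi1/8/35: new neighbor(sys-mac-id: ****.****.8800, port: 0x102), old neighbor(sys-mac-id: ****.****.8800, port: 0x103)
Jun 28 2019 06:19:00.355 PDT: %SYS-SW1-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (78/74),process = LTL MGR.
Jun 28 2019 06:32:29.731 PDT: %SYS-SW1-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (3/3),process = LTL MGR.
Jun 28 2019 06:36:35.733 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor ******* (Vlan2301) is down: holding time expired
Jun 28 2019 06:36:36.861 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 210: Neighbor ******* (Vlan3322) is down: holding time expired
Jun 28 2019 06:36:39.637 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 220: Neighbor ******* (Vlan3311) is down: holding time expired
Jun 28 2019 06:36:40.185 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor ******* (Vlan2301) is up: new adjacency
Jun 28 2019 06:36:41.377 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 210: Neighbor ******* (Vlan3322) is up: new adjacency
Jun 28 2019 06:36:43.053 PDT: %DUAL-SW1-5-NBRCHANGE: EIGRP-IPv4 220: Neighbor ******* (Vlan3311) is up: new adjacency
"""

# "<timestamp> <tz>: %FACILITY-SOURCE-SEVERITY-MNEMONIC: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \w+: "
    r"%(?P<facility>[A-Z]+)-(?P<src>\w+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$")
NBR_RE = re.compile(
    r"EIGRP-IPv4 (?P<asn>\d+): Neighbor (?P<nbr>\S+) \((?P<iface>[\w/.]+)\) is (?P<state>up|down)")


def parse(lines):
    """Parse syslog lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S.%f"),
            "facility": m["facility"], "sev": int(m["sev"]),
            "mnemonic": m["mnemonic"], "msg": m["msg"],
        })
    return events


def adjacency_outages(events):
    """Seconds each EIGRP neighbor was down, keyed by interface, from down/up pairs."""
    down_at, outages = {}, {}
    for ev in events:
        if ev["mnemonic"] != "NBRCHANGE":
            continue
        m = NBR_RE.search(ev["msg"])
        if not m:
            continue
        if m["state"] == "down":
            down_at[m["iface"]] = ev["ts"]
        elif m["iface"] in down_at:
            outages[m["iface"]] = (ev["ts"] - down_at.pop(m["iface"])).total_seconds()
    return outages


def first_down(events):
    """Timestamp of the earliest EIGRP neighbor-down event, or None."""
    downs = [ev["ts"] for ev in events
             if ev["mnemonic"] == "NBRCHANGE" and " is down" in ev["msg"]]
    return min(downs) if downs else None


def warnings_before(events, t, window_s):
    """Events of severity 4 (warning) or worse in the window_s seconds before t."""
    return [ev for ev in events
            if ev["sev"] <= 4 and 0 < (t - ev["ts"]).total_seconds() <= window_s]


if __name__ == "__main__":
    evs = parse(SAMPLE.splitlines())
    for iface, secs in sorted(adjacency_outages(evs).items()):
        print(f"{iface}: adjacency down for {secs:.3f} s")
    for ev in warnings_before(evs, first_down(evs), 300):
        print(f"{ev['ts']} {ev['mnemonic']} preceded the first neighbor loss")
```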



Do you think PoW(iFi) could ever be a thing?

Just an idle Friday afternoon thought. Transmitting power wirelessly can be done via inductance but the range is very limited. I think Tesla once claimed he could transmit electricity wirelessly but I don't know what ever happened with that. Feel free to delete if you think this is too stupid a question.



What do you guys use for vulnerability management?

I have been using Qualys for about 7 years, good product but very pricey. New manager decided it's not worth the renewal cost, and wants me to look for an alternative.

I tested Nessus/Tenable but it's the same yearly maintenance cost. I would love to hear what y'all are using.

Thanks



Has anyone used/run INE Team Training before?

Looking for options for team trainings for our limited staff here. I've used INE all access before on my own, but now I see they have a team based thing here: https://ine.com/products/team-training-1-year

Anyone dealt with it before? Anyone have other suggestions along the same lines? Mainly looking for cisco training. Routing/switching, Nexus, ASDM, ASA, Call Manager, etc. along those lines.



Is using PfSense as main firewall, load balancing and FailOver suggested?

Hi, my setup is 3 Xeon Bronze servers, of which I currently use one as a pfSense box which is right now used as a routing unit, firewall and cache. I have around 100 users for this box and another 150-200 users to be added soon. I have 2 fiber optic connections to 2 different internet service providers (which as of now I connect to a Mikrotik router and from there to the pfSense) and I have 2 SFP ports I can use on the pfSense box. Should I plug the fibers into my pfSense and do load balancing and failover on it, or should I keep using the Mikrotik router? Suggestions very welcome. Thanks.



Cisco switch/ASA will only allow pings for 5-10 minutes

Hi All,

I have a strange issue. We have a 3750/5505 combo in a pretty standard config. OSPF is running on both devices, with a handful of 10.5.x.x subnets on the switch and a transit VLAN between the switch and ASA. I created a new VLAN recently for a lab switch and noticed I couldn't ping out to 8.8.8.8 but my computer could; after troubleshooting I couldn't source pings from any VLAN on the switch other than the transit VLAN. If I reboot the switch I can ping from all VLANs out to 8.8.8.8 for about 5-10 minutes, after which time I have no network connectivity at all from anything other than a couple of computers on the network.

I thought it might be some xlate or other timeout settings on the ASA, but those are all default. I'm completely stumped on this one.



Creating Whitelist for Prod Servers

Hoping this is the correct sub to present this. High level overview: I've been tasked with creating a whitelist for our production servers to allow access to only what they need (internal/external), based upon their function, and then add an implicit deny statement at the end of an ACL (on a Cisco ASA). Currently, the servers have free rein and we need to tighten that up. Our current approach at building this list is to monitor a low-level server's traffic for 30 days via NetFlow and then to also stand up a new VM, based on our template for new VM builds, and then monitor it through NetFlow as well, to gather a baseline of where it should be talking to. We know this will be a long process and are going to break services and applications along the way, but are there any gotchas or best practices that can be passed on? Any feedback would be appreciated. Thanks.
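Added example, not from the original post, of the step the post describes: aggregate a NetFlow baseline for one server, keep the (destination, protocol, port) tuples seen often enough to trust, surface the rare ones for a human to review rather than silently allowing or dropping them, and render the result as an ASA ACL that ends in an explicit logged deny so every unexpected flow during the break-in period shows up in syslog. The flow records are constructed in a simplified CSV (real exports such as nfdump CSV carry more columns but the same fields); server address, ACL name and all addresses are made up.

```python
import csv
import io
from collections import defaultdict

SERVER = "10.20.0.15"          # constructed: the production server being baselined
ACL_NAME = "PROD_WEB01_OUT"    # constructed ACL name

# Constructed flow export: per-day totals of flows the server initiated.
# The last row is return traffic from another source and must be ignored.
FLOWS_CSV = """\
ts,src,dst,proto,dport,flows
2019-06-01,10.20.0.15,10.20.1.5,udp,53,1604
2019-06-02,10.20.0.15,10.20.1.5,udp,53,1597
2019-06-01,10.20.0.15,10.20.1.6,udp,53,2988
2019-06-01,10.20.0.15,10.20.1.5,tcp,389,412
2019-06-01,10.20.0.15,10.20.1.6,tcp,389,397
2019-06-01,10.20.0.15,10.20.2.40,tcp,1433,15007
2019-06-01,10.20.0.15,192.0.2.44,tcp,443,3
2019-06-02,10.20.0.15,10.20.0.99,tcp,445,2
2019-06-01,10.20.1.5,10.20.0.15,udp,53,1604
"""


def baseline(csv_text, server, min_flows):
    """Aggregate flows the server initiated over the whole capture.

    Returns (allowed, review): lists of ((dst, proto, dport), flow_count),
    ranked by count. Tuples seen fewer than min_flows times go to `review`
    so a one-off (a stray SMB or HTTPS connection) is neither codified into
    the allowlist nor lost without anyone looking at it.
    """
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["src"] != server:
            continue  # only outbound connections the server opened
        key = (row["dst"], row["proto"].lower(), int(row["dport"]))
        totals[key] += int(row["flows"])
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    allowed = [(k, n) for k, n in ranked if n >= min_flows]
    review = [(k, n) for k, n in ranked if n < min_flows]
    return allowed, review


def render_acl(name, server, allowed):
    """ASA extended ACL lines: one permit per baselined tuple, then a logged deny.

    The ASA already denies anything not permitted; the explicit
    'deny ip any any log' makes each new, unbaselined flow visible in syslog,
    which is what you want while the list is still being built.
    """
    lines = []
    for (dst, proto, dport), n in allowed:
        port = f" eq {dport}" if proto in ("tcp", "udp") else ""
        lines.append(f"access-list {name} remark {n} flows in baseline")
        lines.append(f"access-list {name} extended permit {proto} host {server} host {dst}{port}")
    lines.append(f"access-list {name} extended deny ip any any log")
    return lines


if __name__ == "__main__":
    allowed, review = baseline(FLOWS_CSV, SERVER, min_flows=10)
    print("\n".join(render_acl(ACL_NAME, SERVER, allowed)))
    # Bind with: access-group PROD_WEB01_OUT in interface <nameif of the server segment>
    for (dst, proto, dport), n in review:
        print(f"! REVIEW: {proto}/{dport} to {dst} seen only {n} times")
```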



NAS (Network Access Server) Location in a Cisco Three Tier Architecture

Tier 3 ISPs offer internet connectivity to end users, and for that they need a NAS to supply PPPoE or IPoE connectivity through the layer 2 network.

But considering a three tier architecture, where is a NAS placed?

I would say it does bridge distribution and access layer, but I'm not sure about it.



Cabling Issues

I'm troubleshooting a site with about 50 access points across 2 switches.

The access points always draw power but regularly go offline and need POE disabled to reboot them. We've replaced both switches as precautions but the issue continues. Of the 50, there's likely 20 rebooted a week and there are no patterns.

I want to question the cabling but my company did it and doesn't have any documentation (despite being less than 6 months ago). Looking at pictures of the site the cabling is run into the ceiling through the same spot as some high voltage outlet cabling but those cables are in a flexible aluminum 1/2" conduit. It's the aluminum conduit that's noticeably touching the CAT5 cables.

I know how to test to ensure the common standards are met like distance and termination, but I don't know how to check if there's interference on the line other than a long iperf and to watch for CRC/interface errors. Is there any way to determine if cabling is bad for some reason other than distance/termination?



What is your electrical circuit setup for your homelab?

To start, I'm not knowledgeable enough when it comes to electrical stuff. I've been running my homelab through a "regular" outlet in my house. I have 3 routers, 4 switches, WLC, APs, and a couple of HP G7 servers. Being cautious, I do not turn them all on at the same time but only the ones that I need at any given time.

So, it brings me to a question in the title above. Also, did you have to have an electrician run a separate "beefy" circuit for your homelab? Any recommendation?

thanks!



Webserver with pfSense Please Help!

Hi! All,

I have configured pfSense as a VM in ESXi (with 2 NIC ports, for WAN and LAN), and I have 4 public IPs, as shown in the picture below (those IPs are just an example):

- For Internet: 103.16.1.67/24, which I use with my LAN network 177.88.88.1/26 (DHCP). I am able to access the Internet via .67 on Windows 10.

My Questions

  1. How do I configure my Public IP for DNS1 IP .68, DNS2 IP .69, and Webserver IP .70 while they are in the LAN Network of 177.88.88.1/26 to access the Internet using those Public IP?
  2. How do I configure DNS1, DNS2 and the Webserver to work together with pfSense? (I really don't know how the workflow goes.)
  3. How do I setup a secure network for my Webserver?

Image: https://drive.google.com/open?id=18YZRMdO7NfB8qh9QTPLz3paIETfN0FjZ

Thank you!

Regards,

Jr. K



Question regarding Observium

Hi,

I'm creating an alert checker which will trigger when the processor is above 85% during 3 minutes.

I can create the checker for the 85% but who do I include the "more than 3 minutes" trigger?

Thanks!



Running EVE-ng on bare-metal on Supermicro SYS-5028D-TN4T Mini Tower

Hello Everyone,

I'm a complete and utter noob when it comes to VMware so please bear with me. I'm planning on setting up a virtual lab at my home to study for some certifications. I'm doing a lot of research on what computing platform to get for the lab and I have my eyes set on the SYS-5028D-TN4T Mini Tower from Supermicro. I'm only going to be running EVE-ng, Ubuntu, and maybe a couple of Windows Server instances (all using ESXi 6.5) but I don't know enough about virtualisation setups to tell if that hardware (assuming 96GB of RAM) is enough or not. Has anyone tried setting up EVE-ng (bare metal) on this tower? How many vCPUs and how much RAM did you allocate for your lab to run smoothly?

any and all help is greatly appreciated.

CHEERS



Thursday, June 27, 2019

A Manager gave me a job on the condition I learn the basics of R/S in 3 weeks.

I work as an English teacher for a tech company, I’ve been intent on passing the CCNA and applying with them. Today one of my students said they have an open entry level position through a contractor that must be filled in three weeks.

If I can explain down to the 1’s and 0’s how the networks are connected, and pass the approval of their engineers I have the job.

They said to focus on the R/S book and packer tracer labs. “Show us you know the basics”

So my question: Does anyone have recommendations on the topics I need to study for a 3 week crash course into routing and switching to impress an engineer?

(I have every book and lab available to me)



Needing help diagnosing latency issues

Hello everyone. I've got a strange issue I've never run into and nobody I've reached out to has been able to help me. We connect to an application hosted on a remote server for a big portion of our work. I noticed the other day that people were having a lot of connectivity issues. I pinged the server and got super high (1200-1500ms at times) numbers, so naturally I assumed it was on the hosting side for that server, but then I started pinging random websites/IPs and noticed this type of latency issue with the server in question and basically anything I try to ping. The network is ~100 devices. Windstream ISP/modem, pfSense router that I put in place myself to replace a Cisco ASA when this issue first started (just trying to see if it would make any difference). As far as browsing the web goes, we never have any issues, and download speeds are stable and good. Local network traffic works fine.

Windstream says it's something to do with our hardware. One tech came out and plugged into the modem directly, pinged sites and got good numbers, but it sometimes takes a hundred or two packets to see anything out of the ordinary.

Is there any way I can try to determine the cause with tools like PFSense and Wireshark and the like? I've been looking into it all I can with ntopng, Wireshark, etc and I just don't think I know what to look for. I'm going to attempt repeating the test the Windstream tech did because I don't understand why our hardware would be causing this. The only thing I can think of is maybe a machine is infected and randomly spiking our bandwidth so high that the network lags? I don't know!

Any insights? I very much appreciate it!



Got a weird one issue.

Having a hard time wrapping my head around this problem. Working at a place with multiple sites, lots of computers, phones, POS systems, etc. we use a large application that runs the POS systems and records a whole bunch of stuff and sends it to a centralized server. Essentially use it for financial purposes and data and blah blah blah.

So last week one of the sites started trying to send packets from the POS to the server, but then the server tried sending packets to our core and then right to the firewall, where it was promptly dropped. Nobody could figure out why it was happening but changing the POS out seemed to have fixed it.

So today the same thing happened at a different site, we didn’t have the time or resources to change out the POS but changing the IP of the POS seems to have temporarily fixed it.

If it’s any help at all we use BGP as the routing protocol. I’m hoping this is enough information for someone to possibly point me in the right direction, eventually this is going to be a bigger problem, but I just have no idea why this would start randomly occurring at different sites, and there are so many POS systems it would be a massive project and a huge time and money sink to change out everything, without a guarantee it wouldn’t happen again.

Any suggestions would be great.



Cloud Storage/Offline Site

Hi everyone not sure if this is the right subreddit, but I really need some expertise with cloud storage (would also appreciate if you point me to the right subreddit for this topic :), also posted to r/cloudstorage).

I'm currently working at a small financial company in Toronto, Canada and we're currently looking for some (budget lol) ways to store our client files and company data. The problem is we work with private financial data, so there would be complications if we store our files outside of Canada. I was wondering if anyone knows a service where we can store all our data online in Canada. I found services like sync but not sure if there are better ones that others would recommend.

We're looking for around 600GB to 1TB+ and we do not need the ability for concurrent users to constantly access the data as we would only use the service to store server backups. Would really appreciate the help, thank you!



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



How are the electrical pulses that are bits put onto the wire? What physical component on the NIC is actually sending these at seemingly impossible speeds?

I was thinking of how insane gigabit internet is when you think of the millions of bits that are sent in such a brief amount of time.

What physical component of the NIC / computer is actually “writing”/sending these onto the wire?

I compare it to Morse code via Telegraph. There must be some physical gate that sends the bit.

Thanks.



How to start web interface on Aruba 2920’s.

I’ve got four Aruba 2920’s in the environment I recently took over. They have a RJ45 console port as well as a usb micro. I have a usb Cisco console cable but couldn’t get any connection with putty to run through the setup. Do they need a special console cable?



Network Diagrams - Visio or Draw.io

Anyone willing to share some network diagrams either in Visio or Draw.io format?

I've recently been promoted to a Consultation/Design role and my previous role didn't really allow me time to spend formalizing diagrams and making them professional looking. Now that I am actually expected to send this type of information to clients, I'm nervous that they won't be good enough.

If anyone is willing to remove any company/personal information and share that would be awesome!

I'm sure other members would benefit as well.

Many thanks!



Help hiding clients in network browsers

I have been asked to hide client computers in the net browsers on our network. As far as I know it is peer to peer without any real planning, an ad hoc mix of Macs and PCs. IP addresses are dynamic, I believe. There is a DBMS that all staff use and that is installed throughout the network. Bonjour is installed on every computer, prompted by the FileMaker installation. I have seen Avahi errors on computers as well.

I was told to only find the client solution and no logical/physical topology information is available to me. I am debating quitting my job because no one has any real insight into the network or they are unwilling to share it.

Please let me know if there is anything I can do to hide these computers on network browsers, Windows and Mac.



From hourly Noc eng role to Salary LoraWan network eng.

I am considering accepting an offer at a different tech communications company, and am looking for some advice. I'd be going from an hourly NOC role to a salary-based role in which I have no idea what to really expect. It's new tech, and a new team, which can be exciting. But I can also see a lot of weight being held on the small team of engineers. It will be a great learning opportunity. I would be leaving 5 years of tenure, and great benefits. A cushy job, I must say. I am still pretty inexperienced, so not sure what the new company would expect of me the first 90 days and beyond. Thanks all.



Looks like stop&shop hasn’t learned how to hide their scan gun SSIDs yet



Juniper SRX240 Dual Wan question

I am adding a second backup WAN connection to my router and got it working mostly, but I am trying to figure out the routing preference. One is PPPoE and one is just a direct WAN connection.

Let's call the non-PPPoE link WAN1 and the PPPoE link WAN2.

When I do the routing like this:

 routing-options {
     static {
         route 0.0.0.0/0 {
             next-hop [gatewayipofnonPPPOEwan](WAN1);
             qualified-next-hop pp0.0(WAN2) {
                 metric 1;
             }
         }
     }
 }

It works: when WAN1 goes down, stuff starts going to WAN2 automatically. BUT the problem is I also have an IPsec VPN running on WAN1 to a second location that obviously goes down when WAN1 goes down. Is there any way to make it automatically swap interfaces when one goes down to keep the VPN tunnel up? BGP would be lovely but is not an option; I doubt I could get an ASN and I don't even think my ISP has stuff in place to let people use BGP.

I would also like to use WAN2 as the main line since it is faster than WAN1 but when I try this:

 routing-options {
     static {
         route 0.0.0.0/0 {
             next-hop pp0.0(WAN2);
             qualified-next-hop [gatewayipofnonPPPOEwan](WAN1) {
                 metric 1;
             }
         }
     }
 }

It breaks the VPN between our offices and no one can connect to the IP of WAN1 for a separate SSL VPN we run (not worried about making that redundant right now, I just need it to stay on WAN1 and work even though WAN1 is second preference in the routing table).

It is almost like it shuts down the second priority interface until the main route/hop is unavailable then uses it (if I unplug WAN2 then stuff works right away again).

I have Phase 1 of the VPN set up to specifically use the WAN1 interface.

The second location only has 1 internet connection as well so that complicates things, the second office has a Juniper SSG5.

I've been trying to find info online to solve this with no luck. The SRX240 is also past EOL so support is not an option.

I am probably doing the routing wrong.

I also don't need load-sharing I just want fail-over.

WAN1 is only 30 Mbps, WAN2 is 1000 Mbps, so load-sharing is not really needed, BUT WAN1 is dedicated fiber and WAN2 is just Bell Fibe: a lot faster but not nearly as reliable and nowhere near the uptime.



CCTV over network setup?

Hi all!

I need to set up a CCTV system for my warehouse for our conveyor system, but it can't be connected to our company internet. My problem is, the video cables need to run about 700 ft to their intended monitors (which is about 7x the max length of HDMI). Can I set up a network that can encompass the CCTV controller so I can broadcast the transmission wirelessly?

Thank you in advance!



Celestica Smallstone XP D4040, console non-responsive

Hey all, I was advised to reach out to you all to see if I could get pushed in the right direction.

I've got a couple of Celestica 32x40GbE switches. They seem to be similar to (if not clones of) the Penguin Arctica 3200xlp and the FS N8000-32Q. I think Celestica is the OEM, and Penguin and FS rebranded them.

Both of the ones I've got have no operating system on them, but they power on. One of them was giving me an output from the console and I was able to get into BIOS, as well as get ONIE and SONiC installed.

However, now, neither of them seem to be outputting anything from the console port. I've tried every common baud rate just to be sure. Even hooked up an oscilloscope to try to calculate the baud.

I can't find any technical documentation for the device, and attempts at contacting all three brands have not been successful because I don't have a support contract, nor am I the original purchaser.

It just seems crazy that I had one of the switches ready for me to start developing a config file for SONiC, and then suddenly the next day it just doesn't work.

I'm half tempted to grab a SOIC8 clamp to reflash the BIOS chips, but I'm not even fully convinced the main board is the issue.

The ASIC chip is on its own board that includes a gigabit NIC (management port), USB port, and the console port.

I haven't done a thorough trace, but I'm pretty confident that the ASIC board connects to the main board via a pair of PCIe board to board connectors. And the console port is using a PCIe lane. It just seems pretty crazy to me that the main board wouldn't have an independent console port, even if it was just jumpers.

Has anyone ever worked with this type of switch? Is there a console/serial connector on the main board that bypasses the ASIC board's console?

Thanks for any and all help!



Redundant ISP Network Design Sanity Check

Hi Everyone,

I am hoping to get a sanity check on a redundant internet design I am putting in place. I have been waffling back and forth about the best method(s) and decided I should try to get some feedback from others. Let me preface by saying my current role is not 100% network engineering (hasn't been in about 5 years), so I may be overlooking some things.

The hardware involved internally is 2x Nexus 3Ks as "cores" with 2x Palo Alto firewalls in an HA pair. I added 2x Catalyst 2960s as "internet" switches yesterday which I will explain more about. I have included a diagram of the current design in place at the end of the post.

The N3Ks are connected via a vPC so I can span my physical port channel ports between the two cores. My initial design was to have one ISP link connect to the first core on VLAN 100, and the backup ISP connect to the 2nd core on VLAN 200, this way I could come out of the N3Ks to the firewalls with a bunch of redundant LACP links (connected as LACP aggregate groups on the PA firewalls). I was feeling skeptical about connecting the ISP links to the core switches, even if it was just layer 2 that technically has no access to anything else. But, the cores hold all the layer 3 HSRP SVIs and port channels to all the internal switches, and it felt like a security risk that would cause shifty, wide eyes if anyone audited it later on.

So, I redesigned things a bit, the end result looking like the diagram in the link at the bottom. I added a pair of C2960s as "internet" switches as shown in the diagram. These are trunked, not stacked, as I am trying to keep things as independent as possible to reduce single points of failure. I have had stacks entirely seize on me in the past (don't know if that really happens anymore). Since they aren't stacked, I can't span physical port-channel ports between the C2960s "properly." They are currently connected to the PAs as non-LACP aggregate groups. I will say that everything is working fine, but I am getting a lot of port flapping on the C2960s as the aggregate groups seem to be bouncing between internet switches, but there is no packet loss and the sessions don't seem to have any issues. I have also simulated failures by disconnecting links and it all "works." I did try single link LACP port channels between the C2960s and the PA firewalls. This also "worked" but the aggregate groups on the PAs would never be "fully up" since it can't negotiate one LACP aggregate group to two different physical switches with different IDs. Failover also worked, but it took quite a while for LACP to renegotiate on failures, so this isn't ideal.

The long story short is that the current design is working, but the port flapping is bothering me. Am I being overly cautious by not connecting the ISPs to the cores on layer-2? From a technical perspective that design works just the way I want. Should I just stack the C2960s and do proper LACP port channels and risk a possible stack failure? Am I overlooking something obvious? Any feedback would certainly be appreciated.

Current Design: https://imgur.com/EMU5Mtq



Power Monitoring

I'm having an issue at my data center where I'm seeing a small number of my devices reboot during a couple times of the day. The devices do not have any shared network equipment or PDUs and so I believe the cause is external.

I'm wondering if I'm getting a brief drop from 208V to 180V or something like that.

Does anyone have any recommendations on something I can use to monitor input power on a high-frequency basis? I thought about dragging a UPS over there and having it log input but the spares I have only sample on a 1 minute basis and if there's an issue I suspect it would need to be much more granular to catch it. Ideally, it's something I can order from Amazon and have overnighted. I'll need two of them so that I can monitor the A and B power feeds.

EDIT: And yes, before you ask, I did open a ticket with the DC.



What are some of the pros and cons for network automation?

I'm interning at a company with a network engineer and he kind of keeps hinting to me that networking might be gone as a career in the future due to automation.

He doesn't know Python at all and seems very pessimistic about learning it.

I have a feeling that it's not the case and there will always be a need for networking as a career. What are you guys' takes on the pros and cons of network automation?



Two links on FW - DNS settings

Hello there,

I'm not sure if this is the right place or not for this question but here it is!

I'm planning to take over a new client who has 2 offices and am planning to create a DR site in Azure. I'm planning to set up Meraki as their FW in the offices and a Meraki VM on Azure. I will have two links in each office, one of which would be 1G as primary and another cheaper option as backup. I have TS servers hosted for each site and users use them as a gateway to RDP to their PCs. As of now, the TS public DNS record is pointing to their main link IP, so if that link goes down users won't be able to connect through the second link unless someone changes the DNS record manually.

Now I was thinking of using the DNS services offered by AWS or Azure with health checks to make the DNS record change seamless. Did anyone take this route for failover?

Another idea I have for this client is to deploy an OpenVPN server on each site for mobile users who don't have a PC. I'm going to put their shared files in a namespace so they can access them no matter which site they are connecting to, and use the DNS geolocation/health check policies to connect each user to the closest live VPN server. Do you think this method makes sense?

Thanks.



Firewall rule for single user?

Hey all, sorry if this is the wrong place, but is there a way to allow a specific user access to a site that remains blocked for the remainder? If I want to give Bob access to pinterest because he makes cute things for the office, but I don't want everyone else wasting time on it?



Question on Cisco NXOS Port Channels

I am looking at my Nexus 7K switches and trying to use that as a template to configure some 9K switches. Both run Nexus. However, on my Nexus 7K I have something like this.

 interface port-channel 10
   description L3 to 9K-01
   ip address 10.1.0.200/31
   ip router eigrp 100
   ip pim sparse-mode

And on my 9K, when I try to do something similar:

 interface port-channel 10
   description L3 to 7K-01
   ip address 10.1.0.201/31
   ip router eigrp 100
   ip pim sparse-mode

It doesn't take the ip address command. It's only accepting the description field. On the 9K, if I hit ip ? these are my only options.

 access-group  Specify access control for packets
 port          Port policy

I have enabled the same feature sets on both. Any ideas what I am missing?



Getting Speed test from multiple sites

Hi guys,

I am the network engineer responsible for a company with 19 remote sites.

Today the CEO asked me to give him a daily report about the speed test to show the max upload and download each site is getting.

It's time consuming to RDP to a PC at each site and run a speed test from there.

Is there any tool or method that can facilitate this requirement?

I have Brocade routers on the sites and I have SolarWinds Orion for monitoring.



Switch from DHCP to Static

Sooo I've got a question.

At home we use a static IP and my school uses a DHCP server.

So every time I go to school I have to switch up my adapter settings, and when I come back home I have to switch it back to static IP, every single day. So is it possible for this to be automated, so I don't have to waste like 15 minutes daily switching up my settings?

I'm on Win10 btw.



Advice on a Motel Network

So I'm trying to update the current network at this motel. I'm willing to completely create a new network with new, up-to-date products. The current network has terrible products.

Goals:

Get full Wifi coverage in Building B and C.

Have products that will allow me to create a landing page and restrict each user to speeds of 6 Mbps download / 6 Mbps upload.

Current structure (see diagram):

-The motel has a 100/100 line from the ISP located in Building A

-Building A has a Bridge that points to Bridge B located in Building C.

-Building B has no access points and is only getting signal from Bridge A.

-Building C has Bridge B, which connects to a switch that is connected to Access Points A, B, C.

Additional Pictures and info

- Building B has 8 inches of concrete between the two floors. Not sure if that will be a problem if I have to put an access point on the bottom of the concrete. Building B

- Bridge A faces Building B and not directly Bridge B. This bridge is supplying all of Building B and is very unreliable. Bridge A

- Between Bridge A and Bridge B there are some trees. Also, the bridge is located behind the window where the arrow is pointing in the next picture. Trees between Bridges

My main question is what options do I have to create a good reliable and secure network for all the guests? Which option would be the easiest as far as cabling goes?

Thanks in advance to anyone attempting to help.

P.S. I'm a beginner.



I'm trying to create some requirements for implementing a VPN in an enterprise setting.

I'm an intern working on prototyping an external security operations center (SOC). At the current stage of my work, I'm focused on writing out some requirements for a VPN solution. Those requirements will then be used later when I will be trying to decide which VPN would be best.

Since the SOC will be offered as a service to other businesses, I decided to place a VPN software on a server on the customer side and a VPN concentrator on the SOC side. The reason for a VPN concentrator is because with many different customers, the concentrator will be able to differentiate the VPN connections.

The customer VPN will only be sending log/audit data to our SOC. So it's only used for secure communication.

I don't have any formal experience with VPNs so I'm not sure how to write the requirements for this. I'm trying to have the requirements so that when I'm actually researching different VPN solutions, I will be able to score the VPN solutions by seeing if each of them meets my requirements or not. For example a requirement might be: "the customer VPN software shall use a secure encryption method." I would then use this requirement to score a VPN.

Once again, I don't have much knowledge on this so I appreciate any help.



Wanting to take advantage of fiber

Just wanted to know why OS2 seems to be less expensive than OM2. I've been browsing on fs.com.

I do know that OS2 is singlemode and OM2 is multimode.

I'm tasked with looking into fiber as an option to run to 18 barns all connected through a single, indoor walkway. I've been looking at prices and I kept getting prices around $1500 for 350m, 48 fiber cable while the singlemode, same distance and fiber count is only ~$500.

I guess my next question is the longest cable should be close to 700m, the shortest will probably be around 400m, is there a minimum distance with fiber? Could the signal be too "hot" to be reliable? I haven't been able to find an answer to this.

My plan is for the 48 fiber cable to connect in a maintenance closet to a fiber switch. The cable will then run ~330m to a breakout box where the fiber strand pairs will be split into duplex fiber. Those duplex fiber cables will then go to a PoE switch (the PoE switch will power the APs; I know fiber is in development for PoE (yes, that's actually a thing)) in the center of each barn with 3 or 4 WiFi APs connected to that switch.



Favorite SSH Session Manager?

For the longest time I would just save my session in Putty and work that way, but recently I have been playing around with multi-putty, and sometimes use mremoteng for remote desktop.

Curious what everyone else here likes to use.



Advice on whether to renew or not

Hi Guys,

I hope this is allowed here. I have done quite a few certs from all vendors but most specifically Cisco and Juniper.

I have up to JNCIP for the enterprise track but only JNCIS for security.

My question is that I have recently changed roles to more of a pre-sales role and don't really deal with anything technical, or Juniper for that matter.

Would you recommend still recertifying or trying to go for the JNCIP-SEC, or should I just leave it?



Issues w/ wifi captive portal when using Sectigo issued SSL cert

Hello,

Our old COMODO CA-issued SSL certificate is about to expire.

The new certificate has been issued by Sectigo and some of our users are experiencing authentication problems.

Are you familiar with this certification authority?

Thanks.



Changing Subnet Mask question

Hello everyone,

quick question. As far as I know this should work, but I haven't done something like this, so I wanted to make sure.

We are in dire need of more IP addresses in the growing company. The network was never intended to grow this large, but 6 years later, here we are. The original plan is a cleanly separated VLAN, but the config is giving me a headache since it should work, but it doesn't. Even 3rd level says it should work. But it doesn't.

So to bridge the time I need to troubleshoot this, I thought to expand the subnet from /24 to /23. And implement the VLAN after that, since we planned on using that IP range anyway.

We're using 192.168.0.0/24. All our workstations use DHCP, so no need to run around and change them all. Only servers, printers and network components use static IPs, maybe a couple of the oldest workstations as well.

All in all not that many, so the change wouldn't take up much time.

Changing to /23 would mean the network includes 192.168.0.0 - 192.168.1.255. All I know tells me the change would be OK, since clients in the new range, using the /23 subnet mask, would be able to see the old range even when it's using the /24 mask, because there are no routing rules preventing that (so far).

I only change the subnet mask of existing clients. IP addresses of servers, routers and the like will stay the same. No desire to open that can of worms. Workstations are mac bound to their IP address, so they would stay the same as well.

Only new clients and the byods would initially use the new range until the VLAN is implemented.

Making the change would be OK as well, since my laptop starts out in a range I have access to and changes to a range I have access to as well. The worst case I can think of right now is a short disconnect during the transition of servers and network components.

Am I missing something?
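A quick way to check the on-link reasoning in this post is to model each host with the mask it currently carries and ask, for every ordered pair, whether the source considers the destination part of its own network. The following is an added example, not code from the poster; the four hosts and their addresses are constructed to match the ranges described above (192.168.0.0/24 growing into 192.168.0.0/23), and the host names are placeholders.

```python
"""Model on-link reachability during a /24 -> /23 subnet mask change.

Added example (not from the original post). Hosts and addresses below are
constructed to mirror the post: an old /24 that is being widened to a /23.
A host only ARPs for destinations inside its own configured network; for
anything else it hands the packet to its default gateway.
"""
import ipaddress
from typing import Dict, List, Tuple

IPv4If = ipaddress.IPv4Interface

OLD_NET = ipaddress.IPv4Network("192.168.0.0/24")
NEW_NET = ipaddress.IPv4Network("192.168.0.0/23")

# Constructed sample: one static host not yet re-masked, one already migrated,
# one brand-new client in the upper half, and the gateway on the new mask.
HOSTS: Dict[str, IPv4If] = {
    "gateway": IPv4If("192.168.0.1/23"),
    "old_server": IPv4If("192.168.0.10/24"),   # still carries the /24 mask
    "migrated_ws": IPv4If("192.168.0.50/23"),
    "new_client": IPv4If("192.168.1.20/23"),   # address only valid under /23
}


def is_clean_expansion(old: ipaddress.IPv4Network, new: ipaddress.IPv4Network) -> bool:
    """True when the new prefix is a supernet of the old one that starts at the same
    network address, i.e. existing addresses stay valid and nothing needs renumbering."""
    return new.supernet_of(old) and new.network_address == old.network_address


def on_link(src: IPv4If, dst: ipaddress.IPv4Address) -> bool:
    """Does src treat dst as directly reachable (same local network, ARP instead of gateway)?"""
    return dst in src.network


def check_reachability(hosts: Dict[str, IPv4If]) -> Dict[Tuple[str, str], bool]:
    """Map every ordered (src, dst) pair to whether src sees dst as on-link."""
    return {
        (a, b): on_link(ia, ib.ip)
        for a, ia in hosts.items()
        for b, ib in hosts.items()
        if a != b
    }


def asymmetric_pairs(hosts: Dict[str, IPv4If]) -> List[Tuple[str, str]]:
    """Pairs where one side thinks the other is on-link but not vice versa.

    These are the conversations that only work while the gateway is willing to
    forward traffic back out onto the same segment."""
    reach = check_reachability(hosts)
    return sorted({tuple(sorted(p)) for p, v in reach.items() if v != reach[(p[1], p[0])]})


def hosts_still_on_old_mask(hosts: Dict[str, IPv4If], target: ipaddress.IPv4Network = NEW_NET) -> List[str]:
    """Hosts whose configured network differs from the target prefix, i.e. still to be changed."""
    return sorted(name for name, iface in hosts.items() if iface.network != target)


if __name__ == "__main__":
    print("clean expansion:", is_clean_expansion(OLD_NET, NEW_NET))
    for (a, b), ok in sorted(check_reachability(HOSTS).items()):
        print(f"{a:>12} -> {b:<12} on-link={ok}")
    print("asymmetric pairs:", asymmetric_pairs(HOSTS))
    print("still on old mask:", hosts_still_on_old_mask(HOSTS))
```

The result confirms the poster's statement and shows its limit: every /23 host sees the whole range as on-link, but a host still carrying the /24 mask treats 192.168.1.x as off-link and sends that traffic to its default gateway, so until each static host is re-masked, traffic from the old-mask hosts to the upper half depends on the gateway forwarding it back onto the same segment. `hosts_still_on_old_mask` is the checklist of statically configured hosts left to touch.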



Maximum devices communicating on single NIC

We have a situation where we have 14 networked cameras connected (via switch) to a NIC on a PC.

The cameras stream data fine, until we add one more camera. At any number over 14 all connections fail.

Is there some hidden limit here?

We’ve tried slowing down the data rate from the cameras and it makes no difference.

We’ve tried offsetting the start time of each camera’s transmission and this fixes it.

Any help appreciated!



Wednesday, June 26, 2019

What companies, organizations, or vertical markets are the early adopters of IPv6?

In addition, are there companies or markets that are running IPv6 at the internal workstation level? How much has IPv6 really penetrated the enterprise market, and if "not much", who is using it and how/for what?



Multiple 1G links over single 10G Wave

Hi all,

Looking for the most cost effective way to transport multiple 1G links over a single 10G Wavelength service from a fiber provider.

I’ve heard the term used “muxponder” but I’m unclear on how these products work and no clue how much they cost.

Apparently they allow you to have pure layer 1 connections that are completely separated across a single 10G wave.

Any other creative solutions, I’m open to!

Thanks



Diagnosing Ethernet issues in new building my company purchased

To start, we recently purchased this building, which was renovated 5 years ago, and the previous owners installed 2x 2-port Cat5e keystone jacks in each office. Only one port per plate is actually connected to a patch panel. Over Ethernet, speed tests get around 40-60 Mbit, and over WiFi you can get at least 300 Mbit.

I’ve noticed some of the wiring is extremely old and damaged, there’s some mismatched jacks and wiring, though the patch panel is cat5e. Some wires are not using all 4 pairs.

Our switch is gigabit and all that. I’ve used cat6 patch cables from the patch panel to the switch. Is there anything I should test or figure out?

The only real option I see is re-running all the existing wiring by taping new cat6(a?) to it and pulling it through. I don’t think it should be too difficult as the building is only 3000 sq ft and two stories with drop ceilings and I know where all the wiring goes. Is this worth it? We need reliable, fast Ethernet for voip and video calls.

One other side benefit to rewiring is right now the wiring to the network closet is too short to reach the rack so I have the patch panel wall mounted near the ceiling and 6ft patch cables to the switch which is ugly as hell.

What should I do reddit?



Default Originate on ProCurve 3500yl

I’m in the process of restructuring my home lab into iBGP to play nice with NSX, and to learn interior protocols. The existing architecture is fairly simple:

  1. Global routing/firewall with pfSense, peering with FRR

  2. One core L3 switch, ProCurve 3500yl servicing the rack and underlay

  3. One access L3 switch, ProCurve 3500yl servicing WiFi and general home connectivity

Each switch hosts a /16 supernet with various VLANs.

Where I’m running on fumes is with distributing a default route from the core to access (0/0); summary routes over iBGP work fine, and I foolishly solved this prior to the redesign just by redistributing connected routes (bad practice, I know).

The question: how is this normally handled in an enterprise setting (if even relevant)? The default-info originate command is missing from K16.02 on the ProCurve line, so short of just assigning 0/0 on the core to the access neighbor, I’m at a loss. Curious if I’m missing a fundamental concept knowing that this is very simply addressed on IOS for both BGP and OSPF.



For those in Texas

I have a plan to move from Boston to Texas, preferably Dallas, Houston, FW or Austin. I am a network engineer with 8 years under my belt. I am pretty good with enterprise networking, both wired and wireless. I have working knowledge of automation with Ansible and Python. I am also good with AWS networking. Currently on 130k. With a family of 2 kids and a wife, it is becoming expensive in Massachusetts, so I am looking to settle in Texas, the only place my wife is willing to relocate to. I need help with insight into job opportunities there and salary information. Possibly good neighborhoods to settle in.

I appreciate.



Extreme Networks to Acquire Aerohive

Just got the email this morning. Blah blah market leader blah blah synergies blah and all that.

Thoughts?



Bridging iOS hotspot into existing WiFi network on a boat

Garmin chartplotters have WiFi to connect your tablet or phone to them to use their app in conjunction; however, they only work as WiFi APs and can't be a WiFi client. The problem here is if I want my non-cellular iPad to connect, I won't have internet on it.

I’d like to somehow bridge (hope that’s the proper terminology) the hotspot from my phone into the WiFi network the Chartplotter creates.

Any suggestions?

Was looking at some of these open WiFi routers, but not sure if they only route as I don’t want to create another network, or if they can (bridge) https://www.gl-inet.com/products/gl-ar150/

Thanks



I started at a new company a few months ago and I still feel like a dumbass

So I'm looking for advice. I started a new QA job few months ago and feel like I'm going through the day to get as much done as possible because there's never not a ton to do at a startup (I do not own the company). I fear that I am approaching everything with the work harder but not necessarily smarter approach. I take a bunch of notes but some things don't get documented or get lost in the rigmarole of day-to-day work. Is there anything that anyone can suggest to force myself to step back and approach problems without taking so much time that it starts holding things up? Thanks in advance.

Note: sorry if this comes across as early career advice that is not my intention. I've been working for a few years and am looking to people who may have gone through this before.



Extreme Networks to Acquire Aerohive Networks



Netmiko and python as application on windows question

Hello,

I've been using Netmiko for a while now and it is really awesome. I can run it from my PC since I have Python installed and everything works great. Now I would like to create a script that works kind of like an application, where I can give it to our helpdesk (who doesn't have Python installed) so they can do certain tasks without me being involved and without giving them access to Cisco devices. Does anyone know what would be the best way to do that? Is there a good way to convert it to exe or PowerShell or anything like that so it can run on any Windows PC without Python?



Firewall CLI manager (ACL)

Hi,

For more than a year I have been developing an application to manage firewall ACLs from the CLI.

I would like to share my project here because I think it can help many net admins.

PHP-CLI Shell Firewall

Features:

- CLI with autocompletion (TAB, ?, CTRL+R, ...)

- PHPIPAM integration

Can be disabled; it is possible to import, refresh or search objects from PHPIPAM

- Wizard and demo

Wizard to create configuration and launcher. Demo to try application

- Multi-vendor (Cisco, Juniper)

There is a template engine, so it is possible to create other templates; there is an HTML grid template based on AG-Grid

- Multi-location (site/datacenter)

One config file can contain more than one site

- Multi-environment

It is possible to create many launchers, one per environment

- Rule monosite, failover and fullmesh:

ACL monosite:

  • basic ACL, source(s), destination(s), no automation. For this ACL category you can not enable fullmesh option!

ACL failover:

  • without fullmesh option: failover ACL(s) will be automatically generated for all failover sites, inbound or outbound.
  • with fullmesh option: like without, but source and destination of the ACL will be isolated per zone to process automation.

- import/export

It is possible to import (with prefix or not) a backup, for example for VPN rules which are in dedicated files

- backup in JSON and CSV (compatible with GIT)

JSON for machine and CSV for human, both files can be saved in GIT (text)

- SCP to publish configuration without commit

Compatible with a bastion; the network admin has to commit the configuration from the firewall's local flash storage

Use environment credentials to secure it ;-)

- config topology to detect right zone/interface

- dual-stack (IPv4 and IPv6)

- rule description and tag

- rename, clone rules

- locate, filters objects (host, subnet, network, rule, flow)

- ...

We use this application to manage many Cisco ASA firewalls and Juniper SRXs.

ToDo:

- Dev namespace to permit publish application on Composer

- Many firewall templates like Checkpoint or others

- Manage firewall NAT/PAT

- Other IPAM addon like NetBox

- Other DCIM addon like NetBox

- Translate into English and French

- ???

This application is compatible with DCIM PatchManager too.

I will create a Discord, Slack or Gitter channel about my project for support or to talk about it.

What do you think of my project?

Sorry for my bad English ;-)

@+



Wireless infrastructure - Cloud based? Or on-site controller?

Hi all,

Wondering what people would recommend for a wireless infrastructure. Let's assume the physical survey is done and we're looking at 5 access points. Would people recommend a cloud based solution like Cisco Meraki? Or would we get better performance/security from having an on-site wireless access controller?

Thanks



Help me make sense of this

I inherited an environment (school district) that didn't have a guest network. Everyone knew the passwords to the wireless SSID. Now that summer is in, I have a chance to configure a guest network.

Our Access Points are Extreme APs

The wireless controller is an Extreme Controller that is a VM running on our HP blade chassis.

The guest topology configuration required me to set a Layer 3 IPv4 address so the guest splash page will work.

https://photos.app.goo.gl/m1V45hnmHaTH9Qz17

Our blade chassis has 4 NICs. On the switch that the blade chassis is attached to, the interfaces are configured like below:

interface GigabitEthernet1/0/26
 description Blade Chasis NIC
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 10 120 155 to 156 tagged
 port hybrid vlan 6 untagged
 port hybrid pvid vlan 6
 broadcast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable

vlan 6 is our servers

vlan 120 is 1:1 wifi

vlan 155 employee wifi

vlan 156 is prod wifi (don't ask me)

vlan 10 is the guest wifi I'm creating

I can't ping 10.1.10.2 from the switch the controller VM is on.

My Question: Are the interfaces configured correctly? What am I missing?



Types of Pre-assembled Fiber Cables

Hi there everyone,

I suppose this could be a ridiculous question, but I'm diving into pre-assembled cables; I've done a lot of research about this and I might need some help from you.

Here is the thing: I've seen some websites with online sales of pre-assembled cables, a lot of them, a lot of brands, but I think checking them gave me even more doubts.

Here's why: there are a lot of fiber cable types on the market, loose tube, tight buffer, breakout, ribbon, etc.

My question is, in pre-assembled cables why do you see mostly loose tube, tight buffer and breakout? And which application is each one usually used in?

This is part of my job, working on projects, and until recently I didn't work with fiber cables, and I'm now starting to learn something about pre-assembled cables.



Finished CCNP R&S! What now?

Hello fellow networkers!

I'm in my early 20s, live in Germany and, as the title already reveals, I finally finished my CCNP R&S!
I'm overly happy and excited about it and I've got to tell you, it was a really tough path and there were times where I wanted to give up. But you've got to keep your head high and ask yourself why and for whom you do it. I do it primarily because some day I want to become an expert in this field and I want to be someone who others look up to and say "this guy networks!". With higher expertise I also expect a higher salary which hopefully will grow as I gain experience over the years.

To my situation:
I have to admit that I am pretty dissatisfied with my current position. I am 2 years out of my vocational training and I'm currently working for a customer where I solve Layer 1 problems. Layer 2 is very rare. Even though I make good revenue for my company, I personally gain nothing out of this and it really makes me feel worthless in this atmosphere. Several times I have thought about leaving, but I always think I'm not qualified enough to apply for a junior/senior position. Cisco is all I know and all I've taught myself. Through this certification I've gained a good understanding of routing and switching and I'm ready for something new which I can put on my resume.

Career path:
- So I was thinking I could continue my Cisco path with CCNA Security. Security is a huge factor in the industry and being able to deploy and manage a secure network (keyword: firewall) is a valuable skill. But after I found out that after the Cisco certificate revamp in 2020 there will only be one CCNA certificate and all others are being dropped, I ask myself if it still makes sense. I still believe that the subject matter is very useful and there is no doubt it would benefit me.

- Programming: I've come in touch with Python a little bit because I had this really monotonous task which I saw no other way than to automate. It was fun and I will continue to code, but only casually.

- WLAN: I've played a bit with WLC and I've written 1 or 2 documentations about it, but I can fairly say that I have no prior experience or knowledge about WLAN. Is CCNA Wireless an option?

- Other vendors: little experience with HP and Extreme. Dive more into those or other vendors?

- Can't think of any more points, do you have one?

So my question for you: which step do you think I should make in order to benefit my career path the most? I prefer going the security path because I think that this is a useful skill you can apply everywhere and is appreciated.
I am greatly looking forward to hearing your answers :)

Thank you!



Recommendation for books about cellular networks?

I am an undergraduate majoring in Computer Engineering and have been hired to work as an assistant researcher at my university by one of my professors. We are going to be researching the security of cellular networks and specific technologies such as 4G, LTE etc. As the most junior in the project I feel that I need to quickly develop my knowledge in this field.

I have found lots of short technical descriptions of cellular networks and how they work on the web, but I'd love to find some more long-form learning resources about mobile networks in general.

Any suggestions you have related to this topic would be welcome! Could be about the history of cellular networks, textbooks, security, 5G, anything! Even if you know some online YouTube courses that would be great.

I have quite a large budget to spend on research so fire away!



Fortigate 500E Help for a LAN-Party?

Hello!

We are hosting a LAN party for the first time, and need help with the policies on our firewall: what ports need to be opened, policies for making this event secure and safe, and other general advice on the network parts of these kinds of events. All info would be much appreciated. The size of the LAN is about 60 users with an age span from 13-23 years old. We are also running 5 Cisco switches under the firewall, 1 for trunking and 4 on the tables. Any additional info regarding the switches would also be a plus, although I think we got most covered in that department.

Hope to see some positive answers.



Enterprise WPA (EAP-TLS), use NPS or ISE

Hello all,

In the past I have already created a few Enterprise WPA2 Wi-Fi networks, usually using Windows Network Policy Server as RADIUS. These NPS servers were domain-joined and had a certificate from an enterprise PKI so that I could use EAP-TLS. This usually worked flawlessly.

My question: I now have a Cisco ISE at my disposal and I wonder if there would be a benefit to using the ISE as RADIUS over NPS? I like the idea of having all security-relevant logins on one solution.

Oh, and just FYI: Windows Server PKI, Win10 Clients, Windows Server NPS OR Cisco ISE, Cisco WLC 5520.



Wireless network cutoffs

Hello all,

Strange issue with networks from two different ISPs. They use the same range of IPs, 192.168.1. When connected with a cable the devices work correctly; when someone connects to either of them wirelessly they face cutoffs. Does it affect them that they are using the same IP range? Is interference from other networks related?

Thanks a lot



Can someone explain why this xconnect link requires a static route to lo0 to bring S2 up??

I've been playing around with xconnect config and got stuck trying to bring the link up fully. I tried everything I could think of but no dice; after adding a static route to the lo0 address it came up successfully.

Can anyone explain to me why, and whether there is something required elsewhere to bring this up without it:

Xconnect2 is directly connected to Xconnect1 - the config is identical in reverse IP order.

Xconnect2#show xconnect all
Legend:    XC ST=Xconnect State  S1=Segment1 State  S2=Segment2 State
  UP=Up       DN=Down            AD=Admin Down      IA=Inactive
  SB=Standby  HS=Hot Standby     RV=Recovering      NH=No Hardware

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP pri   ac Gi0/1:3(Ethernet)           UP mpls 10.255.1.1:911              UP

Xconnect2#show mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
17         No Label   l2ckt(911)       3033          Gi0/1      point2point
Xconnect2#
Xconnect2#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.1.1.2        YES NVRAM  up                    up
GigabitEthernet0/1     unassigned      YES NVRAM  up                    up
GigabitEthernet0/2     unassigned      YES NVRAM  administratively down down
GigabitEthernet0/3     unassigned      YES NVRAM  administratively down down
Loopback0              10.255.255.1    YES manual up                    up
Xconnect2#
Xconnect2#show run int Loopback0
Building configuration...

Current configuration : 90 bytes
!
interface Loopback0
 description BGP LINK
 ip address 10.255.255.1 255.255.255.255
end

Xconnect2#
Xconnect2#show run int GigabitEthernet0/0
Building configuration...

Current configuration : 220 bytes
!
interface GigabitEthernet0/0
 description WAN LINK TO XCONNECT1
 mtu 9216
 ip address 10.1.1.2 255.255.255.0
 ip mtu 1552
 duplex auto
 speed auto
 media-type rj45
 mpls mtu 1552
 mpls label protocol ldp
 mpls ip
end

Xconnect2#
Xconnect2#show run | b r b
router bgp 111
 bgp log-neighbor-changes
 redistribute connected
 neighbor 10.1.1.1 remote-as 222
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 10.255.1.1 255.255.255.255 GigabitEthernet0/0
!
!
!
mpls ldp router-id Loopback0
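A reachability check for the situation in this post, added here as an example and not part of the original post: the pseudowire peer address (the "mpls 10.255.1.1:911" segment in "show xconnect all") has to be covered by a route for the targeted LDP session, and so segment 2, to come up. The script parses the output and config quoted above, does a longest-prefix lookup for each peer against connected and static routes only (BGP-learned routes are not modelled), and shows that the static route is the only entry covering the peer.

```python
import ipaddress
import re

# Constructed from the Xconnect2 output quoted above: the pseudowire line of
# 'show xconnect all' and the config lines that carry addresses or routes.
XCONNECT_OUTPUT = """\
XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP pri   ac Gi0/1:3(Ethernet)           UP mpls 10.255.1.1:911              UP
"""

RUNNING_CONFIG = """\
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 mpls ip
!
ip route 10.255.1.1 255.255.255.255 GigabitEthernet0/0
"""


def pseudowire_peers(xconnect_output):
    """Peer addresses of the MPLS segments listed by 'show xconnect all'."""
    return re.findall(r"\bmpls\s+(\d+\.\d+\.\d+\.\d+):\d+", xconnect_output)


def build_rib(running_config):
    """Connected and static prefixes from an IOS running-config, as
    (network, source) tuples. Dynamic routes (BGP here) are not modelled."""
    rib, iface = [], None
    for line in running_config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and iface:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            rib.append((net, f"connected {iface}"))
            continue
        m = re.match(r"ip route (\S+) (\S+) (\S+)", line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            rib.append((net, f"static via {m.group(3)}"))
    return rib


def lookup(rib, address):
    """Longest-prefix match; returns the (network, source) entry or None."""
    addr = ipaddress.ip_address(address)
    matches = [entry for entry in rib if addr in entry[0]]
    return max(matches, key=lambda e: e[0].prefixlen) if matches else None


def check_pw_reachability(xconnect_output, running_config):
    """For every pseudowire peer, the covering route, or None when the peer is
    unreachable (which leaves the targeted LDP session, and segment 2, down)."""
    rib = build_rib(running_config)
    return {peer: lookup(rib, peer) for peer in pseudowire_peers(xconnect_output)}


if __name__ == "__main__":
    without_static = "\n".join(
        l for l in RUNNING_CONFIG.splitlines() if not l.startswith("ip route"))
    for label, cfg in (("with static", RUNNING_CONFIG), ("without static", without_static)):
        for peer, route in check_pw_reachability(XCONNECT_OUTPUT, cfg).items():
            print(f"{label}: peer {peer} -> {route[1] if route else 'NO ROUTE'}")
```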



Tuesday, June 25, 2019

I love how everyone on /r/networking seems to enjoy their jobs and wants to become more knowledgeable.

It's really cool to come here every day and see positive, knowledge-seeking posts. There's rarely ever any complaining or "rants". It's always, "I'm having trouble overlaying VXLAN. Any advice?", or something like, "How do I IP?". Even the latter gets some knowledgeable, helpful answers. I wish I knew everything you guys do, but I'm glad to be a part of this professional community. I know that if I have a networking question, someone here can, and willingly will, answer it.

Thank you /r/networking. This sub reddit is one of the most valuable resources I have stumbled across.



What did yall replace your EOL 6509s with?

Currently looking at designs to replace our Core VSS and Server VSS setups at our bigger sites - any suggestions would be very appreciated!

Chassis options seem to be overpriced now and the pizza box 9k designs will cut it real close with port usage.



SNMP v3 issues across IP structures

Hey guys! I’m new in town.

I just inherited a network in the middle of migrating from a 192.x.x.x to a 10.1.x.x structure and I seem to be having trouble getting my servers and hardware to see the UPS using SNMPv3. Works fine on SNMPv1.

The UPS is on the 192 structure and the servers and hardware are on the 10s.

Any tips would be appreciated.



How to setup multiple internet connections on a single router? (Is it possible?)

We have an office with multiple people working out of it, and some of them require their own internet connections with their own IP (having other people in the office access the same site on the same IP on a different account can cause problems).

I want to be able to add an additional connection through the ISP but not need to set up new routers in the office for every single person. Can routers do this? If so, can anyone point me in the right direction for how to set this up?



Help in creating a test lab environment for new equipment

Hi,
So I'm actually a newbie at installing anything and recently we ordered a managed switch and UniFi equipment. The problem is that after the initial setup we were forced to use it in production and then problems happened haha.
If it's possible, I'd like to ask for advice about creating a separate network (physically too) to test new equipment before running it in production.
My setup could be like this:
Wireless router (which is connected to the main LAN but with DHCP), then connect a test pfSense box, then the managed switch, then the UniFi. Or hotspot a phone and use it as a WAN connection? Thanks for the tips!



Want to test cert auth instead of domain credentials via GPO/NPS?

Hi everyone,

Quick question! I recently set up our company's NPS server and created a few new SSIDs on our WLCs. They are mimics of our old setup on another domain; currently we have one corporate SSID using MAC filtering (I know... it sucks) and all use domain username and password for auth.

After doing some research I would love to use cert-based, automatic joining for laptops to this/these SSIDs. I've read a couple of articles on how to accomplish this but I would prefer to test this out before mucking with production. Am I correct in assuming that I can test this out and not affect the production wireless SSIDs by doing the following:

  • create a new Network and Connection Request Policy for cert based auth
  • create a new TEST SSID on the WLC to... test with ;)
  • create a new Security Group in AD with some domain computers (laptops)
  • create a GPO(s) to add the cert and configure the computers to auth automatically using the cert

I'm mostly concerned with the first two bullets. I want to make sure I can create new, separate policies within the NPS server to test the cert based auth without affecting the current SSIDs everyone is using which utilize domain credential auth. Thanks everyone!



Cisco ASA 5500 Pre 8.3 static NAT issue - is it me or the ISP?

Hello Everyone,

I've got a weird issue with an ASA running pre 8.3 code with NAT.

My setup is pretty basic. I have an internal server sitting at 172.22.109.253 that I want to static NAT to 201.14.14.219 (Just an example address to protect the innocent). My end goal is to have that public IP address respond to SMTP and HTTPS requests and forward it internally to the above RFC 1918 address.

After much troubleshooting on this issue another network engineer passed it to me.

Right now the configuration is as follows

The access list (which as I understand it is evaluated first on pre-8.3 code) is:

access-list outside_access_in extended permit tcp any host 201.14.14.219 eq https

access-list outside_access_in extended permit tcp any host 201.14.14.219 eq smtp

The above ACL is applied on the inbound direction to the outside interface

Next comes my NAT section:

static (inside,outside) 201.14.14.219 172.22.109.253 netmask 255.255.255.255

Then my interfaces and routes are as follows:

Outside(VLAN 2) - 201.14.14.218 255.255.255.248

Inside(Vlan 1) - 172.22.109.1 255.255.255.0 (This is the default gateway for the server)

route outside 0.0.0.0 0.0.0.0 201.14.14.217

Using this configuration, everything should flow as planned; however, I am not able to ping, telnet on port 25, telnet on port 443 or connect to 201.14.14.219 at all, even after adding a "permit ip any host 201.14.14.219" to my access list.

If I do a show nat I get untranslates on that entry and if I run a packet tracer it says all is well, every check passes. I even have other servers statically NATing with the exact same configuration (except IP addresses of course) and they work fine. For example, a webserver at 221 that works wonderfully.

My coworker seems convinced it's an issue with the ISP but the ISP of course says it isn't them and is telling us that we have to change the netmask in the NAT statement to match what they're routing for - so a 255.255.255.248 instead of /32. Not to mention the fact that the ASA won't even allow you to do that, my coworker and I are under the impression that defining the mask in your NAT is simply telling your ASA you're NATing to a single host. Is that a correct assumption?

I also attempted to port scan that address and got a message that all ports are closed.

And, I should add that the MAC address and ARP entries in the firewall are correct, and 172.22.109.253 is pingable from the ASA.

I'm not really sure how to proceed at this point, as the ISP is wanting an hourly rate to continue troubleshooting. Any ideas as to what I'm missing here? I usually work with post-8.3 code and never run into this type of issue.

Thanks all
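A small model of the pre-8.3 processing order the post describes, added here as an example and not code from the post or from Cisco: the outside ACL is matched against the mapped (public) destination first, then the static untranslates it to the real host. It uses the three config lines quoted above and shows why netmask 255.255.255.255 means exactly one host, while a shorter mask translates a whole aligned block positionally and cannot be expressed with the addresses the ISP suggested.

```python
import ipaddress
import re

# The three configuration lines quoted in the post above (201.14.14.219 is the
# poster's own example public address).
ASA_CONFIG = """\
access-list outside_access_in extended permit tcp any host 201.14.14.219 eq https
access-list outside_access_in extended permit tcp any host 201.14.14.219 eq smtp
static (inside,outside) 201.14.14.219 172.22.109.253 netmask 255.255.255.255
"""

PORT_NAMES = {"https": 443, "smtp": 25, "http": 80, "ssh": 22}


def parse_config(text):
    """Collect 'permit/deny <proto> any host <ip> eq <port>' ACEs and
    '(real_if,mapped_if) mapped real netmask' statics. ip_network() in strict
    mode raises ValueError when mapped/real are not on the mask's boundary,
    which mirrors the ASA refusing the /29 static the ISP suggested."""
    aces, statics = [], []
    for line in text.splitlines():
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) any host (\S+) eq (\S+)", line)
        if m:
            name, action, proto, host, port = m.groups()
            aces.append((name, action, proto, ipaddress.ip_address(host),
                         PORT_NAMES.get(port) or int(port)))
            continue
        m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line)
        if m:
            real_if, mapped_if, mapped, real, mask = m.groups()
            statics.append((real_if, mapped_if,
                            ipaddress.ip_network(f"{mapped}/{mask}"),
                            ipaddress.ip_network(f"{real}/{mask}")))
    return aces, statics


def untranslate(statics, mapped_if, dst):
    """Pre-8.3 static: the mapped address is replaced by the real address at
    the same offset inside the netmask. A /32 mask is therefore exactly one
    host; a shorter mask translates a whole aligned block positionally."""
    for real_if, m_if, mapped_net, real_net in statics:
        if m_if == mapped_if and dst in mapped_net:
            offset = int(dst) - int(mapped_net.network_address)
            return real_if, ipaddress.ip_address(int(real_net.network_address) + offset)
    return None


def inbound_flow(config_text, proto, dst_ip, dst_port,
                 mapped_if="outside", acl_name="outside_access_in"):
    """Walk an inbound flow in pre-8.3 order: the interface ACL is matched on
    the mapped (public) destination, then the static untranslates it."""
    aces, statics = parse_config(config_text)
    dst = ipaddress.ip_address(dst_ip)
    decision = "deny"  # implicit deny at the end of the ACL
    for name, action, p, host, port in aces:
        if name == acl_name and p == proto and host == dst and port == dst_port:
            decision = action
            break
    if decision != "permit":
        return {"result": "drop", "reason": "no permit ACE for this flow"}
    xlate = untranslate(statics, mapped_if, dst)
    if xlate is None:
        return {"result": "drop", "reason": "no static covering the mapped address"}
    return {"result": "allow", "egress": xlate[0], "real_ip": str(xlate[1])}


if __name__ == "__main__":
    for port in (443, 25, 22):
        print(port, inbound_flow(ASA_CONFIG, "tcp", "201.14.14.219", port))
    print("neighbour .220:", inbound_flow(ASA_CONFIG, "tcp", "201.14.14.220", 443))
    try:
        parse_config("static (inside,outside) 201.14.14.219 172.22.109.253 netmask 255.255.255.248")
    except ValueError as err:
        print("ISP's /29 suggestion rejected:", err)
```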



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



VPN tunnel failover - best practices

TL;DR Can you have a VPN tunnel failover configured on the same device?

I know about line failover, i.e. with Cisco ASA active/standby, if the line/device goes down, standby takes over. BUT what if those are fine but the VPN tunnel goes down?

Thanks!



Best way to copy data from NAS connected to a remote machine?

Hi,

I have a NAS drive attached to a remote machine. Now, I SSH into the remote machine and then SSH into the NAS, copy the data to the remote machine and then copy the data to my local machine. As you can see, this is slow and also creates a lot of problems with rsync.

Is there any better way to do this?

Thank you in advance!



How to handle "ASN registry lookup failed. Permutations not allowed." errors?

I have a Python application where part of it uses the ipwhois module to do RDAP whois lookups on IPs. I see a number of IP addresses that cause the error:

ipwhois.exceptions.ASNRegistryError: ASN registry lookup failed. Permutations not allowed.

Anyone have an idea of what this actually means? I see this is usually triggered by government-owned IPs, but also see it seemingly occurring for random organizations.



What kind of DDoS it is?

I got an email from my ISP saying my machine is scanning some foo network and they provided the following NetFlow details. I don't have NetFlow so I'm not sure what happened at that time, so I'm trying to understand what is going on. Does anyone notice this in their network?

74.XX.XX.40 is my server and 128.XX.XX is the foo network, and it looks like they are targeting port 3283 which is Apple xchat I believe. Also it could be a reflection attack.

25-Jun-2019 01:46:38 GMT-0400 74.XX.XX.40:3074 -> 128.XX.XX.13:3283 17 30636
25-Jun-2019 01:46:06 GMT-0400 74.XX.XX.40:3074 -> 128.XX.XX.126:3283 17 65090
25-Jun-2019 01:46:06 GMT-0400 74.XX.XX.40:3074 -> 128.XX.XX.59:3283 17 61502
25-Jun-2019 01:46:06 GMT-0400 74.XX.XX.40:3074 -> 128.XX.XX.208:3283 17 61180
25-Jun-2019 01:46:06 GMT-0400 74.XX.XX.40:3074 -> 128.XX.XX.165:3283 17 15180
25-Jun-2019 01:46:14 GMT-0400 74.XX.XX.40:3074 -> 128.XX.XX.49:3283 17 53544
25-Jun-2019 01:46:14 GMT-0400 74.XX.XX.40:3074 -> 209.XX.XX.67:3283 17 45908
25-Jun-2019 01:46:06 GMT-0400 74.XX.XX.40:3074 -> 128.XX.XX.214:3283 17 60214
25-Jun-2019 01:46:14 GMT-0400 74.XX.XX.40:3074 -> 128.XX.XX.172:3283 17 55292
25-Jun-2019 01:46:06 GMT-0400 74.XX.XX.40:3074 -> 209.XX.XX.207:3283 17 63112


Utilizing NAT for an IP migration

I need to readdress a production system we have. However, there are several 3rd parties that point to this either via IP or DNS.

What I'd like to do is utilize NAT to translate the old IP to the new IP. Both addresses are public IPs that I control the space on.

I'd like to remove IP a.a.a.a from this equipment. I'll be readdressing with b.b.b.b.

I'd like to then set up a NAT rule that forwards/translates anything from a.a.a.a to b.b.b.b. But if someone connects to b.b.b.b it goes untouched.

I set up a static translation. Pinging a.a.a.a responds with a.a.a.a, but if you ping b.b.b.b it says it was successful with a response from a.a.a.a. I just imagine this causing issues for anything TCP.

I'd appreciate any help or insight - I'm definitely not firing on all cylinders today.

I've tried the following:

ip nat inside source static b.b.b.b a.a.a.a

and

ip nat pool IP_MIGRATION a.a.a.a a.a.a.a netmask 255.255.255.252
ip nat inside destination list ip_migration_test pool IP_MIGRATION redundancy 1 mapping-id 100
ip access-list standard ip_migration_test
 permit b.b.b.b


Thoughts on re-designing router core

Hello everyone,

I am looking for some affirmation based on best practices, etc. on this plan I've come up with.

We currently have three datacenters but are moving out of one of them. We'll call them DC1, DC2, and DC3. We're moving out of DC1. DC1 and DC2 have bigger routers than DC3, so I am going to move the router from DC1 to DC3. In the meantime, I am going to try to clean up some of the mess that was put in years ago. I'll try and explain.

This picture is kind of a diagram of the mess that is our network. Back in the day they LOVED to do everything layer 2 here and it drives me crazy on a daily basis. Note: I did everything privately addressed to mask our public IP information. In production right now, everything is publicly addressed.

Each datacenter has one router that connects to 2 core layer 3 switches. They are not stacked. Each DC has leased fiber running between them in sort of a loop, currently.

I tried to the best of my ability to diagram out how the different VLANs and such are connecting each site, but I'll try and bullet point these out as well:

  • All three of the routers are currently on the same broadcast domain. There is a VLAN tagged from the router, through each core local switch (since the leased fiber is plugged into the core switches), then on to the remote core switch, and then tagged up to the router at the next site. That is depicted by the green dotted line.
  • Each site also has L3 connections from the router to the core switches. It is a /30 from the router to core1, and a /30 from the router to core 2. Note: this connection is on the same fiber that the previous point is, just a different tagged VLAN.
  • Next, DC1 and DC2 currently are all on a shared /28 for their inter-communication. Again, this is across the same leased fiber that connects all of the routers on that broadcast domain.

So, it's safe to say it's a cluster.......

Since we are shutting down DC1, I want to take that router and move it to DC3, so it's the perfect time to clean this up. This second image is what I am proposing we design, but I want comments on if this is best practice, concerns, etc.

  • I want to do straight up layer 3 between the router and the core. I will make it a /29 and MLAG from the two cores into the router - no shared broadcast domains between the two routers. iBGP will connect via Loopback
  • Then, the core switches at each site will also share a layer 3 /29 in a MLAG set up as well.

This gets us to only doing layer 3 between everything (as it should be!).

Any feedback would be appreciated. Thanks!



Ubiquiti Switches

Hey Guys,

I"m starting a new job next week and one of my first projects will be upgrading the infrastructure. The company is a non-profit so they dont have a huge budget. They are currently using Nortel switches and Cisco 1130 APs. The network itself is pretty basic... 2 VLANS... one for voice the other for data...

Have any of you guys deployed Ubiquiti in an "enterprise" environment? The UniFi® Software-Defined Networking (SDN) platform looks really sweet!! I'm a huge fan of Ubiquiti's access points, but I've never used their switches.....



Best way to fail L2 over an L3 network?

I'm currently using OSPF and MP-BGP in my internal network. I have a paired device that will continue the management network across itself, so that you can always access both systems should the uplink on one side go down. The connection between can also be split of course.

I'm trying to figure out if there's some fancy trickery I can do using VRRP+OSPF or if I should just put it into MP-BGP somehow (like its own VRF and then leak the full routing table between it and the management VRF).

Thoughts/ideas?



VIRL setup on ESXi

Hey,

Question about setting up VIRL on an ESXi environment. I don't do the VM setup so I'm not sure about the network setup. What is the purpose of the Flat, Flat1, SNAT and INT networks? Do they need to be set up for VIRL to work? Our systems guys are a PITA so I need to make sure that I give them the correct specifications when I ask them to build the OVA.

I know the first NIC should be the management network, but beyond that I'm not exactly sure what needs to be done. Do I need to have these VLANs set up on the switch? Are these just networks that need to be used by VIRL itself? What is the easiest way to set this up?

Should I set up a new vSwitch with VLAN ID All and no physical adapters associated? Then associate that new vSwitch with those four interfaces on the VIRL host?

Thanks.



Show details of transceiver in CVR - Nexus 7K?

G'day everyone

My google skills have failed me, either because of half a bottle of wine or because the answer doesn't exist, so I was hoping someone could share their experience or confirm I'm out of luck on this one.

I've just moved some coloured ZR SFP+ modules from native 10G ports into CVRs in QSFP ports in breakout mode. Three of my four links came up no problems, but one hasn't. I suspect a physical issue, but when I did the usual 'show int ethx/x/x transceiver detail' to see if it was low light vs no light, I got some awesome information about the CVR itself, but nothing about the SFP+ module inside it, including light levels. Tab complete and the trusty context sensitive help haven't come through for me this time.

Can anyone point me in the right direction, or is the caveat of using the CVR that I no longer get the DOM information and I should just get my junior to stare into the fibre and evaluate how blind he becomes on a 10 point scale (he's got two eyes, it's fine)?



SonicWall PCI Compliance

A company I'm supporting is using a SonicWall TZ105 device. It's about 5 years old (a guess). The company's PCI compliance scan failed recently. The failure is on the port the SonicWall device uses for the "Virtual Office" to install NetExtender. Our security company is stating that we need to have an SSL certificate for those open ports. Is this accurate? If so, can I just purchase these certificates through our web host and install them?



Juniper study books for Junos beginner

Hi all,

I'm looking for some good Junos books but I'm a bit lost at the (official) study material / books that come in handy.

I'm looking at the Day One guides but I wonder if this will help me enough for certifications like JNCIA and the security / enterprise routing track (like Routing the Internet Protocol, Exploring the Junos CLI, Second Edition).

I also see some of these books being recommended ( https://www.amazon.com/Junos-Enterprise-Routing-Practical-Certification/dp/1449398634 ) which seem more in line with the material I'm used to, like Cisco Press.

FYI I bought myself an SRX210 for study and just re-certified my CCNP, so I'm comfortable with network principles. It's just the Junos details and OS navigation that I'm worried about, as well as the exam preparation.

I like learning out of books and physically working with devices (hence the SRX210). If online learning is the only proper resource then I can deal with it as well; however, I find Junos Genius an absolute pain in the ass. The material itself is great but their Android app keeps crashing, I can't full-screen their videos on my PC, etc. What a hot buggy mess.

Thanks for any recommendations.



Issues With Powerline Ethernet Speeds..

Hey gang. I figured you guys would best be able to offer me some advice.

My primary reason for using Powerline Ethernet was to use in-home streaming on my Xbox. 5 GHz Wi-Fi was... serviceable, but I had to keep streaming quality at lower settings to avoid sudden spikes of muddled garbage. Really ruins the experience overall. Good quality: more lag and sudden halts in streaming. Low quality looks pretty bad.

So I did some reading, and came up with using powerline. I was aware that I wouldn't necessarily get blazing speeds, but that latency would be a huge benefit of it. And so, I went on eBay and got a couple of cheap D-Link adapters, and finally set them up a couple of nights ago.

It was underwhelming. I was still getting huge spikes in lag. I was able to set quality a bit higher, and latency was marginally better (tested it). But no real improvement.

I quickly noticed what I believe to be the problem. My speeds were low. REALLY low. My 5 GHz Wi-Fi speeds often reach well over 75 Mbps during game downloads. But after checking my speeds through the Xbox interface, I was seeing a pathetic 14 Mbps. I knew powerline tends to be a bit slower, but makes up for that in latency. But this was embarrassing.

The adapters I have are 200 Mbps adapters. I guess the typical entry-level stuff nowadays. Could it be that there's something wrong with them? Maybe I should try for better units? Could it just be that my home's wiring is not up to par? These houses weren't exactly built yesterday...

One thing I've noticed, at least according to others, is that file transfers across my network seem to be quite slow. I think my router is capable of 300 Mbps transfers, but actual transfer speeds tend to be more in the range of 15-25 MB/s depending on the types of files. Can I just chalk that up to overhead and call it normal? I'm on a Comcast router from about 4 years ago. Would it be worth a try to just swap it out for a newer model?

Sorry for essay guys. Thanks so much for your help! :)