Saturday, July 20, 2019

Do fractional circuits generally underperform compared to full circuits

I will admit this is entirely anecdotal, but it seems that fractional circuits (e.g. 200mb, 500mb) seem to always underperform, while full circuits (e.g. 100mb FastE or 1000mb GigE) actually perform pretty close to their theoretical max.

Unless I am imagining the above entirely, I assume it has something to do with the QOS/traffic shaping that goes into provisioning these fractional circuits?



Port Forwarding for Call of Duty Black Ops 3 for PS4

I'm having a hard time connecting to matches on BO3 on my PS4 so I followed this Port Forwarding guide and I have some questions still.

So I have a Cox modem and an ASUS router and all our devices are connected to the 2.4 GHz wifi on the ASUS router, so should I use the modem's gateway, router's gateway, or both to add these services when port forwarding? I added all the services to my modem's settings linked to my router and I thought that would do it. (0.252 is my router). What am I missing? I heard something about DMZ also and I just don't get it, so if anyone can help me I would appreciate it a lot.



What are the best LCOL cities or general areas for IT right now? Preferably for contract work.

Full disclosure, I'm not a network person (yet) but I'm crossposting this to various IT subs because I'd like to cast a wide net and see some responses from people in all stages of their careers.

I’m partial to New England because I have family up that way but open to going almost anywhere in the continental US. I’d like to avoid high cost of living areas like NYC or San Francisco. I’m open to any type of work, government, healthcare, education, pretty much anything. I’m also open to living anywhere from a metro area to a small town to way out in the boonies.

I have an IT degree, three years of help desk experience and one year of contract Desktop Support, during which I managed a hardware deployment/rollout for a pretty big company. I'll have the CompTIA trifecta by the end of the summer, and I'm hoping to have my CCNA by around Christmas.

What parts of the US seem like good options for IT nowadays?



Jitter/Ping inconsistencies for facility

I am having issues understanding what's going on.

We are experiencing extremely high jitter/ping on some nodes of our network. Each compound on the property is connected using wireless bridges due to impossible cable runs. These bridges are working perfectly fine and all have around -60dBm which has been working fine. Recently an area on our facility has been experiencing weird latency issues.

    Pinging 192.168.10.201 with 32 bytes of data:
    Reply from 192.168.10.201: bytes=32 time=5ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=5ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=4ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=9ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=4ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=666ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=105ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=4ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=4ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=5ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=279ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=5ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=4ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=12ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=5ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=8ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=108ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=5ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=6ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=4ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=4ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=109ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=103ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=134ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=137ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=132ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=103ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=217ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=121ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=466ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=222ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=194ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=103ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=103ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=240ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=103ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=146ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=237ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=103ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=106ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=102ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=181ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=203ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=105ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=103ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=365ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=185ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=192ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=192ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=306ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=149ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=322ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=542ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=463ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=120ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=6ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=393ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=229ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=174ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=306ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=162ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=319ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=106ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=396ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=228ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=287ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=317ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=367ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=466ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=195ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=920ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=573ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=298ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=6ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=436ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=575ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=435ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=8ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=4ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=303ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=105ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=124ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=298ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=1079ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=818ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=109ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=471ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=131ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=194ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=356ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=105ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=154ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=7ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=110ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=287ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=5ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=117ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=216ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=110ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=110ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=165ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=105ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=200ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=7ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=5ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=203ms TTL=64
    Reply from 192.168.10.201: bytes=32 time=107ms TTL=64

    Ping statistics for 192.168.10.201:
        Packets: Sent = 242, Received = 242, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 2ms, Maximum = 1079ms, Average = 88ms

It seems to come in waves, but there are always intermittent 2ms pings even when the flood occurs.

Any ideas? We've tried just about all the obvious solutions. New cable run, realignment, cleaning, changing channels, changing strength of signal, etc.

Thanks
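As an added example (not part of the post above), here is a small Python script that parses Windows-style ping output like the capture in the post and turns it into the numbers that actually matter when arguing about a wireless bridge: loss, median, p95, mean inter-probe jitter, and the longest run of bad probes. The sample embedded in the block is constructed (a handful of the RTTs from the capture plus one invented "Request timed out." line so the loss path is exercised); the 50 ms spike threshold is an arbitrary choice for a LAN.

```python
import math
import re
import statistics
from typing import Dict, List, Optional

# Matches the RTT field of a Windows ping reply. Windows prints "time<1ms"
# for sub-millisecond replies, so accept both "=" and "<".
REPLY_RE = re.compile(r"\btime([=<])(\d+)ms")
TIMEOUT_RE = re.compile(r"Request timed out", re.IGNORECASE)

# Constructed sample, modelled on the capture in the post: a quiet stretch,
# a burst of spikes, and one invented "Request timed out." line so that the
# loss path is exercised. Not the full 242-probe capture.
SAMPLE_PING_OUTPUT = """\
Pinging 192.168.10.201 with 32 bytes of data:
Reply from 192.168.10.201: bytes=32 time=5ms TTL=64
Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
Reply from 192.168.10.201: bytes=32 time=666ms TTL=64
Reply from 192.168.10.201: bytes=32 time=105ms TTL=64
Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
Reply from 192.168.10.201: bytes=32 time=3ms TTL=64
Reply from 192.168.10.201: bytes=32 time=109ms TTL=64
Reply from 192.168.10.201: bytes=32 time=103ms TTL=64
Reply from 192.168.10.201: bytes=32 time=134ms TTL=64
Reply from 192.168.10.201: bytes=32 time=466ms TTL=64
Reply from 192.168.10.201: bytes=32 time=6ms TTL=64
Reply from 192.168.10.201: bytes=32 time=1079ms TTL=64
Request timed out.
Reply from 192.168.10.201: bytes=32 time=2ms TTL=64
Reply from 192.168.10.201: bytes=32 time=3ms TTL=64

Ping statistics for 192.168.10.201:
    Packets: Sent = 16, Received = 15, Lost = 1 (6% loss),
"""


def parse_ping(text: str) -> List[Optional[int]]:
    """One entry per probe, in order: RTT in ms, or None for a lost probe."""
    samples: List[Optional[int]] = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            samples.append(0 if m.group(1) == "<" else int(m.group(2)))
        elif TIMEOUT_RE.search(line):
            samples.append(None)
    return samples


def percentile(values: List[int], pct: float) -> int:
    """Nearest-rank percentile (no interpolation), e.g. p95 of the RTTs."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def summarize(samples: List[Optional[int]], spike_ms: int = 50) -> Dict[str, float]:
    """Loss, spread, mean inter-probe jitter and the longest run of bad probes.
    spike_ms is an arbitrary threshold for "this reply is not normal on a LAN";
    a lost probe counts as a bad probe when measuring bursts."""
    rtts = [r for r in samples if r is not None]
    if not rtts:
        raise ValueError("no replies parsed")
    # Jitter as the mean absolute difference between consecutive received
    # replies (a lost probe between two replies is skipped, not treated as
    # infinite).
    diffs = [abs(a - b) for a, b in zip(rtts, rtts[1:])]
    jitter = statistics.mean(diffs) if diffs else 0.0
    longest = run = 0
    for r in samples:
        if r is None or r > spike_ms:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return {
        "sent": len(samples),
        "lost": len(samples) - len(rtts),
        "min": min(rtts),
        "max": max(rtts),
        "median": statistics.median(rtts),
        "p95": percentile(rtts, 95),
        "mean_jitter": round(jitter, 1),
        "spikes": sum(1 for r in rtts if r > spike_ms),
        "longest_burst": longest,
    }


if __name__ == "__main__":
    import sys
    # Pipe a real capture in (ping -n 300 host | python jitter.py), or run
    # with no stdin to analyse the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PING_OUTPUT
    for key, value in summarize(parse_ping(text)).items():
        print(f"{key:>14}: {value}")
```

Running it from hosts on both sides of each bridge narrows down which hop adds the wave, and "longest_burst" is the figure that separates an occasional stray 100 ms reply from a sustained run like the one in the middle of the capture.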



bird-msgpipe - bird and messaging systems fusion

Hi r/networking,

Using the BIRD internet routing daemon usually requires configuring filters in BIRD's special configuration language; changes to filters require reloading the configuration for the changes to take effect.

Various ideas that attempt to automate the configuration process for bird exist; most of them are script-based solutions that interact with bird via its control socket following a change in the configuration.

bird-msgpipe introduces a new paradigm that uses a modern messaging system employing a pub/sub model to provide a way to pass the route information.

For example, a client that subscribes to the appropriate channel can then process the route information and publish back to bird-msgpipe (which is subscribed to another channel for updates) a routing decision.

The msgpipe protocol is a new protocol among the bird protocols; it's based on the pipe protocol. Instead of connecting two routing tables, msgpipe has one connection between the source routing table and a NATS publish channel for one direction, and another connection from a NATS subscribe channel to the destination routing table for the other direction.

The msgpipe protocol can be thought of as a pipe with a very sophisticated filter-manipulation enabler, which works outside of bird's internal mechanism and does not require configuration reloading. There are additional ways to look at it, but this one was the original POV.

This version, bird-msgpipe, is a highly experimental POC that was devised following a discussion I had about SDN and L3 traffic steering.

There are quite a few limitations and some known issues, and probably a handful of bugs that need to be squashed.

There is a simple (yet quite complicated to bring up) demo showing how the target routing table of the msgpipe protocol is populated following manipulation by a client.

I would like to hear thoughts and get feedback from community members that find this idea intriguing.

The project resides at https://github.com/gilwo/bird-msgpipe/tree/msgpipe.

Thanks,

gilwo



MoCA and Comcast (DOCSIS 3.x) over the same coax cable

Hello,

I am trying to help out a small business to get decent WiFi coverage and running into some issues with wiring.

I am aware that the proper solution to the issue is to run Cat6 cable and be done with it, but I am pretty terrible at running cable and owner doesn't want to hire somebody to run cable. So I am trying to see if there are cheaper/simpler alternatives.

What I need to do is to install at least 1 more AP. The building is all wired up with coax, but no other cabling. Due to how everything is laid out, cable modem needs to be in one specific room. The Coax cable from the street comes into an attic, where it gets split into multiple rooms, including the one with the modem.

So my question is - could I use MoCA adapters on the same cable that's carrying Comcast's TV and Internet signal? I don't need more than 100Mbps link. According to the standards that I see, MoCA and DOCSIS do have overlapping channels, but I am not sure if there are any special MoCA adapters that are designed to work like that.

Any suggestions?

Thanks!



Locally hosted speed test website?

I'm just looking for recommendations on a locally hosted speed test solution.

Something where if a user calls and says "the internet is slow", I can ask them to go to this site and run the speed test and tell me the results. This server would be located in our data centre and would be helpful to know "is it the LAN/WiFi or is it the WAN/Internet that is slow"



Question regarding DNS and Route 53?

Hey Guys,

So I'm a bit confused about DNS and Route 53 and its use cases. My understanding is that DNS servers are lookup tables where you can put in a URL and get the corresponding IP and vice versa. It's something used by ISPs to convert www.google.com to the correct IP address.

However, Amazon seems to be offering Route 53 as a service to developers? Why would a developer need DNS services (isn't DNS being taken care of by their ISP)? With regards to a company, why would a company need DNS for their web server? Isn't this something that only ISPs would need / use? Thanks.



How do I request Openreach to install Fibre along our road? (UK)

Our street is one of the few in our area that does not yet have FTTP, and the copper cable speed is horrendously slow, to the point where streaming 144p videos is a struggle sometimes. We are around 3/4 of a mile away from the nearest cabinet.

Every website I've checked seems to think we have access to fibre when I know for a fact that our stretch of the road does not.

The quality of our internet has affected our professional lives as intermittent connections interfere with submitting work from home, which as a home worker is extremely important.



Trade-in EOL/Surplus network equipment?

We have a bunch of switches/routers that are due to be pulled out of offices/data centers due to a number of reasons. Some of it is pretty rubbish, but some of it is still worth some £££.

Currently we just pay a company to dispose of it, but I'm hoping we can get some value out of the devices instead.

Does anyone dispose of their kit either by getting some trade-in against new kit or sell it in bulk?



Trunk not working?

I have two Nexus 9K switches operating in a vPC domain with the SVIs in HSRP. For the sake of keeping it simple while troubleshooting, I turned off the secondary Nexus and took HSRP off.

The problem I have is when I trunk 10 2960X switches to the nexus, half of them show up in cdp neighbor and “show int trunk” shows all the vlans forwarding on the trunk however I cannot ping any of the SVIs on the nexus. The default route is there.

I decided to test the switches that are trunking properly and everything works fine. I then took one of the bad switches with the same configuration and trunked it to a working switch and they were able to ping the SVIs on the nexus. What gives??



Where to now?

Hey, y'all,

About four months ago I landed a job in a small IT shop (four people: the CTO, help desk tier 1.5, a web/database guru, and myself) in which I wear many hats. My experience and training are all in network design, deployment, security, and maintenance. However, at this company I get the wonderful opportunity to learn many sysadmin, mbxadmin, and more in-depth cybersecurity skills than I would at a larger company with the same qualifications.

This is of course a great opportunity, being my first career position after my discharge from the army (only took two years with no degree lol) but I have a CCNA, whereas our company uses 95% UniFi and HP L3 PoE switches. This is not too much of an adjustment from Cisco, but I'm not sure what certification to get next. I would like to understand our PANs beyond just being able to keep them running, but the next class I would be available to attend would be in March.

TL;DR: I need to learn our cyber security architecture and just how PAN works in general, but will not have a formal opportunity for some time. Should I just bite the bullet and get the lower level certs such as Security+ (money is not an issue if you have better suggestions)?

Responses appreciated, thank you!



why don't BFD implementations expose the measured OWD??

Talk about a missed opportunity. Why doesn't every BFD implementation let me query the measured latency to a neighbor???!

I am unreasonably annoyed by this.



Looking to sell leftover INE rack tokens.

https://ift.tt/2Ssfyxx

Friday, July 19, 2019

Dear men in networking: I don’t care about your language—I just want to be treated with respect

Forewarning: This is a rant and I believe it is a perspective that needs to be shared. That’s it.

I’m a female network engineer working in a NOC full of only men. They’re always tripping over themselves to not curse or use weird vulgar analogies when complaining about our company’s executives or whatever because “Oops, can’t say that because celestialparrotlets is in the room!”

I’ve never given a negative response to the dumb things they say about our company/execs and have never given any indication of a reaction other than to chuckle sometimes, because I honestly don’t care and sometimes it’s funny to me. I get it, we’re blowing off steam. But these guys still get all weird about it when I’m in the room. My manager will loudly warn everyone about getting in trouble with HR and then pointedly look at me when this happens.

Give you one guess as to why.

These same dudes worried about me hearing their nasty, unoriginal analogies for bending over for our execs or whatever are the same ones who won’t ever answer any of my questions or address my ideas with a straight face. I constantly get teased like we’re all in middle school and these guys have a crush on me or something. It’s demeaning and infuriating.

Can I share a secret with you all? The women in your workplace don’t really care about the dumbass stuff you say when you’re letting off steam. We’ve all heard Bad Words before; it’s nothing new. We just want to be treated with respect like anyone else and be taken seriously. So please stop teasing us and either answer the goddamn question we just asked you or go fuck off and we’ll ask someone else.

Also, if you can’t handle yourself enough around a woman who is mildly attractive in order to answer a procedural question, rethink your life and get some help.



Revive older, more powerful equipment, or buy new, cheap equipment?

During a design session for a new server room, our company made a very strange set of choices for equipment. One was pricing out three brand new 48-port gigabit Juniper switches, one for each rack. They are access switches, with an optional 10Gb module (that we aren’t buying).

The countering solution is reviving two HP 5900AF Comware switches that are sitting on a shelf. They are a bit older, but are fully 10- and 40-gig, which all of our servers have. The trouble is that we would have to buy RJ-45 modules, which technically costs less than the new switches, but would require either longer runs to a Com rack, or buying a third 5900 (not cheap) for the third rack.

All three racks will be 75% to 100% full at all times, with mostly RJ-45 1/10Gb. Some other devices will be using Q/SFP+, but not many.

I want to know if there’s possibly a better option that I’m not seeing. The biggest problem is the budget (shoestring), which we’re shoehorning onto the construction (also shoestring).

Oh, and we can’t buy refurbished or used equipment because reasons. So, yeah. That.



Great day for a fiber cut!

Verizon Transport reports a fiber cut between Olivehurst and Sacramento, CA. 2 Ciena Ultra Long Haul rails and 1 Fujitsu Ultra Long Haul rail are impacted. A Verizon Field Operations technician was dispatched to Sacramento, CA to perform an OTDR reading, which showed the damage to be 42,000 feet or approximately 8 miles out.

As of 22:24 GMT Verizon field technicians have found 3 cables damaged in a homeless camp: a 384-count, a 600-count and a 216-count cable. Cables were damaged by vandalism. Damage was located by the bike bridge going over the American River. All 3 of these cables are Verizon's. Field operations reports additional resources en route. Repairs and restoration are still in progress. No estimated time of repair yet.



HP port numbering is a mystery

I'm trying to simply assign some untagged vlans to a couple of ports on a switch here, but I'm having nothing but problems. Just updated the firmware.

HP J9576A 3800-48G-4SFP+ Switch Software revision KA.16.03.0007 

It's two stacked switches. Here's the command and response I get:

    DNS-CORE-STACK# conf
    DNS-CORE-STACK(config)# vlan 200 untagged 1/37
    Module not present for port or invalid port: 1/37

And here's a bit of show config that makes me think that the port syntax I'm using is right:

    vlan 200
       name "VLAN200"
       untagged 1/1-1/6,1/27,1/29
       tagged 1/22,1/24,1/26,1/28
       ip address 10.10.20.254 255.255.255.0
       exit

I'm pretty dumb at networking. I'm actually trying to assign two ports that are set on dynamic LACP. Could that be it?

    DNS-CORE-STACK(config)# show lacp

                                   LACP

             LACP      Trunk     Port                LACP      Admin   Oper
      Port   Enabled   Group     Status    Partner   Status    Key     Key
      -----  -------   -------   -------   -------   -------   ------  ------
      1/37   Active    Dyn1      Up        Yes       Success   0       0
      2/37   Active    Dyn1      Up        Yes       Success   0       0

    DNS-CORE-STACK(config)# vlan 200 untagged Dyn1
    Dyn1: Inconsistent value.

Any assistance would be most appreciated.



DAE Feel afraid/fake even though you are viewed as an expert?

I started Cisco R&S almost 10 years ago. I'm comfortably employed as a senior engineer and have a CCNP. I would like to jump to an opportunity at a Cisco VAR as a consultant but feel stressed/worried. Mostly I guess I'm not confident in my knowledge; I feel like people think more highly of my skills than what they are. Do you just have to take the plunge?



Help configuring a router so that I can connect to a server that's connected to it from outside the router

In my office there's a 16 port router that I use to image new computers. I have an old server connected to the router that I use as the imaging server. So basically I can connect a bunch of PCs and then PXE boot them to image.

The router is connected to one of the ethernet jacks in the wall which goes to a switch in our switch closet. (Honestly I don't really know why it's a router in the first place, since it seems like a switch would suffice, but that's another whole topic.)

Anyway, if I login to the imaging server, I can access other computers in the building that are not connected to my router, but if I were on a computer in another room I can’t access the imaging server.

My goal is to be able to image computers in the computer labs without having to unplug them and bring them to my office.

If anyone can point me in the right direction, I'd appreciate it.



Cisco/Viptela - FEC vs Packet Duplication?

Hey all - not sure if this is a noob question or not, but I'll throw it out to everyone regardless -- looking into some of the new features of 18.4 and found FEC and Packet Duplication ... and I'm trying to figure out the difference between the two.

On the manual pages:

https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.4/06Policy_Basics/04Centralized_Data_Policy/01Configuring_Centralized_Data_Policy

it states:

Apply loss correction to matching data packets.

Forward Error Correction (FEC) recovers lost packets on a link by sending redundant data, enabling the receiver to correct errors without the need to request retransmission of data.

FEC is supported only for IPSEC tunnels, it is not supported for GRE tunnels.

  • FEC Adaptive – Corresponding packets are subjected to FEC only if the tunnels that they go through have been deemed unreliable based on measured loss. Adaptive FEC starts to work at 2% packet loss; this value is hard-coded and is not configurable.
  • FEC Always – Corresponding packets are always subjected to FEC. 
  • Packet Duplication – Sends duplicate packets over a single tunnel. If more than one tunnel is available, duplicated packets will be sent over the tunnel with the best parameters. 

In my setup, I've got two WAN paths - primary as Color1 and secondary as Color2.

Does FEC Always/Adaptive send traffic down both paths or just one?

Packet duplication specifically states that it sends traffic down one tunnel - and if FEC and packet dup both only send traffic down one path, what is the difference between the two?

----

and then to just go down the rabbit hole one step further - if I've got two data center end points and tunnels terminating on both - if traffic is going down both paths, how do the head-end devices know which packet to drop? Or is that on the endpoint to decipher?

Thanks all
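To make the difference between the two mechanisms the quoted manual text describes concrete, here is an added toy simulation. It is my own example code, not Cisco's and not how a vEdge implements either feature internally. FEC is modelled as one XOR parity frame appended after every 4 data frames on a single tunnel (the 4:1 group size is an assumption for this example), so it costs 25% extra bandwidth and can rebuild exactly one lost frame per group. Packet duplication is modelled as every frame sent twice, with the receiver keeping the first copy and discarding the second by sequence number, so it costs 100% extra bandwidth and survives any loss that does not hit both copies. Whether the second copy rides the same tunnel or a second colour does not change the receiver logic, only how correlated the two losses are; the simulation simply uses two independent loss sets. The packet contents are constructed.

```python
from typing import Dict, List, Optional, Set, Tuple

# A wire frame: ("data", sequence number, payload) or ("parity", group start, payload).
Frame = Tuple[str, int, bytes]

# Constructed sample traffic: 12 fixed-size packets with sequence numbers 0..11.
PACKETS: List[bytes] = [bytes([0xA0 + i] * 8) for i in range(12)]
GROUP = 4  # assumed parity-group size: one parity frame per 4 data frames


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fec_encode(packets: List[bytes], group: int = GROUP) -> List[Frame]:
    """FEC sender: after every `group` data frames, append one XOR parity frame.
    Everything travels on ONE tunnel; overhead is 1/group extra frames."""
    wire: List[Frame] = []
    for start in range(0, len(packets), group):
        block = packets[start:start + group]
        parity = block[0]
        for p in block[1:]:
            parity = xor_bytes(parity, p)
        wire.extend(("data", start + j, p) for j, p in enumerate(block))
        wire.append(("parity", start, parity))
    return wire


def fec_decode(received: List[Optional[Frame]], n_packets: int,
               group: int = GROUP) -> List[Optional[bytes]]:
    """FEC receiver: `received` is the wire in order, None where a frame was lost.
    XOR parity rebuilds at most ONE missing data frame per group; a second loss
    in the same group is unrecoverable and stays None."""
    blocks: Dict[int, Dict] = {}
    for frame in received:
        if frame is None:
            continue
        kind, idx, payload = frame
        start = idx if kind == "parity" else idx - idx % group
        blk = blocks.setdefault(start, {"data": {}, "parity": None})
        if kind == "data":
            blk["data"][idx] = payload
        else:
            blk["parity"] = payload
    out: List[Optional[bytes]] = [None] * n_packets
    for start, blk in blocks.items():
        for idx, payload in blk["data"].items():
            out[idx] = payload
        missing = [i for i in range(start, min(start + group, n_packets))
                   if i not in blk["data"]]
        if len(missing) == 1 and blk["parity"] is not None:
            rebuilt = blk["parity"]
            for payload in blk["data"].values():
                rebuilt = xor_bytes(rebuilt, payload)
            out[missing[0]] = rebuilt
    return out


def fec_run(packets: List[bytes], lost_wire_positions: Set[int]) -> List[Optional[bytes]]:
    """Send with FEC, drop the given wire positions, decode."""
    wire = fec_encode(packets)
    received = [None if i in lost_wire_positions else f for i, f in enumerate(wire)]
    return fec_decode(received, len(packets))


def duplication_run(packets: List[bytes], lost_on_a: Set[int],
                    lost_on_b: Set[int]) -> List[Optional[bytes]]:
    """Packet duplication: every packet is sent on tunnel A and again on tunnel B.
    The receiver keeps whichever copy arrives first and drops the other by
    sequence number; a packet is lost only if BOTH copies are dropped."""
    return [p if (seq not in lost_on_a or seq not in lost_on_b) else None
            for seq, p in enumerate(packets)]


def wire_frames(packets: List[bytes], mode: str) -> int:
    """Frames actually transmitted for the same packets under each scheme."""
    return len(fec_encode(packets)) if mode == "fec" else 2 * len(packets)


if __name__ == "__main__":
    one = fec_run(PACKETS, {2})            # lose data frame 2: rebuilt from parity
    two = fec_run(PACKETS, {5, 6})         # lose data 4 and 5 (same group): 2 unrecoverable
    dup = duplication_run(PACKETS, {2, 5, 6}, {6})  # only seq 6 lost on both tunnels
    print("fec, 1 loss/group :", sum(p is None for p in one), "unrecovered")
    print("fec, 2 losses/group:", sum(p is None for p in two), "unrecovered")
    print("duplication        :", sum(p is None for p in dup), "unrecovered")
    print("frames on wire: fec", wire_frames(PACKETS, "fec"),
          "dup", wire_frames(PACKETS, "dup"))
```

The takeaway is the trade-off the manual glosses over: FEC buys loss recovery for a fixed, modest overhead but only against sparse, random loss (one frame per group), while duplication doubles the traffic and only buys recovery against losses that are not correlated between the two copies, which is why sending the copy on a different tunnel matters more than the dedup logic itself.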



Help! Firewall interface / VLAN / VoIP phone configuration / Messy environment

Hello everyone,

I'm looking for assistance with some messy network configuration problems I've been having (I'm a new-ish Sys Admin at an MSP - haven't done a whole lot of networking in larger environments). The environment has pretty much been held together with duct tape, it seems, and I'm here trying to clean up the mess.

https://imgur.com/MpFghRT Here's a brief overview of the relevant parts of the environment (they do have ESXi hosts, a DC, file server, app servers etc etc, but I don't think they're relevant for now)

Basically, I'm trying to set up VLANs for their VoIP phones so the phones in their secondary building (going through the AirFibers) can communicate with the phones in their primary building, and so they're also segmented for QoS purposes.

I attempted to create a L2 Bridge between the X0 and X3 LAN interfaces on the SonicWall, but quickly discovered that DHCP cannot be done over a L2 bridge (the SonicWall is currently doing DHCP for their entire network).

Switching DHCP over to their domain controller is an option that I've considered, but have not implemented yet, as I'm not entirely sure if this is the best solution (or even a solution at all).

HOWEVER, they are now going to be switching over from the SonicWall to a Sophos XG appliance.

It seems you can tag VLANs to a bridged interface of a Sophos XG using the CLI, but I've been reading mixed answers on whether or not this is truly doable, and also whether or not the Sophos can do DHCP on bridged interfaces (I'm fairly sure it can).

Should I use their DCs for DHCP? Do I need to use a switch for interVLAN routing? Should I reconfigure the entire switch layout and do away with the dual LAN interfaces?

I'm probably leaving out important details (let me know if you need any more information!), but I'll leave it at this for now. Also, I haven't done a whole lot of network diagramming, so I apologize for the sloppy one I put together.

Any direction on where I should focus my efforts would be VERY much appreciated.

Thanks :)



Can anyone here recommend a good Cat 6A keystone?

All the Cat 6A keystones I have tried either feel too low quality or are nice but way too expensive ($15). I also need to get them in both blue and yellow. Do you guys have any good recommendations? Maybe something around $5.



Spotify problems caused by my firewall, how to troubleshoot?

On my network, Spotify refuses to play more than 6 seconds of any song. I've tried a bunch of the fixes suggested on the Internet, and nothing fixes the problem.

The problem occurs on my desktop computer (wired network), and on my phone (wifi).

I'm pretty sure the problem is within my Sophos SG UTM firewall. If I turn wifi off on my phone, Spotify plays fine. In this scenario, my phone is connecting to an AT&T microcell which traverses an IPsec tunnel through the same firewall and ISP that my regular network uses. This would appear to rule out problems on the devices themselves and any sort of bandwidth issues.

Anybody have any tips on troubleshooting Spotify issues from a network perspective?



ARP poisoning from different interfaces?

Hi,

So I know generally how ARP spoofing works, but I'm not sure about one thing. Let's say we have 3 computers:

Computer A: 1 network interface with ip: 1.1.1.1

Computer B: 2 network interfaces with IPs 1.1.1.2 (B1 interface) and 2.2.2.2 (B2 interface)

and Computer C: 1 network interface with ip 2.2.2.1

A is connected to B1, and C is connected to B2.

B wants to talk to A, so it sends an ARP packet with B1 to get A's MAC address.

Let's assume C is quicker than A and knows when B sends this packet (edit: I know naturally it wouldn't know this; that is why I added this as an assumption. Let's say, for example, B sends this packet at exactly 5 o'clock every day, and C knows it).

So before A sends his answer to B, C will send an ARP response to B2, claiming to own the ip address 1.1.1.1. Will this work even though B2 is on subnet 2.2.2.x? In other words, C will be able to see what B planned to send to A, right?

Another question: Is there any easy way to model this situation (and similar situations) with VMs or something?

Thanks!



What do you think of my road map?

I plan on getting an associate's in network and systems administration, and while I am pursuing my degree I plan on getting the Sec+, Net+, CCNA and MCTS.

I also plan on learning a little bit of Python, becoming proficient in virtualization with VMware and getting an AWS cert.

I want to have a good understanding of networking/cybersecurity/cloud to be able to be “future-proof”. What do you think? Let me know if you have any suggestions. Thank you in advance.



Cisco 6840/6880 VSS or Nexus 9K (Greenfield DC WAN Aggregation Design) ?

Hoping for some real world feedback and input on a WAN Aggregation design constraint our organization is dealing with. We also are getting conflicting information from our SE team at Cisco. High Level Diagram Link.

Voice outsourcing vendor environment. We are building out a greenfield DC and are having internal discussions on WAN Aggregation [switch block] design for the datacenter. We have VRF-lite within the datacenter (and full VRF implementations across multiple MPLS providers) that we extend (L2) down from the WAN aggregation block to our telephony environment (SBCs). We have a lot of customers dropping connectivity directly into the DC also that we have to terminate. Business requirements also mandate use of WCCP redirection for web filtering appliances (more on that below).

We have two options available (mostly because we already have these in inventory) for use for the project, Cat6840s (also could use Cat6880s if anyone can provide a tangible benefit to using that vs 6840) or Nexus 93180-YC-EX switches for the core WAN Aggregation switches.

Our (WCCP) design requires the use of Cat switches somewhere in the design as they natively support WCCP-redirect. Our web filtering infrastructure hangs directly off the 6800s in the design. We looked briefly at N9K ITD (Intelligent Traffic Redirection) but it did not work with our requirements (multiple service groups and server clusters).

In a perfect Utopian world, we would have (and management wants) a 6800 'Core' WAN Aggregation switch block in a VSS configuration with pairs of Nexus 93180s hanging off of it in an etherchannel/vPC configuration for additional port density. I however have concerns about the single control plane (and single point of failure it presents) with the VSS configuration. I know VSS has come a long way in terms of stability from when it first was implemented, and I guess I have some bias due to past issues.

Do I bother fighting/pushing management towards using N9Ks as the 'core' switch block and reversing the design so that the Cat6800s hang off of them (router-on-a-stick design solely to support the WCCP-redirect)?

I posed this exact question to our (usually very helpful) SE team at Cisco and was surprised with the response of using Cat vs N9K due to concerns about routing protocol peering over vPC. Their quotes were

"I spoke to "X-Senior Engineer" briefly about the 9k positioning. He agreed with me about the peering of routing protocols over vPC. He did not see any reason for concern but did prefer the 6800/VSS. He didn’t cite [additional] technical reasons, I think we’ve just been ‘raised’ @ Cisco to position Cat in those scenarios."

I asked for any CVDs they could share and they never got back to me.

Am I crazy to not want Cat6800 VSS as Core [WAN Aggregation] switch in a datacenter? Thank you all in advance for any input or advice and for reading this long blurb.



I am on Carrier-Grade NAT/NAT444 and port forwarding works. How is that possible?

I cannot seem to get my head around this. My ISP very recently put me on CGN/NAT444 which means I should not be able to make customized port forwarding, but to my surprise I can. I tested it with built-in router UPnP protocol and it works.

How is it possible for my ISP to allow me to port forward on a huge NAT of theirs? How do incoming connections know my specific router on the internet in the first place?



FirePOWER administration

Hi Guys,

I work at a relatively small company so each of the IT staff members has multiple responsibilities. Mine include network administration, but I cannot commit more than one day a week to it, so I am not really a skilled network admin.

Anyway, as someone responsible for networking I was tasked a couple of years ago to deploy FirePOWER on top of our ASA firewalls to give us more security and visibility into the network. I managed to install the VM and SFR modules to all the firewalls and configure everything with the help of official documentation, ITPRo TV video series and a book. It has been working without big issues since, I keep updating the software, definitions, rules and recommendations.

But making it work is one thing, and actually using it for what it is intended for is another. I mostly rely on Cisco recommendations when it comes to which rules to enable and which should drop traffic. When I look at the list of "intrusion events" from time to time and actually analyse them, I mostly see false positives: attacks related to Apache on servers not running Apache at all, servers flagged as infected with CnC that as far as I can tell are not infected with anything.

So my question here is... are there any resources to help me manage this properly? Ideally FirePOWER related, but could also be more general resources that I could apply to FirePOWER.

Thanks in advance!



NetworkConfigUtility - Nornir utility wrapper of sorts

Happy Friday morning (or evening/night for others). I wrote a little package that can assist w/ pushing configurations to devices using Nornir as well as retrieving information using the built-in NAPALM getters and the system CLI. You can choose to send to a single device or groups of devices based on the filter type and how you filter your inventory using Nornir's 'F' method (to pay respects). It's currently a work in progress and I'm always open to suggestions and feedback.

Intent in the end is to have this automated so that instead of manually specifying a file, the configuration would come from an external source. (such as a change management ticket). Lastly, since it's using Nornir, Python 3.6 or higher is required (should put that in the setup.py in the future). Source code and all that jazz can be found here:

https://github.com/naonder/NetworkConfigUtility



Subnetting example

Could somebody please explain to me why Net1-Net2 can be subnetted, but Net2-Net3 and Net1-Net2-Net3 cannot?

The question is based on IPv6 and one should consider that Net1-3 are in the network of some company.

Net1: 2001:db8:0:a00::/56

Net2: 2001:db8:0:b00::/56

Net3: 2001:db8:0:c00::/56

I'm really lost and hope that somebody can explain it for me.
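One way to reason about the three prefixes above, as an added example that is not part of the original post: compute the smallest single block that covers a set of prefixes, then check whether that block is filled entirely by the listed networks. The check treats a summary as acceptable only when it contains nothing but the given networks, which is the usual textbook reason two prefixes "can" or "cannot" be summarized; it uses only Python's standard ipaddress module and works for IPv4 as well as IPv6.

```python
import ipaddress
from typing import Iterable, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# The three prefixes from the question.
NET1 = "2001:db8:0:a00::/56"
NET2 = "2001:db8:0:b00::/56"
NET3 = "2001:db8:0:c00::/56"


def covering_supernet(prefixes: Iterable[str]) -> Net:
    """Smallest single block that contains every prefix in the list.

    Starting from the shortest given prefix length, shorten the mask one bit
    at a time (applied to the first network) until all prefixes fall inside.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    first = nets[0]
    plen = min(n.prefixlen for n in nets)
    while plen >= 0:
        candidate = type(first)((int(first.network_address), plen), strict=False)
        if all(n.subnet_of(candidate) for n in nets):
            return candidate
        plen -= 1
    raise ValueError("unreachable: a /0 covers everything")


def exact_summary(prefixes: Iterable[str]) -> Optional[Net]:
    """Return the covering block only if the given prefixes fill it completely.

    A summary that also covers address space outside the listed networks would
    attract traffic the company cannot deliver, so it is accepted only when the
    sizes of the (collapsed) prefixes add up to the size of the block.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    block = covering_supernet(prefixes)
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return block if covered == block.num_addresses else None


def first_differing_bit(a: str, b: str) -> int:
    """0-based bit position (counted from the most significant bit) where two prefixes diverge."""
    na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
    diff = int(na.network_address) ^ int(nb.network_address)
    return na.max_prefixlen - diff.bit_length()


if __name__ == "__main__":
    for group in ([NET1, NET2], [NET2, NET3], [NET1, NET2, NET3]):
        print(group, "->", covering_supernet(group), "exact:", exact_summary(group))
    # a00 and b00 first differ at bit 55, so a /55 holds exactly these two /56s;
    # b00 and c00 first differ at bit 53, and a /53 holds eight /56s, not two.
    print(first_differing_bit(NET1, NET2), first_differing_bit(NET2, NET3))
```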



Virtual firewalls in public clouds

I apologise for this being a bit of an ELI5 post, however after some reading I am still a little confused.

I have been reading some docs regarding the vSRX, vMX etc range from Juniper (similar Cisco et al versions exist as well) and they are pushing the marketing that you can build these in your public cloud networks, especially if you're doing hybrid cloud. I am at a loss as to what for, however; what do they give you that either AWS or Azure doesn't give you out of the box?

Currently we have a data centre running Juniper and we have a very small presence in both Azure and AWS globally, and most of this is quite simple with VMs, some databases, and 3 k8s clusters across both clouds. However, I am now building our project plan to move large portions of our web infrastructure into the public cloud and I am reading Juniper's docs on vSRX in both AWS and Azure but cannot see why I would pay for this. Is someone able to explain what I am missing here?
The VPN tunnels from our DC to all our cloud locations were simple enough to set up and they never change, and we have ACLs which are changed depending on our changes in the cloud, so I guess there might be some automation between what you do in the cloud and then the firewalling between a vSRX and our physical SRX, but I am not sure what.

Cheers
Chris



Thursday, July 18, 2019

What is the relation between frequency and data rate?

Hi y'all.

I've seen different network cables (Cat6) that have different frequencies and can support different data rates. Some brands have Cat6 cables that have frequencies of 250 MHz or 650 MHz and can support a data speed of 1 Gbps. But I saw another brand that has the same frequency but their cable can support more Gbps. So my question: Is there a relation between frequency (MHz) and data rate (Gbps)? Do they affect each other?

Here is the brand I'm talking about. It's Ubiquiti UniFi Cat6 cable : https://www.gowifi.co.nz/specs/Ubiquiti_Unifi_CAT6_DS.pdf



Removing extension from Avaya and putting it on CUCM (Migration)

Hey all,
So I made a previous post about slowly migrating from Avaya to Cisco. We managed to get everything working without touching the config on the Avaya G650. Our two T1 PRIs are now plugged into the Cisco ISRs. We added an intermediary ISR to plug in to the Avaya system so the Avaya system works as it always has. The intermediary ISR talks to CUCM via the LAN. We configured everything on CUCM and almost everything works.

What we are having trouble with is getting the Avaya system to call the Cisco system after we remove an extension from Avaya. It doesn't even attempt to make the call. We get the instant busy signal from the station we are trying to call from. None of us are Avaya folks so we are at a loss of how to proceed.

For example,

Extension 6100 was on the Avaya. We removed the station from the Avaya and put it on the Cisco. Now when we call the extension from an Avaya phone, no attempt to connect is made. We played around with route patterns and AAR analysis on the Avaya but we don't want to break anything.

The only way we can currently get it to work is dial 9 and the full number to call from Cisco to Avaya. Any suggestions?



Estimation of shortest path number of hops.

Are there any network (graph) metrics that help estimate the number of hops of a shortest path in a weighted graph, without any dependence on edge weights?

Only estimating hop counts, like: the shortest path between nodes A and B may lie between 6 and 8 hops.



Do trunk ports need to be numbered different on switches?

If I uplink an L2 switch to another, do I assign it like Trnk1 on the first switch and Trnk2 on the other switch? Or what happens if they have the same trunk number?



VPN Tunnel anti-replay check question

Lately I've been getting a lot of anti-replay errors on a VPN tunnel connected to a third-party. It's been up a few years but this started about a month ago. I have several other tunnels on the same device that are not having any problems.

I ran some packet captures and I see some ESP packets with sequence numbers that have already been received at least once, sometimes more, so they cause the error and get dropped. The recommended fix is to increase the anti-replay window size for the tunnel incrementally until the errors go away, but I don't want to assume that there isn't something else going on.

You can also disable anti-replay but it's a global command and I don't want to do that for all the tunnels.

From what I've read there are various possible causes that are relatively benign, e.g. QoS implemented somewhere in the path, congestion, or a mismatch with the device at the other end, particularly if it's from a different manufacturer. I don't know what kind of device they have on the other side; my end is an ASA-5555-X running 9.6(4)10. I think anti-replay is a Cisco thing and not supported by all manufacturers. I plan on contacting the other party but it might take a while to get a response.

Does increasing the window size compromise the security of the tunnel at all? I've read that it doesn't but thought I'd ask if anyone here has any experience with it, or any other thoughts.



Does anyone have eNSP?

Hi everyone, I am currently pursuing the HCIA R&S cert, but I haven't been able to get the simulation software. It was available before on the Huawei forum, but a month or so ago they required users to upgrade their accounts and I have no way to upgrade mine.

Does someone have the installer for the latest version of eNSP? Thanks in advance for your help.



Trouble with dhcpd on ASA 5506-x sub interface

On to the next hurdle I suppose...

I swear this sub interface used to give out addresses from this pool without issue. Something got wrecked though.

Here's the interface + sub interface config:

interface GigabitEthernet1/3
 description SonosDirectConnectionPort
 no nameif
 no security-level
 no ip address
interface GigabitEthernet1/3.103
 description VLAN103_Sonos
 vlan 103
 nameif insideSonos
 security-level 50
 ip address 10.100.100.1 255.255.255.0

Here's the pertinent dhcp config:

dhcpd address 10.100.100.3-10.100.100.25 insideSonos
dhcpd dns isp.dns.1 isp.dns.2 interface insideSonos
dhcpd lease 604800 interface insideSonos
dhcpd enable insideSonos

Trial and error previously led me to think it was necessary to disable call-home to get dhcpd to work properly, not 100% convinced this is necessary now. Related to this had executed:

no service call-home
clear configure call-home

The physical port here will have a dumb switch wired in, so I'm not 100% sure this NAT config is necessary either. Had configured:

object network Sonos
 subnet 10.100.100.0 255.255.255.0
object network Sonos
 nat (insideSonos,outside) dynamic interface

Finally, had defined catch-all ACL for the interface via access-group:

access-list ForVLAN103 line 1 extended permit ip any any
access-group ForVLAN103 in interface insideSonos

Whether via link runner, client directly wired into port 1/3, or dumb switch wired into port 1/3 — clients do not get a DHCP address. tcpdump on wired-in client shows no inbound bootpc/DHCP frames whatsoever...despite the outbound discover frames from 0.0.0.0 ==> 255.255.255.255.

dhcpd state appears correct:

asa5506x# show dhcpd state
Context Configured as DHCP Server
. . .
Interface insideSonos, Configured for DHCP SERVER

dhcp statistics are very uninteresting. dhcpd bindings...well there simply aren't any.

Necessary DHCP processes appear to be running on the ASA:

asa5506x# show processes | include dhcp
Mwe 0x000055e7be3f66a4 0x00007fa6569cadb8 0x000055e7c5bb4060 47 0x00007fa6569c3030 30896/32768 dhcp_daemon 223
asa5506x# show processes | include DHCP
Msi 0x000055e7be4193b2 0x00007fa6569d5e38 0x000055e7c5bb4060 14 0x00007fa6569ce030 31776/32768 DHCPRA Monitor 222
Mwe 0x000055e7be3f198c 0x00007fa6569e0ec8 0x000055e7c5bb4060 9 0x00007fa6569d9030 31872/32768 DHCPD Timer 221
Msi 0x000055e7be41ac85 0x00007fa65768ae98 0x000055e7c5bb4060 8 0x00007fa657683030 30128/32768 DHCP Network Scope Monitor 75

I think I'm executing a packet-tracer that should shed light on the behavior:

asa5506x(config)# packet-tracer input insideSonos udp 0.0.0.0 bootpc 255.255.2$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 255.255.255.255 using egress ifc identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: insideSonos
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Please correct me if this syntax is not useful here.

Scratching my head.

Not sure why clients can't get an address.

What did I configure incorrectly?



I want to set up a network for a restaurant

I want to include the obvious: a computer with a POS application that connects to wireless printers, and security cameras.

But I also want to have WiFi for guests. Would I need a separate router for that, or could I use one router with multiple SSIDs?

I also want to have orders placed through our website, hosted by something like HostGator.

Anything helps, thanks!



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Network size before needing a route reflector?

At what iBGP peering count would you start considering using a route reflector cluster?

This is more a conceptual question than a specific issue I'm trying to address, I'm doing some network expansion at the moment and I'm starting to wonder what to look out for at scale.



Best way to manage ACLs on Cisco Switch?

I have recently moved to an environment where a lot of security is controlled at the core switch level. The default gateway for most if not all of our VLANs is the core switch. I usually try and push towards using a firewall for this kind of security, but it seems like architecture-wise it can go either way.

Any tips for managing a large set of ACLs configured on a Cisco Nexus switch? I am very comfortable in the command line, but managing such a large amount of ACLs just seems a little cumbersome compared to doing it in something like ASDM. Also it is sometimes not 100% clear which ACLs are in use and are necessary. Maybe I just need to get better in the command line, but I feel there has got to be a better way to approach cleaning up these massive ACLs in the core.



STP Loop with Third Party Switches

I manage a network mostly comprised of older Avaya ERS 3500 series switches. Recently another department has bought a package that comes with its own server rack, 2 switches, and servers. The vendor tells me that all they need is 2 trunk ports that allow VLAN 84 to flow through, one port dedicated to SW1 and another to SW2. Every time I have plugged their switches into the server access switch, it immediately causes an STP loop and takes my network down. The problem is that another company is in charge of managing the Cisco switches that they have. I have provided a rough drawing of the setup below.

[Core(VSP)] ------------ [Server Access (ERS 3500)]==========[Unman SW 1(Cisco)] -[Unman SW 2(Cisco)]

My question is, what can I do on my server access switch to prevent the STP loop on my end?



RIP converging faster than OSPF problem

I am conducting experiments on routing protocol convergence, and comparing how fast they converge. On OSPF the tests came out to be about 6 seconds to converge. Then I tested RIP and it converged within 2 seconds!!!

The only setting I have is carrier-delay set to 0 msc for all links.

Why is this happening? How is it possible that RIP converges so fast? Can anyone explain this to me?

Thanks for any kind of help!



Will two different wavelength SFPs talk? A 1310nm on one side and 1510nm on the other.

The replacement SFP they sent me is a 1310nm and we have a 1510nm on the other side. The link isn't coming up. I've tried playing with all the settings I could think of but link just doesn't come up.

I'm thinking it's because of the difference in wavelength?

I rarely change SFPs so it's not a subject I know much about.



IPAM - How big does your network have to be to benefit from it?

Hi All,

I'm struggling to find the benefit of having an IPAM solution to manage IP addresses. Microsoft's DHCP and DNS have worked fine for me in the past. I can implement something like NetBlox or phpIPAM, but once it's up and running how is it different than just logging into my DHCP server?

I'm fairly early in my career, so maybe I'm just missing something.



Packet analyzer for analyzing network traffic on process level

Hello. Is there a packet analyzer available that could allow you to analyze the network traffic of processes? For example, it would let one view the network traffic coming from the chrome.exe process. The reason I am looking for one is that I have multiple processes communicating to the same destination IP address on same destination port and I want to be able to differentiate between this network traffic using the same destination.



SFP port not transmitting on a BladeSystem c7000 Enclosure.

The SFP is on the HP 10Gbe pass-through module. What’s connected to the port now is a twinax up to a Cisco switch. The ILO is showing that the network port is unknown. I tried reseating the twinax and the light on the connected switch would go green but a minute later would go black. Then I put in a fiber HPE 10Gb SFP to a different FEX but nothing changed. Last thing I tried now was to put a fiber loop back in. I notice that the light inside the SFP was on prior to plugging in the loop back but went off after I plugged it in for a minute.

Anything else I can try to troubleshoot this?



Huawei NCE

Hi there,

I am curious to hear what your opinion is on Huawei NCE in general and on more detailed aspects such as usability (UI) and the programmability API.

https://e.huawei.com/se/products/network-management-and-analysis-software



Fortianalyzer : Multiple VDOMS

Looking at getting a FortiAnalyzer unit. We currently have an F1000D on which we will be putting lots of customer VDOMs. We want to monitor each of these VDOMs but we also need to monitor a few separate FortiGates as well.

I know you can have it monitor separate FortiGates or a FortiGate with separate VDOMs, but will there be an issue with trying to do both on the same FortiAnalyzer unit?

Any caveats I should be aware of if trying to do such a thing?

Thanks



Cisco BiDi SFP+ for Multimode

I fear that this is probably a dumb question, but are there any 10G BiDi SFPs for multimode? I'm trying to get around a lack-of-fiber issue. Thanks for your input.



Cisco ASA BFD/BGP Configuration

I want to enable BFD with BGP on a new ASA deployment, just looking for some verification of the config:

1. Define BFD template

bfd-template single-hop Standard-BFD-Template

interval both 300

2. Apply BFD to interface

interface GigabitEthernet0/0

bfd template Standard-BFD-Template

bfd interval 300 min_rx 300 multiplier 3

Is that it? On IOS platforms you need to associate BGP with BFD like below:

neighbor ip-address fall-over bfd

But I can't find a comparable command within the ASA documentation. Is something similar needed or not?

thanks!

EDIT: Found it buried within an obtuse command reference guide. It's the same as IOS:

neighbor fall-over bfd (router bgp)

To configure BFD support for BGP so that BGP is registered to receive forwarding path detection failure messages from BFD, use the fall-over option when configuring the neighbor.

neighbor ip_address | ipv6_address fall-over bfd



Advice on bridging 2 different LANs, but have them manage DNS, DHCP, etc independently

I would like to share a resource between 2 different LANs. Network A (192.168.1.1) and a network B (10.0.0.0)

I plan on setting up a ubiquiti wireless point to point link for the connection between the networks (2 sites, about 300ft apart)

I need both of the networks routers to manage their own DHCP, DNS, etc because they both have their own internet connections, I just need a server shared across both sites.

Both sites currently running routers flashed with DD-WRT (I know, I know..)

Any advice on the configuration of this? I've been racking my brain and can't nail anything down. Thanks!



Wednesday, July 17, 2019

Cisco Stateful inspection throughput (Multiprotocol vs Max)..?

What is Cisco Stateful Inspection throughput (Multiprotocol) vs. Stateful Inspection throughput (Max)?



Tools for IT admins

Go to easyapps.app to go check out some of my free networking tools :)



Configuring multiple SSIDs on Cisco Aironet 2600 Series Access Point

Hi all,

I have three Cisco Aironet 2600 Series Access Points that a client has asked to have an additional SSID created on. Currently, they just contain one SSID. I have one access point set where I created an additional SSID, but I'm having trouble getting the encryption keys to be set so they are different.

Does anyone have experience with this series that can offer some hints? This is my first time working with Cisco access points, and the client does not have a controller.

They also want the second SSID to have certain traffic blocked. I was thinking an easier route, if they want to go that way, would be to buy a wireless router, configure a separate interface on the WatchGuard firewall and then block traffic that way, as I can't even seem to figure out a simple second SSID with its own encryption key. The client has the current SSIDs set for WEP encryption.

Thanks



fixup protocol and MPF commands

When I am configuring a 5506x I get something I am unsure of by way of an error and info lines.

The error states something about a configuration type existing. "Inspect configuration of this type exists, first remove that configuration and then add the new configuration"

Also it says that the cryptochecksum has changed, which I haven't run into before.

And finally I get quite a few info lines saying various things about an array of protocols. "INFO: converting 'fixup protocol ftp 21' to MPF commands"

Can someone explain to me what is going on? This is all happening when I upgrade the flash to the newest asa984 build via USB and PuTTY.



Need some help with QoS

Guys, Gals, I feel like I'm missing something that should be really basic--but I'm just not seeing it, so I've gotta ask for some help. Diagram is here: https://imgur.com/a/ww23rxq

My environment consists of Cisco 2960-X switches at the access, and 9500-48Y4C at the core. I've rolled out a marking policy to the access switches that very closely mimics the End-to-End QoS book. The core is simply trusting DSCP markings. Here's a snippet of the code I'm using for marking. Repeat this code for 7 other classes of traffic.

ip access-list extended VOIP-DATA
 remark RTP
 permit udp any any range 16384 32767
class-map match-any VOIP-DATA-CLASS
 match access-group name VOIP-DATA
policy-map MARKING-POLICY
 class VOIP-DATA-CLASS
  set dscp ef

I can see traffic being categorized and tagged correctly according to my policy when doing packet captures. However, I'm not getting any DSCP-tagged packets on the return traffic. Initially, this led me to think "Ah, I need to put this marking policy at my first network device at the WAN edge to mark packets on the ingress." I did this at the switch marked "Edge" on the diagram. (This switch provides WAN connectivity to our HA ASAs.) The same policy was configured and a "service-policy input MARKING-POLICY" command was applied to the interfaces connecting to the ISP equipment.

After some more packet captures though, I saw what might be the problem. The originating traffic has a random source port but a static destination port. So an HTTPS connection will have a destination port of 443. The return traffic uses the source port as 443. According to the access-lists I created, it's only looking at the destination ports, thus not marking the return traffic--regardless of where that marking policy exists on the network.

So my question: How should I tag this return traffic on the way back into the network? I want it to be tagged the entire time it is on the network, so I would think it should be tagged at the "Edge" switch. In the End-to-End QoS guide, I couldn't find anything that addresses this scenario. If it were as simple as creating another line on the access list with the source port specified, wouldn't it have been documented? This leads me to believe that I've just screwed something up. That's entirely possible. So tell me, what am I not getting here?
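A small evaluator for the extended-ACL syntax quoted above, added here as an illustration and not taken from the original post: it shows that an entry keyed only on the destination port classifies the outbound HTTPS flow but not its return, and that an entry keyed on the source port is what the return flow needs. The hosts and ports are constructed sample values; the parser covers only `any`, `host`, network/wildcard, `eq` and `range`.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample endpoints (documentation address ranges, not from the post).
INSIDE_HOST = "10.1.1.5"
WEB_SERVER = "203.0.113.10"


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The return direction: source and destination (and their ports) swap."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


def _take_addr(tok: List[str]):
    """Consume an address term: any | host A.B.C.D | network wildcard."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    # ipaddress accepts a host mask, so 10.1.1.0 0.0.0.255 becomes 10.1.1.0/24
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def _take_port(tok: List[str]) -> Tuple[Optional[Tuple[int, int]], List[str]]:
    """Consume an optional port operator after an address: eq N | range A B."""
    if tok and tok[0] == "eq":
        return (int(tok[1]), int(tok[1])), tok[2:]
    if tok and tok[0] == "range":
        return (int(tok[1]), int(tok[2])), tok[3:]
    return None, tok


def parse_ace(line: str) -> Optional[dict]:
    """Parse one access-list entry; 'remark' lines yield None."""
    tok = line.split()
    if not tok or tok[0] == "remark":
        return None
    action, proto = tok[0], tok[1]
    src, tok = _take_addr(tok[2:])
    sport, tok = _take_port(tok)
    dst, tok = _take_addr(tok)
    dport, tok = _take_port(tok)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def _match(ace: dict, f: Flow) -> bool:
    if ace["proto"] not in ("ip", f.proto):
        return False
    for net, addr in ((ace["src"], f.src), (ace["dst"], f.dst)):
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    for rng, port in ((ace["sport"], f.sport), (ace["dport"], f.dport)):
        if rng is not None and not (rng[0] <= port <= rng[1]):
            return False
    return True


def evaluate(acl: List[str], f: Flow) -> str:
    """First matching entry wins; an access list ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace is not None and _match(ace, f):
            return ace["action"]
    return "deny"


# Destination-port only, as in the post: catches outbound HTTPS, misses the return.
ACL_DST_ONLY = ["remark HTTPS", "permit tcp any any eq 443"]
# A second entry keyed on the *source* port is what classifies the return flow.
ACL_BOTH_WAYS = ACL_DST_ONLY + ["permit tcp any eq 443 any"]
# The RTP line from the post, for comparison.
ACL_RTP = ["remark RTP", "permit udp any any range 16384 32767"]

HTTPS_OUT = Flow("tcp", INSIDE_HOST, 51234, WEB_SERVER, 443)

if __name__ == "__main__":
    for name, acl in (("dst-only", ACL_DST_ONLY), ("both-ways", ACL_BOTH_WAYS)):
        print(name, "out:", evaluate(acl, HTTPS_OUT),
              "return:", evaluate(acl, HTTPS_OUT.reverse()))
```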



How do I send data via tcp ip socket so a browser renders it?

I have a custom homebrew TCP/IP server.c. I can get a GET request read.
What data do I have to send on a socket for the web browser to say "Hello World."?
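As an added example (not the poster's server.c), the bytes a browser expects back after a GET: a status line, headers, one empty line, then exactly Content-Length bytes of body. It is written in Python so the standard library's own HTTP response parser can confirm the bytes are well-formed; the function names, port and page body are this example's own choices.

```python
import http.client
import io
import socket


def build_response(body: bytes, status: int = 200, reason: str = "OK",
                   content_type: str = "text/html; charset=utf-8") -> bytes:
    """Assemble a minimal HTTP/1.1 response.

    Lines end in CRLF, the header block ends with an empty line, and
    Content-Length is the number of *bytes* in the body (not characters),
    otherwise the browser waits for more data or truncates the page.
    """
    head = (
        f"HTTP/1.1 {status} {reason}\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


class _FakeSock:
    """Just enough of a socket for http.client.HTTPResponse to read captured bytes."""

    def __init__(self, data: bytes) -> None:
        self._data = data

    def makefile(self, mode: str, *args, **kwargs) -> io.BytesIO:
        return io.BytesIO(self._data)


def parse_response(raw: bytes):
    """Run raw wire bytes through the standard-library parser; returns (status, headers, body)."""
    resp = http.client.HTTPResponse(_FakeSock(raw))
    resp.begin()
    body = resp.read()
    return resp.status, dict(resp.getheaders()), body


def request_line(raw_request: bytes):
    """Return (method, target, version) from a request's first line, or None if malformed."""
    first = raw_request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return tuple(parts)


def serve_once(host: str = "127.0.0.1", port: int = 8080) -> None:
    """Accept one connection, answer a well-formed request with Hello World, then exit."""
    page = b"<html><body><h1>Hello World.</h1></body></html>"
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            req = conn.recv(4096)
            if request_line(req) is None:
                conn.sendall(build_response(b"Bad Request", 400, "Bad Request", "text/plain"))
            else:
                conn.sendall(build_response(page))


if __name__ == "__main__":
    serve_once()  # then open http://127.0.0.1:8080/ in a browser
```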



How to connect the VMware virtual PC to the Huawei eNSP

Hello folks, I'm working on the RADIUS configuration on the Huawei AR router, but the device is on the way to my company. So I have to do the test in the eNSP.

Do you guys have any suggestions?



Experience with Skybox Security?

Curious if anyone here has any experience with the Skybox security suite. We have almost all their modules but have run into countless bugs and roadblocks with the product. It seems to be getting “awards” for vulnerability management but I’ve had quite the opposite experience with the product. Just wondering if anyone else here has used it.



Amazon error in my favor...

Ordered 250' of Monoprice solid copper, CMR rated 350MHz Cat5e. Received 1000' of Monoprice solid copper, CMR rated, 500 MHz Cat6. Not bad for 40 bucks.



VPN / iPhone / Setup / Help

I'll keep this as short as possible. It's slightly complicated - but not really.

At home, I have an AT&T Fiber Modem which is also a wireless router.

I also have a Cisco Router that automatically makes a VPN connection back to my office. This router also has a wireless connection and POE Ports.

So, when I'm home and want to be on my home network, I connect to the AT&T WiFi. When I want to work, I connect to the Cisco Router's WiFi. I also have a Cisco Phone connected to a POE port on the back of the Cisco. All of this works fine.

In my office, I have a computer that I use for both work and pleasure and I switch between the wireless networks depending on what I'm doing. I want to move the Cisco phone to my office.

I have an ASUS RT-66U Wireless Router I have put into Bridge Mode. It connects back to the SSID of the Cisco Router.

I have the ASUS plugged into a small Netgear POE Switch. I have the phone plugged into the same switch. Phone powers on but will not connect back to the phone system in the office. Any ideas on how to get this to work? Thank you in advance for any help you can provide.



Firewall recommendation for 5 Gb/s throughput

I work for a sports organization that puts on sporting events. As part of this, a few times a year we put on large-ish scale events and have to set up networking to support them. Normally, we partner with a local cable/phone company and simply tell them where we need access and they set it up. For example, we'll give them a list of 15-20 locations on the property and tell them how much bandwidth each location needs, then they will deploy a modem at each location and we take it from there. That's all pretty easy.

We have an event upcoming in 2021 and I just did a site visit to get a lay of the land. This particular event has partnered with the local cable company, but rather than having them deploy access at each location, they got them to put in a 192 count single mode fiber backbone that terminates in a server room on one end and spans the entire property with hand holes having between 6-24 fibers each at key locations, so the ISP is going to give us a 5 Gb/s IP handoff in the server room and we'll distribute it as needed ourselves.

We have plenty of switches and other equipment to handle that, but the one piece of the puzzle we don't have that we are researching is a firewall capable of handling that throughput. Our intent is that we would install this in the server room and put it between the Internet handoff from the ISP and our event network.

We don't need much in the way of features - pretty much just NAT and the ability to create 5-10 virtual interfaces so we can segment the LAN into different networks. We expect that we'll be supporting approx 1000-1500 concurrent users with approx 45% of those being various media / TV outlets covering the event - they're historically our heaviest users in terms of bandwidth since they tend to upload huge files (photos, videos, streaming, etc), another 45% being public WiFi (i.e. smartphones and tablets in hospitality suites) and the final 10% being staff doing general browsing / e-mail.

The one minor caveat here is that since this is a special event, we really will only need this equipment for about 30 days. That being the case, if we can swing it, we'd like to avoid spending a ton of money. All of the readily apparent commercial offerings seem to be in the $10-15k price range for something that can support that throughput and number of users, so it'd be a $20-30k investment for a HA solution.

In the past, I've successfully used commodity x86 hardware running pfSense, but that was for much smaller events (i.e. 1 Gb/s bandwidth with maybe 150-200 concurrent users). As it happens, I've got access to some decent x86 servers with 10Gb networking, but I'm not thrilled about the idea of slotting pfSense in for something of this scale. I'm sort of stuck between going the pfSense route, which is very cost effective but doesn't offer much in terms of support, and going the commercial route, which would do everything we need and be a supportable solution but would also be very expensive (insert obligatory "you get what you pay for")...

I've heard of VyOS, which sounds like it might be another consideration but before I start diving down a rabbit hole I wanted to socialize this and see if anyone could offer any ideas or recommendations.

If we need to go the commercial route, we can do it, but the money we spend on that will have to come from somewhere else. We have approx $75k budgeted for IT support for this event and that has to cover a lot more than just the firewall solution, so we're trying to determine if there are viable options that won't suck up 30-40% of our total budget.



Dell S4148 with VLT, LACP and VLANs

Hi, I am trying to set up a pair of new S4148 switches for my servers to utilise.

One of the (many) problems I am having revolves around utilising VLT with VLAN.

I have attached my current setup below. Using this setup I have 2 servers configured with an LACP team, with 1 port in each of the 2 switches. It works great: if I disable a NIC, the other one is working within 1-2 seconds.

However, I want to segregate this traffic onto a VLAN. I can also get this to work; however, I can't get it to work in conjunction with LACP, and when creating a team the ports don't fail over properly. To enable the VLAN configuration I used the same as below; however, I also added this to both of the port channels on both switches.

switchport mode trunk

no switchport access vlan

switchport trunk allowed vlan 200

The ports show as online on the servers until I manually add a VLAN of 200 to them, then it shows "Faulted LACP negotiation". If I turn off active mode then the ports work as intended.

Is there something that I am missing? Sorry if this is such a basic question; I have been reading the Dell manual but it's 100's of pages and I learn better by seeing how things don't work than how they do work!

Thanks in advance for any help.

config t
spanning-tree mode rstp
interface ethernet 1/1/26
no switchport
exit
interface ethernet 1/1/30
no switchport
exit
vlt-domain 254
discovery-interface ethernet1/1/26
discovery-interface ethernet1/1/30
vlt-mac 00:00:00:00:00:02
backup destination 192.168.90.220
peer-routing
interface vlan 200
ip address 10.200.10.12/24
interface vlan 40
ip address 10.40.12.12/24
interface port-channel 1
vlt-port-channel 1
exit
interface port-channel 2
vlt-port-channel 2
exit
interface ethernet 1/1/1
channel-group 1 mode active
lacp rate fast
interface ethernet 1/1/9
channel-group 2 mode active
lacp rate fast


Difference between Cisco ASAv, NGIPSv and FTDv..?



FortiSIEM even as we already have an outsourced SoC

https://ift.tt/2JFtf9D

Pinkie

So I don't know if there are any other fans of Pinkie by IPUptime here, I discovered this app several years ago and while it does seem to have its flaws (seems to have the developer's path to his c:\users\ etc path set by default, for some reason it always reminds me to register when I launch even though I have, things along that line), it's a great all-in-one tool for Windows to do multiple ping streams, subnet calc, ping sweep, port scan and others..

However as I was downloading this to a new machine a few minutes ago it struck me that this program hasn't been updated since early 2012. Does anybody have any alternatives in mind which do most if not all of the above in one friendly GUI tool?



Connecting a QNAP with an AWS Snowball with SFP+

Hey,

Just today received a snowball from AWS, which has 2 SFP+ ports, an RJ45 port, an included SFP cable and an included RJ45 cable.

I'd ideally like to connect using SFP+ as it allows for 10GBps transfer rate, whereas the RJ45 is limited to 1GBps.

I've connected the cable, and it is recognised by the QNAP, I assign it a manual IP address of 192.168.10.1 and I assign a manual IP address to the snowball of 192.168.10.2 with subnets of 255.255.255.0

I cannot, however, ping the snowball from the QNAP.

If I connect the RJ45 cables directly between devices and configure IP addresses, I can ping the other device over the RJ45 interface.

Is there something else that needs doing with SFP? I am slightly familiar with the technology, but never configured it.



how to test Cisco ACI practical skills at a job interview?

I'm hiring an ACI engineer for an upcoming project. We don't have any ACI infra and no fellow peers with ACI knowledge. How to evaluate candidate's practical knowledge in this situation? I'm a believer of custom lab tests but we can't lab test ACI with no ACI in place. All ideas welcome



IPSec Tunnel Issues

Hey all,

I've got an IPsec site-to-site VPN between a Watchguard Firewall and Cradlepoint Router. There are 2 tunnels going through this, let's say 192.168.0.1/23 and 172.16.0.0/24 at the office end, and 10.0.0.0/24 at the client end (Cradlepoint). The client end will be using the tunnel to authenticate with the domain and network resources back at the head office, so we need the tunnels to be established before the user logs on from the 10.0.0.0/24 network.

The IPSec VPN establishes right away and without issue, and as soon as it does, the tunnel between 192.168.0.1/23 and 10.0.0.0/24 works right away as well. For some reason, the second tunnel between 172.16.0.0/24 and 10.0.0.0/24 does technically establish, but traffic from the client end (10.0.0.0/24) will not work unless a client on our office end in the 172.16.0.0/24 subnet pings/sends traffic to the client end first, after which everything works as normal. Statistics on the VPN do verify that both tunnels are up. It would appear traffic over this second tunnel will fail if I restart the Cradlepoint router.

Any ideas on how I can troubleshoot this?

EDIT: just some more information -- when the client traffic fails, I do not even see it hitting our firewall log. If I send a ping from behind the firewall in the 172.16.0.0 network to the client end, I see that traffic and once the client can successfully communicate, I then see all the respective traffic in the firewall log.



Looking for advice on VLANs and AP setup

Hi all, I am looking for advice on the best approach to take on a project I have volunteered to help with.

Background

We have a small caravan setup where customers can rent a caravan and stay with us to relax and unwind. We have 6 caravans in total, each having their own T-link AP where, during their stay, they can connect to the Wi-Fi and use our internet. Up until now all networking has been done by a 3rd party engineer who has become unreliable at best. I have recently decided to get more involved as I now have more time and need to get this more secure!

Aim

We have 6 caravans which are in close proximity, but separately have an AP in each van. I would like to implement a more secure setup in terms of how the wireless networks are configured. Each van has its own Wi-Fi AP and should not be able to connect to devices on other APs (the other 5). Each van will hold either a group of friends or members of the same family, so each AP needs to function as if the customers were on their home internet, but not be on the same LAN as their neighbour! Currently it’s a bit of a mess, as each van has a T-link AP which all connect to a main AP connected to a Draytek router, which in turn connects wirelessly to an AP some distance away where the main router/internet (gateway) supply exists. Currently these individual APs have the DHCP server on as well as the main router (gateway) handling DHCP. We have no passwords for the APs in each room and no password for the Draytek where these APs connect to!! So right mess! Seems this engineer wants to be in control while not being around to actually provide support. And let’s not go there on the multiple DHCP server setup!

Clearly, to get control and have any hope of configuring this network, the APs and Draytek will need factory resetting and setting up fresh!

I am more than capable of resetting this kit and setting the config back up as it is, minus the multiple DHCP servers. However, I would like to introduce a better level of security between the devices in each van.

I’d like to set up VLANs so that each van/AP has its own VLAN but still talks back to the Draytek AP to get its internet.

It looks like I might have to get a new switch/router to replace the Draytek, as downtime is going to be an issue, so I can’t really go wading in and reset the Draytek to start configuration changes, as the setup may take longer than anticipated and I can’t risk the customers being down for long periods.

So is it possible to get some advice on VLAN setup, and can you recommend a suitable replacement for the Draytek router? We have a Draytek Vigor 2820vn which has 2 T-link CPE210 APs plugged in: one to supply the vans and the other receives signal from the main gateway/router.

Sorry for long post but felt detail was important.

Really hope you can help!

~Thanksrepoc



FTTC/ADSL Router with WiFi

Finding some limitations with Draytek gear when using them for private wan i.e. glue block RFC1918 on the wan side with a routed RFC1918 block on the inside.

  • Can only do a single routed subnet (no NAT)
  • DHCP scope has a limit of 50
  • Can't use the routed subnet over the inbuilt WiFi AP

Do you guys have recommendations that would not have the above drawbacks, without spending silly Cisco money?



Simple Question about PPPoE

Good Morning Network Pros,

Editing my post so as not to violate community policy.

Without going into too much depth, in regards to PPPoE, the dialer router is referring to the client-side right? Just want to make sure that a dialer router would have client configs, not server.

Thanks!



URL filtering block pages on SSL without installed CA cert

We are trying to get a customer's guest wifi set up with URL filtering that displays a block page.

It's easy to do the filtering, and with SSL interception we can serve the block page, but you're still left with a certificate error and this is generating user complaints.

As this is guest wifi, installing the firewall's forward-trust cert as a CA is not an option. But the customer insists they had it working before with Fortigate.

Is this possible via DNS-based filtering somehow, or else when using an explicit web proxy?



How do you manage firewall rules at your organization?

I work in an MNC, easily above 100,000 employees. Firewall requests are stored in Excel sheets along with their request IDs and other stuff. And there are many, many of them, because we have many layers/zones: DMZ, LAN, partner companies etc. It's segmented right and left.

So basically every firewall rule is added in an Excel sheet stored on a shared drive, looked at and cleared by a security team, and then goes to the implementation team.

I'm curious what the rest of the world is doing. Do you use Excel to store all the rules, or do you have a custom web page with a DB or some other software/application? I'm not talking about the ticketing system either.



Preferential treatment for a single L3VPN in an MPLS network

Within the UK and Europe we operate an MPLS network between data centres, all of our customers have an L3VPN, and we also have a corporate vrf and a production (audio) vrf.

We are looking at extending this network over to a couple of data centres in the USA, but obviously bandwidth costs over the Atlantic aren't as cheap as fibres/waves between UK/Euro data centres. For example, we have 10gb between all our DCs in the UK, but our transatlantic links are going to be 200mb.

The only traffic that will be traversing these links is going to be corporate and production, so 2 L3VPNs will have a PE in the USA.

Now, my concern is that with corp traffic traversing the same links as prod it is not beyond imagination that a developer in one continent could do something that sucks up the majority of that bandwidth, leaving our production vrf which carries audio in the shitter.

We do have QOS in place. Traffic is marked/classified on ingress, put into queues according to marks, and then when it hits mpls links we tag the encapsulated packet and put it in a queue of the correct type.

Prod traffic is marked correctly to match our QOS schema.

Apart from this, how can I guarantee that someone in an office, or even corp backups, don't smash these links and ruin our production audio quality?



Networking Concepts and Theory

2 months ago, I created and posted videos from my Networking basics course on the HomeNetworking subreddit. So far they have been received very well! So I hope that someone here can use them as well! Feel free to give some feedback on my work.

The entire Playlist can be found here:

https://www.youtube.com/watch?v=rIZ61PyDkH8&list=PLR0bgGon_WTKY2irHaG_lNRZTrA7gAaCj&index=1

Or the individual videos can be watched here, should some people be interested in specific topics.

Introduction to Networking - OSI Model

https://youtu.be/rIZ61PyDkH8

Introduction to Networking - IP addresses

https://youtu.be/oieIGwUPaKE

Introduction to Networking - MAC Addresses

https://youtu.be/_Fdj1fY0gp8

Introduction to Networking - Routing and Switching

https://youtu.be/xSiE0tahshI

Introduction to Networking - TCP / IP

https://youtu.be/vCN0Um46YIk

Introduction to Networking - TCP & UDP

https://youtu.be/0-MldfyhIuo

Introduction to Networking - Ports / Protocol

https://youtu.be/oiYrsR5oJSE

Introduction to Networking - DNS

https://youtu.be/TEa39TjT8Dg

Introduction to Networking - Wifi Security

https://youtu.be/EbyooalphZU

Introduction to Networking - VPN Tunneling

https://youtu.be/1ozFz3GJ4PM

Introduction to Networking - VPN Protocols (IPSec)

https://youtu.be/XwPKacfLekY

Introduction to Networking - Encryption 101

https://youtu.be/B6DBRX7nyNk

Introduction to Networking - Public Key Infrastructure

https://youtu.be/LGEGd21WDjw



AWS VPN not working

Where I work, we use AWS as our major cloud provider and we have a Mikrotik Routerboard set up for our office network. To access services launched in a private subnet (in our VPC), we set up a VPN connection between our office network and the AWS VPC. It used to work, but for some reason (probably someone who has access to it messed up the config), it just doesn't work anymore. I brought down everything that was set up on both the AWS side and on Mikrotik, and started from scratch. It shows that the VPN tunnels are up on the AWS S2S Connection created; I also enabled route propagation for the Virtual Private Gateway I created and I also made sure the static routes on the AWS S2S Connection had both the CIDRs of our office network and the AWS VPC. Like I said, it once worked, but for some reason, it's not working anymore. Basically, I have done all I think I should and need some help at this point. The only thing I noticed which wasn't so before is the fact that on following the steps for setting up the configuration file downloaded after creating the AWS S2S connection, when I am setting up the second tunnel and I got to:

IPTAB ---> IPSEC ---> Policies, the Policy shows as invalid, and this wasn't the case before. I would appreciate any form of help I can get on this platform, as this has been pending for a while and is stalling a lot of processes and making the rest quite difficult to carry out. I have put the config file downloaded from AWS below.

Thanks.

! Amazon Web Services

! Virtual Private Cloud

VPN Connection Configuration

! AWS utilizes unique identifiers to manipulate the configuration of

! a VPN Connection. Each VPN Connection is assigned an identifier and is

! associated with two other identifiers, namely the

! Customer Gateway Identifier and Virtual Private Gateway Identifier.

! Your VPN Connection ID : vpn-08d141c3fd6b51b71

! Your Virtual Private Gateway ID : vgw-016ad674953b130da

! Your Customer Gateway ID : cgw-033891c118beab950

! This configuration consists of two tunnels. Both tunnels must be configured on your Customer Gateway, but only one of those tunnels should be up at any given time.

! Note that Mikrotik RouterOs does not support Active/Active or Active/Standby setup with AWS hosted VPN solution.

! At this time this configuration has only been tested for RouterOS 6.36, but may work with other versions.

! This configuration uses the Winbox utility to configure the IPsec VPN connection. Winbox is a small utility that allows administration of Mikrotik RouterOS using a fast and simple GUI.

! You can download this utility from: https://mikrotik.com/download

! IPSec Tunnel #1

! #1: IPSec Proposal Configuration

!

! An IPsec proposal defines the IPsec parameters for encryption, authentication, Diffie-Hellman, and lifetime.

! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.

! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.

! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH

! groups like 2, 14-18, 22, 23, and 24.

! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".

Go to IP Tab --> IPsec --> Proposals

a. Click on "+" button

b. Name: ipsec-vpn-08d141c3fd6b51b71-0

c. Auth. Algorithms: sha1

d. Encr. Algorithms: aes-128-cbc

e. Lifetime: 01:00:00

f. PFS Group: modp1024

g. Select Apply and Ok

!---------------------------------------------------------------------------------

! #2: Internet Key Exchange

!

! A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime,

! and key parameters. The IKE peer is configured with the supported IKE encryption, authentication, Diffie-Hellman, lifetime, and key

! parameters.Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.

! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.

! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH

! groups like 2, 14-18, 22, 23, and 24.

! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".

! The address of the external interface for your customer gateway must be a static address.

! Your customer gateway may reside behind a device performing network address translation (NAT). To

! ensure that NAT traversal (NAT-T) can function, you must use the corresponding IP as the "Local Address".

! Create an IKE policy permitting traffic from your local subnet to the VPC subnet.

Go to IP Tab --> IPsec --> Policies

  1. Click on "+" button and select the General Tab

a. Src. Address: local subnet/mask

b. Dst. Address: AWS VPC subnet/mask

2) Click on Action Tab

a. Select Tunnel

b. SA Src. Address: our-public-ip

c. SA Dst. Address: 18.184.46.8

d. Proposal: ipsec-vpn-08d141c3fd6b51b71-0

e. Select Apply and Ok

! Create an IKE policy permitting traffic from the Inside IP associated with your Customer Gateway to the inside IP associated with the Virtual Private Gateway.

Go to IP Tab --> IPsec --> Policies

3) Click on "+" button and select the General Tab

a. Src. Address: 169.254.43.50

b. Dst. Address: 169.254.43.49

4) Click on Action Tab

a. Select Tunnel

b. SA Src. Address: our-public-ip

c. SA Dst. Address: 18.184.46.8

d. Proposal: ipsec-vpn-08d141c3fd6b51b71-0

e. Select Apply and Ok

Go to IP Tab --> IPsec --> Peers

5) Click on "+" button

a. Address: 18.184.46.8

b. Local Address: our-public-ip

c. Secret: AIKdxv0HYlJJZO8IvT1o2KblazaMsG5v

d. Hash Algorith: sha1

e. Encryption Algorithm: aes-128

d. DH Group: modp1024

f. Lifetime: 08:00:00

g. DPD Interval: 10

h. DPD Maximum Failures: 3

i. Select Apply and Ok

! ----------------------------------------------------------------------------

! #3: Tunnel Interface Configuration

!

! A tunnel interface is configured to be the logical interface associated

! with the tunnel. All traffic routed to the tunnel interface will be

! encrypted and transmitted to the VPC. Similarly, traffic from the VPC

! will be logically received on this interface.

! The address of the interface is configured with the setup for your

! Customer Gateway. If the address changes, the Customer Gateway and VPN

! Connection must be recreated with Amazon VPC.

Go to IP Tab --> Addresses

a. Click on "+" button

b. Address: 169.254.43.50/30

b. Interface: Select the WAN/Outside interface

c. Select Apply and Ok

! ----------------------------------------------------------------------------

! #4 Static Route Configuration

!

! Your Customer Gateway needs to set a static route for the prefix corresponding to your

! VPC to send traffic over the tunnel interface.

! An example for a VPC with a subnet/mask of 10.0.0.0/16 is provided below:

Go to IP Tab --> Routes

a. Click on "+" button and select the General Tab

b. Dst. Address: 10.0.0.0/16

c. Gateway: 169.254.43.49

d. Select Apply and Ok

! ----------------------------------------------------------------------------

! #5: NAT Exemption

!

! If you are performing NAT on your Customer Gateway, you may have to add a nat exemption rule to permit traffic from your local subnet to the VPC subnet and vice versa.

! This example rule permits all traffic from the local subnet to the VPC subnet.

Go to IP Tab --> Firewall --> NAT

  1. Click on "+" button and select the General Tab

a. Chain: srcnat

b. Src. Address: local subnet/mask

c. Dst. Address: AWS VPC subnet/mask

2) Click on Action Tab

a. Action = accept

b. Select Apply and Ok

! Similarly, create a firewall rule permitting traffic from the Inside IP associated with your Customer Gateway to the IP associated with the Virtual Private Gateway.

3) Click on "+" button and select the General Tab

a. Chain: srcnat

b. Src. Address: 169.254.43.50

c. Dst. Address: 169.254.43.49

4) Click on Action Tab

a. Action = accept

b. Select Apply and Ok

! Note that there may be multiple firewall rules configured on your Customer Gateway. These rules may be conflicting with the nat exemption rule.

! It is recommended to position the nat exemption rules such that they are evaluated in an order before any other conflicting policy.

! IPSec Tunnel #2

! #1: IPSec Proposal Configuration

!

! An IPsec proposal defines the IPsec parameters for encryption, authentication, Diffie-Hellman, and lifetime.

! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.

! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.

! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH

! groups like 2, 14-18, 22, 23, and 24.

! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".

Go to IP Tab --> IPsec --> Proposals

a. Click on "+" button

b. Name: ipsec-vpn-08d141c3fd6b51b71-1

c. Auth. Algorithms: sha1

d. Encr. Algorithms: aes-128-cbc

e. Lifetime: 01:00:00

f. PFS Group: modp1024

g. Select Apply and Ok

!---------------------------------------------------------------------------------

! #2: Internet Key Exchange

!

! A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime,

! and key parameters. The IKE peer is configured with the supported IKE encryption, authentication, Diffie-Hellman, lifetime, and key

! parameters.Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.

! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.

! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH

! groups like 2, 14-18, 22, 23, and 24.

! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".

! The address of the external interface for your customer gateway must be a static address.

! Your customer gateway may reside behind a device performing network address translation (NAT). To

! ensure that NAT traversal (NAT-T) can function, you must use the corresponding IP as the "Local Address".

! Create an IKE policy permitting traffic from your local subnet to the VPC subnet.

Go to IP Tab --> IPsec --> Policies

  1. Click on "+" button and select the General Tab

a. Src. Address: local subnet/mask

b. Dst. Address: AWS VPC subnet/mask

2) Click on Action Tab

a. Select Tunnel

b. SA Src. Address: our-public-ip

c. SA Dst. Address: 18.195.152.6

d. Proposal: ipsec-vpn-08d141c3fd6b51b71-1

e. Select Apply and Ok

! Create an IKE policy permitting traffic from the Inside IP associated with your Customer Gateway to the inside IP associated with the Virtual Private Gateway.

Go to IP Tab --> IPsec --> Policies

3) Click on "+" button and select the General Tab

a. Src. Address: 169.254.43.146

b. Dst. Address: 169.254.43.145

4) Click on Action Tab

a. Select Tunnel

b. SA Src. Address: our-public-ip

c. SA Dst. Address: 18.195.152.6

d. Proposal: ipsec-vpn-08d141c3fd6b51b71-1

e. Select Apply and Ok

Go to IP Tab --> IPsec --> Peers

5) Click on "+" button

a. Address: 18.195.152.6

b. Local Address: our-public-ip

c. Secret: eSNn_G1dBp6NJxf5zEO5sm77GCxSIBku

d. Hash Algorith: sha1

e. Encryption Algorithm: aes-128

d. DH Group: modp1024

f. Lifetime: 08:00:00

g. DPD Interval: 10

h. DPD Maximum Failures: 3

i. Select Apply and Ok

! ----------------------------------------------------------------------------

! #3: Tunnel Interface Configuration

!

! A tunnel interface is configured to be the logical interface associated

! with the tunnel. All traffic routed to the tunnel interface will be

! encrypted and transmitted to the VPC. Similarly, traffic from the VPC

! will be logically received on this interface.

! The address of the interface is configured with the setup for your

! Customer Gateway. If the address changes, the Customer Gateway and VPN

! Connection must be recreated with Amazon VPC.

Go to IP Tab --> Addresses

a. Click on "+" button

b. Address: 169.254.43.146/30

b. Interface: Select the WAN/Outside interface

c. Select Apply and Ok

! ----------------------------------------------------------------------------

! #4 Static Route Configuration

!

! Your Customer Gateway needs to set a static route for the prefix corresponding to your

! VPC to send traffic over the tunnel interface.

! An example for a VPC with a subnet/mask of 10.0.0.0/16 is provided below:

Go to IP Tab --> Routes

a. Click on "+" button and select the General Tab

b. Dst. Address: 10.0.0.0/16

c. Gateway: 169.254.43.145

d. Select Apply and Ok

! ----------------------------------------------------------------------------

! #5: NAT Exemption

!

! If you are performing NAT on your Customer Gateway, you may have to add a nat exemption rule to permit traffic from your local subnet to the VPC subnet and vice versa.

! This example rule permits all traffic from the local subnet to the VPC subnet.

Go to IP Tab --> Firewall --> NAT

  1. Click on "+" button and select the General Tab

a. Chain: srcnat

b. Src. Address: local subnet/mask

c. Dst. Address: AWS VPC subnet/mask

2) Click on Action Tab

a. Action = accept

b. Select Apply and Ok

! Similarly, create a firewall rule permitting traffic from the Inside IP associated with your Customer Gateway to the IP associated with the Virtual Private Gateway.

3) Click on "+" button and select the General Tab

a. Chain: srcnat

b. Src. Address: 169.254.43.146

c. Dst. Address: 169.254.43.145

4) Click on Action Tab

a. Action = accept

b. Select Apply and Ok