Saturday, August 24, 2019

Best certs to get? Currently a 25N enlisted in the army and looking to further my schooling


How does an ISP run cable drops to multiple buildings from one line.

I want as detailed as possible because I can't wrap my head around it. How do ISPs have multiple drops off one wire? I just can't wrap my head around it. Me and a buddy are curious about becoming an ISP and we still have a long way to go, but for the life of me, this is the one thing I don't understand... Like, I'm genuinely curious how it actually works. We were going to start as a WISP to get more knowledge as we go, but this is the only thing that stumps me.



Ask reddit crossover episode.



pzen as a FW?

Hi Folks:

I am looking at Zscaler pzen and thinking how backwards it is for a company that did marketing where they smashed appliances, to start selling appliances.

Are they going to start offering ingress hardware firewalls, hardware sd-wan, and CASB features too?



Can someone explain how ports and sockets really work?

So in my understanding, in a client-server model, a client binds an ephemeral port number to an IP address and sends it out over the internet to find the server. This is where I start to get confused. Let's say the server is a web server, so it is listening on port 80 or 443. One, how does the request know how to go to port 80, and why did we even have to use an ephemeral port? Two, where does TCP come in, and is that similar to the socket that both sides created?
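As an added illustration (not part of the original post), the following Python script runs one TCP request/response over loopback and records the ports each side used: the server listens on one fixed port, and the client's port is an ephemeral one chosen by the operating system at connect() time. Port 0 in bind() asks the OS for any free port, so the demo does not need a privileged port such as 80; in a real deployment the server port would be the well-known 80 or 443.

```python
import socket
import threading

# Added example (not from the original post): one client/server round trip on
# loopback, recording which port each side used. The server's port is fixed and
# known in advance (here chosen by the OS via port 0 so no privileges are needed);
# the client's port is ephemeral and assigned by the OS during connect().


def run_exchange(server_port=0, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Run one TCP request/response on 127.0.0.1 and return the ports each side saw."""
    # Server side: the listening socket is the "well-known port" a client must know.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", server_port))
    listener.listen(1)
    well_known_port = listener.getsockname()[1]

    seen = {}

    def serve():
        # accept() returns a *new* socket for this one connection, identified by
        # the 4-tuple (server ip, server port, client ip, client port).
        conn, peer = listener.accept()
        seen["peer"] = peer
        data = conn.recv(4096)
        conn.sendall(b"reply:" + data)
        conn.close()

    worker = threading.Thread(target=serve)
    worker.start()

    # Client side: the destination port is whatever the application protocol
    # defines (80/443 for HTTP); the source port is picked by the OS.
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("127.0.0.1", well_known_port))
    client_local = client.getsockname()
    client_remote = client.getpeername()
    client.sendall(payload)
    reply = client.recv(4096)
    client.close()
    worker.join()
    listener.close()

    return {
        "server_port": well_known_port,
        "client_port": client_local[1],
        "client_remote": client_remote,
        "server_saw_peer": seen["peer"],
        "reply": reply,
    }


if __name__ == "__main__":
    r = run_exchange()
    print(f"server listened on port {r['server_port']}")
    print(f"client connected from ephemeral port {r['client_port']} to {r['client_remote']}")
    print(f"server saw the client as {r['server_saw_peer']}")
```

Running it prints the two port numbers. The server's accepted connection is identified by the full four-tuple (server IP, server port, client IP, client port), which is why many clients can all talk to destination port 80 on one server as long as each uses a different source port; TCP is the layer that carries those port numbers and the sequence/acknowledgement state, and a socket is simply the OS handle to one end of such a connection.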



Good resources to crash course and really learn networking? Specifically regarding ISP/cloud related networking (firewalls, bgp, vlans, more)?

Networking has not been a strong point of mine over the years. I've primarily been a desktop tech / Jr. Sysadmin in companies that had separate, dedicated network engineers or teams. I've got the fundamentals of stuff from server, like DHCP, general IP subnetting, DNS, etc. But I recently took a new job at a colo/cloud company that is tons of networking and I'm feeling a bit out of my depth.

I'm going to be working with firewalls (Cisco and Fortinet), VLANs on said devices, network load balancing, bgp, VPNs, edge routing, router HA, and much more, and this stuff is all way outside my scope of knowledge.

The company knows I don't have all this knowledge, and I was up front about that (my current strengths lie more in the Windows/Linux/VMWare support and management end of things), but I'm doing a lot of training and will have to pick all this stuff up.

What are some good resources (books, videos, courses, whatever) I should pick up to get a better grasp on this stuff from the colocation/cloud/ISP end of things, and broaden my perspective on networking and how the internet as a whole works?



Nexus 7K port LED won't light

Port LED stays Amber until I insert a sfp, the light goes off, no light at all.

I tried different ports and verified the SFP is compatible and operational.

What's causing this issue?



faucet, gns3 and arista

Does anyone know if it's possible to control an Arista 7048 from the Faucet SDN controller?

Secondly, is it possible to set this up in GNS3? I can get Faucet set up in GNS3 but don't know how to get the Arista into the setup.



Need help with a wireless access point recommendation

I think I've found one, but I'm not sure if I even know what I'm looking at: https://www.amazon.ca/dp/B07FXJHXP4/ref=cm_sw_r_cp_api_i_GSByDbCH7BHBP

This is what I found, and if I'm reading correctly I should be able to set it up as a WAP by connecting an Ethernet cord to the WAN port, but then also be able to connect a computer to it with an Ethernet cord into the LAN port. I'm just not sure if I'm even understanding the product correctly and would greatly appreciate some help.



What is an alternative to ngrok?

I want the alternative to assign an IP that does not change every time you use it.



Controlling BYOD access to corp network

Context: the company merged last year with a company which allows any device to connect to corp WiFi; our WiFi only allows corp assets to connect to corp WiFi, and all other devices are classed as guest.

Our side of the business has used 802.1x to identify corp assets and allow access to corp WiFi, all other devices have guest internet access only.

We have to implement a company wide WLAN, and I'm looking for ideas on how best to control access to corp resources on non-corp devices.

If I had my way I would lock it down company-wide exactly as it is in our part of the business right now, but I'm aware that management folk are used to using their own devices - mobile and laptop - and would kick up a fuss if we didn't provide them continued access the way they are doing it now.

Any suggestions on how to improve security by blocking non-corp devices on corp WiFi, but also allowing some kind of authorized BYOD policy?



Recover Config from Bricked Nexus Switch

Does anyone know of a trick for recovering a running or startup config from a Nexus switch that has been bricked due to a bug? We had to initiate an RMA on our Nexus after it wouldn't boot back up. The backup of the config is a little out of date. It's not the end of the world, but it would be nice if there was an easy way to get the most updated config. For reference, we can't even console into the bricked device.



LAN connectivity monitoring

I'm looking for an open-source or free tool to monitor my lab's connectivity. I'm having some odd, intermittent problems with containers communicating across approximately 100 different hosts. All are on a local LAN, but occasionally sessions die.

Does anyone have any recommendations for something that I could set up to constantly/periodically check connectivity between endpoints on the LAN? Endpoints are all Linux/Docker/Mac. I'd love a container I could deploy, have it discover its peers and report connectivity characteristics to some central DB/node.

thanks



Extreme Competitors?

We're looking at the possibility of a complete campus network refresh. We currently have an old Enterasys network with a bit of the newer Extreme tech layered on top. We use policy driven networking to a small degree, but want to do more of that. Extreme is pitching their automated campus solution to do a fully policy driven network which looks really interesting. The idea that I can create my networks in the core and then have policy dynamically get them out to the edge where they're needed is really attractive.

I'm unfamiliar with what other vendors can do, though. Who can compete with Extreme for a fully automated network? What products should I be looking at?



snmpwalk command equivalent of show cdp neighbors?

Hello, I'm new to the community! Hope you're all doing well in the land of packets.

I had one question about how I could get the same result using snmpwalk, as I would get running show cdp neighbors?

I've used snmpwalk with the "CISCO-CDP-MIB" module, but I can't seem to get the correct results, or at least the ones I'm looking for. Some of the IPs that I'm interested in are missing; in fact, any IP that shows up in the show cdp neighbors command is not to be found in the snmpwalk output.

Any help would be appreciated. Thank you.
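Added example, not from the original post: a parser for snmpwalk output of the CISCO-CDP-MIB cdpCache table. Each neighbour is spread over several rows sharing one index (the local ifIndex followed by a per-neighbour index), and cdpCacheAddress is an OCTET STRING that snmpwalk prints as Hex-STRING bytes rather than as a dotted-decimal address, which is easy to overlook when searching the output for an IP. The sample walk below is constructed. The column numbers under 1.3.6.1.4.1.9.9.23.1.2.1.1 (4 = cdpCacheAddress, 6 = cdpCacheDeviceId, 7 = cdpCacheDevicePort, 8 = cdpCachePlatform) are the ones the MIB defines as I recall them; check them against the MIB file before relying on them.

```python
import re
from collections import defaultdict

# Added example (not from the original post): join the per-column rows of the
# CISCO-CDP-MIB cdpCache table into one record per neighbour and decode the
# hex-encoded cdpCacheAddress into an IPv4 address.

# Constructed sample snmpwalk output (not data from a real device). The last
# block shows the numeric-OID form snmpwalk prints when the MIB is not loaded.
SAMPLE_WALK = """\
CISCO-CDP-MIB::cdpCacheAddressType.10001.1 = INTEGER: ip(1)
CISCO-CDP-MIB::cdpCacheAddress.10001.1 = Hex-STRING: 0A 00 14 50 
CISCO-CDP-MIB::cdpCacheDeviceId.10001.1 = STRING: "core-sw-1.example.test"
CISCO-CDP-MIB::cdpCacheDevicePort.10001.1 = STRING: "GigabitEthernet1/0/24"
CISCO-CDP-MIB::cdpCachePlatform.10001.1 = STRING: "cisco WS-C3850-48P"
CISCO-CDP-MIB::cdpCacheAddress.10002.1 = Hex-STRING: 0A 00 14 13 
CISCO-CDP-MIB::cdpCacheDeviceId.10002.1 = STRING: "SEP001122334455"
CISCO-CDP-MIB::cdpCacheDevicePort.10002.1 = STRING: "Port 1"
CISCO-CDP-MIB::cdpCachePlatform.10002.1 = STRING: "Cisco IP Phone 7841"
.1.3.6.1.4.1.9.9.23.1.2.1.1.4.10003.1 = Hex-STRING: 0A 00 14 FE 
.1.3.6.1.4.1.9.9.23.1.2.1.1.6.10003.1 = STRING: "edge-rtr-1"
"""

# Column number -> object name under cdpCacheEntry (assumed from the MIB; verify).
COLUMNS = {
    "4": "cdpCacheAddress",
    "6": "cdpCacheDeviceId",
    "7": "cdpCacheDevicePort",
    "8": "cdpCachePlatform",
}

LINE_RE = re.compile(
    r"^(?:CISCO-CDP-MIB::(?P<obj>\w+)"
    r"|\.?1\.3\.6\.1\.4\.1\.9\.9\.23\.1\.2\.1\.1\.(?P<col>\d+))"
    r"\.(?P<ifindex>\d+)\.(?P<nbr>\d+) = (?P<type>[\w-]+): ?(?P<value>.*)$"
)


def decode_hex_ip(value):
    """Turn the 'Hex-STRING' bytes, e.g. '0A 00 14 50', into '10.0.20.80'."""
    octets = bytes.fromhex(value.replace(" ", ""))
    if len(octets) != 4:
        raise ValueError(f"expected 4 octets for an IPv4 address, got {len(octets)}")
    return ".".join(str(b) for b in octets)


def parse_cdp_walk(text):
    """Return {(ifindex, neighbour_index): {field: value, ...}} from snmpwalk lines."""
    neighbours = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # skip lines that are not cdpCache rows
        obj = m["obj"] or COLUMNS.get(m["col"])
        if obj is None:
            continue  # a column we do not map (e.g. cdpCacheVersion)
        key = (int(m["ifindex"]), int(m["nbr"]))
        value_type, value = m["type"], m["value"]
        if obj == "cdpCacheAddress" and value_type == "Hex-STRING":
            neighbours[key]["ip"] = decode_hex_ip(value)
        elif value_type == "STRING":
            neighbours[key][obj] = value.strip('"')
        else:
            neighbours[key][obj] = value
    return dict(neighbours)


if __name__ == "__main__":
    for (ifindex, _), n in sorted(parse_cdp_walk(SAMPLE_WALK).items()):
        print(f"ifIndex {ifindex}: {n.get('cdpCacheDeviceId')} "
              f"{n.get('ip')} {n.get('cdpCacheDevicePort')}")
```

Feed it the output of a walk over the cdpCache subtree and the neighbour IPs appear in the same dotted form that show cdp neighbors detail prints; an inventory built this way is also a useful baseline for spotting an unexpected device announcing itself on an access port.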



Suggestions on Wifi Hotspot Management with SMS OTP Authentication wanted

Hi

Newb network 'guy' here, please excuse the rookie questions. I hope this is the right place to ask!

A prospective client approached me to propose a WiFi hotspot management solution where they want to collect data from prospective internet users, and which will send an OTP by SMS to the user's phone for authentication. User data must be collected and sent to the client.

Wifi equipment, and internet access to be provided by them, I can suggest, but I'm really only supposed to design and install the hotspot management software, networking and SMS OTP parts.

I'm looking for any suggestions on what I can configure and deploy that can come in cheaply enough.
I'm not averse to a bit of work (I was investigating a combination of managed switch, pfSense + PacketFence if it comes to that).
Any advice greatly appreciated.



ACI dual-sided vPC with IBM vLAG - Benefits?

Hi all,

We recently migrated our core network from plain old Catalyst and Nexus switches to ACI, and stumbled upon one case.

An IBM integrated system (PureApp) was connected to the network via 2 port-channels (non-vPC) stemming from its ToR switches. As we migrated, unbeknownst to us, there's also a feature on the IBM ToR switches which is somewhat identical to vPC (called vLAG), hence we configured the ACI downlink towards the PureApp system as two separate vPCs (left of the diagram).

Apparently, on the IBM's side, they suggest moving towards the recommended dual-sided MCLAG design (on the right). However, having looked up on the Internet, we haven't found out the real benefits of such design over the existing, separate vPCs.

Can someone point out which benefits I should consider for the dual-sided MCLAG design?

Diagram: https://imgur.com/dqyihLR



Friday, August 23, 2019

Trying to understand how Infiniband works in a network environment.

Hello all,

I am very interested in getting into high performance computing at some point. Right now I'm just a helpdesk tech, but I think with some learning I can make it happen someday.

I am choosing one topic at a time, and something I am having difficulty understanding is Infiniband and how it works in a network. I understand that it is a 100gig networking standard used to interconnect devices. What I don't understand however is how it is used. Is it just used to interconnect devices on a cluster for instance, like between nodes, so that data throughput between the nodes is faster and you can take advantage of faster reads/writes and not get bottlenecked by the network connection? Boy this is going to sound embarrassingly novice here: but if not, then how would you run 100gig connection from the demarc to the Infiniband switch and have that work effectively?

For example, say I have a 100gig Mellanox Infiniband switch with 18 ports. I have all 18 ports hooked up to 18 different nodes. I would then have to share 100gig divided by 18 ports, right? That reduces the throughput to effectively 5.5gig then. It would be limited by the outside connection to the building so this must surely be just a protocol used for clusters and interconnected devices within the network right?

Why not just use 100gig fiber? Infiniband has virtually no packet loss I was reading, but is this really worth it?

I much appreciate any pointers on this topic, thank you!



Load balance LACP

If I have two layer 2 links, one being 10 Gbps and one being 1 Gbps... Is there a way in LACP to make the 1 Gbps link bear traffic ONLY if the 10 Gbps link goes down?



Anyconnect clients cannot do DNS lookups

VLAN102 is defined via subinterface on my ASA 5506-X. IP subnet is 172.16.20.x. DNS servers live on VLAN100 as does a Windows domain. DNS and Windows services are ACL allowed between VLAN102 and VLAN100. I'm focused on DNS for this posting.

AnyConnect setup was configured via ASDM wizard, AnyConnect vpn clients are placed on VLAN102 via the assigned pool, 172.16.20.250-254 (testing pool therefore quite small). Authentication and connection goes smoothly for these VPN clients. These VPN clients can talk to other hosts on VLAN102 without issue. Clients wired into VLAN102 have no issues with DNS. VPN clients, connected via AnyConnect, however cannot perform DNS lookups to the VLAN100 servers, as desired. Logged error is, somewhat predictably I'm learning:

 5 305013 172.16.20.250 61706 10.0.20.80 53 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:172.16.20.250/61706(LOCAL\pjt@int.paulteeter.net) dst inside:10.0.20.80/53 denied due to NAT reverse path failure 

Syslog Details go on to elaborate:

An attempt to connect to a mapped host using it's actual address was rejected. 

Pertinent running config should be...

ip local pool IPv4_VLAN102_Pool 172.16.20.250-172.16.20.254 mask 255.255.254.0
interface GigabitEthernet1/2.100
 description VLAN100_Management_Server
 vlan 100
 nameif inside
 security-level 100
 ip address 10.0.20.1 255.255.252.0
interface GigabitEthernet1/2.102
 description VLAN102_Testing
 vlan 102
 nameif insideTesting
 security-level 80
 ip address 172.16.20.1 255.255.254.0
object network NETWORK_OBJ_172.16.20.248_29
 subnet 172.16.20.248 255.255.255.248
object network NETWORK_OBJ_172.16.20.0_23
 subnet 172.16.20.0 255.255.254.0
object-group service DNS
 description DNS over tcp & udp
 service-object tcp-udp destination eq domain
object-group network VLAN100_DNS_Servers
 network-object host 10.0.20.80
 network-object host 10.0.20.19
access-list ForVLAN102 extended permit object-group DNS object Testing object-group VLAN100_DNS_Servers
access-list ForVLAN102 extended permit ip any any
nat (insideTesting,outside) source static NETWORK_OBJ_172.16.20.0_23 NETWORK_OBJ_172.16.20.0_23 destination static NETWORK_OBJ_172.16.20.248_29 NETWORK_OBJ_172.16.20.248_29 no-proxy-arp route-lookup
object network Testing
 nat (insideTesting,outside) dynamic interface
access-group ForVLAN102 in interface insideTesting
group-policy GroupPolicy_AnyConnect_basicAuth_VLAN102 internal
group-policy GroupPolicy_AnyConnect_basicAuth_VLAN102 attributes
 wins-server none
 dns-server value 10.0.20.80 10.0.20.19
 vpn-tunnel-protocol ssl-client
 default-domain value int.mydomain.net
tunnel-group AnyConnect_basicAuth_VLAN102 type remote-access
tunnel-group AnyConnect_basicAuth_VLAN102 general-attributes
 address-pool IPv4_VLAN102_Pool
 authentication-server-group Active_Directory
 default-group-policy GroupPolicy_AnyConnect_basicAuth_VLAN102
tunnel-group AnyConnect_basicAuth_VLAN102 webvpn-attributes
 group-alias AnyConnect_basicAuth_VLAN102 enable
 group-url https://vpn.mydomain.net/basicAuthVLAN102 enable
 without-csd

Let me know if additional config details would be helpful.

From various postings here and on Cisco's community, it seems like my VPN ip pool is not being NAT exempted properly...possibly?

I was considering a static NAT of each VLAN100 DNS server to VLAN102 but am not certain that would even help.

Curious to hear suggestions about how to fix my config to support what I'm trying to do. Am open to split-tunnel option such that only VLAN102-intended traffic does DNS via the VLAN100 servers. But sending all DNS requests to the VLAN100 servers is just fine.



Security Certification

Hey everyone, I'm looking to round out my resume a bit. I would like to take a good security course, but not really looking for another Cisco Cert and something maybe a little more advanced than a Security+. Something that covers best practices, cryptography, system vulnerabilities, and network attacks across a variety of operating systems and security tools.

Anyone have any recommendations? Thanks.



Launch Cable Suggestions

We just bought a new OTDR and are deciding to buy some new launch cables for testing purposes. Our old ones were OptiConcepts brand. Anyone have a suggestion on what brand to use? Haven't had to buy any for a few years.



Internet upgraded to Gig speed, currently have ASA 5506-X - upgrade options?

My apologies for the beginner-level question, but networking isn't something I have to dabble in very often anymore. I've always dealt with Cisco ASA appliances and have shied away from other options due to unfamiliarity. However, I'm looking for firewall options that will pass through 1Gb outside speed. Should I explore higher-end ASA products, or am I wasting time and money on soon-to-be-legacy Cisco products? What's the general verdict on the Firepower series?



Jumbo Frames - Cut Through and Store and Forward

Had an interesting issue at work. There is an application that sends really huge frames, > 1500 bytes. Our environment spans quite a few hops to the receiver of this app's data. There is a mixture of store-and-forward switches, Nexus 3Ks (cut-through) and Aristas. Analyzing the SPAN capture off the Arista interface leading to the receiver, we noticed the huge packets but were left scratching our heads... How is a jumbo frame being sent throughout our network if the MTU is 1500? After some digging through data sheets we came to the conclusion that even though a switch is not configured on its interface to support jumbo frames, if the platform itself can support it, it will still process the frame and forward it.

The takeaway is that cut-through switches only look at the destination frame address. Therefore they don't care how big the packet is, and so jumbo frames are sent out egress interfaces that are set to 1500 bytes by default.

Store-and-forward switches such as a 6509-E with a 720 card do support jumbo frames. Even though it's not configured, the mere fact that it's supported means the frame will be forwarded.

Do my fellow engineers on this thread agree or disagree?



Apple Devices not wanting to Hop AP

Hi All,

Not sure if anyone else has noticed, but Apple devices would rather sit on a weak signal from an AP that you have moved away from than connect to a new one with a stronger signal. Has anyone dealt with this? Any solutions? Getting complaints from iPad users saying they are dropping out of our VPN when moving around the building.



multiple wan public addresses port forwarding issue

Hello,

I am using a fortigate device:

WAN connection interface: 99.99.99.33

i have been given 2 additional addresses from my isp

99.99.99.198

99.99.99.199

1 - I am not sure where I can add these 2 IP addresses as additional WAN addresses in Forti; I added them in IP pools.

2- i have a webserver in dmz 192.168.100.150 listening on port 80

I need to create a rule that allows login from the outside to this webserver via one of the additional WAN addresses with port 8080.

Example: when I type from outside http://99.99.99.198:8080 it should show the web interface of the webserver in my DMZ. Please write me the steps, because what I did didn't work.

This is my configuration

Policy And Projects > Ip pools > created 2 ip pool objects

name: ip_pool_1

type: overload

external ip range: 99.99.99.198 - 99.99.99.198

second one name ip_pool_2 external ip range 99.99.99.199- 99.99.99.199

then i created a virtual ip

name: web in

external ip address /range: 99.99.99.198-99.99.99.198

mapped ip address/range 192.168.100.150- 192.168.100.150

port forwarding enabled

protocol:tcp

external service port 8080-8080

map to port 80-80

then policy & objects > ipv4 policy > new policy

name: to_device

incoming interface: wan1

outgoing interface: dmz

source: all

destination: web in (the VIP I created before)

schedule: always

service: http

action: accept

nat: enabled ( also tried to disable it same thing)

ip pool configuration: use outgoing interface address

enable this policy: enabled

How do i solve this? Help!!

thanks



Wifi Extender Implementation for large commercial property - nonpro looking for advice

Hello cable runners and bearded administrators

I'm unfortunately the guy in my office who can google, and as such I've been tasked with filling the holes in our property's public wifi network.

The network directs users to a captive portal prior to allowing access. Are there plug and play wifi repeaters I can use that won't stop users from accessing and logging in to the main wifi network? I've seen extenders in the past that were logged into directly, and I'm trying to avoid something like that. Ideally it would be as transparent as possible, without having to drag techs from 4 states away where our IT HQ is and have them run new cable for routers.

I'm having a hard time finding a clean explanation and any assistance would be hugely appreciated. I can probably physically access most of the routers currently in use, but I'm not 100% sure.

Thank you,



APs not getting 30W on 4510

We aren’t getting much help from Cisco TAC so maybe one of y'all can point me in the right direction.

We have a 4510R+E with 8 WS-X4748-UPOE+E blades, dual Sup 8-E supervisors, running IOS version 03.10.03.E. Our issue is with power to the new 3802 APs. On some ports we get 30W and on others only 15.4W. There doesn't seem to be any pattern in the allocation, and the overall power available should be more than enough to supply 30 APs over 8 modules.

Any ideas why the switch isn't supplying enough power to the APs? What can we do to correct this?

Info:

Mod Ports Card Type                               Model
---+-----+--------------------------------------+------------------+-----------
 1    48  10/100/1000BaseT UPOE E Series           WS-X4748-UPOE+E
 2    48  10/100/1000BaseT UPOE E Series           WS-X4748-UPOE+E
 3    48  10/100/1000BaseT UPOE E Series           WS-X4748-UPOE+E
 4    48  10/100/1000BaseT UPOE E Series           WS-X4748-UPOE+E
 5     8  Sup 8-E 10GE (SFP+), 1000BaseX (SFP)     WS-X45-SUP8-E
 6     8  Sup 8-E 10GE (SFP+), 1000BaseX (SFP)     WS-X45-SUP8-E
 7    48  10/100/1000BaseT UPOE E Series           WS-X4748-UPOE+E
 8    48  10/100/1000BaseT UPOE E Series           WS-X4748-UPOE+E
 9    48  10/100/1000BaseT UPOE E Series           WS-X4748-UPOE+E
10    48  10/100/1000BaseT UPOE E Series           WS-X4748-UPOE+E

EX:

Gi4/45  auto  on  31.6  30.0  AIR-AP3802I-B-K9  4
Gi4/46  auto  on  16.2  15.4  AIR-AP3802I-B-K9  4
Gi4/47  auto  on  16.2  15.4  AIR-AP3802I-B-K9  4
Gi4/48  auto  on  31.6  30.0  AIR-AP3802I-B-K9  4



Directing VLAN traffic to alternate gateway

I want to direct our VoIP traffic, on its own VLAN, to our backup WAN link.

Is it typical to use Policy Based Routing to accomplish this, or is there a better/easier way to get traffic from one specific VLAN to a different next-hop than the default-gateway?

This will be N7Ks linked to an ASA.



DHCP reservation AND static IP?

Let's say I have an IP reservation for a client in a DHCP server.

Then the client will receive that IP address.

But what if I also set that IP as a static IP address on the client?

Should it work? In practice and in theory?

In my experience it will work for some time (until the DHCP lease time expires?), then it stops working.



I have come into possession of a small box of Siemens WS-AP3610 APs. Despite my Googling around, I can't seem to find any information on the wireless controller that would have been used with them.

If anyone is familiar with this, what type of wireless controller operates these? Is it an appliance or software? If it's software, is it obtainable?

Thanks!



Time to move on from a networking career?

I've been a network engineer for 25 years and I don't want to do it anymore.

I should have a much more senior position, but I'm not interested or curious enough to learn about new protocols and services. I also tried management and didn't like that.

It's stupid to leave a good-paying job that doesn't demand too much from me, especially at my age and with my limited skill set, but I've been spending most of my time planning an early retirement.

Has anyone else felt the same? Any suggestions?



Client to Site VPN on TL-ER6120

I am trying to configure a client-to-site VPN on a TP-Link TL-ER6120. The challenge is, the client is a remote user who always has a different local IP address and range. I have a few VPN users set up and they are working fine, but they have a static local IP address. I can't seem to find any way to create a client-to-site VPN user that can have a changing local IP address. It won't allow me to use 0.0.0.0. Any thoughts, without having to resort to software like Radmin VPN? Thanks.



Become an ISP

https://ift.tt/2KQoMkO

SNMP Reporting Question

I'm looking for a way to generate a report that returns a near comprehensive list of every device on the network, whether that device has SNMP enabled and what version of SNMP is running. It should also return ip and domain name.

I've set up an instance of LibreNMS but can't seem to get what I have mentioned above from it; of course, that may be down to my inexperience with the tool. I also have access to Lansweeper and PRTG.

Hopefully I have been clear but please let me know if not.

Thanks.



Client not accepting DHCP address

Hi

Got a strange problem here and Google is not giving me answers.

The problem is 100% client related but this is another case of blame the network... but before I hand it over to the devices team I wanted to try my luck here :)

The problem:

Upon booting the notebook, it connects to the SSID correctly, authentication 802.1x via ISE etc is all OK.

In Wireshark I can see the DHCP cycle including the ACK coming in. Our DHCP server (Infoblox) also shows a lease for that notebook, but it keeps its APIPA address. And the notebook starts again: DHCP Discover, ...

https://imgur.com/a/aAk9fxV

After 15 to 30 mins the problem is solved by itself. Rebooting the notebook seems to work sometimes too, like 1/10 chances that it pulls through. When the problem is present, switching to the LAN cable doesn't matter, the problem remains.

This is a global problem and I've been able to pinpoint it to notebooks that have the Siemens software (TIA, WinCC, etc.) installed and are running Win10 (build 1809 atm). The combo Siemens + Win7 is fine, but they are getting migrated soon. The problem started about 2 months ago.

On the site I'm troubleshooting I have 270+ clients on that SSID with Win10 but without Siemens software who are working fine.

Things I have tried:

  • ipconfig /release /renew helps 1/5 times
  • Troubleshoot problems from win10 works 2/5 times.
  • Disabled ipv6
  • Assigning a fixed IP resolves the problem
  • Stopped several Siemens services without avail
  • Eventviewer is useless, only event 1001, error 0x79. No indication of other interfering applications or such

It seems to me that some kind of Siemens service/process is disrupting the cycle.

Siemens forums are not really a great resource either.

Any tips, tools you can recommend me?

Thx!



Please, help clarify! CIDR w/o AS#

Hello network gurus,

As far as I know (very little), in order for BGP to work, a certain CIDR must have an AS assigned. If no AS is assigned, then there is no way for traffic to reach that CIDR, since routers don't know how to get there. True? (Ignoring static routes.)

If I look for a CIDR here: https://bgp.he.net/ip/ and it comes out as "not found" .. does it imply no AS is assigned?

And does the above imply I can actually send traffic to those CIDRs and be sure they are not bothered, since my packets will die on my first-mile ISP router?

As far as I've understood, this happens when some public routes are used for internal routing and thus are not advertised.

Thanks!



Thursday, August 22, 2019

Configurable MAC address on VLAN Interfaces

I want to configure a specific MAC address as the MAC address of a VLAN interface (SVI/IRB) on Cisco and Juniper switches. They do not seem to support it (Cisco Catalyst 3650, Juniper EX 4300). One way for me to achieve that on Cisco switches is to configure HSRP with a specific MAC address. Not sure how to achieve that on Juniper (VRRP does not allow me to configure a specific MAC address).



ENCS experience

Does anyone have any recent experience with ENCS? I am looking at it to possibly deploy SD-WAN, firewall, and eventually some other virtual appliances. I would want to be able to automate site deployments. My biggest fears are how stable this platform is, how hard troubleshooting issues between virtual devices is, and what the throughput limitations are (I know this depends on the hardware, number of VNFs, features running, etc.).

Any more recent input and experiences would be appreciated.



Canadian VAR's ahoy

(x-post /r/sysadmin)

Hey folks.

I've been put in a position where I have to find some kit in Canada (specifically Toronto) in a real hurry. I don't have time to source it through my normal channels and ship overseas (I'm in Australia).

Looking for a shout out from anyone who has experience/recommendations for a reliable VAR in Toronto who can supply

Palo Alto
Juniper
HP
Ubiquiti

kit on short notice, although only the first two are really time critical.

Anyone got any decent recommendations?

Thanks



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



BGP Route Reflector / Black-Hole Solution

The Powers-That-Be are finally on board with migrating from the manually-updated-ACL-on-each-edge-router solution we are using now to a centralized BGP route reflector or similar for black-holing IPs.

Conceptually, I've found a lot of documentation on the topic and we've successfully simulated its use in our environment. What I'm curious about is, what software do you all run your RR BGP session on? We're trying to avoid a hardware solution. Ideally, this would be license-free, but we can find the budget if necessary.

Similarly, any software or automation recommendations for managing and updating the RR is appreciated as well.



FortiGate Question - Virtual Wire Pair for Redundancy?

So I am replacing a core switch at a client site with two new core switches to add some redundant pathing between the FortiGate HA pair and client access switches. We're a WatchGuard shop, so I'm still new to the Fortinet stuff.

Question is, I'd like each firewall in the HA pair to connect to each core switch - in the event that one switch goes down, it would have a redundant path to the second core switch via the other link. How would I go about designating a "failover" port for the LAN on the fortigate, and is this even possible? I've read about the virtual wire pair but not sure that's applicable here.

EDIT: It appears that most of the physical interfaces are assigned as members to the LAN interface "hardware switch" - with STP turned on, is it as simple as just adding another connection to a member port?

Thanks in advance.



Employer requesting I install sophos root certificate

I'm a remote employee. Occasionally when I come into the office I use my employers network. I'm using linux which our admins are unfamiliar with. I get ssl errors when trying to access any site over https. Our IT guys want me to install a root certificate on my laptop. Am I correct in assuming that this certificate will be used to encrypt my ssl data which will then allow my employer access to whatever data I send or receive over ssl?
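Added example, not from the original post, of a check one can run to see who actually issued the certificate a client receives for a given site. A root certificate installed on the laptop does not itself encrypt anything; it makes the laptop trust certificates signed by that root, so a gateway that terminates TLS can present its own certificate for any site (issued on the fly under that root) and read the traffic in between. Comparing the issuer of the certificate actually received against the site's expected public CA exposes that. The certificate dicts below are constructed in the shape Python's ssl getpeercert() returns, and the expected issuer name is a placeholder; probe_issuer() is the optional live part and needs network access.

```python
import socket
import ssl

# Added example (not from the original post): report who issued the certificate
# the client actually received. Behind a TLS-terminating gateway the leaf
# certificate for every site is signed by the gateway's private root, not by
# the site's public CA. Works on getpeercert()-style dicts so it runs offline.


def flatten_name(rdn_sequence):
    """Convert getpeercert()'s ((('organizationName', 'X'),), ...) into a flat dict."""
    out = {}
    for rdn in rdn_sequence:
        for attr, value in rdn:
            out[attr] = value
    return out


def issuer_mismatch(cert, expected_issuer_org):
    """Return (mismatch, actual_issuer) for a getpeercert()-style dict.

    mismatch is True when the issuer organization (or CN if no O) differs
    from the CA the site is known to use.
    """
    issuer = flatten_name(cert.get("issuer", ()))
    actual = issuer.get("organizationName", issuer.get("commonName", "<unknown>"))
    return actual != expected_issuer_org, actual


def probe_issuer(host, port=443, timeout=5):
    """Live check: fetch the certificate presented for host and return its issuer.

    Validation uses the local trust store, so a locally installed private root
    passes; that is exactly why the issuer has to be inspected explicitly.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return flatten_name(tls.getpeercert()["issuer"])


# Constructed certificate dicts in getpeercert() shape (not real certificates).
DIRECT_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Public CA Inc"),),        # placeholder public CA
        (("commonName", "Public CA TLS RSA 2020"),),
    ),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.test"),),),  # same site name...
    "issuer": (
        (("organizationName", "Example Corp Web Gateway"),),  # ...different signer
        (("commonName", "Example Corp Proxy Root CA"),),
    ),
}

if __name__ == "__main__":
    for label, cert in (("direct", DIRECT_CERT), ("via gateway", INTERCEPTED_CERT)):
        bad, who = issuer_mismatch(cert, "Public CA Inc")
        print(f"{label}: issuer={who!r} -> {'inspected in transit' if bad else 'ok'}")
    # Optional live use on a real network, e.g.:
    # print(probe_issuer("www.example.test"))
```

Run probe_issuer() against the same site from home and from the office network: if the office result names the employer's gateway as issuer, traffic to that site is decrypted at the gateway. The same fact explains the errors the poster sees on Linux, where the gateway's root is not in the system or browser trust store, so every HTTPS site fails validation.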



Surge protection for ethernet line running between buildings?

I have a network in a building, then ran a 100ft ethernet cable from the switch in that building to a router in a small building in the back to get a wired connection back there. This is in the South East part of America, so we deal with a lot of lightning strikes. How should i protect the network from a surge from a lightning strike near or on that ethernet line (running a fiber optic cable isn't an option). I only need the protection on the main building side, the other side is using a cheap off the shelf router that i'm fine with replacing in case something happens, but the switch its plugged into on the main building side is very expensive.



Cisco Firesight Threat Defense and Office 365

OK, warning, guys:

If you have Office 365 (cloud) configured for your users, it will NOT work properly with Cisco FTD firewalls if any kind of IPS/IDS is being utilized, or any custom rules. We are running FTDs and FMCs with 6.3.0.3 code, and in order to get Office 365 to work at all, we had to TRUST the traffic: aka, no inspection or higher level processing. We also had to open a lot of ports.

I don't know if this issue exists in Palo Alto or other platforms, but it is a big problem (among many) for us with Cisco firewalls.



3Com Transceiver

I need help finding a transceiver PN for a 3Com switch: 3Com 4210G 24 port (3CRS42G24-91).
Can you tell me if this switch is the same as the HP 4210G series (JF844A)?



FreeRADIUS and Aruba issues

We are having a nightmare with FreeRADIUS and Aruba AOS8 controllers. Currently we are experiencing an issue where a user can authenticate once on a device and then if they disconnect (turn their wireless off) or after a short amount of time (5-10 mins) they will get disconnected and won't be able to reconnect again at all. The device will either say incorrect password or just generic message that it is unable to connect to the network. A different account on the same device will be able to authenticate and connect again once and will then experience the same issue.

We have an old AOS 6 environment pointing to the same FreeRADIUS servers and configured in pretty much the same way on the Aruba side (all settings are the same apart from ones that might have changed between AOS 6 and 8) and that can authenticate fine.

We have logged a ticket with the vendor and they have had a look but have no ideas currently. I was just wondering if anyone had come across anything similar with FreeRADIUS? I have very little Linux or FreeRADIUS experience and another team is currently looking after the server. I have checked the RADIUS client config in the configuration file they have provided from FreeRADIUS and all seems OK. Is there any other configuration file that would be worth checking on the FreeRADIUS side?

Thanks



Wifi - 2019 - Wanting to move away from Cisco

So who's the next best? Aruba?

We have had so many wifi issues with Cisco. New controllers, new APs, etc., and the more we work on the system the more unstable it is. Horrible user experience and TAC is worthless. Literally worthless.

So who does it better in 2019? We'll be moving from ACS to ClearPass so we're thinking Aruba. We've used it in small-scale branch deployments, but not large offices.

Thanks!



Vlan Question

I am running into a predicament where I am attempting to manage a network and I ran into an issue with an IP phone that is also connected to the computer for internet (the internet cable connects to the IP phone's port, and another port runs to the PC's ethernet port). Is there a way to split each device onto a separate VLAN?



Why is the CISSP cert so in demand? And is it worth it for a network professional?

I was searching for opportunities based on keywords, and CISSP has more than twice as many opportunities as other certs. Why?

And for example, I am a network engineer who has always worked with firewalls and routers; is it worth it for me to take it? Thanks a lot...



Breaking out QSFP28 to 10G

I'm likely to have a new router with QSFP28 ports. I need to connect up some existing routers which only have 10GBASE-LR.

Does a QSFP28 support being broken out to 4x10G, and does it then handle the wavelengths required to connect to 10GBASE-LR?



EX2300 losing port aggregation, losing console, and not accessible; hard reboot is only fix (crosspost from /r/Juniper for more visibility)

https://ift.tt/2TTSjwQ

Cable tester fixes connection problem?

We have a CAT5 cable that runs from the switch through the wall and connects to a printer. One day, the printer went offline. I did some troubleshooting with the cable tester (a cheap one that you get from Amazon) and found out that pin 1 of the ethernet cable was showing a weak signal. I plugged it back in to the printer and it is back online. The next day, the printer is offline again; I simply pulled the ethernet cable from the printer, connected the cable tester to it, ran through each pin a couple of rounds, and plugged it back in to the printer. The printer is back online. It's not a switch port problem, because on the first day I changed the port and the printer was still offline. I restarted it, and it was still offline. The only thing I did on the second day was to pull the cable from the printer, stick it in to the cable tester, run through each pin a couple of rounds and plug it back in. The printer has been going offline randomly ever since, and I simply use the cable tester to put it back online. I'm pretty sure that replacing the cable would fix the problem permanently, but does anyone know why using the cable tester fixes the connection?



Not Able to Ping 8.8.8.8 from ASA 5508-x and Download ASDM

So this is my issue. I have an ASA 5508-X that I have set up. Last week I had everything working and was able to get to http://192.168.1.1/admin and install the ASDM console. Something happened between then and now, so I reset my ASA back to factory defaults. I thought it was a license issue because I kept getting that the license was expired, so I uploaded a new license and that is resolved. I am still having an issue trying to get to the ASDM console. I can ping my ASA, which is set to GbE1/3 and is 192.168.1.1. When I try to ping 8.8.8.8 I get the "No route to host" message. I have the network cable going from my laptop to port 3, and it is up and running. Any ideas?? Here's my config file... No, I forgot to save my previous config before going back to factory settings... noob mistake.

ASA Version 9.12(2)4
!
hostname ciscoasa
enable password ***** pbkdf2
names
no mac-address auto
!
interface GigabitEthernet1/1
 description FiOS
 nameif outside
 security-level 0
 ip address 71.127.XXX.XXX 255.255.255.0
!
interface GigabitEthernet1/2
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/3
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa9-12-2-4-lfbff-k8.SPA
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-openjre-7122.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
 nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b77caea5806ee5d186a1e08e7372a62b
: end
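Two things stand out when reading the posted config as a reviewer: there is no route statement at all, so the ASA has no path towards 8.8.8.8 whatever the interfaces say, and both http and ssh are permitted from 0.0.0.0 0.0.0.0 on the security-level 0 outside interface, which is the internet-facing side. The checker below is an added example written for this thread, not Cisco tooling and not from the post; it walks an ASA-style config text, maps each nameif to its security-level, and reports management access allowed from any source on a level-0 interface plus the absence of a default route. The sample excerpt is constructed from the lines above; the gateway in the second sample is a documentation-range placeholder, not a value from the post.

```python
import re
from typing import Dict, List

# Constructed excerpt: the interface and management lines from the ASA config
# posted above (the public address is masked exactly as in the post).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 description FiOS
 nameif outside
 security-level 0
 ip address 71.127.XXX.XXX 255.255.255.0
!
interface GigabitEthernet1/3
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
"""

# Same excerpt plus a default route; the gateway is a placeholder from the
# documentation range (RFC 5737), not a value taken from the post.
SAMPLE_WITH_ROUTE = SAMPLE_CONFIG + "route outside 0.0.0.0 0.0.0.0 198.51.100.1\n"

# "http|ssh|telnet <network> <mask> <nameif>" management-access lines.
MGMT_RE = re.compile(
    r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)
# "route <nameif> 0.0.0.0 0.0.0.0 <gateway>" is the ASA default route.
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)")


def interface_security_levels(config: str) -> Dict[str, int]:
    """Map each nameif to its security-level by walking the interface blocks."""
    levels: Dict[str, int] = {}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new block, forget previous name
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
    return levels


def lint_asa(config: str) -> List[str]:
    """Report management access open to any source on a security-level 0
    interface, and the absence of a default route."""
    levels = interface_security_levels(config)
    findings: List[str] = []
    has_default_route = False
    for raw in config.splitlines():
        line = raw.strip()
        m = MGMT_RE.match(line)
        if m:
            proto, net, mask, ifname = m.groups()
            level = levels.get(ifname)
            if net == "0.0.0.0" and mask == "0.0.0.0" and level == 0:
                findings.append(
                    f"{proto} management allowed from any source on "
                    f"'{ifname}' (security-level {level})"
                )
        if ROUTE_RE.match(line):
            has_default_route = True
    if not has_default_route:
        findings.append(
            "no default route: 'route <nameif> 0.0.0.0 0.0.0.0 <gateway>' is absent"
        )
    return findings


if __name__ == "__main__":
    for finding in lint_asa(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the posted config it reports three findings; adding a default route removes one and leaves the two management-exposure items, which is the order a practitioner would fix them in: restore the route to get traffic flowing, then restrict http and ssh on the outside interface to the addresses that actually need them.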



Aruba LACP

Hi everybody.

I'm reasonably new to Aruba so just looking for a bit of direction with an LACP issue I'm having.

Background: I'm doing some work for an organisation that has grown a fair bit, so we're installing a core/distribution layer pair of 8320s. Access switches are a mix of Aruba 2530s and 2540s.

We're looking to run MCLAG for links to access switches but for some reason the LACP is getting blocked. VSX has been configured on the 8320's and looks to be operating just fine.

Core Switch #1

interface lag 1
    description Inter-Switch Link
    no shutdown
    no routing
    vlan trunk native 1 tag
    vlan trunk allowed all
    lacp mode active
    lacp fallback
interface lag 30 multi-chassis
    vsx-sync vlans
    description TO ACCESS SWITCH
    no shutdown
    no routing
    vlan trunk native 10
    vlan trunk allowed all    *this will be limited down later*
    lacp mode active
    lacp fallback
interface 1/1/17
    no shutdown
    lag 30
    udld
    udld mode rfc5171 normal    *not sure if this should be ArubaOS*
vsx
    inter-switch-link lag 1
    role primary
    keepalive peer 192.168.127.2 source 192.168.127.1
    vsx-sync mclag-interfaces

CoreSwitch1# show lacp int
State abbreviations :
A - Active        P - Passive      F - Aggregable  I - Individual
S - Short-timeout L - Long-timeout N - InSync      O - OutofSync
C - Collecting    D - Distributing
X - State m/c expired        E - Default neighbor state

Actor details of all interfaces:
------------------------------------------------------------------------------
Intf    Aggr       Port  Port  State   System-ID          System  Aggr  Forwarding
        Name       Id    Pri                              Pri     Key   State
------------------------------------------------------------------------------
1/1/49  lag1       50    1     ALFNCD  d0:67:26:ff:f2:1e  65533   1     up
1/1/50  lag1       51    1     ALFNCD  d0:67:26:ff:f2:1e  65533   1     up
1/1/17  lag30(mc)  17    1     IE      d0:67:26:ff:f2:1e  65534   30    lacp-block

Partner details of all interfaces:
------------------------------------------------------------------------------
Intf    Aggr       Port  Port   State   System-ID          System  Aggr
        Name       Id    Pri                               Pri     Key
------------------------------------------------------------------------------
1/1/49  lag1       50    1      ALFNCD  d0:67:26:ff:93:86  65534   1
1/1/50  lag1       51    1      ALFNCD  d0:67:26:ff:93:86  65534   1
1/1/17  lag30(mc)  0     65534  IE      00:00:00:00:00:00  0       0

Core Switch #2

interface lag 1
    no shutdown
    no routing
    vlan trunk native 1 tag
    vlan trunk allowed all
    lacp mode active
    lacp fallback
interface lag 30 multi-chassis
    vsx-sync vlans
    description TO ACCESS SWITCH
    no shutdown
    no routing
    vlan trunk native 10
    vlan trunk allowed all
    lacp mode active
    lacp fallback
interface 1/1/17
    no shutdown
    lag 30
    udld
    udld mode rfc5171 normal
vsx
    inter-switch-link lag 1
    role secondary
    keepalive peer 192.168.127.1 source 192.168.127.2
    vsx-sync mclag-interfaces

CoreSwitch2# show lacp int
State abbreviations :
A - Active        P - Passive      F - Aggregable  I - Individual
S - Short-timeout L - Long-timeout N - InSync      O - OutofSync
C - Collecting    D - Distributing
X - State m/c expired        E - Default neighbor state

Actor details of all interfaces:
------------------------------------------------------------------------------
Intf    Aggr       Port  Port  State   System-ID          System  Aggr  Forwarding
        Name       Id    Pri                              Pri     Key   State
------------------------------------------------------------------------------
1/1/49  lag1       50    1     ALFNCD  d0:67:26:ff:93:86  65534   1     up
1/1/50  lag1       51    1     ALFNCD  d0:67:26:ff:93:86  65534   1     up
1/1/17  lag30(mc)  1017  1     IE      d0:67:26:ff:f2:1e  65534   30    lacp-block

Partner details of all interfaces:
------------------------------------------------------------------------------
Intf    Aggr       Port  Port   State   System-ID          System  Aggr
        Name       Id    Pri                               Pri     Key
------------------------------------------------------------------------------
1/1/49  lag1       50    1      ALFNCD  d0:67:26:ff:f2:1e  65533   1
1/1/50  lag1       51    1      ALFNCD  d0:67:26:ff:f2:1e  65533   1
1/1/17  lag30(mc)  0     65534  IE      00:00:00:00:00:00  65534   0

Any experienced Aruba people out there who can point out what I've missed?

Cheers in advance.



Multiple Cisco PPTP Connections with different Auth

Hi Guys,

I've been stuck on this one for a while now, I've done this with other routers such as Mikrotik, however I cannot seem to work this out on Cisco.

I have the router acting as the PPTP VPN server. I want Customer1 to log in and receive the 10.20.20.1 IP address and Customer2 to log in and receive the 10.30.30.1 IP address.

I have successfully been able to have both routers connect to the PPTP server with the local auth, the only issue is they both connect to VPDN-Group Customer1, and both receive the 10.20.20.1 IP address.

Is there a way in Cisco that you can assign local auth to specific VPDN Groups?
Please see config below:

vpdn-group Customer1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 session-limit 1
 local name Customer1
 no source vpdn-template
 l2tp tunnel timeout no-session 15
vpdn-group Customer2
 accept-dialin
  protocol pptp
  virtual-template 2
 local name Customer2
 no source vpdn-template
 l2tp tunnel timeout no-session 15
!
interface Virtual-Template1
 description Customer1
 ip unnumbered Loopback0
 peer default ip address pool Customer1
 no keepalive
 ppp encrypt mppe 128
 ppp authentication ms-chap ms-chap-v2
!
interface Virtual-Template2
 description Customer2
 ip unnumbered Loopback0
 peer default ip address pool Customer2
 no keepalive
 ppp encrypt mppe 128
 ppp authentication ms-chap ms-chap-v2
ip local pool Customer1 10.20.20.1
ip local pool Customer2 10.30.30.1
username cust1 password 0 cust1
username cust2 password 0 cust2



Wednesday, August 21, 2019

Question about rollover cables

I see everywhere saying that you cannot use an Ethernet cable for console connections. This makes sense. However, I recently started looking into auto MDI-X and how that applies to patch cables.

Is there a program somewhere that acts as an "emulator" to allow a regular Ethernet to receive from a console port? Even potentially a driver that I could install that acts like a console connection emulator for an Ethernet nic?

Finally, why hasn't a standard like auto MDI-X already been implemented for making console ports easier to use?

Probably a dumb question, but if it never gets asked, then I will never know.



ATM Network connection

We have a few ATM machines (where you can buy cryptocurrencies) in our office and they are all connected to our office network inside our firewall. Now we want to place our ATM machines around the city and we don't know yet how they will get an internet connection. We considered using 3G USB dongles connected to each machine, but I am not sure how secure it will be and how we will reach them, for instance if we want to apply some updates.

Any thoughts about how to accomplish this would be very appreciated.

Thanks.



How to access Cisco ISE Bios?

Hello friends.

I wanted to ask you if I can access the Bios via the Serial Port on a Cisco ISE. The Serial Port should be on Port 10 (see Figure 2):

https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8-1/installation/guide/csacs_book/csacs_ovr_ucs3500.pdf

My task is to change the boot order to USB for a recovery - is that possible with a RJ45 to Serial Cable?



Ruckus vs Unifi

My wife’s company needs to roll out APs throughout a nursing home she is responsible for. Her IT company wants to put in Ruckus r310s and I’m wondering why not install Unifi APs? The only advantage that I see in the Ruckus r310 over the Unifi AC-Pro is their ability to have more SSIDs which they do not need. What are your thoughts on pros and cons and why they would insist on installing Ruckus? The only thing I can think of is the higher cost and annual support subscription costs but I probably don’t know enough. Can anyone educate me?



Recommend me an access switch

We are about 1/3 of the way through a campus-wide access switch replacement. Before I got here a decision was made to go with Meraki from the core to the edge. After a lot of issues getting the MS425 stack to work in the core with the existing 2690's, we started buying/installing the MS350 edge switches. The edge switches have been fine, but there are a lot of weird issues with the core and you never really know what's going on because you can't see any useful logging. I think I may have an opportunity to switch to something else for the rest of the project and would like some input. The HP Aruba switches look like a decent option, but I can't figure out which model I would need.

Requirements:

  • Stacking
  • 10G uplinks
  • mGig Ports
  • Layer 3 might be good for future but not 100% required (although with the other requirements it looks like I'm in layer 3 territory anyway)

What model HP should I look at or should I look at a different vendor?



Strange DNS behavior, am I poisoned?

Hey all,

I have a local DNS caching server set up.

I also have a few local hostnames assigned ( Orion, Gemini, etc.) for different servers here.

I ran `dig orion` and `dig gemini` commands and received these unexpected replies:

orion.  10 IN A 23.202.231.166
orion.  10 IN A 23.217.138.107
gemini. 10 IN A 23.217.138.107
gemini. 10 IN A 23.202.231.166

These are not my IPs, nor are they IPs that I recognize.

These IPs seem to map back to Akamai Technologies.

At first, I thought they might be a default public DNS (root server or something), but these IPs do not respond to DNS queries, nor are they listening on port 53. (Note: They are open on port 22, 80.)

In addition, searching for the IPs in Google returns multiple results where other people have had these IPs returned to them when resolving what should be a local hostname.

I did restart the local DNS services (which clears the local cache.) After the service restart I am not seeing these mystery IPs appearing anymore.

Any idea what is going on with these IPs? Is my local DNS cache being poisoned?
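The useful thing to have in place before a restart clears the cache is a record of the anomaly: names the resolver is supposed to answer from local data, checked against the address space those answers are allowed to fall in. The script below is an added example for this thread, not code from the post; it parses dig-style answer lines and flags any answer for a name in the local set whose address lies outside the local prefixes. The sample answers are constructed from the four records quoted above plus one clean record; the local name set and prefixes are assumptions for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample modelled on the dig answers quoted in the post above;
# the "nas" record is added here to show a record that passes the check.
DIG_ANSWERS = """\
orion. 10 IN A 23.202.231.166
orion. 10 IN A 23.217.138.107
gemini. 10 IN A 23.217.138.107
gemini. 10 IN A 23.202.231.166
nas. 3600 IN A 192.168.10.20
"""

# Names the resolver is supposed to answer from local data, and the address
# space those answers may legitimately fall in (assumed values for this example).
LOCAL_NAMES = {"orion", "gemini", "nas"}
LOCAL_PREFIXES = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("fd00::/8"),
]

# "name TTL IN A|AAAA address" as printed in a dig ANSWER SECTION.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)$")


def parse_answers(text: str) -> List[Dict]:
    """Parse dig-style address records; lines that are not A/AAAA are skipped."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue
        name, ttl, rtype, addr = m.groups()
        records.append({
            "name": name.rstrip(".").lower(),   # normalise "orion." -> "orion"
            "ttl": int(ttl),
            "type": rtype,
            "addr": ipaddress.ip_address(addr),
        })
    return records


def check_local_answers(text: str, local_names=LOCAL_NAMES,
                        local_prefixes=LOCAL_PREFIXES) -> List[Dict]:
    """Return every answer for a local name whose address is outside the
    expected local prefixes. An empty list means nothing looks wrong."""
    anomalies = []
    for rec in parse_answers(text):
        if rec["name"] not in local_names:
            continue
        # ip_network.__contains__ returns False for a mismatched IP version,
        # so mixing v4 and v6 prefixes here is safe.
        if any(rec["addr"] in net for net in local_prefixes):
            continue
        anomalies.append({
            "name": rec["name"],
            "addr": str(rec["addr"]),
            "ttl": rec["ttl"],
            "reason": "answer for a local name is outside the local prefixes",
        })
    return anomalies


if __name__ == "__main__":
    for a in check_local_answers(DIG_ANSWERS):
        print(f"{a['name']:8} {a['addr']:16} ttl={a['ttl']:<5} {a['reason']}")
```

Run from cron against `dig +noall +answer <name>` output, the non-empty result is worth logging with a timestamp, the resolver's own upstream settings and the query path that produced it, since that evidence is exactly what disappears when the service is restarted.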



Looking for suggestions on what networking blogs to read

Looking to spend more time reading networking blogs, but could use some suggestions on which ones are worth reading.



Ruckus ZoneDirector OIDs

I'm looking for a specific OID for a Ruckus ZoneDirector 1200. Is anyone familiar with the process for finding them? I have a generic SNMP template that I am using on my monitoring server, but it's missing the network traffic and AP count OIDs.



Any CBRS books out there yet?

I haven’t found any yet, but I’m looking to get into this.

The only thing I have found is a class from CommScope, but it's $500ish.



Emulating Network Conditions

Hi

So currently my aim is to emulate specific network conditions on a linux vm such as bandwidth, packet loss, jitter and delay which I can currently do using netem scripts.

However, my aim is to emulate specific network conditions such as WiFi, GPRS or satellite. The problem is that, apart from network speeds, I am struggling to find references for metrics like packet loss or latency that a GPRS or satellite network may experience.

Looking at sources such as wikipedia I can only find common network speeds but no other metrics.

Does anyone know where I can find these metrics?

Thanks a lot in advance



What is your company doing for Guest Wireless?

How are you letting guests connect? Is it open, with a PSK, or registration type? Trying to figure out a quick but secure way to get guests on the guest wifi network.



Reaching internet from a BGP router

Hi!

Diagram

I'm setting up eBGP between the ISP and my client's network. That is not a big deal, public services work wonders.

Navigation traverses through this router - which is an F5 - and goes to the internet NATted to a couple of IPs on the public range.

Now, absolutely everything that should reach the internet does, except for the F5 itself. Since it does not go through the F5, its packets are not NATted, and thus, come out with its real IP (the peering network). This network, of course, is not published to the internet, so the F5 does a couple of hops and then dies.

How do I make my device reach the internet?

Thanks!



3rd party company set up Cisco switch for my company and I feel like I'm locked out of it.

I work for a company that is acquiring smaller companies rapidly and our infrastructure is playing catch-up. Before I got here, there were 2 Cisco switches that are synced with the Meraki cloud. This setup was commissioned out to a 3rd-party network consulting company.

We want to add a new switch and integrate it into our Meraki. My game plan is to download the running config files off the current 2 switches and upload them to this 3rd switch once it arrives.

The switch models, and the next one that is being ordered, are Cisco MS120-48LP. https://meraki.cisco.com/products/switches/ms120-48

Here's the issue though: I cannot find any way to get into the switch's CLI or the http splash page when you type the switch's IP address into a browser. I think this 3rd-party company locked the switch down to prevent getting into these resources. The IP address page times out, and there's an ethernet port on the back of the switch which I assumed was for serial cabling into. I have a USB to RS232 converter which connects to the Cisco rollover cable.

I tried using PuTTY at various speeds to get to the CLI and made sure all settings were correct, but nothing I tried worked. I ran an ethernet cable to this management port and got to a management webpage, but this only allows changing the same settings as you can in Meraki. It's not the http splash page that allows you to download the config file, etc.

I've contacted the consulting company, but they're giving us the run-around and told us "There is no local config on Meraki switches and also no capability to access a CLI" and "these features never existed" (which I am smelling total bullshit on). Everything in my gut is telling me that they disabled these features to force us to go through them.

Is it possible to disable the CLI from the management port and disable the http splash page on these switches? If so, how can I unlock these features and get into the CLI or this splash page? Once this new switch comes in, can I plug it in and just use Meraki to clone the settings into this new switch?

Feedback would be greatly appreciated, thank you!



Catalyst 9k, stacks, mismatched licenses ?

Hello all,

My understanding is that when building a stack, the license level has to match. I believe the mismatched switch(es) won't even join the stack? This makes sense to me; otherwise how would it work? If the least-licensed switch became master, I'd assume you'd lose advanced layer 3 features for example, and the config would get trashed with missing sections...

I have a client that has various 9300s, of various license levels (Network Essentials vs. Advantage). We looked at the show license right-to-use output from one of their stacks, and 2 of the 3 switches reported Network Advantage, but the 3rd switch showed output for both Essentials and Advantage. What would this mean? Was this switch's license upgraded at some point?

Sorry for the lack of details and history on this, I'm playing catch up/forensics trying to unravel what they have purchased and how it's working. My general MO is buy what you need, get it all the same, build your stack, and go on with your life. I'm just struggling unraveling what this client has and how to get them to where they need to be. Thanks.



RADIUS not using Loopback IP as Source IP even when configured

Hi,

I am seeing an issue where a Juniper EX4300 is not using the source IP of a loopback in the RADIUS packets it sends out. Interestingly, in the NAS-IP attribute it still sends the loopback IP I configured. Basically the source IP of the RADIUS UDP packet and the NAS-IP are different. It's using the IP address of my uplink, which has reachability towards the RADIUS server, in the IP header and puts the loopback IP in the RADIUS NAS-IP attribute. This is causing some problems for me and I would like both the IP header and NAS-IP to use the loopback. Any knobs I need to be aware of to achieve this?

Thanks in Advance.
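The mismatch described in this post is visible on the server side, because RFC 2865 carries the NAS identity twice: once implicitly as the UDP/IP source address and once explicitly as attribute 4, NAS-IP-Address. A server or collector that compares the two catches exactly this kind of misconfiguration (and, from a defender's view, any request whose claimed NAS does not match where it came from). The code below is an added example for this thread, not from the post and not a real RADIUS implementation: it builds a minimal Access-Request with a constructed user name and NAS-IP-Address, parses the attribute list back out, and reports whether the attribute agrees with a given source address. The addresses used are assumptions for the example.

```python
import os
import socket
import struct
from typing import List, Optional, Tuple

CODE_ACCESS_REQUEST = 1     # RFC 2865 packet code
ATTR_USER_NAME = 1          # RFC 2865 attribute types
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20             # code(1) id(1) length(2) authenticator(16)


def build_access_request(username: str, nas_ip: Optional[str],
                         ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Build an Access-Request: header followed by TLV attributes.
    nas_ip=None omits the NAS-IP-Address attribute (RFC 2865 allows
    NAS-Identifier instead), which the check below reports as 'absent'."""
    authenticator = authenticator or os.urandom(16)   # Request Authenticator
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    attrs = b""
    user = username.encode()
    attrs += struct.pack("!BB", ATTR_USER_NAME, 2 + len(user)) + user
    if nas_ip is not None:
        attrs += struct.pack("!BB", ATTR_NAS_IP_ADDRESS, 6) + socket.inet_aton(nas_ip)
    length = HEADER_LEN + len(attrs)               # length covers the whole packet
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, length) + authenticator + attrs


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs; reject anything that does not fit the header length."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def extract_nas_ip(packet: bytes) -> Optional[str]:
    """Return the dotted NAS-IP-Address (attribute 4), or None if absent."""
    for atype, value in parse_attributes(packet):
        if atype == ATTR_NAS_IP_ADDRESS and len(value) == 4:
            return socket.inet_ntoa(value)
    return None


def nas_ip_matches_source(packet: bytes, src_ip: str) -> Optional[bool]:
    """True/False when the attribute is present, None when it is absent.
    src_ip is the IP-header source the server saw (recvfrom address)."""
    claimed = extract_nas_ip(packet)
    if claimed is None:
        return None
    return claimed == src_ip


if __name__ == "__main__":
    # Constructed scenario from the post: loopback in the attribute,
    # uplink address in the IP header.
    pkt = build_access_request("switch-login", "10.255.0.1")
    print("header source 10.0.12.2 matches NAS-IP?",
          nas_ip_matches_source(pkt, "10.0.12.2"))      # False
```

A server that logs the pair (source, NAS-IP-Address) per request gives you a quick way to confirm whether a knob on the NAS actually changed the header source, rather than only the attribute, after each configuration change.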



Cisco wlc question

Hello,

I have a question that I hope someone can answer. We have a Cisco WLC that has a guest network configured on it. I have been asked to update the certificate for this wireless network, as the current cert is an old Symantec one that is no longer trusted and people struggle to connect. I have bought a new certificate and have read a bunch of guides on how to upload the new cert, but none of the guides say what to do with the old cert. So my question is, what do we do with the old cert? Do we delete it somehow?

It is a 3rd party cert and it is still valid.



Available high scale virtual routers - alternatives to Mikrotik CHR

Hello,

At my company where we have a pretty high scale network (5000+ devices) we are hosting our core network on our own appliances in a datacenter. We are working with a lot of Mikrotik devices so as a result we are using the CHR images on vmware for routing in our DC.

Lately we have some issues with the performance of the Mikrotik CHR images in combination with our AMD Epyc processors. When we route about 1Gbps of throughput through an appliance with 4 threads we notice a CPU load of about 60%. Doing the same with FRR we are able to route 1Gbps of packets at about 20% CPU on 2 threads.

We have had this issue since we swapped our servers from Intel CPUs to AMD Epycs. We have had numerous support cases on this matter with Mikrotik, VMware, ... After about a year of debugging this matter we are now looking at other options.

Are there any recommendations? Currently we are looking at virtual Cumulus appliances as an option. VyOS is also currently being looked at. Any shared experiences with these are appreciated.

Features that we use:

  • BGP
  • IPSEC / L2TP /PPTP/SSTP
  • VLANS
  • LLDP
  • Radius / LDAP
  • STP / RSTP / MSTP
  • LACP Bonding
  • DHCP (with options, relay)
  • NAT
  • Firewalling
  • Policy Based Routing
  • SNMP

optional:

  • VxLAN
  • WireGuard
  • Linux shell (iperf, tcpdump, dig, nmap, ....)

Any help is appreciated, if you want more info on our setup, just let me know!



IAID vs Different types DUID in DHCPV6 messages

There are 3 types of DUID: link-layer address appended with a timestamp, a vendor-assigned unique ID, or only the link-layer address, whereas the IAID is just the link-layer address. My doubt is which one is a better candidate for uniquely identifying a DHCPv6 transaction (solicit, advertise, request, reply)? Thanks
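The three DUID forms the question lists are DUID-LLT, DUID-EN and DUID-LL (types 1, 2 and 3 in RFC 8415; type 4, DUID-UUID, also exists). Two related identifiers are worth keeping apart from them: the IAID is a 4-byte value the client chooses per identity association (in practice per interface) and carries inside the IA_NA option, and each Solicit/Advertise/Request/Reply exchange is tied together by the 3-byte transaction-id in the message header, not by either identifier. The code below is an added example for this thread, not from the post: it encodes and decodes the DUID types and builds and parses a minimal Solicit so the three fields can be seen in their actual positions. The MAC, timestamp and IAID are constructed sample values.

```python
import struct
from datetime import datetime, timedelta, timezone

# DUID types (RFC 8415 section 11) and the IANA hardware type for Ethernet.
DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
HW_ETHERNET = 1
# DUID-LLT time field counts seconds since 2000-01-01 00:00 UTC, modulo 2^32.
EPOCH_2000 = datetime(2000, 1, 1, tzinfo=timezone.utc)

# DHCPv6 message type and option codes used below (RFC 8415).
MSG_SOLICIT = 1
OPTION_CLIENTID, OPTION_IA_NA = 1, 3


def encode_duid_llt(link_layer: bytes, when: datetime,
                    hw_type: int = HW_ETHERNET) -> bytes:
    """DUID-LLT: type(2) | hw-type(2) | time(4) | link-layer address."""
    secs = int((when - EPOCH_2000).total_seconds()) & 0xFFFFFFFF
    return struct.pack("!HHI", DUID_LLT, hw_type, secs) + link_layer


def encode_duid_en(enterprise_number: int, identifier: bytes) -> bytes:
    """DUID-EN: type(2) | IANA enterprise number(4) | vendor-assigned identifier."""
    return struct.pack("!HI", DUID_EN, enterprise_number) + identifier


def encode_duid_ll(link_layer: bytes, hw_type: int = HW_ETHERNET) -> bytes:
    """DUID-LL: type(2) | hw-type(2) | link-layer address."""
    return struct.pack("!HH", DUID_LL, hw_type) + link_layer


def decode_duid(duid: bytes) -> dict:
    """Decode any of the four DUID types into a dict; reject short or unknown input."""
    if len(duid) < 2:
        raise ValueError("DUID too short")
    (dtype,) = struct.unpack("!H", duid[:2])
    if dtype == DUID_LLT and len(duid) >= 8:
        hw_type, secs = struct.unpack("!HI", duid[2:8])
        return {"type": "LLT", "hw_type": hw_type,
                "time": EPOCH_2000 + timedelta(seconds=secs),
                "link_layer": duid[8:].hex(":")}
    if dtype == DUID_EN and len(duid) >= 6:
        (enterprise,) = struct.unpack("!I", duid[2:6])
        return {"type": "EN", "enterprise_number": enterprise,
                "identifier": duid[6:].hex()}
    if dtype == DUID_LL and len(duid) >= 4:
        (hw_type,) = struct.unpack("!H", duid[2:4])
        return {"type": "LL", "hw_type": hw_type, "link_layer": duid[4:].hex(":")}
    if dtype == DUID_UUID and len(duid) == 18:
        return {"type": "UUID", "uuid": duid[2:].hex()}
    raise ValueError(f"unknown or malformed DUID (type {dtype}, {len(duid)} bytes)")


def build_solicit(transaction_id: int, client_duid: bytes, iaid: int,
                  t1: int = 0, t2: int = 0) -> bytes:
    """Minimal Solicit: msg-type(1) | transaction-id(3) | Client ID | IA_NA options."""
    msg = struct.pack("!B", MSG_SOLICIT) + transaction_id.to_bytes(3, "big")
    msg += struct.pack("!HH", OPTION_CLIENTID, len(client_duid)) + client_duid
    ia_na = struct.pack("!III", iaid, t1, t2)       # IAID, T1, T2, no sub-options
    msg += struct.pack("!HH", OPTION_IA_NA, len(ia_na)) + ia_na
    return msg


def parse_solicit(msg: bytes) -> dict:
    """Pull transaction-id, client DUID and IAIDs back out of a Solicit."""
    out = {"msg_type": msg[0], "transaction_id": int.from_bytes(msg[1:4], "big"),
           "client_duid": None, "iaids": []}
    pos = 4
    while pos + 4 <= len(msg):
        code, length = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if code == OPTION_CLIENTID:
            out["client_duid"] = decode_duid(value)
        elif code == OPTION_IA_NA and length >= 12:
            out["iaids"].append(struct.unpack("!I", value[:4])[0])
        pos += 4 + length
    return out


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")                     # constructed sample MAC
    duid = encode_duid_llt(mac, datetime(2019, 8, 21, tzinfo=timezone.utc))
    print(parse_solicit(build_solicit(0xABCDEF, duid, 0x01020304)))
```

For correlating one exchange in a capture, key on transaction-id; for tracking a client across exchanges and reboots, key on the DUID; the IAID only distinguishes identity associations of a single client, which is what the DUID-versus-IAID question comes down to.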



Use Fortigate as switch vs Cisco 2911

So here's the context:

At a remote office with 5 people, I have a Fortigate 80E with 14 open ports as the main router/firewall. Below that, I have a Cisco 2911 with a switching module with 15 ports being used (this router used to be used for PRI phone connections). The problem is that the switching module is only 10/100. This 2911 is also the DHCP server for the voice and data subnets. This office decided to purchase 300/30 Mbps internet without consulting us, but doesn't want to purchase a gigabit switch to make their lives easier. So I'm stuck with what I have. Here's a quick Visio diagram of the setup: https://i.imgur.com/1NsL5Jh.png

So here's what I'm thinking. Since the Fortigate doesn't have enough ports, I can use the 2911 switching module for the printers and move everything else to the Fortigate. My question is, how can I use the Fortigate ports as a "switch" when the DHCP server is on the 2911? Should I just make the Fortigate the DHCP server, and the 2911 a "dumb" switch?

Or should we just push them to buy a gigabit switch?



Two AP controllers on different VLANs. How are APs finding the controller on the other VLAN?

We have two AP management VLANs with a Mobility Express controller on each. At times, when the controller on one VLAN is rebooted, the APs on its VLAN join the controller on the other VLAN.

I don't have any ip forward-protocol commands on my core for anything CAPWAP/LWAPP, and I do have DHCP option 43 configured.

How are these APs finding the other controller?



Data Center Patch Cable Cleanup Advice and Suggestions

This weekend I am going to be embarking upon a small data center patch cable cleanup. It's only two 42U racks. In a vacuum, I feel like the easiest way to do things is to simply remove all existing patch cables and re-run with appropriate-length cables. While this approach is an option, it would be nice to be able to track each cable move so that I can be confident that every device is plugged back into the correct port after it has been managed. The reason for this is that I am not super-duper confident that the administrators of the servers affected will be readily available to validate everything post cable move.

I do have full access to all switches so I can validate MAC addresses, ARP tables, CDP and such.

Does anyone have any words of wisdom or general advice for this type of scenario?



RJ45 crimping question

My boss insists that when crimping an rj45 onto cat5e, we should squeeze the crimper multiple times to ensure a good connection on each side. I believe the opposite. I feel that squeezing the crimper once is fine and any more than that is asking for trouble down the road. Can I get a verdict from you folks on this please?

Thanks!



Same VLAN-ID in different networks?

Maybe you can help me out on my mental blockade: Is it possible for two machines in two different subnets to communicate when they are in the same VLAN?

I just had two VMs on the same portgroup in my vSwitch (so the same VLAN-ID), but they were in different subnets (IP-wise), so they couldn't communicate. After I changed the IP so they are both on the same subnet, they could finally ping each other. But why did I have to change the IPs if they are already on the same VLAN (VLAN 1)?

What has priority? VLAN or subnet?
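The order in which a host decides is the answer to the priority question: the sender consults its own subnet mask first, and only then does the VLAN matter, because it determines whether the ARP request and the resulting frame can reach the destination at all. The function below is an added example for this thread, not from the post; it reproduces that forwarding decision for constructed hosts (the addresses, VLAN numbers and gateway are assumptions) so the three cases from the post can be compared side by side: same VLAN and different subnet, same VLAN and same subnet, and same subnet but different VLAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Host:
    """Constructed host: broadcast domain (VLAN), address with prefix, optional gateway."""
    name: str
    vlan: int
    iface: ipaddress.IPv4Interface
    gateway: Optional[ipaddress.IPv4Address] = None


def next_hop_decision(src: Host, dst: Host) -> str:
    """Reproduce the sender's decision for a packet to dst.

    Step 1 is purely the sender's own mask: is dst on-link or not?
    Step 2 is the VLAN: an on-link destination is only reachable if the ARP
    request can reach it, and ARP never crosses a VLAN boundary.
    An off-link destination is handed to the default gateway; without one the
    sender has nowhere to send the packet, whatever VLAN the peer sits in."""
    on_link = dst.iface.ip in src.iface.network
    if on_link:
        if src.vlan == dst.vlan:
            return "direct: on-link by mask and same VLAN, ARP resolves"
        return "unreachable: on-link by mask but different VLAN, ARP never answered"
    if src.gateway is None:
        return "unreachable: off-link by mask and no default gateway"
    if src.gateway not in src.iface.network:
        return "unreachable: gateway is not on the sender's own subnet"
    return f"via gateway {src.gateway}: off-link by mask, router decides from here"


if __name__ == "__main__":
    # The situation from the post: same VLAN 1, different subnets, no router.
    vm1 = Host("vm1", 1, ipaddress.IPv4Interface("192.168.1.10/24"))
    vm2 = Host("vm2", 1, ipaddress.IPv4Interface("192.168.2.10/24"))
    print(vm1.name, "->", vm2.name, ":", next_hop_decision(vm1, vm2))
    # After re-addressing vm2 into vm1's subnet.
    vm2_fixed = Host("vm2", 1, ipaddress.IPv4Interface("192.168.1.20/24"))
    print(vm1.name, "->", vm2_fixed.name, ":", next_hop_decision(vm1, vm2_fixed))
```

The same function also shows the mirror-image failure that bites people who share a subnet across two VLANs: the mask says on-link, so the sender ARPs and waits, and nothing ever answers.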



Dual 5GHz radios vs doubling bandwidth (40/80/160)

We're running a 40MHz 802.11ac deployment today and we're seeing quite a lot of throughput need (28 clients downloading 7 GB at the same time and that kind of stuff). Got me thinking about MU-MIMO, which isn't really useful as our clients don't support it, AND:

What would be the benefit of running two 5GHz radios vs just going for 80MHz bandwidth, if any? We're running Cisco 2802i APs, and I can't really see why dual 5GHz would be beneficial unless you're already running 160MHz on your primary 5GHz radio?

Anyone running dual 5GHz who got some points to throw in?



ISE BYODs with TLS, joining Windows Server domains afterwards or before?

Hello guys,

A few days ago I asked a similar question at r/sysadmin. Basically I have ISE set up for BYODs with a provisioning app that configures clients for TLS authentication, ISE being the sub CA.

If a BYOD has already joined a domain before going through the BYOD web configuration, the auth fails (the domain client does not get the personal cert in its certmanager, and only admins can see them on that device (win10)).

To make my question less complicated: did anyone manage to set up an ISE BYOD policy with TLS and the ability for those BYODs to join an AD afterwards?

Because apart from joining a domain before being TLS authenticated sounding illogical to me, it also does not work; on the other hand, joining a domain after a successful TLS authentication did not work for me (the client does not carry the personal cert over from the normal win10 account to the certmanager of the AD account, so an AD account would not be able to go further with authentication because it does not get the personal cert in its context).

Any clues or info is appreciated; also keen to know if anyone does have ISE with TLS and domain join set up for BYODs.



Tuesday, August 20, 2019

Copying encrypted secrets in config to a different AireOS device

I should know the answer to this but for some reason I have an uneasy feeling, so I came here for advice (or possibly to be called an idiot).

I have 2x Cisco AireOS WLC devices A and B.
I want to export the config from A and restore it on to B with some minor changes like hostname and IP address.
In the config of A are encrypted secrets, many secrets, some of them for admin, some for each radius server, snmpv3, etc.
I know that the same secret on a different device creates a different hash.

Can I just import the config file with A's hashes and magic will happen to convert these to working secrets on B?
Or do I need to re-enter the secrets?

No, this isn't an HA scenario; I really do need to export/import the config files.



Cisco DNA Rollout

I was tasked with implementing DNA Center into our infrastructure, from the ground up. Let's embark on this journey and see how it plays out.

Completed thus far:

  1. discovery phase
  2. hardware/licensing ordered (in hand)
  3. UCS (3 Servers, 6 Host)
  4. CIMC Installed
  5. DNA Center installed on UCS
  6. Fully built lab that replicates our prod environment
  7. Templates built for various switches
  8. golden images loaded based on switch model
  9. Global hierarchy built out (partially, more on that later)
  10. Provisioned a switch remotely, locally, and in the lab

Before I get into my experience with DNA-C Appliance, I want to pre-warn ANYONE that is looking into rolling this out.

  1. Do NOT under any circumstance, forget:
    1. CIMC Password
    2. Maglev Password
    3. DNA-C Admin Password

Standing DNA up has been frustrating to say the least. I had to build routes from the core to the pizza box. I had to build routes to the lab that only traversed the internet VLAN and nothing else (because of how our environment is set up, if I staged a live switch, it would break one of our sites due to IP conflicts).

Frustration 1:

RADIUS

If you plan on implementing RADIUS to access DNA-C so you do not have to create/use local accounts -think again. This is not possible without ISE (very clever, Cisco). I spent countless hours troubleshooting why RADIUS wouldn't work. I followed their documentation to a T (funny, they have documentation for something that doesn't work). I spent hours on the phone, Webex, and email with TAC -to no resolution.

I created a new friendly name on the RADIUS server, used the existing Cisco shared secret that we use with other Cisco gear. I tried creating it from the ground up (to ensure there wasn't a key mismatch)

TAC Resolution (from the guy that created the documentation for RADIUS/DNA) "Implement ISE, RADIUS to the DNAC simply doesn't work" -fantastic!!

Advice: Implement ISE alongside DNA or be prepared to make user accounts and privileges (your own little AD)

Frustration 2:

Templates

Get ready to configure the hell out of some switches. I know with automation comes a lot of manual behind-the-scenes shit to get it up and running, but my word. Cisco, no baseline templates? You have to build from scratch. Being that we are in the middle of a network refresh, the sentiment of having to configure a switch once (template building), granted the config is correct (DNA yells a lot), I guess it's ok. Once you iron the kinks out and the template is bulletproof, you can go ahead and lock in your Day0 template. After your Day0 is tried and tested, it's time to build your DayN template (this is where you will adopt and claim a switch into a site within DNAC), pretty much prod ready.

Templates ARE fickle. The way DNA interprets them is a mystery. I have taken a switch config from one that I was replacing, threw its config into a DNA template, and it errored out every single time.

Advice: use variables properly. I found strings worked better on L2 switches (for mgmt interfaces) and integers worked better on L3 switches (for mgmt interfaces and plan interfaces).

Frustration 3:

Global Settings

The hierarchy is downright despicable. It is a mess to say the least. Clunky and certainly not intuitive. The interface was not planned out well, I am not sure what design language they were going for, but I am not a fan. For instance the "Provision" contextual menu at the top houses sub-options that you wouldn't know about, because it's not clear. This so happens to be where DNA's bread and butter lives: "Plug and Play" or "UPnP" to kick off provisioning.

Menu Navigation goes something like this:

  • Design
    • Network Hierarchy
    • Network Settings
      • Network
      • Device Credentials
      • IP Address Pools
      • SP Profiles --> QoS
      • Wireless
    • Image Repository
    • Network Profiles
    • Authentication Template
  • Policy
    • Dashboard
    • Group-Based Access Control
      • Group-Based Access Control Policies
      • Scalable Groups
      • Access Contract
    • IP Based Access Control
      • IP Based Access Control Policies
      • IP Network Groups
      • Access Contract
    • Application
      • Application Policies
      • Applications
      • Application Sets
      • Queuing Profiles
    • Traffic Copy
      • Traffic Copy Policies
      • Traffic Copy Destination
      • Traffic Copy Contract
    • Virtual Network
  • Provision
    • Devices
      • Inventory
      • Plug and Play
    • Fabric
    • Services
  • Assurance
    • Health
      • Overall
      • Network
      • Client
      • Application
    • Dashboards
      • Sensor
      • Dashboard Library
    • Issues
      • Global Issues
      • All Issues
    • Manage
      • Sensor-Driven Tests
      • Client Intelligent Capture
      • AP Intelligent Capture
      • Issue Settings
    • Platform
      • Overview
      • Manage --> Bundles --> Configurations
      • Developer Toolkit --> APIs --> Integrations Flows --> Data and Reports --> Multivendor Support
    • Runtime Dashboard

As you can see, this is very convoluted. I am used to it now, but you can see why it can be unwelcoming when just beginning.

Frustration 4:

Provisioning

This is what DNA was built for, automating switch configurations by way of templates. Well, I can tell you, when it works, it's amazing -WHEN IT WORKS.

I have had more error than provisioned messages. You claim the switch, select the IOS image you want (upgrade to golden image if you so choose), set the parameters you defined in the templates, set and claim the device to the site in which this will be deployed. Sit back, cross your fingers, and prepare to be pissed.

There is a bug with chrome, while filling out your parameters, you can not scroll down far enough to see "DHCP or default gateway properties".

  • Temp workarounds: F11 (sometimes works). Enter the value in notepad, copy it, go to the line above, click, then tab and paste. Janky, but works.

Advice: do not interrupt DNA when it is provisioning. You will end up with a blank switch (no image) in ROMMON. If you find yourself in this predicament, console into the switch, "wr erase", "wr mem", "sh boot", make sure it is NOT the .bin file, make sure this is pointed to "BOOT variable = flash:packages.conf"; if you don't, you will disable UPnP and DNA will not be able to do its job.

I understand that every network is different. Every template will vary. Every use case will vary. This is just MY experience thus far. I do NOT hate DNA (contrary to what I have written). It is a newer product with a lot of bugs. It has a great use case and demographic. I am just giving you my POV (the engineer in the trenches). Others that use DNA, once it is already set up, will think it is the greatest thing since sliced bread -I will probably join them in that consensus. For now, while standing it up, I still think it needs work.

Right now I am fighting a 9200 L2. Let me know if you want to hear about the fun I am having with this....

I hope this didn't deter anyone. I just needed to rant more than anything, and maybe I will run across someone that can give me pointers and help my deployment go a lot smoother than it has been. If you made it this far -CONGRATS!

TL;DR

Cisco DNA is great when it works. It still has a lot of shortcomings and obstacles to overcome. Be prepared to exert a lot of time and energy implementing this into your environments.

-NetworkGnome



Weird question about packets, you probably have never seen this one before

So I need to make a connection to my own server go from my LAN out to the internet and come back, rather than it just going through the LAN to reach the server. How does one do this? Connection type is TCP/UDP. Comment any other information you need.



New Gig as Network Installer

I landed a gig as a Senior network installer for DoD and will be travelling CONUS and OCONUS on a large team refreshing hundreds of small to medium-size networks. This is pretty much a dream job. No one job should take more than a couple of weeks to complete. It sounds brutal, but I've always wanted to do something like this. Anyhow, I have a question about essential tools. Any recommendations as far as the best, most essential tools to bring? At the least, I was thinking about splurging on an electric screwdriver with some balls. Nothing is as satisfying as mounting equipment in mere seconds.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Build vs. Buy - Networking Software

Been reading up a lot on this; wondering what the consensus is here. I have a biased opinion coming at this from a vendor perspective, so I find this very interesting.



Riverbed sales model hopelessly broken? Or are we just too small to be worth their time?

We are (formerly) happy Riverbed customers. We're a small business with a couple of Steelhead appliances that are nearing end of life. We'd like to replace them.

I've tried calling Riverbed directly-- sales calls go to voicemail, not returned.

I've filled out the web form. Someone called to qualify me and then set up a sales call by appointment. No one called.

I reached out to Insight to have them get a quote for me, theory being that they have enough buying power to be taken seriously. They've been trying to get a quote for over a week now.

The latest, per my Insight rep, is that every purchaser must be qualified prior to receiving a quote, and there is currently "no one assigned to the New Orleans area" and therefore no one available to approve a quote.

We've been customers since before the world went cloud crazy (since about 2006). I can promise you we didn't have any trouble getting attention from Riverbed sales then. Riverbed should be ashamed.

Can anyone recommend a wan optimization appliance to replace them? I've always felt Riverbed was best of breed, particularly since we're slinging large AutoCAD models over the WAN link all day. But apparently they are now manufactured from unobtanium. The worst part is going to be burning my orange screwdrivers...



Rough costing for 10Gb L2 / dark fiber

My org presently has a 1Gb metro ethernet circuit from Spectrum between our office and our colo.

We're looking at upgrading the bandwidth of that connection from 1Gb to 10Gb.

Spectrum has given us a quote, but it's more than we can afford.

Crown Castle has fiber about 100' from our building, and is already on net in our DC so I'm going to solicit a quote from them as well.

I'm wondering if there's any cost benefit of ordering bare / dark fiber vs a service like metro ethernet, if that's even possible.

The two locations are about 50 miles apart in Central Florida.

Questions:

  • Any idea on what ballpark I should expect for pricing?
  • Is there any benefit to ordering dark fiber vs metro ethernet?


DIRECT-2TLAPTOP ideas

Trying to track down a rogue ap with the name "DIRECT-2TLAPTOP." We are narrowing it down but are struggling to pin it on our campus. I've done some googling and was hoping I wasn't alone on this one. I was expecting it to be related to a direct tv product. Anyone else experience this before?



Need help/advice with subnetting for Azure vNets/AWS VPC networks for direct access via MPLS

I am currently planning our migration to accessing resources within Azure using our Express Route circuits (think of Azure being directly connected to our MPLS network) and was wondering what people's recommendations are regarding a VNet/subnet IP address assignment scheme when using AWS/Azure.

Unfortunately (and for historical reasons) we have a very unorganized IP address scheme, which is making it difficult to come up with a good addressing scheme within Azure. Essentially the networking team (they are not a proper networking team and I have more networking experience than them) are only able to allocate me two /16 subnet ranges for use within Azure – 172.17.0.0/16 and 172.18.0.0/16. For awareness, 10.0.0.0/8 is reserved and I cannot utilize it, and 192.168.0.0/16 is not ideal as a range because a number of networks are scattered throughout the range. The rest of 172.16.0.0/12 is used by our third parties, which we have S2S VPNs for and need to route traffic to.

Our plan is that we want all our services/servers hosted in Azure to be located in two different data centres, so the two /16's help in this case. My first thoughts are:

  • Assign one /16 to our main/preferred Azure DC and the other to the DR DC.
  • Divide the /16 into 26 separate /20 network ranges.
  • Each /20 network is assigned to a subscription (think of a subscription as a business unit, i.e. Accounts, Development, Sales).
  • The /20 network is then subnetted depending on the business/application requirements, i.e. divide the /20 into /27's for each application/server.

Is anyone able to suggest anything better in regards to subnetting for our Azure/AWS networking?

Apologies if I made any mistakes in my subnetting. Subnetting is not my strong point.

Thanks
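As an added worked example (not the poster's own plan or code), the following Python uses the standard-library ipaddress module to carve the two /16 blocks named above into per-subscription /20s and per-application /27s, and to check a proposed block against foreign ranges before routing it over MPLS. The subscription names, the application counts and the third-party ranges are constructed for the demo; the code computes the block counts itself. The "5 reserved addresses per subnet" figure is the rule Azure and AWS both document (first four addresses and the last one of each subnet), and is worth folding into any sizing.

```python
import ipaddress

# Constructed inputs (not the poster's real allocations): the two /16 blocks
# mentioned in the post, and an assumed set of third-party ranges reached over S2S VPN.
REGION_BLOCKS = {
    "primary": "172.17.0.0/16",
    "dr": "172.18.0.0/16",
}
THIRD_PARTY_RANGES = [          # assumed values, used only for the overlap check
    ipaddress.ip_network("172.20.0.0/16"),
    ipaddress.ip_network("172.31.0.0/16"),
]

# Azure and AWS both reserve the first four and the last address of every subnet.
CLOUD_RESERVED_PER_SUBNET = 5


def carve(block, new_prefix):
    """Split a network into equal child networks of the given prefix length."""
    return list(ipaddress.ip_network(str(block)).subnets(new_prefix=new_prefix))


def usable_hosts(net):
    """Addresses left for VMs once the platform's reserved addresses are removed."""
    return net.num_addresses - CLOUD_RESERVED_PER_SUBNET


def plan_region(block, subscriptions, apps_per_subscription, bu_prefix=20, app_prefix=27):
    """Assign one /bu_prefix per subscription and pre-carve /app_prefix subnets inside it.

    Returns (plan, spare_bu_blocks).  Raises if the block cannot hold the request,
    which is the check to run before asking the network team for an allocation.
    """
    bu_nets = carve(block, bu_prefix)
    if len(subscriptions) > len(bu_nets):
        raise ValueError(f"{block} only holds {len(bu_nets)} /{bu_prefix} blocks")
    plan = {}
    for name, bu_net in zip(subscriptions, bu_nets):
        app_nets = carve(bu_net, app_prefix)
        if apps_per_subscription > len(app_nets):
            raise ValueError(f"{bu_net} only holds {len(app_nets)} /{app_prefix} subnets")
        plan[name] = {
            "range": bu_net,
            "apps": app_nets[:apps_per_subscription],
            "spare_app_subnets": len(app_nets) - apps_per_subscription,
        }
    return plan, bu_nets[len(subscriptions):]


def conflicts(block, foreign_ranges):
    """Foreign ranges that overlap the proposed block; must be empty before it is routed."""
    net = ipaddress.ip_network(block)
    return [r for r in foreign_ranges if net.overlaps(r)]


if __name__ == "__main__":
    subs = ["Accounts", "Development", "Sales"]          # constructed subscription names
    for region, block in REGION_BLOCKS.items():
        print(f"{region}: {block} -> {len(carve(block, 20))} x /20, "
              f"overlaps: {conflicts(block, THIRD_PARTY_RANGES)}")
        plan, spare = plan_region(block, subs, apps_per_subscription=4)
        for name, entry in plan.items():
            first = entry["apps"][0]
            print(f"  {name:12} {entry['range']}  first app subnet {first} "
                  f"({usable_hosts(first)} usable hosts), "
                  f"{entry['spare_app_subnets']} /27s spare")
        print(f"  {len(spare)} /20 blocks unassigned")
```

Running it prints one line per subscription with its /20, its first /27 and the usable host count, so the arithmetic of the post's bullet list can be checked before the allocation is requested.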



How many ways to use an access-list?

I have a few hundred routers and switches being onboarded and I need to go through and clean up some dead access-lists that are no longer in use. Lots of them.

So, how could I automate this? How can access-lists be used? Where do I find if they are in use? Here's the thought process I came up with.

Is it applied on an interface? Is it used for an SNMP ACL? NAT overload? Prefix-list for BGP? Statements for QoS policy-maps? IPsec/dialer interesting traffic? Line vty access control?

What else can they be used for? How would you logically go about finding dead acl's?
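One way to turn the checklist above into an automated audit, as an added example that is not the poster's code: parse each device's running config, record where every ACL is defined and every place it is consumed, then report the difference. The sample config is constructed for the demo, and the reference patterns cover the usages listed in the post (interface access-group, SNMP community ACL, NAT source list, route-map match for BGP, class-map match for QoS, crypto-map and dialer-list interesting traffic, vty access-class) plus distribute-list; prefix-lists are a separate object and are deliberately not matched. The pattern table is not exhaustive (IGMP, NTP or multicast-boundary ACLs, for example, are not covered), so treat "unused" as a candidate list to confirm before deleting anything.

```python
import re
from collections import defaultdict

# Constructed IOS-style config for demonstration (not from the post or any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip access-list standard MGMT
 permit 10.10.0.0 0.0.255.255
!
ip access-list extended NAT-INSIDE
 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended VPN-INTERESTING
 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
!
ip access-list extended VOICE-TRAFFIC
 permit udp any any range 16384 32767
!
ip access-list extended OLD-UNUSED
 permit ip any any
!
access-list 10 remark SNMP pollers
access-list 10 permit 10.10.0.0 0.0.255.255
access-list 20 permit 192.168.1.0 0.0.0.255
access-list 30 permit any
!
class-map match-all VOICE
 match access-group name VOICE-TRAFFIC
!
crypto map CM-VPN 10 ipsec-isakmp
 match address VPN-INTERESTING
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 30 in
!
interface GigabitEthernet0/1
 ip access-group MISSING-ACL out
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
snmp-server community public RO 10
!
route-map RM-BGP-OUT permit 10
 match ip address 20
!
line vty 0 4
 access-class MGMT in
"""

# Where an ACL is defined.
DEF_PATTERNS = [
    re.compile(r"^ip access-list (?:standard|extended) (\S+)$"),   # named ACL
    re.compile(r"^access-list (\d+) "),                             # numbered ACL
]

# Where an ACL is consumed. Each regex captures the ACL name(s); the key labels the usage.
REF_PATTERNS = {
    "interface ip access-group": re.compile(r"^ip access-group (\S+) (?:in|out)\b"),
    "line access-class": re.compile(r"^access-class (\S+) (?:in|out)\b"),
    "snmp-server community": re.compile(r"^snmp-server community \S+(?: view \S+)? R[OW] (\S+)$"),
    "ip nat source list": re.compile(r"^ip nat (?:inside|outside) source list (\S+) "),
    "route-map match ip address": re.compile(r"^match ip address (?!prefix-list\b)(.+)$"),
    "class-map match access-group": re.compile(r"^match access-group (?:name )?(\S+)$"),
    "crypto map match address": re.compile(r"^match address (\S+)$"),
    "dialer-list interesting traffic": re.compile(r"^dialer-list \d+ protocol \S+ list (\S+)$"),
    "routing distribute-list": re.compile(r"^distribute-list (\S+) (?:in|out)\b"),
}


def audit_acls(config_text):
    """Return defined ACLs, where each is used, which are unused and which references dangle."""
    defined = set()
    used = defaultdict(set)
    for raw in config_text.splitlines():
        line = raw.strip()                      # sub-mode lines are indented in IOS configs
        for pat in DEF_PATTERNS:
            m = pat.match(line)
            if m:
                defined.add(m.group(1))
        for usage, pat in REF_PATTERNS.items():
            m = pat.match(line)
            if m:
                # a route-map "match ip address 20 30" names several ACLs on one line
                for name in m.group(1).split():
                    used[name].add(usage)
    return {
        "defined": sorted(defined),
        "used": {name: sorted(where) for name, where in used.items()},
        "unused": sorted(defined - set(used)),      # removal candidates, verify by hand
        "dangling": sorted(set(used) - defined),    # referenced but never defined
    }


if __name__ == "__main__":
    report = audit_acls(SAMPLE_CONFIG)
    for name in report["defined"]:
        print(f"{name:20} {', '.join(report['used'].get(name, ['UNUSED']))}")
    print("dangling references:", report["dangling"])
```

Feed it `show running-config` output per device and diff the "unused" list against a change ticket before removing anything; the "dangling" list is a useful by-product, since an access-group pointing at an ACL that no longer exists means that interface is effectively unfiltered.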



2 Separate Wireless Networks

I have two small offices right next door to each other; however, I cannot run ethernet between the two and need to have a separate LAN network for each, as there is an outdoor breezeway between the offices. The first office already has its network set up and works decently. However, I need to do some type of wireless bridge or repeater to the 2nd office sharing the same ISP (Uverse Gigapower). The catch is I need to keep both offices on their own LAN. They do not want to see devices between the offices, as the offices are two divisions under the same company. Suggestions of inexpensive solutions would be greatly appreciated.



Help adding additional VLAN

Can anyone tell me what I'm missing here? A few weeks ago I added 5 VLANs to my workstation via PowerShell. Today I need to add another VLAN and PowerShell is not letting it happen.

I'm not quite understanding how to skip/bypass the VLANID fields that I previously used, as they are already assigned obviously. And if I try to enter the existing VLAN IDs it thinks I'm trying to create a duplicate, which also wouldn't be allowed. I'm missing something stupid here, what is it?

Below is the output from ps.

PS C:\Windows\system32> Add-IntelNetVLAN

cmdlet Add-IntelNetVLAN at command pipeline position 1
Supply values for the following parameters:
ParentName[0]: Intel(R) Ethernet Connection (7) I219-V
ParentName[1]:
VLANID[0]: 6
VLANID[1]:
Add-IntelNetVLAN : Failed to add one or more of the specified VLAN IDs.
At line:1 char:1
+ Add-IntelNetVLAN
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (IANet_PhysicalE...SKTOP-KNE62TB"):CimInstance) [Add-IntelNetVLAN], Exception
    + FullyQualifiedErrorId : Error executing cmdlet.,Intel.PowerShell.Network.VLAN.AddIntelNetVlan

PS C:\Windows\system32>



Summary of CenturyLink's December 27, 2018 outage.

The FCC report on CenturyLink's DWDM outage that occurred last year is out.

Full Report: https://docs.fcc.gov/public/attachments/DOC-359134A1.pdf

In summary:

In the early morning of December 27, 2018, a switching module in CenturyLink’s Denver, Colorado node spontaneously generated four malformed management packets. Malformed packets are packets that, while not rare, are not typically generated on a network and are usually discarded immediately due to characteristics that indicate that the packets are invalid. In this instance, the malformed packets included fragments of valid network management packets that are typically generated.

Each malformed packet shared four attributes that contributed to the outage:
1) a broadcast destination address, meaning that the packet was directed to be sent to all connected devices;
2) a valid header and valid checksum;
3) no expiration time, meaning that the packet would not be dropped for being created too long ago; and
4) a size larger than 64 bytes. CenturyLink and Infinera state that, despite an internal investigation, they do not know how or why the malformed packets were generated.

Due to the packets’ broadcast destination address, the malformed network management packets were delivered to all connected nodes. Consequently, each subsequent node receiving the packet retransmitted the packet to all its connected nodes, including the node where the malformed packets originated. Each connected node continued to retransmit the malformed packets across the proprietary management channel to each node with which it connected because the packets appeared valid and did not have an expiration time. This process repeated indefinitely.

The exponentially increasing transmittal of malformed packets resulted in a never-ending feedback loop that consumed processing power in the affected nodes, which in turn disrupted the ability of the nodes to maintain internal synchronization. Specifically, instructions to output line modules would lose synchronization when instructions were sent to a pair of line modules, but only one line module actually received the message. Without this internal synchronization, the nodes’ capacity to route and transmit data failed. As these nodes failed, the result was multiple outages across CenturyLink’s network.
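The two attributes the report singles out, no expiration time and retransmission to every connected node including the sender, are what make the loop self-sustaining. The toy simulation below is added here to make that concrete; it is not data or code from the FCC report, and the four-node full mesh standing in for the proprietary management channel is constructed. It replays one broadcast packet round by round and shows the copy count multiplying by the node degree every round, then shows how either of the two standard protections ends it: a hop limit (the "expiration time" the report says was missing) or per-node duplicate suppression of an already-relayed packet ID.

```python
# Constructed four-node full mesh standing in for an optical network's management
# channel. This is a toy model, not CenturyLink's or Infinera's actual topology.
MESH = {
    "DEN": ["CHI", "SEA", "LAX"],
    "CHI": ["DEN", "SEA", "LAX"],
    "SEA": ["DEN", "CHI", "LAX"],
    "LAX": ["DEN", "CHI", "SEA"],
}


def simulate_flood(topology, origin, rounds, hop_limit=None, dedupe=False):
    """Replay one broadcast management packet round by round.

    Every node holding a copy re-sends it to all its neighbours, including the node
    it came from, which is the behaviour the report describes.  Returns the number
    of copies in flight after each round, stopping early once the flood dies out.

    hop_limit: expiration counter decremented per hop (None reproduces the outage case).
    dedupe:    each node relays the first copy of a packet ID it sees and drops repeats.
    """
    in_flight = [(origin, hop_limit)]   # (node holding a copy, hops remaining)
    relayed_by = {origin}               # nodes that have already relayed this packet ID
    per_round = []
    for _ in range(rounds):
        next_copies = []
        for node, hops in in_flight:
            if hops is not None and hops <= 0:
                continue                # expired: dropped instead of re-broadcast
            for neighbour in topology[node]:
                if dedupe:
                    if neighbour in relayed_by:
                        continue        # duplicate suppressed at the receiving node
                    relayed_by.add(neighbour)
                next_copies.append((neighbour, None if hops is None else hops - 1))
        per_round.append(len(next_copies))
        in_flight = next_copies
        if not next_copies:
            break
    return per_round


def growth_factor(per_round):
    """Ratio between successive rounds while the flood is still growing (degree of the mesh)."""
    return per_round[1] // per_round[0] if len(per_round) > 1 and per_round[1] else 0


if __name__ == "__main__":
    print("no expiration, no dedupe :", simulate_flood(MESH, "DEN", 6))
    print("hop limit of 2           :", simulate_flood(MESH, "DEN", 10, hop_limit=2))
    print("duplicate suppression    :", simulate_flood(MESH, "DEN", 10, dedupe=True))
```

In the outage case the copy count is 3, 9, 27, 81, ... with nothing in the protocol to stop it, which is the "exponentially increasing transmittal" the summary describes; with a hop limit the flood burns out after that many rounds, and with duplicate suppression it ends after a single traversal of the mesh.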



Wireguard: confused about routing/subnets/interfaces

Hi,

I am trying to achieve this setup https://i.imgur.com/Kgr2Ena.jpg, where clients at Office A, B and C can all communicate with each other. However, I'm struggling with the wireguard config, routing and addressing on physical and virtual interfaces.

I have followed this guidance https://github.com/pirate/wireguard-docs#setup and enabled relaying/forwarding on the cloud server, as well as added the forwarding rules to iptables.

I have the wireguard VPN on subnet 10.200.200.0/24 and can successfully ping between any combination of the 3 peers (10.200.200.1, 10.200.200.2 & 10.200.200.3).

Now I'm unsure how to get clients on office subnets in B & C to communicate. Do I also need to enable relaying/forwarding on the two office wireguard peers in order for them to route from their respective office subnets to VPN subnets (eg 192.168.110.0 to 10.200.200.0)? As well as add the office subnets to the AllowedIPs list in each peer's config?

I also need to make sure clients in A can communicate with C. There is a Meraki AutoVPN between A and B, so I need to make sure peer B can also forward traffic to C from A. Lastly, I presume I will need to setup some static routes so A and C can communicate.

Thanks in advance.



Visio 2013 stencils for a network diagram?

So, at work I've just been given a licence to Visio 2013 for my work laptop \o/

I'd like to use it to map out my current home network and my current target home network.

What stencils do you know of? I'm finding the default ones lacking (and a bit dated). I don't really trust 99% of the stuff google throws back, especially as it's my work laptop.

I'd like to be able to represent

  • Powerline Ethernet
  • access points
  • modems
  • routers
  • NAS
  • Docker Containers
  • VMs

Also, pointers on best practice for this as well would be appreciated.

Cheers



IP Reservations for Devices Connected to WiFi Outside DHCP Range

Hey, first time poster here. Had a question that I thought you folks might know the answer to.

We have a bunch of Roku streaming devices we're setting up at my work which work on WiFi only. We are setting up a solid amount of these, 100+. I wanted to make IP reservations for these devices outside the normal DHCP range so we don't eat into a solid amount of our available IPs from our WiFi network. Unfortunately, using the regular reservation setup in our router, it won't let me do a reservation unless I make that range available to the DHCP server.

Basically, we have a network that issues 192.168.1.2 to 192.168.3.255, but I would like to reserve these Rokus in a separate range so they don't take up half a subnet of my available IPs, say 172.16.100.x.

We have pretty decent hardware, Fortinet across the board for our APs, switches, and the router. I feel like I should be able to do this, but I'm not sure how to approach it without adding the other range to the DHCP. Is this even possible or am I approaching this the complete wrong way?

Thanks for reading!



Cisco static route not working (basic networking)

I have a pretty simple problem here: I am trying to route between two networks on a Cisco ISR and I can't ping from one network to another.

The router has two interfaces, one on the internal LAN, the other on a perimeter network which I want to be able to access the internal LAN.

Here is my config

interface Vlan1
 ip address 192.168.1.12 255.255.255.0
!
interface Vlan10
 ip address 10.0.0.1 255.0.0.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.1.0 255.255.255.0 Vlan1
interface gigabitethernet 0/0
 description LAN
!
!
interface gigabitethernet 0/1
 switchport trunk allowed vlan 1,2,10,1002-1005
 switchport mode trunk

So I can ping the internet from the router, so one static route is working, but all the clients on the VLAN can't access the internal network using the static route.

The following commands just time out

ping ip 192.168.1.1 source vlan 10

ping ip 192.168.1.1 source 10.0.0.1

Can anyone spot any config mistakes I might have made?



Unable to access Joomla administration page from local network

Hi guys,

I'll try to explain the situation as briefly as possible:

  • I have a Joomla website, let's call it example.com, and its local IP is 192.168.x.10
  • I have restricted access to the Joomla administrator page so I can access it only from a few IP addresses
    • one external IP for when I work from home (I have a fixed IP from my ISP)
    • one internal IP, 192.168.x.20, which is in the same subnet as the website
  • The problem:
    • I can access the administration page only from the external IP
    • I looked into the logs of the website server and it seems that when I try to access the page from the local IP it sees it as coming from the gateway (192.168.x.1), not from 192.168.x.20
    • This happens only when I try to access the admin page through example.com/administrator; it works when I try to access it through https://192.168.x.10/administrator

Where should I begin?



Monday, August 19, 2019

Core switch to ASA gateway

Hi Everyone!

I've got an ASA5508 managed through FMC and a c3560 core switch with most of the SVIs on the core handling the inter VLAN routing. The core switch default gateway is pointed to the internal ASA interface.

I'm considering doing a redesign of the connection between the core and ASA, and I'd like to do a port-channel and have subinterfaces as the default gateways on the ASA, to better restrict traffic between VLANs since right now it is wide open. Our other sites are connected via DMVPN, using HSRP internal and using EIGRP to redistribute routes between sites.

Currently, I've got the following on the core...

interface Vlan8
 ip address 192.168.8.41 255.255.255.0
 standby 8 ip 192.168.8.1
 standby 8 priority 200
 standby 8 preempt
!
interface Vlan9
 ip address 192.168.9.41 255.255.255.0
 standby 9 ip 192.168.9.1
 standby 9 priority 200
 standby 9 preempt
!
interface vlan 50
 ip address 192.168.50.41 255.255.255.0
 standby 50 ip 192.168.50.1
 standby 50 priority 200
 standby 50 preempt
!
ip route 0.0.0.0 0.0.0.0 10.101.8.254
ip default-gateway 10.101.9.1

On the ASA...

Gi1/1   Inside       192.168.8.254
Po2.50  ServerMgmt   192.168.50.5

ASA policies seem fine, as I have it set to any/any. If I set the VLAN 50 host gateway to .1 I can access it just fine, but once I set it to .5 (the ASA) it's not accessible. I can see the routes being redistributed to our other sites, but if I try to reach a host on the VLAN 50 subnet, it times out once it reaches this core.

Looking at the ASA logs it looks like SOME of the traffic makes it through the ASA, but only asymmetrically. My initial thought was PBR, but I wasn't sure if there was a better way to handle this. Thanks in advance!



VPN Best Practice

Simple question really, is it safe to create a VPN that goes direct into the lan. Or is this really what a vpn is all about? I'm asking because it seems to be a big no-no to put an SSH server exposed directly to the public. Why would VPN be different?

Previously I was using the "AnyConnect" feature on my ASA5505, but on the upgraded 5508 they want me to pay almost 1000$ for a license to use VPN on my mobile devices - for a single consultant, this is nuts.

So - I will create a VPN into my lan using openvpn on a linux machine in the lan. I'd open and nat the port to the machine and voila. I guess at this point I'll get another IP range for my vpn.

Can anyone confirm this is the correct way to do things? or offer a better method?

Currently I have my "lan" and a "dmz" on another interface. lan priority 100, dmz priority 50, and public = 0.

Thanks.



OOB (Out of Band) Management access

Our ISP provides us a 100mb circuit for out-of-band management. Have any of you configured one on a Cisco ASR off an ISP? Looking for example configurations ... Static route? Will I be using the circuit IP address to access the box OOB remotely?

Currently, our ISP provides us GB bandwidth and an extra 100mb circuit that is not in use now - they mention it is for OOB access.

I have done OOB internally to the network, but never off an ISP. Any config ideas to get this going will be great :)



Legacy cisco switch MT-RJ female ports

Want to use this switch for a home lab. Looking to buy a media converter to use these ports. However, I'm worried I'll end up buying the wrong one. Any recommendations?

I don't need to use these ports, but it sparked my curiosity.



DDOS flood attack blackholing enterprise edge ?

We encountered DDOS flood attacks that were captured on our firewalls. I also have noticed brute force logs on the Cisco ASR (Edge) from specific IPs (China). When using the show users command, the IP source was coming from that location. Question is, can I blackhole the IP with null 0 off my edge internet router? I have done this multiple times in the past, but in a service provider environment, not in enterprise. Is it even worth it? Or should the ISP take care of this?

Any additional security best practices, examples etc?

Cisco example shows this: ip route 41.14.14.5 255.255.255.255 null0 tag 999



Were you over 30 without any real experience when you started studying networking? How hard was that? What did you do to keep on? Are you now satisfied with your career? Please share your story, if you don't mind!

No text found

What is the equivalent of ip local-proxy-arp of Cisco IOS on JunOS ??

Any Juniper experts - please let me know, will continue to google meanwhile.



From the Vlan 44 interface I am not able to ping the Vlan 3 interface of the Core Switch

Hi everybody;

I have the following scenario (IPs are fake, this is only an illustrative example). I am implementing a new Mobility Express topology because in our company everybody is still using ethernet cable :S. The topology is this:

https://imgur.com/NRxwtMN

Topology: Laptop ------ WLC ------ Switch 1 ------ CORE

Laptop:    IP address 192.168.45.231, mask 255.255.254.0, GW 192.168.44.2, VLAN 44
WLC:       DHCP pool 192.168.44.0, mask 255.255.254.0, GW 192.168.44.2, VLAN 44;
           management VLAN 10 192.168.10.90/24, default GW for VLAN 10 192.168.10.22/24
Switch 1:  int Vlan 44 192.168.44.2, mask 255.255.254.0; int Vlan 3 192.168.3.4/24;
           default route to 192.168.3.1; management VLAN 10 192.168.10.22/24
CORE:      int Vlan 3 192.168.3.1/24

From the test laptop I am able to ping its GW 192.168.44.2 and the IP 192.168.3.4, but I am not able to ping the CORE IP address 192.168.3.1.

From Switch 1, obviously I can ping the Core's IP 192.168.3.1, and I can even ping 192.168.3.1 with source 192.168.44.2.

On Switch 1 I use a default ip route to the IP address 192.168.3.1 (interface Vlan 3 of the Core).

On Core i use this static route:

ip route 192.168.44.0 255.255.254.0 192.168.3.4

What's wrong? Did I forget something? In this case I only use static routes.