Saturday, October 26, 2019

LibreSwan -> MX IPSec Phase2 Proposals Issue

Hi,

I am trying to establish an IPSec tunnel from Ubuntu running LibreSwan to an MX running IPSEC. I am unable to figure out what I'm missing. It's a proposal mismatch but as far as I can tell, I have everything matching.

I don't have access to the MX but have been given the MX configuration snippet.

MX Config Snippet - https://pastebin.com/EVpZjXky

My LibreSwan configuration - https://pastebin.com/NFE2qCxM

Connection Up Output - https://pastebin.com/YyGPR9WN

Log - https://pastebin.com/b8t7rSyd

Would sincerely appreciate your assistance...



Job change help needed

I've been in networking for 16 years and am an Infrastructure director at a university in the southeast US. Trying to be vague, though I doubt anyone from work uses Reddit or this subreddit specifically. Networking, Telecom, and server architecture are all under me. I'm much younger than my staff or peers and occasionally I get overruled in management decisions just because of that. If any peers or my VP can't understand something I'm trying to do, they immediately attack my decisions and make it difficult to try new things at all. My age has been the butt of the joke more than once and I've heard many underhanded comments with it involved as well.

I've been in this role for almost 3 years and it's driving me nuts. I've had issues with my VP for some time. Some management related and some financial. He is very stingy with raises and has given very poor promotion pay on excuses like time in the position, the area, and my age. Of course there are peers that do very little and they are very well paid in comparison. I feel salary should be dependent on results, not age.

Though I'm content, and somewhat unsure why that is given my negative picture painted above, I've never turned down a new position speech from headhunters or companies directly. Very recently I was offered a position with a large MSO as a sales engineer. The role supports a couple of sales representatives from a purely technical aspect. Hosted voice, fiber sales, and soon managed services. I'll write up technical specifications, BOMs, network diagrams, some ROI work here and there, fiber plant extension assessments. Most of that is all remote and 20-30% travel at most. I like what I do but I'm tired of all the red tape with public sector regulations and the peer issues described above. The new job would be an extra 42k/year with 33k of that being commissions. The commission structure is pretty good though since it is from the sales team as a whole and divided amongst the other 3 sales engineers I'd work with. Trending over the last 5 years the sales are going up.

I am leaning towards the new position but something is keeping me from just accepting the offer. Anyone made a similar move or are currently in sales engineering? Advice appreciated.



Can't access my firewall

I have a GB 2100 firewall. I moved it to a new location and now I can't get access to it either by a direct connection or the console Ethernet ports. I know the IP address of the firewall but no luck getting a response. Any clues, hints, ideas how I can access this? Thanks.



Networking for AV

Hi, I work as a sound designer in theater and have done the Dante Training levels 1-3.

I was just wondering if anyone here works as a network engineer for live events and what your experience has been like? Also, what would you recommend for further education for networking?



Get a Wave vs Purchase bandwidth from local T2

In a very rural area, 300 miles from any carrier hotel and paying $6k per month for 2.5Gbps. There are two providers in the area that have fiber networks from here to KC and STL (Centurylink and Shoeme Electric). We are having a horrendous time with outages and billing problems on Centurylink and I'm looking to make a change.

Any educated guesses on what a 300 mile wave might cost in MO? I'm thinking that if I got a Wave all the way to the carrier hotel in Kansas City or St Louis (both approx. 300 miles from here) then I could buy bandwidth from a T1, say Hurricane Electric for example, for pennies per Mbps. I know a wave isn't cheap but I have no clue what kind of expenses I'm looking at, so not sure when paying a little under $3.00 per Mbps becomes more expensive than 300 miles of wave and pennies per Mbps.

So far talking to Shoeme power has been very unproductive as they pretty obviously do not want to sell me a wave and have been just super difficult to get any information from for anything other than just buying internet from them instead of Centurylink. They want $11,000 just to bring their fiber aerial (they own the poles) from across the street so I can buy internet from them instead of Centurylink. I don't really know exactly what to ask for and they don't volunteer any information.



Connect switches together with trunk to allow multiple VLANs across

My experience with basic TCP/IP and switches is good.
But as soon as you start trying to explain VLANs, tagged/untagged ports, trunks and LAGs, I quickly lose focus (mostly because one thing references another that references the first).

So.
I have a Unifi USG.
It's plugged into a HP 1820-8G POE+
Which plugs into a Dell 2816 and a Dlink 1100-08p
I have a Unifi Access point plugged into the Dlink 1100.
Servers are plugged into the Dell 2816.
All switches are managed.
I want to be able to vlan a VPN connection to one of the servers, and Vlan a SSID on the AP to the internet without giving access to anything else.

How do I trunk and VLAN this stuff? Everything is set up with no VLANs or trunks currently.
Explain it like I'm 5 please.



Why do Aruba/Procurve SFP+s cost more on FS.com

J9150A and J9151A cost a lot more than the equivalent H3C Comware, Cisco, or Dell part. I was told by another vendor that it is because there is another chip in those SFPs. Does anyone know more about that or why it is that way?



Ipbasek9 vs universalk9 ios image compatibility issue on 3750x?

Tried upgrading the software on a switch that came with an ipbasek9 image with a universalk9 image and it wouldn't boot the universalk9 from flash. Is that to be expected? I'm still trying to understand the licensing. Do I have to use an ipbasek9 image on this switch? Or am I possibly doing something wrong? I copied the universalk9 bin to flash:, made sure flash was initialized and have tried to force it to boot from that image several times but it always errors out.

It's in rommon now so I'm going to have to try and boot a good image from a USB because for some dumb reason Cisco took away tftpdnld on the 3750x switches...



Cisco ISE and Mac IOS Device

What is the most common and recommended way to deal with wired MacBooks or any other Mac devices for dot1x? For Windows I always use PEAP Member of Domain Computer. I can't use it for Mac because they are not part of AD. Is it EAP-TLS? If so, how do you push the cert to them on a massive scale?



How to connect two ISP ?

I am trying to solve a study case for my college, but I got stuck in a point, maybe someone could help me:

  • c) The interconnection between the two ISPs is accomplished through static routing, configure.
  • d) Inject the default into OSPF through PE5 and PE6. The PE5 should be the default GW of all ISP, in case of failure, the PE6 will assume this function.

This is my topology:

https://ibb.co/pvNXY5L

ISP tier 2 uses RIP as a routing protocol, and the orange "ISP 1" uses OSPF. My doubt is how I will configure a static route to interconnect both ISPs? Should I configure a static default in the orange ISP and redistribute it in OSPF? Thanks a lot.



Helping with DDoS

Hello guys
So I got a big problem. One guy got my IP address. I contacted my IP provider about that and they said that they can not change my IP because their company does not do that. Now after a couple of days of trying I found out what his IP is, but I do not want to be like him and start DDoSing with no reason. What should I do? If somebody knows what to do with his IP I can show you that. Thanks for help.



Laura Chappell packet capture course.

Hi guys, has any of you ever gone through Laura's 6 CD packet capture materials? Are they any good now?



Connecting two switches together using single mode fibre and SFP’s

One of my clients requires two of their Meraki MS120 switches to be connected together. They are in separate server rooms, around 1000 meters away from each other. Obviously Cat5/6 isn't an option here, but there is a single mode fibre tie between the two locations.

I don’t normally work with fibre, but I was told by a friend/colleague that connecting switches together requires the use of multi mode fibre, and single mode fibre will not work (something to do with the core diameter).

Is this true? I have a feeling this guy is yanking my chain.



Are there any popular science books about (the history of) networking?

I entered the networking profession a few months ago after migrating from being a SysAdmin. As most of us will agree, networking and its history is fascinating. As such I wonder if anyone can recommend me any popular science books about networking and its history. While there is an abundance of books about subjects with similar historical importance (from flight to space travel to programming), I haven't been able to find any high quality books about networking. The reason I personally ask is twofold:

  1. As a new network engineer, I want to at least be familiar with terminology and concepts not likely to be found in the wild anymore. I feel it will make me a better networking engineer if I'm able to compare current technologies and protocols to their precursors.
  2. My wife has expressed interest in the field and I want her to get a glimpse of the history behind it.

Any tips?



Friday, October 25, 2019

Forward incoming TCP packet to a different port

Hello, so I have been working on this all day and have had no luck. First off, I have no router atm, I am just using my mobile phone hotspot.

I have an offsite server that is sending packets to an application running on my Windows machine. I have a proxy set up that will listen on a port (7776). It will then let me log the packet and send it on to its destination, e.g. port 56000 on my local machine.

The problem I am running into is I can't tell the server to change what port it is sending to on transmission. I can't find a way to monitor my incoming network traffic for port 56000, redirect it to 7776, so my proxy can then send it on its journey.

I can't have my proxy simply listen on port 56000 because then when the local application starts so it can request the data from the server, it will not be able to bind a listener to that port as well.

What am I missing? Thanks



Comcast Business Routing

I am helping out a small business with a routing issue and I just can't seem to figure it out. Hopefully you guys can help me out.

They are using Comcast Business Gateway.

Public IP: a.b.c.250

Public Gateway: a.b.c.249

Attached to the Comcast Modem Port 3 is a router. On the Comcast side it has an IP of: 10.1.10.10, on the router side it has an IP of 192.168.0.1. Attached to that router is a switch. The router side of the switch has an IP of 192.168.1.1 and the switch side has an IP of 192.168.1.20.

There is a device plugged into the switch with an IP of 192.168.1.241. The device communicates with a 3rd Party for monitoring over ports 3000-3050. I also have a Windows PC plugged into that switch with an IP of 192.168.1.240.

I can get out to the internet just fine from the Windows PC. So, I am assuming that the 192.168.1.241 device can as well. However, the 3rd Party Monitoring Company is not able to establish a connection with the device.

If I plug an additional computer into the switch, I can ping everything on that switch. I plug into the router, I can still ping the devices. However, once I plug into the Comcast modem I can no longer ping anything on the 192.168.0.0/23 network.

I created a Port Forwarding Rule for Ports 3000-3050 to forward to port 10.1.10.10 and I created a Static Route with the following values:

Destination IP: 192.168.0.0

Subnet Mask: 255.255.254.0

Local LAN Gateway IP: 10.1.10.10

Applied the settings, even rebooted the Comcast Modem and I still could not get over to the 192.168.0.0 network. A trace route from the Comcast Modem would go: 10.1.10.10 --> Time out --> 90.x.y.z then die.

Comcast told me their modem is in "Pass-Through mode" but won't help me beyond that. Any tips/tricks/suggestions are more than welcome!

Thank you in advance!



ICMP pings from a core router reliable?

I get that ICMP traffic, especially around peak times, can be finicky, but I've been seeing 3-7% loss at a cross connect that they don't seem to see an issue with (cross connect directly off this core). No errors are occurring on the link. Any thoughts/ideas?



Tips for improving network safety

Hello, I'm just looking for tips on how I can improve network safety and make it better and safer in case anything happens. I'm going to add a Pi-hole and I run a VPN usually, but I want to do more to make it safer also so I'm more anonymous online.



Firepower rant

This is the rant provided by a disgruntled user about Firepower: https://www.reddit.com/r/networking/comments/9363af/cisco_firepower_rant/

I have been working with Firepower for the last 3 years, and I can't underline any of the statements in the rant enough. There is just no redemption from this pile of crap.

What experiences have you guys been having over the last year or so? I'm talking 6.4+

I see Cisco avoiding tech guys in our firm as much as possible, and only selling to the management team. Luckily I have attention from mgmt, but you guys might not be as fortunate.

My 2 cents: avoid Cisco Firepower in any case possible. It's not worth the pain.



Fiber Testing Help

Hello all,

I've got a shop with fiber run through it. When the enterprise team of my company came to terminate, they were not prepared with proper testing equipment and we were left with the task of verifying the function of the fiber as well as basic connectivity between fiber switches.

Some information:

All of our runs are under 3000ft

We're using singlemode fiber with LC connectors

We only need basic connectivity, enterprise will refine later

All terminations are complete, but we know some are faulty.

My Questions:

What is the most cost effective tester for our cause?

We have a KOMshine Qx70 OTDR. Would this be able to do the job?

Is the Fluke VisiFault enough for this job?

- Thank you for your time or answers.



Jinja2 templating - best way to pass variables to template?

I'm beginning my journey of templating configurations with Jinja2 and Python3. Hey, it's not so hard after all! Even a dummy like me can do it. I ended up following the guide below to get started:

https://blogs.cisco.com/developer/network-configuration-template

However Cisco recommended to pass each variable individually, which is a nightmare if you have more than... one variable. So I began passing in dictionaries with keys and values, which reduced my variables to pass down to just one. I've seen some other examples using .csv files as well, which seems great for large scale deployments.

I'd like to ask what others are doing in their networks to generate configs with Jinja2. How do you keep your variables? Dictionaries? Spreadsheets? Some other magic?

At this point I'm not quite using for loops in my templates, but would like to. Something like:

https://realpython.com/primer-on-jinja-templating/
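An added example, not from the post or the Cisco guide it links: every device is described by one dictionary (built here from a constructed CSV of port rows, since the post mentions both), and a single Jinja2 template loops over VLANs and interfaces. Hostnames, VLAN ids and addresses are constructed; StrictUndefined is used so a key missing from the dictionary raises at render time instead of silently producing a config line with a blank value.

```python
import csv
import io

from jinja2 import Environment, StrictUndefined

# Constructed inventory: one row per switch port. A real deployment would read
# this from a file or an IPAM export instead of a string literal.
PORTS_CSV = """\
hostname,interface,description,vlan,mode
sw-access-01,GigabitEthernet1/0/1,printer,20,access
sw-access-01,GigabitEthernet1/0/2,ap-lobby,10,access
sw-access-01,GigabitEthernet1/0/24,uplink-to-dist,99,trunk
sw-access-02,GigabitEthernet1/0/1,reception-pc,20,access
"""

# Per-device settings kept as a dictionary: the single variable the post ended
# up passing instead of one argument per value. Values are constructed.
DEVICES = {
    "sw-access-01": {"mgmt_ip": "10.0.0.11", "mgmt_mask": "255.255.255.0"},
    "sw-access-02": {"mgmt_ip": "10.0.0.12", "mgmt_mask": "255.255.255.0"},
}

# VLAN id -> name, shared by every device rendered with this template.
VLANS = {10: "users", 20: "printers", 99: "management"}

# Cisco IOS style template. trim_blocks/lstrip_blocks keep the {% %} tags from
# leaving blank lines in the rendered config.
TEMPLATE = """\
hostname {{ device.hostname }}
!
{% for id, name in vlans | dictsort %}
vlan {{ id }}
 name {{ name }}
!
{% endfor %}
interface Vlan99
 ip address {{ device.mgmt_ip }} {{ device.mgmt_mask }}
!
{% for port in device.ports %}
interface {{ port.interface }}
 description {{ port.description }}
{% if port.mode == "trunk" %}
 switchport mode trunk
 switchport trunk allowed vlan {{ vlans | sort | join(',') }}
{% else %}
 switchport mode access
 switchport access vlan {{ port.vlan }}
{% endif %}
!
{% endfor %}
"""


def load_inventory(csv_text, devices):
    """Group the per-port CSV rows under their device so each render gets one dict."""
    inventory = {
        name: dict(hostname=name, ports=[], **settings)
        for name, settings in devices.items()
    }
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["hostname"] not in inventory:
            raise ValueError(f"port row for unknown device {row['hostname']!r}")
        row["vlan"] = int(row["vlan"])  # CSV fields are strings; normalise once here
        inventory[row["hostname"]]["ports"].append(row)
    return inventory


def render_config(device, vlans=VLANS, template_text=TEMPLATE):
    """Render one device's config; any variable the template names but the
    dictionary lacks raises jinja2.exceptions.UndefinedError."""
    env = Environment(
        trim_blocks=True, lstrip_blocks=True, undefined=StrictUndefined
    )
    return env.from_string(template_text).render(device=device, vlans=vlans)


if __name__ == "__main__":
    for name, device in load_inventory(PORTS_CSV, DEVICES).items():
        print(render_config(device))
```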



How to SSH into a computer about 100m away.

Hi, I'm trying to figure out the easiest way to solve a networking issue for an experiment I'm trying to set up. I have a small PC mounted on a drone running autonomous flight software. I'm trying to SSH into the small PC while the drone is flying but I'm having issues as I keep losing connection. The drone only flies about 100m out at a relative altitude of 5 - 10m on a football field so there's direct line of sight between the drone and the router, and my laptop and the router. I've been thinking of getting a Ubiquiti PicoStation M2, configuring it as a wireless client and mounting it on the drone. What do you think of this? Are there any other solutions?

P.S. I do not have AC power supply out on the field so potential solutions are limited to systems that can be run on a battery/ or that I can create connectors.



help with ARP Request flooding

Hey there,

I noticed a consistent flood of ARP requests (300 - 400 per second) on a remote hosted server's network interface.

It appears that the server is actually responding to all of these (and seemingly answering requests outside the machine's subnet ...)

Some of these requests are for machines within the network gateway Class C (32.50.106.0/24, which I would understand), but most of these ARP requests are for other subnets hosted at this ISP.

I'm not really sure what to make of this. Is this normal?

ARP, Request who-has 32-50-97-226.static.hvvc.us tell 32-50-97-1.static.hvvc.us, length 46
IP 32-50-106-121.static.hvvc.us.49032 > 66-96-80-43.static.hvvc.us.domain: 56797+ PTR? 226.97.50.32.in-addr.arpa. (43)
IP 66-96-80-43.static.hvvc.us.domain > 32-50-106-121.static.hvvc.us.49032: 56797 1/0/0 PTR 32-50-97-226.static.hvvc.us. (84)
// NOT IN LOCAL SUBNET
ARP, Request who-has 96-31-94-105.static.hvvc.us tell 96-31-94-1.static.hvvc.us, length 46
IP 32-50-106-121.static.hvvc.us.48571 > 66-96-80-43.static.hvvc.us.domain: 38283+ PTR? 105.94.31.96.in-addr.arpa. (43)
IP 66-96-80-43.static.hvvc.us.domain > 32-50-106-121.static.hvvc.us.48571: 38283 1/0/0 PTR 96-31-94-105.static.hvvc.us. (84)
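An added defender-side example, not from the post: a small parser over `tcpdump -n -tt` output that separates ARP requests for the interface's own /24 from requests for other subnets, groups the off-subnet ones by the address that asked, and measures the request rate per second. The capture below is constructed; the PTR lookups interleaved in the post's output are generated by tcpdump's own name resolution (suppressed by -n) and are skipped here.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in "tcpdump -n -tt" form: epoch timestamp, no name
# resolution. Addresses and timestamps are made up for the example.
SAMPLE_CAPTURE = """\
1572000000.100000 ARP, Request who-has 32.50.106.121 tell 32.50.106.1, length 46
1572000000.200000 ARP, Request who-has 32.50.97.226 tell 32.50.97.1, length 46
1572000000.300000 ARP, Request who-has 96.31.94.105 tell 96.31.94.1, length 46
1572000000.400000 ARP, Reply 32.50.106.121 is-at 00:11:22:33:44:55, length 28
1572000000.500000 IP 32.50.106.121.49032 > 66.96.80.43.53: 56797+ PTR? 226.97.50.32.in-addr.arpa. (43)
1572000000.600000 ARP, Request who-has 32.50.106.200 tell 32.50.106.1, length 46
1572000001.100000 ARP, Request who-has 32.50.97.10 tell 32.50.97.1, length 46
"""

ARP_REQUEST = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+ARP, Request who-has (?P<target>\S+) tell (?P<sender>\S+), length \d+"
)


def parse_arp_request(line):
    """Return (timestamp, target_ip, sender_ip) for an ARP request line, else None.

    Replies, IP packets and lines whose addresses are hostnames (a capture
    taken without -n) are ignored.
    """
    m = ARP_REQUEST.match(line)
    if not m:
        return None
    try:
        target = ipaddress.ip_address(m.group("target"))
        sender = ipaddress.ip_address(m.group("sender"))
    except ValueError:
        return None
    return float(m.group("ts")), target, sender


def summarize_arp(capture, local_net):
    """Classify ARP requests against the interface's own subnet.

    Returns how many requests target an address inside local_net, how many do
    not (grouped by the asking address, typically the other subnets' gateways),
    and the largest number of requests seen in any one-second bucket.
    """
    net = ipaddress.ip_network(local_net)
    in_subnet = 0
    off_subnet_by_asker = Counter()
    per_second = Counter()
    for line in capture.splitlines():
        parsed = parse_arp_request(line)
        if parsed is None:
            continue
        ts, target, sender = parsed
        per_second[int(ts)] += 1
        if target in net:
            in_subnet += 1
        else:
            off_subnet_by_asker[str(sender)] += 1
    return {
        "in_subnet": in_subnet,
        "off_subnet": sum(off_subnet_by_asker.values()),
        "off_subnet_by_asker": dict(off_subnet_by_asker),
        "peak_requests_per_second": max(per_second.values(), default=0),
    }


if __name__ == "__main__":
    print(summarize_arp(SAMPLE_CAPTURE, "32.50.106.0/24"))
```

Off-subnet requests reaching the interface mean those subnets share the same layer 2 segment; whether the host actually answers them is a separate question, and on Linux the thing to check for that is the proxy_arp sysctl on the interface.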


Chassis/Backplane Style Cisco IOS switch to replace 6509E

Hi All,

I have a site in the field that needs 120 ports on their core switch. I've specced out three 2960X's with stack cables for them, but they are rejecting it because they prefer backplane/chassis style, like the 6509E. However, 6509E and 6807-XL are both EoL. Does anyone know what the non-Nexus style successor is? 9400 looks like it fits the bill, but it's way too cheap. I am seeing refurb 6509E's for more money than a new 9400, so I'm clearly missing something.

Has to be Cisco btw. We don't field anything else. Company policy.



Patch cables

I need to order patch cables, 3ft, 7ft, 10ft in bulk. Where is the cheapest place to do this? 5E is fine but I do want decent quality; also can be booted or non booted. Sizes don't have to be perfect.



Would It Be Possible to Set Up a Test Lab at Work?

Hey guys,

I've been forced into a network admin job role at work which is crazy because I have no background in networking. My current plan is to finish my CompTIA training courses, take the Network+ and then build my small home lab with a switch and router so I can practice with setting up Windows server, testing with Wireshark, other stuff. I can watch videos and read books all day, but I don't really grasp it until I have hands on practice.

I'm just wondering if there would be a way to set this up at work instead of home. I want a test lab that runs completely outside our network so I can play as much as I want with no fear of screwing up the production live systems, but I would have to have some kind of network connection, right? Sorry very green at this stuff.



private vlan on trunks

Hi guys,

I want a layer 2 isolation for some webservers. The webservers are virtualised on a physical server that is connected over a LACP trunk to a Cisco SG500 switch.

On that switch is also a pfSense with a LACP trunk connected.

Now what I want to achieve is a primary VLAN 300 and separate isolated VLANs from 301-310 that can only communicate with VLAN 300.

Is that possible with my Cisco SG500 switch? I know that switch has Private VLANs but I can only configure it for an access port.

Best Regards Dave



Set a pc as half duplex in Cisco packet tracer

Hi. I don't know how I can set a PC as half duplex in Cisco Packet Tracer.



Fortigate Models

Hello

I am looking to set up 1 to learn with for my point of presence in the data center. I currently have an SRX240 H2 which I love but I feel like I should be learning about Fortigates because they seem to be very common and I have never used one before.

I'm not going to lose many of the fancy features just to learn my way around the operating system a little bit so ideally I would just like one that can actually do close to gigabit line rate without any IPS or anything like that. All the current firewall does is port forwarding and NAT.

Any recommendations on where to go? Used or new is ok. Would love dual ps too.



Why is the default for the `ping` command to use both IPv4 and IPv6?

I noticed on Wireshark that I will sometimes see both ICMP and ICMPv6 ECHO requests/replies while pinging different destinations. (ex: ping -c 10 destname).

While I understand I can specify a protocol, I'm curious if there exist any reasons someone would want the default over choosing just one.

I've looked at (what I believe to be) the source code for iputils' ping program (github link). To my understanding, both are used if both can be, else "falling back" to IPv4. This leads me to suspect that the default is both protocols because it's 1) a reasonable default and 2) cleaner logic to start with both protocols enabled.

That being said, I still don't know if there's a reason to specifically test the default or whether or not v4/v6 is chosen 'randomly' by ping. If anybody would like to share any insight, I'd greatly appreciate it!



Syslog server & dashboard

Can anyone recommend a syslog server and dashboard that's free / open source? I've spun up Nagios LS which looks nice, but is a pay-for option after a 60 day trial.

I'd prefer a web based dashboard if possible. I can easily install 'visualsyslog', or 'thedude' but that would also mean having to then RDP to a Windows desktop to check the logs. I'd also prefer a Linux variant as there are no spare Windows licenses available in the org.

I want to push all Cisco firewall (mixture of PIX and ASA) logs to the server for later viewing etc. There's 30 or so of them so the free version of Kiwi is no good - shame, as my old workplace had the full SolarWinds suite which was awesome.

Syslog-ng also seems a bit of a pig to set up, and even then I'd still need to find something that can then parse the logs and display them nicely on a front end.



Creating a separate network inaccessible from the main LAN

My friend has rented an office inside another, larger, office. They let him use their internet via ethernet off their main switch. He has no physical access to that switch or any ability to configure it or the ADSL router. He just has a single ethernet coming off it.

He can see all of their network and vice versa. He obviously doesn't want this and wants a separate network for his own PCs, including wifi.

I've done this before by adding a router but it's been ages and I can't remember exactly what the upshot of it was - if I stick that cable into the new router's WAN port and create a new network, will his network be inaccessible from theirs?

What's the best way of doing this? Thanks



Thursday, October 24, 2019

Quick questions about switch lights

So I go to a school where we can see some of the network switches (all Cisco Brumby stuff) through windows, and I had noticed the network port lights are constantly on, no blinking, so I asked my friend who works for the school and he said some stuff about them being Electro-Static switches, and I am pretty sure that's not a thing, so question: why are the lights fixed on?



Ip passthrough att fiber

Hi guys! Not sure if this is the right place to ask but if I have a gateway, how do I use my router instead? Is this called ippassthrough or bridge mode? Anyone with an arris gateway with att fiber? Thanks!



How do I determine how many routers a company network "needs"?

Hey folks, this might be an odd question but I wasn't able to find an answer for my question, and am not sure how to formulate it correctly. I am currently studying for my ccna and do a lot of labbing in packet tracer where I think of topologies and implement routing protocols like ospf, bgp and eigrp.

But what I have not yet come across is, at what point does an enterprise need multiple routers spanned across a single building?

Does a small company with 200 users need more than 1 (maybe 2 for redundancy) router which connects only to the ISP? My guess would be no; I'd have my router connected to my core switch(es) via ROAS and configured VLANs.

How about 500 users/devices? In my eyes a single router would still be enough?

1000 users? Would it still be enough with some multilayer switches?

Can you even tell by only a user count how many routers you need? Parameters like security/routing protocol also play a big role right?

And what about Ospf for example? Single-Area will probably suffice for small networks. In case of a bigger building, will I still only need one area? And multi areas to different sites with a tunnel to each other?

I guess that there probably won't be a general answer to it but would be glad to receive some information!

Thanks!



Copy SSID from one Aruba Network to Another

We are using the Aruba IAP205 APs. One of the networks is working great with current settings. I would like to copy all SSIDs to another network of Aruba IAP 205s. I have tried to set it up on the network directly and it does not allow connections. If you can tell me how to copy the SSID I would appreciate it.

edit: I am trying to clone an SSID to another network

Thanks



Network Vlan

Hello is this setup possible?

I have a Fortigate and I want to set up 3 VLANs in here: vlan 1 (man), vlan 2 (guest wifi), vlan (user wifi).

Then connect to an Aruba 2930f with also 3 VLANs, that have intervlan routing inside. Then the uplink port is a VLAN going to the Fortigate that is assigned in the Fortigate, not on the Aruba 2930f.

So the uplink from Aruba switch to Fortigate will be under vlan 1.

And then I will route the VLANs inside to the Fortigate using the VLAN uplink? Is that correct?



Common for carriers to block IPSEC traffic?

I am currently trying a POC for Viptela SD-WAN. I wanted to include LTE backup on the branch routers.

I have a working SIM card, the router gets a valid IP, etc... Everything seems to be working, but Viptela reports that BFD is getting no traffic. When I look at the IPSEC tunnels, the tx counters are going up, the rx counters are at 0.

I am in Canada, trying this with a "vanilla" Telus SIM card. Is it pretty common for carriers to hinder/block IPSEC connections like this? Do I need to request a static/public IP/APN from the carrier for this to work?



VLAN and DHCP help

Hi, I am trying to learn networking and I have a Cisco 3750G to play around with. Not sure what I am doing wrong. I have a pfSense running DHCP to VLAN 2 with 192.168.42.1

On the switch I set port 0/1 and 0/2 to access VLAN 2 with an IP Helper address with the above.

But I am still getting IPs from the Default LAN interface which is 10.10.1.1. Guessing this is untagged traffic? Still learning.

I am sure it is something simple or I am just not getting it. I will say VLAN 2 works 100% on my Unifi switch so I am missing something in the config.



Best way to liquidate networking equipment

Hi,

I recently came across 500 units of networking equipment (splicers and adapter panels for fiber optic cables) and was wondering if anyone has experience selling them in bulk?

All items are Systimax/Commscope brand and in new condition.


Any input is greatly appreciated.

Thank you!



I need help with my wifi router

The model is a tenda ac1200 that I bought recently but now it says that the connection status has no response from the remote server and I really need help to troubleshoot this problem



Subnetting Redundancy (many hundreds of subnets)

So what I'm trying to accomplish seems quite simple but I can't figure out the best way to do it and I'm starting to question if what I'm trying to do is even possible - L3 redundancy without using something that "eats" 2 extra addresses out of a subnet to provide said redundancy.

Working at the level where I'm struggling is a set of core/distribution switches that are responsible for subnetting out an IP block into a bunch of smaller blocks (/29s), one per VLAN. These two switches are N3ks and I have a VPC set up between them, and each provides 1 link to an N9k rack switch.

So on layer2 everything appears to work properly as expected. On layer 3, things actually seem to work (surprisingly) by having an identical VLAN on each of the 3ks configured with the exact same ip/mask, let's say 10.0.0.1/29.

I don't think this is a correct config though, and that's supported by log lines like this:

Source address of packet received from 00ea.bd68.f001 on Vlan101(port-channel10) is duplicate of local, x.x.192.9

with .9 being the gateway address of this subnet that's indeed duplicated by being configured on both of the 3ks.

Am I mixing layers and things together that aren't supposed to work? If not, what's the step I'm missing to get the 3ks to cooperate better and not complain about duplicates that I thought VPC was supposed to handle? I'm wondering if I have a very poor understanding of VPC.

As far as alternatives, are there any? I know Juniper has VC and others have similar things but that still has a single point of failure on the control plane. Perhaps the only way to accomplish this is by eating IPs so you have 2 physical/1 virtual?

Thanks for any and all advice/feedback!



Firewall behind a SD WAN solution (Velocloud)

Prior to implementing SD WAN solutions in our environment, our company was using a SonicWall connected to our ISP and core stack. Now, our two ISP circuits are connected to the Velocloud; there are two LAN ports that connect to our infrastructure. One is connected to the LAN port of the Sonicwall for VPN, and the other to our core stack. This was done by the implementation team from our MSP.

With this new setup, we're having issues connecting to Azure via point to point tunneling. However, our remote employees have no issue connecting to the VPN when off site.

My question is regarding best practices when connecting a firewall behind an SD WAN solution. Does anyone have any experience with this scenario? Establishing connection to the Azure cloud is critical to our next steps with our company.

I have been informed by my MSP that the Velocloud is capable of VPN and point to point, however, the SonicWALL is less than 3 years old and we still have support and warranty. We're not quite ready to see this purchase as sunk cost. Our initial move towards SD WAN was for aggregation and redundancy (DIA lines from competing ISPs). Looking for advice from the community of experts.



Nexus VDCs....how many do you?

Simple question. For those that are running Nexus 7000s or 7700s, how many VDCs are you using?

I’ve been told by a couple of VARs that 4 is the most they have seen.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.



A way to show young students what a network/networking is

I am trying to find a way to do a table demonstration of networking, either high tech (VR) or low tech (pop-up poster), of what networks and network engineering entail. Something to pull students in.

Any ideas or someone who is already doing this? What works? I am looking for proven methods and examples.



Hi, how do you deploy large number of switches within a short period?

As above, let's say 50+ access and distribution switches in 2 months. How do you push out the config? All I have seen is lots of copy and paste, box by box via console.



GeoIP updates for owned IP Blocks, how does everyone handle these?

How does everyone manage the GeoIP coordinates for their various IP blocks w/ ARIN/etc?

I have some registered to our corporate office in Canada, but we are using them in the US and it's causing some services that do GeoIP lookups to mess up (being taken to google.ca, etc.). I submitted an update w/ MaxMind but I'm not sure if there are other places I should be updating/changing things as well.

I couldn't find any settings in ARIN on a per IP block basis for this, but maybe I was missing something.



Anyone use DAC cables with a Cisco 55XX Wireless Controller?

I am wondering if anyone has used DAC cables on a 5500 series WLC. We are moving ours and would like to replace the fiber uplink with DAC. Here's what TAC has to say:

In regards to the question about DAC cable support on the 5508 WLC, please make sure that those cables provide an equivalent interface to the following SFPs, which are the only ones supported by the WLC:

The Gigabit Ethernet ports on the Cisco 5508 Controllers accept these SX/LC/T small form-factor plug-in (SFP) modules:
- 1000BASE-SX SFP modules, which provide a 1000-Mbps wired connection to a network through an 850 nm (SX) fiber-optic link using an LC physical connector
- 1000BASE-LX SFP modules, which provide a 1000-Mbps wired connection to a network through a 1300 nm (LX/LH) fiber-optic link using an LC physical connector
- 1000BASE-T SFP modules, which provide a 1000-Mbps wired connection to a network through a copper link using an RJ-45 physical connector



Virtual Mobility Master - Device Type Block

Hello all !!

I need to create a simple SSID but with device type policies. Let me explain it....

I need that only computers can connect to my SSID and smartphones can't connect to it.

Is this possible with Virtual Mobility Master - Two 7020 controllers ????

Thanks !!



FS switch with loop-detection?

Hi all,

I recently got hold of some FS 3900 switches. Now I'm looking to test a few things out before putting them to work. One of the things that I really want to test and see working is the loop detection.
I think I found the right commands from this PDF: fs3900
The thing is, when I connect a UTP port on 1/1 and 1/2 to create a loop... how can I see if the loop is detected and what action is taken?

For now I see this:
Switch#show loopback-detection
Loopback Detection Global Information
Global Status : Disabled
Transmit Interval : 10
Recover Time : 60
Action : Shutdown
Trap : None

Loopback Detection Port Information
Port Admin State Oper State
-------- ----------- ----------
Eth 1/ 1 Enabled Normal
Eth 1/ 2 Enabled Normal



MX104 config

Dear fellow Reddit users,

A customer of ours has an MX104.

For this specific model there is:

- 4x10G built-in (2 of those are activated)->20G

- 4 slots for MIC cards: 2 slots are used with MIC-3D-2XGE-XFP -> 4x10G = 40G, 2 slots are free

The question is: could we add 2x MIC-3D-2XGE-XFP (= 40G), and would it work correctly, knowing that this device has a max power of 80 Gbps?

Thanks in advance!



NetDevOps: Testing in CI/CD pipeline

I’m trying to get my head wrapped around something while I’m trying to develop a CI/CD pipeline POC.

This all revolves around the testing portion on a checked out branch using VIRL. We have many sites and data centers all with their own IP address schema and one off environments. Other than that, they are mostly standard. How can one test this in VIRL with all these differences. This works for software, but I’m trying to understand how this works with so many variations in network.



How do you quickly map topologies?

I am a newer phone support engineer at an Enterprise networking vendor. I find that when speaking to customers I have a hard time tracking their (sometimes extremely complex) topologies for troubleshooting. What tools (digital or otherwise) do you use to quickly map customer environments? I try to use the whiteboard in my cube, but I find it not as useful as one would think.

Your suggestions and replies are much appreciated!



Cable-diagnostics (TSR) statuses

I've never used the TSR feature on our Aruba switches before and I'm struggling to find much info on it.

What I'm after is a comprehensive list of the cable status entries and what they mean. I've just run one test on a port and some of the pairs are showing as "Inter-Short".

What does Inter-short mean?

I get that "Ok" means that something is connected and the pairs are working fine and "open" presumably means that nothing is connected to it, but what else might I see and what would they refer to?

Thanks



Controversial question about DHCP role

I know I might get roasted for this. The standard best practice is to "let routers route and servers serve" when it comes to having your firewall set as static and Windows Server handle DHCP and DNS, but I'm looking for some in-depth logic for why it wouldn't make sense to let a firewall run these networking roles. I can see a few added benefits, the most prominent being that web services would not be interrupted by a domain controller reboot. Firewalls have to be rebooted far less often than a domain controller, especially in current iterations of Server. Would it make domain authentication any slower? Would it make management of computers any less doable? What would be the pros and cons?

Please don't just parrot "Because that's the way it's done".



One Linux DNS server + multiple VLANs = DNS resolution dice-roll

I'm having some trouble with a single server that is intended to handle DNS duties for multiple networks/VLANs. Each time I have a workstation ping the DNS server's FQDN, the DNS server doesn't consistently point the workstation to the correct IP address respective to the VLAN the workstation is on.

I'd appreciate it if someone could point me in the direction of what I should research in order to make this work. Days of Googling have led me down false rabbit holes. What I'm trying to do seems like it should be a basic thing, but I know just enough about Linux to get myself into trouble.

A more verbose description of the situation is below.

Scenario and environment:

1 - I have a Univention 4.4 server (basically a fancy Debian distro) intended to serve as a domain controller and DNS server for each of our networks/VLANs. It is to be known on each by the FQDN of uni1.bz.mycompany.net.

2 - The server has a single NIC and three virtual interfaces, configured as follows:

  • 10.1.1.10 /16 [Physical Network]
  • 10.2.1.10 /16 [VLAN02]
  • 10.10.1.10 /16 [VLAN10]
  • 10.100.1.10 /16 [VLAN100]

3 - I have added DNS Reverse Lookup records accordingly, which point those respective IP addresses to uni1.bz.mycompany.net.

Problem:

Any workstation on any VLAN should be able to "ping uni1.bz.mycompany.net" and be resolved to the appropriate IP address (e.g. 10.2.1.10 for VLAN02, 10.10.1.10 for VLAN10, etc). That is not happening.

Instead, a run of "ping uni1.bz.mycompany.net" from a workstation will resolve randomly to any one of the server's four IP addresses, regardless of VLAN.

In other words (and for example), a workstation on VLAN02 that runs "ping uni1.bz.mycompany.net" will only have a one-in-four chance of being correctly directed to 10.2.1.10, and a three-in-four chance of being incorrectly directed to one of the other IP addresses (10.1.1.10, 10.10.1.10, or 10.100.1.10) instead, which naturally would be unreachable to that workstation.

Expectation:

The DNS server is expected to point workstations to the correct IP address respective to whatever VLAN the workstation is on. If the server receives a DNS lookup request from a workstation on VLAN2, it should respond with the appropriate VLAN2-specific address, etc.

Thank you!
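The one-in-four behaviour described above is what a single zone holding four A records for the same name produces: the server hands back the whole record set (typically rotated on each answer) and the client takes the first address without any regard to its own VLAN. Getting a VLAN-specific answer needs the server to choose by the querying client's source address. The following is an added example, not code from the post or from Univention, contrasting the two behaviours in Python. The four records and their /16s are the ones listed in the post; the client addresses are constructed.

```python
"""Round-robin vs source-aware answers for a multi-homed name.

Added example, not from the original post. The four A records and the
/16 each belongs to are taken from the post; client addresses are
constructed for illustration.
"""
import ipaddress

# One A record per VLAN subnet, as the post lists them.
RECORDS = {
    "10.1.0.0/16": "10.1.1.10",      # physical network
    "10.2.0.0/16": "10.2.1.10",      # VLAN02
    "10.10.0.0/16": "10.10.1.10",    # VLAN10
    "10.100.0.0/16": "10.100.1.10",  # VLAN100
}


def round_robin_rrset(addresses, query_number):
    """One zone holding all four A records: a typical authoritative server
    rotates the RRset on every answer, and the client uses the first one."""
    k = query_number % len(addresses)
    return addresses[k:] + addresses[:k]


def first_choice_distribution(addresses, queries):
    """How often each address ends up first over `queries` lookups."""
    counts = {addr: 0 for addr in addresses}
    for q in range(queries):
        counts[round_robin_rrset(addresses, q)[0]] += 1
    return counts


def view_answer(records, client_ip, default=None):
    """Source-aware (split-horizon) answer: return only the record whose
    subnet contains the querying client's source address. BIND implements
    this with views and match-clients. Assumption: the server sees the
    client's real source address, i.e. there is no forwarder in between,
    otherwise every query appears to come from the forwarder's subnet."""
    ip = ipaddress.ip_address(client_ip)
    for cidr, addr in records.items():
        if ip in ipaddress.ip_network(cidr):
            return addr
    return default


def compare(client_ip, queries=400):
    """Side by side: what round robin hands a client vs the per-VLAN answer."""
    addresses = list(RECORDS.values())
    return {
        "round_robin": first_choice_distribution(addresses, queries),
        "per_vlan": view_answer(RECORDS, client_ip),
    }


if __name__ == "__main__":
    # A VLAN02 workstation: round robin puts each address first 25% of the
    # time, the source-aware view always returns 10.2.1.10.
    print(compare("10.2.55.9"))
```

The forwarder caveat in `view_answer` is the one that bites in practice: if workstations point at a caching resolver that then asks this server, the view is matched against the resolver's address, not the workstation's, and every VLAN gets the same answer again.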



I don’t “get” SD-WAN

This might be a stupid post but I’m struggling to really understand the purpose and power of SD-WAN. I’ve tried to search YouTube for real world examples of SD-WAN in action and see how people actually configure it but all I see is a bunch of marketing wank and slideshows with cloud diagrams all over them.

Is it basically just a fancy GUI that sits on top and cranks out standard configurations? Does it really do anything that can’t be achieved by knowing correct syntax and properly building a network? Is it aimed at organizations that may not have a full time network engineer?

Basically what does it truly achieve that can’t be done by other means.



Advanced routing monitoring tool needed

Hi guys,

I've got a carrier-like backbone network running OSPF and ISIS (various parts used for different services) with BGP on top of it. I've got L3VPN and L2VPNs and it's all done on a whole bunch of ASRs.

I'm looking for a monitoring tool out there that could out of the box perform the following:

- Advanced routing protocol monitoring per VRF (i.e. receive traps and digest based on specific OIDs, because for example OSPF does not send the process ID in traps, but it does send the router ID, so if my backbone OSPF goes down I want to know, but if a customer PE-CE one in a VRF goes down, I don't care as much)

- Advanced routing path changes per vrf (regardless if it's next hop of BGP or an LSP path that changed)

- Advanced route changes: if I'm receiving 100 routes from a BGP peer, and suddenly I'm getting 92 of them, I want to know about this change via trap or inform.

Keep in mind that I have aggregate ports towards public clouds and a whole bunch of customers inside them, so I need the tool to be VRF aware and service-instance (EVC) aware as well. I'm currently checking LiveNX LiveAction, NetBrain and some others but I can't seem to find anything that would have support for VRF as per above.

Any tools come to mind? Observium does some of this, but it does not support SNMP traps so it's not ideal, as I'm dependent on polling timers or syslog captures.

thanks

Edit: Forgot to say, I'd prefer the tool to be on-prem and not SaaS but feel free to suggest.



Looking to replace ASA5505 - stick to Cisco, or are there greener pastures?

As the ASA5505 is going EOL, I'm looking to replace it with something new. The ASA5506 is the most obvious replacement, but reading some of the posts around various subreddits leads me to believe it might be wise to look around for something other than Cisco, with the likes of Sophos and Fortinet mentioned among others.

It's used in a ~100 pc site, a handful of site-site VPNs(one to ERP provider, and a few to small remote offices) and 10-20 remote anyconnect users.

I can't say anything bad about reliability because it's been working fairly well for me. The management is quite a bit of a pain though, and it's one of the reasons I would be looking for something that's more straightforward to use (I have quite a lot of responsibilities, and battling ASDM/CLI is just eating up time I could use for other things). The other reason is that I hear mixed news about new Cisco products (buggy or not on par with same-priced competition).

Should I look elsewhere or just stick to 5506?



Service Provider Cost Savings

For those of you that have worked in the service provider space what are some ways you or your teams have driven down hardware costs? I see all this hype about white box PE routers, but the reality is that just isn't viable unless you are big enough (VzW, AT&T, Century Link, etc) to either build new software or heavily upgrade existing software options to suit your needs.



How disruptive is UDP broadcasting?

I'm developing a chat program and wondering how noisy/disruptive it would be to broadcast the host information as a datagram in a 1000ms/1s loop so clients automatically know how to connect.

How disruptive is it for a network to receive broadcasted UDP to all existing NICs/nodes in general and when is it too much? I wonder about the specific disruptive part where nodes receive a datagram and have to spend attention to drop/ignore it. I know certain clients do the communication entirely with UDP, I can't imagine the amount of noise having e.g. 10 clients doing 10x10 broadcasts all the time instead of just doing 10 connections to a TCP service, that's before the loss of reliability as well but that's not the question here.

I don't care about theorycrafting, I can do that myself. I'd like some actual analytical or gained experience with UDP datagram broadcasting and its potential detrimental effect on other local network traffic. Thanks.



Palo Prisma

Anyone trialed Prisma yet and if so, any good?

We're looking at differing solutions including various SD-WAN providers and Zscaler for local branch breakout, among other use cases. Having recently moved to Palos in our hubs I thought it'd be worth considering, but as it's semi-new there isn't much documentation or user reviews on the interwebs.

Thanks in advance :)



Wednesday, October 23, 2019

netstat on local systems shows high number of ipv4/6 Received Packets Discarded, Redirects, Failed Connection Attempts, Reset Connections and Segments Retransmitted

I've been troubleshooting various "network slowness" issues and other things and I've checked and double-checked network switch statistics and ports and various things but nothing really stands out screaming "this is the problem!". I did notice there was one switchport that had very high Received Packets Discarded and I traced it back to a regular old user workstation. I did a netstat -s on it and saw that it was showing a continuously growing number of Received Packets Discarded and so I checked the NIC and ethernet cable and did a Wireshark pcap and some other things. One thing I also did was do a netstat -sp on about 6 other workstations and I am seeing pretty much similar results where systems show a varying degree of seemingly high ipv4/6 Received Packets Discarded, Redirects, Failed Connection Attempts, Reset Connections and Segments Retransmitted. Screenshot of two sample computers


I am just trying to determine if these stats are relatively normal or not. I don't seem to have near as many high stats on my local system so I'm guessing it has to do with the various apps users are using day to day (which I don't) or if there is something actually wrong with the network.


I am still researching all this stuff, I just thought I'd ask here to see if anyone could offer some decent insight.



DHCP Relay works, but also getting denied at gateway?

Hey everyone, something weird is happening and I'd like to figure out why.

I have a Watchguard M300 firewall doing routing for internal traffic across VLANs. I have DHCP relay set up and working, but in the traffic monitor I'm seeing DHCP replies getting denied at the Watchguard's gateway IP on the client VLAN. Here's some specifics:

VLAN 10 — Servers — 10.0.10.0/24 (DHCP lives here) — Gateway IP 10.0.10.1

VLAN 20 — Ethernet Clients — 10.0.20.0/24 (laptop lives here) — Gateway IP 10.0.20.1

Now my laptop requests an IP and the Watchguard helpfully forwards the request and the laptop gets the DHCP response. However when this happens I also see a deny in the traffic logs from the DHCP server to the client gateway 10.0.20.1 on udp/67.

Why is anything being sent there, and why does it still work? Is it something I'm missing/doing wrong in my DHCP config? I have firewall policies configured to allow DHCP from the client VLAN to the DHCP server and vice versa.

Any suggestions are appreciated. I guess it's not urgent if it is working, but you know, the only thing scarier than things not working when they should is things working when they seemingly shouldn't.
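The deny described above is consistent with how DHCP relaying works on the wire: a relay agent stamps its own interface address on the client segment into the giaddr field, and RFC 2131 (section 4.1) then has the server address OFFER/ACK to that giaddr on udp/67, not to the client on udp/68. The following is an added example, not code from the post or from WatchGuard, that models the RFC 2131 fixed header, what a relay does to a DISCOVER, and the server's reply-destination rule. The addresses are the ones given in the post; the client MAC, the transaction id and the offered address are made up.

```python
"""Where a DHCP server sends its reply when the request came via a relay.

Added example (not from the original post). It models the BOOTP/DHCP
fixed header from RFC 2131, builds a constructed DHCPDISCOVER, applies
what a relay agent does to it (fill in giaddr, increment hops) and then
applies the RFC 2131 section 4.1 rule a server uses to pick the reply
destination. Addresses are from the post; MAC and xid are made up.
"""
import ipaddress
import struct

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68
FLAG_BROADCAST = 0x8000
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr(16), sname(64), file(128): the 236-byte fixed BOOTP header.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
          "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")
IP_FIELDS = ("ciaddr", "yiaddr", "siaddr", "giaddr")
ZERO = b"\x00\x00\x00\x00"


def build_discover(xid, mac, broadcast=True):
    """A client's DHCPDISCOVER: ciaddr, yiaddr, siaddr and giaddr all zero."""
    flags = FLAG_BROADCAST if broadcast else 0
    header = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, flags,
                         ZERO, ZERO, ZERO, ZERO, mac, b"", b"")
    # option 53 (message type) = 1 (DISCOVER), then the end option
    return header + MAGIC_COOKIE + b"\x35\x01\x01\xff"


def parse_bootp(packet):
    """Unpack the fixed header into a dict; IPv4 fields as dotted strings."""
    d = dict(zip(FIELDS, struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN])))
    for key in IP_FIELDS:
        d[key] = str(ipaddress.IPv4Address(d[key]))
    return d


def relay_forward(packet, relay_interface_ip):
    """What the relay agent (the firewall's interface on the client VLAN)
    does before unicasting the request to the server on port 67: put its
    own address into giaddr if it is still zero, and increment hops."""
    d = parse_bootp(packet)
    if d["giaddr"] == "0.0.0.0":
        d["giaddr"] = relay_interface_ip
    d["hops"] += 1
    fixed = struct.pack(BOOTP_FMT, *[
        ipaddress.IPv4Address(d[k]).packed if k in IP_FIELDS else d[k]
        for k in FIELDS])
    return fixed + packet[BOOTP_LEN:]


def server_reply_destination(request, offered_ip):
    """RFC 2131 section 4.1: a non-zero giaddr means the reply goes to the
    relay agent at giaddr on the *server* port 67; only without a relay
    does the server address the client directly on port 68."""
    d = parse_bootp(request)
    if d["giaddr"] != "0.0.0.0":
        return d["giaddr"], DHCP_SERVER_PORT
    if d["ciaddr"] != "0.0.0.0":
        return d["ciaddr"], DHCP_CLIENT_PORT
    if d["flags"] & FLAG_BROADCAST:
        return "255.255.255.255", DHCP_CLIENT_PORT
    return offered_ip, DHCP_CLIENT_PORT


def trace_exchange(relay_ip="10.0.20.1", offered_ip="10.0.20.50"):
    """Same client DISCOVER, once seen directly and once via the relay."""
    discover = build_discover(0x3903F326, b"\x00\x11\x22\x33\x44\x55")
    relayed = relay_forward(discover, relay_ip)
    return {
        "direct": server_reply_destination(discover, offered_ip),
        "relayed": server_reply_destination(relayed, offered_ip),
        "relayed_hops": parse_bootp(relayed)["hops"],
    }


if __name__ == "__main__":
    for name, value in trace_exchange().items():
        print(f"{name}: {value}")
```

From a policy standpoint the server-to-relay leg therefore terminates on the firewall's own VLAN 20 interface at udp/67, which a rule written as "DHCP server to client subnet" does not describe; whether a particular firewall then logs that self-addressed traffic as a deny while still relaying it is product-specific and not something this example can show.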



Routers, ACLs, DDoS, & Resource Utilization

Hi All,

I’m posting this from a throwaway account out of precaution.

I've been a subscriber and lurking on this subreddit for many years. At one time, I thought about becoming a network engineer and took night classes for my CCNA and CCNP (both of which I became certified in). My career took a different turn and now I'm in a systems engineer / DevOps role. In previous roles, I've managed WAFs, but never enterprise firewalls.

Without getting into too much detail, I was in a meeting today about two of our internal networks being able to access each other. For reasons I won’t go into, a high level networking colleague claimed that by putting in explicit denies, it could cause undue stress on the firewall if a DDoS attack was launched from one of the networks to the other (however unlikely).

Is this concern legitimate? I was under the impression that firewalls will drop the packets before they are processed for routing. To me, traffic is traffic. If a DDoS attack occurs and the router can't handle the denies, then how is routing the traffic any less strenuous on its resources? The only way I can make sense of this claim is as a concern about the configuration size getting too large for the resources available to process it. I understand being protective of your equipment and the desire for high performance and high availability. But the argument doesn't seem accurate to me.

Your input is greatly appreciated!



Landed a Jr. Network Engineer position. I'm underqualified and need help negotiating salary

I'm currently IT support at a local manufacturer. It's pretty much tier 1 and 2 help desk, with a lot of business support responsibilities. I pull around 17/hr or ~35k a year, working in a major city in the deep South

The people hiring me know I'm underqualified, but the start of their newest contract involves a lot of line pulling, punch downs and hardware mounting which I'm good at.

The local director wants someone like me, fully aware of my skill set and where I fall short, so he can train me the way he wants to. I have to negotiate salary with the head office.

From what I've read a Jr. Network Eng. position averages 61k. How should I negotiate this salary, without coming across as arrogant or ignorant when throwing out a figure? Realistically, what salary range should I expect? It is government contracting and they will have me get a clearance relatively quick, and from what I understand the salaries for individuals in companies like this tend to be inflated. I'm 25 for what it's worth.

I'd really appreciate any feedback, suggestions or encouragement in general. Thanks for anyone taking the time to help me. I'm so excited.



netstat on local systems shows high number of ipv4/6 Received Packets Discarded, Redirects, Failed Connection Attempts, Reset Connections and Segments Retransmitted

I've been troubleshooting various "network slowness" issues and other things and I've checked and double-checked network switch statistics and ports and various things but nothing really stands out screaming "this is the problem!". I did notice there was one switchport that had very high Received Packets Discarded and I traced it back to a regular old user workstation. I did a netstat -s on it and saw that it was showing a continuously growing number of Received Packets Discarded and so I checked the NIC and ethernet cable and did a Wireshark pcap and some other things. One thing I also did was do a netstat -sp on about 6 other workstations and I am seeing pretty much similar results where systems show a varying degree of seemingly high ipv4/6 Received Packets Discarded, Redirects, Failed Connection Attempts, Reset Connections and Segments Retransmitted - see screenshot of these two computers


I am just trying to determine if these stats are relatively normal or not. I don't seem to have near as many counters on my local system so I'm guessing it has to do with the various apps users are using day to day or if there is something wrong with the network.


I plan to do as much research as I can but figured I'd also ask here to get a jump on it if anyone can provide some insight.



Why do gaming companies like to blame P2P issues on NAT?

I work at a college, so I get to support home devices like game consoles and Smart TVs on an enterprise network.

From my understanding when you want to play online with friends, the game devs can either use a P2P connection where one player hosts the match and everyone connects to them or just a dedicated server everyone connects to. Games like Destiny 2 on PC and most console games will use P2P.

That's all fine and dandy, but those games will report to the user that they have "Strict" or "D" NAT level since they're behind a firewall that doesn't want P2P or support UPnP. My problem is that it has nothing to do with the NAT settings. My enterprise firewall doesn't like all these outside connections trying to get in. That's literally its main job.

So why blame it on NAT? It was confusing for me and still is for my users.



Naming DMZs / Micro-Segmentation

Looking for ideas on security zone naming. I am creating multiple "DMZs" for segmentation.



Comware OSPF Default route in VRF (vpn-instance)

Dear /r/networking,

I'm trying to configure a simple lab with HP Comware L3 switches and VRF, and for some reason distributing a default route doesn't work in a VRF (aka vpn-instance in Comware speak).

The OSPF configuration is also simple. For some reason on R2 there is no default route in the vpn-instance. Maybe you know what I'm doing wrong?

Routers OSPF config below.

The R1 and R2 routing tables look like this:

===R1=========================================
[HP1-ospf-1]display ip routing-table
Routing Tables: Public
        Destinations : 9        Routes : 9
Destination/Mask    Proto   Pre  Cost  NextHop        Interface
0.0.0.0/0           Static  60   0     10.200.1.1     Vlan11
10.200.1.0/24       Direct  0    0     10.200.1.2     Vlan11
10.200.1.2/32       Direct  0    0     127.0.0.1      InLoop0
10.200.2.0/24       Direct  0    0     10.200.2.1     Vlan13
10.200.2.1/32       Direct  0    0     127.0.0.1      InLoop0
10.200.10.0/24      OSPF    10   2     10.200.2.2     Vlan13
127.0.0.0/8         Direct  0    0     127.0.0.1      InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1      InLoop0
172.31.1.1/32       Direct  0    0     127.0.0.1      InLoop0
[HP1-ospf-1]display ip routing-table vp
[HP1-ospf-1]display ip routing-table vpn-instance wifi
Routing Tables: wifi
        Destinations : 9        Routes : 9
Destination/Mask    Proto   Pre  Cost  NextHop        Interface
0.0.0.0/0           Static  60   0     172.24.1.1     Vlan12
127.0.0.0/8         Direct  0    0     127.0.0.1      InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1      InLoop0
172.24.1.0/24       Direct  0    0     172.24.1.2     Vlan12
172.24.1.2/32       Direct  0    0     127.0.0.1      InLoop0
172.24.2.0/24       Direct  0    0     172.24.2.1     Vlan14
172.24.2.1/32       Direct  0    0     127.0.0.1      InLoop0
172.24.200.0/24     OSPF    10   2     172.24.2.2     Vlan14
172.31.200.1/32     Direct  0    0     127.0.0.1      InLoop0
===R2=========================================
[R2]display ip routing-table
Routing Tables: Public
        Destinations : 8        Routes : 8
Destination/Mask    Proto   Pre  Cost  NextHop        Interface
0.0.0.0/0           O_ASE   150  1     10.200.2.1     Vlan13
10.200.2.0/24       Direct  0    0     10.200.2.2     Vlan13
10.200.2.2/32       Direct  0    0     127.0.0.1      InLoop0
10.200.10.0/24      Direct  0    0     10.200.10.1    Vlan101
10.200.10.1/32      Direct  0    0     127.0.0.1      InLoop0
127.0.0.0/8         Direct  0    0     127.0.0.1      InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1      InLoop0
172.31.2.2/32       Direct  0    0     127.0.0.1      InLoop0
[R2]display ip routing-table vp
[R2]display ip routing-table vpn-instance wifi
Routing Tables: wifi
        Destinations : 8        Routes : 8
Destination/Mask    Proto   Pre  Cost  NextHop        Interface
127.0.0.0/8         Direct  0    0     127.0.0.1      InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1      InLoop0
172.24.1.0/24       OSPF    10   2     172.24.2.1     Vlan14
172.24.2.0/24       Direct  0    0     172.24.2.2     Vlan14
172.24.2.2/32       Direct  0    0     127.0.0.1      InLoop0
172.24.200.0/24     Direct  0    0     172.24.200.1   Vlan102
172.24.200.1/32     Direct  0    0     127.0.0.1      InLoop0
172.31.200.2/32     Direct  0    0     127.0.0.1      InLoop0

Routers' OSPF config:

[R1]

ospf 1 router-id 172.31.1.1
 default-route-advertise always
 area 0.0.0.0
  network 10.200.2.0 0.0.0.255
  network 10.200.1.0 0.0.0.255
#
ospf 2 router-id 172.31.200.1 vpn-instance wifi
 default-route-advertise always
 area 0.0.0.0
  network 172.24.1.0 0.0.0.255
  network 172.24.2.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.200.1.1 description default-global
ip route-static vpn-instance wifi 0.0.0.0 0.0.0.0 172.24.1.1 description default-wifi

[R2]

ospf 1 router-id 172.31.2.2
 area 0.0.0.0
  network 10.200.2.0 0.0.0.255
  network 10.200.10.0 0.0.0.255
#
ospf 2 router-id 172.31.200.2 vpn-instance wifi
 area 0.0.0.0
  network 172.24.2.0 0.0.0.255
  network 172.24.200.0 0.0.0.255


Cisco Firepower VM licensing

Hi Guys,

Please help me with the Cisco Firepower licensing. I am really confused.

In 2017 we bought:

1x Cisco FireSIGHT Management Center Virtual Appliance License - 10 managed devices

4x AMP / URL / IPS licenses to manage our 4 ASA firewalls.

As expected AMP / URL / IPS licenses expired after a year and we got extensions in 2018 and 2019. All good here.

But what happens with the Cisco FireSIGHT Management Center Virtual Appliance License? Is this a one-off, or a yearly cost? The FMC is running fine, I just updated it to 6.4.0.6 using the web interface. But I noticed there is also 6.5.0 release, and it is not showing up using web GUI, so I logged into my Cisco account to download the update manually from there. It does not let me, saying I need more entitlement.

Do I need to renew my FMC license? Do I need smartnet for my virtual FMC?

If so, do I only need it to get new updates?

Cisco, why are you so confusing?!



Not holding professionals accountable for their knowledge is a toxic culture in Networking.

I've started to see somewhat of a worrying trend in Networking. There is a toxic culture of lack of technical accountability and pride in ability. I've seen it when two people sympathise over their lack of understanding on a topic like it's something to be proud of, as opposed to something that is a weakness, somewhat shameful and in need of fixing.

The conversation goes something like this:

Person_A: Oh I have no idea about how STP works

Person_B: Neither do I

Person_A: ha ha, it's too confusing

Person_B: I know right?

End of conversation

I have no issue with someone coming forward to say that they lack knowledge in an area, but this softening of expectations ("Oh, you're a CCIE who doesn't know STP") and just accepting it is really starting to worry me.

It seems that RTFM has become a swear word in most offices now and there is no accountability, just a big group hug between people who have NFI what they're doing. I'm not saying I have all the answers, but I felt that coming into the networking field it would have some of the professionalism of an "Engineering" (Mech/Tele/Elec) discipline, but that appears to have lost some of its lustre over the last decade. I felt that entering this field I would see a level of professionalism that would influence and rub off on my career. I've yet to see it.

Thoughts?



Using No-Export BGP community in IBGP to avoid becoming a transit AS

Hi All,

I am working on a new design for our border routing. I have our border routers (two MX80s) peering with our upstream providers. I am trying to avoid becoming a transit AS for any of our 3 upstream providers.

I was wondering if there is a way I can accomplish this using BGP communities? I am aware of AS-path filtering as an option, but wasn't sure if just sending No-Export to my iBGP neighbors could accomplish the same thing?

Thanks!



Ethernet rename

Okay, I'm a bit confused and maybe you guys can help me. I inherited the network that I am currently running, so I'm a bit lost. The issue I have is that when you physically plug an Ethernet cable into any computer, be it Mac or Windows, the Ethernet connection is already labeled as 'TEMP'. This is not the Wi-Fi SSID label; this is for a physical hard wire into any computer. I could bring in my laptop from home, plug in a cable, and it would say 'TEMP' is the connection. We are not on Active Directory yet, so it's not like anyone is logging into an AD and getting this info handed down from Windows, plus it happens on Mac, too. Anyway, could this be getting handed down from one of the Cisco switches/firewall/router? I've been tasked with changing the 'TEMP' name for our CEO because it's a pet peeve of his to see this.

I also reached out to our fiber provider to see if it was set up on our incoming router, but, they said that was not the label in the configuration of their router.

Any help would be appreciated.

thanks



Cisco's IPv6 Destination Guard analog in Brocade(extreme) MLX ?

Hello

I'm trying to figure out how I can protect my IPv6 networks (routed by MLX) from being flooded by ND packets when someone is scanning a whole IPv6 /64. In Cisco they have IPv6 First-Hop Security - IPv6 Destination Guard.

Is there something like this in Brocade MLX? https://documentation.extremenetworks.com/netiron/SW/62x/53-1005371-01_MatrixNetIron_6.2.0_RG_Sep2017.pdf



RRI on ASA as a redundancy mechanism does not work

tl;dr is at the bottom.

So I have a hub and spoke network. On the branch side, there is one ASA 5505 or 5506, with a static IPSec VPN to the data center, which has two ASA 5520s: one connected to ISP1 and the other connected to ISP2. Those two data center ASA 5520s connect to a layer 3 core switch at the data center running EIGRP. On the layer 3 core switch, there are static routes to the subnets of the branches, pointing to whichever ASA 5520 concentrates the VPN to that particular branch. This is obviously a problem if one of the data center circuits goes down, because it means I need to manually move the VPN over to the data center ASA 5520 that has the surviving circuit, and rebuild the VPN tunnel on the branch side to get them back up, ad nauseam. I need a way to automate this so that if one of the data center circuits goes down, all of the tunnels fail over to the surviving data center ASA/ISP circuit without manual intervention.

What has been suggested to me is RRI. Basically, on the branch side, you set a second peer IP on the IPSec VPN crypto map (1st: DC ISP1 peer, 2nd DC ISP2 peer). Then, you set reverse-route on the DC side ASA crypto map for that branch, which injects a static route into the DC, which you then redistribute into your IGP on the ASA. The end result is SUPPOSED to be that your IGP will learn of the branch's subnet dynamically through the reverse route on whichever ASA is currently holding the active VPN, which eliminates the need for static routing to the branch on the DC core switch, and that is supposed to facilitate the failover automation.

This is not what happens. What happens is that once the reverse route is injected on the DC ASA, the IGP learns about the branch subnet regardless of whether the VPN is up or not, so the core switch ends up installing two equal-cost routes into the IGP, which breaks the branch. To circumvent that, what I tried instead was to only set a reverse route on ONE of the DC ASAs for a particular branch and redistribute it into EIGRP, and on the other DC ASA, not set a reverse-route, but rather set a floating static route on the core switch at AD 240 for the branch's subnet. The idea is that when all is well, EIGRP learns the branch route at AD 170 via the DC ASA where the reverse route is set, and if it loses the VPN for any reason, that EIGRP 170 route goes away on the core switch, and it installs the floating static route at AD 240 to build the VPN via the other DC ASA. Once the main VPN is available again, EIGRP reroutes to the 170 route and everything falls back.

Doesn't work. The reverse route gets injected into EIGRP on the primary DC ASA regardless if the VPN is up or not, so the end result is the core switch always thinks the EIGRP 170 route is valid and failover doesn't happen.

Am I doing something wrong or does this just suck?

tl;dr: Setting a reverse route on the data center ASA and redistributing it into the IGP injects the static route for the branch into the core switch regardless of whether the VPN is up or not, and failover does not occur because the core switch always thinks the route is valid.



CISCO VTI Example

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html

I'm trying to set up a VTI between an ASA and a router. I'm following an official Cisco example at the link above, and I'm confused about the 'ip route 0.0.0.0 0.0.0.0 10.0.149.1' command on both routers, as I can't see the address anywhere in the topology. Unless I'm being blind.

Am I missing something?

I would think the gateway for that command would be:
R1 10.0.149.221 or 192.168.10.1
R2 10.0.149.220 or 192.168.10.2

Thanks


Powerline don't reset

Got 2 Comtrend powerlines. Trying to set them up. I only get a solid red light on status.

Tried to press config/reset for 10 seconds but nothing changes, it only stays solid red.

Ethernet doesn't go green & ap light doesn't come on at all

Any ideas or are they just faulty?



juniper mx204 virtual chassis

Hello, we are a small ISP and considering this router for usage in a DC as a peering router (we would like to provide full BGP in our DC, which we couldn't so far) and also for aggregating Metro-Access (L2VPNs to our core routers ASR9910)

It looks like the MX204 is now included in juniper flex program and we would need advance license for L2VPN stuff. https://www.juniper.net/documentation/en_US/release-independent/licensing/topics/concept/juniper-flex-program-support-for-platforms.html

Can someone confirm this?

Also, we would require an HA setup, so does this router support a virtual chassis active-active setup and MC-LAG?

We are a Cisco-only shop, so is there good documentation on how to set up a cluster of 2 MX204s? Also, how about ISSU, does it support it in virtual chassis mode?

I am asking specifically for this type of the router because I only found materials for the whole MX series.

Thank You.



Drowning in EAP confusion please someone throw me a lifeline

I've spent half the day trying to understand NPS and Authentication Methods. All the books say nice things, but when you stop and think about it, they make no sense at all. Asking for help is a last resort, but please someone throw me a bone.

Just imagine for a minute there's a switch / AP, a client and an NPS Radius Server.

  1. If you set up 802.1X for MSCHAPv2, you're going to get prompted for a username and password, you type the details, the password is used to hash a nonce, the NPS does the same on the other side, and if they match you have proof of password and network access. Nice and simple.
  2. If you set up 802.1X for Protected EAP, clients use the certificate to trust the identity of the NPS. TLS encapsulation is negotiated for the authentication process. Clients can then use MSCHAPv2 to authenticate knowing the connection is encrypted in a TLS tunnel. Nice and simple.
  3. If you set up 802.1X for EAP-TLS, the client and the server both have certificates signed by CAs that must be trusted on either end. Then certificates are exchanged such as with TLS, which allows the session to be encrypted.

There's 3 problems I have

  1. Do you still need AD credentials or is the certificate enough? One resource states that the Username and Password are exchanged first. After that the TLS session is established using certificates. This makes no sense, why would you send credentials before the session?
  2. Some resources say you cannot have Certificates and AD authentication at the same time. But wouldn't you need certificates to encrypt the 'session' and AD credentials for the accountability part of AAA. Or is the certificate being given to AD user object enough.
  3. The term TLS Session keeps being used. What does this even mean? Some resources make it sound like the session is there purely to encrypt MsCHAPv2 credential proof. Other resources make it sound like there is a persistent session. Which is confusing again because RADIUS is meant to be AAA, the Authentication and Auth make sense, but for there to be accounting this implies RADIUS is being always updated with information. How does that work? Are all packets proxied to RADIUS first and that is the session?

I'm just mostly confused with the order of everything. It makes sense with EAP-MSCHAPv2 and PEAP. Not EAP-TLS.

If anyone knows or even has a good resource that explains it that would be super helpful.



DHCP Client sends GUID as unique ID and not MAC

Hi All!

Having some trouble with a client in our Network. We use DHCP MAC Reservations for our Clients, so they keep the same IP Address. One of our Clients keeps getting an IP Address of our free Range instead of the IP Address from his reservation. When I check the Address leases of our DHCP Server, the unique ID of the lease from the problematic Computer is the GUID, which you can see in preboot instead of the MAC Address like all the other Computers.

Does anyone know how to deal with this problem? Cheers!

EDIT: Clients are Windows 7 and 10. DHCP Server is Windows Server 2012.
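As an added example (not part of the original post or any vendor's code), the following Python script shows which identifier a DHCP server keys a lease on: a client-identifier option (61) takes precedence over the hardware address in the BOOTP header, and only a type-1 client-identifier carries a MAC. The DHCP messages are constructed inline; the assumption that the GUID-keyed lease corresponds to a type-0 client-identifier wrapping a 16-byte UUID is this example's, not the post's.

```python
"""Which identifier a DHCP server keys a lease on: option 61 or chaddr.

Added example, not from the original post. It builds constructed DHCPDISCOVER
messages inline and shows that when a client sends a client-identifier
(option 61) that is not a type-1 Ethernet MAC, a reservation made on the
MAC will not match, which is the symptom described above.
"""
from __future__ import annotations

import struct
import uuid

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie after the BOOTP header
OPT_MESSAGE_TYPE = 53
OPT_CLIENT_ID = 61
DHCPDISCOVER = 1


def build_discover(chaddr: bytes, client_id: bytes | None) -> bytes:
    """Constructed DHCPDISCOVER: 236-byte BOOTP header plus options (RFC 2131)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, len(chaddr), 0,        # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x12345678, 0, 0x8000,       # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,        # ciaddr yiaddr siaddr giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,   # chaddr sname file
    )
    options = MAGIC_COOKIE + bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER])
    if client_id is not None:
        options += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    return header + options + b"\xff"  # option 255 = end


def parse_options(msg: bytes) -> dict[int, bytes]:
    """Walk the TLV option area and return {code: value}."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options: dict[int, bytes] = {}
    i = 240
    while i < len(msg):
        code = msg[i]
        if code == 0:            # pad, single byte, no length
            i += 1
            continue
        if code == 255:          # end of options
            break
        length = msg[i + 1]
        options[code] = msg[i + 2 : i + 2 + length]
        i += 2 + length
    return options


def lease_identity(msg: bytes) -> tuple[str, str]:
    """Return (kind, identifier) as a server keys the lease (RFC 2132 s9.14).

    If option 61 is present it takes precedence over chaddr. Type 1 means a
    6-byte Ethernet MAC follows; type 0 means an opaque, non-hardware
    identifier. This example assumes (the original post does not say) that
    the GUID leases seen in the DHCP console are type-0 identifiers that
    carry a 16-byte UUID.
    """
    hlen = msg[2]
    chaddr = msg[28 : 28 + hlen]
    client_id = parse_options(msg).get(OPT_CLIENT_ID)
    if client_id is None:
        return ("mac", chaddr.hex(":"))
    id_type, value = client_id[0], client_id[1:]
    if id_type == 1 and len(value) == 6:
        return ("mac", value.hex(":"))
    if id_type == 0 and len(value) == 16:
        return ("guid", str(uuid.UUID(bytes=value)))
    return ("opaque", client_id.hex())


def matches_mac_reservation(msg: bytes, reserved_mac: str) -> bool:
    """True only if the lease key is a MAC equal to the reservation's MAC."""
    kind, ident = lease_identity(msg)
    return kind == "mac" and ident.lower() == reserved_mac.lower()


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")  # constructed client MAC
    for label, cid in (
        ("no option 61", None),
        ("option 61 type 1 (MAC)", b"\x01" + mac),
        ("option 61 type 0 (GUID)", b"\x00" + uuid.uuid4().bytes),
    ):
        msg = build_discover(mac, cid)
        print(label, lease_identity(msg), matches_mac_reservation(msg, "00:11:22:33:44:55"))
```

The practical check on the server side is the same as `lease_identity`: a packet capture of the problem client's DISCOVER/REQUEST will show whether option 61 is present and what its type byte is, which decides whether a MAC-based reservation can ever match.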



Sky just announced a network freeze because of Brexit. Eh?!

Can anyone figure out why this is happening???

edit: UK based here



Can you use a PoE splitter to convert from 24V PoE to 5V DC with Gigabit speeds?

I need to check whether you can use a PoE splitter to convert from 24V PoE to 5V DC at Gigabit speeds.

The type of adapters I found allow you to connect an Ethernet cable from the PoE device to the adapter, and then connect the adapter's power and Ethernet to the non PoE device. However to my knowledge, this can only yield Fast Ethernet speeds. To avoid this, would it be possible to only connect the adapter's power to the non PoE device, and connect a separate Ethernet cable (just for data) between the two devices?

The reason behind my query is that I'm intending to get a Mikrotik Hex PoE RB960PGS Router and power 2 TP-Link EAP225 V3 access points using the 24V Passive PoE supplied through the router's stock power supply. (APs are not compatible with the Mikrotik's 802.3af/at protocols, and hence I must use Passive PoE). I'm also intending to get a switch, however there doesn't seem to be a PoE powered switch that can be powered through Passive PoE, as these are supplied by 802.3af PoE (example). This is why I'm considering the possibility to get a non-PoE powered switch and use a splitter to power it up without the need of an extra power outlet.

Thoughts?



Tuesday, October 22, 2019

Cisco RTU licenses clarification

We will be moving from Cisco WLC 2504 to 3504.

2504 used PAKs and license files.

I understand the 3504 uses RTU or SmartLicensing

My question is about RTU licensing.

If I buy a 3504 with no AP licences, I could “technically” use any amount of licenses (up to 150) without actually paying for them until we get audited/caught by Cisco and fall into a world of pain.

Is this correct?

Sorry if this sounds like a dumb question, but need to be very clear with not so tech savvy people who will be installing the equipment, and I’m still trying to get my head out of the PAK system.

Thanks!



Why NOT use eBGP as the only IGP?

Intro: We're a small firm, with not a very big network. Basically a DC setup and some access L3 switches for ourselves. We mostly build IT infrastructure stuff for our clients, but have some clients' stuff running on our infrastructure as well. I'm currently in the process of "upgrading" our own stuff as I'm the new guy. That means going from an old ASA to Firepower - I know... One of our architects is a hardcore Cisco fanboy, so nothing I can do about it atm.

The Big Decision: So I basically had to choose between OSPFv2 & OSPFv3 vs BGP. (Firepower has no neat GUI support for IS-IS).

My considerations: I will deploy dual-stack v4 & v6. I do not like OSPF. I do not like Ciscos FP implementation of OSPFv3 as a separate process for IPv6. I want to keep things as simple as possible, yet flexible.

Since I do not have a full mesh and want to use route reflectors, I decided to go with eBGP (complemented with BFD) as the only routing protocol on the network for our own devices. I have been doing some research and I still do not see why it would be a bad idea.

Please tell me why it is a bad idea.



Job Change question

So, I've been in IT for 25 years, I'm 47 now. I work as a network engineer for a large company with thousands of locations, got my current job at a 99% cisco shop because my company was acquired and they needed lan engineers. I was really a "do it all" type of guy, primarily focused on VMware at the time, had my VCP cert 6 years ago. So now I'm 100% Cisco and it's been a stressful 5 years. I manage, plan and implement huge remodels, upgrades, acquisitions all the time. But it's so stressful because I don't really know what I'm doing half the time - I'm not really a CCIE level who can just reconfigure and design stuff on the fly.

I've been offered multiple times over the years at my company to switch to the virtualization team, which needs help. I think I know that aspect of server, virtualization, etc.. better than I know my 100% Cisco networking role, which I struggle with, in fear of causing an outage or being alone doing a change at 4 am, where I can knock out 3k people from working in 3 hours if I didn't plan correctly or screw up.

So, I've been out of virtualization for 5 years - I'm looking for advice on whether or not I should just stay a network engineer or go back to virtualization. My current network engineer role is a lot of travel and stress upgrading or integrating new companies, managing teams of 10 people for a weekend, replacing and re-designing 50 switch sites almost quarterly. Sometimes I have to work 18 days straight, traveling across the country, sometimes driving sometimes flying. It's getting old, I get it done but so stressful since I'm never really sure I'm doing it right and hesitant to ask too many questions because then they'll know how little I actually know. Same pay, less travel, 90% sure less stress.

What do you guys and gals think?



How is the Hidden Node problem solved for mobile networks?

My understanding is that RTS/CTS packets are used as a last resort, is the simple explanation just "they're designed to not have that problem"? Or is this an issue only present within 802.11 networks?



setting policy incomplete in Cisco ACI ...

Is anyone around having seen "setting policy incomplete" in a Cisco ACI environment, causing a remote endpoint MAC not to be learnt, and traffic to that endpoint is flooded instead of switched? Google has not, TAC case open, they are also struggling

Would be awesome



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Help with Strange IPs

Hey all,

I have two odd IPs on one of my networks that are both outside the range of the configured network / VLAN. I have a /29 network with the IPs going from 97-104 (for example, 192.168.1.97-104 (not my VLAN but an example)). There are two IPs pinging at 192.168.1.135 and 150 that I can't find out what they are. They aren't in the ARP table of my router, which has all the VLANs listed and info. I can ping it, but can't do an arp -a as I only get what is on that VLAN. I tried it via a browser with no luck and tried to map to it from Windows with no luck....

What else can I use / try to find out what these are?



Need help with a circuit migration

I'm working with a remote site that is using an ISR 4300. Currently G0/1 is using an L3 circuit that we will be replacing with AT&T and G0/2 is on broadband.

I've been tasked to work with AT&T to basically replace the L3 circuit. We've already done the demarc extension and cable runs to the network closet. However, I'm trying to think of a way to do this without interrupting service. Should I fail over to the broadband circuit the night before and then provision all of the new BGP configurations to G0/1, class maps, netflow, subinterfaces, etc? Then when AT&T comes the next morning, should I have the technician plug in the new cable, and I can just do a "no shut" on G0/1 to bring up the new circuit? Will I need to shut down the broadband circuit in order for the BGP neighborship to occur once we're ready for test and turnup?



Bogon or Legacy Allocation?

I'm seeing some ranges being announced by an upstream that appear to be bogons, but upon further inspection may actually be pre-ARIN legacy allocations. For example 162.244.76.0/22, is that what I'm seeing here?
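As an added example (not from the original post), the Python below checks an announced prefix against the IANA/RFC special-purpose ranges that should never appear in the global table, plus a prefix-length sanity check. It only answers the "is this a bogon by definition?" half of the question: whether a range that passes is a legacy (pre-RIR) allocation has to come from whois/RDAP and IRR data, which this offline code deliberately does not query. The sample prefixes are constructed for the demonstration, apart from the 162.244.76.0/22 quoted in the post.

```python
"""Classify announced IPv4 prefixes as bogon or not.

Added example, not from the original post. "Bogon" here means the IANA/RFC
special-purpose ranges that should never be seen in the DFZ. A prefix that
passes this check may still be a legacy allocation or a hijack; settling
that needs whois/RDAP and IRR lookups, which this code does not do.
"""
from __future__ import annotations

import ipaddress

# Special-purpose IPv4 ranges (RFC 6890 registry and the RFCs it cites).
BOGONS_V4 = {
    "0.0.0.0/8": "this network (RFC 1122)",
    "10.0.0.0/8": "private use (RFC 1918)",
    "100.64.0.0/10": "shared address space / CGNAT (RFC 6598)",
    "127.0.0.0/8": "loopback (RFC 1122)",
    "169.254.0.0/16": "link local (RFC 3927)",
    "172.16.0.0/12": "private use (RFC 1918)",
    "192.0.0.0/24": "IETF protocol assignments (RFC 6890)",
    "192.0.2.0/24": "TEST-NET-1 (RFC 5737)",
    "192.168.0.0/16": "private use (RFC 1918)",
    "198.18.0.0/15": "benchmarking (RFC 2544)",
    "198.51.100.0/24": "TEST-NET-2 (RFC 5737)",
    "203.0.113.0/24": "TEST-NET-3 (RFC 5737)",
    "224.0.0.0/4": "multicast (RFC 5771)",
    "240.0.0.0/4": "reserved, incl. limited broadcast (RFC 1112)",
}
_BOGON_NETS = [(ipaddress.ip_network(p), why) for p, why in BOGONS_V4.items()]

MAX_PREFIXLEN = 24   # common DFZ policy: anything longer than /24 is not accepted


def bogon_reason(prefix: str) -> str | None:
    """Return why `prefix` should be rejected, or None if it looks routable.

    Overlap is checked in both directions: an announcement inside a bogon
    range is bad, and so is one that covers a bogon range (e.g. 192.0.0.0/2).
    strict=True rejects announcements with host bits set.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return f"malformed ({exc})"
    if net.version != 4:
        return "IPv6 not handled by this example"
    for bogon, why in _BOGON_NETS:
        if net.overlaps(bogon):
            how = "inside" if net.subnet_of(bogon) else "covers"
            return f"{how} {bogon}: {why}"
    if net.prefixlen > MAX_PREFIXLEN:
        return f"more specific than /{MAX_PREFIXLEN}"
    return None


def classify(prefixes: list[str]) -> dict[str, str | None]:
    """Map each announced prefix to its rejection reason (None = accept)."""
    return {p: bogon_reason(p) for p in prefixes}


if __name__ == "__main__":
    # Constructed sample of "what the upstream announced"; only the first
    # prefix is the one mentioned in the post.
    sample = ["162.244.76.0/22", "10.1.0.0/16", "100.64.0.0/10",
              "192.0.0.0/2", "162.244.76.128/25", "162.244.77.0/22"]
    for prefix, verdict in classify(sample).items():
        print(f"{prefix:20} {'accept' if verdict is None else verdict}")
```

Running it shows 162.244.76.0/22 is not in any special-purpose range, so by the RFC definition it is not a bogon; that is exactly the case where the next step is an RDAP lookup of the block to see who holds it and whether it is a legacy registration.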



Non-Meraki VPN peer inbound firewall rules don't work

Just a FYI in case you were expecting a feature that is on the dashboard to actually do something.

The section labelled "Site-to-site inbound firewall" would be perfectly suited to applying ACLs to inbound VPN traffic. For example if you have to build an IPSec tunnel to a 3rd party, and don't want to completely pull your pants down you might want to apply an ACL against this traffic.

The section is there, but it doesn't work. You can add rules and save them but when you navigate away from the page they're just gone.

Meraki TAC says the feature is on the dashboard by mistake.

My coworker says this is my fault, and I should have used the Make a Wish button to submit "remove all settings and fields that don't work and are there by mistake"

Edit: to their credit this broken behavior is actually documented: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior#Note_-_Inbound_Firewall_Rules



Cisco Prime Infrastructure Trainings???

Does anyone have a good source for training on using Prime Infrastructure?



Internet Protocols

Do you think we (the internet in general) could overhaul and create new internet protocols to replace TCP and UDP as they are so outdated? I feel they need to be replaced not optimised as they are built on old standards.



Arista PVST+ / Juniper VSTP

Juniper is made compatible with Cisco's PVST+ by using RSTP/VSTP. This works great.

Does this hold true for Arista's PVST+ implementation? Will Arista's PVST+ work with Juniper's RSTP/VSTP implementation in the same fashion?

If not how would you connect two Arista switches to two Juniper switches?



Dell vPC / MLAG

I have 2x Dell N2048 in my test lab. I configured vPC / MLAG on both switches. This is working and the status is Enabled and vPC is operational (show vpc brief).

Ping between both switches is working. But I cannot reach the internet with my laptop. If I connect my laptop to switch-1 I can reach the internet.

Also on switch-2 I see no MAC address and ARP entries from my ISP router. On switch-1 I see these MAC/ARP entries.

I use this guide for setting up vPC/MLAG: https://lapsz.eu/blog/2014/04/23/dell-n3048-multi-switch-lag-mlag/

The config is exactly the same.

Laptop and ISP router are in VLAN 10.

show vpc brief on both switches:

show vpc brief
VPC admin status............................... Enabled
Keep-alive admin status........................ Enabled
VPC operational status......................... Enabled
Self role...................................... Primary
Peer role...................................... Secondary
Peer detection admin status.................... Peer detected, VPC Operational

Peer-Link details
-----------------
Interface...................................... Po1
Peer-link admin status......................... Enabled
Peer-link STP admin status..................... Disabled
Configured VLANs............................... 1,10,100
Egress tagged VLANs............................ 10,100


Help?

Guys,

I've been studying for an exam and came across a question which I'm stuck on and I'm wondering if any of you can help me out. It's as below:

When looking at data packets on a network, how do you know which host is the client and which is the server?

  1. Client will request a destination port in the dynamic range and the server will be communicating with destination port in the common/application range.
  2. The client will request a low sequence number. The server will be communicating on a higher sequence number
  3. Client will request a destination port in the common/application and the server will be communicating with destination port in the dynamic range
  4. The client will request a destination IP greater than its own. The server will be communicating on an IP in the 200's.

Any help would be appreciated guys.
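As an added example (not part of the original post), the Python below encodes the two clues a packet analyst actually uses to tell client from server, which is what answer 3 describes: the client sends from an ephemeral source port to the service's well-known destination port, so the server's reply has the ephemeral port as its destination; and for TCP the client is whichever side sent the initial SYN (SYN without ACK). The packets are constructed tuples, not a real capture, and the ephemeral-port threshold is an assumption (the Linux default range starts at 32768; IANA's dynamic range starts at 49152).

```python
"""Tell client from server in a captured flow.

Added example, not from the original post. Packets are constructed
records rather than a real capture. Two heuristics, in priority order:
  1. TCP: the side that sent the SYN-only segment is the client.
  2. Ports: the client's destination port is the well-known/service port
     and its source port is ephemeral; the server's reply carries the
     ephemeral port as its destination.
"""
from __future__ import annotations

from dataclasses import dataclass

WELL_KNOWN_MAX = 1023   # IANA system ports (RFC 6335)
EPHEMERAL_MIN = 32768   # assumption: Linux default ip_local_port_range start


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters, e.g. "S", "SA", "A"; "" for UDP


def is_syn_only(p: Packet) -> bool:
    """First segment of a TCP handshake: SYN set, ACK clear."""
    return "S" in p.flags and "A" not in p.flags


def client_by_ports(p: Packet) -> str | None:
    """Port-range guess from a single packet: which address is the client?"""
    if p.dport <= WELL_KNOWN_MAX and p.sport >= EPHEMERAL_MIN:
        return p.src                     # request toward a service port
    if p.sport <= WELL_KNOWN_MAX and p.dport >= EPHEMERAL_MIN:
        return p.dst                     # reply coming back from a service port
    return None


def identify(flow: list[Packet]) -> tuple[str, str] | None:
    """Return (client_ip, server_ip) for a flow, or None if undecidable.

    A SYN-only packet is authoritative. Otherwise use the port ranges, and
    as a last resort treat the lower port as the service port (covers
    servers on registered ports such as 8080 talking to ephemeral ports).
    """
    for p in flow:
        if is_syn_only(p):
            return (p.src, p.dst)
    for p in flow:
        client = client_by_ports(p)
        if client is not None:
            server = p.dst if client == p.src else p.src
            return (client, server)
    if not flow or flow[0].sport == flow[0].dport:
        return None
    p = flow[0]
    return (p.src, p.dst) if p.sport > p.dport else (p.dst, p.src)


if __name__ == "__main__":
    # Constructed HTTPS handshake: 10.0.0.5 is the client.
    https = [
        Packet("10.0.0.5", 51514, "203.0.113.10", 443, "S"),
        Packet("203.0.113.10", 443, "10.0.0.5", 51514, "SA"),
        Packet("10.0.0.5", 51514, "203.0.113.10", 443, "A"),
    ]
    print("full handshake:", identify(https))
    print("SYN missed, ports decide:", identify(https[1:]))
    print("UDP DNS query:", identify([Packet("10.0.0.5", 40001, "10.0.0.53", 53)]))
```

The fallback matters in practice because a capture often starts mid-connection; when the SYN is not in the trace, the port ranges (answer 3's logic) are all you have, and they are a heuristic, not a guarantee: a client can use any source port it likes.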



Anyone encounter issues with pass through rj45 connectors?

I never have issues terminating ethernet cables, but I am really interested in trying out 'pass through' connectors, where the wires poke out the end and you snip them off.

Has anyone ever tried these before? Are there any drawbacks?



New Aruba Switches

Aruba just launched (or is about to launch) a new series of switches using their OS-CX:
https://www.arubanetworks.com/assets/ds/DS_6400Series.pdf
https://www.arubanetworks.com/assets/ds/DS_6300Series.pdf

What do you think about the new switches?



C9200 stack module question?

Cisco part C9200-STACK-KIT is two modules and 1 cable correct? Therefore you only need 1 of those per switch?



IPSec Stateless Failover

I'm trying to configure stateless failover on an ASR1000 running asr1001x-universalk9.03.13.02.s.154-3.s2-ext.SP.

I've found a few WhitePapers that go over it but my version can't run some of the commands needed to fully implement it. Any suggestions?



Question about Firepowers

Hey guys,

I have some questions about firepower and the command line(s) for it.

I recently was helping a senior engineer on a difficult VPN problem that we ended up having to call Cisco TAC multiple times on. As is the norm with TAC, they requested access to the command line for the FTDs and ran a bunch of commands I had never seen.

The one thing that really threw me for a loop was all the different command prompts on the FTD boxes. I was hoping someone here could help me figure it out. I tried googling it, but didn’t get very far.

So when I first log into an FTD, the prompt is just “>” I think this is called the LINA? What exactly is this?

Then from there, I normally enter “system-support diagnostic-cli” and that gets me to the “firepower>” prompt, which I can escalate privilege with enable. That operates closely to what I know, ASAs.

But there’s also the “connect fxos” from the LINA prompt. FXOS is the operating system that controls the FTD appliance, right?

It’s all really confusing to me. To complicate things more there’s also a local-mgmt for the FXOS which I think may have to do with the HA pair we run.

Basically, is there anyone here that can help explain the layers of a firepower?



Split of Internet bandwidth

My company has acquired 500M of internet bandwidth from a local ISP. We will need to split the internet bandwidth up into 100M to another company/building, 100M to another company/building and 300M to us. Each building has its own distribution switch and each distribution switch is connected to the core. Then the core is connected to the router and the router to the ISP. May I know what the term is called for performing such a bandwidth split? And how do I do it on the router? And for security reasons, we do not want the companies to interfere with one another.



ISP OLT/ONT

Anyone familiar with what big ISPs use for their OLT/ONT devices?

Or who manufactures them?

Working on an ISP project and intel seems limited on the web. Or perhaps I’m just not searching well enough...

Appreciate the help, friends.



Anyone know a cheaper (chinese clone) that does full screen wire mapping like the Fluke Network tester?

All of the sub $100 ones I have paged through on eBay do what I want but the LCD is half the size and they don't do a full screen wire map like the Fluke MS-2?

I often used this at my old job and new work won't fork out $200+. Thanks!



Dell Powerconnect 6200p Series

Hi,

I am new to IT profession. My experience on switches is 0.

I was learning about Juniper switches at work and I was able to do basic troubleshooting, not make a complete configuration though.

We are expanding into a new building and we are going to use some of our old equipment, our old Dell PowerConnect 6248P switches. Although I tried to find a guide online, I didn't find much. YouTube has a couple of videos that don't suit my needs to learn what I need. Dell's documentation is a bit confusing, since in there they guide you to use the web interface of their switches and not the CLI.

Does anyone have a clue where I can find more info about the PC 6200 series with configuration examples? Like a compact tutorial.

I'd be grateful for any help.

Thanks in advance.



Monday, October 21, 2019

Is stacking worth it?

We have a reasonably sizable network (150 switches across 10 or so buildings), and none of our switches stack. For those of you who buy stacking switches, what is the value? Our network is pretty static, and we haven't found non-stacking switches too impactful to our workflows. For those of you who pay extra for stacking switches, what is the benefit you get?



Meraki Secure Wifi Clients "Filtered" by 10.128.128.128

Hi,

I've just deployed a network infrastructure whose access layer and wifi are running on Meraki devices. I'm seeing a really weird effect that doesn't make networking sense to me. On my secure wireless SSID, most clients are able to function normally, both traversing VLANs to access local resources (such as office printers) and accessing the Internet. About 10% of them, however, are not able to ping the wireless gateway or access any local resources; yet they're able to route out to the Internet.

This is the message I see when the problem occurs. I think this IP is a dynamic Meraki internal device. (10.X.X.X here is a local VLAN gateway IP.)

Pinging 10.X.X.X with 32 bytes of data:
Reply from 10.128.128.128: Destination net unreachable.
Reply from 10.128.128.128: Destination net unreachable.

I'm told by our managed services provider that there are no firewall rules or traffic-shaping policies that would produce this effect. I do think there are some QA problems with the deployment; for example, DNS resolver IPs handed out by our firewalls for the SSID VLANs might differ from the configs on the WAPs themselves. (Investigating that.)

NB: This is not a guest SSID I'm talking about. If experienced across the board by all clients, then what I described would be expected behavior on an insecure wireless network.

Does anyone have any leads I can explore? This is maddening. Thanks!



Any good IT Asset Inventory Software?

Hey guys,

Have any of you had any experience with good IT asset inventory software? I know that there is software that scans the network and gets CPU, RAM, Disk Usage we already use that. I'm looking for software that inventories non-networked and non computer stuff like monitors, bar code scanners, rack equipment, and other mounting equipment ect.

We currently use Excel spreadsheets but that has quickly turned into a sh*t show as multiple versions showed up of the same spreadsheet. Then different spreadsheets in different formats with different information all for the same product appeared. It is extremely aggravating referencing an old spreadsheet with bad data when talking to higher-ups.

It would be extremely nice to have a software program that tracks all these "non-computer" (but IT related) things that our IT dept is responsible for. I know of some inventory software that you can enter the product and link to the contact information of the vendor (and also warranty and license data) so when it is time to buy more the procurement process is super fast. But that is for mostly non-IT related things and very expensive so I'm not sure that would work well in an IT dept.

Do any of your guys' IT departments use IT asset inventory software and does it work well for you?



5 Building Network Architecture/Diagram

I'm creating a sample network diagram for a course and have the following requirements:

Each building is about 500 meters apart.

These buildings were wired with Category 3 UTP running 10BaseT Ethernet. (They now need Cat 6 because of 1Gbps requirement)

Mandatory 1000Mbps to Desktops

A connection to the Internet, routers, switches, printers, cabling, PCs, and firewalls.

My thoughts:

Create 5 separate 1 level buildings or representations of buildings

Each has a switch connecting to a central node/switch at a main building (2 stack Cisco switch preferably)

One Network Printer (anything)

Firewall is hardware or software based (located at central switch/node)

I show one Desktop per building representation (any brand)

*Ports and advanced network information are not needed for this diagram, just basics.*

Questions:

How do I show cat 6 cables on this diagram?

Where would the internet go on this diagram?

Where is the router on this diagram?

Disclaimer: All of this is being done with Visio



Noob Cisco Wireless Question

I just set up a Cisco 5508 WLC and a 3702 AP. The AP is in FlexConnect mode. Both the link to the WLC and AP are trunks. Both are using VLAN 255 as their management IP. Facing the AP I used "switchport trunk native vlan 255", and am able to reach it over its management IP.

My question is, how do I set up an SSID to use VLAN 100 (or any other VLAN)? When I go into my AP, under the FlexConnect tab, VLAN Mappings, it shows the WLAN, but says it's a "Centrally switched WLAN". It's grayed out to specify which VLAN it is in.

edit - I think I figured it out. I had to add an additional interface to the WLC, specified for the VLAN. Then I assigned that interface to the WLAN. Seems to be working.



Help with transport network architecting

My organization is implementing an instance of a global intranet at my site in five of my buildings. We’ll call that network NetX. NetX is carried through an IPsec tunnel over a black transport network. The team coming out to fully implement the network wants the black transport network up and running before taking the trip out.

Currently, a circuit is up and functional at the boundary of my site, and the black transport equipment is up and running in building 3, see picture linked below. The switch pictured in building 3 is connected to other networking equipment ending with an edge router that is connected to the outbound NetX circuit, but that’s not entirely pertinent information.

Three of my buildings have sufficient dark fiber to make direct connections from building 3 to each of them respectively using single mode fiber, but my problem is with the remaining building, labeled building 1 in the picture. This is a rather large site with several other networks so to carry all the data around we have Cisco NCS 2000 series DWDM nodes configured in an east/west ring configuration. The guy before me who had this project planned to leverage the ring as the backbone for the building 1 to building 3 connection and I’m trying to finish that effort.

Additional notes... the transport network relies on three VLANs. The subnets, per the supporting organization, need to be contiguous on all three VLANs on both sides of the building 1/building 3 trunk. There is no NCS 2000 series node in building 1, but to extend the reach of our core layer there is a distribution layer switch in building 1 to connect access layer services without the need for dark fiber between buildings 1 and 2 for each service.

The issue... I’m no DWDM admin but the way it’s been explained to me, you can create a point-to-point link that’s basically just a tunnel, transparent to the devices on either end regardless of VLANs. That would be great if I had an NCS 2000 node in building 1 but I do not; I need to go through the distro switch first. One of the three VLANs is already in use on the distro switch and it’s preferable to keep the data between services completely segregated. One leading suggestion is to use a GRE tunnel between the two NetX switches carried over the distro switch and DWDM, but I don’t know how well that will hold up trying to keep the three subnets contiguous on both sides of the tunnel. Would that mess with broadcast packets? Could that work? I understand GRE tunnels to be essentially a virtual serial connection between routers and any intro to networking class would teach routers separate networks, not extend them, so the contiguous VLAN requirement seems at risk with this solution. Is there any solution that you all can identify that would meet my needs?

My apologies in advance. My career has taken me into project management and when I was in network administration it was relatively simple layer 2 stuff anyway so you might lose me if you assume too much intelligence on my end. I’ve worked to google the situation, read up on tunneling protocols, and worked with the DWDM team to understand that system the best I can, but I’m finding all of the networking specialists on site aren’t bringing many solutions to the table, just shrugs, so I’m hoping this community might have the answers... or crush the effort definitively.

https://imgur.com/a/rqBI4Fu



VLANs on Cisco Switch

Hello to all! I'm currently trying to configure a switch with a VLAN. The whole topology consists of a router (R1), two switches (S1 and S2) and two PCs (PC-A and PC-B). S1 is connected to R1. S2 is not connected to R1 but only connected to S1. PCs are connected to the switches. On S1 I have to add a VLAN (VLAN 10) with some name. The network address is 192.168.10.0/24. When I want to assign an IP address to this VLAN 10, I use these commands:

interface vlan 10
 ip address 192.168.10.0 255.255.255.0

But then I get the message "Bad mask /24 ..."

Am I doing something wrong? Can I use these commands for assigning ip address to VLANs created by me? Or do they work only for the default VLAN (VLAN 1) Thank you in advance, your help will be appreciated!!
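As an added example (not from either post), the Python below uses only the standard library to run the two address sanity checks that come up in this thread: the "Bad mask /24" rejection above, which IOS gives when the address in `ip address` is the network (or broadcast) address of the subnet rather than a host in it, and, from the "Help with Strange IPs" post, which /29 block a host such as .97 actually sits in and whether an address like .135 can belong to that VLAN at all. The wording of the IOS error in the returned string is quoted from the post; the /31 and /32 handling is this example's own.

```python
"""Sanity checks for interface addresses and subnet membership.

Added example, not from the original posts. Standard library only.
"""
import ipaddress


def check_interface_address(addr: str, mask: str) -> str:
    """Return 'ok' or why `ip address <addr> <mask>` is rejected.

    A /31 (RFC 3021 point-to-point) or /32 has no separate network and
    broadcast addresses, so every address in it is usable. For anything
    shorter, the first and last addresses of the subnet are not hosts.
    """
    iface = ipaddress.ip_interface(f"{addr}/{mask}")   # accepts dotted masks
    net = iface.network
    if net.prefixlen >= 31:
        return "ok"
    if iface.ip == net.network_address:
        return (f"reject: {addr} is the network address of {net}; "
                f"IOS prints 'Bad mask /{net.prefixlen} for address {addr}'")
    if iface.ip == net.broadcast_address:
        return f"reject: {addr} is the broadcast address of {net}"
    return "ok"


def block_for(host_cidr: str) -> tuple[str, str, str]:
    """For a host address plus prefix length, return (subnet, first, last usable host)."""
    net = ipaddress.ip_network(host_cidr, strict=False)   # strip host bits
    hosts = list(net.hosts())
    return (str(net), str(hosts[0]), str(hosts[-1]))


def in_vlan_subnet(ip: str, host_cidr: str) -> bool:
    """Is `ip` inside the subnet that `host_cidr` belongs to?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(host_cidr, strict=False)


if __name__ == "__main__":
    # The command from the post, then a valid host address in the same subnet.
    print(check_interface_address("192.168.10.0", "255.255.255.0"))
    print(check_interface_address("192.168.10.1", "255.255.255.0"))
    # The example /29 from the "Help with Strange IPs" post.
    print(block_for("192.168.1.97/29"))
    for ip in ("192.168.1.100", "192.168.1.135", "192.168.1.150"):
        print(ip, "in VLAN subnet:", in_vlan_subnet(ip, "192.168.1.97/29"))
```

The second set of checks is the quick way to confirm that an address which answers ping but is absent from the VLAN's ARP table cannot be a directly connected host on that VLAN: if it is outside the subnet, the reply is being routed from somewhere else, and the place to look is the routing table and the upstream router's ARP cache rather than the local segment.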



Working at a VAR pros n cons

Hello, I work in the enterprise space. I have 7 yrs of experience between 2 companies both in the enterprise space and have been thinking about how it is from the VAR perspective. I am not sure what the pros/cons are. Do you love it? Hate it? Considering going back to the enterprise space?

I have a breadth of cisco/arista experience on the DC/RS side and currently working toward my CCIE RS.