Saturday, November 16, 2019

Ubiquiti Networks US-16-XG-US 10G 16-Port Managed Aggregation Switch - Use Case Questions

I have a client that wants to upgrade their networking and servers.
I am purchasing a 45Drives AV15 (Has 2x 10GBe) and a Server (With 2x SFP+ 10Gb)

I Don't have much experience with SFP Links

A question I have is:
I can't seem to find a definite answer and would like to know if the following setup will work. I've read that it's an "aggregate" switch but I would like to know if the SFP+ ports can be used as a standard 10Gb switch port. I am using the Ubiquiti fiber LC GBICs.

Ubiquiti Switch 1
10GB SFP+ -> Server SFP+ 10GB Port 1
10GB SFP+ -> 2nd Ubiquiti Switch
10GBe RJ45 -> Office Gigabit Network Switch 1
10GBe RJ45 -> Nas 10Gbe Port 1
10GBe RJ45 -> Server Gigabit Port 1

Ubiquiti Switch 1
10GB SFP+ -> Server SFP+ 10GB Port 2
10GB SFP+ -> 1st Ubiquiti Switch
10GBe RJ45 -> Office Gigabit Network Switch 2
10GBe RJ45 -> Nas 10Gbe Port 2
10GBe RJ45 -> Server Gigabit Port 2



Cisco Smart Licensing

Well since Ci$co has decided to drop the hammer on about 90% of my network hardware over the next three years I guess it’s time to start making a list.

Can someone explain to me the process behind Smart Licensing when the devices in question will never touch the internet? I know about the satellite on premises option but according to the white paper the server itself is supposed to be able to call home instead, which is also a no-go.



Bgp problem "open failed: Connection refused"

Hey guys, I am doing some labs to study BGP. I am doing a simple neighbor config, but it doesn't work.

I have a router in an iBGP setup working fine, but I decided to connect this router to an external AS "10". Could anyone help me please?

when I do a debug bgp:

*Nov 17 00:00:37.059: BGP: 20.0.0.101 open failed: Connection refused by remote host, open active delayed 18250ms (35000ms max, 60% jitter)

My config:

    router bgp 10
    neighbor 20.0.0.101 remote-as 30

The other router:

    router bgp 30
    bgp router-id 172.20.3.3
    neighbor 20.0.0.102 remote-as 10

Thanks



Cisco, it's 2019: your product images of 240x130px are not cutting it anymore.

Cisco's product photos are so damn small, it's like they're optimizing for dialup. How can a company in 2019 seriously expect someone to buy a $500,000 device when you cannot even make out what it looks like. If the photos are high res, the website still shows them blurry. Come on guys, this is pretty simple stuff.



Is the book, "The TCP/IP guide" by Charles M Kozierok worth it?

As you might be able to guess by the title, I am considering getting the book listed above. I have read some reviews that it is starting to show its age. I was curious what other people's opinions were of the book. Thanks in advance for any input!



How to view which ACK packets cumulatively acknowledge multiple data packets in a Wireshark trace?

Say I have a trace (I uploaded it here https://www.cloudshark.org/captures/d37a26bda955) and I want to view which ACK packets cumulatively acknowledge multiple data packets.
Now I know that cumulative acknowledgement is a process in which the receiver sends a single acknowledgement in response to a certain number of frames received. I guess my problem then would be:

  1. How can I find that certain number of frames, and subsequently,
  2. How can I view which ACK packets cumulatively acknowledge multiple data packets in a Wireshark trace?

From looking at the trace, to me it seems as though only packet 22 and 28 are ACKing multiple packets, but I am having a hard time figuring it out.
Thanks!

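One way to answer both questions offline, as an added example that is not from the post or the linked capture: walk the segments of one TCP conversation in order, keep the not-yet-acknowledged data segments per direction, and for every ACK collect the outstanding segments whose end falls at or below the ACK number. An ACK that releases more than one segment is a cumulative one. The segment list below is constructed for illustration (relative sequence numbers, as Wireshark displays them).

```python
from collections import defaultdict

# Constructed sample, not taken from the linked capture:
# (frame, src, dst, seq, payload_len, ack); ack=None means the ACK flag is not set.
SEGMENTS = [
    (10, "A", "B", 1, 1460, 1),
    (11, "A", "B", 1461, 1460, 1),
    (12, "A", "B", 2921, 1460, 1),
    (13, "B", "A", 1, 0, 2921),   # covers frames 10 and 11 in one ACK
    (14, "B", "A", 1, 0, 4381),   # covers frame 12 only
    (15, "A", "B", 4381, 100, 1),
    (16, "B", "A", 1, 0, 4481),   # covers frame 15 only
]


def cumulative_acks(segments):
    """Map each ACK frame to the data frames it acknowledges.

    Returns (acks, cumulative): acks is {ack_frame: [data frames]} for every
    ACK that releases at least one outstanding segment; cumulative keeps only
    the entries that release more than one segment at once.
    """
    outstanding = defaultdict(list)  # (src, dst) -> [(seq_end, frame)]
    acks = {}
    for frame, src, dst, seq, length, ack in segments:
        if ack is not None:
            # The ACK field in a src->dst segment acknowledges dst->src data,
            # so look at the reverse flow's outstanding segments.
            flow = (dst, src)
            covered = [f for end, f in outstanding[flow] if end <= ack]
            outstanding[flow] = [(end, f) for end, f in outstanding[flow] if end > ack]
            if covered:
                acks[frame] = covered
        if length > 0:
            # Record this segment's own data after handling its ACK field.
            outstanding[(src, dst)].append((seq + length, frame))
    cumulative = {f: frames for f, frames in acks.items() if len(frames) > 1}
    return acks, cumulative


if __name__ == "__main__":
    all_acks, multi = cumulative_acks(SEGMENTS)
    for ack_frame, data_frames in sorted(all_acks.items()):
        tag = "cumulative" if ack_frame in multi else "single"
        print(f"frame {ack_frame} acks data frames {data_frames} ({tag})")
```

The same tuples can be produced from a real capture by exporting frame number, addresses, tcp.seq, tcp.len and tcp.ack from Wireshark; delayed ACKs typically show up as every second data segment being acknowledged.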


Does PMTUD really exist?

Sounds like a stupid question I know, but everything I’ve read about PMTUD lacks any kind of examples or packet traces. I’m honestly not even sure when and where it’s actually used. I would like to see it in action on my network. I’m able to do tcpdumps or rspan to grab captures. Where do I look to see PMTUD? What does it actually look like on the wire?



Can you console into a Cisco device with this adapter?

Update: I just bought the USB serial cable, which I should have done yesterday xD. Appreciate all the responses, seriously, you guys have come up with great alternatives.

Hello everyone,

I had an issue where I needed a console cable to connect to a Cisco AP. In a bit of a hurry I went for this one (because it is small and compact):

https://www.amazon.co.uk/StarTech-Console-Rollover-Adapter-Ethernet-Blue/dp/B0035PS5AO

It is a rollover adapter. I just received it, but it seems like I chose the wrong one for a laptop to Cisco device connection, because my laptop does not recognize it. Does anyone have any clue if this could be done with this adapter?

I appreciate any response 💯



SNMP/Orion, y u do dis?

One of my N7Ks was working fine with Orion. Then it died. I swapped the chassis out and replaced the config from backup. Everything is working except for SNMP. I can't even snmpwalk the device. It gives me an error about its password (v3). Its vPC peer is still fine. I wiped all the SNMP related config from the RMA chassis and replaced it exactly with the config from its working peer. Still can't walk to it. I know there is a setting that references the MAC address that could still be using the MAC of the device that failed, but we do not use that.

Anyone have any ideas on what else can cause this? Thanks!



EVE-NG "add picture" option - How to add a picture / logo to a Topology?

I am trying to add my website logo to a Topology via "add picture" and it appears in the "Pictures" segment in the left hand column, but I can't get it to appear on the actual Topology.

Anyone successfully done this before? Input appreciated, thanks!



Zscaler Private Access

I am doing a POC and like the product. It simplifies VPN setup and connectivity but it's not cheap. Anyone else using it? I would like to hear your thoughts



looking for dedicated server / VPS hosting provider with BGP (exotic locations)

Looking for something like this https://www.reddit.com/r/networking/comments/44644l/dedicated_server_with_bgp/ but updated to the current situation and with options for more exotic locations that fall outside of the regular large hubs, mainly in Latin America (bonus points for Colombia and I'm already with Hostdime but kind of hate them), Africa, Asia (besides the obvious locations) and mainland China.

I've looked at various options, Netactuate & Vultr in particular but they don't really offer in exotic locations. I've spoken to Dedimax and they can resell just about any location, but only a few have the option to speak BGP there, which is what I absolutely need for doing anycast announcements / withdrawals.



EIGRP Properties as Distance Vector & Link State?

I'm currently studying for my CCNA and taking a closer look at EIGRP. Since eigrp is neither a distance vector nor a link state protocol but instead has features of both types and is therefore an advanced distance vector protocol, I'd like to know:

What are the Distance Vector properties that eigrp follows?

What are the Link State properties that eigrp follows?

From my understanding EIGRP's link state properties are:

  • neighbor relationships and sending hello packets
  • keeping information about the network in a topology table
  • not sending periodic updates like RIP, but only on topology changes and a full update once a neighbor comes up

EIGRP's DV properties:

  • split-horizon
  • successor/feasible successor routes based on the next hop

What else am I missing?

Thanks in advance and sorry for the shitty formatting (mobile)



Friday, November 15, 2019

wifi radius remote connection

hello

Is there any way I can connect to a WiFi RADIUS server from another location remotely with the IP address or anything, via some type of VPN?



Low cost Router SBC

Hi, I’m looking for a low cost SBC with a SFP port and minimum 2 Electrical ports. A comparable one is the SolidRun ClearFog Bass but I’m looking for other options to compare. Openwrt support would be a bonus but not mandatory. Max traffic expected is around 300M through the router. Any suggestions would be appreciated. Thanks



Proxy affecting specific applications

I am unsure if this fits here; if not, please guide me to where it would. After a migration to a new cloud proxy, a location with GRE tunneling has reported 2 issues. One was WhatsApp calls not connecting for all users, and now recently, for a few users, only Google Chrome is super slow. The support team tried reinstalling, cache related clearings, and still it persists, and they insist this is only after the migration.

Any ways I could trace this issue?



Grandstream access points, anyone?

The last time I had something to do with Grandstream was when I wanted to have an old fax machine connected to a VoIP PBX with a Grandstream HT286, which didn't work (I considered that VoIP ATA junk). But I saw Grandstream's GWN7630 access point. From the datasheet and release notes it looks interesting:

- MediaTek MT7615 chipset, no Broadcom, no Qualcomm... That Mediatek is considered low cost, right?

- 2.4GHz 4x4 (who needs that, but hey it looks better than 3x3...)

- 5 GHz 4x4 with MU-MIMO

- PoE+ in

- AirTime Fairness

- Dynamic VLAN Assignment with RADIUS Server and Wireless (good for eduroam)

- Inbuilt controller for 50 access points, something like Aruba's Instant, ok.

- no multicast/broadcast controls

- no SNMP, really?

- they promise 200+ clients; well, Aruba promises 1500 clients for its AP-555. I consider Grandstream's number more realistic...

- 802.11k/r/v roaming - good only if it really works

- ~100$, the last cheapish access points I bought were from MikroTik and those are really junk

So does anyone actually have experience with Grandstream access points in general, or perhaps in higher density rooms?



Setting alert for err-disable interfaces - SolarWinds

https://ift.tt/341WjzT

BGP redundancy for default route

Hello all,

We currently have 2 VPCs in AWS. We have 2 datacenters in 2 different cities that are connected to each other via a 1 gig circuit which we run EIGRP over. We have a total of 8 IPsec tunnels.

drawing of scenario:

https://imgur.com/a/JthkCM1

2 tunnels from DC1 to VPC 1

2 tunnels from DC1 to VPC 2

2 tunnels from DC2 to VPC 1

2 tunnels from DC2 to VPC 2

These tunnels are terminated on our 2 ASAs at the 2 different DCs. We plan on turning to route-based VPNs to use VTIs to peer with the VPCs via BGP for route exchange. DC1 is our default route DC, where we would like our DC1 firewall to advertise the default route so the default traffic comes to DC1. The DC1 firewall has a default route to the outside interface (internet 1) and has static routes to all the LAN subnets. DC2, on the other hand, needs to advertise a few subnets so that traffic bound for DC2 goes straight there instead of being routed through DC1 then back to DC2. The DC2 firewall also has a default route pointing outside (internet 2), so in case a situation comes up where the DC1 tunnels go down, the VPCs have a way to get to a default route from DC2... which brings me to my question. So the good thing here is that both my firewalls have all the static routes to each datacenter's LAN subnets: the DC1 firewall has all the LAN routes necessary to get to DC2 via the 1 gig link and the DC2 firewall has all the LAN routes necessary to get to DC1 via the 1 gig link. So my question is: what is the best way to advertise all these routes to be redundant like I explained? If the DC1 tunnels go down, all the routes necessary to get to DC1 need to be advertised via the DC2 firewall, then use the 1 gig link to get there. So I guess I would need to have both firewalls advertise all the same routes to the VPCs and just put weights on the routes, correct? Such as maybe prepend configs on the DC side?

For the sake of making this a little easier to explain, for this question, all I care about is traffic coming from the VPC to my datacenters; not the other way around....so just inbound traffic; not outbound.

My apologies if this sounds like a confusing question. Please let me know if you have questions. can't thank you enough



Suggestions for building an SLA?

I'm trying to create a simple icmp sla between two customer sites on our MPLS network. From site-A I ping sourcing the IP address of our ethernet handoff, to the customer router interface IP at site-B. Then repeat the process at site-B sourcing our IP address to the customer router interface at site-A.

Long story short, we do this instead of just pinging the A-B interfaces on our side due to a crazy bug which we have been experiencing which has been blackhole-ing our customer traffic even though our A-B has been reachable from our addresses perspective.

However, I want to repeat the process at site C, but there is no customer network hardware at site C. We hold the gateway address to a directly connected end host. However, the customer has told us that he does not want us to bounce pings off their end host as a means to detect connectivity issues.

Short of firing up an end-host of our own to sit on the same subnet, is there a better way to do this? I was testing on another switch here-- putting the VRF and gateway address on an SVI, then cross-connecting it to another port on the same switch that has a valid ip on the same subnet (but not in the vrf to avoid invalid ip issues), but that doesn't seem to work at all. Any suggestions?



Become part of my team



FWaaS

Word has come down from the god above to look at Firewall as a Service to replace our on-prem ASAs. We currently have an external firewall for internet/VPN concentration and an internal firewall for internal traffic segmentation and connections to some external agencies.

It looks like the FWaaS landscape is pretty small right now but who are the big players I should be looking at?



Dell Force10 Switch, how to tell if it is bricked

Alright so I was tasked with installing a Dell Force 10 managed switch for our business network. The switch was purchased off of eBay, I have no idea if it was listed as a for parts listing because this was bought before I started working here. Two people have tried to get this thing working, but they weren't successful.

The Model for the Switch is force10 sa-01-ge-48t.

I was able to research enough to figure out the Pin layout and configured my own RJ45 to DB9 connector. I also have a USB to serial cable which does read as COM3 on my computer. I set the correct settings in PuTTY for the serial connection and when I open the connection I just get a black screen in the terminal.

I'm at the end of my rope here, due to the fact that I can't for the life of me figure out how to get this thing to connect. The two people before me who tried to get it to work came to the conclusion that the switch was bricked. I'm starting to think the same thing as well.

Sorry if it's something obvious; I just started to do this stuff for our business and I'm still learning quite a bit. Knowing my luck, whenever I post to Reddit with a question it's something right in front of my face.



Why do we still recommend a standalone firewall / UTM & not virtual? Who offers best UTM VM?

I'm thinking of moving to virtualization of edge routers as our standard for clients with an existing on-prem server. Much more economical, and I really don't see the downside if it's set up right. Anyone else? What are you using?



HPE 5130 switch FIPS and public key based login

Dear all,

We have HPE 5130 switches in our infrastructure. The guy who configured them enabled the FIPS mode. From the document I could find, this is a security level which applies certain rules.

I've asked my colleagues about this FIPS and the answers I got are really vague. However, there seems to be one point where they agree: "don't login in the machine, otherwise, you'll have to connect every 90 days or your user/password will expire".

I searched through the HPE switch documentation and couldn't find this rule explained ("90 days or die").

I also saw that it is possible to configure a key based ssh authentication instead of password but I'm not sure if it's possible with FIPS mode "on".

So my questions are:

  1. Is this "90 days or you die" rule true or not? Can it be changed and keep the FIPS mode "on"?
  2. Can I really configure a FIPS enabled HPE 5130 switch ssh public key authentication?
  3. If the "90 days or you die" rule is true, does it also affect public key authentication (i.e. do I have to connect every 90 days even with public key authentication) ?

And if you're wondering why I didn't contact HPE support on this, it's because I've been told that we don't have support for these devices :-)

Thanks in advance for your help!



Cisco 9800 Controllers

Has anyone taken the leap and deployed 9800 controllers yet? We have a few small branch 2504's out there that need replacement and are making the decision between the 3504 and 9800L's. I was burned a few years ago on the 5760 platform/controller on a switch, was honestly surprised that Cisco went back down the road of the IOS based controller again. Cisco hasn't been able to come up with any real reference customers for the 9800's. I'd rather go with Aruba, but due to other decisions made and past company issues with Aruba wireless it isn't an option right now, and while I love what Ruckus does in the space, I can't trust Brocade/Ruckus/Arris/Commscope with all the uncertainty. Environment includes some mesh and P2P backhaul with 1562's outside and then primarily 2800's inside. No initiative to look at Wave 6 right now.

Biggest concern is the potential EOL of the AireOS platform. The 3504's have only been shipping for 2 years, but I don't want to buy something and then turn around and have it EOL'd shortly thereafter, while also not being convinced or sold on the IOS controller platform. What is everyone else doing with Cisco wireless?



SSLVPN Timeout - Best Practice

Is there any reason to not set SSLVPN auth-timeout to 0 i.e. infinite?

I'm thinking:

  • Security, if a user connects and forgets they connected they might be on the office network days after they initially connected
  • Technically? Not sure if there is an issue here


Checkpoint blocking traffic - reason: Address spoofing

So, I'm currently setting up a new WLAN (Cisco APs with Mobility Express as a controller) for our office. I currently have only one AP connected to test connectivity. The only problem so far is getting the time from the NTP server, as it is behind a Checkpoint gateway. I adjusted the rules on the Checkpoint to allow NTP traffic from the AP, but the Checkpoint keeps dropping the traffic with the reason "Address spoofing".

The AP's subnet is not directly connected to the Checkpoint, but the Checkpoint has a route to the subnet, if that is any help. Any ideas why the Checkpoint is blocking the traffic?



Question: NTP P:123 - Random IP Addresses

Hi Guys.

I have a security concern with a particular device on the network. It appears it's attempting to connect to various IP addresses using UDP:123. I cannot seem to work out why, or what the device actually is; it doesn't appear to have a hostname.

Any reason why it would be connecting to NTP on port 123?

(end point doesn't appear to be a Timeserver in most cases)

(Edit) Spelling.



Routing MTU / MSS issue

Hi, in our network design ( https://imgur.com/a/4mIiUl0), we have two paths for connectivity to the AWS cloud from our data centre: one via Direct Connect (primary) and one via IPsec (secondary). The MSS observed on the Direct Connect in the SYN packets is 1460. The MSS observed on the GRE over IPsec path is 1374, obviously due to the additional overhead of the tunnelling. In the edge case where traffic, for whatever reason, leaves the private cloud environment and returns via the Direct Connect, I have observed an issue where, due to the MSS that the servers on the AWS side announce, certain packets (the ones I have seen fail have DF set) can be sent back over the IPsec path that are larger than the maximum MSS and are subsequently dropped. My questions are as follows:

  1. What is the best way from a design perspective to cater for this?
     1.1 Would one way be to artificially adjust the MSS of SYN and SYN,ACK packets on R1?
     1.2 Or is the key for MTU to be adjusted on the relevant interfaces on R1?
  2. What actually happens with established TCP sessions when routing changes from tx and rx over the Direct Connect to tx via IPsec and rx via Direct Connect?
     2.1 Will sessions need to be re-established?
     2.2 What role does PMTUD play in this scenario?

Thank you



cloud managed wifi and switches for SMB

Hi!

I have a few SMB customers that want to upgrade their network with cloud managed devices.
I normally use Meraki, but for these customers Meraki will be too expensive.

I have some options:
1. UNIFI
2. Netgear insight
3. Wait for Meraki-Go to be released here in my country
4. Engenius Cloud

What do you guys recommend? other brands I should consider?



Wireless channels 169 and 173 - does anyone use them for client access on their APs?

No text found

Problems with RADIUS server

So we are currently getting an issue where users connected to our WiFi are losing their ID.

So we have a RADIUS server that is on our Cisco ISE controller that authenticates to AD. So if you want to connect to the WiFi you use your AD credentials. This is working fine, but for some reason the device loses the ID it connected to the WiFi with. This by itself is not a problem, since the user is already connected and has an internet connection.

The problem is that I work at a school and we block access to the internet during exams, and we need to block it on a user level. This is not possible when they lose their ID after being connected a while. Does anybody know how on earth I am supposed to solve this? Why are they losing their user ID after a certain amount of time??



how does an IAP device work?

I use an IAP device as a telephone. I don't know anything about it; how does it work? The signal source is about 12 km away. What specific signal does it use? It's connected to a receiver put on at about 10 meters height. I couldn't find anything about it on the internet. Specific information please. A photo of the device: https://twitter.com/hmz022011/status/1195260560033636352?s=09



Collapsed Core & Distr. OSPF B2B Best practice

Hello

If I deploy two devices as collapsed Core/Dist., connect them with a port-channel, and create a dedicated SVI with a VLAN for the back-to-back OSPF connection, in which area should this SVI be: Area 0 or the branch area?

Are there any benefits if I deploy two interfaces, one in Area 0 and one in the branch area?



Thursday, November 14, 2019

Purposes of an ISP provided switch?

We recently had a new internet service installed at our work place which uses a wireless point-to-point hardware versus fiber or cable. My only experience is with home ISPs but typically you get a modem which connects to a router. However, this ISP provided a 24-port PoE switch with the incoming connection from the point-to-point radio connecting to port 1, and the outgoing connection to our router on port 24. I asked the ISP if it's possible to not use the switch and just connect directly into the router but apparently that won't work. I have a basic understanding of switches (obviously not enough), but what is the purpose of the switch in this case? Seems kind of odd having a 24-port switch when only two are needed. My only guess would be perhaps for PoE to the radio?



Stealthwatch Incorrect Network Usage Reporting

I'm curious if anyone has experienced stealthwatch reporting incorrect internet usage... like 2 Exabytes of usage and 22 Petabytes of internet usage.

Not sure what to do about this -_-



Question About Port Mirroring

Hi all, when port mirroring on most managed switches, is the mirrored traffic just inserted to the mirror port WITH traffic that this port is already sending and receiving? I have a laptop I connect to with TeamViewer to support a client and need to inspect traffic from another device. I'm wondering if I can mirror to this laptop's port without interrupting normal internet traffic.



VRRP with a single router

I have a customer that wants cable redundancy from a single router to two switches. Is it possible to run VRRP with two physical interfaces on the same router? I can't say that I've tried.

If this were possible, I think the only way it would fail over is if you admin shut the port, right? It should always be able to "ping" its peer since they're on the same box.



Can You Help With This?

Hey, so my weakness is networking I guess you could say and I am having trouble with a branch of ours (I am remote at corp).

We have a fortinet firewall set up at a branch. We have a fax service that goes through faxfinder server at corp. A single user is unable to ping the fax server from their PC. We are not sure why. I am able to ping our core SW, I can even ping my pc here at corp from their PC at the remote site.

I do a tracert to the fax server and it will name-resolve the IP, and the hop dies after the first hop. The first hop is the firewall IP address, then hop 2 states "request timed out".

Is there something wrong with my VPN tunnel or maybe our switch back at corp? This seems to only be happening for this user.

Anything I need to look at? Do you need more info.? Let me know, thanks.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



LAN party looking to upgrade to 10 Gbps network, handled by a newbie

https://ift.tt/2rDTOFl

Sizing Layer 3 Switches

I'm in the process of planning some segmentation for our network to better isolate systems, but ran into some specs that have introduced some new questions I didn't know to ask. We have some el-cheapo SG-300 cisco switches that can do rudimentary layer 3 switching, but apparently they have some tight limits that might be a problem. From this link I gleaned this:

The SX300 switch, in layer 3 mode, will hardware switch up to 100 IP addresses. Once above the 100 IP addresses, it gets into software switching for additional requests. The routing module in the switch can report SFFT overflow conditions once that threshold is reached.

The MAC table can support up to 16000 MAC addresses. The IP table if I remember right should be maximum around 510.

However, this switch is designed for only 100 users. Anything above this can be beyond the capability of the switch.

I have realised now I have no idea how to "size" a layer 3 switch, or how to configure my topology to work around these limits. I was looking at ubiquiti's EdgeSwitch products and it appears in their admin guide on page 20:

The ARP cache can support 1,024 entries...

My intuition here says ARP cache >= # Hosts being routed is needed but I am not sure if that is correct, or even what effects a full cache would have on further clients. I assume it would mean constantly re-arping "who has x.x.x.x" if the switch was dealing with traffic constantly from more hosts than it has entries. Any guidance is appreciated.



How to send() a message through a socket that is 64 bytes in length, not including the protocol overhead?

I have a network that I am working with and I would like to test the round trip time of sending a packet and receiving it. Easy enough, I have a server and a client (client seen below) and I could measure the time it takes from sendall() to recv(). My issue is I want consistency in packet size so that my RTT values from each run can be adequately interpreted together. Does anyone know how I can form a request that is 64 bytes (arbitrary number I chose) in length exactly, not including the protocol overhead? Thanks!

    import socket

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_address = ('localhost', 10000)
    sock.connect(server_address)
    try:
        # Send data (as bytes: on Python 3, sendall() refuses a str)
        message = b"This is the message. It will be repeated."
        sock.sendall(message)
        # Look for the response; recv() may return fewer bytes than asked for
        amount_received = 0
        amount_expected = len(message)
        while amount_received < amount_expected:
            data = sock.recv(16)
            if not data:
                break  # peer closed the connection early
            amount_received += len(data)
    finally:
        sock.close()

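One way to get a request of exactly 64 application-layer bytes and a clean RTT per request, as an added example that is not the poster's code: pad a small header out to a fixed length, read the reply with a loop that insists on the full length (TCP is a stream, so one recv() may return less), and time from sendall() to the last byte of the reply. The in-process echo server and the use of TCP_NODELAY are assumptions for a self-contained, offline run; against a real server, only measure_rtt's connect target changes.

```python
import socket
import struct
import threading
import time

PAYLOAD_LEN = 64  # application-layer bytes per request, as chosen in the question


def build_payload(seq: int, size: int = PAYLOAD_LEN) -> bytes:
    """Return exactly `size` bytes: a 4-byte sequence number plus fixed padding."""
    header = struct.pack("!I", seq)
    if size < len(header):
        raise ValueError("size too small for the sequence-number header")
    padding = b"RTT-" * ((size - len(header)) // 4 + 1)
    return header + padding[: size - len(header)]


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a single recv() on a stream socket may return fewer."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before %d bytes arrived" % n)
        buf.extend(chunk)
    return bytes(buf)


def echo_server(listener: socket.socket, count: int) -> None:
    """Constructed test peer: accept one client and echo `count` fixed-size messages."""
    conn, _ = listener.accept()
    with conn:
        for _ in range(count):
            conn.sendall(recv_exact(conn, PAYLOAD_LEN))


def measure_rtt(host: str = "127.0.0.1", samples: int = 5):
    """Send `samples` 64-byte requests; return a list of (rtt_seconds, reply_matches)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))  # port 0: let the OS pick a free port for the test peer
    listener.listen(1)
    port = listener.getsockname()[1]
    peer = threading.Thread(target=echo_server, args=(listener, samples), daemon=True)
    peer.start()

    results = []
    with socket.create_connection((host, port)) as sock:
        # Disable Nagle so each 64-byte request leaves immediately; otherwise the
        # RTT would include the coalescing delay rather than the network path.
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        for seq in range(samples):
            msg = build_payload(seq)
            start = time.perf_counter()
            sock.sendall(msg)
            reply = recv_exact(sock, PAYLOAD_LEN)
            results.append((time.perf_counter() - start, reply == msg))
    peer.join(timeout=2)
    listener.close()
    return results


if __name__ == "__main__":
    for i, (rtt, ok) in enumerate(measure_rtt()):
        print(f"sample {i}: {rtt * 1e6:.1f} us, echo intact: {ok}")
```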

Physical Optical Loopback

I am turning up a new AWS DX circuit at one of our offices and have been struggling to create a BGP neighborship between my switch and the DX gateway. After a little troubleshooting I discovered the VLAN I was using on the trunk for the DX gateway was being blocked by spanning tree, although my switch says it is the root. When I run CDP neighbor I see my switch on the port that should be connected to AWS. My theory is my service provider has left in place a physical loopback on the circuit from when they were testing. Has anyone ever seen this or played around with looping a port back into itself, and what was the behavior you saw?



“Our systems have detected unusual traffic from your computer network”: has this happened to anyone, and did I do something illegal? Can I go to jail for it? What does this mean?

I'm really scared I might go to jail rn, because I was watching some porn and probably got into some illegal sites or something. Please give me answers, I'm scared af



Netflow aggregation / AS-stats replacement?

We currently use a couple of Juniper MX with uplinks to transit providers.

I'm using AS-stats (https://github.com/manuelkasper/AS-Stats) to graph per-ASN netflow data. This works fine for 16-bit IPv4 traffic, but doesn't work with IPv6 and 32-bit ASNs.

What's the easiest way to replicate this with something like pmacct?



Anyone here buy used Meraki? [Question]

I posted this over on r/Cisco as well, and figured I would post here too just in case some of you aren't part of that subreddit. :]

Does anyone here buy used Meraki, as long as they are unclaimed and ready to be claimed on your network? Also, if anyone has networking equipment they no longer need and want to sell. Feel free to PM me, and I would love to take a look at what you have.

Thank you.



Single IP stops responding to specific port

I need help with understanding why this happens. We have a server that stopped responding to calls on 443. When troubleshooting we can ping, remote in, and perform other tasks. The server listens on 80. We tested with calls from within the VLAN (we don't use inter-VLAN ACLs) and from outside the ACL. Finally we tested by changing the IP address and everything started working. My gut says that this is a server issue with its internal firewall, but the admin couldn't find any configuration blocking 443. We also tested loopback on 443 and it worked.



Hostname reference doc lost

For naming routers and switches in the field we use a PDF reference document and none of us can find it all of a sudden. Can anyone point us in the right direction as to the official name of this naming convention so we can get a new copy?

Example of a field router name is: ELPSTX04R01

We've always used a PDF and I stupidly never took the time to read anything about it. I just popped it open, got the state/city reference then closed it.



looking for router for load balancing/round robin

Hello,

I operate a number of large worker dorms in areas where satellite internet (ranging from 5-25mbps) is the only option. What I've been doing is setting up a separate dish/modem in different quadrants of the buildings, and people connect to the nearest access point.

Is there a router or technology available that can effectively load balance 2 to 5 different internet connections? At my urban offices I have used sonicwall but it works best as a failover, not necessarily load balancing

thanks!



Survey: Network Simulation - Which Tools Do You Know?

Dear everybody,

In an effort to analyse the current market for network simulation, we'd like to invite you and your colleagues to participate in the following survey on network simulation tools.

We are two students from the Cooperative State University Stuttgart, Germany, and conduct this survey as part of a student research project that aims to gather a comprehensive overview of current tools used in the field of network simulation.

Link to the survey: https://s.surveyanyplace.com/s/network-simulators

The survey takes about ten minutes and all of your answers are completely anonymous. By participating and sharing this survey with your colleagues you would help us a lot!

If you have any questions, please feel free to comment on this post.

Best regards,
Timo and Michael



Capture filter in Wireshark; remote mirror session from Aruba switch

I've configured one of our Aruba switches to forward inbound traffic to my desktop so I can capture it remotely in Wireshark. I followed this info.

I'm specifically interested in DHCP on UDP ports 67 and 68 but only at specific times - there is an issue with DHCP snooping that only happens randomly and infrequently throughout the day.

The transmission from the switch is wrapped up in udp port 9999 but if I set up the capture filter in Wireshark to watch traffic only from the source switch IP and UDP port 67 and 68 (ip src 192.168.xxx.xxx and udp portrange 67-68) I obviously see nothing as it's all coming in 9999.

Is there a way to filter what is captured, in this setup, or am I stuck with capturing all of it and then filtering on display?

I'd rather not have to capture all of it, continuously, all day because the problem I'm investigating happens intermittently and I have no idea when it's going to happen.

Many thanks
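A capture filter can look inside the UDP 9999 wrapper, because libpcap/Wireshark capture filters accept byte offsets into the UDP payload (`udp[n:2]`), so the filter can match the inner UDP port fields instead of the outer ones. The Python below is an added example, not code from the original post or from Aruba: it computes the offsets, emits the matching BPF expression, and checks the arithmetic against a constructed mirrored frame. The length of the vendor mirror header that precedes the mirrored Ethernet frame (`MIRROR_HDR_LEN`) is an assumption; read it once from a full capture (where the inner destination MAC starts) before using the generated filter.

```python
import struct

# From the post: the switch sends the mirrored frames to the desktop in UDP 9999.
OUTER_PORT = 9999
# ASSUMPTION: length in bytes of the vendor-specific mirror header that sits
# between the outer UDP header and the mirrored Ethernet frame. Measure it once
# in a full capture and set it here.
MIRROR_HDR_LEN = 4

ETH_LEN, IPV4_MIN_LEN, UDP_LEN = 14, 20, 8


def inner_udp_port_offsets(mirror_hdr_len=MIRROR_HDR_LEN):
    """Offsets of the inner UDP source/destination port fields, counted from the
    start of the OUTER UDP header, which is what BPF's udp[n:2] indexes.
    Assumes an untagged inner frame and an inner IPv4 header without options;
    an 802.1Q tag adds 4 bytes, IP options add 4 bytes per option word."""
    inner_udp = UDP_LEN + mirror_hdr_len + ETH_LEN + IPV4_MIN_LEN
    return inner_udp, inner_udp + 2


def bpf_filter(switch_ip, mirror_hdr_len=MIRROR_HDR_LEN):
    """Capture filter: only the mirror session from the switch, and only when the
    encapsulated frame carries UDP 67 or 68 (DHCP) at the computed offsets."""
    src_off, dst_off = inner_udp_port_offsets(mirror_hdr_len)
    ports = " or ".join(f"udp[{off}:2] = {p}"
                        for off in (src_off, dst_off) for p in (67, 68))
    return f"src host {switch_ip} and udp dst port {OUTER_PORT} and ({ports})"


def _udp_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Minimal Ethernet/IPv4/UDP frame (constructed; checksums left at zero)."""
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    udp = struct.pack("!HHHH", src_port, dst_port, UDP_LEN + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_LEN + len(udp),
                     0, 0, 64, 17, 0, src_ip, dst_ip)
    return eth + ip + udp


def mirrored(inner_frame, mirror_hdr_len=MIRROR_HDR_LEN):
    """Wrap a frame the way the mirror session does (constructed: switch
    192.168.1.1 -> collector 192.168.1.80, zero-filled placeholder header)."""
    return _udp_frame(bytes([192, 168, 1, 1]), bytes([192, 168, 1, 80]),
                      40000, OUTER_PORT, b"\x00" * mirror_hdr_len + inner_frame)


def inner_ports(frame, mirror_hdr_len=MIRROR_HDR_LEN):
    """Read the inner UDP ports at exactly the offsets the BPF expression uses,
    so the filter can be sanity-checked against a real captured frame."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4          # outer IPv4 header length
    outer_udp = frame[ETH_LEN + ihl:]
    src_off, dst_off = inner_udp_port_offsets(mirror_hdr_len)
    (src,) = struct.unpack("!H", outer_udp[src_off:src_off + 2])
    (dst,) = struct.unpack("!H", outer_udp[dst_off:dst_off + 2])
    return src, dst


def is_dhcp_inside(frame, mirror_hdr_len=MIRROR_HDR_LEN):
    return any(p in (67, 68) for p in inner_ports(frame, mirror_hdr_len))


# Constructed test traffic: a DHCPDISCOVER (68 -> 67) and a DNS query (-> 53).
DHCP_DISCOVER = mirrored(_udp_frame(bytes(4), b"\xff" * 4, 68, 67,
                                    b"\x01\x01\x06\x00" + bytes(236)))
DNS_QUERY = mirrored(_udp_frame(bytes([10, 0, 0, 5]), bytes([8, 8, 8, 8]),
                                51234, 53, bytes(32)))

if __name__ == "__main__":
    print(bpf_filter("192.168.1.1"))
    print(inner_ports(DHCP_DISCOVER), is_dhcp_inside(DNS_QUERY))
```

With the assumed 4-byte header the expression becomes `udp[46:2]`/`udp[48:2]`; if the switch tags the mirrored frame or the inner packet carries IP options, the offsets shift and the filter silently matches nothing, which is why `inner_ports()` is worth running over one real frame first. Capturing with this filter still only stores the matching mirrored packets, so it does address the "all day, all traffic" concern.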



Lan-to-lan VPN with Softether (server) and Draytek (client) - no routing

Hello

I've done several lan-to-lan vpns to connect two different sites using two identical devices (draytek routers). The configuration is easy and straightforward. One site uses the network 192.168.100.0/24 the other 192.168.200.0/24. A device on network 1 can ping network 2 and vice versa. Any L2TP client can also ping both networks.

Now the problem:

This customer uses an ISP-provided router that can't be managed by me. I can only request to open specific ports via email and pray that they do it correctly.

So, because I've used SoftEther before for remote-to-LAN connections, I thought that I could make a Draytek-to-SoftEther IPsec tunnel and route the traffic between the two networks.

SoftEther is running on a Windows computer with IP 192.168.11.10 (gateway 192.168.11.254).
Draytek is the gateway on the other site with IP 192.168.10.1.

I've created a user and password on the SoftEther server and, to test if everything is OK, I've remotely connected to the VPN using my phone's LTE connection and I was able to ping devices on the 192.168.11.0/24 network.

Now, I've created a LAN-to-LAN access on Draytek using the same user name and password combination. The VPN connects successfully but I can't ping any device. After reading the manual, I noticed that I should use the SoftEther "EtherIP/L2TPv3 over IPsec Server Function" for a site-to-site VPN connection. Now I can see that SoftEther lists 192.168.10.1 as connected and Draytek can ping the SoftEther server, but I can't ping the Draytek router.

So I thought that something is wrong with the routing tables. On the Windows machine I did "route add 192.168.10.0 mask 255.255.255.0 192.168.11.10" and now I can access the Draytek admin page from the 192.168.11.0/24 network BUT I can't ping any other device. Note: Draytek lists 192.168.11.0/24 via VPN on the routing table.

There is not a lot of information on the internet. I've tried to create an L3 virtual switch but maybe I did something wrong.

I kindly ask for advice from an expert, as I can't connect and route between both networks.



Share your opinion about Cisco DNA Centre

University student here, I'm currently studying IT and for my final year project I have been assigned "intent-based networking". One of the devices my professor assigned me was the Cisco DNA Centre server. I was given the freedom to design a network making use of it and I've been reading up about it. I'm a little rusty in networking but from what I understand it is like the next generation "all in one" for network management, assisting in deployment, application integration and comprehensive dashboards for logging, troubleshooting and the network at a glance. I'm quite impressed with the versatility it provides and the value it can add to a network.

I would like to know more about the real-world application of the DNAC, to those using the device right now, what do you use it for in your enterprise network and how does it bring value added results? I would love to hear in detail.



Physical switchboard with LibreNMS API integration

Hello r/networking,

For a few weeks now I have been working on and off on a project, given to me by u/sysvival (you may know him as the Wifi Banana Guy).

The goal of the project was to make a physical switchboard to display the status of the networking devices by turning LEDs on or off.

  • Green LED: Everything is in working order.
  • Yellow LED: A device has restarted within 24 hours.
  • Red LED: An interface has changed status from up to down.

To do this I wrote a script in python (my first ever Python script) to run off a Raspberry Pi. The script requests a list of all devices in the network from the LibreNMS API, and then sorts them by name.

After sorting the devices, checks are made to determine if any light other than the green should be on.

GIFs and pictures of the switchboard

(The APC device is just a random device we had laying around that I used for testing purposes.)

Pastebin link to the code

I would love to hear your feedback.

Cheers!
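The decision logic behind the three LEDs, written out as an added example (this is not the Pastebin script and not LibreNMS project code). It fetches device and port records from the LibreNMS API with the `X-Auth-Token` header, sorts by name, and picks one colour per device, with red taking precedence over yellow and yellow over green. The field names it reads (`status`, `uptime`, `ifAdminStatus`, `ifOperStatus`) are assumptions about the columns returned by `/api/v0/devices` and `/api/v0/ports`; the sample records are constructed.

```python
import json
import urllib.request

GREEN, YELLOW, RED = "green", "yellow", "red"
DAY = 24 * 3600


def fetch(base_url, token, path):
    """GET one LibreNMS API endpoint (e.g. path="/api/v0/devices").
    The X-Auth-Token header carries the API token."""
    req = urllib.request.Request(f"{base_url}{path}",
                                 headers={"X-Auth-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def led_for(device, ports):
    """Colour for one device. Red wins over yellow, yellow over green.
    ASSUMED field names: status (1 = up), uptime (seconds since boot),
    ifAdminStatus / ifOperStatus ("up"/"down") per port record."""
    if device.get("status") != 1:
        return RED                    # whole device unreachable
    if any(p.get("ifAdminStatus") == "up" and p.get("ifOperStatus") == "down"
           for p in ports):
        return RED                    # a link that should be up is down
    if device.get("uptime", 0) < DAY:
        return YELLOW                 # restarted within the last 24 hours
    return GREEN


def board_state(devices, ports):
    """Map hostname -> LED colour, in the sorted-by-name order the board uses.
    Ports that are administratively shut down do not count as failures."""
    ports_by_host = {}
    for p in ports:
        ports_by_host.setdefault(p["hostname"], []).append(p)
    return {d["hostname"]: led_for(d, ports_by_host.get(d["hostname"], []))
            for d in sorted(devices, key=lambda d: d["hostname"].lower())}


# Constructed sample records (shape is an assumption, values are invented).
DEVICES = [
    {"hostname": "edge-rtr", "status": 1, "uptime": 30 * DAY},
    {"hostname": "core-sw1", "status": 1, "uptime": 5 * DAY},
    {"hostname": "apc-lab",  "status": 1, "uptime": 3600},
    {"hostname": "wifi-ap7", "status": 0, "uptime": 9 * DAY},
]
PORTS = [
    {"hostname": "edge-rtr", "ifName": "ge-0/0/1", "ifAdminStatus": "up",   "ifOperStatus": "down"},
    {"hostname": "core-sw1", "ifName": "Gi1/0/24", "ifAdminStatus": "down", "ifOperStatus": "down"},
    {"hostname": "core-sw1", "ifName": "Gi1/0/1",  "ifAdminStatus": "up",   "ifOperStatus": "up"},
]

if __name__ == "__main__":
    # Against a live instance (URL/TOKEN are placeholders):
    # devices = fetch(URL, TOKEN, "/api/v0/devices")["devices"]
    # ports   = fetch(URL, TOKEN, "/api/v0/ports")["ports"]
    print(board_state(DEVICES, PORTS))
```

Keeping the colour decision in a pure function (`led_for`) separate from the HTTP fetch and from the GPIO code makes the board testable on a laptop without a Pi or a LibreNMS instance, and makes it easy to adjust what counts as "red" (for instance ignoring ports that are admin-down on purpose, as above).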



Having a three site p2p VPN but with only 2 IPSEC tunnels?

I was sure this was possible but I'm struggling to get it working.

I have an IPsec VPN from an ASA (in my control) to a third party (out of my control). I've connected another site via a new IPsec VPN to the ASA. What I want to happen is for this third site to connect to the ASA via the IPsec VPN and then be able to send traffic across the original IPsec to the third party.

I've enabled same traffic intra & inter interfaces and made sure the subnets are encompassed in the original VPN, but I cannot get traffic to come into the ASA via the IPsec VPN and then hop over the original.

Is it just a case where I'm mistaken and this isn't possible? I know I can do it via a client-based VPN fine.

Thanks



Problems with Firmware Upgrades using Extreme Management Center

I've been trying to get this sorted on our DEV switch all week and so far keep hitting the same problem. The firmware is downloaded and installed to the secondary partition, but then it just does not reboot.

The logs are less than helpful:

EXMC:
2019/11/14 1:30:00
Executing commands as USERNAME via PROTOCOL:

2019/11/14 1:30:07
Executing commands as USERNAME via PROTOCOL:

2019/11/14 1:33:50
Firmware Download summitX-22.7.1.2-patch1-11.xos(2): (IP) - Operation Complete. Downloaded summitX-22.7.1.2-patch1-11.xos :

2019/11/14 1:33:50
Check Device Status: (IP) :

Switch:
11/14/2019 01:33:50.42 <Info:AAA.logout> Slot-1: Administrative account (USERNAME) logout from PROTOCOL (IP)
11/14/2019 01:33:50.42 <Info:AAA.logout> Slot-1: Previous message repeated 2 additional times in the last 1 second(s)
11/14/2019 01:33:20.01 <Noti:EPM.install_status> Slot-1: User USERNAME: Image installation finished with status success.
11/14/2019 01:31:39.08 <Noti:EPM.Upgrade.Strt> Slot-1: User USERNAME: Image upgrade has started.
11/14/2019 01:31:38.96 <Noti:EPM.DnldStatus> Slot-1: User USERNAME: Download of image finished with status success; Image integrity check passed.
11/14/2019 01:30:26.47 <Noti:EPM.Upgrade.DnldImg> Slot-1: User USERNAME: Download image from hostname ip address IP file name FILEPATH/summitX-22.7.1.2-patch1-11.xos VR VRNAME
11/14/2019 01:30:12.96 <Info:AAA.LogSsh> Slot-1: Msg from Master : Did password authentication for user USERNAME (IP)
11/14/2019 01:30:12.96 <Info:AAA.authPass> Slot-1: Login passed for user USERNAME through PROTOCOL (IP)
11/14/2019 01:30:07.51 <Info:AAA.logout> Slot-1: Administrative account (USERNAME) logout from PROTOCOL (IP)
11/14/2019 01:30:07.50 <Info:AAA.logout> Slot-1: Previous message repeated 3 additional times in the last 1 second(s)
11/14/2019 01:30:03.01 <Info:AAA.LogSsh> Slot-1: Msg from Master : Did password authentication for user USERNAME (IP)
11/14/2019 01:30:03.01 <Info:AAA.authPass> Slot-1: Login passed for user USERNAME through PROTOCOL (IP)

I have made sure that the "restart devices after upgrade" tick box is checked but it seems that the reboot script simply isn't called

Any advice would be greatly appreciated



Private network blocks and their Subnet Masks confusion.

Hello /r/networking

I would love to get some input on why exactly it seems that /24 is the default mask for a Class 3 even though RFC 1918 clearly says it's a /16 for the Class 3 networks and Class 2 is /12. Why is it that in this modern era it seems forgotten what the actual standard is? I now know that RFC 1918 defines completely different numbers than I was taught in the past, but I would like to know why the text of RFC 1918 is ignored by so many instructors?

I personally find it quite weird that the real masks are being forgotten. Like a Class 2: nobody thinks it can actually carry 1048574 hosts even though that's the amount they can carry according to RFC 1918 when you calculate it. And nobody thinks that a Class 3 can carry 65k hosts even though that's the real number.

Well, when I say nobody I mean nobody that has not gone and gotten themselves the information straight from the source.

Maybe it's a more isolated example than I think that the masks defined in RFC 1918 are forgotten by a lot of users. Also, I use Class 1-3 instead of Category because I don't know why, actually. I know the wording in RFC 1918 is Category.

Please point out any errors in this post as I would love to learn about them.
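As an added illustration (not part of the post), Python's standard `ipaddress` module can show the three RFC 1918 blocks with their masks and host counts, how many /24 subnets each block can be cut into, and which addresses actually fall inside a block. The sample address list is constructed; it deliberately includes 172.32.0.1 and 172.15.255.9, which look private but sit just outside 172.16.0.0/12, a mistake that matters when such addresses are whitelisted or filtered as "internal".

```python
import ipaddress

# The three address blocks RFC 1918 reserves for private use.
RFC1918_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def block_summary(block):
    """Size of one reserved block and how many /24 subnets it can be cut into."""
    return {
        "block": str(block),
        "netmask": str(block.netmask),
        "usable_hosts": block.num_addresses - 2,   # minus network and broadcast
        "subnets_24": 2 ** (24 - block.prefixlen),
    }


def rfc1918_block_of(address):
    """The reserved block an address falls in, or None if it is not private."""
    addr = ipaddress.ip_address(address)
    return next((b for b in RFC1918_BLOCKS if addr in b), None)


def partition(addresses):
    """Split addresses (e.g. source IPs pulled from a firewall log) into those
    inside an RFC 1918 block and those that are routable on the Internet."""
    private, public = [], []
    for a in addresses:
        (private if rfc1918_block_of(a) else public).append(a)
    return private, public


def subnet_fits(subnet, block="172.16.0.0/12"):
    """True when a site subnet is fully contained in the reserved block, i.e.
    the /24 is a piece carved out of the block, not a different address space."""
    return ipaddress.ip_network(subnet).subnet_of(ipaddress.ip_network(block))


# Constructed sample: 172.32.0.1 and 172.15.255.9 look private but are not.
SAMPLE = ["10.1.2.3", "172.16.0.9", "172.31.255.254", "172.32.0.1",
          "172.15.255.9", "192.168.7.1", "192.169.0.1", "8.8.8.8"]

if __name__ == "__main__":
    for b in RFC1918_BLOCKS:
        print(block_summary(b))
    print(partition(SAMPLE))
```

The numbers the module produces (1048574 usable hosts in 172.16.0.0/12, 65534 in 192.168.0.0/16) match the ones quoted in the post; `subnet_fits()` shows the relationship between a site's /24 and the block it comes from.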



Network Topology Diagram Frustrations!

Hey,

Bit of a dull topic that I'm sure many of you have similar frustrations with, but thought I'd get a discussion going :)

I am really struggling at the moment to keep all of our documentation (currently Visios) up to date as even the slightest change means going and editing various diagrams. It is also difficult to ensure other team members are doing the same & maintaining certain levels of accuracy.

What do you all use and are there any better alternatives to the standard "Visio"? Ideally we'd like something automated but not sure which products are the Go To for these sorts of things.



Help out a junior after a long night in the DC.

Hi guys.

We lost a lot of our equipment yesterday. Now it is all up (AFAIK). We were not able to find any substantial logs yet. But it looks like we had a BPDU on an (Unreal Tournament voice) epic kill streak. Or a very malformed packet. I mean suddenly most of our switch ports entered err-disabled state.

What else could it be?

How do I track where the BPDU came from, assuming I don't have logs?

How do I prevent a future disaster like this? (I am assuming disabling BPDU on everything I touch.)

Mostly Cisco/Dell/Mikrotik.
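If even partial syslog from the switches survives (or a collector was receiving it), the quickest way to localise where a BPDU entered is to line up every BPDU-guard / err-disable event by timestamp: the earliest one is the access port closest to the source, and everything after it is collateral. The Python below is an added example, not from the poster's environment, that parses the Cisco IOS `%SPANTREE-2-BLOCK_BPDUGUARD` and `%PM-4-ERR_DISABLE` messages and reports the first hit per switch. The log lines are constructed; the collector-style prefix (timestamp, hostname) is an assumption about how your syslog server stores them.

```python
import re
from datetime import datetime

# Syslog line as a collector would store it: timestamp, device, Cisco message.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+) (?P<host>\S+): "
    r"%(?P<facility>[A-Z]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)$")
PORT_RE = re.compile(
    r"\b((?:TenGigabitEthernet|GigabitEthernet|FastEthernet|Te|Gi|Fa)\d[\d/.]*)")
# Mnemonics a BPDU-guard violation produces on Cisco IOS.
BPDU_EVENTS = {"BLOCK_BPDUGUARD", "ERR_DISABLE"}


def parse_line(line, year=2019):
    """Structured view of one line, or None if it is not a Cisco-style message.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
    port = PORT_RE.search(m["text"])
    return {"ts": ts, "host": m["host"], "mnemonic": m["mnemonic"],
            "port": port.group(1) if port else None, "text": m["text"]}


def errdisable_timeline(lines):
    """All BPDU-guard / err-disable events across all switches, oldest first.
    The first entry is the port that saw the first BPDU, i.e. where it entered."""
    events = [e for e in map(parse_line, lines)
              if e and e["mnemonic"] in BPDU_EVENTS]
    return sorted(events, key=lambda e: e["ts"])


def first_hit_per_switch(lines):
    """hostname -> (time, port) of that switch's first violation, ordered by time."""
    first = {}
    for e in errdisable_timeline(lines):
        first.setdefault(e["host"], (e["ts"], e["port"]))
    return dict(sorted(first.items(), key=lambda kv: kv[1][0]))


# Constructed sample log (hostnames, ports and times are invented).
SAMPLE_LOG = """\
Nov 13 02:14:07.112 access3: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/5 with BPDU Guard enabled. Disabling port.
Nov 13 02:14:07.115 access3: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state
Nov 13 02:14:06.980 core1: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1/1, changed state to down
Nov 13 02:14:09.300 access7: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/22, putting Gi1/0/22 in err-disable state
Nov 13 02:14:10.001 core1: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/48, putting Gi1/0/48 in err-disable state
some unrelated line the parser should skip
""".splitlines()

if __name__ == "__main__":
    for host, (ts, port) in first_hit_per_switch(SAMPLE_LOG).items():
        print(ts.time(), host, port)
```

Ordering by time only works if the switches' clocks agree, so NTP on every switch and `service timestamps log datetime msec` are the prerequisites; without logs at all, `show spanning-tree detail` on the surviving switches still records the last topology-change source port, which gives the same "follow it upstream" trail one hop at a time.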



Looking for peering and transit examples for VPN providers

Hi all!

I've just accepted a job with a relatively small consumer VPN provider. Although I'm not in their networking/IT department, I do want to wrap my head around some of the issues and grow into that space.

1) I've read about peering and meet-me rooms in DCs. However, everything I can find communicates these topics in the context of ISPs and large network-heavy organizations such as Cloudflare and Netflix, so I'm having a hard time wrapping my head around practical applications for VPN providers. Does anyone have an example or resources where I can learn more in this context? For example, would a VPN provider whose customers stream a lot of Netflix benefit, through a reduction of public transfer costs as charged by their DC provider, from joining a meet-me room where Netflix also resides? Also, is this the same as or similar to Netflix's Open Connect program?

2) During the interview process they mentioned transit costs as one of their KPIs and said this was measured in $/Gbps (IIRC). I'm having a hard time wrapping my head around how this could be measured practically. Again, all I find are examples that are hard for me to translate to the VPN provider context, e.g. articles about recent events related to Cloudflare and Netflix transit costs. How might a VPN provider measure transit costs in $/Gbps? As I understand it, data center providers generally charge a flat rate $/GB/month based on the 95th percentile rate that month.

Looking forward to diving in so thanks everyone for your ideas and suggestions!

Cheers



Wednesday, November 13, 2019

Network Certifications

I have been out of the networking loop for awhile and came back to realize the CCNA was changing. I'm uncertain whether to do the new one vs network+. I couldn't find a lot of info regarding this. Wasn't sure if maybe I should just wait till the new one launches to get more info. I did a version of the old CCNA course (didn't get Cert) and worked as a network administrator and am looking to confirm my knowledge in the area primarily. I didn't see any posts regarding what certs are considered good, but I may have missed it. Thanks



Cisco ACI

I'm trying to lockdown our Cisco ACI environment security-wise. Does anyone have any tips for doing this? What are your Cisco ACI security tips?



3Com 4800g Putty keyboard not working

Recently purchased this 3Com 4800g PWR off eBay to start playing with POE equipment and VLANs in my network. Bought a USB to RJ45 serial console cable off Amazon. Using putty settings as indicated on the switch (19200, 8, 1, N) I am able to connect via Com3 and see the bootup sequence of the switch.

Now that I can see what's going on, I can't communicate with it. I have forced a driver update from the FTDI Chip website as recommended by the Amazon description. I have tried every keyboard setting change in PuTTY that I can think to try. I have tried using other terminal clients such as TeraTerm. Still, I cannot get the terminal to recognize my keyboard input, therefore I cannot configure this switch to give it an IP address and get to the web GUI interface.

My computer does not have a serial port, nor does this switch have a traditional 232 serial port, so I am forced to use a USB to RJ45 console type cable like the one I have purchased. I have looked on eBay for an original 3Com console cable that would work for this switch with no luck. I don't want to keep throwing money at Amazon to order different console cables in the hopes that one will work. Someone please tell me what I am missing here.

Edit: Missed a word



Where is the open source version of the ONE that Microsoft developed?



Security question

Hi! I have little knowledge of the networking world so please bear with me. I started a Minecraft server and opened the port so friends can play. My dad thinks that we will be hacked. Several people have the same problem but I can't understand any of the answers because I have no knowledge of networking. Please explain like I'm five: 1. The threats that open ports pose to my network. 2. Anything I can do to prevent said threats. Thanks a ton! (P.S. I know my username is immature)



SRX in Transparent Mode not able to ping other devices in same VLAN

Hello Everybody,

I have an SRX in transparent mode, and I configured the two zones, trust and untrust, and all the policies to allow everything.

I have irb.0 which is in VLAN 3 and has an IP of 172.16.4.254. Devices that are connected to the SRX are able to ping each other. However, I can't ping any other devices from the SRX (172.16.4.254), and vice versa.

From the SRX, if I ping 172.16.4.1 it will not work, and even if I do:

root# run show security flow session source-prefix 172.16.4.1

it doesn't show anything, even though 172.16.4.1 is continuously pinging 172.16.4.41.

Below is the SRX config:

root# show
## Last changed: 2019-11-13 15:09:27 UTC
version 20190829.221548_builder.r1052644;
system {
    root-authentication {
        encrypted-password "$6$nPgEtVzv$MBDUcWfKFSDG2x3HYBj0A0Sej7xFvV6E1MK7wudzui7jHv.1n/dTS4jUcxu1lWGNt12GEOjnFSKEBUajcoiyZ/"; ## SECRET-DATA
    }
    services {
        ssh;
        netconf {
            ssh;
        }
        dhcp-local-server {
            group jdhcp-group {
                interface fxp0.0;
                interface irb.0;
            }
        }
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    phone-home {
        server https://redirect.juniper.net;
        rfc-compliant;
    }
}
security {
    log {
        mode stream;
        format syslog;
        report;
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy UntrusttoTrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy UntrustToUntrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/3.0;
                ge-0/0/4.0;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    cl-1/0/0 {
        dialer-options {
            pool 1 priority 100;
        }
    }
    dl0 {
        unit 0 {
            family inet {
                negotiate-address;
            }
            family inet6 {
                negotiate-address;
            }
            dialer-options {
                pool 1;
                dial-string 1234;
                always-on;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                address 172.16.4.254/16;
            }
        }
    }
}
access {
    address-assignment {
        pool junosDHCPPool1 {
            family inet {
                network 192.168.1.0/24;
                range junosRange {
                    low 192.168.1.2;
                    high 192.168.1.254;
                }
                dhcp-attributes {
                    router {
                        192.168.1.1;
                    }
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
        pool junosDHCPPool2 {
            family inet {
                network 192.168.2.0/24;
                range junosRange {
                    low 192.168.2.2;
                    high 192.168.2.254;
                }
                dhcp-attributes {
                    router {
                        192.168.2.1;
                    }
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface irb.0;
    }
}
protocols {
    l2-learning {
        global-mode transparent-bridge;
    }
    rstp {
        interface all;
    }
}
[edit]
root#



Is there any point in subnetting outside of a VLAN?

If you can have 4096 VLANs, why would you have multiple subnets? Does anyone actually have 4096 VLANs? Why don't we all just use class A networks with 8 mask bits? That way, you have a huge number of hosts per subnet, and if you need another subnet you just create another VLAN for it.

What am I missing here?



Odd issue with NIC settings and SQL-backed application

Here's an interesting one. Hoping someone may have some ideas.

We have Unifi 48-750w switches. The PCs are all home runs, though half go through a PoE phone. We have a SQL-backed application that we run extensively on all workstations. SQL Server 2017 on Win Server 2016, 96GB RAM, 14 cores, SSDs, seems to be sufficient for the load. There was a noticeable difference when upgrading to Windows 10 on the workstations. The difference was noticed on both PCs upgraded to 10 and brand new PCs that came with 10.

After a significant amount of research and trial & error, I narrowed it down to NIC settings. Going through the Advanced options in device manager on the NIC, and disabling everything in there makes a significant difference in the speed of the application. NICs mostly have recent firmware, especially the brand new ones. Firmware updates haven't seemed to make a difference. I haven't had time to go through all of the different settings to narrow down if it's a specific one yet, requires user testing between each change. Any thoughts? Thanks!



Modify Cisco Unity Connection Single Inbox Notification Emails

Is there a way to add a logo or branding to the single inbox messages in Unity Connection? I have looked everywhere I can think of and can't find a way to change or modify the email message. We are trying to add a logo and/or branding to the voicemail messages.

We know there is a way to do this with html notification messages but we would like to be able to pull this off using the standard single-inbox message.

Alternatively, is there a way to get the HTML notifications to work properly with Single Inbox? From what I can see the HTML messages behave as completely separate messages, independent of the user's voicemail box/MWI light.



Simple Aruba Intra-vlan routing question

Hi everyone,

I have a few switches connected with, say, 4 vlans enabled.

  • 192.168.1.0/24 (prod servers)
  • 192.168.2.0/24 (workstations)
  • 192.168.5.0/24 (guest WiFi)
  • 192.168.6.0/24 (future dev servers LAN)

I want .1.0 and .2.0 to talk. Currently it's being handled via our L2 firewall. Ping times between them are about 1.5 ms. Intra-VLAN, it's about .5 ms.

What I don't want is all VLANs talking. I literally only want these two to be able to communicate. 5.0 and 6.0 need to be isolated.

If I turn on IP routing on the switch, won't that enable all VLANs to talk to each other? Assuming this, I'd most likely then need to set up ACLs.

Is this as simple as just creating a route from 1 to 2? Am I overthinking it?

Any help would be appreciated!



OpenDNS/ Cisco Umbrella

My company is about to introduce this product on our mobile (iPad, iPhone) and laptop devices. So far it seems like a nice, easy product to use, which isn't like Cisco at all. Every time I explain how it works and what it can do for us, everyone understands the first time. What's your take on Umbrella? Anything I should look out for?



Fortigate 500E dropping CIPSO packets.

My company recently upgraded from a Fortigate 620b to the 500E, and one of our sites has to use CIPSO. The 500E sees these packets as malformed and drops them. I can't get approval to tunnel this particular site's traffic through the 500E, so I'm stuck having to have a separate firewall (620b) and other equipment set up just to support this one site. Cisco equipment has the ip security ignore-cipso command to get around this issue. The Fortigate does not. Does anyone know of a workaround for this on the Fortigate 500E? Thanks.



New to 5596

Does the 5596 need an expansion module to route traffic? I noticed a 5596 had an N55-M160L3-V2 module installed, and a show module says it is an O2 gem with L3 ASIC.



Designing a Datacenter Render Farm

I need advice on a datacenter network. It will be a render farm with the following elements:

  • 160 Render nodes, each having dual 10Gbps ports (not sure if RJ45 or SFP yet - advice welcome)
  • An orchestration server, to coordinate render jobs (1Gbps connection fine)
  • A license server (1Gbps connection fine)
  • Dual (redundant) NVME Storage Servers - will require high-speed connections (40Gbps or 50Gbps, dual ports)
  • A firewall with a 10Gbps fiber line to the outside world (possibly dual 10Gbps connections)

I know very little about datacenter networking - my experience extends about as far as networking a small office. I don't intend to build this myself (I'll hire someone to design, deploy, and configure the network) but I do want an idea of costs and configuration.

Any advice welcomed. Apologies in advance if this breaks subreddit rules, I think I comply with the design requirement.

Deployment in Canada if that makes a difference. Remote management preferred.



newbie friendly alternative for this subreddit?

I am new to this and I want to ask questions that may seem stupid. For example, when I want to ask a stupid Linux question like "where is Google Chrome?" I will post it on r/Linux4noob, but questions like "which driver should I tell xorg to use if I have 2 graphics cards, one of them discrete, and how can I switch between them?" I will post on /r/Linux or /r/linuxquestions.

Do you know any popular subreddit about networking, for newbies?



Cisco APICs, FIPS mode, and AAA alternatives?

I’m going to be required to run my APICs in FIPS mode. Currently we use ACS to authenticate. FIPS breaks that authentication since it’s done with TACACS+. It looks like the only other way to authenticate without using local accounts (which won’t be allowed) is with LDAP.

So my two questions are:

  1. Is LDAP compatible with RSA, and would it be an easy implementation? Anything that's too complicated would likely become a long, prolonged process requiring the politics of getting multiple teams together and getting everything to work correctly.

  2. Is there another way? RADIUS key wrappers are FIPS compliant. They're not supported by the APICs though.

Ok, third question:

  3. Does anyone here know if there's any plan to implement RADIUS key wrapper compatibility in any future APIC code versions?


Breaking fibre ring causes breaker trip

I have a fibre cable ring operating and periodically I need to break this ring at the same switch in order to add another unit as the site grows. Now everything stays online as it should via the uplink but we have a device in a port on this switch that is connected to a breaker (emergency alarm) that trips every time I disconnect the downlink. It trips again when we reconnect the downlink also. I’m at a loss as to why this happens.

I’m not sure it’s anything to do with the network but I’ve got to rule it out.

Any help is appreciated.



Firepower - I want to convert port-rules to App Rules

I have a Firepower firewall that has about 500 access rules on it. The rules are all port-based, and I want to change them to be app-based. Now my worry is that it's not that simple to just swap ports for apps because of app-switching during a session. So say a user is using Office 365. Previously, they would just need 80/443 or whatever to get to the website. If I just change this rule to permit SSL and HTTP with application checking, there would be a check now to see what Office 365 app they are using, and try to match that against a rule (so say they open the Office 365 Excel page, the converted rule will not recognise the app, so would block it). So I'm worried I might miss these kinds of rules. Is there some sort of migration tool for this to help me switch them over from port-based rules to app-based rules?



Tuesday, November 12, 2019

Cisco product strategy for Cisco ASA?

This post is not about vendor comparison (Check Point, Palo, Fortigate...) and why they are better or worse (just kidding).

So when I have to use Cisco ASA nowadays I wonder what is the product strategy for this product.

Cisco still sell the ASA(v) boxes together with their Firepower lineup.

Cisco is still working on their feature-parity unified image in addition to their hybrid ASA image, their genuine ASA OS and the Firepower image. I don't get what to use, and I'm driven by the limitations of each OS to choose the "right" platform, which severely limits all other options.

Cisco rapidly lifecycles their "old" appliances. It feels like a constant flow, not with new features but with features already present replaced by something else, a bit different but essentially the same. New features (aka bought 3rd-party cloud services) are themselves poorly implemented into the system.

Overall it feels like an unfinished piece of art done by multiple artists you already paid for, or a surgery gone wrong but still in progress.

I'm confused: why should anyone invest in the ASA platform? All signs point to Firepower. Is it the legacy of AnyConnect or former edge-firewall glory?

There are vague statements on the Cisco forums about where they are headed with ASA OS, but I miss the overall big picture.

Does anyone have some insight into the Cisco ASA/FP master plan and where they are headed?



Is it possible to upgrade IOS-XE version from 3.03SE to 16.X on 3650 switch?

Looking to purchase a Cisco WS-C3650-24 switch from ebay and see the software version it comes with is 03.03.00SE (IP Base).

I see that the newer versions are 16.X and was hoping to see if it's possible to upgrade to that? If so, do I need to purchase an image? What would the steps look like for upgrading? Thank you!



Advice re: Clients connecting to VPN with CG-NAT

Hi all,

Looking at some firewall solutions for a client, and one of their highest priorities is replacing their current solution due to the VPN being intermittent. Right now, the problem is that if they have clients behind CG-NAT, the connections sometimes won't work, sometimes will. We've been told it's an issue if more than one to three users connect to the same mobile tower. This is a bit out of my purview, but a contractor basically said we need a technology that's compatible with CG-NAT clients. From my reading, I can only see for sure that this rules out PPTP due to GRE tunnels (which we're not using anyway). But would IKE or IPsec work, etc.? Or will we have to go with an SSL-based VPN like OpenVPN? Will this even work?

Whilst I love OpenVPN, I'd prefer to work with something that's got inbuilt support for all clients (if possible). Do any of you have firewall solutions with VPNs inbuilt that you know for sure work in this scenario? Thanks!



Intra-VLAN communications... lost it tonight, would multiple Layer 3 devices hurt?

So I'll begin with the equipment I have:

Cyberoam CR100ing Netgear XS728T Cisco SG-300 52

The Cyberoam is performing L3 functions between 3 VLANS, 1, 20 and 30.. and up until tonight has been working just fine.

Tonight I had to reboot a couple Windows servers, two on VLAN1, 1 on VLAN20. I also have a Qnap TV-1635 on VLAN30.

After rebooting the servers, and power cycling the SG300 (to enable Jumbo Frames) I lost the ability to ping devices on VLANs 20 and 30 that had static addresses. Those who had pulled DHCP however, were fine. Everything on a specific VLAN can ping it's own GW

Take the Qnap for example.. has two hot interfaces, I could reach the web GUI via the 1GB link that was DHCP. I lost communications with the static'd 10G interface. Nothing I did could resolve it. During troubleshooting I added a 10g nic to a Backup server and static'd it on VLAN30.. couldn't ping anything on VLAN30 but the GW. I could reach devices with static'd addresses from earlier this week on VLANs 1 and 20... but not 30.

I then set the 10g interface on the Qnap to DHCP... would not pull an address. Made sure its port was untagged for VLAN1, tagged for all others and its PVID was changed to 1. And every single port on the SG-300 is untagged VLAN1, tagged all others.

No dice.

I've had so many weird issues with using the Cyberoam for routing that I'm beginning to wonder if I shouldn't enable L3 on the 10G Netgear switch (which terminates the Qnap, backup server and vSphere hosts). Or, since this is a small network... say less than 100 devices, should I cut my losses and just revert it all back to one VLAN for simplicity's sake? I'm used to having servers, storage, networking, etc. all on their own VLANs, but those were larger environments. Should I keep it simple, stupid?



application aware routing - dual wan routers

I run a small business with one location; our DSL line can't keep up with our needs, we can't increase the speed, and satellite is the only other option in the area. I did some research and am currently leaning towards setting up a dual-WAN router, but I need to control what applications use which uplink, and I have had trouble finding options (the Meraki MX looks plausible). Are there products <$1,500 (or close) that can do this that I can look at and evaluate?

Usage requirements

  • i want to make sure that the video conferencing goes over the DSL line, and not the satellite uplink (which has terrible latency); i don't control what conferencing solutions our clients use and there are a ton (webex, skype, zoom, slack, blue jean, etc.), i can't control this by port, etc. - it seems I need a solution that can detect / fingerprint at the application layer and route based on that. is that doable?
  • then i want to use the satellite for other applications to ensure the DSL line is avail for video conferencing etc. e.g. if you are streaming youtube videos, listening to spotify, uploading/downloading files via gdrive or box, browsing reddit instead of working ;) etc. - i want that to use the satellite connection

thanks in advance!



A simple way to monitor network traffic (not internet traffic)?

Hi,

I am looking for a simple way to monitor traffic on my network. I've setup my Raspberry Pi to share media to multiple devices and sometimes I get really slow transfer speeds when copying files over the network. So, I am looking for something that tells me how much data and what speed each device is pulling from the Pi. For example, "iPad has downloaded 42GB at 15MB/s".

I did some searching and it looks like Wireshark might be what I am looking for but it looks complicated. Maybe someone can instruct me on how to get the information I want from Wireshark? Thanks.
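One way to get "how much did each device pull from the Pi, and how fast" without the Wireshark GUI is to let tshark (Wireshark's command-line twin) print one line per frame and aggregate those lines yourself. The script below is an added example, not part of the original post: it assumes the Pi is 192.168.1.10, that tshark was run with `-Y "ip.src == 192.168.1.10" -T fields -e frame.time_epoch -e ip.dst -e frame.len`, and uses a constructed six-line sample of that output. The `HOSTNAMES` map is a made-up convenience; on a real LAN it would come from your DHCP leases.

```python
# Constructed sample of what this tshark command prints on the Pi
# (192.168.1.10 is the assumed Pi address; every value below is made up):
#   tshark -i eth0 -Y "ip.src == 192.168.1.10" -T fields \
#          -e frame.time_epoch -e ip.dst -e frame.len
# One frame per line: timestamp, destination (the device pulling data), size.
SAMPLE_TSHARK_OUTPUT = """
1573900000.000 192.168.1.20 1514
1573900000.050 192.168.1.20 1514
1573900000.100 192.168.1.31 66
1573900000.900 192.168.1.20 1514
1573900001.000 192.168.1.31 1514
1573900002.000 192.168.1.20 1514
"""

# Friendly names for LAN hosts (constructed; use your DHCP leases or ARP table).
HOSTNAMES = {"192.168.1.20": "iPad", "192.168.1.31": "laptop"}


def summarize_per_device(text):
    """Aggregate tshark field lines into {dst_ip: (bytes, first_ts, last_ts)}."""
    totals = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dst, length = line.split()
        ts, length = float(ts), int(length)
        total, first, last = totals.get(dst, (0, ts, ts))
        totals[dst] = (total + length, min(first, ts), max(last, ts))
    return totals


def average_rate_bps(entry):
    """Average bytes per second over the span in which the device was active."""
    total, first, last = entry
    span = last - first
    # A single frame has no span; report its size as the rate for that instant.
    return total / span if span > 0 else float(total)


def report(text, names=HOSTNAMES):
    """Human-readable lines, busiest device first."""
    per_device = summarize_per_device(text)
    ordered = sorted(per_device.items(), key=lambda kv: kv[1][0], reverse=True)
    return [
        f"{names.get(dst, dst)}: {entry[0]} bytes at {average_rate_bps(entry):.0f} B/s"
        for dst, entry in ordered
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TSHARK_OUTPUT)))
```

Piping the live tshark output into this (or writing it to a file first with `-w` and reading it back with `-r`) gives per-device totals and an average rate; the frame sizes are link-layer sizes, so the numbers are slightly above the payload a file copy reports.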



Good Day Everyone! Attached link is about the management structure of a company without managers. Appreciate it if you can view and click like. Have a Good Day ahead!



9300 Crashes with incorrect inputs

Curious to see if anyone has this issue.

On 3 different Cisco 9300 switches using Network Essentials I run into an issue when I type the wrong input in enable mode, think like:

switch#"ihateyou"

When I am consoled in, the connection hangs up and never comes back unless I reboot. I am using IOS XE Fuji 16.9.4 (MD), which is recommended by Cisco.

They are not in production yet. I haven't tested this on SSH. Anyone have this issue? Is there a fix?

I really liked these switches until smart licensing and this recent bug.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Policy Based Routing in Aruba 2930F Switch

Hello Internet,

Having a bit of a problem with some policy based routing, and I need someone smarter than myself to hold my hand here:

We have a switch which needs to split an ATT provided subnet for failover purposes.

ATT Router 172.16.31.1/30 < ATT LAN 172.16.71.1/29 < Our Gateway/LAN 192.168.10.0/24

I have the following relevant configuration on my switch:

class ipv4 "wan1"
   10 match ip 172.16.71.0 255.255.255.248 0.0.0.0 0.0.0.0
   exit
policy pbr "primary-wan"
   10 class ipv4 "wan1" action ip next-hop 172.16.31.1
   exit
ip routing
vlan 1000
   name "WAN PRIMARY"
   untagged 6
   ip address 172.16.31.2 255.255.255.252
   exit
vlan 1001
   name "WAN ROUTED"
   untagged 7
   ip address 172.16.71.2 255.255.255.248
   service-policy "primary-wan" in
   exit


Beginner Routing Question: Regarding Cisco phones and TFTP servers

Just a quick question from a guy with a phone background, not a network background. Our network guys want me to begin learning this side of the game to hopefully become a bridge between our departments. So please bear with this (more than likely) day 1 beginner question.

So for a Cisco phone to receive its config it needs to reach the TFTP server, this much I know. I'm also aware that gets distributed as option 150 configured in DHCP. My question is though, ASSUMING the router knows the path to the subnet, is there anything else required in order for a phone to communicate with the TFTP server if it's in another subnet? My gut is telling me it's all good to go but I've no real way to test it without an operational lab. My thinking is if it knows the IP address via option 150, and the router knows how to get there... that should be all that is necessary, right?



Cisco WLC / Guest WIFI Question

I am currently configuring my WLC for Lobby Ambassador operation.

I have the feature working fine.

I currently do not have any Layer 2 security enabled however and would like to enable it, but it does not seem I can do 802.1x using the credentials setup by the Lobby Admin. A PSK is out of the question and I only want the users to deal with 1 login.

Is there an easy way of enabling layer 2 security that I'm missing?



Palo Altos have let through traffic other security systems have flagged

Has anyone else had this happen? Obvious throwaway account is obvious but I need a little anonymity here. We have a dual-vendor security stack featuring Palo and Cisco where our Cisco ASAs block traffic at the internet edge and our Palo Altos act as a secondary line of defense inbound from the internet as inline IPS units. We replaced our Cisco Sourcefires with Palos for vendor variety and capability in 90% of our locations but still use Sourcefires as inline IPS units in the other 10%. We recently saw our Palo gear allow two pieces of malware to get by them that were blocked by our Sourcefires. I've heard mention from our IR guys that Fortigate/Fortinet and Sourcefire have flagged things as high that Palo Alto hasn't in the past, but I seem to see nothing but positive and glowing reviews by others on most of Reddit. We definitely use strict rules that we have a lot of manual input on for our profiles and policies.

Does anybody know what procedure Palo uses to classify files & hashes as malware? How do they determine risk level? TAC is tight-lipped due to NDA and in the cases we've opened with them the only answer seems to be enable SSL-Decryption and we'll get back to you on the rest? Palo flagged them both as grayware once we opened a case.



Question about VLans

So my company is installing an IP camera intercom system in a new building. We previously believed all equipment would be located on the same network (a Verizon modem with several Ubiquiti switches). However, now we have learned one of the pieces of equipment needs to be on another network (about 2 miles away) and that piece of equipment will be plugged into another Verizon modem. Now all of this equipment needs to be on the same network to communicate.

So if I purchase two Ubiquiti Edge Routers X and place one at each location plugged into the Verizon modems will I be able to create a VLan between those two Verizon modems to act as if all the equipment plugged into those routers were all on the same LAN?

Hope that made sense.



External BGP monitoring & alerting.

We've been using a free service provided by BGPMon for years.

They are ending that service soon, and before we throw money at the problem, we want to make sure we have evaluated good solutions.

The new Crosswork Network Insights solution is a contender.
As is a similar service from UPX.

Both look like they will do what we need.

Any other players in this niche we should evaluate?



Fluke DSX-602 for troubleshooting copper issues?

We have aging copper infrastructure. I am starting to see failures that are difficult to troubleshoot, but I suspect aging copper is to blame. It has been installed for about 8 years. There is a possibility that rooftop conduit could be full of water, or recent construction could have put strain at corners of cable runs, combined with heat. I don't know, anything is possible.

Increasingly we are doing more cable installation as well, mostly for small labs and IP camera installations but never certifying, just doing basic wiremap testing. This is not going to stop.

I have been looking into test equipment so I can really know what is going on with the copper. Is there any better choice than the Fluke DSX-602? Just to recap, this would be used both for troubleshooting existing aging infrastructure, and certifying new installations.

THANKS!
--Dan



Cisco IOS Images: Does the "DRAM" column indicate how much RAM is required to load the image in memory, or is it only a recommendation?

On Cisco's IOS release listing like this one, it has a column for "DRAM".

I'm trying to see if I really need 512 MB for the 15.2.4M11 release, or if 256 MB will still work.



What factors determine the transmission rate reached by a TCP connection?

Hey everyone.

I am an IT intern working on a small network at a company. I have been learning in-depth about TCP and the ways in which you can improve or bog-down the performance of a TCP connection. A thought has crossed my mind- what factors determine the transmission rate reached by a TCP connection?

Some things I have thought of are window size, max segment size, and error control, but I am sure I am missing some more niche and important factors as well. Anyone have any ideas?

Thanks!
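The factors listed in the question each translate into a ceiling on throughput, and the achieved rate is roughly the lowest of them: the link itself, the window (the sender can only have one window of data in flight per round trip, so window/RTT bounds the rate), and loss (the Mathis model approximates a Reno-style sender's steady-state rate under random loss p as about 1.22 × MSS / (RTT × sqrt(p))). The code below is an added illustration, not from the original post; the link speed, RTT, window and loss values in the test scenarios are constructed.

```python
import math

# Common TCP parameter values used as constructed inputs below.
MSS_ETHERNET = 1460            # bytes: 1500 MTU - 20 IP - 20 TCP, no options
MAX_UNSCALED_WINDOW = 65535    # bytes: 16-bit window field without RFC 7323 scaling
MATHIS_C = 1.22                # ~sqrt(3/2), the constant in the Mathis et al. model


def bandwidth_delay_product(link_bps, rtt_s):
    """Bytes that must be in flight to keep a link of link_bps busy at this RTT."""
    return link_bps / 8 * rtt_s


def window_limited_bps(window_bytes, rtt_s):
    """Upper bound when only window_bytes may be unacknowledged per round trip."""
    return window_bytes * 8 / rtt_s


def loss_limited_bps(mss_bytes, rtt_s, loss_rate):
    """Mathis model: steady-state rate of a Reno-style sender under random loss p."""
    if loss_rate <= 0:
        return math.inf
    return MATHIS_C * mss_bytes * 8 / (rtt_s * math.sqrt(loss_rate))


def tcp_rate_estimate(link_bps, rtt_s, window_bytes, mss_bytes, loss_rate):
    """Return each bound in bit/s, which one binds, and the BDP for reference."""
    bounds = {
        "link": float(link_bps),
        "window": window_limited_bps(window_bytes, rtt_s),
        "loss": loss_limited_bps(mss_bytes, rtt_s, loss_rate),
    }
    binding = min(bounds, key=bounds.get)
    return {
        "bounds": bounds,
        "limited_by": binding,
        "estimate_bps": bounds[binding],
        "bdp_bytes": bandwidth_delay_product(link_bps, rtt_s),
    }


if __name__ == "__main__":
    # Constructed scenario: 100 Mbit/s path, 20 ms RTT, no window scaling, 0.01% loss.
    print(tcp_rate_estimate(100e6, 0.020, MAX_UNSCALED_WINDOW, MSS_ETHERNET, 1e-4))
```

With those inputs the BDP is 250,000 bytes, so a 65,535-byte window caps the flow at roughly 26 Mbit/s regardless of the 100 Mbit/s link; enlarging the window (window scaling) moves the binding constraint to loss, which is why the same loss rate hurts far more on high-RTT paths.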



Trying to closely firewall the DC with HW FW at the edge - worth the trouble?

We've previously trusted the physical hardware appliances on the DC edge. With varying degrees of care (one of the problems) we've added each server/service there and tried to tightly choose what to allow where. I'm starting to wonder if this is actually just wasted man hours and whether we actually prevent anything malicious.

Or maybe we just could put all the servers in one /24 and use host based firewalls and call it a day?

Maybe just have host firewall rules to first allow management SSH/RDP access, then allow traffic to the services (usually just a couple of ports max) and then deny everything else. Quite simple and not that many rules to manage as we use jump hosts/VPN for management. All the servers are run by us.

Besides spending lots of hours trying to manage the hundreds of rules, this also makes VM mobility quite a lot harder than it could be. We could be running BGP on the host and after moving the VM to another DC we could just advertise the /32 IP from there. We run the core network between our sites and DCs so doing /32 wouldn't be a problem for us. Or maybe use LBs in front of the servers and do BGP advertisements for hosts when the LB sees them active on the local DC. Or something we could do with the EVPN VXLAN fabric we're moving towards.

And every time we create a new subnet, it takes a couple of days to figure everything out in every FW in every DC. This is also a documentation issue though.

Do you see any benefit in doing several /27 and /28 etc. and trying to firewall those on a hardware appliance, or should we just go more "cloud like" :) ?

Thanks for any ideas!



Asset Tags within device config

Wanted to reach out to see if anyone has accomplished this with Cisco equipment. I think for the most part we could re-purpose an SNMP field to be our asset tag, which would tie into our data import for asset and inventory management. However I run into my dilemma when working with switch stacks, each switch is an asset and is tagged individually. However I haven't found a way to ID each in config. Does anyone know a way, within an SNMP string, to ID each switch with an asset tag? Or any way at all? Thank you for your time fellas!



Trex Traffic Generator (openSource)

Hello All, does anyone know where I can get an OVA of TRex?

It is an open source traffic generator and can push up to 200G full duplex.

And also, does anyone else have good or bad remarks about this product?

https://trex-tgn.cisco.com/trex/doc/trex_vm_manual.html



Multicast Routing -- What's the Big Deal?

Hi,

To simplify--I have a small but relatively complex network. My core is a pair of FortiGate firewalls that handle Layer 3. My access layer is Layer 2 only. It hosts multiple VLANs--about 8--on two stacks and three singleton top-of-rack switches. Platforms: routing is FortiGate; switching is Cisco: Meraki, Nexus, Catalyst to be added later.

After deployment I handed the network over to a managed services provider, for better or for worse.

I have a requirement for IPTV, based on multicast. It works fine now within a VLAN, but I have to route multicast traffic from the IPTV segment to a user segment.

I confess near-total ignorance of multicast. The MSP is acting like this will be a big-deal redesign and downtime-requiring deployment.

Can you give me the gist (high level) of what enabling multicast routing typically entails and whether it is, indeed, a big deal, requiring downtime?

Thanks.



How do we apply Infrastructure as Code to a physical environment?

I've been researching this for a few days and nothing comes to mind. I have a physical environment (switches, firewall, access points, cloud servers - most of them Microsoft solutions) and I've been thinking about whether it's possible to automate some of the trivial and day-to-day activities with scripts and such, like backups of our devices. But is that it? Or is there more that we can do with coding to improve our physical infrastructure?

I'm new to this world, so I don't know where to begin.

Thanks in advance



BFD between Nexus 3500 and Juniper MX Router.

Has anyone gotten BFD to work between these two?

We have tried lots of settings on the Juniper side.

Originally tried the following.

bfd-liveness-detection {
    minimum-interval 2000;
}

Below is current state.

Using the defaults on the Nexus 3500 the minRX/minTX are 2000ms, hold timer is 6000ms, and multiplier 3.

Session state is Down and not using echo function
Session type: Singlehop
Local Diag: 0, Demand mode: 0, Poll bit: 0, Authentication: None
MinTxInt: 2000000 us, MinRxInt: 2000000 us, Multiplier: 3
Received MinRxInt: 2000000 us, Received Multiplier: 3
Holdown (hits): 6000 ms (4), Hello (hits): 2000 ms (22062)
Rx Count: 18813, Rx Interval (ms) min/max/avg: 101/282/2040 last: 1887 ms ago
Tx Count: 22062, Tx Interval (ms) min/max/avg: 1743/1743/1743 last: 1545 ms ago
Registered protocols: bgp
Downtime: 0 days 10 hrs 40 mins 8 secs
Last packet: Version: 1 - Diagnostic: 0
             State bit: Down - Demand bit: 0
             Poll bit: 1 - Final bit: 0
             Multiplier: 3 - Length: 24
             My Discr.: 23 - Your Discr.: 0
             Min tx interval: 2000000 - Min rx interval: 2000000
             Min Echo interval: 0 - Authentication bit: 0
Hosting LC: 1, Down reason: No Diagnostic, Reason not-hosted: None

On the Juniper side we have the following.

bfd-liveness-detection {
    version 1;
    minimum-receive-interval 2000;
    multiplier 3;
    transmit-interval {
        minimum-interval 2000;
        threshold 6000;
    }
    session-mode automatic;
}

Address             State   Interface     Time    Interval   Multiplier
172.17.113.237      Down    ge-4/1/1.0    0.000   2.000      3
 Client BGP, TX interval 2.000, RX interval 2.000
 Local diagnostic None, remote diagnostic None
 Remote state AdminDown, version 1
 Replicated
 Session type: Single hop BFD
 Min async interval 2.000, min slow interval 2.000
 Adaptive async TX interval 2.000, RX interval 2.000
 Local min TX interval 2.000, minimum RX interval 2.000, multiplier 3
 Remote min TX interval 0.000, min RX interval 0.000, multiplier 0
 Local discriminator 23, remote discriminator 0
 Echo mode disabled/inactive, no-absorb, no-refresh
 Session ID: 0x551b

Any help would be greatly appreciated.
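The two outputs above quote the same four BFD control-packet fields (Desired Min TX, Required Min RX, Detect Multiplier, and the two discriminators) in different units: NX-OS prints microseconds, Junos prints seconds. RFC 5880 defines how those fields combine: the real transmit interval is the larger of the local Desired Min TX and the peer's Required Min RX (section 6.8.7, jittered down to 75-100% of that value), and in asynchronous mode the detection time is the peer's Detect Multiplier times the larger of the local Required Min RX and the peer's Desired Min TX (section 6.8.4). Your Discriminator stays 0 until a valid control packet from the peer has been parsed, and the "remote" values a box shows are the ones it learned from that packet. The helper below is an added example, not from the original post; the constructed values are the 2000 ms / multiplier 3 settings quoted above.

```python
from dataclasses import dataclass


@dataclass
class BfdSide:
    """Timer values one BFD endpoint advertises (RFC 5880 control-packet fields)."""
    desired_min_tx_us: int
    required_min_rx_us: int
    detect_mult: int
    my_discr: int = 0
    your_discr: int = 0   # stays 0 until a control packet from the peer has been parsed


def negotiated_tx_interval_us(local, remote):
    # RFC 5880 6.8.7: send at the larger of our DesiredMinTx and the peer's RequiredMinRx.
    return max(local.desired_min_tx_us, remote.required_min_rx_us)


def tx_jitter_window_us(interval_us, detect_mult):
    # RFC 5880 6.8.7: transmissions are jittered to 75-100% of the interval
    # (90-100% when Detect Mult is 1), so an on-wire gap below the configured
    # interval is expected, not a misconfiguration.
    low = 0.9 if detect_mult == 1 else 0.75
    return int(interval_us * low), interval_us


def detection_time_us(local, remote):
    # RFC 5880 6.8.4, asynchronous mode:
    # remote DetectMult x max(local RequiredMinRx, remote DesiredMinTx).
    return remote.detect_mult * max(local.required_min_rx_us, remote.desired_min_tx_us)


def peer_parameters_known(local):
    """False while Your Discriminator is 0, i.e. nothing valid has been parsed from the peer.

    Until then the 'remote' timer values a device displays are all zero and no
    meaningful detection time can be computed from them."""
    return local.your_discr != 0


if __name__ == "__main__":
    # Constructed: both sides advertise 2000 ms / 2000 ms / multiplier 3, as quoted above.
    a = BfdSide(2_000_000, 2_000_000, 3, my_discr=23)
    b = BfdSide(2_000_000, 2_000_000, 3, my_discr=77, your_discr=23)
    print("tx interval us:", negotiated_tx_interval_us(a, b))
    print("detection time us:", detection_time_us(a, b))
    print("jitter window us:", tx_jitter_window_us(negotiated_tx_interval_us(a, b), 3))
```

With 2000 ms on both sides and a multiplier of 3 the detection time works out to 6000 ms, the "Holdown" figure in the Nexus output, and the jitter window explains why a measured Tx interval sits below the configured 2000 ms.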



Remote side unexpectedly closed network connection - PuTTY

So I'm just starting to troubleshoot this issue and everything I've tried from my googling is not working. I'm looking to see if anyone has experienced something similar or has any suggestions:

I am using putty to ssh into a switch in our network. I am able to get to the switch and enter credentials but as soon as I hit enter after typing the password, the connection drops and I get an error message that says "Remote side unexpectedly closed network connection"

Any ideas as to why I am able to get to the login prompt but get kicked off as soon as I log in?



Email alert based on Monitoring Policies (Prime Infrastructure)

I have a system containing 100 switches, monitored by Cisco Prime (3.3). I created a Monitoring Policy with settings like this:

Feature Category: Interface Health

Parameters and Thresholds: Input Utilization

Condition: Greater 90% 3 time

Reaction: Alarm Critical

I want PI to send an email when the monitoring policy is triggered (e.g. some interface has utilization > 90%). Please help me on how to do this.

Thanks for reading.



Cloud Wireless - Meraki or Aruba Central

We are looking to replace Ruckus wireless for our company with over 500 APs. We have a few sites so cloud appeals to us. We are now looking at Aruba or Meraki. With many reports it's not clear if it's Aruba Central or their controller when they analyse. Has anybody done detailed comparison of Meraki and Aruba Central?



802.1X issues on Cisco switch when connected to VoIP phone passthrough or unmanaged switch

Hi there,

I've been dealing with a really weird issue lately.
We have a Cisco Catalyst 3850P-S running 03.06.08 and authenticating via dot1x on Aruba ClearPass.
Almost all of our workstations are connected through the VoIP phones to reduce the needed switch ports.
Recently I've noticed that a device connected and authenticated in this scenario stays "visible" on the switch port even if it's unplugged from the phone. The same happens with an unmanaged / dumb switch connected.

The port configuration looks like this:

switchport access vlan 10
switchport mode access
switchport voice vlan 50
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 2
spanning-tree portfast
spanning-tree bpduguard enable

Example:
I'm working at my desk, my laptop connected via ethernet through my phone. Now I need to go to a meeting and take my laptop with me. When trying to connect my laptop in the meeting room via ethernet, my device only gets a 169.254.x.x IP address and my MAC address isn't visible on the new switch port. When looking for it using show mac address-table | inc MAC, I still see the address on the switch port my VoIP phone on my desk is connected to.

I know that it is a really weird issue and I hope that I explained it somewhat comprehensibly.
My question is if it's a Cisco, VoIP phone or Clearpass issue.

Thanks in advance!



Monday, November 11, 2019

Cyberoam DNS request routing

Hello all,

I'm in need of help with an issue using a Cyberoam FW. I know it's not the best FW, but currently this is what I'm given to work with. I've summarized the issue below; I'd really appreciate it if someone can suggest a solution. One of the solutions that could fix the issue is a function used on Sophos FWs called DNS request routing; however, that function is not available on the Cyberoam FW. Please see the link below to the sample topology.

· Clients (Win10,7) on left-hs are not able to reach the AD server on right-hs

· There is strongswan ipsec tunnel between cyberoam and AWS-VPC.

· DHCP to clients (win10,7) is from cyberoam.

· If we set static DNS on cyberoam with winAD server IP, the client still can’t authenticate with AD.

· At the moment primary DNS is 8.8.8.8 and secondary DNS is the WinAD server IP; clients are able to browse the internet but not authenticate with AD. If we swap primary & secondary DNS, clients cannot browse and cannot authenticate.

https://drive.google.com/open?id=1RuuRPwNFpgpgVsNcmIo05XZAYzCEVh8S



Residential DSL provider is terrible (CenturyLink). Need a modem that has strong diagnostics/metrics, thinking of Cisco ISR with VDSL WIC?

Hey folks, my ISP is terrible and I'm tired of not having good data on the quality of the line and DSL physical layer to use for troubleshooting/evidence that they need to fix things. Wondering if there are any modems out there that have really good diagnostics/line quality/monitoring capability. Presently I'm thinking either a Cisco router with a DSL WIC or some kind of DSL modem with an open source firmware that is able to do the same.

Any recommendations?



IPv6: what are the practical benefits of implementing it over an IPv4-only network?

I’ve been told by very smart people that IPv6 is amazing and should be implemented everywhere. I’ve also been told by other really smart people that there’s no reason to implement it at all. I’ve also been told by slightly fewer smart people that it’s stupid and we shouldn’t support it. Those fewer smart people are the ones in charge. Because of them, there is no IPv6 support on our entire network. We even have policy to disable IPv6 kernel modules and AAAA record lookups.

Our WAN supports IPv6. Our equipment supports IPv6. We have our IPv4 /29, but we need more IPs. v6 seems like a perfect solution.

I feel like there's something critical I'm missing. I understand the absolute basics of IPv6, but I've never seen an actual IPv6 network implemented anywhere I've worked. NAT and small address spaces have always been the preferred network.

Besides the gargantuan increase in address space, and the lack of need for NAT, there doesn't seem to be much difference between the two. The cost for a v6 block is low, and it would solve multiple problems we have.

Is there something IPv6 is doing that validates this concern, or is it just ‘I don’t know it so it’s bad’ mentality?

I can’t think of anything except more extensive IP blacklists, some minor performance hits on our hardware devices, and the labor needed to switch over or Dual-Stack.



termshark v2: a terminal UI for tshark - now with stream reassembly and dark mode!

Hi everyone - for those of you that use Wireshark regularly, I just published termshark v2 on github. Termshark is a terminal user-interface for tshark that copies Wireshark's layout - it tries to be Wireshark for the terminal. Termshark v2 is snappier than v1 and features dark mode, piped input, stream reassembly and more. You can see the ChangeLog via the website, https://termshark.io, and there are binaries on github at https://github.com/gcla/termshark. Hope you enjoy it, and I would love to hear if it's useful to you.



Wireless - Ekahau Sidekick Offset

Quick question for any wireless pro lurkers out here... what offset are you using with your sidekick? I was looking at -12, but that seems possibly a bit aggressive.

I do have old scanners in my environment, so perhaps I am on the right path.

Thoughts?



How do I assign an IPv6 address to a system?

I am working on assigning a static IPv6 address to a firewall.

If it was an IPv4 address, I can easily assign a static IP address like this:

If 10.10.10.13 is available in the 10.10.10.0/24 subnet then I can assign 10.10.10.13 to the system.

How would I select an IPv6 static IP address from an IPv6 subnet and assign it to the system?

Thank you.
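The selection step is the same in both address families: take the prefix, pick a host value, and check that the result is inside the prefix and not one of the reserved addresses (for IPv4 the network and directed-broadcast addresses; for IPv6 there is no broadcast, but host 0 is the Subnet-Router anycast address per RFC 4291 section 2.6.1). The following is an added example, not from the original post, using Python's standard `ipaddress` module; the 10.10.10.0/24 and 2001:db8:1234:5678::/64 prefixes are the post's own v4 example and a constructed documentation-range v6 prefix, and the `in_use` list is a made-up placeholder for whatever allocation record you keep.

```python
import ipaddress


def select_static_address(prefix, host_offset, in_use=()):
    """Return network_address + host_offset inside prefix as an ip_interface.

    Works for IPv4 and IPv6; the only difference is which host values are off-limits.
    Raises ValueError when the candidate is reserved, outside the prefix, or already used.
    """
    net = ipaddress.ip_network(prefix, strict=True)   # strict: host bits must be zero
    addr = net.network_address + host_offset            # integer arithmetic on addresses
    if addr not in net:
        raise ValueError(f"offset {host_offset} falls outside {net}")
    if addr == net.network_address:
        # v4: the network address; v6: the Subnet-Router anycast address (RFC 4291 2.6.1)
        raise ValueError("host 0 is reserved in this prefix")
    if net.version == 4 and addr == net.broadcast_address:
        raise ValueError("IPv4 directed-broadcast address")
    if addr in {ipaddress.ip_address(a) for a in in_use}:
        raise ValueError(f"{addr} is already allocated")
    return ipaddress.ip_interface(f"{addr}/{net.prefixlen}")


def describe(iface):
    """Compressed and fully written-out forms, handy when typing into a firewall GUI."""
    return {
        "cidr": str(iface),
        "exploded": iface.ip.exploded,
        "network": str(iface.network),
    }


if __name__ == "__main__":
    # Constructed allocation record: addresses already handed out in each prefix.
    used_v6 = ["2001:db8:1234:5678::1", "2001:db8:1234:5678::2"]
    print(describe(select_static_address("10.10.10.0/24", 13)))
    print(describe(select_static_address("2001:db8:1234:5678::/64", 0x10, used_v6)))
```

Picking a small hand-chosen host value such as ::10 is the usual practice for infrastructure addresses; ::/64 is by far the most common on-link prefix length for IPv6, and the interface form (address plus prefix length) is what the firewall's interface configuration expects.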



PSA: Possible PearsonVue Breach

This morning I came into the office with email confirmations from StubHub for a concert and a college football game worth over $2,000. The only place I have ever used my work email for any sort of purchase was at PearsonVue for my CCNP and CWNA exams (I have to use my work email for exam reimbursements). I have never ordered anything else to be shipped to my office and the new StubHub account listed my office as my address and used my full legal name which I do not use outside of a professional setting (including other online ordering, etc). I also never store my credit cards on any site and I'm not even sure that's an option on Pearson's website but clearly they're keeping the information on the backend. Something else that was fishy was that they forced me to add "security questions" to my account this morning when I logged in to make sure my card wasn't stored there. Either that's a very strange coincidence or they know that there was a breach and haven't disclosed it yet but have increased security. I'm posting here because I figured you guys may want to check your credit card statements and change your PearsonVue passwords since a lot of you use PearsonVue for certifications.

Mods, if you want to remove this because it somehow violates sub rules that's fine, I just figured this would be informative to quite a few people here.



Network Automation/Scripting Use Cases?

Hi all,

I'm currently wanting to learn about networking automation/scripting through Python for Cisco IOS and wondered what sample use cases there could be that don't rely on DNA Centre? Ones that are more reliant on pulling information from existing configuration on devices like troubleshooting ospf?
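A representative use case of the kind asked about here, with no controller involved, is pulling `show ip ospf neighbor` from a device and flagging adjacencies that are not in the expected state. The script below is an added example, not from the original post; the neighbor table it parses is constructed in IOS format rather than captured from a real switch. In practice the `output` string would come from a library such as Netmiko's `ConnectHandler(...).send_command("show ip ospf neighbor")`; the parsing and the checks are the same.

```python
import re

# Constructed "show ip ospf neighbor" output in IOS format (not from a real device).
SAMPLE_OSPF_NEIGHBORS = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   FULL/DR         00:00:35    192.168.12.2    GigabitEthernet0/0
10.0.0.3          1   2WAY/DROTHER    00:00:38    192.168.12.3    GigabitEthernet0/0
10.0.0.4          0   EXSTART/-       00:00:31    192.168.14.4    GigabitEthernet0/1
10.0.0.5          1   INIT/DROTHER    00:00:39    192.168.12.5    GigabitEthernet0/0
"""

NEIGHBOR_RE = re.compile(
    r"^(?P<id>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<state>\S+)\s+"
    r"(?P<dead>[\d:]+|-)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)\s*$"
)


def parse_ospf_neighbors(output):
    """One dict per neighbor line; the header and blank lines do not match and are skipped."""
    rows = []
    for line in output.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            row = m.groupdict()
            # "FULL/DR" -> adjacency state "FULL", neighbor's role "DR"
            row["adj_state"], _, row["role"] = row["state"].partition("/")
            rows.append(row)
    return rows


def unhealthy_neighbors(output, dr_interfaces=()):
    """Neighbors stuck short of FULL.

    On a broadcast segment two DROTHERs only ever reach 2WAY with each other, so
    2WAY/DROTHER is normal unless this router is DR or BDR on that interface;
    pass those interfaces in dr_interfaces. Anything in INIT, EXSTART or EXCHANGE
    for long is worth a look (EXSTART that never completes classically means an
    MTU mismatch).
    """
    bad = []
    for n in parse_ospf_neighbors(output):
        if n["adj_state"] == "FULL":
            continue
        if (n["adj_state"] == "2WAY" and n["role"] == "DROTHER"
                and n["intf"] not in dr_interfaces):
            continue
        bad.append((n["id"], n["state"], n["intf"]))
    return bad


if __name__ == "__main__":
    for neighbor_id, state, intf in unhealthy_neighbors(SAMPLE_OSPF_NEIGHBORS):
        print(f"check {neighbor_id} on {intf}: state {state}")
```

Running this against every device in a list and diffing the result against the previous run is a small, DNA-Center-free automation task that pays off immediately; the same pattern (regex per table row, then a rule over the rows) covers `show ip bgp summary`, `show interfaces` error counters and similar tables.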



What would happen if packet 4 in this trace was lost?

Hey everyone. I am learning on my own right now about TCP and SMTP. Here is a trace I generated https://www.cloudshark.org/captures/d37a26bda955.
The first three packets are for a TCP handshake. The 4th packet is a data packet sent from the server to the client. What would the next two packets be if this packet 4 were to be lost?
My current guess is that the server would resend the packet with the EXACT same payload, ACK, and SEQ, and then the client would just acknowledge that as usual.
Am I correct, or am I missing something special here?
Thanks!
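The retransmission behaviour described above can be modelled with a few lines of state: the sender keeps every segment that has not been cumulatively acknowledged, and when its retransmission timer (RTO) fires it resends the oldest one unchanged, while the receiver acknowledges with the next sequence number it expects. The model below is an added example, not from the original post and not a reproduction of the linked capture; the ISNs (1000 and 5000) and the SMTP banner text are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int
    ack: int
    payload: bytes = b""
    flags: str = "ACK"


class Sender:
    """The data-sending side after the handshake: tracks sent-but-unacked data."""

    def __init__(self, snd_nxt, rcv_nxt):
        self.snd_nxt = snd_nxt          # next sequence number to send
        self.rcv_nxt = rcv_nxt          # what we acknowledge to the peer
        self.unacked = []               # segments in flight, oldest first

    def send(self, payload):
        seg = Segment(self.snd_nxt, self.rcv_nxt, payload, "PSH,ACK")
        self.snd_nxt += len(payload)    # sequence space advances by payload bytes
        self.unacked.append(seg)
        return seg

    def on_rto(self):
        """Retransmission timer fired: resend the oldest unacked segment unchanged."""
        return self.unacked[0]

    def on_ack(self, seg):
        # A cumulative ACK covers every byte below seg.ack; drop those segments.
        self.unacked = [s for s in self.unacked if s.seq + len(s.payload) > seg.ack]


class Receiver:
    """The data-receiving side: accepts in-order data and always answers with an ACK."""

    def __init__(self, rcv_nxt, snd_nxt):
        self.rcv_nxt = rcv_nxt          # next byte we expect
        self.snd_nxt = snd_nxt          # our own sequence number (no data sent here)
        self.delivered = b""

    def on_segment(self, seg):
        if seg.seq == self.rcv_nxt:
            self.delivered += seg.payload
            self.rcv_nxt += len(seg.payload)
        # Out-of-order or duplicate data leaves rcv_nxt unchanged, so the ACK we
        # return repeats the previous one (a duplicate ACK).
        return Segment(self.snd_nxt, self.rcv_nxt, b"", "ACK")


def lost_banner_scenario(lose_first=True):
    """Server sends its SMTP banner right after the handshake; optionally lose it."""
    # Constructed ISNs: server's SYN used seq 1000, client's SYN used seq 5000,
    # so after the handshake each side's next sequence number is ISN + 1.
    server = Sender(snd_nxt=1001, rcv_nxt=5001)
    client = Receiver(rcv_nxt=1001, snd_nxt=5001)
    banner = b"220 mail.example.test ESMTP\r\n"      # constructed payload

    first = server.send(banner)          # the first data segment after the handshake
    resent = server.on_rto() if lose_first else first   # lost: timer fires, resend
    ack = client.on_segment(resent)
    server.on_ack(ack)
    return {"first": first, "resent": resent, "ack": ack,
            "delivered": client.delivered, "server_unacked": len(server.unacked)}
```

The retransmitted segment carries the same seq, ack and payload as the lost one, and the client's ACK number is the lost segment's seq plus its payload length; the banner still reaches the application exactly once, only later. Real stacks add details this model omits (exponential RTO backoff, fast retransmit after three duplicate ACKs, and the possibility of coalescing the retransmission with newer data), but the sequence-number bookkeeping is as shown.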