Saturday, December 7, 2019

Open discussion about any layer 4 issues you've had in the past.

Hello, I'm studying right now and I feel like I have a good grasp on the OSI model. I was just wondering if any of you seasoned engineers had the time to give an example of a layer 4 issue you had in the past, and how you fixed it. I'm eager to hear (read) and learn from you!



Any NTT/Dimension Data L1 or L2 network support/engineers here?

Hey guys,

I was wondering what it's like working at NTT/DI? Also, what was the interview process like, and the salary/perks? Are you guys allowed to have a good work-life balance?

Just curious as I saw some roles up for L2 and L1 engineers in the EU.

Lastly, what is the shift life like, and what technology do you guys work on daily?



(Help) Project mgr new to infrastructure

Not sure if this is the right place, but here I am. I'm a project manager who would like to know more about the work we do; mainly data center upgrades, disaster recovery planning and moving our DR to the cloud. Any books or classes you recommend? I've taken CompTIA Fundamentals.

Thanks!



Quick question regarding Reverse DNS Record

I hope I'm in the right spot to ask this.

I recently got my ISP to provide me with a few reverse DNS records for some mail servers. I've done this many times and never had any concerns about them working, but this time the results I get back when I test make me wonder if they were set up right, or more likely, that I am not understanding the protocol, and my google-fu is not working on this subject.

Is this an acceptable reverse DNS record?

1.2.3.4.in-addr.arpa. 12345 IN PTR mail.acme.com.2.3.4.in-addr.arpa.

Thanks everyone.
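As an added example (not part of the original post), the checker below parses a PTR record in the form quoted above and applies the two checks a mail admin wants: that the target is a fully qualified hostname rather than a name ending in in-addr.arpa (a target with the zone origin appended is the classic sign of a trailing dot missing in the zone file), and that the forward lookup of that name returns the address, i.e. forward-confirmed reverse DNS. The forward zone data is constructed; mail.acme.com and the address 4.3.2.1 are taken from the record in the post.

```python
"""Sanity checks for a PTR record (added example, not part of the original
post).  The forward zone below is constructed stand-in data for what an A
lookup would return; swap in a real resolver to use it for live checks."""
import ipaddress
from typing import Dict, List, Tuple

ARPA = ".in-addr.arpa."

# Constructed forward data (assumption): name -> addresses its A records hold.
FORWARD_A: Dict[str, List[str]] = {"mail.acme.com.": ["4.3.2.1"]}


def owner_for(ip: str) -> str:
    """The reverse name a PTR record for this IPv4 address is published under."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def ip_from_owner(owner: str) -> str:
    """Inverse of owner_for: '1.2.3.4.in-addr.arpa.' -> '4.3.2.1'."""
    if not owner.endswith(ARPA):
        raise ValueError(f"not a reverse owner name: {owner}")
    return ".".join(reversed(owner[: -len(ARPA)].split(".")))


def parse_ptr(line: str) -> Tuple[str, int, str]:
    """Parse 'owner ttl IN PTR target' as found in a zone file or dig output."""
    owner, ttl, rclass, rtype, target = line.split()
    if (rclass, rtype) != ("IN", "PTR"):
        raise ValueError(f"expected an IN PTR record, got {rclass} {rtype}")
    return owner, int(ttl), target


def check_ptr(line: str,
              forward: Dict[str, List[str]] = FORWARD_A) -> Tuple[str, List[str]]:
    """Return (name the record should point at, list of problems found)."""
    owner, _ttl, target = parse_ptr(line)
    problems: List[str] = []
    if not target.endswith("."):
        problems.append("target is not fully qualified (no trailing dot)")
        target += "."
    intended = target
    if target.endswith(ARPA):
        # A PTR target inside in-addr.arpa is the classic symptom of a
        # trailing dot missing in the zone file: the zone origin got appended.
        origin = owner.split(".", 1)[1]          # e.g. '2.3.4.in-addr.arpa.'
        if target.endswith("." + origin):
            intended = target[: -len(origin) - 1] + "."
            problems.append(f"target has the zone origin {origin} appended; "
                            f"it was probably meant to be {intended}")
        else:
            problems.append("target points back into in-addr.arpa")
    # Forward-confirmed reverse DNS: the name must resolve back to the address.
    ip = ip_from_owner(owner)
    if ip not in forward.get(intended, []):
        problems.append(f"forward lookup of {intended} does not return {ip}; "
                        "forward-confirmed reverse DNS fails")
    return intended, problems


if __name__ == "__main__":
    for rr in ("1.2.3.4.in-addr.arpa. 12345 IN PTR mail.acme.com.2.3.4.in-addr.arpa.",
               "1.2.3.4.in-addr.arpa. 12345 IN PTR mail.acme.com."):
        print(rr)
        for p in check_ptr(rr)[1] or ["ok"]:
            print("  -", p)
```

Run it against the output of `dig -x <address>` once the ISP says the record is fixed: a clean record produces no findings, and the second check is the one receiving mail servers actually apply.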



Redundant Network Project Help

Hi guys, I hope this is the right subreddit for a question like this, but I'm hoping you guys might be able to point my team in the right direction.

I am part of a college group for our final project. We all have some background in the IT field, but we have run into an issue with our setup.

The topology is 2 routers (Cisco 1841) connected to each other, with 2 switches (HP 2530-24G), and 2 servers (Linux). There is also one regular switch connected to both routers so clients can access the redundant network. They are connected via Ethernet to be redundant, so that regardless of whether one of each goes down, the client can still access a web page on the server.

What we have done so far is set up VRRP between the routers, DHCP is set up on both routers, and spanning tree is set up on the switches.

What is happening is that the redundancy seems to work perfectly if we start unplugging the ethernet cables. We have tried all 72 possibilities of connection and they all work. Unless we unplug the power from one of the routers. Then the client will receive a Microsoft default IP? instead of the DHCP network assigned one it needs.

Right now, we plan to look at IP Helper and fiddle with that, and if that doesn't work, take a look at moving the DHCP from the routers to the servers, and see if we have a different outcome from the clientside.

Can you guys provide any insight or point us in the right direction? We plan to meet again tomorrow morning. Thanks!



Just upgraded to 300 Mbps. But my PC only gets 40.

Sorry, I'm new to this stuff, but idk where to ask. Just upgraded to 300 Mbps internet today and it works great on my phone. But my PC gets the same as before, about 40-50. So how could I get at least close to 300?

I think the problem is that my PC doesn't support/accept 5g internet, which my phone is connected to. As I have a 5g, and then a normal network from the same router.

My connections: Coax cable into network provider modem and then connected to router. (Probably isn't the problem.)

My PC is using a Wi-Fi card connected to the motherboard which I believe doesn't support 5g.

I’m pretty sure I have two options but I just want to know your advice:

Get a new network card.

Or

Wire an Ethernet cord (what type..?) through the house.

The card would obviously be easier but I don’t know which one would really work.



Dynamic IP

I have 2 NASs that I've built at different locations. They are both running FreeNAS. I would like to have them back each other up. I'm currently stuck trying to find a free service to set up a dynamic DNS. Any suggestions? Thanks in advance.

Edit: I mean Dynamic DNS not Dynamic IP



Protecting an SFTP server at the firewall level

I am trying to secure an SFTP server that needs to be open to the internet and cannot be accessed through a VPN. I have researched methods of securing this device; I am looking for a second opinion on how to go about securing an SFTP server that is open to the internet.



Help ws 2960 48P

Hello,

I just bought a Catalyst 2960 switch and I thought I could just access the web console via 10.0.0.1, but no access.

There is a mention that I need to use a straight-through cable, but nowadays we don't use crossover cables. I did the reset procedure and followed the guide from Cisco and nothing.

Help please... Thanks



Help! OSPF neighbors and internet!

I can't figure out how OSPF forms a neighbor relationship with another router that is in another city. Like, the packet has to go through multiple ISPs, right? Is this done through a combination of MPLS, BGP, and GRE?

For example,

Router 1 is in San Francisco and Router 2 is in Las Vegas. (How do they form a neighbor relationship?)

Also, how would I make router 1 get its internet from Router 2? (Default route/Gateway of last Resort?)



Recommendations for Cisco OOB console port connectivity at remote sites with cellular access?

I've bookmarked the discussions in the past when people asked for recommendations on which serial console server brands people are using for OOB access to Cisco gear. Opengear seems to get mentioned a lot. For people who manage remote sites and need OOB access to the serial console ports on Cisco routers, switches, firewalls, etc. with cellular connectivity, what are the brands to look at? Is there one company that does cellular (in the US) OOB better than other vendors? Thank you.



OSPF / BGP Load-balancing with multiple paths

I have googled this but I'm struggling a bit to find a concise answer.

By default, with multiple paths in the table, what is the load sharing mechanism? Will a session with the same source/destination IP/port always take the same route? Or will it go over multiple paths on a per-packet basis?

Reason I'm asking is that we have a VoIP platform whose gateway has multiple paths via OSPF, with the same cost, into our core network. We've had increased reports of audio issues since moving away from VRRP/static routes and towards an L3 switch stack as a gateway with OSPF routes to our core.
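As an added example (not from the original post or any vendor's code), the simulation below contrasts per-flow hashing, the behaviour routers use by default for equal-cost paths, with per-packet round-robin. The SHA-256 over the 5-tuple is a stand-in for a real router's ECMP hash (vendors use their own inputs and a seed, but share the property that one 5-tuple always lands on one path), and the two-path latencies and the RTP-like stream are constructed values. The reordering the per-packet mode produces is what a voice stream sees when load sharing is per packet and the paths differ in delay.

```python
"""Per-flow vs per-packet load sharing over equal-cost paths (added example,
not from the original post).  The hash is a stand-in for a router's ECMP
hash: real implementations use vendor-specific inputs and a seed, but they
share the property shown here, that one 5-tuple always lands on one path."""
import hashlib
from typing import Callable, Dict, List, Tuple

# (src_ip, dst_ip, proto, src_port, dst_port, seq)
Packet = Tuple[str, str, int, int, int, int]
Chooser = Callable[[List[str], Packet], str]


def per_flow_path(paths: List[str], pkt: Packet) -> str:
    """Hash the 5-tuple; every packet of a flow maps to the same path."""
    src, dst, proto, sport, dport, _seq = pkt
    key = f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
    h = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return paths[h % len(paths)]


def per_packet_path(paths: List[str], pkt: Packet) -> str:
    """Round-robin: consecutive packets of one flow alternate paths."""
    return paths[pkt[5] % len(paths)]


def rtp_stream(n: int) -> List[Packet]:
    """Constructed RTP-like flow: UDP (17), one src/dst pair, n sequenced packets."""
    return [("10.0.0.5", "10.0.1.9", 17, 16384, 16384, seq) for seq in range(n)]


def deliver(paths: List[str], latency_ms: Dict[str, int], pkts: List[Packet],
            choose: Chooser, interval_ms: int) -> List[int]:
    """Send one packet every interval_ms; return sequence numbers in arrival order."""
    arrivals = []
    for i, pkt in enumerate(pkts):
        path = choose(paths, pkt)
        arrivals.append((i * interval_ms + latency_ms[path], pkt[5]))
    return [seq for _t, seq in sorted(arrivals)]


def reorder_count(seqs: List[int]) -> int:
    """Packets that arrive after a higher sequence number already did."""
    highest, late = -1, 0
    for s in seqs:
        if s < highest:
            late += 1
        highest = max(highest, s)
    return late


if __name__ == "__main__":
    paths = ["core-a", "core-b"]
    latency = {"core-a": 5, "core-b": 15}   # assumed one-way delays in ms
    stream = rtp_stream(20)
    for name, chooser in (("per-flow", per_flow_path), ("per-packet", per_packet_path)):
        order = deliver(paths, latency, stream, chooser, interval_ms=5)
        print(f"{name}: {reorder_count(order)} packets out of order")
```

The per-flow mode keeps a whole call on one path, so a jitter buffer only has to absorb that path's variation; the per-packet mode spreads load more evenly but hands the receiver packets out of order whenever the delay difference between paths exceeds the packet interval, which is the audio symptom described above.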



What is scarier than 100's of alarms in your NMS? When your NMS becomes inaccessible.

Yesterday night/today morning was 'fun'.

I was doing something while looking at our NMS after work, when suddenly I noticed a small, almost invisible AJAX popup about not being able to refresh the data in the NMS. I tried Ctrl+F5 and our NMS did a 404. Half our DC entered into err-disable.

We spent the entire night going from switch to switch doing shut/no shut repeatedly until stuff started to work. Next week we will do diagnosis ASAP.



Do you guys take the time to update firmware, software, OS, for servers and network equipment?

I find this to take a lot of time out of my physical server setups. For example, I got an HP ProLiant ml950 gen10 to set up last week. It took no time to build the physical server and get it to boot.

It takes a lot of time getting all the "Intelligent Provisioning" stuff updated, and even then I can't manually partition the hard drives this way. Trying to install manually is a pain too. The Windows OS didn't recognize the RAID controller, so I couldn't install Windows. And turns out the NIC only supports 1 Gbps connections, so I wasted time trying to figure that one out. I can't even install the drivers, then try to reinstall the OS, because it won't recognize the fkn hard drive so won't find the driver. I load the driver onto my flash drive, and it doesn't fkn recognize exFAT. So I make it FAT32 and get it to work.

Then you update the firmware/software in the iLO, and of course one of the updates will break iLO when trying to install it, even though it was an update found and initiated from within the iLO itself. And since each reboot takes a million years, it takes me a few days before I can begin setting everything else up on the server.



I'm looking for background pricing info for an HOA to build FTTH or fixed wireless for a rural neighborhood (either paying an ISP to do it or operating it at the HOA level)

As a layperson, I'm wondering what the process would look like for an HOA to help the homeowners of a neighborhood get internet access for the first time. Here are the basics:

  • CenturyLink has what I believe to be a fiber tap right outside the neighborhood: there are 4 or 5 newer-looking large boxes on a concrete pad. I believe this node serves DSL/phone to several nearby neighborhoods, but not to our neighborhood.
  • Our neighborhood is 100 homes over 10k+ acres, up two canyons served by two dirt roads which the HOA owns.
  • There is existing water and power buried in the roads.
  • At the top of one of the canyons, the HOA has leased out a small piece of land to a private company that has installed a large comm tower, with grid power and backup diesel generators. The tower surely functions as a simple repeater since it just has two dishes facing opposite directions. The tower has line of sight to some homes, but not many.

As I said, I'm a layperson, not a networking professional. In general, my question is: what on Earth do I do with this information? Is there anything to do with this information, or is this just a pipe dream?

To try to be more specific, here are some questions; feel free to answer few or none:

  • What is a ballpark estimate if I call up CenturyLink's business line and ask for a quote to run fiber directly from their node to our neighborhood's first residence, which is ~0.5 mile up the road (again, keeping in mind that we own the road itself and there is power already installed)? When power companies bury power for the first time, is it likely for there to be empty conduit already in the road that the power company would be willing to sell back to the HOA for use with fiber?
  • Would it be better for the HOA to hire a 3rd party to install the fiber, and then simply ask to plug into CenturyLink's node?
  • Given that the geography of the canyons would make fixed wireless extremely difficult, how outrageous would it be to consider FTTH for our full-time residents? There is a total of about 5 miles of road that serves our lower ~30 households, which are mostly full-time residents. I know density is not on our side, but I'm comparing it to our past: When we all agreed that we wanted power for our community, we made it happen; when we all agreed that we wanted central water for our community, we made it happen. This is a community that is quite close-knit and I think understands the idea of decades-long capex projects better than most communities: we installed water ourselves just a few years ago, with homeowners footing the ~$30k per lot price tag. Is fiber impossibly expensive compared to power and water, or is it not unreasonable compared to our past investments? Right now, people are tired of using LTE hotspots with 2 bars of service. The neighborhood is reasonably hungry for real internet.
  • If the cost of FTTH alone is not disqualifying, then what do we do with that? If we were to front the bill for the network (and hopefully retain ownership of the fiber?), would CenturyLink be willing to provide ordinary residential fiber service to each individual residence? Or would we need a custom business account for the entire HOA? Or would we need to pay some other company to operate a new ISP on our networking, using CenturyLink for backhaul?

If those are dumb questions, I'm sorry. Like I said, feel free to ignore the questions themselves. My real question is just: is this possible? Where do we start?



Best method to VLAN individual PoE cams apart from NVR as a whole?

I am attempting to VLAN PoE cams and wondering if it is possible to put each individual cam on its own VLAN as opposed to applying a single VLAN to the whole NVR. If so, what is the best way to go about tagging each cam if they are on an NVR and not a switch? Is it better in any way to plug the cams into a separate VLAN-capable PoE switch, which is then itself plugged into a single port on the NVR?



YouTube channel recommendations?

I’m looking for channels that do large scale installations and things of that sort



Need career advice

Hi,

I’m kinda curious if any of the network consultants out here have experience working in smaller sized companies (70 people) and being taken over by a large company (3000+ people)?

I'm currently in this situation and I'm very unsure about what the future will bring. ATM it's all very vague what's to come, but the subtle 'policy changes' lately have brought up some doubts.

So long story short, in a period where I felt a little bit down/not motivated/disappointed in my company regarding planning (long days of 10-12h), a friend of mine recommended me to his company and they invited me for an interview.

This all went great, very nice people, it's a small company.. again, long story short, they gave me an offer which is definitely better than my current company, although not by THAT much.

I will list some pros and cons below to the ‘new company’ and my ‘current company’ and really hope anyone can give some solid advice.

New company: Pros:
  • the office is 30 min less driving than my current company
  • met nice people during the 2 interviews, they seem really friendly
  • slightly better salary package
  • 38h/week instead of 40 at my current company, also flexible so I can start early and leave early. So work-life balance (looking from the working hours perspective) is definitely better.
  • real-life friend is working there

Cons:
  • new vendor, my current certificates are not relevant anymore.
  • not sure if I will 100% like the vendor
  • stepping into a new company can be scary, at least that's how I experience it
  • any other downsides small-sized companies can have ..

Current company: Pros:
  • I'm very familiar with the company
  • I like the products I work with
  • I am close to a handful of colleagues

Cons:
  • long working days
  • some colleagues are arrogant
  • multiple vendor partners, I have to deal with products I'm not familiar with occasionally, which causes some stress sometimes
  • taken over by a giant company with probably much stricter policies (although ATM still unknown how this will evolve).

Thanks for any advice, this would be my first job-hop ever and it scares me. The new company knows about my doubts and were very understanding and kind about this, they are willing to give me more time to consider which i really appreciate.



Sitting on broken static routes on a saturday. Thanks Fortigate.

I wonder if I should restrain myself and avoid filling this post with the profanity filling my head, maybe you can help conquer some peace of mind. Because it's either you or booze, and it's just 1 PM in central Europe.

The scenario: the branch office can't print from Remote Desktop over IPsec tunnels; the printers are offline. Better yet: the printers would be online if the gateway (the same Fortigate managing VPN, routes and policy on the RD site) didn't decide to actually play dice with the routes.

This is the connection from the RD-Source to Printer Nr. 1 on remote site

tracert 192.168.204.153

1 <1 ms <1 ms <1 ms 192.168.168.1 <-- hello gateway

2 33 ms 33 ms 33 ms 192.168.0.164 <-- hello VPN gateway on the opposite side

3 35 ms 37 ms 45 ms 192.168.204.153 <-- hello Printer Nr. 1

Now watch what happens if I try to ping Printer Nr. 2, sitting on the same table, attached to the same switch, served by the same router, on the same VPN.

tracert 192.168.204.154

1 <1 ms <1 ms <1 ms 192.168.168.1 <-- hello gateway

2 1 ms 1 ms 1 ms 192.168.100.1 <-- uuh..where are you going, that's the modem's default route

3 12 ms 11 ms 12 ms a81-*-*-*.net-*.co.uk [81.*.2*4.**1] <-- ..and my ping gon fuck himself on the internet.

Any clue before I lose my mind?



Help in understanding Sockets and Connections as it relates to TCP and programming

I have a bit of experience in software development, but little in the world of Networking.

I know that some programming languages provide a facility called sockets, which allows you to open a connection (which can be seen as a pipe) to a remote host and, using that, write or read information from that remote host.

From the bit of networking I know, I am aware of routing, and the fact that on the internet, before a message from host A reaches another host B, it would probably travel via multiple routers.

I also know that TCP is a protocol used as a transport protocol for communicating on the internet. Unlike UDP, it is connection oriented.

Now this is where I am having troubles visualizing/understanding things:

If a route from host A to host B actually spans multiple pieces of network equipment in its path (routers, switches etc.), how then is it possible to establish a connection between host A and host B? Will the connection span across all this equipment? (I mean, at any point in time, would the intermediate equipment be aware of the connection that has been established through it that allows host A to talk to host B?)

The same question above also applies to sockets. When a socket is established with a remote host, are all the intermediate machines also aware of and persisting this connection?

I can imagine things if I have host A directly connected to host B... but I cannot understand the setup when it is actually two hosts reachable via the internet.

Any explanation that could help me understand these things better would be appreciated!
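As an added example (not part of the original post), the loopback demo below shows where a TCP connection actually lives: in the two endpoints' socket tables, identified by the (local address, local port, remote address, remote port) tuple. Nothing between the hosts keeps that state; a router forwards each packet by its destination address and a switch by its destination MAC, neither knowing or caring that the packets belong to a connection. The exception worth knowing is a stateful firewall or NAT device on the path, which tracks the same tuple to decide what to let through; that is why idle connections get dropped by those boxes and not by routers. The addresses and message text here are constructed, and the whole thing runs against 127.0.0.1.

```python
"""Two TCP connections to one listener, distinguished only by their 4-tuples.

Added example, not from the original post.  Runs entirely over loopback;
the message text is constructed.
"""
import socket
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]
ConnKey = Tuple[Endpoint, Endpoint]   # (local, remote) as the server sees it


def demo_two_connections() -> Tuple[Dict[ConnKey, bytes], List[Endpoint]]:
    """Open two client connections to one server socket.

    Returns ({(local, remote): bytes received}, [client addresses]).  The
    (local, remote) pair is the connection's identity; it exists only in the
    kernel socket tables of the two ends.  Anything on the path would see
    packets carrying those four values, and nothing more.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind(("127.0.0.1", 0))          # port 0: kernel picks a free port
    server.listen(5)
    server.settimeout(5)
    listen_port = server.getsockname()[1]

    # Each client gets its own ephemeral source port; that, not anything in
    # the network, is what keeps the two conversations apart at the server.
    clients = [socket.create_connection(("127.0.0.1", listen_port), timeout=5)
               for _ in range(2)]
    client_addrs = [c.getsockname() for c in clients]
    for i, c in enumerate(clients):
        c.sendall(f"hello from client {i}".encode())

    result: Dict[ConnKey, bytes] = {}
    try:
        for _ in clients:
            conn, peer = server.accept()    # one accepted socket per 4-tuple
            conn.settimeout(5)
            result[(conn.getsockname(), peer)] = conn.recv(1024)
            conn.close()
    finally:
        for c in clients:
            c.close()
        server.close()
    return result, client_addrs


def same_local_endpoint(result: Dict[ConnKey, bytes]) -> bool:
    """True if every accepted connection shares the server's (ip, port)."""
    return len({local for (local, _remote) in result}) == 1


def received_by_remote(result: Dict[ConnKey, bytes]) -> Dict[Endpoint, bytes]:
    """Index the received data by the remote endpoint that sent it."""
    return {remote: data for (_local, remote), data in result.items()}


if __name__ == "__main__":
    res, addrs = demo_two_connections()
    for (local, remote), data in res.items():
        print(f"{local} <-> {remote}: {data!r}")
```

While it runs, `ss -tn` (or `netstat -an`) on the host lists exactly these tuples; run the same command on a router in the path and you find nothing, because the router never had a connection to show.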



NZDSF (ITU G.655) & Bend Loss Insensitive (ITU G.657) in 1 fiber?

Context: C-band DWDM fiber

This sounds great, but is this possible? This has been outside of all my sales engineers' experience, myself included.

Cheers



Cat6 shielded question

Hi everyone. I have a couple of Cat6 shielded cable runs for a few IP cameras. The runs go from the camera to a PoE switch with metal housing ports. I used Cat6 shielded cable connectors and attached the drain wire to the metal tabs of the connector at the switch side only. Are the cables properly grounded? If not, what's the way to do so? Also, if I don't connect the drain wire at either end, will the cable perform properly? I thought shielded cable would be better but may have bitten off more than I can chew. Worst case, gonna rerun with just Cat6 and plastic connectors.



Friday, December 6, 2019

Emulation of GSM and PST

This is all I could find here and it's outdated by almost a decade.

Anyone know how they'd go about emulating cell phone/mobile networks? I'm looking to learn and I want a more dynamic representation to look at. I found this but I'm not sure if it's what I need / pretty sure it costs money.

Thanks in advance for any interaction this gets.



Supplementing 1Gbps ISP for small office

I have a few clients questioning why they aren't and shouldn't go for the 1 Gbps speeds that these business ISPs are offering. I told them straight that it was due to the firewall they have in place handling the connection and that all the security features they wanted would slice it down. Long story short, are there alternative, also cost-effective, ways to try and capitalize on these speeds without worrying about security features bogging it down? I'd like to upsell and provide a little more confidence instead of presenting them with a 10 grand firewall appliance (Fortigate user here). Any input would be appreciated!



Can I use AC + N simultaneously on 5 GHz without drawbacks on this device?

Hi guys,

Rather basic question, but I still was not able to get to the bottom of this with Google. The firmware allows me to select mixed mode (AC + N) on 5 GHz as well as a channel width of 80 MHz. It's a Linksys EA6300. I have, I think, 1 or 2 old devices which would benefit from N but do not have the AC standard.

My question is: Does the router serve all devices individually with the best service (AC or N), while not reducing the service to N for all devices if an N device is detected?

Thanks

(If it doesn't work, I can still use 2.4 GHz for N. But here it's the same question. I can select "mixed" so it supposedly uses either N or G service; will it work for every device individually?)



Mac cannot ping VM IP

I'm using Parallels for my VM on Windows 10 and my MacBook Pro (2019 15-inch) is running on Mojave. I can't update yet because software from work is not ready for the newest macOS version.

What I'm trying to do is get both the VM and Mac to communicate. The VM will ping my Mac's IP, but the Mac will not ping my VM's IP.

Any suggestions?



Palo Alto Optics

So I'm running into the old TAC line of "unsupported optics" when I call into Palo now. We typically just put Cisco in there because that's what we use. I guess it's time to change that. I ordered some "Palo Alto" optics and our CDWG rep told us they were rebranded Finisar, rebranded to Proline. Looking on their site, Proline is twice the cost of Finisar. Is anybody running Proline instead of Finisar? How does it look via CLI? For me, when I run

show system state filter sys.s1.p*.phy

I get the following output:

sys.s1.p20.phy: { 'link-partner': { }, 'media': SFP-Plus-Fiber, 'sfp': { 'connector': LC, 'encoding': Reserved, 'identifier': SFP, 'transceiver': 10000B-SR, 'vendor-name': FINISAR CORP. , 'vendor-part-number': FTLX8574D3BCL , 'vendor-part-rev': A , }, 'type': Ethernet, }

I'd like to see if the proline shows anything different. If anybody can provide that output with a Proline optic, it would be immensely appreciated. Thanks!



RJ-45 adapter on Cisco SFP switch cycling

I have a Cisco SG350-28SFP switch that is broken up into several VLANs and this problem seems to exist on all the VLANs. I have a few SFP to Single Mode transceivers and some SFP to RJ-45 transceivers and the plan is to have this function as a large managed fiber converter.

The single-mode transceivers seem to be working fine and the hard-wired RJ-45 ports seem to work fine. When I plug in an RJ-45 transceiver on one of my VLANs it seems to be cycling between turning the port on/off, and the computer says no network/connected. The cycle is about 1-2 seconds before it turns on/off.

I programmed the switch using an RJ45 transceiver on the default VLAN1 and didn’t have any connection problems. Anyone have any input? I’m having trouble googling this due to false responses related to cycling or loop.



Do I upgrade the Firepower Management Center or the actual Firepowers (FTDs) first?

FMC is running 6.2.3.13; FTDs are running 6.2.3.13.

I assume I upgrade the FMC first, right?

Also, can I just go to 6.4, or is it like the PA where I have to go to 6.3 and then 6.4?

Thanks



Network Analyzer Recommendation for GPS Antenna

I'm working on a project and we are required to provide a DTF and return loss test result for a GPS antenna. I've been looking for some recommendation to get these tests completed as most of the higher end analyzers were expensive. We have an LMR400 coax cable connected to the GPS antenna in the roof that is sealed up. Could anyone suggest a good network analyzer under $500 to get the test done? Thank you.



EVPN - Dell S series

Is anyone using the Dell S series for EVPN?
Can you tell us your experiences?



Wired gigabit slower than wireless 1200AC card?

This is what I’m seeing according to speed tests. My ping is almost double and my overall speeds slightly slower. Am I missing something obvious?



Secure remote administration solutions

I've been looking for a way to remotely access our network devices without having to configure IPsec tunnels everywhere. I remotely monitor and manage around 50+ networks globally and have been looking for an easier way but have come up short. TACACS+ says it's encrypted, but does MD5 even count? /s The higher-end Nexus devices support AES it looks like, but it might never happen for the IOS devices and non-Cisco gear. Palo does it well with SAML support to IdPs, but we are a mix of Cisco, Juniper, PA, Meraki and a few others. The overhead of IPsec and securing the traffic to prevent unnecessary access to the NOC and each other is a burden, but I think there is no other choice at this point in time. What do you all use as a solution for this? I have read about RADIUS key wrapping but it doesn't look to be widely supported. Thanks in advance!



PSA: You Can't Configure Firepower NAT Without Losing Your Connection

We have been blessed with the misfortune of being pushed to buy Firepower devices because of the ASAs going end of life, and I just got confirmation of a "by design" feature that disconnects everyone from the firewall every time a configuration change is made.

We are running FDM 6.4.0.4 and I noticed that every time I modified a NAT rule I was getting complaints that our internet connection would drop, which in turn causes our site-to-site VPNs to fail. When I looked into the console to see what exactly happens after I run a deployment, I saw messages about a user called "enable_1" that was issuing a lot of "no nat" and "nat" statements, which seemed to include ALL of our NAT rules. Since we have open communication with Cisco technicians as a result of all the tickets we had to open about our Firepower devices, I asked him about that and here is what he said:

I know this may look counterintuitive, but the behaviour you are seeing is completely normal and is the way FTD handles the deployment of configuration to LINA (the ASA backend). The enable_1 user is an internal user and it executes configuration within LINA whenever a Policy Deployment requires it.

Does anyone else find this astonishing that if you buy a Firepower device you can’t configure it without disconnecting all of your customers?



How long do broadcast-addressed packets last?

I'm not sure if this is the right subreddit for this, but if I sent a packet to ff:ff:ff:ff:ff:ff, would any computers receiving the packet have to be online then and there, or could they log on a few seconds later and still receive the packet?



Cisco Flexconnect mode Local Switching

Hello, everyone,

I have a customer who has to implement FlexConnect Local Switching; currently in one branch office they have autonomous APs and he wants to change to FlexConnect. I have never implemented FlexConnect mode, so I would like to have some information: do I have to configure DHCP pools on the switch? And should the VLAN mapping be done with the VLANs associated with the WLANs? The customer has only 3 SSIDs and wants to use this mode for each.

Can you help me engineer a solution?

Thanks in advance



SP folks: Exactly how resilient is the internet against undersea cable cuts?

I work on a very non-SP team (enterprise, tactical, servers etc) and we were discussing the potential implications of something like this:

https://www.forbes.com/sites/hisutton/2019/11/10/russias-suspected-internet-cable-spy-ship-appears-off-americas/#76eb495842d5

I imagine that there are places where physical infrastructure is single threaded, such that it would be relatively easy to cut off internet access to an entire region (e.g. Crimea). Similarly, if a region is logically bottle-necked by design, you could manipulate BGP at a couple key points and significantly degrade or completely block connection to the rest of the world.

But when you're considering large regions with diverse and redundant physical transport (e.g. North America to Europe), am I right in thinking that it would be almost impossible to cut off the connection between, for example, Germany and New York? If I have a circuit from location A to location B with a CIR, I assume that the SP is just putting our traffic on an MPLS network that could probably survive even if every Transatlantic cable were severed (by rerouting through Asia/Pacific/West Coast etc)?

Ultimately, just trying to temper some fear/uncertainty/doubt among non-technical leaders here.



Aruba wireless and iPhones/Macs

We have just migrated our environment from Aruba AOS 6.5 to AOS 8. We are now seeing some users reporting that their iPhones and Mac devices either can't connect at all or get disconnected every 5 minutes. Looking at logs on our controllers and monitoring, this seems to be the case, but I can't see any reason why or any pattern. I am using multiple iPhones and OS X devices and have not experienced any issues, and we have hundreds of other users with iPhones or Macs. All the users reporting the issue are on different iPhone models and OS versions. Anyone had this before? Cheers.



Does any router that has a USB port support a 3G modem?

If a Wi-Fi router has a USB port, does it mean that it will work with a USB modem (3G or 4G USB stick)?

I mean, can I stick this into this?



Zero trust networking: where to begin.

https://ift.tt/387TRKl

Blue Coat - packet shaper.

Hello guys,

I configured a partition for the client for shaping traffic - SIZE: 50 Mbps / LIMIT: 75 Mbps (Burstable). I prepared the diagram to check utilization and see that the client can reach more than 75 Mbps - the client can reach 79 Mbps/81 Mbps (two times). Could anyone please explain why? Is it related to the Burstable option?



How To Ground Cat6 Shielded Cable

Installing a camera system and used Cat6 shielded cable and Cat6 RJ45 shielded connectors. One end of the cable is plugged into a camera and the other end is plugged into a switch. The switch has metal ports and a three-prong power plug. If I wrap the drain wire around the two metal prongs on the connector where the switch is and do not connect the drain wire on the camera end, are the cables properly grounded? Thanks for your time.



Thursday, December 5, 2019

Certification question

Looking to get a career in Networking / Cybersecurity.

What are the main things I need to learn?

What would be the best certificate to help me get a job in the future?

Should I get CompTIA A+ or Security+, or another certificate?

Essentially, what do I need to learn to get a cybersecurity job?

As of right now, I essentially have 0 advanced experience, so yeah



Next-Hop Information

Hello everyone,

I am learning networking and have a couple Juniper devices configured. I have a specific question regarding next-hop routing options. Is a static next-hop routing option necessary? I had an EX-4200 Juniper switch configured without a static next-hop route or any sort of route configured and it was working perfectly fine. However, when using Netdisco I was unable to discover it or see it until I configured a static route to another Juniper switch which acts as the main switch and connects to the ISP for my network. Any help in understanding what benefit a static route gives would be greatly appreciated.



Cisco WLC N+1 HA - What happens after 90 days

If my primary WLC fails, my APs will move to the secondary WLC. All good.

I’ve heard that after 90 days, everything will continue to work but notification will begin to go out.

What if after 90 days my primary wlc is still down and my secondary reboots?

Will the secondary wlc accept the aps after rebooting?

Thanks



Question - Netflow shows Application Traffic at Multiple Petabytes

Going through the process of troubleshooting why Cisco's Stealthwatch is showing Application traffic at 2+ petabytes of data.

At the outset, nothing seems terribly out of the ordinary, with only a few KB of traffic here and there. But on occasion, I will see 2+ petabytes of traffic to Box. Kind of strange, and during those times I've checked both the user's machine and our firewalls for any abnormalities.

Hell, most times Palo barely registers a few bytes from the hosts, and not to Box. So it's a bit odd and while I have a few places to start looking, I was curious if anyone else had experienced this issue in the past.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



managed switches are not my forte, and I'm not sure if VLANs are the right way to do what I want

For reasons not relevant to my question, I have a small office building with two physically separate LANs. They don't talk to each other, and don't need to. They both have separate connections to the internet.

Each network has its own 8-port dumb switch in a closet. Each network also has its own internet access method in this closet. They are different ISPs.

There is a desire to expand capacity on both of these networks. They just want to add more clients. Bandwidth is not much of a concern at the moment.

My question is this: if I remove both 8-port switches and replace them with say a 48-port switch that supports VLANs, will creating a VLAN for each now-separate network allow them to share this piece of hardware and keep on keepin' on like they are now? Can each separate VLAN be connected to their respective ISP and keep that traffic isolated? I don't want to create some weird loop or other form of terribleness resulting from two different upstream DHCP servers now being on the same switch.

What I have read about VLANs almost sounds like this is what I want, but I haven't seen any examples that contemplate having two completely unrelated networks on the same switch.

Yes yes, the place in question would be better off with better infrastructure and someone who knows what they're doing, but trust me when I say you have no idea how cheap they are. They'd set fire to a dollar to save a dime.



Netdisco and Unifi EdgeMAX Router

Hello everyone,

I am trying to configure SNMP on an EdgeRouter Pro v1.9.1 and am wondering if anyone has been able to get it working with Netdisco. I am pretty sure my SNMP and LLDP configuration is correct, but I can't seem to get it discovered by Netdisco.



PoE injector for terminal block?

My office building has ethernet wired to each office ending in a terminal block in a closet. http://imgur.com/gallery/3IfUVGU We use PoE IP phones, and I had previously used a 48 port PoE switch. Is there an injector that can be used in conjunction with this wiring setup, or do I need to terminate each cable and use my PoE switch?

Thank you in advance.



How to force an application running on Ws server 2016 to use a specific NIC?

Hey guys,

I need some help with the below mentioned issue. I will appreciate your thoughts.

ws server 2016 std

The App Sage XRT Treasury 4.0 is installed.

There are 2 NICs - a NIC for all network flows and a second one dedicated to the backup.

The issue is that this third-party Sage app service "XDLO_SERVICE.EXE" communicates externally and wrongly uses the NIC for the backup. The goal is to use the other NIC - which is meant for external flows.

As a workaround, the backup-dedicated NIC is disabled for now.

Is there a way to configure this app on Windows side to use the specific NIC and not the other one?

I tried using the Force Bind Ip tool but with no luck.

Many thanks in advance!



Cisco ISE, alot of inactive Endpoints?

In Cisco ISE I have a lot of inactive Endpoints (Context Visibility>Endpoint>Authentication). About 95% are from my Guest network, which makes sense, but the inactive Endpoints are still using Cisco ISE licenses even though some have been inactive for 20+ days (after 30 there is an auto-delete).

In my Cisco WLC, interim RADIUS Accounting Settings under WLANs was not enabled, so Googling told me to enable this. Is this the fix for this issue, or do I also have to set the "re-authentication timer" under my Authorization Profiles? I read this should be set to something like 12hrs, but this was in regard to 802.1x wired Auth for Switches, so I am testing this out on my switch's profile set.

My main issue is that about 50% of my Cisco ISE licenses are being used by inactive Endpoints.

Thanks in adv



Not even getting 1/3 of what I should get

So I bought a new router today and it says I can get 300+400 Mbps

I tested and I only got 93. I'm using a wire that connects to my PC. Why is this?!



Please help a chump with Packet Tracer

I am working on an exam for one of my classes where we must subnet to make two networks.

I can provide pictures if needed, but it is two routers connected via a serial port, each with a switch and three computers on each end.

I have IPs assigned to each device, and have made sure that all the interfaces used are set to open, and have addresses assigned as well, but I can not get the PCs on one side of the network to ping the PCs on the other side.

After taking a look at the Simulation Mode, it seems like the packets fail first at the routers, but I am not sure what I am doing incorrectly.

If anyone has any advice/help, it would be appreciated



Point-to-Point APs that will survive a Canadian winter

Hey friends,

Working on a project to get camera + gate access out to a remote area of our campus. We'd like to set up a Point-to-Point wireless to expand our network out to that area. Distance is about 500m with clear line of sight.

We had been looking at the Ubiquiti NanoStation AC, but it doesn't seem all that robust... while the temperature rating fits within our environment, there are no seals around the points of entry etc. and I worry about moisture ingress affecting reliability. Has anyone been reliably using these throughout a harsh winter?

Are there any other reputable options for a simple point-to-point that is rated for outdoor use?

Thanks!



Layer 2 Circuit Issues

We've recently had a layer 2 circuit installed for a new office. IP'd privately and connected back to our core, at which point we send relevant traffic where it needs to go.

It's provisioned as a 200mb circuit, but speed tests show a max of 100mb-ish, and staff on-site are complaining of time-outs when loading web pages etc.

We have had the provider out to do an ethernet test and they say all is good. I've removed the internal LAN (firewall and switches) from the equation by directly connecting my laptop (giving it the correct IPs), and still the issue persists.

I'm stumped as to what could be causing this. I've run iperf tests which show no issues, and I've run continuous pings from the site to external addresses which again show no issues.

Anyone able to offer advice on the next step to be checked please?



best way to deal with load balancing web services where users' IPs are changing?

What's the current best practice for load balancing web services in general these days? My current old-school Cisco load balancer will serve a given user from a given server for 10 minutes, but it determines what a session is by the source IP. In a world of mobile devices this is probably pretty common? This causes issues in some of our web apps because our load balancer doesn't retain their sticky session to a given server and they can bounce between servers in the backend... in turn that causes them to land on different databases.

Is this an application architecture issue to solve? (I can think of ways to do so... but not great ways.) Or are there more modern load balancing approaches that can determine what a session is in some heuristic manner other than IP address alone, so if their underlying IP changes their session remains sticky?



Connecting 1 server to 2 routers?

So I'm setting up this small project and we have two routers connected in parallel to the same modem, and I have a server that I want to connect to both of the routers. Will both routers be able to access the server? Diagram: Router 1<<Modem>>Router 2; Router 1>>Server<<Router 2



Network Logs/Weird Activity?

I have been reviewing network logs today, and I saw that I have a PC that keeps trying to send traffic to another PC on the network but is being denied for "Unhandled internal traffic". Every few seconds it is attempting to send traffic to about 20 IP addresses on our internal network, starting with xx.x.40.1, then xx.x.40.2, xx.x.40.3 and so on. Every time it is denied, and after it hits xx.x.40.20, it stops and then tries it all over again. This PC is used in production and all it is doing is running 1 website and a local label printer. Networking is not my forte, so I am a bit stuck. There aren't any other internal machines sending traffic like this.

Thank you for your help!
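The pattern described above (one source denied to .1, .2, .3 ... .20 in quick succession, then repeating) is easy to pull out of deny logs automatically. The following is an added example, not something from the post: a small Python detector that groups deny events per source, slides a time window over them, and flags any source that was denied to many distinct hosts, noting whether those hosts form a consecutive run. The log line format and the sample lines are constructed for the example.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed deny-log format for this example (not a real vendor format):
#   "<YYYY-MM-DD HH:MM:SS> DENY <src> -> <dst>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DENY "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse_denies(lines):
    """Yield (timestamp, src, dst, port) for every line matching LOG_RE."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   ipaddress.ip_address(m["src"]),
                   ipaddress.ip_address(m["dst"]),
                   int(m["port"]))


def find_sweeps(lines, min_targets=10, window=timedelta(seconds=60)):
    """Flag sources denied to at least `min_targets` distinct hosts inside `window`.

    For each source, a sliding window over its time-ordered deny events keeps the
    largest set of distinct destinations seen in any window; the finding records
    the span of that set and whether the addresses are strictly consecutive,
    which is the signature of a host walking a subnet one address at a time.
    """
    by_src = defaultdict(list)
    for ts, src, dst, _port in parse_denies(lines):
        by_src[src].append((ts, dst))

    findings = []
    for src, events in by_src.items():
        events.sort()
        best = set()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            ordered = sorted(best)
            ints = [int(ip) for ip in ordered]
            findings.append({
                "src": str(src),
                "target_count": len(best),
                "first_target": str(ordered[0]),
                "last_target": str(ordered[-1]),
                "sequential": all(b - a == 1 for a, b in zip(ints, ints[1:])),
            })
    return findings


def constructed_log():
    """Constructed sample: 10.1.40.50 sweeps .1-.20 once a second (matching the
    post's description), while 10.1.40.77 has three unrelated, scattered denies."""
    base = datetime(2019, 12, 5, 9, 0, 0)
    lines = []
    for i in range(1, 21):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} DENY 10.1.40.50 -> 10.1.40.{i}:445")
    for i, host in enumerate((5, 9, 12)):
        ts = base + timedelta(seconds=40 + i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} DENY 10.1.40.77 -> 10.1.40.{host}:80")
    return lines


if __name__ == "__main__":
    for finding in find_sweeps(constructed_log()):
        print(finding)
```

A sequential finding like this is worth correlating with what is actually running on the host (the label-printer or web software may carry a discovery feature) before treating it as hostile.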



Nonstandard IP addresses

Hi all, wondering if it is possible to have an internal network that is not the standard 192, 172, or 10.

If possible, and if that is the case then all the IPs are routable. Is that right?



completely isolating VLANs

I have an L3 switch (Aruba 2930F) with 3 VLANs: 10, 20 and 30. This is the entire network.

IP routing (intervlan) and Multicast routing is not enabled.

Do I still need to apply ACL in order to lock down/isolate each vlan?

If ACL still need to be applied, would it be something like this on each vlan?

  access-list 101 deny ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
  access-list 101 deny ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255

Thanks



Cisco WLC and Rogue Management

I've had a nagging OCD impulse to go through and manage my Rogue APs / clients on my WLC. We are not in a real big market, and yet between all our facilities we are pulling up somewhere around 250 rogue APs. I'm struggling with justifying the time to classify these and the question comes to mind: do others do this?

In larger cities or business campuses it'd take a full-time job to manage. Do most people ignore the detected rogues and forever leave them in the unclassified hole, manage them, or simply disable Rogue detection?



When is your WAN *not* a fit for SD-WAN?

It's Thursday. I see no thickheaded post, so I'm going to be thickheaded here and hope some experts can pipe in and tell me what I'm missing.

I think the dream for some of us in networking is to have a centralized management system for all our sites, be it within a large city or spanning the globe. The SD-WAN kool-aid brings the promise of centralized management of these sites for those with branches across the country/globe, but what about for those with lots of sites within a large city?

Why am I asking this? Well, I'm looking at the state of my network which spans a large city, and we have around 100 branches/offices, and we have dark 1G fiber between them. However, most of them have low bandwidth, and even bursting is less than 100 Mbps at most; and most of their traffic isn't destined for our datacenters, it just goes through them*. In fact, our datacenters have shrunk to the point of putting everything on two or three racks at each location.

Why wouldn't SD-WAN be applicable in this situation? Assume I have competitive bandwidth options (be it SMB-level broadband, metro-ethernet, MPLS, etc.).

Now I realize I'm simplifying things a bit, when asking this, but when is SD-WAN not a fit for a WAN, in a theoretical sense.

There's just a lot of coverage with SD-WAN right now (or maybe the algorithms are making it that way), so it really has me thinking.

Thanks ladies and gents.

Edit- Detail error on my part that needed clarification.



ASR9010 vs ASR9912

Dear networking community,

I have some questions regarding the ASR9912 & ASR9922.

When would you opt to go for either of these models over an ASR9010?

Is this a matter of slot space?

Because I have the feeling the options for line cards are way more limited than those for the ASR9010.

Would love to get some opinions on this, thanks in advance.



DIY Q: Link 2 Routers - wirelessly

Hi guys

When it comes to networking, it's always hit-and-miss with me. Thus, I'll appreciate help from experts. Note, I'm not too tech-savvy, but I do know a thing or two.

Ok, I have two routers:

Router 1 is connected to the internet, just fine.

I have another router, let's call it Router 2.

I want to connect them with each other, wirelessly, and use Router 2 as a second wireless connection for my cellphones and such (using Router 1's access to the internet).

Anyone, plz?



[RANT] FortiOS 6.x.x is the Windows Vista of FortiOSes

FortiNet you gotta get your shit together.

I have been a huge fan since the beginning of time, coming from Cisco, Checkpoint, then Palo, but you always proposed an incredible product, with very simple all inclusive licensing for such an aggressive price. You would always be up there with the big boys that would cost three times for half the throughput but always be amongst the best on any Gartner or third party independent tests. 5.6.x was such a masterpiece (yea well not exactly but...), always working, minor bugs here and there, devices been running for 2 years straight without a single problem.

But no, let's fuck it all up to pursue this SD-WAN nonsense. Couldn't you just put in the brochure, add a menu to make the CIOs happy and leave the rest of it alone? Couldn't you just stop forcing people on 6.x.x? What about NOT release 6.x.x. at all?

It is such a pile of garbage I almost threw one out of the window. If it was painted grey I would confuse it for goddam Cisco ASA. Stuff that always worked flawlessly is now completely fucked. HA? Randomly kicks in. DHCP? Fuck, I won't work on port 1, only on port 2 and on Tuesdays! GUI? Why stress you with all those long pages full of logs that make no sense, a blank page is much better! We are very concerned about you burning out, so if you click or add too many rules too quickly, we will make you slow down and freeze the fuck out of the GUI so you go get a coffee! Let's force you on using that useless FortiCloud with the excuse of not adding the internal harddrive anymore (even if you buy the harddrive you can't use it, that was such a Cisco move) and then throwing "FortiCloud does not support the latest version of FortiOS, sorry!" Is this some kind of joke?

Rant over. Go back to work.



Advice on architecture for a VPN link

Hi all,

I’m looking for some advice on setting up a VPN link. The situation is as follows: we have two offices in Europe, in the same city about 3-4 miles apart. Office #1 has a VPN link towards the US, where one of our partners is situated. We use this VPN link for accessing their internal resources, remote workstations that our people use, etc...

In the Office #1 we have a Sonicwall NSA 2600, while Office #2 is running a Sophos XG 210 rev. 3.

While we were requesting another VPN link for Office #2, we were notified only one VPN link can exist.

Now I’m not too satisfied with the setup in either of those two offices (power delivery, no HA/failover, etc), not a lot of bandwidth is available and due to circumstances of the market here, increasing bandwidth can cost a lot.

So I had an idea about setting up a server in Germany (our HQ is there) that would be the termination point for the US VPN tunnel, and then the offices would connect separately to that server in Germany.

This server would be running something like RouterOS x86 from Mikrotik? That is the only OS I could come up with that had everything; maybe you guys have suggestions?

I’ve done a couple of measurements and the latency to the US VPN endpoint from offices #1 and #2 is about 150ms. Latency from Germany to the US endpoint is ~120ms and latency from our offices to Germany is 30-40ms.

One important thing to note, this VPN tunnel would be used heavily. Remote desktop connections will mostly go through it.

The US VPN would be IPSec, as I remember correctly, and their side is Cisco.

Would this be an acceptable solution? Or should we just invest in proper gear at one of the offices?

I’m really looking for some reality checks here, so I appreciate all feedback.

Thanks,



MLDC or MLDC Over IP protocol specifications or PCAP files

Hi,

Does anyone know where I could find the specifications for the Motorola MLDC/MLDC over IP or some PCAP files?

Thanks!



Wednesday, December 4, 2019

I've been given a silly task. I'm pretty green and I feel like this may be above me. (Overlapping networks and Fortigate VDOMs and I'm stressed the fuck out)

There are two remote networks. They are physically in one location, but for regulation dodging reasons, they are separated physically. Both networks are on an overlapping /16 network. One is connected to a Cradlepoint cell modem (no firewall). The other is connected as such: Cradlepoint > Fortigate > /16.

I've been told to connect the two networks to the same Fortigate firewall they already have, but prevent the two overlapping networks from communicating...

The only way I can see this working is if I split the Fortigate into two VDOMs. If I give each VDOM one of the Cradlepoint modems, I should be able to keep those two networks entirely separate.

Please don't bash on me for this situation. I had nothing to do with this and my company has been brought in to clean things up.

Our CEO doesn't say no and I'm in my first professional level position in my career. We're an MSP and that should probably tell you a lot.

Edit: went on a rant and forgot to ask... Does this sound like a good solution to you guys? Am I missing something? Is there something better I can do? My biggest concern is killing my connection to the management plane. My only access to the firewall is through a port forward on one of the Cradlepoints.

Thank you.



Enterprise Network Speed Test

I use iperf for testing within our network but it's not user friendly for users at remote sites and on corporate VPN. Is there a product that is graphical, and can be used internally like the Ookla speed test? Thanks for any help.

Jeff



Why would an encryption domain have to be a public IP?

I have never stood up a site-to-site VPN before, and my org does not have any yet. Vendor sends a VPN form. I understand everything on it except encryption domain. Their side is supplying two public IPs; my side only said it needed to be registered host/subnet.

My recollection from a previous life was that an encryption domain was the subnets the VPN needed to access. If I use PAT, this will pose a problem if there is inbound traffic, won't it? And I don't think I'm supposed to be assigning our public IPs to this...

I know this is supposed to be simple; google searches have examples without context so that wasn't helpful. Hoping someone can tell me what a best practice setup looks like...



Eliminate IDF against cable guys wishes.

We are remodelling a 3 story office with 2 IDFs per floor.

By my math and my wheel measurer, I calculated it right at 300 ft to the furthest office jack. That left 28ft extra (CAT6).

I had them run mile tape and it is in fact looking to be right at 300ft, but they keep pushing back.

I think they really don't want to because 1) to make sure I don't have issues 2) it's harder to run cables that long 3) more expensive for them if they quoted it per run.

My logic for consolidating to one closet per floor:
  - single UPS
  - I won't have to run generator power to one closet that was added late
  - won't have to run fiber to one closet that was added late
  - possibly fewer switches. I think per floor I can do 5 switches instead of 3 and 3

It's a big gamble that I'm willing to take, but I don't have any experience with PoE gig phones at the upper limits of CAT6 (328ft).

So curious. If it's under 328 ft, am I golden, or even if it's under the spec can I have issues...

Thanks in advance!



Cradle Point competitors

The support costs have gone up too much. I need alternatives. What do you use to manage a fleet of mobile 4g offices?



Anyone using UAP AC Pro or UniFi HD AP's in a Plant/WH Environment?

I've never really tried/used omnidirectional integrated antenna APs for mass deployments in WH envs or Plants... I have a new plant (300x300') - Ceiling mounted, 30' - 40' high ceilings... I also see people using the AC AP Mesh w/ External Directional Antennas... Really wanting to use UniFi for this deployment, just haven't used UniFi in a plant/wh area yet... Anyone with experience deploying would be appreciated!



Is this a potential way to block DNS over HTTPS, or just a dumb idea?

I'm by no means any sort of expert on DNS or DoH, so this could be all nonsense I'm writing.

That said, rather than playing whack-a-mole with blocking individual DoH providers, would something like the following theoretically work?

I'm assuming that a DoH lookup request is very small size-wise.

Let's assume your router has a plugin/function called "XYZ" which checks any small packets going to an IP that's not in a previously cached list of "checked IPs".

Now, can the router "hold" that initial DoH request packet, while XYZ transmits its own DoH request to the destination IP - then, if a reply is received, that IP gets put on a blacklist, and the original packet is trashed? And, if no DoH reply is received, the IP is put on the previously mentioned cached list of "checked IPs", so no further checking is required for traffic going there (or at least for a time).

Would something like this work? Is this completely dumb? I'm assuming that this wouldn't break actual Cloudflare etc sites, as those don't share the DoH IP?
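The "XYZ" logic in the post (probe an unseen destination with a DoH request, blacklist it if it answers, otherwise cache it as checked) can be written down concretely. The following is an added example in Python, not code from the post or from any router vendor: it builds an RFC 8484 GET-form DoH probe, decides whether an HTTPS reply is really a DNS answer, and keeps the block list and checked-IP cache. The HTTP transport is injected as a callable, the /dns-query path and the example.com probe name are assumptions, and the sample reply is constructed.

```python
import base64
import struct
import time

DOH_CONTENT_TYPE = "application/dns-message"


def build_query(name, qtype=1, txid=0):
    """Minimal RFC 1035 wire-format query (A record by default).
    RFC 8484 recommends ID 0 for DoH so identical queries are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)        # class IN


def doh_get_url(ip, query, path="/dns-query"):
    """RFC 8484 GET form: the DNS message travels in ?dns= as unpadded base64url.
    The path is an assumption; a resolver may serve DoH on any path."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{ip}{path}?dns={param}"


def looks_like_doh_reply(status, content_type, body, txid=0):
    """True only for a DNS *response* to our query: HTTP 200, the DoH media type,
    and a DNS header with the QR bit set, one question, and a matching ID."""
    if status != 200 or content_type.split(";")[0].strip().lower() != DOH_CONTENT_TYPE:
        return False
    if len(body) < 12:
        return False
    rid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", body[:12])
    return rid == txid and (flags & 0x8000) != 0 and qdcount == 1


def constructed_doh_reply(query):
    """Constructed resolver reply for testing: echo the question section and
    append one A record pointing at 192.0.2.1 (TEST-NET-1)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


class DohChecker:
    """The router-side 'XYZ' from the post: probe a destination once, block it if
    it answers DoH, otherwise remember it as checked for `ttl` seconds.

    Caveats a real transport has to deal with (assumptions, not tested here):
    certificates are issued for hostnames, so TLS to a bare IP will not validate
    and must be treated as a reachability probe only; resolvers that share an
    address with ordinary web hosting (the Cloudflare concern in the post) will
    be blocked wholesale; and DoH on a non-default path will be missed."""

    def __init__(self, transport, ttl=3600, clock=time.monotonic):
        self.transport = transport   # callable(url, headers) -> (status, content_type, body)
        self.ttl = ttl
        self.clock = clock
        self.blocked = set()
        self.checked = {}            # ip -> expiry time on `clock`

    def decide(self, ip):
        if ip in self.blocked:
            return "block"
        if self.checked.get(ip, 0) > self.clock():
            return "allow"
        query = build_query("example.com")
        try:
            status, ctype, body = self.transport(
                doh_get_url(ip, query), {"Accept": DOH_CONTENT_TYPE})
        except OSError:              # no HTTPS listener, TLS failure, timeout
            status, ctype, body = 0, "", b""
        if looks_like_doh_reply(status, ctype, body):
            self.blocked.add(ip)
            return "block"
        self.checked[ip] = self.clock() + self.ttl
        return "allow"
```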



Benefits of a port being tagged for one VLAN and untagged for another?

We have Dell switches that are used per equipment rack. It connects back to a central switch, and ultimately to the router.

I have a Dell PowerEdge server I was looking at configs on today. The port that connects from the rack switch to the server is tagged for VLAN 73 (development) and untagged for VLAN 109 (production). The PVID is set to 109.

Correct me if I'm wrong but the port is effectively on VLAN 73, as in traffic exiting the server is on VLAN 73? And to my understanding the PVID indicates that untagged traffic that arrives on this port is tagged with VLAN 109?

I'm trying to determine what purpose is served by having VLAN 109 untagged?
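To make the ingress and egress rules of such a port concrete, here is an added example (not code from the post or from Dell): a Python model of 802.1Q tagging on a port that is a tagged member of VLAN 73 and an untagged member of VLAN 109 with PVID 109. It builds constructed frames, classifies what arrives from the server, and shows how each VLAN leaves toward the server. It assumes ingress filtering is enabled and that a frame tagged with the untagged VLAN's own ID is still accepted, which is the common behaviour but should be checked on the switch in question.

```python
import struct

TPID_8021Q = 0x8100


def insert_tag(bare_frame, vid, pcp=0):
    """Insert an 802.1Q tag after the destination and source MACs."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return bare_frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + bare_frame[12:]


def parse_tag(frame):
    """Return (vid, untagged_frame); vid is None when the frame carries no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


def build_frame(dst_mac, src_mac, ethertype, payload, vid=None):
    """Constructed Ethernet II frame (no FCS), tagged with `vid` when given."""
    bare = dst_mac + src_mac + struct.pack("!H", ethertype) + payload
    return bare if vid is None else insert_tag(bare, vid)


class SwitchPort:
    """A port in the poster's configuration: tagged member of some VLANs,
    untagged member of exactly one, with the PVID naming the VLAN that
    untagged ingress traffic is placed in."""

    def __init__(self, tagged, untagged, pvid):
        self.tagged = set(tagged)
        self.untagged = untagged
        self.pvid = pvid

    def receive(self, frame):
        """Ingress from the server: returns (vid, bare_frame), or None if dropped.
        Assumes ingress filtering: tags for non-member VLANs are discarded."""
        vid, bare = parse_tag(frame)
        if vid is None or vid == 0:          # untagged or priority-tagged (VID 0)
            return self.pvid, bare
        if vid in self.tagged or vid == self.untagged:
            return vid, bare
        return None

    def transmit(self, vid, bare_frame):
        """Egress toward the server: tag for tagged members, send bare for the
        untagged member, forward nothing for VLANs the port is not in."""
        if vid in self.tagged:
            return insert_tag(bare_frame, vid)
        if vid == self.untagged:
            return bare_frame
        return None


if __name__ == "__main__":
    port = SwitchPort(tagged={73}, untagged=109, pvid=109)
    server = bytes.fromhex("02aabbccddee")     # constructed locally-administered MACs
    gateway = bytes.fromhex("021122334455")
    payload = b"\x45" + b"\x00" * 19
    print(port.receive(build_frame(gateway, server, 0x0800, payload)))          # -> VLAN 109
    print(port.receive(build_frame(gateway, server, 0x0800, payload, vid=73)))  # -> VLAN 73
```

So an untagged frame from the server lands in 109 (production) and the server must tag 73 itself to reach development; nothing about the port puts untagged traffic into 73.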



Fellow networkers, what's the worst 'I'm right' situation you've had that turned out you were actually very wrong?

Today: a VPN to a 3rd party, used for one-way access local client to host (across VPN), currently only allowing proxy servers in the remote encryption domain. We decided to bypass the proxy, but instead of updating remote encryption domains to replace the proxy IP, it seemed more feasible to add a NAT rule where the proxy IP would be the NAT IP, thus saving us aligning 3rd parties for changes etc.

Anyway I sent a confident email out saying that the NAT IP (also proxy IP) would conflict with return traffic as that proxy is still in use.

I quickly realised that I made myself look a fool.

Please feel free to send me hate messages.



Graphviz or similar for creating physical network diagrams?

We're currently in the process of documenting our existing mess of legacy network cabling in order to rip it all out over Christmas. The documentation is coming along well in the form of tables, but even a subset was impossible to visualize on a whiteboard - and we will continue to add various bigger and smaller boxes that cables plug into over the next few weeks.

That task would be made far easier if we could just write a definition of our network in the style of "port 7 on device A plugs into port 38 of device B" and have the layout figured out automatically. Graphviz looks like it'd be something that could do this, but my first attempts don't make me hopeful - a test diagram comes out looking like this:

https://i.imgur.com/DJdUmPl.png

The edges are crossing through the switches even with only four devices and four wires. And dot-file / graph examples and discussion on StackExchange make it look like we'd run into far greater issues if more are added. It also seems like neato and fdp are even less suited engines.

Has someone here used Graphviz in this capacity, or does some specialized tool that's able to generate a diagram based on this kind of input exist? If using Graphviz, I'd write some sort of wrapper script to generate the dot-file due to how much repetitive text there is, so manually tuning things wouldn't be an option.

I'm primarily trying to understand if I'm even looking at the right tool, hence no specifics.



Weird issue with meraki and SMB file transfer.

I have a site with a Meraki MX100, a few MS120 switches, and some MR33 access points. In Azure I have a vMX100 with a Meraki AutoVPN tunnel to the site.

When downloading files from an SMB share on a server in Azure, wireless clients typically get ~100 Mbit/s but wired clients only get ~20 Mbit/s. There is a single VLAN for all the wired clients, and the wireless SSID is bridged to the same VLAN. The clients are typical Win10 HP laptops. They don't have any problems with other speed tests, for example to the Internet (the internet access is 200 Mbit/s). It's only SMB traffic over the Azure tunnel that seems affected. The issue seems consistent across multiple clients, using different switches and access points.

I know SMB over VPN is not ideal, but the strange issue here is that wireless clients are getting way better performance than wired clients in the same LAN. Anyone have any idea what could cause this?



Tufin, Algosec, Firemon, or Skybox???

Which should my org go with??

The reviews for these tools are about as far from helpful as they could be. I trust y'all, and would love to hear from anyone with experience in any of these.

Who is best? Any to avoid?



Trustwave To Meraki

I need to clone, as closely as possible, a Trustwave config over to this Meraki we are replacing it with. There are some pretty big address groups and stuff in place that I can't find a way to mimic on the Meraki. What is the best way to make this firewall transition not a nightmare?



Need help changing the Management VLAN and Management IP on SG300-10P

tl;dr Always lose connectivity to switch after trying to change management VLAN from 1 to 100.

FWIW, I can change the IP address if I leave the Management VLAN set to the default VLAN 1.

I'm using a Cisco SG300-10P switch.

Port 10 on my switch is connected to a corporate switch's trunk port which tags traffic with the Corporate LAN VID 100. I want to set up my switch's port 10 as a trunk port as well, tagging traffic with VID 100. I'd like to use one of the corporate LAN IP addresses as a management IP address for my switch, so shouldn't the IP address belong to VLAN interface 100 and not the default VLAN 1?

I want to change the management VLAN to 100 since the IP address is acquired from the corporate LAN IP address space, which the switch communicates with via port 10 (a port which tags egress traffic). I want to do this via an SSH connection because I can't get my serial cabling combination to work.

Every time I try to set the management IP address on interface VLAN 100, I lose connectivity to the switch and have to reset the switch to factory defaults. The following is how I've been going about this. Could someone explain what I'm doing wrong? I've tried this several times and I always lose connectivity.

  1. Go to 192.168.1.254 in browser
  2. Change password and enable SSH service
  3. SSH to the switch’s default IP
  4. Create new vlan 100
  5. Put all GE interfaces into trunk mode and add vlan 100 to them
  6. Change the mode on Port-Channel range 1-8 to trunk
  7. Add vlan 100 to Port-Channel range 1-8
  8. Show the vlan table again
  9. Turn off dhcp on vlan 100
  10. Assign an ip address to vlan 100 interface
    1. Can’t connect to the switch with new IP address
    2. Ping new IP address says host is down
    3. IP address doesn't show up in nmap scan of corporate LAN
    4. Device doesn't show up in nmap scan of corporate LAN

I'm very new to networking and configuring networking devices, so please excuse my errors in terminology, configuration, and concepts. I'm glad to provide clarifying information. Thank you!



Need help with forwarding secondary domain radius requests

Can someone please help me with this.... We have a remote site that has its own AD domain. There is a trust setup between their domain and our domain.

I am trying to setup a Radius server for WiFi authentication, and while I can easily get it to work for their domain the second I try and use my laptop from my local domain I get the following error: "The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed."

I tried creating a remote server group pointing to a radius server on our domain, but I cannot figure out how to filter connection requests to actually use it! (Without just sending every request to it)

Help!



L2 switching headaches

I'm having a bit of an issue at the moment and can't figure out why it's happening - as someone who recently passed CCNP Switch, this is causing quite a bit of frustration at myself!!

We have a number of switches that are solely on L2 duties, the only L3 instance is for remote access to the device. There are no static routes or default gateways configured.

We're introducing a physically separate management network (currently we NAT the NOC machines to a pseudo management network that these switches sit in to manage them).

I can freely add the management VLAN to a statically configured access port and SVI, but as soon as I connect the switch into the management switch all hosts connected to the device lose their connectivity, permanently. It's not Spanning Tree (rapid-pvst+) recalculating, as far as I can tell.

There are circa 150 VLANs existing on the switch; these are trunked up to a number of ESXi hosts (no pruning on any of the trunks).

For reference there are 4 switches and they are all Dell 2048 devices, they're trunked between each other via their 10G SFP interfaces, but there is no loop so logically they sit in a line.

I've labbed this up in GNS3 albeit with cisco devices as I can't find copies of the Dell software to use in GNS3, and it all works perfectly. I have hosts sending continuous pings across all the switches, and I can add a new SVI and an access port, with no loss in service.

Any help is much appreciated, I feel I'm missing something obvious, but can't figure out what it might be.

I can post some sanitised config if required, but it's pretty basic, bunch of vlans, 1 SVI for the old management and a potential



MX480

Dear Networking community,

I do have a question concerning MX480 routers. We have these chassis in DC and I'm wondering if it would be possible to swap them to AC? We did that already with ASR9006 and ASR9010; we changed the PEMs and Powers and it's working perfectly. Does anyone have some input?

Spent a good amount of time on Mr. Google but didn't get any smarter from it.

Thanks in advance!



Meraki API Action Batches

Hi everyone!

I saw a video on Meraki's YouTube channel about creating action batches using Postman. I tried following their guide but keep getting an error when putting more than one "operation" in the code. It can run one at a time but cannot do multiple. For example, this one works fine:

  {
    "confirmed": true,
    "synchronous": false,
    "actions": [
      {
        "resource": "/networks/L_ABCDEFGHIJKLM/devices/",
        "operation": "claim",
        "body": { "serial": "ABCD-EFGH-IJKL" }
      }
    ]
  }

but this one below does not:

  {
    "confirmed": true,
    "synchronous": false,
    "actions": [
      {
        "resource": "/networks/L_ABCDEFGHIJKLM/devices/",
        "operation": "claim",
        "body": { "serial": "ABCD-EFGH-IJKL" }
      },
      {
        "resource": "/networks/L_ABCDEFGHIJKLM/devices/",
        "operation": "claim",
        "body": { "serial": "ABCD-EFGH-IJK2" }
      }
    ]
  }

Any ideas why? Also I should mention I'm a beginner. Thanks for any help in advance!



Free windows ping monitor tool?

Hey folks,

Does anyone have any suggestions for a good ping monitor tool?

My requirements are:

Must run on windows (server 2016)

Needs to be able to monitor 100 hosts

Needs to be able to send email alerts when a host stops responding

Must be free

Can't be a free trial, I need to run it for a few months

I've done some googling but can't quite find anything that satisfies all of the above.

Thanks in advance!



Nuage SDWAN

Is anybody using, or has anybody run a POC with, Nuage SDWAN? How did it work out?



Tuesday, December 3, 2019

Purchasing advice for SMB

I'll try to make this as brief as possible without leaving anything out. Looking to purchase some new equipment because we added a significant number of additional network jacks. Company has less than 100 employees, I'm the only IT person. Current setup...

Zyxel Zywall110 connected to AT&T 100 mbit fiber

Qty 2 Zyxel GS1910-48HP

Qty 1 Ubiquiti US-48-500w

Qty 4 Ubiquiti UAP-Pro

Qty 1 Ubiquiti UAP-AC-Pro

Qty 35 Yealink T46g Voip Phones on 3CX

Overall things work really well; all of the equipment has been installed for 4+ years, minus the Ubiquiti switch which was a previous expansion. There are things I would love to have but don't currently. For example, even though the Zyxels support VLANs, we aren't using them because those switches are a pain to configure in my opinion, and 5 years ago when they were installed we were running Cisco phones and couldn't get VLANs to work with the phones even with Zyxel support. I would also love to have 10 gig between the two buildings using our existing fiber, as my Hyper-V box has 10 gig in it as well.

I was pretty set on purchasing all new switches using the Ubiquiti Gen 2 switches that were just out of early access. That way I could gain inter-vlan routing along with the new VLANs with the understanding L3 wasn't available yet (And from what I read, maybe UBNT just removes that part later). After reading this subreddit and some other places I've been spooked on the whole idea.

My main problem is that the owner of the company loves to save every single penny we can on any kind of purchase. He loves that our current equipment cost so little even though there are key things that hold us back (like the Zywall110 being underpowered for the size of our network now).

Do you think with the size of the company that going Ubiquiti would really be that bad of an idea? Am I setting us up for failure later? After using the controller for a couple of years I've really grown to like it for seeing the devices on the 1 UBNT switch we do have and the configuration of the APs, I had hoped to have all my switching in 1 pane and when the UDM-Pro comes out of early access to upgrade the Zywall110 to that.

Any advice is really appreciated. I think I can swing a bit more in cost if it meant much better equipment, but having 1 pane would be awesome as well. Are there any other vendors that come close in pricing?

Edit - I realized I didn't give a total port count. I'm looking to replace all equipment and would need 1 48 port for the main accounting building where the MPOE is, 2 48 ports for the opposite building that's connected via SFP fiber right now (I don't know which type of fiber it is atm, trying to get that figured out), 1 24 or 48 port for the expansion building, and I would also upgrade the base APs to Pros (or all of them to HDs).



Valve CDN Peak Usage

https://imgur.com/a/o7iPHKG

Halo Reach (MCC) downloads began at 12 PM CST. Was wondering how 17.6 Terabits per second of peak usage stacked up to what some of you have seen in your own networks.



Can someone *please* explain PowerConnect 2724 VLANs to me?

Trying to teach myself VLANs... apparently, not a good idea.

For reference: Simplified network diagram

What I'm trying to figure out... well, literally everything. I understand the concepts and theory, but apparently implementation is impossible. In port membership, does "not a member" mean for all purposes or just egress purposes? Does "untagged" mean "switch strips tags" or "switch does not add tags", and "tagged" means it adds a VLAN tag?
In port settings, what does setting a PVID do?

So in short... literally everything. While the help section says "tagged means all packets forwarded from this port are tagged", that's still ambiguous and does not give a clear definition of what is going on... and I can't test anything since it all breaks no matter what combinations I try. Nothing has practical examples, so it's impossible for me to even begin to have an idea of what needs to be set first.



Questions about DWDM/CWDM

Hi all

We have a dark-fibre link that connects our two DCs. The distance between them is around 38km.

Do we have any options to consider multiplexing? It would be ideal for us to have various 10Gbps (or even 25Gbps courtesy of the Nexus 93180 core) channels across the dark-fibre. I came across this, which is what piqued my interest: https://www.fs.com/au/products/72433.html

Currently we're only looking at a single 25Gbps link over it, however with multiplexing we'd likely use one wavelength for OOB-MGMT, one for backup/vMotion/HA, one for untrusted (pre-firewall INET/DMZ traffic) and others for internal networks as required. I really like the idea of the physical separation.

I've had a lot of experience in the DC and with equipment, just don't know a lot about layer-1 in this capacity.

TIA



Cisco ASA AD Agent Deployment

We have some Cisco ASAs that we need to configure with identity based access rules.

I am trying to find some guides online that list the permissions required in AD to allow the agent to run the required WMI queries.

Anyone got any good links they could share?



Some Internet weirdness going on

Observation: Seeing numerous websites taking longer than normal to load on Comcast residential coax, business coax, and enterprise fiber circuits, also AT&T residential and enterprise fiber.

Data:

This thread

DownDetector graphs trending upwards...

Bunch of traffic from my sites seems to be getting null routed....



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



7Signal Competitors

I’ve been looking over 7Signal and their Sapphire Eye, which provides synthetic testing of surrounding wireless APs. Do they have any competition beyond vendor offerings like DNA Assurance or Aruba Clarity?



Rogers Ignite Aris XB6 Bridge Mode Issue With Cisco FPR1010

Team,

I'm running an FPR1010 connected to an Arris XB6 which is in bridge mode. Out of the box the config on the box is set to take the WAN into the first port and do a DHCP setroute and an object NAT of any, outside. I see the FPR1010 get a public IP address and traffic passes for the first few minutes, and then we stop receiving any traffic from the Arris XB6. I've changed the default AC policy to Allow All to make sure it's not blocking anything at that level... I've changed the config from "no arp permit-nonconnected" to permit non-connected and still no difference, so changed that back. I'm wondering if this rings any bells with anyone as to what would cause the ISP to stop replying to any traffic requests after a minute or so. I've run an Eero router in router mode behind this Arris XB6 modem before and it gets a public IP and works just fine... So the issue must be with something on the FPR-1010. Any suggestions would be appreciated. Thanks!



only TCP or UDP?

Hi!

I'm trying to understand which protocols are used in online games and I have been collecting some packets in Wireshark while playing Fortnite. A question that came up, however, was why in some rounds I got almost only UDP packets and sometimes only TCP. Does this have to do with cross platform, or does it depend on which server is used?

Thanks in advance



Refreshing IP Addresses on DHCP Server

I am trying to install a new VPN software and I am pulling the addresses through DHCP and I am looking at the statistics on my server and I have about half left.

I know you can do a /release on the client's computer to stop the lease of the IP address, but my question is, can I get on my DHCP server and have it free up addresses on devices that are not currently connected to the network?



Independent Testing of Networking Products

I am wondering, as the title suggests, if any of you have come across companies (i.e. Miercom) who have done independent R&D testing of competitors' networking products. In other words, if I am looking for a network product (i.e. switch, router, firewall, etc.) I want to cut through the sales bull and actually see an independent testing report showing how it was tested, the methodology of testing, products used in the test environment, etc. Nothing overtly detailed, but also something I could give a higher-up and show, "hey, here's evidence not from the vendor of why product X is better than product Y".



Running Firewall via Virtualisation, is it a big no-no?

Hello all,

Recently had my internet upgraded to full Fibre and the router the ISP (BT in the UK) provide is pretty terrible, even changing the DNS server isn't allowed and afaik there's no custom firmware to open up such options.

I used to tinker with various firewalls some years ago but always ran something low-power like a Raspberry Pi or Odroid C1 to handle the PPPoE connection and routing. With the connection now being significantly faster I need to use something a bit more powerful, especially if I wish to provide network-wide VPN.

I currently have an old PC lying around which runs FreeNAS and serves about 3 TB of data to the LAN. I was considering using something like Proxmox to virtualise FreeNAS and a firewall, something like OPNsense.

Are there any glaring issues that I need to be aware of before doing this? Or reasons that you REALLY shouldn't?



SSH service on Cisco device - need to restart after config changes?

I have a Cisco device and am trying to make changes in a pseudo-prod environment. Working on temporarily removing the session limit for SSH to the device. Have a VTY line configured for SSH:

line vty 2 4
 session-limit 2
 logging synchronous
 transport input ssh
 transport output ssh

When I remove the session limit line (no session-limit 2), it doesn't seem to allow any more sessions. Do I need to save the running config and reboot the device? I know that typically changes to SSH config usually require a restart of the service but wasn't sure if this qualified as such.

What I am trying to accomplish: I am working on scanning this device via Nessus and running into an issue where the scanner is able to authenticate via ssh but with intermittent failures. I believe the issue to be related to session limit. The reason I believe this is because I have another Cisco device that I'm able to scan without issue whose VTY lines are configured the same but without the session-limit line.

Cisco device I am able to scan without issue:

line vty 0 1
 logging synchronous
 transport input ssh
 transport output ssh

Edit: I have edited my question to include what I am trying to accomplish and more information on what I have had success with.



Cannot access one website

I cannot access https://www.cnrst.ma/ on any device from within the network that I maintain. At first, I thought that our firewall was blocking traffic, but I still get the same problem if I connect to our switch on the WAN side of the firewall.

I can access the site if I connect to a VPN; it also works if I connect to our firewall's VPN, which is hosted within said network.

Any advice greatly appreciated.



Moving from Aruba to Cisco, thoughts pls

Hi,

Long story short, I’m an engineer/consultant who focuses on Aruba products, and I love working with those!

The thing is that Aruba partners are a bit rare in my country and not quite near home either.

I have a job offer from a company which has a (probably) better work-life balance, the pay is slightly better/equal. The “downside” is, they exclusively work with Cisco products.

For switches I probably won’t care, but I like Aruba WLAN+Clearpass+Airwave a lot...

Pros and cons... hoping you guys can inspire me to make the right decision.



What are peers ?

When talking about an AS, what does "peers" mean exactly? Does that mean the traffic will flow through them if an AS is peered with another?

I'm talking about this (you can see it in the graph section also): https://bgpview.io/asn/62371#peers-v4

If one AS only has one peer with another AS, does that mean that all their traffic will pass through this AS?



Monday, December 2, 2019

How to tunnel between 2 identical subnets (i.e., both 10.0.0.0/24) ?

I have 2 identical subnets 10.0.0.0/24 at different sites. Both sites have internet access. LAN IP addresses are guaranteed to be unique, like this:
Site A:
10.0.0.1, 10.0.0.3, 10.0.0.5, ...

Site B:
10.0.0.2, 10.0.0.4, 10.0.0.6, ...

I want to slowly migrate all hosts from site A to site B without having to reconfigure them or use different subnets. I do not mind maintaining 2 routers with lists of static IPs which I update as they move, if necessary. All machines must communicate as if they are on the same subnet regardless of site.

For example I have Windows and Linux workstations at both sites. The Windows Domain Controller is at Site A but will eventually move to site B. PCs at both sites must be able to use the DC before and after it moves.

Thanks!



Introducing latency/jitter between 2 physical networks for testing

I’m the AV director for a large organization and we will be expanding to another in-town location soon. We will purchase a 1gbps point-to-point link between our campuses from our ISP to stream live, multi-channel audio via Dante and video via MPEG-2 network encoders. I need to do all of my homework now as we’ll be moving fast when the time comes to install.

With that, I need to simulate our point to point network for testing by intentionally adding 10ms of latency and 2ms of jitter between 2 physical local networks to see how it affects everything or if it introduces something unexpected.

I have access to a Cisco 4948 and an Extreme Summit x440-48p, as well as a computer with dual NICs that can run whatever OS is necessary. My guess is the solution is to use the tc command that ships with iproute on a bridged NIC passthrough, but that’s where things start to get a little blurry in my mind.

Does anyone have experience with this? Thanks in advance!



Dell N3048 auto assign voip vlan based upon mac oui

Question is regarding a Dell N3048 OS6 switch. I know that it is possible to auto-assign phones to the voice VLAN using LLDP-MED and the OUI table. But this particular customer wants to automatically assign specific phone vendors to their own separate voice VLAN based upon MAC OUI. So phone vendor #1 will get put in voice VLAN 11 and phone vendor #2 gets put in a different voice VLAN 12. Is this possible to do with LLDP-MED?

Only way I can think of to achieve the same result might be 802.1X authentication with dynamic VLAN assignment. I don't know Dell switches well enough to know if OS6 switches support 802.1X authentication or if they support multiple voice VLANs.

TIA



Watchguard firebox 21

I need to set up each interface on the box to serve as a separate LAN. I set each interface to hand out DHCP addresses at 11.x.x.x, 12.x.x.x and so on, but only the first interface with the normal IPs will get internet access, even when I tell the other interfaces to use the first as a gateway. I'm not sure what I'm doing wrong.



AT&T Fiber modem extended by way of vlan trunk?

I saw this post:

https://community.ui.com/questions/Simple-networking-Q-extending-homerun/d0910497-c763-440c-bdd2-37a93c4aec98#answer/bd017ef8-df52-4cd7-b6fe-0e9c9838525b

and have a similar problem, although not from ONT to modem, but from MODEM to Router.

I have a switch that I have mounted in my garage that connects everything in the house, including my AT&T fiber modem (ARRIS BGW210-700). I then have another switch as a TOR switch in my rack that sits about 15 feet away, along with my Palo Alto Networks firewall. Currently I run a 15 ft ethernet + 15 ft DAC from the house switch to the TOR switch (and the ethernet cable goes to the WAN port of the firewall). I'd like to combine these if possible so that there is only the DAC cable going between switches.

I've already configured the two switches (Mikrotik) to Trunk between them, and then assigned a vlan (2000) to one port on either end. I figured that I could use this to bridge the AT&T modem across the trunk to the WAN port on the firewall, but when I do this, I get no internet.

On both switches, I configured the Access ports as follows:

vlan mode: strict
vlan receive: any
default vlan id: 2000
force vlan id: yes

A diagram of what I'm trying to do: https://imgur.com/rka5cBX

Is this even possible? I was thinking maybe I change vlan mode to enabled instead of strict, but I don't know if that will change anything, and for all I know this may not even be possible. Has anyone tried anything similar?



Mesh VPN Networking WireGuard multiple Tunnels or another way

I need the ability to create multiple tunnels/interfaces. If I try to start another tunnel, the current tunnel disconnects. The reason I need separate tunnels is that the devices I use on my gateways have fixed port numbers. I can't do port forwarding since the programming software of the devices doesn't support changing ports (it's fixed at 102), so my plan is to use NETMAP on the gateways to do 1:1 NAT and map the entire network. I would use Linux, but my software won't run on Linux. If I were to have separate tunnels I could just map the whole /24 network and gain full access to any device on the gateway's local network. Here is a diagram showing what I need to achieve. If anyone has any other idea that would be great.

https://imgur.com/1ODLWeu



IPv6 Static Design Sanity Check

https://ift.tt/2Li2V5w



Network visualization tools

Do you use a visualization tool for ops? What's your favorite?

I implemented Scrutinizer years ago, and I absolutely love the mapping features... It's so nice to just update the connections on the map that we care about once in a while, and have them on a big screen we can all see. Slightly delayed but mostly live. We don't really use the other features of Scrutinizer too much; we have visibility in other ways.

Is there an alternative that you like?



Does anyone know a ton about the EtherCAT protocol? Have some questions

See title - I'm looking for some information on the EtherCAT protocol, specifically how it's encapsulated at layer 2/layer 3.

From what I gather this is a proprietary protocol from Beckhoff, and IEC wants $410 for the design specs.

Anyone know a ton about industrial/PLC automation and can provide some insight for me?



Best way to test LAN for weak points?

Anyone know the most effective way to test our business LAN and identify if the switches, cabling or anything else are the weak points of the network?



Which data in a Wireshark packet can i use to analyze a public wireless network?

(This is a homework question, I'm sorry if this is annoying, I read through the sub rules and all. I HOPE this is the right sub for this too, wasn't sure if this is something that would go on the techsupport one or not).

So for a project I have to capture data from my uni's 2 wifi networks (public one VS one you have to log in to), and just generally 'compare them'. Now I've watched probably 3 dozen 'Wireshark for dummies' videos in the past week and read through our whole textbook as well as sought out general online resources, but with a knowledge base of 0 and no in-class preparation, I'm not entirely sure what data/custom columns I can use to come to any conclusions about the network other than what IP gets assigned and what ports it all goes through. The only other project detail specified I should capture that from a VM to simulate the first ever connection of a machine to the network, which I did.

I'm not asking anyone to chew it out for me, I would be happy even with a small pointer of what filters/data I should look at.



Network Sim tool with customizable link attributes for convergence and bandwidth analysis

I've utilized CML, and scaling and performance have caused issues even with the appropriate license and hardware. GNS3 was the same: it does not scale well and performance degrades, so I was wondering about a network modeling tool that I could use on a large scale. Any suggestions?



No TCP-SYN packet through Checkpoint - only for Windows machines?! pcap link inside!

I have a particularly weird problem.

Clients - [SNAT-CPE(111.111.220.38)] -- Internet -- [CHECKPOINT] - Webserver(111.111.217.51)

PCAP files (anonymized), captured on checkpoint external interface: https://drive.google.com/open?id=1xSif_0HrgA1kTcK8-ND-y05byMlMLAy4

  • All client machines are NAT'ed to the same public IP before hitting checkpoint
  • Clients try to access a webserver behind checkpoint.
  • Only macos/linux machines can access webserver
  • All machines can icmp ping webserver.

  • Windows machines fail 3-way TCP handshake
  • TCP SYN packet is never seen on server nor on internal Checkpoint interface.
  • Windows TCP SYN packet is silently dropped in Checkpoint??

  • All traffic can be seen on checkpoint external interface.

  • No "L7" inspection.
  • Nothing in logs.

I have made a rule at the top of checkpoint firewall policy to match my client nat'ed address and webserver address, just accept and log, but still nothing from Windows client. Linux/MacOS works as expected.



Route specific traffic to Security Stack

Hello fellow redditors, I have a situation where I need your opinion.

for example:

Total customers = 100

Subscribed customers = 50

I am looking to route traffic for the subscribed customers through a security stack to inspect all outgoing/incoming traffic, only for those.

Any idea how to best do that without being inline? I am looking to get away from GRE option but also our network team is not willing to use VRF as an option as well.

Does IPsec or some other form of routing work that would get me the results I want?

Normal Traffic ------ Internet-->Peering Edge --> CRAN --> Customer Edge Gateway--> Customer (back the same path to the internet)

Subscribed Traffic ------- Internet --> Peering Edge --> CRAN --> (Security Stack of UTM, IDS etc.) --> Customer Edge Gateway --> Customer (back the same path to the internet)



redundant internet and services

Network Gurus, what do I need so that when our primary ISP goes out, the secondary ISP will take over without any interruption in service? This means internet needs to be working, site-to-site VPN needs to work, VPN client needs to work, and inbound/outbound rules will also need to work. Basically, everything should be seamless besides a minor disconnect. How much would something like this cost, and if hardware is required, would we need one in each location? Currently, we're using a SonicWALL with a simple failover configuration. Not sure if the SonicWALL can do all of this. Thanks



What signal level (dBm) is required for 1000LX?

I have a fiber data circuit delivered by Cogent and my 1000LX SFP won't light up. I'm using the orange SM patch cable they provided. Also tried my own patch cable. This is how it looks (I'm receiving -40 dBm). Using FS SFP-1G-LX-31 transceiver.

DMZ03#show interface Gi0/11 transceiver
ITU Channel not available (Wavelength not available),
Transceiver is internally calibrated.
If device is externally calibrated, only calibrated values are printed.
++ : high alarm, + : high warning, - : low warning, -- : low alarm.
NA or N/A: not applicable, Tx: transmit, Rx: receive.
mA: milliamperes, dBm: decibels (milliwatts).

                                     Optical   Optical
           Temperature  Voltage      Tx Power  Rx Power
Port       (Celsius)    (Volts)      (dBm)     (dBm)
---------  -----------  -------      --------  --------
Gi0/11     50.3         3.18         -6.9      -40.0

For fun, I swapped the polarity and got this (receiving -29.6 dBm):

DMZ03#show interface Gi0/11 transceiver
ITU Channel not available (Wavelength not available),
Transceiver is internally calibrated.
If device is externally calibrated, only calibrated values are printed.
++ : high alarm, + : high warning, - : low warning, -- : low alarm.
NA or N/A: not applicable, Tx: transmit, Rx: receive.
mA: milliamperes, dBm: decibels (milliwatts).

                                     Optical   Optical
           Temperature  Voltage      Tx Power  Rx Power
Port       (Celsius)    (Volts)      (dBm)     (dBm)
---------  -----------  -------      --------  --------
Gi0/11     50.2         3.18         -6.9      -29.6

Looks bad both ways... But why do I get something back when reversing the polarity? Is that a reflection of my own transmitted signal?
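A small checker for the two readings above, written as an added example rather than anything from the post. The parser takes the `show interface transceiver` table, and the thresholds are assumptions I label in the code: the 1000BASE-LX receive sensitivity and transmit power window from IEEE 802.3 Clause 38, and a floor value below which a DOM reading means the receiver sees no usable light at all.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumed reference values (not from the post). IEEE 802.3 Clause 38,
# 1000BASE-LX: receive sensitivity -19 dBm, average launch power between
# -11 dBm and -3 dBm. Readings at or below the floor are treated as "no light":
# most DOM implementations clamp there when nothing reaches the photodiode.
RX_SENSITIVITY_DBM = -19.0
TX_MIN_DBM, TX_MAX_DBM = -11.0, -3.0
NO_LIGHT_FLOOR_DBM = -35.0

# Constructed samples that follow the layout of the post's two outputs.
SAMPLE_STRAIGHT = """DMZ03#show interface Gi0/11 transceiver
Port       (Celsius)    (Volts)      (dBm)     (dBm)
---------  -----------  -------      --------  --------
Gi0/11     50.3         3.18         -6.9      -40.0
"""
SAMPLE_SWAPPED = """DMZ03#show interface Gi0/11 transceiver
Port       (Celsius)    (Volts)      (dBm)     (dBm)
---------  -----------  -------      --------  --------
Gi0/11     50.2         3.18         -6.9      -29.6
"""

# One data row: port name followed by four signed decimal columns.
ROW_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<temp>-?\d+\.\d+)\s+(?P<volts>-?\d+\.\d+)"
    r"\s+(?P<tx>-?\d+\.\d+)\s+(?P<rx>-?\d+\.\d+)\s*$"
)


@dataclass
class DomReading:
    port: str
    temp_c: float
    volts: float
    tx_dbm: float
    rx_dbm: float


@dataclass
class Assessment:
    port: str
    status: str        # "ok", "low-rx", "no-light" or "tx-out-of-range"
    rx_margin_db: float  # received power minus assumed receiver sensitivity


def parse_transceiver(text: str) -> List[DomReading]:
    """Extract the data rows from 'show interface <x> transceiver' output."""
    readings = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            readings.append(DomReading(
                port=m["port"], temp_c=float(m["temp"]), volts=float(m["volts"]),
                tx_dbm=float(m["tx"]), rx_dbm=float(m["rx"])))
    return readings


def assess(r: DomReading) -> Assessment:
    """Classify one reading against the assumed 1000BASE-LX budget."""
    margin = r.rx_dbm - RX_SENSITIVITY_DBM
    if r.rx_dbm <= NO_LIGHT_FLOOR_DBM:
        status = "no-light"          # nothing usable is arriving on the Rx fibre
    elif r.rx_dbm < RX_SENSITIVITY_DBM:
        status = "low-rx"            # light arrives, but below what the receiver needs
    elif not TX_MIN_DBM <= r.tx_dbm <= TX_MAX_DBM:
        status = "tx-out-of-range"   # our own laser is the suspect, not the path
    else:
        status = "ok"
    return Assessment(r.port, status, round(margin, 1))


if __name__ == "__main__":
    for label, text in (("straight", SAMPLE_STRAIGHT), ("swapped", SAMPLE_SWAPPED)):
        for reading in parse_transceiver(text):
            a = assess(reading)
            print(f"{label:8} {a.port} rx={reading.rx_dbm} dBm "
                  f"status={a.status} margin={a.rx_margin_db} dB")
```

The swapped-polarity reading only tells you that some light reaches the receiver; a classification like this cannot say whether it is the far end's transmitter or something else, so a power meter on the incoming strand is still the definitive check.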



Is L4 filtering still a thing on access networks?

We enforce whitelist-based L4 filtering on most student/guest WLANs at the AP, allowing the usual 53/67/68/80/443 and a few others, while blocking the rest. Most of the time this works, but more frequently I find this breaks some new app/service and we need to whitelist arbitrary port(s), which are not always documented.

I think we do this based on historical precedent, looking to cut down on stuff like torrents/viruses/etc. But my sense is these days it's better to just firewall off access to private/secure networks at L3 and leave L4 alone, and let our NGFW do what it does best. Have I missed something?



Cisco cert renewal time... why do I bother? It seems like a scam.

I have a CCNP R&S and CCDP. The thing is, I've had them since 2004. That's when I did all the work for the CCNP (it wasn't R&S at the time, just CCNP) and the CCDP was just two more tests. There was stuff on there about ISDN and token ring.

Fast forward five renewals later and 7 years in a non-technical role. The renewals only require you to take any NP level test to renew (was 640, now 300). It's gotten to the point with these renewals that I just pick some random topic that sounds interesting and read the book and take the test. Last time it was wireless design. Before that was a security one. Before that was a voice one.

Point is, none of them had to do with R&S or Design. If I went to an interview and someone asked me some difficult routing questions, I'd be like ¯\_(ツ)_/¯

I'm completely willing to just let it slide and expire but it's possible my company is going to go under in the next 3 years and it might still help get me to an interview (where I'd probably fail horribly).

I had Juniper, Aruba, and Brocade certs that all expired and it had zero effect on my life.

What would you do? Renew or expire?

Edit: I shouldn't have said it feels like a scam in my title, but I can't change the title. I was originally thinking about how it seems a little fraudulent that I could have a cert in one thing and take a completely unrelated test (5 times!) and have that original cert renewed as if I still know anything about the topic.

The original post was going to be more about that but as I was typing it morphed more into "should I bother?" Sorry for the bait and switch.



Problem with simple rerouting in SDN networks on Extreme Network switches with openflow protocol, using floodlight controller

Hello, so I need to simply redirect a flow but can't find the right way to do this.
First of all, I have a simple network with 3 identical switches (S1-S3); all of them are configured with OpenFlow version 1.3 enabled and are connected to the same controller, Floodlight. Also they work in hybrid mode.
Each switch has at least one host (H1); all hosts see each other and can communicate between themselves.
Also I have cleared the default flow (the one which pushes all flows to the controller) and replaced it with a flow that allows 'Normal' forwarding, so everything works fine.

Now I want to push flow through another switch/host like:
originally:
S2H1 ---> S1H2
but I want to send through S3:
S2H1 ----> S3H1 ----> S1H2

I tried with the following Floodlight REST API request:

{
  "switch": "xxx.xxx.xxx",
  "name": "some_name",
  "cookie": "0",
  "priority": "0",
  "hard_timeout": "120",
  "eth_type": "0x0800",
  "ipv4_src": "10.0.151.2",
  "ipv4_dst": "10.0.150.15",
  "active": "true",
  "actions": "set_field=ipv4_dst->10.0.152.2"
}

and I can push that entry to the controller, but it isn't shown on the switch after the command:

show openflow flows

I have also tried redirecting with ports: on S2, if ipv4_src was 10.0.151.2 and dst was 10.0.150.15, then the whole flow was redirected to port 3, which was connected to S3; on S3 there was a flow saying if the flow came in on port 2 (connected to S2) then redirect it to port 2 (connected to S1).
And it kinda worked, because the switches applied these flows, but there was no traffic - sflow-rt didn't see anything.

Is there someone who may have an idea how to do/bypass this?
Sorry if the post is chaotic or grammatically incorrect, English is my second language.



Cisco Live Registration Transfer Offer - Vegas 2020

Hey all. Maybe this won't get deleted.

Our company purchased a registration using CLCs. The employee is no longer attending and no replacement is available.

We are offering to transfer the registration for $1,500 USD to recoup some of the benefits.

Registration is $2,800 standard. (available now at a discount for $2,300)

This is the non-Manager track.

PM if interested.



Finally convinced the owner of the ISP that we've outgrown our ericsson redback SE800's and we now have a beautiful 7750 SR-12! One Question, though...

I'm sure this will be the first of many, please excuse my inexperience with this CLI.

I have created a user, but I cannot log in with it at all. I've deleted and recreated it, tried changing permissions, etc. I can log in all day as admin via console and SSH, but this new user account says password failed every time. Any idea as to why? Thanks in advance!

Users
===============================================================================
User ID     New User  Permissions                      Password  Login     Failed  Local
            Pwd       console ftp li snmp netconf      Expires   Attempts  Logins  Conf
-------------------------------------------------------------------------------
admin       n         y       n   n  n    n            never     9         0       y
brandon     n         y       y   y  y    y            never     6         6       y
-------------------------------------------------------------------------------
Number of users : 2



CGNAT

Hi guys. I just went live with a WISP operation. I have a /28 IPv4 prefix that I'm using to facilitate a CGNAT for most of my customers. I'm curious how many customers I can put behind 1 IPv4 address before port exhaustion becomes an issue. Thanks.



C9500-48Y4C CORE

We’re looking to introduce multiple stack-wise virtual pairs in our environment to form the core of our network (4 pairs), this is until the 9600s have had a little time to bed in.

Probably will be looking to deploy with the 16.12.x train in the new year.

The setup will be pretty basic, with OSPF and OSPFv3 area 0 in a full mesh topology with a 50G backbone (2x25G). Mainly being used as core devices for high-speed packet shifting, connecting multiple distributions in a classic 3-tier architecture.

Has anyone experienced any major/minor issues in this version of code (16.12.2)?

Any help/advice would be appreciated