Saturday, January 18, 2020

Hurricane Electric Peering experience

Greetings, does anyone have any experience peering with Hurricane at a local IX? We recently acquired a /23 from ARIN and will be announcing it to our current internet/transit provider. We are moving into a facility with an IX (KCIX) and Hurricane is a member of that IX. I know that Hurricane offers free peering and will advertise their customers' routes to you (175k+) but have also heard horror stories about Hurricane (as with any ISP). Is anybody solely peering with them, and if so, how much benefit are you gaining from it?



F5 Ltm code recommendation

Hi, We are planning on updating the code from version 11.6.5 to a stable release. Could someone suggest a stable release and how you certified the code before upgrading?



Eve-NG: Setting a VLAN on the "Cloud Network" link to the real network?

I have a single Intel NIC on my computer connected to a real Cisco switch. I'm running Eve-NG on VMware Workstation Pro 15.5.

In Eve-NG, you can connect your Eve-NG topology to your real network.

I'd like everything in my Eve-NG topology to connect to a different VLAN than my Windows host OS.

Is this possible?

Obviously, I'd still need to be able to access my Eve-NG VM from my Windows host OS through a browser. I don't mind if the Windows host OS and the Eve-NG VM are still on the same VLAN, but I'd like the routers inside my Eve-NG topology to connect to a separate VLAN on my network.



Are any of you doing segmentation using vlans and a pair of “big internal firewalls?”

I know network segmentation is one of those things that has no standard solution. And then you can get into the minutiae of network segmentation versus “micro-segmentation.”

I know some solutions out there are leaning towards all host-based for segmentation. Basically creating an orchestration layer to manage iptables/windows firewall, etc.

However there’s also this concept of segmenting different stuff off into their own vlans and making them go through a NGFW to talk to any other VLAN.

Anyone here doing that? The architecture kind of boggles my mind a bit. For one thing: do the firewalls just sort of replace your core switches at that point? Or do the firewalls hang off the cores like a big router on a stick? Either way, these firewalls will now handle routing for the network.

I am wondering how the solution looks and if that’s viable? Or is host-based segmentation the way to go.

And if you go with host-based, do separate vlans for everything even make sense? Or would you basically do some minimal vlaning and just rely on the orchestrated firewall rules of each host?



VNC/Parsec/RDP 1Gbe vs 10Gbe differences?

Hello,

I was just curious if there are any speed/lag, well, performance benefits to using 10Gbe over 1Gbe for different remote viewer protocols?

My guess is the latency would be similar but content loading would be quicker, so the only benefit would be a better resolution? That's my guess; please could someone tell me the real-deal benefits (if any).

Cheers



What is the use of NAT Exempt for IPsec VPNs

Howdy,

I was just curious as to what reason you would use the NAT Exempt feature for when creating an IPsec VPN tunnel on Cisco ASA?

I'm not sure if I should enable it for site-to-site VPNs?



setting up VCSA (vmware vcenter) with reverse proxy ?

/r/vmware/comments/eqmaza/setting_up_vcsa_with_haproxy/

sFlow Datagram Description

Hello, everybody,

For my master's thesis I am currently working on sFlow and trying to understand the datagram. Some points are self-explanatory, but some like 'sampleType_tag' are not. I have already read the sFlow documentation (https://sflow.org/sflow_version_5.txt).

Does anyone have a tip where the datagram is described in more detail or literature about it ?

Thanks a lot !
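To make the datagram layout concrete, here is an added example (my own code, not from the post and not from sflow.org) that walks a constructed sFlow v5 datagram in Python and decodes the sample_type tag the way the spec defines a data_format: the upper 20 bits are the enterprise number (0 for standard sFlow) and the lower 12 bits are the format number (1 = flow sample, 2 = counters sample, 3/4 = the expanded variants). The datagram bytes are constructed inline rather than captured; record bodies are treated as opaque and only their tags are labelled, and the field order follows the v5 text.

```python
import ipaddress
import struct

# Standard (enterprise 0) sample formats from sflow_version_5.txt.
SAMPLE_FORMATS = {1: "flow_sample", 2: "counters_sample",
                  3: "flow_sample_expanded", 4: "counters_sample_expanded"}
# A few standard flow-record formats, enough to label the constructed input below.
FLOW_RECORD_FORMATS = {1: "sampled_header", 2: "sampled_ethernet", 3: "sampled_ipv4",
                       4: "sampled_ipv6", 1001: "extended_switch", 1002: "extended_router"}


def split_data_format(tag):
    """A data_format (sample_type or record type) is one uint32:
    enterprise number in the top 20 bits, format number in the low 12 bits."""
    return tag >> 12, tag & 0xFFF


def label(enterprise, fmt, table):
    return table.get(fmt, "unknown") if enterprise == 0 else "vendor_specific"


class Reader:
    """Cursor over the big-endian XDR encoding sFlow uses."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (value,) = struct.unpack_from("!I", self.data, self.pos)
        self.pos += 4
        return value

    def raw(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated datagram")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk


def parse_flow_sample(body):
    """Decode the fixed fields of a format-1 flow sample and the tag of each flow record."""
    r = Reader(body)
    sample = {"sequence_number": r.u32(), "source_id": r.u32(), "sampling_rate": r.u32(),
              "sample_pool": r.u32(), "drops": r.u32(), "input": r.u32(), "output": r.u32()}
    # source_id packs the source type in the top byte and the index in the low 24 bits.
    sample["source_type"] = sample["source_id"] >> 24
    sample["source_index"] = sample["source_id"] & 0xFFFFFF
    records = []
    for _ in range(r.u32()):
        tag, length = r.u32(), r.u32()
        r.raw(length)  # record body skipped; only the tag is decoded here
        ent, fmt = split_data_format(tag)
        records.append({"enterprise": ent, "format": fmt,
                        "name": label(ent, fmt, FLOW_RECORD_FORMATS)})
    sample["records"] = records
    return sample


def parse_datagram(data):
    """Parse the datagram header and the (tag, length) envelope of every sample."""
    r = Reader(data)
    version = r.u32()
    if version != 5:
        raise ValueError("not an sFlow v5 datagram")
    addr_type = r.u32()
    if addr_type == 1:
        agent = str(ipaddress.IPv4Address(r.raw(4)))
    elif addr_type == 2:
        agent = str(ipaddress.IPv6Address(r.raw(16)))
    else:
        raise ValueError("unknown agent address type")
    datagram = {"version": version, "agent": agent, "sub_agent_id": r.u32(),
                "sequence_number": r.u32(), "uptime_ms": r.u32(), "samples": []}
    for _ in range(r.u32()):
        tag, length = r.u32(), r.u32()
        body = r.raw(length)
        ent, fmt = split_data_format(tag)
        sample = {"enterprise": ent, "format": fmt, "name": label(ent, fmt, SAMPLE_FORMATS)}
        if ent == 0 and fmt == 1:
            sample.update(parse_flow_sample(body))
        datagram["samples"].append(sample)
    return datagram


def build_sample_datagram():
    """Constructed input (not a capture): one flow sample carrying a sampled_ipv4 record,
    followed by one counters sample whose body is an opaque placeholder."""
    ipv4_record = struct.pack("!II", 3, 8) + b"\x00" * 8            # tag 3, 8 placeholder bytes
    flow_body = (struct.pack("!7I", 17, (0 << 24) | 5, 512, 8704, 0, 5, 7)
                 + struct.pack("!I", 1) + ipv4_record)              # one flow record
    flow_sample = struct.pack("!II", 1, len(flow_body)) + flow_body
    counters_body = b"\x00" * 12
    counters_sample = struct.pack("!II", 2, len(counters_body)) + counters_body
    header = (struct.pack("!II", 5, 1) + ipaddress.IPv4Address("192.0.2.10").packed
              + struct.pack("!4I", 0, 42, 123456, 2))               # sub-agent, seq, uptime, count
    return header + flow_sample + counters_sample


if __name__ == "__main__":
    for s in parse_datagram(build_sample_datagram())["samples"]:
        print(s["name"], s.get("records", ""))
```

Feeding the same parser real exports (for example, bytes read from a UDP socket bound to port 6343) is where the tag decoding earns its keep: a vendor-specific sample shows up as a non-zero enterprise number, and the length field is what lets a collector skip a sample type it does not understand without losing alignment.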



OOB management device recommendations

I'm looking for a new OOB device for my network devices to attach to via console, and also, if possible, to connect server iLO. Is that possible?



Network meltdown caused by L2 failure - mitigating impact on L3 devices

I've been dealing with a total loss of a DC this weekend caused by some server person deciding to bridge ethernets on a host. The directly connected switch was not running any kind of storm control, root guard etc., which then caused the meltdown of 2 core routers due to them running 100% CPU until the loop was stopped. I believe this was due to trying to process "to the box" traffic in CPU.

First task is to implement storm control etc. on the DC switches.

Our network has grown massively over the years, from a simple 1 rack presence with 2 edge routers into a multi country MPLS with 8 or so core nodes running MPLS. Issue is that in legacy data centres these core devices are also acting as edge routers for the DC LAN.

What is best practice in moving services away from core devices? For example DC1 will have 2 MX routers which are full mesh with other DCs running BGP/MPLS, and then VRRP between MX routers on the DC LAN into whatever switches we have in place.

In my mind I see best practice as moving the DC LAN edge away from the core and inserting another L3 device in between. So instead of it being:

CORE ROUTER > DC SWITCH > DC LAN

moving to a model such as:

CORE ROUTER > DC EDGE ROUTER > DC SWITCH > DC LAN

then either eBGP between edge router and core or just plain old statics for stability.

Is this the kind of model I should be looking at or are there better solutions in place?



Will fs.com-branded 1G/10G/100G SFPs and DACs work on Cisco equipment, N3K switches in particular?

Hi, my company plans to buy N3K-C31108PC-V and N3K-C31108TC-V as our core and datacenter switches. Original Cisco SFPs are extremely expensive and we're looking for a non-OEM solution.

Generally, will Fiber Store (fs.com) branded SFPs, AOCs and DACs work on those devices?

We plan to buy a lot of 1G SFPs, 10G SFPs, 10G AOCs, 100G AOCs, 100G DACs, etc... to interconnect those N3K switches, as well as an array of C2960X's and 9200L's which will uplink to the N3K core switches.

Also, will the commands service unsupported-transceiver and no errdisable detect cause gbic-invalid work on newly bought N3Ks to enable non-Cisco transceivers?



DSCP settings help?

/r/HomeNetworking/comments/eqg4a1/dscp_settings_help/

Dual Band WiFi Routers with 30+ Concurrent Users

Hi,

I wanted to ask the community if they can recommend dual band (2.4GHz + 5GHz) WiFi routers that can support a concurrent user limit of:

30, 50 or 75

Any cheaper routers, especially those you are using yourself, would be helpful. Thanks.



decentralised VPN thoughts

Hey, I recently found out about a project called Mysterium (mysterium.network website); it is a decentralised VPN. I don't know if it is trustworthy and really safe and better than normal VPNs. Has someone with experience in coding, IT etc. looked it up and its code? Since I have no experience in such things I can't check it myself. I think it is open source.



What is Logical Configuration of a Network (any network)

I have to make a presentation. My professor asked me to make a presentation on data communication and networks and logical configuration, but I don't understand what logical configuration is. He also wants me to make a LAN using a router. Can you guys help me with it please?



How do I access the modem once I put up the firewall?

I hope this question isn't too basic, I'm new to networking, no certs, and just getting my first experiences with it.

Basically I'm wondering how this works.

If I install a firewall its IP is 192.168.1.1:8080

I have a watchguard t15 firewall

What happens if I need to access the modem/router again, because now the firewall is the new default gateway at 192.168.1.1.

The modem/router is a cisco model I can't remember the name.

What is the IP of the modem now? How do I get back to its back-end? Do I access it through the firewall?

Another thing I thought is if I just unplug the firewall from the modem/router and then plug in my computer, would that solve my problem and I'd be able to connect to the back-end?

If I plug in my computer directly to the modem/router will it now become 192.168.1.1 again and the new default gateway.

At this point I will have turned the modem/router on pass through so through traffic passes through it, and the wifi is turned off.

I'm really sorry if this is too basic; I tried to Google search it before I posted.



Route phone number to service that records the call

Hello everybody,

(I hope this is not the wrong category for this question though)

I have a question that is related to VOIP, siptrunks and PSTN. I tried to find my answer on Google but it is all very overwhelming so I hope somebody could help me out with the following question:

I have a Dutch phone number that I use to receive & make calls on my cellphone. Is it possible to 'forward' this number to a service that records the call? I have heard of things like a SIP trunk?

I have 2 requirements for this service:

  1. The service needs to accept every incoming call for free.
  2. The service needs to handle at least 30 concurrent calls.

Is this even possible? without breaking the bank?

I hope someone could help me out!

Thanks a lot!



Network bonding without special tools, is it possible?

The accommodation I am staying at allows 5 simultaneous device connections per user to their wifi network. Interestingly, the speed limit is based per device rather than per user. In my case, each device is allowed 100mb down. Recently, I learnt about network bonding, which allows combination of multiple NICs. From my understanding, this should be possible as all of my 5 devices are connected to the same ISP. So my plan is to purchase 5 wireless dongles, connect them to a spare Raspberry Pi, and connect the Raspberry Pi to a router. If this works, I should be able to achieve 500mb down.

I have found a [commercial solution](speedify.com) for this problem. Their solution works by routing the packets of all NICs to their own server, and perform some aggregation there. As I do not have a separate server to connect to, I am simply wondering if networking bonding is possible without separate tools.

However, before I buy 5 dongles, I am wondering if this will work? If so, what is the latency like.



Separating lease line bandwidth onto several networks

Hi all. I’m looking for the best way to achieve the following...

Create 10 separate private networks using 10mb each of a single 100mb fibre lease line.

Currently the lease line is presented to a Draytek Vigor 2862 router.

What is the best way to separate the circuit into the individual networks? Is this achievable by plugging the Draytek into a layer 3 switch and creating VLANs, with the ports on the switch plugging into 10 separate switches?



Friday, January 17, 2020

Does tracing a VOIP call back to the device used to make the call rely solely on the IP address?

If I accessed the Internet on my laptop, the only way to trace me is by obtaining my IP address.

If I made a VOIP call from my mobile device, is my IP address the only way to trace my VOIP call back to my mobile?



Cisco Router "Problem"

Heyo Reddit!

For my homelab I use a Cisco 2911. I have a ROAS configuration.

Trunk ports, everything works perfect. Great!

I come back to my workstation and suddenly I can not route anymore. I ping my gateway and it's good. I ping my server's gateway and no luck (I should be able to ping; no ACLs are set).

Background:

Server Network - 172.21.4.0 /22

Client Network - 10.0.0.0 /24

The Problem -

The route works originally, but after X amount of hours the route is broken. The route is still in the routing table. The trunk is fully functional between switch and router.

This has had me through a loop for a week now and I am lost for a solution. Ideas?

If I am missing any information to help, ask!



How does a VLAN manage bandwidth on a larger network?

I have a Media over IP system that needs to be installed in a larger office, last time it was attempted by another tech, it massively slowed the network down.

My initial thought was to isolate all the devices related to the MoIP system on a VLAN to stop the system from broadcasting to the entire network.

Does this seem like a good solution? If so, how exactly is bandwidth managed in a VLAN?



Netflow on IOS

Hi, I am having trouble with NetFlow. We used to use simple NetFlow but since we went to this advanced config type, it has not worked. What am I missing? Router model: ISR4221, image: 16.9.4

Thanks!

----------------------------------------

flow record NETFLOW
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface output
 collect counter bytes long
 collect counter packets long
!
flow exporter y.y.y.y
 destination x.x.x.x
 source GigabitEthernet0/0/1.300
 transport udp 12007
!
flow monitor NETFLOW
 exporter x.x.x.x
 record NETFLOW
!
interface GigabitEthernet0/0/1.300
 bandwidth 10000
 encapsulation dot1Q 300 native
 ip flow monitor NETFLOW input
 ip flow monitor NETFLOW output
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip ospf priority 0
 arp timeout 300
 service-policy output QOS-PARENT-OUT

ROUTER#sho ip cache flow
IP packet size distribution (0 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 0 bytes
  0 active, 0 inactive, 0 added
  0 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
last clearing of statistics never

Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts



pvlan questions

I work for a small managed hosting company that colocates servers. We have three racks there, and connectivity managed by the datacentre. They present a couple of uplink ports plugged into one of the rack switches. The other two rack switches are connected to this. The switches are Juniper EX4200s.

Right now, everything is a fairly flat network, with one large broadcast domain. Each port with a server connected is configured as trunk port, with a native (i.e. untagged) vlan for normal traffic, and another VLAN for ipmi.

The problem is that this doesn't provide much isolation between customers. Whilst we are a managed provider and don't tend to give many customers root access, this is still a concern.

We'd like to move to a setup that uses PVLAN in order to provide isolation between servers. In this setup we'd have:

- the Uplink ports (and inter-switch links) as promiscuous ports

- Most servers on an isolated secondary VLAN

- Some servers (hypervisors for our Cloud platform) in a community secondary vlan.

There are a couple of things I'm not sure about, however:

- Some customer servers connect to each other via their public IP address for file synchronisation and such. We'd like to keep these in an isolated vlan if possible. How would this communication work? (would it?)

- How would we retain IPMI access on a separate vlan? We use 10.0.0.0/16 space for this and only machines configured with access to the IPMI vlan can reach it.

Grateful for any assistance you can provide!



Install question

Not sure if this belongs here, but I've got a question for everyone. So a client of mine wants to have a PC in their main office that's connected to a warehouse. No problem. They also want a monitor behind the main desk, which is about 10 feet away, that shows a slideshow of the work they've done so that the customer can see the finished product. Again, no problem. They also want a monitor in the warehouse to display to the employees what orders have come up. That would be about a 70 ft cable run. I'm wondering if I should just mount a tablet connected to wifi to display the work order put in from the main computer? Or possibly put a touchscreen monitor so the employees can mark off the completed jobs. Thanks in advance guys and gals!



HP StorageWorks 8/24 SAN Switch Part 2

I'm trying to use this switch in conjunction with a CCENT tutorial but it seems like on Cisco switches, once you log in, you are automatically put into privileged exec mode. On the switch I'm playing with, that doesn't seem to be the case.

I googled around to try and find how to get into this mode on this switch and its OS but I can't find anything that works.

The switch is running Fabric OS 7.2.1d and I have tried cmsh and also a sys command my friend suggested but neither got me into the higher modes. Any one have any ideas?

I have tried with being logged in as admin and also root and I've also typed in help and didn't see anything. I also read using a "?" should yield results, but that only seems to in the preboot area.

Also I'm connected through Putty and using a USB Console Cable.

https://www.amazon.com/Console-Essential-Accesory-Ubiquity-Switches/dp/B01AFNBC3K



Palo Alto Documents

Hey guys,

does anyone have some Palo Alto documents lying around somewhere? I'm currently on the Cisco Firepower train, but we plan on moving to Palo Alto shortly; that's why I'm giving myself a little bit of a head start on the topic :)

Maybe some cool technical guides, presentations of features etc.

Cisco has some cool documents and pdfs on their stuff which they present on cisco live (THE cisco event)

Kind regards



Cisco Content Services Switch (CSS11501) --> F5 concepts

I know CSS is ancient and long since EOL/EOS but unfortunately, I am tasked with migrating 2 production boxes to an F5 infrastructure.

Trying to figure out the equivalent concepts for groups, content and services. i.e. group=virtual server, content=iRule, services=POOL. Anyone know if this is correct?

I know they might not line up exactly but close enough is good too.



How do you test bandwidth over an MPLS link at a large enterprise

I have lots of users complaining about speeds, and to be fair a lot of locations we have are running T1 connections. But they run a speed test and they will get .23 Mbps. We all know speedtest.net is not the most legitimate way to test network bandwidth. We run Cisco everywhere. I know I could install an agent on their computer and run the test that way, but is there a way to really test bandwidth at a remote location without involving the end users?



Migrating MPLS phased approach?

Just looking for quick and high-level suggestions/advice, I can do the leg work of figuring things out from there.

Helping out a friend with migrating MPLS providers, while keeping the network functional as there are multiple branch locations that will be cut over individually.

What is the (I guess) easy/cleanest way to get this done? We plan to do the data center leg first where all of the branches come to for services while migrating the sites we will keep both MPLS links connected for new and old. BGP is connecting the MPLS network, redistributing EIGRP from the internal side.

Attached is the most basic high-level diagram, If more info is needed I can provide

Is it just a matter of configuring a separate BGP process for the new Provider and redistributing EIGRP to it, and the routing table will handle having both MPLS networks in its table and route traffic accordingly?

https://ibb.co/NsQhXQ4

Just seeking advice for the "easy" way to do this. Thanks guys



PearsonVue Warning

I know this is cert related, but thought I would share it here since it affects more than just one exam in Networking. On a whim, I ordered the Cisco Approved Practice Test 300-115: Implementing Cisco IP Switched Networks (SWITCH) - 30-days online as I was scheduling my exam. Normally I wouldn't but today I felt like I should. My thought process was that hey, more practice tests couldn't hurt right? I paid the €108 and thought I would be well on my way to practicing exams, through the official, non-cheating way. As of yet though, I have received nothing. As far as I know I've wasted that €108 since PearsonVue online chat assistance did nothing but told me to wait for 20 minutes, and calling in told me to email someone, which I haven't heard from either. Not even a confirmation of my email. So if you're thinking of buying the official exams through them, save your money. It's not worth the hassle.



Port scan with Networked HVAC Controllers

Hey everyone, I have an issue that none of the on-site engineers can figure out and hoping to get some new ideas to try.

We have a bunch of HVAC controllers on a separate VLAN specifically for these devices. Every day, they go offline until we run a port scan with Angry IP. The vendor has made sure these devices never go to sleep; they are always active and I have verified the settings for myself. I know they don't sleep because the scheduled AC times still run and change even when we can't get to the GUI and they don't ping. Once we run the port scan, pings come back and the GUI is online.

Does anyone have any ideas what may be happening here? Our network infrastructure team says its the vendors issue and the vendor says its the network teams issue and I cannot get anywhere. Thanks



Core switch reccomendation

Hi!

I'm replacing our current network infrastructure and am in doubt about which switches to choose:

- 2x 3810M (for redundancy)

- or: 2x 6300M

- or 2x 5406R

These core switches will have uplinks for all other locations in the building(s):

- 2x 2930F 48PoE Stack (Floor 2)

- 2x 2930F 48PoE Stack (Floor 1)

- 1x 2930F 48PoE Stack (Floor 0)

- 2x 3810M 48PoE Stack (Floor -1) via FC or Stacking with the other 3810M

+ 6x other Switches from Alcatel with 48 PoE

All switches/stacks will have redundant 10Gb connections.

My dilemma is whether the 3810M will be enough for all this in the long term (10+ years), or should I get better switches (5400/6300)? Or even some other, even better switches?

We might also connect our 3 (VMware) servers to the 3810M via 10Gb FC...

This all looks a bit too heavy to me, connecting all these 10Gb FC uplinks to the 3810M...

What do you guys think?

Anyone with the experience on these switches?

Thanks!



Cat 9800 and Umbrella integration

We've had our shiny new Cat 9800 wireless controllers humming along for close to a year now. We're dipping our toes into integrating Cisco umbrella across our network for yet another layer of protection.

We have a few wireless networks that we'd like to apply specific Umbrella policies to and according to the umbrella wlc integration guide this looks like a great way to accomplish this if I had an older WLC.

Referencing the official Cat 9800 setup docs and the command reference, I can only find information on a global parameter map and nothing for individual wlans/vlans/etc.

Does anyone have any insight on further configuration? Is the 9800 integration just not completely baked? I figured I'd test the waters here while I'm waiting on my support channels.

I've got a call into our local SE to see what he could come up with. I'll post back with what we find.



Error 90002 help for ffxiv

Morning y'all, going to ask you a pretty common question I guess, from what I've learned so far. So I'm playing FFXIV and I get 90002 error codes and get disconnected. I have gone into my computer's firewall and done the port forwarding necessary, and also into my router's firewall and done port forwarding there as well. Currently redownloading the game to see if that'll fix any files corrupted during the first download. Any help on this issue would be greatly appreciated. I guess I should also add that my internet connection isn't the very best either because of the area I live in. Ty ahead of time for any help given.



Serious question: How does a military networking infra work?

I've been a (somewhat) sysadmin in the Israeli army but I've never been able to understand how the infra actually works under the hood.

How are they able to 'encrypt' and manage all the data that goes inside the network?

How is it possible for them to use it as a private network that does not go outside? I know they do have some solutions to get things from inside the network to the regular internet (such as documents and files) and vice versa.

It'd be very nice to understand how it works. I've never been a networking guy myself but this subject sounds cool and unique to me.



Cisco AireOS WLC: When is it worth going to 8.10?

Hi

We finally migrated from a single WLC 2504 to a 3504 (soon to be in HA mode with a second 3504) at the end of last year. (Unfortunately the decision to go with the 3504 was made just months before the IOS-XE based new WLCs were released.)

I'm currently running AireOS 8.5.160 with 1850i's (in local mode, so 8.5.160 is OK, no FlexConnect) and have checked out Cisco's "TAC Recommended AireOS Builds" where 8.5 is still *the* recommended base version. However 8.10 brings WPA3 support and has some other nice additions, yet I hear that there are usually valid reasons as to why one should not run the bleeding-edge release branch unless there are valid reasons to do so.

I was tossed into Cisco WLCs at the end of last year so I don't have long-term experience with Cisco WLCs to judge how reliable Cisco's release process is on AireOS. When do you people usually upgrade to a newer release branch, and how have the experiences been on AireOS 8.10 so far for those who are already using it?



Rancid Unable to login - Telnet

I installed rancid on CentOS 8, and I'm trying to back up a TP-Link TL-SG3424P switch.

From the terminal all works fine:

telnet 1.1.1.3
# asked for username/password
# typed the password and I'm in
switch>en
show running

.cloginrc file:

add method 1.1.1.3 telnet
add user 1.1.1.3 username
add password 1.1.1.3 userpass enablepass
add autoenable 1.1.1.3 0

and I get the error:

clogin error: Error: Couldn't login: 1.1.1.3

How do I specify the enable password in the .cloginrc file?

SSH requires uploading private keys and it requires a switch reboot (according to the manual); that's why I tried telnet.



Thursday, January 16, 2020

How does Medium track that I have read 5 blogs this month?

There are two ways in which Medium can track a user:

  • User ID
  • IP address

Let's concentrate mainly on IP-address-based tracking. What I found was that even after I read 5 articles this month, if I open Medium in an incognito window I am able to view the blog contents.

Also we know that incognito browsing does not hide our IP address; it's "no VPN". So my question is: how is Medium unable to track me when I use incognito, and why does it let me view the blog?



Site-to-site vs Client to site VPN

I work for Company A that just signed a contract to collaborate with another medium sized Company, B. This partnership requires about 30 users with dedicated Desktop PCs from company B to access some servers in A's HQ.

Option 1: Set up a site-to-site VPN and work with Company B's network engineer to limit access to specific MAC addresses?
Option 2: Configure L2TP VPNs on those desktops so that users can access A's network as needed?

What's best? Thanks in advance.



Cisco Anyconnect vpn phone with legacy asa, looking to move to Fortinet

I just found out about this today. We apparently have a legacy ASA that provides internet VPN capability to some remote users' Cisco IP phones using the old IP phone AnyConnect technology. That ASA is ancient; it cannot even be upgraded anymore. There have been some ugly ASA vulnerabilities in the last few months and this thing needs to go. I am not interested in Firepower. I need to come up with a better solution to handle these phones. Has anyone else run into this before? How did you handle it?

So this post doesn't get flagged as low effort, I have determined AnyConnect's IKEv2 mode only works against Cisco gear, AnyConnect uses an EAP scheme called "EAP-AnyConnect". The only devices that implement that are - you guessed it - Cisco.

The IKEv2 is also somewhat proprietary: https://wiki.strongswan.org/issues/2173



Dear FS optics, we're breaking up

Dear FS SFP-10G-BX 1270/1330 10km,

I am sorry to inform you that this last outage was the last straw, I think we should see other people. The first two outages you caused I wrote off as pure unlucky coincidences. Even the third outage when an entire switch chip you were plugged into got fried and the switch TAC put all the blame on you, I still defended you due to your sister's, SFP-GE-BX 1310/1550 20km, proven reliability and wide spread use in the network. However, after tonight's skyrocket in symbol errors and FCS counters on an aggregation switch, we must part ways.

It has been fun and I wish you all the luck in other networks.

Love,

Majestic-falcon

P.S - Please don't make your sister choose sides, I am already replacing enough optics :)



Extreme Identifi Wireless BPDU Filtering

Question for you all, does anyone use BPDU filtering in their wireless APs? I have a few APs in my campus that keep having their uplink killed due to BPDU guard triggers.

My topology is set to bridged at AP, so my AP dumps the traffic into their specific VLAN on the edge switch instead of funneling it back to the controller.

But, I suspect I have a user that is running virtual machines on their computer and their NIC is set to bridged. So, when it attempts to join the spanning tree my switch just kills the AP.

Anyone have any ideas how to track it down or extend the BPDU filtering to the AP's edge?



Meraki MX w/ Ubiquiti Unifi switches. Can I connect a second ISP into one of the unifi switches and is the MX smart enough to set it up as a WAN 2? Or does the second ISP have to plug into the MX directly?

I know it's not an ideal situation but it's what I have right now.

Thanks in advance.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Theoretical Subnet Mask Question

Hello, I have a quick question. Consider the scenario

A computer connected into a switch with an IP of 192.168.16.50 with a subnet mask of 255.255.240.0

A computer connected to the same switch with an IP of 192.168.16.55 with a subnet mask of 255.255.254.0

Even though these computers have different subnet masks, they still have the same three octets. Would they be able to communicate?
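As an added example (my own code, not from the post), here is the on-link test each host actually performs, run in both directions in Python. A host never looks at its neighbour's mask: it only checks whether the peer address falls inside the network its own address and mask define, ARPs directly if so, and otherwise hands the packet to its default gateway. The host labels a/b and the second scenario with 192.168.20.50 are my own assumptions for illustration.

```python
import ipaddress


def on_link(local_ip, local_mask, peer_ip):
    """True if the host at local_ip/local_mask would treat peer_ip as directly reachable.

    Only the local host's own mask is consulted, which is why two hosts with different
    masks can disagree about whether they share a subnet."""
    net = ipaddress.ip_network(f"{local_ip}/{local_mask}", strict=False)
    return ipaddress.ip_address(peer_ip) in net


def reachability(a_ip, a_mask, b_ip, b_mask):
    """Evaluate the on-link decision in both directions for two hosts on one switch."""
    a_net = ipaddress.ip_network(f"{a_ip}/{a_mask}", strict=False)
    b_net = ipaddress.ip_network(f"{b_ip}/{b_mask}", strict=False)
    return {
        "a_network": str(a_net),
        "b_network": str(b_net),
        "a_sees_b_local": on_link(a_ip, a_mask, b_ip),
        "b_sees_a_local": on_link(b_ip, b_mask, a_ip),
    }


def verdict(result):
    """Direct two-way ARP only happens when each side sees the other as local."""
    if result["a_sees_b_local"] and result["b_sees_a_local"]:
        return "both hosts ARP for each other directly"
    if result["a_sees_b_local"] or result["b_sees_a_local"]:
        return "one side ARPs directly, the other sends via its gateway"
    return "both sides send via their gateways"


if __name__ == "__main__":
    # The post's scenario: same first three octets, different masks.
    r = reachability("192.168.16.50", "255.255.240.0", "192.168.16.55", "255.255.254.0")
    print(r, verdict(r))
    # Assumed variant: host A moved to 192.168.20.50 with the same /20. A still sees B
    # inside its subnet, but B's /23 ends at 192.168.17.255, so B replies via its gateway.
    r = reachability("192.168.20.50", "255.255.240.0", "192.168.16.55", "255.255.254.0")
    print(r, verdict(r))
```

Matching first three octets is not what decides it; matching network bits under each host's own mask is. The asymmetric case matters in practice because traffic from the wider-masked host arrives directly while replies detour through a gateway that may not route back onto the same segment.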



Deployment of Aerohive AP 250s in an old Cisco Environment (First time building Network Architecture)

Hey all, new to networking. I have a few years in IT and information security, but this is my first time deploying and implementing enterprise network architecture.

My company is changing their networking equipment: old Cisco Catalyst 2960 switches [EOL], a Cisco ASA 5512-X firewall [nearing EOL], and I can't remember the AP model off the top of my head.

After reviewing vendors and discussing we went with the Aerohive AP 250s as our Access Points. I need to plug in the APs into the old network, and have them function properly.

I'm a bit lost at what I would be looking / what I should be looking for.

Example: I didn't think to check how the APs function, and that's huge in networking (I'm learning).

I'm looking for any helpful bits of advice, and questions I should be asking.

Thank you



Meraki MR84 Outside Enclosures?

Hello all, we are attempting to mount an MR84 with an external Dual-Band Omni antenna (MA-ANT-20) on the side of our building and I was looking at NEMA enclosures to secure it. It's unfortunately in a place that makes it very easy for someone to show up with a ladder and steal it.

Do you guys have any suggestions of vendors to look at and for something that will also enclose the antenna?



Palo Alto PA-220 Comparables

I've been more familiar with SonicWalls and Sophos lines of equipment in the past, and haven't really had the chance to work with Palo Alto.

For this next job I have coming up I have to branch a separate private network off of a university network; the university's IT suggested the PA-220 with its 3-year Threat Prevention and URL Filtering subscriptions.

Either I need to decide to start working with a new device in the PA-220, or see if I can find any comparables in the SonicWall and Sophos line.

I'm up for either one. I just want to know what's the best to use.



Juniper VLAN IP Address for Switch

Hello,

I'm totally confused on how to configure an IP for a management VLAN in juniper's switch.

I see two options online and I don't know what is correct, under VLAN or IRB

Option 1:

    set vlans MGMT vlan-id 10
    set interfaces irb unit 10 family inet address 10.10.10.254/24
    set vlans MGMT l3-interface irb.10

Option 2:

    set vlans MGMT vlan-id 10
    set interfaces vlan unit 10 family inet address 10.10.10.254/24
    set vlans MGMT l3-interface vlan.10



Dell N3048P CPLD Update Woes

Last night I updated the firmware on my N3048P stack from 6.1.1.7 to 6.5.4.10. I also updated the boot code as per Dell's instruction. The last step for fully updated switches is to update the CPLD version from 13 to 20, however the command doesn't work and I get the below issue. Trying to google this and I run into the same 3 posts over and over that talk about CPLD, but nothing on my problem. If any of you kind souls can help, I would appreciate it!

    console#update cpld
    % Invalid input detected at '^' marker.


Trying to route traffic to a device on a remote network using Teamviewer VPN and Multi Port Forwarder

We maintain BMS controllers in customer buildings. This requires us to access both a server on site (providing a web-based frontend), and the individual devices on their LAN. In most buildings, the IT department will either open the ports we need, or provide VPN access. However some of the buildings don't have IT departments. They have a cable or DSL connection for building management and/or public wifi use, and we're expected to just "do whatever you need to do" to get remote access. When the router password is the default, we set up the forwards we need.

But there are a few buildings where either the password was changed at some point in the distant past (and nobody currently employed at the building knows it), or they have those infuriating "cloud" routers where you need the actual ISP account info to access it. For these buildings, we use teamviewer to at least get access the to the server and web UI for the system. This is mostly sufficient, but any major changes require direct access to the controllers themselves.

Teamviewer is able to create a VPN on a virtual network adapter. What I want to do is connect to our devices on the remote LAN by using the remote server to route between the virtual adapter and the physical adapter. I found a program called Multi Port Forwarder that appears to be able to do this, but the specific setup for this use-case is slightly above my capability. I've read the (limited) online help documentation, but they don't have an example that is doing quite what I am trying to accomplish, and the help screenshots are from an older version with slightly different config options.

For the connection I'm currently trying to set up, my TVVPN IP address is 7.150.157.92, the remote server's TVVPN address is 7.81.229.26, the remote server's LAN address is 192.168.0.108, the LAN address of the remote device to which I'm trying to connect is 192.168.0.240, and the port on which I need to connect is 4911.

I have MPF installed on the remote server and have both remote desktop and VPN connections established with teamviewer. Here's my best guess as to how MPF needs to be configured. I point my controller programming tool at 7.81.229.26 and attempt to connect to the controller over port 4911, but no joy. The activity monitor on MPF lights up, so it's seeing the incoming request at that port and triggering the rule, but either it's not passing it to the LAN, or it's passing it in some weird way so that a proper connection can't be established. I've tried fiddling with various settings and turning things on and off, but none of my fumbling has been successful.

What am I doing wrong?
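What Multi Port Forwarder is being asked to do here is a plain TCP relay: accept on the TeamViewer VPN adapter address, open a second connection to the controller on the LAN, and copy bytes both ways. The following is an added example of that relay written in Python's standard library (it is not MPF, TeamViewer or vendor code, and nothing in it is from the original post beyond the addresses). Two design points matter on a box you do not fully control: bind only to the VPN adapter address rather than 0.0.0.0, and refuse connections from any source other than your own VPN endpoint, so the controller's port 4911 is not exposed to every other TeamViewer VPN peer. The addresses are the ones from the post; the echo server is a constructed stand-in for the controller so the relay can be exercised offline.

```python
import socket
import socketserver
import threading

# Addresses from the post. The relay runs on the remote server (TeamViewer VPN
# endpoint 7.81.229.26) and hands connections on to the controller on the LAN.
VPN_LISTEN = ("7.81.229.26", 4911)
CONTROLLER = ("192.168.0.240", 4911)
OPERATOR_VPN_IP = "7.150.157.92"   # the only peer allowed to use the relay


def _pump(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class RelayHandler(socketserver.BaseRequestHandler):
    def handle(self):
        relay = self.server
        if relay.allowed_sources and self.client_address[0] not in relay.allowed_sources:
            return          # silently drop: other VPN peers get nothing, not even a banner
        try:
            upstream = socket.create_connection(relay.target, timeout=5)
        except OSError:
            return          # controller unreachable: the client side just closes
        upstream.settimeout(None)
        to_upstream = threading.Thread(target=_pump, args=(self.request, upstream), daemon=True)
        to_upstream.start()
        _pump(upstream, self.request)   # controller -> client on this thread
        to_upstream.join()
        upstream.close()


class Relay(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, listen, target, allowed_sources=()):
        self.target = target
        self.allowed_sources = frozenset(allowed_sources)   # empty set = allow anyone
        super().__init__(listen, RelayHandler)


def start_relay(listen, target, allowed_sources=()):
    """Bind, serve in a background thread, return the server (server_address has the bound port)."""
    relay = Relay(listen, target, allowed_sources)
    threading.Thread(target=relay.serve_forever, daemon=True).start()
    return relay


def probe(addr, payload, timeout=5):
    """Connect to addr, send payload, half-close, return everything read back until EOF."""
    got = b""
    try:
        with socket.create_connection(addr, timeout=timeout) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)
            while True:
                chunk = s.recv(65536)
                if not chunk:
                    break
                got += chunk
    except OSError:       # a refused/reset connection simply yields what was read so far
        pass
    return got


class _EchoHandler(socketserver.BaseRequestHandler):
    def handle(self):
        _pump(self.request, self.request)   # echo until the peer half-closes


def start_echo_server():
    """Constructed stand-in for the BMS controller so the relay can be tested offline."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _EchoHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    # Offline demonstration. On the real server you would call
    # start_relay(VPN_LISTEN, CONTROLLER, {OPERATOR_VPN_IP}) and keep the process alive.
    echo = start_echo_server()
    relay = start_relay(("127.0.0.1", 0), echo.server_address, {"127.0.0.1"})
    print(probe(relay.server_address, b"hello controller"))
    relay.shutdown()
    echo.shutdown()
```

With the relay up, the programming tool is pointed at 7.81.229.26:4911 exactly as described in the post; the controller itself still only ever sees a connection from 192.168.0.108, which is also what you want its own access list, if it has one, to allow.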



Generate zenmap topographic map from cli

Hello all,

All is in the title. Is it possible to generate a zenmap topographic map from command line ?

Thanks :)



Cisco ASA - IPsec tunnel trying to use ‘DefaultL2LGroup’

/r/Cisco/comments/epjlr3/cisco_asa_ipsec_tunnel_trying_to_use/

Adding Fiber to internal network at work - I'm a software/mathematics guy looking for advice

Ducting is to be laid for fiber and I am being tasked with choosing fiber, media converters and switches. I am familiar with fiber in that I studied lasers from an applied math/physics perspective, setup free space optics experiments for single and two mode lasers in research lab with a single fiber cable (SIMPLEX I think is how it is called in networking) but I have not worked with end-user equipment in this regard. I have extended part of the existing network to other buildings < 100m and I have set up routers/APs/virtual machines/firewalls/VPN etc and am a linux user (if relevant).

The new building will have 5+ fibre connections coming to it from around the site so I am looking for advice with fiber types and then converting to RJ45. The fiber will run outside in buried ducting and we are looking for a consultant to terminate the fiber ends correctly (I am reluctant to terminate the ends myself and have said so). My known constraints/issues are:

  1. Fiber running outside for 100s of meters (but under 1km)
  2. 5-6 fiber (one per building) connections coming back to one room/switch
  3. I do not want to get locked in to a particular/single manufacturer if possible to avoid having to buy proprietary patch leads or something anytime I want to add a device to the network.
  4. The longest length of the site appears to be ~400m (corner to corner)

I've read a few posts including https://www.reddit.com/r/networking/comments/3gx5dz/ysk_if_you_dont_about_fiber_optics_and_how_they/. Looking around individual media convertors seem to have a few comments saying to avoid them, mainly due to if another person takes over managing the network they may not find the converters etc. I am looking for a rack mountable, multi port cable media convertor. My thinking is if it's rack mountable it will be seen and we can label it. My google search has found this:

http://www.ot-systems.com/en-ww/product/detail.php?MID3=4&SID=87

From the image I naively assumed it worked as 8 individual media convertors (fiber in and the next adjacent RJ45 out), but I am interpreting the applications image to suggest the device is smarter and I do not need to take pairs (unless I am reading it wrong). Either way using 1 or 6 patch panel leads (one for each fiber in) to connect the media convertor to the switch is not an issue. However, the fiber connection is SFP and from my reading I do not think this restricts the types of fiber I can use but I am unsure.

So my uncertainties and unanswered questions are:

  1. Do I need simplex or duplex fiber? Does it matter these days?
  2. Can I arbitrarily use either SIMPLEX or DUPLEX with the above media convertor?
  3. For multiple fiber cables coming in is the media convertor above suitable? Are there better recommendations?

I will need media convertors at each other building but they only need a single media convertor.



Accidentally used a U/Utp cat 6 instead of cat 5e. Do i absolutely need to ground it and if so can i ground it directly to a power outlet with an external cable?

Also, I've read many comments elsewhere saying you need to ground both ends and some saying only one end. I don't know what to believe.

Since none of my devices can ground, what is my cheapest choice? Thanks for any help!



How to generate Cisco config files?

Hello everyone!

I got a job offer yesterday and am really looking forward to this position as a junior network & security engineer. During my interview they mentioned that they will rollout 100 switches for a project this year and when I asked them how they generate the config files, they said they didn't and it's all done by hand but will move to a new solution next year. I was pretty astonished by that answer since I have recently started getting back into python and learn some network automation/programming and thought that it's common to automate a process like that.

Now in my homelab with the 4 switches I have, I haven't generated and rolled out whole configs yet. I am currently working with the library netmiko and have only done small things like shutdown unused switchports, configure port security and draw a map of the topology with scripts.

Now I thought about how I could help my future employer to automate this process, since my start date is in March.

How would I go about automating this? Are switch configurations usually planned in Excel/CSV files that I could pull information from and generate a config file from? Or should I not generate a config file but instead use netmiko to send every single command to configure it? From my experience so far, sending commands to shut down switchports, for example, when not using a range command is very slow and may not be ideal for this purpose.

What are your experiences and what resources should I look into? Any help is appreciated thank you!!
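An added example of the CSV-to-config approach asked about above (this is not the employer's tooling or any library's API; the inventory rows, VLAN numbers and interface names are constructed). It uses only the standard library so it runs anywhere: the per-switch values live in a CSV, a template carries the common baseline, and every row is validated before anything is rendered, because a typo in a spreadsheet cell is otherwise pushed to a hundred switches. The baseline deliberately includes the port-security and BPDU guard lines a junior engineer would otherwise type by hand.

```python
import csv
import io
import ipaddress
import re
import string

# Constructed inventory in the shape the post describes: one row per switch.
INVENTORY_CSV = """hostname,mgmt_ip,mgmt_mask,gateway,mgmt_vlan,access_vlan,voice_vlan,uplink
SW-FLOOR1-01,10.10.10.11,255.255.255.0,10.10.10.1,10,100,200,GigabitEthernet1/0/48
SW-FLOOR1-02,10.10.10.12,255.255.255.0,10.10.10.1,10,100,200,GigabitEthernet1/0/48
"""

# Common baseline; $name fields are filled from the CSV row.
TEMPLATE = string.Template("""\
hostname $hostname
!
no ip domain-lookup
service password-encryption
!
vlan $mgmt_vlan
 name MGMT
vlan $access_vlan
 name USERS
vlan $voice_vlan
 name VOICE
!
interface Vlan$mgmt_vlan
 ip address $mgmt_ip $mgmt_mask
 no shutdown
!
ip default-gateway $gateway
!
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan $access_vlan
 switchport voice vlan $voice_vlan
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface $uplink
 description UPLINK
 switchport mode trunk
 switchport trunk allowed vlan $mgmt_vlan,$access_vlan,$voice_vlan
!
""")

HOSTNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,62}$")
REQUIRED = ("hostname", "mgmt_ip", "mgmt_mask", "gateway", "mgmt_vlan", "access_vlan", "voice_vlan", "uplink")


def validate(row):
    """Return a list of problems with one CSV row (empty list means it is safe to render)."""
    problems = [f"missing column {k}" for k in REQUIRED if not row.get(k)]
    if problems:
        return problems
    if not HOSTNAME_RE.match(row["hostname"]):
        problems.append("hostname must be letters/digits/hyphens and start with a letter")
    try:
        mgmt = ipaddress.ip_interface(f"{row['mgmt_ip']}/{row['mgmt_mask']}")
        if ipaddress.ip_address(row["gateway"]) not in mgmt.network:
            problems.append("gateway is not inside the management subnet")
    except ValueError as e:
        problems.append(f"bad address or mask: {e}")
    vlans = {}
    for key in ("mgmt_vlan", "access_vlan", "voice_vlan"):
        try:
            v = int(row[key])
            if not 1 <= v <= 4094:
                problems.append(f"{key} out of range 1-4094")
            vlans[key] = v
        except ValueError:
            problems.append(f"{key} is not a number")
    if len(set(vlans.values())) != len(vlans):
        problems.append("mgmt/access/voice VLAN ids must be distinct")
    return problems


def render(row):
    problems = validate(row)
    if problems:
        raise ValueError(f"{row.get('hostname', '?')}: " + "; ".join(problems))
    return TEMPLATE.substitute(row)


def build_all(csv_text):
    """Map hostname -> full config text for every row in the CSV."""
    return {row["hostname"]: render(row) for row in csv.DictReader(io.StringIO(csv_text))}


if __name__ == "__main__":
    for host, cfg in build_all(INVENTORY_CSV).items():
        with open(f"{host}.cfg", "w") as f:
            f.write(cfg)
        print(f"wrote {host}.cfg ({cfg.count(chr(10))} lines)")
```

The generated files are what you review and keep in version control; pushing them is then a separate step, whether that is netmiko's `send_config_from_file`, a TFTP/SCP copy to `running-config`, or zero-touch provisioning, and is the same for all hundred switches. Adding a column later (say a site-specific syslog server) is a one-line change to the template rather than a hundred edits.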



Website is not available after open a browser new, after refreshing everything works fine.

Hi, I have a problem at my company. If any of us opens a new browser and tries to get to a website (it doesn't matter which site), there is no connection. After refreshing the browser, everything works fine. Does somebody have an idea how to solve this problem? Thank you very much.



Multicast tooling

Hello everyone,

I am searching for a tool that generates multicast packets. Just a bit clueless about which one is good and which one isn't. If you have some tips or recommendations, let me know!



Wednesday, January 15, 2020

Cisco or Arista SW scripting to pull IOS (EOS) version and Model info

Hi

I would like to ask what is the best way to get IOS(EOS) version and model info from Cisco or Arista SW from scripting? The value can be JSON type or some value.. We have jump host and can ssh into all these SWs.

Let's say we want to make some nice inventory feature based on the scripting data from the jump host.
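An added example of the parsing half of that inventory job (not vendor code; the `show version` samples are constructed in the shape of the real output, with made-up versions and serial numbers). Collection is the easy part: over SSH from the jump host, `show version` on IOS gives free text, while EOS gives native JSON with `show version | json` (or via eAPI). The inventory script therefore needs a small normaliser so both land in the same record. A check against a list of versions you have approved is included, since the point of an inventory is usually to find what is out of policy.

```python
import json
import re

# Constructed sample outputs (shape of the real commands, values invented).
IOS_SHOW_VERSION = """\
Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(7)E3, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
core-sw1 uptime is 1 year, 12 weeks, 3 days, 4 hours, 10 minutes
System image file is "flash:/c2960x-universalk9-mz.152-7.E3.bin"
cisco WS-C2960X-48FPD-L (APM86XXX) processor (revision A0) with 524288K bytes of memory.
Processor board ID FOC1234X5YZ
"""

EOS_SHOW_VERSION_JSON = """\
{"modelName": "DCS-7050SX-64", "version": "4.22.1F", "serialNumber": "JPE12345678",
 "systemMacAddress": "00:1c:73:00:00:01", "architecture": "i386"}
"""

IOS_VERSION_RE = re.compile(r"Version\s+([\w.()]+)")
IOS_MODEL_RE = re.compile(r"^cisco\s+(\S+)\s+\(", re.MULTILINE)   # "cisco WS-C2960X-... (APM86XXX) processor"
IOS_SERIAL_RE = re.compile(r"Processor board ID\s+(\S+)")


def parse_ios_show_version(text):
    def first(rx):
        m = rx.search(text)
        return m.group(1) if m else None
    return {"vendor": "cisco", "model": first(IOS_MODEL_RE),
            "version": first(IOS_VERSION_RE), "serial": first(IOS_SERIAL_RE)}


def parse_eos_show_version_json(text):
    d = json.loads(text)
    return {"vendor": "arista", "model": d.get("modelName"),
            "version": d.get("version"), "serial": d.get("serialNumber")}


def parse_show_version(raw):
    """Normalise either vendor's output into one record; JSON is detected by its first character."""
    stripped = raw.lstrip()
    if stripped.startswith("{"):
        return parse_eos_show_version_json(stripped)
    if "Cisco IOS" in stripped:
        return parse_ios_show_version(stripped)
    raise ValueError("unrecognised show version output")


def build_inventory(outputs, approved=None):
    """outputs: {hostname: raw show-version text}. approved: {vendor: set(versions)}.
    Returns a list of records with an 'approved' flag; None when no policy is given."""
    records = []
    for host, raw in sorted(outputs.items()):
        rec = {"hostname": host, **parse_show_version(raw)}
        rec["approved"] = None if approved is None else rec["version"] in approved.get(rec["vendor"], set())
        records.append(rec)
    return records


if __name__ == "__main__":
    # On the jump host the raw text would come from netmiko's send_command("show version")
    # for IOS and send_command("show version | json") for EOS; here it is the constructed samples.
    policy = {"cisco": {"15.2(7)E3"}, "arista": {"4.22.3M"}}
    inv = build_inventory({"core-sw1": IOS_SHOW_VERSION, "leaf1": EOS_SHOW_VERSION_JSON}, policy)
    print(json.dumps(inv, indent=2))
```

Regexes against free text are the brittle part; the IOS patterns above are anchored on phrases that have been stable across IOS and IOS-XE for years, but any new platform should be checked against one real capture before it goes into the inventory job.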



Telco providing -2dB on a LX connection

So, I just wasted several days trying to get a circuit turned up because it turns out the provider is sending me -2dB when the Cisco SFPs will only accept it at a max of -3... Didn't notice till I put a light meter on it and was like 'Damn, that's a good signal' then started thinking that maybe it was outside the max receive range. Checked the spec sheet, and yup max receive is -3... Thankfully Amazon Prime has attenuators that'll be here tomorrow.

Is it just me, or is the spec for transmit power on LX -9 to -3 dB ? Could they be using the wrong optic on their side or perhaps just have one that is transmitting outside of spec?
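An added calculator for the situation above (not from the post or any vendor tool). Optical power is in dBm, not dB, so the comparisons are straightforward subtractions: a fixed pad of N dB takes N off the received level. The receive window used is the one the post quotes for its Cisco SFP (max -3 dBm) plus the usual 1000BASE-LX receiver sensitivity of -19 dBm and the IEEE 802.3 1000BASE-LX launch-power range of -11 to -3 dBm; these are assumptions to be checked against your own optic's datasheet. The function picks the smallest stock attenuator that leaves a margin on both sides of the window, because a -3 dBm signal padded to exactly -3 dBm is still one warm afternoon away from overload.

```python
# Assumed figures: the post's Cisco SFP receive maximum, IEEE 802.3 1000BASE-LX
# receiver sensitivity and launch-power range. Check your own datasheet.
RX_MAX_DBM = -3.0
RX_SENSITIVITY_DBM = -19.0
TX_MIN_DBM, TX_MAX_DBM = -11.0, -3.0
STANDARD_PADS_DB = (1, 2, 3, 5, 7, 10, 15, 20)   # commonly stocked fixed attenuators


def rx_in_window(power_dbm, rx_max=RX_MAX_DBM, rx_min=RX_SENSITIVITY_DBM, margin_db=0.0):
    """True if the received level sits inside the receiver window with margin_db to spare on each side."""
    return rx_min + margin_db <= power_dbm <= rx_max - margin_db


def tx_in_spec(launch_dbm, tx_min=TX_MIN_DBM, tx_max=TX_MAX_DBM):
    """True if the far end's launch power is inside the 1000BASE-LX transmitter spec."""
    return tx_min <= launch_dbm <= tx_max


def choose_attenuator(measured_dbm, margin_db=2.0, rx_max=RX_MAX_DBM,
                      rx_min=RX_SENSITIVITY_DBM, pads=STANDARD_PADS_DB):
    """Smallest stock pad that puts the measured level inside the window with margin.
    Returns 0 if no pad is needed and None if no single pad can satisfy both limits
    (a too-weak signal cannot be fixed by attenuation at all)."""
    if rx_in_window(measured_dbm, rx_max, rx_min, margin_db):
        return 0
    for pad in sorted(pads):
        if rx_in_window(measured_dbm - pad, rx_max, rx_min, margin_db):
            return pad
    return None


if __name__ == "__main__":
    measured = -2.0                        # what the post's light meter showed
    print("in window as-is:", rx_in_window(measured))          # False
    print("provider Tx within LX spec:", tx_in_spec(measured))  # False: above the -3 dBm max
    pad = choose_attenuator(measured)
    print(f"fit a {pad} dB pad -> {measured - pad:.1f} dBm at the receiver")
```

On the post's numbers a 3 dB pad lands the receiver at -5 dBm, two dB under the overload point and comfortably above sensitivity; a 5 or 10 dB pad would also work if that is what is on the shelf. Note that -2 dBm is above the maximum launch power the LX spec allows, which supports the poster's suspicion that the far end is either a hotter optic (an EX/ZX type) or one running out of spec.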



Replacing Nexus 5k in VPC with 9k

So we are in the process of replacing our two Nexus 5k's in vPC with a static pinning fex (Nexus 2k each). This is not dual homed. We would like a non disruptive way of replacing the 5ks but having an issue figuring out a way to do this. It was no issue shutting down the first 5k as the vPC did a great job of handling traffic from our servers which are plugged into each side. The problem is getting back to the 9k once we are ready to replace the second 5k. Would be simple if I could vPC between a 5k and 9k but that's not an option. What is the best way to go about this?



[Questions] Connecting 2 different routers to a single MotionEyeOS operating system

I'm not sure whether this is the correct subreddit to be posting this, if not please do inform me and I'll take it down and post it on one that is more appropriate for it.

I am currently running MotionEyeOS on a basic computer, which is connected to my router via an Ethernet connection. To access the dashboard of the operating system I type in the interface wlan0 IP address that the OS assigns (for instance 10.10.2.109). This MotionEyeOS setup will be called HUB.

Using a raspberry pi which is situated in another location (using another router and in turn assigned a unique IP address) I would like to feed the video stream directly to HUB.

I cannot find any documentation, video, etc on how to do so. (images below should help clarify problem).

https://imgur.com/a/KHVYtED

The only potential solution I can see to this is adding the router configuration in the file wpa_supplicant.conf within MotionEyeOS. However, even after doing that it doesn't seem to work.

I'd appreciate any help, thanks!



Network diagrams with interface names and IPs

Topic title says it all. I’ve tinkered around with network diagrams all my career, and never really been satisfied with how they turn out if I try to include interface names (ex. xe-0/1/2) and accompanying IP addresses in them. Things just become so cluttered.

Artistically speaking, if you don’t have a balance between space and content, the composition will overall feel cluttered. Your eyes won’t really flow over the diagram. Basically it stops being something nice to look at, and coworkers won’t adapt to them.

I’ve had cases where I’ve caught coworkers trying to map out what interfaces connect to what devices and the IPs and I’m like “dude I made a drawing for that. I shared it with all of you, it’s on the SharePoint.” Well, they don’t like looking at it because it’s cluttered.

All of the resources out there like networkdiagram101.com feature examples where interface names and IP addresses are generally excluded. That’s not the kind of document I’m trying to make. I want it to be a technical document where if you see an IP you don’t recognize in a traceroute you’d visually see exactly which interface you hit, etc.

Is that my problem that most diagrams aren’t supposed to be that granular? Are they just supposed to abstract the literal and depict the logical, i.e. which devices are connected to which devices, and don’t include granular details like which port and what IP the connections are?

To me they just become a lot less useful.

Are there any example of any diagrams out there with very granular information that don’t look like a jumbled cluster of text boxes everywhere? Or is that just a problem with granularity?

Also icon size: if you’re doing network diagram 101 style pieces then small icons work great. If you’re trying to depict and label 4-5 interfaces coming off one device, you can’t attach all that to a small icon easily. But using bigger icons tends to make things look almost juvenile and unprofessional. Almost cartoon-like, if that makes sense.

I want something that’s easy to look at while also being very granular and containing tons of info.

Any suggestions?



Core switches and automation

Hey all,

It's time to replace our core infrastructure and management wants it automated. We do a little bit with Ansible, mostly on new ISR routers out of the box, which works well to not make mistakes. We also use it for small changes across a large number of devices, which is great. However, we never got it to work on Nexus 7.3.

Now, any sort of ACI type of solution from anyone isn't happening. So where does that leave us? I spoke with Juniper and wasn't terribly impressed and already know how the Cisco game goes. In an ideal world, every config change takes place via running the entire config file rather than bits of smaller playbooks, like how a server runs a puppet agent every 30 minutes. Cisco has a ton of ansible modules and they are sending us demo equipment to test but is Juniper just friendlier here?

Simple design, couple of cores and then top of rack switches. I can go into more detail but design help isn't really what I need, it's automation advice. Thank you!



Security+ prep question

Hey guys! I am prepping to take the Sec+ exam and Im wanting to hear from you guys on what exam prepping you used and what materials and resources you accessed.

Thanks!



Simulating multiple WiFi clients? (hotel)

Hello!

I am working on a hotel network upgrade project.

I haven't had any WiFi-heavy projects up until now.

Is there a way (or even a point) simulating multiple WiFi clients for network testing? I am mainly looking to test APs at central locations such as the pool or the dining room.

Also, any hotel-networking related advice is welcome!

Thanks!



Perimeter firewall placement help please - where in the perimeter should it go? On the very edge?

I'm in over my head and I appreciate any guidance I can get on the proper placement of a firewall(s). I know enough to know that I don't know what I don't know. I've been with this company 25+ years and the group that handled security and firewalls is gone now. Because I've done some network work over the years my management assumes that I know everything about firewalls which I don't. Are any of these scenarios valid? What is the best practice?

a. Scenario 1 - Can I use the firewall as a gateway?

b. Scenario 2 - Should I have separate gateway router(s) between the ISPs and firewall?

c. Scenario 3 - Should I route traffic through the firewall back into the L3 switch and use the L3 switch as a gateway?

d. Something else?

Diagram: https://imgur.com/a/RosgbvR

This is new construction and we have a pretty hefty budget. We expect max bandwidth utilization to approach 1 Gbps. I think we will use PaloAlto PA 3020s.



I Need some help and guidance.

Hey Guys,

I hope everyone's Wednesday is going well. I am hoping someone can help shed some light on an issue I can't seem to figure out. I've been at this for two days and I just can't seem to figure out what is going on. So to give you a breakdown, I have TWO sites that are connected via a site-to-site VPN using Cisco RV345 SMB routers (yes, I know they suck).

-------------------------------------------------------------------------------------------------------

So we have Site A: Site A is where we have our Domain Controller, as well as our Unifi AP Controller, NPS, Printer server, etc, etc. It's our main site/HQ.

Base network = VLAN1 - 192.168.16.0/24

Device Network = VLAN11 - 192.168.11.0/24

Guest WiFi Network = VLAN14 - 192.168.14.0/24

Main WIFi Network (NPS/802.1x) = VLAN15 - 192.168.15.0/24

--------------------------------------------------------------------------------------------------

On Site B (Which is about 1 block away): So site B is a warehouse that also has a few offices.

Base Network = VLAN1 - 192.168.17.0/24

Device Network = VLAN11 - 192.168.11.0/24

Guest WiFi Network = VLAN14 - 192.168.14.0/24

Main WiFi Network = VLAN15 - 192.168.15.0/24

So to give you a quick breakdown, Site B has a handful of Unifi APs that are being controlled by the controller at Site A. Those APs have IPs from site B. Each wireless network is on its own VLAN back on site A so we wanted to mimic the same setup here at site B. The issue I ran into was that site B is not able to get an IP address from the DHCP server on site A, so we created local DHCP servers on the router for each VLAN. We also broke each site down with its own range so as to not have duplicates. So site A has 10-100 and site B has 101-200, hope that makes sense.

Anyway, the main issue I am having right now is that VLAN1 on site B is the only VLAN that is able to communicate back to Site A. If I am on any of the other VLANs I cannot ping the server or do a complete traceroute. But if I am on VLAN1 everything works correctly. I can ping the server and I see the traceroute complete. So it seems like the other VLANs can't make use of the VPN tunnel. I do see a static route for 192.168.16.0 on the router. But the VPN is set up using GRE interfaces; I've always used site-to-sites where you list the networks that are available. I also checked the access rules and created rules that mimic any VLAN1 rule that I found, as well as the GRE rules for the VPN.

Anyway, I hope I explained this right and didn't confuse you too much. So the bottom line is if I am on any of the other VLANs on site B I can't communicate with the server back at the office on Site A. But if I am on VLAN1 it works correctly. So any help you can provide, or if y'all can point me in the right direction, would be greatly appreciated.
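An added check that is not part of the post above: before touching tunnel or access-rule configuration, it is worth running both sites' VLAN plans through an overlap test, because a routed tunnel can only carry prefixes that are unambiguous at both ends. The script takes the four VLANs per site exactly as listed in the post and reports which Site A prefixes a Site B host could even be routed to; the answer it produces is 192.168.16.0/24 only, which is the same symptom the post describes.

```python
import ipaddress
from itertools import combinations

# VLAN plans exactly as listed in the post.
SITE_A = {"VLAN1": "192.168.16.0/24", "VLAN11": "192.168.11.0/24",
          "VLAN14": "192.168.14.0/24", "VLAN15": "192.168.15.0/24"}
SITE_B = {"VLAN1": "192.168.17.0/24", "VLAN11": "192.168.11.0/24",
          "VLAN14": "192.168.14.0/24", "VLAN15": "192.168.15.0/24"}


def find_overlaps(sites):
    """sites: {site_name: {vlan_name: cidr}}.
    Returns every pair of prefixes from different sites that overlap, i.e. that a
    router in either site could not tell apart when choosing local vs tunnel."""
    entries = [(site, vlan, ipaddress.ip_network(cidr))
               for site, vlans in sites.items() for vlan, cidr in vlans.items()]
    return [(sa, va, str(na), sb, vb, str(nb))
            for (sa, va, na), (sb, vb, nb) in combinations(entries, 2)
            if sa != sb and na.overlaps(nb)]


def reachable_from(sites, src_site, dst_site):
    """Prefixes in dst_site that a host in src_site can be routed to across a tunnel:
    those that do not collide with any prefix src_site already has locally
    (a local connected route always wins over a tunnel route for the same prefix)."""
    local = [ipaddress.ip_network(c) for c in sites[src_site].values()]
    return {vlan: cidr for vlan, cidr in sites[dst_site].items()
            if not any(ipaddress.ip_network(cidr).overlaps(n) for n in local)}


if __name__ == "__main__":
    sites = {"A": SITE_A, "B": SITE_B}
    for sa, va, na, sb, vb, nb in find_overlaps(sites):
        print(f"overlap: {sa} {va} {na} <-> {sb} {vb} {nb}")
    print("Site A prefixes a Site B host can reach:", reachable_from(sites, "B", "A"))
```

The usual fix is to give Site B its own numbers for VLAN11/14/15 (for example 192.168.21/24/25.0/24) so that every prefix exists exactly once across the two sites; splitting DHCP ranges within one shared /24, as the post describes, avoids duplicate addresses but does not give the routers anything to route on.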



Windows Network VPN Server / Concentrator that prevents users configuration

I am looking for a VPN server in a Windows network to provide the capability that requires that computer to have a specific, non-copyable setting (certificate, encrypted PSK that can't be transferred.). I don't want to use Always-On. I was looking at using an OpenSSL system with a installable client but want to make sure that the users cannot move that configuration to a personal computer. I'd like it to be setup by IT ONLY.

I have searched far and wide and its a difficult thing to locate any perspective on.



Why does a Cisco WLC present a 'Login as:' prompt when using SSH?

When SSHing into a WLC you get a 'Login as:' prompt which you can type anything in before being presented with the username and password prompt.

Why does this exist? Is it a legacy thing? Why was it never removed?



Doing Windows file transfers over a long-distance/high latency connection (to AWS)

tl;dr - drag-and-drop file transfers over a 1gbps connection with ~30ms RTT, how to make more better?

We have our Windows file servers on AWS West Coast, mapped as network drives for most users in a Windows desktop environment.

We've just opened up an office in Texas with ~50 users who will regularly be moving tens of gigabytes of data back and forth from their workstations to the AWS servers, mostly through drag-and-drop file copies.

We are getting a 1gbps AWS Dx installed for this office, but even with that I expect the RTT will be in the ~30ms range which can cause sloth-like performance for SMBv3 traffic (From what I understand).

What are my options for optimization on this connection? Are there changes that can be done on the workstations, or on our firewall on the site (PA-3220)? Or will we have to turn to a WAN optimizer? Any recommendations?

In a prior life I casually worked with Riverbed Steelheads for a site running over a satellite connection, but that was a very different story (16mbps, 1200ms) and I was only doing minor maintenance, not setting up or baseline configuration.



Dumb Routing Questions! My auxiliary switch (on a different floor) cannot route to my firewall (which is also my wireless controller)

Alright so, I'll preface this by saying I am by no stretch a network admin - but my company doesnt have one.

I'll try to be as concise as possible here. All HP procurve switches. VLANs in question are MGMT and WIRELESS.

 

I have a core switch, connected to the firewall.

On the core I have a number of vlans -- MGMT, WIRELESS will be relevant for my question here. (to note, there never used to be an MGMT vlan - if you wanted to manage a switch you had to be physically at it - I added the MGMT vlan, and can now talk to all the switches from my desktop computer)

From the core switch, I can ping the firewall, and my wireless access points can communicate to it as well to get their IPs, and do wireless controller-y things.

 

I have my vlans tagged on trunk ports that run downstairs across fibre to the switch for that office space. MGMT and WIRELESS vlans are configured on the downstairs switch as well (and tagged).

From my downstairs switch, I can ping my core switch - but cannot ping the firewall, which means my AP cannot get an IP/be usable. The AP was working until relatively recently -- the only change I can think of is the implementation of the MGMT vlan and a route 0.0.0.0 to x.x.100.10 (mgmt IP of core switch).

Not sure what I need to add/modify/remove to make this work properly... Any help is appreciated!



Upload speeds slow for 6 months. ISP has no idea why..

Back in July 2019 we noticed our upload speeds were about 1/3 of what we pay for. I opened a ticket with the ISP and they replaced the modem. Speeds were good for 4 days and then they dropped back down. Opened another ticket and the field engineer came out to check the lines on the poles. They found a cracked wire on the pole, replaced it, and speeds were back to normal. 4 days later... back down. They came and replaced the modem again since all they provide is refurbished equipment. Speeds were back to normal and what do you know? 4 days goes by and they are back down.

ISP escalated to the NOC and NOC said they don’t see any issues. The field engineer supervisor said it could be an issue with static IPs? Didn’t really see how that was possible. I asked to have a temporary modem with a new range to give us time to test/reconfigure everything (we have 15 IPs with multiple site-to-site VPNs and other configurations that need time and planning.) Corporate denied giving us a new modem without paying and we refuse to pay. The issue was 4 months old at this point.

To add more complexity to the issue, we have another modem here for a customer that we provide disaster recovery services for. This modem is coming off of the same line from outside into the building. There is a splitter connecting both modems. This modem has 0 issues and the upload speeds are exactly what they should be.

7 months later and they are increasing our rate code today to “see if it helps”. They already did this 2-3 months ago and it didn’t do anything.

We monitored our network upload to see if somehow something was causing it internally but nothing was found.

Does anybody have any idea what could be causing something like this or anything we can look for/do that will help figure this out? Thanks in advance.



Questionnaire ( Native or untagged VLAN port is supported for AP)

Hello,

Do they mean that the switch port can be configured access or trunk for the AP ?



Small Business Network

Long-time lurker here,

I recently started my internship at a company and they are wanting a complete network redesign and a windows server to be implemented. I am a senior at university and I know the basics of networking but I haven't done an actual real-life project like this before! Does anybody have tips for designing a network for a small business? Are there any documents for network design best practices?

~12 computers (wifi but wanted to be wired in the new design)

~ 2 printers

~ will be implementing VOIP phones this year so I am to include those in the design

~ 1 new server

Thanks!



NPDESI exam

Hi everyone

I am currently trying to get certified in python for networks. I looked it up and the Cisco website says it will be retired at the end of February. Now, I was wondering if Cisco is offering a new but similar certification or if anyone knows any other good Python certificates.

Thanks to any responder in advance. I also apologize if this is a duplicate post, I searched for similar posts but didn't find anything.



Replacement current usercore and servercore switches

Hi all,

I've been recently promoted from service desk to Group System Engineer and one of my first tasks is to replace our current core as it's getting fairly old right now (+/- 10 years).

The plant where I have to replace it has +/- 60 end user switches (model HP Aruba 2530's).

Our current setup is

Servercore: 2x HPE A5120 48G EI switch JE069A

Usercore: 3x HPE A5500 - 24SFP JD374A

As all our current equipment is already Aruba, I'm thinking of buying Aruba core switches, but I have no experience with these at all.

The budget they gave me for total replacement is €25 000.

I hope I'll be able to have the equipment for that price (including gbics etc)

On the Aruba website there are so many models and that combined with the small experience I have in networking; I would like some advice on what to buy.

Like what switches are the equivalents of the HPE for Aruba ?

Thanks in advance



Cisco ISR Performance License

Hi there,

Does anyone know if the limit is only on the WAN port? or does it apply on all the ports?

Im planning to use the ISR to ERSPAN on the one of the switched ports and send that info to a server



Printers lose link to switch when in power save mode - switch incapable of 10 M half duplex, how do you tackle that?

Hi!

Since the introduction of switches lacking the capability of half duplex (Extreme Networks X450-G2 for instance), we see that printers (and probably other stuff) lose the Ethernet link when the printer enters power save mode. This means that a printer cannot be managed and no status can be read from it during the power save mode. Looking back in the logs, we see that those same printers “flapped” between 1 G full duplex (FD) and 10 M HD when connected to old (10 M HD capable) X450e switches. With the X450-G2’s, they instead alternate between 1 G FD and no link. I think it’s safe to say that this is because the printer only advertises 10 M HD on the Ethernet link auto negotiation when it is in power save mode and the switch cannot accept that, so the link is brought down.

One fix is to set the power save mode of the printer to a less aggressive setting, but that raises the sleep power from 0.9 W to 36 W (Canon IR-Adv). Putting a small consumer switch between the printer and switch (with a power draw of ~5 W) also solves the problem, but adds to maintenance and cost.

More and more switches come out in multi-rate versions capable of 2.5 and/or 5 Gbps on the switch ports, dropping the support for 10 Mbps. This will also cause problems with power save gear that goes to 10 M HD (but is not the case here).

Does anyone else have this problem? Any info on how printer manufacturers tackle this problem?

/Fredrik



Multicast, IGMP snooping and Meraki MX

Hi guys,

I have some questions concerning Meraki equipment and how the MX firewall handles multicast traffic:

Example scenario: topology

1 x MX --> 3 x MS --> 5 x MR --> 5 IPTV STB

Each MR AP has an IPTV STB connected.

In this test scenario, the IPTV provider has 3 channels - Channel 1 (8 Mbps), Channel 2 (8 Mbps) and Channel 3 (4 Mbps).

As IGMP snooping is available on MS Switches, each MR AP only gets the specific IPTV multicast stream, that the STB has requested. Happy network.

The MX firewall, on the other hand, doesn't have IGMP snooping (I don't understand why...), so the MX floods all STB requested IPTV multicast traffic to every directly connected MS Switch, even the switches only connected to one MR AP / STB (see topology). Not so happy network.

In our real-life scenario, you have to increase the IPTV provider channel number from 3 to 50 (300-400 Mbps total multicast traffic) and increase the number of MS switches connected to the MX from 3 to 8, and you would have a constant ~350 Mbps * 8 = 2.8 Gbps of multicast traffic being passed through the MX.

This causes a lot of unnecessary congestion on the network backbone link between MX & MS.

I know that setting an aggregation switch between the MX firewall and MS switches, that has IGMP snooping would solve this issue, but that's besides the point.

Would this amount of multicast traffic flooding negatively impact the MX performance, and if so, how much?

Thank you.
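An added example, not from either post, serving two questions on this page: the "Multicast tooling" request for something that generates multicast packets, and the IGMP snooping question above. The snooping switches described above only forward a group to ports where they have seen an IGMP membership report for it, so the most useful test packet to be able to build and read is exactly that report. The script below constructs IGMPv2 membership report and leave messages with a correct RFC 1071 checksum, verifies them, and wraps a plain UDP multicast sender with an explicit TTL (a TTL of 1 keeps a test stream on the local segment instead of into the MX). Sending raw IGMP needs a raw socket and root, so only the UDP sender actually transmits; the group and port numbers are made up.

```python
import socket
import struct

IGMP_MEMBERSHIP_REPORT_V2 = 0x16
IGMP_LEAVE_GROUP = 0x17
ALL_ROUTERS = "224.0.0.2"   # IGMPv2 leaves are addressed here, reports to the group itself


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by IGMP (and IP/ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def igmpv2_message(msg_type, group):
    """8-byte IGMPv2 message: type, max-response-time (0 for reports/leaves), checksum, group."""
    unchecked = struct.pack("!BBH4s", msg_type, 0, 0, socket.inet_aton(group))
    return struct.pack("!BBH4s", msg_type, 0, inet_checksum(unchecked), socket.inet_aton(group))


def parse_igmpv2(packet):
    """Decode an IGMPv2 message, rejecting short or corrupted ones.
    Summing a valid message including its checksum field gives 0."""
    if len(packet) < 8:
        raise ValueError("IGMPv2 message is 8 bytes")
    if inet_checksum(packet[:8]) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp, _, group = struct.unpack("!BBH4s", packet[:8])
    return {"type": msg_type, "max_resp": max_resp, "group": socket.inet_ntoa(group)}


def igmp_destination(packet):
    """Where an IGMPv2 message is sent on the wire: the group for reports, all-routers for leaves."""
    msg = parse_igmpv2(packet)
    return ALL_ROUTERS if msg["type"] == IGMP_LEAVE_GROUP else msg["group"]


def multicast_udp_sender(ttl=1, iface_ip=None):
    """UDP socket prepared for multicast: TTL bounds how far the stream travels,
    iface_ip (optional) pins the egress interface on a multi-homed test box."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, struct.pack("b", ttl))
    if iface_ip:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface_ip))
    return s


def send_test_stream(group, port, count, payload_size=1316, ttl=1, iface_ip=None):
    """Send `count` numbered datagrams of payload_size bytes to group:port (1316 = 7 MPEG-TS cells,
    the usual IPTV datagram size). Returns the number of datagrams sent."""
    s = multicast_udp_sender(ttl, iface_ip)
    sent = 0
    try:
        for seq in range(count):
            s.sendto(struct.pack("!I", seq).ljust(payload_size, b"\x00"), (group, port))
            sent += 1
    finally:
        s.close()
    return sent


if __name__ == "__main__":
    report = igmpv2_message(IGMP_MEMBERSHIP_REPORT_V2, "239.1.1.1")   # constructed group
    print(report.hex(), parse_igmpv2(report), "->", igmp_destination(report))
    leave = igmpv2_message(IGMP_LEAVE_GROUP, "239.1.1.1")
    print(leave.hex(), "->", igmp_destination(leave))
    # Transmit only when run on a host with a multicast-capable interface:
    # print(send_test_stream("239.1.1.1", 5004, count=100))
```

A receiver counting datagrams per group on each switch port is the matching half of the test: with the sender running and a single STB joined, the uplinks that still carry the group are the ones where snooping is not in play, which on the topology above is the MX-to-MS link.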



Portable small 4G device

Hi all,

I'm just wondering if anyone's come across anything extremely small and portable with 4G and an Ethernet connection. Basically I found myself in a data centre where I needed a 4G connection to get some kit online (hence I needed an Ethernet port to connect the kit to) so that once the kit was online I could get the MAC address. It was a complete ballache, but I've started looking around for something I can just carry, grab the SIM out of my phone, plug it in and then give the switch an Ethernet connection out. Not expecting great speeds or anything scalable, just to get me out of a fix in the future!



Guest WiFi users disconnected too quickly when they lock their devices

Hi All,

I have users reporting an issue where they get disconnected from the WiFi when they lock the screen on their devices. When users wake their devices they are having to re-authenticate again by logging back into the WiFi rather than it just automatically re-connecting them. I am using Cisco ISE to authenticate users, users are directed to a web portal where they can log in with their AD accounts or alternatively they can register a guest account.

On the WLC, I have disabled idle timeouts however that has not had any impact. On ISE, I have added Radius Idle timeout values and Radius session timeout values to the authorisation profile however both of these actions have failed to stop user sessions being dropped when their devices are essentially in sleep mode. I want users to only have to authenticate once a day per device and after that I want their sessions to stay live so that their devices automatically connect to the WiFi without the need to login for 24 hours.

Does anyone have any suggestions on how I might achieve this?



Why do some countries have double domain endings like .co.uk or .com.tr?


Ospf LSA summarization

Can someone please explain it more for me? We're using OSPF in our network but we're not doing any LSA summarization. Are there any drawbacks to using it?



SecureCRT sessions shortcut creation script so you can launch from Windows search, Everything etc

Whipped this up because I hate clicking through SecureCRT and its search is slow:

https://github.com/chonty/securecrt-shortcuts



Tuesday, January 14, 2020

HPE DAC to connect between HPE server and Allied Telesis Switch

Does anyone know if HPE 10Gb DACs work to connect between HPE servers (NC550SFP & 560FLR-SFP+) and Allied Telesis switches - particularly the x510 range?

I'm looking at upgrading the switch in my homelab, and have a pretty good option on an AT switch, but don't want to have to spend a lot of additional money on switching to SFP+ fibre optics as well.



NetEngr quit and I have been tasked to create a few FW rules which I kinda know how to do but haven't in so long!

Sysadmin here, but now both that and noob netadmin I guess. Long story short, our network engineer quit. And now I've been given the task of taking over a project that requires opening ports on the FW to allow this new vulnerability tool we're using. It's basically 5 LAN IPs that need "any to any" access to all our gosh-given servers. We use SonicWall FWs.

Any suggestions on how to get this started would be appreciated! And no, leaving my job is not a suggestion, although down the line, yeah. Thanks in advance and sorry for the noob question, just stressed and reaching out anywhere to get a tad of assistance from my digital community.



What should I do with my /24 block of IPv4 numbers?

Hi everyone. I'm new here, but hoping someone has wisdom for me.

I own a block of 256 IP numbers that I applied for back in the mid-90's. I used them briefly back then, but want to use them again now (they've been unused most all this time). I'm just a software dev though (sleepless.com) not a networking company. I know that the #'s need to be routed, and the only machines I'd want to route them to are cloud machines on Digital Ocean, or AWS, or whatever.

Is there any way I can get my numbers routed to a cloud machine on a cloud hosting provider? Or should I just sell or lease them to someone else? I'd prefer not to sell them, I'd rather lease them.

Thanks in advance.

j.h.



Is there a way to tell if my ISP is throttling my Internet?

Recently I called my ISP (spectrum) regarding getting rid of my cable tv, they said they would give me a “deal” and lower our bill to what new customers pay ($60 less than what we were paying). After that phone call our internet suddenly got very slow. I was wondering if it’s possible that they are now throttling our data.



Looking for "Cloud Provider" to Put One Linux Box and One Virtual Cisco Router in the Cloud for a Single Training

Hello Fellow Networkers!

As the title implies, I've been selected to give a training on basic Ansible and Python for my organization. The training will be conducted at a hotel over the course of two days. Ideally, I would like to put a virtual Cisco router and a Linux box in the cloud somewhere pre-configured with a publicly accessible IP (or at least publicly accessible in some manner, a range of ports, etc.) so that people can access it via ssh and do things. I know on the hotel wireless you can go external with no issue from past experience. I suspect client-to-client communications are out on the hotel wireless, so no laptop with VMs. I haven't dealt with cloud providers much, professionally or personally, and I don't know a good starting point. I assume someone like Amazon may be too feature rich or costly for what I'm looking for. I would appreciate any feedback on providers that may work for this.

Thanks in advance.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Verifying VoIP/(Skype/Teams) performance over WLAN

Are there any tools to test VoIP/Skype/Teams performance between two wireless endpoints? For example a tool that would allow me to play a high-quality audio file over the call, and the other end would also have the same audio file and then it could compare the call quality to the original? And also log if there are any problems like bad call quality, parts of the audio lost or something similar?

Or would that be a completely wrong way to approach this :)?

What I'm trying to do here is, after the initial WLAN setup, to make sure it works well even when we're doing some iperf tests at the same time etc. And if someone has issues later on, we could have a solid measurement of when and if that happens. As most people luckily don't have to spend 8 hours a day in Skype meetings, just asking the users might not really give exact facts on when and if it is happening.



Cisco Firepower default 30 mins timeout

Does anyone know how to change the default timeout for pushing a deployment? Right now, if I deploy and it fails, it may take up to 30 mins before it times out and lets me try again. Trying to find the setting that will maybe set it to 10 mins instead.



It's 2020 and I have questions about token ring, CAUs, LIUs and LAMs

So I am a vintage IBM enthusiast and hobbyist that collects and restores old MicroChannel machines and I've been looking to network my machines for a while now. Now, I could just be a normal person, stick LANStreamer cards in these machines and get a generic Ethernet hub, but that just doesn't feel right. No, I want the *full IBM experience* and that means connecting these machines to a Token Ring network managed by the finest IBM equipment available, and it just so happens I was given a box of MicroChannel adapters and an IBM 8230-003 Controlled Access Unit loaded out with four, four-port LIUs and a coax in-out module by one of my Uni professors.

Now, as I understand it, LIU stands for Lobe Interface Unit and while these modules sport four RJ45 jacks each, I'm fairly certain I can't just directly connect systems into it and that I need a LAM, or Lobe Attachment Module, which is effectively a 1U or 2U item with eight to thirty-two ports. Oh, and there are also serial ports on the back for use with up to four(?) LAMs, though I assume these are just for management of the LAMs.

So, my questions for you fine people are as follows...

- Can I directly connect systems to this CAU? Or do I need a LAM?

- If I need a LAM, how exactly do I go about connecting it to the CAU?

- What type of LAM (eg: IBM 82xx) would be "correct" to use alongside this CAU? I'm a stickler for period correctness and I don't want to just stick a newer LAM onto my older CAU.

- What resources or other information can you give or recommend to me that might be helpful?

- Am I insane for wanting to create the first new Token Ring network in however many years?



Monitoring as new Network Admin

Hey guys. Just inherited an environment w/ financial trouble. Expectation is just to maintain and upkeep. No budget to add on. I am still young in the Network Admin role so I was looking for best day-to-day monitoring / best practices. Environment is:

- Cisco ASA as edge firewall w/ HA (1 for VPNs)

- mix of dark fiber, e-Lans, and dedicated internet circuits to branch offices

- mostly HP (pre-aruba) l3 switches running RIP

- windows servers handling DHCP, DNS, Exchange, ...

- plenty of VLANs

- vm environment (lead Sys Admin mostly handles this)

- bunch of helpful utilities to monitor like WhatsUp, Splunk, Lansweeper, ...

Biggest thing is I'm not too familiar w/ RIP + BGP and want to make sure I know what to look for day-to-day.



How do you have wireless set up?

I've been working on redoing our wireless network. Right now we have two SSIDs, corp and guest. Both secured using a PSK. Corp has access to our data center. Guest is internet only. As always, the corp wifi has been loaded with personal cell phones.

Here is my plan:

Corp wifi with RADIUS connecting to AD
Guest wifi for actual guests with a login portal (access requested through the help desk and accounts will expire)

What do you do for personal devices like cell phones? Don't allow it at all? Should I make a third SSID with a PSK called Internal-Staff or something?



Huge mind F*CK network drops in s2s tunnel

Hi guys, I need to borrow your brains for this. Every hour on the 24th minute the connection times out; no matter when I start the connection or bound the VPN, it always drops at 24. For example, if I start the connection at 9:00am the connection will time out at 9:24am, same behaviour as if I start at 9:22.

So here's the description of the environment:

I have a tunnel between site A (SonicWall firmware 6.5.1.5) and site B (Cisco ASA firmware 9.13). There are no keepalives running. I have an app that makes connections every second to a port that runs on 12400 on the other side. The tunnel proposals are as follows:

Phase 1

- Main mode IKEv1

- DH group 5

- Encryption AES-256

- Auth SHA256

- Lifetime 28800

Phase 2

- Protocol ESP

- Encryption AES-256

- Auth SHA256

- Lifetime 3600

The troubleshooting steps I've tried:

- Changing the proposals to IKEv2

- Enabled keepalive on both sides and on one side only

- Switched from Windows to Linux to see if maybe it's an OS thing

- nping a different port (3389) while the app is running

One thing that did work is from Cisco ASA to Azure, having the app run there.

Any ideas? As I'm losing both sleep and my mind on this.



Recommendations for reliable wireless setup for class?

I started teaching a class of 14 students today and we had a lot of technical issues which took a lot of time away from actually teaching to fixing the issues. We currently have a consumer-grade D-Link DWR-921 which constantly dropped WiFi when there were too many clients connected. The WAN connection seemed to work fine, albeit a bit slowly because we're using LTE to get past some restrictions set on the school's network, but LAN connections kept disconnecting and lagging all the time.

I requested a new device and I hope someone who actually knows about networking makes the decision on picking a replacement.

In the meantime, I was hoping if any of you could recommend a good, low to medium budget device or setup in case the new replacement is equally shitty.

So use case and requirements here:

- 14 students + 1 teacher, each one has a laptop and Raspberry Pi, so it should handle 30+ connections.

- Easy-as-possible management. I need to be able to set internal static IPs, port forwarding, see connected devices etc.

- Preferably wireless, but if the device count gets too high to work for wireless I think we may be able to get switches

- 4G/LTE option so we can access WAN without restrictions

I did a quick search on this sub and Ubiquiti was recommended many times, I just don't know which model/setup would be good for this use case?



Issues w/ getting traffic past my Meraki Firewall

Was wondering if one of the networking geniuses here could help me figure this one out, since I am at a complete loss.

I have a reverse proxy set up for one of my applications here on property and that appears to be working correctly. My issue is whenever someone tries to hit my reverse proxy via the FQDN externally, the traffic dies at my firewall according to my tracert. But internally everything works fine.

The tracert shows the correct public IP from FQDN, it just appears the traffic doesn't know where to "hop" after the firewall. I have looked at the firewall settings and everything appears to be correct, but obviously it isn't because it's not working.

I have tried to look at the following on my firewall:

- Tried Port forwarding

- Checked my Inbound rules to make sure the source destination and port is correct

- I even looked into setting up a static route for this traffic, but didn't implement it because it appeared like it would break a lot of things if I tried this and I didn't want to risk breaking other things on my network.

If anyone has any ideas on where to look next, that would be appreciated. I am still new to all this networking stuff, and I am not that familiar w/ Meraki to boot.



Mikrotik RB4011 as Multicast RP

Hello,

I'm looking to learn Mikrotik routing & also play with multicast at home (without using Cisco hardware, with which I'm already familiar). I have a few $ in my PayPal from selling some stuff so I was thinking of picking up an RB4011. I'm pretty familiar with Cisco IOS, vyatta, edgeos (ubiquiti), and pfsense already & would like to add Mikrotik RouterOS to the list of software I'm familiar with. I'd also like to do inter-VLAN routing with the RB4011 (I have a Mikrotik CRS317 already in "production" using SwOS). From what I understand I can use a Cisco rollover console cable to configure everything via CLI.

Anyone have personal opinions on using RB4011/RouterOS as a multicast RP and/or inter-VLAN routing device? I'm thinking the best interface to use is the SFP+ connected to the CRS317 with 802.1q for each VLAN SVI.



AnyConnect Tunnel-ALL except for xx.xx.xx.xx

Have a use case where I need to tunnel all traffic through the RA VPN except for some specific CIDRs. Has anyone done this and if so can you share your config? I can't use split-tunnel with exceptions for the traffic that needs to be tunneled because it changes often and is tied to our offices' source IP. Wondering if using Tunnel-ALL allows for a deny or permit to route that traffic locally via the client?

Thanks



Fortigate 1000D Fin Packet SPAM

Hey all,

One of our Fortigate 1000Ds is spamming out about 500Mbps+ of traffic containing only FIN packets to various CDNs. This is causing it to consume its own resources to 100% utilisation. It has been starting and stopping over the past short while; has anyone else experienced anything like this recently?



Cisco WLC - AP move between two controllers - are clients disconnected?

So.. I've done this a million times for various reasons.. but now I'm a bit unsure due to a comment from a colleague.

When moving an AP from one controller to another (same Mobility group) via the primary/secondary controller on the actual AP.

Will the client keep their connection alive without having any sessions killed to the radios/interface/whatever flipping?



Thoughts on working in vendor support?

Hi all,

I've got an interview coming up for a TAC-type job for a major network vendor. I've never worked a "normal" networking gig, though I have extensive experience with firewalls and Intrusion Prevention/Detection Systems.

What are your thoughts on working in vendor support? Pros Vs cons?

If anyone has any experience they'd like to share, it would be greatly appreciated!



Cisco: Automating config change if IP SLA fails?

I've not dug much into EEM/TCL so am looking for advice from someone who has.

We have a bunch of ASRs acting as SBCs (not fully CUBE licensed though). What I want to achieve is: if an IP SLA action fails, then a specific dial-peer configuration is changed. Then when the IP SLA next succeeds, the config is put back as it was.

Is this possible? If anyone has some examples that would be great!



Has anyone found a Tripod or stand solution for Cisco WAP571?

Has anyone ever found a stand with a decent mounting solution for wireless access points? The building is listed so drilling the normal mounting plate onto any surface is not an acceptable solution. The stand does not need to be large, 30cm off the ground is acceptable.



Isolated VLANs

Hi, I am just looking for a bit of advice on how I would set up my DMZ network so that I can isolate my virtual machines from each other. My setup includes 3 host machines, each with 4 1GB connections set up in a SET. I then have ~10 virtual machines spread between the 3 devices. I don't want the VMs to have any connectivity to each other unless they go through a firewall at the end of my promiscuous port. I can then have better control for access etc.

I want to be able to move the virtual machines between any host without connectivity issues. At the moment all machines are using an IP address in the 192.168.10.x range with a default gateway of 192.168.10.1, which is the firewall at the end of the promiscuous port.

Here is the code I am currently using below. The issue I have at the moment is that the machines on each host can ping each other, but they don't go through the Promiscuous port to achieve this, it appears to be a direct connection. I would presume this is because they use the same port.

Machines on Host 1 can't ping machines on Host 2. It doesn't attempt to send this traffic through the promiscuous port either, as my firewall reports no traffic. Is this because the machines are on the same subnet and are trying to find the other VMs using broadcast rather than routing via the default gateway? I suspect the reason the machines can ping each other on the same host machine is because the ports are what is isolated, not the traffic from each VM, so as far as the switch is concerned any traffic on host1 is coming from host1 and it won't differentiate between host / VM etc.

Any advice on a better way to configure this or changes to make it work would be appreciated!

configure
vlan 2-3
exit
vlan 2
 private-vlan primary
 private-vlan association 3
exit
vlan 3
 private-vlan isolated
exit
!
interface Gi1/0/1
 channel-group 1 mode on
exit
!
interface Gi1/0/2
 channel-group 1 mode on
exit
!
interface Gi1/0/3
 channel-group 1 mode on
exit
!
interface Gi1/0/4
 channel-group 1 mode on
exit
!
interface Gi1/0/5
 channel-group 2 mode on
exit
!
interface Gi1/0/6
 channel-group 2 mode on
exit
!
interface Gi1/0/7
 channel-group 2 mode on
exit
!
interface Gi1/0/8
 channel-group 2 mode on
exit
!
interface Gi1/0/9
 channel-group 3 mode on
exit
!
interface Gi1/0/10
 channel-group 3 mode on
exit
!
interface Gi1/0/11
 channel-group 3 mode on
exit
!
interface Gi1/0/12
 channel-group 3 mode on
exit
!
interface Gi1/0/23
 channel-group 4 mode on
exit
!
interface Gi1/0/24
 channel-group 4 mode on
exit
!
interface port-channel 1
 switchport mode private-vlan host
 switchport private-vlan host-association 2 3
exit
!
interface port-channel 2
 switchport mode private-vlan host
 switchport private-vlan host-association 2 3
exit
!
interface port-channel 3
 switchport mode private-vlan host
 switchport private-vlan host-association 2 3
exit
!
interface port-channel 4
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 2 3
exit


Issue changing cisco WLC management interface IP

I want to move the WLC to a new management VLAN, but the device never becomes reachable on the new IP. I know the new subnet is working because the switch that is connected to the WLC is already operating on it with its management interface.

What I did:

On WLC (Cisco 2504):

reset system in 0:10:0 image no-swap reset-aps
config wlan disable all
config interface address management <new ip> <netmask> <def gw>
// interface vlan id remains set to 0

On switch (Cisco Small Business):

conf t
interface range <2 interfaces in the LAG>
switchport mode trunk
switchport trunk native vlan <management vlan>
switchport trunk allowed vlan add <tagged vlan for ssid 1>
switchport trunk allowed vlan add <tagged vlan for ssid 2>
channel-group 2 mode on

Afterwards I cannot access the WLC on the newly configured IP and have to wait until the WLC reboots from the scheduled reboot without saving.

What am I doing wrong?



Monday, January 13, 2020

Has anyone done this / is it possible?

OK, so I find it hard to explain, so I created a diagram - https://i.imgur.com/lKRPas2.png

Has anyone ever broken a QSFP 100G CWDM-based optic (using some sort of product) into its 4 individual waves/channels, then connected that to another CWDM shelf? Not talking about DAC cables that let you break out 40G into 4x10G, but actually running 40G/100G over multiple CWDM channels.

E.g. if you had a CWDM shelf with say 8 channels, and 4 happened to match the 4 waves on the QSFP, could you run 100G over 4 channels whilst still using the 4 remaining CWDM channels (over a single dark fibre pair)?

Did some searching and came across this for 40G, so (at least for 40G) it might be possible?



ASA NAT Issue: Cannot ping Server in DMZ - Static Nat not working

Hi all,

I cannot seem to ping the server in the DMZ from "OUTSIDE" (static NAT). However, I can ping outside from inside (PAT).

Could anyone point me to the right direction please?

object network INSIDE-OUTSIDE
nat (inside,outside) dynamic interface
object network DMZ2-OUTSIDE
nat (dmz2,outside) dynamic interface
object network DMZ1-OUTSIDE
nat (dmz1,outside) dynamic interface
!
nat (any,outside) after-auto source dynamic any interface
ASAlab2(config)#
ASAlab2(config)#
ASAlab2(config)# sh run
: Saved

:
: Serial Number: 9AMKNK263EE
: Hardware: ASAv, 2048 MB RAM, CPU Pentium II 2095 MHz
:
ASA Version 9.9(2)
!
hostname ASAlab2
enable password $sha512$5000$+Kpz/EysDD1un1b5YiX/MQ==$k3TtQlPYooJmTbkU/HIykA== pbkdf2
names

!
interface GigabitEthernet0/0
description WAN
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.252
!
interface GigabitEthernet0/1
description LAN
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ1
nameif dmz1
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/3
description DMZ2
nameif dmz2
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
no ip address
!
ftp mode passive
object network INSIDE-OUTSIDE
subnet 192.168.0.0 255.255.255.0
object network DMZ1-SERVER
host 192.168.1.10
object network OUTSIDE-DMZ1
host 10.1.1.10
object network DMZ2-OUTSIDE
subnet 192.168.2.0 255.255.255.0
object network DMZ1-OUTSIDE
subnet 192.168.1.0 255.255.255.0
access-list OUTISDE-DMZ extended permit ip any host 192.168.1.10
pager lines 23
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
!
object network INSIDE-OUTSIDE
nat (inside,outside) dynamic interface
object network DMZ2-OUTSIDE
nat (dmz2,outside) dynamic interface
object network DMZ1-OUTSIDE
nat (dmz1,outside) dynamic interface
!
nat (any,outside) after-auto source dynamic any interface
access-group OUTISDE-DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA

quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
console serial
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:1d55c3acd48ddf7aa7f83d370abfc6ba
: end

Thanks



No DHCP for Virtual Machines over Host Wifi - HPE OfficeConnect Switch 1920

Hello,

We have an HPE OfficeConnect 1920 switch connected to a Fortigate firewall. There are several VLANs configured:

10 - Trust LAN/Trust Wifi

20 - Wifi Guest

30 - Security

  • Our wireless access points are configured to tag traffic from either the Trust or Guest network and it works perfectly for our internal and guest user devices.

  • I have a virtual machine running on my Mac host and it refuses to get an IP address (Bridge mode, IP should be on same subnet as Trusted network) when I am using the Wi-Fi connection on my Mac.

  • When I hardwire it (trusted network) it works fine and when I go to other locations using my Wi-Fi it works fine. It's only not working at the office on Wi-Fi.

  • I did some packet sniffing and determined the host is sending out a DHCP request, the firewall is sending back an acknowledgement, but it's never reaching the client. Somewhere on the switch it's being lost for some reason.

  • If I set a static IP for the virtual machine it also works fine when using the Mac host on Wi-Fi. This is not feasible as a solution for all users, though.

Any thoughts on this? Thanks.



Program for Testing Customised IP Headers?

I'm currently working on a university research project that involves modifying IPv4, and would like to test various implementations of my new protocol using real network traffic. I've been doing some work on Network Simulator 3, but it obviously doesn't create real traffic that can be sent to a physical router (which I would like to do eventually so that I can try reprogramming the router).

Can anyone recommend a program that allows you to control specific sections of a packet's IPv4 header? I want to start by changing the value of the 'Version' field (so that I can get a router to accept such packets, rather than automatically drop them), and I also want to modify the address fields to implement a new addressing scheme (which would obviously require modifications to the test router).

I've read here that the NetScanTools Packet Generator provides "full header control for predefined packet types", but I'm not sure if that feature is contained in the freeware version and I'm not willing to pay for the Pro version unless it has all the features I need.

On the other hand, the Ostinato Packet Generator is within my price range, but I'm not sure if it provides the necessary control over packet headers/protocols.

Thanks in advance for any help!
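As an added example (not from the post and not from any of the tools it names), the following Python builds and parses raw IPv4 headers in memory with every field under the caller's control, including the Version field and the header length, and recomputes the RFC 1071 header checksum so that a field change does not leave a stale checksum behind. Nothing is sent; the addresses are constructed documentation ranges.

```python
"""Build and parse raw IPv4 headers (RFC 791 layout) with every field under
caller control, including the Version field.  Added example, not from the post;
it only constructs bytes in memory and never puts anything on the wire."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

HEADER_FMT = "!BBHHHBBH4s4s"  # 20 fixed bytes: RFC 791 header without options


def ipv4_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as a router verifies it.
    Over a header that includes a correct checksum field the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IPv4Header:
    src: str
    dst: str
    payload_len: int = 0
    version: int = 4              # the field the post wants to change
    ihl: int = 5                  # header length in 32-bit words (5 = no options)
    dscp_ecn: int = 0
    identification: int = 0
    flags: int = 0b010            # DF set, MF clear
    frag_offset: int = 0
    ttl: int = 64
    protocol: int = 17            # UDP
    checksum: Optional[int] = None  # None -> computed in pack()

    def pack(self) -> bytes:
        """Serialise the header; options space (ihl > 5) is zero-filled."""
        hdr_len = self.ihl * 4
        fixed = struct.pack(
            HEADER_FMT,
            (self.version << 4) | self.ihl,
            self.dscp_ecn,
            hdr_len + self.payload_len,          # Total Length
            self.identification,
            (self.flags << 13) | self.frag_offset,
            self.ttl,
            self.protocol,
            0,                                   # checksum placeholder
            IPv4Address(self.src).packed,
            IPv4Address(self.dst).packed,
        )
        fixed += b"\x00" * (hdr_len - 20)
        csum = ipv4_checksum(fixed) if self.checksum is None else self.checksum
        return fixed[:10] + struct.pack("!H", csum) + fixed[12:]


def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the header fields and report whether the checksum verifies,
    which is the check a receiving router performs before anything else."""
    if len(raw) < 20:
        raise ValueError("header shorter than 20 bytes")
    (v_ihl, dscp_ecn, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack(HEADER_FMT, raw[:20])
    ihl = v_ihl & 0x0F
    hdr_len = ihl * 4
    if ihl < 5 or len(raw) < hdr_len:
        raise ValueError(f"invalid IHL {ihl} for {len(raw)}-byte buffer")
    return {
        "version": v_ihl >> 4,
        "ihl": ihl,
        "dscp_ecn": dscp_ecn,
        "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        "checksum_ok": ipv4_checksum(raw[:hdr_len]) == 0,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
    }


if __name__ == "__main__":
    # Constructed sample: a normal header, then one with a non-standard Version.
    normal = IPv4Header("192.0.2.1", "198.51.100.2", payload_len=8).pack()
    custom = IPv4Header("192.0.2.1", "198.51.100.2", version=7, ihl=6).pack()
    for name, hdr in (("normal", normal), ("custom", custom)):
        print(name, hdr.hex(), parse_ipv4_header(hdr))
```

The parser reports `checksum_ok` separately from the decoded fields, so a capture of a modified packet shows at a glance whether a drop is caused by the Version value itself or by a checksum that was not recomputed after the edit.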



Am I reading these firewall rules correctly?

KB: https://newvoicemedia.atlassian.net/wiki/spaces/DP/pages/100697150/Technical+prerequisites
Something for a department using VoIP....
From what I'm gathering here it's basically just HTTPS? And the ephemeral ports are not something you open on the firewall; that seems kinda crazy, doesn't it?
XY prob: they’re having delay settings with things like phone status updates. My theory is it’s an IP relaxation setting for the app installed in their Salesforce.



Need advice on a networking device

I've got a simple network in ONE building. The people there need to access a server in anOTHER building a few city blocks away.

Someone set up a wireless link that joins the buildings, and it works. The people CAN access the server as needed.

What doesn't work is the person who set it up made the gateway in the OTHER building the gateway for the ONE building, resulting in the ONE building basically merged with the OTHER building, using their internet and DHCP and so on. This is undesirable.

I know that I need to set up a route in the ONE building so that only requests for the server use the bridge. Hook the bridge up to one particular LAN port, set the route to that port.

Any recommendations on a low cost business wifi router that will accomplish this task simply and properly?