Saturday, March 28, 2020

What is the worth of these Cisco routers/switches (I assume)?

Here are the images - https://imgur.com/a/sactgdj

I'm unsure if this is the correct place to ask but forgive me if I'm wrong. What is the value on a bin of these? Thanks a ton!



Cisco Net Academy replaced Soso!

They used to show Soso on the landing page; now it's a somewhat generic picture :(

https://imgur.com/a/7oujB8O



COVID made me work from home but I need help

Hi guys, so like many other people nowadays I'm forced to work from home. I'm working/studying in a microscopy laboratory and we use specialized software that is protected by a HASP key (a physical USB drive that serves as the license; the software doesn't work without it). This key is stuck somewhere in a server room in one of the computers. I never saw it personally, but it's in a PC that is visible on the faculty network, so as long as you are connected to the faculty LAN you can use the software (it only works if you are connected by cable; wifi doesn't work, no idea why).
You might guess what my problem is by now. I need to work with this software from home but I have no idea how to make it work. I googled for hours and tried many things but nothing worked.

I can't replicate the HASP key; it's illegal and nearly impossible. The VPN, SSH tunnel and proxy I tried don't work (maybe I set them up wrong; I followed some guides). I don't know what my next step is. Any idea is more than welcome.



VR networking tool

I work in networking and I need some VR tools to keep my mind sharp while I'm away from my equipment. Here is something like what I'm talking about: Twitter video link



Mesh MPLS VPN Configuration

Hello, I am having trouble understanding how a mesh VPN is configured. I know how MPLS is configured between two clients using VRFs, RT, RD, BGP and a CE-to-PE routing protocol, etc. In my scenario I am trying to have a mesh connection between 3 clients so that each client can communicate with the others. Could someone explain how this is achieved during the MPLS configuration process?

Topology: the 3 routers with MPLS beside them are the ones I am trying to configure.
https://1drv.ms/u/s!Aofz8f82GdrBgYhSMpwKPUdxMrlNHg



AnyConnect agent encountered an error.

Hi all,

I work for a large global company and I am burnt out trying to solve this issue with the outsourced support team. It's been going on for about two months.

Wondering if anyone has experience with this AnyConnect issue. Since I started my job at this company, my VPN has only been able to connect to a location in Canada. I am now only able to connect to a location in India.

I have the correct certificate. I keep seeing issues with ISC under services when I google it, and it seems like that's not the problem.

Any suggestion would be helpful. I am running v4.8.



Juniper vSRX + AWS site-to-site VPN doesn't work with acceleration enabled.

Hi,

I am in the process of bridging our legacy infrastructure to AWS using their site-to-site VPN.

I have observed that if the site-to-site VPN has acceleration enabled ("acceleration" is AWS's buzzword for anycast) the tunnel doesn't come up. However, if the VPN has acceleration disabled the tunnel comes up without any problems. From a technical perspective, "acceleration" usually dst-NATs a public IP to a private one (so this could be the issue); otherwise everything should be the same.

Does anyone have this working? Does anyone have a clue what the issue could be?

This is the redacted config for the VPN:

set security ike proposal ike-prop-vpn-0bc9831-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-0bc9831-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-0bc9831-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-0bc9831-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-0bc9831-1 dh-group group2
set security ike policy ike-pol-vpn-0bc9831-1 mode main
set security ike policy ike-pol-vpn-0bc9831-1 proposals ike-prop-vpn-0bc9831-1
set security ike policy ike-pol-vpn-0bc9831-1 pre-shared-key ascii-text [TOP SECRET KEY]
set security ike gateway gw-vpn-0bc9831-1 ike-policy ike-pol-vpn-0bc9831-1
set security ike gateway gw-vpn-0bc9831-1 external-interface reth1.0
set security ike gateway gw-vpn-0bc9831-1 address [TOP SECRET IP]
set security ike gateway gw-vpn-0bc9831-1 no-nat-traversal
set security ike gateway gw-vpn-0bc9831-1 dead-peer-detection threshold 3
set security ipsec proposal ipsec-prop-vpn-0bc9831-1 protocol esp
set security ipsec proposal ipsec-prop-vpn-0bc9831-1 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vpn-0bc9831-1 encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop-vpn-0bc9831-1 lifetime-seconds 3600
set security ipsec policy ipsec-pol-vpn-0bc9831-1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-vpn-0bc9831-1 proposals ipsec-prop-vpn-0bc9831-1
set security ipsec vpn vpn-0bc9831-1 ike gateway gw-vpn-0bc9831-1
set security ipsec vpn vpn-0bc9831-1 ike ipsec-policy ipsec-pol-vpn-0bc9831-1
set security ipsec vpn vpn-0bc9831-1 df-bit clear
set interfaces st0.3 family inet address 169.254.221.34/30
set interfaces st0.3 family inet mtu 1436
set security zones security-zone trust interfaces st0.3
set security ipsec vpn vpn-0bc9831-1 bind-interface st0.3
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust host-inbound-traffic protocols bgp
set security flow tcp-mss ipsec-vpn mss 1379
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement EXPORT-DEFAULT term default then accept
set policy-options policy-statement EXPORT-DEFAULT term reject then reject
set protocols bgp group ebgp type external
set protocols bgp group ebgp neighbor 169.254.221.33 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 169.254.221.33 peer-as 64602
set protocols bgp group ebgp neighbor 169.254.221.33 hold-time 30
set protocols bgp group ebgp neighbor 169.254.221.33 local-as 64704

Thanks!



TerraMaster F2-210 refusing connection on initial setup, cannot proceed further than detecting the NAS. Ideas?


Why does the Cisco 1921/K9 say it's a Gigabit router when it doesn't get gigabit speeds?

Bought an old 1921 a while back for a project at work and ended up never using it. Now I'm using it for a test lab/learning and I just found out that it doesn't even do 1Gbps... more like 60Mbps.

On this page, it's referred to as a gigabit router: https://www.cisco.com/c/en/us/products/collateral/routers/1900-series-integrated-services-routers-isr/data_sheet_c78-598389.html

On this document, it shows that it only gets like 60Mbps: http://www.anticisco.ru/pubs/ISR_G2_Perfomance.pdf

Am I missing something?



Dedicated VPN Appliance Placement Advice

I'm looking for some advice on where to place dedicated VPN appliances on the network. Right now we terminate all remote access VPNs at the internet edge. What are the pros/cons of running dedicated VPN appliances at the edge vs behind it?



Fixing Double NAT'd, reverse proxy, domain names

Looking for any possible ideas and solutions!

My ISP double NAT'd me, and finally (after 2 years) set up a port forward for me. So I set up a reverse proxy on my local network, then looked at the subdomain to redirect to different docker containers (services) internally, etc.
However, it's very annoying having to type the port in the FQDN (ex: https://sub.domain.com:23485/). It is annoying and ugly for me and my users.

These are the 3 possible "solutions" I have come up with so far... not even sure if they would work... Sadly it looks like domain records (ex: CNAME, A, etc.) are not able to redirect requests to an ip:port, only to other domain names or to a specific IP. So these are some alternative solutions I'm pondering...

  1. Set up a T2 Nano in AWS, then set up a reverse proxy (or application-level load balancer?) there to redirect to my public ip:port automatically.
  2. Set up a VPN or tunnel? to basically anywhere... (a T2 Nano, a friend's/relative's house, or pay for a VPN service/box, etc.)
  3. Maybe a simple AWS Lambda function that can run and redirect the request? Not sure if S3 would be able to do it, but maybe???

Any insight on what will or will not work, or other solutions not listed would be greatly appreciated!



How to use a cache proxy server in an IP balancer in Ryu?

Hello. I have created an IP balancer; here is the code: https://github.com/spartakos87/cache_balancer/blob/changes/ryu_cache_balancher.py As a balancer my code works well: I make a GET to 10.0.0.2 and I get the HTTP request redirected to 10.0.0.1. My problem is that I want to use a proxy server that can cache the "website". So I redirect the traffic again to 10.0.0.2; my proxy gets the HTTP request from the client, but I don't see any traffic from my proxy to server 10.0.0.2. Can anyone help me with this? I have been stuck for a lot of days.



IPs of core internet routers?

Is there a list anywhere of core router IPs/domain names? Thinking more of the UK. I want to start a project to track latency to different parts of the internet during this time.



Extreme vs Meraki

Looking for some feedback on switches and if anyone has gone from Meraki to Extreme (or the other way) and has comparisons.

We are a K-12 school with 12 buildings, 9 for schools, the rest for operations. Currently running all Cisco 2960Xs or older. My crew is limited in time and expertise and I can't hire more people. I'm a director who's geared more to education than pure technology, but I know a bit and understand the bridge between the two worlds.

My issue is, my networking guy is leaning more toward Extreme (so I'm leaning more toward Extreme). However, if he leaves, it'll be tough for me to hire someone with the experience I need, meaning I'll be doing more of the work; at that point, Meraki is more appealing. My vendor is providing Extreme Management Center at no cost to us if we go that route.

I like them both, but because we don't have either, we can't do a side-by-side comparison. While we are into replacing it right now, we will need a new head-end distribution unit as well.

What's been quoted for us is: Extreme X450-G2, Meraki MS-250.

We will stack what we can stack, and most switch-to-switch is fiber (there are a few rogue locations within buildings that require little throughput that are on copper).

Thanks all for the help. Appreciate having communities like this we can bounce questions off of!



Mapping Script

Was wondering if anyone has seen any scripts (bash, python, etc.) that would take in one table of devices with port MAC/IP addresses and another table of MAC addresses, and show adjacencies?

I have been debating making one but was curious if something like this already existed.
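One way to build the script described in the post, added here as an example (not an existing tool and not the poster's code). The CSV layouts, switch names, hostnames and MAC addresses are constructed assumptions; the only heuristic is that a MAC learned on several ports is attached to the port that learned the fewest MACs, the others being uplinks.

```python
"""Locate inventoried devices and inter-switch links from switch MAC tables.

Added example for the question above, not an existing tool. It assumes two CSV
inputs: the MAC tables gathered from each switch (switch,port,mac) and a device
inventory (mac,hostname,ip). Both samples below are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed inventory: two switches and three end devices.
INVENTORY_CSV = """\
mac,hostname,ip
aa:bb:cc:00:00:01,sw-core,10.0.0.1
aa:bb:cc:00:00:02,sw-access1,10.0.0.2
00:11:22:33:44:01,web01,10.0.1.10
00:11:22:33:44:02,db01,10.0.1.11
00:11:22:33:44:03,printer,10.0.1.12
"""

# Constructed MAC tables. An uplink learns every MAC reachable through the far
# switch (including that switch's own MAC); an access port learns one MAC.
# de:ad:be:ef:00:09 is deliberately absent from the inventory.
MAC_TABLE_CSV = """\
switch,port,mac
sw-core,Gi1/0/1,aa:bb:cc:00:00:02
sw-core,Gi1/0/1,00:11:22:33:44:01
sw-core,Gi1/0/1,00:11:22:33:44:03
sw-core,Gi1/0/1,de:ad:be:ef:00:09
sw-core,Gi1/0/2,00:11:22:33:44:02
sw-access1,Gi1/0/24,aa:bb:cc:00:00:01
sw-access1,Gi1/0/24,00:11:22:33:44:02
sw-access1,Gi1/0/5,00:11:22:33:44:01
sw-access1,Gi1/0/7,00:11:22:33:44:03
sw-access1,Gi1/0/8,de:ad:be:ef:00:09
"""


def load_mac_table(text):
    """Return {(switch, port): {mac, ...}}, MACs lower-cased."""
    ports = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        ports[(row["switch"], row["port"])].add(row["mac"].strip().lower())
    return dict(ports)


def load_inventory(text):
    """Return {mac: hostname}."""
    return {r["mac"].strip().lower(): r["hostname"]
            for r in csv.DictReader(io.StringIO(text))}


def edge_port(ports, mac):
    """Return the (switch, port) where `mac` is directly attached, or None.
    A MAC shows up on its access port and on every uplink on the way to the
    other switches; the access port is the one that learned the fewest MACs."""
    seen = [(len(macs), sw_port) for sw_port, macs in ports.items() if mac in macs]
    return min(seen)[1] if seen else None


def map_devices(ports, inventory):
    """Return {hostname: (switch, port)} for every inventoried end device."""
    switches = {sw for sw, _ in ports}
    return {host: edge_port(ports, mac)
            for mac, host in inventory.items() if host not in switches}


def switch_links(ports, inventory):
    """Return sorted (switch_a, port_a, switch_b, port_b) tuples for uplinks:
    two switches are adjacent when each learns the other's own MAC."""
    switches = {sw for sw, _ in ports}
    switch_by_mac = {mac: h for mac, h in inventory.items() if h in switches}
    facing = {}  # (switch, port) -> neighbour switch whose MAC it learned
    for sw_port, macs in ports.items():
        for mac in macs & set(switch_by_mac):
            facing[sw_port] = switch_by_mac[mac]
    links = set()
    for (sw_a, port_a), sw_b in facing.items():
        for (sw, port), nbr in facing.items():
            if sw == sw_b and nbr == sw_a:
                links.add(tuple(sorted([(sw_a, port_a), (sw, port)])))
    return sorted((a[0], a[1], b[0], b[1]) for a, b in links)


def unknown_devices(ports, inventory):
    """Return {mac: (switch, port)} for learned MACs missing from the inventory;
    on a network running NAC these are the entries worth a second look."""
    learned = set().union(*ports.values())
    return {mac: edge_port(ports, mac) for mac in sorted(learned - set(inventory))}


if __name__ == "__main__":
    ports, inv = load_mac_table(MAC_TABLE_CSV), load_inventory(INVENTORY_CSV)
    print(map_devices(ports, inv), switch_links(ports, inv),
          unknown_devices(ports, inv), sep="\n")
```

To run it against real gear, export each switch's `show mac address-table` output to the (switch,port,mac) CSV first; the heuristic misplaces a device only when its access port also carries other hosts (a hub or unmanaged switch downstream).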



Fixing the spaghetti mess in my network rack

My office network racks look horrible. Any tips on cleaning up the fiber cables? Each rack looks like a spaghetti dinner. They are thinner than traditional Cat5; should I just use velcro straps?



Is there a tool for comparing two IXPs?

Hi all, I am looking for a tool that compares two Internet Exchange Points, no matter if it is a website or a script.

I'd like it to compare the members of those NAPs (e.g. LINX LON1 and LONAP have COLT AS8220 in common, but 1&1 Versatel AS8881 peers only on LINX).

I know that PeeringDB has APIs but don't know if there is anyone who uses them for this purpose.

Thanks



4G/5G Modem for Small Business

Hi r/networking,

I'm in Australia, in an area where we can get 4G/5G networks but the NBN hasn't arrived yet. We're in a temporary move for a renovation and, to put it short, the wired modem isn't going to come with us.

We're looking for a 4G/5G modem for wired internet. The most important thing is quick/easy setup and reliability; we can afford to break the bank a little. This is for a semi-retail business with 10-20 computers on the wired network. We've got wireless covered; we just need a wired solution.

Any recommendations on modems, or just what qualities/buzzwords to look for? We're currently looking at SIM card modems, but we're not picky.

Edit: One more thing. We only have one day to buy this and set it up (not my choice; I only got this task about an hour ago). So something we can't pick up in a store is probably going to be too slow to get.



V SOL V1600D8 GEPON OLT Outband Management | Urdu

Please subscribe to the channel to support it, and also like and share with your friends.



Reconnecting network adapters

Not sure if this is the right place for this, but here goes:

I performed a network reset yesterday to try and solve a connection problem I was having. Now, I can't connect to any network at all. How can I re-enable the network adapters so I have internet again?



Just reset a modem....

So I wanted to try port forwarding because of Minecraft. I followed some kind of guide on a random website on how to factory reset modem settings, due to my family's memory loss of all the passwords they set on every networking gadget. One of the steps was "resetting the modem", so I did that... and then I read the description: "Do not reset your modem, because that will require us to reset the connection"... So now I'm waiting for dad to come home so he can call our ISP. Yay.



Cisco ISE API

https://www.reddit.com/r/networking/comments/cck4kk/cisco_rant_ise_ers_api/

I saw this post but I'm not able to add any comments, so I am creating a new post.

That bug was fixed a long time back and I am able to use CSRF without any issues, so let me know if you have any questions.



Same IP range used at remote sites

I started a new job a week ago; I just got around to visiting the other sites (we have 3 in total). We only have 1 internet circuit, which exists at one location, and the other 2 locations access the internet and server resources at location 1. While doing a tour of the locations I noticed that the 2 remote locations are using the same IP range. What problems would this cause in the network?



Device to send graceful shutdown of user/endpoint PCs on fire alarm input?

Hi crew.

As stated, a requirement for my work's new building has popped up. Compliance in this respect is a new world for me. Does anyone know of a device / software platform that can receive an alarm input (i.e. 48V, open circuit, etc.) and trigger a graceful shutdown of user machines using an on-device client?

The intent is to have users that may be using headphones etc. sit up and take notice of the alarm.

We've had issues with these machines (Windows PCs) working with WOL, etc., so we don't want to rely on a non-client solution.

Any ideas?



Friday, March 27, 2020

Disposable CoronaVirus Network Engineer

So I started working at a hospital around 3 months ago through a temp company in Atlanta (yes, Atlanta is one of the CoronaVirus epicenters), yes, the biggest hospital in the South.

I signed up to upgrade all their switches, but it seems the other temp is not as talented and cannot learn the new technologies (televideo, WebEx, Cisco DNAC, wireless sensors, etc., etc.) as fast as I can, so I'll be in the hospital working more remotely than my coworker, but still any 2nd-shift hospital networking task I'll have to go for. Anyway, all the networking employees that normally went into the hospital are now going to be working remotely, and me and the other temp employee, well, we have to answer to any new switch-related issue that comes up until the Coronavirus event is over. So far my temp agency did not discuss any new pay rate or anything.

I did not get hired to work alongside the newest Chinese biological warfare disease patients..... just thought it was going to be a little dangerous but be careful; now it's very dangerous it seems. Also my coworker decided to not wear PPE (mask, safety goggles) like I do and he got sick, so he was forced to be suspended without pay for 2 weeks. So I guess if I get sick with CoronaVirus, and it seems it's super easy to get being how infectious it is, I'll be without pay for 2 weeks as well. However I have a condition that might make it take longer than 2 weeks to get better.

Anyone else having to put up with BS like this with their network engineer position during this event? I feel that quitting is the only option to survive. Maybe if they offer more pay it would be worth it. Last week I refused to go to the hospital, but now my boss has forced me to go today and yesterday and it's going to be the norm now. I kidded myself: hey, if you eat healthy you won't get sick. I'm not sure I can keep kidding myself any longer. I didn't get my CCNP and 15 other certs to be cannon fodder.

What would you do in my situation?



Untanglebox

Hi guys,

I just took over as a sysadmin for a place, really a do-it-all one-man IT guy.

The MSP they use set up Untangle boxes; what are your thoughts on them?



Analyzing Multiple Large PCAPs Without Merging?

TL;DR: I am looking for an efficient way to parse through and analyze multiple large pcap files without having to merge them all.

The information I am looking to extract is pretty simple: I just need the TCP streams present and the total number of bytes transferred in each stream. The output of 'tshark -r capture.pcapng -n -q -z conv,tcp' is pretty much exactly what I am looking to get. Unfortunately, the issue I am faced with is that I need to gather this output for hundreds of pcaps and synthesize them into one report. Normally I would merge the capture files together quickly and use tshark to do this, but in this case I am looking at hundreds of pcaps amounting to over a TB altogether. Have any networking gurus out there been faced with a similar issue, or does anyone know of any open-source tools that could prove useful in accomplishing this? Unfortunately in this case, using fewer pcaps and gathering this information on a smaller scale is not an option.

Any suggestions?
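One way to get the combined report without ever merging the captures: run the tshark command from the post on each file and sum the per-conversation counters in a script. This is an added example, not the poster's code; it assumes the text layout that `tshark -z conv,tcp` prints, and the two sample reports embedded below are constructed to mimic it rather than taken from real captures.

```python
"""Aggregate per-stream TCP byte counts across many pcaps without merging them.

Added example for the question above, not the poster's code. It assumes the
text layout that `tshark -r <file> -n -q -z conv,tcp` prints (one row per
conversation: "A <-> B", then frames/bytes for each direction and in total).
The two reports below are constructed to mimic that layout, not real captures.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample reports for two capture files. The stream
# 10.0.0.5:51234 <-> 203.0.113.7:443 spans a capture rotation, so it appears in
# both files (with the endpoints printed in the opposite order in the second).
SAMPLE_REPORTS = {
    "cap-001.pcapng": """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.0.0.5:51234       <-> 203.0.113.7:443           120    150000     80      6000     200    156000     0.000000000        59.9000
10.0.0.9:40001       <-> 198.51.100.2:22            10      1500     12      2000      22      3500     1.250000000        10.0000
================================================================================
""",
    "cap-002.pcapng": """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
203.0.113.7:443      <-> 10.0.0.5:51234             40      3000     60     90000     100     93000     0.000000000        30.0000
10.0.0.9:40002       <-> 198.51.100.2:22             5       700      6       900      11      1600     2.000000000         4.0000
================================================================================
""",
}

# A data row: two endpoints, six integer counters, relative start, duration.
ROW_RE = re.compile(
    r"^(\S+)\s+<->\s+(\S+)" + r"\s+(\d+)" * 6 + r"\s+\S+\s+\S+\s*$")


def parse_conv_tcp(text):
    """Yield (a, b, bytes_a_to_b, bytes_b_to_a) for each conversation row.

    In tshark's table the "<-" pair is traffic received by the left endpoint
    (B -> A) and the "->" pair is traffic it sent (A -> B).
    """
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, header and separator lines
        a, b = m.group(1), m.group(2)
        bytes_b_to_a, bytes_a_to_b = int(m.group(4)), int(m.group(6))
        yield a, b, bytes_a_to_b, bytes_b_to_a


def aggregate(reports):
    """Sum per-stream byte counts over all reports.

    Streams are keyed by the sorted endpoint pair, so a connection reported as
    "A <-> B" in one file and "B <-> A" in another is merged. Caveat: a later
    connection reusing the same ephemeral port merges too, exactly as it would
    in one big merged capture.
    """
    totals = defaultdict(lambda: {"bytes_a_to_b": 0, "bytes_b_to_a": 0, "captures": 0})
    for text in reports.values():
        for a, b, ab, ba in parse_conv_tcp(text):
            key = (a, b)
            if a > b:
                key, ab, ba = (b, a), ba, ab
            entry = totals[key]
            entry["bytes_a_to_b"] += ab
            entry["bytes_b_to_a"] += ba
            entry["captures"] += 1
    return dict(totals)


def total_bytes(entry):
    return entry["bytes_a_to_b"] + entry["bytes_b_to_a"]


def run_tshark(path):
    """Return the conv,tcp report for one capture file (needs tshark installed)."""
    proc = subprocess.run(["tshark", "-r", path, "-n", "-q", "-z", "conv,tcp"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def report(totals):
    """One line per stream, largest first, as the single combined report."""
    rows = sorted(totals.items(), key=lambda kv: -total_bytes(kv[1]))
    return "\n".join(f"{a} <-> {b}  {total_bytes(e)} bytes in {e['captures']} capture(s)"
                     for (a, b), e in rows)


if __name__ == "__main__":
    # For real files: reports = {p: run_tshark(p) for p in glob.glob("*.pcapng")}
    print(report(aggregate(SAMPLE_REPORTS)))
```

Each tshark run reads only one file, so memory stays bounded by the largest single capture rather than the whole terabyte, and the per-file runs can be parallelised.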



Is there a documented list of maximums for VLAN tags on Cisco Switches?

The company I work for is using VLANs to segment traffic. It started out as just 15 or 20 VLANs. Now we are at just over 200 VLANs, which are trunked to all our ESXi hosts' network ports.

I've heard some anecdotes from friends and colleagues that the overhead of processing packets against all these tags could overload the switches. The number I hear is around 300 - 400.

Is there some documentation which details whether there is indeed a maximum for the number of VLANs tagged? I'm coming up empty in Google searches.

EDIT: Sorry. Should've mentioned that I hear our networking people mention 2Ks, 5Ks, 7Ks. We are looking to deploy NSX and take the load off the switches. We are purchasing 9Ks for that, but NSX is going to take some time to deploy with our stretched-thin team.

EDIT2: Also worth noting that I'm not on the network team. I don't have direct access to the networking infra. I'm sort of caught in between security, who want the segmentation of each application, and networking, who do the work. I am usually the one submitting the request for the new VLAN to be trunked to my hosts to accommodate a new application.

Thanks in advance.



Network rack labeling

Hi there

I saw a post about some people using a Dymo Rhino printer.

Anyone use these?

https://www.fs.com/products/65341.html

Or do you have a recommendation for it? I've got so much fiber to label and it's a mess. Need to at least label the spaghetti since I can't clean it.



Network Access Control with non-talkative devices

Hello /r/networking

I was wondering if any of you would have a pro tip on how to handle the following NAC scenario. For once we are talking about devices connected to a switchport that are not noisy. In fact, they do not initiate any communication from their side at all; they just sit and wait until they receive an ARP broadcast that is addressed to them, or some server/control device sends information over to process.

Having such devices together with NAC is, as you can imagine, troublesome, because the device will not get authenticated if it doesn't initiate network traffic, and thus the switch will not be able to create an access session for this device.

Now my question to you would be: can you handle such a situation at all if we exclude the option of setting the device to DHCP so it shouts once plugged in? Let's say the device cannot do DHCP for the sake of the post. If yes, how?

Any brainpower is much appreciated!



Mobile network intermittent blackout

This quarantine has gotten me stuck with my mobile network, which I use as a WiFi hotspot for a bit of online gaming on PC. There is often a blackout period where the signal is good and the mobile shows that "some data" is being transferred on the speed counter, but nothing works. I can't even load a webpage. It takes a few minutes to get resolved automatically. Any idea how I can avoid this or track what is happening?



Need help - route appearing to be received from BGP peer, but doesn't appear to be.

Maybe I'm tired (working on 3 hrs. sleep) or just stupid. Here's my situation. Starting yesterday afternoon, one of my providers had an outage; I had to disable them while they fixed their issue. Lost access to a remote network we run in another city. According to RouteViews, the network is being advertised correctly across the net. But I cannot get there; ping, traceroute and SSH all fail.

Even now, after re-enabling the provider that had the issue (re-enabled this morning), on my edge router for this network I see the following "bad" route appearing to come from one of my providers:

AS path in the route: MYASN MYASN MYASN PROVIDER2 PROVIDER1 PROVIDER1 MYASN

From my edge I am not advertising this subnet locally; it is being advertised out of the remote site. It appears locally that one of my three providers is announcing the route back to me, but I'm at a loss.

I've tried doing a soft reconfiguration of my BGP with my peers (they all support it); I've gone through my config several times and can't find anything. I need to be able to manage this remote network from our office as the equipment there is locked down for limited access.

My equipment locally is an ASR1002X. I can't really provide many more details but I'll try to if needed. (Secure sites).

Any ideas, suggestions would be greatly appreciated.



Feel Good Stories or Lessons Learned from COVID-19?

I was just wondering if anyone had any lessons learned or any feel-good stories about their networks and adapting to the new work-from-home / emergency measures that had to be implemented.

In the last 2 years I had fought for, and got, increased internet bandwidth and new Nexus DMZ switches and Palo firewalls. This was probably 2 to 3 years before management really wanted to spend the money.

It just feels good to know that my planning and perceived "gold plating" of the network paid off and we didn't run into any network issues during this emergency. Just the normal firewall rule adjustment here and there.

Anyone else?



Ping failing between ER-4 and SRX320 despite correct OSPF routes showing in RIB

I have multi-area OSPF set up between an ER-4 and an SRX320 and inter-area routes are showing up, but I can't ping any of those inter-area subnets from the ER-4. I can ping from the SRX subnets to the ER-4, but pinging to the SRX subnets from behind the ER-4 fails. OSPF seems to be set up properly, the interface connections all seem fine, and the correct routes are being added to the route table.

ER-4 Config:

firewall { all-ping enable broadcast-ping disable ipv6-name WANv6_IN { default-action drop description "WAN inbound traffic forwarded to LAN" enable-default-log rule 10 { action accept description "Allow established/related sessions" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } } ipv6-name WANv6_LOCAL { default-action drop description "WAN inbound traffic to the router" enable-default-log rule 10 { action accept description "Allow established/related sessions" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } rule 30 { action accept description "Allow IPv6 icmp" protocol ipv6-icmp } rule 40 { action accept description "allow dhcpv6" destination { port 546 } protocol udp source { port 547 } } } ipv6-name lanv6 { default-action accept } ipv6-name localv6 { default-action accept } ipv6-name wanv6_lan { default-action drop enable-default-log rule 10 { action accept description established/related state { established enable related enable } } rule 20 { action drop description invalid state { invalid enable } } } ipv6-name wanv6_local { default-action drop enable-default-log rule 10 { action accept description established/related state { established enable related enable } } rule 20 { action drop description invalid state { invalid enable } } rule 30 { action accept description "Allow IPv6 icmp" protocol ipv6-icmp } rule 40 { action accept description "allow dhcpv6" destination { port 546 } protocol udp source { port 547 } } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name WAN_IN { default-action drop description "WAN to internal" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } } name WAN_LOCAL { default-action drop 
description "WAN to router" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action drop description "Drop invalid state" state { invalid enable } } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address dhcp description Internet dhcpv6-pd { pd 0 { interface eth1 { host-address ::1 prefix-id :1 service slaac } interface eth2 { host-address ::1 prefix-id :2 service slaac } interface eth3.10 { host-address ::1 prefix-id :3 service slaac } interface eth3.15 { host-address ::1 prefix-id :4 service slaac } prefix-length /60 } rapid-commit enable } duplex auto firewall { in { ipv6-name WANv6_IN name WAN_IN } local { ipv6-name WANv6_LOCAL name WAN_LOCAL } } speed auto } ethernet eth1 { address 192.168.15.1/24 description Local duplex auto ipv6 { dup-addr-detect-transmits 1 router-advert { cur-hop-limit 64 link-mtu 0 managed-flag false max-interval 600 other-config-flag false prefix ::/60 { autonomous-flag true on-link-flag true valid-lifetime 2592000 } reachable-time 0 retrans-timer 0 send-advert true } } speed auto } ethernet eth2 { address 10.10.10.1/30 description "Local 2" duplex auto ip { ospf { dead-interval 40 hello-interval 10 network broadcast priority 1 retransmit-interval 5 transmit-delay 1 } } speed auto } ethernet eth3 { duplex full speed 1000 } loopback lo { address 10.255.255.1/32 } } protocols { ospf { area 0 { area-type { normal } network 192.168.15.0/24 network 10.10.10.0/30 } parameters { abr-type cisco router-id 10.255.255.1 } } } service { dhcp-server { disabled false hostfile-update disable shared-network-name LAN1 { authoritative enable subnet 192.168.15.0/24 { default-router 192.168.15.1 dns-server 192.168.15.1 dns-server 1.1.1.1 lease 86400 start 192.168.15.38 { stop 192.168.15.243 } static-mapping CentOS { ip-address 192.168.15.52 mac-address 20:25:64:3c:1c:66 } static-mapping DESKTOP-84K1ME3 { 
ip-address 192.168.15.41 mac-address 70:8b:cd:2e:c1:c0 } static-mapping DESKTOP-88BL9UN { ip-address 192.168.15.39 mac-address 18:1d:ea:ff:d1:c9 } static-mapping ES-8-150w { ip-address 192.168.15.44 mac-address 74:83:c2:15:c1:64 } } } static-arp disable use-dnsmasq disable } dhcpv6-server { } dns { forwarding { cache-size 150 listen-on eth1 listen-on eth2 } } gui { http-port 80 https-port 443 older-ciphers enable } nat { rule 5010 { description "masquerade for WAN" outbound-interface eth0 type masquerade } } ssh { port 22 protocol-version v2 } unms { disable } } system { gateway-address 173.61.5.1 host-name ubnt login { user admin { authentication { encrypted-password $6$cTDYN93M6w2$XsffGtfkBaM.lCUhaQt34VW7poAvpcxd7LqYgQQyLuw0wYjEmoCJgOayPtXIEvIJL.a.qvoSyfLxBMacm9GqG/ plaintext-password "" } level admin } user ubnt { authentication { encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66. } full-name "" level operator } } ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } offload { hwnat disable ipsec enable ipv4 { forwarding enable } ipv6 { forwarding enable } } static-host-mapping { } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone America/New_York } traffic-control { } vpn { ipsec { auto-firewall-nat-exclude enable } } 

SRX320 Current Config:

version 18.3R1.9;
groups {
    global {
        security {
            policies {
                default-policy {
                    permit-all;
                }
            }
        }
    }
}
system {
    root-authentication {
        encrypted-password "$6$zPzxSn6o$7caaG.fC3St4qMNwe17CM6txBX1u5xvxnBXuPZGphyn9jVH1x6Vb0mPQmePNGncoQy8Zu3hru53IinPAXtPIA/"; ## SECRET-DATA
    }
    host-name SRX-FW1;
    auto-snapshot;
    name-server {
        1.1.1.1;
        1.0.0.1;
    }
    services {
        ssh {
            root-login allow;
        }
        netconf {
            ssh;
        }
        dhcp-local-server {
            group VLAN10 {
                interface ge-0/0/6.10;
            }
            group VLAN15 {
                interface ge-0/0/6.15;
            }
            group VLAN20 {
                interface ge-0/0/6.20;
            }
        }
        web-management {
            https {
                system-generated-certificate;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    phone-home {
        server https://redirect.juniper.net;
        rfc-compliant;
    }
}
security {
    log {
        mode stream;
        report;
    }
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
    screen {
        ids-option unt-scr {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
                ge-0/0/1.0;
                ge-0/0/2.0;
                ge-0/0/3.0;
                ge-0/0/4.0;
                ge-0/0/5.0;
                ge-0/0/6.5 {
                    host-inbound-traffic {
                        system-services {
                            dhcp {
                                except;
                            }
                            dhcpv6 {
                                except;
                            }
                            bootp {
                                except;
                            }
                            all;
                        }
                    }
                }
                ge-0/0/6.10 {
                    host-inbound-traffic {
                        system-services {
                            ssh {
                                except;
                            }
                            all;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
                ge-0/0/6.15 {
                    host-inbound-traffic {
                        system-services {
                            ssh {
                                except;
                            }
                            all;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
                ge-0/0/6.20 {
                    host-inbound-traffic {
                        system-services {
                            ssh {
                                except;
                            }
                            all;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
                ge-0/0/6.21 {
                    host-inbound-traffic {
                        system-services {
                            all;
                            ssh {
                                except;
                            }
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen unt-scr;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        protocols {
                            ospf;
                            router-discovery;
                            igmp;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    interface-range ALLINT {
        member-range ge-0/0/0 to ge-0/0/7;
        speed 1g;
        link-mode full-duplex;
    }
    ge-0/0/0 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
    ge-0/0/6 {
        vlan-tagging;
        unit 5 {
            vlan-id 5;
            family inet {
                address 10.0.0.1/28;
            }
        }
        unit 10 {
            vlan-id 10;
            family inet {
                address 192.168.25.1/24;
            }
        }
        unit 15 {
            vlan-id 15;
            family inet {
                address 172.30.30.1/24;
            }
        }
        unit 20 {
            vlan-id 20;
            family inet {
                address 172.19.20.1/24;
            }
        }
        unit 21 {
            vlan-id 21;
            family inet {
                address 10.10.20.1/30;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet {
                address 10.10.10.2/30;
            }
            family inet6;
        }
    }
    cl-1/0/0 {
        dialer-options {
            pool 1 priority 100;
        }
    }
    dl0 {
        unit 0 {
            family inet {
                negotiate-address;
            }
            family inet6 {
                negotiate-address;
            }
            dialer-options {
                pool 1;
                dial-string 1234;
                always-on;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.255.255.2/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.10.10.1;
    }
    router-id 10.255.255.2;
    autonomous-system 65356;
}
protocols {
    router-advertisement {
        interface ge-0/0/7.0;
    }
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/7.0;
            interface lo0.0 {
                passive;
            }
        }
        area 0.0.0.1 {
            interface ge-0/0/5.0;
            interface ge-0/0/6.10;
        }
        area 0.0.0.2 {
            interface ge-0/0/4.0;
            interface ge-0/0/3.0;
            interface ge-0/0/6.15;
        }
        area 0.0.0.3 {
            interface ge-0/0/2.0;
            interface ge-0/0/1.0;
            interface ge-0/0/6.20;
        }
    }
    l2-learning {
        global-mode switching;
    }
    lldp {
        interface all;
    }
}
policy-options {
    prefix-list SSH_IP_LIST {
        192.168.15.39/32;
        192.168.15.41/32;
    }
}
firewall {
    filter SSH_IP_FILTER {
        term 1 {
            from {
                address {
                    0.0.0.0/0;
                }
                prefix-list {
                    SSH_IP_LIST except;
                }
                destination-port ssh;
            }
            then {
                discard;
            }
        }
        term default {
            then accept;
        }
    }
}
access {
    address-assignment {
        pool VLAN20 {
            family inet {
                network 172.19.20.0/24;
                range irb20_NET {
                    low 172.19.20.10;
                    high 172.19.20.200;
                }
                dhcp-attributes {
                    name-server {
                        1.1.1.1;
                        1.0.0.1;
                    }
                    router {
                        172.19.20.1;
                    }
                }
            }
        }
        pool VLAN15 {
            family inet {
                network 172.30.30.0/24;
                range irb15_NET {
                    low 172.30.30.10;
                    high 172.30.30.200;
                }
                dhcp-attributes {
                    name-server {
                        1.1.1.1;
                        1.0.0.1;
                    }
                    router {
                        172.30.30.1;
                    }
                }
            }
        }
        pool VLAN10 {
            family inet {
                network 192.168.25.0/24;
                range irb10_NET {
                    low 192.168.25.10;
                    high 192.168.25.200;
                }
                dhcp-attributes {
                    name-server {
                        1.1.1.1;
                        1.0.0.1;
                    }
                    router {
                        192.168.25.1;
                    }
                }
            }
        }
    }
}
vlans {
    VLAN10 {
        vlan-id 10;
    }
    VLAN15 {
        vlan-id 15;
    }
    VLAN20 {
        vlan-id 20;
    }
    VLAN21 {
        vlan-id 21;
    }
    VLAN5 {
        description "Server Management Vlan";
        vlan-id 5;
    }
}

ER-4 route table:

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       > - selected route, * - FIB route, p - stale info

IP Route Table for VRF "default"
S    *> 0.0.0.0/0 [210/0] via 173.61.5.1, eth0
C    *> 10.10.10.0/30 is directly connected, eth2
C    *> 10.255.255.1/32 is directly connected, lo
O    *> 10.255.255.2/32 [110/1] via 10.10.10.2, eth2, 00:22:18
C    *> 127.0.0.0/8 is directly connected, lo
O IA *> 172.19.20.0/24 [110/2] via 10.10.10.2, eth2, 00:22:18
O IA *> 172.30.30.0/24 [110/2] via 10.10.10.2, eth2, 00:22:18
C    *> 173.61.5.0/24 is directly connected, eth0
C    *> 192.168.15.0/24 is directly connected, eth1
O IA *> 192.168.25.0/24 [110/2] via 10.10.10.2, eth2, 00:22:18

SRX320 route table:

inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:23:10
                    > to 10.10.10.1 via ge-0/0/7.0
10.0.0.0/28        *[Direct/0] 01:27:08
                    > via ge-0/0/6.5
10.0.0.1/32        *[Local/0] 01:27:08
                      Local via ge-0/0/6.5
10.10.10.0/30      *[Direct/0] 00:23:10
                    > via ge-0/0/7.0
10.10.10.2/32      *[Local/0] 00:23:10
                      Local via ge-0/0/7.0
10.10.20.0/30      *[Direct/0] 01:27:08
                    > via ge-0/0/6.21
10.10.20.1/32      *[Local/0] 01:27:08
                      Local via ge-0/0/6.21
10.255.255.2/32    *[Direct/0] 4d 21:29:50
                    > via lo0.0
172.19.20.0/24     *[Direct/0] 01:27:08
                    > via ge-0/0/6.20
172.19.20.1/32     *[Local/0] 01:27:08
                      Local via ge-0/0/6.20
172.30.30.0/24     *[Direct/0] 01:27:08
                    > via ge-0/0/6.15
172.30.30.1/32     *[Local/0] 01:27:08
                      Local via ge-0/0/6.15
192.168.15.0/24    *[OSPF/10] 00:22:13, metric 2
                    > to 10.10.10.1 via ge-0/0/7.0
192.168.25.0/24    *[Direct/0] 01:27:08
                    > via ge-0/0/6.10
192.168.25.1/32    *[Local/0] 01:27:08
                      Local via ge-0/0/6.10
224.0.0.5/32       *[OSPF/10] 4d 21:29:50, metric 1
                      MultiRecv

Any help is appreciated. I'll provide any further details as needed.



ASA-5545 to Azure VPN

Hi everyone!

TL;DR: Are there any caveats or hurdles that you ran into while provisioning a tunnel between Azure and an ASA?


I am new to the whole cloud networking portion of this job, and recently was tasked with setting up a VPN between our datacenter and Azure. We have multiple offices that are currently connected via DMVPN and Meraki VPN that will require access to the Azure resources.

Currently, as a temporary solution to accessing Azure resources, we have a Meraki network leveraging a vMX100 in Azure and are accessing resources via a static route from our DMVPN network. So it seems to me that building a tunnel between our ASA and Azure might be a more traditional approach to this, the only thing I'm worried about is on this ASA we have a few other high visibility tunnels terminating on it, which makes our change window very tight.

Are there any caveats or hurdles that you ran into while provisioning the tunnel? The Microsoft documentation seems pretty well put together, but I find myself going down a lot of rabbit holes with it.

Thanks in advance for your input!



Cisco C1100 series throughput

Has anyone used these and can let me know if they are line speed? I tried to open a TAC case but these jerks won't even answer that question since I don't have support on a C1100! I might just go with Juniper since they are being a-holes. I'm looking to land a 1Gbps DIA and use it for BGP with default routes. I know the 4K routers are performance-license based but couldn't find anything on these or the SOHO 900 series either. The only performance mentioned is IPsec throughput, which doesn't apply to my setup. I will have Palos behind them pointing to a pair of C1100s via HSRP.

Happy Friday! Hope the craziness slows down for everyone and you can enjoy the weekend.



Enlighten me what Merlin firmware did to my asus 68u

I live out in the sticks, and have been on Viasat for 5 years. Never had an issue with my router with slow speeds, as I was getting a whopping 15 Mbps, if that.

Fast forward to last week: we got 1 gig fiber. I had to pay about 5k for them to bring it out to me.

So when I hooked it up I was only getting 200 Mbps. I know, QQ, right? So I set up my workstation as a PPPoE endpoint through the WAN miniport and I got 937 Mbps.

I was going to just buy a new router but most are delayed until April 23... COVID... so I upgraded the official firmware, no change; then I tried Merlin and now I have the full speed.

This is odd. What did Merlin do? I already had HW acceleration on and all QoS off.



Does cisco VIRL (lab simulator) support EVPN+VxLAN?

I am planning to buy the Cisco VIRL simulator for lab work. Does VIRL support a spine-leaf topology if I want to practice? It does have a 9000v instance, but I'm not sure whether the NX-OS that comes with it can support all of EVPN+VXLAN.

Is anyone using this simulator?



Have you ever seen a device with different physical addresses when connected to a 2.4Ghz or 5Ghz Wireless network?

I have a user having issues with our client-locked VPN. Macbook Pro.

With 2.4 Ghz

Wireless LAN adapter Wi-Fi: Connection-specific DNS Suffix . : mynet
Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8265
Physical Address. . . . . . . . . : A2-D8-6A-FB-B1-50

With 5 Ghz
Wireless LAN adapter Wi-Fi: Connection-specific DNS Suffix . : mynet
Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8265
Physical Address. . . . . . . . . : 00-21-6A-F6-8B-5A

Googling thus far hasn't yielded much - any ideas?
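One thing worth checking on any pair of addresses like this is the second-lowest bit of the first octet, the IEEE U/L (universal/local) bit: when it is set, the address was not burned in by the adapter vendor, which is what OS-level MAC randomization ("private address") produces. The following is an added example, not part of the original post; it decodes that bit and the I/G (individual/group) bit for the two addresses shown in the ipconfig output above.

```python
"""Decode the two control bits in the first octet of a 48-bit MAC address.

Added example, not from the original post. The two addresses under test
are the ones shown in the post's ipconfig output. Bit 0 of the first
octet is the I/G (individual/group) bit; bit 1 is the U/L
(universal/local) bit, set when the address was not assigned by the
adapter's manufacturer.
"""
import re
from dataclasses import dataclass


def normalize_mac(mac: str) -> bytes:
    """Accept 'AA-BB-CC-DD-EE-FF', 'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff'; return 6 raw bytes."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


@dataclass(frozen=True)
class MacInfo:
    mac: str                    # canonical form, e.g. A2-D8-6A-FB-B1-50
    oui: str                    # first three octets; only meaningful for universally administered addresses
    multicast: bool             # I/G bit (0x01 of the first octet) set
    locally_administered: bool  # U/L bit (0x02 of the first octet) set


def classify_mac(mac: str) -> MacInfo:
    raw = normalize_mac(mac)
    first = raw[0]
    return MacInfo(
        mac="-".join(f"{b:02X}" for b in raw),
        oui="-".join(f"{b:02X}" for b in raw[:3]),
        multicast=bool(first & 0x01),
        locally_administered=bool(first & 0x02),
    )


def describe(mac: str) -> str:
    """One-line human summary of what the first octet tells us."""
    info = classify_mac(mac)
    if info.locally_administered:
        kind = "locally administered (software-assigned or randomized)"
    else:
        kind = f"universally administered, OUI {info.oui}"
    scope = "group/multicast" if info.multicast else "unicast"
    return f"{info.mac}: {scope}, {kind}"


if __name__ == "__main__":
    for addr in ("A2-D8-6A-FB-B1-50", "00-21-6A-F6-8B-5A"):
        print(describe(addr))
```

Because a locally administered address carries no vendor OUI, any control that keys on the burned-in MAC (client-locked VPN profiles, DHCP reservations, port security) will see a randomized address as a different device. The `oui` field is only informative when `locally_administered` is False.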



Anyone familiar with Wifi Access points enclosures for outdoor use?

Have a Cisco 2802i AP which per Cisco is not for external use.

But I also see that Cisco approves the use of NEMA enclosures such as this one: http://www.eaccu-tech.com/cabinets-racks/1026-00-oberon-nema-enclosure-for-wireless-access-points-hinged-cover/

Would it be ok to deploy the 2802i (internal antennas only) within this enclosure?

How much is such an enclosure going to affect the AP's coverage cell?

Thanks!



Wireless: client switchover time when AP fails

Hello,

I have a customer demanding very short downtime on clients connected to an AP that fails/disconnects. When an AP fails, the clients connected should switch to another AP in less than 1 second. Is this even possible?

From what I understand, the reconnecting process goes like this:

  1. Client has to become aware that he lost connection to the AP (I don't exactly know how but I know it takes some time)

  2. Client scans (with probe requests) all channels (some clients allow setting the channels, and smaller amount of channels results in lower scanning time, but I don't think this can be done in every environment)

  3. Client receives probe response from an AP and has to go through the process of authentication and reassociation

Can the process above be sped up in any way? In my testing, clients lose about 3-4s of pings, and Webex/WhatsApp calls take 6-9s to reconnect, but apparently this is not enough, even though the chance is very small that an AP disconnects, let alone that the client is connected to that exact AP and sending data at that exact time.

I know 802.11k/r helps with roaming, but could it maybe also help with this?

Thanks in advance!



Thursday, March 26, 2020

What network automation tools did you build and which framework did you use?

As the title says. Recently started using netmiko and ansible. And currently learning Nornir. A few questions and ideas I have if you guys don't mind:

  1. Which framework do you prefer and why
  2. Do you have a menu of sorts in Python where you choose what script you want to run? Or are all your scripts in separate folders (and in git)?
  3. Which framework do you use for which tasks?
  4. What's the most complex automation you've built and which tool did you use?

I like Ansible for "show" commands and to push configs, but I ran into problems with Ansible versions that change and then break my playbooks. Also, it's not smart to the point where you can do lots of "if this then that, then check this, etc." logic.

Studying Nornir now. I've heard it's way more versatile.

Gracias



Can Someone Show Me What a BGP Request Looks Like?

I want to write a script to use nc/ncat/netcat in order to hit port 179 on a BGP router. I have searched all around and all I can find are the Cisco IOS commands or services with looking-glass APIs. My question is what is the syntax/format of a simple BGP table lookup? As in the actual data contained within the request. If someone could point me to an RFC that has this info, that would be cool too. So essentially, what do I need to send to a BGP router in order to elicit a response?
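The protocol the question is about is specified in RFC 4271. BGP has no standalone lookup request: a speaker sends an OPEN on the TCP session, the other side answers an OPEN it accepts with its own OPEN and a KEEPALIVE, answers one it does not accept with a NOTIFICATION and closes, and routes only ever arrive as UPDATE messages over an established session. The following is an added example, not code from the post or from any router vendor; it encodes and decodes the three session-start message types with the exact wire layout from RFC 4271 so the octets involved are visible. The AS number, hold time and BGP identifier are constructed sample values.

```python
"""Encode and decode the BGP-4 messages exchanged at session start (RFC 4271).

Added example, not from the original post. Builds OPEN, KEEPALIVE and
NOTIFICATION messages with the layout from RFC 4271 sections 4.1-4.5 and
parses them back out of a byte stream. All numeric values are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass, field

MARKER = b"\xff" * 16          # 16 octets of all ones (RFC 4271 section 4.1)
HEADER_LEN = 19                # marker(16) + length(2) + type(1)
MAX_MSG_LEN = 4096
TYPE_NAMES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
# NOTIFICATION error codes, and the subcodes for code 2 (OPEN Message Error)
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error", 3: "UPDATE Message Error",
               4: "Hold Timer Expired", 5: "Finite State Machine Error", 6: "Cease"}
OPEN_SUBCODES = {1: "Unsupported Version Number", 2: "Bad Peer AS", 3: "Bad BGP Identifier",
                 4: "Unsupported Optional Parameter", 6: "Unacceptable Hold Time"}


def _frame(msg_type: int, body: bytes) -> bytes:
    """Prepend the common header: marker, total length, type."""
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), msg_type) + body


def build_open(my_as: int, hold_time: int, bgp_id: str, opt_params: bytes = b"") -> bytes:
    """OPEN body: version(1) my-AS(2) hold-time(2) BGP-identifier(4) opt-param-len(1) params."""
    if not 0 <= my_as <= 0xFFFF:
        raise ValueError("the OPEN AS field is 2 octets; 4-octet ASNs use AS_TRANS plus a capability")
    if hold_time in (1, 2):
        raise ValueError("hold time must be 0 or at least 3 seconds")
    body = struct.pack("!BHH4sB", 4, my_as, hold_time,
                       ipaddress.IPv4Address(bgp_id).packed, len(opt_params)) + opt_params
    return _frame(1, body)


def build_keepalive() -> bytes:
    return _frame(4, b"")


def build_notification(code: int, subcode: int, data: bytes = b"") -> bytes:
    return _frame(3, bytes([code, subcode]) + data)


@dataclass
class BgpMessage:
    type_name: str
    length: int
    fields: dict = field(default_factory=dict)


def parse_message(data: bytes):
    """Parse one message from the front of a byte stream; return (message, remaining bytes)."""
    if len(data) < HEADER_LEN:
        raise ValueError("need at least 19 octets for a BGP header")
    if data[:16] != MARKER:
        raise ValueError("bad marker: connection not synchronized")
    length, msg_type = struct.unpack("!HB", data[16:HEADER_LEN])
    if not HEADER_LEN <= length <= MAX_MSG_LEN or len(data) < length:
        raise ValueError(f"bad or truncated length field {length}")
    body = data[HEADER_LEN:length]
    fields = {}
    if msg_type == 1:
        if len(body) < 10:
            raise ValueError("OPEN body shorter than its fixed 10 octets")
        version, my_as, hold, bgp_id, opt_len = struct.unpack("!BHH4sB", body[:10])
        fields = {"version": version, "my_as": my_as, "hold_time": hold,
                  "bgp_id": str(ipaddress.IPv4Address(bgp_id)),
                  "opt_params": body[10:10 + opt_len]}
    elif msg_type == 3:
        if len(body) < 2:
            raise ValueError("NOTIFICATION needs an error code and subcode")
        code, subcode = body[0], body[1]
        fields = {"code": code, "code_name": ERROR_CODES.get(code, "unknown"),
                  "subcode": subcode,
                  "subcode_name": OPEN_SUBCODES.get(subcode, "") if code == 2 else "",
                  "data": body[2:]}
    return BgpMessage(TYPE_NAMES.get(msg_type, f"type {msg_type}"), length, fields), data[length:]


def parse_stream(data: bytes):
    """Split a TCP byte stream into its BGP messages."""
    messages = []
    while data:
        msg, data = parse_message(data)
        messages.append(msg)
    return messages


if __name__ == "__main__":
    # A speaker's first two messages, then the reply a router gives to an OPEN
    # whose AS does not match the neighbor it has configured (constructed values).
    for m in parse_stream(build_open(65000, 90, "10.0.0.1") + build_keepalive()):
        print(m.type_name, m.length, m.fields)
    print(parse_message(build_notification(2, 2, struct.pack("!H", 65000)))[0])
```

The marker and length checks are where a receiver rejects garbage on port 179; a speaker that sees a bad marker or an out-of-range length sends a NOTIFICATION with error code 1 (Message Header Error) and drops the session, which is why raw text piped into the port yields no route data.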



Choosing the right VPS for an arbitrage trading bot for crypto

Hello there, newbie here. I'm looking for a tool, or general knowledge of any shape or form, to get me to choose the right VPS to be in the "middle" of 50 crypto exchanges. It needs to be in the "central" point among these exchanges, keeping in consideration mainly latency (liquidity and other factors on the exchange can also be a parameter that could influence the choice of the VPS's location, but this all comes in at a later refinement stage). Any suggestion?

It would also be interesting to get references to hardware or software used for a slightly similar problem: SOR (smart order routing) in traditional finance.

(Python preferred)



Weird SNMP behavior, wondering if it's specific to 3850s or IOS more broadly

Set up some new 3850s recently, one running 16.3.7 and the other running 16.6.7 (hoping to get that first one upgraded to Everest soon). Hooked up their management interfaces (which are in their own VRFs) and added a default route in that VRF, but did not add a default route to the global routing table (it's solely an access switch so I hadn't bothered to add any routing statements beyond getting the management port up).

After setting them up I tried adding them to our monitoring systems and found that while I could SSH to the management interface just fine, I couldn't get SNMP data when querying the management interface. We've got plenty of other devices set up like this (monitoring/management on a separate interface) and SNMP queries to them works just fine; we even had a few other 3850s set up like this that were working just fine, running the same version of code, so it was a bit of a headscratcher.

Eventually I figured out that the 3850s on which SNMP was working properly had default routes in their global routing tables. Went ahead and set one on one of the misbehaving switches, and SNMP queries started working immediately. As far as I can tell, it's responding from the management interface; I don't see return traffic coming back from a non-management IP interface on the 3850. It's like under the hood, it's doing a check of "I received an SNMP query from xyz. Do I have a route (in the global table) to xyz? If yes, did I receive this on an interface that's in Mgmt-intf? If yes, do I have a route (in VRF Mgmt-intf) to xyz?" Without a route in the global table, it never gets to that second step and just times out.

Anyone seen anything like this?



Airconsole Confusion

So I’ve spent all day trying to figure out why I can’t get my Airconsole to pass a connection via Ethernet to my wireless PC.

I have a piece of hardware that I normally set my laptop to 192.168.255.126 subnet 255.255.254.0 so that I can connect via Ethernet to 192.168.255.129. I have tried practically every configuration that I can think of, but still cannot connect to the same hardware when using the Airconsole. I currently have the AC set to the same 192.168.255.126 IP address and left the DHCP server on. I can connect and ping the AC, I can SSH into the AC and ping both the hardware at the .129 IP and my laptop IP, but it won’t pass through the .129 IP to my PC directly. There’s practically no documentation on the AC that I can find. Any ideas on what might be wrong?



Ruckus R510 and Cisco 2960G

Hey everyone! Looking for a bit of help as I’ve never worked on a ruckus AP before.

I have a Ruckus R510 currently running ZoneFlex connected to a Cisco 2960G. I have 3 VLANs that I want to bring down to the AP: vlan 10(mgmt), vlan 30 (internal), vlan 40 (guests).

I want to manage the AP from the mgmt network. In the "Internet" settings I set the management VLAN to 10 and assigned an IP in that network. I assigned the appropriate VLAN IDs under the WLAN Advanced settings. I also went to the eth0 interface and made sure that was set to "Trunk" and set the untagged VLAN to 10.

On the Cisco side the interface is set as a trunk allowing the vlans 10,30,40 and the native vlan is 10.

However after all is said and done I cannot reach the AP UI. So I am at a loss.

Anyone have any suggestions?

TIA.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC.



Using Second Cisco ASA for More AnyConnect Connections

I have a Cisco ASA 5505 connected to a Cisco 2911 Router. We are having to move several people to work from home (obviously), but the 5505 has a 25 VPN license cap. I have a second ASA 5505. Is there a proper way to hook both of these up to the 2911 to allow for remedial load-balancing (such as just giving the extra 25 users the public IP that is set in the second ASA)? There is a route table set up in the 2911 that points 0.0.0.0 to the first ASA.



This... shouldn't work.

Sysadmin for a 1000 user multi-site corp here. I've been trying to figure out why random users have been having difficulty maintaining a solid connection to VPN recently. I was chalking it up to congestion due to the higher remote usage lately. For reference, we have a Pulse Secure PSA cluster using split tunneling on our VPN because we don't have a huge pipe. Client routes take precedence over tunnel routes. My own connection was having the same issues. One day it would be rock solid for 10-12 hours, the next day I'd maintain a connection, but could only reach internal hosts for 10-20 seconds, then I'd just get timeouts. Disconnect, reconnect, same thing. Today I had a continuous ping running to my corporate gateway (192.168.0.1) and was getting the expected timeouts. Then I disconnected the VPN, and I started getting responses....

Ok, wtf. I don't have that subnet anywhere on my home network.

tracert 192.168.0.1:

Tracing route to 192.168.0.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  pfSense.redacted.net [192.168.1.1]
  2     4 ms     3 ms     3 ms  192.168.0.1

Trace complete.

Dafuq...

Traceroute from the router (UDP):

 1  * * *
 2  B3302.BLTMMD-LCR-22.verizon-gni.net (100.41.222.84)  10.542 ms
    B3302.BLTMMD-LCR-21.verizon-gni.net (100.41.222.82)  5.054 ms
    B3302.BLTMMD-LCR-22.verizon-gni.net (100.41.222.84)  6.779 ms
 3  * * *
 4  * * *
 5  HundredGigE1-9-0-0.BSTNMA-LCR-21.verizon-gni.NET (140.222.236.11)  20.813 ms
    Bundle-Ether1000.BSTNMA-LCR-21.verizon-gni.NET (140.222.229.47)  19.213 ms
    HundredGigE1-9-0-2.BSTNMA-LCR-21.verizon-gni.NET (140.222.237.31)  16.929 ms
 6  192.168.0.1 (192.168.0.1)  17.708 ms  16.380 ms  15.325 ms

Help me out here. Why am I getting a response from a 1918 address after six hops over the internet?



Pro and Cons of Fortinet versus Meraki

If you were to choose between Fortinet and Meraki, who would it be and why?

Further, we want to use switches, firewalls, and WAPs all from the single pane of glass. SD-WAN too. We're an extremely distributed network with our remote offices not having a ton of users.

Does one or the other's security team stand above?

Thanks in advance!



V SOL V1600G1 GPON OLT Basic Setup with Real World Examples

Please subscribe to the channel to support it, hit the like button, and share with your friends.



Questions about multi-area ospf

Hi, my university group and I are working on our networking design project. This is the topology where OSPF is in question: https://i.imgur.com/DtkQbZO.png. We're unsure whether we set up multi-area OSPF within the red circle or the blue circle.

Another note: on router_inverness_1, the left of it isn't configured yet as we're still waiting to sort the firewall. We were supposed to have a meeting this week but COVID has our country on lockdown so we've had to postpone. Slightly related to this, can I add a network onto OSPF later on?

Any information helps

Thanks, David



Switched From Verizon to FirstNet cell network, port forwarding does not appear to be working

So I am working on an old military base; due to its remote location we are running off a cell data network. On Saturday we switched from a Verizon network to AT&T's FirstNet network. People working at different locations need to be able to access this network remotely to sign into a NAS where mission-critical data is stored. We had websitex.com redirect to the myqnapcloud login page so people could log in remotely and sign into the NAS. When we switched over to the FirstNet network we were initially told that they did not give out static IPs for security reasons. We were eventually able to secure a static IP through the state. We are using a Cradlepoint AER2200 router that we had to do a factory reset on in order for it to register the new static IP. After that we set up port forwarding on ports 80, 8081 and 443 on the router so that whenever people type in websitex.com they can log in to the NAS. However, currently whenever someone types in websitex.com they are directed to the Cradlepoint router's admin login page. So port forwarding doesn't seem to be working? Anyone have any ideas?



Running into issues when attempting to convert 3 SSL Intermediary files from GoDaddy into PFX format (via OpenSSL). More inside.

Bottom line is I need to get a PFX file out of these SSL cert files I'm working with.

Below is a screenshot of the files I'm working with:

https://imgur.com/a/XwPG0oB

I've been using the following link as a reference:

https://www.godaddy.com/community/SSL-And-Security/How-do-I-convert-CRT-to-PFX-or-get-a-PFX-certificate/td-p/99690

When running the following via OpenSSL:

openssl pkcs12 -export -out export.pfd -inkey privkey.pem -in d22a2246a7486EB.crt 

error:

Expecting: ANY PRIVATE KEY error in pkcs12 
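"Expecting: ANY PRIVATE KEY" is what OpenSSL reports when the file given to `-inkey` contains no PEM private-key block, typically because it is a certificate, a CSR, or a DER-encoded file. The following is an added example, not code from the post or from GoDaddy's guide; it labels every PEM block in a file, says whether the file can serve as `-inkey`, splits a bundle into its individual certificates, and assembles the export command with the intermediates passed via `-certfile`. All PEM bodies in it are constructed dummies, not real keys or certificates.

```python
"""Inspect PEM files before handing them to 'openssl pkcs12 -export'.

Added example, not from the original post. Classifies the PEM blocks in a
file so the cause of "Expecting: ANY PRIVATE KEY" (no private-key block in
the -inkey file) is visible before OpenSSL is run. Sample PEM bodies are
constructed dummies.
"""
import re
from dataclasses import dataclass
from typing import List

# One PEM block: BEGIN label, base64 body, matching END label (backreference \1).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_labels(text: str) -> List[str]:
    """Return the BEGIN labels of all PEM blocks, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def split_pem_blocks(text: str) -> List[str]:
    """Return each complete PEM block as its own string (to write intermediates to separate files)."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(text)]


@dataclass
class PemCheck:
    labels: List[str]
    has_private_key: bool
    certificate_count: int
    verdict: str


def check_inkey_file(text: str) -> PemCheck:
    """Decide whether a file is usable as the -inkey argument and explain why not."""
    labels = pem_labels(text)
    has_key = any(label in KEY_LABELS for label in labels)
    certs = labels.count("CERTIFICATE")
    if has_key:
        verdict = "ok: contains a private key, usable as -inkey"
    elif "CERTIFICATE REQUEST" in labels:
        verdict = "this is a CSR, not a key; openssl will say 'Expecting: ANY PRIVATE KEY'"
    elif certs:
        verdict = "certificate(s) only; as -inkey openssl will say 'Expecting: ANY PRIVATE KEY'"
    elif not labels:
        verdict = ("no PEM blocks found: DER-encoded, empty, or not a key; "
                   "convert a DER key first with 'openssl pkey -inform DER -in key.der -out key.pem'")
    else:
        verdict = f"unexpected PEM labels {labels}"
    return PemCheck(labels, has_key, certs, verdict)


def export_command(key_file: str, leaf_cert: str, chain_file: str,
                   out_file: str = "export.pfx") -> List[str]:
    """Argument vector for building a PKCS#12 from private key + leaf cert + intermediate bundle."""
    return ["openssl", "pkcs12", "-export", "-out", out_file,
            "-inkey", key_file, "-in", leaf_cert, "-certfile", chain_file]


# Constructed sample "files" with dummy base64 bodies; not real certificates or keys.
DUMMY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n"
SAMPLE_CERT_ONLY = f"-----BEGIN CERTIFICATE-----\n{DUMMY}-----END CERTIFICATE-----\n"
SAMPLE_KEY = f"-----BEGIN PRIVATE KEY-----\n{DUMMY}-----END PRIVATE KEY-----\n"
SAMPLE_CSR = f"-----BEGIN CERTIFICATE REQUEST-----\n{DUMMY}-----END CERTIFICATE REQUEST-----\n"
SAMPLE_BUNDLE = SAMPLE_CERT_ONLY * 3   # a bundle of three intermediates, as a CA often ships

if __name__ == "__main__":
    for name, text in [("cert", SAMPLE_CERT_ONLY), ("key", SAMPLE_KEY),
                       ("csr", SAMPLE_CSR), ("bundle", SAMPLE_BUNDLE), ("der?", "\x30\x82")]:
        print(f"{name}: {check_inkey_file(text).verdict}")
    print(" ".join(export_command("privkey.pem", "d22a2246a7486EB.crt", "gd_bundle.crt")))
```

Run `check_inkey_file` on the contents of the file named after `-inkey` first; the verdict tells you whether the error is the key file or the command. The intermediate bundle goes to `-certfile`, not `-in`, so the leaf certificate is the one paired with the key.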


Visio Rack's

I've been trawling round the internet looking for a 19U rack stencil for a diagram I've got to do, but I only seem to be able to find big ones. Anyone got any pointers?



Network mapping

Can anyone suggest self-hosted network mapping/document building software? I have multiple networks that I manage and would like to be able to create network maps for them. Ideally, software that would have a remote agent running on the remote server, scanning the network and uploading the info to my server. TY



SNMP access problem

Hello all

I am very new to networking but I am willing to learn about stuff and look things up. But I couldn't find the solution to this problem.

Goal: I want to monitor my PC's network usage. But I want to do it with a program on another computer, with "PRTG Network Monitor". (My PC runs Windows 10 Pro and the monitoring PC uses Windows Server 2016 Datacenter.)

What I did/know so far: After a bit of looking around and reading the manual, I see I need to add a "device" so I can link my PC to the software (not sure how relevant this is). I added a "sensor" that pings my PC to see if it is online and an HTTP one. They both work.

But then I wanted to get a networking sensor (and later other sensors like CPU usage). I did not know how this would work so I just tried it. It said it needed SNMP access. After reading some things about it and following a few tutorials, I added the feature (it is not standard on Windows 10). I checked it and it is listed in the features list.

But I read on multiple sites that I need to turn the feature on (using Control Panel > Programs and then clicking on Turn Windows features on or off). But I can't find it in there.

When I go to services, I can see it and it says it is running. I set it up so it gives all types of data and added the IP of the computer with the monitoring software.

But it doesn't work.

Any ideas what I forgot? A guide to follow? Or just the solution?

Thanks in advance!

Greetings, GreenVirusRed



firewalls question

2 firewalls in question:

SRC(VLAN1000)-----FW1------------Interface VLAN2000------------FW2----------DST(VLAN2000)

I only need to apply the FW rule on FW1, right ?

Thanks



Help with firewall blocking Linux clients

Hello, I am having a problem with a network: the firewall allows the traffic from Windows clients but blocks the traffic from Linux clients.

In order to allow the traffic of a Linux client I have modified the TTL to 128 and I have disabled the timestamp; now the only difference is the window size value and the window scale. Windows uses a window size value of 64240 with a window scale of 8 and I cannot find how to set these values on Linux.

Thanks for your help.



ESX - ACI Problem - Port Down Events

Hello

I have a strange problem, and I really don't know how to go on at this point.

We have 2 DCs; both DCs have 2 ESX servers which are connected to our ACI stretched fabric.

Connection is like:

ESX100 - Leaf 11 port 1 & Leaf 12 port 1
ESX101 - Leaf 11 port 2 & Leaf 12 port 2

Only on leaf 11 do I get port down events. Only down for a few seconds, then it comes up again.

And it just comes and goes.

We checked the cabling and the SFPs; all changed.

Still the same.

On DC2 we also have this problem, so it can't be a HW issue. It has to be something config-wise.



Do I need a 4 year degree to put Network Engineer on my resume???

I spent 6 years as an Air Force 3D1x2. It was a merger of two military specialties. So I went to military instruction school to be a WAN type of guy. Multiplexers, Oscilloscopes, clock rates, long haul circuits and such.

We merged into a LAN type job detail, routers, switches, cabling etc.

Anyway, I spent 2 years doing WAN stuff and 4 years doing LAN stuff. I know Cisco IOS and the command line like the back of my ass, but never got a degree or CCNA. The military never required it, so I didn't think I needed it.

After 6 years in I left the military and went to school for something way out of field: International Security and Diplomacy. 2 semesters short of my degree, but don't tell mama. I am VERY close to getting my CCNA; I am learning the theory behind the configuration muscle memory I became great at when I was active duty.

My resume tiptoes around the fact it's been 5 years since I touched a switch or router in a production environment, but will soon contain certs for CCNA, AWS, CCNP, Net+, A+, and all the associated niche certs because I am interested and dedicated.

Anyway, to my main question: are the recruiters and managers looking at my resume that says Network Engineer and laughing? Or is that an accurate job title?

I always thought you needed a 4 year degree to be an engineer of any sort. If it shouldn't be IT Engineer, should it be admin? Even though I don't know shit about the desktop or server world?

Thanks in advance for your thoughts and opinions.



FS Switch QinQ

Hey All

Just wondering if any of you guys have configured QinQ on S3900

My ISP provides us with a VLAN that we must QinQ all our internal vlans so they can be transmitted to our remote sites.

Our service VLAN is 301 and inner VLANs are 2-10 and 30, and I'm stuffed if I can get it working.

Any ideas would be appreciated, config below

interface ethernet 1/1
 description *** Uplink-facing access switch ***
 switchport hybrid allowed vlan add 301 untagged
 switchport dot1q-tunnel mode access
 switchport dot1q-tunnel service 301 match cvid 2
 switchport dot1q-tunnel service 301 match cvid 3
 switchport dot1q-tunnel service 301 match cvid 4
 switchport dot1q-tunnel service 301 match cvid 5
 switchport dot1q-tunnel service 301 match cvid 6
 switchport dot1q-tunnel service 301 match cvid 7
 switchport dot1q-tunnel service 301 match cvid 8
 switchport dot1q-tunnel service 301 match cvid 9
 switchport dot1q-tunnel service 301 match cvid 10
 switchport dot1q-tunnel service 301 match cvid 30
!
interface ethernet 1/25
 description *** ISP ENNI Uplink ***
 switchport mode trunk
 switchport trunk allowed vlan add 301
 switchport dot1q-tunnel mode uplink



Some advice on how to make it work...

I am trying to set up my MoFi 4500 router. What I want it to do is use the tethering from my phone, but it won't work with my iPhone at all and only stays on my Android for 2 minutes, then turns off.



NTT/AS2914 enabled RPKI OV 'invalid = reject' EBGP policies

Exciting news! Today NTT's Global IP Network (AS 2914) enabled RPKI based BGP Origin Validation on virtually all EBGP sessions, both customer and peering edge. This change positively impacts the Internet routing system.

The use of RPKI technology is a critical component in our efforts to improve Internet routing stability and reduce the negative impact of misconfigurations or malicious attacks. RPKI Invalid route announcements are now rejected in NTT EBGP ingress policies. A nice side effect: peerlock AS_PATH filters are incredibly effective when combined with RPKI OV.

For NTT, this is the result of a multiyear project, which included outreach, education, collaboration with industry partners, and production of open source software shared among colleagues in the industry.

Shout out to Cloudflare for the open source GoRTR software and the OpenBSD project for rpki-client(8).

I hope some take this news as encouragement to consider RPKI OV "invalid == reject" policies as safe to deploy in their own BGP environments too. :-)
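The decision behind an "invalid == reject" policy is the Route Origin Validation procedure of RFC 6811: a route is Valid when a Validated ROA Payload (VRP) covers its prefix with a matching origin AS and a maxLength at least as long as the announced prefix, Invalid when VRPs cover the prefix but none matches, and NotFound when nothing covers it. The following is an added example, not code from the announcement or from NTT, rpki-client or GoRTR; it implements that classification over a constructed set of VRPs (documentation prefixes, private ASNs) and applies the reject-invalid policy to a constructed set of announcements.

```python
"""RPKI Route Origin Validation (RFC 6811) with an 'invalid == reject' policy.

Added example, not from the original announcement or from any relying-party
software. Classifies (prefix, origin AS) against a VRP set and applies the
reject-invalid policy. All VRPs and announcements are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class OV(Enum):
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not-found"


@dataclass(frozen=True)
class VRP:
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int
    asn: int            # 0 is an AS0 ROA: nobody may originate this prefix

    @classmethod
    def parse(cls, text: str) -> "VRP":
        """Parse the simple 'PREFIX-MAXLEN ASnnn' text form used in this example."""
        prefix_part, asn_part = text.split()
        prefix, maxlen = prefix_part.rsplit("-", 1)
        return cls(ipaddress.ip_network(prefix), int(maxlen), int(asn_part.upper().replace("AS", "")))


def covered_by(route, vrp: VRP) -> bool:
    """RFC 6811 'covered': same address family and the route lies within the VRP prefix."""
    return route.version == vrp.prefix.version and route.subnet_of(vrp.prefix)


def origin_validate(prefix: str, origin_as: int, vrps) -> OV:
    route = ipaddress.ip_network(prefix, strict=False)
    covering = [v for v in vrps if covered_by(route, v)]
    if not covering:
        return OV.NOT_FOUND           # no ROA says anything about this prefix
    for v in covering:
        # An AS0 VRP never matches: no BGP route carries origin AS 0.
        if v.asn != 0 and v.asn == origin_as and route.prefixlen <= v.max_length:
            return OV.VALID
    return OV.INVALID                 # covered, but wrong origin or more specific than maxLength


def apply_policy(announcements, vrps, reject_invalid: bool = True):
    """Return (accepted, rejected) lists of (prefix, origin_as, state); NotFound is accepted."""
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        state = origin_validate(prefix, origin_as, vrps)
        bucket = rejected if (reject_invalid and state is OV.INVALID) else accepted
        bucket.append((prefix, origin_as, state))
    return accepted, rejected


# Constructed VRP set: RFC 5737 / RFC 3849 documentation prefixes, private ASNs.
SAMPLE_VRPS = [VRP.parse(line) for line in (
    "192.0.2.0/24-24 AS64496",
    "198.51.100.0/22-24 AS64497",
    "203.0.113.0/24-24 AS0",
    "2001:db8::/32-48 AS64496",
)]

# Constructed announcements as (prefix, origin AS), with the expected state.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496),       # valid
    ("192.0.2.0/25", 64496),       # invalid: more specific than maxLength 24
    ("192.0.2.0/24", 64511),       # invalid: wrong origin (hijack or misconfiguration)
    ("198.51.100.0/23", 64497),    # valid: between /22 and maxLength /24
    ("203.0.113.0/24", 64496),     # invalid: AS0 ROA forbids any origin
    ("2001:db8:1::/48", 64496),    # valid
    ("2001:db8:1::/64", 64496),    # invalid: beyond maxLength 48
    ("100.64.0.0/10", 64500),      # not-found: accepted, no ROA covers it
]

if __name__ == "__main__":
    accepted, rejected = apply_policy(SAMPLE_ROUTES, SAMPLE_VRPS)
    for row in accepted:
        print("accept", *row)
    for row in rejected:
        print("REJECT", *row)
```

The maxLength check is the part most often misunderstood: a ROA for 192.0.2.0/24 with maxLength 24 makes a /25 announcement from the same AS Invalid, so an operator who de-aggregates without updating the ROA will be filtered by every network running this policy.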



Wednesday, March 25, 2020

Torn up inside over iperf3

Hey r/networking!

This is my understanding of iperf3:

The client (iperf3 -c 10.0.0.5) is uploading to the server (iperf3 -s) and the result of using those options with the command will show the upload speed of the client.

If the client uses the -R option (iperf3 -c 10.0.0.5 -R) the download speed will be tested from the server.

Am I correct about how it works? I can't believe how confused I am over this. Gotten lots of contradicting answers from people.



Simple ACL to stop communication with VLAN... am I nuts?

Alright I thought this would be simple enough but I have to be missing something here...

In brief: I have a VLAN that my backup servers reside on. I am trying to segregate it from the rest of the network.

Physical infrastructure is a stack of Cisco 9300s.

Basic setup is:

  • VLAN 700 - Segregated Backup vlan (10.60.55.0/24)

  • VLAN 4000 - Regular Server VLAN

Server setup is:

  • Veeam Backup Repository - VLAN 700

  • Veeam Proxy/Server - VLAN 700 on 1 NIC, VLAN 4000 on another NIC.

The goal is to stop VLAN 700 from being accessible to anything other than traffic that is already on VLAN 700.

My access list is as follows:

interface Vlan700
 description BACKUP VLAN
 ip address 10.60.55.1 255.255.255.0
 ip access-group BACKUP in

ip access-list extended BACKUP
 permit ip 10.60.55.0 0.0.0.255 10.60.55.0 0.0.0.255
 permit tcp 10.60.55.0 0.0.0.255 10.60.55.0 0.0.0.255 established
 permit udp 10.60.55.0 0.0.0.255 10.60.55.0 0.0.0.255
 deny ip any any

Works fine and dandy, except whenever this ACL is in place, my Veeam backup jobs fail saying it cannot contact the backup repository (aka the backup server on VLAN 700).

From the Veeam server I can ping the backup repo, even RDP the backup repo, but can't get the backup going.

Anyway, can someone sanity check my ACL?
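A sanity check of this kind is easier with the matching rules written out: IOS extended ACLs are evaluated top down, the first matching line wins, a wildcard mask bit of 1 means "don't care", `established` matches only TCP segments with ACK or RST set, and an unmatched packet hits the implicit deny. The following is an added example, not from the post or from Cisco; it parses the BACKUP access list as written above and reports which line a given packet hits. The flows are constructed addresses in the 10.60.55.0/24 subnet from the post plus an arbitrary other subnet. It models matching only; which packets the SVI's `in` direction actually presents to the ACL (packets arriving from hosts in VLAN 700 for routing, not frames switched between two VLAN 700 hosts) is a separate question the block does not answer.

```python
"""Evaluate flows against a Cisco IOS extended ACL (first match wins, implicit deny).

Added example, not from the original post. Parses the post's BACKUP access
list, implements wildcard-mask matching and the 'established' keyword, and
reports the matching line. Flow addresses are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACL_TEXT = """\
ip access-list extended BACKUP
 permit ip 10.60.55.0 0.0.0.255 10.60.55.0 0.0.0.255
 permit tcp 10.60.55.0 0.0.0.255 10.60.55.0 0.0.0.255 established
 permit udp 10.60.55.0 0.0.0.255 10.60.55.0 0.0.0.255
 deny ip any any
"""


@dataclass(frozen=True)
class Ace:
    action: str          # permit | deny
    proto: str           # ip | tcp | udp | icmp ...
    src: int
    src_wild: int        # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int
    established: bool
    text: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    ack_or_rst: bool = False   # True for the return half of a TCP conversation


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]; return (addr, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny"):
            continue   # skip the 'ip access-list extended' header, remarks and blank lines
        src, src_wild, i = _parse_addr(parts, 2)
        dst, dst_wild, i = _parse_addr(parts, i)
        aces.append(Ace(parts[0], parts[1], src, src_wild, dst, dst_wild,
                        "established" in parts[i:], line.strip()))
    return aces


def _wild_match(addr: int, acl_addr: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF          # bits the ACL actually compares
    return (addr & care) == (acl_addr & care)


def evaluate(aces: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching ACE); ('deny', None) is the implicit deny at the end."""
    s, d = _ip(flow.src), _ip(flow.dst)
    for idx, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if not (_wild_match(s, ace.src, ace.src_wild) and _wild_match(d, ace.dst, ace.dst_wild)):
            continue
        if ace.established and not flow.ack_or_rst:
            continue
        return ace.action, idx
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for f in (Flow("10.60.55.10", "10.60.55.20", "tcp"),        # both addresses inside VLAN 700
              Flow("10.60.55.10", "10.200.1.5", "tcp"),         # VLAN 700 host toward another subnet
              Flow("10.200.1.5", "10.60.55.10", "tcp", True)):  # reply from another subnet
        action, idx = evaluate(acl, f)
        hit = acl[idx].text if idx is not None else "implicit deny"
        print(f"{f.src} -> {f.dst} {f.proto}: {action} ({hit})")
```

Once the ACL is in a parsed form, the useful exercise is to feed it the exact source and destination pair each failing job uses (the repository address and the NIC the proxy actually sources from), since a host with two NICs may not be sourcing from the address one expects.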



Cisco design idea for redundant nexus distribution switches

Looking for some ideas on how to connect an access switch to two distribution switches.

I was thinking of having 2 trunk link per switch (4 on access switch) and using svi to route upstream.

An alternative would be vrrp to the switches, but a bit of reading around bgp was suggested for load balancing or just glbp.

There aren't too many devices on the access switch, less than 20, so I'm just wondering which would be a better direction to take.



Network question for you all... Are Xenpak and X2 able to be plugged into the same ports?

I’ve looked all over the internet and couldn’t find a clear cut answer. Figured someone with some more experience might be able to help me out here. Thank you in advance!



OK to update to SFOS v18.0.0_GA on whitebox Sophos XG Home ?

/r/sophos/comments/fp355z/ok_to_update_sfos_v1800_ga_on_whitebox_sophos_xg/

Setup embedded PC to act as router while connected via 4G LTE

I'm an absolute novice and am asking for some general advice on what kind of networking setup I need to include here.

Background:

The business I'm working for is adding IoT capabilities to the scientific instrument we develop and manufacture. This involves putting an embedded PC that has a 4G LTE dongle attached inside the instrument and running software on that embedded PC.

In terms of networking, you can think of the instrument as a PC. The embedded PC is getting all required information from the instrument via websockets or ModBus TCP.

The embedded PC has two ethernet ports. One is used to connect the PC to the instrument.

Question(s):

How do I set up the embedded PC to be able to talk directly to the instrument via TCP/IP?

It's almost like the embedded PC needs to act as a router?

The instrument normally has a static IP.

If this is too much/too little information, please let me know so I can edit and know for future reference.



How to manage user-based access to a mesh wi-fi network

The company I work for is trying to build a solution that will allow for user-based access to a wi-fi mesh network similar to the way this works in some Shopping centers and Hotels.

Scenario:

  1. we generate users and allocate bandwidth(usage plan) to the user through some interface(could be CLI or ideally REST API)
  2. any device that user logs in with will be allocated to his/her account
  3. ideally, the bandwidth to be shared across all allocated devices in order to never exceed the total bandwidth from the usage plan
  4. ability to remotely control the system(create/modify/suspend users, change usage plans) and pull the usage data on a per allocated device
  5. the user is free to walk around without the need to reconnect to the network as we will place a necessary number of access points around the area

Problem:

  1. we were not able to find an out-of-the-box solution that can support these requirements except for Cisco Meraki which is insanely expensive and not economical for us

Question:

  1. does anyone know an open-source software that may help us to achieve these scenarios or at least a few of them if not all?

Any thoughts are highly appreciated.

Thank you!



When using my home computer, why are sites not blocked (they are blocked when using my work computer) when using an SSL VPN (Sonicwall Netextender in this case) to connect to my company's network?

When on my home computer and I connect to the VPN and use remote desktop to log into my work computer, the sites (youtube, facebook, etc...) are blocked as expected. But when on my home computer and I log into work VPN only, I can access the sites on my web browser. Is it because I am not going through my company's firewall unless I Remote desktop?

I constantly have my work's VPN on for when I remote desktop. When connected to my company's VPN and I am not using RDP to connect to my work computer and I use the web browser on my home computer, can my company see my internet traffic? If so, to what extent?



Jabber / Expressway Split DNS

/r/sysadmin/comments/fokivm/jabber_expressway_split_dns/

Tool to get better insight into network performance

Hi All,

As someone who is not a networking guru, please forgive my newbiness here, but I work in a multiple-datacenter environment connected by cross-DC private circuits. Our core switches are different variations of Nexuses. I'd like to have some kind of tool to get better visibility into the network. More specifically, I'd like to be able to have metrics on how much bandwidth is currently being pushed through a particular switchport.

I know this is a rather vague question, but I basically need tools to give me better network visibility into our switches to find bottlenecks and issues, as the Nexus OS doesn't seem to have many tools built into the CLI (I could be wrong about this, but I am by no means a switching expert). Is there an enterprise-grade tool that could help with a situation like this?

Thanks,



Upgrading FXOS/ASA code on ASA 4110

Hi All,

This is my first time working with an ASA cluster (master/slave) and I need to upgrade FXOS and the ASA code. These are non-FTD clustered 4110s running logical ASA 5525x. From the Cisco white pages it looks a little convoluted, and pretty much all my searches bring up HA pair upgrade procedures. I just tried upgrading a master/slave unit through FCM, and while it looked like the master was still active in FCM, the logical ASA was unreachable via SSH when I disabled the logical ASA on the secondary unit. I was hoping someone could shed some light on the upgrade procedure and whether it should be done via CLI or through FCM? I found instructions for both, but at this point I'm just a little hesitant about upgrading them and bringing the cluster back down.

Thank you



Juniper Ex3400 PoE+ con interface being stupid.

Sooo, we have some PoE switches that power our VoIP phones in my office and, of course, today one of them alerted the network data ops guys. So I ran into the office, connected up a serial cable, fired up PuTTY, pointed it to the correct COM port and, of course, nothing: no response, just a blank PuTTY CLI session.

Did the same with 2 more EX3400s just a few U below and I was able to get a response and auth in... Anyone seen this BS before? Should I power cycle it?



Does the Cisco 2702i Aux port only do pass though network?

It seems like I have it setup correctly. My 1810 and 1815 access points can get corporate VLANs from home over OEAP, but the 2702i doesn't. Is that just the way it is with the 2700 series?



QoS Shaping for dynamic bandwidth percentage?

Hello,

I'm working on a new QoS solution for our, well, nonexistent one. I have been given the decree to have a dynamic 40% of our bandwidth set for our voice and meeting traffic. As in, they want to have 40% reserved for this traffic, but if we're not using all of it, some of it can be reclaimed by other, lower-priority traffic. We currently have Catalyst 9500s at the core and 9300s on our access layer.

I was going to set up traffic shaping, but I know that I can't use the priority command with shaping. Does the priority percent command make it dynamic, or should I set up traffic shaping? I don't want to touch policing right now. We have 2 500M circuits going out to the internet so bandwidth should not be too much of an issue.

Here is what I have so far:

class-map match-any zoom_qos
 match ip dscp cs7 cs5
!
policy-map zoom_qos_policy
 class zoom_qos
  shape average percent 30
 class class-default
  bandwidth remaining percent 20
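The behaviour the post is after (a reserved share that other classes can reclaim when it is idle) is what a low-latency queue gives: `priority percent N` is strict priority, but its implicit policer is only enforced while the interface is congested, so when the voice/meeting class is quiet the rest of the link is available to the other classes. `shape average` is different: it caps the class at the shaped rate even when the link is otherwise empty. Below is an added worked example in that direction; it is not the poster's config. The class name, the DSCP markings (EF and CS5 assumed for voice/meeting media), the interface and the 500 Mbit/s circuit rate are assumptions.

```cisco
! Added example, not from the post. Markings, interface and circuit rate are assumed.
class-map match-any VOICE-MEETING
 match dscp ef cs5
!
! Child policy: queueing and the 40% low-latency share.
policy-map WAN-OUT
 ! Strict priority up to 40% of the parent rate; the policer only bites
 ! under congestion, so idle priority bandwidth is reusable by class-default.
 class VOICE-MEETING
  priority percent 40
 ! Everything else shares whatever is left.
 class class-default
  bandwidth remaining percent 100
!
! Parent policy: the 9500 uplink is faster than the 500M circuit, so the
! "40%" only means anything if the switch, not the carrier, is the point of
! congestion. Shape the whole interface to the circuit rate and hang the
! queueing policy underneath it.
policy-map WAN-SHAPE-500M
 class class-default
  shape average 500000000
  service-policy WAN-OUT
!
interface TenGigabitEthernet1/0/1
 description Uplink to internet circuit (assumed)
 service-policy output WAN-SHAPE-500M
```

Apply it outbound on the interface that actually feeds the circuit; priority and bandwidth guarantees only act where packets queue. On Catalyst 9000 the priority command is also accepted in the `priority level 1 percent 40` form, so check what `priority ?` offers on the 9500 before committing, and confirm the queueing with `show policy-map interface TenGigabitEthernet1/0/1 output` while traffic is flowing (the priority class should show a conforming rate under load and no drops while the link is idle).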



Traffic scrubbing simulation on home computer

Hi!

For my thesis at university I would like to simulate a traffic scrubbing architecture for DDoS protection. Could anyone recommend me a good platform to do so? I would like to simulate routers, endpoints and scrubbing centers with as little resources as possible needed, although if you can suggest a cloud-based approach, I'm open to that as well.

Thanks, Zoly



Proposal meeting for new NMS

Morning all,

I'm in the final stages of the evaluation of a new NMS solution. I'm sure many of you have been here before, and I'm just wondering if you have any advice before I meet with the company owner this afternoon.

~~~~context~~~

We are a small MSP and consulting company. We build and design networks, mostly for new constructions, but we also revamp old networks and for some clients even manage them. The bulk of our managed services are commercial properties like office towers and malls. Low user count (minus guest wifi, which is isolated), mostly building automation, cameras, digital directories and displays.

Before me, they had mostly junior net admins and their goal was to just maintain the infrastructure. I was hired to fill in the gaps of knowledge and improve security before shit hits the fan. I've been implementing security, standardization, and generally just fixing poor configurations throughout the portfolio. I've also implemented NetBox and TACACS+ (both only span a handful of sites as I haven't gotten approval for a full rollout yet).

Currently, they are using a very bare-bones Zabbix installation. It hasn't been maintained for ~4 years and has been failing. They don't want to fix it and told me to find them an alternative.

Over the past month i've tested OPmanager, PRTG, Domotz, and Solarwinds.

OPmanager, easy to implement and pretty happy with the out of the box experience. Less modular than PRTG and solarwinds.

PRTG, the licensing model doesn't work well for us. We'd need to really fine-tune the number of sensors we use. Most of our switches have only a few devices despite being 24/48-port switches, because they are for camera and wifi coverage.

Domotz, different than a traditional NMS solution but was pleasantly surprised. When it works it works well and could meet a lot of our needs at a very low price point. However, I found it buggy and any L3 devices disrupt its ability to do anything. Will definitely revisit this in a couple of years as it matures.

Solarwinds, network mapping, and modeling are what really stood out for me as a step above the others. The downside though was I found it the hardest to implement out of the box but with the most potential.

Zabbix, this is what we currently use. I want to spend time training on it and doing a full rebuild. If we're going to continue using it I need a way to assign work, and filter out useless information and alerts better. I'm convinced I can get what I need from it, the question is how much time can I spend on it.

The company owner is a sales guy, electrical engineer/architect type of guy. Not technical, but knowledgeable on core networking concepts. It's a small company and they've never invested anything other than man-hours into their MSP side. We're not currently meeting contractual obligations and I'm leveraging that for this whole project.



Anyone experiencing performance issues with Pulse Secure PSA7000?

Hello,

is anyone experiencing performance issues with Pulse Secure PSA7000s? They can't handle more than 5000 concurrent VPN users and connections are dropping at medium utilization. The GW software was upgraded, like, a month ago to the newest version.



AWS Workspaces, DIA/LIB (Direct Internet Access/Local Internet Breakout) and specific country/ies legal demands

Looking into some options involving AWS Workspaces in India, for some reason I recall comments from a few years back referencing the Information Technology Act of 2000, amended with section 69. At the time of this topic being discussed, apparently this requirement implied utilization of a local ISP for all Internet traffic (business and residential alike), so that further controls could be applied by the local government.

I would like to hear from someone doing business in India who has leveraged AWS Workspaces, whether the Internet usage within AWS Workspaces complies with the act mentioned above. Even more so, how is this applied in cases of other SaaS services that may not "exit" via local ISPs (e.g. Cisco Umbrella, Zscaler, etc.)?



"Speed Up Your Internet - (Lower Your Latency)" - does this actually work?



802.1X Fail Open when ISE server is unreachable

Does anyone know the correct switchport/switch configs to allow for a "fail-open" to occur when the ISE servers cannot be reached by the switch? I want the switchport to allow all devices (voice/data) when my ISE servers cannot be reached for whatever reason.
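The switch-side configuration for that on a Catalyst running classic IOS/IOS-XE authentication commands, added here as a worked example (it is not from the post): the two ISE node addresses, the shared key, the VLAN numbers and the interface are placeholders.

```cisco
! Added example, not from the post. Server addresses, key, VLANs and interface are assumed.
! 1. RADIUS servers and the criteria for declaring them dead.
radius server ISE-PSN-1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key CHANGE-ME
radius server ISE-PSN-2
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key CHANGE-ME
aaa group server radius ISE
 server name ISE-PSN-1
 server name ISE-PSN-2
!
aaa new-model
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
!
! A server is marked dead after 5 seconds / 3 unanswered retries and is
! left alone for 10 minutes before being probed again. Both servers must
! be dead before the "server dead" actions below fire.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! Tell 802.1X supplicants on critical-authorized ports that they succeeded,
! so they stop retrying EAPOL while ISE is unreachable.
dot1x critical eapol
dot1x system-auth-control
!
! 2. Per-port fail-open for the data and voice domains.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 ! Critical authentication: with no reachable server, put the data
 ! domain in VLAN 10 and authorize the phone into the voice VLAN.
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 ! When a server returns, re-authenticate the critical sessions.
 authentication event server alive action reinitialize
 dot1x pae authenticator
 mab
```

Two things to check once it is in: `show aaa servers` (the dead/alive state and the dead-time counters) and `show authentication sessions interface GigabitEthernet1/0/1 details`, where a fail-open session shows an authorization method of "critical" rather than dot1x or mab. Keep in mind that while the servers are dead, any device plugged into that port lands in VLAN 10 with no authentication at all; that is the trade-off you are choosing, so alert on the dead-server syslog rather than letting it go unnoticed. If the switch has been converted to IBNS 2.0 ("new-style", with `policy-map type control subscriber`), the same behaviour is expressed in the control policy rather than with the `authentication event` commands above.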



Is my PC adapter broken or My school has blocked my internet?

Hi everyone.

So my PC just can't access the internet anymore, but I can access my school home page.

When I look at my PC Ethernet port, the left light is solid red and the right is blinking orange (or yellow).

At the other Ethernet port on the hub, it is still green as normal.

So is my PC Ethernet adapter broken, or has my school blocked my internet connection?

Note that my school internet has a proxy and my PC is a Dell Vostro... and I had my Windows 10 update about 2 weeks ago (not sure if this relates to this problem).

Thank you guys very much.



Cisco Networking Stack Feature Licenses [Network Essentials, Network Advantage, Network Premier]

Hi Guys,

Do you also have any experience with the Network Stack Licenses?

Can the Network Essentials, Advantage or Premier features be used after the evaluation period ends w/o any connection to a Smart Account (if it's even possible to assign the device at all to an account other than the SA of the original owner)?

Here is an example of what the CLI output looks like if the device is not assigned to the SA (Smart Account) that owns the actual license information.

Switch#show license all
Smart Licensing Status
======================

Smart Licensing is ENABLED

Registration:
  Status: UNREGISTERED
  Export-Controlled Functionality: NOT ALLOWED

License Authorization:
  Status: EVAL MODE
  Evaluation Period Remaining: 88 days, 22 hours, 51 minutes, 6 seconds

Export Authorization Key:
  Features Authorized:

Utility:
  Status: DISABLED

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

Transport:
  Type: Callhome

License Usage
==============

(C9300-48 DNA Essentials):
  Description:
  Count: 1
  Version: 1.0
  Status: EVAL MODE
  Export status: NOT RESTRICTED

(C9300-48 Network Essentials):
  Description:
  Count: 1
  Version: 1.0
  Status: EVAL MODE
  Export status: NOT RESTRICTED

Agent Version
=============
Smart Agent for Licensing: 4.8.5.2_rel/13

Reservation Info
================
License reservation: DISABLED

Switch#show version
Cisco IOS XE Software, Version 16.09.04
Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.9.4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Thu 22-Aug-19 18:14 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2019 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON
BOOTLDR: System Bootstrap, Version 16.9.1r [FC2], RELEASE SOFTWARE (P)

Switch uptime is 1 hour, 8 minutes
Uptime for this control processor is 1 hour, 10 minutes
System returned to ROM by PowerOn
System image file is "flash:packages.conf"
Last reload reason: PowerOn

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Technology Package License Information:

------------------------------------------------------------------------------
Technology-package                                     Technology-package
Current                        Type                       Next reboot
------------------------------------------------------------------------------
network-essentials      Smart License                 network-essentials
dna-essentials          Subscription Smart License    dna-essentials

Smart Licensing Status: UNREGISTERED/EVAL MODE

Thanks.

Andre



ACL inbound and outbound, how they work ?

Hi all, hope you guys doing well under the current pandemic outcry. I'm a uni student majoring in networking technology currently studying CCNA routing and switching parts.

I am having a hard time understanding the direction of ACL application. I just practiced the concept with Packet Tracer: Router 1 has two directly connected networks, 192.168.10.0/24 on G0/0 and 192.168.11.0/24 on G0/1. I configured a standard ACL to deny all traffic from 192.168.10.0/24 and permit any. Applying it on G0/0 inbound means I get a 'destination host unreachable' ICMP message when pinging from PC1 [192.168.10.1] to PC2 [192.168.11.1]. But shouldn't pinging the other way (from PC2 to PC1) work, as I permitted any traffic?

The second configuration is that I removed the same ACL from int G0/0 and applied it to int G0/1 outbound. For this case, should the traffic flow in both directions be denied, and should I get an ICMP host unreachable message?

I just don't quite get the concept of it, and it becomes way more complex when it comes to extended ACLs.

Would very much appreciate hearing from some network gurus :)

Thanks in advance and stay safe!
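A worked version of both placements from the post, added here as an example rather than taken from it (the router interface addresses .254 are assumed; the networks, PCs and ACL logic are the post's). The point to hold on to is that a standard ACL only looks at the source address and is evaluated against every packet crossing the interface in the stated direction, so it also hits the replies PC1 sends back to PC2:

```cisco
! Added example, not from the post. Router interface addresses are assumed.
ip access-list standard BLOCK-NET10
 deny   192.168.10.0 0.0.0.255
 permit any
!
! Case 1: inbound on G0/0, i.e. checked on packets ENTERING G0/0.
!   PC1 -> PC2: echo request enters G0/0, source 192.168.10.1, dropped.
!              The router answers PC1 with ICMP unreachable
!              (administratively prohibited), which is what the post saw.
!   PC2 -> PC1: echo request enters G0/1 (no ACL there) and is delivered,
!              but PC1's echo REPLY enters G0/0 with source 192.168.10.1
!              and is dropped. PC2 never gets the reply: "request timed out".
!   Result: ping fails in both directions.
interface GigabitEthernet0/0
 ip address 192.168.10.254 255.255.255.0
 ip access-group BLOCK-NET10 in
interface GigabitEthernet0/1
 ip address 192.168.11.254 255.255.255.0
!
! Case 2: outbound on G0/1, i.e. checked on packets LEAVING G0/1.
!   PC1 -> PC2: echo request leaves G0/1, source 192.168.10.1, dropped.
!   PC2 -> PC1: echo request leaves G0/0 (no ACL) and is delivered, but
!              the echo reply from PC1 leaves G0/1 with source
!              192.168.10.1 and is dropped.
!   Result: again fails both ways; only the place where the drop happens
!   (and who receives the unreachable) changes.
interface GigabitEthernet0/0
 no ip access-group BLOCK-NET10 in
interface GigabitEthernet0/1
 ip access-group BLOCK-NET10 out
```

To see it happen, clear and then read the hit counters with `clear ip access-list counters` and `show ip access-lists BLOCK-NET10` after each ping; the deny line's count goes up once per dropped request in case 1 for PC1's ping and once per dropped reply for PC2's ping. `show ip interface GigabitEthernet0/0` confirms which ACL is bound in which direction. The "permit any" never gets a chance to help the reverse direction because the reverse direction's reply carries the denied source, which is the usual argument for placing standard ACLs as close to the destination as possible, and for using extended ACLs (source and destination, plus `established` for TCP) when you want to allow one side to initiate and not the other.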



RTSP multiple unicast vs RTP multicast

Hi,

We are trying to implement low-latency video streaming over a private WAN network (without internet). The setup is one main hub which broadcasts live to 45 remote sites, so the transmitter/encoder is in the main hub and the receivers/decoders are in the remote sites. My main option is using either RTSP multiple unicast or RTP multicast. I understand that the most efficient solution would probably be RTP multicast, but I am hesitant as I am inexperienced in implementing it and that might be too risky for me, as I would have to check and enable features on the switches and routers at both the server and remote receiving sites, and other stuff. Thus I am leaning more towards RTSP multiple unicast, as it will not need any adjustment on the core network. However, I am also not sure if this will be viable. Will using RTSP multiple unicast on 45 sites run smoothly, assuming bandwidth allocation is enough? I read somewhere that "multiple clients connected to the server at the same time will generate multiple packets for the same video frame being duplicated for each client". Is there any truth to this? Any thoughts on using the two protocols?

While I have theoretical general knowledge on Networking and broadcasting I lack the experience so be easy on me hehe any help is appreciated thanks!



PPTP vs IPSec VPN for remote access to work network

/r/mikrotik/comments/foly24/pptp_vs_ipsec_vpn_for_remote_access_to_work/

Tuesday, March 24, 2020

43.0.0.0/8

It appears 43/8 will find its way to the IPv4 transfer market.

https://blog.apnic.net/2020/03/25/announcement-regarding-ipv4-address-block-43-8/



Someone PLEASE help me with setting up QoS rules.

So for some reason, my WiFi has been slowing down significantly with only one other device connected. I'm trying to prioritize (high) all traffic going to my PC. When I'm attempting to create a QoS rule, it asks for a DSCP CLASSIFICATION. Then there's a long list of random numbers such as CS7-111000, CS3-011000 etc. What do I do about this?



Brocade 300 Successor Product Line

I am looking for opinions on successor products for the Brocade 300. The use case is in small SAN environments - no more than 2 storage devices, no more than 4 hosts. These are typically budget sites. FC please - I am aware of iSCSI cost/benefit - but I would like to restrict this discussion to FC only.



Use of NAT/PAT in a Uni

Recently started as a sysadmin for a university. I noticed a lot of the subnets are NAT'd with a public IP rather than. The only exposure to this that I have is with a firewall/UTM handling NAT and assigning private IPs in my previous internal networks, and sometimes doing a static NAT.

What would be the goal/purpose of this?

For example: my workstation and many others around me all have public IPs. Even student/staff wireless. Wouldn't it be more conservative for this and the rest of the network to be on private IPs?



Fortinet implements quantum mechanics in the login process

There is a 50/50 chance that you are either logged in, or you are not.

https://imgur.com/R82eizp



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC.



Need some help with VLAN's

Hello,

I need some help with a networking project.

I have two L3 Network switches (GS728TX) and wanted to make a VLAN network with them. (this is my first time dealing with VLAN)

The thought was to use my FritzBox as a router, but I learned fast that the router won't support VLANs.
My question now is: is it possible to somehow make it still work, maybe by changing some settings in the switch?

My plan was as follows (.X is the port number):

FritzBox LAN 1 -> Switch 1.1 (VLAN10)

FritzBox LAN 2 -> Switch 1.2 (VLAN11)

FritzBox LAN 3 -> Switch 1.3 (VLAN12)

FritzBox LAN 4 -> Switch 1.4 (VLAN13)

Switch 1 -> 10G fibre -> Switch 2

Switch 2.1 – 2.6 (VLAN 10)

Switch 2.7 – 2.12 (VLAN 11)

Switch 2.13 – 2.18 (VLAN 12)

Switch 2.21 – 2.24 (VLAN 13)

All VLAN should be the same subnet. (192.168.178.XXX)

I want the VLAN only so I can use all ports of the Router over one switch.
I want to make it that way so that in the device listing of the FritzBox the devices are spread over all existing LAN ports and not just one, so it's easier to keep track.
I hope I could explain it so you can understand, I’m glad to give more information if needed.

Thank you all



What improvements do you want to see in Nexus 9k in the future releases?

Question says it all.

Have a chance to communicate with the NXOS software leadership soon, what improvements do you guys want to see in Nexus 9k :)



What kind of Modular switch do you guys use / recommend?

We are looking at getting a new Switch Chassis. We will want around 140 gig and another 40 or so 10G. We would want it modular so that if we need more 10G copper in the future we can swap them out.

I don't really like HP too much and the Dell is $$$. Any other recommendations?

thanks!



Help me find a PoE switch

I'm looking for a switch that is powered by PoE (as it's going in a location with no local power). I would be grateful for any recommendations.



Do I need Jumbo Frames?

Basically my network has a new-ish core and REALLY old L3 access layer switches. L3 switches have jumbo frames turned on for years now. New core sends out warnings about it. I read that jumbo frames can cause some performance benefits. Thoughts?



Cisco Firepower 2100-Clientless VPN

Hello Guys,

We used to configure clientless VPN on ASA appliances to access RDP servers behind our ASAs; at that time, installing the RDP plugin was one of the prerequisites for RDP to work.

Currently, we have a 2110 Firepower appliance on which we would like to do the same.

Does anybody know if we still need to add some plugins on the Firepower for RDP to work through clientless VPN?

Thanks



Cradlepoint Nemo/split tunnel configuration help.

Hi guys, I've been doing a lot of research on my current routing issue and I'm finally going to reach out to y'all for some help. My company has a NEMO/DMNR configuration for reaching internal data through LTE. We are working on a solution to have a split tunnel: raw traffic goes out basic internet, internal traffic goes out NEMO. My issue is that with my Cradlepoint I have discovered all NEMO traffic is sourced based on the subnet, and in the routing table it has top priority over anything else. Even with traffic steering rules and ACLs, ALL traffic in the NEMO advertised subnet will go through the tunnel instead of checking the destination address and sorting it from there. I can provide more information if needed. Hopefully somebody here has worked on this kind of solution before. Thanks for the help.



Boss: You are essential employees to the hospital. You are the front line. LOL nope

Me: If we were essential employees. Then we wouldn't have been reduced to nothing and outsourced to an Indian company. Not going anywhere near a COVID patient.



Facebook over IPv6

I'm seeing issues with reaching FB over IPv6, and some others?

This is from Sweden, Europe, and the FB datacenter is not far away :)



Mapped drive performance is poor over Cisco Anyconnect VPN

Hi All,

Has anyone got any tips to improve mapped drive performance for remote VPN users? Everything on the VPN performs fine apart from when accessing mapped drives. Files take a while to open and browsing file structures can be a bit sluggish. Even right-clicking files for options such as copy or open stalls and causes File Explorer to go into 'not responding'.

I have looked around online but can't find anything except people reporting that mapped drives are poor over VPN as SMB traffic is very chatty.

I am tunnelling all traffic for remote users so their traffic is treated the same way as if they are in the office and their internet based traffic is filtered by sourcefire. We have plenty capacity at our internet gateway so that isn't causing the problem.

Any ideas ?



CheckPoint VMs - Policy routing performance? Any experience?

Hey,

Due to the apocalypse, I'm having another internet circuit installed (1GbE from a tier 1 transit carrier). The CheckPoint VMs are the perimeter of my enterprise (10,000 users). My VPN appliances are ASA FP2110s which sit on the internet, but a full tunnel with its next hop to the internet to the CheckPoint. I need traffic to flow through the CheckPoint for VPN users to maintain security policies.

If I were to bring a new circuit in, I'd need to put the ASAs on this VLAN, and have them follow the default route to the CheckPoint but the CheckPoint to steer traffic to override the default route through the current carrier and use the new carrier.

The idea is - traffic sourced from 172.22.0.0/22 (VPN subnet), PBR the traffic out the new circuit.

In the lab, this works perfectly. I have no issues with the configuration. I'm looking to see if anyone out there has experience with this and what the performance would be.

Thanks.



ASA help

Hello reddit! First of all I hope everyone is staying healthy and busy during these crazy times.

I've been trying to solve this issue for over 3 days but just can't seem to wrap my brain around it. I have a webserver with an internal IP address of 192.168.2.100. It's configured to use a 1-to-1 static NAT, however I cannot load the webpage when I browse to its public IP. The error I see in the ASDM log is below.

Deny TCP (no connection) from X.X.X.X to X.X.X.X flags ACK on interface outside2

I'm really bad at working with ASA so ANY help on this would be greatly appreciated. My show run is below 

interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X - (not in use)
!
interface Vlan12
description Optimum
nameif outside2
security-level 0
ip address 1.1.1.1 - (IP changed, in use)
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network NET-OBJ-LOCAL-NETWORK
subnet 192.168.2.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network websrv_ext
host 1.1.1.2 (IP changed)
object network websrv_int
host 192.168.2.100
object-group network DM_INLINE_NETWORK_2
network-object object websrv_ext
network-object object websrv_int
object-group network DM_INLINE_NETWORK_1
network-object object websrv_ext
network-object object websrv_int
access-list 101 extended permit icmp any4 any4 echo-reply
access-list 101 extended permit tcp any object websrv_int eq https
access-list 101 extended permit tcp any object websrv_int eq www
access-list 102 extended permit ip any any
access-list 102 extended permit icmp any4 any4 echo-reply
access-list 102 extended permit tcp any object websrv_ext eq www
access-list 102 extended permit tcp any object websrv_ext eq https
access-list outside2_access_in extended permit ip any4 any4
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu outside2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside2) dynamic interface
object network websrv_int
nat (inside,outside2) static websrv_ext
access-group 102 out interface inside
access-group 101 in interface outside2

Thanks in advance for any insight you could offer
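The logged message (syslog 106015, "Deny TCP (no connection) ... flags ACK") means the ASA received a mid-stream TCP segment for which it holds no connection entry: it never built a conn from a SYN on that path, which is typically an asymmetric return path or a SYN that never reached the firewall on that interface. The commands below are an added troubleshooting sequence for the posted config, not part of the post; 203.0.113.7 is a made-up outside client and 1.1.1.2 is the post's (changed) public address.

```cisco
! Added example, not from the post. 203.0.113.7 is a constructed client address.
! 1. Is the static NAT installed, and has anything ever matched it?
show nat detail
show xlate | include 192.168.2.100
!
! 2. Walk a SYN from the internet through the box. The output names the
!    ingress/egress interfaces, the ACL line (access-list 101) that permits
!    it, the NAT rule that untranslates 1.1.1.2 -> 192.168.2.100, and, if it
!    is dropped, the exact phase and reason.
packet-tracer input outside2 tcp 203.0.113.7 51000 1.1.1.2 80 detailed
!
! 3. Does the server's traffic come back through "inside"? If the server's
!    default gateway is not 192.168.2.1, or the reply leaves via another
!    path, the ASA sees only the client's ACKs and logs 106015.
show route
show conn address 192.168.2.100
!
! 4. Capture on both sides of the firewall and retry from outside.
!    A SYN on outside2 with no SYN-ACK on inside isolates the problem to
!    the server side; a SYN-ACK on inside that never leaves outside2
!    isolates it to the ASA.
capture OUT interface outside2 match tcp any host 1.1.1.2 eq 80
capture IN  interface inside   match tcp any host 192.168.2.100 eq 80
show capture OUT
show capture IN
no capture OUT
no capture IN
```

The packet-tracer run is the one to start with: on this config it should report ALLOW for the SYN, because access-list 101 permits `tcp any object websrv_int eq www` against the real (untranslated) address, which is the correct form on 8.3+ code. If it does allow the SYN and `show conn` stays empty, the answer is in step 3 or 4, on the inside leg, rather than in the ACL or NAT.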



WTF is Dispersive Networks?

CTO sent me a slide deck from them and it's just full of buzz words and bullshit. Can someone tell me how they're different at a technical level compared to other top-of-the-market SDWAN offerings?



Allowed vlan remove 2-19 ...., found after reboot on SG350 Cisco Switch

Hi guys,

I have configured an SG350 Cisco switch with 10 ports on it as trunk ports; these ports are connected to an IP phone and then to a PC.

What I have done in detail is that I configured the ports with this config:

switchport trunk allowed vlans all

and I have VLANs 10, 20 and 30 with DHCP: 10 for data, 20 for voice and 30 for cameras. All works perfectly, I get VLAN 20 on the IP phone and VLAN 10 on the PC, but after a reboot of the switch, the PC wasn't getting an IP. I was checking the running config on one of the ports and I found this additional command that was added on its own:

switchport trunk allowed vlan remove 2-19,21-4094

How is this appearing automatically? Am I missing something, or is it a bug?

Thanks in advance!



Cisco VXLAN ESI on N9K Platform

Is anyone running a Cisco Spine/Leaf VXLAN fabric? Are you currently running VPC for MLAG? I still don't understand why the EX/FX series don't support ESI. So much more straight forward than VPC and you don't require inter-links between your leafs.



Cyber Security / Networking

Hi, this question is a little out of place here but thought I’d give it a shot anyway. I start my new job next week and as a kind of ice-breaker / first assignment I’ve been tasked with a presentation with a topic relating to Cybersecurity. The topic of the presentation is very vague so I can pretty much branch out into anything. I don’t want to just do the same old basic security presentation that I imagine everyone does; I want to put some effort in. Has anyone got any interesting topics that I could look into, I kind of want to look at it from a networking perspective as this area interests me. If you have any ideas I’d love to hear, thanks.



Automating configuration changes. Is there a tool similar to Oxidized?

Hi all! I've been on a mission to manage our switch-config backups using open source tools... but it's been a struggle. We have some older HP Comware 5 switches that no one seems to support out-of-the-box.

This past week I finally got my backups working using Oxidized! I'm a Linux tourist, but I found that custom definitions for these switches were doable.

Now I'm looking for a tool to push config changes to these devices... does anyone have any suggestions? I've tried deploying Ansible (prior to Oxidized) but developing custom device types has proven to be a nightmare... I've all but given up on it. Maybe there's something Ruby-based that my Google-fu is failing to find?



How to transfer large file to multiple user without using FTP SERVER.

Hi reddit, so I need to transfer a large file, about 55 GB (for work from home), and I tried using FTP, but in my country ISPs have a limit on FTP downloads. So I was looking for a way to transfer this huge file to multiple users, but the data has sensitive information that I don't want other people to get their hands on.

Is there any torrent service which is secure for sensitive files? Or any other recommendations?



Why would one use switchport port-security violation restrict ?

No text found
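The post has no body, so here is the comparison the title asks for, added as an example rather than taken from the post (interface, VLAN and MAC limit are assumed). The three violation modes differ in what happens when a frame arrives from a MAC address beyond the allowed maximum:

```cisco
! Added example, not from the post. Interface, VLAN and maximum are assumed.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 ! restrict: offending frames are dropped, the violation counter is
 ! incremented and a syslog message / SNMP trap is sent, but the port
 ! stays up and the learned MACs keep working.
 switchport port-security violation restrict
 !
 ! The alternatives, for comparison:
 !   protect  - drops the offending frames silently: no counter, no
 !              syslog, no trap, so nobody is told it happened.
 !   shutdown - the default; puts the port into err-disabled, which
 !              also cuts off the legitimate phone and PC until the port
 !              is bounced or recovery kicks in.
!
! If you do use shutdown mode, pair it with automatic recovery so a
! single unexpected MAC (a visitor's laptop on the phone's PC port, a
! hub someone plugged in) does not turn into a help-desk ticket.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

`restrict` is the middle ground: you keep the enforcement (the extra MAC gets nothing) and you keep the evidence (`show port-security interface GigabitEthernet1/0/10` shows the "Security Violation Count", and the syslog or trap lets a monitoring system raise an alert), without handing anyone who can generate a stream of random source MACs an easy way to err-disable your access ports. `shutdown` is the right choice where a violation should be treated as an incident that halts the port until someone looks; `protect` is rarely what you want, because a violation you are never told about is not one you can investigate.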