Saturday, June 6, 2020

Networking - File Sharing - Backup

Small auditing partnership firm. 2 PCs and 2 laptops connected in a network. All used for the same tasks like MS-Word, MS-Excel, PDF, TALLY (accounting software), etc.; none of the files will exceed a few MB. Nothing power-hungry. So, we decided that we don't need a NAS. We decided to save all the files on 1 PC and share them via the network to the other PC and laptops. We built this PC with better specs: R5 3400G, 16GB 3000MHz, 512GB NVMe SSD. This may look like a low-end PC, but for the work we do this is overkill. Well, we want to save all the files on this 512GB SSD (believe me, we won't even need 100GB a year, so this SSD will last at least 4 years) and share it via the network. The data is very important to us. Without it, zero work. So, here are my questions:

  1. Were our decisions correct?
  2. What kind of backup do I need? Should I use cloud storage or external HDD?
  3. If cloud then recommend something reliable and cheap as we don't even need 20GB a month. And I don't know how a cloud storage works. If 20GB a month, will I have 20GB of data that I stored in previous month?
  4. If cloud, then is there any way to sync periodically data from Network to cloud?
  5. Or should I use a HDD in another PC and back up the files to it via the Network itself.

Forgive me if I am wrong somewhere.



Is it just me, or has the quality of Cisco Press books significantly decreased in the past few years?

I just got finished reading through the Official Certification Guide for the new CCNP design exam on Safari/O'Reilly, and it is a complete joke. Aside from a couple of mediocre chapters on SDN, all of the content is a very light rehash of previous CCDA/CCDP certification guides and 15-year-old Cisco documentation.

I've noticed similar trends with their other newly-developed material, although this is definitely the worst one I've encountered so far.



How is my ISP switching gateway devices within a span of 1 minute?

Long story short, my ISP promised to provide 10Mbps, which he used to; recently some big system downtime happened, and after that the speed came down to 3Mbps. I thought my analysis would be better and found the things below.

He uses two providers to give the connection, which seems a common practice. However,

His MikroTik router, aka my gateway for the internet, is accessible at 10.6.6.1, but the interesting point is that I can access two devices with this IP. The two devices swap their connection status within a minute. How can someone do something like that? This is all coming from pain: when he switches to a different network, connection quality and speed are too flaky. Please help me.



Small Site Firewalls

I'm wondering what everyone's deploying as a small site (sub-10 users) FW nowadays. We've only had site FWs when we've inherited them from acquisitions, and only until we got them on MPLS or OWS circuits. I've still got those sitting in a drawer, but they're Sonicwall TZ200s which I think have been discontinued and aren't gig capable.

I've got a site coming up which will be off-net and the FW will just need to be gig capable. I'm not so keen on using ISP-provided equipment to do firewalling, even though the production ruleset is bound to be pretty basic, and I'm not entirely sure it'll be site-to-site VPN capable if we go that route down the line. It'll be sitting in front of a C3750X or 3850, so port density on the FW is not a factor.



SD-WAN beginner questions

Hi, I've been studying the last couple of months during quarantine: Python, Python libraries for networking, and now it's time for me to move on and finally look at SD-WAN properly, because at the moment I've never worked on one, never set one up, and honestly have no clue how it works for the most part. Below are the main questions I have at the moment about how it actually all works.

Are the vEdge routers dummy routers? Meaning, are they just a shell, almost, with a shell config that you can do on them, but in the end all they do is hook up to the vManage controller and everything is configured from there?

Are the vSmart, vBond and vManage appliances all separate physical appliances, or are they all in the one physical appliance?

Do SD-WAN devices stop at the border of an enterprise/data centre network? Meaning, are all the other devices below it (core/dist/access layer routers/switches/firewalls) still normal devices (ASAs, Nexus, SRXs, Catalysts, etc.)?

Is SD-WAN similar in the sense that a normal edge router would be when it has SLAs on it and PBR that dictates what type of route out certain packets can take? So all company network traffic is sent out the private MPLS connection and all public internet traffic goes out the normal ISP connection?

Do technologies like MPLS run with SD-WAN vEdge routers the same way a normal router would run MPLS for the same reason and way?

Thanks everyone



Hey guys, any idea how to assign an IP address to an Alpine Linux host in Cisco CML?

Hey guys, any idea how to assign an IP address to an Alpine Linux host in Cisco CML?



Setting up a Network Floating Licensing Server over the Internet with Static IP

I need to set up a floating license server that my team can connect to for our software. My team members are in different locations, so we need to connect over the internet. If someone can point me to some guides or a direction I need to look into, that would be great. I'm not an IT guy but I'm a mechanical engineer, so I understand some networking.



Desktop ethernet no internet, working on 2nd PC

So let me start off by saying what I’ve tried.

Resetting network switch

Making sure IP/DNS are on automatic

Switching ports and switching cable.

Updating drivers

CMD netsh int IP reset

The WiFi is working fine, as is Ethernet to my 2nd PC and laptop. I tried the same port and same cable on my desktop PC: network connected but no internet. I plugged my Ethernet cable directly into the modem and I have no problems; it's only when it's that one PC to the router.

Edit: I’m on Windows 10. Tried updating and rolling back updates



Where can I buy some short (1'-5') Cat5e or Cat6 cable somewhere that isn't an online store? I'm in Texas. If you know a chain that carries them in store, that would be awesome.

Thanks



What are some good options for firewall configuration translation (e.g. converting ASA to SRX or Checkpoint)?

I know each vendor usually has a tool, but in my experience they're pretty crappy.

I've been thinking about starting an open source project, maybe creating a file format to import to/export from, and then creating scripts to translate to/from various firewalls. Not sure if something like this exists but I haven't found anything.

I do a lot of firewall migrations at my job, and I know each vendor has their own caveats and peculiarities (zones vs levels, etc.), but it seems like if I can abstract enough into concepts I could at least get the major parts to work like NATs, security rules, and VPNs.



Is this a safe IP assumption?

I need to cache as eagerly as possible an IP address/country lookup.

Is it safe to say the first 3 segments would always be from Canada, or the first two? Like, if 100 users all had IPs 208.124.xxx.yyy, would every x or y be from the same provider in the same country?
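An added example (not from the post) of the caching design question behind this: cache the answer at the granularity the geolocation source actually vouches for, rather than assuming a fixed /24 or /16 boundary. The feed below is a constructed stand-in using RFC 5737 documentation ranges with invented countries; the deliberately split /24 shows why a fixed-prefix cache can return a stale answer. Both cache classes are assumptions for illustration, not a real library.

```python
import ipaddress

# Constructed stand-in for a geolocation feed: each entry is the exact block the
# feed vouches for.  RFC 5737 documentation ranges with invented countries; the
# split /24 is there to show that "same /24, same country" is not guaranteed.
CONSTRUCTED_FEED = [
    (ipaddress.ip_network("192.0.2.0/24"), "CA"),
    (ipaddress.ip_network("203.0.113.0/25"), "CA"),
    (ipaddress.ip_network("203.0.113.128/25"), "US"),
]


def feed_lookup(addr):
    """Stand-in for the slow external query: returns (country, block) or None."""
    for net, country in CONSTRUCTED_FEED:
        if addr in net:
            return country, net
    return None


class NaiveSlash24Cache:
    """Caches the first answer seen for a /24 and reuses it for the whole /24."""

    def __init__(self):
        self.by_24 = {}

    def country(self, ip):
        addr = ipaddress.ip_address(ip)
        block = ipaddress.ip_network(f"{addr}/24", strict=False)
        if block not in self.by_24:
            hit = feed_lookup(addr)
            self.by_24[block] = hit[0] if hit else None
        return self.by_24[block]


class PrefixCache:
    """Caches each answer under the block the feed reported, so a cached entry
    is only reused for addresses the feed said it covers."""

    def __init__(self):
        self.by_prefixlen = {}        # prefixlen -> {network: country}
        self.feed_calls = 0           # how often the slow path was taken

    def country(self, ip):
        addr = ipaddress.ip_address(ip)
        for plen in sorted(self.by_prefixlen, reverse=True):   # longest match first
            block = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            if block in self.by_prefixlen[plen]:
                return self.by_prefixlen[plen][block]
        self.feed_calls += 1
        hit = feed_lookup(addr)
        if hit is None:
            return None
        country, net = hit
        self.by_prefixlen.setdefault(net.prefixlen, {})[net] = country
        return country


if __name__ == "__main__":
    naive, exact = NaiveSlash24Cache(), PrefixCache()
    for ip in ("203.0.113.10", "203.0.113.200"):
        print(ip, "naive:", naive.country(ip), "prefix-aware:", exact.country(ip))
```

The prefix-aware cache is just as eager as the naive one for addresses inside a block it has already seen (the second lookup for 203.0.113.20 never touches the feed), but it cannot answer for 203.0.113.200 from the 203.0.113.0/25 entry.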



Can I replace Juniper MX with Juniper QFX or Arista 7020SR-24C

I have multiple MX routers with 200+ virtual router configs with BGP; each BGP session has a maximum of 100 prefixes. Can this be replaced with a Layer 3 switch?

Will there be any buffer issues? Routing performance issues?

Cost is the main reason to look for a replacement.



Switch in a closet? Need cooling? After doing too much reading, I presume “no” but would value opinions from those with practical experience.

First.

If I am in the wrong sub, let me know and I will delete the post.

Second. Solo shop, jack of all trades, master of none.

Moving offices. The old space had a conditioned room from previous tenants that had AC. I put my office in there and kept it at a pleasant 68 year round.

The new space has no such room and I am researching specs and standalone AC units.

I am putting in a Fortigate firewall/router and a Cisco 2960 48-port PoE switch. There is an on-prem Dell tower that manages printing.

I don’t think I need AC based on all the specs.

But I don’t want to be so smart I fail.

Thoughts?

Edit: typos



Anyone had luck deploying Cisco ngfwv HA in Azure?

Hi All,

Anyone had luck deploying Cisco ngfwv HA in Azure?

Been looking through these slides for the Cisco "load balancer sandwich" design - wondered if many people out there had used this design and if it's working well for you? Maybe looking at it soon and wanted to know if anyone had any hints or gotchas.

https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKSEC-2064.pdf

Thanks!



DoD network IP address 140.24.171.0 shows up on my netgear C3700-100NAS home residential router (Spectrum ISP) causing internet issues forcing chronic reboots

https://web.archive.org/web/20200606105256/https://pastebin.com/mkJi9kFe

https://imgur.com/a/4zQxfdZ

For months/years now I'm constantly seeing DoD IP addresses in my Netgear home residential router logs. I've been with Spectrum for many years, don't work for the DoD, and no one in the family works for the government, nor has anyone who lives here ever worked for the DoD etc...

Router is the Netgear C3700-100NAS, and I've tested this on three different identical physical units. Home ISP is Spectrum cable.


Chronically and consistently I'll intermittently get periods where the internet craps out, and by that I mean the router is reachable from another computer that is directly connected via Ethernet cable (not using WiFi etc.) and I can ping the local router on 192.168.0.1 etc., but sometimes, even though I can ping yahoo.com or 1.1.1.1 etc., in any web browser session I cannot reach any actual website pages. Other times I can ping the router but cannot ping any internet-based IP addresses even though I can ping other local device IPs on the same LAN.

Suspiciously, many times whenever I start noticing internet problems and log into the router to check the logs I'll always see some weird source IP address trying to target me, with the accompanying router log column description of "[DoS attack: Illegal Fragments] from 140.24.171.0, port 0"; in this instance lately it has been from the IP address 140.24.171.0.

I look up this IP address of 140.24.171.0 and apparently it belongs to the DoD network, but I cannot ping it, cannot traceroute it, and have no idea why it's always there in my logs. I had even at one point in time switched to a brand new router of the same model, firmware updated, etc., a completely new physical device, but nonetheless I'm still getting these weird IP addresses showing up in my logs, and consistently whenever a whole bunch of them start showing up at the same time I start having internet issues of pages taking forever to load and/or then not loading at all, forcing me to do a hard reboot/power cycle on the router before it will work again.

I'm not using any devices between the router and Spectrum (ISP); the coax cable plugs directly into my router, and I have a desktop that is plugged directly into the RJ-45 of the router itself, and in all my testing I'm using a desktop directly attached to the router via the Ethernet cable and not going through anything else.




Segment Routing Production Experiences

Have any of you installed or upgraded to Segment Routing in any parts of your network? How is the inter-operation between vendors? What type of advice or guidance would you give someone looking at the technology today? What were some of your challenges with deploying the technology?



Ground bus bar will be installed in our MDF by electricians and will be tapping off of ground rod from adjacent building, will there be any issue with multiple grounds connected to our 2 post rack?

Hello,

As the title states, we will have electricians install a grounding bus bar in our MDF. It will be mounted on the wall. The equipment which is mounted on the rack are obtaining their ground from the PDU or UPS.

My concern is, if we wanted to run a dedicated ground wire for the 2 post rack to the grounding bus bar, would a ground loop of some sort occur? We want to ensure the rack has a good ground and would not like to rely on the rack mounted equipment. The ground bus bar will also be used for other equipment in the MDF.

Thank you.

Edit: Grammar correction.



How to configure snort with maria DB

Hi everyone, I'm trying to configure and connect snort with maria DB but facing some issues. So do you have any source where they explained this process? Thanks in advance



Friday, June 5, 2020

How do I port forward if my router doesn't show options for which protocols to use? (TCP, UDP etc.)

I want to port forward Call of Duty Warzone since I'm getting ~500% packet loss in the game and want to eliminate my lag. I looked up a tutorial for how to do this, but there seems to be something missing from my router's settings. I don't see many of the options the tutorials show. My router's port forwarding section looks like this. Any help would be greatly appreciated. Thanks!



Does armored underground fiber optic cable need to be grounded?

Hello all,

I cannot get a straight answer after hours of researching this topic. I plan on running a pre-terminated single mode fiber optic cable with armored tubing between two buildings (less than 35ft). I stumbled across some information that mentioned that the fiber should be grounded.

I was under the impression that fiber optic didn't conduct electricity and is the ideal solution to be run underground in PVC conduit between two buildings.

Thank you.



Which routers should I get??

I've gone through a couple of routers: TP-Link Archer C7, C2300, Netgear R7000, and I just got an XR300. I need something with good QoS features. If anyone can recommend something specifically within the $190 range with QoS features in mind... I did research and I was considering doing an EdgeRouter setup with an access point or getting an Eero router. Idk, I did research and the EdgeRouter Lite is looking like something I'd consider. I'm pretty novice when it comes to these sorts of things. Thank you in advance, good people.



Does spectrum see the same config page as me when logging in from browser?

I work as a tier 1 network tech for a small company. I manage mostly the internet/phone systems for Domino's stores and I am getting really tired of Spectrum configuring the modem improperly (and I know it is done improperly because they sometimes have the incorrect static IPs in the modem, for example, or DHCP/firewall is just not turned off). Now, I have no idea what a Spectrum technician sees from his/her end. I assume they have a lot more tools at their disposal, but I would like to script the modem myself for the specific static IPs Spectrum gave us, turn DHCP off, firewall off etc. so that I know how it is done, and know that it is configured how we want it for our use case. I guess my question is, can I achieve the exact same results as a Spectrum technician by just showing up on site with my laptop and connecting directly to the modem to configure it myself?



How come [Cisco's] vendor documentation often doesn't include the preamble and interframe gap when calculating ethernet overhead?

I get that the preamble and the interframe gap aren't actually fields in Ethernet's layer 2 header, but they still take up bandwidth, so it seems nonsensical to exclude them from bandwidth calculations. I'm specifically thinking of VoIP: Cisco claims that a G.711 call will take up 87kbps of data when you include RTP, UDP, IP, and Ethernet overhead. However, when you factor in the preamble and interframe gap, that number actually becomes 95kbps.
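The arithmetic behind the two figures in the post, as an added example (not from the post or from Cisco's documentation). It uses the standard header sizes (RTP 12, UDP 8, IPv4 20, Ethernet 14 + 4 FCS) and the usual 20 ms packetization; the 8-byte preamble/SFD and 12-byte inter-frame gap are the Layer 1 overhead the post is talking about. The function names are my own, and the optional 802.1Q tag is included as a parameter because a tagged trunk adds 4 more bytes per frame.

```python
# Added example: per-call VoIP bandwidth with and without the Ethernet
# preamble/SFD and inter-frame gap (IFG).  All sizes in bytes.
RTP_HEADER = 12
UDP_HEADER = 8
IPV4_HEADER = 20
ETH_L2 = 14 + 4            # dst/src MAC + EtherType, plus the 4-byte FCS
ETH_L1 = 8 + 12            # preamble + SFD (8) and the 12-byte inter-frame gap
VLAN_TAG = 4               # optional 802.1Q tag on a trunk


def frame_bytes(codec_bps, packetization_ms, include_l1=False, vlan_tag=False):
    """Bytes one voice packet occupies on the wire."""
    payload = codec_bps * packetization_ms // 8000    # voice bytes per packet
    size = payload + RTP_HEADER + UDP_HEADER + IPV4_HEADER + ETH_L2
    if vlan_tag:
        size += VLAN_TAG
    if include_l1:
        size += ETH_L1
    return size


def voip_bps(codec_bps, packetization_ms, include_l1=False, vlan_tag=False):
    """Line-rate bandwidth (bits/s) of one direction of one call."""
    pps = 1000 / packetization_ms                      # packets per second
    return frame_bytes(codec_bps, packetization_ms, include_l1, vlan_tag) * 8 * pps


def l1_underestimate_pct(codec_bps, packetization_ms):
    """How far a table that omits preamble+IFG undershoots the wire figure, in %."""
    without = voip_bps(codec_bps, packetization_ms)
    with_l1 = voip_bps(codec_bps, packetization_ms, include_l1=True)
    return round((with_l1 - without) / with_l1 * 100, 1)


if __name__ == "__main__":
    for name, bps in (("G.711", 64000), ("G.729", 8000)):
        print(f"{name} @ 20 ms: {voip_bps(bps, 20) / 1000:.1f} kbps (L2 only), "
              f"{voip_bps(bps, 20, include_l1=True) / 1000:.1f} kbps (with preamble+IFG), "
              f"table undershoots by {l1_underestimate_pct(bps, 20)}%")
```

For G.711 this reproduces the 87.2 kbps and 95.2 kbps figures from the post; the gap is proportionally larger for small-payload codecs, since the fixed 20 bytes of Layer 1 overhead are a bigger share of a short frame. When sizing a link or an admission-control limit for many concurrent calls, the with-L1 number is the one the wire actually consumes.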



Networking Upgrade

We are planning a network upgrade to our site (we are currently on a Cisco C4507R-E that is slowly dying).

On our access layer, we have mostly Cisco C2960-X switches. I was planning on stacking those (we don't have the stacking modules yet) to increase the bandwidth between them, and then using a DAC to connect the master in the stack to our Aruba 5400R that we are getting next week. However, on a call with Aruba, they said they could not certify that a DAC running between a C2960-X SFP+ port to an SFP+ port on the 5400R would work. Does anyone have any suggestions as to what I should do in this scenario? The C2960-X and 5400R are in the same closet, if that helps. Thanks to anyone who helps, and happy to provide more details if necessary.



General networking questions:

I should preface this by saying I'm not all that knowledgeable in networking. But I wish to learn as much as possible! :) I want to know enough about networking to ensure our business's network is configured correctly, safely, and is well secured.

I understand that VLANs are an L2 technology that effectively "splits" a switch into smaller sections, which can then be connected together again via patch cables (although this defeats the purpose) or via routers, where each partition can be assigned a mutually exclusive IP bitmask. Therefore if you have N networks, you need N-1 routers between them to allow L2 communication with LAN devices and L3 communication with stuff from the other LANs. Is my understanding correct?

I know NAT allows multiple users to appear as a single user to the ISP, as NAT plays shenanigans with ports to emulate a single user, but this just makes things so confusing to me, at least in the context of typical edge routers.

If NAT can cloak many devices on a network to appear as a single device, does it improve security? Especially since the basic firewall that's often "bundled" generally blocks incoming connections on all ports by default.

On home routers, what exactly does DMZ do? Forward all incoming connections to a specific device? How does the router know what traffic goes to my server and what traffic goes to all the other devices?

On enterprise systems, does "DMZ" simply mean to put a specific device on the outside of the LAN? This would then imply that LAN devices must communicate to it over IP since you basically put one of your devices directly on the WAN side.

While doing some research on how to set up a secure and robust network, I came across Steve Gibson's "3 dumb routers" approach. But should NAT be disabled on the 2 inner routers? I don't know if the firewall rules require that it be enabled, or if NAT provides an extra layer of security and should be left enabled.



Router for small business?

Looking at some of the Synology routers (like the RT2600ac). Low cost and security are the most important factors. The business is a restaurant with up to 30 people, and speeds will be limited/bottlenecked by the standard 30Mbps cable broadband anyway.

Features I'm looking for:

  • I don't necessarily need a router with an access point, if we can save money this way.
    • We currently have an AirTight C-75 Access Point. The manual/datasheet even provides radiation patterns, not typically seen on consumer-level stuff! :D However, it was configured by the previous owner of the business and we'll need to reset it. It seems we need a special UART/RS232 RJ-45 adapter to SSH into its console, although I have not looked into it too much yet.
  • high degree of isolation between "guest" network and critical employee network (with Square POS, employee's BYOD's, NAS, inventory system, etc)
    • I like Steve Gibson's "3 dumb routers" solution, using the firewall of the routers to isolate threats between the networks. But would prefer one device rather than buying 3 junky routers that may lack support and have security vulnerabilities.
  • Wireless isolation on guest network: ideally each guest user will only see their device and the router. A potential hacker will not be able to see or intercept traffic from other users on the guest network.
    • Not sure if the C-75 mentioned above does this, we don't have the cable to play with the configuration of it.
    • Perhaps a "sign in" page? What would be required to do what is often seen with hotel WiFi?
  • Features that enable bandwidth caps or a timeout
    • As a cafe, we tend to have our customers hang out at seating long after meals with laptops. It's unfair to other customers who then have no seating. So with a timeout feature we hope to encourage more movement.
  • VPN capability
    • As the network admin, I might need remote access to the network at some point. :)
  • All the other standard edge-router capabilities (NAT, ipv6, port forwarding, integrated switch and access point, etc)


Comcast Business Gateway as Firewall

Hello r/networking,

Looking for some opinions on what others would do in my shoes and what problems I'm not seeing. I have a small customer who just moved into her first office. The office is less than 300 square feet and I was wondering if anyone would recommend she just run off a Comcast Business Gateway? I asked r/msp and they recommended the UDM (non-Pro) from Ubiquiti.

The work they do is 99% cloud based and they don't plan on running any internal servers. Just a few laptops that VPN to her clients, and they complete their work on their customers' networks. It's an accounting/law firm.

Is there any security risk running off a Comcast Business box? I was also considering deploying a USG or EdgeRouter with an AP as well.

Thanks for the feedback!!



Cisco CML 2.0 how to do wireshark?

I didn't see any document from Cisco regarding Wireshark on the new Cisco CML 2.0. On VIRL we used to do tcpdump on the neutron port, but I'm not sure how that model will fit here in CML 2.0.

Anybody have any thoughts on it?



Help with VLAN

Hello guys,

I'm not a networking expert at all, as I've started playing around with Ubiquiti UniFi switches and APs just recently with no experience before that.

I'm a bit confused right now as to why my setup isn't working, so I'll try my best to explain the situation:

We have a bunch of access points with 2 SSIDs, one for users and one for guest users (which includes employers' phones and tablets), and I've set them up initially to share our production network with some guest policy set up in the UniFi Controller.

Now I've got a problem: our DHCP server, which runs on a machine with Windows Server 2008 R2 (I know, it's old af, but an upgrade is on its way), is nearly full as the number of guest users has increased lately.

So I thought it would be better to create a VLAN for guest users only.

I've got a Stormshield SN300 firewall in which I've configured a VLAN on the internal interface with ID 100 and assigned a static IP (192.168.100.201/24) on the firewall for that VLAN.

I've set up a VLAN-only network in the UniFi Controller (with ID 100) and enabled the "use VLAN" flag in the Wi-Fi network settings of the guest network.

The last step was to create a new scope in the DHCP management of the Windows server and enable DHCP relay on the Stormshield firewall.

After I'd done all of this I tried connecting to the guest network, only to find out the laptop I was using could not reach the DHCP server. I have even tried to set up a static IP address on the WLAN interface of the laptop, but I can't ping either the firewall or the DHCP server.

So I'm stuck for now. I admit that I have only read about VLANs and never actually used them, so most probably there's a problem in my setup.

Thank you very much for your help.



Starting out

Hi, I am not an expert in anything to do with becoming an ISP.

I am trying to find a new side hustle and I was thinking, why not become my own ISP? What do you guys think I should do or know to get started? I am in no way a pro in these things, and I have some basic knowledge. It would also be awesome if you guys could give me the amount of money needed to get started.



Aruba 8325 Speed Groups

Hello good people of /r/networking

First time poster, long time lurker here.

Just got some new fancy Aruba 8325 switches and got a problem connecting 10gig SFP+ to the switch; I got the error: Group speed mismatch

After some googling I found this post that solved the problem but does not explain the reason why they did it like this.

https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/AOS-CX-8325-Port-Speed-Settings-following-quot-Group-speed/td-p/552650

Can anyone explain why Aruba has done it like this?



Planning Out Subnet Expansion

Hey everyone,

I have a pair of VDI networks in my environment. Each network sits in a different data center. For example 10.1.0.0/24 is in data center A and 10.2.0.0/24 is in data center B. Recently, we have started to expand the VDI network past 230 devices and naturally each environment is having issues with the DHCP pools and leases. At first we started reducing the DHCP lease time, but eventually we grew past 230 desktops in each subnet, so naturally I think it's time that I expand the networks. Each subnet is bound to corresponding/matching VLANs in each data center (let's say VLAN 10). There's a couple of different ways I could skin this cat, and I am looking for opinions on the best/easiest way. Here are the options that I am thinking about:

  1. I could simply create a new subnet in each data center. 10.1.1.0/24 and 10.2.1.0/24 are both available. This would require me to make a new gateway (gateways are on our firewalls), a new DHCP pool (AD integrated), and to update some firewall rules for the new subnets. I would also have to create new VLANs.
  2. I could update the subnetting to expand the available hosts in each subnet. I could update 10.1.0.0/24 to 10.1.0.0/23 and update 10.2.0.0/24 to 10.2.0.0/23. I wouldn't have to create a new gateway, but I would have to update the information on the firewalls, switches, and VLANs to support this.

The caveats to method 1 is that in my VDI software, I would have to create a different pool of desktops as the new network would merit a new distributed port group. I don't think I have the ability to say VDI pool X can use multiple distributed port groups. I would also have to do a bunch of heavy lifting at both the firewall level to create new objects, new ACEs (for logging), and new gateways. I would then also have to create new VLANs on the switches and trunk the new VLANs down my UCS uplinks to the blades.

While I would still have to do some of this legwork with method 2, in most instances it's simply updating the networks to reflect a /23 instead of a /24. My only concern is that I've not done a lot of networking in the /23 space with gateways and stuff. Usually in a /24 my gateways are at .1, and I would guess that this would still be okay, but then does that mean an IP address like 10.1.1.0/23 would be a valid host address? Could a computer/VDI get 10.1.1.0/23 as a DHCP'd address?

Any insight on this would be great. Thanks in advance for your thoughts!
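An added example (not from the post) that works the /24 to /23 change through with Python's standard ipaddress module, using the post's own 10.1.0.0/24 and the ".1 gateway" convention. It reports which addresses the widened block gains, whether the existing gateway stays a valid host, and whether a given address such as 10.1.1.0 is assignable inside the new mask; the function names and the mask-mismatch check are my own.

```python
import ipaddress


def widen(old_cidr, new_prefix):
    """Describe what changes when old_cidr (e.g. 10.1.0.0/24) becomes a /new_prefix."""
    old = ipaddress.ip_network(old_cidr, strict=True)     # strict: must be an aligned block
    new = old.supernet(new_prefix=new_prefix)
    new_hosts = set(new.hosts())                          # excludes network and broadcast
    added = sorted(a for a in new_hosts if a not in old)  # host addresses that did not exist
    gateway = old.network_address + 1                     # the ".1" convention from the post
    return {
        "new_network": str(new),
        "same_base": new.network_address == old.network_address,  # False if old sat in the upper half
        "gateway_still_valid": gateway in new_hosts,
        "usable_hosts": len(new_hosts),
        "first_added": str(added[0]),
        "last_added": str(added[-1]),
        "old_broadcast_now_a_host": old.broadcast_address in new_hosts,
        "new_broadcast": str(new.broadcast_address),
    }


def is_usable_host(addr, cidr):
    """True if addr is assignable inside cidr (in the block, not network or broadcast)."""
    a = ipaddress.ip_address(addr)
    n = ipaddress.ip_network(cidr, strict=False)
    return a in n and a not in (n.network_address, n.broadcast_address)


def mask_mismatch(host_cidr, gateway_cidr):
    """True when a host still carrying the old mask disagrees with the gateway about
    the network boundary, the symptom of a half-finished migration."""
    h = ipaddress.ip_network(host_cidr, strict=False)
    g = ipaddress.ip_network(gateway_cidr, strict=False)
    return h != g


if __name__ == "__main__":
    for key, value in widen("10.1.0.0/24", 23).items():
        print(f"{key:26} {value}")
    print("10.1.1.0 usable in 10.1.0.0/23:", is_usable_host("10.1.1.0", "10.1.0.0/23"))
    print("host on /24 vs gateway on /23 mismatch:", mask_mismatch("10.1.0.50/24", "10.1.0.1/23"))
```

Two practical points the output makes visible: the old /24's broadcast address (10.1.0.255) becomes an ordinary host address in the /23, so nothing should keep filtering it, and every device that holds the mask (firewall interface, switch SVI, DHCP scope, any static host) has to change at the same time, because a host still on /24 treats the upper half of the /23 as off-link and sends that traffic to the gateway instead of directly.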



T568A vs T568B?

  1. Why are there two standards?
  2. Which one do you use?
  3. Do you think one will go away completely?


How does server know when client sends data?

I am sending data from my client to the server when a particular event on the client side takes place. However, since the server doesn't know when the client will send data, it reads from the stream but finds nothing.

Is there any way to create a listener so that the server knows when the client is sending data?
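An added example (not from the post) of the usual answer to this: the server waits on a readiness notification (Python's selectors module, which wraps select/poll/epoll) instead of reading blindly, and the client marks message boundaries with a length prefix, since a TCP stream has none of its own. The framing and function names are mine; the demo runs both ends in one process over a socketpair so it needs no network.

```python
import selectors
import socket
import struct

HEADER = struct.Struct("!I")     # constructed framing: 4-byte big-endian payload length


def send_frame(sock, payload):
    """Client side: prefix the event payload with its length so the server can
    tell where one message ends (TCP itself has no message boundaries)."""
    sock.sendall(HEADER.pack(len(payload)) + payload)


def _recv_exact(sock, n, sel, timeout):
    """Read exactly n bytes, waiting on the selector before each recv();
    returns None on timeout or if the peer closed the connection."""
    buf = bytearray()
    while len(buf) < n:
        if not sel.select(timeout):          # empty list: nothing readable before timeout
            return None
        chunk = sock.recv(n - len(buf))
        if not chunk:                        # orderly close by the peer
            return None
        buf += chunk
    return bytes(buf)


def recv_frame(sock, timeout=1.0, max_len=1 << 16):
    """Server side: block only until data is actually available, then read one
    complete frame.  max_len bounds the allocation an untrusted client can force."""
    sel = selectors.DefaultSelector()
    sel.register(sock, selectors.EVENT_READ)
    try:
        header = _recv_exact(sock, HEADER.size, sel, timeout)
        if header is None:
            return None
        (length,) = HEADER.unpack(header)
        if length > max_len:
            raise ValueError(f"frame of {length} bytes exceeds limit {max_len}")
        return _recv_exact(sock, length, sel, timeout)
    finally:
        sel.close()


def demo():
    """Same-process client/server: an idle wait times out cleanly, then one
    event frame is delivered intact.  Returns (idle_result, message)."""
    client, server = socket.socketpair()
    with client, server:
        idle = recv_frame(server, timeout=0.1)     # no event yet: None, not an empty read
        send_frame(client, b"event: button pressed")
        return idle, recv_frame(server, timeout=1.0)


def demo_oversized(limit=1024):
    """A client announcing a frame far above the limit is rejected before any allocation."""
    client, server = socket.socketpair()
    with client, server:
        client.sendall(HEADER.pack(limit * 1000))
        try:
            recv_frame(server, timeout=1.0, max_len=limit)
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    print(demo(), demo_oversized())
```

In a real server the same selector also holds the listening socket and every accepted connection, so one loop over sel.select() services all clients without a thread per connection; the length cap matters because the prefix is attacker-controlled input and should never be passed straight to an allocation.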



Cisco SD-WAN REST Issues!!

WOW!!!

So today I finally tried out the Cisco SD-WAN sandbox on their DevNet site and WOW, it was an absolute mess trying to get anything REST related to work. I spent the last 4 hours trying every which way possible to get an API response back for ANY API call, and in the end I got this back every time.....

>>> arp= requests.get('https://10.10.20.90:8443/dataservice/device/arp?deviceI d=10.10.20.80', verify=False) C:\Users\<REMOVED>\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib 3\connectionpool.py:979: InsecureRequestWarning: Unverified HTTPS request is bei ng made to host '10.10.20.90'. Adding certificate verification is strongly advis ed. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnin gs warnings.warn( >>> >>> print(arp.text) <html> <head> <title>Cisco vManage</title> <link rel="stylesheet" type="text/css" href="/login.css"> <link rel="stylesheet" type="text/css" href="/fonts/font-awesome-4.2.0/css/f ont-awesome.min.css"> <link rel="stylesheet" type="text/css" href="/bootstrap.min.css"> <script type="text/javascript" src="/javascript/jquery.js"></script> <link rel="icon" type="image/ico" href="/images/favicon.ico"/> <script> var count = 1, max = 30; function init(){ var rebootBlock = document.getElementById('reboot_message'); rebootBlock.style.display = "none"; var loginBlock = document.getElementById('login_message'); loginBlock.style.display = "block"; checkServerStatus(); } function checkServerStatus() { if(count <= max){ var xhr = new XMLHttpRequest(); xhr.open("GET", "/dataservice/client/server/ready", true); xhr.onload = function (e) { if (xhr.readyState === 4) { if (xhr.status === 200) { var rebootBlock = document.getElementById('reboot_message'); rebootBlock.style.display = "none"; var loginBlock = document.getElementById('login_message'); loginBlock.style.display = "block"; } else { var rebootBlock = document.getElementById('reboot_message'); rebootBlock.style.display = "block"; var loginBlock = document.getElementById('login_message'); loginBlock.style.display = "none"; count++; setTimeout(checkServerStatus, 10000); } } }; xhr.onerror = function (e) { count++; setTimeout(checkServerStatus, 10000); }; xhr.send(null); }else{ var rebootBlock = document.getElementById('reboot_message'); 
rebootBlock.style.display = "none"; var loginBlock = document.getElementById('login_message'); loginBlock.style.display = "block"; } } function validateForm() { if(loginForm.j_username.value.length==0 || loginForm.j_username.value==" ") { showErrorMessage("Invalid Username."); document.getElementById("j_username").className="login-input-error"; return false; } else if(loginForm.j_password.value.length == 0 || loginForm.j_password .value=="") { showErrorMessage("Invalid Password.") document.getElementById("j_password").className="login-input-error"; return false; } else { hideErrorMessage(); return true; } } function showErrorMessage(msg) { document.getElementById("errorMessageBox").innerHTML=msg; }; function hideErrorMessage() { document.getElementById("errorMessageBox").innerHTML=' '; document.getElementById("j_username").className="login-input-value"; document.getElementById("j_password").className="login-input-value"; } </script> </head> <body onload="init()"> <div name="Login" class="loginContainer"> <div class="loginInnerContainer"> <div class="productCategory">Cisco SD-WAN</div> <form class="loginFormStyle" name="loginForm" id="loginForm" method="POS T" action="j_security_check" onsubmit="return validateForm()" autocomplete="off" > <div name="logoMainContainer" class="logoMainContainer"></div> <div class="brand-logo-text"><span>Cisco vManage</span></div> <p id="errorMessageBox" name="errorMessageBox" class='errorMessageBox '></p> <div id="reboot_message" class="reboot-message-block"> <div class="reboot-message">Server is initializing. 
Please wait.</di v> <i class="fa fa-circle-o-notch fa-spin fa-3x fa-fw"></i> </div> <div id="login_message" style="display: none;"> <div class='onyx-groupbox login-wrap' name="inputFields"> <div class="onyx-input-decorator login-input"> <input type="text" class="login-input-value" size="18" id="j_username" name="j_username" maxlength="64" placeholde r="Username" value="" onfocus="hideErrorMessage()" autofocus /> </div> <div class="onyx-input-decorator login-input"> <input type="password" class="login-input-value" size="18" id="j_password" name="j_password" placeholder="Password" v alue="" onfocus="hideErrorMessage()" /> </div> </div> <div class='onyx-sample-tools login-wrap'> <input type="submit" name="submit" value="Log In" class="login-b utton" /> </div> </div> </form> </div> </div> </body> </html> 

I don't know if it's just THAT API being crap or what, but I stand by what I said a few times on here now.....GIVE ME PYTHON/NORNIR/NETMIKO/NAPALM ANY DAY OF THE WEEK!
I tried port 443, entering the creds in the request, and even tried making REST calls on the vManage box itself, and STILL got the same error. THANKS FOR THE DOCUMENTATION EXPLAINING THIS CISCO....UNBELIEVABLE!
After spending almost 4 hours pulling my hair out trying every which way to get that useless thing to work, having a rant and putting this to people on here is justified in my opinion!
I don't know if it's just that API in particular being terrible or me doing something wrong, BUT THANKS FOR THE DOCUMENTATION ON HOW TO FULLY DO AN API CALL CORRECTLY, MY GOD I NEED A BREAK...wow!



Will WireGuard replace IPSec/OVPN/etc. in future?

Obviously commercial site-to-site will remain IPsec for the near future, as products like Cisco's won't change overnight. But elsewhere, I believe it will. Interested to hear everyone's thoughts.



I HATE CISCO'S SD-WAN REST API

WOW!!!

So today I finally tried out the Cisco SD-WAN sandbox on their DevNet site and HOOOOLY SHIT it was a shit show trying to get anything REST related to work! I'm sorry for swearing but my god I spent the last 4 hours trying every which way possible to get an API response back for ANY API call, and in the end EVERY F****** TIME I got this back.....

>>> arp= requests.get('https://10.10.20.90:8443/dataservice/device/arp?deviceId=10.10.20.80', verify=False)
C:\Users\<REMOVED>\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3\connectionpool.py:979: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.10.20.90'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
>>>
>>> print(arp.text)
<html> <head> <title>Cisco vManage</title> <link rel="stylesheet" type="text/css" href="/login.css"> <link rel="stylesheet" type="text/css" href="/fonts/font-awesome-4.2.0/css/font-awesome.min.css"> <link rel="stylesheet" type="text/css" href="/bootstrap.min.css"> <script type="text/javascript" src="/javascript/jquery.js"></script> <link rel="icon" type="image/ico" href="/images/favicon.ico"/>
<script> var count = 1, max = 30; function init(){ var rebootBlock = document.getElementById('reboot_message'); rebootBlock.style.display = "none"; var loginBlock = document.getElementById('login_message'); loginBlock.style.display = "block"; checkServerStatus(); } function checkServerStatus() { if(count <= max){ var xhr = new XMLHttpRequest(); xhr.open("GET", "/dataservice/client/server/ready", true); xhr.onload = function (e) { if (xhr.readyState === 4) { if (xhr.status === 200) { var rebootBlock = document.getElementById('reboot_message'); rebootBlock.style.display = "none"; var loginBlock = document.getElementById('login_message'); loginBlock.style.display = "block"; } else { var rebootBlock = document.getElementById('reboot_message'); rebootBlock.style.display = "block"; var loginBlock = document.getElementById('login_message'); loginBlock.style.display = "none"; count++; setTimeout(checkServerStatus, 10000); } } }; xhr.onerror = function (e) { count++; setTimeout(checkServerStatus, 10000); }; xhr.send(null); }else{ var rebootBlock = document.getElementById('reboot_message'); rebootBlock.style.display = "none"; var loginBlock = document.getElementById('login_message'); loginBlock.style.display = "block"; } } function validateForm() { if(loginForm.j_username.value.length==0 || loginForm.j_username.value==" ") { showErrorMessage("Invalid Username."); document.getElementById("j_username").className="login-input-error"; return false; } else if(loginForm.j_password.value.length == 0 || loginForm.j_password.value=="") { showErrorMessage("Invalid Password.") document.getElementById("j_password").className="login-input-error"; return false; } else { hideErrorMessage(); return true; } } function showErrorMessage(msg) { document.getElementById("errorMessageBox").innerHTML=msg; }; function hideErrorMessage() { document.getElementById("errorMessageBox").innerHTML=' '; document.getElementById("j_username").className="login-input-value"; document.getElementById("j_password").className="login-input-value"; } </script> </head>
<body onload="init()"> <div name="Login" class="loginContainer"> <div class="loginInnerContainer"> <div class="productCategory">Cisco SD-WAN</div> <form class="loginFormStyle" name="loginForm" id="loginForm" method="POST" action="j_security_check" onsubmit="return validateForm()" autocomplete="off" > <div name="logoMainContainer" class="logoMainContainer"></div> <div class="brand-logo-text"><span>Cisco vManage</span></div> <p id="errorMessageBox" name="errorMessageBox" class='errorMessageBox'></p> <div id="reboot_message" class="reboot-message-block"> <div class="reboot-message">Server is initializing. Please wait.</div> <i class="fa fa-circle-o-notch fa-spin fa-3x fa-fw"></i> </div> <div id="login_message" style="display: none;"> <div class='onyx-groupbox login-wrap' name="inputFields"> <div class="onyx-input-decorator login-input"> <input type="text" class="login-input-value" size="18" id="j_username" name="j_username" maxlength="64" placeholder="Username" value="" onfocus="hideErrorMessage()" autofocus /> </div> <div class="onyx-input-decorator login-input"> <input type="password" class="login-input-value" size="18" id="j_password" name="j_password" placeholder="Password" value="" onfocus="hideErrorMessage()" /> </div> </div> <div class='onyx-sample-tools login-wrap'> <input type="submit" name="submit" value="Log In" class="login-button" /> </div> </div> </form> </div> </div> </body> </html>

EVERY....F******* TIME!!! I don't know if it's just THAT API being a piece of shit or what, but I stand by what I said on this thread a few days back.....GIVE ME PYTHON/NORNIR/NETMIKO/NAPALM ANY DAY OF THE WEEEEEEK.....Absolute JOKE.
I tried port 443, entering the creds in the request, and even tried making REST calls on the vManage box itself, and STILL got the same error. THANKS FOR THE DOCUMENTATION EXPLAINING THIS CISCO....UNBELIEVABLE!
That is the most I've ever sworn on Reddit, but after spending almost 4 hours pulling my hair out trying every which way to get that useless thing to work, it's justified!
I don't know if it's just that API in particular being a bag of shit or me doing something wrong, BUT THANKS FOR THE DOCUMENTATION ON HOW!!!! TO DO AN API CALL CORRECTLY, MY GOD I NEED A BREAK...Haha wow!



Frrouting x86 performance

I am wondering if anybody has done some tests on:

  1. Native kernel performance, i.e. raw throughput of Debian or CentOS running the frrouting package.

  2. Running VXLAN with EVPN, raw throughput.

  3. Any recommendations on 10Gbps Ethernet cards which can achieve close to 8 to 10Gbps with both raw and VXLAN-encapsulated throughput, with just Linux and frrouting?



Noob with routing protocols - creating a point-to-point link for running a routing protocol with the least implications for packet fragmentation?

Hi,

I've been asked to think about/plan solutions for mobile backup connections for fiber connections. Routing normally works with BGP to the CPE over the fiber. Now I'm wondering what would be the preferred way of creating a point-to-point link over a public mobile network as a backup connection for a backup BGP session? Short and maybe poor description, I know. If a tunneling protocol would be needed I was thinking GRE might be what you'd want to use, but on the other hand you probably want some security/authentication as well.

Still, I wonder what the implications are for packet fragmentation, since I think all kinds of tunneling involve some overhead? My preferred solution would be to use private mobile networks and not use tunneling protocols at all.

If anyone has designed such backup links would be interested to hear how they planned it.



VXLAN - One tunnel per interface

Hi!

I've been working with VXLAN in the company network for a few weeks and have a question I can't find the answer to.

I know that you can bind a VXLAN VNI to a specific VLAN or an Ethernet service instance. But is it possible to bind all traffic from a specific interface to be transported through the tunnel?

What I want to achieve is for all frames coming in from an interface to get tagged with a specific VNI, regardless of the VLANs those frames are tagged with.

I think that this is not possible, but if it was that would be great! Just ask if you need to know more!

Thanks in advance!

/Rob



Why are my REST-API Cisco SD-WAN calls not working...

Hi, right now as I type this I'm on the Cisco DevNet sandbox using the SD-WAN sandbox; the main reason I'm using it at the moment is to play around with REST API calls to it. However, no matter what call I try, I always receive this back in the response:

>>> arp= requests.get('https://10.10.20.90:8443/dataservice/device/arp?deviceId=10.10.20.80', verify=False)
C:\Users\<REMOVED>\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3\connectionpool.py:979: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.10.20.90'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
>>>
>>> print(arp.text)
<html> <head> <title>Cisco vManage</title> <link rel="stylesheet" type="text/css" href="/login.css"> <link rel="stylesheet" type="text/css" href="/fonts/font-awesome-4.2.0/css/font-awesome.min.css"> <link rel="stylesheet" type="text/css" href="/bootstrap.min.css"> <script type="text/javascript" src="/javascript/jquery.js"></script> <link rel="icon" type="image/ico" href="/images/favicon.ico"/>
<script> var count = 1, max = 30; function init(){ var rebootBlock = document.getElementById('reboot_message'); rebootBlock.style.display = "none"; var loginBlock = document.getElementById('login_message'); loginBlock.style.display = "block"; checkServerStatus(); } function checkServerStatus() { if(count <= max){ var xhr = new XMLHttpRequest(); xhr.open("GET", "/dataservice/client/server/ready", true); xhr.onload = function (e) { if (xhr.readyState === 4) { if (xhr.status === 200) { var rebootBlock = document.getElementById('reboot_message'); rebootBlock.style.display = "none"; var loginBlock = document.getElementById('login_message'); loginBlock.style.display = "block"; } else { var rebootBlock = document.getElementById('reboot_message'); rebootBlock.style.display = "block"; var loginBlock = document.getElementById('login_message'); loginBlock.style.display = "none"; count++; setTimeout(checkServerStatus, 10000); } } }; xhr.onerror = function (e) { count++; setTimeout(checkServerStatus, 10000); }; xhr.send(null); }else{ var rebootBlock = document.getElementById('reboot_message'); rebootBlock.style.display = "none"; var loginBlock = document.getElementById('login_message'); loginBlock.style.display = "block"; } } function validateForm() { if(loginForm.j_username.value.length==0 || loginForm.j_username.value==" ") { showErrorMessage("Invalid Username."); document.getElementById("j_username").className="login-input-error"; return false; } else if(loginForm.j_password.value.length == 0 || loginForm.j_password.value=="") { showErrorMessage("Invalid Password.") document.getElementById("j_password").className="login-input-error"; return false; } else { hideErrorMessage(); return true; } } function showErrorMessage(msg) { document.getElementById("errorMessageBox").innerHTML=msg; }; function hideErrorMessage() { document.getElementById("errorMessageBox").innerHTML=' '; document.getElementById("j_username").className="login-input-value"; document.getElementById("j_password").className="login-input-value"; } </script> </head>
<body onload="init()"> <div name="Login" class="loginContainer"> <div class="loginInnerContainer"> <div class="productCategory">Cisco SD-WAN</div> <form class="loginFormStyle" name="loginForm" id="loginForm" method="POST" action="j_security_check" onsubmit="return validateForm()" autocomplete="off" > <div name="logoMainContainer" class="logoMainContainer"></div> <div class="brand-logo-text"><span>Cisco vManage</span></div> <p id="errorMessageBox" name="errorMessageBox" class='errorMessageBox'></p> <div id="reboot_message" class="reboot-message-block"> <div class="reboot-message">Server is initializing. Please wait.</div> <i class="fa fa-circle-o-notch fa-spin fa-3x fa-fw"></i> </div> <div id="login_message" style="display: none;"> <div class='onyx-groupbox login-wrap' name="inputFields"> <div class="onyx-input-decorator login-input"> <input type="text" class="login-input-value" size="18" id="j_username" name="j_username" maxlength="64" placeholder="Username" value="" onfocus="hideErrorMessage()" autofocus /> </div> <div class="onyx-input-decorator login-input"> <input type="password" class="login-input-value" size="18" id="j_password" name="j_password" placeholder="Password" value="" onfocus="hideErrorMessage()" /> </div> </div> <div class='onyx-sample-tools login-wrap'> <input type="submit" name="submit" value="Log In" class="login-button" /> </div> </div> </form> </div> </div> </body> </html>

That clearly isn't the JSON response coming back, and I've no clue why; it's driving me mad!
Do I need to sign in a certain way? The GUI signs in fine with the username and password they supply; I've tried all sorts of ways of passing authentication in the request but I can't get any of it to work. That's just a guess as well (authentication) for why it's failing; it could be anything.

>>> arp= requests.get('https://10.10.20.90:8443/dataservice/device/arp?deviceId=10.10.20.80', auth=('admin','C1sco12345'), verify=False)
RESPONSE: {"error":{"message":"Device data error","details":" No device found for system IP 10.10.20.80","code":"DEV0001"}}

Nothing is making sense as to why the API calls aren't working.
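What the quoted responses show is an unauthenticated request: a /dataservice call that carries no session gets the vManage HTML login page back (HTTP 200, text/html) instead of JSON, and the form in that page (method="POST" action="j_security_check" with fields j_username and j_password) is the login an API client has to perform first. The basic-auth attempt at the end of the thread did get a JSON body back, and its error text says the deviceId value is looked up as a device system IP. The script below is an added example for both vManage threads above, not Cisco's code and not the poster's: it submits that form through a cookie jar, replaces verify=False with a pinned CA bundle (the bundle path and the environment variable names are assumptions), and checks every reply for the login page before parsing JSON. Host and port are the sandbox values quoted in the thread.

```python
"""Log in to Cisco vManage the way its login page does, then call /dataservice.

Added example, not Cisco's code and not the original poster's. It relies only
on what the quoted responses show: the login form posts j_username/j_password
to /j_security_check, and a call with no session gets that HTML page back.
Assumptions are marked in the comments (CA bundle path, env var names).
"""
import http.cookiejar
import json
import os
import ssl
import urllib.parse
import urllib.request

# Attribute that identifies the login form in the quoted HTML.
LOGIN_FORM_MARKER = 'action="j_security_check"'


def classify_body(content_type: str, body: str) -> str:
    """Return 'login-page', 'json' or 'other' for a /dataservice reply.

    The poster's symptom is an HTTP 200 whose body is the login page, so a
    client must check for that before it ever tries json.loads().
    """
    if LOGIN_FORM_MARKER in body:
        return "login-page"
    if content_type.split(";")[0].strip().lower() == "application/json":
        try:
            json.loads(body)
            return "json"
        except json.JSONDecodeError:
            return "other"
    return "other"


def make_opener(cafile: str) -> urllib.request.OpenerDirector:
    """Opener with a cookie jar (for the session cookie) and real cert checks.

    verify=False, which urllib3 warned about in the quoted session, is replaced
    by trusting the appliance's own CA bundle; `cafile` is an assumed path.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar),
        urllib.request.HTTPSHandler(context=ctx),
    )


def _fetch(opener, url, data=None, headers=None):
    """Perform one request; return (Content-Type, decoded body)."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with opener.open(req, timeout=15) as resp:
        ctype = resp.headers.get("Content-Type", "")
        return ctype, resp.read().decode("utf-8", "replace")


def login(opener, base_url: str, username: str, password: str) -> None:
    """Submit the same form the browser does; the session cookie lands in the jar."""
    form = urllib.parse.urlencode({"j_username": username, "j_password": password})
    ctype, body = _fetch(opener, base_url + "/j_security_check", data=form.encode())
    # A rejected login is also HTTP 200: the body is simply the login form again.
    if classify_body(ctype, body) == "login-page":
        raise PermissionError("vManage rejected the credentials")


def get_json(opener, base_url: str, path: str):
    """GET a /dataservice path and refuse to treat the login page as data."""
    ctype, body = _fetch(opener, base_url + path, headers={"Accept": "application/json"})
    kind = classify_body(ctype, body)
    if kind == "login-page":
        raise PermissionError(f"{path}: no valid session, call login() first")
    if kind != "json":
        raise ValueError(f"{path}: unexpected {ctype!r} reply")
    return json.loads(body)


if __name__ == "__main__":
    BASE = "https://10.10.20.90:8443"                       # sandbox vManage from the thread
    opener = make_opener(os.environ["VMANAGE_CA_BUNDLE"])   # assumed: CA exported from the appliance
    login(opener, BASE, "admin", os.environ["VMANAGE_PASSWORD"])  # assumed env var
    # Devices are addressed by system IP; /dataservice/device lists them.
    for dev in get_json(opener, BASE, "/dataservice/device")["data"]:
        print(dev.get("host-name"), dev.get("system-ip"))
```

The deviceId error in the thread falls out of the last loop: pick a system-ip that the device list actually returns before querying per-device endpoints such as /device/arp.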



CISCO PT - Setting up a small office

Have you seen this YouTube playlist? I think it has very useful tips on router and switch configuration. https://youtu.be/8SDKHjqRaho



Does a router accept all frames?

Say a router receives a frame but the DMAC isn't the MAC address of the router's incoming interface. Does it still process the frame?



Thursday, June 4, 2020

I Need Advice: I always hated to code but now I need to learn it.

I have 3 CCNP certifications and 16 years of experience. I have never written a single line of code in my work; obviously I have done EEM scripts, but no Python nor even Ansible. However, as time goes by I see that all vendors in general, and especially Cisco, are making use of programming: linking APIs, integrated programming tools for Nexus, ISE, FTD, etc. So I see the need to learn coding, plus I see the advantage that many tasks can be automated, and as a technical lead I can teach that to my team. But, as I said at the beginning, I have always hated to code, since university. Therefore, I wanted to know if someone here has been through the same situation, someone who used to hate programming and now enjoys it? If so, can you recommend a good course to start, one that awakened your desire to learn more so that you like to code frequently?

When I start a course on programming I usually end up hating it after a week or so. Is there a good course or book for people like me? Something that encourages me to keep learning coding while I'm an old network engineer. Please comment if you really have felt the same in the past :-)

Thanks in advance



Copy data that every user searches inside a network and store data in our network server locally.

How can we store all the searched results in our network so that every time we search for the same thing it can be served from our own server? For example, there are 30 PCs in an office. Employee no. 1 searched for some data on the internet, and now another employee wants to visit the same page or download the same file. First question: can we save the data like that? Second question: can we give that employee our own saved copy? We want to store all the searches locally so that there is less traffic on the main network and faster speed for all.



Coding and Automation Basics - Part 1

Introduction

About a week ago, there was a thread on /r/sysadmin from a guy who was having a really hard time with coding and automation. As someone who experienced many of the same frustrations, it highlighted the need for education that is both relatable, and aimed at people who don't have a programming background.

Fact of the matter is that coding isn't easy if you've never done it before, but neither is networking, or systems administration, or whatever your specialty happens to be. As with all things, the key is to start with the basics, and then build up to more advanced concepts over time. This post will be an attempt to provide a foundation to help folks feel a little less lost.

With the introduction out of the way, let us begin.

What is automation, and why does it even matter?

Like many trendy terms, "automation" can mean something slightly different for everyone. For the purposes of this post, I'll keep it simple and define it as a "force multiplier", that is, something that enables you to do more with less by abstracting away the tedious stuff.

The ability to make changes faster is how people usually try to sell automation, but I believe the real benefit lies in increased predictability. What does this mean? Well, by automating processes you:

  1. Minimize the potential for human error and make deployments more predictable

  2. Enforce standard configurations for resources to make their behavior more predictable.

A practical example is in making VPN tunnels, where it's unfortunately easy for a tiny mistake to cause the whole thing to fail. You can reduce the risk of silly mistakes by making a script that takes a standard set of inputs and applies all the relevant configuration to your firewall.

Of course, it will still fail if your inputs are bad, but it's your job as the operator to make sure you're entering the right information. Computers are fundamentally stupid, so garbage input will always result in garbage output.

On a related note, I intend to open source some of the Ansible playbooks I've written for Palo Alto firewalls sometime in the near future so that there's an actual, tangible example to work with.

Before you start

The first step, before even looking at any particular technologies, is to step back and take a critical look at your environment and ask yourself this:

1. What kind of problems do you have, and how will automation help solve them?

This may sound like a dumb question, but I put it first because it's actually the most important. Technology should not be implemented simply because everyone else is doing it. Any undertaking that doesn't have a clear goal is pretty much destined to be abandoned.

To that end, your first goals should be to focus on easy wins. Still doing config backups manually? Fix that. Want to find out what NAT rules there are on 10 different routers? Do it.

Point is, have concrete goals right from the outset, and then move on to the fancy stuff.

2. Understand that not everything should be automated

Frankly, some things aren't worth the time or effort. As a general rule, if automation makes a process more complicated with no added benefit, then something's wrong.

General principles

1. Be practical, not clever

Generally, any code you write should not be convoluted and hard to understand. If you find yourself using crazy complex logic in your code, consider stepping back to see if the process can be altered to make it simpler. Doesn't matter if it's not the most elegant solution as long as it gets the job done reliably.

2. Use good tools

I've tried writing playbooks in nano and copying my files to a different folder for backups, and it sucks. Using a good editor and version control makes life much, much easier. Personally I use VSCode with git for everything, but I'm sure there are many other options as well.

3. Have realistic expectations

Learning new skills isn't at all easy, but it's definitely worth the effort. Struggling to understand concepts that may be obvious to others doesn't mean you're dumb, it means you're gaining new experience.

What now?

I fully recognize that the contents of this post aren't actionable, but felt it was necessary as a sort of introduction. I also deliberately didn't go into details on any particular languages or frameworks because this is foundational information that applies to everything.

The second post in this series will be more practical, with some example firewall changes in ansible using:

  • simple variables
  • arrays
  • loops
  • maps (dicts)
  • functions (roles)

I'm using Ansible since I'm familiar with it and it's easy to understand, but these concepts will apply everywhere.


That's about all I've got for now; hopefully y'all found this useful.

For those who have started going down this path, was there anything you found especially difficult? What advice would you have for people who are just starting out?

Frankly, I just want to talk about this stuff for my own edification as well, so any discussion is welcome.



About to use the DevNet SD-WAN sandbox for the first time....

Hi, so I'm relatively new to REST and the requests library in Python. I definitely have decent Python skills after studying it almost night and day for the last 2 months, and I have got to a stage where I'm very comfortable using the SSH libraries (Netmiko, NAPALM, Nornir) and want to fill in the last bit of the puzzle (REST). After studying and playing around with the requests library for the last week or so I've come to the stage where I want to get my hands on an actual appliance that has a REST API, and Cisco's DevNet SD-WAN sandbox appears to have what I'm looking for.

HOWEVER, after reserving a spot in the next hour or so, I'm looking at the topology now and I have to be honest....I'm not entirely sure what I'm looking at.....

What IOS are these routers using...
Where is the API documentation for them...

Can I access the devices after I've VPN'd in using AnyConnect, using PyCharm on my desktop, or are they accessed via my web browser....
Which one do I even start on...

Sadly these are the questions (without ever having worked on an SD-WAN before) that I find myself not knowing.

Any help with any of them would be much appreciated.

Thanks guys



New office in Germany

Greetings!

My US-based company is opening a new office in Stuttgart, Germany. I am having a hard time locating anything helpful in having an internet circuit installed. We do have a quote back from AT&T that can complete this, but it will be a 60-90 day lead time. I have called multiple German telecom providers and haven't had anything eventful thus far, as the language barrier is steep (not that I've actually reached a live person). It would be ideal to have a local provider drop us a data line with a few static IPs. I think this would be the fastest outcome. Has anyone here dealt with a similar situation recently? Thoughts, ideas, pointers?

Apologies for any grammar or punctuation errors, on mobile.



Multi-WAN and the un-googleable problem

I recently purchased an RV345 Cisco small business router. It looked like it could do about everything I needed as I upgrade our office. As I dig, it turns out the device has dual-WAN ports but ONLY supports two external IPs (confirmed via the Cisco forums:

Please be advised that our Cisco Small Business routers do not support more than one IP address on the WAN port.

https://community.cisco.com/t5/small-business-routers/configuring-multiple-static-wan-ip-address-on-rv320-router/td-p/2787939 )

I'm trying to find a small business or enterprise router that will allow for 5 or even 16 static-blocks. But after several days on Google, all I find anymore is ads for how many ports a device has, or the promise of dual-WAN, and no useful information as to what's out there, and my boss won't let me flat-out buy another device to see if it will be able to do it.

Can someone suggest a router that will do this? I know an ASA will do the trick but we've been burned by Cisco licensing in the past and it seems like overkill for all the features it has vs what we need -- a simple firewall w/ port forwarding that supports several WAN IPs instead of just one (or one per eth port). (or is an ASA the answer, and there is no "in between"?)



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Someone Explain The Point Of Proxy Servers In Modern Networks

Just doing some reading about the Cisco Web Security Appliance, and having worked on Bluecoats in the long past anyway, I actually don't see the point of proxy servers nowadays. If you have a decent firewall with next-gen features (IPS, malware detection, URL filtering, dynamic feeds etc.), then I don't see any real benefit of a proxy. Sure, you can save a few megabytes from caching, but people have big pipes nowadays, so nobody cares; but even if you did, you'd use a WAN optimisation box like a Riverbed, which is far cheaper. I'm only frustrated because I keep reading stuff about it, and I just constantly ask myself, well, what's it doing that an NGFW can't do already? Is there something I'm missing here? Is it just a bit of offloading for very large networks maybe? I don't know.



Cisco 3750G 8021x - Cisco Phone Fun

Hey guys,

Just bought ISE about two months ago and I'm running into issues with Cisco phones on 3750Gs. I put myself on a supported code base, 12.2(55)SE11. The policy in ISE works on 3850s and 9Ks but not on my 3750s. I see the MAC on both the voice VLAN and the data VLAN.

Vlan    Mac Address       Type       Ports
----    -----------       --------   -----
230     0026.0bd8.d792    DYNAMIC    Gi1/0/44
430     0026.0bd8.d792    STATIC     Gi1/0/44

Interface config:

switchport access vlan 230
switchport mode access
switchport voice vlan 430
ip access-group PreAuthAllowACL in
authentication event fail action next-method
authentication event server dead action authorize vlan 230
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
mab
dot1x pae authenticator
spanning-tree portfast

Radius configs on device:

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 172.22.198.10 server-key 7 Password
!
radius-server host 172.22.198.10 auth-port 1812 acct-port 1813 key 7 Password
radius-server attribute 6 on-for-login-auth
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
ip radius source-interface vlan 230
ip access-list extended PreAuthAllowACL
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
!
radius-server vsa send authentication
radius-server vsa send accounting

Show Auth sess int

            Interface:  GigabitEthernet1/0/44
          MAC Address:  0026.0bd8.d792
           IP Address:  Unknown
            User-Name:  00-26-0B-D8-D7-92
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC16E62A00000012044642E1
      Acct Session ID:  0x00000178
               Handle:  0xD3000012

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

ISE Auth Profile:

Access Type = ACCESS_ACCEPT
DACL = PERMIT_ALL_TRAFFIC
cisco-av-pair = device-traffic-class=voice
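The session output quoted above already tells a reviewer the outcome worth noticing: dot1x shows "Failed over" and the phone was authorized by MAB, i.e. on its MAC address alone, with a PERMIT_ALL_TRAFFIC dACL attached. The script below is an added example (not Cisco, ISE or the poster's code) that parses a "show authentication sessions interface" block and flags such outcomes so they can be reviewed across many ports instead of read by eye. The sample text is reconstructed from the output quoted in the thread; the finding codes and the expected host mode argument are my own.

```python
"""Audit a `show authentication sessions interface` block for weak outcomes.

Added example for the ISE/3750G thread above; not Cisco or ISE code and not
the poster's. SAMPLE_SESSION is reconstructed from the output quoted in the
thread. Finding codes and the `expected_host_mode` argument are my own.
"""

SAMPLE_SESSION = """\
Interface: GigabitEthernet1/0/44
MAC Address: 0026.0bd8.d792
IP Address: Unknown
User-Name: 00-26-0B-D8-D7-92
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-57f6b0d3
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16E62A00000012044642E1
Acct Session ID: 0x00000178
Handle: 0xD3000012
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
"""


def parse_auth_session(text: str) -> dict:
    """Turn the key/value block plus the 'Runnable methods list' into a dict.

    Everything before 'Runnable methods list:' is 'Key: value'; after it each
    line is '<method> <state>' (the 'Method State' header row is skipped).
    """
    session = {"methods": {}}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_methods:
            if line.startswith("Method"):
                continue
            name, _, state = line.partition(" ")
            session["methods"][name] = state.strip()
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        key, sep, value = line.partition(":")
        if sep:
            session[key.strip()] = value.strip()
    return session


def audit_session(session: dict, expected_host_mode: str) -> list:
    """Return (code, message) findings a port-security reviewer would raise."""
    findings = []
    methods = session.get("methods", {})
    dot1x = methods.get("dot1x", "").lower()
    mab = methods.get("mab", "").lower()
    if dot1x.startswith("failed") and "success" in mab:
        findings.append(("mab-fallback",
                         "802.1X failed; endpoint was admitted by MAB on its MAC address alone"))
    acl = session.get("ACS ACL", "")
    if "PERMIT_ALL" in acl.upper():
        findings.append(("permit-all-dacl",
                         f"downloadable ACL {acl} grants unrestricted access"))
    oper = session.get("Oper host mode", "")
    if oper and oper != expected_host_mode:
        findings.append(("host-mode-mismatch",
                         f"operational host mode {oper} differs from configured {expected_host_mode}"))
    if session.get("Security Status", "").lower() == "unsecure":
        findings.append(("no-macsec",
                         f"policy is '{session.get('Security Policy')}' but the link is not MACsec-protected"))
    return findings


if __name__ == "__main__":
    sess = parse_auth_session(SAMPLE_SESSION)
    for code, msg in audit_session(sess, expected_host_mode="multi-auth"):
        print(f"[{code}] {msg}")
```

The host-mode finding is informational: the interface in the thread is configured multi-auth while the session reports multi-domain, and whether that is expected for the voice domain on this platform is something to confirm against the release notes rather than assume.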


Confused about Classful/Classless IP addressing question VLSM IP addressing.

Not sure if this is the right sub to go to, but I was just wondering if someone could simply explain this concept since I have a networking exam soon and I'm confused.

So firstly, subnetting. The tutor gave an example:

"Network: 172.16.0.0 (65534 Hosts)

Subnet mask: 255.255.0.0

There could be a lot of wasted hosts here, so what if we took that B class network, and divided it into a bunch of C class networks e.g.

Subnet 1 - 172.16.1.0

Subnet 2- 172.16.2.0

Subnet 3- 172.16.3.0

Subnet mask: 255.255.255.0"

Right, this part makes sense. However, the only bit I'm confused on is that it said to divide it into a whole bunch of C class networks, but how is it a C class network when the first octet is 172? (making it a B class network)

This is a separate question, but later on he goes on about VLSM and the formulas to work out how many hosts and subnets you get (I assume a subnet is a network?). What I was wondering is that he said 252 (11111100) was most commonly given out by ISPs because there are 2 IP addresses, but what about 254 (11111110)? How many IP addresses would there be for a 254 in the subnet mask?
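On the two points the question ends with: the class is fixed by the first octet, so 172.16.1.0 with a 255.255.255.0 mask is still a class B address carrying a classless (CIDR) mask, not a class C network; and a 255.255.255.254 mask (/31) holds only two addresses, so the classic rule that reserves a network and a broadcast address leaves 0 usable hosts, while RFC 3021 lets a point-to-point link use both. The script below is an added example, not the tutor's material or the poster's; it uses only Python's standard ipaddress module.

```python
"""Address class vs. classless masks, and usable-host counts.

Added example for the subnetting question above; not the tutor's or the
poster's material. Uses only the standard ipaddress module. The two host-count
rules are the classic one (network and broadcast reserved) and RFC 3021
(/31 point-to-point links).
"""
import ipaddress


def address_class(addr: str) -> str:
    """Classful class is decided by the first octet alone, never by the mask."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def prefix_length(mask: str) -> int:
    """255.255.255.252 -> 30, 255.255.255.254 -> 31, and so on."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def usable_hosts(mask: str) -> dict:
    """Usable addresses behind a mask under the classic rule and RFC 3021.

    Classic: total minus the network and broadcast addresses. A /31 has only
    two addresses, so that rule leaves 0; RFC 3021 lets a point-to-point link
    use both. A /32 is a single host route either way.
    """
    plen = prefix_length(mask)
    total = 2 ** (32 - plen)
    if plen == 32:
        return {"prefix": plen, "classic": 1, "rfc3021": 1}
    if plen == 31:
        return {"prefix": plen, "classic": 0, "rfc3021": 2}
    return {"prefix": plen, "classic": total - 2, "rfc3021": total - 2}


def split_network(network: str, new_prefix: int) -> list:
    """Carve a network into equal subnets; the address class does not change.

    172.16.1.0/24 is still a class B address with a 24-bit mask.
    """
    net = ipaddress.ip_network(network)
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print(address_class("172.16.1.0"), usable_hosts("255.255.0.0"))
    print(split_network("172.16.0.0/16", 24)[:4])
    for mask in ("255.255.255.252", "255.255.255.254"):
        print(mask, usable_hosts(mask))
```

For the tutor's example, splitting 172.16.0.0/16 with new_prefix=24 yields 256 subnets, the first of which is 172.16.0.0/24 and the second 172.16.1.0/24; each is a class B address with a /24 mask, which is exactly what "classless" means.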



Best way to extend copper (ethernet)?

We have a project at work where someone wants to deploy a copper only device (figure an 8 port copper switch for explanation purposes, even though it's not a switch - no fiber) on one floor, but our lab is on a completely different floor, well past the 100m limitation of ethernet.

One of our engineers suggested using a media converter and while I guess that would work, I just wanted to post on here to see if there's any other suggestions you guys may have? I feel using the media converter is a "hack" per se, but honestly, there's nothing else either of us could think of to resolve this. The only other option would be to deploy another switch down there but we're not going to do that for ONE port.

Any other ideas? Thanks guys and gals.



MSTP and RSTP

Good morning,

I have a question that I haven't been able to find a solid answer to, the general answer I get is it's backward compatible so it doesn't matter. But I wanted to ask the hive mind of r/networking for some possible clarification.

The scenario is, a Juniper stack is running RSTP as the root bridge. I have 4 HP Aruba 2540s running MSTP, since that's the default when enabling spanning-tree on the Aruba switches. I know that MSTP and RSTP are compatible, but I think a majority of these scenarios probably look more like MSTP on the root bridge, RSTP enabled on the switches. My scenario is vice versa, and I know MSTP groups by VLAN. My question is, is there still a benefit of MSTP when the root bridge is RSTP? I am still new to STP in the real world and only know of them conceptually as individual pieces. I haven't worked with them between vendors and different types of spanning-tree before.

I inherited the network and am not sure why the Juniper stack would be running RSTP and not MSTP as the Aruba's are. But, the same people that set this up also didn't see it as necessary to have spanning-tree enabled on 2 out of 4 of those switches which caused me a headache last Friday as a broadcast storm took down our network.



SVI's not passing traffic.

I have a Cisco ISR with a switch module connecting via an 802.1Q trunk to a 2960-X switch stack. There is an SVI on the ISR for each of the VLANs on the switch. We recently reloaded the stack (no upgrade) and when the stack came back up, 4 of the 10 VLANs were no longer able to even ping the GW on the SVI, while all of the others on the trunk were fine. To fix it, I ended up deleting the SVI and the VLAN and recreating them to get it to work. J/W if anyone else has seen this before and knows what may cause it?

I Did verify first that the vlans and the SVI were up up.

deleting just the SVI on the ISR didn't work.

thanks!



Cat6 utp or cat5e stp

Hi, I am currently working on a project where I need to connect a couple of access points. I need to run Ethernet cable through the wall inside that orange tubing; the existing tubing also has some coaxial cable and telephone lines. I will not run the Ethernet cable in the same tubing as electrical cable. For this type of install, would it be better to use Cat 6 cable with the little cross in the middle or use shielded Cat 5e cable with the ground wire properly attached? The length of the cable inside the wall will be about 20m.



Cisco IP Phones not working on C3850 switch

When I connect a pc to any port on the switch, the port goes up and works normally, but when I connect a cisco ip phone to any port, the port doesn’t go up. Happened with several IP phones even though these phones work normally on another switch. The switches are WS-C3850-48P. What could be the issue?



How to manage 2 networks interconnectivity?

My client has 2 public IPs. Public IP A is their original network. Public IP B is another company's network that uses VPN to use some machines they have physically at my client's site.

In the A, they got a shared folder that is accessible throughout all the A network. They use a 10.0.0.0 type of address.

The B uses some 172.0.0.0 type of address.

I need those computers in B to access a folder to read and make changes to files in the A.

A structure: AT&T modem > TP link VPN router > computers that see the shared folder
B structure: AT&T modem > Palo Alto VPN router (don't have access to configuration) > computers that need access

What's the best way to accomplish this? I was initially making a VPN connection from B to A with the TP link R600 built-in VPN, thinking I would see the computers and ping them, but only got as far as getting an IP but not being able to ping. So I can look into it and figure it out if it's best. Or if there's something better like an FTP server setup or a similar alternative, please let me know.



Recreating network design for multiple companies

Hi,

Currently where I'm at, we have essentially two businesses under one group where both can't talk to each other. We have access lists on a layer three switch, and most of the routing is also on there (Core switch in the diagram). The firewalls are WatchGuard M270s and the switches are Cisco. OSPF configuration and access lists are done on the switches too. We have some spare kit to play on too.

Our current design looks like this
https://ibb.co/9rzr42X

The two firewalls in this diagram aren't in an HA pair, and company 1 isn't allowed to talk to company 2. Company 1 and Company 2 also must use separate ISPs. Not sure why, but apparently the vendors say so. I'm thinking of trying to remove complexity, and have the routing, including OSPF, done entirely at the firewall level, removing the router from the equation too, and simply VLANing it off as if it was a router on a stick.

Would the following diagram "work" theoretically?

https://ibb.co/0r6qH3Q

Would it also be something that'd be good, say, if we buy up another company, or we get bought up ourselves? I'm trying to see what's best long term for the group, and I'd rather get the design "down".



Nomadix disconnect issues

Hello /networking

Reviving an old thread for some assistance hopefully.
https://www.reddit.com/r/networking/comments/8z9hnm/nomadix_ag2500_connection_timeout/

We have a client who is utilising a Nomadix (managed by another vendor) and is getting constant disconnects. WAP clients are getting inactivity sessions and we can see traffic to the Nomadix LAN port drops to 0 sometimes, and other times has a noticeable drop with only, say, 50% of clients being disconnected. We can also see a lot of DHCP offer traffic within the Nomadix network being rejected.

Services routing through other firewalls (Multi service network) do not see these issues. Have not had much back from Nomadix in terms of being helpful. Anyone here with something that may help?



Found some cheap Mellanox IS5022 8-port switches for a computational cluster in my department, need advice.

Hello everyone,

I hope I am not out of line in asking, but I need your wisdom. I found some second-hand Mellanox IS5022 8x 40Gb QSFP+ unmanaged InfiniBand switches and I thought this might be a good opportunity to upgrade our Beowulf cluster at my university department.

At the moment we use regular Ethernet switches, which are a bit too slow to conduct numerical computations. So I would love to upgrade to IB, but our budget is a bit limited and state-of-the-art IB is not cheap.

I am an aerospace engineer, so my knowledge of networking is a bit sparse. So what I am looking for is:

  • Are these switches suitable for numerical computations?

  • Advice on (cheap) cables and PCIe IB adaptors that would go together with these switches. (I have found some cheap QSFP+ passive cables on amazon.de and an IBM InfiniBand QDR/FDR-10 QSFP 1-Port PCI-E-3.0x on a local IT outlet, but I am not sure if they are suitable for my needs)

  • Where I can find some introductory literature on IB related to these switches

  • Any general advice

Thanks in advance,



EasyIP as IPAM, any experience?

We are merging with another company and they are using EasyIP as their IPAM, while we use in-house developed IPAM application. Is anyone here using EasyIP? What's your experience with it?



Wednesday, June 3, 2020

73.225.120.17 Boot me

No



AT&T SIM in Opengear IM7200

Hey guys, really struggling to get an AT&T SIM working in an Opengear IM7200. The 7200 says it's stuck at "Establishing connection". The 7200 also sees the SIM properly - correct ICCID/MDN etc.

I've called Opengear support - they say it's a problem with AT&T. AT&T support says it's a "provisioning error"; however, the guy who set the SIM up for me (it's a corporate SIM card so I don't handle that process directly) says it's set up just like anything else. If I take the SIM out and put it in an old Android phone, it just works with no configuration necessary.

There are a few APN configurations I've seen around. Anybody here ever get this to work? Could you PM what you did?



Input before signing 3YR contract in rural east Texas

TL;DR: Homeowner extinguishes all options other than 9Mbps down / 0.5Mbps up DSL. Only other option is a 3-year contract for CenturyLink business fiber 20x20 at $675.00 a month. Would you do it or move?

Heya peeps! So to expand on that, cable is 0.6 miles away and the price on getting it run was 40k out of pocket. The DSL infrastructure is so dated that bonded isn't available, and when it rains it's not usable. My wife and I both work from home. Starlink would be a godsend but there is no foreseeable date soon. My estimate is 2 years away. There is a point-to-point service here but I need to gain 80 feet and it's $300 a month. Anything with a huge latency won't work for me, so no unlimited 4G or standard satellite. So option #1 is listed above in the TL;DR and this situation is so fucked that it almost seems rational to sign a 3-year contract with CenturyLink for 20Mbps up/down and dedicated. That would be more than our house payment at this point as we owe so little. Option #2: we sell the house and move somewhere else in east Texas where we would be able to get cable. We are limited to staying in east Texas, and finding a house that qualifies for residential fiber that also fits our budget is still eluding me. I've been at this for 3 years and it's the largest cause of unhappiness and anxiety for us. I've been knocked back to square one about 7 times now and I'm just defeated.

Any advice, ideas, thoughts or opinions are welcome. Please...



How to bridge a subinterface across an HPE MSR2003 router (Comware 7)?

The setup I'm trying to achieve is G0/1.20 bridge to G0/0.20 (no routing, just bridging).

The equivalent commands on a Ubiquiti USG-3P (for reference):
set interfaces bridge br0 stp false
set interfaces ethernet eth0 vif 20 bridge-group bridge br0
set interfaces ethernet eth1 vif 20 bridge-group bridge br0

I am able to configure the main interfaces as a bridge:
[RouterHPE-GigabitEthernet0/1]port link-mode ?
  bridge  Switch to layer2 ethernet
  route   Switch to layer3 ethernet
[RouterHPE-GigabitEthernet0/1]port link-mode bridge ?
  <cr>

But not on the subinterfaces:
[RouterHPE-GigabitEthernet0/1.20]port ?
  link-aggregation  Link aggregation group
When I set the main interfaces as a bridge, all traffic is essentially bridged, but I need routing to occur between several other VLANs.

I've tried googling but I can't seem to find any info on bridging subinterfaces on an HP router.
Thanks a lot guys



C3850 Stack upgrade ?

Hi Guys,

I would like to ask if the upgrade procedure for C3850 switches with stack cables and the upgrade for C3850 with StackWise Virtual is similar, or whether switches with StackWise Virtual have a different method?

If the above example has a different upgrade procedure, can you share the technical docs? I am now checking docs from Cisco.

Thanks



Dual modem on Cradlepoint AER2200

I am working with a small rural office that is switching from DSL to a 4G Verizon Cradlepoint modem. They have the 2nd modem attachment, and a SIM card for each. What they want to achieve is running a switch off one of the SIM card lines, and then using the 2nd SIM card line as a dedicated line for a more critical computer. Is it possible to assign a SIM line to individual LAN ports? As in, run LAN 1 entirely on the first SIM card, and then run LAN 2 entirely on the other card?



Deciphering peculiar traceroute patterns

Hi folks, whenever I traceroute I occasionally see some questionable patterns with hops where I'm not entirely sure what it's doing. I've checked out the TeamNANOG traceroute basics video by Richard Steenbergen and I don't think it covers it. Here's an example of one of those patterns. For a set of hops on a single path, the route hops back and forth between two routers/addresses, before carrying on with the route. It would look like this (made-up values but a good representation):

(Before it happens) 96.101 50ms 51ms 52ms

103.111 62ms 61ms 61ms

111.234 78ms 75ms 79ms

103.111 77ms 76ms 78ms

111.234 110ms 108ms 109ms

(Route continues as normal) 104.993 120ms 131ms 128ms

The RTT not increasing when it loops back to 103.111 could be of interest, but I'm not sure what it could mean, or why behaviours like these happen. Any ideas? Thanks



PSA: June 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication

/r/Cisco/comments/gw5u84/psa_june_2020_semiannual_cisco_ios_and_ios_xe/

Upgrade from 16.09.04 to 16.12.03A

Trying to upgrade my 9500 switch stack to 16.12.03a. Boot is set to packages.conf, but when I try this install command it says the file is not there.

But it is. What the heck is going on? Any help would be appreciated.

SW9500#install add file bootflash:cat9k_iosxe.16.12.03a.SPA.bin activate commit
install_add_activate_commit: START Wed Jun 3 16:14:12 PDT 2020
FAILED: install_add_activate_commit : bootflash:cat9k_iosxe.16.12.03a.SPA.bin is not valid file or cannot be handled by install CLI.

SW9500#show boot
BOOT variable = bootflash:packages.conf; <------------------------------------------
Configuration Register is 0x102
MANUAL_BOOT variable = no
BAUD variable = 9600
ENABLE_BREAK variable does not exist
BOOTMODE variable does not exist
IPXE_TIMEOUT variable does not exist
CONFIG_FILE variable does not exist

SW9500#dir
Directory of bootflash:/
616514 drwx 4096 Jun 17 2019 22:23:11 -07:00 .dbpersist
616519 -rw- 400 Jun 3 2020 15:14:35 -07:00 boothelper.log
665185 drwx 4096 Jun 3 2020 16:14:18 -07:00 .installer
616520 -rw- 666 Jun 3 2020 15:14:20 -07:00 bootloader_evt_handle.log
665186 drwx 4096 Jun 17 2019 22:31:01 -07:00 .ssh
665194 drwx 4096 Jun 1 2020 09:33:30 -07:00 core
673297 drwx 4096 Jun 2 2020 09:10:04 -07:00 .prst_sync
11 drwx 4096 Jun 2 2020 09:01:29 -07:00 .rollback_timer
8113 drwx 4096 Jun 17 2019 22:31:14 -07:00 gs_script
16225 drwx 4096 Jun 17 2019 22:31:14 -07:00 tech_support
16239 drwx 4096 Jun 3 2020 15:14:34 -07:00 dc_profile_dir
616522 -rw- 123888 Jun 3 2020 15:14:55 -07:00 memleak.tcl
24337 drwx 4096 Jun 17 2019 22:31:51 -07:00 onep
616523 -rw- 805037908 May 29 2020 08:49:11 -07:00 cat9k_iosxe.16.12.03a.SPA.bin <------------------------------------
616525 -rw- 2356 Jun 3 2020 15:17:29 -07:00 vlan.dat
616528 -rw- 27231232 Jun 2 2020 08:59:16 -07:00 cat9k-cc_srdriver.16.09.04.SPA.pkg
616529 -rw- 81241084 Jun 2 2020 08:59:16 -07:00 cat9k-espbase.16.09.04.SPA.pkg
616530 -rw- 1647612 Jun 2 2020 08:59:16 -07:00 cat9k-guestshell.16.09.04.SPA.pkg
616531 -rw- 425411576 Jun 2 2020 08:59:17 -07:00 cat9k-rpbase.16.09.04.SPA.pkg
616537 -rw- 34612458 Jun 2 2020 08:59:32 -07:00 cat9k-rpboot.16.09.04.SPA.pkg
616532 -rw- 28931068 Jun 2 2020 08:59:17 -07:00 cat9k-sipbase.16.09.04.SPA.pkg
616533 -rw- 55047160 Jun 2 2020 08:59:17 -07:00 cat9k-sipspa.16.09.04.SPA.pkg
616534 -rw- 35243004 Jun 2 2020 08:59:17 -07:00 cat9k-srdriver.16.09.04.SPA.pkg
616535 -rw- 15856632 Jun 2 2020 08:59:17 -07:00 cat9k-webui.16.09.04.SPA.pkg
616536 -rw- 9208 Jun 2 2020 08:59:17 -07:00 cat9k-wlc.16.09.04.SPA.pkg
616527 -rw- 7554 Jun 2 2020 08:59:32 -07:00 packages.conf
616521 -rw- 400 Jun 2 2020 09:08:32 -07:00 boothelper.log.old
11250098176 bytes total (9060610048 bytes free)
SW9500#



Juniper Switch 4200 schedule shutdown

Hi,

I have some electrical works happening Saturday morning and would like to schedule the shutdown of the switch automatically at 5:30 am on Saturday so I don't need to wake up to run a command. Is there a CLI command to schedule this type of work?

Kind Rgds,

Rutvij



Creating a VLAN on NX-OS using REST

Hi, I'm reading Cisco documentation here:

https://developer.cisco.com/docs/nx-os-n3k-n9k-api-ref-7-x/#!configuring-vlans/creating-a-vlan

I plan on trying out their sandbox soon to give using REST a proper go. I've been reading through the link above and, after studying the requests library for a little while now, I've a couple of questions if anyone knows the answers.
The payload and POST request example they give for creating a VLAN is slightly confusing, only because, from what I've seen of the requests library so far, when communicating with REST APIs you need to fill out the request with the correct URL, data/payload and content-type you're passing to the API. None of them appear in the example "POST http://<IP_Address>/api/mo/sys.json".

Does anyone have any experience with this or could shed some light on it? I'm slightly confused on how to structure this API request going off their examples.
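As an added example (not the poster's code and not Cisco's), here are the three pieces the question is about, URL, JSON payload and Content-Type header, assembled for the NX-OS REST call from the linked page, plus the aaaLogin step that yields the session cookie. The object names (aaaLogin, topSystem > bdEntity > l2BD, fabEncap, the APIC-cookie header) are my reading of the NX-OS REST object model and should be checked against the linked reference; the switch address and credentials are constructed placeholders. Only the standard library is used, and the same fields map directly onto requests.post(url, json=..., headers=...).

```python
# Added example: build (and optionally send) the NX-OS REST login and
# "create VLAN" requests. Object/attribute names are assumed from the NX-OS
# REST object model; verify against the Cisco reference before relying on them.
import json
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RestRequest:
    """The three things every REST call needs spelled out: method+URL, headers, body."""
    method: str
    url: str
    headers: Dict[str, str]
    body: Optional[bytes] = None

    def json_body(self) -> dict:
        return json.loads(self.body or b"{}")

    def to_urllib(self) -> urllib.request.Request:
        return urllib.request.Request(self.url, data=self.body,
                                      headers=self.headers, method=self.method)


def build_login_request(base_url: str, username: str, password: str) -> RestRequest:
    """POST /api/aaaLogin.json. The reply carries a token that later calls send
    back as the APIC-cookie (assumed: same scheme as ACI)."""
    payload = {"aaaUser": {"attributes": {"name": username, "pwd": password}}}
    return RestRequest("POST", f"{base_url}/api/aaaLogin.json",
                       {"Content-Type": "application/json"},
                       json.dumps(payload).encode())


def extract_token(login_response_body: bytes) -> str:
    """Token lives at imdata[0].aaaLogin.attributes.token in the login reply."""
    doc = json.loads(login_response_body)
    return doc["imdata"][0]["aaaLogin"]["attributes"]["token"]


def build_vlan_create_request(base_url: str, vlan_id: int, name: str, token: str) -> RestRequest:
    """POST to the system MO (the /api/mo/sys.json URL from the docs) with an
    l2BD child keyed by fabEncap 'vlan-<id>'. Content-Type tells the API the
    body is JSON; the .json suffix on the URL selects JSON for the reply."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN id out of range: {vlan_id}")
    payload = {
        "topSystem": {
            "children": [
                {"bdEntity": {"children": [
                    {"l2BD": {"attributes": {"fabEncap": f"vlan-{vlan_id}",
                                             "name": name}}}
                ]}}
            ]
        }
    }
    headers = {"Content-Type": "application/json",
               "Cookie": f"APIC-cookie={token}"}
    return RestRequest("POST", f"{base_url}/api/mo/sys.json", headers,
                       json.dumps(payload).encode())


def send(req: RestRequest, verify_tls: bool = True) -> bytes:
    """Send a RestRequest over HTTPS and return the raw reply body."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # disables certificate checking: lab/sandbox use only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req.to_urllib(), context=ctx, timeout=10) as resp:
        return resp.read()


def main() -> None:
    base = "https://192.0.2.10"  # constructed lab address (RFC 5737 documentation range)
    token = extract_token(send(build_login_request(base, "admin", "placeholder-password"),
                               verify_tls=False))
    reply = send(build_vlan_create_request(base, 110, "Vlan110", token), verify_tls=False)
    print(reply.decode())


if __name__ == "__main__":
    main()
```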



Cheapest 8 total port - 4 port (SFP28) / 4 port (1 GB RJ45) Networking switch?

I have been trying to determine the best switch in my budget ($200 or less) that can provide at least 2 SFP28 ports (would like 4 for future-proofing if I decide to add an additional 25 Gb device) and about 4 1 GB RJ45 ports. Ideally, I would like something that is a bit on the older or cheaper side that can be upgraded by adding or swapping out PCI-e cards with the SFP28 NICs. I am not sure something like this exists, so please help me find it!

**I would prefer managed but probably unrealistic at that price point. I only really want to be able to set up some basic bandwidth rules and restrictions between LAN users and devices and nothing too crazy (QoS).

Looking for reliability and performance, so I would prefer to stay away from Netgear. Lastly, if it has more ports, that is okay - I just don't want to pay a premium for 24 ports or something crazy that I don't have a need for.



Blocking LAN devices from VPNs used for privacy or p2p sharing?

My goal is to block LAN devices from connecting to VPNs outside of corporate visibility and control in order to protect against exfiltration.

Do you fine folks have any ideas?

Right now it looks like I'll research the most common VPNs, find their node IPs, and block those.

So far my research has not yielded much and help is greatly appreciated.

We presently have Sophos UTM.



JunOS vs iOS MTU handling

Hi folks,

I've got a BGP peer flapping between a Juniper device I control and a Cisco device of a customer's. We've both confirmed timers look good, and we both confirmed we were set to 9000 for our MTU... However, from the Cisco to the Juniper he can get a full 9000 DF-bit ping across but I top out around 8972. Is this a common thing with the two calculating MTUs differently? And as such, should I then ensure his MTU is greater than 9000 by enough for the headers/overhead to alleviate that issue?

Thanks for the help.



Classifier-based portmirroring aruba 2930f switch

First, I'm a student network manager in the final year of my studies and am on an internship. (yes, even with corona being a thing)

I've been asked to configure classifier-based port mirroring on the Aruba 2930F switch and for the destination am using a Wireshark server (from now on WSS) with an HPERM decoder to send the mirrored packets to.

I've successfully managed to get packets from 1 workstation to the WSS with a class & policy which are applied to a switchport.

Now I've been trying to configure an IP range for multiple workstations which are connected to the switch I'm working on, instead of seeing packets from one workstation.

The instructions online mention the following: 'SAv4 mask | DAv4 mask', which should supposedly allow me to configure an entire range of IP addresses and have the packets from this range be mirrored to the WSS.

According to the instructions' example: 10.10.10.1/24 = 10.10.10.1-255

Which should be correct to my knowledge (I might just be confused at this point)

However, when I configure this in a match statement within a class on the 2930F, apply it to an interface and scan for packets with Wireshark, I get nothing. Then when I modify the class to: (example syntax) match ip 10.10.10.10 255.255.255.0 any

I do get a load of packets, so I'm doing something wrong with the IP range configuration and can't for the life of me figure out what it is.

I hope I explained my problem clearly.

EDIT: I mention online instructions; these are the instructions I'm referring to, on page 351.

https://support.hpe.com/hpesc/public/docDisplay?docId=a00038764en_us



What are PCI-E expansion cards and their relationship with NIC teaming?

I know NIC teaming is combining NIC together, but what's the exact relationship with PCI-E expansion cards? Thanks.



debug ip packet

I made the silly mistake of running debug ip packet on a router in a remote location. It seems like the router crashed; I asked local hands to restart it but it doesn't come back online properly.

I would have expected the debug statement to be removed after reboot? Could it be that I need console access to remove it?



Input and CRC errors

Hey guys, real quick.

It was drilled into me that input and CRC errors are 99.9% hardware (cable/fiber, transceiver, port/ASIC) issues. What is that other 0.1% that can cause CRC errors once in a blue moon?



Can switches w/ DHCP Servers assign static IP addresses to devices?

I'm reading mixed reviews on this.



Eve-ng for SDWAN

Dear networkers

I am trying to make a virtual lab for Cisco SD-WAN (Viptela) and VMware SD-WAN (VeloCloud). I searched for the images with no luck. I stumbled upon this site https://unetlab-eve-shares.blogspot.com/2020/04/163-tb-of-unetlab-eve-images-by-only.html?m=1 Does anyone know if it is legit? Also, where do you get the images from usually?

Thanks



MAC Forced Forwarding and Static IP Addresses

Got a little bit of an issue. We are a brand new startup WISP. We use Calix Switches on our network at the edge to bring services to our customers. Those connect to Base Stations, that then feed our customers.

We are going to be enabling MFF (MAC Forced Forwarding) but have noticed an issue. Anyone with a static IP address is going to get their packets dropped because their MAC is not in the DHCP snooping table for that switch. How can I get around this other than telling these customers that they need to change their firewall config to DHCP on their WAN port and record their MACs?



External Site Monitoring

Hi,

Currently looking into ways to monitor external sites and the response times that an end user would see for these.

Currently looking to monitor both ports 443 and 80 (note I do not own the sites, I just want to be able to see what the response time to the sites is using the network. Connections are proxied, hence it helps to see if there are issues with clients on VPNs or issues within a network).

I can see it from the CLI by doing either of the following:

ncat -v -z google.com 443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 216.58.223.206:443.
Ncat: 0 bytes sent, 0 bytes received in 0.08 seconds.

time nc -v -z google.com 443
google.com [216.58.223.206] 443 (https) open

real 0m0.039s
user 0m0.002s
sys 0m0.005s

However, I'm unsure on how I can graph the results from these tests.

Does anyone have experience of doing this or have it enabled? If so, I'd like to hear about it if possible.

My thought process would be that the data can be pushed into a log file that gets ingested into syslog and then we can graph based on the syslog messages. But again, unsure on how to do this.

If this is not the correct sub for this type of question, can I be pointed to one that may help?

Thanks in advance for any help and replies to this.
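One way to turn the nc -z style check above into something graphable, as an added example that is not part of the original post: time only the TCP handshake to each host:port (no payload, like nc -z), then emit one RFC 5424 syslog line per probe with the latency as structured data, so a syslog collector can parse and graph the field. The target list, hostname "monitor1", app name "tcpprobe" and the SD-ID "probe@32473" (32473 is the enterprise number reserved for documentation) are constructed values.

```python
# Added example: TCP connect-time probe that logs syslog lines (not the poster's code).
import socket
import time
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass
class ProbeResult:
    host: str
    port: int
    ok: bool
    latency_ms: Optional[float]  # None when the connect failed
    error: str = ""


def probe(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """Open and immediately close a TCP connection, timing only the handshake.

    Nothing is sent (equivalent to nc -z), so the number reflects DNS plus the
    network path and any proxy/firewall in between, not the web server itself."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            elapsed_ms = (time.perf_counter() - start) * 1000.0
        return ProbeResult(host, port, True, round(elapsed_ms, 3))
    except OSError as exc:  # refused, unreachable, DNS failure, timeout
        return ProbeResult(host, port, False, None, str(exc))


def syslog_line(result: ProbeResult, app: str = "tcpprobe", hostname: str = "monitor1") -> str:
    """Format an RFC 5424 message: PRI 14 = user.info for a successful probe,
    PRI 12 = user.warning for a failed one; latency is carried in structured
    data so a collector can extract it as a metric rather than regex the text."""
    pri = 14 if result.ok else 12
    ts = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
    latency = f"{result.latency_ms:.3f}" if result.ok else "-"
    sd = (f'[probe@32473 target="{result.host}" port="{result.port}" '
          f'ok="{int(result.ok)}" latency_ms="{latency}"]')
    msg = "connect ok" if result.ok else f"connect failed: {result.error}"
    return f"<{pri}>1 {ts} {hostname} {app} - - {sd} {msg}"


def send_to_syslog(line: str, collector: Tuple[str, int] = ("127.0.0.1", 514)) -> None:
    """Ship one line to a syslog daemon over UDP (fire-and-forget)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.sendto(line.encode(), collector)


def open_local_listener() -> socket.socket:
    """Bind a throwaway TCP listener on 127.0.0.1 (ephemeral port) so the probe
    can be exercised offline; the caller closes it. The kernel completes the
    handshake into the backlog even though nothing calls accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def main() -> None:
    # Constructed target list; the post asks about 443 and 80 on sites it does not own.
    targets = [("google.com", 443), ("google.com", 80)]
    for host, port in targets:
        line = syslog_line(probe(host, port))
        print(line)            # or send_to_syslog(line) to feed the collector directly


if __name__ == "__main__":
    main()
```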



QoS differences layer 2 and 3

I am having a hard time understanding the concept to apply the policies in my network.

For example, in layer 2 I still don't understand: is the CoS table the same as in the 802.1p protocol?

And layer 3 DSCP is more confusing. Can I have a real-life example, for VoIP for example, of how to create the policy, mark the traffic and then apply it?



ACI ECMP static load balancing - hashing

Does any of you have a very good document where it is described how ECMP (not DLB but the static one) is implemented internally in ACI?

Which info is it using for the 5-tuple hashing ... ?

thanks



Cisco Nexus Vulnerability: CVE-2020-10136

Hi guys, in case you are in charge of Nexus switches, I wanted to let you know about the vulnerability. That's it. Cheers.



Cisco Access Point disk flash space?

Hi Guys,

I would like to ask if it is possible to check the available space of Cisco APs from the wireless controller, and what command should I use to find that info?

Thank you and Regards,



Which education path to choose?

Hey guys, I'm a young networking engineer with a CCNP and have the opportunity to either get study material for the CCIE paid or get a bachelor's degree in data science paid.

Would it be completely stupid to study data science as a networking engineer or could it maybe be useful knowledge in the future? Any thoughts on this?



Is there a tool that I could use to check network latency to all of my processes in my PC's Network Activity?

Hello,

If I go to "Resource Monitor" on my PC, under "Network Activity" I see all these processes listed. Is there a way I could find out the latency/ping to all the processes listed?

I believe I could manually type down the IP addresses and ping them manually in CMD, but is there a tool which would do it for me automatically?

Thanks for any help!



Tuesday, June 2, 2020

I have a tower on my property, ISP owner passed away. Some advice needed and details inside. Specifically ubiquiti radios.

I have a tower on my land from a small-town local ISP provider. I was on a first-name basis with the guy and we often texted and I would help with issues on the tower. So, long story short, the guy has passed and the business went to his mom; it's mayhem.....but we are all trying to keep this thing going while his mom gets some time to hire someone to handle the business. Right now it's just the tower owners and an investor trying to act as ISP professionals and.....yeah. We are doing what we can.


OK so I'm trying to keep my tower alive for now while they figure stuff out, and from what I can tell the PoE adapter went out on one of the smaller radios (Ubiquiti). It's just a smaller wide-range radio that shoots to a neighborhood below us. I don't know what it's called; I know it's not the backhaul as that one's quite recognizable. I could take a picture; it's a skinny rectangle shape. My question is what PoE adapter do I get to replace this? The adapter doesn't tell me if it's 24V or 48V; if there was a label, it's definitely gone now. Is the amperage standard on these things, like is a 48V PoE adapter always x amps?

Any help is appreciated, I know this is a strange one.



What do the top of the line Netgear switches i.e. M4300 series not have that Cisco & Juniper do for the SMB environment?

I have setup Netgear M4300 series switches at 3 sites now and all have been running for a year without a single issue.

These switches have many enterprise features such as:

  1. Redundant Power supplies
  2. Advanced topologies such as spine & leaf with switch stacking
  3. Out of band management
  4. Full featured CLI and WebUI with secure login
  5. VLANs, layer 3 routing, DHCP, ACLs, LAGs, etc
  6. 24/7 pro support for very reasonable cost
  7. Lifetime warranty with part replacement

Some of the things these switches don't have that I have noticed on some comparable Juniper and Cisco switches.

  1. ECC memory
  2. Multi-core processing

Opinion: The cost for comparable Juniper and Cisco seems to be about 3x. So, I could buy 2 sets of the Netgear and leave one on the shelf in case anything breaks and still be saving money. Just seems a bit ridiculous.



Chassis based switches in Netbox

How is everyone representing their chassis based switches and associated cards in Netbox? For example Cat6k switches with line cards.

One option is to have a parent/child device, which enables me to track serial numbers of line cards individually (and using a custom field EOS of a module type), but tracking interfaces on the device is a little bit clunky because they're not directly visible when I view the switch, I need to click through to the 'related devices'.

The other option is to not track line cards individually and just add all of the interfaces directly to the chassis switch. The (minor) downside of this is I can't pre-configure my device types with interfaces because chassis switches are loaded with cards differently, depending on use.

Any other options?



NANOG is this week and it's free. I've already enjoyed most of the talks so far, great opportunity to join the conversation

https://nanog.digitellinc.com/nanog/live/14/page/69

The chat section is a hoot. Fights about what traditional firewalling is and what is currently relevant! Been a blast.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Is AWS valuable for my career as a network engineer ?

Hello all, so my work currently focuses on Cisco products and this is actually my first job in my career.

So I'm thinking, if I were to change my job for whatever reason, what should my skillset be? I'm currently sharpening my skills in Linux and Wireshark, but I'm intrigued by AWS certifications and I'm a bit lost on which certificate to pursue.

Another part of my question is about the server part of a network engineer's job, as I honestly have no knowledge whatsoever in Microsoft servers, so is studying AWS enough for that or should I look into it further?

Lastly, I'm practicing my programming skills using Python as I feel like the future of automation is using Python, so is my choice accurate?

Sorry for sounding like a confused lad but I am haha, many thanks in advance for the help

P.S. I've been in my job for a bit less than a year now and I've a bachelor's in Computer Science, so I have some background in programming.



SVI vs Layer 3 interfaces

Could someone help me explain the situation in which a L3 routed port would be beneficial to using an SVI on a layer 3 switch? I work on a lot of smaller networks with collapsed core that goes Core/Dist switch > Firewall using a stub VLAN with an SVI on the switch. My understanding is layer 2 info gets sent out an interface if using an SVI, but if the device on the other end is layer 3 does it really matter other than more noise on the line?



SR-IOV Networking and OVS - InterVM isn't working

Hi there,

I hope all of you are fine.

I have a problem trying to get two VMs on the same hypervisor to communicate.
VM1 with PCI passthrough/SR-IOV and VM2 with virtio/OVS bridge.

The hypervisor has 2 different NICs, 1 NIC (XL710 4x10G) for SR-IOV and the other one used for Open vSwitch. Trying to ping on the same subnet, on the same VLAN, I get unreachable; I don't see MACs in the FDB. Pings to other VMs hosted on other hypervisors are working from VM1.

Maybe something related with VEB and VEPA?

Kindly,

Pau



Very basic cisco networking question

I set this up a couple of years ago and I forgot the answer to my question.

I have an AP on my network that is plugged into switchport 1/0/9:

interface GigabitEthernet1/0/9
 description AP1
 switchport mode trunk
 power inline never

I run pfsense as my router. The network that AP1 is on is vlan 35. That switchport config is below:

interface GigabitEthernet1/0/2
 description pfsense-trunk
 switchport mode trunk
 power inline never

In this case, everything is working as I expected it to work, the wireless device that I have connected to AP1 is getting an IP on vlan 35, but the AP itself is getting an IP from my regular network, which is what I want, but I'm not sure how it is able to get an IP from my regular network because I haven't set a native VLAN ID on the switchport with the AP. Is there a default native ID being used?

I don't deal with Cisco day to day; I set up this network to learn more about Cisco. This isn't a production environment.

Thanks.

EDIT - resolved: native VLAN ID 1 is being used on the trunk by default.



Dot1x for shared workstations

I'm pushing out dot1x to our sites and I'm running into an issue with sharing certificates. I have a GPO that auto generates device and user certificates, and the dot1x policy I have set up on my RADIUS server requires both the device and user certs for authentication. The switch config, radius policy and certs work fine. The issue I"m running into is that a set of my users share workstations. They can be on up to 5 different machines. My options so far are to either preload all possible workstations with the potential certificates which is insecure and a bear to manage. I can also generate a new certificate for each login, but that will make a large amount of certificates for each user and makes revoking them difficult (not to mention, security). Is there any GPO, script or config I can use to get workstation to contact our CA and pull down a already generated cert?