Saturday, July 4, 2020

VLAN help please! Network has scrambled my brain

My Network Diagram simplified.

Dabbling in VLANs for the first time, followed the guide from: pfsense baseline setup. The setups are almost identical, and it has been helpful in helping me understand a lot of pfSense. This is my second pfSense setup and I retired my old setup, which had a flat network with no VLANs.

Right now I have Unifi AP1, which I want to assign to the "MGMT" VLAN on the 10.0.10.0 network, but the problem is its physical location, which connects directly to PORT 2 on my pfSense router, assigned as LAN, untagged, 10.0.1.0. This is because there is only one wall cable per major area going to the closet. I don't know how to get this AP1 to connect to PORT 4, to which I've assigned every VLAN in pfSense.

Each Unifi AP controls which VLAN it assigns wireless clients to via a different wireless network: the "GUEST" wifi network goes to VLAN 40, "MGMT" goes to VLAN 10, etc. I want to have the same experience on wifi when connecting to either AP.

I'm open to getting different equipment if it makes things easier. I feel like I bought the wrong managed switch and should have bought a layer 3 managed switch instead although I'm not sure why I would need L3 or how it might improve my situation? I cannot buy a loud or giant device intended for a server room or rack as the closet is in a central location unfortunately.

Am I doing this VLAN thing correctly? I've been sitting on this for a month now trying to figure out how to "fix" or properly have my network set up. You can probably tell I don't know what I'm doing lol.

Is this how you would set up your network with VLANs?

Any help is graciously appreciated!



Mounting Bracket for 19" TP-Link Switch

I have looked here and found that I need "Mounting bracket D" but I have no idea where to buy it.

TL-SG1024



Cisco ASA, SSH not working

Hi,

I tried searching on Google and on the Cisco community but couldn't find anything. I am trying to SSH into the ASA from 15.1.1.1, and I am getting these debug messages on the ASA.

ciscoasa(config)# Device ssh opened successfully.
SSH0: SSH client: IP = '15.1.1.1' interface # = 2
SSH: host key initialised
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-2.0-Cisco-1.25
SSH0: send SSH message: outdata is NULL
server version string:SSH-2.0-Cisco-1.25
SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-1.99-Cisco-1.25
client version string:SSH-1.99-Cisco-1.25
SSH2 0: SSH2_MSG_KEXINIT sent
SSH2 0: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-ctr hmac-sha2-256 none
SSH2: kex: server->client aes128-ctr hmac-sha2-256 none
SSH2 0: kex algo not supported: client diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1, server diffie-hellman-gro
SSH2 0: ssh: kex_choose_conf error
SSH2 0: key exchange failed to complete
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"

Can anyone help me with what the issue is here and why I am not able to SSH into the ASA? Please ask for any detail if required.
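The debug above stops at the key-exchange step, so the thing worth understanding is how SSH picks an algorithm from two name-lists. This is an added example, not code from the post or from Cisco: it implements the RFC 4253 section 7.1 negotiation rule (first algorithm in the client's list that the server also offers) and runs it over lists that mirror the debug output. The client lists are copied from the debug lines; the server kex list is an assumption, because the posted line is cut off after "diffie-hellman-gro".

```python
"""
Added example (not from the original post): RFC 4253 algorithm negotiation
for the name-lists carried in SSH_MSG_KEXINIT, applied to lists that mirror
the ASA debug above. Server kex list is an ASSUMPTION (the debug is truncated).
"""


def first_common(client_list, server_list):
    """RFC 4253 rule: walk the client's preference order and return the first
    algorithm the server also offers; None means no overlap for this list."""
    offered = set(server_list)
    for alg in client_list:
        if alg in offered:
            return alg
    return None


# Name-lists both sides must agree on for the session to come up.
# (kex must additionally fit the host-key algorithm; ignored here.)
FIELDS = ("kex", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c")


def negotiate_kexinit(client, server):
    """Return field -> chosen algorithm (None where nothing overlaps).
    A None in 'kex' is exactly the 'kex algo not supported /
    kex_choose_conf error' case in the debug."""
    return {f: first_common(client[f], server[f]) for f in FIELDS}


def failed_fields(chosen):
    return [f for f in FIELDS if chosen[f] is None]


# Client side as seen in the debug: GEX-SHA1 then group14-SHA1,
# aes128-ctr and hmac-sha2-256 in both directions.
CLIENT = {
    "kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"],
    "cipher_c2s": ["aes128-ctr"],
    "cipher_s2c": ["aes128-ctr"],
    "mac_c2s": ["hmac-sha2-256"],
    "mac_s2c": ["hmac-sha2-256"],
}

# ASSUMPTION: a server that only offers DH group 1 for kex. The real list is
# unknown because the posted debug line is truncated.
SERVER_GROUP1_ONLY = {
    "kex": ["diffie-hellman-group1-sha1"],
    "cipher_c2s": ["aes128-ctr", "aes256-ctr"],
    "cipher_s2c": ["aes128-ctr", "aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"],
    "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
}

# The same server after group 14 has been added to its kex list.
SERVER_WITH_GROUP14 = dict(
    SERVER_GROUP1_ONLY,
    kex=["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
)


if __name__ == "__main__":
    for name, srv in (("group1-only", SERVER_GROUP1_ONLY),
                      ("with group14", SERVER_WITH_GROUP14)):
        chosen = negotiate_kexinit(CLIENT, srv)
        bad = failed_fields(chosen)
        print(name, "->", ("FAIL on " + ", ".join(bad)) if bad else chosen)
```

Note that cipher and MAC negotiate fine in both runs; only the kex list has no overlap, which matches the debug (the cipher/MAC lines are printed before the failure). On recent ASA software the server-side kex list is what the `ssh key-exchange group` setting controls; both group 1 and group-exchange-sha1 are weak by current standards, so the sensible fix is to add group 14 on the ASA rather than re-enable group 1 on the client.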



The Bloomberg Network Outage [2005]: Anyone would care to share an opinion?



Changing Network Subnet-Size

Hey guys, I am having an issue with a commercial network. I have a variety of different devices in a 255.255.255.0 subnet and am running out of space. There are a few devices that are fixed that I have no access to: fire-alarm module, break-in module, climate sensors etc. are fixed to an IP and the 255.255.255.0 subnet. What happens if within my controller (using UniFi) I change the network scope from 192.168.0.1/24 to 192.168.0.1/16, or 255.255.0.0? Will the devices with the fixed IP and the /24 scope still have service? I have never done this before.

Cheers!

Edit: The thing is, some devices I can control (such as client PCs) need to access at least one of the fixed IP devices (a building control device). Thanks a lot for the VLAN approach, I really should have mentioned that!
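The question comes down to how each host decides whether a destination is on-link, and that decision is made from the host's own mask only. The following is an added example, not part of the post: it computes that decision for hosts sharing one wire where the UniFi side has been widened to /16 while the fixed devices keep /24. All addresses are constructed, and the gateway is assumed to be the UniFi gateway at 192.168.0.1; the code only models the on-link decision, not what the gateway does afterwards.

```python
"""
Added example (not from the original post): the on-link decision a host makes
from its own address/mask, applied to a mixed /24 and /16 segment.
Addresses and the gateway are constructed.
"""
import ipaddress


def next_hop(host_ip, prefixlen, dst_ip, gateway=None):
    """How host_ip/prefixlen reaches dst_ip:
    'direct'      - dst is inside the host's own subnet, so it ARPs for it
    'via <gw>'    - dst is off-link, packet goes to the default gateway
    'unreachable' - off-link and no gateway configured (common for appliances
                    that were only ever given an IP and a mask)"""
    own_net = ipaddress.ip_interface(f"{host_ip}/{prefixlen}").network
    if ipaddress.ip_address(dst_ip) in own_net:
        return "direct"
    return f"via {gateway}" if gateway else "unreachable"


def round_trip(a, b):
    """Both directions between hosts a and b (dicts: ip, prefixlen, gateway).
    An asymmetric result means replies take a different path than requests."""
    return (next_hop(a["ip"], a["prefixlen"], b["ip"], a.get("gateway")),
            next_hop(b["ip"], b["prefixlen"], a["ip"], b.get("gateway")))


GATEWAY = "192.168.0.1"                                    # assumed UniFi gateway
FIXED_WITH_GW = {"ip": "192.168.0.50", "prefixlen": 24, "gateway": GATEWAY}
FIXED_NO_GW = {"ip": "192.168.0.60", "prefixlen": 24}      # no default gateway set
CLIENT_LOW = {"ip": "192.168.0.77", "prefixlen": 16, "gateway": GATEWAY}   # still inside old /24
CLIENT_HIGH = {"ip": "192.168.3.10", "prefixlen": 16, "gateway": GATEWAY}  # uses the new space


def scenarios():
    return {
        "client in old /24 <-> fixed": round_trip(CLIENT_LOW, FIXED_WITH_GW),
        "client in new space <-> fixed with gateway": round_trip(CLIENT_HIGH, FIXED_WITH_GW),
        "client in new space <-> fixed without gateway": round_trip(CLIENT_HIGH, FIXED_NO_GW),
    }


if __name__ == "__main__":
    for name, (request, reply) in scenarios().items():
        print(f"{name}: request {request}, reply {reply}")
```

The middle case only works if the gateway forwards the reply back out the interface it arrived on (it usually does, often with an ICMP redirect), so it is fragile and doubles the gateway's load for that traffic; the last case is silent loss. That is the practical reason for keeping the unchangeable /24 devices in their own /24 (or VLAN) and routing to them, rather than widening the mask underneath them.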



Setting up a proxy server on heroku

/r/techsupport/comments/hl3n59/setting_up_a_proxy_server_on_heroku/

Ping to default gateway/router is unstable

Hi all, recently, my network has been extremely slow and pings to my default gateway are unacceptably high (200-300ms), sometimes even packet loss. I’m directly connected through ethernet and this is the only device that is actively connected, so it definitely isn’t a network traffic issue. I’ve also tried different devices and cables, but I still get the same issue.

I’m strongly suspecting that our router has outlived its usefulness, but I’m not 100% sure yet. I wanted to hear your thoughts and perhaps suggestions on anything I could do to remediate this before I go out and buy a new router.



Hey, I've never done any networking and I am trying to make a Quiplash clone like Pretend You're Xyzzy.

Not sure if it belongs here but, as I said in the title, I'm trying to make a Quiplash clone like Pretend You're Xyzzy for my friends and I to play. My issue is that I don't know how to collect any data from users (like their nicknames or any responses to the questions). How would I go about doing this? Thanks in advance.



Friday, July 3, 2020

Fiber question

How would I go about finding out if I have FTTC(Fiber to the Curb) or the location nearest Fiber node? I did call my ISP once, but wasn’t able to articulate my question properly, and after 1 and a half hours, ended up with nothing.



Dsl/Wan on the NBN

/r/nbn/comments/hky88h/wandsl/

Service Providers - where do you choose to originate BGP aggregates in your network?

i.e. Do you originate them on every border router, are they originated in every POP, or are they originated at a central point on your backbone?



Chasing Ghosts in Monitoring

We have a few (thankfully) edge devices that will occasionally go down according to our monitoring servers (sometimes only some of them). The thing is, by the time you can react to the alerts, even if you were paying sharp attention, the problem is already solved, with no clear evidence along the path as to why we lost monitoring for a minute or any indication that it was actually down in the first place. On top of all of this you have an exec CC'd on these emails wanting explanations for everything, with nothing to contribute to the hunt.

Have you fine people ever had stuff like this happen in your networks? What was the cause?



5ghz only modem?

Hi guys, this may be a stupid question but is it likely that my xfinity modem has only a 5ghz bandwidth? I just got a new Traeger for Father’s Day and I’m trying to get it hooked up to WiFi but the Traeger only has 2.4ghz capability. If this is the case, can I use a dual band router to fix this issue? Thanks in advance, Reddit!



FTP Logon Attempt Restriction exceeded, not restricting IP address

Windows Server 2012/IIS 8.0 has FTP logon attempts restrictions set to 5 with a time limit of 180 seconds and set to deny IP address.

We are being hit with dictionary attacks dozens of times within the span of 2 minutes, and IIS isn't blocking that IP address.

What should I be checking to troubleshoot this? It seems like it should be pretty straightforward.



Separation of FTP vs Explicit FTPS on the firewall?

Hi folks, got a scenario where I have to prevent public users (teleworkers) from accessing our FTP server without TLS. The FTP server is managed by our SA and not our team, we only manage and control traffic on the Palo Alto firewall. Users must use PASV mode.

Basically, what I've done is port-forwarding of the FTP server, and configured inbound SSL decryption on the Palo Alto. When it comes to security rules though, it seems like after decryption and NAT both traffic types (FTP and FTPS) are seen as the FTP application. Before I configured decryption, the data channel of FTPS showed as the SSL application, hence the firewall couldn't inspect it to create a pinhole for PASV FTP.

SFTP has been recommended by our team for this use case, but would have to wait for the confirmation from the SA. In the meantime, though, public users must NOT access via plain FTP. Has anyone ever done this before?



What are some of your server naming conventions?

I use Egyptian deities: Nephthys, Sekhmet, Sobek etc

I'll be deploying new servers soon and I'm looking for some ideas.



Wireless TX / Gain Question on Access Points

Hey Guys,

I'm working on doing a Site Survey. I'm having an issue wrapping my head around TX Power, and Antenna Gain.

Take a look at this Datasheet for an Aruba 550 AP: https://www.arubanetworks.com/assets/ds/DS_AP550Series.pdf

The Datasheet states the following:

  • Integrated downtilt omni-directional antennas for 4x4 MIMO in 2.4GHz with peak antenna gain of 4.3dBi, and 8x8 MIMO in 5GHz with peak antenna gain of 5.8dBi in 5GHz.
  • 2.4Ghz - 18dBm TX Power

When I'm placing my AP in Ekahau, I'm able to specify total TX Power. To get true TX Power, I should take 18dBm PLUS 4.3 (For the 2.4 Band) - giving me a total of 22.3dBm TX - correct?

Also - I understand end devices have smaller radios and may be unable to connect at far distances - just trying to get a true heat map from the AP.
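The arithmetic behind the question, as an added example that is not part of the post and not Aruba's or Ekahau's code: EIRP is conducted TX power plus antenna gain minus feed loss (zero for an integrated antenna), and once you have EIRP, free-space path loss gives an expected received level at a distance, which is what a heat map is drawing. The AP figures are the datasheet numbers quoted above; the channel and the client-side antenna value are assumptions.

```python
"""
Added example (not from the original post): EIRP and a free-space link budget
for the datasheet numbers quoted above. Client-side values are assumptions.
"""
import math


def eirp_dbm(tx_power_dbm, antenna_gain_dbi, feed_loss_db=0.0):
    """EIRP (dBm) = conducted power (dBm) + antenna gain (dBi) - cable/connector loss (dB)."""
    return tx_power_dbm + antenna_gain_dbi - feed_loss_db


def dbm_to_mw(dbm):
    return 10 ** (dbm / 10.0)


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss with distance in metres and frequency in MHz."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def expected_rssi_dbm(tx_power_dbm, ap_gain_dbi, distance_m, freq_mhz,
                      client_gain_dbi=0.0, obstruction_loss_db=0.0):
    """Level at the client: EIRP - path loss + client antenna gain - walls/obstructions."""
    return (eirp_dbm(tx_power_dbm, ap_gain_dbi) - fspl_db(distance_m, freq_mhz)
            + client_gain_dbi - obstruction_loss_db)


# Datasheet values quoted in the post for the 2.4 GHz radio.
AP_TX_DBM = 18.0
AP_GAIN_DBI = 4.3
CHANNEL_6_MHZ = 2437          # assumed channel for the path-loss figure
HANDSET_GAIN_DBI = -2.0       # assumed: phone antennas are typically below 0 dBi

if __name__ == "__main__":
    eirp = eirp_dbm(AP_TX_DBM, AP_GAIN_DBI)
    print(f"EIRP: {eirp:.1f} dBm = {dbm_to_mw(eirp):.0f} mW")
    for d in (1, 10, 30):
        rssi = expected_rssi_dbm(AP_TX_DBM, AP_GAIN_DBI, d, CHANNEL_6_MHZ,
                                 client_gain_dbi=HANDSET_GAIN_DBI)
        print(f"{d:3d} m: FSPL {fspl_db(d, CHANNEL_6_MHZ):.1f} dB, RSSI {rssi:.1f} dBm")
```

So yes, 18 dBm + 4.3 dBi gives 22.3 dBm EIRP for that radio. Two caveats before typing that into a survey tool: EIRP is what regulators cap (for 2.4 GHz that is 20 dBm under ETSI rules, higher under FCC), so a real deployment may not be allowed to run at the datasheet maximum; and whether the quoted 18 dBm is per chain or the aggregate across chains is decided by the datasheet footnotes, which is worth checking for a multi-chain AP.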



Wifi Support

Over the last few years I've become the de facto "Wifi Guy" in our org. We support over 40k APs and 80% of our traffic is wireless. As of now I'm a department of one doing troubleshooting and all Ekahau deployment tasks.

My question: How many of you guys have a dedicated Wireless team and how big is it?



Can the network break down by itself?

I see plenty of job ads for network monitoring. I have some basic knowledge, but I can't get my head around what can go wrong with the network besides some defective components or outside factors. Is there anything that can cause the network to malfunction where the cause wasn't on layer 1? I'm familiar with things like STP, but I assume the devices in huge corporate networks are configured properly. What are the possible things that can go wrong, and how likely are they?



Configuring VPN behind firewall

Looking for advice on this: Looking at setting up a VPN for site to site purposes. The current setup is ISP Router > Firewall > Internal Router

Both Firewall and Internal Router have firewall capabilities, wondering which option would be best to set the VPN on, Firewall or Internal router, or if there is such thing as 'best' option. I was thinking about the internal router, but would it be possible to set it up on the internal router given the current configuration?



How does the US embassy in Havana get internet?

More broadly, how do US embassies get internet?



Discussion - Why does nobody try to compete with the CCNA exam?

I used to be a Cisco fanboy, but not anymore. However one thing that I respect about Cisco is their documentation. No other vendor documents protocols/processes/products like Cisco does. This is also true with their certs.

My question is why haven't other vendors come together and tried to build a decent vendor-neutral network certification that actually teaches you stuff? I was surprised to see that only the CCNA teaches you about subnetting, how to use a serial console and basic routing. The Network+ is a bit useless if you ask me, since it teaches you very basic stuff and it hardly counts as an achievement.

Below is a list of stuff that should be vendor neutral.

- Subnetting
- IPv6
- Routing with OSPF
- Basic BGP
- Layer 1/2 Ethernet standards
- IPsec VPNs
- NAT (including 6to4, 4to6)
- Stateful firewalling
- Protocol fundamentals with Wireshark
- Basic *nix commands (since all vendors use a *nix product as an underlay for their operating systems)



Fiberstore/whitebox switches - Support?

Hi, I've noticed this: https://www.reddit.com/r/networking/comments/7bhq69/fiberstore_switches_anyone_have_a_review/

And well, a lot of people on the internet are suggesting that their reviews are very bot-ty and don't necessarily reflect real-world examples. I did, however, find this:

https://blog.kroy.io/2019/01/30/a-new-switch-for-a-new-day/

I'm struggling to find "real" reviews on these switches. I have no reason to believe that their transceivers are anything short of excellent, and you don't really "need" support on those, but switches are something you'd definitely want support on in the enterprise, even if it is just firmware updates.

I've yet to know how they even compare "properly" given their dodgy marketing campaigns. In addition to that, there are general whitebox switches too. I guess I'd probably still be rather wary of these when it comes to core/distribution, but again, surely you could just buy two and not care?



Open-Source vRouter with VRF or VRF-Lite?

Hey, Y'all!

I'm building a lab environment and need to have VRF on my virtual ToR switch. Any suggestions?



Moving to BGP with Sonicwall, anyone have any gotchas to mention?

We have a pair of Sonic Wall NSA firewalls and we’re going to start BGP peering. Haven’t done this on sonicwall before so I’m a bit nervous that the sonicwall will fall over with two full feeds. Support has said it should be fine, but I’d like to hear from others.

I’ve already been advised from a few friends to use filters to reduce the load, so I have that covered.



Service Provider Automated Provisioning

Those of you that work in the Service Provider area what are your experiences with automated provisioning? What tools have you used? What tasks do you find are suited for automated provisioning? Are there any tasks that you don't use automated provisioning to complete?

On a similar note do any of you use ZTP deployments? What role do these devices have in your network? (MPLS router, G8032 node, etc.)



Cisco ASA cluster issue with public servers

I have a cluster of 2x asa 5545X configured. The cluster itself reports healthy.

The issue I have with it is that one of them doesn’t do public servers (static nat). When I simulate a failure and the other node becomes the master and the only node in the cluster - I can access the internet from inside on any vlan, VPN also establishes fine. But outside access to inside public servers (webserver) doesn’t work.

After I do the procedure in reverse, and the original master is now the only member, everything works as expected.

So I am forced to leave it with just the functional member active.

Has anybody else experienced this or can point me in the right direction?



Which Access Switches on Arista Core?

Hi!

I am using Arista Switches for my core network.

As the Arista access switches are just crazy expensive, I am looking for alternatives with:

  • Similar CLI
  • Similar VLAN logic (assign VLANs to interfaces, not interfaces to VLANs)
  • POE+-Option
  • Gigabit ports and 10 GbE uplinks

Do you have any good idea for that?

Thank you for your thoughts

ITStril



Thursday, July 2, 2020

Security certification question re:WPS/EAP-FAST/WPA/802.1X

Hey guys. Networking professional here with 15+ years experience, but this is related to a new certification I'm studying for. It's security-related, and I tried to post in the appropriate sub but a mod there denied my post because he claimed it was too open ended/vague, but I think it has to be, as I'll explain in a moment.

The practice test I'm taking asked a question that said something like, which of these is best to configure when you need to support low power or legacy devices? The options were something like WPS/EAP-FAST/WPA/802.1X.

To my mind, when I look at those options, and I see "low power or legacy" I'm thinking this must have something to do with wifi and/or Power over Ethernet (PoE). All those options are either protocols for authenticating or encrypting wifi traffic. Of course some are newer than others, but AFAIK none of them have anything to do with power usage, nor have I ever heard that any of these are resource hogs.

I did try to research possible answers, but the problem is that if I'm right then I'm trying to prove a negative, which can be impossible if there is no proof that spells out that something is false - the proof of the negativity may simply not exist. So, as expected, when searching for combinations of these protocols plus the terms "low power" or "legacy" all I'm getting are results related to what features different WAP models support, and how to configure them. I'm not finding anything that actually answers the question as originally asked.

So what I need to ask is ... does anyone know of any way those protocols have any bearing on CPU/RAM utilization or PoE? If so, can you give me some more specific search terms that might lead me to the feature(s) I need to research? In absence of this, I can only assume this question is 'broken', for lack of a better term.

Thank you.



How are packets allocated and deallocated?

Does the kernel actually create a unique packet in the memory and give it to a process?

Whose responsibility is deallocation?



How to set up Vagrant machine as a router

So I've started a new gig (remote) that requires me to use SonicWall NetExtender to connect to the customer's VPN. Since I run NixOS on my machine and NetExtender is proprietary software not really fit to run as is on NixOS, I created a CentOS 7 VM to run the VPN software using Vagrant. I run the NetExtender software in the VM and I can set up a SOCKS proxy by using SSH with dynamic forwarding from my host to the VM.

Now I want to route all my host traffic to the four particular subnets that NetExtender sets up through the VM, and I'm not sure how to set that up. I also need to access the customer's DNS server to resolve internal server names.

How do I set this up using vagrant?



Network Protocol Animation - VisualLand.net

This is a call for the old guys out here: do you remember this site, Visualland.net?

All network protocols in animated Flash files. It was a really great resource but it's not available any more. Is there a copy or alternative that you can think of?

https://i.postimg.cc/pLQM32TX/Visual-Land1.jpg



NAT'd Dynamic IPsec tunnel keeps dropping randomly

Hi All,

Currently having an issue where an IPsec tunnel just keeps dropping for a few minutes, maybe once or twice a night, and it's causing the client to ring every day (the client is monitoring a device in a remote location and gets alerts when the device is not contactable after 1 min).

The tunnel is established between 2 Cisco ISRs. It is configured in a hub-spoke topology. I believe the spoke to be the cause of the issue, because when we switch the spoke over to 4G/LTE (instead of fibre) it doesn't drop at all.

Here's where it gets more complicated than your basic IPsec setup (well, it is for me anyway): the spoke is behind another ISR and that ISR is behind a Sophos firewall. As below:

SpokeISR > SiteISR > SophosFW(NAT) > - - Internet - - < HubISR

The Sophos is the only thing that is NATing traffic; the SiteISR is just routing without any NAT (it has a private IP between the Sophos and itself).

I've tried tuning the NAT keepalives and the DPD settings (on the spoke ISR) but it hasn't made any difference whatsoever. Not to mention I don't believe it would do anything anyway, as it's not NATing.

I have a feeling that the Sophos firewall is the issue and I'm not sure how to prove it via logs or anything as of yet. I was going to try extending the NAT time on the Sophos to see if that worked, and also entering some static NAT, but the Sophos is already handling IPsec tunnels for itself and I don't know if that would work.

Hoping someone with more understanding of IPsec tunnels and NAT would have an idea of why this might be happening or be able to point me in the right direction. I have posted the crypto section of each site to show what they are currently, and also the logs from the hub when the dropout occurs. If there is any more information I can provide please let me know :)

##Configs##

#HubISR#
crypto keyring <name>
 pre-shared-key address 0.0.0.0 0.0.0.0 key <password>
crypto isakmp policy 90
 encr aes 192
 hash sha256
 authentication pre-share
 group 14
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 5 periodic
crypto isakmp nat keepalive 20
crypto isakmp profile <name>
 description <name> for spoke routers
 keyring <name>
 match identity address 0.0.0.0
crypto ipsec transform-set rtpset esp-aes 256 esp-sha512-hmac
 mode tunnel
crypto dynamic-map dynmap 10
 set transform-set rtpset
 set isakmp-profile <name>
crypto map <name> 10 ipsec-isakmp dynamic dynmap

#SpokeISR#
crypto isakmp policy 90
 encryption aes 192
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <password> address <Static-IP of HUB>
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 5 periodic
crypto isakmp nat keepalive 20
crypto ipsec transform-set <name> esp-aes 256 esp-sha512-hmac
 mode tunnel
crypto map <name> 90 ipsec-isakmp
 set peer <Static-IP of HUB>
 set transform-set <name>
 match address <ACL-name>

### LOGS from HUB ###

Jul 3 00:23:04.894: [Ident 800001F3]: state = Check Install SA Declare Success
Jul 3 00:55:51.009: ISAKMP-ERROR: (1859):DPD incrementing error counter (1/5)
Jul 3 00:55:56.010: ISAKMP-ERROR: (1859):DPD incrementing error counter (2/5)
Jul 3 00:56:01.009: ISAKMP-ERROR: (1859):DPD incrementing error counter (3/5)
Jul 3 00:56:06.010: ISAKMP-ERROR: (1859):DPD incrementing error counter (4/5)
Jul 3 00:56:11.010: ISAKMP-ERROR: (1859):DPD incrementing error counter (5/5)
Jul 3 00:56:11.010: ISAKMP-ERROR: (1859):Peer <SpokeISR IP> not responding!
Jul 3 00:56:11.011: ISAKMP-ERROR: (1859):deleting SA reason "P1 errcounter exceeded (PEERS_ALIVE_TIMER)" state (R) QM_IDLE (peer <SpokeISR IP>)
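The hub log already contains the timeline the poster needs in order to line things up against the Sophos: `keepalive 10 5 periodic` means a DPD probe every 10 s and, once one goes unanswered, retries every 5 s until the fifth failure tears the SA down, which is exactly the 00:55:51 to 00:56:11 sequence above. Below is an added example, not code from the post or from Cisco, that parses those lines and turns the counter into an outage window. The input is the posted hub log re-typed as constructed data, with the redacted peer address replaced by the documentation address 198.51.100.7.

```python
"""
Added example (not from the original post): parse ISAKMP DPD log lines from
the hub and derive the outage window from the configured DPD timers.
Log lines are the posted ones re-typed as constructed input; the peer IP
198.51.100.7 is a placeholder for the redacted spoke address.
"""
import re
from datetime import datetime, timedelta

KEEPALIVE_INTERVAL_S = 10   # 'crypto isakmp keepalive 10 ...': periodic probe interval
KEEPALIVE_RETRY_S = 5       # '... 5 periodic': retry spacing once a probe is missed

HUB_LOG = """\
Jul 3 00:23:04.894: [Ident 800001F3]: state = Check Install SA Declare Success
Jul 3 00:55:51.009: ISAKMP-ERROR: (1859):DPD incrementing error counter (1/5)
Jul 3 00:55:56.010: ISAKMP-ERROR: (1859):DPD incrementing error counter (2/5)
Jul 3 00:56:01.009: ISAKMP-ERROR: (1859):DPD incrementing error counter (3/5)
Jul 3 00:56:06.010: ISAKMP-ERROR: (1859):DPD incrementing error counter (4/5)
Jul 3 00:56:11.010: ISAKMP-ERROR: (1859):DPD incrementing error counter (5/5)
Jul 3 00:56:11.010: ISAKMP-ERROR: (1859):Peer 198.51.100.7 not responding!
Jul 3 00:56:11.011: ISAKMP-ERROR: (1859):deleting SA reason "P1 errcounter exceeded (PEERS_ALIVE_TIMER)" state (R) QM_IDLE (peer 198.51.100.7)
""".splitlines()

_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+)"
DPD_RE = re.compile(_TS + r": ISAKMP-ERROR: \((?P<sa>\d+)\):DPD incrementing error counter "
                    r"\((?P<n>\d+)/(?P<max>\d+)\)")
DEL_RE = re.compile(_TS + r": ISAKMP-ERROR: \((?P<sa>\d+)\):deleting SA reason \"(?P<reason>[^\"]*)\"")


def parse_ts(text):
    # IOS timestamps carry no year; only differences within one log matter here.
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def dpd_outages(lines, interval_s=KEEPALIVE_INTERVAL_S, retry_s=KEEPALIVE_RETRY_S):
    """Per SA: when loss was first confirmed, the earliest the peer could have
    gone silent (the previous periodic probe was answered), when the SA was
    torn down, and whether retry spacing matches the configured timer (a
    mismatch means missing lines or a different timer than the config says)."""
    sas = {}
    for line in lines:
        m = DPD_RE.match(line)
        if m:
            rec = sas.setdefault(m["sa"], {"probes": [], "deleted": None, "reason": None})
            rec["probes"].append(parse_ts(m["ts"]))
            continue
        m = DEL_RE.match(line)
        if m and m["sa"] in sas:
            sas[m["sa"]]["deleted"] = parse_ts(m["ts"])
            sas[m["sa"]]["reason"] = m["reason"]
    report = {}
    for sa, rec in sas.items():
        probes = rec["probes"]
        gaps = [(b - a).total_seconds() for a, b in zip(probes, probes[1:])]
        first = probes[0]
        deleted = rec["deleted"]
        report[sa] = {
            "failed_probes": len(probes),
            "retry_spacing_ok": all(abs(g - retry_s) < 1.0 for g in gaps),
            "silent_since_no_earlier_than": first - timedelta(seconds=interval_s),
            "loss_confirmed": first,
            "torn_down": deleted,
            "reason": rec["reason"],
            # Upper bound on how long traffic was blackholed before IOS gave up.
            "max_blackhole_s": ((deleted - first).total_seconds() + interval_s) if deleted else None,
        }
    return report


if __name__ == "__main__":
    for sa, r in dpd_outages(HUB_LOG).items():
        print(f"SA {sa}: {r['failed_probes']} failed probes, peer silent since >= "
              f"{r['silent_since_no_earlier_than']:%H:%M:%S}, SA deleted at "
              f"{r['torn_down']:%H:%M:%S} ({r['reason']}); up to "
              f"{r['max_blackhole_s']:.0f} s with no working tunnel")
```

That gives a concrete window (peer silent from somewhere after 00:55:41, SA torn down at 00:56:11) to compare against the Sophos connection table and the spoke's own `debug crypto isakmp` output for the same minute. If the Sophos UDP 4500 entry expired or its translated source port changed inside that window, the NAT is the culprit; if the spoke logged nothing at all, the hub's probes never reached it. With `crypto isakmp nat keepalive 20`, the NAT-T keepalive is sent every 20 s, so the Sophos UDP idle timeout for that flow needs to be comfortably longer than 20 s.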



Is there any way for my PC to connect to WiFi through an iPhone?

My PC doesn't have a WiFi adapter and I want to connect to WiFi. Is there any way to connect it through my phone with USB or anything?



Hardware Manufacturer out of my MAC address

Hi, so basically the title. It's maybe a dumb question, so feel free to 'ban' it or whatever. I've googled it, I've tried to get it myself but I'm not able to. Maybe it's not possible?

I just wondered if I could get what is the brand of my, say, phone out of MAC address. Thanks in advance.
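What a MAC address can and cannot tell you, as an added example that is not part of the post: the first three octets (the OUI) map to a maker in the IEEE registry, but only when the locally-administered bit in the first octet is clear. Phones that randomise their MAC per network set that bit, and then there is simply no vendor to find. The OUI table below is a constructed two-entry excerpt; a real lookup uses the full IEEE MA-L file.

```python
"""
Added example (not from the original post): OUI lookup with the U/L and I/G
bit checks that decide whether a lookup is even meaningful.
OUI_TABLE is a constructed excerpt, not the IEEE registry.
"""
import re

OUI_TABLE = {
    "00:50:56": "VMware, Inc.",
    "B8:27:EB": "Raspberry Pi Foundation",
}


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or bare hex;
    return the canonical AA:BB:CC:DD:EE:FF form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def describe_mac(mac, oui_table=OUI_TABLE):
    """Return OUI, the two flag bits of the first octet, and the vendor if
    (and only if) this is a globally administered unicast address."""
    norm = normalize_mac(mac)
    first_octet = int(norm[:2], 16)
    info = {
        "mac": norm,
        "oui": norm[:8],
        "multicast": bool(first_octet & 0x01),             # I/G bit
        "locally_administered": bool(first_octet & 0x02),  # U/L bit
        "vendor": None,
        "note": "",
    }
    if info["locally_administered"]:
        info["note"] = "U/L bit set: randomised or software-assigned address, no vendor behind this OUI"
    elif info["multicast"]:
        info["note"] = "group address, not a station"
    else:
        info["vendor"] = oui_table.get(info["oui"])
        if info["vendor"] is None:
            info["note"] = "OUI not in this table; check the full IEEE registry"
    return info


if __name__ == "__main__":
    for sample in ("00:50:56:ab:cd:ef", "b827.eb12.3456", "DA-A1-19-12-34-56", "01:00:5e:00:00:01"):
        d = describe_mac(sample)
        print(f"{d['mac']}: oui={d['oui']} vendor={d['vendor']} {d['note']}")
```

So for a phone the honest answer is "sometimes": with iOS 14+ and Android 10+ private addresses the second hex digit of the first octet is one of 2, 6, A or E, and the lookup is meaningless. From a monitoring or NAC point of view that is also why MAC-based device identification has become unreliable on guest and BYOD networks.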



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



LLDP Packet Interval Timer Mismatch?

Hi there,

I'm looking into some weirdness we have with LLDP on Yealink phones and Ubiquiti UniFi equipment.

I found that the interval timer is set to 60 seconds in the phones and 30 seconds on the router. Would this cause any issues?

Basically, if we enable LLDP it is not working as expected. It DOES put the phones on the Phone VLAN and the PC port on the PC VLAN, but it is not reliable: the devices have their IP, but the router sees no IP and we have frequent half-duplex or call quality issues. If we turn it off it's business as usual. Standalone (no PC connection) phones on the Phone VLAN without using LLDP work fine as well.

Thanks in advance guys, Phil



Measuring bandwidth pre-AWS migration.

Management want to move servers into the cloud. Variable AWS costs seem to be largely about how data moves, so we'd like to know how our existing data moves on different servers/applications.

I (network guy) have been asked to measure data flow for a week on a server. Also break it down into source/destination. I was thinking Wireshark but I don't want to capture all the data. If I just capture the headers does that give me the correct measure of data? I don't know where Wireshark gets its measurement from.

If it was just data in/out it would be easy, but the source/destination requirement requires a tool that understands IP.

Is there a better way to do this ?

Thanks.
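The question of whether a headers-only capture still gives correct byte counts has a clean answer in the capture file format itself, and this added example (not part of the post, and not Wireshark's code) shows it. Every pcap record stores two lengths: `incl_len`, the bytes actually saved, and `orig_len`, the frame's length on the wire. A capture taken with a small snaplen keeps only headers but still records full wire lengths, so summing `orig_len` per source/destination pair is accurate. The frames, addresses and snaplen below are constructed; the parser handles plain Ethernet/IPv4 only (no 802.1Q tag, no IPv6).

```python
"""
Added example (not from the original post): write a snaplen-truncated pcap
from constructed frames, then account bytes per IPv4 src/dst pair from the
orig_len field. Addresses, MACs and sizes are constructed.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def build_ipv4_frame(src, dst, payload_len):
    """Constructed Ethernet + IPv4 frame carrying payload_len bytes of filler."""
    eth = (b"\x02\x00\x00\x00\x00\x02"         # dst MAC (placeholder, locally administered)
           + b"\x02\x00\x00\x00\x00\x01"       # src MAC (placeholder)
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + b"\x00" * payload_len


def write_pcap(frames, snaplen):
    """Serialise frames as a classic pcap: store at most snaplen bytes of each
    but record the full length in orig_len (what `tcpdump -s N` and Wireshark's
    'limit each packet to' do)."""
    out = struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        stored = frame[:snaplen]
        out += struct.pack("!IIII", 1_593_820_800 + i, 0, len(stored), len(frame))
        out += stored
    return out


def bytes_per_flow(pcap_bytes):
    """Packets, wire bytes and captured bytes per (src, dst) IPv4 pair.
    Wire bytes come from orig_len, so truncation does not skew the totals."""
    (magic,) = struct.unpack("!I", pcap_bytes[:4])
    if magic == PCAP_MAGIC:
        end = "!"
    elif magic == 0xD4C3B2A1:
        end = "<"                              # file was written little-endian
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(end + "I", pcap_bytes[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet captures")
    totals = defaultdict(lambda: {"packets": 0, "wire_bytes": 0, "captured_bytes": 0})
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        off += 16
        data = pcap_bytes[off:off + incl_len]
        off += incl_len
        # 14 bytes of Ethernet plus 20 of IPv4 are needed to read the addresses.
        if len(data) < 34 or struct.unpack("!H", data[12:14])[0] != ETHERTYPE_IPV4:
            continue
        src = ".".join(str(b) for b in data[26:30])
        dst = ".".join(str(b) for b in data[30:34])
        flow = totals[(src, dst)]
        flow["packets"] += 1
        flow["wire_bytes"] += orig_len
        flow["captured_bytes"] += incl_len
    return dict(totals)


def demo():
    """Two 1434-byte frames one way and a 74-byte frame back, snaplen 96."""
    frames = [
        build_ipv4_frame("10.1.1.10", "10.2.2.20", 1400),
        build_ipv4_frame("10.1.1.10", "10.2.2.20", 1400),
        build_ipv4_frame("10.2.2.20", "10.1.1.10", 40),
    ]
    return bytes_per_flow(write_pcap(frames, snaplen=96))


if __name__ == "__main__":
    for (src, dst), t in demo().items():
        print(f"{src} -> {dst}: {t['packets']} pkts, {t['wire_bytes']} B on the wire, "
              f"{t['captured_bytes']} B stored")
```

Wireshark's Conversations statistics count the frame length, i.e. the on-wire value, so a `tcpdump -s 128` capture for a week (128 rather than 96 leaves room for a VLAN tag and IPv6 headers) gives the per-source/destination totals the AWS estimate needs while storing almost no payload. What you lose is only content-dependent analysis. For a full week on a busy server, flow export (NetFlow/IPFIX/sFlow from the switch, or a host collector) produces the same per-pair byte counts with far less disk than even a headers-only pcap.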



Help Understanding Types of Spectrum Used in Mobile Networks

Been doing some research into the spectrum each major network operator owns in the US. I found this interesting table. https://imgur.com/a/MIvnI5o . Unfortunately, this table also makes me realize how little I know about spectrum... I thought spectrum was "named/described" by numbers (eg 600MHz and 700MHz is low band, 2.5GHz is mid-band, etc), but most of the labels in this table are acronyms (AWS, WCS, BRS, etc).

Do those acronyms somehow align to different numbers (i.e. where is Sprint's 2.5GHz spectrum in this table; is it one of the acronyms?).



Has anyone deployed 802.11ax at work or home? Is it what was promised?

As far as I can tell, most places haven't implemented it. Reading about it some time ago it seems like it made major improvement in latency among other things.

Also seems the client devices are very limited as well. I suppose maybe more phones will come with AX when they get 5G as well. Anyone using AX currently? What are your thoughts? Worth an upgrade or not yet?



Router with Cable provider and Cellular provider in one device to distribute internet to home.

I'd like a router that gets 2 signals from providers, an Xfinity one and a MetroPCS one, so if Xfinity drops or interrupts the signal the SIM card from MetroPCS picks it up. I used to have a Peplink that would get Xfinity and BellSouth in one router, so I'm wondering if there is a router that gets a cellular provider and a cable provider in one machine. The reason is, the entry cable box outside the house is really crappy, exposed, loose and there is nothing I can do about it. Since I will put a lot of home security on the network, I'd like to have a backup in case an intruder cuts the cable box. Can you give me a reliable good brand and model please? Thank you.



Downvoting innocent questions

Is there a group of people that go around downvoting all questions in this sub? So many honest questions get downvoted for no reason at all, it must make it really unwelcoming and elitist.

(I'll get downvoted for posting this, but hey, magical internet points are not my life.)

Edit: An example https://www.reddit.com/r/networking/comments/hjjnix/im_at_a_loss_whats_causing_downloads_from/?utm_source=share&utm_medium=web2x



What does basic TCP/IP knowledge mean?

Hi, I am a student in Electronics and Computer Science.

I haven't had quite enough exposure to anything networking related yet within the university courses, and I have found some job ads that have basic TCP/IP knowledge as part of their mandatory requirements.

Just out of curiosity, what am I supposed to know specifically in order to claim I have "basic TCP/IP knowledge"?

And also what would be the intermediate level?



MPLS Default Route LFIB Issue

Hi All,

Firstly, I'm new to MPLS so this could quite easily be my lack of understanding.

Can anyone think of a reason why the default route in the global table would be showing as explicit-null when the next two hops are P routers and the egress LSR is 3 hops away?

CORE1#sh mpls forwarding-table 8.8.8.8
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
None       explicit-n 0.0.0.0/0        4096327       Te1/0/1    192.168.10.14
           explicit-n 0.0.0.0/0        0             Te1/0/2    192.168.10.22

The default route is in OSPF everywhere and LDP is up between all devices where MPLS is enabled. There are plenty of other routes in the global table with labels assigned correctly and routing to those is fine. For default route pings, it works from CORE1 itself, but from SW1 (without MPLS enabled) it doesn't route beyond CORE1.

We are in a transition period, which is why the first device isn't a PE for now and just has routes in the global table.

SW1(NO MPLS) - CORE1(P) - WAN1(P) - WAN2(P) - CORE2(PE) - LEGACYSW(NO MPLS) - FW(DEFAULT ORIG)

We have explicit-null set everywhere to standardise the QoS configurations. But even without this it would presumably be popping it. It's as if WAN1 thinks 0.0.0.0 is directly connected so is sending the null.

This was attempted in a tight change window and we had to roll back, so getting additional logs etc isn't possible unfortunately. We might just have to go for another window to get 'show tech' output etc, but it would be nice to go into it with some troubleshooting ideas.

I've tried to simulate it in GNS3 and it seems to work, which isn't helpful for reproducing it.

Any thoughts would be greatly appreciated.



Question about MPLS networks

Hi all,

I am testing some experimental headers in MPLS networks. I am attaching the experimental headers between MPLS and IP because the nodes I use can parse them and use them. I am integrating this with legacy devices that cannot parse these experimental headers. I have done tests using GNS3 and I can confirm that my approach works.

However, I have not worked in ISP's or professional networks so I am not aware of some information. To those of you with a good knowledge of MPLS networks or good experience managing them, do you know if the MPLS routers parse IP headers (or even L4 headers) for any purpose? I am talking only about clients' traffic not routing traffic, so basically the traffic that is forwarded based on MPLS labels.

Thanks!



How can I bypass Sky Wi-fi filter without VPN?(On a Smart TV or at the Router level)

I’m not good with networks but DNS seems to work with BT boxes but not sky boxes



802.3bt and the next few years

802.3bt is still relatively new, and not really worth it JUST for 802.3bt, and because not many client devices support it, or they require injectors which is pointless if you want a full switch to power up say laptops

What do you think the future will hold, say regarding power? Would we need even more switch capacity to just power up our monitors, laptops, TVs etc.. via the network - Essentially getting rid of additional power sources, and no longer needing plug sockets

https://www.versatek.com/blog/why-are-90w-poe-and-ieee-802-3bt-such-a-big-deal/

We (as a society) use PoE for phones a lot, and in a way that's slowly going away given softphones are getting better, and we also have IP cameras which aren't going to go away any time soon. Would we end up doing the same for other client devices?



Active and Standby cisco routers

Hello guys, I have 2 routers, one of which should be standby and the other active. But somehow both routers are active, knowing that on one of them I configured its HSRP priority to be higher than the other's. I also configured the PREEMPT command on both routers. I want one of them to be standby and the other active. Any solution?



Cisco Aironet 1832 run as normal AP not master with Mobility Express

We have a Cisco 1832 AP that I had to reset as nobody knew the password any more. We want the AP to just run as an AP, but after the reset it broadcasts the CiscoAirProvision SSID and when I connect to the web interface it only comes up with the Mobility Express setup page.

For some reason I cannot console into the AP and configure it through the CLI.

How do I get this one to run as an AP and join our existing controller?



We currently have sdwan with windstream, looking for other options.

We have more than 10 locations, all on SD-WAN with Windstream. I'm looking at saving on costs. Is there a provider that provides services similar to Windstream, where they provide all the equipment, monitoring of circuits, and onsite repairs? We have a small team. Sort of like a network managed service provider, but just the firewall, circuits, etc.

I'm in the southeast.



Cisco RESTCONF : output show commands

Hello,

I'm posting again about Cisco RESTCONF! It's very fast to use but complex to find the information we want. We will buy some Cisco switches for our network, so we are using a Cisco Catalyst 9300 for our tests (IOS-XE).

Actually, we are facing an issue: we cannot find any YANG model describing the usage of "show" commands.

We are trying to get the result of the commands:

  • show ip igmp snooping groups
  • show ip mroute vrf "NAME_OF_VRF"

We tried to find it in the Cisco-IOS-XE-native.yang file but without success. We searched through the YANG file to see if there was a model to pass the show command directly and return the output, but we didn't find anything.

Is there a specific YANG model which can do that? Or is there any solution to pass a generic "show" command and get the output through RESTCONF?

Thank you and have a nice day !



Looking for a carrier to choose for my colocation services

Can you share your experiences with working with your carriers in terms of:

Support

Performance (PL/Latency/bandwidth) - need one that will give best avg latency for anywhere around the globe (to the east coast).

Uptime

I am hosted at a carrier neutral facility and can choose from basically all ISP imaginable.

ATT, TATA, PCCW, Cogent, Verizon, Comcast, KDDI and a million more.

How do I possibly choose from an endless list?



Pingplotter Alternatives

I am looking for something that I can replace PingPlotter with. I work for a small ISP with about 30,000 subs and we use Pingplotter for customers that are having issues with connectivity. We normally have anywhere from 10-30 subs in PingPlotter at any one time with a customer's IP being in the software for anywhere from a few days to a few months. We have the software installed on a VM and use the PingPlotter's web interface for level 1 support to enter customer modem IPs and level 2 will monitor the customer connectivity through PingPlotter. I don't think it was quite meant to be used like this but it was something I inherited when I took the role.

The problem is the VM gets locked from time to time by the PingPlotter Windows service. The solution is normally to reboot the server and allow the service to come back up but sometimes that doesn't work and the service hangs. We have even tried building a new VM but it eventually starts doing the same thing. I have tried using the cleaning tool from PingPlotter to clear out old data but it stopped helping after a while as well. It is becoming a huge time suck and not worth the effort but the call center insists on having something.

So what I need is an alternative to PingPlotter that can monitor an IP over time, has web-based entry as many people enter data, and can be centrally managed by multiple users. I thought about something along the lines of an NMS but feel that is overkill for what this is used for. For all of the "need" for it, I know only a handful of our tech support agents even use it, so I don't want to put a lot of money into a replacement either.



Migrating to MSTP

Hello, I'm tasked to use MSTP over CSTP and I've been reading up. So here's the thing: 5 buildings connected in a hub-spoke topo. How should I create the instances? One for each building? Various VLANs traverse between the buildings, and some stay in their own.

Would appreciate it if someone can point me to some articles, like case studies or practical lessons or best practices that relate closely to what I need done.

Many thanks ahead!



New Security Protocols

Hey guys!

Do any of you know any new security protocols released in the past 10 years? If they could complement or be compared (as a step up) with IPsec, that would be amazing.

Thank you!



Cisco router and the FMC

Hello guys,

I did an access list on the router that will allow a specific public IP from outside the network to inside. But this access list is from the public IP to (ANY).

After that, I created a policy on the FMC that will allow the same IP but with specific source ports.

My question is: will the FMC block any traffic sourced from this public IP with port numbers other than those specified in the policy?

Thank you all.



Memory behavior with full BGP tables - Brocade CER NetIron

I'm running a couple of Brocade CER 2024s and across the board I'm seeing some memory utilization behavior that I don't understand.

First thing worth noting - the CERs behave differently to the MLX and XMR routers, in that they do not have CAM profiles. I'm reasonably sure this means I tune the memory allocation manually by changing the system max variables, the result of which I think has been giving me enough rope to hang myself with.

I'm looking to ingest full BGP tables (yes; multiple locations, transit providers, and IX/peerings), so I've bumped the system-max ip-cache and ip-route entries up to their max (1572864) and rebooted. The memory usage jumped from 60% to 90%, which I assumed meant the memory was pre-allocated. But, as soon as I started ingesting routes, the utilization started climbing. It got under 5% remaining before I decided to roll back, and the utilization has come back down to 90%.

So, what's the deal? If the 60-90% jump wasn't the memory being pre-allocated, what was it? I witnessed the exact same behavior across 4 units - so it has to be my configuration or a 'feature', rather than a bug.

I have soft-reconfiguration enabled on all peers - including iBGP. I've heard it can cause memory issues, but with the routing table sizes I've dealt with to date I've never encountered them - prior to this full table ingestion I only had 120k routes in the FIB. Courtesy of this issue I'm looking to turn soft reconfig off across the board - but it still doesn't really explain the behavior. Is the memory pre-allocated, but I can still exceed it? And if so, to what end? Is there any way to determine where it's consumed?

The show memory command output is just... unclear. What's the difference between SDRAM and Memory? How is the total memory divided between the MP and LP processes, and can I control it?

The only troubleshooting commands I've found are: show memory histogram pool [0-3] (0-OS, 1-Shared, 2-MP, 3-LP) - I only get output for 2 and 3, and only really useful output for 2. The output is a snapshot which spits out a list of tasks and their allocation during the last time it was alerted. The output indicates some clear memory consumers, the "bgp_io" task consuming 60% of the memory and the "bgp" task consuming 20%. But I can't find anything in the documentation about either task or what they actually do.
And: show ip bgp debug memory - for which the output means very little to me.

If it's of any relevance, I'm running NetIron 6.3.0aT183 and have the RT_SCALE license - so according to documentation it can support 1.5m routes in the FIB, though I've had some advice that I'm unlikely to actually realize that because of the resources being shared with vrf/ipv6/etc.

Any advice or direction would be greatly appreciated.



Wednesday, July 1, 2020

Study Material for Network + certification

Hi all,

I was hoping to get some info on low-cost or free study materials for the Network+ certification.



Making a printer accessible across different VLANs

I would like to create several VLANs to compartmentalize the network and hide some important PCs from the rest. The problem is that those PCs still need to be able to print and get internet.

My managed switch (DGS‑1210 Series) seems to support "asymmetric VLANs" which would supply internet, but it does not seem to have any L3 routing abilities(?) and it also isn't the default gateway anyhow.

So, I guess I would have to put the PCs in question behind a router with NAT/MASQ, its own address space and with static routes in that router and the "parent" router tying things together, plus firewall rules that only admit bidirectional access to the IP range of the (static) printer IPs in the parent net?



Different Public IP per TCP/UDP Session. From one of Venezuela's ISPs.

Hey guys,

It's the first time I've seen this. A friend of mine who is living in Venezuela sent me the video in the link below. His ISP is giving him a private IP address, but its Carrier Grade NAT solution is assigning him a different public IP address per TCP/UDP session, a Dynamic PAT but for a Carrier Grade NAT solution, a first for me.

https://streamable.com/tou1vu

Has anybody seen this in your countries? I live in Canada and I work for a Service Provider, that's not a practice used here.

We are also assuming they will not configure a timeout for the session as it would be very disruptive since each session will have a new public IP, but to be honest I don't think that would surprise me at this point.

Any thoughts?



Netbox Prebuilt VM

Hi guys, does anyone know if there has been a downloadable pre built vm for Netbox? Thanks



Best Network Monitoring Tool for FortiSDWAN

Hi

We are trying to find the best monitoring tool for our FortiSDWAN deployment, however the options seem limited/nonexistent.

Anyone have any ideas?



If there are two modems with DHCP on a network why is it seemingly random which modem a device chooses when connecting wirelessly?

Simple question I know, is it just whichever modem provides an address to the device first? Like logging into the good modems internal router points to the other modem as gateway with no internet, but connecting to one of the wired routers from the good modem still points to the good modem?



Xiaomi mobiles

Has anyone else faced the hotspot issue when you connect a computer to a Mi mobile's hotspot and share the internet from the mobile to a computer or laptop?

It doesn't show the network. (https://chat.whatsapp.com)



Best labeler/wrap-around label combo

Needing a solid recommendation for a labeler/wrap-around label combo for labeling cables in our datacenter.

What I'd like best is something like https://www.labtag.com/shop/product/wrap-around-wire-cable-labels-1-x-1-eba-29not/

If your post could include a picture of how your cables look with your choice of labeling would also be super helpful in narrowing down a decision.

Thanks in advance guys!



Cisco FN - 70489 - Expired Cert

Hi, I've seen multiple discussions on Cisco FN - 70489 but none that detail the solution after updating.

Link for background: https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70489.html

I have updated my IOS-XE to a non affected version (16.9.5) but it does say "After you upgrade the software, you must regenerate the self-signed certificate"

There are commands provided in the workaround sections, but nothing on how to regenerate this specific "Router Self-Signed Certificate."

The Certificate is a "General Purpose" self-signed in nvmram:IOS-Self-Sig#1.cer.

I've only ever generated key pairs and I'm having a hard time Googling this one. Can anyone point me in the right direction? Appreciate the help.



LACP on Mellanox IS5030 40Gbps Infiniband Switch

So I have a Mellanox IS5030 36 Port 40Gbps InfiniBand switch arriving in a few days and I am curious as to whether or not I can configure LACP between the switch and my storage server. I plan to have a Mellanox Connect X-3 Dual Port 40Gbps NIC in the server and I want to be able to use the full 80Gbps of bandwidth. I can't seem to find anything about configuring LACP on this switch, so is it just not in the documentation, or does InfiniBand not need to have LACP configured manually if the links are both going to the same place?

Thanks for any help you can provide!

Edit:

I'm new to infiniband so if I have anything wrong here then please please correct me!



Question about large APC UPS units?

When these are powered down after removing, do they retain previously entered Network information?

I’m trying to get rid of one of these that’s sitting around and my boss wants it all wiped, but since it’s thousands of watts, it’s not like I can plug it into an outlet and manually clear it out.



Using PFSense in a SMB environment

Hello,

I'm currently trying to find ways to save the company I work for some money so they can funnel the money elsewhere. It's a non-profit so every dollar saved helps.

One of the ways I want to achieve this is by switching from SonicWall to PFSense. We have had SonicWall for years (YEARS. This is a surprisingly old company) because the MSP that works with us/me recommended them since the beginning. I talked with the guy and he said he recommended SonicWall because of reliability and because that's what they know best. However, times have changed and open source seems to be on par with proprietary hardware/software.

Some info about the network:

  • Really basic. We have about ~60-ish computers. Some are shared, some aren't.
  • There's only ~40 people that actually use a computer regularly.
  • We have a "public" wifi network. "public" because it's only for employees. The APs are setup to not allow access to LAN resources.
  • 13 servers. 3 are exposed to the web. One is a web server, and the other 2 are app servers that are going to be killed soon.
  • No VLANS
  • A metric ton of IP cameras
  • In the future, we might be switching to a different PBX that would be on it's own dedicated network.

I want to make a case for switching to PFSense. By switching, I'm estimating over a 50% reduction in firewall/services cost. I'd get Netgate hardware along with one of the support plans they provide. But I know if I propose this to my boss and the higher ups, they will want evidence and whatnot. Some of their concerns will be:

  1. What's the reliability? We had SonicWall for years and it's never failed us
  2. What's the security like? We (seemingly) never had a breach past spam email.
  3. What's the true cost?

My answers to those are as follows:

  1. Reliability is just as good, as it is with any hardware today. I personally have a PFSense-based box at home that's rocking 200+ days of uptime.
  2. Security is the same. I can get the Snort pro rules for $400 a year to provide the same coverage and security as the SonicWall is (possibly better?).
  3. Cost would be $800 a year (Snort + Support) + a one-time purchase of the hardware.

So my real questions are if I'm right about questions 1 and 2 and if you have any insights that will help (or deter) me.

Is reliability just as good? From my standpoint, this firewall is mostly a "set and forget" type of deal. The only reason I actually go into the current firewall is to look at the nice interface and experiment with a pet project. I've never run into a problem with anything where downtime was caused by a bug or weird behavior. All downtime I experienced was related to power issues or my own dumb fault.

Is Snort a good IPS with the pro rule set? Is it comparable with SonicWall's IPS? I want to say yes but I can't find any real solid proof, only claims. NSS Labs doesn't really report on anything with Snort specifically. But I know Cisco owns Snort, so I'm not sure if the Cisco points on the reports = Snort or not.

Thanks in advance.



I'm testing Packet Loss. Does this look alright?

I'm not an expert on this topic. I'm wondering if these numbers look alright. I've been facing lagginess and unstable ping when playing games and I'm trying to identify the problem.

https://imgur.com/a/OZyI214



Practical experience with Huawei S switches - e.g. S5270

Hi!

I am looking for some new access switches and came across Huawei S5720 switches. Their "LI or SI version" seems to be a good L2 option.

I know that many reddit users are located in the US, where Huawei has a very bad reputation, but did you ever use Huawei switches, and can you give me some thoughts about them?

Alternative would be e.g. Aruba CX 6200F.

What I need is:

- 48x GbaseT-Ports

- 2x 10 GbE-Uplink

- Stacking or front-port-stacking with two additional 10 GbE-ports

- PoE-option

- Second power supply option (2 PS or 1PS+RPS)

- STABILITY!!

- Layer-2 featureset

- Full-Feature CLI - "cisco-style"

Thank you for your input!

ITStril



Can't open port 9877 no matter what

I'm setting up a TeamSpeak server but I can't seem to open port 9877, I don't know why. I opened the other 2 ports needed on the first try. Can it be something Windows related or does that port require something different?

Edit: 9987* oopsie



Has anyone ever installed a comms rack on top of another comms rack?

I've come into a tricky situation where we have a comms cabinet (and I mean cabinet, 1.2m x 1.2m) that has a 24RU rack which is fully utilized. Problem is I need to add 4-6 RU of extra gear.

If I managed all the gear in the rack I wouldn't be too bothered, just get the outage and "do the needful", however this is a Government Critical site with shared equipment throughout. The only feasible option I can think of is to install another 24RU rack on top.

Getting cabling between the racks won't be an issue, however I've never done this and never seen this done before and so wanted to see what the collective thought of my approach?



CIDR and NAT doubts

I'm studying networks. Can you please clarify some doubts for me?

  1. Is CIDR used nowadays or do we only use NAT? If yes, on what occasions?
  2. How does CIDR routing work? I mean, how does the router know which terminal it has to make the data arrive at?
  3. Same question as 2 but for NAT.
  4. I understood this, but is it true? -> using CIDR, 100.30.1.10/16 is different than 100.30.1.10/24, so they identify 2 different networks, the first with 2^16 possible hosts and the second with 2^8 hosts. Or maybe it's that they are somehow the same big network and the second identifies a subnetwork inside the supernetwork?
  5. How will IPv6 handle subnets?
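As an added example (not part of the post above), the prefix arithmetic behind items 2 and 4, done with Python's standard ipaddress module: what network each of the two prefixes actually names, how many addresses it covers, whether the /24 sits inside the /16, and the longest-prefix-match lookup a router performs to pick a next hop. The routing table and next-hop labels are constructed for illustration.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed routing table (prefix -> next hop label); not from the post.
ROUTES = {
    "0.0.0.0/0": "default via ISP",
    "100.30.0.0/16": "core router",
    "100.30.1.0/24": "branch LAN",
}


def network_facts(cidr: str) -> dict:
    """Normalise a host/prefix string to the network it belongs to.

    strict=False lets a host address such as 100.30.1.10/16 be given; the
    host bits are masked off to yield the network address.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "addresses": net.num_addresses,            # 2 ** (32 - prefixlen)
        "usable_hosts": max(net.num_addresses - 2, 0),  # minus network + broadcast
    }


def is_subnet(child: str, parent: str) -> bool:
    """True when every address of `child` lies inside `parent`."""
    c = ipaddress.ip_network(child, strict=False)
    p = ipaddress.ip_network(parent, strict=False)
    return c.subnet_of(p)


def longest_prefix_match(dst: str, routes=ROUTES) -> Optional[Tuple[str, str]]:
    """Pick the most specific route covering `dst`, as a router's FIB does.

    Several prefixes may contain the destination; the one with the longest
    prefix length (most specific) wins, and the default route catches the rest.
    """
    addr = ipaddress.ip_address(dst)
    best_net = None
    best_hop = None
    for prefix, nexthop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, nexthop
    return (str(best_net), best_hop) if best_net is not None else None


if __name__ == "__main__":
    for cidr in ("100.30.1.10/16", "100.30.1.10/24"):
        print(cidr, "->", network_facts(cidr))
    print("100.30.1.0/24 inside 100.30.0.0/16:", is_subnet("100.30.1.10/24", "100.30.1.10/16"))
    for dst in ("100.30.1.10", "100.30.7.1", "8.8.8.8"):
        print(dst, "->", longest_prefix_match(dst))
```

Running it shows the /24 is a subnetwork contained in the /16, and that a packet to 100.30.1.10 follows the /24 entry even though the /16 and the default route also match it.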


Fragmented packets due to Nxlog messages

Recently I noticed there are a lot of fragmented packets on our core at regular intervals of time. After further investigation it appeared that nxlog on Windows and Windows Server hosts is sending syslog messages that are too big to our SIEM, and the hosts themselves are fragmenting the packets before they are sent out. Has anyone dealt with a similar problem? Not sure if sysadmin or networking will be more suitable for this question. Nxlog is using UDP; probably one way of solving it is switching to TCP. Do you have any other ideas or experiences?
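As an added example (not from the post or from nxlog), a small check for the fragmentation described above: how many IPv4 fragments a host emits for one UDP syslog datagram of a given size, and which messages in a batch exceed the largest UDP payload that still fits a 1500-byte frame. It assumes a 1500-byte path MTU and a 20-byte IPv4 header (no options); the sample syslog lines are constructed.

```python
import math
from typing import List, Tuple

MTU = 1500        # assumed path MTU in bytes (standard Ethernet)
IPV4_HDR = 20     # IPv4 header without options
UDP_HDR = 8

# Largest UDP payload that leaves the host as a single, unfragmented packet.
MAX_UNFRAGMENTED_UDP_PAYLOAD = MTU - IPV4_HDR - UDP_HDR   # 1472


def fragment_count(udp_payload_len: int, mtu: int = MTU) -> int:
    """Number of IPv4 fragments the sending host emits for one UDP datagram.

    The whole UDP datagram (8-byte header + payload) is the IP payload. Each
    fragment carries at most (mtu - IPV4_HDR) bytes of it, rounded down to a
    multiple of 8 because fragment offsets are expressed in 8-byte units.
    """
    ip_payload = UDP_HDR + udp_payload_len
    per_fragment = (mtu - IPV4_HDR) // 8 * 8
    return max(1, math.ceil(ip_payload / per_fragment))


# Constructed sample of syslog-style lines of different lengths (not real nxlog output).
SAMPLE_MESSAGES = [
    "<13>Jul  1 10:00:00 host01 nxlog: short event",
    "<13>Jul  1 10:00:01 host01 nxlog: " + "A" * 2000,   # far over the limit
    "<13>Jul  1 10:00:02 host01 nxlog: " + "B" * 1440,   # just over the limit
]


def oversized(messages: List[str], mtu: int = MTU) -> List[Tuple[int, int, int]]:
    """Return (index, byte_length, fragments) for each message that would fragment.

    Lengths are measured on the encoded bytes, not the character count, since
    multi-byte UTF-8 characters enlarge the datagram.
    """
    limit = mtu - IPV4_HDR - UDP_HDR
    hits = []
    for i, msg in enumerate(messages):
        n = len(msg.encode("utf-8"))
        if n > limit:
            hits.append((i, n, fragment_count(n, mtu)))
    return hits


if __name__ == "__main__":
    print("max single-packet UDP payload:", MAX_UNFRAGMENTED_UDP_PAYLOAD)
    for idx, size, frags in oversized(SAMPLE_MESSAGES):
        print(f"message {idx}: {size} bytes -> {frags} fragments")
```

Any message the check flags will arrive as fragments; shortening the events, or moving the transport to TCP (which segments at the sender instead of relying on IP fragmentation), makes the flagged lines disappear.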



CCNP OR MCSE?

Hi. I just got my CCNA cert. Looking for a first role in IT. Goal is to be a network engineer. Which option is best, CCNP or MCSE? Thanks



Question: What are the most common machine authentication methods?

Hey guys,

I'm kinda struggling with the idea of machine authentication in M2M communication in public networking (like a REST API). What are the most common ways to authenticate machines?

I am aware that 'machines' is a heterogeneous term, since it can refer to services, sensors, probably even gateways/hubs, virtual machines and so on, which may all use different communication protocols.

I have a lot of ideas in my head, like a hard-coded uid/password combination, or certificates in some sort of PKI. What's the best practice here, and how are these credentials distributed/stored on devices?

I'm having a hard time categorizing these auth methods in a general way like user authentication.

Some tasty literature would be greatly appreciated if you have recommendations off the top of your head.

Cheers



VPN Setup - please can anyone recommend reading material?

Hi all, I've been browsing this sub for a while and picked up a few things network-wise, and I was hoping for a bit of help.

I'm one of the tech guys for an AV company, which only really skirts around the networking side to get things linked up for control and/or video and audio feeds.

One common requirement for many of our clients now is to have VPNs linking every installation possible, for both my team and the clients, for troubleshooting or configuration.

We use Draytek's kit as we have a good relationship with our distributor, and I have followed much of the material they pump out for each router/firewall they have - but I seem to be missing a crucial part of the information needed that I can't wrap my head around...

I have gotten their VPN to work on a closed-loop system (having the router on my home network and using Draytek's VPN service to link down to it), but I have no idea how I'm supposed to register the details needed to have one external client connect to one of these routers.

I've read and watched what I can online (CompTIA training, some of Google's network training, official and unofficial Draytek guides and walkthroughs) but nothing really stands out as what I have to get set up for a remote user to log in - I looked into setting up a DNS server in our office as it may do something similar, but we don't really have a central machine that is guaranteed to have good uptime to host it.

Can anyone point me in the right direction?



Tuesday, June 30, 2020

DHCP issue: Starting network (udhcpc): FAIL

Why do I have this DHCP issue: Starting network (udhcpc): FAIL?

More context can be found at https://github.com/OP-TEE/optee_os/issues/3949#issuecomment-651476059



PtMP question- what would you do?

I was looking to set up a PtMP network with Ubiquiti products and had a few questions I was hoping someone could help with. The network is to be able to view cameras at multiple sites. There are 5 sites altogether: one which would be the base station, and 4 other locations. The 4 locations are 0.1km, 0.6km, 3km and 3.6km away, in a suburban environment. The 0.1 and 0.6km sites have direct line of sight; the 3 and 3.6km sites might have some taller buildings between them and the base station.

Questions: 1) What Ubiquiti (or other brand, I'm a networking newbie) products would you use for the base station and the 4 other sites? 2) Right now I have internet access at the base station site. If in the future that access becomes unavailable and I can get internet access at another one of the sites, can I reconfigure the setup so as to use the internet at one of the other 4 sites for all of the sites?

Thanks in advance for all your help.



Can you manually limit the packets received to your router? Need help with possible packet burst issues.

For context, I'm having an issue only when playing COD Modern Warfare online. The best theory the community has come up with is that, with the way Activision runs their servers, they send tons of packets at once, which for lower-bandwidth users causes stutters/delays in game, making it unplayable. I don't know the full explanation, but that's what I take from it.

I have a TP-Link Archer A7 with 100 down / 10 up, and 0% packet loss on my end, so it has to be game/server related because no other games give me issues. Back to my question: can I limit the incoming packets to my router? I've tried a dozen different things, and nothing worked. Theoretically, to me it makes sense, the thought that limiting my incoming bandwidth would stop my setup from essentially being overwhelmed and causing stutters. I don't know what I'm talking about, so I'm looking for all input. Thanks.



What are your thoughts on the current state of Viptela's network security features? Do you believe they are good enough to allow direct internet access at the branch?

I'm a sales engineer for a large telco & MSP. We do a lot of managed SD-WAN deployments for our customers, however, the "standards" we use are quite antiquated and we are extremely slow to enable new features, platforms, and code. As of right now, I've been led to believe that the security features on the Viptela/Cisco SD-WAN platform are shit, and that they alone are not sufficient to protect internet-bound traffic at the branch. However, I've been doing some digging, and it would appear that the Cisco security features are not quite as limited as I thought...

With this in mind, I'm trying to figure out just why we're shitting on Cisco/Viptela as a branch security device. Is it because it's actually a bad platform, or is it just because we won't/can't/aren't-allowed-to support it? I'm curious to know what your thoughts are.



Would it be Crazy to Start my Mesh on the Top Floor and go Down?

My internet access point is in my basement (unfurnished) but the house is rather tall. I just bought Nest Wifi and am wondering if perhaps my best bet is to run CAT6a from my modem in the basement all the way up to the top floor, set up the router there and cascade the access points down. I don't connect to wifi in the basement, so it seems like a waste to place the router there.

What I would like to do is run CAT6 from the modem to the router on floor 3 and have the two APs on the subsequent floors. Just wasn't sure if the antennae are or aren't meant to connect downwards. I assume it should work?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Propagating session information between two firewalls to control access

Suppose I have a simple network like this:

Supplicant - FW1 - Server

Upon authenticating to the network, FW1 uses some magic to apply an ACL to the supplicant's IP, and access to Server is permitted and everything's good in the neighborhood.

Now suppose I need to throw in another firewall for whatever reason, so now we have:

Supplicant - FW1 - FW2 - Server

Provided everyone's talking Cisco and there's ISE or whatever, the authenticator can inject SGT into the supp's frame and I think everything would Just Work.

However, suppose not everyone's talking Cisco. Is there some way to inject SGT tags into a frame (or something equivalent) with RADIUS? Some other vendor-agnostic way to pass session information around for this purpose?

(ORRRRR is this unnecessary and should we just control access using FW1, which is closest to the source of the traffic?)



Looking for a terminal session manager that also shows icmp ping device status

I'm trying to find software that does a few things in one package. My goal is to have one place I can visually monitor status of several types of devices, and quickly initiate ssh sessions to multiple devices at a time.

On top of all the standard things most terminal software does, I'm looking for...

  • batch import of CSV device/session list (preferably into folders)
  • tabbed or windowed terminal sessions
  • visual overview of device status in the connections tree (icmp ping status)
  • terminal keyword highlighting
  • command storage and execution with hotkeys and/or customizable buttons
  • scripting support (a bonus but not necessary)

So far I've briefly tried

  • Remote Desktop Manager (really nice interface, having issues with batch import)
  • RoyalTS
  • mRemoteNG (only shows device status in details, not in overview/tree)
  • SecureCRT (this one seems to be the most powerful, but still missing the status as far as I can tell)

Anyone ever looked for something similar?

Am I asking too much?

Am I approaching this from the wrong angle?

Any help is greatly appreciated.



Needing some advice on a network redesign with budget limitations

Hello,

I have a school building that is very large and long, as it has had many additions over the years. Before my time here it was set up as a daisy chain of uplinks between each IDF, which ends up being around 8 hops by the time you get to the other end of the building. This wasn't a problem until devices grew on the network; then it became very slow and other services had problems. Even with VLANs and QoS profiles set, VoIP calls drop and intranet services are slow.

From the MDF to each IDF is old multimode 1Ge fiber that is connected to all Extreme Networks switches, mainly x440's or x460's.

I would like to install new fiber runs from a new MDF location to each IDF, instead of the current daisy chain to eliminate hops. That way there is just one hop to the MDF. Due to budget cuts as a result of the pandemic, we will have to do this as cheap as possible and maybe a phased approach.

I am thinking that we could buy pre-terminated fiber and run that to the locations ourselves and cut out hiring a company to do the work. My problem is I don't know what type of fiber to install. We would like to go to 10Ge, but if I am installing new fiber I will need it to work with my existing 1Ge switches and their SFP ports. If I install single mode it won't work with my existing switches as they can only do multimode. Unless I just get the single mode cable installed and wait for the money to become available for new switches to run it.

If money becomes available later in the year, I would like to buy new switching at each location to support 10Ge uplinks. Extreme switches run about 3k and you have to pay another $500 just to enable 10Ge on SFP+ ports. I am happy with Extreme's products but we are also in a budget crunch. Does anyone have recommendations on switching that may lower the cost but also get us to 10Ge?

Any advice would be appreciated, thank you!



Advertise iBGP routes over BGP with Palo Alto

I have two sites that are similar: a Palo Alto FW behind a Cisco router. These two sites have a radio link between the two firewalls. The virtual routers in the firewalls have an eBGP connection to their respective routers. The firewalls also have iBGP peering over the radio link. The firewalls have learned the iBGP routes for all of the virtual routers on each FW. The problem is, we want the traffic to go from one site through the radio to the other site's router. The FW is not advertising the iBGP route into eBGP to the router. How do I get the Palo Alto FW to advertise the iBGP route?



SCCM LINK FAILED ISSUE - NETWORK ISSUE?

Hi,

Encountered this SCCM link failed issue and would like to verify what could be the root cause of this issue. We have 1 parent and 2 child servers and this issue is only encountered between parent1 and child2, while the connection from parent to child1 is stable. Each server (parent, child) is located in a different site and uses a different transport medium (MPLS, tunnel).

Diagram: https://ibb.co/4ZQY9pW

Now the issue here is we don't manage the servers and I'm not that familiar with troubleshooting this type of application/setup.

During the issue we were able to validate that ping is working fine, as are other protocols like RDP from parent1 to child2, while we still see this link failed from the SCCM status. Checked also that there is no network issue and this is the only issue reported between the sites. No link error, congestion or routing issue between parent1 and child2. Also no filtering is being applied that may affect the communication, as this issue only happens sometimes.

With that, I would like to ask what could be the issue here? Can anyone here shed some light on how this SCCM synchronization works?

  1. What protocol is being used to check the link status between SCCM parent and child2?

  2. Is it purely SMB being used between SCCM parent and child2?

  3. What else needs to be checked on the network and the physical server?

Please share your input and ideas on how to troubleshoot this.

Thank you



Cisco VPN client not working

Hello guys;

So I am using the Cisco VPN client for about 7 months and I had no problems with it. Yesterday I opened the app but it won't open. I have a Windows 10 machine and I didn't do any new updates on it. Anyone have the same problem or a solution for it, knowing that I found some solutions on the web but they didn't work for me?

Thank you.



Can you re-use Cisco stacking modules?

Apologies for what may be a silly question, but we have a stack of Cisco 2960x switches that have switched their last. I'm placing an order for exact model replacements, but I'm wondering if I can remove the current stacking modules from the existing devices and slot them into the new ones (the expansion modules themselves are in good shape).

Common sense tells me this is possible, but I also wouldn't be surprised if those modules are somehow tied to the device they're first installed in. I don't think we're quite to a point where you have to pay Cisco per switched packet, but I wanted to see if anyone else has done this and how it went. Thank you in advance!



Inter-VLAN routing across IPSec VPN

Hello everyone,

So I have the following scenario in office 1:

1 VLAN for employees

1 VLAN for servers

Inter-VLAN routing is allowed between those two VLANs so employees can authenticate using AD in the DC and use the DC's DNS server.

Now in office 2 I have an employee VLAN, and I'd like the employees there to be able to reach the servers VLAN in office 1 so they use the AD and DNS server in office 1 as if they were there.

How could I do that? I thought of making an IPSec VPN from office 2 to office 1, setting the servers VLAN subnet as the local subnet in the tunnel configuration, and then a tunnel from office 1 to office 2, setting the local subnet as the one for employees in the configuration. The employees VLAN in office 2 should be able to speak with the servers VLAN in office 1, and the servers VLAN in office 1 should be able to speak to the employees VLAN in office 2. Is that correct?

Thank you



Use Duplex fiber cable in Simplex installation

I'm discussing the following with a colleague and we haven't been able to find our answer through Google.

If we have an installation that has two BiDi single-mode SFP modules, one at each end (different wavelengths), but we only have a duplex single-mode fiber cable (2 strands of fiber together) at our disposal, is it possible to use just one of these fibers (temporarily) and leave the other strand unused, or is a simplex single-mode fiber cable required?

To simplify the question: is a duplex single-mode fiber cable simply two simplex single-mode fiber cables stuck together?



How to best extend WiFi over 100m?

Hi all,

just asking a question on behalf of my dad.

They currently have WiFi installed in a car mechanic's garage, but need it extended about 100 metres (to be on the safe side) to reach a portacabin where they will be setting up a mini office for sales.

What is the best way to extend the WiFi connection over this distance? There are no buildings in the way between the current car garage and the cabin they are having built. It does not need to be Ethernet as long as the WiFi connection is strong.

Thank you.

Any questions, then please ask.



Windows DHCP/DNS + Multiple VLANs

Hello,

I wanted to separate our VoIP traffic in our office but I'm having a hard time understanding the whole concept.

I run a Windows 2016 DHCP server with a single scope ATM (10.10.1.0/24). I have a Cisco RV082 router set as DHCP relay to the Windows DHCP server.

I have a UniFi 16-port switch as my main switch. Other switches, including the VoIP PBX, are connected from here.

I want to create a separate VLAN for the VoIP. Been reading on the net and found some articles saying I should create a new scope on my Windows DHCP server. So I created a new scope, 10.10.4.0/24.

And I'm lost... what should I do next? Do I have to do something on the router?

Thanks.



Budget router question for coffee shop

Hello guys, my friend is working at a webshop which has a small coffee shop too. They asked me to help them out. They want 2 WiFis - one for the webshop and one for the coffee shop for guests. I told them they should keep the modem in the webshop part and that they should buy a router to connect to the modem and have a guest WiFi for the coffee shop. My question would be: what budget router do you guys think would be the best fit (the coffee shop's capacity is around 10-20 people)? They didn't say how much they want to spend on it; I guess they want the least expensive thing.



Cisco Asr queue limit TR linecard

Having a Cisco ASR 9k with a TR linecard and 2 physical links in a bundle interface. Now creating subinterfaces on that BE interface. How many service-policies can be applied on the subinterfaces? Cisco docs say 8 queues per port on TR cards. Already have 10 subinterfaces with 'service-policy input / service-policy output'. Maybe 16 because of the 2 physical ports in the BE?



Management VPN alternatives.

Hi all,

I want to propose a new, updated solution to our current management VPN infrastructure. We currently have the following:

  • Management VPN is only accessible from inside the organization.
  • Corporate VPN is (for now) the same brand as management VPN, but you can only connect to one VPN at a time.
  • If you are outside the org., a 3rd party device (AP) is needed to connect to the enterprise network and from there you can VPN to mgmt.

I was thinking to propose either a VDI or HTML5 alternative to replace the IPsec client. The problem I am trying to solve is to eliminate the need for a hardware device to connect to our management infrastructure. By connecting to the corporate VPN first, you eliminate the possibility of connecting to another VPN (unless you use VMs, which is a no-no).

I have worked with some alternatives in the past, but nothing too serious (i.e. RDP over SSH tunneling). Has anyone had experience using VDI/RDP/HTML5 VPNs for management before?



DNS reverse zone management after ISP change

Hi all,

I tried to google to answer my question, but since I am not sure if my theory is correct, I would appreciate to get a second opinion from the seasoned DNS masters of Reddit.

We are changing our ISP soon and the new ISP is only able to manage the reverse zone. The contract with our current ISP (who also managed our DNS) is valid until September, so our plan is to leave the forward zones with the current ISP until after the major change. We will get new public IPs assigned and the new ISP will take care of the PTR records. We will inform our current ISP of the new IPs so they can update the A records.

Now, I am not sure if I have to inform the current ISP that they have to remove (if that is the correct term) the reverse zones from their management since the new ISP will take this over, or if we can just let them know which changes they have to implement for the forward zone and that's it.

I checked our domains in Google dig and couldn't find any PTR records there, so I guess we don't have to specifically tell them to stop managing the reverse zone? I kinda inherited all the infrastructure from a guy who was recently retired and unfortunately neither he nor anyone else could tell me what the current ISP was exactly managing for us in terms of DNS.

What is the best path forward here, so that the change will complete smoothly?

Thanks a lot!



Pluralsight or Linuxacademy for devops networking

Hi,

What do you advise me to take, Pluralsight or Linux Academy?

I'm interested in improving my skills in bash, python, ansible and core Linux.

I found some interesting courses on Pluralsight like Nick Russo's DevOps in Networking, Linux system programming, some Python and Ansible courses.

On Linux Academy, I found more "hands on" exercises and less theory, like "Learn ansible by doing", "python scripting for administrators", "linux kernel".

CBT Nuggets I don't know...



Monday, June 29, 2020

[Oxidized] Specific credentials on switches when the source is LibreNMS

Hello !

I have many ProCurve switches but some have a different password.
With the router.db file, I know how to specify the password of a switch when it differs from the default password, but with LibreNMS as source I have no clue.

Where can I tell Oxidized / LibreNMS to use a different password for one switch?

Thank you !
Have a good day :)



Should i do Palo Alto Networks Certified Network Security Administrator or Palo Alto Networks Certified Network Security Engineer cert?

I am an L2 network engineer with 7+ yrs exp. We have recently installed Palo Alto firewalls in our project, and our scope is limited to allowing firewall rules and troubleshooting a few firewall issues, whereas VPN tunnel config, etc. is taken care of by the L3 team. Another of my objectives is to be able to answer questions related to site-to-site VPN and remote-access VPN creation in interviews.

Given this, should I do PCNSA or PCNSE? Can someone tell me the important additional topics covered in PCNSE?



Unifi USG Pro 4 - L2TP Client VPN Issue

Hello!

I am at the end of my rope with this one. I know I'm missing something silly. Here's what's going on.

I have a UniFi USG Pro 4; it has a public address (no double NAT) and is running a client VPN server. Whenever I try to connect from macOS or Windows I get the same error messages when looking at swanctl --log:

03[ENC] invalid ID_V1 payload length, decryption failed?
03[ENC] could not decrypt payloads
03[IKE] message parsing failed

I've verified bi-directional communication between the client and USG, and checked the shared secret on both sides to make sure they match. This problem occurs regardless of whether the built-in USG RADIUS server is being used or a Windows NPS server we have configured. In fact, it fails before it even gets to user authentication. I've checked client settings and they appear to match Ubiquiti's documentation. Here is Ubiquiti's documentation on the setup.

Everything I have found on that error message listed above has said it's either a shared secret mismatch or firmware/software issue. My USG was running the latest, 4.51 and I rolled it back to 4.50 for kicks, same result.

I could use some creative ideas :) Thanks in advance

C



Networking and Mentorship Opportunities

Check out this really cool program with 80+ mentors willing to help with resume reviews, interview tips, and networking. There are many full time employees at companies ranging from Microsoft to Saturday Night Live, including a VP at Macy's , a Senior Analyst at PayPal, AI & Cloud Strategist at Microsoft, etc. Link to website for registration and more info: https://columbiavirtualcampus.com/cvc-blm/. It will be ongoing for another 2 weeks so I highly recommend registering ASAP! Open to everyone :)



Using same Loopback as Router-ID for BGP and OSPF

Hi,

I have a configuration where I want to use iBGP and OSPF on the same router (Juniper MX series) using the same loopback as the router-id.

Is this possible? Would there be any conflicts which would cause any issues?

Any advice will be greatly appreciated.



Sharing PPPoE

Can two different routers in two different locations use the same PPPoE credentials? It makes the connection unstable, disconnecting and connecting constantly. I have always wondered this. Thank you



MIDI data across networks?

This is a bit of an inter-disciplinary question, and it is networking with places beyond home:

I have a Mac in the US, and another Mac in another country, used by a relative. Both are connected to the internet. I want to be able to see the Mac in the other country as if it were on my local network. Is this possible?

I want to be able to send MIDI messages from one Mac to the other for use by Logic Pro (a digital audio workstation—probably not particularly relevant, but I figured it's better to be clear).

Using Apple's Audio MIDI Setup, this is already possible—and very nicely streamlined!—but it only works for computers on the same network. Latency will, naturally, be higher if messages are sent across networks, but this isn't a concern for my application.

I've tried setting up a VLAN, which—from my understanding—would be ideal, but it looks like my Mac does not have any network devices that allow for VLAN: the dropdown menu for "Interface" is empty. Others across the internet seem to have run into this on their Macs, too... Still, in theory from what I've learned about VLANs, one would work.

Any help or general ideas would be great. Thanks so much!



MTA Cert holding any weight?

Hello everyone, I had a question about the MTA networking fundamentals and the weight it holds. Does anyone have any experience with it? I get either a free MTA cert (networking, database, or software development) or A+. I am looking to switch careers in the next few weeks and don’t know which route to go? I’ve been studying for about 2 months. It seems the A+ focuses a lot on what isn’t being used right now and therefore seems kind of pointless but I want the insight of people in the industry. Thank you in advance.



STP Help

Hello All!

I am primarily a Server/OS admin recently thrown into the fire with a networking project. We recently purchased a few Cisco Catalyst switches and I am configuring trunking between the new switches and some older Avaya ERS 3500 switches. I have the new switches (let's call them "Switch A" and "Switch B") configured in a stack and am trying to redundantly connect them to an Avaya switch "Switch C".

So I configured 2 port channels, one on Switch A and one on Switch B. Both port channels are in trunk mode and meant to be connected to Switch C. On Switch C I configured two multi-link trunks connected respectively to the port channels.

I connected the first port-channel with two cables, everything looks great. I then connect the 3rd cable for the second port-channel and it gets blocked by STP. Good, understandable as the switches are in a stack. And then here comes the problem. I plug in the 4th cable and the whole network goes down. I can't even get to Switch C when I am directly connected to it. I unplug the 4th cable and everything goes back to normal.

I obviously suspect a loop, but I am confused as to why. It seems I am missing something obvious. Any insight you can throw my way would be appreciated. Sorry for the noob question!



Modem Question (DOCSIS 4.0 / 3.1 / 3.0)

Does having a modem that far surpasses my chosen service plan (in terms of throughput and spec) have any benefits? Or is it simply overkill, monetarily wasteful and/or "future proofing" at that point? ;)

For example, if I have a 400Mbps downstream connection from my provider, does having a 3.6Gbps modem on the latest and greatest version of the DOCSIS spec make any difference to me?

Thanks in advance!



AnyConnect receive IP from Sub Interface - Cisco ASA

I've created a new policy and tunnel group for a specific user and when they connect I want them to join a lab network we've created with a sub-interface on the ASA (receiving an IP on that same network).

Is this possible? If so, how do I go about getting a local pool or DHCP working with the sub interface?



F5 Big-IP SSL Handshake Failure

We have a publicly facing VIP on our F5 that does SSL offloading to a group of servers listening on port 80. The servers are accepting traffic that is offloaded from 443 to 80 and you can browse to the web page without issue, but when you try to export some data from the site it does not work. If we bypass the F5 VIP and go directly to the server on port 80 we can export the data without issue.

The config for the offload is extremely basic, with the VIP listening on 443, the server pool listening on 80, the certificate verified as working, persistence set to src_addr, and no iRules.

The logs show "SSL Handshake failed for TCP 1.1.1.1%1:port -> 2.2.2.2%1:443" even though everything on the web page works except the export button.

We are at a loss and have rebuilt the pool/VIP using F5 documentation guidelines for this basic setup.



Small Business WiFi

I'm in the process of opening an office for a tech startup that's about 4,000 sqft with the ability to scale up to about 10,000 sq ft over the next 12-18 months. I'm curious what a good option is for WiFi. I'm technical and plan on doing the work myself, but have long been removed from the actual vendors that fit well for use cases like this.

My biggest ask (this may be silly) is that it support GSuite authentication for our non-guest network.

Thank you :) And I hope I didn't break any rules by posting this!



Should i do CCNP security or Palo Alto Networks Certified Network Security Engineer (PCNSE)?

I use both Palo Alto firewall and ASA in my project. I was told Palo Alto certification has more value nowadays than Cisco's security cert. However, I was browsing several job openings and the majority of them asked for knowledge of ASA rather than Palo Alto.

So I am confused as to whether to do CCNP Security (as CCNA Security has been discontinued by Cisco) or Palo Alto Networks Certified Network Security Engineer?

I am also wondering whether the majority of the concepts and protocols covered in either of them will be the same (except for the names assigned by the respective companies)?



Limited connection connecting Arris SB6183 to Synology 2600ac, Comcast

I recently got an Arris SB6183 to replace my Comcast provided Modem/Router. When trying to connect it through my Synology 2600ac it says "Limited Connection" and refuses to connect anything on my network to the internet. It'll get an IP, Gateway and all that but refuses to connect. After two hours it did start working, but then the Arris cycled power and refused to reconnect.

Steps I've tried:

- Cycling power to both modem and router multiple times
- Changing ISP settings to set the MAC Address to the old modem's address
- Activating the modem, given it wants to allow me to 

Anyone have an idea what I may be missing?



ISO the "best" video conferencing.

Does anyone know of a video conferencing platform that

  1. Works on mobile devices, with video/audio without having to install an app?
  2. Offers dial-in number issuing, ideally toll-free as options?
  3. Streams as high as the individual user's connection supports, so if they're using a 1080p webcam and have 30Mbps internet with minimal jitter, I shouldn't see artifacts. In other words, is not applying arbitrary QoS?

OnSIP is the closest I've gotten, but it doesn't offer phone numbers unless you set it up as a separate 'thing'. Which is too bad because its video conference is by far and away the best I've seen, but the reality is that some people would rather route their audio through an actual phone.

I have Teams, it has the convenience of kicking one up from Outlook and internal convenience, but the video quality is extremely lacking compared to what OnSIP offers.



Help with CableIQ results.

Please forgive my ignorance, not my area of expertise here but I’m just trying to learn more. Basically my first time using a CableIQ. I looked through the manual but none of the examples look like the issue I encountered.

Here are the results of the tests I’m confused about.

https://imgur.com/a/CQP9xeN

This is a copper link from two buildings that had been working previously until recently the switches started flapping. The switches were tested as working properly when directly connected.

Thanks for any input/help.



Smaller budget switch options

We are a smaller MSP who normally deal with Juniper and Cisco options.

That being said, I have just come into this company last week, and have been tasked with finding a more budget friendly solution for our smaller clientele.

Requirements:

  • Reliability
  • 8/24/48 port options
  • PoE for IP phones
  • Ability to program VLANs

Of course I was not given an "about this price", more of a "gather some options". As I said, this is a very new, upgraded position for me, so previous knowledge is very limited. That being said, before just throwing a post out, I have already put some options together.

Currently I am looking into the HPE 1920 series. I don't know if we should stay entirely away from Netgear, but I'm looking into some of the GS options.

Thanks for any help.



F5 BIG-IP - Forward traffic to all nodes in a pool?

Does anybody know if this is possible? I'm a little unsure how this would actually work from a client's perspective, but I'm checking if this is possible. Can I forward all traffic onto all nodes within a pool? I am looking at the 'clone' function in iRules, but it doesn't seem to be working as I'd hoped.

To make things more difficult I'm having to use SSL bridging on this virtual server. The iRule I've got so far is:

when CLIENT_ACCEPTED {
    clone pool pool1 member 10.10.10.1 8440
    clone pool pool1 member 10.10.10.2 8440
    clone pool pool1 member 10.10.10.3 8440
    clone pool pool1 S member 10.10.10.4 8440
}

Using this code, I get "connection refused" when hitting the virtual server. If I change the second line to:

pool pool1 member 10.10.10.1 8440

It works, or at least the client gets content back; however, the stats show 10.10.10.1 as having a connection, and also 10.10.10.4, but not the other two!

Any ideas?

Thanks in advance



Add delay in cisco catalyst 3750x.

How can I add delay to traffic on a Catalyst 3750X? My company needs this to simulate a real-world environment. Shaping isn't supported on this switch. I want to slow down the traffic without a bandwidth limit. Is this possible? Help me please.



Looking for a reliable place to Sell IPv4 address

Hi Guys,

I am looking to sell perhaps two /23 or a full /22.

I googled and found one (auctions.ipv4.global) and I was wondering if the gurus here could point me to a reliable place.

Thank you,

Niamul



How to make all connections to a server happen over OpenVPN?

Hello,

I have a server set up with OpenVPN installed + an ASA; I'm able to make connections with configured clients. Now I want every connection, like SSH, VNC, etc., to work if and only if the client has the VPN connection, and refuse everything/everyone else. Can I do this with one server only or do I need another server for that? How would something like that work or be set up? Any help would be appreciated.



SFP module for GPON Huawei with customizable serial number

Hi, I wanted to know if there is any GPON module compatible with Huawei that has the ability to change the serial number. Thanks.



Sunday, June 28, 2020

Seeking advice concerning which portion does cloud take part in networking

Hello guys!!! I'm currently working to become a network engineer. I passed the CCNA last May and am working toward the CCNP. But lately, cloud is also trending in every field; in which part is cloud useful for networking? And as a network engineer what cloud abilities or certs should I have? Any replies are much appreciated... best regards,



How would you interface between dense mode routers and sparse mode multicast routers?

This is an IPTV environment. There are two geographically separated environments managed by different teams. Normally when we need to push video back and forth we drop it onto a "video proxy", something like a Cisco DCM that won't allow reverse flow traffic; to protect the source network. Problem is this particular application needs to be able to speak unicast bidirectionally back to some middleware and a VOD server cluster.

Complicating matters is the source network is all dense mode, and it ain't changin'. The remote network gear is only capable of sparse mode (Arista). These two networks need to talk. We have the bandwidth to statically join all groups (around 500) if that would help the solution along -- this wouldn't be a bandwidth waste as we are normally joined to all groups anyways.

So, I turn to the brains of reddit. What would you do?



Connecting a switch

I work for a large business that has terrible WiFi and few active network ports. Am I able to use a cable from a wall network port into an 8-port switch to extend port capacity? It is only temporary, as I need to hook 10 laptops to the network for setup. Or do switches need to be hooked up to the router? Thank you in advance!



Interaction between TCP Congestion Control and Flow Control

Hi all! I've read many articles about the difference between congestion control and flow control, and the answer is mainly in that congestion control avoids overloading the network whereas flow control avoids overloading the receiver.

However, I haven't been able to find a good explanation of how these two interact with each other. For a TCP connection, both mechanisms are at work, right? On a high level, they both specify a window size which limits the amount of data sent by the sender. And it looks like the unit of both windows could be bytes.

So, can I roughly understand it as the actual amount of data is the min(limit_by_congestion_control, limit_by_flow_control)?

Thanks for all help in advance!
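A toy model of the interaction asked about above, added here as an example (it is not from the post or from any real TCP stack): the sender keeps at most min(cwnd, rwnd) bytes in flight, cwnd grows by slow start, and rwnd shrinks as the receiver's application drains its buffer more slowly than data arrives. Buffer sizes, drain rate and thresholds are constructed values.

```python
"""Toy model of how TCP's congestion window and receive window interact.

Added example, not the post's own code. The sender may never have more than
min(cwnd, rwnd) unacknowledged bytes outstanding:
  - cwnd (congestion window): the sender's own estimate of what the path can carry
  - rwnd (receive window): the free buffer space the receiver advertises in each ACK
Slow start doubles cwnd every RTT while the receiving application drains its
buffer at a fixed rate, so the binding limit moves from cwnd to rwnd over time.
All sizes and rates are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

MSS = 1460  # bytes per segment (constructed, a typical Ethernet MSS)


@dataclass
class Round:
    rtt: int
    cwnd: int      # sender's congestion window at the start of this RTT
    rwnd: int      # receiver's advertised window at the start of this RTT
    sent: int      # bytes the sender could put in flight this RTT
    binding: str   # which limit actually capped the sender: "cwnd", "rwnd" or "both"


def effective_window(cwnd: int, rwnd: int) -> int:
    """The amount a TCP sender may have outstanding is min(cwnd, rwnd)."""
    return min(cwnd, rwnd)


def which_binds(cwnd: int, rwnd: int) -> str:
    """Name the window that limits the sender (or "both" when they are equal)."""
    if cwnd == rwnd:
        return "both"
    return "cwnd" if cwnd < rwnd else "rwnd"


def simulate(rtts: int, recv_buf: int, drain_per_rtt: int,
             ssthresh: int, initial_cwnd: int = 10 * MSS) -> List[Round]:
    """Run the two windows side by side for `rtts` round trips.

    Toy assumptions: the sender always has data, nothing is lost, every segment
    sent in an RTT is acknowledged by the end of it, and the receiving
    application removes at most `drain_per_rtt` bytes from the buffer per RTT.
    """
    cwnd = initial_cwnd
    buffered = 0            # bytes in the receive buffer not yet read by the app
    rounds: List[Round] = []
    for rtt in range(rtts):
        rwnd = recv_buf - buffered           # flow control: advertise free buffer space
        sent = effective_window(cwnd, rwnd)  # the sender honours both limits at once
        rounds.append(Round(rtt, cwnd, rwnd, sent, which_binds(cwnd, rwnd)))
        # Receiver side: data lands in the buffer, then the app drains some of it.
        buffered = max(0, buffered + sent - drain_per_rtt)
        # Congestion control: slow start below ssthresh, then congestion avoidance
        # (grow by one MSS per RTT). No loss in the toy, so cwnd never shrinks.
        cwnd = cwnd * 2 if cwnd < ssthresh else cwnd + MSS
    return rounds


def steady_state_throughput(rounds: List[Round]) -> int:
    """Bytes per RTT in the last round: once rwnd binds, this tracks the app's drain rate."""
    return rounds[-1].sent


if __name__ == "__main__":
    for r in simulate(rtts=8, recv_buf=64 * 1024, drain_per_rtt=20_000, ssthresh=100_000):
        print(f"RTT {r.rtt}: cwnd={r.cwnd:>6} rwnd={r.rwnd:>6} "
              f"in_flight={r.sent:>6} limited by {r.binding}")
```

Running it shows cwnd limiting the first two round trips and rwnd thereafter; once the receiver's buffer fills, bytes per RTT settle at exactly the application's drain rate, and a receiver that stops reading drives rwnd to zero and stalls the sender regardless of cwnd.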



What security features do I need in an AP?

I want to build a network where one of the requirements is to isolate guests from each other as well as from the private LAN.

I assume this is called "Layer 2 isolation", although I don't find much discussion on the topic when googling around. At the moment I'm looking at picking up a couple of UniFi AP Pros. Is this possible? Having each guest in their own VLAN, or at a minimum some way to block communications between wireless guests?



Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.

Note: This post is created at 01:00 UTC. It may not be Monday where you are in the world, no need to comment on it.



Loopback testing on a gigabit ethernet carrier fiber interface.

Okay so back in the stone age days we used to loop back an OC3/DS3/T1 interface to itself and run ping tests to the IP address on the interface. We would keep moving the loop closer to us until the problem stopped (no more dropped packets). This would point us to where the problem is. So fast forward to now (the age of gigabit Ethernet). How do I run this same test? It seems like it works when it's physically looped back (same light going in and out).

But when I have the carrier loop back the remote end I don't see the same packet input as packet output. I've been researching this all weekend, and it looks like Ethernet OAM/CFM is the way I should go about this. That's fine if it's the only way, but just trying to make sure I can't do a simple ping test with the equipment already in place.

TLDR: can I loop back a fiber gigabit Ethernet circuit at ANY point along the path and test with consumer** equipment?



Is it still true that Viptela only allows one of each "color" to be present on a vEdge?

Cisco documentation suggests that is still the case, but I wasn't sure. It seems like such an arbitrary limitation. Can anyone tell me if this is indeed still a limitation, and whether or not there are any plans to remove it? Or is it just a strict requirement for OMP to operate?



Need help with my school lab. Are 2 management IPs required for intervlan routing? Should I put one IP on SVI and then trunk connection? Or 2 SVIs?

Sorry if my question is a little confusing, I am working on a lab for my school. I'll try my best to explain.

So I have VLAN56 on one switch with an IP address on the VLAN interface (56) of 10.1.1.2 255.255.255.0. I am trying to add VLAN56 traffic to another switch so it can cross over into my other broadcast domain.

The Catalyst has the option for IP routing. My question is: can I simply add VLAN56 to the other switch, and trunk the connection between the switches?

Or would I have to create VLAN56 on the new switch, and also give it an SVI of 10.1.1.3 255.255.255.0?



Wake On LAN TP-Link WR740N.

I'm trying to set up Wake On LAN for a remote PC in another location using the following instructions: https://www.howtogeek.com/192642/how-to-remotely-turn-on-your-pc-over-the-internet/

Unfortunately, I am not able to forward the port on the modem to the "broadcast address" 192.168.0.255 and am getting the following error: Error code: 26106 The IP address is not in the same subnet with LAN IP address. My router is a TP-Link WR740N. Is there anything I can do to resolve this?



Looking for best method and device to simulate a Taclane in gns3 or eve?

Hi, I work in a secure environment that uses TACLANE to encrypt data from the CE side through the WAN and back to the CE side on the other end. I always struggle with understanding and implementing the best device, and ultimately configuration, to simulate the networks I work on the correct way. What is the best way? Some examples would be appreciated. Thanks for your help. For example, you have site A that uses OSPF to connect to all other sites; then that site egresses to a TACLANE that connects to a PE router that maybe uses BGP or IS-IS for WAN neighborship, then hits the TACLANE on the other side. Hopefully this makes sense, sorry, typing on mobile.



How to measure wireless signal strength without access to RSSI?

I am developing an app for iOS and wish to include a wireless signal strength indicator to show the user how good their wireless connection is; however, Apple has locked this down and does not allow access to wireless signal monitoring. I have come here to ask if there would be any other way I can show WiFi signal bars in my app by measuring the network in some other way. Would dropped packets from a ping be a good indication? The app I'm developing streams RTSP video - could the connection quality also be measured from the number of dropped frames in the video stream?



Can anyone help set up this type of QoS??



MTU on a virtual interface

Hi guys!

Can an MTU be set on a virtual interface or is it strictly a physical interface concept?

A bit of background info: I am troubleshooting packet loss over a VPN connection. I've determined that anything above 1250 doesn't go through. So I'm wondering if I can set an MTU exclusively for the ppp0 virtual interface.

Many thanks!



Cisco 9300-24UX-E as layer 3 distribution

I have a hospital with a campus style network and a horrible design: they have 3 large buildings all sitting off the back of a stacked 4500-X core, and P2P circuits stretching layer 2 to access switches in each of the buildings.

My proposal is to create a resilient OSPF network between the buildings to create a full mesh "triangle", which requires an additional circuit from building 2 to 3. I am planning to use Cisco 9300-24UX-Es as the new collapsed cores in each building and run OSPF over it for the resiliency.

Efforts have already been completed to give each building their own VLANs, but they currently all terminate on the core in building 1.

Having never worked with the new Catalyst 9XXX series, I have some questions:

  1. Do you agree that the switch I have chosen is suitable? It needs to be mGig copper as they want to save money and also treat it as a server access stack.
  2. I know these switches stack, but I am unsure if I need to buy a stack kit/StackWise cables (i.e. do they come in the box?? No amount of googling can answer this for me).

The kit needs to be Cisco, as they are a Cisco-only shop and we'd rather keep it that way. But I am open to other suggestions on hardware models, and even constructive feedback on my design. They are very adamant that resilience is key here, hence the full-mesh approach with OSPF to failover the circuits, and the stacked collapsed-core at each building.

The end goal will also be to have the most important of the 2 buildings connected via an EtherChanneled P2P circuit, but that comes later...