Saturday, July 18, 2020

We're an MSS and we have messed up customer firewall rules

We run MSS services wherein we have full control over the customer firewalls, and all policy changes are done by us based on tickets opened by the customer.

The customers buy this service with the hope that the policies created by "experts" are going to be secure and tight, without the dreaded any-any rules.

But lo and behold, all 10-15 of us have access to these customer firewalls, and every time a ticket opens up, one of us makes the changes.

And it's a mess! Multiple any-any rules allow traffic to all ports; fortunately, people do bother putting in the source and destination addresses. I have now realized that when a new ticket comes in for a firewall change, the traffic is already allowed under some previous rule and you don't even need to do anything!

The bigger question is how to even maintain tight firewall rules. I am thinking a weekly fine-tuning of rules is a must, and a reporting tool that can keep sending out emails every time an any-any rule is created. How do y'all do it?
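A rule-base audit of the kind the post asks for, as an added example in Python (not code from the original post or from any firewall vendor's tooling). It assumes a simplified, constructed policy in first-match order, with CIDR sources and destinations and a single "proto/port" service per rule; the parser for a real vendor export is left out. It flags any-any-any allows, allows with an unrestricted service, and rules shadowed by an earlier rule (including a final deny shadowed by a permissive allow, which is the case where the cleanup rule has silently stopped doing anything), and it answers the "is this ticket already allowed?" question by first-match evaluation before anyone touches the firewall.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # "tcp/443", "udp/53", ... or "any"
    action: str   # "allow" or "deny"


def to_net(s):
    return ANY if s == "any" else ipaddress.ip_network(s, strict=False)


def service_covers(outer, inner):
    return outer == "any" or outer == inner


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every flow `inner` would match is already matched by `outer`."""
    return (to_net(inner.src).subnet_of(to_net(outer.src))
            and to_net(inner.dst).subnet_of(to_net(outer.dst))
            and service_covers(outer.service, inner.service))


def first_match(rules, src_ip, dst_ip, service):
    """First-match evaluation of one flow: the check to run before working a ticket."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in to_net(r.src) and d in to_net(r.dst) and service_covers(r.service, service):
            return r
    return None


def audit(rules):
    """Return (rule name, finding) pairs for permissiveness and ordering problems."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.service == "any":
            if to_net(r.src) == ANY and to_net(r.dst) == ANY:
                findings.append((r.name, "any-any-any allow"))
            else:
                findings.append((r.name, "allows any service"))
        # A rule fully covered by an earlier one never matches: dead if the earlier
        # rule has the same action, dangerous if an allow shadows a deny.
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r.name, f"shadowed by {earlier.name} ({earlier.action})"))
                break
    return findings


# Constructed sample policy in first-match order; not a real customer's rule base.
RULES = [
    Rule("web-in", "any", "10.0.10.0/24", "tcp/443", "allow"),
    Rule("legacy-mgmt", "10.0.0.0/8", "10.0.10.0/24", "any", "allow"),
    Rule("db-from-app", "10.0.20.0/24", "10.0.10.5/32", "tcp/1433", "allow"),
    Rule("temp-fix", "any", "any", "any", "allow"),
    Rule("deny-all", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
    hit = first_match(RULES, "10.0.20.7", "10.0.10.5", "tcp/1433")
    print("ticket already satisfied by:", hit.name if hit else "nothing")
```

Run this weekly against each customer's exported rule base and mail the findings when the list is non-empty; the "allows any service" and "shadowed by ... (allow)" findings are what turn the any-any problem into a measurable backlog rather than a feeling.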



CUCM directory search

Hello guys, I have 2 call managers at different branches, connected via VPN. Is there any way for the IP phones at one branch to search for names that are on the call manager at the other branch?



GS110TP going offline, becomes unreachable, but traffic still working on some ports

I have a brand new GS110TP. I have only added a VLAN; everything else is factory settings. I have the LAN going into one port, and several Meraki APs and Ubiquiti GigaBeams. The Merakis stay online, but after about a day the switch itself indicates it's disconnected (via the Meraki dashboard) and I can no longer reach the management interface by its IP.

I would have considered this an anomaly, but I put another of the exact same switch, also brand new, in its place, and now a day later it's doing the same thing.

What should I be looking for while the device is still reachable and online? Any idea why some ports might not be powering devices while others are?

Wake on LAN attempts have done nothing.

I have a few of these on the property, and only these last two I bought are doing this. They are the same model as my existing ones, but they have a slightly different light layout on the front panel, and they have me log into the management console using a netgear.com account rather than a local user.

Thanks!



What is the highest DDoS attack you have seen?

I am just asking around because we were recently attacked and there are some proposals to just upgrade the internet link to 10G capacity. I'm not really into it because I think we are not really addressing the issue there, and if the attack is very large then we might end up in the same situation. Plus, it is bandwidth on demand, so we'll have to pay more if that happens.



What Certifications to look into getting

Hello, I'm a student just out of high school and into college. I was wondering if there are any certifications I should sign up for classes for, to help me actually get a job in the field. My original plan was to go for the Cisco stuff; however, I don't know if it is the best option anymore due to the CCNA getting a complete rework this year, and I don't know if their new broad-knowledge certification means much to employers or the field in its entirety. I'm already heading towards an associate's in Networking at my local college, but I would like just a little bit more to put myself on the radar for employers to choose me over any other person. Thanks for the help in advance. I don't know if this violates rule #5 for this sub, and if it does I apologize.



Open Source Network Detection Software

One of my customers runs his company only with open source solutions.

Now he wants to monitor and secure his network, consisting of FS switches (https://www.fs.com/), from the endpoint to the server and also the complete network, so that data exfiltration can be prevented because it is detected as an anomaly.

For this purpose, I have so far worked quite conventionally with Vectra AI or Cisco Stealthwatch.
Is there an open source solution that reliably does the same as these two commercial solutions?

Thanks for the help



Hard time understanding the Subnetting

I just can't get subnetting. I've been through many videos and books, but I just can't find a way to understand VLSM and FLSM for the CCNA. Can you guys help me out by providing a good resource? Thanks in advance. :)
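Since the question is how VLSM and FLSM actually work, here is an added worked example in Python (not from the original post or any course material) that does the arithmetic the books describe: FLSM carves a block into equal-sized subnets, while VLSM sizes each subnet to its host count and allocates largest-first so every block lands on its natural boundary. The parent block and the host requirements are constructed for the example.

```python
import ipaddress
import math


def prefix_for_hosts(hosts):
    """Smallest IPv4 prefix with room for `hosts` usable addresses.

    Two extra addresses are reserved for the network and broadcast address,
    and nothing smaller than a /30 is handed out.
    """
    bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - bits


def usable_hosts(net):
    return net.num_addresses - 2


def flsm(parent, new_prefix):
    """Fixed-length subnet masking: split `parent` into equal /new_prefix blocks."""
    return list(ipaddress.IPv4Network(parent).subnets(new_prefix=new_prefix))


def vlsm(parent, requirements):
    """Variable-length subnet masking.

    `requirements` is a list of (name, hosts). Allocating the largest block first
    keeps every subsequent block aligned to its own size, so no space is lost
    to alignment padding; the cursor arithmetic below handles the general case.
    """
    parent = ipaddress.IPv4Network(parent)
    cursor = int(parent.network_address)
    plan = []
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        plen = prefix_for_hosts(hosts)
        size = 1 << (32 - plen)
        if cursor % size:                      # align to the block's own size
            cursor += size - cursor % size
        net = ipaddress.IPv4Network((cursor, plen))
        if not net.subnet_of(parent):
            raise ValueError(f"{parent} is too small: {name} would need {net}")
        plan.append((name, net))
        cursor += size
    return plan


# Constructed requirement set for a single /24.
REQUIREMENTS = [("wan-link", 2), ("mgmt", 20), ("sales", 100), ("eng", 50)]

if __name__ == "__main__":
    for name, net in vlsm("192.168.10.0/24", REQUIREMENTS):
        print(f"{name:10} {str(net):20} {usable_hosts(net)} usable hosts")
    print("FLSM /26 blocks:", [str(n) for n in flsm("192.168.10.0/24", 26)])
```

Comparing the two outputs for the same /24 is the whole lesson: FLSM gives four /26s with 62 hosts each, which cannot fit the 100-host department at all, while VLSM fits all four requirements with room to spare.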



Online course for IT networking fundamentals for DevOps

I'm a fresh grad from an unrelated engineering field who through chance got a job as a DevOps engineer. I used to learn basic data science in Python but never really learned anything related to networking; I never even made a website or worked with databases like MySQL, PostgreSQL, or MongoDB.

Through my job, I've learned basic DevOps stuff such as Ansible, Chef, GitLab CI and Kubernetes (YAML engineering). But I always have a problem when something related to networking comes up, such as whitelisting IPs in HAProxy and ingress. I don't really understand how DNS works. I don't understand what a MAC address is.

I know there are a lot of blogs or websites that I can read to learn these specifics, but my problem is that I need a structured lesson plan so I don't miss fundamental stuff and don't skip stuff that I wasn't aware of. Moreover, a course will help structure my learning.

Thank you for your help.



Sanity Check - "show interface" on a trunk shows "Last input never", is this normal behavior?

While working on a Python project to list all the unused interfaces, I noticed that some of my trunks are showing "Last input never". I am trying to figure out if this is normal. Does a physical interface only count untagged traffic in that field?

Switch : Cisco WS-C3560G-24PS

SW Version: 12.2(55)SE10

GigabitEthernet0/28 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is amac.addr.ess1 (bia amac.addr.ess1)
  Description: UPlink
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 1000Mb/s, link type is auto, media type is 10/100/1000BaseTX SFP
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 5570000 bits/sec, 580 packets/sec
  5 minute output rate 1349000 bits/sec, 286 packets/sec
     70240904603 packets input, 21532416360140 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     1 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     146005811046 packets output, 165583112705541 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Interface Configuration:

interface GigabitEthernet0/28
 description UPlink
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 201
 switchport mode trunk
 spanning-tree portfast trunk
end
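As an added example (Python; not the poster's project code), here is a parser for the "show interfaces" layout above that identifies unused ports the way such a script should: from the packet counters together with "Last clearing of ... counters", not from "Last input". On Cisco IOS the "Last input" timestamp only updates for packets the device processes in software (control-plane traffic punted to the CPU); hardware-switched transit frames on a Catalyst trunk never touch it, which is why the trunk above shows "Last input never" while having received over 70 billion packets. The sample keeps the relevant lines of the Gi0/28 output from the post and adds two constructed notconnect ports, Gi0/5 and Gi0/7.

```python
import re

# Constructed sample: Gi0/28 keeps the relevant lines of the trunk output from
# the post above; Gi0/5 and Gi0/7 are made up for this example.
SAMPLE = """\
GigabitEthernet0/5 is down, line protocol is down (notconnect)
  Hardware is Gigabit Ethernet, address is 0000.0000.0005 (bia 0000.0000.0005)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
     0 packets input, 0 bytes, 0 no buffer
     0 packets output, 0 bytes, 0 underruns
GigabitEthernet0/7 is down, line protocol is down (notconnect)
  Hardware is Gigabit Ethernet, address is 0000.0000.0007 (bia 0000.0000.0007)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 2w3d
     0 packets input, 0 bytes, 0 no buffer
     0 packets output, 0 bytes, 0 underruns
GigabitEthernet0/28 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is amac.addr.ess1 (bia amac.addr.ess1)
  Description: UPlink
  Last input never, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
     70240904603 packets input, 21532416360140 bytes, 0 no buffer
     146005811046 packets output, 165583112705541 bytes, 0 underruns
"""

# Each interface block starts at column 0 with "<name> is <state>, line protocol is <state>".
HEADER = re.compile(r"^(?P<name>\S+) is (?P<admin>.+?), line protocol is (?P<proto>\S+)", re.M)


def parse_show_interfaces(text):
    """Return {interface name: fields} from 'show interfaces' output (IOS 12.2 layout)."""
    heads = list(HEADER.finditer(text))
    ifaces = {}
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[h.start():end]
        last = re.search(r"Last input (\S+), output (\S+),", block)
        clr = re.search(r'"show interface" counters (\S+)', block)
        pin = re.search(r"(\d+) packets input", block)
        pout = re.search(r"(\d+) packets output", block)
        ifaces[h["name"]] = {
            "admin": h["admin"],
            "proto": h["proto"],
            "last_input": last[1] if last else None,
            "last_output": last[2] if last else None,
            "counters_cleared": clr[1] if clr else None,
            "packets_in": int(pin[1]) if pin else 0,
            "packets_out": int(pout[1]) if pout else 0,
        }
    return ifaces


def unused_interfaces(ifaces, require_never_cleared=True):
    """Ports that have never forwarded a frame in either direction.

    Zero counters only prove "unused" if they were never cleared; a port whose
    counters were reset recently may just be quiet. "Last input" is ignored on
    purpose, since it only tracks software-processed (punted) packets.
    """
    out = []
    for name, d in ifaces.items():
        if d["packets_in"] or d["packets_out"]:
            continue
        if require_never_cleared and d["counters_cleared"] != "never":
            continue
        out.append(name)
    return out


def last_input_is_misleading(ifaces):
    """Interfaces where 'Last input never' contradicts a non-zero input counter."""
    return [n for n, d in ifaces.items()
            if d["last_input"] == "never" and d["packets_in"] > 0]


if __name__ == "__main__":
    parsed = parse_show_interfaces(SAMPLE)
    print("unused (never cleared):", unused_interfaces(parsed))
    print("zero counters but cleared at some point:",
          unused_interfaces(parsed, require_never_cleared=False))
    print("'Last input never' on busy ports:", last_input_is_misleading(parsed))
```

Ports found this way are the ones to shut down and park in an unused VLAN; a port whose counters were cleared recently (Gi0/7 in the sample) needs a second look before it is treated as free, and the trunk is correctly left alone.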


Can a country shut down its internet for good?

Hey.

I don't know if you follow the news, but Ethiopia recently, and a bunch of other countries like India, have the habit of shutting down the internet in times of unrest and protests. I know pretty basic stuff about networking (as much as a CS bachelor's degree covers), like an abstraction of how routing is roughly done, and how countries and organizations can restrict access to Autonomous Systems that they don't like (simple things, actually, at the network layer).

So my question is, what can be done to prevent governments from shutting down access? Is satellite internet a viable thing (how about the delay)? Overall, are there people doing things to prevent such catastrophic actions from authoritarian regimes?



Need to extend some Cat5e, best way?

I've got an old wiring closet that's getting redone. New rack, patch panels, etc., but keeping the existing Cat5e wire.

95% of the cables have enough slack to reach the new panels. For those that don't, what's the best way to extend them?

My plan was to terminate the 20 or so short ones to a standard 110 block, then punch down new Cat5e from that block to the new panel.

Will that pass testing?



Some questions on remote/cloud management for someone considering moving from UniFi Switching to Aruba

I own a small MSP that does all UniFi hardware at customer sites, APs and switches mainly. A total of about 500 devices in the field.

I have a UniFi controller hosted on a VPS that all hardware reaches back to for configuration and monitoring. It works very well and only costs $25 a month, which is the cost of the VPS.

I first cut my teeth working corporate IT with older HP Procurve stuff. Back when the 5400zl was on its way out, the 2910al was the top-of-rack switch, and the 2530 had just come out as the end-user edge/access switch.

UniFi's 48-port Pro series switch (USW-Pro-48-POE) costs me about $1050. I was looking at pricing on the Aruba 2530-48G-PoE+ switch (J9772A) and saw that it was around $1600. I know it's a layer 2 only switch, but that's all my current UniFi stuff is, and feature-wise that's fine with me. I think the 2530 is a far better built and more stable product than the UniFi stuff, and it comes with that juicy lifetime warranty.

So I'm considering Aruba switches, but my question is about remote management. I can VPN to each customer site and then SSH into the switches to configure them, but this seems awfully inefficient compared to what I have now.

So with that background in place, here is the question: does Aruba have something comparable to the web-based configuration that I have with the UniFi controller? Does it work well, and is it easy to enroll new devices? And how much does it cost per switch/AP per month?

General impressions are also welcome. :) Thanks.



Miserable with internship

TL;DR - New internship with a service provider company. I hate the work I'm doing: NATs, ACLs, very menial and meaningless work. Very standardized and surgical work. Is all IT like this? There are good benefits; should I leave after the internship or hold out?

Long post - I would still appreciate any feedback.

Hello, I need some advice from the experts who have been in the space for a long time. Yes, I realize that career questions aren't usually welcome here, but this isn't a question about how to crack into the field, but whether I should stay. I would greatly appreciate any advice.

I am 19 years old and I am pursuing a 2 year IT degree at a community college. The degree includes CCNA, Microsoft and Linux content. One of my adjunct professors liked my performance in class and asked if I wanted to apply to her team at a large health IT company as an intern.

I started in May, and the whole company is working from home with no plans to return until at least next year. This is a large corporation. We create software solutions for hospitals and have large staff teams to support our clients. Not going to explicitly name the company, but there are only a couple of companies who dominate this industry in the US, so take your guess.

My job is a very support-oriented job. We work NATs, ACLs, VPN tunnels, load balancers, etc., but currently as an intern I'm starting with NATs and ACLs. I am extremely miserable in this job. All of the tickets I get are very similar. For example, a client puts in a ticket to NAT their address so they can access our datacenters, or a ticket to open a firewall port to allow a solution through. Our datacenters are extremely complex and interwoven, and it feels very impersonal and surgical. It's so complex that a lot of the existing engineers still don't know where everything is or how everything works. We use Cisco, Palo Alto, F5s. But it feels very mundane and tedious. The best analogy is that it feels like helpdesk, for networks. I have worked a few helpdesk jobs before.

My boss is an excellent manager. I am very fortunate to have her as my manager and she was also an excellent professor. I can't bring myself to tell her how I feel about the job. I just feel very dead working this job, and it's making me question whether I'm in the right field or not. I know I enjoy the field - I've always been attracted to IT, I used to build networks at home as a little kid and obsess over operating systems and things kids don't usually like. So I do enjoy IT, but I didn't think it would be like this. I'm really feeling burned out and hate the work I'm doing. I was imagining it would be more like "here's a complex problem - go fix it" or "we need a new setup here - go build it". Not menial tasks over and over again like adding NATs or punching a hole in the firewalls. My big question here: are all IT jobs like this, or can I find something different in a smaller business?

I'm reluctant to leave because of the great compensation. The internship program is a year long, and afterwards I'll get hired on starting at 55-60k a year. The benefits are great as well. I finish my degree at the end of this year, so I'm looking to become an official team member in the spring of '21.

I do plan to continue for the full year, but I'm not sure whether I'll have the strength to carry on anymore after that. I greatly appreciate your advice!



Dream Machine Pro help

Hi there, I'm looking for some help with my Ubiquiti Dream Machine Pro. I followed the steps to set it up; it's getting access to the internet no problem and it's updated. But when I plug an RJ45 cable into port one, there is no internet access at all. Have I missed a bit, or is there another step I've missed? I'm hoping it's not a duff unit and it's just me doing something stupid.

Appreciate any help



Help with AP slow speeds

I have CenturyLink Fiber Gig, which is supposed to be roughly 940/940. Current setup is Fiber -> EdgeRouter X -> TP-Link EAP225 v3 (all Cat 6).

- EAP225 in the middle of the second floor, separate 2.4/5 GHz bands, 5 GHz is 20/40/80 with auto channel and high power.

Fiber straight into the MacBook Pro, I get 700/940 regularly. MacBook Pro out of the ER-X, I get about the same (700/900).

Standing directly under it, and honestly anywhere in the house, the MacBook Pro on 5 GHz gets 180/220.

Why the terrible drop in speeds? Any recommendations or anyone experiencing the same?



Rural broadband design and operational challenges

Hi Everyone:

I've been tasked with doing research on this. I'm not 100% a network engineer, so my knowledge is limited.

Where should I start? I know this is kind of a big question, but any books you have in mind work for me.

For broadband I have fiber, 5G, satellite. Do I need to know all the details of how they work?

Should I start learning how those technologies

I know how to set up a network from the firewall to switches and routers (internally) and how to get a link from an ISP (this should cover design). I've helped to set up fiber (as a backup/learner).

Any help is appreciated and cheers!



SD-WAN: SilverPeak or Meraki

Can anyone please share their experiences regarding the SD-WAN solutions from Silver Peak and Meraki? We are looking to use the solution to have a DIA and a broadband connection connecting our remote offices (each 300 users) with HQ. Has anyone deployed these in production? What are their pros and cons?

Our basic requirements

- Internet failover mechanism, but keep our existing firewalls

- MPLS VPN and IPsec VPN replacement.

- No internet backhaul.

- No DPI, URL Filtering needed.



[AMA Request] Friday's Internet Outage: An Insider that can tell us the technical side of the story

I am making this request for educational and training purposes. If someone with insider knowledge *wink* could tell us the technical side of what happened yesterday and provide analysis, we could learn from it and prevent it from happening in the future. Obviously, you are encouraged not to give out information that may put anyone in trouble or damage the reputation of any firm. Just keep it technical. My questions are:

  • What happened?
  • What went wrong?
  • What went right?
  • How did you recover so quickly?
  • What were your troubleshooting steps?
  • How can you prevent this in the future?
  • What's your overall analysis?

Thank you



Site-To-Site VPN help

Hello,

Got a bit of a head-scratcher here. Trying to set up a LAN-to-LAN VPN between our head office and a branch site. The type of tunnel is an IPsec tunnel. The issue I'm having is that the tunnel comes up OK, but I'm not getting any traffic passing either way. I thought it might have been the way I set it up, so I removed it and tried again. Still no joy.

Did some digging and found a post that looked similar to the issue I was having; they got around it by using a different hash (MD5 instead of SHA). I tried that, but it didn't yield any results. So far I've tried every other variation, using both IKEv1 and IKEv2, but can't get traffic to pass.

I did set up a PPTP LAN-to-LAN tunnel and did manage to get traffic flowing through it, but I don't really want to be using a PPTP tunnel as it isn't really considered secure anymore.

Anyone had a similar issue?

P.S. The routers in question are a Vigor 3900 (HO, server) and a Vigor 2862 (branch, client).

Thanks in advance.



Switch with PoE ports for Cisco APs

Hi, I need a little help with the Cisco AIR-CAP2702 model and powering it. I need a recommendation for a switch which has PoE ports (minimum 5 PoE, and in total a minimum of 24 ports) and can power 5 Cisco APs.



Access over External IP

Hi guys, I have an IP CCTV system which I'm trying to configure for external access.

I can connect to the system over its LAN IP (192.168.0.3), and while I am not connected to the LAN I can connect to it over its WAN IP.

What I want to do is be able to connect to the system via its WAN IP while I am connected to the LAN. The reason for this is that otherwise I have to have the system set up twice in its app.

I believe what I am trying to do is configure hairpin NAT. Apologies, I'm not too savvy with these kinds of things.

I hope this makes sense and someone can help 😃



Find physical switch port?

I came across this

https://www.reddit.com/r/homelab/comments/ht77vx

Yes, it's homelab, but it intrigued me because it could definitely be used in an enterprise setup, and I wouldn't want to make anything myself. It's far better to have support from a manufacturer, and it probably costs less in the long run. Essentially we have some wall ports at work, and they're configured for different VLANs. The cables are nice and tidy.

Most of the time you can look at the back of a phone, find the MAC address and then find what switch port it's connected to. There's a colleague at work who's incredibly stubborn. I've basically corrected five years of bad wiring and made everything neat. He still pulls on cables for ports connected to the wall, which has undone a lot of my effort through Covid...

Would Fluke's NetScout provide something similar to the above? Are there cheaper alternatives? We'd only need something basic. Hopefully this could convince one of the more stubborn members of staff, who's been there 15 years, not to pull on cables that are connected to wall ports. We have some cables that are 10 metres long, given the wall port is about 8 m away from the desk.

We do already have an actual network tester too, and that's a cheap thing that you can buy from Amazon. Not fantastic, not Fluke, but not bad either.



Friday, July 17, 2020

2 Routers (2x DHCP Server) into 1 Switch

Hey networking gurus

I was wondering if this setup would work. I have two routers (2 ISPs) that will go into one switch, which will then connect to another switch via a single cable. The second switch will distribute the network to various devices.

Can I then specify that PC4 will connect to the internet via Router 2? Presumably by specifying the gateway to be 192.168.2.1? Topology diagram in the picture below.

OTP - optical termination point
M1 - modem 1
M2 - modem 2
R1 - router 1 - 192.168.1.1
R2 - router 2 - 192.168.2.1

Will devices across the two routers be able to see each other and connect to each other?

https://i.imgur.com/92wqT2B.jpg



Ad-hoc Android input device + Windows service?

Hello all, I work for an MSP and am comfortable with ScreenConnect. Wondering if there's a Windows app that can run during boot and pairs with an Android app for touchpad/keyboard control? Intended for mobile use targeting Win10 tablets with no Internet connection, which my luck on Android has thus far required. If I can broadcast an AP at boot before login, that may help as well. Thanks in advance.



Cloudflare outage on July 17, 2020



Internet keeps disconnecting

Hello. I'm having a very frustrating time with my internet this afternoon. Everything was working fine until I was using Surfshark VPN on my iMac for about 30 minutes; my computer went to sleep, and then I got it started again and I've had problems since. I have used Surfshark many times and have never had problems until now. I keep getting it to work again for a few minutes, but then it goes down again. All of the lights on my modem and AirPort are green when it happens. Whenever it goes down, the "Internet" part of AirPort Utility will say "not connected." I've completely turned off the VPN, done hard resets on the modem and AirPort, restarted several times, and flushed the DNS cache. Spectrum says there is no outage. I get it to work again by resetting the modem and AirPort, but then it happens again shortly after. What could be the problem? I'm guessing the VPN messed with something. I've also tried doing a hard factory reset on the AirPort router, and the problem still keeps coming back. Could it be causing a problem that I used the same network name as before when I set it up again? I even tried using another TP-Link router and couldn't really get past setup. It couldn't auto-detect, so I tried cloning the MAC, and it said it was set up, but then nothing loads. What the heck could I still try? The regular Ethernet connection from the modem to my iMac seems to work fine when I turn Wi-Fi off.



Will a network switch improve performance?

I use a 200 Mbps/15 Mbps cable internet connection, and I was wondering if a network switch would improve any part of network performance.



PSA - There appear to be some major DNS issues at Cloudflare at the moment

Just noticed that Discord was down due to a DNS issue, as were several other websites. The common thread seems to be that they're all using Cloudflare for DNS.

Nothing appears to have been announced yet. They're looking into the issue, and some services are back to normal.



Trying to set up VeloCloud Virtual Edge in Azure

Disclaimer: I'm not a networking person.

I've been tasked with deploying the VeloCloud Virtual Edge ARM template from https://code.vmware.com/samples?id=6437. I was given the Orchestrator server address and activation key, as the Velo edge was set up by an SD-WAN provider for the customer (name starts with T).

Using these instructions: https://docs.vmware.com/en/VMware-SD-WAN-by-VeloCloud/3.4/sd-wan-azure-virtual-edge-deployment-guide/GUID-DB8C0DC4-6F33-48BE-8463-8F8602527B1A.html

This is a new Azure environment, so nothing there is in production; it only has a couple of test servers.
The instructions under "Deploying Virtual Edge with ARM Template" are what I am using for reference.

My issue is that I need instructions for the Azure side of this, or some example I can go off of.
Also, the ARM template is calling for "Public Subnet" - Public Subnet IP Range for Edge interface, and I'm not sure what is needed for that.

Thanks



25Gbps Speedtest

Until today, I had been thinking that speedtest.net was limited to tests of up to 10 Gbps. I was doing some usual performance tests on my server, which is running under Microsoft in an Amsterdam data center. Suddenly, I wanted to do a speed test and opened the application. Even though my server supports up to 50 Gbps according to tests that I have done with NTTTCP, it is surprising to see a number of more than 10 Gbps on speedtest.net.

There might be a bug with the Windows application of Speedtest, because I only get high results when I first open the app and press the test button without changing the destination server. I know that networking does not just mean "speedtest", but I wanted to share this unusual experience.

https://www.speedtest.net/result/d/61d72984-376b-42a3-8cd3-1973e128c149



Relative cost of copper SFPs

I recently had to source some copper SFPs. What struck me while reviewing the quotes was that the copper SFPs, both 1G and 10G, are relatively expensive compared to optics.

Does anybody know why this is? Are manufacturing costs higher or is it just due to smaller volumes? Or is there some technical reason like power budget or heat dissipation that makes them more expensive to make?

Inquiring minds want to know.



Looking for a highly experienced Back End Dev

Hello, I am looking for a highly qualified individual who is fluent in SQL and has lots of experience with back-end software, such as MySQL. It would be preferred if this individual has created and managed databases, as well as retrieved back-end data to showcase on a front-end platform.

If interested, shoot out a DM.



2910al Setup - Interesting issue

Okay, we have a 2910al on our LAN (it is in an MDF that is going to be ready to route to other IDFs). We have plugged a computer into one of the ports after setting it up, and it gets Internet, DHCP, etc. From any of our other LANs we cannot SSH into it UNLESS a laptop (or any other device) is plugged into any of the other ports.

So, the uplink port is plugged in, THEN:

Nothing else plugged in: can't SSH into it.

ANYTHING else plugged into any other port: can SSH into it from any of our LANs.

What would cause this? I've never had this issue with any of our other switches. We've always been able to SSH or telnet in and make changes and continue setup with only the uplink plugged in and no other devices.



Layer 3 segmentation without VLANs!

Hi Guys,

So I'm trying to get away with not setting up VLANs on a switch. I know that in the past the IP address of the VLAN didn't matter to the client systems. For example, if my layer 3 switch has VLAN 10 with an IP of 192.168.255.254/24, I can still hook up two client systems on a 10.10.10.0/24 network, and the client systems can communicate with each other, albeit not with the layer 3 portion of the switch; layer 2 seems to pass the traffic just fine between the two separate networks, without VLAN segmentation.

I know everybody will say create a VLAN for my scenario below, but I'd like to understand if it's really necessary or just a best practice to isolate the networks on the layer 2 side. Like, do I really have to create an additional VLAN if I want to run two separate networks on the same switch? If so, why? Because it seems to work fine with only one VLAN.

Here are the links to diagrams :

https://ibb.co/fC62CNg

https://ibb.co/wyP5y6f

Best,

Mud

P.S. If you are really curious about why I'm using both the 10 gig link and the 1 gig link on the iMac Pro computers, it's because the AVID ISIS server doesn't support the iMac Pro 10 gig ports, but the FreeNAS does.



Twice NAT on an old Cisco PIX, FW ver 8.0.4 - Help with config

I have a host at a lower security level, 10, needing to reach a host at a higher security level, 100. I'll say DMZ to Inside. I originally tried an ACL to allow the traffic with a NAT exemption, but I found that NAT exemption (nonat) is not applied when going from a lower to a higher security level, and it attempts to send the traffic out the outside interface, as I could see using the packet-tracer command.

With this, I went for a 1-to-1 NAT with an ACL allowing the traffic, which looks like it would work if there wasn't asymmetric routing on the return traffic. So I need the source IP also NATted to, say, the inside interface IP, so the return traffic will come back through this PIX rather than the inside host's GW. I have done this on an ASA before, which I believe is called twice NAT, but I cannot find the syntax for a PIX, if it is even possible. Current setup detailed below.

dmz host: Z.Z.Z.171
inside host: Y.Y.Y.234

----scrubbed current relevant config----

interface Ethernet0
 nameif outside
 security-level 0
 ip address X.X.X.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address Y.Y.Y.230 255.255.0.0
!
interface Ethernet2
 nameif dmz
 security-level 10
 ip address Z.Z.Z.1 255.255.255.0
!
nat (inside) 0 access-list nonat_inside
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat_dmz
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (dmz) 1 interface
!
static (inside,dmz) Z.Z.Z.182 Y.Y.Y.182 netmask 255.255.255.255
!
access-list inside_acl extended permit ip any any
access-list dmz_acl extended permit ip host Z.Z.Z.171 host Y.Y.Y.182
access-group inside_acl in interface inside
access-group dmz_acl in interface dmz

----current trace forward flow----

PIX# packet-tracer input dmz icmp Z.Z.Z.171 0 0 Y.Y.Y.182

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,dmz) Z.Z.Z.182 Y.Y.Y.182 netmask 255.255.255.255
  match ip inside host Y.Y.Y.182 dmz any
    static translation to Z.Z.Z.182
    translate_hits = 0, untranslate_hits = 3
Additional Information:
NAT divert to egress interface inside
Untranslate Z.Z.Z.182/0 to Y.Y.Y.182/0 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_acl in interface dmz
access-list dmz_acl extended permit ip host Z.Z.Z.171 host Y.Y.Y.182
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (dmz) 1 0.0.0.0 0.0.0.0
  match ip dmz any outside any
    dynamic translation to pool 1 (X.X.X.2 [Interface PAT])
    translate_hits = 7005, untranslate_hits = 847
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,dmz) Z.Z.Z.182 Y.Y.Y.182 netmask 255.255.255.255
  match ip inside host Y.Y.Y.182 dmz any
    static translation to Z.Z.Z.182
    translate_hits = 0, untranslate_hits = 3
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 148178257, packet dispatched to next module

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop Y.Y.Y.182 using egress ifc inside
adjacency Active
next-hop mac address Y.Y.Y hits 1

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Side note: I'm in a network migration off this old gear and eliminating this asymmetric mess I inherited, but this is needed in the meantime.

Thanks!



Deleting a VLAN from multiple interfaces with a single command in JunOS

At work I'm supposed to delete a single VLAN from 7 interfaces with the command "delete vlans <vlan name> interface <interface name>". I never really worked with JunOS before, so I'm wondering if I can do it with a single command instead of executing it seven times, once for each interface. I have learned from Google that the JunOS equivalent of IOS' interface range command is wildcard range, but I was unable to find out if I can use it in my scenario as well, or how the syntax is supposed to look.

Can you help me out?



Are there any podcasts related to networking?

TLDR: can't see properly for a week. Need something to listen to.

I've got this viral infection in my eyes which makes it difficult to keep my eyes open for a long time. The doctor prescribed me to rest for at least a week until it heals.

I've been reading CCNA for the past few weeks and I am enjoying it. I don't want to take a whole 1-week break. So, could anyone recommend me podcasts or videos that I could listen to and gain some knowledge from, rather than just sitting and overthinking?



Question about Switch Chassis

The facility I work at is using a Cisco C9410R, which has its advantages I admit, but is currently victim to some of the worst spaghetti monster patching I've seen. I'm planning on doing a rack clean up, but have no idea how to properly patch down these switches without being able to put patch panels between switches. Has anyone come across this issue before and have any advice on how to make a clean run? Any advice is appreciated.



Cloud ERP system wants to access local SQL database

The cloud ERP company wants access to a local SQL Express DB on our local network. They want me to open ports TCP 1433 and UDP 1434 on the main firewall. This doesn't seem right. What should be the proper way to allow communication between the ERP and the local DB?



Is using 3rd party memory in Cisco UCS going to get me denied TAC support?

Would I be denied TAC support for using 3rd party memory? Cisco branded is so expensive. From what I see it should not be an issue. But I wondered if someone had experience?



Cisco DNA vs Extreme Fabric

If you were building an SDN architecture for a large enterprise, which vendor's SDN solution would you lean towards out of Extreme and Cisco? What experiences, good and bad, have you had with the vendors?



TB3 Connection Questions

Hey Fam :)

I know this is not directly about networking, but I don't know which specific subreddit is the best for these questions and this one seems to be the closest. If you think this post would be better in a different sub, just link it in the comments! :)

I work at a medium sized video production company. We are looking to upgrade to a RAID solution for our editors to edit off of. That itself is a whole new topic and there will probably be a whole lot of questions regarding networking and so on, but that's not for today.

Today is about moving our editors' PCs into the same 19" server rack. The goal is to move all the PCs out of the editing room for a quieter and less hot work environment. All the workstations already exist and we only want to move them into a 19" rack-mountable case, using as few cables as possible to connect all the peripherals and monitors in the room.

My first guess was just using TB3, but the motherboards don't have a TB3 slot(s). My next guess was TB3 PCIe add-in cards (like the Gigabyte Titan Ridge). There are a lot of options out there and it probably depends on the motherboards which one is the best. Sadly the "so called" best one out there (the Titan Ridge) only natively supports Gigabyte boards, and we have MSI Z390s in our workstations.

I read that every other motherboard which has a Thunderbolt AIC header and Thunderbolt options in the BIOS will support the card. Is that true? What do I have to look out for when choosing an add-in card?

And finally, is the TB3 connection on those cards only for data or do they also support video output?

My dream setup would be to just connect a single TB3 cable to the rack-mounted PC, run it into the office, split it up via a dock and connect all peripherals (mouse, keyboard, video and audio) to that dock. Is that possible?

Does anyone have experience with such a task/problem and might help me with a few tips and tricks?

Sorry for any grammatical errors, English is not my native language! Thank you for taking your time reading this and have a great day! I look forward to any incoming answers. :)

Greetings

Linus



A Router/Mesh Solution for a Friend

Hey everyone,

So I've somehow ended up in the position of sorting the boss's network out in his new office building; luckily the builders are in and can lay cables at the stage they are at with development, so that's that headache gone!

I did a degree in Networking Management 10 years ago but since ended up changing careers and am quite out of the loop with new technology/devices.

It's mainly about having good, reliable WiFi coverage throughout the fairly large building, which has solid, thick original Yorkshire stone walls.

My thoughts were to have a wired PoE mesh system; around 5/6 should provide enough coverage.

Staff will mostly be connected via WiFi from their work laptops; there will be around 20/24 wired plug-in points in my mind, which will probably go unused for the majority but need to be there. Cat6 or Cat7? Never used Cat7, so I don't have hands-on experience of what to expect, but I do believe it's still backwards compatible? Will it be more troublesome?

Up to 2k on the hardware. Cabling and faceplates etc. not included in that.

Looking for mesh device suggestions and any thoughts? Also any recommendations on switches and a central router. Maybe there is something else I haven’t considered?

Thanks in advance! :D



How to log node information using the script editor of Cooja Simulator?

I need to log node-related information such as churn, latency, packet loss rate, rank, etc. using the script editor. I have no idea how to achieve this!

Please, any help is appreciated.



Could you point me to some literature for this networking problem?

Hi!

I just started learning about network programming this semester in a class. With the Covid situation, the class was completely online and only consisted of a few mediocre student presentations. We have to do a final Python project and I'm at a total loss as to how to approach this. There wasn't any literature provided, and to be honest, I don't even understand what we are supposed to do (or what to google). So I was wondering if you could point me to some literature that I can work through to understand what I'm supposed to do?

I've never been in a situation where I didn't even know what to google, this is pretty embarrassing. I'd really appreciate your help!

The problem we're supposed to solve says to "determine a master from a set of equal servers. Make sure to avoid a split brain scenario. The conditions under which the master is determined have to be clear. Actions executed on the master (or non-master) should be freely configurable (e.g by running a python or shell script)."
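One way to approach the assignment as stated, added here as a worked example and not part of the original post: a simulated election in which a node may only claim the master role when it can hear a strict majority of the cluster, so a network partition leaves at most one side with a master, and the actions taken on a role change are pluggable callables. The node ids, link sets and partition scenario are constructed; a real deployment would derive "reachable" from heartbeat timeouts over the network.

```python
# Added example: deterministic master election with a majority quorum so that a
# network partition can never yield two masters (split brain). Everything here is
# an in-memory simulation with constructed node ids and link sets.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional, Set

# A role-change action; e.g. lambda nid: subprocess.run(["sh", "promote.sh"])
Hook = Optional[Callable[[int], None]]


@dataclass
class Node:
    node_id: int
    cluster: Set[int]                      # ids of all equal servers
    on_master: Hook = None                 # run when this node becomes master
    on_standby: Hook = None                # run when this node steps down
    reachable: Set[int] = field(default_factory=set)  # peers currently heard from
    role: str = "standby"

    def quorum_size(self) -> int:
        # strict majority: two disjoint groups can never both reach it
        return len(self.cluster) // 2 + 1

    def has_quorum(self) -> bool:
        return len(self.reachable | {self.node_id}) >= self.quorum_size()

    def elect(self) -> Optional[int]:
        """Return the master this node believes in (None if it has no quorum).

        Rule: the lowest node id among the members this node can reach wins,
        and only a node that sees a majority may hold any opinion at all.
        """
        if self.has_quorum():
            master = min(self.reachable | {self.node_id})
            new_role = "master" if master == self.node_id else "standby"
        else:
            master, new_role = None, "standby"
        if new_role != self.role:          # fire the configurable action on change
            self.role = new_role
            hook = self.on_master if new_role == "master" else self.on_standby
            if hook is not None:
                hook(self.node_id)
        return master


def build_cluster(ids, on_master: Hook = None, on_standby: Hook = None) -> Dict[int, Node]:
    members = set(ids)
    return {i: Node(i, members, on_master, on_standby) for i in sorted(members)}


def full_mesh(ids) -> Set[FrozenSet[int]]:
    """Every node can hear every other node (healthy network)."""
    ordered = sorted(ids)
    return {frozenset((a, b)) for a in ordered for b in ordered if a < b}


def partition(links: Set[FrozenSet[int]], groups) -> Set[FrozenSet[int]]:
    """Keep only links whose two endpoints fall inside the same group."""
    return {link for link in links if any(link <= set(g) for g in groups)}


def run_election(nodes: Dict[int, Node], links: Set[FrozenSet[int]]) -> Dict[int, Optional[int]]:
    """Refresh every node's view of reachable peers, then let each one decide."""
    for node in nodes.values():
        node.reachable = {
            peer for peer in node.cluster
            if peer != node.node_id and frozenset((node.node_id, peer)) in links
        }
    return {nid: node.elect() for nid, node in nodes.items()}


def masters(nodes: Dict[int, Node]):
    """Ids of every node currently holding the master role (should be 0 or 1)."""
    return sorted(nid for nid, node in nodes.items() if node.role == "master")


if __name__ == "__main__":
    events = []
    cluster = build_cluster([1, 2, 3, 4, 5],
                            on_master=lambda nid: events.append(("master", nid)),
                            on_standby=lambda nid: events.append(("standby", nid)))
    healthy = full_mesh(cluster)
    run_election(cluster, healthy)
    print("healthy network, masters:", masters(cluster))      # [1]
    split = partition(healthy, [{1, 2}, {3, 4, 5}])
    run_election(cluster, split)
    print("2/3 partition, masters:", masters(cluster))        # [3]
    print("role-change actions fired:", events)
```

An even split (2 vs 2 of 4 nodes) leaves no master at all, which is the intended outcome: no master is safer than two.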



Thursday, July 16, 2020

Can anyone ELI5: network switches?

Why are some switches called Layer switches, Core switches, Access switches, Distribution switches? What's the difference and what decides what a switch is termed?



Is there a simple python script I could use to pull certain information from a group of cisco switches?

For example, if I wanted to see if a certain command is set on about 200 switches, could I use python to search for which switches have that command, or which switches do not have that command?
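A sketch of the audit half of that task, added here as an example and not from the original post: parse each switch's running config into global commands and per-interface blocks, then report which devices are missing a required global command or a required command on their access ports. The configs are constructed samples; fetch_running_config() is the hypothetical pluggable piece that, against real devices, would use an SSH library such as netmiko (ConnectHandler(...).send_command("show running-config")).

```python
# Added example: audit a fleet of Cisco IOS switches for required commands
# (global commands plus commands that must be on every access port). The
# running configs below are constructed samples, not from any real device.
from typing import Callable, Dict, List, Tuple

SAMPLE_CONFIGS: Dict[str, str] = {
    "sw1": """\
hostname sw1
service password-encryption
no ip http server
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
end
""",
    "sw2": """\
hostname sw2
service password-encryption
ip http server
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree bpduguard enable
!
end
""",
}

REQUIRED_GLOBAL = ["service password-encryption", "no ip http server"]
REQUIRED_ON_ACCESS_PORTS = ["switchport port-security", "spanning-tree bpduguard enable"]


def fetch_running_config(host: str) -> str:
    """Hypothetical stand-in for an SSH fetch; fails like a dead connection would."""
    if host not in SAMPLE_CONFIGS:
        raise ConnectionError(f"{host}: no route to host")
    return SAMPLE_CONFIGS[host]


def parse_ios_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into global commands and interface -> sub-commands.

    IOS indents sub-commands by one space under their parent block, so a line
    starting with a space belongs to the most recent 'interface' block.
    """
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        elif raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        else:
            current = None                 # any other top-level line ends the block
            global_cmds.append(raw.strip())
    return global_cmds, interfaces


def audit_config(text: str, required_global: List[str], required_access: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the config is compliant."""
    global_cmds, interfaces = parse_ios_config(text)
    findings = [f"global: missing '{cmd}'" for cmd in required_global if cmd not in global_cmds]
    for name, sub in interfaces.items():
        if "switchport mode access" not in sub:   # trunks/uplinks are out of scope here
            continue
        findings += [f"{name}: missing '{cmd}'" for cmd in required_access if cmd not in sub]
    return findings


def audit_fleet(hosts: List[str], fetch: Callable[[str], str] = fetch_running_config) -> Dict[str, List[str]]:
    """Audit every host; a device that cannot be reached is reported, not silently skipped."""
    report: Dict[str, List[str]] = {}
    for host in hosts:
        try:
            text = fetch(host)
        except OSError as exc:             # ConnectionError and TimeoutError are OSErrors
            report[host] = [f"unreachable: {exc}"]
            continue
        report[host] = audit_config(text, REQUIRED_GLOBAL, REQUIRED_ON_ACCESS_PORTS)
    return report


if __name__ == "__main__":
    for host, findings in audit_fleet(["sw1", "sw2", "sw3"]).items():
        print(host, "OK" if not findings else findings)
```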



Paging SysAdmins with Exchange 2019 Experience

/r/sysadmin/comments/hslrpg/paging_sysadmins_with_exchange_2019_experience/

Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



CWDM MUX transceiver question

Hi team,

I'm looking for some info on these Fiberstore CWDM MUX units
https://www.fs.com/products/97784.html

FS have confirmed these optics (https://www.fs.com/products/52770.html) will be compatible. My question is: if the MUXs are paired A:1271-1371 / B:1471-1571, how are the 1270 transceivers received on the 1470 side?

Sorry for the noob question, couldn't find any solid info for these A/B paired units online.



Colocating a few servers, do I need a managed or unmanaged switch?

So I currently have a few servers that are colocated at different datacenters. These are just single-server colos so I haven't had to do anything other than send them the server and they handle everything on the networking side.

I am considering renting a 1/4 rack and putting my servers there, but if I did that I would need to handle the networking myself, and I am unsure of what kind of hardware I need.

The servers are used for VPS. Each server has about 15 separate VMs each with their own IP address. The datacenter is providing me with a /26 block.

Since all of the networking for the VMs is managed on the servers themselves, do I need anything other than an unmanaged switch? Or will I need a managed switch to handle the IP addresses being assigned to each server?



Can I ask for router suggestions here? I've tried countless other tech subs and I've just been shit on. Kind of tired of it honestly. Not everyone is a master at these things. Just delete if not allowed, don't even bother telling me about it. If you can answer, details below and thanks.

I have 1gb of fiber in my home. I'm currently using the Netgear R7000, which is supposed to be 1gb capable. After having my service tech come over countless times and testing at their modem and getting speeds of 800/900 plus up and down consistently, they tested at my router; he immediately said before running the test that I would be around 300 and inconsistent. It was, spot on. He informed me that Netgear has that router locked to those speeds. I called Netgear and asked them wtf; they market it as 1gb capable but it's locked.

They actually have the nerve to tell me I needed to pay for a patch/update/driver to unlock it so I just hung up.

Got a 1gb service because it's supposed to be enough for my home. But, my wife and I have stopped using the wifi on our phones because our data is simply better.

I game a lot and am hard-wired, and even then it's laggy at best.

I am also in a graduate program and I can't have the class videos and other videos on the web play on higher resolution making it difficult to take notes.

Essentially, I'm looking for a product that itself isn't garbage and from a firm that isn't trash also.

Thanks for your time.



Palo Alto to Cisco ISR4451 Ikev2

We used to have an IKEV2 tunnel from an ISR 4451 to a Cisco FTD but have since decommed the FTD and are trying to re-establish the tunnel to a Palo Alto.

With the FTD, we didn't need a virtual tunnel interface on the router and were able to complete the connection just using a crypto map on the exit interface. We have modified the IPs in the crypto map for the new peer address but no dice.

My Question:

Do you need a virtual tunnel interface on the router when trying to accomplish this between a Cisco ISR and a Palo Alto firewall?



Bridging Two Subnets?

Apologies for the stupid question but I have recently setup a new network using a Ubiquiti Dream Machine router and multiple access points. The new network was created using the subnet 192.168.1.0/24. All devices on the network are on this subnet. I've also created a VPN server that places all VPN clients on the 192.168.2.0/24 subnet. I am managing everything remotely at the moment.

Everything is working fine except for the fact that the Epson printer that is connected to the wireless network is connected to a completely different subnet (10.0.0.0/24; its IP address is 10.0.0.54).

I cannot ping or log into the printer but I know it is on the network because I see it in the clients list as being connected to the 2.4GHz network @ 10.0.0.54. Looks like it has a manual IP address setup in the printer settings.

How can I bridge these subnets so that I can ping & access the printer @ 10.0.0.54 from a device on the 192.168.1.x network? Is this even possible?

I could always just change the subnet properties of the current network so that devices sit on 10.0.0.x instead of 192.168.1.x but I kind of just wanted to turn this into a learning experience to see if I could somehow bridge these subnets, get into the printer and change the printer's manual IP address back to the 192.168.1.x network.

Is researching static routes the correct path?

Any ideas would be greatly appreciated...

thanks



Best syslog server for Mac?

Hi everyone, what's the best syslog server for a small business? Possibly the simplest and easiest solution, because we are not pros. Thanks



Healthcare System Vendor Change for Switching

Part of a mid size healthcare system, and my boss is looking for advice on changing switching platforms over the next ~6-9 months as our old Cisco gear needs to go. We got quotes from Cisco, Arista and Aruba. My biggest worry (may be unfounded) is that switching away from Cisco during Covid could cause unnecessary instability. Any thoughts?

My current high-level pro/con list is below. We do layer 3 at the core switches, L2 everywhere else with NAC-assigned VLANs and 802.1x. Only need 1G at the access layer.

Cisco. Most expensive. What we know. TAC is pretty good. Not a good time to do fancy DNA stuff but we will be paying for it...

Arista. Slightly cheaper. Seems very similar to Cisco. No experience with their support

Aruba. Much cheaper. Seems like it takes a better engineer to operate and work around the quirks. Their support blows from experience.



Cisco Management Interface

I think I'm missing something fundamental... In a situation where you have multiple VLANs and multiple SVIs, how do you determine which interface is allowed to be the management interface? How do you disallow other interfaces from allowing management access? My question is specific to the 2960XR.



Understanding SFP+ Ports

Trying to understand SFP+ ports on switches. Can switches be daisy-chained together using SFP+ ports with ethernet cables? And yes, I know daisy-chaining switches isn't the best option.



Will interfaces in a port channel inherit vlans if they have existing vlan config on them?

For example:

interface TenGigabitEthernet1/1/1
 switchport trunk allowed vlan 5,6,7,8
 switchport mode trunk
 switchport nonegotiate
 channel-group 10 mode active
interface TenGigabitEthernet2/1/1
 switchport trunk allowed vlan 5,6
 switchport mode trunk
 switchport nonegotiate
 channel-group 10 mode active
interface Port-channel10
 switchport trunk allowed vlan 5,6
 switchport mode trunk
 switchport nonegotiate
end

(I know this is not set up ideally but it's what I've got - Te1/1/1 is currently suspended) Does adding vlans to Po10 overwrite the interface config? Or does that only work when there isn't a vlan statement on the interfaces.

If I change Po10 to allow vlan 5,6,7,8 will this cause te1/1/1 to come up and te2/1/1 to go down? Would that cause a visible outage?

Thanks!



2N Verso Call to Iphone Mobile Video app

Does anybody have any experience with this?

https://apps.apple.com/us/app/2n-mobile-video/id1188403431

On the iPhone XS, the app instantly hangs up the call from the 2N Verso. Even with the latest update to iOS.



Do I need a license for this? How do I find out?

I have a project where we've been asked to provide WiFi to a very large campus area and I'm looking at using a Ubiquiti RocketPrismAC with a sector antenna (it appears I may also be able to get away with a PrismStationAC or LiteAP AC, but overengineering this may be preferred) mounted on the roof of one of the buildings in the grounds which, in turn, will establish point to multipoint connections.

What I can't figure out is if I need to get licensing of some sorts to use this rocketprism antenna, and I'm not entirely certain how I would find out. It's 5GHz so it isn't a microwave dish but has a high signal output and is covering a reasonably large area.

I'm in Dallas, TX. Not even sure where to start trying to figure it out.



OpenVPN client - server through Internet

Hello everyone, I'm really sorry, I'm new to all this networking stuff and I have trouble understanding one thing about VPN connections.

So let's say I have a client on my local network with an IP address of 192.168.2.100 and my external IP is, let's say, 90.90.909.909.

My server is in a different city with the IP address 192.168.3.100 and external IP 09.09.090.090.

They are not connected by any means at this moment - they are just 2 PCs in their own networks.

I have trouble getting my head around which IP addresses I need to use while setting OpenVPN up and how to route data to the devices accordingly, so I would honestly appreciate any help. Also, to be clear, this is just for personal use, it's not company or work related.

Thanks in advance, I hope this is the thread for it, I was looking for newbie networking but I didn't find it.



Issue with optics

Hey guys,

Wondering if you could assist me with an issue I'm having.

I'm having an issue with 2 x 25G SR optics between an NCS 540 and a Nexus 9k. I am seeing light on both sides, but for some reason the optics don't come up. When I loop the optics on each device, they come up. Also, when I connect the optics to the same NCS or a different NCS they come up, and when I connect the optics to the same Nexus or a different Nexus they come up. It's only when I patch the optics between the 9k and the NCS that I have this issue.

Has anyone seen this issue before?

Cheers,



Fortinet vs Watchguard

I've had a look here: https://www.reddit.com/r/networking/comments/cr6d7l/watchguard_vs_fortigate/

And here: https://www.reddit.com/r/networking/comments/hrlyt0/sonicwall_vs_watchguard_vs_fortinet/

At work, we use Watchguard M270s. I have a Fortinet 60E at home, for a home lab that I'll eventually move to Sophos XG at home purely as it's expensive as hell for one person!

The issue I have with doing a comparison is that most people say "But I like it", and tbf that's my own decision too, but then I'm trying to think about what exactly I like about it.

The UI is slicker, sure, but that's hard to justify to the business. Packet capturing is God awful on Watchguards too.

Troubleshooting is perhaps easier on the Fortinets

Gartner puts Forti up with Palo Alto, but the business probably won't care for that.

Does anyone have any other reasons other than "But I like it"? (Either way ie: if you like Watchguard or Fortinet)



Cisco IOS-XE, can someone explain the output of show platform command?

Hi, What's the difference between the "Software Version" and "Firmware Version"?

FYI the device was downgraded from 16.12.1a to 16.08.01a in order to comply with our customer's security policy.

#show platform
Slot      CPLD Version        Software Version        Firmware Version
--------- ------------------- ----------------------- ------------------------
1         07091401            16.08.01a               16.12.01a
2         07062111            16.08.01a               16.12.01a
3         07051680            16.08.01a               16.12.01a


Double Nat issues with inbound SSH

Hi

I have a home office that needs to perform admin on servers in a remote office. The remote office has (for historical reasons) a Telco-provided Cisco router facing the Internet. That router has an internal address on 192.168.99.0/24. Behind the Cisco, there is a Netgear FVS318 router/switch where all local servers are connected. That network is 10.0.2.0/24. The Netgear's default gw is 192.168.99.1 (the Cisco) and the Cisco-issued IP is 192.168.99.3.

Public IP <-> Cisco <-> 192.168.99.0/24

192.168.99.3 <-> Netgear <-> 192.168.99.1 <gw IP from Netgear>

Netgear <-> local net 10.0.2.0/24, local IP 10.0.2.1

Clients 10.0.2.0/24, default gw 10.0.2.1

All internal clients and servers connect fine to Internet. I can also from the internal servers use SSH to my home office after configuring port forwarding properly. The problem is when I try to SSH into the remote office. I have configured port forwarding (22/TCP/UDP) in the Netgear to the main local Linux server. According to the Telco support, the Cisco has no firewall active and should pass all inbound packets through. I suspect that the double NAT prevents the SSH packets from reaching the Netgear router. When I run wireshark on the home office Linux box, I only see an immediate Connection refused back from the public IP of the Cisco.

Any advice? Should I try to remove the Cisco since it obviously does not fulfill any purpose except complicating things?



Juniper iBGP export and import

Hi,

I'll be adding an export policy on one of our routers. It already has an import policy running with it. If I add an export policy, will all the ibgp neighborship reset?

I'm just worried that it might reset once the configuration is confirmed.



How can I learn from scratch ?

[Please tell me if wrong sub, I’ll post elsewhere]

So : title. ^

This is hard for me because I don’t understand what this is : HTML is a language. pdf is a file type. Networking is...what ?

I have a huge interest in ethical hacking. I’ve been told to learn Python, PHP, JavaScript. So I began with Python.

And, solid knowledge of Networking. This one's a struggle. I basically understand how the internet works but that's it.

No actually, not so much.

Where can I start? I prefer learning with books and practice instead of videos, but I'll take anything I could work with. I'm not asking for a complete course, but for references. I like learning on my own, and I know you guys don't like non-specific questions (which I totally understand, it's really annoying), so I'll follow up later with more precise questions.

Thank you all in advance and have a great day.

Picture me as Jen in the IT Crowd : IT stands for Internet Things, right ?



Wednesday, July 15, 2020

LF WAN Experiences: Silver Peak vs. CloudGenix; Palo Alto vs. zScaler vs. Fortinet

Hello all,

We're near the end of a decision for our WAN overhaul.

Status: Distribution company, 1 HQ, 30-50 warehouses all US based (warehouse footprint from an IT perspective is 2-15 office workers [pre-Covid-19] and 5-20 warehouse pickers, about 2-5 of them have a handheld scanner, so low bandwidth)

Also have two service providers that we utilize for a total of 4 external datacenter connections in our WAN

Current:

Fortinets everywhere as firewalls

HQ has 2x1Gb internet connectivity

MPLS network everywhere, most warehouses also have 20+ Mb internet connection

VOIP connectivity/resilience is a priority (currently, when the MPLS goes down at a warehouse, VOIP will be down too)

Future:

SD-WAN with 2 network connections (plan to eventually go dual internet circuits, waiting for term'ing on MPLS)

Not so hot on our Fortinets, would prefer a better performer.

On the SD-WAN side of things, it appears that CloudGenix and Silver Peak would fit our needs; both (say they) can take an internet circuit and a MPLS circuit, and either can go down and we'll continue to have our connectivity. As we migrate away from MPLS, both indicate the transition will be seamless. Bandwidth isn't too much of a concern for us: VOIP and ERP are priorities, but both are relatively low bandwidth. Advice/opinions looked for here: was either one for you a bad experience? Are they products as advertised?

On the Firewall side of things, I'm in quite a conundrum: Fortinets are our current FW everywhere and our client VPN. I *could* leave the Fortinets everywhere, but I'm ready to leave the Fortinets behind (admittedly, this is a little political, CIO doesn't like Fortinets and generally prefers Cisco, so I'm already doing a bit of a sales job by suggesting something other than Cisco). We're expecting full IDS/IPS, web-filtering, and other strong "next-gen" security features from any solution. Here's my summed up thoughts on each:

Fortinets: cheapest option to keep them, but have to almost clean slate them to get us at correct spec. We do have IPS licensing, but we don't use it.

Palo Alto: the implementation would be physical firewalls at our HQ, and their Prisma "cloud firewall" for our warehouse locations. The Prisma would integrate to either the CloudGenix or SilverPeak for the firewall functionality. We'd go with their Client VPN as well (from the HQ firewalls).

zScaler: before all this, I have never heard of them. SilverPeak is partnered with them for the firewall. They seem to have everything we would need for a cloud firewall integration to the SD-WAN box that would be local to the warehouse. I'm told they can only do web filtering on ports 80 and 443 though. And they don't have any hardware to sell, so I'd still need a standalone firewall at the HQ.

Firewall comments: seems that either Fortinet or Palo Alto would be a "complete" firewall solution, but zScaler could only be useful as a firewall at our warehouse locations.

Firewall Questions: Has anyone done either SD-WAN + cloud firewall? What limitations have you experienced?

Are any of these amiss?

Biggest leap for me here is the "cloud firewall" of most of these, first time considering and possibly doing these.

I'm intentionally trying to remove my leanings to make the most objective post I can. I'll try to respond to any questions or concerns.



Choosing a Virtual Networking Environment

Background:
I'm 18 months into my first helpdesk job, self-taught (homelab) with no certs, and an amazing opportunity has fallen into my lap at work.
I work at a very small MSP, and generally network design for our larger clients is outsourced to network engineers. It's known that I have an interest in networking and I've mentioned that I use GNS3 at home, so someone has thrown me a bone (or a live grenade) and asked me to take care of it.

Not realising that I might be out of my depth, I agreed, thinking that it would be as easy as downloading the IOS images and configs from each of the routers and then jamming them into a GNS3 appliance. I quickly found out that there's more to life than 7200's and this was going to be a much bigger learning opportunity than I would have hoped for.


The job:

One of our larger clients would like to create a virtual networking environment, initially just for three of their routers. All three routers are Cisco ISR 4351/K9. Two are running IOS XE Version 15.5(3)S4b, and the other is 15.5(2)S3.

 

Ideas I have on how to achieve this, and what I think are the pros and cons:

  • Have them purchase a Personal Cisco Modeling Labs license (Enterprise license is way out of budget)

    • Pro: This will almost certainly work
    • Pro: $199/year subscription will cost them less than if they were being billed for the time it took me to make this reddit post
    • Pro: It could be easier to deploy on their existing infrastructure than other solutions might
    • Con: I have never used this software before, only used my VIRL subscription to download IOS images
    • Con: I haven't been able to find any information on whether or not we can add Windows VMs to the topology
    • Con: This solution would not scale up to their entire network if they chose to do so in the future

 

  • Use GNS3 (this comes with some questions as well as pros and cons)

    • ?? Is GNS3 capable of running the IOS XE images if we copied them from their physical devices?
    • ?? If not, will we just need to purchase a Cisco Modelling Labs license anyway?
    • Pro: I am familiar with this software (not an expert by any means, but an acceptable working knowledge)
    • Pro: Easily able to add computer VMs to the topology
    • Pro: It's free
    • Pro: Easily scales up to and beyond their actual network
    • Con: Less up-to-date community support available
    • Con: If anything goes wrong the buck stops with me.
    • Con: I don't even know if it's capable of emulating these routers

     

That's kind of where I'm at. If this is too long and you can't be bothered reading, I have some bite-sized questions that I haven't been able to find answers to:

  • Can GNS3 emulate ISR 4351/K9 routers if you can copy the IOS XE image from the physical device?
  • Does the Cisco Modelling Labs Personal edition let you download VIRL images, or can they only be used within the modelling labs software?

 

Although I've been struggling to find the answers to these questions over the last 48 hours, it's been a great challenge so far and I'm grateful for the opportunity to push myself. Big thanks to this community in general, you've all taught me so much and kept me interested in networking despite my day job revolving almost entirely around Microsoft desktop support.



pfSense and bell business line (ca, ont)

I don't know what i'm doing wrong.

PPPOE, Vlan35, the proper credentials, IGMP and ipv4 and 6 traffic are allowed and I just can't seem to connect to bell with their own GPONs pulled from different HHs. Are there different GPON models/families for business?

the HH2000 is just pissing me off how locked down it is.



Network Automation Consultants / Integrators

I'm doing some research and I'm curious if there are other companies offering similar services to Network to Code, in that they're offering to use open source technologies to help your company get up to automation readiness and then automating things. I know there are companies offering their specific software to do automation, but NtC is more of an "integrator" with your existing infra, using open source tech.



WiFi experiences interrupts whenever Phone connects to WiFi.

We have at least 5 devices connected to our network on average. Lately, whenever a certain device (Galaxy A10e) connects, we experience unbearable interrupts, with potentially 5 minutes of uptime in between service interruptions. It is only the one device... when it is disconnected there is no issue whatsoever.



Looking for a Firewall/Security device that does 3 different things (repost).

(My previous post got deleted for low effort. So I will try to put more effort into this one. The replies I got for the previous one were very good.)

Hello.

I am an experienced Network Administrator. Unfortunately I have very little experience with routers and firewalls. We recently decided to move our infrastructure to AWS. For this we need a device that does a Site to Site VPN connection. This is the primary function that we need this device for. It needs to be very reliable since it is the key to our communication with AWS.

We would also like to have the device do DHCP for us. As well as allow users to VPN into the network from the device. For example if a user is at home and needs to do some remote work.

So far I have only looked at the dell.com website. Because we do a lot of business with Dell and have a sales rep.

Our price range is $1000-2000

So far this is the best we have found. https://www.dell.com/en-us/work/shop/accessories/apd/a9918016

Some have suggested Fortinet devices. The department that usually handles our routing and firewall (this is the first time we've had to do it ourselves) suggested using a Cisco ASA 5515. Unfortunately that is out of our price range.

My biggest issue is that I have a hard time reading the Tech Specs. Because I am such a newbie to be honest.

For example: https://www.dell.com/en-us/work/shop/accessories/apd/a9918016

says

VPN tunnels (site-to-site): 1000
IPSec VPN connections: 50
SSL VPN users: 2

Am I to understand this correctly it can do 1000 site to site tunnels but can only handle 2 VPN users? That seems really strange.

I appreciate all your help. Thank you ahead of time!

edit: Also I should mention. We don't actually need any of the firewall stuff. We are already on a firewall that is managed by a whole security team. They do a good job. We just need the VPN and the firewalls seem like the best devices to do that.



Removed ASA from HA Pair - Lost access to outside from inside devices

Hey this is a bit long winded but I'm looking for some insights into what might have happened here and if anyone has run into this before.

On Sunday the SFR module on our Primary/Active 5545 died and our secondary took over. We left the two firewalls in an HA pair Monday and yesterday we received the RMA for the from Cisco. Our plan was to remove the non-working ASA, change the working one to Primary and insert the new RMA one as Secondary.

We got as far as completely removing the broken one and making the existing one primary (failover lan unit primary) when we completely lost all internal to external access. Internal - internal still worked but internal - outside did not. Wireless, ethernet, servers, data (user) networks. All public facing websites were down as well.

Our Setup:

Behind our firewalls we have two Catalyst 9500's stacked which act as our core switches - access layer feeds off of this.

Connected to the 9500's are two VPC linked Nexus 93240's for 10/40G connections to servers.

Finally, behind those sit the Nexus 9348's which handle 1G connections and a lot of management access ports.

Here's a detailed list of what we did:

  1. 5:48 PM - Unhooked cabling from broken firewall (broke HA pair)

  2. 5:50 PM - Issued command on working firewall (failover lan unit primary)

  3. 5:50ish PM - Lost all internal - external internet access

  4. 6PM - Checked routes, verified config on existing firewall wasn't missing any configuration or had its configuration changed

  5. The firewall could ping out (8.8.8.8). The 9500 couldn't. We could ping between the 9500 and the firewall. Something seemed off, checked routes again, nothing out of the ordinary or missing that we could tell.

  6. 6PM - started phone call to TAC

  7. 6:20-30PM - On the phone with TAC, Started wondering if it was ARP related between the firewall and the 9500's. Shut the interfaces on the 9500's to the firewall, didn’t seem to help. Rebooted firewall. Didn't seem to help. Still can't ping 8.8.8.8 from 9500's.

  8. 7pm - On the phone with TAC, they are looking into the switch side of things (9500/93240) we try pinging from the 9500 to 8.8.8.8 and it works. No changes were made. However, webpages hosted internally on servers that come off the 93240s cannot be seen from a 4G connection (external). So something is still wrong. TAC is seeing nothing wrong on the switch.

  9. 8PM - We switch to TAC firewall engineer. He see’s nothing wrong. At this point we may have gone down several rabbit holes with TAC (switch and firewall side) but over the next 2-3 hours certain sites and services began to work again. In one case, a server that hosts two public facing sites had issues (one site was available by 4G, the other was not). Different IP for each site, but still.

  10. 11PM – Everything is working. Internal – External is back up, public facing sites are now available.

  11. This morning everything is working fine - we plan to put the other firewall in place this Saturday.

Cisco TAC is as baffled as we are as to why things weren't working.



How to Buy time during an Outage (Corporate Politics and you Pt.1)

A few friends have encouraged me to post stuff like this as they found it helpful. Most posts are of a technical nature, but the hardest part of being a lead NE isn't technical.

Communication, Budgeting, planning equipment refreshes, outage management, project management are key skills to being a lead NE.

I'd like to contribute what I believe are key phrases and concepts to survive as an NE in any environment. While I worked at VARs and an ISP, most of my XP is at an enterprise. So that is who this is targeted at.

How to buy time during a Network Outage;

People outright panic during outages as we know. I've been cursed at by CIOs, PMs, my own Manager when these have occurred. What you have to convey during this time is a calm, "just the facts" demeanor that acknowledges the issue and their concerns while notifying them you're working on it.

Example phrases to use when this happens.

  • "We're aware of the issue and still investigating the root cause, updates every 45 minutes"
  • "We're aware of the issue and working with the vendor to resolve it"
  • "We're still investigating the issue and have no ETA but will keep you updated."
  • "We've identified the issue and are working to resolve it as soon as possible, multiple vendors are engaged."

If you don't at minimum acknowledge the issue and their feelings, things will go downhill fast, and it makes it harder on everyone. It shouldn't work like this, but it usually does.

Once the outage is over

Control the narrative (or it'll be controlled for you).

In more toxic environments, they're looking for a vendor, person, or ISP to blame/fire. In others they want to understand root cause to prevent it in the future. This is actually an opportunity sometimes.

Assuming the outage wasn't fatfinger related.

Explain, and build relationships

You can tie this back to your yearly architecture reviews and budget requests. "X failed because my funding was cut for Y refresh", "We requested an outage window to update this device's old code, but none was given". If you can tie the technical failure back to your challenges with your business it can give them motivation to listen to you and fund you appropriately. If they don't care, that's pretty much a red flag and you need to bounce. Companies like that usually end up relying on VARs tbh.

As part of your yearly budget requests, and architecture reviews you need to identify all of the areas where equipment is under-designed, needs redundancy or refresh. If they don't fund your requests, and you have no options, you need to convey the risk in a respectful manner. This is key post outage.

Lastly,

Don't take it personally, people get mean when the network goes down. Especially at Hospitals and Financial Institutions. Do a Headspace, take some CBD, and don't let the VPs, Middle Managers, and Yes-men, push all the blame on you and leave you out to dry. That's assuming you follow process around changes, communicate and set expectations around outages and listen to your peers.



Adding a new vlan to an existing REP segment. Alternate port

I am trying to add a new VLAN and it isn't traversing the link. It seems that REP is blocking the new VLAN. Is there a way for me to allow the VLAN to traverse the blocked port?

The port is a trunk link. Both vlans allowed on each end and an int has been set up.

It is saying that as the alternate port, some VLANs blocked.

It is a ring. I am unable to get it across the new interface because it's saying blocked.

Help would be appreciated



New VLAN is blocked. Interfaces configured for REP. How can I allow the VLAN to traverse the trunk?

I am trying to add a new SVI. It is not traversing the interfaces configured with rep segment. Anyone know how I can allow this new VLAN to pass traffic?



Moved to Mac, soliciting tips/gotchas

Made the leap from PC to Mac for my work PC a few weeks back. Definitely a learning curve but I am happy overall. Curious if anyone has any tips or tricks they can share. I have brew installed. I'm using Atom for text editing, really wish Notepad++ was available. Outlook sucks, I hobbled it to kinda fit my needs. I am an inbox zero person and I did a lot with Quick Steps to achieve that. Excel is ok, I'll be much better when I learn the ctrl and page up/down and home/end shortcuts. Haven't had to do much with Visio yet, I had heard of Lucid Chart as a good alternative. There are a few company specific apps (Cherwell and ForeScout) which have fat clients that are Windows only. There are web portals but they suck.

I know I'm not the first so I am curious what you guys have run into.

Thanks,



zsh highlighting

Anyone have suggestions or use highlighting for Cisco/network highlighting on zsh? I’ve used it for years on securecrt. however, I’m trying to move away from SecureCRT.



PRTG Channel Settings Advice

Hello r/networking

I'm looking for some input from any PRTG experts here cause there doesn't seem to be too much documentation on this issue. I have PRTG deployed in our network and I'd love to change over the bandwidth reporting from kbit to mbit. So I went over to the channel configuration and made the change in the link below, but my conversion seems to be different at different speeds. Example: the previous bandwidth was 40,000 kb, which is not 20 mbit. Any advice?

https://ibb.co/D4bRM2Q



F-Secure paper about counterfeit switches

A while ago we had an [interesting thread](pb4ugoout) about /u/pb4ugoout's probably counterfeit Cat 2K switches.

Lots of photos, fun discussion of a suspect bit of hardware, subtle font differences, the correct shade of blue for the console port, etc... in that thread.

Now F-Secure have released a paper on the topic: https://labs.f-secure.com/assets/BlogFiles/2020-07-the-fake-cisco.pdf



CSR1000v restapi connection issue

Hey guys, I am having an issue getting started with the REST API on the CSR1000v. When running a simple curl command from the command prompt I get this error. Seems to be an issue with the certificate but I cannot figure it out. It's a temporary self-signed certificate as I am doing this in an EVE-NG lab. Any thoughts on what could be going on? Below is the error I receive.

*   Trying 172.16.20.28...
* TCP_NODELAY set
* Connected to 172.16.20.28 (172.16.20.28) port 443 (#0)
* schannel: SSL/TLS connection with 172.16.20.28 port 443 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates.
* schannel: using IP address, SNI is not supported by OS.
* schannel: sending initial handshake data: sending 147 bytes...
* schannel: sent initial handshake data: sent 147 bytes
* schannel: SSL/TLS connection with 172.16.20.28 port 443 (step 2/3)
* schannel: encrypted data got 7
* schannel: encrypted data buffer: offset 7 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with 172.16.20.28 port 443
* schannel: clear security context handle
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log



2nd ISP and BGP question

Hi,

We are a small team (two members) and maintaining 8 core sites in a VPLS network. We currently have single Internet access at site A and planning to get a second one at site B. We do not have BGP at this point, but once we get the site B internet access, we are planning to do BGP with the provider and implement iBGP internally.

Site B Internet bandwidth will be half of site A. To prevent asynchronous routing we are planning to prepend our ASN at site B; since site A has a faster speed we will keep it as the primary. Eventually, we are going to upgrade site B speed if the network demands it. For now, just half.

  1. The question that I have is, does our plan make sense?
  2. Should we utilize site B for something else other than keeping it idle until site A goes down?
  3. Instead of keeping the site B Internet access idle, what would be a good use case to make good use of this?
  4. Once we get to the point of getting the same speed as site A what would be the best approach?

Thanks



bgp ipv4 filtering

Hi all,

I have to rethink our bgp route filters, as the ipv4 route count is still increasing and now will reach our old devices limits soon.

There is no possibility of upgrade, and a partial BGP table is better for our multi-homed setup than no table and just default routes IMHO.

Last time I added default routes to all our BGP peers and filtered out routes with an AS path length of 20 or longer and routes with a prefix longer than /25, then allowed routes with an AS path of up to 4 different ASes (no matter how many prepends). That reduced the installed routes to 715k.

That filter used the philosophy of "near is more important than far", as I thought that for long distances carriers might mostly share infrastructure.

But after having issues from EMEA to South East Asia with some providers, but not others, I want to invert the idea.

I will remove routes with an AS path longer than 20, a prefix length of /25 or longer, and an AS path of 3 different ASes or fewer. That will reduce the routes to about 445k, at least in my tests.

What do you think? Any ideas would be appreciated.
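The two filter policies described above, modelled in Python as an added example (not part of the original post) so their boundaries can be checked against sample routes; a real router expresses the same thing with as-path regexps and prefix-lists. The routes below are constructed from documentation address ranges and private ASNs.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                 # IPv4 prefix in CIDR form
    as_path: Tuple[int, ...]    # AS_PATH as received, prepends included


def prefix_len(route: Route) -> int:
    return ip_network(route.prefix).prefixlen


def distinct_as_count(route: Route) -> int:
    # A prepended ASN repeats in the path; counting the set ignores that,
    # which is what "no matter how many prepends" asks for.
    return len(set(route.as_path))


def old_policy(route: Route) -> bool:
    """Previous filter: drop AS_PATH of 20 or more hops, drop prefixes longer
    than /25, then keep only routes with at most 4 distinct ASes ("near")."""
    if len(route.as_path) >= 20:
        return False
    if prefix_len(route) > 25:
        return False
    return distinct_as_count(route) <= 4


def new_policy(route: Route) -> bool:
    """Inverted filter: drop AS_PATH longer than 20 hops, drop /25 and longer,
    drop routes with 3 or fewer distinct ASes (keep the "far" ones)."""
    if len(route.as_path) > 20:
        return False
    if prefix_len(route) >= 25:
        return False
    return distinct_as_count(route) > 3


def accepted(policy, routes: List[Route]) -> List[str]:
    """Prefixes that survive `policy`, in the order received."""
    return [r.prefix for r in routes if policy(r)]


# Constructed sample routes exercising each boundary of the two policies.
SAMPLE_ROUTES = [
    Route("203.0.113.0/24", (64500, 64501)),                          # 2 hops, "near"
    Route("198.51.100.0/26", (64500, 64501, 64502, 64503, 64504)),    # /26: too specific for both
    Route("192.0.2.0/24", (64500, 64500, 64500, 64501, 64502, 64503, 64504)),  # 3x prepend, 5 distinct
    Route("100.64.0.0/22", tuple(range(64500, 64520))),               # exactly 20 hops, 20 distinct
    Route("203.0.113.128/25", (64500, 64501, 64502, 64503)),          # /25 boundary, 4 distinct
]

if __name__ == "__main__":
    print("old policy keeps:", accepted(old_policy, SAMPLE_ROUTES))
    print("new policy keeps:", accepted(new_policy, SAMPLE_ROUTES))
```

Note how the /25 route and the exactly-20-hop route land on opposite sides of the two policies, which is the kind of boundary worth testing before committing a filter that drops half the table.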



Sonicwall vs Watchguard vs Fortinet

I have a remote office that currently has a Sonicwall firewall that is end of life and will need to be replaced in 2020. Historically we have always used Sonicwall TZ series firewalls at remote offices but I am thinking about trying something else out. What are everyone's thoughts on WatchGuard Fireboxes and Fortinet E series? This office has around 35 employees and uses a site-to-site VPN to connect back to the main office. Everything they use is either Citrix or cloud based.



Do most wifi chips now send Gratuitous ARP?

Need to know if my wireless adapter sends Gratuitous ARP. I plan to verify this by running Wireshark on a server on the same VLAN as the wireless device. This should work, right?

Also, just to confirm arp messages are sent and stored by the OS, not the wifi card, correct?



Tuesday, July 14, 2020

Cisco AireOS-based WLC and IPv6: Do mentioned restrictions apply to us?

Hi

We have 2 3504 in an SSO HA mode, currently we are on AireOS 8.5 but I'm regularly checking the caveats list for 8.10 since that is likely the last major release train of AireOS given the new WLCs are based on IOS-XE.

I'm planning on introducing IPv6 in our wireless network and I'm reading up on Cisco documentation. I've come across the wireless LAN configuration guide from Cisco and saw the IPv6 mobility restrictions. There Cisco writes: "The Dynamic VLAN function for IPv6 is not supported".
Dynamic VLAN is definitely something we are using and sending according reply attributes from our FreeRADIUS server to the WLCs.

However I'm uncertain if the restrictions apply in my setup since the 2 3504 are not running independently and there is no mobility group shared with other Cisco WLCs - so we shouldn't be affected?

I've not found similar references to IPv6 in the guide for IOS-XE based controllers so they must have fixed some IPv6-related things with the move to IOS-XE.



Monitoring traffic by source and destination

What way do you know of to monitor the bps from a certain subnet towards a server farm that I have in another subnet?

Preferably, I'd like to get the numbers through SNMP since it's more accurate than NetFlow. However, I tried NetFlow and SolarWinds NFA. It gave me the result by node, not by subnet.



Is this a malicious piece of software running on my device?


Apartment internet bandwidth monitoring?

Hi all,

A client who is supplying internet connectivity to an apartment building would like the ability to track bandwidth usage to see top users. A Juniper SRX550 is supplying the client's DHCP on a public /23. Switches are all Juniper EX2200.

Could I please have some recommendations for free or low-cost software for this? I have previously used Solarwinds and LibreNMS for network monitoring but don’t think they will do the trick here.

Thank you for any suggestions!



TAP working as passthrough nothing to analyzer

Working on a 1GB path with an optical to copper TAP (ntap). Think it's an older C model as it's the blue one. Connect the fiber jumper and data passes through the tap back to the network, but no link is established on the A/B side of the TAP (analyzer). Currently hooked up to a laptop to try and see if data/link is present.

Verified connections are 1GB on the fiber side, hard set the laptop to one gig, same results. Patch cables are good.
Tried multiple taps (same brand/model).

Any thoughts on what the issue could be?



Network+ Certification question

Has anyone here used the CompTIA CertMaster certification training course? And if so was it worth the money? I am currently self studying but I am not feeling too confident in my studying practices, which have been the CompTIA study guide book by Mike Meyers, the Prof Messer video course, and practice exams.



CenturyLink Fiber+ Enterprise 1Gb - IPv6

I have Fiber+ Enterprise with a 1Gb connection. I have a Ciena 3916 and an Adtran NetVanta 5660. Does anyone know anyone at CLink that can help me figure out how to get IPv6 enabled on my circuit? It's available but I can't find anyone that knows how to turn it on.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Choosing a port over another on a L2 switch

Hi r/Network

We have the following scenario:

https://github.com/alexma2344/sitio/blob/master/assets/images/red.jpg

Where the edge switch parque industrial (L2) at the bottom, has APs connected to it, and then forwards that traffic to "Torre" via "enlace backup" (on its right).

We'd like this traffic to reach "Torre" via the yellow fibre link on the left.

Am I right to think that, in order for the traffic to be forwarded to the yellow link, the end devices must have the router on top as their gateway, and that STP or the switch itself has nothing to do with how the traffic flows?

PS: I know this could be better formulated but I have limited information about this setup. Just trying to make some sense in general lines.

Both ports are designated - forwarding

Thank you in advance for any inputs.



Remote Desktop Software

If I wanted to code my own program to allow me to remote access a desktop of my coworker in order to help them out, how would I go about doing that?



This device has booted from the backup JUNOS image.

This switch is booted off the backup partition and also happens to be on a different version of JUNOS than I want.

user@EX4300-32F> show system alarms
2 alarms currently active
Alarm time               Class  Description
2020-07-05 13:14:35 PDT  Minor  Host 0 Boot from backup root
2020-07-05 13:13:53 PDT  Minor  Rescue configuration is not set

{master:0}
user@EX4300-32F> show system snapshot media internal
fpc0:
--------------------------------------------------------------------------
Information for snapshot on       internal (/dev/da0s1a) (backup)
Creation date: Apr 16 17:43:31 2019
JUNOS version on snapshot:
  jcrypto-ex: 17.3R3.10
  jdocs-ex: 17.3R3.10
  jsd : powerpc-17.3R3.10-jet-1
  jsdn-powerpc: 17.3R3.10
  junos : ex-17.3R3.10
  junos-ex-4300: 17.3R3.10
  jweb-ex: 17.3R3.10
Information for snapshot on       internal (/dev/da0s2a) (primary)
Creation date: Jul 2 17:11:31 2019
JUNOS version on snapshot:
  jcrypto-ex: 17.3R3-S4.2
  jdocs-ex: 17.3R3-S4.2
  jsd : powerpc-17.3R3-S4.2-jet-1
  jsdn-powerpc: 17.3R3-S4.2
  junos : ex-17.3R3-S4.2
  junos-ex-4300: 17.3R3-S4.2
  jweb-ex: 17.3R3-S4.2

Is there a way I can repair the da0s1a partition, reboot and then

request system snapshot media internal slice alternate 

to get back to a good state?

Is there a different order of operations I should follow? Online blogs don't really account for the root partitions being different or that the version I want is on the bad partition.



Brocade vRouter vyos upgrade

I have been asked to start doing research on Brocade's vRouter vyos upgrade. I saw Brocade Vyatta was acquired by AT&T to virtualize their platform. I can't find any updated information on the latest vyos code or any documents regarding the upgrade procedures. Please help on how to begin upgrading Vyatta vyos (not the open source). The current Brocade is running on Dell iDRAC. Any help would be much appreciated.



Looking to upgrade Switch at location with weird fiber configuration

Good Morning everyone,

I am reaching out to see if anyone has any experience in trying to make an old fiber configuration work with modern switches. We are currently using Allied Telesis switches, both with very interesting configurations. One is half-duplex, no auto-negotiation, and speed is set to 10. The other side is full-duplex, auto-negotiation, speed 100. This is working without any issues. We tried dropping in our new Aruba switches without any custom configuration using the existing transceivers (they are supported) and no dice. I assume it has something to do with the fiber configuration on each of the ports, but Aruba does not support those previous configurations. Might just be a case of old fiber, or an old demarc, but unfortunately this is an off-site location and no documentation exists. Any help anyone can provide would be greatly appreciated!



International Circuit speed issue.

We have a Metro-Ethernet (ELAN) that is currently going half way around the world. It's L2, that we are running L3 over. Spectrum is our provider and we have multiple legs in the USA already. Then we added a long haul to make it to China. The NNIs are in LA, San Francisco, Hong Kong. So there are 4 vendors overall involved in this. It's supposed to be a 50Mb circuit, and they have looked at it numerous times for us and everyone says it's provisioned correctly.

HTML5 speed test that is internally hosted comes up as 13/11Mb. Ping 250ms and 3ms jitter.

If I do a iperf3 with default setting, that is about what I see.

[ 4]   0.00-10.00  sec  7.88 MBytes  6.60 Mbits/sec                  sender
[ 4]   0.00-10.00  sec  7.88 MBytes  6.60 Mbits/sec                  receiver

But if I do -P 20, I can actually see the 50Mb.

[SUM]   0.00-10.00  sec  53.2 MBytes  44.7 Mbits/sec                  sender
[SUM]   0.00-10.00  sec  51.2 MBytes  43.0 Mbits/sec                  receiver

Is this just what is to be expected for going this distance?
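The single-stream versus -P 20 gap above is the signature of a per-connection TCP window limit on a 250 ms path. As an added illustration (not from the original post), the bandwidth-delay-product arithmetic with the post's own figures; the 3 ms LAN RTT used for comparison is an assumed value.

```python
import math

MBIT = 1_000_000  # bits


def bdp_bytes(rate_bps: float, rtt_s: float) -> float:
    """Bandwidth-delay product: bytes that must be in flight to fill the pipe."""
    return rate_bps * rtt_s / 8


def window_limited_rate_bps(window_bytes: float, rtt_s: float) -> float:
    """Ceiling for one TCP stream that can keep at most `window_bytes` in flight."""
    return window_bytes * 8 / rtt_s


def streams_needed(target_bps: float, per_stream_bps: float) -> int:
    """Parallel window-limited streams needed to reach `target_bps` in aggregate."""
    return math.ceil(target_bps / per_stream_bps)


# Figures from the post; only RTT_LAN_S is an assumed comparison value.
CIRCUIT_BPS = 50 * MBIT
RTT_LONG_HAUL_S = 0.250
SINGLE_STREAM_BPS = 6.60 * MBIT
RTT_LAN_S = 0.003


def summary() -> dict:
    # The window one stream effectively used is the BDP at the rate it reached.
    effective_window = bdp_bytes(SINGLE_STREAM_BPS, RTT_LONG_HAUL_S)
    return {
        # ~1.56 MB must be in flight for one stream to fill 50 Mbit/s at 250 ms
        "window_needed_for_circuit_bytes": bdp_bytes(CIRCUIT_BPS, RTT_LONG_HAUL_S),
        # ~206 KB is what the single stream actually kept in flight
        "effective_window_bytes": effective_window,
        # 8 such streams already exceed the circuit, so -P 20 saturates it
        "streams_to_fill_circuit": streams_needed(CIRCUIT_BPS, SINGLE_STREAM_BPS),
        # the same 206 KB window on a 3 ms LAN would allow ~550 Mbit/s
        "same_window_on_lan_bps": window_limited_rate_bps(effective_window, RTT_LAN_S),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value:,.0f}")
```

So the 50 Mb provisioning and the 6.6 Mb single-stream result are both consistent; what the circuit cannot hide is that each endpoint's receive window and congestion control set the per-flow ceiling at this RTT.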



Machine on remote LAN unreachable but maintains IP lease

I'm working in an environment where I SSH into a remote machine and then SSH into other machines in the LAN (of which there are two). Overnight, one of the machines now ssh errors with "No route to host" and ping errors with "Destination Host Unreachable." I checked the router status and both machines still have local IPs, and my understanding is that means that they are still communicating to some extent.

Any advice for how to diagnose this without going to the server physically, as a networking noob?



Global BPDUguard disabling interface without portfast.

So correct me if I'm wrong, but I was under the impression that BPDUguard only gets enforced on interfaces that have portfast configured.

I have a Sonos device that was not coming up because the port was going err-disable (Sonos uses STP, who knew?). BPDUguard is globally enabled, portfast was enabled on the port:

Global:

spanning-tree portfast bpduguard default 

Interface:

interface GigabitEthernet1/0/6
 description Sonos
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast

I thought that removing "spanning-tree portfast" would bring the interface up just fine, however the switch was still placing the interface in err-disable even after removing this line.

I had to use "spanning-tree bpduguard disable" to get the interface up.

Am I misremembering how BPDUguard works? I'm reading the official Cisco documentation that says:

Spanning tree shuts down STP ports that are in a Port Fast-operational state if any BPDU is received on those ports.

What am I missing?



WS-C6506 - 10Gb Module Installation

Hey,

I'm having to install an additional 10Gb module (WS-X6708-10GE) in our WS-C6506 core switches this weekend (each switch already has 1 of these installed).

I've inherited these and have never installed modules into them so operating a bit in the blind :)

Is there anything to look out for or is it as simple as installing the modules and letting them do its thing?

Cheers



Any test set recommendations for layer 1/2 troubleshooting.

Hi all. Does anyone have any recommendations for a test set that can:

  • Get basic port info (name, vlan, etc)
  • Test cable connectivity (pin out, line loss)



How do companies like Panera, Lowes, & Starbucks preload their website when connected to Wifi?

We want to do that with our small coffee shop. How can we make it so that when people connect to our wifi, they get brought to a terms and conditions page?



Installing and running GNS3 VM in VirtualBox for Mac OS

I am trying to configure a network for a work project in GNS3 so I am using youtube tutorials (David Bombal mainly) to get my GNS3 and VirtualBox set up. I have installed the GNS3 VM into VirtualBox, but when I start GNS3 up it does not automatically get the VM running, and under my "server summary" there is a red box next to the VM but my local server has a green light. Can anyone please help me get this up and running??



plenum vs riser in open areas

I know local jurisdictions will come into play, but this is bothering me.

We have a large, open warehouse-style space that is heated/cooled by rooftop package units. No ducting. They just blow air into and out of the space. Is it okay to use exposed riser cable? It doesn't seem like the space is a plenum, but it is technically "air-handling space". I just can't find any reliable information about this.



Dynamic Multipoint VPN (DMVPN)

Hello all,

I'm having a stump here trying to wrap my head around DMVPN topics. Particularly a real world deployment. Let's assume you have a hub with three spokes. Each of the four spokes are connected to the local ISP via eBGP. I've inserted a picture for visualization.

*Note: I've disguised a central router as the "internet"*

https://imgur.com/a/sQYbfgu

With this configuration, I'm using EIGRP to advertise both my internal networks and the tunnel network.

With BGP out of the equation, my VPN works perfectly fine. The problem is, I need to access the internet. So, naturally I configure eBGP and advertise my internal network and NBMA address (public IP address attached to the ethernet interface). Naturally, eBGP will populate the routing table, as it has a lower administrative distance than EIGRP. This essentially makes my VPN useless.

This is where my confusion sets in: what does a real world design look like? How do I define network traffic going to the internet or network traffic going to my other spokes? I cannot visualize or figure out what a real world deployment looks like. The only thing I can find is labs *without* an actual internet connection. Should I use a static "0.0.0.0 0.0.0.0 (next hop)" route to get to the internet? This way all traffic is directed to the internet, EXCEPT the longer matches via EIGRP?

I've got the configs down, I just want to be able to make it work in real life. Any kind of explanation or clarity is appreciated. I hope this is written clearly enough.
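An added model (not from the original post) of the two-stage route selection behind the question: a router first keeps one route per prefix by administrative distance, then forwards on the longest matching prefix. A default route toward the ISP therefore never outranks a more specific EIGRP route learned over the tunnel, whereas an eBGP-learned copy of the same /24 does. Scenario prefixes and next-hop names are constructed.

```python
from ipaddress import ip_address, ip_network

# Cisco default administrative distances for the route sources in the post.
AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90}


def build_rib(candidates):
    """Stage 1: one installed route per prefix, lowest administrative distance wins.
    candidates: iterable of (prefix, source, next_hop)."""
    rib = {}
    for prefix, source, next_hop in candidates:
        net = ip_network(prefix)
        if net not in rib or AD[source] < AD[rib[net][0]]:
            rib[net] = (source, next_hop)
    return rib


def lookup(rib, destination):
    """Stage 2: forward on the longest matching prefix among installed routes.
    Returns (prefix, source, next_hop) or None when nothing matches."""
    addr = ip_address(destination)
    best = None
    for net, (source, next_hop) in rib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, source, next_hop)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


# Scenario A (the post's problem): the hub LAN 10.1.0.0/24 is advertised into
# eBGP, so a spoke learns it from the ISP side (AD 20) as well as over the
# mGRE tunnel via EIGRP (AD 90). eBGP wins and the tunnel is bypassed.
SCENARIO_A = [
    ("0.0.0.0/0", "ebgp", "isp"),
    ("10.1.0.0/24", "ebgp", "isp"),
    ("10.1.0.0/24", "eigrp", "tunnel0"),
]

# Scenario B (what the post proposes): only a static default toward the ISP,
# internal prefixes learned only via EIGRP over the tunnel.
SCENARIO_B = [
    ("0.0.0.0/0", "static", "isp"),
    ("10.1.0.0/24", "eigrp", "tunnel0"),
]

if __name__ == "__main__":
    for name, scenario in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        rib = build_rib(scenario)
        print(name, "hub LAN ->", lookup(rib, "10.1.0.25"))
        print(name, "internet ->", lookup(rib, "203.0.113.9"))
```

The same logic explains why the NBMA (tunnel source) addresses must be reachable via the underlay route and the protected LANs only via the overlay: whichever table holds the more specific prefix decides which path the packet takes.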



Cisco Aironet 3800 problem

I have a problem with an AP that just won’t join the controller. I can see the mac address on the port and AP gets assigned an ip address and I can ping it from the controller but it just won’t join. Also, I saw the logs on the switchport and I’ve noticed that every 10 minutes the port gets down then up again. I’ve tried connecting to a different port and a different switch, nothing changed. The led of the AP keeps reverting between red and green. Could someone help me with this issue?



Determining L4 or L7 Load balancer

I have a need in a shell script to determine if a L4 or L7 load balancer is in use. I don’t care, at least for now, about any more detail than that. Simply is it a 4 or 7?

My vision is to do a curl and inspect the response. But I’m stumped as to what to look for. Any advice? Thanks?

Really nothing more complex than this pseudo code -

curl http://my.internal.site
# inspect response
if checkForL4 then
    return 4
else if checkForL7 then
    return 7
else
    return 0

More detail about my use case. Working with a very complex piece of software. Many variables to tune. A problematic piece is around the LB environment. If it’s an L4 then this collection of app runtime Variables need to be setup in a certain way. If a L7 then this different but overlapping set of variables needs to be set in such and such a way. In my org (large, distributed, siloed and very bureaucratic) we deal with at least 13 different groups re: load balancers. Some use this product, others use that. Some “allow” L4 if it’s the Tuesday before a full moon, others don’t. Some respond to questions within a week, others not so much. All seem to randomly change stuff on you.

So I'm trying to do a monitoring script that can, on a schedule, hit URLs used by our several dozen installations, look to see how the LB is configured and throw an alert if needed. Again a simple L4 or L7 answer is all that's needed. I don't have a foreseeable need for anything more.



Monday, July 13, 2020

SSH into Mac over internet.

I want to be able to ssh into my Mac sitting at home over the internet. I enabled port forwarding on my router, however I still can’t ssh into the Mac.

  1. Port forwarding is enabled on the router and pointed to the Mac.

  2. Remote login is enabled on the Mac.

What am I missing?



SPAN ports IP addressing

Just wondering if a SPAN destination port needs to be on the same subnet at the devices on the source SPAN port?

For example, if I had computers with IP of 192.168.1.1 and 192.168.1.2 on the Source ports mirroring into a Destination port with a computer of 192.168.2.1 running Wireshark, will Wireshark still be able to pick up traffic?

TIA.



Question about DNS over HTTPS (DOH).

I am testing DOH on our AWS environment in the company. I have installed DNSCrypt on one of the EC2 instances on Linux in one of the accounts in a particular region. I have set up a few other test EC2 instances on Windows to connect over Route53 to route traffic through DOH.

The idea is to be able to use doh for browsers, API clients, and more importantly server-to-server type communications, MQ traffic... etc. The idea is to use DOH instead of the regular DNS server type entry for any end client system.

With DNSCrypt, I am only able to use an alphabetical URL within the Firefox browser. But I would rather use an IP address so that this can be used to plug in to any end client, so that the connection is DOH enabled end to end irrespective of what browser is used (IE, Chrome, Safari) etc. and the other connection types like I mentioned above.

What are your thoughts?