Saturday, July 25, 2020

asr1001 EOL

Last go-around we got screwed with Cisco announcing EOL on the ASR1001 line literally 3 months after we bought 12 of them. I'm gun-shy to pull the trigger on the ASR1001-X due to this, as I had been expecting Cisco to announce a replacement by now.

So my first question is: are there any other options out there that are 1U, do IPsec and BGP on 3-4 Gbit/s of aggregate traffic with tons of NAT rules and hundreds of ACLs? The ISR line is not powerful enough, I do not want something like 6WIND, and I am not seeing much else from other vendors.

If the ASR1001-x is the best choice, can anyone recommend a good certified refurb Cisco vendor?



About a network switch

I want to get an 8-port switch and I was wondering if I can put it behind the TV, where ventilation is going to be limited. Is it a good place for it, or should it have more ventilation?



Sharing internet between two vlans.

Total newbie here. Excuse me if I don't match up to the rules.

Let's say I have 2 VLANs, 11 and 21, on an L2 switch (read: no inter-VLAN option) and I have a SOHO router (read: no sub-interfaces).

Is it possible to share internet from the SOHO router between these two VLANs?



Flying Solo (Kind Of)

Hello, I've applied for a new network engineer role with a global company. The role and pay look really good (25% increase), but I would be the only network engineer for the APAC region (I live in NZ), with 1 in Dublin and 7 in Boston. Currently I work in a team of 13 in the same office, so it's easy to just go to a colleague's desk and get ideas, troubleshoot, have a chat etc. Due to the time zones, I would basically be the only active engineer at the time, and any questions or interaction with other engineers would always be via email, I imagine. Has anyone had any experience of this type of role? I think I would just find it too hard to engage and build a working relationship with the other engineers.



[RANT] - Cisco TAC

Apologies if this is off topic, but I believe it's something that should be shared. I've been working with Cisco since 2003 and always thought they had stellar post-sales support, but the last five years or so have been really terrible. In this latest case, I had a C3750X pass away and needed an RMA through our valid SmartNet contract. This should be an easy process. It took 2 months and (this is not an exaggeration) 8 separate TAC engineers assigned to the case to resolve, and in the end it was us telling TAC what they were doing wrong (wrong UDI-PID in license). The RMA arrived overnight; however, getting the IP Services / Advantage license transferred over was a nightmare. For reasons unknown to me, generating a license is very difficult and, naturally, about a month into this, SmartNet expired on the device. Cisco dropped us like it was hot so fast. The case was closed immediately and emails would not be responded to, and we got stuck with an RMA with the wrong license until we renewed SmartNet (which was already in the pipeline and in process). It took another month of back-and-forth passive emails with Cisco (why we kept getting assigned people that only respond at 2am PST is beyond me). It wasn't until we spent the better part of a day calling Cisco over and over and over again that someone finally generated the correct license for us. Point being, this was the final straw for me and Cisco; if there are alternatives available, I will never recommend Cisco or SmartNet to another client unless their post-sales support gets their act together.



Engenius WiFi Router EWS377AP Firmware Change Log?

I can't locate this on their site, anyone able to provide any information on firmware changes for the EWS377AP-v3.7.4 update, or any of their firmware versions?



Open Source NAC?

Anyone have any opinions on or experiences with open source options for NAC they can share? I know packetfence seems to be the forerunner and it has its own sub but want to ask a wider audience before digging into this specific project or any other options. Good, bad, ugly feedback is welcomed. Right now just looking to get feedback on the state of options out in the open source world.

If a little context helps, I am looking for something that is network vendor supplicant flexible and can be deployed on a very large scale (i.e. hundreds of sites with tens of thousands of endpoints) without breaking the bank (read: no solutions which have linear cost per endpoint). I would even love to hear about commercial solutions if they can fit the bill, I'm just very gun-shy about the obvious players (ISE, ClearPass) for obvious cost and scalability challenges.

Even biased opinions or tangential opinions are welcomed. Bring it on!



Issue with hard wiring multiple computers on the same network

I am currently trying to hard-wire multiple computers to our router/modem and I can't seem to get it to function. We currently use the XB6 gateway from Xfinity that acts both as a modem and a router. Out of the back we have one Ethernet cable connected to a device, then a second connected to an unmanaged network switch (Linksys SE3005). Out of the network switch come two more Ethernet cables leading to devices in different rooms. When bypassing the switch (via a female-to-female Ethernet extender), the computer can obtain an IP and access the internet just fine, but when things are routed through the switch, the computer cannot access the internet nor ping the modem. I have tried multiple cables and verified they all function properly, and connection to the internet via Wi-Fi or bypassing the switch functions as expected. I have reinstalled network drivers on my device, flushed my DNS cache, tried using static and automatic IP on my network adapter, reserved an IP for my device through the modem, all without success.

I've gone through many guides on the internet trying to solve this problem (most suggest the same sequence of steps) and all were unsuccessful. I am not sure what to do at this point, but I am fairly certain the problem is originating at the Ethernet switch, not my computer. Does anyone have any suggestions?



Is DevNet in demand?

As much as people gripe about Cisco and certs in general, I skyrocketed my career by quickly studying for and attaining certs early on. There was a pretty tangible change in the quality and pay of offers I was getting as I moved up the cert ladder.

Is DevNet in demand in that kind of way? I jumped on the DevNet train pretty early but haven't had recruiters knocking down my door about it. I work in automation and the automation job messages I get are never even Cisco related. I get the feeling that DevNet is more of Cisco's way to try to steer the Networking field towards development and APIs and create this demand rather than answering an existing need for this demand? Am I off base here? Is enterprise networking actually pursuing development?



I'm a beginner and need help!!!!!

I have been reading about networking and it is very interesting, but I am new to this, so my problem is:

Where do I start to learn? What topics should I learn first?

Please give me resources like webpages, books, study guides, YouTube channels, etc.

Thank you for your comments, I'll be reading them.



Is there a way that an ISP/mobile service provider can connect the PC/laptop someone is using with their mobile phone?

Hello, forgive me if the question is stupid, I'm a beginner. Is it possible for an ISP to make the connection of which devices a person owns? Perhaps through websites visited? Or the kinds of things each person is streaming? Let's say person A searches for "makeup" on their laptop and phone, while person B searches for "sports" on their devices on a single network; does the ISP have some kind of data mining algorithm that can assign ownership to devices?



Can someone recommend me some networking books that will bring me to the right track in this study area?

So far I only know that Computer Networking: A Top-Down Approach, 6th Edition, is a good book. Which, let's say, 10 more books should I read to become an expert in this field?



MDM/EPP recommendations

Hey guys,

We have a small client, maybe 20 PCs at most with a couple of high speed media servers.

They will be remoting in from home, using a TeamViewer-like solution (RGS) to edit high-speed video.

The solution works great. The users connect over the VPN and edit with HP's RGS software. The VPN creates a LAN-like architecture, which allows the users to type in an IP address of the local LAN at work on their home computers.

We have a serious need for security, so I'm going to block all internet and disable split tunnel. The video editors will simply edit off the "local media server". However, the client also wants us to install an MDM solution or an EPP solution on all the computers: the computers at the office and the computers at their homes.

Does anyone have any cheap recommendations? It's only 20 computers, so this isn't the right environment for SolarWinds or anything like Tripwire.

Just something that a security professional will consider adequate.



Recommend processor for labbing

Hey, I am planning to assemble a new PC. I know this is not the correct subreddit for this, but please hear me out first. I am currently studying for CCIE. I don't have physical routers and switches. I am planning to use it for labbing with GNS3 or EVE-NG. The thing is, I don't know if new AMD chipsets support virtualization properly. I will also be running VMs (learning firewall and cyber security too). Can somebody please suggest a good processor (Intel or AMD or any other alternative)? I will be honest and say living in a third world country has its downsides. Sadly everything is costly here, if not unavailable. So I am looking for mid-range components that can provide optimum performance. Also, can someone please tell me how you guys lab?



Jr network engineer interview next week need tips

Hi guys,

I have an interview opportunity next week for a jr network engineer position. I'm a sysadmin/helpdesk guy who's currently still trying to get my CCNA, and I'm about 50% through the course. The interviewer mentioned that he did not mind. My only previous experience with switches was using them for multicasting.

The interview will involve a troubleshooting test using Packet Tracer, and I'd like to ask you folks what specific commands I should take note of.

Just off the top of my head, I'd think that ping, traceroute and telnet would be the most important, aside from viewing the status of the interfaces.



Open Networking OS recommendations

Just wondering if anyone can help us with some recommendations.

We are looking into moving into the world of open networking. We have a few Mellanox SN2100 switches that are Cumulus Linux compatible. Cumulus licenses for these switches aren't exactly inexpensive.

Before we commit to Cumulus, we are just wondering if there are other options like SONiC, Big Switch, Pica8 etc.

Have people tried a few NOSs like SONiC? Is there a NOS that has a GUI for configuration so we don't have to learn all the command lines? We had some Netgear switches, and we are familiar with their GUI, so something similar would be nice.

Anyway, would love some recommendations on what others have deployed so far and why.

Thanks in advance.



Receiving packets mismatch using Cisco's T-Rex and Intel X540-AT2

I'm generating line-rate traffic at 64, 128, ... 1024B packets with T-Rex on one interface on one server, which is connected via an Ethernet cable to another server which receives the traffic.

I'm having problems with calculating the received traffic.

The traffic is generated using the STL part of T-Rex - the config file is the following:

from trex_stl_lib.api import *

class STLS1(object):

    def create_stream(self):
        # Ether/IP/UDP with no payload: the 64B case (the NIC pads the frame
        # to the 64-byte minimum); larger sizes add a payload to the pkt line
        return STLStream(
            packet=STLPktBuilder(
                pkt=Ether()/IP(src="192.168.1.1", dst="192.168.1.4")/UDP(dport=12, sport=1025)
            ),
            mode=STLTXCont())

    def get_streams(self, direction=0, **kwargs):
        # create 1 stream
        return [self.create_stream()]

# dynamic load - used for trex console or simulator
def register():
    return STLS1()

The 128B config is the same, except for this line:

pkt = Ether()/IP(src="192.168.1.1",dst="192.168.1.4")/UDP(dport=12,sport=1025)/(82*'x')

, which (hopefully?) creates a packet of 128B size (I was checking these in Wireshark, they were of the correct size; I successfully created .pcaps of the required size).

I have made the calculations on the receiving side by getting ethtool statistics every 0.1 seconds and then getting a sum every 10 time segments of 0.1 secs, so there's higher precision (so for 60 seconds of incoming traffic, 600 data points, which are then summed to 60 data points to have packets-per-second information).

What I'm putting in the results file are the rx_packets and rx_no_dma_resources fields. Those, when added together when ethtool is called ad hoc (after testing), get me the exact number for rx_pkts_nic. I supposed:

rx_packets: processed packets by the kernel

rx_no_dma_resources: dropped packets by the kernel since it has no memory/cpu cycles to process them

rx_pkts_nic: total received packets on the interface

Now, what's my problem?

When I add rx_packets and rx_no_dma_resources fields from the results file, at 64B the result is 15360462 packets, which is 15.36 Mpps. Linerate with 64B packets is 14.88 Mpps. Same thing is happening with 128B as well, the result is 8678046 packets, where there should be 8.45 Mpps. 256B added value is 4659059, 4.53 Mpps is expected (AFAIK).

Am I adding something up incorrectly? Are the config files for T-Rex incorrect? Is it something else? Are the lines I'm grepping from ethtool not representing what I think they do?

If needed, I can provide the .pcaps on which I based the configs and the results files.
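As an added example (not code from the original post), a small Python helper that computes the theoretical 10GbE line rate for each frame size, parses ethtool counters, turns 0.1 s cumulative snapshots into per-second rates by differencing, and flags a measured rate above the physical limit. It assumes a 10GbE link and the standard 20-byte per-frame overhead; the ethtool output and counter snapshots are constructed, not captured.

```python
"""Line-rate sanity checks for the ethtool-based receive measurement above.

Added example, not code from the original post. Assumptions: a 10GbE link
(the X540-AT2 is 10GBASE-T), the standard 20-byte per-frame overhead
(7 B preamble + 1 B SFD + 12 B inter-frame gap), and frame sizes that
include the 4-byte FCS, which is how the 64/128/256 B sizes are quoted.
"""
import re

LINK_BPS = 10_000_000_000      # assumed 10GbE link speed
PER_FRAME_OVERHEAD_BYTES = 20  # preamble + SFD + IFG, never counted in frame size
SAMPLES_PER_SECOND = 10        # ethtool polled every 0.1 s, as in the post


def max_pps(frame_bytes, link_bps=LINK_BPS):
    """Theoretical maximum frames per second for a given frame size (incl. FCS)."""
    return link_bps / ((frame_bytes + PER_FRAME_OVERHEAD_BYTES) * 8)


_STAT_RE = re.compile(r"^\s*(\w+):\s*(\d+)\s*$")
WANTED = ("rx_packets", "rx_no_dma_resources", "rx_pkts_nic")


def parse_ethtool_stats(text, fields=WANTED):
    """Parse 'ethtool -S <iface>' output into {counter: value} for the chosen fields."""
    stats = {}
    for line in text.splitlines():
        m = _STAT_RE.match(line)
        if m and m.group(1) in fields:
            stats[m.group(1)] = int(m.group(2))
    return stats


def pps_from_cumulative(snapshots, field, per_second=SAMPLES_PER_SECOND):
    """Convert cumulative counter snapshots (one per 0.1 s) into packets per second.

    ethtool counters are running totals, so the rate over a one-second window
    is the difference between snapshots one second apart, not a sum of the
    snapshot values. Note that, per the post, rx_pkts_nic already equals
    rx_packets + rx_no_dma_resources, so use either that total or the sum of
    the two parts, never all three.
    """
    values = [s[field] for s in snapshots]
    return [values[i] - values[i - per_second]
            for i in range(per_second, len(values), per_second)]


def check_against_linerate(measured_pps, frame_bytes, link_bps=LINK_BPS, tolerance=0.001):
    """Compare a measured rate with the physical maximum for that frame size.

    Anything above the limit (plus a small tolerance for timer jitter) cannot
    have arrived on the wire: it points at double counting or at a counter
    that does not mean what the measurement assumes.
    """
    limit = max_pps(frame_bytes, link_bps)
    return {
        "limit_pps": limit,
        "utilisation": measured_pps / limit,
        "plausible": measured_pps <= limit * (1 + tolerance),
    }


# Constructed sample of 'ethtool -S' output (not captured from a real NIC).
SAMPLE_ETHTOOL = """NIC statistics:
     rx_packets: 1488000
     tx_packets: 0
     rx_no_dma_resources: 12
     rx_pkts_nic: 1488012
"""


def constructed_snapshots(n=21, step=1_488_000, drops=12):
    """Constructed 0.1 s snapshots for a NIC receiving just under 64 B line rate."""
    return [{"rx_packets": i * step,
             "rx_no_dma_resources": i * drops,
             "rx_pkts_nic": i * (step + drops)} for i in range(n)]


if __name__ == "__main__":
    for size in (64, 128, 256):
        print(f"{size:4d} B: max {max_pps(size) / 1e6:.2f} Mpps")
    rates = pps_from_cumulative(constructed_snapshots(), "rx_pkts_nic")
    print("per-second rates from snapshots:", rates)
    # The 64 B figure quoted in the post exceeds what a 10GbE link can carry.
    print("15.36 Mpps at 64 B plausible?", check_against_linerate(15_360_462, 64)["plausible"])
```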



Use static route to specific host or add default gateway?

From VLAN 20 on my switch, I need to reach a specific host on VLAN 30.

I could add a default gateway on my switch. That would send all traffic (not destined to the local network) to the DG and make it to VLAN 30.

But I also could add a static route: ip route 10.10.30.5 255.255.255.255 10.10.30.1

Wouldn't adding a static route be more secure than having a default gateway?

Do you guys always have a default gateway on your switches?

Thanks



Need advice for a home 4g network setup

Hi,

I'm planning on moving back home to rural France for a year to save a ton of money on rent versus living in the UK in a nice flat I rent alone. I work in VFX, so I've been working remotely full time since COVID-19 started. My current research suggests that a MIMO omnidirectional antenna may be best, as I don't really have direct line of sight to the nearest cell tower. I'm planning on running said antenna on my roof and piping it down to a solid 4G router. I'm looking for any advice to keep the entire setup under, say, £400. It's for my work, so I'm willing to spend good money on this for it to prioritize speed and stability over ease of use etc., as being technical comes with my job. Looking forward to hearing from anyone out there, especially if that's already something they've done.

Cheers!



Looking to deploy FTTH in a village

Hi. I'm looking to roll out FTTH in a village, around 20-25 connections. I'll be reselling internet from a business and they will give me 50% of the plan.

My question is: should I go with EPON or GPON? I don't have the budget for a fibre splicing machine, so is there any alternative for that?



Implementing Wired 802.1x & MAC-auth. Scared as hell...

So last week I started preparations for implementing 802.1x and MAC-auth on our wired network, and we’re also assigning the VLANs dynamically. We have Aruba access switches and 2 ClearPass appliances, and with the help of a very skilled consultant the first tests are going really well.

Now, this post isn't actually about technical issues, it's more about emotions. I have been a network engineer for over 15 years, and I'm pretty good at my job. When I wanted to connect a device to my network, I configured a switchport in a VLAN, connected the device and everything worked. This is how I've done my job for the past decade.

The change that is coming to my infrastructure demands a fundamentally new way of managing the network. All ports have an identical config, and I have to assign devices to VLANs (or "user roles") in ClearPass, and ClearPass will tell the switch how to behave.

To be honest, I am scared as hell for what's coming. I truly believe that it will all work wonderfully AND we will benefit from the additional security, but the things that can go wrong just blow my mind. What if my ClearPass servers stop working? What if the computer certificate on the clients gets messed up? I find the additional complexity pretty daunting, and I worry about when things start falling apart and I can't get it fixed.

Have you been in a similar situation? How do you deal with this kind of change? Any tips and tricks on how to mitigate risks for this particular case?



AP stealing gateway

We run Aruba/Airwave - we currently have a problem where the Virtual Controller AP is stealing the gateway IP for our entire site. This started occurring after a recent Airwave and AP firmware update.

When looking at the ARP table in our cores, we can see our gateway address associated with the MAC of whichever AP is the current VC (we tried disabling the port the original VC was on, but the problem just moves to the new VC).

I've been on the phone to Aruba support for hours this afternoon and we're still no closer to figuring it out.

Has anyone had this type of issue before?



I need a simulator

Hi,

I need a simulator that supports the creation of different subnets and CIDR blocks to exercise myself. The software should run on Linux.



NOC Day to Day Responsibilities!

Hey everyone,

Thanks for your comments! Can you please share the day-to-day duties of a NOC technician? Tools they use to perform monitoring, performing application and server triage.

Helping management with KPIs, server monitoring, infrastructure deployment.

Many thanks!



How to reduce ping

So I've been playing CS:GO and Valorant, but I can't get a good enough ping... it keeps fluctuating between 200-400... I am using it via Wi-Fi and I am from India... is there any way that this can be reduced? I've looked into configuring the router, but I kinda have doubts and am scared it won't go as planned and will end up causing a problem...



Friday, July 24, 2020

Summer trainee project

Hi all. I'm an engineering student and I got a summer traineeship for a month in a company's routing and switching department. I'm supposed to do a small project in this period. Can anyone help me with an idea?



Question about why not to use Meraki

On posts from this sub I usually read how IT does not recommend Meraki for their main router. I have a situation. My boss's good friend is highly recommending we transition from all our routing equipment being managed by outside contractors to being managed in house with equipment replacement. This friend is recommending we use Meraki for all of it: PoE switches for 1500 VoIP phones and computers, Meraki MX68 for about 40 remote sites, and MX450 for the main router, all configured in a star topology one-to-many VPN connection. Tell me why you guys do not like Meraki for this scenario. What are your gripes with Meraki besides price? Thanks in advance.



Can't get switch to use password-based SSH

DISCLAIMER: Repost from r/ccna

Hey guys! Working on CCNA studying and just got in a bunch of switches for homelabbing. I'm trying to set up SSH access so I don't have to constantly switch around a serial cable. Took me a while, but I eventually got my switch accessible from the network and SSH-able. Now the problem is that no matter what, I cannot get IOS to use password-based authentication instead of key-based authentication. Using PuTTY, I can SSH into the switch, but after it prompts for the username it times out without giving me a password prompt. Using debug ip ssh, the switch just says host key authentication failed and password authentication failed, even though it never prompted me for the password.

Config Here:

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Level2
!
boot-start-marker
boot-end-marker
!
enable secret 5 password
!
username admin privilege 15 password
no aaa new-model
system mtu routing 1500
!
!
no ip domain-lookup
ip domain-name fios-router.home
ip name-server 1.1.1.1
!
!
interface Vlan1
 ip address 192.168.1.9 255.255.255.0
!
ip default-gateway 192.168.1.1
ip http server
ip http secure-server
logging esm config
!
line con 0
 logging synchronous
 login local
line vty 0 4
 privilege level 15
 password a3b2f5c4
 login local
 transport input ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
!
end

Note: I have an identical switch running IOS 12 that has the exact same running config but works perfectly and prompts for the password. I can't figure out the difference.



Cisco router 1921 help

I have just begun my studies and, while I thought I was doing well on the book part, as soon as I got my hands on real equipment that all changed. I have a 1921 main unit that has an Ethernet cable from my provider's router running in on GE0/1. I assigned DHCP to that port and it's showing up on my router as a connected device. However, on GE0/0 I have an Ethernet cable running from it to an HP server. I configured the settings on that port for DHCP to get an address assigned. Both ports are listed as up. The GE0/0 port that is plugged into my server is not getting a connection. It's getting a limited connection with no internet. I plugged the Ethernet from my provider's router into the server and I got internet access immediately. Can someone explain to me what I am doing that is causing the limited connection with no internet? Many thanks.



Anything similar to bmon for windows?

I want to be able to view the Network layer data and Transport layer data passing through my laptop with a Windows OS; so far I can only find Application layer network monitors, which have too much information. Ideally I would like something similar to Linux's bmon. I can't install Linux or dual boot as it's incompatible with my laptop model.



What is a "programmable fast path complex" in terms of a Service Routers line card?

Nokia (Alcatel) has line cards called Input/Output Module. The documentation on it says "IOMs contain the required traffic-processing fast-path complexes based on the FPx (their NPU) network processor. Fast-path complexes are responsible for buffering and QoS"

But I can only find information on fast-path in terms of DSLAM error correction.

What's a complex? What's a fast-path? (Obviously it's a fast path, but deeper than that).



Beginner to ACI and SDN question

I've just accepted a role where I will be helping to start the move from a more traditional blended network topology to one leveraging Cisco's ACI and SDN. My background is in software engineering and DevOps. My best languages are Python and C-type languages.

What I am really wondering is how important going through CCNA, CCNP, CCIE is to get to this place. My workplace has plenty of skilled network engineers who will be there helping me to understand their network architecture. Could I be successful implementing ACI and SDN just relying on my colleagues to help me with requirements, or should I prioritize going through the whole suite to catch up?

Thank you for your advice



Anyconnect LDAP + certificate authentication query

Hi folks,

On our remote VPN from our ASA we are using LDAP + certificate based authentication, and adding the UPN as the username from the certificate.

The issue we are having is for newly built machines, and I am trying to understand exactly how it works. A new machine will initially have only a machine cert. In order to register them for a user cert, they'd need to log on first to the VPN, as we are using AlwaysOn and deny internet access unless they're connected to the VPN.

So for newly built machines that only have a machine cert (AnyConnect is set to search both for a personal and a machine one), the authentication succeeds. But the user can't log in with the UPN; they have to use their sAMAccountName. Given they don't have a user cert yet, how does this work? Does the option set in the tunnel group to use the UPN from the certificate not apply to machine certs? Is it only the user cert that will have the UPN in the Subject Alternative Name field? Even though I understand the general concepts, I'm a bit of a beginner when it comes to certificates. Your help is much appreciated!



Cisco AP 4800 (8.10) and Infoblox (7.3.2)

I ran into an incompatibility issue with Cisco AP 4800 (8.10) and Infoblox (7.3.2).
The Infoblox will not provide IPs via DHCP to these APs.
The same set up works fine with 3702s and 3800 series APs.

I performed the following troubleshooting tests:

  1. Connected a laptop to the same switch port and received an address on the correct VLAN / subnet = Infoblox is working correctly for this scope.
  2. Created a DHCP scope on the same L3 switch where the SVI for that VLAN resides; all APs got their IPs = the APs' boot-up process and DHCP request process work fine.
  3. Tried a couple of different IPs for DHCP relay to Infoblox; I tried a couple of grid members as well as the grid master.

Let me know what you think...



Cisco Mobility Express

Hi All,

Have a Mobility Express 1832 AP. I just went through setup, where I assigned it mgmt IP 192.168.188.100 255.255.255.0 192.168.188.1

It is connected to the switch (2960) and it shows up in CDP, but the IP doesn't show up, and I can't ping it. The device 192.168.188.1 (gateway) has not arrived on site yet, so I don't have that in place. The Mobility Express AP is flashing red, and I'm wondering if that is because it doesn't have a valid gateway device (since 192.168.188.1 isn't on the network yet), but I would have thought at least I could ping it from the switch (192.168.188.230). The SSID is also not showing up in the air. Any thoughts? Wait for the gateway device?



Cisco SD-WAN (Viptela) training

Does anyone have any good training resources they could share or point me to, to get started with Cisco SD-WAN?



Out of support isr routers

We work with Park Place to support servers/switches that reached end of support. I was wondering what would happen if we were to include our DMVPN routers; they are mostly 1941 models, support ended in May, but because of time and budget issues we won't replace them within a few months.

If a router were to fail, Park Place could send us another one, but how could we activate the security license?



What are you using for Config Change Approval and Tracking?

We're using a hodgepodge mix of SharePoint and Word docs for management to track and approve network changes, and it's plain awful. Often when an engineer writes a MOP that gets rejected by our weekly review team, by then they've moved on to another project, so someone else needs to pick up where they left off. There's little to no info as to why the original config change was rejected, and no way for us to easily suss out how the project evolved over time (MOPs are written in Word docs that are rarely commented). Is there a centralized solution out there that actually works well for engineers and management alike, or is there an actual legitimate need for this?



VLAN Design Question

I'm a Microsoft consultant and work mainly with client management and related infrastructure. I think I have a fairly robust understanding of networking as well, but I ran into a network design at a customer recently which felt a bit flawed to me and they failed to explain the benefits of doing it that way that would outweigh my perceived drawbacks. So I thought I'd post here and get some other perspectives on it. I've simplified the example to get at my question. The environment in question had more sites and a lot more VLANs and subnets.

You have two sites connected through a WAN-link and each site has servers and clients.

You want to separate clients and servers, putting them on different subnets, and you want to segment your network, so you create two VLANs at each site, one for clients and one for servers, and route the traffic between them.

At this client, they had elected to use the same VLAN ID at both sites for the two network types. So the client network in site A and site B were different subnets but the same VLAN ID.

The main argument they had was that it reduced the number of VLANs in the environment and simplified management.

My argument against was that it caused a bit of confusion and also prevented tagging a port in Site A with the client network of Site B for testing purposes.

Any experienced network engineer who can talk about pros and cons and why one design is preferable over the other?



WLC CLI commands

I'm trying to change the VLAN ID of an interface using the CLI of my WLC, but the only options I found in the config guide were to delete the existing and then create a new VLAN interface. These are the commands to create a new one:

config interface create "VLAN 81" 81

config interface address dynamic-interface "VLAN 81" 192.168.81.46 255.255.255.0 192.168.81.1

config interface port "VLAN 81"

Let's say I already have interface "VLAN 81" created and mapped to port "VLAN 81"; how can I change "VLAN 81" to "VLAN 90" using the CLI? I know it can be done with the GUI, but unfortunately I don't have access to it. Thanks in advance!



Tips on VLAN routing on a layer 2 switch?

Bear with me, I have limited knowledge of networking. I have a switch, a router, and two servers. I'm trying to create two VLANs. Both servers are on different VLANs with different IP addresses. I'm trying to do a basic test, just to ping each other on different VLANs to see if they can reach each other. I've read that to do this on a layer 2 switch, you would need a router connected to my switch with one port shared with the 2 VLANs for them to communicate.



Anyone familiar with using SD card to recover IOS? Industrial ie3010

So my flash failed on an IE3010. I was getting NV invalid argument responses. I tried to format and fsck to no avail. Unfortunately, the switch rebooted and is now in the boot loader. It is still showing nothing when I try to dir the flash, and I'm getting unable to write to sector on SD.

I am getting a spare SD card to try and get an IOS back on the switch. Xmodem failed because it's not allowing anything to be copied to flash.

Anyone have experience with this or any ideas of what I should do? The switch is at EOL, but I need to try to get it up until it can be replaced. Would inserting the new SD card allow me to recover in the bootloader?

Ty



How does Google's DNS work? How can the same resolver address be used worldwide?

It has the same low ping in Europe, US, Asia. So 8.8.8.8 is an alias, right? How can you see the actual servers under that name?



Can't connect to router

I know this is a beginner question and quite simple. I recently bought a TP-Link load balancer TL-R470T+ and I changed the LAN address from 192.168.0.1 to 192.168.1.1, and now I can't access the router via browser. My IPv4 is set to obtain automatically and I don't know what's going on. Any help is appreciated. Thank you.

PS Nothing is connected to the router except my laptop



Identifying SBL and Non-SBL Anyconnect users

Hi folks, anyone got a nifty way to see who is and isn't using SBL on our VPN? Either client-side log checking or from ASDM?



Looking for something I can plug into my ISP router that acts as another HotSpot that can provide me 2 DNS Servers separate to my Router entirely?

Hey guys,

I'm not really tech savvy in my old age! However, I have an Apple TV and it only allows 1 DNS server to be added. Ideally I need 2.

I'm using a Smart DNS server to access geo-restricted content. However, I need my normal router to use my regular ISP DNS servers. Is there any way I can buy another device that can plug into my router's LAN port to offer me a totally different hotspot for my Apple TV, separate from my ISP router, and that I can add the 2 Smart DNS servers to?

Sorry if this is a little confusing. Any help is appreciated.



Question for network engineers on what you mostly deal with daily at work

I've had so many help desk roles and I'm tired of doing that, so I'm gonna get my Cisco cert and go for an engineer job. If you were asked what's the main thing you deal with on a daily basis as a network engineer, what would that be? I'm not talking the server side but the routers, switches, and firewalls.

Hope that question makes some sense.



Thursday, July 23, 2020

Cisco Prime alternatives

Hi, I have been tasked to find a solution that can aid us in keeping track of device configs as well as being able to deploy IOS updates to devices. I ran a trial of this on Cisco Prime and it does exactly what we want it to do. One key aspect is the ability to use our Cisco CCO login to find the latest, recommended IOS images directly from Cisco. We spoke to our Cisco account manager, who has basically told us not to order Prime due to it going EOL very soon, with his words basically being "you'll be throwing money away".

I was wondering if anyone could recommend an alternative product that could allow us to keep a backup of configs, allow us to automate IOS upgrades and obtain the IOS images directly from Cisco rather than us having to put them into a repository.



Simulating a DSL connection/Creating a DSL line

I am looking for a way to simulate a DSL signal/connection to test and simulate a connection to a modem. A DSLAM would be suitable; however, if there is an alternative or any further ideas to try out in order to test various modems, that would be great.



H3C WAP722S AP

Hi guys, does anyone in here know anything about H3C products? I'm struggling to access their AP. It always fails to boot at "Booting App". I tried to reset the AP but still the same output. Appreciate any help. Thanks!



Remote Server - (I’m not Tech Savvy)

Hi Reddit Family,

I currently live in California, but I plan on moving to Arizona temporarily. I want my main server/VPN to be connected to my home location in California.

Any help information would be greatly appreciated 🙏🏾



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



DSL speed questions

I am researching switching to a DSL provider and I am trying to figure out what sort of speeds I should be able to expect.

When I asked what speeds I should expect, they told me 45x4 is the speed I should expect.

Would anyone be able to help me figure out what 45x4 would be in Mbps?



Doesn't encapsulation increase uploaded/downloaded the file size?

I don't know if I should've asked this question on askprogramming but this sub seemed more relevant. I've read the rules. This question seemed appropriate.

I've been wondering this for years and I really don't get it. I couldn't find an answer yet.

We have a file. We're going to send it over the internet. The file gets divided. Those divisions get encapsulated with several headers and it gets sent division by division. The encapsulation diagram shows that the actual size of the file division in the whole encapsulation is very small. Headers occupy most of the space.

When I look at the actual transmission, what we have sent is exactly the file's actual size. When we get the file, what we received is also the file's size.

What happened to all the data? Why do we transmit only the file? What happened to the headers? Did we not transmit or receive those?

This gets me really confused.



Good books / resources for network security

As the title says, I'm looking for some good books or other resources for network security, like different firewall zoning concepts.



Fiber scope recommendations

I'm looking at either a "new cheap fs.com type one" or a better quality type one used on ebay. I probably will scope three or four pairs a month on average, maybe less, so I don't need the high end stuff.

I know nothing about brands or anything like that, so I'm not sure if there is good, bad, or a scope is a scope.



Crossroads in my career - input / perspective valued.

Hi guys,

I've been working as a Network Infrastructure Specialist for around 8 years now. I've worked on a multitude of projects with the organisations I've been employed with (all enterprise organisations, no VARs/MSPs): lots of infrastructure transformations, project delivery and support. Very hands on and technical.

I recently got notice of redundancy from my current employer (retail sector) and it's made me weigh up where I want to go in my career. The end goal is to work as a systems engineer / solutions architect for a vendor (or as close as I can get).

I've been presented with the opportunity to go into network infrastructure pre-sales with a Cisco premier partner. This isn't a hands-on technical role but will give me that business and customer engagement experience that I see a lot of systems engineer positions looking for. My only concern is that my technical skillset might get dull as time goes on; however, I plan to keep labbing / studying on the side if I take this position.

Has anyone in this sub made a similar move? Any customer facing systems engineers got any advice? Alternative routes? Is this an advisable move to get to where I want to be?

Thanks 🙂



DHCP Server

Very noob question here, but how do you guys handle DHCP in production environments? Do you use the one included in routers or do you have a dedicated box just to run DHCP?



CloudFlare added upload test on their speedtest.

Cloudflare has added an upload test to their speed test today: https://speed.cloudflare.com/

https://imgur.com/UhIkH4i



virtual BNG?

Hi,

We are running two Cisco ASR1002F boxes as BNG for 500-600 L2TP subscribers, supported by a FreeRADIUS AAA server.

I'd like to update the outdated boxes to newer (and 10G capable) hardware. Sure, I can keep the old scheme and update the hardware 1:1 to more up-to-date boxes (e.g. two ASR1001X with maximum PAYG licensing), but I wonder if there is a better, more modern and a little "SDN-ish" approach for this solution.

Does anyone have experience in this area and would like to share it?

//AndSch



HP5120 (Comware 5) specific privilege for one user

Hey!

I'm sorry to ask for help once more but I couldn't find any solution on the web.

I'm configuring an HP5120 switch and I'm trying to configure a "RO user" for my backup software (which I have done on my HP5130 switches and it works perfectly). The only issue is that I can't find a way to assign a specific privilege level to one user.

To me, only these 2 commands are related to this issue (I'm using publickey authentication):

user-interface vty 0 15
authentication-mode scheme
user privilege level 3
terminal type vt100

&

local-user test
authorization-attribute level 1
service-type ssh

But the authorization-attribute command has no effect; only user privilege level works, but it is applied to all the users.

There has to be something I'm missing / misunderstanding.

Thank you in advance,

Have a wonderful day!



RSA key generate

Is there a way to automatically generate an RSA key instead of manually inputting "crypto key generate rsa modulus 2048"? I'm uploading the templates via TFTP but need to type this every time in order to enable SSH. Is there a certificate I can buy or an automation method?

Also, I've read online about RSA keys expiring on a switch; is this true?



Video Conferencing & WiFi

What is the current general consensus for video conferencing while on WiFi or hard wired? I am currently a network engineer for a medium organization. Teleconferencing demands are increasing dramatically due to COVID, everything from Zoom and Skype to WebEx meetings.

When asked if the current WiFi will support the increased load, or when met with complaints of crashes and choppiness, what should I be looking at? I am currently armed with Prime and an Ekahau, but I thought voice and video had quality of service demands along with latency demands.

In a Cisco environment, are there minimum WAP specs I should be looking at? I usually tell them that I would rather they used wired connections for video conferencing, and I had understood that WiFi is still one collision domain and if there are several devices there will be issues. Also, some places still only have Fast Ethernet for the WAPs while others will have gigabit feeding the WAPs. In the end these sites are connected via MPLS and then connect to the internet through our main NOC.

Any advice will be helpful. I am currently a network engineer with CCNA Route and Switch but barely getting experience in this aspect, especially WiFi assessments.



Need Help in Wireless Networking some large spaces.

Hello everyone,

It should be obvious that I'm new to this community; however, I believe I can find my answers with your help in here.

I have a problem in my enterprise. I'm neither a networking nor an IT guy, just a middle management one.

We would like to have seamless internet connection in our whole enterprise, which consists of nearly 50000m2 and some closed spaces, and some reflectors (like steel sheets etc.), but when we got a quote for the process we had figures like $100.000 with some Dell products. I was wondering whether there should be a cheaper way to integrate our whole enterprise into the WiFi network; at that point I need your help.

Could you be so kind to advise me better and cheaper options?

Sorry for my English, it's not my native language.

Thanks in advance.



Windows Server VPN without AD?

Hello,

Can someone please tell me if there's a way to enable direct VPN connection between server and one client (both running Windows Server 201x) without setting up the Active Directory?

I was thinking about L2TP/IPsec or SSTP since PPTP basically has no security but I can't create certificates nor create users without AD.

Thanks in advance.



Question: Features like port sec and DHCP rate limiting are implemented to prevent DoS attacks like DHCP starvation and MAC flooding. The solutions usually involve the device shutting down the port or dropping further incoming packets. Isn't this what the attacker wants to achieve?

I am a networking student with CCNA R&S and zero networking work experience. I know that I am definitely missing out on something; please help me fill in the gap.



Cat 9500 or 9400 for Collapsed Core

An office with roughly 600-800 endpoints, currently using a mix of 2960x and 9300s, looking to replace 6509 chassis. Can anyone advise me whether I should go with the 2 x C9404R chassis and have a sup-1 in each chassis (running StackWise virtual) and 2x24 10G Line cards or I should look at 9500 (C9500-48Y4C - 48 x 1/10/25G SFP+ and 4 x 40/100 QSFP+ ).



Dynamic VLAN assignment - access switch ports

Hi guys,

Looking for ideas/opinions on how to dynamically assign VLANs to access ports. The end goal would be to detect an interface going up, discover the MAC OUI and dynamically assign the correct voice and data VLAN based on that OUI. Bonus points if I can assign other interface configs like QoS.

I've been looking and so far it looks like the best option is some form of EEM script, or using Cisco Smartports.

These scripts would be run on Cisco Catalyst 2960-X, IOS 15.2.

Thanks in advance!



Visio page master template

Hi all,

I know this isn't a networking question, but I guess many of us use Visio on a day to day basis.

So we use Visio for documentation and to plan new projects. We have a "template" that adds a little bit of corporate identity to the page (adds a border, company logo, a text field with page number, page title, etc).

At the moment whenever we need to create a new page in the existing Visio, we open the template, copy all, create the new page, paste all, and start working from there. So my question is, do you know of any kind of "master template" mode in Visio? Something like in PowerPoint?

So that you could for example change the logo on the template page and it is changed in all other pages.

I could just find ways to create a new Visio template (*.vstx), but that only creates a new Visio file with the template, not a new page in the existing file.



Cisco Aironet CAP3700 Series For Home Use

I just recently acquired a FortiGate and am starting to experiment around. I came across Cisco CAP3700 series on eBay and the price varies from $50 to $200 used.

I found a 3702A-A-K9, CAP3702E-A-K9.. and I looked up the Cisco datasheet. They all appear to be the same speed if I read it correctly?

If I plan to get one access point for home use, does it really matter which 3702 model?

https://www.cisco.com/c/en/us/products/collateral/wireless/3700-series-access-point/data_sheet_c78-729421.html



Wednesday, July 22, 2020

TCP congestion-avoidance algorithms

Ever wondered why windows updates break your internet link for all other traffic? Or why the speed of a single download might be unstable, and fluctuate?

Fundamental understanding of the technology we indirectly use gives us a better ability to troubleshoot the systems we directly use. I think networking fits in the former category for most, and that learning some of the mechanics of it is a valuable addition to every engineer's skill set. Something like TCP algorithms is a step deeper, and I find most network engineers don't really have an understanding of how buffers work.

The linked presentation is about the protocols we use to communicate over the Internet, explaining the reason for some of the behaviors and limitations that we observe. Geoff Huston is the chief scientist at APNIC; he is an excellent presenter and illustrates these concepts in very digestible ways. I think these 25 minutes of content are something that every technical person would get value from. Geoff's talk is first up, starting at 2:15 in the link below:

https://apnic.zoom.us/rec/play/7MZ-cb2h-Dw3H4KR4QSDCqR_W47rLPms0iBI-PZYnUq2VSQKMQHyY-QXMyMgW878mQs8TaPg_Ho0VnQ?continueMode=true&_x_zm_rtaid=lWU0xL9vRIWuYCxeEtLdVA.1594879713746.d4ca2fb70a28fe92601f3fba1e006be7&_x_zm_rhtaid=749



Not sure if this is the right place to ask this question but here goes

Comcast recently did a “maintenance” in my area (we literally saw them a few houses down walking around and tinkering with things). Since then my internet has been complete crap. Anytime I do a speed test it times out. One thing I did notice is my “jitter” is upwards of 200 - 600 ms. Any idea what this means?

Before this we were getting 800-900 mbps.

I have a Comcast technician coming out but just wondering if there’s anything I can do on my end to troubleshoot.

So far I have reset the modem, unplugged and replugged everything, did a walkthrough with a Comcast representative, and still nothing.

If this post is in the wrong place I’m completely sorry but I couldn’t find any relatable posts.



SumoLogic - syslog and netflow

We are test driving Sumo Logic as a replacement for NetFlow reporting through SolarWinds NPM/NTA. The SE is saying to send syslogs into Sumo as an alternative to NetFlow. However, with traditional Catalyst and Nexus switches the syslogging is only messaging on fault notifications and auditing type events. I feel he is assuming all Cisco devices report traffic flows to syslog like an ASA or Meraki router/firewall. Am I missing something?



Ok. I know that this is 99% likely to be a very very stupid question,

But can you staple an Ethernet cable to a wall and expect it to still work at its fullest?

Yes, you may now facepalm, but I don't think it's supposed to happen. But I definitely need to know the answer with 100% confidence to let someone else know.



Viptela SDWAN (vEdge Cloud) in Azure

We are working on a project to connect our cloud instances to our on-prem infra using SDWAN. Our POC is in Azure, so we have been advised to deploy a vEdge Cloud router with multiple NICs. Our security team mandated that we have a firewall connecting our Azure instance to our on-prem network, so the flow would look something like vEdge Cloud <--> FortiGate <--> VNET for hosts.

I've been reading up on Cloud onRamp, but with the above setup I don't believe it is possible. Has anyone successfully done this setup before, manually configuring a vEdge Cloud and connecting your cloud to the on-prem network? And could you provide some details on how this was implemented? The only documentation I found online is the Cloud onRamp guide and the Viptela guide on how to deploy the VM in Azure.. but it doesn't really talk about any design considerations.

Note that we were able to deploy the vEdge cloud, it's just the inter-connectivity between on-prem and Azure we're having issues with.

Thanks in advance for your help.



Sorry - super confused business partner here. What is an ENI? Can someone please explain it in autistic terms for me?

I think I may support a product with ENIs. I work for AWS. I'm struggling to find a reasonable explanation of what an ENI is with regard to cloud computing or VPCs. Help is greatly appreciated! Cheers



MACSEC

Is anyone using MACSEC switch-endpoint? If so, what supplicant are you using?

Other than MTU concerns have you run across any 'gotchas'?



Virgin and Netgear D6400 - won't connect

Hi folks, I would like your help if possible.

I'm with Virgin Media, using their modem/router. Since the WiFi signal isn't the greatest, I bought a Netgear D6400 to be used as a router / WiFi (probably overall better performance).

I switched the Virgin Media to modem only, then plugged in the D6400 (Virgin port 1 Ethernet to Netgear red port, then port 1 Netgear to Ethernet on my computer).

However, the Ethernet connection only worked once. I couldn't log in on routerlogin.net. When the Ethernet worked and I opened routerlogin, the wizard said that there was no connection detected. Obviously the WiFi isn't working...

Could you please help? I thought it was a straightforward process, but it isn't, at least for me.

Thx



WHY DOES MY MGMT ADDRESS GET TRANSLATED?

Hi, Good day to all!

I'm having issues accessing my device/router as well as discovering it from my poller via SNMP. We noticed that this issue happens at a certain time. Here's sample output of the issue when I can't connect from our remote server.

Note that I can ping the device without any packet loss, plus no interruption on its routing protocol.

ssh 172.27.136.222
ssh: connect to host 172.27.136.222 port 22: Connection timed out

or sometimes it gets stuck after typing the password:

Password: <stuck>

After issuing "show users" I'm able to see my remote server address, which means that the server can connect but somehow gets interrupted. (Note: I'm able to access the router through a backdoor.)

During the investigation, I ran a packet capture to verify what is actually happening.

Link(Photo): https://ibb.co/DktB6pK

In the link you will see two sets of communication: the above photo is from the time the device is unable to be remoted into, and the below photo is from the time we can access the device.

a. Above photo (ssh not working):

Notice that 192.168.200.200 (remote server) sent a SYN (random port 54656 / tcp-22) but I see a different address sending the reply, as opposed to the destination IP which is 172.27.136.22...and after that 192.168.200.200 (remote server) sends a retransmission.

b. Below photo (ssh working):

Notice that 192.168.200.200 (remote server) sent a SYN (random port 32824 / tcp-22) and here I see that the router mgmt IP sends the reply, which is correct.

Forwarding: REMOTE SERVER -----> HUB(Tun100) ------> (Tun100)SPOKE(loopback99-mgmt)
            192.168.200.200                           172.27.136.222

Response:   REMOTE SERVER <----- HUB(Tun100) <------ (Tun100)SPOKE(loopback99-mgmt)
            192.168.200.200                           172.27.136.222

Configuration:

interface Loopback1
 ip address 10.118.2.45 255.255.255.255
!
interface Loopback99
 description Management
 ip address 172.27.136.222 255.255.255.255
!
interface Tunnel100
 ip address x
 no ip redirects
 ip mtu 1400
 ip nat outside
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp map x
 ip nhrp map x
 ip nhrp network-id 23
 ip nhrp holdtime 500
 ip nhrp nhs x
 ip nhrp redirect
 zone-member security IN_ZONE
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel vrf ISP
 tunnel protection ipsec profile SPK_PROF shared
!
ip nat translation timeout 14400
ip nat translation tcp-timeout 14400
ip nat inside source route-map NTPOL interface Loopback1 overload
!
route-map NTPOL permit 10
 match ip address ACL:NTPOL
 match interface Tunnel100
!
ip access-list extended ACL:NTPOL
 permit tcp any host 10.125.156.118 eq 8080
 permit tcp any host 10.125.156.200 eq 1352
 permit tcp any host 10.125.156.201 eq 1352
 permit tcp any host 10.125.156.206 eq 1352
 permit tcp any 141.251.0.0 0.0.255.255
 permit tcp any 134.177.0.0 0.0.255.255
 permit tcp any 192.32.0.0 0.0.255.255
 permit udp any any range 3478 3481
 permit udp any any range 50000 59999
 permit tcp any any range 50000 59999
 permit tcp any any eq 443
!

adnt-pa0869rz1#sh ip access-lists ACL:NTPOL      <-------- NO MATCHES?
Extended IP access list ACL:NTPOL
    10 permit tcp any host 10.125.156.118 eq 8080
    20 permit tcp any host 10.125.156.200 eq 1352
    30 permit tcp any host 10.125.156.201 eq 1352
    40 permit tcp any host 10.125.156.206 eq 1352
    70 permit tcp any 192.32.0.0 0.0.255.255
    80 permit udp any any range 3478 3481
    90 permit udp any any range 50000 59999
    100 permit tcp any any range 50000 59999    <---- seems like due to this?
    110 permit tcp any any eq 443

NAT TRANSLATION:

Pro Inside global      Inside local       Outside local          Outside global
tcp 10.118.2.45:640    172.27.136.2:22    192.168.200.200:58758  192.168.200.200:58758
tcp 10.118.2.45:640    172.27.136.2:22    192.168.200.200:59150  192.168.200.200:59150

Question:

  1. So we can see that NAT affects the SSH connection, but how does the router/remote server select the source port? Is this randomly generated?
  2. This issue normally happens during office hours; can we somehow link this to the volume of clients (note: no congestion)?
  3. Also, why is the router translating the Loopback99 mgmt IP even though NAT is not enabled on it, i.e. the loopback doesn't have ip nat inside?
  4. What possible solution can we use?

Thanks
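
To see which entry of the ACL:NTPOL quoted above each captured packet actually matches, here is a small first-match ACE evaluator (an added example, not code from the original post). It takes the ACEs as listed in the post, models only the "match ip address" half of route-map NTPOL (the "match interface Tunnel100" clause is assumed satisfied), and checks the inbound SYN plus the router's replies to the failing session (source port 54656) and the working one (source port 32824); the addresses are those the post describes.

```python
"""Added example (not from the original post): evaluate the ACL:NTPOL entries
quoted in the post against the captured SSH packets, to see which ACE each
packet hits. Only the 'match ip address ACL:NTPOL' half of route-map NTPOL is
modelled; the 'match interface Tunnel100' clause is assumed satisfied."""
import ipaddress
from dataclasses import dataclass

# ACEs copied from the running config shown in the post, in order.
ACL_NTPOL = """
permit tcp any host 10.125.156.118 eq 8080
permit tcp any host 10.125.156.200 eq 1352
permit tcp any host 10.125.156.201 eq 1352
permit tcp any host 10.125.156.206 eq 1352
permit tcp any 141.251.0.0 0.0.255.255
permit tcp any 134.177.0.0 0.0.255.255
permit tcp any 192.32.0.0 0.0.255.255
permit udp any any range 3478 3481
permit udp any any range 50000 59999
permit tcp any any range 50000 59999
permit tcp any any eq 443
"""

@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass
class Ace:
    seq: int            # 10, 20, ... assigned here in list order
    action: str
    proto: str
    src: tuple          # (network int, wildcard int, port condition or None)
    dst: tuple
    text: str

def _parse_endpoint(t, i):
    """Parse 'any' | 'host A' | 'A W' plus an optional eq/neq/gt/lt/range operator."""
    if t[i] == "any":
        net, wild, i = 0, 0xFFFFFFFF, i + 1
    elif t[i] == "host":
        net, wild, i = int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    else:
        net, wild, i = (int(ipaddress.IPv4Address(t[i])),
                        int(ipaddress.IPv4Address(t[i + 1])), i + 2)
    cond = None
    if i < len(t) and t[i] in ("eq", "neq", "gt", "lt"):
        cond, i = (t[i], int(t[i + 1]), 0), i + 2
    elif i < len(t) and t[i] == "range":
        cond, i = ("range", int(t[i + 1]), int(t[i + 2])), i + 3
    return (net, wild, cond), i

def parse_acl(text):
    aces = []
    for n, line in enumerate(l for l in text.splitlines() if l.strip()):
        t = line.split()
        src, i = _parse_endpoint(t, 2)
        dst, _ = _parse_endpoint(t, i)
        aces.append(Ace((n + 1) * 10, t[0], t[1], src, dst, line.strip()))
    return aces

def _endpoint_ok(spec, ip, port):
    net, wild, cond = spec
    mask = 0xFFFFFFFF ^ wild            # wildcard 0-bits are the bits that must match
    if (int(ipaddress.IPv4Address(ip)) & mask) != (net & mask):
        return False
    if cond is None:
        return True
    op, a, b = cond
    return {"eq": port == a, "neq": port != a, "gt": port > a,
            "lt": port < a, "range": a <= port <= b}[op]

def first_match(aces, pkt):
    """First ACE the packet matches (ACLs are evaluated top-down), or None."""
    for ace in aces:
        if (ace.proto in ("ip", pkt.proto)
                and _endpoint_ok(ace.src, pkt.src, pkt.sport)
                and _endpoint_ok(ace.dst, pkt.dst, pkt.dport)):
            return ace
    return None

ACES = parse_acl(ACL_NTPOL)

def nat_candidate(pkt):
    """ACE that makes the packet a NAT candidate under route-map NTPOL, or None."""
    ace = first_match(ACES, pkt)
    return ace if ace and ace.action == "permit" else None

# Packets from the post's capture: failing session sport 54656, working one 32824.
SYN_IN = Packet("tcp", "192.168.200.200", "172.27.136.222", 54656, 22)
REPLY_FAILING = Packet("tcp", "172.27.136.222", "192.168.200.200", 22, 54656)
REPLY_WORKING = Packet("tcp", "172.27.136.222", "192.168.200.200", 22, 32824)
if __name__ == "__main__":
    for pkt in (SYN_IN, REPLY_FAILING, REPLY_WORKING):
        ace = nat_candidate(pkt)
        print(pkt, "->", f"seq {ace.seq}: {ace.text}" if ace else "no match")
```

Only the router's reply to the session whose source port falls inside 50000-59999 hits an ACE (the "permit tcp any any range" line, the one the post flags), while the inbound SYN to port 22 and the reply to port 32824 match nothing.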



zscaler testing

Hey reddit:

I'm an IT admin looking to try Zscaler but am having a hard time getting a POC set up. If you run ZIA / ZApp in your infra, please DM me.



Losing skills

Networking is a use-it-or-lose-it skill. For the past 3 years I have been primarily a Cisco ISE, WSA, WLC and Umbrella admin. I've been having VPN problems for the past 2 months. Touching an ASA again, I feel like I lost some of my networking skills. Anyone know of any free labs to improve my practice? I work in a 100% Cisco environment. Thanks



C9500, Gibraltar and ACLs with object-groups

This is a weird one.

It's almost like in this post but upped a notch.

I have an extended, named, ipv4 access-list with exclusively ACEs containing object-groups. It is bound to a vlan-interface, so I'm checking all the boxes as per documentation.

I know I need to add the "log" keyword for ACEs I want to see matches for, as only then does it go through software and count them up, so for testing I have every ACE being logged...but:

  • none of the ACEs ever show up in the logs or have hits
  • I know the ACEs are hit and enforced on traffic, as connections/pings drop or are conducted according to ACL changes
  • putting a no-object-groups ACE somewhere in the mix after a hitting object-group ACE (with the log statement) shows the message from the previous hit
  • the log message has the action (allowed/denied) of the permission of the non-object-group ACE to it. So for example an ACL with "10 permit icmp object-group net1 any log" and being closed by "200 deny ip any any log" will result in "%SEC-6-IPACCESSLOGDP: list xy denied icmp 10.21.31.41 -> 10.20.30.40 (0/0)" although the ping went through just fine.
  • the log-generating ACE will have the hitcount go up.

another example:

ip access-l ext xy
 10 deny ip any object-group priv-net log
 11 deny ip any host 169.254.169.254 log (846 matches)
 20 permit ip any any

sh object-group
Network object group priv-net
 192.168.0.0 255.255.0.0
 10.20.0.0 255.255.0.0
 169.254.0.0 255.255.0.0
 172.16.0.0 255.248.0.0
 172.24.0.0 255.252.0.0
 172.31.0.0 255.255.255.0
 10.30.0.0 255.255.0.0
 host 169.254.169.254

I specifically added the "host" entry to the object-group as well to make sure I'm not running into some masking brainfart or typo. But ACE 11 gets all the hits and logs, whereas traffic isn't allowed either after removing 11.

"sh ip access-list xy exp" also expands the object-group just fine, and I have in fact the same 2 lines above each other.



Duplicated domain name on submenu buttons (LibreNMS)

Hey!

I have an issue that just appeared out of nowhere (I mean I don't remember doing anything and it was working a few days ago) with the submenu buttons.

When I click on a "main" menu it works fine: Devices -> All Devices -> Network, then I can click on a switch and go to Graphs or Health. But if I click on Overview or Processors (Health submenu), it brings me to "https://example.fr/https://example.fr:443/device/device=80/tab=health/metric=overview/", which of course results in a "404 Not Found" error. However, I can manually access "https://example.fr:443/device/device=80/tab=health/metric=overview/" if I delete the duplicated domain name.

The top left "LibreNMS" button has the same issue.

Has anyone any idea on how to fix it?

Thanks a lot!



Call managers Directories

Hello all,

I have 2 call managers in different buildings. Every call manager has its own directory.

Is there any way to combine the call managers' directories?

So that if I search for a name that is in the other call manager, I can find it.

Thank you all.



Directly Attached Copper cables and compatibility

I was asked to plan a switch migration to a different vendor (Juniper to Cisco, in this instance). There are a few servers connected to the current switch with passive DAC (twinax) cables (10G SFP+). These are Juniper-branded.

Is it essential to replace these cables with Cisco branded ones when I replace the switch? Will it work? Is it risky?



Connection between 2960s

At one of my sites I have had an Ethernet connection between two Cisco 2960s that ran fine for a while. Sunday storms came through and that connection ceased to work. The switch on one end is trying to send packets, but the other end is dark. Tried moving ports, same results; checked the cable for connectivity, all pairs good. I can hook my laptop up to this end and get network; plug back into the switch and it's gone. I replaced the switch, same. I put a dumb switch on the end of the cable and plugged it into the 2960 and the port comes up, so is it a transmission issue with the cable?



VLAN 1 - Can someone explain like I'm 5

I don't understand VLAN 1. I've read that Cisco say it is considered a security practice to configure all ports on switches to be associated with VLANs other than VLAN 1, but what does this mean?

What do you do with VLAN 1? It says the Native VLAN shouldn't be on VLAN 1, what is the Native VLAN?

If I just disable all unused ports is that ok?

As you can tell, I really don't understand it; can someone explain it to me like I'm 5?



Multicast troubleshooting

This diagram shows an outline of my network. Each router is a Juniper SRX240 running in flow mode. The red lines are layer 3 OSPF (/30) links, the black lines are access ports to video encoders or decoders.

I have a problem where the data from video Encoder 239.0.0.18 is being doubled, i.e. if I set the bitrate to be 10Mb/s then I get 20Mb/s going down the line to the Main Office router. If I change the IP address for the encoder to send video to 239.0.0.180 (an address I know has no decoder setup for it) then I still get the 10Mb/s going down the line to the Main Office.

The encoders set up at 239.0.0.3 - 239.0.0.10 are working fine (i.e. data isn't duplicated). I think this may be because all routers have the following config:

pim {
    rp {
        static {
            address 172.31.255.102;
        }
    }
    interface all {
        mode sparse;
        version 2;
    }
}

Should I add the router in the "Remote Office 2" to the static RP on all routers? If so, is there a way of doing this dynamically so I don't have to update all the routers when a new video encoder is added to the network?

Thanks.



How to setup advanced network?

/r/linuxquestions/comments/hvsbya/how_to_setup_advanced_network/

SNMP Issue - HP 2920-48G Switches with Domotz Pro

Hello all,

I run 2 HP 2920-48G switches on my network. I also have a bunch of smaller HPE managed switches throughout the building. I am using SNMP v2 to create a network topology through Domotz Pro. However, for some reason, the 2920s aren't showing up with their interfaces the way the rest of the devices are. This is causing the network topology to be completely wrong: since the 2920s are the top level switches, Domotz can't figure out how everything is routed. I've checked my private and public community strings multiple times to make sure they match. I've tried changing my trap source and response from RFC 1517 to the specific IP of the switch, but that didn't change anything. Has anyone had any experience with this? Thanks in advance.



Netbox - Connect one dual LC SFP+ port to two SC/APC ports on patch panel

I'm using Netbox to document our network. I've added all the equipment to the rack and now I'm trying to connect a single SFP+ module on a switch to a patch panel. The cable has a dual LC connector on one side and two SC/APC connectors on the other side. The problem is that an SFP+ module counts as a single port but on the patch panel it is connected to 2 SC/APC ports. How can I represent that in Netbox?

Thanks in advance.



Tuesday, July 21, 2020

Can you LACP an uplink port and a regular port?

New to networking and doing some labs on LACP and was wondering: if I have a 3560 PoE 8-port switch and it has an uplink RJ45 port, can you LACP the uplink with port 8?



Starting to with data center

Hello my fellow network redditors, I'm in need of some feedback on the design that I have on a topology. This topology will be for new server racks; they're adding new servers and new racks, and I have some budget for network equipment. I will add a C9500-48Y4C for our core switch to upgrade our old core switch, then from there it will be connected to the C9500-32QC aggregation switch; this switch will be the middle man between the core switch and the rest of the switches for the racks. Each rack will have a C9300-24UX with a 2Q network module, and the servers will have 10G Ethernet ports. Now I'm not really familiar with the term 'top of rack switch' or what models, but I'm using the C9300-24UX since all of the ports can support 10G.

I'm having doubts about the selection of the switches I picked and the decisions on this. In my mind I have the 'go big or go home' mentality when it comes to these kinds of projects. I think it's a bit overkill having 40G uplinks between the top of rack switch and the aggregation switch; I even think about bundling the cables to reach 80G, and then connecting the aggregation switch to the core switch using the 100G speed and then ALSO bundling the ports to reach 200G. Is this good, or should I take other considerations into this? There are about 500 users on the network and they do hit some of the servers pretty hard. Is this a good design I have made? Other suggestions? I just want to know if I did a good job on this or went full on overkill.

Any feedback will be greatly appreciated.

Edit: here is a basic design I have made
https://imgur.com/a/BjdGSRc



NXOS-9.3.4 on Cisco Nexus 9396PX

Recently I have been trying to configure BFD for BGP on a Cisco Nexus 9396PX which is running NX-OS 7.0.3, and it turned out BFD doesn't support multi-hop and that feature is only available on NX-OS 9.2.x or later releases.

Question-1: is it safe to upgrade from 7.x to 9.x (even cisco recommend 7.x on their website)? I am sure soon cisco will say 9.x is now recommended (is there any ETA on it anywhere on cisco website?)

Question-2: Can i downgrade from 9.x to 7.x if incase see any issue?

Anyone running nxos-9.x in production without any major issue?



IDF Closet Cable Management

I worked at a local convention center, and upon seeing the state of the IDF closets I made it my mission to clean them up. These pictures are from the tunnels underneath the exhibition halls, which had ZERO air flow and were easily 100°+.

Total time was probably 100+ hours.

IDF closets Before and After



Layer 3 network cannot reach WAN sites but firewall can

Hi All,

I'm stuck in somewhat of a pickle and I cannot figure why it is not working for the life of me.

So the setup is this

PC ---> Layer 3 switch ---> Firewall ---> ISP managed router at Site1 ---> ISP managed router at Site 2 / other WAN sites

The layer 3 switch, firewall and ISP routers can reach site 2 and other WAN sites.

However, the PC and the VLANs configured on the switch cannot see any of the sites at all. In fact, they cannot even ping the outside interface of the firewall (and all ICMP is allowed).

We have been given a 10.200.12.0 / 28 subnet by the ISP for our LAN side and we have asked them to setup a static route for our own site (10.10.0.0/20)


Router IP: 10.200.12.1

ROUTER 1 show ip route has:

S 10.10.0.0/20 [1/0] via 10.202.12.2, Bvi 1

C 10.200.12.1/28 is directly connected, Bvi 1

and a RIP route to our other sites


Firewall IP: 10.200.12.2 (WAN IP) 10.10.15.2 (Firewall Inside L3 IP)

Firewall show route has:

Gateway of last resort is 10.200.12.1 to network 0.0.0.0

S 10.10.0.0 255.255.240.0 [1/0] via 10.10.15.10, inside
C 10.0.1.0 255.255.255.0 is directly connected, statefailover
C 10.10.15.0 255.255.255.0 is directly connected, inside
C 10.200.12.0 255.255.255.0 is directly connected, WAN
S* 0.0.0.0 0.0.0.0 [1/0] via 10.200.12.1, WAN


Switch has 4 VLANs setup

VLAN10 - Servers 10.10.1.1

VLAN20 - Workstations 10.10.2.1

VLAN150 - Firewall Layer 3 10.10.15.10

VLAN 160 - Router uplink 10.200.12.3 255.255.255.240

Switch has 2 static routes setup

0.0.0.0 0.0.0.0 10.200.12.2

0.0.0.0 0.0.0.0 10.10.15.2

I cannot ping from VLAN10 and VLAN20 to any of our other WAN sites. In fact, VLAN 10 and 20 can't even ping the firewall's outside IP.



MST Spanning Tree and Reconvergence

Good Morning All,

So I have discovered that when the topology of my network changes (add/remove switch), MST does its thing and recalculates the network. I have a core switch that is set as STP root (priority 0) and it all works well.

In my network, I run a mix of Cisco and Aruba. They are all running MST. The Ciscos also run portfast on each interface. Each switch only has 1 IP (management IP, VLAN 100).

My problem is that when the switches reconverge, this VLAN becomes inaccessible and you can't establish connections to any management IP. I have read that reconvergence usually takes no more than a minute, but in some cases it's up to 30 minutes before all switches are back "online". It's only VLAN 100 that's affected; all other traffic is fine (for example to end devices).

Is 30 minutes a reasonable reconvergence time? I have a total of 33 switches and about 3 of them have other switches hanging off them. Are these "daisy-chained" uplinks to other switches causing me these long convergence times?

Any help is appreciated.

Cheers.



Arista Core Option Comparable to Cisco 9600

Currently researching core switch replacement options. First pick is the Cisco Catalyst 9600 with 40/100Gb and 10/25Gb line cards. We want to do our due diligence, so we're also considering Arista based on recommendations I've seen in this sub. We met with our Arista sales rep and SE today and were impressed with what they had to say, but wanted to confirm the accuracy of some of the info, as the devil is often in the details. Also, taking recommendations for an Arista switch that'd be comparable to the Cat 9600 mentioned above.

Wanting feedback on the following:

Non-impacting code upgrades. Is that right? We won't experience any impact to traffic forwarding when code is upgraded? This just doesn't seem right based on all my existing experience with other vendors.

Is there any support for full NetFlow? I only see support for SFlow.

Do you really get a hold of a Tier3 support rep right away when calling TAC? If so, how are the engineers?

The SE suggested both a chassis and non-chassis platform (7368X4). He mentioned the 7368X4 may be more cost effective, especially when needing to add ports since the modules are a different beast than line cards - no onboard ASIC, etc, they're really just ports on a card. Are there any cons or tradeoffs when choosing a non-chassis option like the 7368X4?

They showed us some graphs with occurrences of bugs and security events in comparison to other vendors. They were extremely low in comparison to others. Have you found that Arista has fewer bugs and security issues than other vendor platforms?

Any experience with CloudVision? Seems really nice, but not sure how much value it'd provide for one pair of core switches.

I understand the CLI is nearly identical to Cisco so configuration shouldn't be an issue. However, have you found troubleshooting to be any different? I often google networking problems we're having and it's often easy to find a cisco document or fellow networker that's solved/posted the fix. Not sure if that's the case with Arista.

Finally, any recommendations for a pair of Arista core switches based on the following requirements:

  • < 30 10Gb ports
  • < 10 40Gb ports
  • < 10 100Gb ports
  • Flexibility for other port speeds in the future like 25Gb
  • Capable of redundant and hot-swappable components like sup, power supply, fans


Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Is it better to split VLANs across more than one port?

Say you had 10 VLANs. Would it be better to trunk 5 to one switch port and the other 5 to another switch port to divide the traffic across two lines?

Am I better off with LACP?



Teleworker box vs VPN client?

Hi,

You can buy stuff like this

https://meraki.cisco.com/product/security-sd-wan/teleworker/z3/

I see the appeal in the sense that you can have a desk phone plugged in nice and easily; however, you can still do that with a VPN connection via client software too, even if one of my colleagues is introducing more security risks than he is removing, but that's another story.

You could in theory make a VPN over DDNS given ever-changing customer IPs too, but that's not the norm. You can also allow a user's IP address to connect to your office using a phone you give them, via a client.

Unless of course this is essentially just yet another firewall, albeit in a satellite office so to speak. If so, you can already tunnel from FW to FW.

What's your preference and why? Am I missing something too?



Extending existing switch into newer Nexus switch for migration.

My experience with NX-OS is minimal. I've worked for years with the previous Cisco IOS, so I do have quite a bit of experience. In order to try and keep as much uptime as possible, we want to extend our old 4948 and very tired 3560 switches to a group of isolated ports on the newer 96-port Nexus switch. I have connected each one of these switches to the Nexus switch successfully, but the only port that seems to see any traffic is the connected port and not any of the other ports that we assume are isolated to just traffic from that switch. Is a private VLAN the right way to approach this? The old switches are all only VLAN 1. Do we want to make it a private VLAN and then a VLAN 1 child?

Thanks for any input.

Mike



Radius Server

Hello Folks,

Is there any way I can use my Windows PC as a RADIUS server? Is there any free software for this? Please share a link. I researched a bit and found FreeRADIUS, but this seems to be for Ubuntu or Linux distros. Trying to check if I can make a Windows PC a RADIUS server and send some user authentication to it. Any help is appreciated. Thanks.
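Whatever software ends up running on the PC, the job is the same, and it is worth seeing it in a few dozen lines before picking a product. The following is an added example, not code from the post or from FreeRADIUS: a minimal RADIUS PAP exchange per RFC 2865 using only the Python standard library, with the NAS building an Access-Request, the server recovering the password with the shared secret and checking it, and the NAS verifying the Response Authenticator on the reply. The shared secret, user name and password are constructed for the demonstration.

```python
# Added example (not from the original post): a minimal RADIUS PAP exchange
# built and verified offline with only the standard library, following RFC 2865.
# It shows what any RADIUS server on the PC has to do: recover the PAP
# password with the shared secret, check it, and sign the reply so the NAS
# can verify it. Shared secret, user name and password are constructed.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    out = b""
    for t, v in pairs:
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def _parse_attrs(blob):
    """Decode the TLV attribute list; returns a list of (type, value)."""
    attrs, i = [], 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def _pap_obfuscate(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block'
    is the Request Authenticator. Note this is obfuscation keyed by the
    shared secret, not encryption in any modern sense."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for off in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[off:off + 16], key))
        out += block
        prev = block
    return out


def _pap_recover(obfuscated, secret, authenticator):
    """Inverse of _pap_obfuscate; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for off in range(0, len(obfuscated), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(obfuscated[off:off + 16], key))
        prev = obfuscated[off:off + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, authenticator=None):
    """NAS side: Access-Request with a random 16-byte Request Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attrs([(ATTR_USER_NAME, username),
                    (ATTR_USER_PASSWORD, _pap_obfuscate(password, secret, authenticator))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def handle_access_request(packet, secret, userdb):
    """Server side: recover the password, check it, and answer with a reply
    whose Response Authenticator is MD5(code|id|len|req_auth|attrs|secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    fields = dict(attrs)
    user = fields.get(ATTR_USER_NAME, b"")
    pw = _pap_recover(fields.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    reply_code = ACCESS_ACCEPT if userdb.get(user) == pw else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    resp_auth = hashlib.md5(header + req_auth + reply_attrs + secret).digest()
    return header + resp_auth + reply_attrs


def verify_reply(reply, request, secret):
    """NAS side: recompute the Response Authenticator. A wrong secret or a
    tampered reply fails here. Returns the reply code, or None on failure."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return code if reply[4:20] == expected and ident == request[1] else None


if __name__ == "__main__":
    secret, users = b"testing123", {b"alice": b"s3cret-pw"}  # constructed
    req = build_access_request(7, b"alice", b"s3cret-pw", secret)
    print(verify_reply(handle_access_request(req, secret, users), req, secret))
```

The point the two helper functions make is that the whole scheme rests on the shared secret: anyone who captures the Access-Request and knows (or guesses) the secret recovers the PAP password, which is why RADIUS between the NAS and the server belongs on a management network or inside a tunnel, and why per-NAS secrets should be long and random.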



Setting a local-preference for iBGP VPNv4/vrf routes?

I'm trying to do something which I thought should be straight forward but I'm obviously going wrong somewhere.

I have two PE routers which have the same customer attached to both. Both PE routers are receiving the same prefixes via eBGP from the CPE routers.

I usually use AS-PATH prepend so that one route is preferred over the other, but in this scenario I can't do that. As such I have set up a policy-map importing the BGP-received routes so it's increasing the local-preference of the received routes on the primary router.

My issue is that as soon as that route is then shared across other PE routers, it sets the local-pref back to the default.

If I look at the route on other PEs (all shared via RRs), then the local pref is set to the default BGP local pref of the advertising router.

Is there some caveat I'm missing about changing the local-pref for VRF/VPNv4? For non-VRF prefixes it works fine.

thanks



SHDSL Configuration

Hi, right now I have a config like the one below:

controller dsl 0
 mode atm
 line mode 4-wire enhanced
 ignore-error-detection-15
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 ip nat outside
 ip virtual-reassembly in
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Vlan1
 ip address 192.168.27.26 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap
!
ip nat pool pool1 192.168.27.0 192.168.28.0 netmask 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 192.168.27.25
dialer-list 1 protocol ip permit

How can I configure G.SHDSL on this so I can get positive feedback from a feed between 192.168.27.26 and .25? With this setting I can ping both IPs without problem, but I'd like to see if I can make a G.SHDSL config.



Viptela SDWAN - Questions

Hey guys/gals,

I have been working with Viptela on Cisco's dCloud for a small deployment, but I have a few questions. Unfortunately, scouring through the command reference guide and the SD-WAN documentation, I am not seeing answers.

1 - I know you can disable SSH per VPN entirely. But what is the proper way to restrict SSH on a vEdge router in the CLI (on ISR/ASR this is normally done with an ACL on the VTY lines)? I cannot see at all how this is done.

2 - In vManage there are two modes for devices, CLI mode and vManage mode. If I change these modes, will the router's configuration reset, or will it convert all existing CLI config and migrate it into various templates?

3 - Are there any good recommendations for articles/documentation regarding this besides the Cisco SD-WAN docs? Any books? Any gotchas you'd like to share?

thanks a bunch!



dot1q tunnel with switches or L2TPv3 with routers?

I was trying to use Q-in-Q tunneling (dot1q tunneling) to tunnel some isolated VLANs to another part of the network. Has anyone set this up with IPsec or encryption? I can't seem to find any documentation on it.



vSRX deployed in Oracle Cloud not accessible from home

Hello,

I deployed a vSRX in Oracle Cloud but the following is happening:

1- I'm able to ping fxp0 from my home PC

2- Not able to SSH to fxp0

3- Not able to ping or SSH ge-0/0/0

First, I didn't configure the new OCI routing instance and was not able to ping fxp0 or ge-0/0/0 from my home PC, but I was able to see in 'show security flow' that I'm receiving a packet on the SRX but not able to reply once I ping the public IP of fxp0. I had the default route 10.0.76.1, which is the ge-0/0/0 next-hop, and only the default routing instance.

Then I followed the Oracle blog, and they suggested creating a routing instance for my revenue ports (ge-0/0/0 and ge-0/0/1) to avoid asymmetric routing, and I changed the default route. The new configuration, the one running now, is below.

Now I'm able to ping fxp0 but not SSH to it, but I'm not seeing the ping traffic in 'show security flow session'.

How can I make fxp0 and ge-0/0/0 pingable and reachable over SSH from my home PC? Can someone tell me what is missing?

[edit]

root# show | no-more
## Last changed: 2020-07-21 16:37:45 UTC
version 15.1X49-D172.1;
system {
    root-authentication {
        encrypted-password "$5$hy8.OvoE$ubrnzVD4wmIaUG.sP8yOi4z99RVho07G2P6T3x9yml1"; ## SECRET-DATA
    }
    name-server {
        169.254.169.254;
    }
    services {
        ssh {
            root-login allow;
        }
        web-management {
            http {
                interface [ fxp0.0 ge-0/0/0.0 ];
            }
            https {
                system-generated-certificate;
                interface [ fxp0.0 ge-0/0/0.0 ];
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    log {
        mode stream;
        report;
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set Trust-2-Untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy Trust-2-Trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy Trust-2-Untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.0.76.4/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.80.5/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 10.0.28.3/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.0.28.1;
    }
}
routing-instances {
    OCI {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface ge-0/0/1.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.0.76.1;
            }
        }
    }
}

[edit]

root#
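Separately from the reachability question, a config like the one above is worth running through a quick audit before it sits on a public cloud interface. The following is an added example, not code from the post or from Juniper: a small parser for the curly-brace form of a Junos configuration and three checks over it, flagging root SSH login being allowed, plain-HTTP web management, and 'system-services all' accepted on the untrust zone, which exposes every management daemon on the revenue interface. The SAMPLE string is a constructed excerpt of the posted config; the check names and thresholds are this example's own.

```python
# Added example (not from the original post): parse a Junos configuration in
# its 'show configuration' text form and flag three exposure settings that
# appear in the vSRX config above. SAMPLE is a constructed excerpt of that
# post; nothing else here is from the original.
SAMPLE = """
system {
    services {
        ssh {
            root-login allow;
        }
        web-management {
            http {
                interface [ fxp0.0 ge-0/0/0.0 ];
            }
            https {
                system-generated-certificate;
                interface [ fxp0.0 ge-0/0/0.0 ];
            }
        }
    }
}
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
"""


def parse_junos(text):
    """Turn Junos curly-brace text into nested dicts. A block 'name { ... }'
    becomes {name: {...}} and a leaf 'stmt;' becomes {stmt: None}. Trailing
    '## ...' comments are dropped. Repeated leaves with identical text
    (e.g. two 'interface x;' lines) collapse, which is fine for these checks."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":
            stack.pop()
        else:
            stack[-1][line.rstrip(";")] = None
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def _get(tree, *path):
    """Walk a path of block names; None if any step is missing."""
    for key in path:
        if not isinstance(tree, dict) or key not in tree:
            return None
        tree = tree[key]
    return tree


def audit(tree):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    if "root-login allow" in (_get(tree, "system", "services", "ssh") or {}):
        findings.append("ssh: root-login allow (use a named user and deny root login)")
    if _get(tree, "system", "services", "web-management", "http") is not None:
        findings.append("web-management: plain http enabled (serve https only)")
    for name, zone in (_get(tree, "security", "zones") or {}).items():
        if not name.startswith("security-zone "):
            continue
        services = _get(zone, "host-inbound-traffic", "system-services") or {}
        if "all" in services and "untrust" in name:
            findings.append(f"{name}: host-inbound-traffic system-services all "
                            "(list only the services the zone needs)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_junos(SAMPLE)):
        print(finding)
```

The parser is deliberately minimal (no handling of 'inactive:' or 'apply-groups'), but it is enough to diff a running config against a short list of settings you never want on an Internet-facing zone, and the same tree walk extends to any other check you care about.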



JUMBO Frames

Looking for a cheap increase in network performance. Anyone had any good or bad experiences by enabling jumbo frames ?

Thanks



Advice needed on network engineering path

Hello guys, I'm 22 and I'm really interested in getting into networking. What's the best advice you could give to someone who wants to get their foot in this industry, and what are the best certs to study for a newbie?



Juniper: 'hidden reason: protocol next hop is not on the interface'

Hi,

We're conducting a POC for DDoS mitigation. We have a peering with a DDoS Trigger Server (INI) and the scrubbing center. The goal is, in the event of a DDoS attack going to x.x.88.0/24, the INI will advertise x.x.88.0/24 with community tag 123456:911 and a next-hop IP of the CoreRouter (x.x.x.246) to BorderRouter1. Once the prefix from the INI is accepted by BorderRouter1, it must advertise the prefix via the community tag to the scrubbing center. Then the advertisements to the other upstreams/ISPs will be rejected via the community tag of the prefix. But the advertisement from the INI must reside only in BorderRouter1, so as not to confuse the other routers about the path going to x.x.88.0/24.

We're doing manual triggering of the INI first to check if the configurations on the router work. During the manual triggering of the INI, the attached image (BorderRouter1 Output during manual triggering.jpg) shows the results we got on BorderRouter1.

We're receiving x.x.88.0/24 from the INI with the community tag and next-hop IP x.x.x.246, but the preferred next-hop interface is gr-4/0/0, which is the tunnel interface facing the INI. I'm seeing 'hidden reason: protocol next hop is not on the interface' in the outputs.

How can I prefer the route from the INI on BorderRouter1? Any tips to solve the 'hidden reason: protocol next hop is not on the interface'?

For reference,

Diagram and output: https://drive.google.com/drive/folders/1ZtXfp9JckmTwtJZW3Hd5uXP9Oud0kjBZ?usp=sharing

Config:

BorderRouter1

COMMUNITY STRING

show configuration policy-options community POC-TEST
members 123456:911;

In BorderRouter1, to INI

IMPORT

show configuration policy-options policy-statement POC-Import
term Migitgation-Community {
    from {
        inactive: next-hop x.x.x.251;
        inactive: community POC-TEST;
        route-filter x.x.x.88.0/24 exact {
            inactive: community set POC-TEST;
        }
    }
    then {
        local-preference 300;
        community add POC-TEST;
        next-hop x.x.x.246;
        accept;
    }
}
term REJECT-Anything-Else {
    then reject;
}

EXPORT

show configuration policy-options policy-statement REJECT-EXPORT
term REJECT {
    then reject;
}

In BorderRouter1 to Scrubbing Center

IMPORT

show configuration policy-options policy-statement REJECT-IMPORT
term REJECT {
    then reject;
}

EXPORT

show configuration policy-options policy-statement POC-Exportv2
term Migitgation-Community {
    from community POC-TEST;
    then accept;
}
term REJECT-Anything-Else {
    then reject;
}

BorderRouter2

EXPORT

ions policy-statement Peer1-export term POC-TEST <<<PEER 1
from community POC-TEST;
then reject;
----output omitted----

..policy-statement Peer2-export term POC-TEST <<<PEER 2
from community POC-TEST;
then reject;
----output omitted----

CoreRouter

None



Engenius Bridge version 2 and 3

Will these two devices work together if I need to replace one and can't find another version 2 device, or would I have to replace them both?



Anyone had any luck decrypting Dell switch passwords?

I'm in a bit of a pickle with a project. I'm working with dozens of Dell switches that the customer doesn't have the password for, because the previous tech was being vindictive.

I can do a password recovery on the devices easily enough, but it would save a lot of time if I could decrypt the password. These switches are at various remote sites and are not easily accessible, so consoling into every single one is going to be a pretty complicated and time-consuming affair.

From experience, I've run older Cisco password hashes through an MD5 decrypter.

Anyone had any luck doing this with Dell switching?
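Before reaching for a "decrypter", it helps to be precise about what is stored, because the two Cisco formats the post alludes to behave completely differently. The following is an added example, not code from the post or from any vendor tool: a type 7 decoder and encoder (a reversible XOR against a fixed, publicly known key, so it decodes instantly) next to an MD5-crypt implementation for type 5 (a salted one-way hash that can only be guessed against a wordlist). The type 7 string and the wordlist are constructed; the key table is the well-known fixed one. Dell's own storage formats are not covered here, so the only thing this settles for those switches is which of the two situations you are in once you know the format.

```python
# Added example (not from the original post): what "decrypting" a switch
# password actually means for the two Cisco formats the post alludes to.
# Type 7 is a reversible XOR with a fixed key and decodes instantly; type 5
# is salted MD5-crypt, a one-way hash that can only be guessed. The type 7
# sample and the wordlist are constructed; the key table is the well-known one.
import hashlib

_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def type7_decode(encoded):
    """'094F471A1A0A' -> 'cisco'. The first two digits are the key offset,
    the rest is hex of plaintext XOR key[offset + i]."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(c ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(data)).decode()


def type7_encode(plain, offset=9):
    """Inverse of type7_decode; shows why type 7 protects nothing."""
    data = bytes(ord(c) ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(plain))
    return f"{offset:02d}" + data.hex().upper()


def md5crypt(password, salt):
    """MD5-crypt ($1$salt$hash), the algorithm behind 'enable secret 5'.
    Salted and iterated 1000 times: there is no decode, only guessing."""
    pw, salt = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for i in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, i)])
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # the deliberate stretch
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = []
    for a, b, c_ in [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]:
        v = (final[a] << 16) | (final[b] << 8) | final[c_]
        for _ in range(4):
            out.append(_ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(_ITOA64[v & 0x3F])
        v >>= 6
    return "$1$" + salt.decode() + "$" + bytes(out).decode()


def guess_type5(hashed, wordlist):
    """The only option for type 5: hash each candidate with the stored salt
    and compare. Returns the matching word or None."""
    _, _, salt, _ = hashed.split("$")
    for word in wordlist:
        if md5crypt(word, salt) == hashed:
            return word
    return None


if __name__ == "__main__":
    print(type7_decode("094F471A1A0A"))                 # constructed type 7 sample
    h = md5crypt("cisco", "mERr")                       # constructed salt
    print(h, guess_type5(h, ["admin", "password", "cisco"]))
```

The practical consequence for the project in the post: if a config shows a type 7 string, the "decrypter" is a few lines of XOR; if it shows $1$ (or anything else one-way), no tool decrypts it, and the honest options are a wordlist attack or the console recovery the post already describes.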



DDoS POC Auto-Rerouting Inquiry

Hi, 

We're doing a POC with a partner wherein we are testing an auto-rerouting for a DDoS attack.

Attached is the diagram (POC Diagram.jpg).

Test IP: x.x.88.0/24
Corp Network ASN: 123456
Scrubbing Center ASN: 134190
DDoS Trigger Server (or INI): 45352
Community tag for auto-rerouting is: 123456:911

Target end-state:
1. Once a DDoS attack going to x.x.88.x has entered the corporate network, the INI will advertise the x.x.88.0/24 prefix with a community tag of 123456:911 and a next-hop IP of the loopback of the Core Router (x.x.x.246) to BorderRouter1.
2. Once BorderRouter1 receives the prefix from the INI, it should not export it to its other iBGP neighbors (CoreRouter(s)).
3. It should prefer the route from the INI but should not prefer the INI as the next-hop for x.x.88.0/24; instead it will rely on the next-hop set by the INI on the test prefix, which is the Core Router (x.x.x.246).
4. Once BorderRouter1 receives the prefix from the INI with the community tag, it will automatically advertise the prefix to the Scrubbing Center.
5. Then BorderRouter1 will deny the x.x.88.0/24 prefix advertisement with the community tag to its other ISPs (other peerings).

Current state (manually triggering the INI, prior to a live attack):
1. Once the INI advertises the x.x.88.0/24 prefix with a community tag of 123456:911 and a next-hop IP of the loopback of the Core Router (x.x.x.246) to BorderRouter1, BorderRouter1's preferred next-hop to the x.x.88.0/24 prefix is the p2p peering with the INI instead of the Core Router.
2. Because of this, points 2-5 of the target end-state are not accomplished.

***Even though the INI advertises the x.x.88.0/24 prefix, it should not be the path going to x.x.88.0/24.

During the manual triggering of the INI, the attached image (BorderRouter1 Output during manual triggering.jpg) shows the results we got on BorderRouter1.

We're receiving x.x.88.0/24 from the INI with the community tag and next-hop IP x.x.x.246, but the preferred next-hop interface is gr-4/0/0, which is the tunnel interface facing the INI. I'm also seeing 'hidden reason: protocol next hop is not on the interface' in the outputs.

Thus, points 2-5 of the target end-state are not accomplished.

Hoping somebody can help.

If you have questions, feel free to ask.

Thanks in advance.



Going beyond Layer 4

I have only worked with Cisco switches and routers and some firewalls. I don't have much system or coding experience. Recently, I wanted to know a bit more about the web side, and wanted to work with WAFs. But I find it very hard as I do not have much knowledge of HTTP stuff, and not an iota of JavaScript. People who take care of the web side of things, or work with WAFs, how do you fill in the gap? Any approach you can suggest?



Benefits/disadvantages of pure L3 links between switches vs /30 VLANs

Hi all,

I have discovered that my predecessor sometimes used option 1 (subject) and sometimes option 2 to establish links between switches, example below:

 switchport access vlan 333
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 333
 switchport trunk allowed vlan 1,2,3,4
 switchport mode trunk

Can anyone summarize REAL benefits or disadvantages of using one or another ?

Obviously the fact that using /30 subnet for the dedicated "link" vlan (333 ^^^) wastes one of those 4096 available, but apart from that, from performance or any other perspective ?

Maybe the possibility of easily adding more VLANs to the "VLAN-ed link" in the future ?

Thanks



Monday, July 20, 2020

IPSEC is the bane of my existence because of ISPs f***ing up their DDoS mitigation appliances

I've been troubleshooting connectivity issues between two locations for a few hours now. Turns out it's someone in-between throttling ESP (IPSEC) traffic. I know this because as soon as I force-enable UDP encapsulation of the ESP traffic, the throttling issue goes away.

I was getting 10KB/s (yes you read that right) between the locations using non-encapsulated ESP. As soon as enabling UDP encapsulation, I was maxing out my line speed.

I've seen this at least a few dozen times in my career. Some Tier 2/3 ISP gets the bright idea to install a DDoS mitigation appliance or traffic shaping appliance to save on their bandwidth bills and misconfigures it to heavily restrict non TCP/UDP/ICMP traffic. Eventually enough people complain and they fix the issue but every so often it creeps back up.

So, ProTIP: Always force enable UDP encapsulation on IPSEC traffic for site-to-site.
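What the ProTIP changes on the wire is easy to see with a few hand-built packets. The following is an added example, not code from the post: a classifier that tells native ESP (IP protocol 50, no port numbers) from NAT-T encapsulated ESP (RFC 3948: the same ESP payload inside UDP port 4500) and from IKE on the same port (recognised by a 4-byte zero non-ESP marker), next to the filter behaviour the post describes, an appliance that only passes TCP, UDP and ICMP. The three packets and their addresses, SPI and sequence number are constructed.

```python
# Added example (not from the original post): show, on the wire, what "UDP
# encapsulation of ESP" changes. Native ESP is IP protocol 50 with no ports;
# a middlebox that only passes TCP/UDP/ICMP drops or throttles it. With NAT-T
# (RFC 3948) the same ESP rides in UDP/4500, and IKE on 4500 is told apart by
# a 4-byte zero non-ESP marker. All three packets below are constructed.
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 1, 6, 17, 50
NATT_PORT = 4500


def _ipv4(proto, payload, src=b"\xc0\x00\x02\x01", dst=b"\xc0\x00\x02\x02"):
    """Minimal IPv4 header (no options, checksum left zero) plus payload.
    Default addresses are 192.0.2.1 -> 192.0.2.2 (documentation range)."""
    total = 20 + len(payload)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0, src, dst) + payload


def _udp(sport, dport, payload):
    """UDP header (checksum left zero) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _esp(spi, seq, body=b"\x00" * 24):
    """ESP header: SPI, sequence number, then (opaque) encrypted payload."""
    return struct.pack("!II", spi, seq) + body


def classify(packet):
    """Return ('esp', spi) for native ESP, ('udp-esp', spi) for NAT-T ESP,
    ('udp-ike', None) for NAT-T IKE, or (protocol name, None) otherwise."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == IPPROTO_ESP:
        spi, = struct.unpack("!I", payload[:4])
        return "esp", spi
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        inner = payload[8:]
        if NATT_PORT in (sport, dport) and len(inner) >= 4:
            if inner[:4] == b"\x00\x00\x00\x00":      # non-ESP marker: IKE
                return "udp-ike", None
            spi, = struct.unpack("!I", inner[:4])       # an ESP SPI is never 0
            return "udp-esp", spi
        return "udp", None
    return {IPPROTO_TCP: "tcp", IPPROTO_ICMP: "icmp"}.get(proto, f"proto-{proto}"), None


def middlebox_passes(packet):
    """The misbehaving filter from the post: only TCP, UDP and ICMP get through."""
    return packet[9] in (IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP)


# Constructed samples: native ESP, the same ESP inside UDP/4500, IKE on 4500.
NATIVE_ESP = _ipv4(IPPROTO_ESP, _esp(0xC0FFEE01, 1))
NATT_ESP = _ipv4(IPPROTO_UDP, _udp(NATT_PORT, NATT_PORT, _esp(0xC0FFEE01, 1)))
NATT_IKE = _ipv4(IPPROTO_UDP, _udp(NATT_PORT, NATT_PORT, b"\x00" * 4 + b"\x11" * 28))

if __name__ == "__main__":
    for name, pkt in [("native", NATIVE_ESP), ("nat-t", NATT_ESP), ("ike", NATT_IKE)]:
        print(name, classify(pkt), "passes filter:", middlebox_passes(pkt))
```

Forcing encapsulation costs 8 bytes of UDP header per packet and a NAT-keepalive every so often; in exchange the tunnel looks like ordinary UDP to every box in the path, which is exactly why it survived the appliance that was throttling protocol 50.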



NOC Interview this week!

Hello,

What questions to be expected for a NOC interview?

Job description doesn’t mention anything other than basic to intermediate unix administration?

Can you please guide - thank you!



ASAv30 Reboots

Hi

We have an ASAv30 that reboots every 2 days or so, if not twice a day on the extreme days. This is the main VPN gateway, so you can understand the blowback we get. We are running the images below. I get no log indication or warning of what has gone wrong, and the crash files mean nothing to us as you need Cisco to decode them and we don't have support; I know it sucks. Has anyone seen similar issues? IOS upgrade maybe? Bug? Capacity issue? Any lead will be great.

Cisco Adaptive Security Appliance Software Version 9.6(1)

Device Manager Version 7.10(1)



Network Testing Tools

Good afternoon,

I will preface this by saying I'm dumb with networking, I'm actually asking this for my network team. I handle servers on my side.

I work for a school district and we have to test our school sites to see if they can handle the traffic load of all teachers streaming their classes over WebEx on our Aruba WAPs. The thing is, our folks don't have a great array of tools to do this. We have to do it quick, because if we have to light up additional fibers we have to do it before August 12th.

Do you fine folks know of anything we could use to pull this off? Our core is fine. We have 40 GbE up to the ISP, but each school only has 1 GbE links which were due to be increased anyway to 2 GbE at elementary and 10 GbE for secondary. Those sites are possibly going to choke without adding to it.



SD Access Network migration from traditional network

I have an upcoming upgrade from Legacy Traditional Network to SD-Access for a customer.

The existing design is below

9500 (core1)  ---trunk---  9300 (stack switch1)
     |                          |
     |                          |
9500 (core2)  ---trunk---  9300 (stack switch2)

We want to migrate switches and subnets over in phases.

What is the best strategy and approach? How to integrate with existing network? How to keep same subnets both in old network and fabric?

Can anyone please share their experience and suggestions. Any help would be highly appreciated.



New comcast business modem, VPN not working

I could use some help sorting out an issue with Comcast. They just replaced our modem (which was working fine) with a new one (model CGA4131COM). I've copied all of the old settings/forwarded ports and everything works great including remote desktop, except our VPN. Getting the following error:

The VPN connection between your computer and the VPN server could not be completed, The most common cause for this failure is that at least one internet device (for example, a firewall or a router) between your computer and the VPN server is not configured to allow Generic Routing Encapsulation (GRE) protocol packets. If the problem persists, contact your network administrator or Internet Service Provider.

I've tried PPTP (which we were using just fine before the modem switch) and tried setting up L2TP w/ preshared key - no dice. Comcast's only advice was to use bridge mode.

Any ideas?



Bash script to check if a port is accessible from Internet.

My initial solution was to run a basic server on the chosen port and execute a Lambda function (or Google's Cloud Function, basically an external API call) that checks if the port is accessible from outside and returns true/false.

But now that I've started actually working on it, I am thinking: can I skip the external API altogether by using the IP of the same machine?

This is the flow (let me assume I want to check if port 222 is accessible and not blocked by any security group/ISP):

  1. Start a basic server: nc -l 222
  2. Get the external IP: IP=$(curl --silent icanhazip.com)
  3. Try connecting to the port: nc -N $IP 222 < /dev/null
  4. Check if that was successful: echo $?

So basically in step 3 I did not use an API call to a Lambda function that checks the port from an external server. I am using the same server, but using the external IP.

My question is, will this work in all cases? Is it good enough? I mean, I still feel writing an API will be foolproof, but I am curious: if I use the IP, will the call go through the internet and come back (and not change to localhost at DNS resolution)?
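The same four steps in Python, with the part the post is unsure about made observable. The following is an added example, not code from the post: a one-shot listener, a plain TCP connect like nc -N, and a report that includes the source address the listener actually saw. Connecting to 127.0.0.1 proves only that the socket works; connecting to the public IP from the same host proves only that the NAT device hairpins the connection back (if the peer it records is a private or loopback address, the packet never left the LAN, whatever the security group or ISP would have done to it). The bind address and port are constructed; an external check from a different network is still the only test of the Internet path.

```python
# Added example (not from the original post): the nc -l / nc -N check from the
# post, in Python, returning not just success but the peer address the listener
# saw, which is the tell for a hairpinned connection that never left the LAN.
# Addresses and ports are constructed; loopback is used in the demo.
import socket
import threading


def listen_once(bind_addr, port, timeout=5.0):
    """Start a one-shot TCP listener in a thread. Returns
    (bound port, result dict filled in by the thread, thread).
    Port 0 asks the OS for a free port, handy for local demos."""
    result = {}
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(1)
    srv.settimeout(timeout)
    actual_port = srv.getsockname()[1]

    def accept():
        try:
            conn, peer = srv.accept()
            result["peer"] = peer[0]          # who the listener saw connecting
            conn.close()
        except socket.timeout:
            result["peer"] = None             # nobody arrived within timeout
        finally:
            srv.close()                       # one shot: listener goes away

    thread = threading.Thread(target=accept, daemon=True)
    thread.start()
    return actual_port, result, thread


def port_reachable(target_ip, port, timeout=3.0):
    """Client half of the check: a plain TCP connect, like 'nc -N'."""
    try:
        with socket.create_connection((target_ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def self_check(target_ip, port, bind_addr="0.0.0.0"):
    """Listen, connect to target_ip:port, and report both the connect result
    and the peer address the listener recorded. A private or loopback peer
    while target_ip is your public address means the NAT hairpinned the
    connection locally; it says nothing about reachability from outside."""
    actual_port, result, thread = listen_once(bind_addr, port)
    reachable = port_reachable(target_ip, actual_port)
    thread.join(timeout=6.0)                  # wait for the listener to finish
    return {"reachable": reachable, "peer_seen": result.get("peer"), "port": actual_port}


if __name__ == "__main__":
    print(self_check("127.0.0.1", 0, bind_addr="127.0.0.1"))
```

Run it with your public address as target_ip and look at peer_seen before trusting reachable: the post's step 3 succeeds or fails depending on the router's hairpin-NAT behaviour, not on the security group or the ISP, which is the case the external API was there to cover.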