Saturday, August 29, 2020

Guys, can a /36 IPv6 address be converted to a /35?

I have the IPv6 address 2406:6400::/36. What will be the /35? Is it possible?



Suggestions for RFCs to read?

Yeah, I'm one of those nerdy guys who will just read RFCs for the hell of it.

I'm looking for suggestions for some RFCs to read. Preferably ones that are conducive to just reading, rather than using as a reference, etc.

Any suggestions? What are your favorites?

Edit: I should have known better... Please, no April Fools RFCs (my favorite of those is the Hyper Text Coffee Pot protocol).



Is there such thing as a battery-powered switch/hub?

Sorry if there's a better r/ for this. I work on copiers and printers. Sometimes outlets are at a premium and extra cords in the case suck. Anyone heard of a battery-powered 5-port switch or hub for on-the-go service?

Thanks in advance.



Question about some weird DNS

I work in software support, networking knowledge is pretty minimal -- basically just enough to know when/how users need to enter their creds to get to the server's file share and when there's an issue.

So an office called with an issue the other day -- software can't connect to the SQL database. Usually this is because they just booted the database computer up and, since we set the SQL service to delayed start, it takes upwards of 5 minutes for the database to be available. Not the case this time; instead I could navigate to the share just fine in File Explorer, but when I ran a ping, the IP came back 142.xxx... something super weird. Even stranger: when I ran ping -4 server it came back with the correct IP of 192.168.1.xxx. I ran a tracert server and it hopped 12 times across four states....

I changed the connection parameters in the software to just use IP after I verified it was static, but being software support, all I could do was tell them to bring the issue up with their netadmins. But I'm a learner and would really like to know what causes this, as I've seen it a couple times.



Assigning a /32 to subscribers.

With public IPv4 becoming quite scarce now, I have an impetus to save addressing wherever possible.

I'm already assigning /31s to customers, but I figure if I could assign /32, I could double the number of subs for my given addressing.

I'm thinking that this would be achieved by assigning /32 to the client via DHCP with a gateway not on the same subnet, then proxy-arping or thereabouts for the gateway address.

Does anyone do this currently? I've considered PPP, but for resource reasons I prefer not to use it.



Multiple static IPs to avoid ports (80,443) used twice

Hi there,

Keeping it short. I read the rules and I'm not sure if I'm using the right forum.

I have one static IP and I'm webhosting my site there. I want to host a Synapse server to chat and a Bitwarden instance myself. Those two would also want to use 80 and 443. As I'm new to networking, I wanted to ask if there is a way to make that possible. I couldn't find clues in a reasonable time and decided to ask instead of heading in the wrong direction.

Your God of Mischief, Loki



PoE++ ethernet switch?

This may be a bit off topic for this subreddit, but I figured someone here might have an idea.

I work in video production, mostly live events. We just got these amazing robo cams that can be powered via a PoE++ switch. (Our old robos used PoE+, and I have confirmed our current PoE+ switch does not power these new cameras.)

The cameras can also be powered via 4-pin XLR, which is fairly standard for high-end cameras, but it is very convenient to be able to power via the Ethernet cable that controls the camera, and not have to run an extension cord out to a usually very crowded stage.

So, I've googled PoE++ to look for some purchase options, but, and this is the darndest thing, I can't seem to find anything. It's like PoE++ switches don't actually exist. The engineering spec for PoE++ exists, but no actual pieces of hardware.

Am I an idiot? A blink idiot? Anyone have any ideas? Bueller?



New home pre-wired Ethernet port question

Hi guys. So I just moved into a new home and there are three pre-wired Cat 6 wall plates in the home. These three wires are then run to the laundry room where they are unterminated Cat 6 cable ends. My project today was to terminate these ends and plug them into my switch. I began by removing the wall plate and examining which termination standard was being used, and to my surprise (keep in mind this is my first time terminating cable ends) the cabling, while it does follow the B standard posted on the wall plate itself, does not follow what I had found on the internet.

The termination on the wall plate is as follows: 1. Orange/white, 2. Orange, 3. Blue/white, 4. Blue, 5. Green/white, 6. Green, 7. Brown/white, 8. Brown.

Does anyone have any insight? Thank you



How should I price structured wiring

Hi, I do some structured wiring on the side and I need advice for pricing. Per drop or hourly? Thanks.



Do you guys have any recommendations of learning material to take a deep dive into TCP (and Wireshark)?

Most of my career I have mostly been worried about layers 1, 2, and 3. Node A can reach Node B - we're good. But in my current job, I'm learning that TCP packet analysis is an invaluable skill that I need to use almost all day, every day. This is my first time actually truly diving into packet analysis. I've done it before, but not nearly at this level. This is my first time taking captures across multiple devices and trying to figure out what's going on.

For example, I'm currently working on a case where there is a source, firewall, and destination capture. I can tell from the captures that the firewall seems to be dropping the return traffic (or there is some routing issue on the return traffic). But that's not my concern with this post. I'm only using it as an example.

What I want to learn more about is TCP itself. In the source capture pictured below, I see [SYN, ECN, CWR], [SYN, ECN, CWR], then [SYN]. I see the first two in the firewall, but not the [SYN]. ... yet, I see a third [SYN, ECN, CWR] in the firewall. A total of 4 [SYN, ECN, CWR] in the firewall. Picture of PCAPs here: https://imgur.com/a/QxJaTZj

Why only 2 retransmits but 3 out of order packets? Why the simple [SYN] after [SYN, ECN, CWR], and why am I not seeing that in the firewall capture? That's the level of TCP I want to learn.
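Added example, not code from the post or from the linked capture: a small Python decoder for the TCP flags byte, showing why Wireshark prints [SYN, ECN, CWR] (a SYN with the ECE and CWR bits set, which is an ECN-setup SYN per RFC 3168) and how a bare [SYN] differs from it. The three headers are constructed here with struct, not taken from the pcap, and the sequence (two ECN-setup SYNs followed by a plain SYN) is the pattern the post describes.

```python
import struct

# Bit values of the TCP flags byte (header byte 13); ECE and CWR are the
# RFC 3168 ECN bits that older Wireshark versions label "ECN" and "CWR".
TCP_FLAG_BITS = (
    ("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
    ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80),
)


def build_tcp_header(sport, dport, seq, flags, window=65535):
    """Constructed 20-byte TCP header: data offset 5, no options, checksum 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)


def decode_flags(tcp_header):
    """Return the flag names set in a raw TCP header, in bit order."""
    flags = tcp_header[13]
    names = [name for name, bit in TCP_FLAG_BITS if flags & bit]
    if tcp_header[12] & 0x01:  # NS bit (RFC 3540) lives in the low bit of byte 12
        names.append("NS")
    return names


def classify_syn(names):
    """Label a connection-opening segment the way a capture reviewer would."""
    if "SYN" not in names:
        return "not a SYN"
    if "ACK" in names:
        return "SYN/ACK"
    if "ECE" in names and "CWR" in names:
        # ECN-setup SYN (RFC 3168 section 6.1.1): the sender offers ECN.
        return "ECN-setup SYN"
    # A bare SYN after ECN-setup attempts is the host retrying without ECN.
    return "plain SYN"


def classify_attempts(headers):
    return [classify_syn(decode_flags(h)) for h in headers]


# Constructed sequence of connection attempts, same 4-tuple and same ISN,
# mirroring the [SYN, ECN, CWR], [SYN, ECN, CWR], [SYN] pattern in the post.
CONSTRUCTED_ATTEMPTS = [
    build_tcp_header(51000, 443, 1000, 0x02 | 0x40 | 0x80),  # SYN + ECE + CWR
    build_tcp_header(51000, 443, 1000, 0x02 | 0x40 | 0x80),  # retransmission
    build_tcp_header(51000, 443, 1000, 0x02),                # plain SYN fallback
]

if __name__ == "__main__":
    for hdr in CONSTRUCTED_ATTEMPTS:
        print(decode_flags(hdr), "->", classify_syn(decode_flags(hdr)))
```

The same decoder run over the source and firewall captures separately would show whether the plain SYN ever reached the firewall; a segment present in one capture and absent in the other is the first thing to pin down before reasoning about the retransmission counters.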



/31 mask on Wan interface of firewall.

Is it possible for an ISP to assign you a /31 mask to use on the WAN interface of your router or firewall?

Typically when a customer needs a single IP from an ISP, they assign a /30 and use 1 IP on their interface and 1 gets assigned to the customer's device. 1 is used as the network address and 1 is used as a broadcast address. Out of 4 IPs, 2 are wasted and the customer only receives 1 usable.

Wouldn't a /31 give the customer the same thing but save the ISP 2 IPs? 1 IP on the ISP interface, 1 IP on the customer interface. No network address and no broadcast.

I guess my question is: could an ISP hand out /31s instead of /30s to save IP space? Or does a client need the network and broadcast address of a /30 subnet?
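Added worked example, not part of any post on this page, for the two addressing questions above: the /36-to-/35 IPv6 question near the top and this /30 versus /31 question. It uses Python's standard library ipaddress module; the /31 accounting follows RFC 3021 (both addresses of a /31 are usable on a point-to-point link), and the IPv4 block 203.0.113.0/24 is a documentation prefix chosen here, not a value from either post.

```python
import ipaddress


def aggregate_prefix(prefix, new_prefixlen):
    """Name the shorter prefix that contains `prefix`.

    A /36 is not "converted" into a /35: the /35 is the aggregate that holds
    this /36 and one sibling /36. supernet() clears the bits beyond the new length.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if new_prefixlen >= net.prefixlen:
        raise ValueError("aggregate must be shorter than the original prefix")
    return net.supernet(new_prefix=new_prefixlen)


def members_of(aggregate, prefixlen):
    """List the prefixes of length `prefixlen` that make up an aggregate."""
    return [str(n) for n in aggregate.subnets(new_prefix=prefixlen)]


def point_to_point(prefix):
    """Account for the addresses on a customer link.

    A /30 spends two of its four addresses on network and broadcast; under
    RFC 3021 a /31 has neither, so both addresses are interface addresses.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    addrs = list(net)
    usable = addrs if net.prefixlen == 31 else addrs[1:-1]
    return {
        "total": net.num_addresses,
        "usable": [str(a) for a in usable],
        "wasted": net.num_addresses - len(usable),
    }


def links_per_block(block, link_prefixlen):
    """How many customer links of the given length fit in an allocation."""
    return sum(1 for _ in ipaddress.ip_network(block).subnets(new_prefix=link_prefixlen))


if __name__ == "__main__":
    agg = aggregate_prefix("2406:6400::/36", 35)
    print(agg, "contains", members_of(agg, 36))
    for p in ("203.0.113.0/30", "203.0.113.0/31"):
        print(p, point_to_point(p))
    print("links in a /24:", links_per_block("203.0.113.0/24", 30), "x /30 vs",
          links_per_block("203.0.113.0/24", 31), "x /31")
```

The `usable` list is what an access router actually hands out, so the /31 case is worth checking against the customer CPE before relying on it: RFC 3021 support is universal on modern routers, but the calculation above is only valid where both ends implement it.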



Help me with an IP camera & Network switch fiasco please

Hi, as all these tricky jobs go I got drafted in to add to and sort out some issues on a previous install.

NVR - Router - connected together in a basement

Router - 80m Cat 6 - Network switch 1 (2 uplinks and 4 PoE)

Network switch 1 - 20m Cat 5 to one 4MP CCTV camera

Network switch 1 - 200m Cat 6 to network switch 2

Network switch 2 (has option for CCTV and LAN mode) - 10m Cat 6 to ANPR camera

Network switch 2 - 10m Cat 6 to 2MP camera

Network switch 2 - 10m Cat 5 to 4MP camera

The added bonus is an additional alarm output cable from the NVR to a motorised barrier using Cat 6 but at nearly 300m.

It was working although with lags and delay but now the alarm triggers in the cameras are not opening the gate, if I manually trigger the alarm on the NVR you can hear the relay make noise and work but nothing happens. It was working well until network switch 1 was introduced to add the 4 mp camera.

Any and all help is much appreciated

Thanks



Question about cellular

Hello, I'm studying for my Sec+ and Net+ certs. I'm not sure this is covered in those exams, but I'm very curious about cellular technology. Talking about 4G LTE voice and SMS data, the stuff we think of as "phone" services: are they still just converted and passed to the TCP/IP stack the same as the data connection? But it doesn't become an IP packet until it makes it to the tower and is then converted? I'm having trouble finding good info about the process online. Thanks in advance guys!



Help debunking today's AMA with proof "Russia didn't hack the DNC"

Over at /r/WayOfTheBern/ there is an AMA with Bill Binney, NSA whistleblower and Trump supporter/voter. He is there to promote his claims that "The Russians never hacked the DNC". He claims "I have proof".

In his last AMA at /r/conspiracy no one challenged him.

From that AMA, here is his "proof" with "forensic evidence":

https://turcopolier.typepad.com/sic_semper_tyrannis/2019/02/why-the-dnc-was-not-hacked-by-the-russians.html

https://larouchepub.com/other/2020/4731-william_binney_makes_his_case.html

https://consortiumnews.com/2017/07/24/intel-vets-challenge-russia-hack-evidence/

Do the experiment yourself!: https://turcopolier.typepad.com/sic_semper_tyrannis/2019/0

This makes no sense to me. There are many other scenarios that could account for these numbers. Assuming his data is correct, does anyone want to help me debunk this?



SFP Question

Hi guys,

I have bought a Ubiquiti EdgeRouter 4 with 1 SFP port and 2 Netgear gc110 switches and would like to connect them via fiber but I will need SFP modules.

Now my question is can it just be one brand? or does Ubiquiti need Ubiquiti and does Netgear need Netgear? I hope you guys can help.

Thanks in advance.



Zeroshell

I am working on setting up a captive portal using Zeroshell (open source). I am aware that it offers its own RADIUS service, but can anyone guide me through how to set up authentication using an external RADIUS server?



Can someone help me understand home computers

Is every computer able to be reached from the outside world?

Is every person able to give enough information about their computer to someone else to receive unsolicited "knock knocks"? Is there like anything outside of their control like the ISP company they use that makes that impossible?



Second-hand FortiGate 40C: spams my syslogd with all traffic instead of only denied packets

Hi.

Before I move on to get an actual new device, I have this older Fortinet 40C that I've been struggling to set up. All I need for this segment is a basic firewall, so I created the necessary rules that only allow outgoing traffic to certain networks and ports, with a "deny all" rule afterwards. Now, I want instant notifications if anything hits the "deny all" rule with "violating traffic log" enabled, so I figured I'd use "config log syslogd" to instantly receive these violating packets (if any). However, fiddling with all the options I've found there in the manual, it still spams me on literally each packet that IS allowed with the message "traffic is allowed."

I thought maybe I could update the firmware and see if that helps, but Fortigate support didn't really want to hear about it (the previous customer still owns an account with this serial number).

I looked through the web and CLI interfaces to no avail. It still spams me and also logs all the allowed packets into the memory log, along with denied ones for which I created a special rule too, before the main "deny all", with violating traffic log OFF; it still logs that too!

Is this how it's supposed to work? This seems wrong, why would it still log everything, including traffic hitting the deny rule with logging disabled? I want it to only fire up syslog message upon encountering any packet that hits the rules with "violating traffic log" enabled so that I can instantly investigate.

Yes I did execute reboot several times after changing "config log setting" settings but nothing particularly helped to narrow the logging events down to those explicitly marked to be logged. Still wants to log everything.

Yes, it's also true that "deny" messages have a severity of 4 (warn) rather than 5 (notice) for "traffic allowed" messages, but those "allowed" are still useless bloat I'd love to prevent from being logged. I double-checked in the CLI that "allow" rules have "set logtraffic* disable". No idea why it's still logged.

Maybe someone would also be kind enough to provide me with a firmware for this particular box?
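Added example, not the poster's configuration and not FortiGate's own code: a Python filter for the receiving side that reads syslog lines, decodes the PRI header into facility and severity, and keeps only the lines that are either action="deny" or at warning (4) severity or below, so the notice-level "traffic is allowed" messages never reach the alerting path even when the device keeps sending them. The four sample lines are constructed to resemble FortiGate's key=value traffic-log format with an RFC 3164-style PRI prefix; the exact field names on a real 40C depend on its firmware.

```python
import re

# Constructed sample lines modelled on FortiGate's key=value traffic logs.
# PRI <133> = facility 16 (local0) * 8 + severity 5 (notice);
# PRI <132> = local0 + severity 4 (warning), matching the post's observation.
CONSTRUCTED_SYSLOG = [
    '<133>date=2020-08-29 time=10:00:01 devname="fg40c" type="traffic" subtype="forward" '
    'level="notice" srcip=10.0.0.5 dstip=93.184.216.34 dstport=443 action="accept" '
    'policyid=1 msg="traffic is allowed"',
    '<132>date=2020-08-29 time=10:00:02 devname="fg40c" type="traffic" subtype="forward" '
    'level="warning" srcip=10.0.0.7 dstip=198.51.100.9 dstport=23 action="deny" '
    'policyid=99 msg="traffic denied"',
    '<133>date=2020-08-29 time=10:00:03 devname="fg40c" type="traffic" subtype="forward" '
    'level="notice" srcip=10.0.0.5 dstip=93.184.216.34 dstport=80 action="accept" '
    'policyid=1 msg="traffic is allowed"',
    '<132>date=2020-08-29 time=10:00:04 devname="fg40c" type="traffic" subtype="forward" '
    'level="warning" srcip=10.0.0.12 dstip=203.0.113.4 dstport=445 action="deny" '
    'policyid=99 msg="traffic denied"',
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")
# key=value pairs; values are either a quoted string or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a syslog line into its PRI-derived facility/severity plus the kv fields."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing syslog PRI header: %r" % line[:40])
    pri = int(m.group(1))
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    fields["facility"] = pri // 8
    fields["severity"] = pri % 8
    return fields


def is_violation(fields, max_severity=4):
    """Alert on denied traffic, or on anything the device rates warning or worse."""
    return fields.get("action") == "deny" or fields["severity"] <= max_severity


def violations(lines):
    """Return only the parsed lines worth an instant notification."""
    return [f for f in map(parse_line, lines) if is_violation(f)]


if __name__ == "__main__":
    for f in violations(CONSTRUCTED_SYSLOG):
        print("ALERT", f["time"], f["srcip"], "->", f["dstip"], "port", f["dstport"], f["action"])
```

The same decision can be pushed into the syslog daemon itself (rsyslog, for instance, exposes the decoded severity as the `$syslogseverity` property for filtering), which keeps the accept lines out of the alert path regardless of what the appliance decides to emit; the parser above is useful when the policy id or destination port also has to be part of the decision.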



Friday, August 28, 2020

RADIUS troubles with VPN and DHCP

Hi guys,

Long story short, I have a Draytek 2830 that is acting as a VPN server. It authenticates to a Win2016 RADIUS server that sits behind a Layer 3 switch on a different VLAN from the router's interface. There are static routes between the router and the L3 switch.

When a computer authenticates, it successfully authenticates with the RADIUS server, but the client receives an APIPA address (169.x.x.x) and can only get access to the public IP of the router. Everything else is non-responsive (public and private IP).

Does anyone know what might be causing this issue? I've spent way too much time on this.

Thanks in advance!



I would like to transmit data and stream audio over an optical link. Can anyone advise me?

I'd like to transmit data between PCs with direct line of sight. I'd also like to transmit audio from a device to my home speakers using an optical link.

Really I want it to be a project for me to work on so if there's a COTS system ready-to-go out the box I'm not interested.

New to networking. I'm a design engineer but I don't deal with wires or sparks.

  • What might the architecture look like?

  • What components do you need?

  • What programs do you need?

I just discovered project RONJA which might be a good starting point.



Connecting 2 houses 1000 feet apart via fiber to extend LAN. What's the best way to do this?

I'm trying to connect two homes with fiber to extend the LAN from Home 1 to Home 2. They are about 1000 feet apart, separated by woods. I would bury cable in the ground between the two.

I know fiber is the best choice, but I've never used fiber so I'm wondering if somebody can dumb down for me exactly the process. I'm guessing I would need direct burial fiber, possibly pre-terminated. Then, once I have the cable, is it simply a matter of having a switch on each end with matching fiber ports, and then I connect it to my Ethernet LAN in both homes.

Questions that come up:

- Do I need to trench or use conduit, or if I buy direct burial fiber am I fine as long as I'm down a few inches?

- Any specific kind of cable, certain spec? I'm new to the fiber world, and OM1, OM2, OM3, OM4, etc don't mean a lot to me.

- Do I need a pre-terminated cable, and if so what kind of connectors?

- Can I buy just any switch with fiber + RJ45 ports and plug the fiber into my home Ethernet network and be good to go?

I would appreciate it if anybody could give specifics on recommended cable and switches on each end so I make sure I'm buying the right stuff.



bgp vs ospf route

Hello friends, once again I'm stuck somewhere in networking where I can't quite wrap my head around something. Really sorry about the poor drawing by the way.

Let's say I have a small topology of 3 routers attached in a triangle, below.

          ISP
           | eBGP
          RT1
    eBGP /   \ ospf
        /     \
      RT2 ----- RT3
          ospf

RT1 is learning only a default route from the ISP via eBGP.

RT2 somehow knows this default Route from BGP peering to RT1. Is this automatic? Will one eBGP neighbor always relay its default to another eBGP neighbor or do I need to explicitly redistribute this or network it to the other neighbor?



Multi tenant subnet convention?

Curious how others who have set up networks/subnets for buildings that have tenants needing to use shared internet handle it: is it usually a good idea to just do a /24 network for each tenant if it's a couple dozen employees?
So for example make tenant 1 10.102.200.0/24, and then tenant 2 10.102.201.0/24? Is there a better approach/practice?



VLANs on Nanostation M2 Wireless Bridge

This weekend, I am turning up new switches on each end of a wireless bridge.

It is configured for Bridge and Simple on the networking tab.

Device Model: NanoStation M2
Network Mode: Bridge
Wireless Mode: Access Point WDS

Is there anything special I need to do to have it support VLAN tagging? I am going to be doing a trunk on the M2 port on each side, with a native VLAN and tagging about 8 other VLANs.

I'd hate to have an issue tomorrow morning when we remove the HP switches and put in the Cisco ones with tagging.



Recommended resources to learn and understand how vpn with all relevant protocols (bgp...) work?

I did a few setups but they were cloud abstracted so I'm not 100% sure on how it really works and I want to fix this.



Cisco WLC 5520 AVC statistics

I'm trying to programmatically get AVC stats from my wireless controller. The equivalent of the output of:

show avc statistics top-apps

Other than Netflow (I'm not sure I can get this exact data with netflow) what is the best way to get this data? Is it available via SMTP? Do I have to scrape an ssh session?

Any insights would be appreciated.



Help setting up LACP in FreeNAS

New to FreeNAS and I could use a bit of help. I am trying to configure LACP. On my switch I have ports 21 and 22 on lag1, with lag1 being untagged on a single VLAN and excluded everywhere else. My FreeNAS server has 2 NICs, each with a static IP on the same VLAN. I know you are not supposed to have two NICs on the same VLAN, but I figured just for setting everything up. I am trying to bond them on the FreeNAS side and it says the network is already in use by another NIC. I'm assuming this has to do with both NICs having static IPs on the same VLAN, so what should I do about this? Do I put them both in different VLANs from the one I want to do the link aggregation on? Should I put lag1 tagged on the VLAN I want to use and untagged on my default VLAN?



Cisco 3650-48-TS Question Re SFP Ports

My google-fu is failing me and I can not find a straight answer to this question and I'm hoping someone here knows for sure.

Does using the 4 additional SFP ports on a Cisco 3650-48-TS disable the last 4 standard ethernet ports of the switch?

Thanks!



Do I need to tag ports connected 2 switches?

Hey guys, I'm super confused with the HP VLAN terminology and inner workings.

I have 2 switches, us1-sw02 and us1-sw05.

sw02 has 5 vlans, 1, 20, 69, 100, 101

sw05 has one vlan 1

Both switches have VLAN 1 as the default VLAN. There is no management VLAN; my predecessor made it that way.

Anyway, this is insanely confusing to me. So sw02 is the core switch cause it has all the servers hooked into it. The only empty port is 14.

sw05 is just a temporary switch I found on the shelf.

So I connected port 14 on sw02 to port 48 on sw05 and so far both switches are talking to each other. I didn't create a trunk or tag anything on any switches.

From sw05, when I connected to say port 1 using my laptop, I could receive an IP and be able to access the entire network.

How is this possible? Is it because both switches are forwarding all traffic through the Default_VLAN?

Do I need to create a new VLAN for my purpose on sw05 and tag port 48 and also port 14 on sw02?

Any help is appreciated. Thanks.



Project to assess current infrastructure at a college - tools/suggestions?

My team has been engaged to go through a small college campus and document their building to building connectivity, likely as a first step in an overhaul of their core network infrastructure.

One of the things they are asking for, once we have completed the discovery and analysis (analysis being capacity, free pairs in the cabling, cable type, etc.), is software to help maintain the diagrams and help with capacity planning.

Normally, this is a Visio thing all day, but does anyone know of any tools to measure/analyze/plan capacity for cable/strands between endpoints?



Ethernet Tester for home use

I'm looking to test ethernet cables (especially the ones I've crimped together) for bandwidth, speed. Any idea on a tester that won't break the bank? I have CAT5a and CAT6, but not convinced they are up to par.

I've seen some of the Fluke and other crazy expensive testers, but haven't found much that is in home-use cost range and gets good ratings.

Thanks in advance!



HP Aruba Switch to Hyper-V Nic Teaming

Hello guys,

I want to create redundant network connections for my Hyper-V server. I have two VLANs that have to be seen by the Hyper-V network switch.

What's the best way to go about that? NIC teaming and an LACP trunk on the switch?



RIFT - Routing in Fat Tree Networks

Does anyone have RIFT implemented yet to simplify building the DC fabric / 3-stage or 5-stage Clos topology? The benefits seem huge, but I'm wondering where this stands in ratification and adoption by Juniper and other vendors. Thanks!



Is inbound traffic allowed on open sockets?

ISPs tend to block all inbound traffic. What if I keep the socket alive after the initial handshake with a remote server, and the protocol doesn't impose any limit on how long the socket can be kept open? Can the server send traffic towards me through the socket channel without needing the client to first send a request? I was told that's how push servers work. But I'm confused how this is possible. Isn't the socket just a resource allocated by the two endpoints (client and server)? How is my ISP supposed to know anything about the opened connections to not drop inbound traffic in the middle?
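Added example, not from this post or the earlier "home computers" post it also illustrates: a Python model of the connection tracking that a home router/NAT or a stateful filter at the ISP performs. It shows why a server can push data down an established flow without a fresh client request (the flow already has state), why unsolicited inbound packets are dropped, and why an idle flow loses its state after a timeout. The addresses, ports, timeout and timeline are all constructed here.

```python
from collections import namedtuple

# direction is "out" (leaving the home network) or "in" (arriving from the Internet side)
Packet = namedtuple("Packet", "direction src sport dst dport")


class StatefulFilter:
    """Minimal connection-tracking model: state is created only by outbound traffic."""

    def __init__(self, idle_timeout=300):
        self.idle_timeout = idle_timeout
        # (local ip, local port, remote ip, remote port) -> time the flow was last seen
        self.flows = {}

    def _expire(self, now):
        stale = [k for k, seen in self.flows.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.flows[k]

    def process(self, pkt, now):
        """Return the verdict for one packet at time `now` (seconds)."""
        self._expire(now)
        if pkt.direction == "out":
            # Outbound traffic creates or refreshes the flow entry.
            self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "allow"
        # Inbound traffic is allowed only if it matches the reverse of a tracked flow.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            self.flows[key] = now  # server-initiated data keeps the flow alive too
            return "allow"
        return "drop"


def run_scenario():
    """Constructed timeline; returns the verdict for each packet in order."""
    fw = StatefulFilter(idle_timeout=300)
    client, server, stranger = "192.168.1.10", "203.0.113.50", "198.51.100.77"
    events = [
        (0,   Packet("out", client, 50000, server, 443)),    # client opens the connection
        (1,   Packet("in",  server, 443, client, 50000)),    # server's reply
        (100, Packet("in",  server, 443, client, 50000)),    # server push, no client request
        (100, Packet("in",  stranger, 40000, client, 22)),   # unsolicited "knock knock"
        (500, Packet("in",  server, 443, client, 50000)),    # 400 s idle: state has expired
    ]
    return [fw.process(pkt, t) for t, pkt in events]


if __name__ == "__main__":
    print(run_scenario())
```

The last event is the reason push protocols send periodic keepalives: nothing about the socket on either endpoint tells the middlebox the connection still exists, so a flow that carries no packets for longer than the tracker's timeout silently loses its entry and the next server-initiated packet is treated as unsolicited.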



Application like Fortinet SSLVPN Web Portal or similar...

Hi,

I'm looking for software that provides functionality similar to, e.g., Fortinet's clientless SSL VPN web mode.

So:

  • Login to a web portal via HTTPS
  • User authentication and authorisation in combination with an LDAP or RADIUS server; OTP integration would be nice
  • Access to "internal" web applications
  • Optional: clients for SSH, RDP, VNC and so on
  • Flexible GUI customisation

Is there any single-purpose application available for this single job?

I'm fine with commercial products, but it should be a complete self hosted application without any recurring subscription fees.



Create a group based on Resolved IP Addresses in LibreNMS

Hello,

I'm trying to create groups (of switches) based on resolved IP addresses as I used their hostname to add them into LibreNMS.

I have tried (almost?) every single IPv4 rule but none works as I would like. Some seem to include the switches on which I have the Port module enabled but I've not been able to include the others.

Thanks a lot for your answers !

Have a nice day ;)



FortiGate firewalls HA redundancy is not working

In our enterprise network, we have configured FortiGate firewalls in active-active HA redundancy.

The problem is that it doesn't work. My colleague and I have spent weeks on trying to fix this but nothing seems to work.

Below is the description of what's happening, can someone please provide any helpful input on this?

We have 2 FortiGate 60E firewalls configured in HA mode for active-active redundancy. The secondary firewall is supposed to take over when the primary fails.

For testing the redundancy, we have triggered the failover by either rebooting the primary FortiGate or by disconnecting the WAN cables on the primary and connecting them on the secondary.

On secondary: Users are able to connect to FortiVPN and can reach the direct VLANs on the core switch but cannot connect to networks beyond the core switch (e.g. virtual platform, corporate LAN).

On primary: User is able to connect to FortiVPN and can reach all the networks.

After the failover, the cluster MAC addresses on the Cisco switch are learnt from the secondary unit on the respective interfaces.

However the networks are unreachable beyond the core switch.

When on the secondary, in the FortiGate sniffer:

For the working traffic, in the request packet, we see the MAC address 0000.0000.0000 as the destination while the source is the FortiGate MAC.

In the response packet, we see the Cisco MAC as the source but the destination is again 0000.0000.0000.

Still this traffic works.

For the non-working traffic, source and destination are all 0000.0000.0000. This traffic doesn't work.

The FortiGate TAC engineers weren't able to provide any advice either.



Thursday, August 27, 2020

Cisco AP Finder

Hello, I'm trying to locate some Cisco APs. The AirCheck Fluke is very expensive. Is there a cheaper alternative?

Thanks



Cisco 9500 - which mode is it running in??

I've searched and searched and it's getting really frustrating not being able to find this simple answer. I'm wondering if it's maybe because I'm framing the question wrong.

I'm simply trying to determine if this stack of two 9500-24Y4C switches is compatible with ISSU. It's currently running 16.9.4 and we want to update to 16.9.5. Strictly speaking I'm pretty sure this upgrade is compatible with ISSU.

One other requirement for ISSU is for the switch to be running in INSTALL mode. This is what I can't find an answer to. All I've found is to use the show version command but that's for a 3850 and it does not show the same information on a 9500.

The last requirement is to be running stackwise-virtual and I'm pretty sure I am based on the result of running show stackwise-virtual.

Is it just me or is Cisco's documentation good in some areas (step by step process instructions) but piss poor in others?



Firmware upgrade on Cisco WLC 2400

This is my first time doing a firmware upgrade on a Cisco WLC and I have a few questions. I notice there are two image files on the Cisco firmware page: 1. base image, 2. AP bundle image.

Would this procedure work?

  1. Download base image onto WLC, and do not reboot yet

  2. Download AP bundle image onto WLC, go to WLC, under global config, pre-download AP image.

  3. Reboot WLC

Or do I have to follow the exact procedure outlined in the release notes:

  1. Download base image onto WLC, pre-download AP image, and reboot
  2. Download AP bundle image onto WLC, pre-download AP image again and reboot

I'd like to stick with rebooting once, but I am not sure if this could pose any issues? Also, when AP pre-downloads the image, does it use base image file or AP bundle image file??



Controlling access to servers by unprivileged Users/VLANs

Hi Team,

Looking for opinions/pros/cons about the following approaches. I am a SysAdmin of almost 20 years but have not dabbled too much into networking. I have basic VLAN knowledge (can tag/untag/trunk etc.). Example network is 2 VLANs for 2 /23 subnets. Let's call them "Servers" (1) and "Users" (2).

What would be the best way to limit access that Users have to hosts on the Servers VLAN? The ideas I came up with using my basic experience are:

A) Two virtual interfaces on a virtual server that the Users need access to. One VLAN per nic;

- Means users can access that single host with no access to other hosts on VLAN.

B) One virtual interface on the virtual server with both VLANs assigned, with firewall on server

- Avoids multihome issues, however adds overhead for managing firewall

C) *least knowledge* Implement some kind of access control on the switching network. I assume this is possible and this is probably where I will need some education.

Cheers :)



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Changing from Cisco to Dell

I am a sys admin and backup to the network engineer at a fairly large school district. We have 18 campuses hooked up dark fiber with all Cisco networking (Catalyst 9500 and 3850 switches). Our boss is trying to save money and mad about smartnet so he's really hoping to switch to an all Dell network. Does anyone here have an experience like this? We feel like the layer 2 equipment isn't going to make much difference but we are very skeptical about the Layer 3. Hoping to hear some success stories from someone here.



No connectivity between switches over fiber

I'm deploying a switch to a new building and I cannot get them to see each other (no activity light, no ping, no LLDP).

The connection goes (from MDF to IDF), Ruckus ICX 7150 --> 1G Brocade SX SFP ---> 50/125 MM patch cable --> MM 50/125 fiber drop --> 50/125 MM patch cable --> 1G Brocade SX SFP --> Ruckus ICX 7150

Things I have done:

  1. Test fiber drop lines for signal and correct polarity (-6.41 dB)
  2. Test a different patch cable in the IDF (I should swap out cables in the MDF to be sure, so that's next on my list)
  3. Swap out and test the MDF switch with a different and known to be working HP switch and matching HP SFP
  4. Make sure ports are enabled
  5. Make sure STP is not blocking the port (both STP and 802.1w are disabled on both ends)
  6. Made sure switches can see the SFP installed
  7. Both Ruckus switches are on the same firmware
  8. VLANs are tagged the same on both ends on the port
  9. Logs are not showing anything indicating errors, blocking ports, or anything else as far as I can see

We have made this work over other fiber drops so I know it can be done. I feel like I'm just missing something easy and stupid. Any ideas where I could try troubleshooting would be appreciated!

Thanks.



Beginner help, two bridges via Proxmox

I have a host machine (proxmox) with several VMs. I want one of these machines to act as a proxy for all the traffic:

Internet - proxyVM - others

By default I got a bridge, vmbr0, and I can set the proxyVM tap (generated by Proxmox on VM creation) to this bridge (together with eno1). Now I can ping google.com from proxyVM, great.

Internet - host - vmbr0 - proxyVM

Now I want another bridge to connect proxyVM and all the other VMs:

Internet - host - vmbr0 - proxyVM - vmbr1 - (all VMs)

In Proxmox I created another bridge (can't set the gateway, not sure why). I added another network device on the proxyVM. Not sure if this is needed but it gives me another tap that I can add to vmbr1. So "brctl show" looks okay? I guess? I see 2 interfaces on vmbr0, eno1 and tap0 from proxyVM. I see 2 interfaces on vmbr1, tap1 from proxyVM and taps from the other VMs that I set up.

However I still can't reach the Internet from any of the VMs... am I missing something? What do I need to set this up? Thanks! Total beginner here...



Networks questions. Need answer. Stuck with these

Q1 An application on a device, which is connected to the Internet via a 100Mbit/s Ethernet connection, generates a 1,200-byte block of data. The service provided by the transport layer is reliable. How long does it take to transmit the Ethernet frame? Explain clearly any assumptions made.

Q2 Interleaving is used in a VoIP application to conceal burst loss. Consider that 24 packets (numbered 1 to 24) of speech are to be transmitted and the interleaving depth used is 8. All the packets are 225 bytes and the transmit rate is 10 Mbit/s.

i) If transmission starts at t = 0 seconds, at what time is transmission of packet number 4 complete?

ii) Supporting your answer using the information given, explain a disadvantage of the interleaving process.

Q3 An application is running on top of UDP at the transport layer and IP at the network layer.

i) What type of service do UDP and IP provide and what are the characteristics of such a service?

ii) What is the disadvantage of using such a service at the network layer?

iii) What is the advantage of using such a service at the network layer?

iv) Giving reasons, explain what needs to be done at the data link layer and the application layer to ensure that the sending application’s data is replicated at the receiver.

v) Why is there a need for UDP if it provides the same service as IP?

Q4 A company is implementing VoIP to carry voice calls between sites. WAN connections between sites will carry voice and data. G.711 CODECs are used, generating 8,000 8-bit samples per second. The speech sample size is 20ms and the additional overhead required per packet is 25%.

i) How many bytes are there per packet?

ii) What is the total bandwidth required for 50 concurrent calls?

iii) The network administrator decides to change to a G.728 codec which operates at 16kbps and has the same sampling period as the G.711 codec. Explain one advantage and one disadvantage of this change.

Q5 Two nodes, A and B, are attached to opposite ends of a 2km cable. Node A has one frame of 9,744 bits (including all header and trailer bits) to send to node B. The signal propagation speed on the cable is 0.5x10^-8 s/m and the transmission rate is 100 Mbps. There are five routers between A and B, each inserting a 20-bit delay. If A starts transmitting the frame at time t = 0s, and assuming the same link layer protocol operates across all links, at what time does the last bit of A’s frame arrive at B?

Q7 Using a frame sequence diagram, give an example of an exchange of frames between X and Y that involves the three different HDLC frame types. Give a detailed description of what is happening in the exchange. Include, where appropriate, frame sequence numbers in the form [N(S), N(R)].

Q8 Packets of four different data classes D1, D2, D3 and D4 are queued for transmission at a router. All packets are 500 bytes in size and the transmit rate is 10Mbps. At t = 0 seconds all queues are full, each containing 10 packets.

i) Assuming priority queueing, where D1 is the highest priority and D4 the lowest priority, at what times will transmission of the last D1 and D4 packets be complete?

ii) Assuming round-robin queueing, with the same assigned priorities as in (i), at what times will transmission of the last D1 and D4 packets be complete?

iii) If weighted fair queueing is used and the weights assigned to D1, D2, D3 and D4 are 0.2, 0.3, 0.1 and 0.4 respectively, at what times will transmission of the last D1 and D4 packets be complete?

Q9 Two stations are communicating across a data link using the HDLC protocol and both stations are busy generating frames. The data rate is 400Mbit/s, the end-to-end delay is 20μs and the fixed frame size is 250 bytes of which 8 are overhead. A window size of 4 is used and the ARQ mechanism is go-back-N. The protocol is set up in such a way that for information frames all acknowledgements are piggybacked. Assume that there are no frame errors.

i) Calculate the efficiency of the given data link as described above.

ii) What impact will increasing the window size to 12 have on the efficiency of the link?

Q10 Using a diagram to help illustrate your answer, compare the role and scope of operation of layer 2 source/destination addresses with that of layer 3 and layer 4 source/destination addresses in the exchange of messages between two end-points in the Internet.
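The scheduling parts of Q8 above, (i) strict priority and (ii) round-robin, can be checked with a small simulator. This is an added example, not part of the post or of any textbook answer key; it assumes a work-conserving link that sends whole packets back to back, with the packet size, link rate and queue contents taken from the question, and it leaves out part (iii) because the completion times under weighted fair queueing depend on which WFQ model the course uses.

```python
from collections import deque

# Constructed from Q8: four classes D1..D4, 10 packets each, 500-byte packets, 10 Mbit/s link
PACKET_BITS = 500 * 8
LINK_BPS = 10_000_000
TX_US = PACKET_BITS * 1_000_000 // LINK_BPS   # 400 microseconds per packet on the wire


def q8_queues():
    """Initial state at t = 0: every queue full with packets numbered 1..10."""
    return {f"D{i}": list(range(1, 11)) for i in range(1, 5)}


def priority_schedule(queues, tx_us=TX_US):
    """Strict priority queueing. `queues` is an ordered mapping, highest priority first.
    Returns {class: time in microseconds at which its last packet finished transmitting}."""
    pending = {name: deque(pkts) for name, pkts in queues.items()}
    sent = 0
    finished = {}
    while any(pending.values()):
        # always serve the highest-priority queue that still holds a packet
        name = next(n for n in pending if pending[n])
        pending[name].popleft()
        sent += 1
        if not pending[name]:
            finished[name] = sent * tx_us
    return finished


def round_robin_schedule(queues, tx_us=TX_US):
    """Round-robin queueing: one packet from each non-empty queue per cycle; priorities play no role."""
    pending = {name: deque(pkts) for name, pkts in queues.items()}
    sent = 0
    finished = {}
    while any(pending.values()):
        for name, q in pending.items():
            if q:
                q.popleft()
                sent += 1
                if not q:
                    finished[name] = sent * tx_us
    return finished


if __name__ == "__main__":
    for label, fn in (("priority", priority_schedule), ("round-robin", round_robin_schedule)):
        done = fn(q8_queues())
        print(f"{label}: last D1 done at {done['D1']} us, last D4 done at {done['D4']} us")
```

Under strict priority the D4 queue is starved until D1, D2 and D3 are empty, which is the point the question is steering at: D4 finishes last in both schemes, but round-robin makes D1 wait much longer for its last packet.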



Would anyone in networking be interested in free-space optical communications?

Hi, I noticed that there wasn't a sub for the field of free-space optical communication, a.k.a. lasercom, and several Redditors suggested this as one of the places it might appeal to. Would anyone be interested in subscribing to /r/lasercom?

Bit of background: Lasercom involves transmitting highly focussed signals, usually in the infrared or near-infrared spectrum, across thousands of kilometers, improving space-based communication and delivering the internet to remote locations. SpaceX is a more prominent example, but the technology has been demonstrated on various space and interplanetary missions and has been developing for the past few decades (with the first successful demonstration by Japan in 1994).

Lasercom is a big growth area of engineering right now, offering faster, smaller, more secure communications than currently provided by either fibre or radio. It's going to dominate the satellite market - that's a certainty. All the big space/telecoms players have their toe in it. Within the next 5 years there will be multiple constellations being built each with hundreds of satellites with inter-satellite optical links. I suspect it will make X-band satellite comms obsolete in some applications, and will play a significant role in the way the internet develops during the 21st century - Particularly as the networks of near-Earth satellite constellations continue to grow.



Wireshark or other Capture Software

Hi Reddit Folks,

Is it possible to track activity on a computer connected by an RDP session?

For example, on my computer I can track web browsing, but if I RDP to another computer and browse the web there, is that trackable somehow?

I'm trying to see if users RDP'ing into other devices are web surfing.

Thanks in advance for your help and time!



Announcing: A new way to get the latest and best of DevOps delivered

From trend reports, webinars, articles, new service updates, and Twitter threads, there's a lot of DevOps content out there.

Ever wanted an easy way to see only the best stuff? If so, check out our newsletter 'The Leading Edge'. It's a bi-weekly email that sifts through all the latest news in DevOps to bring you the best that's out there. It's the easiest way to stay up to speed on what's new in the cloud.

Interested? Sign up here



CISCO ISE authentication problems

Hello all,

I have upgraded my Cisco ISE to the latest version, which is 2.7.

Before upgrading it, I was facing many problems regarding authentication. I thought that if I upgraded it to the latest version, it might solve my problem.

ISE is not always authenticating the users; most of the time the users are rejected because of the authorization profile.

Most of the time I solve the problem by restarting the PC. Every day I am facing issues with ISE, especially with authentication.

Any recommendations?



Segment-routing TE + TI-LFA possible? And does SR-TE have a fast reroute mechanism at all

Whatsup Reddit,

I was reading an article on the web explaining how segment-routing TE doesn't go very well hand-in-hand with TI-LFA, because intermediate routers in the traffic-engineered path would have problems linking an adjacency-SID to the actual node-SID it belongs to. (Basically, if the path contains an Adjacency-SID, then it would be difficult for an intermediate node to find out to which node that SID belongs.)

However, I was wondering how such a popular protocol as SR is supposed to provide fast rerouting capabilities then.

I did some research on Google and saw that Cisco has published an article explaining how a router that initiates a tunnel can fast reroute the traffic to another router in case the first hop dies, but nothing about support from intermediate nodes along a path. There was a draft named "draft-hegde-spring-node-protection-for-sr-te-paths-05", but I could not really find support from major vendors when it comes to articles or information on whether this ever got implemented.

Does anyone here have any familiarity with SR, and knows how fast reroute is supposed to be configured with SR?

Appreciate it



Wifi showing wan disconnected

I was using my wifi and it was working perfectly until I got buffering. I checked the router's site and it shows WAN disconnected, but the cable is connected. Please help if you can.



I have 2 trunk connections going to the core. It is going to one of our distro switches. What protocol can I use to make the second connection redundant? So it takes over if the first int fails?

Is there a way for me to do this? We have 2 trunks from our core to our distro. Instead of having both connections, I would like it to go through only 1 trunk and then use the secondary if there's a failure.

Any help is greatly appreciated.



Fire at LHC Telstra

If you have services down this morning that transit LHC Telstra, be aware there has been a fire and the building has lost power to some areas.

https://www.cbronline.com/news/data-centre-fire



Is anybody using Cisco TrustSec?

Hello,

I am studying CCNP ENCOR nowadays and I have stumbled upon TrustSec. I have been hearing about this technology since 2012, but I have never seen it in production anywhere.

Has anyone seen it? Does it do the job? Is it worth it? Or is it Cisco's way to lock customers into running full-stack Cisco devices?



recommendation: Best BGP resource/book/website/cbt troubleshooting

Looking for a recommendation for the best resource you use/used to get up to speed on and troubleshoot BGP.

Running Cisco Nexus 5000/6000 and Cisco 12.x 15.x code on L3 switches and routers in limited areas of my infrastructure. BGP has been working well with no issues over the last several years (set and forget zero expansion of infrastructure) and has not been documented well.

Thanks



Packetloss monitoring multiple locations

I am looking for a solution to monitor packet loss from different locations in the world. Preference is given to a SaaS application without maintenance, like UptimeRobot, Pingdom etc.

We now have a few VPS servers with Smokeping and a Smokeping cluster setup. But if we want 50+ locations for monitoring it's very expensive.



Wednesday, August 26, 2020

Ruckus r600 heartbeat

I just installed a Ruckus R600 AP and it keeps disconnecting every 2 hours and gives me a heartbeat loss error. I only have the 1 AP, Unleashed. Any ideas?



Need no strings attached DDNS

I have several users that travel and I need a completely free DDNS service that you don't have to confirm every 30 days or whatever to keep it activated. I would install whatever desktop app or service so it updates DDNS. Then in my own DNS would create a record to point to it. Lastly I have a webserver that runs a cron job and parses the IP and updates access to the websites from that DDNS resolution. I do it from home using my synology.me address and it works great. Just need to find a solution for my users. Any suggestions?



MTU & TCP MSS Question

Every time I study MTU, I seem to get it, and then I do work in real life and it confuses me. I had an issue the other day and wanted to check my theory.

I had a firewall that we could not browse to via HTTPS. When doing a packet capture and troubleshooting we saw the following:

  1. Successful 3 Way Handshake
  2. TLS Client Hello
  3. On the response (Server Hello, Certificate) we saw a packet that was 1512 in length, although the MTU of the link is 1500 and the MSS negotiated in the handshake was 1460.
  4. When we lowered the MTU to 1400 on the Management Interface we then saw the MSS negotiated to 1360
  5. After 1360 the connection was successful

So, when the packet was 1512, why was it not fragmented and then put back together at the other end? This packet contained everything in the one packet it needed it was just too big for the link. I thought when a packet is too big it is fragmented as long as fragmentation is supported. Or, a certificate packet is not allowed to be fragmented as I noticed the 1512 packet is marked as DF.

Lowering the MTU now has less room for TCP payload via MSS so now it works, but it doesn't contain the same amount of data that was in the 1460 payload does it? Is it not the data the issue, but the overhead on top as the 1512 packet had 1460 of payload? Can the cert etc fit in the 1360 payload but because MSS was 1460 tried to get as much data in there as it could?

Hope this question makes sense, wanted to post it on ask stupid question but missed it on Monday.

Thanks

Brad
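The relationship Brad's capture shows (MTU 1500 giving MSS 1460, MTU 1400 giving MSS 1360) and the reason a DF-flagged 1512-byte packet is dropped rather than fragmented can be modelled in a few functions. This is an added example, not code from the post; it assumes IPv4 and TCP headers without options (20 bytes each), a path described as a list of link MTUs, and an ICMP "fragmentation needed" message that either reaches the sender or is filtered on the way back.

```python
IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options


def mss_for_mtu(mtu, ip_hdr=IP_HDR, tcp_hdr=TCP_HDR):
    """MSS a host advertises in its SYN: the link MTU minus the IP and TCP headers."""
    return mtu - ip_hdr - tcp_hdr


def n_fragments(packet_len, link_mtu, ip_hdr=IP_HDR):
    """Fragments needed to push an IPv4 packet through link_mtu when DF is clear."""
    payload = packet_len - ip_hdr
    per_fragment = (link_mtu - ip_hdr) // 8 * 8   # fragment offsets count in 8-byte units
    return -(-payload // per_fragment)             # ceiling division


def forward(packet_len, link_mtu, df):
    """What a router does with one IPv4 packet heading for a link of the given MTU."""
    if packet_len <= link_mtu:
        return "forwarded"
    if df:
        # DF set and too big: drop it and send ICMP type 3 code 4 (fragmentation needed)
        return "dropped, ICMP fragmentation-needed sent back"
    return f"fragmented into {n_fragments(packet_len, link_mtu)} pieces"


def pmtud_send(packet_len, path_mtus, icmp_reaches_sender, max_tries=8):
    """Path MTU discovery from the sender's side: every packet carries DF, and on an
    ICMP fragmentation-needed the sender resends at the MTU that ICMP reports.
    Returns (outcome, size that finally crossed the path)."""
    size = packet_len
    for _ in range(max_tries):
        too_small = next((m for m in path_mtus if size > m), None)
        if too_small is None:
            return "delivered", size
        if not icmp_reaches_sender:
            # the failure mode behind a hung TLS handshake: small segments pass, the
            # large Certificate segment vanishes, and nothing tells the sender why
            return "black hole: DF packet dropped and the ICMP never came back", size
        size = too_small
    return "gave up", size


if __name__ == "__main__":
    print("MSS for MTU 1500:", mss_for_mtu(1500), "/ for MTU 1400:", mss_for_mtu(1400))
    print("1512-byte DF packet on a 1500 link:", forward(1512, 1500, df=True))
    print("1512-byte non-DF packet on a 1500 link:", forward(1512, 1500, df=False))
    print(pmtud_send(1512, [1500, 1500, 1500], icmp_reaches_sender=False))
    print(pmtud_send(1512, [1500, 1500, 1500], icmp_reaches_sender=True))
```

When the ICMP does come back, the sender shrinks the segment and the same certificate simply arrives in more segments; lowering the interface MTU by hand, as in the post, achieves the same thing without relying on ICMP getting through the firewall.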



Trying to get a jump on networking

Hello all, I am a junior computer science major and am very interested in networks. What are some ways I can get a jump on learning networks before I take networking next semester? Books, YouTube channels, podcasts, webpages to learn are all appreciated! Thank you so much in advance!



Need help getting Internet shared to different devices.

So due to the COVID pandemic I am not able to go down to this remote site to physically access some servers to install a few programs.

The servers do not have RDP enabled, and to enable RDP on these servers, which are running Ubuntu 18.0, I would need to download the installer. I do have access to a local team that has a laptop and internet access via mobile data sharing. Is there any way I can share that internet connectivity from the laptop to the servers?

I would appreciate any help on this matter. Thank you!



CIS MAJOR - Windows or Cisco?

Hey all,

First-time college student majoring in CIS. Taking a few CIS classes and wondering your thoughts on working with WINDOWS OR CISCO?

I am also working on these classes to attain certifications to get into entry-level IT positions to gain experience, as I know fully how much this field prefers experienced candidates.

What are your thoughts on which side to choose, and what are the pros & cons? Does getting a Bachelor's significantly increase salary level, or does experience outweigh it? Is it best to have both a Bachelor's and experience? If so, then my goal is to gain these certs and work my way up in entry-level IT positions while studying my courses.

Thanks, Reyben



Network tester

I am not sure if this is the best place to post this, but I am torn between the Ideal VDV II Pro or the Klein Scout Pro 3. Money is not a factor and I will be getting extra remotes and all that. Just want to know which one is best. I had an Ideal VDV version 1 at one point and liked it a lot.



How do you tell what hardware is a good fit at a certain level?

I’ve been evaluating network hardware for the last few weeks. How do I figure out whether a given device will handle a certain use case? I’ve heard of different metrics:

  • X number of users
  • “10,000 to 20,000 concurrent connections”
  • 1,000,000 packets per second
  • 2.5Gbps or 1.5Gbps with firewall or 200Mbps over VPN

But the spec sheets don’t consistently address the same metrics.

Then I get anecdotal advice like “Brand X won’t handle 200 users. You need Brand Y.” Sometimes I can detect a flame war comment and sometimes it sounds legit. How can I objectively evaluate what I need and what hardware will fit?



Smart Office Fail: TP Link Plugs Won't Stay Connected to TP Link Servers, Local Only Control

Cross post from Mikrotik subreddit too in case it's specific to office router...

Finally getting around to playing with some smart plugs to start offering services to my clients for smart offices and am running into a network connection issue.

I have a Mikrotik CCR1009-7G-1C-1S+ with a fairly simple setup (DHCP, NAT, firewall, a few VLANs) for my office. One of the VLANs is an IoT VLAN and I am trying to get TP Link Smart Plug Minis to work on my network. When I first boot up the plug, everything works fine: it joins WiFi, and local control and control of the plug over the internet work great. After almost exactly 5 minutes, the plug switches to "local only" control in the TP Link app and access to the plug over the internet doesn't work at all; it shows the plug is offline. About 10 minutes later, the plug briefly drops off the network completely, it seems, and then rejoins and now works fine again. This process of working, then not working, then working again repeats over and over.

At first I thought maybe it was PiHole blocking something with TP Link servers, but the plug does work fine at first and I changed DNS on router to use 8.8.8.8 and it still had same problem anyway. I brought the plug to another location (a mikrotik router as well with built in wifi) and the plug works fine there non-stop. I also tried a different temporary access point on the network in case the main AP had some weird issue with the TP Links. I also disabled 5GHz on the APs.

So obviously the plug doesn't have a problem and it's something with my office setup causing it to not work. I am out of ideas.... and I have no other issues with any other device on the network or any VLAN.

Any ideas smart networking people?



Palo Alto Python Script

Would anyone here be interested in a script I've written?

A co-worker of mine had asked me if we could strip the CPS (connections per second) out of show session info, as the OID for CPS is just a table of the individual TCP/UDP/other counters and connections per second isn't a pollable/reportable metric. We know we can view a graph of the CPS in Panorama, but for alerting and other monitoring applications we use, this doesn't work, and it's not exportable.

So I used the XML API and call show session info, then use regex to strip out the content of the HTTP GET, use a timestamp module, append both of those to a list and then write/append to a CSV, and then set that function to execute every X seconds in schedule (you can set whatever frequency you want in the scheduler).

From there I'm either going to present it in Django, or import it as a custom HTML resource in our Orion NPM.

I've scoured thwack to see if I could write directly to our Orion DB and then just query whatever I have written to the tables through Orion and build the metric that way.

    import datetime
    import os
    import re
    import time
    from csv import writer

    import requests
    import schedule
    import urllib3
    from urllib3.exceptions import InsecureRequestWarning

    # ignores cert errors: verify=False below turns TLS verification off entirely, so
    # the API key is handed to whatever answers at API_HOSTINET; pin the firewall's CA
    # with verify='/path/to/ca.pem' once you move past testing
    urllib3.disable_warnings(category=InsecureRequestWarning)


    # function to open/append CSV file with list of time/CPS
    def append_list_as_row(file_name, list_of_elem):
        # open file in append mode; the with block closes it when done writing
        with open(file_name, 'a+', newline='') as write_obj:
            # create a writer object from csv module
            csv_writer = writer(write_obj)
            # add contents of list as last row in csv file
            csv_writer.writerow(list_of_elem)


    # function of the api call
    def api_call_csv():
        # api command to be sent defined
        command = "<show><session><info></info></session></show>"
        # calls api key from locally stored env variable
        api_key_inet = os.environ.get('API_KEYINET')
        # calls API hostname from locally stored env variable
        api_host_inet = os.environ.get('API_HOSTINET')
        # executes XML API call using requests module and the arguments above
        # (note the key travels in the query string, so it lands in any proxy/web logs)
        req = requests.get('https://%s/api/?type=op&cmd=%s&key=%s'
                           % (api_host_inet, command, api_key_inet), verify=False)
        # api call content block decoding xml to UTF
        api = req.content.decode('UTF-8')
        # create REGEX search object to filter CPS and any digits inside
        prog = re.compile(r"<cps>\d*</cps>")
        # findall matches for RegEX object
        result = prog.findall(api)
        # convert Regex Matches to string
        rsstg = ''.join(result)
        # strip first XML tag
        strip_first = re.sub(r"<cps>", '', rsstg)
        # strip XML tail
        strip_out = re.sub(r"</cps>", '', strip_first)
        # change working directory to where the CSV needs to be created (placeholder, fill in your path)
        os.chdir('###insertCSVpath###')
        # define time in float
        ts = time.time()
        # format timestamp from float to YEAR-MONTH-DAY, HH:MM:SS
        st = datetime.datetime.fromtimestamp(ts).strftime('%Y-%m-%d %H:%M:%S')
        # put TIMESTAMP string into list, along with connections per second output
        final = [st, strip_out]
        append_list_as_row('###CSVfilename###', final)


    """call the API function and schedule to execute every 10 seconds,
    change to whatever interval you need """
    schedule.every(10).seconds.do(api_call_csv)
    while 1:
        schedule.run_pending()
        time.sleep(1)

You'll need to store your API key and hostname as environment variables for this method, or you can just replace the api_key_inet and api_host_inet variables with the respective strings for testing, but I don't recommend storing them in your .py file.

Go easy on me, I'm still pretty new at python, but maybe this will help a few others.

**We, unfortunately, don't have Orion SAM, which can execute scripts in most languages to pull in information. I wish NPM would do the same.

Time CPS
8/25/2020 2:16:00 PM 632
8/25/2020 2:16:10 PM 416

etc etc



Python for Network Engineers: free course starts Sept 1

I periodically run a free course on Python for Network Engineers. The next course session starts on Tuesday, September 1.

The course covers Python fundamentals with a network engineering bent. It is definitely oriented towards beginners.

The course lasts eight weeks and covers the following topics:
- Week1 - Why Python, the Python Interpreter Shell, and Strings
- Week2 - Numbers, Files, Lists, and Linters
- Week3 - Conditionals and Loops
- Week4 - Dictionaries, Exceptions, and Regular Expressions
- Week5 - Functions and the Python Debugger
- Week6 - Netmiko Basics
- Week7 - Jinja2 Basics, Introduction to YAML and JSON, Complex Data Structures
- Week8 - Libraries, Package Installation, and Virtual Environments

The course format is a lesson a week for the corresponding eight weeks. The lessons are delivered via email and consist of videos, exercises, and additional content.

There is a good chance I will add a Week9 to the course that covers classes, modules, and packages since I have been working on videos about this recently.

About me--I am a long-time network engineer and fairly long time Python programmer. I wrote the Netmiko library and work a certain amount on NAPALM and Nornir. I teach courses on network automation on Python, Nornir, and Ansible.

Sign-up is available here:

https://pynet.twb-tech.com/email-signup.html

Feel free to ping me if you have any questions.

Regards, Kirk



Launching Twingate

ProductHunt Launch 🚀🚀🚀

Hey Everyone!

We’re finally launching Twingate to the world and I wanted to share with everyone here :)

https://www.producthunt.com/posts/twingate

In short, Twingate is a VPN replacement that’s more secure, easier to set up and offers a frustration-free experience to your users.

  • ZeroTrust Identity based perimeter - you can start by allowing access to entire network like a VPN and gradually move to a more granular access control.
  • No public IPs - keep everything in your private network
  • Keep your existing network - no changes required. We don’t require setting up a DMZ, playing with firewall settings etc.
  • Split-tunneling by default - only secure traffic goes through the system, so it doesn’t slow the whole network and users don’t mind keeping it on

And best of all - it's really a matter of minutes to set up and get running…
Though we just launched, we did have several large companies (hundreds of employees, multiple locations across the globe) on our beta, and their migration from traditional VPN was a matter of hours to a couple of days.

As r/networking experts we'd love to hear your feedback!



Switch Troubleshooting

Hi there! Wondering if there is manual/book/blog to troubleshoot switch issues? Also can you tell what is your general approach in troubleshooting issues.



Simple static IP network question. More IPs. Subnetting.

We have devices that require static IPs and they are all on a 172.x.xx /24 network, 256 addresses. We need more IPs because of more devices. If I move up to a 172.x.x.x /23 with 512 addresses, will I need to visit every device to update its subnet? Also, can I keep the same gateway 172.x.x.254? Thanks for any help. I’m not a network wizard ☹️
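The two questions in the post, whether the gateway stays valid and what a device still carrying the old /24 mask does when it talks to an address in the new half, can be worked through with the standard library. This is an added example, not from the post; the addresses 172.16.1.0/24 and 172.16.1.254 are constructed stand-ins for the masked 172.x.x.x values, chosen so the existing /24 is the upper half of the resulting /23.

```python
import ipaddress

# Constructed stand-ins for the post's 172.x.x.x/24 network and its .254 gateway
OLD_NET = "172.16.1.0/24"
GATEWAY = "172.16.1.254"


def grow_to(old_net, new_prefix=23):
    """The larger block that contains the existing /24 when the mask shortens to /23."""
    return ipaddress.ip_network(old_net).supernet(new_prefix=new_prefix)


def gateway_survives(gateway, new_net):
    """True when the current gateway address lies inside the new block (so it can stay)."""
    return ipaddress.ip_address(gateway) in new_net


def addresses_gained(old_net, new_net):
    """Host addresses usable after the change that were not usable before.
    Note this includes the old network and broadcast addresses of the /24's neighbour."""
    old = ipaddress.ip_network(old_net)
    return sorted(set(new_net.hosts()) - set(old.hosts()))


def on_link(src_ip, src_prefix, dst_ip):
    """Does a host configured with src_prefix treat dst_ip as directly reachable
    (ARP for it) rather than sending the packet to its gateway?"""
    src_net = ipaddress.ip_interface(f"{src_ip}/{src_prefix}").network
    return ipaddress.ip_address(dst_ip) in src_net


if __name__ == "__main__":
    new_net = grow_to(OLD_NET)
    print("new block:", new_net, "| gateway still inside:", gateway_survives(GATEWAY, new_net))
    gained = addresses_gained(OLD_NET, new_net)
    print(len(gained), "addresses gained, from", gained[0], "to", gained[-1])
    # a device still configured /24 talking to one placed in the new half of the /23
    print("stale /24 host sees 172.16.0.20 as on-link:", on_link("172.16.1.10", 24, "172.16.0.20"))
    print("updated /23 host sees 172.16.1.10 as on-link:", on_link("172.16.0.20", 23, "172.16.1.10"))
```

The last two lines show why a partial migration usually keeps working but is still worth finishing: the stale /24 host sends traffic for the new half to the gateway, which forwards it back onto the same segment, while the /23 host ARPs directly, so every such conversation takes an asymmetric path through the router. While /24 devices remain, avoid handing out 172.16.0.255 and 172.16.1.0, which those devices may still treat as broadcast or network addresses.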



data link layer traffic

Hello guys,

for university I have to make a little project - I am pretty advanced in python programming but this project has to be a network related topic so my choice was to combine these two in some sort of form, so here is what I plan on doing:

analysing data link layer traffic and visualizing it in a python based application

so what I plan on doing in detail is:

  • analyse traffic via wireshark (most likely pseudo generated traffic but I am not to sure about this one yet)

  • specifically look into layer 2 (data link)

  • take the won data from this and "analyse" it, that means finding anomalies and trends and tons of other things you can do with data

  • display all this won information in a python tool / application, mainly graphically showcasing what I "researched" and giving the user the option to filter for specific interests for example


So I am pretty advanced in Python programming so I am good for that and I also have basic to advanced knowledge in networks and network related topics but one big question remains:

this project has to answer a scientific question in some sort of form - so basically what is my main goal by analysing the traffic from the data link layer

So currently I am trying to find some ideas to what the main "analysing goal" could be and thats why I came here:

Do you guys have some thoughts about what I just described and maybe could shoot me some ideas on what I should focus on or to say it in other words what would you as a reader interest the most?

(Thanks for your answers, guys, and I hope this post doesn't violate any of the "homework" related rules, as I am not looking for specific help and I know what I have to do and how; I just want to hear if anyone has some ideas or thoughts that didn't come to my mind yet.)



Anyone have experience with Fortinet's SD-WAN/FW?

We're looking to evaluate fortinet's SD-WAN.

It's looking to solve some issues for us.

  1. Meraki not being a true SD-WAN and the inability to granularly control traffic.
  2. Meraki's lack of true FW capabilities. (Stateful inspection doesn't actually happen unless a rule is applied.)
  3. Meraki's are also a pain to dig down on security issues.

The demo we got and their lit all seems fine and dandy, but I would like to hear others' thoughts or issues they had before we set up a POC.

Thanks.



Youth STEM non-profit seeking network infrastructure equipment...

Hello all,

The students of the International Association for Astronomical Society, located in the Denver, Colorado area, are building out a youth astronomy and aerospace space sciences research facility to help facilitate youth research and learning in the STEM fields. Examples of recent projects and activities can be seen on the group's Facebook page (fb.com/iaasorg).

The program has a 40+ year track record of success in readying students for jobs in the STEM fields. For most of that time, the program has relied on donations from community-minded individuals, groups and organizations to help fund its operations.

As part of the Star Haven Observatory project, the group is seeking donations of gently used (recently manufactured - less than ten years old) network equipment to build the network infrastructure.

If you know a company that is upgrading their network infrastructure and would be willing to donate the "old" equipment to a 501(c)3 non-profit, please let the group know via email - donate@iaas.org.

The group also gladly accepts in-kind and financial support. Donations of gently used laptops, desktops, servers, monitors, DDR3 memory and SATA hard drives are welcomed, as the program refurbishes the donated items for use by its students and local community.

The students appreciate any support you can provide.

IAAS Facebook page



Cisco AP C9120AXI-Z Registration with WLC 5520 Issue

We have a few dozen APs trying to register to the WLC. The APs are getting DHCP addresses and default gateways. The WLC is located at our DC; connectivity across the network is fine, I can ping the WLC from the LAN network. When I debug capwap on the WLC I see no attempts from the APs trying to join the network. There are other, different model APs already registered on the WLC from different sites; we have not installed APs (C9120AXI-Z) in our network before. What am I missing? I have gone through Cisco docs; at least I should have seen attempted registration by the APs.

- WLC AIR-CT5520-K9 Version: 8.10.121.0

- Cisco AP Software, ap1g7-k9w8 Version: 8.10.105.0



Question about patching STP

Hello guys,

Sorry if this is not the right community. The company we bought cameras from also patched the cables on both ends (camera, patch panel). We have trouble with PoE adapters dying in cameras, so we looked at whether the cabling was done correctly and found out they removed the shielding foil on every cable (picture of the patch panel: https://imgur.com/a/NZKapXa). I couldn't post the image here so I used imgur.

I want to tell them to do the job again correctly, but I don't have any good arguments. They said the cable is grounded this way and the foil is touching the cable, so it doesn't matter that they removed it.

I would like to prove them wrong and make them fix it.



OSPF - adj as p2p with broadcast

Hello,

Can someone please explain to me why we can establish a full adjacency with one router as p2p and the second as broadcast, but we can't learn the routes?



Tuesday, August 25, 2020

Tacacs+ mysql

Has anyone implemented TACACS+ with a MySQL backend? Curious!



Why is my wifi speed slower when the router is on the same desk as my laptop or phones? (But it runs much faster when they are at least 6 feet away.)

Why is my wifi speed slower when the router is on the same desk as my laptop or phones? (About 200 to 220mbps.)

If I put the laptop or phone at least 6 feet away, then I get much faster speeds, up to the full 300mbps tier that my modem is subscribed to.

thanks!



Need Help Identifying An RJ-?? Cable

I'm hoping this is the correct sub for this question - if not, please let me know where I can submit this.

I need help in identifying what type of RJ-?? cable end this is. Here is the best image I can get.

This cable is a standard RJ-45 Termination on one end, and has been "spliced" on the other end to make two RJ-?? connections that connect to two CenturyLink Routers.

The "Problem" is that I want to move the two modems to a different physical location but I can't due to the length of the RJ-45 cable. I have bought a longer RJ-45 cable which will allow me to move the two modems. I plan on manually terminating the two RJ-?? ends to connect to the two CenturyLink modems.

I purchased these RJ12 6P6C pieces since they looked nearly identical to what was currently being used in the CenturyLink Modem. However, you can see here that they're not exactly the same (best image I can get).

Can anyone help me in identifying the correct ends currently being used so I can purchase some more? Any/All help is greatly appreciated!



DevOps from Caltech or DevNet Associate from Cisco or going solo?

I have been a SysAdmin, Network Admin, and Network Engineer for almost 20 years. For two years I have been working on Cisco Meraki devices and love managing my fleet using APIs.

I am at a crossroads and would like to hear your suggestions. Shall I attend the new DevOps certificate from Caltech or go for the DevNet Associate certification from Cisco?

I have been on Cisco's track since 2002 and I have a CCNP, and I have learning credits that I can use to take the exam and buy a few learning materials. But I thought I would need a broader understanding of DevOps outside my Cisco world. I searched for learning tracks and came across the Caltech DevOps program, but I am not sure it is a fit for me and couldn't find a review of the program. It is a 9 month program for $4,500 and I have to pay for it.

Shall I do my own track or stick to one of the above two? I motivate myself and work hard when I have an exam to pass or if I pay for it, but I'm not sure if that works here, as this is new territory to me. I live in the Bay Area and will probably look for work once I finish the program or get my certification, and I am not sure how the job market is.

Thanks,



What happened to the old Cisco networking 101 videos.

Hello /r/networking.

Just wondering if anyone knows why Cisco have made all the old networking101 TechwiseTV videos private?

I remember watching these videos way back and thought they would be cool to show some of the jnr guys. Jimmy Ray really tells a good story.

I tried to find these videos on archive.org but it seems they aren't archived there. Anyone know of a non-YouTube place these might still exist?



DNS behind firewall

I needed to set up a domain name with some CNAME records to get access to some services we have running in our office behind our firewall.

We have a Synology NAS, so I'm using the free domain from Synology we can get for DDNS. I'm then using a reverse proxy to route the traffic to the appropriate locations on the office network based on the URL subdomain.

However, for the DNS I'm using the DNS service that is on our NAS, which is also our Active Directory and has the AD DNS zones associated with that as well.

Through the firewall I'm letting in all UDP/TCP traffic on port 53 and directing it to the NAS.

Is there an issue with letting in any web traffic on port 53 to get access to the DNS server for the purpose of resolving the domain I set up? Considering the AD stuff is also there?

Would I be better to use a cloud DNS?



help with Ethernet

So I don't know if this is the right sub to write on, but yeah, so my network's name is Archer and I just bought a new PC, and when I connect it with Ethernet it shows the network connected as Archer2. So why is that? I can't make a LAN Minecraft server for me and my 2 brothers, so how do I fix this and be on the same network that the whole family uses??



BGP Optimization

I'm looking for a way to optimize BGP traffic based on NetFlow/SNMP data. In particular RTT and mostly link utilization. We currently have 1 large commit @ ISP A and we want to take a small commit @ ISP B. I'm worried when I bring up ISP B that it will instantly max out the commit. I'm looking for an open source type of solution. I noticed a lot of the old answers on other Reddit posts were either Noction or XCA/Border6. These are not an option for us. I appreciate any direction or feedback.

Thanks!



Mellanox SN2700 Help

I need help with the Mellanox SN2700 and Open Network Install Environment. Thanks in advance to anyone who can answer my questions. I'm using PuTTY w/ a serial console port cord.

1) How do you boot into BIOS or UEFI? If you aren't supposed to do that, then how do I change BIOS variables? I tried holding F1, F2, ESC, DEL, and F10 on bootup. I also pressed TAB on bootup to maybe switch boot modes. Nothing has happened except for a straight boot into ONIE. Console output has told me that I'm using AMI BIOS firmware. https://ami.com I think I read somewhere you can change BIOS variables from ONIE. Can someone point me to docs that describe how to do this? I wasn't able to find info.

2) I've gotten EEPROM, I2C and TLV header info errors upon performing an ONIE update directly from a plugged-in USB. Installation of the new ONIE finishes, but TLV errors show up on each boot and I think it's interfering with NOS installation. Can anyone tell me what I'm doing wrong?



Installing Cisco ACI Simulator on ESXi - no network connectivity

Hello,

Trying to get the ACI Simulator running at work and it is not working.

Install instructions are very minimal - https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/3-x/simulator/install_vm/b_Cisco_ACI_Simulator_VM_Install_Guide.html

Basically accept all defaults, put in the IP with default GW and you are good to go. I have tried it at home with VMware Workstation and it just works, as simple as described.

At work though it doesn't, and to make it much more fun, I have 0 access to the VMware environment. I have to submit a request and some nice guy with an Indian name will work on it and deploy it. And then I could do some remote screen share, but latency of what feels like 15 seconds between me pressing a button and me seeing a response to that button doesn't really make for a good troubleshooting session. From the networking side - no ARP entry. VLAN seems to be correct, so does the IP.

Install says to use promiscuous mode on the network, which can't be enabled easily (welcome to a corporation with policies and a lengthy exception process), but to be honest I don't understand why it would be needed - it's just a single IP on a single VLAN. And I don't believe promiscuous mode is enabled in Workstation anyway, but it works there...

So has anybody installed the ACI Simulator recently on an ESXi host? And if yes, did it just work or did you have to tinker with it a bit?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



What makes someone interesting to you when networking?

What makes you remember someone?



routing traffic through transparent devices (riverbed, IDS/IPS, etc)

I have a question about routing traffic through these devices. We are not Fortune 500, but we have enough locations (small locations) where we install Riverbed devices and IDS/IPS devices. Our current setup is very basic (I think)... here is what it looks like.

ISP router----->firewall/router--->riverbed and/or IDS/IPS----->network switch---->a handful of VLANs

This works for us because most if not all of our VLANs are all we need to pass through these devices, however, every once in a while a request will come in to add a new network and instead of adding a VLAN on the existing switch and sending the traffic through the transparent devices, we have to assign the new network its own interface on the firewall/router. This is easily doable, but now the traffic doesn't make it through the riverbed and/or IDS/IPS devices. We do have security services on the firewall, which is better than nothing, but there is no WAN optimization and/or the same level of IDS/IPS that the appliance provides.

The question I have is, could this scenario be converted to fully routed and add the riverbed and/or IDS/IPS devices as a 'hop' so that traffic has to pass through those devices regardless if it is connected at the router, directly, or hanging off of the switch as a VLAN?

I realize that this is something that needs additional thought and discussion, I'm not asking to actually implement (at least, not at an existing location, possibly in a new location and/or if there is a big upgrade in the future), but instead, would like to discuss how others are doing this.

I am not the main networking person here, I'd say more junior, and the senior network admin doesn't have a good answer for me. I've asked, but the type of response I'm getting tells me that he isn't sure about setting it up another way.

To be clear, I'm not saying this setup is wrong, for our needs it works just fine, I'm just trying to learn a bit more about other ways it can be done.

Thanks.



Fixed dad's printer over SMS

A few months ago my dad's printer wasn't working. Would have been quicker/more efficient to troubleshoot over the phone but I did it over SMS because I am sick and demented and found it entertaining. Plus, you can't screenshot phone calls 🙃.

https://imgur.com/a/LoX94L8



Unable to ping device

I have an iPad Pro that my PC can’t seem to ping. When doing an arp it doesn’t appear in the table.

The iPad has an internet connection and is on the network and I can ping it from a separate laptop. This is causing me to be unable to remotely connect to my QNAP NAS.

All other apple devices I own can connect and there is nothing blocking it in the NAS allow/deny list.

I rebooted everything and even wiped the iPad but to no avail.

Does anyone have any other suggestions?



Aruba APs and HPE OC 1920s DoS protection

TL;DR: Why did DoS protection on an HPE OC 1920s switch stop Aruba APs from communicating with each other?

Sysadmin here. Got a task to deploy a bunch of Aruba APs (IAP-303) with an HPE OfficeConnect 1920s PoE switch. Updated and preconfigured the switch. Turned on the DoS protection options, loop protection and storm control (not that I know exactly how each feature functions). Connected up 5 APs. After a few minutes one became the Virtual Controller master and I logged in with default credentials. After waiting a few minutes none of the other APs showed up. Some 10 later another AP decides to redirect me to its IP and seems to be its own master Virtual Controller. This goes on and I can't figure out why they can't see each other... Lots of fiddling around but no luck.

Next day and an HPE later I decide to remove this switch from the equation. Hooked up PoE injectors and an unmanaged switch and everything works! All connected APs show up in a master VC!

After resetting the switch to factory defaults I figured out the DoS protection options were blocking communication between APs. Later, storm control gave me trouble, disabling some ports APs were connected to.

Anyone care to enlighten me as to why these two features would cause this?



Aruba ClearPass vs. LinkRunner AT 1000

I am a student network technician for a university, and we recently switched to Aruba ClearPass from Cisco for our wireless management, as well as AAA for Cisco devices. I just came back from my Covid break to this new deployment, and I am not at all familiar with Aruba. The issue I am having is when troubleshooting switchports from their termination location, the LinkRunner will not read out any VLAN or switch information. I suspect it is due to some sort of MAC authentication, as the LinkRunner does not broadcast a MAC when running its tests.



VTP replacement in Juniper

Hello,

I want to apply the equivalent of VTP on Juniper switches; however, I'm not able to find the right solution. I tested MVRP but it is showing that the dynamic VLAN is showing on the trunk uplinks.

The dynamic VLAN doesn't show in the VLAN table as a usable VLAN that I can assign to the access port on my switch. It even shows as a weird name like "__dynamic_vlan-0010__".

With VTP, the server shares the exact VLAN database and names to the client switches and I can use this VLAN in the other switches. Is MVRP a true replacement for VTP or is it only for tagging trunk uplinks?



Wireless/bluetooth console cable?

My team is looking for a Bluetooth console cable solution. From what I've seen, there doesn't seem to be much of any choice in this market.

Is Airconsole the only player here? My manager wanted me to try to find a solution that can be purchased through CDW or Amazon because paying for it will be easier through established accounts.

Any suggestions or is Airconsole it?



10GbE link to 1GbE device

Can you configure a 10GbE switch port to run at 1 Gb and connect to a 1 Gb host (firewall)?

The switch is Dell S-4100 series with built-in 10GBE ports.

Thanks



Using Cisco ISE instead of NPS for Windows 10 Always-On VPN

Hi all,

Most of the documentation for Windows 10 AOVPN suggests using Microsoft NPS server to handle the authentication for user tunnels but since we have Cisco ISE I was wondering if it is possible to use this instead. Does anyone have any experience of this?

Thanks



Books worth a read

Hello folks, I am looking at picking one of the following books to read after completion of my associate certification.

The first one is Behrouz's Computer Networks: A Top-Down Approach, and the other is Computer Networking: A Top-Down Approach by James Kurose & Keith Ross.

The aim of reading is essentially to keep refreshing myself with the concepts of networking over and over, since I believe this is an endeavor where you have to continue learning from real life use/experience as well as study material. Which one would you possibly start with or stick to in the long run?

I can gain access to both copies.



Serial console server advice (single port to 48 port, product suggestions wanted)

We're looking for a range of serial console servers to offer customers. I have used Raritan for 4 to 48 ports (customers are very happy with these) but they seem to lack the desktop range, as they don't have any units with 1 or 2 ports and their 4 port unit is a rack unit and too costly for someone who needs one or two ports on their desk or in a remote office. As we have a requirement for SSH support, the selection of products gets very thin. Opengear is of course an (or the best) alternative, but at a very high cost and also only from 4 ports and up. I know about Lantronix EDS1100/2100 (verified SSH support) and their xDirect 232 (only says support for telnet, not SSH, but states "Security: 128/192/256-bit AES Encrypt" in the data sheet, weird). Moxa has their NPort 6100 series that supports SSH but costs too much (the 5100 series is OK in price and only lacks SSH; how much does an SSL implementation cost???). I have looked at a ton of others too, but they're either too expensive or lack SSH support. Aten has a one port model called SN3101, but some sites say it's gone end of sale. I have no idea if it is a good product either.

I'd like to see a manufacturer with a complete line of products from 1-port to 32- or 48-port units that support SSH. Failing that, I can live with one vendor doing 1-4 port desktop units and another 4-48 port rack units. I also like to be able to use a login syntax like Raritan uses, where you specify your username and, optionally, the serial port that you wish to connect to:

ssh -l admin:1 192.168.51.101

or (if a port is named Router1):

ssh -l admin:Router1 192.168.51.101

Any suggestions?

/Fredrik



VLAN Export

Hello everyone, we have a lot of VLANs but no overview of which VLAN IDs are already in use. Therefore we thought about creating a simple Excel file with VLAN ID, name and switch.
My question is whether it is possible to make this evaluation without having to attack each switch individually with show vlan? We use Cisco equipment.



Help in port forwarding.

Hi guys,

My ISP is an asshole.

He has blocked all the ports necessary for a Minecraft server.

I can't change my ISP at the moment,

so please suggest some solution.

He won't allow any ports,

and yes, I am under 2 routers:

1 at my home,

2 at the ISP's.



Electrical engineering questions regarding PSUs

Hello everyone,

As we are getting more and more energy conscious these days, I have a couple of questions regarding the power drawn by our electronic devices. I think I am lacking basic electrical knowledge, which I will try and cover.

Suppose you have a server/switch/whatever appliance that has 2 PSUs for redundancy. Each PSU is 1000W and both of them are plugged in. Does that mean the appliance draws 2 kW of power? Or is the passive one drawing the minimum amount to stay up?

My second question is regarding "modular" power. I want to budget the power coming from the PDU and I want to put as little strain as possible, because we had an outage not long ago. If, for example, I have a pair of PoE+ capable 3850 switches in a DC with no PoE devices and I put a PoE capable PSU, does the switch draw the minimum amount of power from the PSU (power for the switch to function properly) or does it waste the full power in case a PoE device requests it?



Advice in ESXi

Hi guys, I currently have the ESXi running on an old PC.

The VMs will be mostly to study (university) and learn some more things. Now I need some advice from you since I'm undecided.

I need to access the ESXi GUI remotely and the solution I have for now is a Linux VM with AnyDesk that automatically connects when ESXi boots, and then I remotely access that VM and from there I access ESXi. But I don't like this implementation; I would prefer something faster and more professional.

I know I could use OpenVPN but in this case I can't do port forwarding... A service that I use on one of the VMs is ZeroTier to access Nextcloud remotely; however I already tried to do SSH tunneling with ZeroTier and I couldn't.

Does anyone have any advice on what would be better in this situation? Or know how to use ZeroTier to do this ?



Using IS-IS on packet tracer

I'm trying to implement the IS-IS routing protocol in Packet Tracer but it is not supported. Is there any way around it, like writing my own script for it?

I'm required not to use any other routing protocol.



Same AS BGP Peering Different locations.

Hello everyone,

So I have an AS with public IP addresses announcing to service providers.

What I think is to split my IP address subnets into Branch A and Branch B; AS numbers will be the same on my side. (It can be the same ISPs but I don't know exactly at this moment.)

I have a task at this moment to build another branch in a different city with BGP peering with a different ISP. Can anyone provide best practice scenarios to achieve this goal?



APC AP8881 / NPS / Guest PDU becomes unavailable occasionally

Hi!

We have 4x APC AP8881 that are connected via NPS/In-Out ports. Sometimes a guest PDU becomes unavailable via SNMP. The FW version is the same on all PDUs (6.4.4).

Can anyone suggest what could be the cause of this problem?



Cisco REP deployment for a partial ring topology and STP spokes

Just wondering if anyone who has used Cisco REP has benefitted from the design and would do it again?

Has anyone had it working with 3rd party (wireless relay) spokes with STP turned on, even though there is no redundant path back to the main ring? Just accident prevention.

Currently looking at this on Cisco's recommendation for an in-place upgrade.

Thanks



Monday, August 24, 2020

Controlling OpenDaylight Controller

Hello all,

I am running SDN experiments by connecting network simulations to an OpenDaylight controller running on an Ubuntu virtual machine. I can't find the code where the ODL algorithm runs. I want to override it and change the routing algorithm according to my study requirements. I have downloaded DLUX and Yang tools with ODL and they can detect my network normally. Everything works and the packets travel fine from source nodes to the desired destination nodes using the default ODL algorithm.

Does anyone have an idea how to edit the controller's routing algorithm?

Many thanks in advance.

Software used:

Riverbed Modeler 18.8

OpenDaylight Oxygen 0.8.4

Ubuntu running in a virtual machine

Wireshark



Setup IPsec in Hub/Spoke fashion

I'm trying to set up IPsec tunnels in a hub/spoke type fashion. I've emulated this in GNS3 by creating three sites. Each site uses an IOSv router as its WAN router. I'm using site 2 as the hub and sites 1 and 3 are the spokes. I've been able to get the IPsec tunnel up (ACTIVE/ACTIVE) between Site 1 and Site 2. But I can't establish the IPsec tunnel between Site 2 and Site 3.

I generally know how to set up an IPsec tunnel between two sites (point-to-point), such as what exists between Site 1 and Site 2. But as soon as I have to add an additional IPsec tunnel to the hub router, my understanding falls apart.

Here is a diagram of how the simulation is built.

Network Diagram

As you can see I'm using three Layer 3 switches as a transport network between the three sites. I want both IPsec tunnels to land on the same interface (gi0/0) on the hub router. All traffic in the transport network should be encrypted.

PC1 should be able to ping PC2. Likewise, PC3 should be able to ping PC2. PC3 should not necessarily be able to ping PC1.

The diagram above should show all of the relevant config.



Looking for "unconventional" port forwarding server

I am not really sure what the name of such software is, but I will explain my use case in detail.

I have a multi-container system running on multiple virtual machines (AWS EC2); each container has a specific port assigned through its entire life-cycle and is meant as a stand-alone application; each VM has its own public IP and they are currently not load balanced. I will often be moving those containers around (for autoscaling, VM OS updates, etc...) to different VMs, thus the IP will change quite often.

To avoid the end user having to change the IP every time he launches his application, I have assigned a unique DNS A record per container. Unfortunately I just discovered that the vendor that is used to consume the application running on the containers resolves the DNS record and saves the IP instead (whatever...).

**So now I am looking for having one IP (static) routed to different IPs depending on the requested port**

What I am looking for is some kind of port forwarding server (since once assigned **the container port never changes**) that I can run on a VM. The working principle would be the following:

  1. Assign a static IP to the VM where the port forwarding software is running
  2. After the container has spawned it will register itself, communicating its port and current IP
  3. The port forwarding software will simply proxy the request to the container
  4. When the container is stopped it will first de-register itself

I hope I don't have to write this all by myself and there is already a solution out there.

Thanks
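The four-step design above, as an added illustration that is not the poster's code or any existing product: a registry the containers update on spawn and stop, and a TCP forwarder on the static-IP host that looks the backend up per connection. The loopback demo, the echo backend standing in for a container and the `backend_port` override are constructed for the demo. Whatever can register here can redirect a port, so the registration call should only be reachable from the VMs themselves (private network or authenticated channel).

```python
import socket
import threading
from contextlib import suppress

class PortRegistry:
    """Maps a container's fixed port to the VM (ip, port) currently serving it."""

    def __init__(self):
        self._backends, self._lock = {}, threading.Lock()

    def register(self, port, ip, backend_port=None):
        # Step 2. backend_port == port in the design; the override only lets the
        # loopback demo run proxy and backend on one host.
        with self._lock:
            self._backends[port] = (ip, backend_port or port)

    def deregister(self, port):  # step 4: container removes itself before it stops
        with self._lock:
            self._backends.pop(port, None)

    def lookup(self, port):
        with self._lock:
            return self._backends.get(port)

def _pipe(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the far side sees EOF too."""
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _proxy_one(client, registry):
    # Step 3: resolve per connection so a re-registration after a container move
    # applies at once; unregistered port -> refuse (caller closes the socket).
    target = registry.lookup(client.getsockname()[1])  # the port we accepted on
    if target is None:
        return
    try:
        backend = socket.create_connection(target, timeout=5)
    except OSError:
        return
    with backend:
        t = threading.Thread(target=_pipe, args=(backend, client), daemon=True)
        t.start()
        _pipe(client, backend)
        t.join()

def _serve(handler, port=0):
    # Bind 127.0.0.1:port (0 = OS picks one, demo only), accept in a daemon
    # thread and close each connection once its handler returns.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(16)

    def run(conn):
        with conn:
            handler(conn)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed
                return
            threading.Thread(target=run, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv

def start_forwarder(registry, port=0):
    """Step 1: the static-IP VM listens on the container's port. Returns (socket, port)."""
    srv = _serve(lambda c: _proxy_one(c, registry), port)
    return srv, srv.getsockname()[1]

def start_echo_backend():
    """Constructed stand-in for a container: echoes bytes back. Returns its port."""
    return _serve(lambda c: _pipe(c, c)).getsockname()[1]  # socket onto itself = echo

def send_through(port, payload):
    """Client view: send payload through the forwarder; return the reply (b'' if refused)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)
            return b"".join(iter(lambda: s.recv(4096), b""))
    except OSError:
        return b""

def demo():
    """Walks the four steps on loopback; returns replies before/during/after registration."""
    registry = PortRegistry()
    fwd, fwd_port = start_forwarder(registry)
    backend_port = start_echo_backend()
    before = send_through(fwd_port, b"hello")                # nothing registered yet
    registry.register(fwd_port, "127.0.0.1", backend_port)   # container spawned
    during = send_through(fwd_port, b"hello")
    registry.deregister(fwd_port)                            # container stopping
    after = send_through(fwd_port, b"hello")
    fwd.close()
    return before, during, after
```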



Unable to get link lights on Chelsio T520-SO using SFP+

Hi all,

I'm new to working with fiber so please bear with me.

I've got a Dell R520 that I've just installed a Chelsio T520-SO fiber adapter into. The server is running Ubuntu 18.04. I've got a compatible Chelsio SM10G-SR:10G transceiver on the adapter side, and the switch (HP 5406) is using an HP short-range 10G transceiver (genuine J9150A). Between the transceivers, I have a 3-meter aqua fiber cable. I have another server with the exact same transceivers, T520-SO Chelsio card, and the same exact cable that the previous administrator installed, which is running great. I've even tried swapping everything between the existing server and the new server, but have been unable to establish an active link or get link lights while in Ubuntu.

Ubuntu sees the card and interfaces just fine. When I was in the Dell UEFI BIOS and viewed the network adapters, the switch link light lit up. Not sure if this meant the link was good or not.

I've installed the Chelsio Unified Wire drivers, configured link speeds to 10G, disabled auto-negotiation, and disabled FEC per the documentation found here, sections I.3 and I.4: https://service.chelsio.com/store2/T5/Unified%20Wire/Linux/ChelsioUwire-3.13.0.1/Chelsio-UnifiedWire-Linux-UserGuide.pdf

Here's some additional information:

    :/lib/firmware/cxgb4# lshw -short | grep network
    /0/100/1/0        eno1        network    NetXtreme II BCM5716 Gigabit Ethernet
    /0/100/1/0.1      eno2        network    NetXtreme II BCM5716 Gigabit Ethernet
    /0/100/a/0                    network    T520-SO Unified Wire Ethernet Controller
    /0/100/a/0.1                  network    T520-SO Unified Wire Ethernet Controller
    /0/100/a/0.2                  network    T520-SO Unified Wire Ethernet Controller
    /0/100/a/0.3                  network    T520-SO Unified Wire Ethernet Controller
    /0/100/a/0.4      enp5s0f4    network    T520-SO Unified Wire Ethernet Controller
    /1                bond0       network    Ethernet interface
    /2                enp5s0f4d1  network    Ethernet interface

    ethtool enp5s0f4d1
    Settings for enp5s0f4d1:
        Supported ports: [ FIBRE ]
        Supported link modes:   1000baseT/Full
                                10000baseT/Full
        Supported pause frame use: Symmetric Receive-only
        Supports auto-negotiation: Yes
        Supported FEC modes: None
        Advertised link modes:  1000baseT/Full
                                10000baseT/Full
        Advertised pause frame use: Symmetric
        Advertised auto-negotiation: Yes
        Advertised FEC modes: None
        Link partner advertised link modes:  Not reported
        Link partner advertised pause frame use: Symmetric
        Link partner advertised auto-negotiation: No
        Link partner advertised FEC modes: None
        Speed: Unknown!
        Duplex: Full
        Port: Other
        PHYAD: 255
        Transceiver: internal
        Auto-negotiation: on
        Current message level: 0x000000ff (255)
                               drv probe link timer ifdown ifup rx_err tx_err
        Link detected: no

    /etc/network/interfaces
    auto lo
    iface lo inet loopback

    auto enp5s0f4d1
    iface enp5s0f4d1 inet static
    address 10.1.5.4
    subnet 255.255.255.0
    gateway 10.1.5.1

Any clue where to go next? No network activity and it seems to assign its IP just fine.



Anyone know the Fortigate VM-16 Azure throughput?

I've been trying to get some throughput numbers for the VM-16 when hosting in Azure, but the official Fortinet doc doesn't provide them. I contacted my reps and they said those numbers are still at least a month out. Anyone here running it in prod with some rough throughput estimates?



python scripts for networking.

I need to create a script in Python that will build a list of all ports on all switches on a given VLAN. So I am just trying to extract all the tagged and untagged ports from the output and create a list with it. Any help would be great.
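For the VLAN Export question above and this one, an added example that is not the poster's script: it parses Cisco IOS `show vlan brief` output collected from each switch, lists the ports on a given VLAN across switches, reports the VLAN IDs in use and emits rows for the spreadsheet. The two switch outputs are constructed samples, and collecting the text over SSH per switch is left to whatever the reader already uses. Note that `show vlan brief` lists access (untagged) membership only; tagged trunk membership has to come from `show interfaces trunk`.

```python
import csv
import io
import re

# Constructed `show vlan brief` output from two Cisco IOS switches (not real devices).
SHOW_VLAN_SW1 = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/10
10   USERS                            active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
                                                Gi1/0/5, Gi1/0/6
20   VOICE                            active
99   MGMT                             active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

SHOW_VLAN_SW2 = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2
10   USERS                            active    Gi1/0/11, Gi1/0/12
30   Printers                         active    Gi1/0/20
99   MGMT                             active
1002 fddi-default                     act/unsup
"""

# A VLAN row: id, name, an IOS status keyword, then an optional port list.
_ROW = re.compile(r"^(\d+)\s+(.+?)\s+(active|suspended|act/\S+|sus/\S+)(?:\s+(.*))?$")
_CONT = re.compile(r"^\s+(\S.*)$")  # continuation line: more ports of the same VLAN


def _split_ports(field):
    return [p.strip() for p in (field or "").split(",") if p.strip()]


def parse_show_vlan_brief(text):
    """Return {vlan_id: {"name", "status", "ports"}} from `show vlan brief` text."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            vid, name, status, ports = m.groups()
            current = {"name": name, "status": status, "ports": _split_ports(ports)}
            vlans[int(vid)] = current
            continue
        m = _CONT.match(line)
        if m and current is not None:
            current["ports"] += _split_ports(m.group(1))
    return vlans


def ports_on_vlan(inventory, vlan_id):
    """inventory = {switch: parsed}. Sorted (switch, port) pairs on vlan_id across switches."""
    return sorted((sw, p) for sw, vlans in inventory.items()
                  for p in vlans.get(vlan_id, {"ports": []})["ports"])


def vlan_ids_in_use(inventory, include_reserved=False):
    """Sorted VLAN ids seen on any switch; 1002-1005 are IOS defaults, dropped unless asked."""
    ids = {vid for vlans in inventory.values() for vid in vlans}
    return sorted(v for v in ids if include_reserved or not 1002 <= v <= 1005)


def to_csv(inventory):
    """Flat 'switch, vlan id, name, status, ports' table for the spreadsheet."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["switch", "vlan_id", "name", "status", "ports"])
    for sw in sorted(inventory):
        for vid, v in sorted(inventory[sw].items()):
            w.writerow([sw, vid, v["name"], v["status"], " ".join(v["ports"])])
    return out.getvalue()


def build_inventory():
    """Constructed inventory; in practice each text comes from an SSH session per switch."""
    return {"sw1": parse_show_vlan_brief(SHOW_VLAN_SW1),
            "sw2": parse_show_vlan_brief(SHOW_VLAN_SW2)}
```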



Subnet change to DHCP scope for AnyConnect VPN pool

Sanity check time!

I have a Cisco ASA with AnyConnect remote access VPN configured. Pretty standard stuff. Currently the network is 10.100.99.0/24. It's running low on IPs and I want to change the subnet mask on the DHCP server (Windows box). I want to change it to /23. I'm concerned there's something I'm missing but so far I see it as not an issue.

My plan is as follows-

  • Log into Windows box via remote connection software (Just in case).
  • Change subnet mask on DHCP server (Windows)
  • Connect to VPN and test.

If I understand correctly, this should be fairly seamless as the group-policy just shows the ACLs for what the clients have access to.

The tunnel-group shows the correct IP of my Windows DHCP server.

The group policy on the ASA shows the following:

    group-policy companyname-VPN attributes
     dns-server value ipaddresses of DNS servers
     dhcp-network-scope 10.100.99.0
     vpn-simultaneous-logins 3
     vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
     pfs enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split_tunnel_companyname-VPN
     default-domain value domain.com
     webvpn

The ACL referenced looks good and will not be changed.

Does this sound correct? With everyone working remotely, the last thing I want to do is mess up their VPN!!!

Thanks!



changes to the SDA Fabric - DNAc

Hello all,

I'm currently learning how the Cisco SDA fabric works in DNA Center.

When reading Cisco's docs about LAN automation, it seems that when wanting to configure something on the fabric (for example a fabric edge node), you must delete the device in DNAc and re-push all the configs there.

For example, I want to change an interface description or change an IP address on 1 of the fabric edge node's uplinks. Is there not an easier way of doing such a small change? I'm presuming you can only use APIs, since I can't change anything in the CLI of the fabric edge node... at least I don't know how to do that.



Connecting Switch to Access Port with Voice VLAN Configured

Hello everyone,

Quick question. I know that Cisco access ports with voice VLANs configured are technically trunks, but if I plugged a switch into that port with the voice VLAN tagged and the native VLAN set to the data VLAN, should it work?

For example, the access port is configured with voice VLAN 3 and access VLAN 2, while the switch trunk connected to that port is configured with tagged VLAN 3 and native VLAN 2.

It seems like it should work, but it doesn't work in my testing. Is there a specific reason why this doesn't work? Not looking at it from an implementation point of view, but to get a better understanding.



5G small office connection?

Has anyone implemented a 5G wireless connection for the main link of a remote office? We have an office with 8-10 users in the middle of an industrial site where a fiber connection is not available. We currently use IPsec tunnels back to the main office for some RDP, email and file sharing. Not sure how well this would work for our situation.

The AT&T 5G coverage map shows great coverage for the location but I've heard mixed reviews on 5G.

Thanks for any input!



How do I diagnose/isolate an electrical problem in an ethernet network?

I have an IT client that seems cursed. Network devices end up failing. We have replaced several switches and firewalls that have had individual ports fail. I suspect there is some problem with grounding or leakage/noise from the main electrical system. What procedure should we follow to diagnose/isolate the cause of the problem?

I can go buy some network testing gear, but it is not clear to me what would be the most efficient allocation of time and money.



Cisco "Special" DNA Images difference to "normal" Images

Hey,

so we recently got ourselves some C9200 and C9300 and we got the note from the distributor to use the Special Releases for Cisco DNA, but they could not explain to me what these releases do differently from the normal images.

So I just wanted to ask you fine folk, what am I missing here?

I am talking about the releases found here:
https://www.cisco.com/c/en/us/solutions/enterprise-networks/software-defined-access/compatibility-matrix.html

As far as I can see it, the non-special releases are also supported for DNA, like 16.12.4. The recommended release for DNA is 16.12.3s though.

Normally I would deploy the 16.12.4 image because of a critical PoE error in 16.12.3a (normal recommended release).

Also I do not have any kind of changelog for these Special Images; I would need to keep track of each bug ID individually to see if an issue is fixed in a release.

Does anyone of you have experience with this? What is this fuss all about?



Microsoft RDC using bandwidth-capped client terminal.

We are considering a new ERP (Distribution/Accounting Software) for our company and I'm having trouble determining the viability of RD as a connection client. The remote client will be my home office, and we are located in BFE, so our DSL maximum is 1.5 Mbps and our alternative is a WiFi hotspot which has suitable bandwidth, but is capped at 15 GB/mo under the current plan. Bigger plans are available, but at a costly premium which needs to be factored into our decision. I am concerned that RDC will eat up too much of our data. From what I can see, the minimum requirement for RDC is 1.5 Mbps, but I doubt we will get 1.5 Mbps consistently on DSL, so I'm thinking the hotspot is the only option here, but then I have to deal with the cap. My ERP provider told me that RDC doesn't redraw the screen but everything I have read says that it does, which sounds like a real data hog.

Does anyone here have experience with RDC and limited data caps? And if this belongs in another sub, I would appreciate some advice as to where to post it, since this sort of falls into a few categories.

Thanks in advance