Saturday, October 17, 2020

Cisco's New AP's: 140AC, 145AC, 240AC. Anyone use them yet?

The price point and feature sets look pretty good on this new Cisco Business Access Point & Mesh product line. But I can't find anyone on the internet discussing their real world experience with these units. Maybe because they are too new?

Perhaps my only recourse is to talk about these units with a Cisco sales rep and test them out for myself? Perhaps I take one for the team, if they don't work out....

If you have any experience with this new line from Cisco please chime in..

Here are the details regarding these units from Cisco...

Any of those above AP's can also be mixed and matched with any of the new Cisco Business Mesh Extenders listed below...

All of this is managed via a free, non-subscription-based mobile Cisco app called Cisco Business Mobile.

Cisco has had a reputation of being very expensive.. But this new line does not seem to be expensive at all. The AP's start at $165 MSRP, and the Mesh Extenders start at $135 MSRP..

All this looks very good on paper. But would love some real world feedback regarding this new line.

Thanks



ERR_TIMED_OUT

The network has two Cisco Catalyst 3560s, one functioning as a core switch and the other as an access switch, two Cisco 1921 routers, a 2106 WLC and two 1142 LAP's. The routers are running HSRP and OSPF. Clients' wireless connection is good and they have internet access. Websites like Google, YouTube, Amazon, and other big names load and are accessible. However, there are a lot of webpages across the internet that are not loading. Yahoo Mail, Netflix, and Hulu are the big ones. I would say that around 75% of web pages load and function normally, but that leaves a fairly large amount of pages that time out giving the ERR_TIMED_OUT. Can anyone point me in the right direction or help me troubleshoot this? Things I've tried are switching DNS servers, changing LAP location, changing LAP channels for no overlap, and I have even disabled one of the LAP's for a whole day to make sure there wasn't any interference. Also, this happens across all different browsers so it's not just a Chrome issue. If you have tips on troubleshooting then please let me know where I can start.



Using ‘vpn.*’ in domain name, good or bad?

I have an openvpn server running in Azure with a static IP address and it works fine.

My co-workers suggested installing a wildcard SSL cert and changing the access URL to vpn.companyname.com.

But I’m just wondering if it’s a bad security practice to have vpn.* as part of the domain name for the vpn? Am I just being too paranoid?



Web-based tool for Cisco ACI

An ACI web app that acts as a visual aid and verification tool. To try it out, check the GitHub repo below.

https://github.com/smedeyinlo/aci_app_ro



Tracing cat5 wires through wall

Good evening, I am having a pretty tough time finding where the cat5 wires are going in my building. I bought a cat5 toner but had no success finding the end of the wire at the switch panel. This is the toner I have. (I traced it maybe 50 feet but lost it behind the 5th wall)

Noyafa NF-388-B Multipurpose Network Cable Tester Tracker Tracer Test Ethernet https://www.amazon.com/dp/B00BDI6O7Q/ref=cm_sw_r_cp_api_i_Cg7IFbNPQP9QE

After trying 5 different network cables in different rooms, I could not find the ends anywhere near the switches. Now I am looking at potentially getting another toner that might work better. The toner I have does not go through walls. Is there a better one that does?

I may get this one but just want to confirm if a digital toner works better than analog to trace through a wall? Sheetrock is about 5/8in thick.

Fluke Networks IntelliTone Pro 200 Toner and Probe Kit (MT-8200-60-KIT), IntelliTone Probe and Toner Kit https://www.amazon.com/dp/B00N2S6RPY/ref=cm_sw_r_cp_api_i_5k7IFbF7TW1MF

If this does not work, does anyone have an estimate on cost for tracing 100 wires throughout a 50k sqft building? I don’t have access to previous owners to ask any questions.



Cisco Umbrella Scenario

Please have a look at this diagram: https://drive.google.com/file/d/1Ph9l3Pn27HG7-67mMatISNt8ycxiNCgC/view?usp=sharing

We are trying to establish an IPSEC connection from our internal network toward Cisco Umbrella, to send some outgoing traffic through that tunnel toward Umbrella and break other traffic out directly to the Internet. Three options have been proposed; the one you see is one of them, with PBR on the Firewall to send traffic destined to Umbrella and directly to the Internet through it. Do you guys see any issues with this approach? Another approach is terminating IPSEC on the FW (which is Cisco FirePower), which has some complexities due to the number of NATs that need to be added as well as quite a number of ACLs. What do you guys suggest and why?



IPTV always buffers except on VPN (TCP not UDP)

Whenever I try to open IPTV streaming on any of my devices, and regardless of the protocol (TS or HLS), it always buffers like mad. I have 150 Mbps internet currently.

I notice that when I’m on VPN it doesn’t buffer, although it will only do so when I connect with TCP and not UDP. This is the case with OpenVPN or OpenConnect. V2Ray also doesn’t buffer.

My question: Is it possible to not get buffering without VPN?

FYI I’m using Unifi Dream Machine as my router.

Thanks in advance!



Cisco SG300-52P - Cannot figure out cable needed for console access

I am having a very difficult time trying to find the correct console cable and adapter configuration to get console access on a SG300-52P switch. To make matters confusing, this Cisco model is apparently one of the only Cisco models that does not use the standard DTECH DB9 to RJ45 Console Cable Cisco Device Management Serial Adapter.

To make matters worse, I think the device may be stuck in a frozen boot and console access is the only way to fix it. Factory reset does not work at all no matter how long I hold the reset button.

From here I have gone into a downward spiral of finding tons of posts online of people having issues connecting to the console, and the few times people found solutions I can't make sense of them: "needed null modem did it", "needed a 1-1,2-2,3-3".

I'm stuck in a place where I have no idea if I have the right cable or if I'm using the wrong commands with minicom, putty, and screen (Ubuntu system). My laptop is Ubuntu 20 with just USB ports; it does not have serial ports.

Here is what I have so far

Attempt 1
  Cable: DTECH DB9 to RJ45 Console Cable Cisco Device Management Serial Adapter
  Research: Amazon search "cisco console cable"
  Works: No
  Notes: Cable not supported at all on SG300-52P

Attempt 2
  Cable: USB to RS232 Adapter with PL2303 Chipset, CableCreation 6.6 ft USB 2.0 Male to RS232 Female DB9 Serial Converter Cable for Cashier Register, Modem, Scanner, Digital Cameras, CNC, Black
  Research: Customer Questions and Answers section said it worked for Cisco switches. According to Cisco Forums this model needs a "standard 9 pin straight through".
  Works: No
  Notes: I am left confused so begin purchasing other cables.

Attempt 3
  Cable: TECHTOO USB 2.0 to RS232 DB9 Serial Cable Female Converter Adapter with Prolific PL2303 Chipset for Win10 8.1 8 7 Vista XP 2000 Andorid Linux Mac OS X 10.6 and Above (3ft/1m)
  Research: Customer and Answer section said: "Used this to connect to a Cisco SG300-10 managed switch / router. It didn't need any drivers from Windows 10. Prior to this type of cable, you would need to use [[ASIN:B00IDSM6BW Sabrent USB 2.0 to Serial (9-Pin) DB-9 RS-232 Converter Cable]] along with a Female to Male converter."
  Works: No
  Notes: More research and even more confused now

I don't know what to do and I'm losing my mind buying cable after cable.

The content creator on the frozen boot video responded to a "what cable do I need" question with:

"Female-to-female 9-pin D-connector cable, the SG300s come with one in the box. Pins all connected 1-1, 2-2, 3-3, etc. "

Amazon shows this cable. How do I even plug this into my laptop when it is serial on both sides? Will this work with the cables I purchased above?

On the second cable I purchased, I later found a customer review by a guy with the exact model I have saying this:

the answer was to buy a small in-line DB9 null modem adapter and add it before the Cisco console.

Amazon shows this StarTech.com DB9 RS232 Serial Null Modem Adapter - F/F - Null modem adapter - DB-9 (F) to DB-9 (F), but if I buy this will it work with the cables I purchased above?

At this point I am very confused and feel like I'm just guessing by just buying cables and adapters and it's starting to become expensive and frustrating.

What cable combination and adapters do I need for this?



Wan not working

I have a second router, a COMTREND VI3223U. When I connect an Ethernet cable from my first router to the second router, everything works, but when I reset the second router and connect the Ethernet cable to the WAN port, the internet LED is red. Can you help me please?



APs on different networks same SSID

I am just having trouble finding documentation that relates to the subject. I was wondering if it is possible to have APs in different networks (each floor has its own network), but I'd like them all to connect together working with a single SSID. Or would the best solution be to add another switch (because all APs must be isolated from the wired network)?



Python tools for network engineers

I've already learned a bit about Python, no expert but enough to bring down the network by accident.

What are some must-have Python tool ideas you have in your toolkit?

I want to develop them on my own, nothing super complex, but things that would be massively beneficial for my job and organization, as we do not have tools like this yet.



Tech Interview for a corporate network engineer job with one of the social media companies. Any tips?

Brushed up on MPLS, BGP, OSPF, VPN, TCP/UDP. Any advice on what else to expect?

Thanks



The right rj45 connector for solid wires and stranded ones (like a mini rope)

Hey!

I've just noticed (after god knows how many years) that RJ45 plugs differ from one another. Some have 2-pronged pins and others 3-pronged ones. I've been reading for information on this and some say that:

Pins with 2 points can be used for solid and stranded.

Pins with 3 points can only be used for stranded wires?



Gathering switch information commands?

I'm very new to the networking side of things after coming from desktop support with no switch experience, and I have a project coming up. So, to get straight to the point, from a switch how would I get the following:

Hostname, serial number, make and model

I am aware of show cdp neighbour and show ver, but if someone could give a basic example of what those commands mean and how I can find the requirements above, I would be very grateful and it would give me a head start!



Wi-Fi 101: Wi-Fi 6E In-depth

What is Wi-Fi 6E?

Wi-Fi 6E is Wi-Fi 6 extended into the newly unlocked 6 GHz spectrum.

On April 23, 2020 the United States FCC voted to allow the unlicensed use of the 6 GHz band. This added 1200 MHz (5.925 to 7.125 GHz) of spectrum for devices like Wi-Fi access points. Previously, devices operating in this band had to be licensed, which prevented use by the general public. This added spectrum is arguably the biggest change in wireless networking since the original 802.11 standard came out in 1997, or the original allocation of the ISM bands in 1985.

For perspective, there is only 260 MHz of unrestricted spectrum available in other bands. The exact channels available vary by region, but without getting bogged down in specifics:

  • 80 MHz unrestricted in the 2.4 GHz ISM band.
  • 180 MHz unrestricted in the 5 GHz band.
  • 500 MHz requiring Dynamic Frequency Selection (DFS) in the 5 GHz band.
  • DFS channels require an access point to continuously monitor for the presence of weather or military radar signals. Wi-Fi access points using DFS channels are required to back off to avoid interference. Due to this, DFS channels are often either not supported or not used.

This limited amount of contiguous spectrum makes it difficult to enable wider 80 MHz or 160 MHz channels, and can cause channel re-use and interference. The 6 GHz spectrum allows for any combination of the following:

  • 59 additional 20 MHz channels.
  • 29 additional 40 MHz channels.
  • 14 additional 80 MHz channels.
  • 7 additional 160 MHz channels.
  • 3 potential 320 MHz channels, due to be included in the 802.11be (Wi-Fi 7) standard.

What Is 6 GHz Used For Currently?

The 6 GHz band is in use by many licensed services. In the US, there are 47,695 unique uses between 5.925 and 7.125 GHz, namely fixed point-to-point radios, fixed satellite service (FSS), broadcast auxiliary service (BAS), and cable television relay services (CARS).

An incomplete list of services using 6 GHz:

  • Communication to geostationary satellites.
  • Police and fire dispatch services.
  • Management of electric grids.
  • Control of natural gas and oil pipelines.
  • Coordination of railroad train movements.
  • Fixed wireless backhaul by service providers like AT&T and Verizon.
  • Mobile TV stations and video relay from remote locations.
  • Radio Astronomy.
  • Portable cameras and wireless microphones.
  • Long-distance telephone service.
  • Ultra-wideband systems.

Automated Frequency Coordination (AFC) is the New DFS

In the US, the 6 GHz band is broken down into the U-NII-5, U-NII-6, U-NII-7 and U-NII-8 sub bands, with different rules for each.

Indoors, the full 1200 MHz is unrestricted and can be used by normal Wi-Fi networks without concern for those existing services. This is due to the nature of radio transmissions in the 6 GHz band rapidly attenuating. In the vast majority of situations, indoor 6 GHz devices won’t be able to detect outdoor radio transmissions. Low-power indoor 6 GHz devices will use the existing CSMA/CA protocol to provide medium access fairness and coordinate wireless transmissions.

Outdoor use of 6 GHz is a little more complicated. Only the U-NII-5 and U-NII-7 sub bands can be used. Due to the large amount of critical infrastructure running in the 6 GHz band, Wi-Fi 6E devices operating outdoors will need to implement Automated Frequency Coordination (AFC). This is similar to how 5 GHz devices using DFS channels need to monitor for radar, and defer their use of the channel. AFC works by having 6 GHz wireless networking equipment connect to a cloud-based AFC database to report their position. The AFC database would determine the risks of interference with incumbent services and assign a specific channel to the AP.

What Does Wi-Fi 6E Give Us?

TL;DR: Higher capacity, higher speeds, and lower latency.

The only devices that will be able to operate in the 6 GHz spectrum are devices that are based on the Wi-Fi 6 (802.11ax) standard. Unlike every other Wi-Fi standard, there is no backwards compatibility for the 6 GHz band.

To be clear:

  • Wi-Fi 6E client devices will be able to join and use legacy 2.4 GHz and 5 GHz networks.
  • Devices supporting Wi-Fi 6 and older standards will not be able to operate in the 6 GHz band.
  • Most Wi-Fi 6E networks will be dual or tri-band, allowing older clients to connect using the old spectrum, while exclusively allowing 6E clients to operate over 6 GHz.

The lack of backward compatibility is a feature, not a bug. This will limit usage of 6 GHz until Wi-Fi 6E devices are more common, but it provides a lot of benefits. Every Wi-Fi 6E device will support Wi-Fi 6 technologies like OFDMA and Target Wake Time, making transmissions more efficient. OFDMA requires all devices participating in the transmission to be synchronized. Time, frequency, and power must all be synchronized between the AP and client. OFDMA only becomes fully effective when all client devices and access points use it.

Older Wi-Fi generations like 802.11n and 802.11ac were based on OFDM modulation, where each channel was fully reserved to a single user for each transmission. In contrast, OFDMA divides the channel into sub-channels, also known as Resource Units (RU). This allows multiple users to communicate simultaneously, rather than waiting for their turn. Each time a Wi-Fi 5 or older device transmits in a Wi-Fi 6 network, the transmission reverts back to standard OFDM with a single transmission occupying the entire spectrum. Flipping back and forth between OFDM and OFDMA degrades the network for everyone, especially Wi-Fi 6 devices. Things get even slower when older, low data rate devices supporting 802.11b or 802.11g are in the mix.

Going forward, Wi-Fi 6E devices will be a lot less of a drag on 6 GHz networks than legacy devices are on current 2.4 and 5 GHz networks. Until now, Wi-Fi standards have always been backward compatible with previous standards. This allows older and newer devices to interoperate, but restricts overall data throughput to the rates supported by the slowest devices. Legacy devices such as 802.11b/g/n require more airtime to transmit data, increasing latency and reducing throughput for all users. This policy of always supporting old standards is a great benefit and strength of Wi-Fi. Unfortunately it can also impair the performance of even the highest-end Wi-Fi 6 devices using the 2.4 GHz and 5 GHz bands.

Taken as a whole, the 6 GHz band will allow for more ubiquitous usage of the required aspects of high performance wireless transmissions. All 6 GHz transmitters and receivers will include all the advances in Wi-Fi 6, including wide channels, 1024-QAM modulation, and OFDMA. 6 GHz will provide a cleaner RF environment with less interference, with fewer issues caused by adjacent or overlapping channel interference. The same policies that guide Wi-Fi network design will still apply, but this big chunk of new spectrum will allow for more design flexibility, better performance, and a better experience for everyone.

Potential Problems with Wi-Fi 6E

If the rollout of Wi-Fi 6E is anything like Wi-Fi 6, early devices will likely skip optional features, or have non-working implementations of key technologies like OFDMA. Small Net Builder has a few great articles about the current state of Wi-Fi 6 OFDMA. That same dynamic will likely apply to early Wi-Fi 6E devices. The earliest Wi-Fi 6E devices may not fully comply with the standard, may not implement every feature, and may not perform as expected.

Another potential issue is all the design, testing, and validation that will be required. Wi-Fi 6E brings a lot of new engineering challenges for network operators and device manufacturers. Existing Wi-Fi components and equipment used for design and manufacturing are optimized for frequencies below 6 GHz. Retooling for support up to 7.125 GHz will require changes to antenna design, manufacturing, and validation. Devices will need to be calibrated and tested up to the highest frequencies to ensure that they can generate the expected power levels.

Wi-Fi 6E devices will likely be dual or tri-band, complicating heat dissipation and power management for the multiple bands and MIMO streams to coexist. Proper band isolation will need to be developed and tested to avoid interference within the device. More coexistence testing will need to be done, and multiple bands need to be tested simultaneously. All of these things increase complexity. Even well-engineered Wi-Fi 6E devices are likely going to be power hungry, increasing PoE requirements for access points and limiting battery life on mobile devices.

Another potential issue relates to the scanning and probing that Wi-Fi devices perform when looking for an access point to join. With 1200 MHz to cover and 59 potential 20 MHz channels to scan, a client would require around 6 seconds to complete a passive scan of the entire band. This would cause many roaming and association issues, so the IEEE proposed a fast passive scanning method using a reduced set of channels called Preferred Scanning Channels (PSC). PSCs are a set of fifteen 20 MHz channels spaced every four channels (80 MHz) apart. Passive scanning of these fifteen PSCs reduces the total scan time to a more manageable 1.5 seconds. This is yet another feature of Wi-Fi 6E that will need to be developed, tested, and perfected.

A lot of Wi-Fi 6 and Wi-Fi 6E features sound great on paper, but come with compromises. For example, wider channel widths cause network design challenges, and often run into physical limits. A wider channel requires more OFDMA data carriers being transmitted and received simultaneously. An 80 MHz channel has 996 sub-carriers, while a 160 MHz channel has twice that. In a wide channel, the SNR per carrier is reduced, and requires higher signal strength for a successful transmission. Saturating a wide channel with Wi-Fi 6E devices will be hard to do in practice, especially since a lot of this complexity is being pushed onto device manufacturers. Just like with current devices, it will only take one poorly designed Wi-Fi 6E device or one bad actor to limit everyone’s performance. That’s the unavoidable nature of using a shared medium like Wi-Fi.

When Can We Expect Wi-Fi 6E? Should I Wait?

At first, Wi-Fi 6E was a US-only affair. In July 2020, Ofcom voted to allow 500 MHz of the 6 GHz band in the UK. In October 2020, MSIT voted to allow 6 GHz use in South Korea.

There’s no official timeline for when regulators around the world will make the spectrum available for unlicensed use. Wi-Fi 6E has no definitive release date in most countries. In the US, Wi-Fi 6E devices will probably start appearing in 2021 and become more common heading into 2022.

During CES 2020, Broadcom announced several system-on-a-chip products that router manufacturers can purchase to create Wi-Fi 6E devices. Qualcomm also has Wi-Fi 6E chipsets available. Intel announced that it will have Wi-Fi 6E chips available in January 2021. The Wi-Fi Alliance plans to have their Wi-Fi 6E certification ready by early 2021, but devices using a draft Wi-Fi 6E certification may be out before then.

Wi-Fi 6E should be a big improvement for high-density and high-speed networks, but it is unlikely to make a large difference in most people’s homes. Think about dense Wi-Fi networks in a convention center, or a stadium — that’s where I think the extra spectrum from Wi-Fi 6E will be most relevant. It should also have a big impact on wireless mesh networks, but time will tell. Keep in mind that only Wi-Fi 6E devices will be able to use the new spectrum, meaning none of the devices you have now will see any benefit.

I've seen many people say that they wouldn't consider buying any networking equipment that doesn't support Wi-Fi 6E. I can't tell you what to buy or what to do, but I don't think that holding out for Wi-Fi 6E is necessary, especially for a home network. Getting use of a Wi-Fi 6E network will require all new devices, and we don't have any of those yet. Even after you can buy Wi-Fi 6E-enabled devices, it will take time until the benefits are relevant to most people. If you have an older network, it might make more sense to upgrade to Wi-Fi 6 now, and wait for mature Wi-Fi 6E products or Wi-Fi 7, which is due in 2023 or 2024. By then, clients supporting 6 GHz should be more common, and the upgrade cost will make more sense.

If you want to chase high channel widths and high data rates, Wi-Fi 6E has plenty to offer. It’s an exciting time for Wi-Fi, but it helps to have patience. Wi-Fi 6E may be right around the corner, but it isn’t here yet.
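The channel counts, the fifteen PSCs and the 6 s / 1.5 s scan estimates in the post above can be reproduced from the band edges and the 6 GHz channel numbering. The following is an added example, not code from the original post; it assumes a 100 ms per-channel dwell for the passive-scan estimate and a fixed total transmit power for the per-subcarrier SNR figure.

```python
"""Wi-Fi 6E (6 GHz) channel-plan and scan-time calculator.

Added example; not code from the original post. Channel numbering follows
the IEEE 802.11ax 6 GHz plan (center frequency = 5950 MHz + 5 * N, so
channel 1 is centered at 5955 MHz). The 100 ms per-channel dwell used for
the passive-scan estimate is an assumption (roughly one beacon interval).
"""
import math

BAND_LOW_MHZ = 5925            # lower edge of U-NII-5
BAND_HIGH_MHZ = 7125           # upper edge of U-NII-8
FIRST_CHANNEL_EDGE_MHZ = 5945  # channel 1 occupies 5945-5965 MHz
CHANNEL_BASE_MHZ = 5950        # center(N) = CHANNEL_BASE_MHZ + 5 * N
WIDTHS_MHZ = (20, 40, 80, 160, 320)  # 320 MHz is the 802.11be (Wi-Fi 7) width
PSC_SPACING_MHZ = 80           # preferred scanning channels are 80 MHz apart


def channel_number(center_mhz: int) -> int:
    """Map a center frequency in MHz to its 6 GHz channel number."""
    if (center_mhz - CHANNEL_BASE_MHZ) % 5:
        raise ValueError(f"{center_mhz} MHz is not on the 5 MHz channel grid")
    return (center_mhz - CHANNEL_BASE_MHZ) // 5


def channels(width_mhz: int) -> list[int]:
    """Non-overlapping channel numbers of the given width that fit in the band."""
    if width_mhz not in WIDTHS_MHZ:
        raise ValueError(f"unsupported channel width: {width_mhz} MHz")
    half = width_mhz // 2
    center = FIRST_CHANNEL_EDGE_MHZ + half
    result = []
    # Walk up the band one channel at a time; stop when the next channel
    # would spill past the upper band edge.
    while center + half <= BAND_HIGH_MHZ:
        result.append(channel_number(center))
        center += width_mhz
    return result


def channel_plan() -> dict[int, int]:
    """Count of non-overlapping channels per width (the bullet list in the post)."""
    return {w: len(channels(w)) for w in WIDTHS_MHZ}


def preferred_scanning_channels() -> list[int]:
    """PSCs: every fourth 20 MHz channel starting at channel 5 (5, 21, ..., 229)."""
    step = PSC_SPACING_MHZ // 20  # four 20 MHz channels per PSC interval
    return channels(20)[1::step]


def passive_scan_seconds(channel_list: list[int], dwell_ms: float = 100.0) -> float:
    """Time to listen once on every channel in channel_list (assumed dwell)."""
    return len(channel_list) * dwell_ms / 1000.0


def per_subcarrier_snr_penalty_db(width_mhz: int) -> float:
    """Idealised per-subcarrier SNR loss relative to a 20 MHz channel.

    Assumption: total transmit power is fixed, so a wider channel spreads the
    same power over proportionally more subcarriers: 10*log10(width / 20).
    """
    return 10 * math.log10(width_mhz / 20)


if __name__ == "__main__":
    for width, count in channel_plan().items():
        print(f"{width:>4} MHz: {count:>2} channels, "
              f"per-subcarrier SNR penalty {per_subcarrier_snr_penalty_db(width):.1f} dB")
    full = channels(20)
    psc = preferred_scanning_channels()
    print(f"full passive scan: {passive_scan_seconds(full):.1f} s over {len(full)} channels")
    print(f"PSC passive scan:  {passive_scan_seconds(psc):.1f} s over {len(psc)} channels")
```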

Further Reading



Palo, ansible and ultimate rule add

I'm wondering if y'all can share your experience regarding automation, specifically with Palo Alto's Ansible modules and some Python in there.....

I recently started working at a large corporation that has multiple firewalls in multiple data centers, and I'm trying to figure out the most ideal solution, if I'm given a source and a destination IP only, to automate the end-to-end firewall(s) rule add .....

I have a budget for some tape, paper clips and an elastic band - a stapler might be provided but can not be relied on...



Help: Actiontec MoCA 2.5 Setup Question

Hi all - I got two of these MoCA network adapters from Amazon recently and tried setting up my network today: https://www.screenbeam.com/products/home-networking/ecb6250/

Their quickstart guide shows the order going:
Coax Outlet -> MoCA Network Adapter -> Ethernet Port of Modem/Router
https://www.screenbeam.com/wp-content/uploads/2020/09/2354b05-ECB6250-QSG-0535-0856-003.pdf

I tried the above connection pattern, but my modem seems to only want to accept internet in through a coax port and feed it out through Ethernet (TP-Link TC7650). I also tried splitting like so:
Coax Outlet -> Splitter ->
1: -> Modem
2: -> MoCA Network Adapter -> Router
but this didn't seem to work either. Internet was getting to the modem but seemingly not to the router.

Does anyone have any advice they can offer on how to best set this up? I'm confused as to whether my modem can accept incoming network connection via the ethernet port when it seems to typically accept incoming network from the coax and feed it out through ethernet. Provider is Comcast.

Maybe I need something more like this which has coax in and out, https://www.screenbeam.com/products/home-networking/ecb6200/? Can 2.0 mix with 2.5?

Thank you



Building Management System Best Practices and Outage Tolerance

Hey all,

Just curious, for those of you who have larger, multi-building networks, what kind of best practices do you know of for connecting a building management system into your switched networks?

Currently our facilities engineers have been plugging in non-managed 8-port switches into our network ports as an access port. Do you allow this, or do you require individual ports for each device (to enforce MAC sticky)?

If you require individual ports how does your building infrastructure team deal with downtime when you are performing upgrades? Can they tolerate a short (15-20 minute) disruption?



No internet access after disconnecting from VPN

Hello

So this happens when I disconnect the VPN, either immediately or after a long time, like 1 hour. The problem is solved when I restart my laptop, but it takes a while for it to restart, and besides, I don't want to restart it like four times a day! Another interesting thing is that when I use an Ethernet connection (with a LAN cable, I mean) it doesn't happen! I use Windows 10.

Sorry for bad English



Juniper vs Aruba Switching

I have been using Juniper switches, primarily in office networking but also in some data center applications, for a long time in my career, and I often advocate for bringing them into a new organization. They have been solid workhorses for me, having used 4550s, 4600s, and 4300s as core or access switches. There have sometimes been problems, but I'd say that is true for any vendor, and usually what I have been doing with them is pretty basic features that tend not to encounter many bugs.

In previous companies I have always had the luxury of a connected global network for remote locations, and management is done from inside the network or through a VPN concentrator, both things I do not have in my current company and really have no appetite for creating. This is leading me to heavily consider cloud management dashboards. I have so far deployed one site using Juniper Sky Enterprise and it is not great. I have also been deploying Aruba access points with Central and I am liking that experience, which is getting me to consider Aruba switching to go with it. This company has even less need for anything complex at most of the sites, so I am considering 2930F or possibly 2930M models.

What is blowing me away and causing me to rethink Aruba switching is that the price difference to Juniper switches is high; in this case, comparing a 2930F 48-port PoE to a Juniper EX3400, the Aruba switch is almost 80% more expensive. Is Juniper just priced extremely low? Maybe I'm not getting good pricing from Aruba? Am I making a mistake even considering Aruba switches?



How to remotely access OLT device?

Can someone please tell me how I can remotely access an OLT device? Please help.



802.15.4 (Zigbee) and 802.11 (WiFi) Simulation Environments

My classmates and I are doing a project based on Zigbee and want to analyze how effective it is compared to WiFi for device communication. We are looking into an environment where we can test the differences in power consumption and other QoS attributes for Zigbee and WiFi. I have found Open-ZB; is that a good one, or what other ones are there?



Will my pc that is connected to my modem be on the same network as my devices on my router?

My modem has two Ethernet ports. One goes to my PC and the other goes to my router. Will my PC be on the same network as my other devices that are on WiFi, like my laptop or my Raspberry Pi? Thanks.



Chromebook Self Signed Cert

We are deploying WPA2 Enterprise authentication on a new WiFi network, and the deployment has been done with a newly generated self-signed certificate. This has worked on Windows and macOS fine.

That is, until we were given a Chromebook: I cannot import the self-signed cert into the trust store of the Chromebook. We are using a single certificate rather than a CA. I can see the certificate under the Others tab after importing on the 'Servers' tab:

https://imgur.com/a/OZcmXwS

But it's listed as untrusted. Is there any way I can manually trust this? If I try to join the Wi-Fi network now I'm getting an 'Authentication Certificate Rejected Locally' error. If I don't have the cert at all, I see a cert error in NPS logs.

Please could someone help?



DNA Licensing: Is it required at initial purchase of 2800 series AP?

Our reseller is trying to tell me we HAVE to buy the DNA licensing for 2802i APs. I was always under the impression only 9000 series devices required DNA at time of purchase.

They are going to look into it further for me but can anyone here weigh in?



Cannot ping internal network via OpenVPN (under Untangle)

Using Untangle as the firewall. Internal network can access internet. I can access machines remotely via Teamviewer.

Remote users can ping UT/OpenVPN server IP address, but not access internal network via FQDN or IP.

Internet --> Comcast modem (10.1.10.1) --> UT server (10.1.10.60 / 172.16.2.1) --> 2019 Windows domain server (DNS and DHCP server) (172.16.2.10)

I attempted to put the modem into bridge mode, but they don't have a static IP and it kept messing up, so I put it back into router mode with firewall disabled. I configured a static route in the modem from 10.1.10.1 to 172.16.2.0

  • I have configured the Comcast modem with port forwarding of 443 and 1194 UDP/TCP to the UT server.
  • UT server is configured with its own address space, and I have checked and unchecked NAT OpenVPN traffic.
  • UT Group is configured for Full Tunnel and to push DNS of the internal DNS server.
  • Exported network is configured for the internal private network of 172.168.2.0/24.


Can you have malware in your computer network?

I've read somewhere that you can have malware in your network, but I'm not sure what is meant by that. Malware in the router? What are the signs of something like that? Does antivirus also protect against that? How to remove it?

Thanks



Vlan to Broadcast Van

Hey there! So I'm configuring Luminex GigaCore switches for the event industry. Some of you might know the Dante audio-over-IP protocol. I have a switch configured with three VLANs: the first VLAN for Dante Primary, the second VLAN for Dante Secondary and the third VLAN for AVB (also a protocol used in the event industry, Audio Video Bridging). I have configured some trunk ports for links between other switches. My question is: how do I configure ports on a switch to make it possible for a broadcast van to get Dante traffic? Do they have to configure their switch with the same VLAN, or do I have to use a router? I hope I have stated my question understandably.



Changing ifIndex #?

I'm working with a program that acts as a server between a PC (Windows 10) and another device. Right now, the program automatically selects the network adapter with the lowest ifIndex value to connect with. Is there any way that I can change the ifIndex value of certain network adapters in order to choose the default adapter for it to connect with?



OSPFv2 LSA Type 3 & 4

Hello everyone!

Almost any Network Engineer knows what LSA Type 3 and 4 are used for:

LSA 3 = Inter-area to OSPF route

LSA 4 = Inter-area to ASBR (who has routes to external routing domain)

My question is:

Why do we really need LSA Type 4 to describe the inter-area route to the ASBR?

Why couldn't we use LSA Type 3 with a /32 netmask for it?



Learning automation and scripting for a newbie

Hey everyone. Anyone got any good sources or advice for learning automation and scripting for someone who has never done anything like it? I have no knowledge of any coding processes or languages. Cheers!



Friday, October 16, 2020

A single "device" keeps bringing my whole network down

A few weeks ago my network went down: I could ping the main router but couldn't log in, so it looked like the router froze. The router looked fine except that the Internet Connection alarm light was red. During troubleshooting I tried rebooting and rearranging cables, but no luck.

Finally I had to isolate the network and found out that one device was causing the problem. There is a MacBook Pro connected to a 12-port Mac dongle with monitors, a "network cable" connected, and such.

After unplugging the cable from the dongle, rebooting the MacBook and then plugging it back in usually solves the problem "immediately": unplugging this cable and the network is fully restored in a second. However, yesterday this problem happened again when that MacBook wasn't even turned on.

At first I thought this problem could be a mac loop detect port down, but this time it wasn't even turned on. I had to tell the dude to just use Wi-Fi for a while until I fix it.

The network structure is super simple, it's just a router out to 2 switches (port 1, port 2), and the problem occurs on the port 2 switch device. I haven't tried to turn off the mac loop detect yet.

I have no idea how to troubleshoot this problem further.



OPNsense Firewall Rules Question concerning direction.

I'm in the process of testing out some new firewall solutions. As background, I had a CCNA years ago, until it expired. In my day to day job, I don't deal with networking issues nearly as often as I used to, being that 5 or 6 years ago I configured Cisco equipment quite often, but now not so much, so I'm definitely rusty.

So in OPNsense, after I created a VLAN, I had to add a firewall rule for the VLAN with the direction IN, source allowed to any. Why would the direction not be OUT? I'm having trouble wrapping my head around it and I haven't been able to find any good explanations.

Can someone explain this to me like I'm five?



Subinterface Circuit ID

Should subinterfaces have their own Circuit ID?

I sent a list to a guy at work asking for all the circuit IDs so I can update descriptions, but he only provided the interface IDs and none of the Subinterface information.

In the outdated descriptions, subinterfaces had varying IDs.

Would subinterfaces have unique IDs (aka did he not give me all the info), or, since it's the same physical connection, do they (the physical interfaces & associated subinterfaces) all share the same Circuit ID and the old information is outdated/wrong?

Thank you!



Enabling FEC on 100Gb ports - Cisco

When testing 100Gb fibre ports between a Cisco 9500 and a Juniper with a direct fibre between the two, I had to disable FEC on the Cisco port in order for the fibre to come up. I was aware of this beforehand from a little reading, so I knew to disable FEC to bring it up.

I've now got these devices in a DC (still a test environment) connected via a point-to-point, so I decided to look at it again. I noticed you can also enable FEC on the Juniper side, but only as FEC91. That's fine though, because the Cisco has that as an option.

However, with this enabled on both sides the link does not come up.

Is it a good idea to have FEC enabled?

I'm thinking it's now not coming up either due to not using an 'official' Cisco 100Gb module, or perhaps due to the 'point-to-point' circuit not being a direct fibre between the two sites?

It seems lots of people have this problem and just disable FEC, but is this bad practice?

thanks



Is it possible to deny access from one network to another on localhost?

Hi, I have a host with 2 networks, and there are 2 processes, each bound to one of the networks. These processes should not be able to communicate with each other:

net A 10.10.10.10 --> proc1

net B 10.10.20.10 --> proc2

I was wondering if it would be possible to use firewalld to drop connections from net A to net B and stop them from communicating with each other? Or in this case will this communication not be routed through the firewall, so something like namespaces should be used?

PS: I know it's poor design, it's not my idea.

Thanks in advance!



Cisco Sourcefire user agent

Hello all,

I was running a Cisco Sourcefire User Agent on my Windows 2012 server; I wanted to install the new version, which is v2.5. In order to install it, I had to remove the old version.

I successfully removed the old version. When I tried to install the new version (v2.5), it prompted me to install Microsoft SQL Compact 4.0 SP1. When I click install, I get an error saying: "an error has occurred while downloading a required file. you may retry downloading the file or cancel setup".

I found the debug file with an error saying:"Downloading failed with HRESULT=-2146697208"

Can anyone help, since all my users are getting blocked from the firewall.

thank you all.



Network Mobile App (Ideas)

Hey guys!!

I've been learning Kotlin to develop mobile applications for Android, but as I'm a network engineer I'd like to see your input on some kind of network utilities you would find useful to include in a mobile application.

Ideally I want an application that would be of public use (someone inserts X information in a database about a network that someone else can see publicly in a map of a city, something like this).

I'm looking for a challenge so any ideas on network utilities or things I can include in the mobile app would be much appreciated.



Need some help with Access Control Lists

Please let me know if this isn't the right sub for this!

Hello everybody, I'm new to this sub but I have a quick question about Packet Tracer schoolwork I have to do, and I'm kinda stuck and don't know how to proceed.

So the scenario is the following: there are 3 networks (A, B and C). I should configure the routers in a way that, with the help of ACLs, networks A and B can't see each other but both of them can see network C. The routers are connected in a triangle, so there are always 2 connections on 1 router. (I can't change or cut the connections from the router / not route that connection.)

The IP-Addresses I'm using for my networks are:

A: 200.10.20.0 / 26

B: 200.10.20.64 / 26

C: 200.10.20.128 / 26

And /30 masks for the Networks between the routers starting from 200.10.20.192 /30 (in total 3).

How do I have to configure the routers now? I used RIPv2 for the routing, but after some research I'm not sure if ACLs work with RIPv2. Do I have to use static routes?

Another question: I use standard access lists to deny a whole network from accessing another network, but for some reason the whole traffic either gets permitted or denied. How can I fix this, and/or do I have to use inbound or outbound on the interface for the ACL?



Learning to Code vs Automation Tools

Hey guys, I'm fairly new to networking and I keep on seeing people pushing to learn python/bash to learn automation. My question is, why do we need to learn to create a script if there are widely available network automation tools out there that we can use?



ASA 5516-X Dropped Outbound Traffic

Morning, as the title indicates, I have an ASA 5516-X, in an HA pair (active/standby), that is dropping outbound traffic. I have to manually fail over to the secondary and outbound traffic is restored. AnyConnect sessions are able to remain authenticated, OSPF adjacencies are still formed, IPSec/VTI tunnels remain up and I have a full routing table. CPU is at about 25%. The SFR module is up/up so it's allowing traffic through. Syslogs do not show any entries pointing to an issue. The code I am running is 9.12.4 and the SFR module is on 6.4.0.92. A TAC case is open and they have not been able to find anything from sh tech or syslogs either. This is the third time this has happened since March. Google and Reddit searches haven't produced much. Has anyone come across this before, or any recommendations as far as looking at a particular part of the config? I'd be more than happy to provide scrubbed information if more info is needed. TIA.



Layer 3 a 2 switches - Star & Mesh networks

Hey r/

For a school project we are entirely renewing a schools infrastructure. This school wants BYOD and the necessary network changes to accommodate it.

They want to follow another school's method and install layer 3 switches everywhere: Core, Distribution & Access.

But is solely using L3 switches a bad thing? It will work but is there a point in using only L3 switches? We were thinking about it in our school project and this might be something which is done in mesh networks and not in star networks?

The school we are renewing has the budget to buy either type of switch, but because fiber cables are not present in the entire school, they want to build a star network. We were able to get approval to have fiber laid in the ground, which is a very costly operation. Because of the age of the school, they want to lay fiber down now to connect all major buildings with the core building, and in 5 years or later lay down fiber to connect all major buildings together to form a mesh network.



Running Cisco CML in the cloud

Hello everyone,

I've got a couple of Cisco certificates expiring next year and I think I need some place for labbing. A couple of years ago I was using GNS for small labbing, but I guess it's considered obsolete now. I haven't used VIRL, but have seen some videos on it. Since CML is the new VIRL, I guess it's my option. And I've got a small limitation here: I don't have any separate room or basement for buying a server and setting up my homelab (and tbh I'm more looking for a plug-and-play solution here!). So I'd like to ask: is there any CML-ready cloud service? I was thinking about a DigitalOcean droplet (the price is per hour, which is very cool since I don't need it running 24/7, only a couple of hours per day), but I'm not sure if it will work out: deploy a CentOS droplet, install VMware Player on top of it and spin up the CML VM inside. I guess this would require nested virtualization and I'm not sure DigitalOcean is OK with that.

And as a side question: does CML licensing require Internet access, or does it have an offline option? I'm thinking of deploying CML on one of our test servers, but it's a restricted sandbox without any access to the global network.

Thanks.



Opensource NAC to alternate port security

Hi, does anyone have any advice on this kind of open source software, which sends an alert when it detects a new MAC or similar, like port security does? We want to secure the MAC on each access switch port, but when users change their seats we have to change the MAC address (sticky on port) manually, which costs us a lot of time and repeats over and over again.



PaloAlto 9.0 XAUTH Critical Bug / Limits

So after a 17-hour day of dealing with this, I thought perhaps this group might find some value in it. I would have saved it for Rant Wednesday, but I'll still be drinking by then.

Background: we had to transition very quickly to work from home, like everyone. Which meant lots of VPNs (like everyone). However, maybe unlike a lot of people, we have gear that cannot run GlobalProtect, so instead we were using the XAUTH feature of the GP Gateways to run these.

Problem #1 - Turns out there is a 2k limit on XAUTH. We have a 7k series whose spec sheet says it can handle 60k VPN clients. Nope, 2k. And it lumps XAUTH in with the other VPNs in the KB article... Nope, 2k.

Problem #2 - PaloAlto has decided, for reasons I won't fathom, not to disclose a critical bug related to XAUTH and all PAN-OS 9.0 releases. PAN-150646. The way the tech described it:

3rd party vpn clients can't connect with error exceed max-user most likely because inactivity TTL causing stale ike-sa and device capacity is reached. It's caused by the IKE-SA's not being torn down when the timeout occurs. Eventually the box reaches maximum

Of course, since it wasn't listed among the known issues, maybe you did an upgrade to 9.0.x a week ago, and because it takes time to build up to that maximum the upgrade went fine. The next couple of days were fine... then a week after the upgrade your phone is blowing up with ticket escalations about critical gear not being able to connect to the VPN with zero helpful error logs, and your best solution is to downgrade back to 8.1.x and pull out the whiskey.

Good luck all...



Thursday, October 15, 2020

Top Chat Apps for 2020

Overall diversification has given a heap of #technology-based #chatting structures to #connect distinctive people from every corner of the #globe. Though there are many mediums, opting for the best is too hard a pile, but technology is doing its duty in summing us up with the top #applications for interconnection with friends, family and close ones.

To know more about the top apps that are worldwide famous for rendering top-notch features to chat via video or voice while keeping the safest and most convenient surroundings, click here:

https://theblogvault.com/top-chat-apps-for-2020/#utm_source=Tanisha&utm_medium=Reddit&utm_campaign=16-10

#instagram #whatsapp #innovation



Automated network mapping tool

Looks like there is a new automated network mapping tool out there, http://www.easypresales.com - has anyone tried this out?



Network device inventory and reporting tool

Is anyone familiar with http://www.easypresales.com Network device inventory and reporting tool? It looks nice and is quite a bit cheaper than most of the other tools out there. The Automated Network diagram / drawing functionality is worth taking the risk.



Automated Cisco network diagrams

We are looking to try EasyPreSales ( http://www.easypresales.com ): automated Cisco network diagrams, network reporting, and Cisco pre-sales tools. Has anyone used it? It looks pretty cool and is quite a bit cheaper than other tools.



Automated Cisco network drawing

Has anyone tried EasyPreSales ( http://www.easypresales.com )? Automated Cisco network drawing, network reporting, and Cisco pre-sales tools. We are looking to try it out, just curious if anyone has tried it.



Irritating EIGRP

Just set up 2 new ASA firewalls at different branch sites. I figured I'd do something a little different than my predecessors, so instead of allocating an entire /24 for a few downstream PCs, I only gave them each a /29. Both are put in their respective EIGRP configs as a network, but for some odd reason, these new firewalls are not distributing their respective EIGRP /29 network to the rest of my environment. Anybody ever seen this one, or have a quick solution for it? TIA!



How does one get a backbone traffic?

If I wanted to create an ISP company from the ground up in the Balkans (Greece), ignoring local network infrastructure etc. for the purpose of this post:

How would I start to create a data center with a backbone outbound traffic connection (e.g. of the size of 1TB/s)?

I suppose there isn't something like "an internet outlet" where I subscribe to a company and plug my data center into it... :P

So what would be actually the steps for a data center to connect to a fat bandwidth pipe to the outside world?

Like where would the physical location be that I would then have to dig for fiber optics towards it and which are the companies involved for such a thing?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Non-Pro asking for networking advice.

Non-IT Pro building a network advice

Hello r/networking! I am currently designing a network for my department at work and could use a little advice/help.

The current network is as follows: a Ubiquiti EdgeRouter-X serves as the primary, and only, router for the network. It provides a route to our company's main network infrastructure, and through that the outside world. It connects to that network with one port and to our network with the other; additionally, it is providing DHCP for the entire network. This connects to an unmanaged switch that then distributes the connection to several other switches.

This network is primarily for internal usage, so connecting to the internet is not a primary use by any means, but needs to be fast when we do need it, as it gets used for live video streaming and uploading.

I would like to get this network to something that is more planned out than just a bunch of random hodgepodge of switches and whatnot that people tacked onto another project at one time or another.

Right now the switches are a mixture of 1G and 100M switches that I would very much like to upgrade as I think they are causing problems with not enough bandwidth at times. We are using several computers with NDI streams in and out, and I think this makes the network unusable for anything else when it is happening.

Any more info please ask, but I’ll try to be as detailed as possible in comments too!



WAN QoS - Prioritising VOIP

Customer has a 20mbps leased line, they keep maxing it out but don't want to upgrade.

VOIP is suffering.

I've created a QoS policy to apply on the outside interface to try give VOIP priority and restrict everything else.

5mbps for VOIP with priority

15 mbps for everything else

(Note: priority is in kilobits and police rate is in bits)

class-map match-any VOIP
 match protocol rtp audio
!
policy-map VOIP
 class VOIP
  priority 5120
 class class-default
  police rate 15728500 conform-action set-dscp-transmit af12

Do you think this would be the best way to go about prioritising VOIP or is there a better way?



Tricky network troubleshooting

I need to come up with a test for a Sr. Network Engineer to test how well they troubleshoot issues. I was going to build a six-router topology. I want to put errors into the configs that this person would need to figure out.

I'm thinking 10 questions. 1 would be easy (like a shutdown interface) and 10 would be diabolical. Any ideas on some diabolical issues to troubleshoot on a Cisco router? I'm looking for something that would stump your average Sr. engineer.

Technologies we use are BGP, MBGP, OSPF, Multicast, MSDP, QOS, Route-Maps.



Is there any reason why using static routes would be preferred over dynamic routing?

I know it’s said that doing static routes is good for small businesses but I feel like adding in every single route would be a waste of time while setting up the network. Aside from removing any overhead on the network, Is there a reasoning as to why we wouldn’t just use dynamic routing?



Induced Voltage Protection - Cat5e

Does shielded Cat5e protect from induced voltage, and what is the best way to ground the cables back at the switch: through a shielded connector to the switch, or is it better to have external grounds at the switch?

Also any input on which is better, Foil shield (F), Braided shield (S), or (SF) Dual Shielded.

The reason I'm asking is because I have an unshielded Cat5e network that I installed myself. The setup has been great for years, but we had a lightning strike very close by. No signs of a strike to the building or anywhere on our property, but I guess because of the long runs in the attic space it induced voltage onto the network, because I had a bunch of failed ports directly afterwards: I lost my ISP's fiber modem, along with my switch, IP camera NVR, media NAS, IP phone system and a few desktops.

I was able to install new NICs in the desktops and NAS. But the NVR has dead ports, and a few dead cameras as well. And the IP phone, switch, and my ISP's modem were trashed. I have replaced all the dead hardware and verified everything functions, but have been skittish to leave everything plugged in because of possibly losing it all again.

Shielded cable seems like the obvious solution, but I can't find much online about induced voltage concerns, only direct lightning strikes. The only other solutions I have seen are surge protectors/suppressors & gas discharge tubes, but they can add up in a hurry when you start pricing them out for all the runs.

Any other options out there I may have missed or any general input would be much appreciated.



Which Security Cameras?

Need to order security cameras to install in a couple hundred network closets for a compliance thing...

What is a good security camera which will support PoE (or a power brick), have off-site storage, motion detection such that it records only when there is activity, and some form of easy-to-use monitoring software?

Ideally we want something that is easy to bulk manage and can be installed by a non-technical person in 10 to 15 minutes. Preferably an easy ceiling mount kit for drop-ceiling tiles would be included.

Thanks



Cisco ASA 5516-X won't communicate on inside interface at all. No packets. Bug/bad interface?

Hello All,

I'm configuring a brand new ASA and the Firewall refuses to communicate on my inside interface.

No matter the traffic type, it's denied by the implicit deny every time. I was hoping to get some feedback/advice on how to resolve this.

Below is the setup/config

Router | 10.0.4.253 vlan 300| -------- ASA | 10.0.4.254 vlan 300|

ASA interface config and ACL:

interface GigabitEthernet1/2
 no nameif
 security-level 100
 no ip address
interface GigabitEthernet1/2.2
 vlan 300
 nameif inside
 security-level 100
 ip address 10.0.4.254 255.255.255.252
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside

# packet-tracer input inside icmp 10.0.4.254 8 0 10.0.4.253 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.4.253 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config: Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f1a5004b610, priority=501, domain=permit, deny=true
hits=5, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.0.4.254, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I'm not sure why this is immediately dropping? I have a tcpdump listener in between, and the interface sends 0 packets, no ARP, nothing.

When my router tries the ping I see the ARP request on the listener with no replies:

10:16:17.018288 ARP, Request who-has 10.0.4.254 tell 10.0.4.253, length 46 


Can someone recommend a good wifi mesh/extender system?

I just need something simple to set up, secure (requiring no downloading of apps) and affordable. I really just need to extend my Wi-Fi to a room at the edge of the house. Thanks



Networking documentation help

Quick back story. First network engineering position, previous engineer left before I got the position, so I'm flying solo here. Only documentation I have from the previous engineer is a high level topology of the network infrastructure.

I want to create better documentation, but would like some advice on where to start, what type of documentation is necessary, and possibly some templates to help speed up the process.

Thanks!



Verizon FIOS Router -- how to access system shell in 2020?

Years ago I used to be able to SSH into my router, then use the system shell to create an ARP record.

I'm still able to SSH in, but the commands seem all different, and there is no arp or system shell command.

Anyone know how to access this in 2020?

This is for Verizon FIOS router model Fios-G1100



Private Vlans Secondary to Primary

I can’t seem to find this answer anywhere. I want to have the hosts in the secondary vlan in a community vlan so they can’t talk directly to other things in the same subnet at layer 2. I do want them to be able to talk to stuff in that subnet by hitting the router. A L2 firewall sits between the router and the switch. Hopefully that makes sense what I’m saying.



BGP out of path route reflectors

Question for those of you who run out of path route reflectors, perhaps on server hardware, like this guy:

https://archive.nanog.org/sites/default/files/2_Tinka_21st_Century_iBGP_Route_Reflection.pdf

How do you ensure the route reflectors stay out of the data path?

My own thought, given that the inter-AS traffic is actually governed by the IGP, is to make the route reflectors as undesirable as possible in the IGP. So for OSPF I'd put the RRs in their own area; since the only transit area is area 0, no "transit" traffic will ever pass through a non-backbone area. Another option I can think of is to redistribute the RR loopbacks, since that's less preferred by any routing protocol.



What is the best free 'reverse whois' tool? Are there any that don't have a restriction?

I'm basically hoping to get reverse whois information on two companies, but they both have more than 1,000 domains, so I can't find a tool that'll show all of the domains (the best being reversewhois.io, that shows 1,000). It's for a fraud thing, but I don't have budget to pay for more. Do any free reverse whois tools show all domains?

Thanks!



Password recovery on Alteon 2424 help

For an IT guy I don't do these social network things very well, so I'm using someone else's account. Very interested to know how to do a password recovery on an Alteon 2424 running version 19 or thereabouts. Yes, Nortel collapsed years ago and this thing should be in a museum. Google says it's impossible but I'm desperate enough to try a brute force. Any help or banter would be appreciated.



Replacement of Stacked 3750 External Switches

Our edge equipment has a pair of 3750s stacked sitting inline between our edge router ASR1002 and our aging pair of ASA5585s. The existing 4 ten-gig SFP ports (2 per 3750) are currently in use by the port channels which connect the Nexus pair to the HA ASAs.

We have a need for additional 10Gig SFP ports. I was looking at 2x C9300-24UX + 8x 10Gb network module, or would it be recommended to use 2x vPC'd Nexus 9k switches instead?

The end goal is to upgrade our edge equipment to fully support 10Gb DIA, hence the need for additional 10Gb ports. This is just one piece of the puzzle as we look to replace all of our edge hardware.



Check Point 730

https://www.checkfirewalls.com/730.asp

Does it allow site-to-site VPN so we could connect two of our sites together?

It will be used by roughly 120 users in two sites.

We are looking at buying 1 for the main office and another one for our branch office.

Could it connect to an Azure VPN gateway?

Is this a subscription-based service? Do we pay per license, or can we have anyone behind the device use it?

Also, does Check Point provide support if we are stuck on configuring it?



Firewall Capacity Planning

Hi All,

We are undertaking an O365 migration, which has shown that, amongst other things, as we start using more, our edge firewalls are much closer to capacity than the team realised. Not having done much capacity planning when it comes to new firewalls before, has anyone got any tips or anything to share that might help make the exercise feel a little less like a dark art?

Current ASA5545 (non-NGFW) - avg CPU 65% with peaks of 85% ish and throughput peaks of around 1.2-1.4 Gbps, with around 1000 users using Teams at the moment.

Planning on utilising O365 Exchange, Doubling Teams usage, Streams/ Live Events to begin with for around 3000 Users.



Securely Allow RDP to DMZ Servers

We have some web servers in a DMZ behind PA firewalls. Websites installed on them are publicly accessible from the Internet via HTTPS.

Developers need to remotely access the servers from the internal network for configuration and support.

I can just open port 3389 on the firewall from internal to DMZ. But as a security guy, I am just scratching my head over whether this solution is really secure and there is no harm in doing this. I'm really hoping there is a better alternative.



Wednesday, October 14, 2020

Platform selection for heavy-multicast oriented network

Hey

Looking for any input/advice on which platform to try for our next PoP without breaking the bank (our main hardware supplier - ebay :)

Network is mostly built/designed to do a lot of multicast routing/replication to a bunch of downstream takers, typical config - port in routed mode, with class-map and ACL (100-300 lines).

Overall, close to 6k groups/ ~ 50Gbps on a backbone and steadily growing.

Over the last 5 years, 6500/Sup2T and 4900M in smaller PoPs have proven to work very well, but the power requirements are killing my rack electrical budget...

10G downstream interfaces, upstream 10/40/100G.



Wireless network slows during heavy traffic, need help isolating the problem. :)

Hey everybody,

We are having some problems at work. At their busy times, the wireless slows to a crawl. So I got what information about the setup I could, and I was wondering if you guys could give me any advice on isolating and correcting the problem.

Here is the setup:

There are about 20 wired computers, around the same number of VoIP phones and I'd say no more than 20 cell phones using data through Wi-Fi on this network. There may be some kind of video conferencing system, but they are not using it.

Data modem: Arris Surfboard DOCSIS 3 modem.

Multimedia Terminal Adapter: Arris TM804

Firewall: Fortigate fg-60e

Voip System: Allworx Connect 530

Switch 1: Netgear 5 port, not sure if gigabit (gs105) or 10/100 (fs105)

Switch 2:Tp Link t1500-28pct

Switch 3: Netgear gs748t v4h2

Switch 4: Netgear gs510tpp v1

So the setup is like this. Switch 2 handles VoIP; switches 3 and 4 are for data. A cable from the Surfboard goes into switch 1, then 2 cables come out: 1 goes to a WAN port on the FortiGate FG-60E and one goes to a network port on the Allworx Connect 530. This is not set up correctly, right? Then on the Arris TM804 there are two cables with a twisted pair going to 2 ports on the TP-Link switch (I believe they could be going somewhere else; I could not really tell).

Everything appeared to be setup correctly from the firewall, 1 cable going to switch 3 and one cable going to switch 4.

Then from the allworx there appeared to be a cable going to the tplink switch.

Here are my questions:

1) Should there be that 5-port switch? Shouldn't the line be going to the firewall and then from there a cable from the LAN port to the VoIP system? I would have to worry about NAT being done twice, correct?

2) If the Allworx handles the VoIP, then why is there a second set of cables going to the TP-Link from the TM804? Does it add more channels? What is its purpose? I am under the impression the Surfboard handles data for VoIP.

3) I think that 5-port switch is 10/100, which obviously is not enough, but if it's gigabit would it suffice, if it should even be there in the first place?

4) I would like to know anything you can spot we did incorrectly or that could be improved.

Thanks for any help guys. I know i may not be explaining things correctly so tell me what you need to know and i will provide the information.

-Brandon



What Is A Low-Cost High Range Communication Infrastructure

As mentioned in the title, I'm looking for types of digital communication infrastructure that can operate in *extremely* low infrastructure regions, ideally low maintenance and use cost (even at the expense of bandwidth). The concept is a backup network to communicate between rural towns in a region similar to Siberia that have little to no connecting infrastructure.

The infrastructure would have to:

  1. Have no physical connection between nodes
  2. Be able to operate in swampland, relatively flat and low but heavily forested terrain
  3. Exist in public frequencies
  4. Have a range grossing 100km

Possibilities I know of so far:

- Satellite internet:

Low setup price, low bps, subject to niche ISPs, knocked out by clouds, which are common in the region (Starlink looks preferable but is not yet available and is also facing political issues in the country)

- HF Radio:

Legally complicated, requires antennas and a non-negligible amount of power, low bps



shortest possible standard ACL list to permit .245 - .254

A tricky question that I haven't been able to figure out (yet):

  1. There's a VLAN 30 with a /25 subnet mask, with IPs ranging in 192.168.30.X
  2. I'm supposed to create a standard access list with the least number of entries possible; this access list will be applied to line vty 0 4 inbound to allow only SSH from the IP sources listed
  3. Access control limited to only IP addresses ranging from 192.168.30.245 to .254
  4. Instead of typing all the IP addresses individually, what would be the shortest ACL possible with the least entries?

I have tried the following combination; it didn't work:

access-list 1 permit 192.168.30.240 0.0.0.16
access-list 1 deny 192.168.30.240 0.0.0.3

and I tried reversing the order:

access-list 1 deny 192.168.30.240 0.0.0.3
access-list 1 permit 192.168.30.240 0.0.0.16

That doesn't work either.

The moment I enable the commands
SW(config)#line vty 0 4
SW(config-line)#access-class 1 in

I can't SSH in from 192.168.30.252 or 192.168.30.253 anymore (I can SSH in if I don't apply the access-list to line vty 0 4).

Could someone please help me figure out what I did wrong?
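Worked example, added here and not part of the post above: a small evaluator that applies standard-ACL wildcard matching the way IOS does (a wildcard bit of 0 means "must match", 1 means "don't care", first match wins, implicit deny at the end), plus a function that splits an address range into the fewest aligned blocks a single permit entry can express. The `POSTED_ACL` entries are the two lines quoted in the post; `DENY_FIRST_ACL` is a constructed alternative for comparison. Running the evaluator over 192.168.30.128-255 shows what each ACL actually permits, which is the check to do before applying an `access-class` to the vty lines.

```python
"""Standard ACL evaluator and minimal aligned cover for an address range.
Added example, not from the original post. POSTED_ACL holds the entries
quoted in the post; DENY_FIRST_ACL is a constructed alternative."""
from ipaddress import IPv4Address


def _to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def acl_matches(addr: str, base: str, wildcard: str) -> bool:
    """A (base, wildcard) entry matches when every bit that is 0 in the
    wildcard is identical between the source address and the base."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def acl_decision(addr: str, entries: list) -> str:
    """entries: [(action, base, wildcard), ...]; first match wins and a
    standard ACL ends with an implicit deny."""
    for action, base, wildcard in entries:
        if acl_matches(addr, base, wildcard):
            return action
    return "deny"


def permitted_in(entries: list, first: str, last: str) -> list:
    """Enumerate the addresses of an inclusive range that the ACL permits."""
    return [str(IPv4Address(i))
            for i in range(_to_int(first), _to_int(last) + 1)
            if acl_decision(str(IPv4Address(i)), entries) == "permit"]


def aligned_blocks(first: str, last: str) -> list:
    """Split an inclusive range into the fewest blocks a single
    (base, wildcard) entry can express: power-of-two sized and aligned
    on their own size. Returns [(base, wildcard), ...]."""
    lo, hi = _to_int(first), _to_int(last)
    blocks = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned at lo and fits in the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((str(IPv4Address(lo)), str(IPv4Address(size - 1))))
        lo += size
    return blocks


def render_standard_acl(number: int, blocks: list) -> list:
    """Emit permit lines only; the implicit deny covers everything else."""
    lines = []
    for base, wildcard in blocks:
        if wildcard == "0.0.0.0":
            lines.append(f"access-list {number} permit host {base}")
        else:
            lines.append(f"access-list {number} permit {base} {wildcard}")
    return lines


# The two-line ACL quoted in the post, as (action, base, wildcard) tuples.
POSTED_ACL = [
    ("permit", "192.168.30.240", "0.0.0.16"),
    ("deny", "192.168.30.240", "0.0.0.3"),
]

# Constructed alternative: two denies in front of a wider permit. Fewer
# entries, but it also permits .255, the broadcast address of the upper /25.
DENY_FIRST_ACL = [
    ("deny", "192.168.30.240", "0.0.0.3"),
    ("deny", "192.168.30.244", "0.0.0.0"),
    ("permit", "192.168.30.240", "0.0.0.15"),
]

if __name__ == "__main__":
    span = ("192.168.30.128", "192.168.30.255")
    print("posted ACL permits:", permitted_in(POSTED_ACL, *span))
    blocks = aligned_blocks("192.168.30.245", "192.168.30.254")
    for line in render_standard_acl(1, blocks):
        print(line)
    permit_only = [("permit", b, w) for b, w in blocks]
    print("permit-only ACL permits:", permitted_in(permit_only, *span))
    print("deny-first ACL permits:", permitted_in(DENY_FIRST_ACL, *span))
```

The evaluator reports that `permit 192.168.30.240 0.0.0.16` matches only .224 and .240, because a wildcard of 0.0.0.16 frees a single bit (value 16) rather than a range of 16 addresses; the permit-only cover of .245 through .254 needs five aligned blocks, while the deny-first form gets down to three entries at the cost of also permitting .255. The same `aligned_blocks` check applies whenever a static range carved out of a DHCP scope has to be matched by one ACL entry.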



Network Latency

Hi all, small and lowly sysadmin here (admins: delete if not allowed).

The company I work for is having some major issues and frankly I am ready to jump ship; otherwise I think they're going to fire the entire IT Ops team.

Here's the problem: in our file storage, we experience high latency (500ms to 2400ms) unless we reboot our ESX hosts, after which things calm down for a while. We haven't been able to figure out what is causing this yet. However, we have had a few 'odd' events in the past few months or so (they could be related, but it could all be totally random):

  • The company fired our VP of IT
  • Had a major wind storm that knocked power out for a few days, but our building was experiencing brownouts. Our backup generators failed, so all of the IT racks were plugged into main power, which was affected by the brownouts
  • We were technically on two domains, and somehow we lost the trust from one federation to the other, and lost the ability to talk to our main file servers
  • After moving everything over to the new domain, latency has been a huge issue.

We thought the latency could be because of a bad core switch, but restarting that did nothing.

Does anyone have any thoughts on which route I should look into? Thanks in advance!



Replacing end to end vlans with routing?

So my network was designed via inter-VLAN routing. We have a Cat6500 core, which goes to IE4010s. The VLANs span multiple switches. This is a bad design, no?

Example of how we have it set:

Vlan20 Int vlan 20 10.1.20.250 (core IP)

Vlan30 Int vlan 30 10.1.30.250 (core IP)

Vlan40 Int vlan 40 10.1.40.250(core)

Vlan50 - Management Int vlan 50 10.50.50.250 (core)

There are a couple more VLANs defined, but you get the hint. How should I improve this so these VLANs aren't traversing all these other switches? We have about 90 total.

Should I go OSPF and replace the vlan subnets into areas?

Looking to improve my design.

Thanks



Cant figure out my mistake with subnetting problems (CIDR notation)

I am given the network ID 172.24.72.0/23

and I'm asked what the subnet address of Subnet A is, given subnet A has 24 hosts.

I know that 24 hosts plus 2 for broadcast & subnet ID is 26, and that it takes 5 bits to support this many hosts.

I also know that 32-5 will result in a 27-bit mask.

This is where I think I'm screwing up...

172.24.72.0 10101100 00011000 01001000 00000000
/27 mask 11111111 11111111 11111111 11100000
AND 10101100 00011000 01001000 11100000
convert to dec 172 24 72 224

All this leads me to believe that 172.24.72.224/27 should be correct, but my answer is being rejected. After so many failed attempts, I'm given the following explanation:

Subnet A has 24 hosts, so it will need at least 26 addresses (for the subnet ID and broadcast address). The least number of bits that satisfy this is 5 bits. Knowing that, we take the prior subnet and add 32, the result of which is 172.24.72.64/27

I think the detail that I don't fully understand is the part that says, "we take the prior subnet and add 32." Can anyone please hint at what I'm misunderstanding? I don't require a full solution. This is not a homework problem; it's from a bank of sample problems I'm using to study.
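Worked example, added here and not part of the post: the subnet arithmetic carried through in code, so each step can be checked. `network_address` does the bitwise AND of address and mask (every bit the mask clears becomes 0), `prefix_for_hosts` derives /27 from a 24-host requirement, and `carve` allocates consecutive subnets from 172.24.72.0/23, each starting at the next boundary aligned to its own size, which is where the "add 32" in the explanation comes from. The prior subnets of the actual question are not on the page, so the allocation order used below is constructed purely to show the stepping.

```python
"""Subnet arithmetic for the /23 problem: network address by bitwise AND,
prefix length from a host count, and carving consecutive subnets out of a
block. Added example, not from the original post."""
from ipaddress import IPv4Address, IPv4Network


def _to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def prefix_mask(prefix: int) -> int:
    """Contiguous mask with `prefix` leading one bits."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def network_address(addr: str, prefix: int) -> str:
    """Network address = address AND mask: every masked-off host bit becomes 0."""
    return str(IPv4Address(_to_int(addr) & prefix_mask(prefix)))


def binary_octets(value: int) -> str:
    """Dotted binary, for checking the AND by eye."""
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def prefix_for_hosts(hosts: int) -> int:
    """Smallest subnet holding `hosts` addresses plus network and broadcast."""
    bits = 0
    while (1 << bits) < hosts + 2:
        bits += 1
    return 32 - bits


def carve(block: str, host_counts: list) -> list:
    """Allocate one subnet per entry of host_counts, each placed at the next
    boundary aligned to its own size after the previous allocation."""
    net = IPv4Network(block)
    cursor = int(net.network_address)
    allocated = []
    for hosts in host_counts:
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        cursor = (cursor + size - 1) // size * size      # align up to the block size
        if cursor + size - 1 > int(net.broadcast_address):
            raise ValueError(f"{block} cannot hold another /{prefix}")
        allocated.append(f"{IPv4Address(cursor)}/{prefix}")
        cursor += size
    return allocated


def usable_range(cidr: str) -> tuple:
    """First and last host address of a subnet."""
    net = IPv4Network(cidr)
    return (str(net.network_address + 1), str(net.broadcast_address - 1))


if __name__ == "__main__":
    addr = _to_int("172.24.72.0")
    print("address ", binary_octets(addr))
    print("/27 mask ", binary_octets(prefix_mask(27)))
    print("AND      ", binary_octets(addr & prefix_mask(27)), "=", network_address("172.24.72.0", 27))
    # constructed allocation order: three 24-host subnets back to back
    print(carve("172.24.72.0/23", [24, 24, 24]))
    print(usable_range("172.24.72.64/27"))
```

With three 24-host subnets allocated back to back the third lands at 172.24.72.64/27, and the first /27 of the block is 172.24.72.0/27, since AND-ing the mask into an all-zero host octet leaves it at zero. `carve` also handles mixed sizes (a 100-host subnet followed by a 24-host one) and raises when the block is exhausted.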



Scheduling the traffic Policer

Hello, is this possible? Can I schedule the traffic policer at a specific time, let's say from 6AM to 6PM, on Junos and IOS-XE?

Also, what should I be looking for in traffic shaping/policing if I want to apply it dynamically if there is not enough bandwidth to my backbone?

I have MX480 and ASR1002-HX routers.

Thanks.



Tuesday, October 13, 2020

Suggestions needed on improving this learning path

Hi all, I am working as a Kubernetes administrator managing some small scale clusters. Deep knowledge of networking is crucial for my work, but I have a basic understanding of the concepts. I decided to learn networking from basics to advanced topics. So I created a learning path based on highly recommended books on different forums including this subreddit. Certification is not my criteria, but I need to learn a ton of concepts like TCP/IP, IP addressing, routing, subnetting, DNS, BGP, VLANs, VXLANs, overlay networks and bridge networks to manage physical infrastructure as well as virtual environments. I like running distributed systems with large scale infrastructure, so networking is one of my favourite areas. My learning path is:

Basics:

Network+ cert guide by Mike Meyers

CCNA OCG 200-301 by ODOM

Intermediate:

TCP/IP Illustrated volume 1

Routing TCP/IP 1 & 2 Volumes by Doyle

Network warrior

Ethernet definitive guide

Advanced:

Troubleshooting BGP by Vinit Jain

Internet Routing Architecture by Halabi

In your opinion, how is my learning path as per my requirements? Do you suggest any additional resources? Thanks in advance.



Colocation help

Looking at getting a cabinet from HE in Fremont.

I'm experienced with Linux and some networking stuff (I guess it would be considered SMB networking) and I understand the concepts of VLANs, subnets, etc.

Unfortunately, I think the network design here will be a little bit too complicated for me. I have a /24 block and an ASN. Do I need a router in the rack to do BGP or something? Will I have to learn Cisco equipment in and out, or is there anything less intimidating for my purposes? (I'm good with EdgeRouter, but those are somewhat outdated nowadays and also not good with BGP from what I hear. (Edit: Mikrotik CRS326-24G-2S+RM?)) The servers in the rack will be a new OpenStack cluster with Nova instances getting dedicated IP addresses. Ideally MAAS in the rack as well, which only makes the network setup more complicated.

I'm thinking I'm probably in too deep for my level of knowledge...



Looking for good networking forums

Hello all, just looking for some new networking forums to check out. What’s your favorite?



Network tester

Can anyone recommend a network probe / tester for category-5/5e/6 cables which can tell me if (and what) issues exist in the line, if it sees connectivity (i.e. a live switch port on the other end), which VLAN it is in, and any other potentially useful data (like if DHCP is visible)?

I'd like to include a tool like that in my next budget, but I only know about brands like Fluke which can charge thousands of dollars for a tool like this. I was hoping there was at least something that could tell me if there is connectivity and the VLAN without having to spend more than $500 or so. My best bet so far is something like a highly customized SharkJack, but that really isn't ideal.



Can you get internet without an ISP

How would you set up internet without an ISP? For the last 12 days I haven't had internet access because Optimum in my area is down and FiOS can't come till the 18th. Please help.

After reading what I wrote I realized this is a stupid question but I still want to know if this is possible



Question about custom DNS servers

My job requires me to point every computer to a specific OFFICE DNS server 192.168.1.211 (for example) as primary and 8.8.8.8 (Google's) as secondary. Can someone explain to me the reason as to why we would be doing that? Wouldn't just having Google's as secondary be enough? Is it possible to monitor the traffic and websites that are being visited in the office by the employees?

Thanks in advance, not exactly sure where to post this but just curious.



Comcast coax cable, outlet too short

There’s an outlet on the opposite side of my home that works fine. I want to move the modem and router to a different room which has a cable outlet, however, the part that you actually screw it onto is shorter and seems to not allow a complete connection.

I guess my question is, are there different types of cable outlets? Probably a dumb question. Thanks.



Switch throughput question?

Hi, when a switch description says " Switching capacity: 20 Gbps; Forwarding performance (64-byte packet size): 14.88 Mpps " regarding performance/throughput on this link:

https://www.cisco.com/c/en/us/support/switches/sg300-10mp-10-port-gigabit-max-poe-managed-switch/model.html#~tab-specs

What exactly does it mean? Does it mean the switch can take a maximum of 20Gb at one time passing through the switch? I'm not quite sure what 14.88 Mpps means, though, for a 64-byte packet size.

I know this may seem obvious and silly to some, but it had me at a bit of a loss earlier?
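Added example, not from the post or the linked Cisco page: the data-sheet numbers reduced to arithmetic so they can be checked against any switch. The assumption is standard Ethernet framing overhead on the wire (8-byte preamble/SFD and a 12-byte minimum inter-frame gap in addition to the 64-byte frame), which is what makes 64-byte frames the worst case for a forwarding engine; "switching capacity" counts both directions of every full-duplex port.

```python
"""Data-sheet packet math: what "14.88 Mpps at 64 bytes" and "20 Gbps
switching capacity" correspond to. Added example, not from the post or
the Cisco page. Assumes standard Ethernet framing overhead: 8-byte
preamble/SFD plus a 12-byte minimum inter-frame gap per frame."""
PREAMBLE_SFD_BYTES = 8
IFG_BYTES = 12


def line_rate_pps(link_bps: float, frame_bytes: int) -> float:
    """Maximum frames per second in one direction on one link."""
    wire_bits = (frame_bytes + PREAMBLE_SFD_BYTES + IFG_BYTES) * 8
    return link_bps / wire_bits


def wire_speed_pps(port_count: int, port_bps: float, frame_bytes: int = 64) -> float:
    """Forwarding rate needed for every port to receive frames at line rate."""
    return port_count * line_rate_pps(port_bps, frame_bytes)


def switching_capacity_bps(port_count: int, port_bps: float) -> float:
    """Vendors count both directions of each full-duplex port."""
    return 2 * port_count * port_bps


def is_non_blocking(quoted_mpps: float, quoted_gbps: float, port_count: int,
                    port_gbps: float = 1.0, tolerance: float = 0.001) -> bool:
    """True if the quoted figures reach line rate on all ports at once;
    tolerance absorbs rounding in the data sheet (14.88 vs 14.880952)."""
    need_pps = wire_speed_pps(port_count, port_gbps * 1e9)
    need_bps = switching_capacity_bps(port_count, port_gbps * 1e9)
    return (quoted_mpps * 1e6 >= need_pps * (1 - tolerance)
            and quoted_gbps * 1e9 >= need_bps * (1 - tolerance))


if __name__ == "__main__":
    for size in (64, 512, 1518):
        print(f"{size:5d}-byte frames: {line_rate_pps(1e9, size):,.0f} pps per 1GbE port")
    print(f"10 x 1GbE, 64-byte frames: {wire_speed_pps(10, 1e9) / 1e6:.2f} Mpps, "
          f"capacity {switching_capacity_bps(10, 1e9) / 1e9:.0f} Gbps")
    print("non-blocking:", is_non_blocking(14.88, 20, 10))
```

One 1GbE port carries at most about 1.49 million 64-byte frames per second, so ten ports need 14.88 Mpps and 2 x 10 x 1 Gbps = 20 Gbps; a quoted rate below those figures means the switch cannot keep up when every port is busy with small packets.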



Was out of loop for a bit, did Ansible 2.10 not include any new cool network changes?

Getting back into Ansible after 6 months or so. I see 2.10 is out, but it doesn't appear to include any big network changes like 2.9 did? Can't even find a list of new network modules included.



SD-WAN Edge Router in design?

We are in the process of deploying Viptela SD-WAN to fully replace Site to Site VPNs and MPLS.

We have multiple locations each with PA firewalls and local internet breakout with two internet connections ( DIA & ADSL).

Question:

Where do we place the SD-WAN router in the design? Security policy says that the traffic should be inspected by the PA firewalls.

I could place the routers in a DMZ behind the firewalls and do one-to-one NAT, but the concern here is the broadband connection, which has a public dynamic IP. Another problem: exposing the router directly may get it hammered with Russian and Chinese botnets and port scanning.

Any other better options ?



No DSCP rewrite? - FS S5900

Anyone know how to set an FS switch to no DSCP rewrite? Cisco has the command "no mls qos rewrite ip dscp". Looking for something similar on an FS switch.



Personal cloud

Just like the title says, my wife and I are interested in having a home cloud system. We do a lot of content creation and operate from a bunch of devices. We are not networking geniuses by any means, so anything that is closer to plug and play would be great. Can anyone recommend a solution for backing up content from computers, phones, tablets, cameras, etc.? A solution that has a great phone app with easy controls would be ideal too.



Huawei AR617VW-LTE4 DSVPN and DMVPN Compatibility/Dual SIM&Dual Active Radio Confusion

Hi guys,

My service provider is offering the Huawei AR617VW-LTE4 to provide connectivity to small branches. Currently we are using Cisco's 800 series routers with 3G/4G and have a small DMVPN topology. The SP insists that AR routers can do DMVPN, but when I check there is only something called DSVPN, which is similar to DMVPN, yet I haven't found any compatibility information. Even if it works at first, I am afraid it might cause some bigger problems. Do you happen to have any public information about this one, either from the Huawei or Cisco side?

Secondly, the SP again insists that the AR617VW-LTE4 is dual SIM and dual active radio. When I check the datasheet there is nothing clearly stating whether I can use both SIMs active at the same time. One of the notes states "The double-card single-standby is supported, and SIM1 is the default master card", which tells me it is an active/standby type of situation. Am I right?

Thanks in advance for your comments



Remote Maintenance Solution That Is Truly Scalable

Hi guys,

IT professionals working for a company whose employees have to provide remote support to customers (be it for servers, network equipment or industrial facilities) are probably familiar with the following problem:

Giving customers the choice to provide their preferred remote access technology can quickly lead to the deployment of numerous tools and VPN clients. Even if you "dictate" the type of connection to the customer, such as site-to-site VPN, the system will not scale properly. The parameters must be exchanged with the customer, the tunnel must be set up, etc.

So I wonder if anyone knows enterprise solutions that scale better than classic VPN solutions, or perhaps can tell how companies with thousands of new customers every year handle their remote support?

I am familiar with "download Tool X from our website" and share your desktop. But I think there should also be scalable solutions for access to industrial facilities, which also includes topics like monitoring and reporting?



Monday, October 12, 2020

HP OfficeConnect switch not passing DHCP?

Hey all,

I have an 18xx OfficeConnect (L2 only) switch running my environment. I filled the 8 ports and picked up some APs needing PoE, so I added an 8 port 1920 (L2/L3).

The 1820 works great on its own with a Sophos XG VM as my router (ESX). When I make port 8 on both switches tagged (trunk in Cisco speak) with the VLANs I want, I can set a static IP / DNS on a client on the APs and get out to the internet, but I'm not even seeing the DHCP request on the Sophos.

When I enable a DHCP relay OR forward net broadcasting then enable L3 routing and admin on any port/vlan I lose access to the switch admin page and have to reset.

Further, I am unable to set the admin page to DHCP - it doesn’t receive any addressing. Not sure which port/vlan it attempts to request over.

Any ideas ?

Tl;dr - I can ping gateway/dhcp server but don’t receive DHCP requests on dhcp with new 1920 switch.



Cisco Voice change mass number

We are bringing in a new ip phone system and the vendor configured a new vlan for it. Now we have to change the voice vlan for all of our switches at every site. It’s well over a thousand phones.

I don’t want to do int ranges since we have a mixed set of ports configured for various devices.

I am trying to work on a Python script that takes the ports that show up in the output of show cdp neighbors | include IP phones.

I know I will hand try to parse the ports even if it’s just to get a text file of

int g1/0/6 switchport voice vlan x

For every switch going.

Looking at either nornir or netmiko for this.

Any tips will be appreciated. I have Netmiko scripts that work, but they only apply the same command or a multiple command sequence. I have worked on a script that runs a show command, parses certain parts and injects them into a new function.
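Added example, not the poster's script and not from any project: the parse-then-generate part of the job over a constructed `show cdp neighbors` table. One caveat it handles is that IOS wraps a Device ID that is wider than its column onto its own line, with the remaining columns on the next line, so filtering with `| include` drops the phone's name; parsing the whole table and keying on the `P` (Phone) capability code avoids that and does not depend on the Platform string. `migrate_voice_vlan` shows the Netmiko round trip and assumes netmiko is installed; it is not run here. The VLAN number 200 is a placeholder.

```python
"""Find switch ports with an IP phone attached from `show cdp neighbors` and
generate per-interface voice VLAN config. Added example, not the original
poster's script; the sample output is constructed, not from a real switch."""
import re

# Constructed sample. The second phone and the core switch show the wrapped
# layout IOS uses when a Device ID is wider than its column.
SAMPLE_CDP = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SEP0011AAAA0001  Gig 1/0/6         142             H P M  IP Phone  Port 1
SEP0011AAAA0002
                 Gig 1/0/7         155             H P M  IP Phone  Port 1
core-sw-01.example.net
                 Gig 1/0/24        171             R S I  WS-C3850  Gig 1/0/1
ap-floor1-01     Gig 1/0/9         130              T I   AIR-AP18  Gig 0
"""

ABBREV = {"Gig": "GigabitEthernet", "Fas": "FastEthernet", "Ten": "TenGigabitEthernet"}
IFACE_RE = re.compile(r"\b(Gig|Fas|Ten)\s+(\d+(?:/\d+)*)")


def parse_cdp_neighbors(text: str) -> list:
    """Return [(device_id, local_interface, capability_codes), ...]."""
    neighbors = []
    pending_device = None
    for line in text.splitlines():
        m = IFACE_RE.search(line)        # first interface on the line is the local one
        if not m:
            if line and not line[0].isspace() and not line.startswith(("Device ID", "Capability", "Total")):
                pending_device = line.strip()   # wrapped Device ID on its own line
            continue
        device = line[:m.start()].strip() or pending_device
        pending_device = None
        iface = ABBREV[m.group(1)] + m.group(2)
        rest = line[m.end():].split()    # holdtime, capability codes, platform, port id
        codes = []
        for tok in rest[1:]:
            if len(tok) == 1 and tok.isalpha():
                codes.append(tok)
            else:
                break                    # first multi-character token is the platform
        neighbors.append((device, iface, "".join(codes)))
    return neighbors


def phone_ports(text: str) -> list:
    """Interfaces whose neighbor advertises the Phone capability code."""
    return [iface for _, iface, codes in parse_cdp_neighbors(text) if "P" in codes]


def voice_vlan_config(interfaces: list, vlan: int) -> list:
    """One interface stanza per phone port; nothing else on the port changes."""
    cmds = []
    for iface in interfaces:
        cmds += [f"interface {iface}", f" switchport voice vlan {vlan}"]
    return cmds


def migrate_voice_vlan(host: str, username: str, password: str, vlan: int, dry_run: bool = True):
    """Pull the CDP table over SSH and push the generated config with Netmiko.
    Assumes netmiko is installed; not executed in this example."""
    from netmiko import ConnectHandler
    conn = ConnectHandler(device_type="cisco_ios", host=host, username=username, password=password)
    try:
        cmds = voice_vlan_config(phone_ports(conn.send_command("show cdp neighbors")), vlan)
        if dry_run:
            return cmds              # review the stanzas before committing anything
        return conn.send_config_set(cmds)
    finally:
        conn.disconnect()


if __name__ == "__main__":
    for line in voice_vlan_config(phone_ports(SAMPLE_CDP), 200):   # 200 is a placeholder VLAN id
        print(line)
```

Keeping `dry_run` on by default means the first pass over a thousand phones produces a reviewable list of stanzas per switch rather than live changes, and because each stanza touches only `switchport voice vlan`, the mixed access configuration on the rest of the port is left alone.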



Cisco anyconnect vpn disconnect and reconnect issue

ASA is a Cisco 5525. AnyConnect 4.9. A few different users per week have disconnect/reconnect notifications that happen constantly throughout the day. Cisco says AnyConnect is working properly since they do not have to retype their passwords, but I feel that's wrong. I have tried to adjust my size thinking it's a DTLS issue. Not sure what to do next. Right now:

vpn-tunnel-protocol ssl-client ssl-clientless
webvpn
 anyconnect mtu 1300
 anyconnect ssl keepalive 90
 anyconnect dpd-interval client 90
 anyconnect dpd-interval gateway 90
 anyconnect ssl df-bit-ignore enable



Do Fortigate HA configurations require identical hardware?

We have a Fortigate 200D and 200E. We would like to create some kind of HA configuration.

The 200D is currently a standalone unit. We would like to add the 200E as an active/standby paired unit or as a manual-cold-swap replacement unit to swap in if the 200D has issues.

Are we able to do active/standby with a 200D and 200E? Or do we need 2 identical FG's?



Fair interview questions for a Level 2/3 Engineer position from a non-network guy.

So I've been asked to help interview for a networking position. (I'm not looking for people to do my homework, just fair categories.)

What are some fair questions for folks that say they have a CCNP for networking.

Keep in mind we're expecting this person to run independently. So seeking these sorts of things.

  • "We need a new IPsec tunnel to X from Y"
  • We're adding new sites. Need you to configure the SDwan and wi-fi.
  • Looking to peer the DC's to the other one over BGP.
  • We want to reconfigure our network schema and take in input on a more agile design between our various segments etc.
  • Update the cert on the client VPN.

Thing is, as a sec guy I've never been a straight network engineer. I get my part as the main FW guy, and other sorts of offhand things around networking. But if you asked me to configure BGP or OSPF, IPsec tunnels, etc., I'd have to do a lot of research.

I know the security questions to ask networking-wise that are on my level, or certain packet capture questions that help troubleshoot traffic issues (such as TCP SYN failures or cert handshake issues).

I'm just trying to be fair. I got told the last questions I asked were a bit too unfair for non-sec folks. (Keep in mind I'm going to ask security questions because at this level everyone should have some ideas/know-how.)

Thanks for the help.



Changing a FW Gateway IP Impact

While working on a new project I found that a VLAN on a firewall had the same IP as an F5 load balancer. This network doesn't have much on it, about 5-6 devices, but we are trying to avoid any outage or massive impact. While thinking through this, the only thing I can see as an issue is that when the gateway IP is changed on the FW the hosts will just need to update their gateway IP. Those devices going down for a few minutes while we switch that over is fine. Otherwise there should not be any other issue, but this is kind of an odd corner case I have not seen before, so I wanted to see if the wisdom of the internet has any other things to bring up.



Moving client owned static IPs

One of my clients owns their own block of static IPs. Currently a couple are configured at their datacenter and a couple are configured at their office location. Just curious if anyone was familiar with the process of moving IPs like this. In the past I've only ever worked with whatever static IPs are assigned by the ISP and then changed DNS records to match.

My Google-Fu just keeps giving me results related to static vs dhcp, and people asking if they can keep a static IP when changing ISPs.



Block whatsapp

Hi all, we have a guest wifi network and would like to block whatsapp on the network.

If I enforce a layer 7 rule, it does block WhatsApp when using the web browser, but it does not block the app from working. Creating content category rules again does not block the app from working.

I have also tried blocking Facebook and this does not do anything. I have done a packet capture and all IPs point to Facebook.

If I create "Block URL Lists", again it works when using a web browser, but it does not block the actual usage of the app.

As a last effort I can block all Facebook IP ranges, but that is just going to flood my firewall rules, because there are a LOT of Facebook IP ranges.

We are using Meraki wireless and Meraki MX , also integrated with Umbrella.

Any suggestions welcomed.

Thank you



any IOSv images with g0/0-24 ports?

Are there any IOSv images for switches that have g0/0 - g0/24 ports?

The reason I'm asking is that my company's EVE-ng seems to run older IOL images where the switch ports are e0/0-3, e1/0-3, e2/0-3, etc.

I just started practicing lab workbooks where the switch interfaces range from g0/0 to g0/24, which mirrors the Cisco switches I tend to use at work (3850 and 2960 series, etc.).

So it's kind of tedious to have to change them to e0/0-3, e1/0-3, e2/0-3, etc. when I practice the topologies on my company's EVE-ng.

If there are IOSv images that more closely resemble the actual physical switches in port naming, I'll try to persuade my company to pay for the VIRL images.



Sunday, October 11, 2020

NetDevOps CI/CD toolchain

I'm starting down the NetDevOps rabbit hole. And I'm interested to see what's going on in the industry.

What are you guys doing??

Additionally, where do you see SD-WAN and NetDevOps moving forward?



Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.

Note: This post is created at 01:00 UTC. It may not be Monday where you are in the world, no need to comment on it.



Switch question

I have a modem that has all the Ethernet ports used up. My ISP only gives me one IP. I want to keep it at just having one IP.

One of the Ethernet cables running from the modem goes to my DVR security camera system. From the location of the DVR, I ran an Ethernet cable to another building where I will set up a router.

The problem is, how do I make that one Ethernet cord that goes to the DVR into 2, so that I can hook one Ethernet to the DVR and another running to the router?

I am thinking of using an unmanaged switch, but would that require me to get a second IP address from my ISP? I really don't want to do that. If that is the case, any suggestions what I can do?



Network Design Wisdom

What are some tidbits of wisdom or 1% improvements that make all the difference when it comes to network design that our community may have?

I’ll start with some examples,

  1. Wireless APs and LAN for a single area shouldn't terminate in the same IDF. So a floor or area's LAN runs back to IDF1 and the APs in the same area run to IDF2. Thus if an IDF is lost the clients in the area can still utilize the wireless or LAN infrastructure.

  2. The lower or higher portion of your subnet that is excluded from your DHCP scope for a pool of static IPs should start and end on a bit boundary so policy may be applied on a firewall or ACL.

What does everyone else have?



Is the Ubiquiti PoE adapter compatible with other brands?

I bought this Mesh router with the PoE module: https://www.gl-inet.com/products/gl-b1300/

I also have a Ubiquiti UniFi AP AC Lite AP which came with a PoE adapter. I figured I would be able to use that same adapter to power the GL-iNet router, but it doesn't seem to work. I am curious about why? I thought PoE is an open standard and should be compatible across brands, no?

Any ideas of which adapter I have to buy to power the Gl-inet router over PoE?

Thanks!