Saturday, October 31, 2020

Edgerouter x configuration

Hi to everyone,

I'm trying to configure my EdgeRouter X and I'm failing.... the setup will be ISP modem/router => ER-X => 2 switches => 2 APs...

I can't take out the ISP router.... and the ISP doesn't allow me to have it on bridge mode...

So, I tried a DMZ. I have that option on my ISP modem/router.
I did the initial set up (Basic one) with the Edgerouter where I chose:

  • A static IP for eth0
  • 192.168.1.10/29 for eth0
  • 192.168.1.1 for the gateway on eth0
  • 192.168.1.1 for the DNS server on eth0
  • Then, for the LAN (chose just one for now) I put the DHCP on and the address on 192.168.2.1/24

The ISP/Modem configuration is the following:

  • primary IP/LAN IP: 192.168.1.1/24
  • DHCP range: 192.168.1.64 - 192.168.1.253

With this I can't even see the ER-X getting connected to my ISP router. It's as if it does not exist, despite my being able to go to the ER-X config page on 192.168.2.1 (if my PC is connected to it).

If I put the eth0 IP of the ER-X to DHCP (Automatically obtain network settings from the Internet Service Provider), I can see the ER-X connected to my ISP router. However, if I get, for instance, an IP of 192.168.1.86, I am not able to ping it... don't know why...

Can anyone help me? What am I doing wrong?
Thanks in advance :)



First VLAN advice for separating servers and opening ports?

I'm looking at doing some practising with VLANs on a FortiGate 60E next week. I want to create 3 VLANs, 1 of them for servers.

I've got a test lab with a Domain Controller (AD, DNS, DHCP) and File Server and various old desktops.

My query is: are there any guides or anything so I can understand the ports I need to open between the server VLAN and the other VLANs?



Setting up a cisco router to a switch for small homelab, seller provided a rollover cable, what else do I need to setup this router?

Hey guys, I bought a Cisco router and a Cisco switch, and when I plug in the cable going from the ISP router into the Cisco router, no link lights show up. The seller provided a rollover cable, and I read somewhere that this is this way by default and you have to configure the router to work on your network.

What do I need to go from ISP equipment -> Router -> Switch?

Do I need an RS-232 to USB cable so I can remote into the router to configure it?

I'm super new to network equipment so go easy on me lol. Thanks!



Ubiquiti AP- Unifi vs Airmax interesting stats

Good Evening,

I know there's a Ubiquiti page...but I figured this gave us a slightly larger forum discussion. So here:

I find it very interesting and helpful that Unifi has their design page for rough, theoretical AP signal radiation circles. However, trying to design a deployment that's going to possibly use 80 wifi APs, and working off a very very limited budget that I'm already over, I had an interesting idea.

My most important aspect in the design is range. I don't need any users getting any serious speed (10mb/s is plenty), but I need to hit a lot of clients. Rocket M5 radios are cheap right now...like $20 a radio. Look at these stats, and then maybe people can weigh in how far these are realistically going to shoot. I'm only comparing 5Ghz bands so I get apples for apples here.

  1. Unifi Mesh AP Pro $199

8dBi antenna with 22dBm transmission power

  2. Airmax Aircube AC $75 (but stock is hard right now)

5dBi antenna with 23dBm transmission power

  3. Airmax Rocket M5 Radio $20 plus omni directional antenna

27dBm (omni can't handle that, but still) with 10-13dBi antenna

What makes the Unifi all that much better? Range is most important to me here...although obviously cell phones and laptops only fire so far.

Wouldn't the unifi and aircube be pretty close in range here?

The Rocket should have the largest range by far, albeit with a speed cap because of the 100Mb/s port, agreed?

Thanks
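A worked link-budget comparison of the three radios quoted above, added here as an example and not part of the original post. It applies the free-space path loss formula (FSPL in dB = 20 log10(d_km) + 20 log10(f_MHz) + 32.44) in both directions, because the client has to reach the AP too. The client figures (15 dBm transmit, 0 dBi antenna, -82 dBm sensitivity), the AP receive sensitivity, the 5500 MHz centre frequency and the 10 dB fade margin are all assumptions, not numbers from the post; the 12 dBi value for the Rocket omni is taken from the middle of the 10-13 dBi range given.

```python
import math


def fspl_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space path loss (Friis) in dB: 20*log10(d_km) + 20*log10(f_MHz) + 32.44."""
    return 20 * math.log10(distance_m / 1000.0) + 20 * math.log10(freq_mhz) + 32.44


def range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, rx_sens_dbm, freq_mhz, margin_db):
    """Largest distance at which the received level still meets sensitivity plus fade margin.
    Free space only: walls, foliage and multipath cut this down substantially."""
    allowed_loss = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sens_dbm - margin_db
    d_km = 10 ** ((allowed_loss - 20 * math.log10(freq_mhz) - 32.44) / 20)
    return d_km * 1000.0


# Transmit power and antenna gain as quoted in the post (5 GHz radios).
APS = {
    "UniFi Mesh AP Pro": {"tx_dbm": 22, "gain_dbi": 8},
    "airCube AC":        {"tx_dbm": 23, "gain_dbi": 5},
    "Rocket M5 + omni":  {"tx_dbm": 27, "gain_dbi": 12},   # 10-13 dBi omni quoted; 12 used
}

# Assumed client (phone/laptop) and AP receive figures; not from the post.
CLIENT = {"tx_dbm": 15, "gain_dbi": 0, "sens_dbm": -82}
AP_SENS_DBM = -82     # AP receive sensitivity at a low MCS (assumed)
FREQ_MHZ = 5500       # mid-band 5 GHz (assumed)
MARGIN_DB = 10        # fade margin (assumed)


def compare(aps=APS, client=CLIENT, ap_sens_dbm=AP_SENS_DBM,
            freq_mhz=FREQ_MHZ, margin_db=MARGIN_DB):
    """Per AP: downlink (AP->client) and uplink (client->AP) free-space range in metres,
    plus the usable range, which is the smaller of the two. The AP's antenna gain applies
    on receive as well, so it is the antenna, not the AP's transmit power, that helps the
    uplink-limited cell."""
    out = {}
    for name, ap in aps.items():
        down = range_m(ap["tx_dbm"], ap["gain_dbi"], client["gain_dbi"],
                       client["sens_dbm"], freq_mhz, margin_db)
        up = range_m(client["tx_dbm"], client["gain_dbi"], ap["gain_dbi"],
                     ap_sens_dbm, freq_mhz, margin_db)
        out[name] = {"downlink_m": round(down), "uplink_m": round(up),
                     "usable_m": round(min(down, up))}
    return out


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:18s} down {r['downlink_m']:6d} m  up {r['uplink_m']:6d} m"
              f"  usable {r['usable_m']:6d} m")
```

With the assumed client, every one of the three cells is uplink-limited: the extra transmit power of the Rocket buys downlink reach the phones cannot answer, and the usable-range differences between the radios collapse to their antenna gains (12 vs 8 vs 5 dBi, about 1.6x distance per 4 dB in free space).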



Design question: Network Racks

Hello guys

I have a chance to set up a new network room in new construction the way I want to. I want to get one of those "very wide" cabs with cable management facilities built into the sides.

In this rack, I'm going to have about 4 1U servers, about 200 strands of fiber terminating into a few panels, and likely 2 QFX5100-48S Switches. I'd like to have the cable management on the sides as well as actually rack mounted ones between the QFX's. I picture the patch leads coming from patch panel to the left, into some kind of vertical cable managers, down to the U of the cable manager in between QFX, out into that, then up into the QFX in the right spot.

What brands+models should I be looking at other than APC and TrippLite?

Thanks



ibgp next-hop-self vs. advertising external links

What are the pros and cons of using next-hop-self or advertising the external links:

This is what comes to my mind, but I'm curious what service provider guys think.

Advertising the external link into the IGP:

- Feels a bit more natural. You just add one more route advertisement to the network, rather than altering the default behavior of BGP.

- If the external link fails, the border router will withdraw the external routes in both cases. But if the external link is advertised (rather than the next-hop-self command being used), the failure of the link will cause the IGP to withdraw the external next hop, thus the other iBGP routers will also find out through the IGP that something is wrong, and stop using those routes. The IGP is likely to be faster than iBGP, especially when a route reflector is in use. The IGP also only has to withdraw one route versus the potentially hundreds of thousands that iBGP would have to, thus bringing everything down very quickly and allowing for a faster failover.

Using next-hop-self command:

- You don't advertise the external links, thus you don't expose that network to any external attacks. At an Internet Exchange, that might be a shared network, and you would not only expose yourself, but also others. It may be that in such a setup the IX would require that you use next-hop-self, but what do I know?

-You get to choose the next hop addresses. Since these will be very important in your network design, you should take care when you design the network that these are easy to remember. This will make it much easier to read BGP tables, if you know the next hops, whereas if there are multiple peers, you are unlikely to remember the link addresses used to peer with them.



H+ internet.

I have an S10. Just got it refurbished. Main board replaced. I now get internet called H+, which is OK but it's fairly slow. If I restart the phone I will inevitably get LTE or LTE+ after a restart. But after a little while it will switch to H+ again and won't switch back till I restart. Problems? Or is this normal?



Wireless and Wired Users on Same Vlan

So what's the official verdict on this in 2020?

I've seen it go either way depending on who you ask. Historically, best practice was separate VLANs to prevent half-duplex wireless clients getting flooded by broadcast/multicast traffic. But now with BCMC suppression and other features on wireless controllers, is that a factor any more?

  • Would be nice to have a single vlan/subnet instead of duplicates.

  • Is there any official best practice to check on Aruba WLCs to make sure BCMC is suppressed? I’ve seen a few different knobs but not entirely sure which combination works well



Creating a custom DNS server like xip.io

Hello!

I have a requirement to create a custom DNS server like xip.io, which resolves the passed domain name dynamically to an IP address embedded in the request itself (e.g. 127.0.0.1.xip.io resolves to 127.0.0.1, and so on).

I am a backend developer with moderate experience with Linux and networking, but no experience at all with DNS servers and setup. Can anyone guide me to where do I even start? Google searches didn't help much, they show setting up DNS for personal use. Thank you in advance!
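A minimal authoritative responder that does what the question describes, added here as an example (it is not the poster's code and not the xip.io implementation). It parses a wire-format query with only the standard library, pulls the four trailing numeric labels out of the queried name, and hands back an A record for that address. The zone name lab.example, the TTL and the listening port are assumptions. Two points a practitioner would want: it answers REFUSED for anything outside its own zone and never sets the RA bit, so it cannot be abused as an open resolver or amplifier, and it drops malformed packets rather than reflecting them.

```python
import socket
import struct

BASE_DOMAIN = "lab.example"   # assumed zone; xip.io is the public service the post refers to
TTL = 300                     # assumed


def parse_query(data):
    """Return (id, flags, qname, qtype, qclass, raw_question) from a wire-format DNS query.
    Raises ValueError on anything malformed, including compression pointers in the question."""
    if len(data) < 12 + 5:
        raise ValueError("too short")
    qid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query")
    labels, pos = [], 12
    while True:
        if pos >= len(data):
            raise ValueError("truncated name")
        ln = data[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0 or pos + ln > len(data):
            raise ValueError("bad or compressed label")
        labels.append(data[pos:pos + ln].decode("ascii"))   # UnicodeDecodeError is a ValueError
        pos += ln
    if pos + 4 > len(data):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return qid, flags, ".".join(labels).lower(), qtype, qclass, data[12:pos + 4]


def in_zone(qname, base):
    return qname == base or qname.endswith("." + base)


def extract_ip(qname, base):
    """'app.10.0.0.5.<base>' -> '10.0.0.5'; None when the four labels before the zone
    are not a valid dotted quad (each label digits only, 0-255)."""
    if not in_zone(qname, base) or qname == base:
        return None
    octets = qname[: -len(base) - 1].split(".")[-4:]
    if len(octets) < 4 or not all(o.isdigit() and len(o) <= 3 and int(o) <= 255 for o in octets):
        return None
    return ".".join(str(int(o)) for o in octets)


def build_response(query, base=BASE_DOMAIN):
    """Wire-format reply, or None for packets that should be dropped."""
    try:
        qid, flags, qname, qtype, qclass, question = parse_query(query)
    except ValueError:
        return None
    rd = flags & 0x0100            # copy RD; RA is deliberately never set (no recursion here)
    aa = 0x0400
    ip = extract_ip(qname, base)
    if not in_zone(qname, base):
        rcode = 5                  # REFUSED: not our zone, so do not act as an open resolver
    elif ip is None and qname != base:
        rcode = 3                  # NXDOMAIN: inside the zone but not a usable address
    else:
        rcode = 0
    answers, ancount = b"", 0
    if ip is not None and qclass == 1 and qtype in (1, 255):     # A or ANY
        # 0xC00C is a pointer to the name at offset 12 (start of the question section)
        answers = struct.pack("!HHHIH", 0xC00C, 1, 1, TTL, 4) + socket.inet_aton(ip)
        ancount = 1
    header = struct.pack("!HHHHHH", qid, 0x8000 | aa | rd | rcode, 1, ancount, 0, 0)
    return header + question + answers


def build_query(name, qid=0x1234, qtype=1):
    """Client-side helper used for testing: a standard recursion-desired query for name."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + wire + struct.pack("!HH", qtype, 1)


def response_rcode(resp):
    return struct.unpack("!H", resp[2:4])[0] & 0x0F


def answered_ip(resp):
    ancount = struct.unpack("!H", resp[6:8])[0]
    return socket.inet_ntoa(resp[-4:]) if ancount else None


def serve(bind=("0.0.0.0", 5353)):   # port 53 needs root or CAP_NET_BIND_SERVICE (assumed 5353 for a trial)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        resp = build_response(data)
        if resp is not None:
            sock.sendto(resp, peer)


if __name__ == "__main__":
    serve()
```

To make it the authoritative server for a real zone you delegate the zone to a host running this with NS and glue records at the parent; for a first trial on a LAN, `dig @127.0.0.1 -p 5353 app.10.0.0.5.lab.example A` against the running script is enough.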



Looking for advice on spanning tree configuration when connecting with someone else's network

Hi all,

We rent a rack in the datacenter and have a fairly simple setup with a pair of ToR switches connecting to the servers. We currently use RPVST+ as spanning-tree mode. Currently, however, no settings are made with regards to the spanning tree priority. Everything runs on default. We get the occasional topology change message, but it hasn't given us any noticeable issues.

We are having some growth however and are now looking at renting a second rack. I've been reading up a lot on best practices since we have a "new chance" with the new rack and I would like to do it right. This post has been very informative on that: https://www.reddit.com/r/networking/comments/7rguqi/about_stp/

Since we are so small we do not have separate core/spine switches. It's just two racks with ToR switches and two cables in between the racks that we can configure with LACP for redundancy so we can do communication between the two racks. I realize this is not ideal but budget unfortunately at this point does not allow for setting up a network in a spine/leaf model. This is something I'm also still reading up on and I think if we grow further to a third/fourth/etc... rack we would need to build something like that since otherwise we cannot really scale well, but at the moment it is not possible.

Above some context on what we are running now... Now my actual question is: I am unable to find what the best practices are when connecting to another network. I have two concrete examples:

  1. The uplink ports to the internet will be redundantly connected through LACP and the uplink is on a tagged vlan. However of course "behind" this port on the ISP side are a whole bunch of routers/switches/etc... to connect to the internet and I would assume they all have their own spanning-tree priorities and configurations that I am unaware of. How do I ensure that does not conflict with my own configuration, i.e. the ISP networking becoming the spanning-tree topology root? Should it be an "edge" port? Should it have bpduguard? Or other setting?

  2. Somewhat similar to the above; we also have some connections to other racks in the datacenter. Sometimes this will be a LACP connection, sometimes just a single cable to a switch with a tagged VLAN. These other racks are outside of my control and are being run by a completely different organization. Of course their switches also have their own spanning tree configuration I know nothing about. We just use those connections to access a few IP addresses over a direct line instead of having to do that through the WAN link. I tend to think they should be configured as "edge" ports with bpduguard but the Cisco docs suggest otherwise:

Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

Could anyone suggest what is the best practice for these type of connections?

Thank you!



Firewall Core

Hello!!

Is it a good or bad idea to use firewalls as a core?

I would plug 3 switch stacks to them. 4 VLANs, 300-400 users max. They already have 2x Meraki MX100 for SD-WAN. 750Mbps throughput and they have an MPLS circuit + 1Gbps Internet breakout circuit. Corporate VPN traffic flow on top of the MPLS and Internet traffic gets out locally on the 1Gbps circuit. All their services are in our DC so very low traffic between VLANs.

I had the idea of buying a Core but our company is Cisco only and these 9400-9500 core switches are just too expensive. I'm not sure it's worth the price for them.

The MX100 only supports SFP, no 10G. It doesn't support port channels either, so we're looking at 1G connections from the switch stack.

Let me know your thoughts!



EVE NG | failed to write configuration file

Couldn't find anything on Google about this so I thought i share:

I wasn't able to save or erase config on the IOL routers in EVE:

R1#wr
Building configuration...
% failed to write configuration file[OK]

R1#wr er
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
% failed to write configuration file[OK]
Erase of nvram: complete

I exported the config and cloned the lab. Then I was able to save again. Thank you, colleague!



Newbie needs help....

I can't access my gateway router.. I deleted the static IP that I think was in the IPv4 pool, and now 192.168.1.254 doesn't work, or 10.0.0.0 etc.. The DNS is 169, btw, don't know why.... Easy answer for a newb? Kthx



L2TPv3 not on Cisco 9300?

Our network has grown and is a mess of VLANs: OSPF / DHCP relays / etc. I've been reading up on network overlays and was excited to try L2TPv3. Got ready to set it up on a Cisco 9300, and it wasn't an option. 'MPLS' is the only encapsulation option on 'pseudowire'.

Was hoping to claw back IPv4 pools for a bunch of VLANs and make some bigger pools in the data center. Any suggestions?

Goal: leave native IPv6 everywhere/distributes get IPv4 centralized.



Friday, October 30, 2020

How many VLANs make sense?

Hi all. I've got a new manufacturing customer with approx 225 devices: 8 switches, a point to point connection to another building, maybe 10 servers, and 13 access points. In the past with other clients, VLANing has been set up and I haven't needed to touch it.

I'm thinking management, data, voice, guest, machinery. But, since I have a clean slate to work with, I was thinking about breaking off printers and servers to their own VLANs as well.

How far do you guys generally go with it? How many is too many? I mean, I could get away with data, phone, and guest and be good with it as I'm not running out of addresses, but I'm just curious as to how you guys think about what NEEDS a VLAN, as I'm not extremely versed in best practices.

Thanks for any input!



Moving routing to our core router

We have a core router, CR1, which is the gateway for our main subnet/VLAN 1, and a separate physical router, SR1, which routes a secondary subnet. The secondary subnet was only added to extend available addresses. There is no need to separate them with a firewall. My goal is to remove SR1.

CR1 address 192.168.1.1 routes 192.168.1.0/24
SR1 address 192.168.2.2 routes 192.168.2.0/24

From my research I believe all I need to do is to make sure vlan 1 on CR1 has a secondary address such as 192.168.2.1 and then update all the clients on that subnet to point to this address for gateway. I would say I have intermediate knowledge of networking. I get confused with routes/when a static route is needed. Is there a route I need to confirm as well? Does adding a secondary address cause any disruption for vlan1 traffic?



Considering power line adapters for 7 separate rooms with thick walls, am I going down the best route?

Hi /r/networking

I'm looking for a bit of additional information to make sure I'm going about the right way of solving my problem.

Looking into a business site that will have a reception + 6 rooms. The rooms will all require Wi-Fi access points for customers and internet access for 3 other rooms for members of staff.

The business is located in a basement and the walls are thick, so Wi-Fi signal alone won't cut it. I was thinking about getting power line adapters in each room and setting up networks for customers to access when the rooms are in use. I'm aware that power line adapters require the existing wiring to facilitate it and I'm under the impression that they were used previously.

Are power line adapters designed to accommodate this many repeaters? Is there a better commercial solution I'm missing other than hard-wiring?

Thanks



Anyone use Packet Fence for NAC in an Enterprise environment?

We have about 15 sites, 2200 clients, not including servers and such. Anyone have experience with Packet Fence for network access control? What are your thoughts on this product?



Startup config

Is it better to wipe the startup config clean, load the image, and load the config, or can you just copy the new config over the startup config and avoid wiping the IOS on the switch?



Iptables DROP policy issue

Hi all, I have been trying to solve an iptables issue for some time now. Basically I have a WireGuard VPN which uses port 51820. If I try changing the INPUT policy from ACCEPT to DROP, the VPN client can connect but cannot use the internet.

Here is my iptables:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 51820 -m comment --comment wireguard-input-rule -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 4711:4720 -j ACCEPT
-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport redacted -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport redacted -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport redacted -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport redacted -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport redacted -j ACCEPT
-A INPUT -p tcp -m tcp --dport redacted -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


Testing/Comparing 2 Different ISP Circuits for Point to Point Streaming

Our team in Washington DC has access to 2 different ISP circuits, each 1Gbps: Comcast and Verizon.

I'm looking to find out the best way to run a "long term" (a few days or even hours) test to compare the reliability of Comcast vs Verizon.

Whichever ISP circuit we select in DC will be used to transport two 7Mbps video streams to and from our main office in NY (using the SRT video streaming protocol).

I'm looking to detect latency spikes or any packet loss along the route from DC to NY and then select a circuit in DC accordingly.

Thus far, RTT times back to NY are lower on Verizon, but with this streaming protocol spikes in latency or packet loss is more of a consideration and would lean us toward one circuit or another.

Is iperf maybe able to be run over a long duration and possibly be graphed visually somehow?

Thanks all so much!
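A long-duration probe that records what an SRT stream actually cares about, added here as an example (not from the post and not an SRT tool). It sends one ICMP echo per second per circuit for as many hours as you like, logs every sample to CSV so it can be graphed later, and then reports loss, the worst consecutive-loss burst, p50/p95/max latency, mean jitter and the number of latency spikes over a threshold. It shells out to the Linux iputils `ping` (the `-W` seconds flag and `-I <source>` are assumed); the source address for each circuit is how you steer probes out of one ISP or the other, and the endpoint in NY is whatever host answers ICMP there.

```python
import csv
import re
import subprocess
import sys
import time
from datetime import datetime, timezone

RTT_RE = re.compile(r"time[=<]\s*([\d.]+)\s*ms")


def ping_once(host, source=None, timeout_s=1):
    """One ICMP probe via the system ping (Linux iputils flags assumed).
    Returns the RTT in ms, or None if the reply was lost or ping is unavailable."""
    cmd = ["ping", "-n", "-c", "1", "-W", str(timeout_s)]
    if source:
        cmd += ["-I", source]          # source address selects the circuit under test
    try:
        proc = subprocess.run(cmd + [host], capture_output=True, text=True, timeout=timeout_s + 2)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return None
    m = RTT_RE.search(proc.stdout)
    return float(m.group(1)) if m else None


def percentile(sorted_vals, p):
    return sorted_vals[round(p / 100 * (len(sorted_vals) - 1))]


def summarize(samples, spike_ms=50.0):
    """samples: list of RTT ms, with None for a lost probe.
    Loss bursts and jitter matter more to a live stream than the mean RTT does."""
    total = len(samples)
    got = [s for s in samples if s is not None]
    burst = worst = 0
    for s in samples:
        burst = burst + 1 if s is None else 0
        worst = max(worst, burst)
    if not got:
        return {"probes": total, "loss_pct": 100.0, "worst_loss_burst": worst,
                "p50_ms": None, "p95_ms": None, "max_ms": None, "jitter_ms": None, "spikes": 0}
    srt = sorted(got)
    jitter = sum(abs(a - b) for a, b in zip(got, got[1:])) / max(1, len(got) - 1)
    return {"probes": total,
            "loss_pct": round(100.0 * (total - len(got)) / total, 2),
            "worst_loss_burst": worst,
            "p50_ms": percentile(srt, 50), "p95_ms": percentile(srt, 95), "max_ms": srt[-1],
            "jitter_ms": round(jitter, 2),
            "spikes": sum(1 for s in got if s > spike_ms)}


def run(circuits, duration_s, interval_s, csv_path):
    """circuits: {label: (target_host, source_ip_or_None)}. Logs raw samples, returns summaries."""
    samples = {label: [] for label in circuits}
    end = time.monotonic() + duration_s
    with open(csv_path, "w", newline="") as fh:
        w = csv.writer(fh)
        w.writerow(["utc", "circuit", "rtt_ms"])
        while time.monotonic() < end:
            for label, (host, source) in circuits.items():
                rtt = ping_once(host, source)
                samples[label].append(rtt)
                w.writerow([datetime.now(timezone.utc).isoformat(), label, "" if rtt is None else rtt])
            fh.flush()
            time.sleep(interval_s)
    return {label: summarize(s) for label, s in samples.items()}


if __name__ == "__main__":
    # usage: python isp_probe.py <hours> <ny-host> <comcast-src-ip> <verizon-src-ip>   (example names)
    hours, target, comcast_src, verizon_src = float(sys.argv[1]), sys.argv[2], sys.argv[3], sys.argv[4]
    circuits = {"comcast": (target, comcast_src), "verizon": (target, verizon_src)}
    for label, summary in run(circuits, hours * 3600, 1.0, "isp_probe.csv").items():
        print(label, summary)
```

The CSV is one row per probe, so any spreadsheet or gnuplot can plot both circuits on one axis; the summary line is what you compare when picking the circuit. A loss burst of several seconds is far more damaging to SRT than a slightly higher median RTT, which is why the report leads with it.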



OVH released their bastion solution on GitHub

https://github.com/ovh/the-bastion

Looks interesting, considering it's what they are using internally.



BGP on Cisco

At my previous workplace I've done BGP on FortiGate (2 FortiGates running in HA). This FortiGate used to peer with 2 separate ISPs, thus achieving multi-homing. This worked perfectly for us.

At my new workplace it's a Cisco-only shop (firewalls, routers, switches etc.); I haven't touched Cisco in about 5 years or so. The requirement is basically the same thing: peer with 2 ISPs and advertise based on our needs. To achieve true redundancy, does Cisco offer a way to cluster the devices into 1, similar to FortiGate? Is this the solution to this problem? Do we run 2 separate routers and then do iBGP, then do some kind of HSRP or VRRP?



IPSEC Mikrotik integration with Cisco

I spent a good portion of this week working on an IPSEC/GRE BGP connection to a 3rd party vendor. They are using Cisco and we are using Mikrotik. For those who encounter this combination, perhaps I can save you the time and headache of searching through Cisco and Mikrotik documentation and troubleshooting. This may be common knowledge, but if the Cisco router is using "route" based IPSEC, it will send over a traffic selector of 0.0.0.0/0. If this is the only way the vendor is willing to configure the tunnel, you can create a few IPSEC policies to exclude non-interesting traffic from the tunnel and then a policy for 0.0.0.0/0. Noninteresting traffic should include your management network and any networks traversing the GRE tunnel. The downfall of this method is that you will now need to create exceptions for each network you want to route over. Alternatively, just get the vendor use ACL based IPSEC.



Microsoft Teams upload speed requirements question.

So if I do a video conference from home, it is saying the bandwidth requirements are 500k - 1.2 Mbps upstream depending on quality of the video. If 10 people are in the group conference, it is still only sending upstream to the Teams server, then it is dispersing to the individual participants..correct? I mean i wouldn't need 500k upstream X number of participants if i'm understanding correctly?



Looking for a unicorn? Can anyone tell me if a half-height mini-pcie LTE module (preferably supporting bands 4, 7, and 28) exists?

Asking for a friend.



Co-Channel Interference/Contention: Where do you draw the line?

We have some buildings with ~7 APs per floor. The 2.4Ghz signal is so strong that an AP on floor 3 can see APs from floors 1-6 all on the same channel, with the weakest signal being -70db.

For example, AP on floor 3 (ch11) sees the following APs on ch11:

Floor 5 (-43db)

Floor 3 (-52)

Floor 2 (-59)

Floor 5 (-66)

Floor 6 (-70)

Naturally, we have a controller that manages the radios. It is configured to avoid interference. The controller also claims the co-channel interference is eating up 80-90% of the channel's capacity. I want to turn the radios down, but don't know where I should draw the line.

Our customers are complaining about slow speeds and losing connections intermittently. That makes sense to me because if so many APs are fighting for air time with each other, the speeds are going to drop significantly. I'd love to just get rid of 2.4Ghz but that's not possible right now, nor is band steering.

I've adjusted the Cisco controller's power threshold to -65 from -55. The min power level assignment is at 17 (-10 to 30 dBm scale). This is what I will lower next after I figure out how much co-channel contention is too much.

Bring in a professional to sort this out

Sorry, can't. Our budget was wrecked by covid. I've inherited this problem from a recent retiree and am not an expert. I also have no money to spend on it. I have a decent grasp on the basics of wifi, but I'd love some direction before I start making bigger changes in production.



HP 1810 J9803a load balancing algorithms

Hi,

Could you help me find out which LACP/static load balancing algorithms this model supports, and how I can change it in the web UI?

I need to connect this switch (hp j9803a) to cisco SG300-28 and i want to be sure that the hp support src-dst-mac algorithm or src-dst-mac-ip too..



Creating a strange NAT...

Having trouble locating answers in whitepapers for this scenario. Basically I need a NAT to translate traffic from my internal subnet of 10.0.0.0/16 to the subnet of 10.243.X.X/27 only when traffic is destined for a specific group of public IPs. The reason for this is the other end of the VPN tunnel needs to see the traffic being sourced from the 10.243.X.X subnet, not our 10.0.0.0/16 subnet.

I was trying something like: nat (Inside,Outside) source dynamic 10.0.0.0/16 10.243.X.X/27 destination static PubPool PubPool

I get the error that the source cannot be a subnet.

Any ideas?



Using 44.0/9 (AMPRNet) as private network space.

Disclaimer, I'm not the network guy, I'm the linux guy getting frustrated.

My company has done a ton of acquisitions over the years and because of some choices made up the food chain those companies come into our WAN without being readdressed.

Our WAN routing space has stuff all over 10.0.0.0, but also has things in 172.16 and 192.168.

When we went into the cloud we had issues allocating large enough blocks as the network team were unwilling to give me enough in fear that a future acquisition would clash.

Working with AWS we followed their recommendation and dedicated the entire 100.64 space from cgNAT to cloud only.

I've got a project I'd classify as "devprod" in that it's a dev environment that when it has outages causes headaches as if it were prod. It needs some network space across at minimum a handful of /24.

I've "lost" to the network team several times and had to readdress because management determined it was better to have me readdress my stuff than to try and readdress an entire business unit during the onboarding process. I've gone from 10.10/16 to 10.11/16 to 10.21/16 and now am about to be booted again, with no guarantee it won't happen again in the future.

You can argue all you want that this is unreasonable and I should be given some leeway, I certainly have, but this is my reality.

Is there any reason that I couldn't use the 44.0.0.0/9 allocated to AMPRnet for packet/ham radio? It would be internal and run just as if it were an RFC1918 network. I can't imagine that any host on our WAN would ever want to connect to packet radio.

I can't see a downside to this but again, I'm a linux sysadmin, not a network guy. Is there anything I need to consider here?



How can I make my APs communicate with a Cloud API?

Ok, so I have 4 different Grandstream access points, all provided by the employer. The exact models are GWN 7602, 7605, 7630 and 7630LR.

My task is to build an API that receives a request whenever someone connects to the wireless network and collects as much data as it can to build up an analytics dashboard for the location owner. Of course the system would ask for permission and logging in with social accounts is optional.

The idea is to have the end user be presented with a sign-in screen when they first connect to the network and when they select an option (Login with Google, Facebook, Apple ID etc.) or incognito, we need to collect as much data as we can (demographic and stuff like that) so the location owner can adjust their ad campaigns to match the most / least common type of visitor (whatever they want).

I am used to building Laravel REST APIs on a LEMP stack with a Vue frontend so if the system is doable in that way it would be nice, but I am not completely married to this certain stack nor do I run away from other technologies. How do I configure the access point to communicate with my API and store the data I need?



Recommendation for switch replacement

Hi, I currently have a stack of 6 Avaya/Nortel 5520-48T-PWR switches.

Have loved them due to the stacking feature, and the WebUI.

The switches being the age they are, are starting to give me troubles, with failing POE boards and other small issues. I know I can still get them from eBay for around AU$150 etc but am now looking at upgrading.

The above switches really don't have much of an upgrade path (that's affordable) as only the 5500 and 5600 switches can stack together, and the 5600 series only has 10Gb in XFP x 2. Anything up from that is a no go.

So, I am now starting the search for the next replacements.

I am wanting something similar to the Avaya Switches, but something where I can pay a little more and get 1 of the switches in the stack to have 10GBase-T. EOL is ok obviously. For what these are used for the Avaya/Nortel switches have been awesome (although a little noisy, but are in a separate room).

Have been looking at Juniper, but not sure about the specific models etc. One I did find was the EX4300 series, but they seem a little expensive still, I don't think they are EOL yet, so not a huge amount being dumped in the second-hand market.

Basically, a switch that is stackable, has 48 Port with PoE, a WebUI, and at least a model with 10GBase-T that can be stacked with 1Gb Switches.

Any help/recommendations etc would be much appreciated.



MSS and Wireshark

Hi,

Doing a great course on Pluralsight right now about Wireshark while troubleshooting a real world issue. I have a question about wireshark and the way the length and tcp segment is displayed.

Let's imagine I have SDWAN to a Hub location, and behind that Hub is Azure. We are doing a SQL Query from Azure to the SDWAN site.

The 3 Way Handshake then completes and a few options are negotiated. The MSS from Azure is 8960, the SDWAN site is 1318. So, 1318 wins. The lowest MTU across the link is possibly 1405.

Now once data flows, am I right in expecting all packets to have a maximum of TCP Segment length of 1360 and a maximum packet length of 1414 to account for overhead?

The reason I ask is that after a few SQL batches, a packet is sent from server to destination with TCP length 4096 and length 4150.

I am not sure if I have studied too much and gone deep into the matrix. My other thought was maybe this packet is fragmented later on, as I have only captured from machine itself.

Thanks for reading and any info.
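The arithmetic behind the question, worked through as an added example (not from the post or the course): what size limits follow from an agreed MSS, how TCP options change the on-wire payload, and how to recognise a segment that is larger than the MSS in a capture taken on the sending host, which is the signature of TCP segmentation offload (TSO/GSO), where the kernel hands the NIC one large segment and the NIC splits it into MSS-sized pieces after the capture point. The header sizes are the fixed IPv4/IPv6/TCP/Ethernet values; the 12-byte figure for a timestamp option (10 bytes plus 2 NOP padding) is the usual encoding.

```python
ETH_HDR, IPV4_HDR, IPV6_HDR, TCP_HDR = 14, 20, 40, 20


def mss_for_mtu(mtu, ipv6=False):
    """MSS a host should advertise for a link MTU: MTU minus the fixed IP and TCP headers (RFC 6691)."""
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - TCP_HDR


def agreed_mss(local_mss, remote_mss):
    """Each side sends no more than the other side's advertised MSS, so the smaller value governs."""
    return min(local_mss, remote_mss)


def expected_max_lengths(mss, tcp_opts_len=0, ipv6=False):
    """Largest TCP payload, IP packet and Ethernet frame a conforming sender emits for an agreed MSS.
    The MSS excludes TCP options, so a sender carrying options subtracts their length from the payload."""
    payload = mss - tcp_opts_len
    ip_len = payload + tcp_opts_len + TCP_HDR + (IPV6_HDR if ipv6 else IPV4_HDR)
    return {"payload": payload, "ip_packet": ip_len, "frame": ip_len + ETH_HDR}


def classify_capture(tcp_payload_len, mss, tcp_opts_len=0):
    """Interpret one captured segment's TCP payload length against the agreed MSS."""
    limit = mss - tcp_opts_len
    if tcp_payload_len <= limit:
        return f"within MSS ({tcp_payload_len} <= {limit})"
    return (f"exceeds MSS ({tcp_payload_len} > {limit}): segmentation offload, the NIC will split "
            f"this into {-(-tcp_payload_len // limit)} segments after the capture point; "
            "capture on a span port or disable tso/gso with ethtool -K to see wire-size segments")


if __name__ == "__main__":
    mss = agreed_mss(8960, 1318)                       # the two MSS values from the post
    print("agreed MSS", mss, expected_max_lengths(mss))
    print("with timestamps", expected_max_lengths(mss, tcp_opts_len=12))
    print("MTU 1405 would give MSS", mss_for_mtu(1405))
    print(classify_capture(4096, mss))
    print("frame length for a 4096-byte payload:", expected_max_lengths(4096)["frame"])
```

The captured 4150-byte frame is exactly 4096 + 20 (TCP) + 20 (IPv4) + 14 (Ethernet), which is what a host-side capture of an offloaded segment looks like; a capture on the far side of the SD-WAN would show it already cut to the agreed MSS.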



Tenda AC11 Router cant find any signal...

I just recently bought a Tenda AC11 router and as soon as I plugged it in I was not able to find any signal such as an SSID to connect to through my phone and PC. I even tried using an ethernet cable, but that didn't fix it either. The only lights lighting up are SYS, and the WAN, LAN, and WIFI lights constantly blinking together. Please help :(

Edit: I also tried a reset countless times and it still was not able to give out a signal.



Thursday, October 29, 2020

Takeaways From Cisco Catalyst 8k Launch?

Below are mine. Interested to hear what others think!

  1. The name is confusing. So now wifi, switching, and routing are "Catalyst"? When do we get the Catalyst Nexus 7k! Cisco should just rename the company to "Cisco Catalyst"; that would make more sense to me.

  2. Cisco is never bringing SD-WAN to its high end modular ASRs (1006x etc).

  3. FWs from other vendors are the way forward for branch routers and aggregation imo.

  4. This is just a better speeds and feeds play.

  5. Moving to these really only makes sense if you use UC features or Cisco SD-WAN.


Why can't I ping my phone, but can see it's details and location on an IP lookup website?

I tried using the ping command in the terminal followed by my Android phone's IP, and it didn't receive any packets. But I can look it up on an IP lookup website just fine.

It doesn't work whether my phone's connected to Wi-Fi or mobile data. The ping command works for other random websites though.



Firewall Rule Requests

Just curious how everyone intakes firewall rule requests? Specifically, whether there are templated forms or specific information required to be supplied.

Curious on how others have streamlined these requests.



Cisco FEX

Hi, the last week or so I have been watching INE's CCIE data centre videos regarding the Cisco Nexus series. All in all, so far I have to say they are good. I have gotten about a quarter of the way through now and arrived at FEX. There has never been a networking topic where I stopped and thought "I don't need this" or "this seems like a really bad idea", but with FEX I got about 20 mins in and switched off and moved to the next segment in the series.

I have to ask, has anyone else worked with them or thought this over time? Heavy north/south flows and traffic travelling to the EOR switches even for packets that could traverse the local FEX switch. I just sat there shaking my head thinking "surely this isn't implemented heavily today?"

Anyone any thoughts or am I just totally way off here?



Fibre Channel and FCoE question?

Hi, I have been studying the Nexus OS the past week or so. I come from a heavy IOS and ASA background, so for the most part it has been pretty straightforward so far. Things like VDCs and the general management of the devices are pretty straightforward too; I picked up VDCs fairly easily having worked with ASA multi-contexts for a while now. Other areas like FabricPath seem like a good idea and pretty straightforward too, depending on what your knowledge of IS-IS is, as well as vPCs.

Now for Fibre Channel: I remember studying this about 2 years ago, but for the most part it has all left my brain even if I took notes on it (haven't reread them properly yet). But I wanted to ask, what is the more popular way of doing things as far as storage etc. goes here, Fibre Channel or FCoE? FCoE seems like the simplified way of doing things (granted I haven't touched on that yet so I could be wrong there) and Fibre Channel on Nexus (or just in general) seems like a far more complex way.

Which technology is more used these days or is there something else on the horizon that will take over both?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Wire shark question

Hey y’all, finally got my first real network job back in May—I LOVE IT!

I manage a ton of end devices at different stores, and I am always in our routers and switches; the tickets don't stop.

Some of my tickets involve latency issues and dropped packets from our store out to the internet.

I was wondering if I could SSH into a remote router/switch and use wireshark to figure out where the packets are dropping or where our latency issue is occurring, if that’s even possible.

I read about SPAN on interfaces but that’s a no go for sure, I’m just a lowly admin trying to figure out what’s the I.P.

Thanks in advance!

P.S if you’re a network engineer/admin and have used Wireshark to troubleshoot, what are some cool things you can do with it!?



Packet Sender Tool

Hello,

I am new to networking and I am trying to play around with a couple of different tools.

I want to send TCP packets from one machine to another using Packet Sender and capture them using Wireshark.

However, upon filling in the required fields such as Destination Address, Port Number etc., I am getting an error message: "Could Not connect".

The destination IP address is valid, and my port forwarding is also enabled.

I would really appreciate some suggestions.

Thanks in advance.



NETBOX users, is there a way to populate information after NAPALM reads the device status?

Hey all, real quick example. When I added a device, I didn't input the serial number. After the device was added, I clicked on the status tab, which makes that NAPALM API call to the box, and one of the pieces of information it retrieves is the serial number. Is there a way to have NetBox then go back and fill this info in within the initial device tab?

Also, so far with Arista, it's not outputting the LLDP Neighbors information which is odd. Everything else is working. Anyone run into this issue at all?

Thanks.



Wifi not working inside virtualbox in ubuntu.

I am facing a problem: if I connect the OS to a NAT network inside the VM, it's not connecting to WiFi. It is working with the default IP, but after changing the IP it's not connecting to WiFi (inside VirtualBox I have installed Lubuntu). And I am running the VM on my main OS, which is Ubuntu.

These are the things I have tried: I have upgraded the OS inside the VM, reinstalled net-tools, and reinstalled the OS inside the VM. I have not installed any other software like Docker. Only 2 OSes inside the VM (both are Lubuntu).

Please help me out with this problem.

Thanks in advance.



Number of devices on network and speed

I had a friend claim that adding additional devices to a network would reduce the speed (e.g. adding a printer to the network). I was under the impression that the network speed was impacted by network usage and not by number of devices.

Is he correct that adding devices to a network, regardless of whether they are active or not, slows down the network?



1 or 2 switches

Hello,

I'm new, so please bear with me. I have a total of about 32 devices to plug in for a small business. 24 PoE cameras and a few other devices are PoE. I have a 48 port patch panel.

Should I get two 250W 24 port switches from Ubiquiti or one of their 500W 48 port switches?



VRF-Lite Route Leaking - brain exploding!

Hi all

I've got myself into a muddle about VRF-Lite route leaking. I'm trying to offer a shared service (one subnet now, but several in the future) to both customers.

I've got a router with 3 VRFs; let's call them APN, CUSTA and CUSTB.

CUSTA and CUSTB are part of the same BGP process; I've split them off into their own VRFs:

router bgp 64535
 bgp router-id 192.168.68.34
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf CUSTA
  network 192.168.68.32 mask 255.255.255.252
  neighbor 192.168.68.33 remote-as 65000
  neighbor 192.168.68.33 activate
 exit-address-family
 !
 address-family ipv4 vrf CUSTB
  network 192.168.68.36 mask 255.255.255.252
  neighbor 192.168.68.37 remote-as 65000
  neighbor 192.168.68.37 activate
 exit-address-family

I've also got my own OSPF process where I've got my shared service. The shared service is not adjacent to this router, but is a couple of hops away.

router ospf 222 vrf APN
 capability vrf-lite
 network 10.64.222.4 0.0.0.3 area 0

I've defined route targets:

vrf definition APN
 rd 33:33
 route-target export 33:33
 !
 address-family ipv4
 exit-address-family
!
vrf definition CUSTA
 rd 400272:1
 route-target export 400272:1
 !
 address-family ipv4
 exit-address-family
!
vrf definition CUSTB
 rd 400272:2
 route-target export 400272:2
 !
 address-family ipv4
 exit-address-family

show ip route APN gets me:

O E2 33.33.33.33 [110/1] via 10.64.222.5, 01:40:37, GigabitEthernet0/0/0

I can also get routes from both BGP CUSTA and CUSTB, so I've got at least the VRF set up correctly, with the right interfaces in the right VRFs.

How do I get CUSTA and CUSTB to see routes from APN, but not from each other?

Sorry if this doesn't sound like I've tried - I've been on this all day. I've managed to get routes one way, from BGP to OSPF, but never the other way round. I'm asking for a bit of a bump in the right direction!

Thanks in advance!
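One way to get the leaking the post asks for, as an added IOS/IOS-XE configuration example (not from the original post): each customer VRF imports only the APN export route target, APN imports both customer route targets, and BGP in APN carries the OSPF-learned shared-service prefix so that route-target import has something to work on. It assumes the AS number, VRF names, RDs and process numbers from the post, and that the platform supports route-target-based import between local VRFs without MPLS (VRF-lite leaking); only the lines marked "added" are new, the rest repeats the posted configuration.

```cisco
! APN (shared service) imports both customers' routes for return traffic.
! Each customer imports only 33:33, so CUSTA and CUSTB never see each other:
! a prefix imported into APN keeps its original route target and is not
! re-exported with APN's 33:33.
vrf definition APN
 rd 33:33
 route-target export 33:33
 ! added: learn CUSTA and CUSTB prefixes
 route-target import 400272:1
 route-target import 400272:2
 !
 address-family ipv4
 exit-address-family
!
vrf definition CUSTA
 rd 400272:1
 route-target export 400272:1
 ! added: CUSTA sees APN only
 route-target import 33:33
 !
 address-family ipv4
 exit-address-family
!
vrf definition CUSTB
 rd 400272:2
 route-target export 400272:2
 ! added: CUSTB sees APN only
 route-target import 33:33
 !
 address-family ipv4
 exit-address-family
!
! Route-target import/export only moves prefixes that are in BGP, so APN
! needs a BGP address family that carries its OSPF-learned routes.
! The shared-service route is O E2; "redistribute ospf" matches only
! internal routes by default, so external types must be listed.
! (Older IOS releases spell this "redistribute ospf 222 vrf APN match ...".)
router bgp 64535
 ! added
 address-family ipv4 vrf APN
  redistribute ospf 222 match internal external 1 external 2
 exit-address-family
!
! Customer prefixes imported into APN arrive as BGP routes; redistribute
! them into OSPF so the shared service a couple of hops away has a return
! path. "capability vrf-lite" (already configured) stops the DN-bit check
! from discarding routes redistributed from BGP on this router.
router ospf 222 vrf APN
 capability vrf-lite
 network 10.64.222.4 0.0.0.3 area 0
 ! added
 redistribute bgp 64535 subnets
```

After applying it, "show ip route vrf CUSTA" should list 33.33.33.33/32 as a BGP route and no 192.168.68.36/30 from CUSTB, while "show ip route vrf APN" should show both customer transit subnets.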



Need available bandwidth monitor

The boss and the higher-ups seem to have a fiery passion for speed tests; they want a sensor or monitoring tool to be able to monitor available bandwidth on the network historically and to be alerted when it goes over a threshold.

We already have PRTG and despite giving options like the following, they want something out of PRTG.

  1. Run Speedtest.net with PRTG Network Monitor
  2. How do I differentiate between excessive bandwidth usage with PRTG?
  3. PRTG Manual: QoS (Quality of Service) Round Trip Sensor

Help me /r/networking you're my only hope.



RSPAN with SG350: how to make it work?

Hi,

I have already read a lot of topics about this issue, but none helped me to solve it.

I have a network composed of several SG350s and would like to make RSPAN work.

I started small with only two switches. Following the user manuals, webinars, ... I think I configured the two switches correctly.

On the first switch, I set an RSPAN VLAN, a monitor session with a physical port as source, and the destination is the RSPAN VLAN with an unused physical port as reflector port.

On the second switch, I set the same RSPAN VLAN; the source is now the RSPAN VLAN and the destination a physical port.

The two switches are interconnected through a trunk port (and of course the RSPAN VLAN is tagged on this trunk port).

Wireshark shows no traffic at all from the destination port of the second switch. I also created a classic SPAN session on the first switch to check if traffic is at least sent on the trunk port, but not even that...

I guess I have an issue with the reflector port and how to inject the traffic into the RSPAN VLAN.

Does someone have a clue how to make it work?

I also found this drawing in the User Manual (p. 52): https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/350xg/admin_guide/AG_Tesla_350_550.pdf

But I do not understand how to achieve it; the reflector port cannot be the trunk port, and the text below does not seem aligned.

Thanks in advance for your help!



Sonicwall TZ600 incorrectly sending https traffic through VPN

Hi,

I'm trying here because Sonicwall support couldn't solve my problem. As stated, I have a TZ600 with latest firmware. I have several site-to-site VPNs configured and working fine for some time. We also use SSLVPN for clients.

Certain HTTPS connections to websites from head office are being incorrectly routed over VPN, although I don't know which one. The firewall then drops the connection (code 448) because there is no SA for that address configured. This is essentially regular Internet traffic that is suddenly going out the wrong way and being dropped. It is not all Internet traffic, only certain websites that do not seem related. I'm told all my settings are fine and that this should not be happening. My other sites have no trouble reaching these websites.

The workaround was to make a NAT route specifically for those websites, which is working for one of the websites in question. I would rather solve the underlying issue than resort to a workaround that I have to keep adding sites to.

In addition, the SonicWall can't reach the content filtering server (which may be because of the same HTTPS routing issue) and again, my other sites have no problem. The problem existed before I upgraded to the latest firmware.

Has anyone seen this or have any ideas?



Squid Proxy Transparent

Hello guys,

I'm not sure if this is the right thread to post this question.

So I have put the idea in my head that I want to set up a proxy server at home, which should mainly serve as a cache server. After some short research I came across Squid: free, fast and "easy to set up".

I have an ESXI Hypervisor running on a workstation and all my VMs are located in the server VLAN 20.

After setting up Ubuntu and playing around with Squid a bit, I came to the conclusion that a transparent proxy might be the most appropriate thing to do. Why? You don't need to set the proxy settings on every client, which is a different issue for wireless devices anyway.

I kept the squid.conf file as simple as possible:

http_access allow all
http_port 3128 intercept

With Netplan I have created a virtual network interface:

ens160:
  addresses:
    - 20.0.20.19/24
  gateway4: 20.0.20.1
  nameservers:
    addresses: [20.0.20.1]
vlans:
  vlan.40:
    id: 40
    link: ens160
    addresses: [20.0.40.100/24]

These are the iptables entries for NAT:

iptables -t nat -A PREROUTING -i ens160 -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i ens160 -p tcp --dport 443 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -o vlan40@ens160 -j MASQUERADE

ESXI: The VM is in the port group "VM Network", which is assigned to the normal vSwitch (vSwitch0). VLAN 0 is set there (no tagging)

Switch: The port on the switch is configured as a trunk, with native VLAN 20, i.e. the untagged packets are only tagged at the switch (VLAN 20)

Topology: Meraki MX (Router) -> Meraki MS (Switch) -> ESXI Host -> (vSwitch -> VM Network) -> Squid Server (Ubuntu)

My questions:
- Is this construct even feasible? How would the routing work if the MX (.1) is my gateway? Would I need to change the GW to the proxy and have the proxy forward the packets to the MX?
- I cannot ping 20.0.40.100 from the MX; did I miss something? Do I have to create a new port group with VLAN 40 on the ESXi and assign vlan40@ens160 to it?

I'm getting a headache only thinking about it, but I want to finish what I have started. Thanks a lot, and if you have any remarks, don't hesitate to write :)



Should I change the default FQDN in Ubuntu 18.04 for generating certificates?

I'm using this article to create an image registry for installing OKD on an airgapped environment, which will be used to pull the necessary installation images and move them to the new environment using physical media for installation. It calls for creating

the self-sign CA, server certificate with both the short and fully qualified hostname of this VM

the VM being Ubuntu 18.04. It seems to me that the default fully qualified hostname for Ubuntu 18.04 is just ubuntu. I've tried verifying this with hostname --fqdn as well as checking in /etc/hostname.

I believe the only time any connection outside of the local network needs to be established is when pulling the image files from the OKD repository. So my question is, is this FQDN adequate for my purposes? Is it alright for me to prepare the server certificate with just "ubuntu" as the FQDN? Or should I update it to something else? Thanks!



Looking to transition to an automation-centered role, ideally 100% remote. What skills/experience should I focus on?

Throwaway account. Looking to transition to full-time network automation in the next 18 months or less. Ideally I want 100% remote with occasional travel, but anything focused on automation / integration / infrastructure-as-code interests me.

Network experience:

  • CCNA (expired last year)
  • 4 years managing countywide k12 network over DIA & dark fiber
  • Cisco & HPE/Aruba routing/switching
  • Aruba wifi
  • Palo Alto firewall

Automation experience:

  • Solved business problems with Python, netmiko, NAPALM, textfsm, APIs, etc
    • automated config changes / audits
    • polled facts directly from devices using custom textfsm templates (started the foundation of a python API for legacy IOS)
    • automated IOS upgrades
    • complex firewall config changes via API
    • CRUD operations and custom reports from NMS API
    • automated device provisioning workflow using freeztp (jinja2, etc)
  • posted several projects to GitHub (won't link here for privacy)

Options I'm considering:

  • CCNP / ACNP
  • Ansible
  • Turn a couple github projects into pypi modules
  • contribute to existing codebases such as ntc-templates

My free time is very limited these days, so I want to focus on the most important skills. Appreciate any input, especially from those who have made this transition. Cheers!



N7K 10g over copper?

Can someone set me straight on this? Can they do 10G over copper using a non-Cisco 10G copper SFP+? Or do I need a specific module for it, something like an F2 module?



VLAN hopping/double tagging on a wireless network

Hi guys,

I gotta state that I'm not a pro in this area. Recently I encountered this issue where I have to assess wireless security concerns due to an upcoming project, we're planning to buy Cisco 2802I APs along with a 3504 WLC. I know that we'll have a mgmt vlan in a capwap tunnel from an AP to the WLC, carrying multiple vlans (multiple SSID) to the WLC trunk port.

My question is: do you think it is possible to double tag or vlan hop as a wireless client? If I join a certain SSID that is attached to a vlan in the WLC, it might be possible to hop in another, right?



Anyone here use Forcepoint Cross Domain, or something similar?

Our agency is looking to go with a cross domain solution in the next year or 2, and recently there has been talk of going with Forcepoint and their trusted thin client solution.

First question. How exactly does this work? From my understanding, say you have 5 different networks you administer, you can decide what networks that thin client has access to, and they can switch back and forth between networks, all over one wire. From the distribution console, is this basically similar to how a trunk port and pruning vlans is setup? You decide what networks go over the link to the thin client, so that they only have access to the networks they are authorized to be on? Or does it work in a different way?

Second question. We are a full Cisco network. From the access layer, how are the switches configured for the clients? Is it all just 802.1x on the access ports? Do the ports still need to be assigned a specific vlan?



Stumped on Cisco Native VLAN

I've watched several explanations of the native VLAN; everyone says it's for untagged traffic... but don't all interfaces already have a VLAN?

So we know all ports on a Cisco switch are assigned to either (A) the default VLAN or (B) a custom VLAN. With that being said, the purpose of the native VLAN is to assign untagged traffic coming through the trunk port to a VLAN. My question is... does that mean "untagged" traffic ONLY comes from the default VLAN? Anything else would be tagged as its specified VLAN, right?



Most widely deployed Network Monitoring

Hope you guys are having a wonderful day!

I am in the learning phase of networking, and I want to learn more about network monitoring. So, I am just curious which network tool is most widely deployed in industry.

I want to start with one tool and then move on as per requirements.
I tried searching posted job requirements, but got mixed results. So, if network engineers working in industry could post some suggestions/names of tools they use, it would be a huge help.



Wednesday, October 28, 2020

LACP between HPE and Cisco suspended, what is resolution?

A pair of Cisco 6800 switches has four 10-gig fiber links connecting to a pair of Aruba 7010 controllers. The pairs of links are bundled on each side. On the Aruba side the port is up but line protocol is down; on the Cisco side, the ports are in suspended state.

Tried changing LACP mode to on, didn't work. Shut/no shut on the interface, didn't work. Disabled spanning tree on the controller, didn't work.

I am stumped.



Datacenter Packet Capture Options

Hello,

I have several datacenters that all use Nexus core switches. I have long wanted to get proper packet capture appliances for our datacenters, but every year it is shaved off the budget. Since Nexus does not have a built-in packet capture feature the way Catalyst does, I was wondering what solutions some of you engineers use.

In lieu of a more expensive purpose-built packet capture system, I am entertaining the idea of just putting a big cheap server in each datacenter, putting it on a SPAN port and running Wireshark on it.

Anyone make a poor man's packet capture device? Looking for opinions/options.



Cisco VSM & Cisco's Abrupt Exit Of The Surveillance Business

I know this isn't strictly networking, but I figure that a lot of shops out there combine network, telecom and surveillance into the network shop, given the fairly tight integration that's needed. Also as a heads up for folks that might not be aware.

We learned of the accelerated EOS announcement of VSM this week and are looking at having to do something with our sizeable plant. We had planned some simple hardware refreshes soon, but obviously that's now much more complicated. I'm really not sure about migrating to a Meraki solution, as the EOS notice is trying to encourage. The two don't even seem to be addressing the same market segment.

We have a pretty considerable deployment of Cisco IP cameras currently, several hundred cameras of various models and multiple 3rd party units as well. Almost the entire plant is H.264. We have a half dozen VSM's and four media servers on our main stack, all virtualized on UCS hardware. A forklift of our cameras is not a plausible solution for us as it would take years and millions of bucks we don't have. Many years ago, we did chat some 3rd parties up for server side, but when they started talking about having to write custom drivers to run the Cisco cams, we knew we didn't want to be a one-off.

I'm curious where my fellow enterprise NE's are at for surveillance plants this large. Plusses, minuses and any tidbits of advice for migrating away from Cisco while retaining Cisco camera support?



Is the ARP table dependent or independent of routing?

Hi all,

I have a question regarding the relationship between the arp table and routing.

In our network, we have a L3 link between two routers R1 and R2. If I do a show ip arp on R1 and I see R2's ip address, then does that mean that routing is established between R1 and R2? Or show ip arp doesn't really verify that routing (in this scenario, the protocol we are using is eigrp) works for a L3 link?



Frustrated with vQFX and vMX dual image setup in GNS3

I've been fairly new to the networking side of IT (going on two years) but really like it. I started a job with a large ISP in the US a few months ago and need to get up to speed with multicast ASAP. So I started with the training on Junos Genius and am pretty comfortable with the theory. I am starting to lab up some of the scenarios in the training and Day One books, but the two separate VMs for control and forwarding plane are making some of the labs unwieldy and hard to organize. I've seen rumors of single-VM images for vMX, but those look older (14.something) and seem almost impossible to get your hands on. Are there any tips for 1) some type of layering so that these can look like one device? 2) I've looked into EVE-NG as it's mentioned a bunch in some of the Juniper Day One books; same issue with having to use two images. 3) I used Juniper vLabs but there are limitations. Any help would be nice.



Ethernet from ceiling to central location

I've been tasked with setting up a workstation in the middle of a production warehouse (think forklifts, pallets with 55 gal drums, etc). The computer and peripherals will be housed in a metal cabinet, and traditionally we'd run emt conduit to house and protect ethernet, but this workstation is going in the middle of an open space without any walls or structural elements to attach the emt to. The high voltage will be heavily insulated wiring hung from the 24' ceiling that will run straight down to the cabinet, but I'd prefer not to just zip tie the ethernet to that wiring due to interference risk, and I think emt is out of the question due to the cost of elaborate supports. What would you do in this scenario? Thanks in advance for the input!



IGMP Snooping/Multicast Routing

I have a device that requires broadcast traffic for the controller to be setup. However this device is on a different vlan than the controller software.

vlan 1 - controller
vlan 2 - controller

I enabled IGMP Snooping on both VLANs (Cisco SG500). Both VLANs connect to an ISR 4451 through a trunk.

I assume I have to enable something on the two interfaces on the router.

I have not really done anything with Multicast Routing before so any help would be appreciated. I have found some cisco articles but I don't quite understand what this could possibly break.

Any thoughts advice would be great.



FQDNs That Resolve To Multiple IPs and Firewall Rules

I have a problem that I haven't been able to find answers to with my Google-fu. Our internal workstations need to connect to an antivirus service in the cloud. The hostname they use is whatever.antivirus.com, which resolves to multiple IP addresses. The workstations use the domain controllers for DNS.

The problem is that sometimes the workstations resolve whatever.antivirus.com and get 1.2.3.4 for the IP but then can't connect to it. It seems what's happening is the firewall is querying whatever.antivirus.com and getting a different IP address such as 5.6.7.8, and therefore blocks the workstation's request to 1.2.3.4.

I'm sure a solution must exist for this but I don't know the terms to search for.

Thanks in advance!



Lenovo CNOS - VXLAN BGP EVPN

Hello everyone, Does anyone of you run VXLAN with BGP EVPN in your datacenter using Lenovo switches with CNOS? If yes, how stable is it?



Edge Routers

Hi. I work at a large community college with 25,000 students, where we use an HP Enterprise HSR6602-XG router. We own our own /23 public IP network, with our own AS number, so we do not rely on ISPs to provide us with IPs. We have our own subnet with ARIN. Our router feeds into an HA pair of Fortigate firewalls (managed by someone else).

We have two ISP feeds, to which we have a BGP connection, and the edge router takes care of choosing the best path in and out. Therefore, we download the entire BGP tables into our router.

HP networking is now Aruba and, as far as they have told me, they are not developing a direct replacement for this line of routers as of yet. Our routers reach end of engineering support in 2024.

As I'm unfamiliar with the world of edge routers (I deal mostly with campus switching), what router products are out there that can download the full BGP feeds from two ISPs?

My manager is already cringing at the idea of hearing "Cisco", as he despises their support contract system + cost. I've heard Juniper thrown around as well. I don't want to combine routing in with our next gen firewalls because I absolutely do not want that functionality combined into the firewalls.

TIA!



Securing Web Services- Web Application Firewall

We are looking at deploying WAFs in our enterprise network and are trying to shortlist some vendors. We have web services & portals published that customers use over the internet.

Do any of you have good/bad experiences with WAFs that you would be willing to share? As of right now, the shortlist looks like F5 ASM, Imperva & Citrix NetScaler. Budgeting is not an issue.



Networking specific language

Which is the most networking-specific programming language that I can learn and that would be useful in my networking career? Thanks in advance



Ruckus R510 won't stop updating

The PWR light slowly flashes green for a short time and then goes to solid green while the CTL light flashes green for a few minutes. The CTL light goes out and the PWR light turns red, and then it starts this cycle all over again. After 2 days the PWR light just stayed red. I replaced this Ruckus this afternoon, and the new one is doing the exact same thing. The other 2 Ruckus units on the network are functioning properly, but this one never has. I replaced the Cat6 ends in case that's the problem, but it's still happening. I tried a different port on the Ruckus modem in the low voltage panel and the problem still persists, and I'm out of ideas.




Compatible router ??

I'm tryna find a router that's compatible with the T-MARC 280 Demarcation Device, without spending 1k pounds on a Fortigate 60E router - as that's overkill asf




Networking question regarding destination IPs

I'm relatively new to networking and I've got a question regarding destination IP addresses. I was analysing some network traffic on a network and noticed some packets having a destination IP address that is the default gateway for that particular device. I was under the impression that packets will be routed through a default gateway if the destination IP address is outside its local network, but the destination IP does not change.

I’m wondering if anyone could give any examples of what would cause a packet to have the default gateway as the destination IP.



Question for CCIEs

Those of you who are CCIEs: Do you feel you learned a lot by studying for your certification?

For example, I remember when I was studying for CCNA that I did learn a lot of stuff, both through my job and through going through the curriculum. To be fair, I was at the absolute bottom, and the only way to go was up. I thought TCP ports were like physical holes where you plugged in connectors :).

Then a lot of time passed, I learned a lot more just through working, about networking in general, not just Cisco-related stuff, but I didn't study for any particular certification. When studying for my CCNP, I learned very little that I didn't already know (private VLANs, MST, that you can give names to interface ranges, that you can do tests on a cable with the tdr commands, OSPF zones and LSA types, but that's about it). The exams themselves were a giant PITA with a huge amount of trivia that I had to learn by heart and that I have no use for in the real world, since it's a Google search away if I really need it. And I'm the guy that always baffles his friends by remembering some odd bit of trivia from more than a decade ago.

I learned a lot more by reading the fundamental networking books (Radia Perlman's Interconnections, TCP Illustrated, Doyle's Routing TCP/IP, John T. Moy's OSPF - Anatomy of an Internet protocol, Alex Zinin's - Cisco IP routing), even though these books discuss protocols that are now dead (the OSI stack, ATM, CLNP, IPX). But through that they give perspective - if all you know is TCP/IP because that's all you ever used, do you really know how and why things work the way they do and how this all came to be? Some of these protocols didn't die because they lacked technical merit, a lot of them did because of politics and there are valuable lessons to be learned by looking at what ended up on the cutting room floor.



FTD 6.6.1 is now recommended release

FTD recommended release has moved from 6.4.0.9 to 6.6.1.

Been reading some good things here about 6.6.1 but thought I'd start a thread to see what bugs and caveats people have run into on 6.6.1.

6.4.0.9 has been good but lots of nice new features in 6.6.1. Plus with the new security vulnerabilities that were published last week, now might be the time to move to 6.6.1 instead of upgrading to 6.4.0.10. If I recall, I think one of the vulnerabilities actually requires updating to 6.6.1 to resolve. I'd like to believe it's good since it's now the recommended release but ya know........FirePower.

Please include your FMC platform(physical or virtual) as well as managed device model(s).



Is the CCIE Enterprise worth it?

Hello all,

I am wondering if going for my CCIE Enterprise is worth it.

I am a network engineer with 7 years of experience as a network engineer, and more than that if you include when I was a network technician. I currently have a CCNP Enterprise (I got it when it was the CCNP RS), and a few other Cisco certs, and I am working on my CCNP Security now.

I've had the goal of getting my CCIE since I started working in networking. I'm starting to wonder if it's worth it based on some things I've read recently. Is the pay bump between a CCNP and CCIE that big? Is it worth the stress and hassle?



BGP, Automated Systems, and how routing works.

If I have two nodes in two locations, using BGP, under the same AS and advertising the same prefix, how does BGP know if device A is in location A and not location B?

What happens if an ip collision happens? I'm talking unicast here btw. Also what happens if I try to send a packet to an "inactive"/unassigned ip address?



What is with admins who will only use Cisco for everything regardless of cost?

I'm relatively new to the industry with only 4 years experience, but I've noticed more and more lately that some admins who have been doing this stuff for 10-15 years will only use cisco hardware. I'm not talking about big pieces of equipment, either.

For example, I was talking about getting SFPs for my home lab and a few guys went on an unsolicited rant about how if I get SFPs from anywhere that isn't Cisco I'm gonna "fry my home lab" or "expose my network". That seems a little extreme to me. This isn't the only example I can think of either. As long as stuff comes from a reputable vendor and is compatible, does it really matter that much?



Gotchas on N5K switches

I hate this - but it’s gotta be done.

I’m performing an upgrade on our N5K dcs soon. My test environment contains 2x N5K + 1x2k and whatever server farms hanging off those.

My plan in test is to ensure all N5Ks (fex I’m leaving for now) are joined via vPC, all port channels and their settings are identical on both switches, gracefully shutdown server farms- perform upgrade/downgrade a few times, bring up server farms and hopefully that’ll be fine.

Am I missing anything or is there anything I should look out for?



How do I redirect traffic coming to my website to go through a VPN first(but through a wide range of IPs)?

Motivation: I have a partner that tracks visitors coming to my website and he requires that the visitors be coming from certain countries.

For example, a visitor coming to my website from France, I wanna make some middleware, so that he shows on my website as a German visitor



Tuesday, October 27, 2020

(Windows 10) Internet fails over Wifi but works over Mobile Hotspot that uses same Wifi

When I connect over WiFi directly (PC to router, which is connected to modem), the internet has issues (page doesn't load, will download for a bit then stop). The status shows "Connected, secured" w/ full signal icon. Other times, it will work for a few minutes then will just stop again.

The strange thing is.. it works completely fine on the smartphone that's connected to the very same WIFI. And when I connect my PC to my phone over Mobile Hotspot, internet works fine again (w/ reduced speed tho). Also, yes, I'm sure I'm not using my phone carrier data.

Tried turning off+on router&modem, resetting network setting through Windows settings.

Somehow my PC isn't able to communicate properly with the router, perhaps not being assigned the right IP address or something. And I feel that it's something more about my computer than the router that ruined its capacity to communicate properly, since I've had a virus detected and quarantined recently by Windows Security. Perhaps some vital piece that's relevant to coordinating IP addresses is corrupt or missing?

Any ideas? Thank you in advance



Cisco 4500-x hardware error?

Had a member of a Cisco 4500-x VSS pair start spontaneously rebooting last week. Logs indicate " STANDBY:VFE txQueNextShareByteParErr. TxQueNsb3to0ParLog:" errors repeatedly. Thought maybe it was related to CSCvc20156 but looking closely those appear to be VfeTqBuffersUsedUnderrunErr
VfeTqDhmParErr errors. Unfortunately no smartnet on this member (not my choice) - anyone see this before? Should I assume this is hardware and just replace the member?



Unknown Unicast Flood on Hub Port

Hi guys, I am literally new to networking because mainly I do code, but situation-wise I have to manage my company network too. Please help me any way you know. Thanks in advance.

So, I've got 2 different switches on my network; 1 is an HP 1920, the other is a Netgear S3300 28x.

On both switches, Unicast Storm Control triggered at a few ports which are connected to a hub.

Any ideas why that happens, and maybe a solution? For now I set the Storm Control action to trap, because shutdown would take the client down (for sure).



How long do you expect people to learn and adapt to a very large enterprise infrastructure?

So I have been at a job for the majority of the year working in a hybrid network engineering role and it's been pretty tough, not going to lie. I have a wide range of experience but nothing like this and I can't tell if I'm a slow learner or if it just takes a while to adapt.

I have a CCNA which is basically useless when it comes to troubleshooting anything that's not a hardware issue or other simple stuff that is fairly easy to research or at least problems I can work through with some Googling or time spent on the Cisco forums.

I have experience with virtualization, managing servers, hybrid cloud voice deployments and a lot of things like this.

Just curious what some more experienced people here think as this is basically going into my 3rd year in the industry.



EVPN in a campus network using only eBGP?

Most designs for campus EVPN seem to suggest that you would need to have for example OSPF that redistributes loopbacks and then you would have RRs you peer within the same AS.

How about a campus EVPN setup where all the BGP peerings would happen using eBGP with each "PE" switch having different AS number?

At the moment we run a MPLS network between the campus buildings and the remote sites, something like 100 or so "PE routers" at the moment. We're not really using any of those more advanced MPLS features like TE, FRR or not really even QoS as we have mostly fiber runs between the sites.

Do you see any difference/benefits/pitfalls if we went with EVPN and eBGP between every router (switches doing EVPN...)? Mostly I'm thinking of getting rid of RR's as we have many different sites/buildings so it would be nice to separate those and not have the whole network fail because the RR was not available somewhere. Also not having the "complete state of the network" at each site, as they usually have only 2-3 uplinks to other sites and currently only one of them provides the default route so it does not really matter if the network flaps 100 km away from the router.

Thanks for any ideas!



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Cisco nexus 9336PQ as a “router”

Hi,

I was browsing for some 40gig network switches and I stumbled upon this one: https://www.cisco.com/c/en/us/products/switches/nexus-9336pq-aci-spine-switch/index.html

Port density and capacity is very nice but I’m a bit concerned if this switch has L3 routing capabilities. I’ve gone through all the documents I could find online but still I don’t know for sure if it can or cannot be used for BGP, vPC and other similar functionalities? Does it need another equipment above it to handle this kind of things?

Any additional info is highly appreciated!

Thanks!



small business switch recommendations with dns spoofing

Hey all,

I'm in need of recommendations for a 24 or 28 port gigabit switch that is managed with PoE and DNS spoofing. There will be about 18 endpoints and some APs.

I'm considering going with Ubiquiti but not sure it's worth the hassle of the extra controller because the environment will not be growing (this is sure).

What switches do you recommend?



Starlink $99/month

SpaceX Starlink public beta begins: It’s $99 a month plus $500 up front https://arstechnica.com/information-technology/2020/10/spacex-starlink-public-beta-begins-its-99-a-month-plus-500-up-front/

"Expect to see data speeds vary from 50Mbps to 150Mbps and latency from 20ms to 40ms over the next several months as we enhance the Starlink system. There will also be brief periods of no connectivity at all."

No mention of bandwidth caps or other restrictions. It will be interesting to see how it performs in real life and if it's viable/allowed for business use. Could be an option as a backup or SD-WAN connection.



Configuring One Way L2L VPN Tunnel?

Hey,

We have sites located all throughout the country which have a site to site VPN connection to our datacenter.

I have Ansible set up at our HQ and to automate switch configuration at the retail sites, our HQ needs a VPN tunnel to all the retail sites. Of course, I only want this one way (HQ -> retail sites and not both ways).

Is there a way to configure a site-to-site tunnel for this kind of setup, or is the only option just to configure an ACL on our HQ firewall that has all the retail site subnets and set it to deny all?

Firewall at retail sites: ASA 5506

HQ Firewall: Meraki MX100



Check Point to AWS Tunnel Using VTIs

Hi. I'm looking into how I can set up a VPN tunnel between our Check Point gateway and AWS. We usually use route-based VPNs but it looks like AWS needs VTIs. Just to check I'm not misunderstanding: the local and remote VTI addresses will be the public IPs of both peer gateways, is that correct?



L2 architecture - Vlan issue

Hello,

I require your help as I'm desperate for a solution on this.

First, here's the imgur link for the images used in this post with description:

Schemes

I've been building an ISP architecture since last year with Nexus 9K3 and I'm trying to keep it as simple as possible by mainly using L2 (some people will call me a demon).

Everything works very well with VLANs so far, and I provide different services like:

- Dedicated fiber for direct customers

- Dedicated fiber for customers attached by another cable-operator

- Dedicated Multisite interconnection & internet access

Those are brought up to a datacenter firewall to access the internet with BGP peering, using Fortigate VDOMs to segregate WAN customers from multisite customers.

(See Current-situation.png)

But this week, I'm facing a thing that forces me to think more than usual.

I'm speaking of Transit link.

Another service provider wants to use our fiber network to connect his own customers (because he's not able to buy and put into operation hundreds of km of fiber like us), and wants us to give him back his own customers.

This is common in our country, where we distinguish "service provider" (provides L3/internet services) from "link provider" (that provides the fiber).

I thought "great, I'm going to use Q-in-Q to give him his customers and avoid consuming my own VLAN IDs!"

His customers will start at vlan 201, vlan 202 for customer 2 etc... But these vlan will be transparent to me as I'll just have "vlan 3499" named after my transit peer.

(See Lab1-QinQ.png)

But here's the issue. Q-in-Q works only with tagged VLANs. That means he has to put the VLAN ID on his customer's router, which is not a very nice thing to say to them.

I even tried VLAN mapping, but same issue: mapping the native VLAN is not allowed.

(See Issue.png)

I can still consume my own vlan ids to give him his customers, but that's not a long term solution.

I was thinking of using VXLAN VNIs, but I can't apply them directly on the interface...

I had another idea like in (Lab1-reducingvlan.png) but I don't know how to achieve this.

I'm lost as to what technology I should use. I focus my work on one device, a single N9K3, at this moment.

(Sorry for my English)

*Edit : added the imgur link



My email is undeliverable when I try to send to a bank

I get this error - -- host mx2.domainname.com (IP address)

550 Sender IP reverse lookup rejected (in reply to RCPT TO command)

Is it something I need to fix, or does the recipient have some problem?



Supernatting to the same /18 network with multiple peers

Hello Community

And no, the title is not a typo... I just invented the word.

We (ISP/Hosting) got this ridiculous request a few days ago. Our customer needs to access the same /18 subnet through multiple site-to-site IPsec tunnels to different peers (cities).

The firm hosting the /18 subnet does not allow our customer direct access for some reason...
Because of GDPR they cannot use the same tunnel when they transfer data for each peer (city).

So our job is to make every peer(city) somehow accept that they need to NAT a /18 subnet for our customer through IPSEC... unless we come up with some other idea..

If you got any crazy ideas, they are very much appreciated :)



help with Junos to IOS migration

Hello,

I'm doing a config migration from Junos to IOS and need a little help with part of the new config. The existing Junos config is:

----------------------------
}
policy-options {
    policy-statement MPLS_AS_PREPEND_POL {
        term MPLS_AS_PREPEND_TERM {
            from {
                route-filter 0.0.0.0/0 orlonger;
            }
            then as-path-prepend "65100 65100 65100 65100";
        }
    }
    policy-statement OSPF-ROUTE {
        from {
            protocol ospf;
            route-filter 10.19.8.0/23 exact;
            route-filter 10.19.10.0/23 exact;
            route-filter 10.25.10.0/23 exact;
            route-filter 10.25.8.0/23 exact;
            route-filter 10.27.10.0/23 exact;
            route-filter 10.27.8.0/23 exact;
            route-filter 10.29.2.0/23 exact;
            route-filter 10.29.0.0/23 exact;
        }
        then accept;
    }
    policy-statement arl_routes {
        from {
            route-filter 10.18.8.0/23 exact;
        }
        then accept;
    }
    policy-statement import_direct {
        from {
            protocol direct;
            route-filter 10.16.0.0/24 exact;
            route-filter 10.16.1.0/24 exact;
            route-filter 10.16.2.0/23 exact;
            route-filter 10.16.4.0/23 exact;
            route-filter 10.16.10.0/23 exact;
            route-filter 10.16.12.0/23 exact;
            route-filter 10.16.6.0/24 exact;
            route-filter 10.16.7.0/24 exact;
            route-filter 10.16.16.0/24 exact;
            route-filter 10.16.14.0/24 exact;
            route-filter 10.16.15.0/24 exact;
            route-filter 10.16.8.0/24 exact;
        }
        then accept;
    }
    policy-statement static-route {
        from protocol static;
        then accept;
    }
}
-----------------------------

What do I need to do to create an IOS config from this?

Any help appreciated.
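As an added example (not the poster's config and not vendor tooling), a small Python translator that walks Junos policy-statements like the ones quoted above and emits the IOS prefix-list and route-map equivalents; it assumes terms contain only route-filters, an optional "from protocol" and one "then" action, and it leaves the OSPF process id as a placeholder because the Junos side does not carry it:

```python
import re

# Constructed sample: a trimmed copy of the policy-options stanza posted above.
JUNOS = """policy-options {
    policy-statement MPLS_AS_PREPEND_POL {
        term MPLS_AS_PREPEND_TERM {
            from {
                route-filter 0.0.0.0/0 orlonger;
            }
            then as-path-prepend "65100 65100 65100 65100";
        }
    }
    policy-statement OSPF-ROUTE {
        from {
            protocol ospf;
            route-filter 10.19.8.0/23 exact;
            route-filter 10.19.10.0/23 exact;
        }
        then accept;
    }
    policy-statement static-route {
        from protocol static;
        then accept;
    }
}"""

# Junos 'from protocol' -> IOS 'match source-protocol'; IOS also wants the
# OSPF process id, which Junos does not carry, hence the placeholder.
PROTO_MAP = {"direct": "connected", "static": "static", "ospf": "ospf <OSPF-PROCESS-ID>"}
NEW_TERM = lambda: {"filters": [], "protocol": None, "action": None}

def parse_policies(text):
    """Return {policy_name: [term, ...]}; stanza keywords place every line, so braces are not tracked."""
    policies, terms = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"policy-statement (\S+) \{$", line)
        if m:
            terms = policies.setdefault(m.group(1), [])
            terms.append(NEW_TERM())  # implicit (unnamed) first term
            continue
        if terms is None:
            continue  # lines before the first policy-statement
        term = terms[-1]
        if line.startswith("term ") and any(term.values()):
            terms.append(NEW_TERM())  # a further named term
            continue
        m = re.match(r"route-filter (\S+) (exact|orlonger|longer);$", line)
        if m:
            term["filters"].append((m.group(1), m.group(2)))
            continue
        m = re.match(r"(?:from )?protocol (\S+);$", line)
        if m:
            term["protocol"] = m.group(1)
            continue
        m = re.match(r'then (accept|reject|as-path-prepend "([^"]+)");$', line)
        if m:
            term["action"] = ("prepend", m.group(2)) if m.group(2) else (m.group(1), None)
    return policies

def _prefix_entry(prefix, kind):
    """Map a Junos route-filter match type onto IOS prefix-list ge/le syntax."""
    if kind == "exact":
        return prefix
    if kind == "orlonger":
        return f"{prefix} le 32"
    return f"{prefix} ge {int(prefix.split('/')[1]) + 1} le 32"  # strictly longer

def to_ios(policies):
    """One prefix-list and one route-map clause per term. Caveat: an IOS route-map ends in
    an implicit deny, while the Junos default action depends on where the policy is applied."""
    out = []
    for name, terms in policies.items():
        for i, term in enumerate(terms):
            seq, pl_name = 10 * (i + 1), f"PL_{name}_{10 * (i + 1)}"
            for j, (prefix, kind) in enumerate(term["filters"]):
                out.append(f"ip prefix-list {pl_name} seq {5 * (j + 1)} permit "
                           f"{_prefix_entry(prefix, kind)}")
            action = term["action"] or ("accept", None)
            out.append(f"route-map {name} {'deny' if action[0] == 'reject' else 'permit'} {seq}")
            if term["filters"]:
                out.append(f" match ip address prefix-list {pl_name}")
            if term["protocol"]:
                out.append(f" match source-protocol {PROTO_MAP.get(term['protocol'], term['protocol'])}")
            if action[0] == "prepend":
                out.append(f" set as-path prepend {action[1]}")
    return "\n".join(out)
```

Calling `print(to_ios(parse_policies(JUNOS)))` prints the generated IOS lines; the `match source-protocol` clauses only make sense where the route-map is applied to redistribution, which is what `from protocol` means in Junos.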



VRRP & HSRP on same L2 segment - interference possible?

Hello,

while troubleshooting a VRRP problem on two HA WLCs I found a posting on the vendor's forum suggesting making sure that no HSRP is running on the same L2 segment.

This left me puzzled. Is it possible that those two FHRPs somehow interfere with each other? Different MC group, different virtual MAC address ...



ACL Question

ip access-list extended
 deny ip 10.4.0.48 0.0.0.15 10.0.0.0 0.255.255.255
 deny ip 10.3.0.48 0.0.0.15 172.0.0.0 0.248.255.255
 permit ip any any

I am still able to ping 10.3.2.58, where did I mess up at? Thanks for the help.
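An added example, not the poster's config, that evaluates the ACL above the way IOS does (first match, wildcard bits, implicit deny at the end) against a few constructed source/destination pairs, and lists which 172.x second octets the 0.248.255.255 wildcard really covers; the sample flows are assumptions, since the post does not say which host was pinging:

```python
import ipaddress

# The ACL from the post, as text (the access-list name was not given in the post;
# only 'ip' entries with source/destination wildcards are handled here).
ACL_TEXT = """
deny ip 10.4.0.48 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.3.0.48 0.0.0.15 172.0.0.0 0.248.255.255
permit ip any any
"""

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means the address bit must equal the base bit."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return ((_to_int(addr) ^ _to_int(base)) & care) == 0

def _take_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD')."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Return a list of (action, protocol, (src, src_wc), (dst, dst_wc))."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, proto, rest = parts[0], parts[1], parts[2:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        entries.append((action, proto, src, dst))
    return entries

def evaluate(entries, src, dst):
    """First-match evaluation; returns (entry_index, action), or
    (None, 'deny') for the implicit deny at the end of every IOS ACL."""
    for i, (action, _proto, (sb, sw), (db, dw)) in enumerate(entries):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return i, action
    return None, "deny"

def covered_second_octets(base, wildcard):
    """Second-octet values a wildcard covers; shows how 0.248.255.255
    differs from the 0.15.255.255 that 172.16.0.0/12 would need."""
    b, w = int(base.split(".")[1]), int(wildcard.split(".")[1])
    return [x for x in range(256) if ((x ^ b) & ~w & 0xFF) == 0]

def trace(entries, src, dst):
    """Human-readable one-liner for a sample flow (entries numbered from 1)."""
    idx, action = evaluate(entries, src, dst)
    where = "implicit deny" if idx is None else f"entry {idx + 1}"
    return f"{src} -> {dst}: {action} ({where})"

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed sample flows; the post does not say which host was pinging.
    for s, d in [("10.3.0.50", "10.3.2.58"), ("10.4.0.50", "10.3.2.58"),
                 ("10.3.0.50", "172.17.1.1"), ("10.3.0.50", "172.24.1.1")]:
        print(trace(acl, s, d))
    print("172.x second octets denied:", covered_second_octets("172.0.0.0", "0.248.255.255"))
```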



Xilinx acquisition likely gives AMD the missing pieces to overcome important NFV bottlenecks and accelerate the move towards white box networking

Many people are so focused on the AI applications that they glossed over the rather curious timing of these recent Nvidia-Mellanox, AMD-Xilinx acquisitions. Both Mellanox and Xilinx are innovators and leaders in the NFV space with their own highly accelerated and CPU-offloaded NICs, with Xilinx's foray into the space being almost as recent as its acquisition.

Intel was the first to entice AT&T and the like with their white box CPE SoCs (Xeon-D/Atom Rangeley) with full crypto offload as well as its DPDK-ready NICs, since it was deeply invested in the network virtualization transition from the start.

It's apparent that offloading these low-latency workloads onto NICs with FPGAs and DMA while using kernel-bypassing data planes is where these companies are heading to grab a piece of that massive telco/enterprise IT market share.

Nvidia and AMD giving Intel direct competition in this space bodes well for the future of white box networking.



RADIUS Server GUI suggestions

I'm looking for a simple RADIUS server that allows me to manage users with a GUI. The features provided by FreeRADIUS would be more than enough if it wasn't for the lack of a GUI... Personally, I'm pretty comfortable with dealing with FreeRADIUS via the command line, but I need to give user management access to not-so-techy people... The interface doesn't need to be anything fancy, but having the command line as the only interface with the server isn't enough :(

In the last few days I've been searching for a solution with no luck... I've encountered some GUIs implemented on top of Freeradius (daloradius and whatnot), but all of them seem a bit outdated or not maintained.

Any suggestions? Ideally I'd be looking for a free/opensource solution... Thanks in advance for the help.



Cisco AnyConnect login failed

My company recently took over IT operations for another company. We have next to no documentation to go off of.

Users use CiscoAnyconnect for VPN and we need to be able to manage this system for them.

One user is getting "Login Failed" when trying to connect and I cannot find a way to get their password reset. I can confirm that their AD environment is not integrated with Cisco VPN.

Any guidance will be appreciated....where to start especially. We have access to their servers and domain controllers.

Thanks.



New to Nokia 7750

Hey,

I've been working at a local ISP, still a junior in this field. We are migrating all our edge equipment to Nokia 7750. My question is, can anyone help me with some commands? I didn't manage to find any cheat sheets. I'm interested in commands such as those on Cisco routers. For example, how can I see if a specific port changes its state from up to down? In Cisco we had show log; in Nokia I can't find something similar. Could anyone help me out?



Juniper QFX5120-48T and virtual chassis

Dear Community,

I have a question regarding this feature that's troubling my research.

We are looking at purchasing a couple of QFX5120-48T for one of our customers and want to use the virtual chassis feature.

Looking at the datasheet https://www.juniper.net/us/en/products-services/switching/qfx-series/datasheets/1000639.page it seems like this feature is only available when purchasing one of the advanced licenses. However, correct me if I'm wrong, on the previous generations it wasn't the case.

Is there anyone that has those switches or is a Juniper expert and can confirm or disconfirm this information?

Thanks,



Unable to PXE Boot clients from WDS server across different VLAN’s, IP helpers enabled on Core L3 Cisco Switch

Hi Everyone,

I am facing some issues in PXE booting clients from our WDS server and wanted to get some advice on this. For WDS PXE booting we are not going to use DHCP options and instead go for IP Helpers on our switches yet we are facing an issue after making the configuration changes.

Our current environment:

  • DHCP server IP: 192.168.99.200
  • WDS server IP: 192.168.99.177
  • 1st client on a test 224 VLAN: 192.168.224.xxx
  • 2nd test client on the 192.168.99.xxx VLAN

In the first example (PSA),

Capturing DHCP packets from Wireshark I can see that the 1st client is not even getting through the L3 switch it seems (photo linked), I tried filtering packets for multiple clients and none of them are able to show their mac address as the source on the discover packet. It looks as though the Discover packet is coming from the L3 switch directly to the WDS server unless I am reading this wrong.

In the second example (PSA),

The client machine is routing through a host on the same VLAN as the DHCP and WDS server through a virtual client. From Wireshark, I can only see the client sending out a multicast Discover packet with no response. In this example, I can see the WDS server can recognize the mac address of the client machine, however.

Note:

We do not have DHCP options enabled on our DHCP server for boot file as recommended by Microsoft

Also,

On the WDS server we did not change anything in regards to the WDS options "PXE Response - Respond to all client computers" and "DHCP Authorization - Authorize this WDS server in DHCP". Can we leave those at the default option?

When we tried enabling those options we saw that the DHCP was having problems. Regarding DHCP settings on WDS server, I can assume this should not be touched as our WDS and DHCP are separate servers?

Two things I wanted to point out, I confirmed the boot image .wim runs properly when booting off a removable USB drive.

Secondly, the WDS server is sitting in a VLAN with no DHCP scope setup therefore we cannot test any clients on the same VLAN as WDS server if DHCP scope is required.

Please let me know where we are going wrong here. Thanks!



Building a rural network for Internet access

Hi, I'm a total beginner here and we are planning to build a wireless network to distribute Internet to some places where the phone and fiber lines can't reach.

We would be getting a 1Gbps fiber connection in town, and the houses (maybe 15) that will be getting the connection will be about 2 to 5 km away from the main Internet connection. This will all be wireless.

The ISP will provide a modem/router with this connection; what other equipment is needed, and please suggest good brands for this. Hoping to have a simple and cost-efficient setup for this.

Thanks!!!



UTP 10Gb link on Catalyst 9000

Hello to all,

I would like to ask you about a subject i am currently working on:

Background:

  • Deployment of Catalyst 9300 48 GE SFP ports (C9300-48S) + 10GE module (C-9300-NM-8X)
  • Deployment of a new HP ESX platform with 1Gb and 10Gb UTP NICs

After some research I found the Cisco SFP-10G-T-X module (https://www.cisco.com/c/en/us/products/collateral/interfaces-modules/transceiver-modules/q-and-a-c67-743938.html) which could be used to connect the new switches (via C-9300-NM-8X modules) to the 10Gb ports of the servers. However, it appears that these modules are not currently compatible with the Catalyst 9000 family.

Problems:

  • Modules not compatible with the Catalyst 9000 family
  • No price information about this module is available on the Cisco commerce / ciscogpl websites
  • Module does not appear to be sold by Cisco --> compatible models available (ex: FS Cisco SFP-10G-T-S Compatible Module SFP+)
  • Maintain 10Gb links between the servers and the 9300s
  • Stay on top of the use of BASE-T 10Gb NICs on the server side
  • Avoid replacing (significant additional cost) the current 10Gb BASE-T NICs with server-side SFP+ 10Gb NICs

Questions and Answers:

  • Is it possible to deploy Catalyst 9300 with 10Gb UTP links?
  • Is the SFP-10G-T-X module compatible with Catalyst 9000? If yes, what are the warranty, Smartnet, ... considerations?
  • If not, are we obliged to use SFP modules on the Cisco side and replace the NICs on the server side?
  • What solution could I consider?

Thank you in advance for taking the time to read me and looking forward to your feedback/proposals.

Best regards



Monday, October 26, 2020

Help with Internet

Hey guys, I had to drill a hole in my wall to feed an ethernet cable, the wifi was horrible. I was wondering what I could use to connect that cable (which is connected straight to the modem) so I could use a wired connection to another device besides my PC.

Thanks.



Dot1x Issues

I'm facing a strange issue on my Cisco 9200 series switch. The IP phones connected on my dot1x-enabled ports go to sleep mode after 2-3 minutes of inactivity and I have to wake them up to reconnect. The ports show connected on the switch side but I'm unable to ping the IP address of the phone when inactive. While checking the authentication session it shows authentication success at first, but as soon as the phone gets into sleep mode I get the error (Authentication failed for client: no response from client). Please help.



Help with Redundant WAN and Redundant Network

Every guide I see on the internet references dual WAN to one device, at least in the topology. I am trying to design a network with full redundancy and want to understand if I have the basics correctly.

Two separate connections from Comcast and Verizon.

Assuming Comcast and Verizon only have *one* single ethernet hand-off, I have designed a network topology with this limitation in mind in order to achieve full redundancy.

(1 Ethernet)Comcast--> (1 Ethernet) Managed Switch --> (2 Ethernet; 1 for each Firewall) Firewall using VRRP

(1 Ethernet)Verizon --> (1 Ethernet) Managed Switch --> (2 Ethernet; 1 for each Firewall) Firewall using VRRP

I posted my diagram on imgur --> https://imgur.com/lMYu06t

I want to know if this will work as I intend based on the diagram and the need for redundancy. I am open for any ideas and suggestions. My goal is to create a simple to understand, simple to implement and reliable for the cheap... within reason.



Distribution/core refresh

In charge of a network for K-12. Previous administration used E-rate to buy Dell equivalent switches to replace our site's Cisco 4500s. The current network is about 99% Cisco.

I've mostly worked with Cisco. I don't mind working with other vendors, networking is networking. My only concern is reliability. These 4500s have lasted 5-6 years and are still running like champs, with the occasional bad port.

Does anyone have experience with Dell collapse core switches? Any thoughts?



48 Port Patch Panel Recommendation

Installing a UniFi Switch 48 PoE switch and curious on recommendations for a good patch panel for punching down Cat 6 cable. Thanks!



Recommendations for generic SFP+ vendors?

Yes, I know, Fiberstore. My manager has concerns about Chinese government involvement in the company, and so I am looking for alternatives. Not worth the fight when I'm already trying to convince them to stop spending obscene dollars on Cisco-branded optics.

Work in healthcare, and after a brief year or so of decent budget for upgrades, the COVID has hammered us hard and we're looking for ways to stretch the budget. Optics is low-hanging fruit.

I'd considered AO/Advantage/InterOptic, but I can't find any information on pricing beyond "request a quote". We used them at $OLD_JOB, so I know they work decent, but I'm still in a "convince the boss/team that this is a good idea" phase and getting quotes is not something I want to be doing yet. If anyone knows what their list prices per optic are for both SR and LR SFP+, that would go a ways.

Who are you using for your optics needs?



android alternative for winscp

Is there any android application that supports winscp's .ini configuration ?



Ethernet cable near radiator pipes

I'm setting up a cable about 4cm away from a radiator pipe. Will that interfere with the cable or not?



100G over distances longer than 80 km

As far as I can tell QSFP28 optics max out at 80 km. What are my options for lighting up a single 100G wave over distances longer than 80km on dark fiber?

FS has a muxponder with 100G coherent CFP transceiver for $20k. Are there any other options in or below that price class?



MacOS Disconnections on Cisco Wireless Controllers

We have been working with Cisco TAC to troubleshoot an issue where our MacOS clients will randomly lose connectivity to the default gateway (and thus internet etc.). The wireless will stay connected in the run state, but the Mac will send out repeated ARP requests for the default gateway during the outages. The outages last between 20 seconds to 5 minutes and is resolved once the client gets an ARP response from the gateway.

We have packet captures showing ARP requests going through the CAPWAP tunnel to the controller but NOT leaving the controller to the gateway during the outages. TAC has acknowledged the problem is on the controller, and I’m waiting to hear back from them.

I’m wondering if anyone else has seen similar issues?

We are a university and having students attending Zoom classes from their residence halls doesn't work very well when the "Wi-Fi keeps disconnecting".

More details:

  • WLC is two 5508 in HA configuration
  • WLC was running 8.5.161.0 and we upgraded to 8.5.161.7 to troubleshoot
  • MacOS versions with the issue so far: Catalina 10.15.7 and 10.15.6
  • 250 APs are running in local mode (the issue does not happen when testing in Flexconnect mode with local switching)
  • Default gateway is a Palo Alto firewall
  • The MacOS client sends an ARP broadcast to find the gateway every 20 minutes but the outage doesn’t happen every 20 minutes
  • It seems like the issue appears during high utilization on the controller since I didn’t see any issues when testing over a campus break when many students were gone
  • I’ve seen the issue on multiple SSID’s including a test SSID which only had my clients on it
  • Client debug on the controller shows no issues
  • This doesn’t seem to affect Windows machines

Thank you!



Can't access my server by its public IP when I'm on the same LAN

I have an ownCloud over Ubuntu server. I can't access it by its public IP if I'm in the same LAN. I have to access it from its local IP. But if I'm outside of the LAN I can access it normally. I don't have the permission from the IT department (and it's a complicated subject) to add this server to the domain, so I have to give my few users the public IP to enter when they are at home and a local IP for when they want to access it in the office.

Am I missing a config or something? Maybe something from the iptables?