Saturday, February 27, 2021

Multiple Firewalls at the edge of the network?

Hey Guys,

We have a small business of a few hundred people; they are protected with a SonicWall 4600 series firewall.

Our ISP has given us about 15 static public IPs to use with its 1 gig fiber service.

We have a very specific workflow and we need to add a Palo Alto to our network for performance improvements.

I know that our ISP has a Juniper switch installed and then a device with about 5 Ethernet ports and a few SFPs.

I'm wondering if it would be possible to have both a SonicWall and a Palo Alto at the edge of each of their respective networks?

The idea would be to use a separate static IP for the Palo Alto and just install it side by side next to the SonicWall, then go directly to the ISP device. That way the Palo Alto doesn't have to sit behind the SonicWall.

I want to put a select few computers behind the Palo Alto because it has better performance. I don't want to put the Palo Alto behind the SonicWall because I need real-time site-to-site video playback. The Palo Alto handles this type of real-time playback better than the SonicWall.

We don't have the budget to replace the SonicWall with an adequately sized Palo Alto, so we just want to use a mini Palo Alto side by side next to the SonicWall.

Is my idea possible?



Is Starlink a WISP Killer?

I have a close friend who's thinking about working a networking job for a mid-tier WISP. He has a few other offers on the table. I've advised him that WISPs are direct competitors to Starlink and will likely go the way of the horse and buggy over the next 12-36 months. He's on the fence, but it's a tantalizing offer. Obviously he doesn't want to get a start headed down a dead-end road.

So what do y'all think? Is Starlink going to get rid of WISPs? It seems like they plan on competing within the same market. Also, is Starlink a threat to traditional ISPs like Spectrum or Charter?



Network ring design for maximum resilience?

I'm designing a network for a new train system, and the stations are arranged in a ring of about 20 stations. Each station has 72 strands of dark fiber between them, and the plan is to run EIGRP (we are a heavy Cisco shop) with two switches at each station for HA. Assuming that under normal circumstances we only lose one switch at a station during a failure situation, what would be the most dependable layout for fast convergence and maximum uptime? A simple ring? Triangles? What other design options are there?

Thanks for any suggestions!



Sending SMS through SMPP, looking for a course or certification

Hi,

I want to start a business doing 2FA and bulk SMS like Twilio. I did many searches online, and many people were talking about SMPP, SMSC, etc., but I'm looking for a webinar that covers the topic of sending SMSes through SMPP and more.

What course do you recommend me to take?



S2750-28TP-PWR-EI-AC Firmware issue

Hi all, I have an old S2750-28TP-PWR-EI-AC which had the flash file system formatted (so it is missing the startup file). I created an account on support.huawei.com, registered the device, and downloaded S2750EI-V200R011C10SPC600.zip, which is the latest firmware for the S2750-28TP-PWR-EI-AC. As the switch has no firmware I had to load this over serial, which even at 115200 baud took 4 and a half hours to transfer the 27MB firmware file (S2750EI-V200R011C10SPC600.cc). But once I try to change the startup file to the new filename, I get this:

```
Flash startup file (can not be cleared)
current: s2750ei-v200r007c00spc500.cc
new : s2750ei-v200r011c10spc600.cc

Error: The file is not a valid startup file.
```

Any ideas? There were no errors during transfer, and I really don't want to wait another 4 hours to try the same file again. There is an FTP client, but this is at a remote site and I'm remoting into an old MacBook Pro with a USB<>Serial adapter to do this. No way I can get a local FTP server running; the switch can't use a gateway, so it has to be on the local network :(



Where to start with OSPF implementation??

To make a complex issue as simple as I can... I work in an environment that utilizes static routing almost exclusively. I would like to implement OSPF and eventually redistribute it into BGP for all of our WAN connections.

The problem I am running into is that I don't know where to start when it comes to designing areas. I know areas need to reach back to area 0, but our network is a mess topology-wise. I would like to make the OSPF configurations as simple as I can for the sake of newer technicians in my work center. However, I have no idea how I will be able to have all areas reach back to area 0 without the use of virtual links.

If anyone has advice on transitioning a large network utilizing static routing over to OSPF I would greatly appreciate it.



Router/NAT on public or private (or both) network

I'm taking a practice exam for AWS, though their VPC technology may be different than Cisco there were 2 options. One to place the NAT on the private network and one to place the NAT on the public network. Shouldn't it be on both or in the DMZ? I answered private and the correct answer was public. Then I thought the same question for a router as an Internet Gateway. Any help would be appreciated, Thanks!



Cisco Identity Based Firewall Access - Issues

Hello,

I’ve recently setup identity based access on our Cisco firewalls using Cisco ISE.

I have five locations that this is setup for. Rules are in place for wired and wireless networks that require identity to work.

My problem is that when someone swaps from either wired or wireless, they get a new IP address on a different subnet and thus the identity rules no longer work.

I’m really struggling to find a solution to this. Is there anyway that I can resolve this without asking people to lock and unlock their machine? I’m not sure if there’s any AnyConnect modules available that can assist with this?

TIA.



Novice question: How to create LAN over internet?

Hi all, my question might look stupid, but please pardon me. I am trying to set up high availability with 3 servers. Keepalived and HAProxy are used for this. A Keepalived virtual IP requires nodes to be in the same subnet, but the VMs I am working on are located in different regions with different public IP ranges. Now, how can I set up a LAN between these servers so that all will be connected in the same subnet? I tried WireGuard and Nebula, but due to the security settings they provide, the virtual IP is working fine but can't be reached from other nodes. What do you suggest for this? Thanks in advance.



Wireless Coverage in Warehouse

For our wireless experts.

I am relocating my business to a new warehouse (still being built). One of the needs I have is providing wireless coverage (preferably mesh or seamless handoff) for our warehouse staff, who use tablets as part of their work. The ceiling is 22' and the dimensions are 31' x 67'. I am looking for an AP that most likely would need to be mounted vertically. Any suggestions/ideas for equipment providers that have a good quality product and can survive in an open warehouse environment?



Cheapest 10G router?

We're lucky that we colo in an ISP that runs our local IX, and ports into that are free at any speed (yay!).

This org has traditionally used UBNT EdgeRouters as our needs were very simple, we've since dabbled into Mikrotik simply because we needed some 10G ports and the price was cheap enough we figured "lets try it". So far it's been halfway decent but the lack of IPv6 support and some other routing oddities are driving me to look elsewhere.

We've got a 1G DIA link, a 10G IX link, both receiving on net + defaults (which means about 500 routes on the DIA side and about 90k on the IX) and two 10G ports in a LAG back to the switches.

I'm hoping to find something a little more enterprise than the 'Tik without a 30k pricetag.

TNSR on Netgate looks promising, but the forums show some BGP growing pains; this may be very interesting in a year or two, but I don't think now.

Any ideas here?



Router is at the address ending .254 on network

Hello, fellow networkers, if I may I would like to ask a question.

I have homework to create a class B network.

I've assigned two networks of IPs, 128.1.0.1 and 128.1.0.2, with a subnet mask of 255.255.0.0.

Then I realized I had forgotten about this requirement that I saw in the requirements, but I don't really know what it means: Router is at the address ending .254 on network

What is this supposed to mean?

Thank you very much for any help and feedback, have a nice weekend guys.



How do you guys monitor the built-in shaper usage in ISR and ASR routers?

During a monitoring tune up session it occurred to me that this might be interesting to monitor rather than have to calculate it from the sum of all the interfaces. Is that a thing and does anyone do it?

Back in the day you'd monitor your router capacity by keeping tabs on CPU and memory, but nowadays you have an ASR whose hardware is capable of 20Gbps but you only have the 2.5Gbps license, so you can run out of throughput long before the CPU load ramps up. I can see how being able to plot a trend and see when you might need to look at upgrading the license might be useful.

Interested to hear your thoughts.



EOL Enterprise Firewall Questions and Recommendations

Hello. We have a Cyberoam CR 500iNG-XP in our office, but it is due for EOL next month, so in my understanding the support and the subscription-based features will also end. So my first question is: with appliances like this, is there anything else we can do with them after retiring them? Can we repurpose it as, let's say, a Linux server, or are these things locked? Or is it wiser to look for exchange programs with suppliers? Pardon me if this is a dumb question. Second, when buying NGFWs, how many years is normally the life of these appliances before they go EOL? Lastly, I've found these recommendations to replace the said model in other forums, mentioning Palo Alto PA-3000, SonicWall NSA4600, and Fortinet E or F series. I'm still checking them out. Any comments on these models? Thanks!



Friday, February 26, 2021

UDP Packet Corruption

Hey y'all, I made a few posts a few months ago asking how to do reliable high-rate UDP transmission.

I'm now able to receive data at high speed from SFP+ fiber connected to another device. Only thing is, I'm getting 99.9% accurate data, and it always seems to corrupt in the same area, usually towards the end of the file transmission.

The device sends me packets, and I dump the entire packet minus the initial 4-byte header into a memory-mapped file on Windows. I keep track of the position for the file write, and this for the most part is able to assemble the file correctly except towards the end.

I don't get any packet loss on these full dumps; I discard the entire MMF if I get anything less or more than the desired number of packets. But when I do get the full transmission, towards the end of the file I get random bytes being flipped to 0s, never the case for them to be flipped to 1s. I did a hex compare and it's strangely always in the same area of the dump.

I don't think there's anything wrong with my algo to store the data, since there'd be rampant corruption everywhere, and I treat the data the same whether it's at the beginning of the transmission or the end.

My system: Windows 10

Xeon Silvers @ 2.2GHz

Intel X710 10G adapter

Jumbo frames are set, datagram size is 8400

Method used to catch the data: Registered I/O with a 2GB ring buffer, and I dedicate a single thread to polling the receive constantly.
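One way to localize corruption like this, as an added example that is not code from the original post: the script below compares a known-good dump with a received one, counts 1-to-0 and 0-to-1 bit flips separately, and maps each corrupt offset to its datagram index, its offset inside that datagram, and whether the damaged range straddles a wrap of the receive ring. If the damage always lands at the same offset inside a datagram or at a ring-wrap boundary, the reassembly or buffer arithmetic is the suspect; if it tracks a fixed region of the file regardless of datagram alignment, look at the memory path instead. The 8396-byte payload (8400-byte datagram minus the 4-byte header), the 2GB ring size and the sample dumps are constructed assumptions.

```python
import random

# Assumption from the post: 8400-byte datagrams with a 4-byte header stripped before the write.
PAYLOAD_PER_DATAGRAM = 8400 - 4


def bit_flips(expected, received):
    """Yield (offset, ones_cleared, zeros_set) for every byte that differs."""
    if len(expected) != len(received):
        raise ValueError("dumps differ in length; only compare complete transmissions")
    for offset, (e, r) in enumerate(zip(expected, received)):
        if e != r:
            changed = e ^ r
            # bits that were 1 in the expected byte and are now 0, and the reverse
            yield offset, bin(changed & e).count("1"), bin(changed & r).count("1")


def summarize(expected, received, payload_len=PAYLOAD_PER_DATAGRAM, ring_size=2 * 1024 ** 3):
    """Describe where and how the received dump deviates from the expected one."""
    flips = list(bit_flips(expected, received))
    if not flips:
        return {"corrupt_bytes": 0}
    offsets = [o for o, _, _ in flips]
    return {
        "corrupt_bytes": len(flips),
        "ones_cleared": sum(c for _, c, _ in flips),
        "zeros_set": sum(s for _, _, s in flips),
        "first_offset": offsets[0],
        "last_offset": offsets[-1],
        # which datagrams carried the damaged bytes, and where inside each datagram
        "datagrams": sorted({o // payload_len for o in offsets}),
        "offset_in_datagram": (min(o % payload_len for o in offsets),
                               max(o % payload_len for o in offsets)),
        # whether the damaged range lines up with a wrap of the receive ring buffer
        "crosses_ring_wrap": (offsets[0] // ring_size) != (offsets[-1] // ring_size),
        "fraction_into_file": round(offsets[0] / len(expected), 3),
    }


def make_sample(n_datagrams=16, seed=1):
    """Constructed dumps: random payload, then bit 5 cleared in 100 bytes three datagrams from the end."""
    rng = random.Random(seed)
    expected = bytes(rng.getrandbits(8) for _ in range(n_datagrams * PAYLOAD_PER_DATAGRAM))
    received = bytearray(expected)
    start = (n_datagrams - 3) * PAYLOAD_PER_DATAGRAM
    for i in range(start, start + 100):
        received[i] &= 0xDF  # clear bit 5; bytes that did not have it set stay identical
    return expected, bytes(received)


if __name__ == "__main__":
    exp, rec = make_sample()
    for key, value in summarize(exp, rec).items():
        print(f"{key}: {value}")
```

Run it against a real pair of dumps by replacing make_sample() with two reads of the expected and captured files; the zeros_set counter should stay at zero if the pattern the post describes holds, and the datagrams list tells you whether the corruption stays inside one datagram's worth of bytes.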



Is there an affordable router that hosts one VPN network and a regular network?

Like 1 WireGuard WiFi, so I can be protected, and one normal network. I find putting a VPN on a router as your ONLY network annoying. Certain sites block it, etc.



Standard RJ45 Connector with Pass Through Crimper

I've got the Klein pass thru ratcheting crimper and ran out of pass through connectors today.

I know the tool says "not for use with standard connectors" on the packaging. I figure if I remove the blade, it should do the job just fine.

Has anyone ever had an issue using this tool with standard, non-pass thru connectors?



Cisco Firepower 2100 series - Import/Export config and Factory Reset

Hey all,

I have 2 FTDs managed by an FMC in our environment. However, the admin password to log into the FTDs' CLI is not known to anybody, and I've read around that I have to factory reset the FTDs in order to recover it. You would think that you could manage all admin credentials from the web GUI, but of course Cisco separated the credentials for the web GUI and the CLI. So far my experience with Cisco's new generation of firewalls has not been a great one (old school ASA and IOS guy), and I was wondering if anybody here has any experience with recovering admin credentials for the CLI. What steps did you follow? Any hidden "gotchas" when doing this? Was it easy to add these devices back to the FMC?



Python for Network Engineers free course starts next Tuesday

Pretty much once a quarter, we run a free online course on Python for Network Engineers; our next course starts Tuesday, March 2nd. The course is a self-paced, online course though we run it as a cohort on a particular schedule.

The course is a lesson a week for 8 weeks and consists of videos, exercises, and additional content. The course is at its core about Python fundamentals, but it is wrapped up in examples and exercises that should be more familiar to network engineers. The lessons come out every Tuesday morning (U.S. Pacific time).

The weekly syllabus is as follows:
- Week 1: Why Python, the Python Interpreter Shell, and Strings
- Week 2: Numbers, Files, Lists, and Linters
- Week 3: Conditionals and Loops
- Week 4: Dictionaries, Exceptions, and Regular Expressions
- Week 5: Functions and the Python Debugger
- Week 6: Netmiko Basics
- Week 7: Jinja2 Basics, Introduction to YAML and JSON, Complex Data Structures
- Week 8: Libraries, Package Installation, and Virtual Environments

A bit about myself--I am a long-time network engineer (CCIE emeritus) and very into network automation. I am the creator/maintainer of the Netmiko Python library and work quite a bit on the NAPALM project.

Just let me know if you have any questions.

The sign-up page is here:

https://pynet.twb-tech.com/email-signup.html

Regards, Kirk



Intervlan Routing vs Dynamic Routing

I don't understand. Doesn't inter-VLAN routing allow hosts from different subnets to talk to one another? What's the difference between that and dynamic routing?



Anyone with experience using Cradlepoint's SDK for REST APIs?

Hey Folks-

Curious if any network folks have used Cradlepoint's NCOS SDK to make any cool apps? I am trying to get mine to connect to location tracking services using REST APIs, and I am very curious if anyone has them talking directly to something like an NMS or similar.

Basically, those of you with IOT fleets, running any cool stuff locally on those devices?



Securing Trunk Ports in a NAC Environment

Hey all! So, I am working on a project to implement network access control, and our security team has requested that we also secure our trunk ports. The primary scenario is as follows: a number of our wireless APs are utilizing a trunked interface to extend L2 domains to our wireless SSIDs. Some of these ports are physically accessible to end users, and there are frequently cases where users will unplug the AP and connect a laptop/desktop/etc.

What options/best practices exist to prevent a knowledgeable end user, or worse, a threat actor, from attempting to do this and obtaining unfettered access to our network?

To be clear, we are already implementing a black-hole native VLAN, switchport nonegotiate -- what other solutions exist to prevent unauthorized access on these non-NAC'd interfaces?
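An added example, not from the original post: a small audit script that reads an IOS-style running-config and flags AP-facing trunks that lack the controls the poster already applies (explicit trunk mode, switchport nonegotiate, a black-hole native VLAN) plus a pruned allowed-VLAN list, which is the other common gap: a trunk that carries every VLAN hands whoever unplugs the AP a tagged path into all of them. The sample config, the black-hole VLAN number 999 and the interface names are constructed; the checks themselves are plain string matching on the config lines, so run it over a real show running-config to find the ports that still need attention.

```python
from collections import defaultdict

BLACKHOLE_VLAN = 999  # assumption: an unused VLAN reserved as the native VLAN on trunks

# Constructed sample config (not from the post): two AP trunks, an uplink, and one access port.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description AP-LOBBY-01
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30-32
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description AP-BREAKROOM-02
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 description UPLINK-CORE
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
!
"""


def parse_interfaces(config_text):
    """Map each 'interface X' stanza to its indented config lines."""
    interfaces = defaultdict(list)
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
        elif raw.startswith("!"):
            current = None
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
    return dict(interfaces)


def expand_vlan_list(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part.strip():
            vlans.add(int(part))
    return vlans


def audit_trunk(lines, blackhole_vlan=BLACKHOLE_VLAN):
    """Return the findings for one trunk-capable port; an empty list means it passes."""
    findings = []
    mode = native = allowed = None
    for line in lines:
        if line.startswith("switchport mode "):
            mode = line[len("switchport mode "):]
        elif line.startswith("switchport trunk native vlan "):
            native = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            allowed = line[len("switchport trunk allowed vlan "):]
    if mode is None or mode.startswith("dynamic"):
        findings.append("DTP negotiation possible (mode %s): set 'switchport mode trunk'" % (mode or "default"))
    if "switchport nonegotiate" not in lines:
        findings.append("DTP frames still sent: add 'switchport nonegotiate'")
    if native is None:
        findings.append("native VLAN is the default (1): set 'switchport trunk native vlan %d'" % blackhole_vlan)
    elif native != blackhole_vlan:
        findings.append("native VLAN %d is a production VLAN: use black-hole VLAN %d" % (native, blackhole_vlan))
    if allowed is None or allowed == "all":
        findings.append("allowed VLAN list not pruned: every VLAN is reachable tagged from this port")
    elif blackhole_vlan in expand_vlan_list(allowed):
        findings.append("black-hole VLAN %d must not be in the allowed list" % blackhole_vlan)
    if not any(line.startswith("description ") for line in lines):
        findings.append("no description: label the port so it stays on the trunk audit list")
    return findings


def audit_config(config_text, blackhole_vlan=BLACKHOLE_VLAN):
    """Audit every switchport that is a trunk or could negotiate into one."""
    results = {}
    for name, lines in parse_interfaces(config_text).items():
        if not any(line.startswith("switchport") for line in lines):
            continue  # routed port or no switchport config at all
        if "switchport mode access" in lines:
            continue  # access ports are covered by the NAC policy itself
        results[name] = audit_trunk(lines, blackhole_vlan)
    return results


if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Keeping the black-hole VLAN out of the allowed list is deliberate: untagged frames from a laptop plugged into the AP's cable then land on a VLAN the trunk does not carry and go nowhere, while the AP's own tagged SSID traffic is unaffected.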



ICMPv6 type relevance and acceptable filtering

I've been reading RFC 4890 to figure out what ICMP types I need to allow in, and this seems to be the recommended range:

1-4, 128-137, 141-143, 148-149, 151-153

However, it seems like some of these (namely 137, 148-149, 151-153) are intended for upstream routers. I'm just working on the firewall configuration for a bastion host, is the range defined in the RFC good or do I need to remove the 137, 148-149, and 151-153 ranges?

Edit: I've also seen a comment on here which recommended only 1-4, 128-136. Any guidance is appreciated.
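As an added example, not taken from the post or from the RFC text, here is a generator that turns the RFC 4890 local-traffic type list into nftables input rules for either a plain host or a router, which is the distinction the poster is asking about: some types are only ever received by a router or a multicast-snooping switch (Router Solicitation, MLD reports, the Multicast Router Discovery messages 151-153), some only by a host (Router Advertisement, Redirect, SEND Certification Path Advertisement). It also attaches the checks that make the ND and MLD types safe to accept: a link-local source and hop limit 255 for Neighbor Discovery (a forwarded packet has had its hop limit decremented, so an off-link sender cannot produce one) and hop limit 1 for MLD and MRD. Whether SEND or Inverse ND are in use, and whether the host should honour redirects at all, are assumptions exposed as flags; the nft syntax is standard but every rule string is generated here rather than copied from any configuration on the page.

```python
# Match fragments appended before 'accept'.
ND = "ip6 saddr fe80::/10 ip6 hoplimit 255"   # on-link Neighbor Discovery: link-local source, never forwarded
MLD = "ip6 saddr fe80::/10 ip6 hoplimit 1"     # MLD and MRD are sent with hop limit 1

# type: (name, roles that legitimately receive it, match constraint, optional feature flag)
ICMPV6_POLICY = {
    1:   ("destination-unreachable", {"host", "router"}, "", None),
    2:   ("packet-too-big",          {"host", "router"}, "", None),   # needed for path MTU discovery
    3:   ("time-exceeded",           {"host", "router"}, "", None),
    4:   ("parameter-problem",       {"host", "router"}, "", None),
    128: ("echo-request",            {"host", "router"}, "limit rate 10/second", None),
    129: ("echo-reply",              {"host", "router"}, "", None),
    130: ("mld-listener-query",      {"host", "router"}, MLD, None),
    131: ("mld-listener-report",     {"router"},         MLD, None),  # hosts send these, routers receive
    132: ("mld-listener-done",       {"router"},         MLD, None),
    133: ("nd-router-solicit",       {"router"},         ND, None),
    134: ("nd-router-advert",        {"host"},           ND, None),
    135: ("nd-neighbor-solicit",     {"host", "router"}, ND, None),
    136: ("nd-neighbor-advert",      {"host", "router"}, ND, None),
    137: ("nd-redirect",             {"host"},           ND, "redirects"),
    141: ("ind-neighbor-solicit",    {"host", "router"}, ND, "inverse_nd"),  # only on link types that use it
    142: ("ind-neighbor-advert",     {"host", "router"}, ND, "inverse_nd"),
    143: ("mld2-listener-report",    {"router"},         MLD, None),
    148: ("send-cert-path-solicit",  {"router"},         ND, "send"),
    149: ("send-cert-path-advert",   {"host"},           ND, "send"),
    # MRD runs between multicast routers and snooping switches; a plain host never needs it
    151: ("mrd-router-advert",       {"router"},         MLD, None),
    152: ("mrd-router-solicit",      {"router"},         MLD, None),
    153: ("mrd-router-termination",  {"router"},         MLD, None),
}


def accepted_types(role, redirects=True, send=False, inverse_nd=False):
    """ICMPv6 types a node acting as `role` should accept, given the optional features it runs."""
    flags = {"redirects": redirects, "send": send, "inverse_nd": inverse_nd}
    return [t for t, (_, receivers, _, flag) in ICMPV6_POLICY.items()
            if role in receivers and (flag is None or flags[flag])]


def nft_rules(role, **features):
    """Rules for an nftables input chain: one constrained accept per type, then a counted drop."""
    rules = []
    for t in accepted_types(role, **features):
        name, _, constraint, _ = ICMPV6_POLICY[t]
        match = f"icmpv6 type {t}" + (f" {constraint}" if constraint else "")
        rules.append(f"{match} accept  # {name}")
    rules.append("meta l4proto icmpv6 counter drop  # everything else, counted so you notice it")
    return rules


if __name__ == "__main__":
    print("# bastion host, SEND and Inverse ND not deployed")
    for rule in nft_rules("host"):
        print("    " + rule)
```

For the poster's bastion host the result is 1-4, 128-130, 134-137 (and 149 only with send=True); 133, 131-132, 143, 148 and 151-153 drop out because a host never receives them. Whether to keep 137 is a local decision: the RFC lists it for hosts, but a bastion that also sets net.ipv6.conf.all.accept_redirects=0 gains nothing from accepting it, which is what redirects=False expresses.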



A plea for suggestion. Ports dropping connectivity.

Hello everyone, I work with a library that is having very odd connectivity issues. It's not a complicated situation, but it's probably going to be hard to convey the overall issue. So here it goes:

Problem: We have 40 or so Dell Optiplex 9010s that are used for public access computers, and 20 Dell Optiplex 90-somethings that are used for staff computers (not sure of the exact model, but what is important is that they are not 9010s). What we experience is that random public computers (and ONLY the public computers) will drop their Ethernet connection randomly. So no link lights at all, and the switch thinks nothing is plugged in. There is no consistency with which computer screws up or when. We will have no problems for a month and then randomly 2 computers will stop working. No consistency with which computers screw up; it just seems to be luck of the draw.

Current fix: Re-seat the cable at the computer, re-seat at the patch panel, re-seat at the switch, restart the computers, administratively shut down the port and then bring it back up. One of these will generally fix it.

The complicated: We never had an issue with any of these computers until we did three things (unfortunately all at the same upgrade time): we upgraded the library's switches from Cisco 2950 (the old 10/100 switches) to Cisco 3650, we moved the network closet to a bigger room (located 100 feet away from the original closet), and we extended the old closet to the new room with Cat6a cabling.

The complicated 2: Initially we focused on the cabling because the switches think nothing is wrong and re-seating the cables fixes the problem most of the time. The existing wiring is Cat5e, and although we do know the wire pathing etc., we have no true idea of cable length on the existing wiring. Our guess is an average of 150 ft, and then we extended it another 100 ft with Cat6a to the new closet. We looked around a few days ago and saw massive service loops in the ceiling, so it is a concern that we are cracking that 300 ft mark, but my gut/experience tells me that cables that are too long do not show this kind of problem; generally I will see negotiation problems on overly long runs.

The mind blow: So we are faced with no pattern on the computers, no pattern on the fix, and no pattern on the time frame. However, yesterday we had a computer that would not come up for anything. We swapped cables around with the computer next to it and the network connection comes right up; plug the other computer into the dead line and nothing. Swap them around and the one cable works but the original does not. Jiggle all the cables, nothing. Port shutdown and port enable, nothing. As we stared at a rack in confusion I grabbed a short cable from the table and plugged a laptop into the inactive port at the switch and boom, it fires right up. WTF.... Unplug the laptop and plug the original cable back in and boom, it works.... WHAT THE F!

The mind melt: So if it's only the Optiplex 9010s (the staff computers have NEVER done this, and we have a handful at greater run length than the public computers), then it has to be the network card in the PCs? But if the network card is mad, then why does swapping cables fix it? If it's something with the switch, then why does it only happen to the 9010s? If it's something with the cabling, then why is it completely random? We get no errors on the switch as far as port stats go, and we see no reconnections etc. from the PC. Just here one moment and gone the next.

What kind of rubs me the wrong way is that the Cisco switches report nothing at all wrong. No flapping, no errors, no port negotiation attempts, no STP attempts, just "f your cable, there is nothing plugged in."

Sorry for the wall of text, guys, but I am just throwing crap at the wall and seeing what bounces back. This network is set up to the tits with redundancy and properly installed equipment. Everything is E-Rate funded, so no expense was spared when installing the cabling. Grounding everywhere, grounded patch panels, shielded cabling, ground bars in the rack, cable trays in the ceiling.

Side note: we have even switched public computers to the second Cisco switch in the stack and it still happened. We even replaced one of the switches with a hot spare and it still happened. IT HAS TO BE THE CABLING OR PCs but whaaaaaattt theeee....



Kerberos simulator help

Hi all, it's my first time here. I have to do an exercise with a web-based Kerberos simulator that the university gave to me. I start the simulation with a code, then I send the code to the AS, which replies with a key and a ticket, both encrypted. I can decrypt the key with the previous code, and this is the result: {K_C_TGS=xxx, TGS=xxx, timestamps=xxx}. I read online that I should make the authenticator, but I don't actually know how to do that. Any help?
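The missing step, as an added example that is not part of the post or of the university's simulator: after decrypting the AS reply you hold K_C_TGS; the authenticator is {client name, current timestamp} encrypted under that key, and it goes to the TGS together with the TGT, which you cannot read because it is encrypted under the TGS's own key. The script below plays both sides so the checks the TGS performs are visible: it opens the TGT with its key, recovers K_C_TGS from it, decrypts the authenticator with that key (which fails if the requester does not hold the session key), and rejects a principal that differs from the one in the TGT or a timestamp outside the clock-skew window. The cipher is a toy HMAC-based construction standing in for whatever the simulator uses, and the keys and principal names are constructed.

```python
import hashlib
import hmac
import json
import os
import time


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (toy cipher; the real protocol uses AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key, obj):
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def toy_decrypt(key, blob):
    """Verify the tag before touching the ciphertext; a wrong key shows up here."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered message")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


# Constructed long-term keys: K_C plays the role of the simulator's "code", K_TGS is the TGS's own key.
K_C = hashlib.sha256(b"client password").digest()
K_TGS = hashlib.sha256(b"tgs long-term secret").digest()
CLOCK_SKEW = 300  # seconds; authenticators older than this are rejected as replays


def as_exchange(client):
    """AS-REP: {K_C_TGS, TGS, timestamp} for the client, plus a TGT only the TGS can open."""
    k_c_tgs = os.urandom(32).hex()
    now = int(time.time())
    tgt = toy_encrypt(K_TGS, {"client": client, "K_C_TGS": k_c_tgs, "issued": now})
    for_client = toy_encrypt(K_C, {"K_C_TGS": k_c_tgs, "TGS": "krbtgt", "timestamp": now})
    return for_client, tgt


def build_authenticator(k_c_tgs, client, now=None):
    """Authenticator = {client, timestamp} under K_C_TGS; proves the sender holds the session key."""
    if now is None:
        now = int(time.time())
    return toy_encrypt(bytes.fromhex(k_c_tgs), {"client": client, "timestamp": now})


def tgs_exchange(tgt, authenticator, service, now=None):
    """TGS side: validate the TGT and authenticator, then issue a ticket for `service`."""
    if now is None:
        now = int(time.time())
    tgt_body = toy_decrypt(K_TGS, tgt)                                   # only the TGS can do this
    auth = toy_decrypt(bytes.fromhex(tgt_body["K_C_TGS"]), authenticator)  # fails without K_C_TGS
    if auth["client"] != tgt_body["client"]:
        raise ValueError("authenticator principal does not match the TGT")
    if abs(now - auth["timestamp"]) > CLOCK_SKEW:
        raise ValueError("authenticator timestamp outside the clock-skew window (replay or bad clock)")
    return {"client": tgt_body["client"], "service": service, "K_C_S": os.urandom(32).hex()}


def client_flow(client="alice", service="host/fileserver"):
    """The whole client side: AS-REQ/REP, authenticator, TGS-REQ/REP."""
    for_client, tgt = as_exchange(client)
    session = toy_decrypt(K_C, for_client)                # the step the post has already reached
    authenticator = build_authenticator(session["K_C_TGS"], client)   # the missing step
    return tgs_exchange(tgt, authenticator, service)


if __name__ == "__main__":
    print(client_flow())
```

The point to take from tgs_exchange is that the TGS never trusts anything the client sends in the clear: the client's identity comes from inside the TGT, and the authenticator only proves that whoever sent the request could encrypt with the session key the TGT carries and did so recently.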



What are common bandwidth control mechanisms on L2 and L3?

I know of TCP sliding window, but I'm sure there's some other mechanisms to avoid packet loss on a congested network.

I just had an ADSL modem completely drop everything just because one client was using up the upload bandwidth. Other internet connections/routers are still fine even when someone uploads something.

We implemented a workaround by enabling traffic shaping on the firewall before the ISP router, limiting it to just below the maximum bandwidth. I'm trying to understand where this problem could be coming from. What are some good search terms so I can read up on that?

Also, the ISP told us it is a common problem with ADSL, and moving to SDSL should fix it, but it costs a lot more. Right...



Networking to Cloud

Hey everyone,

Looking for some advice. I've been in networking/security for some time now and had the idea of getting into a more cloud solutions architect role. It looks quite interesting, and I've researched and analyzed a lot of the job postings related to cloud engineers/architects, but most are geared towards DevOps developers and programmers. I'm more interested in the design and integration of it from a networking point of view, hybrid deployments between on-prem and cloud, etc., as this would utilize my background a little more.

My conclusion at this point is that it would be difficult to land something without some sort of programming background, which I have none of. Here's another thing: I absolutely hate programming more than anything on this earth; it's just not for me. Also, if I study cloud, it's almost impossible to study programming at the same time while already having a full-time job and a family.

Therefore, I'm just looking for some honest feedback and advice, and I'm curious to know if us network/security guys can get into cloud roles without having that prerequisite of a programming background. In addition, how do you like the work? Do you spend all day, every day in Visio drawing diagrams? Because that also would be boring.

Thanks everyone!



Two-router OSPF with multiple paths

Hi Guys, I feel like I should know this but I want to confirm that what I want to configure makes sense.

I have a router and L3 switch with two paths between them as below:

```
          Primary Route (low cost)
                 +--------+
    +------------+FIREWALL+----------+
    |eth1        +--------+          |ve 2
+--------+                      +---------+
| ROUTER |                      |L3 SWITCH|
+--------+                      +---------+
    |eth2                            |ve 3
    +--------------------------------+
          Backup Route (high cost)
```

I want to configure two interfaces on each system and setup an OSPF neighbour relationship. I want to ensure that traffic ALWAYS passes through the firewall appliance, except if it is no longer able to forward traffic.

Will there be any issues with having two interfaces on the router and on the switch both talking to the other?

I would use STP except the router does not have any L2 switching ports, just L3 interfaces. I am also already using OSPF for route distribution elsewhere in the network.

Thanks in advance!



Point-to-point Wi-fi

Hello!

We need to deploy a wireless solution for a new temporary warehouse. The building is currently under construction and will be ready in 1 month. Fiber/cable internet circuits, on the other hand, will only be ready by July. We want to be up and running once the building is ready, so I think we have no choice but to go with a wireless solution.

The building is right behind our main distribution center, I would say around 300-400 meters away. 5-6 users, laptops, RF scanners, wireless printers, etc. Nothing big. 50-100Mbps of bandwidth is enough. We have 5 units in that new building which represent 20k sq ft total.

Now the first option I see is to go with LTE with MX68CW firewalls to fit in our SD-WAN solution (we already have spares of these).

Second option is to go with a Point-to-point wireless solution, to extend our main campus to that new building. I'm not a wireless expert but I think something like the Aruba 387 series would fit our needs.

First option will be for 2-3 months until we get our fiber circuit. Second option on the other side we could keep it for the whole duration of our lease (1 year). We would also save the fiber costs.

Please let me know your thoughts and suggestions!

Thank you



Does anyone have any networking resources concerned with Free Space Optical (lasercom) networks?

Hi, I'm interested in networking resources concerned with Free Space Optics. I'm familiar with the CCSDS 141.0-P-1.1 Blue Book standards on Optical Communications Physical Layer. I'm familiar with some different types of modulation (on-off keying, pulse-position modulation etc.).

I'd be interested in seeing something with regard to different architectures, optical relays, disruption-tolerant networks; anything I can get my hands on. Are there any go-to resources or references?



CWDM interference?

We're using a lot of Fiberworks 8+1ch CWDM panels. The previous week we had a 10 second (unknown cause) interruption to a link between two sites. We're running 10Gbit on channels 1550, 1570, 1590, 1610; the previous 4 are 1Gbit. The link is about 40km long, but due to multiple CWDM panels on the way we have to use 80km optics. The 10Gigs are also protected by MACsec.

1550nm came back up as expected. C9200

1570nm didn't come back up. C9300

1590nm didn't come back up, and the switch in the switch stack that has the SFP+, a Catalyst 9300, went into some sort of error state: all ports were green and orange. The other switch in the stack, also a C9300, had one of two regular Gi ports stop passing traffic to a different switch stack (Gi1/0/1 and Gi1/0/2 go to a separate switch's Gi1/0/1 and Gi1/0/2; Gi1/0/1 stopped, Gi1/0/2 continued).

The optics on the affected switch (1590nm) report a low signal, -25 dBm, the threshold being -24 dBm. Only this end and this single switch report a low signal.

To remediate the issue, we booted the lower switch in the stack using 1590nm by taking its power. As soon as the power was taken from it, the 1570nm interface on a separate switch came back up again.

Am I seeing interference / chromatic distortions?



Connect to HPE 1920 web interface

So we’ve inherited an old HPE 1920 48p PoE switch. I’ve received sparse documentation but can’t for the love of god figure out how to connect to the web interface. It doesn’t seem to have a physical reset switch.

There’s two VLANs: 888 Management 172.18.0.0/24

801 Clients 172.18.1.0/24

There are 4 ports that MAY have the management VLAN “tagged” on them (not sure what this means). There is nothing else connected to the switch.

If I just connect my laptop to a port it gets a weird IP, 169.64.something, unless I manually set its IPv4 address to something.

How do I configure the laptop's IP to be able to connect when I do find the right port? Do I fill in the DNS field? There is no router connected (I have a Ubiquiti EdgeRouter 4). DHCP?



Asking for some connection methods

I have 2 computers, A and B, and I need to connect WiFi for computer B from A. Any ideas?



Thursday, February 25, 2021

Router Data Flow vs. Switch

Hey everyone! I'm a network novice and I was hoping you could clear up a networking aspect that remains a mystery to me. When I imagine, say, a 48-port switch and the massive amount of data that can traverse it, how is it that a router will typically have 2-4 ports and be able to support that? Granted, the majority of traffic would typically be LAN-only, I suppose. If 48 clients connected to a switch access the WAN, does all that data flow back and forth through that router's 2 ports? I think I'm missing something simple here; I appreciate your help.



Firepower 4110 Cluster - Once device shows it's Port-channels and associated interfaces as down

I've been assigned an issue that seems to be baffling me, and I'm hoping someone has experienced it. I'm fairly new to Cisco Firepower devices.

I have 2 x FP4110s in a cluster, FTD1 and FTD2. The cluster is operational, which I can see in the Diagnostics output in the GUI.

  • 2 x Port-channels are configured, in addition to the Cluster Port-Channel.
  • Port Channel 3 is using Eth1/1 and Eth1/2
  • Port-Channel 2 is using Eth1/3 and Eth1/4

On FTD1...

  • Both PO2 and PO3 are down showing no operational members.
  • Each of the associated interfaces belonging to the respective Port-Channels are showing down (suspended(no LACP PDU)).

On FTD2...

  • Both PO2 and PO3 and all associated interfaces are up and fully operational.

On FTD1, I noticed in both PO2 and PO3 Port-Channel configs, the following config line...

lacp cluster-detach

Other than that line, the configs for each of the port-channels are identical. I'm leaning toward this being the issue, but I also have the questions of how it got this way and how to resolve it. I don't see anything in the logs.

My searches turned up limited results for this config line, only finding reference in release notes referring to the CCL PO48 and it going into this mode after an upgrade.

Both FTD1 and FTD2 have been up for over 800+ days, and no upgrades have been performed.

To resolve the issue, can I simply run "no lacp cluster-detach" under the Port-Channel interface config?

On top of the issue, the device is located in the UK and I'm managing it remotely from Los Angeles.

Has anyone seen this before or have any ideas what may be causing this issue?

Thank you in advance! Your assistance and expertise is appreciated.



Can I connect my desktop directly to my Cisco router, so I don't have to buy a switch?

I found an old Cisco router at a garage sale. I'm playing around with it. It has

ge0/0 ge0/1

fa0/1 fa0/2 fa0/3 fa0/4

My ISP comes into ge0/0.

My desktop is connected to port fa0/1.

How can I go about configuring this?

I've never set up a router with a desktop unless I had a switch in between.

I will buy a Cisco switch eventually, but I'd like to get this working for now.



MikroTik for 10gig in the server room

Hey everyone!

I'm looking at a 10 gig upgrade for our office, at least for the backend to the access switches and server connections.

Our use case is simple. Standard file transfers and AutoDesk software, all reaching back to a file server, as well as your standard AD and other windows services. Currently the server is connected to a 10 gig switch which immediately hands off to a single gigabit connection to drive 5 access switches in my IDFs.

We're not doing any layer 3 stuff in these switches at the moment.

I'm intrigued by the MikroTik hardware, specifically the CRS 312 and CRS 317 for my server room. For the price they seem to be what I need; however, I'm not finding very many reviews on them from a business perspective.

Are any of you guys running these things, or have heard negative or positive feedback on them?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Static route to cable modem causes ARP (CM600/ER-X)

Hello,

I'm trying to add a static route for my cable modem (Netgear CM600) on my router (ER-X) . I do that so I can advertise it over a BGP session I have, without it, BGP won't advertise the route since the link isn't in the local routing table.

Weirdly, when I add the static route, even though it has a /32 CIDR, it causes all outgoing traffic to try to ARP request instead of forwarding the traffic.

I suspect it's because of the inactive link that the modem leaves on initial DHCP.

I'm trying to figure out how I can create this static link without everything becoming ARP(ed)?

Some routing excerpts:

A normal connection, with everything working properly (and WITHOUT my static link):

S > 0.0.0.0/0 [210/0] via 192.168.100.1 inactive
  *> [210/0] via MY_ISP_IP, eth1

Adding the static route produces the following:

S *> 0.0.0.0/0 [210/0] via 192.168.100.1 (recursive is directly connected, eth0)
  *> [210/0] via MY_ISP_IP, eth1

S *> 192.168.100.1/32 [1/0] is directly connected, eth1

Ideas why that routing entry would cause everything to ARP? I am guessing the word 'recursive' is the culprit.



IST and VLAN assignment

In the ENCOR OCG there is this topology: https://ibb.co/44NGvXh. Correct me if I'm wrong, but why are the SW1 to SW2 links access and not trunking?!! Why would you do that? Access ports don't send BPDUs, right? I don't understand why Gi1/0/2 is blocked; is it the normal STP forwarding/blocking negotiation process? The book:

It appears as if traffic between PC-A and PC-B would flow across the Gi1/0/2 interface, as it is an access port assigned to VLAN 10

I went through the [cisco 802.1s whitepaper](https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24248-147.html) and encountered the same exact topology and explanation. Can someone clear this up for me? Thanks.



What IPV6 address is 1::1?

I can't do a Google search because it doesn't work even when I put quotes around the search term like this " 1::1 " and try to search for results.

I thought ::1 means local host. So, what's the difference between ::1 and 1::1?
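
The difference is purely what the `::` shorthand expands to: it stands for the longest run of all-zero 16-bit groups, so `::1` is 0:0:0:0:0:0:0:1 (the loopback address from RFC 4291) while `1::1` is 1:0:0:0:0:0:0:1, an ordinary-looking address that happens to sit inside the 0000::/8 block IANA lists as reserved by the IETF. The following is an added example (not from the original post) that uses Python's standard `ipaddress` module to expand and classify any IPv6 string; the ordering of the checks is mine, chosen so that loopback and link-local are reported before the broad "reserved" bucket they also fall into.

```python
import ipaddress


def describe_ipv6(text: str) -> dict:
    """Expand an IPv6 address and say which special-purpose range it falls in."""
    addr = ipaddress.IPv6Address(text)
    # Order matters: ::1 also lies inside the IETF-reserved ::/8 block, and
    # fe80::/10 inside fe00::/9, so the narrow classes are tested first.
    if addr.is_loopback:
        kind = "loopback"
    elif addr.is_unspecified:
        kind = "unspecified"
    elif addr.is_link_local:
        kind = "link-local"
    elif addr.is_reserved:
        kind = "reserved"
    elif addr.is_private:
        kind = "private (ULA, documentation, etc.)"
    else:
        kind = "global unicast"
    return {
        "input": text,
        "compressed": addr.compressed,   # canonical short form, e.g. "1::1"
        "exploded": addr.exploded,       # all eight groups, zero-padded
        "hextets": [int(h, 16) for h in addr.exploded.split(":")],
        "kind": kind,
    }


def same_address(a: str, b: str) -> bool:
    """True when two textual forms name the same 128-bit address."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


if __name__ == "__main__":
    for text in ("::1", "1::1", "fe80::1", "2001:db8::1"):
        info = describe_ipv6(text)
        print(f"{text:>12} -> {info['exploded']}  ({info['kind']})")
```

Running it shows the two addresses differ in the first group only (1 versus 0), which is the whole difference between them; the loopback meaning belongs to the 128-bit value, not to the `::` notation.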



Virtualization

I was directed here from r/virtualization so hopefully this is the right place.

I work for a smaller company and I'm fairly tech savvy, so I get asked to "help out" with a lot of the operations tasks. I have a basic understanding of networking but very little in terms of virtualization.

I have a group of ~20 employees on Windows 10 machines that use a VPN to connect to our clients billing system to provide support for the client's customers. However, we also have internal applications that require the agents have access to our network for functionality. The client provides the VPN so I can't change that. My idea was to setup Virtual machines that would be able to connect to the VPN so that my employees could have access to both networks simultaneously. This should work right?



Strange NTP Destinations

Hi, I have a FGT pointing to north-america.pool.ntp.org for NTP services. I'm seeing it try to get to destinations like 74.208.235.60 (pakrats.com) and 216.6.2.70 (up2.com). Are these legitimate NTP servers? pakrats.com doesn't look like any NTP server I've ever heard of.
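
pool.ntp.org names resolve to volunteer-run servers, so reverse DNS like pakrats.com or up2.com is normal for the pool rather than a sign of anything wrong. The practical check is to ask each resolved address directly and look at what comes back: a real server answers in mode 4 with a stratum between 1 and 15, a leap indicator other than "unsynchronised", and a transmit timestamp close to the current time. The following is an added example (not from the original post, and not Fortinet code) that decodes the 48-byte NTP header from RFC 5905 and applies that plausibility check; the sample reply is constructed inline so the parsing runs offline, and the `__main__` block does the live lookup against the same pool name.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)

# Constructed sample server reply (48 bytes), not a capture from the poster's
# firewall: LI=0, VN=4, Mode=4 (server), stratum 2, synced to upstream 10.0.0.1.
SAMPLE_REPLY = (
    bytes([0x24, 0x02, 0x03, 0xE9])               # LI/VN/Mode, stratum, poll=3, precision=-23
    + struct.pack("!II", 0x00000100, 0x00000200)  # root delay, root dispersion
    + bytes([10, 0, 0, 1])                        # reference id: IPv4 of upstream (stratum >= 2)
    + struct.pack("!II", 0, 0) * 3                # reference, origin, receive timestamps
    + struct.pack("!II", 0xE3E0B5C0, 0)           # transmit timestamp (seconds, fraction)
)


def parse_ntp_reply(data: bytes) -> dict:
    """Decode the fixed 48-byte NTP header (RFC 5905); extension fields are ignored."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBBb", data[:4])
    refid_raw = data[12:16]
    if stratum <= 1:
        # stratum 0 (kiss-o'-death) and 1 carry a 4-char ASCII code such as GPS, PPS, RATE
        refid = refid_raw.rstrip(b"\x00").decode("ascii", "replace")
    else:
        refid = socket.inet_ntoa(refid_raw)  # IPv4 address of the server's own upstream
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x07,
        "mode": li_vn_mode & 0x07,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "refid": refid,
        "tx_unix": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,
    }


def looks_like_ntp_server(reply: dict, now=None, max_skew: float = 60.0) -> bool:
    """Plausibility check: a real, synchronised server answers in mode 4 with a
    usable stratum, no 'unsynchronised' leap flag, and a clock near ours."""
    now = time.time() if now is None else now
    if reply["mode"] != 4:
        return False
    if not 1 <= reply["stratum"] <= 15:   # 0 = kiss-o'-death, 16 = unsynchronised
        return False
    if reply["leap"] == 3:
        return False
    return abs(now - reply["tx_unix"]) <= max_skew


def query_ntp(host: str, timeout: float = 2.0) -> dict:
    """Send one client request (mode 3) and return the decoded reply plus the answering IP."""
    request = bytearray(48)
    request[0] = 0x23  # LI=0, VN=4, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 123))
        data, peer = sock.recvfrom(512)
    reply = parse_ntp_reply(data)
    reply["peer"] = peer[0]
    return reply


if __name__ == "__main__":
    # Resolve the pool name the way the firewall does, then ask every returned IP.
    addrs = {ai[4][0] for ai in socket.getaddrinfo("north-america.pool.ntp.org", 123, socket.AF_INET)}
    for ip in sorted(addrs):
        try:
            r = query_ntp(ip)
            verdict = "OK" if looks_like_ntp_server(r) else "SUSPECT"
            print(ip, "stratum", r["stratum"], "refid", r["refid"], verdict)
        except OSError as exc:
            print(ip, "no answer:", exc)
```

If a pool member answers sensibly here but the firewall still will not sync to it, the problem is on the path (an outbound UDP/123 policy or NAT timeout), not the server's identity. Note that the pool rotates its answers, so the IPs you see in the logs will change between resolutions.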



SSH0: TCP send failed enqueueing/Requeueing error

Hi guys,

I am having a problem over SSH. I am SSH'ing to a remote router & switch and I noticed that the terminal responses were very slow when entering commands and they would lock up at times and sometimes close the session down.

For example if I entered ''show run''

I will get the response ''Building configuration...'' but it would take about a minute or longer to show any output, and if I started hitting the space bar to see more of the config it would be very slow or it would stall and lock up entirely.

I connected via telnet as a test and everything was fine. So I ran some debugs from a telnet session while connecting in again over SSH.

I can see this error message being logged over and over again.

*Feb 25 16:56:36.058: SSH0: TCP send failed enqueueing

*Feb 25 16:56:36.986: SSH0: TCP send failed, Requeueing

The remote router and switch are connected to a 512/512 kbps VSAT link and the only traffic on this link at the moment is management; the link is not yet in use, so I know it is not a QoS issue.

Troubleshooting I have done so far:

I have regenerated the SSH keys on both router and the switch, no difference was seen.

I have jumped from a PE onshore router to the remote router and switch using SSH and got the same behaviour.

I have telnetted to the router and then SSH'd through to the switch and I still see the behaviour.

I have googled the error however that has not yielded anything that suggests what might be causing my issue.

Router is a Cisco ISR 4321

Router image: isr4300-universalk9.16.09.02.SPA.bin

Switch: Cisco 2960X

Switch Image: c2960x-universalk9-mz.152-2.E7.bin

The link is solid, pinging over it rarely drops a single ping

Any one got any ideas what could be causing the issue with SSH ?

TIA



Win10 - On 10% (on avg) of our PCs, a globe appears at the bottom right on Network Connection. It says "No Internet" but devices have internet. - O365 Issues.

Typically I would say that as long as everything works, leave it be. However, sometimes on those PCs, it loses connection to Office365/Outlook.

I currently have two different "fixes", but really they are just workarounds. I would like to possibly know what is causing the issue so I can resolve this permanently and not have to dick around with it every week.

"Workaround #1"

Let's say a PC is on Ethernet. I will connect to wifi (using USB wifi if it's a desktop), then wait a second, then connect back to Ethernet.

If the PC is on Wifi, I plug the device into ethernet, then back into wifi, then it seems to work.

"Workaround #2"

I run ipconfig, go to the network adapter and input the same exact IP address information as a static IP address, and confirm. Then I change it back from static to DHCP. Now the globe has disappeared and it shows Internet, and her Outlook is working just fine... Noting that the DHCP address before and after setting static is still the SAME.

Both of these "Workarounds" will allow Outlook/O365 to connect.

Any ideas that could lead to a permanent fix would be great. But I would also appreciate any PDQ script or anything to possibly remotely resolve this without having to remote in, or walk to the device to implement one of the above fixes.



Fiber Optic Cable Types for Indoor Backbone < 300ft

Hi all,

I am an AV and IT integrator. I'm not new to fiber optics at all but I am wondering what you all choose for fiber optic runs under 300ft that are all indoors. Most of this is generally drop ceiling or occasional conduit. I only usually pull 6F for these applications and FREEDM One tight buffered was the last product that Corning recommended to us that I installed. I think this is similar to Belden FX tight buffered. I've also installed breakout type fiber (consultant spec) such as Belden FI3B004RB.

When do you choose armored cable? I hesitate on that since it is 3-4X the cost. I also don't see a reason to use loose tube or gel-filled for indoor-only use.

I know you can use innerduct but that may be more expensive than using armored?

Do you have a go-to product?

I know a lot of you here don't install your own fiber but I'm sure you have a say in what other contractors use.



Acquiring of Surprise IoT Devices

One of our campus sites decided they were going to do an "upgrade" to the conferencing equipment in one of their boardrooms. They didn't think to contact TS until the very last minute as the gear is already installed.

The devices connect to their own basic Best Buy router and need an internet connection for the meetings and any firmware updates.

Currently we have two options for the internet connection

Option A:

Acquire an MR52 Meraki AP that has two gig ports available. The WiFi on-site is already completely segregated. This cheap router will then connect directly and simulate being on one of the WiFi SSIDs. An issue with this solution is double NAT.

Option B:

Connect the cheap router directly to an access switch and put it on its own PVLAN.

Also, the router is broadcasting its own SSID that some of the equipment will be connected to.

Any other ideas on how we can provide an internet connection as securely as possible are appreciated.

This site is also extremely remote, thus no new DIA can be added.



Catalyst 9800-L HA question

Hoping this is going to be a short and sweet one. I've got a pair of N+1 5508s that we'll be moving away from, and I'm just wondering: I've heard the HA on the 9800s actually works, so I'm setting it up. The topology information given in the Cisco doc shows the RP ports are connected via a VLAN/switch. Is it acceptable to just connect them to each other (as I've done with my ASAs), or is it necessary to burn two more switch ports and a dedicated VLAN to make this work?



Config file

Hey guys, I have a quick question about how to upload a config to a switch besides copy and paste.

I know that there's another way by uploading a file to the flash and then copying it to the running config, but what kind of file? .txt or something else? And how do I create a backup file?

many thanks



Rack layout for Colo - question about Cisco switch stack

For those of you who like to balance your racks out so they're identical with redundant equipment, how do you handle switch stacks? Do you run a pair of stack cables horizontally between the racks (gross) or run a super long stack cable up and into the ladder tray, then back down (do they even make a stack cable that large?) OR, do you not do that and just home the stack in the same rack?

Just curious - I don't personally like the first 2 options and think I should probably just home them in the same rack



VLT uplink to single multihomed ISP

We are changing vendors and are migrating our switches from Cisco to DELL.

I am now in the process of moving the ISP uplinks from our Cisco core switches to a DELL S5232 VLT-pair. However, I am not sure on how to mimic the Cisco config.

Current (Cisco) situation:

Our Cisco core switches are configured in a VSS pair.

We have a single fiber uplink to each of 2 ISPs, and each VSS member is connected to 1 of the uplinks. This situation works well, and if 1 of the links goes down, the default gateway switches to the working link.

New (DELL) situation:

The big difference in my opinion is that with Cisco we had a single routing table between the VSS peers and this is not the case within a DELL VLT. Moreover routes aren’t synchronized between VLT peers and the VLTi only passes port-channel traffic so these uplink ports are 'orphaned' in some way.

How to make uplink B the backup default gateway for VLT peer A and vice versa?



Question about global IP address allocation/deployment

How does the process of the regional internet registry allocating IP addresses work?

I understand that each RIR allows organizations, often ISPs, to request IP address blocks that they then have assigned to them. The backbone isps then peer with each other using bgp in order to have routes with each other.

What I’m confused about is how exactly the assignment of the global IP works; how do existing routers on the internet know the new owner of the IP address? In what way is the IP address bound to the new organization?

I assume it might have something to do with the AS numbers but I’m not sure how.

If anyone has a link to a writeup or good resource about this level of the internet (IANA, tier1/backbone, BGP) I would be interested in that as well.

Sorry if this is a very noob question, I’ve done a lot of googling/ searching Wikipedia and I still haven’t found a conclusive answer.
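
Two separate mechanisms are at work. The RIR records the allocation in its registry (visible through WHOIS/RDAP), which is an administrative binding between the block and the organisation; it does not by itself tell any router anything. Reachability comes only from the holder (or its upstream) originating the prefix in BGP from an AS number, which is where the ASN comes in. The link between the two is RPKI: the holder publishes a Route Origin Authorization (ROA) through its RIR saying "AS X may originate this prefix up to this length", and routers doing Route Origin Validation (RFC 6811) compare each received announcement against the ROA set. The following is an added example (not from the original post) implementing that comparison over a constructed ROA table; the prefixes and AS numbers are documentation values, and real ROAs would come from an RPKI validator.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # IP prefix the holder authorised
    max_length: int  # longest prefix length the origin AS may announce
    asn: int         # authorised origin AS (0 = nobody may originate it, RFC 7607)


# Constructed ROA table for illustration; a real one comes from the RIR trust
# anchors via an RPKI validator (rpki-client, Routinator, etc.).
SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
    ROA("203.0.113.0/24", 24, 0),   # AS0 ROA: this space must not appear in BGP
)


def origin_asn(as_path: str) -> int:
    """Rightmost AS in an AS_PATH is the origin (AS_SET handling omitted)."""
    return int(as_path.split()[-1])


def validate_origin(announced: str, origin: int, roas=SAMPLE_ROAS) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    prefix = ipaddress.ip_network(announced, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the announcement when the announced prefix is equal to,
        # or more specific than, the ROA prefix (same address family).
        if roa_net.version == prefix.version and prefix.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"   # nobody has published a ROA for this space
    for roa in covering:
        if roa.asn == origin and prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"         # ROAs exist, but wrong origin AS or too-specific prefix


def classify_update(announced: str, as_path: str, roas=SAMPLE_ROAS) -> dict:
    """Apply the common operator policy: drop invalids, accept valid and not-found."""
    origin = origin_asn(as_path)
    state = validate_origin(announced, origin, roas)
    return {"prefix": announced, "origin": origin, "state": state,
            "action": "drop" if state == "invalid" else "accept"}


if __name__ == "__main__":
    for prefix, path in (("192.0.2.0/24", "64500 64510 64496"),
                         ("192.0.2.128/25", "64500 64496"),
                         ("192.0.2.0/24", "64500 64497"),
                         ("198.51.100.0/24", "64500 64496")):
        print(classify_update(prefix, path))
```

The "not-found" state is why RPKI is only a partial answer: a prefix whose holder never published a ROA is still accepted on the basis of the announcement alone, and the WHOIS record is consulted by humans (and by IRR-based filter generators), not by the router.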



How to discover switch IP's and credentials? (Networking noob)

Hello,

I'm a SysAdmin and a networking noob. I have been tasked with the following:

Upgrade (firmware) and refresh credentials on all switches across the environment.

We have multiple locations across the US and there are probably 15 switches. The problem is the previous regime didn't document any switch IPs or creds.

My question is, how can I discover the switches and somehow obtain the admin creds? To the best of my knowledge they are all Cisco switches. If needed we can reset them but that is a last resort.

Thanks and sorry for the silly question.



Network to Code Nautobot

A bit of a rant here: NtC released a new product, Nautobot, and it's big enough that my Google News filters picked it up. Cool! I go to the site https://www.networktocode.com/nautobot/ and the main image looking back at me is a screenshot of NetBox? I read the entire front page and it's nothing but buzzwords about "Source of Truth", "data sources" and "automation." I click for more info and hit a login page.

Nope.

This is not for lack of understanding about this realm of networking; my title has "network" and "automation" in it. I live in NetBox. But if your product page is just a screenshot of someone else's product, with no real description of what you're doing and no easy way to get more information, that's a problem.

NtC, I love some things you've done, but I have no idea what this one even is and I'm your target audience.



Scanning which IPs are whitelisted on Shutdown Network

Hello everyone, I'm from Myanmar. Currently we are dealing with a military coup and the junta is shutting down the internet from 1 am to 9 am every single day. Fortunately for me, I've discovered that some IP addresses are whitelisted on my ISP's firewall, by accident, when I was trying various VPNs to bypass the shutdown. I discovered those IPs purely by luck and I wanted to know if it is possible to scan which IPs are open on the network so that we can build VPNs on similar initial IPs (e.g. 14.xx, 52.xx).



Changing out router

Newbie here

I'm helping out a family friend.

I have some IT experience but not enough with servers

The router he has that connects to some fingerprint scanners uses internet to communicate.

The router has a small range and a very limited number of connections. We got a new router and I gave it a name and password; it connects to all the devices but it doesn't distribute any Internet.

Is there another step that I'm missing? I plugged it into the same port the previous one was in and yes the previous one was given internet access.



Personal ripe account

What are some benefits I could have as a network professional if I had a RIPE account on my personal email?



Wednesday, February 24, 2021

Restrict TLS 1.3 below connection.

Can anyone help me with how to restrict traffic below TLS 1.3?
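
Where you enforce this depends on what you control. On a server you simply raise the minimum protocol version (for example `ssl_protocols TLSv1.3;` in nginx, or `SSLContext.minimum_version = ssl.TLSVersion.TLSv1_3` in Python). In the network path, the only thing a filter can decide on before the handshake is encrypted is the ClientHello: a TLS 1.3 client lists 0x0304 in the supported_versions extension (type 43), while older clients carry no such extension and state their maximum in legacy_version. The following is an added example (not from the original post, and not any vendor's code) that builds a constructed ClientHello, parses the versions it offers, and applies a "TLS 1.3 only" policy the way a handshake-inspecting firewall would; cipher suites and random are placeholders.

```python
import struct

TLS13 = 0x0304
TLS12 = 0x0303
EXT_SUPPORTED_VERSIONS = 43


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def build_client_hello(offered=(), legacy_version=TLS12,
                       cipher_suites=(0x1301, 0xC02F), random_bytes=bytes(32)) -> bytes:
    """Minimal ClientHello record (constructed, not captured). A TLS 1.3 client
    lists its versions in supported_versions; a pre-1.3 client sends none and
    relies on legacy_version alone."""
    body = _u16(legacy_version) + random_bytes + b"\x00"     # version, random, empty session id
    suites = b"".join(_u16(s) for s in cipher_suites)
    body += _u16(len(suites)) + suites + b"\x01\x00"         # compression methods: null only
    exts = b""
    if offered:
        versions = b"".join(_u16(v) for v in offered)
        data = bytes([len(versions)]) + versions
        exts += _u16(EXT_SUPPORTED_VERSIONS) + _u16(len(data)) + data
    body += _u16(len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16" + _u16(0x0301) + _u16(len(handshake)) + handshake  # record layer header


def offered_tls_versions(record: bytes) -> set:
    """Versions a ClientHello is willing to negotiate."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                            # skip random
    pos += 1 + body[pos]                                    # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
    pos += 1 + body[pos]                                    # compression methods
    if pos + 2 > len(body):
        return {legacy_version}                             # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SUPPORTED_VERSIONS:
            count = data[0]                                 # byte length of the version list
            return {struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, count, 2)}
    return {legacy_version}


def permit_tls13_only(record: bytes) -> bool:
    """Policy: let the handshake through only if the client can do TLS 1.3."""
    return TLS13 in offered_tls_versions(record)


if __name__ == "__main__":
    for label, hello in (("modern client", build_client_hello(offered=(TLS13, TLS12))),
                         ("TLS 1.2 client", build_client_hello()),
                         ("TLS 1.0 client", build_client_hello(legacy_version=0x0301))):
        print(label, sorted(hex(v) for v in offered_tls_versions(hello)),
              "ALLOW" if permit_tls13_only(hello) else "BLOCK")
```

A client that offers 1.3 usually offers 1.2 as well, so a ClientHello filter only guarantees that the client is capable of 1.3; the version actually used is chosen by the server in the ServerHello, which is why the server-side minimum setting is the one that truly restricts the connection.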



Increase Subnet vs Multiple Interface IPs

So I am currently in a debate with another technician about either:

* a) adding another /24 interface + dhcp_pool to a VLAN

* b) just changing the subnet mask to /23 (which can be done as gaps were left during the design)

This is for a wired network and would not increase beyond /23, would just mean updating the netmask in DHCP (this network is almost pure dhcp, with 100 static leases and maybe 10 actual static ips on devices)

Is there any performance reason for picking one over the other (i.e. broadcast traffic etc.)? Security is not a concern in this case, so addressing the space separately (via /24) does not matter.
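
One thing worth checking before changing the mask: a /23 is the aligned supernet of the existing /24, not "this /24 plus the next one". 10.20.5.0/24 widens to 10.20.4.0/23, which absorbs 10.20.4.0/24, so the gap that was left has to be the correct neighbour or the change collides with another subnet. The following is an added example (not from the original post) that computes the resulting network, the block it absorbs, any overlap with other allocations, and the static addresses that would need their mask updated; the addresses are constructed.

```python
import ipaddress


def plan_mask_change(current_cidr: str, new_prefixlen: int, allocated=(), statics=()) -> dict:
    """Check what widening a subnet's mask actually does before touching DHCP."""
    current = ipaddress.ip_network(current_cidr, strict=True)
    if new_prefixlen >= current.prefixlen:
        raise ValueError("new mask must be shorter than the current one")
    # The wider network is the aligned supernet, NOT 'current plus the next block'.
    target = current.supernet(new_prefix=new_prefixlen)
    absorbed = [n for n in target.subnets(new_prefix=current.prefixlen) if n != current]
    # Any other allocated network that overlaps the new block is a collision.
    conflicts = [str(a) for a in map(ipaddress.ip_network, allocated)
                 if a != current and a.overlaps(target)]
    # Static hosts keep their address but must be re-masked; flag any outside the block.
    outside = [s for s in statics if ipaddress.ip_address(s) not in target]
    return {
        "target": str(target),
        "absorbed": [str(n) for n in absorbed],
        "conflicts": conflicts,
        "statics_outside": outside,
        "broadcast_domain_hosts": target.num_addresses - 2,
        "safe": not conflicts and not outside,
    }


if __name__ == "__main__":
    print(plan_mask_change("10.20.5.0/24", 23,
                           allocated=["10.20.6.0/24", "10.20.8.0/24"],
                           statics=["10.20.5.1", "10.20.5.250"]))
    print(plan_mask_change("10.20.5.0/24", 23, allocated=["10.20.4.0/24"]))
```

If `conflicts` is non-empty the mask change is off the table and the secondary-address option (a second /24 on the same VLAN interface) is the only one left, since that can use any free block rather than the aligned neighbour. Either way every device on the VLAN shares one Layer 2 broadcast domain, so the broadcast load is governed by host count, not by which of the two addressing schemes you choose; the difference is that hosts in two /24 secondaries on one VLAN reach each other through the router rather than directly.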



Wireless Certificate Issues

I was wondering if anyone may be able to provide some insight into an issue I am experiencing at the moment. We have certificate-based wifi set up, but several users are having consistent issues with connecting. The issue seems to be the certificate, as when you try to connect to the wireless it will state that the certificate for the network cannot be found on this computer.

The certificate is locally on the computer within Personal > Certificates, there is also a valid cert for the local machine in the same location. The certificate is used for VPN also and this works fine, so that seems to indicate that the certificate isn't the issue. If I generate a new certificate for the user, this will work for a number of days and then revert back to the above error.

When looking into this, I can see that when a successful connection is made, the WLAN-AutoConfig event log shows the below fields:

Identity: firstname.lastname@domain.com

User: Domain

Domain: Domain

When the connection is failing it shows;

Identity: NULL

User: firstname.lastname@domain.com

From the auth exchange it states the client is failing to respond with their identity, and then is timing out. As far as I know the above information is taken from the certificate locally on the machine. Does anyone have any ideas why the identity field is being presented as NULL after a period of time?

Apologies if this isn't the correct sub reddit, mods delete if needed.



Upgraded Comcast to 1,000 down and 1,000 up, only one computer is getting 600 down and up

The other computers are pinging at 100down and 9.8 up.

The switch we are using is a TP-Link 8 port gigabit desktop switch, TL-SG108.

Why aren't the other computers pinging in the 600's?



I port forwarded 2 ports

So I did something super stupid: I port forwarded ports 80 and 443 to devices on my network, and now I can't get back into my router to turn it off. Any help?



Multicast TTL on windows

So I've been testing out some proprietary software on windows 10 that is using multicast. I was able to get it to work on a flat network, however, once I tried to route it things failed. I knew my multicast routing was set up correct, so I did a Wireshark and found the multicast packets were being sent with a TTL of 1.

I talked to the company about this, asking if there was a setting they had in there. They told me the problem was with windows, and that I needed to change a multicast TTL setting in windows. However, I'm unable to find anything like a registry setting. I've only found programming guides to tell the Winsock how to handle it. From what I can tell it's on the program itself. Does anyone have any other insight?
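
For what it is worth, the vendor's description matches how the socket API works: the multicast TTL is a per-socket option (IP_MULTICAST_TTL, in Winsock and BSD sockets alike) that defaults to 1, which is exactly the TTL seen in the capture and is what keeps a group on the local segment unless the application raises it. That is why only programming guides mention it; the setting belongs to the program that opens the socket. The following is an added example (not from the original post, and not the vendor's software) showing the option being read and set from Python; it creates a UDP socket and does not need to join a group to demonstrate the point.

```python
import ipaddress
import socket


def multicast_ttl(sock: socket.socket) -> int:
    """Current IP_MULTICAST_TTL of a UDP socket."""
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL)


def default_multicast_ttl() -> int:
    """TTL the OS applies when the application never sets one (expected: 1)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return multicast_ttl(sock)


def open_multicast_sender(ttl: int, iface_ip: str = None) -> socket.socket:
    """UDP socket whose multicast packets leave with the given IP TTL.
    iface_ip (optional) pins the outgoing interface for multi-homed hosts."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL must be 0..255")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # This is the knob the vendor is talking about: per socket, set by the application.
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
    if iface_ip:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface_ip))
    return sock


def send_to_group(sock: socket.socket, group: str, port: int, payload: bytes) -> int:
    """Send one datagram to a multicast group; refuses unicast destinations."""
    if not ipaddress.ip_address(group).is_multicast:
        raise ValueError(f"{group} is not a multicast group")
    return sock.sendto(payload, (group, port))


if __name__ == "__main__":
    print("OS default multicast TTL:", default_multicast_ttl())
    sender = open_multicast_sender(ttl=8)       # enough hops to cross a few routers
    print("sender socket TTL:", multicast_ttl(sender))
    # Constructed test group/port; only sends if a route for it exists.
    send_to_group(sender, "239.1.2.3", 5000, b"hello")
    sender.close()
```

Note that the value is independent of any interface MTU or routing setting: a router drops a multicast packet whose TTL is 1 on arrival (it would be 0 after the decrement), so a TTL of 1 can never be routed no matter how PIM is configured, which is consistent with what the capture showed.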



Vmware nic teaming and Aruba OS switches

I am replacing my current HP 5406 with a pair of Aruba 8320s. Currently, in my VMware environment, each server has 2 10 gig ports combined on a standard vSwitch with NIC teaming on and route based on IP hash selected. On the HP switch, they connect to two ports trunked (HP uses that term for link aggregation) with LACP turned on.

My hope was to split the ports between the two 8320's (VSX is setup) and use MC-Lag to give me redundancy. After doing some research today, I found out that lacp and mc-lag are not supported by VMware on standard vswitches. Now I'm at a loss on the best way to connect them. Should I just change the teaming to route based on origination port ID and just plug them into access ports and is redundancy between two switches not feasible?



Spanning-tree sanity check

Just to make sure I am not going crazy. I'm about to modify some STP priority numbers and I want to ensure there won't be any reconvergence...

Switch 1 - Core - PVST Root bridge for all vlans - Priority 4096

Switch 2 - Old Core - PVST - Priority 24576

Switch 3 - Access - PVST no specified priority

I plan to run the command "no spanning-tree vlan XX priority 24576" on Switch 2, the old core. From what I can tell, since the root bridge is already living on the new core it shouldn't cause the VLAN to reconverge, but the switch itself may have a small disruption for that VLAN.

*** This is during a scheduled maintenance window ***

Thoughts?



Understanding RD in a VRF

Hello,

I am trying to understand the route distinguisher attribute and I have a question.

All the documentation I have read online state that the rd is a tag to assign to the route. For example, if VRF A has rd of 100:100, then the route of 192.168.1.0/24 will be identified as 100:100/192.168.1.0/24 in the routing process (NOT the routing table).

However, in the huge environment I am currently working with, every VRF on every router has a unique RD.

Example:

Let's say that we have this scenario : R1 --> MPLS <-- R2, and we want to configure VRF blue. The documentation states that the config should be:

vrf definition blue
 rd 100:100

on both devices.

However, I am seeing in our production the following:

Router A:

vrf definition blue
 rd 100:12345

and Router B:

vrf definition blue
 rd 100:54321

I thought that the RD was a way to identify VRFs, just like the VLAN number is for VLANs. Am I wrong? Or is it the VRF name that is the primary key?

What is the difference/benefit of having the same rd on the same VRF on every device vs having different rd?
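
The RD is not the VRF's identity; it only makes overlapping IPv4 prefixes from different VRFs distinct inside BGP, by prepending 8 bytes to the prefix to form the VPN-IPv4 NLRI. Which VRF a route lands in is decided entirely by the route-target extended communities (export on the sender, import on the receiver), so the same VRF can carry a different RD on every PE and still work. The practical difference is what a route reflector sees: with one RD per VRF, the same customer prefix from two PEs is one NLRI with two paths and the reflector forwards only its best path; with a unique RD per PE per VRF, they are two different NLRIs, so every PE's path reaches the other PEs, which is what multipath and fast failover in a large deployment need. The following is an added example (not from the original post, and not IOS code) that encodes the RDs from the post and shows the two behaviours; the next hops and route targets are constructed.

```python
import ipaddress
import socket
import struct


def encode_rd(text: str) -> bytes:
    """8-byte route distinguisher, RFC 4364 types 0 (2-byte ASN), 1 (IPv4) and 2 (4-byte ASN)."""
    admin, assigned = text.split(":")
    if "." in admin:
        return struct.pack("!H4sH", 1, socket.inet_aton(admin), int(assigned))
    admin_n, assigned_n = int(admin), int(assigned)
    if admin_n <= 0xFFFF:
        return struct.pack("!HHI", 0, admin_n, assigned_n)
    return struct.pack("!HIH", 2, admin_n, assigned_n)


def vpnv4_nlri(rd: str, prefix: str) -> bytes:
    """VPN-IPv4 NLRI key as carried in MP_REACH_NLRI (MPLS label omitted for brevity):
    length in bits (64 for the RD + prefix length), RD, then the significant prefix bytes."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([64 + net.prefixlen]) + encode_rd(rd) + net.network_address.packed[:nbytes]


def advertise(rib: dict, rd: str, prefix: str, next_hop: str, rts) -> None:
    """What a route reflector stores: paths grouped by (RD, prefix), not by prefix alone."""
    rib.setdefault(vpnv4_nlri(rd, prefix), []).append({"nh": next_hop, "rts": frozenset(rts)})


def best_paths(rib: dict) -> list:
    """A reflector without add-path forwards one path per NLRI (first one here stands in for best)."""
    return [paths[0] for paths in rib.values()]


def imports(paths, vrf_import_rts) -> list:
    """A VRF imports every path whose export RTs intersect its import RTs; the RD plays no part."""
    return [p for p in paths if p["rts"] & frozenset(vrf_import_rts)]


if __name__ == "__main__":
    prefix, rt = "192.168.1.0/24", "100:1"
    unique = {}
    advertise(unique, "100:12345", prefix, "10.0.0.1", {rt})   # Router A
    advertise(unique, "100:54321", prefix, "10.0.0.2", {rt})   # Router B
    shared = {}
    advertise(shared, "100:100", prefix, "10.0.0.1", {rt})
    advertise(shared, "100:100", prefix, "10.0.0.2", {rt})
    print("unique RDs: NLRIs =", len(unique), "paths reflected =", len(best_paths(unique)))
    print("shared RD : NLRIs =", len(shared), "paths reflected =", len(best_paths(shared)))
    print("imported into VRF blue:", len(imports(best_paths(unique), {rt})))
```

So the VRF name is local to each router, the RT set is what ties the VRFs together across the network, and the RD is the per-router disambiguator; the production pattern of a different RD per router is deliberate rather than a misconfiguration.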



Router DMZ Question

I have the typical setup like most people, with the ISP cable modem with wifi. I need to figure out how to get my lab to work properly. I need to figure out a way to have traffic from the internet hit my ADFS Web Proxy that I have in a DMZ. If I set up the cable modem to port forward 443 to the DMZ, will that stop all 443 traffic from my normal devices from accessing https sites on the internet, or is the port forwarding only for inbound traffic?



HA WLC SSO 3504 redundancy port down

Hi all,

I have a very simple design with two 3504s connected directly via the RP. I would like to understand why, when the RP goes down, the 2 WLCs go into split brain and it does not trigger the RMI. Is this correct?



Youtube won't work on Wireless Network but works on Wired Network

Hi everyone,

We are a public school and we have had this problem for a long time now. If I can provide any more details, please let me know.

Following is the topology:

ISP -> Firewall(ip:192.168.2.252) -> Core Layer3 Switch(ip:192.168.2.251)

Core Layer 3 Switch is connected to WLC (ip: 192.168.2.8) and 2951 Router (ip: 192.168.2.253, serving as DHCP server)

We are using Google's DNS(8.8.8.8 and 8.8.4.4) in our network and couple months ago we tried to change the DNS servers to GoGuardian's(Filtering and Monitoring) DNS servers, but that day we have seen couple issues(like YouTube not working) so we had to revert back everything. Ever since we have had this issues even though everything is reverted back.

We can go to YouTube on wired network but not on wireless. We can ping google.com fine on wireless but not YouTube.com.

But we can do an nslookup for YouTube.com, so DNS works fine.

BTW Ping to google.com and YouTube.com on wired network shows "Redirect Network". But remember Youtube.com works on wired. This "Redirect Network" does not happen on pinging on wireless network.

#nslookup on wired network

>nslookup youtube.com
Server:   8.8.8.8
Address:  8.8.8.8#53
Non-authoritative answer:
Name:     youtube.com
Address:  172.217.10.78

>ping youtube.com on wired network

PING youtube.com (172.217.10.78): 56 data bytes
64 bytes from 172.217.10.78: icmp_seq=0 ttl=115 time=18.267 ms
36 bytes from 192.168.2.251: Redirect Network(New addr: 192.168.2.252)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 c6f7   0 0000  40  01 394a 192.168.2.152  172.217.10.78
64 bytes from 172.217.10.78: icmp_seq=1 ttl=115 time=18.607 ms
64 bytes from 172.217.10.78: icmp_seq=2 ttl=115 time=18.594 ms
64 bytes from 172.217.10.78: icmp_seq=3 ttl=115 time=18.532 ms
64 bytes from 172.217.10.78: icmp_seq=4 ttl=115 time=18.181 ms
64 bytes from 172.217.10.78: icmp_seq=5 ttl=115 time=18.726 ms
64 bytes from 172.217.10.78: icmp_seq=6 ttl=115 time=18.606 ms
64 bytes from 172.217.10.78: icmp_seq=7 ttl=115 time=18.201 ms
64 bytes from 172.217.10.78: icmp_seq=8 ttl=115 time=18.387 ms
64 bytes from 172.217.10.78: icmp_seq=9 ttl=115 time=18.608 ms
64 bytes from 172.217.10.78: icmp_seq=10 ttl=115 time=18.639 ms
64 bytes from 172.217.10.78: icmp_seq=11 ttl=115 time=18.536 ms
64 bytes from 172.217.10.78: icmp_seq=12 ttl=115 time=18.399 ms
36 bytes from 192.168.2.251: Redirect Network(New addr: 192.168.2.252)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 ba68   0 0000  40  01 45d9 192.168.2.152  172.217.10.78
64 bytes from 172.217.10.78: icmp_seq=13 ttl=115 time=18.445 ms
64 bytes from 172.217.10.78: icmp_seq=14 ttl=115 time=18.800 ms
64 bytes from 172.217.10.78: icmp_seq=15 ttl=115 time=18.728 ms

#nslookup on wireless network

$ nslookup youtube.com
Server:   8.8.8.8
Address:  8.8.8.8#53
Non-authoritative answer:
Name:     youtube.com
Address:  208.70.74.21

Ping YouTube on wireless network

$ ping youtube.com
PING youtube.com (208.70.74.21): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5

OMG: Just did, whois 172.217.10.78 and got

OrgAbuseHandle: ABUSE5250-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-650-253-0000
OrgAbuseEmail:  network-abuse@google.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE5250-ARIN

but did whois 208.70.74.21

OrgAbuseHandle: ABUSE898-ARIN
OrgAbuseName:   Abuse Department
OrgAbusePhone:  +1-661-554-0287
OrgAbuseEmail:  abuse@multacom.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE898-ARIN

This IP doesn't even show the org as Google.

Seriously lost here. Would WLC cache stuff and somehow affect us?

Some of current DHCP configs on our 2951 Router:

!
ip dhcp pool WIRED
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.251
 dns-server 8.8.8.8 8.8.4.4
!
!
ip dhcp pool WIFI
 network 172.16.0.0 255.255.240.0
 default-router 172.16.14.251
 dns-server 8.8.8.8 8.8.4.4
 lease 7
!

Wireshark shows TCP traffic to

172.16.0.14  208.70.74.21  TCP  78  [TCP Retransmission] 53468 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=110210111 TSecr=0 SACK_PERM=1
TCP Analysis Flag: This frame is a (suspected) retransmission



Vlan 1 bandwidth saturation question

Does it matter if vlan 1 (the SVI) is pegged on bandwidth if the actual physical interfaces are in a port channel which effectively doubles the wire bandwidth over vlan 1's capacity? Would I experience any issues?



Cisco 1921 usbflash0: is driving me crazy

Hey guys, I'm trying to copy my IOS from my USB to the flash, but the router is not detecting it as usbflash0: like usual with other routers! And when I do #dir flash: I get this: # Directory of usbflash0:/

even if I typed dir flash and not dir usbflash0:

any help is welcome



Limit upload speed on devices in network

Hi,

Can anyone explain to a beginner how to limit the upload speed for each device in a network?

I'm using a wireless Netgear router (R7000) and have 40 Mbit upload speed from my ISP. I want to limit it to say 10 Mbit max per device. Is it possible?



BGP routing on the VM or LBs in active-active DC

We're planning to have only two DCs, 5-10 ms latency between them. How would you do active-active for services? I'm thinking EVPN/VXLAN would be quite hard, as there's always the issue of how to route towards the local GW (FW) and not trombone the traffic. Currently we have 4, 2 in each location, and we're doing some sort of VMware clustering spread to both DCs to get "high availability" (in quotation marks as this has failed several times, causing VMs to lose disks and causing long downtimes...)

I'm thinking I would have two options: LB (currently F5, maybe HAProxy in future as we're doing super simple stuff) advertising /32 towards our network and each server having two NICs, one for DC 1 and one for DC 2. When server is in DC 1, it has 192.168.1.0/24 (for example) connected, and in DC 2 it has 192.168.2.0/24 connected. Based on these LB would do AS prepends so the correct LB would get the traffic.

Other option would be to run BGP on the hosts. Configure both 192.168.1.1 and 192.168.2.1 as BGP neighbours and then configure something like 192.168.99.x/32 as the "floating service IP" that the services listen to and always is the same no matter which DC the VM is in.

If we have one VM in each DC I guess the options are pretty much the same? Our problems are with availability, not with performance of a VM.

Any thoughts? Thanks!



POC timelines on new products

My company has traditionally been a Cisco shop. Generally, when it came time for network gear refreshes, the company's approach was to go to Cisco/CDW and ask for their recommendations. Last year we started looking at SD-WAN and did what I would say is our first real POC in our department, and we compared 3 vendors. Of course, just as we were kicking things off COVID hit, which meant we had to refocus a lot of efforts elsewhere to support heavy work-from-home requirements, plus now dealing with trying to do this POC while remote. On top of this, one of the vendors really caused a lot of delays.

Long story short, the exec team started getting unhappy about the length of time the POC was taking. Now we are starting the process of replacing our aging ASA firewalls, and are looking to vendors other than just Cisco given the reputation of FTD. We initially proposed looking at Palo, Fortinet, and FTD (because "Cisco" shop and past relationships they are scared of shaking up with Cisco). Execs came back and are telling us that they are afraid of how long it will take after the SD-WAN POC and want us to only look at FTD and one other vendor. While I will try my best to give FTD a fair shake, I can't really see it beating out Palo based on everything I have heard and seen, and this is mostly going to be us convincing executives to again move away from Cisco.

But where I'm really going with this is: what is a realistic time frame for these kinds of POCs? Obviously it depends on the environment. We're looking to first replace our internet border firewalls, which currently only do filtering. We have a separate environment for AnyConnect, don't terminate tunnels on it, etc. We want more of the next-gen features, but are not looking to add these things to the mix at our internet border routers. We're more of an MSP/ISP for our clients that host specific services for them, and also offer internet connectivity through our DC that runs through our security stacks. Each client is brought into their own VRF, and then currently has an ASA context between them and our core. Then there are a few internal contexts for our services and internal stuff, and finally the internet border firewalls that are between our core and the internet (so client internet traffic goes through 2 firewalls, the context and the border firewall). The big push is to replace the borders this year, but the 5585-X that's handling the contexts also needs to be replaced next year, and we need to consider it when choosing a vendor as we want a unified solution between them. So when considering this, how long should we realistically consider a POC should take?



Help with a network question, Is it even possible?

Hi,

I am trying to come up with a solution at my job to easily connect and configure some ticket validators when they come into the workshop. I want to set it up so they always connect to the configuration server without having to manually configure the IPs on the machines (a long and awkward process)

An example:

The device has the IP 10.111.49.20

It connects to a gateway 10.111.49.1

The gateway is routed to the configuration server 10.250.1.50

The configuration server is always the same for all the machines but the device IPs & gateway IPs are always different. They can be anything within the 10.x.x.x range

I have been experimenting with a virtual machine with OpenWrt installed running on the configuration server. Is there any way to wildcard a gateway IP? Any suggestions or a push in the right direction would be greatly appreciated.

Please excuse my noobishness with networking, I work mostly on hardware repair.



Assigning static IP to every device?

Hello all,

This might seem very dumb to some of you but here goes.

I am helping a friend set up a business. The ISP provided me with all the info in regards to the static IP they set, the gateway, DNS server(s) and subnet mask. I set up the router using this info. Plugged in a managed network switch which is running a few devices. Now do I have to configure every single device on the network with a static IP since the ISP provided one, or does the switch automatically set IPs to the devices?

I am also setting up a NVR and the cameras do not show up, why is this the case? I have set up port forwarding and got nothing so far.

Any help? Sorry, this is a bit all over the place.

Thank you all.



Multisite Isolated Iot Network

Sysadmin here that's been asked to solve a network problem. I've got a multisite network connected via elan and I've been asked to spin up a network for our internet of things devices. They only need an internet connection, they need to be isolated from our other networks.

Create the /22 on our Internet Router (provides DHCP) -> 802.1Q trunk -> Core switch -> elan to remote sites -> tagged ports on switches at remote sites?

I'm sure I'm overlooking something. Or if there's a better way to accomplish this please let me know. I've never been a fan of flat layer 2 networks but that's what I'm working with. We're not about to deploy additional routers and switch to layer 3 between sites.



Do Spine-Leaf architectures need STP?

I started working with mininet and I decided to implement a spine-leaf architecture and as far as I knew Spine-Leaf architectures do not need any loop preventing algorithm. I also read it in this article https://www.arubanetworks.com/spine-leaf-architecture/

The problem is that if I don't use a controller with STP enabled I cannot reach host to host. I can communicate between hosts and leafs or spines but not host to host. Does anyone know why this happens? Why do I need to enable STP?



Nokia 7250-XR3

Greetings

Does anyone by any chance have a datasheet for the Nokia 7250-XR3 router?

Thanks



Question: IP PIM Multicast (sparse mode) on Catalyst with bidirectional flows?

Hi all,

I was wondering whether the following is possible and I could get some advice on below setup:

We have a (Catalyst 9300 & Nexus 5500) network setup with IP Multicast Sparse mode in use.

A while ago a second source / streamer has been added at a last hop switch which also has receivers connected to it.

Here the problem appears:

Example

The green arrows indicate the working main stream

The orange is the secondary which is being passed through till the RP

The red is NOT going through as it has a Prune flag on it on the RP for an unexplainable reason.

Any first thoughts?



CCNP SERVICE PROVIDER

Hi guys,

Straight to the point...I have my CCNP Enterprise at the moment. I recently got a job with an ISP and I realized I am not familiar with some technologies (IS-IS for example). I have now decided to go for the CCNP Service Provider cert, but I can’t seem to find a lot of training content online. I have been able to find the SPCOR training by Sikandar Shaik on Udemy but I’d also like to take the SPRI and SPAUTO concentration exams as well.

I would be very grateful if you awesome people would be able to recommend some content for the course.



Check an inter-Nexus link between two datacenters

Hello,

I need to check a link between two Nexus switches, an optical fiber between two datacenters, and I want to check the performance of the link.

What is the best way to do this?

Thank you



How to force a port to be non-edge once I use "set protocols rstp interface all edge"

Hello,

If I use the below command on ae0.0 to make it p2p, does this override the command "set protocols rstp interface all edge", which sets all ports to edge?

I am really confused about what "mode point-to-point" does. I read it forces the port to be considered full-duplex, and it seems it makes it go to forwarding directly without waiting for the counters.

I need help with this; I need to exclude the uplinks from the "interface all edge".

set protocols rstp interface all edge

set protocols rstp interface ae0.0 mode point-to-point



Tuesday, February 23, 2021

Meraki Go

Anyone using/deploying Cisco Meraki Go switches and can comment on their experiences with such? We have typically deployed SG2xx switches but are considering some Meraki Go switches for a VOIP project.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Subnet my own networks on ARIN db?

We ran into an issue where one of our /19's is using up a whole 10Gbps link. My transit provider only allows announcements that are in the arin database, so right now I can't advertise the /19 as two /20's across our multiple links, and they don't have bgp multipath enabled on their end.

How do I split that /19 up into two /20's that are advertised as "NET"s in ARIN's database? Would that be a "Reassign Addresses" back to myself as /20's?



VLANs and Subnets for Multiple Sites

These archived posts discussed valuable content on the topic of vlans for multiple sites.

https://amp.reddit.com/r/networking/comments/2lrl53/vlans_for_multiple_sites/

https://amp.reddit.com/r/Cisco/comments/fwugfi/multiple_sites_vlan_numbering_best_practices

I really like the concept of the scheme 10.<site-id>.<vlan-id>.<host> and a VLAN across multiple sites. But one thing gives me problems, the assignment of IPs with DHCP.

For example, I have two sites with subnets that have DHCP clients in them. Both subnets share VLAN ID 50.

10.10.50.0/24 - Site A clients
10.10.100.0/24 - Site A server (the DHCP server 10.10.100.20 is located here)
10.11.50.0/24 - Site B clients

When a client makes a DHCP request, it is broadcast across the entire VLAN (across both sites) and relayed to VLAN 100 to the server subnet.

How do I make sure that the client gets an IP from its respective subnet for its location? How must a DHCP relay agent be configured, and where is it needed?

I am very grateful for ideas and suggestions
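An added example (not part of the thread, and not any vendor's code) showing in Python how a DHCP server picks the scope for a relayed request. A relay agent (IOS "ip helper-address" on the client-facing SVI) writes the address of the interface that heard the broadcast into the giaddr field (RFC 2131, section 4.3.1) and forwards the request as unicast; the server then selects the scope whose subnet contains giaddr. The subnets and server address come from the post above; the lease ranges, router options and the client MAC are assumed. The demo also shows what happens when the relay sits on the wrong site's SVI, which is the mis-assignment the post is worried about.

```python
"""Added example (not from the thread): DHCP scope selection by giaddr,
using the thread's 10.<site>.<vlan>.<host> scheme. Lease ranges, router
options and the client MAC are assumed values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

SERVER_IP = "10.10.100.20"          # DHCP server on the site A server subnet (from the post)


@dataclass
class Scope:
    network: ipaddress.IPv4Network
    router: str                      # option 3 handed to clients of this scope
    pool_start: int                  # first host number leased
    pool_end: int                    # last host number leased
    leased: set = field(default_factory=set)

    def allocate(self) -> Optional[ipaddress.IPv4Address]:
        for host in range(self.pool_start, self.pool_end + 1):
            ip = self.network.network_address + host
            if ip not in self.leased:
                self.leased.add(ip)
                return ip
        return None                  # pool exhausted


def new_scopes():
    """One scope per client subnet; the server subnet itself leases nothing."""
    return [
        Scope(ipaddress.ip_network("10.10.50.0/24"), "10.10.50.1", 100, 200),  # site A, VLAN 50
        Scope(ipaddress.ip_network("10.11.50.0/24"), "10.11.50.1", 100, 200),  # site B, VLAN 50
    ]


def relay(discover: dict, helper_if_ip: str) -> dict:
    """Relay agent: stamp giaddr with the receiving SVI address, forward as unicast."""
    fwd = dict(discover)
    if fwd["giaddr"] == "0.0.0.0":   # only the first relay hop sets giaddr
        fwd["giaddr"] = helper_if_ip
    fwd["dst"] = SERVER_IP
    return fwd


def select_scope(packet: dict, scopes, rx_if_ip: str = SERVER_IP):
    """Relayed request: match giaddr. Local broadcast: match the receiving interface."""
    key = packet["giaddr"] if packet["giaddr"] != "0.0.0.0" else rx_if_ip
    g = ipaddress.ip_address(key)
    return next((s for s in scopes if g in s.network), None)


def server_offer(packet: dict, scopes) -> Optional[dict]:
    """Server side: a request whose selector matches no scope is silently ignored."""
    scope = select_scope(packet, scopes)
    if scope is None:
        return None
    ip = scope.allocate()
    if ip is None:
        return None
    return {"yiaddr": str(ip), "mask": str(scope.network.netmask),
            "router": scope.router, "offer_sent_to": packet["giaddr"]}


def demo():
    """Site B client relayed by its own SVI, then by site A's SVI, then by a site with no scope."""
    scopes = new_scopes()
    discover = {"chaddr": "00:11:22:33:44:55", "giaddr": "0.0.0.0", "dst": "255.255.255.255"}
    right = server_offer(relay(discover, "10.11.50.1"), scopes)    # helper on site B's own SVI
    wrong = server_offer(relay(discover, "10.10.50.1"), scopes)    # only SVI for the VLAN is at site A
    unknown = server_offer(relay(discover, "10.12.50.1"), scopes)  # no scope for this site: no OFFER
    return right, wrong, unknown


if __name__ == "__main__":
    for label, offer in zip(("site B relay", "site A relay", "no scope"), demo()):
        print(f"{label:13s} -> {offer}")
```

The takeaway the model makes visible: the scope is chosen by whichever SVI relays, so each site needs its own VLAN 50 gateway carrying the helper address, and a single gateway for the stretched VLAN hands every client the address of the site that gateway lives in.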



Wireless Survey Tools

What tools is everyone using to perform a wireless site survey?



What guidelines do you use for selecting an iSCSI-capable switch?

I realize that we can always ask each manufacturer "do you recommend this switch for iSCSI traffic?", but are there universal/independent metrics that you use to decide if a switch is suitable for iSCSI?

I'm having a surprisingly hard time finding reliable info on this. A lot of vendors don't want to talk specifics about "application layer" protocols.



Split tunneling for Teams/Zoom/outlook365: some questions

Trying to look around to find something to designate for my split tunneling for apps that are packet sensitive. Essentially right now we route all the users VPN traffic through the local internet, which is not good because our sites in the EU have small circuits.

We use Palo Alto, which can split tunnel by IP, or even domain. Was wondering if anyone happened to have a compiled list for at least the Microsoft ones, considering there's probably a bunch, and a bunch of gotchas too.

Also curious how file sharing on teams works, if I share a file to you, are you downloading it through teams domains?



Single IP NAT over IKEv2 VTI route based tunnel

Hi,

I am working on a scenario where the requirement is to NAT a single IP address (172.0.0.0/32) while other private networks (10.0.0.0/8) are allowed to traverse an IKEv2 VTI route based tunnel un-natt'd.

Not really sure how to accomplish this and was hoping someone familiar with this kind of set up could give me some clarification on it. 

My initial thought was to configure a NAT pool, ACL, inside source list or route-map and throw an "ip nat inside" on the tunnel interface like this:

ip nat pool GLOBAL 192.168.1.10 192.168.1.11 netmask 255.255.255.252
ip nat inside source list SINGLEIP pool GLOBAL
ip access-list extended SINGLEIP
 permit ip host 172.16.1.1 any
 deny ip any any
interface Tunnel1
 ip nat inside

However, won't the "ip nat inside" on the tunnel interface deny the other private traffic (10.0.0.0/8) destined for the tunnel?

That's where I find my lack of clarity and need some knowledge. Thanks.



SFP problems between Dell switch and Stratix Switch

I am trying to connect a Dell N3000 to an Allen Bradley 1783.

Here are the models https://i.dell.com/sites/doccontent/shared-content/data-sheets/en/Documents/Dell_Networking_N3000_Series_SpecSheet.pdf

https://literature.rockwellautomation.com/idc/groups/literature/documents/pp/enet-pp005_-en-e.pdf.

The run is about 2 miles in between buildings with ST connections in the patch panel. We are using multimode cables from each switch going to the panel (LC to ST). I have tried multiple different SFPs, but unsure exactly which one to get. I am getting conflicting answers between each vendor.

Both vendors are saying to only use their approved SFPs, obviously. Stratix said to use a 1000Base-LX. For a 2 mile run over multimode fiber, are there any suggestions on which SFP models I should get?

I am trying to get it to work locally before making the actual connections. The Dell switch keeps saying invalid transceiver in the syslog.

Help is greatly appreciated



Understanding Multicast

I have a camera and I have been told that it does not support Multicast Streaming. What makes the difference whether a camera supports multicast streaming or not?

My understanding so far is that the source streams to a Multicast address on the switch and the switch does the duplication of the data to the different recipients. What stops any device from streaming to the multicast address?

I understand that in Unicast the Dst-MAC is determined through ARP. I would imagine that in multicast it would work the same way.

Camera streams to Multicast IP-Address -> Switch responds to ARP -> Camera streams with correct Ethernet Header to switch -> clients can hop into the stream using a Multicast-address?
Is that not the case?
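An added example (not part of the thread) showing in Python how a sender builds the destination MAC for a multicast group. No ARP exchange is involved: the MAC is derived from the group address itself. IPv4 (RFC 1112, section 6.4) uses the prefix 01:00:5e plus the low 23 bits of the group address; IPv6 (RFC 2464) uses 33:33 plus the low 32 bits. The block goes slightly beyond the post by covering IPv6 too and by enumerating the 32 IPv4 groups that share one MAC, which matters when a host or a snooping switch filters on MAC alone. Group addresses used are well-known ones (mDNS, SSDP) plus constructed values.

```python
"""Added example (not from the thread): IP multicast group to MAC mapping.
The group addresses are well-known or constructed sample values.
"""
import ipaddress
from typing import List


def _fmt_mac(value: int) -> str:
    """48-bit integer to colon-separated lowercase hex."""
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def ipv4_multicast_mac(group: str) -> str:
    """01:00:5e + low 23 bits of the group (RFC 1112)."""
    g = ipaddress.ip_address(group)
    if g.version != 4 or not g.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    return _fmt_mac(0x01005E000000 | (int(g) & 0x7FFFFF))


def ipv6_multicast_mac(group: str) -> str:
    """33:33 + low 32 bits of the group (RFC 2464)."""
    g = ipaddress.ip_address(group)
    if g.version != 6 or not g.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast group")
    return _fmt_mac(0x333300000000 | (int(g) & 0xFFFFFFFF))


def groups_sharing_mac(group: str) -> List[str]:
    """The 32 IPv4 groups whose frames carry the same destination MAC as `group`.
    224.0.0.0/4 leaves 28 variable bits; the 5 bits above the low 23 are the
    ones the MAC cannot express, so every combination of them collides."""
    low23 = int(ipaddress.ip_address(group)) & 0x7FFFFF
    return [str(ipaddress.ip_address(0xE0000000 | (hi << 23) | low23)) for hi in range(32)]


def collide_on_wire(group_a: str, group_b: str) -> bool:
    """True when two distinct groups are indistinguishable at layer 2."""
    return group_a != group_b and ipv4_multicast_mac(group_a) == ipv4_multicast_mac(group_b)


if __name__ == "__main__":
    for grp in ("224.0.0.251", "239.255.255.250", "224.1.1.1", "239.1.1.1"):
        print(f"{grp:16s} -> {ipv4_multicast_mac(grp)}")
    print("ff02::fb         ->", ipv6_multicast_mac("ff02::fb"))
    print("224.1.1.1 and 239.1.1.1 collide:", collide_on_wire("224.1.1.1", "239.1.1.1"))
```

Because the destination MAC is computed, not resolved, nothing on the switch "responds" the way a unicast ARP target would; whether a given sender's frames reach anyone depends on which ports have joined the group (IGMP snooping) or, without snooping, on plain flooding.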



How to deal with TCAM ACL limitations?

If you're running an nx-os switch with 200 VLANs and using it as an L3 router, how would you go about dealing with TCAM limitations in regards to ACLs? Each VLAN is set up with HSRP and requires an ACL to only permit routing and ICMP traffic to the gateway IP.

The limit for the number of ACLs on an nx-os switch is 62. You could essentially do several large ACLs that could be placed on each VLAN, but then you start getting "Tcam resource exhausted" because the number of ACEs is exhausting the TCAM. Is there a way around this without resorting to external hardware?

This is the security requirement - "The Cisco switch must be configured to restrict traffic destined to itself"

It specifically requires ACLs blocking non management and non control plane traffic to any IP on the switch, even from internal networks.



Yet another coffee shop network

I'm setting up a small network for my business running from the same space as my coffee shop. My business network includes my office space area (pcs, printers, some iot devices) and my public network will allow internet access to my coffee shop guests (captive portal, vouchers to log-in).

There's also another portion of the network to handle an AdGuard/pihole DNS server, a NAS, CCTV system and POS terminals.

A high level diagram is here: https://imgur.com/a/gkEU94o


I have some basic understanding of how subnets and VLANs may operate to help me, but I wonder if I would need dedicated hardware to help me out with this situation. I often see people recommending Mikrotik, Ubiquiti, Cisco devices for similar scenarios, but I don't understand what the key factor or benefit is that such devices offer.

A Raspberry Pi, some subnetting and a dd-wrt access point may do the job, but am I missing something?



Why do so many people today have 0 upload on speedtest?

Hello,

I was looking at Speedtest results for fun and so many people today have 0 upload. Anybody know why? Like legit 0.00 upload.



Recommendation for *good* ISP in the United Kingdom...

Hi All,

Having issues with our current ISP - looking to switch from our 1GB to 3-4Gb/10GB Bearer/RO2 etc.

The UK market doesn't seem very big: BT, Virgin and errrmmm Colt?

Please share your experiences good and bad? :)



How to share folders between 3 computer on different LANs

Hi everyone, I need to share a folder between 3 different PCs on two different LANs.
Until now I have successfully used Hamachi from LogMeIn, but yesterday the LogMeIn free trial expired and now to use Hamachi I am required to use a LogMeIn Pro subscription at a price of 280 euros per year.

From what I understand Hamachi creates a VPN that simulates the connection between two computers on the same network; is there a way or similar software that allows me to share a folder between computers without having to use services like OneDrive?



Use Mikrotik RB951Ui-2HnD as switch

I have read online that the Mikrotik RB951Ui-2HnD can be used as a switch but I have been unable to get it working. I wanted to get it working so that I can connect it to a PacketFence NAC but I am not able to get anything to work. Even the tutorials on YouTube seem to be not working. I did a single networking unit on campus so I am not very savvy in the matter but I know the basics. Can this be done or not? And if so, can anybody help me set it up? In the region I am in, I am not able to get a managed switch and the ones that are there are crazy expensive. Any assistance will be greatly appreciated.



VSS for Catalyst 6807-XL

Can I run VSS on (2) Catalyst 6807-XL using fiber cable and SFP-10G-SR?

Is there a special license needed? Any special cable?



Monday, February 22, 2021

On the subject of the separation of the data plane and the management plane

Hey guys, I just had a few questions about plane separation for my network. From what I can gather, the main reasons for the separation of the management and data planes are the ability to filter and add rules to the traffic independently, keeping your management traffic away from your high-bandwidth traffic so they don't interfere with each other's capabilities, and that if your data network goes down you can still manage the network devices.

Is there anything I'm missing or misunderstanding?

I'm also wondering whether or not this is still a worthwhile thing to do with a router-as-a-stick configuration? You still get the ability to add filters and rules onto the separate traffic but since both planes are on the same interface, their capabilities are tied together at the bandwidth of the interface so you don't really get any of the other benefits.

What are your opinions on separation of planes, is it something you think is important?



Noob question about Cisco WAP power supply

Very much a beginner here so I apologize if this is a super basic question or if it doesn't belong here, but I have recently come into some enterprise equipment for quite a good deal (can't beat free) and I was wondering how the LAP-1142N wireless access points can be powered. Do they usually use individual power cords, or is there a central power supply that I can use (obviously for a much smaller space than a large enterprise building)?

Apologies for any misunderstandings or anything of the sort, and thanks in advance.



Tracking Down ARP Flood

Hello,

I'm an AV Integrator and am not new to networking. I have a customer system where our AV system is connected to a router directly off of the ISP (Comcast) modem (bridge mode on). The system consists of an Araknis router, several Araknis APs, and a Luxul switch. I know... I'm not a fan of these brands either but that's what the sales engineer sold.

The system has been working flawlessly for months and just a couple weeks ago, they've been experiencing Internet issues. To no one's surprise, rebooting the switch or router seems to correct things for some time.

In troubleshooting, I could not pinpoint any reasons for Internet to be dropping out. In fact, sometimes, Internet stops working only on one VLAN but not another, though we're probably getting reports about WiFi and not wired VLANs. My suspicion is that this flooding is causing WiFi to slow to a crawl, but it isn't severe enough to disrupt the wired clients.

I fired up Wireshark and the only unusual activity is a bunch of ARP requests originating from a MAC address that is not the router, but pinging every IP address in a VLAN. I've looked for this MAC in the switch MAC tables and it points back to the trunk port to the router. However, the MAC address specified is NOT the MAC address of the router. I suppose it is possible that this router uses different MAC addresses for VLANs but in my experience, at least the VendorID would be the same as what is reported in the router management pages.

I am also seeing these ARP requests on all VLANs as well.

Loop protection is turned on in the Luxul switch, which I am assuming is its version of STP. It is not reporting any loops, and since this is a closed AV system, I'm sure there are no loops.

So I am wondering... what could this rogue device be, and could these broadcast packets penetrate the NAT from the Comcast modem through my router? I do not know if anything else is plugged into the Comcast modem directly, but with bridge mode on, my router has the Comcast IP, so I don't know what happens when other devices plug into the modem.

If I ping the VLAN gateways, I can see the ping replies in Wireshark as originating from this same MAC address.

I do have the ability to blacklist MAC addresses but I don't want to do that if it is actually the router itself...

Here's a screenshot of what I see...

https://i.imgur.com/XA80B47.png?1
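An added example (not part of the thread) of the check a defender would run on a capture like the one described: a small Python script that reads ARP requests in the shape of tab-separated tshark field output (frame.time_relative, vlan.id, eth.src, arp.dst.proto_ipv4) and reports any source MAC that asks for many distinct targets within a short window, grouped by the VLANs it appears on. The sample lines are constructed, and every MAC and IP in them is made up; the column layout is an assumption about how the capture was exported.

```python
"""Added example (not from the thread): spotting an ARP sweep in a capture.
Input lines are constructed in the shape of
  tshark -Y 'arp.opcode == 1' -T fields -e frame.time_relative -e vlan.id \
         -e eth.src -e arp.dst.proto_ipv4
(tab separated). All MAC and IP values below are made up.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

Row = Tuple[float, str, str, str]   # (seconds, vlan, src_mac, target_ip)

# Constructed sample: two ordinary requests, then one MAC walking .1-.30 on
# VLAN 10 and again on VLAN 20, one request every 20 ms.
SAMPLE = "\n".join(
    ["0.000\t10\t70:85:c2:aa:bb:01\t192.168.10.1",
     "0.120\t10\t9c:05:d6:00:00:01\t192.168.10.25"]
    + [f"{1.0 + i * 0.02:.3f}\t10\tdc:9f:db:12:34:56\t192.168.10.{i + 1}" for i in range(30)]
    + [f"{3.0 + i * 0.02:.3f}\t20\tdc:9f:db:12:34:56\t192.168.20.{i + 1}" for i in range(30)]
)


def parse(text: str) -> List[Row]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, vlan, mac, target = line.split("\t")
        rows.append((float(t), vlan, mac.lower(), target))
    return rows


def find_sweeps(rows: List[Row], min_targets: int = 16,
                window: float = 2.0) -> Dict[str, Dict[str, int]]:
    """Per (MAC, VLAN): the peak number of distinct ARP targets seen inside any
    `window` seconds. Returns {mac: {vlan: peak}} for pairs reaching `min_targets`."""
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    peak: Dict[Tuple[str, str], int] = defaultdict(int)
    for t, vlan, mac, target in sorted(rows):
        q = recent[(mac, vlan)]
        q.append((t, target))
        while q and t - q[0][0] > window:      # drop requests that fell out of the window
            q.popleft()
        distinct = len({tgt for _, tgt in q})
        peak[(mac, vlan)] = max(peak[(mac, vlan)], distinct)
    report: Dict[str, Dict[str, int]] = defaultdict(dict)
    for (mac, vlan), n in peak.items():
        if n >= min_targets:
            report[mac][vlan] = n
    return dict(report)


def oui(mac: str) -> str:
    """First three octets, to compare against the router's own MAC vendor prefix."""
    return mac[:8]


if __name__ == "__main__":
    for mac, vlans in find_sweeps(parse(SAMPLE)).items():
        print(f"{mac} (OUI {oui(mac)}) sweeping VLANs {sorted(vlans)}: {vlans}")
```

A sweep that appears on every VLAN from a MAC the switch learns on the router trunk is consistent with either the router itself (some routers use per-VLAN MACs) or a device upstream of it; comparing the OUI with the router's known MAC, and checking whether the sweep continues with the router's LAN side unplugged, separates the two without blacklisting anything.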



Restaurant Networking Question for scaling footprint

Hi All!

I have a growing restaurant that is expanding from a main concept to an additional concept next door but with some shared footprint, like kitchen space. I have an IT rack that I plan to run the connect to for the second unit and would love some opinions on whether this is the right set up or if I'm poising myself for issues down the road.

I have a fortinet 80F with interfaces 1,2,3 feeding three switches for POS, Cameras, General Networking (respectively)

For this new concept, what I want to do is use interface 4 to run an uplink to a unifi 24 port managed switch. From there I'll split signal to the camera switch, 4 waps (VLANs) and 4 VOIP phones.

I also want to run another 24 port unmanaged switch from that unifi switch and run all the POS off of that unmanaged switch.

My question is twofold... any unforeseen issues with running this setup? Would it be better to just get a secondary ONT and run an entirely new network? My hope is that one day I would be able to tie the POS systems together if needed (sharing printing and firing dishes etc.)

The second question is, let's say from the fortinet interface 1 goes to VLAN POS Network 192.168.192.xxx. If I run interface 4 to that managed switch with VLAN POS Network 192.168.192.xxx also... does that bridge the networks so I can share printers and POS across the units?

Hope that all makes sense! I've been working on a network map and will share when it's done.



junos on EVE-NG: trouble trying to access J-WEB on a vSRX

This is day ONE trying to learn/understand Junos (coming from IOS).

I have Ubuntu and vSRX nodes spun up on EVE-NG.

Set the IP on Ubuntu to 10.1.1.2, connected on ge-0/0/1 on the vSRX.

Set ge-0/0/1 on the vSRX with family ethernet-switching (this should set the interface as an access port on the native VLAN, correct?).

Set loopback0.0 on the vSRX with 10.1.1.1, and added this interface to system services web-mgmt http.

At this point, shouldn't I be able to ping between the Ubuntu host and lo0.0?

Or do I have to create an SVI for VLAN 1 (native VLAN)?

Also, I have no fxp0 interface I can use to connect on the node; it only shows ge-0/0/[0-7]. Is there an extra setting to enable me to emulate the fxp0 port?

thanks!!



Netbox Change logging

To all netbox users,

How do you manage your logs? Also where can I find the default changelogs in my host machine?



Any OSPF/routing guru's? Need some assistance

So I'm attempting to solve a routing issue. Currently we have two datacenters (running VXLAN across the two using MP-BGP EVPN). I need to connect a particular extended subnet to two other routers but am running into an issue advertising the same subnet into OSPF from each datacenter down to the other set of routers at the respective two datacenters.

If you'll see my diagram below, I am attempting to advertise 10.10.10.0/24 down to another set of routers but not have that advertisement go across a data center interconnect line that we have, as that would seemingly create a loop (ex: both sides think they "own" 10.10.10.0/24 due to the VXLAN fabric).

Admittedly, I do not know much about OSPF and this is certainly apparent. Any help would be appreciated.

Quick topology for each DC.

Core switches (running VXLAN) -> share routes up to the core firewall via eBGP -> redistributing the route from eBGP to OSPF on the core firewall, which is directly connected to the edge firewall -> need to advertise to another set of routers from each datacenter, but I don't want this route to be advertised across the datacenters via the edge firewalls, which are directly connected.....

(I considered filtering the OSPF routes at the edge firewalls, but that would mean it's unable to learn it from the core as well (if filtered inbound). If filtered outbound it would obviously not advertise across datacenters as expected, but would also not advertise down to the two sets of devices I need it to.)

https://ibb.co/z7R4FcW

Edit: If I break the OSPF neighboring between the two edge firewalls I could obviously make this work, but I don't want to do that as I just need to advertise this one subnet. The OSPF between the two edge firewalls is used to advertise other subnets.

Any help would be greeaattllyy appreciated.



Virgin Media

When logging into my hub, under Hub 3.0 status it says: wireless (on 2.4GHz) Internet (access denied)

I've tried running the network diagnostic tool but it cuts out and says this site can't be reached (it seems logging in with the IP only works every now and then).

Trying to figure out why it says access denied! Thanks



Clearpass/Cisco ISE or FortiNac?

Does anyone here have experience with Clearpass and any other NAC platform? Have you seen one platform as more problematic than the other?



Meta: Would you be interested in someone opening a r/NetworkingRelaxed subreddit?

Hello, I am just wondering if you would be interested in someone creating a r/networkingrelaxed sub?

Personally I like this sub, but sometimes the rules here are just too tight for what I want. There is also r/networkingmemes but that doesn't allow for text posts and is mostly memes anyways.

What I would most like to do on such a sub is talk about weird stories that have happened in my noc life(#noclife), PoPs in both literal and figurative barns, 'interesting' client stories, interesting places I visited and stuff I did related to networking, the 'politics' of working at an ISP, etc...



DHCP Scope Organization

Hello,

I have a question regarding DHCP reservation for Network Appliances and Servers. Let's say I picked a subnet of 10.100.0.0 and Mask of 255.255.254.0. Is it okay to set the Server as 10.100.0.10 and then all the network appliances from 10.100.0.1-9? Or would it be better to reserve 10.100.0.2 for the server?



CISCO PT Switch ACL not working

I am attempting to configure an ACL on my Cisco 2960 switch in Packet Tracer. I am following the guidance from Cisco's website. However, I keep getting the error below:

https://imgur.com/a/gmBM3fX

I would be very grateful if anyone could offer some suggestions as to why this might be happening or ways around it.

Thanks in advance!



Why would I receive dozens of RST/ACK packets without any other packets in the normal TCP handshake?

Over the span of a few days I have noticed dozens of RST/ACK packets all originating from different IP addresses and directed towards all different IP addresses on my network. There were no initial requests by my network to these unknown IP addresses. They are all coming from, and going to what seem like completely random ports (not just ephemeral though, a mixture of low/high source ports and low/high destination ports).

Is there some sort of RST/ACK attack or scanning technique going on here? I'm not sure about scanning since I don't believe an IP address would respond to a random RST/ACK, but I could be wrong. Googling it hasn't been helpful so I'm interested in any additional insight someone on here might be able to provide.
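An added example (not part of the thread) showing in Python the check that separates RST/ACKs which answer our own SYNs from ones that arrive unsolicited. State is kept per (our ip:port, peer ip:port): an outbound SYN opens an entry, and an inbound RST/ACK with no entry is unsolicited. Many such segments from unrelated sources aimed at random ports is the shape of backscatter: a third party sent SYNs with our addresses forged as the source, and the hosts it hit answer us rather than the sender. The segment lines are constructed; the addresses come from the RFC 5737 documentation ranges, with 203.0.113.0/24 standing in for the poster's network.

```python
"""Added example (not from the thread): classifying inbound RST/ACK segments.
Sample lines and addresses are constructed (RFC 5737 ranges).
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

OUR_NET = ipaddress.ip_network("203.0.113.0/24")   # constructed stand-in for "my network"

# Constructed lines: "seconds src:port > dst:port flags" (S=SYN, A=ACK, R=RST).
SAMPLE = """\
1.000 203.0.113.10:51234 > 198.51.100.7:443 S
1.050 198.51.100.7:443 > 203.0.113.10:51234 SA
1.051 203.0.113.10:51234 > 198.51.100.7:443 A
2.000 203.0.113.10:51235 > 198.51.100.9:22 S
2.040 198.51.100.9:22 > 203.0.113.10:51235 RA
9.100 192.0.2.55:80 > 203.0.113.20:3389 RA
9.300 192.0.2.91:6000 > 203.0.113.41:512 RA
9.700 192.0.2.17:443 > 203.0.113.7:40001 RA
10.200 192.0.2.201:8080 > 203.0.113.99:1024 RA
"""

Segment = Tuple[float, str, str, str]   # (time, src "ip:port", dst "ip:port", flags)


def parse(text: str) -> List[Segment]:
    segs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, _, dst, flags = line.split()
        segs.append((float(t), src, dst, flags))
    return segs


def is_ours(endpoint: str) -> bool:
    return ipaddress.ip_address(endpoint.rsplit(":", 1)[0]) in OUR_NET


def classify(segs: List[Segment]) -> Dict[str, List[Segment]]:
    """Split inbound RST/ACKs into 'solicited' (we sent the SYN) and 'unsolicited'."""
    opened = set()                                  # (our endpoint, peer endpoint) we initiated
    out: Dict[str, List[Segment]] = {"solicited": [], "unsolicited": []}
    for seg in sorted(segs):
        _, src, dst, flags = seg
        if is_ours(src) and "S" in flags and "A" not in flags:
            opened.add((src, dst))                  # our SYN: remember the 4-tuple
        elif is_ours(dst) and "R" in flags and "A" in flags:
            key = (dst, src)                        # reverse direction of the SYN we sent
            out["solicited" if key in opened else "unsolicited"].append(seg)
    return out


def summarize(unsolicited: List[Segment]) -> Dict[str, int]:
    """Fan-out counts: many distinct sources and targets, each seen once, is the backscatter shape;
    one source hitting many of our hosts would point at a scan instead."""
    srcs = Counter(s[1].rsplit(":", 1)[0] for s in unsolicited)
    dsts = Counter(s[2].rsplit(":", 1)[0] for s in unsolicited)
    return {"segments": len(unsolicited), "distinct_sources": len(srcs),
            "distinct_targets": len(dsts), "max_from_one_source": max(srcs.values(), default=0)}


if __name__ == "__main__":
    result = classify(parse(SAMPLE))
    print("solicited RST/ACK:", len(result["solicited"]))
    print("unsolicited:", summarize(result["unsolicited"]))
```

Note the 2.040 line: a RST/ACK is a perfectly normal answer to our own SYN when the port is closed, so a rule that alerts on every inbound RST/ACK is noisy; only the ones with no matching outbound SYN are of interest, and for those the fan-out summary is what distinguishes reflected noise from something aimed at the network.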



Visio mass select question

I’m trying to find a way to select all instances of a certain word (i.e. AIR-CAP2802l) in order to change the font color. It’s so time consuming to go through a Visio for a massive site and highlight every instance of the word manually. We use Visio 2016 professional.



Configuring VPN between a very old PIX and an ASA

Hi all! My company acquired another small company which currently has a very old PIX. I need to configure a temporary VPN connection between one of our ASAs and the PIX. I have the VPN in place but am not seeing any traffic from the PIX to our ASA. I do see traffic to the PIX.

I think it is an issue with the nat rule but, due to the age, the syntax is different.

I need to have traffic from the 'VOIP' interface on the PIX route to the 'inside' interface on the ASA.

Any help is greatly appreciated!

ASA

(inside) 10.10.12.1

PIX

(VOIP) 192.168.1.1

PIX NAT Statement:

access-list ASA-PIX-ACL extended permit ip VOIP_LAN 255.255.255.0 10.10.12.0 255.255.255.0
nat (VOIP) 0 access-list ASA-PIX-ACL



Multi WAN combined (not only load balancing)

Hey guys,

If I wanted to use a normal internet (DSL) connection and combine it with an LTE connection to get the combined upload and download speeds, how would I do that?

The idea was to use two servers: one in my own network with both Ethernet connections attached, and one rented from an online provider with better bandwidth. Then use both Ethernet connections to transfer everything between these servers. Something like a VPN over two WAN connections.

I hope you get the idea? How would you do that (if it's possible), and if not, how could it be done? The goal is to use multiple Ethernet connections to combine upload and download speeds.

Greetings from Germany :)

P.S. I asked that already in r/sysadmin here.