Saturday, March 6, 2021

Favorite router brand

What’s your favorite enterprise/prosumer brand for routers and why?



Cannot update Cisco SG250 switch firmware

I'm updating a Cisco SG250 switch, going to Administration > File Management > Firmware Operations. I successfully upload the new firmware file, and then click Swap Image, and as you can see in this screenshot, it says that it's going to the new version after a reboot. Well I reboot and it's still the old version. I even saved the config.

Any ideas here what I can try next? The switch logs don't show anything useful. This switch is still within its return period if it continues to be a hassle although I'd like to avoid that. Thanks.



Can I use a dc12v extension cord for ARUBA IAP 225 ?

Can I use that male to female extension cable for my Aruba AP?



Work trying to block e-mail clients

Hi there,

I work several jobs and to keep them all organized I have historically used the Thunderbird mail client so I can easily have access to and respond to my e-mails. I've done this personally and professionally for years.

For reasons I can only chalk up to someone got paid to shill this, at one of my jobs that I've barely worked for since the pandemic began, the entire organization recently began a mandate forcing EVERYONE to only use Microsoft everything. This has screwed up a bunch of things, despite our existing processes in place, and made it far harder to access many important documents and records (some of which had to be deleted JUST because they were Google Docs or placed in a non-Microsoft location). They've even delivered a hard edict that we can't work on anything non-Microsoft related for the company. In general, it's made everyone's job a nightmare, especially from home, since some MS stuff doesn't match how most people work and has its own issues.

I recently got an e-mail from IT saying they can tell I use a Mail Client (Thunderbird) for my work e-mail and I have to either stop using a mail client and access my e-mail using the glitchy web portal (which I have no reason to ever check) or use the Outlook mail client which I have to buy (which makes no damn sense except for shilling). It was supposed to happen a month ago, so I took it as an empty threat, but as of today, Thunderbird can't access my e-mail account anymore and claims its credentials are wrong when I've confirmed they're fine.

Given how rarely I work there now, I really don't want to have to bother checking the web e-mail portal considering how often it messes up and how much of a hassle it is to keep track of amongst the many other e-mails I parse through daily for all my other jobs. I don't want to get in trouble for being unresponsive because the org thought it was a good idea to willfully scramble all their communications because Microsoft paid them to.

I'd like to know if I can hack my way around this and find a method that hooks this work e-mail back into Thunderbird so I can continue using it there. Would greatly appreciate any help figuring out a fix.



Help with S3500-24T

Hey guys

I got this switch for a really cheap price for something to just lab with and play around with. The issue is that in the CLI, it seems like there are literally no options for configuration. Can't add VLAN interfaces, or IPs, or even set up a port to access a VLAN, no option for IP routing, etc.

The firmware version is 7.0.2.0, and I know it’s old af. Still wondering why CLI features are missing. Am I stupid for missing something? Any help is greatly appreciated!

Thank you for those who give their time to help!

Not necessary info: I tried to find a new firmware version but it requires an account to a non-public email, which I don’t want any of my study stuff tied to my workplace email. So I’m SoL on that one.



Networking and medical device management

I've read the whitepapers on some medical equipment, which are often designed with no security controls. They just say "segment me". How are folks handling this? Are folks employing segmentation for groups of devices or literally employing microsegmentation and what does it look like? Potentially hundreds of subnets with their own VLANs? Add switchport tunneling too? How do folks prevent massive sprawl of FW and switch ACLs? Templates? Turnkey solutions?



Understanding network addressing

I am currently studying for my CCNA and I'm relatively new to the whole thing. So sorry in advance if it is obvious or this is a dumb question. I'm confused about the way network addressing works. For example, let's say we have a typical home private network 192.168.1.0 and the subnet mask is 255.255.255.0; are the first three octets customizable? I have seen some of my friends' networks are 192.168.0.1 or 10.1.1.1 and mine is 192.168.1.0. Could I go home and customize my internal private network to be 192.168.15.1? Or could I make it a class A network and put 10.0.0.1? Or even modify the subnet to whatever I wanted? I understand it is not feasible for a class A since it would be too many addresses, but just curious. This has been itching in my mind and I cannot modify my own network to see since there are other people using it constantly. Again sorry if it is a dumb question. I'd rather ask a dumb question than not know and be wrong. Thanks in advance.
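As an added example (not part of the original post), this Python script uses the standard library `ipaddress` module to show what the mask actually decides: which bits of the address are fixed as the network part and which are free for hosts, plus whether the result falls inside the RFC 1918 private ranges. The sample addresses are constructed.

```python
import ipaddress

# RFC 1918 private ranges: any subnet carved out of these is free for internal use.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def describe(addr_with_mask):
    """Return the network facts implied by an address and its mask.

    Accepts '192.168.15.1/24' or '192.168.15.1/255.255.255.0'. strict=False lets a
    host address (not only the all-zeros network address) be given, the way a home
    router's GUI shows it.
    """
    net = ipaddress.ip_network(addr_with_mask, strict=False)
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),  # minus network and broadcast
        "rfc1918": any(net.subnet_of(r) for r in RFC1918),
    }


def split_bits(addr_with_mask):
    """Show which bits of the address the mask locks (network) and frees (host)."""
    net = ipaddress.ip_network(addr_with_mask, strict=False)
    addr = ipaddress.ip_address(addr_with_mask.split("/")[0])
    bits = format(int(addr), "032b")
    return bits[: net.prefixlen], bits[net.prefixlen :]


if __name__ == "__main__":
    # Constructed sample inputs covering the cases asked about in the post.
    for example in (
        "192.168.1.0/24",
        "192.168.15.1/24",
        "10.0.0.1/8",
        "10.0.0.1/24",
        "192.168.1.0/255.255.255.128",
        "8.8.8.8/24",
    ):
        print(example, describe(example), split_bits(example))
```

Running it shows that 192.168.15.1/24 and 10.0.0.1/24 are both legitimate private /24s with 254 usable hosts, while 10.0.0.1/8 is also private but one broadcast domain of about 16 million addresses, which is why home routers ship with a /24 even when they use 10.x addresses.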



Best course/certification about 5G wireless telecommunication networks?

Hi, I am a PhD student in the field of machine learning and I am looking for a course to learn about 5G wireless telecommunication networks; could you please advise me? For instance I have seen an entry-level course from NOKIA that costs 500 euro but it's just 6 hours. Is it worth the price? Alternatively, if you know a good book please let me know.



DC power brick specs for Viptela/Cisco vEdge 100B?

We have a vEdge 100B in the field whose power brick failed spectacularly and was thrown out. Does anyone know the specs on this? I know it is 12V, but I can’t tell the dimensions of the barrel connector from a photo, nor the amperage.

Any help so I can find an aftermarket supply and ship it there would be most appreciated.



Nas not visible in Win 10

I have an old D-Link 323 NAS that I can access via its web interface using a browser and its ip address but I cannot map the drive. It does not appear on the network browser even though other Ethernet devices do. It used to work OK but can't remap it to a drive letter. Many thanks for any help.



How would you automate this?

Ok, up front, there are always many ways to skin a cat. I have only just begun my python journey, and I’ve studied REST APIs for CCNP, but I can’t figure out the rest of the owl for a practical purpose. For instance: got a 300 port switch, need to reconfig all ports on VLAN 123, which, of course, are non-contiguous. How would you go about automating this?
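One way to start, as an added example that is not the original poster's code: parse the switch's `show vlan brief` output, pick out the ports that sit in VLAN 123, fold them into `interface range` statements and emit the config lines. The sample output is constructed, the Cisco IOS syntax (five comma-separated entries per `interface range`) is the assumption, and pushing the result to the device (Netmiko, NAPALM or a RESTCONF call) is the step this leaves out.

```python
import re

# Constructed sample of `show vlan brief` output (not from the original post); the
# ports in VLAN 123 are deliberately non-contiguous and wrap onto a second line.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/5, Gi1/0/6, Gi1/0/10
123  engineering                      active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
                                                Gi1/0/7, Gi1/0/8, Gi1/0/12, Gi2/0/1
200  voice                            active    Gi1/0/9, Gi1/0/11
"""

VLAN_LINE = re.compile(r"^(\d+)\s+\S+\s+\S+\s*(.*)$")  # id, name, status, ports
CONT_LINE = re.compile(r"^\s+(\S.*)$")  # wrapped port list belonging to the previous VLAN


def parse_vlan_ports(text, vlan_id):
    """Collect the ports listed under one VLAN, including wrapped continuation lines."""
    ports, current = [], None
    for line in text.splitlines():
        m = VLAN_LINE.match(line)
        if m:
            current = int(m.group(1))
            port_field = m.group(2)
        else:
            m = CONT_LINE.match(line)
            if not m or current is None:
                continue
            port_field = m.group(1)
        if current == vlan_id and port_field.strip():
            ports.extend(p.strip() for p in port_field.split(","))
    return list(dict.fromkeys(ports))  # de-duplicate, keep order


def natural_key(name):
    """Sort helper so Gi1/0/2 sorts before Gi1/0/10."""
    return [int(tok) if tok.isdigit() else tok for tok in re.split(r"(\d+)", name)]


def compress_ranges(ports):
    """Merge consecutive ports with the same prefix into 'Gi1/0/1 - 4' style ranges."""
    parsed = []
    for p in ports:
        m = re.match(r"^(.*?)(\d+)$", p)
        if m:
            parsed.append((m.group(1), int(m.group(2))))
    parsed.sort(key=lambda t: (natural_key(t[0]), t[1]))
    ranges = []
    for prefix, num in parsed:
        if ranges and ranges[-1][0] == prefix and ranges[-1][2] == num - 1:
            ranges[-1][2] = num  # extend the open range
        else:
            ranges.append([prefix, num, num])
    return [f"{p}{a}" if a == b else f"{p}{a} - {b}" for p, a, b in ranges]


def build_config(ports, lines, max_per_range=5):
    """Emit IOS config; `interface range` accepts at most five comma-separated entries."""
    ranges = compress_ranges(ports)
    out = []
    for i in range(0, len(ranges), max_per_range):
        out.append("interface range " + " , ".join(ranges[i : i + max_per_range]))
        out.extend(" " + line for line in lines)
    return out


if __name__ == "__main__":
    vlan123 = parse_vlan_ports(SHOW_VLAN_BRIEF, 123)
    # Hypothetical change: move every VLAN 123 port to VLAN 456 and tidy its config.
    print("\n".join(build_config(vlan123, ["switchport access vlan 456", "spanning-tree portfast"])))
```

The same parser works for any VLAN id, and `compress_ranges` is reusable for other bulk interface changes; the thing that usually bites is the range entry limit, which is why `build_config` splits long port lists into several `interface range` blocks.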



Does anyone have experience with job loss as a result of automation?

I'm curious if anyone has seen first hand any network engineers/admins losing jobs because of automation.

Most of us know that things like Ansible are all the rage lately, but has anyone worked in an organization where the org has become so good at this that they actually need fewer workers?

I personally haven't seen it, and maybe it's hard to see it when it happens, because it's a slow thing. Just curious to hear everyone's experience.



Beginning Network+

Hello, Started taking cyber security classes, and am 6 weeks into my Network+ class. Are there any "beginner" networking or cyber security communities? I searched and couldn't find anything. Thanks in advance.



25Gb Twinax Question

I’ve got a scenario where someone connected a 25GbE Twinax into a Cisco Nexus 9372 10GbE port. The Cable is recognized as 25GbE.

Will it connect at 10Gb or am I replacing the cable lol?



Help with connecting dedicated leased line kit to UDM Pro

Hi guys,

I'm in the UK and have a dedicated leased line. I'm trying to connect a new UDM Dream Machine Pro, but the Dream Machine keeps asking to reboot the modem. I believe I have patched everything correctly and have already put the static IP details in correctly.

I'm not really sure how I'm supposed to wire/configure this

Any help would be greatly appreciated

http://imgur.com/a/qwifFnU

Resolved: Solution in comments. TLDR Time set incorrectly out of the box. Had to manually configure with SSH



Network/Server Practice

Hello,

I am just starting my "networking career" and consume a lot of content like CompTIA videos/texts.

But of course I also want practical experience with network/server setup, creation, security, maintenance and management.

Is a game server a good start for this? If not, what is suitable for that?

Thank you guys in advance! Stay healthy!



10G networking across a few static public IPs

Networking noob needing help with my SMB. At the colo, we have a new 10Gbps WAN connection. The data center dropped an SFP+ into my main rack. The service includes a block of 5 static public IPs. I don't know how to easily go from here: GUI noob, wishing something like Unifi was available at this tier.

Downstream, I've got five servers, each of which needs its own static public IP (thus why I have a block of 5 IPs). I was looking at the UI EdgeRouter Infinity because it claims to have 80Gbps throughput. I also like the dual PSU. I also looked at the UI Unifi Dream Machine Pro, but it can only use 1 static IP on the WAN port (no multiple 1-1 NATing), and it has no PSU redundancy.

How do I move forward? Zero experience.



Friday, March 5, 2021

How do you keep focused on your career goals

Hello fellow networkers. I have been struggling with sticking to what to chase next. I am your typical network engineer with a CCNP earning a good salary. I have wanted to move to security in the past but that thought went down the drain pretty quickly. Then the interest went to pre-sales then technical Project management and now I am back to network automation.

I just can't stick to one direction. How have you folks stayed focused on one goal?

I am struggling



Copy Files by Lan

Hi guys, I have a question.

I have a place which contains 24 PCs,

and every week I need to copy the same files to each of them manually, from one to another, using Windows LAN sharing, which only copies at 200 Mbps because I'm using HDDs. So my question is: is there any way to save my time and effort by copying the files to all the devices at the same time, with higher speed if that's possible?



Feedback on Dorado software

Any feedback on Dorado software to manage/flash switches?



Is a router the best option for what I need?

Sorry if this is a dumb question...

I have a pc that doesn’t have wifi connectivity, on ethernet. I currently have an ethernet hard wired (not through our current router)

I recently bought Philips Hue lights, which work through a wifi connection. Works perfectly when on the wifi on other devices; however, I would like to be able to control them from my pc.

So is the best option to take the hard wired connection from my pc and put it into a router, then from the router into the pc and hue light bridge?

This would make the hue lights discoverable through my pc, correct? If so, is this my best option, or is something other than a separate router a better option?



Choosing which MSP to work for?

I hope this fits the guidelines since this is with regards to career progression rather than entry to networking.

I'm leaving my internal IT job and have two offers that are quite different from two MSPs. I've never worked at an MSP before so I'm not sure what to do.

Both are network engineer positions - one in name only (MSP A), one is true network engineering (MSP B).

MSP A is smaller and the role I'm applying for basically lends me out to about 5 clients at a time to be dedicated support. A lot of that support is network related, but it also includes services like server migrations (e.g. hosted Exchange to M365), AD administration and management, server patching, network device patching, etc. I'd be in the main office and drive out to clients as needed. There will be some break-fix, but the help desk usually sorts that out - I'm there to make sure projects are finished on deadlines, analysis of overall infrastructure health and to make recommendations on improving that health. I would be touching a lot of different infrastructure environments and may be on my own sometimes. I would definitely be client-facing. Interview was with two very high-level folks in the company; the owner who I really got along with (and reviews mention he listens to his employees) and someone else where it was strictly technical so I couldn't get a read on the guy.

MSP B is through and through network engineering. MSP B is big enough to warrant separate systems engineering, network engineering, and helpdesk teams. I'd come in as the low man on the network engineering team and handle tickets every day, all day. I'm at a desk and working from there all day. If the project team gets bogged down or we're ahead of schedule they may throw us a project or two. Reviews on Glassdoor show teamwork problems (lazy teammates, stacking work), but they're all referring to the systems engineering team. During the interview (four people in different interviews) each interviewer stressed that it's a collaborative environment and the guys there always lean on each other for support and to learn. They did make it seem like there's clear progression there as they're hiring to fill holes due to promotions. I got along with all of them pretty well and really hit it off with one guy. I can work remotely from home.

For what it's worth I'm leaving my internal IT job because of burnout and some team issues.

MSP B is paying $90k (+bonus) and MSP A $110k. Good benefits at A, but better at B. I would rather work remotely, but driving isn't too big of a deal to me.

I want to eventually get my CCIE and specialize further or maybe go down the DevOps route.

Anyone have any useful insight I could use here? I'd really appreciate any and all comments!



Help with duplicate IP

I have the MAC address of a device causing an IP conflict. How would I pinpoint the part of the network the device is on? I have a Windows server and several unmanaged switches. I would like to at least be able to determine what switch the device interfaces with first to narrow down the general area.



Port forwarding and firewall

I have a Synology NAS running on a static WAN IP because I need to access its web server (not using QuickConnect).

Then, as the forums on the web say that I have to do port forwarding in order to access home servers from the WAN, I basically just set up ports 80, 443 and 5001 as the port forwarding to my Synology NAS.

But then one day, I received loads of warning emails from my server telling me that there were a bunch of SSH (mine on port 44) login failures from various IP addresses, and this is when I got confused about port forwarding: ISN'T A PORT THAT IS NOT IN A PORT FORWARDING RULE SUPPOSED NOT TO PASS THROUGH THE ROUTER?

And my other questions are: Is the built-in firewall in a normal router strong enough to protect devices from DoS and other random attacks? What does a firewall machine (I mean a machine with two ethernet ports that only functions as firewall protection) do beyond the built-in one in a router, Windows, and the Synology NAS?

ps. Yeah, I know always leaving telnet and SSH on is not a good idea, but what if it's been hacked while I'm using SSH for maintenance? Also, if I need a router/firewall, please recommend me the brand (and model).

Sorry for my poor English and thanks for your help.
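The warning emails in the post are the kind of signal worth counting rather than just reading. Below is an added example (not the poster's NAS or router configuration) that parses sshd "Failed password" lines in syslog format and flags a source that fails repeatedly inside a sliding time window, while a single typo followed by a successful key login is not flagged. The log lines and addresses are constructed. If failures like these arrive from the internet, the SSH port is reachable from the WAN by some path (a forwarding rule, a UPnP mapping, or the NAS sitting directly on the public address), and the router's forwarding table is the first place to check.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog format (not from the original post);
# source addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  5 02:14:11 nas sshd[2231]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  5 02:14:13 nas sshd[2233]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  5 02:14:15 nas sshd[2235]: Failed password for invalid user pi from 203.0.113.5 port 51244 ssh2
Mar  5 02:14:18 nas sshd[2237]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  5 02:14:20 nas sshd[2239]: Failed password for root from 203.0.113.5 port 51255 ssh2
Mar  5 02:30:02 nas sshd[2301]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  5 02:31:40 nas sshd[2310]: Accepted publickey for alice from 198.51.100.7 port 40030 ssh2
Mar  5 09:12:01 nas sshd[2501]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar  5 09:40:55 nas sshd[2540]: Failed password for root from 192.0.2.44 port 33090 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2021):
    """Yield (timestamp, source_ip, username) for each failed password attempt.

    Syslog timestamps carry no year, so one is supplied; it only matters for deltas.
    """
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            yield ts, m.group("ip"), m.group("user")


def brute_force_sources(text, threshold=5, window_s=600):
    """Flag sources with >= threshold failures inside any window of window_s seconds.

    Returns (failure count per source, set of flagged sources). A lone mistake by a
    legitimate user (one failure, then a successful login) stays below threshold.
    """
    times = defaultdict(list)
    for ts, ip, _ in parse_failures(text):
        times[ip].append(ts)
    flagged = set()
    for ip, stamps in times.items():
        stamps.sort()
        left = 0
        for right, t in enumerate(stamps):
            # slide the window's left edge forward until it spans at most window_s
            while (t - stamps[left]).total_seconds() > window_s:
                left += 1
            if right - left + 1 >= threshold:
                flagged.add(ip)
                break
    return {ip: len(s) for ip, s in times.items()}, flagged


if __name__ == "__main__":
    counts, flagged = brute_force_sources(SAMPLE_LOG)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} failures={n} {'BRUTE-FORCE' if ip in flagged else ''}")
```

The threshold and window are the two knobs to tune against your own logs; the same counting is what fail2ban-style tools do before they add a block rule, and what the Synology "auto block" setting does internally.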



Replacing old Cisco 2901/K9 that serves as a router on a stick. What is a good cost effective replacement?

This environment has around 70 users which are all connected to Cisco 2960 switches. Those switches and the firewall are connected to one core switch which then forwards packets to the ISR for routing functionality between VLANs and to the firewall. The router on a stick works fine but it is getting up there in age and there is a desire to replace it and try to get a little more performance when they start using VLANs instead of one flat network.

I come from a Juniper world where if it was a small shop I just did all the routing on the SRX firewall and called it a day OR in a larger environment the core switch would also do L3 routing.

We are hoping to get 400+ mbps L3 capabilities. Currently we can do 500 mbps to the storage arrays over L2 but we max out at around 250 mbps when doing L3. Firewall replacement is happening in 4 months.

What is a good bang for the buck option for routing? Just add an L3 license to the Cisco C2960? Get a Meraki 24-port switch? HPE? Ubiquiti? Ideally it would have at least 7 1gig ports so we could hook all the switches, the ISP, and the firewall directly up to the router. PoE is not necessary.

Thanks in advance!



What is the most economical way to transport large amounts of data over large distances (100+km) ?

From all that I have seen I have a few options, fiber, or running some sort of cable or satellite and dealing with the delays and upkeep that might include. Fiber I believe would be the best, but is there another option that I may be overlooking? Would some sort of antenna array be strong enough to support such an infrastructure while being cheaper (?) I would believe that this would cause quite a delay after a few relays depending on external factors. Or, would one of the other listed options be better?

I am definitely new to all of this so if there would be a better place to ask my question or an answer already somewhere where I could expand upon the topic with any questions I have please let me know.



Sponsored training recs for check point administration

I've taken training courses on cbtnuggets, pluralsight, and udemy for different things. I was wondering if anyone has a preference between these sites (or something else altogether--stormwind?), specifically for Checkpoint admin training. The point of view here is for someone who is going to be working on the system, not for certification (read: answering questions in a test, etc) which what a lot of courses out there are geared for. Checkpoint itself has some instructor-led courses but they're overseas and really pricey. Any help is appreciated.



Any have a few A10 Networks 1030S?

I need to buy three A10 networks 1030S... anyone using one to level a desk that they'd like to sell? Yes I know, EOL, EOS... but I need them.



Young Networking Administration Student wanting feedback :)

I am just a 19-year-old striving to learn networking as deeply as I can and would love some input and tips from others on my network labbing. I chose to use Twitch as the platform for this, so if anybody would like to stop by and help out that would be great. I am currently streaming myself practicing static routing, then going to do some dynamic routing with OSPF/RIP and combine a bit of static routing as well with that network. Going to start the lab off in Packet Tracer, then switch over to real hardware and configure from there. I would love to have even just one person with a lot or even very little skill stop by and give some input. Thanks.

If you would like to, the link to the Twitch stream is here: twitch.tv/sploit333

I hope this isn't disallowed for this sub. I didn't notice anything in the rules saying I couldn't, but if it's not allowed please mods just go ahead and remove the post.



Dell Sonicwall question

I am trying to assist installing a yealink brand VOIP system behind a Dell sonicwall. The Hosted provider uses SRTP and TCP connections to keep signaling encrypted. We have setup the firewall as the provider requires. Yet the phones will not go out and get their information.

Does anyone know of any quirks in the sonicwall setup that might cause problems for a cloud based VOIP system?



IP_VFR-3-OVERLAP_FRAGMENTS in Cisco logs (+ some strange behavior on LAN side) after switching to 1 gig fiber from AT&T.

Anyone have any insight or a path towards troubleshooting?

We are running DMVPN (Dual spoke) tunnels. This is the first of these lines we have turned up and are using the same config we would use in our ciscos that we would for any standard internet connection (cable, dsl, etc.).



Software Defined Networking - The Future of Networking

Hi Everyone,

The way we have known networking is currently going through a drastic change. The paradigm is shifting quickly and definitely towards Software Defined Networking (SDN).

In this post, I am going to share some of my thoughts on SDN and how it differs from legacy networking implementations.

The current networking model, which I will refer to as Legacy Networking is implemented by connecting to individual devices and configuring them. In any corporation with a sizable amount of devices, this requires a lot of resources and time. Which is neither scalable nor cost-effective.

SDN, which entered mainstream networking post-2015, works on the premise of Controller-based Networking, where a Central device is responsible for the configuration of the complete network. This key property of SDN makes it more efficient and scalable than a Legacy Network. In the corporation mentioned above, it might have taken a company 15 network engineers to provision, manage and maintain a 100-120 device network; with SDN the same task can be carried out by 5 engineers in a much more efficient and timely manner.

In an SDN network, the Administrator registers the network devices on the controller. This process could be manual or automated. Once the device is registered, the configuration and monitoring of the device is done centrally from the controller. Configurations that are common among the network devices can be pushed together with the help of Configuration templates. Changing policies or protocols within the network also becomes easier and a lot more scalable as you control the changes from the centralized controller. It also helps in provisioning new devices on the network. If a new device comes up in the network, it can easily be provisioned and configured by using the templates.

As the network devices are already registered in the controller, the monitoring and troubleshooting of these devices is also done from a central console. The controller becomes a single pane of management for the entire network.

SDN is implemented using different technologies for different parts of the network. A typical network has three main aspects, the Campus Network, the Wide Area Network (WAN), and the Data Center.

There are many vendors in the market that provide SDN solutions, with Cisco being one of the few that have a comprehensive solution addressing the different parts of the network. It is for this reason that I will focus on Cisco technologies that provide you the ability to implement SDN for the three main aspects.

Campus Network

Cisco has a technology implementation that allows you to apply SDN technology to the Campus Network. The technology is called Software Defined Access (SDA). SDA is a technology that uses 3 components to implement SDN for a Campus Network. These components are the Controller called the Digital Network Architecture Center (DNAC). It is an appliance that is responsible for controlling the Campus Network. The second SDA component is the Campus switch. The Campus switches have to be SDA-Aware. There is a range of Catalyst switches that give you that capability. The third SDA component is the authentication server (RADIUS), preferred to be Cisco ISE. The authentication server provides the DNAC the ability to implement Intent-based networking by providing access based on the user/device that is connecting to the network. Imagine a campus with hundreds of switches that need to be provisioned or a policy or configuration change needs to be made to the entire campus network. You can implement such a change by configuring it from the DNAC rather than logging into each Network device and configuring it. SDA also provides the ability to connect to existing Non-SDA networks using L2 Handoff and L3 Handoff capabilities.

Wide-Area Network

Cisco has a technology implementation that allows you to apply SDN technology to the Wide-Area Network. The technology is called Software Defined Wide Area Network (SD-WAN). Cisco’s SD-WAN technology was acquired from Viptela, an industry leader at the time, which Cisco bought in 2017. SD-WAN is a technology that uses 2 components to implement SDN for a WAN. These components are the Controllers and the WAN Edges.

Unlike SDA, SD-WAN has 3 controllers. The first controller called the vManage is used for all the configurations. The second controller called the vSmart is responsible for the Control Plane (Routing). The third controller (vBond) is used for authenticating the devices as they connect to the SD-WAN Network. The Network devices connect to the vBond first. Once they are authenticated, it directs them towards the vManage for Management and vSmart for Control Plane. The controllers are Virtual Machines (VMs) and can easily be implemented in the Cloud (AWS, Azure, etc). You could manage your entire WAN by logging into these controllers.

The second SD-WAN component is the WAN Edge. This is the routing device that sits at the edge of each network. The WAN Edge is responsible for the Data Plane. All user traffic is transmitted between sites using the WAN Edge. WAN Edges are transport-independent in terms of connecting to each other. They can connect to other WAN Edges or Controllers using an MPLS connection, leased lines, broadband connections, or the cellular network.

Just like SDA, SD-WAN can also implement policy changes throughout the WAN from a central device, the vManage. This provides extreme scalability to the Network Administrator to implement new networks or make changes to existing devices.

Data Center

Cisco has a technology implementation that allows you to apply SDN technology to the Data Center as well. The technology is called Application Centric Infrastructure (ACI). ACI is a technology that uses 2 components to implement SDN for a Data Center. These components are the Controllers and the Data Center Switches.

The Controller is called the Application Policy Infrastructure Controller (APIC). It is an appliance that is responsible for controlling the Data Center Network. The second ACI component is the Data Center switch. The Data Center switches have to be ACI-Aware. There is a range of Nexus switches that give you that capability. As was the case with the Campus network, a Data Center Network could have a large number of switches. If a new switch needs to be added or a change needs to be provisioned, the APIC allows you to configure it scalably and centrally. ACI also provides the ability to connect to existing Non-ACI networks using L2-OUT and L3-OUT capabilities.

In conclusion, as SDN provides a centralized controller-based management mechanism, it makes your network much more efficient, scalable and nimble versus a Legacy Network.

As an engineer, this would be the right time to get acquainted and start developing expertise in these technologies. Given the cost versus benefit analysis of implementing SDN technologies that I have observed, it is my opinion that over the next few years corporations will largely adopt this approach.

Cheers,

Khawar



LAG to etherchannel ?

Hello, I have an Aruba 6300M stack and it will have a Cisco 4506 as the uplink.

Cisco doesn't do "LAG", and I can't find info on whether Aruba does EtherChannel.

Can I configure the uplink interfaces on the Aruba as LAG and the downlink on the Cisco as etherchannel and make this work?



NAT on Home LAN routers and modems

So I'm trying to learn about NAT, I know what static and dynamic NAT is. I know what NAT overload is. But what kind of NAT does a home router or modem have configured? Do they use PAT? Or something else?



Dell VLT backup destination

What are the implications of not using the management ports for the VLT backup destination configuration but instead using IP addresses from one of the other configured VLANs on the switch?



[HELP] Setting up IP cameras through POE switch, but can't forward data from switch to router

Current wiring:

- Router to video recorder
- Router to switch (uplink)
- Camera to switch

Problem: Amber blinking light on the PoE uplink. The PoE itself works, as there's a red light on my camera. Please help.



RRAS VPN Help - Mac Catalina BuiltIn VPN client disconnects after a couple of minutes with activity

Hello fellow r/networking

I have built an RRAS VPN (IKEv2) with PKI authentication for VPN with Windows and Macs. I have gotten it to work partially: I get to connect and get traffic through the tunnel from both kinds of OS. But on the Mac the client suddenly disconnects from the VPN after a couple of minutes even though there is traffic (PING) going over the tunnel.

Are there any fellow network admins that have configured this kind of VPN with Mac/Apple products, and have you had a similar problem?

RRAS Server: Win Srv 2019
Mac Client: OS X Catalina
Authentication: RADIUS/PKI
Tunnel Type: IKEv2 (NOT L2TP)

Thanks in advance for any assistance.



Not able to login at WiFi, login page not opening

I am at work on an offshore rig and got a login account for the period I am staying. On my phone (Android) it works fine.

I connect to the WiFi network like normal and my browser (Chrome) opens up and I can fill in the login username and my given password. And everything is working.

But when I try the same on my laptop (ThinkPad T495 - Win10 Pro) it connects to the WiFi and opens up Chrome and starts loading the login page, but after a few seconds it redirects a few times and I get a page that says:

Connect to Wi-Fi

The Wi-Fi you are using (Equinor-Internet) may require you to visit its login page.

And under that there's a blue button that says: Connect

When I click that nothing happens.. and I am stuck.

I tried with 3 different browsers (Chrome, Opera and Edge) but they all end up in the same "loop".

It also says: "Your connection is not secure"

I tried to tweak some settings and allow using an invalid certificate, but no luck.

I have no idea how to fix it..



Ping router with dual internet gateway, reply from other gateway??

I built a 4 NIC Fedora 33 box which is using iproute2 and nftables. I have 2 LAN gateways, a cable modem gateway and a DSL gateway. When I ping the DSL gateway from the internet, the reply comes out the cable gateway (which is set by the kernel as default). Pinging the cable gateway works as expected. Switching the default to the DSL gateway will enable pinging it and disable pinging the cable gateway. I need both gateways to work as expected, at the same time.

I have tried all the recommended multi gateway routing tricks I could find. Most of them describe creating custom routing tables, but none of them work. The documentation for doing what I want to do is really incomplete, even from the official sources. I suspect the issue is with needing to mark the packets using an nftables rule, but I haven't found any examples using nftables+iproute2. Does anyone know of a decent book or web site which can give me what I need to get this relatively simple configuration to work? Even if it starts off as generalized advanced routing in iproute2+nftables it would be a step in the right direction...
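The symptom in the post (replies to the DSL address leaving through the cable gateway) is what source-based policy routing with iproute2 fixes on its own; packet marking in nftables is only needed when the choice of uplink must depend on something other than the source address. The added example below (mine, not the poster's setup) generates the per-uplink tables and rules in the form the iproute2/LARTC "routing for multiple uplinks" recipe describes. Interface names and addresses are constructed placeholders, and it only prints the commands unless run with `--apply` as root.

```python
import shlex
import subprocess
import sys

# Constructed uplink parameters (hypothetical interface names; addresses from the
# RFC 5737 documentation ranges stand in for the real cable and DSL assignments).
UPLINKS = [
    {"name": "cable", "dev": "enp1s0", "addr": "203.0.113.10", "subnet": "203.0.113.0/24", "gw": "203.0.113.1"},
    {"name": "dsl", "dev": "enp2s0", "addr": "198.51.100.20", "subnet": "198.51.100.0/24", "gw": "198.51.100.1"},
]


def policy_routing_commands(uplinks, first_table=100):
    """Build the iproute2 commands for source-based routing over several uplinks.

    Each uplink gets its own routing table holding the connected route and a default
    route via that uplink's gateway, plus an `ip rule` that sends every packet whose
    source address is that uplink's address to that table. An echo reply to a ping of
    the DSL address carries the DSL address as its source, so the rule steers it out
    the DSL interface no matter which default the main table holds.
    """
    cmds = []
    for table, u in enumerate(uplinks, start=first_table):
        cmds += [
            f"ip route add {u['subnet']} dev {u['dev']} src {u['addr']} table {table}",
            f"ip route add default via {u['gw']} dev {u['dev']} table {table}",
            f"ip rule add from {u['addr']} lookup {table} priority {table}",
            # loose reverse-path filtering per interface, otherwise the kernel may drop
            # packets that arrive on the uplink the main table would not have chosen
            f"sysctl -w net.ipv4.conf.{u['dev']}.rp_filter=2",
        ]
    # the effective rp_filter is max(all, interface), so 'all' must be relaxed as well
    cmds.append("sysctl -w net.ipv4.conf.all.rp_filter=2")
    # the main table keeps one default for locally originated traffic with no bound source
    cmds.append(f"ip route replace default via {uplinks[0]['gw']} dev {uplinks[0]['dev']}")
    return cmds


def apply(cmds):
    """Run the commands in order; needs root and stops at the first failure."""
    for c in cmds:
        subprocess.run(shlex.split(c), check=True)


if __name__ == "__main__":
    commands = policy_routing_commands(UPLINKS)
    if "--apply" in sys.argv:
        apply(commands)
    else:
        print("\n".join(commands))
```

After applying, `ip rule show` should list the two `from` rules ahead of the main table, and `ip route show table 101` should show the DSL default; pinging each public address from outside then gets its reply on the matching interface. The `add` forms are not idempotent, so a second run needs `replace` for the routes and a `del` for the rules first.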



DAD link SWV on cisco 9500 chassis over 1Gig?

Hi,

Anybody here that has configured StackWise Virtual for the Catalyst 9500 series? (9500-16X to be more specific.)

I saw the documentation that says that for SWV links you need to use at least 10gig ports.

But I was wondering what the minimum requirement for the DAD link is?

The reason I'm asking is that we only have 4 10gig SFPs for SWV links, and the other SFPs (to downlink switches) are only 1Gig (because the customer strictly didn't want to pay for 10gig SFPs).

So my question is: is it possible to configure the DAD link between SWV members using 1Gig ports, or will I need to have at least 10Gig?

Thanks!



Thursday, March 4, 2021

Any network engineers from Ireland here?

.



ISP 10Gb Symmetrical Full Duplex Simultaneous?

Not sure if this is something that can vary by ISP's offering, but if our ISP is giving us 10Gb down/up on a 10Gb handoff, would it be correct to assume that you could, say, download & upload 9Gb/s simultaneously, essentially moving 18gb/s of traffic? Or if you're downloading 9Gb/s, would you only be able to upload 1Gb/s at the same time?

The first one is my understanding. That it's a full duplex connection and you could be downloading 10Gb/s while uploading 10Gb/s simultaneously.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



CCIE Expired...

TLDR: "My CCIE expired and I don't care. I have moved on in my career"

About 5 years ago I posted about passing my CCIE RS, which was a process that took the better part of 4 years to accomplish. Well, I got the official email today from Cisco that my CCIE has fully expired.

I renewed my CCIE once and struggled then to convince myself to go through with the re-cert. After I walked out of the testing center I told myself I would never renew my CCIE again.

Stance on certs

I know there is a mixed bag of emotions and opinions around certs and I fall in the camp where I have seen tremendous growth in knowledge and my career from the certs I have completed. My stance is, if they work for you and push you in the right direction then go for it. If not, then find another method that pushes you.

Trying to improve your knowledge and skills is NEVER wrong.

I have always been a strong supporter of the core Cisco certs (RS, SP) as they don't just teach a product, they teach the fundamental technologies. But that is slowly changing...

Why let it go?

During those 4 years I set pretty much every other technology and focus aside to grind through my CCIE. And it was painful. I watched as SDN, Network Automation and new skills started to come into light and I set those aside to spend the day/week learning RIP or drilling deeper into SSM multicast.

I knew when I finished my CCIE my focus was going elsewhere and just like the industry, it did. SDN really didn't make the impact we thought it would, but network automation made huge strides in the industry. No one talks about how they can improve their workflows of manually configuring switches.

Since I passed in 2015, I have not seen a single justifiable reason to set a considerable chunk of my time aside to prove I still know how to configure a Cisco network. Just like my college degree, my CCIE is a stepping stone or what I consider my foundational knowledge.

My certification journey played an immense role in getting me to where I am but it has little use right now and the time sink is not justifiable.

Looking Forward

If I had to guess, the network will not be any less important in 10 or 20 years. Hell, you still have to move packets. But it will take less to manage and be more tightly integrated with the full application and infrastructure stack. The Cloud and how it is used and operated is a prime example.

Other hints into this are Kubernetes and NFV, which are moving the network intelligence deeper into the server or application and away from the actual fabric. Companies like Cilium are moving network control deep into the kernel and SmartNICs are giving servers better network control.

SD-WAN and wireless have already removed the complex configuration of tunnels and network segmentation from the network operator and simplified the operations of those areas of networking.

This is a trend that will not stop, as customer demand on applications requires it now. Hence the popularity of Cloud and containerization with app developers.

The network cannot function as a manually configured eco-system anymore. We either make this change or some other group in technology will do it for us.

I chose to help lead this change.

If you made it this far, thanks for spending the time to read. I always welcome discussion, so let me know what you think.



ATT Wifi Extender Help

I've got an ATT Wifi extender that I bought from them, but now I'm not with ATT.

It used to automatically connect to their router as a mesh, but it isn't working with my new box (on spectrum). I've tried resetting it and plugging directly into the router, but no go.

Is there a way I can reconfigure this to work on my new network?



converting from several grown 10Gbit links to a redundant topology

We (read: I; as a one-man-show in the company) are currently upgrading the network in our main branch by getting a few new/additional fiber runs installed between our buildings and to add a third building to the network. As we are not a tech-company bandwidth demands aren't that particularly high, although all services for our branches are hosted locally (main branch is multihomed), so redundancy is getting more and more important.

The current (10g) setup over 2 buildings looks as follows: https://imgur.com/a/EoHXvBa

The 10g uplinks have been added as bandwidth demands increased and are local to each building (-> each stack of 3750x represents one building).

As a third building will be added to the Network shortly, I'd like to clean up the 10g topology and probably add some redundancy; i.e. using 2 10g aggregation switches and redundant 10g links for the switch stacks and servers/routers roughly like this: https://imgur.com/a/KCfOHoE

As already mentioned, we're not a tech company, so my budget is rather restricted (Hence the stacks of used/refurbished 3750X). I'd really like to use cisco gear for the 10g aggregation, but getting approval even for some SX550X-12F, let alone some halfway recent catalysts with a decent amount of 10g SFP+ ports is just impossible. The current 10g links to the switches are through 3x c3kx-nm-10g modules. When adding the 3rd building I'd like to move one to the new 3750x switch for that building to cut some costs here, so 2x 10g uplinks are available per stack.

I've come across the Mikrotik CRS3xx series switches, but I couldn't find any useful information about them supporting any form of L2 multipathing, so I suppose they don't support it?

I've never dealt with multipathing outside of routing or FC in my homelab, so I'm not even sure if this is even feasible or useful at this small scale. In Cisco documentation multipathing is usually directed towards Nexus platforms and/or a strict 3-layer hierarchy involving only switches in the multipathing topology, not endpoints. Also the 3750X w/ IOS 15.4 (ipservices license) doesn't seem to support L2MP.

I'd be very thankful to get some advice about a) If the redundant topology on the second diagram is feasible and/or b) If/how multipathing can be handled when using mikrotik CRS3xxs

Just for completeness: I don't think this topology can/should be handled purely with STP, correct?

Or would you advise against multipathing/redundancy and towards using a single 10g switch? Any advice on what would be a good addition to the 3750Xs we're already running? (Reasonable power consumption is a criterion, so Nexus 5010/5020 are sadly out of the discussion.)



Aruba -> Ruckus Coexistence, Migration

Hi All,
I am working on a project to replace an existing Aruba WiFi install with Ruckus WiFi. To try and ease the transition and temporary coexistence, we put the Ruckus APs on the same wired VLAN as the Aruba APs and on-prem 3400 controller. The Ruckus APs will be using Ruckus Cloud.

After we powered up about 20 of the Ruckus APs (just powered up - not broadcasting any SSID), we ultimately started to see trouble on the Aruba WiFi. Clients were having trouble seeing the SSIDs and connections were getting dropped.

Initial thoughts were that it is something related to spanning tree, but this is disabled on all the wired switches, the 3400 controller, etc. Might also be something related to rogue AP stuff - but I am not sure how to see if this is the case? And not sure - if it is relevant - where on the Aruba 3400 I would find where to add the Ruckus APs as trusted neighbors?

Any suggestions much appreciated!



Cisco Catalyst 9300 packet capture

Trying to do some research before I go on site tomorrow and in the chance that I cannot run wireshark or any other form of packet capture on a switch, is there a way to do it from within the switch itself? I saw mention of Embedded Packet Capture, however it seems to be a router only feature.

Thank you in advance



LTE/5G modem only with ethernet and external antenna connectivity

I'm looking for a device to provide a backup WAN connection that doesn't include its own router or wifi. There isn't a nice way to integrate any of the 5g devices that I found as they all seem to want to act as the router and lack real configuration features.

Anyone know of anything out there for this?



Is there a good sub for asking question directly related to DISA STIGs?

I think there are a good bit of people on here who deal with STIGs, but wondering if there is a sub specifically for it? Thanks



MPLS ICCP troubles.

Okay so here's the problem. I work for a power company and I send ICCP traffic over an MPLS network to another power company. Recently we upgraded one of our data historians and set up ICCP exactly the same way as it was on the previous server. There's really not much to ICCP. Anyway, I can see my data values trying to reach out but it's not making it to the other power company. The IP and subnet mask haven't changed at all on the new server.

So I got on the phone with the other power company and we both ran Wireshark on our port to see what's going on. And it looks like he's sending a COTP CR packet to initialize the connection and then my server responds back with a COTP DR (disconnect request) within milliseconds. So they're trying to reach out but I'm immediately shutting them down. Now the routers are older Cisco 1900s and I believe they have an IPS built in. Do you think I'm onto something by contacting AT&T and having them look into the router IPS?

At the moment my server is completely wide open on the Windows firewall end. I thought at first that the firewall wasn't playing nice, so I opened it up completely and then was going to slowly lock it down. But that didn't seem to do jack. My server is essentially connected directly to the MPLS router and is not inline with our OT firewall. I'm really running out of ideas. I'm leaning on the MPLS routers being the issue. Any thoughts?



Need help to understand a confusion

I have an assignment but I have confusion about this question. Can someone help me to understand this? I'm not asking for a solution, just want to understand the question. Any help will be appreciated.

"Produce a template to use as a server installation log detailing the important aspects of installing and configuring a secure server"



Daily Checks - Cisco Firepower / FMC

I'm relatively new to managing Cisco Firepower devices. I was wondering if anyone with experience can offer (or point me in the direction) of some daily checks/ preventive maintenance or tuning they do in the FMC. Currently the only true service running on the chassis is threat defense/ IPS feature.

Thanks in advance



Looking for a compact WiFi bridge

Hi All. I am looking for a decent compact unit to use as a wifi bridge. I tested my system using a TP-Link N300 nano. Worked great to prove that it could work.

However, I am looking for something with an external antenna that can then be extended away from the unit with a cable, as the unit needs to be mounted inside a stainless enclosure. One product, the Ubiquiti airGateway LR, caught my attention, but from what I can tell it needs to work in conjunction with their other products.

Any suggestions would be appreciated.



Looking for a router and switch combination product with 4/5G failover

Hi,

We have an existing managed network with a router providing DHCP and WiFi. Currently I am running a small 8 port switch off that and need to add more wired devices. I would also like to implement 4G / 5G failover for one wired device and some QoS rules to prioritise traffic from this device, so I was thinking of putting a router in front of the managed router, and then creating a new subnet and providing WiFi from this router instead, as well as adding a switch with additional ports. I could then ask the company providing the managed router to turn off the WiFi on their router.

Does this sound like a reasonable way of doing things?

Is it too much to ask one product to do all of this? The only one I have found that looks suitable is the Mikrotik CRS125-24G-1S-2HnD-IN

This has a micro USB socket, which I assume could be configured to use a USB 4G dongle with a micro USB to female USB type A cable?

I have some experience with RouterOS and it seems that QoS and failover are both supported.

I also want to mount the router/switch in a metal rack cabinet, so I am thinking of getting extension cables for the wireless antennas so that they can be placed outside the rack. Are there any issues with doing it this way?

Any advice appreciated



Can I interfere with other people's internet packets with a modem that doesn't follow multiplexing/DOCSIS standards?

As I understand it, internet modems use time division multiplexing to allow multiple modems/households to use the same coax cable for their internet connection.

What happens if I replace my modem with a device that holds logic high 100% of the time on the coax cable? It's always on, doesn't follow multiplexing/TDMA rules. Would that interfere with everyone else's internet packets?

*I know it sounds like I'm planning to do this. I'm not, just a curious thought.



iperf3 results different on Windows and Linux

I recently bought a couple of Realtek based USB 3.0 to 2.5GbE adapters. Since I don't yet have a 2.5GbE switch, I thought I'd test them using a PC to PC direct connection.

Two modern Windows 10 laptops showed a TCP speed of 1.8-ish Gbps with 1/2/4 streams. Booting them using Ubuntu LiveUSB sticks got me 2.35Gbps which all the online reviewers seem to be getting.

I then tried it using various combinations of laptops and desktops but the results are pretty similar. CPU cores are not being saturated.

Any ideas why will be greatly appreciated

Thanks.



Wednesday, March 3, 2021

Post your best visio network drawing!!

Reading a few posts with people hating on Visio and looking for someone to automate it for them. Reminds me of all the satisfaction and good use I have gotten from some of the ones I have toiled over. Interested to see other R/S jockeys lay theirs out!



I need help!!!

So I want a mesh router that has two SSIDs, one for 2.4GHz and one for 5GHz. I'm tired of a single-SSID network that decides what band the device uses. If you guys know of any mesh router with satellites that has two SSIDs, one for 2.4 and one for 5GHz, please let me know.



Extending same VLAN over WAN

Hi guys,

My company has a client that has two remote sites. These sites connect back to us and they want to be able to talk to all three sites while being on the same subnet while also supporting multicast and encryption. I have advised against this but the client is adamant. All three sites have a direct connection to the internet, and different public IPs so I've been beating my head against the wall for the last couple of hours trying to devise a solution but I've come up empty. Does anyone have any recommendations?



Service Issues

Hello everyone, for 'enterprise' data-com services like AT&T, CenturyLink, etc., what have you all found to be a good place to see about issues that they may be having? The frustrating part is that of course when you put in a ticket usually there is nothing they can actually tell you about an issue, but we can easily see it is an area-wide issue (most of the time). I visit Downdetector and such, but there seems to be a good bit of noise on that site; just curious about your thoughts. It would be nice to have a place where professionals could share issues to correlate the data at least regionally.



[Mellanox] Configuring default gateway on a L3 Switch

This is my company's switch.

https://www.mellanox.com/related-docs/prod_eth_switches/PB_SN2700.pdf

I've been tasked with figuring out how to route between vlans using a network that's connected via the switch. As I understand, this is an L3 switch and it should be capable of routing on the hardware level and it's actually a pretty cool switch because it has multiple protocols and does this all using Linux commands that control the switching fabric.

However, that leaves me in the situation where I find it hard to google how to configure it. Mellanox's docs seem to refer to a different configuration. We're using native Linux.

I figured out how to do layer 2 stuff like create bridges. I gave the bridges IP addresses via Systemd-Networkd.

So bam! I have 5 bridges (that are similar to VLANs), each bridge has an IP address in the subnet of its layer 3 network, so the switch should do this routing for me, right?

Nope, I guess it's not that easy. I believe I need to use `ip route` to configure the routing tables. I need a default gateway. IPv4/IPv6 packet forwarding is already enabled at the kernel level. I'm just not sure how to give it these static routes. However, I don't have to add static routes if using another protocol is easier; I'm just not sure how to use the other routing protocols.

So to be more concise, I have 5 bridges with 5 subnets.

192.168.150.4/24 via ?

192.168.151.4/24 via ? < should be able to access this guy from 150.4/24

192.168.152.4/24 via ? < should be able to access this guy from 150.4/24

192.168.153.4/24 via ?

192.168.154.4/24 via ?

This is an isolated network. There's no need for an outside connection. I want the L3 switch to be the router between vlans. I only want 3/5 vlans to talk to each other. The L3 switch is connected to every vlan and lies in the center of the network. This network is probably super simple to a network engineer.

Sorry, I'm just not a network engineer by trade, so I don't know what to do. I understand the basics of networks (like the 5 layer model). I've done socket programming. I understand generally how tcp/udp work. Subnetting. I'm more familiar with Linux at this point than Windows. However, designing and implementing a network topology is still a little out of my depth.
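For readers in the same spot, an added example (an editor's illustration, not the poster's switch or Mellanox's documentation) of what the Linux side of this actually needs. Once each bridge carries an address and forwarding is enabled, the kernel already holds a connected route for each /24, so no static route is required for bridge-to-bridge traffic; the hosts in each VLAN just need that bridge's address as their default gateway. The "only 3 of the 5 VLANs may talk to each other" requirement is not a routing question at all but a forward-chain policy, shown here with nftables. Bridge names, addresses, the set of routed VLANs and the dry-run convention are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's switch configuration: inter-VLAN routing on
# a Linux-based L3 switch whose VLANs are bridges with one address each.
# With the addresses assigned and forwarding on, the kernel already installs a
# connected route per /24, so bridge-to-bridge routing needs no static route;
# hosts use their bridge's address as default gateway. Restricting which VLANs
# may talk is an nftables forward policy. Names, addresses and the set of
# routed VLANs are assumptions.
RUN="${RUN-echo}"       # default dry run; RUN= sh l3-bridges.sh applies as root

# Assumed bridges: name, switch address (gateway for that VLAN), prefix.
BRIDGES="br150 192.168.150.4 192.168.150.0/24
br151 192.168.151.4 192.168.151.0/24
br152 192.168.152.4 192.168.152.0/24
br153 192.168.153.4 192.168.153.0/24
br154 192.168.154.4 192.168.154.0/24"

# Assumed: the three VLANs allowed to exchange traffic; the other two stay
# isolated from everything but their own bridge.
ROUTED="br150 br151 br152"

# Print the connected route the kernel installs for each bridge address,
# i.e. the routing table that already exists once addresses are assigned
# (same format as `ip route show`).
expected_routes() {
  echo "$BRIDGES" | while read -r br addr prefix; do
    echo "$prefix dev $br proto kernel scope link src $addr"
  done
}

# nftables ruleset: forward only between bridges in ROUTED, drop every other
# routed flow, and count/log the drops so a misrouted host is visible.
nft_forward_ruleset() {
  set_members=$(echo "$ROUTED" | tr ' ' ',')
  cat <<EOF
table inet l3switch {
  set routed { type ifname; elements = { $set_members } }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname @routed oifname @routed ct state new accept
    log prefix "l3switch-drop " counter drop
  }
}
EOF
}

apply_all() {
  $RUN sysctl -w net.ipv4.ip_forward=1
  if [ -n "$RUN" ]; then nft_forward_ruleset; else nft_forward_ruleset | nft -f -; fi
}

apply_all
```

Compare `expected_routes` with the real `ip route show` on the switch: if the five connected routes are there, inter-VLAN reachability problems are on the hosts (wrong gateway) or in the forward policy, not in missing static routes.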



Statistics for peering

I am wondering how ISPs collect data on their networks and how they see who would be an ideal peering partner. For example, a user goes to netfilx.com and watches a movie. I know they can track their DNS requests, but how do they log IP addresses and, more importantly, AS numbers? Any input is great!

If the question is vague please ask follow ups!



Dataroom Conduit Runs with Extra Turns?

I am the IT rep for a new building. The engineer is putting the dataroom on the 2nd floor above a large open room. This data room is also the head end in a 40 building campus. We estimate there will be about 8 each 4" conduits. When I asked about conduit runs, "Shouldn't the conduits go straight down?" They said "Well there will be a few extra turns, no problem".

Wouldn't those huge sweeps be a space problem?

Should I be more concerned about this, or let it go?



Best practice for using a cloud firewall? Active/Active on-prem/cloud or pure cloud?

Got a small environment with a firewall on-prem but want to look at getting a firewall in the cloud instead, so it has more availability than being physically on-prem. This would also mean the VPN built into the firewall is more available. So if our on-prem got wiped out, for example, we'd still be connecting to the cloud remotely, getting the same IPs, seeing the same cloud servers. There are about 500 users, so when they are on-site I'm wondering if just having an IPsec tunnel directing all traffic out to the cloud firewall would be overkill. Or if I should have a firewall on-prem and a matching appliance in the cloud in an Active/Active setup.



Cisco SG350 switch VLAN DNS help

I'm a novice when it comes to networking so please bear with me. I have a new network I'm setting up and have issues with DNS.

My setup is as follows: ISP -> Modem -> Untangle Firewall -> Cisco SG350 switch -> Devices and AP

On my switch I have 5 VLANs. Firewall IP is 192.168.2.1. Switch IP is 192.168.2.10. Vlan 1 = 192.168.2.X w/ DHCP from Untangle. VLAN 20 = 192.168.20.X w/ DHCP from switch. VLAN 30 = 192.168.30.X w/ DHCP from switch, and so on for VLAN 40 and 50.

The Untangle Firewall is in router mode with static routes to my switch VLANs.

DHCP from the firewall successfully provides DHCP and DNS to the VLAN 1 on switch. VLAN 1 ports connect to internet no problem.

My problem is I don't know how to pass DNS from my firewall to the VLAN 20-50. Inter-vlan is routing correctly. Connecting to VLAN 20-50 I can ping the Firewall and other switch VLANs successfully. The firewall can also ping the VLAN IP. However, on the device connected to the VLAN, it does not receive DNS. From the connected device, I can ping 8.8.8.8 but cannot ping google.com.

I simply want to point VLAN 20-50 devices to DNS 8.8.8.8. What do I need to do?

note: this is a 'cross-post' from /r/cisco

Here's my switch config:

config-file-header
switch58785p
v2.5.5.47 / RTESLA2.5.5_930_364_286
CLI v1.0
file SSD indicator excluded
@
!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
vlan database
vlan 20,30,40,50
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 H3C_Aolynk
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone
voice vlan oui-table add 00e075 Polycom/Veritel_phone
voice vlan oui-table add 00e0bb 3Com_phone
no eee enable
no ip arp proxy disable
ip dhcp server
ip dhcp pool network "VLAN 20"
address low 192.168.20.100 high 192.168.20.200 255.255.255.0
exit
ip dhcp pool network "VLAN 30"
address low 192.168.30.100 high 192.168.30.200 255.255.255.0
exit
ip dhcp pool network "VLAN 40"
address low 192.168.40.100 high 192.168.40.200 255.255.255.0
exit
ip dhcp pool network "VLAN 50"
address low 192.168.50.100 high 192.168.50.200 255.255.255.0
exit
bonjour interface range vlan 1
ip name-server 192.168.2.1
!
interface vlan 1
ip address 192.168.2.10 255.255.255.0
no ip address dhcp
!
interface vlan 20
name TRUSTED
ip address 192.168.20.1 255.255.255.0
!
interface vlan 30
name NVR
ip address 192.168.30.1 255.255.255.0
!
interface vlan 40
name WIFI
ip address 192.168.40.1 255.255.255.0
!
interface vlan 50
name IoT
ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet1
switchport mode trunk
!
interface GigabitEthernet2
switchport access vlan 20
!
interface GigabitEthernet3
switchport mode trunk
switchport trunk allowed vlan 1-19,21-29,31-4094
!
interface GigabitEthernet4
switchport mode trunk
switchport trunk allowed vlan 1-19,21-29,31-4094
!
interface GigabitEthernet5
switchport access vlan 20
!
interface GigabitEthernet6
switchport access vlan 30
!
interface GigabitEthernet7
switchport access vlan 20
!
exit
ip default-gateway 192.168.2.1



Access IP camera at specific times in my network

Hello

I plan to have an IP camera continuously streaming at a specific URL inside my network (RTMP). I want to access that camera from the internet only at certain times. What I was planning to do is:

  • The switch redirects a specific port to the RTMP stream,
  • so accessing my OFFICE_IP:PORT shows the RTMP stream
  • when I don't want the stream to be seen, I close that port in the switch from an app that I would make (it would be a managed switch with a REST API)

Does this make sense? Am I overcomplicating things?

Thanks



Is there a hardware that can run with a client to connect it to multiple APs?

This is a dumb question, I'm sorry. I was in IT 15 years ago, and switched to development. Thanks to Covid and being located in the middle of nowhere, finding IT people is very difficult. I hope I'm not breaking any rules here, I'm just running out of options.

I have a large area covered by close to 100 APs. The network works fine and well for nearly everything - desktops, laptops, phones, etc - however we have some trucks that move around the area and need to maintain a remote desktop session. Given that, it's not wholly realistic to expend the budget for replacing the hardware with a mesh network, just for these 5 trucks. Google only talks about mesh networks. The networking company that we hired says our network is great, don't change anything, OR change everything to radio or mesh.

I've been out of the game long enough maybe I don't remember the name of a solution, or maybe it doesn't exist. So my question is: Is there a system I can build that has multiple wifi adapters, which are not allowed to connect to the same AP, which will then determine the best connection at any given moment, and deliver it to a port that the truck's user can connect to?

That is, on the truck have a piece of hardware that can round up three or four APs, create a local connection, and deliver it to a port or short range WiFi so that these guys don't have to wait for Windows to swap from one AP to another while driving around.

I'm happy to do the googling if there is some phrase that will help. Sorry this is dumb.



Aruba 6300m and HPE IMC

Hi, has anyone been able to successfully manage the 6300M switches using IMC?

I was recently advised to upgrade IMC to 7.3 (E0705P10) as this would fix the issues.

I have completed this upgrade and while IMC now recognizes the 6300s and can give them the correct system description, I am still unable to back up the config or push an update to the 6300s.

I have SNMP enabled on the switch and have the correct details entered into IMC, but this still displays an error, although I can see all interfaces on IMC.

I'm not sure what I'm missing and any fresh ideas are welcome.

Also posted to r/ArubaNetworks; really just hitting a brick wall at the moment.



Interface DNS entries for better traceroutes. Are you doing it and if so how?

I am looking to get all our interfaces into DNS that way it is quicker to identify what is going on. How are you all doing it if at all? Part of a process with manual entry during interface creation? Python script that scrapes and updates? Something else?
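One way to do the "Python script that scrapes and updates" variant without the scraping part, as an added example (an editor's illustration, not any poster's process): generate forward and reverse records from an interface inventory so a traceroute hop resolves to device-plus-interface. The inventory format, the `device-interface.zone` naming scheme, the zone name and the sample devices are all assumptions constructed for the example; feed it whatever your source of truth exports.

```shell
#!/bin/sh
# Added example, not the poster's process: build A and PTR records for router
# interfaces from an inventory, so traceroute hops resolve to
# "device-interface" names. Inventory format, naming scheme and zone are
# assumptions; the sample inventory is constructed.
ZONE="net.example"   # assumed forward zone

# Constructed sample inventory: device, interface, address (one per line).
INVENTORY="core1 xe-0/1/2 10.1.0.1
core2 xe-0/1/3 10.1.0.5
edge1 ge-0/0/0 10.1.1.1"

# DNS-safe label from an interface name: '/' and '.' become '-', lowercase.
if_label() {
  printf '%s' "$1" | sed 's#[/.]#-#g' | tr 'A-Z' 'a-z'
}

# Reverse name for a dotted-quad IPv4 address:
# 10.1.0.1 -> 1.0.1.10.in-addr.arpa
ptr_name() {
  printf '%s' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa", $4, $3, $2, $1 }'
}

# Fully qualified interface name: core1 xe-0/1/2 -> core1-xe-0-1-2.net.example
if_fqdn() {
  echo "$1-$(if_label "$2").$ZONE"
}

# Emit zone-file style A and PTR records for every inventory line.
gen_records() {
  echo "$INVENTORY" | while read -r dev ifname addr; do
    fqdn=$(if_fqdn "$dev" "$ifname")
    echo "$fqdn. IN A $addr"
    echo "$(ptr_name "$addr"). IN PTR $fqdn."
  done
}

gen_records
```

Run from a cron job or a pipeline step against the exported inventory and diff the output against the current zone; the diff is then the change set to push, which keeps the records from drifting away from what is actually configured.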



Can Cisco AnyConnect client VPN terminate on Fortigates or any other edge type of firewall such as maybe NSX edge firewalls?

Hey guys, as the title states, can Cisco AnyConnect client VPN terminate on Fortigates or any other OEMs? Has anyone done anything like this?

I checked Cisco’s data sheets, ordering guides, and FAQs and it looks like based on my research AnyConnect is only compatible with Cisco equipment. Just checking to see if anyone else has implemented AC client with other firewalls that are not ASAs.

Thanks!



LTE to bridge a terrestrial service circuit gap

A little background: I have a few plant locations that are currently serviced by a regional telco we are having trouble with, and I'll leave it at that. We are in the process of ordering new WAN circuits and direct fiber to these locations to replace the current ones, but are worried that they may pull the plug on us unexpectedly. I have been tasked with coming up with a contingency plan using LTE internet service and existing VPN infrastructure in the event they pull the plug on us before the new circuits are in.

Our requirements are 10-20 Mb of bandwidth, we would be doing VoIP over it but could go to the local GW if necessary. Programs used are general MS Office applications and general internet.

I am wondering if anyone here has used LTE to bridge a gap for a WAN circuits and how that worked out. What service did you use, ATT, Verizon, T-Mobile?



Anyone aware of GPON in use in enterprise campus?

I'm aware of GPON applications in FTTH for ISPs, hotels, university campuses etc. Anyone aware of any major deployments in the enterprise campus? How has that worked out?



ZTE MF91S

How to set up mobile wifi?



Verizon FIOS intermittent connectivity in the Northeast

I have users throughout my organization reporting to me that they can't connect to our VPN this morning. All users are on Verizon FIOS. There appears to be some intermittent outages in the Northeast on the ISP side.

https://downdetector.com/status/verizon/map/

Just wanted to share with you folks to see if I could save you some troubleshooting.



Mellanox SN3800

Does anyone know how to enter standard mode on this model of Mellanox switch?



Network Controller Unifi Alternatives

I have a customer that has a Unifi switch setup. They use this mainly for the cloud controller that lets them kick users off the network if they are too active on their phones, for example. Their current provider is extremely difficult to work with and as such we have decided to look around and see what alternatives there are.

The whole point of the system is to act as a gateway to the network; users need to click "Connect" almost as if it is a guest network and we have the ability to remove their access at any point.

What alternatives are out there?

Thanks in advance.



Best RSTP configuration for ports on the Juniper root-bridge switch

Hello Everybody,

I am not sure what the best recommended configuration for the ports of the root-bridge switch is: should I add both commands (mode point-to-point and no-root-port) to all ports on the core switch (root bridge)?

Below are the commands from the Core and Access Switches:

Core (root bridge):

set protocols rstp bridge-priority 0
set protocols rstp interface xe-2/2/7 mode point-to-point
set protocols rstp interface xe-2/2/7 no-root-port
set protocols rstp interface xe-2/3/2 mode point-to-point
set protocols rstp interface xe-2/3/2 no-root-port

Access switch:

set protocols rstp interface ge-0/0/0 edge
set protocols rstp interface ge-0/0/1 edge
set protocols rstp interface ge-0/0/2 edge
set protocols rstp interface ge-0/0/3 edge
set protocols rstp interface ge-0/0/4 edge
set protocols rstp interface ge-0/0/5 edge
set protocols rstp interface xe-0/1/2 mode point-to-point (this is the uplink to core1)
set protocols rstp interface xe-0/1/3 mode point-to-point (this is the uplink to core2)
set protocols rstp bpdu-block-on-edge



Enforcing standard configuration

I'm looking for some input on what tools/methods people are using to enforce standard config.

I don't exactly mean a golden config, I just mean ensuring that all your devices have certain lines of config applied.

We do have SolarWinds, but its baseline configuration is pretty useless in this regard, as instead of just checking that all the lines exist, it also matches those that do not exist and says there is a mismatch.

I am also in the process of trying to script it, just working out the best method at the moment.

So how does everyone else go about doing this?
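The "every device must contain these lines, ignore everything else" check is small enough to script directly, so here is an added example (an editor's illustration, not the poster's script and not SolarWinds' baseline feature). It normalises whitespace, then uses the device config as a fixed-string, whole-line pattern list and keeps only the baseline lines that match nothing; extra lines on the device are simply never looked at. The baseline lines and the sample running-configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not the poster's script or SolarWinds' baseline feature:
# check that a device configuration contains every line of a required
# baseline and report only the lines that are missing. Extra lines on the
# device are ignored. Baseline and sample configs are constructed.

# Constructed baseline: one required line per row, matched exactly after
# trimming whitespace.
REQUIRED='service password-encryption
no ip http server
no ip http secure-server
logging host 10.0.0.5
ip ssh version 2'

# Constructed sample running-config that lacks two of the baseline lines.
SAMPLE_CFG='hostname edge1
service password-encryption
no ip http server
ip ssh version 2
interface GigabitEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 no shutdown'

# Trim leading/trailing whitespace and drop blank lines, so indented lines
# still compare equal to the baseline and an empty pattern never matches
# everything.
normalise() {
  sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" | grep -v '^$'
}

# Print the baseline lines that do not appear in the config. The exit
# status is not meaningful; callers inspect the output.
missing_lines() {   # $1 baseline file, $2 device config file
  tmp=$(mktemp)
  normalise "$2" > "$tmp"
  # -x whole line, -F fixed strings, -f config lines as the pattern list,
  # -v selects the baseline lines that match no config line.
  normalise "$1" | grep -vxF -f "$tmp" || true
  rm -f "$tmp"
}

# Human-readable report; returns 0 when the device is compliant, 1 otherwise.
check_config() {   # $1 baseline file, $2 device config file
  out=$(missing_lines "$1" "$2")
  if [ -n "$out" ]; then
    printf '%s\n' "$out" | sed "s|^|$2: missing: |"
    return 1
  fi
  echo "$2: compliant"
}

# Write the constructed inputs: the baseline, a non-compliant config and a
# compliant one (the same config with the baseline appended).
write_samples() {   # $1 directory
  printf '%s\n' "$REQUIRED" > "$1/required.txt"
  printf '%s\n' "$SAMPLE_CFG" > "$1/device.cfg"
  { printf '%s\n' "$SAMPLE_CFG"; printf '%s\n' "$REQUIRED"; } > "$1/device-ok.cfg"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_config "$demo_dir/required.txt" "$demo_dir/device.cfg" || true
check_config "$demo_dir/required.txt" "$demo_dir/device-ok.cfg"
rm -rf "$demo_dir"
```

Point `check_config` at a directory of nightly config backups in a loop and the non-zero exit status gives you something a scheduler or ticketing hook can act on; since the match is exact, keep the baseline in the same canonical form the device writes (for example the expanded `interface GigabitEthernet0/0`, not a shortened alias).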



Tuesday, March 2, 2021

MTU across switches

Hey guys,

So I’m going to link two backbone switches up, each contains about 35 computers and a few servers. The switches are both Dell FTOS but years apart so the operating system is like 9.3 vs 10.5.

I'd like to link them via 10 gig and set the MTU size to 9000 on each respective interface.

However on one switch after I set the MTU to 9000 it says ip MTU 8968 and layer 2 9000 and on the other switch after I set the interface to 9000 it says ip mtu 8982 while 9000 on layer 2. So a 14 bit difference between the two switches.

I’ve successfully linked the switches up but I got a LLDP configuration mismatch on the interface in the logs, however, everything works.

So I guess my question is: do I want 9000 and 9000 at layer 2 but be off by 14 at layer 3? Or do I want to match 9000 to 90014 at layer 2 to match 8082 to 8082 at layer three?

This is just an access port link, no trunking.

Also I’ve never really tested two switches linked at 9000 MTU before while the rest of the network is at 1500. Does it make a big performance difference?

Also I cannot upgrade the OS of the old switch, in case anyone wanted to recommend that. Probably if I did that the default MTU would be the exact same, but I can’t, because the old switch is in production and I just need this to work for a few months, then the old switch is getting replaced.

Also the same mtu mismatch happens at the default 1500 setting as well.



I want to use my old router as a wireless repeater but can't find WDS option in my old router

screenshot of my router admin page: https://imgur.com/gallery/HmEJo7j



Cisco Routing - Multiple ISP Setup - Incoming traffic issues...

Hi there,

We are currently deploying a Cisco ISR in our office, with 2 separate ISP connections, and are running into issues with incoming traffic through ISP2.

We have followed the following document to provide ISP/NAT fail-over in case there is an issue on the primary ISP.

https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/200785-ISP-Failover-with-default-routes-using-I.html

We have tested the ISP fail-over, and everything works great for outgoing traffic. The default gateway fails over to the floating static route, and traffic is NATed through the secondary WAN interface IP.

The problem is with incoming traffic to our public address space from ISP2. While the primary ISP is active, all incoming traffic to our secondary IP addresses fails. If we fail-over and the default gateway changes to ISP2, everything in this secondary IP range works fine. Once fail-back happens, incoming traffic fails again.

Am I correct in assuming that this happens because traffic will come in through ISP2, but go back out through ISP1 (default gateway is set to this), which will then drop it due to the source being from a different subnet?

If this is the case, is there any straightforward way to get incoming traffic to our ISP2 public range to go back out the ISP2 default gateway (while all other traffic is unaffected)?

We would like to be able to utilize this secondary IP space even with the primary ISP active.

I was thinking we could utilize Policy based routing but not sure how to best accomplish this, especially when NAT is involved.

Thanks so much for any insight you can provide!



Multiple customer issues, trying to understand some odd results

Hello,

As some background, I work mostly in small/medium business and ran into a service call for VPN related issues. After doing some diagnostics it seemed like packet loss straight at the modem; the ISP (Cox) is saying everything is fine, weird. I decided to check 5 other Cox customers and found similar issues, so I proceeded to see if there was a common cause.

The part I'm stuck on is this traceroute, the first hops?!

Traceroute 1 (customer that contacted us).

traceroute to 4.2.2.3 (4.2.2.3), 30 hops max, 48 byte packets
 1  10.4.8.1  9 ms  6 ms  6 ms
 2  100.120.244.96  9 ms  9 ms  8 ms
 3  100.120.245.4  42 ms  11 ms  10 ms
 4  68.1.5.157  15 ms  15 ms  15 ms
 5  62.115.168.234  16 ms  17 ms  17 ms
 6  62.115.33.117  15 ms  *

Customer 2 - two towns over, about 100 miles apart.

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 48 byte packets
 1.  12ms  11ms  9ms  10.4.120.1
 2.  9ms  10ms  11ms  10.4.120.1
 3.  12ms  13ms  14ms  100.120.244.120
 4.  44ms  19ms  18ms  100.120.244.213
 5.  24ms  45ms  25ms  nyrkbprj01-ae3.0.rd.ny.cox.net 68.1.5.157

This goes on for another 7 hops till destination.

I found all 5 customers' IPs are part of AS22773; unfortunately this is where my knowledge ends.

Either way I'm at the mercy of the ISP, but am I looking at the right thing? Thanks!

https://beta-ui.stat.ripe.net/launchpad/S1_AS22773_C2C4C17C12C13C14C15C16C7C9C6C10

Edit: I guess the question was not obvious. I'm trying to gain more information to give the ISP. I have some results that may or may not be normal: should I be seeing RFC1918 IPs after my external IP? The traceroutes are from the firewall, which is directly connected to the modem.



Is it possible to split an IP address to route two ways simultaneously?

Jr network engineer here so I apologize if I do a bad job explaining, but here's a situation I'm faced with.

I have an analog data stream that is converted into IP at a remote site and then sent over to my L3 switch, which I have control over. At that L3 switch I have two end devices that cannot talk to each other, but both need to be able to access said data stream.

The remote proprietary device that converts the analog to IP has a router-on-a-stick type feature that I set up on its port pointed back to the L3 switch. This allows the stream to be split; it is specifically pointed to virtual interfaces on two separate VLANs, and with this setup everything seems to be working fine while keeping the two end devices from communicating with each other.

Cut to: there is now a new additional stream that needs to be ingested by both end devices, however this time the remote device does not have a router-on-a-stick type capability that I know of. I could set up two different static routes pointing to each device, right? But then they couldn't view the stream simultaneously, only one at a time, having to switch between the two depending on who needed to see it more. I could set them both up on the same VLAN, but then the two end devices will be able to talk to each other.

My question is: is it possible to route this data to both devices at the same time after it hits my network? In the first example I could do this because the remote end device had this capability and it was split to two IP addresses before it hit my network. Could I somehow do this on a Cisco piece of equipment?

Say the end devices are 192.168.1.3 /24 and 172.16.1.3 /24 respectively and the remote stream is 192.169.1.3 /24. Is there a way to tell 192.169.1.3, as it comes into my network, to go to both 192.168.1.3 and 172.16.1.3 at the same time?



INE plans changed to All in One plan?

I just noticed that the pricing plan for INE.com changed from separate plans for each field (namely: Networking, Cloud, Cyber Security and Data Science) to All in One?

Could anyone please confirm if you get an All Base Feature annual subscription, you get access to all of the courses available on the site?



STP Issue?

Hi everyone,

I have a network with two Dell switches, connected to a Cisco switch. The main core switch is an older Cisco switch.

The Dell switches keep having an issue with (brief) disconnections of the 4 Dell servers connected to them. The servers are running VMware 6.7 with VSAN (VxRail), have 4 VLANs on them, and the Dell switches are connected to the Cisco switch using a port-channel (for redundancy).

The Cisco switch has SVI installed on 3 VLANs that are also on the servers.

There are other Cisco switches on the network. I opened a ticket to work on it back in November, but other than an upgrade of all software and firmware, not much has changed. They may be getting disconnected when a TCN is received and the MAC table is cleared but not sure why I seem to be the only one having the issue.

Are there any suggestions for what I can check or change? The Dell and Cisco switches are running RSTP. I never set up the network originally, but I have noticed there are a couple of switches running MSTP.



Would anyone be willing to share a sanitized Aruba L2 config (2540)?

Hi All -

I am new to the Aruba world (coming from Cisco and Juniper) and have a test 2540 up and running, but I can't help but feel like my config looks clunky. I attempted to set it up to match as close as I can to the Cisco L2s I will be replacing (2960s mostly).

As an example, the end of my config has a spanning-tree bpdu-protection for every single port.

I am hoping someone could share what their standardization is like for L2 Arubas that they support.

I appreciate any guidance

Thanks so much



I feel like I owe you this: Almost 90% of our zoom problems are resolved with WLC firmware upgrade

I asked a question here a while back about our zoom problems dropping, freezing, and etc.

Our 5520 WLC was running 8.3 firmware from 2019. After trying almost everything (iperfs, reconfigurations, etc.), nothing fixed our issues.

We did not have the license to download the firmware and I didn't really suspect firmware, but it should have been the first thing I took care of.

Anyways, I bought the smart license last week, first upgraded to 8.5, and now we are at 8.10. Zoom works awesome.

Firmware upgrade will be my primary focus going forward.

I know lots of schools are having issues with Zoom. Try upgrading all your network devices.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Azure as SSH jump box

Has anyone implemented Azure services as SSH jump boxes to on-prem switches/routers? Trying to figure out if it's possible to actually get rid of VPN completely. Web apps look easy to do with a web application proxy, but how about SSH connections? Or maybe something like Apache Guacamole that's published through a web application proxy?



Nokia NSP? Thoughts?

Hey all,

We're evaluating new Automation and tooling for our network. I can't get into details but we run 99% Nokia gear. I can't find much on personal experience stuff with it and wanted to ask here.

Does anyone here use it? How do you use it? What do you like? What do you hate?



Versa SD-WAN BW Subscription

I am working with a partner who is considering offering SD-WAN to customers, and we are evaluating Versa as one of the big vendors. The customer is interested in a BW subscription scheme for branches. I have looked inside the data sheet and did not find anything related to that. Does Versa support BW subscription? Thanks



DC Core and Edge Networking - is there any reason against going full MTU 9000?

Hi all,

I have been doubting myself with this question since knowing about overlay networking (with the use of VXLAN). Apparently, in some networking Leaf-Spine topology, all Leaf and Spine interface MTU seems to be set to more than 9000 (in order to cater for both normal and jumbo frames + VXLAN/UDP/IP overhead). Endpoints on two ends of a connection, with default configuration, send normal frames (1500B or less, caught in Wireshark) and communications seem to happen normally.

In some cases with dynamic routing (OSPF), the MTU has to be set to the same value on both sides (because the MTU-ignore implementation is unstable across vendors), but most modern DC networking devices nowadays also support jumbo frames. So, maybe there's an exception for legacy routing devices?



What are the benefits of using Nexus switches over Catalyst in campus?

Hello all,

I am not a data center engineer, however I support a customer who deploys some Nexus switches on specific sites; these switches connect firewalls and servers. My question is: what are the benefits of using Nexus over Catalyst? For example, vPC in Nexus is equivalent to VSS, and some Catalyst switches support 10/40G interfaces. For sure there is a reason behind it which I am seeking to know :).



Designing Secured Enterprise network

If you were to design a secured enterprise network, how would you design it, and what security controls and solutions would you take into consideration? Perhaps budget is not an issue.



Arista Routers

With Cisco's new DNA license requirements and subsequent costs on their new 8500 and 8300 series routers, I'm looking at Arista as an alternative router platform.

Does anyone have any positive or negative feedback for Arista routers?



Confused on Setting up Route

I've got this Layer 3 Cisco switch that I'm trying to do routing with. One host is directly connected to it with IP address 10.10.10.35/16, with an interface vlan 1 SVI of 10.10.0.1. The Layer 3 switch is going to a managed switch which is then connected to three hosts in different subnets: 192.168.60.0/24, 192.168.70.0/24 and 192.168.80.0/24. IP routing is enabled, but how do I set routes on the switch to all these different subnets?



Fortigate Exporter for Prometheus

Hi folks,

I am a fan of Fortigate firewalls, I use them myself quite a bit. I am also a long term fan of Prometheus (a commonly used metrics database), and Grafana.

A few months back I created an exporter using the Fortigate API to enable people to monitor their Fortigate firewalls using Prometheus. You can find it here: https://github.com/bluecmd/fortigate_exporter.

This allows you to monitor your Fortigate over HTTPS, and everything in the chain is free and open-source. To me personally getting away from SNMP and MIBs is a huge win, which is one of the reasons I created this exporter in the first place.

There are some community-provided dashboards available to get started:

These days the number of contributors is growing and the features and metrics being added are steady. It is still early days for the exporter, a good time to advertise it a bit here so more people can give it a try. Maybe file issues, suggestions, or even try to add some missing metrics you'd like? :-).

Happy to take any questions!

[[This is a follow-up post from soliciting feedback from the Fortinet community, but I got recommended to post it to this community as well]]



Help setting up Cisco 3560 POE switch for CCTV system

I am setting up a new switch for my business, to be used for wired poe security cameras.

Upon plugging in the switch, I used a console cable and putty and began setting up the switch. I set the enable password, then went into config mode. I set the vlan 1 IP address to 192.168.1.100. I attempted to set the trunk port by using the command "int gbethernet0/1 switchport mode trunk". It said that trunk ports cannot be set on ports that are set to auto. But when I plugged it into the router, it turned amber.

When I plug in the camera, it lights up green, but I cannot access the camera's IP address.

I did some googling, but none of the suggestions I found work. Please help.



Crosscheck Firewall logs and Firewall configs

I was wondering what kind of firewall config anomalies I can detect crosschecking these two datasets.

From a paper I got the following six:

1) Shadowing anomaly: A rule is shadowed when a previous rule matches all the packets that match this rule, such that the shadowed rule will never be activated.

2) Correlation anomaly: Two rules are correlated if they have different filtering actions and first rule matches some packets that match the second rule and the second rule matches some packets that match the first rule.

3) Generalization anomaly: A rule is a generalization of a preceding rule if they have different actions, and if the first rule can match all the packets that match the second rule.

4) Redundancy anomaly: A redundant rule performs the same action on the same packets as another rule, such that if the redundant rule is removed, the security policy will not be affected. In addition, our log based mining approach can discover the following non-systematic misconfiguration anomalies.

5) Blocking existing service anomaly: A common misconfiguration case is blocking legitimate traffic from a trusted network to an “existing” service. This for example might happen as a result of misconfiguring the port number or deleting by mistake the exception rule that allows the traffic from the trusted network. This type of anomaly can be simply detected when mining the log file, as the analyst would know that traffic from a trusted network is being denied access to an existing (legitimate) service/port.

6) Allowing traffic to non-existing services anomaly: Another case of misconfiguration is to permit traffic destined to a non-existing service. For example, the administrator configures rules to pass traffic at port 79; however, there is no “finger” service available on port 79. In that case this passed traffic with port 79 will be useless, and one option is to block traffic with port 79. This anomaly can be detected after mining log files of both the firewall and the remote hosts.

My question, are there any config anomalies besides these 6?
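A static checker for the four rule-to-rule anomalies listed above (shadowing, correlation, generalization, redundancy), as an added example that is not from the post or the paper it quotes. It treats rules as first-match, top to bottom, and compares each pair field by field; the rule set is a constructed sample, and redundancy is simplified to the case where an earlier rule already covers the later one.

```python
"""Pairwise firewall rule-set anomaly check.

Added example, not from the original post or the cited paper. Each rule
matches a protocol, source prefix, destination prefix and destination
port range; rules are evaluated first-match, top to bottom.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dports: Tuple[int, int]   # inclusive destination port range
    action: str               # "accept" or "deny"


def rule(name, proto, src, dst, lo, hi, action) -> Rule:
    """Small constructor so the sample rule set stays readable."""
    return Rule(name, proto, IPv4Network(src), IPv4Network(dst), (lo, hi), action)


def _proto_contains(a: str, b: str) -> bool:
    return a == "any" or a == b


def _proto_overlaps(a: str, b: str) -> bool:
    return a == "any" or b == "any" or a == b


def contains(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    return (_proto_contains(a.proto, b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.dports[0] <= b.dports[0] and b.dports[1] <= a.dports[1])


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet is matched by both a and b."""
    return (_proto_overlaps(a.proto, b.proto)
            and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and max(a.dports[0], b.dports[0]) <= min(a.dports[1], b.dports[1]))


def find_anomalies(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (anomaly, earlier_rule, later_rule) for each anomalous pair.

    Using the definitions quoted in the post, with the usual action
    distinction: a later rule fully covered by an earlier one is shadowed
    (different action) or redundant (same action); a later rule that fully
    covers an earlier one with a different action is a generalization; a
    partial overlap with different actions is a correlation.
    """
    found = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            same = earlier.action == later.action
            if contains(earlier, later):
                found.append(("redundancy" if same else "shadowing",
                              earlier.name, later.name))
            elif contains(later, earlier):
                if not same:
                    found.append(("generalization", earlier.name, later.name))
            elif overlaps(earlier, later) and not same:
                found.append(("correlation", earlier.name, later.name))
    return found


# Constructed sample rule set (RFC 1918 sources, RFC 5737 destinations).
SAMPLE_RULES = [
    rule("r1", "tcp", "10.1.1.0/24", "192.0.2.0/24", 80, 80, "deny"),
    rule("r2", "tcp", "10.1.0.0/16", "192.0.2.0/24", 80, 80, "accept"),   # generalizes r1
    rule("r3", "tcp", "10.1.1.0/24", "192.0.2.10/32", 80, 80, "accept"),  # shadowed by r1
    rule("r4", "udp", "10.1.1.0/24", "192.0.2.0/24", 53, 53, "accept"),
    rule("r5", "udp", "10.1.1.0/24", "192.0.2.0/24", 53, 53, "accept"),   # duplicate of r4
    rule("r6", "tcp", "10.2.0.0/16", "198.51.100.0/24", 1, 1023, "deny"),
    rule("r7", "tcp", "10.2.5.0/24", "198.51.100.0/24", 1000, 2000, "accept"),  # correlates with r6
]

if __name__ == "__main__":
    for kind, a, b in find_anomalies(SAMPLE_RULES):
        print(f"{kind:14s} {a} -> {b}")
```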



Ever done the "ping trick" for NAC?

Scenario: You have wired 802.1X configuration set up to authenticate devices, and dynamically assign the correct VLAN based on device profile. Non-authenticated ports are placed in a black hole VLAN.

Scenario: Some "dumb device" that doesn't generate a lot of traffic eventually has the auth session time out. The port switches over to the black hole VLAN, and deauths. The device just sits there never sending traffic, and thus never reauthenticates. It will basically stay down forever, unless woken up somehow.

The Ping Trick: Quickly create a local layer 3 interface on the switch in that Blackhole VLAN, with the subnet that the non-authed device is supposed to be in. Ping the device's IP from that vlan interface. The device will receive the ping (assuming you have control-direction in) and will respond to the ping, triggering the authentication process to finally begin.

Once the device is up and authenticated you can remove the layer 3 interface again from that blackhole VLAN.

This is... cumbersome. And won't scale well. Yet, as far as I know, it's really the only go-to solution for the situations I've described. Or is it?

How are people handling "dumb devices" that must do MAB now? As long as the device is chatty and sending frames now and then it'll stay authenticated. If it goes silent it'll just de-authenticate, and then, because it's placed on a black hole VLAN, it'll never receive any packets that would have otherwise woken it back up.

Ideas? I posted about this about a year ago. Still haven't ever seen a solution. I haven't ever really even seen anyone else other than those who post here acknowledge that this is a problem. Usually when I bring it up with vendor reps I get funny looks and the implication that we've set something up wrong, and they've never heard of people having this issue.

EDIT: I've lied. I've seen some other solutions proposed by some users. They are all varying degrees of bandaids.

  • Force the device to set up as DHCP mode, with a short lease time, so it will force the device to periodically generate traffic.

  • Force the device to set up NTP so it will periodically generate traffic.

Depending on the vendor and device, some of these are not workable. There should be a way to fix this on the network side, but I'm sure that gets into a philosophical discussion on whether or not this should be fixed on the network side, because it's not a network problem. And yet.. it is. Because it's our switch changing the vlan and de-authenticating the device, and our end user suffers the consequences, because now their device is "down."



IPsec vs SSLVPN discussion - pros and cons differences.

This is the way I understand these protocols, it may not be 100% accurate, and I'm looking to see what the /r/networking metamind has to say on these topics, and hopefully gain some more insight in the process. Feel free to comment/correct wherever you feel like.

IPsec operates at layer 3 and as such seems a good candidate for LAN to LAN connectivity (though Client to LAN IPsec VPN is also reasonably common). It can handle multicast and broadcast traffic (though I never used this). Riding on top of IP (either as ESP or UDP when using NAT traversal mode) it provides a connectionless service, much like plain IP. When used in interface/VTI mode, it provides for a fair bit of flexibility in terms of dynamic routing. Though the way I see it interface or policy mode isn't something that's intrinsic to IPSec itself, but rather to the specific implementation. At the end of the day IKE sets up the tunnel parameters and the encrypted ESP (or UDP) packets flow between the endpoints. The other endpoint neither knows nor cares if the other side used an interface style configuration or a policy style configuration to decide which packets to encrypt and send over. Initially I thought SSLVPN can't be this flexible, but now that I think about it, OpenVPN is essentially SSLVPN and it can do LAN to LAN just fine (including dynamic routing), though I've never come across a commercial SSLVPN that can do this.

IPsec provides for tunnel and transport modes. The way I used these is usually I go for tunnel mode (and except for Cisco routers the other devices I played with don't even seem to have a transport mode, unless you dig very deep into the nerd knobs). I've only seen transport mode on Cisco and Mikrotik. The only use case I see for transport mode is, when using GRE over IPSEC, it saves you a bit of overhead, since GRE already has the inner IP header. Though afaik you can run GRE over IPsec with tunnel mode IPsec and it works just fine. Is anyone aware of any other use cases for transport mode? Also, transport mode unless it has GRE on top of it is pretty much useless (you could use it to manage the device itself, but SSH does the same thing just fine so why reinvent the wheel).

IPsec is a bit more of a standard than SSLVPN in that a firewall from vendor A will most of the time be able to build a tunnel to a firewall from vendor B (or a Windows/Linux station), whereas SSLVPN implementations are vendor specific and you either need an application from that vendor on the client (or sometimes a browser plugin). But then again, there's OpenVPN.

SSLVPN uses the same TLS as HTTPS so it works at layer 4 (or above if you want to consider the TLS as a separate session layer). I would say this makes it easier to use from behind a firewall you don't control. Any hotel/airport Guest Wifi will likely allow TCP 443 to pass through without much hassle, and the same can definitely not be said for IKE and ESP.

I've never had this happen to me, but I think I read somewhere that it's possible for the TCP flow control/retransmission mechanism governing the SSL connection to interfere with the TCP flow control/retransmission running in the TCP sessions in the tunnel. I imagine that there should be no issues with UDP inside traffic, other than negating any advantages that the lightweightness of UDP may bring. However, a scenario in which two flow control/retransmission mechanisms working independently do more harm than good seems plausible.

The SSLVPN implementations I used were solely for Client to server traffic.

All SSLVPN implementations (that I've seen) are essentially tunnel mode.

I've not seen any LAN to LAN SSLVPN implementation from the major vendors (which isn't to say such a thing does not exist). What I do remember seeing was an OpenVPN + BGP (using Quagga) setup, though at the time I really did not understand the details of how it worked. Looking back on it though, I think it was pretty close to DMVPN in terms of dynamic failover capabilities; though it couldn't go as far as dynamic spoke-to-spoke tunnels, an orchestration layer built on top of it with Puppet took it pretty close. And if I understand correctly OpenVPN is essentially an open SSLVPN implementation.

Come to think of it, what do proprietary SSLVPN implementations offer that OpenVPN does not? I'm probably wrong but the only thing I see coming with a proprietary SSLVPN implementation, is the inability to operate with other vendors.

SSH "VPN" though I only very rarely used this, seems much like SSLVPN. Any comments welcome here.

Writing this post I had to reevaluate how things actually work. In the beginning I thought IPsec was for LAN to LAN whereas SSLVPN was for host to LAN, but midway through I realized that OpenVPN (which is SSLVPN) can do LAN to LAN and host to LAN (and I knew from the start that client IPsec VPN was an option). Functionality wise, at least when comparing OpenVPN with IKE/IPsec VPN, I find no meaningful differences (though when it comes to specific implementations there may be significant differences). It may be that IKE/IPsec offers a bit more interoperability (but I suppose this is due to firewall vendors choosing to invest more into it; probably the same could have been done with SSLVPN) and that SSLVPN will have an easier time traversing firewalls, but that's about it.

Now I'm asking myself, why did we end up with two different protocols that basically do the same thing? Which came first, and why was there another invented when there was already a first one?



Native VLAN / Dummy VLAN

Hey everyone,

I have a question about native vlan / default vlan.

In most cases vlan 1 is the default vlan and it should be changed to i.e. vlan 111 for security reasons.

Now I'm wondering if it is the same as a security aspect:

interface vlan 999

description --> DISABLED

shutdown

and assign all unused ports to vlan 999 instead of using a native vlan? Or am I completely wrong with that?

Thanks



Slow network and ping loss

Hi,

so we added a 4th switch to our core stack (ring) and a new SFP LAG uplink to a new access switch stack.
Also upgraded all stacks to the latest 2.5.5.47 firmware and everything seemed fine on Sunday.
Models are all Cisco SG350x in different flavors (with/without POE, 48P, 24P).

With the returning users on Monday, shit started to hit the fan.
Users are reporting problems on time critical applications (like Microsoft Dynamics nav).

Tests show that ping response times sometimes jump from <1ms to 2ms, sometimes 15ms, or drop completely. I don't see STP blockings on any stack.

CPU Load on the core stack jumps up and down from 90% to 40%.
Cisco web interfaces are extremely slow too.

I'm kinda lost here, been wiresharking the network for some time, I don't see anything too freaky.
I'm wondering if we simply hit the performance threshold of the SG350x (about 300 endpoints) or if the new firmware did something unexpected, although I didn't see much in the release notes, except changes in FindIT.

Any help or advice for further debugging would be greatly appreciated.



Monday, March 1, 2021

Network Engineer vs Network Specialist?

I've been working as a Network Specialist for a while and I recently started wondering what the difference is between a Network Specialist and an Engineer? I'm in charge of deploying and configuring routers, switches, IP phones and WAPs throughout our campus. I have to design topologies and IDF rooms as well as the whole wireless setup. I also overlook them to make sure they are running and maintain them, including Jabber, CUCM, and VPN, both in setting up and maintaining. I'm sure I'm forgetting something else. But I'm alone in our low-budget community college, I love what I do and have wanted to get into networking for a long time. I have no degree yet (currently working on it), also working on getting the CCNA and other certs. I've just been busy studying.

What does a network engineer do differently? I'm exhausted and have been using this as an XP gainer, so when I move to a bigger city, I can have a better chance at getting a Networking position.

Also, I run cables, organize them, map them in documents.

Is it just having a degree? Thanks for the help!



Question about Ekahau Sidekick

Hello. I have questions about Ekahau Sidekick.

I need to perform a physical WiFi survey for a site before implementation of access points. I played around with Sidekick and could determine that it analyses existing APs and SSIDs and can generate a heatmap of the signals being broadcasted, and also can auto-place these existing APs in the best location according to the floor plan. Please note that the building currently has no APs.

Is there any way to:

  1. Input the number of APs that I have bought, e.g. 10 APs.
  2. Input the model of the APs that I have bought.
  3. Use "Continuous Survey" option to walk around the building with Sidekick.
  4. Sidekick then determines what are the best locations for these 10 APs.
  5. Additionally, Sidekick recommends whether 10 APs are enough or whether more or fewer APs are needed.

Thank you all for any help.



Question on spanning tree behavior

Had a network loop today, first one in a long time. A vendor created the loop on an unmanaged switch that plugs into one of my HPE 2920 edge switches. Spanning tree was enabled and killed the vendor port and the uplink port to the core. It was a VLAN that is on all of my 15 switches.

Is it normal behavior for STP to kill the uplink port as well, making the switch an island? I thought it only killed the offending port, the vendor.

Just wondering if this is normal or if I have something configured incorrectly. My network is HP/Aruba.

Thanx



PPPOE sessions traffic generation

Hi everyone,

I am searching for a free tool that can generate multiple PPPoE sessions (DSL traffic). Are there any suggestions?

Thanks in advance. Obada Abdallah



Looking for some places to purchase product

So I’m trying to get a list together of wholesale distributors and places similar to companies like ADI and Grainger who can get a variety of material and parts for pricing up contracts and quotes for my new venture I’m starting. I have a few accounts with a few manufacturers and one with ADI already that I’ve been using but I was just wondering what other options are out there for small contractors to order parts and materials through.