Saturday, March 27, 2021

Help with ONT Adtran GPON 452

I have a new Adtran GPON 452 that was installed. The power is on and the fiber has been spliced in. I was not around when the service provider installed it, but he mentioned that another tech would come back and we just needed a “fiber ready router” to plug the incoming Ethernet into inside. The tech that is supposed to come back and “plug in the Ethernet” is several weeks out. I have since set up my networking equipment correctly (dynamic), but no internet to my WAN. I do NOT have a static IP from my utility provider.

It looks as if the tech ran a test and wrote on the door, so I am assuming there is connectivity, and all the lights are solid green. Is there something I can do to turn it on?

If I plug an Ethernet cable from Ethernet Port 1 / 2 on the ONT to my USG WAN 1, I get no internet access on my USG. Assuming everything on my USG and PoE switch is set correctly, any ideas to get the ONT online? Not looking to step on my provider's toes, but if this is something simple I'd rather just enable it; that would be very cool and I could cancel the interior tech.

I am fairly experienced with the hardware I have - Ubiquiti USG 4 Pro (gateway) and PoE 24-port switch - so I'm confident it's at the ONT or before. I do have the correct tools to open up the ONT (keyed hex etc.).

Thank you in advance for any help.



Lost between Asterisk and CUCM: what to choose?

Hi,

I'm looking for the best option for me between Asterisk and Cisco Unified Communications Manager (CUCM). They both have advantages and disadvantages.

My number one priority is: I'm willing to build my own SIP trunk line, and apparently Asterisk and CUCM are both able to make SIP trunks.

The advantages of Asterisk :

  1. Free forever
  2. Good Design and modern UI/UX
  3. More popular (if I'm not wrong)

The advantages of CUCM:

  1. Very full-featured (not sure if Asterisk has the same amount of functionality)
  2. Can create SIP trunks, SCCP, DID and much more
  3. Certification CCNP (350-801)
  4. Used by large businesses

Downside:

  1. Not free; 60-day trial, and hard to know the price for CUCM 12.5
  2. Old UI and not user friendly
  3. Made for Cisco phones

Note: I'm taking the training: 350-801 with 300-070

I'm new to the world of telephony, so if I'm wrong in a place please correct me. If I missed something please correct me.

For now, I don't have many calls, but in the next few years, I will probably become a SIP trunk provider.

Finally, which PBX Should I choose between Asterisk and Cisco Unified Communications Manager?

Thanks



New to this please don’t bully

So I'm new to this entire networking thing. I have a 10 gigabit switch that connects my NAS to my PCs, so that is 10 gigabit switch to 10 gigabit port. But I'm wondering: can I go from the 10 gigabit switch to a 1 gigabit port for my laptop?



Setting default IP route to node running DNS server connected to internet

I have 3 nodes connected via a router. One of the machines is connected to the internet via a different NIC interface. The other machines cannot be connected the same way as the machine that is currently connected, as they only have one NIC interface; however, I believe I can set an IP route somehow.

Can anyone help me please ?

The node connected to the internet: 193.168.1.164 via 172.0.0.1

Other nodes on the same LAN:

193.168.1.165

and

193.168.1.166



Shallowest 48-port PoE switch?

Hey guys,

I need to replace an access switch that is currently mounted sideways in one of those structured media cabinets. We currently have a Ubiquiti EdgeSwitch 24-port PoE that is mounted there, but we have run out of ports and need 48. Unfortunately, there is no additional room to stack another 24-port switch, and the Ubiquiti 48-port model is too long to fit here.

Does anyone know of a good shallow PoE switch that can fit sideways in a wall (16" on center, so 10-12" depth would be ideal)? Normally, I'd steer clear of brands like Netgear and gravitate towards Juniper, Cisco, Arista or whatever, but if there's something that works, we'd consider Netgear. Also, SFP+ ports would be ideal, as the current switch only has SFP.

I know it would be ideal to just place a small rack here and get whatever switch works, but unfortunately, due to the geometry, this will not work (this is mounted to a wall behind a door, and the mounting location is otherwise perfect). Also, we don't need L3, but it would be nice.



3750X - Restrict SSH access to non-management SVIs

Hi,

I can't seem to find any working examples of this elsewhere.

I have a 3750X core switch with the below SVIs:

VLAN 100 - 10.1.0.254/24

VLAN 101 - 10.1.1.254/24

VLAN 102 - 10.1.2.254/24

VLAN 103 - 10.1.3.254/24

VLAN 100 is the management VLAN, but out of the box I can SSH into any of the above IPs without any problem.

How can I get it so that when I SSH into 10.1.0.254 it works, but when I SSH into the other addresses, it doesn't work?

I am already able to restrict based on source but am wanting to restrict on destination instead.



Can you prevent spoofed packets from entering the internal network?

tldr: The end goal is to not have spoofed packets with arbitrary payloads enter the network.

Consider some IPv4 network with a public IP and lots of devices behind a NAT. To some extent NAT and a stateful firewall prevent someone on the external network from directly sending traffic to the inside. However, if you manage to spoof packets in a way that you know what the firewall expects, it will let those packets through. The OS/application will then decide what to do with those ... which could have some undesired consequences depending on the payload of the packets.

This seems to be a problem in particular for UDP packets, since you don't have many options to create state. To my knowledge, having the right src/dst port/IP will make a packet go through.

Is there anything you can do about this?

With TCP, and in particular encrypted traffic, this is a bit easier. At least you can create some intercepting proxy which decrypts and forwards the packets to the final destination. So the actual packet from the external network is gone and will in most cases not make its way to the end application.

But (unencrypted) UDP is a problem. Is there some way to change the payload of the packet while still preserving its meaning? There are converters for PDF/DOC files to some other format like images in order to remove scripts/macros. The image has fewer functions but is still human readable. I did not come across something similar for packets though. I don't think this is generally possible. Some kind of intercepting/mangling proxy would be nice but works only for encrypted stuff. Also I'm not aware of any solution that works for encrypted UDP like QUIC or DTLS.

Maybe there are some other options?
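The point the post is circling, shown in code. This is an added example, not part of the original post: a toy stateful UDP filter in which an outbound datagram opens a pinhole and any inbound datagram that reverses the 4-tuple is admitted, so a legitimate reply and a spoofed one with forged source address/port look identical to the firewall (and the spoofed one even refreshes the idle timer). The only layer that can tell them apart is the application, here with an HMAC tag over the payload under a pre-shared key. The addresses, ports, key, timeout value and packets are constructed for the demo; the HMAC scheme is deliberately minimal and has no replay protection, which is what DTLS and QUIC add on top.

```python
"""Added example, not from the original post: a toy stateful UDP filter that
shows why a spoofed datagram matching the expected 4-tuple passes the firewall,
and an application-layer HMAC check that rejects it. Addresses, ports, the key
and the timeout below are constructed for the demo."""
import hashlib
import hmac
from dataclasses import dataclass

UDP_TIMEOUT = 30.0  # assumed idle timeout, same idea as nf_conntrack_udp_timeout
TAG_LEN = 32        # HMAC-SHA256 tag length in bytes


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


class StatefulUdpFilter:
    """Admits an inbound datagram only if it reverses a flow an inside host
    opened recently. That 4-tuple plus a timer is the whole 'state' UDP has."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port) -> last seen
        self._flows: dict[tuple, float] = {}

    def outbound(self, d: Datagram, now: float) -> None:
        self._flows[(d.src_ip, d.src_port, d.dst_ip, d.dst_port)] = now

    def inbound(self, d: Datagram, now: float) -> bool:
        key = (d.dst_ip, d.dst_port, d.src_ip, d.src_port)
        last = self._flows.get(key)
        if last is None or now - last > UDP_TIMEOUT:
            return False  # no matching flow, or it went idle
        self._flows[key] = now  # any matching packet refreshes the timer, spoofed or not
        return True


def seal(key: bytes, payload: bytes) -> bytes:
    """Application-layer protection: prepend an HMAC tag over the payload."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def unseal(key: bytes, msg: bytes):
    """Return the payload if the tag verifies, else None. This toy has no
    replay protection; DTLS/QUIC add sequence numbers for that."""
    if len(msg) < TAG_LEN:
        return None
    tag, payload = msg[:TAG_LEN], msg[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def demo() -> dict:
    """An inside host talks to a server; a legitimate reply and a spoofed one
    arrive with identical headers. Returns what each layer decided."""
    key = b"pre-shared-demo-key"  # constructed
    fw = StatefulUdpFilter()
    fw.outbound(Datagram("10.0.0.5", 5000, "203.0.113.10", 4433, b"hello"), now=0.0)

    legit = Datagram("203.0.113.10", 4433, "10.0.0.5", 5000, seal(key, b"ok"))
    # The attacker forges the same source address/port but does not know the key.
    spoofed = Datagram("203.0.113.10", 4433, "10.0.0.5", 5000, b"\x00" * TAG_LEN + b"rm -rf")
    unrelated = Datagram("198.51.100.7", 4433, "10.0.0.5", 5000, b"probe")

    return {
        "legit_firewall": fw.inbound(legit, now=1.0),
        "spoofed_firewall": fw.inbound(spoofed, now=2.0),
        "unrelated_firewall": fw.inbound(unrelated, now=3.0),
        "legit_app": unseal(key, legit.payload),
        "spoofed_app": unseal(key, spoofed.payload),
        # The spoofed packet refreshed the pinhole at t=2.0; it expires after UDP_TIMEOUT.
        "stale_firewall": fw.inbound(legit, now=2.0 + UDP_TIMEOUT + 1),
    }
```

Run `demo()` and compare the two layers: the firewall admits both the legitimate and the spoofed reply and rejects only the packet whose 4-tuple never matched, while the application-layer check admits only the payload carrying a valid tag. That is the practical answer to the question: the network can enforce the 4-tuple and a timer, and everything beyond that has to come from authenticated payloads.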



[Question] I was wondering how many of you have actually seen Linux being used as the default OS for users? If so, how big was (were) the organisations?

I am not talking about Linux used in servers, but workstations in use by non-technical staff. For example, the receptionist or someone in accounts or marketing. macOS does not count. I imagine developers, sysadmins and technical staff might use it, but I am interested in wider enterprise use.

A colleague and I had a mild argument, and he was insisting that Linux is not as uncommon as I think. My point was, if it was common, you would have more commercial software available. Right now, most of the Linux software looks/feels like labours of love and "community" supported rather than active professional development. I am happy to be wrong on this, and it is entirely possible that my view is distorted by my professional experience.



You inherit two Cisco switches (2 x Cisco SF300-48PP 48-port 10/100 PoE+ managed switch with Gig uplinks); what will you choose next?

So... Bit of a fun challenge, I guess. And down to different perspectives... How would you set this network up (i.e. what router, access points, etc.) to simply get the WiFi (gigabit) working over two floors in a building that fits 200 employees?



Telephony Question - Number, Greeting/Message and IVR availability checker

Has anyone heard of a service that can call into phone numbers to confirm the availability of phone numbers, IVR menus, messaging, etc.?



Friday, March 26, 2021

How would an ISP capture the metadata of their customers

By law it is a requirement for ISPs to store metadata like customer IP and destination of traffic. What systems can you use to do this from a Cisco router? We are starting a small ISP and would like to know what other software is required.



Mobile network question

Before asking my question I need everyone to understand this is truly a mobile network and I really had no idea how to build one when I started. Just had an end goal and I made it happen my way.

I drive an 18-wheeler and my network is in the truck with me. I haul a lot of military loads that need to be under constant video surveillance per my contract.

Now this is what I have. I have a Synology RT2600ac router so I can utilize the 4G capability to get internet to the network via my hotspot, a Synology NAS, and a Linksys LGS352MPC network switch to power my 12 small IP PTZ cameras on the truck.

So my question is this: I know I can get a static IP for my hotspot from Verizon, however it is a one-time fee of $400, so is there any need to get a static IP for it? If so, what is the reason for doing so?



Question about Cisco ASA default OSPF costs

This is driving me crazy, and I haven't found any Cisco documentation to explain this finding. I'm thinking it's an ASA thing, but I don't see why it would be.

  • I have several routed Cisco ASAs participating in OSPF.
  • They are the only OSPF router on most interfaces, so they report those as stub networks with a cost of 10.
  • Any transit networks also have a cost of 10.
  • All these ASAs use 1 Gbps or 10 Gbps interfaces with a reference bandwidth of 100 Mbps.

I don't understand why those networks have a cost of 10 instead of 1, as I see no OSPF commands to explain it. Since this is common to all our ASAs regardless of software version, I'm wondering if this was an architectural decision to make firewalls less likely to be used for transit. I'm not satisfied with that hypothesis because the cost is the same for transit and stub networks.



Getting into Network Security.

Hi Dears,

Need the advice from your expertise.

- When I search to apply for Senior Network Engineer positions these days, companies usually combine the position to be Network & Security Engineer. I have a solid background in enterprise networking but not security; how can I get on track? What I notice is that they require experience in multiple vendors; for example, in firewall requirements they want candidates to be aware of (Cisco ASA & Firepower, Palo Alto, Fortigate, Juniper), F5. Do all those firewalls work similarly? How can someone master all these different vendors?

- Any tip on where to start? I am thinking of getting into the old CCNA Security curriculum; is this a good start?

- I will not be able to practice these technologies and vendors as I don't have access to firewalls; is there a virtual appliance of those vendors for labbing?

- What are the best study techniques for security topics and concepts, as I had a tough time understanding and memorising the configuration of IPsec and encryption?

- What are the best study materials out there?



Companies to travel with as a network engineer

Currently a network engineer for Verizon. Wondering if there are any companies I could get a job with as a network engineer which includes traveling.



Nexus 7k Module Replacement.

Hi Dears,

We will need to replace a faulty module of a Cisco Nexus 7k. Are there any configuration precautions to be taken after the module is replaced, or will it just be plug and play? The current module holds the vPC peer link, so it will be down for a while, I guess.



DDoS question

We've had a couple of attacks recently. Both were session-based attacks that overwhelmed our FortiGate. One was attacking RDP and one was IKE, neither of which is open to the internet. The sessions were de oed but still too many per second. I had an idea of setting up NAT pools for the schools that I think the kids who are starting it would be at. Not that it's actually coming from the school; I'd just be able to see which IP they are attacking in the logs, so I'd know who looked up their IP. This would narrow it down to an IP that just that school uses for outbound traffic. Not that it would help us catch them or mitigate the attack. Any issues this might cause? Anything else you can set up on FortiGates that would help? I'm assuming the built-in DDoS tools are useless if the sessions are getting to it? I've looked into Zayo DDoS protection but not sure it's worth the price for as little as this happens.



Some Friday Rack humor.

Not sure if this is allowed here; delete if not. Didn't seem to break any rules besides maybe low quality? Has anyone seen the listing for these racks? https://www.amazon.com/dp/B07YYJMCNV/ref=cm_sw_r_cp_apa_fabc_68VX1KR731CYYHNWMZA5?_encoding=UTF8&psc=1 Some of it's a little cringe but I find it overall pretty funny. Promise I'm a real person and not a shill. Figured someone might get a kick out of it like I did.



Azure HCI Switching

My company is looking to implement an HCI solution in a datacenter for offloading compute. Looking at Microsoft's site, they recommended the Dell S522 series as well as the Lenovo NE10032. We were also looking into Juniper, Aruba, and Arista. Has anyone deployed an HCI solution?

Our requirements are 100GbE with three clusters.



How does handoff equipment connect at the ISP

I work in a small company, dealing more on the sysadmin side but trying to learn more about networking. I am specifically interested in service provider stuff. We have an EDI fiber circuit through Comcast. The handoff is a Ciena box. My understanding is that the Ciena box is facilitating an Ethernet connection between our router and Comcast's router? We have a /30 between them. Is this how it works, or is it more complicated than that? Like, at what point does it transition from Ciena equipment to Juniper/Cisco or whatever they run at the central office?



USB Ethernet adapters: can't unlock 2.5/5GbE functionality with Cisco switch

Hey folks,

At the office we have a pair of Cisco SG350XG-48T switches, which according to the literature are multigigabit capable. 10G works fine with our one device with a 10GbE NIC and another downstream branch switch.

The problem:

Our office is full of iMacs which are 1GbE. We do a lot of file transfers and thus want to leverage our fast network. Since external devices are the only current option, I picked up a 2.5GbE and a 5GbE USB 3 dongle to test out. No matter what I have tried, I can't get them to breach 1GbE.

What i've tried:

Multiple iMacs/multiple ports/multiple cables/Windows laptop

Setting speed manually to 2.5/5 in the client machine: with the 5Gb adapter it will show as no cable connected (Aquantia/Marvell driver), and the 2.5 will connect but still only show a 1GbE connection (Realtek). I tried adjusting numerous other settings in the network device manager; nothing affected it.

Updated drivers, no difference.

On the switch side, tried setting to 10Gb as well as auto negotiate, no success. Tried digging through online docs and all the other settings in the switch to see if there was something else to adjust, but I'm here, so you know how that went.

Hope someone here can point to that one thing i haven't tried or some inherent reason why it won't work. Thanks!

Edit: all systems have USB 3.0/USB 3.1 Gen 1/USB 3.2 Gen 1 (all the same nonsense)



Checkpoint - Separate interface for RA VPN and S2S VPN

I have an R80.30 cluster which has two external connections: ISP1 and ISP2.

For our Remote Access VPN, the ISP1 interface is chosen under IPsec VPN | Link Selection. However, I am turning up an S2S VPN to Azure and want to use ISP2 for that connection. How is this achieved?

I have done a bit of googling but did not find anything besides sk32229, which is very old, so I am not sure if it is still relevant.



Troubleshooting Network Speed Cap

Hi guys,

I recently started experiencing slower network connectivity. My ISP is Comcast and I have the 800Mbps plan. I tested the speed from my gateway to the internet and got about 900Mbps, which is fantastic... But when I test my speed from my PC (wired Ethernet connection) to the internet, I get a cap at 240Mbps.

I tried different speed tests and tried downloading files and still got about the same result (~240Mbps). I also tried resetting the modem and restarting my computer - nothing. I would like to mention that I was getting the 800Mbps speeds up until about 4 days ago.

Hardware: Killer E2500 Gigabit Ethernet Controller
Not using any VPN.

Can anyone help me figure this out?
Thanks!



Taking over a Control Network

It looks like IT will be taking over maintaining the control network where I work. The network is up and stable. If anyone can give any heads-up about how much different this will be for me than maintaining an enterprise network, that would be awesome.



Replacing L3 Switches - Looking for general advice

Our current Cisco Catalyst 3750s lose support in October. So in the next few weeks, we'll be replacing them with Netgear M4300-24Xs.

I'm a sysadmin but at this point in my career, I've been pretty light on the networking side, so I'm a little worried about the unknown-unknowns.

Taking a Cisco config and translating it to a Netgear config is one thing. But I'm also not sure about the best way to actually bring everything over to the new switches.

My boss wants to configure them to be an exact copy of the switches we're replacing and then move the cabling over. I'm thinking it may be easier to copy the config but use new VLANs so the new and old switches can coexist for a time and we can bring everything over slowly, once we confirm it's working.

Let me know what you think.



Has anyone switched over from Enterprise to Service Provider to do more "pure networking"? How has it worked out?

I have been on the networking team at a medium-sized enterprise for four years now. In that time I feel my routing and switching skills have diminished. My day-to-day mostly involves "network services" such as DNS, DHCP, F5, firewalls, URL filtering, etc.

My love for networking started when I earned my CCNA and CCNP R&S within about a year. In fact that is what earned me this first networking position I am in right now. But I feel like I touch or look at routing at my job maybe once per week (if that?). I can't help but feel that I've become more of a general system administrator than network engineer at this point, when you look at how I actually spend my day.

Has anyone felt this way and switched over to service provider or some other more routing-focused role? What was your experience like?



Moving from one enterprise site to another

We have two DCs connected with OTV between them, running Nexus 7K at core/agg and Nexus 5K as distro.

We also have dark fiber from the active DC to the head office, which is routed to where we have C9300 routers at the corp site where we created office VLANs.

Management wants to move offices, and also we need to move the routers to the new office and order new dedicated fiber to our DC.

I am a bit confused here about how we shall manage this without any downtime; management wants both offices running until we have moved to the new one.

As we have locally created VLANs on the C9300 routers at the current office, how do we make that work with the new site at the same time so users can connect their laptops to the same subnets at both offices?

My first thought was setting up MP-BGP and VRFs, or even VXLAN.

Anyone got any smart idea to make it as smooth as possible without downtime?



Reverse Proxy setup over multiple servers

Our network is littered with resources over multiple servers; for example, our Jenkins is at 192.168.0.5:50000, our test environment is at 192.168.0.2:443, our other app test environment is at 192.168.0.2:8080, and so on.

I've been looking to deploy a reverse proxy to redirect something like jenkins.company.local to 192.168.0.5:50000, and then create an A record on our local DNS from jenkins.company.local to the IP of the reverse proxy, but I haven't found any tutorials that cover this use case. Is it even possible?



Hide network traffic via multiple SSH tunnels?

I was recently tasked with improving our workplace security by installing third-party agents (essentially a black box) to monitor suspicious network traffic on employees' work computers, which made me wonder: since SSH traffic is encrypted, is it possible for network traffic to be hidden via multiple nested SSH tunnels together with tools like scp to transmit data out of work computers?

As far as my understanding of networking goes, the only traffic that should be detectable is the initial SSH connection from the work computer to the first SSH server. Any "other" malicious traffic beyond that layer shouldn't be detectable?

Appreciate any advice!
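What the network side can still see, as an added example that is not part of the original post. The inner hops of a nested tunnel chain are indeed invisible to the workplace network: only the first SSH session leaves the workstation. But that first hop still has a destination, a lifetime and a byte count in each direction, and bulk exfiltration through it shows up as an SSH session to a host that is not an approved bastion and/or a session that sends far more than it receives. The detector below runs over a constructed comma-separated flow export (timestamp, source, destination, destination port, duration, bytes sent by the workstation, bytes received); the approved bastion range, the thresholds and the sample records are assumptions for the demo.

```python
"""Added example, not from the original post: a small detector run over
constructed flow records. The first hop of a nested SSH tunnel chain is all the
network sees, so detection keys on that hop: where the SSH session goes, how
long it lives and how byte-asymmetric it is. Thresholds and the approved
bastion list are assumptions to tune for your environment."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

APPROVED_SSH_NETS = [ip_network("10.20.0.0/16")]  # assumed: corporate bastions
UPLOAD_BYTES_MIN = 50 * 1024 * 1024               # assumed threshold
UPLOAD_RATIO_MIN = 5.0                             # sent/received, assumed


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    duration_s: int
    orig_bytes: int  # bytes the workstation sent
    resp_bytes: int  # bytes the workstation received


def parse_flow(line: str) -> Flow:
    """Comma-separated export: ts,src,dst,dport,duration,orig_bytes,resp_bytes."""
    ts, src, dst, dport, dur, ob, rb = line.strip().split(",")
    return Flow(int(ts), src, dst, int(dport), int(dur), int(ob), int(rb))


def approved_destination(ip: str) -> bool:
    return any(ip_address(ip) in net for net in APPROVED_SSH_NETS)


def reasons_for(f: Flow) -> list[str]:
    """Rules that fire on the visible first hop of an SSH tunnel."""
    reasons: list[str] = []
    if f.dport != 22:
        return reasons
    if not approved_destination(f.dst):
        reasons.append("unapproved-ssh-destination")
    # scp/sftp out through a tunnel is upload-heavy; interactive or
    # pull-style sessions are not.
    ratio = f.orig_bytes / max(f.resp_bytes, 1)
    if f.orig_bytes >= UPLOAD_BYTES_MIN and ratio >= UPLOAD_RATIO_MIN:
        reasons.append("upload-heavy-ssh-session")
    return reasons


def analyze(lines) -> list[tuple[str, str, list[str]]]:
    """Return (src, dst, reasons) for every SSH flow that tripped a rule."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        why = reasons_for(f)
        if why:
            alerts.append((f.src, f.dst, why))
    return alerts


# Constructed sample export (not real traffic).
SAMPLE_FLOWS = """\
1616716800,10.30.1.15,10.20.0.8,22,540,240000,1800000
1616717100,10.30.1.15,198.51.100.23,22,14400,734003200,9200000
1616717400,10.30.1.22,10.20.0.8,22,7200,4500000,600000000
1616717700,10.30.1.15,93.184.216.34,443,12,4000,120000
"""

if __name__ == "__main__":
    for src, dst, why in analyze(SAMPLE_FLOWS.splitlines()):
        print(f"{src} -> {dst}: {', '.join(why)}")
```

Of the four sample flows only the second fires: a four-hour SSH session to a non-bastion host that pushed roughly 700 MB out and received almost nothing. The short session and the long download-heavy session to the approved bastion pass, and the HTTPS flow is ignored. A real deployment would add SSH on non-standard ports (by protocol identification, not port) and per-user baselines, but the principle stands: the nesting hides the path, not the volume or the first destination.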



Does it make sense to activate SD-WAN on a single path?

Hi,

I wonder, can I activate SD-WAN just for an MPLS path?

E.g.: I have 8 branches with no direct internet access. All my traffic comes via MPLS to my central location and then goes to the internet. Does SD-WAN give me any advantage?



Watchguard BOVPN to Azure

Hi all!

I have a Watchguard on 12.5.1 (feature key expired for this customer).

They have a BOVPN to Azure using the Watchguard BOVPN interface, set up following this guide:

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/bovpn_vif_static_routing_azure.html

So here's the layout:

Azure BOVPN UK South

10.100.1.0/24 - Servers

Azure BOVPN UK West

10.101.1.0/24 - Servers

Watchguard in Datacenter - 10.10.10.0/24

So in the Watchguard BOVPN I have only the one route for the required Azure region instance, which is to the server network as a route.
This all works fine; onsite from a machine I can reach the Azure domain controllers via RDP and ping, and do nslookup on them.

When I use the Watchguard conditional DNS forward and only have the Azure servers tied to clientdomain.com, it refuses to resolve it at all. (This works fine when only using the legacy onsite server.)
If I set the DNS to Azure directly on a server, it works fine as well.

So I must be missing something on the Watchguard. But I don't see any blocked traffic, and I'm totally lost.



Why is it that networking cables can be wired the same on both ends?

With phone lines, you traditionally have to reverse TX and RX on one end.

Does this have anything to do with Ethernet having a separate pair for TX and RX and the RJ45 jacks on the NICs are always expecting pin 1 to be TX+ and pin 3 to be RX+ and they somehow work it out (Auto-MDIX?)?

Thank you, I haven’t been able to get a clear answer online.



Thursday, March 25, 2021

CSR1000V Doesn't seem to like Subinterface. Any help?

So, I have a CSR1000V that I'm hooking down into a switch and want to trunk some VLANs up to it. Router on a stick, like basic CCNA 101.

However, it appears the CSR does not want to work with it. I've tested in a live environment with the Gibraltar and Amsterdam releases as well as in CML2 doing a simple mockup.

Test config is pretty simple. Multilayer switch on one side with a simple trunk:

! trunk port facing the CSR1000V (interface line not included in the post)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 negotiation auto
 spanning-tree portfast network
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0

On the CSR1000V router I've got my subinterfaces set up:

interface GigabitEthernet1.10
 encapsulation dot1Q 10
 ip address 192.168.10.10 255.255.255.0
!
interface GigabitEthernet1.20
 encapsulation dot1Q 20
 ip address 192.168.20.10 255.255.255.0

So it's pretty dead simple right now. I verified my VLANs are trunking, and the interface VLANs are up/up. Nothing will talk over it though. My live switch isn't doing much; my switch in CML seems to be building ARP table entries.

However, what does work is setting up a native VLAN. I configure a native VLAN and encapsulation dot1q native on the router, and my native VLAN can pass. This happened in both live and CML2 environments. However, the normal VLANs don't work.

When I search subinterfaces and the CSR1000V on Google I find people having issues, but most of them seem to have been GNS3 issues or changing vNIC drivers (I tried this on ESXi in the live setup, but my NIC just disappears if I don't have it at VMXNET 3).

Anyone have any solutions or ideas? I know I'm not screwing up my config. When I do it on an IOSv router and switch instead of a CSR router it works fine.



Large scale flow collection

Hi /r/networking,

I am wondering if anyone can share some advice on large-scale flow collection, ideally supporting NetFlow/jFlow/IPFIX/sFlow.

Forgive me if my terminology use is wrong, I come from a sysadmin/dev background.

We're an MSP who also operates an ISP network, and we're looking to collect flows from around ~250 MPLS tails, with room to grow.

Each customer has their own VRF and overlapping IP spaces, so we need to be able to collect and identify the customer in the solution.

Most vendors I have spoken to do not seem to scale to our needs, with the exception of Elastic Stack.

We've been running a proof of concept of ElastiFlow to collect flows from our PE routers, and although I am a big fan of it, we're also trying to factor in the operational costs of running an Elastic cluster.

I've so far spoken to ManageEngine (who unfortunately only allow for 30 collectors, which is already way fewer than we require).

I've also had some quotes from SolarWinds, but trying my best to avoid using their products... for reasons...

We also have monitoring via Icinga2, and we're not really interested in replacing this; most offerings are an all-in-one package that wants to do everything, and we're purely interested in flow data.

Budget is not a huge consideration at the moment, as long as it is within reason.
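The attribution problem this post raises (overlapping customer address space across ~250 VRFs) and the retention question in the earlier "How would an ISP capture the metadata of their customers" post both come down to what a flow record carries. The decoder below is an added example, not from either post or any product mentioned: it unpacks NetFlow v5 datagrams and tags each record with the customer it belongs to, keying on (exporter address, ingress SNMP ifIndex) rather than on source IP, because the IP alone is ambiguous once customers overlap. NetFlow v5 has no VRF field at all, which is why the interface map is needed; v9/IPFIX templates can export one (IPFIX ingressVRFID, element 234) where the PE supports it. The interface-to-VRF map, the exporter address and the datagram built by `build_v5` are constructed for the demo.

```python
"""Added example, not from the original posts: a NetFlow v5 decoder that tags
every record with the customer it belongs to. With overlapping address space per
VRF the IPs alone are ambiguous, so attribution keys on (exporter, ingress
ifIndex). The interface map and the datagram built below are constructed."""
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct(">HHIIIIBBH")             # 24 bytes
V5_RECORD = struct.Struct(">IIIHHIIIIHHBBBBHHBBH")  # 48 bytes

# Assumed mapping: (exporter address, ingress SNMP ifIndex) -> customer VRF.
VRF_BY_INGRESS = {
    ("10.255.0.1", 17): "CUST-A",
    ("10.255.0.1", 18): "CUST-B",
}


def parse_v5(exporter: str, datagram: bytes) -> list[dict]:
    """Decode one NetFlow v5 export datagram into attributed flow records."""
    version, count, uptime_ms, unix_secs, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram")
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first_ms, last_ms,
         sport, dport, _pad, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        # Flow times are relative to router uptime; convert to epoch seconds.
        start = unix_secs - (uptime_ms - first_ms) / 1000
        end = unix_secs - (uptime_ms - last_ms) / 1000
        flows.append({
            "customer": VRF_BY_INGRESS.get((exporter, in_if), "UNKNOWN"),
            "exporter": exporter, "in_if": in_if, "out_if": out_if,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto,
            "pkts": pkts, "bytes": octets, "tcp_flags": tcp_flags,
            "start": start, "end": end,
        })
    return flows


def build_v5(records: list[dict], uptime_ms: int = 60_000,
             unix_secs: int = 1_616_716_800) -> bytes:
    """Constructed exporter: pack records into a v5 datagram for the demo."""
    header = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            int(IPv4Address(r["src"])), int(IPv4Address(r["dst"])), 0,
            r["in_if"], r["out_if"], r["pkts"], r["bytes"],
            uptime_ms - 5_000, uptime_ms,            # flow spanned the last 5 s
            r["sport"], r["dport"], 0, 0x18, r["proto"], 0, 0, 0, 0, 0, 0)
        for r in records)
    return header + body


def demo() -> list[dict]:
    """Two customers both using 192.168.1.10, arriving on different PE ports."""
    datagram = build_v5([
        {"src": "192.168.1.10", "dst": "93.184.216.34", "in_if": 17, "out_if": 3,
         "sport": 51234, "dport": 443, "proto": 6, "pkts": 40, "bytes": 12_000},
        {"src": "192.168.1.10", "dst": "198.51.100.9", "in_if": 18, "out_if": 3,
         "sport": 40000, "dport": 53, "proto": 17, "pkts": 1, "bytes": 80},
    ])
    return parse_v5("10.255.0.1", datagram)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['customer']}: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"proto {f['proto']} {f['bytes']} B")
```

The record each parsed flow becomes (customer, exporter, both addresses and ports, protocol, byte and packet counts, start and end time) is also the minimum an ISP retention store needs per the earlier post; what the collector must never do is index on source IP alone, since both demo flows share 192.168.1.10 and differ only in ingress interface. For v9/IPFIX the same structure applies with the template-driven field layout replacing the fixed 48-byte record.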



Force10 S5200 to Cisco Nexus 9K

Hello...

We have 2 Force10s with a VLT interconnect between them. I plan on running 2 x 40Gb links per switch to Cisco Nexus 9Ks (vPC port channel). I'm not sure if anyone has much experience with Dell Force10 switches running back to a Nexus, or would anyone have any 'gotchas' I should be looking out for? Any input would be appreciated.

Thanks



Climbing up the ladder or not?

I've been a network engineer for like 6 years now, the last 4 with an automotive OEM company. Lately I've been getting tasks to create Excel sheets; never ever had that before. Notepad++ and Visual Code were my tools. With more and more Excel, does it mean I'm climbing up the ladder of the corporate world? As I heard and saw that management talks more in Excels and PPTs... thoughts?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post as well as a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



ARP Traffic from Router on Public Net

Possible dumb question incoming.

One of my clients has an office in a small office building. The tenants share a public /24 which is advertised by a Ubiquiti EdgeRouter that is owned by the landlord, I guess.

I was doing some maintenance, and noticed continuous traffic on the WAN interface of the client firewall despite there being no devices connected. If I did a packet capture on the WAN link, the EdgeRouter is constantly sending out ARP requests for unused IPs. I'm guessing there's incoming traffic from the internet that the EdgeRouter is trying to forward to a device that doesn't exist.

Who has x.x.x.201? Tell x.x.x.1
Who has x.x.x.123? Tell x.x.x.1
Who has x.x.x.84? Tell x.x.x.1

Is this an issue? I know the firewall will just ignore them, and other than that there's no issues with the connection. I don't control the EdgeRouter, but is there a configuration that could be changed so it's not constantly broadcasting ARPs over the subnet?



[Question] Networking Two Locations together Best Practices

I'm working with a company and trying to determine the best way to network two physical locations together. They currently have locations in different cities on opposite ends of the country that are connected via VPN that I configured. This works well.

This particular setup, however, is two buildings in close proximity, only separated by a driveway that belongs to one of the buildings.

I know the option of VPN'ing the businesses, over the internet to each other, exists.

What I don't know is, is there some other/better way to directly connect the buildings? They have offered to install some conduit under the shared driveway from one building to the other. My hesitance in connecting the buildings via LAN like this is that they need to maintain PCI compliance, and I'm not sure running a LAN cable like that, even underground through conduit, wouldn't somehow expose a PCI vulnerability.

I'd imagine that even between the two buildings, a direct VPN would be required from one building to the other so that it would prevent any potential man-in-the-middle exploit?

They want to maintain PCI compliance, they want to have the fastest speed possible and they'd prefer, if possible, to share one internet connection and not have to have one for each building.

Am I thinking about this correctly? Are there any "Best practices" ways of doing this? Thanks.



Migrating WLCs from Aruba to Cisco 9800

Hey all, I have never done a migration before, just a fresh implementation of a WLC. I inherited an existing Aruba controller that I am now decommissioning and replacing with a Cisco 9800 and Cisco 9120 WAPs.

All is ready to go; now I just need to physically replace the WAPs. That said, can I use the same SSID and WPA key from the existing Aruba network and replicate that on the Cisco side for a seamless transition, or would that cause issues?



IP Transit vs DIA

I do a lot of managed services (web/VoIP/server management) from a data center and have 3 DIA connections using BGP. Looking at new connections, what does IP Transit do for me vs DIA? I see people talking about IP Transit all the time, but I really do not understand what it is or how it's different.

Would someone care to explain in simple terms? I've watched 3 videos and read articles and it still does not make sense.



Blocking ICMP one way

I work at an institution that has public wifi. We have three VLANs - VLAN 100 is for public use, VLAN 1 is for Management, and VLAN 5 is for staff PCs.

We want to stop VLAN 100 from sending any ICMP requests to VLANs 1 & 5 and still be allowed to send ICMP requests to VLAN 100 from 1 & 5. Unfortunately, every time I try to set up an ACL, it stops all ICMP traffic. I'm obviously doing something wrong. If anyone knows the proper Cisco switch commands to set this up properly, please let me know. I can't find anything online that seems to be exactly what I'm looking for. Our network addresses are as follows:

VLAN 100: 192.168.100.1 /22

VLAN 5: 192.168.5.1 /24

VLAN 1: 192.168.1.239 /24



Enterprise network stack hierarchy

Hi! Was wondering if everyone can agree if this is a good setup to have.

ISP router -> Firewall -> IPS -> Core switch?



Block inter-VLAN traffic but allow access to the Internet

Hello,

I am using a Dell N2024P with multiple VLANs set up and inter-VLAN routing enabled. There are also a few switches down the line.

I am looking for a way to block all internal traffic from the devices in VLAN 9 but allow access only to the Internet.

I am only a beginner who just completed CCNA 1 and 2, so be gentle :).

How can this be implemented? Let me know if you need more info.

Cheers!
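The two ACL questions above (one-way ICMP between VLAN 100 and VLANs 1/5, and an internet-only VLAN 9) share the same root cause: an access list matches packets, not conversations, and the first matching entry wins. The following is an added example, not code from either post. It is a small model of Cisco extended-ACL matching (first match wins, implicit deny at the end) that shows why a plain `deny icmp` also drops the echo-replies to pings that staff started, and what an entry that denies only echo-requests looks like. The VLAN 100/5/1 addresses are the ones given in the ICMP post; VLAN 9 as 192.168.9.0/24 is a constructed placeholder, since the inter-VLAN post gives no addressing. The wildcard-mask lines in the comments are the IOS equivalents of each entry.

```python
# Added example (not from either post): a model of Cisco extended-ACL matching.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str                         # CIDR network
    dst: str
    icmp_type: Optional[str] = None  # "echo", "echo-reply", or None = any type

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    icmp_type: Optional[str] = None

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(ace.dst):
        return False
    return ace.icmp_type is None or ace.icmp_type == pkt.icmp_type

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; every Cisco ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# What the ICMP post tried: every ICMP packet leaving VLAN 100 is dropped,
# including echo-replies to pings that staff in VLAN 5 sent, so "all ICMP stops".
#   deny icmp 192.168.100.0 0.0.3.255 192.168.0.0 0.0.255.255
#   permit ip any any
NAIVE_ACL = [
    Ace("deny", "icmp", "192.168.100.0/22", "192.168.0.0/16"),
    Ace("permit", "ip", ANY, ANY),
]

# One-way version: deny only echo-requests towards VLAN 1 and VLAN 5 and let
# everything else (echo-replies included) through. Applied inbound on the
# VLAN 100 SVI:  interface Vlan100 / ip access-group GUEST-IN in
#   deny icmp 192.168.100.0 0.0.3.255 192.168.1.0 0.0.0.255 echo
#   deny icmp 192.168.100.0 0.0.3.255 192.168.5.0 0.0.0.255 echo
#   permit ip any any
ONE_WAY_ICMP_ACL = [
    Ace("deny", "icmp", "192.168.100.0/22", "192.168.1.0/24", "echo"),
    Ace("deny", "icmp", "192.168.100.0/22", "192.168.5.0/24", "echo"),
    Ace("permit", "ip", ANY, ANY),
]

# Internet-only VLAN (VLAN 9 = 192.168.9.0/24 is a constructed placeholder):
# deny the RFC 1918 ranges, permit everything else, inbound on the VLAN 9 SVI.
# If DNS or DHCP servers are internal, a permit for them must come first.
VLAN9_INTERNET_ONLY_ACL = [
    Ace("deny", "ip", "192.168.9.0/24", "10.0.0.0/8"),
    Ace("deny", "ip", "192.168.9.0/24", "172.16.0.0/12"),
    Ace("deny", "ip", "192.168.9.0/24", "192.168.0.0/16"),
    Ace("permit", "ip", ANY, ANY),
]

if __name__ == "__main__":
    staff_reply = Packet("icmp", "192.168.100.20", "192.168.5.10", "echo-reply")
    print("naive ACL on a reply to a staff ping :", evaluate(NAIVE_ACL, staff_reply))
    print("one-way ACL on the same reply        :", evaluate(ONE_WAY_ICMP_ACL, staff_reply))
```

The model ignores direction, so the comments say where each list belongs: inbound on the SVI of the VLAN whose hosts you are restricting. Traffic that stays inside one VLAN never crosses the SVI and is not affected by either list.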



Small network over 2 buildings upgrade design

Hello, we have a small network with 2 buildings. At this time:

- the Main Building, with the main data center and 5 floors. Each floor with its 1G access switch. They go directly to the Core switch (a stack with 2x 48 10GBASE-T ports). Core switches receive all connections in the data center (3xESX, 2xSAN, access switches, firewalls, routers). There is a 2x10 SFP+ fiber connection to the second building. The core is the router for all VLANs on the network. There are VLANs that spread over all the buildings (wifi, video, servers, storage,...)

- second building: there is a 3x Cisco 3750 stack that receives all client connections and connects to the core. We recently added a 10GBASE-T Multigigabit switch for new Wi-Fi access points and for a 2xESX connection and a SAN for remote backup and possible disaster recovery from the main data center. At the moment there is no L3 in this building (we could manually enable it with static routes if necessary).

Now we are going to update the whole network and we are thinking about the design. We have new requirements:

- 10G / 25G Fiber / Dac connection in the main data center for new servers and SAN (but still need to maintain 10GBASE-T connections)

- We have to anticipate 10G fiber / DAC ports in the backup data center

- Multi-gigabit wifi access points

- Digital audio and video over the network

- Capacity for next 7 years

I was thinking in a design like:

- Main building:

  • multigigabit access switches with 10G uplinks to the core
  • Core like a leaf and spine:
    • Leaf: 10GBASE-T pair of stacked switches. It could be the L3 router of the entire network. Uplink to second building at 40G / 100G
    • Spine: L2 10G / 25G pair of stacked fiber switches for new servers and SANs. 40G / 100G Leaf to core connection

- Second building:

  • Stack of 3x Multigigabit access switches
  • 2x 10G fiber switches connected to the multigigabit stack. The uplink to the core could be from these switches or from the Multigigabit stack.

What do you think? Suggestions? Anything to consider?

Thanks



OSPFv3 For Juniper

I had an interview and the CTO mentioned if successful, my next stage would be to complete a lab. They use primarily Juniper equipment and the lab would be based on OSPFv3 and BGP.

Now I am not familiar with the Juniper CLI so I have been looking up the CLI syntax as I am more familiar with Cisco. I managed to get the Juniper Olive image to lab up in VirtualBox. I'm currently waiting for Juniper vLabs to grant me access so that I can lab up there.

I just wanted to find out from you guys that are more familiar with the protocol what common problems you find using these two or to watch out for?

The role is for a Network Field Engineer in the UK.

Sidenote: I now understand why some people switch or prefer Juniper. The way the configuration is grouped and laid out is very appealing to me now.



What are Cisco ACI service graph drawbacks ?

Hello,

Can someone please give me his feedback about implementing Cisco ACI service graph ?

Thanks in advance.



How do you troubleshoot a serial link that isn’t working?

What are the ways to troubleshoot a serial link that isn’t working?



Deleting a VFI member

Hi,

we've recently changed the configuration of some services in our network and I got tasked with cleaning up the leftovers of old configurations. However, now I have to clean up a member from a VFI and I cannot figure out how to do so. The problem is that I cannot figure out how to do it. This is the relevant configuration:

show bridge-domain 1908
Bridge-domain 1908 (3 ports in all)
State: UP                    Mac learning: Enabled
Aging-Timer: 300 second(s)
Maximum address limit: 64000
    Port-channel14 service instance 1908
    vfi MI1602_MIH401_1908 neighbor 172.16.128.3 5726
    vfi MI1602_MIH401_1908 neighbor 172.16.128.3 5723

I want to delete the member that has the VC id of 5726. So the first step was to take the vfi out of the bridge domain.

#show l2vpn vfi name MI1602_MIH401_1908
Legend: RT=Route-target, S=Split-horizon, Y=Yes, N=No

VFI name: MI1602_MIH401_1908, state: down, type: multipoint, signaling: LDP
  VPN ID: 1022201906
  Local attachment circuits:
    Pseudo-port interface: pseudowire100184
  Interface          Peer Address    VC ID       S
  pseudowire100186   172.16.128.3    5723        Y
  pseudowire100185   172.16.128.3    5726        Y

This is the VFI itself. I want to remove the pseudowire 100185 as I said above but I cannot do so. Writing no pseudowire100185 returns me an error as apparently the range of valid pseudowires is up to 100000. So, I cannot even understand how they've created these in the first place. The router is an ASR 907 running IOS-XE 16.6.5a if that's of any help.

Can anyone help, or provide a link to some documentation that explains VFIs and how they work? I cannot find much info about these online somehow.

Thank you and have a nice day



Microsoft services blocked by OpenDNS.

I recently discovered that Microsoft's login.live.com is blocked by opendns. I tried whitelisting the site but it doesn't seem to work. My blocked domains are mainly pornography and spam sites. I could use some help.



Is there a Microsoft BGP looking glass?

I'm trying to find out what route certain traffic is taking when coming from Microsoft/Azure but I cannot find any way to either do a traceroute from a Microsoft resource or look at their BGP tables.

I've even tried setting up a free Azure instance so I can do a traceroute from a VM. Although I can ping from the VM's, traceroute just gives me * * * on every hop.

I did try reaching out to Microsoft a while back but didn't get a response.

Is there a website/resource where you can look at routes taken by Microsoft/Azure?

Thanks



Wednesday, March 24, 2021

Combining two networks - two ospf areas, or two ospf processes

We have 300 switches (3560, 2960XR, 9300) and about 900 IPv4 routes in TCAM. The New network has about 100 switches (Linux boxes running bird and a dozen 7050 arista) and 200 routes.

Both are area 0, and combining them would be hitting some TCAM limits on the weaker switches.

We started converting the new network to area 20 (and plan on going back and changing the original network to area 10 and leaving two switches as ABRs in area 0).

Does anyone ever just leave the two networks in separate area 0s and then have two ospf processes on the routers that touch both? Seems like that may be less work... wonder what I’m missing in terms of long term stability.



Sites and Services replication

Hello r/

I'm finally taking my first steps into networking configuration for a production network and am tasked with splitting a network apart with some vlans. We are a small team and I have more knowledge in networking than my other 2 colleagues but have no real experience in configuring production networks.

It's a small company, where one office is located in Germany and another is located in Belgium.

I only am allowed to segment the network in Belgium, the network in Germany remains configured without any vlans. We use Zyxel hardware

There is a site-to-site VPN and was wondering if I need to configure specific firewall rules for DFS replication. When the server in Germany wants to replicate, how can it access the vlan of the server when it enters the firewall on the site in Belgium?

If I make a rule which indicates that the DFS Service which originates from Site_Germany, can only go through if the destination is the DC in Site_Belgium, will it assign that vlan to the frames?

Sorry for any dumb questions, trying to learn and get experience in the networking aspect of IT since that's where I want to go.



NetMiko Truncated output

from netmiko import ConnectHandler
from netmiko.ssh_exception import NetMikoAuthenticationException
from netmiko.ssh_exception import NetMikoTimeoutException   # was a duplicate import of the auth exception

iou1 = {
    'device_type': 'cisco_ios_telnet',
    'ip': '172.16.1.1',
    'username': 'Username',        # opening quote was missing
    'password': 'password123',
}

try:
    Connect = ConnectHandler(**iou1)
    output = Connect.send_command_timing("sh vlan")
    print(output)                  # must sit inside the try block
except (NetMikoAuthenticationException, NetMikoTimeoutException) as error:
    print(error)

OUTPUT

---- ----------------- ------------------ ------------------ ----------------
1 1 gi1/0/48 gi1/0/1-47, DV
te1/0/1-4,
gi2/0/1-48,
te2/0/1-4,
gi3/0/1-48,
te3/0/1-4,
gi4/0/1-48,
te4/0/1-4,
gi5/0/1-48,
te5/0/1-4,
gi6/0/1-48,
te6/0/1-4,
gi7/0/1-48,
te7/0/1-4,
gi8/0/1-48,
te8/0/1-4,Po1-32
2 Local gi1/0/1-3,gi1/0/6, S
gi1/0/8,
gi1/0/10-18,
gi1/0/20-27,
gi1/0/29-39,
gi1/0/41-48
More: <space>, Quit: q or CTRL+Z, One line: <return>

How can I get the full output, it stops at

More: <space>, Quit: q or CTRL+Z, One line: <return>

When you are logged into the router you can use the space bar to show the full output; how can I get the full output from my Python script?
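The script above stops where the switch's pager stops, because send_command_timing returns whatever arrived before the device paused at the More: prompt. What follows is an added example, not the poster's code: it drives the pager the way a person would (send a space while the prompt is showing) and strips the prompt from the collected output. FakePagedDevice is a constructed stand-in for a Netmiko connection so the code runs offline; with a real session you pass the ConnectHandler object in its place. The sample "show vlan" lines are constructed as well.

```python
# Added example (not from the post): collect paged output from a device that
# stops at "More: <space>, Quit: q or CTRL+Z, One line: <return>".
import re

# Prompt text exactly as shown in the post (Cisco Small Business SG switches).
MORE_PROMPT = "More: <space>, Quit: q or CTRL+Z, One line: <return>"
MORE_RE = re.compile(re.escape(MORE_PROMPT) + r"\s*$")

def read_all_pages(conn, command, max_pages=500):
    """Send `command`, keep answering the pager with a space until it goes
    away, and return the whole output with the prompt lines removed."""
    chunks = []
    out = conn.send_command_timing(command)
    for _ in range(max_pages):
        if not MORE_RE.search(out):
            chunks.append(out)
            return "".join(chunks)
        chunks.append(MORE_RE.sub("", out))
        # normalize=False: do not append a newline, otherwise the device shows
        # one page *and* one extra line; strip_command=False: there is no
        # echoed command text to remove from the next page.
        out = conn.send_command_timing(" ", normalize=False, strip_command=False)
    raise RuntimeError("pager did not finish after %d pages" % max_pages)

class FakePagedDevice:
    """Constructed stand-in for a Netmiko connection: serves `lines` in pages
    and appends the pager prompt after every page except the last."""
    def __init__(self, lines, page_size=4):
        self.lines = list(lines)
        self.page_size = page_size
        self.pos = 0
        self.sent = []            # everything the client sent, for inspection

    def send_command_timing(self, cmd, **kwargs):
        self.sent.append(cmd)
        if cmd != " ":
            self.pos = 0          # a new command restarts the output
        page = self.lines[self.pos:self.pos + self.page_size]
        self.pos += len(page)
        text = "".join(line + "\n" for line in page)
        if self.pos < len(self.lines):
            text += MORE_PROMPT
        return text

# Constructed sample output, shaped like the "show vlan" listing in the post.
SAMPLE_LINES = [
    "Vlan  Name   Tagged Ports   UnTagged Ports   Created by",
    "----  -----  -------------  ---------------  ----------",
    "1     1      gi1/0/48       gi1/0/1-47,      DV",
    "                            te1/0/1-4,",
    "                            gi2/0/1-48,",
    "                            te2/0/1-4",
    "2     Local  gi1/0/1-3,     gi1/0/6,         S",
    "                            gi1/0/8,",
    "                            gi1/0/10-18",
    "3     Mgmt   gi1/0/48       -                S",
]

if __name__ == "__main__":
    dev = FakePagedDevice(SAMPLE_LINES)
    print(read_all_pages(dev, "show vlan"))
```

Driving the pager works, but the cleaner fix is to turn paging off once at the start of the session: Netmiko does that itself in its session setup when the device_type matches the platform (cisco_ios sends "terminal length 0"). The More: prompt in the post is the Cisco Small Business format, for which Netmiko has the cisco_s300 platform that sends "terminal datadump"; treat that platform name as something to check against the platform list of your installed Netmiko version rather than as a given.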



Traceroute Vs Netcat

Hello Everyone,

I have two RHEL 7 servers on a private network where traceroute can reach a port but netcat cannot. I don't see any SELinux messages (/var/log/messages) or anything in the firewalld logs either. I believe that this is related to why the (Slurm) nodes in our cluster can't communicate with each other. Here is an example:

$ sudo nc -zv 172.30.0.186 6818
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connection refused.
$ sudo traceroute -T -p 6818 172.30.0.186
traceroute to 172.30.0.186 (172.30.0.186), 30 hops max, 60 byte packets
 1  172.30.0.186 (172.30.0.186)  0.105 ms  0.106 ms  0.103 ms

Note that I am not ruling out that this could be a firewall or an SELinux issue. Does anyone have any ideas on how to troubleshoot this?
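The two tools in the post are not disagreeing: both sent a SYN to port 6818 and both got a RST back. traceroute -T counts any reply to its SYN, RST included, as the hop being reached, while nc reports what the kernel told it about the connection, and a RST becomes "Connection refused". The following is an added example, not the poster's code; it classifies a TCP probe result at the socket level so the four outcomes can be told apart. open_listener() and demo() exist only so the probe can be exercised offline against a loopback socket.

```python
# Added example (not from the post): what a TCP connect attempt tells you.
import errno
import socket

def probe_tcp(host, port, timeout=2.0):
    """Return one of:
    'open'      SYN-ACK received: a process is listening on the port
    'refused'   RST received: the host is up and reachable, nothing listens on
                that port (or a firewall rejects with tcp-reset); this is the
                "Connection refused" that nc printed
    'rejected'  ICMP unreachable/prohibited came back, e.g. firewalld's default
                REJECT (icmp-host-prohibited), reported as "No route to host"
    'filtered'  nothing came back within `timeout`: packets are being dropped
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "filtered"
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "rejected"
            raise

def open_listener():
    """Constructed helper: a listening socket on a free loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

def demo():
    """Probe the same loopback port while a listener exists and after it is gone."""
    srv, port = open_listener()
    while_open = probe_tcp("127.0.0.1", port)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_open, after_close

if __name__ == "__main__":
    print("with listener / without listener:", demo())
```

A 'refused' result therefore points at the target host rather than the path: the next check is on 172.30.0.186 itself, whether anything is bound to 6818 (ss -ltn) and whether the firewalld zone for that interface allows the port, since a firewalld REJECT would normally show up as 'rejected' rather than 'refused'.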



Why NAT

I’m building a new Data Center. We received a /27 from ATT and a /30 for point to point. We plan on using the /27 for DMZ connected to the firewall. What would be a good argument to use private IPs on the DMZ servers and then NATing them? Why wouldn’t I just use the Public /27 directly on the DMZ server? By doing this we eliminate complexity, and additional config that comes with NAT on the firewall. Users from the inside can simply use the public IP of the DMZ and the packet would use the default router to get to the firewall where DMZ (public IP) is connected. From the internet the traffic would use a static route on the ATT router that points to our firewall.

Do you see any reason for going with private IPs on the DMZ servers and then NATting them?



Mellanox ConnectX-4 LX Ethernet Drivers? Can only find OFED.

I'll admit, I'm not an expert at datacenter NICs, so this may be a bit of a noob question. I have 7 of the ConnectX-4 LX Ethernet cards for a server, and I'm running Windows Server 2019. I cannot for the life of me find any Ethernet drivers for them. Anytime I find a hopeful link, it directs me to the OFED drivers, which from what I can tell are for InfiniBand and not Ethernet. I finally downloaded them and went through the install process, but it warned me it would flash the HCAs with new firmware. Again, from my Google-fu, it appears that HCAs are exclusively InfiniBand and not Ethernet.

Where in the world do I find Windows Ethernet drivers for the ConnectX-4 LX?



Many Hosts, DHCP or Static

Hi Folks,

I am doing a project where I have to subnet 1000 CCTV cameras into 4-5 24-bit subnets. While I am at it, should I insist that we switch all cameras over to DHCP? They are all static at the moment. What would be the advantages of DHCP in this scenario?



Process to Improve Change of Office IP

My office is continuously expanding so we are updating our public IP subnet on a continuous basis. Are there any best practices out there that we can use as a guide?



CatTools alternative

I have been using CatTools freeware to take scheduled backups and run commands on multiple old Cisco devices. It is really good.

On more modern devices I am getting the error "Failed to connect Reason: (30044) No available encryption algorithms match with the server".

It sounds like I need to upgrade the software, however there is no more freeware. It costs $850.

Is there a good lower or no cost alternative?

Thanks!



Dell S6010-ON 40Gbe to UTP

Hello,

At work we are going from Dell S6000 switches to Dell S6010-ON switches in the future at new racks.
But before I bring new S6010's into production I want to test/simulate something at our office with 2 simple laptops/desktops.

Is it possible to get UTP (RJ-45) to work on those 40Gbit/s QSFP ports?
Does anyone know what I need in order to connect 2x 1Gbit UTP devices into the 40Gbit/s QSFP ports?

Thanks a lot.

- Jessy



ASA (9.x) to FortiGate NAT Conversion

I have the following NAT Rule from the ASA (code 9.x) and I'm trying to convert it to FortiGate (Code 6.4.4). I'm using Central NAT on FortiGate. What is the best way of doing this? Do I need two rules, Central SNAT and DNAT?

nat (OUTSIDE,INSIDE) source static OBJ-10.10.17.136-143 OBJ-10.10.65.64-71 destination static OBJ-10.10.65.124 OBJ-10.10.160.40

I used the FortiConverter but the output is messy.



Switch CISCO SG350-10P POE problem

Hello,

I have created "time ranges / recurring ranges" for the POE power supply of my equipment (Raspberry Pis).

When the switch restarts, it powers the Raspberry for a few seconds then applies the time range.

The Raspberry Pis are then cut off instantly.

How can I prevent the POE ports from being powered up when the switch starts up?



Looking for service assurance monitoring solution

What does everyone use for service assurance monitoring? My company has made a swift migration to all things PAAS,SAAS in the last year or so, and I've found that internet service reachability has become more critical than internal network reachability. With that being the case I'm trying to find a solution that would allow me to monitor all of these solutions from each remote office. I've looked at Aruba and Netscouts solutions, but wanted to check to see what other solutions people may have found whether it be home grown or open source.



I can't believe the audacity of Cisco (partially joking)

In anywhere I can find on their website, they don't indicate that an access port's configuration will tag incoming frames with a vlan id that you configure on the port level configuration, if the frame has no tag on it (in the case of a dumb NIC).

I have gone all the way through CCNP without knowing this seemingly basic knowledge ffs. While I have always suspected it, I feel dumb as shit right now.



Guest Wifi - What can our Marketing dept. capture?

Hello!

I have a marketing department that wants to be able to capture everything about a guest device on our wifi (even the phone number). I told them I'm pretty sure that's illegal. The best I can do are the MACs. Does anyone know of any website(s) that I can direct them to as far as what we're allowed to capture? I am located in Canada....but anything would help. TYIA!



WiFi Adapter Connection Issues

How do I get a Router to find a WiFi transmitter so that the WiFi adapter can pick up the Router WiFi signal ? The WiFi Router is useless as it needs to inherit a WiFi signal for it to work.

As well, I have a WiFi device that gives a pin code which I have to enter into my AP. If I understand correctly the router has to support WPS, correct ? And if it doesn't then how do I get this WiFi device to connect; is there anything I could get to make it work for the router ?



quick question about DDNS

So I have a Bell Home Hub 3000, and in the settings page there's an option for dynamic DNS. You can choose between DynDNS and No-IP. I made a No-IP account and synchronized my account to it. I felt proud of myself for some reason, but to be honest I have no clue at all what I just did. I just want someone to tell me what linking your No-IP account to your Bell does. Thanks :)



Clearpass vs ISE

Have any of you used both extensively, to the degree that you have spent considerable time and effort learning the system and implementing as much as you can to "get the most out of them?"

How do they stack up against each other?

I have heard that ISE has a lot more "special sauce" to it than Clearpass, but most of it requires Cisco switches.

Clearpass seems better suited for non-Cisco switch environments for that reason.

But... I'm looking for actual fellow networker experiences. I know I could probably find some white paper article online or whatever, but that's all going to be mostly sales stuff. I'm looking for first hand experience.

What do you think? What are the pros and cons you've seen between the two?



weird issue that I can't make sense of: even on the conservative firewall optimization setting, pfSense times out active TCP keepalive connections at 15 minutes like clockwork.

I hope someone can help shed some light on that...

network topology :

/24 public IP range -> pfsense 1 WAN IP

pfsense 1 (2.4.4-RELEASE-p3) -> route to /27 part of the range to pfsense 2 WAN IP + rule to pass ANY TCP to public IP range destination

pfsense 2 (2.4.4-RELEASE-p1) -> DMZ interface with 91.x.x.254/27 as IP + rule to pass TCP 443 to 91.x.x.248 (the actual server) on WAN

WAN is the same subnet for both routers, on the same vswitch, with the same gateway.

the server on this public IP serves a PWA that has a TCP keepalive function, sending a JSON to an API endpoint every 5 seconds, to which the server replies with its own JSON. this usually works without issues. everything apart from that keepalive works perfectly well.

the issue is that this TCP keepalive will simply get dropped without warning or closure after 15 minutes. it used to be 1m sharp in "normal" optimization mode.

on pfsense 2 I can see the connection as ESTABLISHED (on both WAN and DMZ, actually) :

DMZ tcp 80.x.x.28:17480 -> 91.x.x.248:443 ESTABLISHED:ESTABLISHED 120 / 71 4 KiB / 8 KiB 

and incrementing packets every 5 seconds as expected.

on pfsense 1, the same connection shows up like this :

WAN tcp 80.x.x.28:17480 -> 91.x.x.248:443 CLOSED:SYN_SENT 120 / 0 7 KiB / 0 B
WAN tcp 80.x.x.28:17480 -> 91.x.x.248:443 SYN_SENT:CLOSED 120 / 0 7 KiB / 0 B

the fact that I do not have any packets coming FROM the server on pfsense 1 is weird, I didn't think I had to open anything for this to work but it might be the case?

I'm really not sure what's happening here. any help welcome.



Cisco ASA and QoS policy

I'm not really a firewall guy but I'm trying to isolate some QoS issues.

On a router and switch (depending on what switch you have) you have to create and assign QoS policy.

Generally curious, when you are setting up inbound connections that terminate on your firewall, are you configuring QoS policy on your firewall similar to how you would on a router?



Cisco Modeling Labs Enterprise Edition - Host Specs

We're investigating purchasing a CML Enterprise license to do some labbing and datacenter emulation and I'm curious if anyone else is emulating a relatively large environment in CML and what server specs they have. Networking would have to purchase the host so we'd like to know what to ask for when we get a quote. We have roughly 70 Nexus and ASR devices across each datacenter, and while I don't think we'd be looking at dropping every single node in our lab environment, it would be nice to be able to run at least 40 nodes. I'd assume 128 gigs of RAM would be the minimum, but not sure what to ask for in terms of CPU cores. Anyone else out there doing something similar?



solarwinds123 t-shirt groupbuy

This is a group buy for a t-shirt commemorating solarwinds123. This shirt is certified made by Interns, just like that default password.

It's set up strictly as "buy your own shirt and it'll be shipped to you".

Design: https://gyazo.com/2fa31f17c6251dff6bc0c83b59e40bb0

Purchase link: https://www.customink.com/g/jbk0-00cd-zst5

Per u/rocketpanda40: Be aware that my experience with customink in the past is they're always about 1 size small

EDIT: Shoutout to u/BirdPeckofPower, u/nanonoise, and u/redux12 for being the actual comedic impetus for this shirt idea, from this thread: https://www.reddit.com/r/sysadmin/comments/mbnmkq/solarwinds_customer_retention_pulling_out_all_the/.

I expedited one and as soon as it gets here I'll post a selfie with the shirt on or ban. Rush delivery is allegedly March 30th. I set the group buy to 50 being conservative... We do need to fill 50 at least though. Be aware that it's sending me the emails you sign up with for some reason (I'm going to delete that shit, but wanted all to know).

EDIT2: 50 was apparently VERY conservative. It's not even AM on the East Coast USA and there's 90+ orders in... I'll contact them about upping it and getting a better deal.... --Apparently they'll cut me a check for the savings if we reach enough orders. If that happens (as in if I receive a cent off of this) I'll post a poll for the sub and I'll donate all the proceeds to whatever the sub votes.



Encrypting payload over https

So I am communicating with the server over HTTPS, where my app is connected to a RESTful API. Is there any advantage to encrypting the body of the POST request if I am sending sensitive data?

Edit: I will encrypt the data at the client side and decrypt it at the server side.



SilverPeak First-packet iQ - substance or marchitecture

Hello

In short, I am getting into the details with regards to how vendors do application identification in conjunction with SAAS optimisation. Initially focusing on Cisco Meraki and Silverpeak

The full back story is I am currently in the early stages of exploring SD-WAN for my organisation, and I am starting to get my head around some of the products and new features on the market.

One area that seems to be getting a lot of focus is SAAS optimisation/ SD-internet/ Smart SaaS QoE as I have heard it called. Essentially looking at how vendors can optimise the traffic delivery from branches to a SAAS applications. I understand how different vendors achieve this at a high level. What I want to understand further is how an application is identified, how different vendors approach identification and what makes some engines more superior than others.

I am familiar with Meraki and I currently have a Cisco Meraki MX67 with an SD-WAN Plus license. I have started my initial testing with this product as I used it for SD-WAN at a previous company and I see the value of its simplicity. I am aware that its Smart SaaS QoE is not available yet; however I have been able to test the L7 VPN exclusion feature which is a stepping stone to achieving their Smart SaaS QoE. Just to state, this post is more about understanding the application recognition element than comparing the full SaaS optimisation element of both vendors.

Meraki have 10 major applications to select from with the option of defining other custom applications via IP or URL. I'm testing this at the moment and it works as you would expect. I am running a packet capture and I can see the relevant traffic break out onto the internet rather than take the default route over the VPN to my test datacenter MX.

More information on the feature.

https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2F%2FURL_Based_Local_Internet_Breakout))

I have started to explore the literature on Silverpeak's First-packet iQ and it sounds very impressive. What I am struggling with is trying to distil from the Silverpeak marketing message what the real benefits are of this innovative and industry-first feature over and above what I am seeing on the Meraki box. Is this just marchitecture or is there real substance to this Silverpeak feature?

I admit my understanding of application recognition is relatively elementary so any guidance is massively appreciated. If you can shed any light on this specific feature and potential advantages and pitfalls that would be great.

What is the limitation with defining applications by IP and URL only?

What common SAAS applications would I fail to identify on the MX?

Silverpeak Feature in more details

https://www.silver-peak.com/products/unity-edge-connect/first-packet-iq

‘Silver Peak’s innovative First-packet iQ identifies applications on the first packet. Using multiple techniques, First-packet iQ identifies more than 10,000 applications and more than 300 million web domains. First-packet iQ goes beyond typical Deep Packet Inspection (DPI) and port-level approaches used today and it adds a cloud-hosted internet map and geolocation database in addition to real-time machine learning to provide the highest levels of application intelligence.’

Thank you in advance for your input



VPN connection from client in another country is very slow, any ideas?

Hi everyone,

I'm the only network engineer at this company and so I have no one else to bounce ideas off of, so I'm coming to you, r/networking. The company I work for is in Germany, we have 2 Palo Alto Firewalls and we use GlobalProtect as our VPN with a gateway on both PAs (one is physical on site and the other is a VM in a cloud). The company hires a few people living in other countries and they just work remotely. I've never heard any issues with this until this week. Someone working from Uzbekistan cannot reach any of our internal sites.

After a lot of investigating, we found that the connection through the VPN is so slow that the DNS requests come too late or not at all, and after a failed request to our DNS his PC sends a request to his local modem, which obviously only resolves external sites. I checked on the PA for the public IP he's connecting with for GlobalProtect and checked the security logs from that IP, and more than half of the connections are being dropped because of no answer. So I'm now thinking that his internet or the connection from his country to us is just not good enough, but he can quickly resolve and load any other German/European websites.

Is there anything I can even do here? It's odd to me that he can easily reach other pages in other countries but only our GlobalProtect connection is bad. It's also good to note that the 2 PAs don't use the same internet, because one is in the cloud it just uses whatever that cloud provider has. Otherwise I would have contacted our internet provider to see if they had anything going on that could be causing this.

Any ideas are greatly appreciated. I'm hitting a wall here and you are my last hope for fixing this.



AFL OTDR Stuck in boot screen

Dear All,

I have been using an AFL M200 OTDR for all the fiber testing, recently my OTDR stopped booting in to the menu screen, it will stay on the boot up screen showing AFL logo and never goes in to the menu.

I suspect the issue is due to the memory getting full with old test results on the device. Their support is saying the device is EOL and will never help to fix it.

Kindly help me if anyone has any workaround to fix this issue.



Tuesday, March 23, 2021

Air gapped networks monitoring

Hi, I hope this is the right place to ask.

(Background) I am a sound engineer working with Redundant Physical Dante networks (Dual VLan per physical network) that include Netgear GS728 and Cisco SG3xx Switches. These networks are temporary for each event and are not always the same exact devices. Our 2 Networks exist in a vacuum and are not tied to the internet or to each other.

(Question) I'm looking for a way to view Topographical maps and link speeds for both networks.

I have tried Spiceworks, but it has dramatically more features than I need and it struggled to trace my networks from a single computer.

I am open to spending some time on this, but not mountains of Cash since the company won't be covering the cost of the tool.

One recommendation to me was Zabbix another that I found was CheckMK. I'm willing and capable of deploying to Raspberry Pi(s) but I'm hoping for some guidance along the lines of capability. Does either of these pieces of software or any software allow the selection of the monitored Network port? One thought was to have 2 Raspberry Pis and Teamviewer into each to see the data, but I don't know if that would work since they would each have 2 Network Ports.

(Goal) I want to be able to monitor redundant networks for topology and link speeds from "1" device.

Any advice is appreciated!



LAG load distribution concept clarification

We all know the high level concept of how a frame gets load balanced across a LAG. Frame comes in and a hash is taken based on source/destination L2 or L3 or maybe even L4 header information. Hash is pinned to a member link and away it goes , forever pinned to that member link.

The point I need clarification is that based on my readings, the most common way that a hash is generated is for Layer 2 header information. Does this mean that if I have an L3 routed link the switch is only looking at L2 info to make the hash? Or is it based on if I am going over an L2 or L3 link would determine the type of load distribution that will be done?

Cisco documentation: The default load-balancing mode for Layer 3 interfaces is the source and destination IP L4 ports, and the default load-balancing mode for non-IP traffic is the source and destination MAC address

Does that mean that traffic going across a Layer 2 port-channel trunk, by default, is non-IP traffic and therefore source/dst MAC address is used?
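The practical consequence of the question above is easiest to see by simulating it. This is an added example, not from the post: a constructed hash (truncated SHA-256 standing in for whatever the ASIC really uses) picks a member link from a tuple of header fields, and the same 200 constructed flows are distributed once on MAC fields and once on IP/L4 fields. On a routed port-channel between two routers every frame carries the same two MACs (router A to router B), so a MAC-only hash has exactly one input value and pins every flow to one member; the IP/L4 hash spreads them. The MAC addresses are from the documentation range and the flows are constructed.

```python
# Added example (not from the post): member-link selection from a header hash.
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

def member_link(fields, n_links):
    """Constructed hash: real switches use their own function, but the property
    shown here (same input fields -> same member) holds for all of them."""
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_links

def l2_key(f):      # source/destination MAC only (the post's "non-IP traffic" default)
    return (f.src_mac, f.dst_mac)

def l3l4_key(f):    # source/destination IP plus L4 ports (the post's Layer 3 default)
    return (f.src_ip, f.dst_ip, f.src_port, f.dst_port)

def distribution(flows, n_links, key):
    """How many flows land on each member link under the given hash key."""
    counts = [0] * n_links
    for f in flows:
        counts[member_link(key(f), n_links)] += 1
    return counts

def routed_link_flows(n=200):
    """Constructed: n TCP flows crossing a routed port-channel between two routers.
    The MACs are the two routers' and never change; IPs and ports vary."""
    return [
        Flow("00:00:5e:00:53:01", "00:00:5e:00:53:02",
             f"10.0.{i // 256}.{i % 256}", f"10.1.0.{i % 7}",
             40000 + i, 443)
        for i in range(n)
    ]

def demo(n_links=4):
    """Return (per-member counts with MAC hashing, per-member counts with IP/L4 hashing)."""
    flows = routed_link_flows()
    return distribution(flows, n_links, l2_key), distribution(flows, n_links, l3l4_key)

if __name__ == "__main__":
    by_mac, by_ip = demo()
    print("MAC-based hash, 4 members :", by_mac)
    print("IP/L4-based hash, 4 members:", by_ip)
```

The same simulation with many end-host MACs on a Layer 2 trunk between two access switches would spread reasonably on MACs alone; the collapse only happens when the frames crossing the bundle all share one MAC pair, which is exactly the routed-link case, and why the load-balance method is worth checking against the kind of traffic the bundle carries rather than just the port mode.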



Cisco Live: DC or dev track

I have a lot of experience with ACI and I'm afraid it's just going to be the same ole intro to ACI I keep finding everywhere. Anyone else have thoughts on going? (virtual)



I have to pick a side I think

I need some guidance here.

I am a generalist, started with computers in 1984 (actually 1980 but it doesn't matter). Just turned 50.

Since 1995 I have been doing mostly the work of a network engineer, always loved to deal with routers and switches and not people. But I was also attracted to security, implemented ACL filtering in 1996 and worked with firewalls and I'm not bad at Network security.

Also end of 90s worked a lot with Slackware, Suse, Redhat (which was a blessing then)

I am dabbling with automation now.

In 2005 I started more on the management side as VP of Tech, Cto and such but always was hands on, I could not separate myself from getting involved.

I am very much considering going into security Engineering, Analyst and such as honestly always liked it but, reading here on reddit I realized I still like network engineering, routing architectures, protocols, designs and such

Mostly think for the next 20 years (if God keeps me alive, yes I'm a believer and I also respect if you don't believe in anything) the security field will allow more opportunities to work than network engineering.

I'm sure some of you reading this can relate.

What are your opinions? Damn autocorrect, SwiftKey, it was awesome, one day, year and half ago started acting up, googling I found Mickeysoft bought it, there goes a good android keyboard,now it is not as usable.

Thanks in advance



Need help with SNMP Traps

Hello,

I've been tasked with setting up a basic per-port mac limitation config on some Juniper ex-4300 switches, and to get SNMP monitoring set up to log events when it triggers.

I've never worked with SNMP traps before, and the corresponding OID for this is notify-only. I've had this on my project list for a while and keep making little to no progress as I either don't understand this well enough to google my way to an answer, or a simple answer doesn't seem to exist anywhere so I'm hoping someone here can help me out.

Here's my current snmp config on the switches:

root@EX4300TEST> show configuration snmp
community *redacted* {
    authorization read-only;
    clients {
        10.251.0.253/32;
    }
}
trap-options {
    source-address 10.251.0.252;
    agent-address outgoing-interface;
}
trap-group dwni {
    version v2;
    destination-port 162;
    categories {
        chassis;
        link;
        configuration;
        services;
    }
    targets {
        10.252.0.253;
    }
}

And on the receiving end (centos 7/rhel)

[root@*redacted* snmp]# cat snmptrapd.conf
snmpTrapdAddr udp:10.251.0.253:162
authCommunity log,execute *redacted*
traphandle default /usr/sbin/snmptt

I've verified snmptrapd is running, but nothing is logging with this config. Obviously I've got some chunks missing, but I'm getting frustrated trying to find answers as to what.
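Editor's note, added to this post and not part of it: two things to check before touching snmptt. First, in the configs as posted, the trap-group target is 10.252.0.253 while snmptrapd binds udp:10.251.0.253:162, so the switch may be sending the traps to an address nobody is listening on (tcpdump -ni <iface> udp port 162 on the collector settles that in seconds). Second, SNMPv2c traps carry the community string in cleartext and authCommunity only accepts traps whose community matches exactly. The following added example (my own code, not from Net-SNMP or Junos) is a minimal BER encoder/decoder for a v2c trap: it builds a standard IF-MIB linkDown trap the way an agent would, parses it back, and applies the two gates a receiver should enforce, a source allow-list (snmptrapd has none of its own, so a host firewall does that job) and the community match. The community string, addresses and uptime are constructed values; the OIDs are the standard sysUpTime.0, snmpTrapOID.0, linkDown and ifIndex objects.

```python
# Added example: minimal SNMPv2c trap encoder/decoder (BER, RFC 3416 PDU layout).
# Addresses and the community string are constructed for the example.
SNMPV2C_VERSION = 1                                 # version field value for v2c
TAG_INT, TAG_OCTETS, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x06, 0x30
TAG_TIMETICKS, TAG_TRAP_V2 = 0x43, 0xA7
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"                    # sysUpTime.0, first varbind
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"             # snmpTrapOID.0, second varbind
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"                   # IF-MIB linkDown


def _len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _int_body(v):
    """Minimal two's-complement encoding, as BER requires for INTEGER."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return v.to_bytes(n, "big", signed=True)


def enc_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                  # base-128, high bit = continuation
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def build_trap(community, uptime_ticks, trap_oid, int_varbinds, request_id=1):
    """Message ::= SEQ { version INTEGER, community OCTET STRING, SNMPv2-Trap-PDU }."""
    vbl = _tlv(TAG_SEQ, enc_oid(SYS_UPTIME) + _tlv(TAG_TIMETICKS, _int_body(uptime_ticks)))
    vbl += _tlv(TAG_SEQ, enc_oid(SNMP_TRAP_OID) + enc_oid(trap_oid))
    for oid, val in int_varbinds:
        vbl += _tlv(TAG_SEQ, enc_oid(oid) + _tlv(TAG_INT, _int_body(val)))
    pdu = (_tlv(TAG_INT, _int_body(request_id)) + _tlv(TAG_INT, b"\x00")   # error-status
           + _tlv(TAG_INT, b"\x00") + _tlv(TAG_SEQ, vbl))                  # error-index
    return _tlv(TAG_SEQ, _tlv(TAG_INT, _int_body(SNMPV2C_VERSION))
                + _tlv(TAG_OCTETS, community.encode()) + _tlv(TAG_TRAP_V2, pdu))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_trap(pkt):
    """Return version, community, request_id and the varbinds of a v2c trap."""
    tag, msg, _ = _read_tlv(pkt, 0)
    if tag != TAG_SEQ:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, comm, pos = _read_tlv(msg, pos)
    ptag, pdu, _ = _read_tlv(msg, pos)
    if ptag != TAG_TRAP_V2:
        raise ValueError("PDU tag 0x%02x is not SNMPv2-Trap (0xA7)" % ptag)
    _, rid, p = _read_tlv(pdu, 0)
    _, _, p = _read_tlv(pdu, p)                     # error-status, always 0 in a trap
    _, _, p = _read_tlv(pdu, p)                     # error-index
    _, vbl, _ = _read_tlv(pdu, p)
    varbinds, q = {}, 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oidb, r = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, r)
        if vtag == TAG_OID:
            value = dec_oid(vbody)
        elif vtag in (TAG_INT, TAG_TIMETICKS):
            value = int.from_bytes(vbody, "big", signed=(vtag == TAG_INT))
        else:
            value = vbody                           # raw for types not handled here
        varbinds[dec_oid(oidb)] = value
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": comm.decode(),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "varbinds": varbinds}


def accept_trap(pkt, src_ip, allowed_sources, community):
    """The two gates a receiver should apply: source allow-list, then community match."""
    if src_ip not in allowed_sources:
        return False, "source %s not allowed" % src_ip
    trap = parse_trap(pkt)
    if trap["community"] != community:
        return False, "community mismatch"
    return True, trap
```

build_trap("dwni-ro", 123456, LINK_DOWN, [("1.3.6.1.2.1.2.2.1.1.5", 5)]) produces the bytes a switch would put on the wire for a linkDown on ifIndex 5, and b"dwni-ro" in that packet is True, which is the reason to treat the community like a password, keep the community's clients list tight, and prefer SNMPv3 where the platform supports it for traps.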



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



MitM attacks ever actually happen on a trusted network?

Has anyone actually witnessed a Man-in-the-Middle attack on their LAN?

Our security team is worried about certain systems that I manage that have MitM vulnerabilities (though they are old; the only option is to replace them).

I'm just wondering how often this actually happens in the real world. I know it's theoretically possible if you aren't following endpoint security best practices.

But realistically, how often does someone break into your datacenter and then setup MitM?

I guess adding the office LAN outside the datacenter increases this risk significantly, and WiFi increases it even more.

Over the internet, sure, I'm certainly worried about it.
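Editor's note, added to this post and not part of it: on a LAN the MitM that actually gets used is not someone breaking into the datacenter but ARP cache poisoning from any host on the same broadcast domain (a phished laptop on the office VLAN, a guest on the WiFi), with the attacker's MAC answering for the gateway and the victim. Dynamic ARP Inspection on the access switches is the preventive control; the detection side is small enough to show. The following added example (my own code, not from the post) parses raw ARP payloads and flags a binding that moves or one MAC answering for several IPs including a protected one. All MACs, IPs and frames are constructed.

```python
# Added example: detect ARP cache poisoning (the usual LAN MitM) from raw ARP frames.
# All MACs, IPs and frames below are constructed for the example.
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed 28-byte ARP payload (Ethernet header omitted)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))


def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip) from an Ethernet/IPv4 ARP payload."""
    _, _, hlen, plen, op, sha, spa, _, _ = struct.unpack(ARP_FMT, payload[:28])
    if hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return op, ":".join("%02x" % b for b in sha), ".".join(str(b) for b in spa)


class ArpWatcher:
    """Tracks IP -> MAC bindings learned from ARP replies and flags changes.

    Two signals: a binding that moves (HIGH when the IP is one we protect,
    such as the default gateway), and one MAC answering for several IPs that
    include a protected one, which is what a bidirectional spoof looks like.
    """

    def __init__(self, protected_ips):
        self.protected = set(protected_ips)
        self.binding = {}                  # ip -> MAC first seen answering for it
        self.claims = defaultdict(set)     # mac -> set of IPs it has answered for
        self.alerts = []                   # (severity, message)

    def observe(self, payload):
        op, mac, ip = parse_arp(payload)
        if op != ARP_REPLY:                # requests are noise for this check
            return
        self.claims[mac].add(ip)
        known = self.binding.setdefault(ip, mac)
        if known != mac:
            sev = "HIGH" if ip in self.protected else "MEDIUM"
            self.alerts.append((sev, "%s moved from %s to %s" % (ip, known, mac)))
        if len(self.claims[mac]) > 1 and self.claims[mac] & self.protected:
            self.alerts.append(("HIGH", "%s answers for %s" % (mac, sorted(self.claims[mac]))))


def scan(frames, protected_ips):
    """Run a capture (list of ARP payloads) through the watcher; return its alerts."""
    w = ArpWatcher(protected_ips)
    for f in frames:
        w.observe(f)
    return w.alerts


# Constructed capture: legitimate gateway and host, then an attacker (cc:..:cc)
# poisoning both sides of the conversation.
GW, HOST, ATTACKER = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:50", "cc:cc:cc:cc:cc:cc"
SAMPLE_CAPTURE = [
    build_arp(ARP_REPLY, GW, "10.0.0.1", HOST, "10.0.0.50"),
    build_arp(ARP_REPLY, HOST, "10.0.0.50", GW, "10.0.0.1"),
    build_arp(ARP_REQUEST, HOST, "10.0.0.50", "00:00:00:00:00:00", "10.0.0.7"),
    build_arp(ARP_REPLY, ATTACKER, "10.0.0.1", HOST, "10.0.0.50"),     # "I am the gateway"
    build_arp(ARP_REPLY, ATTACKER, "10.0.0.50", GW, "10.0.0.1"),       # "I am the host"
]
```

scan(SAMPLE_CAPTURE, {"10.0.0.1"}) returns three alerts: the gateway binding moving (HIGH), the host binding moving (MEDIUM), and the attacker MAC answering for both. In practice the payloads come from a capture on a SPAN port or from arpwatch-style logs; the first-seen binding should be seeded from the switch's known MAC table rather than trusted blindly, since the very first reply you see could already be the attacker's.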



Velcro cable ties

Sorry for the non-technical question, but what do you prefer for velcro cable ties. We have a few different ones that kinda suck, wondering what else is out there that I could try.

Thanks.



IPv6 Addressing and Architecture references

Hey Networking!

I'm rolling out IPv6 to our top-of-rack switches, for server deployment purposes at least initially, and I want to utilize the built-in auto-configuration capabilities of IPv6 as much as possible. My goal isn't to define a static IPv6 network per ToR switch, nor to mimic what an IPv4 deployment would look like. I'm looking to use Neighbor Discovery, Router Advertisements and maybe stateless DHCPv6 and network boot strings. The dream is to have every single point-to-point link auto-configured with link-local addressing, including to the server, and to have all the host addressing decentralized until they have been enrolled into our environment with MaaS or something like that.

However, while I can read RFCs:
https://tools.ietf.org/html/rfc8425

There are plenty of intro-to-IPv6 articles out there, but they all start from the assumption that IPv6 should be deployed exactly like IPv4, which ignores many of the capabilities and niceties that IPv6 has built in. They don't provide a good overview of what an IPv6 network should look like.

Basically I'm looking for an IPv6 deployment guide that assumes you want an IPv6 Fabric where hosts are able to fully configure themselves and have a routable IP without manual configuration of either the host itself, nor the switch the host is actually connected to. If manually setting the default gateway for the server or the ToR is part of the deployment, then we've already started off wrong.

Does anyone have any experience or references for doing something like what I've described? I have already set up a server (manually) where it uses BGP to advertise its address into a BGP core, but I don't know how to scale that to make the server/ToR deployment automatic; that's the specific part I'm looking for.
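Editor's note, added to this post and not part of it: the piece of the "hosts configure themselves" design that is worth seeing in code is the interface identifier, because it is also where the security choice sits. With modified EUI-64 the host's MAC (and so its NIC vendor) is embedded in every global address it ever uses and can be correlated across networks; RFC 7217 stable-privacy IIDs are stable per network and interface but derived from a secret, and are what Linux uses when addr_gen_mode is set to stable-privacy with a stable_secret. The following added example (my own code, not from the post or any RFC implementation) derives the link-local address that makes an unconfigured point-to-point link usable, the EUI-64 SLAAC address from an RA prefix, and an RFC 7217 address for the same prefix. The MAC, prefixes, interface name and secret are constructed; RFC 7217's optional Network_ID input is omitted.

```python
# Added example: how an IPv6 host derives its own addresses under SLAAC, with no
# per-host or per-port configuration. MACs, prefixes and the secret are constructed.
import hashlib
import ipaddress


def eui64_iid(mac):
    """Modified EUI-64 (RFC 4291): flip the U/L bit, insert ff:fe in the middle."""
    m = bytearray(bytes.fromhex(mac.replace(":", "")))
    m[0] ^= 0x02
    return bytes(m[:3]) + b"\xff\xfe" + bytes(m[3:])


def link_local(mac):
    """fe80::/64 + EUI-64: the address that makes an unconfigured p2p link usable."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_iid(mac))


def _prefix64(prefix):
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC (RFC 4862) needs a /64 in the RA prefix option")
    return net


def slaac_eui64(prefix, mac):
    """Global address from the RA prefix plus the MAC-derived IID (leaks the MAC)."""
    return ipaddress.IPv6Address(_prefix64(prefix).network_address.packed[:8] + eui64_iid(mac))


def stable_privacy_iid(prefix, iface, secret, dad_counter=0):
    """RFC 7217 IID = F(Prefix, Net_Iface, DAD_Counter, secret_key); here F is SHA-256.
    Stable per (network, interface) but not derived from the MAC, so the host
    cannot be tracked across networks and the NIC vendor is not in every packet."""
    net = _prefix64(prefix)
    for counter in range(dad_counter, dad_counter + 8):
        data = net.network_address.packed[:8] + iface.encode() + bytes([counter]) + secret
        iid = hashlib.sha256(data).digest()[:8]
        if iid != b"\x00" * 8:        # avoid the reserved Subnet-Router anycast IID
            return iid
    raise RuntimeError("could not derive a non-reserved IID")


def slaac_stable(prefix, iface, secret, dad_counter=0):
    """Global address from the RA prefix plus an RFC 7217 stable-privacy IID."""
    return ipaddress.IPv6Address(_prefix64(prefix).network_address.packed[:8]
                                 + stable_privacy_iid(prefix, iface, secret, dad_counter))
```

For MAC 00:1b:63:84:45:e6, link_local gives fe80::21b:63ff:fe84:45e6 and slaac_eui64("2001:db8:1:2::/64", ...) gives 2001:db8:1:2:21b:63ff:fe84:45e6, which is exactly what a host does on its own once the ToR sends an RA with a /64 and the A flag set; the stable-privacy address for the same prefix sits in the same /64 but reveals nothing about the hardware. Whichever scheme the hosts use, the ToR only needs the RA, and anything that should not send RAs (servers, guests) should be stopped by RA Guard on the access port.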



Curious what others are doing for wireless authentication? In particular Cisco WLC

Just curious what others are doing for wireless authentication with active directory and a Cisco WLC. Currently we're using a radius server but that seems somewhat antiquated. I'm curious what others are using? ISE? or something else?



What to use for iSCSI switch?

We've always been a Cisco and HPE shop when it comes to switches, but I'm tired of paying huge prices for simple 10Gb layer 2 switches for iSCSI.

Our existing standard is two Cisco 3850-12XS (12 SFP+ ports), but most of the 3850 line is EoS and I expect the -12XS to go end of sale soon. And even then, I thought they were too expensive for what they were doing.

Does anyone make a small (10,12,16,24) SFP+ switch that has sufficient buffers, performance, and reliability to run a smallish iSCSI setup (2 ESX hosts and two Nimble arrays)?

All I need is jumbo frames. No layer 3, no MLAG, nothing fancy. A separate management interface would be nice, but if I have to add a trunk to my main switches and create a management SVI, that's OK too.

These switches would be only for iSCSI - they won't even be connected to the main network (other than for management).

What are you folks using for "cheap" iSCSI switches?



Datacenter Patch Panel Question.

I am in a situation where I have to move equipment at a datacenter to a new location. The datacenter team is providing me a 10Gb patch panel connection between racks, but I only have a QSFP module available that operates at 40Gb. Would I be able to use the QSFP for the project since it operates at 40Gb instead of 10Gb?

Here is the link to the layout:

https://ibb.co/0YscFSQ

Here is the link to the transceiver:

https://www.fs.com/products/34913.html

Here is the link to cable to patch panel:

https://www.fs.com/products/40221.html



MFA cisco swts

Does anyone know how, or if, MFA with Duo can be set up on Cisco switches?



API that returns IPv4 prefixes for a particular BGP AS number

Hello,

I am wondering if there is any API available to retrieve a list of IPv4 prefixes for a given BGP AS number. I know there are public internet route servers where one can run a "show ip bgp" type command with filters (regular expressions) to see a list of prefixes originated by a particular AS number. I am interested in finding a programmatic way of retrieving the prefix list, perhaps as JSON output. I am not looking for any paid service; I just need to use it one time only.

Thanks for looking into this.
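Editor's note, added to this post and not part of it: RIPEstat's announced-prefixes endpoint (https://stat.ripe.net/data/announced-prefixes/data.json?resource=AS<number>) is free, needs no key, and returns JSON built from the RIS route collectors. The following added example (my own code, not the poster's and not a RIPE library) fetches that document, keeps one address family, collapses overlapping prefixes, and renders the result as prefix-list lines. The sample document is constructed in the shape of the real response (status, data.prefixes[].prefix) using documentation ASN and prefixes, so the parsing runs offline; only fetch_announced touches the network. One caveat for anyone using this output for filtering: what the collectors saw announced is not the same as what the AS is authorized to announce; for that, build filters from IRR route objects and RPKI ROAs.

```python
# Added example: pull the prefixes originated by an ASN from RIPEstat's
# announced-prefixes endpoint and aggregate them. SAMPLE_DOC is constructed.
import ipaddress
import json
import urllib.request

RIPESTAT = "https://stat.ripe.net/data/announced-prefixes/data.json?resource=AS{asn}"


def fetch_announced(asn, timeout=20):
    """Live call (not exercised offline): returns the parsed JSON document."""
    with urllib.request.urlopen(RIPESTAT.format(asn=asn), timeout=timeout) as resp:
        return json.load(resp)


def extract_prefixes(doc, family=4):
    """Return the announced prefixes of one address family as ip_network objects."""
    if doc.get("status") != "ok":
        raise ValueError("RIPEstat returned status %r" % doc.get("status"))
    nets = []
    for entry in doc["data"]["prefixes"]:
        net = ipaddress.ip_network(entry["prefix"], strict=False)
        if net.version == family:
            nets.append(net)
    return nets


def aggregate(nets):
    """Collapse covered and adjacent networks so a prefix-list or ACL stays small."""
    return sorted(ipaddress.collapse_addresses(nets))


def as_prefix_list(name, nets):
    """Render the result as Cisco-style 'ip prefix-list' lines, one per prefix."""
    return "\n".join("ip prefix-list %s seq %d permit %s" % (name, 10 * (i + 1), n)
                     for i, n in enumerate(nets))


SAMPLE_DOC = {  # constructed, shaped like RIPEstat's announced-prefixes output
    "status": "ok",
    "data": {
        "resource": "64496",
        "prefixes": [
            {"prefix": "192.0.2.0/24", "timelines": []},
            {"prefix": "198.51.100.0/25", "timelines": []},
            {"prefix": "198.51.100.128/25", "timelines": []},
            {"prefix": "198.51.100.0/24", "timelines": []},
            {"prefix": "2001:db8::/32", "timelines": []},
        ],
    },
}


def announced_v4_prefix_list(asn, doc=None):
    """One-shot helper: document (fetched unless supplied) -> aggregated v4 prefix-list."""
    doc = doc if doc is not None else fetch_announced(asn)
    return as_prefix_list("AS%d" % asn, aggregate(extract_prefixes(doc, 4)))
```

announced_v4_prefix_list(64496, SAMPLE_DOC) yields two lines, 192.0.2.0/24 and 198.51.100.0/24, because the two /25s and their covering /24 collapse into one entry; swap in the ASN you care about and drop the doc argument for the live lookup.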



iSCSI and Jumbo Frame network latency

We have started to experience high network latency when our newer Dell EMC Unity SANs replicate across the network. All of the SANs and the network switch that the SANs and the VM host servers are connected to are configured for jumbo frames. All devices have an MTU of 9216 configured. However, the next-hop switch and the L3 device that does the routing are not configured for jumbo frames.

The distribution layer switch is a Dell S4048-ON switch which I should be able to enable jumbo frames on. However our L3 device for this office is a HA pair of Sophos XG430 devices. The way the S4048-ON switch connects to the XG430 in its LAN LAG will not allow for the configuration of jumbo frames.

Would it be best to move the L3 connectivity for our iSCSI traffic down to the S4048-ON switches and then route that traffic through the XG430? Letting the S4048-ON device handle the breakdown of jumbo frames to the 1500 byte payload for cross network replication?

When our replication process starts, pings that are routed across the network go from <1 ms to >200 ms. All pings on the same subnet stay <1 ms.

Thanks for any recommendations.



Introducing BGP routing and IPv6 with minimal downtime

Hello guys,

I started working for a company whose network was designed by devs and server admins. I'm spending my days mapping stuff, and 3/4 of what I see makes absolutely no sense. Luckily it's not the production network but a section specifically for R&D where new products/builds are created and tested.

The main issue I faced was that the company had a presence in many datacentres worldwide. Still, only a few sites had the cabinets gathered in a cage, so my predecessor thought of having a 10G link for each rack and putting a layer 3 switch with its management interface on VLAN 1 and assigning it a public IP. Luckily for me, he was sensible enough to restrict access to only a handful of IPs.

I managed to create a consolidation plan and am migrating all the racks into a cage; I'm putting a couple of BGP-capable routers in each cage and keeping the current switches to handle the L2 comms. On top of that, our main ISP doesn't do BGP peering with Google on IPv6, so I'm bringing another one in and configuring the IPv6 peering on that interface.

I'm not really on top of my game with BGP peering, and this is the first time I need to do this involving IPv6. Has any one of you had a similar experience? What would you do? In case you already faced a similar challenge, what went wrong, and how did you cope with it?



Magic Wan & Firewall

Blog

What do you guys think of this? Letting cloud servers handle your routing?



Cisco SG250 Smart Switch Operating System?

Hey guys, I don't know if anyone will be able to help me out, but I am having issues with my Cisco SG250HP smart switch when trying to set up a remote syslog server. While this is the bigger issue, my support contact for the server is wanting to know what version of IOS the switch is running.

If I am not mistaken, the Smart Switch series doesn't run IOS, but I can't find anything other than the firmware version. If anyone could point me in the right direction that would be great, or if you know of any issues with this model when setting up a remote syslog server.

Thank you in advance for any help!



Merging multiple DVRs on 1 software

Hello!

I hope everyone is doing well.

I currently own:

3 HikVision NVRs (I watch feed online via hikconnect)

8 XMeye IP cameras with no DVR (connected straight to internet) (Using a software called CMS to watch them online via Serial)

1 chinese branded NVR (Dahua I believe?)

I was looking for a solution to add ALL those in 1 software to watch remotely online.

CMS apparently does support Hikvision, but I can't seem to add the DVR (See image below)

Any support would be appreciated!

Also in case of suggestion of any alternative software, please let me know. I was checking iSpy but I can't seem to figure out how to configure XMeye cameras nor HikVision online.




Cisco switch Radius behaviour

Hello,

I have a weird problem with my current Radius setup in the company.

Some infos before:

VLAN assignment happens on the radius server.
Policies for dot1x and MAB for devices that are not able to do dot1x
Switch port:

 desc Radius Port
 switchport mode access
 switchport voice vlan 5
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 auto qos trust dscp
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy type control subscriber DOT1X2MAB
 service-policy input AutoQos-4.0-Trust-Dscp-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy

The problem I have is that non-domain notebooks won't connect to a different switch port when a phone, printer or domain notebook was connected before. The link never goes up. I need to cycle the port and then it works. The port doesn't go into violation or shut down, and there are no logs saying that something has failed. We also have an intercom system that does MAB, but apparently it loses connection sometimes and I need to cycle the port to make it reachable again.

Why does it behave like this?



Akips BGP Alerts

Looking to see if anyone else here has experience with Akips BGP alerts? I could be doing things completely wrong, but so far the alerts are so spammy they are useless.

We are using a third-party integration, and every time BGP changes state the original alert is resolved and a new alert is generated with all the same information. It only takes a few down BGP sessions to create so much noise the whole system is useless. With 10k BGP sessions being monitored, it's not unusual to have 10-15 with issues at any given time.

I need a way to cut down the noise without missing things.



Monday, March 22, 2021

Programmable networking startup, Syntropy, seeks to improve upon BGP. What's your take?

Syntropy, an enterprise-oriented NaaS startup, has been getting attention now that execs from Verizon and AT&T have joined their advisory board. They want to speed up BGP's shortest path routing algorithms by adding an encrypted, agent-based layer that computes the fastest path in its mesh of nodes. In a somewhat novel move, they will be paying nodes to join the network (either in conventional currency or their own token). They are claiming up to ~200 ms improvements across cloud providers. What do you think of their approach? I think it's fascinating, but I'm skeptical they'll see adoption beyond the crypto community.

Here's more information on their decentralized autonomous routing protocol (DARP): https://www.syntropynet.com/darp



Does commscope/Ruckus make robust security firewall/routers like say Meraki? What kind of recommendations can you make for a full Meraki network move to another platform?

We're a full Meraki network - MX firewall, MS switches, and MR APs... We're on the fence for security cameras between Meraki, Rhombus, and Verkada. That's prob a different topic though!

We've been getting kinda fed up with the licensing shenanigans at Meraki and have been toying with the idea of a full network overhaul to some other system - my boss seems to think Ruckus APs are the top dog and wants to go full Ruckus but I'm having a hard time finding anything about a serious security and routing appliance like the MX 450 we have now. The one thing we have now is a single pane "PAIN" of glass for our entire network and it makes setting and manipulating VLANs, WLANs, and special access SSIDs a breeze. (Not to mention packet captures and port cycling I do dozens of times a day for troubleshooting).

I've heard the controllerless Ruckus APs are very limited in what you can configure right now with promises for fuller features, but cannot find any specific documentation about what features are lacking compared to a more complex setup.

What features are missing in the Ruckus APs? What firewall/routers are available? I'm guessing their switches are Brocade? Are they configurable via the cloud or a controller, or is it a one-by-one system, old-fashioned style?

Our topology: We have 7 outlying buildings that all feed back to our main building with 10gb fiber and a 5gb internet connection at the main site that all buildings share (if that gives you an idea of bandwidth requirements). We have about 4500 devices in total - 1500 wired, 3000 wireless... give or take.



VDX 6740 - Simple SNMP Polling

This is a bit embarrassing, but is anyone experienced with Brocade VDX and multi-chassis switches? I've never used one before, but I'm only trying to do something as simple as SNMP on it and it won't connect/send back anything when I snmpwalk.

Config:

ip access-list standard mgmt
 seq 10 permit 192.168.2.0 0.0.0.255
 seq 20 permit 10.10.21.6 0.0.0.0
 seq 30 deny any
!
snmp-server enable trap
snmp-server community <community> ipv4-acl mgmt
snmp-server host <ip> <community> version 2c use-vrf mgmt-vrf
!

I can ping and ssh to a ve interface on my management vlan and that's how I need the SNMP polling to work but it will not poll for the life of me.



Weird Drops

I have a Netgear switch in a production environment which has a few clients connected to it.

When I ping the clients connected to the switch there are no Packet drops.

But when I ping the switch's management IP I see drops:

Pinging 10.1.1.65 with 32 bytes of data:
Request timed out.
Reply from 10.1.1.65: bytes=32 time=259ms TTL=63
Request timed out.
Reply from 10.1.1.65: bytes=32 time=354ms TTL=63
Reply from 10.1.1.65: bytes=32 time=100ms TTL=63
Request timed out.
Request timed out.
Request timed out.
Reply from 10.1.1.65: bytes=32 time=134ms TTL=63
Reply from 10.1.1.65: bytes=32 time=226ms TTL=63
Request timed out.
Reply from 10.1.1.65: bytes=32 time=252ms TTL=63
Request timed out.
Request timed out.
Reply from 10.1.1.65: bytes=32 time=132ms TTL=63
Reply from 10.1.1.65: bytes=32 time=209ms TTL=63
Request timed out.
Reply from 10.1.1.65: bytes=32 time=269ms TTL=63
Reply from 10.1.1.65: bytes=32 time=156ms TTL=63
Reply from 10.1.1.65: bytes=32 time=201ms TTL=63
Request timed out.
Request timed out.
Reply from 10.1.1.65: bytes=32 time=231ms TTL=63
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.1.1.65: bytes=32 time=284ms TTL=63

It matters because I need to log in to the switch and manage it, but at the moment I can't.

Any idea why that's happening ?



How can i start networking/ widen my social circle?

I like doing business, learning new skills and making connections. I have many interests like art, reading language, sports, music and anything creative. I am active physically and mentally. I want to have a very big impact on the world. That's besides the point anyway. I just need to widen my social circle and area of influence.



Question on how to chose the right power supply rating for Nexus 9k

I think this is the kind of stuff that no CCxx teaches but comes from designing more networks.

I'm trying to put together a BoM, and for the power supply for the 9k I see options for 750W AC and 1100W AC. Aside from the obvious, what would be a reason to choose the higher-rated power supply? Is it only if the switch is expected to be very busy?



Who all is doing Cisco SDA? Does it actually work? Is it worth it? What is your experience with it?

I'm curious whether the technology is stable enough for a full-blown SDA deployment. I realize you need Cat 9k, DNAC and ISE to use the system, and I'm considering doing a POC very soon. What else do you need for SDA? What have you seen as major benefits and problems with the solution? What skillset is most beneficial to have when deploying SDA? I have an R/S background with a lot of VPN/MPLS/DMVPN overlay solutions and I'm hoping that background will help with the fundamentals. From what I've seen on Cisco Live, it seems like it might be ready for action...

Thanks for any feedback.



POE powered media adaptor

I have Fiber to the Home by ATT, but the NID is not protected by a UPS. Does anyone know of a fiber-to-copper media adaptor that is powered by PoE from the switch I will be connecting it to?



Use MS Authenticator OTP for VPN MFA [help needed]

Hi,

We currently have our Cisco Anyconnect VPN setup using Azure AD SAML authentication and ISE for authorization.

However, one corner case is Sign-on Before Login (SBL), which does not support SAML auth. Basically when we send a user a new laptop they need to sign in to VPN at first turn on before logging in, to get onto our AD and get all the MS goodness pushed to their machines, a one time process.

The MS Authenticator app has a built-in OTP function; however, I couldn't find how to get this to talk RADIUS with either the ASAs or ISE. If I were able to get this done, I'd just create a separate SBL VPN profile for users to use in this instance, which just uses RADIUS. This way we don't give up on MFA for this niche situation.

Does anyone know how to get this to work, or perhaps have a more elegant solution?

-JJ
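Editor's note, added to this post and not part of it: the one-time code the Authenticator app shows for an account enrolled with a shared secret is an OATH TOTP (RFC 6238), and the RADIUS side of a design like the one JJ describes comes down to a backend that can verify such a code against the user's enrolled secret, accept a small clock window, and refuse a code that has already been used. Whether the specific Azure AD enrollment exposes the secret to a third-party verifier is an assumption this example does not settle; what it shows is exactly the verification that backend performs. The following is my own code (not Microsoft's, Cisco's or ISE's), and the secret and timestamps are the RFC 6238 test vectors rather than production values.

```python
# Added example: OATH TOTP (RFC 6238) generation and the verification a RADIUS
# backend performs, with a clock window and replay rejection. Test vectors from RFC 6238.
import base64
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter = unix time // step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, window=1, step=30, digits=6, last_counter=-1):
    """Accept codes from [now-window, now+window] steps (clock skew between the
    phone and the server), reject any counter at or below the last one accepted
    (replay of a code already used). Returns (ok, counter_to_persist)."""
    now = at // step
    for offset in range(-window, window + 1):
        c = now + offset
        if c <= last_counter:
            continue                      # already consumed: a captured code is worthless
        if hmac.compare_digest(totp(secret, c * step, step, digits), code):
            return True, c
    return False, last_counter


def secret_from_base32(s):
    """Manual enrollment keys and otpauth:// URIs carry the secret base32-encoded."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


# RFC 6238 test secret (ASCII "12345678901234567890"), as it would appear in an enrollment key
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

With the RFC secret, totp(secret, 59, digits=8) is 94287082, the value printed in the RFC's own table; the six-digit form is 287082. verify_totp accepts that code at t=59 and still at t=89 (one step later, inside the window), refuses it at t=149, and refuses it a second time at t=59 once the returned counter has been persisted as last_counter. That last check is the part that makes an OTP over RADIUS/PAP safe to replay-capture: the code is public the moment it is used.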



Packet Shaping Recommendations?

Well, another packet shaping company bites the dust - Sinefa has been purchased by Palo Alto and there are no plans to keep the traffic shaping.

Packeteer is gone, Exinda, etc.

This is a bit of a long shot (and an old discussion archived here): https://www.reddit.com/r/networking/comments/6moqkr/looking_for_recommendations_on_a_traffic_shaping/

But does anyone have any current products for traffic shaping? I've seen this feature in a few devices like firewalls, but that's overboard for what I'm trying to find... just a shaper of some sort.

Thoughts?



I want to connect 5 or more switches'/routers' console cables to a device on my desk so I can swap between them

Hello, so I'm looking for a solution for this. I have one console cable from my PC that I want to swap between switches/routers.

I don't want to go the back of the devices all the time. I want to plug all of them into 1 device. Then I swap between the switches with my console cable in the device instead.

Sorry for the weird description. In school we had some kind of patch panel that was connected to this device that I don't know the name of.

Thanks for help.



What are you folks using for device images in Netbox? Any other insider tips appreciated.

Got a new datacenter build coming and want to be on top of documentation, so I decided to give Netbox a shot. I was just curious what method you folks use for images. Do you just snip images from the internet? Do you take pictures of the actual devices and crop and use those? Do you snip Visio images, or is there a clever way to convert those?

Also any tips or tricks experienced users would like to share as far as navigating, maintaining, or just being plain more efficient in Netbox is appreciated. We have Solarwinds for IPAM so likely won't use Netbox for that now. I also plan to dabble with the Netpalm integration at some point.



AWS Direct Connect partner recommendations?

Anyone using Megapath or one of the other AWS DC capable partners? If so, can you recommend one or not recommend one? Share pricing as well if you can. We already have services with ATT and Zayo, so those two would probably be the path of least resistance.



MSP connectivity with customer

We are setting up a remote office with 50 IT employees where we are assigned to provide managed services to our client.

We will be managing the entire infrastructure from remote office including SAP, AD, Network, Security, and Software development.

I would like to know how do you establish connectivity with your customer?

What are the best practices to monitor all systems?



VLAN setup not working?

I'm trying to set up a new guest VLAN for some new Unifi APs I'm testing internally and I'm going round in circles. I will be the first to admit my VLAN game isn't as strong as it probably should be, but I have tried various configs and it's just not working. Can anyone shed any light?

The setup is:

Draytek 3220 router - https://snipboard.io/LkJVjz.jpg

Draytek LAN1 -> Switch Port 1

D-Link DGS-1024 switch - https://snipboard.io/XQ7tZc.jpg & https://snipboard.io/78QKuV.jpg

Switch Port 25 -> LAN1 on Unifi AP

Unifi AP - https://snipboard.io/8Qf1qR.jpg & https://snipboard.io/HLTi0b.jpg

My test device can connect to the wireless but doesn't get an IP address. I have done similar setups before without issues, but normally I plug the APs directly into the router LAN ports. This Draytek only has a single LAN port, so I'm routing the VLAN through the D-Link switch and I think that's where the issue is. I'm pretty sure, as the Guest SSID/Network is tagging the packets, that the setting on the D-Link should be 'Tagged', but it's not working.



Cisco ISE with Open WiFi Authentication

Bit of a Cisco ISE and WiFi noob,

Does anyone know if it is possible to have Cisco ISE authenticate a device's access to an SSID without it being prompted for a username/password, and also without any client-based authentication?

A client wants to have some OT devices connect to a hidden SSID without any user intervention, but to use ISE profiling for dynamic VLAN assignment.

My understanding so far is that this is not possible. EAP seems to be the trigger to direct SSID authentication to ISE in which either a username/password or certificate has to be used to authenticate before hitting the authorization policy where the device profiling/dynamic VLAN assignment happens.

If someone can confirm my theory or have a potential solution, that would be a great help.

Thanks



Extreme networks problems

I tried to post this question in the /r/extremenetworks sub but have to be approved to post.

I inherited an Extreme Cloud installation at five sites when I took this job. It works, mostly. We need to add some external access points and one internal access point at one of our facilities. The problem is we can't seem to purchase any additional licenses for the original Extreme Cloud product, only the Extreme Cloud IQ product. We are being told we would have to pay for new licenses for all of our existing access points in order to move to the new platform.

Has anyone else encountered this problem?



Cisco configs to Dell Switch

Is there a way to copy a Cisco config from a 3750G to a Dell n2048P switch on the CLI?

Do I have to use the Dell OpenManage switch GUI for configuring the settings from the Cisco switch?



Struggling to properly configure Vlans on Cisco sg350x

Hey guys,

I need some help with configuring a switch (SG350x) , my boss has thrown me in the deep end while he's off work. He's asked me to get a switch up and running and this is a bit of a struggle for me since I'm the O365 and Server guy in the organization.

He wants a switch configured with

a layer 3 Vlan for VOIP, with 4 of the ports to be access vlan x to connect the pbx, sbc, laptop etc.

Whatever that means...

I'm really struggling with this one, a lot of this stuff is kind of over my head, I'm also not very familiar with Cisco either, unfortunately.

I've gotten the switch online, have assigned vlan1 an IP and the switch itself has an IP address.

I've created a VLAN with an ID of 10, I have added 4 ports under port to vlan membership to vlan 10. I have configured an IP address under ipv4 interface settings and have tied it to vlan 10.

However, when I plug into one of the ports associated with my VLAN, I'm getting an APIPA address. I'm really not sure what I'm doing wrong.

Can someone kindly, in an idiot-proof way, explain to me where I'm going wrong? How the heck do I assign an IP range to my VLAN? I've gone over dozens of articles on creating VLANs but I can't seem to figure this one out.

thanks!



Anyone script an interface and a device pull from VeloCloud Orchestrator?

We've got some VeloCloud Edges and an Orchestrator. I'd like to easily do a Top 10 interface utilization report, a Top 10 CPU and a Top 10 memory utilization report, and maybe a worst jitter/packet loss/delay report. Right now I can go into Orchestrator, but it is very much look at everything and whittle your way down. Is anyone scripting a daily pull of hourly utilization?



Ethernet Cable Question for Work

I do not know if this is the right subreddit to ask this question.

At work we are trying to set up some doors, and the ethernet cables that they came with have different colors inside the sleeve: brown, blue, yellow, green, red, black, orange and grey. We needed some more cables because we think some of the ones we got were bad, so we purchased some Cat6 cables, and they came with the standard colors (blue, blue/white, etc.). We asked the company's tech support how we could interchange the colors and they gave us a key for which colors to substitute; sadly it did not work. We decided to test another portion of the door that required the RJ45 connection on both sides, and things did not work as they were supposed to. So we came to the conclusion that the cables may not be interchangeable. I am hoping someone here might have some insight into what we can do or where we can purchase that specific ethernet cable.

I know most people will think why would a door require ethernet cables, this company is like a manufacturer so the doors need to lock or unlock based on certain parameters and they communicate via 2-4 ethernet cables/door.

Thank you for all your help