Saturday, April 10, 2021

4G/5G LTE "Modem pools" that work in the US?

We're using Cradlepoints at our remote offices for connectivity but need more bandwidth.

Wondering if there's a cheaper/more elegant solution than just buying 30 Cradlepoints. Are there any COTS modem pool solutions that support calls/text and data for US carriers (Verizon/T-Mobile/AT&T)? Or are we stuck buying a bunch of Cradlepoint LTE modems and NetCloud subscriptions?



How does pruning avoid loops in Protocol Independent Multicast (PIM-SM)?

I cannot think of a scenario in which pruning avoids loops in PIM-SM when a router joins an SPT. I understand that it avoids duplicate messages, but how does it avoid loops?

I want a scenario where the router joins the Shortest Path Tree (SPT) but never prunes the Shared Tree (RPT).

Can anyone give a brief idea of how pruning avoids loops?

Thank you so much!



MTU size

I have a fiber connection; 1462+28 is the MTU, and after that it fragments. But if I put the fiber modem into bridge mode and the Velop mesh in PPPoE mode via LAN, does the MTU change? The result in the terminal is the same… 1492



What does Checkpoint offer nowadays?

I am trying to understand what Check Point's stronghold is nowadays... It used to be the firewalls, but is it still? Is it focusing on Cloud and IoT now? What about market share in North America?

I guess it depends on who I ask. Is Check Point really less popular than PAN and Fortinet nowadays?

Regarding the firewall offering (within the last couple of years), I heard from another manufacturer's SE: PAN is popular with security guys due to its super marketing; Fortinet is popular with networking guys due to its firewall throughput; Cisco has a good balance... but what about Check Point firewalls?

Note: just trying to understand, not to shame any manufacturers or products.



Advice Needed: Moving from Europe and looking for job prospects within ~2hrs of NYC or DC

Hey team, I'm currently looking to move from Europe back to the States, and I am hoping to have your advice on where to move to. All the immigration legalities are taken care of already. Literally anywhere is fair game at the moment, so long as it meets the following requirements:

  • Solid job prospects for a mid-senior level network engineer (good pay, high job availability, not horrid commute if I have to go in, etc)
  • An airport within ~2 hours drive that has cheap direct flights to Amsterdam (so I can visit family regularly)
  • It has some really pretty nature around (I don't want to live directly in a big city)

I found that the best airports for cheap (sub $300) flights to Amsterdam are coming from Miami, DC, and NYC. I don't particularly care for Miami, so that leaves DC and NYC.

So, the specifics:

  1. Can anyone give any insight into the realistic job market around (probably not in) either of those two cities?
  2. Are there any population hubs around there you can recommend to settle down in?
  3. I'm currently an independent contractor since that is the best and most tax-advantaged way to work in the NL. Is there a big culture of independent network engineers in the states, or is it all salaried?

I would really appreciate your help and responses. Thanks!



Reliable dual-sim LTE routers for backup access

I’m looking for routers for remote sites, used primarily for backup remote access when circuits go down. The requirements are VPN support (IKEv2 ideally), PoE in (passive or 802.3af), and dual-SIM. 802.11x is not preferred as it won’t be used for security reasons anyway.

I’ve used Digi equipment in the past and found it very stable and very featured - very, very, very featured, which is probably why the cost was so high (Digi6335 - these were ~$500/each at the time of purchase).

I’m not looking for any centralized cloud management; SSH is perfectly fine.

Any recommendations for brands to look into? I’m familiar with Accelerated (now Digi) and Cradlepoint as very reliable but costly. Is there something between consumer junk and higher-end enterprise that doesn’t require sacrificing stability and features?

Bonus points for anything that provides the ability to run custom scripts via access to the OS. The Digi6335 has a very full-featured Linux system underneath and provides full access to the system via SSH, which was useful in allowing some lightweight custom scripts that send periodic updates to a REST API.

Trying to avoid Huawei but not ruling it out...



Measuring DNS performance impact by IDS

Hello Everyone!
Our company's router vendor offers a "security" suite for additional $$$ per year and management is interested in giving it a try. We get one month free trial. One of the major components of the security suite is an IDS engine. I want to find out how it affects our throughput and other gotchas.

The documentation says it monitors DNS traffic in addition to other protocols. How do I measure DNS pps? I was able to test TCP and UDP performance using iperf but not DNS. Testing UDP isn't enough because DNS has additional parsing/checking involved.



Connection problem

Hi Guys,

I am really stunned by this problem and maybe one of you knows what to do.

Right now I have 2 computers, connected with a network cable. First, one of the computers was set up as the DHCP server, but we didn't get a lease. So I tried to put a static IP on both computers and tried to ping. But sometimes the ping gives a reply and other times it gives a timeout or general failure.

I tried multiple network cards, network cables and a fresh OS.

Ping output on one of the computers (192.168.2.40). Other computer: (192.168.2.254)

https://ibb.co/wpTv0Lk

Edit: ARP registers the IP on both sides



Confused routing

Hello everyone! I need some advice because I'm out of ideas. I have a Windows Server and I need to access a network. That network is only reachable from an Ubuntu server serving as a VPN tunnel using strongSwan; this Ubuntu server has a virtual NIC and a NAT POSTROUTING rule to the destination network. I mean: server 10.x.x.x needs to access the network 10.1.x.x from a client. The Ubuntu server 10.x.x.x has a POSTROUTING -s 10.x.x.x -j SNAT -to 172.17.x.x (virtual NIC). From this server I can reach the client network 10.1.x.x only through the virtual NIC 172.17.x.x.

Which rules do I need to use this server as a gateway from the Windows SRV?

I hope I was clear and somebody could bring some light over this problem.



Small office firewall recco

Site currently has an Xfinity Gigabit Internet circuit, but will soon have an independent ISP symmetrical Gigabit circuit without Xfinity's usage restrictions. At that point I want to upgrade the firewall to something more capable, especially in the area of maintaining (nearly?) full gigabit throughput. Current unit is consumer grade. Cost is a consideration.

Few users, although there are 2 significant "power" users. One's a data analyst who works remotely and is in web meetings several times daily besides her data crunching. I'm the other, an IT pro who donates my time to a couple of charities, remotely supporting their networks, plus a single VM host server that I want to back up off-site and have remote access to.

I really like Fortinet gear, but to get a firewall that can handle gigabit throughput (not VPN throughput) puts me into a four figure cost unit with corresponding annual maintenance cost. I don't feel safe with home market devices because of their history of slow/sloppy patching of vulnerabilities. SOHO or better seems necessary.

My work experience was always at the higher end of the market (Cisco, Fortinet, Juniper) and their offerings are just not workable costwise. The budget here is tight. I would love some recommendations for better quality solutions that can handle packet inspection at gigabit speeds, good history of software maintenance, at a cost under $1,000USD. Under $750 would be ideal (annual maintenance being extra).

Suggestions? Unrealistic? Thanks all!



Using a VPS as an SSH Tunnel

Hello,

First of all, I am a newbie, I don't know a lot in networking, so excuse me if I'm dumb at this lol.

I needed a VPS to do SSH Tunneling on the network I'm connected to, the app I'm using for that process is called "HTTP Custom".

After some time I figured out how to listen to SSH on port 443, which was needed in the app I'm using ("HTTP Custom") for that.

The feature I need to use is "SNI (Server name indication)", it requires SSL & Stunnel.

I installed a letsencrypt SSL, but can't figure out the Stunnel part. Can someone help me achieve this?

Or, is there another paid service that offers fast SSH accounts that support Stunnel?

Thanks



How does bit de-stuffing actually work?

So I know how bit stuffing works; it's plain and simple: you get a bitstream -> 0101101111110, you stuff a zero where there are six 1's and you get -> 01011011111010.

Now while de-stuffing if you find 1111101 in the received bitstream, you change it back to 111111.

But what if the original bitstream had five 1's followed by a 0 and a 1, for example -> 011111010011111101

While stuffing, only the six clumped-together 1's will be stuffed with a 0 and the bitstream to be sent will be -> 0111110100111110101, but while de-stuffing the output will be -> 01111110011111101, which was not the original output. How is this problem solved by computers?
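An added example, not code from the post, showing an HDLC-style bit stuffer and de-stuffer as a matched pair, with the post's two bit strings as constructed input. The de-stuffing rule used here is not "look for 1111101" but "after five consecutive 1s, discard the 0 that follows", which is what lets the second string survive the round trip; six consecutive 1s are reserved for the frame flag, so the receiver can reject them. The FLAG constant and the frame/unframe helpers are assumptions for illustration.

```python
"""HDLC-style bit stuffing and de-stuffing (constructed example).

Sender rule:   after every run of five consecutive 1s, insert a 0,
               whether or not the next data bit is already 0.
Receiver rule: after every run of five consecutive 1s, the next bit must
               be a stuffed 0; drop it. A sixth 1 can only be a frame
               flag or corruption, so it is reported as an error.
"""

# Assumed frame delimiter (HDLC uses 01111110). It contains six 1s, which
# stuffing guarantees can never appear inside the payload.
FLAG = "01111110"


def stuff(bits: str) -> str:
    """Return the bit string with a 0 inserted after each five 1s."""
    out = []
    ones = 0
    for b in bits:
        if b not in "01":
            raise ValueError(f"not a bit: {b!r}")
        out.append(b)
        if b == "1":
            ones += 1
            if ones == 5:
                out.append("0")  # stuffed zero, even if the next data bit is 0
                ones = 0
        else:
            ones = 0
    return "".join(out)


def destuff(bits: str) -> str:
    """Reverse stuff(); raise ValueError on six 1s or a truncated stream."""
    out = []
    ones = 0
    expect_stuffed_zero = False
    for b in bits:
        if b not in "01":
            raise ValueError(f"not a bit: {b!r}")
        if expect_stuffed_zero:
            expect_stuffed_zero = False
            if b == "0":
                continue  # this 0 was inserted by the sender; drop it
            raise ValueError("six consecutive 1s: flag or corrupted frame")
        out.append(b)
        if b == "1":
            ones += 1
            if ones == 5:
                expect_stuffed_zero = True
                ones = 0
        else:
            ones = 0
    if expect_stuffed_zero:
        raise ValueError("stream ends after five 1s: truncated frame")
    return "".join(out)


def is_valid_stuffed(bits: str) -> bool:
    """True if bits is a well-formed stuffed payload."""
    try:
        destuff(bits)
        return True
    except ValueError:
        return False


def frame(payload: str) -> str:
    """Wrap a stuffed payload in flags (assumed framing, for illustration)."""
    return FLAG + stuff(payload) + FLAG


def unframe(wire: str) -> str:
    """Locate the two flags and de-stuff whatever lies between them."""
    start = wire.index(FLAG) + len(FLAG)
    end = wire.index(FLAG, start)
    return destuff(wire[start:end])


def main() -> None:
    # Constructed inputs: the two bit strings from the post.
    for original in ("0101101111110", "011111010011111101"):
        wire = frame(original)
        print(f"{original} -> stuffed {stuff(original)} -> on wire {wire} "
              f"-> recovered {unframe(wire)}")


if __name__ == "__main__":
    main()
```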



Is there a full list of Bogon Routes?

Hi all, as stated on the title.

I am configuring a new border router and I'd like to configure a BGP filter.

I am looking for a full list (IPv4 and v6) of the Bogon Routes, but googling I am not able to find a ready for use one. Nearest to the scope is this one from IANA for IPv4 and IPv6, but as the title states they are "special" not "bogon".

Which list do you use? Is it available online or is it a DIY one?

Thank you!



Does there exist a high level overview of enterprise networking, without getting into the details?

tl;dr is there a book, website, youtube series, where I can read about what (and why) enterprise networking entails, without the expectation that I would actually need to work on the networks themselves (the how)?

As a program lead for a clinical enterprise application, I'm often required to coordinate incident resolution (or architect new solutions at a high level) between engineers across multiple streams. For example, an integration solution that crosses over 3 data centers isn't working...so we need the people who support the components within each of those DCs, plus the teams who support the networks in between, all on a call to figure out where it's broken.

The lingo network engineers throw out can sometimes sound like an alien language and it's my job to be able to digest this and summarize the situation for clinical executives (who are typically ex nurses and doctors, who know nothing about IT). I know a lot more than the others in similar roles around me, and I have the respect of network admins who are legendary for just ignoring emails from my peers, but always want to learn more.

I've done a cursory search, and every resource I've found is written with the expectation that you're going for your certification, or want to pursue a career in network admin, but that doesn't apply to me.

Appreciate any help! If it's a stupid endeavor, feel free to roast me!



Router recommendations for small DC looking to connect to large IX

Hey,

I am looking for some pointers to figure out what type of router I will need for the following situation:

  • Small data center with a few hundred (soon few thousand) virtual machines (all publicly reachable)
  • A single transit provider (might change in the future)
  • Plans to connect to several IXs (AMSIX, DECIX, some small local ones)
  • Current traffic: ~3 Gbit/s, we expect that to grow steadily but are not sure how fast we will reach 10G
  • Sflow/Netflow or similar functionality
  • Some filtering ability (nothing fancy, as of now just dropping certain ports during attacks)

Historically we were using an Arista device that needs to be replaced (EOL). The quotes we received for the successor device are way out of our budget (and we were hoping to get 2 for redundancy/fallback reasons).

My current thinking is that we must take care that the RIB of the device can hold enough routes that we might receive via the IXs. Is there anything else I should look out for?

Thanks for your input :)



Remotely connecting wireless IP cameras

We have some Amcrest IP cameras that used to be on site connecting to a Ubiquiti Unifi network at one building and recording to an internal server. We're now moving locations and the cameras have to stay, but all network equipment will be moving sites. The cameras are going to be connected to an unsecured wifi network we *No longer control*.

Is there a way for us to set up these cameras in a way that they can still connect to our network even though it's moved offsite (I'm thinking through a dynamic DNS address or something that points to our new network location) and still record to that same server as before even though they're at different sites?

Also, what are my options for securing this feed considering the cameras will be on an unsecured wifi that I don't control?



PoE powered dummy switches

I am looking for a PoE powered switch with 5 or 8 non-PoE gigabit ports. Preferably I would like it to be a dumb switch. Just power it up with PoE. Any help would be awesome.



Python course for network & Cybersecurity professionals

Just wanted to get your feedback on any good Python courses for network & cybersecurity professionals. I want to get better at programming and automation from a network & security perspective. What courses would you suggest?



Confused

Hello Members,

I have been in networking for around 10+ years. Did the normal journey CCNA --> CCNP --> CCIE Routing and Switching, a little bit of Cisco wireless, Cisco ASA/FTD firewall, JNCIA for vendor non-dependence.

But recently I see more skills are required to get relevant jobs. Most jobs I see contain a mixture of ACI, Ansible, Python, SD-WAN, even AWS/Azure/GCP networking as well. I am in a state of confusion as to what to read and which skills to develop. Can people read and retain all this stuff? They surely will be generalists, not specialists.

What suggestions do you have for me?



Remote port forwarded printer is un-reachable after upgrade

We had a printer at work which was very old and producing bad prints so we switched this out for another one. This printer is basically only used from inside a remotely hosted terminal. I changed the IP of the new printer to match that of the old printer and changed the driver (Printer Properties > Advanced > Driver (Windows 10)). I assumed this would work and the port forwarding which had already been setup for the old printer would now work for the new printer, but that does not seem to be the case.

Relevant points:

  • 80% of the printers we use are the same make and model as the new one with the same port-forwarding setup and the same drivers
  • When printing to this printer from the remote terminal the documents just sit in the queue and Windows reckons the printer is in 'Error'
  • I have double checked that the port forwarding is setup correctly (Port 9100 locally, to port 9107 on our remote server)
  • I have tried printing to this printer from a PC on our local network and this works fine
  • Telnet can reach the printer locally on port 9100
  • Telnet cannot reach the IP of the remote server on port 9107
  • Telnet can reach the IP of the remote server on ports used for other printers we have of the same make and model
  • I have tried turning the printer off and on again

I have talked to an IT company we use and they went through the same basic troubleshooting and checked the port-forwarding for me. They were also stumped and asked if they can reboot our router (the local one doing the port forwarding, I guess). I declined this request as it was a bad time. (Any time during working hours is a bad time, really.)

Has anyone else had this issue? Is there anything else I can try?



An updated source of troubleshooting LABS?

Hello everyone! I have a senior exam next week and the topics are mostly from CCNP. I have spent some time creating my own topologies on GNS3 and making sure that they are working. I am now looking for a source where I can find troubleshooting labs/scenarios, but the only ones I found so far are from gns3vault, which is somehow ancient. Is it still a good way to try out? Or are there new ones?



Network Presence Help

Hi all, sorry if this is covered elsewhere but in my searching I’m not even exactly sure what to search for.

The situation is that I need to configure an access point for a mobile office to always appear that I am in my physical office. That is, traffic must appear to originate from my physical office IP. The catch is that the solution must also be hardware based (with Ethernet or wifi connection) since some of the devices cannot have software installed on them.

I’m happy to spend time researching, but just need a nudge in the right direction of what to pursue.

Thanks in advance.



Internet only half working?

Sorry if this is the wrong place to ask this, lemme know if it is!

So I came home last night and my (Lenovo laptop) computer wouldn’t load any website at all. I checked and the wifi connection said “connected, no internet.” My phone also wouldn’t work on wifi. I recently moved so I thought maybe in the chaos I missed a payment somewhere and decided to call in the morning.

Morning comes, (and idk if it’s the same everywhere, I have both a company I get the modem from (idk what you’d call them?) and they came to install all of that and also a separate ISP) I called the modem people to ask if there’s anything I can do and they say on their end everything looks good. They hook me up with their tech person and he confirms that all my lights on the modem are on, wires secure, I’ve tried turning things off and on etc etc. only the “internet” light on my router is not working. He says to go any further he needs my info (passwords or something) from my ISP, so I call them and they say that they can only send that to me by mail so I won’t get that info or be able to continue with the tech guy until then. I also asked the ISP people if anything looks weird on their end and they say no, everything should be good.

I get frustrated and unplug everything/plug it in again. The internet light on the router STILL doesn’t work, but I restart the computer and now the wifi works, but only with SOME websites. So as of now, I can load YouTube and watch videos as normal but many many sites won’t load and the internet light on the router is STILL off and I can’t continue with the tech man until I get my ISP info in the mail.

Does anyone know what’s happening? What can I do? I’ve tried everything I can think of: forgetting and reconnecting to the wifi, turning my phone, computer, router and modem on and off multiple times, etc etc.

(For context I live in Japan, use NTT Docomo and a Buffalo router purchased here (although I think they’re in America as well.))



Friday, April 9, 2021

I don’t know what my actual job title is?

I know this sounds silly but I’m not sure what my actual job title was at my last job. We always just referred to each other as “techs” but that’s such a broad word! Every time someone asks what I do for a living I just tell them I install cameras since that was the bulk of my work, but in reality I had to do a lot more.

We installed a wide range of systems like access control or security systems, sound systems and anything av related, phone systems, and pretty much anything else related to IT/networking in any way. We did everything from start to finish, existing or new construction. That includes anything from foundation work like trenching and running pipe underground, to finish-work like building network racks, installing cameras, wireless access points, speakers, and mounting TVs, etc. Not to mention configuring every device to work properly on the same network, sniffing out ip conflicts, making sure all the software is set up and ready to use, etc.

Despite the wide range of responsibilities, it was a super relaxed job. If I wasn’t on a big project I mostly sat around at the office doing nothing while waiting on either a repair ticket or a smaller new install ticket.

How do I simplify all this into a simple job title? I always see other company trucks out there that advertise the same stuff so I know this isn’t a unique job despite the wide range of work we do. Is it just as simple as calling myself a technician? I know this sounds kinda dumb but any insight is appreciated!



Adding an old computer and printer to a small business local network

I have a small business with a number of large format printers and computer stations. I also have a Kyocera Mita KM-4850w (network printer) that requires print drivers that are only compatible with Windows XP (SP1) version 2002. It currently brings down the entire network when I connect it all up. Any ideas how I can make this work?



SSH from Procurve to Cisco

Hi,

I am using a Procurve Switch as an Out of band management switch and in the event our jump box on the out of band management LAN fails, I would like to be able to SSH into our Cisco switches from the CLI of the Procurve as a last resort.

This is currently working fine for all the access switches (2960X's) but doesn't work for the core switches (3750X's).

I get this:

OOB-PROCURVE# ssh user@x.x.x.x
The SSH connection failed: Unexpected error.
OOB-PROCURVE#

Any ideas why this is working for the 2960's and not the 3750's?

I have a feeling it's to do with ciphers but am not sure.



Best FOSS Tools For Scripted Auto-Analysis of PCAPs?

  • Tool loads a pcap, prints out all IPs and the nations those IPs belong to
  • Extraction of HTTP requests in HTTP format
  • Cryptographic protocols types / summaries

Does such a tool exist? Is that something I'll need to script/code out myself? It's not about capturing the pcaps so much as analyzing the pcaps in some type of automated fashion to get reports.

Pcaps won't be large.



Extending Office Network to Small Warehouse Inquiry

My seed business has grown such that I need to install wifi in my metal warehouse. The router is installed in the main office and I need to expand my network to a few APs in the warehouse and 4 security cameras near the outside door access. The warehouse does not have tall shelving, primarily stacks of seed bags on pallets, has 40 ft ceilings, and 3 forklifts running around loading/unloading trucks at the dock. Unfortunately, it's nearly 200 meters from the office router to the furthermost point in the warehouse where a security camera needs to be installed, so it will require an 8-port ethernet PoE switch to be installed at a midpoint in the warehouse.

I need to connect to wifi while in the warehouse and it doesn't matter if I need to walk a short distance to get a good wifi signal. No wifi connection required on the forklifts. The biggest concern is the temperature ranges from -15 F in winter to +120 F in summer, so I need to get hardened equipment.

Looking for reasonable cost suggestions on hardened APs and an unmanaged hardened ethernet PoE switch that work well together. Will be using shielded CAT6 for the install. Also not against replacing my router to take advantage of newer technology, i.e. wifi 6.

Many thanks in advance.



NMNI help

Hopefully, someone can help me.

I want to monitor if a switch falls out of a stack through NMNI and get alerts. Is there a way to do this?

For example, I had a switch fall out of a stack and they both tried to resume as being the master, and somehow it caused a broadcast storm. It would have been easier to troubleshoot if NMNI had just reported that they had fallen out of the stack, so if anyone knows the solution to my problem that would be great.



Unattended Switch Image Upgrades

Our organization has grown larger since our current process was established, and like many during Covid, most of our staff has been required to work remotely whenever possible. An issue that has come up that I would like advice on is upgrading switch and router images in an automated/unattended way.

Our current policy is that you can stage an upgrade to install during a change window, but you will need to physically be present prior to business hours to verify its functionality. We also have a limited change window of a single day per week. My thoughts are with our small team, if we did one or two locations per change window, any image upgrade process will take almost a year.

We currently use all Cisco switches/routers, and have just started to experiment with DNAC (which was given for free).

How are you all handling upgrading images and verifying success? A bonus question: How often do you update your switch images?



SD-WAN (Viptela) DIA - Advertise 0.0.0.0/0 to Core

Hi Guys,

Getting to grips with SD-WAN and DIA. It seems from the design guide there are two use cases to implement DIA:

  1. Via centralised data policy distributed out by vsmart
  2. Via creating a 0.0.0.0/0 route to VPN0 at the service side VPN template

I would like to use the centralised data policy method of DIA as this seems to offer more granularity thanks to the use of lists/match statements etc. (allows me to match specific prefixes to allow DIA).

However, my issue is this: I am peering the cEdge to my core switch with an eBGP handoff, and there is no default route in the cEdge to advertise into the core switch, see below:

UC03-cEdge1#show ip route vrf 10
Routing Table: 10
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 9 subnets, 4 masks
B        10.250.9.0/30 [20/0] via 10.250.9.6, 00:23:13
C        10.250.9.4/30 is directly connected, GigabitEthernet4.10
L        10.250.9.5/32 is directly connected, GigabitEthernet4.10
B        10.250.10.0/24 [20/0] via 10.250.9.6, 00:23:13
m        10.250.100.0/24 [251/0] via 2.2.2.1, 00:23:37, Sdwan-system-intf
m        10.250.101.0/29 [251/0] via 2.2.2.1, 00:23:37, Sdwan-system-intf
m        10.250.250.0/24 [251/0] via 2.2.2.1, 00:23:37, Sdwan-system-intf
m        10.251.10.0/24 [251/0] via 4.4.4.2, 00:23:29, Sdwan-system-intf
                        [251/0] via 4.4.4.1, 00:23:29, Sdwan-system-intf
m        10.251.20.0/29 [251/0] via 4.4.4.2, 00:23:29, Sdwan-system-intf
                        [251/0] via 4.4.4.1, 00:23:29, Sdwan-system-intf

The DIA data policy is getting pushed from vSmart as expected:

UC03-cEdge1#show sdwan policy from-vsmart
from-vsmart data-policy _corp_and_guest_DIA-BRANCH
 direction from-service
 vpn-list corp_and_guest
  sequence 1
   match
    destination-data-prefix-list RFC-1918
   action accept
  sequence 11
   match
    source-data-prefix-list All-Traffic
   action accept
    nat use-vpn 0
    no nat fallback
  default-action accept
from-vsmart lists vpn-list corp_and_guest
 vpn 10
 vpn 29
from-vsmart lists data-prefix-list All-Traffic
 ip-prefix 0.0.0.0/0
from-vsmart lists data-prefix-list RFC-1918
 ip-prefix 10.0.0.0/8
 ip-prefix 172.16.0.0/12
 ip-prefix 192.168.0.0/16

I can reach the internet directly from the cEdge's service side interface; however, because this method of DIA policy does not create a default route in the routing table, I can't advertise anything into my core switch to give the rest of the network DIA. I really don't want to create a static route on the core.

Without switching to the DIA NAT route method at the template level, I am struggling to think how I could announce a default route to my core switch.

Any ideas, please?



Admins & Engineers of University and College Campuses - How do you deal with renovations and increasing port capacity?

Can you offer some insight into how you manage office and classroom renovations that end up with new port requirements, especially when your switch stacks are full?

Do you require the project to pay for new switches?

How involved are you with reviewing the prints/plans?

Do you have standards/procedures created to deal with these situations?



Homer - sipcapture.org

Hi,

Does anyone know of a subreddit that deals with Homer specifically? Or a mailing list?

Thank you.



Machine VPN tunnel and user VPN tunnel from different VPN providers?

If the company wants to use a specific VPN product to access secure internal data and that product doesn’t support pre-login access, is it possible to simultaneously use another VPN product at the same time?

For instance, can we have a machine tunnel running at all times using split tunnel Microsoft AOVPN or Cisco Management VPN Tunnel to keep the machine connected to the Active Directory domain for systems management purposes and so the users can change and reset their domain user passwords at the login screen, but also have the ability to launch an unrelated full tunnel VPN product from within Windows when they need to access the secure internal data?



Setting up multiple Wifi networks

So... I'm starting as an intern at a small company and my boss wants to have 2 different Wifi networks, one for each office, w/ different names but same passwords. Right now, they have one router and the Wifi is spread through multiple UniFi access points.

Does it mean that we need to install more routers, or is it a matter of configuration? Any ideas or resources? Thank you!



2 IP blocks from ISP, why not 1?

I've applied for a gigabit fibre internet connection from my ISP. They've finished installing it and have provided the IP details, I have a /30 which is to be used for my router and then they've provided a /29 for me to route myself (i.e. in a different range and not part of their gateway).

I'm trying to split this block between 2 routers/firewalls. Previously on other sites I've put a switch on the end of the ISP device and plugged my routers in and assigned one of the /29 on one device and one of the /29 on the other device. However I can't do that here as it's the /30 which has the "next hop" address for the ISP router.

Is my only option to put my own router on the /30 and then split the /29 into 2 /30s for the next hop for my own routers? This feels really wasteful.

I've asked the ISP if they can provide a /29 instead of a /30 + /29 but they're adamant that this is "how we do it now".



Port aggregation for top of rack and leaf switches

Building out a new network, I've never done multiple aggregation switches before. So I have two ports going from my top of rack switches to two different aggregation switches. Spanning tree cuts off the second port. Is there a way to get these things to aggregate their bandwidth? It's not like you can bond the ports like you would normally.



An app that takes an ACL, then takes a socket info and tells me on what line it matches.

Tell me this exists. In script or downloadable app preferably so I'm not pasting long ACLs with complex wildcards detailing the company's topology on someone's server.



802.1x / WiFi: Combination of WPA2-EAP and MAC authentication on same SSID?

TL;DR: I have received the order to investigate how to get roughly 300 IoT devices connected to our network, but they have rather limited WiFi support and I'm trying to wrap my head around possibilities for how to get them integrated. The vendor often mentioned MAC address whitelisting...

Most of their current customers seem to give them a separate WPA-PSK SSID, I'm not that keen on adding PSK to the mix and no SSID currently has PSK enabled. Also can't simply add another SSID since I'm already at the limit of 4 announced SSIDs our APs can support. The IoT vendor doesn't have any existing customers with WPA-EAP, they would be interested in EAP support but are lacking experience in that area.

I'm trying to understand if we could even remotely think about adding support for these devices onto our main WPA2-EAP SSID for plain MAC authentication bypass. It does sound counterintuitive to me though. I've never encountered this combination and so far, it looks weird to do both (either devices get whitelisted based on their MAC or they do PEAP-MSCHAPv2 / EAP-TLS), so I'm uncertain if that is even a remote possibility. Technically FreeRADIUS on its end can do both at the same time, that's not that uncommon on wired networks - but on wireless?

Though their micro controllers used (an Arduino core) should have had support for EAP-TLS for some years already based on some research... but they failed to import our client certificates we've given them so far and I'm trying to look for alternatives.



Link Aggregation (How to Set Up)

Hello,

I am new to networking and would like some guidance about how to set up.

My NAS offers four ethernet ports that can be used for Link Aggregation. I also understand that these need to be connected individually to a switch. At the moment, my NAS connects to my router. My computer also connects to my router.

What would be the set up with a switch in place? My understanding would be four connections for the NAS, another for my computer and one more that would connect back to the router.

Would this be correct?

Kind Regards



Lifetimes don't have to match on IPSEC tunnel

I have been a network tech/admin/engineer for 12 years, and today a guy tells me lifetimes on an IPSEC tunnel do not have to match. He said that the tunnel will auto negotiate the lowest lifetime configured. I have never heard this before and tried to google it but cannot find anything. Is this true? Is my whole life a lie?



Extreme noob question

Scenario: 100Mbps connection over wifi. If I have a bad signal to the point my device only gets 20Mbps running a speed test, is the router sending out all 100Mbps or only 20Mbps?



3D Network Diagram Symbols



Is there any tool which has one command set that you can use to configure switches / routers from different vendors over ssh?

Working with models from many vendors whose commands are quite different. Wondering if there is a common config tool?



Netbox assign IP addresses to VMs

Hi there,

I'm adding a bunch of VMs to our Netbox inventory. However I can't seem to get an IP address attached to a VM.

From what I've read in the docu I need to create interfaces, assign them to the VM and then assign an IP to that interface. I did that but when I list the VMs nothing shows in the 'IP address' column.

I think the IP address listed there is what is referred to as the 'Management IP' in the VM's properties. Is there a way to bulk input those?



Problems connecting VIC1457 to 91380YC-FX via SFP28 DAC

Anyone have any experience with this? Yes, we are using a 3rd party DAC. We tried a pair of SFP28 LR modules (both legit Cisco and 3rd party), and these came up after fiddling with the FEC settings, changing it to CL91. Cisco TAC recommended we either change to FEC Disable or CL74 to try get the DAC working. Still no link.

To note, I am running ACI vers. 4.2.3l



Thursday, April 8, 2021

TIFU with Cisco Firepower(1150)

TIFU by trying to install Cisco Firepower(1150), did not really know it was this bad. Checking this sub revealed all the hates 😭 but did not know earlier. How serious IFU?

Before had ASA5516 with Firepower, bought Cisco FP 1150 so we can use our 2Gbps internet. Could not even get the EIGRP working, documentation did not help either.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Nexus 9000-EX/FX QoS with EVPN

I need to implement ECN on a few links on my EVPN datacenter fabric that's running on Nexus 9300-EX and -FX switches.

Based on the available documentation, I need to enable WRED in order to utilize ECN, but the vast, vast majority of flows in my datacenter are non-ECN...so I don't really want to impact non-ECN traffic.

It appears that I should just have to implement the following across my ingress VTEPs, my spines, and my egress VTEPs and it should "just work(tm)".

    policy-map type queuing qosQUEUING
      class type queuing c-out-q-default
        random-detect minimum-threshold 1 mbytes maximum-threshold 10 mbytes drop-probability 0 weight 0 ecn
        bandwidth remaining percent 100
      class type queuing c-out-q3
        priority level 1
      class type queuing c-out-q2
        bandwidth remaining percent 0
      class type queuing c-out-q1
        bandwidth remaining percent 0
    !
    system qos
      service-policy type queuing output qosQUEUING
    !

According to my research, this should enable WRED (and thus ECN) on all interfaces, but because the drop probability is 0, non-ECN flows should just get tail-dropped. The thresholds shouldn't matter and weight is irrelevant because nothing should be dropped as part of WRED.

As for my spines, DSCP should be rewritten by default on the ingress VTEP and the ECN bit should be copied to the outer IP header, so this same policy should work as expected. The egress VTEP shouldn't need anything special either because all traffic is just in the default class and qos-group (0).

All of my spine/leaf links are 40- and 100-Gbps, so I don't believe I'll really ever need it...but I don't want the storage vendor to point fingers at me at this point.

Anyone done this before? Does this plan sound reasonable?

Thanks!



Could use some networking advice

Extreme Troubleshooting Issue

Preface: there are 3 “hosts” in the picture.

  • Ubuntu 18.04 (me)
  • Cisco Meraki (middle man)
  • Business office (pubIP, Verizon Fios)

I have a Linux host running Ubuntu 18.04. There is unexpected incoming traffic from the business office that is routed through a Cisco Meraki (source MAC address retrieved via tcpdump -e resolves to the Meraki) contacting my server on port 89 (arbitrary). Looking for ways to pinpoint the unexpected traffic with a MAC address from the business office. FYI we need this port open for functionality, but we can't have unidentified traffic spamming the port.

Have already:

  • looked at business office outbound router logs (gives no info about destination or port)
  • looked at the Meraki logs to see inbound requests
  • tried solarwinds/wireshark/prtg from the business office, but unable to see any outbound connections to the Meraki
  • viewed established connections regularly via netstat on the Ubuntu host, but really leads nowhere. We need to pinpoint the traffic to a MAC address at the business office.

My next two options seem to be:

  • Take a second look at the Meraki with Wireshark to get more info on incoming connections that are being sent to my Ubuntu host.
  • Contact Verizon Fios and see if the address is being spoofed or if there is an issue with the IP they can look into.

Any other ideas are very welcome. If you are reading this, I hope you have an amazing day. Live life to the fullest.



ACI GOLF inter-op with other vendors

Hi All,

Had anyone ever tried ACI GOLF (EVPN L3out) with a non-Cisco vendor? Could this actually be used for a migration strategy out of ACI?

Thanks!



Juniper Set Outbound MED Based on Inbound Community

Is it possible in Juniper MX router to set an outbound MED (Metric) to a neighbor if you receive an in-bound community from that neighbor?

For example, if the neighbor sends in a community string "111:111" I want to set the MED for all routes to that neighbor to say 2000.



Finger-pointing between me and Comcast... looking for a network monitoring module/MiniPC/Box to plug into a customer's site that will collect network health data over time

Situation: Lots of ISP finger-pointing between me (MSP) and Comcast regarding a customer's internet connection. They are on coax (I know, I know, upgrading to fiber scheduled in about 90 days) at 150/20. There are no other ISP options in the area except AT&T DSL at 3/1. No thanks.

About every 12 hours or so, but not exactly every 12 hours, the site internet connection will drop. Monitoring data from the firewalls show that the Comcast modem/all-in-one thing stops responding to pings on its gateway address. Firewall has public IP on its WAN interface so no double-NAT going on.

The Comcast modem's US/DS and ONLINE lights would go out and begin flashing in the past, indicating an upstream problem. Power cycling the modem would fix the problem for another day or so. Now, it's doing something different wherein the US/DS lights stay lit suggesting that it's maintaining upstream connection but it won't pass any data. Nor can the firewall ping it on its gateway IP address.

There are a couple switches between the firewall and the Comcast gateway due to stupid demarc decisions that are beyond my control. The switches connect the firewall to the gateway (on a dedicated VLAN) by a combination of 10GBASE-LR SMF and 10GBASE-SR. Other traffic across those same links on other VLANs is working fine with no reported or observed issues.

We insisted on a modem replacement which Comcast took a month (yes a literal month) to arrange. They finally did so yesterday and, after they did so, we had smooth sailing for nearly 24 glorious hours. Then this morning, the connection died again. Rebooting the gateway did not fix the issue this time. We had to reboot it, wait for it to come all the way up, and THEN unplug the CAT6 cable from the switch and plug it into a different port. Only then did the gateway begin passing traffic. We've done this with 3 different ports on 2 different switches so I really doubt the switches are at fault.

At this point my customer is beyond frustrated. Comcast is insisting that their new modem is fine and there's no problem, even though the firewall reports wild swings in response time and packet loss pinging the gateway at random times during the day and then hard-down outages about once a day or so.

What I'd like for this problem, and others, is a device that I can plug in at certain points of a customer's site to be remotely accessible and to pull diagnostic data from. I'm thinking a NUC or something like that that can run network monitoring software (Like EMCO Ping Monitor maybe) and possibly has cellular capability so I can see what's happening during an outage. Does anybody have ideas for a device and what software you'd load on it for this kind of thing?



Working from home - how does management gauge your productivity?

I have a huge opportunity here to steer management in the right direction for everyone on my team so I appreciate your input.

The company I work for is beginning to bring my team back into the office while also allowing some who wish (and are able to perform their duties) to continue working remotely. Currently, we send our manager a daily productivity report that lists out what we've done throughout the day and that's about it. Now that permanent remote work is becoming a reality for our company, my manager is telling us he needs better visibility into our productivity. When I asked him how productivity is better measured when I am in a cubicle, he couldn't give an answer (all but admitting that management has always gauged productivity by seeing butts in seats). Now that corporate is ratifying a remote work policy, managers/VPs are required to submit an outline of what that will look like for their department(s) - forcing them to concede that their current metrics are unsubstantial.

So now to my question:
How is your remote-work productivity measured, and is it accurate without being obtrusive?



RV park Wifi

I currently manage 7 hotels and an RV park. We are looking to replace the old meraki APs that are around the RV park but I've never done an RV park Wifi setup. The hotels are all Unifi gear (before my time) so I was looking to maybe do something similar to the RV park but figured I would do my due diligence and look for other options. I have two buildings in the park, one in the top left corner and one in more or less the middle. I have hardline to those two buildings but not to anywhere else around the site. I understand that it would be best to hardline everything but that just isn't something I can do at the moment. I have power available everywhere on site.

My plan was to use maybe 4 Unifi mesh pros hardlined with two on both buildings on opposite sides. Then place maybe 4-6 mesh (non pro) around the park to work as a mesh system.

The park is around 100 spots fairly tightly packed. I have 600/35 coming in.

Any other tips or companies I should look into for my APs?



Patch cable testing lab

Hi all:

Sorry if this is the wrong subreddit for this, but it's a bit of a niche question! I am also unsophisticated in this area, so I apologize as well if I use incorrect nomenclature.

I need to have a number (100 or so) of "ethernet"/patch cables tested to confirm their compliance with their stated Cat6 specifications. Rather than on-site, I'd prefer to be to send them off to a lab somewhere that can do this testing at their site and provide a report on which cables pass/fail to meet Cat6.

I've found individuals who can do this sort of testing "informally", but I'm really hoping there's something more formal out there. Any recommendations?

Thank you in advance.



Cisco SDWAN IRB/Bridge features

So these features exist, but I've never had cause to use them.

Context on the actual feature: You can create "bridges" on the vEdge to connect two interfaces at L2 and use "Integrated Routing / Bridging" interfaces (effectively just SVIs) to route traffic to/from them. Use case for us is to talk to an HA pair of firewalls without putting any dedicated switch(es) in between.

This all works "fine" so far but I've learned to be extremely cautious around features in these products that might be considered "niche" or seldom used. Several times I've been burned by taking the documentation in good faith only to find out later from TAC "ooooh, yeah no one really uses that feature... it's probably buggy and you should avoid it" or "oooh, but if you interpret this single sentence buried in a paragraph 40% down this single article that's the 8th search result on google and even the Sr guys at Cisco took a week and 2 conference calls to find, you can see we don't actually support this".

I've asked Cisco but of course all I get from them is "looks good in the release notes hyuck hyuck".

So does anyone have any experience with this stuff? On the scale from "idk, it just works and I never need to think about it" to "we had to disable this feature to stop it from randomly blackholing traffic" where does it sit? Like I said, as far as I can tell it's working fine, just looking for any contrary experience you folks have had.



Help with IPtables.

Hopefully someone can point me in the right direction. I am trying to host GNS3 or Eve-NG in the cloud and have access to the deployed devices through the public IPs without going through any VPN service. From what I understand I should be able to use IPtables to DNAT from the public to the private IP address.

My Public IP: 145.40.77.169
Private IP of the device (Mikrotik): 192.168.122.215/24

Here are the IPtables commands I have done so far:

    iptables -A INPUT -i bond0 -j ACCEPT
    iptables -A OUTPUT -o bond0 -j ACCEPT
    iptables -A INPUT -i virbr0 -j ACCEPT
    iptables -A OUTPUT -o virbr0 -j ACCEPT

    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 8291 -j DNAT --to-destination 192.168.122.215:8291

I have also attached a few screen shots of my topology and iptables -L command after putting my iptable rules.

I am hoping someone can just point me in the right directions.

https://imgur.com/a/jGVTxSX



Twice Identity NAT

Hello everyone.

We are implementing a security solution for our client, who at the moment has no networking staff; their guy retired just two days from the start of our project.

The problem for me is some NAT rules on the client's Cisco ASA:

    object network HQ
     subnet 192.168.0.0 255.255.0.0
    object network BD_VC
     subnet 192.168.125.0 255.255.255.0
    object network BD_SIP
     subnet 172.16.49.0 255.255.255.0
    object-group network DM_INLINE
     network-object object BD_SIP
     network-object object BD_VC
    nat (inside,outside) source static GO GO destination static DM_INLINE DM_INLINE no-proxy-arp route-lookup

And this is just one of the 80 identical NAT configurations for different branches on the HQ Cisco ASA. I just can't comprehend the purpose of what is going on here. Can someone explain the meaning or use-case of these identical real-to-mapped translations?



Powershell module for GestióIP

I posted this in r/PowerShell yesterday and thought that maybe someone here might find it useful:
PSGestioIP

Direct link to the git repo: https://github.com/th3d00rw4y/PSGestioIP



Strange routing problem within linux router on AWS VPC

I'm having a strange routing problem within a AWS VPC that I just can't get my head around.

VPC: 10.16.20.128/25
Subnet: 10.16.20.128/25
Routing table: 0.0.0.0 to Internet gateway, 10.16.20.128/25 local
Network ACL: standard (rule 100 allow all, rule * deny all)

I have 2 Linux/Debian instances. The first one, 10.16.20.132, also has a VPN connection to an external VPN server for the subnet 10.16.0.0/16 (so a superset of the local network). It also has net.ipv4.ip_forward=1 enabled in /etc/sysctl, which is required for routing.

Both instances can connect to the internet and are able to ping each other. The first instance is able to ping hosts at the other side of the VPN and it's confirmed that the VPN server has a route back to the subnet. In both cases, tcpdump shows all the packets as I would expect them.

When I add a route to the 10.16.0.0/32 subnet on the second host and route it via the first host, I can't ping hosts at the other side of the VPN. The part where I can't get my head around is that I can't even see the packages arrive at the first host using tcpdump. I can see the packets leave host 2, but they never arrive at host 1.

Host 1 config

    # sysctl -p
    net.ipv4.ip_forward = 1
    # ip add
    ...
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 02:33:71:2f:34:66 brd ff:ff:ff:ff:ff:ff
        inet 10.16.20.132/25 brd 10.16.20.255 scope global dynamic eth0
           valid_lft 2466sec preferred_lft 2466sec
        inet6 fe80::33:71ff:fe2f:3466/64 scope link
           valid_lft forever preferred_lft forever
    3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
        link/ipip 0.0.0.0 brd 0.0.0.0
    4: vti1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8981 qdisc noqueue state UNKNOWN group default qlen 1000
        link/ipip 10.16.20.132 peer <ip.of.vpn.server>
        inet6 fe80::5efe:a10:1484/64 scope link
           valid_lft forever preferred_lft forever
    # ip route
    default via 10.16.20.129 dev eth0
    10.16.0.0/16 dev vti1 scope link
    10.16.20.128/25 dev eth0 proto kernel scope link src 10.16.20.132
    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    # ping 10.16.20.177     <-- other instance, works
    PING 10.16.20.177 (10.16.20.177) 56(84) bytes of data.
    64 bytes from 10.16.20.177: icmp_seq=1 ttl=64 time=0.362 ms
    # ping 10.16.0.2     <-- host at other side of the VPN connection, works
    PING 10.16.0.2 (10.16.0.2) 56(84) bytes of data.
    64 bytes from 10.16.0.2: icmp_seq=1 ttl=62 time=12.0 ms

Host 2 config

    # ip add
    ...
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 02:77:24:63:66:c2 brd ff:ff:ff:ff:ff:ff
        inet 10.16.20.177/25 brd 10.16.20.255 scope global dynamic eth0
           valid_lft 2100sec preferred_lft 2100sec
        inet6 fe80::77:24ff:fe63:66c2/64 scope link
           valid_lft forever preferred_lft forever
    # ip route
    default via 10.16.20.129 dev eth0
    10.16.20.128/25 dev eth0 proto kernel scope link src 10.16.20.177
    10.16.0.0/16 via 10.16.20.132 dev eth0
    # ping 10.16.20.132     <-- instance 1, works
    PING 10.16.20.132 (10.16.20.132) 56(84) bytes of data.
    64 bytes from 10.16.20.132: icmp_seq=1 ttl=64 time=0.373 ms
    # ping 10.16.0.2     <-- host at other side of the VPN connection, DOESN'T WORK
    PING 10.16.0.2 (10.16.0.2) 56(84) bytes of data.
    ^C
    --- 10.16.0.2 ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 58ms

tcpdump on host 1 when host 2 is pinging

    # tcpdump -nn -a -i any not port 22
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    # when pinging host 1 from host 2
    07:44:42.518133 IP 10.16.20.177 > 10.16.20.132: ICMP echo request, id 9234, seq 1, length 64
    07:44:42.518161 IP 10.16.20.132 > 10.16.20.177: ICMP echo reply, id 9234, seq 1, length 64
    # when pinging host at other side of the VPN connection from host 2
    <big empty void here>

tcpdump on host 2 when host 2 is pinging

    # tcpdump -e -i eth0 -nn not port 22
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    # when pinging host 1 from host 2
    07:50:04.858467 02:77:24:63:66:c2 > 02:33:71:2f:34:66, ethertype IPv4 (0x0800), length 98: 10.16.20.177 > 10.16.20.132: ICMP echo request, id 9239, seq 1, length 64
    07:50:04.858859 02:33:71:2f:34:66 > 02:77:24:63:66:c2, ethertype IPv4 (0x0800), length 98: 10.16.20.132 > 10.16.20.177: ICMP echo reply, id 9239, seq 1, length 64
    # when pinging host at other side of the VPN connection from host 2
    07:53:00.123557 02:77:24:63:66:c2 > 02:33:71:2f:34:66, ethertype IPv4 (0x0800), length 98: 10.16.20.177 > 10.16.0.2: ICMP echo request, id 9241, seq 5, length 64
    07:53:01.147564 02:77:24:63:66:c2 > 02:33:71:2f:34:66, ethertype IPv4 (0x0800), length 98: 10.16.20.177 > 10.16.0.2: ICMP echo request, id 9241, seq 6, length 64
    07:53:01.275527 02:77:24:63:66:c2 > 02:33:71:2f:34:66, ethertype ARP (0x0806), length 42: Request who-has 10.16.20.132 tell 10.16.20.177, length 28
    07:53:01.275641 02:33:71:2f:34:66 > 02:77:24:63:66:c2, ethertype ARP (0x0806), length 56: Reply 10.16.20.132 is-at 02:33:71:2f:34:66, length 42
    07:53:02.171582 02:77:24:63:66:c2 > 02:33:71:2f:34:66, ethertype IPv4 (0x0800), length 98: 10.16.20.177 > 10.16.0.2: ICMP echo request, id 9241, seq 7, length 64
    07:53:03.195571 02:77:24:63:66:c2 > 02:33:71:2f:34:66, ethertype IPv4 (0x0800), length 98: 10.16.20.177 > 10.16.0.2: ICMP echo request, id 9241, seq 8, length 64

tcpdump on host 1 when host at other side of vpn is pinging host 2

    tcpdump -e -i -n -i any not port 22
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    08:11:56.672255  In ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 62, id 61024, offset 0, flags [DF], proto ICMP (1), length 84)
        10.16.0.11 > 10.16.20.177: ICMP echo request, id 4413, seq 0, length 64
    08:11:56.672344 Out 02:33:71:2f:34:66 ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 61, id 61024, offset 0, flags [DF], proto ICMP (1), length 84)
        10.16.0.11 > 10.16.20.177: ICMP echo request, id 4413, seq 0, length 64

tcpdump on host 1 when host at other side of vpn is pinging host 2

    tcpdump -e -i eth0 -nn not port 22
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    <big empty void here>

So it seems that specifically traffic that actually passed the AWS subnet / network stack but has a source or target IP outside of the subnet seems to disappear somewhere between the two hosts in the subnet. The fact that I don't see the packets arrive at the other host (in either direction) makes me think that this might be AWS related, but I can't really rule that out. Does anyone have any idea what I can still look at?



looking for who have gateway or need bulk sms

Hi dear,

This is Gavin Xiang from China Skyline company. My company has large SMS/voice traffic in Australia (61), New Zealand (64), Canada (1), Thailand (66), Vietnam (84), Indonesia (62), Malaysia (60), Nigeria (234), Afghanistan (93), India (91), Germany (49).

So I am looking for someone who has a gateway or needs bulk SMS.

If possible, I would like to cooperate with you.

Whatsapp: +86 13534195262

skype: live:f07f61bce2b629f4



Wednesday, April 7, 2021

Your Network Documentation Template Arsenal

I find myself creating many 'change control' documents for my network changes. Another type of document I create often is a 'procedural' document, usually to give a step by step on how to complete a task. Today I had to outline my design for a /14 CCTV camera network that I had to subnet into 5x/24 networks. My design also includes the implementation of DHCP and DNS. I was a bit stumped on what to call it, so I called it a 'scope of work', which didn't sit quite right because it also could have been classed as a 'proposal' or a 'design'. What are some of the document types you find yourself creating as a network engineer?



FortiAP? Aruba? Cisco?

Looking at future-proofing a network by using Wi-Fi 6 APs - Currently have a few Fortinet devices in production (after using a plasma torch on all of our Ubiquiti equipment, literally) with some 'meh' Wi-Fi APs in a terrible mesh setup.

Could anyone recommend an 802.11ax AP device (with or without a central controller)?

Looking for 1024-QAM for the 5 GHz stuff.



Simulate a network outage

Hey r/networking

I have a switch running Linux with multiple devices connected to it.

I'm attempting to simulate a network outage on one of the ports. Say the port is swp1.

I've tried with both tc and iptables

tc qdisc add dev swp1 root netem loss 100%

and

iptables -A INPUT -i swp1 -p all -j DROP

However, packets coming from and going to the device aren't dropped.



Quickest way to map out an unfamiliar network?

I’ve been asked to help out one of our local government agencies that unexpectedly lost their sole network/server admin. Documentation is extremely limited so I would appreciate some tips that can help me to get as familiar with the network as possible.



SDN Controller (Ryu) question

I am working on simple sdn using Ryu. I understand the controller must have a link to each switch, to discover topology and update flows, but is there a way for the sdn to still function if the controller is connected to only one switch? Can the flows in each switch be updated?



MPLS questions

Hello everyone

Trying to grasp some MPLS concepts a little better. So you have a label in the packet header and that essentially tells it which VRF to use or what path it's taking, right? Or is the VRF not related to the labels?

I know there's a label you add to the packet header so the router can just forward the packet based on the label (I guess this makes it so it doesn't have to query a routing table and do a bunch of math making it act more like a switch hence the layer 2.5 right)?

Thanks ahead of time. Sorry for the grammar I just finished a 3 hour long math final exam and I worked all day.



Is VLAN isolation by an ISP secure from other customers?

We're currently using Comcast to connect 2 branch offices via a VPN tunnel. One side is a small office with just a couple devices (where this new service is being proposed), and the other side is our main office (has its own Internet separate from this). A new local ISP opened up partnering with a broadband coop in our downtown area. They are offering fiber at the same speed (with much faster upload speed) for half the price as Comcast. We're interested. However we're also government and have some security concerns due to the nature of the data and locations being connected via this tunnel.

The service is a /24 and they will be using VLAN isolation to secure our service from other customers. How secure is this? There will be potentially 235 other devices on the network separated by just VLAN rules. Comcast at least segments to just the range / number of public IPs we need. It seems significantly more secure this way.

Any thoughts or suggestions welcome.



Trying to understand the math behind networking

Hey guys, I have a question. If I have a communication system that must ensure 9600 b/s and it's sending symbols which are 8bits each. How would I calculate the minimum frequency range for it to ensure the necessary speed? Would 1000Hz or 1600Hz be enough?



unable to find on Cisco's website a list of compatible 10GB SFP's

Good evening,

I've looked and looked but I'm unable to find on Cisco's website a list of compatible 10GB SFPs (copper and fiber) for the 3650 Catalyst switch. Can someone point me in the right direction?

Thanks yall!



I'm a systems guy with (some limited) networking knowledge. I'll be taking on some responsibilities on our Juniper (and some Arista) switches/routers. Is the JNCIA-JUNOS a good starting point?

As the title says - Our infra mostly uses JunOS. I'm better than most of my colleagues at networking in that I'll frequently troubleshoot and diagnose network issues from the systems perspective, but I can count the amount of times I've logged into a switch on one hand.

I'm looking for some good resources to "learn networking" from a JunOS perspective, as someone who already has a cursory knowledge of things like routing protocols and has some experience reading packet captures.

Thanks!



Anyone know of a guest wifi solution that works off of proximity to your campus/building?

Our guest wifi is currently an open network with a captive portal for login. We create a guest account for one or more users and these accounts give you access based on the guest "type" that you are. This is all pretty standard. I would rather it just be open with an AUP and we just record your access time and what not.

Needless to say, this isn't the most secure thing to do, but it's guest.....

Problem is, we have residential areas within connectivity distance of our wifi making this option a no-go at the moment. So I was curious if there was any such system that anyone had heard of that could allow or deny access to a wifi network based on the client's proximity to the access points?

Sounds pretty easy in theory. Triangulate the client's location, probably do some mobility location tuning, make sure you can track clients' movements and bam, you're able to allow a client on once they're within 10 meters of an AP and disconnect them once they're out of range. Or heck, once they're in range, they maintain access until the signal is too weak and is lost.

Anyone seen or heard of anything like this?

I know we could possibly just tune down our APs along the perimeter of our campus but the distance between us and our neighbors in some areas isn't very wide. Meaning we'd be providing either too strong a signal to prevent them from accessing our wifi or too weak a signal for clients to be able to connect while in the parking lot or even just on the outside of the building.



Seeing multicast counts on Arista EOS?

Hey all.

Troubleshooting multicast with IOS is so damn easy with the count option. I don't see anything similar with EOS. Anyone have any tricks or tips for this? While I don't have the exact command at the moment, I do recall seeing a command that was SUPPOSED to show counts, but it was always 0, or something weird like that.

Any help would be appreciated. Thanks.



Job change question for you guys

I'm curious to hear what people similar to my work experience would do here.

Little about me: Early 40s, I started my career as a Network Engineer 17 years ago and now work as a Senior Network engineer at a small (# of employees 1K) financial company serving a local market. I'm pretty much on my own and work in a operation, implementation and architecture capacity. The work isn't exciting at all. The organizational hurdles coupled with immature IT leadership makes me feel like I'm working for a startup. Before this job I was with a fortunate 10 company with 300k employees and a Network team of about 50. I loved that job for the collaboration of the entire network team and the exciting projects that came across my plate. I had to leave though because the 70 hour weeks became too much and there was no end in site.

I'm in a position now where there is a company that is interested in my skills to fill a Senior Network Engineer role. The company size is perfect and the industry it is in is exciting to me. The team seems great, and one of the engineers in that role was a mentor of mine when I started out in the industry. The company also has a network architecture team which I could move up to if an opportunity presents itself in the future. So there is only one problem with the job. They would be offering significantly less than what I am making now, a difference of 20K. One of the reasons is that where I live I straddle two job markets. I currently commute an hour to a high-paying market where my rate is average for the market. The new job is extremely close to where I live and the rate they would offer me is reasonable.

I could totally take the lower pay with little to no change in my lifestyle and savings. I'm curious to hear how others would approach this opportunity.



MSDP / PIM-SM questions

To start - multicast is a weak point for me. I've done a production MCast deployment before but it was local to a single DC and the RP was a 6880x, so it was easy.

Now I am trying to wrap my head around how to build a multicast network using MSDP to share between AnyCast RP sets across data centers - I just had a few questions that should help me understand a little better. My deployment is a collapsed-core vPC pair per data center acting as Anycast RP sets, with multiple L3 paths between DCs using EIGRP.

1). If I'm not using BGP at all, do I need to use it to peer via MSDP? I saw it gives you the option to specify remote-as when configuring peers.

2). Does each data center need a unique Anycast RP address, or will both data centers advertise the same /32s? I understand each member needs its own unique /32 to map the anycast /32 to, but must the anycast /32s themselves be the same between DCs or should they be unique?

3). Can you peer MSDP over multiple hops, letting your IGP decide the path? Since there are multiple paths, I'm curious if I need to implement MSDP across all hops on all those paths, or if each RP set does direct peering using the GRT as the underlay transport between peers.



Testing network automation in virtual labs (like CML/VIRL, GNS3, etc)

I am working on a project that requires me to spin up a virtual lab, simulating the live environment, test changes there and then, once the changes are verified in lab - apply them to the live environment.

One of the big hurdles I ran into: virtual labs (at least Cisco ones) do not allow you to SSH into virtual devices by default, which makes it nearly impossible to use network automation tools like Ansible. Of course, you could extend the virtual network into the real one, but at least in my environment that would create lots of other issues with security and other teams.

My solution to the problem: write a proxy server in Python, which receives SSH connections from Ansible and proxies them to the virtual device. I wrote a very basic script a couple of years ago and used it for some small testing, then somebody else turned the script into a Linux service, and just recently I added some code to handle CMLv2 labs (where there are no telnet ports exposed anymore; instead you have to SSH into the CML host and type "open virtual_device_id" to open a console connection to it).

You can find code with install instructions here - https://github.com/eoprede/ssh_to_telnet_proxy

As an example, here's how I start the script in my environment:

/usr/local/bin/ssh_to_telnet_proxy -k /root/.ssh/id_rsa -p 3000 --cml my.cmlv2.com --logfile /var/log/ssh2telnet.log 

And this is what my Ansible inventory looks like when I am connecting to one of the virtual IOS devices:

test:
  hosts:
    "ssh2telnet.proxy.com":
      vars:
        ansible_connection: network_cli
        ansible_network_os: ios
        ansible_user: gesha24@/ecf1dd/n1/0
        ansible_password: password
        ansible_port: 3000
        ansible_become: yes
        ansible_become_method: enable

After that I can run pretty much any playbook against a virtual device and verify it performs as expected.

Hopefully somebody will find this useful. Reach out here or on git if you have issues/bugs with the code, pull requests are also always welcome.
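One detail of this design is worth a check before it goes anywhere near a shared lab: the proxy takes the target device out of the SSH username the client supplies, and in CMLv2 mode it then types "open <id>" into an interactive shell on the CML host. Anything that reaches that shell must therefore be allowlisted, not just passed through. The block below is an added example (editor's code, not the ssh_to_telnet_proxy project's own parser): it assumes the "<user>@/<lab>/<node>/<line>" convention seen in the inventory above, rejects ids that could smuggle extra commands into the CML console, and restricts which labs a proxy instance may open. The regular expressions and the lab allowlist are assumptions about the desired policy, not something the project documents.

```python
import re
import shlex
from dataclasses import dataclass

# Assumed username convention, inferred from the inventory on the page
# (ansible_user: gesha24@/ecf1dd/n1/0): the part before '@' is the login the
# virtual device itself expects, the part after it is the CML node id that the
# proxy hands to "open" on the CML host. The real proxy's parsing rules are not
# shown on the page, so both patterns below are assumptions.
_DEVICE_USER_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
# Strict allowlist for the node id: hex lab id, "n<number>" node, numeric line.
# No whitespace, quotes, ';', '|', '$', '`' or newlines can get through, which
# matters because this string is typed into an interactive shell on the CML host.
_NODE_ID_RE = re.compile(r"/[0-9a-f]{6,36}/n[0-9]{1,4}/[0-9]{1,2}")


@dataclass(frozen=True)
class ConsoleTarget:
    device_user: str   # login sent to the virtual device once the console is open
    node_id: str       # e.g. "/ecf1dd/n1/0"

    @property
    def lab_id(self) -> str:
        return self.node_id.split("/")[1]


def parse_proxy_username(username: str) -> ConsoleTarget:
    """Split '<user>@/<lab>/<node>/<line>' into its two parts, or raise ValueError."""
    device_user, sep, node_id = username.partition("@")
    if not sep or not _DEVICE_USER_RE.fullmatch(device_user) or not _NODE_ID_RE.fullmatch(node_id):
        raise ValueError("username must look like <user>@/<lab>/<node>/<line>")
    return ConsoleTarget(device_user, node_id)


def is_valid_proxy_username(username: str) -> bool:
    """True if the username parses under the allowlist above."""
    try:
        parse_proxy_username(username)
    except ValueError:
        return False
    return True


def cml_open_command(target: ConsoleTarget, allowed_labs: frozenset) -> str:
    """Return the line the proxy types into the CML host console.

    Refuses labs that this proxy instance is not authorised to reach, so an
    Ansible user cannot point the proxy at someone else's lab just by changing
    the username. Quoting is defence in depth: the id is already allowlisted.
    """
    if target.lab_id not in allowed_labs:
        raise PermissionError(f"lab {target.lab_id} is not reachable through this proxy")
    return "open " + shlex.quote(target.node_id)


if __name__ == "__main__":
    # Constructed inputs: the username from the inventory above plus a few hostile ones.
    good = parse_proxy_username("gesha24@/ecf1dd/n1/0")
    print(cml_open_command(good, frozenset({"ecf1dd"})))
    for hostile in ("gesha24@/ecf1dd/n1/0; reboot", "gesha24@/ecf1dd/n1/0\nexit", "gesha24@/../n1/0"):
        print(repr(hostile), "accepted" if is_valid_proxy_username(hostile) else "rejected")
```

The same idea applies to the legacy telnet mode: whatever the proxy extracts from the username to pick a host and port should be matched against a fixed pattern (or looked up in a static map) before a socket is opened, rather than interpolated into anything.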



Clearpass tacacs+ NAD name in access tracker

We are using clearpass as a tacacs server for about 300 devices and it is working well.

One thing that is bugging me a bit though is that in the access tracker view, requests display the username/timestamp/source/NAS/NAD IP address etc. in columns just fine, but I can't find a way of displaying the NAD name in the columns. This makes it a bit more cumbersome, as I have to go manually look up the IP address in the device list to figure out which device it is. There is an option to add "NAS name" as a column, but this never gets populated with anything.

I've spoken to Aruba support and the best workaround we were able to come up with was to add a sysname variable to each NAD with the hostname in it. Then we could open a request and see the hostname in the computed attributes.

It would be a lot more simple and helpful to just have it displayed in a column in access tracker.

Anyone found a way to make this happen?



cannot connect to ASA web interface? (trying to setup anyconnect with web deployment)

Hi everyone,

Disclaimer - I do not have much experience with ASA devices, so apologies if I've missed something incredibly obvious.

I'm currently trying to set up AnyConnect on a Cisco ASAv (testing for the moment what the config should look like).

I've wiped the config and started from scratch, but I'm not even able to access the ASA web interface. All I get from:

https://192.168.11.68:555 or https://192.168.11.68/admin

is "xyz took too long to respond"

ERR_CONNECTION_TIMED_OUT

My PC has the 192.168.11.90 address.

The virtual ASA is running with 192.168.11.68 on the outside interface.

Unless I'm doing packet-tracer tests wrong, all come up with "dropped by implicit rule, NP Identity Ifc". I suppose the global rule I have does not come into effect here:

ciscoasa(config)# packet-tracer input outside tcp 192.168.11.90 62000 192.168.11.68 https detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.11.68 using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7f9ac0f75ea0, priority=0, domain=nat-per-session, deny=false
        hits=778, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7f9ac134b2f0, priority=0, domain=permit, deny=true
        hits=768, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I also have an issue when trying to connect via ASDM: I get the error "unable to launch device manager".

But the logs from the app don't show me anything in particular:

OK button clicked
java.net.ConnectException: Connection timed out: connect
    at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method)
    at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
    at sun.net.NetworkClient.doConnect(Unknown Source)
    at sun.net.www.http.HttpClient.openServer(Unknown Source)
    at sun.net.www.http.HttpClient.openServer(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.<init>(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.New(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at com.cisco.launcher.s.new(Unknown Source)
    at com.cisco.launcher.s.actionPerformed(Unknown Source)
    at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
    at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
    at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
    at java.awt.Component.processMouseEvent(Unknown Source)
    at javax.swing.JComponent.processMouseEvent(Unknown Source)
    at java.awt.Component.processEvent(Unknown Source)
    at java.awt.Container.processEvent(Unknown Source)
    at java.awt.Component.dispatchEventImpl(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Window.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
    at java.awt.EventQueue.access$500(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue$4.run(Unknown Source)
    at java.awt.EventQueue$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)

Trying for ASDM Version file; url = https://192.168.11.68/admin/
java.net.ConnectException: Connection timed out: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method)
    at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
    at sun.security.ssl.BaseSSLSocketImpl.connect(Unknown Source)
    at sun.net.NetworkClient.doConnect(Unknown Source)
    at sun.net.www.http.HttpClient.openServer(Unknown Source)
    at sun.net.www.http.HttpClient.openServer(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.<init>(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.New(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
    at com.cisco.launcher.y.a(Unknown Source)
    at com.cisco.launcher.y.if(Unknown Source)
    at com.cisco.launcher.r.a(Unknown Source)
    at com.cisco.launcher.s.do(Unknown Source)
    at com.cisco.launcher.s.null(Unknown Source)
    at com.cisco.launcher.s.new(Unknown Source)
    at com.cisco.launcher.s.access$000(Unknown Source)
    at com.cisco.launcher.s$2.a(Unknown Source)
    at com.cisco.launcher.g$2.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Trying for IDM. url=https://192.168.11.68/idm/idm.jnlp/
java.net.ConnectException: Connection timed out: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method)
    at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
    at sun.security.ssl.BaseSSLSocketImpl.connect(Unknown Source)
    at sun.net.NetworkClient.doConnect(Unknown Source)
    at sun.net.www.http.HttpClient.openServer(Unknown Source)
    at sun.net.www.http.HttpClient.openServer(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.<init>(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.New(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at com.cisco.launcher.w.a(Unknown Source)
    at com.cisco.launcher.s.for(Unknown Source)
    at com.cisco.launcher.s.new(Unknown Source)
    at com.cisco.launcher.s.access$000(Unknown Source)
    at com.cisco.launcher.s$2.a(Unknown Source)
    at com.cisco.launcher.g$2.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

I have tried to edit the exclusions in Java security to include the address of the ASA, to no avail.

Here is the current config if that helps. I haven't even added NAT (I don't believe I need it at this point, as first I want to find out why I can't access the web page):

ciscoasa(config)# show run
: Saved
:
: Serial Number: 9A5CX2PA9U0
: Hardware:   ASAv, 1024 MB RAM, CPU Xeon 5500 series 3392 MHz
:
ASA Version 9.8(4)32
!
hostname ciscoasa
domain-name ciscoASA
enable password $sha512$5000$2PO4iev/ZhVwHDZjUTpOLQ==$7UZvDMLmDKpkZWW7ovccAQ== pbkdf2
names
no mac-address auto
ip local pool Anyconnect 10.10.30.30-10.10.30.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.30.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address dhcp
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name ciscoASA
object network obj-Anyconnect-network
 subnet 10.10.30.0 255.255.255.0
access-list outside extended permit ip any any
access-list outside extended permit icmp any any
access-list acl_SPLIT-TUNNEL standard permit 10.10.30.0 255.255.255.0
pager lines 23
mtu outside 1500
mtu inside 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-openjre-7131-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
access-group outside global
route outside 0.0.0.0 0.0.0.0 192.168.11.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http redirect outside 80
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
 auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 0509
    ……….
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.11.0 255.255.255.0 outside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl cipher default custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
webvpn
 port 555
 enable outside
 dtls port 556
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect image disk0:/anyconnect-win-4.9.06037-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy gp_Anyconnect internal
group-policy gp_Anyconnect attributes
 dns-server value 192.168.11.1
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_SPLIT-TUNNEL
 default-domain value ciscoASA
 webvpn
  anyconnect ssl dtls enable
dynamic-access-policy-record DfltAccessPolicy
username admin password $sha512$5000$Mxu7/puUc7yTDgk2DGMlhg==$gKMnlCwocUhsRATjrmmG+Q== pbkdf2 privilege 15
username cisco password $sha512$5000$ul6mbqQIotWXfBrwokk+Uw==$6Q9F7KgQZGVtOU3LhVQXDQ== pbkdf2 privilege 15
tunnel-group prof_ANYCONNECT type remote-access
tunnel-group prof_ANYCONNECT general-attributes
 address-pool Anyconnect
 default-group-policy gp_Anyconnect
tunnel-group prof_ANYCONNECT webvpn-attributes
 group-alias ciscoASAanyconnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
Cryptochecksum:deaafa9e857956c3c2f8a64eff1a15c0
: end
ciscoasa(config)#

It's not licensed, but I believe I should still be able to have up to 2 AnyConnect clients, if I'm understanding it right?

ciscoasa(config)# show ver

Cisco Adaptive Security Appliance Software Version 9.8(4)32
Firepower Extensible Operating System Version 2.2(2.138)
Device Manager Version 7.13(1)

Compiled on Mon 16-Nov-20 12:53 PST by builders
System image file is "boot:/asa984-32-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 12 hours 23 mins

Hardware:   ASAv, 1024 MB RAM, CPU Xeon 5500 series 3392 MHz,
Model Id:   ASAv5
Internal ATA Compact Flash, 1024MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB

 0: Ext: Management0/0       : address is 000c.298f.6350, irq 10
 1: Ext: GigabitEthernet0/0  : address is 000c.298f.635a, irq 5
 2: Ext: GigabitEthernet0/1  : address is 000c.298f.6364, irq 9

License mode: Smart Licensing
ASAv Platform License State: Unlicensed
No active entitlement: no feature tier and no throughput level configured
*Memory resource allocation is more than the permitted limit.

Licensed features for this platform:
Maximum VLANs                     : 25
Inside Hosts                      : Unlimited
Failover                          : Active/Standby
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 0
Carrier                           : Disabled
AnyConnect Premium Peers          : 2
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 50
Total VPN Peers                   : 50
AnyConnect for Mobile             : Disabled
AnyConnect for Cisco VPN Phone    : Disabled
Advanced Endpoint Assessment      : Disabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 2
Botnet Traffic Filter             : Enabled
Cluster                           : Disabled

Serial Number: 9A5CX2PA9U0
Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 13:00:49.789 UTC Wed Apr 7 2021

ciscoasa(config)#

If anyone has any suggestions/advice what to check or configure, it would be much appreciated.

Thank you!
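Two things in the posted config are worth pointing out to anyone reading this as a template, independently of what finally fixes the timeout. First, ASDM and the /admin URL on an ASA are only served to sources matched by an "http <network> <mask> <interface>" statement; the config above has "http server enable" but no such statement, whereas SSH does have one. Second, the management plane as configured negotiates SSH with dh-group1-sha1 and offers the 3DES suite DES-CBC3-SHA for TLS, both of which are weak by current standards. The fragment below is an added example (editor's configuration, not the poster's): it reuses the 192.168.11.0/24 source network and the "outside" interface name from the post, and everything else is an assumption about the desired policy. Only commands available on the 9.8 train shown in "show ver" are used.

```text
! Management-plane hardening for the ASAv above (added example, not the posted config).
! 192.168.11.0/24 and the "outside" interface come from the post; the rest is assumed policy.
!
! ASDM / https://<asa>/admin are served only to sources matched by an "http" statement.
http server enable
http 192.168.11.0 255.255.255.0 outside
!
! SSH: protocol 2 only, 2048-bit DH group instead of dh-group1-sha1, shorter idle timeout.
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh 192.168.11.0 255.255.255.0 outside
ssh timeout 10
!
! TLS for ASDM and the AnyConnect portal: TLS 1.2 only, and the built-in "high"
! cipher level instead of a custom list that still contains DES-CBC3-SHA.
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default high
ssl cipher tlsv1.2 high
ssl cipher dtlsv1 high
```

Two caveats when applying this. In the lab above the "outside" interface sits on the same LAN as the administrator's PC, which is why the statements bind to it; on a production ASA the http and ssh statements belong on a dedicated management interface, not on the internet-facing one. And packet-tracer simulates through-the-box traffic: a flow whose destination is one of the ASA's own interface addresses ends at "NP Identity Ifc" as shown in the post and is not a reliable test of whether management access is permitted, so check "show run http" and the logs for the connection attempt instead.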



Juniper SD-WAN

Greetings all

I deployed Juniper SD-WAN for one of my customers a year ago.

However, I know that Juniper acquired 128T and recently started to change the relevant data sheets. What I am seeking to know is for which deployments Juniper will choose 128T edges instead of SRX or NFX.

I know that 128T will bring what is called AI-WAN, but more information in that regard would be helpful.

Thanks



Help understanding PoE Budget

Hi All,

I hope this is the right place for my question; I apologise if not!

I am having a hard time understanding PoE budget and how this is calculated. Please see example below:

16 port PoE switch with 76 watt PoE budget.

IP phones connected with the following PoE consumption: Standby (W) 2.08, MAX (W) 5.9, Class (IEEE 802.3af) CLASS 2. The table for CLASS 2 states "minimum power required at power on 7.0W".

What would happen if I were to exceed the power budget? Do I risk damage to equipment, or equipment just not receiving power/turning on?

We currently have 13 IP phones connected with no issue, which based on the CLASS 2 minimum power means we could be pulling 91W (7W x 13 phones), but we aren't having any issues on a 76 watt switch.

Should I be using the CLASS 2 spec or just the MAX (W) spec when choosing a new switch? Even using the MAX (W) spec, I am still over my budget, but it's probably not been an issue because the phones don't use close to their maximum power consumption.

I hope that makes sense and would appreciate if anyone could offer any guidance.

Thanks