Saturday, May 1, 2021

I have a query. What is the hostname of OpenDNS Home for Android/iOS?

Is there a private DNS hostname for OpenDNS Home?



Networking - Future Prospects

Hi Folks, what's the best way for network analysts/engineers/architects to stay relevant for the next decade in the age of AI, ML and cloud technologies? Could include security administrators as well here. Automation and orchestration and the trend towards managed SaaS make many operations simple. Looking for guidance and some words of wisdom... Thanks



Cisco switch image to eve-ng

Can anyone guide me on how to add a Cisco switch image to eve-ng?



1GB Ethernet options over OSP copper

Need to extend an Ethernet connection to another building via an existing underground PE-89 flooded telephone cable. Cable has the correct primary and secondary protectors.

Fiber is not an option due to construction costs, RF or FSO is also not an option (no line of sight)

Looking at the Transition Networks Ethernet Over 2-Wire Extender, SKU EO2PD4052. Any other options?



Extreme SLX 9540 vs CER 2024 (looking for advice)

I posted this earlier on the Brocade subreddit but have a feeling this is a better place to get any comments. I'm looking to upgrade the WAN edge routers in one of our data centers. I was planning on purchasing 2 x Extreme (Brocade) CER 2024 switches because I run them in other places, know they are very solid, and they can still support a full routing table, but at the same time they are old and only have 4 x 10G ports. I've started to look at going with the SLX9540 instead but am wary of changing to a newer platform. My biggest concern is stability and bugs. I want to stick with Extreme to limit the number of vendors I have to deal with, so currently I'm ruling out Cisco, Arista, Juniper, etc. My experience in the past with Extreme support for our VDX and CER switches has always been great. Although I do think it is strange that sometimes, when asking them questions I think are simple, it ends up with their support replicating in a lab before they give advice. Appreciate anyone's opinion or advice.



Why use multi-mode fiber, when you can use single-mode fiber?

It seems you get higher bandwidth, lower attenuation, and more distance from the single-mode fiber.

- Why even use multi-mode fiber anymore?

- Is the cost of single-mode transceivers really that much more costly than multi-mode transceivers? If so, how much cost are we talking about here, and are there other electronics that are contributing to a much higher cost of a single-mode system?



Small DC design

Hi everyone!

I'm designing a small DC for 2 racks with an opportunity to scale. This scheme uses Cisco devices. Two Nexus9K as distribution switches with N2K FEX switches on the access layer. End servers use LACP for a connection into FEXes. N9Ks use VPC for multi-device LACP support. Routers ASR1K use HSRP for VLAN gateways and VRFs to separate tenants' VLANs. ASRs get a default route from ISPs through eBGP and use iBGP for ISP active/passive redundancy. The active HSRP ASR checks Internet connectivity by IP SLA and changes HSRP priority in case the Internet resource is unreachable.

DC topology: https://ibb.co/D7Vywk9

  1. What changes can you suggest to my scheme?
  2. Is there a reason to change HSRP gateways from ASR to N9K to increase bandwidth for East-West traffic? How to organise ISP redundancy in that case?
  3. Is there a reason to connect ISP links into N9K and terminate in ASR instead of direct connect with ASR?
  4. How to organise ISP redundancy when both ISPs provide connection links to both ASRs?
  5. What equivalent Juniper devices should I use instead of N9Ks and FEXs? I've considered QFX10002 with Fusion technology, but the QFX10002 cost is much higher than N9K.

Thanks for your answers!



Reverse Proxy Concerns

I am deploying DUO reverse proxy (DNG) with 2FA to protect internal web applications.

Normally, I would put the DNG server in firewalled DMZ, then create firewall rules to allow 443 from outside the network to the DMZ proxy.

Create DNS for www.myweb.com pointing to the IP address of the reverse proxy; that's what clients will connect to and that's what presents the TLS certificate.

Then point DNG to internal web server and allow port 80 via firewall rules.

My main concern is whether this design is secure enough to protect the internal servers from any attack, or do we need to move the internal web server to the DMZ as well?



www and ftp and smtp and imap of web host (example.com) all unable to load in all apps and tracert. ISP says example.com blocked my IP address. Example.com says my ISP blocked access to all example.com servers.

Today, www.example.com loads (only on laptop browser but not phone), but all the others still give server errors.

I'm trying to determine who is doing the blocking, ISP or example.com, so my question is which one of them is capable of UNblocking www.example.com while still denying access to ftp, smtp, and imap?



Gigavue/Gigamon/Gigasmart H series Gigaview visibility platform nodes

Anyone got any experience with these?

If I'm understanding this correctly - is this just a managed switch with a few extra things? Can I connect one of the SFP+ ports to my UDMP LAN SFP+ and a bunch of the SFP ports to a managed gigabit switch in a LB/LAG sort of deal (specifically I have a stack of brocade switches), giving >1GB (across multiple clients, I get the thing that a single stream's speed isn't increased by doing this)

Also (and separately) - does anyone know if these have any licensing issues (a la Cisco etc.)?

(Flaired as 'other' because it fits multiple categories)



Network Segmentation with Zero Trust approach

I am working with an external consultant to design a network for a ministry building, but I thought I'd take a second opinion from super Reddit experts.

Our CTO has advised to use zero trust network architecture.

It would be a two-tier network (collapsed core).

We are planning to segment the network with different use cases, such as: users in VLAN A should not talk to users in VLAN B, and the IoT VLAN should not communicate with the user and server VLANs.

I am thinking of putting in a DC firewall and then firewalling the VLAN gateways at the DC firewall, or doing VRFs in the core switches and then terminating the VRFs on the DC firewall.

I would be grateful if anyone could demonstrate any ideas with a rough network diagram.

Appreciating any help.



Are there any ways to prevent Cisco switches and routers from being reset or tampered with?

Hey everyone, I'm currently in class for networking and in 2 weeks I will be doing a culminating event where I have to set up a network according to a logical topology given to me. After I set up the network, an instructor connected via SSH will try to do things like delete VLANs, trunk ports, etc., as well as physically having access to my network and trying to mess it up by unplugging cables and so on. All my hardware will be included in the Combat Data Network / Data Distribution System (CDN/DDS-M). I'm aware there's no way to prevent the instructor from messing with the network in any way, but I want him to at least get annoyed while trying to mess up the network.

Any tips are appreciated



Differences between being an IT Network Engineer vs other Network Engineering roles

Hi,

I am a Network Engineer who has been working in the internal IT department of a big multinational company for almost 7 years. I joined the company working as an L1 IT Support Engineer providing IT support for the internal employees who were working in multiple locations in different regions. After being 2 years on the ServiceDesk, one of my managers at that time told me that the company would advertise a Junior Network Engineer position soon and asked me if I was interested in applying for it. Without hesitation I applied for it and got the job, and since then I have stayed in the same department until now. I have experienced multiple events in my role; for example, my company got merged with another one, new people came and others left, I got promoted to Senior, I passed some Cisco certifications, etc.

Recently, I have been thinking about my future because actually I really enjoy my job but at the same time I love networking and I would really like to explore different roles out there.

My question would be, for those who have experience in multiple networking roles at different companies: what are the main differences between working as an internal IT network engineer vs. working in other network engineering roles, such as working for an ISP, managed services, supporting the network for a big application platform, etc.? And which is the role that you enjoyed the most?



GRE without IPv4/6 transport

I remember reading something about connecting two routers via GRE without IPv4/6-enabled interfaces, but I can't recall how it was done. When I was looking into it, it seemed it needs a transport protocol like IPv4/6, right?



Why does setting up a route reflector restart BGP sessions?

Hi, while playing in a lab with BGP RRs, I noticed that if a BGP session is already in place without any RR configuration and then I set up RRs, BGP sessions are reset. Although I didn't explicitly find this written in the RFC, I understand at least Cisco and Juniper do this.

My question is, why? Can't the RR simply send UPDATE messages for the new routes (possibly withdrawing old ones) so they have the ORIGINATOR and CLUSTER_ID attributes? Why is a session restart required?



802.1x (EAP-TLS) security

Hello, from my understanding, under dot1x a port is either unauthorized or authorized, even if the authentication process is encrypted e2e. What prevents a MITM from waiting until authentication has succeeded and then injecting packets?

Even under multi auth which I assume works based on MAC because how else would it identify devices, an attacker can still inject packets by putting the source MAC as the authenticated device...

Am I missing something or is this protocol just bad?



Are Proxyservers still worth setting up in 2021?

I got to manage a school network, and my predecessor had set up Squid for content filtering and caching. With almost all of the web traffic being HTTPS, is this still worth it?

I mean the content filtering could only be done at the domain level, and caching is not really possible either, if my thinking is correct (on HTTPS).

My thought would be to skip on the Proxy and do the filtering via OpenDNS or with custom DNS entries.

Am I missing out on any benefits that would be worth setting up and maintaining Squid for?



Stuck on an Internal SSL error for 3 weeks.

We recently got to develop a video conferencing module and connect it to an Asterisk server. We used JavaScript, WebRTC and OpenSSL.

But we've been stuck on a server connection part and have tried almost everything on the internet, but in vain. I'll include the error text for reference. I really hope someone can help us through this because we are in a time crunch and really need to move on to the next step.

Error text:

[April 12 15:09:16] ERROR[8086]: iostream.c:647 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error

[April 12 15:09:16] ERROR[8086]: tcptls.c:179 handle_tcptls_connection: Unable to set up ssl connection with peer '219.75.139.45:63402'

[April 12 15:09:16] ERROR[8086]: iostream.c:552 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error



Friday, April 30, 2021

Aruba / HPE GreenLake offering

What has your experience been with GreenLake offering? Which option are you using basic or advanced services?



TFTP data transfer won't start

I'm trying to flash stock firmware for my bricked TP-Link TL-WR842N v3.1, but the data transfer won't start for some reason; my firewall is disabled. Any ideas? Also, I don't know if this is the problem, but the LAN connection keeps getting disconnected and connected, like the router keeps rebooting. https://imgur.com/a/3EqJauC



Cisco iWAN to SD-WAN - pros/cons?

My organization is currently running iWAN for our remote site connectivity. We have the ability to upgrade to the newer post-Viptela-acquisition Cisco SDWAN solution.

I know there is a detailed guide for making this change, but I was just curious to hear thoughts from anyone that has performed this upgrade.

Any growing pains? Weird issues? Is it really that much better? Easier to manage/administrate?

Basically just trying to figure out if the juice is worth the squeeze at this point. iWAN has been terribly underwhelming. I know Viptela used to be a great product line. Not sure if Cisco has destroyed that product and technology in true Cisco form yet or if it is a solid solution.

Curious to hear from folks that have made the upgrade and your overall thoughts/opinions.

Our setup is pretty basic. We’ve got an internet connection and an MPLS connection to each remote site. The head ends at the datacenters are ASR1001 routers and each remote site has an ISR4451.



Question about reverse cloud migration

Let's say you're building the next Facebook (lots of users, minimal downtime and social networking features like feeds, pictures, likes, friends, profiles, messaging, relational data, etc.).

From what I have read so far it seems like AWS is a good server infrastructure solution for such an app as it has lots to offer, scalability and is less of a commitment than building a data center.

My questions

Is it likely that it will become advantageous to operate from a data center some point in the future if the app becomes widely successful?

Would reverse cloud migration for a massive social network to dedicated servers be feasible? Would it be uniquely difficult given the fact that it's a social network and has a massive amount of relational data, or for some other reason?



Hyper Segmentation with automation framework

As automation and orchestration solutions become more commonplace, do you think it's feasible to see a Hyper Segmentation solution emerging? Here's how I'd envision it working.

Every single host endpoint on the network gets placed in its own VRF, dynamically created on the spot when they plug in. Each VRF would have overlapping IP space, and "intent"-based flows would be routed with automatically generated source NAT configs on the VRF firewall.

I know this sounds incredibly cumbersome and not like a good design, but I’m thinking 25-50 years from now.. like the distant future of SD-Access.



The purple elephant in the magic quadrant - am I crazy for considering Extreme?

So we're looking at replacing ageing Cisco equipment at our SMB with Cisco Catalyst or Aruba, but I've just given Extreme a look and they're around half the price of Aruba, let alone Cisco.

We're a software development house, and have stringent security requirements on what we do. We're looking at technologies such as ClearPass/ISE, StealthWatch/Introspect and possibly NSX to secure our fairly extensive server estate (dev/test is a bit of a wild west), and are looking for a good native management tool (Aruba Central/AirWave, and CloudIQ look good) as we don't have dedicated networking resources in the team. Looking for an integrated wired and wireless network, but also need to have capabilities to drive 25G to servers and storage.

Am I crazy for considering Extreme? I figure they can't be in the magic quadrant for no reason but I hear very few people talking about them, and there aren't that many resellers.



Passing device output in .txt to napalm

Is it possible to pass output in the form of a .txt to a NAPALM driver? We don't have direct device access, so we will issue show commands manually and want to use NAPALM for parsing the outputs into a structured format.



Some questions regarding the data checksum field on the TCP/IP layers

Hello everyone, this is my first time in this sub and I want to ask a question that burdens me since I have done a lot of research already and still don't understand the issue.

It is about checksum calculation in TCP/IP. I notice that the Ethernet frame has at the end an FCS field, where the checksum calculated for the integrity of its content is stored. This enables the target device to discard the frame if the checksum (CRC) fails.

Now, there is another checksum field in the transport layer. In the case of UDP (that is what I want to implement), in order to calculate the checksum there must be a pseudo-header; that is clear enough. What I don't get is, why do we need a checksum field at the transport layer when the data link layer could have discarded the complete frame already if the payload gets corrupted along its way to the destination?

Does that mean, that the FCS field of the ethernet frame does not take into account some bits flipping in the transport layer's fields? Wouldn't it be redundant to have a Checksum field in the transport layer, when there is already one in the data link layer?

I hope I have asked the right questions, since I am so confused. Thank you very much in advance!
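As an added example (not part of the original post), here is a small Python script that computes and verifies a UDP checksum exactly as the post describes it: over the IPv4 pseudo-header, the UDP header and the payload, per RFC 768. It also shows why the two checks are not redundant: the Ethernet FCS is stripped and regenerated at every router, so it only protects one link, while the transport checksum travels end to end and, because of the pseudo-header, also rejects a datagram that arrives with the wrong addresses. All addresses, ports and payload bytes are constructed sample values.

```python
"""Added example (not from the post): RFC 768 UDP checksum over the IPv4
pseudo-header, plus the verify step a receiver performs. All addresses, ports
and payload bytes are constructed sample values."""
import struct
from ipaddress import IPv4Address


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold any carry back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, udp_length: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol 17, UDP length."""
    return (IPv4Address(src).packed + IPv4Address(dst).packed
            + struct.pack("!BBH", 0, 17, udp_length))


def udp_checksum(src: str, dst: str, udp_segment: bytes) -> int:
    """Checksum field value for a UDP segment; bytes 6-7 (the checksum field)
    are treated as zero while summing pseudo-header + header + payload."""
    seg = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    total = ones_complement_sum(pseudo_header(src, dst, len(udp_segment)) + seg)
    csum = 0xFFFF - total
    return csum or 0xFFFF  # a computed zero is sent as 0xFFFF (zero means "no checksum")


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a UDP segment with a valid checksum."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = udp_checksum(src, dst, header + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def verify_udp(src: str, dst: str, udp_segment: bytes) -> bool:
    """Receiver check: summing pseudo-header + segment (stored checksum
    included) must give one's-complement zero, i.e. 0xFFFF."""
    if udp_segment[6:8] == b"\x00\x00":
        return True  # sender opted out of checksumming (permitted for IPv4 UDP)
    total = ones_complement_sum(pseudo_header(src, dst, len(udp_segment)) + udp_segment)
    return total == 0xFFFF


def demo():
    """Same bytes, three deliveries: intact, one payload bit flipped, and
    delivered to the wrong destination address. Returns the verify results."""
    src, dst = "10.0.0.1", "10.0.0.2"
    seg = build_udp(src, dst, 1234, 53, b"hi")
    flipped = seg[:8] + bytes([seg[8] ^ 0x01]) + seg[9:]  # corrupt one payload bit
    return (
        verify_udp(src, dst, seg),         # True: intact
        verify_udp(src, dst, flipped),     # False: caught by the UDP checksum
        verify_udp(src, "10.0.0.3", seg),  # False: pseudo-header ties it to the addresses
    )


if __name__ == "__main__":
    print(demo())
```

The third case is the one the FCS can never catch: a router that corrupts the destination address in memory after verifying the incoming FCS will happily compute a fresh, valid FCS for the outgoing frame, so only the end-to-end transport checksum notices.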



Office Network Issues

Looking to get some help.

We have a network in our office with routing and DHCP managed by an EdgeRouter Lite.

Also have multiple Netgear s3300-28XPoE+ ProSAFE switches between offices.

We have 3 Main Servers.

Recently we have had multiple power outages in our building and our UPC cannot keep up.

Once we get the hardware up and running it is difficult to connect to remote admin page of the servers.

Also difficulty accessing some IPs in the network.

We are able to get in sometimes after multiple hard restarts on switches, routers and servers.

What could be the issue we are running into?

Thank you in Advance.



Recommendation for a Cisco 8 port POE L2 switch

Looking for a recommendation for a Cisco 8-port POE switch. If only 4 ports do POE, that is fine.

The company has an SG250-08HP which seems to do the job. Is there a newer model of this, or another model that is better with less cost?

Switches must be fanless since they will be inside an office.

Thanks



Positron GAM-24-M

Hello everyone, I've got an issue I am hoping someone could help me out with. The company I work for has recently deployed a Positron GAM-24-M in a highrise apartment building. This lets us terminate our fiber in one location, and use the existing telephone wiring to provide gigabit speeds to customers.

One problem we are having is some of the ports appear to be shutting down on their own, and upon a reboot of the GAM, they begin working again. There is nothing in our syslog server about ports shutting down, nothing in the logs of the GAM about it, it appears to just happen randomly.

I know these are kinda niche devices, but I'm hoping someone out there has experience with these that can help me out.

Thanks!



Wireless Segmentation Design

Hi All

I am currently designing a wireless network and I am trying to work out the best way to provide the segmentation of services whilst trying to keep SSIDs to a minimum and maintaining an acceptable level of security. Trying to achieve all of this is proving difficult unless I’m overlooking something.

Our network is currently segmented using VLANs and VRFs. We have a VRF for our corporate network, VRFs for various third party/vendors (about 10), and a VRF for internet only access.

We are a Cisco house and use ISE. I am currently thinking of the following:

Corporate SSID that will use EAP-TLS. Access to our corporate VRF will only be granted for corporate user/computers that present an internal CA signed certificate.

Corporate Guest SSID that will use PEAP-MSCHAPv2. User identities will be local credentials in ISE. Depending on what user ID is used to connect to the network, we can place the user in the required network. This will be used for third parties that need access to their own networks and for employee guests.

IoT SSID that will use IPSK. Although we don't have any IoT devices yet, I imagine that we will come across devices that don't support 802.1X, so we will need to use PSK. IPSK seems flexible enough to support similar use cases to the Corp Guest SSID.

The only concern that I have with the above design is the use of PEAP-MSCHAPv2 due to its known security vulnerabilities, specifically with Evil Twin and credential theft. My other concern is that, depending on device type, configuration to connect using PEAP is not always as straightforward, so it may create more tickets for our service desk. I'm also aware that some devices, such as Android mobiles/tablets running OS 14, have removed the capability to bypass certificate validation. I imagine that other vendors will follow suit, which may make this solution unusable as we don't manage the client endpoints (and we don't want to be handing out our root CA to everyone). Is there a solution to this - a public EAP cert?

How are others doing this currently? Any advice would be appreciated.



Allowing ICMP ping in Windows 10 Firewall

Hello,

I have the basic windows defender firewall and I want it to allow ICMP ping. I have done everything on

Configure the Windows firewall to allow pings (iu.edu).

But I still get thrown out of the network at short intervals. So every two minutes I have to login again to the network. How can I fix this issue?



Best way to share a printer between networks?

Small office ~20 people.

There are two companies sharing space, they already have a big Ricoh MFP with one NIC. The two networks are physically segregated, one using a Sonicwall TZ600 (IP range is 172.16.10.0 /16), the other a basic little TP Link router with 192.168.2.0 /24. The printer is attached to the larger Sonicwall network. Both companies have their own separate internet connections, the TP Link company is just getting DHCP from their local ISP. The Sonicwall company has public IPs.

My question is what is the best way to share this device between networks. Both companies want full usage of it, meaning the ability to scan as well as print. My thought was take the Ricoh out of the switch (it is currently on the 172 network), give it its own port on the Sonicwall and its own network and create an access rule allowing traffic from the 172 network back and forth to the Ricoh.

Then, on the TP Link router, set up a 1-to-1 NAT and assign an IP for the Ricoh. Plug the TP Link LAN port into a Sonicwall LAN port and repeat the access rule process, allowing traffic from the 192 network to reach the Ricoh.

If I'm imagineering correctly, this will allow both networks to send and receive data from the Ricoh but will not allow the 192 network to see the 172 network.



Firewall Auditing Software - What do you recommend?

We are a Cisco shop running ASAs and Firepower. Any thoughts? Thank you!



Wireless Network Bridge Recommendations

Looking for recommendations on a wireless network bridge for commercial use. I am looking for something with at least 150+ Mbps and preferably 5GHz. I only need range for about 500 feet but the stronger the better. The other building typically only gets about 10 Mbps download on a good day so anything to make that better. TIA



Automation

Hello!

Our Cisco SmartNet contracts are expiring soon. We received an Excel spreadsheet with all the devices and I need to check if these devices are still in production. We removed a lot of them in the past year.

We don't have any documentation and we are talking about around 400 Cisco switches.

I obviously don't want to SSH into every single switch and do a show version to get the serial number, find it in the Excel, etc. I want to automate this process.

What would be the best way? I also want a framework that I could use in the future. I need to clean up some configs in all these switches and make them consistent. We don't have anything right now. I would like to backup the configs as well. Switches are mostly 2960X, 2960C, 9200L.

I'm good with Python but pretty new with network automation tools (Netmiko, NAPALM, etc.)

Could Ansible and Nornir be the tools I'm looking for?

Thank you
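As an added example, not from the post or from any vendor tool, the Python below does the reconciliation step with the standard library only: it pulls serial numbers out of captured `show version` text with a regex (matching both the `System serial number :` lines IOS prints, one per stack member, and the `Processor board ID` line), compares them with a contract list read as CSV (export the Excel sheet to CSV, or swap in openpyxl), and reports which serials are still deployed, which contract entries no longer exist, and which live switches are not on the contract at all. The `show version` excerpts, hostnames, serials and dates are constructed sample data; the Netmiko collection function at the end is my assumption about how the text would be gathered and is not executed here.

```python
"""Added example (not from the post): reconcile a SmartNet contract export
against serial numbers parsed from captured 'show version' output.
All sample hostnames, serials and dates below are constructed placeholders."""
import csv
import io
import re
from typing import Dict, Iterable, Set, Tuple

# Serial formats seen in IOS (2960X/2960C) and IOS-XE (9200L) 'show version':
# a stack prints one 'System serial number' line per member.
SERIAL_RE = re.compile(
    r"(?:System serial number\s*:\s*|Processor board ID\s+)([A-Z0-9]+)",
    re.IGNORECASE,
)


def serials_from_show_version(text: str) -> Set[str]:
    """Every serial number found in one device's 'show version' text."""
    return {m.group(1).upper() for m in SERIAL_RE.finditer(text)}


def contract_serials(csv_text: str) -> Dict[str, str]:
    """Map serial -> hostname from the contract export (needs a 'serial' column)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["serial"].strip().upper(): row["hostname"].strip() for row in reader}


def reconcile(contract: Dict[str, str],
              live: Dict[str, Set[str]]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (still_deployed, on_contract_but_gone, deployed_but_unlisted)."""
    seen = set().union(*live.values())
    listed = set(contract)
    return listed & seen, listed - seen, seen - listed


# --- constructed sample data ------------------------------------------------
SAMPLE_SHOW_VERSION = {
    "sw-floor1": """Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(7)E3
...
Processor board ID FOC0000X001
...
System serial number            : FOC0000X001
""",
    "sw-floor2": """Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(7)E3
...
Processor board ID FOC0000X002
...
System serial number            : FOC0000X002
Switch 02
---------
System serial number            : FOC0000X003
""",
}

SAMPLE_CONTRACT_CSV = """hostname,serial,contract_end
sw-floor1,FOC0000X001,2021-06-30
sw-floor2,FOC0000X002,2021-06-30
sw-old-lab,FOC0000X099,2021-06-30
"""


def run_reconciliation(show_versions=SAMPLE_SHOW_VERSION,
                       contract_csv=SAMPLE_CONTRACT_CSV):
    """Parse every capture, then reconcile against the contract list."""
    live = {host: serials_from_show_version(out) for host, out in show_versions.items()}
    return reconcile(contract_serials(contract_csv), live)


def collect_with_netmiko(hosts: Iterable[str], username: str, password: str) -> Dict[str, str]:
    """Assumed collection step (not run here): gather 'show version' from each
    switch with Netmiko so the parsers above have something to read."""
    from netmiko import ConnectHandler  # assumption: netmiko installed where this runs
    outputs = {}
    for host in hosts:
        conn = ConnectHandler(device_type="cisco_ios", host=host,
                              username=username, password=password)
        try:
            outputs[host] = conn.send_command("show version")
        finally:
            conn.disconnect()
    return outputs


if __name__ == "__main__":
    deployed, gone, unlisted = run_reconciliation()
    print("still deployed :", sorted(deployed))
    print("decommissioned :", sorted(gone))
    print("not on contract:", sorted(unlisted))
```

The "not on contract" bucket is worth keeping even though the post only asks about the reverse: a switch that is in production but on nobody's support list is the one that bites during an outage. The same parse-then-reconcile shape carries over to a config backup job, since the loop that collects `show version` can collect `show running-config` in the same session.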



Industrial network

How can I design an industrial network for an environment where there is interference from machines (frequencies, noise, oil, dust)? I'm thinking of designing an optical network and a WiFi network; of course I have an idea that I should use industrial equipment. But can someone help me, where should I start? Hypothetical situation: I need to send information from a machine through an IoT device, for example, to a database, where administrative staff will have access to view...



Without including loops or misconfigurations, what is the world record for most router hops a packet had to take from a source to a destination?

Topic.

Edit: downvotes? Why? Do you not take great pride and passion as a network engineer? This question should inspire a lot of joy and appreciation of your chosen trade!

Edit2: ok I’ll reword into a smarter question: is there any legitimate destination you can’t reach from certain sources due to packet TTL?



Inter-AS MPLS - BGP-LU and injecting in Segment Routing domain

We are building a state-of-the-art Metro Ethernet network with inter-AS connectivity and wish to achieve inter-domain passthrough for L2VPN and L3VPN services. The data plane is MPLS Segment Routing. The control plane uses EVPN, of course.

Do you have any examples of this in the real world? In our case the problem arises when labels from BGP-LU (Inter-AS Option C scheme) for the next hop need to be populated into the segment routing domain in another AS.

We have seen mentions of BGP-SR or SR-TE approaches, but without real applications.

So, what is the simplest way to deploy inter-AS MPLS SR/EVPN L2 or L3 services?



ESXi Blade Chassis to Nexus 5K - Physical NIC MAC Address

Hi All,

We got a Dell C6400 chassis with 4 ESXi blades. In our configuration each blade has 2 uplinks going to Nexus 5K switches or their FEX extenders. The 2 ports in the switch for each blade are configured as trunk ports. We couldn't see the blades' physical NIC MAC addresses on the switch side, just the VMs that are located on them. Is there a way to locate the physical uplink NIC MAC addresses on the switch side and not just the VMs?

Your help would be appreciated.



NXOS/ACI QSFP+ to 4x10Gb Breakout Port-numbering (in)consistency?

So recently I've been testing various optics on a 9336YC-FX2 (ACI 40/100Gb only switch) connection to a 40Gb blade on a 7706 and was trying to configure the ports into 4x10Gb breakout interfaces as I don't need so many dedicated 40GB cross-connects in-out of the ACI fabric.

My first test was with a WSP-Q40GLR4L, and this worked except that for some reason port 1 of the 4 breakout 10Gb interfaces came online briefly, then went down and remained permanently down without any real error log to hint at why. Otherwise, the port numbering matched one for one on both the ACI and NXOS sides, and I just sort of assumed that would be the case.

Next I tried a QSFP-40G-SR-BD, and unlike the single-mode module, all 4 lanes came online. However, the port numbering was now shifted. Instead of 1-1 ... 4-4, it was now 1-3, 2-4, 3-1, 4-2. I guess I just assumed that each of the 1300nm lanes would get assigned the same numbering after being converted to breakout interfaces, but I suppose that is not always the case. Is this normal behavior? Do I have some bad modules? Is there any way to manually change or assign the breakout interfaces? Both sets of QSFP+'s are genuine Cisco.



Thursday, April 29, 2021

Rising through the ranks

How does one be a network engineer and then make their way up to CEO or board member? I find that network engineers and network people are usually the most vocal, the most passionate about being proactive and also the most ignored. How do we keep our values and integrity and rise through the ranks, dealing with the business world and the upper management that sometimes have silver tongues and don't understand technology?

I'm not saying everyone is like that; I have experience across a few orgs and businesses, but I am seeing a trend of LinkedIn posts from digital disruptors, helping clients go digital, helping customers get the best from technology blah blah, and I don't believe a word because the underlying infrastructure has been ignored and is hanging by a thread... it might also be OK until it's refreshed by, hopefully, an MSP that does it properly.

If you know places not like this what are their names so I can apply :)



library issue

I visit a fairly new library in SW MO, and use an older macbook air with OS X 10.15.7.

They have a 5 GHz and 2.4 Ghz wifi network.

I use the brave browser, and after about 5-10 minutes, whatever page I am on will hang, and nothing else will load.

As a workaround, I change networks. If I'm on the 2.4 one, I'll switch to the 5 GHz or vice versa. It'll work for another 5-10 minutes and reoccurs.

I suspect it's something with brave. I spoke with the IT director. Surprisingly, she has not heard of brave.

She asked for my IP address and checked something with filters she said, and was unable to see why it's happening, but she did mention a URL, which was an ad, and I suspect Brave's ad-blocking feature is not playing well with their network.

I asked what network hw they're using and she wouldn't tell me, for security reasons she said.

This has not happened anywhere else. Anyone know why this is happening, and any suggestions to give her?

Also, can someone recommend another browser that's as good as or better than Brave, aside from Tor, with as good or better ad-blocking and security?



Initial CCNA/NP Lab Setup

Just finished building my network sensor (NMIS w/opCharts) using a salvaged server to create the physical representation of GNS3 or Packet Tracer for my CCNA/NP Lab.

What's the connect order if I want to use the server to monitor the lab nodes, but also access it from my Desktop? I've never done this before and I want to make sure I have everything prepped for when I start studying.

The lab is literally going to be used to make 50 different site configs from 1 router and 1-3 switches all the way to 3 routers with 1 switch each and then everything in-between. Build it up, break it down, repeat.

Server:

  • 8-way Serial Squid to all devices in Lab
  • 4- 1GE Ethernet
    • 1 - InOP
    • 1 - Connected to Desktop
    • 2 - Open ( I should be able to use one to monitor the lab )

Lab (Cisco Only):

  • ASA (5520) [For later on]
  • RTR-0 (2821)
    • 2 - 1GE
  • SW-0 (3560G)
    • 48 port
    • 4 - empty SFP/Ether ports ( should I have bought the modules for these? )
  • RTR-1 (2821)
    • 2 - 1GE
  • SW-1 (3560)
    • 24 port
    • 2 - empty SFP/Ether ports
  • RTR-2 (2821)
    • 2 - 1GE
  • SW-2 (3560)
    • 24 port
    • 2 - Empty SFP/Ether ports

Edit: Thanks for the downvote! Rules #1 and #6. Don't make this political. This is an honest post that is following the subreddit rules.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post as well as a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



LACP vs LAG vs PAgP

Hello guys!

I'm studying for my CCNP and am doing a comparison of the three EtherChannel negotiation protocols. Cannot find any smart information in books regarding the following questions:

- Does PAgP protect against misconfiguration like LACP?

- Which is the most widely used?

- Which one bundles the ports fastest by default? I know that LACP supports fast rate, but is LAG (static) the fastest based on the fact that it uses no negotiation?

- Which provides the widest vendor interoperability? I've read that ESXi only supports LAG.

- Does PAgP provide fallback to individual link operation?

TY



Need help with Pexpect for device config

Hello,

I am still learning Python for networking :) but can't figure this out. If someone can help, I would really be thankful. My goal is to pull the 'show run' from the list of devices and create the list of VLANs for every device. The script successfully runs show run but not the VLAN configuration. Most certainly it's something wrong with the for loop. Any ideas? Thank you

import pexpect
import sys

Cisco_IOS = ['192.168.122.72', '192.168.122.82']
Arista_EOS = ['192.168.122.83', '192.168.122.84']
user = 'cisco'
passwd = 'cisco'
command = 'show run'

for Cisco_device in Cisco_IOS:
    ch = pexpect.spawn('ssh %s@%s' % (user, Cisco_device))
    ch.logfile = sys.stdout.buffer
    ch.expect('Password')
    ch.sendline(passwd)
    ch.expect('#')
    ch.sendline('terminal length 0')
    ch.expect('#')
    ch.sendline(command)
    ch.expect('#')
    for n in range(2, 11):
        print("Creating VLAN " + str(n))
        ch.sendline('conf t')
        ch.expect(r'\(config\)#')
        # The original bug: 'vlan %d' + str(n) produces the literal string 'vlan %d2'.
        # Use % formatting, and pass sendline() a string rather than a one-element list.
        config_command = 'vlan %d' % n
        config_name = 'name Pexpect_VLAN_%d' % n
        ch.sendline(config_command)
        ch.expect(r'\(config-vlan\)#')
        ch.sendline(config_name)
        ch.expect(r'\(config-vlan\)#')
        ch.sendline('end')
        ch.expect('#')  # wait for the exec prompt before the next 'conf t'
    ch.sendline('exit')

for Arista_device in Arista_EOS:
    ch = pexpect.spawn('ssh %s@%s' % (user, Arista_device))
    ch.logfile = sys.stdout.buffer
    ch.expect('Password')
    ch.sendline(passwd)
    ch.expect('>')
    ch.sendline('enable')
    ch.expect('#')
    ch.sendline('terminal length 0')
    ch.expect('#')
    ch.sendline('show run')
    ch.expect('#')
    x = ch.before.decode('utf-8').splitlines()  # everything printed before the prompt
    ch.sendline('exit')
    for line in x:
        print(line)


Adtran NetVanta 1550-48 Stack command?

I just moved to cloud VoIP services through Frontier and we purchased six of the Adtran 1550-48 switches through them as part of the upgrade. I'm having a hard time finding the CLI commands for stacking them together, or the process required through the GUI.

This is the first time I have had to work with Adtran hardware, so I'm a little unfamiliar with the product and the difference in language.

I've already got the first switch 90% completed: I have all my VLANs configured, IP routes set up, VoIP configuration tested and completed, and most of the other required network information completed. Before I go any further I'd like to connect my second switch.

Can anyone point me to a thread or instructions for this? The commands I have found don't seem to work with my device.

I'd like to start working on link aggregation but can't until this is solved.

Thanks again.



Cisco SD-WAN design questions

I'm a newbie with Cisco's SD-WAN/SDA struggling with our company's new PoC....

I have a couple of questions somebody can hopefully answer:

1.) I want my guest VPN to have only internet access and no access to DC. I read that I create DIA with templates but how do I block access between the branches? Do I use a local data policy (ACL) to block them between sites, or do I configure a centralized VPN membership policy that blocks them from being advertised in OMP? I would also like to use the same subnet on all branches...

2.) I have a VPN segment for users that is full mesh between branches. I want to add a new VPN that for security reasons cannot communicate between branches; all communication has to go through firewalls in the DC. So as far as I understand the concept, I have to block the sites from learning each other's TLOC and direct the TLOCs to the DC. But in which direction do I apply the policy?

TY



LibreNMS, Oxidized w/ Nginx via Docker-Composer

Hi All, Has anyone installed LibreNMS and Oxidized integrated with Nginx SSL (self-signed certs)?
Does anyone have a docker-compose file they can point me to? That would be greatly appreciated. Thank you



Router Recommendations?

Any recommendations on a decent business grade router that won't break the bank? Mikrotik? Ubiquiti Edge?

ISP has given us a /30 and a /29 public LAN to route between. Only gonna be routing between the two subnets for now. At least 10 interfaces; some SFP ports would be a plus but not necessary.

A downstream Fortigate will be handling NAT, filtering, etc.



Shortest Path Bridging (Extreme/Avaya Fabric Connect)

I just watched some deep dives into the protocol and how it works and it made me wonder the following.

Has anyone seen it deployed in large infrastructures? Especially in a network that extends over a large geographical area (WANs)? How is it working out? Any pitfalls?

I understand that it was designed for carriers, but it seems to be mostly used for campus networks. I wonder how it handles big latency for example.

I have zero experience with it, but from the technical deep-dives I just watched, it looks to be a really good protocol.



Would a Dell Sonicwall TZ470 support gigabit throughput?

Working on a quote for a potential new client who is getting 1GB fiber installed in the building, they want to be able to get as close to the gigabit speeds as possible with firewall protection features enabled. Just wondering if SonicWall's 7th gen TZ470 would hold up to this, or should I go with a TZ570 or higher. Thoughts?



Trying to make a Network Tester for our Facility and as a training tool. Can you make a Network tester out of a PC?

A co-worker (friend) and I were talking to each other today in the server room at work and had to go test a port and re-terminate it. When we got back to the office we started to wonder if you could use your computer, with a combination of hardware and/or software, as a network tester.

Something like the basic functionality of a Link Runner G2 or any other basic network tester? Can you get the name of the switch you're attached to? Its stack number or port number? VLAN? IP? Any way to get twisted pair info or even do a cable test to look for opens/shorts/crosses or even possibly length?

Beyond using a computer could you create a purpose made one from PC or something else? What are the basic levels of functionality that allows a network tester to get this kind of information? What kind of Protocol or Packets is it sending/receiving?



DMVPN Question - Not Cisco?

Other than Cisco, who is really good at DMVPN phase 3? Full IPsec tunnels, running at a gig on each spoke. Say, 700 spokes. 4 hubs, paired, using some specific routing to do load balancing between a couple of pairs? I'm thinking the hubs would be provisioned for 10Gb each initially, with the ability to scale up to 40Gb. Some QoS capability would be good, but all the links would be private MPLS. SD-WAN type capabilities would be a bonus, but we're not there yet.



What would cause Packets to be so huge and be tagged with "Do not fragment = 1" ?

Investigating speed problems here https://www.reddit.com/r/sophos/comments/mzwfu0/ipsec_vpn_slowness_in_one_direction_over_2x_sites/ and noticed something strange.

Info:
Site A:

300/300mbps

Software Sophos XG firewall

Vmware / Vcenter on a VXrail cluster

Site B:

1/1gbps

Software Sophos XG firewall

Vmware / Vcenter on IBM blades

IPSEC VPN to both sites

Traffic flows fast from Site A to B but is dead slow from B to A

What I noticed while looking at the capture in Wireshark with a Sophos engineer is that the packets from site B are trying to send at huge sizes, way larger than our MTU and upwards of 22000 packet length, and these large packets have the header flag DO NOT FRAGMENT = 1.

What would cause the packets to be set to Do Not Fragment? What in the network could cause the size to be so large (or inject data into packets)?

Thanks this is crazy.



Cheap BGP Router

I am looking to test some on-prem k8s, and there is an LB tool called metallb which uses BGP with a router to direct traffic to k8s nodes. So this is a small-scale network and I'm looking for a cheap router that will suit my needs for testing some apps running in this configuration. Does anyone have any suggestions? I'm looking at a Cisco 2911, but my network guy says that some Cisco hardware may require keys to unlock certain features. I'd like to get something that I can configure ootb.



Internet Service Providers - How do you handle "Internet Abuse" notifications?

Hi fellow ISP employees -

How do you handle those "internet abuse" auto-generated emails you may get from time to time? For example, we'll get an e-mail to our registered abuse POC email address like this:

" One of your clients using the IP: A.B.C.D, which is according to whois allocated to you, has abused/attacked one of our server:
foo.bar.foo - IPv4: W.X.Y.Z

Service: "portscan"
Time: Thu, 29 Apr 2021 10:00:00 +0200"

We're considering coming up with a policy that allows for "1 strike" for the customer that has the IP address at the time of the "abuse." We would simply contact the customer and share the information we received in the abuse e-mail "as-is", tell them to knock it off and remind them of our terms and conditions. If it happens again, we'd consider suspension or cancellation of service.

But the rabbit hole can go real deep real quick when we start looking too long at these issues, and we don't want to create more work for anybody so we'd like to keep the process simple. Just curious as to how others may handle these situations.

TIA
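One way to take the manual work out of the "1 strike" process described above, as an added example that is not part of the original post or any ISP's tooling: parse the notice into structured fields, attribute the source address to whichever customer held it at the reported time (the address may have been reassigned since), and let a ledger decide between a first-strike warning and a repeat-offence review. The sample notice, the customer names, and the addresses (RFC 5737 documentation ranges) are all constructed for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# Constructed sample notice, shaped like the one quoted in the post.
SAMPLE_NOTICE = """One of your clients using the IP: 203.0.113.45, which is according to whois allocated to you, has abused/attacked one of our server:
mail.example.net - IPv4: 198.51.100.7

Service: "portscan"
Time: Thu, 29 Apr 2021 10:00:00 +0200"""


@dataclass(frozen=True)
class AbuseNotice:
    source_ip: str
    target_host: str
    target_ip: str
    service: str
    time_utc: datetime


_SOURCE_RE = re.compile(r"using the IP:\s*([0-9a-fA-F.:]+)")
_TARGET_RE = re.compile(r"^(\S+)\s+-\s+IPv[46]:\s*([0-9a-fA-F.:]+)", re.M)
_SERVICE_RE = re.compile(r'^Service:\s*"?([^"\n]+)"?', re.M)
_TIME_RE = re.compile(r"^Time:\s*(.+)$", re.M)


def parse_notice(text: str) -> AbuseNotice:
    """Extract the fields the strike policy needs; reject anything that does not fit the layout."""
    src, tgt = _SOURCE_RE.search(text), _TARGET_RE.search(text)
    svc, tm = _SERVICE_RE.search(text), _TIME_RE.search(text)
    if not (src and tgt and svc and tm):
        raise ValueError("notice does not match the expected layout")
    # ip_address() raises on anything that is not a literal address, so a
    # mangled or injected value cannot reach the customer lookup.
    source_ip = str(ip_address(src.group(1).rstrip(".")))
    target_ip = str(ip_address(tgt.group(2).rstrip(".")))
    # Reporters send their own local time; normalise to UTC before matching
    # against assignment records.
    when = parsedate_to_datetime(tm.group(1).strip()).astimezone(timezone.utc)
    return AbuseNotice(source_ip, tgt.group(1), target_ip, svc.group(1).strip(), when)


@dataclass(frozen=True)
class Assignment:
    customer: str
    ip: str
    start: datetime
    end: Optional[datetime]  # None means the address is still assigned


# Constructed assignment history: cust-07 held the address earlier, cust-42 holds it now.
SAMPLE_ASSIGNMENTS: List[Assignment] = [
    Assignment("cust-07", "203.0.113.45", datetime(2020, 1, 1, tzinfo=timezone.utc),
               datetime(2021, 3, 31, tzinfo=timezone.utc)),
    Assignment("cust-42", "203.0.113.45", datetime(2021, 4, 1, tzinfo=timezone.utc), None),
]


def customer_at(assignments: List[Assignment], ip: str, when: datetime) -> Optional[str]:
    """Which customer held `ip` at instant `when`? None if nobody did (e.g. unassigned pool address)."""
    for a in assignments:
        if a.ip == ip and a.start <= when and (a.end is None or when < a.end):
            return a.customer
    return None


class StrikeLedger:
    """Counts attributed notices per customer: first one is a warning, any later one goes to review."""

    def __init__(self) -> None:
        self._strikes: Dict[str, int] = {}

    def record(self, customer: str) -> str:
        n = self._strikes.get(customer, 0) + 1
        self._strikes[customer] = n
        return "warn" if n == 1 else "review"

    def count(self, customer: str) -> int:
        return self._strikes.get(customer, 0)


def handle_notice(text: str, assignments: List[Assignment],
                  ledger: StrikeLedger) -> Tuple[str, Optional[str]]:
    """Return (action, customer); action is 'warn', 'review' or 'unattributed'."""
    notice = parse_notice(text)
    customer = customer_at(assignments, notice.source_ip, notice.time_utc)
    if customer is None:
        return "unattributed", None
    return ledger.record(customer), customer


if __name__ == "__main__":
    ledger = StrikeLedger()
    print(handle_notice(SAMPLE_NOTICE, SAMPLE_ASSIGNMENTS, ledger))  # first notice: warn
    print(handle_notice(SAMPLE_NOTICE, SAMPLE_ASSIGNMENTS, ledger))  # repeat: review
```

The time normalisation is the step most often skipped: a notice stamped +0200 and an assignment log kept in UTC will attribute a dynamic address to the wrong customer if the two are compared naively, which is exactly the kind of rabbit hole the post wants to avoid.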



How can I get a VPN connection to establish from one machine, to another that is on a domain and behind a pfSense box?

Disclaimer: This is a homework/lab question, but I can't get any assistance from my teachers since they never reply or pick up the phone.


Here is an overview of the network (all virtual):

Windows Domain:

Domain Controller

  • Not sure if the DC might be impacting this somehow...

W10 Client: 1 network card has an address of 172.16.0.3.

  • New incoming connection was added for a specific user, enabling "through the internet" option with a pool of IP addresses.

Outside of domain:

Router (pfSense box): 1 network card has an address of 172.16.0.2 that it is using to piggyback from a DC that is OUTSIDE of the domain above. Port forwarding rule in place with the following:

  • Protocol: TCP/UDP

  • Interface: 172.16.0.2 vNIC

  • Destination: 172.16.0.X address

  • Destination Port Range: PPTP

  • Redirect Target IP: 172.16.0.106

  • Redirect Target Port: PPTP

W10 Client: VPN Connection added in Windows Settings with the following options:

  • Server Name or Address: 172.16.0.2

  • VPN Type: PPTP

  • Username/Password: Provided in those fields.


I've enabled ICMP on the pfSense box just to confirm I can ping from the Router to the W10 station that is in the domain. I also enabled pinging the interface on that router from any source, but I can't get a successful ping from the W10 client OUTSIDE of the domain, to the pfsense router.

Any ideas of what I should check?



Unifi or Omada alternative with low processing power requirement.

Light weight Unifi or Omada alternative?



F5 Big-IP trial for lab

Hi there,

I'm trying to set up a basic lab to get my feet wet with F5 (company is about to purchase one) as I haven't worked with it before.

For labbing I use GNS3 on Ubuntu. F5 offers a 90 day trial for the Big-IP. So has anyone used those trial versions with the GNS3 appliance? I suppose I can run the F5 as a VM and connect that to an infrastructure in GNS3.

Any recommendations?



Is my IT guy lying to me? (Android 11, PEAP MSCHAPv2)

So I'm having some issues with work wifi, IT says unfixable, I feel like it should be...?

Ever since the Android 11 update, I can't connect to work wifi. (PEAP MSCHAPv2)

The wifi setup now says I must enter a domain? And the IT guy tried a few domains, then told me the wifi equipment is too old and there is no way to connect my phone to the intranet. Says the access points are too old and there's no budget allocated to buy new ones that support these newer security requirements.

This has a very big impact on my workflow, as I have to move around the workplace constantly, and finding a nearby computer to access the intranet to check on tasks or real-time data kind of sucks. (And all the colleagues trying to help by showing me step by step how they set it up on their phone, then trying on my phone, then giving up.)

They even took the "how to connect your Android phone to wifi" document off the intranet! Now it just says contact IT if you need assistance with Android devices. Almost makes me regret not getting an iPhone.

So, is this the IT guy not wanting to do the work / not knowing how to fix it and lying to cover it up? Or is it actually unfixable without replacing hardware?



Options for a TOR OOB Management Switch

I am adding a TOR switch to each of my racks to separate OOB management. We use Dell Force 10s across the board now. These will just be single switches linked across racks. I have Cisco at the edge.

Any ideas on a decent model I can use for this? Vendors are sending me either lists of their stock or top end 10G switches! I think I only need something 'basic'. Cheers.



Wednesday, April 28, 2021

OSPF - network command in ‘router ospf’ vs redistribute connected

For years we only had an area 0 and had “redistribute connected subnets” for the access layer and a mix of “network 172.... area 0” or “ip ospf area” interface commands for core links.

I read this decade old article and wanted to share it: ospf and connected networks.

The big take away for me: redistribute connected creates ex2 type routes and you can’t summarize those on ABRs. Using the network command creates IA routes which you can summarize (Just started splitting out network into geographic areas.)

We are cleaning up a decade's work of "organically configured" OSPF and it has been fun.



Looking for IPv4 resource

Hi everyone,

I am new to this IP industry, and trying to find some IPv4 resources to purchase or lease. Can anyone share their experience of IPv4 sourcing? I really have no clue how to get started, thanks a lot.



Anyone have any technical analysis on the DoD's massive BGP advertisement?

Or should I say Global Resource Systems, LLC's massive BGP advertisement?

https://www.washingtonpost.com/technology/2021/04/24/pentagon-internet-address-mystery/

I don't buy for a second they handed over control of all these IPs to a private company just to prevent BGP hijacks. It also doesn't make sense to say it's a DoD shell company doing this. Everyone knows it's the DoD, why bother with the flimsy disguise? Beyond the initial route announcements, has anyone seen traffic from/to these address blocks? Are there any other technical discussions out there analyzing this? Anyone have any decent theories as to what is going on?



Tagging interface causes latency on other interfaces

I have two switches that are connected and passing a tagged VLAN (75). If I configure the switches like I have them listed below everything works fine.

SW1

Gi0/2 - Tagged 75 and connected to Gi0/1 on SW2
Gi0/3 - No VLANs and connected to Gi0/2 on SW2
Gi0/4 - Untagged 75 (as native VLAN)

SW2

Gi0/1 - Tagged 75 and connected to 3 ESXi hosts
Gi0/2 - Tagged 75 and connected to same 3 ESXi hosts

However, if I then tag Gi0/3 on SW1 for 75 it actually breaks my connection to the ESXi hosts and introduces major instability in the network. I start to see huge latency and disconnects across the 75 VLAN. Including on Gi0/4 which isn’t related to anything but just shares the VLAN and is connected to a desktop. I’ve verified it always happens when both ports Gi0/2 and 0/3 are tagged for 75. If only one is tagged it works great. Any thoughts?



VLAN path in cisco switches

Hi all. I have several Cisco switches (Catalyst, Nexus) connected to each other with end users workstation, servers, IP phones, management network and so on, each with a dedicated VLAN.

I would like to predict the L2 path for a certain VLAN, for example: "I don't want VoIP traffic to go there, because that link (trunk port) is 100 Mbit while I have other paths with 1 Gbit speed" - just an example of course.

How can I manage this? If I connect to every switch and type

show spanning-tree vlan XXX

I will find the path toward the root switch, which is where traffic for a specific VLAN is directed.

Correct? Am I missing something?

Thank you.



SNMP OID to poll to determine if a LAG member is down?

I'm trying to figure out how I would determine via SNMP polling that an LACP member port is down?

I want to use Prometheus to poll a device and get a metric back that would tell me when an LACP bundle member is down/not functioning properly.

I've looked through various MIBs, but I can't seem to find something (Cisco & Juniper) that would tell me the operational status of LACP bundle members.



Class Based Quality of Service

I work for a small ISP and we have just begun implementing Cisco Class Based Quality of Service (CBQoS). I'm looking into what network monitoring options are available for CBQoS. So far, the best-looking tool I've found for the job is SolarWinds NetFlow Traffic Analyzer. However, this product is primarily designed for NetFlow ingestion - they just happen to lump CBQoS monitoring in there for some reason. This would result in our paying a lot more for licensing than is really necessary for CBQoS.

People who are using and monitoring CBQoS on their devices, what tools do you use?



Connecting two buildings

Hi all

My company's looking at renovating a building we own across the street and I'm looking at a solution to try to extend our LAN there. In a perfect world, we'd have a bridge between the two buildings and I'd just pull a few fibers across it, but that won't happen. I'd like to run a few fibers underground between the two buildings, but our CEO thinks we may have issues getting a permit to dig up a busy city street. Leasing a line doesn't make any financial sense seeing as the place is literally across the street (I told him as much, though he still wants a quote). So my question is whether anyone's ever used something like Ubiquiti's airFiber antennas to connect a pair of buildings. If so, did they work well? Were there issues in inclement weather, etc.?



Problem with Aruba 535 AP and Cisco 3850 Switch W

I've got four APs that pull an IP address, connect to the controller, and seem to function perfectly well, except that there are no WLANs active. When I do a show lldp neighbor on the switch, the Capability field is blank, where there should be a "W". Can anyone help me?



Flipping EIGRP delay value between two routers and port channel

Currently I have router01 that has an EIGRP delay of 1000 on it providing internet and DMVPN services. Router02 has EIGRP delay set to 1500 with the same set of services.

Both routers port channel into a 3750 switch with 1000/1500 delay values on each respective interface.

I need to "flip" the routers so that router02 (delay 1500) is primary for DMVPN and Internet.

What is the best method to do this?

1) change delay value on switch first?

2) change delay value on router02 (from 1500 to 1000)? Now I have both routers using the same delay, but my current bandwidth command (300m) in router02 is higher

3) change delay value on router01 (1000 to 1500)? Now it matches router02's delay but its current bandwidth statement is lower, 100 meg vs 300m

I will be doing this from remote so I don't want to get kicked out and not need to use my "reload in 20".

suggestions?



Can't login to my Nokia SR 7750

New to the Alcatel/Nokia platform, and this router is about to go into production. However, when trying to login (via SSH or console), I get the copyright output (indicating a correct login, it doesn't give the output with an incorrect pw), then it goes right back to the login prompt. Rebooting it now isn't a big deal, but once it's in production, rebooting will take down 40k customers.



Urgent: need to somehow switch the country of my wifi signal/IP in order to connect with work VPN

Hi all,

Somewhat of an urgent question; my job has stupid security systems and only allows me to log in to our VPN from a wifi signal in either France, Germany, Luxembourg or Belgium. However, due to personal reasons, I have to be in The Netherlands for some time. Sadly my work has no sympathy for my situation at all... :(

Is it in any way possible for me to somehow change the ‘country’ of my IP signal, e.g. through adjusting the router/modem itself or through using my phone as a hotspot and having some hack or application which changes the output signal to a wifi emitted from one of the above mentioned countries?

Any suggestions extremely welcome, thank you so much for your time!



Adding Second Interface with Different Public IP for Same ISP

We have a situation that I'm not sure how to proceed with correctly. This location is currently utilizing two different firewalls - a Sophos XG 310 and a SonicWall NSA 3500. The way this was originally configured, a small switch was put in place before the firewalls, with one ISP connection coming into the switch, then one connection from the switch going to each firewall. They have one public IP from the ISP going to the SonicWall, and one public IP (for the same ISP connection) going to the Sophos. I want to move the public IP that is currently on the SonicWall to the Sophos without disrupting the flow of traffic to the ISP. We have several services that use the public IP that is currently on the SonicWall. How can I move the connection from the SonicWall to the Sophos as a second interface for the same ISP and allow communication for the services to work properly?



Network Design (practice question)

Hi All

I’m trying to re-sharpen my networking skills; I don’t do much networking in my current job, and have been there for 10 years. A bit of background - I had my CCNA, which expired 5 years ago, and worked with Cisco routers and switches in my previous job.

I’m eyeing a new networking role and going through practice scenarios. I’m given a scenario to design an office with four floors, each will have a hundred devices requiring wire and wireless connections. Assume a worker will undock their laptop and use a wireless connection.

Going into this, I figure I keep things simple and use a /25 mask providing 126 usable hosts.

Usable host range for each floor -

192.168.0.1 - 192.168.0.126
192.168.1.1 - 192.168.1.126
192.168.2.1 - 192.168.2.126
192.168.3.1 - 192.168.3.126

Am I going down the right path? I’m a bit unclear how I would design the wireless and wired connections. Would I create 2 vlans isolating each with a DHCP pool?

I look forward to any feedback!



Migrating F5 LTM to virtual but stuck on the design

I am in the process of moving our F5 over to a new pair of virtual LTMs but I am stumped on how best to do it. The issue is that the existing LTMs have internal, DMZ, and public internet networks on them. Our VMware hosts do not have the DMZ or internet networks on them and I really don't want to extend them into it.

The ultimate goal is to create a separate VM cluster for public facing servers but we just aren't there yet. Any ideas on how best to design this out?



Anyone familiar or have used Harting RJ Industrial Multifeature RJ45 connector?

Came across it this morning. I've always had probs crimping cat5 and thought this may be a solution. But judging from the video, this doesn't seem to cut the time down as proclaimed.



Can I use LACP between two switches to increase bandwidth for multiple users?

Hi! A bit new to networking. Right now in the office we have a Qnap NAS connected to a switch with a single cable, and then that switch is connected to another switch. That last switch is connected to a bunch of PC clients that need to access the Qnap.

Of course, that is one hell of a bottleneck, since there is only one cable between the switches and one for the Qnap.

Both the switches are the same model and support LACP. My Qnap has 4 ports and supports it too.

I want to aggregate those 4 ports on the qnap and the switch, and then aggregate like 4 ports on each switch to allow for more client traffic. I know each client will still be at 1Gb, but at least that would reduce or remove the bottleneck of having multiple clients at the same time.

Am I right? Is that how it works? Sorry for the newbie question!



Different SNMP communities

Hello all,

I'm working at a large networking company (not an ISP). I realised that different customers of ours have different SNMP communities. I was wondering, what is the benefit of having different communities for each customer? Why do we have that, is it because of security reasons?

Appreciate your replies.



Force 10 VLTi Backup Link Question

I am looking to replace a 3048 stack (TOR with a LAG to another rack in the DC) with a 3048 in a VLT config. This is due to a recent issue with the existing stack needing a FW update, and I need to take both offline to complete that.

The issue I have is with the backup link. Both management ports have an IP; if I cable them directly to each other, it's fine - but I obviously cannot manage them then.

So, I thought I would plug each one into a port on the peer, but the backup link will not connect and the ping will not respond. I plug a laptop in and I can ping both management ports no problem. So I know the VLT is working and the IPs are fine.

Does anyone have any ideas how I can get this backup link working? Thanks.



Bit confused on how class policies for CoS working

Hi, at the ISP I work at, we usually have 4 service policies we implement on EFPs. The policies are the following:

- MONO_CoS0
- MONO_CoS1
- MONO_CoS5
- MULTI_Forbidden (which despite the name is applied when we need to match CoS 0, 1 and 5)

I read the Cisco documentation and it seems pretty straightforward; what confuses me is how we're doing this in our network.

If I do a:

show class-map MONO_CoS0/1/5 

this is the output:

Class Map match-any MONO_CoS0/1/5 (id 1)
  Match cos 0 1 2 3 4 5 6 7

This applies to all 3 of the MONO_CoS policies; the only value that changes is the id. If these policies should match just one of these 3 CoS values, shouldn't they just contain the relevant CoS value under their matching criteria?

Bit different for the "Multi_Forbidden" policy which has two class maps assigned to it:

  • MULTICOS
  • MULTICOS_allowed

The output is this:

show class-map MULTICOS_allowed
Class Map match-any MULTICOS_allowed (id 5)
  Match cos 0 1 5

show class-map MULTICOS
Class Map match-any MULTICOS (id 4)
  Match cos 2 3 4 6 7

I am assuming the matching criteria are recursive, so once a policy is applied on an EFP the router will go through the classes until it finds a match, then stop. So in case the router receives traffic not matching CoS 0, 1 and 5, rather than dropping it, thanks to the other entry it will still forward it. That is the only explanation I can give myself right now.

However, if that's the case, why aren't the policies for the mono CoS configured in the same way? E.g. 2 class maps, one containing solely the CoS the policy should match and the second containing the rest?

Could someone kindly explain or point me to some documentation to read that explains this? I haven't been able to find any that deals with multicos.

Thanks in advance



Cisco FP8360-K9 Hard drive missing

Hello community,

I'm reaching out because after a long research I'm a bit stuck here.

We have found a Firewall FP8360-K9 but there is no hard drive inside.

On Cisco's datasheets I can only read ''Solid State HDD'' but I'm not able to find what the default p/n is..

Does anyone have one of those complete who could share the p/n, or does someone have a clue?

Help is greatly appreciated!



Tuesday, April 27, 2021

Anyone use Software Defined Perimeter (SDP)? If so, which one?

I've been working on zscaler private access for a bit and was wondering what the experience on other vendors like appgate, perimeter81, netskope, etc is like?



Can network engineer work remotely like 100% remotely?

There are some job posts looking for network engineers and it says it is remote work.

I am not sure if network engineers can work 100% remotely.

Does 100% remote network engineer role really exist?

I am asking this because I have been applying for remote jobs.



Can't find anything to limit child's social media use on Mac

I've searched the net high and low, and can't find anything that will allow me to set a rule which will block my son from accessing certain websites (on his Mac) for more than 1 hour per day.

There are plenty of solutions for setting a schedule, say, only 4pm-5pm. No good.

And with macOS Screen Time you can set a limit for a particular site, like, 1 hr for discord.com -- but I want to set 1 hr for a group of websites (which he will divide up as he likes.)

Does anyone have any idea how to accomplish this?



Rsocks proxies available for 10$ a month

https://rsocks.net/?ref=U9f55DFIE-asn4pX_DTBu4TRoIHzE0bnj-uzba

These can be used for any of your needs there's a good support too. Definitely check them out if you are looking for high speed proxy servers.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Looking for a tester to find throughput for fiber

I have been tasked to find a tester to test a section of MM in an old building to see if it has any issues.

I'm partial to Fluke testers, but if anyone has experience with another brand. We're limited to $3000.00.

(I put throughput in header, can't delete... please down vote for my ignorance)

Thanks



Can anyone help, new to this.

I tried to search on the internet but didn't understand it clearly, so I will share an example:

I have 10 servers which I don't have direct access to through the VPN, but I have access to the 11th server and I can only access all the 10 servers through the 11th one via ssh. How can I access all the 10 servers without ssh? Is there any way I can tunnel all the 10 servers through the 11th one? For now I am using MTPuTTY to connect to the 11th server in multiple tabs and then typing all the 10 IPs and logging in 😭😭

Just tired of logging in again and again, typing all those server IPs again and again. Please help me with this,

Thanks in advance. New to networking in learning phase.



Link saturation without dropping pings?

We have a very simple network and have recently been getting complaints of Zoom video issues. Our 2gbps ISP link has been close to fully saturated (~1.7 / 1.8 gbps according to our in-line filter's statistics) during the time when users complain. Zoom has a handy statistics window that shows packet loss on the receive side for video of our users' connections. I've verified it does not happen off network. It's a little hard to try to packet capture because this is a combination of TCP 443 traffic and UDP 8801 traffic coming from the Zoom servers, and I don't think I can do a packet capture that would show the loss because I don't have every UDP packet being captured at the Zoom egress server link to compare for loss.

I tested outside of my firewall and web filter to rule all of that out and if I use our backup ISP, we don't see the issue (Our backup ISP is not being utilized right now for reasons outside of all of this so it's got a lot of available bandwidth). I talked to the ISP and they said they did not see any issues and the only thing they said was the link WAS saturated at points during the day and that UDP handles drops far worse than other traffic (duh). They've set some Zoom QOS to try and solve the problem but I will have to see how it goes tomorrow. My only issue with the theory is I've been running MTR and pings to public hosts all week and have not dropped a single packet to them.

Any thoughts on what this might be, if ICMPs should be lost if it was saturation, and what recommendations on troubleshooting strategies would be are greatly appreciated.

Thanks in advance!
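A receive-side capture on its own can show the loss if the media carries sequence numbers: whatever is missing from the sequence at the receiver is what was dropped upstream, so no matching capture at Zoom's end is needed. The code below is an added example, not from the post. It assumes the stream is RTP (RFC 3550) or any framing with a 16-bit sequence number in the same position; that is an assumption about Zoom's UDP/8801 traffic, not something the post establishes, so verify the header layout on a real capture first. The sample packets are constructed inline and cover a sequence wrap, two loss bursts and one late (reordered) packet.

```python
"""Receive-side UDP loss detection from a single capture, using RTP sequence numbers.

Added example, not from the original post. Assumption: the media carries RTP v2
headers (seq at bytes 2-3, SSRC at bytes 8-11). Input packets are constructed.
"""
import struct
from dataclasses import dataclass, field

RTP_HEADER_LEN = 12


def parse_rtp(payload: bytes):
    """Return (seq, timestamp, ssrc) if payload looks like an RTP v2 header, else None."""
    if len(payload) < RTP_HEADER_LEN:
        return None
    first, _mpt, seq, ts, ssrc = struct.unpack("!BBHII", payload[:RTP_HEADER_LEN])
    if first >> 6 != 2:  # the two version bits must be 2
        return None
    return seq, ts, ssrc


@dataclass
class LossStats:
    received: int = 0
    lost: int = 0          # net of packets that later turned up late
    reordered: int = 0     # arrived after a higher sequence number had been seen
    gaps: list = field(default_factory=list)  # gap sizes as first seen; a late arrival does not shrink them

    @property
    def expected(self):
        return self.received + self.lost

    @property
    def loss_pct(self):
        return 100.0 * self.lost / self.expected if self.expected else 0.0


def loss_from_sequences(seqs):
    """Count loss from 16-bit sequence numbers in arrival order, handling the wrap at 65536."""
    st = LossStats()
    last = None
    for seq in seqs:
        st.received += 1
        if last is None:
            last = seq
            continue
        delta = (seq - last) & 0xFFFF
        if 0 < delta < 0x8000:          # forward jump: delta-1 packets never arrived (so far)
            if delta > 1:
                st.lost += delta - 1
                st.gaps.append(delta - 1)
            last = seq
        elif delta == 0:                 # duplicate: neither new nor lost
            st.received -= 1
        else:                            # backward: a late packet we had already counted as lost
            st.reordered += 1
            st.lost -= 1
    return st


def loss_per_ssrc(packets):
    """Group UDP payloads by RTP SSRC and compute loss per stream from the receive side alone."""
    by_ssrc = {}
    for payload in packets:
        hdr = parse_rtp(payload)
        if hdr is None:
            continue
        seq, _ts, ssrc = hdr
        by_ssrc.setdefault(ssrc, []).append(seq)
    return {ssrc: loss_from_sequences(seqs) for ssrc, seqs in by_ssrc.items()}


def make_rtp(seq, ssrc=0xDEADBEEF, ts=0):
    """Build a minimal RTP v2 packet (constructed test data, payload type 96, no real media)."""
    return struct.pack("!BBHII", 0x80, 96, seq, ts, ssrc) + b"\x00" * 20


# Constructed arrival order: wraps 65535->0, loses 65534-65535 and 3-5, and 7 arrives late after 8.
SAMPLE_SEQS = [65530, 65531, 65532, 65533, 0, 1, 2, 6, 8, 7, 9, 10]
SAMPLE_PACKETS = [make_rtp(s) for s in SAMPLE_SEQS] + [b"not rtp at all"]

if __name__ == "__main__":
    for ssrc, st in loss_per_ssrc(SAMPLE_PACKETS).items():
        print(f"ssrc={ssrc:#x} received={st.received} lost={st.lost} "
              f"reordered={st.reordered} loss={st.loss_pct:.1f}% gaps={st.gaps}")
```

To run it on a real capture, export the payloads with something like `tshark -r zoom.pcap -Y 'udp.port==8801' -T fields -e udp.payload` and feed `bytes.fromhex(...)` of each line to `loss_per_ssrc`. On the ICMP question: a ping or MTR probe once per second samples the queue for a tiny fraction of the time, while tail drops on a saturated link come in bursts of a few milliseconds, so clean pings do not rule out saturation; loss seen per stream in the capture, correlated with the capture timestamps, is the evidence to bring back to the ISP.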



SDWAN | Interpret Viptela Service Chaining?

Hello, I would like to know the meaning of the service chain configuration below. The situation is that I encountered an issue where we ran a packet capture end-to-end, but from the 3rd party (cloud security provider) side I'm seeing that somehow the packets from the branch get translated, since the public IP I saw in the 3rd party capture is an IP from the data center.

The setup is that from the branch site we are forwarding the HTTP/HTTPS traffic to the 3rd party security provider.

From my assumption, is this the traffic flow for web/HTTPS? https://ibb.co/2ZYmrxn

a. Hub - vEdge configuration

vpn 10
 service FW address 192.17.1.254 (Forti firewall)
 service netsvc1 interface gre1

b. vSmart configuration

site-list CUST_SID
 site-id 123
policy
 site-list CUST_SID
  control-policy CUST-CP-Out out
  data-policy CUST_DATA-POLICY from-service
  cflowd-template CF_AP
control-policy CUST-CP-Out
 sequence 60
  match route
   site-list CUST_SID (site-id 123)
  !
  action accept
   set service FW tloc-list MY-TLOC-LIST
tloc-list MY-TLOC-LIST
 tloc 10.78.250.196 color mpls encap ipsec preference 100
 tloc 10.78.250.197 color mpls encap ipsec preference 50
 tloc 10.78.251.132 color mpls encap ipsec preference 200
 tloc 10.78.251.133 color mpls encap ipsec preference 150
 tloc 10.78.251.133 color metro-ethernet encap ipsec preference 150
 tloc 10.78.251.133 color biz-internet encap ipsec preference 150
 tloc 10.78.251.133 color public-internet encap ipsec preference 150
data-policy CUST_DATA-POLICY
 sequence 100
  match
   source-ip 0.0.0.0/0
   destination-port 443 80
  !
  action accept
   count 100
   cflowd
   set service netsvc1 local
cflowd-template CF_AP
 flow-inactive-timeout 120
 collector vpn 10 address 10.10.48.54 port 2055 transport transport_udp source-interface loopback10

c. Branch - vEdge

vpn 10
 service netsvc1 interface gre1

QUESTION:
1. Based on the above diagram, is that the correct flow? From the branch site it will be forwarded to the hub, then to the firewall?
2. How do the hub and firewall handle the reply/return traffic back to the branch site and then to the target destination? Since the source IP address is already translated to a public IP, is it going to be based on src/dst IP or TLOC, etc.?
3. In terms of the return traffic from the actual target destination, what will happen? Does it go Branch -> hub -> FW (NAT back to private IP) -> hub -> branch -> client? What is the correct process?
4. As you can see we also have a service netsvc1. What is the purpose of this? Are we going to use this first?
5. What show commands or tests can be performed to validate the flow?

Thanks for your input, kinda confused here.



Bird and Quagga compatibility - multicast

I was tasked with deploying IP multicast routing on our servers using PIM. The servers currently run BIRD and a custom application on top of that for configuration.

Since BIRD doesn't support PIM and I don't really feel comfortable touching the old code for the config app (which to my understanding was mostly built by copy-pasting from Stack Overflow, so you can imagine how horrid the code looks, but hey, it works), I want to ask first: would it be possible to keep BIRD for RIP/OSPF and only use Quagga for its PIM daemon, since pimd requires Quagga to function and I couldn't find anywhere whether the two routing daemons are interoperable? Or will I have an easier time going with just Quagga?



Router or WiFi extender

I have a LAN cable that is coming from a router in another office room. I want to set up a new WiFi connection using the LAN cable. Can I use a WiFi extender for this? Or do I need a router?



Time spent studying outside work hours

I've noticed in much of IT there is a ton to learn and not a lot of time to do it. I'm looking into network engineering as a career path after being a generalist for a number of years and I'm wondering how much time outside of work hours would be a reasonable expectation for studying concepts and preparing for qualifications such as the CCNA.

Any insight would be greatly appreciated.



dACL isn't being downloaded to Cisco 3750X

I am working on an ISE project to implement posturing and compliance for our client machines. We created a test NAD (a used 3750x with ios 15.0(2)SE12 because we're still using old style commands on our production 3850s running version 3 of IOS-XE). One of the issues we're running into is that the test client authenticates to ISE from the test NAD but the dACL isn't downloaded to the switch. We're currently running ISE 2.6 patch 6 atm and I can see that the test NAD is able to talk to ISE using the configured PSKs on the switch and ISE NAD settings.

Would anyone have an idea of what is causing this to happen?



BGP equivalent route map CISCO-MIKROTIK

I have a question. On MikroTik routers you can add an inbound routing filter with action=reject.

Which will add the route in the routing table but as inactive.

Is there an equivalent route map command in cisco that would do that?



East/West Encryption

I'm looking for solutions to encrypt EW traffic on Brocade devices. I've started looking into MACsec and ISL encryption. We had a solution from Unisys but it has too many issues.



JunOS upgrade on 550HM fails

Has anyone seen this error message when going from 15.1X49 to anything other than a later release of 15.1X49?

https://pastebin.com/6F7ThZkp

I’ve googled around and there doesn’t seem to be a solution for this other than reimagine the system? This happens with basically any and all versions. It upgrades successfully if I add the no-validate flag.



Carrier grade NAT

How do you implement carrier grade NAT?

My company is looking to adopt an M&A strategy, acquiring 10 to 50 businesses over the next 1 to 5 years. We are trying to figure out how to account for whenever one or several of these entities have overlapping private IP space with our own. We are planning on integrating them into our domain so we need connectivity to their DCs, but we are certain that inevitably one or more of these acquired companies will overlap with our IPs.

What are some strategies, aside obviously from re-IPing, for implementing NAT at the edge?
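What the post describes, overlapping RFC 1918 space after an acquisition, is normally handled with static one-to-one prefix translation (often called NETMAP, twice NAT or static NAT with a subnet mask, depending on the firewall) rather than carrier-grade NAT, which is the ISP-scale many-to-one kind. The script below is an added example, not any vendor's implementation: it finds the acquired prefixes that collide with yours, carves a same-size translation prefix for each out of a reserved pool, and translates individual addresses in both directions. The pool 100.64.0.0/10 (RFC 6598 shared address space) and the sample prefixes are assumptions; any block that none of the parties uses will do.

```python
"""Detect overlapping prefixes between our network and an acquired entity and build
a static 1:1 (NETMAP-style) translation table for the ones that collide.

Added example, not from the original post or any NAT product. Assumed: translation
pool 100.64.0.0/10 (RFC 6598) and constructed sample prefixes.
"""
from ipaddress import IPv4Address, IPv4Network


def overlapping(own, theirs):
    """Pairs (ours, theirs) whose ranges intersect; prefixes not listed here can be routed as-is."""
    return [(o, t) for t in theirs for o in own if o.overlaps(t)]


class PrefixPool:
    """Carve non-overlapping translation prefixes out of one reserved block (best-fit)."""

    def __init__(self, block):
        self.free = [IPv4Network(block)]

    def allocate(self, prefixlen):
        # Smallest free block that still fits, to keep the pool from fragmenting.
        fits = sorted((b for b in self.free if b.prefixlen <= prefixlen), key=lambda b: -b.prefixlen)
        if not fits:
            raise ValueError(f"pool exhausted for /{prefixlen}")
        blk = fits[0]
        self.free.remove(blk)
        if blk.prefixlen == prefixlen:
            return blk
        chosen = next(blk.subnets(new_prefix=prefixlen))
        self.free.extend(blk.address_exclude(chosen))  # put the remainder back
        return chosen


def build_netmap(own, theirs, pool_block):
    """Map each acquired prefix that collides with ours to a same-size prefix from the pool.

    The pool itself must not overlap anyone's space, otherwise translation just moves the collision.
    """
    pool_net = IPv4Network(pool_block)
    for p in list(own) + list(theirs):
        if pool_net.overlaps(p):
            raise ValueError(f"translation pool {pool_net} overlaps {p}")
    pool = PrefixPool(pool_block)
    mapping = {}
    for _ours, t in overlapping(own, theirs):
        if t not in mapping:
            mapping[t] = pool.allocate(t.prefixlen)
    return mapping


def translate(addr, mapping):
    """Forward translation: keep the host bits, swap the network. Addresses outside the table pass through."""
    addr = IPv4Address(addr)
    for src, dst in mapping.items():
        if addr in src:
            offset = int(addr) - int(src.network_address)
            return IPv4Address(int(dst.network_address) + offset)
    return addr


def reverse(mapping):
    """Inverse table for the return direction (translated -> original)."""
    return {dst: src for src, dst in mapping.items()}


if __name__ == "__main__":
    own = [IPv4Network("10.0.0.0/16"), IPv4Network("192.168.1.0/24")]
    acquired = [IPv4Network("10.0.5.0/24"), IPv4Network("172.16.0.0/24"), IPv4Network("192.168.1.128/25")]
    table = build_netmap(own, acquired, "100.64.0.0/10")
    for src, dst in table.items():
        print(f"{src} -> {dst}")
    print(translate("10.0.5.37", table), translate("100.64.0.37", reverse(table)))
```

The resulting table is what goes into the edge firewall on each side as static prefix NAT; the acquired entity's hosts keep their addresses and your side reaches them at the translated ones. Two things follow from it that are easy to forget: the pool must be routed toward the NAT device from your side, and DNS answers crossing the boundary must carry the translated addresses (split DNS or DNS doctoring), or clients will resolve names to addresses that land in your own 10.0.0.0/16.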



SAN network design advice

Our Storage Network engineer recently left the company and I inherited his responsibilities. We have a dual-fabric SAN with 10 switches per fabric. There is a mix of 8 Gb Cisco MDS 9513, 16 Gb Cisco MDS 9710 and 32 Gb Cisco MDS 9710 running in a partial mesh topology.

The partial mesh topology doesn't seem logical to me but I got told it's a result of our growing infrastructure without thinking of a proper topology, for example a Core-Edge topology.

First of all, our SAN works and we don't need to put a lot of effort or resources in it. I'm now 2 years with this company and we haven't had any serious issues so far. So I'm cautious to make any changes.

We have different VSANs and template starter zones in place for most of our storage systems. Whenever a new server needs to be zoned, the template zone is copied and the server WWNs are added. I don't know if this is a general best practice but it seems to work and causes no problems. There is always the possibility someone removes all the zoning in a VSAN by accident, but we do take regular zone backups.

I've been reading about Cisco Smart Zoning but I don't see much value in it for our company. What do you guys think? Any advice for my position? I have more of a sysadmin background so this SAN network is a bit new for me, but I'm eager to learn.



Rx Errors on Aruba 6200f

I recently upgraded from an Aruba 2530 series switch to an Aruba 6200f series switch. About 2 days later all of our Infinias door controllers on this one switch start showing up as disconnected in Infinias. Ping reveals a ton of packet loss. We power cycle the door controllers get about 10 good pings then they start dropping packets again.

The interfaces show high Rx errors and CRC/FCS as well. I then think maybe I need to set the port speed, so I research and see that the door controllers are 10-T Ethernet and set the port to speed 10-full. I then power cycle the door controllers (they are PoE).

That doesn't work so I set them to 10-Half and power cycle the door controllers again. That Still didn't work so I then set them back to 10-full and power cycle the switch. All appears fine now...

I'm not seeing anything stand out in the logs... This is all the logs show now.

2021-04-27T02:11:40.070115+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
2021-04-27T02:11:34.058368+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 2c:f8:9b:50:de:0f is updated on 1/1/48
2021-04-27T02:11:10.623885+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO| Throttled 1 Messages
2021-04-27T02:10:40.042534+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
2021-04-27T02:10:35.658218+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 2c:f8:9b:50:de:0f is updated on 1/1/48
2021-04-27T02:10:10.026049+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
2021-04-27T02:09:45.618456+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO| Throttled 1 Messages
2021-04-27T02:09:40.022143+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
2021-04-27T02:09:10.014050+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
2021-04-27T02:08:46.189502+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 2c:f8:9b:50:de:0f is updated on 1/1/48
2021-04-27T02:08:40.614158+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO| Throttled 1 Messages
2021-04-27T02:08:09.994235+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
2021-04-27T02:07:51.277628+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 2c:f8:9b:50:de:0f is updated on 1/1/48
2021-04-27T02:07:39.986369+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
2021-04-27T02:07:10.608433+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO| Throttled 1 Messages

Port 5 is connected to a phone and port 48 is connected to our ISP's network. Either way, not sure if what I'm now seeing in the logs is normal.



One of our Buildings Suddenly Went Down Offline This Weekend

Hi all,

We had a network outage in one of our buildings on the weekend just gone. I wasn't on-call so my colleague had to deal with it.

The building access layer switches all connect back to a distribution switch stack (a stack of two Cisco Cat 9200L units - yes I know 9200L is an access layer switch but there's barely any load on them) and from this switch stack we have a cross stack ether-channel that connects back to our two main server rooms on-site, our "core" Cisco C-6509 VSS chassis pair using a Layer 2 MEC. Luckily, I recently built a new syslog server so we do have some logs to help show what happened during this outage. It happened on Sunday 25th March at 4:16am. Here's the syslog for the switch stack and the core side:

https://github.com/smartiedude/Issues/blob/main/2021-04-25--Syslog.txt-switch-stack1.txt

https://github.com/smartiedude/Issues/blob/main/2021-04-25--Syslog--core-6509-side.txt

I've also attached a gif showing a picture of the topology to help you visualize it:

https://github.com/smartiedude/Issues/blob/main/Drawing2.gif

Looking at the switch stack side logs I can see that both stack members have reloaded... Chassis 2, followed by Chassis 1... in the stack. I have no idea why this happened. I have some questions I don't understand that I was hoping you might be able to help me make some sense of....

  • Why did the switch stack suddenly decide to reload on its own at 4am?
  • On the core side logs, the two interfaces on the "core" C-6509 VSS chassis in both server rooms went into an 'error disabled' state. Why is this? There are two logs on the core side at 04:17:57 that indicate this was because of a "channel-misconfig error", but I don't understand why a switch stack chassis member going down at the other end would suddenly be classified as a misconfig error.
  • Why did STP start flapping on Po22 on the core side? I was under the impression that if one of the Po members dies then STP should remain stable, because Po22 and all its members are considered one individual link.

My colleague didn't quite understand what happened or what caused the outage at the time he was called. All he told me was that he logged into the core side and brought the two downward facing interfaces back up by 'shut', 'no shut' to get them out of err-disabled state on the core side (which you can see in the logs because I've got command archiving being logged too so I can see what commands anyone entered on the CLI) and it all started working again. He didn't know that both chassis had actually reloaded on the downstream building side switch stack until I showed him in the logs afterwards.

Any info, advice or experience is welcomed.

Thank you my friends.



How does Cisco Partner smartnet work?

So I have a SMARTnet for a Cisco device via a Cisco partner. They provide the first few tiers of support and can send me IOS files when I need them.

I checked with the Cisco sncheck tool and it says there is no support. The providers engineer said this is normal and they will still provide the support etc.

This doesn't sound right to me? Surely if Cisco say it's not in support then I'm not legally entitled to software updates and TAC support?

Does anyone know where it says in the partner agreement with Cisco that every device needs an agreement, or am I wrong?



Campus to Data Center spine-leaf

I know this has been discussed here, in different iterations, but for the life of me, I'm not finding the perspective I need on this.

Complete campus redesign, including the basement DC, and now would be the time to do it. If we were to convert from a classic 3-tier campus network to a spine-leaf, what is the simplest/preferred method for tying the rest of the office network into the new DC design? I keep going back and forth between carving out a core/distribution and connecting that to a leaf to have a defined delineation (and maybe a safety blanket) between the old way of networking and the new... Or does it make more sense (mostly cost) to simply tie access closets to a pair of dedicated leafs and use those as my aggregation point? I appreciate relevant perspectives on this. Also, just know I feel like a noob for asking this.



Monday, April 26, 2021

Why should Network Engineers learn Linux?

Hello. I had an interesting debate at work regarding this question: Why should Network Engineers learn Linux?

Some people think we should learn Linux for X reasons, other people think that learning Linux is pointless for Y reasons.

Based on your experience, what do you think?



Juniper MX204. Please send help.

Hi all, I am a project manager who has started working in the telco industry in the last year. They specialise more in the enterprise and govt. market rather than retail and I am mostly involved in I&O projects. I have learnt a little about each of the different engineering types and how the technology works. I have mostly been educating myself online as required but I'm now on a project that has a tech aspect I just can't wrap my head around. If I ask the designers and engineers to simplify it for me one more time I am positive that I will lose all credibility and my project will fail. I obviously don't want to reveal too much so hopefully I am giving enough info for someone to explain this like I am five. It is also quite a large project so I will just be using a singular example of one component. I believe the simplest way to describe it is:

We are implementing aggregation hardware (Juniper MX204 universal router platform) on an existing backhaul to maximise efficiency at the interconnection point.

I have been operating on the assumption/belief that the purpose of this activity is to increase network capacity. Likely because all my previous projects have been around increasing capacity on the fibre network. However, one of the engineers just corrected me that we are not trying to increase capacity. So what is the purpose of the agg hardware? What does it achieve?

Please be kind in your replies. I know this might sound like the stupidest question ever; it's just that I went too far down the rabbit hole (technology wise) that now I'm having trouble forming a high-level, big-picture understanding. Also, I know that PMs don't necessarily need to deeply understand the engineering side of things; but I am far more effective when I know what the hell is going on.

SOS



Jumbo Frames, let’s talk about it.

I always see some of the comments agree. Some portion agree with tweaking it or leaving it as is. This makes it extremely hard as a rookie, to determine what is the proper step to best optimize an environment. When it comes to performance tuning an environment, what is the official recommendation? Is the other half comments just saying to leave things default because they don’t understand something? Is the other half stating to do things just out of a 0.9% performance increase? Is it an ego or self pride thing? Is it a vendor oriented device thing? Which white paper do I confirm to begin coming up with a solution? I’m genuinely fucking lost. Please fuck me up with knowledge, I beg you.



Dell Force10 Stacking - does it create bottlenecks?

When stacking 2 x s4810 switches (stacking, not VLT, MLAG, LACP, VSS, etc. ), are you limited to a 40Gbps link? There's no way to utilize more than one of the 40Gbps ports?

Within one switch, the fabric capacity is 640Gbps. So 40 is pretty darn limiting in comparison, no?



Bricked in rommon mode, flash is missing

Hello all,

I have a C3850 that was powered on for the first time today, and seems to be bricked, only booting into rommon mode. The flash directory is missing, and I can't do an emergency recovery because the sda9 directory is missing as well. I tried to boot from a usb flash drive but that is failing as well. This switch has been sitting for a couple of years and had never been utilized before. Below I have listed in the comments the output for my boot attempts and directory verification/troubleshooting. Any input or assistance is greatly appreciated.



Spanning-Tree Path Cost Long Method (32 bit path cost value enablement) Considerations?

Hi,

We're planning to enable the long method (32 bit value) for spanning-tree path cost across our switches, and I am curious if anyone has done this at a reasonably large scale before and what the implications of the change were. Did the spanning-tree process treat this as an event that required re-convergence (a topology change), or was it relatively seamless/low-impact and the path cost values started to reflect the 32 bit / long method shortly after this option was enabled?

Thanks!



Moca Coax Splitters: Powered vs Non-Powered

Hello everyone,

I'm a bit of a makeshift IT/Network admin for a small manufacturer. Loads of fun. The building we work in was built in a different century. The place was long wired for coax, but not ethernet and I don't have budget/permission to start wiring. Instead, I have set up a moca 2 network which is working decently enough for our needs. I'd like to extend it to several more rooms with an 8 way splitter.

Should I get a powered splitter or an unpowered one? Why should I use one over the other?



Help w/ port-tagging / VLAN issue on Cisco 4321 router

I have a Cisco 4321 router that is currently connected to a Verizon internet connection. The Verizon internet connection requires port tagging on VLAN 40 in order to see their network. As such, I have configured the port like this and can successfully ping Verizon's default gateway (xx.xx.xx.13) and other IPs across the internet.

interface GigabitEthernet0/0/0
 description Verizon
 ip address xx.xx.xx.14 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
 port-tagging
 encapsulation dot1q 40
 set cos 0

My next step is to test connectivity from a workstation. I have set gi0/0/1 to have an IP of 192.168.0.1 and set up a workstation to connect to it with an assigned IP of 192.168.0.2. When I have the port set like this, it can ping gi0/0/1 (192.168.0.1) and gi0/0/0 (xx.xx.xx.14), but not the Verizon default gateway (xx.xx.xx.13).

interface GigabitEthernet0/0/1
 description LAN Facing Internet Subnet
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto

I am of the belief that port-tagging to identify the traffic as part of VLAN 40 is potentially the culprit. As such, I have attempted to configure gi0/0/1 like this:

(1st attempt)

interface GigabitEthernet0/0/1
 description LAN Facing Internet Subnet
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
interface GigabitEthernet0/0/1.40
 encapsulation dot1Q 40
 ip address 192.168.0.1 255.255.255.0

(2nd attempt)

interface GigabitEthernet0/0/1
 description LAN Facing Internet Subnet
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
 port-tagging
 encapsulation dot1q 40
 set cos 0

...however, the workstation cannot ping gi0/0/1 nor can the workstation be pinged from the 4321 router.

What am I missing to get the workstation to use the internet through the router in this scenario?



Networking of the future to include cloud and automation?

I'm sure we've all had these discussions with our co-workers at some point, but lately I notice when I mention I'm studying AWS SAA-C02, I almost get this look of 'why'? Sometimes I get the actual question "What made you want to study that?" and I have a time of explaining... because I'm interested in it, but also because I think our network engineering jobs are heading that way along with automation in the future, down the road, however you want to put it. I'm curious though what you guys think. I mean Cisco offers DevNet now, so to me that speaks something for us as network guys. Would it be beneficial for network professionals who are still going to be in our field 15-25 more years down the road to be proactive in learning automation and cloud, or should we just stick with enterprise R&S? Thoughts?



Moving from ops to engineering

Hi All,

After 3 years in operations (which was quite successful, as I was promoted in-team) I changed to an engineer position which turned out to be a really boring project, and the only thing I could benefit from was that I got acquainted with firewalls (PA) and security. Other than this, my main activities now are user support and administration.

I've applied for a few engineering positions. Two were really promising. The first I failed by not much, but that position was really demanding, including the regular routing and switching but also wifi, VoIP and security. And this is a role I am really looking for. They declined me because they needed an engineer who knew all of these things right off the bat, because the previous engineer had almost finished his notice period. (I'm really curious if they found someone in this very small time range..)

The second one was a bit over my head, but they decided to invite me to a first round interview which was 80% technical. Technical as in the interviewer did not go into too much detail; it was more of a high level discussion. What did I work with, how I used tools, troubleshooting methods and so on.

And this is where I felt that I'm missing the key skills that make an engineer an engineer. E.g. designing, implementing, even some project management aspects.

The problem is that I'm in a senior role now with senior pay, so yes I could go back to a junior role but that would cost me at least 30-40% pay reduction which I would avoid.

Question is: how can I acquire meaningful skills in this area without a real engineering job?

Thanks in advance!



Cisco ISE and Cisco WLC

Hello all,

I am unsure if this is the right place to put this, so if it isn't, please let me know a better place to put it.

At my job, we are having an issue with iPhones (Maybe all Apple devices, but I'm not sure), Cisco ISE, and Cisco WLC 5520.

We have an SSID named "X-Wifi" that is used for employees to connect their personal devices so that they can get Internet access. The SSID is set up to go through a Guest Flow in ISE, and the employee gets a browser re-direct to ISE asking them to authenticate themselves using their AD credentials.

ISE is set up so that the employees are required to re-authenticate themselves every 30 days. On Android phones, this works fine. Every 30 days, the Android phone user gets redirected to ISE, where they enter their AD credentials again, and they get Internet access again. On iPhones, this re-authentication process does not work. After 30 days, the iPhone user does not get redirected to ISE, so they never re-authenticate, so they lose Internet access.

The work-around that we have been using is to have the iPhone user Forget the X-Wifi network, and then re-connect to it. Once they re-connect to it, they get the browser redirect to ISE requesting that they enter their AD credentials.

We use ISE version 2.4.0.357 Patch 11, and WLC 5520 version 8.10.112.0.

I thought that it is caused by Apple's CNA feature, however, everything I have seen on it says that the initial re-direct won't work if that is causing the issue. Also, I read that the fix for that issue is disabling captive portal bypass on the WLC, which it is disabled at the global level and the WLAN level is set to None.



Layer 1 | How could I find a SIM card for SMPP

Hello,

I’m looking for a way to make my own OTP / 2FA. I’m looking for a SIM card that is compatible with SMPP protocol.

I looked at the phone providers in Canada and they don't seem to offer such SIM cards. I don't want an expensive plan because I will not send a lot of SMS/MMS.

Not it’s for testing.

Let me know what provider you suggest I go with.



Quick question

If I was to make a connection between a home PC and a remote web server, which layers of the OSI model / protocols would be referenced (in order from PC to web server)?

Thanks



Cisco Smart Licensing

If I were to get a Cisco 9k switch, i.e. a 9300 with Network Advantage and DNA Advantage:

Would it be possible to not connect it to the smart licensing portal at all fresh out of the box and all the function would not be affected?

I know that you have an EVAL mode for the first 90 days, so does this apply to both Network Advantage and DNA? So after 90 days, do the L3 routing capabilities stop because Network Advantage wasn't able to call home?



How would I stop getting copyright infringement emails?

I recently got a copyright infringement email and got it again for the same file how would I stop getting them?



Anycast DNS

Hello,

Has anyone configured Anycast DNS using a single subnet stretched between sites?

Any advice appreciated.



EVPN on Catalyst 9300 switches

Hello All,

I have just theoretical knowledge about BGP EVPN. Does anyone know if a Cisco Catalyst 9300 with the Network Advantage license can be used to set up a lab for BGP EVPN? I saw the Cisco configuration guide for the 9300 (BGP EVPN), but I don't know which features are supported on this platform. If someone who has implemented EVPN on a C9300 would please share their experiences. This would be just a lab setup for learning purposes.



Experience with outdoor network cabinets?

I'm thinking about setting up an outdoor network cabinet for my NAS. I've found a few with an IP67 rating, but I was wondering if you guys have any experience with these types of cabinets.

I'm worried about humidity and fog getting in and corroding electronics. Temperatures not so much.

Any tips or experiences you guys can give? Thanks.

Edit: IP rating



Best Practice for Jumbo Frames Switching

I'm trying to wrap my head around jumbo frames... The network that we're building will have some endpoints that generate some jumbo frames. To my understanding, these frames will never be subject to routing - they'll remain within the LAN and strictly be subject to switching.

The entirety of the network comprises 2 x C9300 switches.

What are the best practices for something like this? Create a dedicated VLAN for jumbo frames? Cisco seems to advise to use a separate switch dedicated for jumbo frames, is this the right way of doing it?



Multiple bgp peering / migration

I have to migrate some active prefixes from ARIN to RIPE (new AS number) on an active peering and am currently planning out the steps to do it. Would appreciate input from anyone who has done similar.

My plan so far is to

  1. Get our ISPs to add an additional dot1q transit interface to our circuit with them
  2. Configure my side to peer with them from the new ASN but not advertise/accept anything initially.
  3. Advertise an unused/spare prefix on the new peering and confirm operation is okay
  4. Transfer prefixes from ARIN to RIPE
  5. Stop advertising prefixes on old peering and start advertising them on the new one
  6. Test

How does that look? Am I making this more complex than is required?

Should I just change our ASN on the existing peering and get the ISP to update their side and call it a day?



LACP bundling time

Hey guys!

Been breaking my head and researching LACP options for a few days now... I'm doing some practical labbing with some of my older 2960 switches (lacp rate fast not supported). And I cannot come to a conclusion on whether LACP active/active bundles the ports faster than active/passive. Is there any other way to make the links bundle faster?



Sunday, April 25, 2021

Can an ISP see the applications used on mac?

Long story short, I need to know if the ISP can see what apps I'm running on a MacBook Air.

I just need to know if my parent would be able to call the ISP and ask to see what applications have been running on my computer (e.g. a game).

If so, is there a way to hide the fact a certain application is running from the ISP, or make sure they aren't able to call and ask the ISP for the info (maybe something with the router settings; I can get into the router login page)?

That's all, thank you



Resource monitoring

I have been looking into available software both free and paid subscription for monitoring devices within a network. Looking for any recommendations that anyone uses for work. Currently looking at Libre, IP Monitor, PRTG. Goal is to be able to setup alerts for events such as firewall failover or if a switch in a stack fails. Additional goal is to be able to take backups of network equipment configurations. Any recommendations appreciated would be for environment mainly of Cisco devices along with servers both physical and virtual.



Bulk config of a few hundred access switches

What does everyone do when they have to program a few hundred access switches? I have to configure around 100 of these HPE Aruba 24 port managed switches. I am pretty good with Ansible and general scripting languages, but these will be fresh out of the box, so SSH is not set up. Assume DHCP is set up and can be leveraged.