Saturday, May 22, 2021

Fiber slack cable management

We have to make this pretty but I’m new to it. How does one manage this much slack in fiber? Premade cables, and the rack is very near this open warehouse location. If you know any other subs that are more appropriate, thanks!

https://imgur.com/gallery/gjbG1dA



Need some advice for new networking design

Hello networkers,

I am an IT/Broadcast engineer at my organization, and recently someone offered me a side job to run and design the network for a small organization. I have a good background in networking and have been working in this field for almost 3 years. I recently finished both OCG CCNA books, did the Chris Bryant, Neil Anderson and David Bombal courses and did many labs. But I have a problem with choosing the best products; for example, now we have to find a firewall for an organization with 20+ users. Can someone help me please? Not an expensive one, nor the cheapest one.

Thanks in advance, Doski



Beginner networking courses

Hello! I’ll be going to college for an IT program with a major in network systems in the fall. Can anyone provide some good online courses to familiarize myself with networking terminology and some of the basic concepts? Thanks!



Anybody Buy SFPs from FS.com?

This company fs.com, does anybody use them? Their SFPs are super cheap, and I guess it's all Chinese surplus. Are they worth buying from?



Is ansible the end of line in network automation?

I would like to start a little discussion about today's network automation

I have been working in network operations since 1995. As a Linux fan from the beginning it was always normal for me to automate configuration tasks in script languages like bash, perl or python. At a large German service provider I worked for in the early 2000s, it was common to generate configs for large customer rollouts using the MS-Word mail merge function o_O. There I was already an alien with my bash and perl scripts; and that's how I felt there.

Nowadays, when you hear the keywords "network automation" you inevitably stumble upon "Ansible", as if it's the de facto standard for this. Is that the case?

In short: I really hate it!

I can't get these "data-model driven" YAML definitions as an abstraction of sequential jobs through my head. I don't know what advantages Ansible brings me. I have done an automation task with python and common and well known software modules like paramiko, XML, JSON, requests and pyEzNC 10x faster than with a collection of Ansible modules each using different authentication mechanisms and task methodologies. Without having the Ansible reference open all the time, I don't have the slightest chance of logging in to just one router.

Am I the only one here? Is Ansible only a tool for the Word mail merge users I mentioned before? Or should Ansible really be the de facto standard for the automation future? - I hope that is not the case.

I can't see that happening.



How exactly is packet size determined?

Hello, I transmitted a text file via TCP and captured the resulting traffic into a .pcap using tcpdump.

What I would like to know is, what exactly determines the size of the packets containing the data sent (obviously not counting SYN and ACK packets).

Each packet/frame was 1466 bytes long including the 14 bytes of the Ethernet II header and IP and TCP headers. Why is it 1466 exactly?

Everywhere I look online it says that the maximum size of a packet is dependent on MTU, which in my case (Ethernet II) is 1500B (not counting the Ethernet header). So, why is it 1466 instead of 1514, which would be MTU + Ethernet header? But I have a feeling I am misunderstanding something.

TL;DR - How is the size of a packet determined?

Also sorry if the question does not exactly match this sub as the description says "Enterprise Networking Design", but there aren't that many places where one can get networking answers.
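To see where the bytes of a frame like the one described above go, here is an added example (not code from the original post). It constructs a frame whose IPv4 header carries no options but whose TCP header carries a 12-byte timestamp option, so that 14 + 20 + 32 + 1400 bytes adds up to 1466; that layout is an assumption, not a claim about the poster's capture. The header length fields, not the total, tell you how the frame is divided, and the payload is bounded by the TCP MSS (MTU minus IP and TCP headers), not by the MTU directly.

```python
"""Dissect an Ethernet/IPv4/TCP frame into its header and payload lengths.

Added example; the frame below is constructed test data with documentation
addresses (192.0.2.x), zero MACs and a zero-filled payload.
"""
import struct

ETH_HDR = 14  # Ethernet II header: dst MAC, src MAC, EtherType

# NOP, NOP, Timestamp option (kind 8, length 10): 12 bytes in total
TS_OPTION = b"\x01\x01\x08\x0a" + struct.pack("!II", 1, 0)


def build_frame(payload_len: int, tcp_options: bytes = b"") -> bytes:
    """Construct an Ethernet/IPv4/TCP frame carrying payload_len bytes (test data)."""
    assert len(tcp_options) % 4 == 0, "TCP options must pad to 32-bit words"
    tcp_len = 20 + len(tcp_options)
    ip_total = 20 + tcp_len + payload_len
    eth = bytes(6) + bytes(6) + b"\x08\x00"  # dst, src MACs (zeros), EtherType 0x0800 = IPv4
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, ip_total,        # version 4, IHL 5 (20 bytes), TOS, total length
        0, 0x4000,                # identification, flags (DF) + fragment offset
        64, 6, 0,                 # TTL, protocol TCP, checksum left zero
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),
    )
    data_offset = (tcp_len // 4) << 12          # header length in 32-bit words, top 4 bits
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0, 0, data_offset | 0x18, 65535, 0, 0)
    return eth + ip + tcp + tcp_options + bytes(payload_len)


def dissect(frame: bytes) -> dict:
    """Read the real header lengths from the frame instead of assuming 20 + 20."""
    ihl = (frame[ETH_HDR] & 0x0F) * 4                              # IPv4 IHL field
    ip_total = struct.unpack("!H", frame[ETH_HDR + 2:ETH_HDR + 4])[0]
    tcp_start = ETH_HDR + ihl
    tcp_hdr = (frame[tcp_start + 12] >> 4) * 4                     # TCP data offset field
    return {
        "frame": len(frame),
        "eth": ETH_HDR,
        "ip_hdr": ihl,
        "tcp_hdr": tcp_hdr,
        "payload": ip_total - ihl - tcp_hdr,
    }


def max_payload_for_mtu(mtu: int, ip_hdr: int = 20, tcp_hdr: int = 20) -> int:
    """Largest TCP payload one segment can carry for a given MTU and header sizes.

    With 20-byte headers this is the classic Ethernet MSS of 1460; every byte of
    TCP options (timestamps, SACK) comes out of the payload, not out of the MTU.
    """
    return mtu - ip_hdr - tcp_hdr


if __name__ == "__main__":
    print(dissect(build_frame(1400, TS_OPTION)))   # 1466-byte frame, 1400 of payload
    print(dissect(build_frame(1460)))              # 1514-byte frame, the MTU-sized case
    print(max_payload_for_mtu(1500), max_payload_for_mtu(1500, tcp_hdr=32))
```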



Wifi to a distant outbuilding with no electricity

I'm on a mountainside acreage. 800ft away I can see the outbuilding at which I'd like to install a solar-powered wifi security camera. There is no electricity at the outbuilding, so battery/solar is probably the way to go.

Any suggestions on how to go about connecting it to my network?



Router Hops vs Switch "Hops" Terminology

What's the proper way to count, categorize, and factor in switch "hops." Router hops are for routers, etc. But intermediate switches I don't know how to properly talk about in succinct technical terms.

What's the proper terminology here?



Dual firewall DMZ - configuration issues

Hi everybody,

I need to create a DMZ with two firewalls that protect a server.

The problem is not the mechanism itself, but the configuration of IP address and Vlan inside and outside the firewall.

If you have got any advice, guide or similar project, feel free to share it.

Thank you everybody!



Screwed by Cisco COVID-19 exam extension

A warning for any certified Cisco individuals. I got bit by some “fine print” related to the COVID-19 exam extensions.

A bit of back story: I started down the Cisco exam path about 15 years ago and have carefully kept moving forward, taking an exam about every three years. I’ve achieved CCNA R&S, CCNA Security, and CCNP Route & Switch (now Enterprise).

The next certification I am going after is CCNP Security. In December of 2018, I passed the 300-206 SENSS, which left me the 350-701 to pass before December of 2020 to achieve CCNP Security.

I started studying in early 2020, and mid-year, when the six-month COVID-19 extension came out, I thought, “why not” take the extra time. So I slowed down a bit on studying and ended up taking the exam last week.

A few days after I passed the 350-701 I checked and saw that although all my exams extended to 2024, I didn’t achieve the expected certification. When I emailed support, this is what I received:


Your 300-206 SENSS exam expired on December 21, 2020, so you should have taken and passed the 350-701 SCOR exam by that time for it to be counted towards achieving the CCNP Security certification. Please note that Cisco exams have a fixed validity period of 3 years only. Although as a courtesy due to the Covid-19 pandemic we have extended the equivalent Specialist certification associated with this exam, which is the Cisco Certified Specialist - Web Content Security, for 6 months together with all your other active certifications, we have not extended the expiration validity of the exam. The 3 year exam expiration/validity remains the same, so the 300-206 SENSS exam still had an expiration date of December 21, 2020; therefore you should have taken and passed the 350-701 SCOR exam on or before December 21, 2020 for you to have achieved the CCNP Security certification.


What’s so annoying is that I could have easily passed in December had the extension not been granted. And I never saw it detailed that Cisco extended the certifications but didn’t extend the individual exams. How does that even make sense?

I’m asking support if I can speak to someone, but I doubt they will help. Posting in case this is helpful to anyone else, but my guess is it’s likely too late at this point for anyone taking advantage of the extension.



Download speed.

Hey guys! Not sure whether this is the right sub to ask this, please tell me if not! I am just wondering why, when I have a 100/100 connection, my download through the Blizzard app is only going between 10,5 and 12 MB/s? I’m using cable, so no wifi to the computer. Is there any router setting I can change, is it by default put at only xx speed or something? Thank you for any advice in advance!



very first in the world to achieve the latest CCIE certification

Hi all

I came across this post on Linkedin,

https://www.linkedin.com/feed/update/urn:li:activity:6800860899818139649/?updateEntityUrn=urn%3Ali%3Afs_feedUpdate%3A%28V2%2Curn%3Ali%3Aactivity%3A6800860899818139649%29

I asked him a couple of questions and this was his response regarding how he prepared for the new CCIE

Hi Walter, Thank you for your congrats and contacting me. I started in Dec 2019 with my CCIE preparations. Resources which I used are:

Books: See my Playlist in O'Reilly https://learning.oreilly.com/playlists/1f940e2b-6fcc-4333-965a-a05eb3de2df7/

INE Subscription: Went through the CCIE Enterprise course and also the CCIE deep dive RSv5 from Brian McGahan. TCP/IP video course, Wireshark.

Automation: CCNA DevNet from Cisco, Python for Network Engineers Kirk Byers, Nicholas Russo 10 Weeks CCNA DevNet preparation.

SDA: Khawar B course, including 20hrs rack access, CBT Nuggets Video course.

SDWAN: Khawar B course, EVE NG Lab is included, CBT Nuggets Video course.

Labbing: Went up to three times through the INE Workbook RSv5 (No Labs for SDx and Automation). I also entered a CCIE training here in Switzerland which lasts around 8 Months; in this course we received Technology Labs for every topic in the Blue Print, which was very useful and a similar strategy as in the real Lab. I had there an SDA and SDWAN Pod which I used during those months of preparation. The last 5 days of the course were like a Bootcamp and we were doing Full Scale Labs. Here is the link of the Training Institution: https://netacad.ch/kurse/cisco-networking-academy/ccie-enterprise-infrastructure/ I was also active in a Forum, with people who were also preparing for the Lab and some who already had a try at it.

Time: I spent around 1600hrs (or even more) for the preparation. 20-25 hrs appr. weekly.

Strategy which I used: First reading 30-50 pages per day, taking notes, watching videos, Labbing and repeat. :) Last 3 Months I spent time only on Labbing.

The answer for point 4 is, the automation part was very easy for CCIE Level; if you know a bit of Python then you are well prepared. CCNA DevNet is enough for preparation. Hope this is useful for you. Thanks again. Best Regards Nuredin



Need help with finding switches and routers for project

In my project, I am from a company tasked to implement a WAN spanning different countries. I am then supposed to find switches and routers that can be used to implement the LAN network in each of these countries. Do you guys have any recommendations for the most cost effective switches and routers? Or can you guys tell me what to look out for when looking for these products? These products should also be able to function for long-term usage. I need help since I am still very new to networking.

I currently have the Cisco 9300 switch in mind but I don’t know if it's too expensive.

-Each country has over 1000 hosts

Any help would be greatly appreciated!



Friday, May 21, 2021

Installing certificates on BYOD system

I want to install certificates on user devices for EAP-TLS authentication.
Can I automate the installation part using a web application, or will I need a native application for all the platforms?



Why does PacketFence have two RADIUS servers?

I want to configure PacketFence for my local network. I successfully configured FreeRADIUS and now, when I installed PacketFence ZEN, I saw two directories for RADIUS that seem almost the same to me!

/etc/raddb/
/usr/local/pf/raddb/

So, can someone explain why PacketFence has two RADIUS servers? Thanks!



TPLINK OC200 suddenly stopped working, Router sys log "DHCP Server rejected the request of the client". All we did is reorganize the server rack. HELP!

While everything is on 192.168.0.1, the controller per the router says it's on 192.168.10.xxx

Factory reset did nothing, I'm so confused... Need to fix by Monday...



Adding NTP authentication to core and all distro/access switches. Will this cause service disruption?

Layout: Core gets time from industrial GPS clock. Core is set up as NTP server, and all lower level switches get time via core IP address.

There is currently no authentication / key on NTP.

If I do this in the day, will it cause connections to drop? These are all static routes. I'm assuming the only trouble I will get will probably be with the remote syslog server?

Core switch:
Ntp authenticate
Ntp authentication key XXX
Ntp-trusted key 1
Ntp server 192.168.100.100

All other switches using CORE as NTP server:
Ntp authenticate
Ntp authentication key XXX
Ntp-trusted key 1
Ntp server 192.168.100.200

Thanks



Datacenter Core and Edge iBGP update-source loopback IP routing? Static or OSPF?

Looking for insight or personal experiences on which method is best for advertising loopbacks for iBGP. Static routes or OSPF.

Edge is two ASRs and core is two Nexus 7Ks. Any caveats for either? OSPF adds a level of complexity that could prolong troubleshooting. No plans to use OSPF other than possibly for this situation, so it would be a rather simple implementation. Any advice appreciated.



Confusion over SFP+ module compatibility

Hi all

I have the following configuration that I'm trying to get working:

Server with a Broadcom/Qlogic BCM57711 Dual port NIC connected to a Dell Powerconnect 6224 switch with 2x 10GB XFP module addon

Switch has the following module installed:
Dell FTLX8511D3-FC 10Gbps XFP Transceiver GP-XFP-1S 02C4K7

I used the following module in the server end:
Cisco SFP-10G-SR

I'm using an Orange (I think OM2) multi mode fiber patch lead

The port on the server doesn't come up - it has windows installed and it's not disabled or anything stupid like that.

I know the modules at both ends are OK because if I put the Cisco 10GB module into a Cisco Nexus 5020 switch, and connect that to the Dell switch, it works!

And the server NIC is also OK, because if I connect a DAC cable between it and the Cisco Nexus, that also works. It's just this particular setup with the Dell switch that doesn't.

Should the Cisco SFP+ module not work in my network card? I can't find any info online that says if it should/shouldn't.

Thanks in advance



Structured Cabling Small Jobs

For those of you working in organizations that have their own maintenance/facilities/physical plant folks, do you let them run cable for your small jobs? We get the occasional request for a new drop or to have a drop moved and it's getting tough to schedule our vendor for these small jobs. I'm getting some pressure to move to this model and I have some reservations.



How do I enable recirculation interfaces and multicasting group on a Arista vEOS in GNS3?

I'm trying to implement VxLAN on a network which I built on GNS3. If I try to create a recirculation interface, I get the "recirc-channel not supported on this hardware platform". I had the same problem with BGP, but enabling multi-agent fixed it so I'm assuming that there must be a similar solution. I also get the same message when I try the "vxlan multicast-group" command. How can I fix this?



Can't port forward on ZTE ZXHN H168N - HELP!

I have searched through the internet and tried all the possible ways to port forward on my router, but I can't find a single blog that has similar options on their router as mine! Please help.



AIR-ACC1540-KIT1 Thread Pattern?

Does anybody know what the thread pattern is for the dust cover cap of a Cisco 1542i Access Point? I want to run flex conduit straight to the AP without having to use a gland, but I need to create an adapter that fits standard fittings. I have scoured the tech specs but nothing tells what the thread patterns are.

Cable glands work okay in mild conditions, but I've found that in extremely wet conditions running conduit straight to the AP is the only way to survive long term. Just need to find the right thread adapter.



VMware management in distributed environment

We have different teams managing different parts of our infrastructure, which means one team manages the networking part and the other team manages datacenter resources (server, compute, vCenter).

Now earlier this was fine as the segregation was apparent and boundary between these two teams was clear.

However, over the last few years we have transitioned into more of a virtual environment and now our Netgear is also mostly moving towards virtual infra.

This has given birth to the question of whether data center resources are to be managed by the data center team only, or whether we shall segregate the resource/vCenter management of network infra and give it to the network team.

Any suggestions or experience is appreciated.

Thanks



Anyone else having trouble with TAC with the COVID outbreak in India?

Not complaining at all, their families and livelihoods are much more important than my broken metal boxes. Just curious if anyone else is getting the same results. So far we've had issues with Palo, Aruba, and Cisco TAC this week. I'm talking 48 hours to even assign an engineer to a critical priority outage ticket. There is just no one available.



Sending raw 802.11 frames

So this is a question about networking but also about C and Linux so I don't know if this is the right place.

What I've got so far: A C program using raw sockets to send frames and a beacon frame copied from wireshark with changed SSID.

I have several questions.

First: Do I need to be in monitor mode to do packet injection? I believe aireplay-ng does packet injections in monitor mode but I noticed that the mac address of interfaces in monitor mode changes and my C program gets the wrong mac address (with the SIOCGIFHWADDR ioctl). There is also a permaddr listed but that doesn't work either.

Second: When I send the frame with a hardcoded MAC address through a monitor mode interface, the packet shows up in Wireshark but not on the list of available access points on my computer or phone etc. Do I have to change anything else than the SSID in the frame I copied?

I am not trying to build a practical program or library for packet injection. I am only interested in the low level/learning experience and therefore don't use any libraries for this.



Question regarding VPC and CDP.

I don't think this will be a problem but I am asking out of due diligence before I accidentally cause a problem.

Context: We have shipped a pair of Nexuses to a very remote PoP. One is ours, the other we have sold to a client. Now we reached a gentleman's agreement with the client that we will make a VPC and help each other out with redundancy. Which we did.

Naturally I want to shut off CDP and LLDP towards the client's switch which is in a VPC pair.

Will shutting off CDP have any negative effects on VPC?



Discussion: Need career advice.

Hello networkers,

I am 36 years old with 13 years IT experience and 11-12 years in the networking sector. I'd say my position/experience is between experienced and senior network engineer. However, I am struggling to get the position I feel I deserve and I need advice on how to do so.

I got this feeling that I am either selling myself too short or that I am applying for the more challenging jobs which get me rejected. Although I am grateful for having a job during these times, there is still that feeling that says "Come on man! You can do better than this!".

A bit of background. I am from an island nation of 800k people and worked for the only Cisco silver partner on the island. We were doing everything: hospitals, universities, government, military etc. In 2013 I moved to the UK, where I was then moving jobs every couple of years. The last job I got was "Technical Design Authority" which sounded great, I loved the challenge, but the reality was far from it.

It appears that the company was more of a scam, with managers not knowing the difference between a DVD player and a router and people leaving every month. To give some hard facts, I joined in August 2018 and left in October 2019. When I joined, the company was around 50 people and when I left they were less than 20. They eventually got sold to another company in mid 2020, where they kept 7 people and had millions in debt.

Anyway, I changed from TDA to Network Engineer in a conglomerate. I pretty much do nothing most of the day; however, at first I was happy because this was my first contract job. The salary was decent, not great, but it was my first contract spot, which I was happy about. Then 2020 came and the UK laws changed in regards to contracting, after which my boss offered a non-negotiable salary. I did not like the salary and I wasn't going to proceed. However, lockdown started and I got a bit anxious, so I just signed the contract and here I am.

Our profession has different meanings for different companies. For example, I once went on an interview in a company where they needed a Senior Network engineer. Although I answered most of the technical questions correctly on the second part of the interview ( I knew my stuff), I struggled on the first part. Questions like "Tell us an example where you have project managed a team in a project" or "Give an example of a successful migration to the cloud." or "We buy a company, what are the steps you do to integrate this company to our network?".

I am studying for AWS certs now, which I have had no exposure to in my current role (or any role in the past), and I am trying to improve my negotiation skills. But I really want to know what I am doing wrong. Or maybe I am feeling FOMO? I could improve my people networking skills.



Question about ACLs

Hello

I am currently studying network security and I am wondering something about ACLs. I know what they are and what their intended use is.

I also know that both routers and switches support this feature. Furthermore, I also know that having an extended ACL on an edge router facing the internet has a few benefits, like being able to filter all the traffic, and it can serve to connect a DMZ for example. And lastly, I understand the general rule that standard ACLs get placed closest to the destination address, and extended ACLs, since they can filter more traffic due to having more data defined, go closer to the source.

However, I don't really understand when you would use an ACL on a switch as opposed to a router?

I've been told that L3 switches can help routers with security so routers can focus on routing, but apparently ACLs don't affect a router's performance anyway because it's directly configured into the forwarding hardware? Also, leaving a router that connects to the internet with no ACL could leave it exposed to direct attacks on the router?

Can someone clear this up for me? Sorry if my knowledge is not precise I have only just started to study it.



Is "relay casting" a thing and what protocols should I look into?

We're having problems with multicasting taking too much bandwidth. There's a server which sends the same packets to 2 other remote servers. Instead of always having both packets traveling over our WAN links, I was thinking that maybe some sort of relay technology exists. So server 1 sends a packet to server 2. If the packet matches an ACL, then server 2 would send a duplicate to server 3.

Is that a thing? Can I relay packets instead of multicasting?



ipv6 prefix and AS number for lab environment & selfhosted services with tunnel brokers?

Hi all,

I recently deployed tunnelbroker.net on my lab for selfhosted services and started integrating it into docker. I really love the flexibility of making everything available to the net if I enable the forwarding rule for certain ports on my router.

I started thinking that the only issue I have with tunnelbroker.net is that if I change the tunnel to another provider or I made a mistake with the server location I initially chose I have to assign a completely new /48 range to my internal network. I will have to create the prefixes on my router again and redeploy all my docker containers with the static ipv6 addresses (which is possible as everything is automated with ansible but can be tricky sometimes).

Now my question. I stumbled upon: https://www.tunnelbroker.ch/tunnel. They are selling a 6to4 tunnel with an ASN number, allowing me to peer with them over the tunnel and have my own ipv6 prefix. Only the prefix seems to be limited to them. What would be the cheapest, easiest way to have my own ASN and ipv6 prefix (/48 is more than plenty) to announce to a tunnel broker? Are there any options available for small individuals? I do have a company for my after hours which I could assign the ASN to.



Open Source Monitoring / Focus Datacentre Environment

Hey Guys,

We are just planning a Datacentre Environment. Everything from Core Switching to Hosts will be HPE, Firewalling will be pfSense (maybe Sophos, still being decided). Storage is handled through the datacentre, including monitoring. For Monitoring at VM Level we will use our RMM Tool.

Just thinking about open Source Monitoring, on my list is:

Check MK, Zabbix, Icinga, Prometheus, Nagios

Main requirements are:

Hardware Monitoring, HPE ILO, HPE Aruba Switches

Hyper-V Monitoring, including CPU ready times, Cluster Health

WAN, VPN, Network Traffic

We would love to use visualization through Grafana because this is already set up (with other DBs).

Would be cool having some feedback what you guys are using.

Thanks in advance!



Thursday, May 20, 2021

Anyone familiar with (Aruba) dynamic segmentation?

So we're deploying/upgrading to Aruba CX switches. I've been reading about dynamic segmentation. I'm still not clear about it so I was wondering if what I have in mind is possible.

Basically I want to know if it's possible to plug in a pc/phone/wap/etc, do MAC authentication through Infoblox and ClearPass, and then once it's verified a user role assigns the appropriate VLAN on the switch port. Just figure that will save a ton of time as far as migrating all the devices over. The use cases doc I've read mostly talks about the mobility controller taking over, which I don't want.

Any help is appreciated.



Is there any way to turn a public Wifi connection at the public library into a wired one?

I'm trying to play Google Stadia on my Windows 10 laptop at my public library but I'm still getting bad lag spikes even on their 130 mbps, 3 ping Wifi connection. People always say ethernet connections for Stadia are the best, so I've been doing research into things like travel routers, wifi repeaters, bridges, and extenders that could possibly help with this, but I am at a loss on which one I should buy. I asked another redditor and they suggested [this](https://www.reddit.com/r/Stadia/comments/nhb712/is_there_any_way_to_turn_a_public_wifi_connection/gyvlnth?utm_source=share&utm_medium=web2x&context=3) but I'm unsure if that is a good idea. Anyone able to help me with this? Thanks.

Oh also I tried going on one of the library's computers, unplugging the ethernet cable on there, and plugging it into my laptop but my laptop won't recognize the connection. So that doesn't work.



Help! Androids won't stay connected to router without internet

So we use routers with no internet as a means of syncing data between a phone app and a postgres database.

Setting a static IP address has been our workaround on older phones, but on the new phones this doesn't fix things.

Any ideas?? The exact message is "no internet access detected won't automatically reconnect"... An annoying android update that I'm aware of.

Sorry if I'm posting to the wrong sub



Random ONT's throw OMCI COM failures until reboot

I work for a new small ISP, we are GPON FTTH using Adtran TA5k's along with their ONT's (mostly 411's). On one of our shelves, we are seeing OMCI com failure error messages in the logs abundantly. Our other few TA5k logs are clean with no OMCI com failures. We currently have a ticket open with Adtran, but nothing has been discovered so far. The uptime was 342 days, we reloaded, and the next day the logs started filling up again.

The issue seems to be becoming more common. About a month ago we noticed it on 1-2 accounts that reported loss of service until they rebooted the ONT. Then it is good for 12-42 hours. After pulling logs on the unit, we noted the OMCI com errors and assumed it was a bad ONT or maybe a physical issue. After replacing the ONT it was "fine" for a week or two, then it started again. We then worked our way back (replacing everything back to the main line fiber). The main line crew and supervisors went out and reported no issues. We then made our way to the CO and replaced some optics in case there was something off that we couldn't see. Nothing. Still the logs are full of the same error message on different slots and ONT's on the shelf. Has anyone ever run into a problem like this?



Topology based alert correlation?

Are there any products out there that are really good at network alert correlation? I mean correlating network device issues, as well as correlating network issues to app issues (like an app dies because the switch it was connected to died).

I recently sat through sales pitches from Big Panda and Moogsoft and both of them basically relied on you tagging all of your devices with common tags for them to group by.

Me: "how does it know that App A depends on Network Switch B?"

Them: "well you tag both objects with a common Location tag, and then our patented algorithm correlates them together! It's very advanced Machine Learning and AI"

Needless to say I wasn't that impressed.



Recommendations for Hosted Network Scanning?

I'd like to monitor our company's public IP space (several /24s) to track what ports are open, over time, across the entire IP address space. I don't want to home-roll a solution, I would rather pay for it.

I also don't want the full suite of vulnerability scanning. I really just want to know that any given public IP had port 443 open yesterday, but today it has port 443 and 80 open. And whenever there is a change like that, to get an alert of some type.

I think this could all be scripted in Linux using nMap, but as I mentioned I'd prefer a SaaS solution. Most of the solutions I have found online seem like they are going to include a lot of additional capability that will drive the price.

Can anyone recommend some SaaS that can do this for us?
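The change-tracking the post describes (port 443 open yesterday, 443 and 80 today, alert on the delta) is small enough to show end to end. The following is an added example, not from the post or any of the products mentioned: it parses two scan snapshots in nmap's grepable (-oG) style, diffs the open ports per host and produces alert lines. Both snapshots are constructed, using TEST-NET-3 documentation addresses.

```python
"""Diff two port-scan snapshots and report exposure changes per host.

Added example. The snapshots are constructed in nmap -oG style; the
203.0.113.0/24 addresses are documentation addresses, not real hosts.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: yesterday's scan of the (fictional) /24
SCAN_YESTERDAY = """\
# Nmap scan (constructed sample)
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
Host: 203.0.113.11 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 203.0.113.12 ()\tStatus: Down
"""

# Constructed sample: today's scan of the same range
SCAN_TODAY = """\
# Nmap scan (constructed sample)
Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (999)
"""

# "Host: <ip> (<name>)\tPorts: <port list>\t..." -> capture ip and the port list
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Return {ip: set of open port numbers}; hosts that are down get an empty set."""
    result: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        ports = result.setdefault(ip, set())
        m = HOST_RE.match(line)
        if not m:
            continue  # "Status: Down" or no Ports: field on this line
        for entry in m.group(2).split(","):
            # each entry is port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                ports.add(int(fields[0]))
    return result


def diff_exposure(before: Dict[str, Set[int]],
                  after: Dict[str, Set[int]]) -> Dict[str, Tuple[Set[int], Set[int]]]:
    """Return {ip: (newly_open, newly_closed)} for every host whose open ports changed."""
    changes: Dict[str, Tuple[Set[int], Set[int]]] = {}
    for ip in sorted(set(before) | set(after)):
        old, new = before.get(ip, set()), after.get(ip, set())
        opened, closed = new - old, old - new
        if opened or closed:
            changes[ip] = (opened, closed)
    return changes


def format_alerts(changes: Dict[str, Tuple[Set[int], Set[int]]]) -> List[str]:
    """One line per change; newly open ports are the ones worth paging on."""
    lines: List[str] = []
    for ip, (opened, closed) in changes.items():
        if opened:
            lines.append(f"ALERT {ip}: newly open {sorted(opened)}")
        if closed:
            lines.append(f"INFO  {ip}: no longer open {sorted(closed)}")
    return lines


if __name__ == "__main__":
    delta = diff_exposure(parse_grepable(SCAN_YESTERDAY), parse_grepable(SCAN_TODAY))
    print("\n".join(format_alerts(delta)))
```

In practice the "yesterday" snapshot would be the previous run stored on disk, and the host that was down yesterday but answers on 3389 today is exactly the kind of change that should raise an alert rather than disappear into a report.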



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Fibre-Links not working after new fibre cable installed. Help!

Hi all,

I posted this earlier but I didn't have much time to really put a proper post together, and I was on my mobile.

We have a link between 2 sites which went down, previously it ran a cat5 cable 146 meters, point to point (don't ask, I didn't do it).

Last Monday, something happened late at night and most of our switches went down. We had to bring the switches back up and then figure out why the links were 'flapping' when plugged in; turned out it was STP, turned that off, we're back in business.

Now the cable which ran to the other building, the port would flap up and down constantly, even when we turned STP off. The local cabling company came in and ran some tests and determined the cable was faulty as their kit was showing extremely strange readings, wrong pairs, strange disconnects....

We've had a fibre link installed by said local cabling company, they have installed a SC fibre patch panel at each side. Obviously our switches are LC fibre, so we've purchased some SC to LC fibre cables, plugged everything in, and nothing.

I've pulled the switch over from the other building and plugged them both directly into each other, bypassing the fibre link in-between, both SFP ports come up and everything is acting normal.

But when we run this through the newly patched cable nothing works at all.

We've swapped the fibre cables over on both sides of the patch panel, tried different SFP ports, replaced the SFP modules, still no link light on either switch.

We are using NetGear AGM731F 850nm 1.25GBd 1000Base-SX/LC SFP modules.

I have confirmed from the cable that the cabling company have laid a multimode cable, and that we're using multimode SC to LC cables from the patch panel to the switches.

I have followed the fibre light from the main switch over to the second building, and in the SC fibre panel, I can see that the light is there, I have then run this cable into the switch, ensuring that the light cables do not clash, still no link light on either side.

On the switches, we don't even get any logs to say anything is there, we get a log to say that the SFP module has been plugged in, but then when we plug the fibre in, it's as if it doesn't exist.

We have one of these on either side:- https://www.batna24.com/en/p/hpe-office-connect-1920s-48g-4sfp-switch-rmmjj

Does anyone have any idea? Any help would be greatly appreciated.



Help with a camera system

I'm going to install a large camera system for a business here in a month or two. There will be at least 30 PoE cameras installed on a segregated network, each camera using at least 8 watts of power, and I was wondering what I could power all the cameras with. My initial idea was to use a large 300W PoE switch and then plug that into a switch down the line, with other passthrough switches feeding the cameras themselves, to make everything a little more sleek in terms of cabling. Though on the large PoE switch I'm only going to use one port to feed into other passthrough switches, so is there a large enough PoE injector that could get this job done?



Catalyst 9300 Port Security Config

I am setting up port security on some 9300s. I want to make sure I have it correct before I start rolling the config out. Basically I want a max of 1 MAC address on most access ports (2 where we have Cisco VoIP phones and use the voice vlan command). I'm not looking to save the addresses in the running config, and I want a different MAC address to be able to use the same port if devices get moved. Not sure if I am going to use restrict or shutdown, but this is what I was looking to add on the access ports:

switchport port-security
switchport port-security maximum 1 (or 2 depending on usage)
switchport port-security violation restrict
switchport port-security aging time 30 type inactivity

I think this would give the desired effect of setting the max I want and clearing the MAC from the port if there had been no activity from that device for 30 minutes so a device could be moved. Am I correct here or have I missed something?



Question on multicast

Good morning all,

I'm trying to figure out a multicast issue that has apparently plagued my organization since before I arrived a couple of years ago. We have a vlan that we use specifically for imaging, but when trying to image at another location the multicast traffic is getting refused. One of our managers believes that our routers are denying the multicast traffic.

The way our network is set up:

We have a core switch where the VLANs reside. The different buildings all connect back to the core and are trunked. We have various Cisco 2900 series routers at each building that connect to one of the ports of the building switches; from what I understand they only route phone traffic (those are the only routes I see on the routers, and I think they're only used as a failover in case we lose the internet connection, in which case it switches to landline). The only routes I see on those routers are for the phone vlan.

When our hardware guys try to image a computer via multicast the traffic seems to go through to a certain point and then stops. As a test the router was disconnected and they tried imaging a computer again and lo and behold it worked. However, this doesn't make any sense to me as none of our other vlans are routed through this router so I don't see how it would be responsible for these issues? I'm getting ready to start digging into this further but I wanted to check and see if I'm wrong about the router possibly causing the multicast traffic to drop once it receives it.



Route Scale

So I got curious stumbling around Hurricane Electric's looking glass. I found that their AMS1 router has a staggering 700+ BGP peers configured, showing 114M routes "Advertised" and ~5M installed.

I assume 114M is just them simply adding up their "sent" routes in the table, which is fairly irrelevant. And I'm not sure the installed (FIB, I assume) count is correct either.

I know they're a Brocade shop (We have a few circuits from them, and they've said so). I'm *assuming* (You know what they say) they're using the MLX series.

If I assume that the "installed" route count is actually FIB, I don't see how they're doing it. The biggest MLX card does 2.4M v4 routes and 1.8M v6 routes. Am I missing something? It seems like the FIB stats Brocade publishes are per-card. Is this some kind of situation where they're scaling beyond a single card because only peers attached to a specific card eat FIB of said local card, and not the system as a whole? I.e., if you've got two -x2 cards with 2.4M FIB entries each, you can do 4.8M total on the chassis, but no more than 2.4M per card?

Hoping someone can clarify for me :)

Also, If someone happens to know what they actually run I'd be curious to hear.



I can't tell if I didn't set up my VLAN properly or if the problem is with GNS3.

I have set up a lab on GNS3 with Arista vEOS routers. I set up regular routing ports between the routers and each router is connected to a host. Hosts are part of VLAN100 and the end goal is to set up VxLAN. For now, I just want my VLANs to work. These are the configs I used (sorry for formatting, Reddit doesn't seem consistent no matter how many times I edit it):

ip routing
vlan 100
name Hosts
state active
int vlan 100
ip add 10.0.0.254/24
no shut
int eth12
switchport mode access
switchport access vlan 100
no shut

When I enter "show vlan", VLAN 100's only port is Cpu which not only do I not know what it is, but there should also be eth12. Entering "show ip int brief" shows vlan 100 as down and protocol being "lowerlayerdown". I followed the steps in the documentation so I'm a bit confused about what I'm missing.



Where to buy IP Range from?

I have a /23 from APNIC and that's the max they are giving, and I was wondering if I can buy more from anyone. However, the prices via brokers are like $27-30, and people are selling directly for about $20-$23.

Is there any way I can avoid brokers and get the IPs directly from the seller? Any such platform? Payment will be done via escrow.com



Default Gateway auto assigned is wrong

Hi all,

My comcast modem has DHCP for the network. 192.168.1.1 is the default gateway.

When I connect a computer and I check ipconfig, it is using 192.168.0.1 as a default gateway. No internet obviously. When I set a default ip and a default gateway of 192.168.1.1, then internet starts working.

How do I make the computers work without having to set a default ip?

Any help would be deeply deeply appreciated!



Do I need srr-queue and mls qos trust?

Hi there!

My users are about 90% wireless. On our access switches (configured by a 3rd party before my time), the trunk ports for WAPs (1gb) and uplinks (10gb) have the following configs added:

srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
auto qos trust

Overall mls config:

mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos

Should I remove this from our WAPs and uplinks, as we've been experiencing ongoing slowness (speeds get pretty bad) with WiFi for quite some time? Thoughts? Our routers are 3rd party managed and already have QoS in place for voice, as they host our VoIP.

FYI---I'm still learning all the ins and outs of srr-queue, so any help would be great!

cross posted



Create a network of RPi over evolving networks (WiFi/4G/other)

Hello all,
I'm managing a fleet of IoT devices based on RPi. We are currently using ZeroTier to make them discover each other even if they are in different locations. However, this solution is not working as we want, as we lose the connection and need to restart the RPi when the networking between two of the devices changes.
The main change that can occur is the devices going out of WiFi range, which is expected, so each of them has a 4G modem.

More concrete example:
Device A sends telemetry to device B. Both are in the same ZeroTier network and can communicate together (ping/ssh is fine).
Moving device A out of range of the WiFi makes it lose the link to B. Both are still connected to the internet, but cannot see each other anymore. Restarting device A solves the issue while it stays out of WiFi range.
My diagnosis is that ZeroTier hole-punching works against us. If we lose the first link it used to punch a direct route, then it is not able to find a new route.

I'm open to changing from ZeroTier to another service that would allow SSH access to the devices as well as communication between them.

Thanks for any help/suggestions anyone can provide.



NTP Test Tool (Symmetric Mode)

Hi All, I am looking for a tool I can use to test NTP on Windows, however it needs to support symmetric modes rather than just client. (i.e. use 123 for source and destination port) About the best solution I have come up with is to set up a Cisco IOS box on GNS3. Has anyone got experience with this?

Thanks in advance



Need some advice please guys

Hi all, first time poster here.

I'm wondering if I could pick any of your brains please.

We have a link between 2 sites which went down; previously it ran a cat5 cable 146 meters, point to point (don't ask, I didn't do it). Last Monday something happened late at night and everything went down until we arrived back in work the next day.

We've had a fibre link installed by a local cabling company; they have installed an SC fibre patch panel at each side. Obviously our switches are LC fibre, so we've purchased some SC to LC fibre cables, plugged everything in, and no dice.

I've pulled the switch over from the other building and plugged them both directly into each other, bypassing the fibre link, and we're golden.

We've swapped the fibre cables over on both sides of the patch panel, tried different ports, and it still doesn't work.

I've just spoken to the cabling company and they've confirmed they tested it working, and they're bringing some kit over now to test it again and prove it works.

Does anyone have any ideas what else it could be?



Domain controller APIPA

The domain controller receives an APIPA address when it has been assigned a static IP of x.x.x.1.
The DC also functions as the DNS and DHCP server. The DHCP scope starts at x.x.x.10-x.x.x.50.
But how is the DC getting APIPA, giving a duplicate IP?



IPv6 equivalent of 192.168.0.0/16 ?

Hello, I'm configuring a firewall rule and I need IPv6 support.

What is the IPv6 equivalent of 192.168.0.0/16?

IPv6 is fairly new for me, so I did not understand the results I got when I searched on Google.

Thanks in advance,
Tobi



Networking Interview Questions

1. Difference between hub, bridge, switch, and router?

2. What is SNMP protocol?

3. What are the SNMP header fields and the size of the header?

4. Difference between SNMPv1, SNMPv2, and SNMPv3?

5. What are the OSI layers?

6. What is the TCP/IP layer?

7. Differences between TCP and UDP?

8. What is the header size and packet size of TCP, IP, and UDP?

9. What is the use of NAT?

10. What are the Routing Protocols?

11. What is DHCP and what are the packets exchanged between server and client?

12. What is PPPoE?

13. What is VLAN and what are the different modes on VLAN?

14. What is ARP and RARP?

15. What is ICMP?

16. What is IGMP?

17. What is a 3-way handshake in TCP?

18. Which bit is used to close the TCP connection?

19. What is DNS?

20. What are the socket API calls on server and client in TCP or UDP?

21. How does the server find out what client port to send to?

22. What is IP tunneling?

23. What are the IP address classes?

24. What is the private IP address range?

25. What is a classful and classless network?



EAP-TLS authentication with automated onboarding

The access points of my network use EAP-TLS to authenticate client devices. The process for joining the network is too difficult for an average user. Is there a way I can automate this process by using an application or some software on the client device?
Most of the devices that connect to the network are Android and iOS devices.



Wednesday, May 19, 2021

What company(s) create and sell cellphone modems that support both BM818-A1 and BM818-E1 as a combined modem?

I'm thinking of buying the Librem 5 cellphone, but in order to use it I have to buy a modem for the U.S and another modem made to work in the EU. I would like to have a modem that combines both the U.S and EU networks on one modem so I won't have to swap them out.



Multiple 100G links over pair of fiber

Hello everyone. I am working on a project where I need to build 4x100G over a pair of dark fiber (2 strands). Distance between sites = 20km.

I am familiar with single lambda 100g CWDM optics but they only work within 10km. Are there any 20km or 40km optics available?

The other option that I am looking into is Solid Optics 8x100G EDFA MUX which seems to be quite pricey.

What solutions would you recommend?



Configuration question about Aruba 2920 switch

I am attempting to set up a port on an Aruba 2920 switch to allow an IP phone and a computer to share the same port. It's running the latest firmware, WB16.10.0014. The port is assigned untagged to the computer vlan and tagged on the IP phone vlan. It's my understanding that to do this I need to have the port in hybrid mode. At the CLI in port context, I've tried "port link-type hybrid" and all I get is "Invalid input: port". I searched for the port command and I see nothing. Does this mean the switch won't support what I'm trying to do? Is there another way with this switch, or will I need a different switch?



Nokia 7250 ixr-e 24sfp+ 8sfp28 2qsfp28 router

I came across some equipment in an estate sale. I have a pretty decent knowledge of corporate networking / equipment but this is way out of my league. It appears to have everything needed to be fully functional and brand new. Google is sending me down a rabbit hole. Can anyone share some knowledge?



Best practices for local pref/prepending with 2 BGP peers and default routes?

I manage the "edge" network for a small outfit that has a single AS and 2 gig ethernet transit upstreams that send me default routes only (kinda risky in my mind to take on full tables with a Mikrotik RB1100AHx4, but router upgrade is another story).

Right now the "preferred" transit provider (peer #1) has the incoming default route accepted and the local pref set to 100 and the "backup" transit provider (peer #2) has local pref set to 75. Bogons and </24 is filtered out by default, etc. No other local prefs used.

On the outgoing filters for each peer I don't do anything special with peer #1 and prepend the AS path 3 times on peer #2. I have no reason to pick 3 other than it's what seemed reasonable after some research.

The current goal here is to get the majority of traffic in/out through peer #1 (last I checked it's about 96%). I know this is a weird setup, but due to current issues with peer #2 I decided to set it up this way for now. Peer #2 will only be used significantly if the session/link with peer #1 goes down.

While I work through getting a third transit provider so I can drop #2, I am wondering if this setup is acceptable and if I'm missing something obvious here. After reading a lot about AS path prepending, it seems like there are possible issues, but this is where I'd appreciate some feedback. Any help is much appreciated!



Open source Monitoring that translates Cisco MIB's without customization and sends alert notification via REST

Hi All

Struggling to find some information and hoping someone may have already done this.

Basically I wanted to monitor a couple of Nexus 9K devices for SNMP trap alerts, but using something like the Telegraf SNMP trap collector would mean I'd have to translate the MIBs.

Our alert collector only receives API requests, so I wanted to know if there are some out-of-the-box open source tools that can receive and translate Cisco MIBs and have an alerting functionality that can post the alert to a REST endpoint.

Thanks for any help.



Interview tips for associate network engineer?

Hey y’all,

I have a technical interview for an associate network engineer at a large bank (sponsors-an-NBA-team large). I had my first round with the hiring manager, which was a mix of some leadership questions and technical questions.

I was up front and honest about my networking experience. I currently work for a FANG as a support engineer and a lot of our network is extremely automated. Most of the layer 3 issues get pushed out to a separate team, while most of what I do is more related to layer2 and layer 3 switches (vlans, span, trunking, SVI, and a little bit of OSPF). I also have some experience with BGP because our network peers with our data centers and some of our change management projects require me to do sanity checks, including verifying the health of those links.

This role is more technical operations, we support the network services (dns, routing, switching, load balancing, dhcp) while another team does the designing. What advice would you give to me?



Network report for management - what do you do?

Hi guys,

I have a non-technical, but nonetheless network related question to which I can't seem to find conclusive answers from the almighty big G.

Do you do any reporting for management? If so, what kind of information / data do you include there?

We currently create a monthly report of the utilization of interfaces that are connected to WAN links - while I think this is an okay-ish starting point, I think there is not much value in having hourly min/max/avg values.

The problem is that the receivers of this report have no real idea about networking, so I can't just ask them what they want.

I was thinking that e.g. something like "time an interface had utilization higher than X%" would be a better metric to report than average utilization.

What are your thoughts? How do you solve the "I want a report but don't know what I want to see in it" - Problem? What are some metrics you would consider useful to provide a high-level overview of network capacity and health?



How do you keep your ipv6 skills & knowledge up?

Like many of you here, I “learned” ipv6 to pass some certification exams early in my career. I’ve since then never touched v6 in prod and really I forget just about everything.

How do you stay sharp in this subject?



Very Weird - Device wont talk to L3 Switch unless L2 Switch is in-between.

The title is pretty much the TLDR of it. We have some odd stuff going on in our network. To make it short, we have a large ERPS-connected domain with thousands of endpoints, though not a lot of VLANs. The Master Node of the ERPS domain connects to another set of more powerful Juniper switches, which connect to other ERPS Master Nodes.

We have a new device (let's just call it an AP) that we need to get onto the network. It gets a trunked port since multiple VLANs will be used. When we connect it to one of our L3 switches, we cannot ping it. Not even if we connect to the same switch directly with a laptop. If we put a dumb L2 switch in between the AP and the L3 switch, it works.

Here is where it gets even more weird. With L2 Switch connected, and the laptop connected to the L3 switch, the pings are really high (20-30ms with 100+ spikes). If we plug the laptop into the L2 switch, then the pings are where they should be (under 1ms). There are no protection mechanisms on this VLAN like MAC Force Forwarding and IP Source Verify. There's not even a DHCP Server, it's all statically assigned.

Anyone got a clue as to WTH is going on? Our main netadmin is stumped.



Different site connected to one PC

Does anyone have a solution to my current situation?

I have been tasked with connecting multiple building control devices which are on different IP ranges in different geographical locations, for example, I have a building in London and a building in Luton and I want to pull data from both devices at the same time to one PC which has the software to display the information that I am pulling in from the devices.

I have been looking into DMVPNs, but each device has a different IP address which I can't change due to the configuration on site and the connection to the other devices on site.

I need to pull the information from these devices in real time, over 300 devices.



Cisco ASA question regarding multiple WAN connections and routing.

I know this was possible with SonicWalls and only took me about 5-10 minutes to set up, but I am not familiar with Ciscos.

We currently have 3 internet connections; I will call them WAN1, WAN2 and WAN3. WAN2 is hopefully going to go away soon and be replaced by WAN3, which will also be our primary internet connection. Currently WAN1 is our primary, so this was not an issue, but since we are going to make WAN3 our new primary we will have to have a few servers that continue going out of WAN1 no matter what. What would it take to pull this off? Is it just as simple as creating a static route for those servers like I would do in a SonicWall?

I'm asking this because we were forced to go with Cisco and outsource to an MSP which is managing our firewalls now, and I'm sitting here waiting two weeks for this to get done.



Cisco, anyconnect, LDAP and local auth - both?

Hi all,

We are going to be switching our anyconnect users over to Duo in the not too distant future, but in the meantime I have a site where all users are connecting to a particular ASA using local users. As part of the prep for Duo, I need to change this to LDAP auth for that site - however, I can't change it all at once because there's tooo mannnyyyy users on that ASA.

Can I configure this for both ldap users AND local users while I migrate the users from local to ldap? I haven't been able to find a clear answer in the cisco docs, other than I found one reference that it can be set for ldap primary and local secondary, and if a user fails to match the ldap lookup it will check against local users.

Does anyone have direct experience and advice for setting that up?

Thanks!



Basic VLAN question in a multi-storey building

Hello,

I want to design a network for a multi-storey building (~40 PCs per floor + laptops using wireless). I've currently got a Layer 2 switch for each floor.

I've been looking into VLANs and am wondering whether it's standard practice to assign a VLAN for wired traffic, and another VLAN for wireless, resulting in 2 VLANs per floor. Also, if the PCs will run video conferencing software using VoIP, would you recommend another VLAN for that too?

Would appreciate any clarification - thanks!



Strange IPv6 routing(?) issue

MODS: I'm not 100% sure if this qualifies as Enterprise Networking - My apologies if it doesn't.

Hello Redditors,

I was hoping someone could help me shed some light on the following issue:

We rent a series of VPSs from a decent provider. They give us a VPS with one public IPv4 address and a /64 IPv6 subnet per VPS.

On this particular VPS we run VPNs, of which one is supposed to route all internet traffic for a certain group of workers. On IPv4 this runs flawlessly, but I'm experiencing some weird - what seems like split-routing - issue on IPv6.

Here's the deal:

My outbound IPv6 traffic seems fine, when I use ping6 from the VPS itself I get a reply wherever I ping to. When a client that connects to the VPN tries to ping outside over IPv6 I can see the packets arrive at the other server in tcpdump (when I use one of the other servers to test), and I see the server sending a reply. However the client doesn't receive any response in return.

Upon investigating with tcpdump at the VPN server I noticed that the reply doesn't seem to be reaching the VPS at all. My expectation was that even if I had some misconfigured routing rules, I should at least see the reply packets arrive at the VPN server's public IF.

Upon contacting the VPS provider they state that according to some traceroute data the routing on their end is correct, yet the fact that I can't even observe the replies puzzles me.

Please keep in mind that I might be overlooking something simple, as my IPv6 knowledge isn't that great.

Thanks for any helping effort!



Why can't I send first message from server to a client in UDP protocol?

As UDP protocol is connectionless, why is it enforced to send the message first from server to client? In "sendTo()" function we give port number and IP address of the destination. So what additional requirement does it need?



Cisco QoS with overhead accounting feature question

I'm not overly familiar with QoS other than what I've read so please bear with me if anything below is wrong.

We have a 50 Mbit MPLS circuit. The interface is 100 Mb but we pay for 50 Mbit, so we need to shape the traffic. We also need to account for 18 bytes of overhead within this 50 Mbit. The current config looks like this, which works well (random-detect etc. removed for the sake of brevity):

policy-map parent_policy
 class class-default
  shape average 50000000 account user-defined 18
  service-policy child_policy

Now we are looking to add 5 Mbit of EF for a future voice service we are running across the link. I've read the Cisco QoS Scheduling documentation and it looks like we would be best with the "Priority queue with always on (unconditional) policer" model, so that we never exceed the 5 Mbit we are allocated and that EF always has priority over the main internet traffic. So to this end I think I need a nested policy:

policy-map child_policy
 class EF
  police 500000 conform-action set-dscp-transmit ef exceed-action drop
  priority
 !
 class class-default
!
policy-map parent_policy
 class class-default
  shape average 50000000 account user-defined 18
  service-policy child_policy

My concern is that the overhead calculation will eat into the small amount of EF and so we'll get less than the full 5 Mbit. Ideally I'd like the overhead to be 'wasted' on the default traffic rather than my EF, but my reading of the documentation suggests that account user-defined applied at the parent level will cascade down to all child policy classes equally. It does mention that for a 'conditional policer' the overhead is not accounted for, but doesn't mention unconditional, so I assume it's the same method as the policer.

Am I right in thinking that this will be the case and the EF policer includes the overhead?

If so, is there a way to bypass the overhead accounting feature for this EF class other than just guessing the EF packet size and adjusting the shaper accordingly?



Replacing access layer switch in a flexpod

Hi, I posted in the Cisco sub at the link below and was curious if maybe anybody here who is not also on that sub might be able to share some of their insights. I appreciate any help.

Thanks.

https://www.reddit.com/r/Cisco/comments/ng4mpq/replacing_access_layer_switches_in_a_flexpod/?utm_source=share&utm_medium=ios_app&utm_name=iossmf



BGP default route with no next hop

Hi, I'm having trouble understanding how this VRF is able to route packets to a next hop IP address that is not directly connected and has no routes to the next hop IP address. The 185.191.234.110 IP is a Loopback interface in the global VRF on another router.

sh ip route vrf Company

B*    0.0.0.0/0 [200/0] via 185.191.234.110, 7w0d
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
B        10.10.92.0/24 [200/0] via 185.191.234.110, 3w0d
B        10.11.26.0/24 [200/0] via 185.191.234.110, 7w0d
B        10.109.0.0/30 [200/0] via 185.191.234.110, 7w0d
B        10.110.0.188/30 [200/0] via 185.191.234.110, 7w0d
B        10.110.0.192/30 [200/0] via 185.191.234.110, 3w0d
B        10.111.0.80/30 [200/0] via 185.191.234.20, 7w0d

sh ip route vrf Company 0.0.0.0

Routing Table: Company
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 65000", distance 200, metric 0, candidate default path, type internal
  Last update from 185.191.234.110 7w0d ago
  Routing Descriptor Blocks:
  * 185.191.234.110 (default), from 185.191.234.110, 7w0d ago
      Route metric is 0, traffic share count is 1
      AS Hops 0
      MPLS label: 287
      MPLS Flags: MPLS Required



CiscoConfParse delete child lines

I'm trying to use CiscoConfParse to modify a config. If I delete an object with child objects, it leaves all the child objects in place. E.g. if I delete ip sla, it leaves all the child elements in place.

Or if I delete an interface, it leaves all the child elements (e.g. speed, duplex, description). Any idea how to fix this?

Thanks

from ciscoconfparse import CiscoConfParse
parse = CiscoConfParse('config.temp.conf', syntax='ios')
parse.delete_lines('^ip sla 100')
parse.save_as('new_config.txt')



Has anyone ever seen a business requirement for ipv6?

I work for a business that won't change anything unless we have business reason for change, and any implementation of ipv6 at the moment comes under this header. Without any discussion of technical benefits, has anyone ever come across a scenario of a service that just didn't work on ipv4?

*Internal apps all work with ipv4

*All web saas services and sites still work with ipv4 (ignore sites like https://ipv6.google.com/ where there obviously is an ipv4 alternative)

*All client ISPs still offer ipv4, even if it's with CGNAT

*Seems to be no shortage of static ipv4 based ISPs for business use where I need to have site to site services (at least in the UK)

I would like to prepare the business and give real reasons why ipv6 is likely to be necessary and have it ready for when it is (avoiding any last minute rushed implementation) but at the moment I cannot present any justifiable reason they should invest.

Anyone care to share a business case I can take to management?



Anyconnect Update - Some PCs just break

I'm trying to troubleshoot a problem where I roll out a new AnyConnect version as the webdeploy package. Basically, loads of machines work when they reconnect to the AnyConnect VPN, i.e. it connects, the update runs, and then it connects to the VPN. However, every freeking update I do, it seems I get about 50 laptops that always have an issue. When I have a look at them, the AnyConnect software has been completely uninstalled, and when I get them to download the latest image from my webdeploy URL, it downloads, but the installation fails with the error "There is a problem with this Windows installer package. A program run as part of the setup did not finish as expected."

The workaround I've been using is to completely uninstall the remaining package on there which seems to be the DART install. Then reboot. Then the downloaded anyconnect file will install properly. It's very unclear what the issue is, and I'm wondering if anyone gets this problem, and how you resolved it.



Subnets required to match a range

Does anyone know of a quick algorithm (ideally excel) or online resource to calculate the minimum set of subnets required to positively match a range of IP addresses. For example, 10.10.10.1 to 10.10.10.10 would consist of:

  • 10.10.10.1/32 (10.10.10.1)
  • 10.10.10.2/31 (10.10.10.2 - 3)
  • 10.10.10.4/30 (10.10.10.4 - 7)
  • 10.10.10.8/31 (10.10.10.8 - 9)
  • 10.10.10.10/32 (10.10.10.10)

FZ.
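An added example (not from the original post, and my own function names) of the algorithm being asked for, in Python: a greedy cover that, at each step, takes the largest CIDR block aligned at the current address that still fits inside the remainder of the range. It handles IPv4 and IPv6 and includes a checker that the result covers exactly the requested range with no gaps or overlaps.

```python
import ipaddress


def cidr_cover(start, end):
    """Return the minimal list of CIDR networks that exactly cover start..end (inclusive).

    Greedy: a /n block must start on a multiple of its size, so the largest
    block that can begin at the current address has a size equal to the lowest
    set bit of that address. Shrink it until it fits inside the remaining range.
    """
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first.version != last.version:
        raise ValueError("start and end must be the same IP version")
    if first > last:
        raise ValueError("start must not be above end")
    net_cls = ipaddress.IPv4Network if first.version == 4 else ipaddress.IPv6Network
    bits = first.max_prefixlen
    cur, stop = int(first), int(last)
    nets = []
    while cur <= stop:
        # Largest aligned block at cur: lowest set bit (whole space if cur == 0).
        size = (cur & -cur) if cur else (1 << bits)
        # Shrink until the block does not run past the end of the range.
        remaining = stop - cur + 1
        while size > remaining:
            size >>= 1
        prefix = bits - (size.bit_length() - 1)
        nets.append(net_cls((cur, prefix)))
        cur += size
    return nets


def covers_exactly(start, end, nets):
    """True if nets are in order, disjoint, and together cover exactly start..end."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    expected = int(first)
    for net in nets:
        if int(net.network_address) != expected:
            return False  # a gap or an overlap at this block
        expected = int(net.broadcast_address) + 1
    return expected == int(last) + 1


def describe(start, end):
    """Render the cover in the 'prefix (first - last)' form used in the post."""
    lines = []
    for net in cidr_cover(start, end):
        lo, hi = net.network_address, net.broadcast_address
        rng = f"{lo}" if lo == hi else f"{lo} - {hi}"
        lines.append(f"{net.with_prefixlen} ({rng})")
    return lines


if __name__ == "__main__":
    for line in describe("10.10.10.1", "10.10.10.10"):
        print(line)
```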



Tuesday, May 18, 2021

Dlink 1510 and AVAYA G series phone setup

I have tried every single combination on my d link 1510 switch to get a certain port to work with the both the voice vlan and internet vlan.

Here are the things I have tried and the responses.

  1. I have tried setting the port as hybrid with tagged VLAN voice and untagged VLAN internet, but it doesn't seem to work and the PC doesn't get an IP from DHCP, nor does the phone.

  2. I have tried setting the port as trunk with the same configuration; the phone gets the voice IP but so does the PC, as it seems it can't join its own VLAN and joins the voice VLAN instead.

Am I missing something here? I never faced such an issue with Cisco switches; is there anything specific I need to do on this D-Link switch?

• Setup : 2 vlans , 1 voice , 1 data , 1 pc and 1 ip phone .

• Switch is connected to the phone and the phone to the PC. I need to set up the port on the switch so that the phone joins the voice VLAN and the PC joins the data VLAN.



Not able to reach DNS server from the Cisco CPE

So, this is the first time I am putting the query.

Our client reported that they are not able to ping out to our DNS or Google DNS from their side.

We did not make any changes whatsoever from our end.

When we tested from the CPE we are able to ping out of the interface which is a BGP peer to our core.

But unable to ping with source vlan1

86.52.223.6 is on our core side and .7 is on the Cisco.

We are able to reach 8.8.8.8 from our core sourced at the peer interface.

So the issue is definitely with the Cisco, as we are able to ping the DNS with faeth4 as source but not with vlan1 as source.

I was out of shift so tried to work with colleague on chat.

We tried

Putting an access list allowing the VLAN. Putting NAT overload, which was suggested in some community discussion for a similar issue. Neither worked.

No recent changes have been made on Cisco.

Cisco is old 800 series shit router.



Network Architect job prep

I’m about to interview for a network architect job. Looking for ideas how to prepare for the interview. I know it’s a very open ended question but it would be nice to know interview insights from your experiences.



Constrained Loose Hops vs admin-groups

Apologies if this is too specific but I am trying to look at the pros and cons of using more specific LSP pathing vs colored admin-groups in an MPLS ring application, where there are multiple paths to a destination. Figured this might be a good place to get ideas and thoughts I may not have thought about



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



VPNv4 over IPv6

I'm trying to see if I can run a native IPv6 MPLS core, but support IPv4 and IPv6 within the L3VPNs.

I'm able to exchange VPNv4 NLRIs between my IPv6 peers, but the routes are never installed in the RIB of the VRF. I see it in the BGP database but it bounces back and forth between valid and RIB-failure. Even when it shows up as valid it doesn't show in the RIB.

Valid:

PE1:

RP/0/RP0/CPU0:R1#show bgp vpnv4 unicast
Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1.1.1.1:1 (default for vrf A)
*> 1.1.1.1/32         0.0.0.0                  0         32768 ?
*>i3.3.3.3/32         2001::3:3:3:3            0    100      0 ?
Route Distinguisher: 3.3.3.3:1
*>i3.3.3.3/32         2001::3:3:3:3            0    100      0 ?

RIB-failure:

RP/0/RP0/CPU0:R1#show bgp vpnv4 unicast
<...>
   Network            Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1.1.1.1:1 (default for vrf A)
*> 1.1.1.1/32         0.0.0.0                  0         32768 ?
r>i3.3.3.3/32         2001::3:3:3:3            0    100      0 ?
Route Distinguisher: 3.3.3.3:1
*>i3.3.3.3/32         2001::3:3:3:3            0    100      0 ?

Valid with details:

RP/0/RP0/CPU0:R1#show bgp vpnv4 unicast vrf A 3.3.3.3
Wed May 19 00:03:00.527 UTC
BGP routing table entry for 3.3.3.3/32, Route Distinguisher: 1.1.1.1:1
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker                  98          98
Last Modified: May 19 00:02:20.523 for 00:00:40
Paths: (1 available, best #1)
  Not advertised to any peer
  Path #1: Received by speaker 0
  Not advertised to any peer
  Local
    2001::3:3:3:3 (metric 20) from 2001::3:3:3:3 (3.3.3.3)
      Received Label 24005
      Origin incomplete, metric 0, localpref 100, valid, internal, best, group-best, import-candidate, imported
      Received Path ID 0, Local Path ID 1, version 98
      Extended community: RT:65000:1
      Source AFI: VPNv4 Unicast, Source VRF: default, Source Route Distinguisher: 3.3.3.3:1

RIB:

RP/0/RP0/CPU0:R1#show route vrf A
<...>
L    1.1.1.1/32 is directly connected, 03:26:43, Loopback1

Other outputs that might be useful:

RP/0/RP0/CPU0:R1#show bgp vpnv4 unicast nexthops
<...>
Gateway Address Family: IPv6 Unicast
Table ID: 0xe0800000
Gateway Reference Count: 2
Gateway AF Bits : 0x110
Nexthop Count: 1
Critical Trigger Delay: 0msec
Non-critical Trigger Delay: 10000msec
Nexthop Version: 2, RIB version: 1
EPE Table Version: 1, EPE Label version: 1
EPE Downloaded Version: 1, EPE Standby Version: 0

Status codes: R/UR Reachable/Unreachable
              C/NC Connected/Not-connected
              L/NL Local/Non-local
              PR   Pending Registration
              I    Invalid (Policy drop)
Next Hop        Status       Metric Tbl-ID    Notf LastRIBEvent    RefCount
2001::3:3:3:3   [R][NC][NL]      20 e0800000  9/0  00:37:32 (Cri)  2/9

RP/0/RP0/CPU0:R1#show bgp vpnv4 unicast neighbors
BGP neighbor is 2001::3:3:3:3
 Remote AS 65000, local AS 65000, internal link
 Remote router ID 3.3.3.3
  BGP state = Established, up for 00:56:42
<...>
 For Address Family: VPNv4 Unicast
  BGP neighbor version 101
  Update group: 0.2 Filter-group: 0.1  No Refresh request being processed
  Extended Nexthop Encoding: advertised and received
  Route refresh request: received 1, sent 0
  1 accepted prefixes, 1 are bestpaths
<...>


Looking For Ideas

I've inherited a small school district of about 5500 people - Sole Netadmin/System... I'm finally getting to the physical and virtual infrastructure side and I'm trying to get ideas of where to clean up at, what to improve, and what to add.

I'm working on a campus that is basically "a big switch" with Comcast ENS at remote locations and 10GB fiber to all campuses onsite. So, hopefully that helps paint the picture physically. Here's a list of switches too

4500-E, 2960S/L, 1000L, a 2950 here or there (going away and being replaced with 1000L switches)

  • I'm thinking physical recabling (APs are yellow, Data is blue, Phones are black)
  • Remove the 2U cable managers and place switches in between 2U Patch
  • Asset tag all switches and network racks
  • Balance power throughput switches
  • Configure a standard for ports (ports 1-10 are vlan 200 for all switches, ports 11-15 are vlan 250, etc..)
  • Upgrade IOS on switches and do so on a half year basis
  • Cleanup VTP (I inherited switches that are servers, transparent, and off)
    • I'm thinking instead of trunking and then creating the vlan manually on the switches create a VTP on the 4500-E and then set the rest of the switches as transparent
  • Clean up vlan's
  • Setup a log server
  • Create an automation service to automate config backups

These are some of the things above that I came up with but I'd really be interested to hear what others would want to do in a campus all fiber environment.



Anything better then peplink?

Curious for any one that deals with multiple sim card devices for backup connections.

Please share any recommendations



patch upgrade for Cisco catalyst

I have 20 C9200 switches and I have to update them all. I usually hook them to a TFTP server (my laptop), but man, this will be a pain in the ass to do them one by one. I have no DNA Center in hand, so what do you guys suggest to do a massive upgrade at once?



IP MASQUERADING set up not working

Hi all, I am trying to set up IP MASQUERADING for my schools computer lab and I can't get my client pcs to be able to access the internet.

We are currently using an old router as a temp solution as we have just switched buildings but now want to get it set up on our Fedora server.

I am using firewalld and have set up two zones, one for each NIC.

External: IP address 192.168.1.100, gateway 192.168.1.1, DNS 8.8.8.8 and 8.8.4.4

Internal: IP address set to 192.168.0.1

With our current setup the server is plugged in to the router but we are going to replace it with the server if I can set this up.

I'm trying to keep the 192.168.1.X IP addresses so we don't have to reconfigure 40 machines, but if that is not possible that's fine.

But for setting up purposes I have configured it for 192.168.0.1

I have enabled masquerading and allowed ports 80 and 443 through but I can't ping my client or access internet from it.

On my windows machine all it says is Network 4 no internet.

Any help would be greatly appreciated as I am a student and noob with linux



Unable to get IPSEC VPN tunnel working

I'm building a network in packet tracer with two sites and a site-to-site IPSEC VPN between them. For whatever reason, the VPN just will not come alive. Any help would be massively appreciated.

Site 1:

One PC, one switch, one 2911 edge router w/ VPN configured, one 2811 core router with minimal config.

192.168.0.0/24

Edge router config: https://pastebin.com/u4qDBcmM

show crypto ipsec sa: https://pastebin.com/T6qnJsX1

Site 2:

One PC, one switch, one 2911 edge router w/ VPN configured, one 2811 core router with minimal config.

192.168.1.0/26

Edge router config https://pastebin.com/LQPYmb8f

show crypto ipsec sa: https://pastebin.com/Uud6mkfz

Architecture



Aruba Networks Remote AP

So, I dunno where it was supposed to go, but I got my hands on one: an AP-303H-US Remote Access Point. It's supposed to be plug and play for remote access.

It has 3 ports on the bottom, two on the back, a power port, a USB A port, and a USB Mini-B port. Anyone have any ideas on what I could do to put this to my own use?



DHCP Snooping / ARP inspection question, cisco network.

Is there any reason why snooping and DAI would not work right with interfaces connected to servers? Or something special I need to do? We have both setup on our access switches, and we are going to put it on our core switches that our servers connect to. Now normally, we would only put this on our user vlans, but the networks we are about to add this to are flat networks, meaning servers and clients are on the same vlan.

We tried this in the past and a lot of the servers were causing ports on the switch to go err-disabled from DAI failing, so we ended up just taking it off. Is there a way to avoid this, or is there really no reason this should be happening?



Connecting External HD (USB) to Hardware Firewall

Hello,

My company is looking into getting a firewall and has tasked me with doing some low level research. I have a quick question I hope someone will be able to help me with:

When installing a hardware firewall, is it possible to attach storage media directly to the firewall in a similar way as to a router?

More specifically, we are trying to add a FortiGate "NGFW" and move a USB storage device from the router to the firewall for network access. Is this possible or does the storage media need to be located further downstream? (such as on a computer attached to the network).

Thanks in advance. Sorry for such a basic question this is a topic completely new to me and I have been reading all day trying to understand this process.



Tying network activity to processes.

We have some 'interesting' traffic hitting our honey pot. It's extremely infrequent (and probably benign). I normally have no issue manually pinning network activity to a process ID, but this traffic is setup and torn down as fast as it can. What programs, which methods do others use to handle these scenarios? Overlooking the fact that it's probably benign, I need to be thinking about the future and my ability to track these things down.



DHCP Exclusions versus Limited Scope

I have extensive experience setting up Active Directory servers with onboard DHCP. But it suddenly occurs to me to wonder why both these options exist.

What is the applicable reason to set up a DHCP exclusion range, when you can simply limit the scope itself?



Slow internet speeds after getting a new router

I hope this is the right subreddit for this.

So one of the Antennas for my modem broke so I bought a router, I connected the router to the modem and set up my network. It worked fine but now everything is very slow.

My download and upload speeds are horrendous and browsing the internet is also really slow.

Anyone have any troubleshooting tips, especially for setting up a new router.



School Work: Interview two network administrators. If any of you are network administrators then I would appreciate you answering a few questions to help with my school work.

Why does your organization use the kind of network that you use? (Such as what the network covers, its model, and topology)

What security measures are used to protect the network, both internal and external?

How does your network function, and what, if anything, would the administrator like to change?

This is for a high school assignment in a business computers class.



'full-time' vs 'part-time' Firewalls

Hi all,

Just wanted to hear some opinions on this.

As a part time firewall I'd consider something like F5's Big-IP that also has a firewall functionality. This compared to a firewall that was designed as a firewall.

Would you consider it to be okay to just use the firewall function of the Load Balancer/Application Delivery Controller/etc... or deploy it after a fully grown firewall?



Unifi 10Gb Link Issues

Hi All,

Firstly I apologize in advance for my inadequacy... I am somewhat new to networking at a business level.

I am setting up a portion of our network using 10Gb fiber links. We currently have a Unifi USW-Pro-48-PoE connected to a Synology RS1221+ via a 10Gb fiber link, using Unifi UF-MM-10G SFP+ and a Mellanox MCX311A-XCAT CX311A ConnectX-3 NIC in the NAS. Additionally, I am trying to connect a PC to the second SFP+ port, also using the same SFP+ modules mentioned above.

My questions are:

  • When connecting the fiber, it seems as if there is an order of operations. I need to connect the fiber to the end device (NAS or PC) first before connecting to the switch. If not done in this order, the link will not establish. I have done other 10gb fiber type stuff (Underwater research) and I do not remember this being an issue.
  • When an SFP+ is installed in SFP+ slot #1, if I install a second SFP+ in slot #2, the link in slot #1 drops. Is this expected behavior? If I unplug and replug in the fiber on the NAS, the link reestablishes.
  • On the PC, when performing an Iperf3 test, my maximum bandwidth is about 3.25Gbps. I would expect the link to saturate at upwards of 7-9Gbps. This is using Iperf with TCP setup.

Any thoughts? Again, I apologize for my shallow depth of knowledge here...

Thanks!



VPN tunnel comes up - no ping reply

When I ping the remote host, tunnel comes up but no reply.

In the ASA logs I’m seeing below error where 161.228.232.212 is the remote host I’m pinging

deny inbound icmp src Inside 161.228.232.212 dst inside 10.62.56.254 (type 0, code 0)



Alternatives to inline SSL Decryption

I'm wondering what others are doing to overcome the performance impacts of SSL Decryption and also question the value of inline SSL-Decrypt. We're thinking of enabling this on our PAN firewalls based on industry security trends, but depending on the % of traffic encrypted and cypher-suite used, you might see a 50-80% performance hit.

I've been thinking that since SSL Decryption only works for "managed endpoints" because you need to push a root cert to act as a CA, why not rely on agents on the managed endpoint for threat detection/prevention? Why do inline inspection when you have the ability to inspect traffic before it gets encrypted and hits the wire? Has anyone taken this approach and if so, which solutions are you using or have you considered? It looks like Microsoft ATP and Crowdstrike are some of the highest rated endpoint protection platforms. If you prevent people from disabling this service, why do inline inspection? How did this "alternative" to SSL Decrypt go down with security audits/certifications?

Also, has anyone looked at Nubeva? They do out-of-band inspection and claim to be able to deal with PFS for decryption through a lightweight agent. It's an interesting story which wouldn't require a refresh of our firewall infrastructure which is right-sized to deal with current workload/throughput but not deal with SSL Decrypt.

Please enlighten me on something that I may be missing. Is there a security gap worth mentioning that would make me want to spend 3x on my firewall infrastructure to enable SSL Decryption for internet destined traffic?



Question about management VLANs combined with DHCP servers

Hey everyone,

I'm currently a little bit confused about a particular issue.

I am looking to simulate a network with multiple switches, 3 VLANs (management,NVR,Office), and one router (router on a stick configuration).

Set up for question :

From my understanding, in an internetwork environment (multiple routers connected to each other through their WAN ports and with a dynamic or static routing scheme implemented), when you have a DHCP server that is separate (not on the routers or switches), it will use relay agents to gather the DHCP client requests. It will then use the IP address of the particular router's interface from which the request came to figure out the pool of addresses to use to give to the client which requested.

Ok, but when you have just one router that is connecting different VLANs together, the DHCP server will use the VLAN interfaces' IP addresses to figure out the same thing.

This would normally be no problem, unless you want a Management VLAN. This will be used to give the switches an ip address so that they can be accessed remotely, and as a bonus it will allow firewall rules to keep everyone but maybe IT department out. But if you need DHCP on say, the Office VLAN and maybe a couple more, then the switches that have these VLANs in their databases (which will likely be most if not all), will also be accessible from the Office VLAN interface IP address (which had to be set so DHCP would work).

In this scenario, would you just have to create extra firewall rules to make the switches inaccessible through these Office VLAN interfaces, or is this whole scheme simply wrong for when you want a Management VLAN coupled with DHCP on the same switches?

Sorry if I'm not making sense, this is the best way I could think of to explain this.

Thanks



Monday, May 17, 2021

Best Simulation Tool for my Project (NS-3, OPNET, or OMNET++)

Hello everyone

I'd like to do a simulation of a Li-Fi Network with some functionalities such as Handover, Node discovery, adaptive data rate and so on. Which simulation tool should I choose among these:

  1. NS-3
  2. OPNET
  3. OMNET++
  4. Other (name)

Appreciate your help :)



[Netplan/Ubuntu/Azure] Create a gateway for second NIC on Azure VM with netplan

I have an Azure VM running Ubuntu 18.04 LTS with two NICs. By default, Azure creates a gateway for the first NIC and not the second NIC. I want to create a gateway for the second NIC as well and I have been using ip commands to do this, specifically:

ip route add default via 11.0.0.1 dev eth1 table 11
ip rule add from 11.0.0.7 table 11
ip route add default via 11.0.0.1 dev eth1 proto dhcp src 11.0.0.7 metric 101

I want to use cloud-init and netplan to do this instead of ip commands to do this but I have had no luck getting it to work. The netplan I am currently using is:

network:
  version: 2
  ethernets:
    eth0:
      dhcp4: yes
      routes:
        - to: 0.0.0.0/0
          via: 11.0.0.1
          table: 10
      routing-policy:
        - from: 11.0.0.6/32
          table: 10
    eth1:
      dhcp4: yes
      routes:
        - to: 0.0.0.0/0
          via: 11.0.0.1
          table: 11
      routing-policy:
        - from: 11.0.0.7/32
          table: 11

I never worked with netplan or networking in general before so I am not able to debug it correctly. I followed netplan documentation, blog posts and stackoverflow answers with different variations of gateway4, routes and routing-policy parameters but no luck. Can someone please help me with the correct netplan configuration? Thanks!



Help with mnemonics for networking topics

Hi,

I hope this is not OT but I'm looking for people who use mnemonic techniques to remember networking books or topics.

We all know that for BGP bestpath we have "We Love Oranges AS Oranges Mean Pure Refreshment", and for other lists we have something similar, but hey! that's just getting a more or less meaningful sentence out of acronyms.

What about the true kernel of mnemonics, where you choose well known paths or places and associate topics with objects that remind you of the topics you must remember? Or funny stories that impress you?

I'm going for my CCIE (EI!) and the number of things to remember is freaking complex and articulated and sometimes even meaningless (of course that's the minority)... I would like your thoughts on this matter because I don't touch some topics in my daily job and hence I don't have the possibility to burn them into my mind by discussing them with colleagues.

Is anyone of you guys/girls willing to share their thoughts/stories (if any), regardless of how weird they may look/sound to others, and which networking area have you applied it to?

Thanks,

Panatism



Hyper-V Configuration Ethernet/Virtual Switch/DHCP Problem

Ok I am configuring my first Hyper-V machine running on a Windows 2019 Standard host. Everything has gone pretty smoothly but I am having trouble getting my VMs access to the default gateway. I am running a DHCP server on one of my guest VMs and that server is handing out IP addresses to the other guest VMs I have running.

I have configured an External Virtual Switch in Hyper-V manager. The physical ethernet adapter that I have configured the virtual switch on is connected to my router on a port that is only handing out VLANs. I have my DHCP server configured with a static IP but I cannot ping my default gateway from my DHCP server or from any of my guest VMs.

I have been troubleshooting this for two days and finally found something odd about the properties of my ethernet adapter. It is my understanding that when I configure a virtual switch through Hyper-V Manager, Hyper-V will reconfigure the properties of my ethernet adapter and turn off all services except LLDP and Hyper-V Extensible Virtual Switch. My ethernet adapter has LLDP enabled, but Hyper-V Extensible Virtual Switch is disabled and I cannot enable it manually.

To test this further I have configured one of my router ports to hand out DHCP. When I connect another ethernet adapter to that router port and set up a virtual switch the ethernet adapter properties are set as expected: LLDP and Hyper-V Extensible Virtual Switch are enabled. I am also able to ping the default gateway with this configuration.

I am completely stumped. I have confirmed the dhcp relay settings are configured correctly for the VLANs in my router. I have checked and re-checked my DHCP server and scopes.

Please help.



Device configuration compliance checking

Hi everyone,

Just curious on what the approach everyone is taking on configuration compliance checking these days. I've seen an older post here that suggests Napalm validators, but it looks like that's more for validating deployments which we've already implemented; whereas I'm interested in managing configuration drift for base config (think NTP, firewall, syslog servers etc).

Eventually the end-goal would be to automate the deployment as well, so this wouldn't be as much of an issue but we're not there yet.



Send Arista logs to Graylog

Hi, I have brought up Graylog as our centralized logging server. But I'm not able to see the logs in Graylog server. Here are the input config:

allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
number_worker_threads: 72
override_source: <empty>
port: 514
recv_buffer_size: 262144
store_full_message: true

Is it not parsing the logs? Has anyone done it? Thanks for help.



Help: Point to Site VPN and then Site to Site VPN setup

I need help. I am tasked to do something that I don't know much about.

We are a small company, and nowadays everyone is working remotely - the office is empty.

We got a new client, who wants our developers to provide the service to them on the client's network - and they want us to setup IKEv2 Site to Site VPN between their office and ours.

What I need to set up is:

  1. IKEv2 Site to Site VPN connecting our office with the client's
  2. Point to Site VPN for our developers to connect from their homes into our office network, which is then connected to the client network using S2S VPN

What's the right way to go?

I am about to buy Cisco ASA 5506-X (ASA5506-K9) - is it good choice? Will I be able to build both S2S VPN and P2S VPN using this one device?

Cisco pricing is a bit confusing for a first time buyer - they charge for the hardware, and then extra for licenses. Do I need to buy an extra license? Which one?



Nexus 9396 as internet router

We currently use 2 ASR 1001-X as our internet routers in an eBGP and iBGP config. We receive partial routes from each ISP. All links are ethernet handoffs or fiber using SFPs.

ASRs have limited 1GB/10GB ports. I was thinking of utilizing 2 9396 in a vPC, running BGP and replacing the routers with the switches. This will give me many more ports.

Has anyone done this? Any reasons not to??

Thx



Need some help with planning of new network for a SAN

Hey guys,

We are currently on the verge of deploying a fresh new SAN (over NFS) for our office. The main goal is to upgrade our current infrastructure for a HA setup.

We currently have a setup of redundant firewalls but need new switches and I could use your help regarding some point.

We need 2 switches with minimum 10GB SFP+. We are a rather small company (with low IOPS requirement) so we are not looking to break the bank since the SAN will also be pretty expensive. Therefore, we have around 3k$ CAD total to spend for the 2 switches.

Here are my questions:

1- I've read that with my budget I should go with some used big brands like Arista instead of a new lower end switch like Mikrotik. Since I won't be using iSCSI or FC does that still apply to me? Any switch you recommend? Anything special spec wise I need to look for?

2- I was thinking of having 2 different subnets. One for the SAN traffic and one for all the VM traffic. Would that cause issues if they both flow through the same switch? I see people recommend a dedicated switch just for the storage traffic but it seems rather overkill for us?

3- To make the whole thing redundant, I was thinking of plugging everything in like so and using NIC bonding (active-backup) on all the hypervisors and using a single uplink cable between both switches. Is this a good idea?

In the end I'm just looking for a simple to manage and reliable network.

Thanks for the help



Wi-Fi 6E's Current Status


TL;DR:

  • 6 GHz availability is expanding, but far from universal.
  • Wi-Fi 6E product selection is limited: Mostly high-end, expensive, and hard to buy.
  • Generally speaking, 6 GHz offers less range but higher effective throughput than 5 GHz.
  • Wider channels are more feasible than with 5 GHz, and throughput above 1 Gbps is possible.
  • The rules are still being made, and the benefits of 6 GHz haven’t been fully realized yet.

Wi-Fi 6E Is Here*!

*Kind of. The current status of the 6 GHz spectrum and Wi-Fi 6E is complicated. Getting the details right requires reading through white papers and dense documents from regulatory bodies. It also requires sorting through a lot of marketing hype and outdated or incomplete information.

This post is a summary of everything I’ve been able to find. If you notice anything that is wrong or needs updating, please let me know.

Table of Contents

  • Quick Review: What is Wi-Fi 6E?
  • ISM and U-NII Wi-Fi Bands
  • Wi-Fi 6E Availability
  • Global Wi-Fi 6E Timeline
  • Wi-Fi 6E Device Classes and EIRP Limits
  • Wi-Fi 6E Certified products
  • Using Wi-Fi 6E and the Road Ahead

Quick Review: What Is Wi-Fi 6E?

Wi-Fi 6E is the Wi-Fi 6 standard, extended into the 6 GHz band. It uses the same PHY standard as Wi-Fi 6, but offers greater availability of wider channel sizes, and access to clearer spectrum with less interference from legacy Wi-Fi devices. Wi-Fi 6E access points are typically dual or tri-band, and backwards compatible with 2.4 GHz or 5 GHz devices. However, only Wi-Fi 6E clients are able to access the new spectrum.

The addition of 1200 MHz of spectrum in the 6 GHz band is arguably the biggest change in wireless networking since the original 802.11 standard came out in 1997, or the original allocation of the ISM bands in 1985. For perspective, less than 260 MHz of unrestricted spectrum is available in the 2.4 GHz and 5 GHz bands.

Before we look at some Wi-Fi 6E products and performance, I want to look at all the frequencies available for Wi-Fi, where Wi-Fi 6E is available, and the timeline of events that led us here.

ISM and U-NII Wi-Fi Bands

2.4 GHz ISM Band

  • 2.4 GHz ISM: 2400 - 2500 MHz
    • Availability of the full 100 MHz varies by country.
      • Most allow 82 MHz for Wi-Fi — Channels 1 to 13
      • The US FCC only allows 72 MHz for Wi-Fi — Channels 1 to 11
    • Bluetooth, Zigbee, and other wireless technologies also operate in the 2.4 GHz ISM band.

5 GHz U-NII Bands

  • U-NII-1: 5150 - 5250 MHz
  • U-NII-2: 5250 - 5725 MHz
    • Conflicts with radar and satellite communication, requiring the use of dynamic frequency selection (DFS).
    • Broken into three sub-bands, with different rules for each.
      • U-NII-2A — 5250 - 5350 MHz
      • U-NII-2B — 5350 - 5470 MHz (unavailable for Wi-Fi)
      • U-NII-2C — 5470 - 5725 MHz
  • U-NII-3: 5725 - 5850 MHz
  • U-NII-4: 5850 - 5925 MHz
    • Generally not available for Wi-Fi.
    • Since 1999, the US FCC allocated U-NII-4 for a vehicle-safety technology Dedicated Short Range Communications (DSRC), which was never widely used in the US.
    • In late 2020, the US FCC reallocated 45 MHz (5850 - 5895 MHz) for use in Wi-Fi.
      • Indoor operation is allowed, and outdoor operation rules are still being finalized.
      • The other 30 MHz (5895 - 5925 MHz) is set aside for a newer vehicle-safety technology called Cellular Vehicle-to-Everything (C-V2X).

6 GHz U-NII Bands (Wi-Fi 6E)

  • U-NII-5: 5925 - 6425 MHz
    • Indoor/outdoor
    • Channels 1 to 97
  • U-NII-6: 6425 - 6525 MHz
    • Indoor only
    • Channels 101 to 117
  • U-NII-7: 6525 - 6875 MHz
    • Indoor/outdoor
    • Channels 121 to 185
  • U-NII-8: 6875 - 7125 MHz
    • Indoor only
    • Channels 189 to 223

Refer to the U-NII Wikipedia article and List of WLAN channels for more details, and a breakdown of availability by country.

Wi-Fi 6E Availability (as of May 2021)

While the US FCC was the first to announce a decision, regulators around the world have been considering making 6 GHz unlicensed for years. Some regulators are still working through that process, and some haven’t officially started. As of May 2021, this is the list of countries where unlicensed 6 GHz operation is being made possible. The Wi-Fi Alliance maintains a list of all countries enabling Wi-Fi 6E.

Approved Full 1200 MHz

Brazil, Chile, Costa Rica, Guatemala, Honduras, Peru, Saudi Arabia, South Korea, United States.

Approved 500 MHz (U-NII-5 only)

European Union* (5925-5945 MHz excluded), Greenland, United Arab Emirates, United Kingdom.

Considering Full 1200 MHz

Australia, Canada, Colombia, Japan, Jordan, Mexico, Qatar.

Considering 500 MHz (U-NII-5 only)

Argentina, Africa (ATU), Egypt, Oman, Russia, Turkey.

Global Wi-Fi 6E Timeline

Wi-Fi 6E Device Classes and EIRP Limits

There are three main categories of Wi-Fi 6E devices. The classes are mostly shared, but the rules controlling their use vary by country. There are more details and exceptions than what I’m listing here. Refer to your local regulatory body’s rules for more details, such as the US FCC’s guidance for operating in the 6 GHz band.

Standard Power (SP)

  • Indoors or outdoors, with integrated or external antennas.
  • U-NII-5 and U-NII-7 bands only.
  • Require the use of an Automated Frequency Coordination (AFC) provider to avoid interfering with incumbent services.
    • AFC availability is still in process in the US, and other regions are still working on their solutions. AFC is unlikely to be widely available before 2022.
  • SP APs operate at a maximum of 36 dBm EIRP (in the US).
  • SP clients are limited to an EIRP 6 dBm less than the AP they’re connected to, typically 30 dBm.
  • SP clients rely on their AP for AFC.

Low Power Indoor (LPI)

  • Indoor only, integrated antenna required.
  • LPI APs cannot use external antennas, battery power, or weatherproof enclosures.
  • Can use the full 1200 MHz (depending on availability).
  • Require contention-based protocols to protect incumbent services, but not AFC.
  • LPI APs operate at a maximum of 30 dBm EIRP (in the US).
  • LPI clients are limited to an EIRP 6 dBm less than the AP they’re connected to, typically 24 dBm.

Very Low Power (VLP)

  • Mobile, indoors and outdoors, but offer limited range.
  • Can use the full 1200 MHz (depending on availability).
  • Require contention-based protocols to protect incumbent services, but not AFC.
  • Operate at a maximum of 14 dBm EIRP (in the EU).
  • The US FCC is still working on their rules for VLP devices.

Channel Width Impact on EIRP

  • Maximum EIRP is calculated for 320 MHz-wide channels, which are not available in Wi-Fi 6 (802.11ax).
  • 160 MHz channels reduce max EIRP by 3 dBm.
  • 80 MHz channels reduce max EIRP by 6 dBm.
  • 40 MHz channels reduce max EIRP by 9 dBm.
  • 20 MHz channels reduce max EIRP by 12 dBm.
  • These numbers are subject to change as 6 GHz rules are finalized, and 802.11be drafts evolve.
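As an added example (my code, not the post’s), here is a small Python planner that ties the 6 GHz channel numbering in the band list above to the EIRP derating table just given. It generates the non-overlapping channels of a given width that fit inside a regulator’s range (the full 1200 MHz by default, or U-NII-5 only for a 500 MHz regulator), and computes LPI AP and client EIRP ceilings per width. The 5950 MHz channel starting frequency is the 802.11ax definition of the 6 GHz band; the 30 dBm cap and 5 dBm/MHz power spectral density are the US LPI rules as I understand them and are treated as assumptions here (SP and VLP limits are not modelled). Integrating that PSD over the channel width is what produces the 3/6/9/12 dB steps listed above.

```python
import math
from typing import List

# 802.11ax numbers 6 GHz channels from a 5950 MHz starting frequency, so
# channel n is centred at 5950 + 5*n MHz (channel 1 = 5955 MHz).
CHANNEL_START_MHZ = 5950
BAND_LOW_MHZ = 5925    # bottom of U-NII-5
BAND_HIGH_MHZ = 7125   # top of U-NII-8

# US Low Power Indoor limits as assumed for this example: 30 dBm EIRP cap and a
# 5 dBm/MHz power spectral density. Integrating the PSD over the channel width
# is what yields the 3/6/9/12 dB steps for 160/80/40/20 MHz channels.
LPI_AP_EIRP_CAP_DBM = 30.0
LPI_AP_PSD_DBM_PER_MHZ = 5.0
CLIENT_OFFSET_DB = 6.0  # clients sit 6 dB below their AP


def center_mhz(channel: int) -> int:
    """Centre frequency (MHz) of a 6 GHz channel number."""
    return CHANNEL_START_MHZ + 5 * channel


def channel_plan(width_mhz: int, low_mhz: int = BAND_LOW_MHZ,
                 high_mhz: int = BAND_HIGH_MHZ) -> List[int]:
    """Non-overlapping channels of width_mhz whose edges fit in [low_mhz, high_mhz].
    Defaults cover the full 1200 MHz; high_mhz=6425 models a U-NII-5-only regulator.
    320 MHz is included for 802.11be planning even though 802.11ax cannot use it."""
    if width_mhz not in (20, 40, 80, 160, 320):
        raise ValueError("channel width must be 20, 40, 80, 160 or 320 MHz")
    channel = 1 + 2 * (width_mhz // 20 - 1)  # first centre: 1, 3, 7, 15, 31
    step = width_mhz // 5                     # channel numbers are 5 MHz apart
    plan = []
    while center_mhz(channel) + width_mhz // 2 <= high_mhz:
        if center_mhz(channel) - width_mhz // 2 >= low_mhz:
            plan.append(channel)
        channel += step
    return plan


def lpi_ap_max_eirp_dbm(width_mhz: int) -> float:
    """LPI AP ceiling: PSD limit integrated over the channel, capped at 30 dBm."""
    psd_limited = LPI_AP_PSD_DBM_PER_MHZ + 10 * math.log10(width_mhz)
    return round(min(psd_limited, LPI_AP_EIRP_CAP_DBM), 1)


def lpi_client_max_eirp_dbm(width_mhz: int) -> float:
    """LPI client ceiling: 6 dB below the AP's ceiling for the same width."""
    return round(lpi_ap_max_eirp_dbm(width_mhz) - CLIENT_OFFSET_DB, 1)


def dbm_to_mw(dbm: float) -> float:
    """Convert a dBm figure to milliwatts (30 dBm = 1000 mW)."""
    return 10 ** (dbm / 10)


def plan_table(width_mhz: int, high_mhz: int = BAND_HIGH_MHZ):
    """One row per usable channel: number, centre, lower/upper edge, AP and client EIRP."""
    rows = []
    for ch in channel_plan(width_mhz, high_mhz=high_mhz):
        c = center_mhz(ch)
        rows.append((ch, c, c - width_mhz // 2, c + width_mhz // 2,
                     lpi_ap_max_eirp_dbm(width_mhz), lpi_client_max_eirp_dbm(width_mhz)))
    return rows


if __name__ == "__main__":
    for width in (20, 40, 80, 160, 320):
        print(f"{width} MHz: {len(channel_plan(width))} channels in 1200 MHz, "
              f"{len(channel_plan(width, high_mhz=6425))} in U-NII-5; "
              f"LPI AP {lpi_ap_max_eirp_dbm(width)} dBm "
              f"({dbm_to_mw(lpi_ap_max_eirp_dbm(width)):.0f} mW), "
              f"client {lpi_client_max_eirp_dbm(width)} dBm")
    for row in plan_table(160):
        print("ch %3d  centre %4d MHz  %4d-%4d MHz  AP %.0f dBm  client %.0f dBm" % row)
```

Running it shows why the full band matters for wide channels: seven 160 MHz channels fit in 1200 MHz, but only three fit in U-NII-5, and a 20 MHz LPI channel is limited to 18 dBm (about 63 mW) rather than the 30 dBm headline figure.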

Wi-Fi 6E Certified Products (as of May 2021)

While the number of countries supporting the 6 GHz band is expanding, the number of 6 GHz devices is too. 338 million Wi-Fi 6 devices are expected to be sold in 2021, and analysts at IDC expect roughly 20% of all Wi-Fi 6 devices to support the 6E standard by 2022. There are many draft Wi-Fi 6E products available now, but only a handful of them have been officially certified by the Wi-Fi Alliance for compatibility and interoperation.

Refer to the Wi-Fi Alliance Product Finder for the most updated list, and details about the specific capabilities that are required to be officially Wi-Fi 6E certified.

Routers and Wi-Fi Access Points

  • Asus ROG Rapture GT-AXE11000
  • Linksys MX8500 (Atlas Max 6E Mesh Kit)
    • Uses Qualcomm Pro 1210 Chipset
  • Linksys MR7500 (Hydra Pro 6E)
    • Uses Qualcomm Pro 810 Chipset

Wi-Fi Cards

  • Intel AX210

Phones

  • Samsung Galaxy S21 Ultra
    • SM-G998U - USA model
    • SM-G998N - South Korea model

TVs

  • Samsung QN900A and QN800A (German press release)
    • Only available with Wi-Fi 6E in certain regions

Chipsets

  • Broadcom BCM94391
  • Broadcom BCM94908R43684W6E
  • MaxLinear MMID 99A3A0
  • Mediatek MT7915 and MT7915STA
  • Mediatek MTK921K
    • Used in AMD’s recently announced RZ608
  • ON Semiconductor QSR10GU-AX 8x8
  • Qualcomm IPQ8074 (Networking Pro 1210)
  • Qualcomm CA-WIFI6ESTA-50 (Reference Design)

Using Wi-Fi 6E

Like most people, I have spent more time reading about Wi-Fi 6E than using it. Wi-Fi 6E sounds impressive, but how does it work in reality? I don’t have a full answer yet; no one does. It’s still early days for 6 GHz, and we won’t be able to see all of the benefits until more networks and client devices support it. All we can get right now is a sneak peek of what’s to come.

Intel AX210, Windows Betas, and Wi-Fi Analyzers

I didn’t have a Galaxy S21 Ultra to test with, so that meant I was stuck with an Intel AX210 card. Plug it in, grab the drivers, easy right? Not quite.

Thankfully, trailblazers like Dong Kno and Tim Higgins at Small Net Builder have taken the 6 GHz plunge before I did, and I referred to their findings for help. The first thing I did was follow Tim’s instructions for getting 6 GHz support enabled on the Intel AX210. Since Microsoft hasn’t officially added support for 6 GHz, I signed up for the Windows 10 Insider program and installed the latest beta. After a few reboots and a minor registry tweak, 6 GHz support was enabled.

Confirming 6 GHz support wasn’t easy, as all the normal (read: free) Wi-Fi analyzer apps I tried only recognized the 2.4 and 5 GHz bands. I don’t have access to any professional 6 GHz analyzer hardware or software. Until consumer-grade analyzer apps are updated to support Wi-Fi 6E, most of us will be stuck in the same situation.

Adding to the confusion, Windows didn’t show the channels and bands properly, showing all 6 GHz connections as 5 GHz connections on channel 36. By separating the SSIDs I was able to manually connect to the 6 GHz band, and to confirm a 6 GHz connection in my router’s web interface.

Authentication: WPA3 and OWE

The authentication methods for Wi-Fi 6E clients vary by which band they’re operating in:

  • 2.4 GHz: WPA2, WPA3, WPA2/3 Mixed, OWE, Open
  • 5 GHz: WPA2, WPA3, WPA2/3 Mixed, OWE, Open
  • 6 GHz: WPA3 or OWE

Wi-Fi Protected Access 3 (WPA3) is the only authentication method available for the 6 GHz band. When I tried to use WPA3 with my Intel AX210 card, I wasn’t able to connect. I’ve read that a future firmware update from Intel will address that. Since I wasn’t able to associate with WPA3-Personal, I turned to my only other option: OWE.

Opportunistic Wireless Encryption (OWE) is a new standard for encrypting open Wi-Fi networks. It doesn’t provide authentication, meaning anyone can join the network, but it does encrypt the traffic between AP and client. The Wi-Fi Alliance has a good overview of what OWE is, and their Wi-Fi Enhanced Open certification. The very short summary of OWE is that it adds encryption without requiring a password. Both WPA3 and OWE rely on AES encryption underneath, but no security method is perfect.
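To make concrete what OWE does and does not provide, here is an added Python walk-through of the RFC 8110 key agreement (my code, not the post’s and not hostapd or wpa_supplicant code): the client and AP each create an ephemeral Diffie-Hellman key pair, exchange the public values in the Association Request and Response, and derive the PMK and PMKID with HKDF. The DH group is a toy Mersenne-prime group rather than the real P-256 default, and the little-endian encoding of the group number in the HKDF salt is an assumption. The point to read off the code is the function signature: nothing authenticates either side, so OWE stops passive eavesdropping on an open network but does not let a client verify which AP it has associated with, which is why it suits guest/open SSIDs rather than replacing WPA3-Personal or Enterprise.

```python
import hashlib
import hmac
import secrets

# Toy finite-field Diffie-Hellman parameters so the demo runs offline. Real OWE
# (RFC 8110) defaults to NIST P-256 (IANA group 19) and otherwise needs a large
# MODP group; this Mersenne prime and generator are for illustration only.
P = (1 << 521) - 1
G = 3
GROUP_ID = 19            # the group number carried in the OWE Diffie-Hellman IE
KEY_BYTES = (P.bit_length() + 7) // 8
HASH = hashlib.sha256    # RFC 8110 pairs SHA-256 with groups of up to 256 bits
PMK_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def keypair():
    """Ephemeral DH key pair; a fresh one is made for every association."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def encode(pub: int) -> bytes:
    """Fixed-width big-endian encoding of a public value, as sent in the IE."""
    return pub.to_bytes(KEY_BYTES, "big")


def owe_pmk(my_priv: int, peer_pub: int, client_pub: int, ap_pub: int):
    """RFC 8110 key derivation, C = client public value, A = AP public value:
       prk   = HKDF-extract(C | A | group, z)   with z the DH shared secret
       PMK   = HKDF-expand(prk, "OWE Key Generation", n)
       PMKID = Truncate-128(Hash(C | A))
    Little-endian encoding of the group number is an assumption in this demo."""
    z = pow(peer_pub, my_priv, P).to_bytes(KEY_BYTES, "big")
    c, a = encode(client_pub), encode(ap_pub)
    prk = hkdf_extract(c + a + GROUP_ID.to_bytes(2, "little"), z)
    pmk = hkdf_expand(prk, b"OWE Key Generation", PMK_LEN)
    pmkid = HASH(c + a).digest()[:16]
    return pmk, pmkid


def owe_association():
    """One OWE association. The only inputs are the two ephemeral public values
    exchanged in the Association Request/Response: no passphrase, no certificate,
    so the result is an encrypted but unauthenticated session."""
    sta_priv, sta_pub = keypair()   # sent by the client in the Association Request
    ap_priv, ap_pub = keypair()     # returned by the AP in the Association Response
    sta_pmk, sta_pmkid = owe_pmk(sta_priv, ap_pub, sta_pub, ap_pub)
    ap_pmk, ap_pmkid = owe_pmk(ap_priv, sta_pub, sta_pub, ap_pub)
    return {"sta_pmk": sta_pmk, "ap_pmk": ap_pmk,
            "sta_pmkid": sta_pmkid, "ap_pmkid": ap_pmkid}


if __name__ == "__main__":
    s = owe_association()
    print("PMK agrees:", s["sta_pmk"] == s["ap_pmk"], s["sta_pmk"].hex())
    print("PMKID     :", s["sta_pmkid"].hex())
```

Both sides end up with the same PMK, which then feeds the normal 4-way handshake, and every association produces a different PMK because the key pairs are ephemeral. What the exchange never contains is any credential, so an SSID that needs to be trusted rather than merely private still belongs on WPA3.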

Multi-Gigabit Ports and Early Performance Metrics

What everyone wants to know: yes, you can break the 1 Gbps barrier with 160 MHz and sometimes 80 MHz channels in 5 GHz or 6 GHz. This requires a strong connection between AP and client, and 2.5 Gbps or higher ports to use effectively. Thankfully, both of the systems I tested had a multi-gigabit port, and 6 GHz allows for multiple 160 MHz channels.

For testing, I got a few 2.5 Gbps and 5 Gbps USB Ethernet adapters, allowing me to break the gigabit barrier and the ~940 Mbps TCP throughput limit of a typical gigabit Ethernet port.

With 160 MHz channels and a 2.5 Gbps connection, iPerf TCP tests hovered around and above 1 Gbps of throughput to a single client. While this level of performance is possible with 5 GHz, it’s much more realistic to deploy 160 MHz channels or a somewhat-dense 80 MHz channel plan in the 6 GHz band.

As always, single-client throughput numbers are a shallow way to measure Wi-Fi performance. Interference, contention, and aggregate throughput aren’t something I’m set up to scientifically test, so I’ll point to Small Net Builder’s recent article on that.

The Road Ahead

In a few years Wi-Fi 6E will be common, 6 GHz will be boring, and Wi-Fi 7 will be the next big thing. The Wi-Fi 7 spec is still being written, but it’s likely to support 320 MHz channels, higher-order 4096-QAM modulation, and multi-gigabit performance. The next Wi-Fi standard will take better advantage of 6 GHz. For now, it’s an open playground for RF nerds (besides those pesky satellites).

Sources and Further Reading