Saturday, June 12, 2021

Proper grounding in extended outdoor networks

In addition to several other hats I do facilities work at a low budget but physically large outdoor venue. My professional data work has all been indoors (single site, no inter-building runs) so I'm a bit out of my depth here.

The site in question has multiple transformers but most of the network is powered by just one of them (the connection between the two is via F/UTP with shield connected at one end, and I haven't had a problem with it other than one direct strike on a power line). Most runs are around 80m, between switches ultimately powered from one electrical panel. The furthest powered switch is over 1km from the panel. After that, it's all POE, which gets us another few hundred meters with POE++.

Cable is gel-filled (nothing else survives out there, though the ants seem to love it) direct burial F/UTP, which can be in conduit, buried, or aerial, depending on local conditions. I've been consistently connecting the shield at one end of the cable and not the other, using surge protectors at both ends (usually L-com), grounding to a separate ground rod NOT bonded to the power ground (where there's power). Switch cases are grounded to the same local ground system. They're all small, relatively inexpensive switches (Ubiquiti 8 port POE for example) powered by external transformers, but I'm not sure if that isolates them effectively from the electrical ground or not.

I've read multiple sources on avoiding ground loops, how to properly ground lightning protection devices, etc. I've seen several posts recommending you ground the protector (and thus presumably the cable shield as well) via a low impedance path to the main grounding system. Which would be great if it weren't hundreds of meters away. That's clearly not an option. I haven't found much advice for situations where you've run power and data a km away from the panel.

So. Am I doing the right thing by bonding the cable shields at a single end, and grounding the surge protectors to separate ground rods? Or is that likely to make things worse due to earth potential differences from nearby lightning causing current to flow back through the equipment? Would I be better off connecting the surge protectors and cable shields to the electrical ground?

Fiber, unfortunately, is not an option at this point.



Point of Sale - networking general advice inquiry

Hope this post doesn't get taken down, because I've been out of the enterprise networking game since I took over as my brother's caregiver.

So, my sister's boyfriend owns a bar, and his POS system and internet are all kinds of not functioning properly, and I've not touched enterprise-level networking in over 5 years, closer to 6; both my CCNA and CCNP are expired.

His system keeps freezing up, and I just wanted to know if anyone has any advice towards POS systems these days, or anything of that nature as I've never really touched POS all that much. I already know one of his problems is that his system is all running on 1500 feet of CAT4 when the distance between the two points is only 85 feet.

So, the bar is a basement style bar, think Cheers style bar, but a bit smaller, and video games instead of billiards. He has Comcast Business for his ISP, not sure what the specs for the service are, but he's using one of their crappy wireless modems. His POS system's manufacturer is TOAST, and they forced him to purchase their switch, and various other hardware devices that he supposedly needs for his bar. I figured I'd update his ethernet to CAT8 as I'm fairly certain that's the current standard, please advise me if I'm wrong. I figured I'd clean up his rat's nest of a cabling situation that he showed me images of. I also think his wifi could use a mesh system as it's still fairly large.

I'm waiting on photos and whatnot, but it'd be extremely helpful if there's any advice any experienced Point of Sale techs can give me. Once again, been out of the game for quite a while, and so I'm not really up to date on standards, terminology, or anything else of that nature. I've just been side hustling with basic cable running, and custom PC builds. So, any advice or information anyone can provide would be extremely helpful.



DNP Master not communicating after virtual ip address switchover of DNP slave

I don't have much networking experience and this isn't my area of expertise so forgive me if I'm not very verbose and don't explain too well.

I'm attempting to send DNP communications from a redundant RTU (basically a middleman between field devices and our DNP system) setup to our DNP master system. The redundancy for these RTUs utilizes a virtual address that switches over when the primary fails. The DNP master system is set up to poll the virtual address.

The problem is our DNP master system (which is not my department) doesn't seem to accept communication from the virtual address anymore when an RTU fail-over occurs (backup unit becomes active). I previously tested the RTU with a DNP SCADA test box and saw no issue on fail-over. I also see the RTU working fine on my end sending data through the virtual address. The DNP master system just seems to stop all communication with the RTU's virtual address.

Any tips on troubleshooting this and what might be wrong? Monday I'm planning on doing some Wireshark analysis. I'm not a network guy, I'm a software guy, so I'm somewhat helpless here lol, hoping to learn more from this experience.



Managed PoE switch with PoE passthrough and local CLI?

I am looking for a small switch (only need 2-3 ports) with PoE passthrough, meaning it's powered by PoE input and then also outputs PoE on only some of the output ports.

This is for standard PoE (i.e. 48V, 802.3af/at/bt etc., not passive 24V). The Mikrotik RB260GSP seems to be 24V passive PoE only.

Local CLI control would be nice - which rules out things like the Unifi US-8.

VLAN support would be good as well.

The Cisco 3560CX-8PT-S seems to be another good option - but apparently the idle power draw is around 20W (yikes), and it's also a fair jump up in price. Also, it seems to be a fairly old model (2014) - not sure if there's a more modern replacement?

Does anybody know of any other options out there?



What path do you recommend for someone to take?

Should college be a focus? Or should certificates be the way to go? I eventually want to end up in a career in network security and I just want a road map, so to speak.

much thanks to anyone who reads!



Public IP for router interfaces

Are there any RFCs that allocate a prefix for use on p2p router interfaces?

It seems like a waste of public IP space for everybody to use an IP/prefix on interfaces for the purpose of setting up adjacencies that won't actually be announced into the global routing table.



Multicast DR and Assert

Can someone please just clear this up for me so I can move on with my life. I'm trying to understand the point of the assert message with PIM, and why it's necessary if we have a DR for a shared segment. As I understand it the DR is responsible for sending PIM joins/prunes as well as PIM registers. The point being, that if (for example) 2 last hop routers are connected to the same segment as a receiver, only 1 router sends PIM joins upstream for any receiver who wants a feed. In my mind, this would imply that since the DR is the only one sending PIM joins for a particular multicast group, that it is the only one building the shared tree (let's assume we are running PIM-SM). Now the assert message is to elect a forwarder for the segment. Now, why would we need that? If for example, the designated forwarder for the segment was the other router (i.e. not the DR), then the tree is not built on this device, and the outgoing interface lists upstream would be pointing to the DR for any multicast feeds being sent from the source downstream to the receivers. So my question is, what is the point of the PIM forwarder/assert message if we have a DR on the segment?
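The assert exists for a different job than the DR: the DR decides who sends Joins upstream, while the assert decides who forwards onto the LAN once more than one router has the segment in its outgoing interface list (for example a non-DR that is on the tree because of receivers behind its other interfaces, or a LAN that is a transit segment for both). Each such router forwards its own copy of every packet until an assert picks one. The Python below is an added example, not part of the post; the two routers and their metrics are constructed, and the election rules follow RFC 7761 (DR: highest priority, then highest IP; assert: lowest metric preference, then lowest metric, then highest IP):

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    name: str
    ip: str            # address on the shared LAN
    dr_priority: int   # DR priority advertised in PIM Hello
    metric_pref: int   # metric preference (admin distance) toward the RP/source
    metric: int        # unicast metric toward the RP/source


def ip_key(ip):
    """Dotted-quad string -> comparable tuple (10.1.1.2 > 10.1.1.1)."""
    return tuple(int(o) for o in ip.split("."))


def elect_dr(routers):
    """DR election (RFC 7761): highest DR priority, tie broken by highest IP."""
    return max(routers, key=lambda r: (r.dr_priority, ip_key(r.ip)))


def elect_assert_winner(routers):
    """Assert election (RFC 7761): lowest metric preference, then lowest
    metric, then highest IP address."""
    return min(
        routers,
        key=lambda r: (r.metric_pref, r.metric, tuple(-o for o in ip_key(r.ip))),
    )


def copies_seen_by_receiver(forwarders):
    """Every router that keeps the LAN in its outgoing interface list forwards
    its own copy of each packet, so a receiver sees one copy per forwarder."""
    return len(forwarders)


def resolve_segment(routers_with_lan_in_oil):
    """Duplicate count before the assert, after it, and who won."""
    before = copies_seen_by_receiver(routers_with_lan_in_oil)
    winner = elect_assert_winner(routers_with_lan_in_oil)
    after = copies_seen_by_receiver([winner])   # the loser prunes the LAN from its OIL
    return before, after, winner


# Constructed two-router segment: R1 wins the DR election on IP address, but
# R2 has the better unicast metric toward the source, so R2 wins the assert.
R1 = Router("R1", "10.1.1.2", dr_priority=1, metric_pref=90, metric=3072)
R2 = Router("R2", "10.1.1.1", dr_priority=1, metric_pref=90, metric=2816)

if __name__ == "__main__":
    print("DR:", elect_dr([R1, R2]).name)
    before, after, winner = resolve_segment([R1, R2])
    print(f"copies before assert: {before}, after: {after}, winner: {winner.name}")
```

The DR and the assert winner are elected on different inputs (Hello priority and address versus unicast routing metrics), which is why the two roles can land on different routers and why neither can replace the other.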



Cisco SD WAN cost?

I am currently in a networking class and for one of our assignments we have to tell how we would connect two offices (HQ and a satellite office) in a city, approximately one mile apart (we get to assume the cabling available), and list the estimated cost associated with it. The fictitious company is rapidly expanding, so I wanted to pick something that was easily scalable. I decided to use an SD WAN over internet for the WAN connection, and was going to use Cisco's SD WAN service. I saw on their website that it requires a Cisco DNA Advantage subscription, but there's no way to get pricing (even an estimate) without talking to sales. I tried using the chat option, but no one was available. Is anyone able to give me an idea of how much this might cost?



Seeking Advice for Network Design, VPN, Firewall, Windows Server & RDP for a small business trying to enable remote work

Hello community! I'm a small business owner, seeking help for setting up network for enabling remote operations for my business.

So, I have an ERP software which is used simultaneously by over 20 users daily. Up until COVID, we had a main computer set up with the ERP App Server and MSSQL Database Server. All the client computers installed in the office were connected to the main computer via the local network. The challenge obviously was that we could use the software only when in the office.

With the advent of COVID related lockdown, I brought the main computer to my home, connected it to a server with Windows Server edition, got a fixed IP from my ISP and gave access to all my employees using Windows' RDP deployed on the server.

Since then, I've been through two ransomware attacks, which compromised all my data, causing huge losses in business. Upon discussing it with local networking professionals, I received advice saying that such attacks can be avoided if I do these:

  1. add VPN
  2. add Firewall
  3. remove RDP dependency ("As RDP is one of the most insecure ways of accessing a database remotely", quoting as advised)
  4. move database from local system to cloud like AWS

Now, I talked to my ERP provider and they confirmed that they can provide me a solution where I don't need RDP: simply installing the software on any remote client and connecting it to the Database Server (local or cloud) would do the job.

Now, I have a couple of questions:

  1. Regarding Windows RDP: Is RDP actually the point of security lapse? Isn't there a way to make it more secure? Not that I am a big advocate of RDP, but I'm looking for a solution that comes with the fewest changes to the existing workflow, as it becomes a big challenge to update every client computer and re-train my staff.
  2. Regarding VPN and Firewall:
     a. Will setting up VPN and firewall actually save me from these ransomware attacks? To what degree will I be able to protect my data by adding these to my infrastructure?
     b. If you recommend that I should use VPN and firewall, then: I have received a couple of price quotations from multiple vendors, and I don't know how to evaluate them. I'm attaching images here in expectation of your evaluation about which one I should opt for.
     c. Can we bypass VPN and Firewall by setting up the DB on AWS? Are cloud services like AWS, Google and Azure a safe option? Do they eliminate any and all risk of ransomware attacks?
  3. Regarding Network Design: I am attaching images of current and proposed network designs, expecting your critical evaluation and requesting suggestions for improvement.

(For some reason I can't attach images directly in the post, so adding them via a Google Drive folder.) All images are in this link: Network Designs and Price Quotations

My requirements are that over 20 people should be able to use the ERP at any time of the day from anywhere in the world.

Please help!
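Whatever the architecture ends up being, an RDP endpoint that is reachable from the internet should at least be watched for credential guessing, because a run of failed logons followed by a success from the same address is the pattern that typically precedes a ransomware deployment. The Python below is an added example, not something from the post or its ERP vendor: it runs over constructed records shaped like the fields a log exporter pulls out of Windows Security events 4625 (failed logon) and 4624 (successful logon), and flags a source once it crosses a failure threshold inside a sliding window, plus any success from a source that is still over that threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types under which RDP attempts show up: 10 = RemoteInteractive, and
# 3 = Network, which is how an NLA (CredSSP) failure is recorded before a
# session exists. Type 3 also covers SMB and other network logons, so in
# production narrow it further using the process/port fields of the event.
RDP_LOGON_TYPES = {10, 3}

# Constructed sample records (not real log data): six failures from one
# address in 40 seconds, then a success from it, plus a benign user.
EVENTS = [
    {"time": "2021-06-12T02:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2021-06-12T02:00:09", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2021-06-12T02:00:17", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2021-06-12T02:00:25", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2021-06-12T02:00:33", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2021-06-12T02:00:41", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2021-06-12T02:00:50", "event_id": 4624, "logon_type": 10, "user": "administrator", "src": "198.51.100.23"},
    {"time": "2021-06-12T02:01:00", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src": "203.0.113.9"},
    {"time": "2021-06-12T02:01:30", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src": "203.0.113.9"},
    {"time": "2021-06-12T02:02:00", "event_id": 4625, "logon_type": 2, "user": "jdoe", "src": "-"},  # console, ignored
    {"time": "2021-06-12T02:02:10", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src": "203.0.113.9"},
]


def detect_rdp_attacks(events, threshold=5, window=timedelta(minutes=5)):
    """Return (kind, src, user, time) alerts.

    'bruteforce' fires once, when a source reaches `threshold` RDP failures
    within `window`; 'success-after-failures' fires for a 4624 from a source
    that still has at least `threshold` failures inside the window."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO-8601 sorts lexically
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(ev["time"])
        q = recent[ev["src"]]
        while q and ts - q[0] > window:        # expire failures older than the window
            q.popleft()
        if ev["event_id"] == 4625:
            q.append(ts)
            if len(q) == threshold:            # crossing the threshold, not every event after
                alerts.append(("bruteforce", ev["src"], ev["user"], ev["time"]))
        elif ev["event_id"] == 4624 and len(q) >= threshold:
            alerts.append(("success-after-failures", ev["src"], ev["user"], ev["time"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(EVENTS):
        print(*alert)
```

The second alert kind is the one worth paging on: a brute-force alone says someone is guessing, while a success from the same address inside the window says the guess landed and the account should be treated as compromised until proven otherwise.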



Network speed is low in upload

Hello,

I have a 100 Mbps connection from my ISP in the company, and when I run the speed test from cable, I see that the upload is very low (download is 64.93 and upload is 6.79) although there is not much traffic in the network. What could be the reason for this result, please?

Thank you.



Bandwidth benchmark: Direct / SSH / ZeroTier / ZeroTier self-hosted / TailScale

Context

First post on Reddit, not sure if I'm doing it the right way.

I am not a member of any of the companies cited in this post, I am simply publishing the results of a quick test that I carried out on a personal basis.

It is a bandwidth comparison between a direct Internet connection, an SSH tunnel, ZeroTier, self-hosted ZeroTier and TailScale between my personal laptop and a remote server.

Test computer

Laptop:

  • Ubuntu 21.04
  • Ethernet connection: 1 Gbps

Speedtest measure:

  • Ping: 9 ms
  • Download: 904 Mbps
  • Upload: 157 Mbps

Test server

AWS instance :

  • t3.large instance
  • Ubuntu 20.04
  • Network burst bandwidth according to AWS: 5 Gbps

Speedtest measure:

  • Ping: 1.22 ms
  • Download: 4751 Mbps
  • Upload: 4772 Mbps

Measuring tool

Basic usage of iPerf3, other tests should be done to obtain more significant and complete measurements, do not hesitate to send your proposals and contributions.

iPerf3 command line used on the server side:

iperf3 -s 

iPerf3 command line used on the client side, 8 threads:

iperf3 -c <ip-address> -P 8 

The tests were run several times for each measurement to ensure that the results were not exceptional.

Direct access

Opening of the iPerf port, directly accessible from the Internet (unsecured connection). Results:

[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.03  sec  59.8 MBytes  50.1 Mbits/sec  receiver
[  8]   0.00-10.03  sec  69.5 MBytes  58.2 Mbits/sec  receiver
[ 10]   0.00-10.03  sec  76.1 MBytes  63.7 Mbits/sec  receiver
[ 12]   0.00-10.03  sec  43.2 MBytes  36.1 Mbits/sec  receiver
[ 14]   0.00-10.03  sec  53.4 MBytes  44.7 Mbits/sec  receiver
[ 16]   0.00-10.03  sec  54.5 MBytes  45.6 Mbits/sec  receiver
[ 18]   0.00-10.03  sec  63.8 MBytes  53.4 Mbits/sec  receiver
[ 20]   0.00-10.03  sec  45.0 MBytes  37.7 Mbits/sec  receiver
[SUM]   0.00-10.03  sec   465 MBytes   389 Mbits/sec  receiver

SSH Tunnel mode

SSH tunnel established as follows:

ssh <login>@<ip-address> -L 15201:localhost:5201 

Results:

[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.18  sec  37.0 MBytes  30.5 Mbits/sec  receiver
[  8]   0.00-10.18  sec  37.0 MBytes  30.5 Mbits/sec  receiver
[ 10]   0.00-10.18  sec  37.0 MBytes  30.5 Mbits/sec  receiver
[ 12]   0.00-10.18  sec  37.0 MBytes  30.5 Mbits/sec  receiver
[ 14]   0.00-10.18  sec  37.0 MBytes  30.5 Mbits/sec  receiver
[ 16]   0.00-10.18  sec  37.0 MBytes  30.5 Mbits/sec  receiver
[ 18]   0.00-10.18  sec  37.0 MBytes  30.5 Mbits/sec  receiver
[ 20]   0.00-10.18  sec  37.0 MBytes  30.5 Mbits/sec  receiver
[SUM]   0.00-10.18  sec   296 MBytes   244 Mbits/sec  receiver

ZeroTier

ZeroTier installation and access via the ZeroTier IP. Results:

[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.02  sec  12.6 MBytes  10.5 Mbits/sec  receiver
[  8]   0.00-10.02  sec  12.7 MBytes  10.7 Mbits/sec  receiver
[ 10]   0.00-10.02  sec  13.1 MBytes  11.0 Mbits/sec  receiver
[ 12]   0.00-10.02  sec  12.5 MBytes  10.4 Mbits/sec  receiver
[ 14]   0.00-10.02  sec  11.8 MBytes  9.86 Mbits/sec  receiver
[ 16]   0.00-10.02  sec  11.4 MBytes  9.58 Mbits/sec  receiver
[ 18]   0.00-10.02  sec  13.1 MBytes  10.9 Mbits/sec  receiver
[ 20]   0.00-10.02  sec  13.8 MBytes  11.6 Mbits/sec  receiver
[SUM]   0.00-10.02  sec   101 MBytes  84.6 Mbits/sec  receiver

Self-hosted ZeroTier

ZeroTier is installed on a basic OVHCloud Sandbox VPS using a version of the controller and the ztncui interface, launched via Docker (GitHub available). Results:

[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.02  sec  41.9 MBytes  35.1 Mbits/sec  receiver
[  8]   0.00-10.02  sec  41.2 MBytes  34.5 Mbits/sec  receiver
[ 10]   0.00-10.02  sec  36.7 MBytes  30.7 Mbits/sec  receiver
[ 12]   0.00-10.02  sec  40.0 MBytes  33.5 Mbits/sec  receiver
[ 14]   0.00-10.02  sec  37.8 MBytes  31.7 Mbits/sec  receiver
[ 16]   0.00-10.02  sec  41.9 MBytes  35.1 Mbits/sec  receiver
[ 18]   0.00-10.02  sec  38.2 MBytes  32.0 Mbits/sec  receiver
[ 20]   0.00-10.02  sec  40.3 MBytes  33.7 Mbits/sec  receiver
[SUM]   0.00-10.02  sec   318 MBytes   266 Mbits/sec  receiver

TailScale

Removing the ZeroTier client before testing TailScale. Installation of the TailScale client and access via its IP. Results:

[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.03  sec  42.5 MBytes  35.5 Mbits/sec  receiver
[  8]   0.00-10.03  sec  64.3 MBytes  53.8 Mbits/sec  receiver
[ 10]   0.00-10.03  sec  43.6 MBytes  36.5 Mbits/sec  receiver
[ 12]   0.00-10.03  sec  71.6 MBytes  59.9 Mbits/sec  receiver
[ 14]   0.00-10.03  sec  51.6 MBytes  43.1 Mbits/sec  receiver
[ 16]   0.00-10.03  sec  49.9 MBytes  41.7 Mbits/sec  receiver
[ 18]   0.00-10.03  sec  65.6 MBytes  54.9 Mbits/sec  receiver
[ 20]   0.00-10.03  sec  47.9 MBytes  40.1 Mbits/sec  receiver
[SUM]   0.00-10.03  sec   437 MBytes   366 Mbits/sec  receiver

Comments

The ZeroTier measure is surprisingly low. The tests were done several times to validate the measurement, it did not change the result. It will probably be necessary to try again later.

ZeroTier via its managed and free offer is very complete in terms of management functionality, network splitting, etc. It is probably the most complete of this comparison at the moment.

The self-hosted version of ZeroTier with its own interface meets the basic need and works very well. However, you need to be willing to manage an additional server, which can be a barrier for some.

On the TailScale side, the free version allows you to easily connect different machines, and by relying on WireGuard and NAT magic, offers good performance. If you want to use different networks and accounts as it can be the case for ZeroTier in a native way, TailScale will not allow you to do it easily for the moment but the question is asked (here for example).

This short performance comparison is not complete and deserves more measurement and competitors, feel free to make your proposals.
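Comparing these runs by eye means re-adding eight stream lines per mode, so the Python below, an added example rather than anything from the post, parses the iperf3 receiver summary format the post shows (the "Direct access" and "SSH tunnel" blocks are embedded as input), checks that the per-stream bitrates agree with the [SUM] line, and computes each tunnel's throughput relative to the direct run. One assumption on my part: through the -L forward shown in the post, the client command would be run against the local end of the tunnel (iperf3 -c localhost -p 15201), which is how the SSH figures are interpreted here.

```python
import re

# The post's own "Direct access" and "SSH tunnel" receiver summaries,
# re-wrapped one stream per line (values copied from the post).
DIRECT = """\
[  5]   0.00-10.03  sec  59.8 MBytes  50.1 Mbits/sec  receiver
[  8]   0.00-10.03  sec  69.5 MBytes  58.2 Mbits/sec  receiver
[ 10]   0.00-10.03  sec  76.1 MBytes  63.7 Mbits/sec  receiver
[ 12]   0.00-10.03  sec  43.2 MBytes  36.1 Mbits/sec  receiver
[ 14]   0.00-10.03  sec  53.4 MBytes  44.7 Mbits/sec  receiver
[ 16]   0.00-10.03  sec  54.5 MBytes  45.6 Mbits/sec  receiver
[ 18]   0.00-10.03  sec  63.8 MBytes  53.4 Mbits/sec  receiver
[ 20]   0.00-10.03  sec  45.0 MBytes  37.7 Mbits/sec  receiver
[SUM]   0.00-10.03  sec   465 MBytes   389 Mbits/sec  receiver
"""

SSH = """\
[  5]   0.00-10.18  sec  37.0 MBytes  30.5 Mbits/sec  receiver
[  8]   0.00-10.18  sec  37.0 MBytes  30.5 Mbits/sec  receiver
[ 10]   0.00-10.18  sec  37.0 MBytes  30.5 Mbits/sec  receiver
[ 12]   0.00-10.18  sec  37.0 MBytes  30.5 Mbits/sec  receiver
[ 14]   0.00-10.18  sec  37.0 MBytes  30.5 Mbits/sec  receiver
[ 16]   0.00-10.18  sec  37.0 MBytes  30.5 Mbits/sec  receiver
[ 18]   0.00-10.18  sec  37.0 MBytes  30.5 Mbits/sec  receiver
[ 20]   0.00-10.18  sec  37.0 MBytes  30.5 Mbits/sec  receiver
[SUM]   0.00-10.18  sec   296 MBytes   244 Mbits/sec  receiver
"""

# One iperf3 summary line: "[ ID] start-end sec transfer unit bitrate unit role".
LINE_RE = re.compile(
    r"^\[\s*(?P<id>\d+|SUM)\]\s+(?P<t0>[\d.]+)-(?P<t1>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xu>[KMG])Bytes\s+(?P<rate>[\d.]+)\s+(?P<ru>[KMG])bits/sec\s+"
    r"(?P<role>sender|receiver)\s*$"
)
TO_MBPS = {"K": 1e-3, "M": 1.0, "G": 1e3}


def parse_iperf3(text, role="receiver"):
    """Return {'streams': {id: Mbit/s}, 'sum_mbps': Mbit/s} for one run."""
    streams, total = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["role"] != role:
            continue
        mbps = float(m["rate"]) * TO_MBPS[m["ru"]]
        if m["id"] == "SUM":
            total = mbps
        else:
            streams[int(m["id"])] = mbps
    if total is None:              # single-stream runs (no -P) print no SUM line
        total = sum(streams.values())
    return {"streams": streams, "sum_mbps": total}


def streams_match_sum(result, tolerance=0.01):
    """iperf3 rounds every line to three significant digits, so the stream
    total and the SUM line can differ slightly; allow 1% by default."""
    total = sum(result["streams"].values())
    return abs(total - result["sum_mbps"]) <= tolerance * result["sum_mbps"]


def relative_throughput(baseline, candidate):
    """Candidate throughput as a fraction of the baseline (direct) run."""
    return candidate["sum_mbps"] / baseline["sum_mbps"]


if __name__ == "__main__":
    direct, ssh = parse_iperf3(DIRECT), parse_iperf3(SSH)
    print("direct consistent:", streams_match_sum(direct))
    print(f"ssh tunnel keeps {relative_throughput(direct, ssh):.0%} of direct throughput")
```

Paste the ZeroTier and TailScale blocks in the same way to get their ratios; the identical 30.5 Mbit/s per stream in the SSH run is also visible in the parsed data, which is what you would expect when all eight streams are being multiplexed through a single TCP connection.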



Trying to resolve Cisco VPN drops

Hello,

There are a few people on my team who have issues with their Cisco VPN dropping. I can't find a solution from Cisco or anything on the internet. My best guess is it's one of the keepalive timers.

I'm trying to force the client side of the VPN to stop dropping during any kind of minor drops from their house due to their crappy ISP connections. Below is something I came across on the spiceworks forum.

https://community.spiceworks.com/how_to/818-fixes-for-cisco-vpn-client-with-dsl

I have added...

ForceKeepAlives as a registry key in the Cisco registry with the value of one due to how our VPNs are configured. Can this work? Also, does anyone have any other info?



Can anyone help identify this device I saw in a video?

Can anyone help identify this device I saw in a video? Closest I got was a WatchGuard firewall but I'm not confident.

http://imgur.com/a/UhT3TWE



Add Network to a Proxmox VM with internet access but not accessible from outside

Is there a way I can add a network to a VM on Proxmox with:

  1. VM has internet access (through host? I'm not sure if this is how it works)
  2. VM need not have an external IP and need not be accessible on the internet. (I have limited IPs rented from the dedicated server provider)

I am new to networks so any help would be greatly appreciated.



Friday, June 11, 2021

Hikvision hik-connect trouble over WLAN

Having trouble setting up Hik-Connect over WLAN.

I have a Hikvision NVR and I'm putting the NVR's IP address into Hik-Connect under manual adding while connected to the router, which does not have internet access, but I still get a "connection failed" each time I try.



BGP Peer Flap Dampening

Is there any concept such as BGP Peer Dampening on Cisco IOS? I'm not finding anything. I've investigated BGP route dampening and ip event dampening. Both of these solve some scenarios, but not the main goal I'm trying to solve which is a BGP peering flapping over and over with a service provider but without losing the interface to them. I've thought about an EEM script, but I'd like something more purpose built. Thanks!



Recommendations for a good and cheap enterprise class router

I have CenturyLink business fiber and would like to use my own router as I have a lot of devices connected doing various things (total sustained download between ~400 devices is around 200 Mbit/s).

Looking for a good yet not too pricey router that can handle my needs.



Best Practice - Access Point terminations

Is it best practice to terminate the cable end closest to the access point with a male end or a female end and then use a patch cable? To me, the female end seems like it would be an extra point of failure?



Senior Network Engineer at small MSP

Hello all,

I have a second interview for a senior network engineer at the small MSP (50 employees total with around 20 clients). I've never worked for an MSP before and never for such a small company. Two of my network engineering jobs have been in mid size corporate environments and another one was at an intermediate unit (education, in between the state department of education and the local school districts).

Can anybody who has worked for a small MSP let me know what I'm in for if I take this job (assuming I get past the second interview)? Also, anyone have any pointers on things that I should ask in the interview (if there's anything specifically related to MSPs that I should ask)?



IT Problem - What makes 2 not like the other 12

Symptoms: At 2 of 12 sites, the speed test at the firewall shows poor results that get worse over time until the connection grinds to a halt.

Tests:
Rebooting everything simultaneously at the data rack clears the issue but it will return tomorrow or later today.
Rebooting the modem alone clears the issue but it will return tomorrow or later today.
Rebooting just the firewall has no effect.
Bandwidth graphs look pretty normal at control and affected sites.
At 1 affected site the Spectrum tech replaced the modem. No effect.
At the other affected site Spectrum did not as they said their tests didn't find a problem.
Running a speed test with and without the LAN plugged in has no effect.

Background:
11 (including both affected) sites recently had roughly 10 Fanvil X3U phones installed that connect to a central PBX (3CX)
All 12 sites are set up and configured mostly identically.
All 12 sites have a single cable modem connection in a corporate environment.
All 12 sites have pfSense firewalls version 2.5.1.
12 sites are in an IPSEC mesh configuration.
All 12 sites have a 52 port PoE switch that powers a number of PoE devices.

6 of 12 sites have Spectrum (including the affected) with a speed of 400/20 with 150/10 at the firewall under load.
1 of 12 is on 1000/1000 using a Comporium Fiber connection that connects the mesh to a Datacenter (Where the PBX is).
5 of 12 sites have Comcast with 500/35 speeds.



Private Ethernet Transport between two buildings and different subnets

Sanity check time!

Hoping y'all can help me out. I took over a customer in the middle of a WAN circuit upgrade and a "Private Ethernet Transport" connection. The two buildings are down the street from one another. Currently sites are connected via S2S VPN over their respective WAN connections (Soon to be replaced).

Main site is 192.168.0.0/24

Remote site is 192.168.1.0/24

The ISP is telling me their router is set up with int 0 WAN and int 1 is the PET line.

I am good with the WAN changes, but I'm trying to confirm the following makes sense-

  • Create new VLAN on switches at each location. VLAN 99
  • Connect an access port in VLAN 99 to the next available int on the SonicWALL- X4
  • Give the X4 interface an IP- 192.168.99.1/24 at main and 192.168.99.2/24 at the remote building
  • At main- add route for 192.168.1.0/24 next hop X4
  • At remote site- add route for 192.168.0.0/24 next hop X4

With the routing in place, a host at each location should be able to communicate and at that point, I can remove the S2S. Correct?



DNAC - opinions?

I’m a bit underwhelmed by it. I guess I was expecting more. The whole requiring new gear limited our options - like no reason to use/license stealth watch.

I've run through the process of onboarding a few times for some new 9ks. Just seems like so much manual work to import in the beginning. I'm trying to think of easy/lazy ways to make these implementations smooth. Would like to hear any shortcuts anyone else might have come up with. Here's a few ideas I'm thinking of:

  1. Run a python script and convert the config to 9k. This seems straight forward. It’s prep work prior for the template.
  2. Would be nice if there’s a way to bypass the GUI and insert template, net profile, set claim, provision etc? Anyone know if that’s a thing?

The trouble we have bringing up some of these switches is that they don't come up in order. Even if we set ToR with the right serial it isn't a guarantee that the switches populate correctly, so then we have to renumber the switch stack, which adds to the time. Then there are other little gotchas.

What are your thoughts and feelings about DNAC?



Help with understanding L2/L3 Port-channels

Is it possible to create a layer 3 port-channel using the VLAN interface on a L3 switch to an IOS XE router interface? For example, using GNS3 I set the L3 switch as the core with multiple routers in a port-channel connected to it. The port-channel formed, they can ping one another, and I can see the neighbor relationship. My worry though is that when I check the etherchannel summary of both devices, the L3 switch says it is a Layer 2 channel (SU) while the RTR says it is a Layer 3 channel (RU). Will this cause any issues with devices or networks that will be behind this router? Can I connect more routers to the switch in the same method using the same VLAN interface on the L3 switch? Maybe I'm reading too much into it, but the layer 2 channel to layer 3 channel is really confusing me. Any remark is appreciated!!

Relevant config example:

-----L3 Switch------
interface Port-channel1
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 negotiation auto
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 switchport access vlan 890
 switchport mode access
 negotiation auto
 channel-group 1 mode active
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
router eigrp 100
 network 10.0.0.0

----RTR----
interface Port-channel1
 ip address 10.0.10.2 255.255.255.0
!
interface GigabitEthernet1
 no ip address
 channel-group 1 mode active
!
interface GigabitEthernet2
 no ip address
 channel-group 1 mode active
!
router eigrp 100
 network 10.0.0.0
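The SU/RU difference in the post comes straight from the config: the switch's Port-channel1 carries switchport commands (a layer 2 bundle whose IP lives on interface Vlan10), while the router's Port-channel1 carries an ip address (a layer 3 bundle). That mismatch across the link is normal and expected. What does matter on an EtherChannel is that all member ports of one bundle carry identical settings, and the posted switch config has Gi0/1 in access VLAN 10 but Gi0/2 in access VLAN 890. The Python below is an added example, not part of the post: a small consistency check that parses IOS-style interface blocks, classifies each Port-channel as L2 or L3 from its own configuration, and reports members whose bundling-relevant settings differ from the first member. The two configs from the post are embedded as its input; the list of settings it compares is my own choice and deliberately limited to the common ones.

```python
import re
from collections import defaultdict

# The post's switch and router configs, used as sample input.
SWITCH_CONFIG = """\
interface Port-channel1
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 negotiation auto
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 switchport access vlan 890
 switchport mode access
 negotiation auto
 channel-group 1 mode active
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
router eigrp 100
 network 10.0.0.0
"""

ROUTER_CONFIG = """\
interface Port-channel1
 ip address 10.0.10.2 255.255.255.0
!
interface GigabitEthernet1
 no ip address
 channel-group 1 mode active
!
interface GigabitEthernet2
 no ip address
 channel-group 1 mode active
!
router eigrp 100
 network 10.0.0.0
"""

# Settings that every member of a bundle must agree on (assumed subset; a real
# audit would cover more, e.g. STP and QoS per platform docs).
COMPARED_PREFIXES = (
    "switchport mode", "switchport access vlan", "switchport trunk",
    "no switchport", "speed", "duplex",
)


def parse_interfaces(config):
    """Return {interface name: [config lines]} for each 'interface' block.
    A lone '!' ends a block, as in IOS 'show running-config' output."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def member_settings(lines):
    """The subset of an interface's lines that must match across members."""
    return frozenset(l for l in lines if l.startswith(COMPARED_PREFIXES))


def check_port_channels(config):
    """For each channel-group: its layer, its members, and members whose
    compared settings differ from the first member's."""
    blocks = parse_interfaces(config)
    groups = defaultdict(list)
    for name, lines in blocks.items():
        if name.lower().startswith("port-channel"):
            continue
        for line in lines:
            m = re.match(r"channel-group (\d+) mode (\S+)", line)
            if m:
                groups[int(m.group(1))].append((name, member_settings(lines)))
    report = {}
    for num, members in groups.items():
        po_lines = blocks.get(f"Port-channel{num}", [])
        layer = "L3" if any(l.startswith("ip address") for l in po_lines) else "L2"
        baseline = members[0][1]
        report[num] = {
            "layer": layer,
            "members": [name for name, _ in members],
            "mismatched": [name for name, settings in members if settings != baseline],
        }
    return report


if __name__ == "__main__":
    print("switch:", check_port_channels(SWITCH_CONFIG))
    print("router:", check_port_channels(ROUTER_CONFIG))
```

Run against the post's configs it reports the switch bundle as L2 with GigabitEthernet0/2 mismatched and the router bundle as L3 with no mismatches, which is the first thing to look at before worrying about the SU/RU labels.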



Reliable Switchport Detection Source?

Yea, the title is confusing. Let me explain. No No... that will take too long. Let me sum up. (Princess Bride Reference)

Our developers are trying to improve the device location tech in our software.

Currently, when we set up our software, we read into a database all the switches (Chassis ID and Port ID) which we obtain utilizing SNMP (polling the LLDP device table) (link to what I believe the table is: http://www.circitor.fr/Mibs/Html/L/LLDP-MIB.php#LldpChassisId)

When our clients start up, they listen for the LLDP packet coming from the switch, and send the ChassisID and PortID to the DB, and voila, we know where we are plugged in, and magic software stuff happens based on the location.

Until the switches are stacked. As we start adding switch stacks, we've noticed that the ChassisID changes based on which switch is selected as master on bootup. Yes there are things we can do to force the same switch to be the master, but when we have to replace that switch, that breaks.

We currently do not re-query the switches to "refresh" the data.

So... I'm pretty sure this is how most IP phones do E911 location mapping. But I don't know that for a fact.

Are there other methods out there that identify port location?
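The Python below is an added example, not the poster's client code: it builds two constructed LLDPDUs in the IEEE 802.1AB TLV layout (7-bit type, 9-bit length, then payload), parses them back into Chassis ID, Port ID, TTL and System Name, and shows why a lookup keyed on the chassis MAC breaks when a stack elects a different master while the same lookup keyed on the System Name TLV does not. Treating the system name as the stable stack identity is a design assumption of mine (it is the configured hostname, shared by the whole stack, so it changes only when someone renames the device), not something the post confirms.

```python
import struct

# 802.1AB TLV types used here, and the chassis/port ID subtypes we decode.
END, CHASSIS_ID, PORT_ID, TTL, SYSTEM_NAME = 0, 1, 2, 3, 5
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 3, 5


def tlv(tlv_type, payload):
    """Encode one TLV: 7-bit type and 9-bit length packed into two bytes."""
    if len(payload) > 0x1FF:
        raise ValueError("TLV payload too long")
    return struct.pack("!H", (tlv_type << 9) | len(payload)) + payload


def build_lldpdu(chassis_mac, port_name, sys_name, ttl=120):
    """Constructed LLDPDU (Ethernet header omitted) with the mandatory TLVs
    plus System Name, in the order the standard requires."""
    return b"".join([
        tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac),
        tlv(PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode()),
        tlv(TTL, struct.pack("!H", ttl)),
        tlv(SYSTEM_NAME, sys_name.encode()),
        tlv(END, b""),
    ])


def parse_lldpdu(data):
    """Walk the TLV list and return the fields a location lookup needs."""
    tlvs, off = {}, 0
    while off + 2 <= len(data):
        (hdr,) = struct.unpack_from("!H", data, off)
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        off += 2
        payload = data[off:off + tlen]
        if len(payload) != tlen:
            raise ValueError("truncated TLV")
        off += tlen
        if ttype == END:
            break
        tlvs.setdefault(ttype, payload)   # mandatory TLVs appear once; keep the first
    missing = [t for t in (CHASSIS_ID, PORT_ID, TTL) if t not in tlvs]
    if missing:
        raise ValueError(f"missing mandatory TLVs: {missing}")
    chassis, port = tlvs[CHASSIS_ID], tlvs[PORT_ID]
    return {
        "chassis_subtype": chassis[0],
        "chassis_id": chassis[1:].hex(":") if chassis[0] == CHASSIS_SUBTYPE_MAC
                      else chassis[1:].decode(errors="replace"),
        "port_subtype": port[0],
        "port_id": port[1:].hex(":") if port[0] == PORT_SUBTYPE_MAC
                   else port[1:].decode(errors="replace"),
        "ttl": struct.unpack("!H", tlvs[TTL])[0],
        "system_name": tlvs[SYSTEM_NAME].decode(errors="replace") if SYSTEM_NAME in tlvs else None,
    }


def location_key(info, stable=False):
    """Key used to look the port up in the location DB. With stable=True the
    System Name replaces the chassis MAC, so a stack master change does not
    move every port to a new key."""
    if stable and info["system_name"]:
        return (info["system_name"], info["port_id"])
    return (info["chassis_id"], info["port_id"])


# Constructed frames: the same stack port before and after a master change;
# only the chassis MAC (the new master's base MAC) differs.
BEFORE = build_lldpdu(bytes.fromhex("001122334455"), "Gi1/0/7", "stack-floor2")
AFTER = build_lldpdu(bytes.fromhex("66778899aabb"), "Gi1/0/7", "stack-floor2")

if __name__ == "__main__":
    b, a = parse_lldpdu(BEFORE), parse_lldpdu(AFTER)
    print("mac key changed:   ", location_key(b) != location_key(a))
    print("name key unchanged:", location_key(b, True) == location_key(a, True))
```

The same parsed fields are what the SNMP side would store, so switching the DB key is a change in both the poller and the client; the Port ID keeps the member number (Gi1/0/7) and stays valid as long as the stack is not renumbered, which is the separate problem the post mentions.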



Device/Code Certification Process

What does the device/code certification process at your job look like?

When new hardware comes in or a new software update is released for an existing platform, what kind of testing is done to "validate" the device/code performs as expected?

Do you document your results in a formal tool, if so, what is it called?

I'd like to compare how my company does things to others in the industry to see where we can improve.

My employer is very certification heavy, where we certify every small change between software updates and new devices. For example, a new update comes out for a Nexus 9K, we deploy the update in the lab and execute hundreds of tests against the device manually and record the results one by one in a document. These results are then uploaded into an in-house tool. Given the high level of touch points, the certification process takes a week+ to complete, and is highly prone to user error. We are in the process of using pyATS/Genie and Robot Framework to develop automated test cases, but once those tests are complete and the results are generated, it's not obvious to me how best to document them, and how best to report on currently "approved" devices, software releases, and configurations.

How does your team handle this?



Creating a secure global connection profile

I'm trying to think of a secure way to allow SolarWinds NPM to run report jobs on all devices in our network with a single login. We used to do this through an RSA authentication server. Security set up an RSA account with a PIN only. We recently switched over to SecureAuth and we were thinking we could use the same method, but with the increase in ransomware attacks, we have concerns. Does anyone have any ideas?



FTTC v EoFTTC in the UK

Reaching out to people working in the UK, anyone with views and experience of Openreach-backed FTTC and other vendors' LLU-backed EoFTTC products.

In designing remote sites for up to 10 users, do you have a preference or horror stories of one or the other? I like to design out risk; I cannot justify fibre DIA for these sites, but the extra for the SLA uplift and the performance benefits of not sharing bandwidth is within budget.

Basically what I am asking is: is it really technically better, or just a sales pitch for a more expensive service?

Ta



How to create a VPN Business

Hi all! I'm not sure if this would be the correct place to ask, but I'm genuinely curious about the process behind this.

I am interested in selling proxy IPs and I'm really confused about the necessary steps.

From what I have gathered (or believe to have gathered), you would need to purchase a subnet of some sort, a range of IPv4.

You would need some sort of server that allows multiple IPs, maybe?

You would somehow create an open port for each IP and generate a username and password for each IP.

Then you would essentially group them or individually sell them, and keep track of which are sold and which are available.

This is of course, how I believe it works, but please correct me here. If further insight on this could be provided, or pointing me in the direction of additional resources, it would be greatly appreciated! Thank you!



Error Flow Control and Error Correction in Data Communications

Are Error Correction methods considered protocols? For example, my syllabus covers:
Error Flow Control methods: Stop-and-Wait, Sliding Window
Error Correction methods: Forward Error Correction, Automatic Repeat Request, Hybrid Automatic Repeat Request
While I was doing research to better understand these topics, I noticed how Stop-and-Wait was referred to as 'Stop-and-Wait Protocol' and Sliding Window was referred to as 'Sliding Window Protocol'. However, I never saw any of the Error Correction methods referred to as 'Forward Error Correction Protocol' or 'Automatic Repeat Request Protocol'. Is it because Error Correction methods simply can't be referred to as protocols while Error Flow Control methods can?



Need suggestions for a new VOIP Provider - US

Maybe the wrong place to ask but I'm really tired of listening to salesmen.
Our current VoIP provider is awful. It's cloud based and everything sucks about them: everything from customers not being able to hear us (or us them) to dropped calls, or calls never even ringing through. The softphone app works when it wants to, and physical phones will not provision reliably.

Can you guys share who your provider is and how they have been? I would LOVE to have an on-site SIP server again. Having that as an option would be very nice. Wholesale support would also be a massive bonus.



Network Related Question.

I have a 400-meter factory. I am using a Mikrotik RB3011UiAS-RM to handle 100 Dahua IP cameras, 4 NVRs, and 80 desktop users. I am using MAC binding and static IPs to assign Internet access.

My first question is: is my router enough to support my load, or is it better to upgrade? Please suggest a model.

This is my first post; please accept any mistakes ;)



Netbox customize Prefixes->Prefix->IPs table

Hi there,

Is there a way to customize the table I get when I click to a specific Prefix and then on the IPs tab?

To be more specific I'd like it to show the MAC address for the interface instead of the name.

Any way to get this?



Need default credentials for Aruba 2930F Switch

Hello,

I've not managed to find what username and password to provide when trying to enter "enable" mode. Nothing I come across on the world wide web seems to work for me.

Called HP / Aruba support yesterday but they weren't very helpful either.



Static IP assignment before booting process

Hi

Do Cisco IP phones support static IP assignment before the boot process?



Thursday, June 10, 2021

How do I view used IP Addresses in a VLAN on a Cisco 3750X Switch?

I have a Cisco 3750X Switch.

On this switch is a VLAN with devices configured to use it. The IP addresses being assigned in this VLAN are configured to be static. I can see certain IP addresses are currently in use, but being static, I want to know if the next available IP is available or if it was already assigned and then the device was unplugged.

Is there a way to go back and see all IP addresses that have already been reserved?

Example:

Currently I see devices using:

10.112.42.1 10.112.42.2 10.112.42.5 10.112.42.10

To me, that means .3, .4, .6-.9 were used on devices that are no longer plugged in.

Theoretically, the next device to use the VLAN could be .11. However, if other devices have been on the VLAN and unplugged, it could be even higher. So that's what I'm trying to figure out. Can I see which IP addresses have already been reserved/used?

Thank you!



working with ansible-pyats cannot get show bgp all neighbors xx.xx.xx.xx advertised-routes

I am not sure I am getting the syntax right, but I want to get the advertised-routes out of a router in structured data.

playbook: (note this is in a home lab)

---
- name: Show bgp adv routes
  hosts: ios-router
  connection: network_cli
  gather_facts: no
  roles:
    - ansible-pyats
  tasks:
    - pyats_parse_command:
        command: show bgp all neighbors 10.250.150.10 advertised-routes
      register: output
    - debug:
        var: output.structured

output:

TASK [pyats_parse_command] *********************************************************************************************************************************************

fatal: [192.168.86.211]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python3"}, "changed": false, "msg": "Unable to parse output for command 'show bgp all neighbors 10.250.150.10 advertised-routes' ('Device' object has no attribute 'execute')"}

The command does have output on the router, and I can use something like 'show ip route' and get structured data, but I need the advertised routes.

thanks!



Fiber Networking Noob

Not sure if this is the right sub for this?
My company recently got new workstations with 25GbE NICs with SFP28 ports and was presented an upgrade plan from the workstation manufacturer to a new 100GbE NIC with QSFP56 ports.
I know that I can connect 4 servers with SFP28 cards/transceivers to a single QSFP28 port in a switch with a breakout cable. I'm puzzled whether this also works the other way around, i.e. connecting 4 SFP28 ports on the switch to one QSFP56 NIC in the workstation? Would this limit the single connection/lane speed to that of the SFP28 transceivers?
The reason would be that the smaller workstations will deliver their content with 25GbE to the "main" render workstation, which needs the bigger NIC bandwidth to ingest all of them at once.

I just feel overwhelmed by this new QSFP56, with little experience in more than single-lane fiber networking.



BGP - Peering, AS'es, and what is Comcast doing?

Hey all,

I've used Comcast's DIA product (EDI) over several jobs, and while I'm well versed in enterprise networking, most of the carrier magic is... well, magic to me.

Mostly for my own knowledge but I'm curious why/how this happens. I peer with AS7922, however looking at the BGP paths, or here - https://bgp.he.net/AS33668#_peers I see that AS33668 sits between me, and 7922. Why is that happening and what's the reasoning behind it?

Looking at the HE output, it's clear that AS33668 is for Michigan, so at least that makes sense, but why don't I peer with that AS, and not 7922? Easier for them to manage on their end and they do the proper overrides in the AS path?



Internet Circuit with multiple WAN IPs

I'm thinking about setting up a poor man's segmented network. Modem -> Switch -> Router 1 & Router 2. Each router would be set to its own static WAN IP. Anything weird I may encounter when performing this setup? Any crossover cables, etc. needed for this setup?



Ubiquiti USG & Vlans

Not sure if this qualifies as an enterprise question, although it is for our shop.
We have a USG with a Unifi switch attached for our wireless networks.

We have 7 APs connected.
It has a direct connection on the WAN to the Internet through a DSL modem.

We have recently revamped our network, and we want to put 4 vlans on this router, and have it handle unsecured traffic.
VLAN 100 - Management (10.30.100.x)
VLAN 102 - Secured wifi (10.30.102.x) (connects to our regular switchstack on vlan, and is handled by internal DHCP)

VLAN 200 - Wifi traffic for guests. (10.30.200.x) (USG DHCP) (preferably as a guest network that cannot talk to other networks)
VLAN 201 - IOT (10.30.201.x) (USG DHCP) (ring doorbell and such)

I want the APs on the management network (not vital that it be VLAN 100).

I'm having trouble getting a VLAN-only network on the USG with the USG giving out DHCP.

I want the APs to get DHCP on the 100 network, preferably from the USG.

I want the VLAN 200 clients to get DHCP from the USG.

I want VLAN 201 clients to get DHCP from the USG.

I'm a little stuck.

I've created 3 LAN networks on LAN 2. I can assign these to different VLANs and DHCP scopes, but I don't know how to configure the switch to give 100.x addresses to the APs, and 200.x IPs to the wireless clients (Unifi switch config).

If I assign both VLANs to a switch port, how would it decide which range to give to the AP connected, and which range to give to the clients?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



Bgp route reflector option : cisco asr1001 or FRRouting ?

I have 2 old Cisco ASR1001s.

I am planning to deploy the RR on the network. I was thinking of deploying it on a pair of old Cisco ASR1001s (4G RAM) or installing FRRouting on a server. (Anyone tried this?)

Which option is best?



Are there any communities for network support/TAC folks to compare their various pain points?

I've been in the support game in some form or another for nearly a decade now, and I often feel like there's a constant sense of surprise when I hear that the stuff that drives me crazy isn't as bad on my side as I'd think.

I've never really heard of communities for different vendor support folks to vent and/or give each other perspective, so I'm curious if any exist, or if people would be interested in one (and no, I'm not talking tailsfromtechsupport, I mean a way for people to commiserate or provide genuine strategies for one another)



Intermittent issues across our network ever since the Fastly outage the other day

We've been having circuits drop for 20-30 seconds at a time ever since the Fastly incident the other day, and not limited to one region or one particular network. Circuits completely independent from each other region-wise, all the way from the Mid West to the West Coast.

Entire swaths of customer equipment have been going offline in some areas, generally one state at a time, and then coming back online after a few minutes.

It's like the entire Internet has a chaos monkey running through it, and we can't pinpoint it to one circuit, one area, or one region; with any rhyme or reason.

Then, when everything seems normal, we start to see insane jitter running through the network, up to 5% packet loss, then back to normal. Of course, everything internal or on our own fabric is unaffected.

I haven't seen reports anywhere of this, but now I'm going through things with a fine-toothed comb; wondering where this chaos monkey is, and how it's affecting systems at random that have almost nothing to do with each other.



Cisco 3850 to dell MXL force 10 switch RSPAN

Hi,

I'm trying to do an RSPAN from a Cisco 3850 to a Dell M1000e server chassis with Force10 MXL switches. Is it possible to mirror a port on the Cisco and bring it over to the Dell on a dedicated VLAN?

I attempted this and lost network connectivity to the ESX host I was trying to mirror to (on an unused port).



Lan switch causing lag spikes

Hello, I recently bought a LAN switch because I needed to connect one more PC to the LAN but didn't have any LAN ports left, so I bought the TP-Link TL-SG105. It's connected to my WiFi extender, a Fr!tz repeater 1200, which is connected to my Fr!tzbox 6600 cable. Before I connected the LAN switch to the WiFi extender I didn't have these ping spikes, and they only happen if my other PC uses the Internet at around 70 Mbit/s (I have a 250 Mbit/s connection). I don't know what's causing this problem.

Here are pictures of a ping test without the other PC using the Internet and when it is using the Internet:
https://imgur.com/a/blVwm4P



Cisco TLDP for VC labels only

I have an SR core and I'm trying to use LDP for signaling martini circuits. When I configure targeted LDP sessions between my PEs, a label is allocated for all of my host routes. Is there a way to have it only allocate VC labels?



VXLAN vendor interop? Arista / Cisco NX

Has anyone successfully gotten VXLAN to function cross vendor between Arista and Cisco Nexus 9k?

I have a temporary need to do it, and after configuration I find that the Ciscos learn the MACs from the Aristas just fine, but not vice versa.

It seems to be due to the fact that the Arista is using a unicast "vxlan flood vtep x.x.x.x" address which points all of the traffic to the Cisco successfully, but there is no analogue I can find on the Cisco side.

I'm in a time crunch, and if I can't get this to work, I need to engineer another solution.



E1 Cable Connection to a BT ASDH NTE 4U/7A

Hello all,

I am struggling to connect my gateway to a BT ASDH NTE 4U/7A. This is providing a Q.931 ISDN service.

My gateway installation manual says I need to make a 120 ohm crossover cable using Cat5 and RJ45 connectors by terminating as follows:

Pin 1---Pin 4
Pin 2---Pin 5
Pin 4---Pin 1
Pin 5---Pin 2

So I made the cable up and there isn't a Layer 1 link (customer LED is amber and not off). I have tried a straight-through cable; still nothing.

I have another E1 link in the same rack to a different BT unit, and this connects fine to my other gateway, which is exactly the same as my first gateway with exactly the same config, but via a straight-through patch cord.

Can anyone advise if I need to use a special cable or a special pinout to interface to a BT ASDH NTE 4U/7A, or if they have an installation manual/datasheet for it please?

Thanks in advance!



Growing pains and management, looking for a set of standards to reference

I am part of a smaller (6 currently) company that is in the process of hiring several new people. I'm happy, but this is stressful, and it's coming out that one of our biggest weaknesses is a lack of established policies and practices for new people to catch on to. I hope I'm not being too vague when I say that we have been very shoot-from-the-hip so far.

But recently I decided if we don't do something about it now. I vaguely remember that while cramming for a CySA+ exam they spent some time talking about a set of standards for things such as who has access to what passwords, separation of duties, doubling up on people who can perform a role so if someone leaves we're not sitting dead, etc.

It all seems so daunting, and I just wish I could reference a single doc of best practices as a starting point.



Enhanced Endpoint Tracker

Does anyone know of, or can anyone share, an OVA for the ACI Enhanced Endpoint Tracker? - https://aci-enhancedendpointtracker.readthedocs.io/en/latest/

Cisco TAC has requested we install it as a best practice due to some endpoint learning problems we are having. However, neither they nor the email address referenced can seem to get me a copy of the OVA. The emails to their inbox go unanswered, and unfortunately, for reasons I'll avoid, the Docker container is a no-go.

It's also no longer present on the ACI Application site.

It is maddening to me when a public tool is put out there but a company makes you go through hoops to get access to it.

So on top of turning to my Cisco Rep and my local network I figured maybe Reddit might come to the rescue.



iperf3 - unable to connect to server: Connection refused

Is there any flag to override this?

In iperf2, I'm able to send a stream of UDP data to an IP address using a command like:

iperf -c <remote_ip> -u -b 100M -n 5G

I'm trying to use the latest version, which is iperf3.

I'm trying to conduct throughput tests, where there isn't an iperf process at the other end. I can send a bunch of UDP data to an IP address at the other end of the link. Then using netflow statistics, I can see the throughput speed of the link.

This works fine for iperf (v2). However, I can't see a flag in iperf3 to ignore a missing server. Does this not exist in iperf3 (to avoid it being used as a denial-of-service tool)?

(I've been looking through the iperf support forums on sourceforge, can't find this question addressed.)



Recovering Cisco switch passwords

I am working on trying to gain access to our network switches. Our local fiber provider (which is a very small company) provides connectivity to their fiber through some Cisco 2960-L switches that we purchased. Due to the agreement we have with them we do not get access to the management of the switch as the equipment is shared between several companies in the area. However the main person who manages this equipment is now on a ventilator in the hospital with COVID. The passwords that were left with a co-worker of his are not working. This co-worker reached out to me to see if we have the device password which I do not. (We do have other admin rights to some of their equipment) I was also given permission to attempt to access the devices to assist them. I do have a log file with the MD5 hashed enable password and the main 2 users. They are configured to use the type 5 passwords.

The enable and user password hash are 30 characters long. The salt appears to be 4 characters.

My understanding is that hashcat should be able to assist with processing this hash, but so far I have had little luck with it.

Are there any recommendations for gaining access to these switches without losing the configs and with little/no downtime?

If this is something that should not be discussed I am open to chatting with someone through chat.



Looking for resources to learn iBWave (survey/planning tool)

I was handed a copy of iBWave and asked to become competent in using it. The app is endlessly complex and not intuitive at all, and while it does seem quite capable, I am overall struggling to see the value of it over, say, Ekahau (e.g. they put a lot of emphasis on stuff that just doesn't make sense, like 3D, auto-AP placements, and channel planning, none of which I am particularly impressed by after using them, nor would I really use anyway).

Their documentation is pretty underwhelming considering the complexity; I've reviewed just about every official video tutorial they've published and read through the in-app help but seem to have hit a dead-end because outside of following exact steps to accomplish basic design tasks, I'm still not where I need to be to work with this software.

And so, I'm wondering if anyone has any resources, experience, or anything they'd be able to share?



Configuring static routing for an additional IP class at our firm

Hi,

I need to configure static routing at our firm and I'm completely lost (new to static routing and never figured it out). How do I configure (Network Destination - Subnet Mask - Gateway) in our router? It seems whatever I do is wrong.

We have a static IP (let's call it 5.5.5.5) and an additional 8-IP class which is routed through 5.5.5.5.

The 8-IP class has this space: 82.70.39.16 - 82.70.39.23 (changed numbers a bit but anyway).

I need to be able to connect a server that will use the IP 82.70.39.20 (for example) and be accessible from the Internet. (Also, please let me know if this IP should be configured on the LAN interface of the server OR if I need to translate that to the private address space (192.168.0.x).)

Can someone help with this? Much appreciated!

(note: if a different sub is required, please let me know which one is suitable, and I'll move this post right away. )

TIA



Need for an orchestrator

Most of my career was spent doing network devops for a software development company. Our mentality was, open source all the way and if we couldn't find a product that did what we wanted, we either developed it ourselves or expanded the capabilities of that software ourselves.

I started a new job and the decision was made to use an orchestrator. Ultimately it sounds cool and I can see a few use cases for it, but ultimately, I don't think the value it would bring aligns with the effort it would take to set up and actually build automations with.

I can essentially do everything the orchestrator can do in Python, GitLab CI and Ansible. For example, using the orchestrator to make a simple API call is like a 40-step process in a GUI that uses some weird programming language. We wouldn't be able to easily take the created API call out of the software and implement it anywhere else. Compare that to writing a reusable Python script to do the exact same thing, which will allow us to run it from anywhere, not tie us down to proprietary software, and allow us to easily manage and expand its capability.

Anyway, are you using a network orchestrator? If so, which one? And what do you find is useful about it?



Help Identifying 2 New Applications in Our Top 10!

I'm looking for help identifying two applications that have been in our top 10 applications being used, via the CheckPoint SmartConsole. I've taken a look around and asked other colleagues, but I can't get any answers about what they are, or whether they are something we should be looking at:

  • cf.dash.row.aiv-cdn.net
  • gaptv2.xyz

Thanks in advance!



Trying to upgrade my simple rj-45 connectors tester

TL;DR: Want a fancier tester/tracker/distance finder etc. for Ethernet and BNC cable. Budget $160 ish. Please and thank you guys. Would like more than I need right now for future use.

For the readers 🥲: Hey guys, quick question. I've been working with a friend installing security cameras and some other small tasks like running Ethernet cables around to feed other rooms. I've been looking for a tester/tracker for Ethernet cables. I was thinking of buying an updated tool to replace the cheap ones that came from my Amazon crimping tool set.

They work great to tell me if I've properly finished the RJ-45 connectors. And it's great to have a probe or tracker to find cables. I just would like to upgrade and get something that has a distance finder and other cool little features I might or might not use any time soon. I've looked around for a couple of hours and basically found a couple, since there aren't many reviews or suggestions. I was wondering if you guys had any suggestions on something similar to my top 3 choices. What made me consider these was the fact that they have a BNC connection, and recently I've had to work with failing cables and just wanted to be able to test a cable before even running it (it sucks going back to find out why). If you guys have any suggestions on something else similar to this it'd be great. Not trying to spend too much and would like to stay in the $160 range, but might spend a bit more if it's worth it. Thanks again guys. If you think there are better options for Ethernet that don't need the BNC option, let me know.

https://www.amazon.com/dp/B07HHZV7TV/ref=cm_sw_r_cp_apa_glc_fabc_9NB9S2EEP6A0BDKR1FEB?_encoding=UTF8&psc=1

https://www.amazon.com/dp/B077R1LM6J/ref=cm_sw_r_cp_apa_glc_fabc_5HXBX34FZ3VEHQ8KF4T2

https://www.amazon.com/dp/B06XCS1GT3/ref=cm_sw_r_cp_apa_glc_fabc_PZ73D6T0SSD66QSQ17VX?psc=1

Two are the same brand and model, but according to the best and most informed review, the (blue) model can do Cat7 and can only do 1 wire at a time, while the red one can use remote identifiers to identify multiple cables. Thanks if you read through to the end. Haven't posted in here before and wanted to follow the rules about showing effort.



Firepower VTI to AWS

I have set up an IPsec VPN to AWS on a Firepower device using VTI tunnels. With AWS you can only initiate VPNs from the customer side (not the AWS side). Normally with other vendors like Juniper etc. you have the option to "establish-tunnels-immediately" or similar, where it will automatically try to bring up the VPN.

How does this work from a VTI point of view? The route to AWS is via the VTI interface, but because the VTI interface is down, the route is not in the route table. It's a chicken-and-egg scenario. So if you try to initiate traffic to go over the VPN it never even tries. This is confirmed if you run a packet-tracer; it just shows the packet going out the outside interface.

If you do a debug on the Firepower there are zero logs for VPN traffic.

Thanks



CiscoConfParse - does it understand all config in a show run?

Hi,

I've started to write a script to compare a live config against a master config for auditing purposes.

When I run CiscoConfParse to find all objects or find all children, I seem to get empty lists for some commands I type, such as spanning-tree mode mst.

Example below: it is finding my command 'ip ssh version'; the following command I typed was for 'spanning-tree mode mst':

[<IOSCfgLine # 306 'ip ssh version 2'>]

[]

Does anyone have an answer to this issue? Or is it that CiscoConfParse can't interpret it?



Slow Wan Link , what is the best way to prioritize traffic to certain app ?

Hi guys, hope y'all are having a good day today.

As the title says:

We have a ship in the open sea, and the network inside is connected to a VSAT through an ISP. But it's very slow, with very limited bandwidth (700 kbps). I want to prioritize the traffic to certain critical apps like email and VoIP phones.

What is the best way to achieve that ?

Thanks



Wednesday, June 9, 2021

Good methods for learning communication protocols in detail?

The vast majority of my searches regarding a specific protocol return a theoretical overview of its functionality. If I dig deeper I’m able to find how I can implement and configure existing software that uses said protocol. However I’m struggling to find information about the literal contents of the packets sent at each step, as well as other nuanced information (which I imagine there must be plenty of).

How would you recommend I go about studying protocols in this much detail? So far I have been playing around with C sockets, but I’m probably going to get bored of creating a program for every new protocol I study.

Should I use something like Wireshark and netcat to play around with various protocols? If yes, how would I go about doing it for something as infrequent as a DHCP lease? Should I create a virtual DHCP server?



VPN users connecting to VLANs.

Good evening,

I am trying to configure a fully remote setup for some employees. We are going to be hosting a few virtual servers on one Hyper-V server. We want the employee to be able to VPN into the Firebox (or similar) and be placed on a VLAN where their server will be. One server will have 15 users; the rest will have 2-3. Would it be possible to do it this way, or will I have to go a different route? Thanks.



9500 EIGRP problem

I have a 9500 connected to a 9300, which is then connected to a bunch of 3850s. All are running IP Base or Advantage. The 9500 gets all the routes from all the rest of the switches, and can send traffic anywhere. However, none of the other switches get the routes for any of the subnets on the 9500, so it is inaccessible from the network (I can get into it via a console connection).

Is there anything different about EIGRP on the 9500 that I need to do to get the other switches to see its routes? When I do show ip EIGRP neighbors on either side, I see the opposite switch, so they see each other…



Looking for switch with 3+ 2.5GBE RJ45 ports and 2 or more 10gb SFP+ ports

I’m a bit lost with this whole new connection requirement for 10GB networks but it’s time to upgrade my network as I’m moving tons of data. Two machines on this node are 2.5gbe and one will be a dual 10gb sfp. Coming into this will be a 1000mbit rj45 source. I could upgrade the previous link in the network, but I’m sure the 1GBit 16 port switch would be loads more expensive than just adding one high speed Switch to the system.

So any suggestions? Wanna keep it under $300 if possible.



6 remote sites but only 5 remain online at any given time

Hi all - first post here!

I've been troubleshooting a strange error for the past week which I'm calling an exclusive token ring issue. I have 6 remote sites, only 5 of which come online at any given time. If I reboot the offline one, it will come online and then another random site will slowly die. More details below...

I have a Palo Alto FW acting as the route point for 8 different VLANs. I'm sending 7 of those VLANs down a trunk with the 8th acting as a native VLAN. Next stop is a KG-175X encryptor (with an IP on the native VLAN), which is shipping each of those 7 VLANs out to each of my 6 remote sites using a manual PPK SA (with an appropriate PPK chain and multicast group configured).

Next stop for each remote site is a KG-175G encryptor (with an IP on the native VLAN) with the same manual PPK SA (with the same PPK chain and multicast group configured), which then ships all 7 VLANs down to a 2960x (with a management address on the native VLAN) which distributes them out to machines on each VLAN at each remote site.

I've purposely omitted detail on my black side infrastructure as I'm pretty confident there's no issue here. My multicast group on my black side/core infrastructure looks good - I see each encryptor's black side IP join the group with the appropriate RP, etc.

However, on my red side, only 5 of the 6 sites are up at any given time. If I reboot the offline site's KG and switch, that site will come online, and then another site will slowly die. It feels like some kind of weird PPK/multicast limit, but according to the manufacturer's documentation, I should be able to push something like 64 VLANs through those encryptors without issue.

Intra-VLAN pings between machines at the local site work. Today, I hooked up a tap to various ports on the 2960x - I can see my inter-VLAN pings coming in to the offline site, however none of the 6 machines (all Windows 10) attached to the various VLANs on that switch will respond to pings, even with static addresses set. For a kicker, machines will randomly work at various times throughout the day, but subsequently die without warning/as mysteriously as they came alive. The switch at the offline site knows the MAC address of the Palo Alto VLAN interface serving as the gateway for each of the VLANs, but it's almost like the machines don't think they do and thus don't bother sending any inter-VLAN traffic out.

I know this is long, but I'm kind of at the end of my rope here - has anyone seen anything like this or does anyone have any ideas?



VPN Tunneling Help

I recently added a new site to my company and need help with the networking. I need the employees at the other site to be able to access the networked devices (servers, drives) at the main office, but I have been stuck. I have tried to follow a couple of guides and gotten frustrated when I couldn't get them to work. I thought that VPNs would be the best option, but I can't seem to get a client working. If anyone has any advice or a better way to do this, it is all greatly appreciated.



Private sector Vs public sector question

Anyone here with experience in both private and public sector? What are the hours like in the public sector compared to private. I have been in the financial industry for some time and 50-60 is the average with many times getting up to 70-80. How are the politics between the two?



Is it possible to set proxy address per pid for a browser?

Looking for insight on whether it's possible to configure multiple proxies on a single device. I've seen split-tunnel configurations where you have something like office traffic going through a PAC and the rest of the traffic going out a different route. Was curious if it's possible to have several proxies set up, each targeting an individual instance via process ID.



How does lisp use underlay to forward traffic in overlay?

So I’m reading about LISP and the concept of EIDs/RLOCs and using an underlay protocol like BGP to route between these points in the overlay.

How exactly do they communicate between each other?

How does LISP know to forward traffic via the underlay to reach different points in the virtual overlay?



SecureW2 Still Alive?

We are needing to implement something along the lines of SecureW2 pretty quickly, but no one answers the phone. Multiple calls (Voicemails) and email forms on their website. Anyone hear of anything going on with them?



WiFi extenders question

Do WiFi extenders output the same speed as your primary router? For example, if my primary (main floor) router is outputting 1000mbps, will my extender (basement) also output 1000mbps?



Failover to image on USB (Cisco Cat3650)

We recently had an issue with an off-site office whose switch ended up with a corrupted image after consecutive power failures (no, no UPS, don't get me started). We've looked at leaving a USB drive on site with a working image, so that if someone has to make the long drive out everything is already there. However, I was thinking that, if we have that USB drive there, why not plug it into the switch and have it boot straight off it in the event the flash image gets mangled? The problem is I can't seem to get the bootvar to accept multiple paths. I know you can do this on a chassis system, but has anyone done this or something similar on an access switch?



Managing devices on a public network

What's a good practice for managing devices on a public network? I've always been a fan of out-of-band management but I'm curious how others handle management (ssh, snmp) for remote devices on public networks, for customer handoffs, WISP radios, node amps, etc.

Does it make sense to extend a management VLAN, or is this part of the overall design of something like MPLS?



Books about CDNs?

Hi everyone. Title basically says it all. Looking for books that were found to be particularly useful.

Thanks!



VPN splitting using Windows Hosts file

Hello, I connect to the Internet via a VPN server using Kerio VPN Client. Is it possible to define some records in the Hosts file that let me open a specific IP or website without the VPN connection, just a direct Internet connection!? Sorry if it's not the right place to ask! 🙈😊



How is the netgate TAC Enterprise support?

Some background: I currently have a rack in a datacenter that has a SonicWall TZ400. It does the job but whenever an issue (servers are down with no network connectivity) comes up and I contact support, I get nowhere. It eventually fixes itself without me doing anything. I would be on the phone with SonicWall support doing a lot of troubleshooting and making sure everything is set up correctly, would go through their basic troubleshooting with them but could never get the issue resolved. The last 3 times this happened the call ended with the technician saying "I am at the end of my shift" and, instead of getting someone else and explaining to them what they did and what the issue was, they would just push me to a different technician in the queue and I would need to start over from scratch. To this day, I still don't know what the actual issue is after a lot of troubleshooting.

I am currently looking to replace my current sonicwall firewall with a netgate appliance with pfsense and getting the TAC Enterprise support for phone support.

The appliance I am trying to get is the XG-7100 1U. I just want to see and hear about other people's experience with their support during an emergency where there is an emergency concerning the appliance and servers are down due to it. I would like to know how quickly they will get back to you on email and on phone support and what the quality is like during emergencies.



Is there such a thing as an unmanaged switch with lots of fibre ports?

I'm looking for an oddly specific sort of switch, and haven't had any luck with my search so far. Maybe it's the search terms I'm using. Or perhaps such a thing doesn't exist!

Does anyone know of a manufacturer that makes an unmanaged switch with 10 (or more) fibre optic ports? The type of fibre port doesn't matter (SFP preferred, but ST or SC also okay - MM fibre) I have an old EtherWAN switch that fits this description, but it is now starting to fail slowly and I want to replace it before it goes completely dead! I can find loads of unmanaged switches that have two fibre ports, but I need more than that for my application.

Basically, I'm looking for an unmanaged fibre optic switch with lots of ports. Any suggestions?



Microsegmentation

Looking at microsegmentation products, what does everyone think about NSX, Zscaler ZWS (Edgewise), or any other product you have first-hand experience with?



If you could re-design TCP, what would you fix?

This is a question from Daniel Miessler's top cybersecurity interview questions that I've been thinking a lot about, but have no clue. Do any of you have an idea? I'll be happy to read your opinions on TCP!



C9500 - Stackwise or Not?

We have 2 separate c9500-40x switches running as our core. There is a mixture of L2 and L3 links connecting various other buildings. Core running HSRP and ECMP to link access cabinets in these buildings. We are close to needing another 2 switches as running out of ports. Have read a few things online that people are still having issues with stackwise virtual so not sure if I want to go this route with another 40x switch. If I don't go the Stackwise route I could buy another 9500 and run L2 and L3 links to it and increase port count. Another option could be 9600 chassis pair and future proof. This would be my preferred option but it may come down to ££. Any advice welcome!



Tuesday, June 8, 2021

Physics gonna physics? Or am I insane?

Tl;dr: does a wireless access point mounted at approx a 35-40° angle (vaulted ceiling) mean that the performance will be ass?

Longer version: We’ve had weirdo wireless issues all over our company for quite a while now. It always “worked” but there were those semi-frequent reports of “hey it kicked me off but I was able to get on after I turned off WiFi for a minute. Just wanted to let y’all know.” Sometimes worse. But usually small quirks like that. Well in an auditorium on our most wirelessly dense campus we have had almost CONSTANT problems with wireless. This became more apparent when we started running orientation in that auditorium (so that we could better spread out our students). Finally, enough was enough. We hired a wireless architect to audit our deployment... And he basically told us to disable ALL of the Cisco WLC “best practice” settings. No more RRM, DCA, no more channels wider than 20MHz, no dual band SSIDs, no MU MIMO, no TxBF, no MBR lower than 12/24.

So I made these changes on our backup WLC (we run two 5520’s in N+1 HA) and migrated all this building’s APs to it. Started testing. It was shit. Waited about 30 minutes just to let things settle (we’re still doing dynamic channel and power for the time being bc we also need more APs for coverage). More testing. Shitty in auditorium. Excellent in hallways and classrooms. I could keep a call up while I walked the halls with virtually no artifacts so roaming and coverage appear to be good. Back to auditorium. Call drops. WiFi signal drops. Reconnect. Speed test=abysmal. W T F.

So at this point the ONLY difference I can think of - and my team has batted this around before - is that the two access points in the auditorium are both mounted on opposite sides of a vaulted drop ceiling, approx 35-40° off the horizontal axis (and they're across from each other so almost facing each other at a very narrow angle).

Is that even possible? I know I’ve always been told that APs should never be mounted sideways - always down. Could this very slight tilt be causing THIS much trouble?

I also want to clarify that my team is mostly high level LAN/WAN and Data Center. Wireless has, for much the history of this company prior to us, been an after thought. Even with this new controller that we installed a couple years ago, we simply used the Cisco best practice wizard, thinking it would be set it and forget it. Now we’re trying to reinvent that wheel for the better.

Also any other feedback or suggestions would be appreciated! We’re running all Cisco 3802 and 9100 series APs on (2) 5520 controllers in N+1 HA.

Thanks!



Repair a bundle of 8 cut cat5e cables, best way?

Was thinking a pair of of these with patch cables between them.

https://www.monoprice.com/product?p_id=7299

Is that too much? Should I just do keystone jacks on one side and male rj45 cable ends on the other?

Some other type of punch down junction block?



How do you find loops?

Ok, a little explanation, as this happened to me a couple of times already. 3 or 4 network switches of different types, usually a Cisco in the mix. All at almost full capacity. Network rack looks like spaghetti cat5 vomit, and access to these switches is undocumented.

To put it in perspective, today I had to deploy WiFi to a new location and discovered 2 UniFi 48 port switches. There were also 3 Cisco (2 were off) and a TP-Link. The TP-Link was fully used. I did not find a UniFi controller in any of the servers and no one knew who installed them, so I proceeded to boot up the cloud key that was just purchased. I logged into it and I accepted the adoption..... boom, network went down. Even with static I could not log in to the servers... until I tested using the FQDN account instead of pre-2k.... (I had the wrong pre-2k.)

Now logging in, I realize that the problem is the firewall, so I connect directly to the SonicWall and my coworker connects to the modem. Modem works on IPv6 so internet is up, but firewall is not responding. I restart the firewall, same problem, so I remember a problem with a SonicWall once when X0 decided to stop working and only X3 would work.... but that was not it (or it is possible it was). I connect the firewall from the TP-Link to the Cisco and it works, so now I am confused....

First thing I thought was that someone set VLANs on the UniFi switches using SSH (I have seen that, sadly), but that was not it.... I never found the IP for the TP-Link switch... as the MAC address sticker must be on top or bottom and it is not visible thanks to the other switches, but the Cisco was turning off and on 5 ports due to STP. I used what it was showing for CDP neighbor (really old IOS so even that only showed the ports) and the uplink in the UniFi to draw a diagram and found 2 loops.... I found another by checking connections manually but I still think there is one more. Besides checking manually, I don't know of another way.

What I think happened is that the switch restart in the UniFi after a firmware upgrade got the STP running in the Cisco. I cannot prove it, but it seems SonicWall must have some implementation as well because this is the second time a SonicWall locks up when a Cisco switch triggers STP to stop a loop. Cisco is very quick at that. I had it activated in an 8 port switch with just 1 cable connected...... twice on different switches, different places. People tell me I am crazy, but removing both switches fixed all the problems. Only way to avoid them is better documentation, which we are working on, but I am wondering if there is another technique to get this done better. I am just lucky it was me on site, and not someone else, or if I was working remotely.

So, how do you check loops? Any other suggestions? Magic? Sacrifices to the Ethernet gods?
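Added example, not from the post: one way to do the "draw a diagram and find the loops" step mechanically. Transcribe each managed switch's `show cdp neighbors` / `show lldp neighbors` table into (local device, local port, remote device, remote port) rows, collapse links that both ends report, and run union-find over the devices: each link either joins two islands that were separate so far, or closes a cycle. The ones that close a cycle are the loops (or, in a healthy network, the redundant links STP should be blocking). The sample table is constructed; device and port names are placeholders. An unmanaged switch like the TP-Link never reports its own side, so its port is recorded as unknown.

```python
"""Flag links that close a physical loop, from transcribed neighbour tables.

Added example (not from the post). The SAMPLE table below is constructed;
device and port names are placeholders.
"""
from collections import namedtuple

Link = namedtuple("Link", "local local_port remote remote_port")

# Constructed: one row per CDP/LLDP neighbour entry, as transcribed from each
# managed switch. The TP-Link is unmanaged, so it never reports its own side;
# "?" marks a port we cannot see.
SAMPLE = [
    Link("cisco1", "Gi0/1", "unifi1", "Port 48"),
    Link("unifi1", "Port 48", "cisco1", "Gi0/1"),   # same link, seen from unifi1
    Link("cisco1", "Gi0/2", "unifi2", "Port 47"),
    Link("unifi1", "Port 1", "unifi2", "Port 1"),   # closes cisco1-unifi1-unifi2 loop
    Link("unifi2", "Port 2", "tplink", "?"),
    Link("cisco1", "Gi0/5", "tplink", "?"),         # second path to tplink: loop
    Link("cisco1", "Gi0/7", "cisco1", "Gi0/8"),     # patch cable back into itself
]


def canonical(link):
    """Key a link by its two (device, port) ends in sorted order, so the same
    cable reported from both switches collapses to one entry."""
    a, b = (link.local, link.local_port), (link.remote, link.remote_port)
    return (a, b) if a <= b else (b, a)


def find_loop_links(links):
    """Return the links that close a cycle, in the order they were listed.

    Union-find over devices: the first link between two islands merges them;
    any further link whose ends are already in one island is a loop (a cable
    back into the same switch, or a redundant path STP had better be blocking).
    """
    parent = {}

    def find(dev):
        parent.setdefault(dev, dev)
        while parent[dev] != dev:
            parent[dev] = parent[parent[dev]]   # path halving
            dev = parent[dev]
        return dev

    seen, loops = set(), []
    for link in links:
        key = canonical(link)
        if key in seen:
            continue                             # other end of a link we already have
        seen.add(key)
        ra, rb = find(link.local), find(link.remote)
        if ra == rb:
            loops.append(link)
        else:
            parent[ra] = rb
    return loops


def describe(link):
    return f"{link.local} {link.local_port} <-> {link.remote} {link.remote_port}"


if __name__ == "__main__":
    for link in find_loop_links(SAMPLE):
        print("loop closed by:", describe(link))
```

Two caveats. This only sees what CDP/LLDP reports: a loop entirely inside an unmanaged switch (two of the TP-Link's own ports patched together) never shows up, and for that `show spanning-tree` plus the err-disabled and port-flap history on the Cisco, and pulling cables one at a time, are still the tools. And a link flagged here is only a problem if nothing is blocking it; with STP running on every switch in the path these are the links you expect to see in a blocking state.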



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Windows machines will not connect to the wireless network

I have a Meraki infrastructure with the staff SSID pointed to a RADIUS server (username/password). Recently all Windows machines have stopped authenticating to the SSID (MacBooks are not affected and authenticate fine). I have looked at several forums and attempted the solutions on the RADIUS server (although I have not been able to find exactly the same issue) and nothing seems to work. So I am reaching out to the awesome members of r/networking to see if you have seen this before or have any suggestions. Thank you.



What would you consider as "good" or "acceptable" when running Iperf or Tamsoft Throughput test?

I know this is kind of an open question but I am still hoping to get some interesting answers.

While running iperf3 or TamoSoft's Throughput Test (or something similar), what would you guys consider as good or acceptable while running the test from:

  • Wired 1Gbit Windows 10 => wired 1Gbit virtual Server 2019
  • Wireless 5 GHz WiFi client (Android) => wired 1Gbit virtual Server 2019
  • Wired 1Gbit Windows 10 machine => wired 1Gbit Windows 10 machine
  • Wireless 5 GHz WiFi client (Android) => Wireless 5 GHz WiFi client (Android)
  • Wireless 5 GHz WiFi client (Apple) => Wireless 5 GHz WiFi client (Android)

As for the Android client, let's say we use a Samsung S10+ or an S21 Ultra. As for the Apple phone, let's say we use an iPhone 12.

I am looking for:

  • TCP up/down Mbps (including average)
  • UDP up/down Mbps (including average) & loss %
  • RTT
  • Jitter
  • And any other numbers you guys find interesting / use

Of course I know there are more variables (like 5 GHz WiFi, how many radios?), but like I said I am just looking for which numbers you guys look for in general.

Thanks in advance!



Help: Network problem, not able to set same IP on new NIC

Before I start, I want say thank you for the community first. And I did search and tried the solutions from others before. But I still got problem. Here its:

My PVE host had 2 NICs before. The /etc/network/interfaces config is shown below.

```
auto lo
iface lo inet loopback

iface eno1 inet manual

iface eno2 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.0.141/24
        gateway 192.168.0.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet static
        address 192.168.0.142/24
        bridge-ports eno2
        bridge-stp off
        bridge-fd 0
```

I wanted to try 10GbE recently and got some used equipment including a Brocade ICX 6450-48P and 2 Intel 10GbE NICs. The plan is using 10GbE on my PVE and PBS hosts. So I installed both NICs on the hosts. No trouble, Debian shows them right after. Then I started changing /etc/network/interfaces based on what I read. My plan is replacing the old NIC by the new one. Here is what I tried. enp2s0f0 and enp2s0f1 are the 2 interfaces from the new NIC. For my test only enp2s0f1 is connected. I will use only this one for my test.

Try out #1:

First I just tried to replace the interface for vmbr0 by enp2s0f1, and it's not working at all. Neither 192.168.0.141 nor 192.168.0.142 can reach the host. The solution comes from this thread:

```
auto lo
iface lo inet loopback

iface eno1 inet manual

iface eno2 inet manual

iface enp2s0f0 inet manual

iface enp2s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.0.141/24
        gateway 192.168.0.1
        bridge-ports enp2s0f1
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet static
        address 192.168.0.142/24
        bridge-ports eno2
        bridge-stp off
        bridge-fd 0
```

Try out #2:

Then I tried to use a different IP for vmbr0. And it works, I can reach both 192.168.0.151 and 192.168.0.142.

```
...

auto vmbr0
iface vmbr0 inet static
        address 192.168.0.151/24
        gateway 192.168.0.1
        bridge-ports enp2s0f1
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet static
        address 192.168.0.142/24
        bridge-ports eno2
        bridge-stp off
        bridge-fd 0
```

Then I could log in to the WebUI and change the vmbr0 IP back to 192.168.0.141. I was happy, then I realized none of the VMs' network is working. :(

Try out #3:

Now I am thinking of just keeping the old vmbr0 and vmbr1 and adding a new vmbr2. Then somehow set the default interface used by Debian to vmbr2. Then later I can change all VMs to use vmbr2. This way everything works normally except I really can't find a way to set the default interface to vmbr1. I tried `ip route add default`, I tried setting the default gateway on vmbr2. None of them works. The iperf3 test still sees the traffic going through 192.168.0.141.

Conclusion:

I don't know what to do now. It would be best if anyone can tell me how I can completely replace the old gigabit NIC. Otherwise a working solution to set all traffic through the new vmbr2 would be fine as well, I guess. Thank you so much for reading the long post first. And I wish someone could help me with this.

PS: I am using `pvesh set /nodes/pve-dellr330/network` every time I change /etc/network/interfaces.



Route based VPN (VTI) from FTD to Azure

I have set up a route based VPN to Azure and no matter what I try only phase 1 will come up (using IKEv2).

I have multiple Azure accounts in my company so I set up another VPN with the exact same settings to a different account and the VPN comes up immediately with no issues. The Azure and FTD configs are exactly the same for both VPNs apart from different tunnel IPs and VNets etc.

For Phase1 I am using:

AES256/SHA256 PRF SHA256 DHG14 

Phase2:

AES256/SHA256/No PFS 

Below are the logs. I just keep getting "no proposal chosen" no matter what I try. It works fine on the second Azure account.

I'm debugging at max level but no details are shown:

debug crypto ikev2 protocol enabled at level 255 

Can anybody see anything I'm missing here?

IKEv2-PROTO-4: (2424): Received Packet [From 20.101.121.179:500/To 221.23.29.58:500/VRF i0:f0]

(2424): Initiator SPI : B107C8FB8BD06F8D - Responder SPI : B61763775F0F7B1F Message id: 1

(2424): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (2424): Next payload: ENCR, version: 2.0 (2424): Exchange type: IKE_AUTH, flags: INITIATOR (2424): Message id: 1, length: 224(2424):

Payload contents:

(2424):

(2424): Decrypted packet:(2424): Data: 224 bytes

(2424): REAL Decrypted packet:(2424): Data: 144 bytes

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_RECV_AUTH

IKEv2-PROTO-4: (2424): Stopping timer to wait for auth message

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_NAT_T

IKEv2-PROTO-4: (2424): Checking NAT discovery

IKEv2-PROTO-4: (2424): NAT not found

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_PROC_ID

IKEv2-PROTO-7: (2424): Received valid parameteres in process id

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID

IKEv2-PROTO-4: (2424): Searching policy based on peer's identity '20.101.121.179' of type 'IPv4 address'

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_SET_POLICY

IKEv2-PROTO-7: (2424): Setting configured policies

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_VERIFY_POLICY_BY_PEERID

IKEv2-PROTO-4: (2424): Verify peer's policy

IKEv2-PROTO-4: (2424): Peer's policy verified

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_AUTH4EAP

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_POLREQEAP

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK_AUTH_TYPE

IKEv2-PROTO-4: (2424): Get peer's authentication method

IKEv2-PROTO-4: (2424): Peer's authentication method is 'PSK'

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_GET_PRESHR_KEY

IKEv2-PROTO-4: (2424): Get peer's preshared key for 20.101.121.179

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_VERIFY_AUTH

IKEv2-PROTO-4: (2424): Verify peer's authentication data

IKEv2-PROTO-4: (2424): Use preshared key for id 20.101.121.179, key len 24

IKEv2-PROTO-4: (2424): Verification of peer's authenctication data PASSED

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK4_IC

IKEv2-PROTO-4: (2424): Processing INITIAL_CONTACT

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK_REDIRECT

IKEv2-PROTO-7: (2424): Redirect check is not needed, skipping it

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_NOTIFY_AUTH_DONE

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK_CONFIG_MODE

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_GET_CONFIG_MODE

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_PROC_SA_TS

IKEv2-PROTO-4: (2424): Processing IKE_AUTH message

IKEv2-PROTO-2: (2424): Failed to find a matching policy

IKEv2-PROTO-2: (2424): Received Policies:

IKEv2-PROTO-2: (2424): Failed to find a matching policy

IKEv2-PROTO-2: (2424): Expected Policies:

IKEv2-PROTO-7: (2424): Failed to verify the proposed policies

IKEv2-PROTO-2: (2424): Failed to find a matching policy

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_NO_PROP_CHOSEN

IKEv2-PROTO-4: (2424): Sending no proposal chosen notify

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_MY_AUTH_METHOD

IKEv2-PROTO-4: (2424): Get my authentication method

IKEv2-PROTO-4: (2424): My authentication method is 'PSK'

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_GET_PRESHR_KEY

IKEv2-PROTO-4: (2424): Get peer's preshared key for 20.101.121.179

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_GEN_AUTH

IKEv2-PROTO-4: (2424): Generate my authentication data

IKEv2-PROTO-4: (2424): Use preshared key for id 221.23.29.58, key len 24

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_CHK4_SIGN

IKEv2-PROTO-4: (2424): Get my authentication method

IKEv2-PROTO-4: (2424): My authentication method is 'PSK'

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_OK_AUTH_GEN

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_SEND_AUTH

IKEv2-PROTO-4: (2424): Generating IKE_AUTH message

IKEv2-PROTO-4: (2424): Constructing IDr payload: '221.23.29.58' of type 'IPv4 address'

IKEv2-PROTO-4: (2424): Building packet for encryption.

(2424):

Payload contents:

(2424): VID(2424): Next payload: IDr, reserved: 0x0, length: 20

(2424):

(2424): b4 17 62 77 4c 38 88 58 c1 8e 27 0b 4d b2 2a b5

(2424): IDr(2424): Next payload: AUTH, reserved: 0x0, length: 12

(2424): Id type: IPv4 address, Reserved: 0x0 0x0

(2424):

(2424): c1 1d 1d 3a

(2424): AUTH(2424): Next payload: NOTIFY, reserved: 0x0, length: 40

(2424): Auth method PSK, reserved: 0x0, reserved 0x0

(2424): Auth data: 32 bytes

(2424): NOTIFY(NO_PROPOSAL_CHOSEN)(2424): Next payload: NONE, reserved: 0x0, length: 8

(2424): Security protocol id: IKE, spi size: 0, type: NO_PROPOSAL_CHOSEN

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_ENCRYPT_MSG

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_NO_EVENT

IKEv2-PROTO-7: (2900): SM Trace-> SA: I_SPI=233875B27E20D5E8 R_SPI=843CA17A05220010 (I) MsgID = 00000001 CurState: READY Event: EV_DEL_IC_RCVD

IKEv2-PROTO-7: (2900): SM Trace-> SA: I_SPI=233875B27E20D5E8 R_SPI=843CA17A05220010 (I) MsgID = 00000001 CurState: DELETE Event: EV_FREE_SA

IKEv2-PROTO-4: (2900): Deleting SA

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_OK_ENCRYPT_RESP

IKEv2-PROTO-7: (2424): Action: Action_Null

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_TRYSEND

(2424):

IKEv2-PROTO-4: (2424): Sending Packet [To 20.101.121.179:500/From 221.23.29.58:500/VRF i0:f0]

(2424): Initiator SPI : B107C8FB8BD06F8D - Responder SPI : B61763775F0F7B1F Message id: 1

(2424): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (2424): Next payload: ENCR, version: 2.0 (2424): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (2424): Message id: 1, length: 160(2424):

Payload contents:

(2424): ENCR(2424): Next payload: VID, reserved: 0x0, length: 132

(2424): Encrypted data: 128 bytes

(2424):

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: R_BLD_AUTH Event: EV_CHK_AUTH_FAIL

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK

IKEv2-PROTO-7: (2424): Action: Action_Null

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE

IKEv2-PROTO-4: (2424): IKEV2 SA created; inserting SA into database. SA lifetime timer (28800 sec) started

IKEv2-PROTO-4: (2424): Session with IKE ID PAIR (20.101.121.179, 221.23.29.58) is UP

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT

IKEv2-PROTO-4: (2424): Initializing DPD, configured for 10 seconds

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE

IKEv2-PROTO-4: (2424): Checking for duplicate IKEv2 SA

IKEv2-PROTO-4: (2424): No duplicate IKEv2 SA found

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: READY Event: EV_R_OK

IKEv2-PROTO-4: (2424): Starting timer (8 sec) to delete negotiation context

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: READY Event: EV_NO_EVENT

IKEv2-PROTO-7: (2424): SM Trace-> SA: I_SPI=B107C8FB8BD06F8D R_SPI=B61763775F0F7B1F (R) MsgID = 00000001 CurState: READY Event: EV_DEL_NEG_TMO

IKEv2-PROTO-7: (2424): Deleting negotiation context for peer message ID: 0x1



The Meraki API finally lets us create switch L3 interfaces

I just wanted to let you guys know, it's probably old news but it is news to me!

I had to stand up a network today and I didn't want to have to clickity-click my way through making a bunch of L3 interfaces on a switch, lo and behold the API has it now.

It made a boring and arduous job that would have taken 20 minutes into a mildly interesting job that took about 20 minutes. Mostly because my setup was way out of date, my API key had been deleted and the API structure has changed a lot since I was last in there.

But it works and I'm happy with that.
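Added example, not the poster's script: creating a batch of switch L3 interfaces through the Dashboard API instead of clicking. The endpoint path and body field names follow my reading of Dashboard API v1's createDeviceSwitchRoutingInterface operation (an assumption to confirm against the current API reference); the serial, names and subnets are placeholders, and the API key comes from the environment rather than the script, which is the part that bites when a key gets deleted, as in the post.

```python
"""Create L3 interfaces on a Meraki switch through the Dashboard API.

Added example, not the poster's code. Endpoint path and body fields follow my
reading of Dashboard API v1's createDeviceSwitchRoutingInterface (assumption:
check the API reference). Serial, names and subnets are placeholders.
"""
import ipaddress
import json
import os
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"


def l3_interface_request(serial, name, vlan_id, subnet, interface_ip, default_gateway=None):
    """Validate one interface and return (url, body) for the POST.

    The interfaceIp-inside-subnet and VLAN range checks are local: they catch
    a typo before the request leaves the box, with a clearer message than the
    HTTP 400 the API would return.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    if ipaddress.ip_address(interface_ip) not in net:
        raise ValueError(f"{interface_ip} is not inside {subnet}")
    if not 1 <= int(vlan_id) <= 4094:
        raise ValueError(f"bad VLAN id {vlan_id}")
    body = {"name": name, "vlanId": int(vlan_id), "subnet": subnet, "interfaceIp": interface_ip}
    if default_gateway is not None:
        body["defaultGateway"] = default_gateway
    return f"{BASE_URL}/devices/{serial}/switch/routing/interfaces", body


def create_l3_interfaces(serial, interfaces, api_key):
    """POST each interface in turn and return the decoded responses."""
    created = []
    for spec in interfaces:
        url, body = l3_interface_request(serial, **spec)
        req = urllib.request.Request(
            url,
            data=json.dumps(body).encode(),
            method="POST",
            headers={
                "X-Cisco-Meraki-API-Key": api_key,
                "Content-Type": "application/json",
                "Accept": "application/json",
            },
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            created.append(json.load(resp))
    return created


# Constructed placeholder SVIs.
INTERFACES = [
    {"name": "Users", "vlan_id": 10, "subnet": "10.10.10.0/24",
     "interface_ip": "10.10.10.1", "default_gateway": "10.10.10.254"},
    {"name": "Printers", "vlan_id": 20, "subnet": "10.10.20.0/24",
     "interface_ip": "10.10.20.1"},
]

if __name__ == "__main__":
    # Keep the key out of the script and out of version control.
    key = os.environ["MERAKI_API_KEY"]
    for r in create_l3_interfaces("QXXX-XXXX-XXXX", INTERFACES, key):
        print(r.get("interfaceId"), r.get("name"))
```

Splitting request building from sending keeps the validation testable without a dashboard, and means a bad entry in the list fails before any interface has been created rather than halfway through.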



Outdoor Midsized Wireless Recommendation

In need of recommendations for a midsize outdoor wireless deployment. APs will live on poles with roughly 25feet of elevation. Property is 4ish acres with trees. All APs will be cabled with no need for meshing.

Expected usage will be about 80-120 devices at any given time.

Have used Unifi UAP‑AC Outdoor in the past with mixed results and looking for a more reliable solution.

Camp ground with many RVs

Thanks



Is it possible for a FiberChannel SFP to work in an Ethernet port? If so, how?

Context: After upgrading our ACI fabric over the weekend I was told the interfaces on our DataDomain were down. After some investigating I don't see how they were ever up. The DD is attached into a 10g SFP+ port on a 93180YC-FX leaf with a DS-SFP-FC8G-SW SFP and fiber to another SFP+ ethernet port in the DD with the same model FC SFP. These ports are ethernet and show as such in the DD config (eth0a and eth0b). Is there anyway possible this could have ever worked as such? I swapped these connections out with Twin-ax and didn't have to change any ACI config and they come online immediately but they are swearing this device was working on those ports prior and for the life of me I can't see how. There is a third connection that is a 1Gb copper management interface and I can only assume they were functioning with that somehow.



Netmiko not sending second send_config_set commands

I'm still pretty new to Netmiko and am running into an issue trying to configure a helper address on SVIs. I have a list of their names, i.e. interfaces = ('Vlan10', 'Vlan20', etc...) and am trying the following to send the helper-address to the device:

```
for svi in interfaces:
    output = net_connect.send_config_set(f'interface {svi}', 'ip helper-address 10.1.1.20')
    print(output)
```

The output that I get shows it entering the SVI config mode, but it doesn't implement the helper address. I've manually confirmed that the helper-address isn't in place and it's not just the output variable not recording it.

```
configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
switchname(config)#interface Vlan10
switchname(config-if)#end
switchname#
```

Any ideas why it's skipping over that second command in send_config_set?
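Added example, not the poster's code: the same job with the commands handed to `send_config_set()` as one list, which is how that method takes them. Passing `'interface Vlan10'` and `'ip helper-address ...'` as two positional arguments binds the second string to the method's second parameter, `exit_config_mode`, in Netmiko 3.x, so only the `interface` line is ever sent and the session drops straight to `end`, exactly the output in the post (Netmiko 4 makes those parameters keyword-only, so the same call fails with a TypeError instead). The example also reads each SVI back and reports any where the helper did not land. Host, credentials and the helper IP are placeholders; the password is read from the environment.

```python
"""Push ip helper-address to a list of SVIs with Netmiko and verify it landed.

Added example, not the poster's code. Device address, credentials and the
helper IP are placeholders; the password is read from the environment.
"""
import ipaddress
import os


def helper_address_commands(interfaces, helper):
    """One flat list of config lines covering every SVI.

    send_config_set() takes its commands as a single iterable. Passing
    'interface X' and 'ip helper-address Y' as two positional arguments binds
    the second string to exit_config_mode (Netmiko 3.x), so only 'interface X'
    is sent; Netmiko 4 makes those parameters keyword-only and rejects the call.
    """
    ipaddress.ip_address(helper)          # fail early on a typo, not on the switch
    commands = []
    for svi in interfaces:
        commands.append(f"interface {svi}")
        commands.append(f" ip helper-address {helper}")
    return commands


def missing_helpers(show_outputs, helper):
    """Given {svi: text of 'show running-config interface <svi>'}, return the
    SVIs that still lack the helper. Pure function so it is testable offline."""
    return [svi for svi, text in show_outputs.items()
            if f"ip helper-address {helper}" not in text]


def push_helpers(net_connect, interfaces, helper):
    """Send the config, read each SVI back, return (config output, missing SVIs)."""
    output = net_connect.send_config_set(helper_address_commands(interfaces, helper))
    show = {svi: net_connect.send_command(f"show running-config interface {svi}")
            for svi in interfaces}
    return output, missing_helpers(show, helper)


if __name__ == "__main__":
    from netmiko import ConnectHandler

    device = {
        "device_type": "cisco_ios",
        "host": "192.0.2.10",                     # placeholder
        "username": os.environ.get("NET_USER", "admin"),
        "password": os.environ["NET_PASS"],       # never hardcode credentials
    }
    with ConnectHandler(**device) as conn:
        out, missing = push_helpers(conn, ["Vlan10", "Vlan20"], "10.1.1.20")
        print(out)
        if missing:
            raise SystemExit(f"helper not applied on: {missing}")
        conn.save_config()
```

The read-back step is the part worth keeping even after the argument bug is fixed: a switch that silently rejects a line (wrong context, unsupported on that SVI) still returns a prompt, and only the running config tells you what actually took.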