Saturday, August 14, 2021

How can payload size be between 46-1500?

So I'm learning about Ethernet frames right now, and I'm confused as to how the payload size can be between 46 and 1500... If the size of the data is different for each frame, how does your NIC know when the data stops and the Frame Check Sequence starts?

Edit: I should have been more specific, I’m talking about Ethernet 2 frames.
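The mechanics behind the question, as an added example that is not part of the original post: the MAC layer never needs a length field to find the FCS, because the physical layer delimits the frame (the carrier drops, or the end-of-stream delimiter arrives), so the receiver already knows the total length and the FCS is always the last four bytes. What the variable payload size does cost is padding: payloads under 46 bytes are padded, and Ethernet II carries no length, so only the encapsulated protocol (here the IPv4 Total Length field) can tell real data from padding. The MAC addresses and the IPv4/UDP datagram below are constructed for the example.

```python
import struct
import zlib

# Added example (not from the original post): build and parse Ethernet II frames
# to show why a variable payload length does not stop the NIC finding the FCS.
MIN_PAYLOAD = 46
MAX_PAYLOAD = 1500
ETHERTYPE_IPV4 = 0x0800

# Constructed addresses for the example.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")


def build_frame(dst, src, ethertype, payload):
    """Assemble an Ethernet II frame as the sending MAC does: pad short payloads
    up to 46 bytes, then append the CRC-32 Frame Check Sequence."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload longer than 1500 bytes")
    padded = payload + b"\x00" * max(0, MIN_PAYLOAD - len(payload))
    body = dst + src + struct.pack("!H", ethertype) + padded
    # The FCS covers everything from the destination MAC to the end of the
    # (padded) payload; on the wire its bytes appear in little-endian order.
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs


def parse_frame(frame):
    """Split a frame as the receiving MAC sees it. The PHY has already told the
    MAC where the frame ends, so the FCS is simply the last four bytes."""
    if len(frame) < 14 + MIN_PAYLOAD + 4:
        raise ValueError("runt frame (shorter than 64 bytes)")
    body, fcs = frame[:-4], frame[-4:]
    if zlib.crc32(body) & 0xFFFFFFFF != struct.unpack("<I", fcs)[0]:
        raise ValueError("FCS mismatch: frame corrupted")
    dst, src = body[:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    payload = body[14:]
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        # Ethernet II has no length field, so padding is invisible to the MAC
        # layer; the IPv4 Total Length field says where the datagram ends.
        total_len = struct.unpack("!H", payload[2:4])[0]
        data, padding = payload[:total_len], payload[total_len:]
    else:
        data, padding = payload, b""
    return {"dst": dst, "src": src, "ethertype": ethertype,
            "data": data, "padding": padding}


def frame_is_valid(frame):
    """True when the frame is at least minimum size and its FCS checks out."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def sample_ipv4_datagram(udp_data=b""):
    """Constructed IPv4 datagram: 20-byte header + 8-byte UDP header + data."""
    total = 28 + len(udp_data)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(udp_data), 0)
    return ip + udp + udp_data


def demo():
    """A 28-byte datagram gets 18 bytes of padding (64-byte minimum frame);
    a 1500-byte datagram fills the maximum 1518-byte frame with none."""
    small = parse_frame(build_frame(DST, SRC, ETHERTYPE_IPV4, sample_ipv4_datagram()))
    full = parse_frame(build_frame(DST, SRC, ETHERTYPE_IPV4,
                                   sample_ipv4_datagram(b"A" * 1472)))
    return {"small_data": len(small["data"]), "small_padding": len(small["padding"]),
            "full_data": len(full["data"]), "full_padding": len(full["padding"])}


if __name__ == "__main__":
    print(demo())
```

The padding matters for security tooling as well as for the question: the padding bytes come from the sender's transmit buffer, so a stack that pads with whatever happens to be there leaks a few bytes of memory into every short frame, which is why the example zero-fills explicitly.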



Certified Network Defender(CND) vs CompTIA SEC+

Hope you are all well, Networking community.

I already have my CompTIA Network+. Want to pursue the Network Sec path. I feel like Sec+ might be relevant but not as much as CND. Hence, I want to jump straight to EC-Council CND. What are your thoughts my people? Kindly advise.

Thank you all.



How many people share a DOCSIS line in a typical cable deployment? How much bandwidth is shared per node?

My cable modem has 32x8 DOCSIS 3.0 channels and 2x2 DOCSIS 3.1 channels. Out of the 3.1 channels, only one is used for downstream and only if you are on a gigabit plan.

I don't know how many channels the ISP has enabled at the CMTS per node, I'm not exactly sure how that works. Is it basically the max for the DOCSIS standard? After all, coax will only support so many channels, even the trunk cables carry the same amount, correct? They just attenuate less.

So let's assume the trunk cables carry 32x8 DOCSIS 3.0 and 2 DOCSIS 3.1 full channels. I'm sure they haven't enabled DOCSIS 3.1 on the upstream. That's basically 256 + 192 + 192 = 640 MHz of total download and only 51.2 MHz for the upload, total 700 MHz on the cable for internet and the rest for cable TV, makes sense.

So that means the total capacity for the entire node is about 5 Gbps down and 200 Mbps up (assuming they use the full capacity of the DOCSIS 3.1 channels). That can't be because they subscribe 200 people per node and they offer gigabit connections. Are there multiple trunk cables coming off of each node? What am I missing? How much bandwidth is typically shared per node?

Sorry, lots of questions...



Tools for network management, incident handling, backup and patching.

Hello, wonderful people of networking world.

I am an ex-network engineer, currently applying for a semi-networking role. One of the questions I have been tasked to respond to was proposing solutions for all processes that the network team must support (monitoring, incident handling, backup, patching, etc.). I am inexperienced in this area as my previous role was heavily focused on implementing changes and troubleshooting in CLIs.

Now, I don't want to cheat. I would just like to ask for recommendations on what software to check out so I can educate myself on the matter and decide on my own. I would help myself with googling, but all I could get (probably because of using incorrect keywords) was mainly definitions of those terms. No useful info, nothing regarding implementation of such software or enterprise-level examples.

Any and all help is greatly appreciated!

TL;DR : Want to check out monitoring, incident handling and patching software, cannot find anything on Google. Looking for recommendations on what to research.



dynamic routing best practices

If you do 'network 0.0.0.0 255.255.255.255 area 0' it's a security issue because there might be a reason why some interfaces should not be seen by the dynamic routing process... how would one exploit this?
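The catch-all statement beside a hardened equivalent, as an added example in Cisco IOS/IOS-XE syntax that is not part of the original post. The interface names, addresses, process ID and key material are assumptions. A wildcard-all network statement puts every addressed interface into area 0, so each of them sends hellos and will form an adjacency with any device on its segment that answers; the hardened version keeps those subnets in the routing table (passive interfaces are still advertised) but only lets the one real uplink form neighbours, and requires HMAC-SHA authentication on it.

```text
! Before: every interface with an IP address joins area 0, sends hellos and
! accepts adjacencies from whatever is on the wire, unauthenticated.
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0

! After: advertise the same subnets, but only the uplink is active and it
! requires authentication (IOS 15.4(1)T / IOS-XE syntax, RFC 5709 style).
key chain OSPF-KEYS
 key 1
  key-string <strong-shared-secret>
  cryptographic-algorithm hmac-sha-256
!
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/0
 network 10.0.0.0 0.0.0.255 area 0
 network 10.0.10.0 0.0.0.255 area 0
!
interface GigabitEthernet0/0
 ip ospf authentication key-chain OSPF-KEYS
```

The check after the change is `show ip ospf interface brief`: everything except the uplink should show as passive, and `show ip ospf neighbor` should list only the expected peer.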



Certificates yay!

So, probably no one's favorite subject.

But I had a couple of questions. When a server, controller, etc., allows the upload of a trusted CA, an intermediate CA, and the signed certificate, what do you normally do?

I know you can chain the root and intermediate into the signed certificate, but if they're uploaded all separate isn't that the same? If not how does it differ?

Lastly, cert trust issues I know are pretty much entirely client side, they don't have the ca or intermediate installed etc. How do you explain that to clients/customers in a way they accept it? Cause I seem to always get the generic "that's not acceptable that's too much work"

Maybe there's no explaining it to them...and we'll be forever ranting about that.
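What the device does with the three uploads, and why a client that only holds the root still fails without the intermediate, as an added example that is not from the original post. It generates a throwaway root, intermediate and server certificate with the `cryptography` package (assumed installed; all names and the hostname are made up) and runs an in-memory TLS handshake with Python's stdlib `ssl`: the client trusts only the root, and the server is given different chain files. Uploading the intermediate separately or pre-chained into the server certificate file ends the same way: the server sends leaf + intermediate, and the client joins that to the root it already has.

```python
import datetime
import os
import ssl
import tempfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Added example, not from the original post. Names and hostname are made up.
HOST = "server.example.test"


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, issuer_key, pub, ca, san=None):
    """Issue a v3 certificate carrying the extensions a strict verifier expects
    (basicConstraints, SKID/AKID, keyUsage; SAN and EKU on the leaf)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer).public_key(pub)
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(pub), critical=False)
         .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
             issuer_key.public_key()), critical=False)
         .add_extension(x509.KeyUsage(digital_signature=not ca, content_commitment=False,
                                      key_encipherment=False, data_encipherment=False,
                                      key_agreement=False, key_cert_sign=ca, crl_sign=ca,
                                      encipher_only=False, decipher_only=False), critical=True))
    if san:
        b = (b.add_extension(x509.SubjectAlternativeName([x509.DNSName(san)]), critical=False)
              .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]),
                             critical=False))
    return b.sign(issuer_key, hashes.SHA256())


def build_pki():
    """Root CA -> intermediate CA -> server leaf, all freshly generated."""
    root_key, int_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _cert(_name("Example Root CA"), _name("Example Root CA"), root_key,
                 root_key.public_key(), True)
    inter = _cert(_name("Example Intermediate CA"), root.subject, root_key,
                  int_key.public_key(), True)
    leaf = _cert(_name(HOST), inter.subject, int_key, leaf_key.public_key(), False, san=HOST)
    return root, inter, leaf, leaf_key


def pem(cert):
    return cert.public_bytes(serialization.Encoding.PEM)


def handshake_succeeds(trusted_root, server_chain, server_key):
    """In-memory TLS handshake: the client trusts only `trusted_root`, the server
    presents `server_chain` (leaf first). True if the client accepts the chain."""
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for fname, data in (("root.pem", trusted_root), ("chain.pem", server_chain),
                            ("key.pem", server_key)):
            paths[fname] = os.path.join(d, fname)
            with open(paths[fname], "wb") as f:
                f.write(data)
        client_ctx = ssl.create_default_context(cafile=paths["root.pem"])
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(paths["chain.pem"], paths["key.pem"])
        c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
        client = client_ctx.wrap_bio(c_in, c_out, server_hostname=HOST)
        server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
        finished = set()
        try:
            for _ in range(10):
                for label, side, out_bio, peer_in in (("client", client, c_out, s_in),
                                                      ("server", server, s_out, c_in)):
                    if label not in finished:
                        try:
                            side.do_handshake()
                            finished.add(label)
                        except ssl.SSLWantReadError:
                            pass
                    data = out_bio.read()  # shuttle records to the other side
                    if data:
                        peer_in.write(data)
                if len(finished) == 2:
                    return True
        except ssl.SSLCertVerificationError:
            return False
        return False


def demo():
    root, inter, leaf, key = build_pki()
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return {
        # what the device sends after the intermediate was uploaded, whether
        # as its own file or pre-chained into the server certificate file
        "leaf_plus_intermediate": handshake_succeeds(pem(root), pem(leaf) + pem(inter), key_pem),
        # appending the root too is harmless, just wasted bytes per handshake
        "leaf_intermediate_root": handshake_succeeds(
            pem(root), pem(leaf) + pem(inter) + pem(root), key_pem),
        # the complaint in the post: server sends only its own certificate
        "leaf_only": handshake_succeeds(pem(root), pem(leaf), key_pem),
    }


if __name__ == "__main__":
    print(demo())
```

The `leaf_only` case is the one customers report as "not acceptable": fixing it on the client means installing the intermediate on every client, whereas fixing it on the server means uploading the intermediate once, which is why the chain belongs on the server side. Only the root should ever be in the client's trust store; the intermediate is meant to travel in the handshake.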



SONiC DHCP-Relay with vlan as circuit-ID

Documentation is semi-lackluster on SONiC; does anyone have more info on how DHCP relay works? It uses isc-dhcp-relay so it should definitely be possible.



Help me investigate slow download speed from my server

I have slow speed issues with my server that is running Ubuntu. It has a 250 Mbit/s link but when downloading from it my speed is capped around 5 Mb/s. I have a connection of 1 Gb/s.

I'm pretty sure that the issue is related to the TCP window size. Window scaling is enabled on both and tcpdump shows that the scaling is 10 for the server and 9 and 8 for the clients. But the window size value is low. I see 30 or 32 for the server depending on which client is connecting, and a value around 300 for the clients. So the calculated window size is low.

Sometimes I don't have this issue, and in this case the calculated window size is around 30000000.

I don't have issues when uploading to the server.

How is this total window size determined?
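How the "calculated" window comes out of what tcpdump shows, as an added example that is not part of the original post. The shift count each host announces in its own SYN (RFC 7323) applies to the windows that host advertises afterwards, and only if both sides sent the option; the 16-bit `win` value in a data-phase segment is shifted left by that count. Because a host's advertised window is its receive window, the one that bounds a download from the server is the window the client advertises, scaled by the client's shift; the server's advertised window only bounds uploads to it. The tcpdump lines below are constructed, and the RTT used for the throughput ceiling is an assumption.

```python
import re

# Added example (not from the original post). Constructed tcpdump-style lines:
# SYN / SYN-ACK carrying wscale, then two data-phase ACKs with raw 16-bit windows.
SAMPLE = """\
14:02:11.000100 IP 198.51.100.10.51234 > 203.0.113.5.443: Flags [S], seq 100, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 8], length 0
14:02:11.000900 IP 203.0.113.5.443 > 198.51.100.10.51234: Flags [S.], seq 200, ack 101, win 65160, options [mss 1460,sackOK,TS val 2 ecr 1,nop,wscale 10], length 0
14:02:11.030000 IP 198.51.100.10.51234 > 203.0.113.5.443: Flags [.], ack 201, win 300, options [nop,nop,TS val 3 ecr 2], length 0
14:02:11.031000 IP 203.0.113.5.443 > 198.51.100.10.51234: Flags [.], ack 101, win 30, options [nop,nop,TS val 4 ecr 3], length 1448
"""

LINE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]*)\].*? win (\d+)(?:.*?wscale (\d+))?")


def effective_windows(text):
    """Return {sender: [effective window in bytes, ...]} for non-SYN segments.

    Each host's shift comes from the wscale option in the SYN *it* sent, and it
    applies to the windows that host advertises. If either side omitted the
    option, neither side scales (RFC 7323 section 2.2)."""
    shifts = {}
    segments = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, _dst, flags, win, wscale = m.groups()
        if "S" in flags:
            shifts[src] = int(wscale) if wscale is not None else None
        else:
            segments.append((src, int(win)))
    both_scaled = len(shifts) == 2 and all(s is not None for s in shifts.values())
    out = {}
    for src, win in segments:
        shift = shifts.get(src, 0) if both_scaled else 0
        out.setdefault(src, []).append(win << shift)
    return out


def throughput_ceiling_bps(window_bytes, rtt_seconds):
    """Upper bound for a one-way transfer limited by the receiver's window:
    at most one window can be in flight per round trip."""
    return window_bytes * 8 / rtt_seconds


if __name__ == "__main__":
    windows = effective_windows(SAMPLE)
    for host, values in windows.items():
        print(host, values)
    # Client-side receive window (300 << 8) bounds the download; RTT assumed 30 ms.
    print(throughput_ceiling_bps(windows["198.51.100.10.51234"][-1], 0.030), "bit/s")
```

With these inputs the client's `win 300` becomes 300 << 8 = 76800 bytes and the server's `win 30` becomes 30 << 10 = 30720 bytes, so a 30 ms path could never carry more than about 20 Mbit/s toward the client. The practical check is `ss -ti` on the receiving side, which shows rcv_space and the current window it is advertising, and the sysctls that cap it (`net.ipv4.tcp_rmem` and, on the server, `net.ipv4.tcp_wmem`).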



a question regarding boosting cellphone signal

Hello, so I have poor reception at a specific place; I have no internet connection there and there is a signal but I only get 1 bar, so I've been seeing some antennas you can buy to point at the closest cell phone tower to boost the signal but they all seem expensive, until I came across this one: https://www.ebay.com/itm/383643555928?mkevt=1&siteid=1&mkcid=2&mkrid=21572-161791-658771-9&source_name=google&mktype=pla_ssc&campaignid=12962885462&groupid=122186319055&targeted=pla-1248581038030&MT_ID=&adpos=&device=c&googleloc=20514&itemid=383643555928&merchantid=116792603&geo_id=100&gclid=CjwKCAjw092IBhAwEiwAxR1lRnRWwQMMEIhFVGPzDQyg6IBNdPXxG5FD_StVta-AboAEWE0Ae7BdIxoC8LAQAvD_BwE&autorefresh=true

I basically need to boost a 4G signal, do you think it will do the job? Thank you for the help.



I am looking for a Computer Network expert who can help me with a project

Hey guys, I am looking for a Computer Network expert who can help me with a project I am working on. It is a paid job of course. Please DM me for more details. Thanks!



How does data transmission through coax and twisted pair differ?

I think of coax as basically radio waves contained within the outer shielding, kind of like how fiber-optic is light contained within glass. And the copper core is what generates the waves along the way, almost like a really long antenna. Is that a correct analogy?

I think of twisted pair -- Ethernet, USB, etc. as fundamentally different. They generate RF and can be affected by it (despite the twisting), but that's not what they use to communicate, instead they use voltage drops (electrical pulses) to simulate 1s and 0s. And this is why a coax signal needs a modem to convert the RF analog waves to digital pulses, and twisted pair or fiber optic cables don't because it's already "digital" pulses of either light or voltage.

Am I correct in my assumptions so far?

Where I get confused is that coax and twisted pair are still fundamentally copper electrical cables, yet I think of coax as RF and of twisted pair as using electrical pulses (and not wanting to have anything to do with RF). To further complicate things, is Wi-Fi then basically the same as coax, except the waves aren't contained within a cable? And does that mean that a wireless AP is a modem of sorts?



IPTV, Virgin Media, Deco M5

Hi there,

My ISP is Virgin Media and I have the Superhub 3 router which is in modem mode. I have 3x Deco M5s which are in router mode and they work amazing.

I have recently acquired an IPTV service which I play on my Smart TV. Things were working fine until yesterday; now I cannot play any channel at all, or sometimes I can play it and it would stop all of a sudden.

I did look up on reddit and on google, many people are experiencing the same issue. My question therefore, is there a way round where I can watch my IPTV using Deco M5s? or is there an IPTV service which is Deco M5 friendly?

Many thanks.



How does a half-duplex medium (e.g. Wi-Fi) affect simultaneous up/down transfer in practice?

I'm sorry if this question is confusing, let me clarify what I mean.

So, Wi-Fi is half-duplex. This means it can either transmit or receive, but not both at the same time.

So let's say an AP and a client are connected at a theoretical link (PHY) of 1200 mbps up and 1200 mbps down.

In the real world, this means you'd see roughly 600 mbps download and 600 mbps upload. But if you try both at the same time, you'll only get 300 mbps down and 300 mbps up because it's half-duplex.

Am I correct in my thinking so far?

Okay, now let's say you have an asymmetrical internet connection. Let's assume you get 500 mbps down and 50 mbps up to your ISP, and you have the same 1200 mbps up and 1200 mbps down theoretical Wi-Fi links.

You try to run simultaneous up and down tests. What should you see?

  1. The up and down each get cut in half (so you get 250 mbps up and 25 mbps down)
  2. Only one gets cut in half (upload is 25 mbps, download is full 500 mbps or vice versa)
  3. You get the full 500 mbps up and 50 mbps at the same time because it's below what the Wi-Fi link can support (600 mbps combined up and down).

Sorry if it's confusing, I'm just trying to understand Wi-Fi better and make sense of some speed tests.



Python Libraries for Network Automation

Good morning everyone happy Saturday!!

So I'm transitioning into IT from a different field. I have an AAS in CIS and my Sec+ and am studying for other certs. Currently pursuing a BS in Cyber. I feel networking knowledge is critical for a career in cyber so that's where I want to start my career.

I think having Python automation knowledge for networking is super important and a great skill to have when looking for Net Engineer positions.

As of today, what libraries are being used the most and for what when it comes to networking?

How often is it used?

Is it as critical as I think it is to have this skill set?

What are some good books/courses?

Thank you for your time in advance everyone!



Struggling to understand management VRFs...

I started reading about management interfaces and that brought me down a rabbit hole on how I should use a management VRF to advertise my equipment's loopback interfaces, subinterfaces, or VLAN interfaces. What I am struggling to understand is how this is actually applied in the real world. How is this most commonly (and most simply) implemented so that, let's say one PC in a NOC, is able to access both the management VRF and the normal/global routing table?

This is assuming we are using in-band management, I understand there are ways to do this via OOB management.

Additionally, I understand there are definitely gaps in my knowledge regarding VRFs - if anyone can point me in the right direction for this particular use, that'd be great.



Friday, August 13, 2021

How to configure /53 Ipv6 subnet into routers and PC using packet tracer?

Hi all, I am trying to configure an IPv6 address 2001:dbe:0000:0000::1/53 on the router interface. It works, but when I set the IPv6 configuration to automatic on the PC, it does not work. But if I set the IPv6 address as 2001:dbe:0000:0000::1/64, it somehow worked. Am I doing anything wrong? My project requires me to use a /53 subnet.
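The rule the PC is applying, as an added example that is not part of the original post. Automatic configuration on a host is SLAAC (RFC 4862), which builds a 64-bit interface identifier (modified EUI-64 from the MAC in Packet Tracer's case), and RFC 4862 section 5.5.3 says a host ignores a Router Advertisement prefix whose length plus the interface-ID length is not 128. A /53 is therefore usable as a routing block to carve /64 links out of, not as the on-link prefix hosts autoconfigure from. The MAC address below is made up; the prefixes are the ones from the post.

```python
import ipaddress

# Added example (not from the original post). SLAAC needs a 64-bit interface ID,
# so the advertised prefix must be exactly /64 (RFC 4862 section 5.5.3).
IFID_BITS = 64


def eui64_interface_id(mac):
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle and
    flip the universal/local bit of the first octet (RFC 4291 appendix A)."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(advertised_prefix, mac):
    """Address a host would autoconfigure from the prefix in an RA, or None
    when the prefix length cannot be combined with a 64-bit interface ID."""
    net = ipaddress.IPv6Network(advertised_prefix, strict=False)
    if net.prefixlen + IFID_BITS != 128:
        return None
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def carve_links(block, count):
    """Treat the /53 as an aggregate and hand out the first `count` /64 links
    from it; each of those is something hosts can autoconfigure in."""
    net = ipaddress.IPv6Network(block, strict=False)
    subnets = net.subnets(new_prefix=64)
    return [str(next(subnets)) for _ in range(count)]


def links_in_block(block):
    """How many /64 links a block holds (2048 for a /53)."""
    net = ipaddress.IPv6Network(block, strict=False)
    return 2 ** (64 - net.prefixlen)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # made-up host MAC
    print(slaac_address("2001:dbe::1/53", mac))   # None: host ignores a /53 RA
    print(slaac_address("2001:dbe::/64", mac))    # 2001:dbe::211:22ff:fe33:4455
    print(carve_links("2001:dbe::/53", 3), links_in_block("2001:dbe::/53"))
```

So the /53 still has a job: the router can keep a route for the whole 2001:dbe::/53 and put 2001:dbe::/64 (or any other /64 from it) on the LAN interface that the PCs sit on. The project constraint and SLAAC are not in conflict once the block and the link prefix are treated as different things.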



Cisco FTD/FMC site-to-site azure bug

Recently set up a site-to-site tunnel to Azure on FTD 2110s (version 6.7.0) and have come across a curious bug. We have an internal subnet of 10.0.48.0/23 that when added to the crypto map sometimes pings to servers on the azure subnet of 10.50.1.0/16 subnet and sometimes not.

We spent hours troubleshooting and Cisco took a day to respond; however, we were able to find a workaround for the problem before they could get back to us by separating the subnet into 10.0.48.0/24 and 10.0.49.0/24 in the crypto map. We also have a 192.168.110.0/23 and a 10.0.44.0/23 which have caused us no problems. Also, all the other /24 subnets have no problems.

This has to be a bug right? At first I thought it was our core switches having issues (nexus 7k), but once I changed from one /23 to two /24 the problem went away.

Any ideas at all?



I quit working for an ISP provider and here is my record and recollection.

imgur.com/dh1mBJM

2 years as an ISP technician the workbook remembered 852 networks.

There have been some ups and downs on the job (in the winter especially downs), but it's been an adventure and colleagues there were great. I learned a ton about dealing with customers, tech and the general ghosts in troubleshooting.
To clarify I was working in the Mikrotik Wireless branch. Imho more fun than dealing with optic fibre. You do get cold in winter and it's really risky up there on rooftops that are shaped like A with no footholds or handholds whatsoever. You learn to slide like a snail to keep some grip somewhere.



Network Issue - Split Data and Voice

Got a strange issue for a project I have been assigned. I have been asked to rebuild a network from scratch for a small organization. I have been a network tech for several years, but this is the first time I have run into this kind of setup. To preface, there is nobody at this company that can assist me - so reaching out.

Please see diagram here - https://imgur.com/a/El5n7aU

The ISP offers VoIP/Data services, the client is subscribed to both. This is an organization with over 1000 devices on a /20. There are no VLANs except for the default. So all of the devices, except the phones (which are on a separate VLAN), are on the same subnet.

Fiber comes in from the demarc to what I assume is an ONT with 2 network cables leaving it. 1 going to the vendor router, the other going to the company owned firewall.

Everything is fine until I found out that the data "trunk" (no trunks, everything on default VLAN) runs from the firewall, to the switch, then back to the vendor switch. Then, the vendor switch runs fiber via SFP to another vendor switch to a new building. That switch connects to the company owned switch then to other endpoints.

I need to run VLANs and subnets appropriately with the devices in the network. I am afraid the VLANs will not traverse along the fiber uplink to the other vendor switch in BUILDING B. This is due to unknown configs, and probably other factors unknown to me.

The ISP will not give me the Cisco switch configs. Am I wrong in thinking that there will be VLAN and security issues? Please let me know if there is anything I need to clarify. I threw this diagram together pretty quickly. Any assistance is super appreciated.



ESX servers - How many nics is enough?

I'm running Cisco ACI and attempting to convert from FC to iSCSI on our storage networking side and we have been running into a ton of issues relating to our iSCSI setup. On our FC side we have servers with a 2 x 10GbE + 2 HBA setup. On our iSCSI side we've been trying to get away with using just 2 x 10/25GbE for converged LAN/SAN access however this has been failing spectacularly.

I have no doubt that dedicated nics for storage would help but Cisco docs indicate converged LAN/SAN with only 2 nics would work. Granted their design docs indicate UCS servers running through Fabric Interconnects which we are NOT doing.

I also recall being told that doing things like doing QoS in the datacenter is an absolute nightmare and when possible it's better to throw more bandwidth at the problem... so how am I still choking with 25Gb? Is SAN traffic just a different beast that needs dedicated nics? And do I also need dedicated nics for things like vmotion? The whole exercise was supposed to reduce the amount of cabling complexity to each host, but now it seems like there's more than ever...



Is Juniper's new SD-WAN really "tunnel-less" ?

I've started reading about Juniper's new acquisition, and I keep seeing them tout it as a "tunnel-free" SD-WAN. It provides encryption between endpoints and hides the source/destination addressing....isn't that the definition of a tunnel, or is my own definition just overly broad? I'm trying to figure out if I'm missing something here.



Session Timeout and DHCP Address Required on Cisco Wireless?

I've recently implemented new SSIDs on our campus, including in our residence halls, with some different security setups through ISE. As part of the new SSID creation, I left a number of settings at their defaults to start with, including the session timeout at 30 minutes. One setting I did not leave at default was the DHCP Address Assignment requirement. I turned this on in order to try to prohibit people from setting up static IPs on their devices (we have seen this occur on occasion in the past).

After setup, I read somewhere that turning on the DHCP required option isn't really considered best practice and can cause various issues.

We've had a few reports of game consoles and such in the residence halls losing connectivity during multiplayer games and that, when they time it, it does seem to be consistent to that 30 minute mark. On the other hand, my understanding as I've been learning ISE is that there are several good reasons to keep a lower session time like the default 30 minutes instead of raising it too much or disabling it completely (which is what we used to do).

I'm wondering if the session time itself is probably the issue or if it is a combination of that with the DHCP requirement.. for example, is the WLC forcing an entire DHCP transaction to occur between the client and the DHCP server which causes a delay in wireless session renewal.

I'm curious what others in this space are doing for these types of settings, particularly with residence halls?

Thanks!



Is the job market for network engineers still healthy?

I am interested in network engineer as a career. However, I was checking BLS and it says network engineers will only see a 4% growth in the future. 4% growth does not look promising to me. Or perhaps I am being naive. I understand seasoned network engineers will probably be fine. But I don't know if it would be unwise for someone new to start their path toward a network engineer today. (I do live in Northern Virginia/DC area if that matters)

For those who are network engineers or of a similar position and well established in your career, what do you think of the job market for network engineers today?



Should you use AWS Route 53 for both your domains and subdomains or use it only for one of them?

We have a domain on GoDaddy and planning on routing the traffic to it through Route 53 and later will be creating subdomains using Route 53 too. So I wanted to know what are the pros and cons and also the security concerns for both scenarios of using GoDaddy for only the domain and Route 53 for subdomains and vice versa.



RE-IP to a larger internal IP block

Since this topic comes up a lot in networking I figured I'd post this for anyone else to find and people can correct me if this plan isn't 100% correct.

I'm working to RE-IP our completely flat network to get segmentation for our internal corporate traffic, mgmt traffic, and customer traffic from a single flat no VLAN network to 3 VLANs.

Currently our network stack is a clustered firewall that serves DHCP on a /24 block to the whole network. Devices on the network are switches, storage mgmt ports, compute mgmt, and ESXi with Windows 2012-2019 VM servers.

I'm going to move the current flat /24 space 192.168.3.x/24 to 192.168.0.x/22. To make the transition as painless as possible I'm going to have all VMs keep their static IPs and keep the gateway the same, 192.168.3.1. The only thing I'm going to update is the subnet mask on the machines. Note by keeping the gateway the same, since I'm going to keep DHCP going, I have to split the DHCP range space around 192.168.3.1 so my valid range is 192.168.0.1-192.168.2.255 and 192.168.3.2 to 192.168.3.254.

To change all the IPs on the Windows machines I'm going to use PowerCLI "Set-VMGuestNetworkInterface -Netmask “255.255.252.0” -GuestCredential (Get-Credential)" with an array to do this to all the Windows machines in the network. This will push out to all the VMs an update to their Windows IP space through ESXi. Note this script isn't complete, this is just for 1 machine, but you can google how to do it for the rest.

Once I get all the devices into the correct IP space then I'll push out the VLAN changes across the network and firewall.

by changing all the VMs first I'll still be able to reach all the devices from Vcenter or Vsphere as those will be the last devices to get changed over and I'll still be able to get to my firewall via VPN in my case or by just connecting right into the firewall on a separate port/IP space.

Hope this helps anyone looking to get out of the /24 trap that a lot of people get into thinking you'll never run out of those IPs.



BGP Multihome - One provider partially down

Hi Everyone,

We are an eBGP multihomed to two transit providers (and a number of other peers on a peering exchange). Failover is pretty painless when one of the providers goes hard down (i.e. eBGP session drops).

However, if one of the providers has an issue within their network (such as a flapping internal link or flapping iBGP sessions), then our edge router cannot detect the failure and remove routes / advertisements to the bad peer.

What is the recommended approach to detecting a "soft" failure of a provider? The current solution is to manually alter the import/export policies on the problematic BGP session, but this is obviously not ideal as it requires manual intervention.

We're using Juniper MX at our edge. Should I be looking into using RPM probes to monitor each circuit from each Juniper MX at my edge?



Weird serial connectivity issue (Arista 7050SX3-48YC8)

Just bought my first pair of Arista switches (7050SX3-48YC8) to begin displacing some of the Cisco footprint in my datacenter. I've hit the stupidest issue and feel like I'm taking crazy pills. This is going to sound embarrassingly trite / novice, but I have to ask if there's anything odd / unique about how to console in to an Arista switch, the pinning, first boot requirements, etc. I've just spent the last hour trying to connect to these switches (Serial to USB) and it's spit out nothing but unicode gibberish.

  1. Yes, I’m set to 9600 8-N-1.
  2. Yes, I made sure I’m not accidentally plugged in to the Mgmt port (I tried both to confirm).
  3. Yes, I’m seeing the same behavior on both switches.
  4. Yes, I restarted my computer attempting both on my MacBook (my usual) and in my Windows VM via PuTTY.

And lastly yes, I have configured literally hundreds of switches before (Aruba, Cisco, Juniper, etc.) so the familiarity is definitely there. I even swapped out my usual “goes with me everywhere” serial cable for the one they included. Same behavior.

This is ridiculously frustrating. Any idea what might be going on here would be appreciated.



Core ARP table issues - Netgear

Hello

I'm deploying a solution with Netgear switches.
It consists of core, aggregation and access switches.

Core is set up as layer-3 with IP routing and VLANs across the network. Aggregation and access are layer-2. Trunking is also set up correctly.

I'm having a random issue with the less "chatty" host devices that suddenly aren't able to be pinged.
I can only ping these devices from the core or on their own VLAN.
Every time this happens I can log onto the core switch, ping the IP of the device and then it's accessible from everywhere.

All the switches are on VLAN 1. Now the ARP table on the core is missing a couple of the access layer switches. If I ping one from the core it's back in the ARP table and accessible again.

When a host isn't reachable it's missing from the core ARP table, but it's in the mac-addr-table.

It's exactly the same problem as described here: https://community.cisco.com/t5/switching/core-switch-not-generating-arp-requests-in-response-to-ping/td-p/4117633

This is driving me nuts. Either I've configured something wrong or there is a bug in the SW on the core switch.

Any ideas?



Troubleshooting gigabit network issue

Hi all,

I am a novice at enterprise level networking, but learning as I go along.

I have installed a Ubiquiti UDM-Pro + switch to upgrade our previous unmanaged rack. Our setup is:

UDMP - USW-24 - cat 5e patch panel - cables to various ports installed in the flooring.

If I plug in an unmanaged gigabit switch to the floor, devices connected get gigabit speeds. But if devices are connected directly to the floor (no additional switch), the speed is only 100 Mb.

Could someone explain to me why this is, please? If the device, cables, patch panel and switch all support gigabit speed then why do I need to connect another unmanaged (or managed) switch on the other end to get full speed?

Thanks in advance for your knowledge.



Can a DHCP server be on a different VLAN?

I have 4 Vlans setup currently

VLAN 1 - Native

VLAN 10 - Data (192.168.0.0/24)

VLAN 3 - Wireless (192.168.3.0/24)

VLAN 30 - Untrusted devices. (192.168.30.0/24)

Currently all the VLANS can interact with each other ex. 192.168.10.100 can ping a device with an address of 192.168.3.124.

I am looking to set up rules to deny this type of traffic. I have a DHCP Windows server on my data VLAN that has a scope for each VLAN. If I add in these rules (Meraki L3 switch) will this stop DHCP from working on my Data, Wireless, and Untrusted VLANs?

From what I know it will stop working on those three VLANS. I thought about allowing just the address of the DHCP server to each network but doesn't that kind of defeat the purpose of the added security from doing this?

Should I just look into setting up DHCP through my Meraki switches?

Thanks.
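What the cross-VLAN DHCP path needs, and what the rule for it has to allow, as an added example that is not part of the original post. It is written in Cisco IOS syntax because that is the most readable way to state the rule; the Meraki L3 ACL is built in the dashboard but expresses the same matches. The server address 192.168.0.10 and the SVI addresses are assumptions. The point is that the exception does not have to be "the whole DHCP server": only UDP from client port 68 to server port 67 needs to cross, which is nothing an attacker on the wireless VLAN can reach the server's file shares or RDP with.

```text
! Routed interface (SVI) for the Wireless VLAN. The relay turns the client's
! broadcast DISCOVER/REQUEST into a unicast sourced from this SVI to the server
! on the Data VLAN, so the server needs no foothold on the client VLAN.
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
 ip helper-address 192.168.0.10
 ip access-group WIRELESS-IN in
!
! Inbound filter for the Wireless VLAN. Line 1 covers the initial broadcast the
! relay picks up; line 2 covers the unicast renewals a client sends straight to
! the server once it has a lease. Nothing else reaches the Data or Untrusted
! VLANs; internet-bound traffic is still permitted.
ip access-list extended WIRELESS-IN
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 permit udp any eq bootpc host 192.168.0.10 eq bootps
 deny ip any 192.168.0.0 0.0.0.255
 deny ip any 192.168.30.0 0.0.0.255
 permit ip any any
!
! If the Data VLAN SVI gets an inbound ACL of its own, the server's replies to
! the relay (UDP 67 -> 67, addressed to the giaddr, i.e. the SVI) must be let in:
!  permit udp host 192.168.0.10 eq bootps any eq bootps
```

The same shape repeats for Vlan30 with its own access list. Moving DHCP onto the switches instead removes the exception entirely, but also moves lease and reservation management out of the Windows server, which is the trade-off to weigh.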



ISP Managed Residential WIFI Solution

I work for an ISP and we deploy a GPON network. I am looking for a WIFI solution for our residential and business customers. I am looking for a product that has a management system that can monitor and do testing (speed test) on each of the wireless routers and repeaters at a customer location. Ubiquiti is the closest thing I have found that would work. They have the UniFi product line and the UISP product lines. There is also TP-Link but their management system appears to be a rebranded Gene ACS which I am not impressed with. Are there any other vendors that provide WIFI routers, repeaters, and a management system?



How to allow new VLAN through SonicWall Firewall?

I am trying to set up a new VLAN 30 on my network; I have three other VLANs set up. I believe I have all the settings correct since when I connect to the new VLAN 30 I get an address from it (provided by Win server DHCP). I can contact other things on the new VLAN and also devices on other VLANs since I don't have any rules set up on the L3 switch yet.

The problem is that I cannot access the internet, I think my firewall is blocking the traffic. I do get a DNS address and I know it works since it is used on all the VLANS.

I added the new VLAN as a address object in the firewall but I still am not able to get internet access.

Not sure what I am missing as everything looks to be setup the same as the other VLANS.

Any ideas?



When would you ping 127.0.0.1?

I'm studying for my CCNA, a few lessons into Neil Anderson's Udemy course he talks about the 127.0.0.0/8 range being reserved for localhost. He also mentions that you can ping this address range to check that TCP/IP is functional on the pinging computer.

When would you ever need to test this? In what situation would TCP/IP not be functional?



setup suggestion for a small network

I have a network that has about 200-300 IP devices. A few servers, some switches and APs, and a lot of computers and other network devices. Currently, we have a SonicWALL with a few interface ports: WAN, Office, and Phone. We recently had a request to implement cameras and the devices needed for them, 50 or so IPs needed. I would usually just add a new interface and assign a new subnet range for that. And if required, create ACLs for network segregation. How would you guys lay out the network so that it would be meaningful, efficient, and easy enough to manage for a team of 1 or 2 techs? Would creating a new subnet range for the cameras on the next available firewall interface be good enough?



Firewall ruleset design: block closest to source or closest to destination?

Hi all,

My team is implementing a set of firewalls, each acting as a gateway for its own "zone".
Each firewall has an interface in its zone, and an interface in a common transit zone. A diagram: https://ibb.co/XySZtDg.

It is commonly advised to block the traffic as closest to the source as possible, before entering the firewall (for efficiency reasons).

Based on the above, we would enforce the ruleset on each interface belonging to a non-transit zone (direction: from-zone-to-transit).
I assume it is still necessary to perform firewalling on the interfaces in the transit zone (direction: from-transit-to-zone).

Would you say the above makes sense, or are there better ways?

I'd really love to read more about firewalls design. I'd be grateful if you could suggest a resource where I could learn more.

Thanks.



Troubleshooting New ICX-7650 Core, Out of Ideas?

We recently replaced our old core with a new 7650, everything seemed to be going correctly up until a couple days ago. When we started noticing that servers from VLAN 7 cannot communicate with other devices in other VLANs.

We have a couple of test servers in VLAN7 and nothing can get into them such as port 80,443, 22, 3389. We have an ACL on our VE for that interface that has all the correct entries which should pass traffic. The strange part is, these servers that aren’t available from other VLANs are fully available if you would use an outside connection and use their NAT address, then you can work with them. I’ve tried calling and using Ruckus Support but they have been less than helpful, saying “That’s weird, the ACL was removed from your VE, and the traffic still isn’t passing”.

I've verified that the ACL is correct, (sequence # permit any ip host X.X.X.X), I've tried removing the ACL from the VE, adding more entries into the ACL, the ACL debugging mode (which when used, showed that the sequence number for my server isn't even getting hits, so the traffic isn't getting that far into the ACL), the only permit deny is sequence number 50000, all our other ACL entries range from 100-900. This allows the final entry to be permit deny so that nothing gets blocked until the end.

I’ve done Everything I can think of, I’ve traced my Mac addresses from the core to their final destination ports before going into the servers and I can see them the entire way, which means layer2 connectivity is there. No default gateways change, and we don’t have any layer3 devices, it’s a flat layer2 network. If you ping these devices in VLAN7 they respond, you can trace route to them and if you use remote management and test from inside of VLAN7 everything works and acts normally. Besides the one ACL there are no others.



2 @ip have same @mac

hello

I have two IP addresses that take the same MAC address when I do show ip arp on a Cisco switch.



iPerf ($0) vs Fluke Networks CIQ-100 ($1,800)

What main benefits would I get from a Fluke tester such as the CIQ-100 over something like iPerf for measuring the quality of a network drop?



Redesign company network to harden security

Hi everybody, I now work for a company that started small and grew in the last few years, but the former sysadmins (external company) just did a crap job and put literally everything in the same 192.168.0.0 subnet.

currently, there is 1 cluster with 2 nodes, 1 san, 1 server outside the domain, 2 NAS, and a lot of workstations, printers, and various assorted devices.

The cluster has a slew of virtualized machines: 2 Win2012r2 DCs, 1 Exchange 2016 and others, last but not least a virtualized pfSense which is used as the main and only gateway.

Now, this is horrendous to me, but untangling this mess is not easy. I was thinking about sectioning everything with VLANs, something like this:

- physical servers , san, nas

- virtual servers

- workstations, printers

- other stuff connected to the network (like pbx, dvr, etc)

Would that make sense? I don't particularly like the idea of routing everything through the virtual pfSense though... and I don't think buying an L3 switch or a physical firewall is much of an option now...



Thursday, August 12, 2021

Why are hot-potato and cold-potato routing named so?

Are they named because packets are not buffered as if potatoes are too hot to hold?

https://en.wikipedia.org/wiki/Hot-potato_and_cold-potato_routing



Trouble getting DNS and DHCP on newly attached switch (crosspost from /r/sysadmin)

I can't go home until I figure this one out, so I figured I'd reach out for help. I've crossposted from /r/sysadmin in hopes of someone seeing this and helping me out of a jam.

I was tasked with bringing a production switch from one school district's network to another (districts merged, long story), so I was trying to maintain as much as possible here, but in the process of bringing the switch in, I've somehow managed to create a situation where the switch can see all the internal networks, but can't see past our network's connection to the DNS and DHCP servers, behind a switch managed by our state IT, which serves as the connection to the rest of the world. I'm fairly new to managing a network of this scale, so naturally I'm a bit in over my head here, as in the process we lost our network admin and I got a battlefield promotion, so to speak.

Configs (pruned to what I believe is relevant):

Working switch:

Current configuration : 16126 bytes
!
! Last configuration change at 13:42:00 CST Tue Aug 10 2021 by ****
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
service unsupported-transceiver
!
hostname 101-school1-Core
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
switch 1 provision ws-c3850-12xs
switch 2 provision ws-c3850-12xs
!
ip routing
!
system mtu 9198
no errdisable detect cause gbic-invalid
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
hw-switch switch 2 logging onboard message level 3
!
redundancy
mode sso
!
!
vlan configuration 70,170,270,400
ip flow monitor Netflow-to-Prime input
!
vlan 70
name Old Data
!
vlan 904
name Loop-Edu
!
vlan 905
name Loop-School2
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
template 1/0/1
!
interface TenGigabitEthernet1/0/11
description Loop-School2
switchport access vlan 905
switchport mode access
!
interface TenGigabitEthernet2/0/11
description Loop-Edu
switchport access vlan 904
switchport trunk native vlan 904
switchport mode access
storm-control broadcast level 10.00
storm-control unicast level 10.00
!
interface Vlan1
ip address 172.16.7.6 255.255.255.128
ip ospf 10 area 0
!
interface Vlan70
description ***DATA VLAN***
ip address 10.162.72.1 255.255.252.0
ip helper-address 10.162.64.65
ip helper-address 10.162.64.30
ip helper-address 10.2.5.40
!
interface Vlan904
description Edu - School1
ip address 172.16.0.38 255.255.255.248
ip ospf 10 area 0
!
interface Vlan905
description School1 - School2
ip address 172.16.0.41 255.255.255.248
ip ospf 10 area 0
!
interface Vlan921
ip address 172.16.0.137 255.255.255.248
ip ospf 10 area 0
!
router ospf 10
network 10.160.80.0 0.0.0.255 area 0
network 10.162.16.0 0.0.3.255 area 0
network 10.162.72.0 0.0.3.255 area 0
network 10.162.84.0 0.0.1.255 area 0
network 10.162.136.0 0.0.0.255 area 0
network 10.162.176.0 0.0.1.255 area 0
network 10.162.178.0 0.0.1.255 area 0
network 10.162.180.0 0.0.1.255 area 0
network 10.162.182.0 0.0.1.255 area 0
network 10.162.184.0 0.0.1.255 area 0
network 10.162.186.0 0.0.1.255 area 0
network 10.162.240.0 0.0.1.255 area 0
network 10.162.242.0 0.0.1.255 area 0
network 10.162.244.0 0.0.1.255 area 0
network 10.162.246.0 0.0.1.255 area 0
network 172.16.0.32 0.0.0.7 area 0
network 172.16.0.136 0.0.0.7 area 0
network 172.22.2.0 0.0.0.255 area 0
network 172.22.4.0 0.0.0.255 area 0
network 172.22.16.0 0.0.0.255 area 0
!
ip default-gateway 10.162.64.1
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.162.64.1
!
!
access-list 101 permit udp host 10.162.64.102 any eq 16962
!

ap group default-group
end

Trouble switch:

Current configuration : 17572 bytes
!
! Last configuration change at 19:59:44 CST Sun Feb 28 1993 by ****
!
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service unsupported-transceiver
!
hostname *****-3560G-Sw
!
boot-start-marker
boot-end-marker
!
system mtu routing 1500
vtp mode transparent
ip routing
no ip domain-lookup
ip domain-name *domain*
!
no errdisable detect cause gbic-invalid
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 100
name Voice
!
vlan 904
lldp timer 60
lldp reinit 3
lldp run
!
interface GigabitEthernet0/14
switchport mode access
switchport nonegotiate
switchport voice vlan 100
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust cos
auto qos trust
storm-control broadcast level 0.50
storm-control multicast level 0.50
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/25
description Edu-School1
switchport access vlan 904
switchport trunk encapsulation dot1q
switchport trunk native vlan 904
switchport mode access
!
interface Vlan1
ip address 10.160.80.1 255.255.255.0
ip helper-address 10.2.5.40
!
interface Vlan100
description Voice Vlan
ip address 10.160.81.1 255.255.255.0
!
interface Vlan904
description Edu-School1
ip address 172.16.0.37 255.255.255.248
ip ospf cost 30000
ip ospf mtu-ignore
ip ospf 10 area 0
!
!
router eigrp 100
network 10.160.80.0 0.0.0.255
redistribute connected
!
router ospf 10
network 10.160.80.0 0.0.0.255 area 0
network 10.160.0.0 0.0.255.255 area 0
network 172.16.0.32 0.0.0.7 area 0
!
ip route 0.0.0.0 0.0.0.0 10.162.64.1
!
ntp server 129.6.15.28 prefer
ntp server 129.6.15.29
end

The good one is able to get dns info. The bad switch naturally also doesn't get DHCP from the helper-address.

A diagram would look like this:

Problem switch <=> School1 <=> School2 <=> School3 <=> School4 <=> State Network <=> DNS/DHCP

I can ping all the way to School4, but can't ping the state network, though this is true for all our switches. Packets are supposed to get to School4 and take a static route out into the state network.

What obvious thing have I missed due to being new to this?



Cisco > ESX Host Trunk Settings (VTP, PortFast, etc)

I'm preparing for some network switch upgrades at work and stumbled across a few questions regarding ESX host connections to a switch.

  • Should PortFast be enabled on the ESX trunk port?
    • Consensus seems to be yes
  • How about BPDUguard / BPDUfilter?
    • This seems personal preference based on probability of a VM sending BPDUs. We have some random appliances from Avaya for example, so I'm not sure I would trust BPDU Guard.
  • VLAN tagging / VTP v3
    • How does an ESX host respond to VTP pruning?
    • Depending on how pruning is handled, and since VTP allows all VLANs on a trunk link by default, should VTP be disabled entirely on that trunk port?
      • This seems ideal from a security and ESX host performance standpoint - why make the ESX host process all that broadcast traffic?
      • Only concern would be forgetting the switchport trunk allowed vlan ADD keyword and nuking a host.

Appreciate any input. I never really considered the possibility of PortFast on a trunk port before and we don't currently rock Cisco gear so not the simplest setup to test in a lab (can't even get pruning to work with vIOS in EVE).



Upload slow - multiple branches - cannot isolate issue

So, here's what I've done since this radioactive ticket graced my lap:

  1. Ticket was sitting backlogged for sometime with mention of circuits installed. Slow upload. So, had the provider test. Nothing. Some sites fine.
  2. Started probing/comparing one of the sites. I started looking at all the configs at the site (router, encryption router, switch). Nothing stood out.
  3. Started trial and error at the shaper and QoS settings - nothing, though looking back, probably had no reason to check QoS as, utilization wasn't being hit. /shrug
  4. Learned that customer at the site has a symantec web filter proxy running for multiple sites. Was awfully curious, but this seemed to turn out as a red herring (tested user without it enabled for the site).
  5. Did iperf. Along with gobs of speed tests with an access port. Fortunately we found that a direct connection to the wall jack showed symmetrical speeds! Yey! So I isolated the issue to the phone.
  6. After trial and error I tested the automatic port synchronization setting from Call Manager due to some weird negotiation issues I noticed. Fixed the issue. Mass deployed the fix to the phones.....
  7. Except issues still persisted at the other sites
  8. Eventually 'fixed' the rest of the sites. Most of the remaining sites I patched up were at the access switch, with some manner of hard coding speed/duplex on ports - the trunks and/or access switches, along with the APS setting in call manager.
  9. Last site remained. NO IDEA. There is nothing that stands out different. Now there are apparently more sites reporting asymmetrical speeds.

Equipment is 29xx for routers, and switches are 37xx. Customer is VRF'ed to our DC. I don't have any good explanation for why the negotiation behavior even was a problem. I also don't think the new sites, or even all the sites, necessarily had the exact same problem, but all the ones I fixed were speed/duplex issues.

If anyone has experience with this kind of weirdness I'd love to hear it. Or maybe some ideas on where to go next. Thankfully TAC is on board and kind of helping (with one of our routers still in contract). Packet captures on encryption router are next.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.



How do y'all monitor client network status/ISP status?

An organization wants to know ahead of time if its employees are having client-side connection issues to the corporate VPN. Does anyone use a service, or has anyone built a tool, to do this?

I don't know much about Internet health monitoring, but could something be done by figuring out the ASes of client IPs and somehow doing probes or pings back to said networks? Or is there an API or service for querying if a client region is down?



Dual port NIC vs 2 separate one port NICs?

Hey,

I'd like to know what the differences are between one dual port NIC and 2 separate single port NICs?

Does a dual port NIC have 2 separate MAC addresses, or only one? For a pfSense firewall router, would I have to have a PC with 2 NICs, or would a dual port one also work? Thanks.



Life-Saver Training Resources - Passed CompTIA A+ | What's next?

Yesterday, I passed the CompTIA A+ after 10 days of intense studying.

I would like to personally thank Professor Messer and CompTIA Bundle for all the free and paid resources.

My ultimate goal is to follow a cybersecurity career path and start learning basic hacking skills.

After A+ the next target is N+, but I would like to get any advice from the community how to start learning hacking at the same time.

Thank you



Meraki switch port buffer size

I am having a hell of a time finding real tech specs for the egress buffer size on Meraki switch ports. There's nothing in the data sheets about it. I found Cisco Live presos with marketing gloss saying that the MS425 and MS450 have "deeper buffer" than the other models. But there is no mention of what that means in terms of hard numbers.

Anyone possibly have more insight? Looking for detail specifically on the MS350 and MS425 models. Please send Meraki hate to /dev/null. TIA.



Cisco ASA - l2l VPN vs Null0 routing

I have an "as needed" l2l VPN on a Cisco ASA, but when the VPN is down, it causes a routing loop.

ie.

VPN UP:
1. Traffic to 172.16.1.1 (remote) gets to core and has a route to ASA-FW
2. Traffic is sent to ASA-FW and routed over VPN via crypto map

VPN DOWN:
1. Traffic to 172.16.1.1 (remote) gets to core and has a route to ASA-FW
2. Traffic is sent to ASA-FW and has a less specific route for 172.16.1.1 back to core
3. Traffic is sent back to core which again has route to ASA-FW (loop)

I think my best solution here is to add a Null0 route on the ASA-FW for the remote subnet (172.16.1.0/24), but there seems to be some confusion as to what that would actually do.

I've read that routing is decided first, and then if the next hop is part of a crypto-map, it will then decide to encrypt or not. But if that's true, wouldn't it see the route to Null0 and drop it before any crypto-map processing?

What should happen if I add this Null0 route? Is there a better solution? Thank you.
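The loop described above can be walked through with a small longest-prefix-match simulation. This is an added example, not code from the post or from Cisco; the device names core and asa, their routing tables, and the next-hop token vpn (standing in for the crypto map handing the packet to the tunnel) are constructed to mirror the three states the post describes: VPN up, VPN down, and VPN down with a Null0 route on the ASA for 172.16.1.0/24.

```python
import ipaddress

# Constructed routing tables for the scenario in the post. Each device maps to a
# list of (prefix, next_hop). A next hop is another device name, "Null0" (discard),
# or the placeholder "vpn" for the crypto map picking the packet up. Real ASA and
# IOS tables carry much more; this keeps only what decides the loop.

def _tables(vpn_up, asa_null0):
    core = [("172.16.1.0/24", "asa")]          # core points the remote subnet at the ASA
    asa = [("0.0.0.0/0", "core")]              # ASA's less-specific route back to the core
    if vpn_up:
        asa.append(("172.16.1.0/24", "vpn"))   # tunnel is up: crypto map takes it
    if asa_null0:
        asa.append(("172.16.1.0/24", "Null0")) # candidate fix from the post
    return {"core": core, "asa": asa}

SCENARIOS = {
    "vpn_up": _tables(True, False),
    "vpn_down": _tables(False, False),
    "vpn_down_null0": _tables(False, True),
}


def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


def trace(tables, start, dst, max_hops=16):
    """Follow next hops device by device and report how the packet ends up."""
    path = [start]
    device = start
    while len(path) <= max_hops:
        nh = lookup(tables[device], dst)
        if nh is None:
            return path, "no route"
        if nh == "Null0":
            return path, "dropped at Null0"
        if nh == "vpn":
            return path, "handed to VPN"
        if nh in path:                       # revisiting a device means a loop
            return path + [nh], "routing loop"
        path.append(nh)
        device = nh
    return path, "hop limit exceeded"


def outcomes(dst="172.16.1.1"):
    """Result of sending a packet for dst from the core in every scenario."""
    return {name: trace(t, "core", dst) for name, t in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (path, result) in outcomes().items():
        print(f"{name:16s} {' -> '.join(path):22s} {result}")
```

The simulation only shows what the route table does: with the VPN down, the /24 on the ASA turns the core-ASA-core loop into a single hop that is discarded. Whether the crypto map still gets to encrypt traffic for that subnet once a Null0 route exists is the order-of-operations question the post raises, and this model does not answer it.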



Filter BGP ingress announcement from ISP

Hello guys,

I'm currently testing FRR on Debian 10 to replace very old VyOS BGP servers. We have two BGP servers advertising two prefixes and each prefix is linked in priority to one server (two different DCs with two ISPs). We also have iBGP with our internal routers for private networks (if one goes down, all traffic will go to the second BGP server).

One ISP is announcing the entire world to us and I can't figure out how to block it; we don't do transit so we don't have any use for the advertisements. Unfortunately I don't have a lot of knowledge regarding BGP configuration, so I came asking better knowledgeable peers (pun intended) on the subject, in order to build a proper BGP configuration.

I appreciate all inputs and details, since I would like to better understand BGP.

Thanks a lot comrades.

Here is my current config.

```
router bgp 34536
 bgp router-id 80.77.225.82
 neighbor EDGE peer-group
 neighbor EDGE remote-as 34536
 neighbor IBGP peer-group
 neighbor IBGP remote-as 34536
 neighbor REFLECTORS peer-group
 neighbor REFLECTORS remote-as 34536
 neighbor 80.77.225.21 peer-group EDGE
 neighbor 149.14.62.17 remote-as 174
 !
 address-family ipv4 unicast
  network 80.77.226.0/24
  neighbor EDGE next-hop-self
  neighbor EDGE route-map EDGE out
  neighbor IBGP default-originate
  neighbor IBGP prefix-list DEFAULT in
  neighbor REFLECTORS default-originate
  neighbor REFLECTORS prefix-list DEFAULT out
  neighbor 149.14.62.17 weight 100
  neighbor 149.14.62.17 prefix-list SUMMARIZE out
  neighbor 149.14.62.17 route-map ISP in
 exit-address-family
!
ip prefix-list DEFAULT seq 70 permit 0.0.0.0/0
ip prefix-list NEWEL seq 80 permit 80.77.224.0/20 ge 21
ip prefix-list SUMMARIZE seq 95 permit 80.77.226.0/24
!
bgp as-path access-list VIA-COGENT deny 174_
!
route-map EDGE permit 10
 match as-path VIA-COGENT
!
route-map EDGE permit 20
 match ip address prefix-list NEWEL
!
route-map ISP deny 10
 match as-path VIA-COGENT
 set local-preference 200
!
route-map ISP permit 20
!
```



Cheap 40Gb/s Mellanox Infiniband Switch worth it?

Looking to try and achieve the fastest throughput possible on a budget and came across several switches on Ebay for Mellanox and QLogic switches that are 40Gb/s with QSFP+.

From the perspective of normal routing/switching with Cisco 2960/3560 or Dell N2200 or Powerconnect series, how different or how challenging would it be to connect these switches to my network?

Are there any "gotchas" that I should be aware of?

How is it that these are so cheap???

Here is a link directly to the eBay page, hopefully this is allowed:

https://www.ebay.com/itm/184626885993?hash=item2afc9eb569:g:A6kAAOSwAE9fchf2



NAT IP of a current system to new "internal" IP.

Some background before my question:

I'm an MSP tech and am trying to enhance my networking skills. There's a client need that I don't quite know how to fulfill, and I think this subreddit may be able to help me. We're a small shop and we can generally get by with what we know about simple networking stuff, but I'm taking on the lion's share of the networking stuff that comes across our desk.

Here's my scenario: we're migrating our largest client's ERP (running on an AS400 system) that's being hosted by us in a data center, to cloud-hosted and managed by another company (we frankly don't want to touch that timebomb with a 10-foot pole). Users have a link to an app that is connected to the AS400 at 10.0.x.10. We worked with the vendor to set up a site-to-site VPN and verified connectivity between the clients' network and the IP address at the vendors' data center which is 10.7.x.30. The vendor's networking team basically simplified it to this: "Yeah, just nat the IP of the new box in there."

I understand the concept of NAT in the terms of translating a handful of internal IP's traffic to go through the public IP address, but when it comes to the real-world application of it I'm not sure what would be required. Their network is hub-and-spoke and the current box is hosted in the data center that also has the firewall that does all of the routing/etc. All sites are connected to the data center via SDWAN. The firewall in question is a Cisco ASA5505 with firepower management.

If I understand correctly, there's a NAT rule (or a few?) that I need to put in place to basically tell it "when internal traffic tries to do anything with 10.0.x.10 (send to or receive from) that it will now point to 10.7.x.30? If that is the case, what does that rule look like? And if I am entirely off-base here can anyone set me down the right path? I'm hoping this need will give me a fuller understanding of

Thanks in advance, and I apologize if I broke any subreddit rules - I did read them and I didn't perceive this question to do so.



Router-Switch-Router Question

Greetings networking folks,

Got 3 Ubiquiti devices (I know, I know, I accept all judgment) - 1 Switch 48 PoE devices, 1 EdgeRouter Infinity, 1 USG PRO 4 (router)

I have a setup similar to the following:

internet > L1 modem > USG-PRO-4 (192.168.1.1) > switch (192.168.1.0/24) > EdgeRouter > laptop (172.16.0.2)

My question is: I'm trying to route the laptop to the internet. Eventually the EdgeRouter will be implemented in an office with a Dual-WAN setup, but for testing purposes I want to familiarize myself with the EdgeRouter.

What is the setup/what have I done:

1) configured IPs on 2 interfaces on the EdgeRouter (192.168.1.200 eth0, 172.16.0.1 eth7)

2) confirmed the laptop can ping both interfaces on the EdgeRouter

3) confirmed a device on the 192.168.1.0/24 network can ping both interfaces on the EdgeRouter

4) confirmed there are no firewall settings on the EdgeRouter (it has none on fresh deployment far as I can tell)

5) attempted creating a route using the following methods:

  • set protocols static route 172.16.0.0/24 next-hop 192.168.1.1 < DIDN'T WORK
  • set protocols static route 172.16.0.0/24 next-hop 192.168.1.200 < EdgeRouter errors out

6) The 192.168.1.0/24 network does not have a configured VLAN

Have tried Googling tutorials, but nothing that fits my particular scenario shows up. Experience with routers is Cisco Packet Tracer and SOHO routers, so if this is an absurd question I apologize for wasting anyone's time :)



DELL 5548 LACP/LAG configuration

I have a Dell 5548 switch and I'm setting up a LAG to a device.
In the webgui, I see a setting that says "Load balance - " then it has 3 options.

Layer 2, Layer 2/3, Layer 3

Can someone explain to me what this does?



Cisco 2960X (5) stack pinging intermittently - but devices connected to it are fine.

This one has me scratching my head.

I have a stack of 5 2960X 48-port switches in an IDF connected via 10gig fiber to a 3850 in the MDF. While there are 2 fiber connections, they aren't set up as etherchannel and one of the two is shutdown on the 3850 - don't ask me why, I didn't do this. I guess someone wanted a manual failover or something.

Not sure if related: Yesterday we upgraded our AT&T MPLS network to an AT&T AVPN network. We did the upgrade at about 5:30 PM, I left the building at about 7:15 PM. Basically I just swung the patch cord going from the old MPLS router to the new AVPN router which was programmed with the same IP. Everything worked fine. New router is physically connected via GigE to one of my 3850's in the MDF.

At just after 8PM we started getting "down" alerts from our PRTG monitor. I'm getting about 54% loss of packets when I do a ping stream to it - not alternating, but it will work for a few minutes, then it will stop for a few, then it will be sporadic, it's all over the place.

I tried rebooting the whole stack during the night, just for kicks. It seemed fine for a few minutes after and I went to bed, but then it started up again. Nothing is appearing in the log on the switch, I thought maybe I was dealing with an IP conflict but if so, it's not being logged. But I keep thinking there must be some sort of ARP issue here? Not sure. Last night I also tried shutting down the active fiber uplink to the IDF and no shutting the other. Everything came up but in the same state where I was losing about half my pings so I set it back the way it was.

All of the devices connected to the switch - AP's on the same VLAN, PC's and phones on other VLANs - are all fine. People are on their phones and the voice quality is perfect. But out of the blue I can't reliably ping the switch. And since PRTG keeps reporting it down, up, down, up, my management is asking why it's down or flapping and I keep having to explain that the users are fine.

Thoughts?

sh ver
Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(4)E8, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Fri 15-Mar-19 10:55 by prod_rel_team

ROM: Bootstrap program is C2960X boot loader
BOOTLDR: C2960X Boot Loader (C2960X-HBOOT-M) Version 15.2(4r)E3, RELEASE SOFTWARE (fc4)

SHC-DAL-IDF-SW uptime is 10 hours, 17 minutes
System returned to ROM by power-on
System restarted at 15:54:32 CDT5 Wed Aug 11 2021
System image file is "flash:/c2960x-universalk9-mz.152-4.E8.bin"
Last reload reason: Reload command

...

Switch Ports Model              SW Version  SW Image
     1 52    WS-C2960X-48FPD-L  15.2(4)E8   C2960X-UNIVERSALK9-M
     2 52    WS-C2960X-48FPD-L  15.2(4)E8   C2960X-UNIVERSALK9-M
     3 52    WS-C2960X-48FPD-L  15.2(4)E8   C2960X-UNIVERSALK9-M
     4 52    WS-C2960X-48FPD-L  15.2(4)E8   C2960X-UNIVERSALK9-M
     5 52    WS-C2960X-48FPD-L  15.2(4)E8   C2960X-UNIVERSALK9-M


Two Stacked Cisco 10GbE switches + LACP (x1 SFP+ to each switch) = 20Gbps?

Morning Reddit,

I need help clarifying whether I will achieve 20Gb networking or only 10Gb.

Equipment is:

  • x2 Cisco SG350XG (Stacked)
  • x1 Server w/ Dual 10Gb NIC's.

Configuration is:

  • Switch 1 Port 1 is configured with LACP
  • Switch 2 Port 1 is configured with LACP
  • Server NIC 1 is connected to Switch 1 Port 1 (LACP)
  • Server NIC 2 is connected to Switch 2 Port 1 (LACP)

Can these Cisco switches, despite being two separate data planes but acting as one 'brain', achieve a combined 20Gbps throughput? or is this a pipe dream and I have to have TWO ports in switch 1 and TWO ports in switch 2 for a *true* redundant 20Gbps link?



Network Redesign Project

https://imgur.com/a/Nhf6IrV

We have a project for a relatively small-sized district public school with 4 different remote locations, 1000 students and 200 staff total. BAS1 is the main location that has the firewall and 2Gbps internet from the ISP, and BAS1 is connected to all other locations (BAS2, BAS3, BAS4) with 1Gbps P2P E-Lines.

As seen on the network Diagram, basically there is one WLC for all the buildings and all buildings have L3 Switch that connects to BAS1 Layer3 switch and routed internally or goes to ISP.

Everything in RED means suggested redesign for the network infrastructure:

Wireless: If we wanted to have BAS1-Staff, BAS2-Staff, BAS3-Staff, BAS4-Staff SSIDs on this Cisco 5520 WLC all other buildings will see all the WIFI SSIDs broadcasted(if broadcasted of course). What would be a better solution here? They have 2 Cisco 2504 WLCs laying around, how could we repurpose them in this case?

Catalyst 9200L 24-port PoE+ 4x10G uplink Switch: Is it not a good idea to use this as the core L2 switch to connect to all the buildings? This way the BAS1 L3 core switch load will be reduced (not that it is doing lots of work) and it will only deal with the BAS1 site.

Cisco ISR4451-X/K9: They also have this and must use it in the network because it was bought with E-Rate funding. Can this be used to route to and from the ISP and the internal network, basically replacing the job of the BAS1 core L3 switch for routing?



Cisco WLC flexconnect question

If I have a WLAN with FlexConnect enabled to flex clients into VLAN 500, but I also have the WLAN anchored to an anchor controller, where does the client end up?

Is it anchored or does it ignore the anchor config and just get flexed out locally?



How do you clean your switches/routers?

So I use a compressor to blow out the dust, then spray them with a "cleaning spray" and then use paper to wash the chassis.



Books to learn the fundamentals

Hi. I finished school (General IT Course) last year and I landed a job in telecom as a RAN Technician. I'm leaving next week for a more related job. It will be a junior role in an IT service desk. However, in the last few months I got interested in the networking area and I decided that I want to start studying networking, including taking the CCNA certification in the future. On my course we just learned the basics of the basics of networking, and before I start watching YouTube/Udemy videos I would like to read a book first. I've found lots of them, but I would like to know if you guys recommend any specific book to start with. I will also watch some YouTube videos and I think the new job will give me access to the Udemy platform.

I'm in Europe if that helps you recommend places to buy, and I would like it to be less than 30€ for now :)

Thanks in advance



Wednesday, August 11, 2021

Favorite industrial/DIN mount switches?

I've got a project coming up where I'll need some industrial switches that I can mount in controls cabs for a customer. Specs wise, within the cab there is 12vAC, 24vDC and 24vAC available for power, I'll need at least 4 (but preferably more) RJ45 ports and two SFP cages & VLAN support.

I've been looking at Phoenix Contact & Moxa switches, but I thought I'd reach out to the hivemind and see what it had to say.



Wave 2 WIFI 6 AP without subscription

Any Wave 2 / WiFi 6 capable access points that you know of that don't require a subscription?

Looks like the UniFi APs are the only ones. Trying to see what's out there.

I have looked at Cisco, Ruckus and Aruba so far.



Switch that can break out WAN connection

I am looking for a switch that can handle our Small Business 2 WAN connections and split it out to two different firewalls for a total of 6 physical connections. It will split the switch into 2 VLANs to separate traffic. Will I need anything special or a large backplane for this?

We were using a Cisco SG300 for the task, but we were not getting our maximum speeds of 1G/1G out of it and only 10% was available up and down. I believe the switch was bad, but was told we needed a beefier switch to handle the routing table. If this is only doing layer 2, wouldn't there be no routes in the routing table except for maybe the default route if the switch is managed?

I believe even something like 2 unmanaged 8 port switches would work for the task if we didn't want to vlan the switch.



Grafana or PRTG based SNMP/Syslog collector READY TO GO

Hi everyone.

Looking for a Docker package with PRTG/Grafana+DB as a Syslog/SNMP collector.

Something I can install and set up in a few clicks.
Any suggestions are welcome.

Cheers.



NTT launches private 5G platform aimed at CIOs



PTP link drops traffic that exceeds MTU (with and without DF bit)

Tshooting an issue unique to a certain link.

Typical traffic tests OK: speedtests, web browsing, etc., all normal. Bandwidth, packet loss, jitter, RTT, iperf TCP/UDP tests as expected.

But certain traffic fails. Tests show something about this link is dropping (not fragmenting) UDP/ICMP when it exceeds the MTU. In my case, this causes problems with TFTP transactions and certain Aruba AP control traffic.

On all other routers, I can ping an internal host on the far side of the router's link with any packet size I want. As long as I leave the df-bit off, it fragments and succeeds:

```
working-rtr#ping 10.100.3.37
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.3.37, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
working-rtr#ping 10.100.3.37 size 1500
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 10.100.3.37, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
working-rtr#ping 10.100.3.37 size 2000
Type escape sequence to abort.
Sending 5, 2000-byte ICMP Echos to 10.100.3.37, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
```

Adding in the df-bit, I get expected results:

```
working-rtr#ping 10.100.3.37 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 10.100.3.37, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
working-rtr#ping 10.100.3.37 size 1501 df-bit
Type escape sequence to abort.
Sending 5, 1501-byte ICMP Echos to 10.100.3.37, timeout is 2 seconds:
Packet sent with the DF bit set
.....
Success rate is 0 percent (0/5)
```

But on the router behind this PTP, I get inconsistent results.

I can send 1500-byte pings with and without df-bit like normal:

```
rtr-behind-ptp#ping 10.100.3.37
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.3.37, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 25/25/27 ms
rtr-behind-ptp#ping 10.100.3.37 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 10.100.3.37, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
```

...and as expected, I can't send more than 1500 with the df-bit:

```
rtr-behind-ptp#ping 10.100.3.37 size 1501 df-bit
Type escape sequence to abort.
Sending 5, 1501-byte ICMP Echos to 10.100.3.37, timeout is 2 seconds:
Packet sent with the DF bit set
.....
Success rate is 0 percent (0/5)
```

But unlike all other routers, I can only get to 1504 without the df-bit. Beyond 1504 the pings fail.

```
rtr-behind-ptp#ping 10.100.3.37 size 1501
Type escape sequence to abort.
Sending 5, 1501-byte ICMP Echos to 10.100.3.37, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/10 ms
rtr-behind-ptp#ping 10.100.3.37 size 1502
Type escape sequence to abort.
Sending 5, 1502-byte ICMP Echos to 10.100.3.37, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/11 ms
rtr-behind-ptp#ping 10.100.3.37 size 1503
Type escape sequence to abort.
Sending 5, 1503-byte ICMP Echos to 10.100.3.37, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/11 ms
rtr-behind-ptp#ping 10.100.3.37 size 1504
Type escape sequence to abort.
Sending 5, 1504-byte ICMP Echos to 10.100.3.37, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/11 ms
rtr-behind-ptp#ping 10.100.3.37 size 1505
Type escape sequence to abort.
Sending 5, 1505-byte ICMP Echos to 10.100.3.37, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
```

Routers on both sides of this link have typical/default interface configs, the same as other working links that have no problem passing pings > 1500 bytes.

This PTP link is built with Cambium PTP550 radios with a 1542-byte MTU on all units.

The radios are strictly L2; they are not part of the routing path. The branch router's default route points directly to our core router. And again, all typical traffic routes fine.

Opened a case with Cambium support, but I don't see how this could be a Cambium issue, because I expect the router interface's 1500-byte MTU to trigger fragmentation before packets hit the PTP link. I assume I missed something?

Let me know if you need other details. Thanks!



HDMI and USB extension

Is there an affordable way to extend HDMI and USB over 7 meters? I'm looking at over-Ethernet options, but the kits are near £100 each.



How did you get started into Networking? What initial resources helped you the most?

Hello Everyone. As the two questions ask, how did you get into Networking and what are some good beginner resources that made you stay in Networking? Someone I work with said they are interested in Networking so I wanted to help them out as much as possible. Do you have any great online resource I can recommend to them? (other than this sub of course! :-) ).

His network skills mostly come from setting up LAN parties and basic client device troubleshooting (showing IPs and pinging devices).



NetFlow recommendation

Hello everyone!

I was just wondering what are you guys using for NetFlow.

We want a good-looking dashboard on which we can make simple queries.

For example: in the last 30 days, all the flows whose destination IPs were in the 192.168.0.0/16 subnet.

Any recommendations?

I was looking at ElastiFlow with Elasticsearch & Kibana.

Thanks!



How much data do trunk coax cables carry? Please clarify some things about HFC network topography.

Pardon my ignorance on this, I am just trying to understand how a hybrid fiber-coax network works. I think I have most of the basics down, but I am unclear on how much bandwidth is pushed through the trunk cables before they split off and where the DOCSIS equipment is on the ISP side.

So if I'm understanding correctly, from the headend, you have fiber cables terminating into optical nodes where the data is converted to coax and then using RF amplifiers (these days just one?) it is branched off into smaller coax cables feeding about 150 subscribers per node these days.

Okay, but how many trunk cables initially come from the node? Are they physically larger/thicker than the cable that comes into your home? And the central conductor being then thicker allows it to carry more bandwidth? How many times are the trunks split off into smaller cables, i.e. how many steps?

When I think of bandwidth over a coax network, I think of the DOCSIS specs, e.g. 1 Gbps down, 200 Mbps up theoretical using DOCSIS 3.0. But that is to the individual subscriber using the "standard" size coax that is found in homes. How is all of that data then encoded/congregated into the larger trunk cables, how much data can they carry, and where is the DOCSIS equipment on the ISP side? If it's in the node, then is there a DOCSIS modem for each subscriber in there, or a larger DOCSIS "supermodem" that takes the larger amount of data from the trunk cable from a whole bunch of subscribers and demodulates it at the same time? If so, do these larger modems have different specs from the typical DOCSIS specs in that they can handle a lot more bandwidth? Where are those specs found?

Related to all of this, how much bandwidth do cable ISPs allocate to subscribers vs. how much is actually available? Theoretically, if everyone maxed out their connection at the same time to a node serving 150 subscribers, what % of their "promised" bandwidth would they get at that moment for a typical HFC deployment?

Okay, lots of questions, I'm clearly confused. I don't expect anyone to answer everything here, but any insight is appreciated.



Causing buffering / higher latency on purpose for testing

Hi,

Not sure if this is advanced enough, even though it does concern a business/industrial network.

We have issues with some connections to PLCs of industrial machines when connected over VPN. It seems like the PLCs start to actively drop connections (monitored via Wireshark) when the ping is a bit higher than 50-70 ms. Considering that some of them are sitting on a temporary 4G connection, that is quite an issue.

This happens when using programming software which really is designed to have a local LAN connection to the machine. The manufacturer says that some clients do use VPNs successfully, but the community says that issues on high-ping connections are normal.

Is there a way of buffering packets on purpose, so I can test this behaviour when physically at the machine? Or does this smell like changing the source code of, say, OpenWRT to introduce an adjustable-delay FIFO buffer?

Thanks!



PoE+ switches limited to 17w by default?

I've seen this on a few vendors so far but I'm not seeing any documentation to support it.

Most recently, an Aruba 2530 (a J9772A) would drop the PoE load on a new timeclock... we initially diagnosed it as a failed timeclock and wasted weeks troubleshooting the wrong thing. This was additionally complicated because the customer uses Aruba Central, which does not report an error nor allow a method of configuring the switch to go to full power on a port.

Gotta add the following to the interface config:

```
poe-allocate-by value
poe-value 30
```

Is this a standard practice I am unaware of? Is this in hopes of preventing lawsuits for large bundles of cables lighting on fire or something?



Core switch peering - Design question

Simple design: a Nexus vPC pair collapsed core with WAN routers hanging off of it, and a firewall for internet egress hanging off of it.

We naturally could do /30 links everywhere; however, since the plan is to use Layer 3 peer-router to peer SVIs over the vPC peer link, why not just use that VLAN as a "peering domain" for all L3 devices hanging directly off this core? Everything peers with each other, and can directly route to each other using the core just for switching that traffic.

The benefit of this design (imo) is that I can have LACP trunk connections to all my other L3 devices, peer using the peering domain tag, but then still have the ability to build new tagged networks on the routers and have them ride that redundant link to the core -- in some cases I may want the gateways for certain networks (like replication) to not live locally on that collapsed core, and this gives me the option of homing that gateway on a tagged interface on one of the WAN routers in a VRF, and just use the core for switching that traffic down to the replication appliances.

Anyways, my question is: are there any glaring drawbacks or issues I may run into with this particular configuration? Outside of VTEPs requiring a real routed link for VXLAN encapsulated traffic to egress (this deployment will never use VXLAN), I can't think of any.



Palo Alto support cost

So, we invested in quite a few Palo gateways in 2019.
Premium support was purchased for 3 years, so we were just getting some numbers for next year's budget.

Guess what, the price increase since 2019 is ... 55%!
Found this article, "Important changes to Premium support", which is mostly BS in my opinion.

I've never seen anyone increasing support cost in this range before, and PAN wasn't exactly cheap to begin with either.

Just a warning for people considering PAN.



Just purchased a Net Prowler (TNP700). Can anyone comment on Pros vs. Cons?

Main aim: I'm just wondering if anyone can comment on whether the latest firmware for it fixes (or introduces) any previous known issues (if there were any at all), as well as Pros and Cons please.

IT Technician, not full-time Cabling guy.

After doing much research into what was currently available (and affordable for my budget) for a quick basic Network Diagnostic Tool, I settled on the Platinum Networks Net Prowler (TNP700 Model). It has similar features (and more, also less, in some respects) to its Fluke Networks equivalent, the Link Runner AT-2000, which was way out of my budget ballpark.

PockEthernet is dead as a Dodo now (and had some irregularities and quirks that apparently never got resolved and resulted in some bad readings); pairing to my phone every time I want a reading would be a joke anyway, hence my selecting the Net Prowler.

I bought a NOYAFA NF-8601S last year (which I swear by, because it's absolutely fantastic!) and although it feels "cheap" in build quality, it's got most of the features found in the Fluke AT-1000 / 2000 and Net Prowler (for example, it can Cable Trace via tone on a live network, as well as do Port Flash, Ping, Wire Mapping, TDR, and Scan), but I wanted something that could scan beyond the first Switch it comes to as well as identify it via LLDP. It can also measure PoE voltage, but not determine output Current - which is another feature I wanted (and will get with the Net Prowler).

If you don't want things like LLDP or PoE Current testing, then I think that the NOYAFA NF-8601S is the best budget Cable and basic Network diagnostic tool out there to date. I'm still keeping it and will use it, but will use the Net Prowler for more in-depth diagnosing.

Anyway, thanks in advance if you can contribute any thoughts or share experience.



Network device with very high latency in LAN?

We've got a brand new network printer and put it in our LAN for testing (in the same room). What we don't understand is why the latency is extremely high, more than 1,000 ms, for this device when we perform a ping test.

We have also performed similar ping tests on other devices on the LAN and found the latency is less than 5 ms.

Even an Internet host such as google.com has less than 10 ms response time.

What can we do to troubleshoot and fix this issue?



ASA 5506x

I need to replace a set of ASA 5506x's with the same model (I know, old, bad, etc., but the customer insists). Our service department ordered the wrong license; now they have ordered one Security Plus license. My question is: do we need one or two Security Plus licenses to enable failover?

Many thanks!



Tuesday, August 10, 2021

Are the Fluke and NetAlly LRAT-2000 the same device in different colors?

I've got an older Fluke LRAT2000 with what I hope is a dead battery pack. I'm wondering if I can purchase a NetAlly battery pack and use it on my older Fluke unit. If replacing the battery pack doesn't fix the issue I'm having and I buy a NetAlly LRAT2000, will it work with my existing Fluke accessories (reflectors, etc.)?



Terminate shielded CAT6 into regular keystones

Hi all,

I’m hearing mixed things depending on who I speak to...

We have shielded CAT6 plenum cable pulled between a few of our rooms and our MDF. Is there any issue with using regular (non-shielded) CAT6 keystones on both sides of the shielded cable?

We had shielded cable pulled a while back as a sort of future-proofing, because we weren't exactly sure what types of signals we would send across the runs. However, today we are positive that we are just sending 1G connections (PCs, phones, etc.) across the runs.

Any risk in using regular keystones?

Thanks!



Move Cisco 9300-48U from one stack to another

I have to walk someone over Webex/phone through moving a 9300-48U from one stack to another. I've added to existing stacks and replaced failed switches within a stack, but I'm not all that comfortable with the provision commands, or maybe I'm overthinking this.

1 - Remove stacking cable, remove switch from rack.

2 - no switch stack-member-number provision (switch # that we just removed)

3 - Console into the switch we just removed (this probably will be painful walking this dude through over the phone), then #erase startup-config and #reload

4 - Rack switch in new existing stack, connect stack cables, power on.

5 - After it joins the stack, configure interfaces.

edit: 16.9.4 code

Am I missing anything?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



Implementing ACLs in a large enterprise environment

Hello, I work in a large enterprise environment. We have access to and control of all the switches, but no control over the router/routing side of things. Currently, the management IP addresses of our switches are in the same VLAN as the rest of our end users and devices, VLAN 100. I would like to create a separate VLAN 60 solely for our management addresses. I understand how to create SVIs and how to use our Layer 3 switch to make communication between VLANs possible.

What I am a little stuck on is how to correctly apply ACLs so that only 4 workstations with IP addresses 172.0.0.10, 172.0.0.11, 172.0.0.12 and 172.0.0.25 can access and communicate with the management VLANs. Everyone else should not be able to ping, HTTP, etc. to the management addresses of the management VLAN. I understand that for this application I should be using an Extended Access List, which leads me to my next question: as Extended Access Lists are meant to be put closest to the source of the packets, how does this work in a large enterprise environment with 30 switches? Do I need to put the ACL on every capable L3 switch that we have? Or is there one L3 switch I can put it on to make it work everywhere?

I have attached a network diagram of the environment I'm working in. Any help would be greatly appreciated. Thank you.

https://imgur.com/a/C0X7AFX



"Walker" electrical products? I'm trying to match some old floor mounted boxes

I have to tear out some cable running under the floor. It was installed probably 15+ years ago. The in-floor fittings are going to be left with holes in them so I was *hoping* to find some replacement covers that are missing.

I managed to identify the floor boxes as "Walker S265" models. Did this manufacturer totally disappear from the planet? Some of the websites I looked at seem to almost imply it's connected to Legrand but I can't officially find anything.

Anybody familiar with "Walker" electrical products? Are they still a manufacturer?



100 GbE over twisted pair for 100m -- will it ever be possible?

I know 100 GbE for consumers is a long way away, even 10 GbE has barely taken hold.

But I like to think ahead and imagine what 100 gigabit networking will look like in the consumer space. Currently there is no 100 gigabit over twisted pair standard, it's either fiber or twinaxial (the latter only for 5m). Clearly twisted pair is what is used in the consumer space.

So that got me wondering, do you think it would even be possible to do 100 gigabit over twisted pair for 100m? Or even 30m? Or will it require so much shielding and larger gauge wires as to be impractical.

I'm leaning toward no. I think when 100 gigabit consumer products become available in 5-10 years, they'll just standardize one of the current enterprise multimode fiber standards (OM3 or OM4), maybe give the cables some extra "shielding" to make them more rigid and consumer-friendly, pick and integrate a transceiver standard/plug into consumer NICs, and we'll just have Ethernet over fiber coexisting with RJ45 plugs in the consumer space. Kind of like USB-A and USB-C. It'll be interesting to see how they market it.

Anyway, that's what I'm thinking. Maybe I'm wrong and they can do it over twisted pair. They can already do 40 gigabit over 30 m, but I have a sense that's the limit of twisted pair, it also uses a lot more power at these bandwidths. Maybe twinaxial could do 100 meters, but that seems highly impractical for the consumer space.

What do you think?



How to configure main and secondary VPN's from checkpoint FW to ASA FW

How do I configure two different VPNs (one primary and one secondary) from Checkpoint firewalls to the Cisco ASA of a partner company, each one from a different ISP?

The idea is to have the maximum possible redundancy in case of loss of an ISP, VPN downtime, etc., to be able to continue working.

How could I configure the Checkpoints for this? Is it necessary to change the routes? And the NAT?

Anyway, I am open to whatever topology alternative.

I attached my topology proposal.

https://ibb.co/ZVmHVMr

Best regards.



Back into networking! Looking for images available on GNS3

Hello there,

Started my career as a network engineer, went to software development, and now I've finally made it back to being a software engineer IN the networking space.

Got a lot to catch up on; I left the field just as NFV and SDN were becoming a thing.

There's some new technology I'm trying to get my hands on and lab with GNS3. Most notably, I'm looking to set up a small SRv6 virtual lab on GNS3.

I no longer have access to any Cisco bins.

Can anyone recommend any free and open source networking solutions I can run on GNS3 which have some of the newer features such as SRv6/SR-MPLS?

Thanks a lot!



Inconsistent Network Traffic

I am suffering through one of the most confusing issues I've encountered since I became a sysadmin. I've a diploma in IP engineering, but have primarily done sysadmin over the last 20 years, so I'm rusty-ish but think I have a good foundation.

We recently put in a dedicated link between our head office & a remote site. Previously, communication was handled by a site-to-site VPN tunnel. Traffic was routed:

Head Office core switch - HO Firewall - VPN tunnel over internet - SiteA firewall - SiteA core switch

Now, traffic will be routed:

HO core switch - dedicated link - SiteA core switch

The HO core switch is an HP ProCurve 5412ZL, while the SiteA core switch is an HP Aruba 2920. SiteA originally had a 2910, but we came across this problem and decided to replace it with a 2920, in case it was the switch. (it wasn't)

When I change the routing table on the switches so that traffic is sent over the dedicated link, low-level traffic like ping works in all situations, but higher-level protocols like RDP and SMB are all over the place. For example, I can RDP from servers at HO to *some* SiteA servers, but not others, even if they're on the same subnet (or even hosted on the same Hyper-V server). In addition, some protocols work to a server, but not other protocols: I can RDP to a Domain Controller we have out there, but replication to/from it fails.

Even ping, which is successful between every server I've tried, is a little odd: RTT will be 5-6ms, but every so often, I'll get a single RTT of 235-237ms.

We have this same setup (HO core switch - dedicated link - SiteB HP 2920 core switch) at another site in our organization, and there are no problems there. I'd like to think I've set everything up properly, but I'm willing to consider all options.

As mentioned, what really throws me is that something like RDP will work fine to Server1 at the DR site, but not Server2, even though they're on the same Hyper-V server and can both be pinged. How can I isolate a) what the problem is exactly and b) where it's occurring?



errdisable for POE up/down events in IOS.

Does anyone know if there is a way to errdisable ports when a device's PoE controller is faulty? It seems as if the switch will continuously give power to the device over and over non-stop by default.

I would like to have the switch put the port in an errdisabled state if the PoE controller has to give power more than x number of times per minute.



Looking at a small homelab setup to work towards a CCNA/other certs, Will this equipment work well?

I am looking into a career change in the near future into networking, and I am wanting to setup a small homelab to work with and practice on while I learn.

I found a post on Craigslist near me for some equipment that the guy suggests for getting a CCNA/CCIE, and I was wondering if it would actually be good for learning on.

The equipment list is:

  • Cisco ASA 5505 Firewall
  • Cisco 1921 (Qty 2) Routers - One has an HWIC-16a adapter card for out of band octal cables (comes with octal cable adapter)
  • Cisco Catalyst 3560 24 port switch
  • Cisco Catalyst 3550 24 port switch
  • Cisco Catalyst 3350 24 port switch
  • Cisco 2811 router with two T1 DSU/CSU cards installed
  • Cisco 2801 router with three T1 DSU/CSU cards installed and removable flash memory

Would all of this be a good start? It's listed at $300 right now. If not, what should I be looking for instead?



Can someone tell what kind of frames these are?

I built a simple sniffing program in C that gives me the raw frame data of all frames my monitor interface catches. Here is the code for it, but I think it works fine.

```
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <linux/if_ether.h>   /* ETH_P_ALL */

#define BYTE_TO_BINARY_PATTERN "%c%c%c%c%c%c%c%c"
#define BYTE_TO_BINARY(byte) \
    ((byte) & 0x80 ? '1' : '0'), \
    ((byte) & 0x40 ? '1' : '0'), \
    ((byte) & 0x20 ? '1' : '0'), \
    ((byte) & 0x10 ? '1' : '0'), \
    ((byte) & 0x08 ? '1' : '0'), \
    ((byte) & 0x04 ? '1' : '0'), \
    ((byte) & 0x02 ? '1' : '0'), \
    ((byte) & 0x01 ? '1' : '0')

/* Dump one frame to the log: first as hex, then as binary, 16 bytes per line. */
void write_log(unsigned char *data, int size, int log_file){
    for(int i = 0; i < size; i++){
        if(i % 16 == 0 && i != 0){
            dprintf(log_file, "\n");
        }
        dprintf(log_file, "0x%02X ", data[i]);
    }
    dprintf(log_file, "\n");
    for(int i = 0; i < size; i++){
        if(i % 16 == 0 && i != 0){
            dprintf(log_file, "\n");
        }
        dprintf(log_file, BYTE_TO_BINARY_PATTERN" ", BYTE_TO_BINARY(data[i]));
    }
    dprintf(log_file, "\n\n\n");
}

int main(int argc, char **argv){
    if(argc != 2){
        fprintf(stderr, "usage: %s <interface>\n", argv[0]);
        return 1;
    }
    /* Mode 0644 instead of the original S_IRWXO (rwx for "other" only);
       O_APPEND so a second run does not overwrite the start of an old log. */
    int log_file = open("log.txt", O_CREAT | O_WRONLY | O_APPEND, 0644);
    if(log_file < 0){
        perror("open");
        return 1;
    }
    /* A raw AF_PACKET socket with ETH_P_ALL delivers every frame the kernel sees
       on the interface, link-layer header included. Needs root or CAP_NET_RAW. */
    int sock_raw = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if(sock_raw < 0){
        perror("socket");
        return 1;
    }
    /* Limit capture to the interface named on the command line. packet(7)
       documents bind() with a struct sockaddr_ll for this; SO_BINDTODEVICE is kept as posted. */
    if(setsockopt(sock_raw, SOL_SOCKET, SO_BINDTODEVICE, argv[1], strlen(argv[1])) < 0){
        perror("setsockopt(SO_BINDTODEVICE)");
        return 1;
    }
    unsigned char *buffer = malloc(65536);
    if(buffer == NULL){
        perror("malloc");
        return 1;
    }
    while(1){
        ssize_t data_size = recvfrom(sock_raw, buffer, 65536, 0, NULL, NULL);
        if(data_size < 0){
            if(errno == EINTR){
                continue;
            }
            perror("recvfrom");
            break;
        }
        write_log(buffer, (int)data_size, log_file);
    }
    free(buffer);
    close(sock_raw);
    close(log_file);
    return 0;
}
```

Between many other frames that I think are fine, I receive these, which don't make any sense to me, neither in radiotap nor in the 802.11 standard. Can someone tell what these are?

```
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0x34 0x81 0xC4 0xDC 0xDC 0x8C 0x88 0xE1 0x00 0x00
0xA0 0x00 0xB0 0x52 0xF0 0x07 0xE6 0x7F 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
11111111 11111111 11111111 11111111 11111111 11111111 00110100 10000001 11000100 11011100 11011100 10001100 10001000 11100001 00000000 00000000
10100000 00000000 10110000 01010010 11110000 00000111 11100110 01111111 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000


0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0x34 0x81 0xC4 0xDC 0xDC 0x8C 0x89 0x12 0x01 0x70
0xA0 0x00 0x00 0x00 0x1F 0x84 0x07 0xA3 0x97 0xA2 0x55 0x53 0xBE 0xF1 0xFC 0xF9
0x79 0x6B 0x52 0x14 0x13 0xE9 0xE2 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
11111111 11111111 11111111 11111111 11111111 11111111 00110100 10000001 11000100 11011100 11011100 10001100 10001001 00010010 00000001 01110000
10100000 00000000 00000000 00000000 00011111 10000100 00000111 10100011 10010111 10100010 01010101 01010011 10111110 11110001 11111100 11111001
01111001 01101011 01010010 00010100 00010011 11101001 11100010 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
```

These are two frames and the binary for each one is the same as the hex.
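An added example, not the poster's code: the two 60-byte dumps above parse cleanly as plain Ethernet II frames (14-byte header, then payload padded to the 60-byte minimum), with no radiotap or 802.11 header involved. The EtherType names below are as listed in the IEEE EtherType registry / Wireshark's table, and the HomePlug AV management-message (MME) header layout follows the HomePlug AV specification; the 0x8912 frame is only identified, not decoded further.

```python
import struct

# EtherType names (IEEE registry / Wireshark). 0x88E1 is HomePlug AV (IEEE 1901)
# powerline management; 0x8912 is listed as MediaXtream (Gigle/Broadcom powerline).
ETHERTYPE_NAMES = {
    0x0800: "IPv4",
    0x0806: "ARP",
    0x86DD: "IPv6",
    0x88E1: "HomePlug AV / IEEE 1901 powerline MME",
    0x8912: "MediaXtream (Gigle/Broadcom powerline)",
}

# HomePlug AV MMTYPE layout: bits 15:13 = message category, bits 1:0 = operation.
MME_CATEGORIES = {0: "STA<->CCo", 1: "proxy", 2: "CCo<->CCo", 3: "STA<->STA",
                  4: "manufacturer-specific", 5: "vendor-specific"}
MME_OPS = {0: "REQ", 1: "CNF", 2: "IND", 3: "RSP"}

# The two frames exactly as dumped in the post (24 and 39 data bytes, zero-padded to 60).
FRAME_A = bytes.fromhex(
    "ffffffffffff 3481c4dcdc8c 88e1 0000a000b052f007e67f" + "00" * 36)
FRAME_B = bytes.fromhex(
    "ffffffffffff 3481c4dcdc8c 8912"
    "0170a00000001f8407a397a25553bef1fcf9796b521413e9e2" + "00" * 21)


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_ethernet(frame):
    """Split a raw frame into its Ethernet header fields and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    type_len = struct.unpack("!H", frame[12:14])[0]
    # Values >= 0x0600 are an EtherType (Ethernet II); smaller values are an
    # IEEE 802.3 length field.
    if type_len < 0x0600:
        return {"dst": mac(dst), "src": mac(src), "encap": "802.3",
                "length": type_len, "payload": frame[14:14 + type_len]}
    return {"dst": mac(dst), "src": mac(src), "encap": "Ethernet II",
            "broadcast": dst == b"\xff" * 6,
            "ethertype": type_len,
            "ethertype_name": ETHERTYPE_NAMES.get(type_len, "unknown"),
            "payload": frame[14:]}


def parse_homeplug_av_mme(payload):
    """Decode the HomePlug AV MME header that follows EtherType 0x88E1:
    MMV (1 byte), MMTYPE (2 bytes, little-endian), FMI (2 bytes, MMV >= 1 only),
    then a 3-byte OUI for vendor-specific messages."""
    mmv = payload[0]
    mmtype = int.from_bytes(payload[1:3], "little")
    pos = 3
    if mmv >= 1:
        pos += 2                      # fragmentation field present from MMV 1 on
    out = {"mmv": mmv, "mmtype": mmtype,
           "category": MME_CATEGORIES.get(mmtype >> 13, "reserved"),
           "op": MME_OPS[mmtype & 0x3]}
    if mmtype >> 13 == 5:
        # 00:b0:52 is the Intellon (later Atheros/Qualcomm) OUI commonly seen
        # in HomePlug AV vendor-specific MMEs.
        out["oui"] = mac(payload[pos:pos + 3])
        pos += 3
    out["body"] = payload[pos:]       # remainder is message body plus padding
    return out


def describe(frame):
    """Ethernet header plus, for 0x88E1 frames, the decoded MME header."""
    eth = parse_ethernet(frame)
    if eth.get("ethertype") == 0x88E1:
        eth["mme"] = parse_homeplug_av_mme(eth["payload"])
    return eth


if __name__ == "__main__":
    for name, frame in (("A", FRAME_A), ("B", FRAME_B)):
        d = describe(frame)
        print(name, d["src"], "->", d["dst"], hex(d["ethertype"]), d["ethertype_name"])
        if "mme" in d:
            print("   MMV", d["mme"]["mmv"], "MMTYPE", hex(d["mme"]["mmtype"]),
                  d["mme"]["category"], d["mme"]["op"], "OUI", d["mme"].get("oui"))
```

Both frames are broadcasts from the same source MAC with powerline-adapter EtherTypes, which is why they match nothing in the 802.11 or radiotap layouts.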



Question on unmanaged switches

I'm working with a relatively janky setup for one of our users. We currently have it set up as: Ethernet from main switch -> desktop PoE phone switch (100 Mbps) -> unmanaged switch (100 Mbps) -> 3 different devices, including the user's PC. Windows is showing a 100 Mbps connection, but in practice it is averaging 5, up to 10. Ended up putting them on Wi-Fi (360 Mbps), but obviously not an optimal fix.

My main question is: if I remove the phone as a switch (put it on wall power) and have everything running through the unmanaged 100 Mbps switch (will probably upgrade to gigabit), could that fix the problem?



HE routing issues

Hey guys (and girls), I'm getting the hang of networking more and more, but the public internet and BGP routing is still a bit of a mystery to me. It's on my bucket list to start studying. I'm just an enterprise admin managing a lot of offices, and we just get simple fiber/DSL lines (no peering/transits/whatever) and build tunnels between them.

Since 01.00 AM AST we have a network outage between the Caribbean and the Netherlands, and it looks like HE is dropping packets somewhere between NYC and LON.

We have 10-15% packet loss, which is too much for our IPsec tunnels to handle. I see that traffic from other providers, routed over Liberty Global, Cogent, etc., works fine. So my interpretation is that it must be HE.

Is there some online resource you guys monitor for stuff like this? Global outages, fiber cuts, subsea cables ripped, etc? Is there a hidden mailing list somewhere where network admins get together and collaborate their findings?

I can't find anything on HE's site, or a weathermap, NOC page, etc. I asked my provider to route traffic through another ISP than HE, but here in the Carib, this can take a loooong time..

```
9. sub-53ip25.rev.onenet.cw 0.0% 304 1.2 1.9 1.0 22.4 2.8
10. 190.242.167.46 0.0% 304 1.3 2.2 1.0 29.0 3.2
11. 69.79.100.38 0.0% 304 33.9 41.0 33.4 137.4 19.1
12. 100ge7-1.core1.mia1.he.net 0.0% 304 34.7 36.1 34.4 56.7 4.4
13. 100ge11-1.core1.atl1.he.net 0.0% 304 48.7 48.6 48.4 50.0 0.1
14. 100ge3-1.core1.ash1.he.net 0.0% 304 63.2 64.4 63.0 108.2 4.8
15. 100ge1-1.core1.nyc4.he.net 0.0% 304 68.4 68.8 68.1 79.4 1.7
16. 100ge7-1.core1.lon2.he.net 10.5% 304 157.9 145.9 143.6 162.7 2.7
17. 100ge0-30.core2.lon3.he.net 83.2% 304 143.1 143.5 142.4 161.3 2.6
18. 100ge0-33.core2.ams2.he.net 35.0% 304 147.7 154.4 146.8 236.4 16.2
19. kpn-as1136.kpn-asd-dc2.nl-ix.net 35.6% 304 151.6 150.3 148.2 152.8 1.0
```
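An added example, not from the post: it parses the mtr report above and separates loss that propagates all the way to the destination (real forwarding loss) from loss that appears at a single hop only (a router rate-limiting its own ICMP replies, as hop 17 seems to). The column order assumed is the standard `mtr --report` layout: hop, host, loss%, sent, last, avg, best, worst, stdev.

```python
# mtr output copied from the post; only the final hop's loss is end-to-end loss,
# intermediate hops only tell you how willingly each router answers TTL-expired probes.
MTR_REPORT = """\
9. sub-53ip25.rev.onenet.cw 0.0% 304 1.2 1.9 1.0 22.4 2.8
10. 190.242.167.46 0.0% 304 1.3 2.2 1.0 29.0 3.2
11. 69.79.100.38 0.0% 304 33.9 41.0 33.4 137.4 19.1
12. 100ge7-1.core1.mia1.he.net 0.0% 304 34.7 36.1 34.4 56.7 4.4
13. 100ge11-1.core1.atl1.he.net 0.0% 304 48.7 48.6 48.4 50.0 0.1
14. 100ge3-1.core1.ash1.he.net 0.0% 304 63.2 64.4 63.0 108.2 4.8
15. 100ge1-1.core1.nyc4.he.net 0.0% 304 68.4 68.8 68.1 79.4 1.7
16. 100ge7-1.core1.lon2.he.net 10.5% 304 157.9 145.9 143.6 162.7 2.7
17. 100ge0-30.core2.lon3.he.net 83.2% 304 143.1 143.5 142.4 161.3 2.6
18. 100ge0-33.core2.ams2.he.net 35.0% 304 147.7 154.4 146.8 236.4 16.2
19. kpn-as1136.kpn-asd-dc2.nl-ix.net 35.6% 304 151.6 150.3 148.2 152.8 1.0
"""


def parse_mtr(report):
    """Parse 'mtr --report' lines into dicts; lines that do not look like a hop are skipped."""
    hops = []
    for line in report.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0].rstrip(".").isdigit():
            continue
        hops.append({
            "hop": int(parts[0].rstrip(".")),
            "host": parts[1],
            "loss": float(parts[2].rstrip("%")),
            "sent": int(parts[3]),
            "avg": float(parts[5]),
        })
    return hops


def classify_hops(hops, tol=2.0):
    """Label each hop:
    'clean'        loss within tolerance,
    'rate-limited' this hop loses more replies than any hop after it, so the
                   excess cannot be forwarding loss (the router is deprioritising
                   its own ICMP replies),
    'lossy'        loss that is also seen downstream, i.e. real."""
    labels = {}
    for i, h in enumerate(hops):
        later = [x["loss"] for x in hops[i + 1:]]
        if h["loss"] <= tol:
            labels[h["hop"]] = "clean"
        elif later and h["loss"] > max(later) + tol:
            labels[h["hop"]] = "rate-limited"
        else:
            labels[h["hop"]] = "lossy"
    return labels


def loss_onset(hops, tol=2.0):
    """First hop from which every later hop also reports loss: the path
    segment just before it is where the end-to-end loss begins."""
    if not hops or hops[-1]["loss"] <= tol:
        return None
    labels = classify_hops(hops, tol)
    for i, h in enumerate(hops):
        if all(labels[x["hop"]] != "clean" for x in hops[i:]):
            return h
    return None


def end_to_end_loss(hops):
    return hops[-1]["loss"] if hops else 0.0


if __name__ == "__main__":
    hops = parse_mtr(MTR_REPORT)
    labels = classify_hops(hops)
    for h in hops:
        print(f"{h['hop']:>3} {h['host']:<36} {h['loss']:5.1f}% {labels[h['hop']]}")
    onset = loss_onset(hops)
    print(f"end-to-end loss {end_to_end_loss(hops):.1f}%, "
          f"first appearing at hop {onset['hop']} ({onset['host']})")
```

On the post's data this reports 35.6% end-to-end loss first appearing at hop 16 (lon2), which supports the reading that the problem sits on the nyc4 to lon2 leg, while hop 17's 83% is mostly rate-limiting rather than dropped traffic.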



ST-LC SM in Omaha

Anyone in the Omaha metro area have a 30 meter or longer ST-LC SM fiber we could purchase from you today?

Provider drop was requested as LC but wasn’t made so. Hoping to stand this up this evening.

Thanks!



How To Track Battery Charging Stations Across a City Like Kampala or Nairobi (E. Africa)

Hello, and I apologize if this is the wrong subreddit, but I'd be willing to accept any advice possible.

I'm working with someone who is an engineer attempting to create alternative power for things like Vehicles/Motorbikes/Etc.

In Nairobi there are stalls all over for loading mobile money, charging phones, and small tasks. If we were to set up a battery charging network (not so different from Tesla's system in the US), would it be possible to create IDs for each location, track which batteries are currently charging at each location, and have live data tracking of this remotely?

Is there something I can search to begin this task? I know this is vague, but I can help clarify anything you throw at me.

Thanks in advance.



Mako Firewall Problem

I'm in kind of a convoluted situation that I could use some help with. I work for a little MSP and VoIP phone provider, and one of our clients is a corporate entity with their own IT department and a bunch of locations. They only use Mako firewalls (6600 model, I believe?) in the disparate locations, and I have essentially no experience with them.

Additionally, the guy running their IT department just got what amounts to a battlefield promotion, and he doesn't know much about the Makos either.

Anyway, we can't figure out how to set up port address translation, or even a simple forward. The methods for doing that are pretty different from platform to platform, and since I don't have direct access to these, all I've been able to do is make suggestions for things to try. I've looked and haven't been able to find a guide for exactly how to do it, so if anyone could point me in the right direction, I'd be very grateful.